Category Archives: Fraud Management

Working Toward Non-Prosecution

A recent major article in the financial trade press alluded to the importance of the U.S. Foreign Corrupt Practices Act as a piece of US government regulation of which it behooves all fraud examiners to be aware. The reference got me to thinking about the confusion that still persists regarding certain provisions of the Act among corporate players as reported in the article in question following several high profile prosecutions. Enacted to great fanfare in 1977, the purpose of the FCPA was to prevent the bribery by the agents of US corporations of foreign government officials when those agents were negotiating overseas contracts. The FCPA imposes heavy fines and penalties for both organizations and individuals. The two major provisions address: 1) bribery violations and 2) improper corporate books and records as well as maintenance of inadequate internal controls. Methods of enforcement and interpretation of the law in the US have continued to evolve to the present day.

From the first, the FCPA spawned questions of definition and interpretation for those trying to comply, i.e., who is a “foreign official?” What is the difference between a “facilitation” payment and a bribe? Who is considered a third party? How does the government define “adequate” internal controls to detect and deter bribery and corruption?

The United Kingdom enacted its UK Bribery Act in July 2010, which represented the first real attempt at an anti-bribery law to address some of these issues. The UK Bribery Act introduced the concept of “adequate procedures” that, if followed, could allow an affirmative defense for an organization under investigation for bribery. The UK Bribery Act recommended several internal controls for combating bribery and offered the incentive of a more favorable result for those who could document compliance. Among the controls:

• Establish anti-bribery procedures;
• A top corporate level commitment to prevent bribery;
• Periodic and documented risk assessments;
• Proportionate due diligence;
• Communication of bribery prevention policies and procedures to all involved parties to corporate transactions;
• Monitoring of anti-bribery procedures.

The concept of an affirmative defense for adequate procedures creates quite a contrast to the US FCPA which only offers affirmative defense for payments of bona fide expenses or small gifts within the legal limits of the foreign countries involved. The UK Bribery Act simply equates all facilitation and influence payments to bribery, thus eliminating much confusion. Finally, the UK Bribery Act dealt with the problem of defining a foreign official by making it illegal to bribe anyone regardless of government affiliation. Several countries such as Russia, Canada and Brazil have enacted or updated their anti-bribery regulations to parallel the guidelines presented in the UK Bribery Act. The key to the effectiveness remains enforcement.

Then, in 2010, the US Department of Justice and the Securities and Exchange Commission released a guidebook introducing several hallmarks of an effective FCPA compliance program. The publication of the guidebook is a development of which, according to the article I was reading, many auditors and CFE’s remain unaware, even today. The Resource Guide provides our client companies with the tools to demonstrate a proactive approach to the deterrence of bribery and corruption. Companies found out of compliance may receive some consideration during the fines and penalty stage of their cases.

The guidebook recommends that companies doing business overseas:
• Establish a code of conduct that specifically addresses the risk of bribery and corruption;
• Set the tone by designating a Chief Compliance Officer to oversee all anti-bribery and anti-corruption activities;
• Train all employees to be thoroughly prepared to address bribery and corruption risk and document that the training took place;
• Perform fraud risk assessments of potential bribery and corruption pitfalls by country and industry;
• Review the anti-corruption program annually to assess the effectiveness of policies, procedures and controls;
• Perform audits (routine and surprise) and monitor foreign business operations to assure strict compliance with the published code of conduct;
• Ensure proper legal contractual terms exist within agreements with third parties that address compliance with anti-bribery and corruption laws and regulations;
• Investigate and respond promptly and appropriately to all allegations of bribery and corruption;
• Take proper disciplinary action for violations of anti-bribery and corruption laws and regulations;
• Perform adequate due diligence that addresses the risk of bribery and corruption performed by third parties prior to entering into any business relationship.

Fraud examiners should make their clients aware that a company which can provide evidence of compliance with these recommendations is afforded many advantages if they’re ever charged with a violation of the Act. Among them is a Deferred Prosecution Agreement (DPA). Under a Deferred Prosecution Agreement the Department of Justice files a court document charging the organization while simultaneously requesting that prosecution be deferred in order to allow the company to demonstrate good conduct going forward. The DPA is an agreement by the organization to: cooperate with the government, accept the factual findings of the investigation, and admit culpability if so warranted. Additionally, companies may be directed to participate in compliance and remediation efforts, e.g., a court-appointed monitor. If the company completes the term of the DPA the DOJ will dismiss the charges without imposing fines and penalties!

The DOJ and the company may alternatively even enter into a Non-Prosecution Agreement. Under such an agreement the DOJ retains the right to file charges against the organization at a later time should the organization fail to comply. The NPA is not filed with the courts but is maintained by both the DOJ and the company and posted on the DOJ website. Similar to the DPA, the organization agrees to monetary penalties, ongoing cooperation, admission to relevant facts, as well as compliance and remediation of policies, procedures and controls. If the company complies with the agreement, the DOJ will, again, drop all charges.

The good news is that, since publication of the guidebook, corporate compliance programs have continued to mature, and are now generally accepted as just another cost of conducting business in a global marketplace. The US government is continuing to clarify expectations with regard to corporate responsibility at home and abroad, and working with international partners and their compliance programs.

Increased cooperation between the public and private sectors to address these issues will assist in leveling the playing field in the global marketplace. Non-government and civil society organizations, e.g., World Bank and Transparency International, are playing a key role in this effort. These organizations set standards, apply pressure on foreign governments to enact stricter anti-bribery and corruption laws, and enforce those laws. Coordination and cooperation among government, business and civil entities reduce the incidence of bribery and corruption and increase opportunities for companies to compete fairly and ethically in the global marketplace. Hence, every fraud examiner and assurance professional should strongly support these efforts while strongly encouraging our clients to become familiar with and comply with the provisions of the recently updated 2010 guidebook.

You Are Your Report

The ACFE tells us that organizing and writing the final fraud investigation report is one of the most challenging tasks that CFE’s report routinely performing in connection with their examinations. Thus, the whole process of communicating the results of our investigations is, and must be, an integral part of any CFE’s practice. As I’m sure every reader of this blog knows, any communication can be challenging, even when the news being delivered is positive, but when the news to be delivered is negative (e.g., analyzing the facts of an embezzlement or presenting the results of an investigation of a complex management fraud), the job of delivering it can be super stressful. In such situations, the CFE’s ability to communicate takes on increased importance. An organized, thoughtful approach can make that task easier and more constructive for all concerned. Therefore, in my opinion, practitioners would do well to apply some key steps to any kind of effective communication.

We can take some comfort in realization of the fact that the responsibility for delivering bad news is certainly not unique to fraud examiners. Professionals of all disciplines have developed protocols for communicating news perceived to be negative. These protocols are generally built on the keys to effective information transfer common to all types of communication and stress the importance of having a plan. Where they differ from the general communication guidance with which assurance professionals may already be familiar is their emphasis on specific keys that are particularly helpful in face-to-face meetings and situations requiring investigators to deliver negative news. One such protocol exists under a variety of names but is most frequently dubbed the “ABCDE” mnemonic. Let’s go through the letters of the mnemonic one by one.

The “A” stands for advanced planning. Advance preparation is an especially important element of effectively communicating bad news. It should go without having to be said that CFE’s can avoid wasted time and potentially embarrassing mistakes by having a solid grasp of the facts before delivering any of their findings to others. This includes carefully reviewing findings and confirming their understanding of critical issues well in advance of any reporting. Although fraud examiners are often familiar with their audience as the result of past interactions (especially if they’re employed by an attorney or an investigative firm), it’s always helpful to gather background information about the target audience of the findings, their level of involvement with and understanding of the issue, and their communication styles so the CFE can tailor the report and/or related meeting accordingly. Examiners also may consider visualizing the point of view they expect the audience will have regarding the issue in question, because this will likely guide their reactions and questions. And as always, practice makes perfect. It’s better to work out any bugs alone or with a colleague (if you’re lucky enough to have one) than in the midst of a highly charged meeting with attorneys and management present.

“B” addresses the protocol process of building the environment and is especially relevant to face to face presentations of the report. The setting for the meeting also is an important factor, as it should allow the examiner to maintain control over the meeting’s direction. Optimally, the meeting should occur in a place that’s private, where the participants are not distracted, and where interruptions are kept to a minimum. These factors may not be as difficult to control in the case of meetings with an audit committee or in your employing attorney’s office which generally occur in a private conference room, but examiners should consider the practical complications that can arise when meeting with a client manager in his or her office. Distractions created by telephones, e-mail, employees coming and going, or the possibility of being overheard can limit meeting productivity. With this in mind, CFE’s should try to schedule the meeting at a time and place where the participants can devote their full attention to the challenging issues at hand.

Communicating well is the “C” in our mnemonic. To try always to employ direct, clear language to communicate bad news, while still being sensitive to the audience’s feelings, is an imperative skill for investigators to possess. Although it’s sometimes tempting to temper an issue or to use euphemisms to try to soften the blow, that approach can add confusion, and ultimately, only delay the inevitable. A straightforward, honest delivery of the facts is generally the best policy and is, after all, what we’re being paid to do. Never lose sight of the fact that some words (e.g., scam and scheme) are emotionally charged and may elicit negative reactions from the audience. Instead, words such as “suspected scenario”, or “suspected irregularity” better convey the message without unnecessarily offending anyone. Striking the right balance between directness and sensitivity can be difficult, but it’s critical to the successful delivery of bad news. Providing the audience with specific examples from her report can help clarify the CFE’s message without the need for personal, un-objective, or emotion laden words. We know from many ACFE publications and training courses that the majority of communication comes from body language, facial expressions, eye contact, and tone of voice. As fraud examiners and forensic accountants, we need to be aware of these nonverbal cues and keep them in check so they do not undermine delivery of our results. An important and often overlooked aspect of good communication is ensuring that the message sent equals the message received. Remember the old politician’s maxim: “Tell them. Tell them what you said. Tell them again”! It’s important, particularly in the case of bad news, for the examiner to verify that the audience fully understands the message being delivered, both its content and seriousness. Eliciting feedback from the audience will give the CFE an opportunity to confirm what they heard and will enable her to clear up any miscommunication immediately.

Dealing with reactions is the “D” in our mnemonic. As we all know, in the case of fraud reports, there will always be reactions. It’s inevitable, and healthy, that the audience will have questions and want you, the examiner, to provide actual transactions and/or evidence supporting the report findings. CFE’s should be prepared, based on the advance preparation described under “A”, to anticipate questions and, by gathering supporting documentation in advance, to provide these items during the meeting. Examiners should also expect audience members to offer their own responses or explanations to counter the report findings. Because emotions will be running high, these responses may take the form of a personal attack on the examiner, but s/he must take care not to react defensively or place blame. Above all, we CFE’s must keep in mind that our role is to communicate factual information so that appropriate due diligence can be taken and never to in any way speculate as to guilt or offer value judgments; stick to the facts, which will always speak for themselves far more eloquently than you can.

It’s important for management and counsel to identify the immediate impact of the bad news. For example, does this apparent instance of fraud as revealed by the fraud report have immediate regulatory ramifications? Does this situation result in the need for a restatement of financial statements? Should we move forward immediately with terminations or prosecution? The fear of unknown consequences can make bad news seem even worse. By doing some advance research to help address these types of questions, the CFE can make a valuable contribution to the organization by helping to at least begin to define the extent of the unknown. Once the immediate impact has been assessed, the next logical step will be to develop a long-term plan for fixing or mitigating the control problem. Because of the examiner’s familiarity with the mechanics of the underlying issue confronting management and counsel, s/he is in an excellent position to work with other assurance professionals to provide alternatives or suggestions for remediation and for the eventual strengthening of the client’s fraud prevention program. Examiners should be sure to emphasize their willingness to provide additional information or assistance as needed as we assist management and others to arrange the timetable for following up on the results of our investigations.

The Know It All

As fraud examiners intimately concerned with the general on-going state of health of fraud management and response systems, we find ourselves constantly looking at the integrity of the data that’s truly the life blood of today’s client organizations.  We’re constantly evaluating the network of anti-fraud controls we hope will help keep those pesky, uncontrolled, random data vulnerabilities to a minimum.   Every little bit of critical information that gets mishandled or falls through the cracks, every transaction that doesn’t get recorded, every anti-fraud policy or procedure that’s misapplied has some effect on the client’s overall fraud management picture. 

When it comes to managing its client, financial and payment data, almost every organization has a Pauline. Pauline’s the person everyone goes to for the answers about data, and the state of the system(s) that process it, that no one else in her unit ever seems to have. That’s because Pauline is an exceptional employee with years of detailed hands-on experience in daily financial system operations and maintenance. Pauline is also an example of the extraordinary level of dependence that many organizations have today on a small handful of their key employees. The great recession of past memory, where enterprises relied on retaining the experienced employees they had rather than on traditional hiring and cross-training practices, only exacerbated a still existing, ever growing trend. The very real threat to the fraud management system that the Paulines of the corporate data world pose is not so much that they will commit fraud themselves (although that’s an ever present possibility) but that they will retire or get another job out of state, taking their vital knowledge of the company systems and data with them.

The day after Pauline’s retirement party and, to an increasing degree thereafter, it will dawn on Pauline’s unit management that it has lost a large amount of valuable information about the true state of its data and financial processing system(s), and that it lacks a large amount of system-critical data documentation that’s been carried around nowhere but in Pauline’s head. The point is that, for some organizations, their reliance on a few key employees for day to day, operationally related information on their data goes well beyond what’s appropriate and constitutes an unacceptable level of risk to their fraud prevention system. Today’s newspapers and the internet are full of stories about data breaches, only reinforcing the importance of vulnerable data and of its documentation to the on-going operational viability of our client organizations.

Anyone who’s investigated frauds involving large scale financial systems (insurance claims, bank records, client payment information) is painfully aware that when the composition of data changes (field definitions or content) surprisingly little of that change related information is ever formally documented. Most of the information is stored in the heads of some key employees, and those key employees aren’t necessarily the ones involved in everyday, routine data management projects. There’s always a significant level of detail that’s gone undocumented, left out or to chance, and it becomes up to the analyst of the data (be s/he an auditor, a management scientist, a fraud examiner or other assurance professional) to find the anomalies and question them. The anomalies might be in the form of missing data, changes in data field definitions, or change in the content of the fields; the possibilities are endless. Without proper, formal documentation, the immediate or future significance of these types of anomalies for the fraud management systems and for the overall fraud risk assessment process itself becomes almost impossible to determine.

If our auditor or fraud examiner, operating under today’s typical budget or time constraints,  is not very thorough and misses even finding some of these anomalies, they can end up never being addressed.   How many times as an analyst have you tried to explain something (like apparently duplicate transactions) about the financial system that just doesn’t look right only to be told, “Oh, yeah.  Pauline made that change back in February before she retired; we don’t have too many details on it.”  In other words, undocumented changes to transactions and data, details of which are now only existent in Pauline’s head.  When a data driven system is built on incomplete information, the system can be said to have failed in its role as a component of overall fraud management.  The cycle of incomplete information gets propagated to future decisions, and the cost of the missing or inadequately explained data can be high.  What can’t be seen, can’t ever be managed or even explained. 

It’s truly humbling for any practitioner to experience how much critical financial information resides in the fading (or absent) memories of past or present key employees.  As fraud examiners we should attempt to foster a culture among our clients supportive of the development of concurrent transaction related documentation and the sharing of knowledge on a consistent basis for all systems but especially in matters involving changes to critical financial systems.  One nice benefit of this approach, which I brought to the attention of one of my clients not too long ago, would be to free up the time of one of these key employees to work on more productive fraud control projects rather than constantly serving as the encyclopedia for the rest of the operational staff. 

And the Cash Flows On

As a fraud examiner and information systems auditor, I’ve always been a big fan of the cash flow statement and I think you should be too. For the non-accountant investigators among you, the cash flow statement reveals what happened to the client’s cash during the reporting period. It’s very much like your bank account statement: You have a beginning balance of cash at the start of the month, you deposit your paycheck, you write some checks for your mortgage and groceries, and then you end the month with a new cash balance. This is what a cash flow statement is: simply a beginning balance of cash, plus or minus some cash transactions, to arrive at an ending cash balance.

Another way to view the cash flow statement is as an income statement that is adjusted for non-cash transactions and transactions that have not yet impacted cash. Non-cash transactions are transactions that affect the income statement but will never affect cash. Depreciation is a non-cash transaction that is added back to profits on the cash flow statement since cash is never paid out or collected when an asset is depreciated. The cash flow statement also clarifies transactions that immediately impact cash. A company can make a sale but not collect on it, or incur an expense and not immediately pay for it in cash. These are called accounts receivable and accounts payable, respectively. Revenues that are earned but not received and expenses that are incurred but not paid would show up on the income statement, but not on the cash flow statement. So the formula for the statement is simply …

Beginning Cash Balance
+/- Net Cash Flows from Operating Activities
+/- Net Cash Flows from Investing Activities
+/- Net Cash Flows from Financing Activities
= Ending Cash Balance

There are two methods of reporting cash flows from operations; in the direct method, the sources of operating cash flows are listed along with the uses of operating cash flows, with the difference between them being the net cash flow from operating activities. In contrast, the indirect method reconciles net income per the income statement with net cash flows from operating activities; that is, accrual-basis net income is adjusted for non-cash revenues and expenses to arrive at net cash flows from operations. The net cash flows from operating activities is the same amount regardless of which method is used. The indirect method is usually easier to compute and provides a comparison of the company’s operating results under the accrual and cash methods of accounting. As a result, most companies choose to use the indirect method, but either method is acceptable.

So what does all this provide as a tool for the fraud examiner? Simply, the cash flow statement provides any CFE with lots of neat information for further analysis in a very compact form. First of all, the statement tells you what the company’s cash receipts and cash payments were for the period. Remember that it’s unlike the income statement in that the income statement takes into account all revenue and expense transactions, whether or not they affected cash. The cash flow statement only considers transactions that involve cash.

The cash flow statement divides the company’s cash transactions into three categories:

• Operating activities, which include all cash received and paid out in connection with the company’s normal business operations, such as cash received from customers and funds paid to vendors. This category essentially encompasses any cash transactions that affect items on the income statement.
• Investing activities, which are cash flows related to the sale or purchase of non-current assets, such as fixed assets, intangible assets, and investments. This category generally covers those cash transactions that affect the asset side of the balance sheet.
• Financing activities, which are all cash inflows and outflows pertaining to the company’s debt and equity financing. Inflows include the proceeds received from issuing stocks and bonds and from borrowing money from a bank. Outflows include debt repayments and cash dividends paid to shareholders. In general, this category includes the cash transactions that affect the liabilities and owners’ equity side of the balance sheet.

In a perfect world, a company should only need loans when it has a timing problem between collecting and spending money or when it’s expanding. However, if a company expends more money than it will ever make, it will eventually go out of business. This is where the cash flow statement is so useful to the fraud examiner. You will want to get an idea of the cash flow necessary to run the business so that you will be able to tell whether the company is generating enough cash from operations to continue to do business. The examiner can also evaluate the relationship between total cash generated from financing and investing activities and the amount generated by operating activities.

Some things you will want to note from the cash flow statement in connection with any suspected financial fraud:
• Does the company have heavy demands on its operating cash each period?
• Do the inflows equal or exceed the outflows?
• Is the cash balance increasing or decreasing over time?
• Is the company making smart decisions about sources and uses of cash given its apparent financial condition?

This is information pertinent to the investigation of a wide range of fraud scenarios, the successful investigation of which involves different data than that commonly available in the income statement. The income statement alone does not reveal a complete picture of the company’s financial health, necessary for a full investigation of so many types of fraud. Evaluating income and cash flows includes considering the timing of items, such as collections of accounts receivable. In the end, a company might have a fabulous looking income statement, but might not have any cash available for operations. This may occur because the revenues recorded on the income statement have not been collected. Remember, as part of doing business, companies usually allow customers to make purchases on credit; this means the companies will collect the cash subsequent to the actual recording of the revenues. For example, a small high-tech manufacturer might have a healthy looking profit on its income statement, but not be able to pay its employees’ salaries. However, the entrepreneurial owners of the company expect all is well, since they think the net income on the income statement to be equal to the amount of cash in the company’s bank account. But, as is often the case, there’s a timing difference between when the company records a sale and when it actually receives the cash from its customers. As a result, the cash balance seldom, if ever, will match the income on the income statement. Other transactions – such as accrued or prepaid expenses, depreciation, and inventory purchases – will also cause a disparity between an organization’s net income and its net cash flows.
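The reconciliation and warning signs discussed above can be checked mechanically across reporting periods. The following is an added example, not part of the original post: it applies the indirect method using only the adjustments named in this article (depreciation, receivables, inventory, payables), and the field names, finding codes and quarterly figures are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Period:
    """One reporting period; all amounts in the same currency unit."""
    label: str
    begin_cash: int
    net_income: int          # accrual-basis profit from the income statement
    depreciation: int        # non-cash expense, added back
    ar_increase: int         # sales recorded but not yet collected
    inventory_increase: int  # cash spent on stock not yet expensed
    ap_increase: int         # expenses incurred but not yet paid
    investing: int           # net cash flow from investing activities
    financing: int           # net cash flow from financing activities
    reported_end_cash: int   # ending balance as shown by the client


def operating_cash_flow(p: Period) -> int:
    """Indirect method: adjust net income for non-cash and timing items."""
    return (p.net_income + p.depreciation
            - p.ar_increase - p.inventory_increase + p.ap_increase)


def ending_cash(p: Period) -> int:
    """Beginning cash +/- operating, investing and financing flows."""
    return p.begin_cash + operating_cash_flow(p) + p.investing + p.financing


def review(periods: List[Period]) -> List[Tuple[str, str]]:
    """Return (period, finding) pairs that deserve the examiner's questions."""
    findings = []
    previous = None
    for p in periods:
        ocf = operating_cash_flow(p)
        # The statement must foot: computed ending cash equals reported.
        if ending_cash(p) != p.reported_end_cash:
            findings.append((p.label, "UNRECONCILED"))
        # Each period must start where the prior one ended.
        if previous is not None and previous.reported_end_cash != p.begin_cash:
            findings.append((p.label, "BEGIN_MISMATCH"))
        # Healthy-looking profit while operations consume cash.
        if p.net_income > 0 and ocf < 0:
            findings.append((p.label, "PROFIT_WITHOUT_CASH"))
        # Operating shortfall in a period with net financing inflows.
        if ocf < 0 and p.financing > 0:
            findings.append((p.label, "FINANCING_FUNDS_OPERATIONS"))
        previous = p
    return findings


# Constructed sample: a small manufacturer whose profit grows every quarter
# while receivables balloon; Q3's reported ending cash is off by 30.
SAMPLE = [
    Period("Q1", 500, 120, 30, 90, 10, 20, -40, 0, 530),
    Period("Q2", 530, 150, 30, 260, 20, 10, -20, 100, 520),
    Period("Q3", 520, 180, 30, 330, 0, 0, 0, 50, 480),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.label, "net income", p.net_income,
              "operating cash flow", operating_cash_flow(p),
              "computed ending cash", ending_cash(p))
    for label, finding in review(SAMPLE):
        print(label, finding)
```

A finding here is a prompt for questions about collections, borrowing and the cash records, not evidence of fraud in itself.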

The statement of cash flows represents a trove of invaluable information that can cast light on virtually every aspect of a client’s financial health and thus inform any investigation. Use it to your advantage.

Charting the Road Ahead

There are a number of good reasons why fraud examiners and forensic accountants should work hard at including inclusive, well written descriptions of fraud scenarios in their reports; some of these reasons are obvious and some less so. A well written fraud report, like little else, can put dry controls in the context of real life situations that client managers can comprehend no matter what their level of actual experience with fraud. It’s been my experience that well written reports, couched in plain business language, free from descriptions of arcane control structures, and supported by hard hitting scenario analysis can help spark anti-fraud conversations throughout the whole of a firm’s upper management.

A well written report can be a vital tool in transforming that discussion from, for example, relatively abstract talk about the need for an identity management system to a more concrete and useful one dealing with the report’s description of how the theft of vital business data has actually proven to benefit a competitor.

Well written, comprehensive fraud reports can make fraud scenarios real by concretely demonstrating the actual value of the fraud prevention effort to enterprise management and the Board. They can also graphically help set the boundaries for the expectations of what management will expect the prevention function to do in the future if this, or similar scenarios, actually re-occur. The written presentation of the principal fraud or loss scenario treated in the report necessarily involves consideration of the vital controls in place to prevent its reoccurrence which then allows for the related presentation of a qualitative assessment of the present effectiveness of the controls themselves. A well written report thus helps everyone understand how all the control failures related to the fraud interacted and reinforced each other; it’s, therefore, only natural that the fraud examiner or analyst recommend that the report’s intelligence be channeled for use in the enterprise’s fraud and loss prevention program.

Strong fraud report writing has much in common with good story telling. A narrative is shaped explaining a sequence of events that, in this case, has led to an adverse outcome. Although sometimes industry or organization specific, the details of the specific fraud’s unfolding always contain elements of the unique and can sometimes be quite challenging for the examiner even to narrate. The narrator/examiner should especially strive to clearly identify the negative outcomes of the fraud for the organization, for those outcomes can sometimes be many and related. Each outcome should be explicitly set out and its impact clearly enumerated in non-technical language.

But to be most useful as a future fraud prevention tool, the examiner’s report needs to make it clear that controls work as separate lines of defense, at times in a sequential way, and at other times interacting with each other to help prevent the recurrence of the adverse event. The report should attempt to demonstrate in plain language how this structure broke down in the current instance and demonstrate the implications for the enterprise’s future fraud prevention efforts. Often, the report might explain how the correct operation of just one control may provide adequate protection or mitigation. If the controls operate independently of each other, as they often do, the combined probability of all of them failing simultaneously tends to be significantly lower than the probability of failure of any one of them. These are the kinds of realities with the power to significantly and positively shape the fraud prevention program and, hence, should never be buried in individual reports but used collectively, across reports, to form a true combined resource for the management of the prevention program.

The final report should talk about the likelihood of the principal scenario being repeated given the present state of preventative controls; this is often best estimated during discussions with client management, if appropriate. What client management will truly be interested in is the probability of recurrence, but the question is actually better framed in terms of the likelihood over a long (extended) period of time. This question is best answered by the involved managers, in particular the loss prevention manager. If the answer is that this particular fraud risk might materialize again once every 10 years, the probability of its annual occurrence is a sobering 10 percent.

As with frequency estimation, to be of most on-going help in guiding the fraud prevention program, individual fraud reports should attempt to estimate the severity of each scenario’s occurrence. Is it the worst case loss, or the most likely or median loss? In some cases, the absolute worst case may not be knowable, or may mean something as disastrous as the end-of-game for the organization. Any descriptive fraud scenario presented in a fraud report should cover the range of identified losses associated with the case at hand (including any collateral losses the business is likely to face). Documented control failures should always be clearly associated with the losses. Under broad categories, such as process and workflow errors, information leakage events, business continuity events and external attacks, there might have to be a number of developed, narrative scenarios to address the full complexity of the individual case.

Fraud reports, especially for large organizations for which the risk of fraud must always remain a constant preoccupation, can be used to extend and refine fraud prevention programs. Using the documented results of the fraud reporting process, report data can be converted to estimates of losses at different confidence intervals and fed to the fraud prevention program’s estimated distributions for frequency and severity. The bottom line is that organizations of all sizes shouldn’t just shelve their fraud reports but use them as vital input tools to build and maintain the ongoing process of fraud risk assessment for ultimate inclusion in the enterprise’s loss prevention and fraud prevention programs.
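The frequency, severity and independent-control arithmetic described in the preceding paragraphs can be worked through in a short simulation; the following is an added Python example, not part of the original post. The control failure rates, the loss figures and the triangular severity shape are constructed assumptions; the once-in-10-years recurrence is the post's own figure.

```python
import math
import random


def combined_failure_probability(failure_probs):
    """Probability that every control fails at once, assuming independence."""
    result = 1.0
    for p in failure_probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError("each probability must lie in [0, 1]")
        result *= p
    return result


def annual_probability(recurrence_years):
    """'Once every N years' expressed as a per-year probability, as the post does."""
    if recurrence_years <= 0:
        raise ValueError("recurrence interval must be positive")
    return 1.0 / recurrence_years


def prob_at_least_once(p_annual, years):
    """Likelihood of one or more occurrences over an extended period."""
    return 1.0 - (1.0 - p_annual) ** years


def percentile(sorted_values, pct):
    """Nearest-rank percentile of an already sorted list."""
    rank = max(1, math.ceil(pct / 100.0 * len(sorted_values)))
    return sorted_values[rank - 1]


def simulate_horizon_losses(p_annual, low, likely, worst,
                            years=10, trials=20000, seed=1):
    """Total loss per simulated horizon.

    Frequency: each year the scenario occurs with probability p_annual.
    Severity: each occurrence draws a loss from a triangular distribution
    spanning the smallest, most likely and worst-case losses in the report.
    """
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    totals = []
    for _ in range(trials):
        total = 0.0
        for _ in range(years):
            if rng.random() < p_annual:
                total += rng.triangular(low, worst, likely)
        totals.append(total)
    totals.sort()
    return totals


def summarize(totals, levels=(50, 90, 99)):
    """Share of horizons with any loss, plus loss at each confidence level."""
    hit_rate = sum(1 for t in totals if t > 0) / len(totals)
    return {
        "hit_rate": hit_rate,
        "percentiles": {lvl: percentile(totals, lvl) for lvl in levels},
    }


if __name__ == "__main__":
    # Constructed failure rates for three independent controls.
    controls = [0.2, 0.1, 0.05]
    print("all controls fail together:", combined_failure_probability(controls))

    p = annual_probability(10)  # the post's once-in-10-years scenario
    print("annual probability:", p)
    print("at least once in 10 years:", round(prob_at_least_once(p, 10), 4))

    # Constructed loss range (currency units) for one documented scenario.
    totals = simulate_horizon_losses(p, low=50_000, likely=200_000,
                                     worst=2_000_000)
    summary = summarize(totals)
    print("share of 10-year horizons with a loss:", round(summary["hit_rate"], 3))
    for level, loss in summary["percentiles"].items():
        print(f"loss not exceeded at {level}% confidence: {loss:,.0f}")
```

Each new fraud report refines the inputs: a documented control failure adjusts the failure rates, and the documented loss range adjusts the severity bounds.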

! RVACFES May 2019 Spring Training Event !

The ACFE wants to help establish you as a consummate courtroom professional! Certified Fraud Examiners, accountants, auditors and investigative/assurance professionals of all kinds are called upon to provide testimony in criminal and civil prosecutions where their services can be used to support investigations of matters such as financial frauds, embezzlements, misapplication of funds, bankruptcy fraud, improper accounting practices, and tax fraud. Fraud examiners may also be used as defense witnesses or to support the defendant’s counsel on matters that involve accounting or audit related issues.

There are two basic kinds of testimony. The first is lay testimony (sometimes called factual testimony), where witnesses testify about what they have experienced firsthand and their factual observations. The second kind is expert testimony, where a person who, by reason of education, training, skill, or experience, is qualified to render an expert opinion regarding certain issues at hand. Typically, a fraud examiner who worked on a case will be capable of providing lay testimony based on observations made during the investigation.

Certified Fraud Examiners (CFEs) and forensic accountants serve two primary roles as experts in forensic matters: expert consultants and expert witnesses. The fraud investigator must always be prepared to serve as an expert witness in court and learning how best to do so is critical for the rounded professional. The expert consultant is an independent fraud examiner/accounting contractor who provides expert opinions in a wide array of cases, such as those relating to fraud investigations, divorces, mergers and acquisitions, employee-employer disputes, insurance disputes, and so on. In a fraud case, the CFE could identify and document all fraudulent transactions. This in turn could lead to reaching a plea bargain with a guilty employee. Therefore, the CFE helps solve a problem before any expert trial testimony is needed.

In addition, CFEs and forensic accountants are called upon to provide expert consultation services involving testimony in such areas as:

• Fraud investigations and management.
• Business valuation calculations.
• Economic damage calculations.
• Lost profits and wages.
• Disability income analysis.
• Economic analyses and valuations in matrimonial (prenuptial, postnuptial, and divorce) accounting.
• Adequacy of life insurance.
• Analysis of contract proposals.

As you will learn, the most important considerations at trial for experts are credibility, demeanor, understandability, and accuracy. Credibility is not something that can be controlled in and of itself but is a result of the factors that are under the control of the expert witness. Our speaker, HUGO HOLLAND, CFE, JD, will expound in greater detail on these and other general guidelines:

• The answering of questions in plain language. Judges, juries, arbitrators, and others tend to believe expert testimony more when they truly understand what the expert says. It is best, therefore, to reduce complicated, technical arguments to plain language.

• The answering of only what is asked. Expert witnesses should not volunteer more than what is asked even when not volunteering more testimony could suggest that the expert’s testimony is giving the wrong impression. It is up to counsel to clear up any misimpressions through follow-up questions. That is, it is up to counsel to “rehabilitate” an expert witness who appears to have been impeached. That said, however, experienced expert witnesses sometimes volunteer information to protect their testimony from being twisted. Experience is needed to know when and how to do this. The best thing for an inexperienced expert witness is to work with experienced attorneys who know how to rehabilitate witnesses.

• The maintenance of a steady demeanor. It is important for the expert witness to maintain a steady, smooth demeanor regardless of which questions are asked and which side’s attorney asks them. It is especially undesirable to do something such as assume defensive body language when being questioned by the opposing side.

• How to be friendly and smile at appropriate times. Judges and juries are just people, and it helps to appear as relaxed but professional.

• Remain silent when there is an objection by one of the attorneys. Continue speaking only when instructed to do so.

• How best to state the facts. The expert witness should tell the truth plainly and simply. You will learn how the expert’s testimony should not become more complicated or strained when it appears to be harmful to the client the expert represents. The expert witness should not try to answer questions to which she does not know the answer but should simply say that she does not know or does not have enough information to form an opinion.

• Learn to control the pace. The opposing attorney can sometimes attempt to crush a witness by rapid fire questions. The expert witness should avoid firing back answers at the same pace. This can avoid giving the appearance that she is arguing with the examining attorney. It also helps prevent her from being rushed and overwhelmed to the point of making mistakes.

• Learn how to testify effectively on direct and cross examination, basic courtroom procedures, and most important, tricks for surviving on the witness stand. Improve your techniques on how to offer testimony about damages and restitution while learning to know when to draw the line between aggressive testimony and improper advocacy. Walk away with more effective report writing skills and explore the different types of evidence and legal remedies in this 2-day, ACFE instructor-led course.

The Association of Certified Fraud Examiners is the world’s largest anti-fraud organization and premier provider of antifraud training and education. Together with more than 85,000 members, the ACFE is reducing business fraud worldwide and inspiring public confidence in the integrity and objectivity within the profession. Visit ACFE.com to learn more.

Matching SOCS

I was chatting with the soon-to-be-retired information systems director of a major Richmond insurance company several nights ago at the gym. Our friendship goes back many years to when we were both audit directors for the Virginia State Auditor of Public Accounts. My friend was commenting, among other things, on the confusing flood of regulatory changes that’s swept over his industry in recent years relating to Service Organization Controls (SOC) reports. Since SOC reports can be important tools for fraud examiners, I thought they might be an interesting topic for a post.

Briefly, SOC reports are a group of internal control assurance reports, performed by independent reviewers, of IT organizations providing a range of computer based operational services, usually to multiple client corporations. The core idea of a SOC report is to have one or a series of reviews conducted of the internal controls related to financial reporting of the service organization and to then make versions of these reports available to the independent auditors of all the service organization’s user clients; in this way the service organization doesn’t have to be separately and repeatedly audited by the auditors of each of its separate clients, thereby avoiding much duplication of effort and expense on all sides.

In 2009 the International Auditing and Assurance Standards Board (IAASB) issued a new International Standard on Assurance Engagements: ‘ISAE 3402 Assurance Reports on Controls in a Service Organization’. The AICPA followed shortly thereafter with a revision of its own Statement on Auditing Standards (SAS) No. 70, guidance around the performance of third party service organization reports, releasing Statement on Standards for Attestation Engagement (SSAE) 16, ‘Reporting on Controls in a Service Organization’. So how does the SOC process work?

My friend’s insurance company (let’s call it Richmond Mutual) outsources (along with a number of companion companies) its claims processing functions to Fiscal Agent, Ltd. Richmond Mutual is the user organization and Fiscal Agent, Ltd is the service organization. To ensure that all the claims are processed and adequate internal controls are in place and functioning at the service organization, Richmond Mutual could appoint an independent CPA or service auditor to examine and report on the service organization’s controls. In the case of Richmond Mutual, however, the service organization itself, Fiscal Agent, Ltd, obtains the SOC report by appointing an independent service auditor to perform the audit and provide it with a SOC 1 report. A SOC 1 report provides assurance on the business processes that support internal controls over financial reporting and is, consequently, of interest to fraud examiners as, for example, an element to consider in structuring the fraud risk assessment. This report can then be shared with user organizations like Richmond Mutual and with their auditors as deemed necessary. The AICPA also provides for two other SOC reports: SOC 2 and SOC 3. The SOC 2 and SOC 3 reports are used for reporting on controls other than the internal controls over financial reporting. One of the key differences between SOC 2 and SOC 3 reports is that a SOC 3 is a general use report to be provided to anyone while SOC 2 reports are only for those users specifically specified in the report; in other words, the distribution is limited.

SOC reports are valuable to their many users for a whole host of obvious reasons but Fraud Examiners and other assurance professionals need to keep in mind some common misconceptions about them (some shared, I found, by my IT friend). SOC reports are not assurances. IAASB and AICPA guidelines specify that SOC reports are to be of limited distribution, to be used by the service organization, user organization and user auditors only and thus should never be used for any other service organization purpose; never, for example, as marketing or advertising tools to assure potential clients of service organization quality.

SOC 1 reports are used only for reporting on service organization internal controls over financial reporting; in cases where a user or a service organization wants to assess such areas as data privacy or confidentiality, they need to arrange for the performance of a SOC 2 and/or SOC 3 report.

It’s also a common mistake to assume that the SOC report is sufficient verification of internal controls and that no controls on the user organization side need to be assessed by the auditors; the guidelines are clear that while verifying controls at the service organization, controls at the user organization should also be verified. Since the service organization provides considerable information as background for the service auditor’s review, service organizations are often under the mistaken impression that the accuracy of this background information will not be evaluated by the SOC reviewer. The guidelines specify that SOC auditors should carefully verify the quality and accuracy of the information provided by the service organization under the “information provided by the service organization” section of their audit program.

In summary, the purpose of SOC 1 reports is to provide assurance on the processes that support internal controls over financial reporting. Fraud examiners and other users should take the time to understand the varied purpose(s) of the three types of SOC reports so they can use them intelligently. These reports can be extremely useful to fraud examiners assessing the fraud enterprise risk prevention programs of user organizations to understand the controls that impact financial operations and related IT controls, especially in multiple-service provider scenarios.

On Motivation

The ACFE tells us that there is no simple profile for employees who commit fraud. However, some ACFE statistics are available. Its research has repeatedly shown that about 10 percent to 15 percent of employees are fundamentally dishonest and are likely to steal from their company if given the opportunity. About 66 percent of employees are likely to steal under the right circumstances, such as when under pressure, or when “everyone is doing it,” and the opportunity exists. In contrast, about 20 percent to 25 percent of employees are fundamentally honest and are unlikely to steal under any circumstances.

Furthermore, those employees who do steal from the company are unlikely to have a prior criminal record, and those with a good education, family, background, and work record can be just as likely to steal as anyone else.

On the other hand, research shows that the three elements of the standard fraud triangle, with which we’re all familiar, have proven themselves descriptive over the many years in explaining which employees may defraud our client companies.

• Pressure – Usually related to financial pressure such as large medical bills, gambling problems, drug habits, and extravagant living.

• Opportunity – Required to commit any fraud.

• Rationalization – Likely depends on the type of criminal and the criminal’s personality type or possible personality disorder.

The rationalization component of the fraud triangle suggests possible types of individuals who may commit fraud:

• The fundamentally dishonest employee without a personality disorder. This person could habitually be dishonest but does not have a personality disorder. Rationalization comes easily because the person is accustomed to dishonesty. Therefore, the rationalizations are likely to include statements such as “I need it more than they do” and “They won’t miss it.”

• The fundamentally dishonest employee with a personality disorder. Various personality disorders may contribute to the ability of the employee to rationalize fraud. Psychiatry uses the diagnosis antisocial personality disorder and the related diagnosis dissocial personality disorder. The following are characteristics that apply to persons with these types of mental disorders:

— Nonconformist behavior; tend to be misfits.
— Habitual lying and dishonesty.
— Impulsiveness.
— Irritability and aggressiveness.
— Insensitivity to harming self or others.
— Strong disregard for the needs of self and others.
— Tendency to blame others for personal faults and mistakes.
— Lack of responsibility.
— Difficulty in establishing and maintaining close relationships.
— Absence of the ability to feel emotions or the full range of normal emotions.

The deceitfulness dimension of these disorders could enable the person to hide some or all of his or her antisocial characteristics. This type of person is often able to steal without giving much conscious thought to rationalizations. The crime could simply arise out of the mental disturbance.

• Then there is the normally honest employee who steals given pressure and opportunity and rationalizes the theft. A person who does not normally steal is likely to give serious thought to rationalizing the theft. One common rationalization is that the person is only borrowing the money; often the person takes money with the intent to pay it back, and many times does in fact pay it back. The result is that the corporate till can become the employee’s personal lending institution; however, in many cases, the person is never able to pay back the ill-gotten loan. The normally honest employee is likely to steal out of a sudden financial need or because of a problem with a financially excessive lifestyle.

The ACFE advises us to consider possible motives when examining evidence related to an occupational fraud. Motive is the power that prompts a person to act. Motive, however, should not be confused with intent, which refers to the state of mind of the accused when performing the act. Motive, unlike intent, is not an essential element of crime, and criminal law generally treats a person’s motive as irrelevant in determining guilt or innocence. Even so, motive is relevant for other purposes: it can help identify the perpetrator; it will often guide the examiner to the proper rationalization; it further incriminates the accused; and it can be helpful in ensuring successful prosecution.

The examiner should search relevant documents to determine a possible motive. For example, if a fraud examiner has evidence in the form of a paycheck written to a ghost employee, s/he might suspect a payroll employee who recently complained about not having received a raise in the past two years. Although such information does not mean that the payroll employee committed fraud, the possible motive can guide the examiner.

During the process of interviewing suspects, interviewers should seek to understand the possible motives of interviewees. To do this, interviewers should suspend their own value system. This will better position the interviewer(s) to persuade suspects to reveal information providing insight into what might have pressured or motivated them and how they might have rationalized their actions.

In an interview situation, the examiner should not suggest reasons for the crime. Instead, the examiner should let the individual share his or her motivations, even if the suspect reveals those motivations in an indirect manner.

In interviewing suspects for motives:

• Leave your ego at the door.
• Talk to the suspected perpetrator as an adult.
• Do not patronize the suspect.
• Use good communication skills to develop rapport with subjects so that they will feel comfortable talking to you.
• Avoid being confrontational with the suspect. If the interviewer is confrontational, the perpetrator will be less likely to make an admission.

When conducting an interview with a suspect, the interviewer should begin by asking questions about the standard procedures and the actual practice of the operations at issue. This is necessary to gain an understanding of the way the relevant process is intended to work and how it actually works. Additionally, asking such basic questions early in the interview will help the interviewer observe the interviewee’s “normal” behavior so that the interviewer can notice any changes in the subject’s mannerisms and word choice.

Next, the interviewer might ask non-accusatory questions related to the issue at hand, such as:

• Why do you think someone would do something like this?
• What do you think should happen to a person who would do something like this?
• Of all of the people who work in this area, who could be involved?

The answers to these questions can help the interviewer understand the possible motives of various suspects, narrow the pool of suspects, or even obtain an admission. For example, a suspect who answers the question “Why do you think someone would do something like this?” with a sympathetic answer might be trying to appeal to the interviewer’s sense of compassion to reduce or minimize his or her punishment.

The more the interviewer knows about the perpetrator, the better chance s/he will have of identifying the perpetrator’s motive and rationalization. Once the perpetrator thinks that the interviewer understands her motive, she will become more likely to confess.

During the motivation identifying interview, fraud examiners must also remember that there are times when rational people behave irrationally. This is important in the interview process because it will help humanize the misconduct. Unless the perpetrator has a mental or emotional disorder, it is acceptable to expect that the perpetrator committed the fraud for a reason.

Situational fraudsters, those who rationalize their right to an illegal enrichment and perpetrate fraud when the opportunity arises, do not tend to view themselves as criminals. This is in contrast to deviant fraudsters, who are more proactive than situational fraudsters and who are always on the alert for opportunities to commit fraud. Situational fraudsters rationalize their crimes. Situational fraudsters feel that they need to commit fraud to regain control over their lives. Thus, an interviewer will be more likely to obtain a confession from a situational fraudster if s/he can genuinely communicate that s/he understands how anyone under similar circumstances might commit such a crime. Genuineness, however, is key. If the fraudster in any way detects that the interviewer is constructing a trap, s/he generally will not make an admission of wrongdoing.

In summary, the fraud triangle is always helpful in explaining motivations for employees to defraud their employing organization by drawing attention to pressure, opportunity, and rationalization. Pressure is typically caused by sudden financial needs arising from things such as medical bills, gambling problems, drug habits, and extravagant living. The opportunity depends on the employee’s position and the strength of the company’s internal control processes. Rationalization depends on the type of criminal. The pure sociopath may need little or no rationalization. The fundamentally dishonest employee may give some conscious thought to rationalizing crimes, but the rationalization comes easily because the person is accustomed to dishonesty. Finally, the normally honest employee generally expends the most effort in rationalizing the crime, and often this type of person will really think that s/he is only borrowing the money.

When You Assume

by Rumbi Petrozzello
2018 Vice President – Central Virginia ACFE Chapter

On November 8, 2007, in the small town of Constantine, Michigan, 11-year-old Jodi Parrack was reported missing. Residents from the surrounding region volunteered to search for the missing girl, including Ray McCann, a police reservist. During the search, Ray suggested to Jodi’s mother, Valerie, that they should search for Jodi in the local cemetery. Valerie and Ray did so and, tragically, found her daughter there; she had been murdered.

Almost immediately, Ray came under suspicion. His reaction to Jodi’s death appeared to some of the investigators to be suspicious, and why had he suggested that he and Valerie go to the cemetery, of all places, to look for Jodi? Then, during their subsequent investigation, the police found Jodi’s DNA on Ray’s body; according to Ray this was because he had pulled Valerie away from Jodi when he and her mother discovered the child’s body.

For years, Ray was under suspicion. He was brought in for questioning by the police on multiple occasions, and his answers, as far as the police were concerned, were not particularly convincing. He claimed to have been in one place and the police said that there was proof that he was not there. Seven years after Jodi’s murder, Ray was arrested and charged with perjury, related to the answers he had originally given the police; this seems to have been a tactic the police employed to hold him while they continued to try to gather enough evidence to charge him with Jodi’s murder.

While Ray was being held and facing from two to twenty years behind bars, another girl was attacked; she fought back, escaped and led the police to another man, Daniel Furlong. It turned out that Furlong’s DNA had been found on Jodi’s body during the original investigation as well as Ray’s and yet, the police had persisted in focusing solely on Ray. It was also revealed that the authorities were not honest when they told Ray that they possessed evidence Ray was lying. All the police really had was a deeply held conviction that Ray was being deceptive, leading to their determination to somehow develop evidence to validate that feeling.

By the time Ray was released after spending 20 wasted months of his life behind bars, he had lost his job, his family and the trust of the community in which he lived and which he had hoped someday to serve.

As Fraud Examiners and/or Forensic Accountants, we are engaged to investigate alleged wrongdoing and to follow up on leads as we work to resolve often confusing and contradictory matters. As we seek evidence, interview people and try to figure out what happened and who did what, it can be all too easy to make the mistake of viewing a red flag as somehow constituting proof. If someone giggles when they’re telling you they know nothing; if a person taps her foot throughout an interview, or if someone is extremely helpful, none of those things in themselves means anything definitive in resolving the question as to whether or not they have done anything wrong, let alone illegal.

Professional skepticism is a CFE’s tendency not to believe or take anyone’s assertions at face value, a mental tendency to ask every assertion to “prove it” (with evidence). The inevitable occurrence of confusion, errors and deception in all situations involving actual or suspected fraud dictates this basic aspect of professional skepticism. Persuading a skeptical CFE or forensic accountant is not impossible, just somewhat more difficult than persuading a normal person in an everyday context. Our skepticism protects the Ray McCanns of this world because it’s a manifestation of objectivity, holding no special concern for preconceived conclusions on any side of an issue. Skepticism is not an attitude of being cynical, hypercritical, or scornful. The properly skeptical investigator asks these questions: (1) What do I need to know? (2) How well do I know it? (3) Does it make sense?

Professional skepticism should lead investigators to appropriate inquiry about every clue involving seeming wrongdoing. Clues should lead to thinking about the evidence needed, wringing out all the implications from the evidence, then arriving at the most suitable and supportable explanation. Time pressure to complete an investigation is no excuse for failing to exercise professional skepticism, and bias and prejudice are always unacceptable. Too many investigators (including auditors) have gotten themselves into trouble by accepting some respondent’s glib assertion and stopping too early in an investigation without seeking facts supportive of alternative explanations.

A red flag means only that further investigation is warranted; it definitely does not mean that the examiner should shut down all other avenues of investigation and it certainly does not mean that an attempt should ever be made to make the crime fit the person. In the sad case of Ray McCann, the police continued to pursue him to the exclusion of all others even though they had found someone else’s DNA on Jodi’s body. They never appeared to be even looking for any other suspect. Even when Daniel Furlong subsequently confessed to murdering Jodi, the local authorities still persisted in implying that Ray was somehow connected to the crime; in the face of all contradictory evidence, the police still stubbornly refused to let go of their original hypothesis.

As we pursue our work as forensic accountants and fraud examiners, we should be constantly reviewing our hypotheses and assessing our approaches.

• Are we trying to make evidence fit the facts as we initially suppose them to be?
• Are we ignoring evidence because it does not fit the story we’re trying to tell?
• Are we letting a particular person’s behavior cloud a more objective judgment of the totality of what’s going on?

Often, even after a person has been cleared of suspicion in a case, we hear parties involved in the investigation make statements along the lines of, “I just know they are good for something.” Fortunately, our practice is not founded on feelings and gut instincts; our practice, and profession, is one that relies on evidence. As you’re investigating a matter, keep in mind:

• Following your defined process and procedure throughout is paramount to investigative success. Even if someone or some aspect of a case looks totally transparent within the context of the investigation, be thorough and follow your evidence all the way through.

• If your findings do not support your original premise, don’t try to force things. Step back and ask yourself why this is the case. Ask yourself if you need to reconsider your foundational hypothesis.

• Beware of confirmation bias – that is be careful that you are not looking only for data that reinforces the conclusion(s) that you have already reached (and, in so doing, ignoring anything that might prove contradictory).

• Even if your team is determined to work the assignment in a particular direction, make sure you speak up and let them know about any reservations you might have. You may not have the popular position, but you may end up expressing the critical position if it turns out that there is other evidence in light of which the conclusions the team has made need to be adjusted.

In summary, when you feel it in your gut and you are absolutely sure that you are right about a hypothesis, it’s very difficult to look beyond your conviction and to see or even consider other options. It’s vital that you do so since, as the ACFE has pointed out so many times, there is a hefty price to be paid professionally for ignoring evidence which eventually proves to be critical simply because it appears not to corroborate your case. Due professional care requires a disposition to question all material assertions made by all respondents involved in the case whether oral or written. This attitude must be balanced with an open mind about the integrity of all concerned. We CFEs should neither blindly assume that everyone is dishonest nor thoughtlessly assume that those involved in our investigations are not ethically challenged. The key lies in the examiner’s attitude toward gathering the evidence necessary to reach reasonable and supportable investigative decisions.

The Client Requested Recommendation

We fraud examiners must be very circumspect about drawing conclusions. But who among us has not found him or herself in a discussion with a corporate counsel who wants a recommendation from us about how best to prevent the occurrence of a fraud in the future?  In most situations, the conclusions from a well conducted examination should be self-evident and should not need to be pointed out in the report. If the conclusions are not obvious, the report might need to be clarified. Our job as fraud examiners is to obtain sufficient relevant and reliable evidence to determine the facts with a reasonable degree of forensic certainty. Assuming facts without obtaining sufficient relevant and reliable evidence is generally inappropriate.

Opinions regarding technical matters, however, are permitted if the fraud examiner is qualified as an expert in the matter being considered (many fraud examiners are certified not only as CFEs but also as CPAs, CIAs or CISAs). For example, a permissible expert opinion, and accompanying client requested recommendation, might address the relative adequacy of an entity’s internal controls. Another opinion (and accompanying follow-on recommendation) might discuss whether financial transactions conform to generally accepted accounting principles. So, recommended remedial measures to prevent future occurrences of similar frauds are also essentially opinions, but are acceptable in fraud examination reports.

Although examiners should always be cautious in complying with client examination-related requests for recommendations regarding future fraud prevention, there is no question that such well-considered recommendations can greatly strengthen any client’s fraud prevention program. But requested recommendations can also become a point of contention with management, as they may suggest additional procedures for staff or offend members of management if not presented sensitively and correctly. Therefore, examiners should take care to consider ways of follow-on communication with the various affected stakeholders as to how their recommendations will help fix gaps in fraud prevention and mitigate fraud risks. Management and the stakeholders themselves will have to evaluate whether the CFE’s recommendations being provided are worth the investment of time and resources required to implement them (cost vs. benefit).

Broadly, an examination recommendation (whether included in the final report or not) is either a suggestion to fix an unacceptable scenario or a suggestion for improvement regarding a business process. At management’s request, fraud examination reports can provide recommendations to fix unacceptable fraud vulnerabilities because they are easy to identify and are less likely to be disputed by the business process owner. However, recommendations to fix gaps in a process only take the process to where it is expected to be and not where it ideally could be. The value of the fraud examiner’s solicited recommendation can lie not only in providing solutions to existing vulnerability issues but in instigating thought-provoking discussions. Recommendations also can include suggestions that can move the process, or the department being examined, to the next level of anti-fraud efficiency. When recommendations aimed at future prevention improvements are included, examination reports can become an additional tool in shaping the strategic fraud prevention direction of the client being examined.

An examiner can shape requested recommendations for fraud prevention improvement using sources both inside and outside the client organization. Internal sources of recommendations require a tactful approach as process owners may not be inclined to share unbiased opinions with a contracted CFE, but here, corporate counsel can often smooth the way with a well-timed request for cooperation. External sources include research libraries maintained by the ACFE, AICPA and other professional organizations.

It’s a good practice, if you expect to receive a request for improvement recommendations from management, to jot down fraud prevention recommendation ideas as soon as they come to mind, even though they may or may not find a place in the final report. Even if examination testing does not result in a specific finding, the CFE may still recommend improvements to the general fraud prevention process.

If requested, the examiner should spend sufficient time brainstorming potential recommendations and choosing their wording carefully to ensure their audience has complete understanding. Client requested recommendations should be written simply and should:

• Address the root cause if a control deficiency is the basis of the fraud vulnerability;
• Address the business process rather than a specific person;
• Include bullets or numbering if describing a process fraud vulnerability that has several steps;
• Include more than one way of resolving an issue identified in the observation, if possible. For example, sometimes a short-term manual control is suggested as an immediate fix in addition to a recommended automated control that will involve considerable time to implement;
• Position the most important observation or fraud risk first and the rest in descending order of risk;
• Indicate a suggested priority of implementation based on the risk and the ease of implementation;
• Explain how the recommendation will mitigate the fraud risk or vulnerability in question;
• List any recommendations separately that do not link directly to an examination finding but seek to improve anti-fraud processes, policies, or systems.

The ACFE warns that recommendations, even if originally requested by client management, will go nowhere if they turn out to be unvalued by that management. Therefore, the process of obtaining management feedback on proposed anti-fraud recommendations is critical to making them practical. Ultimately, process owners may agree with a recommendation, agree with part of the recommendation, or agree in principle while technological or personnel resource constraints won’t allow them to implement it. They also may choose to revisit the recommendation at a future date because the risk is not imminent, or disagree with the recommendation because of varying perceptions of risk or mitigating controls.

It’s my experience that management in the public sector can be averse to recommendations because of public exposure of their reports. Therefore, CFEs should clearly state in their reports if their recommendations do not correspond to any examination findings but are simply suggested improvements. More proposed fraud prevention recommendations do not necessarily mean there are more faults with the process, and this should be communicated clearly to the process owners.

Management responses should be added to the recommendations with identified action items and implementation timelines whenever possible. Whatever management’s response, a recommendation should not be changed if the response tends to dilute the examiner’s objectivity and independence and becomes representative of management’s opinions and concerns. It is the examiner’s prerogative to provide recommendations that the client has requested, regardless of whether management agrees with them. Persuasive and open-minded discussions with the appropriate levels of client management are important to achieving agreeable and implementable requested fraud prevention recommendations.

The journey from a client request for a fraud prevention recommendation to a final recommendation (whether included in the examination report or not) is complex and can be influenced by every stakeholder and constraint in the examination process, be it the overall posture of the organization toward change in general, its philosophy regarding fraud prevention, the scope of the individual fraud examination itself, views of the affected business process owner, experience and exposure of the examination staff, or available technology. However, CFEs understand that every thought may add value to the client’s fraud prevention program and deserves consideration by the examination team. The questions at the end of every examination should be: Did this examination align with the organization’s anti-fraud strategy and direction? How does our examination compare with the quality of practice as seen elsewhere? And finally, to what degree have the fraud prevention recommendations we were asked to make added value?