Category Archives: Fraud Prevention

Loose Ends

A forensic accountant colleague of mine often refers to “loose-ends”. In his telling, loose-ends are elements of an investigation that get over-looked or insufficiently investigated which have the power to come back and bite an examiner with ill effect. That a small anomaly may be a sign of fraud is a fact that is no surprise to any seasoned investigator. Since fraud is typically hidden, the discovery of fraud usually is unlikely, at least at the beginning, to involve a huge revelation.

The typical audit does not presume that those the auditor examiners and the documents s/he reviews have something sinister about them. The overwhelming majority of audits are conducted in companies in which material fraud does not exist. However, the auditor maintains constant awareness that material fraud could be present.

Imagine a policewoman walking down a dark alley into which she knows a suspect has entered just before her. She doesn’t know where the suspect is, but as she walks down that alley, she is acutely aware of and attuned to her surroundings. Her senses are at their highest level. She knows beyond the shadow of a doubt that danger lurks nearby.

Fraud audits (and audits in general) aren’t like that. Fraud audits are more like walking through a busy mall and watching normal people go about their daily activities. In the back of the examiner’s mind, he knows that among all the shoppers are a few, a very few, shoplifters. They look just like everyone else. The examiner knows they are there because statistical studies and past experience have shown that they are, but he doesn’t know exactly where or who they are or when he will encounter them, if at all. If he were engaged to find them, he would have to design procedures to increase the likelihood of discovery without in any way annoying the substantial majority of honest shoppers in whose midst they swim.

A fraud risk assessment evaluates areas of potential fraud to determine whether the current control structure and environment are addressing fraud risk at a level that aligns with the organization’s risk appetite and risk tolerance. Therefore, it is important during the development and implementation of the risk management program to specifically address various fraud schemes to establish the correct levels of control.

It occurred to me a while back that a fraud risk assessment can of thought of as ignoring a loose-end if it fails to include sufficient consideration of the client organization’s ethical dimension. That the ethical dimension is not typically included as a matter of course in the routine fraud risk assessment constitutes, to my mind, a lost opportunity to conduct a fuller, and potentially, a more useful assessment. As part of their assessments, today’s practitioners can potentially use surveys, Control Self-Assessment sessions, focus groups, and workshops with employees to take the organization’s ethical temperature and determine its ethical baseline. Under this expanded model, the most successful fraud risk assessment would include small brainstorming sessions with the operational management of the business process(s) under review. Facilitated by a Certified Fraud Examiner (CFE), these assessments would look at typical fraud schemes encountered in various areas of the organization and identify the internal controls designed to mitigate each of them. At a high level, this analysis examines internal controls and the internal control environment, as well as resources available to prevent, detect, and deter fraud.

Fraud risk assessments emphasize possible collusion and management overrides to circumvent internal controls. Although an internal control might be in place to prevent fraudulent activity, the analysis must consider how this control could be circumvented, manipulated, or avoided. This evaluation can help the CFE understand the actual robustness and resilience of the control and of the control environment and estimate the potential risk to the organization.

One challenge at this point in the process is ensuring that the analysis assesses not just roles, but also those specific individuals who are responsible for the controls. Sometimes employees will feel uncomfortable contemplating a fellow employee or manager perpetrating fraud. This is where an outside fraud expert like the CFE can help facilitate the discussion and ensure that nothing is left off the table. To ask and get the answers to the right questions, the CFE facilitator should help the respondents keep in mind that:

o Fraud entails intentional misconduct designed to avoid detection.
o Risk assessments identify where fraud might occur and who the potential perpetrator(s) might be.
o Persons inside and outside of the organization could perpetrate such schemes.
o Fraud perpetrators typically exploit weaknesses in the system of controls or may override or circumvent controls.
o Fraud perpetrators typically find ways to hide the fraud from detection.

It’s important to evaluate whether the organization’s culture promotes ethical or unethical decision-making. Unfortunately, many organizations have established policies and procedures to comply with various regulations and guidelines without committing to promoting a culture of ethical behavior. Simply having a code of conduct or an ethics policy is not enough. What matters is how employees act when confronted with an ethical choice; this is referred to by the ACFE as measuring the organization’s ethical baseline.

Organizations can determine their ethical baseline by periodically conducting either CFE moderated Control Self-Assessment sessions including employees from high-risk business processes, through an online survey of employees from various areas and levels within the organization, or through workshop-based surveys using a balloting tool that can keep responses anonymous. The broader the survey population, the more insightful the results will be. For optimal results, surveys should be short and direct, with no more than 15 to 20 questions that should only take a few minutes for most employees to answer. An important aspect of conducting this survey is ensuring the anonymity of participants, so that their answers are not influenced by peer pressure or fear of retaliation. The survey can ask respondents to rate questions or statements on a scale, ranging from 1—Strongly Disagree to 5—Strongly Agree. Sample statements might include:

1. Our organizational culture is trust-based.
2. Missing approvals are not a big deal here.
3. Strong personalities dominate most departments.
4. Pressure to perform outweighs ethical behavior.
5. I share my passwords with my co-workers.
6. Retaliation will not be accepted here.
7. The saying “Don’t rock the boat!” fits this organization.
8. I am encouraged to speak up whenever needed.
9. Ethical behavior is a top priority of management.
10.I know where I can go if I need to report a potential issue of misconduct.

The ethical baseline should not be totally measured on a point system, nor should the organization be graded based on the survey results. The results should simply be an indicator of the organization’s ethical environment and a tool to identify potential areas of concern. If repeated over time, the baseline can help identify both positive and negative trends. The results of the ethical baseline survey should be discussed by the CFE with management as part of a broader fraud risk assessment project. This is especially important if there are areas with a lack of consensus among the survey respondents. For example, if the answer to a question is split down the middle between strongly agree and strongly disagree, this should be discussed to identify the root cause of the variance. Most questions should be worded to either show strong ethical behaviors or to raise red flags of potential unethical issues or inability to report such issues promptly to the correct level in the organization.

In summary, the additional value created by combining of the results of the traditional fraud risk assessment with an ethical baseline assessment can help CFEs better determine areas of risk and control that should be considered in building the fraud prevention and response plans. For example, fraud risk schemes that are heavily dependent on controls that can be easily overridden by management may require more frequent assurance from prevention professionals than those schemes that are mitigated by system-based controls. And an organization with a weak ethical baseline may require more frequent assessment of detective control procedures than one with a strong ethical baseline, which might rely on broader entity-level controls. By adding ethical climate evaluation to their standard fraud risk assessment procedures, CFEs can tie up what otherwise might be a major loose-end in their risk evaluation.

Using Control to Foster a Culture of Honesty

One of the most frequent questions we seem to receive as practicing CFEs from clients and corporate counsel alike regards the proactive steps management can take to create what’s commonly designated a ‘culture of honesty’. What kinds of programs and controls can an entity implement to create such a culture and to prevent fraud?

The potential of being caught most often persuades likely perpetrators not to commit a contemplated fraud. As the ACFE has long told us, because of this principle, the existence of a thorough control system is essential to any effective program of fraud prevention and constitutes one of the most vital underpinnings of an honest culture.

Corporations and other organizations can be held liable for criminal acts committed as a matter of organizational policy. Fortunately, most organizations do not expressly set out to break the law. However, corporations and other organizations may also be held liable for the criminal acts of their employees if those acts are perpetrated in the course and scope of their employment and for the ostensible purpose of benefiting the corporation. An employee’s acts are considered to be in the course and scope of employment if the employee has actual authority or apparent authority to engage in those acts. Apparent authority means that a third party would reasonably believe the employee is authorized to perform the act on behalf of the company. Therefore, an organization could be held liable for something an employee does on behalf of the organization even if the employee is not authorized to perform that act.

An organization will not be vicariously liable for the acts of an employee unless the employee acted for the ostensible purpose of benefiting the corporation. This does not mean the corporation has to receive an actual benefit from the illegal acts of its employee. All that is required is that the employee intended to benefit the corporation. A company cannot seek to avoid vicarious liability for the acts of its employees by simply claiming that it did not know what was going on. Legally speaking, an organization is deemed to have knowledge of all facts known by its officers and employees. That is, if a prosecutor can prove that an officer or employee knew of conduct that raised a question as to the company’s liability, and the prosecutor can show that the company willfully failed to act to correct the situation, then the company may be held liable, even if senior management had no knowledge or suspicion of the wrongdoing.

In addition, the evolving legal principle of ‘conscious avoidance’ allows the government to prove the employer had knowledge of a particular fact which establishes liability by showing that the employer knew there was a high probability the fact existed and consciously avoided confirming the fact. Employers cannot simply turn a blind eye when there is reason to believe that there may be criminal conduct within the organization. If steps are not taken to deter the activity, the company itself may be found liable. The corporation can be held criminally responsible even if those in management had no knowledge of participation in the underlying criminal events and even if there were specific policies or instructions prohibiting the activity undertaken by the employee(s). The acts of any employee, from the lowest clerk on up to the CEO, can impute liability upon a corporation. In fact, a corporation can be criminally responsible for the collective knowledge of several of its employees even if no single employee intended to commit an offense. Thus, the combination of vicarious or imputed corporate criminal liability and the current U.S. Sentencing Guidelines for Organizations can create a risk for corporations today.

Although many of our client companies do not realize it, the current legal environment imposes a responsibility on companies to ferret out employee misconduct and to deal with any known or suspected instances of misconduct by taking timely and decisive measures.

First, the doctrine of accountability suggests that officers and directors aware of potentially illegal conduct by senior employees may be liable for any recurrence of similar misconduct and may have an obligation to halt and cure any continuing effects of the initial misconduct.

Second, the Corporate Sentencing Guidelines, provide stiff penalties for corporations that fail to take voluntary action to redress apparent misconduct by senior employees.

Third, the Private Litigation Securities Reform Act requires, as a matter of statute, that independent auditors look for, and assess, management’s response to indications of fraud or other potential illegality. Where the corporation does not have a history of responding to indications of wrongdoing, the auditors may not be able to reach a conclusion that the company took appropriate and prompt action in response to indications of fraud.

Fourth, courts have held that a director’s duty of care includes a duty to attempt in good faith to assure corporate information and reporting systems exist. These systems must be reasonably designed to provide senior management and the board of directors timely, accurate information which would permit them to reach informed judgments concerning the corporation’s compliance with law and its business performance. In addition, courts have also stated that the failure to create an adequate compliance system, under some circumstances, could render a director liable for losses caused by non-compliance with applicable legal standards. Therefore, directors should make sure that their companies have a corporate compliance plan in place to detect misconduct and deal with it effectively. The directors should then monitor the company’s adherence to the compliance program. Doing so will help the corporation avoid fines under the Sentencing Guidelines and help prevent individual liability on the part of the directors and officers.

The control environment sets the moral tone of an organization, influencing the control consciousness of the organization and providing a foundation for all other control components. This component considers whether managers and employees within the organization exhibit integrity in their activities. COSO envisions that upper management will be responsible for the control environment of organizations. Employees look to management for guidance in most business affairs, and organizational ethics are no different. It is important for upper management to operate in an ethical manner, and it is equally important for employees to view management in a positive light. Managers must set an appropriate moral tone for the operations of an organization.

In addition to merely setting a good example, however, COSO suggests that upper management take direct control of an organization’s efforts at internal controls. This idea should be regularly reinforced within the organization. There are several actions that management can take to establish the proper control environment for an organization and foster a culture of honesty. These include:

–The establishment of a code of ethics for the organization. The code should be disseminated to all employees and every new employee should be required to read and sign it. The code should also be disseminated to contractors who do work on behalf of the organization. Under certain circumstances, companies may face liability due to the actions of independent contractors. It is therefore very important to explain the organization’s standards to any outside party with whom the organization conducts business.

–Careful screening of job applicants. One of the easiest ways to establish a strong moral tone for an organization is to hire morally sound employees. Too often, the hiring process is conducted in a slipshod manner. Organizations should conduct thorough background checks on all new employees, especially managers. In addition, it is important to conduct thorough interviews with applicants to ensure that they have adequate skills to perform the duties that will be required of them.

–Proper assignment of authority and responsibility. In addition to hiring qualified, ethical employees, it is important to put these people in situations where they are able to thrive without resorting to unethical conduct. Organizations should provide employees with well-defined job descriptions and performance goals. Performance goals should be routinely reviewed to ensure that they do not set unrealistic standards. Training should be provided on a consistent basis to ensure that employees maintain the skills to perform effectively. Regular training on ethics will also help employees identify potential trouble spots and avoid getting caught in compromising situations. Finally, management should quickly determine where deficiencies in an employee’s conduct exist and work with the employee to fix the problem.

–Effective disciplinary measures. No control environment will be effective unless there is consistent discipline for ethical violations. Consistent discipline requires a well-defined set of sanctions for violations, and strict adherence to the prescribed disciplinary measures. If one employee is punished for an act and another employee is not punished for a similar act, the moral force of the company’s ethics policy will be diminished. The levels of discipline must be sufficient to deter violations. It may also be advisable to reward ethical conduct. This will reinforce the importance of organizational ethics in the eyes of employees.

Monitoring is the process that assesses the quality of a control environment over time. This component should include regular evaluations of the entire control system. It also requires the ongoing monitoring of day-to-day activities by managers and employees. This may involve reviewing the accuracy of financial information, or verifying inventories, supplies, equipment and other organization assets. Finally, organizations should conduct independent evaluations of their internal control systems. An effective monitoring system should provide for the free flow of upstream communication.

Fraud Prevention Oriented Data Mining

One of the most useful components of our Chapter’s recently completed two-day seminar on Cyber Fraud & Data Breaches was our speaker, Cary Moore’s, observations on the fraud fighting potential of management’s creative use of data mining. For CFEs and forensic accountants, the benefits of data mining go much deeper than as just a tool to help our clients combat traditional fraud, waste and abuse. In its simplest form, data mining provides automated, continuous feedback to ensure that systems and anti-fraud related internal controls operate as intended and that transactions are processed in accordance with policies, laws and regulations. It can also provide our client managements with timely information that can permit a shift from traditional retrospective/detective activities to the proactive/preventive activities so important to today’s concept of what effective fraud prevention should be. Data mining can put the organization out front of potential fraud vulnerability problems, giving it an opportunity to act to avoid or mitigate the impact of negative events or financial irregularities.

Data mining tests can produce “red flags” that help identify the root cause of problems and allow actionable enhancements to systems, processes and internal controls that address systemic weaknesses. Applied appropriately, data mining tools enable organizations to realize important benefits, such as cost optimization, adoption of less costly business models, improved program, contract and payment management, and process hardening for fraud prevention.

In its most complex, modern form, data mining can be used to:

–Inform decision-making
–Provide predictive intelligence and trend analysis
–Support mission performance
–Improve governance capabilities, especially dynamic risk assessment
–Enhance oversight and transparency by targeting areas of highest value or fraud risk for increased scrutiny
–Reduce costs especially for areas that represent lower risk of irregularities
–Improve operating performance

Cary emphasized that leading, successful organizational implementers have tended to take a measured approach initially when embarking on a fraud prevention-oriented data mining initiative, starting small and focusing on particular “pain points” or areas of opportunity to tackle first, such as whether only eligible recipients are receiving program funds or targeting business processes that have previously experienced actual frauds. Through this approach, organizations can deliver quick wins to demonstrate an early return on investment and then build upon that success as they move to more sophisticated data mining applications.

So, according to ACFE guidance, what are the ingredients of a successful data mining program oriented toward fraud prevention? There are several steps, which should be helpful to any organization in setting up such an effort with fraud, waste, abuse identification/prevention in mind:

–Avoid problems by adopting commonly used data mining approaches and related tools.

This is essentially a cultural transformation for any organization that has either not understood the value these tools can bring or has viewed their implementation as someone else’s responsibility. Given the cyber fraud and breach related challenges faced by all types of organizations today, it should be easier for fraud examiners and forensic accountants to convince management of the need to use these tools to prevent problems and to improve the ability to focus on cost-effective means of better controlling fraud -related vulnerabilities.

–Understand the potential that data mining provides to the organization to support day to day management of fraud risk and strategic fraud prevention.

Understanding, both the value of data mining and how to use the results, is at the heart of effectively leveraging these tools. The CEO and corporate counsel can play an important educational and support role for a program that must ultimately be owned by line managers who have responsibility for their own programs and operations.

–Adopt a version of an enterprise risk management program (ERM) that includes a consideration of fraud risk.

An organization must thoroughly understand its risks and establish a risk appetite across the enterprise. In this way, it can focus on those area of highest value to the organization. An organization should take stock of its risks and ask itself fundamental questions, such as:

-What do we lose sleep over?
-What do we not want to hear about us on the evening news or read about in the print media or on a blog?
-What do we want to make sure happens and happens well?

Data mining can be an integral part of an overall program for enterprise risk management. Both are premised on establishing a risk appetite and incorporating a governance and reporting framework. This framework in turn helps ensure that day-to-day decisions are made in line with the risk appetite, and are supported by data needed to monitor, manage and alleviate risk to an acceptable level. The monitoring capabilities of data mining are fundamental to managing risk and focusing on issues of importance to the organization. The application of ERM concepts can provide a framework within which to anchor a fraud prevention program supported by effective data mining.

–Determine how your client is going to use the data mined information in managing the enterprise and safeguarding enterprise assets from fraud, waste and abuse.

Once an organization is on top of the data, using it effectively becomes paramount and should be considered as the information requirements are being developed. As Cary pointed out, getting the right data has been cited as being the top challenge by 20 percent of ACFE surveyed respondents, whereas 40 percent said the top challenge was the “lack of understanding of how to use analytics”. Developing a shared understanding so that everyone is on the same page is critical to success.

–Keep building and enhancing the application of data mining tools.

As indicated above, a tried and true approach is to begin with the lower hanging fruit, something that will get your client started and will provide an opportunity to learn on a smaller scale. The experience gained will help enable the expansion and the enhancement of data mining tools. While this may be done gradually, it should be a priority and not viewed as the “management reform initiative of the day. There should be a clear game plan for building data mining capabilities into the fiber of management’s fraud and breach prevention effort.

–Use data mining as a tool for accountability and compliance with the fraud prevention program.

It is important to hold managers accountable for not only helping institute robust data mining programs, but for the results of these programs. Has the client developed performance measures that clearly demonstrate the results of using these tools? Do they reward those managers who are in the forefront in implementing these tools? Do they make it clear to those who don’t that their resistance or hesitation are not acceptable?

–View this as a continuous process and not a “one and done” exercise.

Risks change over time. Fraudsters are always adjusting their targets and moving to exploit new and emerging weaknesses. They follow the money. Technology will continue to evolve, and it will both introduce new risks but also new opportunities and tools for management. This client management effort to protect against dangers and rectify errors is one that never ends, but also one that can pay benefits in preventing or managing cyber-attacks and breaches that far outweigh the costs if effectively and efficiently implemented.

In conclusion, the stark realities of today’s cyber related challenges at all levels of business, private and public, and the need to address ever rising service delivery expectations have raised the stakes for managing the cost of doing business and conducting the on-going war against fraud, waste and abuse. Today’s client-managers should want to be on top of problems before they become significant, and the strategic use of data mining tools can help them manage and protect their enterprises whilst saving money…a win/win opportunity for the client and for the CFE.

The Client Requested Recommendation

We fraud examiners must be very circumspect about drawing conclusions. But who among us has not found him or herself in a discussion with a corporate counsel who wants a recommendation from us about how best to prevent the occurrence of a fraud in the future?  In most situations, the conclusions from a well conducted examination should be self-evident and should not need to be pointed out in the report. If the conclusions are not obvious, the report might need to be clarified. Our job as fraud examiners is to obtain sufficient relevant and reliable evidence to determine the facts with a reasonable degree of forensic certainty. Assuming facts without obtaining sufficient relevant and reliable evidence is generally inappropriate.

Opinions regarding technical matters, however, are permitted if the fraud examiner is qualified as an expert in the matter being considered (many fraud examiners are certified not only as CFE’s but also as CPA’s, CIA’s or CISA’s).  For example, a permissible expert opinion, and accompanying client requested recommendation, might address the relative adequacy of an entity’s internal controls. Another opinion (and accompanying follow-on recommendation) might discuss whether financial transactions conform to generally accepted accounting principles. So, recommended remedial measures to prevent future occurrences of similar frauds are also essentially opinions, but are acceptable in fraud examination reports.

Given that examiners should always be cautious in complying with client examination related requests for recommendations regarding future fraud prevention, there is no question that such well-considered recommendations can greatly strengthen any client’s fraud prevention program.  But requested recommendations can also become a point of contention with management, as they may suggest additional procedures for staff or offend members of management if not presented sensitively and correctly. Therefore, examiners should take care to consider ways of follow-on communication with the various effected stakeholders as to how their recommendations will help fix gaps in fraud prevention and mitigate fraud risks.  Management and the stakeholders themselves will have to evaluate whether the CFE’s recommendations being provided are worth the investment of time and resources required to implement them (cost vs. benefit).

Broadly, an examination recommendation (where included in the final report or not) is either a suggestion to fix an unacceptable scenario or a suggestion for improvement regarding a business process.  At management’s request, fraud examination reports can provide recommendations to fix unacceptable fraud vulnerabilities because they are easy to identify and are less likely to be disputed by the business process owner. However, recommendations to fix gaps in a process only take the process to where it is expected to be and not where it ideally could be. The value of the fraud examiner’s solicited recommendation can lie not only in providing solutions to existing vulnerability issues but in instigating thought-provoking discussions.  Recommendations also can include suggestions that can move the process, or the department being examined to the next level of anti-fraud efficiency.  When recommendations aimed at future prevention improvements are included, examination reports can become an additional tool in shaping the strategic fraud prevention direction of the client being examined.

An examiner can shape requested recommendations for fraud prevention improvement using sources both inside and outside the client organization. Internal sources of recommendations require a tactful approach as process owners may not be inclined to share unbiased opinions with a contracted CFE, but here, corporate counsel can often smooth the way with a well-timed request for cooperation. External sources include research libraries maintained by the ACFE, AICPA and other professional organizations.

It’s a good practice, if you expect to receive a request for improvement recommendations from management, to jot down fraud prevention recommendation ideas as soon as they come to mind, even though they may or may not find a place in the final report. Even if examination testing does not result in a specific finding, the CFE may still recommend improvements to the general fraud prevention process.

If requested, the examiner should spend sufficient time brainstorming potential recommendations and choosing their wording carefully to ensure their audience has complete understanding. Client requested recommendations should be written simply and should:

–Address the root cause if a control deficiency is the basis of the fraud vulnerability;
–Address the business process rather than a specific person;
–Include bullets or numbering if describing a process fraud vulnerability that has several steps;
–Include more than one way of resolving an issue identified in the observation, if possible. For example, sometimes a short-term manual control is suggested as an immediate fix in addition to a recommended automated control that will involve considerable time to implement;
–Position the most important observation or fraud risk first and the rest in descending order of risk;
–Indicate a suggested priority of implementation based on the risk and the ease of implementation;
–Explain how the recommendation will mitigate the fraud risk or vulnerability in question;
–List any recommendations separately that do not link directly to an examination finding but seek to improve anti-fraud processes, policies, or systems.

The ACFE warns that recommendations, even if originally requested by client management, will go nowhere if they turn out to be unvalued by that management. Therefore, the process of obtaining management feedback on proposed anti-fraud recommendations is critical to make them practical. Ultimately, process owners may agree with a recommendation, agree with part of the recommendation, and agree in principle, but technological or personnel resource constraints won’t allow them to implement it.  They also may choose to revisit the recommendation at a future date as the risk is not imminent or disagree with the recommendation because of varying perceptions of risk or mitigating controls.

It’s my experience that management in the public sector can be averse to recommendations because of public exposure of their reports. Therefore, CFEs should clearly state in their reports if their recommendations do not correspond to any examination findings but are simply suggested improvements. More proposed fraud prevention recommendations do not necessarily mean there are more faults with the process, and this should be communicated clearly to the process owners.

Management responses should be added to the recommendations with identified action items and implementation timelines whenever possible. Whatever management’s response, a recommendation should not be changed if the response tends to dilute the examiner’s objectivity and independence and becomes representative of management’s opinions and concerns. It is the examiner’s prerogative to provide recommendations that the client has requested, regardless of whether management agrees with them. Persuasive and open-minded discussions with the appropriate levels of client management are important to achieving agreeable and implementable requested fraud prevention recommendations.

The journey from a client request for a fraud prevention recommendation to a final recommendation (whether included in the examination report or not) is complex and can be influenced by every stakeholder and constraint in the examination process, be it the overall posture of the organization toward change in general, its philosophy regarding fraud prevention, the scope of the individual fraud examination itself, views  of the effected business process owner, experience and exposure of the examination staff, or available technology. However, CFEs understand that every thought may add value to the client’s fraud prevention program and deserves consideration by the examination team. The questions at the end of every examination should be, did this examination align with the organization’s anti-fraud strategy and direction? How does our examination compare with the quality of practice as seen elsewhere? And finally, to what degree have the fraud prevention recommendations we were asked to make added value?

What am I Bid!

A couple of recently reported high profile cases (one from the governmental and one from the private sector), involving bid rigging in the mid-western construction industry merit a consideration of the principle fraud scenarios involved.  The ACFE tells us that in a legitimate competitive bidding process, vendors submit confidential bids stating the price at which they will complete a contract or project, based on the specifications set forth by the purchasing company. Legally, all bidders are supposed to be able to bid under the same terms and conditions. Bid-rigging schemes occur when an employee fraudulently assists a vendor in winning a contract. The competitive bidding process can be tailor-made for bribery, as several suppliers or contractors vie for contracts in what can be a very cutthroat environment. An “inside influence” can ensure that a vendor wins the sought-after contract; thus, many vendors are willing to pay for this influence.

The way competitive bidding is rigged depends largely upon the level of influence of the corrupt employee. The more power a person has over the bidding process, the more likely the person will be able to influence the selection of a supplier. Therefore, employees who participate in bid-rigging schemes tend to have major influence over the competitive bidding process. Potential targets for accepting bribes include buyers, contracting officials, engineers and technical representatives, quality or product assurance representatives, subcontractor liaison employees, or anyone else with authority over the contract awards.

Bid-rigging schemes can be categorized based on the stage of bidding at which the fraudster exerts his or her influence. Thus, bid-rigging schemes can be separated into three categories: pre-solicitation phase, solicitation phase, and submission phase.

–Pre-solicitation fraud: This occurs before bids are officially sought for a project. There are two distinct types of pre-solicitation phase bid rigging scenarios. The first is a need recognition scenario in which an employee is paid to convince her company that a project is necessary. The result of such a scheme is that the victim company purchases unnecessary goods or services from a supplier at the direction of the corrupt employee. The second is a specifications scenario, in which a contract is tailored to the strengths of a supplier: the vendor and an employee set the specifications of the contract to accommodate the vendor’s capabilities.

–Solicitation fraud: During this phase, the purchaser requests bids from potential contractors. Fraudsters attempt to influence the selection of a contractor by restricting the pool of competitors from whom bids are sought. In other words, a corrupt vendor pays an employee to assure that one or more of the vendor’s competitors do not get to bid on the contract. Thus, the corrupt vendor can improve its chances of winning the job. There are several different variations of basic  solicitation schemes:

-Bid-pooling: Several bidders conspire to split up contracts, assuring that each gets a certain amount of work. Instead of submitting confidential bids, the vendors discuss what their bids will be, so they can guarantee that each vendor will win a share of the purchasing company’s business. Furthermore, since the vendors plan their bids in advance, they can conspire to raise their prices.

-Bid-splitting: Some companies and government divisions require that a purchase or contract over a certain dollar amount go through a formal bidding process. In these cases, a company pays an employee to split a contract into small dollar amounts that will not require a formal bid. Then, the employee simply gives the contract to the vendor offering the kickback, thus avoiding the bidding process altogether.

-Fictitious suppliers: Another way to eliminate competition is to solicit bids from fictitious suppliers. The perpetrator uses quotes from several fictitious companies to demonstrate competitive pricing on final contracts. In other words, bogus price quotes can validate actual (and inflated) pricing of an accepted contract.

-Time advantages: Competition can be limited by severely restricting the time for submitting bids. That way, certain suppliers are given advance notice of contracts before bid solicitation, so they have adequate time to prepare. These vendors have a decided advantage over the competition. A vendor can also pay an employee to turn over the specifications to him or her earlier than to his or her competitors.

-Limited scope of solicitations: Bids can be solicited in obscure publications or during holiday periods, so some vendors are unlikely to see them. This eliminates potential rivals and creates an advantage for corrupt suppliers. In more blatant cases, the bids of outsiders are accepted but are “lost” or improperly disqualified by the corrupt employee of the purchaser.

–Submission fraud: During this phase, bids are given to the buyer. Competitive bids are confidential and are supposed to remain sealed until the date all bids are opened and examined. People with access to sealed bids are often the targets of unethical vendors. Some vendors will pay to submit their bid last, knowing what others bid or to see competitors’ bids and adjust their own bid accordingly.

In bid-rigging scenarios, an employee sells his influence or access to confidential information. Since information can be copied or sold without taking it outside the organization, there is no missing asset to conceal. The perpetrator merely must conceal the use of influence or the transfer of information. S/he also needs to ensure that all of the appropriate documentation is available in case someone reviews his or her decisions. An illegally won contract results in profits that a vendor would not have earned under normal conditions. The vendor employee responsible for arranging the bid-rigging can be rewarded with cash, a promotion, power, or prestige.

Companies are far from defenseless in controlling for these types of abuses.  CFEs and other assurance professionals can proactively advise on the setting up of policies and on the establishment of controls over the bidding process and by helping to verify, through on-going testing, that they are enforced.  In reviewing the bid-letting process, management or its auditors should look for:

-Premature disclosure of information (by buyers or firms participating in design and engineering), indicating that information was revealed to one bidder and not the others.
-Limited time for submission of bids (so only those with advance information have adequate time to prepare bids or proposals).
-Failure to make potential competitors aware of the solicitation, e.g., by using obscure publications to publish bid solicitations or the publication of bid solicitations during holidays.
-Vague solicitations regarding time, place, or other requirements for submitting acceptable bids.
-Inadequate control over number and destination of bid packages sent to interested bidders.
-Purchasing employee helps contractor prepare a bid.
-Failure to amend solicitation to include necessary bid clarification, such as notifying one contractor of changes that can be made following the bid.

Clients should also be advised to examine contract specifications before bids are solicited and to check for any of the following conditions:

-Instances of unnecessary specifications, especially where they might limit the number of qualified bidders.
-Requirements inadequately described. A vendor might bribe an employee to prepare vague specifications with the intention of charging more money after being accepted as the approved vendor.
-Specifications developed with the help of a contractor or consultant who will be permitted to bid or work on the contract.

We can also advise our clients to closely review bid acceptances to ensure that all policies and controls were enforced. Specifically, they should look for the following:

-Specifications tailored to a particular vendor.
-Unreasonably restrictive pre-qualifications.
-An employee who defines a “need” that could only be met by one supplier.
-An employee who justifies a sole-source or noncompetitive procurement process.
-Changes in a bid once other bidders’ prices are known, sometimes accomplished through deliberate mistakes “planted” in a bid.
-Bids accepted after the due date.
-Low bidder withdraws to become a subcontractor on the same contract.
-Falsified documents or receipt dates (to get a late bid accepted).
-Falsification of contractor qualifications, work history, facilities, equipment, or personnel.

Clients are also well advised to examine contracts relative to other contracts. Determine if any of the following conditions exist:

-A large project condensed into smaller projects to avoid the bid process or other control procedures.
-Backup suppliers that are scarce or nonexistent (this may reveal an unusually strong attachment to a primary supplier that is bribing an employee).
-Large write-offs of surplus supplies (this may indicate excessive purchases from a supplier that is bribing a purchasing agent).

Clients might additionally look for indications that bidders are in collusion, such as:

-Improper communication by purchasers with contractors or their representatives at trade or professional meetings.
-A bidders’ conference, which permits improper communications between contractors, who then can rig bids.
-Determine if purchasing agents have a financial interest in the contractor or have had discussions regarding employment.

CFEs, equipped with their in-depth knowledge of fraud scenarios, can bring powerful antifraud controls to any enterprise habitually involved in a competitive bidding process as a core component of its business strategy.

People, People & People

Our Chapter’s Vice-President Rumbi Petrolozzi’s comment in her last blog post to the effect that one of the most challenging tasks for the forensic accountant or auditor working proactively is defining the most effective and efficient scope of work for a risk-based assurance project. Because resources are always scarce, assurance professionals need to make sure they can meet both quality and scheduling requirements whilst staying within our fixed resource and cost constraints.

An essential step in defining the scope of a project is identifying the critical risks to review and the controls required to manage those risks. An efficient scope focuses on the subset of controls (i.e., the key controls) necessary to provide assurance. Performing tests of controls that are not critical is not efficient. Similarly, failing to test controls that could be the source of major fraud vulnerabilities leads to an ineffective audit.  As Rumbi points out, and too often overlooked, the root cause of most risk and control failures is people. After all, outstanding people are required to make an organization successful, and failing to hire, retain, and train a competent team of employees inevitably leads to business failure.

In an interview, a few decades ago, one of America’s most famous business leaders was asked what his greatest challenges were in turning one of his new companies around from failure to success. He is said to have responded that his three greatest challenges were “people, people, and people.” Certainly, when assurance professionals or management analyze the reasons for data breaches and control failures, people are generally found to be the root cause. For example, weaknesses may include (echoing Rumbi):

Insufficiently trained personnel to perform the work. A common material weakness in compliance with internal control over financial reporting requirements is a lack of experienced financial reporting personnel within a company. In more traditional anti-fraud process reviews, examiners often find that control weaknesses arise because individuals don’t understand the tasks they have to perform.

Insufficient numbers to perform the work. When CPAs find that important reconciliations are not performed timely, inventories are not counted, a backlog in transaction processing exists, or agreed-upon corrective actions to address prior audit findings aren’t completed, managers frequently offer the excuse that their area is understaffed.

Poor management and leadership. Fraud examiners find again and again, that micromanagers and dictators can destroy a solid finance function. At the other end of the spectrum, the absence of leadership, motivation, and communication can cause whole teams to flounder. Both situations generally lead to a failure to perform key controls consistently. For example, poor managers have difficulty retaining experienced professionals to perform account reconciliations on time and with acceptable levels of quality leading directly to an enhanced level of vulnerability to numerous fraud scenarios.

Ineffective human resource practices. In some cases, management may choose to accept a certain level of inefficiency and retain individuals who are not performing up to par. For instance, in an example cited by one of our ACFE training event speakers last year, the financial analysis group of a U.S. manufacturing company was failing to provide management with timely business information. Although the department was sufficiently staffed, the team members were ineffective. Still, management did not have the resolve to terminate poor performers, for fear it would not be possible to hire quality analysts to replace the people who were terminated.

In such examples, people-related weaknesses result in business process key control failures often leading to the facilitation of subsequent frauds. The key control failure was the symptom, and the people-related weakness was the root cause. As a result, the achievement of the business objective of fraud prevention is rendered at risk.

Consider a fraud examiner’s proactive assessment of an organization’s procurement function. If the examiner finds that all key controls are designed adequately and operating effectively, in compliance with company policy, and targeted cost savings are being generated, should s/he conclude the controls are adequate? What if that department has a staff attrition rate of 25 percent and morale is low? Does that change the fraud vulnerability assessment? Clearly, even if the standard set of controls were in place, the function would not be performing at optimal levels.  Just as people problems can lead to risk and control failures, exceptional people can help a company achieve success. In fact, an effective system of internal control considers the adequacy of controls not only to address the risks related to poor people-related management but also to recognize reduction in fraud vulnerability due to excellence in people-related management.

The people issue should be addressed in at least two phases of the assurance professional’s review process: planning and issue analysis (i.e., understanding weaknesses, their root cause, and the appropriate corrective actions).  In the planning phase, the examiner should consider how people-related anti-fraud controls might impact the review and which controls should be included in the scope. The following questions might be considered in relation to anti-fraud controls over staffing, organization, training, management and leadership, performance appraisals, and employee development:

–How significant would a failure of people-related controls be to the achievement of objectives and the management of business risk covered by the examination?
–How critical is excellence in people management to the achievement of operational excellence related to the objectives of the review?

Issue analysis requires a different approach. Reviewers may have to ask the question “why” three or more times before they get to the root cause of a problem. Consider the following little post-fraud dialogue (we’ve all heard variations) …

CFE: “Why weren’t the reconciliations completed on time?”
MANAGER. “Because we were busy closing the books and one staff member was on vacation.”
CFE: “You are still expected to complete the reconciliations, which are critical to closing the books. Even with one person on vacation, why were you too busy?”
MANAGER: “We just don’t have enough people to get everything done, even when we work through weekends and until late at night.”
CFE: “Why don’t you have enough people?”
MANAGER: “Management won’t let me hire anybody else because of cost constraints.”
CFE: “Why won’t management let you hire anybody? Don’t they realize the issue?”
MANAGER: “Well, I think they do, but I have been so busy that I may not have done an effective job of explaining the situation. Now that you are going to write this up as a control weakness, maybe they will.”

The root cause of the problem in this scenario is that the manager responsible for reconciliations failed to provide effective leadership. She did not communicate the problem and ensure she had sufficient resources to perform the work assigned. The root cause is a people problem, and the reviewer should address that directly in his or her final report. If the CFE only reports that the reconciliations weren’t completed on time, senior management might only press the manager to perform better without understanding the post-fraud need for both performance improvement and additional staff.

In many organizations, it’s difficult for a reviewer to discuss people issues with management, even when these issues can be seen to directly and clearly contribute to fraud vulnerably. Assurance professionals may find it tricky, for political reasons to recommend the hiring of additional staff or to explain that the existing staff members do not have the experience or training necessary to perform their assigned tasks. Additionally, we are likely to run into political resistance when reporting management and leadership failure. But, that’s the job assurance professionals are expected to perform; to provide an honest, objective assessment of the condition of critical anti-fraud controls including those related to people.  If the scope of our work does not consider people risks, or if reviewers are unable to report people-related weaknesses, we are not adding the value we should. We’re also failing to report on matters critical to the maintenance and extension of the client’s anti-fraud program.

The Sword of Damocles

The media provide us with daily examples of the fact that technology is a double-edged sword. The technological advancements that make it easy for people with legitimate purposes to engage with our client businesses and governmental agencies also provide a mechanism for those bent on perpetrating theft and frauds of all kinds.

The access to services and information that customers have historically demanded has opened the flood gates through which disgruntled or unethical employees and criminals enter to commit fraud. Criminals are also exploiting the inadequacies of older fraud management policies or, in some instances, the overall lack thereof. Our parent organization, the Association of Certified Fraud Examiners (ACFE) has estimated that about 70 percent of all companies around the world experienced some type of fraud in 2016, with total global losses due to fraud exceeding US $4 trillion annually and expected to rise continually.  Organizations have incurred, on average, the loss of an estimated 7 percent of their annual revenues to fraud, with $994 billion of that total in the US alone. The ACFE has also noted that the frauds reported lasted a median length of 18 months before being detected. In addition to the direct impact of revenue loss, fraud erodes customer satisfaction and drains investments that could have been directed to corporate innovation and growth. Organizations entrusted with personally identifiable information are also held directly accountable in the eyes of the public for any breach. Surveys have shown that about one-third of fraud victims avoid merchants they blame for their victimization.

We assurance professionals know that criminals become continuously more sophisticated and the fraud they perpetrate increasingly complex. In response, the requirements for fraud risk management have significantly changed over the last few years. Fraud risk management is now not a by-product, but a purposeful choice intended to mitigate or eliminate an organizations’ exposure to the ethically challenged. Fraud risk management is no longer a “once and done” activity, but has become an on-going, ideally concurrent, program. As with all effective processes, it must be performed according to some design. To counter fraud, an organization must first understand its unique situation and the risk to which it may be exposed. This cannot be accomplished in a vacuum or through divination, but through structured analysis of an organization’s current state. Organizations are compelled by their increasingly cyber supported environments to establish an appropriate enterprise fraud risk management framework aligned with the organization’s strategic objectives and supported by a well-planned road map leading the organization to its properly defined target state of protection. Performing adequate analysis of the current state and projecting the organization goals considering that desired state is essential.  Analysis is the bedrock for implementation of any enterprise fraud risk management framework to effectively manage fraud risk.

Fraud risk management is thus both a top-down and a bottom-up process. It’s critical for an organization to establish and implement the right policies, processes, technology and supporting components within the organization and to diligently enforce these policies and processes collaboratively and consistently to fight fraud effectively across the organization. To counter fraud at an enterprise level, organizations should develop an integrated counter fraud program that enables information sharing and collaboration; the goal is to prevent first, detect early, respond effectively, monitor continuously and learn constantly. Counter fraud experience in both the public and for-profit sectors has resulted in the identification of a few critical factors for the successful implementation of enterprise-wide fraud risk management in the present era of advanced technology and big data.

The first is fraud risk management by design. Organizations like the ACFE have increasingly acknowledged the continuously emerging pattern of innovative frauds and the urgency on the part of all organizations to manage fraud risk on a daily, concurrent basis.  As a result, organizations have attempted implementation of the necessary management processes and solutions. However, it is not uncommon that our client organizations find themselves lacking in the critical support components of such a program.  Accordingly, their fraud risk mitigation efforts tend to be poorly coordinated and, sometimes, even reactionary. The fraud risk management capabilities and technology solutions in place are generally implemented in silos and disconnected across the organization.  To coordinate and guide the effort, the ACFE recommends implementation of the following key components:

— A rigorous risk assessment process — An organization must have an effective fraud risk assessment process to systematically identify significant fraud risk and to determine its individual exposure to such risk. The assessment may be integrated with an overall risk assessment or performed as a stand-alone exercise, but it should, at a minimum, include risk identification, risk likelihood, significance assessment and risk response; a component for fraud risk mitigation and implementation of compensating controls across the critical business processes composing the enterprise is also necessary for cost-effective fraud management.

–Effective governance and clearly defined organizational responsibilities — Organizations must commit to an effective governance process providing oversight of the fraud management process. The central fraud risk management program must be equipped with a clear charter and accountability that will provide direction and oversight for counter fraud efforts. The fraud risk must be managed enterprise-wide with transparency and communication integrated across the organization. The formally designated fraud risk program owner must be at a level from which clear management guidelines can be communicated and implemented.

–An integrated counter fraud framework and approach — An organization-wide counter fraud framework that covers the complete landscape of fraud management (from enterprise security, authentication, business process, and application policy and procedure controls, to transaction monitoring and management), should be established. What we should be looking for as CFEs in evaluating a client’s program is a comprehensive counter fraud approach to continually enhance the consistency and efficacy of fraud management processes and practices.

–A coordinated network of counter fraud capabilities — An organization needs a structured, coordinated system of interconnected capabilities (not a point solution) implemented through management planning and proper oversight and governance. The system should ideally leverage the capabilities of big data and consider a broad set of attributes (e.g., identity, relationships, behaviors, patterns, anomalies, visualization) across multiple processes and systems. It should be transparent across users and provide guidance and alerts that enable timely and smart anti-fraud related decisions across the organization.

Secondly, a risk-based approach. No contemporary organization gets to stand still on the path to fraud risk management. Criminals are not going to give organizations a time-out to plug any holes and upgrade their arsenal of analytical tools. Organizations must adopt a risk-based approach to address areas and processes of highest risk exposures immediately, while planning for future fraud prevention enhancements. Countering fraud is an ongoing and continually evolving process, and the journey to the desired target state is a balancing act across the organization.

Thirdly, continual organizational collaboration and systemic learning. Fraud detection and prevention is not merely an information-gathering exercise and technology adoption, but an entire life cycle with continuous feedback and improvement. It requires the organization’s commitment to, and implementation of continual systemic learning, data sharing, and communication. The organization also needs to periodically align the enterprise counter fraud program with its strategic plan.

Fourthly, big data and advanced analytics.  Technological breakthroughs and capabilities grounded in big data and analytics can help prevent and counter fraudulent acts that impact the bottom line and threaten brand value and customer retention. Big data technology can ingest data from any source, regardless of structure, volume or velocity. It can harness, filter and sift through terabytes of data, whether in motion or at rest, to identify and relate the elements of information that really matter to the detection of on-going as well as of potential frauds. Big data off-the-shelf solutions already provide the means to detect instances of fraud, waste, abuse, financial crimes, improper payments, and more. Big data solutions can also reduce complexity across lines of business and allow organizations to manage fraud pervasively throughout the entire life cycle of any business process.

In summary, smart organizations manage the sword of potential fraud threats with well-planned road maps supported by proper organization and governance.  They analyze their state to understand where they are, and implement an integrated framework of standard management processes to provide the guidance and methodology for effective, ethics based, concurrent anti-fraud practice. The management of fraud risk is an integral part of their overall risk culture; a support system of interconnected counter fraud capabilities integrated across systems and processes, enabled by a technology strategy and supporting formal enterprise level oversight and governance.

With a Little Help

by Rumbi Petrozzello, CPA/CFF, CFE
2018 Vice-President – Central Virginia Chapter ACFE

In November, my husband and I headed out to our usual spot, on Fourth Avenue in Brooklyn, to cheer for those running the New York marathon. A marathon, for those who don’t know, is 26.2 miles long. People who complete marathons get nothing but respect from me – success in marathoning only comes with a lot of dedication and training. Many people spend at least six months following a training plan that is not just about building distance. For instance, when learning (and it is learning) how to complete 26.2 miles of running (or walking for that matter) people must learn how to remain fueled and hydrated while running. This training also then applies to making lifestyle adjustments such as changing one’s diet and sleeping habits. Years ago, when I was training for the New York Marathon, friends knew to not call after 10PM because I was going to bed early to get enough sleep before early morning runs. I tried not to go out on Friday nights, because I went on my long runs on Saturday mornings and wanted to be energized for them. I spent a lot of time and energy doing research, talking to friends who were seasoned runners and even took running classes to improve my performance and chances of success during the race. Despite the very popular tag line “Just Do It”, a lot of work goes into even getting to that point.

The past few months, I have been doing quite a bit of work that involves assessing the controls that companies have over their systems to detect, deter and prevent fraud and error. Going in, the time energy and money that companies have put into all of this is impressive. They will have an audit committee, an internal audit function and a lot of documentation around what their systems are. There will be volumes of documentation on procedures and protocols and, at the very least, on paper, things look fantastic. However, when we start talking to employees about what their reality is, things often are very different. Some of the issues we found included:

• Staff who did not quite understand what some technical terms meant and, so ignored the parts they didn’t understand. We spoke with people who were very happy to perform and review controls, but they didn’t know how best to do that, and no one was telling them the how;

• Some staff did not understand why they were being asked to change things and, believing that what they had been doing for years constituted a good system, stuck with that;

• In some cases, it wasn’t clear just who was responsible for ownership of a process and that meant, often, that nothing ended up getting done;

• In other instances, staff were given such vague instructions that they resorted to making it up as they went along.

Having the rules is completely useless if your people don’t know what do with them and, just as importantly, why they’re doing what they’ve been asked to do in the first place. What is vital in all of this, is the proper training. As CFEs and Forensic Accountants, we are perfectly positioned to work with clients to ensure that controls and systems go beyond theory. So it’s vitally important for success to constantly work with clients to strengthen systems and controls. This can be done by recommending that our corporate clients:

• Provide training to employees. This training must include the identification of control owners and then the process of working directly with them to ensure that they understand what their roles are and specifically why they need to follow the steps being asked of them. Sometimes, when a control owner is given a requested role, they are told to “review” something. Review can mean anything and often what some people consider to be a review is insufficient for complete understanding. For instance, an employee may think that merely saying they checked something is sufficient. Or that having a verbal conversation is enough proof of review. Be sure to recommend to clients that they let employees know that there should be written evidence of a mandated review and to be equally sure to provide clear examples of what qualifies as evidence of that review.

• Review systems and controls to ensure that they address risks. A company may institute many systems and related procedures but, upon review, a CFE or forensic accountant may find inadequate segregation of duties. You may find that a supervisor is checking a team’s work, but no one is authorizing that supervisor’s. This becomes particularly risky if that supervisor has access to many aspects of the business. A CFE or forensic accountant, can review roles and duties to ensure that duties are sufficiently segregated.

• Training should be ongoing and updated for changes in the company as well as changes in technology and processes. At least once a year, employees should receive updated training and performance reviews. In this way, companies can also learn if there have been material changes that might lead to systems and processes having been adjusted in such a way as to create weakness and holes that could lead to future fraud or error.

It’s all well and good to have ads where famous people run, jump and play and tell you to “just do it”. I remember people rolling their eyes at me when I mentioned that I was dashing to running class – why do you have to learn how to run? Doesn’t everyone know how to do that? Yes, I could run, but with training, I ran a better marathon and lived to tell the tale (unlike the original guy). Yes, employees may know how to do the compliance and control work but as a CFE or forensic accountant, you can help a client company work with their employees to perform their work better, be aware of controls and be cognizant of risk and how to mitigate it. It’s so much better than just doing it.

Vendor Assessment – Backing Corporate Counsel

Pre-emptive fraud risk assessments targeting client vendor security are increasingly receiving CFE attention. This is because in the past several years, sophisticated cyber-adversaries have launched powerful attacks through vendor networks and connections and have siphoned off money, millions of credit card records and customers’ sensitive personal information.

There has, accordingly, been a noticeable jump in those CFE client organizations whose counsel attribute security incidents to current service providers, contractors and to former partners. The evolution of targets and threats outside the enterprise are powerfully influencing the current and near-future of the risk landscape. CFEs who regard these easily predicted changes in a strategic manner can proactively assist their client’s security and risk leadership to identify new fraud prevention opportunities while managing the emerging risk. To make this happen enterprises require adequate oversight insight into vendor involved fraud security risk as part of a comprehensive cyber-risk management policy.

Few managements anticipated only a few years ago that their connectivity with trusted vendors would ever result in massive on-line exploits on sister organizations like retailers and financial organizations, or, still less, that many such attacks would go undetected for months at a time. Few risk management programs of that time would have addressed such a risk, which represents not only a significant impact but whose occurrence is also difficult to predict. Such events were rare and typically beyond the realm of normal anticipation; Black Swan events, if you will. Then, attackers, organized cyber-criminals and some nation-states began capturing news headlines because of high-profile security breaches. The ACFE has long told us that one-third (32 percent) of fraud survey respondents report that insider crimes are costlier or more damaging than incidents perpetrated by outsiders and that employees are not the only source of insider threat; insider threat can also include former employees, service providers, consultants, contractors, suppliers and business partners.

Almost 500 such retailer breaches have been reported this year alone targeting credit card data, personal information, and sensitive financial information. There has, accordingly, been a massive regulatory response.  Regulators are revisiting their guidelines on vendor security and are directing regulated organizations to increase their focus on vendor risk as organizations continue to expand the number and complexities of their vendor relationships. For example, the US Office of the Comptroller of the Currency (0CC) and the Board of Governors of the US Federal Reserve System have released updated guidance on the risk management of third-party relationships. This guidance signals a fundamental shift in how retail financial institutions especially need to assess third-party relationships. In particular, the guidance calls for robust risk assessment and monitoring processes to be employed relative to third-party relationships and specifically those that involve critical activities with the potential to expose an institution to significant risk. CFEs and other assurance professionals can proactively assist the counsels of their client enterprises to elevate their vendor-related security practices to keep pace with ever-evolving fraud threats and security risk associated with their client’s third-party relationships.

Vendor risk oversight from a security point of view demands a program that covers the entire enterprise, outlining the policy and guidelines to manage and mitigate vendor security risk, combined with clearly articulated vendor contracts negotiated by the corporate counsel’s function. Such oversight will not only help organizations improve cybersecurity programs but also potentially advance their regulatory and legal standing in the future. What insights can CFEs, acting proactively, provide corporate counsel?

First, the need for executive oversight. Executive alignment and business context is critical for appropriate implementation throughout the organization. Proper alignment is like a command center, providing the required policies, processes and guidelines for the program. The decision to outsource is a strategic one and not merely a procurement decision. It is, therefore, of the utmost importance that executive committees provide direction for the vendor risk management program. The program can obtain executive guidance from:

–The compliance function to provide regulatory and other compliance requirements that have specific rules regarding vendor risk management to which the vendor organizations must adhere;

–The IT risk and control function to determine the risk and the risk level, depending on the nature of access/data sensitivity shared with the vendor(s). The vendor risk management program should utilize the key risk indicators provided by this function to address risk during vendor assessments;

–The contract governance function and corporate counsel to ensure that vendor contracts adequately address the need for security assessments and define vendors’ obligations to complete these assessments.

Most larger organizations today deal with a considerable amount of third parties and service providers. Missing contact information, responsibility matrices or updated contracts are typical areas of concern about which risk managers might have engaged CFEs initiate fraud risk assessments. This can pose a significant challenge, especially, when there are multiple teams involved to carry out the procurement business process. A vendor and contract database (VCD) ensures that an accurate and complete inventory of vendors is maintained, including other third-party relationships (e.g., joint ventures, utilities, business partners, fourth parties, etc.).

In effectively assessing a vendor risk management program, the CFE can’t conduct the same type of fraud risk assessment for all vendors. Rather, it’s necessary to identify those vendor services deemed to carry the greatest risk and to prioritize them accordingly. The first step is to understand which vendors and services are in the scope from an active fraud risk management perspective. Once this subset of vendors has been identified and prioritized, due diligence assessments are performed for the vendors, depending on the level of client internal versus vendor-owned fraud prevention and detection controls. The results of these assessments help establish the appropriate trust-level rating (TLR) and the future requirements in terms of CFE assisted reassessments and monitoring. This approach focuses resources on the vendor relationships that matter most, limiting unnecessary work for lower-risk relationships. For example, a vendor with a high TLR should be prioritized over a vendor with a low TLR.

Proper control and management of vendor risk requires continuous re-assessment. It’s important to decide the types of on-going assessments to be performed on vendors depending on the level of their TLR and the risk they represent.

Outsourced relationships usually go through iterations and evolve as they mature. As your client organizations strategize to outsource more, they should also validate trust level(s) in anticipation of more information and resources being shared. With technological advancements, a continuously changing business environment and increased regulatory demands, validating the trust level is a continuous exercise. To get the most rational and effective findings, it’s best to use the results of ongoing assessments. In such a reiterative process, it is necessary to continuously monitor and routinely assess vendors based on the trust level they carry. The program should share information about the vendor security posture and risk levels with corporate counsel or other executive sponsor, who can help the organization progress toward the target profile. Clearly communicating the fraud risk from a business perspective can be an additional feature, especially when reports are furnished to inform internal stakeholders, internal audit functions, lines of business and the board of directors, if necessary.

Vendor fraud risk management elevates information security from a technical control business process to an effective management business process. Regular fraud risk security assessments of vendors give organizations the confidence that their business is aware of the security risk involved and is effectively managing it by transferring, mitigating or accepting it. Comprehensive vendor security assessments provide enterprises with insight on whether their systems and data are being deployed consistently with their security policies. Vendor fraud risk management is not a mere project; it is an ongoing program and requires continuous trust to keep the momentum going. Once the foundational framework has been established, our client organizations can look at enhancing maturity through initiatives such as improving guidelines and procedures, rationalizing assessment questionnaires, and more automation. Awareness and communication are key to ensuring that the program is effective and achieves its intended outcome, securing enterprises together with all their business partners and vendors.

Internal Auditors as Fraud Auditors

Although fraud prevention is always more effective and less costly than fraud detection (and subsequent investigation), unfortunately prevention is not always possible. That’s why, as CFE’s and forensic accountants we should all be heavy promoters (and supporters) of client internal audit functions.  That is also why we should make it a goal that all employees of our client companies be trained in how to identify the major red flags of fraud they may encounter in their daily activities. Mastering key detection techniques is doubly essential for the internal audit and financial professionals employed by those same enterprises. Our Chapter has long preached that once internal auditors and financial managers know what to look for, there is an enhanced chance that fraud or suspicious activity will be detected one way or another, but only if the organization has the proper monitoring, reporting, and auditing procedures in place.

With that said, many organizations require internal audits of specific business processes and units only once every two or three years. In an age when so much can change so quickly in an internet dominated world, this approach is not the most effective insofar as fraud detection and prevention are concerned. This is especially so because conventional audits were most often not designed to detect fraud in the first place, usually focusing on specified groups of internal controls or compliance with existing policies, laws and regulations. That’s why the ACFE and Institute of Internal Auditors (IIA) now recommend that a fraud risk assessment (FRA) be conducted annually and that the fraud-auditing procedures designed to detect red flags in the high-risk areas identified by the FRA be incorporated into internal audit plans immediately.

There is often a fine line between detection and prevention. In fact, some detection steps overlap with prevention methods, as in the case of conflict of interest, where enforcing a management financial disclosure policy may both detect conflicting financial interests and prevent frauds resulting from them by virtue of the actual detection of the relationships. In most organizations, however, carefully assessing the description of prevention and detection controls demonstrates that there is usually a clear distinction between the two.

The IIA tell us that the internal audit function is a critical element in assessing the effectiveness of an institution’s internal control system. The internal audit consists of procedures to prevent or identify significant inaccurate, incomplete, or unauthorized transactions; deficiencies in safeguarding assets; unreliable financial reporting; and deviations from laws, regulations, and institutional policies. When properly designed and implemented, internal audits provide directors and senior management with timely information about weaknesses in the internal control system, facilitating prompt remedial action. Each institution should have an internal audit function appropriate to its size and the nature and scope of its activities.

This is a complex way of saying that our client’s internal audit function should focus on monitoring the institution’s internal controls, which, although not mentioned explicitly, include controls specifically designed to prevent fraud.  To effectively assess anti-fraud controls, auditors first must exercise detection techniques and procedures that confirm the existence of red flags or actual evidence of potential fraud in the risk areas identified by the FRA.

The Chief Internal Auditor is typically responsible for the following:

–Performing, or contracting for, a control risk assessment documenting the internal auditor’s understanding of significant business activities and associated risks. These assessments typically analyze the risks inherent in each business line, the mitigating control processes, and the resulting residual risk exposure;

–An internal audit plan responsive to results of the control risk assessment. This plan typically specifies key internal control summaries within each business activity, the timing and frequency of internal audit work, and the resource budget;

–An internal audit program that describes audit objectives and specifies procedures performed during each internal audit review;

–An audit report presenting the purpose, scope, and results of each audit. Work papers should be maintained to document the work performed and support audit findings.

There is a joint ACFE-IIA-AICPA document with which every CFE should be familiar.  ‘The Business Risk of Fraud’ provides clarity about the internal auditor’s role in detecting fraud in our client organization’s operations and financial statements. Specifically, the document states that internal auditors should consider the organization’s assessment of fraud risk when developing their annual audit plan and periodically assess management’s fraud detection capabilities. They should also interview and regularly communicate with those conducting the assessments, as well as with others in key positions throughout the company, to help them assess whether all fraud risks have been considered. Moreover, according to the document, when performing audits, internal auditors should devote sufficient time and attention to evaluating the “design and operation” of internal controls related to preventing and detecting significant fraud risks. They should exercise professional skepticism when reviewing activities to be on guard for the signs of potential fraud. Potential frauds uncovered during an engagement should be treated in accordance with a well-defined response plan consistent with professional and legal standards.

Among the most helpful guides for CFEs to recommend to clients for their internal auditors use in planning a detailed audit to detect fraud is the all-important SAS 99 which contains key fraud detection techniques including guidance on the performance of certain financial ratio analysis. Analytical procedures performed during planning may be helpful in identifying the risks of material misstatement due to fraud. However, because such analytical procedures generally use data aggregated at a high level, the results of those analytical procedures provide only a broad initial indication about whether a material misstatement of the financial statements may exist. Accordingly, the results of analytical procedures performed during planning should be considered along with other information gathered by the auditor in identifying the risks of material misstatement due to fraud.

SAS 99 was formulated with the aim of detecting fraud that has a direct impact on “material misstatement.” Essentially this means that anything in the organization’s financial activities that could result in fraud-related misstatements in its financial records should be audited for by using SAS 99 as a guide. SAS 99 breaks down the potential fraudulent causes of material misstatement into two categories:

1. Misstatement due to fraudulent financial reporting (i.e., “book cooking”);

2. Misstatement due to misappropriation of assets (i.e., theft).

The fraud auditing procedures of SAS 99, or of any other reputable audit guidance, can greatly assist internal auditors in distinguishing between actual fraud and error. Often the two have similar characteristics, with the key difference being that of the existence or absence of intent. Toward this end, SAS 99 and other key fraud auditing guidelines provide detailed procedures for gathering evidence of potential fraud based on the lists of fraud risks resulting from the client’s FRA. As SAS 99 states:

‘SAS 99. . . strongly recommend[s] direct involvement by internal auditors in the organization’s fraud-auditing efforts: Internal auditors may conduct proactive auditing to search for corruption, misappropriation of assets, and financial statement fraud. This may include the use of computer-assisted audit techniques to detect types of fraud. Internal auditors also can employ analytical and other procedures to isolate anomalies and perform detailed reviews of high-risk accounts and transactions to identify potential financial statement fraud. The internal auditors should have an independent reporting line directly to the audit committee, enabling them to express any concerns about management’s commitment to appropriate internal controls or to report suspicions or allegations of fraud involving senior management.

Specifically, SAS 99 provides a set of audit responses designed to gather hard evidence of potential fraud that could exist based on what the client organization learned from its FRA. These responses are critical to the auditor’s success in identifying clear red flags of potential fraud in our client’s operations. The responses are wide ranging and include anything from the application of appropriate ratio analytics, to thorough and detailed testing of controls governing specific business process procedures, to the analysis of anomalies in vendor or customer account activity. There are three broad categories into which such detailed internal audit fraud auditing responses fall:

1. The nature of auditing procedures performed may need to be changed to obtain evidence that is more reliable or to obtain additional corroborative information;
2. The timing of substantive tests may need to be modified. The auditor might conclude that substantive testing should be performed at or near the end of the reporting period to best address an identified risk of material misstatement due to fraud;
3. The extent of the procedures applied should reflect the assessment of the risks of material misstatement due to fraud. For example, increasing sample sizes or performing analytical procedures at a more detailed level may be appropriate.

The contribution of a fully staffed and management-supported internal audit function to a subsequent CFE conducted fraud examination can be extraordinary and its value never overstated; no client fraud prevention and detection program should ever be considered complete without one.