Category Archives: Fraud Prevention

Detect and Prevent

I got a call last week from a long term colleague, one of whose smaller client firms recently discovered a long running key-employee initiated fraud. My friend has been asked to assist her client in developing approaches to strengthen controls to, hopefully, prevent such disasters in the future.

ACFE training has consistently told us over the years, and daily experience repeatedly confirmed, that it is simply not possible or economical to stop all fraud before it happens. The only way for a retail concern to absolutely stop shoplifting might be to close and accept orders only over the Internet. Similarly, the only way for a bank to absolutely stop all loan fraud might be for it to stop lending money.

In general, my friend and I agreed during our conversation, that increasing preventive security can reduce fraud losses, but beyond some point, the cost of additional preventive security will exceed the related savings from reduced fraud losses. This is where detection comes in; it may be economical when prevention is not. One way to prevent a salesclerk from stealing from the register would be for the security department to carefully monitor, review, and approve every one of the clerk’s sales. However, it would likely be much more cost effective instead to implement a simple detective control: an end-of-shift reconciliation between the cash in the register and the transactions logged by the cash register during the clerk’s shift. If refunds are not given at the point of sale, the end-of-shift balance of cash in the register should equal the shift’s sales per the transaction logs minus the balance of cash in the register at the beginning of the shift. Any significant failure of these numbers to reconcile would amount to a red flag. Of course, further investigation could show that the clerk simply made an error and so did not commit fraud.

But the cost effectiveness of detective controls, like preventive controls, imposes limits. First, such controls are not cost free to implement, and improving detective controls may cost more than the results they provide. Second, detective controls produce both false positives and false negatives. A false positive occurs when a detective control signals a possible fraud that upon investigation turns up a reasonable explanation for the indicator. A false negative occurs when a detective control fails to signal a possible fraud when one exists. Reducing false negatives means increasing the fraud detection rate.

Similarly, the cost effectiveness of increasing preventive security has a limit as does the benefit of increasing the fraud detection rate. To increase the detection rate, it’s necessary to increase the frequency at which the detective control signals possible fraud. The result is more expensive investigations, and the cost of such additional investigations can exceed the resulting reduction in fraud losses.

As we all learned in undergraduate auditing, controls are essentially policies and procedures designed to minimize losses due to fraud or to other events such as errors or acts of nature. Corrective controls are merely special control types involved once a loss is known to exist. With respect to fraud, an important corrective control involves the investigation of potential frauds and the investigation and recovery process from discovered frauds.

More generally speaking, fraud investigations themselves serve not only a corrective function but also detective and preventive functions. Such investigations are detective of fraud to the extent that they follow up on fraud signals or red flags in order to confirm or disconfirm the presence of fraud. But once fraud is confirmed to exist, fraud examinations shift toward gathering evidence and become corrective by assisting in recovery from the perpetrator and other sources such as from insurance. Fraud investigations are also corrective in that they can lead to the revelation and repair of heretofore unknown weaknesses.

The end result is that the fraud investigation functions to correct the original loss, and the related discovery of the fraud scenario leads to prevention of similar losses in the future. In summary, the fraud examination has served to detect, correct, and prevent fraud. However, fraud investigations are not normally thought of as detective controls. This so is because fraud investigations tend to be much more costly than standard detective controls and therefore are normally used only when there is already some predication in the form of a fraud indicator triggered by a typical detective control. Therefore, the primary functions of fraud investigations are to address existing frauds and help to prevent future ones.

In some cases, the primary benefit of a fraud investigation might be to prevent future frauds. Even when recovery is impossible or impractical (e.g., because the thief has no assets), unwinding the fraud scheme may still have the benefit of leading to the prevention of the same scheme in the future. Furthermore, a company might benefit from spending a very large sum of money to investigate and prosecute a very small theft in order to deter other individuals from defrauding the company in the same way. Many State governments have statutes specifying that every fraud affecting governmental assets, whether large or small, must be fully investigated because taxpayer funds are involved (the assets affected are public property).

There is never a guarantee that investigating a fraud indicator will lead to the discovery of fraud. Depending on the situation, an investigation might lead to nothing at all (i.e., produce a reasonable explanation for the original red flag) or to the discovery of losses due to simple errors, waste, inefficiencies, or even uncontrollable events like acts of nature. If a lender is considering a loan application, a fraud indicator might indicate nothing, fraud, or an error. On the other hand, in regard to the possible theft of raw materials in a production process, a fraud indicator just might indicate undocumented waste or scrap.

Two important factors to consider concerning the general design of a fraud detection process are not only the costs and benefits of detecting, correcting, and preventing a given fraud scenario but also the costs and benefits of detecting, correcting, and preventing errors, waste, uncontrollable events, and inefficiencies in general. Of course, the particular costs that are relevant will vary from one type of business process to another.

As a general rule, we can say that both preventive controls and detective controls cost less than corrective controls. Corrective controls tend to involve hands-on, resource-intensive investigations, and in many cases, such investigations do not result in recovering the loss. On the other hand, preventive controls can also be quite costly. Banks pay armed guards and incur costs to maintain expensive vaults and alarm systems. Companies surround their headquarters with high fences and armed guards, and use security checkpoints and biometric key card systems inside. On the information technology side, firms use sophisticated firewalls and multi-layer access controls. The costs of all these preventive measures can add up to staggering sums in large companies. Of course, losses that are not prevented or corrected in a timely fashion can lead to the ultimate corrective measure: bankruptcy. In fact, some ACFE estimates show that about one-third of all business failures relate to some form of fraudulent activity.

One positive aspect of the cost of preventive controls is that unlike detective controls, they do not generate fraud indicators that lead to costly investigations. In fact, they tend to do their job in complete silence so that management never even knows when they prevent a fraud. The thick door of a bank vault with a time lock prevents bank employees from entering the building at night to steal its contents. Similarly, passwords, pin numbers, and biometric data silently provide access to authorized individuals and prevent access from others.

The problem with preventive controls is that they are always subject to circumvention by determined and cunning fraudsters. There is no perfect solution to preventing acts of fraud, so detection is necessary as a secondary line of defense, and in some cases, as the primary line of defense. Consider a lending company that accepts online loan applications. It may be difficult or impossible to prevent fraudulent applications, but the company can certainly put a sophisticated (and expensive) system in place to analyze applications and provide indicators that suggest when an application may be fraudulent.

In general, the optimal allocation of resources to prevention versus detection depends on the particular business process under consideration. So, there is no general rule that dictates the optimal allocation of resources between prevention versus detection. But there are some general steps that can assist in making the allocation:

1. Analyze the target business process and identify threats and vulnerabilities.
2. Select reasonable preventive controls according to the business process and customs within the client’s industry.
3. Estimate fraud losses given the assumed preventive controls.
4. Identify and add a basic set of detective controls to the system.
5. For a given set of detective controls, identify the optimal mix of false negatives versus false positives. The optimal mix depends on the costs of investigations versus the costs of losses. Large losses and small investigation costs favor relatively low false negatives and high false positives for red flags.
6. Given the assumed mix of false negative and false positive errors, estimate the incremental cost associated with adding the detective (and related corrective) controls, and estimate the resulting reduction in fraud losses.
7. Compare the reduction in fraud losses with the increase in costs associated with adding the optimal mix of detection and correction controls.
8. If increase in costs is significantly lower than the related reduction in fraud losses, consider adding more detective controls. Otherwise, accept the set of detective controls under consideration.

The Unsanctioned Invoice

Of all the frauds classified as occupational, one of the most pernicious encountered by CFEs is the personal purchase with company funds scam. I say pernicious because not only is this type of fraud a cancer, devouring it’s host organization from within, but also because this basic fraud scenario can take on so many different forms.

Instead of undertaking externally involved schemes to generate cash, many employed fraudsters choose to betray their employers by simply purchasing personal items with their company’s money. Company accounts are used by the vampires to buy items for their side businesses and for their families. The list of benefiting recipients goes on and on. In one case a supervisor started a company for his son and directed work to the son’s company. In addition to this ethically challenged behavior, the supervisor saw to it that his employer purchased all the materials and supplies necessary for running the son’s business. As the fraud matured, the supervisor purchased materials through his employer that were used to add a room to his own house. All in all, the perpetrator bought nearly $50,000 worth of supplies and materials for himself and various others using company money.

One might wonder why a purchases fraud is not classified by the ACFE as a theft of inventory or other assets rather than as a billing scheme. After all, in purchases schemes the fraudster buys something with company money, then takes the purchased item for himself or others. In the case cited above, the supervisor took building materials and supplies. How does this differ from those frauds where employees steal supplies and other materials? On first glance, the schemes appear very similar. In fact, the perpetrator of a purchases fraud is stealing inventory just as s/he would in any other-inventory theft scheme. Nevertheless, the heart of the scheme is not the taking of the inventory but the purchasing of the inventory. In other words, when an employee steals merchandise from a warehouse, s/he is stealing an asset that the company needs, an asset that it has on hand for a particular reason. The harm to the victim company is not only the cost of the asset, but the loss of the asset itself. In a purchasing scheme, on the other hand, the asset which is taken is superfluous. The perpetrator causes the victim company to order and pay for an asset which it does not really need in the course of business, so the only damage to the victim company is the money lost in purchasing the particular item. This is why purchasing schemes are categorized as invoice frauds.

Most of the employees identified by the ACFE as undertaking purchase schemes do so by running unsanctioned invoices through the accounts payable system. The fraudster buys an item and submits the bill to his employer as if it represented a purchase on behalf of the company. The goal is to have the company pay the invoice. Obviously, the invoice which the employee submits to his company is not legitimate. The main hurdle for a fraudster to overcome, therefore, is to avoid scrutiny of the invalid invoice and to obtain authorization for the bill to be paid.

As in the many cases of shell company related schemes we’ve written about on this blog, the person who engages in a purchases scheme is often the very person in the company whose duties include authorizing purchases. Obviously, proper controls should preclude anyone from approving her own purchases. Such poorly separated functions leave little other than her conscience to dissuade an employee from fraud. Nevertheless, CFEs see many examples of small to medium sized companies in which this lapse in controls exists. As the ACFE continues to point out, fraud arises in part because of a perceived opportunity. An employee who sees that no one is reviewing his or her actions is more likely to turn to fraud than one who knows that her company applies due diligence in the attempt to detect all employee theft.

An example of how poor controls can lead to fraud was the case where a manager of a remote location of a large, publicly traded company was authorized to both order supplies and approve vendor invoices for payment. For over a year, the manager routinely added personal items and supplies for his own business to orders made on behalf of his employer. The orders often included a strange mix of items; technical supplies and home furnishings might, for instance, be purchased in the same order. Because the manager was in a position to approve his own purchases, he could get away with such blatantly obvious frauds. In addition to ordering personal items, the perpetrator changed the delivery address for certain supplies so that they would be delivered directly to his home or side business. This scheme cost the victim company approximately $300,000 in unnecessary purchases. In a similar case, an employee with complete control of purchasing and storing supplies for his department bought approximately $100,000 worth of unnecessary supplies using company funds. The employee authorized both the orders and the payments. The excess supplies were taken to the perpetrator’s home where he used them to manufacture a product for his own business. It should be obvious that not only do poor controls pave the way for fraud, a lack of oversight regarding the purchasing function can allow an employee to remove huge amounts from the company’s bottom line.

Not all fraudsters are free to approve their own purchases. Those who cannot must rely on other methods to get their personal bills paid by the company. The chief control document in many voucher systems is the purchase order. When an employee wants to buy goods or services, s/he submits a purchase requisition to a superior. If the purchase requisition is approved, a purchase order is sent to a vendor. A copy of this purchase order, retained in the voucher, tells accounts payable that the transaction has been approved. Later, when an invoice and receiving report corresponding to this purchase order are assembled, accounts payable will issue a check.

So in order to make their purchases appear authentic, some fraudsters generate false purchase orders. In one case, an employee forged the signature of a division controller on purchase orders. Thus the purchase orders appeared to be authentic and the employee was able to buy approximately $3,000 worth of goods at his company’s expense. In another instance, a part time employee at an educational institution obtained unused purchase order numbers and used them to order computer equipment under a fictitious name. The employee then intercepted the equipment as it arrived at the school and loaded the items into his car. Eventually, the employee began using fictitious purchase order numbers instead of real ones. The scheme came to light when the perpetrator inadvertently selected the name of a real vendor. After scrutinizing the documents, the school knew that it had been victimized. In the meantime, the employee had bought nearly $8,000 worth of unnecessary equipment.

Purchase orders can also be altered by employees who seek to obtain merchandise at their employer’s expense. In one instance, several individuals conspired to purchase over $2 million worth of materials for their personal use. The ringleader of the scheme was a low-level supervisor who had access to the computer system which controlled the requisition and receipt of materials. This supervisor entered the system and either initiated orders of materials that exceeded the needs of a particular project or altered existing orders to increase the amount of materials being requisitioned. Because the victim organization had poor controls, it did not compare completed work orders on projects to the amount of materials ordered for those projects. This allowed the inflated orders to go undetected.

Another way for an employee to get a false purchase approved is to misrepresent the nature of the purchase. In many companies, those with the power to authorize purchases are not always attentive to their duties. If a trusted subordinate vouches for an acquisition, for instance, busy supervisors often give rubber stamp approval to purchase requisitions. Additionally, employees sometimes misrepresent the nature of the items they are purchasing in order to pass a cursory review by their superiors.

Instead of running false invoices through accounts payable, some employees make personal purchases on company credit cards or running accounts with vendors. As with invoicing schemes, the key to getting away with a false credit card purchase is avoiding detection. Unlike invoicing schemes, however, prior approval for purchases is not required. An employee with a company credit card can buy an item merely by signing his or her name (or forging someone else’s) at the time of purchase. Later review of the credit card statement, however, may detect the fraudulent purchase.

As with invoicing schemes, those who committed the frauds were often in a position to approve their own purchases;, the same is often true with credit card schemes. A manager in one case, reviewed and approved his own credit card statements. This allowed him to make fraudulent purchases on the company card for approximately two years.

Finally, there is, the fraudster who buys items and then returns them for cash. A good example of such a scheme is that in which an employee made fraudulent gains from a business travel account. The employee’s scheme began by purchasing tickets for herself and her family through her company’s travel budget. Poor separation of duties allowed the fraudster to order the tickets, receive them, prepare claims for payments, and distribute checks. The only review of her activities was made by a busy and rather uninterested supervisor who approved the employee’s claims without requiring support documentation. Eventually, the employee’s scheme evolved. She began to purchase airline tickets and return them for their cash value. An employee of the travel agency assisted in the scheme by encoding the tickets as though the fraudster had paid for them herself. That caused the airlines to pay refunds directly to the fraudster rather than to her employer. In the course of two years, this employee embezzled over $100,000 through her purchases scheme.

Risk-Centric Fraud Prevention

A number of our certified Chapter members, currently practicing both independently and as corporate staff, report being asked to proactively assist in the establishment of first time internal fraud prevention programs by clients and employers. That this development is something new is borne out by recent articles in the trade press but, on a moment’s reflection, shouldn’t be surprising since CFEs are so uniquely qualified for the particular task.

At a time when an increasingly volatile stock environment, increased cases of cyber fraud, the pressure of globalization and a multitude of increased regulatory requirements are of major concern to all managements, risk assessment and fraud prevention really have to play an important role in ensuring that corporations are not exposed to unexpected and poorly controlled risks. Internal fraud prevention related activities need to be revisited with a focus not just on all these new business paradigms but also on stakeholders’ expectations, transparency, and accountability.

It just makes sense then that today’s environment also calls for greater collaboration and strong relationships between all types of assurance professionals with their clients at all levels to ensure an internal anti-fraud structure is in place (if one doesn’t presently exist) that facilitates a healthy, secure and transparent operating environment.

To facilitate the establishment of a risk-centric approach, today’s fraud prevention functions (new or presently existing) must continually revisit their methodologies, processes, and practices. CFEs can provide experienced insight and real-time value to their client organization by expanding their consulting efforts to facilitate a risk-centric approach, helping to establish the foundation for a more sophisticated and nimble tone at the top, and by focusing on increased collaboration and strategic engagement.

Fraud prevention efforts have been dominated for some time now by a control focused approach that is often reactive and regressive in actual practice in the face of today’s swiftly changing realities. Anti-fraud professionals today need to widen their proactive scope to address the growing governance threats and risk management needs of increasingly global organizations. This requires them to adopt a revised risk-centric approach that involves:

–Taking fraud prevention and business ethics from a compliance perspective to a cultural mind-set. Accurately assessing these risks requires more than just checking to see whether rules are being followed; practitioners must also try to ensure that the spirit of these rules is incorporated into activities at every level.

–Determining key business and fraud risks rather than casting a wide net over numerous risks, many of which may be remote or obscure; the concept of critical business process identification drawn from disaster recovery and continuous operations planning is especially relevant here.

–Identifying emerging risk issues and trends, such as changes in the regulatory environment (which are often wholly reactive), and bringing them to the attention of key stakeholders.

–Estimating the significance of each fraud risk and assessing its probability of occurrence based on a deeper understanding of the present sense conveyed by constantly shifting data and as sometimes pinpointed by sophisticated statistical analysis.

–Identifying programs and controls designed to more sensitively detect and address risk and by concurrent testing of their effectiveness in real-time.

–Coordinating with the other critical risk and control related business processes, such as compliance, risk management, fiscal control, and legal, to ensure that fraud risks are identified, controlled and managed appropriately.

To provide real strategic value to the organization, new and existing fraud prevention practitioners need to help develop risk-based action plans that respond to their present state of risk assessment awareness and which focus on stakeholder expectations. Internal anti-fraud plans should incorporate risk identification and prioritization, as well as analysis and quantification of risk factors particularly in the new business ventures and strategies so characteristic of today’s volatile environment. Such planning should also reflect an understanding of shared risks among various projects and initiatives, and feature continuous monitoring of business activities and key performance indicators.

In the present cyber-threat laden environment the internal fraud prevention business process has to move from being just another routine and disconnected function to being a fulcrum of organizational governance and risk, working in concert with management, the board, and external auditors. Top management can establish the fraud prevention function’s role by:

–Allowing senior fraud examiners and investigators exposure to security information presently associated with key management and governance committees;
–Championing the importance of ethical conduct, fraud identification and fraud prevention consistently.
–Taking immediate and proactive action on fraud examination and investigative findings regardless of whatever level of the organization suspected perpetrators are identified.
–Holding senior executives accountable for identified instances of fraud, waste and abuse in business processes over which they exercise management oversight.
–Supporting the management of the fraud prevention function when its findings and recommendations to improve security prove politically unpopular.
–Defining fraud prevention’s role and management’s expectations.
–Providing appropriate funding, talent and authority to the function.

The ACFE has long indicated that a strong tone at the top from senior management about the importance of a internal fraud prevention function goes a long way toward promoting the engagement of managers throughout the client organization.

For staff assigned to an internal fraud prevention plan to proactively review important business strategies successfully for fraud vulnerability, examiners need to collaborate with management. In addition to providing assurance on compliance initiatives, examiners should develop a forward-looking approach to their assessment planning in which they cooperate and coordinate with related risk and control functions, focus on critical business risks and exposures, and determine the relevance and effectiveness of gathered executive responses to help an organization manage fraud risk proactively. To be forward-looking, fraud prevention professionals need to be fully integrated into the strategic planning process so that they can clearly identify which fraud related risks the organization will be undertaking. They also must be involved with the business in evaluating problems that come to light to determine whether they are the result of control weaknesses that could also emerge in other parts of the organization.

To identify and analyze rapidly emerging risks, direct resources toward areas of greatest risk, and conduct targeted, real-time investigations in response to specific, predicated risks, examiners must leverage technology, learn new skills, and work with management to understand and clarify their evolving expanded role.

To assess the new emerging risks effectively, fraud prevention professionals must develop a deeper understanding of the client business and of the processes that make competitors in the client’s industry successful. An effective fraud prevention activity that can deal with contemporary business risks and meet the ever-increasing demands of management and stakeholders requires a solid staffing strategy. As CFEs we must help spread the word that our client organizations need to invest in skilled resources, methods, training, career paths, and technical infrastructure to deal with increasing cyber-related business risks related to fraud, their internal controls, and government imposed regulations. When staffing a fraud prevention function, top management should:

–Establish a program for selecting and developing the fraud prevention team.
–Identify the skills and expertise required for an effective anti-fraud business process; the ACFE’s guidance and training programs are an invaluable resource to any organization contemplating a new fraud prevention function or looking to strengthen an existing one.
–Assess existing resources to identify staffing gaps.
–Identify and create key performance indicators for deploying fraud prevention and investigatory resources.
–Co-source or outsource internal fraud prevention activities, based on an assessment of current resources, budget, and strategic and tactical requirements.

Acquiring new skills through ACFE training can enable internally focused examiners to direct resources to those techniques that are the most effective in identifying risks to the organization. Especially important is the need to develop deep expertise in specialties such as credit, IT, finance, compliance, and cyber. In addition, investigators and examiners will have to be trained to approach their work strategically, beginning with a detailed understanding of where its owners and stakeholders view where the client business has been and where it is going.

In summary, progressive internal fraud prevention and investigation functions need to partner with their client organization’s risk management function to gain comprehensive visibility into enterprise-wide risks and to support performance of automation supported follow-on risk assessments that can help prevent fraud vulnerability issues from turning into fraud events. Such insight into the organization’s risk profile allows internal investigative professionals to deliver more strategic value by focusing their proactive fraud risk evaluation efforts on areas that represent the greatest risk to the organization as well as proactively anticipating where emerging fraud risk issues are most likely to cause problems. In addition, leveraging the activities performed by the client’s risk management function can lower fraud prevention’s overall cost of operation.

Forensic Data Analysis

As a long term advocate of big data based solutions to investigative challenges, I have been interested to see the recent application of such approaches to the ever-growing problem of data beaches. More data is stored electronically than ever before, financial data, marketing data, customer data, vendor listings, sales transactions, email correspondence, and more, and evidence of fraud can be located anywhere within those mountains of data. Unfortunately, fraudulent data often looks like legitimate data when viewed in the raw. Taking a sample and testing it might not uncover fraudulent activity. Fortunately, today’s fraud examiners have the ability to sort through piles of information by using special software and data analysis techniques. These methods can identify future trends within a certain industry, and they can be configured to identify breaks in audit control programs and anomalies in accounting records.

In general, fraud examiners perform two primary functions to explore and analyze large amounts of data: data mining and data analysis. Data mining is the science of searching large volumes of data for patterns. Data analysis refers to any statistical process used to analyze data and draw conclusions from the findings. These terms are often used interchangeably. If properly used, data analysis processes and techniques are powerful resources. They can systematically identify red flags and perform predictive modeling, detecting a fraudulent situation long before many traditional fraud investigation techniques would be able to do so.

Big data are high volume, high velocity, and/or high variety information assets that require new forms of processing to enable enhanced decision making, insight discovery, and process optimization. Simply put, big data is information of extreme size, diversity, and complexity. In addition to thinking of big data as a single set of data, fraud investigators and forensic accountants are conceptualizing about the way data grow when different data sets are connected together that might not normally be connected. Big data represents the continuous expansion of data sets, the size, variety, and speed of generation of which makes it difficult for investigators and client managements to manage and analyze.

Big data can be instrumental to the evidence gathering phase of an investigation. Distilled down to its core, how do fraud examiners gather data in an investigation? They look at documents and financial or operational data, and they interview people. The challenge is that people often gravitate to the areas with which they are most comfortable. Attorneys will look at documents and email messages and then interview individuals. Forensic accounting professionals will look at the accounting and financial data (structured data). Some people are strong interviewers. The key is to consider all three data sources in unison.

Big data helps to make it all work together to bring the complete picture into focus. With the ever-increasing size of data sets, data analytics has never been more important or useful. Big data requires the use of creative and well-planned analytics due to its size and complexity. One of the main advantages of using data analytics in a big data environment is that it allows the investigator to analyze an entire population of data rather than having to choose a sample and risk drawing erroneous conclusions in the event of a sampling error.

To conduct an effective data analysis, a fraud examiner must take a comprehensive approach. Any direction can (and should) be taken when applying analytical tests to available data. The more creative fraudsters get in hiding their breach-related schemes, the more creative the fraud examiner must become in analyzing data to detect these schemes. For this reason, it is essential that fraud investigators consider both structured and unstructured data when planning their engagements.

Data are either structured or unstructured. Structured data is the type of data found in a database, consisting of recognizable and predictable structures. Examples of structured data include sales records, payment or expense details, and financial reports. Unstructured data, by contrast, is data not found in a traditional spreadsheet or database. Examples of unstructured data include vendor invoices, email and user documents, human resources files, social media activity, corporate document repositories, and news feeds. When using data analysis to conduct a fraud examination, the fraud examiner might use structured data, unstructured data, or a combination of the two. For example, conducting an analysis on email correspondence (unstructured data) among employees might turn up suspicious activity in the purchasing department. Upon closer inspection of the inventory records (structured data), the fraud examiner might uncover that an employee has been stealing inventory and covering her tracks in the record.

Recent reports of breach responses detailed in social media and the trade press indicate that those investigators deploying advanced forensic data analysis tools across larger data sets provided better insights into the penetration, which lead to more focused investigations, better root cause analysis and contributed to more effective fraud risk management. Advanced technologies that incorporate data visualization, statistical analysis and text-mining concepts, as compared to spreadsheets or relational database tools, can now be applied to massive data sets from disparate sources enhancing breach response at all organizational levels.

These technologies enable our client companies to ask new compliance questions of their data that they might not have been able to ask previously. Fraud examiners can establish important trends in business conduct or identify suspect transactions among millions of records rather than being forced to rely on smaller samplings that could miss important transactions.

Data breaches bring enhanced regulatory attention. It’s clear that data breaches have raised the bar on regulators’ expectations of the components of an effective compliance and anti-fraud program. Adopting big data/forensic data analysis procedures into the monitoring and testing of compliance can create a cycle of improved adherence to company policies and improved fraud prevention and detection, while providing additional comfort to key stakeholders.

CFEs and forensic accountants are increasingly being called upon to be members of teams implementing or expanding big data/forensic data analysis programs so as to more effectively manage data breaches and a host of other instances of internal and external fraud, waste and abuse. To build a successful big data/forensic data analysis program, your client companies would be well advised to:

— begin by focusing on the low-hanging fruit: the priority of the initial project(s) matters. The first and immediately subsequent projects, the low-hanging investigative fruit, normally incurs the largest cost associated with setting up the analytics infrastructure, so it’s important that the first few investigative projects yield tangible results/recoveries.

— go beyond usual the rule-based, descriptive analytics. One of the key goals of forensic data analysis is to increase the detection rate of internal control noncompliance while reducing the risk of false positives. From a technology perspective, client’s internal audit and other investigative groups need to move beyond rule-based spreadsheets and database applications and embrace both structured and unstructured data sources that include the use of data visualization, text-mining and statistical analysis tools.

— see that successes are communicated. Share information on early successes across divisional and departmental lines to gain broad business process support. Once validated, success stories will generate internal demand for the outputs of the forensic data analysis program. Try to construct a multi-disciplinary team, including information technology, business users (i.e., end-users of the analytics) and functional specialists (i.e., those involved in the design of the analytics and day-to-day operations of the forensic data analysis program). Communicate across multiple departments to keep key stakeholders assigned to the fraud prevention program updated on forensic data analysis progress under a defined governance program. Don’t just seek to report instances of noncompliance; seek to use the data to improve fraud prevention and response. Obtain investment incrementally based on success, and not by attempting to involve the entire client enterprise all at once.

—leadership support will gets the big data/forensic data analysis program funded, but regular interpretation of the results by experienced or trained professionals are what will make the program successful. Keep the analytics simple and intuitive; don’t try to cram too much information into any one report. Invest in new, updated versions of tools to make analytics sustainable. Develop and acquire staff professionals with the required skill sets to sustain and leverage the forensic data analysis effort over the long-term.
Finally, enterprise-wide deployment of forensic data analysis takes time; clients shouldn’t be lead to expect overnight adoption; an analytics integration is a journey, not a destination. Quick-hit projects might take four to six weeks, but the program and integration can take one to two years or more.

Our client companies need to look at a broader set of risks, incorporate more data sources, move away from lightweight, end-user, desktop tools and head toward real-time or near-real time analysis of increased data volumes. Organizations that embrace these potential areas for improvement can deliver more effective and efficient compliance programs that are highly focused on identifying and containing damage associated with hacker and other exploitation of key high fraud-risk business processes.

Regulating the Financial Data Breach

During several years of my early career, I was employed as a Manager of Operations Research by a mid-sized bank holding company. My small staff and I would endlessly discuss issues related to fraud prevention and develop techniques to keep our customer’s checking and savings accounts safe, secure and private. A never ending battle!

It was a simpler time back then technically but since a large proportion of fraud committed against banks and financial institutions today still involves the illegal use of stolen customer or bank data, some of the newest and most important laws and regulations that management assurance professionals, like CFEs, must be aware of in our practice, and with which our client banks must comply, relate to the safeguarding of confidential data both from internal theft and from breaches of the bank’s information security defenses by outside criminals.

As the ACFE tells us, there is no silver bullet for fully protecting any organization from the ever growing threat of information theft. Yet full implementation of the measures specified by required provisions of now in place federal banking regulators can at least lower the risk of a costly breach occurring. This is particularly true since the size of recent data breaches across all industries have forced Federal enforcement agencies to become increasingly active in monitoring compliance with the critical rules governing the safeguarding of customer credit card data, bank account information, Social Security numbers, and other personal identifying information. Among these key rules are the Federal Reserve Board’s Interagency Guidelines Establishing Information Security Standards, which define customer information as any record containing nonpublic personal information about an individual who has obtained a financial product or service from an institution that is to be used primarily for personal, family, or household purposes and who has an ongoing relationship with the institution.

Its important to realize that, under the Interagency Guidelines, customer information refers not only to information pertaining to people who do business with the bank (i.e., consumers); it also encompasses, for example, information about (1) an individual who applies for but does not obtain a loan; (2) an individual who guarantees a loan; (3) an employee; or (4) a prospective employee. A financial institution must also require, by contract, its own service providers who have access to consumer information to develop appropriate measures for the proper disposal of the information.

The FRB’s Guidelines are to a large extent drawn from the information protection provisions of the Gramm Leach Bliley Act (GLBA) of 1999, which repealed the Depression-era Glass-Steagall Act that substantially restricted banking activities. However, GLBA is best known for its formalization of legal standards for the protection of private customer information and for rules and requirements for organizations to safeguard such information. Since its enactment, numerous additional rules and standards have been put into place to fine-tune the measures that banks and other organizations must take to protect consumers from the identity-related crimes to which information theft inevitably leads.

Among GLBA’s most important information security provisions affecting financial institutions is the so-called Financial Privacy Rule. It requires banks to provide consumers with a privacy notice at the time the consumer relationship is established and every year thereafter.

The notice must provide details collected about the consumer, where that information is shared, how that information is used, and how it is protected. Each time the privacy notice is renewed, the consumer must be given the choice to opt out of the organization’s right to share the information with third-party entities. That means that if bank customers do not want their information sold to another company, which will in all likelihood use it for marketing purposes, they must indicate that preference to the financial institution.

CFEs should note , that most pro-privacy advocacy groups strongly object to this and other privacy related elements of GLBA because, in their view, these provisions do not provide substantive protection of consumer privacy. One major advocacy group has stated that GLBA does not protect consumers because it unfairly places the burden on the individual to protect privacy with an opt-out standard. By placing the burden on the customer to protect his or her data, GLBA weakens customer power to control their financial information. The agreement’s opt-out provisions do not require institutions to provide a standard of protection for their customers regardless of whether they opt-out of the agreement. This provision is based on the assumption that financial companies will share information unless expressly told not to do so by their customers and, if customers neglect to respond, it gives institutions the freedom to disclose customer nonpublic personal information.

CFEs need to be aware, however, that for bank clients, regardless of how effective, or not, GLBA may be in protecting customer information, noncompliance with the Act itself is not an option. Because of the current explosion in breaches of bank information security systems, the privacy issue has to some degree been overshadowed by the urgency to physically protect customer data; for that reason, compliance with the Interagency Guidelines concerning information security is more critical than ever. The basic elements partially overlap with the preventive measures against internal bank employee abuse of the bank’s computer systems. However, they go quite a bit further by requiring banks to:

—Design an information security program to control the risks identified through a security risk assessment, commensurate with the sensitivity of the information and the complexity and scope of its activities.
—Evaluate a variety of policies, procedures, and technical controls and adopt those measures that are found to most effectively minimize the identified risks.
—Application and enforcement of access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
—Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals.
—Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may gain access.
—Procedures designed to ensure that customer information system modifications are consistent with the institution’s information security program.
—Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information.
—Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems.
—Response programs that specify actions to be taken when the institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.
—Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

The Interagency Guidelines require a financial institution to determine whether to adopt controls to authenticate and permit only authorized individuals access to certain forms of customer information. Under this control, a financial institution also should consider the need for a firewall to safeguard confidential electronic records. If the institution maintains Internet or other external connectivity, its systems may require multiple firewalls with adequate capacity, proper placement, and appropriate configurations.

Similarly, the institution must consider whether its risk assessment warrants encryption of electronic customer information. If it does, the institution must adopt necessary encryption measures that protect information in transit, in storage, or both. The Interagency Guidelines do not impose specific authentication or encryption standards, so it is advisable for CFEs to consult outside experts on the technical details applicable to your client institution’s security requirements especially when conducting after the fact fraud examinations.

The financial institution also must consider the use of an intrusion detection system to alert it to attacks on computer systems that store customer information. In assessing the need for such a system, the institution should evaluate the ability, or lack thereof, of its staff to rapidly and accurately identify an intrusion. It also should assess the damage that could occur between the time an intrusion occurs and the time the intrusion is recognized and action is taken.

The regulatory agencies have also provided our clients with requirements for responding to information breaches. These are contained in a related document entitled Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (Incident Response Guidance). According to the Incident Response Guidance, a financial institution should develop and implement a response program as part of its information security program. The response program should address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.

Finally, the Interagency Guidelines require financial institutions to train staff to prepare and implement their information security programs. The institution should consider providing specialized training to ensure that personnel sufficiently protect customer information in accordance with its information security program.

For example, an institution should:

—Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext spam calling.
—Provide staff members responsible for building or maintaining computer systems and local and wide area networks with adequate training, including instruction about computer security.
—Train staff to properly dispose of customer information.

Regulators & Silos

I was reading last week on LinkedIn about a large, highly regulated, financial institution that was defrauded over a long period of time by two different companies, both of which where its suppliers. To add insult to injury, subsequent investigation by a CFE revealed that the two vendors were subsidiaries of a third, which proved also to be a supplier of the victim concern; all three cooperated in the fraud and our victim was completely unaware prior to the investigation of any relationship between them; the kind of ignorance that can draw intense regulatory attention.

This is not as uncommon an occurrence as many might think but it is illustrative of the fact that today’s companies are increasingly forced to expend resources simply trying to understand and manage the complex web of relationships that exist between them and the organizations and people with which they deal; that is, if they want to avoid falling victim to frauds running the whole gamut from the simple to the complex. Such efforts involve gaining perspective on individual vendors and customers but extend far beyond that to include sorting through and classifying corporate hierarchies and complex business-to-business relationships involving partners, suppliers, distributors, resellers, contacts, regulators and employees.

These complex, sometimes overlapping, relationships are only exacerbated by dynamic geographic and cross-channel coordination requirements, and multiple products and customer accounts (our victim financial organization operates in three countries and has over 4,000 employees and hundreds of vendors). No fraud prevention program can be immune in the face of these challenges.

Financial companies that want to securely deliver the best experience to their stakeholders within intensified regulatory constraints need to provide themselves with a complete picture of all the critical parties in their relationships at the various points of service in the on-going process of company operations. The ability to do this requires that organizations have a better understanding of the complicated hierarchies and relationships that exist between them and their stakeholders. You cannot manage what you cannot see and you certainly cannot adequately protect it against fraud, waste and abuse.

The active study of organizational hierarchies and relationships (and their related fraud vulnerabilities) is a way of developing an integrated view of the relationship of risk among cooperating entities such as our CFE client companies between their affiliates, customers and partners, across multiple channels, geographies or applications. The identification of organizational relationships can help our client companies clearly and consistently understand how each of their affiliates, business divisions and contacts within a single multi-national enterprise fit within a broader, multidimensional context. Advanced organizational management approaches can help organizations track when key people change jobs within and between their related affiliates, vendors and companies. Advanced systems can also identify these individuals’ replacements feeding a database of who is where, vital to shifting patterns of enterprise risk.

Our client financial companies that take the time to identify and document their organizational relationships and place stakeholders into a wider hierarchical context realize a broad range of fraud, waste and abuse prevention related benefits, including:

• Enhanced ability to document regulatory compliance;
• More secure financial customer experiences, leading to enhanced reputation, increased loyalty and top-line growth;
• More confident financial reporting and more accurate revenue tracking;
• Reduction of over-all enterprise fraud risk;
• More accurate vetting of potential vendors and suppliers;
• More secure sales territory and partner program management;
• Improved security program compliance management;
• More accurate and effective fraud risk evaluation and mitigation.

The ability to place stakeholders within hierarchical context is invaluable to helping companies optimize business processes, enhance customer relationships and achieve enterprise-wide objectives like fraud prevention and mitigation. Organizations armed with the understanding provided by documented relationship contexts can improve revenues, decrease costs, meet compliance requirements, mitigate risk while realizing many other benefits.

As with our victimized financial enterprise, a company without relational data regarding vendors and other stakeholders can be unknowingly dealing with multiple suppliers who are, in fact, subsidiaries of the same enterprise, causing the company to not only inadvertently misrepresent its vendor base but, even more importantly, increase its vulnerability to fraud. Understanding the true relational context of an individual supplier may allow a company to identify areas of that vendor’s organization that represents enhanced internal control weakness or fraud risk. Conversely, an organization may fail to treat certain weakly controlled stakeholders strategically because the organization is unaware of just how much business it is doing with that stakeholder and its related subsidiaries and divisions.

Risk management has always been a core competency for organizations in general and for financial institutions in particular. However, integrated enterprise risk management (ERM) practices and corporate governance disciplines are now a regulatory imperative. Any institution that views corporate governance as merely a compliance exercise is missing the mark. Regulatory compliance is synonymous with the quality of the integrated ERM framework. Risk and control are virtually inseparable, like two sides of a coin, meaning that risks first must be identified and assessed, and then managed and mitigated by the implementation of a strong system of internal control. Accurate stake holder relational data is, therefore, critical to the effectiveness of the overall ERM process.

In today’s environment, the compliance onus rests with the regulated. In a regulatory environment where client enterprise ignorance of the situation in the client’s own overall enterprise is no longer a defense, responsibility for compliance now rests with the board and senior management to satisfy regulators that they have implemented a mature fraud prevention framework throughout the organization, effectively managing risk from the mailroom to the boardroom.

An integrated control framework with more integrated risk measures, both across risk types and economic and regulatory capital calculations, is warranted. Increased demands for self-attestation require elimination of fragmentation and silos in business and corporate governance, risk management, and compliance.

Compliance needs to be integrated into the organization’s ERM base fraud prevention framework, thereby making the management of regulatory risk a key part of effective overall compliance. Compliance needs to be seen as less of a function and more as an institutional state of mind, helping organizations to anticipate risk as well as to avoid it. Embedding compliance as a corporate discipline ensures that fraud prevention controls are entrenched in people’s roles and responsibilities more effectively than external regulations. The risk management function must not only address the compliance requirements of the organization but must also serve as an agent for improved decision making, loss reduction and competitive advantage within the marketplace.

Organizations can approach investments in corporate governance, relationship identification, risk management practices and regulatory compliance initiatives as one-off, isolated activities, or they can use these investments as an opportunity to strengthen and unify their risk culture, aligning best practices to protect and enhance stakeholder value. A silo-based approach to fraud prevention will not only be insufficient but will also result in compliance processes layered one upon the other, adding cost and duplication, and reducing the overall agility of our client’s business; in effect, increasing risk. This piecemeal reactive approach also leaves a gap between the processes designed to keep the organization in line with its regulatory obligations and the policies needed to protect and improve the franchise. Organizations are only as strong as their weakest components, like the links in a chain.

The ACFE tells us that people tend to identify with their positions, focusing more on what they do rather than on the purpose of it. This leads to narrowed vision on the job, resulting in a myopic sense of responsibility for the results produced when all positions interact. ln the event of risk management breakdowns or when results are below expectations, it is difficult for people to look beyond their silo. The enemy is out there syndrome, a byproduct of seeing only one’s own position, results in people quickly blaming someone or something outside themselves, including regulators, when negative events like long running frauds are revealed and retreating within the perceived safety of their fortress silo. This learning disability makes it almost impossible to detect the leverage that can be used on issues like fraud prevention and response that straddle the boundary between ‘us’ and ‘them’.

However, it is particularly disconcerting that the weakest numbers by industry sector, including financial services, occur in the ACFE studies measuring organization wide accountability and people’s understanding of their accountability. My personal feeling is that much of the reason for this low score is the perpetuation of organizational silos resulting from management’s failure to adequately identify and document all of its stakeholders’ cross-organizational relationships.

Trust but Check

The community support for a business, and business in general, depends on the credibility that stakeholders place in corporate commitments, the company’s reputation, and the strength of its competitive advantage. All of these depend on the trust that stakeholders place in a company’s activities. Trust, in turn, depends on the values underlying corporate activities. Off-shore accounts, manipulation of shell corporations to evade taxes, loan fraud and management self-dealing are just a few instances of the moral cancer that, drop by drop, erodes trust until the point where the free enterprise systems of democratic nations are replaced by naked oligarchy, kleptocracy and cultures of corruption.

If the interests of all stakeholders are systematically not respected, then action that continues to be often painful to shareholders, officers, and directors usually occurs. In fact, it is unlikely that businesses or professions can achieve their long-run strategic objectives without the support of key stakeholders, such as shareholders, employees, customers, creditors, suppliers, governments, and host communities.

A constant theme and trend (as echoed in the trade press) has become increasingly more evident since the turn of the century. The judgment and moral character of executives, owners, boards of directors, and auditors has been often insufficient, on their own, to prevent increasingly severe corporate, ethical, and governance scandals. Governments and regulators world-wide have been required to constantly tighten guidelines and governance regulations to assure the protection of the public. The self-interested lure of greed has proven to be too strong for many to resist, and they have succumbed to conflicts of interest when left too much on their own. Corporations that were once able to shift jurisdictions to avoid new regulations regarding tax and other matters now are facing global measures designed to expose and control questionable ethics and governance practices. Assurance professionals themselves, of all types, are also facing international standards of behavior.

These changes have come about because of the pressures brought to bear on corporations and management by the reporting of scandals and abuses by a still potent free press and by suits by activist investors and other involved stakeholders. But changes in laws, regulations, and standards are only part of what stakeholders have contributed. The expectations for good ethical behavior and good governance practices have changed. Failure to comply with these expectations now impacts reputations, profits, and careers even if the behavior is strictly within legal boundaries.

As ACFE training tells us, it’s become increasingly evident to most executives, owners, and auditors that their individual success is directly related to their ability to develop and maintain a corporate culture of integrity. They cannot afford the loss of reputation, revenue, reliability, and credibility as a result of a loss of integrity. It is no longer an effective, sustainable, or medium or long-term strategy to project or practice questionable ethics. ACFE training goes on to indicate a number of causes, or signs, of ethical problems within any given corporation:

— Pressure to meet goals, especially financial ones, at any cost;
–A culture that does not foster open and candid conversation and discussion;
–A CEO who is surrounded by people who will agree and flatter the CEO, as well as a CEO whose reputation is ‘beyond criticism’;
–Weak boards that do not exercise their fiduciary responsibilities with diligence;
–An organization that promotes people on the basis of nepotism and favoritism;
–Hubris. The arrogant belief that rules are for other people, but not for us;
–A flawed cost/benefit attitude that suggests that poor ethical behavior in one area can be offset by good ethical behavior in another area.

The LIBOR rate scandal of 2012 is an almost perfect example of ethical collapse and manifests a majority of the red flags enumerated above. The scandal featured the systematic manipulation of a benchmark interest rate, supported by a culture of fraud in the world’s biggest banks, in an environment where little or no regulation prevailed. After decades of abuse that enriched the big banks, their shareholders, executives and traders, at the expense of others, investigations and lawsuits were finally undertaken resulting in prosecutions and huge penalties for the banks and the individual traders involved.

The London Interbank Offered Rate (LIBOR) rate is a rate of interest, first computed in 1985 by the British Banking Association (BBA), the Bank of England and others, to serve as a readily available reference or benchmark rate for many financial contracts and arrangements. Prior to its creation, contracts utilized many privately negotiated rates, which were difficult to verify, and not necessarily related to the market rate for the security in question. The LIBOR rate, which is the average interest rate estimated by leading banks that they would be charged if they were to borrow from other banks, provided a simple alternative that came to be widely used.

At the time of the LIBOR scandal, 18 of the largest banks in the world provided their estimates of the costs they would have had to pay for a variety of interbank loans (loans from other banks) just prior to 11:00 a.m. on the submission day. These estimates were submitted to Reuters news agency (who acted for the BBA) for calculation of the average, and its publication, and dissemination. Reuters set aside the four highest and four lowest estimates and averaged the remaining ten.

So huge were the investments affected that a small manipulation in the LIBOR rate could have a very significant impact on the profit of the banks and of the traders involved in the manipulation.

Insiders to the banking system knew about the manipulation of LIBOR rate submissions for decades, but changes were not made until the public became aware of the problem, and until the U.S. Department of Justice (DOJ) forced the U.K. government to act. The president of the New York Federal Reserve Bank (Fed), at that time emailed the governor of the Bank of England in June 2008, suggesting ways to “enhance” LIBOR. Although ensuing emails report agreement on the suggestions, and articles appeared in the trade press from 2008 to 2011, serious changes were not applied until October 2012 when the U.K. government accepted the recommendations of the Wheatley Review of Libor. This Review by Martin Wheatley, managing director of British Financial Services Authority, was commissioned in June 2012 in view of investigations, charges and settlements that were raising public awareness of LIBOR deficiencies.

One of the motivations for creating the Wheatley Review involved the prosecution of a former UBS and later Citigroup Inc. trader, on criminal fraud charges for manipulating the LIBOR rates. The trader, known to insiders as the “Rain Man” for his abilities and demeanor, allegedly sought his superiors approval before attempting to influence the LIBOR rates, an act that some observers thought at the time would provide a strong defense against conviction.

Insiders who knew of LIBOR manipulations were generally reluctant to take a public stand for earlier change. However, on July 27, 2012, a former trader for Morgan Stanley in London, published an article that told of his earlier attempts to bring LIBOR rate manipulations to the attention of authorities, but without success. In his article, he indicated how he learned as a new trader in 1991 that the banks manipulated their rate submissions to make profit on specific contracts, and to mask liquidity problems such as during the subprime lending crisis of 2008. For example, if the LIBOR rate submissions were misstated to be low, the discounted valuation of related assets would be raised, thus providing misleadingly higher levels of short-term, near-cash assets than should have been reported.

Numerous studies since the scandal have detailed the effects of unethical LIBOR manipulation. Just two examples of such manipulation. At the time of the scandal many home owners borrowed their mortgage loans on a variable- or adjustable-rate basis, rather than a fixed-rate basis. Consequently, many of these borrowers received a new rate at the first of every month based on the LIBOR rate. A study prepared for a class action lawsuit has shown that on the first of each month for the period 2007-2009, the LIBOR rate rose more than 7.5 basis points on average. As a consequence, one observer estimated that each LIBOR submitting bank may be liable for as much as $2.3 billion.

Municipalities raise funds through the issue of bonds, and many were encouraged to issue variable-rate, rather than fixed-rate, bonds to take advantage of lower interest payments. For example, the saving could be as much as $1 million on a $100 million bond. After issue, the municipalities were encouraged to buy interest rate swaps from their investment banks to hedge their risk of volatility in the variable rates by converting or swapping into a fixed rate arrangement. The seller of the swap agrees to pay the municipality for any requirement to pay interest at more than the fixed rate agreed if interest rates rise, but if interest rates fall the swap seller buys the bonds at the lower variable interest rate. However, the variable rate was linked to the LIBOR rate, which was artificially depressed, thus costing U.S. municipalities as much as $10 billion. Class action suits were eventually launched to recover these losses, which cost municipalities, hospitals, and other non-profits as much as $600 million a year.

At the end of the day, trust in each other and in our counter-parties is all we really have as economic actors; CFE’s and forensic accountants thus have a vital role to play in investigating, documenting and assisting in the identification and possible prosecution of those who, like the LIBOR manipulators, knowingly collude in making the choice to violate that trust.

Loose Ends

A forensic accountant colleague of mine often refers to “loose-ends”. In his telling, loose-ends are elements of an investigation that get over-looked or insufficiently investigated which have the power to come back and bite an examiner with ill effect. That a small anomaly may be a sign of fraud is a fact that is no surprise to any seasoned investigator. Since fraud is typically hidden, the discovery of fraud usually is unlikely, at least at the beginning, to involve a huge revelation.

The typical audit does not presume that those the auditor examiners and the documents s/he reviews have something sinister about them. The overwhelming majority of audits are conducted in companies in which material fraud does not exist. However, the auditor maintains constant awareness that material fraud could be present.

Imagine a policewoman walking down a dark alley into which she knows a suspect has entered just before her. She doesn’t know where the suspect is, but as she walks down that alley, she is acutely aware of and attuned to her surroundings. Her senses are at their highest level. She knows beyond the shadow of a doubt that danger lurks nearby.

Fraud audits (and audits in general) aren’t like that. Fraud audits are more like walking through a busy mall and watching normal people go about their daily activities. In the back of the examiner’s mind, he knows that among all the shoppers are a few, a very few, shoplifters. They look just like everyone else. The examiner knows they are there because statistical studies and past experience have shown that they are, but he doesn’t know exactly where or who they are or when he will encounter them, if at all. If he were engaged to find them, he would have to design procedures to increase the likelihood of discovery without in any way annoying the substantial majority of honest shoppers in whose midst they swim.

A fraud risk assessment evaluates areas of potential fraud to determine whether the current control structure and environment are addressing fraud risk at a level that aligns with the organization’s risk appetite and risk tolerance. Therefore, it is important during the development and implementation of the risk management program to specifically address various fraud schemes to establish the correct levels of control.

It occurred to me a while back that a fraud risk assessment can of thought of as ignoring a loose-end if it fails to include sufficient consideration of the client organization’s ethical dimension. That the ethical dimension is not typically included as a matter of course in the routine fraud risk assessment constitutes, to my mind, a lost opportunity to conduct a fuller, and potentially, a more useful assessment. As part of their assessments, today’s practitioners can potentially use surveys, Control Self-Assessment sessions, focus groups, and workshops with employees to take the organization’s ethical temperature and determine its ethical baseline. Under this expanded model, the most successful fraud risk assessment would include small brainstorming sessions with the operational management of the business process(s) under review. Facilitated by a Certified Fraud Examiner (CFE), these assessments would look at typical fraud schemes encountered in various areas of the organization and identify the internal controls designed to mitigate each of them. At a high level, this analysis examines internal controls and the internal control environment, as well as resources available to prevent, detect, and deter fraud.

Fraud risk assessments emphasize possible collusion and management overrides to circumvent internal controls. Although an internal control might be in place to prevent fraudulent activity, the analysis must consider how this control could be circumvented, manipulated, or avoided. This evaluation can help the CFE understand the actual robustness and resilience of the control and of the control environment and estimate the potential risk to the organization.

One challenge at this point in the process is ensuring that the analysis assesses not just roles, but also those specific individuals who are responsible for the controls. Sometimes employees will feel uncomfortable contemplating a fellow employee or manager perpetrating fraud. This is where an outside fraud expert like the CFE can help facilitate the discussion and ensure that nothing is left off the table. To ask and get the answers to the right questions, the CFE facilitator should help the respondents keep in mind that:

o Fraud entails intentional misconduct designed to avoid detection.
o Risk assessments identify where fraud might occur and who the potential perpetrator(s) might be.
o Persons inside and outside of the organization could perpetrate such schemes.
o Fraud perpetrators typically exploit weaknesses in the system of controls or may override or circumvent controls.
o Fraud perpetrators typically find ways to hide the fraud from detection.

It’s important to evaluate whether the organization’s culture promotes ethical or unethical decision-making. Unfortunately, many organizations have established policies and procedures to comply with various regulations and guidelines without committing to promoting a culture of ethical behavior. Simply having a code of conduct or an ethics policy is not enough. What matters is how employees act when confronted with an ethical choice; this is referred to by the ACFE as measuring the organization’s ethical baseline.

Organizations can determine their ethical baseline by periodically conducting either CFE moderated Control Self-Assessment sessions including employees from high-risk business processes, through an online survey of employees from various areas and levels within the organization, or through workshop-based surveys using a balloting tool that can keep responses anonymous. The broader the survey population, the more insightful the results will be. For optimal results, surveys should be short and direct, with no more than 15 to 20 questions that should only take a few minutes for most employees to answer. An important aspect of conducting this survey is ensuring the anonymity of participants, so that their answers are not influenced by peer pressure or fear of retaliation. The survey can ask respondents to rate questions or statements on a scale, ranging from 1—Strongly Disagree to 5—Strongly Agree. Sample statements might include:

1. Our organizational culture is trust-based.
2. Missing approvals are not a big deal here.
3. Strong personalities dominate most departments.
4. Pressure to perform outweighs ethical behavior.
5. I share my passwords with my co-workers.
6. Retaliation will not be accepted here.
7. The saying “Don’t rock the boat!” fits this organization.
8. I am encouraged to speak up whenever needed.
9. Ethical behavior is a top priority of management.
10.I know where I can go if I need to report a potential issue of misconduct.

The ethical baseline should not be totally measured on a point system, nor should the organization be graded based on the survey results. The results should simply be an indicator of the organization’s ethical environment and a tool to identify potential areas of concern. If repeated over time, the baseline can help identify both positive and negative trends. The results of the ethical baseline survey should be discussed by the CFE with management as part of a broader fraud risk assessment project. This is especially important if there are areas with a lack of consensus among the survey respondents. For example, if the answer to a question is split down the middle between strongly agree and strongly disagree, this should be discussed to identify the root cause of the variance. Most questions should be worded to either show strong ethical behaviors or to raise red flags of potential unethical issues or inability to report such issues promptly to the correct level in the organization.

In summary, the additional value created by combining of the results of the traditional fraud risk assessment with an ethical baseline assessment can help CFEs better determine areas of risk and control that should be considered in building the fraud prevention and response plans. For example, fraud risk schemes that are heavily dependent on controls that can be easily overridden by management may require more frequent assurance from prevention professionals than those schemes that are mitigated by system-based controls. And an organization with a weak ethical baseline may require more frequent assessment of detective control procedures than one with a strong ethical baseline, which might rely on broader entity-level controls. By adding ethical climate evaluation to their standard fraud risk assessment procedures, CFEs can tie up what otherwise might be a major loose-end in their risk evaluation.

Using Control to Foster a Culture of Honesty

One of the most frequent questions we seem to receive as practicing CFEs from clients and corporate counsel alike regards the proactive steps management can take to create what’s commonly designated a ‘culture of honesty’. What kinds of programs and controls can an entity implement to create such a culture and to prevent fraud?

The potential of being caught most often persuades likely perpetrators not to commit a contemplated fraud. As the ACFE has long told us, because of this principle, the existence of a thorough control system is essential to any effective program of fraud prevention and constitutes one of the most vital underpinnings of an honest culture.

Corporations and other organizations can be held liable for criminal acts committed as a matter of organizational policy. Fortunately, most organizations do not expressly set out to break the law. However, corporations and other organizations may also be held liable for the criminal acts of their employees if those acts are perpetrated in the course and scope of their employment and for the ostensible purpose of benefiting the corporation. An employee’s acts are considered to be in the course and scope of employment if the employee has actual authority or apparent authority to engage in those acts. Apparent authority means that a third party would reasonably believe the employee is authorized to perform the act on behalf of the company. Therefore, an organization could be held liable for something an employee does on behalf of the organization even if the employee is not authorized to perform that act.

An organization will not be vicariously liable for the acts of an employee unless the employee acted for the ostensible purpose of benefiting the corporation. This does not mean the corporation has to receive an actual benefit from the illegal acts of its employee. All that is required is that the employee intended to benefit the corporation. A company cannot seek to avoid vicarious liability for the acts of its employees by simply claiming that it did not know what was going on. Legally speaking, an organization is deemed to have knowledge of all facts known by its officers and employees. That is, if a prosecutor can prove that an officer or employee knew of conduct that raised a question as to the company’s liability, and the prosecutor can show that the company willfully failed to act to correct the situation, then the company may be held liable, even if senior management had no knowledge or suspicion of the wrongdoing.

In addition, the evolving legal principle of ‘conscious avoidance’ allows the government to prove the employer had knowledge of a particular fact which establishes liability by showing that the employer knew there was a high probability the fact existed and consciously avoided confirming the fact. Employers cannot simply turn a blind eye when there is reason to believe that there may be criminal conduct within the organization. If steps are not taken to deter the activity, the company itself may be found liable. The corporation can be held criminally responsible even if those in management had no knowledge of participation in the underlying criminal events and even if there were specific policies or instructions prohibiting the activity undertaken by the employee(s). The acts of any employee, from the lowest clerk on up to the CEO, can impute liability upon a corporation. In fact, a corporation can be criminally responsible for the collective knowledge of several of its employees even if no single employee intended to commit an offense. Thus, the combination of vicarious or imputed corporate criminal liability and the current U.S. Sentencing Guidelines for Organizations can create a risk for corporations today.

Although many of our client companies do not realize it, the current legal environment imposes a responsibility on companies to ferret out employee misconduct and to deal with any known or suspected instances of misconduct by taking timely and decisive measures.

First, the doctrine of accountability suggests that officers and directors aware of potentially illegal conduct by senior employees may be liable for any recurrence of similar misconduct and may have an obligation to halt and cure any continuing effects of the initial misconduct.

Second, the Corporate Sentencing Guidelines, provide stiff penalties for corporations that fail to take voluntary action to redress apparent misconduct by senior employees.

Third, the Private Litigation Securities Reform Act requires, as a matter of statute, that independent auditors look for, and assess, management’s response to indications of fraud or other potential illegality. Where the corporation does not have a history of responding to indications of wrongdoing, the auditors may not be able to reach a conclusion that the company took appropriate and prompt action in response to indications of fraud.

Fourth, courts have held that a director’s duty of care includes a duty to attempt in good faith to assure corporate information and reporting systems exist. These systems must be reasonably designed to provide senior management and the board of directors timely, accurate information which would permit them to reach informed judgments concerning the corporation’s compliance with law and its business performance. In addition, courts have also stated that the failure to create an adequate compliance system, under some circumstances, could render a director liable for losses caused by non-compliance with applicable legal standards. Therefore, directors should make sure that their companies have a corporate compliance plan in place to detect misconduct and deal with it effectively. The directors should then monitor the company’s adherence to the compliance program. Doing so will help the corporation avoid fines under the Sentencing Guidelines and help prevent individual liability on the part of the directors and officers.

The control environment sets the moral tone of an organization, influencing the control consciousness of the organization and providing a foundation for all other control components. This component considers whether managers and employees within the organization exhibit integrity in their activities. COSO envisions that upper management will be responsible for the control environment of organizations. Employees look to management for guidance in most business affairs, and organizational ethics are no different. It is important for upper management to operate in an ethical manner, and it is equally important for employees to view management in a positive light. Managers must set an appropriate moral tone for the operations of an organization.

In addition to merely setting a good example, however, COSO suggests that upper management take direct control of an organization’s efforts at internal controls. This idea should be regularly reinforced within the organization. There are several actions that management can take to establish the proper control environment for an organization and foster a culture of honesty. These include:

–The establishment of a code of ethics for the organization. The code should be disseminated to all employees and every new employee should be required to read and sign it. The code should also be disseminated to contractors who do work on behalf of the organization. Under certain circumstances, companies may face liability due to the actions of independent contractors. It is therefore very important to explain the organization’s standards to any outside party with whom the organization conducts business.

–Careful screening of job applicants. One of the easiest ways to establish a strong moral tone for an organization is to hire morally sound employees. Too often, the hiring process is conducted in a slipshod manner. Organizations should conduct thorough background checks on all new employees, especially managers. In addition, it is important to conduct thorough interviews with applicants to ensure that they have adequate skills to perform the duties that will be required of them.

–Proper assignment of authority and responsibility. In addition to hiring qualified, ethical employees, it is important to put these people in situations where they are able to thrive without resorting to unethical conduct. Organizations should provide employees with well-defined job descriptions and performance goals. Performance goals should be routinely reviewed to ensure that they do not set unrealistic standards. Training should be provided on a consistent basis to ensure that employees maintain the skills to perform effectively. Regular training on ethics will also help employees identify potential trouble spots and avoid getting caught in compromising situations. Finally, management should quickly determine where deficiencies in an employee’s conduct exist and work with the employee to fix the problem.

–Effective disciplinary measures. No control environment will be effective unless there is consistent discipline for ethical violations. Consistent discipline requires a well-defined set of sanctions for violations, and strict adherence to the prescribed disciplinary measures. If one employee is punished for an act and another employee is not punished for a similar act, the moral force of the company’s ethics policy will be diminished. The levels of discipline must be sufficient to deter violations. It may also be advisable to reward ethical conduct. This will reinforce the importance of organizational ethics in the eyes of employees.

Monitoring is the process that assesses the quality of a control environment over time. This component should include regular evaluations of the entire control system. It also requires the ongoing monitoring of day-to-day activities by managers and employees. This may involve reviewing the accuracy of financial information, or verifying inventories, supplies, equipment and other organization assets. Finally, organizations should conduct independent evaluations of their internal control systems. An effective monitoring system should provide for the free flow of upstream communication.

Fraud Prevention Oriented Data Mining

One of the most useful components of our Chapter’s recently completed two-day seminar on Cyber Fraud & Data Breaches was our speaker, Cary Moore’s, observations on the fraud fighting potential of management’s creative use of data mining. For CFEs and forensic accountants, the benefits of data mining go much deeper than as just a tool to help our clients combat traditional fraud, waste and abuse. In its simplest form, data mining provides automated, continuous feedback to ensure that systems and anti-fraud related internal controls operate as intended and that transactions are processed in accordance with policies, laws and regulations. It can also provide our client managements with timely information that can permit a shift from traditional retrospective/detective activities to the proactive/preventive activities so important to today’s concept of what effective fraud prevention should be. Data mining can put the organization out front of potential fraud vulnerability problems, giving it an opportunity to act to avoid or mitigate the impact of negative events or financial irregularities.

Data mining tests can produce “red flags” that help identify the root cause of problems and allow actionable enhancements to systems, processes and internal controls that address systemic weaknesses. Applied appropriately, data mining tools enable organizations to realize important benefits, such as cost optimization, adoption of less costly business models, improved program, contract and payment management, and process hardening for fraud prevention.

In its most complex, modern form, data mining can be used to:

–Inform decision-making
–Provide predictive intelligence and trend analysis
–Support mission performance
–Improve governance capabilities, especially dynamic risk assessment
–Enhance oversight and transparency by targeting areas of highest value or fraud risk for increased scrutiny
–Reduce costs especially for areas that represent lower risk of irregularities
–Improve operating performance

Cary emphasized that leading, successful organizational implementers have tended to take a measured approach initially when embarking on a fraud prevention-oriented data mining initiative, starting small and focusing on particular “pain points” or areas of opportunity to tackle first, such as whether only eligible recipients are receiving program funds or targeting business processes that have previously experienced actual frauds. Through this approach, organizations can deliver quick wins to demonstrate an early return on investment and then build upon that success as they move to more sophisticated data mining applications.

So, according to ACFE guidance, what are the ingredients of a successful data mining program oriented toward fraud prevention? There are several steps, which should be helpful to any organization in setting up such an effort with fraud, waste, abuse identification/prevention in mind:

–Avoid problems by adopting commonly used data mining approaches and related tools.

This is essentially a cultural transformation for any organization that has either not understood the value these tools can bring or has viewed their implementation as someone else’s responsibility. Given the cyber fraud and breach related challenges faced by all types of organizations today, it should be easier for fraud examiners and forensic accountants to convince management of the need to use these tools to prevent problems and to improve the ability to focus on cost-effective means of better controlling fraud -related vulnerabilities.

–Understand the potential that data mining provides to the organization to support day to day management of fraud risk and strategic fraud prevention.

Understanding, both the value of data mining and how to use the results, is at the heart of effectively leveraging these tools. The CEO and corporate counsel can play an important educational and support role for a program that must ultimately be owned by line managers who have responsibility for their own programs and operations.

–Adopt a version of an enterprise risk management program (ERM) that includes a consideration of fraud risk.

An organization must thoroughly understand its risks and establish a risk appetite across the enterprise. In this way, it can focus on those area of highest value to the organization. An organization should take stock of its risks and ask itself fundamental questions, such as:

-What do we lose sleep over?
-What do we not want to hear about us on the evening news or read about in the print media or on a blog?
-What do we want to make sure happens and happens well?

Data mining can be an integral part of an overall program for enterprise risk management. Both are premised on establishing a risk appetite and incorporating a governance and reporting framework. This framework in turn helps ensure that day-to-day decisions are made in line with the risk appetite, and are supported by data needed to monitor, manage and alleviate risk to an acceptable level. The monitoring capabilities of data mining are fundamental to managing risk and focusing on issues of importance to the organization. The application of ERM concepts can provide a framework within which to anchor a fraud prevention program supported by effective data mining.

–Determine how your client is going to use the data mined information in managing the enterprise and safeguarding enterprise assets from fraud, waste and abuse.

Once an organization is on top of the data, using it effectively becomes paramount and should be considered as the information requirements are being developed. As Cary pointed out, getting the right data has been cited as being the top challenge by 20 percent of ACFE surveyed respondents, whereas 40 percent said the top challenge was the “lack of understanding of how to use analytics”. Developing a shared understanding so that everyone is on the same page is critical to success.

–Keep building and enhancing the application of data mining tools.

As indicated above, a tried and true approach is to begin with the lower hanging fruit, something that will get your client started and will provide an opportunity to learn on a smaller scale. The experience gained will help enable the expansion and the enhancement of data mining tools. While this may be done gradually, it should be a priority and not viewed as the “management reform initiative of the day. There should be a clear game plan for building data mining capabilities into the fiber of management’s fraud and breach prevention effort.

–Use data mining as a tool for accountability and compliance with the fraud prevention program.

It is important to hold managers accountable for not only helping institute robust data mining programs, but for the results of these programs. Has the client developed performance measures that clearly demonstrate the results of using these tools? Do they reward those managers who are in the forefront in implementing these tools? Do they make it clear to those who don’t that their resistance or hesitation are not acceptable?

–View this as a continuous process and not a “one and done” exercise.

Risks change over time. Fraudsters are always adjusting their targets and moving to exploit new and emerging weaknesses. They follow the money. Technology will continue to evolve, and it will both introduce new risks but also new opportunities and tools for management. This client management effort to protect against dangers and rectify errors is one that never ends, but also one that can pay benefits in preventing or managing cyber-attacks and breaches that far outweigh the costs if effectively and efficiently implemented.

In conclusion, the stark realities of today’s cyber related challenges at all levels of business, private and public, and the need to address ever rising service delivery expectations have raised the stakes for managing the cost of doing business and conducting the on-going war against fraud, waste and abuse. Today’s client-managers should want to be on top of problems before they become significant, and the strategic use of data mining tools can help them manage and protect their enterprises whilst saving money…a win/win opportunity for the client and for the CFE.