Tag Archives: Engagement Management

The Client Requested Recommendation

We fraud examiners must be very circumspect about drawing conclusions. But who among us has not found him or herself in a discussion with a corporate counsel who wants a recommendation from us about how best to prevent the occurrence of a fraud in the future?  In most situations, the conclusions from a well conducted examination should be self-evident and should not need to be pointed out in the report. If the conclusions are not obvious, the report might need to be clarified. Our job as fraud examiners is to obtain sufficient relevant and reliable evidence to determine the facts with a reasonable degree of forensic certainty. Assuming facts without obtaining sufficient relevant and reliable evidence is generally inappropriate.

Opinions regarding technical matters, however, are permitted if the fraud examiner is qualified as an expert in the matter being considered (many fraud examiners are certified not only as CFE’s but also as CPA’s, CIA’s or CISA’s).  For example, a permissible expert opinion, and accompanying client requested recommendation, might address the relative adequacy of an entity’s internal controls. Another opinion (and accompanying follow-on recommendation) might discuss whether financial transactions conform to generally accepted accounting principles. So, recommended remedial measures to prevent future occurrences of similar frauds are also essentially opinions, but are acceptable in fraud examination reports.

Given that examiners should always be cautious in complying with client examination related requests for recommendations regarding future fraud prevention, there is no question that such well-considered recommendations can greatly strengthen any client’s fraud prevention program.  But requested recommendations can also become a point of contention with management, as they may suggest additional procedures for staff or offend members of management if not presented sensitively and correctly. Therefore, examiners should take care to consider ways of follow-on communication with the various effected stakeholders as to how their recommendations will help fix gaps in fraud prevention and mitigate fraud risks.  Management and the stakeholders themselves will have to evaluate whether the CFE’s recommendations being provided are worth the investment of time and resources required to implement them (cost vs. benefit).

Broadly, an examination recommendation (where included in the final report or not) is either a suggestion to fix an unacceptable scenario or a suggestion for improvement regarding a business process.  At management’s request, fraud examination reports can provide recommendations to fix unacceptable fraud vulnerabilities because they are easy to identify and are less likely to be disputed by the business process owner. However, recommendations to fix gaps in a process only take the process to where it is expected to be and not where it ideally could be. The value of the fraud examiner’s solicited recommendation can lie not only in providing solutions to existing vulnerability issues but in instigating thought-provoking discussions.  Recommendations also can include suggestions that can move the process, or the department being examined to the next level of anti-fraud efficiency.  When recommendations aimed at future prevention improvements are included, examination reports can become an additional tool in shaping the strategic fraud prevention direction of the client being examined.

An examiner can shape requested recommendations for fraud prevention improvement using sources both inside and outside the client organization. Internal sources of recommendations require a tactful approach as process owners may not be inclined to share unbiased opinions with a contracted CFE, but here, corporate counsel can often smooth the way with a well-timed request for cooperation. External sources include research libraries maintained by the ACFE, AICPA and other professional organizations.

It’s a good practice, if you expect to receive a request for improvement recommendations from management, to jot down fraud prevention recommendation ideas as soon as they come to mind, even though they may or may not find a place in the final report. Even if examination testing does not result in a specific finding, the CFE may still recommend improvements to the general fraud prevention process.

If requested, the examiner should spend sufficient time brainstorming potential recommendations and choosing their wording carefully to ensure their audience has complete understanding. Client requested recommendations should be written simply and should:

–Address the root cause if a control deficiency is the basis of the fraud vulnerability;
–Address the business process rather than a specific person;
–Include bullets or numbering if describing a process fraud vulnerability that has several steps;
–Include more than one way of resolving an issue identified in the observation, if possible. For example, sometimes a short-term manual control is suggested as an immediate fix in addition to a recommended automated control that will involve considerable time to implement;
–Position the most important observation or fraud risk first and the rest in descending order of risk;
–Indicate a suggested priority of implementation based on the risk and the ease of implementation;
–Explain how the recommendation will mitigate the fraud risk or vulnerability in question;
–List any recommendations separately that do not link directly to an examination finding but seek to improve anti-fraud processes, policies, or systems.

The ACFE warns that recommendations, even if originally requested by client management, will go nowhere if they turn out to be unvalued by that management. Therefore, the process of obtaining management feedback on proposed anti-fraud recommendations is critical to make them practical. Ultimately, process owners may agree with a recommendation, agree with part of the recommendation, and agree in principle, but technological or personnel resource constraints won’t allow them to implement it.  They also may choose to revisit the recommendation at a future date as the risk is not imminent or disagree with the recommendation because of varying perceptions of risk or mitigating controls.

It’s my experience that management in the public sector can be averse to recommendations because of public exposure of their reports. Therefore, CFEs should clearly state in their reports if their recommendations do not correspond to any examination findings but are simply suggested improvements. More proposed fraud prevention recommendations do not necessarily mean there are more faults with the process, and this should be communicated clearly to the process owners.

Management responses should be added to the recommendations with identified action items and implementation timelines whenever possible. Whatever management’s response, a recommendation should not be changed if the response tends to dilute the examiner’s objectivity and independence and becomes representative of management’s opinions and concerns. It is the examiner’s prerogative to provide recommendations that the client has requested, regardless of whether management agrees with them. Persuasive and open-minded discussions with the appropriate levels of client management are important to achieving agreeable and implementable requested fraud prevention recommendations.

The journey from a client request for a fraud prevention recommendation to a final recommendation (whether included in the examination report or not) is complex and can be influenced by every stakeholder and constraint in the examination process, be it the overall posture of the organization toward change in general, its philosophy regarding fraud prevention, the scope of the individual fraud examination itself, views  of the effected business process owner, experience and exposure of the examination staff, or available technology. However, CFEs understand that every thought may add value to the client’s fraud prevention program and deserves consideration by the examination team. The questions at the end of every examination should be, did this examination align with the organization’s anti-fraud strategy and direction? How does our examination compare with the quality of practice as seen elsewhere? And finally, to what degree have the fraud prevention recommendations we were asked to make added value?

Managing Disruption

Technology risks are evolving and changing so rapidly, it’s more difficult for management to assess new fraud threats and to adjust its strategies to manage and mitigate them. Applications that use disruptive technologies, such as artificial intelligence, advanced robotics, 3D printing, blockchain, and the Internet of Things, are being designed quickly and often generate new high-growth markets. CFEs and other anti-fraud professionals are struggling to stay abreast of the most recent developments and to identify anti-fraud policies, procedures and controls that add value.  Additionally, the exponential growth of computing power has enabled our client organizations to capitalize on the use of mobile devices and to leverage the ubiquity of the internet to reach their markets almost instantly.

While this is an exciting and challenging opportunity for marketers and business managers, it has injected new risk considerations for CFEs. Digitalization of data has created opportunities for knowledgeable investigators to improve their use of data analytics, use algorithms to facilitate cognitive intelligence, and to even create bot applications that perform automated fraud assessment tasks in real time. The essence of the risks and controls involved has not changed as much as the underlying technology. The new processes still need to adhere to organizational policies and procedures, change management practices are still a vital component in transitioning to new tools and processes, and system and access controls must continue to be enforced. However, some controls that were important in the past now take on a new level of criticality. Automated algorithms result in less transparency of the underlying process. When data is used and shared through these processes, accuracy and completeness become a necessity. An organization needs very specific controls to ensure a bot does not proliferate erroneous data. Anti-fraud focused information security and access control processes must treat the bot as if it were a person and only allow it access to appropriate data. Checks and balances must be integrated into the process to ensure the results are accurate, service level agreements are met, and contracts remain faithfully performed.

Advanced materials, 3D printing, and autonomous vehicles are other advances that are transforming the fraud prevention landscape. New businesses created by these technologies need to follow established governance processes and design fraud and abuse risk management and related internal controls into their business processes. As entirely new markets and products are developed, it’s important that risk managers with fraud investigation experience are involved proactively from the first. This blog has devoted several recent posts to blockchain technology.  Blockchain is a distributed ledger that maintains a shared list of records. Each of these records contains time-stamped data that is encoded and linked to every other previous transaction in that chain of transactions. The decentralized and distributed storage of these records provides visibility to everyone in the network and ensures that no single entity can change any of the historical records. While blockchain is already being used in numerous applications, most notably digital currencies, many other industries are exploring the technology.  Banks are testing cross-border financial transactions, and there is much speculation about the potential to use blockchain to eliminate the middle man in real estate deals, routine contract management, stock purchases, and other similar transactions. If blockchain is effective at eliminating intermediaries, the new business model will expose all the transacting parties to new fraud risks, which were previously being addressed by the middle man.

There are several ways CFEs can proactively help manage the effect of the fraud related aspects of disruptive technologies on their client organizations. By focusing on anti-fraud assurance, providing fraud scenario insight to management, and by demonstrating proficiency and expertise in innovative technologies, fraud examiners will be able to contribute significantly to the overall fraud prevention programs of our client organizations.

For many years organizations have been encouraged by economists to focus on what they do best. That is wise advice for the fraud examination profession, as well. By continuing to focus on governance, fraud risk, and preventative controls, CFEs can help ensure fraud prevention policies and processes are designed and operating effectively. Regardless of the nature or tempo of the changes, investigators will then be able to more effectively fulfill their mission. Moreover, proactively helping their organizations anticipate emerging fraud risks and technological changes can position fraud examiners as authorities and better prepare client organizations to better respond to disruptive events.

By aligning with the expectations of the profession’s key client stakeholders and working closely with those subject-matter experts who are implementing disruptive technologies from within and without, CFEs can remain focused on the most relevant and significant fraud prevention related issues.  For example, cybersecurity and data privacy are topics that every organization is managing. Identifying trends that will affect the organization, and collaborating with and providing insight to their stakeholders, can enable the CFE community to significantly affect the business agenda.  More than ever, fraud examiners must constantly pursue training to learn about recent technologies and the complex and emerging new risks being introduced into their organizations.  Additionally, chief investigators need to focus on developing an adaptive, flexible, innovative staffing model. This new model must tap into a highly specialized talent pool that has the technological competence to rapidly understand and leverage new tools, techniques, and processes.  Perhaps the most important thing CFEs can do to prepare for disruptive technological innovations is to embrace and leverage new technologies in their own work. CFE investigators need to be at the forefront of adopting artificial intelligence, cognitive computing, and smart robots.

All assurance professionals need to completely understand how technologies like blockchain work and how they can be used and analyzed in fraud investigations.  They must take advantage of machine learning and data analytics in their examination processes. Moreover, continuous fraud auditing should be the standard default for new review routines and real-time identification of fraud signatures and red flags should be a requirement as organizations implement new business processes.

In summary, the threat of disruptive technologies has arrived and will affect every organization regardless of its size or objectives. When Gordon Moore observed in 1965 that the number of transistors on an integrated circuit had doubled every year since transistors were invented, few thought that exponential growth would continue for more than 50 years. As computing power increases, technology becomes more mobile, data becomes more accessible and usable, and fraudsters capitalize on the opportunities that arise. Fraud risk managers will have to assess emerging threats consistently and continuously. CFEs will need to respond to emerging threats with new and better ways to perform our investigations and engage to redesign our own processes or face disruption ourselves.