Tag Archives: fraud examination

Fraud Detection-Fraud Prevention

One of our CFE chapter members left us a contact comment asking whether concurrent fraud auditing might not be a good fraud prevention tool for use by a retailer client of hers that receives hundreds of credit card payments for services each day. The foundational concepts behind concurrent fraud auditing owe much to the idea of continuous assurance auditing (CAA) that internal auditors have applied for years; I personally applied the approach as an essential tool throughout by carrier as a chief audit executive (CAE). Basically, the heart of a system of concurrent fraud auditing (CFA) like that of CAA is the process of embedding control based software monitors in real time, automated financial or payment systems to alert reviewers of transactional anomalies in as close to their occurrence as possible. Today’s networked/cloud based processing environments have made the implementation and support of such real time review approaches operationally feasible in ways that the older, batch processing based environments couldn’t.

Our member’s client uses several on-line, cloud based services to process its customer payments; these services provide our member’s client with a large database full of payment history, tantamount to a data warehouse, all available for use on SQL server, by in-house client IT applications like Oracle and SAP. In such a data rich environment, CFE’s and other assurance professionals can readily test for the presence of transactional patterns characteristic of defined, common payment fraud scenarios such as those associated with identity theft and money laundering. The objective of the CFA program is not necessarily to recover the dollars associated with on-line frauds but to continuously (in as close to real time as possible) adjust the edits in the payment collection and processing system so that certain fraudulent transactions (those associated with known fraud scenarios) stand a greater chance of not even getting processed in the first place. Over time, the CFA process should get better and better at editing out or flagging the anomalies associated with your defined scenarios.

The central concept of any CFA system is that of an independent application monitoring for suspected fraud related activity through, for example (as with our Chapter member), periodic (or even real time) reviews of the cloud based files of an automated payment system. Depending upon the degree of criticality of the results of its observations, activity summaries of unusual items can be generated with any specified frequency and/or highlighted to an exception report folder and communicated to auditors via “red flag” e-mail notices. At the heart of the system lies a set of measurable, operational metrics or tags associated with defined fraud scenarios. The fraud prevention team would establish the metrics it wishes to monitor as well as supporting standards for those metrics. As a simple example, the U.S. has established anti-money-laundering banking rules specifying that all transactions over $10,000 must be reported to regulators. By experience, the $10,000 threshold is a fraud related metric investigators have found to be generic in the identification of many money-laundering fraud scenarios. Anti-fraud metric tags could be built into the cloud based financial system of our Chapter member’s client to monitor in real time all accounts payable and other cash transfer transactions with a rule that any over $10,000 would be flagged and reviewed by a member of the audit staff. This same process could have multiple levels of metrics and standards with exceptions fed up to a first level assurance process that could monitor the outliers and, in some instances, send back a correcting feedback transaction to the financial system itself (an adjusting or corrective edit or transaction flag). The warning notes that our e-mail systems send us that our mailboxes are full are another example of this type of real time flagging and editing.

Yet other types of discrepancies would flow up to a second level fraud monitoring or audit process. This level would produce pre-formatted reports to management or constitute emergency exception notices. Beyond just reports, this level could produce more significant anti-fraud or assurance actions like the referral of a transaction or group of transactions to an enterprise fraud management committee for consideration as documentation of the need for an actual future financial system fraud prevention edit. To continue the e-mail example, this is where the system would initiate a transaction to prevent future mailbox accesses to an offending e-mail user.

There is additionally yet a third level for our system which is to use the CFA to monitor the concurrent fraud auditing process itself. Control procedures can be built to report monitoring results to external auditors, governmental regulators, the audit committee and to corporate council as documented evidence of management’s performance of due diligence in its fight against fraud.

So I would encourage our member CFE to discuss the CFA approach with the management of her client. It isn’t the right tool for everyone since such systems can vary greatly in cost depending upon the existing processing environment and level of IT sophistication of the implementing organization. CFA’s are particularly useful for monitoring purchase and payment cycle applications with an emphasis on controls over customer and vendor related fraud. CFA is an especially useful tool for any financial application where large amounts of cash are either coming in or going out the door (think banking applications) and to control all aspects of the processing of insurance claims.

Matching SOCS

I was chatting with the soon-to-be-retired information systems director of a major Richmond insurance company several nights ago at the gym. Our friendship goes back many years to when we were both audit directors for the Virginia State Auditor of Public Accounts. My friend was commenting, among other things, on the confusing flood of regulatory changes that’s swept over his industry in recent years relating to Service Organization Controls (SOC) reports. Since SOC reports can be important tools for fraud examiners, I thought they might be an interesting topic for a post.

Briefly, SOC reports are a group of internal control assurance reports, performed by independent reviewers, of IT organizations providing a range of computer based operational services, usually to multiple client corporations. The core idea of a SOC report is to have one or a series of reviews conducted of the internal controls related to financial reporting of the service organization and to then make versions of these reports available to the independent auditors of all the service organization’s user clients; in this way the service organization doesn’t have to be separately and repeatedly audited by the auditors of each of its separate clients, thereby avoiding much duplication of effort and expense on all sides.

In 2009 the International Auditing and Assurance Standards Board (IAASB) issued a new International Standard on Assurance Engagements: ‘ISAE 3402 Assurance Reports on Controls in a Service Organization’. The AICPA followed shortly thereafter with a revision of its own Statement on Auditing Standards (SAS) No. 70, guidance around the performance of third party service organization reports, releasing Statement on Standards for Attestation Engagement (SSAE) 16, ‘Reporting on Controls in a Service Organization’. So how does the SOC process work?

My friend’s insurance company (let’s call it Richmond Mutual) outsources (along with a number of companion companies) its claims processing functions to Fiscal Agent, Ltd. Richmond Mutual is the user organization and Fiscal Agent, Ltd is the service organization. To ensure that all the claims are processed and adequate internal controls are in place and functioning at the service organization, Richmond Mutual could appoint an independent CPA or service auditor to examine and report on the service organization’s controls. In the case of Richmond Mutual, however, the service organization itself, Fiscal Agent, Ltd, obtains the SOC report by appointing an independent service auditor to perform the audit and provide it with a SOC 1 report. A SOC 1 report provides assurance on the business processes that support internal controls over financial reporting and is, consequently, of interest to fraud examiners as, for example, an element to consider in structuring the fraud risk assessment. This report can then be shared with user organizations like Richmond Mutual and with their auditors as deemed necessary. The AICPA also provides for two other SOC reports: SOC 2 and SOC 3. The SOC 2 and SOC 3 reports are used for reporting on controls other than the internal controls over financial reporting. One of the key differences between SOC 2 and SOC 3 reports is that a SOC 3 is a general use report to be provided to anyone while SOC 2 reports are only for those users specifically specified in the report; in other words, the distribution is limited.

SOC reports are valuable to their many users for a whole host of obvious reasons but Fraud Examiners and other assurance professionals need to keep in mind some common misconceptions about them (some shared, I found, by my IT friend). SOC reports are not assurances. IASSB and AICPA guidelines specify that SOC reports are to be of limited distribution, to be used by the service organization, user organization and user auditors only and thus should never be used for any other service organization purpose; never, for example, as marketing or advertising tools to assure potential clients of service organization quality.

SOC 1 reports are used only for reporting on service organization internal controls over financial reporting; in cases where a user or a service organization wants to assess such areas as data privacy or confidentiality, they need to arrange for the performance of a SOC 2 and/or SOC 3 report.

It’s also a common mistake to assume that the SOC report is sufficient verification of internal controls and that no controls on the user organization side need to be assessed by the auditors; the guidelines are clear that while verifying controls at the service organization, controls at the user organization should also be verified. Since service the organization provides considerable information as background for the service auditor’s review, service organizations are often under the mistaken impression that the accuracy of this background information will not be evaluated by the SOC reviewer. The guidelines specify that SOC auditors should carefully verify the quality and accuracy of the information provided by the service organization under the “information provided by the service organization” section of their audit program.

In summary, the purpose of SOC 1 reports is to provide assurance on the processes that support internal controls over financial reporting. Fraud examiners and other users should take the time to understand the varied purpose(s) of the three types of SOC reports so they can use them intelligently. These reports can be extremely useful to fraud examiners assessing the fraud enterprise risk prevention programs of user organizations to understand the controls that impact financial operations and related IT controls, especially in multiple-service provider scenarios.

Sniffing it Out

The first Virginia governor I worked for directly was John Dalton, who was fond of saying that his personal gauge for ethically challenged behavior was the smell test, i.e., did any proposed action (and its follow-on implications) have the odor of appropriateness. Philosophical theories provide the bases for most useful practical decision approaches and aids, although a majority of seasoned executives are unaware of how and why this is so. Whatever the foundation of the phenomena may be, most experienced directors, executives, professional accountants (and governors) appear to have developed tests and commonly used rules of thumb that can be used to assess the ethicality of decisions on a preliminary basis.

If these preliminary tests give rise to concerns, most think a more thorough analysis should be performed. It is often appropriate (and quite common in practice) for subordinate managers and other employees to be asked to check a proposed decision in a quick, preliminary manner to see if an additional full-blown ethical or practicality analysis is required. These quick tests are often referred to as sniff tests. If any of these quick tests are negative, employees are asked to seek out someone like the corporate counsel or an ethics officer (if there is one) for consultation, or to personally perform a full-blown analysis of the proposed action. This analysis is usually retained, and perhaps even reviewed by upper management.

Some of the more common sniff tests employed by managers with whom I’ve worked are:

–Would I be comfortable if this action or decision were to appear on the front page of a national newspaper tomorrow morning?
Will I be proud of this decision?
Will my mother and father be proud of this decision?
Is this action or decision in accord with the corporation’s mission and code?
Does this feel right to me?

Unfortunately, although sniff tests and commonly used ethical rules of thumb are based on ethical principles as popularly conceived and are often useful, they rarely, by themselves, represent anything approaching a comprehensive examination of the confronting decision and therefore can leave the individuals and organization(s) involved vulnerable to making a challengeable choice. For this reason, experts advise that more comprehensive techniques of evaluation should be employed whenever a proposed decision is questionable or likely to have significant consequences. Analysis of specific sniff tests and the related heuristics reveals that they usually focus on a fraction of the comprehensive set of criteria that more complete forms of analysis examine.

Traditionally, an accepted business school case approach to the assessment of a corporate decision and the resulting action has been to evaluate the end results or consequences of the action. To most businesspeople, this evaluation has traditionally been based on the decision’s impact on the interests of the company’s owners or shareholders.

Usually these impacts have been measured in terms of the profit or loss involved, because net profit has been the measure of well-being that shareholders have wanted to maximize. This traditional view of corporate accountability has been modified over the last two decades in two ways. First, the assumption that all shareholders want to maximize only short-term profit appears to represent too narrow a focus. Second, the rights and claims of many non-shareholder groups, such as employees, consumers/clients, suppliers, lenders, environmentalists, host communities, and governments that have a stake or interest in the outcome of the decision, or in the company itself, are being accorded an increased status in corporate decision making.

Modern corporations are increasingly declaring that they are holding themselves self -accountable to shareholders and to non-shareholder groups alike, both of which form the set of stakeholders to which the company pledges to respond. It has become evident (look at the Enron example) that a company cannot reach its full potential, and may even perish, if it loses the support of even one of a select set of its stakeholders known as primary stakeholders.

The assumption of a monolithic shareholder group interested only in short-term profit is undergoing modification primarily because modem corporations are finding their shareholders are to an increasing degree made up of persons and institutional investors who are interested in longer-term time horizons and in how ethically individual businesses are conducted. The latter, who are referred to as ethical investors, apply two screens to investments: Do the investee companies make a profit in excess of appropriate hurdle rates, and do they strive to earn that profit in a demonstrably ethical manner?

Because of the size of the shareholdings of mutual and pension funds, and of other types of institutional investors involved, corporate directors and executives have found that the wishes of ethical investors can be ignored only at their peril. Ethical investors have developed informal and formal networks through which they inform themselves about corporate activity, decide how to vote proxies, and how to approach boards of directors to get them to pay attention to their concerns in such areas as environmental protection, excessive executive compensation, and human rights activities in specific countries and regions. Ethical investors as well as other stakeholder groups, tend to be increasingly unwilling to squeeze the last ounce of profit out of the current year if it means damaging the environment or the privacy rights of other stakeholders. They believe in managing the corporation on a broader basis than short-term profit only. Usually the maximization of profit in a longer than one-year time frame requires harmonious relationships with most stakeholder groups based on the recognition of the interests of those groups.

A negative public relations experience can be a significant and embarrassing price to pay for a decision making process that fails to take the. wishes of stakeholder groups into account. Whether or not special interest groups of private citizens are also shareholders, their capacity to make corporations accountable through social media is evident and growing. The farsighted executive and director will want these concerns taken into account before offended stakeholders have to remind them.

Taking the concerns or interests of stakeholders into account when making decisions, by considering the potential impact of decisions on each stakeholder, is therefore a wise practice if executives want to maintain stakeholder support. However, the multiplicity of stakeholders and stakeholder groups makes this a complex task. To simplify the process, it is desirable to identify and consider a set of commonly held or fundamental stakeholder interests to help focus analyses and decision making on ethical dimensions; stakeholder interests such as the following:

1.Their interest(s) should be better off as a result of the decision.
2. The decision should result in a fair distribution of benefits and burdens.
3. The decision should not offend any of the rights of any stakeholder, including the decision maker, and ..
4. The resulting behavior should demonstrate duties owed as virtuously as expected.

To some extent, these fundamental interests have to be tempered by the realities facing decision makers. For example, although a proposed decision should maximize the betterment of all stakeholders, trade-offs often have to be made between stakeholders’ interests. Consequently, the incurrence of pollution control costs may be counter to the interests of short-term profits that are of interest to some current shareholders and managers. Similarly, there are times when all stakeholders will find a decision acceptable even though one or more of them, or the groups they represent, may be worse off as a result.

In recognition of the requirement for trade-offs and for the understanding that a decision can advance the well-being of all stakeholders as a group, even if some individuals are personally worse off, this fundamental interest should be modified to focus on the well-being of stakeholders rather than only on their betterment. This modification represents a shift from utilitarianism to consequentialism. Once the focus on betterment is relaxed to shift to well-being, the need to analyze the impact of a decision in terms of all four fundamental interests becomes apparent. It is possible, for example, to find that a proposed decision may produce an overall benefit, but the distribution of the burden of producing that decision may be so debilitating to the interests of one or more stakeholder groups that it may be considered grossly unfair. Alternatively, a decision may result in an overall net benefit and be fair, but may offend the rights of a stakeholder and therefore be considered not right. For example, deciding not to recall a marginally flawed product may be cost effective, but would not be considered to be right if users could be seriously injured. Similarly, a decision that does not demonstrate the character, integrity, or courage expected will be considered ethically suspect by stakeholders.

A professional CFE can use an assessment of our client organization’s stakeholder ethical concerns in making pro-active recommendations about fraud detection and prevention strategies and in conducting investigations and should be ready to prepare or assist in such assessments for employers or clients just as they currently do in other fraud deterrence related business processes.

Although many hard-numbers-oriented investigators will be wary of becoming involved with the soft risk assessment of management’s tone-at-the-top ethically shaped decisions, they should bear in mind that the world is changing to put a much higher value on the quality and impact of management’s whole governance structure, the posture of which cannot failure to negatively or positively affect the design of the client’s fraud control and prevention programs.

Ambiguous Transactions

As any experienced fraud examiner will be happy to tell you, unambiguously distinguishing individual instances of fraud, waste and abuse, one from the other, can be challenging; that’s because transactions demonstrating characteristics of one of these issues so often share characteristics of the other(s). A spate of recent articles in the trade press confirm the public impression not only that health care costs are constantly rising but that poorly controlled health care provider reimbursement systems represent significant targets of waste and abuse, both within companies themselves and from external bad actors.

While some organizations review their health benefits programs and health administrator organizations annually, others appear to be doing relatively little in this area. Consequently, CFEs are increasingly being asked as audit team members to participate in fraud risk assessments of hearth benefits administration (HBA) programs for corporations, government entities, and nonprofit organizations. As a consequence, ACFE members are increasingly identifying practices that result in recoverable losses as well as losses that were never recovered because some among our client organizations have never effectively audited their health benefit plans.

A good place to start with this type of fraud risk assessment is for the CFE to evaluate the oversight of HBA reporting activities that could identify unidentified losses for the client organization.

Many organizations contract with third-party administrators (TPAs) to oversee their employee insurance claims process, health care provider network, care utilization review, and employee health plan membership functions. In the arena of claims processing, in today’s environment of rising costs, TPAs can make significant claim payment errors that result in financial losses to the CFE’s client organization if such errors are not promptly identified, recovered, and credited back to the plan. Claim overpayments are common in the industry; and most TPAs themselves have audit processes in place to minimize the losses to their clients. Many control assurance professionals incorrectly assume that the claim audit covers all the exposures, as the primary function of claims administration is to pay claims. This misconception can block a true understanding of the nature of the exposures and lessen the client’s sense of the necessity that systematic fraud and waste detection audits of health care claims transactions are performed, both externally and internally.

The trade press recently reported that an administrator for a U.S. federal government health benefit’s health plan changed its method of administering coordination of benefits (COB) from “pursue and pay” to “pay and pursue.” Under “pursue and pay,” the administrator determines who the primary insurance payer is before making payment. Under “pay and pursue,” the administrator pays the insurance claim and pursues a refund only if it itself is determined to be the secondary payer. In this case, the clients were billed for the payment of full benefits, even though they should have been the secondary payers. The financially strapped administrator recovered the overpayments, deposited them into a bank account, and never credited its clients. Following an audit, one of the client plans received a check for $2.3 million for its share of the refunds that were not returned to it. Is this case of apparent deception an example of fraud? Of waste? Or of abuse?

If COB savings had been routinely monitored by each of the plans, along with each client’s other cost containment activities, they would have noticed that the COB savings had fallen off and were next to nothing under “pay and pursue.” When looking at COB, CFEs and client internal auditors should review the provisions of the contract with the administrator to determine who is responsible for identifying other group coverage (OGC), the methodology for investigating OGC, time limitations for recovering overpayments, and the requirements for the reporting of savings to the client organization by the administrator. In conducting their risk assessments, client management and CFEs also should consider the controls over the organization’s oversight of monitoring COB savings and over the other cost containment activities performed by the administrator.

The COB case considered above was intentional deception, but losses also can be unintentional. To recover overpayments, the TPA can use a refund request letter to request refunds from healthcare providers (hospitals, physicians, etc.), or use the provider offset method, which deducts the overpayment from the provider’s next payment. The ACFE has reported one case in which a provider voluntarily returned an overpayment. The administrator’s policy was to return the refund check to the submitting provider with a form to complete including instructions to send the form and the check back to the administrator to initiate a provider offset on the next payment to the provider. No logs were kept of the checks received and returned to the providers. Following an audit, the client found that, because of a lack of training, personnel of its administrator had deposited the returned checks from providers into an administrative holding account. Subsequent to the investigation and administrative staff training, the client’s refund activity increased from almost nothing to more than $1 million a year. Including the monitoring and analyzing of refund activity as a component of the fraud prevention program will unfailingly provide insight into how well claim overpayments are being controlled.

When assessing for fraud risk regarding refund activity for health insurance overpayments, CFEs should pay attention to the collection methods used by the administrator, overpayment amounts and time limitations for recovery, and the use of external vendors and their shared savings on recoveries. Reporting from the administrator should be required to include an analysis of refund activity, the reasons for the refund(s), breakout between solicited and unsolicited refunds, and the balance of outstanding refunds.

Sometimes it cannot be determined whether an organization’s losses are intentional or unintentional. For example, in one review, several organizations contracted with a marketing firm specializing in a new approach to control health-care costs. The marketing firm hired an administrator to process the claims for its clients. After four months with the firm, an alert accountant at one of the organizations questioned why funding requests coming from the marketing firm were running 20 percent higher each month than they had been with the previous administrator. The organization’s finance division requested a review which revealed that the marketing firm had been billing its clients based on claims processed by the administrator, including claims not paid. The firm insisted it had not been aware that the funding requests resulted in client overbilling and agreed to refund the overbilled amounts to the organization.

Monitoring and approving the funding requests against some measure of expected costs can identify when costs should be investigated. When reviewing funding requests, assurance professionals should pay attention to the internal funding approval process, supporting detail provided by the administrator to support the funding, funding limitation controls to identify possible overfunding for follow-up investigation, bank account setup and account access, and the internal funding reconciliation process.

While losses may occur because of the administrator’s practices, losses (waste) also can go undetected because the organization does not perform adequate oversight of the practices used on its accounts. Preferred provider organization (PPO) discounts are common in managed health care plans. When organizations use PPO networks that are independent of the administrator’s contracted network, the PPO networks receive the claim first to reprice it with the negotiated rate. The PPO network generates a repricing sheet, which is sent with the original claim to the administrator for processing and payment.

In one case, no one explained the repricing sheets to the claim examiners, so they ignored them. The claims system automatically priced and loaded the administrator’s network claims with the negotiated rates into the claims system. However, because the client’s external PPO network fees were not in the claims system, the claims were paid at billed charges. The client lost an estimated $750,000 in discounts over a one-year period and was paying 34 percent of the savings to the PPO networks for savings that it never received. The client did not detect the lost discounts because it never reconciled the discounts reported by the PPO’s quarterly billings for its share of the savings to a discount savings as reported by the administrator.

While examining risks regarding discounts, CFE’s auditors should review the administrator’s or independent PPO network’s contracts regarding PPO pricing and access to pricing variation for in-network provider audits, alternative savings arrangements using external vendors for out-of-network providers, and reporting of PPO discount savings. Within their own organizations, auditors should be instructed to review the internal process of monitoring discount reporting and reconcile PPO shared savings to the administrator reporting the discounts.

There are frequent reports on fraud, abuse, and errors in government health programs issued by the U.S. Department of Health and Human Services’ Office of the Inspector General and by the U.S. Government Accountability Office; all these reports can be of use to CFEs in the conduct of our investigations. Because many of our client organization’s health plans mirror government programs, the fraud risk exposure in organizations is almost everywhere the same. Organizations have incurred tremendous losses by not systematically reviewing benefits administration and through lack of understanding of the dynamics of health plan oversight within their organizations. Developing and promoting a team response within an organization to foster understanding of the exposures in the industry is a practical role for all CFEs. This posture puts fraud examiners (as members of the fraud/abuse prevention and response team) in a position to provide management with assurance that the reporting on the millions spent on employees’ health benefits is accurate and reasonable and that associated costs are justified.

Analytic Reinforcements

Rumbi’s post of last week on ransomware got me thinking on a long drive back from Washington about what an excellent tool the AICPA’s new Cybersecurity Risk Management Reporting Framework is, not only for CPAs but for CFEs as well as for all our client organizations. As the seemingly relentless wave of cyberattacks continues with no sign of let up, organizations are under intense pressure from key stakeholders and regulators to implement and enhance their cyber security and fraud prevention programs to protect customers, employees and all the types of valuable information in their possession.

According to research from the ACFE, the average total cost per company, per event of a data breach is $3.62 million. Initial damage estimates of a single breach, while often staggering, may not take into account less obvious and often undetectable threats such as the theft of intellectual property, espionage, destruction of data, attacks on core operations or attempts to disable critical infrastructure. These effects can knock on for years and have devastating financial, operational and brand impact ramifications.

Given the present broad regulatory pressures to tighten cyber security controls and the visibility surrounding cyberrisk, a number of proposed regulations focused on improving cyber security risk management programs have been introduced in the United States over the past few years by our various governing bodies. One of the more prominent is a regulation by the New York Department of Financial Services (NYDFS) that prescribes certain minimum cyber security standards for those entities regulated by the NYDFS. Based on an entity’s risk assessment, the NYDFS law has specific requirements around data encryption and including data protection and retention, third-party information security, application security, incident response and breach notification, board reporting, and required annual re-certifications.

However, organizations continue to report to the ACFE regarding their struggle to systematically report to stakeholders on the overall effectiveness of their cyber security risk management programs. In response, the AICPA in April of last year released a new cyber security risk management reporting framework intended to help organizations expand cyberrisk reporting to a broad range of internal and external users, to include management and the board of directors. The AICPA’s new reporting framework is designed to address the need for greater stakeholder transparency by providing in-depth, easily consumable information about the state of an organization’s cyberrisk management program. The cyber security risk management examination uses an independent, objective reporting approach and employs broader and more flexible criteria. For example, it allows for the selection and utilization of any control framework considered suitable and available in establishing the entity’s basic cyber security objectives and in developing and maintaining controls within the entity’s cyber security risk management program irregardless of whether the standard is the US National Institute of Standards and Technology (NIST)’s Cybersecurity Framework, the International Organization for standardization (ISO)’s ISO 27001/2 and related frameworks, or even an internally developed framework based on a combination of sources. The examination is voluntary, and applies to all types of entities, but should be considered by CFEs as a leading practice that provides management, boards and other key stakeholders with clear insight into the current state of an organization’s cyber security program while identifying gaps or pitfalls that leave organizations vulnerable to cyber fraud and other intrusions.

What stakeholders might benefit from a client organization’s cyber security risk management examination report? Clearly, we CFEs as we go about our routine fraud risk assessments; but such a report, most importantly, can be vital in helping an organization’s board of directors establish appropriate oversight of a company’s cyber security risk program and credibly communicate its effectiveness to stakeholders, including investors, analysts, customers, business partners and regulators. By leveraging this information, boards can challenge management’s assertions around the effectiveness of their cyberrisk management and fraud prevention programs and drive more effective decision making. Active involvement and oversight from the board can help ensure that an organization is paying adequate attention to cyberrisk management and displaying due diligence. The board can help shape expectations for reporting on cyberthreats while also advocating for greater transparency and assurance around the effectiveness of the program.

The cyber security risk management report in its initial and follow-up iterations can be invaluable in providing overview guidance to CFEs and forensic accountants in targeting both fraud prevention and fraud detection/investigative analytics. We know from our ACFE training that data analytics need to be fully integrated into the investigative process. Ensuring that data analytics are embedded in the detection/investigative process requires support from all levels, starting with the managing CFE. It will be an easier, more coherent process for management to support such a process if management is already supporting cyber security risk management reporting. Management will also have an easier time reinforcing the use of analytics generally, although the data analytics function supporting fraud examination will still have to market its services, team leaders will still be challenged by management, and team members will still have to be trained to effectively employ the newer analytical tools.

The presence of a robust cyber security risk management reporting process should also prove of assistance to the lead CFE in establishing goals for the implementation and use of data analytics in every investigation, and these goals should be communicated to the entire investigative team. It should be made clear to every level of the client organization that data analytics will support the investigative planning process for every detected fraud. The identification of business processes, IT systems, data sources, and potential analytic routines should be discussed and considered not only during planning, but also throughout every stage of the entire investigative engagement. Key in obtaining the buy-in of all is to include investigative team members in identifying areas or tests that the analytics group will target in support of the field work. Initially, it will be important to highlight success stories and educate managers and team leaders about what is possible. Improving on the traditional investigative approach of document review, interviewing, transaction review, etc. investigators can benefit from the implementation of data analytics to allow for more precise identification of the control deficiencies, instances of noncompliance with policies and procedures, and mis-assessment of areas of high risk that contributed to the development of the fraud in the first place. These same analytics can then be used to ensure that appropriate post-fraud management follow-up has occurred by elevating the identified deficiencies to the cyber security risk management reporting process and by implementing enhanced fraud prevention procedures in areas of higher fraud risk. This process would be especially useful in responding to and following up data breaches.

Once patterns are gathered and centralized, analytics can be employed to measure the frequency of occurrence, the bit sizes, the quantity of files executed and average time of use. The math involved allows an examiner to grasp the big picture. Individuals, including examiners, are normally overwhelmed by the sheer volume of information, but automation of pattern recognizing techniques makes big data a tractable investigative resource. The larger the sample size, the easier it is to determine patterns of normal and abnormal behavior. Network haystacks are bombarded by algorithms that can notify the CFE information archeologist about the probes of an insider threat for example.

Without analytics, enterprise-level fraud examination and risk assessment is a diminished discipline, limited in scope and effectiveness. Without an educated investigative workforce, armed with a programing language for automation and an accompanying data-mining philosophy and skill set, the control needs of management leaders at the enterprise level will go unmet; leaders will not have the data needed for fraud prevention on a large scale nor a workforce that is capable of getting them that data in the emergency following a breach or penetration.

The beauty of analytics, from a security and fraud prevention perspective, is that it allows the investigative efforts of the CFE to align with the critical functions of corporate business. It can be used to discover recurring risks, incidents and common trends that might otherwise have been missed. Establishing numerical baselines on quantified data can supplement a normal investigator’s tasks and enhance the auditor’s ability to see beneath the surface of what is presented in an examination. Good communication of analyzed data gives decision makers a better view of their systems through a holistic approach, which can aid in the creation of enterprise-level goals. Analytics and data mining always add dimension and depth to the CFE’s examination process at the enterprise level and dovetail with and are supported beautifully by the AICPA’s cyber security risk management reporting initiative.

CFEs should encourage the staffs of client analytics support functions to possess …

–understanding of the employing enterprise’s data concepts (data elements, record types, database types, and data file formats).
–understanding of logical and physical database structures.
–the ability to communicate effectively with IT and related functions to achieve efficient data acquisition and analysis.
–the ability to perform ad hoc data analysis as required to meet specific fraud examiner and fraud prevention objectives.
–the ability to design, build, and maintain well-documented, ongoing automated data analysis routines.
–the ability to provide consultative assistance to others who are involved in the application of analytics.

Taken Hostage

by Rumbi Petrozzello
2019 Vice President – Central Virginia ACFE Chapter

On March 22, 2018, I flew into the Atlanta Airport and stopped by the airport’s EMS offices to request an incident report. The gentleman who greeted me at the entrance to the offices was very kind and asked me to wait while he pulled up the details of the report for me. He called over to his coworker, who was sitting in front of a computer, and asked him for help. I heard the coworker clicking on his mouse a few times and then he said that his machine didn’t seem to be working. “It hasn’t been working all morning,” he added. The gentleman then gave me a phone number to call for assistance and apologized for not being more helpful. After I called the number, got voicemail and left a message, I became concerned because I was leaving the country the next day for a week and a half and so hoped that someone would get back to me that day.

Unfortunately, no one had called me back by the time I left. When I returned, I found no voicemail. I called again and left a message. A week after that, the airport EMS Chief returned my call with apologies for the delay – their computers had been down, and he was only now able to start getting back to people. Because I had been out of the country and not really following the news, it was only after a couple of months that I put two and two together. At that point I was working on Eye on Fraud, a publication of the AICPA’s Fraud Task Force. The edition was on Ransomware and as I looked at the information concerning Atlanta, I noticed the dates and realized that the day that I flew into Atlanta and visited the EMS office was the same day that the city of Atlanta was struck by a ransomware attack that crippled the city for over a week and resulted in costs to the city exceeding $2.6 million; a lot more than the $52,000 that was demanded in ransom by the attackers. In late November, two Iranians were indicted for the Atlanta and other attacks. The Atlanta ransomware attack featured many characteristics shared by such attacks, be they on individuals, companies, or governments.

Ransomware attacks have been a problem for decades; the first such documented attack took place in 1989. At that time the malicious code was delivered to victims’ computers via floppy disk and the whole exploit was very easy for victims to reverse. 2006 saw a big uptick in ransomware attacks and, today, ransomware is big business for individual cyber criminals and for organized gangs alike, earning them about a billion dollars in 2016.

Ransomware is a form of malware (malicious software), and works in one of two general ways:

1. Crypto-ransomware encrypts hard drives or files and folders.
2. Locker-ransomware locks users out of their machines, without employing encryption.

As time has gone on, ransomware has become more complex and ransomware attacks more sophisticated. One way in which cyber criminals break into computer systems is via human engineering. This can take the form of an email with a malicious attachment or a link to a compromised website. Cyber criminals also take advantage of known weaknesses in computer operating systems. The WannaCry ransomware, which swept the globe several years ago, took advantage of a flaw in Microsoft Windows. This underscores how essential it is to provide cyber training to employees and to update this training often. Employees must be taught to always be vigilant and on the lookout for such attacks, and to maintain awareness of how such threats are constantly changing and migrating. All it takes is a single employee lapse in judgment and attention for malware to get into a business’s computer system. It’s also essential to keep computers and software up to date with the latest patches. WannaCry was successful in part because Microsoft had discontinued its support of some versions of Windows, including for Windows XP and Windows Server 2003. The amount of money companies thought they were saving by continuing to use old unsupported software was dwarfed by the cost of recovery from malware attacks specifically targeting that software.

When CFEs and forensic accountants dialogue with clients about ransomware attack scenarios, we should remind them that cyber criminals are equal opportunity offenders when it comes to such exploits. Employees should be alert to this whether they are working on an employer’s machine or on a personal one. Ransomware has now made its way into the smartphone space, so employees should be made aware that heightened vigilance should extend even to their smartphones. CFEs should additionally work with clients to fund penetration and phishing tests to determine how effective staff training has been and to highlight areas for improvement.

Both individuals and companies should have a plan on how they will deal with a possible ransomware attack. A well-thought out plan can minimize the effects of an attack and can also mean that the reaction to the attack is measured and not mounted on the basis of uncoordinated panic. For example, when LabCorp was attacked in July 2018, the company contained the spread of the malware in less than an hour. Its, therefore, doubly important that we CFEs and forensic accountants work with IT specialists to formulate an advance plan in case of a ransomware or other malware, attack.

Experts recommend that ransom should not be paid. Clients need to be made to understand that when their systems are taken hostage, they are dealing with criminals and criminals are, more often than not, not to be trusted. When the city of Leeds, Alabama, was attacked, the city paid the cyber criminals $12,000 in ransom. Despite making this payment, the hackers restored only a limited number of files. The city was then faced with the expenditure of additional funds in the attempt to recover or rebuild the remaining files. Sometimes hackers will disappear with ransom and restore nothing. In the face of this, companies and individuals should be encouraged to have back up and restoration plans. To be useful, backups must be made regularly and kept physically separate from the machine or network being protected. The recovery plan should be tested at least annually.

Ransomware exploits are not going away any time soon. Ransomware attacks are a way to get money, not only through the ransom demanded itself but also through access to other sensitive information belonging to employees and clients. Often the hacker will demand a nominal amount in ransom and sell the information stolen by access to the company’s network for a lot more.

We, as CFEs and forensic accountants, can help our client address the ballooning threat in a number of ways:

• by performing a risk assessments of clients’ systems and processes, to identify weaknesses and areas for control improvement.
• by providing staff training on security best practices. This training should be updated at least once a year; in addition to updating staff on changes, this will also serve to remind employees to be vigilant. This training must include everyone in a company, even top management and the board.
• by reminding clients to keep software up to date and to consider upgrades or total changes when an application is no longer supported. Encourage management to have software updates automated on employees’ machines.
• by working with clients to create a backup and recovery system, that features off-site backups. This program should be tested regularly, and backups should be reviewed to ensure their integrity.
• by working with IT and third-party vendors on annual penetration and social engineering testing at client locations. The third-party vendors used should be rotated ever three years.

CSO Online predicts that ransomware attacks will rise to one every 14 seconds by the end of 2019. We CFEs and forensic accountants should work with our clients to innovate effective ways to protect themselves and to mitigate the effects of the future attacks that certainly will occur. The key is to ensure that clients remain educated, vigilant and prepared.

Detect and Prevent

I got a call last week from a long term colleague, one of whose smaller client firms recently discovered a long running key-employee initiated fraud. My friend has been asked to assist her client in developing approaches to strengthen controls to, hopefully, prevent such disasters in the future.

ACFE training has consistently told us over the years, and daily experience repeatedly confirmed, that it is simply not possible or economical to stop all fraud before it happens. The only way for a retail concern to absolutely stop shoplifting might be to close and accept orders only over the Internet. Similarly, the only way for a bank to absolutely stop all loan fraud might be for it to stop lending money.

In general, my friend and I agreed during our conversation, that increasing preventive security can reduce fraud losses, but beyond some point, the cost of additional preventive security will exceed the related savings from reduced fraud losses. This is where detection comes in; it may be economical when prevention is not. One way to prevent a salesclerk from stealing from the register would be for the security department to carefully monitor, review, and approve every one of the clerk’s sales. However, it would likely be much more cost effective instead to implement a simple detective control: an end-of-shift reconciliation between the cash in the register and the transactions logged by the cash register during the clerk’s shift. If refunds are not given at the point of sale, the end-of-shift balance of cash in the register should equal the shift’s sales per the transaction logs minus the balance of cash in the register at the beginning of the shift. Any significant failure of these numbers to reconcile would amount to a red flag. Of course, further investigation could show that the clerk simply made an error and so did not commit fraud.

But the cost effectiveness of detective controls, like preventive controls, imposes limits. First, such controls are not cost free to implement, and improving detective controls may cost more than the results they provide. Second, detective controls produce both false positives and false negatives. A false positive occurs when a detective control signals a possible fraud that upon investigation turns up a reasonable explanation for the indicator. A false negative occurs when a detective control fails to signal a possible fraud when one exists. Reducing false negatives means increasing the fraud detection rate.

Similarly, the cost effectiveness of increasing preventive security has a limit as does the benefit of increasing the fraud detection rate. To increase the detection rate, it’s necessary to increase the frequency at which the detective control signals possible fraud. The result is more expensive investigations, and the cost of such additional investigations can exceed the resulting reduction in fraud losses.

As we all learned in undergraduate auditing, controls are essentially policies and procedures designed to minimize losses due to fraud or to other events such as errors or acts of nature. Corrective controls are merely special control types involved once a loss is known to exist. With respect to fraud, an important corrective control involves the investigation of potential frauds and the investigation and recovery process from discovered frauds.

More generally speaking, fraud investigations themselves serve not only a corrective function but also detective and preventive functions. Such investigations are detective of fraud to the extent that they follow up on fraud signals or red flags in order to confirm or disconfirm the presence of fraud. But once fraud is confirmed to exist, fraud examinations shift toward gathering evidence and become corrective by assisting in recovery from the perpetrator and other sources such as from insurance. Fraud investigations are also corrective in that they can lead to the revelation and repair of heretofore unknown weaknesses.

The end result is that the fraud investigation functions to correct the original loss, and the related discovery of the fraud scenario leads to prevention of similar losses in the future. In summary, the fraud examination has served to detect, correct, and prevent fraud. However, fraud investigations are not normally thought of as detective controls. This so is because fraud investigations tend to be much more costly than standard detective controls and therefore are normally used only when there is already some predication in the form of a fraud indicator triggered by a typical detective control. Therefore, the primary functions of fraud investigations are to address existing frauds and help to prevent future ones.

In some cases, the primary benefit of a fraud investigation might be to prevent future frauds. Even when recovery is impossible or impractical (e.g., because the thief has no assets), unwinding the fraud scheme may still have the benefit of leading to the prevention of the same scheme in the future. Furthermore, a company might benefit from spending a very large sum of money to investigate and prosecute a very small theft in order to deter other individuals from defrauding the company in the same way. Many State governments have statutes specifying that every fraud affecting governmental assets, whether large or small, must be fully investigated because taxpayer funds are involved (the assets affected are public property).

There is never a guarantee that investigating a fraud indicator will lead to the discovery of fraud. Depending on the situation, an investigation might lead to nothing at all (i.e., produce a reasonable explanation for the original red flag) or to the discovery of losses due to simple errors, waste, inefficiencies, or even uncontrollable events like acts of nature. If a lender is considering a loan application, a fraud indicator might indicate nothing, fraud, or an error. On the other hand, in regard to the possible theft of raw materials in a production process, a fraud indicator just might indicate undocumented waste or scrap.

Two important factors to consider concerning the general design of a fraud detection process are not only the costs and benefits of detecting, correcting, and preventing a given fraud scenario but also the costs and benefits of detecting, correcting, and preventing errors, waste, uncontrollable events, and inefficiencies in general. Of course, the particular costs that are relevant will vary from one type of business process to another.

As a general rule, we can say that both preventive controls and detective controls cost less than corrective controls. Corrective controls tend to involve hands-on, resource-intensive investigations, and in many cases, such investigations do not result in recovering the loss. On the other hand, preventive controls can also be quite costly. Banks pay armed guards and incur costs to maintain expensive vaults and alarm systems. Companies surround their headquarters with high fences and armed guards, and use security checkpoints and biometric key card systems inside. On the information technology side, firms use sophisticated firewalls and multi-layer access controls. The costs of all these preventive measures can add up to staggering sums in large companies. Of course, losses that are not prevented or corrected in a timely fashion can lead to the ultimate corrective measure: bankruptcy. In fact, some ACFE estimates show that about one-third of all business failures relate to some form of fraudulent activity.

One positive aspect of the cost of preventive controls is that unlike detective controls, they do not generate fraud indicators that lead to costly investigations. In fact, they tend to do their job in complete silence so that management never even knows when they prevent a fraud. The thick door of a bank vault with a time lock prevents bank employees from entering the building at night to steal its contents. Similarly, passwords, pin numbers, and biometric data silently provide access to authorized individuals and prevent access from others.

The problem with preventive controls is that they are always subject to circumvention by determined and cunning fraudsters. There is no perfect solution to preventing acts of fraud, so detection is necessary as a secondary line of defense, and in some cases, as the primary line of defense. Consider a lending company that accepts online loan applications. It may be difficult or impossible to prevent fraudulent applications, but the company can certainly put a sophisticated (and expensive) system in place to analyze applications and provide indicators that suggest when an application may be fraudulent.

In general, the optimal allocation of resources to prevention versus detection depends on the particular business process under consideration. So, there is no general rule that dictates the optimal allocation of resources between prevention versus detection. But there are some general steps that can assist in making the allocation:

1. Analyze the target business process and identify threats and vulnerabilities.
2. Select reasonable preventive controls according to the business process and customs within the client’s industry.
3. Estimate fraud losses given the assumed preventive controls.
4. Identify and add a basic set of detective controls to the system.
5. For a given set of detective controls, identify the optimal mix of false negatives versus false positives. The optimal mix depends on the costs of investigations versus the costs of losses. Large losses and small investigation costs favor relatively low false negatives and high false positives for red flags.
6. Given the assumed mix of false negative and false positive errors, estimate the incremental cost associated with adding the detective (and related corrective) controls, and estimate the resulting reduction in fraud losses.
7. Compare the reduction in fraud losses with the increase in costs associated with adding the optimal mix of detection and correction controls.
8. If increase in costs is significantly lower than the related reduction in fraud losses, consider adding more detective controls. Otherwise, accept the set of detective controls under consideration.

The Unsanctioned Invoice

Of all the frauds classified as occupational, one of the most pernicious encountered by CFEs is the personal purchase with company funds scam. I say pernicious because not only is this type of fraud a cancer, devouring it’s host organization from within, but also because this basic fraud scenario can take on so many different forms.

Instead of undertaking externally involved schemes to generate cash, many employed fraudsters choose to betray their employers by simply purchasing personal items with their company’s money. Company accounts are used by the vampires to buy items for their side businesses and for their families. The list of benefiting recipients goes on and on. In one case a supervisor started a company for his son and directed work to the son’s company. In addition to this ethically challenged behavior, the supervisor saw to it that his employer purchased all the materials and supplies necessary for running the son’s business. As the fraud matured, the supervisor purchased materials through his employer that were used to add a room to his own house. All in all, the perpetrator bought nearly $50,000 worth of supplies and materials for himself and various others using company money.

One might wonder why a purchases fraud is not classified by the ACFE as a theft of inventory or other assets rather than as a billing scheme. After all, in purchases schemes the fraudster buys something with company money, then takes the purchased item for himself or others. In the case cited above, the supervisor took building materials and supplies. How does this differ from those frauds where employees steal supplies and other materials? On first glance, the schemes appear very similar. In fact, the perpetrator of a purchases fraud is stealing inventory just as s/he would in any other-inventory theft scheme. Nevertheless, the heart of the scheme is not the taking of the inventory but the purchasing of the inventory. In other words, when an employee steals merchandise from a warehouse, s/he is stealing an asset that the company needs, an asset that it has on hand for a particular reason. The harm to the victim company is not only the cost of the asset, but the loss of the asset itself. In a purchasing scheme, on the other hand, the asset which is taken is superfluous. The perpetrator causes the victim company to order and pay for an asset which it does not really need in the course of business, so the only damage to the victim company is the money lost in purchasing the particular item. This is why purchasing schemes are categorized as invoice frauds.

Most of the employees identified by the ACFE as undertaking purchase schemes do so by running unsanctioned invoices through the accounts payable system. The fraudster buys an item and submits the bill to his employer as if it represented a purchase on behalf of the company. The goal is to have the company pay the invoice. Obviously, the invoice which the employee submits to his company is not legitimate. The main hurdle for a fraudster to overcome, therefore, is to avoid scrutiny of the invalid invoice and to obtain authorization for the bill to be paid.

As in the many cases of shell company related schemes we’ve written about on this blog, the person who engages in a purchases scheme is often the very person in the company whose duties include authorizing purchases. Obviously, proper controls should preclude anyone from approving her own purchases. Such poorly separated functions leave little other than her conscience to dissuade an employee from fraud. Nevertheless, CFEs see many examples of small to medium sized companies in which this lapse in controls exists. As the ACFE continues to point out, fraud arises in part because of a perceived opportunity. An employee who sees that no one is reviewing his or her actions is more likely to turn to fraud than one who knows that her company applies due diligence in the attempt to detect all employee theft.

An example of how poor controls can lead to fraud was the case where a manager of a remote location of a large, publicly traded company was authorized to both order supplies and approve vendor invoices for payment. For over a year, the manager routinely added personal items and supplies for his own business to orders made on behalf of his employer. The orders often included a strange mix of items; technical supplies and home furnishings might, for instance, be purchased in the same order. Because the manager was in a position to approve his own purchases, he could get away with such blatantly obvious frauds. In addition to ordering personal items, the perpetrator changed the delivery address for certain supplies so that they would be delivered directly to his home or side business. This scheme cost the victim company approximately $300,000 in unnecessary purchases. In a similar case, an employee with complete control of purchasing and storing supplies for his department bought approximately $100,000 worth of unnecessary supplies using company funds. The employee authorized both the orders and the payments. The excess supplies were taken to the perpetrator’s home where he used them to manufacture a product for his own business. It should be obvious that not only do poor controls pave the way for fraud, a lack of oversight regarding the purchasing function can allow an employee to remove huge amounts from the company’s bottom line.

Not all fraudsters are free to approve their own purchases. Those who cannot must rely on other methods to get their personal bills paid by the company. The chief control document in many voucher systems is the purchase order. When an employee wants to buy goods or services, s/he submits a purchase requisition to a superior. If the purchase requisition is approved, a purchase order is sent to a vendor. A copy of this purchase order, retained in the voucher, tells accounts payable that the transaction has been approved. Later, when an invoice and receiving report corresponding to this purchase order are assembled, accounts payable will issue a check.

So in order to make their purchases appear authentic, some fraudsters generate false purchase orders. In one case, an employee forged the signature of a division controller on purchase orders. Thus the purchase orders appeared to be authentic and the employee was able to buy approximately $3,000 worth of goods at his company’s expense. In another instance, a part time employee at an educational institution obtained unused purchase order numbers and used them to order computer equipment under a fictitious name. The employee then intercepted the equipment as it arrived at the school and loaded the items into his car. Eventually, the employee began using fictitious purchase order numbers instead of real ones. The scheme came to light when the perpetrator inadvertently selected the name of a real vendor. After scrutinizing the documents, the school knew that it had been victimized. In the meantime, the employee had bought nearly $8,000 worth of unnecessary equipment.

Purchase orders can also be altered by employees who seek to obtain merchandise at their employer’s expense. In one instance, several individuals conspired to purchase over $2 million worth of materials for their personal use. The ringleader of the scheme was a low-level supervisor who had access to the computer system which controlled the requisition and receipt of materials. This supervisor entered the system and either initiated orders of materials that exceeded the needs of a particular project or altered existing orders to increase the amount of materials being requisitioned. Because the victim organization had poor controls, it did not compare completed work orders on projects to the amount of materials ordered for those projects. This allowed the inflated orders to go undetected.

Another way for an employee to get a false purchase approved is to misrepresent the nature of the purchase. In many companies, those with the power to authorize purchases are not always attentive to their duties. If a trusted subordinate vouches for an acquisition, for instance, busy supervisors often give rubber stamp approval to purchase requisitions. Additionally, employees sometimes misrepresent the nature of the items they are purchasing in order to pass a cursory review by their superiors.

Instead of running false invoices through accounts payable, some employees make personal purchases on company credit cards or running accounts with vendors. As with invoicing schemes, the key to getting away with a false credit card purchase is avoiding detection. Unlike invoicing schemes, however, prior approval for purchases is not required. An employee with a company credit card can buy an item merely by signing his or her name (or forging someone else’s) at the time of purchase. Later review of the credit card statement, however, may detect the fraudulent purchase.

As with invoicing schemes, those who committed the frauds were often in a position to approve their own purchases;, the same is often true with credit card schemes. A manager in one case, reviewed and approved his own credit card statements. This allowed him to make fraudulent purchases on the company card for approximately two years.

Finally, there is, the fraudster who buys items and then returns them for cash. A good example of such a scheme is that in which an employee made fraudulent gains from a business travel account. The employee’s scheme began by purchasing tickets for herself and her family through her company’s travel budget. Poor separation of duties allowed the fraudster to order the tickets, receive them, prepare claims for payments, and distribute checks. The only review of her activities was made by a busy and rather uninterested supervisor who approved the employee’s claims without requiring support documentation. Eventually, the employee’s scheme evolved. She began to purchase airline tickets and return them for their cash value. An employee of the travel agency assisted in the scheme by encoding the tickets as though the fraudster had paid for them herself. That caused the airlines to pay refunds directly to the fraudster rather than to her employer. In the course of two years, this employee embezzled over $100,000 through her purchases scheme.

Risk-Centric Fraud Prevention

A number of our certified Chapter members, currently practicing both independently and as corporate staff, report being asked to proactively assist in the establishment of first time internal fraud prevention programs by clients and employers. That this development is something new is borne out by recent articles in the trade press but, on a moment’s reflection, shouldn’t be surprising since CFEs are so uniquely qualified for the particular task.

At a time when an increasingly volatile stock environment, increased cases of cyber fraud, the pressure of globalization and a multitude of increased regulatory requirements are of major concern to all managements, risk assessment and fraud prevention really have to play an important role in ensuring that corporations are not exposed to unexpected and poorly controlled risks. Internal fraud prevention related activities need to be revisited with a focus not just on all these new business paradigms but also on stakeholders’ expectations, transparency, and accountability.

It just makes sense then that today’s environment also calls for greater collaboration and strong relationships between all types of assurance professionals with their clients at all levels to ensure an internal anti-fraud structure is in place (if one doesn’t presently exist) that facilitates a healthy, secure and transparent operating environment.

To facilitate the establishment of a risk-centric approach, today’s fraud prevention functions (new or presently existing) must continually revisit their methodologies, processes, and practices. CFEs can provide experienced insight and real-time value to their client organization by expanding their consulting efforts to facilitate a risk-centric approach, helping to establish the foundation for a more sophisticated and nimble tone at the top, and by focusing on increased collaboration and strategic engagement.

Fraud prevention efforts have been dominated for some time now by a control focused approach that is often reactive and regressive in actual practice in the face of today’s swiftly changing realities. Anti-fraud professionals today need to widen their proactive scope to address the growing governance threats and risk management needs of increasingly global organizations. This requires them to adopt a revised risk-centric approach that involves:

–Taking fraud prevention and business ethics from a compliance perspective to a cultural mind-set. Accurately assessing these risks requires more than just checking to see whether rules are being followed; practitioners must also try to ensure that the spirit of these rules is incorporated into activities at every level.

–Determining key business and fraud risks rather than casting a wide net over numerous risks, many of which may be remote or obscure; the concept of critical business process identification drawn from disaster recovery and continuous operations planning is especially relevant here.

–Identifying emerging risk issues and trends, such as changes in the regulatory environment (which are often wholly reactive), and bringing them to the attention of key stakeholders.

–Estimating the significance of each fraud risk and assessing its probability of occurrence based on a deeper understanding of the present sense conveyed by constantly shifting data and as sometimes pinpointed by sophisticated statistical analysis.

–Identifying programs and controls designed to more sensitively detect and address risk and by concurrent testing of their effectiveness in real-time.

–Coordinating with the other critical risk and control related business processes, such as compliance, risk management, fiscal control, and legal, to ensure that fraud risks are identified, controlled and managed appropriately.

To provide real strategic value to the organization, new and existing fraud prevention practitioners need to help develop risk-based action plans that respond to their present state of risk assessment awareness and which focus on stakeholder expectations. Internal anti-fraud plans should incorporate risk identification and prioritization, as well as analysis and quantification of risk factors particularly in the new business ventures and strategies so characteristic of today’s volatile environment. Such planning should also reflect an understanding of shared risks among various projects and initiatives, and feature continuous monitoring of business activities and key performance indicators.

In the present cyber-threat laden environment the internal fraud prevention business process has to move from being just another routine and disconnected function to being a fulcrum of organizational governance and risk, working in concert with management, the board, and external auditors. Top management can establish the fraud prevention function’s role by:

–Allowing senior fraud examiners and investigators exposure to security information presently associated with key management and governance committees;
–Championing the importance of ethical conduct, fraud identification and fraud prevention consistently.
–Taking immediate and proactive action on fraud examination and investigative findings regardless of whatever level of the organization suspected perpetrators are identified.
–Holding senior executives accountable for identified instances of fraud, waste and abuse in business processes over which they exercise management oversight.
–Supporting the management of the fraud prevention function when its findings and recommendations to improve security prove politically unpopular.
–Defining fraud prevention’s role and management’s expectations.
–Providing appropriate funding, talent and authority to the function.

The ACFE has long indicated that a strong tone at the top from senior management about the importance of a internal fraud prevention function goes a long way toward promoting the engagement of managers throughout the client organization.

For staff assigned to an internal fraud prevention plan to proactively review important business strategies successfully for fraud vulnerability, examiners need to collaborate with management. In addition to providing assurance on compliance initiatives, examiners should develop a forward-looking approach to their assessment planning in which they cooperate and coordinate with related risk and control functions, focus on critical business risks and exposures, and determine the relevance and effectiveness of gathered executive responses to help an organization manage fraud risk proactively. To be forward-looking, fraud prevention professionals need to be fully integrated into the strategic planning process so that they can clearly identify which fraud related risks the organization will be undertaking. They also must be involved with the business in evaluating problems that come to light to determine whether they are the result of control weaknesses that could also emerge in other parts of the organization.

To identify and analyze rapidly emerging risks, direct resources toward areas of greatest risk, and conduct targeted, real-time investigations in response to specific, predicated risks, examiners must leverage technology, learn new skills, and work with management to understand and clarify their evolving expanded role.

To assess the new emerging risks effectively, fraud prevention professionals must develop a deeper understanding of the client business and of the processes that make competitors in the client’s industry successful. An effective fraud prevention activity that can deal with contemporary business risks and meet the ever-increasing demands of management and stakeholders requires a solid staffing strategy. As CFEs we must help spread the word that our client organizations need to invest in skilled resources, methods, training, career paths, and technical infrastructure to deal with increasing cyber-related business risks related to fraud, their internal controls, and government imposed regulations. When staffing a fraud prevention function, top management should:

–Establish a program for selecting and developing the fraud prevention team.
–Identify the skills and expertise required for an effective anti-fraud business process; the ACFE’s guidance and training programs are an invaluable resource to any organization contemplating a new fraud prevention function or looking to strengthen an existing one.
–Assess existing resources to identify staffing gaps.
–Identify and create key performance indicators for deploying fraud prevention and investigatory resources.
–Co-source or outsource internal fraud prevention activities, based on an assessment of current resources, budget, and strategic and tactical requirements.

Acquiring new skills through ACFE training can enable internally focused examiners to direct resources to those techniques that are the most effective in identifying risks to the organization. Especially important is the need to develop deep expertise in specialties such as credit, IT, finance, compliance, and cyber. In addition, investigators and examiners will have to be trained to approach their work strategically, beginning with a detailed understanding of where its owners and stakeholders view where the client business has been and where it is going.

In summary, progressive internal fraud prevention and investigation functions need to partner with their client organization’s risk management function to gain comprehensive visibility into enterprise-wide risks and to support performance of automation supported follow-on risk assessments that can help prevent fraud vulnerability issues from turning into fraud events. Such insight into the organization’s risk profile allows internal investigative professionals to deliver more strategic value by focusing their proactive fraud risk evaluation efforts on areas that represent the greatest risk to the organization as well as proactively anticipating where emerging fraud risk issues are most likely to cause problems. In addition, leveraging the activities performed by the client’s risk management function can lower fraud prevention’s overall cost of operation.

The Man in the Mirror

I readily confess I would not have won any awards for effective delegation during my early years as a fraud examiner/information systems audit professional. To my mind the buck stopped with the guy in the mirror I saw shaving every morning. I prided myself on being personally capable of performing every routine task of every assignment involved in whatever function I was managing at the time. What finally weaned me from the practice of doing it all myself was the threat of burn-out and the seemingly ever-increasing demands of a typical work week of seventy hours.

The demands of managing in an assurance environment featuring risk assessments, regulatory compliance, fraud investigations, corporate governance, and engagement quality control can be crushing for any new (or not so new) manager but especially so for those unwilling or who simply lack the skills to adequately delegate; those skills usually only come with experience.

While some new to assurance or investigative management may think delegating simply means passing off work to subordinates, the lines of delegation also can occur laterally to peers and upward to superiors. The distinction is important, because in delegating to subordinates, one of the goals is to achieve long term investigative team development. This goal comes with a shift in emphasis from managing to leading. Managing is about getting the work done, whereas leading fosters learning, growth, and a greater sense of responsibility among individual members of the your team.

According to the ACFE, the first step to successful delegation within examination work is recognizing when to let go rather than trying to do too much. For CFEs new to leadership responsibilities, a willingness to delegate can be challenging. CFEs typically advance to management positions as a result of their individual achievements and performance. This advancement fosters a sense that the person best suited to accomplish a given task is the one whose already done it satisfactorily, but that is not the way leaders should think. Even though an assurance professional has advanced to a management position based on past accomplishments, he or she needs to take a broader view of what is in the long term interest of her function group and/or organization. A conscious commitment to delegation can enable the individual manager to not only increase their personal productivity but also (and here I speak from personal experience) gain better control of their lives and, hence, prevent burnout.

An honest self-examination is a precursor to delegation. CFEs and other assurance professionals in a management position need to understand their capabilities and role(s) within the organization. One way to do this is by considering their vision for and the needs of the organization. Then, what are the assurance function’s immediate and long-term goals, including capabilities and developmental needs? Realizing that trusting others, not just one self, to do a high quality job is a personal decision and there can be many barriers to it. What is the nature of your own personal career goals and your priorities for work-life balance? A periodic, wholly candid assessment of these and similar issues can give any manager a better perspective on his or her motives in relation to delegating.

Delegating is more than just shoving work on someone who possesses the skill set to fit the task. Rather, delegating is an opportunity to cultivate members of the investigative team by increasing the number of people who are capable of taking on a bigger role, which can help strengthen the team and create a succession plan in the event of unexpected personnel turnover. How often have we all been witness to the chaos which can ensure when a key staff member leaves and no-one has been groomed to fill her place?

To the extent possible, an new staff CFE should be matched strategically with an assignment that is a bit above his or her head as a way of providing a positive learning experience. Delegating with career development in mind means managers will need to resist playing the role of lifeguard. Subordinates will struggle at times, but managers shouldn’t be too quick to act as helicopter parents and come to the rescue. Instead, managers should remain confident in the basic capabilities of their staff and allow reasonable time for learning and growth, which enables the team to gain experience and add more value to the organization.

Knowing whether a particular assignment is within an examiner’s potential capabilities and can enable him or her to grow professionally, however, is often not an easy task. As managers delegate assignments, they should consider not limiting assignments only to those areas in which an investigator has had prior experience. Also, managers need to avoid the tendency toward primarily delegating interesting or important assignments to the most favored team members; managers should groom everyone on the team not just the superstars; it’s the superstars who are, let’s face it, the most desirable targets for external recruiters. The same is true for undesirable assignments; managers also should spread those among the whole team, which can demonstrate that everyone is treated fairly. A thoughtful delegating process helps keep the assurance team challenged and motivated, thereby reducing the likelihood of losing promising but insufficiently challenged staff members.

Initial parameters need to be established to prevent misunderstandings, deficient productivity, or delays in the timely completion of examinations. All parties involved should have a clear understanding of the delegated assignment and of expectations. However, managers should refrain from giving excessively detailed instructions. Successful delegating does not mean micromanaging anyone. Instead, managers should consider focusing on discussing the objectives, scope, and outcomes of the assignment. When examiners are allowed the flexibility and freedom to perform their work, they not only learn more but also may show considerable ingenuity. Managing CFEs can foster an environment of participative management by encouraging input from subordinates toward refining the plans, expectations, and deadlines, as well as emphasize how the present investigation fits into the larger scheme. When a team member sees the whole process rather than only a part, he or she is less likely to miss a critical matter and may become more motivated to deliver a quality product.

The ACFE recommends that the CFE engagement manager should give his or her subordinates authority to operationally pursue their assignment and to make decisions as they see fit. Delegating the authority is no less important than assigning the responsibility for a task. In the absence of conferring an appropriate level of authority, the team member’s performance could be undercut. Also, examination managers should keep an open mind by welcoming new ideas, innovative suggestions, and alternative proposals from others. Nothing is more motivating for a subordinate than to realize that he or she has a significant ownership stake in the results. This is another reason why managers should delegate as much of an entire assignment, rather than a small portion, as possible. Doing so can help instill a sense of importance and self-esteem for the staff investigator no matter what the number of years of their experience.

Communication is an essential element of successful delegating, and regular updates about progress, results, and deadlines should occur weekly, or sometimes daily, depending on the staff member’s level of experience and the type of assignment. Meetings can be conducted face-to-face, by phone, or through videoconferencing and do not always have to be long to be effective.

As managers check on progress, they should be supportive rather than intrusive and avoid putting a subordinate on the defensive by being too critical. Managers also should allow for communication flexibility by encouraging more immediate contact between progress meetings in the event a matter requiring urgent attention unexpectedly develops.

Any significant delegated assignment should culminate with a constructive evaluation of the subordinate’s performance. Often, there is a tendency to view the simple act of delegation itself as work done. As an old colleague of mine used to say, “A task delegated is a task completed.” Even in a case where the smaller scope of a subordinate’s assignment does not merit an exit session, it is still a boost for team morale to give recognition and show gratitude for the work done.

I have never met an experienced (and successful) CFE investigation team leader who did not embrace the role and significance of delegating. However, the ability to delegate depends on trust, communication, and encouragement. When delegating, assurance managers need to accept the risk that mistakes can and will occur and remember that professionals can learn from their mistakes. Not only is valuable experience gained by the investigative team, but the manager’s time also is freed up for more critical tasks and projects. In the long run, a commitment to delegation serves to strengthen any team of investigators as well as benefit our client organization, whatever and wherever that might be.