When developing a fraud control system, it is very difficult to know what to protect and how to protect it if one does not first perform a risk assessment to see where the risks lie in the entity (except for a fraud that has already occurred!). That would include the assets with the most risk, the fraud schemes most likely to occur, related red flags, and the residual risk considering what controls are in place to mitigate the risks present. Fraud prevention and risk assessment both deserve a thorough discussion, so they are separated in this book.
The goal of any antifraud programme is to prevent fraud, not just detect it. Detection is inevitably tied to prevention, and the two together provide the system of antifraud controls. This unit presents the components of a successful antifraud control system.
Prevention Environment
A key to successful fraud prevention is to look at the entity's culture and try to change it, if necessary. Some activities and attitudes can help in achieving this goal. The important prevention elements that are discussed next are generally applied to an entity, and not necessarily directed toward a specific fraud.
Corporate Governance Structure
Research had shown that weak corporate governance was associated with all of the major financial frauds. For instance, the COSO Landmark Study (1998) studied 200 of the 300 fraud cases handled by the Securities and Exchange Commission (SEC) from 1987 to 1997. The researchers found a distinctive pattern of weak boards for those entities investigated. Seventy-two percent of the cases identified the chief executive officer (CEO), and 43 percent named the chief financial officer (CFO) as being involved with the fraud. In addition, according to Wheel, Deal and Steal, the vast majority of the boards are chaired by a former or current CEO.
Weaknesses from the report were summarized as follows:
Board members who were not independent
Board dominated by insiders
Board members with significant equity holdings
Board members with little board experience
Boards and audit committees that did not meet
Audit committee members who knew little about finances or auditing
No audit committee
Audit committee did not meet
Top executives involved in the frauds
From the weaknesses listed here, the basic elements of governance are clear .For instance, audit committees are responsible for implementing an anonymous tips and complaints system and a whistleblower system. In summary, good corporate governance includes active, qualified, and independent members of the board and especially the audit committee.
Tone at the Top
Regardless of the corporate governance structure, management's style sets the tone for the organization. Although it is a worn-out phrase, sometimes ignored, often misused, the tone at the top is still a key to preventing fraud. If one reviews the major scandals of recent years, in almost every case, an executive was involved. That executive typically mistrusted people and kept as much of the financial affairs as possible secreted away from auditors. Thus there was clearly no antifraud tone at the top in Enron, WorldCom, Tyco, and others. If key managers, and the board of directors where it exists, continually talk about fraud, communicate fraud policies, and encourage everyone to be involved in preventing and detecting fraud, then the entity eventually will develop an antifraud culture. Without the emphasis and support of key management, it is almost impossible to have such a culture.
Realistic Financial Goals
Another common element of the major frauds was the overoptimistic goals set for corporate performance. In financial frauds of the past, almost every goal and strategy of the entity revolved around increasing profits to an abnormal level for that industry and/or that entity. If the entity's leaders, especially the board, can avoid setting unrealistic financial goals, there will be less pressure on the executives to cut corners to reach those financial goals. Balancing those goals with any negative impact they might have is a delicate task. As discussed, one of the legs of the fraud triangle is pressure (motivation), and unrealistic financial goals automatically create this leg. Management can always override controls or collude at some level, which is a second leg of the fraud triangle-opportunity. That situation means only the executive's ethics (rationalization-the third and final leg) will prevent that executive from committing a financial fraud, if unrealistic performance goals exist.
Policies and Procedures
Policies define entity objectives and principles, while procedures define actions the entity takes to ensure objectives are achieved. Policies and procedures document the actions and transactions determined to be unethical, as well as how violations will be treated. Therefore, the foundation for an antifraud culture and environment for any entity serious about preventing fraud is a fraud policy and carefully crafted procedures based on policy. SOX essentially requires publicly-traded companies to have an ethics policy. Companies without a written ethics policy must state so in their 10-K forms and explain why they do not have one. A fraud policy becomes the source document for developing fraud prevention measures, actions to detect fraud, and actions in response to a fraud, and thus influence the effectiveness of an antifraud culture or climate.
To have an effective antifraud culture, an entity should have policies and procedures that:
Define frauds
Describe publication and communication of policy
Describe implementation of controls for antifraud
Describe training
Describe proactive fraud audit measures
Describe testing of antifraud controls
Define investigation policies and procedures
Describe actions taken in fraud audit
Describe the analysis of evidence
Describe resolutions to frauds
Describe incident reporting procedures
But the creation of a written ethics or fraud policy is insufficient by itself. Effective systems include a means of communicating that policy adequately to all involved. An example would be to include ethics and fraud in employee orientation programmes. Crucial to the success of the policy is a monitoring and compliance system. In research conducted on frauds and cooperatives, it was found when all three-policy, communication, and compliance-are present, fraud instances were statistically significantly less than any other situation.
Only about one-tenth of the entities with an ethics policy had any compliance mechanism in place. Ethics policies can be based on values or principles. Instead of a detailed list of policies and procedures, a handful of values are selected as symbolic of the entity. With this approach, employees must buy into the values, which must be engrained in the culture and reinforced by actions. Importantly, entities must consider the human element of the organization's culture. Although a myriad of factors influence culture, some are more important than others. The people are a large component of culture. Building an antifraud culture that fits the people, the business operations, and the organization as a whole will ensure that fraud is mitigated to the degree possible.
Perception of Detection
Antifraud professionals agree that perception of detection is at the top of the list of fraud prevention measures. In fact, based on years of law enforcement and criminal justice experience, crime experts say the best deterrent to crime, including fraud, is the perception of detection. Because white-collar criminals who commit fraud tend to have some personal code of ethics, this technique is even more effective in preventing fraud than it is for ''street'' crimes. The fear of jail, humiliation, or loss of family ties is enough of a deterrent for many potential fraudsters to cause them to stop, think, and decide it is not worth the total cost. The best thing any entity can do to minimize fraud is to find a cost-beneficial way to increase the perception of detection. Some ways to increase the perception of detection include:
Surveillance
Anonymous tips
Surprise audits
Prosecution
Enforcement of ethics and fraud policies
Catch me if you can!
Surveillance
In those places where assets are at high risk, such as mailrooms where mail that contains checks and/or cash is opened, surveillance cameras or other surveillance methods can be a good perception of detection method. If surveillance is going to be employed as a countermeasure against fraud, it is best to announce it to the world that it is in place. One must make sure to monitor the surveillance in such a way that people will believe someone is actually following up on suspicious activities. Unethical employees will test the effectiveness of surveillance to see if it is really monitored and used by someone to actually follow up on suspicious activities. It is possible to use ''dead'' or fake cameras but only in conjunction with live cameras with monitoring and expeditious follow-up.
Anonymous Tips
Tips have been shown to be the best method to date in detecting frauds. However, they are also a prevention measure. The reason is simple. If employees know there is an anonymous tips system and anyone who sees something suspicious can turn them in, then it begins to serve as a perception-of-detection preventive measure. Best practices for anonymous tip programmes include appropriate involvement of management, independent handling of complaints by a third party, and using multiple communication methods (phone, letter, email, etc.). Above all, make it easy, convenient, and comfortable for employees to provide a tip.
Surprise Audits
Internal audit is the highest-ranked proactive method of detection (per the Association of Certified Fraud Examiners [ACFE] Report to the Nation [RTTN] statistics). But surprise audits by either the internal audit function or hired fraud auditors are even more effective. Not only can these audits serve a similar purpose in detecting frauds (which can then be considered for further preventive measures), but the fact the surprise audit was unannounced can create a perception of detection. Fraudsters do not know when the fraud auditor is going to show up, so they cannot prepare to fool the auditor. In fact, in at least one fraud, a fake announcement of a surprise audit (the internal auditor was attempting to play a joke) caused the manager of the business unit to confess to a fraud.
Prosecution
Enormous benefits can be gained by prosecuting fraudsters to the maximum extent of the law. It is true that there is some downside risk in a public trial, and even some risk that the prosecuting agency may fail to do its job effectively. But the upside is not merely obtaining justice for the single incident and justice for the fraudster. Prosecuting someone sends a strong message about perception of detection: If one commits a fraud and gets caught, this entity is going to seek prosecution and perhaps imprisonment. Most experts agree that prosecution is key to maintaining an effective level of perception of detection.
Enforcement of Ethics and Fraud Policies
The same philosophy is true for compliance with fraud policy, ethics policy, and corporate policy in handling frauds. An entity should have determined beforehand what it would do if a fraud occurred; in particular, what penalties would be meted out for what kinds of frauds and levels of fraud. Then the entity would need to make sure to monitor and follow through with its stated penalties for fraud. Failure to follow its own guidelines for punishment of frauds is worse than having no fraud policy at all. It is emotionally difficult to make these kinds of decisions ad hoc after a fraud has occurred, and those emotions may inhibit the best decision.
Catch Me If You Can!
Oddly enough, perhaps the greatest perception of a detection measure is to catch a fraudster, prosecute him, and highly publicize what has been done. A recently busted fraudster can significantly increase the perception of detection, as it serves as a living example and reminder that this entity is serious, capable of detecting frauds, and willing to prosecute. Additionally, rewarding employees who contribute to detecting fraud contributes to an antifraud culture.
Classic Approaches
A review of the classic approaches to the reduction of employee theft, fraud, and embezzlement is helpful in developing an effective fraud prevention and control program. Here are the classics:
Directive approach. The directive approach is confrontational and authoritative. It says: ''don't steal. If you do, and we catch you, you'll be fired.''
When an entity does little or nothing to prevent fraud, it is probably taking this approach. If a fraud did occur and was detected, management would probably fire the employee-and probably would not prosecute the fraudster. Management probably also would be shocked that someone would perpetrate a fraud against the entity.
Preventive approach. In the preventive approach, potential fraudsters are screened out using various means, including background checks for criminal records and credit reports. Internal controls can be used in the preventive approach. Namely, segregation of duties can mitigate the risk of fraud at least to the point where management must override controls or persons must collude to commit fraud, which are always possibilities.
Detective approach. In the detective approach, management sets up accounting controls and an internal audit function to monitor potential frauds. The internal audit function periodically verifies the legitimacy of transactions and confirms the existence of assets. Between the periodic audits, management depends on the accounting controls to detect any fraud that might occur.
Observation approach. The observation approach relies on physical observation of assets and employees. Management monitors employee conduct for suspicious behaviors or activities. The level of stocks of valuable and portable goods is also monitored in person or by other means, such as cameras. The goods include valuable and portable inventory, cash, and other such assets.
Investigative approach. Based on investigative results, the investigative approach follows up on discrepancies. For example, the entity would follow up on allegations of theft. For unfavorable, or certain favorable, variances in inventory, goods, materials, supplies, and product costs, the entity would follow up to determine the nature and extent of the loss and who the likely culprits might be.
Insurance approach. This approach depends on adequate insurance coverage to cover losses that might occur due to a fraud. Although this approach clearly does not reduce employee theft, it does soften the financial blow when fraudulent losses occur.
Other Prevention Measures
Outside of the general (environmental, cultural, and corporate) prevention measures, specific prevention measures can be employed to minimize fraud. The key employees-those who have control or access over valuable and portable assets such as cash or checks-need to be the object of prevention measures and fraud countermeasures. An entity should consider the appropriate prevention measures that would hold these employees accountable for handling valued assets.
Background Checks
One potentially effective prevention measure is to use background checks for key employees. Although a background check can reveal potential problems, it is not a 100 percent effective means of identifying potential fraudsters and not always cost effective for all employees. A background check could reveal a criminal record and/or high debt. Either of them could be justification not to hire the person. The high debt is evidence that the pressure (economic or financial pressure in this case) leg of the fraud triangle is already present. The criminal record shows the history of committing crimes before and willingness to perpetrate a fraud (relates to rationalization).
However, according to the ACFE 2008 RTTN, only 7 percent of fraud perpetrators in the study had prior convictions, and only 12 percent had been previously terminated by an employer for fraud-related conduct. Another related, simple, and sometimes overlooked measure is calling potential employee's references. There have been instances noted where a fraudster made a mistake in the references or confidently assumed no one would check and a single, simple phone call had a big impact on the hiring decision.
Regular Audits
The fact that auditors are coming around on a regular basis can serve as a prevention measure. Though by nature regular audits are detective, they could increase the perception of detection and thus serve as a prevention measure. However, if the auditors use some effective audit tools and techniques to look for ongoing fraud aggressively, that would serve as a prevention measure. A key to the effectiveness of regular fraud audits is to identify, review, and analyse anomalies.
In at least a couple of the major financial frauds of recent years, the internal audit function was crippled and not allowed to do anything serious with financial information, but kept busy with other kinds of audits. The CEOs for those companies were taking no chances that some diligent internal auditor might stumble across their scams. That happened where one internal auditor came in late at night and secretly examined financial records to which she was not allowed access during the day by the senior executives. Eventually, she uncovered the financial fraud and exposed the fraudster CEO.
In a separate instance, a small university newspaper office in USA had one accountant who did all of the accounting. A retired accounting professor was conducting regular audits of the newspaper accounts. In April of a certain year, the retired professor notified the university president that this year would be his last audit. He suggested that the president find a replacement or put an internal audit function into place. Up until this time, the university did not have an internal audit function. In mid-October, a university VP got a call from the newspaper printing vendor. The vendor representative said the company was not going to print the next issue of the university newspaper because it had not been paid in some time. The VP checked into the records and found the accounting clerk had stolen thousands of dollars. Oddly enough, she began to steal in May of that year. Clearly the regular audit had served as a perception-of-detection measure for her, but once removed, she was able to rationalize the fraud.
Internal Controls
The fraud triangle includes opportunity, which is basically a synonym for internal controls. Of the three legs, a fraud auditor or professional has little if any ability to affect pressure or rationalization, though management can create a positively influencing environment for those aspects. Pressure and rationalization aspects happen predominantly in one's mind and can be difficult to observe directly. Specific control activities can restrict the opportunity to commit fraud and are more easily observed. Thus the control environment, specifically antifraud control activities, can act as preventive fraud measures. Historically, the most common flaw with regards to fraud in control activities (aligned with corporate governance as discussed earlier) is inadequate and unmonitored segregation of duties. Other internal controls include:
Proper authorization procedures
Adequate documentation, records, and audit trail
Physical control over assets and records
Independent checks on performance
Monitoring of controls
Invigilation
A variation of surveillance is invigilation. In invigilation, the fraud auditor creates a pristine environment that should be fraud-free. That is, it is a high profile, well-staffed fraud audit. Because employees will be very careful to not commit fraudulent activities during such a time, the invigilation serves as a benchmark of what the entity should be earning in revenues. By analyzing the revenues during the invigilation against other time periods, a fraud auditor can determine if frauds are occurring regularly outside the invigilation.
Invigilation is particularly useful for off-the-books frauds for which normal detective methods are fairly useless. Invigilation provides a benchmark to verify existing revenues, for example, and enables management to determine whether skimming or some other off-the-book scheme appears to have been perpetrated.
Accounting Cycles
One way to address prevention measures is to examine the accounting business processes in their natural cycles. Considering some of the common characteristics of frauds in these areas is a way to develop effective prevention measures therein. Here we present a few examples to illustrate preventive measures that might be affected.
Generalizations
First, it should be noted how accounting transactions and cycles are specific to any given organization. The specificity can be due to the industry, strategy, size, culture, organizational structure, capital structure, and various other factors. The important fact to glean from this is that to prevent or detect fraud, one must understand the underlying processes and the situational environment. No frauds occur within a vacuum.
Organizational size is one of the most important factors to consider in fraud control. Size greatly impacts segregation of duties, a critical area to fraud prevention and detection. Size is also a factor when it comes to the type and amount of fraud committed .Size is a factor when it comes to the control method; large organizations are innately more complex, and therefore more difficult to control in most aspects, but have more control resources to expend. The opposite is true for smaller organizations. This generalization does not always hold true. For example, segregation of duties is hard to implement in small organizations as a preventive control but is easier to detect as the organizational structure is generally much thinner and more tightly connected. Again, the critical point here is to understand the organizational context and the fraud environment factors at hand.
Although each organization's accounting transactions and cycles differ, on some level they are the same. Only a handful of basic accounting cycles exist. Though fraudulent transactions therein take on many forms, their substance is the same.
Sales Cycle
One common scheme in the sales cycle is lapping. For a person to carry on a lapping scheme for an extended period of time, she cannot afford to take more than a day or so at a time off work. Two possible prevention measures for lapping are: (1) forced rotation of duties and (2) forced taking of vacation. Segregation of duties can help prevent frauds such as larceny and write-off schemes. In many cases, a simple independent authorization step needs to be added to the business process.
Purchases Cycle
In the purchases cycle, the highest percentage of frauds revolve around fraudulent disbursements. One common fraud is a shell company. To perpetrate this fraud, a party needs to add vendors to the authorized list. Again, many fraud schemes could be stymied by segregation of duties, often a simple independent authorization step. This measure should help prevent check tampering, false voids, and false refunds, for example. Transactions with related parties, both in prevention and detection controls, should be carefully scrutinized, as this situation is another common area for fraud in disbursements.
Payroll Cycle
In the payroll cycle, common schemes to consider include ghost employees. An independent party could be used to add employees to the authorized payroll file. Another prevention method is to cross-check payroll against human resource (HR) records periodically. A ghost employee will be in the payroll but not the HR file. Forced rotation of duties and vacations in the payroll manager area is probably a good prevention measure as well. Another critical point is the attention to people in and associated with the organization. HR, of course, is highly focused on getting the right people and, after all, people commit fraud. A thorough hiring process can be an effective fraud prevention technique.
Fraud response
The three basic phases of an antifraud programme are prevention, detection, and response.
The response phase is necessary if a fraud is detected. Because an entity clearly wants to detect all frauds committed against it, management should think about what its response would be before a fraud actually occurs. Chronologically, this phase is likely to be the first or second (a fraud risk assessment may precede this step ;) to be performed in terms of planning and developing policies and procedures for an antifraud programme.
Fraud Policy
Most likely, the best place to begin developing an effective fraud response is to develop an appropriate fraud policy. There are numerous reasons why this step should occur before a fraud ever occurs, and before developing specifics in an antifraud program, which will be brought out later. There are several issues to consider addressing when crafting the fraud policy. First, a proper definition of fraud is important.
For instance, if an employee ''borrowed'' the employer's digital camera, makes pictures of his/her personal property, uses the entity's computers to set up an account at ebay.com, and to manage that account to sell his/her stuff, and does so on company time-is that a fraud? A judge or jury, absent a fraud definition agreed to by the parties, may struggle with the belief that it is a fraud. But if the entity had used the Association of Certified Fraud Examiners (ACFE) definition, built it into its fraud policy, and had employees sign a copy indicating their agreement to adhere to that policy, there would be much less doubt in a courtroom about the definition of a fraud in that case. The same could be said about employees ''borrowing'' heavy equipment (e.g., backhoe) for the weekend to do some work for themselves or friends because it is not being used until next Monday. So the entity should determine what actions it would consider fraud and carefully craft a definition as a key part of the fraud policy.
Issues to consider in defining fraud would include:
Any dishonest or fraudulent act
Violation of fiduciary responsibilities
Misappropriation of funds, securities, supplies, or other entity assets
Unauthorized use of the entity's assets; such as equipment for personal use, or computers used for personal gain
Impropriety in the handling or reporting of money or financial transactions
Profiteering as a result of insider knowledge of entity activities
Disclosing confidential and proprietary information to outside parties
Disclosing to other persons securities activities engaged in or contemplated by the entity
Accepting or seeking anything of material value from contractors, vendors,
or persons providing services or materials to the entity. Exception: Gifts less
than $50 in value
Destruction, removal, or inappropriate use of records (paper or digital), furniture, fixtures, or equipment
Malicious activities directed at the entity's computers, systems, or technologies
Any violation of a relevant illegal act
Any similar or related irregularity
Management should include in the entity's policy how irregularities that are detected or suspected will be handled. The policy should stipulate who, what, where, when related to any tips, complaints, or whistle blowing, especially where such reports of suspicion should be reported. The policy should also discuss how to maintain the anonymity of tipsters. There should be some formal structure established to handle those reports and to make decisions on what to investigate, and how investigations will be handled. The policy should discuss how the entity will take care to avoid mistaken accusations, false accusations, or alerting suspects that an investigation has been undertaken. No information about the nature of any investigation or status of an investigation should be allowed except as authorized by management or required for legal reasons.
The policy should convey the need to maintain the appropriate level of confidentiality, especially the protection of the rights of innocent employees who might get accidentally swept into an investigation, including whistleblowers and tipsters.
Fraud Response Team
Once management has developed a formal structure for handling fraud on paper, it needs to identify people, positions, or units to be responsible for the different procedures stipulated in the fraud policy. The ACFE has provided a tool to assist this part of fraud response in what it refers to as a ''fraud policy decision
Fraud Response Team and SMEs
Legal/Litigation: prosecution, knowledge of potential effectual prosecutors, civil litigation
Legal/HR: legal termination of fraudster, legal issues in investigating an employee
Forensic accounting/CFE: fraud investigation, fraud/legal evidence, proper interviews
Digital forensics: data mining for evidence
Cyber forensics: evidence embedded in IT, hidden in IT, potential cyber sources of
evidence
Internal audit: support the investigation, evidence gathering, controls remediation
Public relations: avoid publicity, manage publicity, craft public responses to fraud
Executive management: manage all key decisions of the process and follow up
The team definitely needs an SME (subject Matter Expert) in forensic accounting and fraud investigation. Some people make the mistake of thinking a fraud audit is the same as a financial audit, and that expert financial auditors or internal auditors will be able to successfully audit for evidence and/or conduct a fraud investigation. Nothing can be further from the truth. The approach to a fraud audit is drastically different from a financial audit, and a CPA who is not trained or experienced in fraud investigations will be impaired in his or her ability to successfully conclude a fraud audit or investigation.
Clearly, executive management should be part of the response team. Senior management will need to be involved with the key decisions of the investigation, and will certainly want to follow up with some remediation activities to prevent fraud from happening to the entity again. One key duty of management would be to provide a strategic means to recover the monetary loss and assign responsibility of that process. However, in making the decision of who represents executive management, the entity should take into account the reality that a fraud, such as cooking the books in a financial statement fraud, could be perpetrated by a member of executive management.
Obviously, some of the team functions could be collapsed into one person who can perform multiple functions. For instance, it could be that internal legal counsel can handle litigation and HR legal issues. Also, the entity may find a person who is an SME in cyber forensics and digital forensics, or IA and digital forensics. The team could be constructed to collapse risk management with executive management. Some entities will not have all of the indicated units but the matrix is still valuable in providing a list of issues to review. It also demonstrates the need for segregation of certain activities where feasible.
Recovery
Part of the response phase is to recover monetary losses due to a fraud. The amount can not only be significant but difficult to recover. The latter is true because most often, the perpetrator has spent or hidden all or most of the ill gotten gain, and there is little to recover from the fraudster.
Recovery can be accomplished by business insurance/bonding, restitution agreements, or civil judgments. Obviously, the latter two are subject to many factors beyond the control of the entity that could impair the entity's ability to fully recover. Thus strategically, the most reliable recovery approach is some form of insurance or bonding of key employees.
Management needs to choose the insurance provider that fits its desires about fraud investigations. Some insurance companies require the client to turn over the fraud investigation to the insurance company and its forensic accounting team, causing the entity to lose control over most of the response to fraud process; that is, management can still work on remediation and termination of employee but loses the opportunity to pursue prosecution and civil litigation in this situation. Sometimes the insurance company chooses to pay off the obligation without any investigation. Thus the entity needs to find a fit of the terms of the provider, the amount of coverage, and management's intentions about fraud response. In fact, a good response plan probably includes both adequate insurance and aggressive litigation procedures in terms of recovery.
