While developing a fraud control process, it is extremely challenging to know what to protect and how to protect it, if one does not first of all carry out a risk evaluation to see where the risks lie in the organization (except for a fraud that has already occurred!). That would include the assets, the fraud schemes, related red flags, and the residual risk in view of what controls are in place to control the risks present. Fraud prevention and risk assessment both deserve a detailed debate, so they are separated in this book.
The aim of every antifraud programme is to prevent fraud, not just to detect it. Detection is certainly tied to prevention, and the two together provide the system of antifraud controls. This unit presents the components of a successful antifraud control system.
Prevention Environment
A key to effective fraud prevention is to understand the entity's culture and try to change it, if essential. Some happenings and approaches can help in achieving this goal. The important prevention elements that are discussed here are largely applied to an entity, and not essentially directed toward a particular fraud.
Corporate Governance Structure
Investigation had shown that weak corporate governance was related with all of the major financial frauds. For example, the COSO Landmark Study (1998) studied 200 of the 300 fraud cases investigated by the Securities and Exchange Commission (SEC) from 1987 to 1997. The investigators found a characteristic pattern of higher officers involvement in those entities investigated. Seventy-two percent of the cases identified the chief executive officer (CEO), and 43 percent named the chief financial officer (CFO) as being involved with the fraud. In addition, according to Wheel, Deal and Steal, the majority of the board is directed by a former or current CEO.
Flaws/weaknesses stated in report were summarized as follows:
Board members who were not self-regulating
Board members with significant fair play
Board controlled by insiders
Board members with less board experience
Audit committee members who knew slight about finances or auditing
Boards and audit committees that did not come across
Top directors involved in the frauds
No audit committee
From the weaknesses/flaws listed here, the basic features of governance are clear .For example, audit committees are responsible for employing an unspecified tips and complaints system and a whistleblower system. In summary, good corporate governance contains energetic, trained, and independent members of the board and especially the audit committee.
Tone at the Top
Irrespective of the corporate governance organization, management's style sets the quality for the organization. Even though it is an old saying, occasionally ignored, often misrepresented, the tone at the top is still a key to preventing fraud. If one reviews the major scandals of recent years, in almost every case, an executive was involved. That executive typically mistrusted people and kept as much of the financial affairs as possible concealed from auditors. Thus there was obviously no antifraud system at the top in Enron, WorldCom, Tyco, and others. If main managers, and the board of directors where it exists, continually talk about fraud, communicate fraud policies, and inspire everyone to be involved in preventing and detecting fraud, then the entity finally will develop an antifraud system. Without the stress and support of key management, it is almost difficult to have such a system.
Realistic Financial Goals
A common constituent of the major frauds was the exaggerated objectives set for corporate performance. In financial frauds of the past, almost every goal and policy of the entity revolved around increasing profits to an abnormal level for that industry and/or that entity. If the entity's leaders, particularly the board, can avoid setting impractical financial goals, there will be less pressure on the executives to reach those financial goals. Balancing those objectives with any negative influence is a delicate job.
As discussed, one of the legs of the fraud triangle is pressure (motivation), and impractical financial goals automatically make this leg. Management can always predominate controls or plan at some level, which is a second leg of the fraud triangle-opportunity. That situation means only the executive's ethics (rationalization-the third and final leg) will prevent that executive from committing a financial fraud, if impractical performance goals exist.
Procedures and Policies
Procedures define actions while Policies define entity objectives and principles; the entity takes actions to achieve the objectives. Policies and procedures document the actions and transactions determined to be corrupt, as well as how violations will be treated. Therefore, the groundwork for an antifraud system and environment for any entity serious about preventing fraud is a fraud policy and carefully constructed procedures based on policy. SOX essentially require publicly-traded companies to have a morals strategy. Companies without a written morals strategy must state so in their 10-K forms and explain why they do not have one. A fraud policy becomes the source document for developing fraud prevention procedures, actions to detect fraud, and actions in response to a fraud, and thus effect the efficacy of an antifraud system or environment.
To have an active antifraud system, an entity should have policies and procedures that:
Define frauds
Describe application of controls for antifraud
Describe publication and communication of policy
Describe training
Describe event reporting procedures
Describe testing of antifraud controls
Describe practical fraud audit measures
Define investigation policies and procedures
Describe the examination of evidence
Describe activities taken in fraud audit
Define resolutions to frauds
The establishment of a written moral principles or fraud policy is inadequate by itself. Effective systems include a means of communicating. An example would be to include moral values and fraud in employee orientation platforms. Important to the success of the policy is a checking and compliance system. In investigation directed on frauds and cooperatives, it was found when all three-policy, communication, and compliance-are present; fraud cases were statistically considerably less than any other situation.
Merely about one-tenth of the entities with a morals strategy had any compliance mechanism in place. Morals strategies can be based on values or principles. Instead of a detailed list of strategies and procedures, a few of values are selected as representative of the entity. With this method, employees must accept the values, which must be embedded in the culture and implemented by actions. Essentially, entities must consider the human element of the organization's system. Although a countless of factors influence system, some are more important than others. The people are a large component of system. Building an antifraud system that fits the people, the business operations, and the organization as a whole will ensure that fraud is controlled to the degree possible.
Perception of Detection
Perception of detection is a very important element of fraud prevention measures. In fact, based on years of law enforcement and criminal justice experience, crime experts say the best warning to crime, including fraud, is the perception of detection. Because white-collar criminals who commit fraud tend to have some personal code of ethics, this technique is even more effective in preventing fraud than it is for ''street'' crimes. The fear of jail, embarrassment, or loss of family bonds are the reasons for many potential fraudsters to cause them to stop, think, and decide it is not worth the total cost. The best thing any entity can do to minimize fraud is to find a cost-beneficial way to increase the perception of detection. Some techniques to increase the perception of detection comprise:
Surveillance
Anonymous tips
Surprise audits
Prosecution
Enforcement of ethics and fraud strategies
Catch me if you can!
Surveillance
Surveillance cameras or other surveillance methods can be a good perception of detection method in those places where assets are at high risk, such as mailrooms where mail that contains checks and/or cash is opened. If surveillance is going to be applied as a countermeasure against fraud, it is best to publicize it that it is in place. One must make sure to monitor the surveillance in such a way that people will believe someone is actually following up on doubtful activities. Unethical staffs will test the efficacy of surveillance to see if it is really monitored and used by someone to actually follow up on doubtful activities. It is possible to use ''dead'' or fake cameras but only in combination with live cameras with monitoring and efficient follow-up.
Anonymous Tips
Tips are the best method in detecting frauds. However, they are also a prevention measure. The reason is simple. If employees know there is an anonymous tips system and anyone who sees something doubtful can turn them in, then it begins to serve as a perception-of-detection preventive measure. Best practices for anonymous tip programmes include applicable involvement of management, independent handling of complaints by a third party, and using several communication methods (phone, letter, email, etc.). Above all, make it easy, useful, and comfortable for employees to provide a tip.
Surprise Audits
Internal audit is the top placed practical method of detection (per the Association of Certified Fraud Examiners [ACFE] Report to the Nation [RTTN] statistics). But surprise audits by either the internal audit function or appointed fraud auditors are even more effective. These audits serve a similar purpose in detecting frauds (which can then be considered for further preventive measures). The fact that surprise audit was unexpected can create a perception of detection. Fraudsters do not know when the fraud auditor is going to show up, so they cannot prepare to fool the auditor. In fact, in at least one fraud, a fake declaration of a surprise audit (the internal auditor was attempting to play a joke) caused the manager of the business unit to confess to a fraud.
Prosecution
A lot of benefits can be gained by prosecuting fraudsters to the maximum extent of the law. It is true that there is some disadvantage in a public trial, and even some risk that the prosecuting agency may fail to do its job successfully. But the benefit is not just obtaining justice for the single event and justice for the fraudster. Prosecuting someone sends a strong message about perception of detection: If one commits a fraud and gets caught, this entity is going to seek prosecution and perhaps detention. Most experts agree that prosecution is crucial to maintaining an active level of perception of detection.
Enforcement of Ethics and Fraud Policies
An entity should have determined in advance what it would do if a fraud occurred; in specific, what penalties would be stated for what kinds of frauds and levels of fraud. Then the entity would need to make sure to monitor and follow through with its stated penalties for fraud. Failure to follow its own guidelines for punishment of frauds is worse than having no fraud policy at all. It is emotionally difficult to make these kinds of decisions after a fraud has occurred, and those emotions may inhibit the best decision.
Catch Me If You Can!
The greatest perception of a detection measure is to catch a fraudster, prosecute him, and announce what has been done. A recently captured fraudster can considerably increase the perception of detection, as it serves as a living example and reminder that this entity is serious, capable of detecting frauds, and prepared to prosecute. Additionally, rewarding employees who contribute to detecting fraud contributes to an antifraud system.
Classic Approaches
An assessment of the classic approaches to the reduction of employee theft, fraud, and stealing is helpful in developing an effective fraud prevention and control program. Here are the examples of classics approaches:
Directive approach. The directive approach is aggressive and influential. It says: ''don't steal. If you do, and we catch you, you'll be dismissed.'' When an entity does little or nothing to prevent fraud, it is perhaps taking this approach. If a fraud did occur and was detected, management would probably dismiss the employee-and probably would not act against the fraudster. Management most likely would be shocked that someone would commit a fraud against the entity.
Preventive approach. In the preventive approach, potential fraudsters are identified using various methods, including background checks for criminal records and credit reports. Internal controls can be used in the preventive approach. Namely, assignment of duties can diminish the risk of fraud at least to the point where management must dominate controls or persons must connive to commit fraud, which are always possibilities.
Detective approach. In the detective approach, management sets up accounting controls and an internal audit function to screen potential frauds. The internal audit function periodically verifies the validity of transactions and confirms the existence of assets. Between the periodic audits, management depends on the accounting controls to detect any fraud that might occur.
Observation approach. The observation approach depends on physical observation of assets and staffs. Management observe employee conduct for suspicious behaviours or actions. The amount of stocks of valuable and transportable goods is also monitored in person or by other means, such as cameras. The goods include valuable and transferable inventory, cash, and other such assets.
Investigative approach. According to investigative results, the investigative approach follows up on inconsistencies. For example, the entity would follow up on claims of theft. For certain negative, or positive, alterations in inventory, goods, materials, purchases, and product costs, the entity would follow up to determine the nature and extent of the loss and who the likely criminals might be.
Insurance approach. This approach depends on adequate insurance coverage to cover losses that might occur due to a fraud. Even though this approach clearly does not reduce employee theft, it does moderate the financial shock when fraudulent losses occur.
Other Prevention Measures
Other than common (environmental, cultural, and corporate) prevention measures, specific prevention measures can be applied to minimize fraud. The key employees-those who have control or access over valuable and transferable assets such as cash or checks-need to be the object of prevention measures and fraud countermeasures. An entity should consider the suitable prevention measures that would hold these employees answerable for handling valued assets.
Background Checks
One very effective prevention measure is to use background checks for key employees. Although a background check can reveal potential problems, it is not a 100 percent effective means of identifying potential fraudsters and not always cost effective for all employees. A background check could disclose a criminal record and/or high debt. Either of them could be reasoning not to hire the person. The high debt is evidence that the pressure (economic or financial pressure in this case) leg of the fraud triangle is already present. The criminal record shows the history of committing crimes before and readiness to commit a fraud (relates to justification).
According to the ACFE 2008 RTTN, only 7 percent of fraud culprits in the study had previous criminal history, and only 12 percent had been previously terminated by an employer for fraud-related conduct. Another related, simple, and sometimes ignored measure is calling potential employee's references. There have been examples noted where a fraudster made a mistake in the references or confidently supposed no one would check and a single, simple phone call had a big influence on the appointment decision.
Regular Audits
The regular audit can serve as a prevention measure. However by nature regular audits are detective, they could increase the perception of detection and thus serve as a prevention measure. However, if the auditors use some effective audit tools and techniques to look for ongoing fraud violently, that would serve as a prevention measure. A key to the effectiveness of regular fraud audits is to identify, review, and analyse irregularities.
In a couple of the major financial frauds of recent years, the internal audit function was disabled and not allowed to do anything serious with financial information, but kept busy with other kinds of audits. The CEOs for those companies were taking no chances that some hard-working internal auditor might upset their scams. That happened where one internal auditor came in late at night and secretly examined financial records to which she was not allowed access during the day by the senior executives. Eventually, she disclosed the financial fraud and exposed the fraudster CEO.
In a separate occasion, a small university newspaper office in USA had one accountant who did all of the accounting. A retired accounting professor was conducting regular audits of the newspaper accounts. In April of a certain year, the retired professor informed the university president that this year would be his last audit. He recommended that the president find a replacement or put an internal audit function into place. Up until this time, the university did not have an internal audit function. In mid-October, a university VP got a call from the newspaper printing vendor. The vendor representative said the company was not going to print the next issue of the university newspaper because it had not been paid in some time. The VP checked into the records and found the accounting clerk had stolen thousands of dollars. Strangely enough, she began to steal in May of that year. Clearly the regular audit had served as a perception-of-detection measure for her, but once removed, she was able to justify the fraud.
Internal Controls
The fraud triangle consists of opportunity, which is basically an alternative expression for internal controls. Of the three legs, a fraud auditor or professional has little if any ability to affect pressure or justification, though management can create a positively influencing environment for those aspects. Pressure and justification aspects happen mostly in one's mind and can be difficult to observe directly. Specific control activities can restrict the chance to commit fraud and are more easily observed. Thus the control environment, specifically antifraud control activities, can act as preventive fraud measures. Factually, the most common error with regards to fraud in control activities (aligned with corporate governance as discussed earlier) is insufficient and unmonitored assignment of duties. Other internal controls include the followings:
Appropriate authorization procedures
Satisfactory documentation, records, and audit trail
Physical control on assets and records
Independent checks on performance
Checking of controls
Invigilation
A different form of surveillance is invigilation. In invigilation, the fraud auditor creates a perfect environment that should be fraud-free. That is, it is a high profile, well-staffed fraud audit. Because employees will be very careful to not commit fraudulent activities during such a time, the invigilation serves as a standard of what the entity should be earning in revenues. By analyzing the revenues during the invigilation against other time periods, a fraud auditor can determine if frauds are occurring regularly outside the invigilation.
Invigilation is mainly useful for off-the-books frauds for which normal detective methods are fairly useless. Invigilation provides a point of reference to verify existing revenues and enables management to determine whether skimming or some other off-the-book scheme appears to have been carried out.
Accounting Cycles
One way to implement prevention measures is to examine the accounting business processes in their natural cycles. Considering some of the common characteristics of frauds in these areas is a way to develop effective prevention measures. Here we present a few examples to illustrate preventive measures that might be affected.
Generalizations
First of all it should be noted how accounting transactions and cycles are specific to any given organization. The specificity can be due to the industry, strategy, size, culture, organizational structure, capital structure, and various other factors. The important fact to gather from this is that to prevent or detect fraud, one must understand the underlying processes and the situational environment. No frauds occur within an empty space.
Organizational size is one of the most important factors to consider in fraud control. Size greatly influences assignment of duties, a critical area to fraud prevention and detection. Size is also a factor when it comes to the type and amount of fraud committed .Size is a factor when it comes to the control method; large organizations are characteristically more complex, and therefore more difficult to control in most aspects, but have more control resources to expend. The opposite is true for smaller organizations. This generalization does not always hold true. For example, allotment of duties is hard to implement in small organizations as a preventive control but is easier to detect as the organizational structure is generally much thinner and more tightly connected. Again, the critical point here is to understand the organizational context and the fraud environment factors at hand.
Even though each organization's accounting transactions and cycles differ, on some level they are the same. Only a few of basic accounting cycles exist. Though fraudulent transactions take on many forms, their constituent is the same.
Sales Cycle
One common pattern in the sales cycle is lapping. For a person to carry on a lapping scheme for an extended period of time, she cannot afford to take more than a day or so at a time off work. Two possible prevention measures for lapping are:
(1) Forced rotation of duties
(2) Forced taking of vacation.
Assignment of duties can help prevent frauds such as stealing and write-off schemes. In many cases, a simple independent authorization step needs to be added to the business process.
Purchases Cycle
In the purchases cycle, the highest percentage of frauds revolves around fraudulent payments. One common fraud is a shell company. To commit this fraud, a party needs to add dealers to the authorized list. Again, many fraud schemes could be blocked by assignment of duties, often a simple independent authorization step. This measure should help to prevent unnecessary interfering, false voids, and false refunds. Transactions with related parties, both in prevention and detection controls, should be carefully inspected, as this situation is another common area for fraud in pay-outs.
Payroll Cycle
In the payroll cycle, common schemes to consider include ghost employees. An independent party could be used to add employees to the authorized payroll file. Another prevention method is to cross-check payroll against human resource (HR) records once in a while. A ghost employee will be in the payroll but not the HR file. Forced rotation of duties and vacations in the payroll manager area is possibly a good prevention measure as well. Another critical point is the attention to people in and associated with the organization. HR, of course, is highly focused on getting the right people and, after all, people commit fraud. A thorough hiring process can be an effective fraud prevention technique.
Fraud response
The three basic phases of an antifraud programme are;
Prevention
Detection
Response
The response phase is necessary if a fraud is detected. Because an entity clearly wants to detect all frauds committed against it, management should think about what its response would be before a fraud actually occurs. Chronologically, this phase is likely to be the first or second (a fraud risk assessment may precede this step ;) to be performed in terms of planning and developing policies and procedures for an antifraud programme.
Fraud Policy
Most likely, the best place to begin developing an effective fraud response is to develop a suitable fraud policy. There are numerous reasons why this step should occur before a fraud ever occurs, and before developing specifics in an antifraud program, which will be brought out later. There are several issues to consider addressing when creating the fraud policy. First, a proper definition of fraud is important.
For example, if an employee ''borrowed'' the employer's digital camera, makes pictures of his/her personal property, uses the entity's computers to set up an account at ebay.com, and to manage that account to sell his/her stuff, and does so on company time-is that a fraud? A judge or jury may struggle with the belief that it is a fraud. But if the entity had used the Association of Certified Fraud Examiners (ACFE) definition, built it into its fraud policy, and had employees sign a copy indicating their agreement to obey to that policy, there would be much less doubt in a courtroom about the definition of a fraud in that case.
The same could be said about employees ''borrowing'' heavy equipment (e.g., backhoe) for the weekend to do some work for themselves or friends because it is not being used until next Monday. So the entity should determine what actions it would consider fraud and carefully craft a definition as a key part of the fraud policy.
Issues to consider in defining fraud would include:
Any deceitful or fraudulent act
Violation of trustworthy responsibilities
Misuse of funds, securities, supplies, or other entity assets
Unofficial use of the entity's assets; such as equipment for personal use, or computers used for personal gain
Misstatements in the handling or reporting of money or financial transactions
Exploiting as a result of insider knowledge of entity activities
Disclosing confidential and exclusive information to outside parties
Revealing to other persons securities activities engaged in or considered by the entity
Accepting or looking for anything of material value from contractors, dealers, or persons providing services or materials to the entity. Exception: Gifts less than $50 in value
Destruction, removal, or inappropriate use of records (paper or digital), furniture, fixtures, or equipment
Harmful activities directed at the entity's computers, systems, or technologies
Any violation of a relevant illegal act
Any similar or related anomaly
Management should include in the entity's policy how irregularities that are detected or suspected will be handled. The policy should specify who, what, where, when related to any tips, complaints, or whistle blowing, especially where such reports of suspicion should be reported. The policy should also discuss how to maintain the secrecy of consultants. There should be some formal structure established to handle those reports and to make decisions on what to investigate, and how investigations will be handled. The policy should discuss how the entity will take care to avoid mistaken accusations, false accusations, or alerting suspects that an investigation has been undertaken. No information about the nature of any investigation or status of an investigation should be allowed except as authorized by management or required for legal reasons.
The policy should express the need to maintain the appropriate level of privacy, especially the protection of the rights of innocent employees who might get accidentally involved into an investigation, including informers and consultants.
Fraud Response Team
Once management has developed a formal structure for handling fraud on paper, it needs to identify people, positions, or units to be responsible for the different procedures specified in the fraud policy. The ACFE has provided a tool to assist this part of fraud response which is referred as a ''fraud policy decision".
Fraud Response Team and SMEs
Legal/Litigation: trials, knowledge of successful prosecutors, civil litigation
Legal/HR: legal termination of fraudster, legal issues in investigating an employee
Forensic accounting/CFE: fraud investigation, fraud/legal evidence, proper interviews
Digital forensics: data withdrawal for evidence
Cyber forensics: evidence inserted in IT, hidden in IT, potential cyber sources of evidence
Executive management: manage all important decisions of the process and follow up
Internal audit: support the investigation, evidence collecting, controls therapy
Public relations: avoid publicity, manage publicity, manage public responses to fraud
The team definitely needs an SME (subject Matter Expert) in forensic accounting and fraud investigation. Some people make the mistake of thinking a fraud audit is the same as a financial audit, and that expert financial auditors or internal auditors will be able to successfully audit for evidence and/or conduct a fraud investigation. Nothing can be further from the truth. The approach to a fraud audit is extremely different from a financial audit, and a CPA who is not trained or experienced in fraud investigations will be lacking in his or her capability to successfully conclude a fraud audit or investigation.
Obviously, executive management should be part of the response team. Senior management will need to be involved with the key decisions of the investigation, and will certainly want to follow up with some therapeutic activities to prevent fraud from happening to the entity again. One key duty of management would be to provide a calculated means to recover the financial loss and assign responsibility of that process. However, in making the decision of who represents executive management, the entity should take into account the reality that a fraud could be committed by a member of executive management.
Apparently, some of the team functions could be shrunken into one person who can perform multiple functions. For example, it could be that internal legal counsel can handle legal actions and HR legal issues. Also, the entity may find a person who is an SME in cyber forensics and digital forensics, or IA and digital forensics. The team could be constructed to break risk management with executive management. Some entities will not have all of the indicated units but the medium is still valuable in providing a list of issues to review. It also demonstrates the need for assignment of certain activities where possible.
Recovery
Recovery of financial losses due to a fraud is part of the response phase. The amount can not only be significant but difficult to recover. The latter is true because most often, the criminal has spent or hidden all the money, and there is little to recover from the fraudster.
Recovery can be accomplished by following means;
Business insurance/bonding
Repayment agreements
Civil judgments
Obviously, the latter two are subject to many factors beyond the control of the entity that could impair the entity's ability to fully recover. Thus advantageously, the most reliable recovery approach is some form of insurance or bonding of key employees.
Management needs to choose the insurance provider that fits its desires about fraud investigations. Some insurance companies require the client to turn over the fraud investigation to the insurance company and its forensic accounting team, causing the entity to lose control over most of the response to fraud process; that is, management can still work on termination of employee but loses the opportunity to follow prosecution and civil proceedings in this situation. Sometimes the insurance company chooses to pay off the obligation without any investigation.
Thus the entity needs to find an insurance provider that is fit in the terms of amount of coverage, and management's intentions about fraud response. In fact, a good response plan probably includes both adequate insurance and forceful court case procedures in terms of recovery.
