Understanding Fraud Risks and Fraud Prevention Strategies
Presented by: Timothy Ball, CFE; Brian Lafountain, CPA, CFE
Overview
I. Types of Fraud
II. The Fraud Triangle
III. Which Employees Steal
IV. Fraud Detection & Victim Organizations
V. Most Common Types of Fraud
VI. Red Flags of Fraud
VII. COSO Fraud Risk Mgmt Guidelines
VIII. Fraud Prevention Strategies
IX. Case Studies
Definition
COSO defines fraud as any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.
ACFE’s 2018 Global Study on Occupational Fraud and Abuse
– The typical organization loses an estimated 5% of its annual revenues to fraud
– Median loss of each individual fraud is approximately $108,000
– About 22% of the cases involved losses of at least $1 million
Types of Occupational Fraud
– Financial statement fraud – 10% of frauds (Wall Street Journal cases)
– Asset Misappropriation – 89% of frauds (our main focus for today)
– Corruption Schemes – 38% of frauds (conflicts of interest, bribery, etc.)
Occupational Fraud Tree
Fraud by Region
Cost of Fraud
Asset Misappropriation Schemes
Cost of Fraud
– Average armed robbery yields $250
– Average white collar crime yields $108,000
Cressey Fraud Triangle
– Pressure/Motive
– Opportunity
– Rationalization
Which Employees Steal?
The vast majority of frauds were committed by individuals in one of the following departments: accounting, operations, sales, executive/upper management, customer service, administrative support, finance or purchasing.
Which Employees Steal?
Perpetrators Position
Perpetrator’s Criminal Background
Perpetrator’s Employment History
Perpetrator’s Gender
Perpetrator’s Age
Background Checks
Victim Organizations
Watch Out! How are different kinds of organizations affected by occupational fraud?
Types of Organizations
Level of Government Organization
Size of Victim Organization
Industry of Organization
Most Common Schemes by Industry
Detection of Fraud Schemes
– External audits should not be relied upon as an organization’s primary fraud detection method. Only 4% of frauds are detected through the external audit.
– While external audits serve an important purpose and can have a strong preventive effect on potential fraud, their usefulness as a means of uncovering fraud is limited.
Initial Detection of Frauds
Tip Sources
Anti-Fraud Controls
– Anti-fraud controls can be a powerful deterrent, as well as a proactive prevention and detection mechanism in the fight against fraud.
– Organizations can benefit by knowing which anti-fraud controls are commonly used by their peers, as well as which tend to be most effective.
Most Common Anti-Fraud Controls
Anti-Fraud Controls Effect on Median Loss
Internal Control Weaknesses & Fraud
Fraud Case Results
– How do organizations react after a fraud has been discovered?
– While it is often worthwhile to pursue remedial actions against perpetrators, victims will usually not be made whole.
Internal Action Against Perpetrator
Criminal Prosecutions & Civil Suits
Results of Criminal Referrals
Results of Civil Suits
Reasons for Not Referring to Law Enforcement
Red Flags of Fraud
Conditions and symptoms whose presence increases the risk of fraud.
Red Flags of Fraud
– Environmental
– Internal Control
– Financial Statement
– Personal
Environmental Red Flags
– Type of Management
– Poor Tone at the Top
– Financial Conditions at Company
– Opportunities for Advancement
– Political Environment
Internal Control Red Flags
– Poor Segregation of Duties
– Weak Management Oversight
– No Job Descriptions
– Management Override
– Lack of Enforcement of Policies
Financial Statement Red Flags
– Unexplained Changes in Revenue
– Changes in Gross Profit
– Changes in Expenses
– Inventory Shortages
Personal Red Flags
– Financial
– Habits
– Feelings
– Others
Financial Red Flags
– Need for Money
  – Health Problems/Expenses
  – Life Event
  – Support of Ex-Spouse and Children
  – Maintenance of Life Style
Habit Red Flags
– Drugs
– Alcohol
– Gambling
– Investing (Day Trader)
– Life Style
Feeling Red Flags
– Perception of Unfair Treatment by Employer
  – Raise
  – Promotion
  – Perks
  – Responsibility
  – Discrimination
– Resentment of Supervisors
  – Inappropriate Treatment
  – Greater Competence Than Supervisor
  – “Member of Family”
– Job Frustration
– Depression
Other Red Flags
– Abruptly Changed Behavior
  – Work Hours
  – Resists taking vacation
  – Displays of Wealth
  – Attitude Toward Work/Coworkers
  – Secrecy
  – Possessiveness
Purchasing Red Flags
– Payments sent to a P.O. Box
– No telephone number on invoice
– No street address on invoice
– Only one person is the contact with vendor
– Name of company has initials in it
– Similarity in initials to employee
– Invoices are for services and not materials
Payroll Red Flags
– One person hires employees
– Same person has the ability to set up and remove employees in system
– Same person prepares/approves budget
– Employees do not sign time sheets
– Same person reviews/approves total labor hours
– Multiple locations with no direct supervision
Kickbacks Red Flags
– One person selects vendors
– Same person approves prices for equipment/materials/supplies
– No competitive bidding
– No independent review of prices/costs
– No company policy re: conflict of interest
– No company policy re: accepting of gifts
Billing/Cash Receipts Red Flags
– One person prepares invoices and handles cash receipts
– Same person opens the mail
– Same person can write off a bad debt
– Same person handles customer complaints
– No review or supervision over invoicing
– Poor control over inventory
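The purchasing, payroll, kickback and billing red flags above all describe the same condition: one person holding two duties that should be separated. The following is an added example, not the presenters' code, that turns those "same person" pairs into a rule set and runs it over a system entitlement export, both as a detective review and as a preventive check at provisioning time. The entitlement names, the user list and the exact pairing of each slide's wording into a rule are constructed assumptions.

```python
"""Segregation-of-duties (SoD) review over system entitlements.

Added example: each rule names two entitlements that the red-flag slides
say should not sit with one person. A user holding both is a finding.
Entitlement names and users are constructed for illustration.
"""

# Rule name -> entitlements that together constitute a conflict.
# The prefix cites the red-flag slide the pair was derived from (assumption).
SOD_RULES = {
    "payroll: hires and maintains employee master": ("hire_employee", "maintain_employee_master"),
    "payroll: prepares and approves budget": ("prepare_budget", "approve_budget"),
    "payroll: enters and approves labor hours": ("enter_hours", "approve_hours"),
    "kickbacks: selects vendors and approves prices": ("select_vendor", "approve_price"),
    "purchasing: sole vendor contact and approves payment": ("vendor_contact", "approve_payment"),
    "billing: prepares invoices and handles cash receipts": ("prepare_invoice", "handle_cash_receipts"),
    "billing: handles cash receipts and writes off bad debt": ("handle_cash_receipts", "write_off_bad_debt"),
}

# Constructed entitlement export (e.g. from an ERP, T&A or billing system).
USER_ENTITLEMENTS = {
    "jdoe": {"hire_employee", "maintain_employee_master", "approve_hours"},
    "asmith": {"select_vendor", "approve_price", "vendor_contact", "approve_payment"},
    "bclerk": {"prepare_invoice", "handle_cash_receipts", "write_off_bad_debt"},
    "cauditor": {"view_reports"},
}


def sod_findings(entitlements=USER_ENTITLEMENTS, rules=SOD_RULES):
    """Detective use: return {user: [violated rule names]} for users whose
    current entitlements complete at least one conflict rule."""
    findings = {}
    for user, held in sorted(entitlements.items()):
        hits = [name for name, needed in rules.items() if set(needed) <= held]
        if hits:
            findings[user] = hits
    return findings


def would_conflict(held, new_entitlement, rules=SOD_RULES):
    """Preventive use at provisioning time: return the rules that granting
    new_entitlement would newly complete for a user already holding `held`."""
    before = set(held)
    after = before | {new_entitlement}
    return [name for name, needed in rules.items()
            if set(needed) <= after and not set(needed) <= before]


if __name__ == "__main__":
    for user, rules_hit in sod_findings().items():
        print(user, "->", "; ".join(rules_hit))
    print("grant approve_hours to a user who enters hours:",
          would_conflict({"enter_hours"}, "approve_hours"))
```

Running the detective check periodically catches conflicts that accumulate through role changes (the "positions change" point made in the take-aways); the preventive check belongs in the access-request workflow so the conflict is refused before it exists.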
Behavioral Red Flags During Fraud Scheme – Asset Misappropriation
Chart: percentage of cases in which each behavioral red flag was displayed. Red flags charted:
– Living Beyond Means
– Financial Difficulties
– Unusually Close Association with Vendor
– Wheeler-Dealer Attitude
– Control Issues, Unwilling to Share Duties
– Divorce/Family Problems
– Irritability or Defensiveness
– Addiction Problems
– Complained About Inadequate Pay
– No Behavioral Red Flags
– Refusal to Take Vacations
– Excessive Pressure from Within Org.
– Past Employment-Related Problems
– Social Isolation
– Past Legal Problems
– Other
– Excessive Family/Peer Pressure for Success
– Complained About Lack of Authority
– Instability in Life
Should You Focus on Prevention or Detection?
Answer: Both
– Take proactive steps to prevent
– Be skeptical, informed, and alert in order to detect as quickly as possible
2016 COSO Fraud Risk Management Guidelines
1. Establish a Fraud Risk Management Program
2. Perform comprehensive fraud risk assessments
3. Select, develop and deploy preventive and detective fraud control activities
4. Establish an investigation program and corrective actions
5. Conduct ongoing evaluations and corrective action of the overall program
Managing Fraud Risk
The COSO Fraud Risk Management Guide states:
“The board of directors, and top management and personnel at all levels of the organization — including every level of management, staff, and internal auditors — have responsibility for managing fraud risk.”
“Fraud deterrence is achieved when the organization”:
– Establishes a visible and rigorous fraud governance process
– Creates a transparent and sound anti-fraud culture
– Includes a thorough fraud risk assessment periodically
– Designs, implements, and maintains preventive and detective fraud control processes and procedures
– Takes swift action in response to allegations of fraud, including, where appropriate, actions against those involved in wrongdoing
Summary of Fraud Risk Management Components and Principles
Principle 1 – Fraud Risk Governance
Principle 1 – Fraud Risk Governance
Board and Senior Management:
– Makes an organizational commitment to fraud risk management.
– Supports fraud risk governance.
– Establishes a comprehensive fraud risk management policy.
– Establishes fraud governance roles and responsibilities throughout the organization.
– Documents the fraud risk management program.
– Communicates fraud risk management at all organization levels.
Analytics considerations – Principles 1 through 5: Aligned with Governance

COSO 2013 Framework Principles (Control Environment):
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Fraud Risk Management Principle 1: The organization establishes and communicates a fraud risk management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

Analytic Considerations:
– Executive reporting
– Interactive dashboards
– Targeted analysis around metrics, compliance and ratios
Principle 2 – Fraud Risk Assessment
Principle 2 – Fraud Risk Assessment
– Involves the appropriate level of management
– Analyzes internal and external factors
– Considers various types of fraud
– Specifically considers the risk of management override of controls
– Assesses personnel or departments involved and all aspects of the fraud triangle
– Identifies existing fraud control activities and assesses their effectiveness
– Uses data analytics techniques for fraud risk assessment and fraud risk responses
– Performs periodic risk assessments and assesses changes to fraud risk
Analytics considerations – Principles 6 through 9: Aligned with Fraud Risk Assessment

COSO 2013 Framework Principles (Risk Assessment):
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Fraud Risk Management Principle 2: The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.

Analytic Considerations:
– Surveys & heat maps
– Media scans and external sources such as industry news
– Complaints database
Principle 3 – Fraud Control Activities
Principle 3 – Fraud Control Activities
– Promotes fraud deterrence through preventive and detective control activities
– Considers organization-specific factors and relevant business processes
– Utilizes a combination of fraud control activities
– Considers management override of controls
– Utilizes proactive data analytics procedures
– Implements control activities through policies and procedures
Analytics considerations – Principles 10 through 12: Aligned with Fraud Control Activities

COSO 2013 Framework Principles (Control Activities):
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Fraud Risk Management Principle 3: The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

Analytic Considerations:
– ABaC analytics
– P2P, O2C, T&E, CRM analysis
– General ledger transaction analysis
Utilizing data analytics to do more
Plan and build tests for:
– Payment risk scoring
– Vendor risk scoring
– High risk transactions
– Revenue recognition or sales commissions
Additional tests for enhanced reviews:
– Inventory management
– Salaries & payroll
– Employee travel & entertainment
– Conflicts of interest
– FCPA/UKBA (corruption risks)
Principle 4 – Fraud Investigation and Corrective Action
Principle 4 – Fraud Investigation and Corrective Action
– Establishes fraud investigation and response protocols
  – Confidentiality, urgency, evidence preservation, legal protections, forensic support, investigation protocols, reporting process, root cause and mitigating controls, etc.
– Conducts investigations
– Communicates investigation results
– Takes corrective action
– Evaluates investigation performance
Why is a formal investigation program necessary?
– Poorly performed investigations
  – Key source of problems not identified and internal controls not improved
  – Lack of dedicated and experienced forensic or investigative skill sets
  – Lack of routine and repetitive investigation training
  – Development of corrective action plan and monitoring activities not consistently applied
Monitoring investigation performance
– Resolution time and investigation costs
– Repeat incidents
– Value of losses recovered and future losses prevented
– Corrective actions
  – Internal control remediation, business process remediation, disciplinary action, training, insurance claims, extended investigations, civil actions, criminal referrals
** Corrective actions for fraud-related incidents are an evaluation component within the Federal Sentencing Guidelines
Analytics considerations – Principles 13 through 15: Aligned with Investigative Activities

COSO 2013 Framework Principles (Information & Communication):
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Fraud Risk Management Principle 4: The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.

Analytic Considerations:
– Case management
– Escalation and triage
– Review workflow management
Principle 5 – Fraud Risk Management Monitoring Activities
Principle 5 – Fraud Risk Management Monitoring Activities
– Considers a mix of ongoing and separate evaluations
– Considers factors for setting the scope and frequency of evaluations
– Establishes appropriate measurement criteria
– Considers known fraud schemes and new fraud cases
– Evaluates, communicates and remediates deficiencies
What should organizations do now?
The COSO Anti-Fraud Guide sets out a process for ongoing, comprehensive fraud management.
Analytics considerations – Principles 16 & 17: Aligned with Monitoring Activities

COSO 2013 Framework Principles (Monitoring Activities):
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Fraud Risk Management Principle 5: The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates fraud risk management program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.

Analytic Considerations:
– Investigative procedures
– Deep dive analysis
– Email and communications review
Key takeaways and next steps
– Identify and assign the appropriate Process Owner/Champion within your organization
– Determine the appropriate level of adherence to the COSO ERM Framework, whether formal, informal or not at all
– Identify and formalize all anti-fraud and investigation activities within the fraud risk management program
– Conduct an assessment to identify gaps, weaknesses and duplicative or ineffective anti-fraud efforts
– Develop, document and implement comprehensive preventive and detective data analytics functions
Case Studies
– Description of fraud claim
– Assess risks
– Discuss forensic procedures
– Discuss results
– Discuss controls that could have mitigated fraud
– Discuss improvements for future frauds
Case Study #1 – County Government
Case setup
– Large department within County Government
– Issues surrounding the entry of time and PTO in the Time and Attendance system
– Allegations included the following:
  – Employees were sharing logins and passwords (to the time and attendance application) with each other, logging in and/or out for each other prior to late arrival or after early departure
  – Supervisory employees were manually overwriting punch in/out transactions (i.e. times of punch in transactions)
– Assess the risks
Case Study #1 – County Government
What type of forensic procedures would you utilize at the County Department in attempts to confirm or deny the allegations? What order would you do them in? Why is that important?
Case Study #1 – County Government
Forensic Procedures
– Interviews – Director, Supervisors, Time & Attendance (T&A) Admins, all other staff
– Gain an understanding of each individual’s access rights and user rights within the T&A system
– Work with the County IT department to export data from the T&A system to list daily log in/out times during the scope period for each employee
– Work with the County IT department to identify individual IP addresses and County network login/logout times during the scope period for each employee
Case Study #1 – County Government
Forensic Procedures – What did we do?
– Reconciled the log in/out times in the T&A system to the log in/out times on the County network to identify instances where there were material differences
– Interviewed the individual employees to discuss possible reasons for material differences
– Aggregated the total time differences over the scope period to identify the total time that was fraudulently reported for each individual
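The reconciliation in the two slides above (T&A punches against network logon/logoff, then aggregation per employee over the scope period) is mechanical enough to script. The following is an added example, not the presenters' code: it computes the paid minutes that fall outside each employee's network session, keeps only differences at or above a materiality threshold, totals them per employee, and also flags punches entered from a workstation the network attributes to a different employee that day (the credential-sharing allegation). The 15-minute threshold, the record layout and every sample record are constructed.

```python
"""Reconcile Time & Attendance (T&A) punches against network logon records.

Added example. Inputs are one T&A punch record and one network-session
record per employee per day (both constructed). Output is the list of
material differences, the per-employee totals, and any punch whose source
workstation belonged to another employee's network session.
"""
from collections import defaultdict
from datetime import datetime

MATERIAL_MINUTES = 15  # assumed materiality threshold; set to local policy


def _t(day, hhmm):
    """Combine a YYYY-MM-DD day and HH:MM time into a datetime."""
    return datetime.strptime(f"{day} {hhmm}", "%Y-%m-%d %H:%M")


# Constructed T&A export: punch in/out and the IP the punch was made from.
TA_PUNCHES = [
    {"emp": "E100", "day": "2019-03-04", "in": "08:00", "out": "16:30", "src_ip": "10.1.1.10"},
    {"emp": "E100", "day": "2019-03-05", "in": "08:00", "out": "16:30", "src_ip": "10.1.1.10"},
    {"emp": "E200", "day": "2019-03-04", "in": "08:00", "out": "16:30", "src_ip": "10.1.1.10"},
    {"emp": "E200", "day": "2019-03-05", "in": "07:55", "out": "16:35", "src_ip": "10.1.1.20"},
    {"emp": "E300", "day": "2019-03-04", "in": "08:30", "out": "16:30", "src_ip": "10.1.1.30"},
]
# Constructed network export: first logon, last logoff, workstation IP.
NET_SESSIONS = [
    {"emp": "E100", "day": "2019-03-04", "logon": "07:58", "logoff": "16:32", "ip": "10.1.1.10"},
    {"emp": "E100", "day": "2019-03-05", "logon": "08:02", "logoff": "16:28", "ip": "10.1.1.10"},
    {"emp": "E200", "day": "2019-03-04", "logon": "09:10", "logoff": "15:05", "ip": "10.1.1.20"},
    {"emp": "E200", "day": "2019-03-05", "logon": "07:50", "logoff": "16:40", "ip": "10.1.1.20"},
    {"emp": "E300", "day": "2019-03-04", "logon": "08:25", "logoff": "16:33", "ip": "10.1.1.30"},
]


def minutes_outside_session(punch, session):
    """Paid minutes before the first network logon plus paid minutes after
    the last logoff. Time the employee was online but not on the clock
    counts for nothing: only overstated time is a difference."""
    day = punch["day"]
    early = (_t(day, session["logon"]) - _t(day, punch["in"])).total_seconds() / 60
    late = (_t(day, punch["out"]) - _t(day, session["logoff"])).total_seconds() / 60
    return max(0.0, early) + max(0.0, late)


def reconcile(punches=TA_PUNCHES, sessions=NET_SESSIONS, threshold=MATERIAL_MINUTES):
    """Return (material_differences, totals_by_employee, shared_credential_flags)."""
    by_key = {(s["emp"], s["day"]): s for s in sessions}
    ip_owner = {(s["day"], s["ip"]): s["emp"] for s in sessions}
    material, totals, shared = [], defaultdict(float), []
    for p in punches:
        s = by_key.get((p["emp"], p["day"]))
        if s is None:
            # Paid day with no network session at all: every paid minute is unsupported.
            diff = (_t(p["day"], p["out"]) - _t(p["day"], p["in"])).total_seconds() / 60
        else:
            diff = minutes_outside_session(p, s)
        if diff >= threshold:
            material.append({"emp": p["emp"], "day": p["day"], "minutes": diff})
            totals[p["emp"]] += diff
        # Credential-sharing indicator: the punch came from a workstation that
        # the network records attribute to a different employee that day.
        owner = ip_owner.get((p["day"], p["src_ip"]))
        if owner is not None and owner != p["emp"]:
            shared.append({"emp": p["emp"], "day": p["day"], "punched_from": owner})
    return material, dict(totals), shared


if __name__ == "__main__":
    material, totals, shared = reconcile()
    for m in material:
        print(f"{m['emp']} {m['day']}: {m['minutes']:.0f} min outside network session")
    print("totals by employee:", totals)
    print("punches from another employee's workstation:", shared)
```

The material list is the interview worksheet (each row is a specific day to put to the employee), the totals are the aggregated exposure per individual, and the shared-credential flags point at the buddy-punching rotation the results slide describes. Network records without a matching T&A punch are deliberately ignored: unpaid time is not a loss to the organization.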
Case Study #1 – County Government
Results
– Several individual employees were fraudulently reporting their time over multiple years
– Several employees were colluding to do so, and then colluding to cover up their schemes
– Employees had a rotation whereby they would take turns leaving early or arriving late and have another employee log them in/out
Case Study #2 – Local Government
Case setup
– Law Enforcement Agency
– Allegations involved the following:
  – Officers were submitting manual OT slips for time that they did not work
  – Officers were submitting OT vouchers for court appearances occurring on the same day as separate court appearances on multiple days. Each instance was guaranteed for 4 hours.
– Assess risks
Case Study #2 – Local Government
What type of forensic procedures would you utilize for the Law Enforcement Agency? What order would you do them in? Why is that important?
Case Study #2 – Local Government
Forensic Procedures
– Interviews – Captain/Chief, officers, administrative employees, HR representatives
– Determine who is responsible for the timekeeping within the Agency
– Determine the scope period
– Gain an understanding of the T&A package, the manual process utilized, and the internal controls in place, etc.
– What information is available to support hours worked?
– Gather all applicable information
Case Study #2 – Local Government
Forensic Procedures – What did we do?
– Interviews – Learned that separate Payroll reps were housed within the Local Government and the Law Enforcement Agency
  – Each process was extremely manual, with multiple spreadsheets and several manual adjustments needed each pay period
– Learned that there was no time limit on how long after OT was worked an employee was required to submit the OT voucher
– Discovered that the Director/Chief was not monitoring the OT vouchers closely, nor reconciling the vouchers submitted for past pay periods
Case Study #2 – Local Government
Forensic Procedures – What did we do?
– Examined every OT voucher submitted during the scope period; confirmed appropriate approval, mathematical accuracy, and specific circumstances we could verify
– Learned that nobody was reconciling the OT vouchers submitted for court appearances to the actual court dockets to ensure employees actually had a court case
– Worked with the Director/Chief to locate any other transaction journals or available reports to confirm individual officers’ activity “on the job” during the OT hours submitted
  – Arrest reports, traffic tickets written, training attended, etc.
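The voucher examination described in the slides above (approval, arithmetic, and a reconciliation to court dockets that nobody at the agency was performing) can be expressed as a repeatable set of tests. This added example is not the presenters' code: it checks each overtime (OT) voucher for a missing approval, an amount that does not equal hours times rate, no docket entry for the officer and case, a voucher date that differs from the docket date, and several vouchers drawn from appearances heard in a single court session, each claiming the 4-hour minimum the case describes. The docket and voucher layouts, the rate and all sample records are constructed.

```python
"""Test court-appearance OT vouchers against court dockets.

Added example. A docket entry records which officer appeared on which case,
on which date and in which session; a voucher records what the officer
claimed. Both inputs are constructed.
"""
from collections import defaultdict

MIN_GUARANTEE_HOURS = 4.0  # contractual minimum per appearance, as stated in the case

# Constructed court docket.
DOCKET = [
    {"officer": "O1", "case": "C-101", "date": "2019-05-06", "session": "AM"},
    {"officer": "O1", "case": "C-102", "date": "2019-05-06", "session": "AM"},
    {"officer": "O2", "case": "C-201", "date": "2019-05-07", "session": "PM"},
]
# Constructed OT vouchers as submitted (hours, hourly rate, amount claimed).
VOUCHERS = [
    {"id": "V1", "officer": "O1", "case": "C-101", "date": "2019-05-06",
     "hours": 4.0, "rate": 50.0, "amount": 200.0, "approved_by": "Chief"},
    {"id": "V2", "officer": "O1", "case": "C-102", "date": "2019-05-08",
     "hours": 4.0, "rate": 50.0, "amount": 200.0, "approved_by": "Chief"},
    {"id": "V3", "officer": "O2", "case": "C-201", "date": "2019-05-07",
     "hours": 4.0, "rate": 50.0, "amount": 250.0, "approved_by": ""},
    {"id": "V4", "officer": "O2", "case": "C-999", "date": "2019-05-09",
     "hours": 4.0, "rate": 50.0, "amount": 200.0, "approved_by": "Chief"},
]


def check_vouchers(vouchers=VOUCHERS, docket=DOCKET):
    """Return (exceptions, excess_hours).

    exceptions: {voucher id: [exception codes]} for every voucher failing a test.
    excess_hours: {officer: hours} of guaranteed minimum claimed more than once
    for appearances heard in one court session.
    """
    docket_by_case = {(d["officer"], d["case"]): d for d in docket}
    exceptions = defaultdict(list)
    sessions = defaultdict(list)  # (officer, docket date, session) -> voucher ids
    for v in vouchers:
        if not v["approved_by"]:
            exceptions[v["id"]].append("missing_approval")
        if abs(v["hours"] * v["rate"] - v["amount"]) > 0.005:
            exceptions[v["id"]].append("math_error")
        d = docket_by_case.get((v["officer"], v["case"]))
        if d is None:
            # Paid for a court appearance the docket does not show.
            exceptions[v["id"]].append("no_docket_match")
            continue
        if d["date"] != v["date"]:
            # Voucher moved the appearance to a different day than the docket.
            exceptions[v["id"]].append("date_differs_from_docket")
        sessions[(v["officer"], d["date"], d["session"])].append(v["id"])
    excess_hours = defaultdict(float)
    for (officer, _day, _session), ids in sessions.items():
        if len(ids) > 1:
            # One session, several vouchers: each extra voucher draws the minimum again.
            for vid in ids:
                exceptions[vid].append("multiple_vouchers_one_session")
            excess_hours[officer] += (len(ids) - 1) * MIN_GUARANTEE_HOURS
    return dict(exceptions), dict(excess_hours)


if __name__ == "__main__":
    exc, excess = check_vouchers()
    for vid, codes in sorted(exc.items()):
        print(vid, ", ".join(codes))
    print("excess guaranteed hours by officer:", excess)
```

The docket is the independent source the agency lacked; once it is loaded, the "same session split across days" pattern is a simple grouping, and the excess-hours figure gives the overpayment attributable to it without reading a single voucher by hand.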
Case Study #2 – Local Government
Results
– Officers were indeed separating court appearances that occurred during the same morning session into separate OT vouchers occurring on different days. Each instance was contractually guaranteed for a minimum of 4 hours of OT.
– Officers submitted OT vouchers, and were subsequently paid, for time that was never actually worked
– Lack of Chief/Director oversight led to disciplinary action
– Individual officers were disciplined and/or terminated
Case Study #3 – Local Government
Case setup
– Town Government
– Board members had concerns about the Clerk and cash procedures within the operations
– Clerk had access to, and control over, all finances
– Clerk had health problems causing financial strains
– Clerk processed several cash transactions for the Town, such as permits and vital records, etc.
– Town-operated landfill was a cash basis operation and there were concerns with the individual responsible for the operations
Case Study #3 – Local Government
What type of forensic procedures would you utilize at the Town to confirm/refute allegations? What order would you do them in? Why is that important?
Case Study #3 – Local Government
Forensic Procedures
– Interviews – Town Board Members, Town clerical staff, Town Clerk
– Gather information about processes
  – Cash controls at the Town Office as well as the Landfill
  – Bank accounts
  – Use of petty cash
– Obtain bank statements for the scope period, including cancelled checks, bank reconciliations, etc.
Case Study #3 – Local Government
Forensic Procedures – What did we do?
– Conducted interviews – learned what type of control the Clerk had over the cash processes as well as the bank accounts
– Interviewed the Landfill Operator to learn of his processes – found that virtually no controls were in place to reconcile cash received
– Interviewed the Board members to gather additional information relative to additional allegations and/or concerns
– Reconciled the manual transaction logs utilized for the vital records transactions to the actual cash receipts for reasonableness
– Inspected the transactions in the bank accounts in search of any transactions appearing to be inappropriate, suspicious, or for personal purchases
– Reviewed the journal entries booked by the Clerk for appropriateness, and investigated where necessary
Case Study #3 – Local Government
Results
– Clerk was pocketing most of the cash received to process vital records and/or permits, etc.
– Clerk was colluding with the Landfill Operator to steal large sums of cash from the Landfill
– Clerk was spending thousands of dollars on personal online shopping, and a Town office was full of packages
– Third-party Accountant was not performing any due diligence, rather just booking transactions as they were told
Case Study Take-Aways
Be Aware of the Risks / Be Proactive / Professional Skepticism
– Don’t allow employees to be put in a position where fraud is even possible – protect your employees as much as you protect your organization
– Analyze risk continually as:
  – Systems change
  – Business activity changes
  – Positions change – downsizing
– Segregate duties – use board members, other departments and regular internal audits to protect risky transactions
– Establish Open Door and Whistleblowing Policy
Thank you for your attention.
Questions?