Fraud Risk Management: Fraud Risk Has Been Rising And It's Likely to Continue

We have released the final report on the effectiveness of corporate fraud risk management. The report is the result of a study which compiled opinions on the risk of fraud and the effectiveness of corporate fraud risk management. While the study participants almost universally agreed that the risk of fraud has increased during the economic downturn over the past 24 months, many believe that the risk will continue to rise over the next 24 months.

Some of the results include:
- Fraud risk will continue to rise over the next 24 months
- Highest fraud risk lies with suppliers
- Executives say highest fraud risk is in Asset Misappropriation (false billing schemes)
- Internal Auditors say highest fraud risk is in Asset Misappropriation (Expense Reports)
- Employee tip is the #1 way fraud is uncovered
- Code of Ethics is #1 Fraud Prevention strategy

It is well known that the risk of fraud is present in almost every business regardless of size, shape, and complexity. The risk could materialize itself in an employee, a vendor, a client, or in the boardroom. It could be “detrimental” by bleeding company assets or “beneficial” by artificially inflating company financial statements. These frauds could play out in scenarios that are quite varied, and be concealed by strategies that are sophisticated and complex. The report reveals some of the strategies corporations use to combat the risk of fraud.

The study compiled opinions of Executives and Internal Auditors from private, public, and not-for-profit organizations, spanning many industries on strategic planning for fraud prevention, detection, and deterrence. One of the goals of the study was to provide information that would allow companies to evaluate the investment in fraud risk management. This is the second study Vonya Global has conducted on this topic; the first was released in 2009. The study compiles opinions about risk management strategies employed to combat fraud.

To download a copy of the report please visit Vonya Global’s home page: www.vonyaglobal.com.

---

This blog post was written by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit consulting services. If you would like more information about Vonya Global or if you have a questions for Steve, you may him through this blog, the company website, twitter, or his LinkedIn Profile.

Data Analytics: Providing Greater Internal Audit Depth During A Turbulent Economy

Data Analysis through Computer Assisted Audit Techniques (CAATs) is an efficient way to test transactions, providing 100% assurance on the effectiveness of Internal Controls. Using basic tools such as Microsoft Excel and Access, advanced tools such as ACL or IDEA, or the tools embedded in ERP applications has been a best practice for years but has often been viewed as a luxury, not a necessity. This year, during this economy, using CAATs has become absolutely critical.

Obviously budget pressures have gone through the roof, resulting in massive global layoffs. Reductions in work force, especially to the accounting department, create enormous pressure on the employees who remain. Requiring employees to take on more responsibility often increases the likelihood of errors and misstatements. Added pressures like salary freezes combined with less oversight can tempt an otherwise honest employee to cut corners or commit fraud. The risk of financial misstatement doesn’t get any higher.

A critical way to respond to these challenges is to increase (or initiate) the use of data analytics. This approach evaluates and monitors data from every transaction processed by a company to identify anomalies. Applying data analytics to review transactions in accounts payable, advertising, freight, health benefits, construction, and other areas can yield hundreds of thousands or more in savings and recoveries. When this process is done by management instead of internal audit, errors are identified sooner and with more precision.

CAATs have been around for more than 20 years and those experienced in using CAATs have had experience ranging from good to fabulous. Unfortunately CAATs have typically been used only by Internal Audit Departments and only on selected audit projects. The inconsistent usages of CAATs make it difficult to maintain the knowledge and experience to make CAATs a regular and sustainable part of the audit process.

With the status of the economy, CAATs have become an essential part of effective Corporate Governance. The first step is gaining the basic knowledge to make CAATs part of the oversight process. The second step is sharing the knowledge throughout the Internal Audit department and management ranks. The third step is imbedding the process into the fabric of the organization to make it sustainable and continuous. Getting more oversight with less effort is possible today by simply leveraging CAATs, a technology most companies already employ.

To learn more about how to make CAATs a routine part of the audit process, please contact Vonya Global for a free consultation. Leveraging readily available software tools in combination with proprietary methodologies, our team of data analysis experts focus data analytics at common problem areas to help our clients recover overpayments and develop a sustainable approach to continuous auditing.

ACL is a registered trademark of ACL Corporation and IDEA is a registered trademark of Caseware IDEA.

---

This article was contributed by Joe Oringel and Kim Jones of Visual Risk IQ, a thought leader in Continuous Auditing and Monitoring. For more information on Visual Risk IQ, please visit their web site at www.visualriskiq.com.

Study Launched on the Strategic Role of Internal Audit

Vonya Global is surveying a cross-section of Executives and Internal Auditors from both public and private organizations in a variety of industries to evaluate their opinions regarding the strategic role of internal audit. This is a follow up study to one conducted in 2008. The results of the 2008 study revealed a expectation gap in the strategic role internal auditors play in their organizations. This follow up study will compare how expectations may have changed in light of continued risks of fraud, financial statement errors, environmental risks, security breaches, and privacy concerns.

One executive from the previous study stated the following: "Internal Audit could improve its capabilities in evaluating the effects of strategic and business risk on the overall risk profile of the Company. This would also enhance the primary mission of internal audit to look for potential financial issues.” This statement, along with many others, reveal the importance of internal audit becoming more than a financial compliance function. The results of this new study will highlight whether or not internal audit has taken steps in this direction.

To participate in the study, please visit the Vonya Global website: http://www.vonyaglobal.com

Responding to Fraud Risk: the CAE’s Role

Background: The Association of Certified Fraud Examiners (ACFE) conducts a bi-annual study on fraud investigations, the results of which get summarized in the ACFE Report to the Nation. The most recent report was issued in 2008 and revealed the following:

- U.S. organizations lose 7% of their annual revenues to fraud
- There is approximately $994 billion in fraud losses each year
- Fraud schemes typically last for at least 2 years before they are caught
- Corruption was the #1 scheme at 27% of all reported fraud cases
- False Billing was the #2 scheme at 24% of all reported fraud cases
- Frauds are most likely to be uncovered by a “tip” rather than any other method, including audit
- Roughly 38% of Frauds happened at small companies (>100 employees)
- Roughly 42% of Frauds happened at large companies (1,000+ employees)
- Roughly 39% of Frauds happened at Private Companies
- Roughly 28% of Frauds happened at Public Companies

What these statistics prove is while fraud may not happen at every company; no company is immune to fraud risk. As an inherent risk to business, fraud should be included in Enterprise Risk Management (ERM). Methods for managing and controlling the risk of fraud should include strategies for fraud prevention, fraud detection, and fraud deterrence.

The Chief Audit Executive (CAE) must be involved in the organizational anti-Fraud strategy. As with other business risks the CAE should be assessing Fraud Risk and evaluating the effectiveness of the anti-Fraud strategies. Here is a sample list of strategies:

Fraud Prevention

- Anti-Fraud Tone at the Top
- Strong Corporate Governance and Internal Control Environment
- Policies and Procedures to reflect mindset and actions
- Hire ethical employees (Background checks, signed forms, etc.)
- Code of Conduct – signed by every employee
- Conflict of Interest Statement (employees and business partners)

Fraud Detection

- Establish a Hotline
- Fraud Risk Assessment
- Fraud Penetration Study based on Schemes and Concealment Strategies
- Incorporate Fraud in every phase of an audit (SAS 99)
- Create/utilize a Red Flags Database
- Implement effective SOX Fraud Controls
- Data mine instead of sample testing
- Create a Toolkit including a resource roster of experts (Fraud expert, Investigator, Data mining, etc.)
- Continuously Monitor Transactions for possible Fraud

Fraud Deterrence

- Create an Internal Audit department
- Publicize Ethics Hotline
- Publicize Internal Fraud Cases and Punishment
- Publicize Continuous Monitoring Program

Vonya Global and the ACFE are not affiliated. Information in the opening paragraph is sourced from the ACFE 2008 Report to the Nation, which can be downloaded at the ACFE website.

Corporate Crime Task Force Created

It was announced on November 17th that President Obama's administration has created a Corporate Crime Task Force. U.S. Attorney General Eric H. Holder Jr. said, "Mortgages, securities and corporate fraud schemes have eroded the public's confidence in the nation's financial markets and have led to a growing sentiment that Wall Street does not play by the same rules as Main Street."

The L.A. Times reported, "The Financial Fraud Enforcement Task Force will attack what Holder called "unscrupulous executives, Ponzi scheme operators and common criminals" in much the same way that a similar task force created in 2002 by former President George W. Bush went after corporate malfeasance following the accounting scandals at Enron Corp. and WorldCom Inc."

The article continued: "The Fraud Enforcement and Recovery Act authorized $245 million annually in 2010 and 2011 to hire hundreds of prosecutors, agents and other federal officials to pursue financial fraud. It also strengthened and expanded money laundering laws and other statutes to apply to fraud committed by private mortgage lenders."

Is this something that should worry executives and corporate boards? Or... is this much ado about nothing?

A Proactive Response to Fraud Risk and Fraud Detection - The Fraud Penetration Study

One of the few truly proactive approaches to fraud prevention and detection, a Fraud Penetration Study is the application of specific audit procedures to increase the likelihood of detecting fraud in a core business system. Unlike the traditional audit approach, the Fraud Penetration Study does not focus on controls or control effectiveness, but rather the authenticity of the transaction.

There are six steps to the Fraud Penetration Study: Risk Identification, Scenario Development, Concealment Analysis, Scoping, Data Mining, and Fraud Analysis.

• Fraud risk identification starts with understanding the types of fraud risk. The starting point is accepting the concept of inherent fraud schemes. Once this concept is accepted, the auditor must understand how the scheme would occur in the specific business system; often times referred a fraud scenario.


• The fraud scenario is built from understanding the variations of the scheme based on the opportunities for fraud, entities involved, internal controls in place, and business processes currently performed. In essence, the fraud scenario is how the inherent fraud scheme would occur in a company’s business process.


• After the fraud scenario is developed, the auditor must identify and understand the common concealment strategies used to hide the fraud in this scenario. Common fraud concealment strategies are false documents, false representations and false approvals. The auditor should identify the red flags associated with the concealment strategies.


• The structure of the fraud scenario defines the audit scope for the audit plan. The audit plan may have several fraud scenarios, but each fraud scenario needs its own data mining plan and its own fraud audit procedures. Also, the audit plan provides the auditor with the necessary information to find and reveal the fraud scenario.


• Using a data mining tool like ACL(1) or IDEA(1), a sample of vendors would be selected consistent with the fraud data profile for the identified fraud scenario. Building the fraud data profile is the most important step in the fraud audit process. The goal is to select a biased and discreet number of transactions that are more likely to be fraudulent on which fraud audit procedures can be performed.


• The purpose of the fraud audit procedure is to gather evidence that is created and stored external to the perpetrator to form the basis of the Fraud Analysis. The procedure should be designed to pierce the concealment strategy. In the false billing scheme, the weakness of the concealment strategy is that the vendor does not exist. If the auditor develops an audit procedure to show that the entity does not exist, the concealment strategy will be unveiled, and the fraud exposed.

Using this methodology, you will find out if there is fraud in your business and if done well, you will find it within the first 3 days of analysis.

---

1 ACL is a registered trademark of ACL Corporation and IDEA is a registered trademark of Caseware IDEA.

Looking for Ghost Employees in a Retail Environment

Payroll Fraud, specifically “Ghost Employees” can create a significant financial burden on companies. How much? Well, according to Occupational Fraud and Abuse, by Joseph T. Wells, Obsidian Publishing Co. Inc., Ghost Employee Fraud has the highest median loss relative to all payroll fraud schemes at $275,000 per case. If it is happening at your company, it is hurting your company. Unfortunately for those of you in retail, you are one of the most susceptible.

What can be done?

A large retail organization, one of the Fortune 500 with well over 200,000 employees, has retained Vonya Global to search for Fraud in Payroll. Specifically we will be looking for Ghost Employees which (in our methodology) includes Fictitious Ghosts, No-Show Ghosts, Pre-employment Ghosts, Terminated Ghosts, Temporary Ghosts, Family/Friend Ghosts, and Temp Agency Ghosts.

Unlike an investigation, this project is a proactive approach to fraud detection. The company has no evidence or indication that payroll fraud is occurring, however they understand that based on their size and their industry they are susceptible. Our approach takes an inventory of all payroll data and files. Once we have all the information we will segregate it into groups with similar characteristics and through detailed data analysis we will identify anomalies. We are confident that we will identify Ghost Employees and as a result return hundreds of thousands of dollars to the company.

Contact us if you would like to find out more about this project or how we would help you identify fraud in your business.

Fraud Detection Workshop in Chicago October 27 - Afternoon Session Added

Due to popular demand an afternoon session has been added to this workshop. The session will begin at 2:30 pm and conclude by 5:00 pm. Admission is free but registration is required. Please confirm by October 20, 2009.

About the Workshop
Fraud schemes are not complex. Yet, fraud is rarely caught until it is too late. Why? Understanding the fraud scheme is not enough. Identifying the fraud concealment strategy and how it is portrayed in data is the only way to detect fraud. It is essential to learn how to detect fraud before it is too late.

Data mining is the key tool to locate and recognize fraudulent transactions. This workshop will demonstrate:

- How to build a fraud scenario approach
- How to map data fields to fraud scenarios
- How to interpret data for patterns and frequency of fictitious vendors
- How to build the fraud audit plan to include data mining

Please visit the Vonya Global website to register or request additional information.

FINAL REPORT: Strategic Plan for Fraud Prevention, Fraud Detection, and Fraud Deterrence

Vonya Global surveyed Executives and Internal Auditors from private, public, and not-for-profit organizations, spanning many industries to gather opinions on strategic planning for fraud prevention, fraud detection, and fraud deterrence.

"Companies should do more to deter and detect fraud. Costs go far beyond the simple dollars someone steals or gains through materially misstated financial statements. Loss to employees and stockholders can be substantial.”
- Internal Auditor Response


Historically, there have been several studies conducted about fraud and fraud statistics, but none that deal directly with the strategic plans to manage fraud risks. The timing of this study is appropriate due to the heightened sensitivity to fraud due to the economic conditions. It seems more groups, including regulatory bodies, investors, clients, and suppliers are increasingly concerned about the ability to demonstrate effective fraud prevention and fraud detection strategies.

One of the goals of this report is to help organizations begin to evaluate the investment in fraud prevention, fraud detection, and fraud deterrence to determine if there are more effective ways to manage fraud risk.

A copy of the full report can be downloaded by following this link: Fraud Prevention, Fraud Detection, & Fraud Deterrence Report

Fraud Detection: An Executive Briefing on Data Mining Techniques

Fraud Detection Workshop, October 27, 2009

Fraud schemes are not complex. Yet, fraud is rarely caught until it is too late. Why? Understanding the fraud scheme is not enough. Identifying the fraud concealment strategy and how it is portrayed in data is the only way to detect fraud. It is essential to learn how to detect fraud before it is too late.

Data mining is the key tool to locate and recognize fraudulent transactions. This workshop will demonstrate:

• How to build a fraud scenario approach
• How to map data fields to fraud scenarios
• How to interpret data for patterns and frequency of fictitious vendors
• How to build the fraud audit plan to include data mining
  

The workshop will be held in Chicago, IL USA on Tuesday, October 27, 2009. The session will run from 8:30 am through 11:00 am. Coffee and a light breakfast will be served.

http://www.vonyaglobal.com/fraud-detection-workshop.html