Fraud Prevention and Detection 2010 - PAPERS - Home

www.cheeversco.com 1 Fraud Prevention and Detection 2010 Jim Downing, Chief Compliance Officer Cheevers & Company Member CHX/FINRA/SIPC

Fraud Prevention and Detection

2010

Jim Downing, Chief Compliance Officer
Cheevers & Company

Member CHX/FINRA/SIPC

Disclaimer: The findings and conclusions in this presentation are those of the author and do not represent the views of Cheevers & Company, its employees, owners, or affiliates. Nothing in this handout or presentation constitutes legal advice.

References Used in this Presentation:

2008 Report to the Nation on Occupational Fraud and Abuse by the Association of Certified Fraud Examiners, Inc.

Donald R. Cressey, Other People’s Money (Montclair: Patterson Smith, 1973)

Albrecht, W.S., Howe, K.R., & Romney, M.B. (1984). Deterring fraud: The internal auditor's perspective. Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation.

About the Presenter

Jim Downing, Chief Compliance Officer

Jim Downing serves as Chief Compliance Officer for Cheevers & Company. He brings with him 10 years of experience in SRO regulation, compliance, securities law, finance/accounting and risk management. Prior to joining the firm, he was a Compliance Examiner at FINRA where he was selected for several special projects including the mutual fund breakpoint sweep. Following five years with FINRA, Jim joined SunGard Institutional Brokerage where he was a Compliance Officer overseeing the institutional trading desk. Jim played an integral role in the company’s international expansion. Jim has a Master of Science in Accounting from Roosevelt University and is also a Certified Fraud Examiner. Currently, Jim is enrolled in the Executive Juris Doctorate program at Taft Law School and is a member of the National Society of Compliance Professionals.

Jim maintains his Series 7, 24, 27, 53 & 63 registrations with FINRA.

Objectives of the Presentation

Understand why fraud occurs
- Commonalities and findings that identify factors existent in fraud

Fraud Prevention
- Employee and management awareness
- Risk Analysis & Internal Controls
- Essential Methods of Prevention

Fraud Detection
- Internal Fraud
- External Fraud
- Fraud detection techniques

Q&A Session

Fraud Facts

Data from ACFE 2008 Report to the Nation

Presentation Notes:
Note that fraud is not limited to one gender, employee type, or age.

Fraud Facts – 2008 ACFE Report to the Nation

Estimated that U.S. organizations lose as much as 7% of their annual revenue to fraud (p. 4).

Fraud schemes cost organizations a median loss of $175,000 (p. 4).

More than one quarter of frauds uncovered involved losses of at least $1 million (p. 4).

46.2% of fraud cases uncovered were found via a tip (p. 18).

A “poor tone at the top” was identified 8.6% of the time as the primary internal control weakness observed by Certified Fraud Examiners (p. 43).

What is important to remember is that anyone can commit fraud. If you are interested in learning more, visit the ACFE website at www.acfe.com.

Why Fraud Occurs

Donald R. Cressey (1919-1987), a noted scholar of fraud, hypothesized that a classic model existed for the fraud offender. This became known as the “Fraud Triangle.”

Presentation Notes:
In most situations, all three parts of the triangle will be present in order for fraud to occur. While the fraud triangle is subject to some debate, it can be used as an overview for understanding why fraud occurs.

Each Leg Explained

Pressure - Generally constitutes a “non-shareable” problem. This problem can be financial, because money is usually the solution. For example, the fraudster steals in order to fix the problem. The problem can also be non-financial. For example, the fraudster steals from the company because they feel they are not paid enough, or out of revenge.

Opportunity – This can be created from witnessing other employees’ behavior, a known lack of internal controls within the company, or from the knowledge that the fraudster is in a position that could violate the trust of the company. An employee usually needs technical skills to commit the offense (e.g. familiarity with the accounting system).

Rationalization – This takes place prior to the fraud being committed and contributes significantly to the motivation. Initially, the fraudster does not consider himself a “criminal.” Thus, there is a need to justify the acts prior to commission. Fraudsters usually rationalize their crimes in three ways: (1) the belief the act is essentially not criminal, (2) the act is justified, or (3) they are part of a general scheme in which they were not completely culpable.

Presentation Notes:
Pressure - A person losing $50 at the race track may be a problem, but it is not always a non-shareable problem. If the person tells his friends about the loss, it would not be a secret. By contrast, a successful small business that starts to fail could constitute a non-shareable problem because the owner does not want to accept the failure or does not want to tell his family.

Opportunity - A CFO at a company generally has wide-ranging discretion regarding the company’s financial books and records. If the CFO notices the CEO using company funds for personal use on a regular basis, this would provide the knowledge needed to identify the opportunity. The CFO’s technical skill would make it possible for fraud to occur (e.g. embezzlement) by altering the books and records with the intention to hide the act.

Rationalization - Consider the prior example of the CFO who embezzled funds. He reasoned that because the CEO uses funds for personal expenses, it is ok for him to benefit from the company as well.

Albrecht Study

Dr. Steve Albrecht, Keith R. Howe and Marshall B. Romney conducted an analysis of 200+ frauds in the early 1980s and then released a book titled Deterring Fraud: The Internal Auditor’s Perspective. The book presented a list of the top 10 traits of fraudsters and the top 10 traits of organizational environments that were present in the study. While the list is not meant to be all-inclusive, the findings provide insight into why people commit the acts and the deficiencies present at the organizations in which they are committed.

Traits of a Fraudster

Top Ten traits of a Fraudster
1) Living beyond their means
2) An overwhelming desire for personal gain
3) High personal debt
4) A close association with customers (e.g. family, friends)
5) Feeling pay was not commensurate with responsibility
6) A “wheeler-dealer” attitude
7) Strong challenge to “beat the system”
8) Excessive gambling habits
9) Undue family or peer pressure
10) No recognition for job performance

Presentation Notes:
Note how these factors would be included within the “pressure” or “rationalization” legs of Cressey’s fraud triangle. An example of #5 is the employee who feels that he is not paid enough compared to what he does. His stealing from the company is rationalized by his belief that he earned the money. An example of #9 would be the child whose parents are very successful but who is struggling to keep up with their success. He may commit fraud to show his parents how successful he is so they will be proud of him.

Organizational Traits

Top Ten traits of organizations that enable fraud:
1) Placing too much trust in key employees
2) Lack of proper procedures for authorization of transactions
3) Inadequate disclosure of personal investments/incomes
4) No separation of authorization of transactions from the custody of related assets
5) Lack of independent checks on performance
6) Inadequate attention to details
7) No separation of custody of assets from the accounting of those assets
8) No separation of duties between accounting functions
9) Lack of clear lines of authority and responsibility
10) Department is not frequently reviewed by internal auditors

Presentation Notes:
Note how these factors would be included within the “opportunity” leg of Cressey’s fraud triangle. An example of #2 would be an employee who is both authorized to cut checks and use the machine that signs them. What would stop the employee from cutting a check to himself, a friend, or a fake business, and then signing it?

Why Fraud Occurs: Management’s Role

One of the key factors in why fraud occurs is a lack of a unified message by a company’s senior management. This can lead to deficiencies that actually enable and perpetuate fraud.

It is important that management communicate their message to the employees to ensure that everyone understands the “tone at the top.”

Effective means of communication are:
1) Training
2) Initial and annual certification by employees
3) Establishing policies and procedures
4) Providing resources where employees can locate the tone of management (e.g. an intranet site, procedures, handbooks)

Presentation Notes:
Effectively communicating management’s stance on fraud is as important as establishing policies and procedures. Making employees aware that management takes fraud seriously and that there are controls in place to prevent fraud acts as a strong deterrent when employees attempt to rationalize their behavior.

Fraud Prevention - Awareness

Fraud prevention is essential in managing risk within an organization. Methods exist that are easy to implement and will assist an organization in limiting liability of loss from fraud. Some of these methods will be discussed in this presentation.

One of the most effective fraud prevention techniques is to make employees aware of fraud and the company’s efforts to detect and prevent fraud. Organizations should make it known that they monitor for fraud in order to ensure that employees and management are aware of the fact that someone is watching.

Presentation Notes:
Consider if you were driving and you knew that it would be impossible for the police to monitor the speed limit. Would that create an environment where speeding may be done more often? Of course. Now consider that signs are posted along the highway stating “Speeding monitored by Video/Radar.” This would create less speeding (note I did not say all speeding, as some people will always break the rules). Nevertheless, if your employees know that the organization uses methods to detect fraud, they will be less likely to commit fraud.

Fraud Prevention - Awareness

Training

Training employees about fraud is also important to create awareness. Training can be done internally or externally. New technologies also provide for training via web or phone.

What is essential to any training plan is that it is consistently carried out. Give employees ample time to schedule required training and inform them of penalties for non-compliance. Many vendors provide training and offer programs to implement on an enterprise-wide scale.

It is important to customize any training to your firm for it to be effective. “Cookie cutter” programs, while informational, can often prove to be ineffective.

Presentation Notes:
Consistently carried out means for all employees, not just some.

Fraud Prevention – Internal Controls

Often touted as one of the most important aspects of a fraud prevention program, the separation of duties is essential in reducing fraud within any organization. Each of the following duties should ideally be segregated:

- Cash receipts and cash counts
- Bank deposits and deposit receipt reconciliation
- Bank reconciliations and posting of deposits/cash
- Purchasing and vendor payment functions
- Payroll preparation and disbursement
- Safeguarding of assets and disbursement of assets

Presentation Notes:
A general rule of thumb is to consider whether you would need one or two people to commit the fraud given the duties. If it is only one, then it is a good idea to separate these duties.
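
One way to apply this rule of thumb to access data, as an added example that is not part of the original presentation. The incompatible pairs come from the list above; the role names, employees and role-to-duty mapping are constructed for illustration. It goes slightly beyond the slide by deriving each person's duties from their roles, so a conflict created only by a combination of roles is still reported.

```python
# Incompatible duty pairs, taken from the segregation list above.
INCOMPATIBLE_PAIRS = [
    ("cash receipts", "cash counts"),
    ("bank deposits", "deposit receipt reconciliation"),
    ("bank reconciliations", "posting of deposits/cash"),
    ("purchasing", "vendor payment"),
    ("payroll preparation", "payroll disbursement"),
    ("safeguarding of assets", "disbursement of assets"),
]

# Constructed sample data (hypothetical roles and employees).
ROLE_DUTIES = {
    "ap_clerk": {"vendor payment"},
    "buyer": {"purchasing"},
    "cashier": {"cash receipts"},
    "treasury": {"bank deposits", "bank reconciliations"},
    "bookkeeper": {"posting of deposits/cash", "deposit receipt reconciliation"},
    "payroll_admin": {"payroll preparation", "payroll disbursement"},
}
EMPLOYEE_ROLES = {
    "alice": ["buyer"],
    "bob": ["ap_clerk", "buyer"],      # each role is fine alone, the pair is not
    "carol": ["payroll_admin"],        # one role already bundles both duties
    "dave": ["cashier", "treasury"],
    "erin": ["treasury", "bookkeeper"],
}


def effective_duties(roles, role_duties):
    """Map each duty a person holds to the set of roles that grant it."""
    granted = {}
    for role in roles:
        if role not in role_duties:
            raise ValueError(f"unknown role: {role}")
        for duty in role_duties[role]:
            granted.setdefault(duty, set()).add(role)
    return granted


def find_conflicts(employee_roles, role_duties, pairs=INCOMPATIBLE_PAIRS):
    """Report every person who alone holds both halves of an incompatible pair."""
    findings = []
    for employee in sorted(employee_roles):
        granted = effective_duties(employee_roles[employee], role_duties)
        for duty_a, duty_b in pairs:
            if duty_a in granted and duty_b in granted:
                findings.append({
                    "employee": employee,
                    "duties": (duty_a, duty_b),
                    # Roles to review when deciding which duty to reassign.
                    "via_roles": sorted(granted[duty_a] | granted[duty_b]),
                })
    return findings


if __name__ == "__main__":
    for finding in find_conflicts(EMPLOYEE_ROLES, ROLE_DUTIES):
        print(finding)
```
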

Fraud Prevention – Internal Controls

Section 404 of the Sarbanes-Oxley (“SOX”) Act requires a company’s internal controls to ensure that all transactions reflect the financial position of the firm. While some entities may not be held to SOX, the tenet of clear financial reporting is a good goal. This can be done by:

- Ensuring that each transaction is authorized by an employee
- Ensuring each transaction is reported to the company and no “off book” transactions occur
- Ensuring that each transaction is accurately recorded in the company’s books and records

Fraud Prevention – Risk Analysis

An organization has an obligation to identify risk as it pertains to every facet of its business. When identifying risk, seek out the experts in each department of the organization and ask them what risks they see in their respective area of the business. It is important to quantify risk in terms of probability and its effect on the business. Some organizations use a numbered scale or tier risks based on how effectively they can be mitigated.

Presentation Notes:
When seeking out experts in each department, some key questions to ask are: What risks do you see? Do you feel you have adequate resources to do your job? What kinds of training would you like to help do your job better? Try to ask these questions with assurance to the person that their job or department is not on the line. Another important thing to ask is if the manager feels “stretched” or whether they have adequate resources to do their job.

Fraud Prevention – Risk Analysis

Risk Matrix:

Consequence (columns): Negligible, Marginal, Critical, Catastrophic
Probability (rows): Certain, Possible, Unlikely, Rare

From this example an organization can categorize risks into probability and consequence. Once that has been done the risk will then be classified on a scale of red, yellow, or green. Green being a risk the firm is willing to take (or mitigate) and red being something that should be addressed immediately.

Presentation Notes:
Examples:
- Rare/Catastrophic – terror attack
- Possible/Marginal – power outage
- Certain/Negligible – employee out sick

Mention black swan events briefly

Fraud Prevention – Risk Analysis

Senior management should conduct risk analysis at least annually to ensure that any potential new risk is addressed. Once the analysis is completed, steps should be taken to mitigate risk. Assigning key employees to “own” the risk of their department will help guarantee that preventative steps are being taken. Remember to document the process from beginning to end, as an effective audit trail will provide very useful evidence to auditors and examiners.

Presentation Notes:
This is also important to do for new products or technologies taken on by the firm. New products should be evaluated more than once a year to ensure that all risks are identified.

Fraud Prevention Methods - Hotline

Having a “fraud hotline” is an excellent and inexpensive way to prevent fraud within your organization. Inform employees, vendors, customers, and possibly the public of its existence. The Association of Certified Fraud Examiners 2008 Report to the Nation noted that 46% of frauds were uncovered from tips received from employees, customers, vendors, and other sources. The cost of implementing a fraud hotline is generally minimal compared to the amount that could potentially be saved.

It is important to create procedures for investigating tips received. Make sure that a formal process is in place if a tip needs to be escalated to the organization’s audit committee or senior management.

Presentation Notes:
Ethicsline is a company that offers this product.

Fraud Prevention Methods - Technology

Numerous vendors provide software to assist organizations in managing risk and fraud. Software can be a powerful tool in today’s digital age and can produce real results when implemented. Consider using software to monitor:
- Internal/external communications (e.g. email)
- The organization’s banking transactions
- Employees’ personal trading accounts to avoid possible insider trading liability
- Conduct background checks and due diligence on employees/vendors

Fraud Prevention Methods – Audit

Conducting audits is the only way to interact with employees, review actual documents, and let employees know the organization is proactive in fighting fraud. Use templates or checklists to ensure consistent methods are being used across the organization.

Utilize sampling to avoid “over reviewing” while onsite.

Focus on the most risk-intensive activities of the firm.

Fraud Detection

Fraud detection techniques vary across industries and can be very complex. However, some types of detection techniques are universal and apply to almost every organization. This section will provide “high level” fraud detection techniques that are simple to implement and can possibly uncover fraud.

Fraud is an unfortunate reality in today’s business world. The Association of Certified Fraud Examiners (ACFE) 2008 Report to the Nation estimated that U.S. organizations lose as much as 7% of their annual revenue to fraud. Fraud is committed against organizations both internally and externally.

Internal Fraud Detection Techniques

Conducting a vendor analysis:

An easy way to spot fraud committed by internal employees is to cross-reference the addresses of the company’s vendors with the home addresses of the employees.

Any match should be closely scrutinized to ensure that a legitimate reason exists.

Presentation Notes:
The ACFE 2008 Report to the Nation noted that fraudulent billing schemes occurred in 24% of the frauds reported. A simple check of your vendors’ addresses against your employees’ addresses could help you avoid this type of problem.
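
A sketch of the vendor analysis described above, added here as an example and not taken from the presentation. Addresses are normalized before comparison so that formatting differences do not hide a match; the records, field names and abbreviation table are constructed assumptions.

```python
import re

# Common spellings folded to one form (illustrative table, not exhaustive).
ABBREVIATIONS = {
    "STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR",
    "BOULEVARD": "BLVD", "LANE": "LN", "COURT": "CT",
    "NORTH": "N", "SOUTH": "S", "EAST": "E", "WEST": "W",
}
# Everything from a unit marker onward is ignored, so two units in the same
# building match. That is deliberate: a reviewer decides if it is legitimate.
UNIT_MARKERS = {"APT", "APARTMENT", "UNIT", "SUITE", "STE", "#"}


def normalize_address(street, zip_code):
    """Return a comparison key (street_key, zip5), or None if unusable."""
    text = street.upper().replace("#", " # ")
    text = re.sub(r"[^A-Z0-9# ]", " ", text)        # drop punctuation
    tokens = []
    for word in text.split():
        if word in UNIT_MARKERS:
            break
        tokens.append(ABBREVIATIONS.get(word, word))
    zip5 = re.sub(r"\D", "", zip_code)[:5]           # ZIP+4 -> 5 digits
    if not tokens or len(zip5) < 5:
        return None                                  # never match on blanks
    # Joining without spaces makes "LAKE SHORE" equal "LAKESHORE".
    return ("".join(tokens), zip5)


def cross_reference(vendors, employees):
    """Return sorted (vendor_id, employee_id) pairs sharing an address key."""
    by_address = {}
    for emp in employees:
        key = normalize_address(emp["street"], emp["zip"])
        if key is not None:
            by_address.setdefault(key, []).append(emp["id"])
    matches = []
    for vendor in vendors:
        key = normalize_address(vendor["street"], vendor["zip"])
        for emp_id in by_address.get(key, []):
            matches.append((vendor["id"], emp_id))
    return sorted(matches)


# Constructed sample records.
EMPLOYEES = [
    {"id": "E100", "street": "1420 North Oak Street, Apt. 3", "zip": "60614-1234"},
    {"id": "E101", "street": "77 Lake Shore Dr", "zip": "60611"},
    {"id": "E102", "street": "9 Elm Court", "zip": "60010"},
]
VENDORS = [
    {"id": "V1", "street": "500 W Madison St Suite 200", "zip": "60661"},
    {"id": "V2", "street": "1420 N. Oak St #3", "zip": "60614"},
    {"id": "V3", "street": "77 Lakeshore Drive", "zip": "60611"},
    {"id": "V4", "street": "9 Elm Ct", "zip": "60601"},   # same street, other ZIP
]

if __name__ == "__main__":
    for vendor_id, employee_id in cross_reference(VENDORS, EMPLOYEES):
        print(f"review: vendor {vendor_id} shares an address with {employee_id}")
```
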

Internal Fraud Detection Techniques

Reconcile all bank accounts and close dormant accounts:

Companies often only look to the bottom line on bank statements and do not review for outstanding checks or other red flags (such as breaks in check sequence numbers). Also, closing any dormant accounts will prevent an internal employee from misusing the company’s bank relationship to commit fraud.

Presentation Notes:
Members of the accounting department commit 29% of fraud (ACFE 2008 Report). Closing dormant bank accounts and effectively reconciling bank accounts can often uncover any impropriety.
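
The checks named on this slide, as an added example that is not part of the original presentation. The register, statement, account names and the 365-day dormancy threshold are constructed assumptions, and the amount comparison and "cleared but not in the register" check are additions under the slide's "other red flags."

```python
from datetime import date


def sequence_breaks(check_numbers):
    """Check numbers missing between the lowest and highest number seen."""
    present = set(check_numbers)
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def reconcile(register, statement):
    """Compare the check register (books) with the bank statement.

    register:  {check_number: amount_in_cents} as recorded by the company
    statement: [(check_number, amount_in_cents)] as cleared by the bank
    """
    cleared = dict(statement)
    issued_numbers, cleared_numbers = set(register), set(cleared)
    return {
        # Gaps in the company's own numbering.
        "sequence_breaks": sequence_breaks(register),
        # Issued but not yet paid by the bank.
        "outstanding": sorted(issued_numbers - cleared_numbers),
        # Paid by the bank but never recorded in the books.
        "cleared_not_in_register": sorted(cleared_numbers - issued_numbers),
        # Paid for a different amount than was recorded.
        "amount_mismatch": sorted(
            (n, register[n], cleared[n])
            for n in issued_numbers & cleared_numbers
            if register[n] != cleared[n]
        ),
    }


def dormant_accounts(last_activity, as_of, max_idle_days=365):
    """Accounts with no activity for more than max_idle_days (assumed threshold)."""
    return sorted(
        name for name, last in last_activity.items()
        if (as_of - last).days > max_idle_days
    )


# Constructed sample data. Amounts are integer cents to avoid float rounding.
REGISTER = {1001: 25000, 1002: 120000, 1003: 7550, 1005: 98000, 1006: 43000}
STATEMENT = [(1001, 25000), (1002, 120000), (1004, 500000), (1005, 198000)]
LAST_ACTIVITY = {
    "operating": date(2010, 3, 28),
    "payroll": date(2010, 3, 15),
    "old-escrow": date(2008, 11, 2),
}
AS_OF = date(2010, 4, 1)

if __name__ == "__main__":
    for flag, items in reconcile(REGISTER, STATEMENT).items():
        print(flag, items)
    print("dormant", dormant_accounts(LAST_ACTIVITY, AS_OF))
```

In the sample, check 1004 is both a break in the register sequence and a check the bank paid, which is the combination a bottom-line review of the statement would miss.
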

Internal Fraud Detection Techniques

Mandatory vacations:

While this method seems rather odd, it can often provide very useful insight into an employee’s job functions and could uncover any improprieties the employee is attempting to conceal.

It is important to do the employee’s job in their absence, as this will most likely uncover any impropriety.

Presentation Notes:
This must apply to every employee in order for it to be effective. A minimum of one week is recommended.

External Fraud Detection Techniques

Conducting due diligence on every vendor, business partner, and third party that is associated with your company.

Oftentimes companies conduct background checks on their employees but fail to do any due diligence on their vendors or associated parties. Due diligence can uncover financial hardships, regulatory problems, or even criminal activity. The level of due diligence should be commensurate with the activity.

Presentation Notes:
The level of due diligence should be commensurate with the activity (e.g. asking for financials of the company you order office supplies from may be a bit overboard. But if the vendor supplies your firm’s accounting software it may be right on target!).

External Fraud Detection Techniques

Know your customer: While this may also be a regulatory requirement for your company, using certain methods can often detect fraud being committed against your organization.

Common red flags are: customer residence outside of the company’s area, the customer’s actions are inconsistent with the objectives of the account, and large cash deposits/withdrawals without any explanation.

External Fraud Detection Techniques

Implement controls to prevent social engineering. Social engineering is the act of manipulating people into performing acts or divulging confidential information. The fraudster is usually looking to obtain confidential or proprietary information about the company.

Implementing controls to report this type of activity can assist an organization in detecting whether they have fallen victim to this often-used method of fraud.

Controls/Policies to implement include: document destruction, provision of data access, user ID and password management, visitor access, and use of mobile computers outside the company.

Presentation Notes:
There are five major attack vectors that a social engineering hacker uses:
- Online
- Telephone
- Waste management
- Personal approaches
- Reverse social engineering

Develop a security management framework. You must define a set of social engineering security goals and staff members who are responsible for the delivery of these goals.

Undertake risk management assessments. Similar threats do not present the same level of risk to different companies. You must review each of the social engineering threats and rationalize the danger that each presents to your organization.

Implement social engineering defenses within your security policy. Develop a written set of policies and procedures that stipulate how your staff should manage situations that may be social engineering attacks. This step assumes the existence of a security policy, outside the threat presented by social engineering. If you do not currently have a security policy, then you need to develop one. The elements identified by your social engineering risk assessment will get you started, but you will need to look at other potential threats.

- Policy for visitor management
- Dumpster management guidelines

Fraud Detection – Uncover Red Flags

Fraud detection is a method of uncovering red flags. A red flag is an outlier during the normal course of business that could suggest that a problem exists. There are four basic methods of uncovering red flags that can be used at almost every organization:

1) Surprise audits
2) Use of exception reports
3) Complaints by clients/vendors
4) Financial analysis

Fraud Detection – Surprise Audits

A surprise audit is one of the most powerful weapons to detect fraud. The surprise visit can catch the fraudster off guard, whereas an announced visit gives a person time to conceal, or even destroy, important evidence. Some important tips to remember when conducting a surprise audit:
- May take longer
- Ensure office will be staffed/open
- Bring list of items to review
- Try not to be adversarial

Presentation Notes:
1) It will almost certainly take more time, as the person/office being visited does not have time to prepare.
2) If possible, make sure the person/office visited will be open and employees will be working that day.
3) Bring a specific list of documents you want to review and accompany the employee when they are retrieving them. This will avoid the risk of fabrication.
4) Try not to be adversarial. In many instances, you and the employee/office visited work for the same company.
5) Finally, unless the visit is due to a specific incident, inform the employee that surprise visits are just part of routine procedure.

Fraud Detection – Exception Reports

Whether from a bank, clearing firm, accounting system, trust provider, or internal system, exception reports play an important role in the detection of fraud.

They can also demonstrate to outside auditors that your organization takes a proactive approach to mitigating risk. In many cases, the exception report provider can even customize the process to find red flags that are unique to your business.

If a report is redundant, it can also be changed to reflect real outliers and not flag every transaction. Contact your counterparties to inquire about the exception reports available to you.

Fraud Detection - Complaints by clients/vendors

Having proper procedures in place for the reporting and reviewing of customer/vendor complaints is essential. Complaints assist in the detection of fraud because they uncover red flags that might go unnoticed. Important questions to ask yourself about your organization:

- Does your organization give customers/vendors the proper means to report complaints? Does it inform them of where they can report a tip? (e.g. 800 number or email)
- What are the procedures for collecting and reviewing complaints?
- Do you have training to help employees identify complaints?

Complaints often are responsible for uncovering some of the biggest frauds in history.

Presentation Notes:
The ACFE 2008 Report to the Nation noted that 46.2% of fraud cases uncovered were found via a tip (p. 18).

Fraud Detection – Financial Analysis

There are two common types of financial analysis used to detect fraud, vertical and horizontal. Vertical analysis measures the relationship between items on the balance sheet, income statement, or cash flow statement using percentages. Horizontal analysis measures the percentage change between financial statement items over a period of time (e.g. month to month).

          Vertical                        Horizontal
Assets    Year 1           Year 2           Change     %
Cash      $1,000    83%    $  750    60%    $ (250)    -25%
A/R       $  200    17%    $  500    40%    $  300     150%
Total     $1,200   100%    $1,250   100%    $   50     4.2%

Presentation Notes:
Examples of frauds that can be detected via this method: skimming, financial statement fraud, expense reimbursement schemes, inventory theft, etc.

Fraud Resources

Assoc. of Certified Fraud Examiners – www.acfe.com

Federal Trade Commission – www.ftc.gov

National Consumer League Fraud Center – www.fraud.org

FBI White Collar Crime - www.fbi.gov/whitecollarcrime.htm

AICPA - http://fvs.aicpa.org/Resources/Antifraud+Forensic+Accounting/

Ethicsline (hotline provider) - http://www.ethicsline.com/

Auditnet - http://www.auditnet.org/

Internet Fraud - http://www.usa.gov/Citizen/Topics/Internet_Fraud.shtml

Questions?