Developing a strategy to fight fraud


By Andrew Durant, CFE, FCA

Fraud Prevention: The latest techniques 

  

Presented at the ACFE's 15th Annual Fraud Conference
Las Vegas, NV
 

 

Does your organization have a strategy to fight fraud? It's not enough just to detect and investigate fraud, but a well-rounded anti-fraud program will also have taken measures that will prevent fraud. Once this is implemented, everything else will fall into place. Learn how you can develop strategies that will work for you.

 

Introduction 

One of the biggest challenges for the fraud examiner is to persuade management that the risks of fraud cannot be underestimated. Those who have not suffered from fraud previously will be unaware of the risks and costs. Management may simply think in terms of the direct financial costs but need to be encouraged to look further.

These include:

  Consequential loss
  Legal and investigative costs
  Regulatory fines
  Management time
  Increased insurance premiums
  Loss of key staff and customers
  Increased cost of/inability to raise new finance

Fraud can never be eliminated from business entirely, simply because collusion can always overcome normal organizational controls. To combat fraud needs a different and fresh approach that will need to cover all aspects of the fraud cycle:

  Fraud deterrence and prevention
  Fraud detection
  Fraud investigation

As a starting point, I would recommend an approach that includes the following components:

  Establish the right culture
  Establish a whistle-blowing policy
  Identify the risks
  Implement effective controls
  Increase awareness of the risks
  Plan for the worst
  Recruit the right people
  Search for suspicious transactions

Recruitment  

Background
Before a company opens its doors to new employees, managers should stop and ask themselves "Do I really know this person well enough to trust them with my money, confidential information, and above all my reputation?" Many companies believe that their recruitment procedures will deal with this question. However, they should bear in mind that a Mori poll revealed that:
 

  30% of employees admitted to lying while applying for jobs;
  18% of employees think it is necessary to exaggerate on their curriculum vitae;
  34% of managers do not check the background of applicants; and
  36% of organizations state that untruths on CV's cost them significant time and money.

When carrying out investigations, I often find that the suspect has a checkered history, not disclosed during the recruitment process. Time and money spent at this stage can save thousands of dollars in investigation and legal costs when a fraud comes to light.

In the case of Barings Bank, a major fraud case in the UK, Nick Leeson failed to declare County Court Judgments (for outstanding debts) against him and the Securities and Futures Authority turned him down for accreditation. His employer, Barings, failed to detect this and sent him to Singapore where he successfully applied to operate as a trader. The rest is as they say, "history."

Many employers are just as lax when it comes to recruitment of senior staff, including directors. In fact there seems to be an inverse relationship between the seniority of staff and the level of due diligence performed. There is a presumption that a previous employer must have carried out appropriate checks. This should not be assumed.

Organizations should check each new candidate thoroughly. The more senior the position, the more thorough this checking should be. Senior staff has more opportunity to commit fraud as they are in positions of trust and tend to have the ability to authorize payments and approve contracts. They are also more likely to commit frauds that can permanently damage their organization.

Checks should also cover an individual's complete work history. In the case of Mr. Dunlap, the checks did not go back far enough. If they had, they might have uncovered the fact that he "was terminated" after seven weeks by one previous employer and after two years by another. Sunbeam Corp. would then have been able to make an informed decision based on full information.

Apart from a criminal record check, what else should you be doing?
 

  Confirm name and address
  Confirm educational qualifications
  Check membership of professional bodies
  Confirm employment history
  Check financial status
  Confirm directorships held and any disqualifications
  Media and Internet search

On-Going Process 

Vetting is not only for new employees. It should be an on-going process across the whole workforce. For example:
 

  What if an individual commenced employment many years ago when vetting was less rigorous?
  What if an individual's circumstances have changed such that they now find themselves under severe financial pressures?

When staff with more than ten years of service is responsible for one-third of all frauds, you can easily see why it is important to adopt continual vetting procedures.

Based on my experience in fraud investigation, I recommend organizations consider the following Do's and Don'ts as part of their hiring process:

 

Do 
Don't 
Ask all potential employees to complete a detailed application form  Rely only on a curriculum vitae provided by the applicant 
Look for gaps in employment history  Limit checks to, say, the last ten years only 
Request written references and check by telephone  Accept "to whom it may concern" reference letters 
Check all qualifications  Accept copy certificates 
Carry out in-depth due diligence in relation to senior employees  Assume a previous employer has carried out full and proper due diligence 
If possible, obtain details of criminal records  Accept verbal representations at face value 
Carry out checks on temporary and contract staff as well  
. 

Codes of Conduct
Background
Laws were established from the outset of civilization as people will always "push the boundaries." They therefore need to know what those boundaries are.

When carrying out investigations you will sometimes hear, "I didn't know that was wrong - where does it say I cannot do that?" This is why it is so important that a company set out in black and white exactly what is acceptable and what is not acceptable. It is only when companies do this that staff will be put on notice that certain behavior is unacceptable. The key is to prevent the staff that has been recruited from straying from the "straight and narrow."

Aims of the Document
The aim of a corporate policy is to demonstrate to both employees and the outside world that the company is taking the threat of dishonesty, fraud, and theft seriously. By issuing a detailed policy, it clearly sets out what is considered to be dishonest and warns any potential wrongdoers that the consequences of being caught will be serious.

The effect therefore will be to deter any potential wrongdoers thus resulting in reduced losses from any wrongdoing and reduced costs in respect of investigating any wrongdoing.

Contents of the Document 

There should be a general policy statement on ethics and the company's attitude to dishonesty, fraud, and theft. Other matters that should be considered include:
 

  Does the policy make a distinction between fraud committed by employees, suppliers, customers etc.?
  Is the policy communicated to all staff (e.g., when they are recruited, induction training, extranet etc.)?
  Is staff required to confirm that they understand the policy and that they have complied with it in all respects?
  Does the policy make it clear that it applies to all staff including directors?
  Does the policy apply to all subsidiaries, including those abroad?

Definition of Fraud
The policy should include a clear definition of what is regarded as fraud or theft. For example:
 

  Does the policy set out the company's attitude toward client entertaining and gifts and what action needs to be undertaken on receipt of these?
  Does the policy quantify what constitutes fraud or dishonesty? For example, an overstatement of expenses by $1 might not be considered to be fraud, but continuously over-claiming expenses by $1 might be considered dishonest.
  Does the policy distinguish between the seriousness of different offenses?
  Does the policy include a statement in respect to the misstatement of financial statements or destruction of accounting records?
  Does the policy include a statement in respect to conflicts of interest?
  What policies are in place to inform customers/suppliers that a code of conduct is in operation?

Whistleblowing Policy
Background
When appointed to carry out investigations, the first point of call are members of the staff. The reason for this is that they are the "eyes and ears" of a company. They know exactly what frauds are going on and who is doing it. They are an extremely valuable resource that companies are failing to utilize. What makes things worse is that if used properly they could have stopped the fraud much earlier. An even better source of information for the investigator is an ex-employee as they have less to lose by blowing the whistle.

Based on my experience, the following levels of fraud are identified and reported by different groups:
 

 
%
Management
20
Internal auditors
25
Employees
40
External auditor
10
Chance
5


For those current members of staff that do blow the whistle, the consequences can be disastrous. Far from being hailed as corporate heroes and saving the business from potential financial ruin, my recent experience is that three out of four whistleblowers are sidelined or their careers blighted by their honest actions.

In one case, a whistleblower alleged that a number of long-term members of staff had colluded over a number of years to de-fraud their employer of hundreds of thousands of dollars. The whistleblower was a relatively new member of staff and had discovered what appeared to be, in fact, an open secret. She brought the matters to the attention of management who reluctantly initiated an investigation. However, management only wanted a covert investigation to take place and would not authorize staff interviews or allow investigators to be present on-site. This and the fact that there was a "culture of fear" within the company meant that it was very difficult to obtain any evidence. However, the whistleblower continued to provide information to management who passed on some to the investigators. Eventually, management decided to cease the investigation on the basis that it was not producing any conclusive results.

Many publicized cases from recent times that have highlighted how whistleblowers are ostracized, bullied, demoted, over-looked for promotion, or treated so badly their jobs become untenable.

The current economic climate has another effect as well. Whether it is true or not, staff are under the perception that jobs are at risk. The newspapers carry stories every day about company redundancy programs, cut backs, falling profits, and closures. This leads to a fear factor among employees that leads to a belief that they will increase the likelihood of losing their jobs if they stick their head above the parapet.

If they still feel that they have to say something, employees will do this anonymously. Although this is better then nothing, it can mean that companies go on "a wild goose chase." In many of the cases where I have investigated anonymous allegations, the whistleblowers had good intentions but some of the allegations have been partially or totally incorrect. If the company had been able to speak to them, the whistleblowers would have been asked further questions. This would have resulted in more accurate information about the allegations already raised, eliminated other allegations, and identified new areas that needed investigation.

Employers should be encouraging whistleblowers to come forward as the quicker a business can spot fraud, the better. Not only does early detection diminish the damage to a firm's reputation, but it wastes less of management's time, and ultimately costs the business less.

This is why having a robust whistleblowing policy in place is good practice. Having such a policy might also discourage potential whistleblowers from approaching the press as a first resort. In addition, businesses need to engender a culture in which employees believe their concerns will be taken seriously, and that the protection afforded by the law and policies is real.

Therefore, it is imperative that all companies should set up a "whistleblowing" policy to ensure that all complaints are seriously investigated and consider the way whistleblowers are rewarded.

Increase Awareness of Risks
Fraud examiners have a wealth of experience that has been obtained through investigation. One of the positive steps that they can take is to pass this experience back to company management and staff through an education process.

Most employees and management will be unaware of the risks faced by their organization. Without knowing what the risks are, they will be unable to take corrective action.

Based on my experience, small and medium sized companies are the most at risk. The reasons for this are as follows:

  These companies are often owner managed businesses and therefore the shareholders/directors believe that they are close enough to the business to identify fraud if it happens.
  Shareholders/directors have also been involved in the recruitment process and therefore trust the people who work for them.
  The businesses are relatively small and therefore there is inadequate segregation of duties (see below).
  The businesses tend not to have internal audit functions, etc.

The methods that the fraud examiner can take to increase awareness of the risks faced by companies include:

  Lectures to management and staff on general fraud. awareness
  Presentation of case studies.
  Use of the company intranet.
  Articles in company magazines.

Implement Controls
Once a fraud examiner has carried out the above steps, he will then be in a position to implement specific controls to prevent fraud. If the right candidates have been recruited, the company has an effective code of conduct and whistleblowing process, the need for effective controls will be less urgent. The opposite is true if the company has not recruited the right candidates or established a code of conduct and whistleblowing policy. In fact, without having dealt with the issues referred to above, a company will find that implementing effective controls may not have the desired effect as staff will work out how to defeat these controls.

The fraud examiner will first want to identify the high-risk areas. This can be achieved through a workshop attended by management and staff from different areas of the business (e.g., accounting, warehouse, operations, marketing etc). Each will have a different perspective that may be counter to another attendees' perspective.

Having identified the risk areas (e.g. procurement of IT equipment etc.), the fraud examiner will want to review the following:

  Lack of segregation of duties
  Lack of physical safeguards
  Lack of independent checks
  Lack of authorization
  Overriding of existing controls
  Ineffectiveness of existing controls
  Inadequacy of the accounting system

Data Mining
Background
Data is a fundamental element in any organization's ability to manage its business; it is collected from a wide variety of sources, stored on many different systems, and is regularly used for marketing and sales activities. However, the use of this data in fraud detection is frequently overlooked.

The likelihood of identifying potentially fraudulent activity can be significantly enhanced through the regular application of data mining tools and techniques, although these are not foolproof and must be run in conjunction with other activities designed to reduce the threat of fraud.

Technology as a Tool
People commit frauds, but as technology plays an increasingly important role in business life, the fraudster often leaves warning signals of his activity in an organization's systems.

Each transaction will leave a trail. Increasingly, in order to enhance the way an organization does business, databases have been developed to store huge amounts of transactional and standing data from accounting, sales, purchasing, and payroll functions. This is used for marketing, forecasting, and reporting but rarely for detecting and predicting fraud.

Also, my experience has shown that this data can be a key factor in developing and implementing a fraud risk management strategy.

Use of Spreadsheets
Data mining in its simplest form may take the form of a "sorted" Excel spreadsheet where the fraud examiner is trying to identify the largest suppliers or customers. A further development of this is to track expenditure with the largest suppliers over time. This can be achieved using pivot tables in Excel followed by the charting function.

In the following example, a supplier named "Sundry Payments" was identified. Charting expenditure over time identified a single payment of over £1.3million to this supplier. Further investigation showed that it had been paid to a fictitious company.

307_chart.GIF

Use of Databases
The next stage in data mining is the use of databases to run complex queries. Microsoft Access is an extremely powerful tool which many fraud examiners will be able to use. More complex databases include ACL and WinIdea. These may require specialist knowledge. However, they can analyze large amounts of data and produce complex queries that can be automated.

In the following example, a series of transactions just below $50,000 were identified which happened to coincide with the authorization limit for the company.

307_chart_2.GIF  

Databases can also be used to identify suspicious transactions around points in time.

In the following example, a series of supplier transactions were analyzed and showed transactions being processed over the weekend. This client did not open its offices on Saturday and Sunday.

307_chart_3.GIF  

Fraud Response Plan
Introduction
When fraud comes to light, the actions taken in the first few hours, days, or weeks will be key in limiting the damage that is done to the company. It is no good "making it up as you go along" and "proper planning prevents poor performance."

The plan should identify at least one individual to whom fraud or suspicion of fraud should be reported. Those concerned should then receive proper training and guidance on what to do once the fraud has been reported.

These individuals should always be contactable (i.e., 24/7) as a fraud can come to light at anytime. Employees will need to know whom to contact and how to contact them. Also, many frauds are now conducted on an international scale and company operations may be carried out abroad. In a move to make businesses efficient, multi-shifts means there is 24-hour production in some businesses.

The individuals chosen to sit on the fraud response team will need to have appropriate seniority and independence - they should not be in a position where a conflict of interest could arise.

After the initial report of fraud, the company may consider creating a larger group that would be responsible for managing the investigation or other response. If this is the case, then plans will have to be put into place to contact the other members of the group to discuss next steps. The plan should therefore consider:

  What constitutes a fraud which requires the attention of the larger group?
  Who makes the decision as to whether the larger group should be consulted?
  When should the group meet and report by?

Powers of the Group
The powers of the group should be set out in writing so that it is clear they have the power to act. The powers should be sufficient to ensure that they can carry out their role without hindrance or delay, both internally or externally. The group may need to consult the board of directors and should have the ability to do so directly.

Responsibilities of the Group
The outcome of an investigation may vary depending on the size of the fraud, whom was involved, or how it was perpetrated. The group will therefore have to make an initial assessment as to what action would be desirable. The group will have to take action to:

  Suspend or dismiss the persons involved
  Prevent further losses
  Recovery of any losses incurred
  Pursue criminal action

The group may also have to consider what should be communicated and to whom. It will be almost impossible to keep the details of the fraud from other members of staff. Once staff becomes aware of the fraud, it will then spread to the press, investors, unions, customers, suppliers, and investors. Therefore, the group will have to determine:

  Whether the PR department has been briefed on how to respond to press enquiries.
  At what stage investors will be informed.
  Whether unions should be regularly briefed.
  How suppliers will be informed if one of their employees is involved.

If the company has insurance coverage, the insurance company will need to be informed at an early stage to ensure that coverage applies and that, if it wishes, it can involve its own professional advisors in the investigation process.

Whom to Contact for Assistance
At some stage during the investigation process, it is likely that outside assistance will be required. At the lowest level, this may be a locksmith who is required to change office locks on a Sunday night. Details of any individual or entity that is likely to be able to assist should be obtained before it is required - this includes contact details out of normal working hours.

Contact with the Police
Companies have historically wanted to avoid informing the police as they are afraid of any adverse publicity. Once reported to the police, directors believe that they will lose control of the investigation. This may have been true in the past but the police are now better equipped to investigate fraud.

There are also positive aspects to reporting fraud to the police. It sends a very strong sign to the workforce and can act as a strong deterrent to any potential fraudsters. If they think that the company will prosecute them, they could then lose everything else, including family and friends.

The company will therefore have to determine what its attitude toward reporting offenses to the police is. It will have to separately establish its obligations in relation to regulators.

Andrew Durant is the partner in charge of BDO Stoy Hayward's Fraud Investigation and Recovery Services Team. Prior to joining BDO Stoy Hayward he was a partner at a Big 5 accounting firm where he was recruited to help establish their fraud investigations group.

Mr. Durant has extensive experience of conducting investigations in many industries including banking, retail, entertainment, food and drink, transport and engineering. He has also conducted investigations on behalf of the Bank of England, the Department of Trade and Industry, the European Commission and the Bahrain Monetary. Many of the frauds have had international aspects and led him to investigations in Africa, the Middle East, the United States and Continental Europe.

He is used to working closely with senior directors, internal auditors, legal advisors and prosecuting authorities in order to affect both criminal and civil proceedings.

Andrew Durant is a member of the Investigation, Prosecution and Law Reform working party of the Institute of Chartered Accountants in England and Wales' Fraud Advisory Panel. He is also a Certified Fraud Examiner.

Numerous of his articles on fraud investigation and prevention have been published and he has also lectured widely on fraud related subjects.




An error has occurred. Please verify that your web.config is correct and that you have granted sufficient database permissions. Below is the captured exception:
System.NullReferenceException: Object reference not set to an instance of an object. at Ektron.Cms.Controls.SocialBar.ReadAll() at Ektron.Cms.Controls.SocialBar.Fill() at Ektron.Cms.Controls.SocialBar.RenderContents(HtmlTextWriter writer)


 Your Rating:
Your Review:
  
Reviews
 
By Anonymous
 
By Nkateko
 
By Anonymous
 
By Harun