Mary Breslin, CFE, CIA
Recently, I spoke about fraud at the Federal Deposit Insurance Corporation for their investigators. My day was off to a rocky start, as I accidentally burned a big hole in my pink crepe suit jacket while trying to use the steam function on the hotel iron
to rid it of a few wrinkles. Normally I would be traveling for the entire week and would have multiple backup outfits, but not this time. I was trying to stay ahead of bad weather, so I made a mad dash to the Washington, D.C., area and back in 24
hours, and had only brought the one suit.
As long as I don’t fall down on stage (it has sadly happened), I don’t get flummoxed too easily and I figured I could conjure up a “you’ll never believe what happened to me on the way” story and use humor to detract from my unintentional fashion statement.
But once I started my talk, I forgot all about it until my hand accidentally rubbed the now stiff (read: charred) fabric to remind me, and I made a joke about it to the crowd. I told them it is like some frauds — you didn’t notice it until I pointed
it out, and now you can’t un-see it. Many came up to me after and commented that it was true; they hadn’t noticed the gaping hole with the burned outline on my jacket until I mentioned it, and then they couldn’t stop seeing it.
This happens frequently with fraud. We spend a lot of time and effort looking for concealment efforts, but what about the frauds that aren’t actually concealed? What about the frauds that hide in plain sight? As an auditor I spend a lot time looking at
controls and trying to understand how they could be circumvented, and by who, but fraudsters don’t necessarily need to circumvent or conceal their fraud if the environment itself creates the concealment.
Semi-controlled chaos can provide all the concealment a fraudster needs to hide their fraud in plain sight. I speak about the “illusion of controls” and the “timeliness” of controls, and how both can create an opportunity for fraud. But both also create
a naturally occurring concealment as well. Let’s look at timeliness first.
The timeliness of controls
For those of you who have spent time in accounting, think about reconciliations — any type of reconciliation — anything from physical inventories to payroll registers. How many of you ever got behind on your reconciliations? How much more difficult was
it to reconcile the variances after a month went by? Two months? How about six months? It becomes exponentially harder to identify and reconcile the variances as more time goes by. The purpose of a reconciliation is to identify variances and determine
the underlying (root) cause of the problem to correct it and prevent it going forward. What happens when the issue can’t be identified and resolved? Normally, an adjustment is made to the account.
For auditors, think about the last time you sat with someone trying to understand their process and they told you flat out, “Oh, that happens all the time. I just make an adjusting entry.” I bet most of you have experienced that. How many times does an
abnormal activity have to be experienced for it to be considered a normal activity? Surprisingly few. See how that normalized behavior could provide cover for wrongdoing?
Let me give you an example of how unusual, or red flag, behaviors can quickly become “normalized.” Fraud fighters are quick to tell you that something is a red flag when someone inserts themselves in a process in which they don’t belong. For example, the manager
from operations who comes to check on payments for one particular vendor, every month and before payment is due. Fraud fighters know this is a red flag, but let’s look at it from accounts payable’s perspective. The first time he does it, the AP clerk
probably thinks, “Geez, let me do my job; it will get paid on time. Why are you’re here? You don’t check on any other invoices.” The second time they may roll their eyes and provide assurance of it getting paid quickly. The third time they may think,
“Here he comes again. Let me pull up the scheduled payment to placate him.” And after that, every time, even if someone else commented on it, the thought would likely be, “Oh, he always checks on that invoice.” And now, it’s seen as normal and not
unusual or a red flag. Ever witness that in your organization? I have.
The illusion of a control
When is a control not really a control? When it looks good on paper but doesn’t actually do anything. The simplest example of this is review and approval controls. Most of us have experienced the manager who thinks their magic signature equates to a review.
I had a vice president say to me once, “I thought it needing my signature was just a technicality.”
Not all reviews are created equal. To ensure a review is a real review, check with the people whose work is being reviewed — they should be receiving pushback and questions on their work. If they aren’t, there likely isn’t a real review occurring. Over
time they realize their work isn’t being reviewed and that can potentially lead to laziness and sloppiness of work — in other words, errors. Ultimately, it can lead to the opportunity for fraud.
What if all these scenarios — lack of a real review, reconciliations not performed in a timely manner and unusual behavior being normalized — were occurring in the same department? It wouldn’t be that unusual and it would not only create opportunity for
fraud, but it would create a built-in concealment. The illusion of one control, the ineffectiveness due to timeliness of another and the “normalization” of fraudster behavior could provide all the concealment needed to hide a fraud in plain sight.
Fraudsters love these environments of semi-controlled chaos. Sometimes they create them and sometimes they use existing circumstances, but either way, we need to be looking for them.
Once you are aware and looking for these types of environments you will be able to spot them fairly easily. Then they can’t be unseen. Just like the charred hole in my suit jacket.
Until next time, happy fraud fighting.