Recognition of the Anti-Fraud Profession, Part 2

Pressed by heightened fraud awareness, the global business world is defining the differences between the fraud examiner and internal roles. Learn the distinctions plus the role and the necessary core knowledge of the anti-fraud professional.

George, the CEO of a medium-sized manufacturer, learned the importance of having anti-fraud professionals on his staff when two Certified Fraud Examiners successfully conducted an investigation of an internal kickback case. George is also learning how the emerging anti-fraud profession is becoming a distinct discipline.¹ 

AUDIT AND FRAUD EXAMINATION 

Under COSO's Enterprise Risk Management Framework, internal auditors have no responsibility for detecting fraud and investigating cases but are required to give independent assurance on the effectiveness of the processes put in place by management to manage the risk of fraud. Any additional activities carried out by internal auditors should be in the context of, and not prejudicial to, this primary role. Internal auditors should:

• Investigate the causes of fraud
• Review fraud prevention controls and detection processes put in place by management
• Make recommendations to improve those processes
• Advise the audit committee on what, if any, legal advice should be sought if a criminal investigation is to proceed
• Bring in any special knowledge and skills to assist in fraud investigations or leading investigations where appropriate and requested by management
• Liaise with the investigation team
• Respond to whistle-blowers
• Consider fraud risk in every audit
• Have sufficient knowledge to identify the indicators of fraud
• facilitate corporate learning² 

The role of the internal auditor isn't diminished but shifted to evaluate the controls. The role of the CFE, therefore, is to perform all fraud-related tasks except for evaluating the systems set and activities performed.

However, in this evolving role, as stated in the Institute of Internal Auditor's Standards for the Professional Practice of Internal Auditing, "the internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud." Internal auditors evaluate fraud risk and internal controls and report on their findings. They should work in conjunction with an entity's anti-fraud professionals for follow-up to fraud risks that are identified.

As stated in the 2002 Management Antifraud Programs and Controls Report (issued jointly by the ACFE, AICPA, IIA, et.al.), internal auditors should determine if:

• The organizational environment fosters control consciousness
• Realistic organizational goals and objectives are set
• Written policies (such as a code of conduct) exist that describe prohibited activities and the action required whenever violations are discovered
  appropriate authorization policies for transactions are established and maintained
• Policies, practices, procedures, reports, and other mechanisms are developed to monitor activities and safeguard assets, particularly in high-risk areas
• Communication channels provide management with adequate and reliable information
• Recommendations need to be made for the establishment or enhancement of cost-effective controls to deter fraud
   

MANAGEMENT OF ANTI-FRAUD PROGRAMS AND CONTROLS 

For illustrative purposes, a thorough examination of a company's organization to identify fraud risk might entail assessing the organization, its people, operating and reporting controls, physical assets/computer security, and special techniques such as brainstorming sessions as described in SAS 99.³  

ROLE OF THE ANTI-FRAUD PROFESSIONAL 

Management often asks anti-fraud professionals to perform qualitative risk analyses. Here are five standard components:⁴ 

Identification of Assets to Protect
In the internal fraud risk assessment, the assets to identify would be such items as currency, checks, credit, inventory, equipment, etc. Prioritize each asset based on its criticality to the entity. Obviously, depending on the type of business, the list of assets and an asset's criticality rating will vary. For example, currency will be a critical asset to a food market but might not be listed on a manufacturing company's critical asset list.

Identification of Threats to the Assets
Threats to the financial assets of an organization are the fraud schemes or acts perpetrated to steal or abuse those assets. The most common internal fraud schemes are cash skimming, cash larceny, misappropriation of inventory and equipment, check tampering, purchasing and billing, payroll, expense, conflicts of interest, corruption, and financial statement fraud.

Determination of Probability of Occurrence
Experience has shown that determining the probability of the occurrence of a loss event can be more of an art than a science. The anti-fraud professional must:

• Assess the likelihood of fraud in the entity based on the internal controls environment, the resources to address fraud, the management support of fraud prevention efforts, and the organization's ethical standards
• Gather all available empirical evidence of organization fraud such as prior reports of fraud incidents, unexplained losses, previous audit findings, and customer or vendor complaints
• Gather information available from other organizations of similar size and industry about losses from internal fraud
• Research information from fraud surveys such as the ACFE's 2006 "Report to the Nation on Occupational Fraud and Abuse."

Determination of Impact of Loss
The anti-fraud professional will use the same gathered information to identify the probability of occurrence. Also, information such as the financial condition of the organization, value of the assets, criticality of the assets to the organization, and revenue produced by the assets will be needed. Determine if the loss will have a material effect on the organization's financial statement.

Once the anti-fraud professional gathers the necessary information to identify the assets to be protected, the threats to those assets, the probability of a loss event from those threats, and the impact of a loss event to the organization, it's time to assess the controls and prevention measures in place to protect the assets.

Fraud Prevention
Preventative measures are different from controls. They're intended to prevent fraud before it occurs. Control measures are intended to not only prevent but also detect and deter fraud if it does occur. Both preventative and control measures are important in reducing the opportunity for fraud and increasing the important "perception of detection" among employees.

The assessment of preventative and control measures requires a thorough review of the accounting policies and procedures; fraud-related policies and procedures; interviews with management and employees; testing of controls compliance; observation of control activities; review of previous audit reports; and review of previous reports on fraud incidents, shrinkage, and unexplained shortages.

Once the assessment of current fraud controls and prevention is completed, vulnerability tests should be performed. Then the anti-fraud professionals will develop the appropriate recommendations for management to counter fraud-related risks.

There are four standard approaches to address risks:

• Avoid the risk by eliminating an asset
• Transfer the risk by purchasing some type of fidelity insurance or bond
• Mitigate the risk by implementing appropriate countermeasures such as prevention and financial controls
• Assume the risk if it determines that the probability of occurrence and impact of loss are low⁵  

The entity could also elect to combine the above approaches.

CORE KNOWLEDGE FOR AN ANTI-FRAUD PROFESSIONAL 

The risk officer dealing with fraud issues should have a good set of core competencies and contemporary skills. Required are auditing and accounting knowledge, communication skills, computer forensics proficiency, and the continued knowledge of emerging new ideas in the fraud examination discipline.

Auditing and Accounting Knowledge
Most corporate fraud cases include accounting aspects and manipulation or falsification of accounting documentation. An anti-fraud professional should possess excellent auditing skills and a thorough understanding of accounting systems, internal controls, and Generally Accepted Accounting Principles (GAAP) but also consult with auditors and accountants to fill gaps in skills and knowledge.

Communication Skills
The ability to deal effectively with people is paramount for an anti-fraud professional. Obviously, an excellent interviewer needs to be able to speak and listen well to elicit valuable information. And the fraud examiner should be able to translate a complex case into simple language for the written report.

Famed 19^th century detective, Allen Pinkerton, said that a professional should possess the qualifications of prudence, secrecy, inventiveness, persistency, personal courage, and above all, honesty.⁶ 

Computer Forensics Proficiency
Because most accounting systems and records are now in electronic form, computer forensic skills are an essential component of the anti-fraud professional's tool box. Electronic data analysis and data-mining techniques are routinely used in most fraud examinations. Knowledge of programs such as ACL, IDEA, MS Access, or EXCEL is now required for an efficient review.

INDISPENSIBLE PROFESSION
Fraud is a social phenomenon and constitutes a business risk. This analysis has shown that management needs to deal with this fraud risk with the help of trained anti-fraud professionals and auditors who will evaluate an entity's existing anti-fraud controls and structures and introduce needed procedures.

As countries come to accept the anti-fraud profession they could, as many do with audit professionals, codify regulations on many levels including minimum employment requirements. This concept requires much discussion.

It's evident that the 21st century is witnessing the emergence of the new anti-fraud discipline, with management playing a decisive role. It's time to give this profession the recognition it deserves.

Dr. Haluk F. Gursel, CFE, CGFM, CPA, is the president of the Switzerland Chapter of the ACFE. Gursel has been a fraud fighter for more than 39 years. He has written several books and articles, is a professor at the Webster University Geneva Campus in Switzerland, and has received several honors including the ACFE award for outstanding achievement in anti-fraud education.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.  

¹ This is a fictitious case.
² "Fraud Position Statement." The UK and Ireland IIA. April 2003.
³ Pollard, Bill. "Proactive Fraud Risk Reviews." Paper presented at ACFE's 15^th Annual Fraud Conference, Las Vegas, Nev. July 2004.
⁴ All information from "SAS 99: Consideration of Fraud in a Financial Statement Audit" (Specifically, information from an exhibit contained in the document within SAS 99, "Management Antifraud Programs and Controls: Guidance to Help Prevent, Deter and Detect Fraud.")
⁵ Cook, CFE, CPP, Larry E. "Risky business: Conducting the internal fraud risk  assessment." Fraud Magazine. March/April 2005.
⁶ Pinkerton, Allen. Cited in the introduction of the "Fraud Examiners Manual." Association Certified Fraud Examiners. 2005 edition.