Secure fraud zone defense, Fraud Magazine
Featured Article

Secure your fraud zone defense

Congratulations! You have a fraud hotline, but now what? It’s useless without investigation and communication. The author outlines his experiences creating a fraud mitigation program for his multibillion-dollar company.

The ethics hotline of the company I work for, which provides home automation and security systems, annually receives more than 100 allegations of fraud. However, prior to 2014, no one adequately investigated actionable information, and no one investigating the allegations communicated with other departments. The lack of communication became obvious during an investigation in which we identified more than seven hotline calls going back two years that, if we’d properly investigated, could’ve led to the early discovery of an asset misappropriation scheme.

The inaction cost our company more than $100,000. Had we properly investigated the first allegation the loss to the scheme might have been only $7,000. Employee morale in this location deteriorated because the reporting employees became increasingly despondent and ultimately threatened to go to local media if the company didn’t do something.

We knew things had to change.

Change, but how?

I’d previously worked for an international forensic accounting firm and had several progressive roles in various internal audit departments. In my prior internal audit roles, I’d conduct internal investigations only when the need arose. Then in July 2014, I assumed the role of forensic auditor with my current employer in which I’d investigate fraud schemes daily. Naturally, I was excited by the opportunity.

Shortly after assuming my new role, I discovered my predecessor had only been responding to hotline calls. She completed her investigations in a thorough manner and prepared detailed investigation summary reports. However, she never shared the reports and their findings with management, and she took no steps to determine the extent of the asset misappropriation schemes and identify or remedy the control gaps that allowed the schemes to occur. Essentially, she handled each investigation as an isolated occurrence. Obviously, we had serious control gaps that created the opportunities for these crimes to flourish. I believed that if we were to examine the frauds we’d identify multiple people in the company who were executing the same type of asset misappropriation scheme independent of each other.

My company installs the equipment for the monitored home automation and security systems in customers’ homes or businesses. A basic system might cost the company more than $1,000 up front in parts, labor and commissions by the time employees install the units at no charge to the customers. In exchange, we charge customers a monthly monitoring fee and require the customer to sign a multiyear contract with early termination penalties. Our preferred methods of payment are credit cards or checks via automated clearinghouse (ACH). Our sales representatives are 100 percent commission-based.

Prepaid credit card abuse

The first major defalcation scheme I identified was the abuse of prepaid credit cards (reloadable gift cards that can be purchased at many retailers). A prepaid credit card appears to our billing and collection system as a credit card regardless of whether it has a balance on it. In this scheme, our sales representative would provide the customer a prepaid credit card to facilitate installation, which isn’t a method our company approves. Installation triggers the sales representative to receive a commission. Often the company would receive either no payment or just one payment on the card. The customer would enjoy monitoring services for six months prior to deactivation because of nonpayment. We’d never recover the installed parts or claw back the unearned commission.

As luck would have it, I’d soon cross paths with a kindred spirit in our information technology department who had been observing patterns in credit card abuse and was eager to investigate the matter further. By some strange twist of fate, we both share the first name, Grant. Together, the Grants would combine my forensic auditing background and his data analytics skills to conduct a companywide investigation on more than six months of credit card transactions.

A credit card number has 16 digits. The first six digits are the bank identification number (BIN), which identifies the institution that issued the card. From the BIN, we can tell who issued the card (e.g., Visa/MasterCard) and what type of card it is (gift card, prepaid, credit, etc.). To conduct our investigation, we had to match credit card transactions to a BIN database to identify prepaid credit card usage.

Step 1: Establish a fraud committee, your anti-fraud dream team.

Neither of us was surprised that we’d identified sales reps who appeared to be abusing prepaid credit cards. What was surprising, however, was the volume of questionable transactions and the extent of the scheme. For example, we identified multiple sales reps who’d put more than 25 customer accounts on a single prepaid credit card. Many of these “customers” would make no payment or a single payment and then default on their account. At one point, I estimated that the scheme was costing the company $5 million annually.
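The BIN match and the many-accounts-on-one-prepaid-card pattern described above can be sketched as follows. This is an added example, not the author's or his company's code; the BIN table, billing rows, field layout, the use of a card token in place of the full card number and the `min_accounts` threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed BIN reference table (not real issuer data): BIN -> (brand, type).
BIN_TABLE = {
    "400000": ("Visa", "credit"),
    "510000": ("MasterCard", "credit"),
    "499999": ("Visa", "prepaid"),
    "539999": ("MasterCard", "gift"),
}
PREPAID_TYPES = {"prepaid", "gift"}

# Constructed billing rows: (rep, account, BIN, card token, payments received).
# Assumption: billing stores the BIN plus a token rather than the full number.
TRANSACTIONS = [
    ("R-101", "A-1", "499999", "tok-7", 0),
    ("R-101", "A-2", "499999", "tok-7", 1),
    ("R-101", "A-3", "499999", "tok-7", 0),
    ("R-101", "A-4", "499999", "tok-7", 6),
    ("R-102", "A-5", "499999", "tok-9", 4),   # one account, one card
    ("R-103", "A-6", "400000", "tok-3", 0),   # shared card, but not prepaid
    ("R-103", "A-7", "400000", "tok-3", 0),
    ("R-103", "A-8", "400000", "tok-3", 0),
    ("R-104", "A-9", "123456", "tok-5", 0),   # BIN missing from the table
    ("R-105", "A-10", "539999", "tok-11", 0),
    ("R-105", "A-11", "539999", "tok-11", 0),
    ("R-105", "A-12", "539999", "tok-11", 0),
]


def flag_prepaid_clusters(transactions, bin_table, min_accounts=3):
    """Return (findings, unknown_bins) for prepaid cards shared across accounts."""
    per_card = defaultdict(dict)  # (rep, token) -> {account: payments received}
    unknown = set()
    for rep, account, bin_, token, payments in transactions:
        entry = bin_table.get(bin_)
        if entry is None:
            unknown.add(bin_)  # surface for manual review, do not assume "credit"
            continue
        if entry[1] not in PREPAID_TYPES:
            continue
        accounts = per_card[(rep, token)]
        accounts[account] = max(accounts.get(account, 0), payments)
    findings = []
    for (rep, token), accounts in per_card.items():
        if len(accounts) >= min_accounts:
            low = sum(1 for paid in accounts.values() if paid <= 1)
            findings.append({"rep": rep, "token": token,
                             "accounts": len(accounts), "zero_or_one_payment": low})
    findings.sort(key=lambda f: f["accounts"], reverse=True)
    return findings, sorted(unknown)


if __name__ == "__main__":
    for row in flag_prepaid_clusters(TRANSACTIONS, BIN_TABLE)[0]:
        print(row)
```

BINs that are missing from the reference table are returned separately so they can be reviewed rather than silently treated as ordinary credit cards.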

I conducted several investigations that included interviewing customers and sales reps. We learned that the reps were telling customers that the service was free for the first six months, and if they weren’t satisfied with the service they could simply stop paying. The results were almost a complete loss to the company.

After presenting the results to my boss, she gave me a new challenge: establish a fraud committee. It would need to:

  • Collaborate with other departments on investigating allegations of fraud.
  • Identify the control weaknesses that the perpetrators exploited to defraud the company.
  • Take appropriate action against those involved in any wrongdoing.
  • Advise senior management on how to remediate control gaps and deficiencies.

At the time, I remember thinking that this was a rather ambitious request.

Building a dream anti-fraud team

All organizations are subject to fraud risks. An internal audit department’s role in conducting investigations is to identify the control lapses or gaps that facilitate a defalcation scheme. My goal was to solve these problems and create stronger controls that could reduce or eliminate any scheme. A company has the fiduciary responsibility to design, implement and maintain an internal control environment to protect corporate assets from the threat of misappropriation. Plus, an organization has a moral obligation to establish a functioning internal control environment to protect the employees from themselves.

The initial challenge in establishing a fraud committee was to identify the ideal potential members. Conducting fraud examinations daily brings me in contact with leaders from our legal, human resources and corporate security departments, so I recruited from this group. It didn’t take much convincing for these leaders to enthusiastically accept roles on the fraud committee.

Of course, when you’re considering who should be on your committee, identify those who routinely demonstrate a high degree of character and integrity. And include a wide range of skill sets. For example, I’ve tremendously benefited from having direct access to a legal opinion when I’m investigating or interacting with a third party.

Our initial fraud committee consisted of:

  • Myself and the vice president of internal audit.
  • Compliance officer (who just happened to be our head of litigation).
  • Senior manager of labor and relations.
  • Director of corporate security.
  • Director of employee relations.
  • Manager of business continuity.

The fraud committee meets biweekly, which provides enough time between meetings to make progress on examinations but keeps the committee abreast of new developments.

During our first meeting, we established the mission statement: “Coordination of resources and information sharing in order to conduct complete and comprehensive investigations.” I prepared an agenda for each meeting that included all new, open and closed investigations.

During meetings, I presented and discussed all new investigations including allegations, individuals involved and histories of the locations. I updated the committee on the progress of all open investigations. Finally, I provided a summary of the findings on all closed investigations.

Step 2: Hold regular meetings and provide input and guidance to the company.

The committee provides input and guidance on their knowledge of the individuals involved, the location and the compromised control procedure. The committee assigns or reassigns cases to other members of the committee to make sure the most appropriate department leads an investigation.

The fraud committee became the foundation of our fraud mitigation program.

Evolution of the fraud mitigation program: Advising senior sales and field leadership

Now that we had implemented a fraud committee, we needed to establish a method to tell senior leadership about the control gaps leading to fraud. Most of the investigations I conduct are classified as asset misappropriation schemes. My company has a sales force that’s compensated by commission only. We install approximately $400 million in parts annually in customers’ homes and small businesses. Most of my investigations involve either unearned sales commission or inventory theft schemes. The wide range of schemes that employees devise is impressive, and we’re always discovering new and innovative ways they defraud the company.

We gave our first informal presentation to the president of operations and the president of sales. We soon began meeting regularly with upper management on fraud-related agendas. Attendance at these top-management meetings quickly grew, and the structure of the meeting evolved.

This sales and field leadership meeting now includes approximately 15 senior leaders including many of the organization’s presidents and vice presidents. Every six to eight weeks I prepare a formal report including audit recommendations, fraud schemes and significant investigations and present it to the group.

The group discusses audit recommendations and assigns them to an appropriate party with the goal of eliminating the control gap by the next meeting. The audit recommendations presented during these meetings could be best described as critical control gaps that, if exploited, could result in substantial financial losses.

As our meetings with senior leadership evolved, we decided to include our regional vice presidents (RVP) via conference calls because each RVP is responsible for $750 million at minimum in recurring revenue. Operational control deficiencies are a threat to the regional profit-and-loss statements and so are significantly important to these leaders. Now, after each sales and field leadership meeting I individually brief each RVP on investigations in their region.

Our meetings are informal conversations about the ongoing and completed investigations in the region and their direct reports’ performances. We also now include the regional human resources generalist in the calls with the RVPs to provide better support for each RVP and to obtain assistance in the examinations. I’ve observed many instances in which the RVPs enacted remediation plans across their entire regional footprints based on these calls.

The RVPs are now referring their direct reports to me for forensic audit services. The interaction and communication have helped to establish trust between the internal audit department and management. For example, one of our area general managers (AGM) identified inventory anomalies in one of his branch locations. The AGM called me and requested a forensic audit of inventory usage in one location because of the trust our meetings had established. As a result, we identified seven employees stealing tens of thousands of dollars of inventory.

‘Ethics in Action’

Our legal department conducts annual companywide training on our code of conduct and also a separate quarterly “Ethics in Action” training program on current concerns. All employees must attend both programs. The fraud committee contributes case material to the “Ethics in Action” training and serves as an editorial review board. Our real-world examples illustrate ethical concerns.

Our company expects sales reps to prospect their own sales leads — what we call “self-generated leads.” Call centers field potential customer inquiries, and reps attempt to make sales. If a customer requests a sales rep to come to their home or business, the rep will send the lead to a local sales rep for follow up — what we call a “company-generated lead.” Self-generated leads pay higher commissions than leads we provide because of the extra work sales reps must do to obtain the leads and ultimately the sales. Therefore, the reps have a significant incentive to close self-generated leads.

Step 3: Conduct mandatory companywide training for all employees.

Our first-quarter “Ethics in Action” training of 2017 highlighted a common sales fraud scheme in which some reps would convert company leads to self-generated leads. The company traditionally gave the reps the ability to change customer information (name, address, etc.) to correct errors in the original lead. However, this allowed the reps to simply reenter a company lead as a self-generated lead by making minor alterations to the customer content. We estimated the cost of this one scheme alone exceeded $1 million annually in unearned commissions.

The focus of the training was on how to make legitimate changes to the customer content of a company lead without creating a new self-generated lead. We often see a decrease in fraudulent activity once employees complete the training, which was the case here.

Hard work rewarded

Success in establishing a fraud mitigation program is the result of working with a committed group of professionals dedicated to a high degree of personal and professional integrity. Our journey from an ambitious challenge to fruition has been an evolution of figuring out what worked best for the organization.

Our fraud mitigation program now consists of:

  • Fraud committee.
  • Senior sales and field leadership.
  • Meetings with our regional vice presidents.
  • Mandatory training on the code of conduct.
  • Quarterly “Ethics in Action” training on timely ethical concerns.

Our investigations have uncovered fraud along most of the Fraud Tree spectrum. We’ve uncovered schemes involving employees, subcontractors, vendors and dealers, including asset misappropriation, potential financial statement concerns, corruption and collusion.

As a result of the fraud mitigation program, the company is (or has):

  • Performing credit checks on prospective customers. Credit checks have reduced overall customer attrition since implementation.
  • Creating exception reports and sending them to regional leaders for review. For example, sales reps now are evaluated on their personal attrition rates, “zero pays” customers and prepaid credit card activity. In addition, inventory discrepancies are identified and followed up by the regional leaders. If fraud is suspected, I’ll initiate a fraud examination.
  • Eliminated or reworked fraud-ridden loyalty programs to include functioning detective or monitoring controls.
  • Closed control gaps in subcontractor billing.

These changes help reduce or eliminate fraudulent activity that had plagued the organization and cost millions of dollars annually.

Our fraud mitigation program has become a strong pillar in the company’s fraud governance program. I wish you success in your journey.

Grant Wahlstrom, CFE, CPA, CIA, is the forensic audit manager with a privately held corporation with approximately $4 billion in annual revenue. His email address is: grantwahlstrom@gmail.com.

More help: Guide on managing fraud risk

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal Control—Integrated Framework, a framework recognized worldwide for designing, implementing and conducting internal control.

COSO revised this original framework in 2013 to include 17 additional principles to assist in creating an effective internal control system. One of these principles, Principle 8, specifically addresses the importance of organizations considering “the potential for fraud in assessing risks to the achievement of objectives.”

To provide best-practices guidance for organizations to follow when implementing this principle, COSO partnered with the ACFE in 2016 to create the Fraud Risk Management Guide. The joint report, along with the tools and resources on this site, is designed to aid organizations in effectively establishing an overall fraud risk management program.

See ACFE.com/fraudrisktools to purchase the new Fraud Risk Management Guide and download its executive summary. You can also access frameworks and reports plus free tools such as interactive scorecards, a library of anti-fraud data analytic tests, risk assessment and follow-up action templates, and points-of-focus documentation templates.

Also see “Winning the risk game: COSO and the ACFE release new guide on managing fraud risk,” by David L. Cotton, CFE, CPA, CGFM; Sandra Johnigan, CFE, CPA/CFF; Leslye Givarz, CPA, Fraud Magazine, January/February 2017.

 

 

 
