They empathize because they do what you do

The ACFE Board of Regents offer their counsel and ruminate on the dynamic anti-fraud profession during the 29th Annual ACFE Global Fraud Conference. From left to right: Alexis C. Bell, M.S., CFE, PI, Chair; Vidya Rajarao, CFE, ACA, Vice Chair; Tony Prior, MBA, CFE, CAMS; Elizabeth J. Simon, CFE, CPA; Ryan C. Hubbs, CFE, CCEP, CIA

The members of the ACFE Board of Regents empathize with you because they do what you do. They, like you, have to contend with technology changes, evolving regulations, cautious management, intergenerational employee cooperation, gigabytes of uncategorized digital evidence and so much more.

But, like you, they also occasionally savor solid evidence discovery, a satisfying case outcome, red tape that unravels and enjoyable mentee relationships.

On Sunday, June 17, at the beginning of the 29th Annual ACFE Global Fraud Conference, Fraud Magazine invited the members of the volunteer Board of Regents to discuss these topics and much more as they grapple with the components of anti-fraud professionals’ work days.

The participants

• Alexis C. Bell, M.S., CFE, PI, Chair: Bell is the founder and managing partner of Fraud Doctor LLC, which provides anti-fraud consulting services. She’s also a published author with expertise in architecting global anti-fraud programs in a variety of sectors, forensic accounting, data analytics and technical training.
• Vidya Rajarao, CFE, ACA, Vice Chair: Rajarao is partner at Grant Thornton India. She’s a national leader for forensic and investigation services in India and the sub-continent and a member of the firm’s global forensic steering committee.
• Tony Prior, MBA, CFE, CAMS: Prior is a director at AUSTRAC, Australia’s AML regulator and financial intelligence unit. He previously conducted investigations into corporate fraud and financial crime. Prior is the founder and president of the ACFE Sydney Chapter.
• Elizabeth J. Simon, CFE, CPA: Simon is the director of ethics & compliance for Cox Communications Inc. She serves on the board of directors of the Atlanta (Georgia) Compliance and Ethics Roundtable.
• Ryan C. Hubbs, CFE, CCEP, CIA: Hubbs is the global anticorruption and fraud manager for Schlumberger Limited. For more than 17 years, he’s conducted international corporate investigations and forensic audits for companies within the energy sector.

FM: How do we as fraud examiners help our organizations get into the 21st century?
Hubbs: We’re getting a lot of requests from management to build artificial intelligence [AI] or do more advanced analytics. The problem at least for the energy sector is that the type of AI that’s being used in the retail and the banking sectors doesn’t necessarily translate yet to contractors, vendors per se, purchase orders. We could do advanced analytics, but the AI is lagging. The data isn’t good or isn’t there, or it’s in multiple systems that you can’t get access to. So, fraud examiners, internal auditors, forensics experts are in a squeeze play. They want to do more in that space, but the data and technology, at least in some sectors, just isn’t there yet.

FM: So, AI is still in its infancy at this point?
Hubbs: It depends. In retail or banking, you can see transactions and see where you’re at and where you’re going and identify fraud anomalies. They can tell you what you want to know about certain types of shoes or pants, or the types of withdrawals or loans that look suspicious. But if you look at a manufacturing organization or an oil and gas company from a transactional basis, I haven’t seen where AI really is coming into play.

Think of the non-structured nature of contracts with multiple entities whether they’re vendors or customers. You’ve got vendors all over the world, and you’ve got employees all over the world issuing purchase orders and doing different things. And then you’ve got that data in multiple source systems. I don’t think we’re at a point where AI is effective yet from an anti-fraud perspective in many sectors.

Rajarao: I think you see more machine learning and AI on the human resources and payroll sides where the data is more structured. We see in Asia where they use a lot of AI and machine learning. And it started out more as an employee retention tool: trying to figure out what employees like, allocating projects, capturing the skills, using resources more efficiently across projects and across locations. But that’s turning into figuring out if someone’s cooking up their expenses and if they’re offsite at some other location, or if they’ve been at a vendor or a customer and you bring them on board as employees.

FM: Do you see your accounting, internal auditing, forensic accounting departments working with human resources right now to detect possible fraud through AI?
Rajarao: Yes.

FM: Is it a formal relationship or are they just helping each other out at this point?
Rajarao: It’s formal. We can use it to track CV [résumé] fraud. Even very senior professionals can be detected after 30 years. The CEO has been a CEO for 10 years, and then you find that he never got his MBA from Harvard. I think that’s the beauty of AI and machine learning. You can use it for multiple resources.

FM: So, can the rest of you see auditing working with HR at your organization?
Hubbs: I can, but with GDPR [EU’s General Data Protection Regulation] and privacy issues, HR data has gotten even more restricted. It was already restricted before for using in corporate investigations, corporate audits. But now it’s even more so. 
Yes, we’re moving more into analytics and machine learning, but not necessarily AI. A lot of the technologies are really good, but from a fraud detection or prevention standpoint you still have to go back to the basics and design them based on how fraud occurs. Fraud examiners play a big role here.

Rajarao: As fraud examiners, external or even in-house, if you have an incident, the expectation from leadership is you’re going to use data analytics. But then you realize that the company just doesn’t have the right data in the first instance. When the data comes it’s not structured, so then you have to put it into a structured form. You can use tools to do that, but then again, you’ll still have some anomalies — false positives, false negatives — that you have to filter out. The expectation from management is that the fraud examiner in the 21st century has this magic wand, which is called advanced data analytics. You’ll get the results tomorrow, and by the third day you close the investigation. That’s far from happening.

Hubbs: You bring a good point. Data analytics may not make my job easier. When you run analytics in your organization and get a few hits, you might think you have a couple of double-billing issues or a couple of bad vendors. But if you run the analytics and it’s spits out 400 or 500 red flags, do you have the people, the resources to investigate them all? And are many of them false positives? But what if you’ve really hit on something, and there’s hundreds or thousands of transactions that are potentially problematic? The data analytics that you thought would solve the problem or help make your life easier might generate more work.

Simon: We actually had that problem in a resource issue. We set up some transaction monitoring for fraud in our finance team, and they got so many false positives that they basically had to give up on them.

Bell: I remember when Benford’s Law became popular as a fraud detection analysis and we were so excited. “This was the most amazing thing!” we thought. When we started looking at really big data sets, like 6 million lines of transactional data in just one quarter, with Benford’s we were getting 32,000 hits just on the first-digit test alone. But we didn’t have the resources to check on all those underlying documents. As a result, people stopped using it. Eventually I added more math to it, so now I can get those original 32,000 down to about 320. It’s just one example where volume can be a real problem.

Rajarao: The more we talk about data analytics, machine learning and AI, I don’t think the fraud space has changed. I don’t think the ground has shifted. It’s still the back-to-basics focus on controls and looking at physical records. Going beyond the data into the metadata: when it was entered and who had the right supervisory rights and administrative rights to enter so the system may show a different pattern. New fraud like ransomware is still old white-collar crime.

Prior: From the Australian and Asia-Pacific region, I do a lot of work with “RegTechs,” regulatory technology companies. We’re talking about addressing money laundering, terrorism financing and financial crime. Australia is the third-biggest RegTech hub in the world. We’re seeing solutions dealing with more automation and machine learning than AI.

There’s a reluctance to adopt these new technologies by banks, financial service companies because they don’t understand them, and they’re reluctant to procure services from nascent, small technology companies that didn’t exist 12 months ago.

FM: How do you influence your management to emphasize anti-fraud issues? What’s our responsibility as CFEs to work with management?
Prior: In my part of the world, in Australia, at the moment we have a royal commission into the banking  and financial services system. There’s a litany of failings reported across the financial institutions. So, with some organizations it’s difficult to address management issues until there’s a significant internal or external issue that brings them to the table.

FM: So, it takes a crisis?
Prior: A lot of the time.

Hubbs: The role of the CFE is similar to that of a doctor. You can tell the organization all day long to do specific things to prevent and deter fraud and look for it. Management might listen to you, maybe contemplate and listen a little bit, but eventually they move on to other things. When you go to your doctor for a routine checkup, do you actually make the changes he or she recommends? It’s only when the doctor identifies specific risks, that change occurs, right? I’ve mostly seen substantive change when there’s a risk to the organization versus a potential benefit. When there’s specific regulatory risk, legislative risk, shareholder risk; that is when you tend to get a little bit more movement of the ball.

Simon: But it’s not just risk. You need the crisis.

Hubbs: Well, that’s where the ball moves the farthest.

Simon: You can talk about risk all day long, and they’ll say, “That will never happen here.”

FM: So, you’re saying when an organization has a heart attack …
Simon: When the diagnosis for cancer comes in, then they’re open to change.

FM: Your doctor says, “You’ve got to lose 20 pounds. Your risk numbers are up.” So, you can either respond or not. But you’re saying, that first heart attack has to happen before an organization does anything.
Rajarao: Some organizations do respond to risk warnings before the heart attacks. Some do take steps. If you tell them there’s a big regulatory risk, and this is your key asset; 60 percent of your revenue is coming from this location and if at that location you have a rogue customer, employee or CEO, they will certainly do something about that. But institutions take time, like individuals. No decisions are made in a vacuum. So, by the time they make those decisions maybe the risk has become real. It’s already materialized.

Bell: Remember, it’s also a function of the maturity of the organization and the maturity of the risk program that they have. So, if you have a mature program then ideally, they will have done their risk assessment, and they would have made a decision that this is within their risk appetite, and they’re not going to make any change at all. But when it’s something outside that risk appetite or tolerance then they’re going to do something, or if they identify something that they never even considered that wasn’t on their risk assessment.

Bell: During our risk assessments of organizations, we show them that if they put in place key anti-fraud measures, then statistically this is what the results would look like. And then they can make a decision: “Does it cost more than my return is going to be, or am I going to spend money for the controls to reduce the fraud?” We build that into the risk assessment so that we can help educate them. Part of our job is to help them see what the fraud trends are, so they can accurately assess them and see if they’re willing to tolerate them or not.

Some companies just have a high-risk appetite. We can present the information to them, but they decide if they’re going to accept the risks. It’s tough for us. You’re speeding down the highway with no seatbelt on.

Rajarao: Organizations say that their competitors are moving so fast, and they’re missing out on great opportunities in new promising markets. So, they rush into those markets without evaluating the risks. The benefits might never materialize, but the fraud might. So, a lot of their actions are driven by market forces and revenue and not necessarily by thoughts about risk appetite.

FM: So, every organization has a certain personality, a certain appetite for risk. Have you seen it start from the top to the bottom? I mean, have you had to influence a CEO, a CFO to think like you? How do you get to that point?
Bell: I had a situation in one subsidiary where they had an immediate massive fraud because they were so fast in getting into a rollout that they didn’t take the time to put anti-fraud measures into place. It was shocking what they didn’t do. I came in to do an investigation for them. I recommended that they stop the rollout until we could do the root cause and find out what happened. Afterwards, they realized that they should have hammered out policies and protocols before they rolled out the new channel. Thankfully, they stopped the rollout in the other countries until proper assessments, policies and procedures could be put into place. So, you take your lessons where you can off your own mistakes or be smarter and learn from the mistakes of others before it happens to you. This is where AI can dramatically speed up the decision-making process by highlighting early indicators of issues.

Prior: Some organizations will have a document in place for a risk appetite. Some sectors are required by law to have a statement, and then you get others who will say things like, “We’ve got no tolerance for internal fraud.”

Rajarao: But do they make sense to you, Tony? I’ve heard these statements. I honestly don’t understand what they mean.

Prior: They’re done from a financial point of view: So, what are we prepared to lose in internal or external fraud over a given financial period? The point, on the other organizations that are possibly less mature or aren’t required to have a documented statement on risk appetite, they might say they don’t have an appetite for financial fraud, but you scratch below the surface and they don’t do anything to achieve that either on the prevention side. Their response is quite lame.

Bell: It’s often not robust.

Hubbs: It goes back to a paper-based compliance program.

Prior: Yes, anyone can say, “We have no appetite for fraud.”

Hubbs: Goes back to just checking the box and not doing anything. Of course, they have a statement saying they don’t condone fraud. I think there are a lot of organizations out there that just follow the minimum guidance and standards.

Bell: I recently had a conversation with a woman who was in charge of their compliance function. I asked, “Where did you get your experience?” She had none whatsoever. So, that’s a red flag to me that that company had chosen to put someone in charge of this function who has no experience at all. Competency is a core risk management component that’s often overlooked in favor of standardized processes.

Rajarao: Well, that’s the point. That they would do the bare minimum required under law.

Hubbs: I think all of these topics really highlight that the role of a CFE today is much more complicated and multi-faceted. We’re dealing with so many variables whether we work for an external firm or an independent firm, if we’re internal auditors, or internal fraud compliance personnel or investigators. We deal with changing technology, regulations, management, revenue, multinational systems, data and transactions. The pace is increasing.

As an example, going back to the EU’s GDPR — trying to get data out of a certain country that has to obey the GDPR is difficult. We never had to deal with this before. We have to let employees know we’re gathering evidence on them. Why would I want the employee to know? We’re looking for fraud. Some people can look at the evidence, but by law others can’t. CFEs have to juggle with a lot.

FM: Incrementally do you think that we’ve made progress as CFEs to be able to get beyond actually talking about fraud and move on how to actually prevent and deter it?
Bell: As CFEs, we need to recognize our limitations. We recently gave a training session at an ACFE chapter where a woman had come up to me afterwards. She’s the only CFE at a community bank, and she’s tasked with doing risk assessments. She said she didn’t know how to do them. I said, “Get someone who knows how to do them for you. CFEs have to be careful not to do things that we’re not qualified for and for which we’re not fully competent.”

They feel pressure. They’re the only one in the entire company, or they’ve been tasked with something; it’s become their job. And some people aren’t willing to say, “I don’t know how to do that.” The ACFE standards require that we not take on a project where we lack the necessary skills or experience to perform the tasks being asked of us.

FM: Many have been emphasizing how the different generations approach work in the office. But doesn’t the onus fall on the more seasoned professionals to help these younger professionals approach fraud examinations in a different way?


Hubbs: Maybe it’s a two-way street. Maybe the younger professionals can show the older fraud examiners new technology and new ways of searching for records. But, you know, even with all the information you have at the end of the day you still have to interview subjects. And I’ve seen cases get dropped or become non-prosecutable because wrong questions were asking during the interview. I’ve seen cases where you may have very little documentation and evidence, but you think something is suspicious. Just from the art of the interviewing you may be able to get the person to confess. Younger fraud examiners must know how to conduct effective interviews.

Bell: Individuals own their own careers, but I think it’s on us as the team leaders to make sure that we initiate the development plan for the team to make sure they get what they need to be effective at their jobs. We have an obligation to pass down and across teams, the knowledge we’ve acquired over the years.

FM: What kind of mentoring experiences have you been through that have been exhilarating, have been inspiring for yourself or possibly have been frustrating? How do you think about working with younger fraud examiners? What are some ways that you’ve been able to inculcate your anti-fraud principles into their professional lives?
Prior: Getting the mentee to understand that it’s not about giving them all the answers. It’s giving them the tools where they can find the answers. I had done some mentor programs when I was with the Australian Federal Police, and some of the mentees thought it was about coming to the mentors with the “50 hard questions” they couldn’t answer. And you do try to steer them where they could get the information or that experience. But giving them the proper anti-fraud tools is most important.

Hubbs: That’s a good point. I see a lot of the younger fraud examiners and auditors who want the answers but do not necessarily know how to get to the answers. As more seasoned fraud professionals, it’s our responsibility to try to think back when we were green, and someone showed us the “how” and not just the “what.” We need to do that same type of learning process with the next generation of fraud professionals.

Rajarao: The biggest challenge is you have to show them by leading. They have to see you doing it. And maybe they have to see you making mistakes, so they can then figure it out themselves. I always make my team write reports. And they can’t just copy and paste from Google findings.

You really have to spend the time and show them and be open to questions because they really have good questions. Better questions than when I was being mentored. And they do challenge you in how we do things.

FM: There is more of an emphasis on multigenerational employees working within any organization. Because we’re going to get people at all different stages in their careers.
Bell: You mentor the individual. You have to look at the individual and what they need. We start with their objectives — what they want to get out of it and we make sure we’re on the same page with that. And that’s the direction, the focus of what we’ll talk about, the biggest task we’ll give to them, where we spend our time together.

You talk about many generations working together. We recently facilitated a full-day, root-cause workshop with the Center for Internal Auditing Excellence of the University of Texas at Dallas. It was 100 people with 10 people at round tables. We identified who the seasoned people were. We made sure that there was at least one seasoned professional at each of the tables accompanied by representative experience of industries and demographics to comprise teams. It was really amazing to see the seasoned executives helping the newcomers. It was so wonderful to see the knowledge transfer.

I’m an adjunct professor teaching in the Financial Crime and Compliance Management graduate program at Utica College. One of my students asked me to mentor her. In going through that process, she said that the lessons she’d learned during the course helped her in her entire life, not just at work. To me that’s very rewarding as a person, not just as a fraud examiner or adjunct professor. And I think we also need to let others mentor us. Am I learning? Have I reached this place where I’m teaching, and now I’ve stopped learning? What am I going to learn next? My partner often says, “If you find you’re the smartest person at the table, it’s time to go sit somewhere else.”

Dick Carozza, CFE, is editor-in-chief of Fraud Magazine.

Emily Primeaux, CFE, is associate editor of Fraud Magazine.