Complex business environments require fraud examiners to have diverse skills and holistic points of view to properly address the plethora of business risks. Escape your biases. Consider multiple sets of guidance to stay apprised of risks, increase business transparency and dismantle silos of information.
The ACFE Fraud Tree divides fraud into three major categories: financial misstatement, corruption and asset misappropriation. Yet, sometimes, legal, compliance, audit and investigative professionals take narrower views of fraud risks based on their educational
and professional experiences. It’s no surprise that people lean toward areas with which they’re most familiar. To demonstrate, try this experiment at work. Ask an in-house attorney to describe your organization’s top fraud risks. You’ll likely get
an answer that leans toward bribery and corruption. Ask an external auditor the same question, and they’ll probably say something related to financial statement fraud. An internal auditor: some category of asset misappropriation or internal control
weakness. Cybersecurity professional: a breach, data exfiltration or ransomware scheme. You get the idea.
As CFEs, we need to rise above professional biases and recognize all these areas have potential fraud risks.
Consider the CFE Exam you completed. The core components have remained the same: accounting, law, investigations and criminology. We can never forget to combine these disciplines to properly address fraud risk holistically. An effective fraud risk assessment
always brings together multiple professionals with diverse disciplines to address occupational fraud via research, facilitated sessions, data analytics, web-based surveys and other means.
Commonalities across compliance and anti-fraud guidance
We should review leading anti-fraud guidance from those who have differing perspectives in various departments and perhaps even industries. Much of the guidance from various bodies emphasizes incorporating 1) some level of governance and executive management oversight, 2) risk assessments and 3) some level of preventive and detective control activities, including analytical procedures. That’s good news.
Perhaps CFEs can minimize bias in their anti-fraud efforts by applying these common-ground themes from the aggregate guidance. Place yourself in practitioners’ roles — such as those in legal, compliance, internal audit, external audit and IT departments
— and research their respective publications. For example, the U.S. Department of Justice (DOJ) released in April 2019 its updated guidance, Evaluation of Corporate Compliance Programs,
which provides direct questions that U.S. attorneys should ask during an investigation concerning the proactive measures a company has taken to mitigate fraud risks. (I’ll discuss those questions in the next section.) If you work for a large global
company, you can bet your general counsel is familiar with this document. (See Transforming corporate cultures by placing CFEs in top echelons.)
The U.S. Department of Health and Human Services and the U.S. Office of Inspector General offer extensive guidance for health-care-related organizations and other industries. The financial services industry — naturally one of the most regulated industries
— has extensive guidance and frameworks from such regulatory bodies as the U.S. Financial Industry Regulatory Authority, the U.S. Consumer Financial Protection Bureau and the U.S. Federal Deposit Insurance Corporation, among many others. (Don’t neglect
guidance from other nations’ governmental regulatory bodies and industry associations.)
In 2016, COSO partnered with the ACFE to create the Fraud Risk Management Guide. The guide’s accompanying website also contains tools, templates and analytics ideas to integrate into your fraud risk management program. The COSO/ACFE guide provides five principles for an anti-fraud program that align with COSO’s internal control framework: 1) control environment, 2) risk assessment, 3) control activities, 4) information and communication and 5) monitoring activities.
The principles align with other guidance, particularly with the Institute of Internal Auditors’ material and U.S. auditing standards AU 316,
Consideration of Fraud in a Financial Statement Audit.
If you’re a cyber professional, you’re probably familiar with the Center for Internet Security’s CIS Critical Security Controls™, the National Institute of Standards and Technology’s Cybersecurity Framework and the guidance of the Information Systems Audit and Control Association.
Also, check out the U.S. Sentencing Guidelines’ Effective Compliance and Ethics Program, §8B2.1, and the Organization for Economic Co-operation and Development’s Good Practice Guidance on Internal Controls, Ethics, and Compliance.
Just as the CFE Exam is multidisciplinary, so should your body of knowledge of best-practice guidance be. This will better ensure that you’re speaking your colleagues’ languages, and it will help unify your organization and rally it around its anti-fraud and compliance program. It will also help ensure that you avoid educational or professional biases.
Analytics is the key to driving transparency across an organization
The late American pathologist, Professor Edwin R. Fisher, reportedly repeated the cliché, “In God we trust, all others provide data,” during a subcommittee of the U.S. House of Representatives in 1978.
Analytics is the lubricant for better business transparency and cross-functional communication, which in turn reduces the risk of bias. This sentiment around demonstrating compliance effectiveness and cross-functional teaming is echoed in the April 2019 DOJ guidance “Evaluation of Corporate Compliance Programs,” which I discussed earlier. It poses three fundamental questions prosecutors should ask to evaluate compliance effectiveness:
- Is the corporation’s compliance program well-designed?
- Is the program being applied earnestly and in good faith? (In other words, is the program being implemented effectively?)
- Does the corporation’s compliance program work in practice?
As an example of cross-functional integration, the DOJ guidance calls upon internal audit departments, not just legal and compliance, to work on continuous improvement, periodic testing and review:
“Internal Audit – What is the process for determining where and how frequently internal audit will undertake an audit, and what is the rationale behind that process? How are audits carried out? What types of audits would have identified issues relevant
to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up?
How often does internal audit conduct assessments in high-risk areas?”
Data analytics, which internal auditors know quite well, can play a key role in supporting an anti-fraud and compliance initiative.
However, many organizations struggle with data integration and cross-collaboration around fraud risk management. They cite such challenges as:
- Employees lacking sufficient tools to assess risk and take ownership of their own compliance.
- Complex reports or analytics for the business users that aren’t user-friendly or intuitive.
- Too few legal, compliance, IT and anti-fraud resources to support the business or continuous monitoring efforts.
- Disorganized and disparate data stores.
- Risks managed in multiple systems that don’t “talk to each other” or require duplicate entry or manual data input processes.
- Not having real-time analytics, reporting or monitoring, which leads to missed anomalies and patterns.
These challenges present opportunities for analytics and technology companies to address. One example is Lextegrity Inc., a software company, which a cross-functional team of former in-house counsels and auditors founded. (Neither I nor the ACFE have
any financial interest in this company. I include it only as a demonstrative possibility, among many.)
“Traditional compliance software platforms often just digitize paper approval processes in narrow silos, such as ‘gifts and entertainment’ or ‘third-party due diligence,’ ” says Parth Chanda, CEO of Lextegrity Inc. “They often fail to expose actual ‘spend
activities’ that may bypass those processes altogether.” Chanda said Lextegrity’s software platform combines the up-front due diligence approval of planned third-party spend with the analysis of actual spend — focused on fraud, corruption and conflicts
of interest.
“We built the platform we wished we had when we were in-house,” Chanda says. “One that reduces true risk and avoids bias by combining both pre-approval data and actual spend data in a user-friendly reporting interface.” Prior to Lextegrity, Chanda was
the lead counsel for Pfizer’s global anti-corruption program for several years where he and his team brought together multiple stakeholders — from legal, compliance, procurement, internal audit, information technology and finance — to build the company’s
compliance and anti-fraud program.
“Businesses are at an inflection point where tools that combine powerful data visualization, transaction-risk scoring and machine learning with a modern cross-platform user experience, will define which organizations have truly effective compliance programs,”
Chanda says.
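The analytic idea described above, matching planned third-party spend that went through a pre-approval process against the spend that actually occurred, can be demonstrated with a small reconciliation routine. The following is an added illustration written for this article, not Lextegrity’s software or any vendor’s code; the approval records, spend records, field names and finding labels are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Approval:
    """A pre-approved third-party engagement: who, how much, and for what period (constructed)."""
    vendor: str
    limit: float
    start: date
    end: date

@dataclass
class Spend:
    """An actual payment pulled from the ledger (constructed sample data)."""
    vendor: str
    amount: float
    on: date
    gl_account: str

# Constructed pre-approval records, e.g. from a gifts/entertainment or third-party due diligence workflow.
APPROVALS = [
    Approval("ACME Consulting", 10000.0, date(2019, 1, 1), date(2019, 6, 30)),
    Approval("Global Logistics", 5000.0, date(2019, 3, 1), date(2019, 3, 31)),
]

# Constructed actual spend records, e.g. from accounts payable or the general ledger.
SPEND = [
    Spend("ACME Consulting", 4000.0, date(2019, 2, 10), "6100-Consulting"),
    Spend("Sunrise Events", 3500.0, date(2019, 2, 20), "6400-Entertainment"),
    Spend("ACME Consulting", 7000.0, date(2019, 4, 15), "6100-Consulting"),
    Spend("Global Logistics", 2000.0, date(2019, 5, 5), "6200-Freight"),
]

def reconcile(approvals, spend):
    """Return (spend, finding) pairs for payments not covered by a pre-approval.
    Findings: NO_APPROVAL (vendor never approved), OUTSIDE_APPROVAL_WINDOW
    (approval exists but not for that date), EXCEEDS_APPROVED_LIMIT (cumulative
    spend against the approval passes its limit)."""
    by_vendor = {}
    for a in approvals:
        by_vendor.setdefault(a.vendor, []).append(a)
    used = {}      # cumulative amount charged against each approval
    findings = []
    for s in sorted(spend, key=lambda s: s.on):   # process chronologically
        covering = [a for a in by_vendor.get(s.vendor, []) if a.start <= s.on <= a.end]
        if not covering:
            findings.append((s, "NO_APPROVAL" if s.vendor not in by_vendor
                             else "OUTSIDE_APPROVAL_WINDOW"))
            continue
        a = covering[0]
        key = (a.vendor, a.start)
        used[key] = used.get(key, 0.0) + s.amount
        if used[key] > a.limit:
            findings.append((s, "EXCEEDS_APPROVED_LIMIT"))
    return findings
```

Spend that the approval workflow never saw surfaces as NO_APPROVAL, which is exactly the bypass the quoted passage warns that siloed approval tools miss.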
Cast your net widely
The complex business environment requires diverse skills and a holistic point of view to properly address the plethora of fraud risks organizations face. CFEs should consider multiple sets of guidance from regulators, associations and their respective
industries to stay apprised of risk concepts, trends and fraud schemes.
Ensure your compliance and fraud risk task force incorporates a diverse team that can bring multiple skill sets and perspectives to the table — not just a single group of like-minded attorneys or accountants, for example.
Increased business transparency — driven across organizations via data analytics — is the catalyst that operationalizes your compliance and anti-fraud program and delivers key performance indicators to measure success.
Governments traditionally formulate their compliance programs by studying best-in-class organizational programs. So, it behooves you to incorporate innovative programs before you’re required to by law.
Vincent M. Walden, CFE, CPA, is a former Big 4 partner focused on anti-fraud innovation, legal and compliance technology solutions. He’ll be joining the professional services firm Alvarez & Marsal LLP on Nov. 1. In the meantime, contact him at vincentwalden1@gmail.com.