Going on the Offensive: Blocking and Tackling to Minimize Fraud


2 Welcome and Introductions
Linda Goldstein Director, Compliance & Privacy Associate General Counsel MARY SMITH CEO Jonathan Marks CPA, CFE Managing Director- Global Disputes & Investigations (267) Linda Goldstein Co-Leader of Dechert's White collar & Securities litigation practice (212) Rich Sedory

3 Going on the Offensive: Blocking and Tackling to Minimize Fraud
Today's Proposed Agenda
- The Faces of Fraud: Understanding What it Is (10 minutes)
- Selected Case Studies (20 minutes)
- Internal controls: Why and where they fail (15 minutes)
- Pulling it all together: Fraud risk management (FRM) (10 minutes)
- Communication and Coordination (GC, CCO, Internal Audit, auditors and regulators) (5 minutes)
- Using Data Analytics (5 minutes)
- Training to Catch Fraud Using Red Flags (5 minutes)
- Employee Exit Interviews: Key questions to ask (5 minutes)
- Q&A (15 minutes)

4 Faces of Fraud
The environment we live in today is rapidly changing, and thus there is no fixed face of a fraudster. Today we need to consider the extended enterprise and its third-party relationships when we consider the risk of fraud or are doing an investigation.
Fraud schemes have for the most part not changed; however, based on what we are seeing in practice, the method(s) used to conceal the fraud and how the fraud converts to benefit those who are duplicitous now increasingly include such factors as relationships with third or outside parties (collusion, especially when it's bribery or corruption) and the use of technology.
We typically think of pressure, opportunity and rationalization as the primary drivers of fraud; however, today we suggest adding competence and arrogance to the mix.

5 Typical Profile: Professional
Profile: Me and Probably You?
INNOVATOR/MANAGER (diagram axes: Predictable / Unpredictable, Confident / Fearful)
- Risk taker
- Dependable
- Creative
- Problem solver
- Assumes responsibility
SALESPERSON (diagram axes: Control / Express, Ask / Tell)
- Passionate
- Outgoing
- Friendly

6 Typical Profile: White-collar criminal
RANDOM ACTOR (diagram axes: Predictable / Unpredictable, Confident / Fearful)
- Hot-tempered
- Egocentric
- Deceptive
- Secretive
- Moody
- Without a conscience
- Anxious
SALESPERSON (diagram axes: Control / Express, Ask / Tell)
- Passionate
- Outgoing
- Friendly

7 Some ACFE Data
Offender profile
- 67% male; 33% female
- 52% aged years (9% incidents over 55s)
- 25% with organization for more than 10 years (6% less than 1 year)
- 55% acted alone
- 57% of corruption cases involved collusion
- 87% never charged or convicted of a fraud-related offence before
- Median losses (US$): owners $500k; managers $130k; employees $75k
Top 5 behavioral red flags
- 44% living beyond means
- 33% financial difficulties
- 22% unusually close association with vendor / customer
- 21% control issues; unwillingness to share duties
- 18% wheeler-dealer attitude

8 Components of a Fraud
- Act or actions that can be internal or external (fraud schemes)
- Concealment (deception or deflection)
- Conversion

9 Case Studies

10 Brokerage Firm Ponzi Scheme
- Ponzi scheme perpetrated by manager of branch office
- Successful salesperson with "Mr. Clean" reputation
- Exploited weak controls over producing branch office manager:
  - Customer activities overseen by a junior employee
  - Ability to evade correspondence review
  - Self-authorization of disbursements from customer accounts
  - No checks on customer change of address

11 Medical Company FCPA Violations
- Payments in the form of commissions were paid to physicians (surgeons) to use company's medical devices and pharmaceuticals
- Payments were made through a web of distributors and agents using off-shore accounts
- Practice entrenched in newly acquired subsidiary which had made offshore payments to foreign distributor
- New business conduct code prohibited offshore payments
- Subsidiary's executives arranged to acquire foreign distributor to perpetuate payments
- Inadequate due diligence in light of known high risk practice of offshore payments and other red flags of bribery

12 Food Company Accounting Fraud
- Accounting fraud concealed billions of dollars of debt and non-existent cash
- Affiliates run by founder's family members
- Weak corporate governance
- Controlling CFO known to bully auditors
- Culture: Failure to come clean

13 Internal Controls
There are several possible causes of internal control failure. The UK Turnbull Report (in paragraph 22) gives examples of causes of failure, but this list is not exhaustive.
- Poor judgment in decision-making. Internal control failures can sometimes arise from individual decisions being made on the basis of inadequate information or by inexperienced staff.
- Human error can cause failures, although a well-designed internal control environment can help control this to a certain extent.
- Control processes being deliberately circumvented by employees and others. It is very difficult to completely prevent deliberate circumvention, especially if an employee has a particular reason (in his or her opinion) to do so, such as the belief that higher bonuses will be earned.
- Management overriding controls, presumably in the belief that the controls put in place are inconvenient or inappropriate and should not apply to them.
- The occurrence of unforeseeable circumstances is the final cause referred to in the Turnbull Report. Control systems are designed to cope with a given range of variables, and when an event happens outside that range, the system may be unable to cope.

14 Common Deficiencies in the Design of Controls
- Inadequate design of internal control over the preparation of the financial statements being audited.
- Inadequate design of internal control over a significant account or process.
- Inadequate documentation of the components of internal control.
- Insufficient control consciousness within the organization, for example, the tone from the top and the control environment.
- Absent or inadequate segregation of duties within a significant account or process.
- Absent or inadequate controls over the safeguarding of assets (this applies to controls that the auditor determines would be necessary for effective internal control over financial reporting).
- Inadequate design of information technology (IT) general and application controls that prevent the information system from providing complete and accurate information consistent with financial reporting objectives and current needs.
- Employees or management who lack the qualifications and training to fulfill their assigned functions. For example, in an entity that prepares financial statements in accordance with generally accepted accounting principles, the person responsible for the accounting and reporting function lacks the skills and knowledge to apply generally accepted accounting principles in recording the entity's financial transactions or preparing its financial statements.
- Absent or inadequate design of monitoring controls used to assess the design and operating effectiveness of the entity's internal control over time.
- The absence of an internal process to report deficiencies in internal control to management on a timely basis.

15 Common Failures in the Operation of Internal Control
- Undue bias or lack of objectivity by those responsible for accounting decisions, for example, consistent understatement of expenses or overstatement of allowances at the direction of management.
- Misrepresentation by client personnel to the auditor (an indicator of fraud).
- Failure to perform reconciliations of significant accounts. For example, accounts receivable subsidiary ledgers are not reconciled to the general ledger account in a timely or accurate manner.
- Management override of controls.
Remember: Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. Source: COSO

16 What We Are Seeing in Practice: Common Breakdowns
- Inadequate due diligence and verification of third parties
- No or lack of supporting documentation for expenses and other expenditures
- Lack of controls over the chart of accounts
- Ineffective Accounts Payable payment review and approval
- Untimely reconciliations
- Commission payment review and approval
- Inadequate or non-existent contract reviews by legal
- Ineffective segregation of duties
- Inadequate ethics and compliance training
- Under-resourced or unskilled internal auditors

17 The Use of Red Flags to Detect Fraud
What is a Red Flag?
An observable event or action(s) that links to a concealment strategy that causes someone to stop, assess the situation, and investigate.

18 The Use of Red Flags to Detect Fraud
- Does the anomaly have supporting documentation?
- Does the documentation appear to be falsified, altered, or fictitious?
- Does the transaction and its reflection in the financial statements make sense?
- Does the transaction make sense in light of the company's operations, goals and objectives?
- Does the totality of this and similar transactions make sense analytically when evaluated in comparison to the economy, the industry, key competitors and other related accounting numbers within the organization?
- Does the transaction have proper approval and the proper authority levels?
- Does anything else about the transactions or its nature make it appear suspicious?

19 Some Thoughts on How We Can Deter Fraud!
- Establishing a positive control environment. Good "Tone From the Top" does not mean you have an ethical environment or culture!
- Proper assignment of authority and responsibility
- Disciplinary actions in the event of ethical violations, with these actions consistently applied across the organization, regardless of position
- Ensure there is an adequate system of internal controls (focus on risk)
- Conduct regular or surprise audits, because this creates a perception of detection for potential fraudsters
- Provide clear channels of communication, such as whistleblowing or ethics hotlines, for an organization's employees and stakeholders such as vendors, customers and outsiders to report suspected fraud or control violations
- Periodically perform independent evaluation of an organization's governance, risk, and compliance process

20 Fraud Risk Management Programs
While each organization needs to consider its size and complexity when determining what type of formal documentation is most appropriate, the following elements should be found within a fraud risk management program:
- Roles and responsibilities. Someone needs to own the process!
- Senior level commitment
- Fraud awareness
- Affirmation process
- Conflict disclosure
- Fraud risk assessment
- Reporting procedures and whistleblower protection
- Investigation process
- Corrective action
- Quality assurance
- Continuous monitoring
Source: AICPA, Managing the Business Risk Of Fraud: A Practical Guide

21 Communication and Coordination
- General Counsel
- Compliance
- Internal Audit

22 General Counsel, Compliance, and Internal Audit
The General Counsel, Compliance and Internal Audit serve very important, but different roles in the risk management framework.
- The general counsel's function has expanded over the years to include advising the board on their legal and regulatory risk oversight responsibilities. Furthermore, their role now includes working closely with compliance, internal audit, and the business to identify, assess, and mitigate if possible any legal risks.
- The compliance function, in its most fundamental sense, is the system or process that is meant to reasonably ensure that a firm is complying with all applicable laws, rules, regulations, codes of conduct, firm policies, and standards of good practice. Compliance shouldn't be rendering legal advice.
- A key role of the internal audit function is to monitor and evaluate the firm's adequacy, implementation, and performance with respect to risk controls within all aspects of the firm's businesses.

23 Technology: Using Data Analytics
The primary reason to use data analytics to tackle fraud is because a lot of internal control systems have serious control weaknesses. In order to effectively test and monitor internal controls, organizations need to look at every transaction that takes place and test them against established parameters, across applications, across systems, from dissimilar applications and data sources. Most internal control systems simply cannot handle this. On top of that, as we implement internal systems, some controls are never even turned on. Source: ACL

24 Training to Catch Fraud Using Red Flags

25 Training

26 Categories of Red Flags
- Data
- Documents
- Controls
- Behavior

27 Data
- Unusual timing of transactions. This includes the time of day, the day of the week, or the season.
- Frequency of transactions. Transactions that are occurring too frequently or not frequently enough are suspicious. Each organization has its own operating patterns, and the transactions should be booked accordingly.
- Unusual amounts recorded. Take notice of whether an account has many entries that are large, round numbers. Consider whether some of the transactions in the account are far too large or far too small.
- Questionable parties involved. Should the organization be paying an outside party? Is a payment being made to a related party? Is the company paying large sums to a vendor whose name is not easily recognizable? Business purpose!
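
An added example (not part of the original presentation) of testing every ledger entry against the data red flags above: timing, amounts and parties. The ledger rows, vendor list and thresholds are constructed assumptions, and frequency tests are left out to keep the sketch to one core case.

```python
from datetime import datetime
from statistics import median

# Constructed sample ledger (not real data): id, timestamp, account, payee, amount
LEDGER = [
    ("T1", "2024-03-04 10:15", "6100", "Acme Supplies", 1240.55),
    ("T2", "2024-03-05 14:02", "6100", "Acme Supplies", 980.10),
    ("T3", "2024-03-09 23:40", "6100", "QX Holdings", 50000.00),
    ("T4", "2024-03-06 11:30", "6100", "Northside Freight", 1510.75),
    ("T5", "2024-03-07 09:45", "6100", "Acme Supplies", 1105.20),
    ("T6", "2024-03-08 16:20", "6100", "Northside Freight", 3000.00),
]
APPROVED_VENDORS = {"Acme Supplies", "Northside Freight"}  # assumed vendor master

# Assumed parameters; each organization sets these from its own operating patterns.
BUSINESS_HOURS = range(8, 18)        # 08:00 to 17:59
ROUND_UNIT, ROUND_MIN = 1000, 1000   # "large, round" = multiple of 1000, at least 1000
OUTLIER_FACTOR = 10                  # "far too large" = over 10x the account median

def red_flags(ledger, vendors):
    """Return {transaction id: [flag, ...]} for every entry that trips a test."""
    by_account = {}
    for _, _, acct, _, amt in ledger:
        by_account.setdefault(acct, []).append(amt)
    typical = {acct: median(amts) for acct, amts in by_account.items()}

    flagged = {}
    for tid, ts, acct, payee, amt in ledger:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        flags = []
        if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
            flags.append("unusual_timing")       # weekend or outside business hours
        if amt >= ROUND_MIN and amt % ROUND_UNIT == 0:
            flags.append("round_amount")
        if amt > OUTLIER_FACTOR * typical[acct]:
            flags.append("amount_outlier")
        if payee not in vendors:
            flags.append("unrecognized_payee")
        if flags:
            flagged[tid] = flags
    return flagged

if __name__ == "__main__":
    for tid, flags in red_flags(LEDGER, APPROVED_VENDORS).items():
        print(tid, ", ".join(flags))
```

A flag here is only a prompt to stop, assess and look for supporting documentation; a single round amount on an approved vendor (T6) carries far less weight than four flags on one entry (T3).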

28 Documents
- Missing or altered documents or entries
- Evidence of backdating documents
- No original documents available
- Documents that conflict with one another
- Questionable or missing signatures on documents

29 Lack of Controls
- Lack of controls in general
- Unwillingness to remediate gaps
- Poor tone from the top
- Segregation of duties (excuse!)
- Management with no clear position about conflicts of interest
- Lax rules regarding authorization of transactions
- Untimely reconciliation of or failure to reconcile accounts

30 Behavior
- Rationalization, changes in behavior, contradictory behavior, or recurring negative behavior patterns
- Lack of stability
- Inadequate income for lifestyle
- Resentment of superiors and frustration with job
- Emotional trauma in home or work life
- Undue expectations from family, company, or community
[Chart: behavioral red flags, percent of cases]
- Financial difficulties: 35.7%
- Living beyond means: 34.4%
- Divorce/family problems: 20.6%
- Unusually close assoc with: 17.2%
- Control issues, unwillingness to: 15.1%
- "Wheeler-dealer" attitude: 15.1%
- Irritability, suspiciousness, or: 10.7%
- Addiction problems: 10.0%
- Past employment-related problems: 8.6%
- Complained about inadequate pay: 6.9%
- Instability in life circumstances: 6.5%
- Refusal to take vacations: 5.5%
- Past legal problems: 5.5%
- Excessive pressure from within: 4.5%
- Complained about lack of authority: 4.1%
- Excessive family/peer pressure: 2.7%

31 Exit Interviews
An exit interview is an often overlooked tool for tightening up internal controls and uncovering ethics issues or, worse, fraudulent behavior. Those on their way out the door generally have nothing to lose. Therefore, they are more willing to honestly answer questions like, "Are you aware of any ethics violations or fraudulent behavior in the organization?"

32 Q & A