Fraud The Environment of Fraud Preventing Internal Fraud External Fraud


Page 1

Fraud

The Environment of Fraud

Preventing Internal Fraud

External Fraud

Page 2

Acknowledgments

Material is from:

Essentials of Corporate Fraud, T L Coenen, John Wiley & Sons, 2008

The Art of the Steal, Frank Abagnale, Broadway Books, 2001

CISA Review Manual, 2009

Check Fraud: A Guide to Avoiding Losses

The Art of Deception, Mitnick & Simon, Wiley & Sons, 2002

Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside

Reviewers:

Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

Page 3

ACFE 2012, 2014 “Report to the Nations on Occupational Fraud and Abuse”

The Problem

Organizations lose 5% of revenue annually due to internal fraud

Average scheme lasts 18 months, costs $140,000

20% of cases cost more than $1M

Smaller companies suffer greater average $ losses due to inadequate controls

(Chart: Amount recovered following an incident of fraud)

Page 4

Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

Internal or Occupational Fraud: Definition

Violates the employee’s fiduciary responsibility to the employer

Is done secretly and is concealed

Is done to achieve a direct or indirect benefit

Costs the organization assets, revenue, or opportunity

Page 5

Fraud Categories (category: % of cases, average $; examples)

Asset Misappropriation: 85% of cases, $130,000 average. Examples: theft of checks, cash, money orders, inventory, equipment, supplies, information

Bribery & Corruption: 37% of cases, $200,000 average. Examples: bribe to accept a contractor bid, or kickback, collusion, bid rigging; extortion: threat of harm if demand not met; false billing: providing lower quality, overcharging; conflict of interest in a decision the person has power over; corporate espionage: selling secrets

Financial Statement Fraud: 9% of cases, $1 million average ($4 million in 2010). Examples: revenue overstatement: false sales; understating expenses: delayed or capitalized expenses; overstating assets: no write-down of uncollectable accounts, obsolete inventory, …; understating liabilities: not recording owed amounts; misapplication of accounting rules, etc.

Page 6

Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

Legal Considerations of Fraud

Intentionally false representation

Not an error

Lying or concealing actions

Pattern of unethical behavior

Personal material benefit

Organizational or victim loss

Page 7

Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

Key Elements of Fraud

Motivation: Need or perceived need

Opportunity: Access to assets, information, computers, people

Rationalization: Justification for action

(Diagram: 3 Key Elements, Motivation, Opportunity, Rationalization)

Page 8

How Fraud is Discovered

ACFE “2014 Report to the Nations on Occupational Fraud and Abuse”

Tips were provided by employees 49%, customers 21.6%, anonymous sources 14.6%, vendors 9.6%.

Page 9

Collusion

Collusion: Two or more employees, or an employee and a vendor, defraud together

2012 Global Fraud Study, Assoc. of Fraud Examiners

Page 10

2012, 2014 Global Fraud Study, Assoc. of Fraud Examiners

Who Does Fraud?

Most $$$ internal frauds are committed by longer-tenured, older, and more educated staff

Executives commit the most expensive fraud: $500K

Median manager fraud: $130K

Median line employee fraud: $75K

Most hit: Banks/financial industries: 16.7%; Government/public administration: 10.3%; Manufacturing: 10.1%

95% have no criminal convictions related to fraud

To steal a lot of money, you must have a position of power and access: highly degreed > HS grad; older > younger people

Page 11

Discussion Points

What types of fraud could computer programmers or system administrators commit?

For each type of fraud, what methods may help to prevent such fraud?

Page 12

Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

Example 1: Financial Statement Fraud

Executives and Wall Street have high expectations: employees are needed to meet the standards. To meet these standards, it may be necessary to play the game, and financial statement fraud may be accepted. Methods of such fraud may include manual adjustments to accounts or improper accounting procedures.

Page 13

Managing Fraud Risk: A Practical Guide for Directors and Managers, Steve Giles

Example 2: Corruption

The Director of a subsidiary always purchases goods from 2 large organizations, who provide rebates for large purchase quantities. The director negotiated the contracts and pocketed the rebates into an off-shore bank account. Local vendors are upset that their bids are ignored.

Page 14

Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

Example 3: Asset Misappropriation

A manager took money from one account, and when payment was due, paid via another account. When that was due, she paid via a third account, etc. This lapping went on for years and was finally caught when a sickness resulted in her being absent from work for an extended period.

Page 15

Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

Asset Misappropriation Vocabulary

Skimming: Taking funds before they are recorded in company records

Cash Larceny: Taking funds (e.g., a check) that the company recorded as going to someone else

Embezzlement: Abusing a business privilege for personal gain

Lapping: Theft is covered with another person’s check (and so on)

Check Tampering: Forged or altered check for gain

Shell Company: Payments made to a fake company

Payroll Manipulation: Ghost employees, falsified hours, understated leave/vacation time

False Shipping Orders or Missing/Defective Receiving Record: Inventory theft

Page 16

Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

Detecting & Preventing Fraud

How to Recognize Fraud

How to Prevent Fraud

Info. Systems Applications

Page 17

Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

Fraud & Audit

Audits are not designed to detect fraud. Goal: Determine whether the financial statement is free from material misstatements. Auditors test only a small fraction of transactions.

Auditors must:

Be aware of the potential of fraud

Discuss how fraud could occur

Delve into suspicious observations and report them

Page 18

Red Flags

Significant change in lifestyle: New wealth

Addiction: Gambling, drug addiction, infidelity

Criminal background

Chronic legal problems

Dishonest behavior in general

Beat the system: Breaks rules commonly

Dissatisfaction with job

Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

Statistics: ACFE

Page 19

Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

Work Habits of Fraudsters

One or more of:

Justifying poor work habits

Desperately trying to meet performance goals

Over-protective of certain documents (poor sharing or avoids documentation)

Refusal to swap job duties

Consistently at work in off-time (early or late), or never absent

Page 20

Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

Potential Transaction Red Flags

Unusual transactions: Unusual timing, too frequent or infrequent

Unusual amount: too much or too little

Unusual participant: involves an unknown or closely-related party

Voided checks or receipts, with no explanation

Insufficient supervision

Pattern of adjustments to accounts

Different addresses for the same vendor, or vendors with similar names

Page 21

Fraud Control Types (by time relative to the fraud)

Preventive Controls** (before fraud: ***BEST***): Preventing fraud includes: Segregation of duties; Ethical culture; Internal controls: physical & data security, authorization (passwords, etc.), signed documents; Fraud education; Employee support programs; Background checks

Detective Controls (at the time of fraud): Finding fraud when it occurs includes: Anonymous hotline* -> Surprise audits* -> Monitoring activities -> Complaint or fraud investigation; Mandatory vacations

Corrective Controls (after fraud): Punishment -> Amend controls; Fidelity insurance; Employee bonding

Page 22

Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

Techniques to Discourage Fraud (by key element)

Opportunity: Segregation of duties; Checks and balances; Job rotation; Physical security of assets; Background checks; Mandatory vacations; Examination of required documentation

Rationalization: Trained in policies and procedures; Policy enforcement; Sr. Mgmt models ethical behavior to customers, vendors, employees, shareholders

Motivation: Realistic job expectations; Adequate pay; Training in job duties

Page 23

CISA Review Manual 2009

Segregation of Duties

Four roles, each held by a different person: Origination; Authorization (approves); Distribution (acts on); Verification (double-checks)

Page 24

CISA Review Manual 2009

Compensating Controls

When Segregation of Duties is not possible, use:

Audit Trails

Transaction Logs: Record of all transactions in a batch

Reconciliation: Ensure transaction batches are not modified during processing

Exception reporting: Track rejected and/or exceptional (non-standard) transactions

Supervisory or Independent Reviews

Separation of duties: authorization, distribution, verification
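The segregation-of-duties roles on the previous slide and the compensating controls on this one, as an added example in Python (not from the slides or the CISA Review Manual): each payment in a constructed batch records who originated, authorized, distributed and verified it; `sod_violations` finds any stage pair held by one person, `transaction_log` produces the per-batch log, `batch_control`/`reconcile` capture control totals and a content digest so a modification during processing is detected, and `exception_report` lists non-standard transactions. The batch data, field names and the 50,000 approval limit are constructed assumptions.

```python
"""Segregation of duties (SoD) check and compensating controls over a batch of
payment transactions. Added example, not from the slides or the CISA manual.
The data, field names and approval limit are constructed for illustration."""
import copy
import hashlib
import json
from itertools import combinations

# The four CISA roles from the slide; each is a field naming who performed it.
STAGES = ("originated_by", "authorized_by", "distributed_by", "verified_by")
APPROVAL_LIMIT = 50000.00  # assumed single-transaction authorization limit

# Constructed sample batch (not real data).
SAMPLE_BATCH = [
    {"id": "P-1001", "vendor": "Acme Supply", "amount": 4200.00,
     "originated_by": "alice", "authorized_by": "bob",
     "distributed_by": "carol", "verified_by": "dave"},
    {"id": "P-1002", "vendor": "Acme Supply", "amount": 980.00,
     "originated_by": "alice", "authorized_by": "alice",   # originator approves own entry
     "distributed_by": "carol", "verified_by": "dave"},
    {"id": "P-1003", "vendor": "Northside Print", "amount": 250000.00,  # over limit
     "originated_by": "erin", "authorized_by": "bob",
     "distributed_by": "carol", "verified_by": "carol"},   # distributor verifies own work
]


def sod_violations(txn):
    """Return (stage_a, stage_b, person) for every pair of stages one person held."""
    return [(a, b, txn[a]) for a, b in combinations(STAGES, 2) if txn[a] == txn[b]]


def transaction_log(batch):
    """Compensating control 1: a transaction log, one line per transaction,
    recording every stage and who performed it."""
    return [
        f"{t['id']} {t['vendor']} {t['amount']:.2f} "
        + " ".join(f"{s}={t[s]}" for s in STAGES)
        for t in batch
    ]


def batch_control(batch):
    """Compensating control 2: control totals captured when the batch is built
    (count, sum, digest of the canonical content), kept apart from the batch."""
    canonical = json.dumps(batch, sort_keys=True).encode()
    return {
        "count": len(batch),
        "total": round(sum(t["amount"] for t in batch), 2),
        "digest": hashlib.sha256(canonical).hexdigest(),
    }


def reconcile(batch, control):
    """Recompute the control totals after processing; any difference means the
    batch was modified in between. Returns {field: (expected, actual)}."""
    actual = batch_control(batch)
    return {k: (control[k], actual[k]) for k in control if control[k] != actual[k]}


def exception_report(batch, limit=APPROVAL_LIMIT):
    """Compensating control 3: exception report of non-standard transactions,
    here SoD conflicts and amounts above the authorization limit."""
    report = []
    for t in batch:
        reasons = [f"SoD conflict: {a} and {b} both by {p}" for a, b, p in sod_violations(t)]
        if t["amount"] > limit:
            reasons.append(f"amount {t['amount']:.2f} exceeds limit {limit:.2f}")
        if reasons:
            report.append({"id": t["id"], "reasons": reasons})
    return report


def demo():
    """Run the controls over the constructed batch, including a tampered copy."""
    control = batch_control(SAMPLE_BATCH)
    tampered = copy.deepcopy(SAMPLE_BATCH)
    tampered[0]["amount"] = 4300.00   # simulated modification during processing
    return {
        "log": transaction_log(SAMPLE_BATCH),
        "exceptions": exception_report(SAMPLE_BATCH),
        "clean_reconcile": reconcile(SAMPLE_BATCH, control),
        "tampered_reconcile": reconcile(tampered, control),
    }


if __name__ == "__main__":
    result = demo()
    for line in result["log"]:
        print(line)
    print(json.dumps(result["exceptions"], indent=2))
    print("tampered batch differences:", sorted(result["tampered_reconcile"]))
```

The control totals must be stored somewhere the people processing the batch cannot write to, or reconciliation proves nothing; the digest only adds value over count and sum when it is compared by an independent reviewer.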

Page 25

Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

Software to Detect Fraud

Provide reports for customer credits, adjustment accounts, inventory spoilage or loss, fixed-asset write-offs.

Detect unusual anomalies such as unusual amounts or patterns

Compare vendor addresses and phone numbers with employee data

Use range or limit validation to detect fraudulent transactions

Log computer activity: login or password attempts, data access attempts, and the geographic location of data access.

Page 26

Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

Red flags software can detect

Out-of-sequence checks

Large number of voids or refunds made by an employee or customer

Manually prepared checks from a large company

Payments sent to a nonstandard (unofficial) address

Unexplained changes in vendor activity

Vendors with similar names or addresses

Unapproved vendor, or new vendor with high activity
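The software checks on this slide and the previous one, as an added Python example (not from the slides or Coenen's book): it screens a constructed vendor master, employee master and check register for vendors with similar names or a shared address, vendor addresses or phone numbers that match employee data, out-of-sequence check numbers, an employee with an unusual number of voids, amounts that fail range/limit validation, and activity on an unapproved vendor. All records, the 10,000 limit, the void threshold and the near-limit rule (an addition here, not on the slide) are constructed assumptions.

```python
"""Red-flag screening over constructed vendor, employee and check-register
records. Added example, not from the slides or Coenen's book; all data, field
names, the approval limit and the void threshold are constructed assumptions."""
import re
from collections import Counter

# --- constructed sample data (not real) ---------------------------------
EMPLOYEES = [
    {"id": "E1", "name": "Jane Q. Roe", "address": "12 Elm St, Springfield", "phone": "555-0101"},
    {"id": "E2", "name": "Tom Lee", "address": "9 Oak Ave, Springfield", "phone": "555-0102"},
]
VENDORS = [
    {"id": "V1", "name": "Acme Supply Inc.", "address": "100 Industrial Way", "phone": "555-0200", "approved": True},
    {"id": "V2", "name": "ACME Supply, LLC", "address": "100 Industrial Way", "phone": "555-0201", "approved": True},
    {"id": "V3", "name": "JQR Consulting", "address": "12 Elm St, Springfield", "phone": "555-0101", "approved": False},
]
CHECKS = [  # check register in the order the checks were issued
    {"number": 1001, "payee": "V1", "amount": 1200.00, "issued_by": "E1", "void": False},
    {"number": 1002, "payee": "V2", "amount": 800.00, "issued_by": "E2", "void": True},
    {"number": 1004, "payee": "V3", "amount": 9900.00, "issued_by": "E1", "void": False},
    {"number": 1003, "payee": "V1", "amount": 450.00, "issued_by": "E1", "void": True},
    {"number": 1005, "payee": "V3", "amount": 9950.00, "issued_by": "E1", "void": True},
    {"number": 1006, "payee": "V3", "amount": 9975.00, "issued_by": "E1", "void": True},
]
AMOUNT_LIMIT = 10000.00   # assumed single-check approval limit
VOID_THRESHOLD = 3        # assumed: this many voids by one employee is unusual

_SUFFIX = re.compile(r"\b(inc|llc|ltd|corp|co|company)\b\.?")


def normalize_name(name):
    """Fold case, drop legal suffixes and punctuation so near-duplicates collide."""
    return re.sub(r"[^a-z0-9]", "", _SUFFIX.sub("", name.lower()))


def similar_vendors(vendors):
    """Vendors with similar names or a shared address."""
    by_name, by_addr = {}, {}
    for v in vendors:
        by_name.setdefault(normalize_name(v["name"]), []).append(v["id"])
        by_addr.setdefault(v["address"].strip().lower(), []).append(v["id"])
    flags = [("similar_name", ids) for ids in by_name.values() if len(ids) > 1]
    flags += [("shared_address", ids) for ids in by_addr.values() if len(ids) > 1]
    return flags


def vendors_matching_employees(vendors, employees):
    """Vendor address or phone number that matches an employee record."""
    emp_addr = {e["address"].lower(): e["id"] for e in employees}
    emp_phone = {e["phone"]: e["id"] for e in employees}
    hits = []
    for v in vendors:
        if v["address"].lower() in emp_addr:
            hits.append((v["id"], "address", emp_addr[v["address"].lower()]))
        if v["phone"] in emp_phone:
            hits.append((v["id"], "phone", emp_phone[v["phone"]]))
    return hits


def out_of_sequence(checks):
    """Check numbers that are not the next expected number in issue order.
    Returns (check_number, expected_number) pairs."""
    flags, high = [], None
    for c in checks:
        if high is not None and c["number"] != high + 1:
            flags.append((c["number"], high + 1))
        high = c["number"] if high is None else max(high, c["number"])
    return flags


def excessive_voids(checks, threshold=VOID_THRESHOLD):
    """Employees who voided at least `threshold` checks."""
    counts = Counter(c["issued_by"] for c in checks if c["void"])
    return {emp: n for emp, n in counts.items() if n >= threshold}


def limit_validation(checks, limit=AMOUNT_LIMIT, near=0.95):
    """Range/limit validation: amounts over the limit, plus amounts sitting just
    under it (an assumption added here: repeated near-limit amounts can indicate
    splitting to stay below the approval threshold)."""
    return {
        "over": [c["number"] for c in checks if c["amount"] > limit],
        "near_limit": [c["number"] for c in checks if near * limit <= c["amount"] <= limit],
    }


def unapproved_vendor_activity(vendors, checks):
    """Number of checks issued to vendors not yet approved."""
    unapproved = {v["id"] for v in vendors if not v["approved"]}
    return dict(Counter(c["payee"] for c in checks if c["payee"] in unapproved))


def screen(vendors=VENDORS, employees=EMPLOYEES, checks=CHECKS):
    """Run every red-flag test and return the findings keyed by test name."""
    return {
        "similar_vendors": similar_vendors(vendors),
        "vendor_employee_match": vendors_matching_employees(vendors, employees),
        "out_of_sequence_checks": out_of_sequence(checks),
        "excessive_voids": excessive_voids(checks),
        "limit_validation": limit_validation(checks),
        "unapproved_vendor_activity": unapproved_vendor_activity(vendors, checks),
    }


if __name__ == "__main__":
    for test, finding in screen().items():
        print(f"{test}: {finding}")
```

Each finding is a lead for a reviewer, not proof of fraud: two legitimate divisions of one supplier can share an address, and a gap in check numbers can be a spoiled form. The value of the script is that it runs over the whole register, whereas an auditor samples only a small fraction of transactions.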

Page 27

Encourage Security in IT Departments

Physical security

Segregation of duties

Employee monitoring

Surprise audits

Job rotation

Examination of documentation

(Diagram: segregated IT roles, Quality Assurance, Programmer/Analyst, Business Analyst)

Page 28

The Art of the Steal, Frank Abagnale, Broadway Books 2001

Business Application: Checks

Checks locked up; access restricted

Physical inventory of checks at least every quarter

New accounts payable vendors’ existence and address double-checked by management

Returned checks sent to a PO Box and evaluated by someone independent of Accounts Payable

Page 29

Question

What is the MOST effective means of preventing fraud?

1. Effective internal controls

2. Fraud training program

3. Fraud hotline

4. Punishment when fraud is discovered

Page 30

Question

A woman in the accounting department set up a vendor file with her own initials, and was able to steal more than $4 M after 3 years. The auditor should have found that:

1. The vendor was a phony company

2. Purchases from the vendor did not result in inventory received

3. The initials for the vendor matched an employee in the accounting dept.

4. Management did not authorize new vendors with a separate phone call

Page 31

Question

What is: Origination, Authorization, Distribution, Verification?

1. Four stages of software release

2. Recommended authority allocations for access control

3. Stages for development of a Biometric Identity Management System (BIMS)

4. Categories for Segregation of Duties

Page 32

From: The Art of the Steal, Frank Abagnale, Broadway Books 2001 & Check Fraud: A Guide to Avoiding Losses

External Fraud

Social Engineering

Check Fraud

Other Scams

Page 33

Red Flags Rule (red flag category: example red flag cases)

Suspicious Documents: Identification or application looks forged or altered. Info is inconsistent between ID, what the client says, and their records. Picture or signature differs.

Personal Identifying Information: Info matches other clients. Info looks suspicious: phone number is an answering service; SSN is on the Death Master File; info inconsistent with credit report. Incomplete application and client fails to submit additional info. Client cannot provide authenticating info beyond name, address, phone.

Account Activity: A major change in spending or payment habits. A change in address, followed by unusual requests: e.g., multiple credit cards. Initial use of credit card shows unusual activity: first payment only; purchase of products easily converted to cash: electronics, jewelry. Inactive accounts become suddenly active. Mail is undeliverable but transactions continue.

Warnings from a Credit Agency: Changes to a credit report, inconsistent with client’s history. Indication of fraud, credit freeze or other abuse. Changes in recent credit transactions: increase in inquiries or new accounts.

Other Sources: Tip indicates an account has been opened inappropriately or used fraudulently.

Page 34

The Art of Deception, Mitnick & Simon, Wiley, 2002

Social Engineering I

Email: “The first 500 people to register at our Web site will win free tickets to … Please provide company email address and choose a password.”

“You received a message from Facebook. Follow this link … log in.”

Social engineering: Getting people to do something they would not ordinarily do for a stranger

Social engineering is nearly 100% effective

Page 35

Social Engineering II

Telephone call from ‘IT’: “Some company computers have been infected with a virus that the anti-virus software cannot fix. Let me walk you through the fix…”

“We need to test a new utility to change your password…”

Page 36

Social Engineering III

Phone call 1: “I had a great experience at your store. Can you tell me the manager’s name, address?”

Phone call 2: “This is John from X. I got a call from Alice at your site wanting me to fax a sig-card. She left a fax number but I can’t read it, can you tell me? What is the code?” “You should be telling me the code…” “That’s ok, it can wait. I am leaving but Alice won’t get her information…” “The code is …”

Phone call or fax 3: “I need … Code is …”

Page 37

The Art of Deception, Mitnick & Simon, Wiley 2002

Social Engineering Techniques

Learns insider vocabulary and/or personnel names

Pretends to be a legitimate insider: “I am <VP, IT, other branch, other dept>. Can you …?”

Pretends a real transaction. Helping: “I am in trouble” <or> “you need help due to …”; “<My, Your> computer is <virused, broke, busy, don’t have one>. Can you <do, tell me> …?” Deception: Hides the real question among others.

Establishes a relationship: Uses friendliness to gain trust for future tasks

Page 38

Combating Social Engineering

Verification Procedure:

Verify the requester is who they claim to be

Verify the requester is currently employed in the position claimed

Verify the role is authorized for the request

Record the transaction

Organization security:

Data classification defines treatment

Policies define guidelines for employee behavior

Employees trained in roles, need-to-know, and policies
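The four-step verification procedure on this slide, as an added Python example (not from the slides or from Mitnick & Simon): a phoned-in request is checked against an authoritative directory for identity, current employment in the claimed position, and role authorization, and every decision is logged. The directory, the policy table, the request types and the rule that identity counts as verified only when the requester was reached on the directory-listed number (never on a number the caller supplied) are constructed assumptions.

```python
"""Verification procedure for a phoned-in request, applying the four steps on
the slide against an authoritative directory. Added example, not from the
slides or from Mitnick & Simon; the directory, policy table and request are
constructed assumptions."""
from dataclasses import dataclass

# Constructed HR directory: the source of truth for identity, employment and
# the number at which each person can be reached.
DIRECTORY = {
    "alice": {"position": "payroll clerk", "active": True, "phone": "x4411"},
    "bob": {"position": "it admin", "active": True, "phone": "x4420"},
    "carol": {"position": "payroll clerk", "active": False, "phone": "x4412"},  # left the company
}

# Constructed policy: positions authorized to make each request type by phone.
AUTHORIZED = {
    "password_reset_self": {"payroll clerk", "it admin"},
    "password_reset_other": {"it admin"},
    "export_payroll_file": set(),   # never granted on a phone request
}

AUDIT_LOG = []   # step 4: every decision is recorded, granted or not


@dataclass(frozen=True)
class Request:
    claimed_user: str
    claimed_position: str
    request_type: str
    callback_number_used: str   # number the handler actually called back on


def verify_request(req):
    """Return {'granted': bool, 'failed_step': str|None} after running the
    slide's four verification steps in order and logging the outcome."""
    record = DIRECTORY.get(req.claimed_user)
    failed = None
    # Step 1: identity. The caller is only accepted if reached on the number
    # held in the directory, never on a number the caller supplied.
    if record is None or req.callback_number_used != record["phone"]:
        failed = "identity"
    # Step 2: currently employed in the position claimed.
    elif not record["active"] or record["position"] != req.claimed_position:
        failed = "employment"
    # Step 3: the role is authorized for this kind of request.
    elif req.claimed_position not in AUTHORIZED.get(req.request_type, set()):
        failed = "authorization"
    decision = {"granted": failed is None, "failed_step": failed}
    # Step 4: record the transaction, including refusals.
    AUDIT_LOG.append({"user": req.claimed_user, "request": req.request_type, **decision})
    return decision


if __name__ == "__main__":
    for r in (
        Request("alice", "payroll clerk", "password_reset_self", "x4411"),
        Request("alice", "payroll clerk", "password_reset_other", "x4411"),
        Request("carol", "payroll clerk", "password_reset_self", "x4412"),
        Request("bob", "it admin", "password_reset_other", "555-0199"),  # number given by caller
    ):
        print(r.claimed_user, r.request_type, verify_request(r))
```

The order of the steps matters: authorization is checked only for a requester whose identity and employment have already been confirmed, so a caller who names the right position cannot borrow its privileges. Refused requests are logged as well, since a run of refusals against the same account is itself a signal worth reviewing.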

Page 39

The Art of the Steal, Frank W Abagnale, Broadway Books 2001

Fraud Scams

Get a receipt from the trash, ‘return’ a product

Copy a gift certificate and cash it in at multiple locations

Markdown sale prices reimbursed with receipt – copied and collected at multiple locations

Fake UPC numbers to pay low prices, then return at the higher price. If the receipt total is sufficient, the scam may work.

Page 40

The Art of the Steal, Frank W Abagnale, Broadway Books 2001

Preventing Scams

Receipts must have security marks on them (e.g., two-colored ink on special paper, or better: thermochromatic ink)

Line-item detail on receipts and sales records in the company database

Garbage bins which may receive receipts should be protected from access (e.g., bank garbage bins)

Register gift certificates – unique numbers

Shredders should be used for any sensitive information

Protect against shoulder surfing or device attachment for card readers

Page 41

The Art of the Steal, Frank W Abagnale, Broadway Books 2001

Check Fraud Examples

Altered Checks: Chemicals are used to erase the payee or amount, which is then re-printed, OR the check is appended to. An Argentinian modified a ticket-overpayment refund check from Miami, changing a $2 check to $1.45 Million.

Counterfeit Checks or Identity Assumption: Someone in your checkout line views your check, or does yard work for you; fishes in a business’s in-mailbox or a home’s out-mail for a check; checks can be purchased on-line or by mail order.

Telemarketing Fraud: “You’ve won a prize” or “Would you like to open a VISA?” “Now give me your account information.”

Hot Check: “Insufficient Funds”. 90% of ‘insufficient funds’ checks are numbered between 101 and 200; the account opening year is printed on the check.

Page 42

The Art of the Steal, Frank W Abagnale, Broadway Books 2001

Be Careful Printing Checks!

Paychecks & Accounts Payable should not be printed on blank check paper

Laser printer is non-impact (ink does not go into the paper but sits on top): easy to remove the printing. ‘Laser Lock’ or ‘Toner Lock’ seals laser printing.

Matrix printer puts ink into the paper: chemical ‘washing’ removes the print

Good Practices: Use larger printing: 12 point font; Reverse toner in software: white on black; Control check stock and guard checks; Check your bank statements – you have 30 days

Page 43

Check Fraud: A Guide to Avoiding Losses

Check Security Features

Watermark: Subtle design viewable at a 45-degree angle toward light. Cannot be photo-copied

Void Pantograph: Background pattern of checks. When photo-copied, the background pattern disappears or prints ‘VOID’

Chemical Voids: When the check is treated with eradicator chemical, the word VOID appears

Microprinting: When magnified, the signature or check border appears to be written words. The resolution is too fine for a photo-copier

3-Dim. Reflective Holostripe: Metallic stripe contains at least one hologram, similar to a credit card.

Security ink: Reacts to eradication chemicals, distorting the check

Thermochromic Ink: Ink reacts to heat and moisture by fading and reappearing

Page 44

The Art of the Steal, Frank W Abagnale, Broadway Books, 2001

Processing Money Orders

Money order information provides info on a ready checking account

A non-negotiable incoming wire account prevents out-going checks

(Illustration) “I would like to send you a money order. What is your account number?” “THANK YOU SO MUCH!!!”

Page 45

Study Questions

What are the key elements of fraud, and what techniques can be used to counteract these key elements?

What are the three categories of fraud?

What are the legal considerations of fraud?

Who commits fraud, and who commits the most expensive fraud?

What are the red flags of potential fraud?

How does social engineering occur, and how can it be prevented?

Apply the concept of segregation of duties.