
Red flags… Now what? - Association of College ...


8/29/2016

DRAFT FOR DISCUSSION

Red flags… Now what?

Mohammad Shehab
Andrew Cartwright

[email protected] [email protected] http://www.aub.edu.lb/safereporting

Red flags… Now what?

• Most employees do not know what to do when they identify red flags even when the latter are highly correlated with fraud.

• Management jumps to conclusions when detecting red flags and takes uncalculated actions that might aggravate the situation instead of solving the problems encountered.

• This session provides better practices to respond to identified red flags to help businesses in detecting possible frauds and drafting reasonable remedial action plans.

Red flags… Now what?

1. A quick overview
2. Definitions, theory
3. Questions of Principle – Better Practices
   • Fraud Risk Management
   • Fraud Risk Assessment
   • Fraud Prevention
   • Fraud Detection
   • Reporting allegations, Assessment, Investigation
4. Some examples

Overview

“The variation is always in the system. A bad system will beat a good person… every time.”

William Edwards Deming

Overview

• Red flags do not mean fraud
• Be proactive and know your business
• Always follow up – analyse, observe, enquire
• Red flags can identify areas for improvement

What is the economic substance? Does value leave the company? How?

The difference between canny business practices and unethical behavior can seem arbitrary to the uninformed

Overview

• Government, Publicly traded, Private, Private Not-For-Profit

• Laws, rulings, regulations, policies, procedures, contracts, standards, guidelines, better practices

• Country, sector, business opportunity, delivery channel, lines of business, business processes, product, service, supply chain, transaction, local, remote, manual, electronic, accounting systems, function, employee, customer, supplier, stakeholder, organizational culture, reputation

• The complex weave of people, activities, things, location, time and organization

Overview
Transparency International (TI)

[Figure: 2015 data and graphs overlaid 2014 webtool]

Lying, Cheating, Stealing, Waste & Abuse

What are the main assets of Google, Oracle, Microsoft, …? If an employee took data from an IT company, how best to classify the conversion? Corruption or Misappropriation? Both?

Is it time to update our occupational fraud tree? Or…? (Managing Bus Risk Fraud p 27)

• Intangible Assets
• Intellectual Property
• Misuse of Data
• Theft

Definitions and theory
Cressey’s hypothesis

• Perceived non-shareable financial need
• Important to solve it in secret to maintain status
• General and technical circumstances
• What makes it acceptable for the perpetrator?
• Making the fraud triangle….

Fraud triangle: Pressure, Perceived Opportunity, Rationalization

Definitions and theory
Red flags and risk

What’s a Red Flag?
• Situational pressures and opportunity (p.1.205)
• (Cressey’s works in sociology and psychology)

Fraud Risk
• Vulnerability faced when an individual combines all three elements (p.4.701)

Fraud Risk Factors
• Classified by 3 conditions (AU §316.85 – SAS 99 and SAS 113)

Definition and examples
Opportunity

• The opportunity to commit fraud arises when employees have access to assets, including information, that allows them to both commit and conceal.

• Weak or non-functioning internal controls
• Poor management supervision, review and approval
• Misuse/abuse of one’s position and authority
• Collusion

Consider the opportunities!

• What is your business? How big is it?
• In what locations do you operate?
• In what operations could a fraud occur?
• What type of fraud is likely in the area?
• What would the fraud look like?
• What would it look like in the books and records?
• When could the fraud occur?
• Report to the Nation CAN HELP

ACFE Report to the Nation 2016


Overview
How mature is your environment?

[Figure: Maturity Model (adapted from CMM model), scale 0 to 100. Source: Internal Auditing and Fraud, IPPF Practice guide Pg 19]

• Level 1 - Initial (Chaotic)
• Level 2 - Repeatable
• Level 3 - Defined
• Level 4 - Managed
• Level 5 - Optimizing

Questions of Principle
Better Practices

• Principle 1: Do you have a fraud risk management program?
• Principle 2: Do you assess fraud risk exposure periodically?
• Principle 3: Have you established fraud prevention techniques?
• Principle 4: Have you established fraud detection techniques?
• Principle 5: Do you have a reporting process and a coordinated approach to investigation?

Red flags – Now What?
1. Fraud Risk Management

• Roles and responsibilities
• Policies
• Quality assurance
• Monitoring and review

• Code of ethical conduct
• Risk appetite / risk management
• Conflict disclosure
• Safe-reporting / whistle-blower
• Fraud policy

• Suspicious transactions
• Fraud response

Do you have a culture of compliance?

Red flags – Now What?
2. Fraud Risk Assessment

• What are your processes?

• What weaknesses exist?

• How might the weaknesses be exploited?

• How can controls be overridden / exploited?

• How can the exploit be concealed?

For example – Sales / Revenue

Red flags – Now What?
2. Fraud Risk Assessment - Revenue

• Sales trends out of line with industry
• Sales exactly meet budget or expectations
• Sales on tax return differs from sales reported in financial statements.
• Mis-match between revenues and proportionate taxes
• Excessive returns after period end
• Side agreements identified in confirmations
• Missing documentation
• Unusual increase in the number of days sales in receivables
• Customer invoice shows extended payment terms or unusual return allowances

Red flags – Now What?
2. Fraud Risk Assessment - Revenue

Columns: Identified fraud risks and schemes; Likelihood; Significance; People and/or department; Existing anti-fraud controls; Controls effectiveness assessment; Residual risks; Fraud risk response

Financial reporting

Revenue recognition
- Backdating agreements
- Channel stuffing
- Inducing distributors to accept more product than necessary
- Holding books open
- Via recording detail transactions in a sub-ledger
- Via recording top-side journal entries
- Additional revenue risks

Management estimates
- Self insurance
- Altering underlying detail claims and estimate data
- Fraudulently changing underlying assumptions in estimation of liability
- Allowance for bad debts
- Altering underlying A/R aging to manipulate computation
- Fraudulent input from sales persons or credit department on credit quality
- Additional estimates

Disclosures
- Footnotes
- Additional disclosures

Red flags – Now What?
2. Fraud Risk Assessment - Revenue

Financial Reporting: Revenue recognition

• Backdating agreements
  Likelihood: Reasonably possible
  Significance: Material
  People and/or department: Sales personnel
  Existing anti-fraud controls: Controlled contract administration system
  Controls effectiveness assessment: Tested by IA
  Residual risks: N/A
  Fraud risk response: Periodic testing by IA

• Channel stuffing
  Likelihood: Remote
  Significance: Insignificant
  People and/or department: N/A
  Existing anti-fraud controls: N/A
  Controls effectiveness assessment: N/A
  Residual risks: N/A
  Fraud risk response: N/A

• Holding books open
  Likelihood: Reasonably possible
  Significance: Material
  People and/or department: Accounting
  Existing anti-fraud controls: Standard monthly close process; Reconciliation of invoice register to general ledger; Established procedures for shipping, invoicing, and revenue recognition; Established process for consolidation
  Controls effectiveness assessment: Tested by IA; Tested by management; Tested by IA; Tested by IA
  Residual risks: Risk of management override
  Fraud risk response: Testing of late journal entries; Cut off testing by IA

• Late shipments
  Likelihood: Reasonably possible
  Significance: Significant
  People and/or department: Shipping dept.
  Existing anti-fraud controls: Integrated shipping system, linked to invoicing and sales register; Daily reconciliation of shipping log to invoice register; Required management approval of manual invoices
  Controls effectiveness assessment: Tested by IA; Tested by management; Tested by IA
  Residual risks: Risk of management override
  Fraud risk response: Cut off testing by IA

• Side letters / agreements
  Likelihood: Probable
  Significance: Material
  People and/or department: Sales personnel
  Existing anti-fraud controls: Annual training of sales and finance personnel on revenue recognition practices; Quarterly signed attestation of sales personnel concerning extra contractual agreements; Internal audit confirming with customers that there are no other agreements, written or oral, that would modify the terms of the written agreement
  Controls effectiveness assessment: Tested by management; Tested by management
  Residual risks: Risk of override
  Fraud risk response: Disaggregated analysis of sales, sales returns, and adjustments by salesperson

• Inappropriate journal entries
  Likelihood: Reasonably possible
  Significance: Material
  People and/or department: Accounting & Finance
  Existing anti-fraud controls: Established process for consolidation; Established, systematic access controls to the general ledger; Standard monthly and quarterly journal entry log maintained. Review process in place for standard entries, and nonstandard entries subject to two levels of review
  Controls effectiveness assessment: Tested by IA; Tested by IA; Tested by management
  Residual risks: Risk of override; N/A; N/A
  Fraud risk response: Data mining of journal entry population by IA for:
    • Unusual Dr/CR combinations
    • Late entries to accounts subject to estimation

Red flags – Now What?
3. Fraud Prevention

• Tone at the top
• Culture of compliance
• Awareness
• Planning / organization
• HR hiring and evaluation procedures
• Physical / Logical Safeguards

• 3 Lines of Defense
• Authority limits
• Transaction Controls
• Adequate Review and Supervision
• Timely, reliable, faithful, complete and accurate reporting

Do you have effective controls?

Red flags – Now What?
Principle 4. Fraud Detection

• Regular part of business

• Use external & internal information

• Formally and automatically communicate to appropriate leadership

• Use results to improve controls

• Take time to think about what you see

Red flags – Now What?
Principle 5. Reporting / Investigation

• A review / investigation is a project
• Do you have a plan that is clear about
  • Scope and objectives
  • Resources
  • Time
  • Quality
  • Risk
  • Your protocol
• Begin with the end in mind

[Figure: risk relationship diagram. Elements: Owners; Individuals and/or events; threats; assets; mitigations; weaknesses; risk. Relationship labels: value; wish to minimize; wish to use/abuse and/or may harm; give rise to; leading to; that increase; that exploit; to reduce; that may have; that may be reduced by; may be aware of; require; to]

How does the value leave the company?

Red flags – Now What?
Principle 5. Reporting / Investigation

[Figure: reporting and investigation process flow. Box labels in page order: Safe Reports; Management Review; Internal Audit; Internal Controls; Accident; Other; Allegation; Categorize; Evaluation; Verification; Observation; Analysis; IT Forensics; Objective Setting; Initial Interviews; Initial Assessment; Notification; Evidence Preservation; Document & Data Collection; Stop Loss; Interviews; Profiling; Document & Data Analysis; Investigation; Background & Assumptions; Opinion; Conclusions & Recommendations; Information and Document Summary; Findings; Request for Necessary Documents; Exhibits; Reporting; Quality Review; Administrative Resolution; Civil Restitution; Criminal Prosecution; External Reporting; Implement Control Improvements; Remediation]

Red flags – Now What?
Principle 5. Reporting / Investigation

• Remember that an error is just an error

• Be sceptical

• Always follow up

[Figure labels: Analyse, Observe, Enquire; Discuss, Evaluate, Validate & Report]

Red flags – Now What?
Principle 5. Reporting / Investigation

• Appreciate the system
  • Access data, understand flows

• Understand the variation
  • Stratify with a focus on the unusual
  • Systemic, outliers, errors, …. fraud?
  • Documentation irregularities?

Red flags – Now What?
Principle 5. Reporting / Investigation

For example
• Accounting Systems
  • Revenues, receivables, receipts
  • Purchases, payables, payments
  • Inventory, conversion, cost of goods sold
  • Personnel, payroll

Red flags – Now What?
Principle 5. Reporting / Investigation

Interviews
• People
  • Assume people are trustworthy – develop a rapport and sensitivity to lying
  • Be conversational
  • Be persistent and non-confrontational
  • Remember, you can learn a lot, just by listening

Red flags – Now What?
Principle 5. Reporting / Investigation

Matching
• People
• Activities
• Things
• Location
• Time
• Organization (structures)

Your goal is to reveal the true economic substance of the transactions

Procurement

Case # 1: A Nurse or a Thief ???

Over Billing

The Allegations
• Plausible scenario
• Lack of segregation of duties

Preliminary Review
• Analysis and enquiry
• Inventory count
• Tracing to medical reports
• Reconciliation receiving vs. billing

Results
• Results did not support the allegations
• What’s wrong?
• Other hypothesis?

Over Billing

• Barcode Reader
• Windows switch user
• Multiple Billing sessions

Error

Comparison

Error

Lessons Learned

• Fraud Policies and procedures
• Presumption of innocence
• No Department should investigate itself
• Safe Reporting

Error

Case # 2 & 3: Social Media & Fraud

Larceny

Lessons Learned

• Understand the process in question.
• CCTV in critical areas - installation and data storage.
• Database should store passwords encrypted.
• Encrypted answers to security questions
• Use different passwords for different systems
• Disable administrative passwords used by former employees.
• Enable and validate activity logs.

Misuse of Data

Larceny

Case # 4: Privacy & Emails

Is Business email Private?

Some Questions to consider

– 1. Does email constitute an official university record? Or,
– 2. Is it personal information?
  – What if any privacy principles or rules apply?
– 3. What has the company officially said about email?
– 4. If email forms an official record, can anyone other than the user ever access the email?
  – Precedents?
  – What circumstances may apply?
    – Continuity of service
    – Security
    – Audit
    – Legal
    – Other?

Some Questions to consider

– 5. If anyone other than the user has access to email, who may, and under what circumstances/methods?
  – Supervisors?
  – President?
  – Legal Counsel?
  – System Administrators?
  – Internal Audit?
  – External agencies?
– 6. What are the relevant policies?
– 7. What is a reasonable protocol?
  – For access to current email (i.e. today’s email boxes)
  – For access to historical backups (encrypted whole database files)

Some Questions to consider

– What are the grounds for believing the things to be searched for exist?
– What are the grounds for saying that the things to be searched for are at the place to be searched?
– What are the grounds for saying
  – a) the offence has been committed as described or that
  – b) the operation requires the information, or that
  – c) an emergency exists the resolution for which may lie within?
– How will the things to be searched for afford evidence of the commission of the offence alleged?
– What are the grounds for saying that the place to be searched is at the location identified?

Some Questions to consider

• The decision maker should be satisfied:
  – that an offence has been committed or is suspected of being committed;
  – that the location of the search is specific (a building, receptacle, place, record);
  – that the item sought will provide evidence of the commission of the offence or that the possession thereof is an offence of itself;
  – that the grounds stated are current so as to lend credence to the reasonable and probable grounds;
  – that there is a nexus between the various considerations set out.

• What factual grounds exist to support the conclusion?

Quaternary Privacy-Levels Preservation in Computer Forensics Investigation Process
6th International Conference on Internet Technology and Secured Transactions – 2011
Halboob, Abulaish, Alghathbar

TABLE 2. INVESTIGATION STEPS NEEDED FOR THE ENFORCEMENT OF QUATERNARY PRIVACY LEVELS

Main Investigation steps: Investigation sub-steps Level-0 Level-1 Level-2 Level-3

Investigation Planning and Preparing: Awareness x x x x

Search warrant x x x x

Authorization x x

Identification of tools/equipments x x x x

Chain of custody x x x x

Securing crime scene x x x x

Digital Evidence Collection: Normal selection x x

Selective Collection optional optional x x

Digital Evidence Preservation: Evidence authenticity x x x x

Access control optional x optional x

Audit trail optional x optional x

Digital Evidence Analysis: Normal analysis x x

Effective and efficient analysis optional optional x x

Digital Evidence Presentation: Reporting x x x x

Evidence presentation x x x x

Recommendation x x x x

Case closure x x x x

Lessons Learned

• Balance privacy, confidentiality, anonymity, timeliness, reliability
• Privacy Policy on Electronic Communication and Files
• Clear Authority for investigations
• Appropriate tools to investigate and search
• Preserving electronic evidence

Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, July 2009 www.justice.gov

Privacy

Other thoughts

Accept that data loss will occur

Understand greatest areas of weakness

Focus on prevention rather than response

Policies, procedures, authorities and roles

Culture of compliance

Clear communication on a need to know basis

Trust is not a control

No department should investigate itself

Privacy

Case #5 - Cash Register and Credit Card Fraud - A Safe Report

In Canada –

• Some refunds were made by a store manager that didn’t make sense

Initial Assessment?

• Let’s have a look at the sales journal

Cash Register Fraud
Red Flags

Red Flag #1
• Specific customers with several same day equal value deposit / refund transactions

Credit card report?

Red Flag #2
• Refund credit card different from deposit credit card

Misappropriation
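The two red flags above expressed as checks over a sales journal, as an added example that is not part of the original slides. The journal rows, column layout, customer ids, card digits and the `min_pairs` threshold are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sales-journal rows (illustrative, not data from the case):
# (date, customer id, type, amount, last four digits of the card used)
JOURNAL = [
    ("2016-03-01", "C-1001", "deposit", "650.00", "4417"),
    ("2016-03-01", "C-1001", "refund",  "650.00", "9032"),
    ("2016-03-01", "C-1001", "deposit", "650.00", "4417"),
    ("2016-03-01", "C-1001", "refund",  "650.00", "9032"),
    ("2016-03-02", "C-2040", "deposit", "120.00", "7788"),
    ("2016-03-09", "C-2040", "refund",  "120.00", "7788"),
    ("2016-03-03", "C-3300", "deposit", "300.00", "5150"),
    ("2016-03-03", "C-3300", "refund",  "300.00", "5150"),
    ("2016-03-04", "C-4100", "deposit", "980.00", "4417"),
    ("2016-03-05", "C-4100", "refund",  "980.00", "9032"),
]


def parse(journal):
    """Turn raw tuples into dicts, ordered by date with deposits first."""
    rows = [
        {"date": d, "customer": c, "type": t, "amount": Decimal(a), "card": card}
        for d, c, t, a, card in journal
    ]
    # ISO dates sort chronologically; "deposit" sorts before "refund".
    return sorted(rows, key=lambda r: (r["date"], r["type"]))


def same_day_equal_value(rows, min_pairs=2):
    """Red Flag #1: several same-day, equal-value deposit/refund pairs.

    min_pairs is an assumed threshold for "several"; a single same-day
    deposit and refund is treated as an ordinary cancellation.
    """
    counts = defaultdict(lambda: {"deposit": 0, "refund": 0})
    for r in rows:
        counts[(r["customer"], r["date"], r["amount"])][r["type"]] += 1
    return sorted(
        key for key, n in counts.items()
        if min(n["deposit"], n["refund"]) >= min_pairs
    )


def refund_card_mismatch(rows):
    """Red Flag #2: refund goes to a different card than the deposit.

    Each refund is matched to the oldest open deposit with the same
    customer and amount. A refund with no deposit at all is reported
    with None as the deposit card.
    """
    open_deposits = defaultdict(list)
    findings = []
    for r in rows:
        key = (r["customer"], r["amount"])
        if r["type"] == "deposit":
            open_deposits[key].append(r)
        elif r["type"] == "refund":
            deposit = open_deposits[key].pop(0) if open_deposits[key] else None
            deposit_card = deposit["card"] if deposit else None
            if deposit_card != r["card"]:
                findings.append(
                    (r["customer"], r["date"], r["amount"], deposit_card, r["card"])
                )
    return findings


def review_queue(journal):
    """Customers to follow up on, with the flags raised for each.

    A flag is a lead for analysis and enquiry, not a finding of fraud.
    """
    rows = parse(journal)
    queue = defaultdict(set)
    for customer, _date, _amount in same_day_equal_value(rows):
        queue[customer].add("RF1 same-day equal-value deposit/refund")
    for customer, *_rest in refund_card_mismatch(rows):
        queue[customer].add("RF2 refund card differs from deposit card")
    return {c: sorted(flags) for c, flags in sorted(queue.items())}


if __name__ == "__main__":
    for customer, flags in review_queue(JOURNAL).items():
        print(customer, flags)
```

Customers whose single deposit was refunded to the same card do not reach the queue, which keeps the follow-up list to the patterns the slide names.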

Credit Card Fraud
Investigation

Is it systematic? Deliberate? Intentional?

Obtain supporting documents
• monthly sales invoices and refunds with original credit card transaction tapes attached
• all transactions from our credit card provider

Misappropriation

Credit Card Fraud
Investigation

Obtain supporting documents
• deposits and refunds on our credit cards
• corporate purchasing card transactions
• an expense claim from several years before

Interview strategy
• Outside in – Senior manager, one employee

Misappropriation

Credit Card Fraud
Findings

• 22 phantom customers

• 207 transactions, $133,123.54

• Charged to a corporate purchasing card

• Refunded to a personal credit card

http://www.oakbaynews.com/news/119857939.html

Misappropriation

Lessons Learned

• Trust is not a control
• Segregation of duties
• Avoid giving corporate credit cards to personnel responsible for revenue systems
• Match transactions across systems

Red Flags – Now What?
Summary

• Red flags are NOT evidence that fraud is actually occurring.
• Effective Internal Control limits fraud
• Make sure people know to report
• Be proactive and know your business
• Always follow up - analyze, observe, enquire

Questions of Principle
Better Practices

• Principle 1: Fraud Risk Management
• Principle 2: Assess Fraud Risk Exposure
• Principle 3: Establish Fraud Prevention Techniques
• Principle 4: Establish Fraud Detection Techniques
• Principle 5: Safe Reporting process, Defined Approach to Investigation

Red Flags – Now What?
Next Steps

• Build on what you have

• Build partnerships – share knowledge

• Proceed step by step, project by project

• Be skeptical and diligent

• Be non-confrontational

Red Flags

“At the top, one works on the right problems with the wrong information. At the bottom, one works with the right information on the wrong problems.”

Arnold J. Meltsner

So Now What?

?

Andrew Cartwright, Mohammad Shehab

[email protected] [email protected]

http://www.aub.edu.lb/safereporting

Useful References

Red Flags of Fraud http://www.osc.state.ny.us/localgov/pubs/red_flags_fraud.pdf

Investigation of failure to uncover Madoff http://www.sec.gov/spotlight/secpostmadoffreforms/oig-509-exec-summary.pdf

The World's Largest Hedge Fund is a Fraud http://www.jdsupra.com/post/fileServer.aspx?fName=54539da2-994e-43b5-b271-19fbb7e723e3.pdf

Fraud Prevention Check Up http://www.acfe.com/fraud-prevention-checkup.aspx

ACFE Report to the Nation 2014 - Victim Organizations http://www.acfe.com/rttn-victim-organizations.aspx

ACFE Report to the Nation 2014 - Detection methods http://www.acfe.com/rttn-detection.aspx


Managing the Business Risk of Fraud - Executive Summary http://www.theiia.org/media/files/fraud-white-paper/Fraud%20Exec%20Summary.pdf

Managing the Business Risk of Fraud https://www.acfe.com/uploadedFiles/ACFE_Website/Content/documents/managing-business-risk.pdf

Android Malware Hummingbad http://www.dailydot.com/debug/hummingbad-malware-infects-85-million-android-device-makes-300000-per-month/

IIA - Internal Auditing and Fraud - MEMBERS https://na.theiia.org/standards-guidance/Member%20Documents/Fraud_PG_FINAL__12-09-2009_.pdf

IIA - Auditing Anti-bribery and Anti-corruption Programs - MEMBERS https://na.theiia.org/standards-guidance/Member%20Documents/PG-Auditing-Anti-bribery-and-Anti-corruption-Programs.pdf

IIA - GTAG - Fraud Prevention and Detection in an Automated World - MEMBERS https://na.theiia.org/standards-guidance/Member%20Documents/GTAG_13_12_2009.pdf

Dilemmas in the General Theory of Planning http://www.uctc.net/mwebber/Rittel+Webber+Dilemmas+General_Theory_of_Planning.pdf

Behavioural Red Flags Displayed by Perpetrators
ACFE Report to the Nation 2014

• Living Beyond Means: 44%
• Financial Difficulties: 33%
• Unusually Close Association with Vendor / Customer: 22%
• Control Issues, Unwillingness to Share Duties: 21%
• "Wheeler-Dealer" Attitude: 18%
• Divorce / Family Problems: 17%
• Irritability, Suspiciousness, or Defensiveness: 15%
• Addiction Problems: 12%
• Complained About Inadequate Pay: 9%
• Past Employment-Related Problems: 9%
• Refusal to Take Vacations: 9%
• Excessive Pressure from Within Organization: 8%
• Social Isolation: 7%
• Complained About Lack of Authority: 7%
• Excessive Family / Peer Pressure for Success: 6%
• Instability in Life Circumstances: 6%
• Past Legal Problems: 6%