Sunday, December 6, 2009

How Do You Recover Funds Lost to Fraud

When developing a Fraud Control Policy, an important part of that plan is to determine whether it is possible to recover funds that the organisation has lost to fraud. A number of issues need to be considered:
  • Does the organisation have insurance for fraud? This has been discussed previously. If the organisation has insurance for fraud, remember that cash flow could potentially be affected until such time as a payment is received.
  • Determine if it is economically viable to take civil recovery proceedings. If the fraudster has a gambling or other addiction, it is unlikely that funds will be available. However, if the fraudster has purchased a property or utilised the funds in some other similar way, funds may be available for recovery. The organisation must remember that the funds that have been taken are the organisation’s. The organisation should not “feel sorry” for the fraudster.
  • When the fraudster is found guilty, the court may order restitution. However, in this case the organisation must wait until the matter has been through Court. This may take 18 months or more. In this time, the fraudster may have disposed of any funds and assets that they have owned. This is the least favourable of the three alternatives.

Sunday, November 29, 2009

Should Fraud be Reported to the Police

When developing a Fraud Control Policy an important part of that plan is a clear statement as to whether fraud that has been discovered will be reported to the Police. A number of issues need to be considered in making this decision:

  • In some jurisdictions, it is required by law that any serious offence is reported to the Police. An organisation needs to understand if such a requirement is in place in its jurisdiction;
  • If an organisation does not report the matter to Police, the organisation needs to consider what message this sends to other employees and volunteers;
  • If an organisation does not report the matter to Police, will the person committing the fraud go on to another employer and commit fraud there?
  • By reporting the matter to Police, the organisation needs to consider if it is likely that the fraud will be reported in the media as it goes through the Court process and the potential damage this could cause the organisation;
  • The organisation’s insurance policy may require the fraud to be reported to the Police.

Sunday, November 22, 2009

Cheque Fraud

Cheque fraud can easily occur and can cost an organisation significant amounts if appropriate controls are not in place.

Cheque fraud can occur in a number of ways:
  • Using false invoices to have a cheque paid in favour of the false business;
  • Changing a legitimate cheque (payee and amount) without having authority to do so;
  • The theft of cheques and the use of those cheques at a later time;
  • Duplication of cheques, especially if they are preprinted by the company;
  • Depositing a cheque into another account without authority.

To prevent cheque fraud, there are a number of possible controls:

  • Reconcile the bank account on a regular basis;
  • Never sign blank cheques. Only sign cheques when details have been completed and there is documentation supporting the payment;
  • Limit the number of signatories on the account and remove signatories when they are no longer required;
  • Ensure that cheques require at least two signatories;
  • Keep all cheques in a safe place to deter theft;
  • Avoid the use of acronyms when completing the Payee;
  • If you are expecting more cheques and they have not arrived, contact the bank and cancel them.

Sunday, November 15, 2009

Using Imprest Accounts

If you operate at a number of different locations or have a number of branches, the use of imprest accounts may be a good solution.

An imprest account is used on the following basis:
  • The account holds a set balance (set depending on the spending requirements of the location / branch and on the regularity of the reimbursement (eg. weekly, monthly));
  • Deposits are made to the organisation’s general account and not the imprest account;
  • A reconciliation of the imprest account is conducted when a reimbursement is required;
  • Signatories to the imprest account are usually people located at the location / branch for ease of use of the account.

The use of an imprest account reduces the risk of fraud as it limits the amount that people at the location / branch can spend.

The imprest account system allows locations / branches to have some autonomy while still being restricted in the amount they can spend and still providing regular support for the expenditure they undertake.

Sunday, November 8, 2009

Travel Expenses

How do you control expenses spent by employees while travelling on work related trips? There are a few options which can be considered, each with their own benefits and risks.

Per Diems

These allow an organisation to reduce paperwork if they have a number of employees and volunteers travelling. A per diem is an allowance which can be easily set by referring to meal allowances as set by the relevant federal government. In Australia, this is set by the Australian Tax Office. If the employee spends more, it will be at their own personal cost. However, if they spend less they keep the amount they did not spend.

The benefit to the organisation is that it knows exactly how much it will spend and has a reduced level of paperwork. The potential cost to the organisation is that the employee spends less and therefore the organisation overpays the employee.

Full reimbursement of costs

In this situation, employees need to provide receipts for all meals and other costs incurred. However, the organisation needs to clearly set out what is and is not acceptable expenditure (for example, no alcohol and no hotel mini bar). If a number of employees and volunteers travel frequently, the administration of this system can outweigh the benefit of only reimbursing the actual costs incurred. Also, employees can spend more than they would under the per diem system because it’s “on the boss” or the organisation is paying for it. The other concern is that an employee obtains receipts for costs that were not actually incurred and claims reimbursement for them.

Both systems have advantages and disadvantages. Whichever system is used, there needs to be a clear policy developed for when employees and volunteers are travelling on business.

Sunday, November 1, 2009

Internet Fraud

I am surprised with the number of phishing emails that still arrive in my Inbox every week – most supposedly from banks which I don’t even have a bank account with. But the concerning aspect is that people still fall for the email and click the link, ending up giving their contact details.

So how do people get our information over the internet?

Phishing requires that a person provides their information, often via the email process we all see. An email is received from what appears to be a legitimate company (in many instances a bank). The email advises you of some issue – the bank has had a security upgrade, for example – and that they need you to verify your information. You click the link and are taken to a web page that looks almost identical to that of the company you have been dealing with. There you put in your username and password, and the hackers have your information.

A Trojan is malware used by a hacker to obtain unauthorised access to the user’s computer system. Trojans are designed to give hackers remote access to the user’s computer and the ability to perform the same functions the user can.

Key logging programs do as the name suggests: each key stroke entered by the user is recorded by the program. These programs are frequently used to obtain a person’s username and password for internet banking.

No matter what the issue, the preventative measures are the same. Here are some examples:

  • Have appropriate firewalls on computer systems;
  • Have up-to-date virus checking software and regularly check for updates to it;
  • Use a strong password and change it regularly;
  • If it seems too good to be true – it probably is. For example, never give your password to anyone;
  • Use security tokens or similar for internet banking.

Sunday, October 25, 2009

Protecting a whistleblower

A question I am often asked is – how do you protect a whistleblower?

Maintaining confidentiality is always the best alternative, but it is often impractical. A great summary of the practical problems that arise with maintaining confidentiality, along with practical alternatives has been prepared by the New South Wales Ombudsman.

A summary of these practical steps, being the minimum to be taken in all cases, is:

  • Support the whistleblower;
  • Provide guidance to the whistleblower on what is expected of them;
  • Provide the whistleblower with information about how the disclosure will be dealt with;
  • Give responsibility to someone senior to make sure the disclosure is dealt with appropriately and expeditiously;
  • Conduct a prompt investigation; and
  • Respond appropriately.

For more detail on these practical alternatives as well as for when the identity of the whistleblower is or is not likely to become known, click here for the article from the New South Wales Ombudsman.

Sunday, October 18, 2009

Whistleblower Policy

A whistleblower policy establishes a process that allows the board, employees, volunteers and other interested parties the ability to report in good faith any suspicions they may have regarding illegal, unethical or inappropriate actions.

When developing a Whistleblower Policy, the following should be considered:

  • The policy should include protection for all those involved with the organisation, including directors, employees, volunteers and others with an interest in the organisation (eg. members).
  • The policy should clearly set out what should be reported such as fraud, workplace safety issues, misconduct, breaches of policies, any activity that is illegal, abuse of authority etc.
  • The policy should clearly set out to whom and how someone should report suspicions. The person to whom reports are made should be chosen carefully. For example, it is suggested that it not be someone who has access to the organisation’s funds, such as the financial controller, as these are people who may be the subject of the reports. It is also appropriate to have a secondary reporting person for when the initial person is on leave or if the report is being made about that person. Both of these people need appropriate training on their responsibilities.
  • The option of using an external whistleblowing service should also be considered rather than utilising an internal person. These services are readily available and should be investigated. The provider of the services will take reports and either provide those reports to an appropriate person internally to investigate or assist the organisation with the investigation.
  • It is recommended that a “line manager” not be the reporting person. The reasons for this are that it may be the line manager who the report is being made about, which could make it difficult for the whistleblower to make a report, and that it would require training all line managers in their responsibilities as a receiver of reports rather than one or two people who deal with the issues on a regular basis.
  • When a person reports their suspicions they must be able to do so without fear of retaliation. However, it must also be clearly set out that a person will be dealt with if the report is made maliciously.
  • People should be able to make reports anonymously if they choose. However, people should understand that by making a report anonymously they may slow down the investigation. For example, the investigator cannot check with the person for additional information.
  • To reduce the possibility of anonymous reports, the policy should clearly promise confidentiality to the extent it is possible. For example, it may be necessary to advise law enforcement of the name of the person who made the report.

Sunday, October 11, 2009

Whistleblowing – Friend or Foe?

Many of us dodge the term Whistleblower – is it really a ‘dirty word’?

A whistleblower is someone who comes forward with information that has previously been concealed and it may not just be in relation to fraud. It could be in relation to workplace safety issues, harassment, etc.

Think about some of the well-known whistleblowers in recent times – Cynthia Cooper of WorldCom and Sherron Watkins of Enron – by coming forward, the information they were able to provide resulted in two of the largest corporate frauds in history being discovered.

No matter whether people like it or not, whistleblowing is one of the most effective ways of discovering fraud. In the 2008 Association of Certified Fraud Examiners Report to the Nation Survey, it was found that 46.2% of cases of fraud were detected by tip-off or a whistleblower. The 2008 BDO Not-for-Profit Fraud Survey found that 38% of fraud was discovered by tip-off. The statistics speak for themselves.

So how do we make use of the benefits of whistleblowers while protecting our employees and volunteers? We will address these issues over the coming weeks. Stay tuned!

Sunday, October 4, 2009

Resume Fraud – Is It Real?

A great article, “Resume Fraud: The Top 10 Lies” by Christopher T. Marquet, CEO of Marquet International Ltd, and Lisa J.B. Peterson, listed the top ten as:

  1. Stretching Dates of Employment
  2. Inflating Past Accomplishments & Skills
  3. Enhancing Job Titles & Responsibilities
  4. Education Exaggeration & Fabricating Degrees
  5. Unexplained Gaps & Periods of “Self Employment”
  6. Omitting Past Employment
  7. Faking Credentials
  8. Fabricating Reasons for Leaving Previous Jobs
  9. Providing Fraudulent References
  10. Misrepresenting Military Record

Falsifying a resume can cost an organisation significant sums if the employee does not have the skills to undertake the role appropriately or if the information omitted relates to previous fraud matters.

For more on the article by Marquet International Ltd, please click here.

Sunday, September 27, 2009

Using an internal audit facility

An internal auditor can be a great tool to help prevent and detect fraud. The role of the internal auditor can really be what the organisation wants and needs. An internal auditor usually assists in areas of corporate governance and risk management.

An internal auditor can review, test and recommend improvements in controls and processes, test the reliability of the financial reporting process, ensure the organisation complies with standards and legislation, as well as deter and investigate fraud. The board can make use of an internal auditor to cover areas where the board is concerned or suspicious of inconsistencies, or to improve controls where gaps or weaknesses exist.

If an internal auditor is appointed, he or she needs to be able to report directly to the audit committee or, if your organisation does not have an audit committee, a board member such as the treasurer or chair of the board.

For organisations that cannot have a full time internal auditor or an internal audit department, there are other options. It is possible to either hire an internal auditor on a part time basis (eg. one day a week) or engage the internal audit division of an accounting firm to assist.

Sunday, September 20, 2009

Collusion

Collusion is when two or more people agree (usually in secret) to deceive, mislead or defraud others.

If collusion is occurring, it usually is the result of a breakdown in controls. Collusion does, in some way, cost your organisation money. For example:

  • Consider collusion occurring between an employee and an employee of a contractor who is tendering for major construction works. Either the tender will be priced low enough for the contractor to win, which may result in poorer quality workmanship and / or materials being used, or it will be overvalued and the organisation may be charged more than it should be; or
  • As the purchasing officer in the organisation, the employee allows the supplier to charge more than the items could be purchased for elsewhere, thus incurring additional costs for the organisation.

To attempt to avoid collusion:

  • All employees should be required to disclose any potential conflict of interest that may exist;
  • All employees should be required to, at least yearly, sign off that they understand all policies and procedures;
  • Ensure that vendors and suppliers are fully aware that gifts and gratuities are not to be given to employees or volunteers. If they wish to support the organisation, it should be made by way of donation;
  • Ensure employees, volunteers and suppliers have a way of reporting suspected collusion. It is surprising the number of times collusion is picked up by another organisation that also has an employee involved in the collusion.

Collusion is very difficult to discover and also very difficult to investigate as any benefit is usually received by the individual. Any suspicion of collusion needs to be investigated thoroughly.

Sunday, September 13, 2009

Payments

Payments are usually made in one of three ways: cash, cheque or electronic payments. Each payment method has its own risks.

Cash Payments

When making cash payments (eg. out of petty cash) an invoice or receipt should be obtained for every payment made and the invoice / receipt needs to be confirmed to the cash amount paid. The person controlling the cash should not be the same person who reconciles the cash and the invoices / receipts, so any discrepancy can be adequately investigated. The fewer the cash payments needed the better.

Cheque Payments

The question is, is one signature enough? The answer is no, not even if the cheque is for a small amount. Cheques need to be signed by two people. The following should also be undertaken:

  • Cheques should never be pre-signed;
  • When the cheque is prepared for signing, all documents supporting proof of the requirement for payment should be attached;
  • The people who are signing the cheques need to thoroughly review the documents supporting the payment and sign the documents showing the appropriate approval;
  • The amount and payee on the cheque needs to be the same as on the supporting documents and needs to be confirmed by the people signing the cheque.

Electronic Payments

The first thing people who are authorising electronic payments need to remember is that their password for signing in to authorise the payments is the equivalent of their signature on a cheque. A person would not allow someone to forge their signature, so why let someone use their password?

The following should be undertaken when making payments electronically:

  • When the electronic payments are prepared for payment, all documents supporting proof of the requirement for payment should be thoroughly reviewed by the people authorising the payment;
  • The amount, payee and bank account details on the electronic payment authorisation need to be the same as on the supporting documents and need to be confirmed by the people authorising the payment.

It needs to be remembered that a common way for someone to commit fraud with electronic payments is for the person who sets up the payments to put in their own bank account number instead of a creditor’s bank account number. The people authorising payments need to be aware of this issue.

Sunday, September 6, 2009

Is your identity or your organisation’s information at risk?

There has been a lot of media about identity theft. However, you don’t just need to worry about someone stealing your personal papers, credit cards, driver’s licence or passport.

Norton Symantec has released a list of the 100 most dangerous websites on the internet and warns about malware.

For details of this very important topic, click here.

Sunday, August 30, 2009

Make sure employees take holidays

One of the common methods of detecting fraud is when the employee is away and another person undertakes their responsibilities. Some tips in relation to detecting fraud by making people take their holidays include:

  • Have a policy that requires employees to take at least part of their annual leave / holidays each year;
  • Have employees trained in other roles;
  • When an employee takes leave / holidays, another employee should step into the role;
  • If an employee, while on leave, comes into the office “just to get a few things up to date”, question the need for them to be there and what they are doing;
  • Determine if an employee on leave needs access to the organisation’s systems (including banking) – if not, deactivate access while they are away.

Sunday, August 23, 2009

Be Aware of Skimming

Skimming is the theft of funds before they are recorded in the records of an organisation. Skimming does not only involve the theft of cash however. It may be the theft of cheques or other types of payments, although cash is the most common.

Examples of skimming include:

  • A sporting club running a food stall – a person working at the stall puts cash from the sales of the food in his or her pocket rather than in the cash tin. At the end of the day, only the cash that has been placed in the cash tin is counted, recorded in the accounting records as income and subsequently banked;
  • As cheques are received into the organisation, an accounts clerk takes the cheques and banks them into a bank account opened in a similar name. From that account the clerk can divert funds to any account;
  • Selling items through a shop run by the organisation, the person does not “ring up” the sale but puts the money in the cash register in front of the customer. When the customer leaves, the person takes the cash out of the cash register.

Skimming can be difficult to discover and also to investigate.

Here are some ideas that may help prevent skimming:

  • Rotate duties. This can be hard when you rely on volunteers (eg. at sporting events or at shops). Rotate the person who takes the cash, rotate the volunteers between shops or stalls, or on a reasonably regular basis have someone else undertake the role and compare takings.
  • Conduct reconciliations. For example, a reconciliation may be undertaken of the cash received from a food stall to the amount of stock used (eg. to determine the number of hamburgers that were sold).
  • As a specific example, for food stalls use tickets. A cashier receives the cash and hands the person a ticket (eg. a blue ticket for a hamburger, a red ticket for a hotdog). When the item is cooked, the customer hands over the ticket to the person preparing the food, who places the ticket into a locked box (with an opening on the top for the tickets). At the end of the day, two people who have not worked on the stall count up the cash and the tickets – they should reconcile.

Sunday, August 16, 2009

Take regular computer back ups

This may seem like a common sense statement to make, but unfortunately many organisations do not take back ups of their computer data, or if they do, the back up sits next to the computer, which means it would also be damaged or destroyed if a fire occurred, or could also be stolen if the organisation was broken into.

There are a number of alternatives for how to appropriately store computer backups, but you need to investigate the options thoroughly.

For example, I was reviewing procedures for an educational facility and found that the IT manager was taking backups home. Unfortunately these backups held information on students and could fall into the wrong hands if the manager’s house was broken into.

Another example is for small organisations such as sporting clubs, which may have the treasurer maintain the accounting records from home. The club needs to determine the best option for maintaining the back up of data. This may be to have one or two other members of the board keep regular back ups in their home safes.

For larger organisations, a safe deposit box at a bank is always a good option.

Other options exist. For example, if you already have an offsite storage facility for your paper records, this may also entitle you to safely store your electronic back ups. You should investigate such options with your provider. Other back up facilities exist, such as online back ups, but these should be investigated thoroughly. For example, who else has access to your information if you are using an online back up service?

Back ups are not just a function of disaster recovery. As an organisation, records need to be maintained for a set period of time (eg. five years), so you should ensure you have a back up methodology that allows you to recover records for that period. This does not mean you have to keep every back up. For example, you may want to keep monthly, quarterly or yearly back ups.

But how does this relate to fraud? There are a few issues:

  • Back ups can show how, over a period of time, a person has hidden the fraud they have committed;
  • Back ups may be the only way to restore records after the fraudster has decided to destroy any evidence they believe may incriminate them;
  • Back ups of programs other than the accounting program (eg emails) can provide a lot of useful information to the investigation such as who the perpetrator has had contact with (eg. Discussions with a real estate agent about purchasing property which may be able to be recovered);
  • If the fraud is referred to law enforcement, back ups may be required as evidence.

Sunday, August 9, 2009

Conflicts of interest

A conflict of interest involves a conflict between a person’s duty and the person’s own personal or private interests. A conflict of interest can be actual, perceived or potential.

A conflict of interest is not necessarily unethical or wrong. However, it is how the conflict is identified and dealt with that is important.

An example of a potential conflict of interest is a board member’s family computer company being given the contract to supply the organisation with new computers and file server. The conflict would not be handled properly if the board member did not advise the board of his interest in the computer company and arranged for no other quotes to be obtained. The conflict would be handled appropriately if the board member advised the rest of the board of his interest in the computer company and whenever the potential contract was discussed and the contract awarded, the board member removed himself from the discussions.

So what should be done to avoid conflicts of interest?

  • A conflict of interest register should be maintained and should be completed by all board members for any potential conflicts of interest;
  • If a conflict of interest arises or potentially arises, the board needs to be advised immediately;
  • Any discussions or other dealings with the issue that resulted in the conflict of interest should exclude that board member, including not being provided any documents such as board papers or copies of tenders received relating to the matter;
  • Do not be involved in any discussions regarding the issues, including leaving the room during any board meetings when the matter is discussed;
  • Do not place yourself in a position that may result in a conflict of interest, eg. accepting a gift from a supplier or contractor or being able to use confidential information for personal gain.

Sunday, August 2, 2009

The Need to Change Passwords

A friend of mine, Micheal, provided a good example of when things can go wrong with passwords. Micheal's comments on last week's newsletter were:

I had a client where 13 people knew the super-user password to the timesheets application - which fed timesheet data to the payroll program. It had just happened that way over time as people got lax.

Needless to say everyone took advantage of the opportunity to their benefit...

It is important that, as people move from position to position within the organisation, their roles are reviewed, including what systems they should have access to and what passwords they have the ability to use. Master passwords should be changed when people who have had access to those passwords change positions; otherwise, unfortunately, the above may happen.

Sunday, July 26, 2009

Payroll Master File Fraud

Payroll fraud has been a common fraud for many years and continues to be so. One area of the payroll system susceptible to fraud is the payroll master file. Issues in relation to the payroll master file include the following:

  • Unauthorised changes being made to a person’s pay classification, pay rates or allowances paid.
  • Adding an additional person on the payroll – ghost employee.
  • Not removing an employee who no longer works for the organisation from the payroll.
  • Unauthorised changing of bank account details.

So how do we go about making it difficult for someone to commit fraud using the payroll master file? The following are examples of controls that will help reduce the likelihood of fraud occurring:

  • Develop an exception report that details any changes made to the payroll at each pay run. The report should be forwarded to someone not in the payroll section and any changes that do not appear reasonable should be investigated.
  • The person who has authority to make changes to the payroll master file should not have authority to process the regular payroll or have access to that part of the payroll function.
  • Develop a report that shows any duplicate payments to one employee or one bank account. Again, this report should be forwarded to someone not in the payroll section and anything listed on the report should be investigated.
  • HR should periodically review the payroll for the names of any employees who are no longer employed by the organisation.
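The exception report, duplicate-payment report and HR leavers check in the list above, written out as one runnable check. This is an added example, not the post's own code: it runs over constructed master file snapshots, a constructed HR leavers list and a constructed payment file, and the same account-comparison logic applies to the electronic payments warning earlier on the page.

```python
"""Payroll master file exception report (added example, not from the post).

Works on constructed snapshots of a payroll master file before and after
a pay run, an HR list of terminated employees and the run's payment file,
and returns the exception lines someone outside payroll should review.
All names, ids and account numbers are made up.
"""
from collections import defaultdict

# Master file fields whose change between pay runs should always be reported.
WATCHED_FIELDS = ("classification", "pay_rate", "allowance", "bsb_account")

# Constructed master file snapshot from the previous pay run.
PREV_MASTER = {
    "E001": {"name": "A. Lee", "classification": "L3", "pay_rate": 32.50,
             "allowance": 0.0, "bsb_account": "062-000 11112222"},
    "E002": {"name": "B. Singh", "classification": "L2", "pay_rate": 28.00,
             "allowance": 50.0, "bsb_account": "062-000 33334444"},
    "E003": {"name": "C. Ng", "classification": "L4", "pay_rate": 41.00,
             "allowance": 0.0, "bsb_account": "062-000 55556666"},
}

# Constructed snapshot after changes were keyed in for the current run:
# E002's bank account has changed, and a new E004 pays into that same account.
CURR_MASTER = {
    "E001": {"name": "A. Lee", "classification": "L3", "pay_rate": 32.50,
             "allowance": 0.0, "bsb_account": "062-000 11112222"},
    "E002": {"name": "B. Singh", "classification": "L2", "pay_rate": 28.00,
             "allowance": 50.0, "bsb_account": "062-000 99998888"},
    "E003": {"name": "C. Ng", "classification": "L4", "pay_rate": 41.00,
             "allowance": 0.0, "bsb_account": "062-000 55556666"},
    "E004": {"name": "D. Park", "classification": "L2", "pay_rate": 28.00,
             "allowance": 0.0, "bsb_account": "062-000 99998888"},
}

# Constructed HR record: employees whose employment has ended.
HR_TERMINATED = {"E003"}

# Constructed payment file for the run: (employee id, bsb/account, amount).
PAYMENTS = [
    ("E001", "062-000 11112222", 1300.00),
    ("E002", "062-000 99998888", 1170.00),
    ("E002", "062-000 99998888", 1170.00),  # same employee paid twice
    ("E003", "062-000 55556666", 1640.00),
    ("E004", "062-000 99998888", 1120.00),
]


def master_file_changes(prev, curr):
    """One line for every addition, removal and watched-field change."""
    lines = []
    for emp in sorted(set(prev) | set(curr)):
        if emp not in prev:
            lines.append(f"ADDED {emp} {curr[emp]['name']} "
                         f"account {curr[emp]['bsb_account']}")
        elif emp not in curr:
            lines.append(f"REMOVED {emp} {prev[emp]['name']}")
        else:
            for field in WATCHED_FIELDS:
                old, new = prev[emp][field], curr[emp][field]
                if old != new:
                    lines.append(f"CHANGED {emp} {field}: {old} -> {new}")
    return lines


def shared_bank_accounts(curr):
    """Bank accounts that more than one employee id is paid into."""
    by_account = defaultdict(list)
    for emp, rec in curr.items():
        by_account[rec["bsb_account"]].append(emp)
    return {acct: sorted(ids) for acct, ids in by_account.items() if len(ids) > 1}


def terminated_still_on_payroll(curr, terminated):
    """Employees HR says have left but who are still on the master file."""
    return sorted(emp for emp in curr if emp in terminated)


def duplicate_payments(payments):
    """Employee ids and accounts paid more than once in the same run."""
    per_employee, per_account = defaultdict(int), defaultdict(int)
    for emp, acct, _amount in payments:
        per_employee[emp] += 1
        per_account[acct] += 1
    return {
        "employees": sorted(e for e, n in per_employee.items() if n > 1),
        "accounts": sorted(a for a, n in per_account.items() if n > 1),
    }


def exception_report(prev, curr, terminated, payments):
    """Combine the checks into the report handed to the reviewer."""
    return {
        "changes": master_file_changes(prev, curr),
        "shared_accounts": shared_bank_accounts(curr),
        "terminated_still_on_payroll": terminated_still_on_payroll(curr, terminated),
        "duplicate_payments": duplicate_payments(payments),
    }
```

Calling `exception_report(PREV_MASTER, CURR_MASTER, HR_TERMINATED, PAYMENTS)` on the constructed data surfaces the changed account, the new employee sharing it, the leaver still on file and the double payment in one place.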

Sunday, July 19, 2009

Be aware of red flags

I find it amazing that every time I do a fraud investigation I still hear the same comment – “why didn’t we see that”. In every fraud investigation I have done, familiar red flags have been present and unfortunately have gone unnoticed for some time, allowing the fraud to continue.

A red flag is a set of occurrences that are unusual in nature or vary from what would be considered the normal activity of the organisation. It is a signal that something may be wrong or out of the ordinary and needs further investigation. However, it must be remembered that a red flag does not mean that fraud has happened, it is a trigger that something may have happened and therefore the issue needs to be investigated.

There are many red flags. Here are just a few:

  • unexplained items on reconciliations
  • inconsistent or vague responses from inquiries made
  • excess voids or credits
  • multiple remittance addresses for the same creditor
  • lack of segregation of duties
  • infrequent bank deposits allowing cash to accumulate
  • a delay in issuing of monthly, quarterly or annual financial reports
  • key financial or operating personnel leaving the organisation
  • missing assets
  • questionable handwriting on documents
  • a poor culture within the organisation

Sunday, July 12, 2009

Undertake regular bank reconciliations

Undertaking regular bank reconciliations is a very useful fraud detection control. How regularly you undertake bank reconciliations should depend on the number of transactions made through the bank account on a daily basis and the value (in dollar terms) of funds flowing through the bank account. The higher the number and value of transactions, the more frequently bank reconciliations should be conducted (eg daily or weekly). Bank reconciliations should be done at least monthly for smaller organisations with transactions that are few in number and low in value.

Any unusual transactions on the bank reconciliation should be investigated immediately. To hide fraud, a person conducting the bank reconciliations will need to ‘force’ the bank reconciliation to reconcile. To do this, one of the methods used is to create a ‘balancing item’ such as an outstanding deposit. However, that deposit remains as a reconciling item from one bank reconciliation to the next, growing in size as the value of the fraud increases over time.

To confirm that the bank account has been reconciled and actually does balance, the bank reconciliation as well as a copy of the last page of the bank statement should be included as part of the board pack provided for each board meeting.
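The following is an added example, not code from the original post: it checks that a reconciliation balances arithmetically, then looks across successive reconciliations for the "balancing item" pattern described above, a reconciling item that never clears and grows from one reconciliation to the next. All figures are constructed, and the assumption that a genuine outstanding deposit should clear by the next reconciliation (one period) is an assumption for the example.

```python
"""Added example (not from the original post): checking that a bank
reconciliation balances, and flagging reconciling items that persist or grow
from one reconciliation to the next. All figures are constructed."""
from collections import defaultdict
from decimal import Decimal


def reconciliation_difference(statement_balance, ledger_balance,
                              outstanding_deposits, unpresented_cheques):
    """Bank statement balance, adjusted for items not yet through the bank,
    minus the cash book balance. Zero means the reconciliation balances."""
    adjusted = (statement_balance
                + sum(outstanding_deposits, Decimal("0"))
                - sum(unpresented_cheques, Decimal("0")))
    return adjusted - ledger_balance


def find_persistent_items(reconciliations, max_periods=1):
    """Flag reconciling items seen in more than `max_periods` reconciliations.

    `reconciliations` maps a period label to a list of (description, amount)
    reconciling items. The default of one period assumes a genuine
    outstanding deposit clears by the next reconciliation (an assumption for
    this example; set it to suit your own banking cycle). Each flag records
    whether the amount grew, the sign of a fraud increasing over time."""
    history = defaultdict(list)  # description -> [(period, amount), ...]
    for period in sorted(reconciliations):
        for description, amount in reconciliations[period]:
            history[description].append((period, amount))
    flags = []
    for description, entries in history.items():
        if len(entries) > max_periods:
            first_amount, last_amount = entries[0][1], entries[-1][1]
            flags.append({
                "item": description,
                "periods": [period for period, _ in entries],
                "first_amount": first_amount,
                "last_amount": last_amount,
                "growing": last_amount > first_amount,
            })
    return flags


# Constructed sample: three monthly reconciliations. The "outstanding
# deposit" never clears and grows each month, the pattern the post warns of.
SAMPLE_RECONCILIATIONS = {
    "2009-04": [("Outstanding deposit 12 Apr", Decimal("1200.00")),
                ("Unpresented cheque 1043", Decimal("450.00"))],
    "2009-05": [("Outstanding deposit 12 Apr", Decimal("2750.00")),
                ("Unpresented cheque 1051", Decimal("300.00"))],
    "2009-06": [("Outstanding deposit 12 Apr", Decimal("4100.00"))],
}

if __name__ == "__main__":
    # June: statement 5,900, cash book 10,000, and a 4,100 "outstanding
    # deposit" that makes the arithmetic balance. On its own it looks fine.
    print("June difference:",
          reconciliation_difference(Decimal("5900.00"), Decimal("10000.00"),
                                    [Decimal("4100.00")], []))
    for flag in find_persistent_items(SAMPLE_RECONCILIATIONS):
        print(flag)
```

The point of running both checks is that a forced reconciliation passes the arithmetic test every month; only comparing the reconciling items across months exposes the deposit that is three periods old and has more than tripled. The board pack copy of the reconciliation suggested above gives directors the same comparison by eye.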

Sunday, July 5, 2009

Understand why people commit fraud

To be in a position to understand how fraud is committed, reduce the likelihood of it happening and, if it does, investigate it thoroughly, we must first understand why people commit fraud.

There are four components to why a person commits fraud, as follows:

Pressure

Pressure on the person is the reason people make the decision to commit fraud. Pressure includes:

  • Living beyond one’s means;
  • Greed;
  • Poor credit;
  • Personal financial loss;
  • Unexpected financial needs.

Rationalisation

Rationalisation is how a person who commits the fraud believes what they are doing is reasonable. It must be remembered that rationalisation is in the mind of the person committing the fraud, not what a reasonable person would consider to be rational. Some of the ways a person committing fraud rationalises what they are doing are as follows:

  • “It’s only a loan. I’ll pay it back as soon as I can.”
  • “They didn’t give me the pay rise I deserve.”
  • “Nobody will get hurt. It’s only a company not a person.”

Opportunity

Opportunity is whatever within the organisation allows the person to commit fraud, including a lack of controls, a poor culture within the organisation or a failure of management to handle fraud appropriately. Consider opportunity as follows:

A perceived opportunity + Ability to conceal the fraud + Avoidance of it being discovered + Avoidance of it being punished = Opportunity

Capability

Capability means that a person is able to commit the fraud, for example:

  • The person’s position in the organisation provides them with the ability to exploit an opportunity to commit fraud that may not be available to others;
  • The person is smart enough to understand and exploit weaknesses in internal controls and be able to use their position and access to exploit the weakness;
  • The person has a strong ego and confidence that he/she will not be detected or he/she believes he/she could talk himself/herself out of trouble if caught – a person’s arrogance;
  • He/she can coerce others to commit or conceal fraud – he/she has a persuasive personality;
  • He/she lies effectively and consistently – he/she must be able to look management, auditors, investors, bankers and others in the eye and lie convincingly;
  • He/she deals very well with stress – committing and managing the fraud over time can be very stressful.

Sunday, June 28, 2009

Maintain appropriate password security

One of the most frustrating aspects of using a computer at work is the regular reminders to change your password. However, it is also a very important way of reducing the risk of fraud.

Cracking passwords can be an easy process if good protocols are not put in place.

There are three main ways people will attempt to crack a password – guessing, dictionary attack and brute force attack.

Some passwords can easily be guessed by someone who knows the password holder well. Examples of passwords that may easily be guessed include:
  • A password being written on a piece of paper and attached to the person’s monitor;
  • A password not being used at all;
  • Leaving the password as what was set by the system administrator – regularly “password” or “admin”;
  • A password being the name of a spouse, child or pet;
  • A password being a person’s favourite type of car, favourite celebrity or band;
  • A password being a combination of the month and year; or
  • A password being the person’s name or using their actual login as their password as well.

Many people also use standard words. In this case a dictionary attack will not take long to determine what the password is.

The last option is a brute force attack, which will try every combination of letters, numbers and symbols. The time taken to determine the password will depend on the number of characters and the mix of letters, numbers and symbols used. When letters, numbers and symbols are all allowed, there are over 100 possible characters to try at each position.

It has been estimated that the time taken to crack a password is as follows:

  • 4 characters = 10 seconds
  • 6 characters = 1,000 seconds
  • 7 characters = 1 day
  • 8 characters = 115 days
  • 9 characters = 31 years
  • 10 characters = 3,000 years

So what does this mean? For the best password security:

  • the greater the number of characters in the password, the better (at least 8);
  • use a combination of upper and lower case letters, numbers and symbols;
  • do not use common words;
  • do not give your password to anyone else;
  • regularly force users to change their password;
  • force users to use a minimum number of characters;
  • force users to use a combination of letters, numbers and symbols; and
  • do not allow the password field to be left blank.
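The rules listed above can be enforced at the point where a password is set. The checker below is an added example, not code from the original post: it applies the minimum length, the mix of character classes, the ban on default and common words, the blank-password rule and the "not your login" rule, and also rejects the month-and-year and personal-name patterns from the guessing list. The small common-word set and the sample logins are constructed for the example; a real deployment would check against a full dictionary.

```python
"""Added example (not from the original post): a password policy checker
implementing the rules in the post. COMMON_WORDS is a constructed stand-in
for a full dictionary."""
import re

MIN_LENGTH = 8                                 # the post's "at least 8"
DEFAULT_PASSWORDS = {"password", "admin"}      # administrator defaults named above
COMMON_WORDS = {"welcome", "letmein", "qwerty", "summer", "football"}  # constructed
# "06/2009", "062009", "June2009", "jun-2009" and similar month/year passwords
MONTH_YEAR = re.compile(
    r"^(0?[1-9]|1[0-2]|jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)"
    r"[a-z]*[-/ ]?(19|20)\d{2}$", re.IGNORECASE)


def check_password(password, login, personal_terms=()):
    """Return a list of policy violations; an empty list means acceptable.

    `personal_terms` holds things a colleague could guess about the user
    (spouse, child or pet names, favourite car, celebrity or band)."""
    problems = []
    if not password:
        return ["password is blank"]
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    classes = {
        "upper case": re.search(r"[A-Z]", password),
        "lower case": re.search(r"[a-z]", password),
        "digit": re.search(r"[0-9]", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, hit in classes.items() if hit is None]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if lowered in DEFAULT_PASSWORDS:
        problems.append("default password left in place")
    elif lowered in COMMON_WORDS:
        problems.append("common word (dictionary attack)")
    if login and lowered == login.lower():
        problems.append("same as login")
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append("contains personal term '%s'" % term.lower())
    if MONTH_YEAR.match(password):
        problems.append("month and year")
    return problems


if __name__ == "__main__":
    # Constructed sample logins and candidate passwords.
    for candidate in ("", "admin", "jsmith", "06/2009", "Rex2009!!", "Tr0ub4dor&3x"):
        print(repr(candidate), check_password(candidate, "jsmith", personal_terms=("Rex",)))
```

Run at password-change time, the checker turns the list of "do nots" into something the system enforces rather than something users are merely told, which is what the last four bullets above ask for.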

Sunday, June 21, 2009

Develop a robust employment screening process

One method of reducing the risk of fraud in your organisation is to ensure you do not employ a person who has previously been convicted of fraudulent activity. To do this, an organisation should undertake an appropriate employment screening process.

The process should be undertaken prior to the final acceptance of an offer of employment and also when an employee is promoted to a management position.

Examples of the type of screening that should be undertaken are as follows:

  • Conduct a criminal history check to determine if the person has a previous conviction for a fraud related offence. Consent will be needed from the potential employee to enable such a search to be undertaken;
  • Verify the potential employee’s previous work history. Before contacting referees, verify the contact telephone numbers of the referees to ensure you are making contact with the appropriate person;
  • Verify qualifications. Consent may need to be obtained from the potential employee to enable confirmation to be obtained from educational institutions and professional bodies;
  • Give the applicant an opportunity to provide reasons for gaps in employment;
  • Conduct an internet search such as a Google search. It’s amazing what can be found on the internet;
  • Check social networking sites such as Facebook and Twitter for postings by the potential employee.

Sunday, June 14, 2009

Understand what Beyond Reasonable Doubt means

I have conducted many fraud investigations as well as defending people who have been charged with fraud. Something I see on a regular basis is that a person conducting the investigation does not understand the level of proof they need to obtain. It must be proven “beyond reasonable doubt” that a person has committed fraud. Beyond reasonable doubt is the standard of proof that is used by a magistrate, judge or jury to decide if an accused is guilty or not guilty of a criminal charge.

There are different terms for beyond reasonable doubt depending on the country you are conducting the investigation in. However, the ultimate meaning is the same.

The meaning is that the proposition being presented by the prosecution must be proven to the extent that a reasonable person would, in their own mind, have no reasonable doubt that the defendant is guilty. To be able to provide this level of proof you should also consider whether you need to disprove any other possible reasons why the transaction that is the subject of the criminal charge occurred.

Sunday, June 7, 2009

Control the Use of Petty Cash

What is the Risk?

The risk is that someone claims personal expenses through petty cash or makes fraudulent petty cash claims.

How to Mitigate the Risk

While petty cash may only be a small amount when compared to other assets, it is an easy target for a person contemplating committing fraud for the first time. If the person is able to easily defraud the organisation of petty cash, it may encourage the person to continue to commit fraud.

Steps to reduce the likelihood of petty cash fraud occurring include:

  • Develop a policy that clearly sets out what can be claimed through petty cash with a limit on the monetary value able to be claimed;
  • All claims that are made should have source documents clearly stamped with “Paid” to ensure that they cannot be used in a future claim;
  • All claims made should contain supporting documents (eg. receipts and invoices) of items that have been purchased;
  • Petty cash should have adequate physical security (eg. locked in a safe);
  • Put procedures in place to regularly reconcile cash, claims and source documents.

Sunday, May 31, 2009

Understand the role of the external auditor

The role of the external auditor has often been misunderstood. This “expectation gap” has long been explained as the gap between the actual requirements and standards placed on the auditor and the audit process, and the public’s expectations of what an auditor does in the audit process.

It has often been thought that the audit provides certainty as to the accuracy of the financial statements by the auditor undertaking a 100% check of the organisation’s accounts. It has also been thought that auditors should be able to provide early warning if there are solvency problems with the organisation and lastly, it is thought that a primary role of the auditor is to detect fraud.

An example of this can be seen in the BDO Not-for-Profit Fraud Survey 2008. 61% of respondents to the survey gave, as a reason they did not perceive fraud to be a problem for their organisation, that fraud had not been discovered by the external audit process.

It is important that not-for-profit organisations understand the role of the audit and do not rely solely on the external audit process as a way of detecting fraud. It is also important to consider that auditors, while conducting an audit in accordance with the auditing standards, are also conducting the audit on a fee paying basis. To undertake an appropriate audit, an appropriate fee is required to be paid.

Auditing standards provide us with guidance as to the auditors’ responsibilities regarding fraud. For example:
  • “The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management. It is important that management, with the oversight of those charged with governance, place a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and fraud deterrence, which could persuade individuals not to commit fraud because of the likelihood of detection and punishment. This involves a commitment to creating a culture of honesty and ethical behaviour which can be reinforced by an active oversight by those charged with governance.” Paragraph 4 of ASA240 (Australian Auditing Standard – The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Report)
  • “The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. Because of the nature of audit evidence and the characteristics of fraud, the auditor is able to obtain reasonable, but not absolute, assurance that material misstatements are detected. The auditor has no responsibility to plan and perform the audit to obtain reasonable assurance that misstatements, whether caused by errors or fraud, that are not material to the financial statements are detected.” – SAS99 (US Auditing Standard – Consideration of Fraud in a Financial Statement Audit).

Sunday, May 24, 2009

Understand what can and cannot be done to the audit trail of the accounting software

The audit trail of accounting software can be a very useful tool when conducting a fraud investigation, especially when combined with an appropriate and effective IT Policy. An audit trail provides a history of who has accessed the accounting software and what transactions those people have conducted in the accounting software.

An audit trail allows for the examination of access history by users of the software. It shows what users have accessed or attempted to access as well as what those users have changed. An audit trail can also show when someone attempts to by-pass the security that has been put in place. It can act as a method of detecting fraud if people are aware it is reviewed regularly.

Audit trails can also be used as a method of detecting fraud. Reviewing the audit trail can show patterns in when a person conducts transactions, or even when someone turns the audit trail off and on. In fraud investigations that have been undertaken, it has been discovered that the audit trail was turned off and, within a short period of time, turned back on. During this time the fraudulent transactions were processed.

An organisation needs to understand the security measures attached to the audit trail, if the audit trail can easily be turned on and off and how to protect the data collected by the audit trail.

If the accounting package being used allows, the organisation should have the IT administrator turn the audit trail on and password protect it so that no user of the software can turn the audit trail off or delete transactions within the audit trail.
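The off-then-on pattern described above can be checked for mechanically by comparing the general ledger with the audit trail. The script below is an added example, not code from the original post or any particular accounting package: it builds the windows during which the trail was off and flags every ledger transaction that was posted inside such a window or that has no audit entry at all. The event format, user names and journal references are all constructed for the example; a real package's audit export will look different and the parsing would need to be adapted.

```python
"""Added example (not from the original post): cross-checking the ledger
against the audit trail for transactions posted while the trail was off, or
with no audit entry. Event layout and all records are constructed."""
from datetime import datetime
from decimal import Decimal


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def trail_off_windows(events):
    """Return [(off_at, on_at_or_None, user_who_turned_it_off), ...] built
    from TRAIL_OFF / TRAIL_ON events. An OFF with no later ON is open-ended."""
    windows, off_since = [], None
    for ts, kind, user, _ in sorted(events, key=lambda e: parse_ts(e[0])):
        when = parse_ts(ts)
        if kind == "TRAIL_OFF" and off_since is None:
            off_since = (when, user)
        elif kind == "TRAIL_ON" and off_since is not None:
            windows.append((off_since[0], when, off_since[1]))
            off_since = None
    if off_since is not None:
        windows.append((off_since[0], None, off_since[1]))
    return windows


def find_unaudited_transactions(ledger, events):
    """Flag ledger transactions that fall inside a trail-off window or that
    have no matching POST event in the audit trail."""
    windows = trail_off_windows(events)
    audited = {ref for _, kind, _, ref in events if kind == "POST"}
    flagged = []
    for ref, ts, amount in ledger:
        when = parse_ts(ts)
        window = next((w for w in windows
                       if w[0] <= when and (w[1] is None or when < w[1])), None)
        if ref not in audited or window is not None:
            flagged.append({
                "ref": ref,
                "amount": amount,
                "no_audit_entry": ref not in audited,
                "trail_off_by": window[2] if window else None,
            })
    return flagged


# Constructed audit trail export: (timestamp, event, user, journal ref or None)
AUDIT_EVENTS = [
    ("2009-05-04 09:00", "TRAIL_ON", "itadmin", None),
    ("2009-05-04 09:30", "POST", "clerk1", "J1001"),
    ("2009-05-05 17:45", "TRAIL_OFF", "clerk1", None),
    ("2009-05-05 18:20", "TRAIL_ON", "clerk1", None),
    ("2009-05-06 10:00", "POST", "clerk2", "J1004"),
]
# Constructed general ledger extract: (journal ref, posted at, amount)
LEDGER = [
    ("J1001", "2009-05-04 09:30", Decimal("250.00")),
    ("J1002", "2009-05-05 17:52", Decimal("4100.00")),
    ("J1003", "2009-05-05 18:05", Decimal("980.00")),
    ("J1004", "2009-05-06 10:00", Decimal("75.00")),
]

if __name__ == "__main__":
    for window in trail_off_windows(AUDIT_EVENTS):
        print("trail off:", window)
    for hit in find_unaudited_transactions(LEDGER, AUDIT_EVENTS):
        print(hit)
```

In the constructed data two journals land in the 35 minutes the trail was off and have no audit entries, and the report names the user who switched the trail off. Because the comparison needs the ledger as a second source, it still works when the audit trail itself has been tampered with, which is why the trail should be password protected as recommended above and the review done by someone other than the person who can switch it.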

Sunday, May 17, 2009

Develop appropriate controls over events

Risk

Funds are lost due to theft during the hectic operations of a special event.

Methods to Mitigate the Risk

Many not-for-profit organisations run large fund raising events which can involve the receipt of large quantities of cash. Such an event can be a hectic time with the potential for large quantities of cash to be stolen. To ensure all cash received is properly accounted for during such an event, the following safeguards may be of assistance:
  • Encourage all donations and purchases to be made by credit card.
  • If donations and purchases are made by cash, ensure controls are in place over the money that is received (eg. having two people receipting the cash).
  • Have a separate person register donations and purchases from the person receipting the funds, so that the two records can be reconciled at a later time.

Saturday, May 9, 2009

Determine if the organisation wants insurance for fraud

Fraud can cause significant financial stress to an organisation, including significant cash flow problems. Obtaining fidelity insurance may help with that problem. Fidelity insurance covers an organisation for losses caused as a result of fraud.

An organisation needs to make an informed decision as to whether it wants to maintain fidelity insurance or not. When considering this issue, questions to consider include:
  • What will the insurer require to enable a payment to be made (ie. will it require a full investigation to be completed, will the insurer require a conviction?)
  • How long will it take for the insurer to make a payment? The longer the time it would take, the longer the organisation could suffer financial stress as a result of the fraud.
  • What is the excess of the claim and what is the maximum payout?
  • What is excluded from the policy? For example, one policy I saw excluded forgery – this could potentially exclude fraud where an employee forges a signature on an organisation’s cheque.

Again, an organisation needs to make an informed decision considering the cost of the policy and the benefits that may flow from the policy if a claim is needed to be made.

Sunday, May 3, 2009

Develop and maintain a fraud risk register

Many organisations maintain a Risk Register, but few of these incorporate specific fraud risks and the associated review undertaken for a risk to be placed on the register.

A Fraud Risk Register can usually be developed from the completion of a Fraud Risk Assessment and should incorporate the following:

  • A description of the risk;
  • The impact of the risk on the organisation if the risk is not mitigated;
  • An assessment of the likelihood of the fraud occurring;
  • An assessment of the seriousness / consequence of the fraud;
  • What actions need to be taken to mitigate the loss;
  • Who will be responsible for implementing the actions to mitigate the loss;
  • What the timeline is to implement these actions; and
  • The checklist for implementing the actions.

A Fraud Risk Register should be updated on a regular basis (preferably on a yearly basis) or at such times as when there is a change in such things as technology (eg. a new computer system) or a change in services provided or grants received.

Sunday, April 26, 2009

Develop a fraud recovery plan

Planning is the key to dealing with any issue. Fraud is no exception – actually planning what your organisation will do if fraud occurs is best done before the event. When fraud occurs it can be very emotional – it is reasonably common that the person who has committed the fraud is a trusted employee / volunteer and considered a ‘friend’. So planning when people are ‘thinking straight’ (ie. Before the fraud has occurred) is the best option.

Many organisations have a Disaster Recovery Plan (and if they don’t they need to develop one of these also!). For example, a Disaster Recovery Plan can set out what should be done if the computer system fails – where can the server be hosted until a new server is purchased, installed and made operational again. Think of a Fraud Recovery Plan in the same way.

So what should an organisation include in a Fraud Recovery Plan? It should be noted that for a Fraud Recovery Plan to work appropriately, the board will need to pre-approve the use of the plan if fraud does occur. This means that the person who is responsible for the plan needs to be able to implement the plan as soon as fraud is discovered, without needing to first seek approval from the board – the longer it takes to commence an investigation, the greater the likelihood of losing evidence.

Following are some ideas of what should be included:

  • Does the organisation have the internal skills to investigate the fraud? If not, are resources available externally to conduct the investigation, and will those skills be available at short notice;
  • As per the Fraud Control Policy, the matter should be reported to the police. Therefore, who will liaise with the police in relation to the fraud;
  • Who will deal with terminating the employment of the person who committed the fraud? Will the organisation request the assistance of their lawyers in this regard;
  • If the organisation has insurance against fraud, what is the excess on the policy, what is the maximum amount able to be claimed and when does the insurer need to be notified of the fraud;
  • Will the organisation be at risk of losing funding such as government grants;
  • Will the organisation be at risk of having cash flow problems? If so, is it possible to gain a temporary increase in any overdraft facility;
  • How will other employees and volunteers be advised of what has happened; and
  • How do you manage any reputation risk that the organisation may suffer, such as how will the organisation deal with the media should it become known that fraud has occurred or should the organisation issue a media release about the issue.

Saturday, April 18, 2009

Clearly set out what your organisation defines fraud to mean

There are many definitions of fraud. However, to deter and detect fraud, an organisation needs to clearly define what fraud means to them and maintain a consistent definition across the Fraud Control Policy and any other policy or Code of Conduct where the definition may appear.

Examples of definitions of fraud are as follows.

Butterworths Concise Australian Legal Dictionary defines fraud as:

An intentional dishonest act or omission done with the purpose of deceiving.

Paragraph 9 of ASA 240, the Australian Auditing Standard on The Auditor’s Responsibility to Consider Fraud in an Audit of a Financial Report states:

The term “fraud” refers to an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage. Although fraud is a broad legal concept, for the purposes of this Auditors Standard, the auditor is concerned with fraud that causes a material misstatement in the financial report. Auditors do not make legal determinations of whether fraud has actually occurred. Fraud involving one or more members of management or those charged with governance is referred to as “management fraud”; fraud involving only employees of the entity is referred to as “employee fraud”. In either case, there may be collusion within the entity or with third parties outside of the entity.

Australia Standard AS8001-2008, Fraud and Corruption Control, defines fraud as:

Dishonest activity causing actual or potential financial loss to any person or entity including theft of moneys or other property by employees or persons external to the entity and where deception is used at the time, immediately before or immediately following the activity. This also includes the deliberate falsification, concealment, destruction or use of falsified documentation used or intended for use for a normal business purpose or the improper use of information or position for personal financial benefit.

Section 408C of the Queensland Criminal Code (this is the definition I work with mostly as Queensland is my home state) defines the criminal offence of fraud as follows:

A person who dishonestly:

  • applies to his or her own use or to the use of any person:
    - property belonging to another; or
    - property belonging to the person, or which is in the person’s possession, either solely or jointly with another person, subject to a trust, direction or condition or on account of any other person; or
  • obtains property from any person; or
  • induces any person to deliver property to any person; or
  • gains a benefit or advantage, pecuniary or otherwise, for any person; or
  • causes a detriment, pecuniary or otherwise, to any person; or
  • induces any person to do any act which the person is lawfully entitled to abstain from doing; or
  • induces any person to abstain from doing any act which that person is lawfully entitled to do; or
  • makes off, knowing that payment on the spot is required or expected for any property lawfully supplied or returned or for any service lawfully provided, without having paid and with intent to avoid payment;

commits the crime of fraud.

When selecting a definition of fraud to use in your anti-fraud program, you need to select a definition that best suits the size and type of your organisation. Do not be afraid to use the definition of fraud as it appears in the criminal legislation in your country or state if a criminal charge of “fraud” is clearly defined.

Sunday, April 12, 2009

Develop a series of exception reports and act on any exceptions

There are often many red flags which, in hindsight, are obvious to those who are left to deal with the aftermath of the fraud.

Risk

The risk is that fraud could be discovered but is not, as the organisation does not recognise the red flags associated with the fraud due to not having appropriate exception reporting in place.

Methods to Mitigate the Risk

An organisation should be prepared to develop a series of exception reports that highlight red flags of fraud.

It must be remembered that red flags are just that: they indicate a potential problem. However, if the potential problems are not recognised and then investigated, the fraud, if it is occurring, will continue to occur. For that reason, any red flags that are highlighted by the exception reports need to be investigated.

An example of an exception report is one that considers whether employees have created false creditors which are being paid by the organisation. This involves electronically comparing employee and creditor bank account numbers, street addresses, postal addresses, post codes / zip codes, telephone numbers and mobile / cell phone numbers (especially for those employees in the accounts payable and payroll departments).

Another simple exception report considers variances between actuals and budgets, for income that is below budget and expenses that are above budget.

It should be noted that there are numerous exception reports that can be utilised by an organisation. Each organisation should determine which exception reports are appropriate to them.

To make exception reporting easier, it can be computerised. An organisation should take the time to set up the exception reports that are appropriate. Once this initial investment of time has been made, the exception reports can easily be run on a regular basis. The investment of time is then in investigating exceptions as they arise.
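The two exception reports described above, as an added example that is not part of the original post: the first matches the employee master file against the creditor master file after normalising bank account numbers, addresses and telephone numbers (so that "064-000 1234 5678" and "0640001234 5678", or "Main St" and "main street", compare equal); the second lists budget variances in the adverse direction. The employee, creditor and budget records are constructed, and the 10% variance threshold is an assumption for the example.

```python
"""Added example (not from the original post): an employee-versus-creditor
match and a budget variance report, run over constructed sample data."""
import re
from decimal import Decimal

# Constructed employee and creditor master-file extracts.
EMPLOYEES = [
    {"id": "E01", "dept": "Accounts Payable", "bank": "064-000 1234 5678",
     "address": "12 Main St, Brisbane QLD 4000",
     "phone": "(07) 3000 1234", "mobile": "0400 111 222"},
    {"id": "E02", "dept": "Programs", "bank": "064-000 9999 0001",
     "address": "5 Hill Rd, Ipswich QLD 4305",
     "phone": "07 3000 9999", "mobile": "0400 333 444"},
]
CREDITORS = [
    {"id": "C100", "name": "Office Supplies Pty Ltd", "bank": "0640001234 5678",
     "address": "12 main street brisbane qld 4000",
     "phone": "0730001234", "mobile": ""},
    {"id": "C101", "name": "Genuine Printers", "bank": "012-345 6789 0000",
     "address": "88 Print Ave, Brisbane QLD 4000",
     "phone": "07 3111 2222", "mobile": "0411 999 888"},
]


def norm_digits(value):
    """Keep digits only, so '064-000 1234' and '0640001234' compare equal."""
    return re.sub(r"\D", "", value or "")


def norm_address(value):
    """Lower-case, abbreviate common street types, drop punctuation/spaces."""
    text = (value or "").lower()
    for long, short in (("street", "st"), ("road", "rd"), ("avenue", "ave")):
        text = re.sub(r"\b%s\b" % long, short, text)
    return re.sub(r"[^a-z0-9]", "", text)


FIELDS = {"bank": norm_digits, "address": norm_address,
          "phone": norm_digits, "mobile": norm_digits}


def employee_creditor_matches(employees, creditors):
    """Return one record per (creditor, employee, field) that coincide."""
    index = {}  # (field, normalised value) -> [employee ids]
    for emp in employees:
        for field, norm in FIELDS.items():
            key = norm(emp.get(field))
            if key:
                index.setdefault((field, key), []).append(emp["id"])
    matches = []
    for cred in creditors:
        for field, norm in FIELDS.items():
            key = norm(cred.get(field))
            if not key:
                continue
            for emp_id in index.get((field, key), []):
                matches.append({"creditor": cred["id"], "employee": emp_id,
                                "field": field})
    return matches


# Constructed budget lines: (account, kind) -> (budget, actual)
BUDGET_LINES = {
    ("Donations", "income"): (Decimal("50000"), Decimal("41000")),
    ("Printing", "expense"): (Decimal("8000"), Decimal("11500")),
    ("Rent", "expense"): (Decimal("24000"), Decimal("24000")),
}


def budget_exceptions(lines, threshold_pct=Decimal("10")):
    """Income below budget or expenses above budget by at least threshold_pct
    (the 10% default is an assumption for this example)."""
    out = []
    for (account, kind), (budget, actual) in lines.items():
        variance = actual - budget
        pct = (variance / budget * 100) if budget else Decimal("100")
        adverse = ((kind == "income" and variance < 0)
                   or (kind == "expense" and variance > 0))
        if adverse and abs(pct) >= threshold_pct:
            out.append((account, kind, variance, pct))
    return out


if __name__ == "__main__":
    for match in employee_creditor_matches(EMPLOYEES, CREDITORS):
        print(match)
    for line in budget_exceptions(BUDGET_LINES):
        print(line)
```

On the constructed data the creditor "Office Supplies Pty Ltd" shares a bank account, address and telephone number with the accounts payable employee E01, which is exactly the false-creditor red flag the report is meant to surface; the second report lists donations (18% under budget) and printing (about 44% over). Both reports are the kind that, once set up, can be run every month against the live master files with no further effort.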

Sunday, April 5, 2009

Utilise an Exit Checklist when Employees Leave

Many organisations use an exit checklist when an employee and/or volunteer leave. However, it needs to be comprehensive so that it covers all areas that could cause detriment to the organisation.

When employees and / or volunteers leave the organisation, it is important that they no longer have access to the organisation’s information and no longer have possession of assets of the organisation.

Risk

The risk is that someone who leaves uses their previously provided information and/or assets to cause detriment to the organisation. This can be done in a number of ways. For example:

  • Remotely accessing a member list and deleting important information or obtaining a copy of the information for future use;
  • Remotely accessing client information that should remain confidential and allowing that information to be released to the public, damaging the reputation of the organisation;
  • Accessing the organisation’s premises to cause physical damage;
  • Keeping assets they are not entitled to keep; or
  • Incurring expenses after they have ceased employment.

Methods to Mitigate the Risk

A checklist should be established for when an employee (and in some instances a volunteer) leaves the organisation. The checklist should include all items that need to be returned to the organisation, all authorisations that need to be cancelled and any other matters that should be addressed. This is so an ex-employee (or volunteer) cannot defraud the organisation after they leave.

The following is a list (but not an exhaustive list) of matters that should be included:

  • Items to be handed back to the organisation:
    - Corporate credit card
    - Laptop / computer / modem / AV equipment etc
    - Thumb drives / external hard drives and any other external storage devices
    - Software
    - Mobile phones and accessories
    - Internet connection equipment
    - Manuals
    - Car and car keys (including all items that should be in the car, eg. first aid kit)
    - Fuel card
    - Keys / access card to the building, office, cupboards and filing cabinets
    - Security tokens for online banking, email access and any other remote access requirements
    - Staff identification card and name tag
    - Uniforms
  • To be changed / closed:
    - All computer access restricted, both in the office and remotely
    - Taken off the bank accounts as a signatory
    - Password for online banking cancelled
    - Security codes for access to the office / building cancelled

It must be remembered that the above are examples only, and a full list of items included on an Exit Checklist will vary from organisation to organisation.

Sunday, March 29, 2009

Maintain appropriate controls over assets

Assets can be a significant investment for many organisations. Ensuring the security of those assets is important, especially considering the different types of assets an organisation has.

Risk

The risk is that assets are taken by employees and / or volunteers and / or external parties of the organisation for personal use and not returned (in effect, the theft of the assets).

Methods to Mitigate the Risk

When developing controls over assets, the following should be considered:
  • Small assets should be secured by using locks or similar security measures where appropriate (for example, a security lock attaching a laptop to a desk);
  • All assets should be tagged with an Asset Number;
  • An Asset Register should be maintained. The Register should include the following information: asset tag number, description of the asset, date of purchase, warranty information and location of the asset.
  • Stock takes of assets should be undertaken at least yearly and any discrepancies to the Asset Register should be investigated. The stock take and investigation of discrepancies should be undertaken by a person who is not responsible for the recording of assets in the Asset Register.
  • If an asset is to be disposed of, it can only be removed from the Asset Register with a properly authorised Asset Disposal Form having been completed as required by the Asset Disposal Policy. Refer to my Blog post on 26 January 2009.
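The yearly stock take and the disposal rule above can be reconciled against the Asset Register mechanically. The script below is an added example, not code from the original post: it compares a stock-take scan with the register and the approved Asset Disposal Forms and lists every discrepancy (missing assets, assets in the wrong location, untagged assets on the premises, and assets recorded as disposed without an authorised form) for the independent person who investigates them. The register, disposal forms and scan are constructed.

```python
"""Added example (not from the original post): reconciling a physical stock
take against the Asset Register and approved Asset Disposal Forms. All
records are constructed."""


def reconcile_stock_take(register, stock_take, approved_disposals):
    """Return a sorted list of (asset tag, finding) for investigation.

    register: tag -> {"description", "location", "disposed"}
    stock_take: list of (tag, location where the asset was sighted)
    approved_disposals: tags on properly authorised Asset Disposal Forms
    """
    sighted = dict(stock_take)
    findings = []
    for tag, record in register.items():
        if record["disposed"]:
            # An asset may only leave the register via an authorised form.
            if tag not in approved_disposals:
                findings.append((tag, "recorded as disposed without an authorised Asset Disposal Form"))
            if tag in sighted:
                findings.append((tag, "recorded as disposed but sighted at " + sighted[tag]))
            continue
        if tag not in sighted:
            findings.append((tag, "not sighted (missing asset)"))
        elif sighted[tag] != record["location"]:
            findings.append((tag, "sighted at %s, register says %s"
                             % (sighted[tag], record["location"])))
    for tag, location in stock_take:
        if tag not in register:
            findings.append((tag, "sighted at %s but not on the register" % location))
    return sorted(findings)


# Constructed Asset Register, disposal forms and stock-take scan.
ASSET_REGISTER = {
    "A0001": {"description": "Laptop", "location": "Office 1", "disposed": False},
    "A0002": {"description": "Projector", "location": "Meeting room", "disposed": False},
    "A0003": {"description": "Old printer", "location": "Storeroom", "disposed": True},
    "A0004": {"description": "Digital camera", "location": "Office 2", "disposed": False},
    "A0006": {"description": "Desk phone", "location": "Reception", "disposed": True},
}
APPROVED_DISPOSAL_FORMS = {"A0003"}
STOCK_TAKE_SCAN = [("A0001", "Office 1"), ("A0002", "Office 1"), ("A0005", "Office 2")]

if __name__ == "__main__":
    for tag, finding in reconcile_stock_take(ASSET_REGISTER, STOCK_TAKE_SCAN,
                                             APPROVED_DISPOSAL_FORMS):
        print(tag, finding)
```

The constructed data produces four findings: the projector has moved, the camera is missing, an untagged asset A0005 was found, and the desk phone was written off with no disposal form. Feeding the scan in as data rather than ticking a printed register keeps the person who records assets out of the comparison, which is the segregation the post asks for.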

Sunday, March 22, 2009

Determine if controls in place are detection or prevention controls

When developing a set of internal controls or reviewing the current internal controls in place in an organisation, it is important to determine if the organisation has a balance of prevention as well as detection controls.

Prevention controls are those controls that reduce the likelihood of fraud occurring or “prevent” the fraud from occurring. Detection controls are effectively a “back-up” control and are there to detect fraud if the prevention controls have not been effective and have allowed the fraud to occur. Detection controls that are in place should allow for the fraud to be detected as quickly as possible.

Prevention controls can be split into two types – macro and micro prevention controls.

Macro prevention controls are those controls at a strategic level that are in place to prevent fraud from occurring. Examples of macro prevention controls include:

  • Having a board and management structure that lead by example – this is regularly referred to as the “tone at the top”. If the board and management of the organisation do not support fraud prevention and control in the organisation, it is difficult to have employees and volunteers support it.
  • Having an appropriate fraud control plan / strategy in place which employees and volunteers are aware of and receive appropriate training on. This allows employees and volunteers to understand that fraud is not acceptable within the organisation.
  • Having an ethical organisational culture within the organisation. It is important to understand the value of having an ethical organisational culture when it comes to fraud prevention. An ethical organisational culture is considered by organisations to be a primary factor in reducing the risk of fraud.[1]

Micro prevention controls are those controls that affect the day-to-day operations of the organisation. Examples of micro prevention controls include:

  • Segregation of duties. For example, the requirement to have two people process and approve a payment makes it more difficult for one person to commit fraud unless there is collusion involved or the person committing the fraud by-passes the second person, for example by forging the person’s signature approving the payment.
  • Having two cheque signatories or two passwords required for internet banking again makes it more difficult for an individual to commit fraud.

Examples of detection controls include:

  • Undertaking bank reconciliations on a regular basis and investigating any discrepancies that arise. For example, a common method of hiding a fraud is to “force” a bank reconciliation to reconcile (eg. to include incorrect entries, have a deposit outstanding for more than one reconciliation, have an outstanding deposit increase from one reconciliation to another). Having the bank reconciliation reviewed on a regular basis and investigating any discrepancies can allow fraud to be discovered quickly.
  • Prepare realistic budgets and compare actuals to budgets on a regular basis and investigate discrepancies.
  • Conduct exception reporting and investigate discrepancies that arise.

    [1] BDO Not-for-Profit Fraud Survey 2008, Chart 5.5, page 66.