ITS 4450 - Fraud Risk Assessment Tools and Investigation
Chapter 3, Fighting Fraud: an Overview, Chapter 4, Preventing Fraud
This lesson presents some background material from chapters 3 and 4.
Objectives important to this lesson:
- Ways to fight fraud
- Detection
- Investigation
- Legal action
- Expect honesty or dishonesty?
- Culture of honesty
- Removing opportunities
- Summary of concepts
- Comprehensive approach
- Default model
- Recommended model
Concepts:
Chapter 3
The author tells us that this chapter is an overview of the rest of the
text, so we will get more details about each of the topics in it in later
chapters. After that statement, the chapter presents a new example case.
The company in the example suffered large losses to three frauds, causing
the company to seek better protection from them. This takes us to the
discussion of methods to fight fraud.
We are introduced to four methods to fight fraud:
- prevention - the most cost-effective method, since it prevents losses
entirely: try to reduce pressures and opportunities, so that committing
a fraud takes more rationalization
- early detection - finding a fraud before it grows to its full
potential
- investigation - looking for evidence of the fraud
- legal follow-up action/resolution - prosecution or other resolution
choices
Under the topic of prevention,
the text recommends two steps: create a culture
of honesty and ethics, and mitigate the risk of fraud by eliminating
opportunities.
So how do we create such a culture?
- lead by example: make it known
that your executives are acting and working honestly
- try to hire and retain
ethical employees: check references and backgrounds, and test for honesty
early in their time on board
- write, teach,
and remind staff of a code
of conduct that requires honesty; such codes are required by
the Sarbanes-Oxley Act of 2002
- create and maintain a positive work
environment; on page 75, the text presents a list of ten factors
that make an environment less positive
- adopt a policy of handling
fraud that deals effectively
with it and with those who do it
The text warns us that 40% of
people (executives or "regular" employees) will behave dishonestly
if their personal ethics tell
them to do so. 30% will be honest,
and 30% will be dishonest
at every opportunity. This should reinforce the importance of reducing
the number of opportunities for dishonesty.
The text moves on to discuss assessing and mitigating risks.
- determine where a fraud is possible in your organization, and create
controls to make it less possible
- determine what jobs are more likely to have opportunity to commit
a fraud, and create preventive and detective controls around those jobs
- determine what types of fraud are still possible after the controls
have been implemented, and install controls to detect those particular
acts
- monitor the actions of employees
- use internal and external auditors to check actions and controls
It is worth pausing here to remember a few details about controls. Controls
are meant to reduce risk, not just of fraud, but of any attack
against the organization. Security controls
can be devices, procedures,
or policies that are meant to
increase security for an enterprise. Increasing
security can also be described as decreasing
risk. We can classify security controls as one of two
types:
- administrative controls -
These include the procedures
to create security policies and the security
policies themselves. Security policies are rules about "the actions
that users may do, must
do, and cannot do".
- technical controls - Actions
that are performed by devices
(technical solutions).
Both types of controls have the same subtypes:
- deterrent controls - used
to discourage attacks; applied
before an attack; example: warning
attackers that we are protected
- preventive controls - used
to prevent attacks; applied
before an attack; example: using
a firewall to block traffic
for specific ports
- detective controls - used
to detect an attack or intrusion; applied during
an attack; example: using an Intrusion
Detection System
- compensating controls - alternative
controls that are used when normal controls are not possible; applied
during an attack; example: disabling
switch ports to isolate devices or LAN segments
- corrective controls - used
to reduce damage and restore
service; applied after
an attack; example: using an emergency
cleaning program on a USB memory stick, so that a computer can
be made usable again
The text emphasizes that preventive and detective controls are the most
effective for fraud. We must rely on detection in many cases because
the person committing the fraud may have found a new opportunity, or may
have the authority to do whatever they want, making it unlikely that we have
installed an effective preventive control. A useful part to add to the
code of conduct is a method of reporting suspected fraud. Most frauds
are detected by coworkers and managers, not by auditors. The text cautions
us to investigate allegations carefully, because many reports do not lead
to an actual fraud.
The text discusses investigation, telling us that there must be a reasonable
suspicion and management approval before an actual investigation
begins. An investigation may produce one or more of these types of evidence:
- testimonial evidence - gathered by interviews, interrogation,
or honesty tests
- documentary evidence - gathered from data, documents, notes,
or email
- physical evidence - may include fingerprints, stolen goods,
identifying numbers on recovered goods, and other classic evidence of
a crime
- personal observation - evidence that is observed by an investigator
Another
way to approach an investigation is to consider it from the elements of
the Fraud Motivation Triangle, which we have discussed. The investigation
attempts to uncover how each of the three elements (pressure, opportunity,
and rationalization) applied to the person who committed the fraud.
A third approach is to consider the three elements of the Fraud Element/Action
Triangle, which we have not discussed. It is shown on page 82, and
in the image on the right. It concentrates on three characteristics of
the crime itself:
- theft act - the investigation attempts to gather evidence of
the act or to catch the thief in the act
- concealment - the investigation looks for data and documents
about how the act was concealed
- conversion - the investigation searches for evidence that the
thief has spent, used, or sold the stolen assets
The text offers more suggestions about conducting an investigation, stressing
that one investigates to find the truth, that investigators must be impartial,
and that care should be taken not to cause human tragedy, such as the
example of an embezzler who committed suicide the night that he was contacted
about being investigated.
As discussed in a previous chapter, legal action can involve criminal
prosecution, civil prosecution, or both. Criminal prosecution has a higher
standard for finding guilt.
Chapter 4
Chapter 4 begins a detailed discussion of preventing fraud. It repeats
a story we have already seen about a bank employee who embezzled over
half a million dollars from her bank. This was not discovered until she
retired. The text points out that preventing the fraud is less
costly than discovering it and possibly never getting back the assets
that were taken. It begins its presentation on prevention with a discussion
of promoting a culture of honesty.
In the previous chapter we were told to try to hire
and retain ethical employees,
check references and backgrounds, and test for honesty early in their
time on board. The text adds a few new ideas to this group:
- do NOT ask the questions listed on page 109 that are prohibited in
job interviews, unless you can prove that they are relevant to the performance
of the job
- train those who hire staff to use approved methods of checking references
and interviewing
- state at the outset that all information given by an applicant must
be accurate, and that the applicant must swear that it is
- train staff in acceptable and unacceptable behaviors, making it clear
that unacceptable behavior will have specific consequences
- create a method for employees to report unacceptable behavior, and
make it known to all employees what that method is
- expect good behavior from employees, and make that expectation known
- establish an employee assistance program, one that allows employees
to get help with the pressures they may feel that could lead to fraud
or other misconduct
Consider the list of factors on page 116. The text tells us that they
contribute to increasing risk of fraud in a workplace. Many can be addressed
by the steps listed above.
The text turns to eliminating opportunities for fraud to occur. Consider
the points in figure 4.2. They are classic methods for reducing risk of
fraud:
- segregation of duties (preventive) - for example, purchases must be
requested and carried out by people in separate jobs, making it less
likely that the process can be abused by a single person
- authorizations (preventive) - example: acquisition, disposition, and
movement of assets must have multiple approvals
- physical controls (preventive) - restrict physical access to assets
to those who actually need it
- independent checks (detective) - conduct audits of activity by people
outside the work area, or outside the company, being audited
- documentation (detective) - require and maintain a paper/electronic
trail for all activities
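To make the five controls above concrete, here is an added example (constructed for this lesson, not code from the text) of a toy purchase workflow. The preventive controls (segregation of duties and multiple authorizations) are enforced before an action is allowed, every action is written to an audit trail (documentation), and an independent check replays a trail and reports every payment the rules would have blocked. The role names, the approval threshold, and the sample trail are all assumptions made for illustration.

```python
"""Toy purchase workflow illustrating preventive and detective fraud controls.
All names, thresholds and the sample audit trail are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DUAL_APPROVAL_THRESHOLD = 10_000  # assumed policy: larger purchases need two approvals


@dataclass
class Purchase:
    pid: str
    amount: int
    requester: str
    approvers: List[str] = field(default_factory=list)
    payer: Optional[str] = None


@dataclass
class Ledger:
    """Preventive controls live here; every action is also logged (documentation)."""
    trail: List[Dict] = field(default_factory=list)
    purchases: Dict[str, Purchase] = field(default_factory=dict)

    def _log(self, action: str, user: str, pid: str, **extra) -> None:
        self.trail.append({"action": action, "user": user, "pid": pid, **extra})

    def request(self, user: str, pid: str, amount: int) -> None:
        self.purchases[pid] = Purchase(pid, amount, user)
        self._log("request", user, pid, amount=amount)

    def approve(self, user: str, pid: str) -> None:
        p = self.purchases[pid]
        # segregation of duties: the requester may not approve their own purchase
        if user == p.requester:
            self._log("denied", user, pid, reason="requester cannot approve")
            raise PermissionError("segregation of duties: requester cannot approve")
        if user in p.approvers:
            raise PermissionError("duplicate approval by the same user")
        p.approvers.append(user)
        self._log("approve", user, pid)

    def pay(self, user: str, pid: str) -> None:
        p = self.purchases[pid]
        # authorizations: large amounts need two independent approvals
        needed = 2 if p.amount >= DUAL_APPROVAL_THRESHOLD else 1
        if len(p.approvers) < needed:
            raise PermissionError(f"{len(p.approvers)} approval(s), {needed} required")
        # segregation of duties: whoever pays must not have requested or approved
        if user == p.requester or user in p.approvers:
            raise PermissionError("segregation of duties: payer must be independent")
        p.payer = user
        self._log("pay", user, pid, amount=p.amount)


def is_blocked(fn, *args) -> bool:
    """True if the preventive control rejects the action."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def audit_trail(trail: List[Dict]) -> List[Tuple[str, str]]:
    """Detective control: an independent reviewer replays a trail (for example one
    from a system that never enforced the rules) and flags each violated rule."""
    requests: Dict[str, Dict] = {}
    approvals: Dict[str, List[str]] = {}
    findings: List[Tuple[str, str]] = []
    for e in trail:
        pid = e["pid"]
        if e["action"] == "request":
            requests[pid] = e
        elif e["action"] == "approve":
            approvals.setdefault(pid, []).append(e["user"])
        elif e["action"] == "pay":
            req = requests.get(pid)
            if req is None:
                findings.append((pid, "payment without a purchase request on file"))
                continue
            approvers = approvals.get(pid, [])
            if req["user"] in approvers:
                findings.append((pid, "requester approved own purchase"))
            independent = {a for a in approvers if a != req["user"]}
            needed = 2 if e["amount"] >= DUAL_APPROVAL_THRESHOLD else 1
            if len(independent) < needed:
                findings.append((pid, f"{len(independent)} independent approval(s), {needed} required"))
            if e["user"] == req["user"] or e["user"] in approvers:
                findings.append((pid, "payer is not independent of request/approval"))
    return findings


# Constructed sample trail from a hypothetical legacy system with no preventive controls.
LEGACY_TRAIL = [
    {"action": "request", "user": "alice", "pid": "PO-1", "amount": 500},
    {"action": "approve", "user": "bob", "pid": "PO-1"},
    {"action": "pay", "user": "carol", "pid": "PO-1", "amount": 500},
    {"action": "request", "user": "dave", "pid": "PO-2", "amount": 25_000},
    {"action": "approve", "user": "dave", "pid": "PO-2"},            # self-approval
    {"action": "pay", "user": "dave", "pid": "PO-2", "amount": 25_000},  # one person end to end
    {"action": "pay", "user": "erin", "pid": "PO-3", "amount": 900},      # no request on file
]

if __name__ == "__main__":
    for pid, reason in audit_trail(LEGACY_TRAIL):
        print(f"{pid}: {reason}")
```

Running the script prints three findings for PO-2 and one for PO-3; PO-1, where three different people requested, approved and paid, produces none. The point of the split is the one the text makes: the Ledger rules stop the abuse before it happens, but the audit function still catches it afterwards in a trail where the rules were not enforced, which is why both kinds of control are needed.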
Regarding the effectiveness of a reporting mechanism, the text presents
four elements that defeat a "whistle-blowing program"
and four elements needed for its success:
Defeating elements
- lack of anonymity
- culture of misconduct
- unclear policies about conduct
- lack of awareness of the system
Necessary elements
- anonymity
- program is independent of the people/area being reported
- several reporting channels are available, such as phone, email, web
site, or standard mail
- follow-up on reports must happen
The text also recommends, as it has before, that there be an expectation
of punishment for misconduct. The author reports that in environments
in which fraud is punished only by losing one's job, there is more fraud
than in environments that prosecute offenders.
Regular audits
that find fraud make it less likely that employees will commit fraud.
Make general information about audits available to employees, redacting
names and other identifying details before releasing it. Details
about ongoing investigations and court cases are not for general
consumption.
On page 126, we are given two graphics. The first is figure 4.4, which the text calls the current model for handling fraud in many organizations. It is a cycle with four phases:
- incident - an organization becomes aware that a fraud has taken place
- investigation - the investigation typically conducts interviews and examines documentation, and may not lead anywhere
- action - assuming a perpetrator is found, the company
typically will choose 1) to do nothing, 2) to fire or transfer the
perpetrator, or 3) fire and prosecute the perpetrator
- resolution - this phase may include replacing the employee, conducting the court case, and/or adding new controls
In the current model, the organization does not become more proactive, and the risk of more fraud is not significantly reduced.
The second graphic on page 126, figure 4.5, shows a six-step
approach to fraud. It is not a cycle, because all six steps can happen
at any time.
- tone at the top - set expectations for behavior, modeling it with top level staff
- education and training - tell staff about expectations, not
once, but regularly; they are expected to behave responsibly, to expect
punishment for misbehavior, and to report misbehavior that they suspect
- integrity and risk controls - security controls need to be
evaluated and modified when there are changes in the business of the
organization
- reporting and monitoring - the potential perpetrators should be made aware that the company is watching what everyone does
- proactive fraud detection - conduct detection efforts regularly, and make it known to employees that you are doing so
- investigation and follow-up - establish procedures for
investigation, have trained staff who do it, and establish how
resolution will be sought in all cases
An organization that follows the model above will experience
less fraud, will detect frauds that occur earlier in their execution,
and will deter staff from thinking that fraud will go unpunished.