ITS 4450 - Fraud Risk Assessment Tools and Investigation


Chapter 3, Fighting Fraud: an Overview, Chapter 4, Preventing Fraud

This lesson presents some background material from chapters 3 and 4. Objectives important to this lesson:

  1. Ways to fight fraud
  2. Detection
  3. Investigation
  4. Legal action

  5. Expect honesty or dishonesty?
  6. Culture of honesty
  7. Removing opportunities
  8. Summary of concepts
  9. Comprehensive approach
  10. Default model
  11. Recommended model
Concepts:
Chapter 3

The author tells us that this chapter is an overview of the rest of the text, so we will get more details about each of the topic in it in later chapters. After that statement, the chapter presents a new example case. The company in the example suffered large losses to three frauds, causing the company to seek better protection from them. This takes us to the discussion of methods to fight fraud.

We are introduced to four methods to fight fraud:

  • prevention - the most cost effective method, since it prevents losses: try to reduce pressures and opportunities, which makes it take more rationalization to commit a fraud
  • early detection - finding a fraud before it grows to its full potential
  • investigation - looking for evidence of the fraud
  • legal follow-up action/resolution - prosecution or other resolution choices

Under the topic of prevention, the text recommends two steps: create a culture of honesty and ethics, and mitigate the risk of fraud by eliminating opportunities.

So how do we create a culture?

  • lead by example: make it known that your executives are acting and working honestly
  • try to hire and retain ethical employees: check references and backgrounds, and test for honesty early in their time on board
  • write, teach, and remind staff of a code of conduct that requires honesty; such codes are required by the Sarbanes-Oxley Act of 2002
  • create and maintain a positive work environment; on page 75, the text presents a list of ten factors that make an environment less positive
  • adopt a policy of handling fraud that deals effectively with it and with those who do it

The text warns us that 40% of people (executives or "regular" employees) will behave dishonestly if their personal ethics tell them to do so. 30% will be honest, and 30% will be dishonest at every opportunity. This should reinforce the importance of reducing the number of opportunities for dishonesty.

The text moves on to discuss assessing and mitigating risks.

  • determine where a fraud is possible in your organization, and create controls to make it less possible
  • determine what jobs are more likely to have opportunity to commit a fraud, and create preventive and detective controls around those jobs
  • determine what types of fraud are still possible after the controls have been implemented, and install controls to detect those particular acts
  • monitor the actions of employees
  • use internal and external auditors to check actions and controls

It is worth pausing here to remember a few details about controls. Controls are meant to reduce risk, not just of fraud, but of any attack against the organization. Security controls can be devices, procedures, or policies that are meant to increase security for an enterprise. Increasing security can also be described as decreasing risk. We can classify security controls as one of two types:

  • administrative controls - These include the procedures to create security policies and the security policies themselves. Security policies are rules about "the actions that users may do, must do, and cannot do".
  • technical controls - Actions that are performed by devices (technical solutions).

Both types of controls have the same subtypes:

  • deterrent controls - used to discourage attacks; applied before an attack; example: warning attackers that we are protected
  • preventive controls - used to prevent attacks; applied before an attack; example: using a firewall to block traffic for specific ports
  • detective controls - used to detect an attack or intrusion; applied during an attack; example: using a Intrusion Detection System
  • compensating controls - alternative controls that are used when normal controls are not possible; applied during an attack; example: disabling switch ports to isolate devices or LAN segments
  • corrective controls - used to reduce damage and restore to service; applied after an attack; example: using an emergency cleaning program on a USB memory stick, so that a computer can be usable

The text emphasizes that preventative and detective controls are most effective for fraud. We must rely on detection in many cases because the person committing the fraud may have found a new opportunity, or may have authority to do whatever they want, making it unlikely that we have installed an effective preventive control. A useful part to add to the code of conduct is a method of reporting suspected fraud. Most frauds are detected by coworkers and managers, not by auditors. The text cautions us to investigate allegations carefully, because many reports do not lead to an actual fraud.

The text discusses investigation, telling us that there must be a reasonable suspicion and management approval for an actual investigation to begin. An investigation may produce one of more of these types of evidence:

  • testimonial evidence - gathered by interviews, interrogation, or honesty tests
  • documentary evidence - gathered from data, documents, notes, or email
  • physical evidence - may include fingerprints, stolen goods, identifying number on recovered goods, and other classic evidence of a crime
  • personal observation - evidence that is observed by an investigator

Another way to approach an investigation is to consider it from the elements of the Fraud Motivation Triangle, which we have discussed. The investigation attempts to uncover each of the three elements that contribute to the fraud that are descriptive of the criminal.

A third approach is to consider the three elements of the Fraud Element/Action Triangle, which we have not discussed. It is shown on page 82, and in the image on the right. It concentrates on three characteristics of the crime itself:

  • theft act - the investigation attempts to gather evidence of the act or to catch the thief in the act
  • concealment - the investigation looks for data and documents about how the act was concealed
  • conversion - the investigation searches for evidence that the thief has spent, used, or sold the stolen assets

The text offers more suggestions about conducting an investigation, stressing that one investigates to find the truth, that investigators must be impartial, and that care should be taken not to cause human tragedy, such as the example of an embezzler who committed suicide the night that he was contacted about being investigated.

As discussed in a previous chapter, legal action can involve criminal prosecution, civil prosecution, or both. Criminal prosecution has a higher standard for finding guilt.

Chapter 4

Chapter 4 begins a detailed discussion of preventing fraud. It repeats a story we have already seen about a bank employee who embezzled over half a million dollars from her bank. This was not discovered until she retired. The text points out that preventing the fraud is less costly than discovering it and possibly never getting back the assets that were taken. It begins its presentation on prevention with a discussion of promoting a culture of honesty.

In the previous chapter we were told to try to hire and retain ethical employees, check references and backgrounds, and test for honesty early in their time on board. The text adds a few new ideas to this group:

  • do NOT ask the questions listed on page 109 that are prohibited in job interviews, unless you can prove that they are relevant to the performance of the job
  • train those who hire staff to use approved methods of checking references and interviewing
  • state at the outset that all information given by an applicant must be accurate, and that the applicant must swear that it is
  • train staff in acceptable and unacceptable behaviors, making it clear that unacceptable behavior will have specific consequences
  • create a method for employees to report unacceptable behavior, and make it known to all employees what that method is
  • expect good behavior from employees, and make that expectation known
  • establish an employee assistance program, one that allows employees to get help with the pressures they may feel that could lead to fraud or other misconduct

Consider the list of factors on page 116. The text tells us that they contribute to increasing risk of fraud in a workplace. Many can be addressed by the steps listed above.

The text turns to eliminating opportunities for fraud to occur. Consider the points in figure 4.2. They are classic methods for reducing risk of fraud:

  • segregation of duties (preventive) - for example, purchases must be requested and carried out by people in separate jobs, making it less likely that the process can be abused by a single person
  • authorizations (preventive) - example: acquisition, disposition, and movement of assets must have multiple approvals
  • physical controls (preventive) - restrict physical access to assets to those who actually need it
  • independent checks (detective) - conduct audits of activity by people outside the work area, or outside the company, being audited
  • documentation (detective) - require and maintain a paper/electronic trail for all activities

Regarding the effectiveness of a reporting mechanism, the text presents four elements that defeat a "whistle blowing program" and four elements needed for its success:

Defeating elements

  • lack of anonymity
  • culture of misconduct
  • unclear policies about conduct
  • lack of awareness of the system

Necessary elements

  • anonymity
  • program is independent of the people/area being reported
  • several reporting channels are available, such as phone, email, web site, or standard mail
  • follow-up on reports must happen

The text also recommends, as it has before, that there be expectation of punishment for misconduct.The author reports that in environments in which fraud is punished only by losing one's job, there is more fraud than in environments that prosecute offenders.

Regular audits that find fraud make it less likely that employees will commit fraud. Make general information about audits available to employees, redacting names and other identifying information from such information. Details about ongoing investigations and court cases are not for general consumption.

On page 126, we are given two graphics. The first is figure 4.4, which the text calls the current model for handling fraud in many organizations. It is a cycle with four phases:

  1. incident - an organization becomes aware that a fraud has taken place
  2. investigation - the investigation typically conducts interviews and examines documentation, and may not lead anywhere
  3. action - assuming a perpetrator is found, the company typically will choose 1) to do nothing, 2) to fire or transfer the perpetrator, or 3) fire and prosecute the perpetrator
  4. resolution - this phase may include replacing the employee, conducting the court case, and/or adding new controls

In the current model, the organization does not become more proactive, and the risk of more fraud is not significantly reduced.

The second graphic on page 126, figure 4.5, shows a six step approach to fraud. It is not a cycle, because all six steps can happen at any time.

  1. tone at the top - set expectations for behavior, modeling it with top level staff
  2. education and training - tell staff about expectations, not once, but regularly; they are expected to behave responsibly, to expect punishment for misbehavior, and to report misbehavior that they suspect
  3. integrity and risk controls - security controls need to be evaluated and modified when there are changes in the business of the organization
  4. reporting and monitoring - the potential perpetrators should be made aware that the company is watching what everyone does
  5. proactive fraud detection - conduct detection efforts regularly, and make it known to employees that you are doing so
  6. investigation and follow-up - establish procedures for investigation, have trained staff who do it, and establish how resolution will be sought in all cases

An organization that follows the model above will experience less fraud, will detect frauds that occur earlier in their execution, and will deter staff from thinking that fraud is not going to go unpunished.


Assignments

  1. Continue the reading assignments for the course.
  2. Complete the assignments and class discussion made in this module.