Fraud Detection & Incident Response ACFE Central Carolina Chapter November 4, 2019 [email protected] www.FraudPreventionPro.com (970) 926-0355



Hall Consulting, Incorporated
Office: (970) 926-0355
PO Box 6263
Mobile: (312) 560-9931
Denver, CO 80206
John@JohnHallSpeaker.com

ABOUT YOUR SPEAKER

John J. Hall, CPA

John J. Hall, CPA is the President of Hall Consulting, Inc., the creator of www.FraudPreventionPro.com, and the author of the award-winning book “Do What You Can! Simple Steps–Extraordinary Results”. He has been a business consultant, results coach and speaker for most of his 43-year career. Through live and on-line training programs, conference keynote and technical presentations, business consulting engagements, John helps program participants and client team members:

• Identify and improve areas of exposure to business risk, wrongdoing, and fraud
• Improve organizational and personal performance
• Enhance the effectiveness of business processes and individual behavior
• Improve interpersonal and communications skills

Speaking, training, coaching and consulting areas include:

• Fraud Risk Management: prevention, deterrence, early detection and effective incident response
• Business keynote and conference presentations
• Communication and interpersonal behavior skills programs, including:
  ✓ Establishing business rapport and trust
  ✓ Effective interviewing and listening
  ✓ Speaking and presenting
  ✓ Selling ideas and influencing others to take action
  ✓ Leadership, collaboration and influence
  ✓ Consulting skills for professionals
• Intensive One-to-One and small group performance and results coaching
• Board and senior management anti-fraud consulting
• Audits of costs incurred in large construction projects and other contractor services

In addition to operating his speaking, training and business consulting firm since 1990, he has worked in senior leadership positions in large corporations and international public accounting and consulting firms. John is a Certified Public Accountant (Pennsylvania). He is an active member of the National Speakers Association, the American Institute of CPAs, and the Institute of Internal Auditors.

Meet John at www.FraudPreventionPro.com


LET’S GET STARTED

DISCUSSION QUESTIONS

1. Please complete: “From this fraud seminar, I want to be better able to:
2. One question I have about fraud is:

YOUR PAST CASES AND LESSONS LEARNED

GROUP DISCUSSION: From one past case about which you have knowledge, summarize for your group:

1. What happened?
2. How did it get caught?
3. List ‘red flags’ that were present.
4. One lesson learned from the case

What happened? The (insert title) committed fraud by:

Here’s how it was caught:

Red Flags that were present included:

One lesson we learned from this case is:


FRAUD RISK MANAGEMENT FRAMEWORK

LEVEL 1: FRAUD DETERRENCE AND PREVENTION

1) Visible and vocal leadership
2) Policies on Fraud Responsibilities
3) Active ongoing fraud risk brainstorming
4) Anti-fraud controls
5) Anti-fraud behaviors
6) Anti-fraud “How To” skills training

LEVEL 2: EARLY FRAUD DETECTION

1) Clear statement of detection responsibilities and accountability
2) Detection-based internal controls and behaviors
3) Detection-based examination and audit project steps
4) Effective trusted hotlines
5) Other tip sources
6) Monitoring for red flags and other fraud indicators
7) Special focus on third-party relationships

LEVEL 3: EFFECTIVE FRAUD HANDLING

1) Managers and employees know what happens when the alarm sounds
2) Investigation
3) Loss recovery (including insurance claims and litigation)
4) Control weaknesses are addressed
5) Coordination with law enforcement, prosecutors and other authorities
6) Publicity issues
7) Human resources issues
8) Employee morale issues

Organizations and their auditors must be prepared to address fraud risks at all three levels.


AUDIT / INVESTIGATION FLOW DIAGRAM

[Flow diagram. Box labels: Tip, Audit, Exception, Pattern, Control Weakness, Review Of Records, Interviews, Interrogation, Case File, Audit Report, Bonding Claim, Insurance Company, Law Enforcement]


THREE-STEP FRAUD DETECTION

I. ‘THINK LIKE A THIEF’ PROJECT BRAINSTORMING

Look at identified weaknesses and other opportunities from the perspective of how they could be exploited. Documentation should include specific fraud risks identified and a clear bridge to specific project steps, controls and behaviors targeted at detection of related fraud incidents.

II. USE DISCOVERY TECHNIQUES AGGRESSIVELY

a) Discovery or Attribute Testing.

These tests have as their purpose surfacing the visible signs of wrongdoing. Such testing can be directed at either electronic or manual records. The use of electronic data analysis tools makes the efficient search of large populations possible.

b) Detection-Focused Interviews.

Targeted interviewing techniques can be an efficient method for surfacing hidden information. They are used to get the “human” information not available in records. In situations where the signs of fraud might not be in the records, the interview may be the only method available to surface needed information.

c) Monitoring for Fraud Indicators.

Examples include:

• Internal information used by management to find problems in operations
• Reconciliations, closing entries, adjustments, override transactions and other available information showing a deviation from normal results
• Recurring software-based inquiries

III. DETERMINE THE CAUSE OF ALL FRAUD INDICATORS SURFACED

All indicators surfaced should be investigated as to their cause. Follow up on fraud indicators, symptoms and red flags may lead to the discovery of wrongdoing. It also may surface other important non-fraud issues. Either result justifies following all observed indicators through to the determination of their Root Cause.


BRAINSTORMING RISKS AND EXPOSURES

The ________________________________________ Could ________________________________________

_________________________________________________________________

                                      RED FLAGS / INDICATORS

COMMIT
___________________________________ ______________________________
___________________________________ ______________________________
___________________________________ ______________________________

CONVERT (benefit)
___________________________________ ______________________________
___________________________________ ______________________________
___________________________________ ______________________________

CONCEAL
___________________________________ ______________________________
___________________________________ ______________________________
___________________________________ ______________________________

DETECTION STEP(S)
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________


FRAUD INDICATORS, BEHAVIORS, AND RESPONSE

DISCUSSION QUESTIONS

1. From a past fraud case, identify a symptom or indicator of the fraud that was present in the records.
2. List two fraud risks and related red flags relevant to your organization. Be specific.

BEHAVIOR WARNING SIGNS

The most reliable indicators are those that appear in transaction records. Also important are behaviors that are often observed in those committing wrongful acts.

• Refusing to share transaction information and support that should be available to others with a legitimate need to know
• High volume of business is directed to suppliers for no apparent reason
• Excessive entertainment or gifts from suppliers
• Tips or complaints about an individual’s behavior
• Unusual travel or work time patterns
• Living well beyond one’s means with no reasonable explanation
• Rationalization of contradictory behavior
• Excessive gambling or other speculation
• Substance abuse
• Not taking vacations or time off for more than two or three days

Special caution should be demonstrated in following up on behavior symptoms. Be sensitive to privacy. Ask yourself, “If this behavior I observe makes me uncomfortable for some reason, what wrongful actions might the individual be taking in their job that might be evidenced by behavior I see?” React to the fraud exposure, not to the behavior. Look in the records to see if a wrongful act is occurring. Better still – call for help!

AVOID OVERREACTING TO FRAUD INDICATORS. Follow up on the indicator to determine the true cause.


DETECTION-FOCUSED INTERVIEWS

1. Most people we interview believe telling the truth is the morally right thing to do.
2. We have all learned that lying successfully allows us to avoid punishment.
3. Our goal is to create a non-accusatory structured interview where the subject’s verbal and nonverbal behaviors become indicative of truth or deception.
4. Experience-based judgment and common sense are needed to analyze patterns and draw conclusions.

ADEQUATE INTERVIEW PREPARATION IS CRITICAL

1. Background information – personal, physical, mental, attitude

2. Time Lines, Flowcharts and Relationship Charts

3. Possible motives and related theme

4. Use a script?

5. Creating a record of the interview

6. Include a witness?

7. Handling reluctance on the part of the interviewee

8. Denial of access to records

9. Written confirmation

10. Location and room arrangements

11. Contaminants

12. Remember: people lie, embellish, bend and shade the truth

13. Other preparation issues from your experience:


MONITORING and DATA ANALYTICS

1. Standard reconciliations
2. Top performance
3. Poor performance
4. Timing differences
5. Suspense accounts and clearing accounts
6. Complaints
7. Overtime by employee
8. Top travelers and earners
9. Consulting and other third party services billings
10. Warranty activity
11. Adjustments and overrides:
    · sales prices
    · receivable accounts
    · cash accounts
    · inventory
12. Closing entries
13. Failures
14. Common names or addresses for refunds or credits
15. Goods purchased in excess of needs / slow turnover
16. Duplicate payments
17. Regular meetings with key executives


PROCUREMENT FRAUD BRAINSTORMING (Remember the 3 C’s: Commit, Convert, Conceal)

1. Fraud Risk Description (WCGW?):

2. Red Flags, Symptoms, and Indicators in Records or Behavior (WWILL?):

3. Steps Managers Can Take To Prevent This:

4. Steps Managers, Fraud Examiners or Auditors Could Take To Catch It:


PURCHASING, ACCOUNTS PAYABLE AND VENDOR FRAUD

1. Payment of invoices to a fictitious or otherwise manipulated entity

The embezzler establishes a fake entity or has control over a real entity, and enters transactions into the payments stream through the vendor master file or as a one-time payment vendor. An invoice is produced and processed. Funds are diverted by check or electronic payment.

2. Kickback or other similar incentives are used to:

a) Allow the vendor to submit fraudulent billing and approve the payment (goods never received or services never performed, billing more than once for the same item, providing low quality items but billing for the higher quality)
b) Allow excess purchase of property or services
c) Facilitate bid rigging
d) Maintain the relationship

3. Common Red Flags, Symptoms and Indicators

Fictitious vendors and related payments schemes:

a) Photocopied invoices, invoices with signs of tampering, or invoices on plain paper when preprinted forms might be expected
b) No phone number on the invoice; no tax ID number on file
c) Address, tax ID number or phone number is the same as an employee, another vendor or a related party
d) Vendor names are a “knockoff” of a well-known business (‘IBN Consulting’)
e) The amount of invoices falls just below approval threshold levels
f) Invoice numbers from vendors occur in an unbroken consecutive sequence

Kickbacks:

a) High level manager handles all matters related to a vendor even though this level of attention might be outside or below normal duties
b) Vendors receive a large amount of business for no apparent business reason
c) Prices from a particular vendor are unreasonably high when compared to others, and/or quality of goods or services received from a vendor is low
d) Tips or complaints from other employees or honest vendors
e) Key contracts awarded with no formal bid process
f) Purchase of excess goods

4. Four Examples:

a) Fruit Trees in Las Vegas
b) Elevator / Escalator Maintenance
c) Dixon, Illinois
d) The Controller
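Three of the record-based red flags listed above (a vendor address that matches an employee's, invoice amounts just below an approval threshold, and unbroken consecutive invoice numbers) can be tested directly against the vendor master file and payment history. The following is an added example, not part of the seminar material; the record layout, the sample data, the threshold value and the 5% band are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (illustrative only; not data from the seminar).
EMPLOYEES = [
    {"id": "E100", "address": "12 Oak Street, Apt. 4, Springfield"},
    {"id": "E101", "address": "900 Market Ave Suite 210, Springfield"},
]
VENDORS = [
    {"id": "V1", "address": "77 Industrial Rd, Springfield"},
    {"id": "V2", "address": "12 OAK ST APT 4 SPRINGFIELD"},
]
INVOICES = [  # (vendor id, vendor's invoice number, amount)
    ("V1", "NS-2041", 1200.00), ("V1", "NS-2107", 6400.00),
    ("V1", "NS-2230", 310.50),
    ("V2", "1001", 4950.00), ("V2", "1002", 4875.00),
    ("V2", "1003", 4990.00), ("V2", "1004", 2100.00),
]
APPROVAL_THRESHOLD = 5000.00  # assumed single-approver limit

ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd",
                 "suite": "ste", "apartment": "apt"}


def normalize_address(address):
    """Lower-case, strip punctuation and collapse common abbreviations."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", address.lower()).split()
    return " ".join(ABBREVIATIONS.get(tok, tok) for tok in tokens)


def address_matches(vendors, employees):
    """Return (vendor id, employee id) pairs sharing a normalized address."""
    by_address = defaultdict(list)
    for emp in employees:
        by_address[normalize_address(emp["address"])].append(emp["id"])
    return [(v["id"], emp_id) for v in vendors
            for emp_id in by_address.get(normalize_address(v["address"]), [])]


def near_threshold(invoices, threshold, band=0.05, min_count=2):
    """Vendors with repeated invoices in the band just under the threshold."""
    floor = threshold * (1 - band)
    hits = defaultdict(list)
    for vendor_id, number, amount in invoices:
        if floor <= amount < threshold:
            hits[vendor_id].append(number)
    return {v: nums for v, nums in hits.items() if len(nums) >= min_count}


def consecutive_runs(invoices, min_run=3):
    """Vendors whose invoice numbers form an unbroken run of min_run or more.

    A real vendor bills other customers too, so gaps are expected.
    """
    numbers = defaultdict(set)
    for vendor_id, number, _ in invoices:
        match = re.search(r"(\d+)$", number)
        if match:  # skip invoice numbers with no trailing digits
            numbers[vendor_id].add(int(match.group(1)))
    flagged = {}
    for vendor_id, nums in numbers.items():
        runs, run = [], []
        for n in sorted(nums):
            if run and n == run[-1] + 1:
                run.append(n)
            else:
                if len(run) >= min_run:
                    runs.append(run)
                run = [n]
        if len(run) >= min_run:
            runs.append(run)
        if runs:
            flagged[vendor_id] = runs
    return flagged


def screen_vendors(vendors, employees, invoices, threshold):
    """Combine the three tests; a hit is an indicator to follow up, not proof."""
    flags = defaultdict(list)
    for vendor_id, emp_id in address_matches(vendors, employees):
        flags[vendor_id].append(f"address_match:{emp_id}")
    for vendor_id in near_threshold(invoices, threshold):
        flags[vendor_id].append("near_approval_threshold")
    for vendor_id in consecutive_runs(invoices):
        flags[vendor_id].append("consecutive_invoice_numbers")
    return {v: sorted(f) for v, f in flags.items()}


if __name__ == "__main__":
    result = screen_vendors(VENDORS, EMPLOYEES, INVOICES, APPROVAL_THRESHOLD)
    for vendor_id, found in result.items():
        print(vendor_id, found)
```

Each flag only surfaces a vendor for review; the cause still has to be determined from the underlying records.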


20 DETECTION SUGGESTIONS – PROCUREMENT & CONTRACTING

1. Analyze bids, looking for patterns by vendor or purchasing agent

2. Confirm losing bids and failure to respond to bids and Requests for Quotations

3. Audit vendors – transaction records, T&E, 1099’s

4. Surprise count and inspect at receiving points

5. Match PO, proof of receipt, and invoice

6. Observe inventory held by others

7. Observe highly tempting items

8. For sole source vendors, confirm existence, prove ownership, test prices, find other sources, and analyze usage volumes. Verify sole source justification

9. Reconcile inventory, purchases and usage of items subject to pilferage

10. Audit rental of equipment, including equipment rental used by contractors

11. Verify accuracy of items that must be stored in containers (gases, liquids, other)

12. Audit areas where vendors come in, take stock of existing levels, and replenish stocks on their own

13. Audit purchases that do not go through normal purchasing procedures

14. Audit maintenance agreements

15. Audit property management agreements

16. Audit costs on cost-plus agreements to original documentation. Look for creative interpretations of the term “cost” by vendors or contractors

17. Pull LexisNexis and D&B reports, and enter vendor names into press databases

18. Use computer to look for multiple PO and split bills

19. Confirm delivery locations

20. Verify address and other master file changes by vendor


FRAUD EXPOSURES IN CONTRACTING

A. ESTABLISHMENT OF CONTRACT PRICES AND OTHER TERMS

1. Type of Contract (Compensation Basis)

2. Competitive Bidding (selection on the basis of price)

a) Bid Rigging, Collusion, Price Fixing
b) Assumption of “integrity” on the bid process

3. Negotiation (selection based on other factors, with or without regard to price)

a) Sole Source
b) Bidding that appears to be competitive
c) Related Parties or other Non-Competitive Sources

4. Change Orders

B. COST OF THE WORK ISSUES (Cost pass thru-type arrangements)

1. Self-performed work
2. Cost shifting / mischarging
3. Inaccurate / inappropriate cost accounting
4. Inaccurate / inappropriate billing methodologies (including multi-level risk)

C. SPECIFIC FRAUD EXPOSURES

1. Material substitution
2. Using vendors other than those proposed
3. Defective Pricing
4. Buyouts of subcontracted work
5. Labor and related labor burden

a) Raw labor – hours and/or rates
b) Labor burden – taxes, insurance, benefits, other allowances (tools)
c) Fully loaded rates
d) “Errors” in methodologies

• Allocation of indirect costs to direct cost pool (allocation basis)
• Application of correct rates to incorrect base (e.g.: union fringes)
• Incorrect application of method (overhead rates)

D. COST ACCOUNTING EXPOSURES (by type of contract)

1. Labor and related labor burden
2. Non-reimbursable costs
3. Subcontract costs
4. General conditions
5. Falsification of records


COOKING THE FINANCIAL BOOKS

1. REVENUE RECOGNITION

a) Recording fictitious sales to nonexistent customers and recording phony sales to legitimate customers – These schemes normally occur near the end of an accounting period and may involve the issuing of some form of de facto reversal of the sale soon after the end of the accounting period.

b) Recording revenue on transactions that do not meet the revenue recognition criteria – May include transactions where right of return exists, “bill-and-hold” transactions, accelerated “percentage-of-completion” recognition, and transactions where the earnings process is not complete.

c) Recognizing revenue in the wrong period – Most common is recognition of revenue on anticipated future sales. Often involves altering dates on shipping documents or keeping the records open until the shipment has occurred.

2. OVERVALUED ASSETS

a) Inflating the value or quantity of inventory on the balance sheet (PharMor)
b) Capitalization of costs that should have been expensed (WorldCom)
c) Including non-business assets on the balance sheet (boats and exotic cars)
d) Failure to recognize impairment losses on long-lived assets

3. UNDERREPORTED LIABILITIES

a) Recognition of assets without related ‘liability effect’ (Enron)
b) Understating accounts payable by recording purchases in subsequent accounting periods, overstating purchase returns, or falsifying documents that make it appear that liabilities have been paid off
c) Failure to record all debt or other liabilities, or recognize contingent liabilities
d) Underreporting future obligations such as warranty costs

MANIPULATING NON-FINANCIAL RESULTS

1. VW, Mitsubishi, Nissan and Chrysler

2. ‘Shadow Curriculum’ for elite athletes

3. Side effects from drugs

4. Family Connections

5. School district standardized test results cheating


FRAUD RISK MANAGEMENT FRAMEWORK

LEVEL 1: FRAUD DETERRENCE AND PREVENTION

LEVEL 2: EARLY FRAUD DETECTION

LEVEL 3: EFFECTIVE FRAUD HANDLING

1) Managers and employees know what happens when the alarm sounds
2) Investigation
3) Loss recovery (including insurance claims and litigation)
4) Control weaknesses are addressed
5) Coordination with law enforcement, prosecutors and other authorities
6) Publicity issues
7) Human resources issues
8) Employee morale issues

OBJECTIVES OF INVESTIGATIONS

1. Discover the truth (and the potential deception)

2. Protect innocent parties

3. Document the facts

4. Provide a foundation for removal of wrongdoers

5. Support action by the authorities

6. Support recovery of losses

7. Protect the organization

8. Protect the auditors / investigators

9. Identify and correct any weakness exploited


FRAUD RESPONSE IN PLACE & READY – BEFORE IT’S NEEDED

Identify the skills and relationships that will be needed when fraud is detected, and assemble the team in advance. Craft the message you want to deliver to employees, customers, the press and others. Know who will be authorized to investigate, handle requests for information, and interface with any outside parties.

Incident response resources:

1. Experienced investigators

2. Forensic accountants

3. Information technology experts

4. Computer forensics experts

5. Other technical specialists

6. Security / Loss prevention

7. Internal auditors

8. Human resources

9. Legal and compliance

POTENTIAL BARRIERS TO EFFECTIVE INVESTIGATIONS

1. Failure to recognize fraud as fraud
2. Management commitment and doubt
3. Some executives, attorneys, and human resources leaders
4. Fear of litigation (both legitimate and anecdotal)
5. Labor relations
6. Suspect knows of other fraud (especially fraud for the organization)
7. Suspect is a top performer
8. Suspect is politically protected
9. Uncertainty or conflict over responsibility for investigation
10. Bias in investigations


INVESTIGATIONS - WHAT COULD GO WRONG?

DISCUSSION QUESTIONS

Some say that Murphy’s Law - “Everything That Could Go Wrong Will Go Wrong” - is in full effect during investigations. Here is a short list of things that could easily go wrong during our work while in “investigative mode”.

a) What action could you take to mitigate each risk?

b) Based on your experience, what additional risks should we add to this list?

1. Exceeding our stated authority

2. Uncertainty about access to facilities, offices, files, desk drawers, company vehicles, and electronic data

3. Uncertainty about taking possession of original documents

4. Access to personal property (brief cases, computer bags, purses, toolboxes, lockers, lunch pails, vehicles, other)

5. Threats – explicit or implicit

6. Legal concerns

7. Career concerns

8. Safety concerns

9. ‘He said – she said’ results of interviews and informal discussions

10. Documents misplaced

11. Disposition of ‘To-Do’ lists

12. Past audit findings and reports

13. Management barriers

14. Others from your experience:


INVESTIGATION MANAGEMENT OVERVIEW

1. Investigation is not for everyone. There are inherent risks, and things can go wrong. The auditor or examiner may be lied to, attacked as to qualifications and professionalism, and subject to scrutiny they have not experienced in the past.

2. Don’t investigate without a policy. Make sure of your authority and the limits of that authority. Ask: “What will the organization do if I’m sued?” And get a solid answer – preferably in writing. The auditor or examiner is not a deep pocket. But a tactical suit may be aimed at discrediting the individual who performed the work – and thereby weakening the conclusions in the eyes of others.

3. Do not do anything that is unauthorized or illegal.

4. There should be clear policy on when to report to law enforcement or other governmental authorities.

5. Each fraud incident is unique. Although there are many similarities in fraud cases, there is nothing completely identical from one investigation to another. The actual scope, methodology and strategy in each investigation will vary. However, there are efficiency opportunities from building lists of helpful investigative practices.

a) Develop a Fraud Investigation Checklist. It should include typical steps to be performed and sources of information.

b) Consider developing an Investigative Resource Guide. Keep track of the types of information needed during an investigation and the sources used to find it. Use the Guide as a tool on investigations and keep it current.

6. Case Reports for Executive Management:

a) Speak to intent: Was it an error or on purpose
b) Who did it? Who else was involved?
c) Extent of the loss
d) Recovery potential or status
e) How it was done and the internal control implications

7. Reports for law enforcement and insurance companies:

a) Sequence of events
b) Relevant company policies and procedures
c) Copies of documents
d) Reference review by counsel
e) Exclude internal control implications?


TRAVEL EXPENSES INTERVIEW

You have been asked by your supervisor to interview a mid-level manager about discrepancies in that manager’s expense reports over the past three months. This manager is a 29-year-old female. The request occurred because a reviewer in the accounting area noticed what they described as “unusual activity over several months, including both charges and credits, on the manager’s company credit card.” Copies of the related expense reports and support were emailed to you this morning, and your quick review leads you to believe that the questions are legitimate. For example, you notice that explanations for dinners routinely indicate only “business dinner” as the purpose of a meal, entertainment expenses while traveling appear to be excessive, and cash expenditures for taxis, meals and other cash items seem high for the locations visited.

DISCUSSION QUESTIONS

1. List two things that you should consider as you plan this interview.

a)
b)

2. List two things that could go wrong during this interview. How will you prepare for these possible challenges?

a)
b)


EXERCISE: WHAT WOULD YOU DO NEXT?

1. EMPLOYEE AND VENDOR ADDRESS MATCH

Audit performed a data match of vendor addresses and employee addresses. There was one confirmed match: an IT consultant and one of our mid-level supervisors in Princeton NJ. A quick review of the charges from this consultant shows activity of just over $60,000 from nine invoices spread over the last two years. What would you do next?

2. CONFIDENTIAL DATA LOSS?

Our IT security team identified a pattern of outbound emails from a supervisor with Excel spreadsheets attached. These emails are addressed to the employee’s Google Gmail account, and the spreadsheets appear to contain customer and employee data. The issue has been referred to the audit department for follow up and disposition. What would you do next?

3. SHADING OF OPERATING RESULTS

The corporate financial reporting team recently reached out to auditing about a growing number of monthly closing journal entries at one division. These entries appear to manipulate reserves and other accrual accounts. The net result seems to be an attempt to smooth reported expenses and resulting earnings to better match budget expectations. What would you do next?

4. POTENTIAL FCPA VIOLATION

The legal staff received an anonymous tip in a letter. The tip alleges that one of our managers in India mentioned making payments to a local zoning official in connection with the renovation construction of one of our facilities. No further details were provided. What would you do next?