Consider this hypothetical scenario: The external auditor for a reputable Fortune 500 conglomerate uncovers an accounting anomaly that, at first, appears innocuous. A few payments cannot be accounted for. An investigation soon leads to the embarrassing discovery that a high-level manager, over several years, had embezzled more than $10 million from the company resulting in the need for an earnings restatement and a slew of negative publicity.
Think this can’t happen in your company? Think again. Threats from fraud are dynamic. Vulnerabilities evolve based on an organization’s people, policies, processes and practices. It is, therefore, critical that organizations identify fraud risk and evaluate the potential indicia of fraud within their financial and operational processes.
For financial executives, that often begins by understanding how the organization defines fraud. Some focus on intentional acts that result in a material misstatement in financial statements, while others are more expansive and consider deception, illegal acts, falsities and the misuse or misapplication of an organization’s assets.
Organizations often define fraud in their fraud control policy, which describes its strategy and framework for how fraud is to be addressed on a proactive and reactive basis. This includes clearly defined roles and responsibilities for the evaluation, mitigation, monitoring and investigation of fraud within the organization.
No matter how an organization defines fraud, it is important that financial executives know what it means in the context of their functional area of responsibility. That means everyone from the chief financial officer, controller, treasury and cost accounting departments to the accounts payable and receivable clerks, and all those in between.
Establishing a common understanding of the types of fraud that could impact the organization is also critical to the ability of the executives to help combat fraud. Whether schemes involve fraudulent financial statements, asset misappropriation or acts of corruption involving bribery, conflicts of interest or illegal gratuities, those in finance often see indicators and patterns of fraud before other functions in the organization are able to put the pieces of the fraud puzzle together.
For that reason, it is critical that financial executives have a heightened awareness of the types of red flags — or warning signs — that raise concerns about the propriety of a transaction or the parties involved. This is particularly so as the transaction relates to compliance with the organization’s policies and procedures, as well as compliance with applicable laws and regulations.
Once the finance department identifies red flags, it is critical that they be escalated for further review prior to disbursement of a payment or execution of a transaction. Depending upon the nature and number of red flags, this ultimately may involve discussion and disposition with the chief compliance officer, chief audit executive and/or general counsel.
A list of red flags, as well as the process of responding to them, may be addressed within individual finance and accounting policies, as well as outlined in the organization’s fraud control policy.
The organization should leverage information obtained by financial executives about questionable payments and transactions, along with internal control gaps or weaknesses identified during their daily course of business, as a data point within its fraud risk assessment process.
In fact, many organizations include finance professionals on their fraud risk assessment teams in order to facilitate information gathering and discussion about key fraud risk and controls within financial processes.
As process and control owners, financial professionals also provide critical perspective in helping management to prioritize the organization’s fraud risk according to the likelihood or probability that a fraud risk event could occur, along with its significance or impact to the organization. Financial executives often have a unique and informed outlook on how well fraud controls are operating and the extent to which they actually mitigate fraud risk.
Further, in the context of global organizations, financial professionals often have keen insight regarding differences in the structure and design of financial processes, policies and controls at international locations, which is necessary when considering the organization’s ability to prevent and detect fraud risk.
Internal auditors, often working in partnership with financial executives, are focusing on fraud risk management efforts, as well (see the below, The Nature of Fraud Is Changing).
Continuous, cascading communication about fraud schemes and red flags is another factor that may impact how successful financial professionals are in helping the organization to mitigate its fraud risk. Some organizations fail to talk about these issues over fear that discussion may provoke new incidents of fraud.
To the contrary, open dialogue about fraud risk reinforces the responsibility of financial professionals to monitor and report proactively suspicious behavior or incidences of fraud, as well as to cooperate in investigations.
Many organizations now provide formal fraud risk awareness training and workshops to their finance executives. They also encourage informal discussion during regularly scheduled team meetings to help break the barrier of the once “taboo” topic of fraud.
In addition, some even provide their finance teams with a “top 10 list” of fraud schemes and red flags that is refreshed periodically in order to help the organization stay vigilant in the fight against fraud.
Though financial executives play a very important role in helping organizations to understand their fraud risks, they also are vital in the continuous monitoring of payments and transactions.
Fraud monitoring activity varies among organizations based upon their individual fraud risk profile. Some utilize sophisticated software to comb constantly through electronic data files, while others manually review the results of system-generated reports on a daily, weekly, monthly, quarterly and/or annual basis. They may also utilize vertical, horizontal and ratio analyses in order to help identify potentially troublesome transactions.
Among examples of fraud schemes that are frequently the focus of finance professionals’ monitoring activity are fictitious revenues, concealed assets and liabilities and improper asset valuation.
Fraud monitoring activities are often decentralized, lacking the necessary connectivity to identify indicators of suspicious activity efficiently and effectively across finance and operations. However, many organizations are now taking a second look at what information is required to adopt a more holistic approach to fraud monitoring and how to better leverage their accounting and enterprise resource planning systems to detect patterns, trends and anomalies in a more strategic and integrated manner.
Though financial executives consider internal and external fraud risk that may impact the organization, some fraudsters, rather unfortunately, can be found “close to home.” The 2012 Report to the Nations on Occupational Fraud and Abuse, published biennially by the Association of Certified Fraud Examiners, found that 22 percent of those perpetrating fraud were in accounting and 3.7 percent were in finance. It is therefore important that professional skepticism be applied equally in contemplation of who within an organization is susceptible to the siren call of fraud.
Fraudsters constantly adapt their methods and schemes to an organization’s internal control structure. As a result, awareness continues to be the key factor to weed out the fraud and for financial executives to help in those efforts.
Top 10 Red Flags of Fraud
For the chief financial officer and controller, red flags to watch for:
1. Controlling or domineering management personalities.
2. Significant and/or subjective judgment in estimates.
3. Frequent changes to estimate procedures.
4. Unexpected areas of profitability.
5. Recurring negative cash flows during periods of earnings growth.
6. Omissions or inaccuracies in financial data.
7. Revenue reported after established cut-off periods.
8. Rapid growth compared to peers.
9. “Abnormal” pressure or involvement of management in selection of accounting principles.
10. Write-offs for loans provided to directors, officers and management.
Examples of red flags for treasury and corporate finance are:
1. Financing that requires “quid pro quo” relationships.
2. Requests to establish bank accounts in nonoperational locations.
3. Excessive number or frequent changes in bank accounts.
4. Frequent reallocation of funds between accounts.
5. Budget activity that is repeatedly “right on the money.”
6. Recurrent reclassification of expenses.
7. Request to shift expenses between corporate entities.
8. Leasing arrangements that involve “sweetheart deals.”
9. Constant replenishment of petty cash funds.
10. Unusual ratios between budget and actual expenses.
The Nature of Fraud Is Changing — So, Too, Are the Ways to Address It
As companies rely more heavily on “big data” — both internally and externally generated — to drive decision-making, new forms of fraud are targeting this information. According to the latest results from Protiviti’s Internal Audit Capabilities and Needs Survey, more organizations recognize these new fraud risks and are looking to apply leading-edge techniques (e.g., data analytics and continuous monitoring) as part of their fraud prevention, detection and mitigation activities.
The need to improve fraud risk assessment and monitoring — while continuing to improve auditing technologies and computer-assisted audit techniques (CAATs) — points to the changing nature of fraud. As organizational use and dependence on information systems and the big data within these systems increase, fraudulent activity necessarily grows more technologically sophisticated. To keep pace in both preventing and detecting this type of fraud, organizations need to apply more sophisticated techniques and tools themselves.
The sustained drive to improve the use of CAATs and to apply new data analysis tools to auditing activities comes amid an ongoing evolution from manual, time-intensive auditing toward technology-enabled auditing practices. These leading, technology-aided processes facilitate reviews of virtually every transaction and piece of data on a continuing basis.
As organizations and their internal audit functions look to manage and mitigate the risk of fraud in an efficient and cost-effective manner, there are a number of key questions they should address.
- Are there processes in place to determine whether the internal audit function’s fraud risk management capability is current and sufficiently robust given the organization’s ever-increasing supply of data and its growing reliance on internal and external data?
- Does the internal audit function maintain an ongoing awareness of new (and often data- and information-related) fraud risks? To what degree do existing fraud prevention, detection, monitoring and investigation activities address the organization’s specific data- and information-related fraud risks?
- Does the organization sufficiently leverage data analysis and technology-enabled audits to prevent, detect, monitor and investigate fraud, as well as to ensure compliance with applicable laws and regulations?
- Does the internal audit function, and the organization as a whole, recognize the value that continuous auditing, continuous monitoring, and other data-analytics tools and capabilities bring to the internal control environment (and to internal audit’s advisory capabilities)?
- What computer-assisted audit techniques and data-analytics tools does the internal audit function currently utilize? Are there opportunities to upgrade existing tools and/or add new tools in a way that will increase the effectiveness and cost-efficiency of internal audit’s work?
- To what degree are management and business process owners involved in continuous auditing and continuous monitoring efforts, and where are there opportunities to strengthen this collaboration?
For more information, read the 2013 Internal Audit Capabilities and Needs Survey Report, available at www.protiviti.com/IASurvey
Pamela Verick is a director in Protiviti’s Investigations & Fraud Risk Management practice and responsible for its fraud risk management offerings.