2 Fraud Detection
CHAPTER 2 OCCUPATIONAL FRAUD IS DIFFICULT to detect. While companies have policies and procedures in place, an employee committing fraud tries to circumvent those policies and procedures. The employee is a trusted employee who has legitimate access to various systems and, in the course of their duties, would learn how the systems work. They are well versed in the workings of the business in the normal course of their duties and would have encountered weaknesses in the system. In fact, the employee is likely to have worked around the normal procedures to resolve an issue on behalf of the employer. These sanctioned attempts in circumventing normal procedure would expose a weakness in the system. While policies and procedures are good at stating the employer’s position and also designed to bring common errors and mistakes to light, an employee committing fraud is not making a mistake but deliberately circumventing the systems. Added to this, the employee attempts to use various methods to conceal their actions. Lies are told. Documents are falsified. Transaction recordings are misrepresented. Internal controls are abused. It is impossible for any business to operate efficiently if too many restrictions or controls are put in place to thwart fraud. Employees must be trusted to perform their duties diligently and honestly. They are trusted with assets, tools, and information to do this. Even with honest employees, flaws in the systems or unintentional errors on the part of employees also produce errors. One must balance the risk of potential fraud and the continued operations of an ongoing business concern. We can only observe indicators, symptoms, or red flags of fraud. Once detected, they should be investigated to determine whether there is actual fraud. There will be large numbers of false positives in this area. Because of the volume, many of these are not given the attention that they deserve. For instance, after clearing a recognized symptom in a particular area, other red flags in the same area may be dismissed. Red flags may be internal control irregularities, accounting anomalies, analytical anomalies, tips, and behavioral changes. Business systems are in place to operate a business efficiently. Recording transactions is part of this process. Throughout the processes, there are controls to ensure that the business runs smoothly, safeguards assets, and has accurate recording and reporting. Fraud prevention, deterrence, and detection are objectives of internal controls. Internal control overrides or weaknesses contribute to the most common types of frauds and compromise the purpose of fraud prevention and deterrence. In some cases, there is a legitimate reason to circumvent an internal control. For instance, where there is a new situation not originally contemplated in the design of the control, employees deliberately look for ways to effectively do their job and carry on with the business process. These actions may or may not be formally sanctioned. Good internal control includes: Detection techniques should be focused on any weaknesses in internal controls. Irregularities should be examined and the appropriate actions taken documented. The documentation will assist in implementing corrective measures to the internal controls if necessary. Accounting anomalies are those unusual items associated with the accounting system. The anomalies would be with entries and with backup documents. By their nature, journal entries are to adjust unusual items that are outside of the normal day-to-day accounting system flow. Journal entries are a high-risk area as they allow for concealment of fraud activities. Manual journal entries should be reviewed with care and automated journal entries should be tested. Many accounting anomalies also fall under analytical anomalies. Analytical anomalies are anything that is out of the norm. Things falling outside of normal patterns or new patterns formed can be analytical anomalies. They are anything that is unusual. Examples include: Analytical anomalies may easily occur in business systems where they are not integrated. Unlike enterprise resource planning (ERP) systems where data entered in one module populates all the related modules, many organizations have business systems that do not communicate directly with each other. Extra care has to be taken where data from one system is manually transferred to the consolidation or other systems. Expect a high number of analytical anomalies. One must distinguish high-risk anomalies and low-risk anomalies. Eliminate from review those that normally would occur. Therefore, one must understand the business systems, understand the business, and also understand the industry. Knowledge of these will allow you to separate the normal and expected anomalies from those that have fraud potential. For internal auditors, it is expected that they would have a thorough knowledge of the workings of the business. For external auditors, forensic accountants, consultants, and investigators, they must make themselves familiar with the business entity and its industry. Standard audit steps such as the following must be employed. For detailed flow of business systems, Section 404 of the Sarbanes-Oxley Act enacted by the United States in 20022 (or its counterpart in other countries) is invaluable. In order to annually assess the effectiveness of its internal controls, management must document and evaluate controls that form part of the financial-reporting process. This report outlines in much detail the business systems. Flowcharts typically accompany the report, which would facilitate understanding the business flow. Not only should one have knowledge of the organization, but one should also be familiar with industry practices and with some of the organization’s competitors to establish a baseline or normal business practices. Another red flag area is tips and complaints about alleged frauds or of witnessing unusual events. Tips are investigated more vigorously than most other irregularities or anomalies. It is recognized that people are reluctant to provide tips of fraud or suspicion of fraud. They do not know for sure that the fraud is taking place. Most people shy away from squealing on people whom they associate with and know. They believe that informing on people is just plain wrong or that they are siding with management. There is also the fear of being found out that they informed and will be ostracized by other employees. There may be potential reprisals not only from the alleged perpetrator but also from the supervisor, who may not find the tip credible or may be involved in the fraud. Also many organizations do not have a whistleblowing or integrity hotline procedures in place to make it easy and anonymous for people to provide the tips. The 2012 ACFE Report to the Nations3
Fraud Detection
RECOGNIZING FRAUD