
Building Processes To Detect Fraud

September 2007

Who in your organization is responsible for detecting fraud? This is the first question that needs to be asked when developing an internal process to discover vulnerable areas that are susceptible to fraudulent acts.

by Scott Langlinais
Langlinais Fraud and Audit Advisory Services

One fraud that would have been worth detecting early was perpetrated at Patterson Energy, where the former Chief Financial Officer Jonathan Nelson embezzled almost $78 million over 7 years. It began when Mr. Nelson gained access to the company checkbook and wrote checks to himself and to a fictitious vendor he created called Chisum Capital. He stamped the Chief Executive Officer's signature on some checks then altered accounting records so the transactions appeared legitimate. It snowballed from there as Mr. Nelson gained access to wire transfers and created new fictitious vendors. Twice he was able to wire $10 million to a personal bank account.

An Internal Approach to Fraud Detection

To detect fraud, managers and personnel must first understand the primary risks within their areas. If you manage a department and have no idea where to start, here is a good suggestion: What fraud could occur in your department that would get your company's name in the paper? List the perpetrator (by the position, not by name) and the fraud.

In the Patterson Energy example above, the risk might have been stated as follows: An accounting officer uses a fictitious vendor scheme to steal money. There are actually several risks that stem from the fraud (an accounting officer executes and settles large wire transfers without review; an employee executes, approves, and accounts for his own expenditures), but we will examine only the fictitious vendor risk to demonstrate the detective approach.

Identify Fraud Symptoms

For our stated risk, we must understand the symptoms of such a fraud. How would the fraud appear in the company's books and records? Continuing with our fictitious vendor example, we would have to consider the following symptoms.

  • A vendor (Chisum Capital) has the same address, tax ID, or contact phone number as an employee (Mr. Nelson).
  • Payments are made to a vendor without an approved purchase order.
  • Expenses are coded to a "black hole" account that nobody reviews.
  • Large transfers are made to a vendor for an even amount (such as the $10 million transfers made by Mr. Nelson to his personal account).
  • Expenditures to a single vendor are expanding rapidly and consistently over several quarters.

This is merely a short list of symptoms for a false vendor scheme, and we have only dealt with a single risk. When I coach managers and auditors on fraud detection within their areas, I am usually at a white board for 2 or 3 hours, listing several key risks with as many as 10 to 15 symptoms listed for each risk.

Let us digress for a moment to discuss the difference between symptoms of the fraud and control weaknesses. It appears that in the Patterson case, Mr. Nelson had access to liquid assets and the executive signature stamp. He also possessed the ability to post accounting transactions. This is a flaw in segregation of duties, which is a control weakness, but not a symptom of fraud. Also not listed: no one was apparently reviewing Mr. Nelson's transactions. This is also a control weakness, but not a symptom of fraud.

Weak controls increase the opportunity for someone to perpetrate fraud, but they themselves are not symptoms. Be careful not to list control weaknesses as symptoms of fraud when analyzing risks.

Build Detection Processes

Now that we have a risk and its symptoms fleshed out, we can begin to build processes to detect those symptoms. We can recruit several departments and several people within those departments to help the company detect a false vendor. For example:

  • Internal Audit performs computer-assisted audit techniques every quarter to extract vendors from the system with addresses, tax IDs, or contact numbers that match employees'.
  • Accounts payable pulls and reviews all checks cut without a purchase order.
  • External auditors perform extensive testing on nonstandard general ledger accounts receiving heavy activity.
  • Executives review in committee all payments over a million dollars.
  • A financial analyst who has no authorization to perform accounting entries and has no access to liquid assets traces accelerating expenditures to supporting documentation and seeks confirmation of receipt of goods or service.
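
As an added illustration (not part of the original article), the first three checks can be run as a computer-assisted audit test over exported vendor, employee, and payment records. The field names, the abbreviation map, the even-amount unit, and the sample records are assumptions constructed for this example; the $1 million threshold mirrors the executive review level mentioned above.

```python
import re

# Assumed abbreviation map so "St." and "Street", "Apt" and "Unit" compare equal.
ABBREV = {"st": "street", "rd": "road", "ave": "avenue", "apt": "unit", "suite": "unit"}

def norm(field, value):
    """Reduce a master-file field to a comparable key so formatting does not hide a match."""
    if field in ("phone", "tax_id"):
        digits = re.sub(r"\D", "", value or "")
        return digits[-10:] if field == "phone" else digits
    words = re.sub(r"[^a-z0-9 ]", " ", (value or "").lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def vendor_employee_matches(vendors, employees, fields=("address", "phone", "tax_id")):
    """Return (vendor_id, employee_id, field) for every attribute a vendor shares with an employee."""
    index = {}
    for e in employees:
        for f in fields:
            if norm(f, e.get(f)):  # skip blank fields so empty values never match
                index.setdefault((f, norm(f, e.get(f))), []).append(e["id"])
    return [(v["id"], emp, f) for v in vendors for f in fields
            for emp in index.get((f, norm(f, v.get(f))), [])]

def payment_flags(payments, large=1_000_000, even_unit=100_000):
    """Flag payments with no purchase order and large transfers for an even amount."""
    flags = {}
    for p in payments:
        reasons = ["no_purchase_order"] if not p.get("po") else []
        if p["amount"] >= large and p["amount"] % even_unit == 0:
            reasons.append("large_even_amount")
        if reasons:
            flags[p["id"]] = reasons
    return flags

# Constructed sample records (made up for this example, not data from the article).
EMPLOYEES = [
    {"id": "E1", "address": "12 Oak St., Apt 4", "phone": "(555) 010-2000", "tax_id": "123-45-6789"},
    {"id": "E2", "address": "88 Pine Road", "phone": "555-010-3000", "tax_id": "987-65-4321"},
]
VENDORS = [
    {"id": "V1", "address": "12 OAK STREET UNIT 4", "phone": "+1 555 010 2000", "tax_id": "11-2223333"},
    {"id": "V2", "address": "400 Harbor Ave", "phone": "555-010-9999", "tax_id": "44-5556666"},
]
PAYMENTS = [
    {"id": "P1", "vendor": "V1", "amount": 10_000_000, "po": None},
    {"id": "P2", "vendor": "V2", "amount": 18_432.17, "po": "PO-7781"},
    {"id": "P3", "vendor": "V2", "amount": 2_500.00, "po": ""},
]
if __name__ == "__main__":
    print(vendor_employee_matches(VENDORS, EMPLOYEES), payment_flags(PAYMENTS))
```

A hit from either function is a symptom to follow up with supporting documentation, not proof of fraud; the normalization step matters because a vendor record rarely repeats an employee's address or phone number character for character.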

These are just some examples of controls that a company might build into its organization, and though some of these controls might not work for your company, the beauty of this fraud detection process is that your lists of risks, symptoms, and detective controls are limited only by the creativity of the people participating. The controls your company designs will vary based on the company's overall appetite for risk, the will of the executives to detect fraud, the politics, commitment of the employees, and the resources available.

Follow-up and Communication of Symptoms

The final step in the fraud detection process is to follow up on all symptoms observed. Once your detective controls are in place, managers and staff must understand their role within the control environment. If anyone identifies a symptom of fraud, then they must follow up on it. This means that the person who stumbled across the symptom first seeks supporting documentation for the transaction—missing or incomplete documentation is the number one symptom of fraud. If there is no documentation, existing documentation is inadequate, or something still smells funny about the transaction, then it is time to go into investigative mode, but not necessarily by the person who discovered the symptom.

Your company's fraud policy, code of ethics, or intranet should have a clear indication of which department is responsible for investigating fraud. It should also be clear to everyone that managers and staff do not investigate their own frauds; a botched investigation or cover-up has the potential to cause far more damage to an organization than the actual fraud, but at a minimum will severely aggravate the situation. The person who detected the symptom may follow up on the symptom to the point where they suspect wrongdoing, but at that point, the investigation must be turned over to designated, trained personnel either in internal audit, security, or a special investigative unit.

In addition to a clear assignment of responsibility for investigating fraud, your company should promote the methods of communication for wrongdoing. In response to Sarbanes-Oxley, companies were required to maintain an ethics hotline for reporting wrongdoing, but companies that are serious about combating unethical behavior maintain redundant lines of communication in case one of the pathways is blocked, monitored poorly, or monitored by someone suspected of being involved in the fraud.

In our Patterson example, it would have done no good for an employee of the CFO to report to him their concern about the $10 million wire transfers, so there must be another pathway available. In addition to the hotline, most public companies have some form of internal audit department that should have protection and regular open communication with the board. Executives can also foster an open-door policy. There should always be a way for personnel concerns to be voiced to the legal or human resources department.

Responsibility for Fraud Detection

Back to the original question: Who in your organization is responsible for detecting fraud? Hopefully the answer became somewhat clear as you were reading. You are. And so is everyone else around you. Who better than an accounts payable clerk to see an expense report cross their desk with photocopied receipts on it? Who better than an accountant reconciling a bank account to see that undocumented transfers out of the account are growing at an alarming rate? Who better than a construction manager to see that a contractor working on a new corporate headquarters is billing your company for work performed by Rusty the company mutt?

If you are a company executive or manager, then it is up to you to communicate to your subordinates that fraud detection is their responsibility, and it would not hurt to emphasize where the communication channels reside to report wrongdoing. Assemble a meeting of some of your staff, for at least an hour but up to a half or full day if necessary, to brainstorm the risks in your area. Ask everyone how people could steal money, cook the books, or violate regulations in your area, and write down all the risks. Invite to your meeting all different levels of employees from different educational and experience backgrounds, at least one accountant and auditor, and certainly include the "old salts" from operations who have been around long enough to have seen or at least heard about many frauds.

Once the risks are listed, select the most concerning ones and determine what those risks would look like in the books and records. From there you can check your processes to evaluate whether they enable your departmental staff to detect the symptoms; if not, then it is time to implement new processes.

Regardless of whether or not the processes are already in place, the final act of the meeting will be to emphasize to all employees that it is their responsibility to detect fraud in their area, and once it is suspected, to communicate it through the proper channels. Hold this type of meeting once or twice a year to revisit the risks and analyze your processes, and you will build a set of controls that make your organization or department hostile toward fraud.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

© 2000-2009 International Risk Management Institute, Inc. (IRMI). All rights reserved.