Who in your organization is responsible for detecting fraud? This is the first question that needs to be asked when developing an internal process to discover vulnerable areas that are susceptible to fraudulent acts.
One fraud that would have been worth detecting early was perpetrated at Patterson Energy, where the former Chief Financial Officer Jonathan Nelson embezzled almost $78 million over 7 years. It began when Mr. Nelson gained access to the company checkbook and wrote checks to himself and to a fictitious vendor he created called Chisum Capital. He stamped the Chief Executive Officer's signature on some checks then altered accounting records so the transactions appeared legitimate. It snowballed from there as Mr. Nelson gained access to wire transfers and created new fictitious vendors. Twice he was able to wire $10 million to a personal bank account.
An Internal Approach to Fraud Detection
To detect fraud, managers and personnel must first understand the primary risks within their areas. If you manage a department and have no idea where to start, here is a good suggestion: What fraud could occur in your department that would get your company's name in the paper? List the perpetrator (by the position, not by name) and the fraud.
In the Patterson Energy example above, the risk might have been stated as follows: An accounting officer uses a fictitious vendor scheme to steal money. There are actually several risks that stem from the fraud (an accounting officer executes and settles large wire transfers without review; an employee executes, approves, and accounts for his own expenditures), but we will examine only the fictitious vendor risk to demonstrate the detective approach.
Identify Fraud Symptoms
For our stated risk, we must understand the symptoms of such a fraud. How would the fraud appear in the company's books and records? Continuing with our fictitious vendor example, we would have to consider the following symptoms.
- A vendor (Chisum Capital) has the same address, tax ID, or contact phone number as an employee (Mr. Nelson).
- Payments are made to a vendor without an approved purchase order.
- Expenses are coded to a "black hole" account that nobody reviews.
- Large transfers are made to a vendor for an even amount (such as the $10 million transfers made by Mr. Nelson to his personal account).
- Expenditures to a single vendor are expanding rapidly and consistently over several quarters.
This is merely a short list of symptoms for a false vendor scheme, and we have only dealt with a single risk. When I coach managers and auditors on fraud detection within their areas, I am usually at a white board for 2 or 3 hours, listing several key risks with as many as 10 to 15 symptoms listed for each risk.
Let us digress for a moment to discuss the difference between symptoms of the fraud and control weaknesses. It appears that in the Patterson case, Mr. Nelson had access to liquid assets and the executive signature stamp. He also possessed the ability to post accounting transactions. This is a flaw in segregation of duties, which is a control weakness, but not a symptom of fraud. Also not listed: no one was apparently reviewing Mr. Nelson's transactions. This is also a control weakness, but not a symptom of fraud.
Weak controls increase the opportunity for someone to perpetrate fraud, but they themselves are not symptoms. Be careful not to list control weaknesses as symptoms of fraud when analyzing risks.
Build Detection Processes
Now that we have a risk and its symptoms fleshed out, we can begin to build processes to detect those symptoms. We can recruit several departments and several people within those departments to help the company detect a false vendor. For example:
- Internal Audit performs computer-assisted audit techniques every quarter to extract vendors from the system with addresses, tax IDs, or contact numbers that match those of employees.
- Accounts payable pulls and reviews all checks cut without a purchase order.
- External auditors perform extensive testing on nonstandard general ledger accounts receiving heavy activity.
- Executives review in committee all payments over a million dollars.
- A financial analyst who has no authorization to perform accounting entries and has no access to liquid assets traces accelerating expenditures to supporting documentation and seeks confirmation of receipt of goods or service.
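The symptom checks above can be expressed as a quarterly extract. The following is an added example, not part of the original article: all records are constructed, and the field names, the $1 million "large" threshold, and the three-quarter growth window are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records; every name, number and threshold is illustrative.
EMPLOYEES = [
    {"id": "E1", "address": "12 Oak St., Suite 4", "tax_id": "111-22-3333", "phone": "(555) 010-2000"},
    {"id": "E2", "address": "9 Elm Ave", "tax_id": "444-55-6666", "phone": "555-010-3000"},
]
VENDORS = [
    {"id": "V1", "address": "12 OAK ST SUITE 4", "tax_id": "98-7654321", "phone": "555-010-9999"},
    {"id": "V2", "address": "400 Industrial Pkwy", "tax_id": "12-3456789", "phone": "555-010-4000"},
]
# (vendor id, quarter, amount in dollars, approved purchase order or None)
PAYMENTS = [
    ("V1", "2023Q1", 40_000, None), ("V1", "2023Q2", 95_000, None),
    ("V1", "2023Q3", 250_000, None), ("V1", "2023Q4", 10_000_000, None),
    ("V2", "2023Q1", 18_250, "PO-1"), ("V2", "2023Q2", 17_900, "PO-2"),
    ("V2", "2023Q3", 18_400, "PO-3"), ("V2", "2023Q4", 18_100, "PO-4"),
]

def norm(value):
    """Lowercase and drop punctuation/spacing so formatting cannot hide a match."""
    return re.sub(r"[^a-z0-9]", "", value.lower())

def vendor_employee_matches(vendors, employees):
    """Return (vendor, employee, shared fields) for every overlapping identity field."""
    hits = []
    for v in vendors:
        for e in employees:
            shared = [f for f in ("address", "tax_id", "phone") if norm(v[f]) == norm(e[f])]
            if shared:
                hits.append((v["id"], e["id"], shared))
    return hits

def payment_symptoms(payments, large=1_000_000, min_quarters=3):
    """Flag vendors paid without a PO, paid large even amounts, or growing every quarter."""
    flags, by_vendor = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for vendor, quarter, amount, po in payments:
        by_vendor[vendor][quarter] += amount
        if po is None:
            flags[vendor].add("no_purchase_order")
        if amount >= large and amount % 100_000 == 0:
            flags[vendor].add("large_even_amount")
    for vendor, quarters in by_vendor.items():
        totals = [quarters[q] for q in sorted(quarters)]
        if len(totals) >= min_quarters and all(a < b for a, b in zip(totals, totals[1:])):
            flags[vendor].add("spend_growing_every_quarter")
    return {v: sorted(f) for v, f in flags.items()}
```

A flag here is a symptom to follow up with supporting documentation, not a finding; legitimate vendors can trip any single check.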
These are just some examples of controls that a company might build into its organization, and though some of these controls might not work for your company, the beauty of this fraud detection process is that your lists of risks, symptoms, and detective controls are limited only by the creativity of the people participating. The controls your company designs will vary based on the company's overall appetite for risk, the will of the executives to detect fraud, the politics, commitment of the employees, and the resources available.
Follow-up and Communication of Symptoms
The final step in the fraud detection process is to follow up on all symptoms observed. Once your detective controls are in place, managers and staff must understand their role within the control environment. If anyone identifies a symptom of fraud, then they must follow up on it. This means that the person who stumbled across the symptom first seeks supporting documentation for the transaction; missing or incomplete documentation is the number one symptom of fraud. If there is no documentation, existing documentation is inadequate, or something still smells funny about the transaction, then it is time to go into investigative mode, but not necessarily by the person who discovered the symptom.
Your company's fraud policy, code of ethics, or intranet should have a clear indication of which department is responsible for investigating fraud. It should also be clear to everyone that managers and staff do not investigate their own frauds; a botched investigation or cover-up has the potential to cause far more damage to an organization than the actual fraud, but at a minimum will severely aggravate the situation. The person who detected the symptom may follow up on the symptom to the point where they suspect wrongdoing, but at that point, the investigation must be turned over to designated, trained personnel either in internal audit, security, or a special investigative unit.
In addition to a clear assignment of responsibility for investigating fraud, your company should promote the methods of communication for wrongdoing. In response to Sarbanes-Oxley, companies were required to maintain an ethics hotline for reporting wrongdoing, but companies that are serious about combating unethical behavior maintain redundant lines of communication in case one of the pathways is blocked, monitored poorly, or monitored by someone suspected of being involved in the fraud.
In our Patterson example, it would have done no good for an employee of the CFO to report to him their concern about the $10 million wire transfers, so there must be another pathway available. In addition to the hotline, most public companies have some form of internal audit department that should have protection and regular open communication with the board. Executives can also foster an open-door policy. There should always be a way for personnel concerns to be voiced to the legal or human resources department.
Responsibility for Fraud Detection
Back to the original question: Who in your organization is responsible for detecting fraud? Hopefully the answer became somewhat clear as you were reading. You are. And so is everyone else around you. Who better than an accounts payable clerk to see an expense report cross their desk with photocopied receipts on it? Who better than an accountant reconciling a bank account to see that undocumented transfers out of the account are growing at an alarming rate? Who better than a construction manager to see that a contractor working on a new corporate headquarters is billing your company for work performed by Rusty the company mutt?
If you are a company executive or manager, then it is up to you to communicate to your subordinates that fraud detection is their responsibility, and it would not hurt to emphasize where the communication channels reside to report wrongdoing. Assemble a meeting of some of your staff, for at least an hour but up to a half or full day if necessary, to brainstorm the risks in your area. Ask everyone how people could steal money, cook the books, or violate regulations in your area, and write down all the risks. Invite to your meeting all different levels of employees from different educational and experience backgrounds, at least one accountant and auditor, and certainly include the "old salts" from operations who have been around long enough to have seen or at least heard about many frauds.
Once the risks are listed, select the most concerning ones and determine what those risks would look like in the books and records. From there you can check your processes to evaluate whether they enable your departmental staff to detect the symptoms; if not, then it is time to implement new processes.
Regardless of whether or not the processes are already in place, the final act of the meeting will be to emphasize to all employees that it is their responsibility to detect fraud in their area, and once it is suspected, to communicate it through the proper channels. Hold this type of meeting once or twice a year to revisit the risks and analyze your processes, and you will build a set of controls that make your organization or department hostile toward fraud.