Gee Sunder

Fraud and Fraud Detection



the business and its practices and procedures helps to explain most anomalies.

      

TYPES OF FRAUD

In its 2012 Report to the Nations,[3] the Association of Certified Fraud Examiners (ACFE) outlines the three categories of occupational fraud and their subcategories, reproduced in Figure 1.1.

Figure 1.1 Occupational Fraud and Abuse Classification System

      Source: Association of Certified Fraud Examiners

      It was found that:

As in our previous studies, asset misappropriation schemes were by far the most common type of occupational fraud, comprising 87% of the cases reported to us; they were also the least costly form of fraud, with a median loss of $120,000. Financial statement fraud schemes made up just 8% of the cases in our study, but caused the greatest median loss at $1 million. Corruption schemes fell in the middle, occurring in just over one-third of reported cases and causing a median loss of $250,000.[4]

      Among the three major categories – corruption, asset misappropriation, and financial statement fraud – there are far more types of occupational fraud in the asset-misappropriation category. There are many known schemes and areas where fraud may occur. Thefts of cash on hand have been occurring ever since there was cash. With globalization and the availability of the Internet, newer and more innovative types of fraud are coming to light.

An example is the case study published on Verizon’s security blog under the title “Pro-Active Log Review Might Be a Good Idea.”[5] A U.S.-based corporation had asked Verizon to help it review virtual private network (VPN) logs that showed an employee logging in from China while he was sitting at his desk in the United States. Investigation revealed that the employee had outsourced his job to a Chinese consulting firm for a fraction of his earnings, and that he spent most of his day on personal matters on the Internet. The blog notes that the employee’s performance reviews showed that “he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building.”

Clearly there was no dispute about the quality of the work submitted, and he had met all deadlines. While the employee did misrepresent the work as his own, the company suffered no direct financial loss. Other than violating security policy by permitting unauthorized access to the network, at most the employee abused company resources by browsing the Internet for most of his workday.

      Would any of this have been an issue if the employee were a contractor who subcontracted his work out (assuming that there were no objections with the login procedures)?
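As an added example (not from the book or from the Verizon post), the following Python script performs the kind of proactive log review the case describes, over constructed log lines: it flags a user whose VPN session from one country overlaps a badge or VPN session the same user still holds from another country. The log format, user names, countries and timestamps are assumptions.

```python
from datetime import datetime

# Constructed sample log (assumption: one event per line in the form
# "<ISO timestamp> <source> user=<id> country=<CC> event=<login|logout>").
SAMPLE_LOG = """\
2012-11-05T08:02:11 badge user=bob country=US event=login
2012-11-05T08:15:40 vpn user=bob country=CN event=login
2012-11-05T09:00:03 vpn user=alice country=US event=login
2012-11-05T12:30:00 vpn user=alice country=US event=logout
2012-11-05T17:10:22 vpn user=bob country=CN event=logout
2012-11-05T17:30:00 badge user=bob country=US event=logout
"""

def parse_log(text):
    """Turn the log text into (timestamp, source, user, country, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append((datetime.fromisoformat(ts), source, fields["user"],
                       fields["country"], fields["event"]))
    return events

def find_concurrent_geo_sessions(events):
    """Flag a login whose country differs from a session the same user still holds."""
    active = {}      # user -> {(source, country): login time}
    findings = []
    for ts, source, user, country, event in sorted(events):
        sessions = active.setdefault(user, {})
        if event == "login":
            for (held_src, held_cc), since in sessions.items():
                if held_cc != country:
                    findings.append({
                        "user": user, "at": ts.isoformat(),
                        "new": f"{source}/{country}",
                        "existing": f"{held_src}/{held_cc}",
                        "existing_since": since.isoformat(),
                    })
            sessions[(source, country)] = ts
        else:
            sessions.pop((source, country), None)   # logout closes that session
    return findings

if __name__ == "__main__":
    for f in find_concurrent_geo_sessions(parse_log(SAMPLE_LOG)):
        print(f"{f['user']}: {f['new']} login at {f['at']} while "
              f"{f['existing']} session open since {f['existing_since']}")
```

On the constructed log only bob is flagged: his VPN login from CN lands while his US badge session is still open, which is exactly the anomaly that prompted the review.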

      

ASSESS THE RISK OF FRAUD

It is not possible to eliminate fraud risk in any given area other than by avoiding that area altogether. A company may choose not to deal with a particular vendor or purchaser. It may choose not to acquire assets that need a high level of protection, or not to expand or do business in an unstable country. Alternatively, it may select an exit strategy if the risk is found to be too great. Avoidance is itself the outcome of a formal or informal risk assessment: a risk analysis was considered and found that the cost outweighs the benefits.

      Some risks will be assumed without additional control features being implemented, since the cost of implementation would be higher than the expected loss. For example, banks issuing credit cards may be able to reduce fraudulent charges if they implement new high-tech security measures, but the cost in terms of dollars or customer inconvenience would be higher than the cost of fraudulent transactions. Fraud is a cost of doing business and it needs a cost-to-benefit or return-on-investment analysis. The risk assessment aids in the determination of the level of controls to implement while balancing acceptable risk tolerance against costs of reducing the risk.

Risk = Impact × Probability (threats and vulnerabilities)

In most cases, the company will seek to mitigate the risks by implementing controls. These could be preventive, monitoring, or detective controls. Risk can also be mitigated by purchasing insurance or, in the case of certain employees, by requiring them to be bonded.

It may be determined that the costs exceed the benefits of preventing fraud in a particular area. However, investing in measures to detect rather than prevent the fraud may still be acceptable, given their lower cost and the likelihood of high losses. Detective measures must therefore also be factored into any risk assessment.

      The decision on how far to go will depend on the risk assessment and the reason for performing the risk assessment. It is a management decision as to what level to take the response to the risk of fraud. The decision will be primarily based on why the fraud risk assessment was undertaken in the first place. Was it due to audit or regulatory requirements? Was it management’s desire to evaluate the internal control system? Was it to reduce the cost for fraud?

      A risk assessment will identify potential areas of fraud, whether internal or external, directly or indirectly, and how vulnerable or how likely the threat is to occur. Factors that determine the probability component include:

      • The industry or nature of the business

      • The values and ethics of senior management and employees

      • Internal controls – preventive and detective

      • Business environment – local versus multinational, small versus large, brick-and-mortar versus Internet, geographic location, economic conditions

• Likelihood

  • Industry trends
  • History
  • Resources
  • Internal control
  • Complexity
  • Volume
  • Standards
  • Whistleblower
  • Complaints
  • Moral

• Impact

  • Value
  • Maximum exposure

      Other issues that must be considered when performing a risk assessment include the possibility of adverse publicity resulting in a loss of consumer confidence, potential lawsuits, violating laws, and the overall impairment to carrying on normal business.

Appendix D of Managing the Business Risk of Fraud[6] is an excellent example of a fraud-risk assessment framework for revenue recognition risk that can be used as a template for any organization. It can also be modified to encompass any type of risk.

      The template lists various fraud risks and schemes and then associates the following with each of the schemes:

      • Likelihood of occurrence

      • Significance to the organization

      • People and/or department subject to the risk

      • Existing antifraud internal controls

      • Assessment of internal control effectiveness

      • Residual risks

      • Fraud-risk response
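As an added example (not the Appendix D template itself, nor code from the book), this Python risk register applies the chapter's Risk = Impact × Probability formula to the template's fields, derives residual risk from the assessed effectiveness of existing controls, and uses the cost-to-benefit comparison from the risk assessment discussion to pick a response. The 1 to 5 scales, the tolerance threshold, the schemes and the dollar figures are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class FraudRisk:
    """One row of the register; the scales below are illustrative assumptions."""
    scheme: str
    department: str               # people and/or department subject to the risk
    likelihood: int               # 1 (remote) .. 5 (almost certain): the Probability term
    significance: int             # 1 (immaterial) .. 5 (severe): the Impact term
    controls: str                 # existing antifraud internal controls
    control_effectiveness: float  # 0.0 (ineffective) .. 1.0 (fully effective)
    expected_loss: float          # constructed estimate of annual loss, in dollars
    control_cost: float           # annual cost of the proposed additional preventive control

    def inherent_risk(self):
        # Risk = Impact x Probability, before any credit for existing controls
        return self.significance * self.likelihood

    def residual_risk(self):
        # Residual risk is the share of inherent risk the existing controls do not remove
        return self.inherent_risk() * (1 - self.control_effectiveness)

def plan_response(risk, tolerance):
    """Accept within tolerance; otherwise weigh the control's cost against the expected loss."""
    if risk.residual_risk() <= tolerance:
        return "accept"
    if risk.control_cost > risk.expected_loss:
        return "detect"     # prevention costs more than the loss it averts; invest in detection instead
    return "mitigate"       # implement the preventive control

def build_register(risks, tolerance=6):
    """Rank schemes by residual risk so effort goes where it has the largest effect."""
    rows = [{"scheme": r.scheme, "department": r.department,
             "inherent": r.inherent_risk(), "residual": r.residual_risk(),
             "response": plan_response(r, tolerance)} for r in risks]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)

# Constructed register in the shape of the Appendix D template (all values are assumptions)
REGISTER = [
    FraudRisk("Fictitious sales booked before period end", "Revenue / Finance", 3, 5,
              "Quarterly cut-off review", 0.4, 300_000, 80_000),
    FraudRisk("Skimming of cash receipts", "Retail stores", 4, 2,
              "Daily till reconciliation", 0.75, 15_000, 40_000),
    FraudRisk("Vendor kickbacks", "Procurement", 3, 4,
              "None documented", 0.0, 60_000, 90_000),
]
```

With these inputs the kickback scheme ranks first (no existing control, so residual equals inherent risk) but gets a detective response because the proposed control costs more than the expected loss, while the fictitious-sales scheme is mitigated and skimming is accepted.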

      

CONCLUSION

      Understanding what fraud is and the types of frauds allows us to focus on occupational fraud in this book. Being able to assess fraud risk provides us with priorities as to where to invest time and resources to have the largest impact in detecting and reducing incidents of fraud.

      CHAPTER 2

      Fraud Detection

      OCCUPATIONAL