Читать книгу Fraud and Fraud Detection - Gee Sunder - Страница 9

We can only observe indicators, symptoms, or red flags of fraud. Once detected, they should be investigated to determine whether there is actual fraud. There will be large numbers of false positives in this area. Because of the volume, many of these are not given the attention that they deserve. For instance, after clearing a recognized symptom in a particular area, other red flags in the same area may be dismissed.

Red flags may be internal control irregularities, accounting anomalies, analytical anomalies, tips, and behavioral changes.

Business systems are in place to operate a business efficiently. Recording transactions is part of this process. Throughout the processes, there are controls to ensure that the business runs smoothly, safeguards assets, and has accurate recording and reporting. Fraud prevention, deterrence, and detection are objectives of internal controls. Internal control overrides or weaknesses contribute to the most common types of frauds and compromise the purpose of fraud prevention and deterrence. In some cases, there is a legitimate reason to circumvent an internal control. For instance, where there is a new situation not originally contemplated in the design of the control, employees deliberately look for ways to effectively do their job and carry on with the business process. These actions may or may not be formally sanctioned.

Good internal control includes:

• Separation of duties where collusion with someone else is needed to go around the controls.

• Physical safeguards of assets, including information in computer systems.

• Independent checks through monitoring and audits.

• Proper records and supporting documents to validate the transactions and to leave an adequate audit trail.

• Proper authorization for transactions, records, and other activities to ensure approvals and control independent authorization limits.

Detection techniques should be focused on any weaknesses in internal controls. Irregularities should be examined and the appropriate actions taken documented. The documentation will assist in implementing corrective measures to the internal controls if necessary.

Accounting anomalies are those unusual items associated with the accounting system. The anomalies would be with entries and with backup documents. By their nature, journal entries are to adjust unusual items that are outside of the normal day-to-day accounting system flow. Journal entries are a high-risk area as they allow for concealment of fraud activities. Manual journal entries should be reviewed with care and automated journal entries should be tested. Many accounting anomalies also fall under analytical anomalies.

Analytical anomalies are anything that is out of the norm. Things falling outside of normal patterns or new patterns formed can be analytical anomalies. They are anything that is unusual. Examples include:

• Outliers

• Inliers where they are not expected

• Too many or too few transactions

• Unexplained items

• Unusual relationships between items

• Unexpected timing of transactions or events

• Unusual accounts or account balances

• Inconsistencies

• Gaps or duplicates of item numbers

• Unexpected payment methods

• Unreasonable items

Analytical anomalies may easily occur in business systems where they are not integrated. Unlike enterprise resource planning (ERP) systems where data entered in one module populates all the related modules, many organizations have business systems that do not communicate directly with each other. Extra care has to be taken where data from one system is manually transferred to the consolidation or other systems.

Expect a high number of analytical anomalies. One must distinguish high-risk anomalies and low-risk anomalies. Eliminate from review those that normally would occur. Therefore, one must understand the business systems, understand the business, and also understand the industry. Knowledge of these will allow you to separate the normal and expected anomalies from those that have fraud potential.

For internal auditors, it is expected that they would have a thorough knowledge of the workings of the business. For external auditors, forensic accountants, consultants, and investigators, they must make themselves familiar with the business entity and its industry. Standard audit steps such as the following must be employed.

• Tour the business premises to obtain an overview of the business operations.

• Analyze financial statements, reports, and other relevant documents.

• Review the flow of accounting data and other information within the organization.

• Interview relevant employees from different areas and levels. Interviews with auditors, IT staff, and corporate security employees should also be included.

• Obtain the assistance of an experienced employee to assist and to answer questions. While an internal audit employee may be a logical choice to obtain aid, care should be taken that internal audit staff does not provide direct assistance to external auditors where prohibited. The Financial Reporting Council in the United Kingdom introduced this prohibition, effective for audits of financial statement periods ending on or after June 15, 2014.7

For detailed flow of business systems, Section 404 of the Sarbanes-Oxley Act enacted by the United States in 20028 (or its counterpart in other countries) is invaluable. In order to annually assess the effectiveness of its internal controls, management must document and evaluate controls that form part of the financial-reporting process. This report outlines in much detail the business systems. Flowcharts typically accompany the report, which would facilitate understanding the business flow. Not only should one have knowledge of the organization, but one should also be familiar with industry practices and with some of the organization’s competitors to establish a baseline or normal business practices.

Another red flag area is tips and complaints about alleged frauds or of witnessing unusual events. Tips are investigated more vigorously than most other irregularities or anomalies. It is recognized that people are reluctant to provide tips of fraud or suspicion of fraud. They do not know for sure that the fraud is taking place. Most people shy away from squealing on people whom they associate with and know. They believe that informing on people is just plain wrong or that they are siding with management. There is also the fear of being found out that they informed and will be ostracized by other employees. There may be potential reprisals not only from the alleged perpetrator but also from the supervisor, who may not find the tip credible or may be involved in the fraud. Also many organizations do not have a whistleblowing or integrity hotline procedures in place to make it easy and anonymous for people to provide the tips. The 2012 ACFE Report to the Nations9 shows tips as the most common way fraud was initially detected in occupational fraud at 43.3 percent. This is an increase over the 2010 report of 40.2 percent. With whistleblowing legislation in place and organizations implementing tools to facilitate this process for people, the volume of tips will hopefully increase.

Employees are in the best place to witness and detect fraud. They are the best source for information. However, it should be recognized that some tips are provided with malicious intent. The allegations may be false and the tips provided to make trouble for the alleged perpetrator. A tip should be recognized as merely a red flag or fraud symptom and require investigation like any other symptom. An open mind and professional skepticism are needed.

Behavioral and lifestyle changes are another area where employees are best positioned to observe these anomalies. Auditors would likely have no base to compare changes to as they do not know the employee, whereas coworkers see and interact with other employees on a day-to-day basis. Lifestyle changes would be obvious to coworkers. While observed assets can be easily explained away by way of lottery winnings, inheritance, or disposition of investments, the explanation can be just as easily verified.

Similarly, behavioral changes – whether detrimental or good – are best noticed by other staff members. Perpetrating fraud is a stressful action that involves a fear of being caught. The stress triggers unusual behaviour that should be looked into by the organization. This may be out of concern for the employee’s physical and mental health, as well as to determine whether it impairs the organization in its day-to-day operation. The employee may be dealing with personal issues that are causing changes in behavior. This proactive approach is beneficial to the employee and may reduce one of the pressures contributing to committing fraud.