By Christ Milienu and Ann M. Butera
Given the current economic climate, it is not surprising that the potential for fraud has increased. Of the 507 Certified Fraud Examiners who responded to a 2009 Association of Certified Fraud Examiners survey, more than half indicated that the number of frauds has increased during the past year. Additionally, 49 percent observed an increase in the dollar amount lost to fraud during the same period. Unsurprisingly, a report issued by the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) indicates mortgage fraud has reached an all-time high with more than 64,000 reported incidents in 2008.
Despite these findings, not all organizations are stepping up their fraud assessments and risk management efforts. While it is true that whistleblowers identify most frauds, internal audit departments can still play a vital role in increasing enterprise-wide anti-fraud awareness and practices.
Following are some specific actions you can take as an internal auditor:
1. Create a separate category within audit planning work papers to document significant potential fraud risks and controls associated with the area under review. The description of the fraud risk should include how it could occur, in a scenario that would have a meaningful negative impact on the auditee.
2. Think about the ways perpetrators could benefit from a particular service or product and then imagine the conversion methods that they could or would need to use to gain reward. Be sure to consider potential frauds that could be committed internally by employees and externally by clients or vendors.
3. Review any process maps that have been prepared as part of the current or prior years’ audit planning package or Sarbanes-Oxley compliance efforts and use them to identify how fraud could occur within each process.
4. Create process maps that outline how fraud could happen and identify the controls within the process that are essential to detect or prevent fraud from occurring.
5. Convene brainstorming meetings with clients to discuss an area’s potential fraud risk exposures. Evaluate management’s fraud awareness by asking them to articulate the primary fraud risks in their business; identify the primary controls established to mitigate these risks; and describe the primary monitoring mechanisms used to track the effectiveness of these controls.
6. Review operational controls designed for ensuring transactional accuracy or the elimination of unintended error with a much more stringent and critical focus when attempting to ascertain their effectiveness in preventing or detecting fraud. A fraudster can easily forge a reviewer’s signoff and compromise the effectiveness of manual controls that rely on the integrity of the person originating the transaction to submit it for authentication.
7. Document and evaluate the segregation of duties structure within the area under review as this is an essential component of an effective system of anti-fraud measures. Consider whether fraudsters could override the segregation by creating the illusion of another employee performing their job functions.
8. Look for automated system controls that enforce effective segregation by using unique and confidential authorization, because they are always superior to manual controls that attempt to segregate job duties. Monitoring-level controls, such as a review of maintenance journals or system logs of activity, can also be effective at deterring fraud if they:
- Focus on identifying suspicious or unusual activity at both an individual and a collective level.
- Apply to a sufficient percentage of the population of transactions.
- Occur at a timely point in the process.
- Have effective escalation and reporting protocols to ensure the appropriate disposition of unusual items.
9. Establish procedures that help to ensure the authenticity and integrity of information provided by clients. For example, you may want to recommend that credit and lending departments take the following steps to help avoid losses caused by misrepresentation of income, assets and/or debt and forged or fraudulent documents:
- Request verification of employment directly from the borrower’s reported employer(s);
- Request verification of deposit directly from the borrower’s reported financial institution(s);
- Request tax history directly from the IRS using Form 4506 or 4506-T (two-year history for self-employed borrowers);
- Secure current credit scores from a third-party credit-reporting agency.
10. Determine the residual fraud risk for each scenario identified as a potential exposure. This risk ranking should reflect the level of potential materiality and estimated likelihood for each fraud scenario on an individual basis and, where appropriate, a collective basis. The ranking should include an analysis of the effectiveness of each anti-fraud control based on the nature of the control (preventive or detective) and the estimated length of time it would take for detection to occur.
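The log review described in items 7 and 8 can be sketched as follows. This is an added example, not part of the original article: the log layout, the login names, the two-day review window and the repeated-pair threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a transaction activity log (not real data).
# Fields: transaction id, originator login, approver login, submitted, approved.
LOG = [
    ("T1", "alice", "bob",   "2024-03-01T09:00", "2024-03-01T09:40"),
    ("T2", "carol", "carol", "2024-03-01T10:00", "2024-03-01T10:01"),
    ("T3", "alice", "bob",   "2024-03-02T11:00", "2024-03-02T11:30"),
    ("T4", "dave",  "erin",  "2024-03-02T12:00", "2024-03-09T12:00"),
    ("T5", "alice", "bob",   "2024-03-03T08:00", "2024-03-03T08:05"),
]

def review_log(log, pair_threshold=3, max_delay=timedelta(days=2)):
    """Return (item, reason) findings that should be escalated for disposition."""
    findings = []
    pairs = defaultdict(list)
    for txn, originator, approver, submitted, approved in log:
        # Individual level: the same login both originated and approved.
        if originator == approver:
            findings.append((txn, "self-approval"))
        # Timeliness: a review that happens long after submission detects late.
        delay = datetime.fromisoformat(approved) - datetime.fromisoformat(submitted)
        if delay > max_delay:
            findings.append((txn, "late-review"))
        pairs[(originator, approver)].append(txn)
    # Collective level: an originator whose items keep going to one approver
    # (assumed heuristic; a hit is a prompt for review, not proof of collusion).
    for (originator, approver), txns in sorted(pairs.items()):
        if originator != approver and len(txns) >= pair_threshold:
            findings.append((f"{originator}->{approver}", "repeated-pair"))
    return findings

def coverage(log, reviewed_ids):
    """Share of logged transactions that the monitoring review examined."""
    logged = {row[0] for row in log}
    return len(logged & set(reviewed_ids)) / len(logged)

if __name__ == "__main__":
    for item, reason in review_log(LOG):
        print(item, reason)
    print("coverage:", coverage(LOG, ["T1", "T2"]))
```

The `coverage` figure speaks to the "sufficient percentage of the population" criterion: a review that examines only two of the five logged transactions covers 40 percent of them.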
Internal auditors should use their risk assessment expertise to clearly define and report on the level of significant potential fraud risk exposures that management believes are acceptable to conduct business. This assessment should also include any recommendations for improving controls that could reduce the level of fraud risk exposure. While internal auditors cannot always prevent fraud, their actions can contribute to an organizational culture that is more aware, alert, and prepared to detect fraud. Remember to think like a criminal, and always ask if management’s fraud-deterring controls can be avoided, compromised or eliminated in order to perpetrate a crime.
About the Authors
Christ Milienu is Vice President, Internal Audit Manager for Old National Bank in Evansville, Indiana. Milienu specializes in audit theory, risk assessment, project management, team building and staff development.
Ann M. Butera, MBA, CRP, President of The Whole Person Project, Inc., an organizational development consulting and training firm, is a frequent conference speaker, and serves on the audit committee for a financial services firm. Butera welcomes your reactions and questions, and can be reached at firstname.lastname@example.org or 516-354-3551.