Big Data is becoming a resource in the fraud fighter’s arsenal as more companies are using data analytic software to look for anomalous patterns in internal data. This method has helped some companies monitor more data sources, cutting the time for detection and reducing the costs of fraud.
A recent post by Peter Goldmann of ACFE reports on the rate of adoption of data analytic technology, finding that the largest group is companies that have no data analysis program at all (almost 30%; see the bar graph). …
Yet more evidence of the prevalence of financial fraud against organizations has emerged from a recent poll by Kyriba. The poll found that almost 80% of organizations had been victims of fraud. The very high proportion of victims is startling in itself, but it is consistent with information we have presented in previous posts that organizational fraud is a global problem, costing 5% of top line revenue annually.
Almost 30% of the respondents to the Kyriba poll reported suffering financial losses, but we think this is a conservative number in this context. Organizational fraud is a hidden crime that sometimes is difficult to detect, even long after the fact. When organizations do detect fraud, they may have incentives to minimize publicity about the crime, so underreporting is probable.
The poll includes some indications that the fraud was even more costly than reported. 5.6% of respondents reported that they had been targets of fraud but did not know if they had suffered losses, while almost 14% did not even know if they had been targets or not. In fact, a little less than 8% reported that they knew they had not been victims, and it’s a good bet that a few of these simply hadn’t found out yet. …
The Office of the Comptroller of the Currency (OCC) is focused on the responsibility of financial institutions (national banks and Federal savings associations) for the risk management of business operations, whether they are performed internally or through third party vendors.
CIT companies are clearly included in this mandate.
The OCC recognizes that the growing interconnectedness of banks with third party cash management service providers has created new sources of risk due to gaps or inconsistencies of controls that can occur where distinct businesses interface. In everyday terms, this means there can be situations where “no one is in charge.”
Since the OCC is responsible for the security of the overall financial system, it is moving to make banks accountable for the gaps and inconsistencies between them and third party vendors that may pose risk to the system.
This creates specific kinds of difficulties for banks because they can be held accountable for the actions of organizations they do not own. Banks and their third party vendors, including CIT businesses, have different regulatory, standard practice, and incentive profiles, as well as different cultures and assumptions. It will take especially thorough due diligence to write contracts that lay out the important responsibilities and performance expectations for the different parties to get all the entities on the same page.
In these circumstances, monitoring performance takes on greater importance. There is a substantial possibility that unanticipated gaps or inconsistencies will emerge despite careful risk management planning. Banks have a strong incentive to measure performance and find irregularities as quickly as possible. …
The short answer is that it is much too easy if basic controls are missing.
Cincinnati.com summarizes the missing controls in the case of Covington, Kentucky’s former Finance Director Bob Due in the lead paragraph of the story:
The city of Covington gave complete control over millions of taxpayers’ dollars to one man for more than a decade – an “inexcusable” error that resulted in nearly $800,000 embezzled, the Kentucky auditor said.
This is a classic story about an opportunist who defrauded his employer of almost a million dollars, yet avoided detection for years until he made a mistake in the summer of 2013. All of this loss could have been prevented with standard controls.
Going Solo
For 13 years, Bob Due was able to take money from the city right under the noses of four different mayors and four city managers. All told, he wrote 68 checks to himself, relatives, or fake vendors. In the aftermath, the audit revealed a slew of red flags that should have signaled danger:
Mr. Due was the IT system administrator with control of financial software, with no oversight.
General IT security was inadequate, with Due as system administrator.
Payables procedures were lax, such as the lack of a check register to compare beginning and ending check numbers.
The Finance Department had no written policies for revenue and collection.
The city did not have a credit card policy or track issued cards.
As Auditor Edelen put it, “What we have here is a breakdown in oversight. Mr. Due did not have a boss.” …