As an experienced corporate investigator, having investigated hundreds of various types of fraud cases, it’s really not hard to come to the conclusion that where there is smoke there is usually fire, and oftentimes in more than one place. When a client or an individual is alerted to suspicious behavior by an employee/contractor, the investigation generally must focus on the specific allegations. However, it is also important to use the initial investigation opportunity to open a broader review into the suspect for two main reasons:
- To look for motivating factors (a motive); and
- To determine whether he/she may be committing fraud or deviant behavior in other areas not specific to the case. After all, if the individual is involved in some form of fraud or deviant behavior that we are aware of, it is highly probable this extends to other areas as well.
According to the widely accepted Fraud Triangle model developed by Donald Cressey, “…individuals are motivated to commit fraud when three elements come together: 1) some kind of perceived pressure, 2) some perceived opportunity, and 3) some way to rationalize the fraud as not being inconsistent with one’s values.” One of the reasons for opening a broader investigation and not just focusing on the specific allegations is to look for motivating factors or pressure(s) the person may be under that might drive him/her to commit the fraud. People often say “I would never do that” but when faced with varying degrees of perceived pressure, it is difficult to determine the lengths people will actually go to in committing fraud.
In general, compliance is conforming to particular expectations, standards, or behaviors, whereas risk is an exposure to potential loss or injury. When we think of compliance in the security arena, it often means that you are following prescribed standards, which could be regulatory, industry best practices, or standards that are otherwise customized or company specific.
While compliance and risk often follow the same path, a compliance audit or survey is often performed with a one-size-fits-all “compliance only” approach, as opposed to one that requires more complex reasoning.
Some may question the rationale of compliance if risk is not a constant consideration. Lack of experience, industry knowledge, or even simply lack of time can hinder the ability to take a more risk-based direction. After all, taking a compliance-only approach simplifies the security audit process by allowing for uniform application, reduced subjectivity and error in assessment, and strong performance metrics capability.
Is the added complexity of a risk-based approach worth the effort?
Preventing organizational fraud demands systematic planning and implementation. This entire process, from inception and assessment to performance evaluation is complex, even in smaller organizations. Yet, the payoff for the effort can be huge.
In this post, we offer an overview of the elements of a fraud prevention program that would be useful in any organization. Summarized from Managing the Business Risk of Fraud: A Practical Guide, produced by a consortium of associations, the guidelines point to specific steps managers can take to implement an effective fraud prevention program.
Occupational fraud is a huge drain on organizations’ resources, costing an estimated global loss of $3.7 trillion annually. And according to the Association of Certified Fraud Examiners’ (ACFE) 2014 study, just 14% of defrauded organizations are able to fully recover their losses.
Fraud is a very real threat to the bottom line of almost every organization in our economy. But it can be prevented, or at least mitigated.
There are 3 steps in setting up a fraud prevention program in your organization:
- Understand what fraud is and how it is likely to emerge.
- Identify potential sources of fraud in your organization.
- Take steps to prevent fraud through processes or controls.
Ultimately, a healthy anti-fraud corporate culture that permeates from the top down will make your organization more crime resistant. This will take time to nurture, and it will take continuous effort to sustain, but in the end you can make occupational fraud an extinct disease in your workplace.
The short answer is that it is much too easy if basic controls are missing.
Cincinnati.com summarizes the missing controls in the case of Covington, Kentucky’s former Finance Director Bob Due in the lead paragraph of the story:
The city of Covington gave complete control over millions of taxpayers’ dollars to one man for more than a decade – an “inexcusable” error that resulted in nearly $800,000 embezzled, the Kentucky auditor said.
This is a classic story about an opportunist who defrauded his employer of almost a million dollars, yet avoided detection for years until he made a mistake in the summer of 2013. All of this loss could have been prevented with standard controls.
For 13 years, Bob Due was able to take money from the city right under the noses of four different mayors and four city managers. All told, he wrote 68 checks to himself, relatives, or fake vendors. In the aftermath, the audit revealed a slew of red flags that should have signaled danger:
- Mr. Due was the IT system administrator with control of financial software, with no oversight.
- General IT security was inadequate, with Due as system administrator.
- Payables procedures were lax, such as the lack of a check register to compare beginning and ending check numbers.
- The Finance Department had no written policies for revenue and collection.
- The city did not have a credit card policy or track issued cards.
As Auditor Edelen put it, “What we have here is a breakdown in oversight. Mr. Due did not have a boss.”