Scott Langlinais | December 1, 2009
The "Five-Step Approach to Fraud Detection" is a strategy I use to detect fraud in any area, and a template I provide to company executives and managers when helping them establish control systems designed to detect fraud in their day-to-day operations. This is the first in a series of articles in which I will demonstrate how you can apply this strategy to your own environment.
Here is the Five-Step Approach:
Step one halts most people because if you have no idea what can go wrong in your area, the rest of the strategy collapses. This begins a series of articles in which I will walk through some very common and dangerous frauds that affect all organizations, regardless of industry, to help you understand how to apply the strategy to create an environment hostile toward fraud.
Whether I am performing a tactical review of an area or discussing fraud-prevention strategy with executives, I always begin with a "What Can Go Wrong" list, in which I list potential perpetrators and fraud acts. Considering the risk of employees using company money to fund personal expenditures, here is a list of what can go wrong:
Former CFO of Patterson-UTI Energy, Inc. admits to embezzling more than $77 million from employer … Between 1998 and 2000, [the CFO] forged approximately 38 checks, totaling approximately $4,639,750.00. Each check was made payable to [the CFO] or … an entity created and controlled by [the CFO]. 1
An Information Technology Director in charge of purchasing expensive network hardware established a shell company to stand between his employer and their legitimate network hardware vendor. The Director would make a legitimate purchase from the vendor, and the vendor would ship the product to the employer. However, the Director instructed the vendor to invoice his shell company, which would in turn mark-up the true cost of the hardware and invoice his employer for the higher amount. The employer thus paid $5 million extra for the products, which the Director kept and used for personal purchases.
In the latest setback for the corporate governance movement, Yale University's School of Management is quietly forcing out the prize-winning head of its International Institute for Corporate Governance … [The perpetrator] allegedly double-billed Yale for about $150,000 in business travel expenses since mid-2001. 2
Top Roslyn school officials and their friends and family siphoned off more than $11 million of district money … revolved around the abuse of district credit cards originally issued to [the perpetrators who] in turn handed out the cards to family and friends until 74 cards were circulating among 13 people. Between 1997 and last year, they charged $5.9 million for personal use. 3
Typically, my "What Can Go Wrong" documents for a particular area will list at least two or three dozen frauds stated in a single sentence or two. My lists typically do not elaborate the frauds to the extent you see above, but for our purposes here it was necessary for you to see some details about the frauds. For instance, I might state the first fraud above as follows: "The CFO forged checks made payable to himself or an entity controlled by him."
It is important to list both the perpetrator and the fraud act when you create your own exposure lists. Resist the urge to eliminate the perpetrator; their inclusion in your list brings the fraud to life and gives your list a sense of action.
As you can see, these are big frauds perpetrated by high-level folks. Too often we focus on the easy targets—the clerk in the corner rather than the company's rainmakers. Your most dangerous frauds will be those perpetrated by your executives, so be sure to include them as potential perpetrators.
The next step in the process is to list the symptoms, or what these frauds would look like in the books and records. Here is a short list derived from the frauds listed above—you are likely to come up with many more symptoms:
Again, these are just a few, but you will notice that I did not list a single control weakness. A control weakness is not a symptom of fraud. Just because a control is present does not mean a fraud is not occurring. Conversely, just because a control is absent does not mean a fraud is occurring. Just because someone smokes does not mean they have lung cancer, and just because they do not smoke does not mean their lungs are clear. A doctor must look for the symptoms.
In each of the frauds listed above, it can be assumed that some controls were present. In the first fraud, the company had a control in which the CEO signed checks above a certain amount—the CFO simply forged the signature. So if we ignored the area just because we heard proper controls existed, then we would have missed a massive fraud.
This is the last step I will discuss in the five-step approach to fraud detection; the other two are self-explanatory. If you perform audits, your step here is to include symptom detection in your audit programs. Auditors: look for symptoms of fraud! Quit looking for approval signatures and thinking your work is done; every fraudulent disbursement or expense report I have seen in my career had an approval signature on it. This does not mean someone approved the frauds; it just means the approver failed to pay attention, did not take their authority seriously, did not have time to properly review the item, or did not understand (or care about) what they should have been looking for.
If you manage an operational or finance/accounting unit, design processes to detect symptoms. Managers generally understand how to establish preventative controls: approval signatures for checks over a certain amount, requiring original receipts on expense reports, three-way matching approved purchase orders to invoices to packing slips. What managers are not so good at is establishing processes to detect frauds after the perpetrator has run the gauntlet of front-end controls. It is like a rancher who builds a fence around his livestock but has no way to catch the thief who has jumped the barrier.
Following are some audit tests/detective processes designed to catch the symptoms listed above.
Of course, the descriptions of these tests are too general to properly implement, but they should provide you with an idea about how to construct detective procedures within your own environment. Good luck in finding employees who use company money for personal reasons!
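As an added illustration that is not part of the original article, here is how two of the frauds described above (checks payable to an insider or an entity the insider controls, and double-billed expenses) could be turned into detective tests over disbursement and expense data. The record layouts, sample rows and the shared-address heuristic for spotting a controlled entity are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the article); field names are assumptions.
EMPLOYEES = [{"name": "Pat Doe", "address": "12 Oak St., Suite 4"},
             {"name": "Lee Roe", "address": "9 Elm Road"}]
VENDORS = [{"name": "Acme Drilling Supply", "address": "400 Main St"},
           {"name": "PD Holdings LLC", "address": "12 OAK ST SUITE 4"}]
DISBURSEMENTS = [{"check": 1001, "payee": "Acme Drilling Supply", "amount": 18250.00},
                 {"check": 1002, "payee": "PD Holdings LLC", "amount": 122000.00},
                 {"check": 1003, "payee": "pat doe", "amount": 95000.00}]
# (report id, employee, date, merchant, amount)
EXPENSE_LINES = [("R-17", "Lee Roe", "2009-03-02", "Air Travel Co", 1480.00),
                 ("R-22", "Lee Roe", "2009-03-02", "Air Travel Co", 1480.00),
                 ("R-22", "Lee Roe", "2009-03-05", "Hotel", 310.00)]

def norm(text):
    """Lower-case and drop punctuation so 'St.,' and 'ST' compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())

def payments_to_insiders(disbursements, employees, vendors):
    """Flag checks payable to an employee, or to a vendor at an employee's address."""
    emp_names = {norm(e["name"]): e["name"] for e in employees}
    emp_addrs = {norm(e["address"]): e["name"] for e in employees}
    vendor_owner = {norm(v["name"]): emp_addrs[norm(v["address"])]
                    for v in vendors if norm(v["address"]) in emp_addrs}
    hits = []
    for d in disbursements:
        payee = norm(d["payee"])
        if payee in emp_names:
            hits.append((d["check"], "payee is employee " + emp_names[payee]))
        elif payee in vendor_owner:
            hits.append((d["check"], "vendor shares address with " + vendor_owner[payee]))
    return hits

def duplicate_expense_claims(lines):
    """Flag the same employee/date/merchant/amount claimed on more than one report."""
    seen = defaultdict(set)
    for report, employee, date, merchant, amount in lines:
        seen[(employee, date, merchant, amount)].add(report)
    return {key: sorted(reports) for key, reports in seen.items() if len(reports) > 1}

if __name__ == "__main__":
    print(payments_to_insiders(DISBURSEMENTS, EMPLOYEES, VENDORS))
    print(duplicate_expense_claims(EXPENSE_LINES))
```

Neither test looks at approval signatures; both run against the books and records after the payment has already passed the front-end controls.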
See part 2 in this series, "Know the Symptoms of Occurrence."
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
Footnotes