Fraud Smart E-Book

Table of Contents

Cover

Title page

Copyright page

Preface

WHY FRAUD SMART?

WHAT DOES THE BOOK COVER?

OUR APPROACH TO PREPARING THE BOOK

Part I: Understanding the Threat

1 What Do We Mean by Fraud?

WHAT CAN GO WRONG?

WHAT DO THE EXPERTS SAY?

OUR MODEL EXPLAINED

OUR THREE KEY CONCLUSIONS

2 A Wide Range of Threats

WHAT CAN GO WRONG?

WHAT DO THE EXPERTS SAY?

OUR MODEL EXPLAINED

OUR THREE KEY CONCLUSIONS

3 The Global Scene

WHAT CAN GO WRONG?

WHAT DO THE EXPERTS SAY?

OUR MODEL EXPLAINED

OUR THREE KEY CONCLUSIONS

4 Building Your Fraud Smart Toolkit

KEY LEARNING OBJECTIVES

PART I MULTICHOICE QUIZ

Part II: Appreciating Respective Responsibilities

5 Fraud Smart Roles and Responsibilities

WHAT CAN GO WRONG?

WHAT DO THE EXPERTS SAY?

OUR MODEL EXPLAINED

OUR THREE KEY CONCLUSIONS

6 Fraud Smart Skills Profile

WHAT CAN GO WRONG?

WHAT DO THE EXPERTS SAY?

OUR MODEL EXPLAINED

OUR THREE KEY CONCLUSIONS

7 Fraud Smart Training Needs

WHAT CAN GO WRONG?

WHAT DO THE EXPERTS SAY?

OUR MODEL EXPLAINED

OUR THREE KEY CONCLUSIONS

8 Building Your Fraud Smart Toolkit

KEY LEARNING OBJECTIVES

PART II MULTICHOICE QUIZ

Part III: Embracing Sound Ethics

9 The Moral Compass

WHAT CAN GO WRONG?

WHAT DO THE EXPERTS SAY?

OUR MODEL EXPLAINED

OUR THREE KEY CONCLUSIONS

10 Implementing Values

WHAT CAN GO WRONG?

WHAT DO THE EXPERTS SAY?

OUR MODEL EXPLAINED

OUR THREE KEY CONCLUSIONS

11 Whistleblowing

WHAT CAN GO WRONG?

WHAT DO THE EXPERTS SAY?

OUR MODEL EXPLAINED

OUR THREE KEY CONCLUSIONS

12 Building Your Fraud Smart Toolkit

KEY LEARNING OBJECTIVES

PART III MULTICHOICE QUIZ

Part IV: Recognizing Red Flags

13 The Ingredients of Fraud

WHAT CAN GO WRONG?

WHAT DO THE EXPERTS SAY?

OUR MODEL EXPLAINED

OUR THREE KEY CONCLUSIONS

14 Why People Slip Up

WHAT CAN GO WRONG?

WHAT DO THE EXPERTS SAY?

OUR MODEL EXPLAINED

OUR THREE KEY CONCLUSIONS

15 Recognizing Red Flags

WHAT CAN GO WRONG?

WHAT DO THE EXPERTS SAY?

OUR MODEL EXPLAINED

OUR THREE KEY CONCLUSIONS

16 Building Your Fraud Smart Toolkit

KEY LEARNING OBJECTIVES

PART IV MULTICHOICE QUIZ

Part V: Mastering Suitable Controls

17 The Control Concept

WHAT CAN GO WRONG?

WHAT DO THE EXPERTS SAY?

OUR MODEL EXPLAINED

OUR THREE KEY CONCLUSIONS

18 Basic Controls

WHAT CAN GO WRONG?

WHAT DO THE EXPERTS SAY?

OUR MODEL EXPLAINED

OUR THREE KEY CONCLUSIONS

19 Fraud Smart Risk Management

WHAT CAN GO WRONG?

WHAT DO THE EXPERTS SAY?

OUR MODEL EXPLAINED

OUR THREE KEY CONCLUSIONS

20 Building Your Fraud Smart Toolkit

KEY LEARNING OBJECTIVES

PART V MULTICHOICE QUIZ

Appendix A: Corporate Fraud Smart Policy

AIM OF THE FRAUD SMART POLICY

DEFINING FRAUD

FRAUD SMART ROLES

FRAUD SMART COMPETENCIES

FRAUD SMART REPORTING

FRAUD SMART CONTROLS

APPENDIX: FRAUD SMART INVESTIGATIONS

Appendix B: Multichoice Quiz: Answers

Appendix C: Fraud Smart: Your Score Sheet

Index

This edition first published in 2011

Copyright © 2012 John Wiley & Sons Ltd.

Registered office

John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom.

For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com.

The rights of the author to be identified as the author of this work have been asserted in accordance with the Copyright, Designs and Patents Act 1988.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher is not associated with any product or vendor mentioned in this book. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

Library of Congress Cataloging-in-Publication Data

Pickett, K. H. Spencer.

 Fraud smart / K.H. Spencer Pickett.

p. cm.

ISBN 978-0-470-68258-6

 1. Employee theft. 2. Employee crimes–Prevention. 3. Fraud–Prevention. 4. Auditing, Internal. I. Title.

 HF5549.5.E43P53 2012

 658.4'73–dc23

2011044327

ISBN 978-0-470-68258-6 (hbk), ISBN 978-1-119-94477-5 (ebk),

ISBN 978-1-119-96047-8 (ebk), ISBN 978-1-119-96046-1 (ebk)

A catalogue record for this book is available from the British Library.

WHY FRAUD SMART?

After spending a decade performing and managing fraud investigations in a large organization, I spent a further decade delivering regular fraud awareness seminars for groups of non-specialists from many different organizations. My conclusion is that, in most larger organizations, the workforce can be roughly divided into three main groups:

The first group will gain no benefit from reading this book, as it will not help them plan new frauds. The second group will already have a good knowledge of fraud-related issues and will be aware of the concepts and advice described here. It is the third group who will gain most from reading the book, as a way of getting to grips with fraud by appreciating its potential impact on most organizations.

The aim of the book is simple:

To move parts of the workforce that are firmly stuck in the third group to becoming Fraud Smart, so that everyone gets involved in the fight against fraud.

From my experience, it is only by involving everyone that we can generate a Fraud Smart workforce who understand the need to take risks, trust their colleagues and drive business success, but are also on guard for dishonesty, whenever and wherever it occurs.

WHAT DOES THE BOOK COVER?

The book is based around a five-part Fraud Smart cycle, which starts with appreciating the risk of fraud and ends with mastering controls over this risk, as set out in Figure 1.

The five-stage Fraud Smart cycle encapsulates our 20 chapters, as is clear from the list of contents. A brief synopsis follows here.

Part I: Understanding the Threat

Chapters 1 to 4 deal with the basic concept of workplace fraud and that the threat of fraud is wide ranging and is a serious concern for almost all organizations, whatever their business and regardless of whether they are private sector, public sector or not-for-profit entities.

Part II: Appreciating Respective Roles

Chapters 5 to 8 consider the roles of different groups within an organization and how they fit together to ensure that fraud is kept on the run. In turn, these expectations can mean that we ask ourselves and our colleagues whether we have the right skill set to cope.

Part III: Embracing Sound Ethics

Chapters 9 to 12 deal with the fundamental concept of business ethics. If we were all honest all of the time, there would be little or no fraud to worry about.

Part IV: Recognizing Red Flags

Chapters 13 to 16 take us into the new role of being proactive about fraud. This calls for Fraud Smart employees who know what to look for and how to report suspicious behaviour.

Part V: Mastering Suitable Controls

Chapters 17 to 20 complete the Fraud Smart cycle by asking that we all get involved in making sure that safeguards against fraud are in place and working. In other words, the risk of fraud should be properly managed alongside the wider business risks that face all organizations.

OUR APPROACH TO PREPARING THE BOOK

To explain our approach, we need to go through some of the principles that we have adopted to help non-specialists become Fraud Smart.

Simple

The book is aimed at managers, supervisors, team leaders and front-line employees who have no specialist knowledge about fraud and fraud control. Each chapter is short and simple and we avoid the use of technical or legal jargon. For example, there is no detailed coverage of fraud investigations as, because of the rigours of the criminal justice system, we do not expect non-specialists to get involved in forensic work. What we do expect is for everyone to appreciate the damage fraud can do, how it occurs, what to look out for and how it may be controlled. Each chapter has a consistent structure that should become familiar as you work through the text.

References

We do not try to document the wise words of the many thousands of experts and knowledgeable specialists in terms of providing a huge list of references throughout the book. This can become offputting; in addition, it is possible to search the websites of the Association of Fraud Examiners, the Institute of Internal Auditors, the larger accounting firms as well as the various accountancy bodies around the world, law enforcement agencies and the many fraud advisory bodies, which will together provide a rich source of information on anti-fraud measures. To keep things manageable, we have drawn from two authoritative sources for our main references, in the section in each chapter entitled ‘What Do the Experts Say?’. Managing the Business Risk of Fraud: A Practical Guide, sponsored in 2008 by the Institute of Internal Auditors, the American Institute of Certified Public Accountants and the Association of Certified Fraud Examiners, also has an appendix providing a list of useful references for exploring this topic in more detail. Report to the Nations (On Occupational Fraud and Abuse) 2010 Global Fraud Study was published by the Association of Certified Fraud Examiners (ACFE), whose website is dedicated to fighting fraud. Both references can be found at www.acfe.com.

Illustrations

There are thousands of frauds reported in the press, in specialist books and in articles on the subject. We have chosen not to fill the book with endless examples using detailed case studies that can become tedious. Our approach has been to note a few illustrative (rather than factual) cases from the UK and the USA, in the section ‘What Can Go Wrong?’. Again, having had your appetite stimulated, you can go on to explore documented past cases using any basic search engine.

Toolkits

Each part of the book’s Fraud Smart cycle has a closing chapter on ‘Building Your Fraud Smart Toolkit’. This uses the conclusions from each chapter to work out what you can do to respond to the issues that have been raised, as part of your personal development strategy.

Models

Most chapters contain a simple model that is used as a frame to address the main issues that are being considered. This is a useful tool for creating some structure to the discussion and the models are designed to aid understanding rather than contain complex detail, in line with our promise to keep things simple.

Consistency

Each chapter has a similar structure to help instil a feeling of familiarity.

Self-Assessment

We have designed a set of multichoice questions that will help you assess the extent to which you have benefited from reading the book. The answers can be found in Appendix B. Please have a go at these questions and record your score in Appendix C.

You can use this book as a basic introduction to the topic, and as a springboard to inspire you to attend training, read more detailed books and delve further into the threat from fraud at work and how this threat can be better managed. We hope that you can work through this book and reflect on ways in which you can sharpen your level of personal alertness and become Fraud Smart.

Fraud can involve mundane activities such as employees regularly taking home small items of office equipment, right through to complex schemes established by executive directors for manipulating the financial statements to pump up the share price of their failing company. In this book we are mainly concerned with employee fraud, which affects small businesses, larger companies, public-sector organizations and the many types of not-for-profit entities that exist in developed and developing countries across the world. Our goal is to help raise awareness among non-specialists to help get everyone involved in the fight against fraud. Organizations that succeed in fighting fraud will benefit, while those that do not may well see their reputations suffer as they become targets of their own employees and even of outsiders, who launch attacks either alone or by colluding with these employees.

One argument suggests that fraud against businesses and government agencies is growing at an alarming rate and we now need to take a firm stance or suffer the consequences. This book is based around the Fraud Smart cycle, which covers five key aspects of helping non-specialists get to grips with fraud at work, as set out in Figure 1.1.

This chapter sits within the first part of the Fraud Smart cycle, Understanding the Threat, and provides an outline of some of the more common types of fraud.

WHAT CAN GO WRONG?

If we fail to get a handle on fraud, there is much that could go wrong. In the past, on discovering that one of their employees was acting in a dishonest manner many organizations would seek out the easiest way to get rid of the problem. This often involved a secretive meeting with the employee, the manager and someone from human resources to force the culprit’s resignation, so that he or she would simply go away, as would the problem. A successful outcome would mean that some kind of repayment might be secured and the whole affair would be hushed up. This ‘old-style’ solution meant that there was no need to ensure that employees were aware of the potential for fraud, or indeed to design any fraud-management process. Bad apples would be quietly removed and it was business as usual, with any losses simply written off, while the culprit would often seek out a new victim.

We can consider the way in which problems can arise by looking at two brief illustrative case studies taken from the UK and the USA. To set the scene, we can turn to the Times newspaper for inspiration:

Frauds, like economies go in cycles. As boom turns to bust, frauds emerge with the inevitability of a hangover after a party. During the celebrations, there are more opportunities to pick pockets and less chance of getting caught. In the cold light of day, people check their wallets and call the police. With the economic boom coming to a crashing end, the wave of frauds has arrived right on cue.

David Wighton, Business and City Editor, The Times, December 20 2008, News, page 3

High-powered people can get together and plan to defraud a funding body:

A manager who has a responsible position can abuse this position and, along with others, commit fraud:

The ‘sweep it under the carpet’ approach no longer works, as this simply encourages dishonesty if the only sanction when caught is enforced resignation. The threat of fraud has grown not only due to the economic downturn but also because management layers have been removed, and low-paid junior staff now have much more responsibility, including instant access to customer information as online commerce becomes the norm. We can mix into this potent cocktail the fact that people frequently move jobs and often have no time to bond with their employer and create strong ties of loyalty. Meanwhile, organized crime gangs have replaced their guns with virtual but much more lethal weapons in the form of online access to try to defraud large organizations.

There is no way to combat these developments other than by making sure that the workforce throws itself into fraud control and by installing a robust anti-fraud strategy. Any failure to do so may result in a vulnerable business being subject to continual fraud and abuse, and staff as well as customers becoming demoralized by a poor corporate reputation. It does not stop there, however, as a further trend is for companies to be fined if they fail to control fraud in an appropriate manner.

WHAT DO THE EXPERTS SAY?

As explained in the Preface, we have drawn from two main sources of expertise to help explain Fraud Smart management, as follows:

These two publications contain extremely useful guidance and some of the extracts that are relevant to this chapter are noted. We start with a definition of fraud taken from Managing the Business Risk of Fraud: A Practical Guide:

Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.

(MBRF, page 5)

The guide goes on to warn about the menace from uncontrolled fraud:

All organizations are subject to fraud risks. Large frauds have led to the downfall of entire organizations, massive investment losses, significant legal costs, incarceration of key individuals, and erosion of confidence in capital markets. Publicized fraudulent behavior by key executives has negatively impacted the reputations, brands, and images of many organizations around the globe.

(MBRF, page 5)

We can turn now to the Report to the Nations for a frightening estimate of the scope of fraud internationally:

Survey participants estimated that the typical organization loses 5% of its annual revenue to fraud. Applied to the estimated 2009 Gross World Product, this figure translates to a potential total fraud loss of more than $2.9 trillion.

(ACFE Report, page 4)

This sky-high figure of a $2.9 trillion potential loss sets the scene for the rest of the book. We return to this report for more information on the quoted figure:

Asset misappropriation schemes were the most common form of fraud in our study by a wide margin, representing 90% of cases – though they were also the least costly, causing a median loss of $135,000. Financial statement fraud schemes were on the opposite end of the spectrum in both regards: These cases made up less than 5% of the frauds in our study, but caused a median loss of more than $4 million – by far the most costly category. Corruption schemes fell in the middle, comprising just under one-third of cases and causing a median loss of $250,000.

(ACFE Report, page 4)

You can see from these statistics that fraud is not harmless, victimless and therefore of low concern. It is unfair, since it diverts funds from the people and entities that have a legal right to those funds. Moreover, it has been found that fraud can be used by organized crime to fund other serious offences such as drug dealing and people trafficking. In some cases an entire business can collapse if it has been defrauded by an employee. There is good reason for employees, partners, associates and customers at all levels to help combat fraud as far as possible.

OUR MODEL EXPLAINED

We have developed a simple model, shown in Figure 1.2, to illustrate one way of dealing with the issues raised in this chapter.

Our model suggests that we can view fraud as affecting at least four main aspects of an organization: its income received, its spending, its data (or information) and its assets. We can explore these issues by briefly considering each separate part of our model in turn.

Income

Income is an obvious target for fraudsters, in the sense that if it can be diverted into someone else’s bank account then it becomes the income of the beneficiary. In one case cheques due to the company were intercepted by postroom staff and given to a criminal gang, whose members altered the payee and paid them into a specially established bank account. An even better fraud involved the gang setting up bank accounts in the same name as the company so that stolen cheques could be banked unaltered.

Income is thus due to the company but diverted to the fraudster. One problem for the fraudster can occur when the company continues to chase the debtor and the fraud eventually comes to light.

There are several questions that can be asked to assess how far income could be at risk, including:

All income belongs to the organization and it is at risk if it is not carefully controlled. The issue is whether the controls are sound enough to protect all sources of revenue. The key question to ask is: Can funds due to the organization be intercepted and diverted?

Expenditure

Expenditure is also a target, in that fraudsters will try to achieve payment to themselves (or an associate) by diverting funds so that they fall under their control. A clever accounts staffer may be able to invent false supplier accounts as well as their own special bank account and arrange one or more payments from the company. Bid rigging, where contractors conspire to set the rates for projects that a company is letting, means that the company in question will not achieve value for money and will end up spending more on its contracts. One reprographics manager set up a printing company and then sent out subcontracted jobs to this same company. Meanwhile, he did the jobs himself by using his employer’s printing facilities at weekends, which he also claimed as overtime.

There are several questions that can be asked to assess how far expenditure could be at risk, including:

Authorized spending can end up in a fraudster’s account if it is diverted there, while unauthorized spending can be generated by circumventing disbursement controls. The key question to ask is: Can payments be activated so that they end up in a fraudster’s account or be misapplied in any way?

Assets

The theft of corporate assets can be widespread in companies that hold equipment, inventory and stocks of finished goods. This is an age-old problem. The theft of cash bags is a further problem if the organization has cash receipting and movement systems in place. Misuse of company resources is a different type of problem, where in extreme cases an employee may run their own business using company facilities. One manager of a children’s home over-ordered food supplies and his deputy and caretaker would help him take home the excess food once or twice a week. Meanwhile, the manager’s wife ran a catering firm and used this food to reduce her outgoings.

There are several questions that can be asked to assess how far assets could be at risk, including:

Many organizations have an edge over their competition through the information they hold on markets, financial products, partners and customers. Together with other assets, this information can be at risk.

The key question to ask is: What assets are at risk and could they be accessed in an inappropriate manner?

Data

Data, information and company intelligence present a growing problem in terms of the fraud angle. Straight data loss is an issue that is compounded where these data can be used to perpetrate fraud. In fact, there is a black market in personal data that can be used by opportunist fraudsters, who access the files and pass on relevant data relating to personal and financial details to criminal gangs who can take advantage of the facility.

Banking details, national insurance numbers, addresses, credit details and other personal data are being hoovered up by large organizations to power their customer information systems, but nonetheless pose a threat whenever there is a breach of security. It has been known for customer service employees to photograph customer screens on their mobile phones and pass this information on to outsiders, who create false accounts or address changes to divert funds to their control. Victims of identity theft then face an uphill battle to reinstate their identity and they rightly blame the organization for allowing their details to be stolen.

There are several questions that can be asked to assess how far data could be at risk, including:

Data and the more common store of information that ‘knowledge-based’ companies now harvest are at risk as the increasingly most sought-after aspect of organizational resources. The key question to ask is: How can we protect the vast amount of information held on our corporate and local systems?

There are obvious parts of the organization that are at risk of fraud in all but the smallest of organizations. The sad fact of human nature is that if something can go wrong then at some point in the future it probably will go wrong. One view is that frauds do not just happen, they are allowed to happen because no one thought to ask key questions about areas that are at risk.

OUR THREE KEY CONCLUSIONS

There are three main conclusions that we can draw from our discussions and suggestions. These conclusions will be used to drive your Fraud Smart toolkit, which you will be designing at the end of this part of the book:

In the end, protecting income, expenditure, assets and data is about protecting the organization’s reputation. We said in the Preface that everyone who works for or is associated with a larger organization should appreciate what fraud is and its ramifications. What we need to add now is that this stance is not a nice-to-have but more of a must-have approach, which means that ideally the entire workforce should possess the basic knowledge conveyed by this book.

Fraud is not like other risks, as it tends to represent a direct threat to an organization rather than a potential opportunity. Having said that, there is a slight argument that some commonplace frauds, say online fraud or overseas bribes, may be seen as opportunities to gain an edge by allowing an astute company to boast about its safeguards in contrast to the competition.

As we say in Chapter 1, this book is based around the Fraud Smart cycle that covers five key aspects of helping non-specialists get to grips with fraud at work. This is repeated in Figure 2.1.

This chapter sits within the first part of the Fraud Smart cycle, Understanding the Threat, and covers some of the better-known frauds that affect most organizations.

WHAT CAN GO WRONG?

The problem with fraud is that it may not be seen as a real threat. There are several reasons for this. The organization may feel that it is something that happens to other entities, not itself, and some frauds, particularly low-level abuse, are pretty much concealed, in that management does not know they are happening. So the true extent of fraud and the damage it can cause may not be properly acknowledged by senior managers and work teams, who just want to get ahead and not have to worry about too many cumbersome controls. However, if the threat of fraud is not fully appreciated, particularly the more unusual kinds, there is a great deal that could go wrong.

We can consider how problems can arise by looking at several brief illustrative case studies taken from the UK and the USA. The first involved a police officer.

The ‘it could never happen to me’ stance can be heart-breaking when it does in fact happen. Doing business with a well-known, tried-and-trusted representative, who is consistently successful among a small group of elite people in the same city, could be seen as one way of ensuring that nothing can go wrong. When this simple business model fails, however, it can have catastrophic effects, as shown by our next case study.

Fraud occurs wherever it can, and this can be anywhere. Our next example involves a trusted manager who used loose procedures to conspire with an outsider.

Huge amounts can be obtained by simply creating false invoices and seeking to get these paid.

Simple documents such as timesheets can be falsified to create a fraud.

Some frauds are not particularly obvious and they can involve an abuse of company resources which goes on for some time.