Words have power, but words can also create confusion.
One of my personal complaints about the professional literature regarding terms used to describe fraud risk. We use so many terms interchangeably that I believe it creates confusion. Let’s try to cut through that confusion by implementing better definitions.
For instance, what is the difference between a fraud scheme, a fraud scenario, a fraud risk statement and a fraud risk?
And, is the phrase “fraud scheme” the correct phrase for our profession? I raise this question because the new standards use the phrase “fraud scheme”.
Before I start, let me explain that in this blog I will not provide any answers to the phrase “Deeper Understanding of Fraud Schemes.” Rather, I will only raise questions regarding the phrase. To be honest, If I was a CAE, I am not sure what the profession wants me to do.
With that said, I praise the profession in recognizing the importance of gaining a deeper understanding of fraud schemes facing our companies. Maybe, I am talking out of both sides of my mouth. Remember, my blogs are designed to make you think.
So, think about this: Fraud is not predictable as to when it will occur but is fairly straight forward as to how it will occur.
Many years ago, the IT auditor was created. In fact, I was an IT auditor in 1979. For the last 40 years, however, I have been a fraud auditor. Unfortunately, unlike IT, the profession does not recognize the title of fraud auditor.
In my opinion, it is time for the title of Fraud Auditor to be created and recognized by the profession. Auditors are not born with fraud risk or fraud audit knowledge or fraud skills. I suspect that college courses are not designed to provide this knowledge. If the profession is serious about a “more proactive approach to fraud detection” it is time to recognize that this will require auditors to develop and gain a new set of skills. I recommend that every audit department invests in human fraud risk intelligence.
Current audit standards call for us to use a mitigation standard when it comes to audits This means that unless you want to be an outlaw, your assessment will end with mitigate. However, the question I want you to ask yourself is, right now do we have enough information to properly assess the mitigate question?
Let me introduce a new model for assessing fraud risk mitigation. Before you read my blog, remember sarcasm is good, if it makes you think. Remember our theme, to look behind the curtain. The curtain is the current professional audit standards.
We're continuing with my thought process of looking behind curtains in fraud risk, but with a slight change. This time, we're looking behind a new curtain.
This month I will present at a conference a new approach to fraud risk assessment. It is the cumulation of my 40 years of experience in building the fraud audit model.
Businesses face a growing threat of account take over attacks as fraudsters become more sophisticated and take advantage of advances in technology. This week, we're pulling back the curtain to take a closer look at them and how to add this to your fraud protection strategy.
Fraud Trivia: Phishing
Phishing is a prevalent type of social engineering that aims to steal data from the message receiver. Typically, this data includes personal information, usernames and passwords, and/or financial information. Phishing is consistently named as one of the top 5 types of cybersecurity attacks.
The theme of the last three blogs was “look behind the curtain” in order to tell the fraud story. Upon reflection, maybe I did not tell the entire fraud story. Maybe, I did not look behind the right curtain. So, this month, we are going to look behind a different curtain.
This month, we're pulling back the curtain again to take a look at a look at what could be going on even when everything seems to be fine on the surface. We'll consider what can happen despite the appearance of effective internal controls and how to uncover it.
