Fraud Auditing, Detection, and Prevention Blog

A Vulnerability Assessment Approach to Fraud Auditing

Jun 12, 2022 7:43:27 PM / by Leonard W. Vona

Last Month's Trivia answers

What are the 10 most common sources of food fraud? Hint: Identify the food item.

According to scientists, the most common sources of food fraud are olive oil, milk, honey, saffron, orange juice, apple juice, grape wine, vanilla extract, and fish. Think about that the next time you go to the grocery store!

Why is this important to the audit profession?

Food Fraud, or what the FDA calls “Economically Motivated Adulteration (EMA),” is the intentional sale of food products that don’t meet recognized standards for economic gain. The ramifications of Food Fraud can include damage to brand reputations, damage to revenue for food retail businesses and processing establishments, and health complications for the consumer due to its impact on food safety. Food Fraud is a global business worth more than $50 billion annually. -- Food Safety Net Services. Think of all the products sold in the world. How is your fraud risk management program working?

Introducing a New Approach to Thinking About Fraud Risk Management

Last month we discussed another way of looking at fraud risk management. One of the concepts was a vulnerability assessment. This kind of assessment is quite common when we discuss computer security, physical security, or employee security. But for some reason, the concept is not common in fraud risk management.

What are the common definitions of a vulnerability assessment?

To understand how a vulnerability assessment can be applied in fraud risk management, let’s first take a closer look at how it is commonly viewed.

  • A vulnerability assessment is a process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. -- Wiki
  • Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. -- CSRC Computer Security Resource Center.
  • Vulnerabilities are the gateways by which threats are manifested. -- SANS GIAC Security Essentials Training Manual
  • Physical Vulnerability Assessment: It is essential for vulnerability assessors to try to assume the mindset of the adversaries and to look at vulnerabilities, attacks, and possible countermeasures from their perspective. Unfortunately, a lot of what passes for Vulnerability Assessments is actually Threat Assessment or relatively mundane checking of compliance with formal security regulations and guidelines. -- Roger G. Johnston, Vulnerability Assessment Team, Nuclear Engineering Division, Argonne National Laboratory, Argonne, IL
  • The primary intent of a Threat and Vulnerability Assessment is to best understand the criticality of assets, vulnerabilities to those assets, and mitigating countermeasures necessary to protect those assets effectively. -- Kroll Security Consulting

The Definition of Threats, Vulnerabilities, and Fraud Risks for Auditors

Vulnerabilities: Points in the internal control structure that can be exploited.

Exploit: The means through which a vulnerability can be leveraged by a fraudster. The fraudster may be an internal or external person. The internal person may be a control owner or an employee who has access to the business system via their normal job duties. The external person may be in collusion with the internal person or may simply hack the system.

Threats: Possible danger (fraud risk statement) that someone might exploit a vulnerability in our internal control structure thereby causing monetary or non-monetary harm.

Fraud Risk: An intentional and concealed threat that is designed to cause harm to the organization by exploiting the natural vulnerabilities that exist within our overall internal control structure.

Vulnerability Assessment & Fraud Risk Management

Conducting a vulnerability assessment starts with identifying the threats. These are known in the auditing profession as fraud risk statements. In previous blogs, we have discussed a methodology for creating fraud risk statements. (reference)

The next step is to build a comprehensive understanding of the potential attackers who could exploit our internal controls. Then we need to identify how those potential attackers link to our internal control system. 

I want to introduce a concept I call “internal control inhibitors.” The inhibitors are those actions that cause the internal control to fail. This could be collusion, management override, nonperformance of a control procedure, lack of understanding of a control procedure, the sophistication of concealment, etc. These inhibitors should be viewed as vulnerabilities. You should build a list of vulnerabilities relevant to your organization.

Caution: we should not discuss the mitigation factor or why the internal control will stop the fraudster. Vulnerability analysis is the exact opposite of what we have been taught. Rather, we’re looking at the inherent weakness of internal control, or the "what if" the internal control fails. 

Now that we have an understanding of the what and when, we should discuss the how. How can the perpetrator create the illusion that the transaction is authentic and valid? I refer to this as the sophistication of concealment. This is the underlying reason why many fraud schemes go undetected. The more sophisticated the concealment, the less likely it is to be detected.

The goal of the vulnerability assessment is to understand where and how our internal controls are vulnerable. Rather than thinking of them as weaknesses, it’s more beneficial to think of them as natural vulnerabilities that exist in every internal control system. Remember, knowledge is power. 

The Practical Application for Fraud Risk Management

In my November 2021 blog, I listed various real-life fraud schemes (link). A look at a real case can also help with our discussion of the concept of vulnerability analysis.

“Cecile Nhung Campbell, an accountant at Kia Motors in Irvine, CA, was short on cash and decided to abuse her employer’s lack of anti-fraud protocols. She set up a phony out-of-state company and sent bills to her employer totaling over $1M.” -- AppZen Web Site

What was the fraud risk statement in this case? 

Fraud Risk Statement: The accountant, acting alone, causes a shell company to be set up on the vendor master file, processes a purchase order, and approves a fake invoice for goods or services not received, causing the diversion of company funds.

This scheme is as old as dirt. So, how did the accountant exploit the natural vulnerabilities in the internal control system in her company and how could that happen in your company?

Exploit: Internal accountant using her position of authority to initiate and process a transaction. You could say that the problem was that management placed too much trust in the accountant. Having too much trust is a vulnerability. But if you stop there, you defeat the purpose of the exercise.

Vulnerability: The new vendor procedures were not sufficient to determine if the vendor was a real company. The three-way internal invoice match relied on the accountant’s approval. Since the accountant was not identified as a potential perpetrator, the controls were not designed to stop her.

This was concealment, at the most basic level. The accountant created the illusion of a vendor. At a more sophisticated level, she might have assumed the identity of a real company in the marketplace, used a dormant vendor already in the accounts payable system, or set up a look-alike vendor scheme. 

Once you understand the vulnerabilities, you can do a better job of stopping this fraud scheme in your company. You can develop better fraud prevention, detection, and deterrence internal controls.
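The concealment variants described above (a shell vendor whose invoices are approved by the person who set it up, a look-alike vendor, and a dormant vendor put back into use) can each be tested against the vendor master file and invoice history. The following is an added example, not part of the original post; the field names, user IDs, thresholds, and sample records are constructed assumptions.

```python
from datetime import date
from difflib import SequenceMatcher

# Constructed sample records; field names and user ids are assumptions.
VENDORS = [
    {"id": "V100", "name": "Acme Industrial Supply", "created_by": "jlee", "created": date(2015, 3, 1)},
    {"id": "V200", "name": "Acme Industrial Suply", "created_by": "acct1", "created": date(2022, 1, 10)},
    {"id": "V300", "name": "Northgate Logistics", "created_by": "jlee", "created": date(2012, 6, 5)},
]
INVOICES = [
    {"vendor": "V100", "date": date(2022, 2, 1), "approved_by": "mgr2", "amount": 1800},
    {"vendor": "V100", "date": date(2022, 3, 1), "approved_by": "mgr2", "amount": 2100},
    {"vendor": "V200", "date": date(2022, 2, 15), "approved_by": "acct1", "amount": 48000},
    {"vendor": "V300", "date": date(2018, 4, 1), "approved_by": "mgr2", "amount": 900},
    {"vendor": "V300", "date": date(2022, 3, 20), "approved_by": "mgr2", "amount": 31000},
]

def same_person_flags(vendors, invoices):
    # Vendors whose creator also approved one of their invoices (no second person involved).
    creator = {v["id"]: v["created_by"] for v in vendors}
    return sorted({i["vendor"] for i in invoices if creator.get(i["vendor"]) == i["approved_by"]})

def lookalike_flags(vendors, threshold=0.9):
    # Flag the newer vendor of any pair whose names are nearly identical.
    flags = []
    for n, a in enumerate(vendors):
        for b in vendors[n + 1:]:
            ratio = SequenceMatcher(None, a["name"].lower(), b["name"].lower()).ratio()
            if ratio >= threshold:
                flags.append(max(a, b, key=lambda v: v["created"])["id"])
    return sorted(flags)

def dormant_flags(invoices, gap_days=730):
    # Vendors with a gap of more than gap_days between consecutive invoices.
    by_vendor = {}
    for inv in sorted(invoices, key=lambda i: i["date"]):
        by_vendor.setdefault(inv["vendor"], []).append(inv["date"])
    return sorted(v for v, ds in by_vendor.items()
                  if any((b - a).days > gap_days for a, b in zip(ds, ds[1:])))

def review_list(vendors, invoices):
    # One entry per vulnerability; each flagged vendor needs independent verification.
    return {"creator_also_approver": same_person_flags(vendors, invoices),
            "lookalike_name": lookalike_flags(vendors),
            "reactivated_dormant": dormant_flags(invoices)}
```

A flag is a reason to verify the vendor through someone other than the control owner, not proof of fraud.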

In next month's blog, I will discuss the importance of fraud education.

Fraud Trivia: Famous Scammers

  • What is the name of the first “confidence man”?
  • What is the name of the first “confidence queen”?
  • Who sold an imaginary country?
  • Who sold the Eiffel Tower?
  • Lastly, who is famous for selling the Brooklyn Bridge, Madison Square Garden, the Metropolitan Museum of Art, Grant’s Tomb, and the Statue of Liberty?

Why is this important to the audit profession?

(Answers will be published in next month's blog)

Topics: Fraud Auditing, Fraud Detection, Vulnerability Assessment

Written by Leonard W. Vona

Leonard W. Vona has more than 40 years of diversified fraud auditing and forensic accounting experience. His firm, Fraud Auditing, Inc., advises clients in areas of fraud risk assessment, fraud data analytics, fraud auditing, fraud prevention and litigation support.