What are the 10 most common sources of food fraud? Hint: Identify the food item.
According to scientists, the most common sources of food fraud are olive oil, milk, honey, saffron, orange juice, apple juice, grape wine, vanilla extract, and fish. Think about that the next time you go to the grocery store!
Why is this important to the audit profession?
Food Fraud, or what the FDA calls “Economically Motivated Adulteration (EMA),” is the intentional sale of food products that don’t meet recognized standards for economic gain. The ramifications of Food Fraud can include damage to brand reputations, damage to revenue for food retail businesses and processing establishments, and health complications for the consumer due to its impact on food safety. Food Fraud is a global business worth more than $50 billion annually. -- Food Safety Net Services. Think of all the products sold in the world. How is your fraud risk management program working?
Last month we discussed another way of looking at fraud risk management. One of the concepts was a vulnerability assessment. This kind of assessment is quite common when we discuss computer security, physical security, or employee security. But for some reason, the concept is not common in fraud risk management.
To understand how a vulnerability assessment can be applied in fraud risk management, let’s first take a closer look at how it is commonly viewed.
Vulnerabilities: Points in the internal control structure that can be exploited.
Exploit: The means through which a vulnerability can be leveraged by a fraudster. The person may be an internal or external person. The internal person may be a control owner or an employee who has access to the business system via their normal job duties. The external person may be in collusion with the internal person or may simply hack the system.
Threats: Possible danger (fraud risk statement) that someone might exploit a vulnerability in our internal control structure thereby causing monetary or non-monetary harm.
Fraud Risk: An intentional and concealed threat that is designed to cause harm to the organization by exploiting the natural vulnerabilities that exist within our overall internal control structure.
Conducting a vulnerability assessment starts with identifying the threats. These are known in the auditing profession as fraud risk statements. In previous blogs, we have discussed a methodology for creating fraud risk statements. (reference)
The next step is to build a comprehensive understanding of the potential attackers who could exploit our internal controls. Then we need to identify how those potential attackers link to our internal control system.
I want to introduce a concept I call the “internal control inhibitors.” The inhibitors are those actions that cause the internal control to fail. This could be collusion, management override, nonperformance of a control procedure, lack of understanding of a control procedure, the sophistication of concealment, etc. These inhibitors should be viewed as vulnerabilities. You should build a list of vulnerabilities relevant to your organization.
Caution: we should not discuss the mitigation factor or why the internal control will stop the fraudster. Vulnerability analysis is the exact opposite of what we have been taught. Rather, we’re looking at the inherent weakness of internal control, or the "what if" the internal control fails.
Now that we have an understanding of the what and when, we should discuss the how. How can the perpetrator create the illusion that the transaction is authentic and valid? I refer to this as the sophistication of concealment. This is the underlying reason why many fraud schemes go undetected. The more sophisticated the concealment, the less likely it is to be detected.
The goal of the vulnerability assessment is to understand where and how our internal controls are vulnerable. Rather than thinking of them as weaknesses, it’s more beneficial to think of them as natural vulnerabilities that exist in every internal control system. Remember, knowledge is power.
In my November 2021 blog, I listed various real-life fraud schemes (link). A look at a real case can also help with our discussion of the concept of vulnerability analysis.
“Cecile Nhung Campbell, an accountant at Kia Motors in Irvine, CA, was short on cash and decided to abuse her employer’s lack of anti-fraud protocols. She set up a phony out-of-state company and sent bills to her employer totaling over $1M.” -- AppZen Web Site.
What was the fraud risk statement in this case?
Fraud Risk Statement: The accountant, acting alone, caused a shell company to be set up on the vendor master file, processed a purchase order, and approved a fake invoice for goods or services not received, causing the diversion of company funds.
This scheme is as old as dirt. So, how did the accountant exploit the natural vulnerabilities in the internal control system in her company and how could that happen in your company?
Exploit: Internal accountant using her position of authority to initiate and process a transaction. You could say that the problem was that management placed too much trust in the accountant. Having too much trust is a vulnerability. But if you stop there, you defeat the purpose of the exercise.
Vulnerability: The new vendor procedures were not sufficient to determine if the vendor was a real company. The three-way internal invoice match relied on the accountant’s approval. Since the accountant was not identified as a potential perpetrator, the controls were not designed to stop her.
This was concealment, at the most basic level. The accountant created the illusion of a vendor. At a more sophisticated level, she might have assumed the identity of a real company in the marketplace, used a dormant vendor already in the accounts payable system, or set up a look-alike vendor scheme.
Once you understand the vulnerabilities, you can do a better job of stopping this fraud scheme in your company. You can develop better fraud prevention, detection, and deterrence internal controls.
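As an illustration of detection controls built from these vulnerabilities, the following added example (not part of the original blog or the case record) runs three checks over a vendor master file and paid invoices: vendor creator also approving its invoices, a dormant vendor paid again, and look-alike vendor names. All data, field names, and thresholds are constructed assumptions.

```python
from datetime import date
from difflib import SequenceMatcher

# Constructed sample data (hypothetical field names, not from the case).
VENDORS = {
    "V001": {"name": "Acme Industrial Supply", "created_by": "jsmith"},
    "V002": {"name": "Acme Industrial Suply", "created_by": "akhan"},
    "V003": {"name": "Northwind Consulting LLC", "created_by": "mlee"},
    "V004": {"name": "Bluewater Freight Lines", "created_by": "jsmith"},
}
INVOICES = [
    {"vendor": "V001", "approved_by": "rpatel", "paid": date(2023, 4, 20)},
    {"vendor": "V001", "approved_by": "rpatel", "paid": date(2023, 7, 20)},
    {"vendor": "V002", "approved_by": "rpatel", "paid": date(2023, 7, 25)},
    {"vendor": "V003", "approved_by": "mlee", "paid": date(2023, 7, 1)},
    {"vendor": "V004", "approved_by": "rpatel", "paid": date(2019, 2, 1)},
    {"vendor": "V004", "approved_by": "rpatel", "paid": date(2023, 8, 5)},
]

def same_person_vendors(vendors, invoices):
    """Vendors whose creator also approved an invoice (one person acting alone)."""
    return sorted({i["vendor"] for i in invoices
                   if vendors[i["vendor"]]["created_by"] == i["approved_by"]})

def reactivated_dormant(invoices, gap_days=730):
    """Vendors paid again after more than gap_days without activity."""
    by_vendor = {}
    for inv in invoices:
        by_vendor.setdefault(inv["vendor"], []).append(inv["paid"])
    return sorted(v for v, d in by_vendor.items()
                  if any((b - a).days > gap_days
                         for a, b in zip(sorted(d), sorted(d)[1:])))

def look_alikes(vendors, threshold=0.9):
    """Pairs of vendor names that are nearly identical but not equal."""
    ids, pairs = sorted(vendors), []
    for n, a in enumerate(ids):
        for b in ids[n + 1:]:
            x, y = vendors[a]["name"].lower(), vendors[b]["name"].lower()
            if x != y and SequenceMatcher(None, x, y).ratio() >= threshold:
                pairs.append((a, b))
    return pairs

if __name__ == "__main__":
    print("creator approved invoice:", same_person_vendors(VENDORS, INVOICES))
    print("dormant vendor reused:", reactivated_dormant(INVOICES))
    print("look-alike names:", look_alikes(VENDORS))
```

Each hit is a lead for review, not proof of fraud; the thresholds need tuning against your own vendor population.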
In next month's blog, I will discuss the importance of fraud education.
Why is this important to the audit profession?
(Answers will be published in next month's blog)