Fraud Auditing, Detection, & Prevention Blog

Is your fraud risk assessment designed to fail?

Written by Leonard W. Vona | Aug 20, 2025 11:45:00 AM

In the beginning of my career, someone once told me, "People commit fraud, not internal controls." So, if we are to perform a proper analysis of fraud risk, then we first need to assess people. No, I do not mean a psychological profile. To me, it means understanding the opportunity the person has by virtue of their position in the business cycle, or their sophistication in concealing the fraud scheme, or the natural vulnerabilities that exist within their business system.

Without this analysis, your fraud risk assessment is simply an academic exercise to satisfy a standard. Or more bluntly, your fraud risk assessment is designed to fail. Sorry!

Start with the Sophistication of the Perpetrator

In our risk assessment, we have five categories of offenders: the first-time offender, the repeat offender, crime groups, management, and external parties. Who the external offender might be depends on where we are in the business cycle. For instance, in the expenditure cycle, the external party is the vendor, and in the revenue cycle, it would be the customer, etc.

With each category, we need to understand how they would commit the scheme (fraud scenario) and how they would create the illusion of propriety (concealment strategies). Then, we need to consider whether we have the right preventive and detective controls to mitigate the fraud risk for each category of offender.

Now, let’s look at a real-life example of how an organized crime group committed a theft of assets scheme.

Real Life Fraud Example

Three individuals were sentenced recently for their participation in a scheme to defraud the Georgia Department of Labor (GaDOL) out of tens of millions of dollars in benefits meant to assist unemployed individuals during the COVID-19 pandemic.

According to court documents and evidence presented in court, from March 2020 through November 2022, three individuals and their co-conspirators caused more than 5,000 fraudulent unemployment insurance (UI) claims to be filed with the GaDOL, resulting in at least $30 million in stolen benefits.

To execute the scheme, the defendants and their co-conspirators created fictitious employers and fabricated lists of purported employees using personally identifiable information (PII) from thousands of identity theft victims and filed fraudulent unemployment insurance claims on the GaDOL website. The conspirators obtained PII for use in the scheme from a variety of sources, including by paying an employee of an Atlanta-area health care and hospital network to unlawfully obtain patients’ PII from the hospital’s databases, and by purchasing PII from other sources over the internet. Using victims’ PII, the three perpetrators and their co-conspirators caused the stolen UI funds to be disbursed via prepaid debit cards mailed to various locations. The identity theft victims and unwitting participants were purported employees of several fictitious companies, which were created to execute this fraud scheme. 

FYI, we know that unemployment fraud was rampant in all states during COVID. So, was this a COVID issue or the failure of the state unemployment offices to understand how a crime group could perpetrate unemployment fraud? Let’s be honest, individuals have been committing unemployment fraud since the beginning of unemployment insurance.

Let’s look at the two fraud risk statements: Expected and unexpected

Put on your auditor hat and start your fraud risk assessment by creating two different fraud risk statements:

    • A real person files for unemployment benefits through a real company based on a false pretense. (Expected fraud risk statement)
    • Organized crime groups take over the identity of a real person (assumed identity) and submit a false unemployment claim through a fictitious company, with the payment deposited in a prepaid debit card. (Unexpected fraud risk statement)

What makes the expected fraud scheme different from the unexpected fraud risk statement?

  1. The scheme was perpetrated by a crime group rather than a single individual falsely claiming a benefit.
  2. The perpetrator stole a real person’s identity (assumed identity scheme).
  3. Perpetrators created false companies.
  4. Payments were to prepaid debit cards rather than a person’s bank account.
  5. Schemes committed during a crisis. (Actually, this is a vulnerability that should have been considered. Very much like a disaster recovery plan.)

Without access to the various state unemployment office fraud risk assessment documents, we can only surmise what they say or do not say. We can also only guess what internal controls they had in place and what internal controls they did not have in place.

If I may, let’s talk about a few strategies that may have prevented this fraud or at least minimized it.

By understanding how the category of person would commit the scheme in the fraud risk statement, we can better identify the right internal controls for each fraud risk statement. In this case, here are some things that could have been considered red flags:

  1. The creation date of the fictitious companies.
  2. The fact that there was no payroll reported for the fictitious companies.
  3. Payments to debit cards (have additional scrutiny).
  4. Employees (assumed identity) receiving the unemployment benefit would have had payroll reported under a different company.
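To make the four red flags concrete, here is an added example (not from the original post and not any state agency's actual system) that tests each claim against them and ranks the claims for review. The records, field names, and the 180-day "new employer" threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data; field names are assumptions for illustration.
EMPLOYERS = {
    "E100": {"registered": date(2012, 5, 1)},
    "E900": {"registered": date(2020, 4, 20)},
}
# Quarterly wage reports filed by employers: (employer_id, claimant_id, quarter)
WAGE_REPORTS = [
    ("E100", "C1", "2020Q1"),
    ("E100", "C2", "2020Q1"),
]
CLAIMS = [
    {"id": "K1", "claimant": "C1", "employer": "E100",
     "filed": date(2020, 6, 1), "payout": "bank_account"},
    {"id": "K2", "claimant": "C2", "employer": "E900",
     "filed": date(2020, 6, 3), "payout": "prepaid_debit_card"},
    {"id": "K3", "claimant": "C3", "employer": "E900",
     "filed": date(2020, 6, 3), "payout": "prepaid_debit_card"},
]
NEW_EMPLOYER_DAYS = 180  # assumed threshold, tune to your own data


def red_flags(claim, employers=EMPLOYERS, wage_reports=WAGE_REPORTS):
    """Return the red flags from the list above that a claim triggers."""
    flags = []
    emp = claim["employer"]
    age = (claim["filed"] - employers[emp]["registered"]).days
    if age < NEW_EMPLOYER_DAYS:                      # red flag 1
        flags.append("employer_recently_created")
    if not any(e == emp for e, _, _ in wage_reports):  # red flag 2
        flags.append("employer_reported_no_payroll")
    if claim["payout"] == "prepaid_debit_card":      # red flag 3
        flags.append("prepaid_debit_card_payout")
    if any(c == claim["claimant"] and e != emp for e, c, _ in wage_reports):
        flags.append("payroll_under_different_employer")  # red flag 4
    return flags


def review_queue(claims=CLAIMS, min_flags=2):
    """Claims with at least min_flags red flags, most flags first."""
    hits = [(c["id"], red_flags(c)) for c in claims]
    hits = [h for h in hits if len(h[1]) >= min_flags]
    return sorted(hits, key=lambda h: -len(h[1]))


if __name__ == "__main__":
    for claim_id, flags in review_queue():
        print(claim_id, flags)
```

No single flag proves fraud; the value is in the combination, which is why the queue ranks claims by how many flags they trigger.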

The Million Dollar Question

So, was their fraud risk assessment process designed to fail? I think you know the answer.

Fraud Trivia

  1. According to The Times of Israel, between 2017 and 2019 he allegedly conned 1 billion dollars from people and banks in a Ponzi scheme. Simon Leviev, born 27 September 1990
  2. According to The Washington Post, following the release of the documentary, the movie has become the most-watched documentary ever on Netflix, and was nominated for five Emmy awards. The Tinder Swindler
  3. In what year did his legal troubles start? 2011
  4. In which countries was he arrested for using a fake passport? Israel, Jordan, Finland, and Greece.
  5. According to The Times of Israel, in 2020, he pretended to be a medical worker to get the “COVID-19 vaccine early”.

 

So many times, I hear auditors say, "You need to think like a thief." So, do you think you could think like Simon? Could you pull off these schemes? In my opinion, think like an auditor. You need to know fraud risk, fraud concealment, internal control theory, and the principles of fraud auditing better than the thief.

There is little doubt that AI is creating new opportunities for individuals to perpetrate fraud schemes. Voice-overs or created images of someone are being used to gain access to your business systems. Your phone rings, and it looks like someone you know is calling you. But before all of this wonderful technology, let's see how Hollywood already perpetrated some of these schemes. Please name the person:

  1. Which male actor portrayed a woman in order to obtain a job?
  2. Which male actor portrayed a woman in order to see his children?
  3. Which film star plays a singer who achieves fame by pretending to be a man pretending to be a woman? Crazy huh!
  4. In the risqué role that sexed up her most commercially successful film, who is all sparkle and sizzle, forever popularizing her title character as history’s foremost femme fatale?
  5. Portrayed by numerous Oscar-winning actors, the most well-known adaptation of the Patricia Highsmith character is __________? This is one of the great characters in film and literature, and may be cinema's foremost imposter.
  6. Because he is a classic, he cannot be left off the list. He now works for the FBI.

I am not minimizing the fraud risk created by AI, but in many ways, Hollywood understood how to create impostors a long time ago.