Who caused the failure of a bank via illicit stock trades? Nick Leeson
Who almost caused the failure of a bank due to illicit stock trades? Jérôme Kerviel
What carpet cleaner was listed on Forbes? Barry Minkow
Which was the first widely publicized case of computer crime to conceal a financial statement fraud? Equity Funding. I remember when this case was first publicized, and I must admit, it started with my fascination with fraud as an auditor.
Fraud Risk Universe: The Science of Fraud Risk
I introduced a concept at this year’s ACFE 2022 Global Fraud Conference that I would like to now share with all my colleagues. Simply stated, it is that the fraud risk universe is the science of identifying all fraud risks both known and unknown impacting all organizations on a worldwide basis. To unpack that, let’s start with explaining the term “science.”
Science is the pursuit and application of knowledge and understanding of the natural and social world following a systematic methodology based on evidence. Source: Science Council.
Systematic Methodology: Fraud Risk Universe
In this blog, I will discuss the systematic methodology that allows us to achieve the goal of understanding all fraud risks facing your organization. The systematic methodology requires us to identify the key elements of the fraud risk universe.
With this high-level structure of the fraud risk universe, let’s take a look at each level.
Who are the offender and victim?
There are two parties to every fraud transaction:
- Victim, a person harmed or injured as a result of a crime, accident, or other event or action. For our purposes, the victim is either your company or someone associated with the business system. I.e., In the revenue system, the victim could be the customer.
- Perpetrator, a person who carries out a harmful, illegal, or immoral act. The perpetrator is someone either internal or external to your organization. There may be one or more perpetrators, I.e., in corruption schemes, there are always two perpetrators.
The first question you must ask: Who are these parties?
The primary category of fraud will provide clues to identifying these parties. For instance, in financial reporting, the perpetrator is typically someone in the financial reporting department or a corporate officer. The victim is the party that relies on the financial statement. In corruption schemes, the perpetrator is typically an internal decision maker in collusion with an outside party. The victim may be either the company or an external party.
As with most rules, there is typically an exception. Vendor bid rigging, another type of corruption scheme, does not have an internal party.
What are the primary and secondary categories of fraud?
The three most common primary categories of fraud risk are financial reporting, asset misappropriation, and corruption. However, other categories would include revenue obtained improperly, expense or liability avoidance, government regulation avoidance, improper obtaining, loss, or use of information. Lastly, you would need to identify those categories associated with your industry.
Each primary category has specific nuances that must be identified and understood. For example, with financial reporting, you must identify whether the misstatement will be an overstatement or an understatement. However, the direction of misstatement is not relevant to asset misappropriation schemes.
The primary categories of fraud risk are broad. To better understand, classify and describe fraud risk, I believe we should create subcategories. To illustrate using asset misappropriation, the secondary categories are:
- Theft of monetary funds
- Theft of tangible assets
- Misuse of assets
- Disposal of assets below fair market value
- Procurement of assets above fair market value
- Lack of business purpose / personal use or benefit
The next step is to identify the fraud risk statements relevant to the business system within the primary category as well as the secondary category of the business system.
Fraud Risk Statement
We use the perpetrator, victim, and categories of the fraud risk universe to create our audit scope. The fraud risk statement describes “what” could happen within each fraud category. It becomes the basis of our fraud risk assessment, fraud data analytics, and fraud auditing.
The five elements of a fraud risk statement are
- Person Committing
- Type of Entity
- Intentional and Concealed Threat (action statement)
- Financial Conversion Statement (How perpetrator obtains financial gain)
- Organizational Impact (monetary or non-monetary)
The number of fraud risk statements is based on the permutations of each element. The number of permutations of each element is a finite number. At this level, we start by identifying the permutations of each element and then use a mathematical matrix theory or what is known as “combinatorics.” The goal of this phase is to understand “what" can happen rather than “how” it can happen.
Fraud Risk Statement by Core Business System
In this phase, we are translating the generic fraud risk statement to the specific business system. In practice, you can go straight to the fraud risk statement phase for the core business system rather than starting with the generic fraud risk statement phase. Let’s take a close look at the following two schemes.
Budget owner acting alone or in collusion with a direct report / causes a shell company to be set up on the vendor master file / processes a contract and approves a fake invoice for goods or services not received / causing the diversion of company funds.
Loan officer acting alone or in collusion with a mortgage broker / causes a customer (straw customer) / to file a loan application, through submission of false documentation causes a loan to be issued based on nonexistent collateral or overvalued collateral / causing the diversion of bank funds.
At first glance, they sound different, but on closer examination, the structure of the two schemes is remarkably similar. They both have the same five components and both involve a false entity. The real difference is that one fraud risk statement is for accounts payable while the other is for loans in a bank.
Unlike the fraud risk statement, the number of fraud scenarios should be viewed as infinite. While I do not believe the number is infinite, I am sure that we can not count or identify all of them. This is why at that phase I classify fraud scenarios into three categories:
- Historical methods that should be anticipated
- Unknown methods that could be anticipated
- Unknown/unknown methods that would not be anticipated but could occur
The goal of this phase is to understand how the perpetrator would commit the fraud risk statement, pierce your internal controls, and create the illusion that the transaction is proper. In my June blog, I discussed the concept of a vulnerability assessment. I encourage you to read it.
In the next few blogs, I will elaborate on each element of the fraud risk structure that I have introduced in this blog. FYI, in next month’s blog, I will discuss the entity structure in the fraud risk statement.
Fraud risk identification is the starting point for making audit the number one reason for fraud detection.
Historical Fraud Trivia: Barings Bank
Last month we identified the person as Nick Lesson, so the following questions are based on the life events published in books regarding Barings Bank.
- Nick worked in the Singapore office: Internally what was the slang term for the Singapore office?
- What was the name of the account Nick used to process his unauthorized trades?
- Why did the auditors fail to detect the unauthorized trades?
- What event caused Nick’s fraud scheme to become visible?
Why is this important to the auditing profession?