Fraud Auditing, Detection, and Prevention Blog

What’s Behind the Internal Control Curtain? Is it a Fraud Story?

Jul 22, 2024 2:49:59 PM / by Leonard W. Vona

This month, we're pulling back the curtain again to take a look at a look at what could be going on even when everything seems to be fine on the surface. We'll consider what can happen despite the appearance of effective internal controls and how to uncover it. 

From last month's Fraud Questions Friendly Fraud

In last month’s blog I said there are different types of fraud, so have you ever heard of friendly fraud?

  1. What is friendly fraud? It occurs when a consumer makes an online shopping purchase with their own credit card, and then requests a chargeback from the issuing bank after receiving the purchased goods or services
  2.  
  3. Does it go by different names?  Yes, chargeback fraud, cyber shoplifting, or liar-buyer fraud.
  4. Can you be a victim of friendly fraud? Yes
  5. Can you be a perpetrator of friendly fraud? Yes
  6. What is the estimated annual cost of friendly fraud? A scant 48 billion dollars.

 

Last month, I left you with a cliffhanger for this month’s topic. We all love a good cliffhanger, right? Well, the suspense is over. We’re going to talk about looking behind the internal control curtain.

What are the inhibitors to the successful use of human intelligence in fraud detection? Too many times we stop when we see the evidence of a control. I call this internal control blindness. Controls are great for honest people, but they are also used by dishonest people. This is why you must look behind the curtain.  

Remember, the document and the internal control are the starting points of your story, not the whole story!

Let’s be honest, when we see the evidence of an internal control that appears on face value to be operating effectively, we smile. After all, internal controls are how we manage risk. However, before we go too far, we need to remember that this blog is about fraud risk rather than operational risk. Remember, when people commit fraud, they lie, use deceit, and falsify documents. If there is fraud, that is the story we need to be able to tell.

The evidence supporting the performance of the internal control will be our best lead to the perpetrators. Think like a newspaper reporter. You need to ask who, what, where when, and why.

The theme of my story is to tell how either the control owner falsified the performance of the control or explain how the control owner was tricked. On day one, we do not know which way the story will go. Even if we have an allegation, you must keep an open mind.

It is not our goal to establish guilt but to tell an objective, accurate, and convincing story. So please, keep an open mind.

What I know is that if there is a fraud story, someone must be the perpetrator. According to the fraud triangle, we call this opportunity. That person will be either internal or external to your organization. The person will be committing the scheme alone or in collusion with someone. Remember, fraud opportunity is nothing more than a series of logical permutations.

As the author of the fraud story, I would start with understanding the purpose of the control and how the control mitigates risk. I would also consider the internal control is adequately designed and operating effectively. Yup, start with the compliance story. In so many ways the compliance story becomes our baseline of facts.

As we proceed, we establish who might be involved, and then follow along to see if the story takes an unexpected turn.

Here are the facts, and nothing more than the facts. The control owner has approved the vendor invoice as noted by their initials. The invoice is matched to the purchase order by accounting. Since the invoice was for services, there is no receiving report. Remember facts are not the story; they are simply supporting characters.

Now if there is a fraud story, your theme must be about intentional misrepresentation, omission of pertinent information, or concealment of a material fact. You will start by examining the performance of the internal control, which includes looking at the documents. We need to know which individuals are directly and indirectly involved with the internal control. Think of this as your cast of characters, you know the credits at the end of the movie. You do watch the credits.

To commit the fraud there must be opportunity, who has a better opportunity than the control owner? In today’s fraud story, the control owner is the main character, otherwise known as the perpetrator. As in so many stories, there could be a last-minute twist such as finding out that the control owner was just an innocent dupe. Maybe, the signature was forged? Or, with today's technology, maybe the control owner’s id could have been a part of an account takeover scheme. There are many possibilities.

Let’s start with the misrepresentation theme. The initials signify that the services were received consistent with the purchase order. Truth or fiction? In our fraud story, we must establish that the services were not provided or not provided consistent with the contract. You must gather information that supports the control owner in fact knew the services were not provided.

I would suggest you first gather credible evidence showing that the services were not provided. In this way, we know we have a fraud story because we paid for something that we did not receive.

Next, determine whether the control owner had knowledge that the services were not provided or that the control owner was an innocent dupe. I like to break my story down into smaller stories within the main story.

If your story is based on the concealment of a material fact you must ask yourself what material fact the control owner could have concealed. Could it be that the control owner has an undisclosed beneficial ownership in the vendor providing the services? To make the story more Hollywood-like, let’s assume the vendor is overbilling by not providing the quantity or quality of services contained in the contract. Now the story is getting interesting.

Or could it be a dupe story? Is possible that the control owner is simply lazy and initials everything without careful examination or over relies on his administrative staff? If we think about governance, a key tenet is a commitment to competence. Does the control owner know the difference between right and wrong? So, many questions, so many possible stories.

Continuing with our series on types of fraud:

What are the five types of forgery? Yes, there may be more! Do you know why I selected forgery?

What are three signs of a forged signature? Yes, there may be more!

  1.  

(answers coming next month)

  1.  Demystifying Fraud eBook CTA
  2.  

Topics: Fraud Schemes

Leonard W. Vona

Written by Leonard W. Vona

Leonard W. Vona has more than 40 years of diversified fraud auditing and forensic accounting experience. His firm, Fraud Auditing, Inc., advises clients in areas of fraud risk assessment, fraud data analytics, fraud auditing, fraud prevention and litigation support.

Demystifying Fraud eBook CTA

Recent Posts

Subscribe to Email Updates