Fraud and Fraud Detection. Gee Sunder

Чтение книги онлайн.

Читать онлайн книгу Fraud and Fraud Detection - Gee Sunder страница 4

Fraud and Fraud Detection - Gee Sunder

Скачать книгу

In terms of occupational abuse, common examples include actions of employees:

      • Accessing Internet sites such as Facebook and eBay for personal reasons.

      • Taking a sick day when not sick.

      • Making personal phone calls.

      • Deliberately underperforming.

      • Taking office supplies for personal use.

      • Not earning the day’s pay while working offsite or telecommuting.

      There is an endless list that can fall under the term abuse, but no reasonable employer would use this word to describe any employee unless the actions were excessive. Organizations may have policies in place for some of these items, such as an Acceptable Internet Use Policy, but most would be considered on a case-by-case basis, as the issue is a matter of degree that can be highly subjective. There would unlikely be any legal actions taken against an employee who participated in a mild form of abuse.

      

ANOMALIES VERSUS FRAUD

      In the data analysis process, “Detecting a fraud is like finding the proverbial needle in the haystack.”2 Typically, fraudulent transactions in electronic records are few in relation to the large amount of records in data sets. Fraudulent transactions are not the norm. Other anomalies, such as accounting records anomalies, are due to inadequate procedures or other internal control weaknesses. These weaknesses would be repetitive and will occur frequently in the data set. Sometimes, they would regularly and consistently happen at specific intervals, such as at month- or year-end. Understanding the business and its practices and procedures helps to explain most anomalies.

      

TYPES OF FRAUD

The Association of Certified Fraud Examiners (ACFE) in the 2012 Report to the Nations3 outlines the three categories of occupational fraud and their subcategories in Figure 1.1.

Figure 1.1 Occupational Fraud and Abuse Classification System

      Source: Association of Certified Fraud Examiners

      It was found that:

      As in our previous studies, asset misappropriation schemes were by far the most common type of occupational fraud, comprising 87 % of the cases reported to us; they were also the least costly form of fraud, with a median loss of $120,000. Financial statement fraud schemes made up just 8 % of the cases in our study, but caused the greatest median loss at $1 million. Corruption schemes fell in the middle, occurring in just over one-third of reported cases and causing a median loss of $250,000.4

      Among the three major categories – corruption, asset misappropriation, and financial statement fraud – there are far more types of occupational fraud in the asset-misappropriation category. There are many known schemes and areas where fraud may occur. Thefts of cash on hand have been occurring ever since there was cash. With globalization and the availability of the Internet, newer and more innovative types of fraud are coming to light.

      An example is the case study published in Verizon’s security blog titled “Pro-Active Log Review Might Be a Good Idea.”5 A U.S. – based corporation had requested Verizon to assist them in reviewing virtual private network logs that showed an employee logging in from China while he was sitting at his desk in the United States. Investigation revealed that the employee had outsourced his job to a Chinese consulting firm at a fraction of his earnings. The employee spent most of his day on personal matters on the Internet. The blog notes that the employee’s performance reviews showed that “he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building.”

      Clearly there was no dispute with the quality of work submitted and he had met all deadlines. While the employee did misrepresent that the work was his, the company did not suffer any direct financial loss. Other than violating security policy of permitting unauthorized access to the network, at most, the employee abused company resources by browsing the Internet for most of his workday.

      Would any of this have been an issue if the employee were a contractor who subcontracted his work out (assuming that there were no objections with the login procedures)?

      

ASSESS THE RISK OF FRAUD

      It is not possible to eliminate fraud risk in any given area other than to avoid it all together. A company may choose not to deal with a particular vendor or purchaser. They may choose not to acquire assets that need a high level of protection or to expand or do business in an unstable country. Alternatively, they may select an exit strategy if the risk is found to be too great. Avoidance would have been the result of either a formal or informal risk assessment. A risk analysis would have been considered and found that the cost outweighs the benefits.

      Some risks will be assumed without additional control features being implemented, since the cost of implementation would be higher than the expected loss. For example, banks issuing credit cards may be able to reduce fraudulent charges if they implement new high-tech security measures, but the cost in terms of dollars or customer inconvenience would be higher than the cost of fraudulent transactions. Fraud is a cost of doing business and it needs a cost-to-benefit or return-on-investment analysis. The risk assessment aids in the determination of the level of controls to implement while balancing acceptable risk tolerance against costs of reducing the risk.

Risk = Impact × Probability (threats and vulnerabilities)

      In most cases, the company will seek to mitigate the risks by implementing controls. These could be preventative, monitoring, or detection controls. Risk can also be mitigated by purchasing insurance or, in the case of certain employees, requiring them to be bonded.

      It may be determined that costs exceed the benefits of preventing fraud in a particular area. However, investments in measures to detect rather than prevent the fraud may be an acceptable risk given the lower costs and likelihood of high losses. Detective measures must also be factored into any risk assessment.

      The decision on how far to go will depend on the risk assessment and the reason for performing the risk assessment. It is a management decision as to what level to take the response to the risk of fraud. The decision will be primarily based on why the fraud risk assessment was undertaken in the first place. Was it due to audit or regulatory requirements? Was it management’s desire to evaluate the internal control system? Was it to reduce the cost for fraud?

      A risk assessment will identify potential areas of fraud, whether internal or external, directly or indirectly, and how vulnerable or how likely the threat is to occur. Factors that determine the probability component include:

      • The industry or nature of the business

      • The values and ethics of senior management and employees

      • Internal controls – preventive and detective

      • Business environment – local versus multinational, small versus large, brick-and-mortar versus Internet, geographic location, economic conditions

      • Likelihood

Скачать книгу


<p>2</p>

Steve W. Albrecht et al., Fraud Examination, 4th ed. (Mason, OH: Cengage Learning, 2012).

<p>3</p>

“Association of Certified Fraud Examiners – 2012 Report to the Nations,” accessed June 17, 2013, www.acfe.com/rttn.aspx.

<p>5</p>

Andrew Valentine, “Case Study: Pro-Active Log Review Might Be a Good Idea,” Verizon Enterprise Solutions, accessed April 24, 2014, www.verizonenterprise.com/security/blog/index.xml?postid=1626.