Mari Reidy

Monday, 24 January 2005 08:40

The art of fraud prevention

As the saying goes, "It takes a thief to catch a thief." So fittingly, when the federal government needs to consult a fraud expert, it commonly taps into the mind of a convicted felon, many times trading assistance for shorter sentences and plea agreements.

With on-the-job training, professional criminals have the industry knowledge and hands-on expertise that law enforcement needs to help design prevention strategies.

A perfect example of the success of this unique collaboration is Frank Abagnale. A former federal prison inmate, Abagnale joined forces with the FBI more than 30 years ago, agreeing to teach others his proficiency in bank fraud in exchange for a reduced sentence. As a result, a generation of legal and business professionals have studied Abagnale's fraud prevention methodology.

At a recent Frist Center of the Arts presentation in Nashville, Abagnale spoke on the subjects of check fraud, identity theft and embezzlement, passing on tips for preventing fraud. Surprisingly, the master plans of a criminal can be easily foiled by utilizing a few proven best practices and common-sense logic.

The cost of doing nothing

In the United States, financial fraudsters and identity thieves rob billions of dollars a year from unsuspecting companies. The most popular tactic, check fraud, is estimated to account for more than $20 billion each year and, according to the American Bankers Association, is growing at a rate of 25 percent a year.

In addition, recent Uniform Commercial Code (UCC) amendments have placed the burden of prevention on businesses, requiring them to improve their internal controls and to build meticulous fraud prevention procedures into their everyday practices. On top of requiring added internal controls, the new UCC regulations restrict a company's options for legal retribution. Companies that fail to meet these new standards are left to face the consequences of their actions.

Because of this, Abagnale stresses the importance of thoroughly analyzing all contracts with banks, especially the fine-print agreements often spelled out on signature cards and disclosures. Often, policies outlined in these contracts limit the time permitted to report discrepancies.

Leveraging the fine print of these contracts, a bank can limit its liability, even when it is at fault, so companies need to be aware of and adhere to these legal guidelines.

The best defense is a great offense

Abagnale recommends several tried-and-tested fraud prevention techniques. Positive Pay, a check-matching program offered by many banks, provides, in his opinion, the strongest defense.

The system compares account and check numbers, dollar amounts and other customer data against the applicable checks, identifying discrepancies before payment. This authenticates the check's quality and accuracy, and functions as a final checkpoint in the payment process.
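The matching step described above can be sketched in a few lines. This is an added example, not code from the article or from any bank's Positive Pay product; the record fields, the payee comparison (standing in for "other customer data") and all sample checks are constructed assumptions.

```python
from decimal import Decimal
from typing import NamedTuple

class Check(NamedTuple):
    account: str
    number: str
    amount: Decimal
    payee: str

def _norm(payee):
    # Collapse case and spacing so formatting noise is not flagged.
    return " ".join(payee.upper().split())

def review(issued, presented):
    """Compare presented checks with the issue file.

    Returns (check, reasons) pairs; an empty reasons list means pay.
    """
    register = {(c.account, c.number): c for c in issued}
    seen = set()
    results = []
    for item in presented:
        key = (item.account, item.number)
        match = register.get(key)
        reasons = []
        if match is None:
            reasons.append("not in issue file")
        else:
            if key in seen:
                reasons.append("duplicate presentment")
            if item.amount != match.amount:
                reasons.append("amount mismatch")
            if _norm(item.payee) != _norm(match.payee):
                reasons.append("payee mismatch")
        seen.add(key)
        results.append((item, reasons))
    return results

# Constructed sample data; not real accounts or checks.
ISSUED = [
    Check("1001", "5001", Decimal("1250.00"), "Acme Supply Co"),
    Check("1001", "5002", Decimal("310.75"), "J. Rivera"),
]
PRESENTED = [
    Check("1001", "5001", Decimal("1250.00"), "ACME  SUPPLY CO"),       # clean
    Check("1001", "5002", Decimal("3310.75"), "J. Rivera"),             # amount altered
    Check("1001", "5002", Decimal("310.75"), "J. Rivera and B. Doe"),   # name added
    Check("1001", "5999", Decimal("900.00"), "Cash"),                   # never issued
]

def exceptions():
    # Items held for review instead of being paid.
    return [(c.number, r) for c, r in review(ISSUED, PRESENTED) if r]

if __name__ == "__main__":
    for number, reasons in exceptions():
        print(number, "HOLD:", ", ".join(reasons))
```

Anything returned by `exceptions()` is held for the account holder's decision before payment, which is the "final checkpoint" role the article describes.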

But no one system can ward off determined intruders. Thus, the best defense includes a combination of best practices. Abagnale encourages the use of checks with multiple security features that are hard to modify or reproduce, especially in light of the recent passing of the Check Clearing for the 21st Century Act (Check 21), which allows substitute checks in the form of electronic images.

Under this law, the bank may be liable for losses caused by a substitute check. Security features that do not transfer to the check image can serve as evidence of the bank's liability.

Other recommendations include reviewing bank statements carefully and promptly; using caution when distributing manual checks and avoiding self-correcting ink; inserting asterisks around the name of the payee so additional names cannot be added; storing check inventory and other bank-related documents in a secure area where they can be consistently monitored; excluding officers' signatures from annual reports; and filing fraud reports using Form 1099.

Many of these safeguards are easy to identify and implement, and can make it difficult for someone to steal your company's valuable resources. In addition, incorporating best practices into your company's internal controls can reduce the risk of costly fines associated with noncompliance. The bottom line is clear -- ignoring these proven policies can be a costly mistake for any company.

Reach Mari Reidy at (312) 899-7005 or mreidy@crowechizek.com.

Tuesday, 28 February 2006 05:43

Early warning systems

The Association of Certified Fraud Examiners (ACFE) reports that 40 percent of business fraud is discovered through confidential tips from employees, yet only about 33 percent of businesses have hotlines to facilitate these tips.

Because the ACFE also notes that a typical U.S. organization loses 6 percent of its revenue to fraud every year, there is clearly a compelling business case to be made for implementing employee whistleblower hotlines. The ACFE found it curious that so many companies are ignoring or overlooking this opportunity, because confidential reporting mechanisms require relatively little expense and are highly effective antifraud devices.

Section 301 of the Sarbanes-Oxley Act requires publicly traded companies to establish methods for employees to communicate any accounting or financial concerns. Closely held companies and not-for-profit organizations are not bound by Sarbanes-Oxley, but prudence would dictate — and best practices recommend — establishing early warning systems to identify and stop fraud before it leads to costly fines or litigation.

While a locked suggestion box, a post office box or an access-controlled page on a Web site may work, the best option to encourage people to blow the whistle is probably a telephone hotline. This inexpensive solution to a potentially costly problem is universally accessible 24 hours a day, and callers do not need to identify themselves.

Companies that do not want to open and maintain their own hotlines may choose from a number of third-party providers that offer independent hotline services. These providers will usually customize their services to fit an organization’s size, reporting requirements and budgets. Pricing may include an all-inclusive annual flat fee or a nominal set-up charge, plus a per-incident cost.

Develop policies
Simply having a hotline or other reporting mechanism is not enough, however. Companies must communicate regularly with employees in developing whistleblower policies and procedures. They should detail, in writing, what constitutes unethical or fraudulent behavior and give examples of the types of activities that should be reported.

In addition, as part of an effective fraud program, companies should include:

  • Fraud training for employees

  • Clearly communicated behavioral expectations and consequences for noncompliance

  • Employee education on the effect of fraud on salaries, bonuses and other benefits

  • A no-gift policy that is communicated to employees and vendors

Fliers posted at designated locations, inserts in vendor and client correspondence, and training for employees and managers (and customers and vendors, if necessary) are also good ways to reinforce the message.

Of course, whistleblower reports must include enough specifics to allow an investigation. Thus, whistleblower policies should include reporting standards and procedures, along with guidelines for the amount and type of information required. A sample whistleblower policy and tracking report are available on the American Institute of Certified Public Accountants Web site at www.aicpa.org/audcommctr/toolkitsnpo/Whistleblower_Tracking.htm.

Communicate actions
When reports come in to a whistleblower hotline, they should be documented with details of the alleged impropriety and the steps taken to address it. There is no need to publicize particulars, but it is a good practice to communicate general statistics and actions taken so that employees understand the information is not being ignored or dismissed.

In addition to establishing whistleblower policies and reporting mechanisms, companies must demonstrate their commitment to acting on them. Employees must believe that dishonest activities, whether theft, conflict of interest or falsification of records, will be detected and punished.

There is no obligation for privately held companies to adopt fraud-prevention procedures, but doing so can avert losses from fraud and litigation that would be far more costly than the relatively inexpensive mechanisms required to prevent them.

Mari Reidy can be reached at (312) 899-7005 or mreidy@crowechizek.com.

Wednesday, 17 March 2004 12:01

Avoiding the fraud triangle

In this age of Enron, Tyco and WorldCom, it's easy to assume that occupational fraud runs rampant in the business world, and a recent Association of Certified Fraud Examiners (ACFE) survey seems to confirm this.

According to the survey, U.S. businesses lost about 6 percent of their revenue, or $600 billion, to fraud in 2002. The ACFE asserts that this probably underestimates the true costs because a lot of fraud escapes detection and reporting. But businesses may be able to minimize their fraud-related liabilities by familiarizing themselves with the factors and conditions that often lead to fraud.

Identifying and combating risk factors
Businesses should begin by assessing their baseline risks. Many organizations possess certain intrinsic traits that render them particularly vulnerable to fraud, including:

  • The handling of large amounts of cash
  • Inventory items or assets that are susceptible to removal and/or resale
  • Overly ambitious earnings demands from investors or creditors
  • Complicated financial operations

In some cases, there's little a business can do to eliminate such characteristics; a company that manufactures pocket-sized widgets will necessarily carry an inventory of easily misappropriated items. Organizations must therefore develop quick-response plans that they can immediately deploy upon discovery or suspicion of fraud.

The plan should include mobilization of an investigative team composed of a white-collar crime attorney, a certified fraud examiner and a forensic technology specialist, among others.

Recognizing the fraud triangle
Studies indicate that fraud is most likely to occur in businesses where the fraud triangle -- motivation, opportunity and rationalization -- is found. 

  • Motivation. A perpetrator's motivation may grow out of financial need caused by greed, addiction, gambling, poor investments, business reversals or an extravagant lifestyle. It may be work-related, rooted in employee dissatisfaction or the perception of questionable management integrity. A perpetrator also may find motivation simply in the challenge of outsmarting the system.
  • Opportunity. Opportunity represents the only element an organization has any chance of controlling; removing the opportunity may derail potential frauds. Opportunities can come in the form of insufficient job applicant screening, inadequate policies and procedures, overly broad access to information, failure to segregate financial duties and ineffective monitoring of controls.
  • Rationalization. Rationalization allows a perpetrator to reconcile his unethical actions with his own values. The perpetrator must be able to neutralize the fraud in his mind and push aside any consideration of the possibility of inflicting injury on others. Employees who hold a grudge against their employer, for example, find it easier to commit fraud based on rationalizations such as, "They don't pay me what I'm worth; I'm only taking what I deserve," and "Management is dishonest, so I can be dishonest, too." Others rely on rationalizations such as, "I'm only borrowing the money and will repay it as soon as I can," "The company doesn't need the money," or "The company can afford to write it off."

Pre-emptive measures
Formal anti-fraud programs, including adequate internal controls, can go a long way in preventing and controlling fraud. According to the ACFE survey, the single most effective method of detecting fraud is through a tip line.

The ACFE also recommends internal audits, background and reference checks on employees and applicants, and external audits. Management should develop and implement a clear antifraud policy before fraud becomes a problem, and make the consequences of noncompliance, for both the company and the perpetrator, well known to all employees on a regular basis.

Mari Reidy can be reached at (312) 899-7005 or mreidy@crowechizek.com.