I recently had the chance to visit with Joanne Taylor and Ray Dookhie, both Managing Directors at K2 Integrity. In yesterday’s blog post, I detailed their thoughts on fraud and regulatory issues for 2021. In this blog post, I explore best practices in fraud prevention and detection.
We began with an exploration of how organizations should stay ahead of these issues and move from a mode of simply detecting fraud and misconduct to one of preventing them. Dookhie believes there are several aspects of a fraud and misconduct prevention program. The first is to understand the changes in the regulatory landscape and new regulations, as he believes that organizations need to stay informed and even stay ahead of those regulations. The next step is a risk assessment, which he termed absolutely key, along with a gap analysis of the policies, procedures, and financial controls. Dookhie does not believe that financial controls “get enough credit in the compliance world.” (Although being a CPA does help inform this opinion.) This means companies should be enhancing their policies, procedures, and controls to address new and emerging risks.
Another key area of fraud prevention Dookhie pointed to is training. He believes “you cannot underestimate the power of training, as it is where an organization ensures that their officers, their directors, their employees on the front lines are informed of the risks and then the potential new controls that they may be responsible for.” The final area Dookhie referred to was that an organization must do a good job of understanding its fraud risks and creating policies and procedures to detect and prevent them. All of these actions should lead to what Dookhie termed an “audit readiness assessment. Given the shift in the new regulatory landscape with potentially new regulations, this all has implications for policies and controls. An organization needs to make sure, if the regulators are going to come into an organization, that we understand where the pitfalls in our compliance controls are before they get here.”
We recently had a major fraud enforcement action by the Department of Justice (DOJ). In the settlement, the DOJ listed out the steps for a fraud risk management program. I asked Dookhie how a compliance professional should think through performing a fraud risk assessment in the midst of the continuing pandemic. Dookhie began by noting there is “no single right response. You want to make sure that you’re asking questions in a way that doesn’t allow for much wiggle room. This makes drafting the questionnaire a key aspect of doing a risk assessment. In the area of a controls assessment, you will need attachments of documents or supporting evidence of the controls. You should also sample the transactions that they’re approving on a daily basis, just by way of example.”
We concluded by reviewing an audit readiness assessment, which can be used in conjunction with an overall fraud risk assessment. Dookhie said it is a basic “tool for compliance officers to help them stay informed. What the audit readiness assessment does is a very targeted approach to looking at fraud risks. You might do a dry run of what a regulatory audit would look like ahead of the regulators coming in.” From this you could then “design an audit program to stress test your own systems. The ensuing report will just help you improve your compliance program or an aspect of your compliance program.” It should also “hopefully identify some of the pitfalls before the regulators come in.” The bottom line is it can be a tool which helps compliance professionals “really get it right ahead of the regulatory visit or inspection.”
Next, what are the best practices in fraud detection? Surprisingly, the most effective and straightforward tool available to every company to help detect fraud is a whistleblower hotline. Taylor said this is a “really good tried and tested method for detecting fraud.” She pointed to the most recent Association of Certified Fraud Examiners (ACFE) surveys, which note that whistleblowing tips are the most common way to discover fraud. Indeed, more than 40% of survey participants’ cases came from a whistleblowing tip. Most significantly, whistleblowing accounts for “nearly three times as many cases as the next most common detection method.” Taylor believes it is very “important for firms to look at their whistleblowing program and try to make sure they are as robust as possible.” The bottom line is that having a whistleblower hotline in place helps firms detect fraud more quickly and minimize losses more effectively than organizations which do not have one.
However, Taylor cautioned that a company must routinely test its hotline, calling it “a real no-brainer” to do so, as regulators will certainly do so. She also noted that there are different channels for whistleblower reports. It can be a hotline with a phone number. Some firms have an electronic platform, some firms have an email address, and it is important to test all of those channels, because you could have a situation where an email address is managed by one person and that person leaves the entity. This could allow notifications to basically go into a void. She pointed to a recent UK case where a major insurance company “forgot to test its line for a period of several months and employees could not make an anonymous report. This was a violation of regulations under the UK Financial Conduct Authority and the firm really landed itself in hot water when a simple kind of periodic test could have identified that issue very quickly.”
Another important part of a fraud detection program is to take a holistic approach, rather than simply a snapshot view. Taylor believes it is “kind of naive really for firms” to wait for an internal or external audit in order to detect fraud. Audits are focused on particular ways of looking at the control environment, but they are not necessarily geared to detect ongoing fraud “that’s happening right now.” Taylor noted the interim tool is the fraud health check. She went on to explain that it weds “the combination of data analytics, to the organization’s data sets coupled with an investigative mindset and approach to run the data against fraud scenarios that apply to that organization.”
We discussed several types of fraud, from the traditional pilfering of money from an organization, to insider stock trading, to paying ghost employees, to the theft of company products, equipment and services, and a myriad of other actions which could be considered “fraudulent.” Taylor said that this wide variety of frauds calls for a variety of detection protocols and skill sets, ranging from an old-school law enforcement mentality to a 2021 data analytics approach. She emphasized the need for “alignment and cooperation between a fraud team and your cyber security incident management team to counter the sort of crossover between the classic and continuing fraud scenarios.”
I asked Taylor what would be her number one piece of fraud prevention advice as we move into nearly year two of the pandemic. She said it would be around what she and her K2 Integrity team see repeatedly: “business email compromise fraud. It can come from a fraudster posing as either a vendor to the organization or perhaps as the CFO or CEO. We see companies repeatedly having problems in falling for that type of fraud.” She sees a key response as “the training of the treasury team and making sure that staff are trained on malware and phishing attempts, as a continuing part of your fraud program.”
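To make the fraud health check described above concrete (data analytics run against the fraud scenarios that apply to an organization), here is an added example that is not part of the original post and is not K2 Integrity's method or tooling. It runs two scenarios drawn from the interview, ghost employees on the payroll and a vendor bank-detail change shortly before a payment (a common indicator of vendor-impersonation business email compromise), over constructed payroll, timesheet, vendor-master and payment records. All record layouts, field names and data values are assumptions made for the illustration.

```python
"""Fraud health check: run constructed payroll and vendor data against two
fraud scenarios. Illustrative example only; all data below is constructed."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed payroll run: one row per employee paid this cycle.
PAYROLL = [
    {"emp_id": "E001", "name": "A. Smith", "bank_acct": "GB11-0001", "net_pay": 2100.0},
    {"emp_id": "E002", "name": "B. Jones", "bank_acct": "GB11-0002", "net_pay": 2350.0},
    {"emp_id": "E003", "name": "C. Doe",   "bank_acct": "GB11-0002", "net_pay": 1900.0},  # same account as E002
    {"emp_id": "E004", "name": "D. Roe",   "bank_acct": "GB11-0004", "net_pay": 2600.0},  # no timesheet at all
]
# Constructed timesheet hours per employee for the same cycle (E004 is absent).
TIMESHEETS = {"E001": 160, "E002": 152, "E003": 160}


def ghost_employee_flags(payroll, timesheets):
    """Scenario 1: ghost employees.
    Flag employees who share a bank account with another payee, or who were
    paid without any recorded hours. Returns {emp_id: [reasons]}."""
    by_acct = defaultdict(list)
    for row in payroll:
        by_acct[row["bank_acct"]].append(row["emp_id"])
    flags = defaultdict(list)
    for row in payroll:
        emp = row["emp_id"]
        peers = [e for e in by_acct[row["bank_acct"]] if e != emp]
        if peers:
            flags[emp].append(f"shares bank account with {','.join(peers)}")
        if row["net_pay"] > 0 and timesheets.get(emp, 0) == 0:
            flags[emp].append("paid with no recorded hours")
    return dict(flags)


# Constructed vendor-master change log and payment run.
VENDOR_CHANGES = [
    {"vendor_id": "V10", "field": "bank_acct", "changed_on": date(2021, 1, 20), "changed_by": "ap.clerk"},
    {"vendor_id": "V11", "field": "address",   "changed_on": date(2021, 1, 25), "changed_by": "ap.clerk"},
    {"vendor_id": "V12", "field": "bank_acct", "changed_on": date(2020, 10, 1), "changed_by": "ap.clerk"},
]
PAYMENTS = [
    {"pay_id": "P1", "vendor_id": "V10", "paid_on": date(2021, 1, 28), "amount": 48000.0},
    {"pay_id": "P2", "vendor_id": "V11", "paid_on": date(2021, 1, 29), "amount": 12000.0},
    {"pay_id": "P3", "vendor_id": "V12", "paid_on": date(2021, 1, 29), "amount": 9000.0},
]


def vendor_bank_change_flags(changes, payments, window_days=30):
    """Scenario 2: vendor impersonation (business email compromise).
    Flag payments made within window_days after the payee's bank details were
    last changed. Returns a list of (pay_id, vendor_id, days_since_change)."""
    window = timedelta(days=window_days)
    last_bank_change = {}
    for c in changes:
        if c["field"] == "bank_acct":
            prev = last_bank_change.get(c["vendor_id"])
            if prev is None or c["changed_on"] > prev:
                last_bank_change[c["vendor_id"]] = c["changed_on"]
    flagged = []
    for p in payments:
        changed = last_bank_change.get(p["vendor_id"])
        if changed is None:
            continue
        gap = p["paid_on"] - changed
        if timedelta(0) <= gap <= window:
            flagged.append((p["pay_id"], p["vendor_id"], gap.days))
    return flagged


def run_health_check():
    """Run every scenario and return the findings for review."""
    return {
        "ghost_employees": ghost_employee_flags(PAYROLL, TIMESHEETS),
        "bank_change_payments": vendor_bank_change_flags(VENDOR_CHANGES, PAYMENTS),
    }


if __name__ == "__main__":
    for scenario, hits in run_health_check().items():
        print(scenario, hits)
```

Each hit is a lead for the investigative side of the health check, not a finding of fraud on its own: shared bank accounts can be legitimate (a married couple on the same payroll) and bank changes are routine, which is why the output carries the reason and the timing so an investigator can confirm against source documents.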
Prevention and detection are two of the three prongs of any best practices compliance program. In light of the changes brought by the Covid-19 pandemic and its attendant economic fallout, businesses need to be ready for new fraud schemes. Prevention and detection are key elements of your overall risk management portfolio.