Monday, January 17, 2005
The Perils of Systems-based Fraud
By Patrick Taylor Chief Executive Officer, Oversight Systems
While most IT security focuses on defending the network perimeter from outside attacks, many auditors point out that company insiders present the biggest risk of financial loss from computer hacks. In addition to fortifying their networks' perimeters against the external threats from mysterious computer hackers, enterprises need to focus on eliminating the recognized insider threats of systems-based fraud such as billing schemes, payroll schemes, and check tampering.
Every organization faces the possibility that employees and insiders will exercise their knowledge of systems rules and procedures to commit fraud. Even usually ethical employees who violate application policies to work around inefficiencies within a system can unwittingly stumble upon opportunities for damaging errors, misuse, and abuse.
Reliance on automated financial applications and the technologies that link business processes across multiple data systems only increases fraud risk. Fraud and white-collar hacks collectively drain 6 percent of an organization's annual revenue, according to the Association of Certified Fraud Examiners (ACFE). ACFE reports that these losses totaled more than US $6 billion in 2003. The 2003 PricewaterhouseCoopers (PwC) Economic Crime Survey pegged the average loss per company due to fraud at greater than US $2 million.
The ACFE study found that the average scheme lasted 18 months before it was detected. More than half of the detected schemes accounted for losses greater than US $100,000; nearly one in six caused losses greater than US $1 million.
Fraudulent schemes typically target the billing and payroll processes because, quite simply, that's where the money is. Billing processes — specifically a financial system's accounts payable module — pose the greatest fraud risk for organizations, despite internal controls such as segregation of duties.
Ghost Vendors. An accounts payable clerk who routinely adds valid vendors into the system can insert a ghost — or false — vendor into the financial system and process checks that are payable to the insider.
Personal Purchases. Employees are often tempted to buy personal items from their employer's standard vendors through the enterprise billing system. Purchase orders from approved vendors that fall under typical enterprise budgets, such as computers, are often approved with little oversight.
Accomplice Vendor. While not as common as insiders who work alone, employees can collaborate with vendors to commit fraud. Internal controls are not likely to catch fraud schemes that include an authorized vendor producing official purchase orders and receiving payments at a normal address.
Quid Pro Quo and Barter Schemes. Businesses are often at risk of insiders trading valuable goods or services for personal gain. These schemes fraudulently deplete inventory with no benefit for the enterprise.
Returns and Voids. Insiders often dupe their employers by returning an approved purchase item for a refund and keeping the cash after they have expensed it.
Corruption and Price Inflation. Insiders can orchestrate schemes where the enterprise purchases inferior goods at higher than market prices, and the vendor pays the employee a kickback. This scheme can also be played out using a shell company as a vendor, which is actually run by the insider.
P-card Abuse. Many enterprises avoid employee expense reimbursements by issuing purchase cards (P-cards). However, P-cards provide insiders with a direct method of draining cash from the enterprise if their purchases appear to be valid business transactions.
After billing, payroll is the most frequent fraud target, because ghost employees, improper wages, and fake commissions often fall through the cracks at large enterprises with thousands of employees.
Ghost Employees. Similar to ghost vendors, ghost employees can be entered into a payroll system to produce an ongoing scheme that drains cash from the enterprise with monthly checks paid to nonexistent employees.
False Commission. Commission-based employees can boost their compensation by falsifying sales orders for improper commission checks.
Workers' Comp Schemes. Much like ghost employees, false workers' compensation claims can be entered into a payroll system to drain cash from the enterprise through monthly checks mailed to the insider who orchestrates the scheme.
Falsified Wages. With automated payroll systems, insiders can fraudulently boost the amount of their paychecks if they can access the payroll system.
Outside of the schemes targeting false or invalid bills and employees, insiders can commit fraud by directing their schemes toward valid payments.
Altered Payee. Valid, authorized payments are frequent fraud targets where an insider, such as an accounts payable clerk, alters the payee information. For example, just before checks are run, an insider with access to the accounts payable system changes the payee information so that the check is written to a name he can cash. The insider also changes the vendor's address or bank routing number to deliver the check or route the payment to himself. The insider then covers his tracks by reverting the delivery or routing information to the original values.
Forged Checks. Procurement systems that process wire-transfer payments often produce paper checks made out for US $0 with each wire transfer. Insiders can then alter these zero-value checks and cash them for the value to which they are changed.
Forged Endorsements. Refund checks to an enterprise may never enter the financial system if they are intercepted and fraudulently endorsed. In one instance, a payroll manager intentionally overpaid the company's state taxes, which led the state government to send refund checks. The payroll manager then endorsed the checks "pay to the order of" herself and deposited them in her own account before they ever hit the company's books.
IDENTIFYING IT-BASED FRAUD
As demonstrated by the average size and duration of each scheme reported by ACFE and PwC, auditors must find new ways to identify fraud that exploits financial systems. Because each of the schemes outlined above depends on individual transactions within the financial system, auditors need tools that access the transaction-level data and automate the basic analysis. For the last decade, many auditors have used spreadsheet-based tools for this task. However, spreadsheets rely on seasoned auditors to run the same reports routinely and interpret the results. In essence, auditors have to look for a specific scheme in order to find it.
Technology solutions are now available that tie directly into financial systems and continuously monitor each transaction. The main advantages of continuous monitoring solutions are that they automate the same testing and analysis that an auditor or fraud examiner would perform and apply that analysis across every transaction. Although no single transaction may indicate fraud on its own, continuous monitoring takes into account the context of each transaction, such as payee information altered just before a check run.
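Detection logic for the altered-payee pattern described above (payee details edited shortly before a check run, then reverted afterward), as an added Python example that is not part of the original article or any product it mentions. The vendor master change log, check register records, user ids and routing numbers are constructed sample data, and the three-day window is an assumed tuning parameter.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample records (not from the article) in the shape a continuous-
# monitoring tool would pull from a vendor master audit trail and check register.
@dataclass(frozen=True)
class VendorChange:
    when: date
    vendor_id: str
    field: str       # which payee attribute was edited
    old: str
    new: str
    changed_by: str  # user id recorded in the audit trail

@dataclass(frozen=True)
class Payment:
    run_date: date
    vendor_id: str
    amount: float
    check_no: str

SENSITIVE_FIELDS = {"payee_name", "address", "bank_routing", "bank_account"}

CHANGES = [  # constructed: routing numbers are placeholders, not real banks
    VendorChange(date(2004, 11, 3), "V100", "bank_routing", "111111111", "222222222", "jdoe"),
    VendorChange(date(2004, 11, 5), "V100", "bank_routing", "222222222", "111111111", "jdoe"),
    VendorChange(date(2004, 10, 1), "V200", "address", "1 Main St", "2 Oak Ave", "asmith"),
]
PAYMENTS = [
    Payment(date(2004, 11, 4), "V100", 48250.00, "CHK-7781"),
    Payment(date(2004, 11, 4), "V200", 1200.00, "CHK-7782"),
]

def flag_altered_payee(payments, changes, window_days=3):
    """Flag payments whose payee details were edited within window_days before the
    check run; a later edit restoring the old value (the cover-up) raises severity."""
    findings = []
    for p in payments:
        for c in changes:
            if c.vendor_id != p.vendor_id or c.field not in SENSITIVE_FIELDS:
                continue
            if not 0 <= (p.run_date - c.when).days <= window_days:
                continue
            reverted = any(r.vendor_id == c.vendor_id and r.field == c.field
                           and r.when >= p.run_date and r.new == c.old
                           for r in changes)
            findings.append({"check_no": p.check_no, "vendor_id": p.vendor_id,
                             "field": c.field, "changed_by": c.changed_by,
                             "days_before_run": (p.run_date - c.when).days,
                             "severity": "high" if reverted else "review"})
    return findings
```

On the sample data only CHK-7781 is flagged, at "high" severity because the routing number was put back the day after the run; the address change on V200 falls outside the window and is ignored.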
The evolution of fraud to target enterprise financial systems presents an often overlooked vulnerability. Auditors should factor these risks into their audit plans. To assist with and automate much of the financial systems testing, auditors should evaluate technology solutions that provide more comprehensive oversight of all financial transactions.
posted by Brian Moran @ 9:23 AM