217 78 23MB
English Pages 188 Year 2012
Corporate Fraud and Internal Control Workbook
Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers’ professional and personal knowledge and understanding. The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.
Corporate Fraud and Internal Control Workbook A Framework for Prevention
RICHARD E. CASCARINO
John Wiley & Sons, Inc.
Copyright © 2013 by Richard E. Cascarino. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in printon-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com. Library of Congress Cataloging-in-Publication Data Cascarino, Richard. Corporate fraud and internal control : a framework for prevention / Richard E. Cascarino. p. cm. — (The Wiley corporate F&A series) Includes bibliographical references and index. ISBN 978-1-118-31710-5 (cloth); ISBN 978-111-8- 47850-9 (ebk); ISBN 978-111-8-47851-6 (ebk); ISBN 978-111-8-47853-0 (ebk) 1. Fraud—Prevention. 2. Auditing, Internal. I. Title. HV6691.C38 2013 658.4’73—dc23 2012022692 Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1
Contents
Preface
vii
PART I: QUESTIONS AND PROBLEMS Chapter 1: Nature of Fraud
3
Chapter 2: Elements of the Crimes of Theft and Fraud
9
Chapter 3: Frauds Against the Individual
15
Chapter 4: Frauds Against the Organization
19
Chapter 5: Fighting Corruption
31
Chapter 6: Role of Ethics in Fighting Fraud
39
Chapter 7: Controlling Fraud
45
Chapter 8: Fraud Risk Management
55
Chapter 9: Investigating Fraud
63
Chapter 10: Computer Fraud and Countermeasures
75
Chapter 11: Legal Issues Surrounding Fraud
91
Chapter 12: Industry-Related Fraud Opportunities
95
PART II: SOLUTIONS Chapter 1: Nature of Fraud
115
Chapter 2: Elements of the Crimes of Theft and Fraud
119
Chapter 3: Frauds against the Individual
123
Chapter 4: Frauds against the Organization
125
v
vi
◾ Contents
Chapter 5: Fighting Corruption
131
Chapter 6: Role of Ethics in Fighting Fraud
137
Chapter 7: Controlling Fraud
141
Chapter 8: Fraud Risk Management
149
Chapter 9: Investigating Fraud
153
Chapter 10: Computer Fraud and Countermeasures
159
Chapter 11: Legal Issues Surrounding Fraud
167
Chapter 12: Industry-Related Fraud Opportunities
169
Preface
T
H IS W O R K BO O K IS T H E CO M PA N I O N , self-study guide to Corpo-
rate Fraud and Internal Control: A Framework for Prevention.
A wide variety of crimes and swindles fall within the broad definition of fraud. From fraud against the individual to corporate fraud and from management theft to identity theft and Net-based fraud, opportunities abound to part individuals and organizations from their respective assets. In the past, many organizations, companies, and government bodies operated in a purely reactive mode to the problem of fraud. That is, only after a fraud had taken place were decisions made regarding how it should have been combated. With the increasing impact of corporate governance legislation and societal changes in recent years, the need to fight fraud in a proactive manner has become paramount. Companies now must accept that there is a corporate responsibility to protect both assets and employees from the temptations and impacts of fraud. At the individual level, fraud impacts each citizen either directly through being defrauded or indirectly through the impact of higher taxation or shopping bills as a result of fraud. Individual fraud also is creating an atmosphere in which individuals who feel cheated and defrauded believe they have the right to retaliate by cheating and defrauding others. The police services are under increasing pressure to combat crime in all of its forms, particularly those of a violent nature. As a result, white-collar crime, corruption, and fraud sometimes is treated as the poor relation at the low end of the resources chain and with priority given to fraud only when it becomes front-page news. Organizations have had no choice but to develop plans and strategies to deter, detect, and, where required, prove fraud utilizing their own in-house control mechanisms and systems of internal control.
vii
viii
◾ Preface
This workbook provides an organized work schedule in the form of selfstudy worksheets for individuals working with Corporate Fraud and Internal Control: A Framework for Prevention. Workbooks do not replace textbooks. They are an additional learning and teaching aid. The difference between a workbook and a textbook is that the workbook is designed to enable individuals to self-evaluate their understanding of the material presented. The workbook measures this understanding using fill-inthe-blank and short-answer questions.
HOW TO USE THIS WORKBOOK Read each of the 12 chapters. At the end of each chapter, try to answer as many questions as you can in Part I of the workbook. Check your answers against the answers found in Part II. There are no trick questions in these quizzes. Standard-format questions are used to help ensure your understanding of the subject matter.
I
PAR T ONE
Questions and Problems
1
CHAPTER ONE
Nature of Fraud
T
HRO UGHO U T HIS TORY, THE DE V ELOPMENT OF NEGOTIA BLE
instruments, from cowrie shells to plastic cards, has led to the creation of a set of rules and conventions for trade and the promotion of smooth and orderly commercial interactions among individuals and countries. The breaking of these rules and conventions helps white‐collar criminals make a living—in some cases a fortune—while evading discovery. In many countries, the courts and judicial system do not afford economic crimes the priority of crimes involving violence.
QUESTIONS: FILL IN THE BLANKS Refer to Chapter 1 in Corporate Fraud and Internal Control: A Framework for Prevention. 1. Fraud itself is a concept existing within the criminal laws of virtually every civilized country. 2. In most countries, fraud may be deemed to occur when these individual elements exist: An representation about a fact or event is made by an individual or organization. 3
4
◾ Questions and Problems
3. For fraud to exist, such representation be believed by the person or organization whom the representation was made. 4. For fraud to exist, the victim suffer the possibility of or as a result of the misrepresentation. 5. Under South African law, proprietary prejudice is not necessarily required for fraud. 6. Under Arkansas law, occupational fraud and abuses include misappropriation of in the form of , fraudulent disbursements, theft. or personal use of inventory or other . 7. A crime that is commonly confused with fraud is . 8. The misrepresentation leading to fraud can also be committed by means of an admission whereby the perpetrator fails to disclose a . 9. There is no definitive control that can stop all fraud in its tracks. in which deceit 10. Fraudulent activity could be looked on as: any ful practices are resorted to by an organization or representative of an organization with the intent to cause would deprive another of property or other entitlements. 11. The ultimate bearer of the cost of fraud in most cases is . 12. In order to adopt a comprehensive policy toward the minimization of fraud within the organization, a full is required. 13. Much of the corporate fraud that takes place results from poor bookkeeping practices combined with and staff. 14. In general, the motivating factor leading individuals to commit fraud can be defined as a form of . This can take the form of significant financial need (or perceived need) and may include anything from to a simple case of an employee having . 15. For this to translate into a fraud‐enabling pressure, generally some is involved. 16. is the process by which fraudsters can reconcile their behavior in committing the fraud with their own regarding honesty and trust. 17. Opportunity involves the of people to commit fraud in what they believe will be an manner. 18. Most fraud opportunities are created by or weak with an absence of detective controls increasing the probability. 19. Detection involves not only being alert for in business records and areas where internal controls may be ineffectual, but also for red flags in employee and changes in behavior patterns.
Nature of Fraud ◾
5
20. Red flags are indicators that the risk of fraud in a particular area either is higher than is normally tolerable or has increased over a period. Once again, these can be categorized as , changes in behavior, and general personality traits. 21. Typically, the primary objective of fraudsters is to with the secondary, although essential, objective to in order to avoid detection. 22. Frauds can be split into two broad categories: frauds against the and frauds against the . 23. In the past, such undetected fraud was subject to guesstimates with no real indication of the reliability for the figures produced. Recently, has given greater reliability to the estimated values for such fraud. 24. According to the Association of Certified Fraud Examiners Report to the Nations on Occupational Fraud and Abuse, a typical organization will, in all probability, lose some percent of its annual revenue to fraud. 25. Occupational frauds are much more likely to be detected by than by any other means. 26. It is accepted that certain costs are a necessary part of doing business. Fraud, however, is frequently a cost. 27. In addition to the initial losses, cost of fraud includes the cost of insuring against due to employee dishonesty as well as loss of reputation. 28. Some insurance policies cover costs, but others do not, or cover them only for proven fraud that is covered by the particular policy. 29. One of the main deterrents to insider fraud is the degree of certainty that any attempt will be and that the perpetrator will be caught. 30. It is critical that organizations encourage the reporting of fraudulent activities or suspected wrongdoings by maintaining a strong and , while at the same time giving employees a mechanism and the confidence to carry out such reporting without fear of retribution. 31. Corruption includes the purchasing of intangibles, such as , direct influence, or political appointment, and can be seen in virtually every country in the world. 32. The U.S. Improper Payments Information Act (2002) required public agencies to publish a of the extent of fraud and error in their programs and activities.
6
◾ Questions and Problems
QUESTIONS: SHORT ANSWER 1. The three elements of the fraud triangle are: a. b. c.
Nature of Fraud ◾
7
2. A bookkeeper employed by a company for 15 years was passed over for promotion because of a disagreement with his supervisor. Despite appealing through the human resources department, nothing was done. Six months later, the bookkeeper resigned and left the company. A new appointment was made and, shortly after this appointment, a shortage was discovered in the petty cash system. Although nothing could be proven, the previous bookkeeper fell under suspicion despite his previous good record. What grounds would management have for suspecting the previous bookkeeper?
8
◾ Questions and Problems
3. As an auditor for the national defense force, you have been sent to audit the payroll section at army headquarters that handles the processing of the military payrolls for the army, air force, and navy. All types of weekly and monthly paid staff are processed in this office. There have been suggestions that payroll data have been tampered with prior to being sent for data capture, and you have been asked to conduct an investigation. What red flags would indicate the possibility of insider participation in such a fraud?
2
CHAPTER TWO
Elements of the Crimes of Theft and Fraud
O
V E R T H E Y E A R S , many different legal defi nitions of fraud have been promulgated, including fraud as a criminal act, fraud as a tort for civil action, and fraud as defined by professional organizations in an attempt to give their members evaluation criteria to judge the sufficiency of evidence gathered. All of these definitions agree in general that in order to be defined as fraud, certain criteria must be met.
QUESTIONS: FILL IN THE BLANKS Refer to Chapter 2 in Corporate Fraud and Internal Control: A Framework for Prevention. 1. Common law, also known as law, originated in the United Kingdom during the reign of Henry II (1133–1189) and is based on the concept that the decision previously made sets a precedent and should be followed in subsequent cases. 2. The common law offense of is one of the most prevalent offenses committed in today’s society.
9
10
◾ Questions and Problems
3. Some estimates indicate that the average dishonest manager will be in a position to steal times that of an average hourly worker. 4. In order to be classified as theft, normally there would have been a contrectatio, whereby the perpetrator must have actually the object stolen, normally to remove it from the lawful possession of the owner. 5. The act of appropriation itself has two elements wherein the thief the lawful owner or possessor of his or her property and then the thief him‐ or herself of an owner in respect of the property. 6. Intangible assets, such as that can be stolen via electronic means, and online banking, either at the corporate level or via home Internet banking, have created considerably more opportunities for the of funds. 7. A document is anything that can be exchanged for monetary value. 8. In days gone by, document fraud was carried out using the basic techniques of and . 9. Use of high‐quality security paper with and void pantographs made it more difficult to alter a document without changing its , thus making the alteration easy to detect. 10. Artificial watermarks can be simulated via computer; cannot. 11. In the procurement process, a variety of fraud techniques are found, including , bid rigging, supply of , product substitution, defective pricing, and cost/labor mischarging. 12. An alternate form of procurement fraud involves collaboration between an employee working with an in order to defraud the employer through the authorization of bogus or inflated invoices, payment for services or products not delivered, or work that is . 13. Technically, price fixing is an agreement among competitors to fix, , or simply maintain a price at which the goods and services are sold. 14. Price fixing is most commonly found in markets that are and with a declining demand and a distinct absence of product differentiation. 15. is also an anticompetitive activity that involves competitors agreeing in advance which organization will submit the winning bid during a competitive bidding process.
Elements of the Crimes of Theft and Fraud ◾
11
16. Variations on this type of fraud include in which certain competitors agree to submit bids that they know will be unacceptable to the buyer either because of the price or because of the terms of the contract. 17. In the case of competitive bidding for large contracts, agreements may be used as part of a bid rigging scheme. 18. Defective pricing involves contractors inflating their costs in order to or limit their losses. This is normally seen in “cost plus” contracts in which the price quoted is the supplier’s cost plus a certain percentage. 19. A bribe is generally defined as something of value given to a person in a position of authority with the intention of or . 20. Use of to mask bribery with cash amounts being siphoned off as “dividends” to corrupt officials is particularly tricky to identify. 21. When an individual or corporation is in a position to exploit his or her/their own professional or official capacity in some way for personal, family, or corporate benefit, would be classified as a . 22. Where there is a conflict between a decision maker’s self‐interest and the interests of the employer, the employee’s duty is to put the interests of first. 23. occurs when dishonest employees or public officials steal money or resources for their own personal use and includes the use of company assets, such as cars or property, for unauthorized purposes. 24. Industrial espionage may take the low‐tech form of simple Dumpster diving or may involve a more sophisticated attack on the and of the organization’s computer systems. 25. The advent of open systems architectures and is an open invitation to information theft. 26. Hacker tools abound, allowing eavesdroppers to identify unprotected networks or networks with low levels of that are readily susceptible to the use of . 27. Absence of due to undertraining, overtrust in employees, lack of supervision, failure to take disciplinary action when these indicators are found, and lack of an adequate auditing presence are all forms of leaving the door open for the theft. 28. , at its most basic, is the act of making money derived from one source look as if it comes from another source.
12
◾ Questions and Problems
QUESTIONS: SHORT ANSWER 1. Copying of proprietary data from a computer system is known as:
2. In order to be defined as fraud, certain criteria must be met. These criteria include:
Elements of the Crimes of Theft and Fraud ◾
13
3. Document forgery can be achieved easily using computers even if Fourdrinier watermarks are used. True or false? Explain your reasoning.
4. Red flags for bid rigging include:
14
◾ Questions and Problems
5. Describe the stages of money laundering.
3
CHAPTER THREE
Frauds Against the Individual
I
N C I D EN T S O F PR I VAT E A N D PU BL I C FR AU D are being reported daily in the media, and more and more prosecutions for this offense are being conducted in the various courts.
QUESTIONS: FILL IN THE BLANKS Refer to Chapter 3 in Corporate Fraud and Internal Control: A Framework for Prevention. 1. In online auctions, accounts can receive payments in but cannot be used for payments out. 2. With notable exceptions, if the price seems , it may be that the item does not, in fact, exist. 3. frauds would include “dishonest” claims for products and services including “guaranteed” alternative health‐care products or sex aids. 4. make use of malicious coding commonly hidden in spam e‐mail or Web pop‐ups. The coding installs itself and is activated when the computer connects to its normal Internet service provider. 15
16
◾ Questions and Problems
Operating in , the program then disconnects the computer from the normal ISP and establishes contact using a premium rate phone number instead. 5. In a scam, “Congratulations you have won” is a meaningless phrase since you did not buy a ticket and therefore you could not have won. 6. In a typical telephone fraud, targeted victims receive a communication in the form of a , , , or similar informing them that they have won a major prize. phone scams attempt the double scam by approaching a 7. person who has already been the victim of a fraud and may be susceptible to a second fraud. 8. Beware of toll‐free “800” numbers that direct you to a 900 number for which the fees may be extremely high. 9. Charity fraud is a deviation from conventional consumer fraud because donors . For this reason, it may be classified as fraud only if it can be proven that donors were deceived regarding intended use of the donation and the legitimacy of the charity involved. 10. A second class of misrepresentation is . This occurs when a perpetrator makes a statement without necessarily having reasonable ground for a belief in the truth of misrepresented fact. 11. In trying to prove the concealment of material facts, the primary issue to to be determined is whether the supposed fraudster had a the victim due to their relationship or the nature of the transaction. 12. Advance fees frauds involve the offering of services that require an payment in order to cover costs. 13. The fraud is named after the section of the Nigerian penal code that addresses fraud schemes, and these are often very creative. 14. Any individual claiming to represent any form of government, lawyers representing unknown , and who have large sums of money that need to be moved out of a particular country should be viewed as potential fraudsters and reported to the appropriate authorities. 15. Similar to the 4‐1‐9 fraud, frauds offer the opportunity to become the representative for a person or organization looking to expand into your region and seeking a local representative for a variety of reasons. 16. is a form of fraud in which the fraudster lures in customers by advertising goods at an unprofitably low price, and then reveals that the advertised product is not available but that an alternative (more expensive) product is.
Frauds Against the Individual ◾
17
17. In order to demonstrate that a bait‐and‐switch fraud has occurred, it must be proven that the fraud was and was part of a selling scheme. 18. When a fraudulent bait‐and‐switch offer is detected, prosecution requires high levels of and evidence. 19. Larceny by trick includes the taking of property the owner’s consent when that consent was obtained fraudulently or by deceit. 20. The obtaining of something from an individual or organization through coercion or the use of actual or threatened force or fear, including the fear of an official’s office or of economic loss, is classified as and is a criminal offense. 21. The term refers to investment scams where the perpetrator capitalizes the members of a specific group, praying on the members of cohesive groups, such as religious or ethnic communities, the elderly, or professional groups. schemes, where money from 22. Many affinity frauds involve new investors is used to make payments to earlier investors in order to create the illusion that the investment is successful. 23. Potential investors should be very wary of investment schemes offering extremely high profits with returns on investment. 24. A generally is taken to be an operation whereby people participating in the scheme are entitled to receive more money than they invested by reason of recruiting others. 25. When offered investment opportunities, consumers should beware of the technique known as , which occurs when the investment opportunity appears safe because investors will receive its worth in products for sale—products that ultimately may turn out to be low-quality and inflated‐cost items. 26. A Ponzi scheme is one in which no legitimate investment exists and the money from is used to pay off earlier obligations, providing an appearance of legitimacy. 27. In today’s economic environment with higher‐than‐normal levels of unemployment, frauds involving the securing of in return for career enhancement opportunities have mushroomed. 28. The fraud offers a “business opportunity” to make a lot of money in a short period of time with no qualifications or skills required. An advance fee is taken with either no work resulting or no payment for work undertaken.
18
◾ Questions and Problems
29. A site such as godaddy.com will provide information on who a domain, who its administrator is, where the domain is , when it was created, and when the name will expire. 30. As with all frauds against individuals, incredulity and a healthy sense of form the basis for all defense mechanisms.
QUESTIONS: SHORT ANSWER 1. Typical online auction frauds include:
2. What are gifting clubs?
3. The individual elements of misrepresentation include:
4
CHAPTER FOUR
Frauds Against the Organization
E
AC H Y E A R , E M P LOY E E A N D V EN D O R F R AU D S cost organizations billions of dollars. Many companies avoid the negative publicity and embarrassment that comes with publicized fraud cases. As a result, much of what is known about fraud derives from anecdotal experiences.
QUESTIONS: FILL IN THE BLANKS Refer to Chapter 4 in Corporate Fraud and Internal Control: A Framework for Prevention. 1. Fake references can be difficult to detect since they tend to be to the person or organization seeking finance, as genuine references would be. 2. The most common form of loan fraud, and the most expensive, is mortgage fraud, with the victims primarily being . 3. is generally seen to be more problematic than other forms of mortgage loan origination fraud for financial institutions, as it typically involves multiple loans as well as schemes to gain illicit proceeds from property sales. 19
20
◾ Questions and Problems
4. Fraud for property schemes normally involve minor misrepresentations by applicants regarding their , , or value of other outstanding debts. 5. occurs when borrowers state that they intend to live in the property whereas, in fact, it is intended to be acquired for investment purposes. 6. Use of a involves the borrower being given an independent loan by a second lender without the knowledge or approval of the primary lender. 7. A short sale fraud is a sale in which the lender agrees to sell the property for a value less than the amount owed. 8. A borrower may apply for a loan to purchase a second property. After the new property has been purchased, the borrower will allow the first home to go into foreclosure. This fraud is known as a . 9. remains the most effective form of fraud prevention regarding loan frauds. 10. , , and orders can be used to create a willingness to cut corners in the checks and balances normally carried out in the rush to obtain a large new customer. 11. Many fraudsters establish their credibility by placing small orders, which are paid for on time. Once credibility is established, larger orders are placed with no intention of ever paying for them. Such a technique is commonly known as a fraud. 12. Embezzlement entails the of personal property by the person in possession of that property in which the possession was obtained as a result of trust placed in the embezzler. 13. Bribery has been defined as “the giving, receiving, offering, or soliciting of any ‘thing of value’ in order to a person in the performance of, or failure to perform, his/her duties.” 14. Public corruption—the misuse of public office for personal gain—can occur either through straightforward embezzlement of public money or when public systems , forcing citizens to deliver bribes or make other compromises in order to receive the services they are entitled to. 15. Corruption in the private sector can be as minor as a to get to the or as major as organized crime corrupting employees of organizations for gain. 16. When an organization or person, acting on behalf of another organization or individual, has, or even appears to have, a in the
Frauds Against the Organization ◾
21
activity or a hidden bias and it is not made known to the represented party, a has occurred. 17. A exists between two persons when one of them is under duty to act or to give advice for the benefit of another on matters within the scope of the relation. 18. Where a fiduciary relationship exists, a key element for a successful ongoing relationship is trust that the other party will represent the of the individual or organization that is paying a fee for that trust. 19. A is taken to be a collection of information that is not public knowledge and by the use of which an organization seeks to gain an economic advantage over customers or competitors. 20. Companies typically seek to protect information against unlawful disclosure by their employees or business partners through the use of nondisclosure contracts and agreements. 21. Unlike a , which is for a limited period of time and eventually expires, “confidential” information is taken to be confidential. 22. Techniques such as (taking a competitor's product apart to see how it is put together) may not be illegal if no trademark or patent is infringed. 23. A false claim fraud occurs when a person and makes a false or fictitious representation of falsify as a fact, which results in financial loss to the victim to whom the false representation was made. 24. In some cases of pharmaceutical fraud, drugs may be marketed for uses for which the drugs have not been approved. This use may, in some jurisdictions, be illegal either for physicians or for pharmaceutical manufacturers. 25. Price inflation is a technique used to increase the price charged to government agencies, which are large pharmaceutical users, by charging to low‐volume users so that the , on which government prices are based, appears greater than it should be. 26. Defense fraud may include the substitution of products or products that can considerably improve the profit margin in an area where contracts commonly go to the lowest bidder and profit margins are common. 27. Where contractors use a combination of fixed-price and cost‐plus contracts, shifting costs from contracts to contracts
22
◾ Questions and Problems
increases the profit margin on the fixed-price contract while also increasing the amount that can be charged on the cost‐plus contract. This technique is known as . 28. In addition to claims for benefits, fictitious suppliers of goods and services in disaster relief areas have attempted to place against these funds. 29. As with other heavily funded relief efforts, the potential for wide‐scale fraud, including , charging for , bribery, and corruption, is enormous. 30. Prevention of research frauds involves the use of proper of authorization documentation, insistence on , and independent verification of the and of such records. 31. Fraudulent conveyancing can occur in connection with leveraged buyouts, where the management or owners of a failing organization will cause the organization to on its assets and use the to purchase the management or owners' stock at highly inflated prices. 32. A fraudulent conveyance can be established when a debtor transfers property without receiving in exchange for the transfer, if the debtor is insolvent at the time of the transfer or becomes insolvent as a result of the transfer. 33. Illegal tunneling consists of fraudulently pumping out and assets into the fraudster's own private firms. It also covers the crime of siphoning the organization's into third‐party hands. 34. A controlling shareholder is in a position to dilute the shareholdings of minorities through to new shares. 35. Where ownership vests in large numbers of shareholders, the use of and becomes one of the primary control mechanisms. 36. In many countries, the law indicates that, to be a crime, conspiracy occurs only where there is that a crime be performed and there is an among two or more persons to engage in that crime, and where one of the conspirators commits an to further the conspiracy. 37. involves the use of funds received in payments to conceal a theft of cash.
38.
Frauds Against the Organization ◾
23
is made possible when a financial institution permits the withdrawal of funds from an account based on check deposits that have not yet cleared. 39. Red flags for kiting on check processing may include of checks, use of , use of , or delayed presentation of checks issued. 40. In order to establish credibility, a fraudulent company may claim an association with a well‐known and legitimate company, say by pretending to be a or of an existing and well‐known organization. 41. Frauds frequently come to light as a result of an from a third party regarding misconduct on the part of the organization or an officer. 42. Some manufacturers of color laser printers and color copiers embed a concealed serial number and manufacturing code that prints on every docubill can be traced directly back to ment produced. Thus, a the . 43. Unlike the paper we normally use in business, which is cellulose based, the paper used for money is made from fibers of cotton and linen, known as paper. 44. take a variety of forms designed to defraud the government by claiming Social Security or other benefits to which the claimant is not entitled. 45. In terms of value lost, insurance fraud is the white‐collar crime in the United States. 46. Insurance fraud is taken to occur when a person in order to obtain some benefit or advantage to which he or she is . 47. In the event of a natural disaster, such as an earthquake, flood, or tornado, it is common for insurance companies to be flooded with exaggerated claims in which companies that have suffered a genuine loss seek to dispose of or as disaster damage in order to have a legitimate claim on the insurance policy. 48. A faked death is a common source of fraud. In some cases, the insured have been known to fake their own deaths in order that their “survivors” may make a claim; in others, policies are taken out on “relatives” who have no relationship to the fraudster and whose death is then faked using and other documentation. 49. insurance policy commissions may considerably exceed the commissions for other types of insurance. An unscrupulous agent may sell
24
◾ Questions and Problems
what the buyer believes is one type of insurance and switch it to the more lucrative policy. 50. Card frauds come in a variety of forms. Individuals can be affected by application fraud, when someone falsifies an application in order to acquire a credit card using . 51. are emulation software packages that can be used to create valid credit card numbers and expiry dates for cards drawn on the bank of the fraudsters’ choice. 52. In transactions, such as Internet sales or telephone sales, the merchant normally for charge‐backs on credit cards after fraudulent use, even if the financial institution has authorized a transaction. 53. come in two forms: frauds against a person who is drawing a pension and frauds by the organization supposedly collecting contributions toward pensions. 54. Tax fraud involves the failure to pay , , or taxes. It encompasses the full range of individuals failing to declare income tax revenue authority through large‐value tax evasion schemes perpetrated by large corporations. 55. Illegal insider trading is taken to encompass trading in a security in breach of a and . It is the possession of nonpublic information regarding the security, which makes it a breach of fiduciary trust and therefore illegal. 56. is intended to defraud advertisers who use a type of World Wide Web advertising known as pay per click (PPC). (small‐scale programs 57. Combining click fraud scripts with running scripts from a variety of computers scattered across the Web—a ) unknown to computer owners can create multiple computers on innocent machines and generate high‐volume clicks from an apparent variety of users. 58. The key element of counterfeit goods and intellectual property fraud is that the potential purchaser must .
Frauds Against the Organization
QUESTIONS: SHORT ANSWER 1. How does a bankruptcy fraud work?
2. What are the major documents in mortgage loan applications?
◾
25
26
◾ Questions and Problems
3. Statutes define the crime of embezzlement as:
4. Internal controls to prevent theft of trade secrets or seek redress could include security procedures such as:
Frauds Against the Organization ◾
27
5. Frauds committed against both private and public health care programs may include:
6. In tunneling, expropriation of the firm's value by insiders may take the form of:
28
◾ Questions and Problems
7. Automobile insurance frauds, including motorcycles, trucks, snowmobiles, and the like, encompass an array of schemes including:
8. Common frauds involving pension schemes include:
Frauds Against the Organization ◾
29
9. Differentiate among the protection schemes for intellectual properties including copyright, trademarks, and patents.
5
CHAPTER FIVE
Fighting Corruption
I
N I T S B R O A D S E N S E , corruption may be seen as the abuse of public office for private gain. The term encompasses abuses by government officials, such as embezzlement and nepotism, as well as activities that cross public and private sectors, such as bribery, extortion, influence peddling, and fraud.
QUESTIONS: FILL IN THE BLANKS Refer to Chapter 5 in Corporate Fraud and Internal Control: A Framework for Prevention. 1. The term corruption can signify different things to different people and its interpretation is partially based on . 2. Where large‐scale corruption occurs, it typically bleeds resources from the and from the provision of essential . 3. Widespread corruption has the effect of that part of society that cannot afford to pay bribes and kickbacks. 4. In addition to bribery, corruption can take the form of , abuse of public assets, of public monies to private interests, as well as 31
32
◾ Questions and Problems
of privileged information and and executives’ discretion. 5. Overall, corruption can undermine in institutions and governments while and even damaging economies with impacts that can last tens of years. 6. Bribery can become the of doing business where lunches on the company become vacations at company expense, use of corporate assets in return for , and eventually straightforward payoffs for bending the rules in favor of the individual or organization seeking to win the contract. 7. Certain sectors are looked on as particular targets for procurement bribes due to the of the contracts awarded as well as the that make detection of backhanders such as bribes considerably more difficult. 8. The overall objective for procurement rules is to ensure the acquisition of of goods and serthe most appropriate and vices for the lowest overall cost. 9. Prices quoted on contracts can be reduced by products and services to give the impression of best value for money while, at the same time, making the derived from the service contract almost nonexistent. 10. Implementing tendering procedures designed to favor specific organizations and from nonfavored companies is another form of abuse. 11. Sole‐supplier contracts may be offered because of with a particular supplier that has proven the of work or items supplied and the integrity of the supplier throughout the duration of the contract. 12. Effective procurement planning is designed to achieve efficiency and economy in the acquisition of products and services. 13. The duration of the planning phase of procurement is heavily dependent on the risks inherent in the proposed acquisition in terms of as well as and . 14. Where a commodity or service is of but nevertheless has a multiplicity of potential solutions, a is normally used to clarify the scope of the service required as well as the organizations that can supply the requirement. 15. Where the goods and services are of high value but the scope and objectives are from the start, a more formal, structured procurement
Fighting Corruption ◾
33
approach is . This would involve issuing a that outlines the requirements in terms of deliverables, time scale, and measurement criteria. 16. As part of the procurement process, product design is normally spelled out . in the 17. Where bribery has taken place already, the formulation of the request for proposal (RFP) can be tailored the products or services available from a single supplier. 18. The RFP itself should be closely examined and agreed to by all internal parties, including , , and . 19. Value for money can best be achieved through and foreseein the acquisition able contract conditions achieved through process. 20. Few organizations require submitted electronic bids to be and remain so until a set time when they will be publicly. 21. Where a supplier is the sole source or the sole reputable source of specific to operate with a sole‐ expertise or goods and services, it is supplier contract. 22. Where open competitive bidding is inappropriate and restrictive competitive bidding has been selected as the best alternative, of bidders reduces the opportunity for insiders to award a tender to a selected supplier. 23. Prequalification of bidders and supervisory oversight, while helpful as controls, do not in themselves prevent or even guarantee detection of corrupt tendering practices. 24. Technical evaluation is done on the basis that if the goods or services supplied cannot achieve the , it generally matters little how cheaply the goods or services were acquired. 25. In a long‐term project or a project involving the development of a unique product, it may be very difficult to determine and costs, both and , over the life of the project. 26. At the financial tendering phase, the bidder has the opportunity to the contract costs because of the size of the unknown factors. 27. In a costs‐plus tender, costs may be , resulting in an apparent lower bid that nevertheless has the flexibility to be should more costs suddenly appear.
34
28.
◾ Questions and Problems
is the process of validating and verifying all bidder statements and documents submitted to ensure their with the technical, financial, and legal requirements of the bid. 29. Postqualification of the financial bid would involve ensuring the and validity of financial proposals together with the of the funding required for the bidder to maintain an adequate cash flow to sustain operations throughout the project. 30. provides officials with the opportunity to indulge in solicitation of bribes or even, with the addition of physical threats, extortion in order to benefit from payments due for services rendered. 31. The verification and follow‐up phase of the procurement process normally is carried out by a third party, such as the organization’s , with the intent of ensuring that no unacceptable practices occurred during the design, placement, and completion of the contracts. 32. A indicating decisions made, on whose authority, and independently verified by whom will be required throughout the process, but most especially during the verification and follow‐up processes. 33. The intent of the verification and follow‐up is not only to ensure that no unauthorized activities took place during this procurement exercise but that will be applied to the overall process so that the next procurement will run even more smoothly. 34. is a particular variety of favoritism in which preference is given to relatives in employment, salary levels, placement of contracts, awarding of honors, or other abuse of power regardless of the relatives’ . 35. Nepotism can be a talent‐sourcing mechanism in that family members may have been indoctrinated into the from birth and may be placed where natural talent has been shown. 36. Nepotism can conflict with legislation as can antinepotism policies. 37. is a more general form of favoritism involving partiality in business decisions toward friends and associates; the old phrase “It’s not what you know, it’s who you know” is an example. 38. Cronyism is characterized by the conferring of favors on members of a , and may take the form of favoritism in hiring and awarding of contracts. 39. Abuse of authority can be defined as or exercise of power by an official or employee resulting in an adverse impact
Fighting Corruption
40.
41. 42.
43.
◾
35
on the rights of another individual or resulting in advantage or personal gain to the abuser. Corporate culture is a factor of the among members and has as its foundation the structures, communication networks, and processes within the organization as well as the , , , , and vocabulary used. An anticorruption culture will be based on the observance of throughout the organization. The most common reason given for nonreporting is that the individual and is unsure whether he or she should does not know report it. External reporting of fraud should take place by a authority structure to ensure that all external agencies that may have a statutory right to be informed are indeed informed.
QUESTIONS: SHORT ANSWER 1. Identify and describe the three main control opportunities for fighting bribery in public procurement. a.
b.
c.
36
◾ Questions and Problems
2. Identify the 11 stages of a typical tendering process. a. b. c. d. e. f. g. h. i. j. k.
3. What are the main tasks to be achieved in the procurement planning process?
Fighting Corruption ◾
37
4. The implementation phase of procurement is an area where the opportunities for bribery are rife. Name nine such opportunities. a. b. c. d. e. f. g. h. i.
5. Explain the next traits that can lead to fraud. ▪▪ Lack of director independence
▪▪ Poorly structured compensation schemes ▪▪ Adoption of inappropriate (and sometimes illegal) accounting practices ▪▪ Multiple and conflicting use of audit firms
38
◾ Questions and Problems
6. Controls that can help avoid favoritism in the workplace include:
6
CHAPTER SIX
Role of Ethics in Fighting Fraud
W
H EN CO M PA N I E S I GN O R E the need to maintain a strong ethical foundation for themselves and their employees, they open up the floodgates and expose themselves to fraud.
QUESTIONS: FILL IN THE BLANKS Refer to Chapter 6 in Corporate Fraud and Internal Control: A Framework for Prevention. 1. As applied in a business context, ethics are intended to provide organizations with the tools required to deal with since many business decisions have an ethical component. 2. Wheelright defined three fundamentals underlying the impact of ethics and decision making: ▪ Ethics involve questions requiring . ▪ Ethics are concerned with the of decisions. ▪ Ethics involve as to what is right and wrong.
39
40
◾ Questions and Problems
3. The most fundamental schism in ethical theory is the division between , which claims that it is possible to know moral wrong from right , and , which claims that we cannot know because all such judgments are and influenced by cultural preferences. 4. The view that morality is culturally relative is known as and is supported by the differences in existing cultural views seen around the world. 5. The reflects a belief that there are effectively no choices. 6. The holds that actions should bring the most good to the most people. 7. draws their base from the consequences of acts. 8. as related to business ethics have, over the years, been propounded by Plato, Aristotle, and Adam Smith among others. direct relationship between 9. Under classical theory, there is business and society’s goals and objectives. 10. Adam Smith stated that, provided there is competition to satisfy customers’ desires, the common good is best served by the pursuit of . 11. The view held by is that business should have societal goals outside of its normal business forms of survival and making profits giving rise to Kant’s view of “business as a good citizen.” 12. Business ethics involve the application of within a commercial context. Such ethics normally exceed the boundaries laid down by law. 13. Sound corporate governance practices call for corporate ethics to be spelled out in in order to deal with any failure of management and employees to comply with laws and regulations affecting an organization. 14. In terms of fighting fraud, one of the most powerful controls is the implementation of a formal . 15. Codes of conduct do not, in themselves, enforce ethical behavior; rather, they should be seen as controls expressing the requirements of the organization in situations where ethical decisions must be made. 16. Most effective codes of conduct combine with . 17. Ethical risk must be measured through a conscious risk evaluation process, leading to by management, with appropriate rewards designed for achievements by individuals who will then be rewarded.
Role of Ethics in Fighting Fraud ◾
41
18. The primary objectives of a review of the corporate code of conduct is to ensure the code is and throughout the organization. 19. In cases where a vendor code of conduct is required, which often occurs when dealing with overseas vendors where different value system may operate, a must exist in vendor contracts, and vendors must agree to abide by the corporate vendor code of conduct. 20. Recommendations for noncompliance with the code of conduct could go as far as of employees, of contracts with vendors for noncompliance with agreements, or even of individuals where the violations breach not only the code of conduct but also the law. 21. In considering insurance fraud, a study in 1997 concluded that the bulk of the population could be broken into four basic groups , , , and . 22. show no tolerance for fraud with a strong support for punishment. 23. also display a low tolerance for fraud but with an understanding why, in some instances, some people might justify the fraud they commit. were fairly tolerant of fraud and believed that everyone was 24. doing it. They saw it as “no big deal” if people took advantage of an opportunity to defraud when presented. 25. were the most tolerant of insurance fraud and other white‐ collar crimes, believing that insurers have only themselves to blame. Although the smallest group, its members had little regard for large institutions, including government and business. 26. Internal reporting does not require individuals to have in order to alert company authorities suspected wrongdoing. 27. One effective way of facilitating fraud reporting is the introduction of a fraud through which organizations or individuals, either external to the company or internal, can report suspected wrongdoing. 28. Where hotlines have proven ineffectual, a common reason is regarding their use. 29. The organization must encourage all employees to submit all concerns and complaints without of any kind and without regard to the position of the person or persons responsible for the complaint or concern.
42
◾ Questions and Problems
QUESTIONS: SHORT ANSWER 1. Kohlberg defined six stages of individual ethical development. These are: a. b. c. d. e. f. 2. Define the differences between decisions that are both ethical and legal, legal but not ethical, ethical but not legal, or illegal and unethical.
3. Employees themselves have specific ethical obligations to comply with, including:
Role of Ethics in Fighting Fraud ◾
43
4. Internal audit should conduct periodic reviews of the code of ethics/conduct that include:
5. Where fraud is not reported, the reasons given for nonreporting can be varied but may include:
7
CHAPTER SEVEN
Controlling Fraud
T
H E F R AU D P R E V E N T I O N S T R AT E G Y enacted by an organiza-
tion is largely dependent on the nature and needs of the individual organization. The elimination of fraud must become an integral part of the organization’s overall business approach if it is to maintain its effectiveness.
QUESTIONS: FILL IN THE BLANKS Refer to Chapter 7 in Corporate Fraud and Internal Control: A Framework for Prevention. 1. Corporate governance as a whole relates to the , , and under which businesses are operated, regulated, and controlled, and includes such players as the board of directors and the audit committee as well as internal audit. 2. Corporate governance is associated with the quality of and reduction in instances of fraud.
45
46
◾ Questions and Problems
3. In 2002, the United States enacted the Sarbanes‐Oxley Act (SOX) with the intention of significantly expanding the responsibilities of , , audit committees, and boards of directors. 4. In 2003, the New York Stock Exchange ruled that the board of a publicly traded company be composed of a majority of and that the board’s audit committee consist entirely of with at least one member having expertise. 5. In the implementation of SOX, what appears to have been missed is the principal reason why SOX was created in the first place: to prevent fraudulent behavior by . 6. Organizational culture can be a strong influencer on employee attitudes or and can determine whether employees feel to overstep the boundaries laid down in codes of conduct and commit fraud. 7. Healthy corporate cultures are typified by reductions and , and greater innovation, improved efficiency, and reductions in waste, abuse, and fraud. 8. Improved communication requires that the message has to be on a personal basis with buy‐in to the by all concerned and value system underlying the corporate intent. 9. To be successful in both formulating decisions and designing the structures required to ensure that effective implementation occurs, management must understand the as seen by employees, customers, and suppliers in terms of their and as well as a perception of the company itself. 10. If employees believe that the tone at the top is , the same tone will cascade down through the organization. and 11. Internal controls across the organization must be strengthened with a particular emphasis on fraud prevention in order to both and fraud. 12. Making feedback mechanisms available and known can considerably improve the probability of receiving such information early in the fraud process while losses are still . 13. The major purpose of the board’s audit committee is the of the financial reporting of an organization. 14. Many definitions of corporate governance omit the role of the audit committee, in part because often the audit committee is viewed as a of the full board. 15. The most critical role in the audit committee is that of the , who must have expertise and experience in and the ability
Controlling Fraud ◾
47
to bring together within the committee the skills and knowledge required for the committee to operate effectively while retaining its . 16. To be effective, the audit committee needs to operate under a that spells out its constitution, priorities, areas of responsibility, frequency of meeting, agenda, and reporting responsibilities. 17. An audit should be carried out on the work of the audit committee at least every three years. 18. Everything from the business strategy of the corporation, oversight of the internal audit function, and even the hiring and firing of the CEO may be part of the audit committee’s oversight functions, which its ability to detect accounting irregularities or fraud. 19. The audit committee should, at a minimum, review the and basis. plan implemented by the organization on an 20. Procedures should be established for the , , and in a confidential manner of any anonymous submissions from any stakeholder regarding questionable or areas of potential misconduct. 21. In order to ensure the of the fraud risk management interventions, it is essential that the audit committee understands the and the internal control structures designed to address those risks within the organization. of business transactions and the changing regula 22. With the tions, the committee needs to keep pace with the organization’s efforts to ensure compliance such that any would be detected early and investigated thoroughly. 23. A regular part of the audit committee’s agenda should be the evaluation of audit’s assessment of and the appropriateness of the audit plan to examine the designed to mitigate these risks. 24. As with the private sector, public sector audit committees require , clear communications, and . 25. Most members of public sector audit committees are appointments to ensure the of the audit committees as a whole. 26. A more desirable, effective approach is the proactive design, in which a system of internal control that limits the possibility of fraud occurring is constructed and implemented. If fraud occurs despite the of the internal control structure, fraudulent activities are in a timely manner and to facilitate the and of assets that have been fraudulently removed.
48
◾ Questions and Problems
27. COSO defines internal control . It is effected by , designed to provide regarding the achievement of the three primary objectives of all businesses. 28. Control results from the , , and of management in order to ensure that the organization is working toward the stated objectives. 29. stop untoward events happening but, unfortunately, are never 100 percent effective. 30. are those controls that alert management that an undesirable event has occurred. 31. come into effect after a problem has been detected and serve to limit the extent of damage, recover from damage, and prevent damage from recurring. involve risk being transferred to a third party. 32. 33. are used where human discretion is involved in decision making to indicate the direction that the organization wishes the decision to take. 34. are those things that must be done correctly in order to achieve the business and operating objectives. 35. If the control objective is to ensure that budgetary controls exist, are appropriate, and are enforced, the is that budgetary controls do not exist, are inappropriate, or fail to be enforced on a basis. 36. Physical access is normally restricted to those who it to carry out their job functions and access is granted on a basis. 37. Those controls that have no direct impact on reducing the risk of fraud occurring still may prove beneficial in the of a fraud. 38. One of the more important controls in the area of segregation of duties is the use of . 39. Achievement of the is critical, not the individual used. 40. is essential in organizations where there is difficulty in achieving segregation of duties. 41. All controls operate within the framework of a , a term that describes the overall infrastructure within which other control elements will function. 42. The defines the individual manager’s responsibilities, sets limits of authority, and facilitates the proper segregation of duties.
Controlling Fraud ◾
49
43. The includes the policies and procedures describing the scope and activities of a function, including its relationships with other parts of the organization, as well as the degree to which , such as laws and regulations, impact a function. 44. In the 2010 Report to the Nations on Occupational Fraud and Abuse, where fraud had occurred, respondents indicated that the biggest single element allowing it to take place was a , such as segregation of duties. 45. The Institute of Internal Auditors’ practice guide, Internal Auditing and Fraud, has indicated that where internal audit is assigned fraud duties, it with the appropriate has a duty to ensure that to carry out those tasks are available. 46. The IIA suggests that during audit engagements, internal auditors should always consider in assessing the design of the internal in their working control structure and document those papers. 47. Internal auditors must maintain an appropriate degree of since they are in a position, while focusing on internal controls effectiveness, to uncover common frauds that may exist. 48. may be defined as the methodology for resolving fraud allegations from inception to disposition with sufficient proof to prove or disprove allegations of fraud. 49. Control self‐assessment (CSA) goes beyond the bounds of internal audit by making the as a whole responsible for management control and governance of fraud risks through embracing, planning, and operating a CSA process. 50. Internal auditors operating in a fraud deterrence context may choose to use CSA as a tool to ascertain the state of the and evaluate management’s understanding of in the business process. 51. CSA practitioners must be prepared to handle large quantities of in short periods of time and seek indicators that the fraud risk has increased. 52. are sets of questions used by auditors as checklists to determine whether controls exist. 53. Under CSA, management can be asked to complete a as a form of self‐audit. 54. Control guides are computerized folders containing a description of the expected set of for the operations covered. 55. Interactive antifraud workshops are workshops in which management and staff evaluate the state of antifraud internal controls.
50
◾ Questions and Problems
QUESTIONS: SHORT ANSWER 1. Explain the differences among the Anglo–U.S. corporate governance system, the German corporate governance system, and the Japanese corporate governance system.
2. Describe the five basic components of corporate culture. a. b. c. d. e.
Controlling Fraud ◾
51
3. The audit committee as a whole should consist of members with the appropriate skills and experience to carry out the committee’s assigned role. Expertise in what areas is required?
4. Independence may be presumed to be impeded where an audit committee member is:
52
◾ Questions and Problems
5. In order to ensure achievement of business objectives, COSO defines five components that would assist management to achieve them. Describe these components. a. b. c. d. e.
6. Employee fraud in the retail environment is perpetrated through a variety of techniques. Nevertheless, certain existing controls can be used to detect retail employee theft and fraud. These can include:
Controlling Fraud
◾
53
SITUATIONAL CASE STUDIES The next three situations resulted in the loss of assets as a result of employee fraud. For each situation: ▪ Identify a procedure that would have detected the fraud. ▪ Recommend a specific control that would prevent or detect future occurrences. Situation 1 ▪ Although most bills are sent to the head office for payment, each manufacturing plant maintains an imprest fund to pay for small, routine purchases. While reviewing the accounts payable at one of the plants, an auditor discovered that a trusted employee had embezzled $150,000 over the last 10 years. Using the imprest fund, the employee had processed and paid fictitious freight bills by using copies of authentic shipments for support. The employee had pocketed the duplicate freight payments.
Situation 2 ▪ While examining a random sample of employee expense reports, the auditor found that members of the sales force routinely submitted for reimbursement altered receipts and duplicate receipts.
54
◾ Questions and Problems
Situation 3 ▪▪ The company had a contract with a tire manufacturer to supply tires for company cars at favorable discounts. As a courtesy, company employees were allowed to purchase tires at discounted prices by placing an order with the office manager, who ordered the tires in the company name. When the bill arrived, the office manager asked employees to make checks payable to him. The invoices were processed for payment through the company’s accounts payable system. As a consequence, 37 tires were billed to the company, and the office manager deposited employee checks to his own account.
8
CHAPTER EIGHT
Fraud Risk Management
W
H EN PEO PL E I N D U LGE I N FR AU D, they do not do so in the
expectation of being caught and punished. They commit fraud because they believe they can get away with it. To implement effective fraud risk management, risks need to be examined from the potential fraudster’s perspective. Where conventional risk assessment methodologies start with inherent risk and move toward limiting those risks by the quality of the system of internal controls, fraud‐related assessment looks at the controls from the perspective of how can they be bypassed, who can bypass them, whether it is known, by whom, and how.
QUESTIONS: FILL IN THE BLANKS Refer to Chapter 8 in Corporate Fraud and Internal Control: A Framework for Prevention. 1. Fraud‐related looks at the controls from the perspective of how can they be bypassed, who can bypass them, whether it would be known, by whom, and how.
55
56
◾ Questions and Problems
2. Fraud‐related assessment is a critical element in the governance of any organization. In a public company, it falls under the legal to shareholders. 3. is still classified as the risk before taking into consideration risk‐reducing elements; however, the risk in this case is specifically that of fraud. 4. Grouping risks based on causation makes it possible to identify those control elements that, if properly designed and implemented, can be most that a risk will occur or in the effective in if it does occur. 5. A specific will use internal formulas that model a total business risk of fraud in each of the organization’s processes. is a technique that permits the identification of key depen 6. dencies and control nodes within a business entity where fraud could occur. 7. Fraud‐related analysis is a far from foolproof technique. Inherent limitations include in assessing probability of fraud and lack of adequate or accurate information on the potential . 8. can substantially decrease the likelihood of fraud; it alerts management to changes needed to the and links control objectives to the activities required to achieve them. 9. Risk can be assessed as where we have confidence that the current control structure would prevent an occurrence of an undetected fraud. 10. Open workshopping requires by all involved where it is understood up front that anything can be and is on the table. 11. Comparative risk assessment involves a combination of the of fraud occurring and the on the business if it does. 12. Loss of and loss of may be more damaging in the long run than the straight monetary loss inflicted by the fraud. 13. Within the Cascarino cube methodology, the initial workshop is and can operate as a modified Delphi group in which each participant identifies one single fraud opportunity in the business area, assuming there were or that none of the controls worked. 14. The risk workshop is repeated for each of the functional areas in order to draw up a three‐dimensional cuboid representing the ranked against the of those threats for each of the organization.
Fraud Risk Management ◾
57
15. The objective of the cube assessment is to determine whether the various controls intended to a particular fraud risk from a particular fraud threat source are to reduce the risk to acceptable levels, assuming the controls . 16. Within the cube, inadequacy of controls indicates a level of fraud risk at a level, even if all of the controls . Such a vulnerability must be addressed, usually by the introduction of controls. controls have been identified, they can be evalu 17. Once all ated in order to determine which controls can give management the assurance. 18. If, after testing, key controls are found to function as intended, management may be assured that fraud risk is being controlled in an and manner and that the likelihood of a successful fraud occurring in that area from that source, while not , has been reduced to a level within a band of tolerance specified in advance. 19. The three‐dimensional nature of the cuboid enables management and auditors to examine control adequacy and effectiveness in slices of functional areas indicating all fraud risks and threat sources affecting them, slices of threat sources indicating the functional area and fraud risk affected or sliced by showing all threat sources and functional areas affected. 20. Neither the external nor the internal auditor is in place on a day‐to‐day basis. Only can ensure the ongoing efficiency and effectiveness of the system of internal control intended to and fraud. 21. With the expanded role internal audit has to play in fraud prevention, the interpretation of the word compliance has undergone a shift from simply meaning “conforming with the rules” and is now interpreted as “complying with the .” 22. The impact of a widely publicized fraud can extend far beyond monetary losses directly attributable to the fraud itself. 23. In the past, identification of the perpetration of fraud or its concealment by manipulation of the financial records was commonly left to the who would sweep them up at the end of the year during the audit. 24. When the external auditor was focusing on control risk, the control elements designed to prevent or detect a significant fraud were controls that would be evaluated for a material misstatement in the records.
58
◾ Questions and Problems
25. Where fraud is not seen to be the primary focus of the audit, auditors tend to assess the control risk as . 26. If the risk of fraud is assumed to be low, testing will be done. 27. External auditors have been required to revise the assumptions made when assessing the likelihood of significant risks to the financial accounts. As a result, testing has , and the amount of fraud detected has risen accordingly. 28. Auditors must consider whether management could be in a position to fraudulent financial reporting or misapand propriation of corporate assets. 29. Fraud auditors, both accountants and nonaccountants, have a primary focus on the to prevent fraud and offer early detection. 30. Forensic accountants carry out their work by incidences of white‐collar crimes, such as , procurement and contract fraud, money laundering, and the full variety of potential frauds within an organization. 31. On occasion, may also operate in areas that are not fraud‐ related, but where the evidence they uncover may come under public scrutiny and debate. 32. Examiners frequently have to carry out , including employment records or medical records, subject to the restrictions of . The ability to follow an is of critical importance in modern investigations. 33. A critical element in both forensic and fraud auditing is an understanding of the aspects of fraud and the production of evidence (i.e., evidence that would be acceptable in a court). 34. Because a great deal of fraud is now committed using , all fraud prevention, detection, and investigation activities have to take place with the presumption that IT may play a role. 35. Uncertainties can the likelihood that information will be forthcoming from those who are aware of improper activities. 36. Staff members most commonly report wrongdoing by whistleblowing activity where they have about specific actions or transactions that they believe may be harmful to the organization and where there is no other to be followed. 37. Laws and policies may exist to protect whistleblowers, but no policy can force coworkers to a person. is always a concern.
Fraud Risk Management
◾
59
38. Organizations often are concerned that employees will whistleblowing to newspapers and the like to the detriment of the reputation of the company. 39. It is common for organizations to staff against any subsequent claims or legal proceedings brought against them with regard to any whistleblowing activities, whether the wrongdoing is or not, as long the accusation was made in and there has been no malicious intent and falsehood in the information provided. 40. False accusations for malicious purposes are not protected under such laws and normally are dealt with when proven. 41. In the public sector, whistleblowing may pose a unique problem in that the disclosure of information may itself be a crime, resulting in even if the case is the prosecution and imprisonment of the proven.
QUESTIONS: SHORT ANSWER 1. Describe the three types of risk that are normally considered when evaluating corporate risk. a.
b.
c.
60
◾ Questions and Problems
2. One effective risk evaluation model uses a five‐stage process involving: a. b. c. d. e.
3. In assessing fraud risk, major risk categories would commonly be drawn from these categories:
Fraud Risk Management ◾
61
4. In ensuring the fraud threat is mitigated, the internal auditor must determine:
5. To be certified as a fraud examiner, proficiency must be shown in the areas of:
62
◾ Questions and Problems
6. Whistleblowing involves the provision of information that the individual reasonably believes to be true regarding:
9
CHAPTER NINE
Investigating Fraud
T
HE IN V ES TIGATION OF A L L EGATIONS OF W RONGD OING can prove a difficult and daunting task, requiring objectivity, determination, and attention to detail. The investigation’s primary objective is to establish the facts, in such a way that alleged fraud may be proven or disproven, and restitution and punishment may be sought where appropriate.
QUESTIONS: FILL IN THE BLANKS Refer to Chapter 9 in Corporate Fraud and Internal Control: A Framework for Prevention. 1. Fraud investigation is typically a function triggered by the internal or external recognition of a red flag indicating the potential presence of fraudulent activity. 2. The Red Flags rule requires organizations falling under the authority of fi nancial agencies to implement a written specifically designed to detect the red flags of identity theft in order to spot suspicious patterns when they arise.
63
64
◾ Questions and Problems
3. A single red flag is not proof that a fraud has taken place. Where of such indicators are found, the manager should be more alert for irregularities. 4. In many cases, investigation of fraud reveals an underlying failure of management and poor of company policies and procedures. 5. Reward structures based on , dictatorial management in a power‐driven environment, and constant are breeding grounds for fraud. 6. Managers who play one subordinate off against another and seek loyalty without giving it may create an environment in which fraud is probable. 7. Where a change in a person’s behavior patterns involves , gambling, expensive social life, or extramarital , a pattern of lies and deceptions may emerge. or 8. In behavior, indications such as refusal to take leave may appear unusual but when combined with other indicators may point to the possibility of a fraud. 9. The desire to live a lifestyle that is out of can be a powerful inducement to fraud. 10. Fraud‐prone managers are often and may boast of personal achievements while ignoring the . Such managers comand react with hostility, which monly treat opposition as can ruin working relationships. 11. have carried out a single fraud in response to a single set of circumstances that presented itself. 12. operate where the temptation came in the form of the recognition of a lack of in a specific area. Potential fraudsters may realize that there is an opportunity to perpetrate an ongoing fraud with little chance of . 13. deliberately manipulate the control environment in order to gain the opportunity to perpetrate a specific fraud. 14. Popular ways of fraudulently creating an appearance of corporate growth beyond actual growth are to , delay the recording of expenses, reduce expenses for research and development, or fail to record as an expense. 15. Overstated and inventory levels are common ways to hide corporate fraud.
Investigating Fraud ◾
65
16. Another indication that there may be something wrong may come in the form of growth in exceeding growth in . 17. Fraud at a lower value level can also be indicated by abnormal expense claims or . 18. Despite, or perhaps because of, the heavily nature of modern payroll processing, many of the controls that existed in the manual environment have either or operate with effectiveness. implementation can be a 19. Lack of basic controls or their major temptation to fraud and should be a to management. 20. Any indication that mortgage documentation has been or , including differing type styles as well as , should be cause for immediate investigation. or lack 21. Discrepancies in application forms, such as lack of of as well as significant or unusual changes from handwritten to typed applications, lack of sufficient , or an individual for investwithout a known permanent residence seeking ment property may also signal potential fraud. 22. Errors in payment records can range from incorrect or erroneous tax certificates to irregularities in employer identification. 23. An individual or organization with a dubious past performance on debt in order to acquire further indebtedness. may have to falsify 24. Health care frauds may be carried out against health , personal injury , commercial insurers of compensation claims, government , and workers’ compensation insurance for injury sustained in the workplace. 25. An example of is when medical records place the patient at two different on the same date and at the same time. 26. An example of patient fraud is when claims of treatment cannot be by medical providers. 27. Medical records after the date of treatment is an example of service provider fraud. 28. Patients delaying treatment for work‐related accidents for extended times is an example of . 29. or contracts involve an agreed percentage of profit added to the incurred costs related to the particular contract 30. Anomalies in cost‐plus contracts could include disproportionate movements in with cost increases being applied differently in different types of contracts.
66
◾ Questions and Problems
31. In cost‐plus contracts, the use of may be classified as a cost of material, and such costs may be to cover subcontractor expenditures in to employees to obtain contracts. 32. Even in the case of fixed‐price contracts, may require the submission of pricing data in order to determine the of prices charged. 33. It is critical that the investigation seek an regarding the probability that a fraud has in fact occurred in order to maintain cost effectiveness. 34. means the examination of the totality of circumstances that would lead a reasonable, professionally trained, and prudent individual occurred, occurring, to believe that a fraud and/or occur. 35. Before an investigation can begin, the investigator must be satisfied that exists that would make it inappropriate for him or her to no conduct the investigation. 36. The fraud theory approach is a four‐stage approach that involves the analysis of regarding the , creation of a method of carrying out the fraud, , and refining and . 37. In all cases of fraud investigation, four significant factors must be determined and proved: . 38. A major element of the investigation initiation process is designating a and determine the desired specific person to conduct the course of action. 39. The starting point in any investigation is a of all people who potentially are involved. 40. Rushing the task without fully planning out the project will significantly the probability of a successful outcome. 41. The full investigation starts with the formulation of an to determine the of the alleged fraud. 42. The gathering of evidence may require a approach in order to ensure the availability of the appropriate , , and required to acquire and make sense of the evidence. 43. At all times throughout investigations, both the information obtained and its source should be held unless is essential to the ultimate proving of the case. 44. If the use of professional investigators is warranted, care should be taken over the use of , as their legality can vary from country to
Investigating Fraud ◾
67
country. If evidence is at the start of the investigation, it cannot be made right at a later stage and may jeopardize the whole investigation. 45. Documents may be examined for confirmation of the of fraudulent activities as well as proof that the document has not been from its original form, that the document is itself an or that it contains a valid signature of an appropriate . or 46. Document examination may also reveal and may even be able to recover the original text as it was prior to . sources as well as 47. Data may come from , and may take the form of computerized records or printouts that can be into form for analysis. 48. Anomalous in sequenced numbers may indicate erroneous double processing of transactions or fraudulent double processing. 49. Where business documents, such as purchase orders, invoices, or checks, run in a prenumbered sequence, may indicate an abuse of a known structure in the numbering sequences, or missing documents may indicate the presence of a of fraudulent transactions. 50. is commonly used in examination of financial figures to determine whether movements over time are as expected or not. permits the examiner to evaluate the relationships among 51. individual pieces of data to detect anomalies. 52. Information extracted from a computer system can be analyzed to find abnormalities within the data by comparing the pattern of of data against . 53. For an effective investigation, is a critical communications process. 54. Listening, strange as it sounds, is an function and an skill. 55. It is possible to learn to encourage the person you are speaking to with support. 56. It is important to learn to be sensitive to the clues in the message the speaker is broadcasting and to be when evaluating the information you are listening to. 57. Interviews would normally start as from the suspects as possible in terms of operations or business function.
68
◾ Questions and Problems
58. A fraud interview can too easily turn into an unprofessional with interviews even being conducted . 59. The , , and of the investigation and interview need to be explained; however, this phase should not dominate the interview. 60. An alternative to sequential checklists is the less structured approach where questions are sequenced by business or control objectives. or 61. can leave the interviewee with the impression that you have listened and understood. of the 62. The order in which to interview people depends on the investigation and where the evidence places the interviewee in the chain of events. 63. Whenever possible, that fact that a forensic investigation is in progress should not be made . witnesses, cor 64. Once specific facts have been alleged by the roborating evidence from other witnesses may be sought. 65. Once the evidence gathered to date can clearly identify the and potential , a series of directed questions can be developed. 66. Only once all other parties have been interviewed should the investigainterviewing of the tion phase move toward fraudster. admis 67. It is highly unlikely that any interview will result in sion of guilt, particularly from experienced fraudsters. 68. is the most common form of deception. The interviewee does not actually lie but evades answering by omitting the information that he or she wants to conceal. 69. of having participated in the fraud or having any knowledge of it is another common form of lying. 70. is the most difficult type of lie to attempt and maintain. The liar will require a good memory to remember what has already been said and must be a quick thinker to maintain consistency in the lie. 71. downplays negative aspects of the interviewee’s behavior or performance. 72. may also be used as a lie and is frequently used if a suspect the amount of work conducted or the degree of checking carried out. 73. The use of in answering questions also can indicate lying.
Investigating Fraud ◾
69
74. A polygraph is a measuring device that makes a of various taking place within the subject’s body as a result of psychological stimuli. 75. In polygraph testing, one technique requires that at no stage during the test would any surprise questions be put to the examinee. This technique is known as the . 76. An alternative polygraph testing method is known as the (or ). 77. Polygraph studies indicate that, although it may be possible for someone to be shown as , it is highly unlikely that a will be evaluated as person . 78. Perhaps the most fundamental investigative error is failing to maintain an of evidence gathered. adequate 79. Any break in the may result in the item or document being at trial. 80. Poor documentation of the , progress, activities, evidence gathered, time frames, and personnel involved in conducting the investigation the evidence gathered in the event of a prosecution. can all 81. Whether a prosecution takes place or not, the or lack of internal control has to be remedied in order to prevent repetition of the fraud. and 82. The overall mission would be to provide investigation of significant within an organization. 83. Investigation departments normally assemble and research conduct and practices in order to determine their as well as identify causes and vulnerabilities. 84. In today’s world, with high‐speed movement of funds internationally, retrieving assets can involve a variety of and . 85. Following the phase of information gathering and the phase itself comes the phase in which the accused fraudster may be acquitted or convicted. 86. Four court orders can be sought: (restraining the criminal from transferring or disposing of the asset) and (seizure of the asset by the state) orders as well as and orders. 87. In the United Kingdom, a order may be issued by a court to prevent the disposal of an asset, removal of an asset from the jurisdiction of the court, or any other dealings in the assets prior to final judgment being issued.
70
◾ Questions and Problems
88. The final phase is the phase in which the asset is seized and either returned to its original owner or disposed of by the state as required by law. 89. Use of the Internet as an information source can be highly effective, although care should be taken since much of the information available on the Internet can be , , or . 90. Information available on individuals, although publicly available, may still if not properly by the investigator involve a and may thus be in court. 91. Asset tracing and recovery normally require a documented transaction trail to prove that the seizure sought is against assets derived from the original fraud. offshore 92. The primary mechanisms for moving assets derived include the use of , shell companies established in jurisdictions that maintain bank secrecy with deposits in the form of cash, wire transfers, or bearer instruments.
QUESTIONS: SHORT ANSWER 1. An identity theft protection program typically involves a framework consisting of these four steps: Step 1.
Step 2.
Step 3.
Step 4.
Investigating Fraud ◾
71
2. In their 2011 report, Who Is the Typical Fraudster, KPMG suggest the typical fraudster is:
3. Much of the high-value fraud experienced by organizations is carried out at the managerial level. Red flags in this area could include:
72
◾ Questions and Problems
4. In procurement, abnormalities within the vendor arena could include alerts such as:
Other indicators may relate to the handling of inventory after it has been received. Such indicators could include:
Investigating Fraud ◾
73
5. Overall red flags on labor charges to incurred‐cost contracts include:
6. The fraud investigation is intended to resolve fraud allegations from inception to disposition. The investigation includes:
74
◾ Questions and Problems
7. In conducting interviews, general rules for asking questions include:
8. Asset confiscation involves a three‐part process: a. b. c.
10 CHAPTER TEN
Computer Fraud and Countermeasures
C
O M P U T ER F R AU D involves the use of the computer in some way
to obtain an advantage or cause loss of something of value by dishonest means. With the rapid expansion of information technology into everyday life and business, the opportunities are increasing at an exponential rate.
QUESTIONS: FILL IN THE BLANKS Refer to Chapter 10 in Corporate Fraud and Internal Control: A Framework for Prevention. 1. bears primary responsibility for the prevention and detection of all frauds, including information technology frauds. 2. At the heart of the computer, and the target of most fraudulent activities, is the of the organization. 3. Legitimate users can process , and legitimate technical users may be able to manipulate the raw data directly without the need to process transactions by direct manipulation of the data contained in databases. 75
76
◾ Questions and Problems
4. Within the mainframe, the organization’s carry out the business functions as programmed. Built into them are the , such as segregation of duties, reconciliations, user authentication, and the vast array of antifraud controls that organizations have built up over the years. These controls will be dependent on the nature of the business and the types of fraud exposure faced 5. In today’s environment, organizations typically operate in an , environment in which transactions are entered remotely and gain access to the data through a variety of intermediary steps. is placed 6. The more controls that are introduced, the more on the running computer system and the more is required to continue to operate an acceptable level. and run 7. Servers themselves are computers that will store application systems. They also are through which a fraud can be introduced or even perpetrated, depending on the nature of the server. 8. By connecting the wide area networks to such as the Internet, access can potentially be achieved by anyone. With the advent of mobile computing, we have to add to that, . 9. At every stage of processing, controls exist to ensure only and authorized individuals may execute authorized tasks to authorized parts of the system. 10. These controls exist in all modern operating systems, although they be used, at the discretion of the particular organization. 11. Many and accesses can be blamed on lack of lack of of the fraud risk, should the control architecture not be robust. 12. Where the controls are or nonexistent within the business function, the internal controls within the computer system merely will mimic the ineffectiveness of the within the business. 13. Technical users may be , controlling networks, or modifying the operating environment itself. They are in a powerful position because of the they have been granted and the power of the tools they use. 14. The mainframe architecture contains a very technical area in which to apply internal controls, but it is a one. All other antifraud controls within the IT environment rest on this . If their integrity can in any way be compromised at this level, the whole computer environment is open to .
Computer Fraud and Countermeasures ◾
15.
77
into and out of the mainframe operating environment can also serve as control points in which antifraud measures can be or or even . 16. of information moving through networks is an essential weapon in the antifraud armory. 17. utilizes an algorithm to scramble information and render it unintelligible to any party who does not possess the key required to decrypt it and return it to understandable condition. 18. Asymmetrical ( ) cryptography operates with two sepaa message with a rate but related keys. One key is used for second key used to the message. 19. One key of the pair is normally designated the (disclosed to other computers or servers that are sending messages) while the other is kept secret as a retained solely at the receiver’s end. 20. Any attempt to change the encrypted message will result in a when the legitimate receiver attempts to decrypt the message. 21. The degree of effectiveness of such communication encryption depends on the strength of the used and the of the keys. source and was correctly 22. If the message originated from an encrypted, it will be decrypted and acted on as it it were a message from an authorized source. 23. An electronic signature, in effect, encrypts a message with the key, indicates who the message is from, and sends the message. 24. A variation on servers is the use of server . In this scenario, the server administrator divides one physical server into multiple virtual environments using a application. These environments are known alternatively as virtual private servers, instances, emulations, guests, and containers using one of the three common approaches: virtual machine model, , or virtualization at the operating system level. 25. Virtual environments can be made even more since applications processing sensitive business data can be further than is possible on physical computers. 26. Administrators of the virtual environment may, in the nature of their duties, have access to with powerful virtualization management tools. Should be gained to these tools, data integrity may be and fraud enabled.
78
◾ Questions and Problems
27. Internal controls at the virtual level include the proper configuration of the virtual machines to restrict the existence of . Changes to virtual machine files should be monitored independently as a control for unauthorized changes. 28. Wide area network (WAN) communications represent the communication media from workstations to the environment. 29. In addition to the sheer volume that is processed over WAN commuof individual users and the nications, generally the of access rights is considerably more problematic. 30. Encryption has no control influence over the , the of the message. , the validity, or even the 31. Other control mechanisms, such as and other security‐ enhancing protocols, may give additional assurance that fraud via unauthorized access is less likely. 32. At the workstation level, fraud prevention also rests in knowing for certain that the person using a workstation has been as the genuine user, operating from an authorized workstation, via the correct communication lines, and using the authorized . 33. Despite best efforts at user education, passwords and PINs normally are not changed unless the system such changes. 34. If a longer or more complicated password is used, it is common to find that it has been and stored somewhere near the workstation. 35. Passwords often are or shared; it is common to find that a senior executive shares the password with his or her assistant, who is normally the person who enters the computer on behalf of the executive. 36. Names, , birthplaces, in the United States, identity numbers, and credit card numbers are some of the most useful information that identity thieves can get their hands on. 37. sites give users the opportunity to create privacy rules to prevent identity theft attacks, but such rules often are either ignored or badly implemented. 38. A safer option when asked to give a “secret answer” is to choose a password as a answer to any such question and ensure that does not appear on any social site. Ideally, the secondary password should be for each site visited. This can be achieved using the first two or three letters of the site name as a prefix. 39. Many so‐called services utilize a free scaremongering service designed to convince potential subscribers that the only way to avoid
Computer Fraud and Countermeasures ◾
79
a national or international is to subscribe to the newsletter, which then produces regurgitated information freely available on the Internet. 40. Recent estimates indicate that by the end of 2013, one‐eighth of all e‐commerce transactions will take place from a . For such transactions to maintain their integrity, user authentication must be by more powerful and useful fraud detection tools. and permit a vendor faced with a transac41. tion from a mobile device to identify the geolocation of the device and the confirmed authentication of the device identity ( , which can then be compared to the normal device identity and of that particular user. 42. uses the history of transaction patterns to raise the level of in deciding whether to accept the new transaction. 43. Even as recently as three or four years ago, the major threat of impersonation of a user of a mobile device was in which users had installed personal information, bank account numbers, credit card numbers, user ids, and passwords. 44. Even where there is no loss or theft of mobile devices, damage requiring can mean that an innocent user hands over the device personal and corporate information to a third containing party with little or no thought of the information contained thereon. 45. originally evolved as an extension of the traditional client‐server approach to computing in which a network‐friendly client version of a particular application system was lodged on client computers. 46. In terms of fraud risk, exacerbates the risks to information security and privacy since the data as well as the applications are maintained within the itself. 47. Where the data reside in a country other than that of the cloud user, the users may be exposed to regarding future access to their own data in a fraud prosecution as well as issues regarding ownership of the property under the terms of another country’s legislation. 48. Selection of a cloud provider will inevitably complicate application architectures since the existing enterprise solutions will involve architectures. 49. Ensuring that a cloud application will run in an adequate security environment means that the organization must understand its own
80
◾ Questions and Problems
and determine the cloud provider’s ability to deliver security against these criteria. 50. In (SaaS), the intention is to use the provider’s applications running on a cloud infrastructure. 51. When an organization intends to implement business process as a service (BPaaS), where business‐process services may be any business process delivered through the cloud service model via the Internet with access and exploiting Web‐oriented cloud architecattained via ture. 52. The private cloud involves a proprietary architecture or by an individual organization to provide services to internal customers of the organization. 53. From a fraud prevention perspective, it is possible to implement a hybrid combining the advantages of a standard cloud environment for lower‐risk applications while maintaining a behind an adequate firewall for high‐fraud‐risk or sensitive systems. 54. Effective governance in an IT environment involves the implementation of adequate controls to protect the coupled with a monitoring process to alert management to any unexpected incidents in a timely fashion. 55. As part of internal control, the internal auditor has a role to play in assisting management to establish a in which fraud is unlikely to occur, but where it does occur, it will be quickly detected. 56. The IT forensic auditor’s primary obligation is the resolution of IT fraud to prove or disprove allegations of fraud. with 57. Where resources are scarce or the skill to the monitoring is not available in‐house, using to monitor technology should be considered. 58. may be the only control possible in high‐volume transaction processing systems. 59. To be effective in detecting fraud, controls must produce information that is relevant, reliable, and timely. 60. monitoring is designed to ensure that controls function as intended during times of . This type of monitoring is not necessarily restricted to using computerized tools. 61. Continuous monitoring by automated tools, if effective, will give management early alert of within the control environment.
Computer Fraud and Countermeasures ◾
81
62. Monitoring against allows management to monitor the effectiveness of multiple controls, each of which contributes to the control objective in circumstances where it is not to monitor each individual control. 63. Because of the nature of modern systems—high-speed, high-volume, multiple entry points—the control focus typically has been on because the opportunities for as a result of detected problems are minimal. 64. Change control is intended to ensure that, once a program has been put changes that have been into a live environment, only can be implemented in an authorized manner. 65. In all cases where data analytical tools are used, they can be rendered the information they provide. ineffective when users 66. Management must also realize that does not prove fraud. At its most effective, it can only indicate a heightened that an event has fraudulent intent. 67. Overemphasis on continuous monitoring at the expense of a approach can significantly reduce the effectiveness of the overall management of fraud risk. 68. To be effective, the antifraud strategy requires the of all information system owners and the suppliers of operating within the overall mission and strategic objectives of the organization. 69. Using e‐commerce to on customers’ preferences and behavior enables organizations to direct their marketing efforts to targeted customers, allowing cost‐effective market . are one of the hottest areas for consumer fraud with 70. unscrupulous “sellers” advertising products, collecting the payment, disappearing and setting up anew under a different identity, with different e‐mail addresses and telephone numbers. 71. Online auction sites are also becoming of high value to thieves who can sell stolen goods over the Internet for close to instead of having sell through a fence, where the fence makes the bulk of the profits. 72. Multiple versions of e‐commerce are possible, each with its own particular fraud opportunities. However, the primary control objectives remain the prevention of the theft of and prevention of fraudulent transactions against it.
82
73.
◾ Questions and Problems
can be as simple as the retrieval of a preapproved credit card from a mailbox before it is collected, or using the information gathered from a to apply for a new credit card in the victim’s name. 74. involves an electronic purchaser repudiating a purchase by denying the product or service, agreeing to the product or service, or even denying ordering the product or service. 75. The cost of investigating each Internet purchase fraud claim makes it prohibitive; companies are now requiring to cover the insurance cost of such frauds. 76. In the event of an attempted or successful e‐commerce fraud, the most attempt to prosecute or recover assets critical part of any is the and integrity of adequate documentation, whether manual or electronic. 77. Where goods and services have been delivered, and evidence regarding the individual who signed for the receipt are critical. 78. By connecting business partners and creating a , it is possible to reduce costs while simultaneously reducing resupply times. 79. Fundamental in the business‐to‐business e‐commerce arena is the and simple of suppliers both in terms of existence. 80. Any Internet user can, comparatively cheaply, create a Web site offering heavily discounted component supplies and raw material supplies. Once payment is made, the site is closed and the fraudster moves on. the Web sites 81. Slightly more sophisticated fraudsters will of genuine large companies with subtle changes to Web addresses and contact details so that potential trading partners carrying out checks will believe they are doing business with a reliable supplier. 82. Once the identity of the trading partner has been confirmed, must be examined closely in order to determine that all conditions of sale, payment methods, dispute arbitration, national or state laws governing transactions, and rights of inspection are covered. 83. Consumer‐to‐consumer (C2C) is a form of e‐commerce involving consumers selling directly to other consumers—for example, through an such as eBay or through online sites such as Craigslist— where the site serves a conduit to enable C2C trading.
Computer Fraud and Countermeasures ◾
83
84. E‐governance relates to the use of (ICT) delivery of government services to business, citizens, and government. 85. is of paramount importance to any individual or organization involved in e‐commerce. 86. In situations where transactions take place without the physical presence of a payment card (known as [CNP] transactions), liability for confirmation of card users’ identities rests with the and not with the merchant account provider. involve the sending out of a blanket e‐mail purporting to 87. come from victims’ financial institutions in order to collect and authentication information. is an attempt to make the e‐mail fraud more credible by 88. utilizing personalized information already gained from social networks and elsewhere. 89. goes beyond the targeting of employees. Recent attacks have included the targeting of businesses using IT services such as Google AdWords, Yahoo!, and the like. 90. plays on people’s fears that they may already have been compromised and purports to come from the individuals’ or organization’s service provider, which is providing an early alert so that defensive action can be taken. 91. involve the use of a collection of compromised computers to run “bots,” or Web robots (simple programs to carry out fraudulent or malicious activities such as denial‐of‐service attacks or harvesting of e‐mail addresses using spambots as well as other fraudulent techniques). 92. CVV ( ) cracking involves reading the magnetic strip on the back of each card or from the number printed flat on the back of the card. 93. Most e‐mail software permits the attachment of an or file. 94. Users should recognize that the messages sent internally are encrypted between the server and the client but are in the user’s inbox. In the inbox, messages are vulnerable to any user, such as a , who has access to the server on which the inbox resides. 95. In terms of fraud, computer hacking is looked on as the electronic equivalent of . It involves a deliberate and unauthorized access to a computer system.
84
◾ Questions and Problems
96. Hacking is now becoming big business in terms of fraud perpetration. Some groups have developed a business approach. 97. Input frauds normally appear as transactions entered into the computer in such a way that, without disturbing normal systems processing, assets can be obtained without setting off alarm bells within antifraud controls. 98. Throughput frauds typically involve or direct manipulation of information held on the computer disks. 99. An alternative form of throughput fraud can be introduced via , back doors designed into systems from inception, or other malware. 100. Output frauds occur when a correct and valid output is and amended prior to its use for a legitimate purpose. 101. When an IT fraud is suspected, the first task of the investigator is to confirm whether incident and, if so, whether an error was made or whether there was an to defraud. 102. While the investigation is going on, it is important to protect the of both the organization that has been defrauded and the possible perpetrator. 103. An important consideration that can erect barriers to an effective investigation is the need to . involves the hardening of systems to ensure that preven 104. tive controls reduce the of fraud occurring while detective controls exist to produce evidence such that, should a fraud occur, the organization will be able to determine precisely , which systems were involved, and how the fraud was achieved. 105. Should the fraud threat arise as a result of a attack, frequent backups of critical data stored securely may mitigate the impact. 106. Access via networks can be restricted by the use of effective firewalls, , and the use of access control lists on routers. 107. In some high‐security installations, it is felt that it is better to try to track and hackers than simply to the access attempt and leave them to try again. 108. A normally consists of a hardware/software combination intended to demonstrate the forensic acceptability of evidence gathered. 109. An should be put together prior to a fraud occurring so that a potential fraud can be confirmed or dispelled in a time frame that can the damage and scope.
Computer Fraud and Countermeasures ◾
85
110. Determining what probably has happened involves an examination of the local network , potential access routes, and figuring out the actual effectiveness of the preventive and detective measures in place. 111. Acquiring evidence from the computer system initially involves securing the . 112. The system should be shut down by unplugging it directly from the power supply. Under no circumstances should the or be touched or the used to power down the machine. 113. As a general rule, forensic examinations are always conducted on of original media. 114. To be acceptable, the backup copy must be made on a , sector‐by‐sector basis. 115. All examination must take place in a manner that ensures that the evidence remains in its and is not in any way by the examination process. 116. Common mistakes include failing to maintain adequate throughout the examination process, which may result in a failure in the or results produced that the investigator cannot account for. 117. One of the more common mistakes in such investigations involves the underestimation of the or of the fraud. 118. Depending on the nature of the fraud, evidence regarding transactions processed, , e‐mails sent and received, programs executed, and Internet sites visited may all be critical to the of the accused. 119. Critical elements of evidence may include showing who was online at the time of the fraud, transaction logs showing which transactions were entered by which and from which terminal, which programs were used to process the transactions, and who executed the programs. 120. In the course of an ongoing investigation of a fraud in progress, installation of monitoring software on the suspect’s computer can record all events on the computer itself as well as all to and from that address. 121. In efforts to keep up with computer criminals, were drawn up to create categories within which prosecutions could take place. 122. In all cases of fraud, investigators should be aware that, at any time, computer evidence may be challenged as to its , , and .
86
◾ Questions and Problems
QUESTIONS: SHORT ANSWER 1. Overall, the control objectives and architectures of virtual machines do not change and still remain as:
2. Internal controls that can be readily implemented in order to make computer fraud by the outsider more difficult and easier to detect include:
Computer Fraud and Countermeasures ◾
3. Use of continuous monitoring can help fraud detection by:
4. Designing a monitoring architecture is a combination of:
87
88
◾ Questions and Problems
5. Controls to prevent credit card frauds include:
6. The first stage of protecting the digital assets of the organization from fraud is the development of a framework to identify items to be protected and the nature of their vulnerability as well as the protection required. For each of the digital assets listed, indicate the nature of the vulnerability(s) faced, such as disclosure manipulation. ▪▪ Identity and Social Security numbers
▪▪ Corporate financial information ▪▪ Passwords ▪▪ Personal information ▪▪ Encryption keys ▪▪ Corporate planning information
Computer Fraud and Countermeasures ◾
89
7. The design of the control systems themselves must fit the needs of both the asset class and vulnerability. In order to ensure the design adequacy and implementation effectiveness, the roles and responsibilities of the stakeholders must be clearly identified. Define the roles of: ▪▪ Owners of data
▪▪ Users
▪▪ Security management
▪▪ Internal audit
8. Built‐in security weaknesses exist in many sites. Such vulnerabilities include:
90
◾ Questions and Problems
9. An effective incident investigation methodology was proposed by Mandia and Prosise in 2001 and comprised an 11‐stage process. List the stages. ▪▪ Stage 1.
▪▪ Stage 2. ▪▪ Stage 3. ▪▪ Stage 4. ▪▪ Stage 5. ▪▪ Stage 6. ▪▪ Stage 7. ▪▪ Stage 8. ▪▪ Stage 9. ▪▪ Stage 10. ▪▪ Stage 11.
11 CHAPTER ELEVEN
Legal Issues Surrounding Fraud
F
R AU D M AY BE DEFINED A S THE INTENTION A L USE OF DECEPT I O N , trickery, or other dishonest means to deprive others of their assets
or of a legal right. A victim to fraud is entitled seek redress at law for damages against the party acting fraudulently.
QUESTIONS: FILL IN THE BLANKS Refer to Chapter 11 in Corporate Fraud and Internal Control: A Framework for Prevention. 1. Common law traces its roots to the ancient laws of England under which the courts would rule based on and the inherent in the particular society. 2. is the basis under which case law, which derives from rather than legislation, operates and predominates in the United Kingdom, the United States, and other countries previously colonized by the United Kingdom. 3. Disputes under common law are settled using an of evidence and arguments before a neutral arbitrator, judge, or jury. 91
92
◾ Questions and Problems
4. Under civil law, which dates back to the days of the Romans, is seen as the primary source of law, and court systems may act as with precedents overturned based on the court’s interpretation of the law. 5. The legal foundations of many countries are embedded in their , which set out the general frameworks of government. 6. When a case is prosecuted in court, judgment is normally made based on and quantity of evidence presented to the court. the 7. evidence is oral testimony with regard to information obtained from any of the witness’s five senses called to prove a specific act. 8. Real evidence consists of which prove or disprove guilt, such as physical evidence linking the suspect to the scene of the crime. 9. evidence takes the form of printouts, business records, and the like presented to the court. evidence is presented to a jury to demonstrate how an event 10. could have taken place or how the crime could have been committed. 11. Most computer evidence submitted takes the form of evidence. 12. In the absence of direct evidence of a witness, evidence showing levels of authority or job descriptions that indicate the of the accused to commit fraud in the manner in which it happened would also go a considerable way to indicate opportunity. 13. In the United States, evidence gathered in a manner in violation of the constitutional rights of the accused may be ruled in a criminal case. Such evidence is commonly referred to as fruit of the poisonous tree. 14. In bringing an action to court, part of the intention is to attempt in the form of asset recovery. 15. One problem in the asset recovery process is assessing which assets can be linked to the crime as can be seized and which are merely assets of equal value, known as or , which can prove problematic in seeking a seizure order. 16. Proving who has first claim on the defendants’ assets may become a matter of creditors normally are . Victims and favored, and creditors are left without remedy. 17. With the ability to move funds from country to country , asset transfer can stay ahead of all seizure attempts. By the time a warrant is executed, the money may be long gone. 18. Asset movements processed through conventional financial systems normally can be traced via the conventional .
Legal Issues Surrounding Fraud ◾
93
19. A can prevent the disposal of assets or their removal from the jurisdiction of the court that is awarded the order. 20. Other court orders can be sought, including requiring third parties who became embroiled in the commission of the fraud to disclose information that assists in the location of either the accused fraudster or the missing assets. 21. Search orders can be granted where a case has been made and accepted or by a court that the applicant faces serious damage from the fraud and that there is clear evidence that or items exist in the possession of the subject of the search order. and 22. Where the assets removed have been into other assets—for example, money into property—it may be difficult stolen in one country is essentially the legally to prove that same asset as owned in another country, particularly if it is owned by a third party. 23. may prove necessary where corporations have been established specifically to shield owners from any legal obligations by creating the corporation as a separate “legal person.” 24. Fraud can occur when an employer seeks to bypass labor legislation in order to and improve competitive ability at the expense of workers. 25. Workplace fraud exists when an employer misclassifies a worker as a in order to avoid paying unemployment insurance taxes, payroll taxes, workers’ compensation insurance premiums, and the like. 26. When an employer has uncovered a fraud involving , the steps that can be taken against the employee are commonly laid down within the national labor legislation.
94
◾ Questions and Problems
QUESTIONS: SHORT ANSWER 1. Define the difference between actual and punitive damages.
2. In some cases, companies knowingly seek to evade labor legislation by classifying workers as independent contractors rather than employees. In order to legally achieve such classification, an individual must be demonstrably:
12 C H A P T E R T W E LV E
Industry-Related Fraud Opportunities
A
S W I T H A L L F R AU D S , each industry becomes a target for more
directed frauds, and the control mechanisms become more specialized to mitigate the risks of such fraud opportunities.
QUESTIONS: FILL IN THE BLANKS Refer to Chapter 12 in Corporate Fraud and Internal Control: A Framework for Prevention. 1. involves the processing of a financial transaction representing the proceeds of unlawful activity in such a manner to conceal the nature, source, or ownership of the proceeds or to avoid a legal requirement to report such a transaction. 2. In order to fight money laundering, fi nancial institutions often are required to maintain a of any prescribed transactions with such information furnished to the appropriate authorities on request or as required. 3. Combating money laundering involves increased care in the area of 95
96
◾ Questions and Problems
4. When applied at a customer level, is normally based on an analysis of behavior, particularly those behaviors associated with high‐risk or high‐value transactions. 5. With the volume of transactions entered into via banking systems, only the application of techniques using resources can effectively carry out anti–money laundering scrutiny to an acceptable level. be notified 6. Most jurisdictions have a requirement that the in a timely manner of all significant transactions in terms of anti–money laundering legislation with for a financial institution that fails to provide such notification. 7. Many law‐abiding customers find monitoring and notification to be an unwarranted and unacceptable intrusion into the of their financial dealings. 8. A major difference between credit cards and debit cards/ATM cards is the manner in which the cardholder is . 9. For credit cards, authentication is based on recognition of the compared to a record held of the . In many cases, the signature is irrelevant since no actual takes place when a card is used even in the presence of a checkout operator. 10. involves a request for some form of personal information, such as the address or postal code to which a bank statement is sent. 11. In the case of card fraud, unless or is proven, neither the consumers nor the merchants suffer the loss; it falls back on the financial institution. 12. Debit and ATM cards authenticate purely by use of a . Once again, this is vulnerable to skimming as well as obtaining the numbers from third‐party sites. 13. Credit card numbers themselves have a built‐in that can be used to verify whether the number itself is valid. Verification using this number is known as a , after the German computer scientist who invented it. 14. In addition to transactions, fraudsters can manufacture fake credit cards that appear to be legitimate, including the correct graphic, hologram, and information on the reverse. 15. The current direction for card authentication is the incorporation of techniques.
Industry-Related Fraud Opportunities ◾
97
16. Biometrics is a technique based on the underlying assumption that individuals have unique that cannot be reproduced, such as fingerprints, handprints, voice prints, retinas, or . 17. One major problem in the use of biometrics is that, should a breach occur, legitimate users cannot , for example, their thumbprint. 18. From the merchant’s perspective, card fraud becomes a significant problem in sales. 19. In the case of a card not present (CNP) sale, whether by the Internet, mail order, or telephone, the liability rests with the . Most commonly this type of fraud results in a chargeback when the legitimate card the payment. owner 20. remains popular among the fraudsters due to the lack of sophistication required to commit such fraud. 21. of checks normally involves the use of special papers and inks. 22. Check fraud within the organization most commonly takes place when an employee issues a check without . 23. A variation on check fraud involves the issuing of checks on accounts or where there is no intention that have already been of providing funds to cover the amount. This technique is known as . involves utilizing accounts at multiple financial institu 24. tions to create apparently legitimate balances. 25. Counterfeiting generally takes two forms: use of and to modify the information written or printed on a check, or the complete of a fraudulent check, typically using today’s computer technology and high‐quality scanners and printers. 26. A critical component of the control structures preventing check fraud from occurring are employees’ , , and . 27. The fewer personnel authorized to sign checks, the the chances of check fraud being attempted. 28. involve the transfer of money and securities via electronic media with almost taking place. 29. Wire fraud or wire transfer frauds occur when transfer is made to an account that is as the recipient by someone other than an .
98
◾ Questions and Problems
30. Wire transfer frauds tend to occur more in and accounts rather than accounts because the funds available to be transferred are larger. 31. Where payments are made to an organization electronically, a special account should be set up to receive such payments with the bank informed that this should be a account (i.e., an account into which money can be paid but not withdrawn). 32. Fraudsters targeting a specific company have been known to work for the organization for a day in order to receive a with the company’s account number and . 33. Unlike checks that require specified signatories and may require two sigoften are not subject to natories for high‐value checks, such dual control or senior‐level authorization. 34. There has been an enormous increase in online banking due to its associated with such transactions. and the 35. Using a variety of techniques, online fraudsters will steal to target individuals and organizations, using and online the Internet to process financial transactions from home or work. 36. technique involves simple observation of the data entry of personal information into a computer system in order to gain access to Internet banking. 37. Individuals using computers should, wherever possible, avoid access to computer systems containing or information. 38. are used not only to record keystrokes but can record and mouse clicks on screen images. 39. Malware comes in a variety of forms. One sophisticated form is software, where the malware inserts itself in the middle of the user’s transaction in order to steal the and debit money from an account. 40. schemes commonly use e‐mails that appear to originate from within the customers’ own bank prompting, for various reasons, users to log in to the . 41. is a technique involving the redirection of a Web site’s traffic to an alternative bogus site. 42. In some jurisdictions, the of legitimate Web sites is against the law. However, in others, no such legislation exists. 43. Also known as a zombie armies, are computers attached to the Internet that, unknown to their legitimate users, have had
Industry-Related Fraud Opportunities ◾
99
installed to forward transmissions such as viruses or spam to other computers on the Internet. 44. is a technique used by fraudsters to prevent identification by law enforcement officials tracing back through network connections. 45. SSL encryption is based on a that provides the browser with the identity of the Web site and the owner or company as well as the information required to make a . capabilities, users 46. If an e‐commerce site does not provide or organizations should consider carefully the risk inherent in proceeding with the transaction. 47. Where a is provided for the use of customers or guests, it must be kept separate from the normal corporate network so that can enter the organization’s internal systems via this route. 48. Most commercially available routers offer a choice of the level of encryption to be provided. Only or later should be used. Earlier versions can be penetrated comparatively easily. 49. Where wire transfer payments are being made, ensure that two separate individuals, operating from , must participate in the transaction. should be audited frequently, particularly for users who 50. process banking transactions. 51. In the corporate environment, all activities should be initiated from a computer dedicated for this purpose. No other communications, such as e‐mail, should be enabled. 52. In the corporate environment, the safest option is to block except where required for specific corporate purposes. In those cases access should be restricted to . 53. Banks provide a variety of and options in order to deter ACH fraud. These methods include filters, debit blocks, and the use of account numbers to maintain the anonymity of customers’ account numbers. 54. High‐value transactions and accounts with for the processing of high‐value transactions should be on an ongoing basis whenever possible. 55. involves changing the appearance of the proceeds of illegal activities to make them appear as if they were produced by legitimate means.
100
◾ Questions and Problems
56. Medicare frauds can range from the of such information to individuals who have so that they can obtain treatment using the assumed identity. 57. After a fraud, when patient records are prior to treatment, it may be found that the may have an allergy to treatment or may not have an allergy to treatment where the false patient may have the opposite condition. 58. Using the identification information of beneficiaries, bills can be charged for treatments that were , equipment that was , and drugs that were . 59. In Medicare fraud, in addition to the dangers of , misdiagnosis may occur because a patient’s record indicates that certain tests had been carried out with no condition found. on average, 60. Where a region’s population is particularly false claims for pediatric care may not be readily noticed. 61. In order to combat these fraud events, mutually exclusive codes could, for example, involve claims for two or more medical procedures that are clinically similar and would be seen together, where a claim would be either procedure A or procedure B but not . prohibits bribery and kickbacks in any form whether 62. The directly or indirectly offered or received for or items or for referral of patients to providers of services. 63. In order to avoid the possibility of or breaches of the laws protecting health care programs, the implementation of an effective compliance plan can not only prevent fraud but can demonstrate an intention of complying with the law in the event of an breach. 64. Any insurance policy is a legal agreement between the insurer and the insured based on the concept of . 65. The degree of that the customer hold with regard to the insurance company is largely based on their in the marketplace, equitable settlement of claims, and in their processing of claims. 66. Insurance fraud takes a multiplicity of forms that may generally be categorized as internal or external fraud. include such activities as the issuing of , insurance identification cards, or insurance certificates in order to fraudulently collect premiums without actually providing insurance cover the “policyholder” expects.
Industry-Related Fraud Opportunities ◾
67.
101
insurance frauds include fraud schemes where multiple insurance policies are purchased for coverage of a single vehicle or property that is subsequently or so that multiple claims can be made. 68. In the event of damage to property or vehicles, the repairer may, in collusion with a policyholder, bill the insurance company for repairs to damages those actually , either to split the claimed or simply to have additional work over and above the repair of the actual damages. 69. Other fraudulent claims schemes against corporate insurance include claims of or being found in food or drink, vehicle theft, and even fraudulent claims. 70. insurance scams take place when a genuine loss or injury takes place in an uninsured condition. The loss or injury is until insurance coverage is obtained, and then the loss or injury is reported. 71. Car owners should be wary of insurance fraudsters who will use a variety of techniques to enable claims for against a driver’s insurance policy. 72. Insurance companies have substantially increased their expenditure on antifraud measures in recent years, including the establishment of , customer education on the red flags on potential frauds, and the provision of hotlines for reporting fraud. 73. In fighting the fraudster’s use of fake insurance companies, regulators are and of insurance taking a closer look at the companies. 74. The front line of fraud detection in most insurance companies is the staff members who deal with the process. 75. Traditional insurance fraud investigation techniques commonly involve the use of a claims investigation unit (CIU) based on a recommendation. 76. are professionals who are trained in the appropriate methodology to investigate suspected insurance fraud. 77. Obviously, from law enforcement, neighbors, and even family can point the way to detection of . Insurance companies also seek to use the data accumulated to try to predict areas of . 78. Faced with escalating volumes and sophistication of fraud, the insurance industry has responded with aggressive use of to identify events as potential frauds.
102
◾ Questions and Problems
79. Use of can detect patterns within text material as well as identification of abnormal . 80. A variety of services are available through which subscribers can submit abbreviated data of claims that have already been adjudicated. 81. (OLAP), when employed by a skilled analyst, facilitates models of the behavior of individuals or peer groups of indiof behavior patterns in order to identify viduals as well as anomalies in comparison to the typical group profile. 82. testing evaluates each transaction against a predefined rules base in order to calculate an aggregate score that can be compared to so that any claim that exceeds the threshold can be treated as suspicious. 83. combines attributes of both OLAP and rules‐based testing in order to build fraud propensity scores using data mining tools. 84. uses a different form of computerized analysis in order to identify network patterns of . Again, this method can be automated as a continuous monitoring process to identify transactional from related parties. 85. Computer software can be used to analyze , such as claimant interviews or customer service calls. uses information from known fraudulent claims as well as 86. legitimate claims to identify independent variables. 87. Use of fake insurers coupled with schemes can move fraudulent funds overseas using Internet techniques. 88. One of the biggest target groups for insurance scams remain the guar. Investment scams include sales of fake anteed by nonexistent insurance companies and sales of reaping large benefits for the fraudsters. 89. To many people, tax fraud is not a but a minor peccadillo, comparable to drinking alcohol in the days of Prohibition. 90. involves the failure to declare income classified by the local legislation as taxable and is against the law. 91. involves structuring economic activity to take advantage of any legal avenue to reduce the level of taxable income. 92. A is intended to reduce tax due to be paid to a government by reducing the taxable income declared. 93. Legiti mate ta x shelters may i nclude i nvestment i n , employer‐funded , employer‐funded health
Industry-Related Fraud Opportunities ◾
103
insurance, employer‐funded life insurance, investment in real estate, and . 94. The extent of tax evasion can be generally inferred if the can be estimated and declared income deducted. 95. A common method for determining the total economic activity is the use of the of the gross domestic product of the country. 96. When a business charges to the consumer, the taxable within the country. portion must be remitted to the 97. In the case of value added tax (VAT), businesses are normally permitted to offset VAT paid for against their or VAT collected, and the amount is then paid to the taxation authority. 98. A common fraud in a VAT environment is the collection of VAT by organizations that are for such collections and the failure to remit the tax income to the taxation authority. 99. An alternative method of fraud for a VAT‐registered business is simply to the amount of VAT collected. 100. A common method of conducting a VAT fraud is to claim back the VAT for goods and services . occurs when goods and services are purchased within 101. An a European Union member state in which those particular goods or services are for VAT purposes and then sold in another member state for the standard rate. 102. Other forms of indirect taxation fraud include the avoidance of on commodities such as fuel, tobacco, and alcohol. 103. Tax shelters may take the form of investments in accounts, such as , which attract lower tax rates. 104. In some jurisdictions, may be used to fund a secondary business, thus reducing taxable income from the . 105. Nonlegitimate or tax shelters involve mechanisms designed simply to reduce the amount of tax to the government. 106. Offshore tax havens may be identified by specific characteristics, including no taxation or on the relevant income. 107. Bank secrecy continues to be maintained in individual countries, but, under specific and well‐defined circumstances, it can be lifted so that and international requests can be responded to. 108. The obtaining of false driver’s licenses is of particular concern in the United States since these licenses are the most commonly used mechanism for of an individual in nongovernmental areas.
104
◾ Questions and Problems
109. Drivers’ licenses are commonly used at airports for passenger identification and when entering secured areas, as a means of authentication when applying for , and even for crossing borders. 110. is taken to occur when an individual steals another individual’s identification information and uses it for fraudulent purposes. 111. In many cases of Social Security fraud, it has been found that the SSN was within both public and private domains obtained through as well as via theft of the information from , wallets, and purses. is used when an in‐person interview occurs either at a 112. Social Security Administration field office or via telephone. 113. is a mechanism whereby applicants via the Internet are no longer required to print and sign a completed application form and return it for processing. 114. involves an electronic entry by an SSA employee when an applicant has submitted a “wet” signature application form, either in person or by mail. 115. Care should be taken to ensure that, when a has taken place, all personal financial contacts of the are immediately informed so that when the information is published, it is valueless to a fraudster. 116. frauds typically involve the insertion of a few new tiles or shingles, a lot of hammering, and spraying a liquid, even water, on part of the roof to make it look as of it has been repaired. 117. Paving frauds frequently involve the execution of substandard work where no is carried out and a thin layer of tar and sand is laid down, only to disintegrate after a short period of time. 118. Sealant frauds involve the use of substandard materials that generally have very little . 119. Use of loans from governments or financial institutions and lease finance provided for the purchase of may be unobtainable with reduced economic activity, and an increased requirement for and default insurance may be evident. 120. Providing kickbacks and bribes to ensure the acceptance of higher‐priced quotes raises the fraudster’s ability kickbacks and bribes. 121. As with many other industries, frequently have lower levels of internal control simply due to the lack of . Frauds within these organizations are more likely to be detected by or tip.
Industry-Related Fraud Opportunities
◾
105
122. Red flags for fraud typically include repeated use of the same vendors, ignoring purchasing policies, or from a specific supplier. 123. Construction fraud can occur at the stage; red flags here would include bidding sign‐offs by , bypassing bid review procedures, abnormal variations in specifications or contracts, improper contact with the bidder, acceptance of or backdating of bids, and general and unusual patterns in bid awards. 124. Bribery or fraud during a construction project execution can result in an end product that is , defective, or dangerous.
QUESTIONS: SHORT ANSWER 1. Banking fraud is a scheme intended to defraud a financial institution or to obtain the assets under the control of a financial institution by means of fraud. Multiple variations of bank fraud occur, including:
106
◾ Questions and Problems
2. The overall objectives of anti–money laundering activities are:
3. The PCI‐DSS standards themselves include requirements such that all parties to payment card processing including merchants, card issuers, processors, acquirers, and service providers must achieve a minimum standard of protection for cardholder data that includes:
Industry-Related Fraud Opportunities ◾
4. Traditional controls to prevent card fraud include:
5. Internal controls against card fraud at the merchant level include:
107
108
◾ Questions and Problems
6. Check security at the corporate end involves controls such as:
7. Despite their undoubted convenience, there are some drawbacks in the use of ACH debits. These include:
Industry-Related Fraud Opportunities ◾
109
8. One of the main control components in the prevention of money laundering is the implementation of an effective anti–money laundering program. Such programs consist of:
9. Most common forms of health care fraud involve:
110
◾ Questions and Problems
10. At the individual level, awareness and alertness are the primary elements of control activities to prevent health care fraud including:
11. Governments regard tackling taxation fraud as a major imperative in order to protect:
Industry-Related Fraud Opportunities ◾
12. Legitimate tax shelters may include:
111
II
PAR T TWO
Solutions
1
CHAPTER ONE
Nature of Fraud
ANSWERS: FILL IN THE BLANKS 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17.
legal untrue, material, intentionally may or may not could, harm, prejudice actual assets, cash theft, noncash assets theft by false pretenses material fact preventive business activity, economic injury the general public fraud risk assessment poorly trained, inattentive pressure, medical expenses, expensive tastes secrecy Rationalization, internal belief system capability, undetectable 115
116
18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. 32.
◾ Solutions
poor management oversight, preventative controls anomalies, behavior traits early warning, pressure sources obtain value, conceal their actions individual, organization targeted measurement 5 tips “denied” losses of assets investigation detected early culture of ethics, integrity access to decision makers “statistically valid estimate”
SOLUTIONS: SHORT-ANSWER QUESTIONS 1. The three elements of the fraud triangle are pressure, opportunity, and rationalization. 2. Management may have suspected the previous bookkeeper because the previous bookkeeper, despite having several years of apparently loyal service, may have become disgruntled with the organization because of the apparent bias of his supervisor regarding promotion and the lack of action from the human resources department. When an employee feels unfairly done by, a feeling of entitlement to the money stolen can develop; therefore, the fraudster rationalizes the theft. 3. The red flags for fraud in such a situation could include staff members exhibiting any of these behaviors: ▪ Sudden increase in the visibility of material possessions ▪ Apparent increase in staff absenteeism ▪ Decreases in productivity and increases in signs of dissatisfaction at work ▪ Mood changes and increased irritability ▪ Borrowing money from coworkers ▪ Refusing promotion ▪ Refusing to take vacation time ▪ Working unnecessary overtime
Nature of Fraud ◾
▪▪ ▪▪ ▪▪ ▪▪ ▪▪ ▪▪ ▪▪ ▪▪
Carrying large amounts of cash Rewriting records for neatness sake Work performance levels considerably higher than the norm Dominating and controlling attitudes developing Living beyond their means Disliking their work being reviewed Maintaining close relationships with vendors or customers Exhibiting a strong desire to display material wealth
117
2
CHAPTER TWO
Elements of the Crimes of Theft and Fraud
ANSWERS: FILL IN THE BLANKS 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17.
precedent or case theft 12 handled deprives, exercises the rights electronic funds, misappropriation negotiable erasure, cut and paste chemical detectors, physical characteristics Fourdrinier price fi xing, defective products outside vendor, never done raise crowded, mature Bid rigging complementary bidding subcontracting 119
120
18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28.
◾ Solutions
increase profits influencing decisions, activities joint ventures conflict of interest the employer Embezzlement integrity, confidentiality cloud computing encryption, wireless sniffers adequate internal controls Money laundering
SOLUTIONS: SHORT-ANSWER QUESTIONS 1. Data leakage. This may appear to be theft but does not comply with the common law principles of the offense, which is to deprive the rightful owner of the use of his or her asset. 2. In order to be defined as fraud, criteria to be met would include: ▪ Misrepresentation, involving perversion or distortion of the truth has been made either in the form of spoken or written words or even in the conduct of the accused—for example, nodding of the head. ▪ The misrepresentation has resulted in an actual or potential prejudice to the victim or to a third party. ▪ Nonproprietary prejudice does not necessarily involve direct prejudice to a third party. For example, the production of a forged a driver’s license when charged with the traffic offense. ▪ Intention to defraud. Negligence regarding the truth of a statement is not the same as intent. 3. False. These watermarks are faint designs that are pressed into the paper during the manufacturing process. Artificial watermarks can be simulated via computer; Fourdrinier cannot. 4. Red flags for bid rigging may include: ▪ One or more bidding companies continuing to submit unsuccessful bids with a single company winning most of the contracts ▪ A group of companies consistently bidding for the same contracts with a rotation of the lowest bidder ▪ Sudden reduction in bid prices whenever a new bidder enters the market
Elements of the Crimes of Theft and Fraud ◾
121
▪▪ Consistent subcontracting by winning bidders to one or more unsuccessful competitors in the bidding process
▪▪ The sudden withdrawal of a successful bid and the subsequent subcontracting to the new bid winner 5. Basic money laundering is a three‐stage process: ▪▪ Stage 1. Placement involves the introduction of the illegally gained cash into a legitimate financial institution. Most countries have legislation requiring banks to report high‐value cash transactions. This means that the money has to be broken down into smaller amounts and spread around so that the sheer size of the cash deposit is not given away. ▪▪ Stage 2. Layering involves the movement of the funds using a variety of financial transactions to make its trail hard to follow. This would include such transactions as wire transfers between different accounts, in different countries, in different names, and purchase of high‐value items, such as diamonds, houses, or aircraft, to change the form of the money. ▪▪ Stage 3. Integration involves the reintroduction of the money into the mainstream economy as legitimate assets apparently coming from legal transactions. This may take the form of an “investment” in a legitimate business in exchange for a share of the profits or perhaps the sale of a high‐value asset.
3
CHAPTER THREE
Frauds Against the Individual
ANSWERS: FILL IN THE BLANKS 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17.
nondisbursing absurdly low Consumer Rogue dialers, stealth mode lottery letter, e‐mail, mobile text message “Reloading” pay‐per‐call do not expect to receive a product negligent misrepresentation duty of disclosure up‐front 4‐1‐9 dead relatives, officials “middleman” Bait and switch intentional, greater 123
124
18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30.
◾ Solutions
documentation, corroborating with extortion affinity fraud Ponzi guaranteed pyramid scheme inventory loading later investors “agency fees” “work at home” registered, hosted skepticism
SOLUTIONS: SHORT-ANSWER QUESTIONS 1. Typical among online auction frauds are: ▪ Failure to send purchased items ▪ Failure to pay ▪ Misrepresentation of the item for sale ▪ Switching purchased items and returning a defective equivalent ▪ Sale of stolen goods ▪ Sale of pirated or counterfeited goods ▪ Charging excessive shipping costs ▪ Selling nonexistent goods in order to extract credit card details 2. Gifting clubs frequently purport to be local charitable or church groups with associated joining fees. In reality, many are simply pyramid schemes requiring constant recruitment to survive. Ultimately, the pyramid collapses and joining fees are lost. 3. The individual elements of misrepresentation include: ▪ The making of a material false statement ▪ Prior knowledge of the falsity of the statement by the accused ▪ The degree of reliance placed on the statement by the intended victim ▪ Damages or losses incurred by the intended victim
4
CHAPTER FOUR
Frauds Against the Organization
ANSWERS: FILL IN THE BLANKS 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17.
highly complimentary financial institutions Fraud for profit income, ability to pay Occupancy fraud silent second mortgage preforeclosure buy and bail Document analysis Sudden, unexpected, urgent long fi rm fraudulent conversion influence break down payoff, head of the queue self‐interest, conflict of interest fiduciary relation 125
126
◾ Solutions
8. best interests 1 19. trade secret 20. noncompete 21. patent, permanently 22. reverse engineering 23. knowingly, intentionally, material 24. off‐label 25. higher prices, average price 26. inferior, refurbished, low 27. fixed-price, cost‐plus, cross‐charging 28. false claims 29. overcharging, nondelivered services 30. adequate recordkeeping, accuracy, completeness 31. borrow, loan proceeds 32. reasonably equivalent value 33. valuable property, equity 34. closed subscriptions 35. independent board, committee members 36. intent, agreement, overt act 37. Lapping 38. Kiting 39. overissue, bogus checks, postdated checks 40. branch, subsidiary 41. allegation 42. counterfeit, individual printer 43. rag 44. Benefit frauds 45. second largest 46. knowingly lies, not entitled 47. obsolete merchandise, unprofitable business subsidiaries 48. life insurance, forged death certificates 49. Whole life, whole life 50. someone else’s identity 51. Credit card generators 52. card not present, assumes liability 53. Pension frauds 54. direct, indirect, excise 55. duty of trust, confidence 56. Click fraud
Frauds Against the Organization
.
◾
127
57. bots, botnet, zombie 58. believe the article to be genuine
SOLUTIONS: SHORT-ANSWER QUESTIONS 1. Under bankruptcy fraud, the fraudster fi les a notice of bankruptcy. All creditors receive a copy of the notice. The fraudster then approaches creditors individually, telling each in turn that they are a favorite and that he or she wants to see them get paid something out of what remains. The creditor frequently settles for a low percentage of the amount owed. After a settlement with one creditor is reached, the fraudster moves on to the next creditor, and the next, until all creditors have settled for a small fraction of the amounts owed. The fraudster then withdraws the petition for bankruptcy, having extinguished most of the debt for a fraction of the original amounts. 2. Major documents in mortgage loan applications include: ▪ An itemized list of all charges imposed on a borrower and seller for the real estate transaction. In the United States, this form is known as a HUD‐1 and is required in all transactions involving federally related mortgage loans. This document would includes all settlement charges and agency commissions indicating whether these costs go to the buyer’s or seller’s account. ▪ The good‐faith estimate form. It is supplied to the purchaser by the lender or mortgage broker to inform the purchaser of all costs and whether or not someone else will service the loan after closure. Again, this form is a requirement in the United States. ▪ A verification of employment form. This form is sent directly to the employer for confirmation of employment and earnings. ▪ Current pay slips. ▪ Wage and tax statements from the employer for previous years. ▪ Previous tax returns. ▪ Bank statements. ▪ Assets statements. ▪ Identification documentation. 3. Commonly, statutes define the elements of embezzlement as including: ▪ The property embezzled must belong to a person other than the accused. ▪ The accused must have an intent to defraud at the time of conversion.
128
◾ Solutions
▪▪ The property must have been converted at some point after the accused had original and lawful possession of it.
▪▪ The accused must have been in a position of trust such that the property was held by him or her for some legitimate purpose. 4. Internal controls to prevent theft of trade secrets or seek redress could include security procedures such as: ▪▪ Fence parameters ▪▪ Visitor control systems ▪▪ Security personnel ▪▪ “Authorized Personnel Only” signs at access points ▪▪ Sign‐in/sign‐out procedures for trade secret materials ▪▪ Use of identity badges ▪▪ Written security policies ▪▪ Confidentiality and nondisclosure agreements In addition, control over logical access to digital information must be maintained, including controls such as: ▪▪ Unique user IDs and passwords ▪▪ Use of firewall protection ▪▪ Segregation of confidential information ▪▪ Use and scrutiny of access logs ▪▪ Restrictions on the use of external computer programs or storage media Human resource controls are also required, including: ▪▪ Conducting background checks on new employees ▪▪ Reminding employees of confidentiality agreements during exit interviews 5. Frauds committed against both private and public health care programs may include: ▪▪ Charges made for nonexistent patients or patients who underwent no treatment but nevertheless were charged. ▪▪ Charges made for services not rendered including diagnostic tests of pharmaceuticals not supplied. ▪▪ “Unbundling” of services, which attract large discounts when performed together as they normally are. Individual billing can result in considerably increased charges. ▪▪ Conducting unnecessary medical procedures including diagnostic tests, treatments, and supply of medical devices. 6. In tunneling, expropriation of the firm’s value by insiders may take the form of: ▪▪ Cash flow tunneling, in which the defrauded organization is encouraged or even forced to buy assets or consumables from organizations
Frauds Against the Organization ◾
129
associated with board directors at inflated prices. In some cases, this may involve acquisition of assets that are unnecessary to the business of the defrauded company. Such transactions may include outright theft as well as fraud. ▪▪ Asset tunneling, which can involve the sale of assets from the organization to individuals or organizations associated with the fraudster at below‐market values or on sale‐and‐leaseback agreements that are financially detrimental to the organization. ▪▪ Equity tunneling, which can involve both equity dilution and freeze‐out. Equity tunneling may involve dilutive share issues, insider trading, and holding on to acquisitions until ultimately minority shareholders can be frozen out. 7. Automobile insurance frauds, including motorcycles, trucks, snowmobiles, and the like, encompass an array of schemes including: ▪▪ The insurance of phantom vehicles through forged title or registration papers in order that a report of theft can be made and a fraudulent insurance claim made. ▪▪ Owner destruction of defective vehicles followed by a claim for theft. ▪▪ Export fraud involving the illegal exportation of an insured vehicle followed by a claim for theft. ▪▪ Thirty‐day specials where an owner of a vehicle requiring extensive repairs will report it stolen and conceal it for 30 days until the claim has been settled. Thereupon the vehicle may be “discovered” and the insurance company now owns a non–roadworthy vehicle. 8. Common frauds involving pension schemes include: ▪▪ Insurance company misrepresentation of allowable tax deductions and exemptions. ▪▪ Pension plan dipping by employers to gain cash needed to run the business. Such frauds can also occur in the diversion of legislated deductions from employees, such as tax payments. ▪▪ Pension plan overpayments by employers and/or employees because of misrepresentation by insurance companies. The promoters and agents receive substantial commission on the plan sales while the employer may be guilty of participating in an abusive tax shelter since the Internal Revenue Service made 412(i) plans reportable transactions. ▪▪ In some cases, investment firms pay commissions to “placement agents” or “introducing agents” when a contract is awarded. This commission becomes a problem only when the person receiving the commission is also an advisor to or trustee of the pension plan or related in some other
130
◾ Solutions
way to either. In such cases, the commission, known as a pay to play, is a bribe, although it is not necessarily illegal. 9. The protection schemes for intellectual properties including copyright, trademarks, and patents are described as: ▪▪ Copyrights were defined as “a set of exclusive rights subsisting in original works of authorship . . . for a fixed period of time.” ▪▪ Trademarks were defined as “any sign or any combination of signs capable of distinguishing the source of goods or services [that] is capable of constituting a trademark.” ▪▪ Patents were referred to as “exclusive rights granted to inventions for fixed periods of time whether products or process is, in all fields of technology, provided they are new, not obvious (involve an inventive step), and have utility (are capable of industrial application).”
5
CHAPTER FIVE
Fighting Corruption
ANSWERS: FILL IN THE BLANKS 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17.
culture needy, government services segregating theft, diversion, disclosure, abuse trust, destroying jobs norm, favors values, complexities quality, quantity substituting inferior quality, value precluding previous experience, quality optimum criticality, complexity, cost low cost, request for information (RFI) clear, normal, request request for proposal (RFP) specifically to target 131
132
18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. 32. 33. 34. 35. 36. 37. 38. 39. 40. 41. 42. 43.
◾ Solutions
operational management, legal services, internal audit transparency, open advertising encrypted, decrypted good business practice prequalification detective business objective abor, material, direct, indirect pad underestimated, increased Postqualification, compliance accuracy, adequacy Contract implementation internal auditors full audit trail lessons learned Nepotism, merit very effective, corporate culture antidiscriminatory Cronyism network of “insiders” arbitrary, capricious communications, stories, traditions, rites, rituals shared norms who to report it to clearly defined
SOLUTIONS: SHORT-ANSWER QUESTIONS 1. Fighting bribery in public procurement involves three main control opportunities. a. Detection mechanisms involving the use of organizations and individuals with specific skills to identify, investigate, and prosecute bribery and corruption are required. In a modern, computer‐driven business environment, many controls can be implemented electronically to facilitate early detection of patterns that may indicate the presence of bribery or corruption. Knowing that bribery or corruption is happening can, in some cases, be counterproductive if it becomes known
Fighting Corruption ◾
133
that wrongdoing was detected but nothing was done about it. This can have the effect of encouraging others to follow the same corrupt lines in the belief that someone else got away with it, so can I. To reduce the probability of bribery and corruption, both early detection and swift and undesirable punishment are required. b. To prevent and/or detect such corruption early, rules and regulations must be clear and unambiguous and properly enforced. Having the wrong rules and laws in place may encourage fraud and corruption; likewise, ineffectively policing and enforcing even the right laws can have an equally negative impact. Compliance with such rules must become the norm rather than the exception. All involved must have a heightened sense of ethical behavior and a strong resistance to wrongdoing. These attitudes will assist in the generation of a culture of alertness and awareness. c. An across‐the‐board awareness of the negative impacts of bribery has to be cultivated within and around the organizations or government functions concerned. Management, staff, customers, and suppliers must believe that accepting a bribe is against the best interest of the organization and the individual; all must be willing to take the appropriate steps to report any known occurrences and assist in their investigation. As this attitude becomes embedded in the culture of the organizations or national bodies, people begin to see that bribery and corruption are unacceptable not because they will be caught and punished but because they are against the interests of all. Transparency, involving both clarity of the procedural base and the verification that rules were followed, assists in the development of this ethical climate. 2. The 11 stages of a generic tendering process are: a. Procurement planning b. Product design c. Advertising d. Invitation to bid e. Prequalification of bidders f. Technical evaluation g. Financial evaluation h. Postqualification i. Contract award j. Contract implementation k. Verification and follow‐up
134
◾ Solutions
3. Tasks to be achieved in the procurement planning process include: ▪▪ Development of an integrated procurement plan methodology ▪▪ Assignment of roles and responsibilities for the duration of the tendering process ▪▪ Clarification of the business objectives to be achieved and the scope of the work to be tendered for ▪▪ Development of clear measuring criteria and an evaluation methodology to be maintained throughout the tendering process ▪▪ Ensuring a clear understanding of potential service and goods suppliers of the outcomes, tasks, time scales and deliverables required. 4. Nine opportunities for bribery in the implementation phase of procurement could include: a. Amending work orders b. Substitution of inferior‐quality materials c. Charging for work that did not occur d. Inflating material usage or time spent e. Supplying contracted services that do not meet specification f. Overlooking defects in items or services procured g. Incomplete servicing of the contract h. Missing of deadlines i. Simple overcharging 5. Explain the next traits that can lead to fraud. ▪▪ Lack of director independence. This situation is common in organizations where directors have a financial relationship either as primary stockholders or have received personal loans from the organization. Other indicators include company directors who have personal conflicts by serving on the boards of other associated companies, directors who are also employees, and directors who are a key supplier or customer. ▪▪ Poorly structured compensation schemes. A chronic problem in many corporate failures is the inclusion of short‐term rewards, such as sizable annual bonuses or short‐term stock options, as substantial parts of the compensation package. This situation can lead to the adoption of business practices detrimental to the survival prospects of the organization. ▪▪ Adoption of inappropriate (and sometimes illegal) accounting practices. In WorldCom, this involved transferring specific current costs into capital accounts, thus fraudulently concealing operating expenses and enabling the company to report higher earnings. In a similar manner, Enron operated a multiplicity of special‐purpose vehicles that facilitated off‐balance‐sheet accounting, thus concealing liabilities.
Fighting Corruption ◾
135
▪▪ Multiple and conflicting use of audit firms. Utilizing different arms of the same firms to undertake nonaccounting services, such as consulting and outsourcing of internal audit services, placed the audit firms in a situation where a large part of their income was derived from conflicting interests. 6. Controls that can help avoid favoritism include: ▪▪ Avoiding family relationships in the workplace where possible or, at minimum, ensuring no supervisor–subordinate relationship exists. ▪▪ Ensuring that all advancements, compensation, and awards are based solely on performance using an objective and public method for evaluating such performance. ▪▪ Being alert to office gossip, which may indicate the perception of favoritism. Misconceptions must be corrected as soon as possible. ▪▪ Ensuring that the workplace environment encourages all employees to discuss any concerns with at least two independent people at the supervisory level. ▪▪ Conducting performance appraisals separately and at a different time from salary reviews. ▪▪ Introducing incentives that will realign supervisory interest with that of the organization. Even comparatively low levels of incentives can have a disproportionately positive impact on overall performance.
6
CHAPTER SIX
Role of Ethics in Fighting Fraud
ANSWERS: FILL IN THE BLANKS 1. moral complexities 2. reflective choice, consequences, guidance 3. cognitivism, objectively, noncognitivism, moral wrong from right, subjective 4. moral relativism 5. imperative principle 6. utilitarian principle 7. Deontological ethics 8. Classical ethics 9. no 10. individual self‐interest 11. ethical moralists 12. ethical rules and principles 13. codes of ethics 14. corporate code of conduct 15. directive 16. positive generalizations, specific prohibitions 137
138
17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29.
◾ Solutions
active engagement, demonstrably measurable appropriate, properly embedded right to audit dismissal, termination, prosecution moralists, realists, conformists, critics Moralists Realists Conformists Critics substantial evidence hotline poor publicity good‐faith, fear of retaliation
SOLUTIONS: SHORT-ANSWER QUESTIONS 1. Kohlberg’s six stages of individual ethical development are: Stage 1. Obedience and punishment orientation Stage 2. Individualism and exchange Stage 3. Good interpersonal relationships Stage 4. Maintaining the social order Stage 5. Social contract and individual rights Stage 6. Universal principles 2. Decisions that are both ethical and legal are the types of decisions management should aspire to make, but there are also decisions that are: ▪ Legal but not ethical, where the organization may have been behaving in an unethical manner although there is, at present, no law forbidding the behavior. In certain jurisdictions, the dumping of toxic waste may be seen to be unethical, but there may be no current legislation forbidding it. ▪ Ethical but not legal, where the organization may be addressing issues from the highest ethical standpoint but still may be in noncompliance with specific statutory legislation. For example, certain companies that refused to fully comply with apartheid legislation in South Africa acted against the law although many saw their behavior as attaining a high ethical standard. Illegal and unethical, where organizations or even individuals may place self‐interest ahead of both ethical and legal considerations.
Role of Ethics in Fighting Fraud ◾
139
3. Employees themselves have specific ethical obligations to comply with: a. The duty of obedience. Employees have a duty to obey all reasonable directions as long as doing so involves no requirement to perform illegal or unethical acts. b. The duty of loyalty. Acts should not be performed against the interests of employers when the person is acting as an employee. This is occasionally disputed with some organizations insisting the duty of loyalty applies 24 hours per day while others agree that it applies only when the person acts as an employee. c. The duty of confidentiality. The intent of this duty is to ensure that information acquired as a result of the operations of the organization is not used contrary to the interests of the organization or to further the interests of either the employee or any other person or organization. This duty is generally taken to cover information obtained during the course of the employee’s activities on behalf of the employer but does not apply if the information is freely available or general knowledge. 4. A periodic review of the code of ethics/conduct should commonly be conducted by internal audit and should: ▪▪ Ensure that well‐established ethical standards exist for acceptable business behavior and establish a climate encouraging good internal control. ▪▪ Review steps taken by the board to establish a formal code of conduct. ▪▪ Evaluate whether the board stresses the importance of the code. ▪▪ Review the program for monitoring compliance with the code of conduct. ▪▪ Review the methodology for keeping the code of conduct up‐to‐date. ▪▪ Obtain updates from management regarding compliance. 5. Where fraud is not reported, the reasons given for nonreporting can be varied but can include: ▪▪ Small or no loss or damage suffered ▪▪ No confidence in police response ▪▪ Too time consuming ▪▪ It was only an attempted fraud ▪▪ Cost implications of investigation ▪▪ Lack of confidence in the ability of the police ▪▪ Desire not to tie up their own resources for years with criminal cases ▪▪ Lack of confidence in the justice system ▪▪ No chance of financial recovery ▪▪ Lack of proof/evidence/witnesses
7
CHAPTER SEVEN
Controlling Fraud
ANSWERS: FILL IN THE BLANKS 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17.
rules, processes, laws financial reporting auditors, management independent directors, independent directors, financial dishonest board executives pressured, encouraged turnover, absenteeism understood, accepted organizational tone, values, beliefs corrupt reviewed, prevent, detect controllable oversight subcommittee chairperson, governance, independence formalized charter effectiveness 141
142
◾ Solutions
8. reduces 1 19. fraud strategy, annual 20. receipt, retention, handling, business procedures 21. adequacy, business fraud risks 22. complexity, unauthorized financial movements 23. fraud risk, internal controls 24. independence, accountability 25. external, objectivity 26. effectiveness, detected, remediation, recovery 27. broadly, people, reasonable assurance 28. planning, organizing, directing 29. Preventive controls 30. Detective controls 31. Corrective controls 32. Offset controls 33. Directive controls 34. Control objectives 35. control risk, consistent 36. require, need‐to‐have 37. investigation 38. formal job descriptions 39. control objective, control technique 40. Active supervision 41. control environment 42. organizational infrastructure 43. control framework, external influences 44. lack of internal controls 45. persons, skills and competencies 46. fraud risks, risks 47. professional skepticism 48. Auditing 49. organization 50. control process, fraud risks 51. data 52. ICQs (internal control questionnaires), expected 53. fraud ICQ 54. antifraud internal controls 55. process consultation
Controlling Fraud
◾
143
SOLUTIONS: SHORT-ANSWER QUESTIONS 1. The main differences among the Anglo–U.S. corporate governance system, the German corporate governance system, and the Japanese corporate governance system include these: ▪ The Anglo‐U.S. corporate governance system offers a theoretical system of checks and balances shared among managers, shareholders, and the board of directors. The board of directors is seen to be the source and focus of proper accountability to management and shareholders. Managers are seen as responsible for the daily operations of companies. Shareholders hold the power at the annual shareholders’ meeting to elect the board of directors and vote. ▪ The German corporate governance system is typified by a supervisory board consisting of outsiders, shareholders, and employees as well as a management board consisting solely of insiders. This system is used commonly throughout Europe. ▪ The Japanese corporate governance system consists of a large board of directors primarily made up of insiders but may include government, management, banks, and keiretsu (a group of closely related Japanese companies that own each other’s shares and bonds and give each other preferential treatment as business partners. Each keiretsu is formed around a large bank). 2. The five basic components of corporate culture are: a. Shared values. Whether for good or bad, the fundamental cornerstones of the corporate culture are the values shared between the organization and its employees. The values themselves include the beliefs and aspirations of individuals and the company. b. Corporate and individual goals. If the organization wishes to influence the behavior of its employees in a manner favorable to the company, a clear statement is required of the corporate goals in order for employees to individually align with them. c. Communications. Continuous communication ensures that employees are aware at all times of the environment within which the organization is operating. When hard times are encountered, clear communication encourages employee buy‐in to corporate responses with ownership of the actions decided on. It also facilitates communication upward to make management aware of problems before they can escalate with negative impacts on worker morale.
144
◾ Solutions
d. Consistency of approach. Corporate cultures thrive when their organizations can consistently apply their value systems. Goals and objectives may fluctuate in reaction to market forces, but, when all involved understand what the changes are and why they are being adopted, the culture can support the process rather than being a barrier. e. Celebration of achievement. Where individuals or divisions have performed beyond expectation, the creation and communication of “corporate heroes” is an effective way of spreading the values and helping others aspire to the same levels of performance. In addition, such an approach makes it considerably safer for employees to try and fail than simply to not try. 3. The audit committee as a whole should consist of members with the appropriate skills and experience to carry out the committee’s assigned role. Expertise in these areas is required: ▪▪ The particular sector or industry within which the organization functions ▪▪ Financial expertise ▪▪ Professional skepticism ▪▪ Understanding of best practice in risk management ▪▪ Sound knowledge of governance, assurance, and internal control ▪▪ Skills in business specialties dictated by the needs of the business such as banking, insurance, information technology, taxation, or legal matters 4. Independence may be presumed to be impeded where an audit committee member is: ▪▪ A present or former executive of the company or an associated company ▪▪ A significant, controlling, or dominant shareholder ▪▪ An executive or board member of an entity that is a significant shareholder ▪▪ A significant supplier of goods or services to the organization including those in advisory, audit, or consultancy capacities ▪▪ Associated financially or through close family relationships with a significant shareholder ▪▪ Associated through family ties with any executive of the organization 5. In order to ensure achievement of business objectives, COSO defined five components that would assist management to achieve them: a. A sound control environment. Such an environment requires the correct level of attention and direction from senior management. It is created by ensuring the hiring of managers and employees who possess integrity, ethical values, and are competent. The environment is seen
Controlling Fraud ◾
145
to be a function of management’s philosophy and operating style. In order to be effective, it requires the proper assignment of authority and responsibility together with the proper organization and utilization of available resources. Management must ensure that staff members are trained and developed to the appropriate standard to ensure that staff members can competently exercise control. b. A sound risk assessment process. This process requires that effective methods are implemented so management can be aware of the risks and obstacles in the way of successful achievement of business objectives. Management must establish a set of objectives that integrate all the organization’s resources so that all the departments operate in unison toward achieving the overall objectives. The risk assessment itself involves the identification, analysis, and management of the risks and obstacles to the successful achievement of the three primary business objectives, described earlier. c. Sound operational control activities. Control activities involve the establishment, execution, and monitoring of sound policies and procedures. These help to ensure the effective implementation of actions identified by management as being essential to address risks and obstacles to the achievement of business objectives. Activities include authorization, reviews of operating performance, security of assets, and segregation of duties. d. Sound information and communications systems. These systems facilitate the running and control of a business by producing reports containing financial, operational, and compliance‐related information. The systems utilize both internally generated data and information on external activities, conditions, and events that management needs to be aware of when making decisions and communicating the company’s activities to the outside world. In order for this awareness to happen, appropriate information must be identified, captured, and communicated in a way that enables people to carry out their responsibilities. Effective communication must flow down, up, and across the organization. (Top management must send a clear message to all personnel that control responsibilities must be taken seriously.) For communication to flow effectively, all personnel must understand their own roles in the internal control system as well as how their individual activities relate to the work of others. Personnel also must be able to communicate significant information upward and with external parties.
146
◾ Solutions
e.
Effective monitoring. Effective monitoring ensures the effectiveness of the control process. The entire control system has to be monitored in order to assess the quality of the system’s performance over time. Deficiencies must be reported, with serious matters reported directly to top management. In addition, there must be separate, independent evaluations of the internal control system. The scope and frequency of these independent evaluations depend mainly on the assessment of risks and obstacles and the proven effectiveness of ongoing monitoring procedures. 6. Losses due to employee fraud in the retail environment can come from a variety of techniques, but certain existing controls can be used to detect retail employee theft and fraud. These can include: ▪ Review of cash register transactions, looking for small cash refunds, returns, excessive drawer openings. In older cash registers, this would involve examination of the copy rolls, but in modern registers, this information is digitized and is subject to continuous monitoring using appropriate computer software. ▪ Using technology to increase the frequency of the inventory counting. ▪ Interrogating returned transactions and the voided/deleted/cancelled sales report. ▪ Monitoring of inventory adjustment reports on a daily basis. ▪ Alarming the back door and monitoring it with closed-circuit television. ▪ Periodic spot checking all garbage. ▪ Instituting inventory management automation. ▪ Rotating staff members responsible for incoming goods.
SITUATIONAL CASE STUDIES SOLUTIONS Situation 1 ▪ Test a sample of imprest fund payments with reference to (1) the existence of authoritative approval and (2) the adequacy of supporting documentation. ▪ Separate the authorization and payment function. Require responsible management approval on invoices for imprest fund payments. Require original documentation in support of requests for imprest fund payments. Perforate or stamp original documents after payment to prevent reuse
Controlling Fraud ◾
147
Situation 2 ▪▪ Test a sample of expense reports for (1) the existence of authoritative approval and (2) the adequacy of supporting documentation. The test sample should contain all expense reports for a selected number of employees for a specified continuous period of time. ▪▪ Require responsible management review and approval of all expense reports. Require original documentation for those specific types of expenses in the expense reports requiring documentation. Require responsible management approval for any alteration of supporting documentation. Situation 3 ▪▪ Review company procedures relating to purchasing operations and for handling employee accommodation transactions. ▪▪ Require the purchasing department to have the authority and responsibility for all purchasing transactions. Require the responsibility for the various segments of employee accommodation transactions to be assigned to the appropriate company functional organization.
8
CHAPTER EIGHT
Fraud Risk Management
ANSWERS: FILL IN THE BLANKS 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17.
assessment duty of care Inherent risk reducing the likelihood, reducing, impact fraud risk model Process analysis poor judgment, cost of fraud Meaningful risk analysis, control procedures low noncritical participation likelihood, impact reputation, customer confidence open ended, no controls prioritized fraud threats, sources, functional area mitigate, adequate, function as intended too high, work as intended, additional mitigating, most 149
150
18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. 32. 33. 34. 35. 36. 37. 38. 39. 40. 41.
◾ Solutions
adequate, effective, eliminated vertical, horizontal, fraud risk management, prevent, detect intent of the rules reputational independent external auditor, annual fiduciary not necessarily the same low less increased perpetrate, conceal internal control structures actively seeking, bankruptcy fraud forensic accountants background checks, local laws, electronic audit trail legal, forensically acceptable computers, significant reduce genuine concerns, procedure like, Low‐level retaliation externalize indemnify, proven, good faith severely confidential government, whistleblower
SOLUTIONS: SHORT-ANSWER QUESTIONS 1. The three types of risk that are normally considered when evaluating corporate risk are: a. Inherent risk. Inherent risk is the likelihood of a significant loss occurring before any risk‐reducing factors are taken into account. In evaluating inherent risk, the evaluator must consider the types and nature of the risks as well as the factors indicating that a risk actually exists. To achieve this, a high degree of familiarity with the operational environment of the organization is required. b. Control structure risk. Control structure risk measures the likelihood that the control processes established to limit or manage inherent risk are ineffective. In order to ensure that the controls are evaluated
Fraud Risk Management ◾
151
appropriately, the risk evaluator must understand how to measure the effectiveness of individual controls. Doing this involves identifying those controls that provide the most assurance that specific risks are being minimized within the organization. Control effectiveness is strongly affected by the quality of work and the degree of supervisory control. c. Residual risk. Residual risk is the degree of risk remaining after control structure risk has reduced the likelihood and impact of inherent risk. The objective of the exercise is not to eliminate residual risk but to reduce it to a level that management can accept. 2. One effective risk evaluation model uses a five‐stage process involving: a. Identifying participants in the process by business unit and establishing the key risks from their perspective b. Conducting a high‐level assessment with each of the participants to clarify in their own mind their fraud risk concerns. c. Conducting a workshop with participants drawn from a common business unit in order to elicit their prioritization of the risks and their identification of the key control elements. d. Consolidating business unit results and accumulating them toward the overall corporate fraud risks assessment. e. Based on identified shortcomings, developing a risk response strategy and implementation plan. 3. In assessing fraud risk, major risk categories would commonly be drawn from these categories: ▪▪ Misappropriation of assets ▪▪ Discrepancies in financial reporting ▪▪ Corruption and extortion ▪▪ Avoidance of government regulation ▪▪ Improperly obtained revenue ▪▪ Avoidance of expenses ▪▪ Money laundering ▪▪ Computer fraud and all its forms ▪▪ Loss of confidentiality of information 4. In ensuring the fraud threat is mitigated, the internal auditor must determine: ▪▪ Whether the total organizational culture promotes fraud awareness and controls consciousness ▪▪ Whether written policies exist indicating activities and conflicts of interest, which are prohibited together with the formal reporting cycle of such irregularities and the appropriate action to be taken
152
◾ Solutions
▪▪ The resistance and appropriateness of an authorization architecture for decision making and the processing of transactions
▪▪ The adequacy of monitoring mechanisms and the feedback mechanisms used to convey information regarding wrongdoing to the appropriate level and be able and empowered to take effective action ▪▪ Whether risk probabilities or potential damage levels have escalated and whether the control structure is still appropriate to reduce the overall fraud risks to acceptable levels 5. To be certified as a fraud examiner, proficiency must be shown in the areas of: ▪▪ Fraud prevention and deterrence ▪▪ Fraudulent financial transactions ▪▪ Fraud investigation techniques ▪▪ The legal elements of fraud 6. Whistleblowing involves the provision of information that the individual reasonably believes to be true regarding: ▪▪ Violation of any policies, plans, procedures, rules, or regulations ▪▪ Wastage of corporate assets ▪▪ Abuses of authority ▪▪ Bribery and corruption ▪▪ Sexual harassment ▪▪ Racism in the workplace ▪▪ Dangers to health and safety ▪▪ Damage to the environment ▪▪ Any other form of mismanagement or misdemeanor
9
CHAPTER NINE
Investigating Fraud
ANSWERS: FILL IN THE BLANKS 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17.
reactive identity theft protection program clusters supervision, execution short‐term goals, crisis management personal heavy drinking, sexual activity vacation, sick financial reach careless with facts, contributions of others, betrayal Opportunistic fraudsters Repeat fraudsters, internal control, detection Organized fraudsters book sales prior to payment, obsolete inventory accounts receivable accounts payable, inventory levels employee reimbursements 153
154
◾ Solutions
8. computerized, disappeared, reduced 1 19. ineffective, red flag 20. amended, altered, handwriting 21. dates, signatures, employer information, new funding 22. calculations of taxation 23. creditworthiness 24. insurance companies, insurance policies, Social Security benefits 25. medical records fraud, treatment centers 26. changed materially 27. substantiated 28. patient fraud 29. Incurred cost, cost-plus 30. direct and indirect labor costs 31. subcontractors, inflated, kickbacks 32. procurement procedures, appropriateness 33. early resolution 34. Predication, has, is, will 35. conflict of interest 36. available data, hypothesis, testing the hypothesis, amending the hypothesis 37. motivation, opportunity, means, method 38. initial investigation 39. presumption of innocence 40. decrease 41. action plan, scope and extent 42. multidisciplinary, knowledge, skills, disciplines 43. confidential, disclosure 44. covert investigation techniques, mishandled 45. existence, adulterated, original, authorizer 46. alterations, erasures, alteration 47. external, internal, scanned, digital 48. duplicates 49. gaps, cover‐up 50. Ratio analysis 51. Correlation analysis 52. occurrence, predetermined frequencies 53. interviewing 54. active, acquired
Investigating Fraud ◾
5. nonverbal 5 56. noncritical 57. remotely 58. interrogation, illegally 59. background, goals, objectives 60. objective‐based 61. Paraphrasing, summarizing 62. objectives, previously gathered 63. public knowledge 64. neutral third‐party, independent 65. probable fraudster, co‐conspirators 66. direct, supposed 67. explicit 68. Lying by omission 69. Denial 70. Making up a story 71. Lying by minimization 72. Exaggeration, exaggerates 73. qualifiers 74. permanent recording, physiological changes 75. Comparative Question Test 76. Guilty Knowledge Test, Concealed Information Test 77. lying, truthful, telling the truth, lying 78. chain of custody 79. chain of custody, inadmissible 80. investigation plan, invalidate 81. failure 82. objective, fair, irregular incidents 83. irregular, unlawfulness 84. jurisdictions, legislation 85. pre‐investigative, investigative, judicial 86. restraint, confiscation, preservation, forfeiture 87. freezing 88. disposal 89. erroneous, misleading, prejudicial 90. breach of privacy, secured, inadmissible 91. asset movement 92. illegally, offshore trusts
155
156
◾ Solutions
SOLUTIONS: SHORT-ANSWER QUESTIONS 1. An identity theft protection program typically involves a framework consisting of these four steps: Step 1. Provision of reasonable policies and procedures to identify the red flags indicating the possibility of wrongdoing. Step 2. Detection of the identified red flags. Step 3. Policies and procedures spelling out the appropriate actions when red flags are detected. Step 4. Periodic reevaluations of the policies and procedures to ensure their appropriateness and accuracy. 2. In their 2011 report, Who Is the Typical Fraudster, KPMG suggest the typical fraudster is: ▪ Male (accounting for 87 percent of frauds) ▪ 36 to 45 years old (accounting for 41 percent of frauds) ▪ Commits fraud against own employer (accounting for 90 percent of frauds) ▪ Works in the fi nance function or in a related role (accounting for 32 percent of frauds) ▪ Employed in a senior management position (accounting for 53 percent of frauds) ▪ A long‐term employee employed for more than 10 years (accounting for 33 percent of frauds) ▪ Working in collusion with another perpetrator (accounting for 61 percent of frauds) 3. Much of the high-value fraud experienced by organizations is carried out at the managerial level. Red flags in this area could include: ▪ Reluctance to provide information to auditors ▪ Frequent changes in accounting environments ▪ Management domination of the group 4. In procurement, abnormalities within the vendor arena could include alerts such as: ▪ Vendors not present on an approved vendor list ▪ Excessive use of sole‐source vendors ▪ Vendors with no physical address ▪ Vendors with information matching employee information such as addresses, bank accounts, and the like
Investigating Fraud ◾
157
▪▪ Vendor payments that are collected in person rather than being mailed or sent electronically
▪▪ High volumes or values of purchases from new vendors Other indicators may relate to the handling of inventory after it has been received. Such indicators could include: ▪▪ Increased procurement volumes with no increase in business activity or inventory levels ▪▪ Increasing or unusual inventory shrinkage ▪▪ Excess levels of inventory particularly when combined with increased purchases from specific vendors ▪▪ High levels of slow‐moving items in inventory 5. Overall red flags on labor charges to incurred‐cost contracts would include: ▪▪ Sudden shifts in charging patterns ▪▪ Decreases in charges made to contracts approaching their budgeted maximum ▪▪ Employee time charged against the contract when attendance records show an employee was elsewhere ▪▪ Contractor expenditure frequently just below budgeted maximums, never above ▪▪ Constant movements between direct and indirect charging of the same employee ▪▪ Generally poor controls over labor charging 6. The fraud investigation is intended to resolve fraud allegations from inception to disposition. The investigation includes: ▪▪ Obtaining evidence ▪▪ Investigating fraud ▪▪ Taking statements ▪▪ Writing reports ▪▪ Testifying as to findings in detection and prevention of fraud 7. In conducting interviews, general rules for asking questions include: ▪▪ Let the interviewee do the talking and keep the questions short. ▪▪ Avoid multiple‐answer questions. If you offer a choice of A or B for the answer, you may get the truth, you may get a lie, you may get what the interviewer thinks you want to hear, or you may get a best guess based on the alternatives given. ▪▪ Avoid leading questions where the interviewer implies the correct answer within the question. ▪▪ Where possible, avoid closed questions. Yes/no questions are conversation stoppers. Open‐ended questions, such as “Tell me how orders are
158
◾ Solutions
placed” or “How do you know?” are more likely to elicit descriptions of control weaknesses that could have facilitated the fraud. ▪▪ Encourage the interviewee to continue talking using your own body language, such as nods, smiles, and so forth. ▪▪ Listen to the interviewee and adapt your approach based on what you are being told. Asking a question and ignoring the answer is a complete turn‐off for interviewees who actually want to help you. Do not use your interview plan as a checklist simply to be ticked off as you go. Be careful with note taking and recording interviews, as this can cause even a willing interviewee to go silent. Take notes only of what you must (new knowledge, unexpected responses, and the like) during the course of the interview but record all salient points immediately afterward. For evidence to be produced in court, the timing of when notes were taken can be critical with less reliance placed on notes made after a significant passage of time. 8. Asset confiscation undergoes a three part process namely: a. Identify b. Trace c. Seize or freeze
10 CHAPTER TEN
Computer Fraud and Countermeasures
ANSWERS: FILL IN THE BLANKS 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17.
Operational management raw data unauthorized transactions application systems, business controls online, real‐time operational overhead, computing power information, potential entry points external networks, from anything recognized may or may not unauthorized, training, understanding poorly designed, internal control structures writing programs, additional authorities critical, foundation, penetration Communications, strengthened, weakened, bypassed Encryption Symmetrical key cryptography 159
160
◾ Solutions
18. public key, encrypting, decrypt 19. public key, private key 20. failure 21. algorithm, sizes 22. authorized, genuine 23. originator’s private 24. virtualization, software control, paravirtual machine model 25. fraud resistant, isolated 26. restricted data, unauthorized access, compromised 27. unauthorized devices, detective 28. server 29. authentication, administration 30. accuracy, authenticity, existence 31. secure socket layers 32. authenticated, communication protocol 33. enforces 34. written down 35. passed around 36. birth dates, Social Security numbers 37. Social media 38. standard, unique 39. investment newsletter subscription, economic collapse 40. mobile device, supplemented 41. Device identification, location awareness, device fingerprinting, geolocation 42. Predictive risk analytics, authentication reliability 43. theft of smart phones 44. technical repair, highly confidential, protecting 45. Cloud computing 46. cloud computing, cloud 47. legal issues, intangible 48. dissimilar 49. internal security requirements 50. Software as a service 51. Web‐centric interfaces 52. leased, owned, hosted 53. scalability, private cloud 54. digital resources 55. control environment
Computer Fraud and Countermeasures ◾
56. sufficient proof 57. interpret, technology 58. Continuous monitoring 59. monitoring 60. Continuous observation, normal operation 61. potential defects 62. control objectives, cost effective 63. preventive controls, human intervention 64. authorized, fully tested 65. ignore 66. continuous monitoring, possibility 67. comprehensive antifraud management 68. active involvement, common controls 69. gather information, segmentation 70. Online auctions, nonexistent 71. full value 72. customer data 73. Credit card fraud, social networking Web site 74. Denial of receipt, receiving 75. additional payment 76. follow‐up, availability 77. shipping information 78. virtual supply chain 79. verification, quality 80. sophisticated looking 81. clone, cursory 82. trading contracts 83. auction site 84. information and communications technology 85. Safeguarding confidential information 86. card‐not‐present, e‐commerce business 87. Phishing attacks, passwords 88. Spear phishing 89. Business services phishing 90. Defensive phishing 91. Botnets, repetitive 92. Card verification value 93. encrypted, digitally signed 94. not encrypted, network administrator
161
162
◾ Solutions
95. 96. 97. 98. 99. 100. 101. 102. 103. 104. 105. 106. 107. 108. 109. 110. 111. 112. 113. 114. 115. 116. 117. 118. 119. 120. 121. 122.
breaking and entering “hacker for hire” amended or forged modification of live systems viruses intercepted actually occurred, intent privacy rights minimize business disruption Pre‐incident preparation, possibility, what happened denial‐of‐service intrusion detection systems trap, reject forensic response toolkit incident response team, minimize topology physical environment keyboard, mouse, power switch copies bit‐by‐bit original state, adulterated documentation, chain of custody scope, duration files accessed, prosecution log files, user ID covert, communications generic prohibitions relevancy, reliability, admissibility
SOLUTIONS: SHORT-ANSWER QUESTIONS 1. Overall, the control objectives and architectures of virtual machines do not change and still remain as: ▪ Access authentication ▪ Segregation of duties ▪ Integrity controls ▪ Integration with nonvirtual environments
Computer Fraud and Countermeasures ◾
163
▪▪ Enforcement of existing antifraud policies ▪▪ Extensive logging of activity as a detective control 2. Internal controls that can be readily implemented in order to make computer fraud by the outsider more difficult and easier to detect include: ▪▪ Personal information should not be disclosed, and care should be taken whenever a computer user is asked for sensitive information. Such information should never be disclosed electronically unless the user is fully satisfied that the requester has a right to know, such as legitimate law enforcement or tax authorities. ▪▪ Passwords should be protected both at the user end and when on mobile devices. In addition, passwords should be changed regularly and should contain a mixture of characters, numbers, and special characters like exclamation marks, question marks, percent signs, and the like. Most passwords are case‐sensitive. Mixing upper‐ and lower‐case characters can make it considerably more difficult for “brute force” attacks to succeed. People entering passwords should beware of shoulder surfers, particularly if they seem to be using a mobile phone at the time. The phone may in fact be videotaping the password entry. ▪▪ Destruction of confidential scrap is essential to prevent ID theft. Shredders, particularly cross‐cut shredders, should be used for any paper product containing personal information, including the user’s name. Modern shredders, not necessarily expensive ones, generally can shred credit cards and even DVDs. Where this facility is available, use it. ▪▪ Doing business via computers means that users have to be sure who they are dealing with electronically. When purchases are made, users must take care to check any agreements implicit within the transaction or policies being agreed to. If there is any doubt at all as to the authenticity or the acceptability of any terms and conditions, do business elsewhere. If businesses utilize free e‐mail addresses, such as Hotmail, Yahoo, or the like, avoid them; it is too easy for them to disappear with whereabouts unknown and then reappear with a new identity mere seconds later. ▪▪ Be wary of special offers, unique bargains, pyramid schemes, Internet auctions, business opportunities, and the like. Some of these are legitimate, but many are not. As with all other too‐good‐to‐be‐true schemes, be wary and be aware. 3. Use of continuous monitoring can help fraud detection by: ▪▪ Providing better access to real‐time indicators of potentially fraudulent transactions by allowing improved speed and quality of detection and management response
164
◾ Solutions
▪▪ Reducing the business impact of frauds by reducing the length of time they go undetected
▪▪ Ensuring corporate compliance with relevant laws and regulations ▪▪ Giving early warning of reduced reliability of computerized antifraud controls 4. Designing a monitoring architecture is a combination of: ▪▪ Identifying and prioritizing risks ▪▪ Identifying the key controls intended to mitigate the risk ▪▪ Identifying the key indicators that would show that the likelihood of achieving the control objectives is declining ▪▪ Implementing automated or manual monitoring of these indicators to identify as soon as possible any decrease in the adequacy of the internal control structures or their effectiveness in achieving the control objectives 5. Controls to prevent credit card frauds include: ▪▪ Ensure cards are signed as soon as they arrive. ▪▪ Carry cards separately in a metallic scan‐proof wallet. ▪▪ If handing over the card to a third‐party, keep a close watch on the card as it is being processed. ▪▪ Open credit card bills promptly, reconcile the transactions against your own records, and report any questionable transactions directly to the card company. ▪▪ Void incorrect receipts immediately. ▪▪ Ensure cards are never loaned or left lying around. 6. The first stage of protecting the digital assets of the organization from fraud is the development of a framework to identify items to be protected and the nature of their vulnerability as well as the protection required. Vulnerabilities include:
▪▪ Identity and Social Security numbers
Vulnerable to disclosure
▪▪ Corporate financial information
▪▪ Passwords ▪▪ Personal information ▪▪ ▪▪ Corporate planning information
Vulnerable to disclosure and manipulation Vulnerable to disclosure Vulnerable to disclosure Encryption keys Vulnerable to disclosure and destruction Vulnerable to disclosure Vulnerable to destruction and to manipulation
Computer Fraud and Countermeasures ◾
165
7. The design of the control systems themselves must fit the needs of both the asset class and vulnerability. In order to ensure the design adequacy and implementation effectiveness, the roles and responsibilities of the stakeholders must be clearly identified. ▪▪ Owners of data have the responsibility to identify who can access the information and what that individual is permitted to do to the information: create it, update it, copy, delete it, or simply use it. ▪▪ Users are responsible for keeping their identities and passwords confidential and not attempting to go beyond their level of authority. They are also responsible for maintaining confidentiality since as users of information, they automatically have read access and, therefore, by association, copy access. ▪▪ Security management is not responsible for deciding the level of security required for a digital asset; that is the responsibility of the data owners, who are responsible for choosing the mechanisms by which the level of security is achieved. Where the owner of the data lacks the knowledge to control access, security management may act as internal consultants to the data owner. ▪▪ Internal audit is normally tasked with the responsibility of assessing the adequacy of the design of the system of internal controls intended to prevent fraud and to test the system’s overall effectiveness and make recommendations regarding ineffective controls. 8. Built‐in security weaknesses exist in many sites. Such vulnerabilities include: ▪▪ Continued use of the passwords that were built in when the software was first installed. This is particularly problematic with passwords that are built into operating systems. ▪▪ Users failing to change their passwords at appropriate intervals depending on the risk levels of individual systems. “Change every 30 days” is still a common rule enforced by the computer systems themselves with no thought given as to whether 30 days is appropriate, inadequate, or overkill. ▪▪ Systems that require no password access whatsoever because they are deemed to be low risk but from where a hacker may be able to bridge over into a secured environment. ▪▪ Lack of corporate policies on the implementation of antifraud internal control architectures and therefore no user education as to their role in fraud prevention. ▪▪ Poor user fraud security awareness at all levels including executives and IT personnel.
166
◾ Solutions
▪▪ Poor personnel policies in which employees are hired without background checks and given unrestricted access to fraud‐vulnerable areas of information systems. ▪▪ Poor operating environment within the company’s IT division where the criteria on which they are measured is focused on systems availability and response times with little or no emphasis on achieving a robust antifraud environment. ▪▪ Lack of overall security enforcement. In some installations, physical security is high and even the mechanics of logical security is strongly enforced. However, if the user manager adopts the attitude “I trust my staff” as the number-one control priority, all of the technical control enforcements are unable to prevent or detect fraud. 9. An effective incident investigation methodology was proposed by Mandia and Prosise in 2001 and comprised an 11‐stage process. The stages are: Stage 1. Pre‐incident preparation Stage 2. Detection of incidents Stage 3. Initial response Stage 4. Response strategy formulation Stage 5. Duplication and the preparation of forensic backups Stage 6. Investigation Stage 7. Security measure implementation Stage 8. Network monitoring Stage 9: Recovery Stage 10. Reporting Stage 11. Follow‐up
11 CHAPTER ELEVEN
Legal Issues Surrounding Fraud
ANSWERS: FILL IN THE BLANKS 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17.
precedence, customs Common law, judicial judgments adversarial exchange legislation, inquisitors constitutions quality Direct tangible objects Documentary Demonstrative documentary documentary, ability inadmissible victim restitution proceeds, substitute, equivalent value contract, secured, unsecured electronically 167
168
18. 19. 20. 21. 22. 23. 24. 25. 26.
◾ Solutions
audit trail freezing order third‐party disclosure orders, innocently actual, potential, incriminating documents transferred, transmuted, money, property Piercing the veil reduce costs nonemployee employee deception
SOLUTIONS: SHORT-ANSWER QUESTION 1. Define the difference between actual and punitive damages. ▪ Actual damage usually involves the amount of direct loss that can be shown in court ▪ Punitive damages usually are assessed by the court based on other issues than provable cash losses and may, in some cases, be considerably higher than the amount of money directly attributable to the fraud itself. Loss of customer confidence or even embarrassment may be taken into consideration. 2. In some cases companies may knowingly seek to evade labor legislation by classifying workers as independent contractors rather than employees. In order to legally achieve such classification, an individual must be demonstrably: ▪ Free from day‐to‐day control and direction ▪ Customarily engaged in an independent business of the same nature as the work being undertaken for the present company ▪ Performing similar work for organizations other than the present company on a regular basis ▪ Performing tasks outside of the usual course of business of the company
12 C H A P T E R T W E LV E
Industry-Related Fraud Opportunities
ANSWERS: FILL IN THE BLANKS 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17.
Money laundering detailed record data management risk profiling, transactional continuous monitoring, computerized appropriate authorities, significant penalties personal privacy authenticated signature, authentic signature, verification Online authentication negligence, intent personal identification number (PIN) check digit, Luhn check CNP, magnetic strip biometric authentication physical characteristics, facial recognition geometry change 169
170
◾ Solutions
18. card not present 19. merchant, disputes 20. Check fraud 21. Counterfeiting 22. proper authorization 23. closed, paperhanging 24. Check kiting 25. chemicals, solvents, fabrication 26. knowledge, awareness, alertness 27. lower 28. Wire transfers, instantaneous transfer 29. not intended, authorized individual 30. business, government, consumer 31. nondispersing 32. paycheck, routing number 33. direct debits 34. convenience, lower costs 35. identities, credentials 36. Shoulder surfing 37. public, confidential, valuable 38. Keystroke loggers, screen images 39. man‐in‐the‐middle, account information 40. Phishing, bank 41. Pharming 42. impersonation 43. botnets, malware 44. Fast flux DNS 45. certificate, secure connection 46. encryption 47. wireless network, no traffic 48. Wi‐Fi Protected Access 2 (WPA2) 49. two different computers 50. User access rights 51. online banking, separate 52. all Internet access, specific sites 53. blocking, filtering, proxy 54. permission rights, monitored 55. Money laundering 56. selling, no Medicare coverage
Industry-Related Fraud Opportunities ◾
57. checked, genuine beneficiary 58. legitimate, never prescribed, never used, never issued 59. drug misuse 60. young 61. not normally, both simultaneously 62. Anti‐Kickback Statute, providing services 63. deliberate, accidental, intentional, unintentional 64. “utmost good faith” 65. faith, reputation, efficiency 66. Internal frauds, fake policies 67. External, property, stolen, destroyed 68. beyond, incurred, additional monies 69. foreign bodies, faked burglaries, death benefit 70. Retrospective, concealed 71. fake injuries 72. claims investigation units 73. finances, market practices 74. initial claims handling 75. field adjuster’s 76. Certified insurance fraud investigators 77. tips, fraudulent claims, potential vulnerability 78. analysis software 79. data mining techniques, patterns of claims 80. database search 81. Online analytical processing, profiling, clustering 82. Rules‐based, threshold values 83. Predictive modeling 84. Network analysis, interrelated relationships, commonality 85. unstructured text 86. Logistic regression analysis 87. money‐laundering 88. elderly, promissory notes, nonexistent policies 89. real crime 90. Tax evasion 91. Tax avoidance 92. tax shelter 93. pension plans, education, retirement annuities 94. total economic activity 95. published estimate
171
172
◾ Solutions
96. 97. 98. 99. 100. 101. 102. 103. 104. 105. 106. 107. 108. 109. 110. 111. 112. 113. 114. 115. 116. 117. 118. 119. 120. 121. 122. 123. 124.
indirect taxes, appropriate taxation authorities specific goods, services, net not registered underdeclare not received acquisition fraud, zero‐rated excise duty retirement accounts primary income, primary source abusive, legitimately owed nominal taxation domestic tax laws, treaty‐partner authenticating the identity authentication, firearm licenses Identity theft Internet sites, mailboxes Attestation Click and sign Witnessed signature recent bereavement, deceased Roof repair ground preparation sealant effect capital assets, financial guarantees to pay higher small businesses, available personnel, accident transactional, abnormal pricing trends bidding, unauthorized individuals, late bids environmentally destructive
SOLUTIONS: SHORT-ANSWER QUESTIONS 1. Banking fraud is taken to be a scheme intended to defraud a financial institution or to obtain the assets under the control of a financial institution by means of fraud. Multiple variations of bank fraud occur, including: ▪ Money laundering ▪ Card fraud ▪ Check fraud
Industry-Related Fraud Opportunities ◾
173
▪▪ Wire fraud ▪▪ Online fraud 2. The overall objectives of anti–money laundering activities are: ▪▪ Prevention of the use of the financial institution or its infrastructure for money laundering purposes by criminal elements ▪▪ Implementation of appropriate internal controls specific to money laundering in order to detect activities defined as suspicious under the laws of a given jurisdiction ▪▪ Ensuring compliance by the financial institution with all applicable laws and regulations ▪▪ Improving the financial institutions’ knowledge of the financial dealings of its own customers in order to ensure the appropriate management of the financial institutions’ risks 3. The PCI‐DSS standards themselves include requirements such that all parties to payment card processing including merchants, card issuers, processors, acquirers and service providers must achieve a minimum standard of protection for cardholder data that includes: ▪▪ Building and maintenance of a secure network that includes the installation and maintenance of firewalls as well as the changing or removal of vendor‐supplied default passwords and security parameters. ▪▪ Protection of cardholder data, both in a stored form as well as transmission across open networks when encryption is a requirement. ▪▪ Maintenance of a vulnerability management program, ensuring the use and updating of antivirus software and the development and maintenance of secure systems. ▪▪ Implementation of strong access controls in order to restrict access to cardholder data on a need‐to‐know basis. This requires unique computer access IDs as well as the restriction of physical access to cardholder data. ▪▪ Network monitoring and testing to ensure the tracking and monitoring of all accesses both to networks and cardholder data accessible via the networks with security systems and processes required to be tested regularly. ▪▪ Maintenance of an information security policy covering security for all personnel. 4. Traditional controls to prevent card fraud include: ▪▪ Sign the back of the card in permanent ink as soon as it has received. ▪▪ Record all card numbers and keep them securely stored for ease of cancellation in the event of a card loss or theft of a purse or wallet.
174
◾ Solutions
▪▪ Never carry all cards at once. In the event of a theft or loss, canceling one or two cards is considerably less inconvenient than having to cancel all cards. ▪▪ Review statements to ensure the validity of transactions as soon as the statements are received. If possible, it is even better to perform frequent online reviews of card transactions. ▪▪ Be aware of when statements are due and alert the card issuer if statements are late. ▪▪ Shred all documents containing identification information before disposal. ▪▪ Never divulge the credit card number to an unknown Web site even if they ask for it. ▪▪ Never write a PIN number on the card or download it to any third party. ▪▪ Store PIN numbers separately from the cards. ▪▪ Never lend cards, even to close friends or family. The cardholder remains responsible for all charges. ▪▪ Be aware of the possibility of skimming or someone using a cell phone in the near vicinity that could photograph the card or make a video of the PIN entry. ▪▪ When the card is used for a purchase and returned, ensure it is the same card. ▪▪ Notify the credit card company in advance if large purchases are to be made or if the card will be used out of your normal area. Never allow a merchant or service provider to retain your card details on file if requested. Penetration of their system would give your credit card details to potential fraudsters. 5. Internal controls against card fraud at the merchant level include: ▪▪ Address verification systems. In the United States and some European countries, the cardholder’s address or zip code may be confirmed by the bank that issued the card. This is not foolproof since fraudsters, once they have the genuine card information, can look up address information to match the card from social sites on the Internet. ▪▪ Payer authentication programs. This software uses personal passwords to confirm the identity of the card user in a CNP online transaction. Where this program is used by merchants, some of the costs of online fraud may be attributable to the card issuer of many cards. Users may, however, run pop‐up blocking software that will block such authentication requests. ▪▪ Card verification methods. This refers to the use of the security codes imprinted on the card although not encrypted in the magnetic stripe
Industry-Related Fraud Opportunities ◾
175
(CID American Express: CVV2 VISA: CVC2 MasterCard). Where credit card numbers have been stolen, it is less likely that fraudster will have access to these security codes. If the card itself has been stolen or a merchant’s employee has recorded the security code from the back of the card, this control is ineffectual. Nevertheless, requesting this number online or telephonically can deter fraudsters who only have access to the card number itself. ▪▪ Bank Identification Number (BIN) checks. The first six digits of each card identify the issuing bank for the credit card. The name of the issuing bank can be checked at: www.all‐nettools.com/toolbox,financial, which provides the bank name, the funding type, the card type, contact details, and the country of origin. ▪▪ Card pattern recognition. For online purchases, a fraudulent pattern may emerge of multiple purchases to be shipped to the same address using different credit cards. If these purchases are made from the same Internet Protocol (IP) address, there is a strong possibility that a stolen list of credit card numbers is being used. In the same way, where the same card is used with a variety of expiration dates, the fraudster may have access only to the card number and may simply be giving expiration dates until one works. ▪▪ Beware free e‐mail accounts. Where purchases are made from free e‐mail services, the ability to trace the originator of the e‐mail is severely limited. Although many legitimate customers may use such e‐mail addresses, virtually all fraudsters use them in order to remain anonymous. Customers who claim to be businesses rarely use free e‐mail accounts. 6. Check security at the corporate end involves controls such as: ▪▪ Ensuring there have been recent background and credit checks on all employees handling the processing of payments. ▪▪ Ensuring vacation policies are enforced, since it is during vacations that check fraud often comes to light. ▪▪ Ensuring all supplies of checks and other banking documents are stored under lock and key at all times. ▪▪ Limiting the number of authorized signatories. ▪▪ Requiring more than one signature on large‐value checks and notifying the bank of this. ▪▪ Ensuring segregation of duties exists between the check writing, signature, and reconciliation functions. ▪▪ Ensuring all accounts are reconciled promptly and frequently.
176
◾ Solutions
▪▪ Limiting the value of checks that can be drawn on specific accounts with additional controls placed on accounts authorized for the processing of high‐value checks. ▪▪ Using Positive Pay, which warns banks of checks being issued including check numbers, dates, bank information, and amounts. ▪▪ Using Reverse Positive Pay in which the bank sends the organization a list of the day’s presented checks to be matched against the company’s own checks-issued database. Dubious checks can then be viewed online and then paid or returned as appropriate. ▪▪ Reviewing returned checks to ensure no counterfeits have been processed against corporate bank accounts. Counterfeits may be detected through variations in paper, color, perforation, check size, check style, or corporate logo. 7. Despite their undoubted convenience, there are some drawbacks in the use of ACH debits. These include: ▪▪ The need to hand over information regarding bank account details as well as access to a bank account to a third party. ▪▪ Accidental overbilling may be noticed and challenged only after payment has taken place. ▪▪ Accounts maybe overdrawn accidentally if overbilling occurs or if insufficient funds are available at the exact time of processing the debit. ▪▪ Automatic payments discourage the checking of invoices to ensure their validity prior to payment. ▪▪ Fraudulent overbilling may not be noticed if no independent authorization is required prior to payment. 8. One of the main control components in the prevention of money laundering is the implementation of an effective anti–money laundering program. Such programs consist of: ▪▪ Internal controls, policies, and procedures to ensure compliance with the Bank Secrecy Act and subsequent legislation ▪▪ The appointment of a compliance officer to ensure the effectiveness of the AML program covering the everyday operations of the organization ▪▪ Implementation of an ongoing training program covering all employees involved in areas where money laundering could occur ▪▪ The execution of an independent audit ensuring the adequacy and effective implementation of the AML program 9. Most common forms of health care fraud involve: ▪▪ Offering and receiving kickbacks and shared fees for referring patients for diagnostic or medical treatments.
Industry-Related Fraud Opportunities ◾
177
▪▪ Billing for services that were never rendered either using genuine patient information to create fictitious claims or more simply, by padding claims with charges for services or medical procedures that were never carried out during the treatment of a genuine patient. ▪▪ Conducting tests, clinical procedures, or even surgeries that were not medically necessary. ▪▪ Conducting unnecessary diagnostic tests in order to justify increased insurance claims. ▪▪ Representing treatments as medical necessities in order to ensure insurance coverage for treatments not generally covered in terms of the insurance policy. ▪▪ “Upcoding” the treatment actually provided to a patient to claim for a more expensive procedure. This is usually accompanied by changing the diagnosis code of the patient to a more serious condition justifying the additional services. ▪▪ Billing a patient an amount greater than the contribution required by the insurance or even billing the patient for services already paid in terms of insurance contract. ▪▪ Overbilling to the insurance carrier to cover the amount due to be recovered from the patient when the patient claims poverty. 10. At the individual level, awareness and alertness are the primary elements of control activities to prevent health care fraud including: ▪▪ Treating health care insurance information with the same degree of care used for maintaining the confidentiality of credit card information. Carelessness with this information is an invitation to commit fraud. In the same way that credit card information is protected, health insurance information should not be disclosed telephonically or over the Internet. Where an insurance ID card is lost or stolen, the insurance company should be contacted immediately. ▪▪ Offers abound on the Internet and via e‐mail for free health tests or treatments and the provision of a variety of health care services. While there are genuine and generous free treatments and services available, in many cases these are fraudulent offers designed to obtain an individual’s health care information in order to defraud the insurance company at a later date. In addition to the damage this can do to the individual’s health care costs, such fraudulent bills can affect the individual’s health record and may result in future mistreatment of a serious condition. ▪▪ As with credit cards, examination of transaction records and reconciliation of accounts to the patient’s recollection or records of treatment
178
◾ Solutions
received are critical. Where such transactions are expected, the patient’s record should be checked. Where they are unexpected or untimely, the insurance company should be notified immediately of the possibility of a fraudulent transaction. ▪▪ When bills are received or benefit statements arrive, it is the insured’s responsibility to compare these records to their own memory of treatment received or records kept in order to ensure the treatment matches, the dates match, the number of visits match, and no duplicate transactions are being processed. On occasion, this may mean checking previous statements to ensure the transaction was not processed already two or three months ago. ▪▪ All suspected fraudulent bills and transactions should be passed on to the insurance company immediately. Most companies now provide fraud hotlines as well as the ability to report via the Internet. 11. Governments regard tackling taxation fraud as a major imperative in order to protect: ▪▪ Revenue income required for investment in public services ▪▪ Honest, taxpaying organizations from criminal or unfair competition ▪▪ Social objectives underlying taxation levels and specific items ▪▪ Against organized crime that benefits from the financial advantages of tax evasion 12. Legitimate tax shelters may include: ▪▪ Investment in pension plans ▪▪ Employer‐funded education ▪▪ Employer‐funded health insurance ▪▪ Employer‐funded life insurance ▪▪ Investment in real estate ▪▪ Retirement annuities