How Small to Medium-Sized Companies Can Strengthen Their Anti-Fraud Compliance Programs

JA: Mark, senior management attestations. That's a broad topic. I think we should probably start off by asking you to define what this is. Senior management attestations. What are companies attesting to? How does this affect compliance?
MB: Well, in the context of corporate anti-fraud compliance, an attestation is a statement that expresses a conclusion by an individual. In this case, a member of senior management about an organization's implementation of internal controls that help to detect and to prevent fraud. And in my experience conducting occupational fraud investigations involving schemes of various types. Think in terms of theft of cash on hand, theft of cash receipts, fraudulent disbursements, larceny, et cetera. One of the common themes that I've observed has been the failure of companies to fully implement the internal controls that are designed to prevent and quickly detect fraudulent activity. So what I'm describing here is an added component to the compliance program, to have senior members of management sign off or attest that the internal controls that the company has agreed to put in place are indeed in place and have been fully implemented.
JA:Great. We've heard of about controls obviously, and some of the bigger cases that unfortunately have hit the headlines over the last couple of decades, but your focus here is on small to medium companies. Why?
MB: Yes, I think compliance attestations are a good idea for all companies regardless of size. However, larger companies typically have more established and formal compliance programs in place. They've got more compliance resources and therefore, there's less need for help at smaller businesses and contrast senior management often don't think of risk proactively rather they respond after a fraud or a cyber incident has occurred. So attestations can help these small businesses drive improvements in compliance and help to avoid a company being victimized by fraud.
JA: Okay. No, that makes sense. I always like to talk about these things in the context of real life examples, maybe you can give me an example or give our listeners an example from a fraud investigation that you've conducted recently that might help shed more light on what happens when internal controls don't work.
MB: In a typical fraud or cyber investigation. One of the observations will be, this is the control or the internal control that failed, right? Didn't act as it should have in either detecting or helping to prevent the fraudulent activity. And a significant amount of cyber crime involves phishing, or business email compromise schemes. We're seeing this in the news on a very regular basis. Last year, I investigated a scheme that targeted an industrial supply company in North Dakota, the company had an ongoing project and Columbia with a large number of welders working there for several weeks. And what the perpetrator did was he spoofed the email of the manager at the hotel for the welders from the company were staying. And the spoofed email had an added letter I and the email address, which was not easily detected.

So this email was sent by the bad guy to the company's accounts payable manager, requesting payment of an invoice from the hotel and offering a 10% discount if it was paid within 72 hours. That's a typical scenario that you'll see is that sense of urgency that, "Hey, pay quickly and you might get some sort of a discount." And that's indeed what we saw in this example and the message seeking the payment and offering the discount included wire instructions.
JA:Yeah. This is almost like it's urgent. We know you've got controls in place, but this has just got to get done. It's kind of tempting to get the victim to say, "Okay, well, I'll kind of cross the Ts and dot the Is later, but I need to get this out now."
MB: Exactly. That sense of, "Hey, I know you've got whatever of the normal steps might be, but this is a special situation." Let's be practical trying to push the person to make a decision that maybe after the fact they would come to regret. And again, that's the very purpose for having controls in place to prevent that type of bad behavior. And in this case, again, this is at the company, the AP manager, he did in fact recognize the hotel manager's name and the email because he had had prior communications, but he did not detect that slight difference in the email address. Again, this is a phishing attack. He also did not check to see if the attached wire instructions were different from the wire details already in file. This was really the big mistake.

And the company had a policy in place that required verbal confirmations of wires if, and there's really two scenarios if one it's a new vendor or two, if there's a change in the vendor's wire details. So in this instance it should have been recognized as a change in the vendor's wire details. Unfortunately, the AP manager did not verbally confirm which would've meant a phone call back to the hotel, and then the hotel presumably would've said, "We did not send this invoice." And then maybe upon closer scrutiny, they would've recognized this as a phishing attack, but the AP manager did not do that. Went ahead and wired the funds to the fraudster. So in this scenario, the company had a control in place. The requirement that wires be verbally confirmed prior to execution, but the manager did not follow the protocol. And that's what exposed the company to fraud.
JA: It's interesting. Sometimes people tend to think of controls as this big book of documented procedures and big books of document procedures, a lot of times will get put on the shelf and people will go about their business. This kind of reminds me of case that I did so several years ago, where there was a control in place where checks, manual checks over a certain amount needed to have two signatures. That's all well and good, but the primary signer just had a rubber stamp of the second authorized signer to expedite thing from a standpoint of, we need to be very, very practical. We need to get this out and you can probably figure out what happened there.

The control was in place, but it wasn't implemented properly. It wasn't monitored. And there was a very, very easy workaround and it turned out it was a workaround that almost everybody who was in place in management knew about. But getting back to your example, which was really around controls around wires, what are some other key anti-fraud controls that you've seen or that you recommend?
MB:When I think of anti-fraud controls, I generally break them into four categories. And by no means, this an exhaustive list, but at least for me, it helps to break them into these different groupings. And then it helps to shed some light on the types of controls that would be relevant from a fraud perspective. So the first one, the payment controls that we've touched on requiring verbal confirmations of new wires or changes to the bank details that are existing vendor. Also it require multifactor authentication especially for online banking, for instance.

A simple user ID and a password will not be sufficient to prevent fraud. We see that all of the time. That's a pretty basic one, but again, it's not enough to have it as part of your big book of procedures. You got to have it fully implemented. You got to make sure that personnel are following the prescribed procedures set out in the controls. Second category is vendor controls. The key here is that you want to be making sure that there's at least two employees involved when a new vendor is added, in a typical scenario, you'd have one of the employees create the entry and a second to review and approve the new entry. Make sure that there's segregation of duties there to prevent a single person adding a new vendor.

Third category is changes to payroll, similar to controls around vendors when a new employee is added or when an employee leaves a company, those steps need to include two individuals in the process. So that not a single individual is able to add an employee or delete an employee from the payroll. Also payroll listings should be periodically reviewed for accuracy. This will help to prevent ghost employees or people staying on payroll after they have left the company. And I've seen several examples of this where someone within the company has a scheme involving someone who has left the company. So the former employee continues to get paid. And it isn't detected in some cases for years, which obviously is a great drain on the company and can be quite significant fraud.
JA:Yeah. I saw that in the case, not too long ago. And it was same vac pattern and the same person was responsible not only for terminating employees off payroll, changing addresses and maintaining those profiles. As you can imagine, this person was living very well on multiple paychecks until she got caught. So I hear what you're saying there, I do.
MB:Yeah. And that could be part of the potato chip phenomenon. I think you may be familiar with this Jim, where, you have one potato chip, so you make one change and you end up with one small fraud scheme that you think, "Hey, I got away with that." Just like the bowl of potato chips. You're probably not going to stop there. And so chip by chip suddenly the, the bowl is empty in front of you. And similarly the fraud schemes can grow and grow. And the impact in the company can be quite significant, especially if over time it's not detected.

I have one final time type of internal control. So this is a fourth one. And that's the whistleblower hotline or some sort of complaint mechanism. According to the Association of Certified Fraud Examiners, fraud losses at companies with hotlines were almost 50% lower than in companies without hotlines. So just adding a hotline can make a significant difference. And of course it's not just adding the hotline, it's making sure that the employees know about the hotline. They feel comfortable knowing how to use the hotline. They feel that they'll be protected. There won't be retaliation, et cetera, but that's a key internal control is having some sort of a complaint mechanism in place.
JA:Sure. No, I think that's right. And one of the factors when you talk about hotlines and hotlines being associated with companies that are protected, it's the companies with the hotlines that are the ones that tend to have a more robust and rigorous internal control structure with regard to fraud preventions, it's part of an overall serious anti-fraud environment, but it's definitely a good indicator that, that is present within an organization. Mark, we talked a little bit about attestation before, but let's really get into it. How does the attestation process work, who would be involved in it? What would be the steps?
MB: So there's obviously different ways that this can be designed and it should be designed based on the specific needs of the company. But what I would look to is to include a routine, perhaps quarterly sign off by two or three of the senior executives, and then have them provide details of any exceptions. And so if they're unable to attest that such a can control has been fully implemented, then you'd certainly want to understand why, to what extent was it not fully implemented? What's the exception here? And so capturing of that detail is also key. Typically the CFO has the most responsibility for compliance, at least regarding financial controls. But I do think it's advisable for other senior executives to provide attestations. So companies should consider including others. Again, it's going to depend on the circumstances, but the CEO, the COO, et cetera, and this can help to really reinforce the sense of the compliance responsibility doesn't lie with one individual.

It really should run within the organization, throughout the organization and it absolutely needs to start at the top. So this is another component of that tone at the top. And again, reinforcing the importance of compliance throughout the organization. Other options include adding authority matrix sign off to the attestation process to ensure that appropriate review and approval of key decisions are taking and to include confirmation that key compliance components have been enacted and are being carried out as planned. For example, periodic fraud or cyber risk assessments and periodic testing to confirm compliance, these to the extent that their components of the program. And they should be, then there should be the sub sign off. Again, this could be done on a quarterly basis, but sign off to the attestation that these are in place and that the authority matrix is being followed by senior management.
JA:Mark, thank you for that. We certainly covered a lot of ground today. Like anything else in the world of fraud and forensics, it's still the tip of the iceberg, but in this limited amount of time, do you have any final thoughts that you'd like to share?
MB:I do think it's important to think of compliance programs as evolving over time. They're not static. They need to adapt to the changes in the company's risk profile, as well as changes in the business environment and by including attestations of compliance, and by including such things as authority matrix, sign off small and medium size businesses can drive improvements in compliance and be better prepared to avoid, or at least quickly detect breaches.
JA:Mark, it's always a pleasure to get together with you. Thank you very much for sharing your perspective today with our listeners about what companies can do to prevent and detect fraud.
MB: Thank you Jim, it's been a pleasure.
JA:And thank you for listening to Fraud Forum, part of the EisnerAmper Podcast series. Visit eisneramper.com/FRAUD for more information on this and a host of other topics. And join us for our next EisnerAmper Podcast when we get down to business.