On-Demand | A Blueprint to Managing Corporate Fraud Risk During a Pandemic

So what we'll be covering today. So our objectives and outcomes are to offer a practical approach to address the increase vulnerability and heightened risk of corporate fraud that's currently occurring right now. And we'll be covering how to assess areas that corporations are more vulnerable to fraud, fraud prevention and mitigation procedures and actively monitoring for potential fraud red flags. And as you see at the bottom with our learning outcomes, we'll be discussing COVID-19 environment and how has that related to historical events from a crisis perspective and how that impacts fraud. We'll talk about the fraud triangle. We'll talk about the three-line model to fraud mitigation and then really provide practical examples of how you can be implementing fraud mitigation procedures right now to protect your organization. And highlighting red flags that will cover cyber and some global school fraud risks.

What I also did want to mention before we get started here is I wanted to acknowledge and thank our partnership with the Institute of Internal Auditors, the genesis of this presentation related to a corporate fraud white paper that we collaborated with the IIA, titled, the Blueprint to Managing Corporate Fraud During the Pandemic. It was initially drafted in English, then it went global after generating interest by its affiliate firms and is now available in Spanish, Portuguese, Japanese and other potential languages that are in the works. So these will all be available to you and you will be provided with that info on how to download them as part of this presentation. So with that, we will get started with our first polling question. So I'll turn it to you, Lexi.

Luz Rodriguez:Okay, Lexi. Based on the answers, we believe that the majority of the participants are either in the banking and financial services. We wanted to have this information to know what type of users for the information that we are going to provide is going to be applied to. So, thank you for participating, go back to you Nelson.

Nelson Luis:Okay. Great. Thank you. All right. So, what we will be covering here today is ultimately as everyone is living through this pandemic, it really has created an environment that's ripe for fraud, right? And fraud can affect any organization because ultimately, it's a human issue. People's psyche and morale is low right now. So to start, we took a look and as part of our research, looked back at the last great recession that we had and during the '08, '09 financial crisis. And as an interesting statistic, 84% of companies cited some level of fraud occurrence following the recession. So a key question that we have for everyone is, are organization's prepared this time around? And really what happens during these timeframes is people are dealing with so many different issues from the layoffs, potential furloughing, companies cutting back on expenses, people might have excess medical bills.

So the environment to commit fraud for folks for the first time, normally is exacerbated in an environment that we're currently living in. So people try to take advantage of these circumstances, especially with people working from home and things of that nature that we'll be covering here. So the unfortunate reality is that COVID-19 is creating an environment right for fraudulent activity. And then what we're seeing is how organizations are operating and their priorities through these different factors. And ultimately how the actual crisis is intensifying the pressure on management to deliver financial results during a challenging time period.

Okay. So thank you everyone for that. Interesting. So let's keep the statistics in mind. So 67% or so are expecting an increase and 23%, no change. So we wanted to parallel all this. There was an interesting survey that was fairly recently put out by the Association of Certified Fraud Examiners, that's rarely accessible if you were to look for it and we'll give you the link here as well but they've put out a few surveys and it's called fraud in the wake of COVID-19, a benchmarking report, where they really try to aluminate the global pandemic impact of fighting fraud through the current environment. And the survey results indicated that 77% of respondents and this was over 2000 respondents, they compared where the perceptional fraud was at the commencement of the pandemic and then three months later.

And there was a 77% observed increase of fraud during that three month timeframe. And then the next question was, over the next 12 months, how do you anticipate that level of fraud to occur? And 92% indicated that they anticipate a heightened level of fraud. And these were normally folks that are already kind of the fraud fighting business, if you will. So interestingly, it's a bit higher than what we just came up with on this survey but thank you for doing that.

And then we wanted to highlight as part of that survey, there were three areas of specific fraud risk that were highlighted amongst others, where there really has been a sizeable increase. And if this affects any of your organizations, we wanted to highlight them for you. Clearly, cyber fraud has been top of mind, even the FBI created its own site dedicated to this at the commence of the pandemic. And Luz will be talking about this further throughout the presentation. Unemployment fraud, clearly with all the benefits being provided by states, there's a lot of scams being put out there with respect to identity theft and people gaining access to unemployment checks that they are not entitled to. And then lastly, on the payment fraud side, which really could be applicable across a broad range of spectrum. And with that, I will turn it to David to walk through our thesis, if you will, of the steps organizations can be taking to manage their corporate fraud risk.

David Sumner:Thank you, Nelson. So Nelson went through a little bit of background with the current pandemic environment and how individuals think that fraud may impact the organization going forward. And also overlaid that with the ACFE report findings, which I think were very similar to what responses were to the participants in this event. But what we're going to try to do now is dive into what all of us can do about it. And I'm going to break this down on how we can manage the risk of fraud into three separate steps. The first step is going to be to assess, all of you and us are our most vulnerable to fraud.

Second is going to be taking a look at how to implement some additional procedures to mitigate fraud, to protect your organization. And lastly, we're going to be talking about actively monitoring of red flags. And these steps should not really be a surprise to anyone who's an auditor or an internal audit, anyone who looks at financial controls. These are fairly standard steps when addressing certain risks that face your organization.

In step one, we're talking about how to assess where you're most vulnerable to fraud. And one of the most common ways of doing this as a fraud risk assessment and fraud risk assessments are sometimes a session at a meeting or a series of meetings in which the participants take a look at and brainstorm a potential fraud scenarios, their likelihood and impact and what controls exists to address or mitigate those risks. If you've ever attended other trainings CPE programs that address the topics of fraud, I'm sure you've probably seen something very similar to the graphic that's on the screen right now. And that's the fraud triangle.

If you're unfamiliar with this, I'll just quickly describe what it is. And that is that research has shown that for fraud to occur, there must be three elements. There's should be pressure to commit the fraud, an opportunity to commit it and then a rationalization, which is a changing of the internal moral compass in which an individual decides that it's okay to commit some type of fraud. And while presenting the fraud triangle here may seem like a pretty basic step, it's also a very important step though, however to effectively manage the fraud risk during the current environment. I really want us to go right to the foundation of what is occurring right now. If your organization doesn't have a formalized fraud risk assessment process, even an informal discussion can be helpful. And if you're unclear of where to start, you could reach out to any of us on this program or to your trusted accounting advisors.

And so, we're going to go into these a little bit deeper in the next slide. And hopefully it will make little bit more sense to those of you that aren't familiar. So these are the drivers that we may be seeing right now that employees are going to or maybe under during the current environment. And what I want to do is think about these and I want you to think about these because everyone's particular environment is going to be different. Every company has different reactions and different changes to their internal control system as a result of the pandemic. So it's going to be very important that everyone looks at this through their own lens of their own situation. If I'm looking at the pressure column, I see things such as people may have had reduced wages. You may see higher expenses. I think Nelson mentioned a little bit earlier about increased medical expenses.

I think people have also seen layoffs either by an individual or within the family, maybe a two wage earner family now only has one. Also, I think that there's a lot of job insecurity throughout all different parts of the labor market. Just because you have a job today, I think it's possible that someone is thinking about, they may not have one next week, next month. That's a second solely breakdown a person, that type of pressure. You can move sleep, you can be cranky, it stresses our relationships. So those are the types of things that you're going to see in the pressure call. One other thing that I'm certainly experiencing on a personal note is working from home can also add a great deal of pressure. I'm working at home, I have my spouse here, I have my kids who are homeschooling, all of those things can be very distracted and can add additional pressure to your home environment and current working environment.

On the opportunity side, the whole switch to the work from home business model happened fairly rapidly. I don't think most companies really had the opportunity to fully identify the risks for institute mitigating controls. At least in my experience, we were hearing news about this pandemic and then all of a sudden, a week later, we were working from home. Along with the changes in what maybe controls or processes, departmental reductions may have impacted your departments or your team's ability to do their work. You may also have had extended absences due to someone perhaps contracting the virus or having to take care of loved ones who are or even just having to go through quarantine.

Segregation of duties is probably been one of the bigger areas that have taken a hit in the current environment. And that's something that we should all be aware of. If either on our departments or the processes that we control are the ones that we look at, we should be very wary of where segregation of duties may not or may be tossed to the side. I think in a lot of instances and we've seen this at some of our clients in the last couple of months, we've also seen override of controls occur. In order to get things done in a work from home environment, certain processes may have experienced some override and proper approvals may be skipped. So those are a couple of things in the opportunity area that we really need to make sure that if we're in the internal audit or external audit, we understand what's going on. And if you're internally and you're concerned about fraud, you should at least understand where certain procedures or controls have been skipped.

And then the last bit is the rationalization. And a lot of stress, whether it's financial, personal, emotional, those can lead to someone changing their moral compass. Another risk here is if you think about what humans are, at least to me, I think humans are very social creatures. And without having the social interaction that I know a lot of us strive for and feed off of and enjoy, taking that away from us also creates a little bit more pressure and damage to our ability to make the correct decisions. One last area I'd like to point out here is, if you've seen your colleagues being laid off and then you've taken additional responsibilities without a commensurate increase in pay, that’s another reason why you may see someone rationalizing why they may think it's okay to commit fraud.

I'm doing more but I'm not getting paid. Or perhaps I even went got a pay reduction. Those are ways that someone can rationalize why they may all of a sudden go from a good employee, an honest employee, to one that's made a mistake. If your organization or its employees have experienced any of these things such as layoffs or increased workload, change in internal controls, reduced budget to get your work done, and I imagine most of us have, then I think that what I'm trying to say here is that you are undergoing a greater risk of fraud. And that's something that we want to talk about over the next couple of slides.

Luz Rodriguez:Thank you Lexi. I am surprised to see these answers. The highest percentage said no change due to all the current changes, and that many people are now working remotely; we would like to see that some companies actually are increasing the level of spending. Unfortunately, due to the fact that many companies’ income have been reduced, they're also trying to save money on some of the expenses, and the anti-fraud programs are also being affected by those reductions in the budget. Back to you, David. Thank you.

David Sumner:Sure. Thanks. I'm a little bit surprised there too, with the 49 and greater than 50% are either showing a reduction or no change. That's surprising to me because if you have increased risk, usually it's the opposite but I certainly understand that we are in a very unique environment in which you will see the big reduction in available budget. And so, we have two competing priorities here. It's the reaction to risk, as well as the pressure to reduce expenses during times of perhaps reduced revenue. So, very interesting. It's where you have those two competing priorities and some companies will survive without a major fraud and so many not. So on this slide, we're going to get to the underlying reasons and what we're trying to get to in step two, which is after you've assessed your fraud risk, what can you do as an organization to mitigate it?

And we're going to be talking about the three-line model and a three-line model is a way to separate the different responsible parties who are all have some sort of a responsibility towards combating fraud. The first line is operational management. These are the people that are running the departments. These are the people who are approving contracts, people in those types of roles that are dealing with customers or orders or manufacturing. That's the first line. These are the people who are the most knowledgeable of any adaptions or overrides that have occurred during the transition to work from home. So, that's something you should also be aware of.

The second line is the risk and compliance function. They should be looking at the organization as a whole and they should be thinking about how they can be a resource to the first line group and helping them to manage any sorts of increased fraud risk. And even if as a resource, they can be doing lots of different things to help the first line. Lastly, there's the third line, which is the internal audit function or other similar groups. And their role is to test and assess the effectiveness of the controls in the organization.

One of their primary things that they can do is identify the exceptions that were either intended or unintended throughout the organization, as a result from the transition to working from working. Working from home had to happen and what's needed is that internal audit could be a great resource to work with the first line and even the second line to help make sure that everyone is aware of what is actually happening versus what was intended to happen. And so, it's going to be very important that these things, the L three lines work together.

So what we're going to list here, what can each of these three lines or three groups do in order to help to mitigate fraud in the organization? In the first line, I think it's really simple and sometimes when you're looking at ACFE studies that talk about what are the most effective ways to deter fraud, tone at the top is one of the simplest, one of the most cost-effective and a very highly effective deter when it comes to deter in fraud.

Knowing that they changed their procedures, that they have perhaps had some additional segregation duty or some reduced staffing concerns, operational management can get more involved, take a look, be there for your teams, find ways to team and to be more involved so that you understand what everyone is going through and how they're adapting to layoffs or working from home or changes in procedure. Those are all very important steps that operational management should be undergoing.

The tone at the top should also include making sure that if you do see fraud, it's very important that zero tolerance is reinforced. Any different rules for you and me will undermine any organization's anti-fraud message. So if fraud is found, there needs to be zero tolerance.

On the second line is very, very important for the risk management and compliance functions to make sure that they understand and are communicating with the first line as I've said before. One of the ways you can do this is with virtual fraud training, any fraud training and also to make sure that everyone is communicating across the first, second and third line. I think that's a great middle ground for the second line to be and taking the lead for the entire organization. And in terms of what the organization's anti-fraud risks are and how they are reacting to them. And lastly, on the third line, internal audit, the continuous monitoring is very important, keeping up to date and utilizing your analytics, are very cost-effective ways to take a look at what your fraud risks may be.

I would think that if I'm looking, if my major risks are perhaps side letters, because our sales department is under a lot of pressure and there's a risk that they may be offering our customers some generous returns or terms that allow them to perhaps get the product back after a longer period of time. What I would like to do or what they should do is make sure that they're watching in some sort of analytics or continuous monitoring tool, what the actual returns are, take a look and see if there's any increase in credit memos or something like that. One other aspect of the internal audits way that they're being challenged right now is that travel is being restricted. So it's going to be very important for internal audit to figure out ways to audit remotely, just like the external auditors are also going through this same exact challenge.

One last thing, the surprise audits, they can certainly be a disruption to the audit T on the first line. But they're generally in our experience a little bit more effective than planned audits. Nelson, did you want to add a comment there?

Nelson Luis:Yeah. I just wanted to add in here one question that we're getting often that I think aligns well with the three lines that you have here is, what are some quick hit things that we can do being that we're scrambling right now and we're focusing on other areas? So, on the first slide, operational management area there, one thing that we would recommend is how often are you all within the organization looking at your hotline? Are you reminding your employees about the hotline? Interestingly, as we're conducting the research for this paper, as well as speaking with our clients, what we're getting a lot of feedback on is that our hotline has gone dormant. We're not getting the calls as we used to in comparison to the usual volume. Not only domestically but if you have international operations also we're not hearing much from our folks overseas.

So, that's an easy one to send out one of those, did you know or reminder emails with a link to the hotline. And then lastly, which I know we'll cover after is on the third line, internal audit. Interestingly, we mentioned surprise audits at the bottom there and that's really an interesting way to keep folks within the organization on their toes. And then, the organization is in highlighting some of those findings or kind of letting those within the accounting, finance, executive management, which are traditionally the area’s most vulnerable to fraud within the organizations, because they have access and they have the opportunity to create fraud related issues within the organization, informing them that even if it's just one audit that's being performed, it not even kind of providing that much further clarity, other than that, I think that helps, again, quick hit areas that could help increase that sensitivity right now, so that employees know that the organization is still focused on combating fraud. I'll turn it back to you, David.

David Sumner:Thank you. Good comments, Nelson. So if we're looking at the last step, which is to remind us that the first step was to assess your risks, the second was to institute or implement certain controls within your organization. Then the last one is recognizing the red flags of fraud. And these are going to come up through your analytical procedures, they're going to come from, of course, anything from the hotline as Nelson just mentioned. But one of the things that is very important to hear is the ACFE every year puts out every couple of years, I think it's every two years, the study on occupational fraud. Every time this report comes out, the most successful way of identifying fraud is the whistleblower or the test.

And so, what you need to do is empower your entire organization through a hotline, through making sure that they are willing and feel safe to speak up, because sometimes you're going to be actively looking for red flags of fraud through your analytical procedures or other types of things but it would be great if you could empower your organization so that not just the compliance department and not just internal audit are responsible for identifying potential fraud but it's your entire organization that's working together to create an environment that is free from fraud and everyone feels empowered to speak up and not be shouted down or feel that their job is at risk.

The first two steps, you should understand what your risks are and where you're vulnerable. And then those areas that still, if you haven't been able to mitigate certain risks, then what you need to do is you need to make sure that you have some analytical procedures that will cover that gap. And that can be so for example, if it's very difficult for you to implement further steps in your vendor disbursement process, then what perhaps you should just look to implement some additional analytical procedures on vendor approvals either new vendors or for payments. You could look for perhaps add extra scrutiny on new vendor approvals or you could look for payments electronically for any payments that seem to be just below any dual approval thresholds that your organization may have. Take a look at those areas and see if you see any patterns.

Another thing that you might want to be able to look at is hours to complete a task or certain other types of resources. It's a fairly simple analytical procedure, if your assistant has the information to compare hours spent to perform a task compared to pre pandemic rates. You may be able to identify whether or not people working from home may be committing our fraud or perhaps a manufacturing process may be a little bit less attention to detail if maybe there are less people in the plant or people are under a little bit more pressure and maybe there's a little bit more scrap being created than what is really needed. So think about those areas that you've identified from steps one and two, in which you might be able to do some analytical procedures and find some additional red flags.

I'm not going to read all of these but what I would like to do is highlight a couple of them and some examples that we're seeing in the real world. One of the things that we certainly have seen is the payroll protection program, which was a massive governmental program that was set in action very quickly, hopefully that rings a bell not only in the program but also what we're trying to talk about here, which is when you implement something such as going to work from home or implementing a large government program to provide phones to small businesses, in both instances, they were rushed through and not every step of the way might've been contemplated and planned for. It's very simple. You can go to the news and you'll see many examples of people who abuse the payroll protection program, where they've been using those funds for prohibited purposes.

We've seen luxury cars, super cars and jewelry, yachts, vacation homes, paying off personal debt. All these things happened because this was a big government program that was quickly implemented and not all controls were put into place. And I think that's a great parallel to what a lot of companies have done and going to work from home. Another couple of things that we're going to talk about or I'd like to talk about here, are side letters, something that might be very hard to detect. So please, as I mentioned earlier, you should be looking for perhaps unusual trends with returns. And that may be a little bit difficult to find right now, because you may have customers returning goods because they're on sales or their own needs have been reduced.

But that's something that we should all be looking for. Before we go to the next polling question, is there anything else, Nelson or you think we're covering it well?

Nelson Luis:No. I think you write really here is everyone normally is very focused on that third call, the financial statement fraud and I just want to make sure people are keeping in mind the first two pillars. Interestingly right on the asset misappropriation, an easy one that we were in touch with a client about recently is they were seeing continuing TNE being submitted by some of their employees, where in many instances, companies are seeing big reductions in TNE expenditures from their employees because people aren't traveling, they're not doing the lunches and the dinners, et cetera.

So that's an easy one to look at, right? To assess if there's been any areas of manipulation there. And it's normally an easy one for employees to get some extra money in their pockets. And then the last one that we have here, falsifying hours, leading to overstatement of compensation. If you've got an hourly employees, we're getting a lot of questions around this one, because it's challenging to determine how many hours people are actually working when they're on home. So putting in procedures in place there to mitigate some of those risks so that you don't look at that three, six months down the road. And then it's brought to your attention through a tip or you have a bigger issue on your hand that was more systemic. You want to try to identify those issues now, early and nip them in the bud. So back to you David.

Luz Rodriguez:Okay. So now I want us to talk about cyber threats and the risk mitigation about these threats. As you are aware, many people are now working from home and this has increased the risk of cyber-attacks. And one of those types of attacks are stealing the information or maybe asking for ransom where, to give back the information or the key information. Cyber-attacks have increased anomaly since the COVID-19 started. And unfortunately it's been affecting certain areas that are actually trying to help the pandemic to be resolved, such as the hospitals. It's sad to hear that many hospitals, many healthcare industries have been attacked and had to pay a large amount of money to get their information back or to reduce the risk for those hackers to maybe expose the medical information of their clients.

Ways to prevent cyber-attacks are like training the people in the company, reminding them constantly how to be cautious about the clicking on unfamiliar emails or links that you receive. Also, keeping in mind that whenever we're going to make a payment or whenever we had to share information about the financial information, make sure that you send it to the right person, make sure that you are not being requested information by someone that's actually not entitled to receive that information. And also again, be very cautious. If you receive an email, verify that the source, is someone that you know and don't click on any email because that's one of the main ways how hackers are attacking us.

Okay. Now let's talk about global risks. Global risk is a risk that some organizations encounter when they are offering the services in certain areas. The Corruption Perceptions Index or CPI generally defines corruption as the misuse of public power to request for personal benefit. And the levels of corruption go from 100, which is a very clean country to zero, where the corruption is very high; and these ranks include about 180 countries or territories on the levels of public corruption. Multinationals that decide to offer their services in certain countries, had to keep in mind the additional cost that have to encounter or the additional risk they are going to encounter due to the fact that they are now servicing countries that have a high levels of public corruption. Okay, Let's go back to Nelson, who is going to talk about our EA Protect Program.

Nelson Luis:Okay. Thank you, Luz. So really, as we're coming to the conclusion here of our presentation, you've heard a lot about the three steps and what we are providing to you here is I would say five key questions that you could be taking back to your organizations and asking yourselves, how are you all doing? So, the first one there is, we provided examples of the heightened level of pressure and opportunity. So, if your organization is rightsizing or undergoing some other transformational change right now, how does that affecting the psyche of your employees? Are there folks, perhaps, through lack of segregation of duties that in a few months you will be asking yourselves, who's monitoring XYZ risk? And you don't want to be in a position where you say to yourself, wow, actually that person or some of the individuals in that group either were laid off or they were put on other tasks.

So we haven't looked at that. That second bullet, have you canceled your high-risk international assessments? So Luz just highlighted an easy benchmark test is, if you are U.S. based company, are you really focused on your priorities and risks here at home? And are you neglecting perhaps where you have even higher risk in those high risk countries around the world that have low CPI scores? So we're hearing that a lot of companies right now have pushed back those audits in those high risk markets. They are trying to find more desktop approaches to doing that level of work or they're not doing anything at all.

So that's a second area where you might want to think about where do you have that low-hanging fruit of where you have fraud risks, don't neglect the international. Third one that I mentioned earlier about managing your hotline, how active has it been? Are you receiving calls and tips? How does that come pair to pre COVID? So that's a key question for you to think about. If the answer is, we're receiving little or nothing right now, we would perceive that to be a risk. Fourth point, doing more with less. So how can you as an organization adjust to the current environment that we're in?

David talked about forensics data analytics, for example. And we're seeing more and more of that of taking your high risk accounts and high risk transactions and performing that analysis remotely to try to identify those needles in a haystack. And then adjusting accordingly as to how you're going to address those issues. Of which, by the way, is one of the elements that the regulators, the department of justice, for example, has indicated, is important for organizations to have something like that embedded in their programs that's risk-based to demonstrate that they have a robust effective corporate compliance program in place.

So there should be something that companies should be doing now. And then lastly, don't forget the employee sentiment piece, the psyche piece, everyone normally is very focused on the financial misstatement risk but don't lose sight of the people's psyche. So one area that we specifically are supporting clients is we have this program solution that we call EA Protect, which essentially you see in the gray box areas that we're helping clients around. A lot of that right now is being performed remote, desktop type approach. And so you see that first bullet there of the anti-fraud, anti-corruption risk assessments, helping companies look at location screening and selection, like if you are going to do at least one audit internationally, where should it be?

What business unit should it be? What's the level of risk related to that business unit, for example. Are you sending out surveys, questionnaires? That's an easy one that you can do remotely now to assess and keep a pulse on as to the fraud risk in your international markets, the forensic data analytics, which I mentioned and the hotline review. So ultimately, these are procedures that we're seeing clients perform with either internally or with some of their professional service providers. And we are seeing a lot more of an outsourcing or co-sourcing type of arrangement or just having an on call investigation unit, so that you could respond quickly if your company either doesn't have a group like that in house or you might have laid off or furloughed some of those employees.

And the last thing I'll mention, which, we have been finding and engaging in a lot of discussions around is how companies have gotten creative because they have limited budgets, is we have these risks. We know we have these fraud risks but we don't really have the budget. And we saw in the poll here that the predominant answer was that there's not going to be any change to budgets or they might even be decreasing. So one area that could be creative is embedding cost recovery and audits as part of your compliance or internal audit or other plan. And to allow those audits to help fund some of these initiatives that we're talking about here. One example would be exercising your audit rights if you have a business arrangement with a joint venture, a royalty arrangement, a licensing arrangement, doing an AP scrub, for example. So those are creative ways that we're seeing clients trying to allocate dollars from other areas and actually allowing their internal audit compliance departments become revenue generators, which we know would be a welcomed thing right now under this environment.

So with that, I know we're coming up on time and I know that we did receive a few questions. So with this presentation, these are some of the resources that are available to everyone. The blueprint document is available in these four languages. And we're happy to share that information. Everyone can download this presentation as part of the email that you'll be receiving. And we know that there were some questions, so sorry, we could not get to any of them actually. But of the few questions that we did receive here, we will be following up with those that sent them. So thank you for that.

^{Transcribed by Rev.com}