
ReCh Management Centre

Forensic Auditing & Accounting

6th - 17th October, 2008

Contents

Overview of “Creative Accounting” Techniques and the Red-Flags of Fraud
Introduction
Bad Cellular
What is Fraud
Facts about Fraud
The Fraud Triangle
The Red Flags for Fraud
Factors Contributing to Fraud
How is Fraud Discovered?
What is a Red Flag?
Why are Red Flags important?
The Importance of Red Flags for Fraud
The Types of Red Flags for Fraud
General Red Flags
Opportunity Red Flags
Employee Red Flags
Management Red Flags
Changes in Behaviour “Red Flags”
Red Flags in Cash/Accounts Receivable
Red Flags in Payroll
Red Flags in Purchasing/Inventory
Lifestyle Fraud
Common Types of Fraud
Other Fraud Danger Signals
Next Steps
Evaluating Red Flags
Reporting Fraud
Conclusion
Internal Accounting and Operational Controls and Fraud
Internal control structure
Internal Controls
Limitations of Internal Controls
Balancing risk and Internal Controls
Internal Operational Controls
Internal Accounting controls
Components of Fraud Rationalisation
Fraud Detection Plan
Fraud Deterrence Plan
White collar crime and Business Risk
Governance and Business Risk overview
Fraud Theory
Limitations of traditional audit techniques
Strategic Fraud Prevention Plan
Investigations and Expert Witness Testimony
Introduction
Purpose of the Fraud Response Plan
Action following detection – Stage 1
Action following detection – Stage 2
Initial Enquiries
Managers duty of care
The Fraud Interview
Use and protection of evidence
Appointment of a case manager
Police Involvement
Company Fraud Register
Fraud Response Plan review
Fraud case Management Tips
Guide for Witnesses in SFO Trials
Conclusion - Time for a standard for corporate governance
Case Study
Differences in control procedures in a manual and a computer environment
Internal Accounting and Operational Controls in functional areas
Sales Controls
Purchase Controls
Bank Controls
Appendix – Definitions & Resources
Resources
Definitions Related to Fraud

Overview of “Creative Accounting” Techniques and the Red-Flags of Fraud

Week12 – Day 2 to Day 4 – 7th to 9th October

Introduction

Why didn’t you see it? There was fraud and you missed it. Conducting a “should have” review
after a fraud happens may show that red flags were present. If you had only recognized the
warning signs, then that loss may not have occurred or may have been substantially reduced.
Based on a recent survey by the Association of Certified Fraud Examiners (ACFE), occupational
fraud substantially increases organizational costs. It is a myth that fraud is a big scheme
that should have been uncovered sooner and was easy to detect. Fraud starts small and just
gets bigger and bigger, until something becomes noticeably different or unusual.

According to a report from BDO Stoy Hayward, companies’ trusted internal management
and the people they do business with every day are behind hundreds of millions of pounds’
worth of losses every year. “Management are robbing you blind,” says Simon Bevan.

“The combination of spiralling debts and desperate employees spells real danger for
business,” warns Bevan.

Fraud damages the economy. It is not victimless, but it is indiscriminate, hitting both rich
and poor. Fraud is not just about share support operations: it has an impact on individuals
and on the economy as a whole. Fraud involves no violence, and leaves no tangible
visible scars, but it can be devastating in its effects. It is said that 16 people committed
suicide as a result of losses incurred over the Barlow Clowes fraud. It is undoubtedly
costly. The Head of the City of London Fraud Squad recently looked at the historical
picture and discovered that the economic cost of fraud to the UK economy:

~ in 1985 was estimated at £1 billion

~ by 1994 had reached £4 billion

The most recent comprehensive study, the third report of the Fraud Advisory Panel,
put the annual economic cost at £14 billion per year, and the authors believed that even
this was an underestimate. This equates to some £230 per head of population.

There is also a strong likelihood that a significant amount of commercial fraud is never
reported by companies for fear of gaining a bad reputation. Anecdotally, I have learned
that at least one major insurance company "routinely" receives claims against fraud
insurance policies exceeding £50million, but that these are never reported to the police or
elsewhere.

I believe that we must be seen to tackle fraud effectively, for economic, social,
international and moral reasons.

Economic justification for eliminating Fraud

I have already mentioned cost, both to individuals and the economy as a whole. There is
also another economic aspect. Fraud corrodes confidence: it has a negative economic
effect. It undermines confidence and the standing of our financial services industry and our
global reputation as a place where clean business can be done. If investors lose
confidence in our ability to police our markets, they may take their business elsewhere.
The fact is that a successful economy requires a healthy and well-regulated marketplace
to retain and increase investment. Tackling fraud effectively is important for the reputation
of UK markets.

Social justification for eliminating Fraud

There is a social dimension as well. Social equality requires that we bear down on white
collar crime as effectively as on benefit fraud. Since 1997, the number of Benefits Agency
investigations resulting in successful prosecutions or cautions and penalties as an
alternative to prosecution has risen from 11,700 to 26,958, and over a similar period the
level of fraud and error in Income Support and Job Seekers’ Allowance has reduced by
£180million, or roughly 18%. This work is now undertaken by Job Centre Plus. We need
to match this approach in white collar crime. Tackling fraud effectively demonstrates an
even-handed approach to justice: dealing with white collar criminals as well as those
responsible for the bulk of crime.

International justification for eliminating Fraud

And there is an international aspect. Government wants developing countries to prosper
and free themselves from fraud and corruption – but our own house has to be in order or
we have no legitimacy to tell others to sort themselves out as a condition of aid.

We are determined to play our part in the worldwide effort to tackle international terrorism
and drug trafficking. Fraud, money laundering and the use of the proceeds of crime to
finance further crime are inextricably linked.

Moral justification for eliminating Fraud

Finally, there is an issue about the distribution of the resources of the state – where public
money is siphoned off through fraud; that means less money to go to the pensioner,
disabled person or low-income family who really need it.

In summary, tackling fraud effectively fits in to our wider economic, social and international
agenda.

Mechanisms for dealing with Fraud

In this country we have developed a sophisticated set of mechanisms for regulating the
markets and tackling City and company fraud. Principal among these, in the regulated
sector, is the Financial Services Authority with a wide range of powers of investigation,
and an impressively creative series of sanctions available to it, ranging from withdrawal of
authorisation through to fine, public censure, injunctions, restitution, prohibition orders and
banning orders. The DTI, in its policing of the company sector, has available to it the
nuclear weapon of applying for the winding up of a company, and the ability to bring
disqualification proceedings. The revenue departments are able to exact harsh financial
penalties for revenue fraud.

No-one should doubt the effectiveness of these sanctions, or the impact on individuals.
The disqualification proceedings in Barings were heavily fought at a cost of hundreds of
thousands of pounds. In the City, the loss of one’s reputation, and the inability to secure
similar employment, are devastating consequences of being caught out.

But I do believe that there is a range of cases where these sanctions are not by
themselves sufficient, and the public rightly expects:

1. That wrong-doing is marked by a conviction in the criminal courts;

2. A penalty of the kind that might be applied to any other individual guilty of
criminal behaviour. In some cases, prison will be appropriate. The courts are fully
conscious of the devastating blow of conviction and imprisonment for a
professional man. But where individuals abuse their privilege and trusted position
in order to carry out a fraud, relying in fact upon their previously impeccable
character to mask their wrong-doing, prison will often be appropriate. Equally,
courts have chosen to mark the fact that certain frauds, such as insurance
frauds, deserve imprisonment because they are difficult to discover and involve
detailed and carefully planned dishonesty, and that therefore a sentence of
imprisonment is required as a deterrent. The courts also draw a distinction
between cases of honest businesses falling into difficulties, causing a director or
controller to resort in desperation to fraud, with a situation in which a scheme
was from the start a fraudulent enterprise and substantial sums of money and
property were obtained. In such circumstances, quite severe sentences are
passed.

So there are cases where it is clear from the start that a response by a criminal
investigation and prosecution agency is required.

As some of you will know, the SFO was established in 1988 as a result of a
recommendation in the Roskill report for the creation of a unified fraud investigations and
prosecution agency which would be responsible for serious and complex fraud cases.

The Criminal Justice Act 1987 created the SFO. The distinctive feature was that powers of
investigation and prosecution were given to the Director of the SFO.

The SFO has not always had a fair press, so let me state unequivocally: the record of the
SFO is impressive and it has more than proved its worth.

In its 14 years of operation, the SFO has prosecuted more than 237 cases involving 516
defendants. 366 (71%) were convicted. In the period under Rosalind Wright, 69 cases
have been prosecuted involving 134 defendants. 115 (86%) were convicted. There are no
recidivists in SFO cases: convicted defendants do not reoffend. It is well known that SFO
prosecutions have a deterrent effect. Yet the SFO is delivering these lengthy and highly
complex cases on small resources – an average of 2½ staff per case.

Why is the work of the SFO important?

The money involved in these cases is in excess of £2.5 billion

A successful SFO deters fraud as well as prosecutes it and helps to maintain confidence
in the probity of business and financial services in the UK.

Other countries model themselves on the SFO approach.

There are a number of features of SFO work that are distinctive.

Multi-disciplinary investigations:

Police officers seconded on a case-related basis.

The SFO accountancy/financial investigation team’s role is crucial. They analyse financial
information, including statutory accounts, management accounts, and cash flows. They
also manage outside accountants, supervise searches of offices and homes and, most
important of all, trace the money. The team involves former fraud squad officers, and
others who have gained special financial expertise in their former occupations, but let me
say a special word about forensic accountants.

In the SFO, forensic accountants play a vital role in supporting investigations both
internally and as external appointees. They provide a perspective that other investigators
do not have and are often chosen for their specific experience of the sector which is being
investigated (i.e. insurance on Independent). Forensic accountants also bring not just
numeracy but an inquiring mind (not just what happened but why). They enable the SFO
to focus investigations on issues that are important to a successful investigation rather
than issues which appear curious to an outsider.

Often it is the thoroughness of the work undertaken by forensic accountants which tips the
balance in cases. It is now rare for their work to be challenged because of the painstaking
and methodical approach that they take. Yet they are often the most compelling of
witnesses because they are able to distil the facts down to their lowest sensible level and,
when aided by suitable graphics, are able to show the "whole" picture in clear and simple
terms. They are often used in this respect to tie the case together by showing the
movement of money and documents which makes sense of the other factual evidence
which shows why people do what they are doing.

The SFO uses a considerable number of forensic accountants and many external firms at
any one time. This experience aids both them and the SFO. They get excellent
experience and an appreciation of the criminal process and the SFO gets a cadre of
persons who understand what it wants when it does get involved in cases.

Another key component of the team is the forensic computer and IT experts, who
decipher, explore, and recover computer material.

Finally, of course, there are the lawyers: the SFO case controller (lawyer) responsible for
the direction of the investigation and then throughout the prosecution, supported by
assistant case controllers and investigation lawyers.

And Counsel appointed to prosecute in the Crown Court, who is generally involved early in
the life of the case.

Bad Cellular

It turns out it was all just a case of cellular static:

The Arthur Andersen partner was on his cell phone when he said "Ship the Enron
documents to the Feds."

But his secretary heard "Rip the Enron documents to shreds."

The rest is history - how clear is YOUR cellular?!

What is Fraud

Occupational Fraud is defined as:

“The use of one’s occupation for personal enrichment, through the deliberate misuse or
misapplication of the employing organisation’s resources or assets.” Fraud encompasses
an array of irregularities and illegal acts characterized by intentional deception.

ISA 240, the international accounting standard on auditing, defines fraud
as: “An intentional act by one or more individuals among
management, those charged with corporate governance, employees or
third parties, involving the use of deception to obtain unjust or illegal
advantage”, while it defines error as: “An unintentional misstatement in
the financial statements including the omission of an amount or
disclosure”.

The five elements of fraud are:

• A representation about a material fact, which is false,

• And made intentionally, knowingly, or recklessly,

• Which is believed,

• And acted upon by the victim,

• To the victim’s damage.

Fraud, like other crime, can best be explained by three factors:

1) A supply of motivated offenders;

2) The availability of suitable targets;

3) The absence of capable guardians or a control system to “mind the store.”

There are four elements that must be present for a person or employee to commit fraud:

• Opportunity

• Low chance of getting caught

• Rationalization in the fraudster’s mind, and

• Justification that results from the rationalization.

Facts about Fraud

According to the ACFE Report to the Nation on Occupational Fraud and Abuse, U.S.
businesses will lose an estimated $652 billion in 2006 due to fraud. The average
organization loses 5 percent of revenue to fraud and abuse. In addition, based on the
ACFE’s survey of more than 1,100 occupational fraud cases, approximately 24 percent of
these cases resulted in losses of $1 million or more.

Collusion: This ranges from employees describing goods as damaged so they can
benefit, to employees colluding to falsify accounting evidence so that they can deceive
external bodies such as auditors, shareholders or banks.

Customer Fraud: A customer pays with stolen cheques or credit cards. A more
sophisticated fraudster may make and pay for a number of small purchases to build up a
credit rating and then place a large order they do not intend to pay for.

Phantom Employee: The fraudster fails to notify the payroll department when an
employee leaves the firm, or notifies the payroll department of a fictitious employee and
then arranges for the salary to be paid into their bank account or that of an accomplice.

Supplier Fraud: Most commonly an employee creates a fictitious supplier with a similar
name to an existing supplier, and then arranges for the payment of its invoices.
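
The phantom-employee and supplier-fraud schemes described above each leave a trace that can be tested for in master data. The following is an added example, not part of the original course material: all records, field names, function names and the 0.85 similarity threshold are constructed assumptions for illustration.

```python
"""Added illustration: data tests for phantom employees and lookalike suppliers."""
import re
from collections import defaultdict
from datetime import date
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample data (hypothetical; not from any real case).
VENDORS = [
    {"id": "V001", "name": "Northgate Office Supplies Ltd", "bank": "20-11-45 10334455"},
    {"id": "V002", "name": "Harlow Freight Services", "bank": "20-11-45 20998877"},
    {"id": "V003", "name": "Northgate Office Supply Limited", "bank": "40-02-17 77881234"},
    {"id": "V004", "name": "Pennine Catering Co", "bank": "09-01-28 55660011"},
]
HR_MASTER = {
    "E100": {"name": "A. Clarke", "left_on": None},
    "E101": {"name": "B. Osei", "left_on": date(2008, 6, 30)},
    "E102": {"name": "C. Patel", "left_on": None},
}
PAYROLL_RUN = [
    {"emp_id": "E100", "pay_date": date(2008, 9, 26), "bank": "30-90-11 00112233"},
    {"emp_id": "E101", "pay_date": date(2008, 9, 26), "bank": "30-90-11 00445566"},
    {"emp_id": "E102", "pay_date": date(2008, 9, 26), "bank": "60-01-22 00778899"},
    {"emp_id": "E999", "pay_date": date(2008, 9, 26), "bank": "60-01-22 00778899"},
]

# Legal-form tokens carry no identity, so they are dropped before comparison.
LEGAL_SUFFIXES = {"ltd", "limited", "plc", "inc", "co", "company", "llp"}


def normalize_name(name):
    """Lower-case, strip punctuation and legal suffixes from a supplier name."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def lookalike_suppliers(vendors, threshold=0.85):
    """Return (id_a, id_b, score, banks_differ) for supplier pairs with near-identical names.

    A near-identical name paid into a different bank account matches the
    fictitious-supplier pattern and deserves a look at who created the record.
    The threshold is an assumed starting point, to be tuned on real data.
    """
    hits = []
    for a, b in combinations(vendors, 2):
        score = SequenceMatcher(
            None, normalize_name(a["name"]), normalize_name(b["name"])
        ).ratio()
        if score >= threshold:
            hits.append((a["id"], b["id"], round(score, 2), a["bank"] != b["bank"]))
    return hits


def phantom_employee_flags(hr_master, payroll_run):
    """Return sorted (emp_id, reason) flags from comparing payroll against HR records.

    not_in_hr_master    : paid, but HR has no such employee (fictitious employee)
    paid_after_leaving  : paid after the HR leaving date (leaver never notified)
    shared_bank_account : one account receives salary for several employees
    """
    flags = set()
    by_bank = defaultdict(set)
    for row in payroll_run:
        by_bank[row["bank"]].add(row["emp_id"])
        emp = hr_master.get(row["emp_id"])
        if emp is None:
            flags.add((row["emp_id"], "not_in_hr_master"))
        elif emp["left_on"] is not None and row["pay_date"] > emp["left_on"]:
            flags.add((row["emp_id"], "paid_after_leaving"))
    for emp_ids in by_bank.values():
        if len(emp_ids) > 1:
            flags.update((e, "shared_bank_account") for e in emp_ids)
    return sorted(flags)


if __name__ == "__main__":
    for hit in lookalike_suppliers(VENDORS):
        print("supplier pair:", hit)
    for flag in phantom_employee_flags(HR_MASTER, PAYROLL_RUN):
        print("payroll flag:", flag)
```

Both tests depend on the HR and payroll records being maintained by different people; a flag is a prompt for review, not evidence of fraud.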

The Fraud Triangle

The classic model for fraudsters continues to be Other People’s Money: A Study in the
Social Psychology of Embezzlement. The Fraud Triangle is a term which is used to describe
and explain the nature of fraud.

“I want something I don’t have the money for”

While the specific components of each fraud may differ, the fraud triangle may be defined
as this:

Opportunity is an open door for solving a non-shareable problem in secret by violating a
trust.

Opportunity is generally provided through weaknesses in the internal controls. Some
examples include inadequate or no:

• Supervision and review

• Separation of duties

• Management approval

• System controls

The opportunity to commit and conceal the fraud is the only element over which the local
government has significant control.

Pressure may be anything from unrealistic deadlines and performance goals to personal
vices such as gambling or drugs.

The Red Flags for Fraud

Rationalization is a crucial component of most frauds because most people need to
reconcile their behaviour with the commonly accepted notions of decency and trust. Some
examples include:

• “I really need this money and I’ll put it back when I get my pay cheque”

• “I’d rather have the company on my back than the IRS”

• “I just can’t afford to lose everything – my home, car, everything”

Factors Contributing to Fraud

Factors contributing to fraud include the following:

Poor internal controls

Management override of internal controls

Collusion between employees

Collusion between employees and third parties

How is Fraud Discovered?

Occupational fraud can be detected through a number of different methods. The ACFE’s
2006 Survey disclosed that 34.2 percent of frauds were detected through tips, 25.4
percent by accident, and 20.2 percent through internal audits.

What is a Red Flag?

A red flag is a set of circumstances that are unusual in nature or vary from the normal
activity. It is a signal that something is out of the ordinary and may need to be investigated
further. Remember that red flags do not indicate guilt or innocence but merely provide
possible warning signs of fraud.

Why are Red Flags important?

The American Institute of Certified Public Accountants has issued a Statement on Auditing
Standards (SAS) No. 99 - Consideration of Fraud in a Financial Statement Audit - that
highlights the importance of fraud detection. This statement requires the auditor to
specifically assess the risk of material misstatement due to fraud and it provides auditors
with operational guidance on considering fraud when conducting a financial statement
audit. SAS 99’s approach is also valuable for other types of audits.

Being able to recognize red flags is necessary not only for public accountants but also for
any auditor working in the public sector where the potential for fraud to occur exists.

The Importance of Red Flags for Fraud

Studies of fraud cases consistently show that red flags were present, but were either not
recognized or were recognized but not acted upon by anyone. Once a red flag has been
noted, someone should take action to investigate the situation and determine if a fraud has
been committed. Red flags should lead to some kind of appropriate action; however,
sometimes an error is just an error and no fraud has occurred. You need to be able to
recognize the difference and remember that responsibility for follow-up investigation of a
red flag should be placed in the hands of a measured and responsible person.

The Types of Red Flags for Fraud

Now that we have discussed what red flags and fraud are, it is time to talk about the types
of red flags and fraud that, unfortunately, are common in the workplace today.

General Red Flags

What are the red flags that are common to most types of fraudulent activity? Red flags that
are common to most types of fraudulent activity can be categorized as employee and
management red flags. Before we give you examples of employee and management red
flags, it is important to understand more about employee and organizational profiles of
fraud perpetrators. According to the 2006 ACFE survey of more than 1,100 occupational
fraud cases, perpetrators have the following characteristics:

Opportunity Red Flags

• Nobody counts inventory or checks deviations from specifications, so losses are
not known.

• People are given authority, but their work is not reviewed.

• Too much trust and responsibility placed in one employee - improper separation of
duties.

• The petty cash box is left unattended.

• Laptops and digital cameras are left out in the open in unlocked offices.

• Employees that are caught get fired, but aren’t prosecuted.

• Supervisors set a bad example by taking supplies home, borrowing equipment for
personal use, padding their expense reimbursements, not paying for personal
long distance phone calls, not recording leave.

• Monthly financial reports are not reviewed by managers.

• There is no internal audit function.

• There is a perception that it would never be detected.

• Lack of detail in the nominal ledger

During the course of my internal audit review I found that many
expenses had been debited to ‘expense dump’ accounts. For example,
staff bonuses and lunches were being debited to marketing, and were
by-passing the PAYE system.

Fraud Perpetrator Profile:

The majority of occupational fraud cases (41.2 percent) are committed by employees.
However, the median loss for fraud committed by managers was $218,000, which is
almost three times greater than the loss resulting from an employee scheme.

Approximately 61 percent of the fraud cases were committed by men. The median loss
resulting from fraud by males was $250,000, which is more than twice the median loss
attributable to women.

Most fraud perpetrators (87.9 percent) have never been charged or convicted of a crime.
This supports previous research which has found that those who commit occupational
fraud are not career criminals.

Nearly 40 percent of all fraud cases are committed by two or more individuals. The
median loss in these cases is $485,000, which is almost five times greater than the
median loss in fraud cases involving one person.

The median loss attributable to fraud by older employees is greater than that of their
younger counterparts. The median loss by employees over the age of 60 was $713,000.
However, for employees 25 or younger, the median loss was $25,000.

Organizational Profile:

Most costly abuses occur within organizations with less than 100 employees.

Government and Not-for-Profit organizations have experienced the lowest median losses.

Management ignores irregularities.

High turnover with low morale.

Staff lacks training.

Employee Red Flags

• Employee lifestyle changes: expensive cars, jewellery, homes, clothes

• Significant personal debt and credit problems

• Behavioural changes: these may be an indication of drugs, alcohol, gambling, or
just fear of losing the job

• High employee turnover, especially in those areas which are more vulnerable to
fraud

• Refusal to take vacation or sick leave

• Lack of segregation of duties in the vulnerable area

Management Red Flags

• Reluctance to provide information to auditors

• Managers engage in frequent disputes with auditors

• Management decisions are dominated by an individual or small group

• Managers display significant disrespect for regulatory bodies

• There is a weak internal control environment

• Accounting personnel are lax or inexperienced in their duties

• Decentralization without adequate monitoring

• Excessive number of checking accounts

• Frequent changes in banking accounts

• Frequent changes in external auditors

• Company assets sold under market value

• Significant downsizing in a healthy market

• Continuous rollover of loans

• Excessive number of year end transactions

• High employee turnover rate

In one company, there were frequent changes of senior staff based on claims
that they were stealing. It transpired that the MD himself was the
perpetrator and when senior staff got too close to the plot they were
sacked.

• Unexpected overdrafts or declines in cash balances

• Refusal by company or division to use serial numbered documents (receipts)

• Compensation program that is out of proportion

• Any financial transaction that doesn’t make sense - either common or business

• Service Contracts result in no product

• Photocopied or missing documents

• Let your secretary, accounting tech, audit/budget tech, records tech,
administrative assistant do everything.

• Give away your passwords and approval access codes or store them on the
desktop.

• Never look at or verify your monthly financial reports.

• Criticize and disregard institutional policies and procedures

• Management involved in day to day accounting

I was asked to do the accounting in a family company that had seemed
to lose a lot of money, where one of the owners was responsible for the
accounting, and was living a lavish lifestyle in comparison to the other
owners and had now been forced out by the other two family members. I
found that the reason for his lavish lifestyle was the fact there were two
sets of books; he had been invoicing out of two companies, the main one
and a ghost company where he alone was collecting the cash.

Changes in Behaviour “Red Flags”

The following behaviour changes can be “Red Flags” for Embezzlement:

• Borrowing money from co-workers

• Creditors or collectors appearing at the workplace

• Gambling beyond the ability to stand the loss

• Excessive drinking or other personal habits

• Easily annoyed at reasonable questioning

• Providing unreasonable responses to questions

• Refusing vacations or promotions for fear of detection

• Bragging about significant new purchases

• Carrying unusually large sums of money

• Rewriting records under the guise of neatness in presentation

Red Flags in Cash/Accounts Receivable

• Since cash is the asset most often misappropriated, local government officials
and auditors should pay close attention to any of these warning signs.

• Excessive number of voids, discounts and returns

• Unauthorized bank accounts

• Sudden activity in dormant banking accounts

• Taxpayer complaints that they are receiving non-payment notices

• Discrepancies between bank deposits and posting

• Abnormal number of expense items, supplies, or reimbursement to the employee

• Presence of employee checks in the petty cash for the employee in charge of
petty cash

• Excessive or unjustified cash transactions

• Large number of write-offs of accounts

• Bank accounts not reconciled on a timely basis

Red Flags in Payroll

Red flags that show up in payroll are generally worthy of looking into. Although payroll is
usually an automated function, it is a vulnerable area, especially if collusion is involved.

• Inconsistent overtime hours for a cost centre

• Overtime charged during a slack period

• Overtime charged for employees who normally would not have overtime wages

• Budget variations for payroll by cost centre

• Employees with duplicate Social Security numbers, names, and addresses

• Employees with few or no payroll deductions

Red Flags in Purchasing/Inventory

• Increasing number of complaints about products or service

• Increase in purchasing inventory but no increase in sales

• Abnormal inventory shrinkage

• Lack of physical security over assets/inventory

• Charges without shipping documents

• Payments to vendors who aren’t on an approved vendor list

• High volume of purchases from new vendors

• Purchases that bypass the normal procedures

• Vendors without physical addresses

• Vendor addresses matching employee addresses

• Excess inventory and inventory that is slow to turnover

• Purchasing agents that pick up vendor payments rather than have it mailed

• Internal Control Weaknesses – lack of: segregation of duties, physical
safeguards, independent checks, proper authorizations, proper documents and
records, overriding of existing controls.

• Analytical Anomalies – unexplained inventory shortages,

Analytical review showed that petrol costs did not correlate with the number of
vehicles in stock in a car rental company. After further substantive
testing, it was revealed that the company was re-cycling petrol bills via
false petty cash claims.

• Deviations from specifications, increased scrap, excess waste (above industry
standards), purchases in excess of needs.

• Vendor address same as employee address

In a recent assignment I noticed that the gross profit levels were not in
line with the budget. After investigating the production records I noticed
that production wastage was low whereas the finished goods wastage
was circa 10%. Further investigation revealed that stock was sent FOC to
companies on the instruction of the MD.

• Too many voided transactions and returns,

• Unusual cash shortages.

Lifestyle Fraud

Lifestyle Fraud is often committed by trusted employees whom management know well,
so it is important to be on the look out for employee lifestyle issues that may be “red flags”
indicating a fraud risk.

• Some embezzlers are secretive. They don’t want to be caught and will “stash” stolen
funds and be extremely careful with their spending. Other “aspiring” embezzlers want to
use, enjoy, share, and show off their fraudulently gained money. Explanations of “new
found” wealth may include:

“My husband/wife just got a great promotion.”

“I have a few little investments that have been doing really, REALLY well.”

“Great Aunt Ethel passed away and I was totally surprised – she left us quite a nice little
nest egg.”

“I finally decided to get rid of some property that’s been in the family for years.”

Fact: In many cases of fraud, perpetrators openly live beyond their means.

Lifestyle Problem Fraud deals with addictions. Someone who is dependent on drugs,
alcohol, gambling or other addictions typically experiences a slow tightening noose of
financial pressures. Desperation fuels monetary needs and, therefore, the need arises to
“borrow” funds to ease the financial dilemma. Employees with addiction problems may be
tough to spot. Many people with addictions can function at fairly high or normal levels of
behaviour during work hours. Presented are a few patterns to look for:

• Absenteeism

• Regular ill health or “shaky” appearance

• Easily making and breaking promises and commitments

• Series of creative “explanations”

• High level of self absorption

• Inconsistent or illogical behaviour

• Forgetfulness or memory loss

• Family problems

• Evidence of deceit (small or large)

Financial Pressures are faced by everyone at some period of time. For a number of
reasons, perhaps beyond their control, employees may find themselves in financially
stressful situations due to a variety of factors. These may include:

• Medical bills

• Family responsibilities

• A spouse losing a job

• Divorce

• Debt requirements

• Maintaining a current lifestyle

• College tuition fees

• Gambling debts

• Illicit affairs

• High life style

Obviously not everyone who faces undue pressure commits fraud, but the higher the
stress level, the more distracted and desperate an employee may become. Fact:
Researchers conclude that the most common reason employees commit fraud has to do
with motivation – the more dissatisfied the employee, the more likely he or she will engage
in criminal behaviour.

Common Types of Fraud

Fraud perpetrated through absence of proper documentation

• Pilfering stamps
• Stealing of any kind (e.g., cash, petty cash, supplies, equipment, stock, tools, data,
records, etc.)
• Forgery (not just cheque forgery, e.g. forging department head signatures on
purchase orders)

Fraud perpetrated through override of existing controls and for the benefit of the individual

• Falsifying timesheets for a higher amount of pay
• Lapping collections on customers’ accounts (definition is on the last page of the
handout)
• Cheque Kiting (definition is on the last page of the handout)
• Pocketing payments on customers’ accounts, issuing receipts on self-designed
receipt books
• Not depositing all cash receipts (deposits are not “intact”)
• Creating fictitious employees and collecting the pay cheques (impersonation)

A company I worked at used to employ people on piecework. During the
preparation of Management accounts, I noticed that as the sales went
down, there was no significant fall in the production wages. I discovered
that wages were being paid to people that had left.

• Failing to end personnel assignments for terminated employees and collecting the
pay cheques
• Suppressing debit notes from customers

At the start of my career I was involved in credit control for a large
company. The accounts had not been reconciled for some time. As I was
reconciling one of the larger accounts, I noticed that the discrepancy
between our ledger and the customer's was due to a large volume of
debit notes that we had no record of.

We got copies of them and found that they related to pricing
discrepancies. We had no knowledge of any pricing irregularities. It was
later found that the sales representative had the debit notes in his drawer
and had indeed contracted to sell at the lower price, so increasing his
sales and his commissions but reducing our Gross Profit and in some
cases selling at a Gross Loss.

• Paying for personal expenses with business funds
• Seizing checks payable to vendors
• Recording fictitious transactions on the books to cover up theft

A few years ago I was told of a fraud. Fictitious invoices from suppliers
were being posted to suspense/expense accounts; the supplier accounts
were then cleared by payments and set off against cash receipts. The
Fraud went concealed for two years because the relevant accounts did
not show up on the Sage accounting system. The Sage TB did not show
nominal accounts where the balance was zero.

• Unreimbursed personal calls
• Personal purchases on the procurement card
• Inappropriate charges to a travel or account payable voucher
• Theft of inventory items

My management accounts for the Company and analytical review
revealed a difference between the gross profit margin and the costing
information. My management report to the board of Directors
highlighted this and the risk of fraud by staff as well as actions that were
needed to confirm that this was indeed the case and were necessary to
address the issue.

At the time, stock counts were performed at the month end but there
was no gross profit analysis undertaken on a day-to-day basis. There was
no stock system and there were no random counts of stock or formal
method of agreeing the stock system to the physical stock. Although
stock was kept in a locked room, there were times when it was
accessible to other members of staff.

The managing director implemented the recommendations of the
management report:

1. To use the stock module of the company’s accounting programme.

2. To perform random stock counts, agreeing the physical stock to
the data on the company’s stock system.

3. To prepare a daily gross profit report based on sales, comparing
this to the gross profit on the management accounts.

4. To restrict further the access to the stock room.

I revealed that there was fraud and that two engineers were stealing the
stock from the stock room and taking it out via the back of the building.
These engineers were required to resign. Following their resignation, the
gross profit analysis agreed to the gross profit margin on the
management accounts and the firm once again became profitable.

• Theft of cash from deposits
• Falsifying time card with time not worked

Fraud perpetrated through the development of false Financial Statements

The Fraud Section obtained an FCPA guilty plea from a former executive
of an international subsidiary of Willbros Group, Inc., a provider of
engineering and other services to the oil and gas industry, who admitted
that he arranged for payment of approximately $1.5 million in cash in
Nigeria. This payment was part of at least $6 million in corrupt payments
promised to Nigerian officials to obtain and retain gas pipeline
construction business in Nigeria. The defendant also admitted that he
participated in a conspiracy involving the submission of fictitious invoices
to fund corrupt payments to Nigerian officials, as well as a conspiracy to
pay at least $300,000 to Ecuadoran officials to obtain a gas pipeline
rehabilitation project in Ecuador.

Three former senior executives of General Re Corporation and a former
senior executive of AIG were indicted on conspiracy, securities fraud, and
other charges stemming from a scheme to manipulate AIG’s financial
statements through, among other things, false statements in reports
filed with the SEC. The Fraud Section and the USAO for the Eastern
District of Virginia executed an agreement with AIG in which the
company accepted responsibility for its actions, resolved its criminal
liability, and agreed to pay $25 million in penalties and to cooperate with
the continuing criminal investigation.

After doing a stock check of vehicles, the main asset, I discovered a large
discrepancy between the asset values and numbers in the balance
sheet and the physical count. Sales invoices were being suppressed to
reduce VAT, and money being banked into another company as receipts
from insurance claims or elsewhere.

Fraud perpetrated through the misuse of corporate resources

• Use of the Company’s assets for private use (Tools, rooms, and computers and
software)
• Rental of facilities

Statistics relating to lost productivity due to employee cyber-loafing are
well known, but employee misuse of Corporate IT generally, such as
sending and receiving personal e-mails and using computer applications
for personal purposes, is equally important.

The potential for corporate and company liability stemming from
employee misuse of Corporate IT and at the very least, adverse publicity,
is a serious issue. In one recent example in the Banking sector, one
senior executive misused Corporate IT to access web sites relating to
services offered in a foreign jurisdiction where such services were legal.
The resulting bad publicity was arguably as damaging for the company’s
reputation as a direct financial loss such as internal fraud.

There are many cases of people installing office software on home PCs
without prior agreement from the Company.

Fraud perpetrated through third party intervention

• Increasing vendor invoices through collusion
• Billing for services not rendered and collecting the cash

Fraud perpetrated through false revenue recognition

These sales frauds may also involve collusion between the salespeople and the customer,
or the customer may be another victim. In each of these frauds, however, the ultimate
victim is always the trading entity that employs the manager or the salesperson.

Eric Milne's article, "Damned If You Do or Damned If You Don't?" (Credit
Management in Australia, December 2005, pages 20-21), provides us
with an example of one sales fraud. Eric's topic was focused on phoenix
operators. However, as an unintended bonus, this article also provides us
with an insight on how sales fraud is perpetrated.

Eric's story shows how credit managers are often encouraged by
management and sales managers to open new accounts. However, like
Eric, they are not always given all the details of the new trading terms. In
Eric's situation, the directors of this new business account had operated
another business, which was in liquidation, and had left Eric's business
with a large debt. Subsequently, this new business also went into
liquidation and Eric's business was left with another debt, to the same
directors.

In this case, a sales fraud was perpetrated by the national sales
manager, and possibly the managing director, against the entity that
employed them. They had negotiated a new trading relationship where
the complete terms were not openly known to other employees, such as
Eric, who had a right to know before the new account was authorized.

The motive for their actions was that these managers would have
benefited personally from the increased sales from the new account. Eric
certainly didn't benefit, but was in fact, penalized by the extra work
required to clean up the mess created by others.

Fraud perpetrated through derivatives - reason unknown

Kerviel, 31, a junior trader at France's second biggest bank Société
Générale, is in hiding after he cost his employers €4.9bn in the biggest-ever
trading fraud by a single person. His staggering scheme of fictitious
customer accounts caused five times the damage of rogue trader Nick
Leeson who sparked the collapse of Barings bank in 1995. The French
bank says family problems and mental fragility led its rogue trader to
squander €4.9bn in a succession of illegal deals.

• Conflicts of Interest
• Nepotism
• Breach of Duty
• Favouritism

Other Fraud Danger Signals

• No supporting documentation for adjusting entries
• Incomplete or untimely bank reconciliations
• Increased customer complaints
• Write-offs of inventory or cash shortages with no attempt to determine the cause

Company Policy must require all cash shortages and other discrepancies
to be signed off by a departmental head

• Unrealistic performance expectations
• Rumours of conflicts of interest

Two consultants who openly argued with each other in a company, and
showed a complete resentment for each other surprised everyone. They
handed their notices in together and set up in competition to the
Company.

• Using duplicate invoices to pay vendors
• Frequent use of sole-source procurement contracts
• Frequent use of journals
• Lots of deleted transactions
• Duplicate invoices
• Missing delivery note books (indicative of sales of stock for cash)
• Inactive customer accounts

A member of staff had problems with his computer. While the in-house
office manager was fixing his PC, she discovered that he had been
raising personal invoices to a customer who had been inactive.

Next Steps

Being aware of red flags is only step one and is usually not enough for the local
government. Once a red flag is identified, you must take action to determine its
effect. Evaluating the red flag may be accomplished by financial analysis,
observation or by any other technique that tests an apparent weakness. Once the
analysis is complete it’s time to move on to correct the situation.

Evaluating Red Flags

What is the effect on the business at hand? Sometimes red flags that have no
financial impact may not require a change in procedure. Remember though, that a
red flag is a warning that something is or could be wrong. If you discover fraud,
then an investigation is usually the next step. If it is just an error, then
steps should be taken to correct the error and a procedure or follow up should be
initiated to prevent it from occurring again. Financial analysis has several
applications when red flags are present. The most common is to determine what
effect it has on the conduct of the local government. For example, what is the
potential as well as the historical loss as the result of the red flag? What is the cost
to prevent a potential loss from occurring and what will it cost to recoup the
identified loss?

Use of Computers and red flags

COMPUTER-ASSISTED TECHNIQUES FOR FRAUD DETECTION

Computer technology gives auditors a new set of techniques for examining the
automated business environment. In fact, the detection of fraud is a perfect
application for computer-assisted audit tools and techniques (CAATTs).

As early as 1982 CAATTs was a powerful audit tool for detecting financial errors.
In recent years, analytical techniques have become not only more powerful but
also more widely used by auditors. But it is only in the last 10 years that the use of
computer-assisted tools and auditing techniques has become standard practice.

Audit software permits auditors to obtain a quick overview of the business
operations and drill down into the details of specific areas of interest. The audit
program can also be extended to perform a 100% verification of certain
transactions and a recalculation of important ratios and figures.

Audit software can highlight those individual transactions or red flags that
contain characteristics often associated with fraudulent activity. With audit
software, millions of files can be examined, previous years' data can be used to
identify anomalies, and comparisons can be made between different locations.
Also, computer-based data analysis tools can prove invaluable when addressing
suspected fraud situations.

The techniques and types of data interrogations in modern audit software are
almost unlimited. For example, audit software has many commands that support
the auditor's requirement to review transactions for fraud such as the existence of
duplicate transactions, missing transactions, and anomalies. Some examples of
these routines/reports that will highlight red flags include--

* comparing employee addresses with vendor addresses to identify employees that
are also vendors;

* searching for duplicate check numbers to find photocopies of company checks;

* searching for vendors with post office boxes for addresses;

* analyzing the sequence of all transactions to identify missing checks or invoices;

* identifying vendors with more than one vendor code or more than one mailing
address;

* finding several vendors with the same mailing address; and

* sorting payments by amount to identify transactions that fall just under financial
control or contract limits.

* Patterns such as negative entries in inventory received fields, voided transactions
followed by "No Sale," or a high percentage of returned items

* Taxpayer complaints

* A listing that compares actual vs. budgeted expenditures for employee
reimbursements of expenses to determine unusual patterns

* Duplicate or non-existent Social Security numbers for employees or vendors

* Unusual patterns of overtime payments
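Several of the routines listed above can be sketched in a few lines of Python. This is an added example, not part of the handout or of any audit package; the employee, vendor and payment records are constructed, and the 5,000 approval limit and 5% margin are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the handout).
EMPLOYEES = [
    {"id": "E01", "name": "A. Clerk", "address": "12 High Street, Flat 2, Leeds"},
    {"id": "E02", "name": "B. Buyer", "address": "7 Mill Lane, York"},
]
VENDORS = [
    {"code": "V100", "name": "Northern Paper Ltd", "address": "Unit 4, Dock Rd, Hull"},
    {"code": "V101", "name": "MB Supplies", "address": "7 MILL LN., YORK"},
    {"code": "V102", "name": "Quick Print", "address": "P.O. Box 881, Leeds"},
    {"code": "V103", "name": "Q-Print Services", "address": "PO BOX 881 Leeds"},
]
PAYMENTS = [  # (check number, vendor code, amount)
    (5001, "V100", 1250.00),
    (5002, "V101", 4990.00),
    (5003, "V102", 310.40),
    (5003, "V103", 310.40),   # same check number used twice
    (5006, "V101", 4975.00),  # 5004 and 5005 are missing from the sequence
    (5007, "V100", 5200.00),
]
APPROVAL_LIMIT = 5000.00  # assumed financial control limit

ABBREVIATIONS = {"street": "st", "road": "rd", "lane": "ln", "avenue": "ave"}


def normalise_address(address):
    """Lower-case, strip punctuation and abbreviate street types so that
    '7 Mill Lane, York' and '7 MILL LN., YORK' compare equal."""
    words = re.sub(r"[^a-z0-9 ]", " ", address.lower()).split()
    text = " ".join(ABBREVIATIONS.get(w, w) for w in words)
    return re.sub(r"\bp o box\b", "po box", text)  # 'P.O. Box' -> 'po box'


def employees_who_are_vendors(employees, vendors):
    """(vendor code, employee id) pairs that share a normalised address."""
    by_address = defaultdict(list)
    for e in employees:
        by_address[normalise_address(e["address"])].append(e["id"])
    return [(v["code"], emp_id)
            for v in vendors
            for emp_id in by_address.get(normalise_address(v["address"]), [])]


def po_box_vendors(vendors):
    """Vendors whose only address is a post office box."""
    return [v["code"] for v in vendors
            if re.search(r"\bpo box\b", normalise_address(v["address"]))]


def vendors_sharing_address(vendors):
    """Groups of vendor codes registered at the same mailing address."""
    groups = defaultdict(list)
    for v in vendors:
        groups[normalise_address(v["address"])].append(v["code"])
    return sorted(codes for codes in groups.values() if len(codes) > 1)


def duplicate_check_numbers(payments):
    """Check numbers that appear on more than one payment."""
    seen = defaultdict(list)
    for number, vendor, amount in payments:
        seen[number].append((vendor, amount))
    return {n: uses for n, uses in seen.items() if len(uses) > 1}


def missing_check_numbers(payments):
    """Gaps in the check number sequence between the lowest and highest used."""
    numbers = {n for n, _, _ in payments}
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]


def just_under_limit(payments, limit, margin=0.05):
    """Payments within `margin` below the limit, largest first."""
    floor = limit * (1 - margin)
    hits = [p for p in payments if floor <= p[2] < limit]
    return sorted(hits, key=lambda p: p[2], reverse=True)


if __name__ == "__main__":
    print("Employee/vendor address matches:", employees_who_are_vendors(EMPLOYEES, VENDORS))
    print("PO box vendors:", po_box_vendors(VENDORS))
    print("Shared vendor addresses:", vendors_sharing_address(VENDORS))
    print("Duplicate check numbers:", duplicate_check_numbers(PAYMENTS))
    print("Missing check numbers:", missing_check_numbers(PAYMENTS))
    print("Just under limit:", just_under_limit(PAYMENTS, APPROVAL_LIMIT))
```

Each hit is a red flag to follow up against source documents, not proof of fraud; address matching in particular depends on how well the normalisation fits the organisation's own master data.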

Audit software can be used to interrogate a company's data files and identify data
patterns that may indicate fraudulent activity. Auditors can use
these data patterns to develop a "fraud profile" early in their review of operations.
The patterns can function as auditor-specified criteria; and transactions fitting the
fraud profile can trigger auditor reviews. Systems can even be built to monitor
transactions on an ongoing basis. Continuous monitoring is a proactive approach
to the early detection of fraud.

Computerized techniques and interactive software can help auditors focus their
efforts on the areas of greatest risk. Auditors can choose to exclude low risk
transactions from their review and to focus on those transactions that contain a
higher probability of fraud.

Audit software also provides auditors with the ability to extract information from
several files, with different database management systems, in order to search for
underlying patterns or relationships among data. For example, reviewing data
from the accounts payable and the contracting databases may reveal a
concentration of contracts with one vendor all initiated by the same contracting
officer, leading to concerns about possible kickbacks.

Today's audit software makes "what if" analysis easy to formulate and perform.
Auditors can form an initial hypothesis, test that hypothesis, and revise it as
necessary based on the results of interactive analyses.

Computerized techniques can assist the auditor in identifying symptoms early in
the life of a fraud. This will serve to reduce the negative impact of many frauds--
before millions of dollars are lost or goodwill is destroyed. Automated routines
that monitor key symptoms and track trends can be a major deterrent of fraud,
preventing some fraudulent activities and identifying fraud almost as soon as it
occurs.

Fraud Detection Using Digital Analysis

A growing area of fraud prevention and detection involves the examination of
patterns in data. The rationale is that unexpected patterns can be symptoms of
fraud. A simple example of the application of this technique is a search for
duplicate transactions, such as identical invoice or vendor numbers for the same
amount.

The existence of duplicates would be an unexpected pattern in the data and
indicate possible fraud.

Another simple digital analysis technique is to search for invoices with even
sterling/dollar amounts, such as 200.00 or 5,000.00. The existence of particular
even amounts may be a symptom of fraud and should be examined.

Case Study: Even Amounts

Travel expenses had always been a concern for the auditors of X
Company since it was an area where the controls were weak. Employees
had a maximum per diem rate when travelling but had to submit
receipts to cover the actual expenses. Maximums were also established
for meals: breakfast $10.00, lunch $20.00, dinner $30.00, and hotel
lodging $100.00. The auditors configured the audit software to identify
meal expenses that were multiples of $10.00. These transactions were
compared to receipts to ensure that the amounts expensed were
appropriate. A detailed review determined that many travellers were
charging the maximum rates for meals even though their receipts did
not justify the amounts.

Case Study: Doctored Bills

The auditors reviewed the patient billing system at Company Y to
determine if the appropriate charges were being assessed by health care
providers. An initial analysis of the data was performed to calculate the
ratio of the highest and lowest charges for each procedure. A judgment
was made that procedures with a max/min ratio of greater than 1.30 be
noted and subjected to additional review.

For a particular quarter, three procedures had ratios higher than 1.30,
the highest being 1.42. A filter was used to identify the records related to
the three procedures in question, and additional analysis was performed.
This quickly determined that one doctor was charging significantly more
than the other doctors for the same procedures. A comparison of
charges from the billing system with payments in the accounts
receivable system revealed that the doctor was skimming off the patient
payments. The amount recorded in the receivable system was in line
with the usual billing amount for the procedures. The doctor was unable
to justify the higher prices or explain the difference in the billing and the
receivable systems.

The third ratio compares data from different years, departments or
operating areas, and the like. For example, the ratio of last year's
purchases to current year's purchases for each supplier can point to
symptoms of fraud such as kickbacks in the contracting section. If the
total purchases from a supplier have gone from $100,000 to $400,000--a
ratio of 4.0--further analysis may be in order.

Case Study: Contracting Kickbacks

Jonathan, one of the contracting officers, had devised a great win/win
kickback scheme. The auditors decided to use digital analysis as part of
their review of the contracting section. One of the analyses calculated
the total contract amount by supplier for each of the past two years. A
ratio of current year to previous year was calculated and the minimum,
maximum, average, and highest and lowest five ratios were displayed.
While the average was close to 1.0, the highest and lowest five values
showed that some companies had significant decreases in business,
while others had experienced significant increases in business.

The auditors reviewed the details of all companies that had a ratio of less
than 0.7 or more than 1.30. Totals were calculated by a contracting
officer. For companies with an increase in business, the results revealed
that Jonathan had raised many of the contracts. In comparison, Jonathan
had raised no contracts with the companies that had seen a decrease in
business. The auditors learned of Jonathan’s kickback scheme when they
interviewed salesmen from the companies that had ratios less than 0.7.
Interviews with salesmen from the firms that had increased sales by 1.30
or more added credence to the fraud accusations. Both groups of
salesmen said that they were told they would only get business if they
paid Jonathan a kickback.
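The two ratio tests used in the Doctored Bills and Contracting Kickbacks case studies can be reproduced as follows. This is an added example, not the auditors' own software; the billing and contract records, the years and the officer names other than Jonathan are constructed, while the 1.30 and 0.7 thresholds are the ones quoted in the case studies.

```python
from collections import defaultdict

# Constructed sample data (not from the handout); years and amounts are invented.
BILLING = [  # (procedure, doctor, charge)
    ("X-ray", "Dr A", 100.0), ("X-ray", "Dr B", 104.0), ("X-ray", "Dr C", 142.0),
    ("Cast", "Dr A", 250.0), ("Cast", "Dr B", 255.0), ("Cast", "Dr C", 260.0),
]
CONTRACTS = [  # (year, supplier, contracting officer, amount)
    (2007, "Alpha", "Smith", 100_000), (2008, "Alpha", "Jonathan", 400_000),
    (2007, "Beta", "Smith", 200_000), (2008, "Beta", "Smith", 210_000),
    (2007, "Gamma", "Lee", 300_000), (2008, "Gamma", "Lee", 150_000),
    (2007, "Delta", "Lee", 80_000), (2008, "Delta", "Jonathan", 160_000),
]


def max_min_ratios(billing):
    """Ratio of the highest to the lowest charge for each procedure."""
    charges = defaultdict(list)
    for procedure, _, charge in billing:
        charges[procedure].append(charge)
    return {p: max(c) / min(c) for p, c in charges.items() if min(c) > 0}


def procedures_to_review(billing, threshold=1.30):
    """Procedures whose max/min ratio exceeds the review threshold."""
    return sorted(p for p, r in max_min_ratios(billing).items() if r > threshold)


def highest_charger(billing, procedure):
    """Doctor with the highest single charge for one procedure."""
    rows = [(charge, doctor) for proc, doctor, charge in billing if proc == procedure]
    charge, doctor = max(rows)
    return doctor, charge


def supplier_ratios(contracts, previous, current):
    """Current-year total divided by previous-year total for each supplier.
    Suppliers with no previous-year business have no ratio and need a
    separate new-vendor review."""
    totals = defaultdict(lambda: defaultdict(float))
    for year, supplier, _, amount in contracts:
        totals[supplier][year] += amount
    ratios = {}
    for supplier, by_year in totals.items():
        if by_year.get(previous):
            ratios[supplier] = by_year.get(current, 0.0) / by_year[previous]
    return ratios


def officers_behind_outliers(contracts, previous, current, low=0.7, high=1.30):
    """Current-year contract value per officer, split between suppliers whose
    business rose above `high` and suppliers whose business fell below `low`."""
    ratios = supplier_ratios(contracts, previous, current)
    increased = {s for s, r in ratios.items() if r > high}
    decreased = {s for s, r in ratios.items() if r < low}
    summary = defaultdict(lambda: {"increased": 0.0, "decreased": 0.0})
    for year, supplier, officer, amount in contracts:
        if year != current:
            continue
        if supplier in increased:
            summary[officer]["increased"] += amount
        elif supplier in decreased:
            summary[officer]["decreased"] += amount
    return {officer: dict(split) for officer, split in summary.items()}


if __name__ == "__main__":
    for procedure in procedures_to_review(BILLING):
        print(procedure, max_min_ratios(BILLING)[procedure], highest_charger(BILLING, procedure))
    print(supplier_ratios(CONTRACTS, 2007, 2008))
    print(officers_behind_outliers(CONTRACTS, 2007, 2008))
```

In the constructed data one officer appears only against suppliers whose business increased, which is the pattern that led the auditors to the interviews described above.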

Case Study: Signing Authority

The auditors for Z Company were investigating possible fraud in the
contracting section, where thousands of contracts were raised every
month. They used Benford's Law to examine the first two digits of the
contract amount. The results of their analysis revealed that the digits 49
were in the data more often than expected.

Classifying on the contracting officer for all contracts with 49 as the first
two digits determined that the contracting manager was raising
contracts for $49,000-$49,999 to avoid contracting regulations. Contracts
under $50,000 could be sole-sourced; contracts greater than $50,000
had to be submitted to the bidding process. He was raising contracts just
under the financial limit and directing them to a company owned by his
wife.
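The first-two-digits test from the Signing Authority case study, as an added example that is not the auditors' own software. Benford's Law gives the expected share of amounts starting with digits d (10 to 99) as log10(1 + 1/d); the contract data, the officer labels and the 1.96 z-score cut-off are assumptions made for the illustration.

```python
import math
from collections import Counter


def first_two_digits(amount):
    """Leading two digits of an amount of at least 10. Integer arithmetic is
    used so that 49,999.99 yields 49 (rounding would turn it into 50)."""
    n = int(amount)
    if n < 10:
        raise ValueError("amount must be at least 10")
    while n >= 100:
        n //= 10
    return n


def benford_expected(d):
    """Benford probability that the first two digits are d (10..99)."""
    return math.log10(1 + 1 / d)


def excess_digit_pairs(amounts, z_threshold=1.96):
    """Digit pairs that occur significantly MORE often than Benford predicts.
    Returns (digits, observed count, expected count, z) rows, largest z first."""
    n = len(amounts)
    counts = Counter(first_two_digits(a) for a in amounts)
    flagged = []
    for d in range(10, 100):
        p_exp = benford_expected(d)
        p_obs = counts[d] / n
        if p_obs <= p_exp:
            continue
        # z-statistic with a continuity correction of 1/(2n)
        z = (p_obs - p_exp - 1 / (2 * n)) / math.sqrt(p_exp * (1 - p_exp) / n)
        if z > z_threshold:
            flagged.append((d, counts[d], round(p_exp * n, 1), round(z, 1)))
    return sorted(flagged, key=lambda row: row[3], reverse=True)


def classify_by_officer(contracts, digits):
    """Count contracts with the given leading digits per contracting officer."""
    return Counter(officer for officer, amount in contracts
                   if first_two_digits(amount) == digits)


def build_sample():
    """Constructed data: 2,000 contracts spread log-uniformly between 1,000 and
    1,000,000 (such data follows Benford's Law), plus 60 contracts raised by
    one manager between 49,000 and 49,999."""
    officers = ["Officer A", "Officer B", "Officer C", "Officer D"]
    contracts = [(officers[i % 4], 10 ** (3 + 3 * (i + 0.5) / 2000))
                 for i in range(2000)]
    contracts += [("Manager", 49_000 + 16 * j) for j in range(60)]
    return contracts


if __name__ == "__main__":
    contracts = build_sample()
    for digits, observed, expected, z in excess_digit_pairs([a for _, a in contracts]):
        print(f"digits {digits}: observed {observed}, expected {expected}, z = {z}")
        print("  by officer:", classify_by_officer(contracts, digits).most_common(3))
```

Benford's Law only fits data that spans several orders of magnitude and has no built-in minimum or maximum, so the test should be checked against a known-clean period before its flags are relied on.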

Use of Direct Observation to detect red flags

Direct observation is the method of choice to determine the effect a red flag has on
an organization. For example, if analysis of overtime for an area suggests that one
person is falsifying time cards, observing the person’s start and stop times is
important. Observation is also useful when employee lifestyle changes are noted,
or to get an understanding of how an area works. Does the employee in fact drive
a new Jaguar on a salary that clearly wouldn’t support it? Whether it is fraud or an
error, action should be taken to prevent the act from occurring again.

Reporting Fraud

In today’s environment, it is essential that local governments have policies and
procedures in place for reporting irregularities and/or suspected fraud. These
policies and procedures need to be clearly communicated to all employees and
reviewed periodically to ensure that they still make sense. In addition to having
policies and procedures in place, employees should be able to communicate red
flags with the appropriate personnel without being concerned for their jobs or
some type of retaliation. If possible, some type of anonymous form should be
developed for employees to fill out. Just remember, the
ACFE’s 2006 Survey disclosed that approximately 34.2 percent of frauds were
detected through tips.

Conclusion

Red flags are warnings that something could be or is wrong. Auditors, employees,
and management need to be aware of red flags in order to monitor the situation
and then take corrective action as needed. Employees who notice that red flags are
ignored may mistakenly believe that it is okay to game the system or that they
won’t get caught. A little fraud soon becomes a large one if left to grow.

Week 2 – Day 1 – 13th October

Internal Accounting and Operational Controls and Fraud

Internal control structure

Common Factors

There are internal control weaknesses that are common elements of fraud or
embezzlement and we must make necessary revisions to internal controls:

Lack of board approved policies - for areas such as lending, investing, borrowing, and
operating expenses;

Lack of segregation of duties - concentrating the control over all phases of a transaction in
one dominant controlling manager, often a single person operation;

Lack of mandatory vacation policy - embezzlements usually require the embezzler's ongoing
attention; therefore, policies that require managers and employees to take at least
one and preferably two weeks' vacation (not a day here and there) reduce the risk
of embezzlements;

Failure to maintain adequate audit trails - audit trails enable the tracing of any given item
through the credit union's books;

Incomplete or inadequate audits or verifications - audits (required at least annually) and
verifications (required at least every two years) must be performed in a timely manner,
under controlled conditions, and independent of credit union management and staff;

Inactive supervisory committees - the committee is the most important single element in
the internal control structure;

Repeated record keeping problems - inaccurate or incomplete records are often used to
hide fraud;

Manipulated bank reconcilements - hides problems from casual review;

Failure to review standard computer reports;

Fictitious loan or share accounts;

Cost of funds far exceeding average stated dividend rates;

Yield on loans far less than stated loan rate in credit unions with low delinquency;

Yield on investments well below the coupon rates; and

Excessive and unexplained operating expense ratios.

Alternative Testing Procedures

Fraud and embezzlement schemes are not solely a problem of larger credit unions. In
fact, the very size of small credit unions creates opportunities for a weak internal control
structure and fraud. Officials of smaller credit unions must work within their organizations
to develop methods that will safeguard their members' accounts and reduce the
opportunity for fraud. Suggested reviews and alternative testing methods that the
supervisory committee members or someone independent of the credit union staff should
perform include:

Review of the negative shares report;

Review of un-posted items report;

Review of maintenance reports showing loan due date changes - unwarranted changes to
loan due dates may disguise a fictitious loan or loans not receiving regular payments;

Review of reports showing loans by interest rate - reveals unusually low loan rates;

Review of general ledger suspense accounts - generally used to temporarily "store" a
transaction until all necessary information is available, but can also be used to hide an
unauthorized transaction; and

Review of the reconciliation of cash receipts to cash deposits - daily receipts should be
promptly deposited in amounts readily traceable to the bank deposits.

Conclusion

Internal audit officials are responsible for implementing a system of sound internal controls
and for ensuring that the controls are regularly followed by management and staff.
Although fraud may be uncovered, the annual audit and regulatory examination are not
intended to detect fraud.

The purpose of internal controls is not to entrap employees; rather, good internal controls
provide a working environment in which good employees are not tempted to do something
they would not ordinarily do.

The controls are often monitored by the internal auditing department. Companies that
initiate and consistently follow basic internal controls are less likely to experience fraud
and embezzlement than those whose internal controls are weak.

Internal Controls

Types of Controls

Internal controls may be:

• Preventive - designed to keep errors or irregularities from occurring

• Detective - designed to detect errors or irregularities that have already occurred.

• Corrective - designed to correct errors or irregularities that have been detected.

Who is Responsible for Internal Control?
The organization’s leadership is ultimately responsible. Everyone in an organization plays
some role in effecting control. All personnel should be responsible for communicating
problems in operations, deviations from established standards, and violations of policy or
law. Auditors contribute to the effectiveness of controls, but they are not responsible for
establishing or maintaining them.

Five Components of an Integrated System of Internal Controls

An effective system of internal controls requires:

• All 5 components working together: Control Environment, Risk Assessment, Control
Activities, Information & Communication, Monitoring

• Everyone in the organization playing an active role.

Internal Controls are Everyone’s Business!

Control Environment

• Ethical tone established by management; foundation for all other components; “tone at
the top” (soft controls). Factors include:

• Integrity & Ethical Values – must be clearly communicated, in writing and by example.

• Commitment to Competence

• Management Philosophy & Operating Style

• Organizational Structure

• Human Resource Policies & Procedures – practices related to hiring, training, evaluation,
promoting, compensating, etc.

How do you Evaluate Soft Controls? Subjective - the only valid measure of their
effectiveness may be employees’ perceptions. Most modern internal control evaluation
practices have a strong element of self-assessment.

Risk Assessment

• Mechanism to identify, analyze and manage risks faced by the institution.

• Internal Factors-new personnel, new computer systems/processes, low morale.

• After risks have been identified, they must be analyzed - assess the likelihood of the risk
occurring; estimate the impact of a risk if it does occur; consider how to manage the risk.

• We cannot anticipate every potential risk.

Control Activities

Policies (what should be done) and procedures (how it should be done) designed to help
ensure that objectives are achieved.

(Hard controls) Types of control activities:

• Transaction Approvals, Authorizations, Verifications

• Reconciliations

• Performance reviews, benchmarking, trend analysis

• Physical controls - restrict access to equipment, conduct inventories, secure/count cash,
etc.

• Segregation of Duties - different people should be responsible for: authorizing
transactions; recording transactions (accounting); handling the related assets (custody);
monitoring transactions (reconciling, verifying).

Information Systems (Soft Controls) – general controls and application controls.

• Segregation of duties within IT environment

• Backup and recovery policies & procedures

• Program development & documentation controls

• Hardware / access controls (i.e. passwords)

• Virus detection software

• Firewalls

Application controls:

• Input controls (authorization, validation, error notification – i.e. field checks, limit
checks, sequence checks)

• Processing controls – batch totals, audit trails

• Output controls – listing of master file changes, error listings

Information & Communication

To be able to provide data that is accurate, detailed, understandable and in usable form to
the right people in time to allow appropriate action.

• Up & down the organization – clear messages from the top regarding philosophy,
objectives and policies, and a means for personnel to communicate upstream.

• Across the organization – individuals and departments sharing information across
organizational lines.

Monitoring

Assessing the quality of performance over time and making any necessary modifications.
Activities include: management review of financial reports for propriety and trends; self
assessments, internal audits and external reviews to report and correct deficiencies.

Limitations of Internal Controls

Judgement - decisions are made by humans, often under pressure and time constraints,
based on information at hand.

Breakdowns - employees may not understand instructions or may simply make mistakes.
Errors may result from new systems and processes.

Management Override - high level personnel may be able to override prescribed policies
and procedures.

Collusion - two or more individuals, working together, may be able to circumvent controls.

Cost vs. Benefit - The risk of failure and the potential effects must be weighed against the
cost of establishing controls.

Balancing risk and Internal Controls

Not having an effective balance may cause:

“Too little” means Excessive Risks

• Loss of Assets, Donors, Grants & Contracts, State funding

• Poor Business Decisions

• Non compliance with laws & regulations

• Increased Regulations

• Public Scandals

“Too much” means business may be hampered because of Excessive Controls

• Increased Bureaucracy

• Increased Complexity

• Increased Cycle Time

• Increase in Non-Value Added Activities

• Reduced Productivity

Internal Operational Controls

A Definition

In accounting and organizational theory, Internal control is defined as a process effected
by an organization's structure, work and authority flows, people and management
information systems, designed to help the organization accomplish specific goals or
objectives. It is a means by which an organization's resources are directed, monitored,
and measured. It plays an important role in preventing and detecting fraud and protecting
the organization's resources, both physical (e.g., machinery and property) and intangible
(e.g., reputation or intellectual property such as trademarks). At the organizational level,
internal control objectives relate to the reliability of financial reporting, timely feedback on
the achievement of operational or strategic goals, and compliance with laws and
regulations. At the specific transaction level, internal control refers to the actions taken to
achieve a specific objective (e.g., how to ensure the organization's payments to third
parties are for valid services rendered.) Internal control procedures reduce process
variation, leading to more predictable outcomes. Internal control is a key element of the
Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes-Oxley Act of 2002, which
required improvements in internal control in United States public corporations. Internal
controls within business entities are also called business controls.

Internal controls have existed from ancient times. In Hellenistic Egypt there was a dual
administration, with one set of bureaucrats charged with collecting taxes and another with
supervising them.

Specific Controls

Management should consider implementing a variety of specific measures to mitigate or
limit operational risks, such as authentication and encryption techniques to ensure the
authenticity of the payer and payee as well as prevent unauthorized access to information
in transit; and edit checks and automated balancing to verify the integrity of the information
relative to the payment order and funds transfer transaction. Additional controls include the
use of certified tamper resistant equipment, logical access controls to verify transactions,
verification of account balances, and the logging of all transactions and attempts to make
a transaction.

Additional internal control measures that management should employ to mitigate
wholesale payment system risk include:

Supervisory

• The procedures for dealing with new suppliers must require them to be screened
thoroughly. The procedures should call for suppliers to provide you with a landline
number and check that you can contact them on that number.

• Payment data verification;

• Clear error processing and problem resolution procedures; and

• Confidential and tamper resistant mailing procedures for sensitive material.

• The operational controls for funds transfer operations require clearly defined
procedures establishing a control environment which provides for the
authorization and authentication of transactions. Financial institutions should
establish effective operational controls that identify and document:

• The original payment instructions from the corporate or individual customer to the
financial institution and other pertinent information (e.g., account officer, branch
manager, terminal entry identity, automated interface identification);

• Every transfer point of data for each step of the manual process (e.g., account
officer, message receipt, authentication, data entry, and payment release); and

• Every transfer point of data for each step of an automated process (e.g., SWIFT
and Telex, message preparation, data entry, and payment release).

• Basic internal controls should be in effect to maintain overall integrity for any
funds transfer operation. However, depending on the complexity and volume of
operations, certain steps may not be applicable for some institutions.
Recommended control objectives for a wholesale funds transfer system include:

• Verifying the accuracy and completeness of the outgoing instruction;

• Protecting original instructions from loss or alteration;

• Authenticating the identity and authority of the sender;

• Ensuring collected balances are available and held for the outgoing payments;

• Ensuring the original unaltered outgoing instruction is entered into the internal
accounting system;

Safety and security

• Maintaining a physically secure environment, with alarm systems, safes, software
tools and CCTV.

• Financial institutions should have funds transfer policies and procedures
addressing both the processing of funds transfer messages and the related
standards for creating and maintaining source documents. Policies and
procedures should include documentation describing all interfaces between the
funds transfer application and other back office and customer-related banking
processes, and should address the controls relating to crediting, debiting, and
reconciling customer and institution account balances. Policies and procedures
should also document institution specific compliance requirements to address
federal and state regulations including OFAC verification procedures.

• Physical and electronic access to sensitive areas and procedures must be
restricted. “One key each”

• Always encrypt data on your computer network

• Take care of papers thrown out; shred anything sensitive

• Ensure your computer system is sound by using a firewall, strong alphanumeric
passwords (avoiding real words) changed regularly, and up-to-date virus software

• Have a clearly defined fraud response plan so that you can react effectively
should fraudulent activity take place

Divide and Conquer

• Wherever practical, duties must be segregated so that no one person is
responsible for both approving expenditure and authorising payment.

• Dual custody of assets;

People

• Employees must take their vacation entitlement and the work of employees on
vacation must be covered by others.

• All employees' expense claims must be authorised by their immediate managers
before payment.

• New employees must be screened and their references must be checked.
Performance should be regularly appraised and appropriate training given.

• All staff should have formal job descriptions that clearly indicate their
responsibilities and are updated regularly. Organisational structure should be
clear and unambiguous.

• Sickness absence must be monitored and controlled.

• Train employees to avoid phishing

• Set strict staff guidelines about what information they can give to strangers

Management

• Managers must set an example to staff by implementing controls, checking
security and querying decisions and procedures.

Audit

A Company’s internal auditors should conduct periodic independent reviews of the funds
transfer operation, including all pertinent internal policies and procedures. An external
audit can supplement or replace internal audit procedures.

Examiners should perform an evaluation of the Company's audit function to determine
whether audit activities related to operations are comprehensive and effective. Examiners
also should review the auditor's opinion of the adequacy of accounting records and
internal controls for funds transfer operations. The review of audit procedures should focus
on:

The scope and frequency of the internal funds transfer audit program;

The effectiveness of audit procedures in determining any control/operating problems
disclosed since the previous examination and what corrective measures management has
taken;

Audit work papers to ensure they document adherence to prescribed audit procedures;

IT audit coverage of new system enhancements and development projects; and

External audit findings and recommendations.

Information Security

A Company’s information security program should include an effective risk assessment
methodology that includes an evaluation of risks relating to performing high-risk activities
such as funds transfer and other payment-related activities. Management should use risk
assessments based on a periodic review of high-risk activities to develop effective
standards for adequate separation of duties, physical security, and logical access controls
based on the concept of “least possible privilege.”

Management should establish logical access controls on the funds transfer application that
assign appropriate access levels to staff members working in the wire room or funds
transfer operation. Inappropriate access levels provide the opportunity to create and
transmit unauthorized funds transfer messages. The risk is greater without adequate
separation of duties. Management should ensure no employees have access to more
than one assigned user code unless the code is under dual control. Management should
configure message verification rights to ensure adequate separation of duties between
employees initiating and employees verifying and sending funds transfer messages.
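The two access rules above (one user code per employee unless under dual control, and separation between initiating and verifying/sending) can be checked against an access list and a message log, as in this added example that is not part of the original course material. All employee names, user codes and message IDs are constructed, and the reading that a second code is acceptable only when it is held under dual control is an assumption.

```python
from collections import defaultdict

# Constructed sample data; employee names, user codes and message IDs are hypothetical.
USER_CODES = [
    # (employee, user_code, under_dual_control)
    ("alice", "WR-INIT-01", False),
    ("bob", "WR-VERIFY-01", False),
    ("carol", "WR-INIT-02", False),
    ("carol", "WR-VERIFY-02", False),  # second code, not under dual control
    ("dave", "WR-INIT-03", False),
    ("dave", "WR-ADMIN-01", True),     # second code, held under dual control
]

MESSAGES = [
    # (message_id, initiated_by, verified_by, sent_by), recorded as user codes
    ("FT-0001", "WR-INIT-01", "WR-VERIFY-01", "WR-VERIFY-01"),
    ("FT-0002", "WR-INIT-02", "WR-VERIFY-02", "WR-VERIFY-02"),  # both codes are carol's
    ("FT-0003", "WR-INIT-03", "WR-VERIFY-01", "WR-VERIFY-01"),
    ("FT-0004", "WR-INIT-01", "WR-INIT-01", "WR-VERIFY-01"),    # initiator verified own message
    ("FT-0005", "WR-INIT-01", "WR-TEMP-99", "WR-VERIFY-01"),    # verifier code not in access list
]


def employees_with_multiple_codes(user_codes):
    """Employees holding more than one user code that is not under dual control."""
    solo_codes = defaultdict(set)
    for employee, code, dual_control in user_codes:
        if not dual_control:
            solo_codes[employee].add(code)
    return sorted(e for e, codes in solo_codes.items() if len(codes) > 1)


def naive_violations(messages):
    """Code-level check: the same user code initiated and also verified or sent."""
    return [m for m, init, ver, sent in messages if init in (ver, sent)]


def separation_violations(messages, user_codes):
    """Person-level check: resolve each code to its holder before comparing roles.

    Assumes each user code has a single assigned holder in the access list.
    """
    holder = {code: employee for employee, code, _ in user_codes}
    findings = []
    for message_id, init, ver, sent in messages:
        people = [holder.get(code) for code in (init, ver, sent)]
        if None in people:
            findings.append((message_id, "unassigned user code"))
        elif people[0] in people[1:]:
            findings.append((message_id, f"{people[0]} initiated and verified/sent"))
    return findings


if __name__ == "__main__":
    print("multiple codes:", employees_with_multiple_codes(USER_CODES))
    print("code-level check:", naive_violations(MESSAGES))
    for message_id, reason in separation_violations(MESSAGES, USER_CODES):
        print(f"{message_id}: {reason}")
```

Comparing user codes alone misses FT-0002, which is why the one-code-per-employee rule and the initiate/verify separation have to be reviewed together.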

Third-Party Management

Some Companies rely on third party service providers and other financial institutions for
wholesale payment system products and services either to enhance the services
performed in-house or to offer wholesale payment services that are otherwise not cost
effective.

Financial institutions should have adequate due diligence processes, appropriate contract
provisions, and service provider monitoring procedures to ensure they conduct wholesale
payment operations appropriately. Effective monitoring should include the review of select
wholesale payment transactions to ensure they are accurate, reliable, and timely. The
integrity and accuracy of wholesale payment transactions depend on the use of proper
control procedures throughout all phases of processing, including outsourced functions.

Regardless of whether the financial institution’s control procedures are manual or
automated, internal controls should address the areas of transaction initiation, data entry,
computer processing, and distribution of output reports. Financial institutions should also
maintain effective control over service provider access to customer and financial institution
information. Contractual provisions should define the terms of acceptable access and
potential liabilities in the event of fraud or processing errors.

Internal Accounting controls

These are policies that establish guidelines and procedures related to keeping books and
records that in reasonable detail accurately and fairly reflect the Company's transactions
and dispositions of assets. The Company shall maintain a system of internal accounting
controls to ensure reliability and adequacy of its books and records and proper recording
of all transactions including dispositions of assets.

Policy:

Authorization: The only transactions to be entered into by the Company are those which
are executed in accordance with management's specific approval (as set forth in the
following paragraph) or established, formalized policies and procedures.

Approval: No transaction will be recorded in the accounts of the Company unless it is
within the scope of written policies and procedures or is specifically and formally approved
by an appropriate and designated Employee. Such approval requires the determination
that the transaction (i) has been authorized in accordance with this Corporate Policy and
(ii) is supported by documentary evidence to verify the validity of the transaction.

In particular

There should be a formal system for the authorisation of orders, invoices and payments.

Credit notes over a threshold amount must be explained to and authorised by a senior
independent manager before issue.

Inventory write-downs must be investigated before authorisation by an independent
manager.

Accounting: All transactions entered into by the Company will be recorded in the
accounts of the Company in accordance with normal, standard procedures. Each entry
will be coded into an account which accurately and fairly reflects the true nature of the
transaction.

In particular

Key balance sheet accounts must be reconciled monthly and the reconciliation reviewed
regularly by senior managers.

Fixed assets must be tagged and checked periodically - this can often be combined with
the regular testing of electrical and lifting equipment.

Ensure that no goods or assets leave a site without a despatch note or other
documentation.

The accuracy of the information should be checked using bank reconciliation, invoice
calculation checks and physical stock counts.

Reporting: All transactions that have been accounted for in accordance with this
Corporate Policy will be accumulated and processed in a manner which will permit timely
preparation of financial statements, reports and data for purposes of internal, public and
regulatory reporting. Such statements, reports and data must be understandable and
prepared in a form sufficient to reflect fully, accurately and fairly the results of transactions
entered into by the Company and to permit proper accountability for assets.

Responsibility: The implementation and maintenance of internal accounting controls,
procedures and records that are adequate in all respects to satisfy the requirements of this
Corporate Policy will be the primary responsibility of the Chief Financial Officer.

Auditing: Compliance with the provisions and requirements of this Corporate Policy will
be tested and evaluated by the Company's Director-Audit Services in connection with the
ongoing internal audit program. All control failures regarding this Corporate Policy will be
reported to management so that deficiencies can be corrected and assurance of
compliance with the terms of this Corporate Policy maintained.

Procedure: The Company will continuously evaluate its internal accounting controls,
procedures and records to ensure compliance with the requirements of this Corporate
Policy. Such evaluation will be documented in a form suitable for inspection by outside
parties, such as regulatory authorities, if the need arises.

The Company will take action to remedy any deficiency in internal accounting controls,
procedures and records to ensure continuing compliance with the requirements of this
Corporate Policy.

The audit services staff, in coordination with the Company's Director-Audit Services, will
ascertain that its audit scope, procedures and programs are adequate (i) for the purpose
of testing and evaluating internal accounting controls, procedures and records and (ii) for
complete reporting of deficiencies in internal accounting controls, procedures and records.

On or before the year end of each year, the Chief Financial Officer and the Company's
Director-Audit Services will prepare a written summary applicable to the preceding fiscal
year which sets forth financial management's evaluation of the Company's internal
accounting controls, procedures and records. Such a summary will consider financial
management's overall evaluation and results of audits performed during the year, internal
and external. For deficiencies noted in the evaluation, remedial action in progress or
contemplated will be set forth in the summary. The summary will be addressed to the
Audit Committee of the Board of Directors.

The Company's Director-Audit Services will, on an annual basis, report to the Audit
Committee of the Board of Directors on the adequacy of internal accounting controls,
procedures and records.

Components of Fraud Rationalisation

Some excuse or validation for actions, such as: I’m just borrowing the money and will pay
it back; it’s only temporary until I get over this financial difficulty.

I need it more than they do, and they will never miss it.

Everybody else is doing it.

No one will get hurt.

It’s for a good purpose.

I deserve it because I’ve been treated unfairly –the organization owes me.

Fraud Detection Plan

The conditions under which fraud thrives have been listed. These included an unhealthy
corporate culture, domineering management, management abusing or overriding internal
controls, low staff morale and weak management. Collectively they reflect the culture of
the organisation. The most effective ways of detecting fraud have been found to be:

1. Internal controls. Eliminate opportunities for fraud – implement a strong system
of internal controls and monitoring, check employee references, conduct
background checks, second endorsements on cheques, train employees in
fraud awareness

2. Internal audit. Use surveillance techniques when appropriate, Proactively audit for
fraud

3. Management review.

4. Whistle-blowers. Use a hotline. Create an expectation of punishment.

5. Change of management. Create a culture of honesty - set a good example and do
not tolerate dishonest or unethical behaviour in others. Have a written code of
ethics and make sure everyone is aware of it. Create a positive work
environment.

6. Anonymous tip-offs. Provide employee assistance programs

7. Outside information. Alert vendors and contractors to company policies

8. Security of passwords.

9. External audit.

10. Accident.

11. Access/exit controls.

This list emphasises the importance of having strong management and a healthy
corporate culture to detect and therefore deter fraud. Physical controls such as passwords
and access/exit controls come at the bottom of the list in detecting fraud but have a big
deterrent effect on potential fraudsters and are very important in reducing fraud.

Fraud Deterrence Plan

Until there is a healthy culture and strong management in all branches and departments of
an organisation, attempts to deter fraud will not be very successful. Only when potential
fraudsters believe fraud will be detected and when whistle-blowers believe they will be
protected will there be an effective deterrence of fraud.

Week 2 – Day 2 – 14th October

White collar crime and Business Risk

Putting white collar crime in perspective

The world's financial capital leaks money like a fishnet. When the flow of
cash is not measured in lorry-loads but in electronic trillions, you don't
need a disguise; an inside job is much easier.

Three such men pleaded guilty last week to a form of bank robbery. The
so-called Natwest Three were accused of defrauding their employer of
some $7m while working with a client called Enron.

One view is that the guilty plea marks a welcome end to a rather
shameful episode in British financial history: the complicity of employees
of one of our biggest banks in a record-breaking corporate collapse.

Another view is that the Three pleaded guilty only because the
consequence if their defence failed before a jury was so horrific: 30 years
behind bars in the US instead of three served nearer home.

Governance and Business Risk overview

Governance, Risk, and Compliance or "GRC" is an increasingly recognized term that
reflects a new way in which organizations can adopt an integrated approach to these three
areas. However, this term is often positioned as a single business activity, when in fact it
includes multiple overlapping and related activities within an organization, e.g. internal
audit, compliance programs like SOX, enterprise risk management (ERM), operational
risk, incident management, etc.

Governance is the responsibility of senior executive management and focuses on creating
organizational transparency by defining the mechanisms an organization uses to ensure
that its constituents follow established processes and policies. A proper governance
strategy implements systems to monitor and record current business activity, takes steps
to ensure compliance with agreed policies, and provides for corrective action in cases
where the rules have been ignored or misconstrued.

Risk Management is the process by which an organization sets the risk appetite, identifies
potential risks and prioritizes the tolerance for risk based on the organization’s business
objectives. Risk Management leverages internal controls to manage and mitigate risk
throughout the organization.

Compliance is the process that records and monitors the policies, procedures and controls
needed to enable compliance with legislative or industry mandates as well as internal
policies.

Within the GRC realm, it is very important to realize that if the first one (Governance) is not
in place, the second two (Risk Management and Compliance) become irrelevant and
probably cannot be meaningfully achieved. Working on the same logic, if the second one
(Risk Management) is not in place then achieving Compliance becomes irrelevant and
probably cannot be meaningfully achieved. This is the reason the acronym is designed as
GRC and not other combinations. Governance, Risk, and Compliance are highly related
but distinct activities that solve different problems for different sets of constituents of an
organization.

Fraud Theory

Control fraud theory was developed in the savings and loan debacle. It
explained that the person controlling the S&L (typically the CEO) posed a
unique risk because he could use it as a weapon.

The theory synthesized criminology (Wheeler and Rothman 1982),
economics (Akerlof 1970), accounting, law, finance, and political science.
It explained how a CEO optimized “his” S&L as a weapon to loot creditors
and shareholders. The weapon of choice was accounting fraud. The
company is the perpetrator and a victim. Control frauds are optimal
looters because the CEO has four unique advantages. He uses his ability
to hire and fire to suborn internal and external controls and make them
allies. Control frauds consistently get “clean” opinions for financial
statements that show record profitability when the company is insolvent
and unprofitable. CEOs choose top-tier auditors. Their reputation helps
deceive creditors and shareholders.

Only the CEO can optimize the company for fraud. He has it invest in
assets that have no clear market value. Professionals evaluate such
assets - allowing the CEO to hire ones who will inflate values. Rapid
growth (as in a Ponzi scheme) extends the fraud and increases the
“take.” S&Ls optimized accounting fraud by loaning to un-creditworthy
and criminal borrowers (who promised to pay the highest rates and fees
because they did not intend to repay, but the promise sufficed for the
auditors to permit booking the profits). The CEO extends the fraud
through “sales” of the troubled assets to “straws” that transmute losses
into profits. Accounting fraud produced guaranteed record profits - and
losses.

CEOs have the unique ability to convert company assets into personal
funds through normal corporate mechanisms. Accounting fraud causes
stock prices to rise. The CEO sells shares and profits. The successful CEO
receives raises, bonuses, perks, and options and gains in status and
reputation. Audacious CEOs use political contributions to influence the
external environment to aid fraud by fending off the regulators.
Charitable contributions aid the firm's legitimacy and the CEO's status.
S&L CEOs were able to loot the assets of large, rapidly growing
organizations for many years. They used accounting fraud to mimic
legitimate firms, and the markets did not spot the fraud. The steps that
maximized their accounting profits maximized their losses, which
dwarfed all other forms of property crimes combined.

While agreeing that the S&L served as both a “weapon” and a “shield,”
control fraud theory cast doubt on those metaphors. Weapons and
shields are visible; fraud is deceitful. The better metaphors would be
camouflage, or a virus. Control fraud theorists rejected the economists'
metaphor, “gambling for resurrection” (honest but unlucky risk takers).
Gambling cannot explain why control fraud was invariably present at the
typical large failure. There were over 1,000 felony convictions of senior
S&L insiders. Accounting fraud made control fraud a sure thing, not a
gamble. Control fraud theory predicts the pattern of record profits and
catastrophic failure and the business pattern of deliberately making bad
loans. Both patterns are inconsistent with honest gambling.

The identification of the S&L “high fliers” as control frauds and
understanding that they were Ponzi schemes relying on accounting fraud
led to effective regulatory strategies against the wave of S&L frauds. The
Federal Home Loan Bank Board reregulated the industry, curbing growth
(a Ponzi scheme's Achilles heel) while the control frauds were still
reporting record profits and were praised by top economists.

The second use of control fraud theory was to analyze the structures that
produced criminogenic environments that led to waves of control fraud.
Deregulation and de-supervision of the S&L industry, combined with the
industry's mass insolvency, optimized accounting fraud and made
“systems capacity” limitations critical. The mass insolvency maximized
“reactive” control fraud, and the deregulation, de-supervision, and mass
insolvency maximized entry into the industry by “opportunistic” control
frauds.

Fraud waves can cause financial bubbles to hyperinflate (e.g., Texas real
estate during the debacle) and cause regional or systemic injury (e.g.,
during Russia's “shock therapy,” the failures of “the Washington
consensus,” and the U.S. high-tech bubble). Control frauds cause indirect
losses by corrupting politicians and professionals and betraying trust.
When control fraud becomes endemic, it can lock nations in long-term
poverty.

Control fraud theory poses a fundamental challenge to the core models
of finance and economics. The efficient markets (and contracts)
hypothesis requires that markets be able to identify and exclude control
frauds, and the dominant law and economics model asserts that they do
so effectively and quickly. This claim is largely premised on the view that
no top-tier audit firm would give a clean opinion to a control fraud.
Control frauds have consistently falsified this claim. Deposit insurance
was not the key to S&L control fraud. Control frauds deceive “creditors at
risk.” High reported profits allow them to grow rapidly by borrowing and
issuing stock.

To date, most of the work in control fraud discusses looting by the CEO.
However, it also exists in government when the head of state uses the
government to defraud. It can be used to defraud customers (e.g.,
“lemons” scams, in which quality or quantity is misrepresented, or
cartels) and the public (e.g., tax fraud or a toxic waste firm that gains a
cost advantage by dumping in the stream). These forms of control fraud
create real profits and, absent effective enforcement, create a dynamic
that causes fraud to spread. Systems capacity problems can lead to
endemic control fraud in an industry.

As a result of the Sarbanes-Oxley Act and other reforms, a variety of structures
and procedures were put into place to try to prevent or detect fraud. A number of
these reforms involve auditors and the audit profession, on the implicit assumption
that auditors have an important role to play in preventing and detecting corporate
fraud. But a recent Grant Thornton survey shows that many CFOs still do
not feel constrained by their auditors’ oversight, notwithstanding the reform
measures.

Limitations of traditional audit techniques

Mind the Gap!

According to the survey, 62% of the 221 CFOs surveyed believe it would
be possible to intentionally misstate their financial statements to their
auditors. As one commentator in the November 15, 2007 CFO.com
article on the survey put it, these numbers are
"alarming," given that "CFOs – if they’ve a mind to – are in a unique
position, having the necessary information, intelligence and access to
trick auditors in ways that are hard to decipher."

Indeed, it is disconcerting that nearly two-thirds of CFOs feel they could
fool their auditors on intentionally falsified financial statements. Clearly,
if such a large percentage of CFOs feel they could, some of them might,
and a few of them will. This intimation of the possibility of undetected
fraud should be disconcerting to investors, analysts, and others
(including D & O underwriters) who rely on auditors’ assurance that the
financial statements are free from "material misstatement."

The disappointment and even anger that investors and others feel when
they find they have been misled by falsified financial statements often
encompasses a sense of frustration that the auditors failed to detect the
fraud. Accordingly, auditors are often named as co-defendants in
securities fraud lawsuits, based on a failure to detect the fraud and the
auditors’ statements that there are no material misstatements in the
financial statements.

But a further Grant Thornton survey finding underscores the theoretical
limitations of audit fraud detection. 83 percent of the surveyed CFOs said
they did not feel that it was even possible for auditors to detect
corporate fraud in all cases. This survey finding embodies the same
sentiment expressed in the November 2006 statement of the heads of
the six leading accounting firms entitled "Global Capital Markets and the
Global Economy: A Vision From the CEOs of the International Audit
Networks." The accounting industry leaders noted that "there are
limits to what auditors can reasonably uncover, given the limits inherent
in today’s audits." They go on to note that while there are audit
techniques whose principal goals are to "ascertain whether fraud has
occurred," these techniques are "not foolproof, nor can they be expected
to be."

The problem for everyone, both auditors and those who rely on their
audits, is that there is, in the words of the industry leaders’ statement,
an "expectations gap." According to the accounting leaders, the gap
arises because "many investors, policy makers, and the media believe
that the auditor’s main function is to detect all fraud, and thus, where it
materializes and auditors have failed to find it, the auditors are
presumed to be at fault." The accounting leaders go on to assert that:

Given the inherent limitations of any outside party to discover the
presence of fraud, the restrictions governing the methods auditors are
allowed to use, and the cost constraints of the audit itself, this
presumption is not aligned with the current auditing standards.

The accounting leaders’ frustration is palpable; they apparently
recognize, as do the CFOs that responded to the Grant Thornton survey,
that management bent on misrepresenting their company’s financial
condition can conceal the misrepresentations from the auditors. But the
reason there is nonetheless an expectations gap is that investors and
others do rely, as they must, on companies’ audited financial statements.
Merely naming the problem as an expectations gap, or citing the
limitations of current auditing standards, does not address the problem,
which is that investors and others rely on the audited financial
statements in ways the auditors apparently wish they wouldn’t or believe
they shouldn’t. It almost seems as if the auditors’ message to those who
would rely on financial statements is – don’t (or, at least, not so much).

Given the CFOs’ and the accounting leaders’ recognition of the
limitations of audit fraud detection, it may be well argued that audited
financial statements in fact should not be relied upon. But what
alternative do investors have? The investors necessarily place some
value on the fact that professionals independent of management have
examined the financial statements.

It is nevertheless a significant concern that nearly two-thirds of CFOs
believe they can fool their auditors. And apparently the auditors agree
with the general proposition as well. This ought to make anyone who
needs must rely on audited financial statements very uneasy.

An auditor cannot obtain absolute assurance that material misstatements in the
financial statements will be detected. There is an unavoidable risk that some
material financial misstatements may not be detected even when the audit has been
completed using proper planning and in accordance with the prescribed auditing
standards. The auditor can only obtain reasonable assurance that material
misstatements in the financial statements will be detected.

The risk of not detecting a fraud is much higher than the risk of not detecting a
material misstatement resulting from an error, as frauds are much deeper rooted
and well covered. Normal auditing procedures which are effective in discovering
error are usually not effective enough for detecting frauds.

Management fraud is much more difficult to detect and the auditor may simply not
detect it at all. The auditor’s opinion is based on what is presented to the auditor,
and subsequent discovery of fraud or a material misstatement in the financial
statements does not indicate any failure on the part of the auditor to obtain
reasonable assurance or absence of professional competence or failure to comply
with auditing standards.

When planning and conducting an audit, the auditor must make inquiries of
management and obtain written assurance that management has prepared the
financial statements with due care and that the internal controls and accounting
procedures put in place by management address such risks. The inquiries should
cover management’s assessment of the risk that there may be material
misstatements in the financial statements as a result of fraud. The auditor must
also enquire whether management is aware of any known fraud that has affected
the internal control system and that the entity is investigating.

Audit risk is the risk that the auditor gives an inappropriate audit opinion when the
financial statements are materially misstated. Such misstatements can result
from either fraud or error. There are three types of audit risk: inherent risk,
control risk and detection risk.

Strategic Fraud Prevention Plan

A fraud prevention strategy starts with a work environment intolerable to
fraudulent behaviour.

Fraud comes in all sizes ranging from billion dollar cases of corporate fraud to
thousand dollar cases of employee embezzlement to employees overcharging their
expense reports. Therefore, an effective fraud prevention strategy must be
multi-dimensional, considering senior management, employees, and even outside parties
such as customers and vendors. An effective fraud prevention strategy must also
be adaptable to the ever-changing fraud schemes as internal controls and
technology change the operating environments of most companies. So how does a
company develop a fraud prevention strategy without spending millions of dollars
and scrutinizing all of its transactions? One technique is to break the problem into
smaller pieces. Let’s consider 1) the work environment; 2) control systems; and 3)
fraud-specific procedures.

Work Environment

An effective fraud prevention strategy begins with creating a work environment
that defines and reinforces anti-fraud behaviour. This includes how the company
treats its customers, employees and suppliers. No matter how many internal
control systems or anti-fraud procedures are used, there needs to be the proper
“tone at the top” that demands to “always do the right thing no matter what the
cost to the company.” Without a strong anti-fraud culture, opportunity and
rationalization will appear to those individuals with enough pressure to commit the
fraudulent act. A key element to an anti-fraud work environment is a clearly
written fraud policy. This policy should describe the corporate commitment to the
fair treatment of all employees, customers, and suppliers. Any variances from
company policy need to be handled according to the written fraud policy. Any
variances, no matter the size, will limit the effectiveness of the company policy
allowing the rationalization of future fraud activity.

The whistle blower system is also an effective tool for the work environment.
According to the “2006 Report to the Nation on Occupational Fraud and Abuse”
of the Association of Certified Fraud Examiners (ACFE), 34.2% of the initial
reports of occupational abuse resulted from tips. These tips came from employees,
customers and vendors. An effective whistle blower system allows key individuals
to report fraud without the threat of retribution. It is also important to have a
history of prosecuting fraudulent activity. Too often, employees caught
committing frauds against the company are terminated without the negative,
embarrassing consequences of being prosecuted for their crime. Faced with only
termination, the employee often commits the act again at their next employer.

Control Systems

Control systems include the internal control systems of the company. These
control systems are front lines in the fight against fraud. An adequate system of
internal controls reduces the number of opportunities available to those individuals
with pressure and rationalization.
The importance of internal control systems is evidenced by Section 404 of
Sarbanes-Oxley. This law requires not only the establishment of a system of internal
controls but also is concerned with how management assesses these controls.
Currently, public companies are spending significant resources, both people and
money, in compliance with this law. ACFE’s “2006 Report to the Nation”
illustrates the importance of control systems with 20.2% of initial reports resulting
from internal audits and 19.2% resulting from internal controls.

Fraud-Specific Procedures

The core of the fraud prevention strategy is the use of fraud-specific procedures.
These procedures are specifically designed to detect fraud, in contrast to the
control activities of the internal control systems which are generally applied to
achieve the control objectives. Whereas control objectives are designed to reduce
the opportunities for fraud, the fraud-specific procedures are designed to test for
the presence of fraudulent activity.

These procedures are analogous to a medical exam. Even though an individual
may live a healthy lifestyle, with proper eating and exercise habits, regular
medical exams are still recommended. During these medical exams, the doctor is
looking for the presence of disease or other medical conditions that if detected
early, can be effectively treated. Similarly, the use of fraud-specific procedures
looks for the presence of fraud-related activities. These procedures should be
performed randomly throughout the year by testing a variety of areas of potential
fraud, including areas such as ghost employees, fictitious vendors, kiting, and
inventory shrinkage. The application of these procedures offers two benefits. The
first benefit is the possible discovery of a fraud in progress. This is a direct benefit
resulting in a reduction of the possible financial damage from the fraudulent
activity. The other is the indirect benefit of reducing the opportunity to commit
fraud. With the presence of these random, fraud-specific procedures, anyone
contemplating a fraud needs to consider the potential their fraudulent activity will
be identified. This unknown may be enough to convince an individual that
opportunity does not exist; therefore the fraudulent activity cannot be successful.

Conclusion

Fraud is committed by individuals motivated by pressure, opportunity, and
rationalization, working in an ever-changing environment. In order to be effective,
a fraud prevention strategy needs to be multi-dimensional. The strategy starts with
a work environment intolerable to fraudulent behaviour. This work environment is
supported by robust control systems which are monitored and revised to address
current environmental conditions. In addition, these control systems are
supplemented by fraud-specific procedures, designed to identify existing
fraudulent activity.

Week 2 – Day 5 – 17th October

Investigations and Expert Witness Testimony

Introduction

A fraud response plan is needed so that you can react effectively and quickly
should fraudulent activity take place. The plan defines authority levels,
responsibilities for action, and reporting lines in the event of a suspected fraud or
irregularity. The plan acts as a checklist of actions and a guide to follow in the
event of fraud being suspected.

Purpose of the Fraud Response Plan

The plan is designed to enable a Company to:

(i) prevent further loss
(ii) establish and secure evidence necessary for criminal and/or disciplinary action
(iii) notify the Internal Auditor/Group Accountant immediately
(iv) enable the Internal Auditor/Group Accountant to contact the Director of
Finance promptly
(v) determine when and how to contact the police and establish lines of
communication
(vi) assign responsibility for investigating the incident
(vii) minimise and recover losses
(viii) review the reasons for the incident, the measures taken to prevent a
recurrence, and determine any action needed to strengthen future responses to
fraud
(ix) keep all personnel with a need to know suitably informed about the incident as
the investigation develops
(x) help promote an anti-fraud culture by making it clear to employees and others
that the Company will pursue all cases of fraud vigorously taking appropriate legal
and/or disciplinary action in all cases where that is justified

Action following detection – Stage 1

When any member of staff suspects that a fraud has occurred, he/she must notify
his/her Line Manager immediately. Speed is of the essence and this initial report
should be verbal and must be followed up within 24 hours by a written report
addressed to the Line Manager which should cover:
(i) The amount/value, if established.
(ii) The position regarding recovery.
(iii) The period over which the irregularity occurred, if known.
(iv) The date of discovery and how the suspected fraud was discovered.
(v) The type of irregularity and what led to it, i.e.:
    • was there a breakdown in the systems of internal control, or
    • is there any inherent weakness in the system of internal control which allowed
      it to occur?
(vi) Whether the person responsible has been identified.
(vii) Whether any collusion with others is suspected.
(viii) Details of any actions taken to date.
(ix) Any other information or comments which might be useful.

Action following detection – Stage 2

On verbal notification of a possible fraud the Line Manager/Internal Auditor must
immediately contact the Director of Finance. It is a matter for the Line
Manager/Internal Auditor in consultation with the Director of Finance to decide
whether there is prima facie evidence of fraud in which case the police should be
notified immediately, normally by the Line Manager/Internal Auditor. On receipt
of the follow up written report, the Line Manager should forward this to the
Director of Finance.

Internal Audit also has an interest in fraud as the extent and nature of fraud within
a Division can give an indication of the soundness of that Division's systems. The
written report sent to the Director of Finance should therefore be copied to the
Internal Auditor. The rapid discovery and proper reporting of fraud can also be an
indicator of the strength of control within a Division.

The Director of Human Resources should also be informed or consulted as
necessary.

Initial Enquiries

Before completing the report above it may be necessary for line management to
undertake an initial enquiry to ascertain the facts. This enquiry should be carried
out as speedily as possible after suspicion has been aroused: prompt action is
essential. The purpose of the initial enquiry is to confirm or repudiate, as far as
possible, the suspicions that have arisen so that, if necessary, disciplinary action
including further and more detailed investigation (under internal disciplinary
procedures and/or the police) may be instigated. Internal Audit is available to
offer advice on any specific course of action which may be necessary.

Managers’ duty of care

Managers conducting initial enquiries must be conscious that internal disciplinary
action and/or criminal prosecution may result. If such action is later taken then
under proper procedure the member of staff concerned has a right to
representation and may have the right to remain silent. Utmost care is therefore
required from the outset in conducting enquiries and interviews.
In addition, in order to protect the Company from further loss and destruction of
evidence, it may be necessary to suspend the member of staff concerned
immediately the allegation has been made or following the submission of the
manager’s initial verbal report. Specific advice should be sought from Human
Resources before proceeding.

The Fraud Interview

1. The objectives of a formal investigation will be to establish as many facts
as possible about the case and present them in such a way that will allow
the determination of whether and how Departmental / Agency rules have
been broken, and / or whether criminal offences have occurred.
2. A member of staff has a duty to assist as an employee. A staff member has
the right to make a signed statement. He/she may take a reasonable
amount of time to peruse any statement he/she has provided before signing
it. Interviews will normally be carried out by two Investigation Officers.
3. Where a member of staff has been invited for interview the Investigation
Officer will issue this Code of Practice along with the document ‘Rights at
a Fact Finding interview’ ten working days prior to the interview. All
interviews will be prefaced with a general statement explaining the
purpose of the investigation.

4. Before commencing the interview the Investigation Officers will remind
the member of staff of this Code of Practice and will also advise as
follows: -
“A Report on the findings of this investigation will be issued to Personnel
Branch. Personnel Branch are responsible for considering disciplinary
action, if appropriate, where a member of staff has contributed to a fraud
or other serious irregularity, either directly or indirectly. There are a range
of disciplinary penalties that can be exercised which are outlined in
Paragraph 2.4 of the Code of Practice.”

5. Where during the course of an interview a member of staff admits to
being involved in something which may be a criminal offence he/she will
be advised as follows: -
“We think that what you have just told us may be a criminal offence. This
information will now be referred to Personnel Branch to consider further
investigation. What you have told us may constitute serious or gross
misconduct and I have to remind you that there is a range of disciplinary
penalties that can be exercised against those involved in criminal activity,
including dismissal. This interview is now being terminated”.

Representatives at Interviews

A member of staff who is to be interviewed may, if he/she wishes, be
accompanied at the interview by a work colleague or a Trade Union Official
and the interview may be adjourned to allow for such attendance. If the
member of staff decides that he/she does not wish to have a work colleague or
Trade Union Official present this fact will be recorded and the member of
staff will be asked to sign a record at that stage.
If a member of staff who has elected not to have a work colleague or Trade
Union Official present decides in the course of the interview that he/she would
like to be accompanied or if, at any stage in the interview, it becomes apparent
that a member of staff has failed to carry out his/her duties in a proper manner
which, in itself, might call for consideration of formal disciplinary action, then
a further opportunity will be given for the member of staff to have a work
colleague or Trade Union Official present at the interview.

Role of representatives

A work colleague or Trade Union Official who accompanies a member of
staff at an interview will attend solely as the member of staff’s adviser and
may not answer for the member of staff being questioned; the member of staff
may, however, consult his/her work colleague or Trade Union Official during
the interview. The Investigation Officers will not enter into any discussion
during the interview with the member of staff’s work colleague or Trade
Union Official as to the propriety of the interview, or the conduct of it, or the
proceedings and questioning in general except to clarify the meaning of
particular individual questions if necessary.

Transcripts

A photocopy of statements made and responses to questions asked during the
interview will be provided to staff at the close of the interview. A typed copy of
the transcript will be issued to staff for signing.

Use and protection of evidence

If the initial examination confirms the suspicion that a fraud has been perpetrated,
then to prevent the loss of evidence which may subsequently prove essential for
disciplinary action or prosecution, management should:
(i) take steps to ensure that all original evidence is secured as soon as possible;
(ii) be able to account for the security of the evidence at all times after it has been
secured, including keeping a record of its movement and signatures of all persons
to whom the evidence has been transferred. For this purpose all items of evidence
should be individually numbered and descriptively labelled;
(iii) not alter or amend the evidence in any way;
(iv) keep a note of when they came into possession of the evidence. This will be
useful later if proceedings take place;
(v) remember that all memoranda relating to the investigation must be disclosed to
the defence in the event of formal proceedings and so it is important to carefully
consider what information needs to be recorded. Particular care must be
taken with phrases such as “discrepancy” and “irregularity” when what is
really meant is fraud or theft.
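
Steps (i) to (iv) above amount to keeping a custody register for each item of evidence. The Python below is an added example, not part of the original course material: it assumes the evidence is a digital file, uses a SHA-256 digest (an assumption, the text names no method) to show the item has not been altered, and records each handover's "signatures" simply as the names of the releasing and receiving persons. All class and function names and the sample data are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def digest_of(content: bytes) -> str:
    """SHA-256 of the item's bytes (assumption: the item is a digital file)."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class Transfer:
    when: datetime
    released_by: str   # person signing the item out
    received_by: str   # person signing the item in
    digest: str        # digest recomputed at the handover


@dataclass
class EvidenceItem:
    number: int            # individual number, step (ii)
    label: str             # descriptive label, step (ii)
    acquired_at: datetime  # when it came into possession, step (iv)
    acquired_by: str
    digest: str            # baseline taken when the original is secured, steps (i) and (iii)
    transfers: list = field(default_factory=list)

    @property
    def custodian(self) -> str:
        """Whoever currently holds the item."""
        return self.transfers[-1].received_by if self.transfers else self.acquired_by


class CustodyRegister:
    def __init__(self):
        self.items = {}

    def secure(self, label, content, acquired_by, when):
        """Number, label and baseline a newly secured item."""
        number = len(self.items) + 1
        item = EvidenceItem(number, label, when, acquired_by, digest_of(content))
        self.items[number] = item
        return item

    def transfer(self, number, released_by, received_by, content, when):
        """Record a handover; only the current custodian may release the item."""
        item = self.items[number]
        if released_by != item.custodian:
            raise PermissionError(
                f"item {number} is held by {item.custodian}, not {released_by}")
        # The observed digest is recorded as-is; audit() reports any mismatch.
        item.transfers.append(Transfer(when, released_by, received_by, digest_of(content)))
        return item


def audit(item, content):
    """Return a list of findings; an empty list means custody is accounted for."""
    findings = []
    holder, last_time = item.acquired_by, item.acquired_at
    for n, t in enumerate(item.transfers, start=1):
        if t.released_by != holder:
            findings.append(f"transfer {n}: released by {t.released_by}, but holder was {holder}")
        if t.when < last_time:
            findings.append(f"transfer {n}: dated before the previous entry")
        if t.digest != item.digest:
            findings.append(f"transfer {n}: content differed from the secured original")
        holder, last_time = t.received_by, t.when
    if digest_of(content) != item.digest:
        findings.append("current content differs from the secured original")
    return findings


def demo():
    # Constructed sample data, not taken from any real case.
    original = b"vendor,amount\nACME Ltd,1200.00\n"
    t0 = datetime(2008, 10, 17, 9, 0, tzinfo=timezone.utc)
    reg = CustodyRegister()
    item = reg.secure("Payables ledger export", original, "Line Manager", t0)
    reg.transfer(1, "Line Manager", "Internal Auditor", original, t0 + timedelta(hours=2))
    clean = audit(item, original)
    tampered = audit(item, original.replace(b"1200", b"2100"))
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```
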

Appointment of a case manager

Should the initial investigation indicate that there is prima facie evidence of fraud
it is critical that the Line Manager requests the Internal Auditor to oversee and
control the subsequent investigation. The request should be in writing and Terms
of Reference should also be agreed. The Internal Auditor should arrange for an
action plan to be put in place with, as far as is possible, a set timeframe and regular
reviews. The Internal Auditor has full responsibility for progressing the case and
whilst he/she can, and should, call on the assistance of various sources of help at
all stages (technical assistance, personnel, external audit, solicitors etc.) ultimate
responsibility and accountability in progressing the case should remain with that
officer (the Internal Auditor may however appoint a suitably qualified and
experienced Investigation Officer to carry out the detailed investigation work.)
The Internal Auditor should therefore have the necessary authority (i.e. the
appropriate rank and experience) to enable him/her to properly discharge these
duties. The Internal Auditor should also be independent from the matter in
question. It is the responsibility of the Internal Auditor to keep the Director of
Finance abreast of developments. In particular the Internal Auditor should report
all material developments promptly to the Director of Finance for onward
reporting to the Executive Team and Audit Committee.

Police Involvement

If the Line Manager, in consultation with the Director of Finance is satisfied that
there is prima facie evidence of fraud, then they must report the matter to the
police. Consultation with the police at an early stage is beneficial allowing the
police to examine the evidence available at that time and make decisions on
whether there is sufficient evidence to support a criminal prosecution or if a police
investigation is appropriate. Alternatively, the police may recommend that the
Company conducts further investigations and, generally, they will provide useful
advice and guidance on how the case should be taken forward.
If the police decide to investigate then it may be necessary for the Internal Auditor
to postpone further internal action and make suitable adjustments to the action
plan. However, the Internal Auditor should continue to liaise with the police at
regular intervals and report on progress made.

Company Fraud Register

The Internal Auditor should ensure that the Fraud Register, which is held by
the Director of Human Resources, is updated with all the appropriate details including
the value of any loss to the Company as a result of the fraud.

Fraud Response Plan review

Following completion of the case, the Internal Auditor should prepare a summary
report on the outcome and lessons learned, circulating it to all other interested
parties who must take the appropriate action to improve controls to mitigate the
scope for future recurrence of the fraud.
The report shall contain:
• A description of the incident/issues alleged including an assessment of the value
of any losses;
• The people involved and the means by which the fraud was allowed
to occur (highlighting any control and/or operating weaknesses within
the systems);
• Ascertain all possible facts relating to the alleged fraud;
• Measures needed to prevent a recurrence and a brief risk assessment as to the
viability of these;
• Future recommendations to minimise the risk of such an occurrence;
• A conclusion as to the way forward;
• Any other relevant material.

Fraud case Management Tips

i2 software assists fraud investigators in both the commercial and law enforcement
sectors. It is used by police, government and customs organizations, forensic
accountants, auditors and private investigators to tackle many different types of
fraud.

The challenge for fraud investigators is not a shortage of information but knowing
where to target their investigation and how to allocate precious time and resources.
i2 software assists fraud investigators by providing a solution that is easy to use
and delivers the power and flexibility needed for this type of work.

Understand the Information

Once information is captured and organized, fraud investigators need to clearly
understand which pieces of information are relevant and how they relate to each
other. Fraud investigators can use Analyst's Notebook to uncover hidden links in
their data and focus their investigation.

Analyst's Notebook techniques such as link analysis (shown below) can build a
picture of the people, organizations and events involved in any type of fraud
investigation. As the relationships between companies, individuals, accounts and
numerous transactions are uncovered, the working charts grow in complexity.
Investigators can then focus on individual aspects of their case, producing
simplified charts that cut to the heart of the case.

[Figure: analytical link chart] Analytical charts help investigators establish the
most significant areas of an investigation and aid decision makers in effectively
allocating resources.

[Figure: simplified chart] Simplified charts like this one allow investigators to
focus on particular aspects of a case.

From the start of the investigation, investigators can record the details of all source
documents either on cards behind each chart element or through a direct link to a
database. This ensures that when the legal process begins, all documentary
evidence is organized and substantiates the charts.

These charts can be used as visual briefing aids that have proven effective in
communicating complex cases to team members, prosecutors and juries.

Timeline and Money Trail

To more closely examine the actions of fraud suspects, investigators can use
Analyst's Notebook to develop timeline charts that identify the precise sequence of
case related events.

All details from the beginning events to the apprehension of suspects are depicted
in this format. Timeline analysis helps fraud investigators effectively
communicate the timing of case-related events and can be used to summarize the
investigation. As with link charts, each event on the timeline chart includes a
reference to its source document or a direct link to a database.

Sophisticated white collar criminals often go to great lengths to hide their crimes.
Tracking down money, goods or other assets fraudulently obtained can be the
most challenging part of an investigation.

Guide for Witnesses in SFO Trials

The explanations below are designed to explain the procedure involved in being a
witness in court and to answer some of the most common questions a witness may
ask.

The Serious Fraud Office is committed to ensuring that the witnesses in its cases
are provided with the fullest possible information and assistance. The Director is
extremely grateful to all of you who agree to give evidence in SFO cases. Being a
witness is a vitally important public function.

As a witness in an SFO case you will have been given the name of the Case
Secretary in the SFO. Do please contact him or her if you have any queries.

If you have lost the Case Secretary's name or have any general questions to ask,
phone the SFO's Public Enquiries number or email public.enquires@sfo.gsi.gov.uk.

Your evidence

A witness is someone who gives evidence to a court during a trial.

SFO cases are criminal cases and the person on trial is called “the Defendant”. The
name of the defendant is the name of the case:

“Regina - v - JOHN BROWN”

Your evidence will consist of facts - things you know about or have seen or heard
or experienced. The court needs to hear from people with personal knowledge of
the facts of the case, to enable it to decide whether or not a defendant is guilty of
the offences he has been charged with.

You will probably already have been asked to write and sign a Witness Statement
for SFO investigators. You may also have provided documents or copies of your
documents that have a connection with the case (these are called your Exhibits).

Your evidence may be given verbally, in open court to the judge, jury, defendant
and lawyers; or

Your Witness Statement and Exhibits will be read to the court (without you
needing to be present).

You may already have had a letter from the Case Secretary telling you where and
when the case is going to court.

If you are unsure whether you need to go to court at all - contact the Case
Secretary.

If you have not yet signed a Written Witness statement but have been interviewed
or contacted by SFO investigators some time ago; contact the investigators. It may
be that your evidence is not needed after all.

Preparing to come to court

You may have made your witness statement some time ago and it may deal with
complicated matters. If you feel that you need to refresh your memory by seeing a
copy, please contact the Case Secretary.

It is important that you do not try to recall your evidence by talking to other
witnesses about it. If you know other witnesses already, please be careful not to
discuss the case with them. This could in certain circumstances amount to a
criminal offence.

If anyone asks you, or has asked you, about your evidence, contact the Case
Secretary at once. In very rare cases you may be asked to give a statement, before
the trial, to the lawyers acting for the Defendant.

If you have reason to be worried about meeting the Defendant, his or her relatives,
or any other person, while you are at court, you should inform the Case Secretary.

If your English is not good and you would like an interpreter, contact the Case
Secretary.

If you have any disabilities or special needs, please contact the Case Secretary.

If you have never been inside a court before and would like to arrange a visit
beforehand, contact the Case Secretary. Many local Crown Courts have open days
and guided tours which you are free to join.

You will be repaid your travelling expenses when you have given your evidence.
If you are travelling from abroad, discuss your needs with the Case Secretary. You
may be asked to bring all original exhibits with you to court. You will be allowed
to take these into the courtroom with you, but you will NOT be able to take your
Witness Statement with you. Do NOT bring anything else with you to court unless
asked to do so; but if you have any other documents you think might concern the
case, tell the Case Secretary.

Arrival at court

When you arrive at the Crown Court, please look at the list of cases, which will be
displayed on a Board inside the entrance hall.

The case will be listed under the name of the defendant as “R v (defendant's
name)”, with the number of the court where the trial is being heard. Alternatively,
you could ask a member of the court staff to help you.
You should wait at or near the door of the numbered court. The name of the case
will be on the wall by the door. The Case Secretary will be expecting you and will
introduce him/herself to you.
Do not go into court until you are called. Normally, witnesses are not allowed to
observe any part of the trial, until after they have finished giving their evidence.

You should not talk to other waiting witnesses about the case.

Every effort will be made to avoid you having to wait at court for a long time,
before you are called to give evidence. However, delays can happen and can be
affected by a number of matters that are outside our control. Our aim is to ensure
that no witness is required to wait for more than two hours. We will do our best to
achieve this and will ensure that the case secretary at court keeps you informed of
the reasons for any delay and its likely length.

Many courts have a Witness care centre, staffed by volunteers who will help to
make your wait more pleasant.

Court procedure

When the court is ready, your name will be called by the usher and he or she will
show you where to stand.

You will be asked to confirm your full name and address. If you do not wish your
address to be given in open court, discuss your reasons before court with the Case
Secretary.

You will be asked to take an oath or affirm that the evidence you give will be true.

Christians, for example, are required to swear on the New Testament. However,
every court has arrangements in place to ensure that witnesses of different faiths
can take the oath in a form that is appropriate for them. Alternatively if you wish
you will be allowed to affirm instead of swearing an oath. If you have any
concerns about this you should let the Case Secretary or the court usher know.

Giving evidence

After you have taken the oath:

First you will be asked questions by SFO prosecuting counsel. This is called
"examination in chief". Next you will probably also be cross-examined by defence
counsel. Don't worry if you are not asked any questions by the defence - this only
means that they do not dispute any part of your evidence. Finally you may be
re-examined by prosecuting counsel.
It is also possible that, at any time, the judge may ask you questions. He or she
should be addressed as 'Your Honour', or if he or she is a High Court Judge, as
'My Lord' or 'My Lady'. We will advise you which form of address is appropriate.
Take your time and speak clearly, so that the Judge, the jury and counsel can hear
you. If you do not fully understand a question, you should not be nervous about
saying so. Ask for it to be repeated.
Everyone involved in the trial process, including counsel and the judge, is
concerned to ensure that witnesses are given the opportunity to give their evidence
fully and fairly.

If you encounter any difficulties whilst giving your evidence, for example if you
feel unwell and need to leave the court, or you need a chair or some water, you
should ask the judge.

If you wish to correct something you have said earlier, or if you believe that you
need time to refer to any documents, before you answer a question, please do not
hesitate to inform the judge.

If there is a break during your evidence (e.g. for lunch) the judge will warn you
not to talk to anyone about the case during the break. You will have to have lunch
on your own.

After giving evidence

If you would like to stay and listen to the trial after you have given your evidence,
you should ask the Case Secretary who will tell you if there is any reason why it
would not be advisable. For example, if there is any reason why you might be
recalled at a later stage of the case, you would be asked to leave court directly after
you have given your evidence.

After you have given your evidence, please be careful not to discuss the case with
any witnesses who have not yet been called.

The Case Secretary will hand you a Witness Expense Claim form. You will be
entitled to reimbursement of any travelling, any loss of earnings, or other expenses
you have incurred in coming to court. The form will explain your entitlement to
you. It would be helpful if you could obtain and keep receipts for any expenses.
You should receive payment for your claim within 14 days.

Conclusion - Time for a standard for corporate governance

Steve Priddy, ACCA's director of technical policy and research, argues that it is
widely accepted that part of the cause of the crisis has been the remuneration and
incentivisation packages for senior figures within the banking world. 'It seems that
their design has become too closely linked to short-term, relatively easy to
manipulate financial metrics,' he says. 'The traders of derivatives want to be able to
"book" profits immediately in order to have them recognised straightaway in the
employers' accounts and, thus, in the bonuses that they are awarded that year.'

ACCA has already led a debate on the use of performance bonuses, advocating
that they be related more closely to long-term financial performance and to
movements in cash flow, rather than profitability. 'This would at least give some
comfort to the owners of banking stock that rewards are not paid out until
proceeds have been banked,' explains Priddy.

He points out that chief executive pay has risen sharply in recent years. Between
1998 and 2007, the average FTSE 100 CEO salary rose 78% - with total
remuneration increasing by 287%, a rise of about 16% per annum. In the same
period, average income went up by 47% and the retail price index by 27%.

It is now time, Priddy adds, to reconsider other aspects of accepted business
practice – including elements of the Combined Code, such as the reliance on non-
executives. 'As business models become more complex - and nowhere have they
become more complex than in the investment banking world - it is claimed that a
fresh pair of eyes is vital to the health of the organisation,' explains Priddy. 'The
problem is that complexity, combined with quantum leaps in computing
technology, has made understanding the investment bank business model
incomprehensible to all but the most dedicated insider.'

Priddy continues that 'there do not appear to be enough chairmen around to chair
the boards of the world's largest listed companies'. This is the inevitable
interpretation of the relaxation of the Combined Code to allow a
chairman of a UK listed company to also be chairman of other listed companies.

'All of which suggests we need to revisit some of the fundamentals of corporate
governance as it is experienced in Anglophone cultures,' concludes Priddy. 'A first
step in that process would be evaluating the experience in other non-Anglophone
jurisdictions. And, indeed, considering other forms of ownership and
management, such as that found at the John Lewis Partnership in the UK, or the
two-tier board model that exists in Germany.'

* The full text of Dr Steve Priddy's contribution to ACCA's debate on corporate
governance can be found on the ACCA website, at http://www.accaglobal.com/

Class work

Case Study

You have been given a variance report for the month of August 08. Prepare a
HAIR report highlighting the results of your analytical review and potential issues,
risks and actions that you would like to carry out.

Discuss the issues arising from the task

Differences in control procedures in a manual and a computer environment

• Ability to carry out 100% checks on gross profit.
• Ability to do more checking because internal audit checks can be done
faster.
• Ability to do a TB check at any time
• Ability to do control account checks at any time
• Ability to take backups that can be stored in remote locations (showing
last transaction number)
• Ability to prepare a Fraud dashboard
• Ability to prepare a HAIR report faster
• Look at many areas in unison (number of journals raised, number of
credit notes issued, number of credit notes received) and so spot
complicated frauds more easily
• Control access through access rights and the ability to see who posted
what
• Reduced staff requirement for regular duties and so making available more
staff for audit.
• Ability to do more random checks

Internal Accounting and Operational Controls in functional areas

Sales Controls

• Number and value of credit notes issued

• Journals in sales

• Customers over credit limit

• Number of invoices issued

• Overdue debts

• Cash received

• Have payment terms been adhered to

• Outstanding lodgements

• Last sales invoiced to certain customers

• Inspect seasonal changes

• Over and under payments

• Statements need to be sent to customers every two weeks

Purchase Controls

• Duplicated payments

• Number and value of credit notes received

• Disputed invoices and the dispute reasons

• Journals in purchases

• Suppliers over credit limit

• Number of invoices received

• Overdue debts

• Cash paid

• Have payment terms been adhered to

• Outstanding payments

• Last purchase invoices received from suppliers (to hide fictitious invoices)

• Inspect seasonal changes

• Frequency of purchases

• Over and underpayments

Bank Controls

• Outstanding lodgements and payments

• Bank reconciliations (daily, weekly or monthly)

• Look at authorisation limits (Look at transfers below and above limits)

• Review month-end cash balances

• Value of cash receipts

• Look at payments without advices

• Look at LM predicted cash flow and compare to actual cash flow

• Look at the viability of transfers

• Bank takes pictures of all payees drawing more than a certain amount.

Appendix – Definitions & Resources

Resources

ACCA - http://www.accaglobal.com/

ICAEW- http://icaew.com

AIA - www.aiaworldwide.com/

Accounting web - http://www.accountingweb.co.uk/

Sage – www.sage.co.uk

Tally - http://www.tallysolutions.com/

Definitions Related to Fraud

Cheque Kiting - In a kiting scheme, multiple bank accounts are opened and money is
“deposited” from account to account, although the money never exists. Floating makes
this possible.

Floating is the additional value of funds generated in the process of collection and arises
because the current holder of funds has been given credit for the funds before they clear the
financial institution upon which they are drawn.

Defalcation is another name for employee fraud and embezzlement.

Direct effect illegal acts are violations of laws or government regulations by the company
or its management or employees that produce direct and material effects on dollar
amounts in financial statements.

Embezzlement is a type of fraud involving employees or non-employees wrongfully taking
money or property entrusted to their care, custody, and control, often accompanied by
false accounting entries and other forms of lying and cover up.

Employee Fraud is the use of fraudulent means to take money or other property from an
employer. It consists of three phases: (1) the fraudulent act, (2) the conversion of the
money or property to the fraudster’s use and (3) the cover up.

Errors are unintentional misstatements or omissions of amounts or disclosures in financial
statements.

“Illegal Acts” (far removed) are violations of laws and regulations that are far removed from
financial statement effects (for example, violations relating to insider securities trading,
occupational health and safety, food and drug administrations, environmental protection,
and equal employment opportunity).

Incentive/pressure is a motive a person experiences and believes is non-shareable with
friends and confidants.
1. Psychotic: “habitual criminal” who steals for the sake of stealing.
2. Egocentric: Personal prestige, goal achievement.
3. Ideological: Cause is morally superior, justified in making other victims.
4. Economic: Desperate need for money, greed, economic achievement.

Irregularities are misstatements or omissions of amounts or disclosures in financial
statements that are NOT unintentional.

Lapping is stealing one customer’s payment and crediting the customer’s account with the
payment by another customer. The second customer’s account is later credited by yet a
third customer.
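
The lapping pattern defined above leaves a recognisable trace in the sales ledger: receipts credited to an account other than the payer's, linked into a chain. The following added example (not part of the original course material) reconstructs such chains from constructed sample receipts; the record layout and field names are assumptions.

```python
from datetime import date

# Constructed sample data (not from the course material). Each row pairs the
# customer who actually paid, per remittance advice or customer confirmation,
# with the sales-ledger account that was credited. credited=None means the
# payment was never posted to any account.
RECEIPTS = [
    {"id": "R1", "received": date(2008, 8, 1), "payer": "A", "credited": None, "amount": 500},
    {"id": "R2", "received": date(2008, 8, 8), "payer": "B", "credited": "A", "amount": 500},
    {"id": "R3", "received": date(2008, 8, 15), "payer": "C", "credited": "B", "amount": 500},
    {"id": "R4", "received": date(2008, 8, 16), "payer": "D", "credited": "D", "amount": 320},
]


def unposted(receipts):
    """Payments a customer confirms making that never reached any account."""
    return [r["id"] for r in receipts if r["credited"] is None]


def misapplied(receipts):
    """Receipts credited to an account other than the payer's own."""
    bad = [r for r in receipts if r["credited"] and r["credited"] != r["payer"]]
    return sorted(bad, key=lambda r: r["received"])


def lapping_chains(receipts):
    """Link misapplied receipts into chains: B's payment covers A, C's covers B.

    Simplification: at most one covering receipt per account is followed, and a
    closed loop with no starting account is not reported.
    """
    bad = misapplied(receipts)
    covers = {r["credited"]: r for r in bad}  # account -> receipt covering it
    lapped_payers = {r["payer"] for r in bad}
    chains = []
    for start in bad:
        if start["credited"] in lapped_payers:
            continue  # this account sits mid-chain, not at the start
        chain, seen, cur, exposed = [], set(), start, None
        while cur is not None and cur["id"] not in seen:
            seen.add(cur["id"])
            chain.append(cur["id"])
            exposed = cur["payer"]  # last payer: account still short
            cur = covers.get(cur["payer"])
        chains.append({"first_covered": start["credited"],
                       "receipts": chain,
                       "exposed": exposed})
    return chains


if __name__ == "__main__":
    print("Unposted payments:", unposted(RECEIPTS))
    for chain in lapping_chains(RECEIPTS):
        print(chain)
```

The account reported as `exposed` is the one whose own payment has not yet been covered, which is where a customer statement or confirmation request is most likely to surface the shortfall.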

Larceny is simple theft of an employer’s property that is not entrusted to an employee’s
care, custody or control.

Management Fraud is intentional misstatements or omissions of amounts or disclosures in
financial statements.

Opportunity is an open door for solving the non-shareable problem in
secret by violating a trust.
1. Weak internal controls
2. Circumvention of internal controls
3. The greater the position, the greater the trust and exposure to unprotected assets.

Predication is any information that gives a fraud examiner (or another person who informs
the fraud examiner) a reason to believe a fraud occurred, may have occurred, or may be
presently occurring. The information may come from an anonymous tip, from an employee
noticing something wrong, or from an auditor noticing something suspiciously wrong.

Unimpeachable integrity is the ability to act in accordance with the highest moral and
ethical values all the time. This is practically impossible, so fraudsters will rationalize:
1. I need it more than the other person.
2. I’m borrowing and will pay it back later.
3. Everybody does it.
4. The company is big enough that it won’t miss it.
5. Nobody will get hurt.
6. I deserve it.
7. It’s for the greater good.

White Collar Crime is fraud perpetrated by people who work in offices and steal with a
pencil or a computer terminal. The contrast is violent street crime.
