The author's work experiences have primarily been with financial institutions, insurance companies and outsourced billing companies (U.S. health care) operating in the Indian subcontinent. – ed.
Possibly the toughest task for any fraud examiner is preventing and deterring fraud. Some believe that fraud control and prevention is at its best when the process of detection remains a secret. However, one of the best corollaries to this school of thought is the opposite: Be open about it. Below Krishnan continues his discussion of the remaining five golden tenets of fraud examination. (Read part 1 here.)
RULE NO. 6: PRACTICE THE ART OF OBSERVATION AND LISTENING
I remember a conversation in the movie "Jurassic Park." The main characters pass the enclosures containing Velociraptors, which are extremely intelligent. The park's game warden says about one of the deadly dinosaurs, "When she looks at you, you can see she's working things out. That's why we have to feed 'em like this. She had them all attacking the fences when the feeders came." One of the scientists asks, "The fences are electrified, right?" The game warden replies, "That's right, but they never attack the same place twice. They were testing the fences for weaknesses, systematically. They remember."
This is true in organizations, too. Fraudsters find flaws by constantly testing "the fences" of verification processes. We need to anticipate the weakest parts of the fences by:
- Knowing what/where/which controls to place.
- Knowing the effectiveness of the controls already placed.
During a visit to one of our offices, I saw an interesting ad in a nearby shop. It offered help in procuring Permanent Account Number (PAN) cards. (PANs are unique registration numbers provided by the Indian government's income tax department.) The shopkeeper assured three services: premium, regular and non-resident Indian (NRI). Premium would be delivered within a week, regular would be up to one month and NRI was for Indians who were settled abroad. This was at a time when the regular process required 45 days minimum to get a PAN card request processed.
One of the documents we were accepting for ID proof was the PAN card, so it was critical to stop locals who were forging these cards. We had to connect with officials and update our teams on identification mechanisms provided by the issuing authority to counter such schemes.
To date, such market visits help us validate the effectiveness of our controls.
RULE NO. 7: BEWARE OF DECOYS
The most important lesson for this rule is derived from rule No. 1: Never underestimate customers, support groups, internal employees, etc. The popular card game "Bluff" comes to mind. The best strategy is to be true in large turns (three to four cards at one go) and turn in single false additions. A good player spots the bluff. That's where fraud examiners come in.
I remember a time when business scaled up, the market was in its boom period and the volumes were high. Cases were bottlenecked at various stages, our teams were struggling with large volumes and the underwriters spent long hours fitting cases correctly into portfolios while also looking at their specifics and authenticity.
To ensure quality, special task forces were asked to do sampling. The sampling pattern adopted by this group was taken in the pattern 1, 4, 9, 11, 14, 19. We investigated a standard 15 percent of the cases.
The sampling was representative. The underwriters were satisfied because the results were the same — 100 percent positive on verifications. Because we knew the past history of patterns identified in that particular city, a bird's-eye view suggested that it needed deeper review.
We changed the sampling pattern slightly, and the results changed. We realized that the teams had been observing the pattern of sampling and somehow were aware of the sampling percentages. They converted these percentages into "targets." What would be the winning situation? They put the cases in the files they knew were accurate in the orders of 1, 4, 9, 11, 14, 19 so that proposals would go through smoothly without reworking them.
Many times our control mechanisms are identified without our knowledge. The executives threw in decoys knowing very well that we would catch them and therefore hoped we'd miss the loans that weren't sound investments for the banks. We checked the decoys and found them in perfect order. A sampled representative case (decoy case) that checks out is rarely checked again for other triggers of fraud. We checked the decoys and uncovered the true fraud.
RULE NO. 8: COMMON-SENSE APPROACHES ARE BEST
My boss introduced me to the genius of common-sense approaches, and his wisdom has informed my every examination.
One of my students had an interesting case. His former organization had an application for one of its banking products that required each customer to sign documents 41 times. (Regulations stipulate that anyone wanting to buy a banking retail product must apply in person. Banking retail products are consumer loans, such as auto loans and personal loans.) In one application, a breach had been identified: 38 signatures were genuine, but three appeared to be different.
The officers at the organization reviewed the document and found forgery. However, the three places where the signature was reported "different" hadn't actually required a signature. When the student asked the processing team why they wanted the signatures, they replied, "As per process it is required." They tracked down the original person who had required the signatures. He explained that during his tenure the number of corrections were so high that he wanted to be sure that customers had read particularly important clauses and had required them to sign their names near these clauses.
However, customers had followed this rule long after it had lost its relevance because the clauses had been amended. Nobody stopped to ask, "Why are we doing this? Is this signature relevant and required here?"
By rejecting the application, the organization had inadvertently cultivated fraud through their process. By design, the customer didn't need to sign in the three spaces, and so he didn't sign. Expecting the sales executive to get the three spaces signed from the customer who had to travel from miles away was irrational. But because the signatures were missing, the organization declared it a forgery. Many of our supervisors still follow the process without understanding why.
Organizations often keep outdated controls and processes because it makes them feel secure. However, applying common-sense and layman logic has helped us to improve processes and controls without increasing costs. This is the easiest and the best fraud deterrence mantra.
RULE NO. 9: ROOT CAUSE ANALYSIS THEORY
Donald Cressey's Fraud Triangle shows three key factors leading to fraud: opportunity, pressure and rationalization. We've observed that each of these factors has a certain set of "spheres" acting around them. Our experiences have indicated that in 80 percent of our investigations and fraud analyses the chart below holds true.
India's popluation is so large that survival of the fittest rules; people fight to retain jobs, opportunities, roles, rewards, monetary benefits and promotions.
| FACTORS | REFERS TO |
| Process (Opportunity) | - Loopholes in process.
- Process without proper controls.
- Processes that are loosely defined and open to misuse.
|
| Controls (Opportunity) | - Loopholes in control mechanisms.
- Inadequate controls.
- Controls with manual intervention.
- Inadequately governed controls.
|
Power (Opportunity)
Exercise of, which leads to:
- Financial — causing pecuniary loss.
- Regulatory — causing pecuniary and other losses as deemed by the regulator.
- Reputation — depreciation of goodwill.
| - The act of granting sweeping powers to any personnel.
- Powers that don't need justifications while being exercised (creating financial/reputation/regulatory liability for the organization).
- Powers exercised that aren't under the ambit of any audits.
- Powers granted to personnel who are either new to the organization or have risen up the hierarchy very fast.
|
| Network (Opportunity) | Employees having the power to influence key functions and network all functions towards a common goal, e.g., a person who can influence departments of finance, IT and operations simultaneously towards achieving a target. |
| Domain expertise (Opportunity) | Expertise in select domains giving persons advantage over others in control positions who are not as adept. |
| Monetary (Pressure) | The dire need for money. |
| Process & rules (Pressure) | Employees being governed by processes and rules, the non-adherence of which would lead to the employee being reprimanded. The repercussion of non-adherence could be perceived or actual. |
| Ego/vendetta (Pressure) | - Employees who have large egos, leading to jealousy, hatred leading to unethical behavior (with/without their knowledge), internally pressurizing themselves, boosting their ego.
- Employees who are excessively competitive and cut competition by unethical means because of their inner pressure to be the top performer.
- Employees who are vengeful because they perceive harm caused to them by another employee or group of employees. Perception of threat pressurizes them, which leads to a cycle of unethical behavior until perception of threat dies.
|
| Altruistic (Pressure) | Employees who violate/deviate from defined processes under the pretext of "greater good of all." All could be a small group, society overall or a certain segment of society. |
| Sustenance (Pressure) | Employees who violate processes to protect "the self" from harm — physically, mentally or on financial grounds — to merely survive in the race for existence. |
| Upbringing & family (Rationalizing) | These refer to the family and inner circle immediately around the employee. Typically, a function of the aspirations of the near and loved ones, which guides and influences the way a person thinks and acts. An individual's ability to rationalize an action will also be a function of his or her upbringing and value systems inducted by family. |
| Culture & background (Rationalizing) | These refer to societal expectations. Interactions with the society, the immediate circle of influence, benefits vs. duties defined by societal circles. |
| Persona (Rationalizing) | Value systems of the employees. Basic DNA determining the levels of values and ethics, and the individual's perception of these. Definition of ethics would differ from person to person. This difference itself would determine the ease of rationalization. |
| Belief systems (Rationalizing) | The person's beliefs: emotional, religious perceptions. |
| Preferences (Rationalizing) | Individual preferences, learning and past experiences. |
Rationalization and employee pressures are beyond our control. However, misuse of opportunity should never go untreated.
RULE NO. 10: CURTAIL PROCESS LAPSES
Our root cause analysis methodology, which we use widely in different proportions based on case requirements, includes:
- Conducting a root cause analysis every time a lapse in process is identified.
- Investigating until the perpetrator is uncovered.
- Identifying problems in processes is more important than punishing the perpetrators.
The first stage of a fraud is a lapse. Many times a lapse isn't taken seriously. A series of such lapses over a period of time encourages the rationalization of the employee committing the lapse so that it becomes difficult for us to distinguish between design and practice. Newer practices take over what was originally designed until the organization starts to lose out either on reputation or monetary grounds. If the practice remains uncurbed even at this stage, the employee is encouraged to continue until the scheme is caught.
Any organization will want to standardize what it does and call it a process. A process that's tested for inherent pitfalls, risks and hazards, and is mitigated suitably then becomes design. This design is then documented along with benchmarks and metrics and becomes a manual. These are communicated and trained to every official for effective standardization of output with minimal defects/loss. Losses within the expected range of design will be bearable. However, where losses are due to lapses that are avoidable, it becomes the duty of every fraud risk officer to identify and weed out such lapses before practices become opportunities for people to rationalize the quick money that they can make. Vigilance starts around you with the smallest process lapse or aberration in design implementation.
The author wishes to thank ACFE Vice President and Program Director Bruce Dorris, J.D., CFE, CPA, CVA, for inspiring him to put this information to paper.
Vivek Krishnan, CFE, is a zonal credit manager for India's largest private-sector bank. His opinions he expresses or implies in this article are solely his own and don’t reflect those of his employer, which isn’t liable for his views.