
Combatting Fraud

Combatting Fraud. Security Planning, Susan Lincke. Objectives: The student shall be able to answer: What are the key elements of fraud, and what techniques can be used to counteract these key elements? What are the three categories of fraud and what crimes do they include?


Presentation Transcript


  1. Combatting Fraud Security Planning Susan Lincke

  2. Objectives: The student shall be able to:
  • What are the key elements of fraud, and what techniques can be used to counteract these key elements?
  • What are the three categories of fraud and what crimes do they include?
  • Define skimming, larceny, embezzlement, lapping, shell company, payroll manipulation, ghost employees.
  • What are the legal considerations of fraud?
  • Who commits fraud, and who commits the most expensive fraud?
  • What are some red flags of potential fraud?
  • How does social engineering occur, and how can it be prevented?
  • Define the four roles of segregation of duties.
  • Describe the purpose of the 3 stages of a fraud investigation.

  3. The Problem
  • Organizations lose 5% of revenue annually due to internal fraud
  • Average scheme lasts 16 months, costs $130,000
  • 22% of cases cost more than $1M
  • Smaller companies suffer nearly 2x the $ losses due to inadequate controls ($200,000)
  (Chart: amount recovered following an incident of fraud.) Source: ACFE 2018 “Report to the Nations on Occupational Fraud and Abuse”

  4. How long fraud lasts before discovery

  5. Internal or Occupational Fraud Definition
  • Violates the employee’s fiduciary responsibility to employer
  • Is done secretly and is concealed
  • Is done to achieve a direct or indirect benefit
  • Costs the organization assets, revenue, or opportunity

  6. Fraud Categories

  7. Fraud is an International Problem (Charts: International Fraud; Fraud Allocation by Type (some types).) Source: 2018 ACFE Report to the Nations: Global Study on Occupational Fraud and Abuse

  8. Legal Considerations of Fraud • Intentionally false representation • Not an error • Lying or concealing actions • Pattern of unethical behavior • Personal material benefit • Organizational or victim loss

  9. Key Elements of Fraud (diagram: 3 Key Elements: Motivation, Opportunity, Rationalization)
  • Motivation: Need or perceived need
  • Opportunity: Access to assets, information, computers, people
  • Rationalization: Justification for action

  10. How Internal Fraud is Discovered: Tips provided by employees 53%, customers 21%, anonymous 14%, vendors 8%. Source: ACFE “2018 Report to the Nations: Global Study on Occupational Fraud and Abuse”

  11. Collusion Collusion: Two or more employees or employee & vendor defraud together ACFE 2018 Global Study on Occupational Fraud and Abuse

  12. Who Does Fraud?
  • Most $$$ internal frauds are committed by longer-tenured, older, and more educated staff
  • Executives commit the most expensive fraud: $850K (19% of cases)
  • Median manager fraud: $150K (34% of cases)
  • Median line employee fraud: $50K (44% of cases)
  • Most hit: private companies, 42% of cases, $164,000
  • Public company: 29%, $117,000
  • Government: 16%, $118,000
  • Not for profit: 9%, $75,000
  • 96% have no criminal convictions related to fraud
  • To steal a lot of money, you must have a position of power and access:
    • Men > women by 75%; higher $
    • Longer tenure, higher $; 1-5 years tenure, higher %
  Source: 2018 Global Fraud Study, Assoc. of Certified Fraud Examiners (ACFE)

  13. Discussion Points What types of fraud could computer programmers or system administrators commit? For each type of fraud, what methods may help to prevent such fraud?

  14. Example 1: Financial Statement Fraud. Executives and Wall Street have high expectations, and employees are expected to meet those standards. To meet them, it may seem necessary to “play the game,” and financial statement fraud may come to be accepted. Methods of such fraud may include manual adjustments to accounts or improper accounting procedures.

  15. Example 2: Corruption The Director of a subsidiary always purchases goods from 2 large organizations, who provide rebates for large purchase quantities. The director negotiated contracts and pocketed the rebates to an off-shore bank account. Local vendors are upset that their bids are ignored.

  16. Example 3: Asset Misappropriation A manager took money from one account, and when payment was due, paid via another account. When that was due, she paid via a third account, etc. This lapping went on for years and was finally caught when a sickness resulted in her being absent from work for an extended period.

  17. Asset Misappropriation Vocabulary
  • Skimming: Taking funds before they are recorded into company records
  • Cash Larceny: Taking funds (e.g., a check) that the company recorded as going to someone else
  • Embezzlement: Abusing a business privilege for personal gain
  • Lapping: Theft is covered with another person’s check (and so on)
  • Check Tampering: Forged or altered check for gain
  • Shell Company: Payments made to a fake company
  • Payroll Manipulation: Ghost employees, falsified hours, understated leave/vacation time
  • False Shipping Orders or Missing/Defective Receiving Records: Inventory theft

  18. Detecting & Preventing Fraud (section outline): How to Recognize Fraud; How to Prevent Fraud; Info. Systems Applications

  19. Fraud & Audit • Audits are not designed to detect fraud • Goal: Determine whether the financial statement is free from material misstatements. • Auditors test only a small fraction of transactions • Auditors must: • Be aware of the potential of fraud • Discuss how fraud could occur • Delve into suspicious observations and report them

  20. Red Flags • Living beyond means • Financial difficulties • Close association with vendors, customers • Control issues, no sharing duties • Divorce, family problems • Wheeler-dealer attitude • Dissatisfaction with job: complaints of pay, no authority • Excessive pressure: organization or family • Addiction • Irritability, defensiveness Report to the Nations on Occupational Fraud and Abuse: 2018 Global Fraud Study. ACFE.

  21. Work Habits of Fraudsters (one or more of):
  • Justifying poor work habits
  • Desperately trying to meet performance goals
  • Over-protective of certain documents (poor sharing or avoids documentation)
  • Refusal to swap job duties
  • Consistently at work in off-time (early or late) or never absent
  Source: Essentials of Corporate Fraud, T. L. Coenen, 2008, John Wiley & Sons

  22. Concealment Methods (% of cases)
  • Created fraudulent physical documents: 55%
  • Altered physical documents: 48%
  • Created fraudulent transactions: 42%
  • Altered transactions in the accounting system: 34%
  • Altered electronic documents/files: 31%
  • Destroyed physical documents: 30%
  • Created fraudulent electronic documents/files: 29%
  • Created fraudulent journal entries: 27%
  (Chart: Duration of fraud until discovery, 12/24/30 months, by scheme type: cash on hand, register disbursements, larceny, billing, expense reimbursements, financial statement fraud, check/payment tampering, payroll.)

  23. Potential Transaction Red Flags
  • Unusual transactions: unusual timing, too frequent or too infrequent
  • Unusual amount: too much or too little
  • Unusual participant: involves an unknown or closely-related party
  • Voided checks or receipts with no explanation
  • Insufficient supervision
  • Pattern of adjustments to accounts
  • Different addresses for the same vendor, or vendors with similar names

  24. Fraud Control Types (by time of fraud: before fraud is BEST; after fraud)
  Preventive Controls (before fraud). Preventing fraud includes:
  • Segregation of Duties
  • Ethical Culture & Policies
  • Internal controls: Mgmt review, Mgmt-signed documents
  • Fraud training
  • Audits: Internal & external; Fraud risk assessment
  • Employee Support Programs
  • Background checks
  Detective Controls. Finding fraud when it occurs includes:
  • Anonymous hotline*
  • Surprise audits*
  • Proactive data monitoring*
  • Complaint or fraud investigation
  • Mandatory vacations
  • Rewards for whistleblowers
  Corrective Controls (after fraud):
  • Punishment
  • Amend controls
  • Fidelity Insurance
  • Employee Bonding

  25. Techniques to Discourage Fraud (diagram: the key elements Motivation, Opportunity and Rationalization, each paired with the techniques that counter it)
  • Realistic job expectations
  • Employee support programs
  • Adequate pay
  • Training in job duties
  • Trained in fraud: mgmt. & employees
  • Mgmt. certifies financial statements
  • Policy enforcement
  • Code of conduct
  • Sr. Mgmt models ethical behavior to customers, vendors, employees, shareholders
  • Segregation of duties
  • Proactive data analysis
  • Internal audit dept.
  • Mgmt review
  • External audit
  • Job rotation/mandatory vacation
  • Physical security of assets
  • Background checks

  26. Segregation of Duties (diagram: Origination -> Authorization (approves) -> Distribution (acts on) -> Verification (double-checks))
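The four roles on this slide can be enforced by the application that processes the transactions, not only by policy. The following Python is an added example, not code from the slides or the course: it assumes a constructed set of payment records in which each record names who performed origination, authorization, distribution and verification, and it shows both the detective check (find payments where one person held two or more roles) and the preventive check an application can run before letting someone take a role on a payment they already touched.

```python
from collections import defaultdict

# The four segregation-of-duties roles from the slide, in processing order.
ROLES = ("origination", "authorization", "distribution", "verification")

# Constructed sample payments: each record names who performed each role.
SAMPLE_PAYMENTS = [
    {"id": "P-1001", "origination": "ann", "authorization": "bob",
     "distribution": "cara", "verification": "dave"},
    # Originator approved her own request.
    {"id": "P-1002", "origination": "ann", "authorization": "ann",
     "distribution": "cara", "verification": "dave"},
    # One person originated, paid out and verified the same payment.
    {"id": "P-1003", "origination": "erin", "authorization": "bob",
     "distribution": "erin", "verification": "erin"},
]


def role_conflicts(payment):
    """Return (person, roles) pairs for everyone who held more than one role on this payment."""
    held = defaultdict(list)
    for role in ROLES:
        held[payment[role]].append(role)
    return [(person, tuple(roles)) for person, roles in held.items() if len(roles) > 1]


def sod_report(payments):
    """Detective control: map payment id -> conflicts for every payment that violates SoD."""
    report = {}
    for p in payments:
        conflicts = role_conflicts(p)
        if conflicts:
            report[p["id"]] = conflicts
    return report


def may_perform(person, role, payment):
    """Preventive control: refuse a role if the person already handled this payment in another role.
    `payment` may be partially filled in (roles not yet performed are simply absent)."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    return all(payment.get(other) != person for other in ROLES if other != role)


def conflicting_assignments(permissions):
    """Standing-access check: people whose granted permissions cover two or more SoD roles,
    i.e. who could violate SoD even if no payment has done so yet."""
    return {person: [r for r in ROLES if r in roles]
            for person, roles in permissions.items()
            if len(set(roles) & set(ROLES)) > 1}


if __name__ == "__main__":
    for pid, conflicts in sod_report(SAMPLE_PAYMENTS).items():
        print(pid, conflicts)
```

`sod_report` is the after-the-fact review an internal auditor would run over a period's payments; `may_perform` is the cheaper control, since it blocks the conflict at entry time, and `conflicting_assignments` reviews the permission matrix itself, which is where most real conflicts are created.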

  27. Compensating Controls. When Segregation of Duties is not possible, use:
  • Audit Trails
  • Transaction Logs: Record of all transactions in a batch
  • Reconciliation: Ensure transaction batches are not modified during processing
  • Exception reporting: Track rejected and/or exceptional (non-standard) transactions
  • Supervisory or Independent Reviews
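Reconciliation and exception reporting from this slide are usually implemented with batch control totals. The following Python is an added example, not from the slides or the course: it assumes a constructed batch of payment transactions, records three control totals when the batch is logged (record count, amount total, and a hash total of account numbers), recomputes them after processing to detect modification, and produces the exception report a supervisor would review. The `Txn` class and the 10,000 approval limit are assumptions for the example.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str          # destination account number (digits only)
    amount: Decimal
    status: str = "ok"    # "ok", "rejected", or "manual" (non-standard entry)


def control_totals(batch):
    """Three control totals taken when a batch is logged and again after processing:
    record count, monetary total, and a hash total (sum of account numbers as integers).
    The hash total has no business meaning; it exists only to detect a swapped account number."""
    count = len(batch)
    amount_total = sum((t.amount for t in batch), Decimal("0"))
    hash_total = sum(int(t.account) for t in batch)
    return (count, amount_total, hash_total)


def reconcile(expected, processed):
    """Compare totals recorded at batch entry with the batch as it left processing.
    Returns a list of mismatch descriptions; an empty list means the batch reconciles."""
    actual = control_totals(processed)
    labels = ("record count", "amount total", "hash total")
    return [f"{label}: expected {exp}, got {act}"
            for label, exp, act in zip(labels, expected, actual) if exp != act]


def exception_report(batch, limit=Decimal("10000")):
    """List transactions needing supervisory review: rejected, manually entered, or over the limit."""
    report = []
    for t in batch:
        reasons = []
        if t.status == "rejected":
            reasons.append("rejected")
        if t.status == "manual":
            reasons.append("non-standard entry")
        if t.amount > limit:
            reasons.append(f"exceeds limit {limit}")
        if reasons:
            report.append((t.txn_id, reasons))
    return report


# Constructed sample: the batch as entered, and the same batch after processing,
# where T3's destination account was changed while its amount was left alone.
ENTERED = [
    Txn("T1", "100200", Decimal("250.00")),
    Txn("T2", "100311", Decimal("12500.00")),
    Txn("T3", "100450", Decimal("80.00"), "rejected"),
]
PROCESSED = [
    Txn("T1", "100200", Decimal("250.00")),
    Txn("T2", "100311", Decimal("12500.00")),
    Txn("T3", "100999", Decimal("80.00"), "rejected"),
]

if __name__ == "__main__":
    print(reconcile(control_totals(ENTERED), PROCESSED))
    print(exception_report(ENTERED))
```

The sample shows why the count and amount totals are not enough on their own: the altered batch still has three records and the same total, and only the hash total of account numbers reveals that a payee was substituted. The totals logged at entry must be stored where the person processing the batch cannot change them, otherwise the reconciliation is no stronger than the transaction log it is checking.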

  28. Software to Detect Fraud: Data Monitoring and Analysis
  • Provide reports for customer credits, adjustment accounts, inventory spoilage or loss, fixed-asset write-offs
  • Detect anomalies such as unusual amounts or patterns
  • Compare vendor addresses and phone numbers with employee data
  • Use range or limit validation to detect fraudulent transactions
  • Log computer activity: login or password attempts, data access attempts, and geographic location of data access
  (Chart: ACFE report shows % of fraud by industry.)

  29. Red flags software can detect
  • Out-of-sequence checks
  • Large number of voids or refunds made by an employee or customer
  • Manually prepared checks from a large company
  • Payments sent to a nonstandard (unofficial) address
  • Unexplained changes in vendor activity
  • Vendors with similar names or addresses
  • Unapproved vendor, or new vendor with high activity
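The checks on slides 23, 28 and 29 are all simple joins and comparisons over the vendor master file, the employee directory, the payment register and the check register. The following Python is an added example, not from the slides or the course: it runs those red-flag tests over a constructed data set (two employees, three vendors, five payments, four checks) and flags a vendor that shares an address and phone number with an employee, two vendors with near-duplicate names at the same address, a check issued out of sequence, an employee with repeated voids, a payment sent to an address not on file, an unapproved new vendor with high activity, and payments outside the expected amount range. The field names, thresholds and the name-similarity cutoff are assumptions made for the example.

```python
import difflib
import re
from collections import Counter
from datetime import date

# Constructed sample data: employee directory, vendor master file, payments and issued checks.
EMPLOYEES = [
    {"id": "E1", "name": "Pat Quinn", "address": "12 Elm St", "phone": "555-0101"},
    {"id": "E2", "name": "Lee Morgan", "address": "9 Oak Ave", "phone": "555-0102"},
]
VENDORS = [
    {"id": "V1", "name": "Acme Supplies Inc", "address": "400 Industrial Rd", "phone": "555-0200",
     "approved": True, "created": date(2017, 3, 1)},
    {"id": "V2", "name": "ACME Supply, Inc.", "address": "400 Industrial Rd", "phone": "555-0201",
     "approved": True, "created": date(2018, 1, 5)},
    {"id": "V3", "name": "PQ Consulting", "address": "12 Elm St", "phone": "555-0101",
     "approved": False, "created": date(2018, 5, 2)},
]

def pay(pid, vendor, emp, amount, remit_to, day, void=False):
    """Build one constructed payment record (all dated May 2018)."""
    return {"id": pid, "vendor": vendor, "entered_by": emp, "amount": amount,
            "remit_to": remit_to, "date": date(2018, 5, day), "void": void}

PAYMENTS = [
    pay("P1", "V1", "E2", 1200.0, "400 Industrial Rd", 3),
    pay("P2", "V3", "E1", 9800.0, "12 Elm St", 4),
    pay("P3", "V3", "E1", 9700.0, "PO Box 77", 20),
    pay("P4", "V1", "E1", 300.0, "400 Industrial Rd", 21, void=True),
    pay("P5", "V1", "E1", 310.0, "400 Industrial Rd", 22, void=True),
]
# (check number, issue date): check 1000 was issued after 1003.
CHECKS = [(1001, date(2018, 5, 3)), (1002, date(2018, 5, 4)), (1003, date(2018, 5, 20)), (1000, date(2018, 5, 21))]
SUFFIXES = {"inc", "llc", "ltd", "co", "corp", "company"}

def normalize_name(name):
    """Lowercase, drop punctuation and corporate suffixes so 'ACME Supply, Inc.' compares to 'Acme Supplies Inc'."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)

def vendor_employee_matches(vendors, employees):
    """Slide 28: vendors whose address or phone number also appears in the employee directory."""
    by_addr = {e["address"]: e["id"] for e in employees}
    by_phone = {e["phone"]: e["id"] for e in employees}
    hits = []
    for v in vendors:
        if v["address"] in by_addr:
            hits.append((v["id"], by_addr[v["address"]], "address"))
        if v["phone"] in by_phone:
            hits.append((v["id"], by_phone[v["phone"]], "phone"))
    return hits

def similar_vendors(vendors, threshold=0.8):
    """Slides 23/29: vendor pairs with near-identical names or the same address."""
    pairs = []
    for i, a in enumerate(vendors):
        for b in vendors[i + 1:]:
            reasons = []
            ratio = difflib.SequenceMatcher(None, normalize_name(a["name"]), normalize_name(b["name"])).ratio()
            if ratio >= threshold:
                reasons.append("similar name")
            if a["address"] == b["address"]:
                reasons.append("same address")
            if reasons:
                pairs.append((a["id"], b["id"], reasons))
    return pairs

def out_of_sequence_checks(checks):
    """Slide 29: check numbers that go backwards when checks are ordered by issue date."""
    flagged, highest = [], None
    for number, issued in sorted(checks, key=lambda c: c[1]):
        if highest is not None and number < highest:
            flagged.append(number)
        highest = number if highest is None else max(highest, number)
    return flagged

def excessive_voids(payments, limit=1):
    """Slide 29: employees who voided more payments than the limit."""
    counts = Counter(p["entered_by"] for p in payments if p["void"])
    return {emp: n for emp, n in counts.items() if n > limit}

def nonstandard_remit_addresses(payments, vendors):
    """Slide 29: payments sent somewhere other than the vendor's address on file."""
    on_file = {v["id"]: v["address"] for v in vendors}
    return [p["id"] for p in payments if p["remit_to"] != on_file[p["vendor"]]]

def new_or_unapproved_high_activity(payments, vendors, window_days=90, total_limit=5000.0):
    """Slide 29: unapproved vendors, or vendors first paid within `window_days` of creation, with high totals."""
    totals, first_paid = Counter(), {}
    for p in payments:
        if not p["void"]:
            totals[p["vendor"]] += p["amount"]
            first_paid[p["vendor"]] = min(first_paid.get(p["vendor"], p["date"]), p["date"])
    hits = []
    for v in vendors:
        is_new = v["id"] in first_paid and (first_paid[v["id"]] - v["created"]).days <= window_days
        if totals[v["id"]] > total_limit and (is_new or not v["approved"]):
            hits.append((v["id"], totals[v["id"]]))
    return hits

def range_violations(payments, low=1.0, high=5000.0):
    """Slide 28: range/limit validation, payments outside the expected band for routine purchases."""
    return [p["id"] for p in payments if not low <= p["amount"] <= high]

if __name__ == "__main__":
    print(similar_vendors(VENDORS), new_or_unapproved_high_activity(PAYMENTS, VENDORS))
```

Each function answers one slide bullet and returns the flagged records rather than printing them, so the results can feed an exception report for independent review. Note that none of these is proof of fraud on its own: the two "Acme" vendors may be a legitimate re-registration, and a PO Box remit-to address may be correct, which is why the slide presents them as red flags that trigger investigation rather than as conclusions.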

  30. Encourage Security in IT Departments
  • Physical security
  • Segregation of duties
  • Employee monitoring
  • Surprise audits
  • Job rotation
  • Examination of documentation
  (Diagram: roles shown are Quality Assurance, Programmer Analyst, Business Analyst.)

  31. Business Application Checks
  • Checks locked up; access restricted
  • Physical inventory of checks at least every quarter
  • New accounts payable vendors’ existence and address double-checked by management
  • Returned checks sent to a PO Box and evaluated by someone independent of Accounts Payable

  32. Question What is the MOST effective means of preventing fraud? • Effective internal controls • Fraud training program • Fraud hotline • Punishment when fraud is discovered

  33. Question A woman in the accounting department set up a vendor file with her own initials, and was able to steal more than $4 M after 3 years. The auditor should have found that: • The vendor was a phony company • Purchases from the vendor did not result in inventory received • The initials for the vendor matched an employee in the accounting dept. • Management does not authorize new vendors with a separate web search and/or phone call.

  34. Question What is: Origination, Authorization, Distribution, Verification? • Four stages of software release • Recommended authority allocations for access control • Stages for development of a Biometric Identity Management System (BIMS) • Categories for Segregation of Duties

  35. External Fraud (section outline): Social Engineering; Check & Receipt Fraud; A Fraud Investigation

  36. Social Engineering

  37. Red Flags Rule

  38. Social Engineering I
  • Email: “The first 500 people to register at our Web site will win free tickets to … Please provide company email address and choose a password.”
  • “You received a message from Facebook. Follow this link … log in.”
  Social engineering: Getting people to do something they would not ordinarily do for a stranger. Social engineering is nearly 100% effective.

  39. Social Engineering II
  • Telephone call from ‘IT’: “Some company computers have been infected with a virus that the anti-virus software cannot fix. Let me walk you through the fix…”
  • “We need to test a new utility to change your password…”

  40. Social Engineering III
  • Phone call 1: “I had a great experience at your store. Can you tell me the manager’s name and address?”
  • Phone call 2: “This is John from X. I got a call from Alice at your site wanting me to fax a sig-card. She left a fax number but I can’t read it; can you tell me? What is the code?” “You should be telling me the code…” “That’s ok, it can wait. I am leaving, but Alice won’t get her information…” “The code is …”
  • Phone call or fax 3: “I need … Code is …”

  41. Social Engineering Techniques • Learns insider vocabulary and/or personnel names • Pretends legit insider: “I am <VP, IT, other branch, other dept>. Can you …?” • Pretends real transaction: • Helping: I am in trouble <or> you need help due to … • <My,Your> computer is <virused, broke, busy, don’t have one>. Can you <do, tell me> …? • Deception: Hides real question among others. • Establishes relationship: Uses friendliness to gain trust for future tasks

  42. Combating Social Engineering
  Verification Procedure:
  • Verify the requester is who they claim to be
  • Verify the requester is currently employed in the position claimed
  • Verify the role is authorized for the request
  • Record the transaction
  Organization security:
  • Data classification defines treatment
  • Policies define guidelines for employee behavior
  • Employees trained in roles, need-to-know, and policies

  43. Example 4: Multi-call Social Engineering Example for a Medical Scenario. John is getting a divorce from Susan. He has a new love, Alice, who he would like to spend more time with. He has considered what to do with his two school-aged children, Jim and Ann. He figures that if Susan retains custody, he will owe a considerable amount in alimony. Frankly, he would like to keep the money. Plus, if he keeps them during the week, Susan can care for them on weekends, leaving his weekends free for golf and quality time with Alice. However, Susan won’t give up the kids easily. Her first love is her children. He has always been too busy – golfing, business, … affairs – for kids. She will want to retain full custody, and she has been a great full-time Mom up until now. So how to fight this? He has heard from an old friend that she has cancer. If the cancer is serious and he can prove it in court, perhaps she can be judged to be inadequate. If she is on chemotherapy … who will take care of her and the kids? It would be best that he be given main custody (hopefully weekdays). He decides to ask Alice for help. First he needs to find out which doctor Susan is seeing. Then he needs to get her records. Finally he can talk to his lawyer about the best way of presenting this part of the case. Alice agrees to place the calls to potential doctors.

  44. Call 1: Find Doctor. Date: July 2, 3:05 PM.
  Office: This is Dr Anderson’s office. How can I help you?
  Caller: This is Susan Armstrong. I will be going away to help my Mother soon. I think I have an appointment coming up, and I lost the appointment card. Can you check? The appointment would be for Susan Armstrong.
  Office: What is your address and home phone number?
  Caller: 262-408-4722. 1245 N Ridge Ave. Kenosha.
  Office: Yes, I see you have an appointment next Wednesday at 2:30.
  Caller: Good! Well, I think I will leave to visit Mom right after that appointment. Thank you so much, it is now on my calendar. Also – did my PPO pay off my last visits, or do I owe anything extra?
  Office: Well, we are still awaiting payment for your last appointment at the hospital on June 5th, but the previous visits have all been paid. They usually take about a month or two to pay.
  Caller: Thank you, I will see you next Wednesday at 2:30!

  45. Call 2: Obtain Medical Records. Date: July 8, 10:42 AM.
  Office: This is Dr Anderson’s office. How can I help you?
  Caller: This is Susan Armstrong. I will be visiting another specialist for a problem with my leg and foot. She would like to see my prescriptions and my medical history. I would also like a copy for my own records. Can you fax me a copy of my records, and I will be sure to bring the records to the new doctor?
  Office: Well, you will have to come in to sign for a copy of your records. Also, doctors usually prefer to have the records sent directly to them.
  Caller: I think it is most important that I have the copy, and the doctor said it was ok if I brought my records in. Hmm. I don’t have a car available. Can my husband sign for them and pick them up?
  Office: No, it needs to be you.
  Caller: What if I request a copy in writing, and use our fax machine to send you my signature?
  Office: I think that would be acceptable. Our fax number is 262-488-2122. Should we fax the records to the fax number where we get the letter from?

  46. Call 3: Report Success
  Caller: Yes, that would be extremely helpful. What do I need to include in the letter?
  Office: Please include your name, the information you need, the location where the information should be faxed to, and why you are asking for the information. Also include your printed name and signature.
  Caller: No problem! Thank you so much for your help.
  Office: Any time…
  Date: July 8, 6:45 PM.
  Alice: John! We got her medical information! I hooked the laptop up to a phone line at my friend’s office, in the conference room, and sent the fax from there. It will be difficult to trace it back to us.
  John: And the records say…
  Alice: She does have breast cancer.
  John: Great! Thanks so much!
  The scam was successful! Can you consider how a doctor’s office can prevent such a scam?

  47. Fraud Scams
  • Get a receipt from the trash, ‘return’ a product
  • Copy a gift certificate and cash it in at multiple locations
  • Markdown sale prices reimbursed with receipt – copied and collected at multiple locations
  • Fake UPC numbers to pay low prices, then return at the higher price. If the receipt total is sufficient, the scam may work.

  48. Preventing Scams
  • Receipts must have security marks on them (e.g., two-colored ink on special paper, or better: thermochromatic ink)
  • Line-item detail on receipts and sales records in the company database
  • Garbage bins which may receive receipts should be protected from access (e.g., bank garbage bins)
  • Register gift certificates – unique numbers
  • Shredders should be used for any sensitive information
  • Protect against shoulder surfing or device attachment for card readers

  49. Check Fraud Examples
  Altered Checks: Chemicals are used to erase the payee or amount, which is then re-printed, OR the check is appended to.
  • An Argentinian modified a ticket-overpayment refund check from Miami, changing a $2 check to $1.45 Million
  Counterfeit Checks or Identity Assumption:
  • Someone in your checkout line views your check, or does yard work for you
  • Fishes in a business’s in-mailbox or a home’s out-mail for a check
  • Checks can be purchased on-line or by mail order
  Telemarketing Fraud:
  • “You’ve won a prize” or “Would you like to open a VISA?” “Now give me your account information.”
  Hot Check: “Insufficient Funds”
  • 90% of ‘insufficient funds’ checks are numbered between 101 and 200
  • Account opening year may be printed on the check

  50. Check Security Features
  • Watermark: Subtle design viewable at a 45-degree angle toward light. Cannot be photocopied
  • Void Pantograph: Background pattern of checks. When photocopied, the background pattern disappears or prints ‘VOID’
  • Chemical Voids: When the check is treated with eradicator chemical, the word VOID appears
  • Microprinting: When magnified, the signature or check border appears to be written words. The resolution is too fine for a photocopier
  • 3-Dim. Reflective Holostripe: Metallic stripe contains at least one hologram, similar to a credit card
  • Security ink: Reacts to eradication chemicals, distorting the check
  • Thermochromic Ink: Ink reacts to heat and moisture by fading and reappearing
