© Zack Blanton/iStockphoto

Fraud brainstorming
Planning to find fraud
Audit plans have to be designed to find fraud. Here’s help for your
team on fraud brainstorming: delving into the details, thinking like
a fraudster and using the knowledge of the processes to increase
awareness of where frauds may be hiding.

46 FRAUD MAGAZINE JULY/AUGUST 2012 FRAUD-MAGAZINE.COM © 2012 Association of Certified Fraud Examiners, Inc.
“Routine exams failed Auditing Standards all refer to proper
audit planning and consideration of
Assembling the right people
to uncover the scam,” the indictment fraud schemes. For the most part, the audit team mem-
claimed. The scam represented possi- The “Statement on Auditing bers will be the primary individuals in-
bly the largest potential loss to the Na- volved in a fraud brainstorming session
Standards No. 99: Consideration of
tional Credit Union Share Insurance in advance of an audit so the objectives
Fraud,” also referred to as SAS 99,
Fund (NCUSIF). The frauds, which will remain relatively confidential.
specifically requires fraud brain-
ran through a single credit union, This also will minimize the possibility
storming sessions when reviewing that the target group gets wind of the
resulted in more than $170 million financial statements. Unfortunately, impending audit, especially steps de-
in potential losses, involving bribery, merely having a sentence in the audit signed to detect fraud. Therefore, care-
money laundering, fraudulent loans, scope that states “the audit staff will fully manage and safeguard the inclu-
corruption, kickbacks and even a remain vigilant for fraud during the sion of others in this process.
Ponzi scheme (Credit Union Journal, course of the audit” isn’t enough. CFEs in a fraud brainstorming
June 27, 2011). In recent years, the phrase “the session will bring investigative minds
When the big frauds hit, it doesn’t auditors failed to uncover the ongoing and skill sets to the session. On the
take long for others to ask “where were fraud scheme” has unfortunately been other hand, don’t include manage-
the auditors?” In this instance, the appearing more and more frequently. ment in the session. An auditor must
NCUSIF inspector general noted that Satyam, Tyco, Olympus, Madoff and assume that any employee in the tar-
“numerous red flags were present for get group could be committing fraud,
Healthsouth are just a few of the recent
many years,” including those spotted including management. If they’re in-
large frauds in which auditors and in-
by examiners. The IG stated that exam- volved in the session, they could tip
vestigators missed the warning signs.
iners only performed “their required off the unknown fraudster. And be
Finding fraud is difficult. We all
minimum procedures.” Board meeting careful about including employees
know that. We’re constantly reminded
minutes indicate that the audit reports of the area being audited, such as an
at every audit, fraud and accounting
identified no outstanding issues about ethics or compliance specialist or hu-
conference we attend that fraud is
the credit union operations. man resources professional. Though
inherently hidden. Deception, altera- they could be valuable additions, they
The question beckons: Did the
tion, fabrication and the destruction could leak important information.
auditors properly prepare and plan
to find fraud? Could effective fraud of documents seems to be the norm
brainstorming have helped uncover for all fraudsters, yet qualified anti- Assessing the process(es)
these schemes much sooner? fraud professionals still fall for and/
The audit staff clearly identify the
“If you don’t know what you’re or fail to identify their schemes. Did
process(es) that the brainstormers will
looking for, how will you know when the fraud fighters properly plan and
review during the audit so they can
you’ve found it?” brainstorm for fraud? identify the right fraud risks. Consid-
This sums up the advantage of Fraud brainstorming is more than er the following:
thinking about fraud before conduct- sitting around a table for an hour talk-
ing an audit. An audit plan that’s not ing about how fraud could occur. It in- Process complexity
designed to find fraud may occasion- volves delving into the details, thinking Assess the complexity of the process’
ally by chance find it. However, the like a fraudster and using the knowl- moving parts. The more complex a pro-
fraud detection business shouldn’t be edge of the processes to increase aware- cess, the greater the chance that fraud
built on luck or hope but on proactive, ness of where frauds may be hiding. will slip through the cracks and crevices.
planned and decisive measures. When broken down into its
In most of the published audit- parts, fraud brainstorming encom- Number of transactions
ing standards and expectations for passes: assembling the right people; The more transactions, the easier
auditors, identifying fraud goes hand assessing the process(es), players, fraudsters can hide their crimes. Pay
and hand with the key words “plan” data and environment; developing close attention to those processes that
or “planning.” The American Insti- fraud schemes and audit procedures generate significant numbers of trans-
tute of CPAs, the Institute of Internal based on these schemes; and devel- actions, and design fraud detection
Auditors and the U.S. Government oping fraud triggers. tests accordingly.

By Ryan Hubbs, CFE, CIA, CCSA, PHR

© 2012 Association of Certified Fraud Examiners, Inc. FRAUD-MAGAZINE.COM JULY/AUGUST 2012 FRAUD MAGAZINE 47
 Fraud brainstorming

Number of dollars,
both large and small
Auditors may be drawn to focus on the
high-dollar transactions that are above a
certain threshold. But a significant fraud
scheme could be occurring just under
established thresholds. In some instanc-
es, the smallest transaction could be the
indicator of a large, ongoing fraud.

Manual vs. automated systems

Discover if a process is manual or auto-
mated. Manual processes may allow for
employees’ manipulation. Understand
the “touch points” in an automated
system in which employees can enter,
change and extract data.

New systems vs. legacy systems

New and legacy systems can pose sepa-
rate unique risks and challenges when
you’re trying to detect fraud. A new © Zack Blanton/iStockphoto
system may cause confusion, operator
errors, manual workarounds and break-
• What have been the previous audit Many audit steps have historically
downs of existing controls in peripheral
findings and responses from manage- worked to identify those situations that
systems. A potential fraudster waits for
ment regarding this process or group? could arise from a direct override of
this sort of turmoil and opportunity.
Auditors who have been routinely ›› Repeated findings? process controls. But, the auditor, dur-
auditing legacy systems for years with the ing the fraud brainstorming process,
›› Management pushback? should also assess instances in which
same checklists and test steps may have
›› Lack of implementation of audit there could be “soft” or indirect over-
become lax and overlook large frauds
recommendations? rides. A routine audit may simply look
committed by longtime employees.
›› Has the process or group received at a CFO’s access to the financial data
Process control by non-employees — any fines from state, local or federal and the ability to make unauthorized
outsourced or contractors agencies? changes, such as a direct overoveride
capability. However, a finance man-
If contractors or non-employees have ›› Has the process or group been in-
ager who’ll make any changes to the
access to processes, audit staff should volved in any lawsuits, complaints
accounting system based on the CFO’s
assess what frauds they could be com- or injunctions? direction, without question, could be a
mitting. Lack of daily oversight and
›› Has the process or group been situation in which the CFO has an in-
control and lack of their definitive re-
responsible for any issues that have direct override capability to alter the
porting structures to the company
affected the health or operation of financials. Evaluating indirect override
could keep these non-employees out of
sight and out of mind. the company? capability requires assessing the influ-
›› Have there been investigations into ence of the decision makers and the
Previous process issues, this area, whether conducted by willingness to act without question.
gaps and errors internal investigators, legal counsel
Consider and identify other issues in- or external agencies?
Assessing the players
volved in a process or group to help Auditors must apply the same critical
paint a more accurate picture of possible Process override or edit eye to each employee, regardless of ten-
fraud schemes: capabilities, direct and indirect ure, position or personal relationship.

50 FRAUD MAGAZINE JULY/AUGUST 2012 FRAUD-MAGAZINE.COM © 2012 Association of Certified Fraud Examiners, Inc.
Because fraudsters don’t wear special • Where’s the data housed? • Wall Street?
outfits or have the letter “F” sewn on • Who has access to it? • Rating agencies?
their shirts, every employee must be • Significant investors or shareholders?
• How is the data generated?
thought of as having the possibility to
›› If manual, ›› Are there pressures to meet or exceed
commit fraud, so design every audit test
• Who creates the data? the targets of competitors?
step with this in mind. When assessing
those employees who are involved in the • What format is it in? ›› Are there any external financial, po-
litical, legal or operational issues that
daily business of managing the process, • Where are the manual data/ could force the manipulation of data
consider the following: documents stored, and who has with the process to be audited?
• Who are the employees, management physical access to the data?
• Lawsuits.
and contractors involved in ›› If automated,
• Recalls.
this process? • Where is the data editable or capable • Loss of market share.
• What are their names? of being manipulated?
• From an internal environment
• What are their backgrounds? • Who can make changes to it? assessment:
›› Do any of them have any previous • Are backups kept, and are they ›› What is the expectation of manage-
disciplinary, ethics or non- accessible? ment and the tone at the top?
compliance issues? • If a fraudster was going to manipu- • Get it done at all cost?
›› Have they ever been disciplined for late, alter or destroy data prior to
• Whatever it takes?
untruthfulness, control deficiencies the audit, what fields or information
would be the easiest and fastest to ›› How are internal goals and metrics
or fraud?
change? set and formulated?
• How long have they been with
• Are employees given incentives for
the company? ›› How could we test if changes were
doing the wrong behaviors?
made?
• Before coming to this department, • Are the incentives unrealistic and by
where did they work? • How does the audit team plan on
their very design entice individuals to
getting access to the data it needs?
›› Does this previous work area inter- commit fraud?
face with the current department ›› Are there strong internal financial
or process?
Assessing the environment
pressures?
One of the most overlooked aspects of
• If so, could they use their knowledge • To meet budget?
conducting an audit is the environmental
of this process and/or contacts in the • Are layoffs possible if this doesn’t get
factors that could have an impact on the
previous area to commit a fraud? done correctly?
area and, especially, the individuals who
• How much approval and decision- are to be audited. This assessment can be ›› Are there enough resources to get the
making authority have they been easily correlated to the “pressure” side of job done?
granted? the fraud triangle. What are those internal • Is one person doing the job of three,
and external pressures or environmen- five, 10?
Assessing the data tal factors that could cause wrongdoing, ›› What is the morale level of the
fraud or unethical behavior to materialize individuals?
By now, the fraud brainstorming pro-
in this department or process?
cess has identified the players or em- • Everyone loves coming to work?
ployees involved in the upcoming audit. • From an external environment
• Everyone can’t wait for 5 p.m. to get
The auditors must be aware that if one assessment:
here fast enough?
or more of those individuals are com- ›› What frauds have been identified in Assessing the environment as part
mitting fraud, there’s a chance that they other companies within this type of of the fraud brainstorming process
could manipulate, alter and/or destroy process? could also be very helpful for the audit
data before the auditors take possession • What difference or similarities does staff in determining the truthfulness and
of it for the audit. Auditors should ques- our process have with them? cooperation of the audited individuals.
tion and assess the reliability of all data ›› Are there any significant forces or
that’s used to support an audit; consider pressures driving external goals or Developing fraud schemes
the following: metrics within this process? The ability of the audit team to uncover

© 2012 Association of Certified Fraud Examiners, Inc. FRAUD-MAGAZINE.COM JULY/AUGUST 2012 FRAUD MAGAZINE 51
 Fraud brainstorming

How are internal

fraud in the audit will rely heavily on its • Detail what specific players would be
goals and metrics
ability to develop possible fraud schemes involved in each scheme. set and formulated?
and corresponding audit tests that can • Detail how the fraudster would
detect these schemes. In 2006, research convert his or her fraud into a direct • Be open to requesting or accessing
was published by Carpenter et al (2006) incentive, cash, stock, payoff, etc. non-traditional data sources such as
that found that when fraud is present, a No matter how much time is de- employee computer records, emails,
group that interactively brainstorms out- voted to this section, the audit staff can’t phone records or Internet history.
performs auditors brainstorming indi- contemplate or detect all fraud schemes. These records could be extremely
vidually and those that don’t brainstorm, Devote a reasonable amount of time valuable when conducting audits in-
which provides further evidence of the and resources to come up with as many volving contractors, vendors and sup-
benefit of interactive brainstorming ses- schemes as possible, and then move on pliers or when those being audited
sions [See “Financial Statement Fraud: to designing those specific test steps that have to interface with others outside
Insights from the Academic Literature,” will help detect possible fraud. of their own groups.
by Chris E. Hogan, Zabihollah Rezaee, • Fraudsters lie, and since no one iden-
Richard A. (Dick) Riley Jr. and Uma Ve- Developing audit procedures based tifies his or her self as a fraudster, the
lury, Auditing: A Journal of Practice & on identified fraud schemes
audit team must take all statements,
Theory, November 2008]. To transition from developing fraud attestations and affirmations with a
When developing fraud schemes, schemes to developing audit procedures, grain of salt. “Trust but verify” must
consider the following: the audit team should ask: “Knowing be built into every audit test step.
• Start at the beginning of the process what we now know, how are we going to
• Design fraud detection audit tests
and work through until the end. test for these possible fraud schemes?”
with built-in mechanisms that will
Some fraud schemes may rely on The type, scope and size of the audit will
expand scope and sample size or
multiple steps of manipulation or play a significant factor in how you de-
velop and implement fraud audit steps, require additional testing if cer-
alteration in the process. tain indicators or red flags present
as will the availability of adequate audit
• The audit staff ’s knowledge of in- resources. Sample sizes and audit meth- themselves. This also requires pre-
ternal controls shouldn’t be inter- odologies may also differ from organiza- planning by the audit staff as to what
jected here. At this point in the fraud tion to organization, as will various au- could be a triggering event.
brainstorming and audit process no dit standards among internal, external • Develop audit test steps that evaluate
one has a clue as to what is actually and governmental agencies. When plan- the chronological timeline of data,
occurring daily in the audit area. ning the audit procedures, pay attention transactions and information. Can
No schemes or risks are impossible. to the following: things happen in the order in which
Capture the schemes, and don’t rule • Do not openly refer to the audit test they are being presented? Are there
anything out. steps designed to detect fraud as the holes, gaps or anomalies in
• Audit members should build upon “audit test steps for detecting fraud.” the timeline?
other member’s ideas. Many fraud This may make employees nervous
schemes can have multiple moving or may tip off a potential fraudster. Development of fraud triggers
parts. Fraud test steps should simply be The final step in the fraud brainstorm-
• Don’t overlook collusion. referred to as “routine” audit test ing process is the development of fraud
steps and downplayed as much as detection red flags. Design them so that
• Give specific attention to how many possible to those being audited.
times the possible fraud scheme after you identify them, they will trig-
• Consider how the audit team can get ger additional tests for fraud. Audits, as
could go unchecked or be committed
to audit data without alerting poten- well as audit staff, must be able to change
without detection.
tial fraudsters. Is there a way for the and adapt as a situation changes. Those
• Assess single and cumulative dollar team to request data from a separate audit teams that stay the course to a pre-
losses. or parallel means and cross check and planned audit program and fail to recog-
• Detail step by step how the fraudster compare the two? nize the danger or warning signs along
would commit the scheme, including • Design test steps to assess if a fraud- the way, may pass up the chance to un-
manipulating, altering or destroying ster has manipulated, altered, fabri- cover fraud. Some red flags to consider
data. cated or destroyed supporting data. beforehand are:

52 FRAUD MAGAZINE JULY/AUGUST 2012 FRAUD-MAGAZINE.COM © 2012 Association of Certified Fraud Examiners, Inc.
• When asked to provide information interviews and questions are routed mining for precious metals, the amount
for the audit, the individual is reluc- through him or her first. This indi- of upfront planning can help dictate the
tant or hesitant to share information. vidual could be a manager, executive ultimate success of the project. The same
• When asked to provide data or or some other authority figure who holds true for uncovering fraud. The
documentation, the individual fails has oversight over the process being fraud brainstorming framework is rela-
to respond, may be argumentative or audited or may be on the periphery. tively simple; the difficult part is imple-
creates an unusual delay in respond- This individual could be the fraudster menting it. The widespread implementa-
ing to the audit request. using his or her authority to filter tion of fraud brainstorming techniques
information to the audit team. may not only help uncover more frauds
• When asked to provide data or docu- but also lead to more headlines that state
mentation, the individual provides • Data, documentation or information
“the auditors were able to uncover the
the information faster than the data appears to have been manipulated,
long-running fraud scheme.” n FM
could have been retrieved. This could altered, fabricated or destroyed. The
mean the individual had prepared in audit team must stop and regroup and
advance of the request. determine if they missed a potential Ryan C. Hubbs, CFE, CIA, PHR, CCSA,
• Inconsistencies exist between the fraud scheme, or if the current audit is senior manager of anti-fraud and
statements made by several employ- tests need to be refined or enhanced. investigation services at Matson Driscoll
ees. This could indicate that one or & Damico LLP in Houston, Texas. He is
more people could be actively deceiv- It’s simple but difficult a member of the ACFE faculty. His email
ing the audit team. Take any process in the world that’s address is: [email protected].
• A “command and control” figure, designed to identify hidden items, and
The material in this article and much more will
who emerges early in the audit, man- you’ll see an extraordinary amount of be included in the revamped ACFE Auditing for
dates that all requests, data, support, pre-planning. From oil exploration to Internal Fraud course. See ACFE.com/AIF. — ed.

© 2012 Association of Certified Fraud Examiners, Inc.

All rights reserved. “ACFE,” “CFE,” “Certified Fraud Examiner,”“Fraud
Magazine,” “Association of Certified Fraud Examiners” and related
trademarks, names and logos are the property of the Association of
Certified Fraud Examiners, Inc., and are registered and/or used in the
U.S. and countries around the world.

© 2012 Association of Certified Fraud Examiners, Inc. FRAUD-MAGAZINE.COM JULY/AUGUST 2012 FRAUD MAGAZINE 53