Intelligent fraud fighting: an Internal Organization Security Intelligence system can assist in the prevention, deterrence, and detection of fraudulent activity.NICHOLAS AMATATA'S CAREER with ABC Motors ABC Motors Limited (All British (Engine) Company) of Hersham, Surrey, England was a manufacturer of cars, aircraft, motor scooters, and engines for road and air. Ltd. was full of promise. He was a hard-working, amiable a·mi·a·ble adj. 1. Friendly and agreeable in disposition; good-natured and likable. 2. Cordial; sociable; congenial: an amiable gathering. sales representative who quickly earned the trust of customers and fellow staff members. One day, shortly into his fourth year of service to the company, he began working with a customer who eventually ordered four fishing boat engines. Because of Amatata's honest appearance, the customer quickly trusted him and agreed to send installment checks directly to Amatata's personal account, with the understanding that the money would be forwarded to ABC ABC in full American Broadcasting Co. Major U.S. television network. It began when the expanding national radio network NBC split into the separate Red and Blue networks in 1928. . Because the company's accountant also trusted Amatata, nobody suspected any wrongdoing--that is, until US $12,500 had already been stolen from the organization. As it turned out, the fraud was uncovered by a fellow employee--a company driver. Amatata had asked the driver to accompany him to town, pick up some items he had purchased, and deliver them to his residence. To his surprise, the driver learned that the delivery included several expensive household items such as a bed worth US $1,667. At the time, Amatata's sales position paid less than US $166 per month--a typical amount for the region in which he worked. After the trip, Amatata gave the driver US $14 for lunch and instructed him not to tell anybody what he had seen, because it may make other employees envious en·vi·ous adj. 1. Feeling, expressing, or characterized by envy: "At times he regarded the wounded soldiers in an envious way.... . This instruction made the driver suspicious, and he immediately shared the full story with his close friend, the company accountant, who subsequently launched an investigation. After the scheme was discovered, Amatata was dismissed. This sales representative's scheme was detected by an observant ob·ser·vant adj. 1. Quick to perceive or apprehend; alert: an observant traveler. See Synonyms at careful. 2. employee with a solid ethical foundation and a channel--albeit an informal one--through which to communicate his suspicions. Imagine then if all employees had ethics and fraud training, were encouraged to be observant and forthcoming for the sake of the organization, and were given a formal channel through which to report suspicious behavior. That is the goal of an Internal Organization Security Intelligence (IOSI) system, a method for gathering information and building resources that help protect the organization from harm such as computer security breaches, burglars and other intruders, industrial espionage industrial espionage Acquisition of trade secrets from business competitors. Industrial spying is a reaction to the efforts of many businesses to keep secret their designs, formulas, manufacturing processes, research, and future plans. , and frauds committed by employees, suppliers, and customers. WHAT IS AN IOSI? Although many organizations have internal security departments that provide physical controls over the movement of both people and tangible assets Tangible Asset An asset that has a physical form such as machinery, buildings and land. Notes: This is the opposite of an intangible asset such as a patent or trademark. Whether an asset is tangible or intangible isn't inherently good or bad. in and out of the organization, this conventional type of security arrangement relies solely on gate guards and watchmen working under a chief security officer. In contrast, an IOSI operation involves not only watchmen, but also loyal staff, customers, suppliers, and stakeholders Stakeholders All parties that have an interest, financial or otherwise, in a firm-stockholders, creditors, bondholders, employees, customers, management, the community, and the government. that help provide controls. The system helps keep honest employees honest, deprives dishonest employees of an opportunity to commit fraudulent acts, and prevents other would-be fraudsters from even setting foot in the organization. The primary aim of an IOSI system is prevention, as opposed to cure. The idea stems from a system practiced by Kenya's National Security Intelligence System (NSIS NSIS Next Steps in Signaling NSIS Nullsoft Scriptable Install System NSIS Nullsoft SuperPimp Install System NSIS National Sheep Identification System (Ireland) NSIS North Snohomish, Island and Skagit ), which helps prevent crime throughout the nation. NSIS officers and informers are densely situated throughout the country, and their abundant presence helps preempt pre·empt or pre-empt v. pre·empt·ed, pre·empt·ing, pre·empts v.tr. 1. To appropriate, seize, or take for oneself before others. See Synonyms at appropriate. 2. a. criminal activity. Even when criminals dodge security and commit an offense, they are usually apprehended soon afterward af·ter·ward also af·ter·wards adv. At a later time; subsequently. Adv. 1. afterward - happening at a time subsequent to a reference time; "he apologized subsequently"; "he's going to the store but he'll be back here by the police upon receiving tips from the intelligence officers. By teaching all those who deal with the organization about the symptoms of fraud and increasing awareness of the IOSI system, frauds can be prevented--or at least detected early through timely tips or reports. Well-informed suppliers, customers, and employees can serve as both deterrents and informants. In other words Adv. 1. in other words - otherwise stated; "in other words, we are broke" put differently , those loyal to the organization can form a protective team that keeps a watchful watch·ful adj. 1. Closely observant or alert; vigilant: kept a watchful eye on the clock. See Synonyms at aware, careful. 2. Archaic Not sleeping; awake. eye over the organization, somewhat like neighbors who establish a neighborhood watch group to protect their homes. The system is centered around a full-time IOSI department staffed with professionals who possess a variety of skills in fraud prevention, investigation, and internal controls. Their primary responsibilities consist of intelligence gathering and providing anti-fraud training across the organization. To expand its reach, the department enlists staff members from other areas of the company to serve as informants, or "agents." These individuals gather intelligence undercover in their respective departments and deliver it to the IOSI professionals for analysis and further investigation. The full-time IOSI employees also help formulate the organization's anti-fraud policy, continually review and amend the policy as deemed necessary, and cooperate with customers and suppliers on policy enforcement. Typically, the IOSI team operates under a chief internal security intelligence officer (CISIO) who reports to the board of directors or the audit committee. Reporting to the audit committee is ideal, as the CISIO's duties will typically include surveillance of the main board's activities to ensure board members do not commit financial statement fraud or otherwise deceive TO DECEIVE. To induce another either by words or actions, to take that for true which is not so. Wolff, Inst. Nat. Sec. 356. stakeholders for personal gain. To achieve its objectives, the IOSI system should involve everyone in the organization. That is, all departments should cooperate in the organizationwide vigilance VIGILANCE. Proper attention in proper time. 2. The law requires a man who has a claim to enforce it in proper time, while the adverse party has it in his power to defend himself; and if by his neglect to do so, he cannot afterwards establish such claim, the . The human resources The fancy word for "people." The human resources department within an organization, years ago known as the "personnel department," manages the administrative aspects of the employees. department, for example, can contribute by recruiting employees with integrity, and the legal team can assist with procedures involving fraud investigations and prosecution of wrongdoers. Common fraudulent activities that can be prevented or detected early through a comprehensive IOSI system include bribery bribery Crime of giving a benefit (e.g., money) in order to influence the judgment or conduct of a person in a position of trust (e.g., an official or witness). Accepting a bribe also constitutes a crime. , kickbacks, management override An arrangement whereby commissions are made by sales managers based upon the sales made by their subordinate sales representatives. A term found in an agreement between a real estate agent and a property owner whereby the agent keeps the right to receive a commission for the sale of , and cash skimming Skimming An electronic method of capturing a victim's personal information used by identity thieves. The skimmer is a small device that scans a credit card and stores the information contained in the magnetic strip. . WHERE IOSI MEETS AUDITING The IOSI system is designed to reinforce the fraud-fighting power of internal auditing by helping detect frauds earlier and prevent them altogether. Although the two groups' responsibilities differ in many ways (see "Comparison of Internal Audit and IOSI Duties" on this page), several commonalties also exist. Having an IOSI system in place can enhance internal auditing's effectiveness, because internal auditors Internal auditor An employee of a company who analyzes the company's accounting records to that the company is following and complying with all regulations. and IOSI professionals share many areas of responsibility, including fraud detection and prevention, fraud investigation, and controls improvement. By working with IOSI agents, internal auditors can detect fraud better as well as enhance the perception of detection, thereby acting as a fraud deterrent. Both groups are also concerned with preventive controls and, in fact, the IOSI's wide information-gathering network actually acts as such a control. Auditors and IOSI agents can also work together to investigate frauds. Typically, the IOSI group will be staffed by certified fraud examiners Certified Fraud Examiner (CFE) is a designation awarded by The Association of Certified Fraud Examiners (ACFE). The ACFE is a 41,000 member-based global association dedicated to providing anti-fraud education and training. , offering specialized expertise in this area. By combining resources, IOSI agents and auditors are more likely to identify loopholes for fraud, and together they can recommend that management implement appropriate controls to reduce the possibility of fraud in those areas. Security agents are trained to collect evidence or clues by being observant and asking good questions. They cultivate positive relationships with suppliers, customers, and employees--without compromising their professional independence. Any of these individuals could inadvertently leak information leading to the discovery of a well-hidden fraud scheme. Even former employees and clients have been known to divulge such vital knowledge. By keeping communication channels open with everyone they encounter, IOSI professionals, in conjunction with internal auditors and other loyal staff members, can serve as the organization's best informants. A productive, close relationship between internal auditing and the IOSI team can provide auditors with enhanced access to confidential information Noun 1. confidential information - an indication of potential opportunity; "he got a tip on the stock market"; "a good lead for a job" steer, tip, wind, hint, lead on fraud schemes and hence increase the likelihood of discovery and opportunities for preventive or corrective measures. LAUNCHING IOSI The IOSI department should be established by a committee elected by the board of directors. The chief audit executive and chief financial officer would be ideally suited to coordinating this committee, given their direct involvement in safeguarding the origination's assets, tangible or otherwise. Once the department has been established, setting up the IOSI system involves eight key steps. 1. FORMULATE THE IOSI DEPARTMENT'S RESPONSIBILITIES. Those in charge of forming the IOSI department should ask a series of questions to help establish the department's responsibilities and priorities, including: What is the objective of the IOSI? How will those objectives be achieved? To whom will the IOSI report? With whom will the IOSI cooperate? The department's priorities should also be consistent with the security-related objectives of the overall organization. 2. DEVELOP A CODE OF ETHICS Code of Ethics can refer to:
3. RAISE AWARENESS AND PROVIDE TRAINING. The code of ethics should be the first document supplied to new employees, and all staff members should be required to sign a compliance declaration. The organization should also embark on rigorous ethics training for employees--and even suppliers and customers--so that all who deal with the organization are aware of the code. During the training, all officers should be alerted that the organization will not tolerate misconduct of any kind. Likewise, employees should be informed of the consequences of unethical unethical said of conduct not conforming with professional ethics. behavior and should be asked to report any suspicion of misconduct to an appropriate officer for investigation and further action. 4. ESTABLISH A WHISTLEBLOWING POLICY. A whistleblowing policy that covers harmful, dangerous, fraudulent, and other types of illegal activities should be established. The policy should include hotlines and other anonymous reporting channels so that suspected cases of misconduct can be reported immediately. After all, according to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. the Association of Certified Fraud Examiners' 2006 Report to the Nation, the majority of fraud cases are detected by tips or anonymous reporting. Whistle-blowers' anonymity should be guarded, and the organization should spell out tough measures--such as dismissal--for those who attempt to retaliate against or victimize whistleblowers. 5. DESIGN A REWARD SYSTEM. In many cases, frauds are committed by employees of the victim organization. For this reason, employees are often in a position to provide security and audit personnel crucial information about what they have heard or witnessed. After all, fraudsters typically work alongside other employees who know them well. With the right incentives in place, these employees can provide the names of the culprits to appropriate authorities for investigation and prosecution. Still, blowing the whistle can be risky, particularly when the wrongdoer is the whistleblower's supervisor. To provide incentive for reporters, the organization should reward those who give tips that lead to fraud discovery. The reward system should be openly communicated to staff through internal newsletters and other channels. In addition, the organization should establish an annual award for staff members who assist in fighting fraud by providing helpful tips. The reward system may also include all employees who perform beyond expectations, thus fostering loyalty among the staff. Employees who feel good about the organization often make the best informers, as they are typically invested in the organization's well-being. 6. CONSIDER DISCIPLINARY MEASURES. The organization should clearly establish disciplinary measures for employees found guilty of raising a false alarm, discouraging employees from malicious, unwarranted accusations. Such measures may include issuing a written warning or terminating the employee. However, a thorough investigation should be conducted so that no one is falsely accused, and it should be completed before a decision is made to reject or accept the alarm. 7. EMPLOY AND PROMOTE THE RIGHT PEOPLE. Criminologists generally agree that no one is born wicked and that people are typically forced into criminal activities by circumstances. Still, some philosophers have argued that a criminal, just like a dormant seed, requires favorable fa·vor·a·ble adj. 1. Advantageous; helpful: favorable winds. 2. Encouraging; propitious: a favorable diagnosis. 3. conditions to flourish. Therefore, it's important to consider the need for a solid background check before any candidate is offered an employment opportunity with the organization. While human behavior is often unpredictable, employing someone with a history of unethical or illegal behavior, for example, may be akin to planting a time bomb in the organization. 8. ESTABLISH AN EMPLOYEE COUNSELING PROGRAM. Employees grappling with stressful and overpowering o·ver·pow·er·ing adj. So strong as to be overwhelming: an overpowering need for solitude. o predicaments such as drug and alcohol abuse or financial strain may find themselves tempted to engage in fraudulent activities if their problems are left unchecked. For this reason, the organization may benefit from investing in a counseling program for employees to reduce the probability of fraud. UNOFFICIAL CHANNELS Security intelligence in and around an organization can involve official communication channels, such as hotlines, and unofficial channels, including informal conversations and word of mouth. The grapevine Grapevine - A distributed system project. , for example, is an important unofficial channel for the IOSI because it is a fast, natural way to disseminate dis·sem·i·nate v. dis·sem·i·nat·ed, dis·sem·i·nat·ing, dis·sem·i·nates v.tr. 1. To scatter widely, as in sowing seed. 2. information (see "The IOSI Grapevine" on this page). Communication spreads particularly quickly through the grapevine when it involves "bad news" such as fraud suspicion. Although gossip is one of the oldest and most common methods of sharing information, it is also known for introducing errors and slight variations that distort the original message. Therefore, any information received through the grapevine should be subject to a thorough investigation before any conclusions are drawn. If the right precautions precautions Infectious disease The constellation of activities intended to minimize exposure to an infectious agent; precautions imply that the isolation of an infected Pt is optional, but not mandatory. are taken, informal communication channels can be a valuable tool for early fraud detection. In one automotive company, an asset theft scheme was uncovered just three months after it began by way of an informal IOSI system. One of the company's workshop supervisors had found a way to sneak small but valuable motor vehicle parts past two security checks and off company premises. A female employee with whom he was having a romantic relationship soon became aware of the accumulated merchandise, which he had stashed under his bed for future sales. The woman, who worked in housekeeping, had a close relationship with the office manager--a friendly, unassuming gentleman who socialized so·cial·ize v. so·cial·ized, so·cial·iz·ing, so·cial·iz·es v.tr. 1. To place under government or group ownership or control. 2. To make fit for companionship with others; make sociable. with all levels of staff. One day, the manager joked that she had taken some coins he left on his desk. After they shared a laugh, the manager complimented her and told her he knew that both she and the workshop supervisor were honest, trustworthy employees. At that point, she told the manager that the supervisor was not honest, for he had amassed many stolen automotive parts under his bed. Her response prompted the manager to initiate a fraud investigation that led to the recovery of the stolen parts. PROACTIVE SECURITY An effective IOSI system will go a long way toward minimizing incidences of fraud and corruption. It will also assist the auditor in spotting danger signs of fraud early and thus help to reduce the organization's fraud loss. Although the IOSI system will not eliminate fraud entirely, constant integrated vigilance over organizational activities will help stem the problem by defusing de·fuse tr.v. de·fused, de·fus·ing, de·fus·es 1. To remove the fuse from (an explosive device). 2. To make less dangerous, tense, or hostile: fraud situations while still in their infancy. To comment on this article, e-mail the author at sosthenes.bichanga@theiia.org. SOSTHENES NYABUTO BICHANG'A, MIIA MIIA Massachusetts Interlocal Insurance Association MIIA Member of the Institute of Internal Auditors (Institute of Internal Auditors, UK) MIIA Medical Intelligence & Information Agency (Army) , CPA (Computer Press Association, Landing, NJ) An earlier membership organization founded in 1983 that promoted excellence in computer journalism. Its annual awards honored outstanding examples in print, broadcast and electronic media. The CPA disbanded in 2000. , CFE CFE Conventional Forces in Europe (treaty) CFE Cash Flow to Equity (finance/accounting) CFE Comisión Federal de Electricidad (México) CFE Certified Fraud Examiner ACCOUNTANT, CMC (Common Messaging Calls) A programming interface specified by the XAPIA as the standard messaging API for X.400 and other messaging systems. CMC is intended to provide a common API for applications that want to become mail enabled. 1. MOTORS GROUP LTD. NAIROBI, KENYA RELATED ARTICLE: The IOSI Grapevine In an IOSI system, information doesn't just flow through official vertical or horizontal channels Horizontal Channel Two parallel horizontal trendlines acting as very strong support and resistance. The upper trendline connects a stock's highs over a period of time, and each high is equal to the previous high. ; instead, it flows in all directions--much like a grapevine. Getting information from this system depends on how well one is attuned at·tune tr.v. at·tuned, at·tun·ing, at·tunes 1. To bring into a harmonious or responsive relationship: an industry that is not attuned to market demands. 2. to it; hence the value of IOSI informants or "agents" throughout the organization. [GRAPHIC OMITTED]
Comparison of Internal Audit and IOSI Duties
Internal Auditor IOSI Agent
Appraises internal controls. Gathers anti-fraud intelligence in
and around the organization.
Examines the books of accounts. May examine the books and vouchers
during an investigation.
May investigate fraud. Investigates fraud and takes
statements from the suspects.
Recommends internal controls for Proactively looks for fraud danger
mitigating fraud and other errors. signs and follows them to
conclusion.
Helps maintain effective controls. Maintains physical security over the
assets of the organization.
|
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion