A version of this blog post was first published in the Institute of Chartered Accountants of Pakistan’s publication, The Pakistan Accountant, in the July-September 2014 issue.
As per the statistics presented in the Report to the Nations on Occupational Fraud and Abuse (2014 Global Fraud Study) issued by the Association of Certified Fraud Examiners (ACFE), by the time you finish reading this sentence, the world would have lost $1.8 million to fraud, and Pakistan is no exception.
Fraud ranges from an employee reporting inaccurate hours in his daily manual timesheet to a Head of State influencing the procurement process in favour of one particular manufacturer in an aircraft deal worth billions. It varies from an explicit act like forging a cheque to an act disguised as a perfectly legal maneuver of appointing someone the head of the premiere public accountability agency with the intent of diverting the agency focus from your activities.
The true nature and extent of fraud is vast and takes many forms; however, the most pertinent to the audience of this magazine is Occupational Fraud which involves corruption, asset misappropriation, and financial statement frauds. Much has been written about the further detailed types of frauds so these are not elaborated in this article. To share examples of how frauds and corrupt practices are conducted in Pakistan by corporations ranging from sole proprietorship firms to large multinationals to public sector enterprises would require a dedicated book. Interviews and interrogations, though part of fraud examination process are also a separate science. Instead, the concepts and practices of fraud examination and investigation in a practical context are explained which can help the reader in developing a frame of reference when approaching a fraud investigation engagement whether as part of a professional services firm, or as an employee in an organization carrying out internal investigation or special assignment.
Some Important Terms
It is important to understand that “fraud examination” is not the same thing as “forensic accounting”. The International Fraud Examiners Manual issued by ACFE notes that:
“Forensic accounting is the use of professional accounting skills in matters involving potential or actual civil or criminal litigation. The word “forensic” is defined by Black’s Law Dictionary as “used in or suitable to courts of law or public debate.” Therefore, forensic accounting is actually litigation support involving accounting.”
Fraud Examiner’s Manual, 2019 International Edition, Association of Certified Fraud Examiners
Most fraud examinations involve forensic accounting activities such as calculations of economic loss etc.
The word forensic is used casually in most instances in Pakistan although the reports may or may not be submitted as evidence in a court of law. However, the intended principle is the same that the outcome of the investigation should be fit for consideration as admissible evidence.
Fraud Examination Process
Fraud examination is a non-linear process and is based strongly on the investigator’s sense of professional scepticism applied in the light of sound knowledge of related internal controls. Any of these two elements missing would result in a more efficient yet completely ineffective investigation.
A fraud examiner mostly follow the “fraud theory approach” which starts from the investigator creating a hypothesis of what might have occurred based on known facts and testing the said hypothesis through acquisition of (or connecting or integrating) new information. The examination is approached from both the perspectives of whether the fraud could have happened and whether it could not have. The methodology is pretty straight forward:
- Analysing available data
- Creating a hypothesis
- Testing the hypothesis
- Refining and amending the hypothesis
Analysing Available Data
This is the most crucial step as it feeds into the entire investigation and governs whether the investigator would be able to form a hypothesis close to the actual incident. In small investigations involving one or two examiners working on two or three key documents such as agreements, invoices etc, the step cannot be challenging. However, when the investigation involves documentation review of hundreds and thousands of pages of information, hundreds of gigabytes of email backups, files upon files of elaborate non-financial manufacturing data, the documentation analysis process needs to be a lot more sophisticated.
The most time-trusted tool in any investigator’s belt is spreadsheet-based Chronology of events and documents gathered from various sources recording each attribute of every single event, document, or transaction. Once developed, analysis of the comprehensive repository provides greater insights on the trends and clarity of how things progressed in the fraud scheme.
Different such chronologies developed in different workstream also overlap to show unique insights that is otherwise not clear from focused analysis of any single workstream. For example, we might note from work performed in HR area that an adhoc promotion/ additional charge of a certain official entitled him to become a member of the procurement committee and vote in favour of a particular vendor being investigated separately.
Once the investigator has complete view of the events and correspondence that were created during the relevant time period, only then is the investigator able to form a hypothesis of how the fraud may have been perpetrated, if at all.
The repository, in addition to creating a chronology by adding dates, need to also be enhanced to include the gist or a short summary of the event or document to provide a birds’ eye view to the lead investigator. In our practical experience, these strategies have combined documentation and correspondence spanning over a decade in a manageable and usable format resulting in a much more convenient review and establishment of case patterns.
This approach helps in establishing layers in field team which would otherwise be a haphazard mess with the review being performed at the documentation analysis of the junior-most members of the team by the seniormost members of the team with the middle-tier in confusion for how to add value. The task of populating the gist based on the review of the documentation is appropriate for the middle tier to perform. In large engagements, it may not be unusual to have qualified managers or assistant managers in the middle-level tiers or even on a specific workstreams.
Another useful tool in the document analysis is the use of Computer Forensics software to perform complex document review procedures including advance keyword searches using GREP search terms. Although expensive but couple with a high-speed double-sided OCR scanner, the technological assistance can prove to be a game-changer in large scale investigations. Big data forming part of the information gathered, for example, master sales database, production electronic records, etc should also be subjected to data analysis procedures using SQL or R, if not possible through simple Excel.
However, none of the techniques will prove to be effective unless interim interventions by the lead investigation team or investigator are made periodically to review the overarching picture emerging from the analysis.
Creating a hypothesis
This requires creative thinking. At the risk of raising a few eyebrows, the key to success is to put yourself in the fraudster’s shoes. If the CEO of a multinational earns Rs. 2.5 million per month and he runs the leading corporation in its sector earning Rs. 10 billion net profit a year, his annual income is still Rs. 30 million. That can barely buy a single house in the posh localities these days. Consider on the other hand his main distributor, who is also the owner of his company; his net profit may be only Rs. 200 million, but they’re all for his taking. The CEO – an employee – has to have the thought of comparison cross his mind at some point or the other. And some CEOs then may resort to self-dealing through the distributors. This may be indicated through shady distributor selection mechanisms, long-running distributor relationships, special arrangements with the distributor to transfer funds to him for services with less verifiability etc.
On a smaller scale, an allegation of undocumented production to compensate a government official may be substantiated by developing the hypothesis that perhaps the material used was shown as destroyed and written off. This could be done by forging the quality control documentation that supports the destroyed inventory.
There may be infinite number of hypotheses and it is necessary to harness one’s imagination and entertain only those fitting the merits of the information initially available and as learned through documentation analysis. This is a key moment in the timeline for an investigator because moving hereon requires a decision on where to focus a team’s time and energies to and eventually control the economics of the engagement so as not to imbalance the cost vs. benefit equation of the investigative process.
Testing the hypothesis
This is the stage where the investigators perform targeted testing of the documentation and records or physical observation of processes to substantiate or refute the hypothesis. While sounding very clever, the instances quoted above in the hypothesis are all that have been successfully caught and proven fraudulent or at least executed with fraudulent intent. For example, some signatures and time recordings in the lab testing documentations were after the signing person had already left for home as per the biometric attendance system records; some documents were dated when Karachi was shut down due to an ad hoc holiday announced by the government; in a procurement transaction, the redesigned procurement committee in a high profile procurement transaction had a member who was earlier a member of technical committee that made suggestions in favour of the vendor that the said procurement committee approved. Cross-linking with HR records showed the said member served in the position which allowed him to be a part of procurement committee for only 7 days. Cross-linking the repositories of two different procurement transactions of same product showed strike contrast in the technical eligibility criteria. This was done to avoid rejection of bid of the same vendor on performance grounds.
All of this is attained after approaching the documentation review in a targeted manner with a hypothesis in mind. Practically, the above two are not isolated separate processes and a line dividing the two is rarely clear.
Refining and amending the hypothesis
Targeted testing may reveal circumstances which may completely change the direction of the examination. This is normal and should not cause panic for the fraud examiner. In one of our recent examination involving computer fraud, the primary suspect had virtually everything pointing towards “probable cause”. However, when the hypothesis was tested, the person was revealed to be the most secured person in the entire investigation, and computer forensic software results coupled with the interviews highlighted grave irregularities at the side of the organization which was not identified by prior three non-professional inquiries conducted internally.
The process can be inefficient and it is imperative to keep all stakeholders informed of the progress and continue to gauge their appetite for further analysis. This requires skills of the investigator to communicate with the aid of dashboard reporting preferably, how the investigation is progressing in a sure-footed manner.
Communicating results
The principles of AIDA and the seven C’s as learned in Business Management and Communication obviously apply here. However, a fraud examiners’ report is distinguished from any other report with one key highlighting feature: No fact unsubstantiated. All evidences in the report should be clearly organized, catalogued and presented as a support to the report. The report itself should contain minimal mental impression and conjectures which may indicate bias unless the conjecture can be reasonably be expected to be made by any other independent person.
The litmus test of an effective fraud examiners report is the fact that an independent person with no prior knowledge of the case or the subject matters discussed arrives at the same conclusion as the fraud examiner. An effective quality control process is important in large investigation to ensure this result.
There are many sub-components of the overarching summary presented in this articles such as data analysis using MS Excel, ACL, interviewing skills, dashboard reporting skills, file management, documentation flow control, evidence cataloguing etc. which are vital for an investigation to succeed. However, the broader frame of reference, if set properly, can naturally progress to include these and many additional features in a good investigator’s work approach.