9 Documentation Elements of a Model Risk Program Framework

Models are all around us — integral and important to operational efficiency — but the risks that they sometimes pose can materially impact the financial well-being of even the most well-structured organizations. In order to understand the risks, we must first define what a model is and what the inherent risks are when operating a model.

The Difference Between Operational Risk Management and Operational Resilience

Operational resilience is a set of techniques that allow people, processes and informational systems to adapt to changing patterns. In other words, it is the ability to alter operations in the face of changing business conditions. Operationally resilient enterprises have the competency to ramp up or slow down operations in a way that provides a competitive edge, and enables quick and local process modification.

Investigator Dives Deep Into Digital Data & Information

MEMBER PROFILE

Tyson Johnson, CFE, CPP
VP, Business Development, BrightPlanet  
Oakville, Ontario, Canada

Before even graduating from college, Tyson Johnson, CFE, CPP, VP of Business Development at BrightPlanet in Ontario, had spent hundreds of hours conducting surveillance, performing interviews, writing reports, conducting undercover investigations, and even testifying in court. Johnson says that his passion for fighting fraud is something that has always been in him. “I spent my summers and free time between studies working as a private investigator, cutting my teeth on suspect personal injury claimants for insurance firms,” Johnson said. “It started early in my life and has simply become part of who I am.”

What steps led you to your current position?  

I have always been passionate about 'intelligence' and its ability to help nations, companies and individuals to make better decisions by identifying risks and opportunities. While in university, I knew I wanted to enter the Canadian Security Intelligence Service (CSIS). I was fortunate to be selected by CSIS, and I enjoyed my time with that organization. It was during my years as an Intelligence Officer that I obtained my CFE credential and also became aware of BrightPlanet. After departing CSIS I held progressively more senior risk management roles, starting with a global bank, and then two global manufacturing firms, before having the opportunity to join BrightPlanet.

Did you always plan to pursue the role you are currently in?  

Actually, yes. For the past decade I have used BrightPlanet's services. I began speaking with their leadership five years ago and stated that should they ever wish to move their business into the mainstream (diversify away from government contracts) I would be interested. The phone call happened about six months ago, and the rest is history. I am very excited to help my fellow CFEs with their online anti-fraud objectives.

How do you think online investigations have changed in the last five years?  

Online investigations have changed and will continue to change as fast as the technology changes. Years ago, I remember conducting an investigation and obtaining an Anton Piller (civil search order) to collect digital data devices for forensic review. That amounted to one desktop computer, one thumb drive and diskettes. Today, anyone looking to collect digital data will need to deal with laptops, smart phones, thumb drives, MP3 players, SD cards, DropBox accounts, Gmail accounts and social media profiles, all while ensuring privacy laws, data ownership issues and other legal issues are properly dealt with. Not to mention the difficulties we face with Bring Your Own Device (BYOD) strategies at the workplace. This happens when personal devices are used to access the Internet within a secure environment and employees have access to confidential information.

What career advice do you have for those just starting out in the fraud-fighting field?  

Become rooted in the fundamentals of fraud investigation, but remain innovative and open to embracing changes in the legal and technological landscapes. Find a good mentor and listen to their counsel. Become a lifelong learner in fighting fraud, and take pride in your work.

Read Tyson's full profile in the Career Center on ACFE.com.

Case Study: The Desperate Accountant & Her Employer's Weak Internal Controls

SPECIAL TO THE WEB

Robert Tie, CFE, CFP
Contributing Writer, Fraud Magazine

The elements of an occupational fraud were all in place: A trusted accountant — deep in debt — noticed a weakness in her highly profitable employer's internal controls. She and two outside accomplices fully exploited that deficiency. But the Orange County, Calif., District Attorney's Office made sure they didn't get away with it.

Life didn't seem fair to Cecile Nhung Campbell, CPA. She was desperate for cash, while her employer, Kia Motors America — where she routinely approved payment of six-figure invoices — was rolling in it.

But what if Cecile could be clever enough to filch some of that money, and Kia didn't notice? Wouldn't that mean she needed it — and therefore deserved it — more than Kia did?

POINT OF VIEW

It was the best of times … or the worst, depending on whom you asked.

In 2002, debt-ridden Cecile and her husband, attorney Mel Wayne Campbell, were at the end of their financial rope. Cecile worked in the accounting department at the Irvine, Calif., U.S. headquarters of Korean car maker Kia Motors; Mel was active in Orange County real estate. The professional couple was living beyond their means and had consumed two large home equity lines of credit (HELOC).

Kia, though, had never seen better days. Its U.S. sales had soared 47 percent in the prior year, propelling the firm toward the top rank of global auto manufacturers.

OPPORTUNITY KNOCKS

Part of Cecile's job was processing U.S. Customs Service invoices for import duty due on the cars Kia shipped from Korea to America's West Coast. When she approved an invoice, Kia's accounts payable department would send a check or wire transfer to the Customs Service bank account that was specified on the invoice. (The Customs Service is now the Bureau of Customs and Border Protection.)

Unfortunately for Kia, its risk management procedures hadn't kept pace with the company's rapid expansion. Cecile noticed that lately accounts payable had been minimally reviewing Customs Service invoices before paying them. She began to form a fraud scheme that could divert some of Kia's plentiful cash into her hands.

She shared the vague plan with her husband, and he asked to hear more. Cecile explained the perfunctory bill payment workflow at Kia. They brainstormed over a suitable billing scheme and weighed the odds of its success. Eventually they concluded that Kia's anti-fraud controls were weak enough to overcome. So they finalized their plan and prepared to act on it.

THE SETUP

First, Cecile asked her younger brother, Long Ngoc Ho, to obtain a fictitious business name statement, which was necessary for opening a bank account under a name other than that of the depositor. Ho managed to acquire such a statement — for a nonexistent firm doing business as "U.S. Customs Service Detail." He then brought it to the Campbells' bank and opened an account there under that business name.

Cecile had chosen that name for the phony account because she was confident it would pass muster in Kia's accounts payable unit. Ho listed himself as an officer of the fake firm. The bank was eager to add a depositor, so it didn't ask any questions Ho couldn't plausibly answer. He then gave his sister the routing number and documentation for the new account. (Ultimately, Ho didn't participate any further in the scheme. He didn't benefit from it in any way — financially or otherwise.)

Next, Cecile made a photocopy of a valid U.S. Customs Service invoice that she'd recently approved and Kia had paid by check. Then she changed the invoice date to the current month, replaced the bank routing number with that of the phony account her brother had opened and made a fresh copy of the altered document. It looked just like an actual U.S. Customs Service invoice. Cecile then approved the phony bill, sent it to accounts payable and requested that it send the funds by wire transfer rather than by check. She rashly cast caution aside because she wanted to get the money quickly.

Read the full article at Fraud-Magazine.com.

Even if it Ain’t Broke, Consider Fixing It

GUEST BLOGGER

Catherine Lofland, CPA
ACFE Research Specialist

The average person can name several corporate scandals off the top of their head. Once a fraud scandal becomes a household name, the victim organization may never recover from the damage to its reputation. The effects are far-reaching: employees, investors, creditors, vendors, customers and the community are among those who can suffer tremendously from fraud. The pervasive threat of corporate malfeasance indicates companies need to seriously consider whether they have effective systems in place to prevent such scandals. While strong internal controls, independent external audits, an ethics program and a whistleblower policy are effective fraud deterrents and detection methods, these measures succeed only when supported by a robust corporate governance system.

Corporate governance refers to the procedures and processes according to which an organization is controlled. It consists of the official policies promoting oversight and accountability in a variety of areas, including financial reporting, corporate strategy and risk management. You can think of corporate governance as a system of checks and balances similar to those outlined in the U.S. Constitution, which allow the branches of the government to regulate one another. An organization’s checks and balances are designed to protect the diverse interests of its stakeholder groups by keeping management and the board in line.

One of the biggest challenges in implementing a corporate governance system is that some companies, especially smaller organizations, don’t see any reason to change the status quo. This “if it ain’t broke, don’t fix it” attitude toward fraud prevention can be dangerous. Managers who exhibit this attitude aren’t concerned about fraud simply because they haven’t suffered from it yet. However, if an organization has a weak corporate governance structure, a devastating fraud might be just around the corner.

Our latest online self-study course, Corporate Governance for Fraud Prevention, describes the principles, functions and essential components of a corporate governance system. It addresses the controversy of CEO duality, the recommended committees any organization should have on its board of directors and how to set the appropriate tone at the top. The course discusses corporate governance best practices that you can tailor to your organization’s structure and needs, since there is no one-size-fits-all approach.

Many corporate governance programs are born from a crisis. But it is critical not to wait until disaster strikes at your organization to begin implementing an effective corporate governance system. While establishing preventive measures might seem costly and burdensome, they are vital to the success, reputation and longevity of your company.

Read more about the new course here.