In this exclusive interview, Ethisphere Editor in Chief Bill Coffin speaks with Linda Miller, Principal, Advisory Services, Grant Thornton LLP, and Paul Sobel, Chairman of the Committee of Sponsoring Organizations (COSO) about the current state of fraud risk management, the development of a new COSO fraud risk management guide, and how life after COVID-19 is changing the fraud risk landscape for everyone.
What does today’s fraud risk landscape look like, especially after so many organizations experienced significant disruptions and challenges to their controls and processes as a result of the COVID-19 pandemic?
Linda Miller: It is extremely varied. There are some proactive organizations that have established very formal structures for thinking through their fraud risks, and they follow best practices really well. There are others that don’t have a clear fraud risk assessment structure in place.
Fraud can be deceptive; you often don’t know how much fraud you might have. A lot of times, organizations think they don’t have a problem with it until there is a big fraud event. I always say that organizations that haven’t given a lot of thought to fraud risk management likely have much higher fraud losses than those who have.
In conjunction with large-scale data breaches, we are seeing a big rise in fraud schemes perpetrated through cyber channels using stolen identities. Many organizations have been caught flat-footed by the sophistication of those fraudsters, the tools they are using, and the speed with which they’re able to adapt to changing technology.
The pandemic also hastened social engineering—people falling victim to fraud schemes through some sort of personal deception, such as phishing, fooling someone into clicking a link and downloading malware, getting them to share personal data, etc. We’re also seeing a lot of real-time payment schemes rising in the banking community, as people are being fooled into authorizing fraudulent payments, believing that they are real. When the world transitioned to a remote working environment, we saw a lot more of these schemes, since people were further away from their IT departments, and maybe were not getting patches downloaded to their systems. And because there was such anxiety in the world as a result of the pandemic, people are much more susceptible to falling prey to social engineering schemes than we had seen in the past.
For example, we’ve seen companies conduct phishing testing where they send a very, very authentic-looking email at 7:00 am on a Monday morning to see if employees are not paying close enough attention and fall victim to the phishing attack. Companies found their employees were three times more likely to click on a suspicious link because they were distracted; for example, they’re getting ready for work, maybe trying to get their kids ready for school, and are checking emails in between different tasks.
So, we have this environment where people’s attention is very much divided. When you have people in that distracted environment, they are going to be more susceptible to social engineering schemes, which is an example of how important it is to think about what new fraud risks might exist, and how you should adapt to them.
Paul Sobel: I think the bad guys out there recognize that people were perhaps a little more vulnerable and feeling a little more stressed or uncertain because they are working from home. The frequency and creativity of some of the email messages that came through probably made it easier for individuals to slip up, think that something sounds right, and click on something they shouldn’t have.
Another area that bears watching relates to ESG reporting. In other parts of the world, sustainability reporting is more common compared to the United States—although we have some likely SEC requirements coming down the path. This is non-financial information, and I think companies are probably less prepared to make sure that this information has the same veracity and internal controls as financial information. As a result, there will be more potential for intentional misreporting because companies are getting pressure from shareholder groups in this area, so they decide they better put a good foot forward in the ESG area.
Linda Miller: In June, we went live with a guide on ESG fraud that Grant Thornton jointly published with the Association of Certified Fraud Examiners. I completely agree with Paul. It’s a very significant, growing threat to companies that most people have not really given a lot of thought to from a fraud risk management perspective.
How would you say that emerging risks have affected how companies have approached their fraud risk management practices and programs?
Paul Sobel: A lot of things accelerated during the pandemic, including the increasing vulnerability to fraud risk. The more mature companies are certainly realizing that you can’t just conduct fraud risk assessments once a year and have that be sufficient, just like a once-a-year business risk assessment is no longer sufficient.
Companies are realizing that this must be more of a continuous process. That doesn’t mean every second of every minute of every hour. However, you need to have people looking for signposts or indicators of change that show you may be vulnerable to a new and emerging fraud risk that you weren’t vulnerable to the month before. That is causing companies to think about this on a more regular basis and try to be more proactive.
COSO will be publishing an update to its 2016 FRM Guide later this year. That is no small task. What was the impetus for undertaking such an update?
Paul Sobel: For those who aren’t familiar, the 2016 fraud risk management guide was co-authored by COSO and the ACFE, and it has been very widely recognized and received. It takes the COSO internal control framework and maps it to five key fraud risk management principles, which have become broadly recognized as well.
That guide is very good and still relevant, but as the COSO board, we’ve been thinking about which parts of our past guidance needed updating. So, I reached out to the ACFE to see if we could try and bring it a little bit more into the current world. For example, there is now an ESG component in there, and there is more about data analytics compared to the 2016 guide. Data analytics is a key way to monitor changing risk factors that could lead to fraud.
We’ve also simplified some of the appendices and are making it a little bit more user-friendly. It is a very large task. This is something that’s been underway for a year, and it will be more than 100 pages. We’re still working through it with the ACFE, but we are very excited about having something fresh and more current out in the marketplace, hopefully by early fall of 2022.
What should companies think about as they adopt the suggested changes from COSO’s updated fraud risk management guide?
Linda Miller: I was working on the COSO fraud risk management guide update with the ACFE, and companies are going to be encouraged to consider some of these new threats we were just talking about through the new guide. It used to be that things like account takeovers were a big fraud threat for the banking industry, but they weren’t looking at the different types of synthetic identity-based fraud risks. There wasn’t a lot of guidance on how they could use data to identify fraud and patterns in their data. The guide is much more relevant today to the kind of fraud environment that we live in currently.
I spent a year as the Deputy Executive Director of the Pandemic Response Accountability Committee, and we saw some very creative frauds being perpetrated in pandemic spending programs. And so, we incorporated how we worked closely with the Inspector General community to look at PPP, unemployment assistance, and other types of Small Business Administration loan frauds. We have really revamped the government appendix in the new COSO guide to make it more relevant to today’s fraud risks. Some of those government agencies were operating on quite antiquated IT infrastructures, and the guide helps every kind of organization consider how they can modernize, use data more effectively, and start to anticipate some of these more emerging fraud threats.
Grant Thornton’s Anti-Fraud playbook also provides a comprehensive review of fraud risk management activities: fraud risk governance, fraud risk assessment, fraud control activities, fraud investigation and corrective action, and fraud risk management monitoring activities. Companies can’t do them all equally, at the same time, so what areas should they prioritize?
Linda Miller: No, they can’t. They are kind of chronological, and they do align with the same five risk management principles from the COSO fraud risk management guide. You could just do an ad-hoc fraud risk assessment, but without a structure in place, some accountability mechanism, and people whose job it is to consider fraud holistically across the organization, then it’s not going to be nearly as effective as it could be. So, the first component of establishing a culture, structure, and governance is very important.
The fraud risk assessment piece is vital to being able to develop controls that are effective. If you put in place anti-fraud controls without the benefit of considering where your biggest risks are, you may be spending money on controls that you don’t really need. You may also be leaving some large gaps uncontrolled.
If you had to pick what is the most impactful of those five areas, it’s the third, implementing the proactive preventative controls. I say this all the time when people talk to me about it: everybody can find some low-hanging fruit to put some controls in. Even if you don’t know where to start, you could do some analytics on areas such as purchase card data. We recently did some basic data visualization for a client, and we looked at the number of employees who had 12 or more purchase cards, and the client asked, why would an employee have 12 purchase cards? We said, we didn’t know, but 27 employees had 12 purchase cards. And the client didn’t know that; they had never looked at their data in that way.
You can spend tons of money to bring in a big vendor that does very sophisticated AI solutions, but if you overlook the easy pieces, then you miss opportunities for quick wins—and that’s really important. Data is the key in all of this, and the control environment is about using data more effectively than most other organizations. There are a few organizations, primarily in the financial services industry, that do this well; but most companies struggle to understand even the most basic challenges that they have because they’re not using their data the way they could be using it.
Do you see a significant difference in how companies prioritize their fraud risk management activities based on company size and/or program maturity?
Paul Sobel: I think so. Typically, larger, better-funded companies with more mature fraud risk programs are going to be looking at all five of those fraud risk management activities more comprehensively as opposed to just focusing on the third area on fraud control activities, and in particular, fraud risk assessment. Those are not easy to do. They require some commitment of time and expertise to facilitate the discussion. A lot of the less mature, and often smaller, companies don’t bother with that step. They jump to the risk areas and put controls in place, so they’re probably more vulnerable to the less obvious risks. I think that’s just the nature of the beast; larger, better-funded companies are going to spend more money on this, and money does make a difference, no question about it. It also makes them a little bit more proactive in understanding and addressing the risks, whereas smaller, less mature organizations are probably much more reactive. That can work for a time. You can get lucky for years, but when your luck runs out, you’re probably going to pay a heavier price than if you had been more proactive to begin with.
What should companies keep in mind as they implement monitoring activities as part of their FRM programs?
Linda Miller: Using data in the smartest way possible. For example, a lot of internal audit groups have an enormous amount of data that they could be using to monitor their progress if they understood how that data could be useful. It goes back to what data we collect, and how we can use that data to understand how our fraud risk environment might be changing.
There are a lot of specific data elements around basic operational processes, and you can start to see anomalies if you look at that data regularly. If you know what to expect, then it looks different when it’s deviating from the expected patterns. Again, it goes back to keeping track of how things are going in a normal environment. You have a baseline, and then you are able to look for spikes and changes in that baseline with basic things like Benford’s Law, which is an old tool in the fraud examiner’s toolbox. Are you going back and looking at your invoices on a regular interval to run some very basic analyses to see if there is anything unusual? Why did one vendor charge you five times more at the end of a particular month, or why, on the third day of each month, are you seeing unusual spikes in some of your invoices? One question I always ask is, are people being required to go on vacation?
These are the kinds of monitoring activities that can keep you out of major fraud events if you’re smart about it. But if you’re being reactive, as Paul was saying, it could go months or years before you discover that you have an internal fraud scheme that has been growing and growing.
What advice would you have for companies that are looking to strengthen their overall FRM programs?
Linda Miller: Structure is extremely important. If you’re thinking holistically about how you can improve your fraud risk management program, one of the very first things you need to look at is if you have a structure that will allow you to be successful. Do you have people whose roles and responsibilities are dedicated to fraud risk management, and do they understand that discipline? Do you rely on your first line of defense—the people who interact with your customers—to manage fraud or do you have a second line of defense that allows you to receive input from the first line, and to communicate and guide their activities? To be honest, there are a lot of people that don’t have any kind of background in fraud, and they don’t really understand how fraud manifests itself.
I’ve had clients who will spend a 40-hour customer service training session for their new hires, and only one of those hours is on fraud. Not that the training should be 39 hours on fraud and only one hour in the other direction, but a lot of organizations aren’t thinking about fraud. Fraud is not baked into their culture, and they’re not considering it. They’re thinking much more about customer service and lowering the friction for their customers. You’ll go out of business if you don’t think about your customers, but you’ll also go out of business if you put your customers or your own bottom line at risk.
Paul Sobel: I think one of the biggest things that organizations can do is to be more continuous in how they assess fraud risks and how they monitor emerging fraud risks in the marketplace. Even the more mature organizations still tend to only conduct an annual fraud risk assessment. That can get you by maybe for financial reporting fraud, but not for a lot of these other types of frauds. Organizations are having to realize that you need to divide and conquer so different people monitor different aspects in the environment. But they also need to have some way of bringing that information together on a more continuous basis so that you can reassess fraud as you need to, as opposed to, whenever the calendar happens to flip the page.
A lot of businesses that took a hit during COVID are trying to make up for lost ground financially now. Do you see that as a possible vector for fraud?
Linda Miller: I think there’s going to be an increase in financial statement fraud coming out of the pandemic. We thought that would happen all along, because if you’re feeling under the gun, and you’re not performing well, you’re going to be under pressure to manipulate your financial reporting. Coming out of the pandemic, I also think there is a higher risk of internal actors colluding with external actors. You saw how easy it was to commit fraud using stolen identities on the dark web. It was a game that just about everybody got into. You didn’t have to be a sophisticated fraudster to learn how to use an onion router, you get on the dark web, and you were in business.
A lot of these people cut their teeth on these fraud schemes during the pandemic, and now they’re going to be more emboldened to do that going forward. There’s a lot of fallout in the post-pandemic landscape, especially since I think a lot of people aren’t going to go back to the office permanently. Remote work is going to be the new normal, and how our businesses adapt to that will be a lot of our growing pains over the next couple years.
Final thoughts?
Paul Sobel: Try to be more proactive than reactive. It’s very easy, particularly in challenging times, to be reactive, but that is penny-wise and pound-foolish. It’s going to catch up with you at some point. The companies that are more proactive and trying to anticipate how their fraud risks may change are more likely to maybe prevent it in some cases, or certainly detect it in a more timely manner and then deal with it in a more cost-effective way.
Linda Miller: There is a difference between fraud risk and fraud loss. Fraud risk is what could happen. Fraud loss is what you know has happened. And it’s important to understand the difference. That often gets conflated in people’s minds, and so they think that because they haven’t discovered a fraud, it didn’t happen. Or, they have had historically low fraud losses, so their environment is not at high risk for fraud. That is a fallacy. The point of a fraud risk assessment is to think about the different ways that you may be defrauded right now, but you just haven’t identified or detected it yet.
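As an added illustration that is not part of the interview, the COSO guide, or Grant Thornton’s playbook, here are the two baseline analytics Linda Miller describes above, written in Python: a Benford’s Law check on the leading digits of invoice amounts, and a count of purchase cards per employee. The invoice amounts, the card assignments, the employee and card identifiers, and the $10,000 approval limit are all constructed for this example; only the 12-card threshold comes from the interview.

```python
"""Baseline fraud analytics on constructed data: a Benford's Law first-digit test
over invoice amounts, and a distinct-cards-per-employee count. Example code, not
from the interview or the COSO guide."""
import math
from collections import Counter

# Benford's Law: the leading digit d of naturally occurring amounts appears with
# probability log10(1 + 1/d), so about 30.1% start with 1 and only 4.6% with 9.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom (9 digits minus 1) at alpha = 0.05.
CHI2_CRIT_8DF_05 = 15.507


def first_digit(amount):
    """Leading non-zero digit of a positive amount; None for zero, negative or missing.

    Scientific notation yields the first significant digit at any magnitude,
    so 0.05 -> 5 and 1234.56 -> 1 without string-stripping corner cases.
    """
    if not amount or amount <= 0:
        return None
    return int(f"{amount:e}"[0])


def benford_test(amounts):
    """Compare observed first-digit counts with Benford's Law.

    Returns (chi2, counts, flagged). 'flagged' is True when the deviation is larger
    than chance explains at the 5% level; that is a cue to drill into the population,
    not proof of fraud.
    """
    observed = Counter(d for d in map(first_digit, amounts) if d is not None)
    counts = {d: observed.get(d, 0) for d in range(1, 10)}
    n = sum(counts.values())
    if n == 0:
        return 0.0, counts, False
    chi2 = 0.0
    for d in range(1, 10):
        expected = n * BENFORD[d]
        chi2 += (counts[d] - expected) ** 2 / expected
    return chi2, counts, chi2 > CHI2_CRIT_8DF_05


def employees_over_card_limit(card_assignments, max_cards=12):
    """Count distinct cards per employee from (employee_id, card_id) pairs and
    return {employee_id: count} for everyone at or above max_cards."""
    per_employee = Counter(emp for emp, _card in set(card_assignments))
    return {emp: c for emp, c in per_employee.items() if c >= max_cards}


# Constructed sample (not real data): 150 invoice amounts spread log-uniformly
# from $1 to about $955, the scale-free spread under which Benford's Law holds.
BASELINE_INVOICES = [10 ** (k / 50) for k in range(150)]

# Constructed sample: 60 invoices parked just under a hypothetical $10,000 approval
# limit, the classic pattern of shaving or splitting invoices to dodge a control.
SUSPECT_INVOICES = [9850.00, 9900.00, 9950.00, 9975.00] * 15

# Constructed sample of (employee_id, card_id) pairs; all identifiers are hypothetical.
CARD_ASSIGNMENTS = (
    [("E100", f"C{i:03d}") for i in range(12)]          # 12 cards
    + [("E200", "C012"), ("E200", "C013")]               # 2 cards
    + [("E300", f"C{20 + i:03d}") for i in range(15)]    # 15 cards
)

if __name__ == "__main__":
    for label, data in [("baseline", BASELINE_INVOICES),
                        ("baseline + suspect", BASELINE_INVOICES + SUSPECT_INVOICES)]:
        chi2, counts, flagged = benford_test(data)
        print(f"{label}: chi2={chi2:.1f} flagged={flagged} counts={counts}")
    print("employees at/over card limit:", employees_over_card_limit(CARD_ASSIGNMENTS))
```

Run as a script, the baseline population passes (chi-square around 2) while adding the sixty just-under-limit invoices pushes the digit-9 count far above its Benford expectation and flags the population. Two caveats a practitioner should keep in mind: a flag points at a vendor, period or approver to examine, not at a fraud, and populations with hard floors or ceilings (fixed fees, capped reimbursements) or only a few dozen records do not follow Benford’s Law and need a different baseline.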
About the Experts
Linda Miller, Principal, Advisory Services for Grant Thornton LLP is a nationally recognized expert in fraud risk management. From 2020-2021, Miller served as the Deputy Executive Director of the Pandemic Response Accountability Committee (PRAC), where she helped stand up a brand new, fully virtual government agency tasked with overseeing $5 trillion in pandemic relief in the midst of a global pandemic. While at the Government Accountability Office, Miller led the development of the Framework for Managing Fraud Risks in Federal Programs. Miller also helped draft the Fraud Reduction and Data Analytics Act of 2015 and served on the task force that developed the COSO Fraud Risk Management Guide, which guides the private sector in fraud risk management. An accomplished elite athlete, Miller competed at the Olympic Games in 2000 in the sport of rowing.
Paul Sobel, Chairman, the Committee of Sponsoring Organizations (COSO), is widely recognized as a leading expert on governance, enterprise risk management, compliance, and internal control. He was a key member of the Advisory Council that provided input for the 2017 update to COSO’s ERM Framework, Enterprise Risk Management—Integrating with Strategy and Performance. Prior to joining COSO, Sobel was the Chief Risk Officer and Chief Audit Executive for Georgia-Pacific, LLC, a privately-owned forest and consumer products company based in Atlanta, Ga. Sobel was inducted by The Institute of Internal Auditors (IIA) in the prestigious American Hall of Distinguished Audit Practitioners; was awarded the IIA’s Bradford Cadmus Memorial Award for outstanding contributions in research, education, and other activities related to internal auditing; and was selected as one of the 100 Most Influential People in Finance by Treasury & Risk Magazine. He is a sought-after speaker and a prolific author.
This interview was facilitated by the Center for Audit Quality and Anti-Fraud Collaboration, and stems from the work done by the BELA Fraud Risk Management Working Group, which concluded in May 2022. That Working Group’s paper can be found in the BELA Member Hub. Need access? Email [email protected]