ACCA UK’s Internal Audit Network Panel organised a webinar on ‘Frauditing for internal auditors’ back in 2015. A panel of three experts from CIFAS, NHS Protect and Grant Thornton explored the fraud landscape. Below is an overview of the event. 

Internal fraud - the view from the Fraud Prevention Service

Sophie Keen is the business engagement manager at CIFAS, a role that involves helping organisations from both the private and public sectors to see the benefits of sharing data to combat both customer and internal fraud. Before taking on this role, she managed the Internal Fraud Database, focusing purely on insider threats and working with organisations across all sectors to help combat them. 

By examining the cases of internal fraud filed with CIFAS in 2014, Sophie gave an overview of what threats are on the increase and what steps can be taken to help counter these. 

What is CIFAS?

CIFAS is a not-for-profit membership organisation that allows organisations to share information with one another on confirmed frauds, to prevent the same identities and addresses from being re-used for fraud. CIFAS operates on the basis that fraud data is non-competitive and that co-operation and communication are in the interests of crime prevention. 

The Internal Fraud Database (IFD)

CIFAS runs an Internal Fraud Database that members can access for the purposes of filing data on confirmed internal fraud cases, and searching applicants and current staff against the database as part of their vetting and screening process. There are currently over 130 organisations using the database and they collectively filed 751 cases in 2014. All cases filed are live and available for matching on for six years before automatically dropping off. Members also have the advantage of being able to match on over 90,000 cases of confirmed fraud risk with the majority of these being made up of immigration cases supplied by the Home Office. 

How does it work?

All of the cases filed with CIFAS are confirmed frauds that have been investigated and are backed by evidence. All of these cases are proven and every individual involved has been notified by way of a Fair Processing Notification. 

All of the cases filed by CIFAS members are categorised into five general fraud types: 

  • account fraud
  • dishonest action to obtain a benefit by theft or deception
  • employment application fraud
  • unauthorised obtaining or disclosure of personal or commercial information
  • bribery and corruption.

IFD cases recorded in 2014

Employment application fraud made up the greatest proportion of cases filed in 2014 with dishonest action by staff coming second. All organisations are at risk of these fraud types whereas something like an account fraud is likely to affect banks over other types of organisation. These two fraud types were also the most filed in 2013. 

A total of 751 cases was filed in 2014, an increase of nearly 18% on 2013. The biggest percentage increase came from successful employment application frauds, where 51 of the 77 cases were filed because of concealed unspent criminal convictions. With DBS checks often taking time to come back, organisations frequently have to start employing an individual before all the checks have completed.


Internal fraud type                               2013   2014   % change
Account fraud                                       46     30     -34.8%
Being bribed                                         -      1          -
Dishonest actions                                  268    227     -10.6%
Employment application fraud - successful           31     77    +148.4%
Employment application fraud - unsuccessful        293    396     +35.2%
Unauthorised disclosure of commercial data           4      1     -75.0%
Unauthorised disclosure of personal data            48     53     +10.4%
Total cases                                        638    751     +17.7%

Employment application fraud

Looking at both successful and unsuccessful employment application frauds, they accounted for 63% of cases recorded in 2014. These include the concealment of unspent criminal convictions but also things such as concealed employment record, material falsehoods such as immigration status, qualifications and references. 

The consistent high level of filing emphasises the need for proper vetting and screening of candidates. 

Dishonest action by staff to obtain a benefit by theft or deception

The next most frequently filed fraud on the database in 2014 was dishonest action by staff to obtain a benefit by theft or deception and accounted for 30% of cases. This covers a broad range of fraud such as theft of cash, false expenses, procurement fraud and facilitating fraudulent applications. Theft of cash from either the customer or the employer has continually been the most common reason for filing. However the number of these cases in 2014 dropped by 63% over the number of cases filed in 2013. 

The only reason for filing a case of dishonest action that increased in 2014 was employees manipulating their own accounts. Fraud involving the manipulation of accounts requires knowledge of company systems and processes, which is perhaps why the average length of service for these employees remains the highest across all fraud types at 6.9 years. 

Account fraud

Account frauds accounted for 4% of the cases filed in 2014 and dropped by just over a third compared to 2013. This appears to be a continuing downward trend: 2013 saw a drop of 16% compared to 2012. Tighter controls and increased account monitoring implemented by organisations could be having a strong deterrent effect. In addition, the increased ease with which consumers can control and access their own accounts through online and mobile banking and text alerts may be discouraging employees from attempting this type of fraud. Employees who do commit this type of fraud may therefore be choosing to target elderly or vulnerable customers, who are more likely to use traditional banking channels. 

Unlawful obtaining or disclosure of personal or commercial data

At 7% of cases, the number of these filings has always been lower than every other fraud type apart from account fraud, but they need to be viewed in the context that a single instance of data disclosure can have huge effects, not only on the organisation but also on customers and other members of staff. Filings relating to commercial data theft have always been the lowest, with only one filed in 2014. 

Member organisations have consistently reported that, whilst they believe these frauds are occurring, it is very hard to prove a case and gather the evidence needed to share it with others. Staff awareness is an important part of any internal fraud prevention policy, but with frauds involving the obtaining and disclosure of data, understanding the human element is key. 

The highest reason for filing under this fraud type was disclosure of customer data to a third party, with the next being fraudulent personal use of customer data. This is a continuing trend from 2013. This data can be extremely valuable and has the potential to be used for far more frauds once it has been harvested and subsequently placed in the wrong hands. 

Reporting of cases

Whilst all of the cases filed on the Internal Fraud Database must be of a standard where they could be reported to the police, there is no obligation to do so. In 2014, only 15% of the 751 cases filed were reported to law enforcement and only 3% went on to court. This is a drop in law enforcement reporting compared to 2013, when just under a quarter of cases were reported. It is not always possible to gain criminal convictions, given the resources of the police and the time organisations have to complete police reports. Relying on DBS checks is therefore not going to be a sufficient mechanism on its own to prevent fraudsters entering a company: a DBS check only reveals what reached a conviction, and most confirmed internal frauds never get that far. 

In summary, the number of cases being filed at CIFAS is increasing with the threat coming from both prospective and current employees. To help mitigate these risks, it is vital to have a fraud prevention strategy which includes staff awareness and education, strict access controls, and collaboration across all sectors to help share experiences and warn of known serial offenders. 

NHS Protect

Nicole McLaughlin is the area anti-fraud specialist for the South East and provides advice, guidance and direction on counter-fraud arrangements within NHS health bodies, particularly to Local Counter Fraud Specialists (LCFS) and Directors of Finance (DOF). The main elements of this work are developing and promoting an anti-fraud culture, supporting deterrence, prevention and detection work, supporting LCFS in conducting investigations, promoting the application of the full range of sanctions and promoting the pursuit of redress. 

Nicole talked about how NHS Protect deals with fraud within the NHS and highlighted some recent cases that made the national press:

  • ‘Manchester practice manager jailed for £150K fraud’
  • ‘GP Practice Manager jailed for £350K theft’
  • ‘Medically unqualified clinical director ordered to pay £250K to NHS’
  • ‘Former NHS Director jailed for CV lies’
  • ‘NHS Financial analyst and four accomplices jailed for conspiracy’

NHS Protect works predominantly with two pieces of legislation:

Fraud Act 2006: 

  • Section 2 – Fraud by false representation (eg. lying about the number of hours worked)
  • Section 3 – Fraud by failing to disclose information (eg. not disclosing an unspent criminal conviction in a job application)
  • Section 4 – Fraud by abuse of position (where you are in a position in which you are expected to safeguard, or not to act against, the financial interests of another person).

Bribery Act 2010 (the anti-corruption legislation), under which both individuals and organisations can be prosecuted: 

  • giving or rewarding by financial or other advantage
  • requesting, agreeing to receive or accepting the advantage
  • corporate failure to prevent bribery.

Fraud by false representation is the biggest area of work for NHS Protect. 

How do we protect the NHS?

All health bodies within the NHS – both providers and commissioners – are issued with the NHS Protect Standards. The standards are broken down into four areas: strategic governance, informing and involving, preventing and deterring, and holding to account, which is where a person is held to account following an investigation. NHS Protect will also work with the relevant professional regulatory body where the member of staff involved is a registered professional. 

Compliance with the standards is the starting point for any NHS Protect investigation - organisations not complying with the standards are deemed to be higher risk. The NHS is one of the biggest employers in Europe and within any NHS organisation, NHS Protect expects to see:

  • robust adherence to corporate procedures
  • application of NHS Protect Standards
  • all members of staff personally applying the Codes of Conduct
  • creation of an anti-crime culture
  • promotion of best practice at all times
  • sharing of breaches openly and quickly.

Fraud in the NHS

Fraud in the NHS is not widespread but there is a dishonest minority and fraud can be perpetrated by any of the following: 

  • Doctors / Dentists (claiming to provide treatment that they have not provided to real clients or clients that do not exist, or claiming for the same treatment several times)
  • Opticians (claiming for glasses or eye tests that they have not provided to real clients or clients that do not exist)
  • Pharmacists (claiming that a prescription was completed but the client was unable to pay when payment was in fact received)
  • Consultants (treating private patients using NHS facilities)
  • Staff (payroll fraud for expenses and hours worked, false references/qualifications/papers on job applications, non-declaration of convictions)
  • Patients (registering under false names to obtain prescription drugs, claiming for taxis to the hospital when they took the bus)
  • Contractors (inflating invoices, invoicing for work they have not done, procurement fraud).

In addition to those above, there are external fraud threats such as: 

  • Bank mandate fraud (where organisations are misled into paying fraudsters instead of suppliers)
  • Procurement fraud (numerous contracts for building works, catering, portering – a high risk area)
  • Bribery.

Case study – Operation GRANITE

This case happened 2-3 years ago:

  • A director of finance submitted a number of copy documents in support of the trust’s alleged financial status to the Department of Health and External Auditors. These documents were subsequently found to be forgeries of genuine valuation reports supplied to him by HMRC (Valuation Office Agency)
  • The forgeries showed lower valuations for Trust land/property sold during that financial year which if not discovered would have created false financial information in the Trust’s revenue account effectively clearing its financial liabilities and creating a £1,000,000 surplus for the 2006/07 financial year
  • His fingerprints revealed a number of previous criminal convictions recorded against him which were not declared on his original application for employment
  • Upon conviction (after trial) he was sentenced to 12 months imprisonment on each of the four counts. Although he did not benefit personally, he caused a loss and committed multiple types of fraud.

Using data analytics in fraud auditing

Tim Foster-Key is a director in Grant Thornton's Business Risk Services practice. He has wide experience in both IT audit and risk-based assignments, with a client base ranging from large corporates through to public sector and not-for-profit organisations. His technology and accounting background allows him to provide practical solutions, such as using data analytics to identify trends or exceptions that point to process and control weaknesses. 

Tim discussed the issues that arise, and the approach used to follow an audit through to delivery, when data analytics forms part of the internal audit approach and the data issues identified may suggest weak processes and controls or potential fraud. 

Benefits of using data analytics in frauditing

  • Higher levels of assurance
  • Identify more trends with larger samples
  • Increased quantification of control and process issues
  • Less resource hungry – let technology do the work whilst you step back and appraise the situation
  • Repeatable tests – easy to repeat tests in different ways
  • Early warning – identify issues before they become fraudulent and make recovery difficult
  • Create more customised tests that immediately add value e.g. fraud analytic testing for acquisition due diligence
  • Identify potential fraud indicators on large projects e.g. replacement of accounting/finance system

Use of data analytics within fraud audits

To mitigate fraud there are a number of instances where data analytics assists:

  • New vendor/supplier management or duplicate accounts
  • Gifts and entertainment logging and conformance to policy
  • Irregular payments to suppliers or general transactions
  • Irregular journal entries and adjustments
  • Payments to non-approved suppliers or compliance with dual sign off
  • Irregular timings of bookings and payments
  • Abnormal or 'too good to be true' transactions

Bear in mind that data analytics is very rarely the silver bullet or the solution to the work that you are doing either in a pure fraud context or a consequence of an internal audit assignment. It is more to do with giving you that focussed output that puts you onto a path to follow up with your other activities.

Evolution of data analytics maturity

Where do you sit in the evolution of data analytics? You will sit somewhere on this scale:

  1. Ad-hoc - utilised when needed but limited to select individuals with limited use of tools, perhaps Excel. No agreed approach or linkage to other data sets.
  2. Limited value - increasing adoption and perhaps use of IDEA/ACL. Some value, but not integrated with other data and with unpredictable results. Value added to the audit is not yet expected.
  3. Limited and valued - an analytics policy and methodology exist and analytics is in the 'driving seat' at the testing stage to validate controls. Wider usage within Internal Audit and value seen by stakeholders.
  4. Meshed - on-request data sources in place and the skillset starting to be embedded within the audit department, allowing for customised tests.
  5. Embedded - metric-based monitoring allowing for the creation of more customised tests that blend different data sets, e.g. vendor testing linking the accounts payable system to Companies House.
  6. Forward looking - analytics driving audit plans, with changed audit and risk behaviours based on analytics results. Reviewing the process behind anomalous events rather than full end-to-end data testing.

Techniques that can be used for frauditing with data analytics

There are a number of different data driven techniques to identify fraud:

  • Duplicate transactions such as same invoice or supplier number
  • Rounded/even amounts e.g. £5,000 or £200
  • Ratio analysis on spread of values:
    • Spread of product prices from maximum to minimum that may highlight over-charging and kickbacks
    • Difference between maximum and 2nd highest price
    • Differences between sales people (international vs. domestic or between product sales teams)
    • Year on year trend analysis between teams or products
  • Benford's Law: in naturally occurring sets of transaction values the leading digit is not evenly distributed; smaller leading digits are more likely (a leading '1' occurs roughly 30% of the time, a '9' under 5%), so a population of invoices or claims that departs from that distribution merits a closer look. A related threshold test looks for values clustering just under an authorisation limit, e.g. expense claims just under £500 where claims over £500 require authorisation
  • Matching structured internal data to public sources e.g. suppliers address on internal systems to postcode data
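As an added example (not code from the webinar, Grant Thornton or any tool named above), the Python below runs the tests just listed over a constructed accounts payable ledger: duplicate invoices, round amounts, values clustering just below an assumed £500 authorisation limit, and a Benford first-digit comparison. It also applies the matching technique to supplier and employee postcodes, the 'ghost vendor' indicator mentioned in the data issues section below, using constructed HR data in place of the Companies House or postcode lookup so that it runs offline. Every transaction, supplier, postcode and the threshold itself is invented for illustration.

```python
"""Added example (not from the webinar or Grant Thornton): data-driven
fraud tests run over a constructed ledger. All transactions, suppliers,
postcodes and the £500 authorisation threshold are invented."""
from collections import Counter, defaultdict
from math import log10

# Constructed AP ledger: (invoice_no, supplier_id, amount_gbp, raised_by)
TRANSACTIONS = [
    ("INV-1001", "S01", 1234.56, "alice"),
    ("INV-1002", "S02", 5000.00, "bob"),
    ("INV-1001", "S01", 1234.56, "alice"),  # same invoice paid twice
    ("INV-1003", "S03", 498.00, "carol"),   # just under the threshold
    ("INV-1004", "S03", 499.50, "carol"),   # just under the threshold
    ("INV-1005", "S04", 200.00, "dave"),
    ("INV-1006", "S05", 87.30, "erin"),
    ("INV-1007", "S02", 3120.10, "bob"),
    ("INV-1008", "S06", 15.99, "frank"),
    ("INV-1009", "S07", 1785.00, "grace"),
]
AUTH_THRESHOLD = 500.00  # assumed policy: payments over £500 need dual sign-off

# Constructed master data: supplier postcode on the AP system and employee
# home postcode from HR. A supplier registered at an employee's address is a
# classic 'ghost vendor' indicator.
SUPPLIER_POSTCODES = {"S01": "SW1A 1AA", "S02": "M1 1AE", "S03": "ls14ap",
                      "S04": "B1 1AA", "S05": "EH1 1YZ", "S06": "CF10 1AA",
                      "S07": "G1 1XQ"}
EMPLOYEE_POSTCODES = {"alice": "N1 9GU", "bob": "M2 5DB", "carol": "LS1 4AP",
                      "dave": "B2 4QA"}


def duplicate_transactions(txns):
    """Rows sharing invoice number and supplier: the double-payment indicator."""
    groups = defaultdict(list)
    for t in txns:
        groups[(t[0], t[1])].append(t)
    return {k: v for k, v in groups.items() if len(v) > 1}


def round_amounts(txns, multiple=100):
    """Amounts that are exact multiples of `multiple` pounds (e.g. £200, £5,000).
    Works in pence so that float modulo does not produce surprises."""
    return [t for t in txns if round(t[2] * 100) % (multiple * 100) == 0]


def just_below_threshold(txns, threshold=AUTH_THRESHOLD, window=0.05):
    """Amounts in the band (threshold*(1-window), threshold]: values kept
    just under an authorisation limit to avoid a second signature."""
    return [t for t in txns if threshold * (1 - window) < t[2] <= threshold]


def leading_digit(amount):
    """First non-zero digit of an amount; None for a zero amount."""
    for ch in f"{abs(amount):.10f}":
        if ch in "123456789":
            return int(ch)
    return None


def benford_first_digit(amounts):
    """Observed versus expected (log10(1 + 1/d)) share of each leading digit.
    Only meaningful on large populations; the 10-row ledger here just
    demonstrates the mechanics."""
    counts = Counter(d for d in map(leading_digit, amounts) if d)
    n = sum(counts.values()) or 1
    return {d: (counts[d] / n, log10(1 + 1 / d)) for d in range(1, 10)}


def normalise_postcode(pc):
    """Strip spaces and upper-case so 'ls14ap' and 'LS1 4AP' compare equal."""
    return "".join(pc.split()).upper()


def supplier_employee_postcode_matches(supplier_pcs, employee_pcs):
    """Suppliers whose registered postcode equals an employee's home postcode."""
    by_pc = defaultdict(list)
    for emp, pc in employee_pcs.items():
        by_pc[normalise_postcode(pc)].append(emp)
    return {s: by_pc[normalise_postcode(pc)]
            for s, pc in supplier_pcs.items() if normalise_postcode(pc) in by_pc}


def run_all(txns=TRANSACTIONS):
    """Collect the exceptions each test raises for follow-up by the audit team."""
    return {
        "duplicates": duplicate_transactions(txns),
        "round": round_amounts(txns),
        "below_threshold": just_below_threshold(txns),
        "benford": benford_first_digit([t[2] for t in txns]),
        "ghost_vendor": supplier_employee_postcode_matches(
            SUPPLIER_POSTCODES, EMPLOYEE_POSTCODES),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, result)
```

Each test returns the exceptions rather than a verdict; as the text says, the output is a focused list for the audit team to follow up, not proof of fraud. The threshold band and round-amount multiple are parameters precisely because they should be set from the organisation's own authorisation policy and payment patterns.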

Approach to using data analytics in frauditing 

Test creation & definition

  • Identify the required tests linked to fraud risk indicators - be clear what you want to do and do not get side-tracked; understand what each test is meant to show
  • Link to business operations including your sector
  • Link to fraud triangle overview (perceived opportunity, pressure or motive, and the rationalisation of the act – get into the head of the fraudster)

Data identification

  • Identify the required datasets to achieve the tests – you need to have a good relationship with the business and speak to the IT department
  • Agree on data extraction needs – you should only go for a test sample at this stage. Do not request the full data set – you should test your approach with a small subset of data to ensure that it has all of the fields that it needs so that you are not requesting the data time after time

Cleanse and normalise

  • Scrub data to ensure its accuracy – prepare the data for the tests that you want to do
  • Identify data anomalies and their root cause

Data analytics and insight

  • Perform data analytics using tools. eg. IDEA

Report and monitor

  • Provide fraud reports and findings in a format that the user can utilise

The more advanced your data skills the more you can move to customised data testing to best identify and quantify fraudulent behaviour.

Common types of data issues that identify weak processes/controls

  • Purchase to pay
    • employee initiated purchase orders for own benefit
    • fraudulent disbursements through 'ghost' vendors
  • Corporate credit cards
    • use of corporate cards for personal gain
  • Payroll
    • 'ghost' employees or payments to terminated or dead employees
    • excessive overtime payments
  • Sales and receivables
    • vendor and employee collusion
    • sales inflation for higher bonuses/commissions
  • Information systems and critical data
    • Theft of critical data to be used for fraudulent purposes
    • Selling of corporate data to external parties

Summary

Use a professional data analytics tool. Keep to the basics and build your skills up gradually. Work in the wider context of your team: the best output comes when data analytics is delivered as part of the wider team carrying out the audit or fraud review, with the analytics producing the exceptions, the team investigating them, and everyone working together to reach a rounded answer. 

As your skills move on, look to improve things so that you are informing the third line of defence, and think about scripting in the long run, because repeatable scripts are where data analytics becomes really powerful.