Monday 20 July 2020

Applying AA's Fraud Detection Proposal to Wirecard Part 2

AA is Looking Backward Not Forward

This is the second of two posts on this topic. First post here.

Point Two: Enhanced Audit Work

The following outlines some possible enhanced steps auditors could have taken.

I don’t know what steps the auditors took.

That WC was able to perpetrate its fraud for so long perhaps suggests the auditors were not employing any of these enhanced steps or had not completed them.

Confirmation of the Euros 1.9 Billion Accounts

Audit Confirmations

Given the unusual arrangements with the escrow accounts and their Euros 1.9 billion balance, WC’s auditor should not have relied on a single-step verification (the typical bank confirmation) and probably should have used more than one method.

What additional steps could WC’s auditors have taken?

First, in view of the amounts, they could have requested two bank officer signatures on the confirm, and specified an official title, e.g., “one of whom must be a Vice President in the xxx Department”.

Second, once the audit confirmation was returned, the auditors could have attempted to determine that the signer(s) on the confirmation were employees of the bank and worked in a department that would be responsible for replying.

This could be done by referring to the bank’s “book” of authorized signers. This document lists officers authorized to sign, any limits on their authority, and the departments in which they work. Often the officers are assigned a unique identifier number in case their penmanship rivals AA’s.

Or by phoning the bank and telling the receptionist that they had something important to send the signer and wanted to confirm the appropriate department to send their letter to. In this case they would not mention the audit confirm.

If the receptionist couldn’t find the employee’s name in the bank’s records or responded that the individual worked in “Marketing”, alarm bells should go off.

The auditors could send a copy of the confirmation back to the bank requesting that in light of the amount involved the bank reconfirm both the information in the confirm and the authority of the signer(s).

The reconfirmation request should not be sent to the party or parties signing the confirmation as received, but rather to another department.

For example, if the auditors received the confirm from someone in the Trust Department, they could send the reconfirmation request to the Trust Department Internal Audit Department. Or the bank’s Internal Audit Department. Or to the Head of the Trust Division. And when a billion or so Euros are involved, perhaps even the President of the bank.

The auditing firm could have asked a senior officer of its affiliate in the ROP to assist by contacting a senior officer at the bank for a reconfirmation. 

Alternative Measures

The auditors could ask the bank to send duplicates of account statements directly to them. If the bank doesn’t have an account for that customer, then it would so advise.

If it sends a statement with much lower balances, then questions would arise over the amount claimed in the account.

“So what you’re saying is that between 1 and 31 December, these accounts received Euros 1.8 billion in net credits.” 

The idea with this step is that requests for duplicate statements would not reach the person within the Bank conspiring to provide false information on confirmations. One department replies to audit confirms. Another department handles “routine” requests for duplicate statements.

If the auditors were engaged in reviewing the use of WC’s accounts by the third parties to determine the amounts those parties needed access to, as my proposal suggests, then they should already have requested account statements.

Transactions shown in the statements should match entries in WC’s accounts. The auditors could take a statistical sample to trace/match transactions between the two.

There are other methods.

The ones outlined here are designed to prove the existence of the account, not necessarily the balance.

If there was doubt about the veracity of the account statements, the auditors could use statistical analysis of transaction amounts and patterns to identify those that likely have been “faked”. Benford’s “Law” is one such technique but there are others.

I met a chap at a financial crimes conference (anti not pro, if you’re wondering) who claimed that using Benford’s Law he quite easily “proved” that financial statements provided for an investigation had been “cooked”.
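As an added illustration (not part of the original post), here is a first-digit Benford's Law test in Python using a chi-square comparison. Both samples and the minimum sample size are constructed for the example; the test only makes sense for amounts spanning several orders of magnitude, and a flagged result is a prompt for further audit work, not proof.

```python
import math
from collections import Counter

# Benford's Law: the probability that the leading digit is d is log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom at the 5% level.
CHI2_CRITICAL = 15.507


def first_digit(amount):
    """Return the leading non-zero digit of an amount, or None for zero."""
    mantissa = f"{abs(amount):.15e}"  # e.g. '1.900000000000000e+09'
    digit = int(mantissa[0])
    return digit if digit else None


def benford_test(amounts, min_sample=300):
    """Compare observed first digits with Benford's Law via chi-square.

    min_sample is an illustrative threshold chosen for this example.
    """
    digits = [d for d in map(first_digit, amounts) if d is not None]
    n = len(digits)
    if n < min_sample:
        raise ValueError(f"only {n} usable amounts; too few for this test")
    observed = Counter(digits)
    chi2 = sum(
        (observed.get(d, 0) - n * p) ** 2 / (n * p) for d, p in BENFORD.items()
    )
    return {
        "n": n,
        "observed_share": {d: observed.get(d, 0) / n for d in BENFORD},
        "chi2": chi2,
        "suspicious": chi2 > CHI2_CRITICAL,
    }


# Constructed sample 1: amounts spread evenly on a log scale between 10 and
# 1,000,000, which is the shape Benford's Law describes.
GENUINE_LIKE = [10 ** (1 + 5 * (i + 0.5) / 2000) for i in range(2000)]

# Constructed sample 2: four-digit amounts in which every leading digit
# appears equally often, as tends to happen when figures are made up.
INVENTED_LIKE = [(1 + i % 9) * 1000 + (i * 37) % 1000 for i in range(900)]

if __name__ == "__main__":
    for label, sample in (("genuine-like", GENUINE_LIKE),
                          ("invented-like", INVENTED_LIKE)):
        result = benford_test(sample)
        print(f"{label}: n={result['n']} chi2={result['chi2']:.1f} "
              f"suspicious={result['suspicious']}")
```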

WC’s establishment of the escrow accounts, probably ostensibly to mitigate the credit risk of the two Philippine banks, should have resulted in a file documenting management and board discussions, engagement of ROP counsel, correspondence on legal points, review by the board, and a legal document signed by both WC and the two banks in question.

If such a file did not exist, that should raise questions. Often those perpetrating fraud do not create the full set of “backstory” documentation to support the fraud. Or miss critical details in their backstory.

If it did, it should provide another opportunity to verify the existence of the account. Contact the bank and ask to speak to its lawyer named in the correspondence. Check to see if the person signing the agreement on behalf of the bank was in the “right” department and had the authority.

Auditors could also send a request to the bank to confirm that there had been no changes to the escrow agreement. Again if the bank replied that there was no such agreement then alarm bells would go off.

Send a small payment to the bank in favour of the escrow account prior to fiscal year end. If it’s returned with the notation “no account”, then alarm bells go off. If it’s not returned, it should show up in statements. If not, the bells ring again.

Look for evidence of use of the escrow accounts by WC.

A transfer of funds to its main operating account would confirm the existence of the accounts, but, of course, not the balance.

The bank holding the operating account should be able to provide details of any transfer – by order party (the escrow account), originating bank (one of the two Philippine banks), and date of credit to WC’s operating account. So the auditor should not simply match amounts, but look to the transaction details. Again on a sample basis.
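An added sketch (not from the original post) of tracing a sample of ledger entries to transfer details supplied directly by the operating-account bank, checking order party, originating bank and date rather than amount alone. All account names, bank names, amounts, dates and the three-day date tolerance are constructed for illustration.

```python
import random
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LedgerEntry:            # what the company's books claim
    ref: str
    amount_cents: int
    booked: date
    order_party: str          # claimed source (the escrow account)
    originating_bank: str


@dataclass(frozen=True)
class BankCredit:             # detail obtained directly from the operating bank
    amount_cents: int
    value_date: date
    order_party: str
    originating_bank: str


def norm(text):
    """Normalise case and spacing so cosmetic differences do not matter."""
    return " ".join(text.upper().split())


def trace(entry, credits, used, date_tolerance_days=3):
    """Classify one ledger entry; each bank credit can support one entry only."""
    candidates = [i for i, c in enumerate(credits)
                  if i not in used and c.amount_cents == entry.amount_cents]
    if not candidates:
        return "NO_CREDIT"            # nothing at the bank for this amount
    for i in candidates:
        c = credits[i]
        if (norm(c.order_party) == norm(entry.order_party)
                and norm(c.originating_bank) == norm(entry.originating_bank)
                and abs((c.value_date - entry.booked).days) <= date_tolerance_days):
            used.add(i)
            return "MATCHED"
    return "AMOUNT_ONLY"              # amount agrees, transaction details do not


def sample_and_trace(ledger, credits, k, seed=0):
    """Draw a random sample of k ledger entries and trace each to the bank data."""
    sample = random.Random(seed).sample(ledger, k)
    used = set()
    return {e.ref: trace(e, credits, used)
            for e in sorted(sample, key=lambda e: e.ref)}


# Constructed ledger entries claimed as transfers from escrow accounts.
LEDGER = [
    LedgerEntry("L1", 50_000_000, date(2019, 3, 4), "Escrow Account A", "Example Bank One"),
    LedgerEntry("L2", 75_000_000, date(2019, 6, 10), "Escrow Account A", "Example Bank One"),
    LedgerEntry("L3", 20_000_000, date(2019, 9, 2), "Escrow Account B", "Example Bank Two"),
    LedgerEntry("L4", 10_000_000, date(2019, 11, 29), "Escrow Account B", "Example Bank Two"),
    LedgerEntry("L5", 50_000_000, date(2019, 3, 4), "Escrow Account A", "Example Bank One"),
]

# Constructed credits as reported by the operating-account bank.
CREDITS = [
    BankCredit(50_000_000, date(2019, 3, 5), "ESCROW ACCOUNT A", "EXAMPLE BANK ONE"),
    BankCredit(75_000_000, date(2019, 6, 10), "UNRELATED TRADING CO", "EXAMPLE BANK THREE"),
    BankCredit(10_000_000, date(2019, 12, 2), "Escrow  Account B", "Example Bank Two"),
]

if __name__ == "__main__":
    for ref, status in sample_and_trace(LEDGER, CREDITS, k=3, seed=1).items():
        print(ref, status)
```

Entries classified AMOUNT_ONLY are the ones an amount-only match would have passed; L5 shows a second ledger entry trying to rely on a credit that has already been used.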

If WC never used any funds from the escrow accounts, that should raise questions, particularly if WC is borrowing funds to pay dividends or expenses.

Review of Third Party Companies

WC gave access to its accounts to these companies. As noted, WC therefore had a credit risk exposure to them.

The auditors should understand WC’s rationale for taking this risk and ask to see the “file”. That would include among other things WC’s credit approval policy and process, documentation of WC’s review, determination of appropriate amount of access, official approval by WC authorized officers/board, supporting documents, e.g., these companies’ audited financial statements, DNB checkings, bank references, etc.

[Side Comment: AA’s smarter, elder brother expert in many things Asian once discovered a massive fraud by reviewing DNB’s for some Asian companies that were used to execute the fraud. If we believe his account, and I can think of no reason why not to, he took all of 20 minutes to do so. For this purpose, I am ignoring his much earlier persuasion of AA that our paternal grandfather was 2,000 years old and had attended grade school with Jesus.]

If WC doesn’t have this information—specifically financials and other credit information—already, the auditors should question why WC are letting these parties have access to their accounts.

The auditors could also check ancillary sources of information.

As indicated by its article referenced above and this one, the FT found some rather strange things about the companies.

Now one might respond that the FT benefited from disclosures by a whistleblower and the auditors had no such help.

But if the auditors were examining the rationale and reasonableness of these companies’ access to WC escrow accounts, then they would have come across the same opaqueness and unsettling information that the FT did.

If they had details of these companies’ supposed contribution to revenues and net income, they would also have had reason to dig deeper.

In a “simple” 30 minute Google search on AlAlam, I did not turn up the sort of information one would expect for a tech company on the “bleeding edge” of the “PSP space”.

What's the point with the 30 minutes here and the even shorter 20 minutes ascribed to AA's wiser, elder brother?
  
Simply that additional audit measures do not require massive investments in time or energy if done properly.  

Nothing in Crunchbase. A rather incomplete profile at Owler, where AlAlam has but one follower.

Not much in the way of third party reporting other than regurgitation of press releases. No interviews with key persons sharing their vision or thought leadership. Sad.

AlAlam has an English language website. But it doesn’t appear to have an Arabic one. Rather strange for a company in the UAE which presumably is pitching customers in the region. Perhaps, they are on the “bleeding edge” of the marketing “space” as well and have moved beyond traditional methods of marketing.

No information on officers, directors, etc.

A laughably short company profile.




Thursday 16 July 2020

BIS Updates its Guidelines for the Management of AML/CFT



This month the BIS released an update to its January 2014 publication “Guidelines: Sound management of risks related to money laundering and financing of terrorism.“

The updates focus on the need for increased communication/interaction and co-operation between a nation’s financial institution supervisory agency (prudential supervision) and other domestic national agencies charged with anti-money laundering and countering the financing of terrorism.

As well the BIS advocates similar cross-border interaction and cooperation.

It’s important to note once again that the BIS does not have the authority to force countries to accept its guidelines. It does not legislate, it recommends.

Individual countries may accept or reject BIS guidance in full or in part. And are free to set the details of how a principle they accept will be applied. 

That being said, it is rare that countries reject BIS suggestions in toto.

What are the changes?

The addition of paragraph 96 to the main body of the guidelines and a new Annex 5 outlining best practices.

Paragraph 96 sums up the BIS’s intent.
“Prudential and AML/CFT supervisors should establish an effective cooperation mechanism regardless of the institutional setting, as set out in Annex 5, to ensure that ML/FT risks are adequately supervised in the domestic and cross-jurisdictional context for the benefit of the two functions.“


Annex 5 contains what I’d consider some rather self-evident points. But many regulations do state what is obvious. And that’s done for good reasons.

License Authorization

  1. Prudential Supervisors should consult with AML/CFT supervisors to identify any AML/CFT risks posed by the bank’s proposed business model for a new bank or such risks for an existing foreign bank seeking a license in its jurisdiction.
  2. They should also consider the bank’s AML/CFT policies and procedures, risk management structure and risk mitigation systems.

Assessment of Major Shareholders, Acquisitions, and Major Holdings

  1. Similar to the above with a focus on how these affect the proposed licensee’s AML/CFT risk as well as cases when new shareholders are proposed.
  2. Part of this assessment is a review of the history of the proposed major shareholders, acquisitions, and major holdings for evidence of AML/CFT risks, vulnerabilities or transgressions.
  3. This assessment requires cross border interchange and co-operation to obtain information from other national regulatory agencies.

International Co-Operation

  1. This can be established via bi-lateral agreements (MoUs) for exchange or “prudential colleges” where a group of supervisory or regulatory agencies agree to exchange information. Link to information on EU “prudential college”.
  2. The FATF has published guidelines on the exchange of AML/CFT information both domestically and internationally. Last update in 2017.

Friday 10 July 2020

Corporate Fraud Part 2 -- An Alternative Proposal for Enhancing Detection

Abu Arqala Publishes His Proposal

In the previous post, I expressed some concerns about a proposal to combat corporate fraud.

Saying that a particular solution seems unworkable or difficult to implement isn’t really of much utility.

Don’t tell me what can’t be done. Tell me what can.

The point is to outline a possible solution.

What then is AA’s alternative? What is to be done?

To start we have to accept that just as with corporate misgovernance there is no financial equivalent of hydroxychloroquine that is a sure cure. 

Because fraud is not just the equivalent of a bad “flu”, financial or otherwise, and won't just go away in July or some other month, we do have to take action.

To that end I offer this alternative proposal which seeks to use existing structures to enhance current risk disclosures and promote risk-based auditing.

A key goal is turning auditors’ attention and action away from what appears to be a sole focus on policies, internal processes and controls, and pieces of paper.

As the old joke goes, if it isn’t written down, it doesn’t exist for an auditor.

The real risk with that mentality is the converse.

If an auditor has a piece of paper—a confirmation, a copy of a contract, etc.--the existence of an asset or liability or a business relationship is a proven fact.

The steps I’m proposing would not mean that auditors would abandon examining adherence to financial reporting and accounting standards, reviewing internal controls and processes for adequacy, nor performing many paper based audit activities, including confirmations, nor issuing opinions on those matters.

Because the majority of companies do not engage in major fraud, that current audit work provides needed information to a wide range of third parties, e.g. shareholders, other investors, lenders, business partners, etc. And so it should continue.

If a company is fraud free, an investor is still going to want to know if the company is following accepted accounting principles, has proper accounting systems and internal controls, has documentary evidence to back up transactions, etc. That it uses reasonable assumptions when valuing hard-to-value assets.

One doesn’t want to invest one’s money with or make a loan to an honest but incompetent or disorganized company.

So my proposals are designed to leave those aspects of auditing in place but enhance the extent of auditors’ work.

First, emphasize the need for auditors to identify if the company has any serious or unusual risks in its business model or practices, including unusual vulnerabilities.

If such risks are found, require that they are disclosed in a clear form in a company’s audited financial statements.

When those risks pose substantial or unusual vulnerabilities, auditors should include these in the “key audit matters” section of their audit opinion. That would require that they discuss the existence and materiality of such “matters”; describe the additional audit work they have performed to address them; and state their resulting assessment on that matter.

If they don’t reach the level of a “key audit matter”, they should be noted and addressed/focused on in the audit plan. 

The goal is not to come up with a laundry list of every potential risk factor similar to a bond or stock offering memorandum which is primarily a CYA or more accurately a CYLE (cover your legal exposure) exercise for the underwriting/offering banks and the issuer. 

All businesses are subject to a variety of risks.

The point is to identify those risks or vulnerabilities that are not obvious and have a material impact. 

This will become clearer in the post to follow where I outline this “point” applied in actual cases or hypothesize how it might have been applied at Wirecard or Hin Leong Trading.

Second, require that auditing procedures be scaled to risk of an individual asset, liability, etc.

For example, one should not use the same method to verify bank deposits of Euros 1.9 billion that one uses to confirm a USD 100,000 receivable. 

What are these two principles designed to achieve?

The first is designed to alert market participants, lenders, and regulators of vulnerabilities and dependencies that could have a material effect on the company’s health. To raise a red flag.

That's important because fighting fraud is not the sole job of one group any more than corporate governance is.

What that means is that for this aspect of point one to work someone out there has to be "listening".  If the "flag" is missed, the chances of uncovering the fraud decrease. 

It is also intended to cause the auditor to focus on a class of risks that seem often to be overlooked at least in some cases. 

That serves as the "back-up" if no one is listening.

Auditors are already required to assess a company’s risks and then develop a specific audit plan of work to ensure appropriate audit work is done on these areas. So this is a reminder with emphasis of this existing requirement.

But if they don’t focus on this latter class of risks, there is a real danger—as perhaps evidenced by some recent fraud cases—that they will not undertake the work they should have to address these issues.

The second is designed to "force" auditors to scale audit work to risks.

What’s the relation to fraud?

As I noted in an earlier post, many but not all types of fraud necessarily require the overstatement of assets. 

We’re most concerned with major frauds that threaten the viability of a company. That is the reason for risk-based scaling of audit work.

At first blush, this may sound like a good proposal. Or at least that's what I tell myself.

But it is not a panacea. There are no 100% solutions.

Why?

As to reliance on large numbers of market participants reacting to alerts (the first point), if you’ve read this blog before, you know I have little faith in the mythology of efficient markets.

Not no faith. Just a slight bit more than I have in the “Power Ponies”.

Admittedly, I’m banking on a very small number of market participants to read, understand, and then take action on any red flags raised by disclosure of this sort of business risk.

That being said, just a few persistent sharp investigative (but probably underpaid) journalists at the FT played a major role in uncovering NMC and Wirecard.
But the effectiveness of this point doesn't just rely on that sort of market participant.

Widening auditors' risk focus and thus getting them to adjust their audit focus and work should also contribute to detection, particularly because they have access to detailed company financial information that other market participants don't.

But neither of these two intended goals will result in fraud detection all the time.

That’s the reason for the second point.

That’s why it’s in some respects more important than the first. 

Enhanced audit work. Moving beyond the tick-the-box approach to one that is based on risk. The more risk the more work required.

Why is that important?

As I’ve argued, “fiddling” with the income statement requires “fiddling” with the balance sheet pretty much dollar for dollar.

Major fraud requires major fiddling.  

If audit procedures disclose that assets are overvalued or non existent, it’s a very good sign that the income statement has been overstated and income is non existent. And vice versa.

There are other cases of fraud that might be detected by enhanced audit work to confirm the existence of an asset or its carrying value.

Some examples.

Knowingly exchanging one asset for another of lesser or of no value.

Or, as happened at Hin Leong Trading, selling inventory without recognizing the sale in the accounts.

Failure to recognize the financial impact of a “good” transaction that has gone bad. A receivable associated with a legitimate sale turns out to be uncollectable. An asset purchased in good faith goes “south”. But there is no charge to the income statement or to equity.

Harder to detect frauds would be inflating expenses to take cash out of the firm. For example, overpaying for goods or services actually received. Or paying for non existent services.

Note in the second part of the previous sentence I’ve eliminated “goods”. It’s much easier to determine that an asset doesn’t exist, than it is that a service wasn’t performed. Or performed in full.

Enhanced audit procedures should lead to discovery of some and perhaps even many of those frauds, primarily those likely to have a material adverse impact on the company. 

Smaller amount items are likely to remain undetected. 

All well and good, you might say. But what about other cases of fraud like NMC where billions of US dollars in liabilities were not recorded in the financials.

Indeed.

These are extremely difficult to detect.

The “first line” of defense is the auditor’s confirm from lenders or providers of funds. This is not ironclad because auditors do not send confirms for each and every loan or other asset of the lender. 

If clever people are perpetrating the fraud, they may arrange a fraudulent reply to the confirms.  

One might hope that as part of annual credit reviews, lenders and other providers of funds look to see if their debt is reflected in the borrower's financials.  They have the details that generally should enable them to identify their debt, e.g., rate, tenor, currency in the absence of their name in the financials.

Banking on "hope" is an endeavor with limited probabilities of success.

Other difficult to detect frauds involve hard-to-value assets, e.g., non listed investments, or real estate. 

Slight changes in assumptions can result in large changes in value. If stock analysts have trouble accurately valuing listed securities, it’s unlikely that accountants or even forensic accountants will fare better.

Enhanced audit work (my second point) does not provide an airtight solution. It does, however, raise the odds of detection.

That means that at best my proposal will not detect all fraud, but it might result in more fraud being detected than currently.

In a post to follow, I’ll detail how both steps have been applied and might have been applied at Wirecard and Hin Leong.  The latter by drawing on my legendary powers of 20/20 hindsight.

In the Wake of Wirecard What is to be Done about Corporate Fraud? Part 1



Corporate fraud is a twin of corporate misgovernance. 

The two are frequently companions.

“Two backsides in one pair of trousers.”

Or, if you are a film buff like A, “two backsides in one pair of underpants.”

I’ve written before on this topic but in relation to “corporate governance”. Here and here.

To launch this discussion intended to consist of three posts, let’s begin by looking at a proposal Edward Hadas made in an article at Reuters. 

When a sharp incisive journalist like Ed writes a piece, it’s always a good idea to take a close look.

In his article, he proposes the use of private sector forensic accountants to conduct investigations to uncover fraud.  

They would be funded by a portion of the fees that companies pay their "regular auditors" so that the "fraud busters" could be independent of the economic considerations that are often considered impediments to financial auditors' full performance of their duties.

The “fraud busters” would not check all companies but only those where they “sniff out suspicious activity”.

How?

Either from tips from stock analysts, whistleblowers, worried bankers, and/or investigative journalists. Or from their own ratio analysis, etc.

The “fraud busters” might also choose to focus on industries that “attract miscreants”.

They would be given “a government license to pry”, presumably at a minimum to conduct investigations and compel the company to provide access to confidential information. 

They would also have “the authority to prevent regular auditors from signing off on accounts.”

An interesting proposal.

However, I think this system would be difficult to institute and would pose several significant challenges.

First, the “government license to pry” and the authority “to prevent auditors certifying financial statements” imply that the “fraud busters” would be granted legal powers akin to those enjoyed by governmental agencies.

If so, this is likely to result in potential conflicts between the “fraud busters” and the governmental agencies.

Why?  

Because unlike investigative journalists, security analysts, etc. they would be able to compel testimony and the provision of records as well as issue binding judgements, e.g., on financial auditors.

Would the “fraud busters” or a government agency have the final say about inception, the determinative process, and disposition of a potential case?

As well, in order to prevent the “fraud busters” from interfering with ongoing or contemplated non-public official investigations, they would need to be informed about them.

Official agencies would naturally be reluctant to provide this information for fear that it would be “leaked” in one way or another, thus alerting the “target”. 

Or potentially causing harm to the "target" before the process was complete. 

Or that such “inside information” would be misused for “insider trading”.

Second, and more importantly, giving private sector companies rights that are typically the monopoly of government agencies would raise significant constitutional and legal issues regarding due process and the rights of a defendant. And probably not only in the USA.

What would be the “probable cause” standard for a “fraud busters” investigation?

It would seem that at least it would have to be equivalent to the standards that governmental agencies must meet before formally commencing an investigation, including the legal right to compel testimony and provision of records. 

Think of the steps required for an SEC Formal Order of Investigation or the judicial processes associated with US DOJ actions. Or of “discovery” in civil cases.

There are operational issues on exactly how this would be arranged (structure) and managed (process) for "fraud buster" investigations to ensure the rights of “targets” are protected. And that confidentiality is maintained.

I think these legal issues are particularly important because as I read Edward’s article—and apologies to him if I have misread it—the “fraud busters” seem to have fairly wide latitude to begin an investigation.

They seem to be “financial bounty hunters” or a version of the Met “Flying Squad” set free to range far and wide to uncover frauds.

For example, as per his article, they might “focus” on companies in an industry they judge “attracts miscreants”. This might be characterized as “guilt by association” by targets.  And even harder to justify on a “probable cause” basis if legal objections were raised by the target.

Other justifications would be “tips” as mentioned above from third parties and financial ratio analyses the “fraud busters” conducted themselves.

How would the credibility and “weight” of the “tips” be assessed? Particularly, when many of the tips are likely to originate from sources that do not have first hand access to inside information of wrongdoing.  

Or where the “tipper” has an economic interest in lowering the price of the target’s stock? Think Herbalife. 

All these raise issues about probable cause in a USA context. 

Should their investigations be limited to the subject of the tip? Or might they like Kenneth Starr range far and wide beyond their initial scope to find wrongdoing once they commenced an investigation?

Initial suspicions on NMC concerned overvaluation of acquisitions. What turned out to be the “real” problem was unrecorded liabilities. There were no tips that I am aware of on that problem until information came out at the final stages of the company’s unraveling.

What should be the impact of an ostensibly independent third party’s report that it found no evidence of fraud?

As per “Management” Note 2.5 on page 97 of Wirecard’s 2018 audited annual report a Singapore law firm, Rajah and Tann, conducted an investigation which cleared Wirecard at least preliminarily. A Government of Singapore investigation was still ongoing at the time.  

This may seem like pettifogging. 

But if we hope to see criminal or civil penalties imposed on fraudsters, we need to make sure that they have no defense from shortcomings in due process or violations of defendants' rights.

Third, if, as asserted, economic considerations motivate auditors to not properly execute their responsibilities, wouldn’t “fraud busters” be subject to the same temptations?

In their case the issue would not be doing too little but doing too much.

Investigation for the sake of investigation because presumably, they will be paid for the number of investigations they conduct. 

With the lure of a sizable “bounty” for uncovering a fraud perhaps providing  additional incentive to “keep digging” or to overstate wrongdoing.

There are other difficulties.

For example, because they receive their authorities from national governments, cross border investigations would likely be more limited than those by governmental agencies. That is not to assert that national governmental agencies have an easy time with cross border cases.

Similarly, granting the “fraud busters” powers similar to governmental agencies probably would require as well the provision of legal immunity regarding their investigative actions in order for them to discharge their duties.  

In the next post I’ll outline an alternative proposal—admittedly imperfect—that seeks to leverage existing structures to increase the detection of fraud.