February 2006

Think Like the Fraudster

Brainstorming how fraudulent activities may occur can open the auditor's mind to a host of new possibilities.

Antoinette L. Lynch, PhD, CPA
Assistant Professor
Department of Accountancy, Miami University

The IIA's International Standards for the Professional Practice of Internal Auditing 1210.a2 states that internal auditors should have sufficient knowledge to be able to identify indicators of fraud when performing normal internal audit responsibilities and fraud investigations. Brainstorming is one method internal auditors can use to improve their fraud prevention and detection efforts. When conducting an audit, internal auditors can use brainstorming sessions to collaboratively develop a taxonomy that includes ideas about possibilities for fraud. Furthermore, exchanging ideas about fraud helps to promote professional skepticism for all team members throughout the audit. As the saying goes, "two heads are better than one."

Brainstorming is a low-cost procedure that can bring about a wealth of new ideas about how fraudulent activities might occur within an organization, and it should be an integral part of internal auditors' proactive approach to fraud detection. An under-standing of brainstorming techniques can help internal auditors maximize the procedure's effectiveness.

CREATIVE COLLABORATION

The concept of brainstorming was developed in the 1950s by Alex Osborn, a New York advertising executive who believed that idea generation is best accomplished by a group rather than by individuals working alone, and that an effective brainstorming session can only occur under the following conditions:

  1. Criticism is ruled out. Adverse judgment of ideas must be withheld.
  2. Freewheeling is welcomed. The wilder the idea, the better, because it is easier to tame down than to think up.
  3. Quantity is wanted. The greater the number of ideas, the more likelihood there will be useful ideas.

Creativity Techniques

More than 20 brainstorming techniques are in existence today, ranging from paradigm-preserving (i.e., staying within the current mind-set) to paradigm-modifying (i.e., thinking outside the box or challenging current assumptions) (see "Creativity Techniques at right, click to enlarge). Force Field Analysis, developed by Kurt Lewin (1951), is an example of a paradigm preserving technique in which individuals are forced to generate ideas to maximize an ideal/optimal situation and ideas to minimize the impact of a catastrophic situation. This technique is useful when the internal auditor's goal is not to think outside the box, but to build thought processes within certain constraints. For example, if the issue were strengthening internal controls related to inventory, brainstorming would be confined to exploring the optimal situation compared to the catastrophic situation for misappropriation of inventory.

On the other hand, paradigm-modifying techniques do not force individuals to think within specified boundaries. Evidence shows that paradigm-modifying techniques help individuals produce more creative ideas than paradigm-preserving techniques. Paradigm-modifying techniques can be useful for auditors because they provide a degree of skepticism, where the auditor approaches a perceived problem from a new perspective, rather than relying on a predictable technique or familiar thought process. "An Insight Model of Creativity" at right, click to enlarge) illustrates the concept.

Model of Creativity

Paradigm-modifying techniques can help internal auditors think like fraudsters, who are often very creative and unpredictable. Take for example the investment adviser, who, instead of leaving a paper trail for auditors or being restricted to the company's internal system for communicating to clients, relied on chat room sessions to increase prices of stock held in his personal investment portfolio. By using a chat room, the adviser used a method of communicating that auditors had never considered. As another example, a former executive of Symbol Technologies was accused of committing securities fraud by persuading distributors to purchase scanners that the distributors did not need. In return, Symbol promised distributors that any unsold scanners would be re-purchased. This illegal practice, known as "channel stuffing," enabled executives to inflate the company's reported sales.

One way to get auditors to think creatively about how a fraudster might perpetrate and conceal frauds such as these is to use Guided Fantasy, a paradigm-modifying technique that takes group members mentally out of their work environment by guiding them through a fantasy that is elaborate enough to make them relax. For example, a facilitator could "guide" the fantasy by telling the team members to imagine they are in a five-star restaurant overlooking the Brazilian beaches. Once they return from the fantasy and begin the task of discussing fraud, ideas should begin to flow without inhibition.

Once auditors have decided on a specific brainstorming technique, they still have several other options to consider: Should the brainstorming be done face-to-face or individually as part of a group (nominal brainstorming)? Should electronic brainstorming be used? Should the ideas be submitted anonymously or should the originators of the ideas be identified? The brainstorming process used depends largely on the culture and structure of the organization, the available technology, and the specific fraud detection goals.

FACE TO FACE VS NOMINAL BRAINSTORMING

Two common brainstorming processes for generating ideas are for groups to meet face-to-face and simultaneously share ideas or for individuals within a group to generate ideas separately and then come together and share ideas. The latter is referred to as nominal brainstorming. During face-to-face brainstorming, team members engage in an open, interactive discussion on a particular topic (e.g., ways that management and employees can commit fraud or steps that can be taken to improve internal controls). This traditional face-to-face approach is common, but its disadvantages are many. For example, facial expressions may indicate disagreement by other team members, thus making it difficult to follow the Osborn rules for brainstorming. Also, because individuals have to wait their turn to speak, they cannot express their ideas immediately. In a hierarchical organization structure, junior auditors may be less likely to put forth ideas in the presence of more seasoned auditors or supervisors. As a result, fewer and less novel ideas are generated than might otherwise be possible. The face-to-face approach is also not ideal for geographically dispersed audit team members.

Alternatively, with nominal brainstorming, individuals brainstorm alone without immediately seeing the ideas generated by other members of the team. Nominal brainstorming enables every team member to participate and list all ideas that come to mind without being interrupted. After everyone has generated ideas on a particular topic, the ideas of all team members are pooled and exchanged. For example, each internal auditor is given 15 minutes to individually brainstorm about a particular topic. After 15 minutes of brainstorming, each individual would then be asked to submit his or her ideas to the other team members. Once all ideas are merged, the team would discuss them and devote attention to specific ideas that the team wanted to explore further. Nominal brainstorming can be done face-to-face or remotely. However, if it is done face-to-face, it is important that at least 15 minutes be allocated for each individual to think without any interruption from others.

ELECTRONIC BRAINSTORMING

Both face-to-face and nominal brainstorming can be done electronically. Electronic brainstorming consists of using technology, such as a group support system, to submit ideas to other team members. When generating ideas, verbal discussion is typically ruled out. For example, during a face-to-face brainstorming session, individuals can be stationed at computer workstations and submit their ideas by typing them. Similar to a chat session, ideas are typed in a small box below a team dialogue box, and the "submit" button is selected to send an idea to other team members. Electronic nominal brainstorming occurs when individuals type all of their ideas into a document, for example, before circulating the document to the other team members.

Traditionally, groups have brainstormed face-to-face, verbally in the same setting, and without technology. However, brainstorming electronically offers many advantages. With electronic brainstorming, all ideas are typed and stored immediately; participants do not have to wait to submit their ideas. Using electronic brainstorming also makes it easier to submit ideas anonymously to other team members. Team members can type ideas and then submit them to other members using an alias.

ANONYMOUS BRAINSTORMING

Anonymous brainstorming is useful when individuals may be shy or fear evaluation from other team members, and it typically works best for large teams. When conducting electronic brainstorming anonymously, individual team members can submit ideas without having the ideas linked directly to them. For example, when ideas are submitted to the group, they are either untagged or tagged with an alias (e.g., Team Member 4). When brainstorming without anonymity, all ideas are tagged with the name of the individual who submitted the idea.

When deciding if anonymity is best for a particular audit team, the internal auditor should consider if the topic being considered is sensitive, whether it will be difficult to prevent criticism, and whether the team is hierarchically structured with experts and novices. Organizations also should consider whether or not they want ideas to be traced back to the team member. Submitting ideas anonymously typically works best in a setting where sensitive issues are discussed, employees are concerned about being evaluated, and where the organization is hierarchically structured. Alternatively, team members may decide to have a nonanonymous discussion of the ideas after the ideas have been presented anonymously.

Anonymity is not required in an environment where employees want recognition for their ideas and are not afraid to submit ideas for fear of criticism. In such an environment, novices' ideas are given equal weight as experts' ideas.

A BETTER AUDIT PLAN

To understand and identify fraudsters, internal auditors must begin to think like them. Creativity training can help auditors think beyond their mental schema; all companies should consider training both experienced and inexperienced auditors in thinking outside the box.

Even in engagements that only use one internal auditor, there is an opportunity for brainstorming. The auditor can brainstorm with the chief audit executive (CAE) or another auditor assigned to a different engagement. The CAE will likely have a broad understanding of the organization, regulations, and audits, while the internal auditor assigned to the engagement will likely have specialized knowledge in that particular area. The CAE's ideas will likely bring about an understanding of the organization's history, combined with the experience and insight from overseeing various audits across functions. In contrast, the internal auditor assigned to the engagement might generate ideas from a more in-depth, detailed level of expertise.

In cases where several internal auditors are available, the brainstorming group might consist of three or four internal auditors within the same functional area of expertise, or across functional areas of expertise. The ideal situation is for members of the brainstorming group to generate their own ideas individually based on their own taxonomies, in addition to generating ideas based on the ideas of others. The exchange of ideas from internal auditors coming from different backgrounds helps the group as a whole generate ideas that otherwise may not have been considered. The discussions among these different types of auditors should promote cognitive stimulation, skepticism, and synergy, which in turn can lead to an audit plan that better serves both internal and external stakeholders.

To comment on this article, e-mail the author at alynch@theiia.org.

 

 


Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

April 2012 IA Online Cover

CCH 2012-2

UCMC 2012 

 International Conference Boston 2012

 

GRC August 2012 

 

 Twitter 
 

facebook IAO 

IA APP