The Ideal Employee

It was late on a dark November evening in 2002 when the corporate counsel of the Victoria Paper Corporation contacted our Chapter member Jay Magret, CFE, CIA about a suspected irregularity involving the team of Tim Clark, the world-wide maintenance manager for Victoria’s most complex automated paper manufacturing equipment.

Clark had been hired after a long exhaustive search by one of Victoria’s many employment contractors, Global Image, Inc. Clark was hired to oversee the entire maintenance program at Victoria’s plants worldwide.  Victoria’s management was elated because Clark seemed ideal for the position, seemingly having spent half of his professional life providing automated systems savvy support to major paper companies around the world. He was used to working in foreign locals and had collected an array of impressive skills that enabled him to be appreciated as a through professional. Once hired, Tim requested four additional staff members for his unit, whom he said he personally knew, and contracted for through Global Image. The names and resumes of the four new staff members were subsequently provided by Grayson Employment, another job agency that also specialized in providing labor to the paper industry. Because the four new staff members were already registered in Grayson’s employee database and were explicitly requested by Tim Clark, Victoria and Global Image didn’t feel the need to complete the usual background verifications.

Such a chain of job agencies is common in the labor market: international paper companies, like companies in other industries, manage large projects in disparate, sometimes isolated locales around the globe, and they are stressed by production deadlines. Accordingly, companies find themselves continuously short on the highly specialized people who are qualified to manage and support such projects. Such international companies rely heavily on job agencies to provide contractors already skilled in the business and available to work in remote destinations.

When a business sector is booming, it becomes crowded with personnel interested in exploiting opportunity and, in the resulting complicated labor market, the temptation to cut personnel supply corners in response to tight deadlines often emerges. The result is that, with a plethora of job agencies providing labor, sometimes to a single project, the final employer sometimes doesn’t know with precision what the hourly fee paid to each individual contractor is after it is redistributed along the chain of multiple job agencies.

Under Clark’s direction, his team was charged with the ambitious task of assuring the continuous performance of maintenance activities at Victoria’s paper plants around the world. On paper, Clark’s team worked long hours each week and most weekends, sometimes flying throughout Europe and Asia with little rest. Each hour worked by a member of the maintenance team was certified and signed off on personally by Clark, on behalf of Victoria.

During their year-and-a-half of service, the four individuals hired by Tim Clark claimed to have worked an excessive number of hours, which triggered an internal review by Grayson Employment’s personnel management. During their review, personnel management found that the four employees’ employment files did not include appropriate identification documents. When the agency requested copies of their passports, the four employees immediately submitted their resignations, and soon after Clark did the same. The day after Clark resigned, Grayson contacted Victoria whose corporate counsel, alarmed, contacted our Jay Magret.

Setting to work immediately and working closely with Victoria’s auditors and the corporate counsel, Magret quickly uncovered evidence that Clark had falsified records and documents for three of the individuals on his team. It became apparent to Jay that those individuals were ghost employees; they did not exist. Clark had created fake resumes for three ghost employees, falsified contracts, signed time sheets, and forged the resignation letters. Further analysis showed that the fourth individual did indeed exist, was related to Clark, and had collaborated on the scheme. Clark and his accomplice had to work hard to carry out the duties of four employees.

Jay’s analysis also showed that Omega’s employee interviews were sometimes conducted solely by line managers involved in the hiring process, without the support of the Human Resources Department. The same line managers were then responsible for certifying the time sheets of their employees, including contractors, while their identification documents weren’t systematically collected or retained. Moreover, the contracts and procedures in use didn’t clearly establish or document each step of the selection and job assignment process.

Magret’s final report specified that the fraud was possible, and profitable, because the paper company client paid the wages of each ghost employee through the chain of job agencies and directly into the accounts of the contractors, which were registered in the name of a private company and managed by Clark. By the time Victoria realized the scope of the fraud scenario with Magret’s help, Clark and his associate had already disappeared with more than a million dollars paid to them during their year-and-a-half scheme. The paper company later discovered that even Clark was not who he claimed to be. He had used a fake identity and was untraceable, leaving little to no chance of recovery of the stolen money.

In response to management’s request that he proactively suggest controls to strengthen Victoria’s anti-fraud program, Magret suggested, as a matter of normal practice, that:

–Companies should perform time assessments to ensure they know how long a job will take to complete.

–Strict procedures should be in place during the hiring process, especially regarding segregation of duties. Human resources should always be involved in the process and responsible for checking identification documents with the physical person.

–The company should limit the opportunity for line managers to recommend hiring people they know. In some cases, it is unavoidable, so managers should always try to guarantee a higher level of segregation, especially in the authorization of time sheets.

–When using a job agency, the company should be sure that the relationship with contractors will be directly between the company itself and the agency. By doing this, the company will save money and be more assured about the contracted personnel.

— Client inhouse auditors of the personnel function should perform a periodic analysis of office records by selecting a sample of employees and verifying their effective presence in the office or on the job site, making sure appropriate identification is included in their records.
–Excessive hours claimed is as a red flag, especially when it is common among off-site employees. Establishing key performance indicators for each department or business process can serve as a reference for red flag comparisons.

–A wide-ranging and fragmented work environment can make the ghost employee phenomenon possible. A strong internal control framework and strictly enforced personnel policies are the only ways to prevent and discourage this type of fraud scheme.

Confidential Sources & Informants

There has been much in the news recently concerning the confidential sources and informants involved in current Federal on-going criminal and non-criminal investigations.  During the more complex of our examinations, we, as practicing fraud examiners and forensic accountants, can also expect to encounter the same types of sources and informants. Both sources and informants serve the same purpose, to provide information helpful in the development of a case. However, there are notable differences between confidential sources and confidential informants; the two terms should not be used interchangeably.

A confidential source furnishes information simply consequent on being a member of an occupation or profession and has no culpability in the alleged offense. For example, confidential sources might include barbers, attorneys, accountants, and law enforcement personnel. A confidential informant on the other hand has a direct or indirect involvement in the matter under investigation, and s/he might (incidentally) also be culpable. The distinction between the two sources is their involvement or noninvolvement in the offense. As every CFE knows, informants can pose treacherous legal issues for the fraud examiner.

There is no question that information provided by a well-placed informant can be invaluable to any case; secretly photographed or recorded conversations provided by an informant are the most convincing type of evidence. This information is generally viewed as something the use of which is sure to be successful for a criminal prosecutor, because there is little that a white-collar criminal can dispute when caught red-handed in the fraudulent act.

The ACFE identifies several types of informants with which a CFE might expect to become directly or indirectly involved: the basic lead, the participant, the covert, and the accomplice/witness.

—Basic Lead Informants. This type of informant supplies information to the investigator about illicit activities that they have encountered. The reasons that the informant decides to supply information are varied; some informants simply want to “do their part” to stop an unscrupulous activity, while others are interested in harming the criminals against whom they are informing. For instance, many informants in drug, prostitution, or illegal gambling endeavors are involved in those activities as well and intend to eliminate some of their competition. Whatever the reason, these informants’ only role in an investigation is to supply useful information.

—Participant informants.  The participant informant is directly involved in gathering preliminary evidence in the investigation. The informant in this instance not only supplies an investigation with information, but the informant is also involved in setting up a “sting” operation, initiating contact with the criminal for arrest purposes. A participant informant is just what the name suggests, a participant in the investigation of criminal activity.

—Covert informants. A covert informant also supplies information on criminal behavior to an investigator or to authorities. The difference between covert informants and other types of informants is that a covert informant is one who has been embedded in a situation or scenario for a period, sometimes for years, and is called upon only sporadically for newly uncovered information (i.e., tip-offs) and leads. These types of informants are often referred to as moles because of the nature of their insulated situation as inside sources. There are two instances in which covert informants are commonly used: in organized crime and in hate-extremist group investigations. Covert informants are often culled to get information about upcoming criminal activities by such groups.

—Accomplice/witness informants. The accomplice/witness informant is often called upon to provide information concerning criminal activity. Unlike other types of informants, the accomplice/witness informant seeks to avoid prosecution for an offense by providing investigators with helpful information. For example, the government might promise leniency if the accomplice/witness informant offers details about a co-conspirator.

There are three essential procedures for the investigator to keep in mind and follow when using sources and informants. First, strive to keep the informant’s identity as confidential as possible. Second, independently verify the information provided by the source or informant. Third, develop witness and documentary evidence from independently verified information. For example, an informant might indicate that an investigative target committed fraud. If the fraud examiner subsequently conducts an interview and gets a confession out of the target, the information is no longer dependent on the informant’s claim.

If the confidential source or informant has provided documents, names of potential witnesses, or other evidence, all reasonable steps must be taken to protect the identity of that source. Care should be taken to ensure that the questioning of other witnesses is done in a manner that does not reveal its origin. This can usually be accomplished by phrasing questions in a certain way. For example, Smith furnished confidential information about Jones, the co-owner of Jones Brothers Construction Company. When the fraud examiner confronts Jones, she does not want him to know that she has talked to Smith.

If necessary, in this example, the fraud examiner would display the evidence from witnesses and documents that would not reveal the source or informant’s identity. The information from the source or informant is basically useless unless the fraud examiner can verify its authenticity and independently corroborate it. Suppose a source furnishes the fraud examiner with copies of documents showing that Jones Brothers Construction Company’s building code violations dropped by 80 percent since a bribery arrangement allegedly began. This kind of evidence would corroborate the source’s story. If a source told the fraud examiner that Jones frequently had drinks with Walters, the city’s chief building inspector, the fraud examiner would want to find out some way to verify this information. Recall that the third objective when using sources is to develop the witness’s information and other evidence so that it makes a cohesive case.

Fraud examiners should make every effort to develop and cultivate a wide range of sources. Business and financial institution executives, law enforcement and other governmental personnel, medical and educational professionals, and internal and external auditors are always good contacts for practicing fraud examiners.

The fraud examiner should strive to make contacts in her community, well in advance of needing the information they can provide; my contacts on LinkedIn and in the Central Virginia ACFE Chapter have proven their investigative value again and again!  If the fraud examiner receives an allegation and needs confidential information, s/he might obtain assistance from a source cultivated earlier.  Additionally, we need sources to feel confident that they can share information with us without being compromised. In theory, the source will never have to testify; s/he has no firsthand knowledge. Firsthand information comes either from a witness or from a document.

The fraud examiner might also encounter new sources when tracking leads during a specific investigation. S/he might interview a stockbroker from whom the target purchased stock but who does not want his identity revealed. The fraud examiner shou1d not encourage a person to provide confidential information, but rather try to get verifying reports on the record. But if the fraud examiner promises confidentiality for a source’s information, she must abide by that promise.

The ACFE advises that active recruitment of informants is generally not desirable because doing so might appear unseemly to a jury. It is better to encourage an informant to come forward. It is also desirable to develop an informant relationship, but such relationships must be handled carefully. The fraud examiner must be careful to clearly document the adequate predication for an informant’s involvement. Generally, the most fundamental questions concerning informants will focus on the degree of their culpability or the lack of it. There have been cases where the informant is guiltier than the target; in such cases the court might rule that the informant’s information cannot be introduced.

Finally, it’s recommended that all contact with informants and-sources be reported on a memorandum, although the confidential source or informant’s identity should not be included in the report. Instead of including the source or informant’s identity, the fraud examiner should use symbols to denote the source’s identity. It is further recommended that sources be preceded with an “S,” followed by a unique identifier (i.e., source #1 would be “S-l”; source #2 would be “S-2”). The symbols for informants would then be “I-1” and “I-2.”

Generally, disclosure of the identities of sources and informants should be on a strict need to-know basis. For that reason, the person’s identity should be maintained in a secure file with limited access, and it should be cross-indexed by the source’s symbol number. The reliability of the source, if known, and whether the person can furnish relevant information should always be documented in writing.

The Threat Within

Our Chapter’s May 16th and 17th upcoming training seminar on CYBER FRAUD AND DATA BREACHES emphasizes that corporate insiders represent one of the largest threats to an organization’s vital information resources. Insiders are individuals with access or inside knowledge about an organization, and such access or knowledge gives them the ability to exploit that organization’s vulnerabilities.  Insiders enjoy two critical openings in the security structure that put them in a position to exploit organizations’ information security vulnerabilities:

• the trust of their employers
• their access to facilities

Information theft by insiders is of special concern when employees leave an organization. Often, employees leave one organization for another, taking with them the knowledge of how their former organization operates, as well as its pricing policies, manufacturing methods, customers, and so on.

The ACFE tells us that insiders can be classified into three categories:

• Employees:  employee insiders are employees with rights and access associated with being employed by the organization.
• Associates: insider associates are people with physical access to an organization’s facilities, but they are not employees of the organization (e.g., contractors, cleaning crews).
• Affiliates: insider affiliates are individuals connected to pure insiders or insider associates (e.g., spouse, friend, client), and they can use the credentials of those insiders with whom they are connected to gain access to an organization’s systems or facilities.

There are many types of potential insider threats, and they can be organized into the following categories:

• Traitors
• Zealots
• Spies
• Browsers
• Well-intentioned insiders

A traitor is a legitimate insider who misuses his or her insider credentials to facilitate malicious acts.  When a trusted insider misuses his or her privileges to violate a security policy, s/he becomes a traitor. Below are some signs that an insider may be a traitor:

• Unusual change in work habits;
• Seeking out sensitive projects;
• Unusual work hours;
• Inconsistent security habits;
• Mocking security policies and procedures;
• Rationalizing inappropriate actions;
• Changes in lifestyle;
• Living beyond his or her means.

Zealots are trusted insiders with strong and uncompromising beliefs that clash with their organization’s perspectives on certain issues and subjects. Zealots pose a threat because they might exploit their access or inside knowledge to “reform” their organizations.
Zealots might attempt reform by:

• Exposing perceived shortcomings of the organization by making unauthorized disclosures of information to the public or by granting access to outsiders;
• Destroying information;
• Halting services or the production of products.

Zealots believe that their actions are just, no matter how much damage they cause.

A spy is an individual who is intentionally placed in a situation or organization to gather intelligence. A well-placed corporate spy can provide intelligence on a target organization’s product development, product launches, and organizational developments or changes.

Spies are common in foreign, business, and competitive intelligence efforts.

Browsers are insiders who are overly curious about information to or of which they do not need access, knowledge or possession to carry out their work duties. Their curiosity drives them to review data not intended for them.  Browsers might “browse” through information that they have no specific need to know until they find something interesting or something they can use. Browsers might use such information for personal gain, or they might use it for:

• Obtaining awards;
• Supporting decisions about promotions;
• Understanding contract negotiations;
• Gaining a personal advantage over their peers.

Browsers can be the hardest insider threat to identify, and they can be even harder to defeat.

The well-intentioned insider is an insider who, through ignorance or laziness, unintentionally fosters security breaches. Well-intentioned insiders might foster security breaches by:

• Disabling anti-virus software;
• Installing unapproved software;
• Leaving their workstations or facilities unlocked;
• Using easy-to-crack passwords;
• Failing to shred or destroy sensitive information.
While well-intentioned individuals might be stellar employees when it comes to work production, their ignorance or laziness regarding information security practices can be disastrous.

CFE’s need to understand that there are numerous motivations for insider attacks including:
• Work-related grievances;
• Financial gain;
• Challenge;
• Curiosity;
• Spying for competitors;
• Revenge;
• Ego;
• Opportunity;
• Ideology (e.g., “I don’t like the way my organization conducts business.”)

There are many ways our client organizations can combat insider threats. The most effective mitigation strategies recommended by the ACFE are:

• Create an insider threat program. To combat insider threats, management should form an insider threat team, create related policies, develop processes and implement controls, and regularly communicate those policies and controls across the organization.
• Work together across the organization. To be successful, efforts to combat insider threats should be communicated across the silos of management, IT, data owners, software engineers, general counsel, and human resources.
• Address employee privacy issues with general counsel. Because employees have certain privacy rights that can affect numerous aspects of the employer-employee relationship, and because such rights may stem from, and be protected by, various elements of the law, management should consult legal counsel whenever addressing actions impacting employee privacy.
• Pay close attention at times of resignation/ termination. Because leaving an organization is a key time of concern for insider threats, management should be cautious of underperforming employees, employees at risk of being terminated, and of employees who will likely resign.
• Educate managers regarding potential recruitment. Management should train subordinates to exercise due diligence in hiring prospective employees.
• Recognize concerning behaviors as a potential indicator. Management must train managers and all employees to recognize certain behaviors or characteristics that might indicate employees are committing or are at risk of committing a breach. Common behavioral red flags are living beyond one’s financial means, experiencing financial difficulties, having an uncommonly close relationship with vendors or customers, and demonstrating excessive control over their job responsibilities.
• Mitigate threats from trusted business partners. Management should subject their organization’s contractors and outsourced organizations to the same security controls, policies, and procedures to which they subject their own employees.
• Use current technologies differently. Most organizations have implemented technologies to detect network intrusions and other threats originating outside the network perimeter, and organizations with such technologies should use them to the extent possible to detect potential indicators of malicious insider behavior within the network.
• Focus on protecting the most valuable assets. Management should dedicate the most effort to securing its most valuable organizational assets and intellectual property against insider threats.
• Learn from past incidents. Past incidents of insider threats and abuse will suggest areas of vulnerability that insiders will likely exploit again.
Additionally:
• Focus on deterrence, not detection. In other words, create a culture that deters any aberrant behavior so that those who continue to practice that behavior stand out from the “noise” of normal business; focus limited investigative resources on those individuals.
• Know your people—know who your weak links are and who would be most likely to be a threat. Use human resources data to narrow down threats rather than looking for a single needle in a pile of needles.
• Identify information that is most likely to be valuable to someone else and protect it to a greater degree than the rest of your information.
• Monitor ingress and egress points for information (e.g., USB ports, printers, network boundaries).
• Baseline normal activity and look for anomalies.
Other measures organizations might consider taking to combat insider threats include:
• Educate employees as to what information is proprietary and confidential.
• Require that all employees and third-party vendors and contractors sign nondisclosure agreements; written agreements providing that all proprietary and confidential information learned during their relationship must be kept confidential and must not be disclosed to anyone, upon the commencement and termination of employment or contracts.
• Ensure that all an organization’s third-party vendors and contractors perform background checks on all third-party employees who will have access to the organization’s information systems.
• Prohibit employees, contractors, and trusted business partners from printing sensitive documents that are not required for business purposes.
• If possible, avoid connecting information systems to those of business partners.

Also, when possible, management should conduct exit interviews with departing employees. During an exit interview, the departing employee should be advised about the organization’s trade secrets and confidential information, as well as any obligation not to disclose or use such information for his or her own benefit or for the benefit of others without express written consent. Also, the employee should be given a form to sign stating that s/he was informed that any proprietary information should not be disclosed and that s/he agrees not to disclose any such information without consent.

Finally, when management terminates its relationship with an insider, it should immediately deactivate the insider’s access to company tools and resources.

Please consider joining us for at our May 16th and 17th Spring training event, Cyber Fraud and Data Breaches for 16 CPE credits!  You may register and pay on-line here!

Analytics Confronts the Normal

The Information Audit and Control Association (ISACA) tells us that we produce and store more data in a day now than mankind did altogether in the last 2,000 years. The data that is produced daily is estimated to be one exabyte, which is the computer storage equivalent of one quintillion bytes, which is the same as one million terabytes. Not too long ago, about 15 years, a terabyte of data was considered a huge amount of data; today the latest Swiss Army knife comes with a 1 terabyte flash drive.

When an interaction with a business is complete, the information from the interaction is only as good as the pieces of data that get captured during that interaction. A customer walks into a bank and withdraws cash. The transaction that just happened gets stored as a monetary withdrawal transaction with certain characteristics in the form of associated data. There might be information on the date and time when the withdrawal happened; there may be information on which customer made the withdrawal (if there are multiple customers who operate the same account). The amount of cash that was withdrawn, the account from which the money was extracted, the teller/ATM who facilitated the withdrawal, the balance on the account after the withdrawal, and so forth, are all typically recorded. But these are just a few of the data elements that can get captured in any withdrawal transaction. Just imagine all the different interactions possible on all the assorted products that a bank has to offer: checking accounts, savings accounts, credit cards, debit cards, mortgage loans, home equity lines of credit, brokerage, and so on. The data that gets captured during all these interactions goes through data-checking processes and gets stored somewhere internally or in the cloud.  The data that gets stored this way has been steadily growing over the past few decades, and, most importantly for fraud examiners, most of this data carries tons of information about the nuances of the individual customers’ normal behavior.

In addition to what the customer does, from the same data, by looking at a different dimension of the data, examiners can also understand what is normal for certain other related entities. For example, by looking at all the customer withdrawals at a single ARM, CFEs can gain a good understanding of what is normal for that particular ATM terminal.  Understanding the normal behavior of customers is very useful in detecting fraud since deviation from normal behavior is a such a primary indicator of fraud. Understanding non-fraud or normal behavior is not only important at the main account holder level but also at all the entity levels associated with that individual account. The same data presents completely different information when observed in the context of one entity versus another. In this sense, having all the data saved and then analyzed and understood is a key element in tackling the fraud threat to any organization.

Any systematic, numbers-based system of understanding of the phenomenon of fraud as a past occurring event is dependent on an accurate description of exactly what happened through the data stream that got accumulated before, during, and after the fraud scenario occurred. Allowing the data to speak is the key to the success of any model-based system. This data needs to be saved and interpreted very precisely for the examiner’s models to make sense. The first crucial step to building a model is to define, understand, and interpret fraud scenarios correctly. At first glance, this seems like a very easy problem to solve. In practical terms, it is a lot more complicated process than it seems.

The level of understanding of the fraud episode or scenario itself varies greatly among the different business processes involved with handling the various products and functions within an organization. Typically, fraud can have a significant impact on the bottom line of any organization. Looking at the level of specific information that is systematically stored and analyzed about fraud in financial institutions for example, one would arrive at the conclusion that such storage needs to be a lot more systematic and rigorous than it typically is today. There are several factors influencing this. Unlike some of the other types of risk involved in client organizations, fraud risk is a censored problem. For example, if we are looking at serious delinquency, bankruptcy, or charge-off risk in credit card portfolios, the actual dollars-at-risk quantity is very well understood. Based on past data, it is relatively straightforward to quantify precise credit dollars at risk by looking at how many customers defaulted on a loan or didn’t pay their monthly bill for three or more cycles or declared bankruptcy. Based on this, it is easy to quantify the amount at risk as far as credit risk goes. However, in fraud, it is virtually impossible to quantify the actual amount that would have gone out the door as the fraud is stopped immediately after detection. The problem is censored as soon as some intervention takes place, making it difficult to precisely quantify the potential risk.

Another challenge in the process of quantifying fraud is how well the fraud episode itself gets recorded. Consider the case of a credit card number getting stolen without the physical card getting stolen. During a certain period, both the legitimate cardholder and the fraudster are charging using the card. If the fraud detection system in the issuing institution doesn’t identify the fraudulent transactions as they were happening in real time, typically fraud is identified when the cardholder gets the monthly statement and figures out that some of the charges were not made by him/her. Then the cardholder calls the issuer to report the fraud.  In the not too distant past, all that used to get recorded by the bank was the cardholder’s estimate of when the fraud episode began, even though there were additional details about the fraudulent transactions that were likely shared by the cardholder. If all that gets recorded is the cardholder’s estimate of when the fraud episode began, ambiguity is introduced regarding the granularity of the actual fraud episode. The initial estimate of the fraud amount becomes a rough estimate at best.  In the case in which the bank’s fraud detection system was able to catch the fraud during the actual fraud episode, the fraudulent transactions tended to be recorded by a fraud analyst, and sometimes not too accurately. If the transaction was marked as fraud or non-fraud incorrectly, this problem was typically not corrected even after the correct information flowed in. When eventually the transactions that were actually fraudulent were identified using the actual postings of the transactions, relating this back to the authorization transactions was often not a straightforward process. Sometimes the amounts of the transactions may have varied slightly. For example, the authorization transaction of a restaurant charge is sometimes unlikely to include the tip that the customer added to the bill. The posted amount when this transaction gets reconciled would look slightly different from the authorized amount. All of this poses an interesting challenge when designing a data-driven analytical system to combat fraud.

The level of accuracy associated with recording fraud data also tends to be dependent on whether the fraud loss is a liability for the customer or to the financial institution. To a significant extent, the answer to the question, “Whose loss is it?” really drives how well past fraud data is recorded. In the case of unsecured lending such as credit cards, most of the liability lies with the banks, and the banks tend to care a lot more about this type of loss. Hence systems are put in place to capture this data on a historical basis reasonably accurately.

In the case of secured lending, ID theft, and so on, a significant portion of the liability is really on the customer, and it is up to the customer to prove to the bank that he or she has been defrauded. Interestingly, this shift of liability also tends to have an impact on the quality of the fraud data captured. In the case of fraud associated with automated clearing house (ACH) batches and domestic and international wires, the problem is twofold: The fraud instances are very infrequent, making it impossible for the banks to have a uniform method of recording frauds; and the liability shifts are dependent on the geography.  Most international locations put the onus on the customer, while in the United States there is legislation requiring banks to have fraud detection systems in place.  The extent to which our client organizations take responsibility also tends to depend on how much they care about the customer who has been defrauded. When a very valuable customer complains about fraud on her account, a bank is likely to pay attention.  Given that most such frauds are not large scale, there is less need to establish elaborate systems to focus on and collect the data and keep track of past irregularities. The past fraud information is also influenced heavily by whether the fraud is third-party or first-party fraud. Third-party fraud is where the fraud is committed clearly by a third party, not the two parties involved in a transaction. In first-party fraud, the perpetrator of the fraud is the one who has the relationship with the bank. The fraudster in this case goes to great lengths to prevent the banks from knowing that fraud is happening. In this case, there is no reporting of the fraud by the customer. Until the bank figures out that fraud is going on, there is no data that can be collected. Also, such fraud could go on for quite a while and some of it might never be identified. This poses some interesting problems. Internal fraud where the employee of the institution is committing fraud could also take significantly longer to find. Hence the data on this tends to be scarce as well.

In summary, one of the most significant challenges in fraud analytics is to build a sufficient database of normal client transactions.  The normal transactions of any organization constitute the baseline from which abnormal, fraudulent or irregular transactions, can be identified and analyzed.  The pinpointing of the irregular is thus foundational to the development of the transaction processing edits which prevent the irregular transactions embodying fraud from even being processed and paid on the front end; furnishing the key to modern, analytically based fraud prevention.

Managing Disruption

Technology risks are evolving and changing so rapidly, it’s more difficult for management to assess new fraud threats and to adjust its strategies to manage and mitigate them. Applications that use disruptive technologies, such as artificial intelligence, advanced robotics, 3D printing, blockchain, and the Internet of Things, are being designed quickly and often generate new high-growth markets. CFEs and other anti-fraud professionals are struggling to stay abreast of the most recent developments and to identify anti-fraud policies, procedures and controls that add value.  Additionally, the exponential growth of computing power has enabled our client organizations to capitalize on the use of mobile devices and to leverage the ubiquity of the internet to reach their markets almost instantly.

While this is an exciting and challenging opportunity for marketers and business managers, it has injected new risk considerations for CFEs. Digitalization of data has created opportunities for knowledgeable investigators to improve their use of data analytics, use algorithms to facilitate cognitive intelligence, and to even create bot applications that perform automated fraud assessment tasks in real time. The essence of the risks and controls involved has not changed as much as the underlying technology. The new processes still need to adhere to organizational policies and procedures, change management practices are still a vital component in transitioning to new tools and processes, and system and access controls must continue to be enforced. However, some controls that were important in the past now take on a new level of criticality. Automated algorithms result in less transparency of the underlying process. When data is used and shared through these processes, accuracy and completeness become a necessity. An organization needs very specific controls to ensure a bot does not proliferate erroneous data. Anti-fraud focused information security and access control processes must treat the bot as if it were a person and only allow it access to appropriate data. Checks and balances must be integrated into the process to ensure the results are accurate, service level agreements are met, and contracts remain faithfully performed.

Advanced materials, 3D printing, and autonomous vehicles are other advances that are transforming the fraud prevention landscape. New businesses created by these technologies need to follow established governance processes and design fraud and abuse risk management and related internal controls into their business processes. As entirely new markets and products are developed, it’s important that risk managers with fraud investigation experience are involved proactively from the first. This blog has devoted several recent posts to blockchain technology.  Blockchain is a distributed ledger that maintains a shared list of records. Each of these records contains time-stamped data that is encoded and linked to every other previous transaction in that chain of transactions. The decentralized and distributed storage of these records provides visibility to everyone in the network and ensures that no single entity can change any of the historical records. While blockchain is already being used in numerous applications, most notably digital currencies, many other industries are exploring the technology.  Banks are testing cross-border financial transactions, and there is much speculation about the potential to use blockchain to eliminate the middle man in real estate deals, routine contract management, stock purchases, and other similar transactions. If blockchain is effective at eliminating intermediaries, the new business model will expose all the transacting parties to new fraud risks, which were previously being addressed by the middle man.

There are several ways CFEs can proactively help manage the effect of the fraud related aspects of disruptive technologies on their client organizations. By focusing on anti-fraud assurance, providing fraud scenario insight to management, and by demonstrating proficiency and expertise in innovative technologies, fraud examiners will be able to contribute significantly to the overall fraud prevention programs of our client organizations.

For many years organizations have been encouraged by economists to focus on what they do best. That is wise advice for the fraud examination profession, as well. By continuing to focus on governance, fraud risk, and preventative controls, CFEs can help ensure fraud prevention policies and processes are designed and operating effectively. Regardless of the nature or tempo of the changes, investigators will then be able to more effectively fulfill their mission. Moreover, proactively helping their organizations anticipate emerging fraud risks and technological changes can position fraud examiners as authorities and better prepare client organizations to better respond to disruptive events.

By aligning with the expectations of the profession’s key client stakeholders and working closely with those subject-matter experts who are implementing disruptive technologies from within and without, CFEs can remain focused on the most relevant and significant fraud prevention related issues.  For example, cybersecurity and data privacy are topics that every organization is managing. Identifying trends that will affect the organization, and collaborating with and providing insight to their stakeholders, can enable the CFE community to significantly affect the business agenda.  More than ever, fraud examiners must constantly pursue training to learn about recent technologies and the complex and emerging new risks being introduced into their organizations.  Additionally, chief investigators need to focus on developing an adaptive, flexible, innovative staffing model. This new model must tap into a highly specialized talent pool that has the technological competence to rapidly understand and leverage new tools, techniques, and processes.  Perhaps the most important thing CFEs can do to prepare for disruptive technological innovations is to embrace and leverage new technologies in their own work. CFE investigators need to be at the forefront of adopting artificial intelligence, cognitive computing, and smart robots.

All assurance professionals need to completely understand how technologies like blockchain work and how they can be used and analyzed in fraud investigations.  They must take advantage of machine learning and data analytics in their examination processes. Moreover, continuous fraud auditing should be the standard default for new review routines and real-time identification of fraud signatures and red flags should be a requirement as organizations implement new business processes.

In summary, the threat of disruptive technologies has arrived and will affect every organization regardless of its size or objectives. When Gordon Moore observed in 1965 that the number of transistors on an integrated circuit had doubled every year since transistors were invented, few thought that exponential growth would continue for more than 50 years. As computing power increases, technology becomes more mobile, data becomes more accessible and usable, and fraudsters capitalize on the opportunities that arise. Fraud risk managers will have to assess emerging threats consistently and continuously. CFEs will need to respond to emerging threats with new and better ways to perform our investigations and engage to redesign our own processes or face disruption ourselves.

Tailoring Difficult Conversations

We CFE’s and forensic accountants, like other investigative professionals, are often called upon to be the bearers of bad news; it just goes with the territory.  CFE’s and forensic accountants are somewhat unique, however, in that, since fraud is ubiquitous, we’re called upon to communicate negative messages to such a diverse range of client types; today the chairman of an audit committee, tomorrow a corporate counsel, the day after that an estranged wife whose spouse has run off after looting the family business.

If there is anything worse than getting bad news, it may be delivering it. No one relishes the awkward, difficult, anxiety-producing exercise of relaying messages that may hurt, humiliate, or upset someone with whom the deliverer has a professional relationship. And, what’s more,  it often proves a thankless task. This was recognized in a Greek proverb almost 2,500 years ago, “Nobody loves the messenger who brings bad news.”

Physicians, who are sometimes required to deliver worse news than most CFE’s ever will, often engage in many hours of classwork and practical experience studying and role-playing how to have difficult conversations with patients and their families They know that the message itself, may be devastating but how they deliver it can help the patient and his or her family begin to process even the most painful facts.   CFE’s are in the fortunate position of typically not having to deliver news that is quite so shattering.  Nevertheless, there is no question that certain investigative results can be extremely difficult to convey and to receive.  The ACFE tells us that learning how to prepare for and deliver such messages can create not only a a better investigator but facilitate a better investigative outcome.

Preparation to deliver difficult investigative results should begin well in advance, even before there is such a result to deliver. If the first time an investigator has a genuine interaction with the client is to confirm the existence of a fraud, that fact in itself constitutes a problem.  On the other hand, if the investigator has invested time in building a relationship before that difficult meeting takes place, the intent and motivations of both parties to the interaction are much better mutually understood. Continuous communication via weekly updates to clients from the moment irregularities are noted by examination is vital.

However, despite best efforts in building relationships and staying in regular contact with clients, some meetings will involve conveying difficult news. In those cases, preparation is critical to accomplishing objectives while dealing with any resultant fallout.  In such cases, the ACFE recommends focusing on investigative process as well as on content. Process is professionally performing the work, self-preparation for delivering the message, explaining the conclusions in meaningful and realistic ways, and for anticipating the consequences and possible response of the person receiving the message. Content is having the right data and valid conclusions so  the message is correct and complete.

Self-preparation involves considering the type of person who is receiving the difficult message and in determining the best approach for communicating it. Some people want to hear the bottom line first and the supporting information after that; others want to see a methodical building of the case item by item, with the conclusion at the end. Some are best appealed to via logic; others need a more empathetic delivery. Discussions guided by the appropriate approach are more likely to be productive. Put as much effort as possible into getting to know your client since personality tends to drive how he or she wants to receive information, interact with others, and, in turn, values things and people. When there is critical investigative information that has to be understood and accepted, seasoned examiners consider delivery tailored specifically to the client to be paramount.

Once the ground work has been laid, it’s time to have the discussion. It’s important, regarding the identified fraud, to remember to …

–Seek opportunities to balance the discussion by recognizing the client’s processes that are working well as well as those that have apparently failed;

–Offer to help or ask how you can help to address the specific issues raised in the discussion;

–Make it clear that you understand the client’s challenges. Be precise and factual in describing the causes of the identified irregularity;

–Maintain open body language. Avoid crossing your arms, don’t place your hands over your mouth or on your face, and keep your palms facing each other or slightly upwards instead of downwards. Don’t lean forward as this appears extra aggressive. Breathe deeply and evenly. If possible, mimic the body language of the message recipient, if the recipient is remaining calm. If the recipient begins to show signs of defensiveness or strong aggression, and your efforts to calm
the situation are not successful, you might suggest a follow-up meeting after both of you have digested what was said and to consider mutually acceptable options to move forward.

–Present the bottom-line message three times in different ways so your listener has time to absorb it.

–Let the client vent if he or she wishes. The ACFE warns against a tendency to interrupt the client’s remarks of explanation or sometimes of denial; “we don’t hire people who would do something like that!” Allowing the client time to vent frees him or her to get down to business moving afterward.

–Focus on problems with the process as well as on the actions of the suspect(s) to build context for the fraud scenario.

–Always demonstrate empathy. Take time to think about what’s going through your hearer’s mind and help him or her think through the alleged scenario and how it occurred, what’s going to happen next with the investigation, and how the range of issues raised by the investigation might be resolved.

Delivering difficult information is a minefield, and there are ample opportunities to take a wrong step and see explosive results. Emotional intelligence, understanding how to read people and relate to them, is vital in delivering difficult messages effectively. This is not an innate trait for many people, and it is a difficult one to learn, as are many of the other so-called soft skills. Yet they can be critical to the successful practice of fraud examination. Examiners rarely get in trouble over their technical skills because such skills are generally easier for them to master.  Examiners tend to get in trouble over insufficient soft skills. College degrees and professional certifications are all aimed at the technical skills. Sadly, very little is done on the front end to help examiners with the equally critical soft skills which only arise after the experience of actual practice.  For that reason, watching a mentor deliver difficult messages or deal with emotional people is also an effective way to absorb good practices. ACFE training utilizes the role-playing of potentially troublesome presentations to a friendly group (say, the investigative staff) as another way to exercise one’s skills.

Delivering bad news is largely a matter of practice and experience, and it’s not something CFEs and forensic accountants have the choice to avoid. At the end of the day, examiners need to deliver our news verbally and in writing and to facilitate our clients understanding of it. The underlying objective is to ensure that the fact of the alleged fraud is adequately identified, reported and addressed, and that the associated risk is understood and effectively mitigated.

Cyberfraud & Data Breaches May 2018 Training Event

On May 16th and 17th, our Chapter, supported by our partners national, ACFE and the Virginia State Police, will present our sixteenth Spring training event, this time on the subject of CYBERFRAUD AND DATA BREACHES.  Our presenter will be CARY E. MOORE, CFE, CISSP, MBA; ACFE Presenter Board member and internationally renowned author and authority on every aspect of cybercrime.  CLICK HERE  to see an outline of the training, the agenda and Cary’s bio.  If you decide to do so, you may REGISTER HERE.  Attendees will receive 16 CPE credits, and a printed manual of over 300 pages detailing every subject covered in the training.  In addition, as a door prize, we will be awarding, by drawing, a printed copy of the 2017 Fraud Examiners Manual, a $200 value!

As the relentless wave of cyberattacks continues, all our client organizations are under intense pressure from key stakeholders and regulators to implement and enhance their anti-fraud programs to protect customers, employees and the valuable information in their possession. According to research from IBM Security and the Ponemon Institute, the average total cost per company, per event of a data breach is US $3.62 million. Initial damage estimates of a single breach, while often staggering, may not consider less obvious and often undetectable threats such as theft of intellectual property, espionage, destruction of data, attacks on core operations or attempts to disable critical infrastructure. These knock-on effects can last for years and have devastating financial, operational and brand ramifications.

Given the broad regulatory pressures to tighten anti-fraud cyber security controls and the visibility surrounding cyber risk, a number of proposed regulations focused on improving cyber security risk management programs have been introduced in the United States over the past few years by various governing bodies of which CFEs need to be aware. One of the more prominent is a regulation issued by the New York Department of Financial Services (NYDFS) that prescribes certain minimum cyber security standards for those entities regulated by the NYDFS. Based on the entity’s risk assessment, the NYDFS law has specific requirements around data encryption, protection and retention, third party information security, application security, incident response and breach. notification, board reporting, and annual certifications.

However, organizations continue to struggle to report on the overall effectiveness of their cyber security risk management and anti-fraud programs. The American Institute of Certified Public Accountants (AICPA) has released a cyber security risk management reporting framework intended to help organizations expand cyber risk reporting to a broad range of internal and external users, including the C-suite and the board of directors (BoD). The AICPA’s reporting framework is designed to address the need for greater stakeholder transparency by providing in-depth, easily consumable information about an organization’s cyber risk management
program. The cyber security risk management examination uses an independent, objective reporting approach and employs broader and more flexible criteria. For example, it allows for the selection and utilization of any control framework considered suitable and available in establishing the entity’s cyber security objectives and developing and maintaining controls within the entity’s cyber security risk management program, whether it is the US National Institute of Standards and Technology (NIST)’s Cybersecurity Framework, the International Organization for Standardization (ISO)’s ISO 27001/2 and related frameworks, or internally developed frameworks based on a combination of sources. The examination is voluntary, and applies to all types of entities, but should be considered a leading practice that provides the C-suite, boards and other key stakeholders clear insight into an organization’s cyber security program and identifies gaps or pitfalls that leave organizations vulnerable.

Cyber security risk management examination reports are vital to the fraud control program of any organization doing business on-line.  Such reports help an organization’s BoD establish appropriate oversight of a company’s cyber security risk program and credibly communicate its effectiveness to stakeholders, including investors, analysts, customers, business partners and regulators. By leveraging this information, boards can challenge management’s assertions around the effectiveness of their cyber risk management programs and drive more effective decision making. Active involvement and oversight from the BoD can help ensure that an organization is paying adequate attention to cyber risk management. The board can help shape expectations for reporting on cyber threats and fraud attempts while also advocating for greater transparency and assurance around the effectiveness of the program.

Organizations that choose to utilize the AICPA’s cyber security attestation reporting framework and perform an examination of their cyber security program may be better positioned to gain competitive advantage and enhance their brand in the marketplace. For example, an outsource retail service provider (OSP) that can provide evidence that a well-developed and sound cyber security risk management program is in place in its organization can proactively provide the report to current and potential customers, evidencing that it has implemented appropriate controls to protect the sensitive IT assets and valuable data over which it maintains access. At the same time, current and potential retailor customers of an OSP want the third parties with whom they engage to also place a high level of importance on cyber security. Requiring a cyber security examination report as part of the selection criteria would offer transparency into
outsourcers’ cyber security programs and could be a determining factor in the selection process.

The value of addressing cyber security related fraud concerns and questions by CFEs before regulatory mandates are established or a crisis occurs is quite clear. The knowledgeable CFE can help our client organizations view the new cyber security attestation reporting frameworks as an opportunity to enhance their existing cyber security and anti-fraud programs and gain competitive advantage. The attestation reporting frameworks address the needs of a variety of key stakeholder groups and, in turn, limit the communication and compliance burden. CFE client organizations that view the cyber security reporting landscape as an opportunity can use it to lead, navigate and disrupt in today’s rapidly evolving cyber risk environment.

Please decide to join us for our May Training Event on this vital and timely topic!  YOU MAY REGISTER 0N-LINE HERE.  You can pay with PayPal (you don’t need a PayPal account; you can use any credit card) or just print an invoice and submit your payment by snail mail!

First Things First

About a decade ago, I attended a training session at the Virginia State Police training center conducted by James D. Ratley, then the training director for the ACFE. The training session contained some valuable advice for CFE’s and forensic accountants on immediate do’s and don’ts if an examiner strongly suspects the presence of employee perpetrated financial fraud within a client’s organization. Mr. Ratley’s counsel is as relevant today as it was then.

Ratley advised that every significant employee matter (whether a theft is involved or not) requires thoughtful examiner deliberation before any action is taken, since hasty moves will likely prove detrimental to both the investigator and to the client company. Consequently, knowing what should not be done if fraud is suspected is often more important to an eventual successful outcome than what should be done.

First, the investigator should not initially confront the employee with his or her suspicions until the investigator has first taken several important preliminary investigative steps.  Even when those steps have been taken, it may prove necessary to use a different method of informing the employee regarding her status, imminent material harm notwithstanding. False (or even valid) accusations can lead to defamation lawsuits or at the very least to an extremely uncomfortable work environment. The hasty investigator or management could offend an innocent person by questioning her integrity; consequently, your client company may never be able to regain that person’s trust or prior level of commitment. That downside is just one example of the collateral damage that can result from a fraud. Even if the employee is ultimately found to be guilty, an investigator’s insinuation gives him or her time to alter records and conceal the theft, and perhaps even siphon off more assets. It takes only a moment for an experienced person to erase a computer’s hard drive and shred documents. Although, virtually all business records can be reconstructed, reconstruction is a costly and time-consuming process that always aggravates an already stressful situation.

Second, as a rule, never terminate or suspend the suspect employee until the preliminary investigative steps referred to above have been taken.  The desire on the part of management to take decisive action is understandable, but hasty actions may be detrimental to the subsequent investigation and to the company. Furthermore, there may be certain advantages to continuing the person’s employment status for a brief period because his or her continued status might compel the suspect to take certain actions to your client’s or to the investigation’s benefit. This doesn’t apply to government employees since, unlike private sector employees, they cannot be compelled to participate in the investigation. There can be occasions, however, where it is necessary to immediately terminate the employee. For example, employees who serve in a position whose continued employment could put others at risk physically, financially, or otherwise may need to be terminated immediately. Such circumstances are rare, but if they do occur, management (and the CFE) should document the entire process and advise corporate counsel immediately.

Third, again, as a rule, the investigator should never share her initial suspicions with other employees unless their assistance is crucial, and then only if they are requested to maintain strict confidentiality.  The CFE places an arduous burden on anyone in whom s/he has confided. Asking an employee to shoulder such responsibilities is uncharted territory for nearly anyone (including for the examiner) and can aggravate an already stressful situation. An examiner may view the confidence placed in an employee as a reflection of his and management’s trust. However, the employee may view the uninvited responsibility as taking sides with management at the expense of his relationship with other employees. Consequently, this step should be taken only if necessary and, again, after consultation with counsel and management.

Regarding the do’s, Ratley recommended that the instant that an employee fraud matter surfaces, the investigator should begin continuous documentation of all pertinent investigation-related actions taken. Such documentation includes a chronological, written narrative composed with as much specificity as time permits. Its form can take many shapes, such as handwritten notes, Microsoft Word files, spreadsheets, emails to yourself or others, and/or relevant data captured in almost any other reproducible medium. This effort will, of course, be time consuming for management but is yet another example of the collateral damage resulting from almost any employee fraud. The documentation should also reference all direct and related costs and expenses incurred by the investigator and by the client company. This documentation will support insurance claims and be vital to a subsequent restitution process.  Other collateral business damages, such as the loss of customers, suppliers, or the negative fiscal impact on other employees may also merit documentation as appropriate.

Meetings with corporate counsel are also an important do.  An employee fraud situation is complex and fraught with risk for the investigator and for the client company. The circumstances can require broad and deep expertise in employment law, criminal law, insurance law, banking law, malpractice law, and various other legal concentrations. Fortunately, most corporate attorneys will acknowledge when they need to seek additional expertise beyond their own experience since a victim company counsel specializing in corporate matters may have little or no background in matters of fraud. Acknowledgment by an attorney that s/he needs additional expertise is a testament to his or her integrity. Furthermore, the client’s attorney may contribute value by participating throughout the duration of the investigation and possible prosecution and by bringing to bear his or her cumulative knowledge of the company to the benefit of the organization.

Next, depending on the nature of the fraud and on the degree of its fiscal impact, CFEs should meet with the client’s CPA firm but exercise caution. The client CPA may be well versed in their involvement with your client through their work on income taxes, audit, review, and compilations, but not in forensic analysis or fraud examination. Larger CPA firms may have departments that they claim specialize in financial forensics; the truth is that actual experience in these matters can vary widely. Furthermore, remember that the situation occurred under your client CPA’s watch, so the firm may not be free of conflict.

Finally, do determine from management as early as possible the range of actions it might want to take with respect to the suspect employee if subsequent investigation confirms the suspicion that fraud has indeed occurred.  Deciding how to handle the matter of what to do with the employee by relying upon advice from management and from the legal team can be quite helpful in shaping what investigative steps are taken subsequently. Ratley pointed out that the level and availability of evidence often drive actions relating to the suspect. For example, the best course of action for management may be to do nothing immediately, to closely monitor and document the employee’s activities, to suspend the employee with pay, or immediately terminate the suspect’s employment. There may be valid reasons to exercise any one of these options.

Let’s say the CFE is advised by management to merely monitor and document the employee’s activities since the CFE currently lacks sufficient evidence to suspend or terminate the employee immediately. The CFE and the client’s IT operation could both be integral parts of this option by designing a plan to protect the client from further loss while the investigation continues behind the scenes. The investigation can take place after hours or under the guise of an “efficiency audit,” “business planning,” or other designation. In any case, this option will probably require the investigator to devote substantial time to observe the employee and to concurrently conduct the investigation.  The CFE will either assemble sufficient evidence to proceed or conclude there is inadequate substantiation to support the accusation.

A fraud is a devastating event for any company but Mr. Ratley’s guidance about the first steps in an investigation of employee perpetrated financial fraud can help minimize the damage.  He concluded his remarks by making two additional points; first, few executives are familiar by experience with situations that require CFE or forensic accountant expertise; consequently, their often-well-meaning actions when confronted with the actuality of a fraud can result in costly mistakes regarding time, money and people. Although many such mistakes can be repaired given sufficient money and time, they are sometimes devastating and irrecoverable.  Second, attorneys, accountants and others in the service professions frequently lack sufficient experience to recognize the vast differences between civil and criminal processes.  Consequently, these professionals often can provide the best service to their corporate clients by referring and deferring to more capable fraud examination specialists like certified fraud examiners and experienced forensic accountants.

Bribery & Deferred Prosecution

Between January and February 2015, a prominent trade organization focusing on American attorneys conducted a survey of 243 Chief Legal Officers of global companies to assess the corporate counsel’s opinion regarding the greatest threats to their organization’s growth. Respondents were asked to rank their top three concerns. Not surprisingly, economic uncertainty was at the top of the list with 57% of the respondents ranking it in their top three. The unexpected finding was that 53% of the respondents named regulatory compliance and enforcement as a top concern as well.

When asked to specify which laws caused them the most concern 28% identified the Foreign Corrupt Practices Act and 15% identified the UK Bribery Act. This means 43% of the respondents named anti-bribery laws as one of their top three concerns, more than any other law or regulation identified. When asked about the resources spent on regulatory compliance and enforcement, the response was also surprising as only 38% of the corporate counsel who identified regulatory compliance and enforcement as a threat, are expending resources to address the threat. As a follow up to the 2015 survey, the same organization conducted a second survey in early 2017 to gain further insight into corporate counsels’ ability to address regulatory and compliance threats. This time 256 respondents were surveyed, 62% of whom stated that their organization is designing or building some type of robust internal compliance program. Although this is movement in the right direction, over a third of the organizations surveyed still may not be prepared to detect or deter bribery and corruption. Most significantly, they will not be prepared to meet government expectations if a violation occurs and self-reporting is required. Lastly, 54% of the respondents stated that they are building or expanding their in-house systems to address this threat. Many believe that compliance technology is the appropriate answer as regulators prefer technical solutions to these problems, because they are viewed to be sophisticated and ‘state of the art’.

This research should be of special interest to all CFEs because we work so frequently with corporate counsels, but indeed, to assurance professionals in general who like fraud examiners are on the front line in the fight against corruption.

The Foreign Corrupt Practices Act (FCPA) was enacted in 1977 but aggressive enforcement did not really pick up until around 2005 when there were twelve enforcement actions.  The purpose of the FCPA was to prevent the bribery of foreign government officials when negotiating overseas contracts. The FCPA imposes heavy fines and penalties for both organizations and individuals. The two major provisions address: 1) bribery violations and 2) improper books and records and/or having inadequate internal controls. Methods of enforcement and interpretation of the law in the US have continued to evolve over the years.

The FCPA created questions of definition and interpretation, i.e., Who is a “foreign official?” What is the difference between a “facilitation” payment and a bribe? Who is considered a third party? How does the government define adequate internal controls to detect and deter bribery and corruption?

The enactment of the United Kingdom (UK) Bribery Act in July 2010 was the first attempt at an anti-bribery law to address some of these issues. The UK Bribery Act introduced the concept of adequate procedures, that if followed could allow affirmative defense for an organization if investigated for bribery. The UK Bribery Act recommended several internal controls for combating bribery and introduced the incentive of a more favorable result for those who could document compliance. These controls include:

• Established anti-bribery procedures
• Top level commitment to prevent bribery
• Periodic and documented risk assessments
• Proportionate due diligence
• Communication of bribery prevention policies and procedures
• Monitoring of anti-bribery procedures

The concept of an affirmative defense for adequate procedures creates quite a contrast to FCPA which only offers affirmative defense for payments of bona fide expenses or small gifts within the legal limits of the foreign countries involved.

The UK Bribery Act equated all facilitation and influence payments to bribery. Finally, the UK Bribery Act dealt with the problem of defining a foreign official by making it illegal to bribe anyone regardless of government affiliation. Several countries such as Russia, Canada and Brazil have enacted or updated their anti-bribery regulations to parallel the guidelines presented in the UK Bribery Act. The key to the effectiveness of all these acts remains enforcement.

In November 2012 the US Department of Justice and the Securities Exchange Commission released “A Resource Guide to the Foreign Corrupt Practices Act.” The guide book introduced several hallmarks of an effective compliance program. The Resource Guide provided companies with the tools to demonstrate a proactive approach to deter bribery and corruption. Companies in compliance may receive some consideration during the fines and penalty stage.

The guide’s hallmarks include:

• Establish a code of conduct that specifically addresses the risk of bribery and corruption.
• Set the tone by designating a Chief Compliance Officer to oversee all anti-bribery and corruption activities.
• Training all employees to be thoroughly prepared to address bribery and corruption risk.
• Perform risk assessments of potential bribery and corruption pitfalls by geography and industry.
• Review the anti-corruption program annually to assess the effectiveness of policies procedures and controls.
• Perform audits and monitor foreign business operations to assure compliance with the code of conduct.
• Ensure that proper legal contractual terms exist within agreements with third parties that address compliance with anti-bribery and corruption laws and regulations.
• Investigate and respond appropriately to all allegations of bribery and corruption.
• Take proper disciplinary action for violations of anti-bribery and corruption laws and regulations.
• Perform adequate due diligence that addresses the risk of bribery and corruption of all third parties prior to entering a business relationship.

The SEC and DOJ entered into the first ever Non-Prosecution Agreement (NPA) for Foreign Corrupt Practices violations in 2013. This decision was a harbinger from the DOJ and SEC with regard to future enforcement actions. The NPA highlighted the “extensive remedial measurements and cooperation efforts” that the defendant company demonstrated during the investigation. The corporation paid only $882,000 in fines because they were able to “demonstrate a strong tone from the top and a robust anti-corruption program”.

Under a Deferred Prosecution Agreement (DPA) the DOJ files a court document charging the organization while simultaneously requesting that prosecution be deferred to allow the company to demonstrate good conduct going forward. The DPA is an agreement by the organization to: cooperate with the government, accept the factual findings of the investigation, and admit culpability if so warranted. Additionally, companies may be directed to participate in compliance and remediation efforts, e.g., a court-appointed monitor.

If the company completes the term of the DPA, the DOJ will dismiss the charges without imposing fines and penalties. Under the Non-Prosecution Agreement, the DOJ maintains the right to file charges against the organization later should the organization fail to comply. The NPA is not filed with the courts but is maintained by both the DOJ and the company and is posted on the DOJ website. Like the DPA, the organization agrees to monetary penalties, ongoing cooperation, admission to relevant facts, as well as compliance and remediation of policies, procedures and controls. If the company complies with the agreement, the DOJ will drop all charges.

The key differences between a deferred prosecution case and one not featuring deferred prosecution is the initial response of the defendant company to the discovery of improper payments. In a deferred prosecution case the response usually features prompt self-reporting, full cooperation with the government and the quality of the serious remedial steps taken, including termination of implicated personnel and the modification of company behavior in the country where the violations occurred. Additionally, deferred prosecution defendants frequently discover the improper payments while in the process of enhancing their anti-bribery and corruption controls.

Originally allegations of FCPA violations were received through a company’s internal whistleblower hotline. That trend changed with the enactment of the Sarbanes Oxley Act in 2002 and the Dodd-Frank Act in 2012. These laws created other means and mechanisms for reporting suspicions of illegal activity and provided protections from retaliation against whistleblowers. The Dodd-Frank Act also has monetary incentives of 10% to 30% of the amounts recovered by the government to encourage whistleblowers to come forward. Companies considering whether to disclose potential anti-corruption problems to the SEC must now consider the possibility that a potential whistleblower may report it first to the government thus creating greater liability for the organization.

In conclusion, according to recent reporting by the ACFE, corporate compliance programs continue to mature, and are now accepted as a cost of conducting business in a global marketplace. The US government continues to clarify its expectations about corporate responsibility at home and abroad and works with international partners and their compliance programs. Increased cooperation between the public and private sectors to address these issues will assist in leveling the playing field in the global marketplace. Non-government and civil society organizations, i.e. World Bank and Transparency International play a key role in this effort. These organizations set standards, apply pressure on foreign governments to enact stricter anti-bribery and corruption laws, and enforce those laws. Coordination and cooperation among government, business and civil entities like the ACFE, reduce the incidences of bribery and corruption and increase opportunities for companies to compete fairly and ethically in the global marketplace.

Basic Cash Concealment Strategies

One of the topics in which readers of this blog have expressed consistent interest over the years regards the many strategies of cash asset concealment employed by fraudsters; especially by embezzlers of relatively small sums from employers, who seem particularly creative at such manipulations.  Regardless of the method used to hide ill-gotten assets, one fact remains constant; proceeds from illicit activities must be disguised in some way to avoid being discovered. Those the ACFE dubs ‘asset hiders’ have developed many sophisticated techniques for working the system and accomplishing the goal of concealing their gains; in attempting to track down and recover secret stores of cash, the fraud examiner is presented with a true challenge, and the first step in meeting this challenge is to understand how asset hiders work. This post will concentrate on the concealment of raw cash.

There are three primary ways to hide cash assets. They are:

— Currency hoards;
— Cashier’s checks and traveler’s checks;
— Deposits to financial institutions.

The most basic method for hiding cash is the currency hoard, in which a person simply stores cash in a hidden location, usually in his or her home or on her property. This is the proverbial ‘cash under the mattress’ technique. In a typical home, hiding places for currency or other valuables can range from the obvious to the ingenious.

For example, precious metals and jewelry can easily be hidden in a layer of cooking grease at the bottom of a pot. The space beneath the bottom drawer of bureaus, chests, and cabinets is also a commonly used hiding place. Loose bricks in the wall or fireplace can disguise small spaces for hiding things. A more complex scheme is to build a false ceiling below the original ceiling and then use the space between the two as a hiding place.

Another place to hoard currency is in furniture. The hollow spaces of upholstered furniture make these pieces a good hiding place. Many people find false bottoms in drawers or inside stereo speakers useful places for hiding cash.

The basic structure of the home itself provides many opportunities for creating hiding places. One of the most common spots for hiding objects is in the walls. Cunning hiders may construct false walls in closets or pantries, or they may build large cavities into a wall, which is then covered with a mirror or a painting. Installing false light switch plates and electrical outlets provides easy access to spaces between walls and generally appear quite normal, although amateurs often leave tell-tale marks on the plate screws. These marks often provide searchers with signs of tampering and can lead to the discovery of a cache. An even simpler method is to hide currency inside the electrical boxes behind real electrical plates. If a larger space is needed, hiders sometimes remove the box from the wall and build a shelf below it. Significant amounts of currency can be hidden in these spaces. Currency hoards can also be hidden above ceiling light boxes in the space below the attic.

The plumbing system provides other natural hiding places. For example, many bathrooms have access holes under the sink, which are usually covered with a removable chrome disk. These access holes are designed so a cleaning ‘snake’ can be inserted into the main drain when the lines are clogged. This space is easily utilized as a hiding space. Floor drains are also used for hiding currency. Excellent hiding places can be created by installing false pipes that appear to be part of the home’s plumbing. Some individuals hide objects and money in shower curtain rods. Other places frequently used for hiding are air ducts, doors, and stairways. Heating and cooling system ducts are generally easy to access and have plenty of empty space. Hollow core doors are easily rigged for hiding. The top surface of the door can simply be cut away, allowing access to the natural secret compartment inside. Enclosed staircases have dead space underneath that is accessible. If the staircase is not enclosed, there may be usable space for small objects behind each of the risers. Stairs can be hinged, creating a hidden compartment underneath.

Cashier’s and traveler’s checks are another method used to hide assets. These instruments are useful for several reasons:

–They allow asset hiders to easily disguise their financial dealings from asset seekers like law enforcement, CFEs and forensic accountants;
–They help disguise the asset hider’s financial dealings and reduce the amount of currency physically carried;
–Cashier’s checks or traveler’s checks in denominations of less than $10,000 are negotiable financial instruments that can be exchanged almost any place in the world.

Whilst efforts to control the use of wire transfers for money laundering have traditionally been focused on banks, examiners also need to be aware that there are non-bank money transmitters that fraudsters often use to conceal cash assets.  These non-bank transmitters specialize in money transfers for individuals rather than businesses. In addition to other services, most non-bank transmitters sell money orders and traveler’s checks. These companies range from large international enterprises like Western Union to small mom-and-pop neighborhood check cashing businesses.

There are several reasons fraudsters like using non-bank transmitters. First, non-bank transmitters allow individuals to cash personal checks or wire money to family members nationally or in other countries. Check cashing companies and other sellers of money orders, such as convenience stores and grocery stores, provide a much-needed service to people without bank accounts. Second, non-bank transmitters allow individuals to obtain many individual traveler’s checks and money orders in amounts less than $10,000 each. Most states regulate check cashing and the sale of money orders with licensing and bonding requirements. The Money Laundering Suppression Act of 1994 required all money transmitters to register with the U.S. Department of Treasury. Furthermore, like other financial institutions, these businesses are required to file currency transaction reports (CTRs) for transactions of $10,000 or more in currency and coins, and they are required to file Suspicious Activity Reports (SARs) with the Treasury Department for certain classes of suspect transactions.

Check cashing companies have been known to receive illegally earned or stolen currency and use it to cash legitimate checks for their customers, thus avoiding CTRs or to structure transmittals by issuing multiple traveler’s checks and money orders for less than $10,000 each. Third, the transactions of non-bank transmitters will not trigger a mechanism for identifying unreported cash. Although money transmitters are classified as financial institutions, they are not depository institutions but operate through accounts with commercial banks. And, unlike bank accounts, which contain copies of deposits and canceled checks used in locating assets, non-bank money transmitters do not maintain copies of deposits and canceled checks. Unless the money order or traveler’s check appears in the financial records of the asset hider, it will likely go undetected since there is no place for the investigator to begin a search. However, once a money order or traveler’s check has been specifically identified, it can be traced back like any other financial instrument.

Banks and other financial institutions are frequently utilized by secrecy seekers as vehicles for hiding or disguising currency. The methods used may be as simple as renting a safe-deposit box and storing currency or valuables inside.  Searching the safe-deposit box of a suspected embezzler for evidence is not easily accomplished. It requires a court order. But; even if access to the box is denied, the investigator in a hidden asset case can often make educated guesses as to the contents by observing the movements of the hider. For instance, if the subject makes a visit to her safe-deposit box after attending an antique jewelry collector’s exposition, the examiner could surmise a collection of jewelry items is stored therein. Trips made to a safe-deposit box before foreign travel may indicate that the hider is moving money from his or her native country to a foreign location.

The banking system is, without question, the most important vehicle of both lawful and unlawful financial transactions. While most bankers are not active participants in asset hiding, it can be extremely difficult to distinguish between legitimate transactions and those conducted by secrecy seekers. Some bankers even prefer to close their eyes to the sources of their deposits and, in doing so, knowingly accept tainted funds. It’s important to understand how secrecy seekers use bank deposits and funds transfers to hide assets.  For the examiner, it’s important to know that most large banks have computer programs that can retrieve a specific wire transfer record. Many medium-sized banks cannot electronically retrieve specific wire data more than a month old, and some banks would have to search manually for records. However, even small banks usually send their international money transfers through one of the large Money Center banks, thus creating a record. Many large banks have enhanced their record-keeping systems to assure themselves and bank regulators that they are in full compliance with the Bank Secrecy Act. Some institutions have systems that monitor the wire transfer activity of certain accounts and generate periodic reports highlighting the consolidation of incoming wires followed by an outgoing wire transfer. Most of these systems are designed to monitor only customer accounts and do not record funds transfer services provided for non-depositors for which the bank serves only as an intermediary.

To conduct a successful wire transfer search, the examiner should have as much information as possible relating to the transfer in question when contacting the appropriate entity. Having the following information on hand will help make the search much more efficient:

— Date of transfer
— Amount of transfer
— Names of sending and receiving institutions
— Routing numbers of sending and receiving institutions
— Identity of sender and designated receiver
— Input sequence and/or output sequence

While most banks do not actively participate in fraudulent transfers, some signs for the examiner that could indicate collusion between a bank and its customer are:
— Allowing clients whose funds are not of foreign origin to make investments limited to foreigners;
— Acting without power of attorney to allow clients to manage investments or to transmit funds
on behalf of foreign-registered companies or local companies acting as laundries;
— Participating in sequential transactions that fall under the government reporting thresholds;
–Allowing telephone transfers of funds without written authorization and failing to keep a record of such transfers;
— Entering false foreign account number designations with regard to wire transfers.