Category Archives: Data Analytics

Bye-Bye Money

Miranda had responsibility for preparing personnel files for new hires, approval of wages, verification of time cards, and distribution of payroll checks. She “hired” fictitious employees, faked their records, and ordered checks through the payroll system. She deposited some checks in several personal bank accounts and cashed others, endorsing all of them with the names of the fictitious employees and her own. Her company’s payroll function created a large paper trail of transactions among which were individual earnings records, W-2 tax forms, payroll deductions for taxes and insurance, and Form 941 payroll tax reports. She mailed all the W-2 forms to the same post office box.

Miranda stole $160,000 by creating some “ghosts,” usually 3 to 5 out of 112 people on the payroll and paying them an average of $650 per week for three years. Sometimes the ghosts quit and were later replaced by others. But she stole “only” about 2 percent of the payroll funds during the period.

A tip from a fellow employee received by the company hotline resulted in the engagement of Tom Hudson, CFE.  Tom’s objective was to obtain evidence of the existence and validity of payroll transactions on the control premise that different people should be responsible for hiring (preparing personnel files), approving wages, and distributing payroll checks. “Thinking like a crook” lead Tom to readily see that Miranda could put people on the payroll and obtain their checks just as the hotline caller alleged. In his test of controls Tom audited for transaction authorization and validity. In this case random sampling was less likely to work because of the small number of alleged ghosts. So, Tom looked for the obvious. He selected several weeks’ check blocks, accounted for numerical sequence (to see whether any checks had been removed), and examined canceled checks for two endorsements.

Tom reasoned that there may be no “balance” to audit for existence/occurrence, other than the accumulated total of payroll transactions, and that the total might not appear out of line with history because the tipster had indicated that the fraud was small in relation to total payroll and had been going on for years.  He decided to conduct a surprise payroll distribution, then followed up by examining prior canceled checks for the missing employees and then scan personnel files for common addresses.

Both the surprise distribution and the scan for common addresses quickly provided the names of 2 or 3 exceptions. Both led to prior canceled checks (which Miranda had not removed and the bank reconciler had not noticed), which carried Miranda’s own name as endorser. Confronted, she confessed.

The major risks in any payroll business cycle are:

•Paying fictitious “employees” (invalid transactions, employees do not exist);

• Overpaying for time or production (inaccurate transactions, improper valuation);

•Incorrect accounting for costs and expenses (incorrect classification, improper or inconsistent presentation and disclosure).

The assessment of payroll system control risk normally takes on added importance because most companies have fairly elaborate and well-controlled personnel and payroll functions. The transactions in this cycle are numerous during the year yet result in lesser amounts in balance sheet accounts at year-end. Therefore, in most routine outside auditor engagements, the review of controls, test of controls and audit of transaction details constitute the major portion of the evidence gathered for these accounts. On most annual audits, the substantive audit procedures devoted to auditing the payroll-related account balances are very limited which enhances fraud risk.

Control procedures for proper segregation of responsibilities should be in place and operating. Proper segregation involves authorization (personnel department hiring and firing, pay rate and deduction authorizations) by persons who do not have payroll preparation, paycheck distribution, or reconciliation duties. Payroll distribution (custody) is in the hands of persons who do not authorize employees’ pay rates or time, nor prepare the payroll checks. Recordkeeping is performed by payroll and cost accounting personnel who do not make authorizations or distribute pay. Combinations of two or more of the duties of authorization, payroll preparation and recordkeeping, and payroll distribution in one person, one office, or one computerized system may open the door for errors and frauds. In addition, the control system should provide for detail control checking activities.  For example: (1) periodic comparison of the payroll register to the personnel department files to check hiring authorizations and for terminated employees not deleted, (2) periodic rechecking of wage rate and deduction authorizations, (3) reconciliation of time and production paid to cost accounting calculations, (4) quarterly reconciliation of YTD earnings records with tax returns, and (5) payroll bank account reconciliation.

Payroll can amount to 40 percent or more of an organization’s total annual expenditures. Payroll taxes, Social Security, Medicare, pensions, and health insurance can add several percentage points in variable costs on top of wages. So, for every payroll dollar saved through forensic identification, bonus savings arise automatically from the on-top costs calculated on base wages. Different industries will exhibit different payroll risk profiles. For example, firms whose culture involves salaried employees who work longer hours may have a lower risk of payroll fraud and may not warrant a full forensic approach. Organizations may present greater opportunity for payroll fraud if their workforce patterns entail night shift work, variable shifts or hours, 24/7 on-call coverage, and employees who are mobile, unsupervised, or work across multiple locations. Payroll-related risks include over-claimed allowances, overused extra pay for weekend or public holiday work, fictitious overtime, vacation and sick leave taken but not deducted from leave balances, continued payment of employees who have left the organization, ghost employees arising from poor segregation of duties, and the vulnerability of data output to the bank for electronic payment, and roster dysfunction. Yet the personnel assigned to administer the complexities of payroll are often qualified by experience than by formal finance, legal, or systems training, thereby creating a competency bias over how payroll is managed. On top of that, payroll is normally shrouded in secrecy because of the inherently private nature of employee and executive pay. Underpayment errors are less probable than overpayment errors because they are more likely to be corrected when the affected employees complain; they are less likely to be discovered when employees are overpaid. These systemic biases further increase the risk of unnoticed payroll error and fraud.

Payroll data analysis can reveal individuals or entire teams who are unusually well-remunerated because team supervisors turn a blind eye to payroll malpractice, as well as low-remunerated personnel who represent excellent value to the organization. For example, it can identify the night shift worker who is paid extra for weekend or holiday work plus overtime while actually working only half the contracted hours, or workers who claim higher duty or tool allowances to which they are not entitled. In addition to providing management with new insights into payroll behaviors, which may in turn become part of ongoing management reporting, the total payroll cost distribution analysis can point forensic accountants toward urgent payroll control improvements.

The detail inside payroll and personnel databases can reveal hidden information to the forensic examiner. Who are the highest earners of overtime pay and why? Which employees gained the most from weekend and public holiday pay? Who consistently starts late? Finishes early? Who has the most sick leave? Although most employees may perform a fair day’s work, the forensic analysis may point to those who work less, sometimes considerably less, than the time for which they are paid. Joined-up query combinations to search payroll and human resources data can generate powerful insights into the organization’s worst and best outliers, which may be overlooked by the data custodians. An example of a query combination would be: employees with high sick leave + high overtime + low performance appraisal scores + negative disciplinary records. Or, reviewers could invert those factors to find the unrecognized exemplary performers.

Where predication suggests fraud concerns about identified employees, CFEs can add value by triangulating time sheet claims against external data sources such as site access biometric data, company cell phone logs, phone number caller identification, GPS data, company email, Internet usage, company motor fleet vehicle tolls, and vehicle refueling data, most of which contain useful date and time-of-day parameters.  The data buried within these databases can reveal employee behavior, including what they were doing, where they were, and who they were interacting with throughout the work day.

Common findings include:

–Employees who leave work wrongfully during their shift;
–Employees who work fewer hours and take sick time during the week to shift the workload to weekends and public holidays to maximize pay;
–Employees who use company property excessively for personal purposes during working hours;
–Employees who visit vacation destinations while on sick leave;
–Employees who take leave but whose managers do not log the paperwork, thereby not deducting leave taken and overstating leave balances;
–Employees who moonlight in businesses on the side during normal working hours, sometimes using the organization’s equipment to do so.

Well-researched and documented forensic accounting fieldwork can support management action against those who may have defrauded the organization or work teams that may be taking inappropriate advantage of the payroll system. Simultaneously, CFEs and forensic accountants, working proactively, can partner with management to recover historic costs, quantify future savings, reduce reputational and political risk, improve the organization’s anti-fraud policies, and boost the productivity and morale of employees who knew of wrongdoing but felt powerless to stop it.

The Who, the What, the When

CFEs and forensic accountants are seekers. We spend our days searching for the most relevant information about our client requested investigations from an ever-growing and increasingly tangled data sphere and trying to make sense of it. Somewhere hidden in our client’s computers, networks, databases, and spreadsheets are signs of the alleged fraud, accompanying control weaknesses and unforeseen risks, as well as possible opportunities for improvement. And the more data the client organization has, the harder all this is to find.  Although most computer-assisted forensic audit tests focus on the numeric data contained within structured sources, such as financial and transactional databases, unstructured or text based data, such as e-mail, documents, and Web-based content, represents an estimated 8o percent of enterprise data within the typical medium to large-sized organization. When assessing written communications or correspondence about fraud related events, CFEs often find themselves limited to reading large volumes of data, with few automated tools to help synthesize, summarize, and cluster key information points to aid the investigation.

Text analytics is a relatively new investigative tool for CFEs in actual practice although some report having used it extensively for at least the last five or more years. According to the ACFE, the software itself stems from a combination of developments in our sister fields of litigation support and electronic discovery, and from counterterrorism and surveillance technology, as well as from customer relationship management, and research into the life sciences, specifically artificial intelligence. So, the application of text analytics in data review and criminal investigations dates to the mid-1990s.

Generally, CFEs increasingly use text analytics to examine three main elements of investigative data: the who, the what, and the when.

The Who: According to many recent studies, substantially more than a half of business people prefer using e-mail to use of the telephone. Most fraud related business transactions or events, then, will likely have at least some e-mail communication associated with them. Unlike telephone messages, e-mail contains rich metadata, information stored about the data, such as its author, origin, version, and date accessed, and can be documented easily. For example, to monitor who is communicating with whom in a targeted sales department, and conceivably to identify whether any alleged relationships therein might signal anomalous activity, a forensic accountant might wish to analyze metadata in the “to,” “from,” “cc,” or “bcc” fields in departmental e-mails. Many technologies for parsing e-mail with text analytics capabilities are available on the market today, some stemming from civil investigations and related electronic discovery software. These technologies are like the social network diagrams used in law enforcement or in counterterrorism efforts.

The What: The ever-present ambiguity inherent in human language presents significant challenges to the forensic investigator trying to understand the circumstances and actions surrounding the text based aspects of a fraud allegation. This difficulty is compounded by the tendency of people within organizations to invent their own words or to communicate in code. Language ambiguity can be illustrated by examining the word “shred”. A simple keyword search on the word might return not only documents that contain text about shredding a document, but also those where two sports fans are having a conversation about “shredding the defense,” or even e-mails between spouses about eating Chinese “shredded pork” for dinner. Hence, e-mail research analytics seeks to group similar documents according to their semantic context so that documents about shredding as concealment or related to covering up an action would be grouped separately from casual e-mails about sports or dinner, thus markedly reducing the volume of e-mail requiring more thorough ocular review. Concept-based analysis goes beyond traditional search technology by enabling users to group documents according to a statistical inference about the co-occurrence of similar words. In effect, text analytics software allows documents to describe themselves and group themselves by context, as in the shred example. Because text analytics examines document sets and identifies relationships between documents according to their context, it can produce far more relevant results than traditional simple keyword searches.

Using text analytics before filtering with keywords can be a powerful strategy for quickly understanding the content of a large corpus of unstructured, text-based data, and for determining what is relevant to the search. After viewing concepts at an elevated level, subsequent keyword selection becomes more effective by enabling users to better understand the possible code words or company-specific jargon. They can develop the keywords based on actual content, instead of guessing relevant terms, words, or phrases up front.

The When: In striving to understand the time frames in which key events took place, CFEs often need to not only identify the chronological order of documents (e.g., sorted by or limited to dates), but also link related communication threads, such as e-mails, so that similar threads and communications can be identified and plotted over time. A thread comprises a set of messages connected by various relationships; each message consists of either a first message or a reply to or forwarding of some other message in the set. Messages within a thread are connected by relationships that identify notable events, such as a reply vs. a forward, or changes in correspondents. Quite often, e-mails accumulate long threads with similar subject headings, authors, and message content over time. These threads ultimately may lead to a decision, such as approval to proceed with a project or to take some other action. The approval may be critical to understanding business events that led up to a particular journal entry. Seeing those threads mapped over time can be a powerful tool when trying to understand the business logic of a complex financial transaction.

In the context of fraud risk, text analytics can be particularly effective when threads and keyword hits are examined with a view to considering the familiar fraud triangle; the premise that all three components (incentive/pressure, opportunity, and rationalization) are present when fraud exists. This fraud triangle based analysis can be applied in a variety of business contexts where increases in the frequency of certain keywords related to incentive/pressure, opportunity, and rationalization, can indicate an increased level of fraud risk.

Some caveats are in order.  Considering the overwhelming amount of text-based data within any modern enterprise, assurance professionals could never hope to analyze all of it; nor should they. The exercise would prove expensive and provide little value. Just as an external auditor would not reprocess or validate every sales transaction in a sales journal, he or she would not need to look at every related e-mail from every employee. Instead, any professional auditor would take a risk-based approach, identifying areas to test based on a sample of data or on an enterprise risk assessment. For text analytics work, the reviewer may choose data from five or ten individuals to sample from a high-risk department or from a newly acquired business unit. And no matter how sophisticated the search and information retrieval tools used, there is no guarantee that all relevant or high-risk documents will be identified in large data collections. Moreover, different search methods may produce differing results, subject to a measure of statistical variation inherent in probability searches of any type. Just as a statistical sample of accounts receivable or accounts payable in the general ledger may not identify fraud, analytics reviews are similarly limited.

Text analytics can be a powerful fraud examination tool when integrated with traditional forensic data-gathering and analysis techniques such as interviews, independent research, and existing investigative tests involving structured, transactional data. For example, an anomaly identified in the general ledger related to the purchase of certain capital assets may prompt the examiner to review e-mail communication traffic among the key individuals involved, providing context around the circumstances and timing, of events before the entry date. Furthermore, the forensic accountant may conduct interviews or perform additional independent research that may support or conflict with his or her investigative hypothesis. Integrating all three of these components to gain a complete picture of the fraud event can yield valuable information. While text analytics should never replace the traditional rules-based analysis techniques that focus on the client’s financial accounting systems, it’s always equally important to consider the communications surrounding key events typically found in unstructured data, as opposed to that found in the financial systems.

Financing Death One BitCoin at a Time

Over the past decade, fanatic religious ideologists have evolved to become hybrid terrorists demonstrating exceptional versatility, innovation, opportunism, ruthlessness, and cruelty. Hybrid terrorists are a new breed of organized criminal. Merriam-Webster defines hybrid as “something that is formed by combining two or more things”. In the twentieth century, the military, intelligence forces, and law enforcement agencies each had a specialized skill-set to employ in response to respective crises involving insurgency, international terrorism, and organized crime. Military forces dealt solely with international insurgent threats to the government; intelligence forces dealt solely with international terrorism; and law enforcement agencies focused on their respective country’s organized crime entities. In the twenty-first century, greed, violence, and vengeance motivate the various groups of hybrid terrorists. Hybrid terrorists rely on organized crime such as money laundering, wire transfer fraud, drug and human trafficking, shell companies, and false identification to finance their organizational operations.

Last week’s horrific terror bombing in Manchester brings to the fore, yet again, the issue of such terrorist financing and the increasing role of forensic accountants in combating it. Two of the main tools of modern terror financing schemes are money laundering and virtual currency.

Law enforcement and government agencies in collaboration with forensic accountants play key roles in tracing the source of terrorist financing to the activities used to inflict terror on local and global citizens. Law enforcement agencies utilize investigative and predictive analytics tools to gather, dissect, and convey data to distinguish patterns leading to future terrorist events. Government agencies employ database inquiries of terrorist-related financial information to evaluate the possibilities of terrorist financing and activities. Forensic accountants review the data for patterns related to previous transactions by utilizing data analysis tools, which assist in tracking the source of the funds.

As we all know, forensic accountants use a combination of accounting knowledge combined with investigative skills in litigation support and investigative accounting settings. Several types of organizations, agencies, and companies frequently employ forensic accountants to provide investigative services. Some of these organizations are public accounting firms, law firms, law enforcement agencies, The Internal Revenue Service (IRS), The Central Intelligence Agency (CIA), and The Federal Bureau of Investigations (FBI).

Locating and halting the source of terrorist financing involves two tactics, following the money and drying up the money. Obstructing terrorist financing requires an understanding of both the original and supply source of the illicit funds. As the financing is derived from both legal and illegal funding sources, terrorists may attempt to evade detection by funneling money through legitimate businesses thus making it difficult to trace. Charitable organizations and reputable companies provide a legitimate source through which terrorists may pass money for illicit activities without drawing the attention of law enforcement agencies. Patrons of legitimate businesses are often unaware that their personal contributions may support terrorist activities. However, terrorists also obtain funds from obvious illegal sources, such as kidnapping, fraud, and drug trafficking. Terrorists often change daily routines to evade law enforcement agencies as predictable patterns create trails that are easy for skilled investigators to follow. Audit trails can be traced from the donor source to the terrorist by forensic accountants and law enforcement agencies tracking specific indicators. Audit trails reveal where the funds originate and whether the funds came from legal or illegal sources. The ACFE tells us that basic money laundering is a specific type of illegal funding source, which provides a clear audit trail.

Money laundering is the process of obtaining and funneling illicit funds to disguise the connection with the original unlawful activity. Terrorists launder money to spend the unlawfully obtained money without drawing attention to themselves and their activities. To remain undetected by regulatory authorities, the illicit funds being deposited or spent need to be washed to give the impression that the money came from a seemingly reputable source. There are types of unusual transactions that raise red flags associated with money laundering in financial institutions. The more times an unusual transaction occurs, the greater the probability it is the product of an illicit activity. Money laundering may be quite sophisticated depending on the strategies employed to avoid detection. Some identifiers indicating a possible money-laundering scheme are: lack of identification, money wired to new locations, customer closes account after wiring or transferring copious amounts of money, executed out-of-the-ordinary business transactions, executed transactions involving the customer’s own business or occupation, and executed transactions falling just below the threshold trigger requiring the financial institution to file a report.

Money laundering takes place in three stages: placement, layering, and integration. In the placement stage, the cash proceeds from criminal activity enter the financial system by deposit. During the layering stage, the funds transfer into other accounts, usually offshore financial institutions, thus creating greater distance between the source and origin of the funds and its current location. Legitimate purchases help funnel the money back into the economy during the integration stage, the final stage.

Complicating all this is for the investigator is virtual currency. Virtual currency, unlike traditional forms of money, does not leave a clear audit trail for forensic accountants to trace and investigate. Cases involving the use of virtual currency, i.e. Bitcoins and several rival currencies, create anonymity for the perpetrator and create obstacles for investigators. Bitcoins have no physical form and provide a unique opportunity for terrorists to launder money across international borders without detection by law enforcement or government agencies. Bitcoins are long strings of numbers and letters linked by mathematical encryption algorithms. A consumer uses a mobile phone or computer to create an online wallet with one or more Bitcoin addresses before commencing electronic transactions. Bitcoins may also be used to make legitimate purchases through various, established online retailers.

Current international anti-money laundering laws aid in fighting the war against terrorist financing; however, international laws require actual cash shipments between countries and criminal networks (or at the very least funds transfers between banks). International laws are not applicable to virtual currency transactions, as they do not consist of actual cash shipments. According to the website, “Bitcoin uses peer-to-peer technology to operate with no central authority or banks”.

In summary, terrorist organizations find virtual currency to be an effective method for raising illicit funds because, unlike cash transactions, cyber technology offers anonymity with less regulatory oversight. Due to the anonymity factor, Bitcoins are an innovative and convenient way for terrorists to launder money and sell illegal goods. Virtual currencies are appealing for terrorist financiers since funds can be swiftly sent across borders in a secure, cheap, and highly secretive manner. The obscurity of Bitcoin allows international funding sources to conduct exchanges without a trace of evidence. This co-mingling effect is like traditional money laundering but without the regulatory oversight. Government and law enforcement agencies must, as a result, be able to share information with public regulators when they become suspicious of terrorist financing.

Forensic accounting technology is most beneficial when used in conjunction with the analysis tools of law enforcement agencies to predict and analyze future terrorist activity. Even though some of the tools in a forensic accountant’s arsenal are useful in tracking terrorist funds, the ability to identify conceivable terrorist threats is limited. To identify the future activities of terrorist groups, forensic accountants, and law enforcement agencies should cooperate with one another by mutually incorporating the analytical tools utilized by each. Agencies and government officials should become familiar with virtual currency like Bitcoins. Because of the anonymity and lack of regulatory oversight, virtual currency offers terrorist groups a useful means to finance illicit activities on an international scale. In the face of the challenge, new governmental entities may be needed to tie together all the financial forensics efforts of the different stake holder organizations so that information sharing is not compartmentalized.

RVACFES May 2017 Event Sold-Out!

On May 17th and 18th the Central Virginia ACFE Chapter and our partners, the Virginia State Police and the Association of Certified Fraud Examiners (ACFE) were joined by an over-flow crowd of audit and assurance professionals for the ACFE’s training course ‘Conducting Internal Investigations’. The sold-out May 2017 seminar was the ninth that our Chapter has hosted over the years with the Virginia State Police utilizing a distinguished list of certified ACFE instructor-practitioners.

Our internationally acclaimed instructor for the May seminar was Gerard Zack, CFE, CPA, CIA, CCEP. Gerry has provided fraud prevention and investigation, forensic accounting, and internal and external audit services for more than 30 years. He has worked with commercial businesses, not-for-profit organizations, and government agencies throughout North America and Europe. Prior to starting his own practice in 1990, Gerry was an audit manager with a large international public accounting firm. As founder and president of Zack, P.C., he has led numerous fraud investigations and designed customized fraud risk management programs for a diverse client base. Through Zack, P.C., he also provides outsourced internal audit services, compliance and ethics programs, enterprise risk management, fraud risk assessments, and internal control consulting services.

Gerry is a Certified Fraud Examiner (CFE) and Certified Public Accountant (CPA) and has focused most of his career on audit and fraud-related services. Gerry serves on the faculty of the Association of Certified Fraud Examiners (ACFE) and is the 2009 recipient of the ACFE’s James Baker Speaker of the Year Award. He is also a Certified Internal Auditor (CIA) and a Certified Compliance and Ethics Professional (CCEP).

Gerry is the author of Financial Statement Fraud: Strategies for Detection and Investigation (published 2013 by John Wiley & Sons), Fair Value Accounting Fraud: New Global Risks and Detection Techniques (2009 by John Wiley & Sons), and Fraud and Abuse in Nonprofit Organizations: A Guide to Prevention and Detection (2003 by John Wiley & Sons). He is also the author of numerous articles on fraud and teaches seminars on fraud prevention and detection for businesses, government agencies, and nonprofit organizations. He has provided customized internal staff training on specialized auditing issues, including fraud detection in audits, for more than 50 CPA firms.

Gerry is also the founder of the Nonprofit Resource Center, through which he provides antifraud training and consulting and online financial management tools specifically geared toward the unique internal control and financial management needs of nonprofit organizations. Gerry earned his M.B.A at Loyola University in Maryland and his B.S.B.A at Shippensburg University of Pennsylvania.

To some degree, organizations of every size, in every industry, and in every city, experience internal fraud. No entity is immune. Furthermore, any member of an organization can carry out fraud, whether it is committed by the newest customer service employee or by an experienced and highly respected member of upper management. The fundamental reason for this is that fraud is a human problem, not an accounting problem. As long as organizations are employing individuals to perform business functions, the risk of fraud exists.

While some organizations aggressively adopt strong zero tolerance anti-fraud policies, others simply view fraud as a cost of doing business. Despite varying views on the prevalence of, or susceptibility to, fraud within a given organization, all must be prepared to conduct a thorough internal investigation once fraud is suspected. Our ‘Conducting Internal Investigations’ event was structured around the process of investigating any suspected fraud from inception to final disposition and beyond.

What constitutes an act that warrants an examination can vary from one organization to another and from jurisdiction to jurisdiction. It is often resolved based on a definition of fraud adopted by an employer or by a government agency. There are numerous definitions of fraud, but a popular example comes from the joint ACFE-COSO publication, Fraud Risk Management Guide:

Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.

However, many law enforcement agencies have developed their own definitions, which might be more appropriate for organizations operating in their jurisdictions. Consequently, fraud examiners should determine the appropriate legal definition in the jurisdiction in which the suspected offense was committed.

Fraud examination is a methodology for resolving fraud allegations from inception to disposition. More specifically, fraud examination involves:

–Assisting in the detection and prevention of fraud;
–Initiating the internal investigation;
–Obtaining evidence and taking statements;
–Writing reports;
–Testifying to findings.

A well run internal investigation can enhance a company’s overall well-being and can help detect the source of lost funds, identify responsible parties and recover losses. It can also provide a defense to legal charges by terminated or disgruntled employees. But perhaps, most importantly, an internal investigation can signal to every company employee that the company will not tolerate fraud.

Our two-day seminar agenda included Gerry’s in depth look at the following topics:

–Assessment of the risk of fraud within an organization and responding when it is identified;
–Detection and investigation of internal frauds with the use of data analytics;
–The collection of documents and electronic evidence needed during an investigation;
–The performance of effective information gathering and admission seeking interviews;
–The wide variety of legal and regulatory concerns related to internal investigations.

Gerry did his usual tremendous job in preparing the professionals in attendance to deal with every step in an internal fraud investigation, from receiving the initial allegation to testifying as a witness. The participants learned to lead an internal investigation with accuracy and confidence by gaining knowledge about topics such as the relevant legal aspects impacting internal investigations, the use of computers and analytics during the investigation, collecting and analyzing internal and external information, and interviewing witnesses and the writing of effective reports.

Industrialized Theft

In at least one way you have to hand it to Ethically Challenged, Inc.;  it sure knows how to innovate, and the recent spate of ransomware attacks proves they also know how to make what’s old new again. Although society’s criminal opponents engage in constant business process improvement, they’ve proven again and again that they’re not just limited to committing new crimes from scratch every time. In the age of Moore’s law, these tasks have been readily automated and can run in the background at scale without the need for significant human intervention. Crime automations like the WannaCry virus allow transnational organized crime groups to gain the same efficiencies and cost savings that multinational corporations obtained by leveraging technology to carry out their core business functions. That’s why today it’s possible for hackers to rob not just one person at a time but 100 million or more, as the world saw with the Sony PlayStation and Target data breaches and now with the WannaCry worm.

As covered in our Chapter’s training event of last year, ‘Investigating on the Internet’, exploit tool kits like Blackhole and SpyEye commit crime “automagically” by minimizing the need for human labor, thereby dramatically reducing criminal costs. They also allow hackers to pursue the “long tail” of opportunity, committing millions of thefts in small amounts so that (in many cases) victims don’t report them and law enforcement has no way to track them. While high-value targets (companies, nations, celebrities, high-net-worth individuals) are specifically and individually targeted, the way the majority of the public is hacked is by automated scripted computer malware, one large digital fishing net that scoops up anything and everything online with a vulnerability that can be exploited. Given these obvious advantages, as of 2016 an estimated 61 percent of all online attacks were launched by fully automated crime tool kits, returning phenomenal profits for the Dark Web overlords who expertly orchestrated them. Modern crime has become reduced and distilled to a software program that anybody can run at tremendous profit.

Not only can botnets and other tools be used over and over to attack and offend, but they’re now enabling the commission of much more sophisticated crimes such as extortion, blackmail, and shakedown rackets. In an updated version of the old $500 million Ukrainian Innovative Marketing solutions “virus detected” scam, fraudsters have unleashed a new torrent of malware that hold the victim’s computer hostage until a ransom is paid and an unlock code is provided by the scammer to regain access to the victim’s own files. Ransomware attack tools are included in a variety of Dark Net tool kits, such as WannaCry and Gameover Zeus. According to the ACFE, there are several varieties of this scam, including one that purports to come from law enforcement. Around the world, users who become infected with the Reveton Trojan suddenly have their computers lock up and their full screens covered with a notice, allegedly from the FBI. The message, bearing an official-looking large, full-color FBI logo, states that the user’s computer has been locked for reasons such as “violation of the federal copyright law against illegally downloaded material” or because “you have been viewing or distributing prohibited pornographic content.”

In the case of the Reveton Trojan, to unlock their computers, users are informed that they must pay a fine ranging from $200 to $400, only accepted using a prepaid voucher from Green Dot’s MoneyPak, which victims are instructed they can buy at their local Walmart or CVS; victims of WannaCry are required to pay in BitCoin. To further intimidate victims and drive home the fact that this is a serious police matter, the Reveton scammers prominently display the alleged violator’s IP address on their screen as well as snippets of video footage previously captured from the victim’s Webcam. As with the current WannaCry exploit, the Reveton scam has successfully targeted tens of thousands of victims around the world, with the attack localized by country, language, and police agency. Thus, users in the U.K. see a notice from Scotland Yard, other Europeans get a warning from Europol, and victims in the United Arab Emirates see the threat, translated into Arabic, purportedly from the Abu Dhabi Police HQ.

WannaCry is even more pernicious than Reveton though in that it actually encrypts all the files on a victim’s computer so that they can no longer be read or accessed. Alarmingly, variants of this type of malware often present a ticking-bomb-type countdown clock advising users that they only have forty-eight hours to pay $300 or all of their files will be permanently destroyed. Akin to threatening “if you ever want to see your files alive again,” these ransomware programs gladly accept payment in Bitcoin. The message to these victims is no idle threat. Whereas previous ransomware might trick users by temporarily hiding their files, newer variants use strong 256-bit Advanced Encryption Standard cryptography to lock user files so that they become irrecoverable. These types of exploits earn scores of millions of dollars for the criminal programmers who develop and sell them on-line to other criminals.

Automated ransomware tools have even migrated to mobile phones, affecting Android handset users in certain countries. Not only have individuals been harmed by the ransomware scourge, so too have companies, nonprofits, and even government agencies, the most infamous of which was the Swansea Police Department in Massachusetts some years back, which became infected when an employee opened a malicious e-mail attachment. Rather than losing its irreplaceable police case files to the scammers, the agency was forced to open a Bitcoin account and pay a $750 ransom to get its files back. The police lieutenant told the press he had no idea what a Bitcoin was or how the malware functioned until his department was struck in the attack.

As the ACFE and other professional organizations have told us, within its world, cybercrime has evolved highly sophisticated methods of operation to sell everything from methamphetamine to child sexual abuse live streamed online. It has rapidly adopted existing tools of anonymity such as the Tor browser to establish Dark Net shopping malls, and criminal consulting services such as hacking and murder for hire are all available at the click of a mouse. Untraceable and anonymous digital currencies, such as Bitcoin, are breathing new life into the underground economy and allowing for the rapid exchange of goods and services. With these additional revenues, cyber criminals are becoming more disciplined and organized, significantly increasing the sophistication of their operations. Business models are being automated wherever possible to maximize profits and botnets can threaten legitimate global commerce, easily trained on any target of the scammer’s choosing. Fundamentally, it’s been done. As WannaCry demonstrates, the computing and Internet based crime machine has been built. With these systems in place, the depth and global reach of cybercrime, mean that crime now scales, and it scales exponentially. Yet, as bad as this threat is today, it is about to become much worse, as we hand such scammers billions of more targets for them to attack as we enter the age of ubiquitous computing and the Internet of Things.

On Business Process Flow

During the last few years attention has increasingly turned to consideration of client critical business processes functioning as a unified whole as a focus of both risk assessment and fraud prevention efforts.  As result of this attention has come the accompanying realization that superior design of individual business processes is not only critical to the success of the overall organization but to its fraud prevention effort as well. For example, take bid preparation, a process that is usually conducted under time pressure, and requires cross-organizational coordination involving the finance, marketing and production departments. If this process is badly designed, it may slow down processing and lead to late submission of the bid or to an inadequately organized bid, reducing the chances of winning the tender, all outcomes that increase the risk of the emergence of irregularities and perhaps even to the enhanced facilitation of actual fraud. 

An additional realization has been that business processes require process based management.  As CFE’s, our client organizations are usually divided into functional units (e.g., finance, marketing). Many business processes, however, like the bid process, are cross-organizational, involving several functions within the organization.  A raw material purchasing process flows through the warehouse, logistics, purchasing and finance functions. Although each unit may function impeccably independently, the process may be impaired due to a lack of coordination among the units. To prevent the obvious fraud vulnerabilities related to this problem, the ACFE emphasizes the need to manage the business process fraud prevention effort end to end. This includes appointing a process owner; setting performance standards (e.g., time, quality, cost); and establishing (and risk assessing) the control, monitoring and measurement of all the processes at work. 

In the modern business world, change is constantly occurring; admirable as this fact is from an innovation perspective, anything that creates change, especially rapid change, can constitute opportunity for the ethically challenged.  Despite this and associated risks, to ensure its competitiveness, the organization must continuously improve and adapt its business processes. Automated processes based on information systems are usually more difficult and expensive to change than manual processes (of which there are fewer left every day). Modifications to traditional program code require time and human resources, resulting in delays and high costs. Hence, to maintain business agility, automating business processes requires a technology that supports rapid modifications and often, less management oversight and control and more vulnerability to fraud. 

Any business that is successful over the long term has most likely performed some kind of risk assessment, and had some success at managing business risks. Managers of successful entities have thought out what risks could have a significant negative impact on their ability to successfully execute the business plan, or even just cause a substantial loss of business, and have attempted to provided mitigating activities to address those risks. With the pervasiveness of fraud and, more important, their increasing dependence on cross organizational business processes, entities have had to consider a fraud risk assessment as a sizeable portion of any fraud prevention effort. Yet, many entities struggle with the issue or, if convinced of the need to conduct an assessment across business process flows, with where to begin in performing an effective one. 

The primary focus of a cross-organizational business process fraud risk assessment is to identify risks that the totality of such business processes present to the business, i.e., adverse effects related to these processes, whether taken as a whole or individually, are not in the best interests of the entity. These risks are usually associated with business elements such as the ability to deliver the service/product efficiently and effectively, the ability to comply with regulations or contractual obligations, the effectiveness of systems (especially accounting systems and financial reporting systems), and the effective management of the entity in general (to achieve goals and objectives, to successfully achieve the business model). Weak anti-fraud controls can introduce risks in any of these areas, and more. For instance, robust anti-fraud controls can enhance the entity’s ability to sell its products over the internet, or move costs (clerical functions) from within the entity (employees) to customers outside the entity (e.g., online banking and the need to ask questions about accounts).   The bottom line is that there is a need to have an effective identification and assessment of business process risks where the risks are at a degree that is more than trivial. 

Typically, fraud risk is assessed as both a probability of occurrence and a magnitude of effect, or the product of the two. The greater that product, the more significant that risk is to the entity, and the more it needs to be mitigated. Therefore, for each cross-organizational process risk, someone is asking the questions: what is the magnitude of the identified fraud risk/failure (e.g., monetary loss)? What is the likelihood of it occurring (e.g., a percentage)? One thing the CFE can do is to obtain a copy of the client’s current risk assessment document. If management does not have one, or if it is in their head, then by default, assurance over fraud risk being properly mitigated is lowered. Another good start is to obtain the client’s business model; goals, objectives and strategies; and policies and procedures documents. A review of these documents will enable the CFE to understand where cross business process fraud risks could occur.   

Another thing the CFE should do is gain a good understanding of the loss prevention function (if there is one), including its managerial and operational aspects. Then, depending on the entity, there could be an extensive list of technologies or systems that will need to be evaluated for risk in operations. From the management side, it includes the internal audit and loss prevention staffs. A measure of the competency of staff devoted to the fraud prevention effort is a key factor. Obviously, the more competent the staff, the lower the risks associated with all the elements of operations they affect, and vice versa. 

Since traditional systems are transaction based and handle each transaction and business document separately, it’s difficult to audit processes end to end.  Therefore, in such systems proper audit trails should be designed and implemented to ensure that a chronological record of all events that have occurred is maintained.  A focus on entire business processes, by contrast, is process flow based and therefore audit trails are a built-in feature.  In automated systems featuring this type of inter-process flow, all incidents and steps of multi-business processes are documented and linked to each other in the order they occurred.  

From the access control aspect of operations, an assessment should be made as to risk of unauthorized activities. For example, do access controls sufficiently limit access to systems and supported business process flows by effective authorization and authentication controls? Does the information management test new systems and applications thoroughly before deployment? Is there a sufficient staging area so that business process flow support applications can be tested not only on a stand-alone basis but also when interfaced with other applications and whole systems? If applications are not tested, this would lead the CFE to have less assurance about mitigating fraud risks facilitated by bugs and system failures.

The focus of fraud mitigation has moved, with increasing automation, away from the simple single fraud scenario to the entire flow of the interlocking business processes constituting the modern organization and their analytic footprint. 

Analytics & Fraud Prevention

During our Chapter’s live training event last year, ‘Investigating on the Internet’, our speaker Liseli Pennings, pointed out that, according to the ACFE’s 2014 Report to the Nations on Occupational Fraud and Abuse, organizations that have proactive, internet oriented, data analytics in place have a 60 percent lower median loss because of fraud, roughly $100,000 lower per incident, than organizations that don’t use such technology. Further, the report went on, use of proactive data analytics cuts the median duration of a fraud in half, from 24 months to 12 months.

This is important news for CFE’s who are daily confronting more sophisticated frauds and criminals who are increasingly cyber based.  It means that integrating more mature forensic data analytics capabilities into a fraud prevention and compliance monitoring program can improve risk assessment, detect potential misconduct earlier, and enhance investigative field work. Moreover, forensic data analytics is a key component of effective fraud risk management as described in The Committee of Sponsoring Organizations of the Treadway Commission’s most recent Fraud Risk Management Guide, issued in 2016, particularly around the areas of fraud risk assessment, prevention, and detection.  It also means that, according to Pennings, fraud prevention and detection is an ideal big data-related organizational initiative. With the growing speed at which they generate data, specifically around their financial reporting and sales business processes, our larger CFE client organizations need ways to prioritize risks and better synthesize information using big data technologies, enhanced visualizations, and statistical approaches to supplement traditional rules-based investigative techniques supported by spreadsheet or database applications.

But with this analytics and fraud prevention integration opportunity comes a caution.  As always, before jumping into any specific technology or advanced analytics technique, it’s crucial to first ask the right risk or control-related questions to ensure the analytics will produce meaningful output for the business objective or risk being addressed. What business processes pose a high fraud risk? High-risk business processes include the sales (order-to-cash) cycle and payment (procure-to-pay) cycle, as well as payroll, accounting reserves, travel and entertainment, and inventory processes. What high-risk accounts within the business process could identify unusual account pairings, such as a debit to depreciation and an offsetting credit to a payable, or accounts with vague or open-ended “catch all” descriptions such as a “miscellaneous,” “administrate,” or blank account names?  Who recorded or authorized the transaction? Posting analysis or approver reports could help detect unauthorized postings or inappropriate segregation of duties by looking at the number of payments by name, minimum or maximum accounts, sum totals, or statistical outliers. When did transactions take place? Analyzing transaction activities over time could identify spikes or dips in activity such as before and after period ends or weekend, holiday, or off-hours activities. Where does the CFE see geographic risks, based on previous events, the economic climate, cyber threats, recent growth, or perceived corruption? Further segmentation can be achieved by business units within regions and by the accounting systems on which the data resides.

The benefits of implementing a forensic data analytics program must be weighed against challenges such as obtaining the right tools or professional expertise, combining data (both internal and external) across multiple systems, and the overall quality of the analytics output. To mitigate these challenges and build a successful program, the CFE should consider that the priority of the initial project matters. Because the first project often is used as a pilot for success, it’s important that the project address meaningful business or audit risks that are tangible and visible to client management. Further, this initial project should be reasonably attainable, with minimal dollar investment and actionable results. It’s best to select a first project that has big demand, has data that resides in easily accessible sources, with a compelling, measurable return on investment. Areas such as insider threat, anti-fraud, anti-corruption, or third-party relationships make for good initial projects.

In the health care insurance industry where I worked for many years, one of the key goals of forensic data analytics is to increase the detection rate of health care provider billing non-compliance, while reducing the risk of false positives. From a capabilities perspective, organizations need to embrace both structured and unstructured data sources that consider the use of data visualization, text mining, and statistical analysis tools. Since the CFE will usually be working as a member of a team, the team should demonstrate the first success story, then leverage and communicate that success model widely throughout the organization. Results should be validated before successes are communicated to the broader organization. For best results and sustainability of the program, the fraud prevention team should be a multidisciplinary one that includes IT, business users, and functional specialists, such as management scientists, who are involved in the design of the analytics associated with the day-to-day operations of the organization and hence related to the objectives of  the fraud prevention program. It helps to communicate across multiple departments to update key stakeholders on the program’s progress under a defined governance regime. The team shouldn’t just report noncompliance; it should seek to improve the business by providing actionable results.

The forensic data analytics functional specialists should not operate in a vacuum; every project needs one or more business champions who coordinate with IT and the business process owners. Keep the analytics simple and intuitive, don’t include too much information in one report so that it isn’t easy to understand. Finally, invest time in automation, not manual refreshes, to make the analytics process sustainable and repeatable. The best trends, patterns, or anomalies often come when multiple months of vendor, customer, or employee data are analyzed over time, not just in the aggregate. Also, keep in mind that enterprise-wide deployment takes time. While quick projects may take four to six weeks, integrating the entire program can easily take more than one or two years. Programs need to be refreshed as new risks and business activities change, and staff need updates to training, collaboration, and modern technologies.

Research findings by the ACFE and others are providing more and more evidence of the benefits of integrating advanced forensic data analytics techniques into fraud prevention and detection programs. By helping increase their client organization’s maturity in this area, CFE’s can assist in delivering a robust fraud prevention program that is highly focused on preventing and detecting fraud risks.

Exploiting the Dual

businessmeet1Many of today’s CFE’s hold dual certifications as CPA’s, CIA’s, CISA’s and a host of others.  This proven enhanced expertise endows the employers of fraud examiners engaged as full time corporate auditing staff with a whole host of new and exciting fraud detection and prevention capabilities.  This is especially true of corporations whose operations are daily fraud targets.  Rather than dealing with the infrequent single instance of fraud, as is most often the case in conventional CFE practice, these staff practitioners endow their employers with enhanced power in the task of devising investigative and preventative approaches to cope with random, most often automated, fraud attempts arriving on a recurring basis, twenty-four hours a day, 365 days a year.

One of the most effective innovations that dually certified CFE’s can bring to bear in such dynamic fraud environments involves some version of a mixture of continuous monitoring, continuous fraud auditing and continuous assurance. As the external and internal auditing professions view the first of these general concepts, continuous monitoring constitutes a feedback mechanism, primarily used by management, to ensure that systems operate and transactions are processed as prescribed. For example, as one of hundreds of possible examples, management might mandate that its staff CFE (s) periodically monitor the key fraud prevention controls that ensure that customer orders are checked against credit limits to ensure that the controls remain in place and aren’t deactivated.

Continuous auditing for fraud has been defined as the collection of evidence concerning fraud scenarios, by one or more examiners, on systems and transactions, on a continuous basis throughout a temporal period. For example, the staff examiners could routinely extract details of any unusually large adjusting journal entry for investigation, validate the reasons for the entry, determine whether it had been approved, and document these findings. The historical case file of irregularities will be built up from this and like evidence and from its related investigation, as will the examiner’s knowledge of the landscape of on-going fraud threats confronting the business.

Continuous fraud control assurance can even provide a concurrent or on demand assurance opinion on systems or transactions. A continuous opinion could represent an examiner’s or auditor’s opinion that overall fraud prevention controls are operating satisfactorily, unless a report is given to the contrary (often referred to as an ‘evergreen’ fraud control report). On-demand assessment concerning the functioning of key anti-fraud controls can be called for at any time to provide a spot evaluation at a point that does not necessarily coincide with a fiscal year or month-end. For example, a potential investor or lender might want to know the state of a company’s fraud prevention controls on the day that he/she makes a final investing or lending decision. Although these types of control assessments are still relatively rare, it’s possible that, given the pervasiveness of fraud in some heavily automated financial industries, the demand for this type of assessment may accelerate in the future.

Each of these three elements are built upon (and depend on) the one that precedes it. A continuous process of fraud assessment needs continuous monitoring systems to be in place to be effective. These monitoring systems provide the evidence to be collected and assessed upon which to build management assurance.

One of the biggest benefits of a program of continuous fraud control assessment is the beneficial effect it can have on an employing organization’s overall fraud control program. It’s obvious that, with continuous assessment, any key fraud control failures are detected and fixed as soon as they occur, bringing the effectiveness of the failed controls again more closely into conjunction with management’s expectations.  An additional plus for the continuous fraud control evaluation approach is that it provides early warning of problems; employing management can be apprised of a control failure as soon as it happens, providing maximum rectification time. Early warning reduces rectification downtime for the control. The objective is for the external auditors, when they later perform their checks, to find that the control weakness identified by the staff fraud examiner is now corrected and the corrected control operative as of the sign-off date, thus avoiding audit points.  One more advantage conferred by the presence of a dually certified fraud examiner on the audit staff is that many of the controls critical to the anti-fraud program can be fully automated under the CFE’s supervision and thus lend themselves to a continuous review approach. This proactive ‘no surprises’ approach to fraud control should be attractive to all organizations considering employing those holding the CFE certification as either staff auditors or security professionals.

What does it take for management to get this fraud prevention approach off the ground?  First, hire more dually certified CFE’s.  Next, automation is key to the program’s success, especially emphasizing data mining and analytics. Technology that can speed up communication is also needed, because there is no value in identifying an issue quickly if it is not communicated equally quickly to those who need to know about it. Continuous auditing for fraud includes continuous monitoring and reporting by exception on problems that arise. Therefore, the control environment of the employing organization must be at least good enough to ensure that the number of exceptions detected is not initially overwhelming. If anti-fraud controls are at a semi-mature level of effectiveness, however, there is really no reason why, with effort, a continuous assurance approach can’t work.

In setting up continuous audit tests, CFE’s must understand what can go wrong and know what they are looking for, in advance; this is a point where dual certification as an experience CPA or CIA is a plus in guiding the testing process and for creating the business rules for detecting exceptions and understanding them. This latter point is no trivial matter since something that could seem an exception under one set of circumstances, can be perfectly normal under a different set and trained financial assurance professionals know the difference.

Creatively employing their dually certified CFEs in an enhanced fraud detection and prevention effort based on the continuous audit approach confers several benefits to any management while enhancing the fraud prevention program:

–Creation of a database of the most frequently occurring fraud scenarios coupled with the most effective audit approaches to investigate and resolve them;

–Development of tailored data analytics and investigative tools for common fraud scenarios; auditors can get the fraud related data they need when they want them;

— Faster and more thorough fraud examinations and greater depth of audit for the same cost;

— Investigation and resolution of fraud related issues as they occur is a proven proactive approach demonstrating an enhanced level of management due diligence;

— The entire audit staff can have more alternatives in the way they perform fraud related work, including reliance on preventive controls like front end systems edits which prevent fraud be screening out transactions likely to contain fraud on the system’s front end.

–Because fraud related auditing is more effective it becomes more visible for those being audited both within and without the enterprise. Senior management has first-hand knowledge that auditors are ‘on the case’ even if they do not see them every day of the week. This visibility can also act as an additional deterrent to frauds, both internal and external.

On Auditors, Lawyers & Data

corp-counselWhen it comes to gaining access to sensitive, internal digital data during a forensic examination, the corporate council can be the fraud examiner’s best ally.  It, therefore, behooves us to fully understand the unifying role the client counsel holds in overseeing the entire review process.  As our guest blogger, Michael Hart, and other experienced practitioners have pointed out, data analysis becomes most effective when it’s integrated into the wider forensic accounting project.  If the end results are to cohere with findings from other sources, forensic data analysis should not be performed as a separate investigation, walled off from the other review efforts undertaken to benefit the client. Today, it’s a truism that data analysis can serve many functions within a forensic accounting project. On some occasions, it’s rightfully the main engine of an engagement. When such is the case, data analysis is used for highlighting potentially unusual items and trends. More often, however, in actual practice, data analysis is a complementary part of a wider forensic accounting investigation, a piece of a puzzle (and never the be all and end all of the investigation), that involves several other parallel methods of information analysis or evidence gathering, including document review, physical inspection, and investigative interviews.

The timing of the data analysis work depends on the extent to which the forensic accounting team needs to work with the results as defined by counsel. Frequently, once the method of a fraud has been established, data analysis is conducted to estimate the amount of damage. If the team knows that several components of an organization were affected by a fraud scheme, that team may be able to compare these results with those derived from analyses of unaffected branches and, after adjusting for other relevant factors, provide management with a broad estimate of the total effect on the financial statements. When such an approach is used, the comparison should be performed after the investigation has determined the characteristics of the fraud scheme. However, in most cases, as the ACFE tells us, the purpose of data analysis in an investigation is to identify suspicious activity on which the forensic accounting team can act.

Suspicious transactions can be identified in several ways: comparing different sources of evidence, such as accounting records and bank statements, to find discrepancies between them; searching digital records for duplicate transactions; or identifying sudden changes in the size, volume, or nature of transactions, which need to be explained. While data analysis often is a fast and effective way of highlighting potential areas of fraud, it will never capture every detail that an experienced fraud examiner can glean from reviewing an original document. If data analysis is performed to identify suspicious activity, it typically is performed before any manual review is carried out. This helps ensure that investigative resources are targeting suspicious areas and are concentrating on confirming fraudulent activity rather than concentrating on a search for such activity within a sea of legitimate transactions.

The first person to be contacted when there is a suspected fraud is typically in-house counsel. Depending on the apparent severity of the matter and its apparent location in the company, other internal resources to be alerted at an early stage, in addition to the board (typically through its audit committee), may include corporate security, internal audit, risk management, the controller’s office, and the public relations and investor relations groups. Investigations usually begin with extensive conversation about who should be involved, and the responsible executives may naturally wish to involve some or all the functions just mentioned.  Depending on the circumstances, the group of internal auditors (if there is one) can in fact be a tremendous asset to an independent forensic investigative team. As participants in the larger team, internal auditors’ knowledge of the company may improve both the efficiency with which evidence is gathered and the forensic team’s effectiveness in lining up interviews and analyzing findings. The ACFE advices client executives and in-house counsel to engage an external team but to consider making available to that team the company’s internal auditors, selected information systems staff and other internal resources for any investigation of substantial size.

The key to the success of all this from the forensic accountant’s point of view, especially in gaining access to critical digital data, can be the corporate counsel.  On one hand, the forensic accounting investigator may find that the attorney gives the forensic accounting investigator free rein to devise and execute a strategic investigative plan, subject to the attorney’s approval. That scenario is particularly likely in cases of asset misappropriation. On the other hand, some attorneys insist on being involved in all phases of the investigation. It’s the attorney’s call. When engaged by counsel, forensic accounting investigators take direction from counsel. You should advise per your best judgment, but in the end, you work at counsel’s direction.

When working with attorneys on projects involving sensitive digital data, forensic accounting investigators should specifically understand:

  • Their expected role and responsibilities vis-à-vis other team members;
  • Critical managers and players within the information systems shop and their various roles;
  • What other professionals are involved (current or contemplated);
  • The extent and source of any external scrutiny (SEC, IRS, DOJ, etc.);
  • Any legal considerations (extent of privilege, expectation that the company intends to waive privilege, expectation of criminal charges, and so on);
  • Anticipated timing issues, if any;
  • Expected form, timing, and audience of interim or final deliverables;
  • Specifics of the matters under investigation, as currently understood by counsel;
  • Any limitations on departments or personnel that can be involved, interviewed, or utilized in the investigation process.

Independent counsel, with the help of forensic accounting investigators, often takes the lead in setting up, organizing, and managing the entire investigative team. This process may include the selection and retention of other parties who make up the team. Independent counsel’s responsibilities typically encompass the following:

  • Preparing, maintaining, and disseminating a working-group list (very helpful in sorting out which law firms or experts represent whom);
  • Establishing the timetable in conjunction with the board of directors or management, disseminating the timetable to the investigating team, and tracking progress against it;
  • Compiling, submitting, and tracking the various document and personnel access requests that the investigating team members will generate;
  • Organizing client or team meetings and agendas;
  • Preparing the final report with or for the board or its special committee, or doing so in conjunction with other teams from which reports are forthcoming;
  • Establishing and maintaining communication channels with the board of directors and other interested parties, generally including internal general counsel, company management, regulatory personnel, law enforcement or tax authority personnel, and various other attorneys involved.

As fraud examiners, we’re frequently conversant in areas related to financial accounting and reporting such as valuation, tax, and the financial aspects of human resource management but conversant doesn’t necessarily indicate a sufficient level of knowledge to fully guide a complex organizational investigation.  What we can do, however, is to work closely with the corporate counsel to assist him or her in the building of a team on the back of which even the most complex examination can be brought to a successful conclusion.

Cybersecurity – Is There a Role for Fraud Examiners?

cybersecurityAt a cybersecurity fraud prevention conference, I attended recently in California one of the featured speakers addressed the difference between information security and cybersecurity and the complexity of assessing the fraud preparedness controls specifically directed against cyber fraud.  It seems the main difficulty is the lack of a standard to serve as the basis of a fraud examiner’s or auditor’s risk review. The National Institute of Standards and Technology’s (NIST) framework has become a de facto standard despite the fact that it’s more than a little light on specific details.  Though it’s not a standard, there really is nothing else at present against which to measure cybersecurity.  Moreover, the technology that must be the subject of a cybersecurity risk assessment is poorly understood and is mutating rapidly.  CFE’s, and everyone else in the assurance community, are hard pressed to keep up.

To my way of thinking, a good place to start in all this confusion is for the practicing fraud examiner to consider the fundamental difference between information security and cybersecurity, the differing nature of the threat itself.   There is simply a distinction between protecting information against misuse of all sorts (information security) and an attack by a government, a terrorist group, or a criminal enterprise that has immense resources of expertise, personnel and time, all directed at subverting one individual organization (cybersecurity).  You can protect your car with a lock and insurance but those are not the tools of choice if you see a gang of thieves armed with bricks approaching your car at a stoplight. This distinction is at the very core of assessing an organization’s preparations for addressing the risk of cyberattacks and for defending itself against them.

As is true in so many investigations, the cybersecurity element of the fraud risk assessment process begins with the objectives of the review, which leads immediately on to the questions one chooses to ask. If an auditor only wants to know “Are we secure against cyberattacks?” then the answer should be up on a billboard in letters fifty feet high: No organization should ever consider itself safe against cyber attackers. They are too powerful and pervasive for any complacency. If major television networks can be stricken, if the largest banks can be hit, if governments are not immune, then the CFE’s client organization is not secure either.  Still, all anti-fraud reviewers can ask subtle and meaningful questions of client management, specifically focused on the data and software at risk of an attack. A fraud risk assessment process specific to cybersecurity might delve into the internals of database management systems and system software, requiring the considerable skills of a CFE supported by one or more tech-savvy consultants s/he has engaged to form the assessment team. Or it might call for just asking simple questions and applying basic arithmetic.

If the fraud examiner’s concern is the theft of valuable information, the simple corrective is to make the data valueless, which is usually achieved through encryption. The CFE’s question might be, “Of all your data, what percentage is encrypted?” If the answer is 100 percent, the follow-up question is whether the data are always encrypted—at rest, in transit and in use. If it cannot be shown that all data are secured all of the time, the next step is to determine what is not protected and under what circumstances. The assessment finding would consist of a flat statement of the amount of unencrypted data susceptible to theft and a recitation of the potential value to an attacker in stealing each category of unprotected data. The readers of this blog know that data must be decrypted in order to be used and so would be quick to point out that “universal” encryption in use is, ultimately, a futile dream. There are vendors who, think otherwise, but let’s accept the fact that data will, at some time, be exposed within a computer’s memory. Is that a fault attributable to the data or to the memory and to the programs running in it? Experts say it’s the latter. In-memory attacks are fairly devious, but the solutions are not. Rebooting gets rid of them and antimalware programs that scan memory can find them. So a CFE can ask,” How often is each system rebooted?” and “Does your anti-malware software scan memory?

To the extent that software used for attacks is embedded in the programs themselves, the problem lies in a failure of malware protection or of change management. A CFE need not worry this point; according to my California presenter many auditors (and security professionals) have wrestled with this problem and not solved it either. All a CFE needs to ask is whether anyone would be able to know whether a program had been subverted. An audit of the change management process would often provide a bounty of findings, but would not answer the reviewer’s question. The solution lies in having a version of a program known to be free from flaws (such as newly released code) and an audit trail of

known changes. It’s probably beyond the talents of a typical CFE to generate a hash total using a program as data and then to apply the known changes in order to see if the version running in production matches a recalculated hash total. But it is not beyond the skills of IT expects the CFE can add to her team and for the in-house IM staff responsible keeping their employer’s programs safe. A CFE fraud risk reviewer need only find out if anyone is performing such a check. If not, the CFE can simply conclude and report to the client that no one knows for sure if the client’s programs have been penetrated or not.

Finally, a CFE might want to find out if the environment in which data are processed is even capable of being secured. Ancient software running on hardware or operating systems that have passed their end of life are probably not reliable in that regard. Here again, the CFE need only obtain lists and count. How many programs have not been maintained for, say, five years or more? Which operating systems that are no longer supported are still in use? How much equipment in the data center is more than 10 years old? All this is only a little arithmetic and common sense, not rocket science.

In conclusion, frauds associated with weakened or absent cybersecurity systems are not likely to become a less important feature of the corporate landscape over time. Instead, they are poised to become an increasingly important aspect of doing business for those who create automated applications and solutions, and for those who attempt to safeguard them on the front end and for those who investigate and prosecute crimes against them on the back end. While the ramifications of every cyber fraud prevention decision are broad and diverse, a few basic good practices can be defined which the CFE, the fraud expert, can help any client management implement:

  • Know your fraud risk and what it should be;
  • Be educated in management science and computer technology. Ensure that your education includes basic fraud prevention techniques and associated prevention controls;
  • Know your existing cyber fraud prevention decision model, including the shortcomings of those aspects of the model in current use and develop a schedule to address them;
  • Know your frauds. Understand the common fraud scenarios targeting your industry so that you can act swiftly when confronted with one of them.

We can conclude that the issues involving cybersecurity are many and complex but that CFE’s are equipped  to bring much needed, fraud related experience to any management’s table as part of the team in confronting them.