Category Archives: Financial Fraud

A CDC for Cyber

I remember reading somewhere a few years back that Microsoft had commissioned a report which recommended that the U.S. government set up an entity akin to its Center for Disease Control but for cyber security.  An intriguing idea.  The trade press talks about malware and computer viruses and infections to describe self -replicating malicious code in the same way doctors talk about metastasizing cancers or the flu; likewise, as with public health, rather than focusing on prevention and detection, we often blame those who have become infected and try to retrospectively arrest/prosecute (cure) those responsible (the cancer cells, hackers) long after the original harm is done. Regarding cyber, what if we extended this paradigm and instead viewed global cyber security as an exercise in public health?

As I recall, the report pointed out that organizations such as the Centers for Disease Control in Atlanta and the World Health Organization in Geneva have over decades developed robust systems and objective methodologies for identifying and responding to public health threats; structures and frameworks that are far more developed than those existent in today’s cyber-security community. Given the many parallels between communicable human diseases and those affecting today’s technologies, there is also much fraud examiners and security professionals can learn from the public health model, an adaptable system capable of responding to an ever-changing array of pathogens around the world.

With cyber as with matters of public health, individual actions can only go so far. It’s great if an individual has excellent techniques of personal hygiene, but if everyone in that person’s town has the flu, eventually that individual will probably succumb as well. The comparison is relevant to the world of cyber threats. Individual responsibility and action can make an enormous difference in cyber security, but ultimately the only hope we have as a nation in responding to rapidly propagating threats across this planetary matrix of interconnected technologies is to construct new institutions to coordinate our response. A trusted, international cyber World Health Organization could foster cooperation and collaboration across companies, countries, and government agencies, a crucial step required to improve the overall public health of the networks driving the critical infrastructures in both our online and our off-line worlds.

Such a proposed cyber CDC could go a long way toward counteracting the technological risks our country faces today and could serve a critical role in improving the overall public health of the networks driving the critical infrastructures of our world. A cyber CDC could fulfill many roles that are carried out today only on an ad hoc basis, if at all, including:

• Education — providing members of the public with proven methods of cyber hygiene to protect themselves;
• Network monitoring — detection of infection and outbreaks of malware in cyberspace;
• Epidemiology — using public health methodologies to study digital cyber disease propagation and provide guidance on response and remediation;
• Immunization — helping to ‘vaccinate’ companies and the public against known threats through software patches and system updates;
• Incident response — dispatching experts as required and coordinating national and global efforts to isolate the sources of online infection and treat those affected.

While there are many organizations, both governmental and non-governmental, that focus on the above tasks, no single entity owns them all. It is through these gaps in effort and coordination that cyber risks continue to mount. An epidemiological approach to our growing technological risks is required to get to the source of malware infections, as was the case in the fight against malaria. For decades, all medical efforts focused in vain on treating the disease in those already infected. But it wasn’t until epidemiologists realized the malady was spread by mosquitoes breeding in still pools of water that genuine progress was made in the fight against the disease. By draining the pools where mosquitoes and their larvae grow, epidemiologists deprived them of an important breeding ground, thus reducing the spread of malaria. What stagnant pools can we drain in cyberspace to achieve a comparable result? The answer represents the yet unanswered challenge.

There is another major challenge a cyber CDC would face: most of those who are sick have no idea they are walking around infected, spreading disease to others. Whereas malaria patients develop fever, sweats, nausea, and difficulty breathing, important symptoms of their illness, infected computer users may be completely asymptomatic. This significant difference is evidenced by the fact that the overwhelming majority of those with infected devices have no idea there is malware on their machines nor that they might have even joined a botnet army. Even in the corporate world, with the average time to detection of a network breach now at 210 days, most companies have no idea their most prized assets, whether intellectual property or a factory’s machinery, have been compromised. The only thing worse than being hacked is being hacked and not knowing about it. If you don’t know you’re sick, how can you possibly get treatment? Moreover, how can we prevent digital disease propagation if carriers of these maladies don’t realize they are infecting others?

Addressing these issues could be a key area of import for any proposed cyber CDC and fundamental to future communal safety and that of critical information infrastructures. Cyber-security researchers have pointed out the obvious Achilles’ heel of the modern technology infused world, the fact that today everything is either run by computers (or will be) and that everything is reliant on these computers continuing to work. The challenge is that we must have some way of continuing to work even if all the computers fail. Were our information systems to crash on a mass scale, there would be no trading on financial markets, no taking money from ATMs, no telephone network, and no pumping gas. If these core building blocks of our society were to suddenly give way, what would humanity’s backup plan be? The answer is simply, we don’t now have one.

Complicating all this from a law enforcement and fraud investigation perspective is that black hats generally benefit from technology long before defenders and investigators ever do. The successful ones have nearly unlimited budgets and don’t have to deal with internal bureaucracies, approval processes, or legal constraints. But there are other systemic issues that give criminals the upper hand, particularly around jurisdiction and international law. In a matter of minutes, the perpetrator of an online crime can virtually visit six different countries, hopping from server to server and continent to continent in an instant. But what about the police who must follow the digital evidence trail to investigate the matter?  As with all government activities, policies, and procedures, regulations must be followed. Trans-border cyber-attacks raise serious jurisdictional issues, not just for an individual police department, but for the entire institution of policing as currently formulated. A cop in Baltimore has no authority to compel an ISP in Paris to provide evidence, nor can he make an arrest on the right bank. That can only be done by request, government to government, often via mutual legal assistance treaties. The abysmally slow pace of international law means it commonly takes years for police to get evidence from overseas (years in a world in which digital evidence can be destroyed in seconds). Worse, most countries still do not even have cyber-crime laws on the books, meaning that criminals can act with impunity making response through a coordinating entity like a cyber-CDC more valuable to the U.S. specifically and to the world in general.

Experts have pointed out that we’re engaged in a technological arms race, an arms race between people who are using technology for good and those who are using it for ill. The challenge is that nefarious uses of technology are scaling exponentially in ways that our current systems of protection have simply not matched.  The point is, if we are to survive the progress offered by our technologies and enjoy their benefits, we must first develop adaptive mechanisms of security that can match or exceed the exponential pace of the threats confronting us. On this most important of imperatives, there is unambiguously no time to lose.

The Conflicted Board

Our last post about cyberfraud and business continuity elicited a comment about the vital role of corporate governance from an old colleague of mine now retired and living in Seattle.  But the wider question our commenter had was, ‘What are we as CFEs to make of a company whose Board willfully withholds for months information about a cyberfraud which negatively impacts it customers and the public? From the ethical point of view, does this render the Board somehow complicit in the public harm done?’

Governance of shareholder-controlled corporations refers to the oversight, monitoring, and controlling of a company’s activities and personnel to ensure support of the shareholders’ interests, in accordance with laws and the expectations of stakeholders. Governance has been more formally defined by the Organization for Economic Cooperation and Development (OECD) as a set of relationships between a company’s management, its Board, its shareholders, and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set (including about ethical continuity), and the means of attaining those objectives and monitoring performance. Good corporate governance should provide proper incentives for the Board and management to pursue objectives that are in the interests of the company and its shareholders and should facilitate effective monitoring.

The role and mandate of the Board of Directors is of paramount importance in the governance framework. Typically, the directors are elected by the shareholders at their annual meeting, which is held to receive the company’s audited annual financial statements and the audit report thereon, as well as the comments of the chairman of the Board, the senior company officers, and the company auditor.

A Board of Directors often divides itself into subcommittees that concentrate more deeply in specific areas than time would allow the whole Board to pursue. These subcommittees are charged with certain actions and/or reviews on behalf of the whole Board, with the proviso that the whole Board must be briefed on major matters and must vote on major decisions. Usually, at least three subcommittees are created to review matters related to (1) governance, (2) compensation, and (3) audit, and to present their recommendations to the full Board. The Governance Committee deals with codes of conduct and company policy, as well as the allocation of duties among the subcommittees of the Board. The Compensation Committee reviews the performance of senior officers, and makes recommendations on the nature and size of salaries, bonuses, and related remuneration plans. Most important to fraud examiners and assurance professionals, the Audit Committee reviews internal controls and systems that generate financial reports prepared by management; the appropriateness of those financial reports; the effectiveness of the company’s internal and external auditors; its whistle-blowing systems, and their findings; and recommends the re-election or not of the company’s external auditors.

The Board must approve the selection of a Chief Executive Officer (CEO), and many Boards are now approving the appointment of the Chief Financial Officer (CFO) as well because of the important of that position. Generally, the CEO appoints other senior executives, and they, in turn, appoint the executives who report to them. Members of these committees are selected for their expertise, interest, and character, with the expectation that the independent judgment of each director will be exercised in the best interest of the company. For example, the ACFE tells us, members of the Audit Committee must be financially literate, and have sufficient expertise to understand audit and financial matters. They must be of independent mind (i.e., not be part of management or be relying upon management for a significant portion of their annual income), and must be prepared to exercise that independence by voting for the interest of all shareholders, not just those of management or of specific limited shareholder groups.

Several behavioral expectations extend to all directors, i.e., to act in the best interest of the company (shareholders & stakeholders), to demonstrate loyalty by exercising independent judgment, acting in good faith, obedient to the interests of all and to demonstrate due care, diligence, and skill.

All directors are expected to demonstrate certain fiduciary duties. Shareholders are relying on directors to serve shareholders’ interests, not the directors’ own interests, nor those of management or a third party. This means that directors must exercise their own independent judgment in the best interests of the shareholders. The directors must do so in good faith (with true purpose, not deceit) on all occasions. They must exercise appropriate skill, diligence, and an expected level of care in all their actions.

Obviously, there will be times when directors will be able to make significant sums of money by misusing the trust with which they have been bestowed and at the expense of the other stakeholders of the company. At these times a director’s interests may conflict with those of the others. Therefore, care must be taken to ensure that such conflicts are disclosed, and that they are managed so that no harm comes to the other shareholders. For example, if a director has an interest in some property or in a company that is being purchased, s/he should disclose this to the other directors and refrain from voting on the acquisition. These actions should alert other directors to the potential self-dealing of the conflicted director, and thereby avoid the non-conflicted directors from being misled into thinking that the conflicted director was acting only with the corporation’s interests in mind.

From time to time, directors may be sued’ by shareholders or third parties who believe that the directors have failed to live up to appropriate expectations. However, courts will not second-guess reasonable decisions by non-conflicted directors that have been taken prudently and on a reasonably informed basis. This is known as the business judgment ru1e and it protects directors charged with breach of their duty of care if they have acted honestly and reasonably. Even if no breach of legal rights has occurred, shareholders may charge that their interests have been ‘oppressed’ (i.e., prejudiced unfairly, or unfairly disregarded) by a corporation or a director’s actions, and courts may grant what is referred to as an oppression remedy of financial compensation or other sanctions against the corporation or the director personally. If, however, the director has not been self-dealing or misappropriating the company’s opportunities, s/he will likely be protected from personal liability by the business judgment rule.

Some shareholders or third parties have chosen to sue directors ‘personally in tort’ for their conduct as directors, even when they have acted in good faith and within the scope of their duties, and when they believed they were acting in the best interests of the corporations they serve.  Recently, courts have held that directors cannot escape such personal liability by simply claiming that they did the action when performing their corporate responsibilities. Consequently, directors or officers must take care when making all decisions that they meet normal standards of behavior.

Consequently, when management and the Board of a company who has been the victim of a cyber-attack decides to withhold information about the attack (sometimes for weeks or months), fundamental questions about compliance with fiduciary standards and ethical duty toward other stakeholders and the public can quickly emerge.   The impact of recent corporate cyber-attack scandals on the public has the potential to change future governance expectations dramatically. Recognition that some of these situations appear to have resulted from management inattention or neglect (the failure to timely patch known software vulnerabilities, for example) has focused attention on just how well a corporation can expect to remediate its public face and ensure ongoing business continuity following such revelations to the public.

My colleague points out that so damaging were the apparently self-protective actions taken by the Boards of some of these victim companies in the wake of several recent attacks to protect their share price, (thereby shielding the interests of existing executives, directors, and investors in the short term) that the credibility of their entire corporate governance and accountability processes has been jeopardized, thus endangering, in some cases, even their ability to continue as viable going concerns.

In summary, in the United States, the Board of Directors sits at the apex of a company’s governing structure. A typical Board’s duties include reviewing the company’s overall business strategy, selecting and compensating the company’s senior executives; evaluating the company’s outside auditor, overseeing the company’s financial statements; and monitoring overall company performance. According to the Business Roundtable, the Board’s ‘paramount duty’ is to safeguard the interests of the company’s shareholders.  It’s fair to ask if a Board that chooses not to reveal to its stakeholders or to the general investor public a potentially devastating cyber-fraud for many months can be said to have meet either the letter or the spirit of its paramount duty.

Governance and Fraud Detection

Originally, the business owner had the most say in decisions regarding the enterprise. Then, corporate structures were put in place to facilitate decision making, as ownership was spread over millions of shareholders. Boards of directors took over many responsibilities. But with time, the chief executive officer (CEO) ended up having a large say in the composition of the board and, in many instances, ruled and controlled the company and its strategy. The only option for shareholders appeared to be to sell their shares if they were not happy with the performance of a specific organization. Many anti-fraud professionals think that this situation contributed significantly to business demises such as that of Enron and to the horrors consequent to the mortgage meltdown and accompanying fiscal crisis.

Proposals were made to re-equilibrate the power structure by giving more power and responsibilities to the board and to specific committees, such as the audit committee, to better deal with internal control and fair financial reporting or the remuneration committee to better deal with the basis for the type and the level of remuneration of the CEO. New legislation was put into place, such as the US Sarbanes-Oxley Act and Basel II. Compliance with these pieces of legislation consumed a lot of attention, energy and cost.

Enterprises exist to deliver value to their stakeholders. This is accomplished by handling risk advantageously and using resources responsibly. Speedy direction setting and quick reaction to change are essential in such a situation so decision making must be shared among many. Therefore, governance comes into play. Successful enterprises implement an over-arching system of governance that facilitates the achievement of their desired outcomes, both at the enterprise level and at each level within the enterprise; this is especially true with regard to the problem of fraud detection.  In this context, a holistic definition of enterprise governance is in order: Governance is the framework, principles, structure, processes and practices to set direction and monitor compliance and performance aligned with the overall purpose and objectives of an enterprise.

This definition is initially implemented by the answers to and actions on the following governance related questions:

Who is accountable and responsible for enterprise governance? Stakeholders, owners, governing bodies and management are responsible and accountable for governance.

What do they do, and how and where do they do it? They engage in activities (set direction, monitor compliance and performance) in relationship with others and use enablers (frameworks, principles, structures, processes, practices) within the governance view appropriate to them (governance of the enterprise; of an organizational entity within the enterprise such as a business unit, division or function; and of a strategic asset within the enterprise or within an organizational entity).

Why do they do it? They institute governance to create value for their enterprise, determine its risk appetite, optimize its resources and use them responsibly.

In summary, accountability and stewardship are delegated to a governance body by the owner/stakeholder, expecting it to assume accountability for the activities necessary to meet expectations. In alignment with the overall direction of the enterprise, management executes the appropriate activities within the context of a control framework, balancing performance and compliance in achieving the governance objectives of value creation, risk management and resource optimization.

Fraud detection (within the context of a fully defined fraud prevention program) is a vital business process of the over-hanging governance function and can be implemented by numerous generally accepted procedures.  But a few examples …

One way to increase the likelihood of the detection by the governance function of fraud abuses is the conduct of periodic external and internal audits, as well as the implementation of special network security audits. Auditors should regularly test system controls and periodically “browse” data files looking for suspicious activities. However, care must be exercised to make sure employees’ privacy rights are not violated. Informing employees that auditors will conduct a random surveillance not only helps resolve the privacy issue, but also has a significant deterrent effect on computer assisted fraud exploits.

Employees witnessing fraudulent behavior are often torn between two conflicting feelings. They feel an obligation to protect company assets and turn in fraud perpetrators, yet they are uncomfortable in a whistleblower role and find it easier to remain silent. This reluctance is even stronger if they are aware of public cases of whistleblowers who have been ostracized or persecuted by their coworkers or superiors, or have had their careers damaged. An effective way to resolve this conflict is to provide employees with hotlines so they can anonymously report fraud. The downside of hotlines is that many of the calls are not worthy of investigation. Some calls come from those seeking revenge, others are vague reports of wrongdoing, and others simply have no merit. A potential problem with a hotline is that those who operate the hotline may report to people who are involved in a management fraud. This threat can be overcome by using a fraud hotline set up by a trade organization or commercial company. Reports of management fraud can be passed from this company directly to the board of directors.

Many private and public organizations use outside computer consultants or in-house teams to test and evaluate their security procedures and computer systems through the performance of system penetration testing.  The consultants are paid to try everything possible to compromise an enterprise’s system(s). To get into offices so they can look for passwords or get on computers, they masquerade as janitors, temporary workers, or confused delivery personnel. They also employ software based hacker tools (readily available on the Internet) and social engineering techniques.  Using such methods, some outside consultants claim that they can penetrate 90% or more of the companies they “attack” to a greater or lesser degree.

All financial transactions and activities should be recorded in a log. The log should indicate who accessed what data, when, and from which location. These logs should be reviewed frequently to monitor system activity and trace any problems to their source. There are numerous risk analysis and management software packages that can review computer systems and networks and the financial transactions they contain. These packages evaluate security measures already in place and test for weaknesses and vulnerabilities. A series of reports are then generated to explain any weaknesses found and suggest improvements. Cost parameters can be entered so that a company can balance acceptable levels of vulnerability and cost effectiveness. There are also intrusion-detection programs and software utilities that can detect illegal entry into systems along with software that monitors system activity and helps companies recover from fraud and malicious actions.

People who commit fraud tend to follow certain patterns and leave tell-tale clues, often things that do not make sense. Software is readily available to search for these fraud symptoms. For example, a health insurance company could use fraud detection software to look at how often procedures are performed, whether a diagnosis and the procedures performed fit a patient’s profile, how long a procedure takes, and how far patients live from the doctor’s office.

Neural networks (programs that mimic brain activity and can learn new concepts) are quite accurate in identifying suspected fraud. For example, Visa and MasterCard operations employ neural network software to track hundreds of millions of separate account transactions daily. Neural networks spot the illegal use of a credit card and notify the owner within a few hours of its theft. The software can also spot trends before bank investigators do.

Each enterprise needs to determine its appropriate overall governance system and the fraud detection approaches it decides to implement in support of that system. To help in that determination, mapping governance frameworks, principles, structures, processes and practices, currently in use, is beneficial. CFE’s and forensic accountants are uniquely qualified to assist in this process given their in-depth knowledge of all types of fraud scenarios and the tailoring of the anti-fraud controls most appropriate for the control of each within a specific company environment.

Structure & Scope

T.J. Jones presented himself as a turnaround specialist to the Chairman of the Board of Central State Corporation, a medium sized, public company, a mid-western manufacturer of computer equipment, who hired him to take over a large, but under-performing division of the company.  Jones immediately set out lofty goals for sales and profits and very quickly replaced all the existing senior staff of the division with new hires loyal to himself. To meet his inflated goals, two of Jones’s managers, in addition to legitimate equipment sales, shipped bricks to distributors and recorded some as sales of equipment to retail distributors and some as inventory out on consignment. No real products left the plant for these “special sales.” The theory was that actual sales would inevitably grow, and the bricks could be replaced later with real products. In the meantime, the unwitting distributors thought they were holding consignment inventory in the unopened cartons.

The result was that overstated sales and accounts receivable quickly caused overstated net income, retained earnings, current assets, working capital, and total assets. Prior to the manipulation, annual sales of the division were $135 million. During the two falsification years of the fraud, sales were $185 million and $362 million. Net income went up from a loss of $20 million to $23 million (income), then to $31 million (income); and the gross margin percent went from 6 percent to 28 percent. The revenue and profit figures outpaced the performance of Central State’s industry category. The accounts receivable collection period grew to 94 days, while it was 70 days elsewhere in the industry.

All the paperwork was in order because the two hand-picked managers had falsified the sales and consignment invoices, even though they did not have customer purchase orders for all the false sales. Shipping papers were in order, and several co-operating shipping employees knew that not every box shipped contained disk drives. Company accounting and control procedures required customer purchase orders or contracts evidencing real orders. A sales invoice was supposed to indicate the products and their prices, and shipping documents were supposed to indicate actual shipment. Sales were always charged to a customer’s account receivable.  During the actual operation of the fraud there were no glaring control omissions that would have pointed to financial fraud. Alert auditors might have noticed the high tension created by concentration on meeting profit goals. Normal selection of sales transactions with vouching to customer orders and shipping documents might have turned up a missing customer order. Otherwise, the paperwork would have seemed to be in order. The problem lay in Jones’ and his managers’ power to override controls and to instruct some shipping staff to send dummy boxes.  Confirmations of distributors’ accounts receivable may have elicited exception responses. The problem was to have a large enough confirmation sample to pick up some of these distributors or to be skeptical enough to send a special sample of confirmations to distributors who took the “sales” near the end of the accounting period. Observation of inventory could have included some routine inspection of goods not on the company’s premises.

The overstatements were not detected. The auditor’s annual confirmation sample was typically small and did not contain any of the false shipments. Tests of detail transactions did not turn up any missing customer orders. The inventory out on consignment was audited by obtaining a written confirmation from the holders, who apparently over the entire period of the fraud had not opened even one of the affected boxes. The remarkable financial performance was attributed to good management.

The fraud was revealed by one of Jones’ subordinate managers who was arrested on an unrelated drug charge and volunteered as a cooperating witness in exchange for the dropping of the drug charge.

This hypothetical case is a good example of the initial situation confronting management when a fraud affecting the financial statements comes to light, often with little or no warning. Everyone involved with company management will have a strong intuitive sense that an investigation is necessary; but the fact is that the company has now lost faith in the validity of its own public disclosures of financial performance.

That will need to be fixed. And it is not enough to simply alert markets that previously issued financial results are wrong; outsiders will want to know what the correct numbers should have been. The only way to find out is to dig into the numbers and distinguish the falsified results from the real ones. Beyond the need to set the numbers straight, the company will need to identify those complicit in the fraud and deal with them. This is not only a quest for justice but the need to restore credibility, and the company will be unable to do so until outsiders are satisfied that the wrongdoing executives and staff have been identified and removed.  Thus, the company needs an audit report on its financial statements. The need for a new audit report arises from the likelihood that, once a company’s financial statements have been found to be unreliable, the company’s external auditor will want to pull its existing, inaccurate,  report.

As a practical matter, pulling its report involves the external auditor’s recommendation that the company issue a press release that previously issued financial statements are not to be relied upon. Once the company issues such a press release, it will be out of compliance with any number of SEC regulations. It will no longer satisfy the threshold prerequisites for trading on the company’s securities exchange. It will be viewed by many, and certainly the plaintiff class action bar, as coming close to having admitted wrongdoing. And everyone on the outside, not to mention its own board of directors, will want answers fast. A critical step in the restoration of important business relationships and a return to compliance with regulatory requirements is the new auditor’s report. And, where fraudulent financial reporting has been discovered, an in-depth and comprehensive investigation is often the only way to get one.

A critical issue at the outset of a financial fraud investigation is its structure and scope. A key attribute for which the external auditor, as well as the SEC, will be on the lookout is that the investigation is overseen by the audit committee. In public companies, it is the audit committee that has explicit legal responsibility for oversight of financial reporting, and accounting fraud falls squarely within the orbit of financial reporting.  In addition, the audit committee, as a matter of statutory design, is structured to be independent and possessed of a level of financial sophistication that makes it the most viable subset of the board of directors to oversee the investigative efforts in this case. It’s also the audit committee that has the statutory power to engage and pay outside advisers even without the consent of management, a statutory power that can be vital if management, or part of management, as in our hypothetical case above, is a participant in the fraud.

The audit committee’s role is to oversee the investigation, not actually conduct it. For that it needs to look to outside professionals, and there are two types. The one is the outside counsel to the audit committee. If the audit committee has not already engaged outside counsel, it needs to do so. It’s audit committee counsel who will conduct the interviews, comb through the financial records, and present factual findings for audit committee consideration. Individual audit committee members may choose to sit in on interviews, and that is their choice. But it’s audit committee counsel who will conduct the investigation. The other group of professionals is the forensic accountants and/or CFEs.  Audit committee counsel, while knowledgeable of financial reporting obligations and investigative techniques, will probably not possess a sufficiently detailed knowledge of accounting systems, generally accepted accounting principles
(GAAP), or computerized ledgers. For that, audit committee counsel is well advised look for help to the category of accountants and fraud examiners specifically trained in digging into financial records for evidence of fraud.

What exactly is the audit committee looking for in such an investigation? There are primarily two things. The first, obviously enough, is what the actual numbers should have been. Often fraudulent entries involve judgment calls where the operative question is not whether the number matches the underlying financial records but whether the judgment behind the number was exercised in good faith.  The operative question for the investigators is whether the executive exercised his judgment in good faith to make the best estimate allowed by reasonably available information. Sometimes it’s not so easy to tell.

Beyond the correct numbers, the second thing for which the investigators are looking is executive complicity. In other words: who did it? Again, the good faith of those potentially involved comes into play. The investigators are not seeking simply whether executives reported financial results that turned out to be wrong. The issue rather is whether the executives tried to get them right. If they did and made an honest mistake or estimated incorrectly, that does not sound like fraud and may not even be a violation of GAAP to begin with. The main point here is that, when it comes to executive complicity, the investigators are ordinarily looking for evidence of wrongful intent (scienter). In other words, they are looking for an intentional misapplication of GAAP or an approach to GAAP that is so reckless as to constitute the equivalent of an intentional misapplication.

The scope of the investigation, then, should not pose too difficult an issue at the outset.  Initially, the scope will be largely defined by the potential improprieties that have been uncovered. The tricky question becomes: how far should the investigators go beyond the suspicious entries? The judgment calls here are formidable. One of the key issues involves the expectations of the external auditor and, beyond that, the SEC. If the scope is not sufficiently broad, the investigation may not be satisfactory to either one. Indeed, an insufficient scope can place the external auditor in a particularly awkward spot insofar as the SEC may subsequently fault not only the audit committee for inadequate scope but the external auditor’s acceptance of the audit committee’s investigative report.

An additional complicating factor involves the way fraud starts and grows. A critical issue to consider is that, overtime, as the Central State example illustrates, the manipulations will often get increasingly aggressive as the perpetrators spread the fraud throughout many line items so that no single account stands out as unusual but a substantial number are affected. For example, to prevent the distortion of accounts receivable from getting too large, Jones and his accomplices spread the fraud into inventory, then asset capitalization, then net income. The spread of the fraud is analogous to pouring a glass of water on a tabletop. It can spread everywhere without getting too deep in any one place.

So, once fraudulent financial reporting has been identified, even in just a few entries, the investigators will want to consider the possibility that it’s a symptom of a broader problem. If the investigators have been lucky enough to nip it in the bud, that may be the end of it.  Unfortunately, if the fraud has gotten big enough to be detected in the first place, such a limited size cannot be assumed. Even where the fraud ostensibly starts out small the need for a broader scope has got to be considered.

The scope of the investigation, therefore, can start out with its parameters guided by the suspicious entries revealed at the outset. In most cases, though, it will need to broaden to ensure that additional areas are not affected as well. Throughout the investigation, moreover, the scope will have to remain flexible. The investigators will have to stay on the lookout for additional clues, and will have to follow where they lead. Faced with an ostensibly ever-widening scope, initial audit committee frustration is both to be expected and understandable. But there is just no practical alternative.

For Appearance Sake

By Rumbi Petrozzello, CPA/CFF, CFE
2017 Vice-President – Central Virginia Chapter ACFE

Last Thursday, the 15th of June 2017, the New York State Senate Committee on Ethics and Internal Governance met. The previous sentence reads like a big yawn with which no one, beyond perhaps the members of the committee itself, would be concerned. However, this meeting was big news. The room was packed with members of the media and every member of the committee was in attendance. Why? Because this was the first meeting the committee had empaneled since 2009, as confirmed by the committee’s published archive of events. It turns out that it was indeed a big deal that all committee members were in attendance because, for eight years straight, none of the committee members had attended a single meeting.

If you are thinking that the ethics committee did not meet for eight years because there were no ethical issues to discuss and our state’s legislative leadership practiced only ethical and upright behavior, you would be sorely mistaken. John Sampson, the State Senator who chaired the committee at that last meeting in 2009 was found guilty, of obstruction of justice and of lying to federal agents in 2015 and sentenced to jail time in January 2017. Evidently, taking their cues from the tone at the top evidenced by the leadership of their ethics committee, during the same eight-year meeting hiatus, seven other state senators were convicted on charges that included mail fraud, looting a nonprofit and bribery.

So, you might ask, what happened at the meeting last week? The committee had come together to discuss stipends, that are supposed to go to committee chairs, that were apparently also being paid to committee vice-chairs (and, in one case, to a deputy vice-chair, whatever that is). There was a motion proposed to stop making these payments to anyone but the committee chair. It seems that just coming together was more than enough work for the committee and, therefore, they tabled the motion, a motion that would not even have been binding, until its next meeting. It should be noted that two of the senators receiving this chair stipend, as vice-chairs, serve on the ethics committee and both voted to postpone voting on the motion. It would be laughable if it were a laughing matter.

Think about where you work and about all the clients with whom we work, as fraud examiners and forensic accountants. We work with our clients and with those who employ us to suggest comprehensive policies that cover good business practices and ethical behaviors and actions. Reading about the shenanigans of the State Senate Committee on Ethics recalled several thoughts:

The assumption that personnel will automatically be motivated to behave as corporate owners want is no longer valid. People are motivated more by self-interest than in the past and are likely to come from backgrounds that emphasize different priorities of duty. As a result, there is greater need than ever for clear guidance and for identifying and effectively managing threats to good governance and accountability.

Even when different employee backgrounds are not an issue, personnel can misunderstand the organization’s objectives and their own role and fiduciary duty. For example, many directors and employees at Enron evidently believed that the company’s objectives were best served by actions that brought short term profit:

—through ethical dishonesty, manipulation of energy markets or sham displays of trading floors;
—through book keeping that was illusory;
—through actions that benefited themselves at the expense of other stakeholders.

Frequently, employees are tempted to cut ethical corners, and they have done so because they believed that their top management wanted them to; they were ordered to do so; or they were encouraged to do so by misguided or manipulative incentive programs. These actions occurred although the board of directors would have preferred (sometimes with hindsight) that they had not. Personnel simply misunderstood what was expected by the board because guidance was unclear or they were led astray and did not understand that they were to report the problem for appropriate corrective action, or to whom or how.

Among our clients, lack of proper guidance or reporting mechanisms may have been the result of directors and others not understanding their duties as fiduciaries. Directors owe shareholders and regulators several duties, including obedience, loyalty, and due care. Recognition of the increasing complexity, volatility and risk inherent in modern corporate interests and operations, particularly as their scope expands to diverse groups and cultures has led to the requirement for risk identification, assessment and management systems.

  • If our client businesses want to do an excellent job at implementing effective ethics programs, orientation of new employees should always involve a review of the code of ethical practice by the staff tasked with compliance and with enforcing policies. How many entities are actively practicing what they preach during such sessions? The values that a company’s directors wish to instill to motivate the beliefs and actions of its personnel need to be conveyed to provide the required guidance. Usually, such guidance takes the form of a code of conduct that states the values selected, the principles that flow from those values, and any rules that are to be followed to ensure that appropriate values are respected.
  • After orientation, what steps are companies taking to maintain their ethics programs on an on-going basis? Principles are more useful to employees than just rules because principles facilitate interpretation when the precise circumstances encountered do not exactly fit the rules prescribed. A blend of principles and rules is often optimal in maintaining of a code of conduct in the long term.
  • Is leadership periodically coming together to talk about where their firm stands when it comes to ethics and compliance? A code on its own may be nothing more than ‘ethical art’ that hangs on the wall but is rarely studied or followed. Experience has revealed that, to be effective, a code must be reinforced by a comprehensive ethical culture.
  • Is anyone reviewing how whistleblowing claims are being dealt with? Does the company even have a whistleblower program? If so, does the staff even know about it and how it works? Whistle-blowers are part of a needed monitoring, risk management and remediation system.
  • Is leadership setting a positive tone at the top and displaying the behaviors that it is demanding from employees? The ethical behavior expected must be referred to in speeches and newsletters by top management as often as they refer to their health and safety programs, or to their antipollution program or else it will be viewed as less important by employees. If personnel never or rarely hear about ethical expectations, they will perceive them as not a serious priority.

Once, I worked at a company where senior management smoked in the office; behavior that is illegal and was, on paper, not allowed. When staff members complained to human resources, no corrective action was taken. Frustrated, some staff members called the city hotline to file a report. Following visits from the city, human resources put up no smoking signs and then notices encouraging employees to keep reports of inappropriate staff smoking internal. By only paying lip service to policy, this company’s management seemed populated by future candidates for the State’s Senate Ethics Committee. But my former employer doesn’t stand alone as evidenced by frauds at Wells Fargo and at others. A company can pull out screeds of rules and regulations, but what matters most is what the staff knows and what the leadership does.

In the case of the New York State Senate Committee on Ethics and Internal Governance, what it did was delay a vote on the issues before it until the next meeting. And when will the next meeting be? After taking eight years to set up its last meeting, the committee was in no hurry to set a date for the next. They adjourned without scheduling the next one. They did, however, take a moment to congratulate themselves on attending this meeting. You can’t forget the important stuff.

The Initially Immaterial Financial Fraud

At one point during our recent two-day seminar ‘Conducting Internal Investigations’ an attendee asked Gerry Zack, our speaker, why some types of frauds, but specifically financial frauds can go on so long without detection. A very good question and one that Gerry eloquently answered.

First, consider the audit committee. Under modern systems of internal control and corporate governance, it’s the audit committee that’s supposed to be at the vanguard in the prevention and detection of financial fraud. What kinds of failures do we typically see at the audit committee level when financial fraud is given an opportunity to develop and grow undetected? According to Gerry, there is no single answer, but several audit committee inadequacies are candidates. One inadequacy potentially stems from the fact that the members of the audit committee are not always genuinely independent. To be sure, they’re required by the rules to attain some level of technical independence, but the subtleties of human interaction cannot always be effectively governed by rules. Even where technical independence exists, it may be that one or more members in substance, if not in form, have ties to the CEO or others that make any meaningful degree of independence awkward if not impossible.

Another inadequacy is that audit committee members are not always terribly knowledgeable, particularly in the ways that modern (often on-line, cloud based) financial reporting systems can be corrupted. Sometimes, companies that are most susceptible to the demands of analyst earnings expectations are new, entrepreneurial companies that have recently gone public and that have engaged in an epic struggle to get outside analysts just to notice them in the first place. Such a newly hatched public company may not have exceedingly sophisticated or experienced fiscal management, let alone the luxury of sophisticated and mature outside directors on its audit committee. Rather, the audit committee members may have been added to the board in the first place because of industry expertise, because they were friends or even relatives of management, or simply because they were available.

A third inadequacy is that audit committee members are not always clear on exactly what they’re supposed to do. Although modern audit committees seem to have a general understanding that their focus should be oversight of the financial reporting system, for many committee members that “oversight” can translate into listening to the outside auditor several times a year. A complicating problem is a trend in corporate governance involving the placement of additional responsibilities (enterprise risk management is a timely example) upon the shoulders of the audit committee even though those responsibilities may be only tangentially related, or not at all related, to the process of financial reporting.

Again, according to Gerry, some or all the previously mentioned audit committee inadequacies may be found in companies that have experienced financial fraud. Almost always there will be an additional one. That is that the audit committee, no matter how independent, sophisticated, or active, will have functioned largely in ignorance. It will not have had a clue as to what was happening within the organization. The reason is that a typical audit committee (and the problem here is much broader than newly public startups) will get most of its information from management and from the outside auditor. Rarely is management going to voluntarily reveal financial manipulations. And, relying primarily on the outside auditor for the discovery of fraud is chancy at best. Even the most sophisticated and attentive of audit committee members have had the misfortune of accounting irregularities that have unexpectedly surfaced on their watch. This unfortunate lack of access to candid information on the part of the audit committee directs attention to the second in the triumvirate of fraud preventers, the internal audit department.

It may be that the internal audit department has historically been one of the least understood, and most ineffectively used, of all vehicles to combat financial fraud. Theoretically, internal audit is perfectly positioned to nip in the bud an accounting irregularity problem. The internal auditors are trained in financial reporting and accounting. The internal auditors should have a vivid understanding as to how financial fraud begins and grows. Unlike the outside auditor, internal auditors work at the company full time. And, theoretically, the internal auditors should be able to plug themselves into the financial reporting environment and report directly to the audit committee the problems they have seen and heard. The reason these theoretical vehicles for the detection and prevention of financial fraud have not been effective is that, where massive financial frauds have surfaced, the internal audit department has often been somewhere between nonfunctional and nonexistent.. Whatever the explanation, (lack of independence, unfortunate reporting arrangements, under-staffing or under-funding) in many cases where massive financial fraud has surfaced, a viable internal audit function is often nowhere to be found.

That, of course, leaves the outside auditor, which, for most public companies, means some of the largest accounting firms in the world. Indeed, it is frequently the inclination of those learning of an accounting irregularity problem to point to a failure by the outside auditor as the principal explanation. Criticisms made against the accounting profession have included compromised independence, a transformation in the audit function away from data assurance, the use of immature and inexperienced audit staff for important audit functions, and the perceived use by the large accounting firms of audit as a loss leader rather than a viable professional engagement in itself. Each of these reasons is certainly worthy of consideration and inquiry, but the fundamental explanation for the failure of the outside auditor to detect financial fraud lies in the way that fraudulent financial reporting typically begins and grows. Most important is the fact that the fraud almost inevitably starts out very small, well beneath the radar screen of the materiality thresholds of a normal audit, and almost inevitably begins with issues of quarterly reporting. Quarterly reporting has historically been a subject of less intense audit scrutiny, for the auditor has been mainly concerned with financial performance for the entire year. The combined effect of the small size of an accounting irregularity at its origin and the fact that it begins with an allocation of financial results over quarters almost guarantees that, at least at the outset, the fraud will have a good chance of escaping outside auditor detection.

These two attributes of financial fraud at the outset are compounded by another problem that enables it to escape auditor detection. That problem is that, at root, massive financial fraud stems from a certain type of corporate environment. Thus, detection poses a challenge to the auditor. The typical audit may involve fieldwork at the company once a year. That once-a-year period may last for only a month or two. During the fieldwork, the individual accountants are typically sequestered in a conference room. In dealing with these accountants, moreover, employees are frequently on their guard. There exists, accordingly, limited opportunity for the outside auditor to get plugged into the all-important corporate environment and culture, which is where financial fraud has its origins.

As the fraud inevitably grows, of course, its materiality increases as does the number of individuals involved. Correspondingly, also increasing is the susceptibility of the fraud to outside auditor detection. However, at the point where the fraud approaches the thresholds at which outside auditor detection becomes a realistic possibility, deception of the auditor becomes one of the preoccupations of the perpetrators. False schedules, forged documents, manipulated accounting entries, fabrications and lies at all levels, each of these becomes a vehicle for perpetrating the fraud during the annual interlude of audit testing. Ultimately, the fraud almost inevitably becomes too large to continue to escape discovery, and auditor detection at some point is by no means unusual. The problem is that, by the time the fraud is sufficiently large, it has probably gone on for years. That is not to exonerate the audit profession, and commendable reforms have been put in place over the last decade. These include a greater emphasis on fraud, involvement of the outside auditor in quarterly data, the reduction of materiality thresholds, and a greater effort on the part of the profession to assess the corporate culture and environment. Nonetheless, compared to, say, the potential for early fraud detection possessed by the internal audit department, the outside auditor is at a noticeable disadvantage.

Having been missed for so long by so many, how does the fraud typically surface? There are several ways. Sometimes there’s a change in personnel, from either a corporate acquisition or a change in management, and the new hires stumble onto the problem. Sometimes the fraud, which quarter to quarter is mathematically incapable of staying the same, grows to the point where it can no longer be hidden from the outside auditor. Sometimes detection results when the conscience of one of the accounting department people gets the better of him or her. All along s/he wanted to tell somebody, and it gets to the point where s/he can’t stand it anymore and s/he does. Then you have a whistleblower. There are exceptions to all of this. But in almost any large financial fraud, as Gerry told us, one will see some or all these elements. We need only change the names of the companies and of the industry.

RVACFES May 2017 Event Sold-Out!

On May 17th and 18th the Central Virginia ACFE Chapter and our partners, the Virginia State Police and the Association of Certified Fraud Examiners (ACFE) were joined by an over-flow crowd of audit and assurance professionals for the ACFE’s training course ‘Conducting Internal Investigations’. The sold-out May 2017 seminar was the ninth that our Chapter has hosted over the years with the Virginia State Police utilizing a distinguished list of certified ACFE instructor-practitioners.

Our internationally acclaimed instructor for the May seminar was Gerard Zack, CFE, CPA, CIA, CCEP. Gerry has provided fraud prevention and investigation, forensic accounting, and internal and external audit services for more than 30 years. He has worked with commercial businesses, not-for-profit organizations, and government agencies throughout North America and Europe. Prior to starting his own practice in 1990, Gerry was an audit manager with a large international public accounting firm. As founder and president of Zack, P.C., he has led numerous fraud investigations and designed customized fraud risk management programs for a diverse client base. Through Zack, P.C., he also provides outsourced internal audit services, compliance and ethics programs, enterprise risk management, fraud risk assessments, and internal control consulting services.

Gerry is a Certified Fraud Examiner (CFE) and Certified Public Accountant (CPA) and has focused most of his career on audit and fraud-related services. Gerry serves on the faculty of the Association of Certified Fraud Examiners (ACFE) and is the 2009 recipient of the ACFE’s James Baker Speaker of the Year Award. He is also a Certified Internal Auditor (CIA) and a Certified Compliance and Ethics Professional (CCEP).

Gerry is the author of Financial Statement Fraud: Strategies for Detection and Investigation (published 2013 by John Wiley & Sons), Fair Value Accounting Fraud: New Global Risks and Detection Techniques (2009 by John Wiley & Sons), and Fraud and Abuse in Nonprofit Organizations: A Guide to Prevention and Detection (2003 by John Wiley & Sons). He is also the author of numerous articles on fraud and teaches seminars on fraud prevention and detection for businesses, government agencies, and nonprofit organizations. He has provided customized internal staff training on specialized auditing issues, including fraud detection in audits, for more than 50 CPA firms.

Gerry is also the founder of the Nonprofit Resource Center, through which he provides antifraud training and consulting and online financial management tools specifically geared toward the unique internal control and financial management needs of nonprofit organizations. Gerry earned his M.B.A at Loyola University in Maryland and his B.S.B.A at Shippensburg University of Pennsylvania.

To some degree, organizations of every size, in every industry, and in every city, experience internal fraud. No entity is immune. Furthermore, any member of an organization can carry out fraud, whether it is committed by the newest customer service employee or by an experienced and highly respected member of upper management. The fundamental reason for this is that fraud is a human problem, not an accounting problem. As long as organizations are employing individuals to perform business functions, the risk of fraud exists.

While some organizations aggressively adopt strong zero tolerance anti-fraud policies, others simply view fraud as a cost of doing business. Despite varying views on the prevalence of, or susceptibility to, fraud within a given organization, all must be prepared to conduct a thorough internal investigation once fraud is suspected. Our ‘Conducting Internal Investigations’ event was structured around the process of investigating any suspected fraud from inception to final disposition and beyond.

What constitutes an act that warrants an examination can vary from one organization to another and from jurisdiction to jurisdiction. It is often resolved based on a definition of fraud adopted by an employer or by a government agency. There are numerous definitions of fraud, but a popular example comes from the joint ACFE-COSO publication, Fraud Risk Management Guide:

Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.

However, many law enforcement agencies have developed their own definitions, which might be more appropriate for organizations operating in their jurisdictions. Consequently, fraud examiners should determine the appropriate legal definition in the jurisdiction in which the suspected offense was committed.

Fraud examination is a methodology for resolving fraud allegations from inception to disposition. More specifically, fraud examination involves:

–Assisting in the detection and prevention of fraud;
–Initiating the internal investigation;
–Obtaining evidence and taking statements;
–Writing reports;
–Testifying to findings.

A well run internal investigation can enhance a company’s overall well-being and can help detect the source of lost funds, identify responsible parties and recover losses. It can also provide a defense to legal charges by terminated or disgruntled employees. But perhaps, most importantly, an internal investigation can signal to every company employee that the company will not tolerate fraud.

Our two-day seminar agenda included Gerry’s in depth look at the following topics:

–Assessment of the risk of fraud within an organization and responding when it is identified;
–Detection and investigation of internal frauds with the use of data analytics;
–The collection of documents and electronic evidence needed during an investigation;
–The performance of effective information gathering and admission seeking interviews;
–The wide variety of legal and regulatory concerns related to internal investigations.

Gerry did his usual tremendous job in preparing the professionals in attendance to deal with every step in an internal fraud investigation, from receiving the initial allegation to testifying as a witness. The participants learned to lead an internal investigation with accuracy and confidence by gaining knowledge about topics such as the relevant legal aspects impacting internal investigations, the use of computers and analytics during the investigation, collecting and analyzing internal and external information, and interviewing witnesses and the writing of effective reports.

Rigging the Casino

I attended an evening lecture some weeks ago at the Marshall-Wythe law school of the College of William & Mary, my old alma mater, in Williamsburg, Virginia. One of the topics raised during the lecture was a detailed analysis of the LIBOR scandal of 2012, a fascinating tale of systematic manipulation of a benchmark interest rate, supported by a culture of fraud in the world’s biggest banks, and in an environment where little or no regulation prevailed.

After decades of abuse that enriched the big banks, their shareholders, executives and traders, at the expense of others, investigations and lawsuits were finally initiated, and the subsequent fines and penalties were huge. The London Interbank Offered Rate (LIBOR) rate is a rate of interest, first computed in 1985 by the British Banking Association (BBA), the Bank of England and others, to serve as a readily available reference or benchmark rate for many financial contracts and arrangements. Prior to its creation, contracts utilized many privately negotiated rates, which were difficult to verify, and not necessarily related to the market rate for the security in question. The LIBOR rate, which is the average interest rate estimated by leading banks that they would be charged if they were to borrow from other banks, provided a simple alternative that came to be widely used. For example, in the United States in 2008 when the subprime lending crisis began, around 60 percent of prime adjustable-rate mortgages (ARMs) and nearly all subprime mortgages were indexed to the US dollar LIBOR. In 2012, around 45 percent of prime adjustable rate mortgages and over 80 percent of subprime mortgages were indexed to the LIBOR. American municipalities also borrowed around 75 percent of their money through financial products that were linked to the LIBOR.

At the time of the LIBOR scandal, 18 of the largest banks in the world provided their estimates of the costs they would have had to pay for a variety of interbank loans (loans from other banks) just prior to 11:00 a.m. on the submission day. These estimates were submitted to Reuters news agency (who acted for the BBA) for calculation of the average and its publication and dissemination. Reuters set aside the four highest and four lowest estimates, and averaged the remaining ten.

So huge were the investments affected that a small manipulation in the LIBOR rate could have a very significant impact on the profit of the banks and of the traders involved in the manipulation. For example, in 2012 the total of derivatives priced relative to the LIBOR rate has been estimated at from $300-$600 trillion, so a manipulation of 0.1% in the LIBOR rate would generate an error of $300-600 million per annum. Consequently, it is not surprising that, once the manipulations came to light, the settlements and fines assessed were huge. By December 31, 2013, 7 of the 18 submitting banks charged with manipulation, had paid fines and settlements of upwards of $ 2 billion. In addition, the European Commission gave immunity for revealing wrongdoing to several the banks thereby allowing them to avoid fines including: Barclays €690 million, UBS €2.5 billion, and Citigroup €55 million.

Some examples of the types of losses caused by LIBOR manipulations are:

Manipulation of home mortgage rates: Many home owners borrow their mortgage loans on a variable- or adjustable-rate basis, rather than a fixed-rate basis. Consequently, many of these borrowers receive a new rate at the first of every month based on the LIBOR rate. A study prepared for a class action lawsuit has shown that on the first of each month for 2007-2009, the LIBOR rate rose more than 7.5 basis points on average. One observer estimated that each LIBOR submitting bank during this period might have been liable for as much as $2.3 billion in overcharges.

Municipalities lost on interest rate swaps: Municipalities raise funds through the issuance of bonds, and many were encouraged to issue variable-rate, rather than fixed-rate, bonds to take advantage of lower interest payments. For example, the saving could be as much as $1 million on a $100 million bond. After issue, the municipalities were encouraged to buy interest rate swaps from their investment banks to hedge their risk of volatility in the variable rates by converting or swapping into a fixed rate arrangement. The seller of the swap agrees to pay the municipality for any requirement to pay interest at more than the fixed rate agreed if interest rates rise, but if interest rates fall the swap seller buys the bonds at the lower variable interest rate. However, the variable rate was linked to the LIBOR rate, which was artificially depressed, thus costing U.S. municipalities as much as $10 billion. Class action suits were launched to recover these losses which cost municipalities, hospitals, and other non-profits as much as $600 million a year; the remaining liability assisted the municipalities in further settlement negotiations.

Freddie Mac Losses: On March 27, 2013, Freddie Mac sued 15 banks for their losses of up to $3 billion due to LIBOR rate manipulations. Freddie Mac accused the banks of fraud, violations of antitrust law and breach of contract, and sought unspecified damages for financial harm, as well as punitive damages and treble damages for violations of the Sherman Act. To the extent that defendants used false and dishonest USD LIBOR submissions to bolster their respective reputations, they artificially increased their ability to charge higher underwriting fees and obtain higher offering prices for financial products to the detriment of Freddie Mac and other consumers.

Liability Claims/Antitrust cases (Commodities-manipulations claims): Other organizations also sued the LIBOR rate submitting banks for anti-competitive behavior, partly because of the possibility of treble damages, but they had to demonstrate related damages to be successful. Nonetheless, credible plaintiffs included the Regents of the University of California who filed a suit claiming fraud, deceit, and unjust enrichment.

All of this can be of little surprise to fraud examiners. The ACFE lists the following features of moral collapse in an organization or business sector:

  1. Pressure to meet goals, especially financial ones, at any cost;
  2. A culture that does not foster open and candid conversation and discussion;
  3. A CEO who is surrounded with people who will agree and flatter the CEO, as well as a CEO whose reputation is beyond criticism;
  4. Weak boards that do not exercise their fiduciary responsibilities with diligence;
  5. An organization that promotes people based on nepotism and favoritism;
  6. Hubris. The arrogant belief that rules are for other people, but not for us;
  7. A flawed cost/benefit attitude that suggests that poor ethical behavior in one area can be offset by good ethical behavior in another area.

Each of the financial institutions involved in the LIBOR scandal struggled, to a greater or lesser degree with one or more of these crippling characteristics and, a distressing few, manifested all of them.

In Plain Sight

By Rumbi Petrozzello, CPA/CFF, CFE
2017 Vice-President – Central Virginia Chapter ACFE

Recently, I was listening to one my favorite podcasts, Radiolab, and they were discussing a series on Audible called “Ponzi Supernova”. Reporter Steve Fishman hounded infamous Ponzi schemer, Bernie Madoff, for several years. One day, Bernie called Steve, collect, and thus began the conversations between Madoff and Fishman that makes this telling of the Madoff Ponzi scheme like none other.

The tale is certainly compelling (how can a story of the largest known Ponzi scheme not be fascinating) and hearing Bernie Madoff talking about what he did and hearing what he says motivated him makes this series something I listened to from beginning to end, almost without taking a break. Through it all, as had happened just about every time I read or heard about Madoff, I was amazed that he was able to perpetrate his fraud for as long as he did, which, depending on who you believe, started somewhere between the early 1960s and 1992 (even Madoff gives different dates for when he started). This is no surprise. All too often, when fraudsters are caught, they try to minimize the extent of their wrongdoing. If they know that you’ve found $1,000, they’ll tell you that $1,000 was all they took. If you go on to find more, then the story will change a little to include what you’ve found. It’s very rare that a fraudster will confess to the full extent of her crime at the first go around (or even at the second or third).

As I listened to the series, something became very apparent. Often when people discuss the Madoff Ponzi scheme, one tends to get the feeling that, for decades, he took money from new investors to pay off old investors and carried on his multi-billion-dollar scheme without a single soul blowing the whistle on him. But that’s not the case. In a 477-page report from the U.S. Securities and Exchange Commission Office of Investigations (OIG) entitled “Investigation of Failure of the SEC to Uncover Bernard Madoff’s Ponzi Scheme – Public Version”, between June 1992 and December 2008, the Securities and Exchange Commission (SEC) received “six substantive complaints” regarding Madoff’s company and some of these complaints were submitted more than once.

One complaint mentioned in the report was received three times, with versions submitted in 2000, 2001 and 2005; the 2005 version was even entitled “The World’s Largest Hedge Fund is a Fraud”. This complaint series was submitted by Madoff’s most well-known nemesis, the whistleblower, Harry Markopolos. But, there were at least five other individuals who shared their concerns and suspicions about Madoff with the SEC. Three of these specifically used the words “Ponzi scheme”, including the first complaint, in 1992. Based on these complaints, the SEC conducted two investigations and three examinations and, even though the complaints explicitly stated that they suspected that Madoff Investments was a Ponzi scheme, none of the investigations or examinations concluded that Madoff was operating a Ponzi scheme. To add to this, the SEC was aware of two articles that questioned Madoff’s returns. Over the years, several investment companies performed their own due diligence and decided that Madoff’s company did not make sense and they believed that investing with Madoff would be a violation of their fiduciary duty to their clients. Despite all of this, none of these investigations or exams contained a finding of fraud.

Whether you’re a Certified Fraud Examiner (CFE) or a CPA, Certified in Financial Forensics (CFF), the work that you do is governed by a set of professional standards that help establish a performance baseline. This begins with competence. This means that those taking on an assignment should be able to complete the assignment successfully. This does not necessarily mean that whoever is leading the job needs to know how to do everything. It does mean that they should ensure that there is the right skill set working on the job, even if it means the use of referrals or consultation. Too many times, while reading the OIG report, the reader confronts the mention of a lack of experience. Listening to Ponzi Supernova, I learnt that at least one examiner was only three weeks out of school. The OIG report stated that, for one examination, because the person leading the investigation had no knowledge of how to investigate a suspected Ponzi scheme, they decided to just not investigate that claim; they decided instead to investigate what they knew, and that was front running (though even that investigation was carried out poorly).

Another ACFE professional standard is that of due professional care. Due professional care “requires diligence, critical analysis and professional skepticism”. It also means that any conclusion that a CFE reaches, must be supported by evidence that is relevant, sufficient and competent. Several times during the various investigations and examinations, SEC staff would ask Madoff or his employees questions and then accept any answers they were given without seeking any third-party confirmation. Sometimes, even when third-party confirmation was sought, the questions asked of those third parties were not the correct ones. Madoff himself tells the story of how, in 2006, Madoff testified that he settled trades for his advisory clients through his personal Depository Trust Company (DTC) account and he even gave the SEC his DTC account information. At this point Madoff was sure that, once the SEC checked this out, his fraud would be discovered. Instead, the SEC merely asked the DTC if Madoff had an account, and nothing more. Had they asked about account activity, they would have then discovered that Madoff’s account, even though it existed, did not trade anywhere near the volume purported by his statements. This brings up other aspects of due professional care; adequate planning and supervision. With proper supervision, the less experienced can be trained not just to ask questions, but to ask, and get adequate answers to, the correct questions. The person reviewing their work would be able to ask them, “did the answer that you got from the DTC answer the question that we are asking? Can we now confirm not that Madoff has an account with the DTC but, instead, that he is trading billions of dollars through these accounts?”

Time and time again, in the OIG report, the SEC stated that they did not have experienced and adequate staff for their examinations and investigations of Madoff. This was an excuse that was used to explain why, for instance, they did not send out requests for third-party confirmations, even after drafting them. In one case, staff stated that they did not send out a request to the National Association of Securities Dealers (NASD) because it would have been too time-consuming to review the data received. Adequate planning would have made sure that there was sufficient, qualified staffing to review the data. Adequate supervision would have ensured that this excuse for not sending out the request was squashed. However, it is not the case that no third-party confirmation requests were sent out. Some were and some of those sent out received responses. Responses were received from the NASD and other financial institutions These entities all claimed that there was no activity with Madoff on the dates that the examiners were asking about. Even with that information, there was no follow-up on the part of the examiners. At every turn, there seemed to be a lot of trust and just about no verification. This is even more surprising when you hear that the examiners would write notes about how Madoff was obviously lying and how many people had reported to the SEC that Madoff was running a dishonest business. Even with so much distrust, and so many whistleblowers, it turned out that those sent to shine a light on Madoff’s operations all seemed to be looking in all the wrong places.

Part of planning an investigation is determining what is being investigated and how the investigation is going to be executed. A very important part of the process is determining, beforehand, what will be done with negative results. When third-party responses were received and they all stated Madoff had not done business with them as claimed, the responses appear to have been filed and no further action taken. When responses were not received, the SEC did not follow up to find out why nothing had been returned. They likely would have found that the institution had not responded to the inquiry because there was nothing to respond about. There does not appear to have been a defined protocol on what to do when the answer to the question, “did this happen” was “No.”

I urge you to, at the very least, read the executive summary of the OIG report. For me at least, what Madoff could get away with, time and time again, with each subsequent SEC examination or investigation, is jaw-dropping. The fact that 1) several whistleblowers shared their concerns and even accompanied them with a great deal of detail and 2) that articles were written and yet, 3) those with access to the information that could prove, with very little effort, that Madoff was not doing what he claimed to be doing, found nothing of concern is something I struggle to comprehend. This whole sad history does underline the importance of referring to, and abiding by, our professional standards, to minimize the risk of missing a fraud like this one. Most importantly, it reduces the risk that someone might get an aneurism trying to wrap their mind around how, even when so many others could see that something was amiss, the watchdog missed it all!

Offered & Bid

Our Chapter was contacted last week by an apparent victim of an on-line auction fraud scheme called shilling.  Our victim bought an item on the auction and subsequently received independent verification that the seller had multiple ID’s which he used to artificially increase the high bid on the item ultimately purchased by our victim.  On-line consumer auctions have been a ubiquitous feature of the on-line landscape for the last two decades and, according the ACFE, the number of scams involving them is ever increasing.

The Internet allows con artists to trade in an environment of anonymity, which makes fraud easier to perpetrate. So every buyer of items from online auctions not only has to worry about the item being in good condition and every seller has to be concerned about being paid, they must both also worry about whether the other party to the transaction is even legitimate.   Common internet auction fraud complaints include products that never arrive, arrive damaged, or are valued less than originally promised. Many complaints also stem from sellers who deliver the product but never receive payment. Almost all auction sites have responded over the years by  instituting policies to prevent these types of fraud and have suspended people who break the rules. eBay, for example, has implemented buyer protection and fraudulent website protection programs, as well as several other safeguards to prevent fraudsters from abusing their auction services but the abuses just seem to go on and on.

What apparently happened to our victim is called shilling.  Shilling occurs when sellers arrange to have fictitious bids placed on their item to drive up the price. This is accomplished either by their own use of multiple user IDs (as our victim suspects of her seller) or by having other partners in crime artificially increase the high bid on their item; typically, these individuals are friends or family members of the seller. If the shiller sees a legitimately high bid that does not measure up to his or her expectations, s/he might burst in to give it a boost by raising the bid. This auction activity is one of the worst auction offenses and is cause for immediate and indefinite site suspension for any seller caught in its performance by any legitimate auction.

A related ploy that also raises lots of complaints is called sniping.  Sniping is a bid manipulation process in which an unscrupulous bidder bids during the last few seconds of an auction to gain the high bid just as the time runs out, thus negating the ability of another bidder to answer with a still higher bid. Most bidders who successfully engage in this practice do so with the aid of sniping technology. In general, sniping is legal; however, most online auctions sites have instituted no-sniping policies, as the practice is devious and may harm legitimate, honest bidders.

Then there’s bid shielding.  Bid shielding is a scam in which a group of dishonest bidders target an item and inflate the high bid value to discourage other real bidders. At the last moment, the highest bidder or other bidders will retract their bids, thereby shielding the lower bidder and allowing him to run away with the item at a desirable, and deceitful, price.

In the relentless drive for more customers, some sellers resort to bid siphoning which occurs when fraudulent sellers lure bidders off legitimate sites by offering to sell the “same” item at a lower price. They intend to trick consumers into sending money without delivering the item. By going off-site, buyers lose any protections the original site may provide, such as insurance, feedback forms, or guarantees.  This practice is often accompanied by sellers embellishing or distorting the descriptions of their wares. Borrowed images, ambiguous descriptions, and falsified facts are some of the tactics a seller will utilize in misleading a buyer with the end of guiding her to participation in a siphoning scheme.

The second chance scammer offers losing bidders of a closed auction a second chance to purchase the item that they lost in the auction. As with siphoning victims, second chance buyers lose any protections the original site may provide once they go off-site.

One of the most common complaints associated with on-line auctions is price manipulation.  To avoid price manipulation, consumers need to understand the auction format before bidding. Sellers may set up the auction with questionable bidding rules that leave the winning buyer in an adverse situation. For example, say you are a winner in an auction. You bid $50, but the lowest successful bid is only $45. The seller congratulates you on your win, and requests your high bid of $50 plus postage.  As another example, let’s say the highest bidder retracts his bid or the seller cancels it, which leaves you the highest bidder. The seller then wants you to pay the maximum bid amount, citing that the previous high bidder had outbid you. Finally, let’s say you win a straight auction with a high bid of $85. The seller contacts you and instructs you to send your high bid, plus shipping, packaging, listing fee costs, and numerous other charges.

Our last example relates to the practice of fee stacking which refers to the addition of hidden charges to the total amount due from the winning bidder after the auction has concluded. Shipping and handling fees can vary greatly; therefore, the buyer should inquire before bidding to avoid unexpected costs. Typically, postage and handling fees are charged at a flat rate. However, some scheming sellers add separate charges for postage, packaging, handling, and shipping, and often devise other fees to tack on as well, leaving the buyer with a much higher purchase price than anticipated.

Then there’s the flat failure to ship the purchased merchandise.  This is the one type of on-line auction fraud that most people have heard of even if they don’t themselves participate in on-line auctions and involves a seller receiving payment for the item sold, but not shipping the merchandise. If the merchandise does not arrive, the buyer should contact the seller for the item or request a refund, hopefully having kept a receipt of payment for the purchase. If the purchaser made the purchase with a credit card, s/he can contact the credit card company to deny the charges. If the buyer gets nowhere with the seller, the buyer should contact the U.S. Postal Inspection Service, as the failure to ship constitutes mail fraud.

On the other hand fraudulent buyer claims of lost or damaged items are also considered mail fraud. Some buyers falsely claim the item arrived damaged or did not arrive at all, and thus refuse payment. Sellers should insure the item during shipping and send it via certified mail, which requires a signature verifying receipt.

A related buyer scam is switch and return.  Let’s say you have successfully auctioned a vintage item. You, the seller, package it with care and ship it to the anxious buyer. But when the buyer receives it, he is not satisfied. You offer a refund. However, when the buyer returns the item, you get back an item that does not resemble the high-quality item that you shipped. The buyer has switched the high-quality item with a low-quality item and returned it to you. The buyer ends up with both the item and the refund.

The on-line market is awash in fakes. The seller “thinks” it is an original; but the buyer should think again. With the use of readily attainable computer graphics and imaging technology, a reproduction can be made to look almost identical to an original. Many fraudsters take full advantage of these capabilities to dupe unsuspecting or uninformed buyers into purchasing worthless items for high prices.

If you are a fraud examiner working with clients involved in the on-line auction market or a buyer or seller in those markets …

— Become familiar with the chosen auction site;
— Understand as much as possible about how internet auctions work, what the site obligations are toward a buyer or seller, and what the buyer’s or seller’s obligations are before bidding or selling;
— Find out what protections the auction site offers buyers;
— Try to determine the relative value of an item before bidding;
— Find out all you can about the seller, especially if the only information you have is an e-mail address.  If the seller is a business, check with the Better Business Bureau where the seller/buyer is located;
— Examine the feedback on the seller and use common sense. If a seller has a history of negative feedback, then do not deal with that seller;
— Consider whether the item comes with a warranty, and whether follow-up service is available if it is needed;
— Do not allow the seller or buyer to convince you to ignore the rules of a legitimate internet auction.