Category Archives: Fraud Management

The Ideal Employee

It was late on a dark November evening in 2002 when the corporate counsel of the Victoria Paper Corporation contacted our Chapter member Jay Magret, CFE, CIA about a suspected irregularity involving the team of Tim Clark, the world-wide maintenance manager for Victoria’s most complex automated paper manufacturing equipment.

Clark had been hired after a long exhaustive search by one of Victoria’s many employment contractors, Global Image, Inc. Clark was hired to oversee the entire maintenance program at Victoria’s plants worldwide.  Victoria’s management was elated because Clark seemed ideal for the position, seemingly having spent half of his professional life providing automated systems savvy support to major paper companies around the world. He was used to working in foreign locals and had collected an array of impressive skills that enabled him to be appreciated as a through professional. Once hired, Tim requested four additional staff members for his unit, whom he said he personally knew, and contracted for through Global Image. The names and resumes of the four new staff members were subsequently provided by Grayson Employment, another job agency that also specialized in providing labor to the paper industry. Because the four new staff members were already registered in Grayson’s employee database and were explicitly requested by Tim Clark, Victoria and Global Image didn’t feel the need to complete the usual background verifications.

Such a chain of job agencies is common in the labor market: international paper companies, like companies in other industries, manage large projects in disparate, sometimes isolated locales around the globe, and they are stressed by production deadlines. Accordingly, companies find themselves continuously short on the highly specialized people who are qualified to manage and support such projects. Such international companies rely heavily on job agencies to provide contractors already skilled in the business and available to work in remote destinations.

When a business sector is booming, it becomes crowded with personnel interested in exploiting opportunity and, in the resulting complicated labor market, the temptation to cut personnel supply corners in response to tight deadlines often emerges. The result is that, with a plethora of job agencies providing labor, sometimes to a single project, the final employer sometimes doesn’t know with precision what the hourly fee paid to each individual contractor is after it is redistributed along the chain of multiple job agencies.

Under Clark’s direction, his team was charged with the ambitious task of assuring the continuous performance of maintenance activities at Victoria’s paper plants around the world. On paper, Clark’s team worked long hours each week and most weekends, sometimes flying throughout Europe and Asia with little rest. Each hour worked by a member of the maintenance team was certified and signed off on personally by Clark, on behalf of Victoria.

During their year-and-a-half of service, the four individuals hired by Tim Clark claimed to have worked an excessive number of hours, which triggered an internal review by Grayson Employment’s personnel management. During their review, personnel management found that the four employees’ employment files did not include appropriate identification documents. When the agency requested copies of their passports, the four employees immediately submitted their resignations, and soon after Clark did the same. The day after Clark resigned, Grayson contacted Victoria whose corporate counsel, alarmed, contacted our Jay Magret.

Setting to work immediately and working closely with Victoria’s auditors and the corporate counsel, Magret quickly uncovered evidence that Clark had falsified records and documents for three of the individuals on his team. It became apparent to Jay that those individuals were ghost employees; they did not exist. Clark had created fake resumes for three ghost employees, falsified contracts, signed time sheets, and forged the resignation letters. Further analysis showed that the fourth individual did indeed exist, was related to Clark, and had collaborated on the scheme. Clark and his accomplice had to work hard to carry out the duties of four employees.

Jay’s analysis also showed that Omega’s employee interviews were sometimes conducted solely by line managers involved in the hiring process, without the support of the Human Resources Department. The same line managers were then responsible for certifying the time sheets of their employees, including contractors, while their identification documents weren’t systematically collected or retained. Moreover, the contracts and procedures in use didn’t clearly establish or document each step of the selection and job assignment process.

Magret’s final report specified that the fraud was possible, and profitable, because the paper company client paid the wages of each ghost employee through the chain of job agencies and directly into the accounts of the contractors, which were registered in the name of a private company and managed by Clark. By the time Victoria realized the scope of the fraud scenario with Magret’s help, Clark and his associate had already disappeared with more than a million dollars paid to them during their year-and-a-half scheme. The paper company later discovered that even Clark was not who he claimed to be. He had used a fake identity and was untraceable, leaving little to no chance of recovery of the stolen money.

In response to management’s request that he proactively suggest controls to strengthen Victoria’s anti-fraud program, Magret suggested, as a matter of normal practice, that:

–Companies should perform time assessments to ensure they know how long a job will take to complete.

–Strict procedures should be in place during the hiring process, especially regarding segregation of duties. Human resources should always be involved in the process and responsible for checking identification documents with the physical person.

–The company should limit the opportunity for line managers to recommend hiring people they know. In some cases, it is unavoidable, so managers should always try to guarantee a higher level of segregation, especially in the authorization of time sheets.

–When using a job agency, the company should be sure that the relationship with contractors will be directly between the company itself and the agency. By doing this, the company will save money and be more assured about the contracted personnel.

— Client inhouse auditors of the personnel function should perform a periodic analysis of office records by selecting a sample of employees and verifying their effective presence in the office or on the job site, making sure appropriate identification is included in their records.
–Excessive hours claimed is as a red flag, especially when it is common among off-site employees. Establishing key performance indicators for each department or business process can serve as a reference for red flag comparisons.

–A wide-ranging and fragmented work environment can make the ghost employee phenomenon possible. A strong internal control framework and strictly enforced personnel policies are the only ways to prevent and discourage this type of fraud scheme.

Confidential Sources & Informants

There has been much in the news recently concerning the confidential sources and informants involved in current Federal on-going criminal and non-criminal investigations.  During the more complex of our examinations, we, as practicing fraud examiners and forensic accountants, can also expect to encounter the same types of sources and informants. Both sources and informants serve the same purpose, to provide information helpful in the development of a case. However, there are notable differences between confidential sources and confidential informants; the two terms should not be used interchangeably.

A confidential source furnishes information simply consequent on being a member of an occupation or profession and has no culpability in the alleged offense. For example, confidential sources might include barbers, attorneys, accountants, and law enforcement personnel. A confidential informant on the other hand has a direct or indirect involvement in the matter under investigation, and s/he might (incidentally) also be culpable. The distinction between the two sources is their involvement or noninvolvement in the offense. As every CFE knows, informants can pose treacherous legal issues for the fraud examiner.

There is no question that information provided by a well-placed informant can be invaluable to any case; secretly photographed or recorded conversations provided by an informant are the most convincing type of evidence. This information is generally viewed as something the use of which is sure to be successful for a criminal prosecutor, because there is little that a white-collar criminal can dispute when caught red-handed in the fraudulent act.

The ACFE identifies several types of informants with which a CFE might expect to become directly or indirectly involved: the basic lead, the participant, the covert, and the accomplice/witness.

—Basic Lead Informants. This type of informant supplies information to the investigator about illicit activities that they have encountered. The reasons that the informant decides to supply information are varied; some informants simply want to “do their part” to stop an unscrupulous activity, while others are interested in harming the criminals against whom they are informing. For instance, many informants in drug, prostitution, or illegal gambling endeavors are involved in those activities as well and intend to eliminate some of their competition. Whatever the reason, these informants’ only role in an investigation is to supply useful information.

—Participant informants.  The participant informant is directly involved in gathering preliminary evidence in the investigation. The informant in this instance not only supplies an investigation with information, but the informant is also involved in setting up a “sting” operation, initiating contact with the criminal for arrest purposes. A participant informant is just what the name suggests, a participant in the investigation of criminal activity.

—Covert informants. A covert informant also supplies information on criminal behavior to an investigator or to authorities. The difference between covert informants and other types of informants is that a covert informant is one who has been embedded in a situation or scenario for a period, sometimes for years, and is called upon only sporadically for newly uncovered information (i.e., tip-offs) and leads. These types of informants are often referred to as moles because of the nature of their insulated situation as inside sources. There are two instances in which covert informants are commonly used: in organized crime and in hate-extremist group investigations. Covert informants are often culled to get information about upcoming criminal activities by such groups.

—Accomplice/witness informants. The accomplice/witness informant is often called upon to provide information concerning criminal activity. Unlike other types of informants, the accomplice/witness informant seeks to avoid prosecution for an offense by providing investigators with helpful information. For example, the government might promise leniency if the accomplice/witness informant offers details about a co-conspirator.

There are three essential procedures for the investigator to keep in mind and follow when using sources and informants. First, strive to keep the informant’s identity as confidential as possible. Second, independently verify the information provided by the source or informant. Third, develop witness and documentary evidence from independently verified information. For example, an informant might indicate that an investigative target committed fraud. If the fraud examiner subsequently conducts an interview and gets a confession out of the target, the information is no longer dependent on the informant’s claim.

If the confidential source or informant has provided documents, names of potential witnesses, or other evidence, all reasonable steps must be taken to protect the identity of that source. Care should be taken to ensure that the questioning of other witnesses is done in a manner that does not reveal its origin. This can usually be accomplished by phrasing questions in a certain way. For example, Smith furnished confidential information about Jones, the co-owner of Jones Brothers Construction Company. When the fraud examiner confronts Jones, she does not want him to know that she has talked to Smith.

If necessary, in this example, the fraud examiner would display the evidence from witnesses and documents that would not reveal the source or informant’s identity. The information from the source or informant is basically useless unless the fraud examiner can verify its authenticity and independently corroborate it. Suppose a source furnishes the fraud examiner with copies of documents showing that Jones Brothers Construction Company’s building code violations dropped by 80 percent since a bribery arrangement allegedly began. This kind of evidence would corroborate the source’s story. If a source told the fraud examiner that Jones frequently had drinks with Walters, the city’s chief building inspector, the fraud examiner would want to find out some way to verify this information. Recall that the third objective when using sources is to develop the witness’s information and other evidence so that it makes a cohesive case.

Fraud examiners should make every effort to develop and cultivate a wide range of sources. Business and financial institution executives, law enforcement and other governmental personnel, medical and educational professionals, and internal and external auditors are always good contacts for practicing fraud examiners.

The fraud examiner should strive to make contacts in her community, well in advance of needing the information they can provide; my contacts on LinkedIn and in the Central Virginia ACFE Chapter have proven their investigative value again and again!  If the fraud examiner receives an allegation and needs confidential information, s/he might obtain assistance from a source cultivated earlier.  Additionally, we need sources to feel confident that they can share information with us without being compromised. In theory, the source will never have to testify; s/he has no firsthand knowledge. Firsthand information comes either from a witness or from a document.

The fraud examiner might also encounter new sources when tracking leads during a specific investigation. S/he might interview a stockbroker from whom the target purchased stock but who does not want his identity revealed. The fraud examiner shou1d not encourage a person to provide confidential information, but rather try to get verifying reports on the record. But if the fraud examiner promises confidentiality for a source’s information, she must abide by that promise.

The ACFE advises that active recruitment of informants is generally not desirable because doing so might appear unseemly to a jury. It is better to encourage an informant to come forward. It is also desirable to develop an informant relationship, but such relationships must be handled carefully. The fraud examiner must be careful to clearly document the adequate predication for an informant’s involvement. Generally, the most fundamental questions concerning informants will focus on the degree of their culpability or the lack of it. There have been cases where the informant is guiltier than the target; in such cases the court might rule that the informant’s information cannot be introduced.

Finally, it’s recommended that all contact with informants and-sources be reported on a memorandum, although the confidential source or informant’s identity should not be included in the report. Instead of including the source or informant’s identity, the fraud examiner should use symbols to denote the source’s identity. It is further recommended that sources be preceded with an “S,” followed by a unique identifier (i.e., source #1 would be “S-l”; source #2 would be “S-2”). The symbols for informants would then be “I-1” and “I-2.”

Generally, disclosure of the identities of sources and informants should be on a strict need to-know basis. For that reason, the person’s identity should be maintained in a secure file with limited access, and it should be cross-indexed by the source’s symbol number. The reliability of the source, if known, and whether the person can furnish relevant information should always be documented in writing.

Tailoring Difficult Conversations

We CFE’s and forensic accountants, like other investigative professionals, are often called upon to be the bearers of bad news; it just goes with the territory.  CFE’s and forensic accountants are somewhat unique, however, in that, since fraud is ubiquitous, we’re called upon to communicate negative messages to such a diverse range of client types; today the chairman of an audit committee, tomorrow a corporate counsel, the day after that an estranged wife whose spouse has run off after looting the family business.

If there is anything worse than getting bad news, it may be delivering it. No one relishes the awkward, difficult, anxiety-producing exercise of relaying messages that may hurt, humiliate, or upset someone with whom the deliverer has a professional relationship. And, what’s more,  it often proves a thankless task. This was recognized in a Greek proverb almost 2,500 years ago, “Nobody loves the messenger who brings bad news.”

Physicians, who are sometimes required to deliver worse news than most CFE’s ever will, often engage in many hours of classwork and practical experience studying and role-playing how to have difficult conversations with patients and their families They know that the message itself, may be devastating but how they deliver it can help the patient and his or her family begin to process even the most painful facts.   CFE’s are in the fortunate position of typically not having to deliver news that is quite so shattering.  Nevertheless, there is no question that certain investigative results can be extremely difficult to convey and to receive.  The ACFE tells us that learning how to prepare for and deliver such messages can create not only a a better investigator but facilitate a better investigative outcome.

Preparation to deliver difficult investigative results should begin well in advance, even before there is such a result to deliver. If the first time an investigator has a genuine interaction with the client is to confirm the existence of a fraud, that fact in itself constitutes a problem.  On the other hand, if the investigator has invested time in building a relationship before that difficult meeting takes place, the intent and motivations of both parties to the interaction are much better mutually understood. Continuous communication via weekly updates to clients from the moment irregularities are noted by examination is vital.

However, despite best efforts in building relationships and staying in regular contact with clients, some meetings will involve conveying difficult news. In those cases, preparation is critical to accomplishing objectives while dealing with any resultant fallout.  In such cases, the ACFE recommends focusing on investigative process as well as on content. Process is professionally performing the work, self-preparation for delivering the message, explaining the conclusions in meaningful and realistic ways, and for anticipating the consequences and possible response of the person receiving the message. Content is having the right data and valid conclusions so  the message is correct and complete.

Self-preparation involves considering the type of person who is receiving the difficult message and in determining the best approach for communicating it. Some people want to hear the bottom line first and the supporting information after that; others want to see a methodical building of the case item by item, with the conclusion at the end. Some are best appealed to via logic; others need a more empathetic delivery. Discussions guided by the appropriate approach are more likely to be productive. Put as much effort as possible into getting to know your client since personality tends to drive how he or she wants to receive information, interact with others, and, in turn, values things and people. When there is critical investigative information that has to be understood and accepted, seasoned examiners consider delivery tailored specifically to the client to be paramount.

Once the ground work has been laid, it’s time to have the discussion. It’s important, regarding the identified fraud, to remember to …

–Seek opportunities to balance the discussion by recognizing the client’s processes that are working well as well as those that have apparently failed;

–Offer to help or ask how you can help to address the specific issues raised in the discussion;

–Make it clear that you understand the client’s challenges. Be precise and factual in describing the causes of the identified irregularity;

–Maintain open body language. Avoid crossing your arms, don’t place your hands over your mouth or on your face, and keep your palms facing each other or slightly upwards instead of downwards. Don’t lean forward as this appears extra aggressive. Breathe deeply and evenly. If possible, mimic the body language of the message recipient, if the recipient is remaining calm. If the recipient begins to show signs of defensiveness or strong aggression, and your efforts to calm
the situation are not successful, you might suggest a follow-up meeting after both of you have digested what was said and to consider mutually acceptable options to move forward.

–Present the bottom-line message three times in different ways so your listener has time to absorb it.

–Let the client vent if he or she wishes. The ACFE warns against a tendency to interrupt the client’s remarks of explanation or sometimes of denial; “we don’t hire people who would do something like that!” Allowing the client time to vent frees him or her to get down to business moving afterward.

–Focus on problems with the process as well as on the actions of the suspect(s) to build context for the fraud scenario.

–Always demonstrate empathy. Take time to think about what’s going through your hearer’s mind and help him or her think through the alleged scenario and how it occurred, what’s going to happen next with the investigation, and how the range of issues raised by the investigation might be resolved.

Delivering difficult information is a minefield, and there are ample opportunities to take a wrong step and see explosive results. Emotional intelligence, understanding how to read people and relate to them, is vital in delivering difficult messages effectively. This is not an innate trait for many people, and it is a difficult one to learn, as are many of the other so-called soft skills. Yet they can be critical to the successful practice of fraud examination. Examiners rarely get in trouble over their technical skills because such skills are generally easier for them to master.  Examiners tend to get in trouble over insufficient soft skills. College degrees and professional certifications are all aimed at the technical skills. Sadly, very little is done on the front end to help examiners with the equally critical soft skills which only arise after the experience of actual practice.  For that reason, watching a mentor deliver difficult messages or deal with emotional people is also an effective way to absorb good practices. ACFE training utilizes the role-playing of potentially troublesome presentations to a friendly group (say, the investigative staff) as another way to exercise one’s skills.

Delivering bad news is largely a matter of practice and experience, and it’s not something CFEs and forensic accountants have the choice to avoid. At the end of the day, examiners need to deliver our news verbally and in writing and to facilitate our clients understanding of it. The underlying objective is to ensure that the fact of the alleged fraud is adequately identified, reported and addressed, and that the associated risk is understood and effectively mitigated.

The Complex Non-Profit

Our Chapter was contacted several weeks ago by the management of a not-for-profit organization seeking a referral to a CFE for conduct of an examination of suspected fraud.  Following a lively discussion with the requester’s corporate counsel, we made the referral which, we’ve subsequently learned, is working out well.  Our discussion of the case with counsel brought the following thoughts to mind. When talking not-for-profits, we’re talking programs; projects that are not funded through the sale of a product or service, but projects that obtain outside funding via the government, charitable grants, or donations to achieve a specific outcome. These outcomes can be any of a variety of things, from a scientific research study to find a cure for a catastrophic illness or federally legislated programs to provide health care to the indigent and elderly, as with the Medicaid and Medicare programs, respectively; or a not-for-profit charity that provides several programs, each funded from different sources, but all providing services to the elderly such as delivered meals, community center operations, adult daycare, and wellness programs. Typically, these outcomes are a social benefit. Some of these programs are of a specific duration, while others are renewed on a periodic basis depending on continued funding and the successful management of the program to achieve the desired outcomes.

In an examination for fraud in such entities, it’s typically not the core projects or programs themselves that are the object of the review; it’s the management of the program. Managers are engaged to operate such programs consistent with the program’s scope and budget. The opportunity for fraud in these programs will vary in several specific aspects: by the independence provided to the program manager, by the organizational structure of the program, and by the level of oversight by the funding source. These three elements make the conduct of a fraud examination of program management different from that of investigations for fraud in the typical core business functions of enterprises like those involved in manufacturing or retail trade. The fraud schemes will be similar because of the ACFE defined primary fraud classifications that apply to almost all organizations, but the key is how they’ve been adapted by program management.

The three primary classifications of fraud that are most common in program management fraud are schemes related to asset misappropriation, corruption, and financial statement reporting.

With asset misappropriation, the fraudulent action most commonly involved is embezzlement, not just simple theft of funds.  While they are both criminal actions, embezzlement has a specific meaning. Black’s Law Dictionary states it best: “the fraudulent taking of private property with which one has been entrusted, especially as a fiduciary.” It really is a matter of intent.
Examples of some inherent fraud schemes and of how these schemes are carried out within a program are:

False expenditures:

— The program is not being conducted, but funds are being expended. This sounds like the classic shell company scam, except a program rather than a for profit business is being exploited. The program by itself is legitimate, but it’s the intent of management that makes it a fraud;

–The program is not performed to its completion; however, the funds are fully expended. The decision to be made is whether the intent was to embezzle funds throughout the program or if there are other underlying reasons as to why the program wasn’t completed that resulted in the embezzlement of the funds;

–The program budget does not allow for program completion. Is this a case of bad budgeting or the use of budgeting with the intent to embezzle;

–The work plan is partially or wholly fictitious. It’s important for the examiner to keep in mind that some programs involve work that is so technologically or scientifically complex that it can be difficult for the examiner to understand just what the objective is.

Overbilling:

Unlike false expenditures, the use of overbilling within programs is more of a means to commit the fraudulent act of embezzlement within the program’s specific functions rather than within the overall program as with false expenditures. Specifically, overbilling schemes are found associated with misuse of time or assets by staff or with expenditures not used in an approved manner. For example:

–Staff members are performing non-program duties. Often, personnel are pulled from one program to work on another. There are many reasons for why this decision is made, but was the funding for that amount of personnel intentionally requested with the purpose of using personnel on another program that is not entitled to receive the funding for additional staff members?

–Staff members are misrepresenting the performance of the program. Often, staff will show the project to be operating on a level that seemingly should require more resources. The project is really operating on a lower level of resources, and whoever has the authority to bill uses that authority to overbill.

–Staff members are hired who are not qualified to perform program duties. Many times, often with large grant monies involved, the program manager hires friends or relatives, or perhaps there is such a strict time frame involved with the funding that management will hire a warm body just to fill the approved slot. In both cases, proper vetting procedures should be in place, even though the granting authority may not require them.

–As with staffing, funds are often redirected to other programs for similar reasons.

–Funds expended are not consistent with the proposed budget. The CFE should ask why the budget is out of line with expenditures? Is the approved budget in use, or was it just prepared as window-dressing for a grant proposal?

–Funds are expended that are not consistent with the governing cost principles. The classic example is the outrageous amounts the military spends on commonly used items, like the $5,000 toilet seat the ACFE originally told us about.

–The program is not completed, but the funding has been expended. Embezzlement can occur within the framework of asset misappropriation or overbilling, but because programs can differ in their objectives to a large degree, the vulnerability is greater to asset misappropriation schemes than to schemes involving overbilling.

Program Reporting:

Financial reporting and program reporting are two different things. Financial reporting can be a component of program reporting, but not the other way around. Many funded projects have strict guidelines on how to report project performance.  Like a disease that goes undetected because everything checked out in a physical exam, ethically challenged program managers find subtle ways to misrepresent performance, either to hide misuse of funds or just to indicate program success when there is none.
For example:

–The status of the project is falsely reported. This type of program reporting misstatement is typically done to give the illusion that the project’s objectives will be met to continue the objective of an uninterrupted steam of funding.

–The program results are falsely reported. The difference between project status and program results may not be apparent at first glance. The motivation is the same in that both are done to hide fraud. The false reporting of program status is typically done to keep funds ongoing throughout the project; the falsification of program results is typically done to ensure renewal of funding for another year or for a period of years. The project type will typically determine the likelihood of which type of false reporting is occurring.

–Improper criteria are used to measure performance. This concerns overall performance as opposed to financial performance. Given that funded projects can be difficult to understand considering the complexity of the activity being performed, performance measurement criteria can be manipulated because of the inherently complicated nature of the basic project. No one understands the project, so how can anyone know whether it’s succeeding? This phenomenon is commonly encountered if the project is divided into so many subparts that no one person, except the project manager, knows with certainty just how it’s proceeding.

–Program accomplishments are falsely reported. How many times have newspapers parroted the declaration from a non-profit that their program provided such and such a level of service to the indigent?  How do readers know if the program’s actual goal (and related funding) wasn’t to provide services to a level of recipients three times the amount reported?

–Operating statistics are manipulated to provide false results. Operating statistics are not financial statistics. An example would be a program that provides meals to the homebound elderly. An amount of payment by those receiving the meals is suggested. However, the government reimbursement for those meals deducts any amount contributed by the elderly being served. The project manager may manipulate the statistics to give more weight to the fixed-income, city-dwelling elderly it services, because such recipients are usually unable to pay anything for their delivered meals.

In summary, in approaching the fraud examination of non-profit entities, it’s not the overall programs themselves that are typically fraudulent, meaning that examinations don’t have to start with a determination of whether the entity is real or a shell. Fraud is committed by people, not programs or business systems; they are the tools of fraud. The ultimate funding source of programs are people as well, whether taxpayers (in the case of Federal or State governments) or private citizens (in the case of private charities).   It is not only the vast amount of funding that can flow to not-for-profit programs that constitutes the justification for combating fraud committed by the management of such programs. Programs that rely on funding as non-profits are typically entities that are established to provide a public benefit; to fill in the gaps for services and products not provided through any other means. So, the occurrence of fraud in these programs, no matter the size of the program or the fraud, is an especially heinous act given the loss of social benefit that results. For that reason alone, the examination of program management by CFEs is vital to the public interest.

The Sword of Damocles

The media provide us with daily examples of the fact that technology is a double-edged sword. The technological advancements that make it easy for people with legitimate purposes to engage with our client businesses and governmental agencies also provide a mechanism for those bent on perpetrating theft and frauds of all kinds.

The access to services and information that customers have historically demanded has opened the flood gates through which disgruntled or unethical employees and criminals enter to commit fraud. Criminals are also exploiting the inadequacies of older fraud management policies or, in some instances, the overall lack thereof. Our parent organization, the Association of Certified Fraud Examiners (ACFE) has estimated that about 70 percent of all companies around the world experienced some type of fraud in 2016, with total global losses due to fraud exceeding US $4 trillion annually and expected to rise continually.  Organizations have incurred, on average, the loss of an estimated 7 percent of their annual revenues to fraud, with $994 billion of that total in the US alone. The ACFE has also noted that the frauds reported lasted a median length of 18 months before being detected. In addition to the direct impact of revenue loss, fraud erodes customer satisfaction and drains investments that could have been directed to corporate innovation and growth. Organizations entrusted with personally identifiable information are also held directly accountable in the eyes of the public for any breach. Surveys have shown that about one-third of fraud victims avoid merchants they blame for their victimization.

We assurance professionals know that criminals become continuously more sophisticated and the fraud they perpetrate increasingly complex. In response, the requirements for fraud risk management have significantly changed over the last few years. Fraud risk management is now not a by-product, but a purposeful choice intended to mitigate or eliminate an organizations’ exposure to the ethically challenged. Fraud risk management is no longer a “once and done” activity, but has become an on-going, ideally concurrent, program. As with all effective processes, it must be performed according to some design. To counter fraud, an organization must first understand its unique situation and the risk to which it may be exposed. This cannot be accomplished in a vacuum or through divination, but through structured analysis of an organization’s current state. Organizations are compelled by their increasingly cyber supported environments to establish an appropriate enterprise fraud risk management framework aligned with the organization’s strategic objectives and supported by a well-planned road map leading the organization to its properly defined target state of protection. Performing adequate analysis of the current state and projecting the organization goals considering that desired state is essential.  Analysis is the bedrock for implementation of any enterprise fraud risk management framework to effectively manage fraud risk.

Fraud risk management is thus both a top-down and a bottom-up process. It’s critical for an organization to establish and implement the right policies, processes, technology and supporting components within the organization and to diligently enforce these policies and processes collaboratively and consistently to fight fraud effectively across the organization. To counter fraud at an enterprise level, organizations should develop an integrated counter fraud program that enables information sharing and collaboration; the goal is to prevent first, detect early, respond effectively, monitor continuously and learn constantly. Counter fraud experience in both the public and for-profit sectors has resulted in the identification of a few critical factors for the successful implementation of enterprise-wide fraud risk management in the present era of advanced technology and big data.

The first is fraud risk management by design. Organizations like the ACFE have increasingly acknowledged the continuously emerging pattern of innovative frauds and the urgency on the part of all organizations to manage fraud risk on a daily, concurrent basis.  As a result, organizations have attempted implementation of the necessary management processes and solutions. However, it is not uncommon that our client organizations find themselves lacking in the critical support components of such a program.  Accordingly, their fraud risk mitigation efforts tend to be poorly coordinated and, sometimes, even reactionary. The fraud risk management capabilities and technology solutions in place are generally implemented in silos and disconnected across the organization.  To coordinate and guide the effort, the ACFE recommends implementation of the following key components:

— A rigorous risk assessment process — An organization must have an effective fraud risk assessment process to systematically identify significant fraud risk and to determine its individual exposure to such risk. The assessment may be integrated with an overall risk assessment or performed as a stand-alone exercise, but it should, at a minimum, include risk identification, risk likelihood, significance assessment and risk response; a component for fraud risk mitigation and implementation of compensating controls across the critical business processes composing the enterprise is also necessary for cost-effective fraud management.

–Effective governance and clearly defined organizational responsibilities — Organizations must commit to an effective governance process providing oversight of the fraud management process. The central fraud risk management program must be equipped with a clear charter and accountability that will provide direction and oversight for counter fraud efforts. The fraud risk must be managed enterprise-wide with transparency and communication integrated across the organization. The formally designated fraud risk program owner must be at a level from which clear management guidelines can be communicated and implemented.

–An integrated counter fraud framework and approach — An organization-wide counter fraud framework that covers the complete landscape of fraud management (from enterprise security, authentication, business process, and application policy and procedure controls, to transaction monitoring and management), should be established. What we should be looking for as CFEs in evaluating a client’s program is a comprehensive counter fraud approach to continually enhance the consistency and efficacy of fraud management processes and practices.

–A coordinated network of counter fraud capabilities — An organization needs a structured, coordinated system of interconnected capabilities (not a point solution) implemented through management planning and proper oversight and governance. The system should ideally leverage the capabilities of big data and consider a broad set of attributes (e.g., identity, relationships, behaviors, patterns, anomalies, visualization) across multiple processes and systems. It should be transparent across users and provide guidance and alerts that enable timely and smart anti-fraud related decisions across the organization.

Secondly, a risk-based approach. No contemporary organization gets to stand still on the path to fraud risk management. Criminals are not going to give organizations a time-out to plug any holes and upgrade their arsenal of analytical tools. Organizations must adopt a risk-based approach to address areas and processes of highest risk exposures immediately, while planning for future fraud prevention enhancements. Countering fraud is an ongoing and continually evolving process, and the journey to the desired target state is a balancing act across the organization.

Thirdly, continual organizational collaboration and systemic learning. Fraud detection and prevention is not merely an information-gathering exercise and technology adoption, but an entire life cycle with continuous feedback and improvement. It requires the organization’s commitment to, and implementation of continual systemic learning, data sharing, and communication. The organization also needs to periodically align the enterprise counter fraud program with its strategic plan.

Fourthly, big data and advanced analytics.  Technological breakthroughs and capabilities grounded in big data and analytics can help prevent and counter fraudulent acts that impact the bottom line and threaten brand value and customer retention. Big data technology can ingest data from any source, regardless of structure, volume or velocity. It can harness, filter and sift through terabytes of data, whether in motion or at rest, to identify and relate the elements of information that really matter to the detection of on-going as well as of potential frauds. Big data off-the-shelf solutions already provide the means to detect instances of fraud, waste, abuse, financial crimes, improper payments, and more. Big data solutions can also reduce complexity across lines of business and allow organizations to manage fraud pervasively throughout the entire life cycle of any business process.

In summary, smart organizations manage the sword of potential fraud threats with well-planned road maps supported by proper organization and governance.  They analyze their state to understand where they are, and implement an integrated framework of standard management processes to provide the guidance and methodology for effective, ethics based, concurrent anti-fraud practice. The management of fraud risk is an integral part of their overall risk culture; a support system of interconnected counter fraud capabilities integrated across systems and processes, enabled by a technology strategy and supporting formal enterprise level oversight and governance.

Internal Auditors as Fraud Auditors

Although fraud prevention is always more effective and less costly than fraud detection (and subsequent investigation), unfortunately prevention is not always possible. That’s why, as CFE’s and forensic accountants we should all be heavy promoters (and supporters) of client internal audit functions.  That is also why we should make it a goal that all employees of our client companies be trained in how to identify the major red flags of fraud they may encounter in their daily activities. Mastering key detection techniques is doubly essential for the internal audit and financial professionals employed by those same enterprises. Our Chapter has long preached that once internal auditors and financial managers know what to look for, there is an enhanced chance that fraud or suspicious activity will be detected one way or another, but only if the organization has the proper monitoring, reporting, and auditing procedures in place.

With that said, many organizations require internal audits of specific business processes and units only once every two or three years. In an age when so much can change so quickly in an internet dominated world, this approach is not the most effective insofar as fraud detection and prevention are concerned. This is especially so because conventional audits were most often not designed to detect fraud in the first place, usually focusing on specified groups of internal controls or compliance with existing policies, laws and regulations. That’s why the ACFE and Institute of Internal Auditors (IIA) now recommend that a fraud risk assessment (FRA) be conducted annually and that the fraud-auditing procedures designed to detect red flags in the high-risk areas identified by the FRA be incorporated into internal audit plans immediately.

There is often a fine line between detection and prevention. In fact, some detection steps overlap with prevention methods, as in the case of conflict of interest, where enforcing a management financial disclosure policy may both detect conflicting financial interests and prevent frauds resulting from them by virtue of the actual detection of the relationships. In most organizations, however, carefully assessing the description of prevention and detection controls demonstrates that there is usually a clear distinction between the two.

The IIA tell us that the internal audit function is a critical element in assessing the effectiveness of an institution’s internal control system. The internal audit consists of procedures to prevent or identify significant inaccurate, incomplete, or unauthorized transactions; deficiencies in safeguarding assets; unreliable financial reporting; and deviations from laws, regulations, and institutional policies. When properly designed and implemented, internal audits provide directors and senior management with timely information about weaknesses in the internal control system, facilitating prompt remedial action. Each institution should have an internal audit function appropriate to its size and the nature and scope of its activities.

This is a complex way of saying that our client’s internal audit function should focus on monitoring the institution’s internal controls, which, although not mentioned explicitly, include controls specifically designed to prevent fraud.  To effectively assess anti-fraud controls, auditors first must exercise detection techniques and procedures that confirm the existence of red flags or actual evidence of potential fraud in the risk areas identified by the FRA.

The Chief Internal Auditor is typically responsible for the following:

–Performing, or contracting for, a control risk assessment documenting the internal auditor’s understanding of significant business activities and associated risks. These assessments typically analyze the risks inherent in each business line, the mitigating control processes, and the resulting residual risk exposure;

–An internal audit plan responsive to results of the control risk assessment. This plan typically specifies key internal control summaries within each business activity, the timing and frequency of internal audit work, and the resource budget;

–An internal audit program that describes audit objectives and specifies procedures performed during each internal audit review;

–An audit report presenting the purpose, scope, and results of each audit. Work papers should be maintained to document the work performed and support audit findings.

There is a joint ACFE-IIA-AICPA document with which every CFE should be familiar.  ‘The Business Risk of Fraud’ provides clarity about the internal auditor’s role in detecting fraud in our client organization’s operations and financial statements. Specifically, the document states that internal auditors should consider the organization’s assessment of fraud risk when developing their annual audit plan and periodically assess management’s fraud detection capabilities. They should also interview and regularly communicate with those conducting the assessments, as well as with others in key positions throughout the company, to help them assess whether all fraud risks have been considered. Moreover, according to the document, when performing audits, internal auditors should devote sufficient time and attention to evaluating the “design and operation” of internal controls related to preventing and detecting significant fraud risks. They should exercise professional skepticism when reviewing activities to be on guard for the signs of potential fraud. Potential frauds uncovered during an engagement should be treated in accordance with a well-defined response plan consistent with professional and legal standards.

Among the most helpful guides for CFEs to recommend to clients for their internal auditors use in planning a detailed audit to detect fraud is the all-important SAS 99 which contains key fraud detection techniques including guidance on the performance of certain financial ratio analysis. Analytical procedures performed during planning may be helpful in identifying the risks of material misstatement due to fraud. However, because such analytical procedures generally use data aggregated at a high level, the results of those analytical procedures provide only a broad initial indication about whether a material misstatement of the financial statements may exist. Accordingly, the results of analytical procedures performed during planning should be considered along with other information gathered by the auditor in identifying the risks of material misstatement due to fraud.

SAS 99 was formulated with the aim of detecting fraud that has a direct impact on “material misstatement.” Essentially this means that anything in the organization’s financial activities that could result in fraud-related misstatements in its financial records should be audited for by using SAS 99 as a guide. SAS 99 breaks down the potential fraudulent causes of material misstatement into two categories:

1. Misstatement due to fraudulent financial reporting (i.e., “book cooking”);

2. Misstatement due to misappropriation of assets (i.e., theft).

The fraud auditing procedures of SAS 99, or of any other reputable audit guidance, can greatly assist internal auditors in distinguishing between actual fraud and error. Often the two have similar characteristics, with the key difference being that of the existence or absence of intent. Toward this end, SAS 99 and other key fraud auditing guidelines provide detailed procedures for gathering evidence of potential fraud based on the lists of fraud risks resulting from the client’s FRA. As SAS 99 states:

‘SAS 99. . . strongly recommend[s] direct involvement by internal auditors in the organization’s fraud-auditing efforts: Internal auditors may conduct proactive auditing to search for corruption, misappropriation of assets, and financial statement fraud. This may include the use of computer-assisted audit techniques to detect types of fraud. Internal auditors also can employ analytical and other procedures to isolate anomalies and perform detailed reviews of high-risk accounts and transactions to identify potential financial statement fraud. The internal auditors should have an independent reporting line directly to the audit committee, enabling them to express any concerns about management’s commitment to appropriate internal controls or to report suspicions or allegations of fraud involving senior management.

Specifically, SAS 99 provides a set of audit responses designed to gather hard evidence of potential fraud that could exist based on what the client organization learned from its FRA. These responses are critical to the auditor’s success in identifying clear red flags of potential fraud in our client’s operations. The responses are wide ranging and include anything from the application of appropriate ratio analytics, to thorough and detailed testing of controls governing specific business process procedures, to the analysis of anomalies in vendor or customer account activity. There are three broad categories into which such detailed internal audit fraud auditing responses fall:

1. The nature of auditing procedures performed may need to be changed to obtain evidence that is more reliable or to obtain additional corroborative information;
2. The timing of substantive tests may need to be modified. The auditor might conclude that substantive testing should be performed at or near the end of the reporting period to best address an identified risk of material misstatement due to fraud;
3. The extent of the procedures applied should reflect the assessment of the risks of material misstatement due to fraud. For example, increasing sample sizes or performing analytical procedures at a more detailed level may be appropriate.

The contribution of a fully staffed and management-supported internal audit function to a subsequent CFE conducted fraud examination can be extraordinary and its value never overstated; no client fraud prevention and detection program should ever be considered complete without one.

A Blueprint for Fraud Risk Assessment

It appears that several of our Chapter members have been requested these last few months to assist their employers in conducting several types of fraud risk assessments. They usually do so as the Certified Fraud Examiner (CFE) member of their employing company’s internal audit-lead assessment team.   There is a consensus emerging among anti-fraud experts that conducting a fraud risk assessment (FRA) is critical to the process of detecting, and ultimately designing controls to prevent the ever-evolving types of fraud threatening organizations.

The ACFE tells us that FRAs do not necessarily specify what types of fraud are occurring in an organization. Instead, they are designed to focus detection efforts on specific fraud schemes and scenarios that could occur as well as on incidents that are known to have occurred in the past. Once these are identified, the audit team can proceed with the series of basic and specific fraud detection exercises that broad experience has shown to be effective. The objective of these exercises is to hopefully reveal the specific fraud schemes to which the organization is most exposed. This information will enable the organization’s audit team to recommend to management and to support the implementation of antifraud controls designed to address exactly those risks that have been identified.  It’s important to emphasize that fraud risk assessments are not meant to prevent fraud directly in and of themselves. They are exercises for identifying those specific fraud schemes and scenarios to which an organization is most vulnerable. That information is in turn used to conduct fraud audit exercises to highlight the circumstances that have allowed actual, known past frauds to occur or to blueprint future frauds that could occur so that the necessary controls can be put in place to prevent similar future illegal activity.

In the past, those FRAs that were conducted were usually performed by the firm’s external auditors. Increasingly, however, internal audit departments are being pressured by senior management to conduct FRAs of their own. Since internal audit departments are increasingly employing CFEs or have their expertise available to them through other company departments (like loss prevention or security), this effort can be effective since internal auditors have the tenure and experience with their organizations to know better than anyone how its financial and business operations function and can understand more readily how fraud could occur in particular processes, transactions, and business cycles.

Internal audit employed CFE’s and CIA’s aren’t involved by requirement of their professional standards in daily operations and can, therefore, provide an independent check on their organization’s overall risk management process. Audits can be considered a second channel of information on how well the enterprise’s anti-fraud controls are functioning and whether there are any deficiencies that need to be corrected.  To ensure this channel remains independent, it is important that the audit function report directly to the Audit Committee or to the board of directors and not to the chief executive officer or company president who may have responsibility for her company’s internal controls.

The Institute of Internal Auditors has endorsed audit standards that outline the techniques and procedures for conducting an FRA, specifically those contained in Statement of Auditing Standards 99 (SAS 99). By this (and other) key guidelines, an FRA is meant to assist auditors and/or fraud examiners in adjusting their audit and investigation plans to focus on gathering evidence of potential fraud schemes and scenarios identified by the FRA.

Responding to FRA findings requires the auditor to adjust the timing, nature, and extent of testing in such ways as:

• Performing procedures at physical locations on a surprise or unannounced basis by, for example, counting cash at different subsidiary locations on a surprise basis or reviewing loan portfolios of random loan officers or divisions of a savings and loan on a surprise basis;
• Requesting that financial performance data be evaluated at the end of the reporting period or on a date closer to period-end, in order, for example, to minimize the risk of manipulation of records in the period between the dates of account closings and the end of the reporting period;
• Making oral inquiries of major customers and vendors in addition to sending written confirmations, or sending confirmation requests to a specific party within vendor or customer organization;
• Performing substantive analytical procedures using disaggregated data by, for example, comparing gross profit or operating margins by branch office, type of service, line of business, or month to auditor-developed expectations;
• Interviewing personnel involved in activities in areas where a risk of material misstatement due to fraud has been identified in the past (such as at the country or regional level) to obtain their insights about the risk and how controls could address the risk.

CFE team members can make a substantial contribution to the internal audit lead team effort since it’s essential that financial operations managers and internal audit professionals understand how to conduct an FRA and to thoroughly assess the organization’s exposure to specific frauds. That contribution can add value to management’s eventual formulation and implementation of specific, customized controls designed to mitigate each type of fraud risk identified in the FRA. These are the measures that go beyond the basic, essential control checklists followed by many external auditors; they optimize the organization’s defenses against these risks. As such, they must vary from organization to organization, in accordance with the particular processes and procedures that are identified as vulnerable to fraud.

As an example, company A may process invoices in such a tightly controlled way, with double or triple approvals of new vendors, manual review of all invoices, and so on, that an FRA reveals few if any areas where red flags of vendor fraud can be identified. Company B, on the other hand, may process invoices simply by having the appropriate department head review and approve them. In the latter case, an FRA would raise red flags of potential fraud that could occur through double billing, sham company schemes, or collusion between a dishonest vendor and a company insider. For that reason, SAS 99 indicates that some risks are inherent in the environment of the entity, but most can be addressed with an appropriate system of internal control. Once fraud risk assessment has taken place, the entity can identify the processes, controls, and other procedures that are needed to mitigate the identified risks. Effective internal controls will include a well-developed control environment, an effective and secure information system, and appropriate control and monitoring activities. Because of the importance of information technology in supporting operations and the processing of transactions, management also needs to implement and maintain appropriate controls, whether automated or manual, over computer generated information.

The ACFE tells us that the heart of an effective internal controls system and the effectiveness of an anti-fraud program are contingent on an effective risk management assessment.  Although conducting an FRA is not terribly difficult, it does require careful planning and methodical execution. The structure and culture of the organization dictate how the FRA is formulated. In general, however, there is a basic, generally accepted form of the FRA that the audit and fraud prevention communities have agreed on and about which every experienced CFE is expected to be knowledgeable. Assessing the likelihood and significance of each potential fraud risk is a subjective process that should consider not only monetary significance, but also significance to an organization’s reputation and its legal and regulatory compliance requirements. An initial assessment of fraud risk should consider the inherent risk of a particular fraud in the absence of any known controls that may address the risk. An organization can cost-effectively manage its fraud risks by assessing the likelihood and significance of fraudulent behavior.

The FRA team should include a senior internal auditor (or the chief internal auditor, if feasible) and/or an experienced inside or outside certified fraud examiner with substantial experience in conducting FRAs for organizations in the company’s industry.  The management of the internal audit department should prepare a plan for all the assignments to be performed. The audit plan includes the timing and frequency of planned internal audit work. This audit plan is based on a methodical control risk assessment A control risk assessment documents the internal auditor’s understanding of the institution’s significant activities and their associated risks. The management of the internal audit department should establish the principles of the risk assessment methodology in writing and regularly update them to reflect changes to the system of internal control or work process, and to incorporate new lines of business. The risk analysis examines all the entity’s activities, and the complete internal control system. Based on the results of the risk analysis, an audit plan for several years is established, considering the degree of risk inherent in the activities. The plan also considers expected developments and innovations, the generally higher degree of risk of new activities, and the intention to audit all significant activities and entities within a reasonable time period (audit cycle principle for example, three
years). All those concerns will determine the extent, nature and frequency of the assignments to be performed.

In summary…

• A fraud risk assessment is an analysis of an organization’s risks of being victimized by specific types of fraud;
• Approaches to FRAs will differ from organization to organization, but most FRAs focus on identifying fraud risks in six key categories:
— Fraudulent financial reporting;
— Misappropriation of assets;
— Expenditures and liabilities for an improper purpose;
— Revenue and assets obtained by fraud;
— Costs and expenses avoided by fraud;
— Financial misconduct by senior management.
• A properly conducted FRA guides auditors in adjusting their audit plans and testing to focus specifically on gathering evidence of possible fraud;
• The capability to conduct an FRA is essential to effective assessment of the viability of existing anti-fraud controls and to strengthen the organization’s inadequate controls, as identified by the results of the FRA;
• In addition to assessing the types of fraud for which the organization is at risk, the FRA assesses the likelihood that each of those frauds might occur;
• After the FRA and subsequent fraud auditing work is completed, the FRA team should have a good idea of the specific controls needed to minimize the organization’s vulnerability to fraud;
• Auditing for fraud is a critical next step after assessing fraud risks, and this requires auditing for evidence of frauds that may exist according to the red flags identified by the FRA.

First Steps to Prosecution

A recent study sponsored by the financial trade press indicated some haziness among assurance professionals generally about the precise mechanism(s) underlying the process by which the authorities make the initial decision to prosecute or not to prosecute alleged financial statement fraud.

In the U.S. federal system, a criminal investigation of fraudulent financial reporting can originate in all sorts of ways. An investigation may be initiated because of a whistleblower, an anonymous tip, information supplied by a conscientious or guilt-ridden employee, or facts discovered during a routine annual audit of the company’s financial statements. In addition, the company’s public disclosure of financial misstatements may itself lead to the commencement of a criminal investigation. However initially initiated, the decision to start a criminal investigation is entirely within the discretion of the United States Attorney in each federal district.

For the prosecutor, the decision whether to open an investigation can be difficult. The main reason is the need for the prosecutor to establish criminal intent, that is, that the perpetrator not only got the accounting wrong but did so willfully. Often, bad accounting will be the result of judgment calls, which can be defended as exactly that, executive determinations or judgement calls that, while easy to second guess with the benefit of hindsight, were made in good faith at the time. Thus, a prosecutor evaluating the viability of a criminal prosecution will be looking for evidence of conduct so egregious that the perpetrator must have known it was wrong. This is not to suggest that evidence of a wrongful intent is the only consideration. A prosecutor’s exercise of his or her prosecutorial discretion may consider all kinds of factors in deciding whether criminal inquiry is warranted. Those factors may include the magnitude and nature of the accounting misstatements, whether individuals personally benefited from the misstatements or acted pursuant to the directive of a superior, whether documents were fabricated or destroyed, the probable deterrent or rehabilitative effect of prosecution, and the likelihood of success at trial. The availability of governmental resources may also be a factor.

Where the putative defendant is a corporation, partnership, or other business organization, a more settled set of factors come into play:

–The nature and seriousness of the offense, including the risk of harm to the public, and applicable policies and priorities, if any, governing the prosecution of corporations for certain categories of crime;
–The pervasiveness of wrongdoing within the corporation, including the complicity in, or the condoning of, the wrongdoing by corporate management;
–The corporation’s history of similar misconduct, including prior criminal, civil, and regulatory enforcement actions against it;
–The corporation’s timely and voluntary disclosure of wrong-doing and its willingness to cooperate in the investigation of its agents;
–The existence and effectiveness of the corporation’s preexisting compliance program;
–The corporation’s remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one, to replace responsible management, to discipline or terminate wrongdoers, to pay restitution, and to cooperate with the relevant government agencies;
–Collateral consequences, including whether there is disproportionate harm to shareholders, pension holders, employees, and others not proven personally culpable, as well as the impact on the public arising from the prosecution;
–The adequacy of the prosecution of individuals responsible for the corporation’s malfeasance;
–The adequacy of remedies such as civil or regulatory enforcement actions.

However, a prosecutor gets there, once s/he determines to commence a criminal investigation, there is no doubt that those who are its targets will quickly come to view it as a priority over everything else. The government’s powers to investigate are broad, and, once a determination to go forward is made, the full resources of the government, including the FBI, can be brought to bear. The criminal sentences resulting from a successful prosecution can be severe if not excessive, particularly considering the enhanced criminal sentences put in place by Sarbanes-Oxley.  The ACFE reports that one midlevel executive at a company who elected to proceed to trial was convicted and received a prison sentence of 24 years. The fact that the sentence was subsequently set aside on appeal does little to mitigate the concern that such a sentence could be imposed upon a first-time, nonviolent offender whose transgression was a failure to apply generally accepted accounting principles.

Typically, a company learns that it is involved in a criminal investigation when it receives a grand jury subpoena, in most instances a subpoena duces tecum, compelling the company or its employees to furnish documents to the grand jury. In an investigation of fraudulent financial reporting, such a subpoena for documents may encompass all the files underlying the company’s publicly disseminated financial information, including the records underlying the transactions at issue and related emails.

For a CFE’s client company counsel and for the company’s executives generally, the need to respond to the subpoena presents both an opportunity and a dilemma. The opportunity stems from the company’s ability, in responding to the subpoena, to learn about the investigation, an education process that will be critical to a successful criminal defense. The dilemma stems from the need to assess the extent to which active and complete cooperation should be pledged to the prosecutor at the outset. The formulation of a response to a criminal subpoena, therefore, constitutes a critical point in the investigatory process. Those involved are thereby placed in the position of needing to make important decisions at an early stage that can have lasting and significant effects.  The CFE can support them in getting through this process.

Once an initial review of the subpoena and its underlying substance is complete, one of the first steps in formulating a response is often for company counsel to make a phone call to the prosecutor to make appropriate introductions and, to the extent possible, to seek background information regarding the investigation. In this initial contact, the prosecutor will be understandably guarded. Nonetheless, some useful information will frequently be shared. A general impression may be gained about the scope and focus of the investigation and the timing of additional subpoenas and testimony. Thereafter, it is not unusual for an initial meeting to be arranged to discuss in greater detail the company’s response. One benefit of such a meeting is that some level of additional information may be forthcoming.

From the outset, company counsel will be undertaking a process that will be ongoing throughout the criminal proceedings: learning as much as possible about the prosecutor’s case. The reason is that, unlike a civil case, in which broad principles of discovery enable the defendants to learn the details of the adversary’s evidence, the procedural rules of a criminal investigation result in much greater secrecy. Less formal methods of learning the details of the prosecutor’s case, therefore, are critical. In these initial contacts, the establishment of a sound foundation for the company’s dealings with the prosecutor is an important aspect of the investigation. To state it simply, CFE’s should always support that those dealings be premised on a foundation of candor.

Although it may be appropriate at various stages to decline to discuss sensitive matters, counsel should avoid making a factual statement on any subject about which it may be incompletely or inaccurately informed. This admonition applies to subjects such as the existence and location of files, the burden of producing documents, and the availability of witnesses. It also applies to more substantive matters bearing on the guilt or innocence of parties. CFE’s should, again, counsel their clients that a relationship with the prosecutor based on trust and confidence is key.

The judgment regarding the extent of cooperation with the prosecutor can be a tough one. Unlike in a civil proceeding, where cooperation with regulatory authorities (such as the SEC) is generally the preferred approach, the decision to cooperate with the government in a criminal investigation may be much more difficult, insofar as a subsequent effort to oppose the government (should such a change of approach be necessary) would be impeded by the loss of a significant tactical advantage, the loss of surprise. In criminal cases, the government is not afforded the same broad rights of discovery available in civil proceedings. It is entirely possible for a prosecutor to have no significant knowledge of the defense position until after the start of a trial. On the other hand, the privileges available to a corporation are limited. There is, most importantly, no Fifth Amendment privilege against self-incrimination for companies.  Furthermore, almost any kind of evidence, even evidence that would be inadmissible at trial, except for illegal wiretaps or privileged material, can be considered by a grand jury. Therefore, the company’s ability to oppose a grand jury investigation is limited, and the prosecutor may even consider a company’s extensive zeal in opposition to constitute obstruction of justice. Moreover, the prosecutor’s ultimate decision about indictment of the company may be affected by the extent of the company’s cooperation. And corporate management may wish to demonstrate cooperation as a matter of policy or public relations.

One issue with which a company will need to wrestle is whether it is appropriate for a public company or its executives to do anything other than cooperate with the government. On this issue, it is useful for executives to appreciate that the U.S. system of justice affords those being investigated certain fundamental rights, and it is not unpatriotic to take advantage of them. As to individuals, one of the most basic of these rights is the Fifth Amendment privilege against self-incrimination. Insofar as, in fraud cases, guilt can be established through circumstantial evidence, executives need to keep in mind that it demonstrates no lack of civic virtue to take full advantage of constitutional protections designed to protect the innocent.

A challenge is that many of these judgments regarding cooperation must be made at the outset when the company’s information is limited. Often the best approach, at least as a threshold matter, will be one of courteous professionalism, meaning respect for one’s adversary and reasonable accommodation pending more informed judgments down the road. Premature expressions of complete cooperation are best avoided as a subsequent change in approach can give rise to governmental frustration and anger.

Following the initial steps of the grand jury subpoena and the preliminary contact with the prosecutor, CFE’s are uniquely positioned to assist corporate counsel and management in the remaining stages of the criminal investigation of a financial crime:

–Production of documents;
–Grand jury testimony;
–Plea negotiations (if necessary);
–Trial (if necessary).

A CDC for Cyber

I remember reading somewhere a few years back that Microsoft had commissioned a report which recommended that the U.S. government set up an entity akin to its Center for Disease Control but for cyber security.  An intriguing idea.  The trade press talks about malware and computer viruses and infections to describe self -replicating malicious code in the same way doctors talk about metastasizing cancers or the flu; likewise, as with public health, rather than focusing on prevention and detection, we often blame those who have become infected and try to retrospectively arrest/prosecute (cure) those responsible (the cancer cells, hackers) long after the original harm is done. Regarding cyber, what if we extended this paradigm and instead viewed global cyber security as an exercise in public health?

As I recall, the report pointed out that organizations such as the Centers for Disease Control in Atlanta and the World Health Organization in Geneva have over decades developed robust systems and objective methodologies for identifying and responding to public health threats; structures and frameworks that are far more developed than those existent in today’s cyber-security community. Given the many parallels between communicable human diseases and those affecting today’s technologies, there is also much fraud examiners and security professionals can learn from the public health model, an adaptable system capable of responding to an ever-changing array of pathogens around the world.

With cyber as with matters of public health, individual actions can only go so far. It’s great if an individual has excellent techniques of personal hygiene, but if everyone in that person’s town has the flu, eventually that individual will probably succumb as well. The comparison is relevant to the world of cyber threats. Individual responsibility and action can make an enormous difference in cyber security, but ultimately the only hope we have as a nation in responding to rapidly propagating threats across this planetary matrix of interconnected technologies is to construct new institutions to coordinate our response. A trusted, international cyber World Health Organization could foster cooperation and collaboration across companies, countries, and government agencies, a crucial step required to improve the overall public health of the networks driving the critical infrastructures in both our online and our off-line worlds.

Such a proposed cyber CDC could go a long way toward counteracting the technological risks our country faces today and could serve a critical role in improving the overall public health of the networks driving the critical infrastructures of our world. A cyber CDC could fulfill many roles that are carried out today only on an ad hoc basis, if at all, including:

• Education — providing members of the public with proven methods of cyber hygiene to protect themselves;
• Network monitoring — detection of infection and outbreaks of malware in cyberspace;
• Epidemiology — using public health methodologies to study digital cyber disease propagation and provide guidance on response and remediation;
• Immunization — helping to ‘vaccinate’ companies and the public against known threats through software patches and system updates;
• Incident response — dispatching experts as required and coordinating national and global efforts to isolate the sources of online infection and treat those affected.

While there are many organizations, both governmental and non-governmental, that focus on the above tasks, no single entity owns them all. It is through these gaps in effort and coordination that cyber risks continue to mount. An epidemiological approach to our growing technological risks is required to get to the source of malware infections, as was the case in the fight against malaria. For decades, all medical efforts focused in vain on treating the disease in those already infected. But it wasn’t until epidemiologists realized the malady was spread by mosquitoes breeding in still pools of water that genuine progress was made in the fight against the disease. By draining the pools where mosquitoes and their larvae grow, epidemiologists deprived them of an important breeding ground, thus reducing the spread of malaria. What stagnant pools can we drain in cyberspace to achieve a comparable result? The answer represents the yet unanswered challenge.

There is another major challenge a cyber CDC would face: most of those who are sick have no idea they are walking around infected, spreading disease to others. Whereas malaria patients develop fever, sweats, nausea, and difficulty breathing, important symptoms of their illness, infected computer users may be completely asymptomatic. This significant difference is evidenced by the fact that the overwhelming majority of those with infected devices have no idea there is malware on their machines nor that they might have even joined a botnet army. Even in the corporate world, with the average time to detection of a network breach now at 210 days, most companies have no idea their most prized assets, whether intellectual property or a factory’s machinery, have been compromised. The only thing worse than being hacked is being hacked and not knowing about it. If you don’t know you’re sick, how can you possibly get treatment? Moreover, how can we prevent digital disease propagation if carriers of these maladies don’t realize they are infecting others?

Addressing these issues could be a key area of import for any proposed cyber CDC and fundamental to future communal safety and that of critical information infrastructures. Cyber-security researchers have pointed out the obvious Achilles’ heel of the modern technology infused world, the fact that today everything is either run by computers (or will be) and that everything is reliant on these computers continuing to work. The challenge is that we must have some way of continuing to work even if all the computers fail. Were our information systems to crash on a mass scale, there would be no trading on financial markets, no taking money from ATMs, no telephone network, and no pumping gas. If these core building blocks of our society were to suddenly give way, what would humanity’s backup plan be? The answer is simply, we don’t now have one.

Complicating all this from a law enforcement and fraud investigation perspective is that black hats generally benefit from technology long before defenders and investigators ever do. The successful ones have nearly unlimited budgets and don’t have to deal with internal bureaucracies, approval processes, or legal constraints. But there are other systemic issues that give criminals the upper hand, particularly around jurisdiction and international law. In a matter of minutes, the perpetrator of an online crime can virtually visit six different countries, hopping from server to server and continent to continent in an instant. But what about the police who must follow the digital evidence trail to investigate the matter?  As with all government activities, policies, and procedures, regulations must be followed. Trans-border cyber-attacks raise serious jurisdictional issues, not just for an individual police department, but for the entire institution of policing as currently formulated. A cop in Baltimore has no authority to compel an ISP in Paris to provide evidence, nor can he make an arrest on the right bank. That can only be done by request, government to government, often via mutual legal assistance treaties. The abysmally slow pace of international law means it commonly takes years for police to get evidence from overseas (years in a world in which digital evidence can be destroyed in seconds). Worse, most countries still do not even have cyber-crime laws on the books, meaning that criminals can act with impunity making response through a coordinating entity like a cyber-CDC more valuable to the U.S. specifically and to the world in general.

Experts have pointed out that we’re engaged in a technological arms race, an arms race between people who are using technology for good and those who are using it for ill. The challenge is that nefarious uses of technology are scaling exponentially in ways that our current systems of protection have simply not matched.  The point is, if we are to survive the progress offered by our technologies and enjoy their benefits, we must first develop adaptive mechanisms of security that can match or exceed the exponential pace of the threats confronting us. On this most important of imperatives, there is unambiguously no time to lose.

The Right Question, the Right Way

As every CFE knows, an integral part of the fraud examination process involves obtaining information from people. Regardless of the interview’s objective, all CFEs should embrace the role of interviewer and use the time-tested techniques recommended to us by the ACFE. But asking the right questions does not necessarily ensure key information will be uncovered; an effective interviewer also recognizes the need to separate truth from deception. Consequently, crafting effective questions, understanding the communication dynamics at play, actively participating in the interview process, and remaining alert to signs of deception will help examiners increase the effectiveness and efficiency of our interviews and of our overall engagements.

Some interviewers try to gather as much information using as few questions as possible and end up receiving convoluted or vague responses. Others seek confirmation of every detail, which can quickly turn an interview into an unproductive probing of minutia. Balancing thoroughness and efficiency is imperative to obtaining the necessary and relevant facts without overburdening the interviewee. Because the location of this line varies by interviewee, CFEs can find this balance most effectively by ensuring they ask only clear questions throughout the interview.

Some individuals might respond to a question in a way that doesn’t provide a direct answer or that veers off topic. Sometimes these responses are innocent; sometimes they are not. To make the most of an interview, examiners must remain in control of the situation, regardless of how the interviewee responds.  Being assertive does not require being impolite, however. In some instances, wording questions as a subtle command (e.g., “Tell me about…. or “Please describe….) can help establish the interview relationship. Additionally, remaining in control does not mean dissuading the interviewee from exploring pertinent topics that are outside the planned discussion points.  Interview questions can be structured in several ways, each with its own strengths, weaknesses, and ideal usage. Open questions ask the interviewee to describe or explain something. Most examination interviews should rely heavily on open questions, as these provide the best view of how things operate and the perspective of the staff member involved in a particular area. They also enable the reviewer to observe the interviewee’s demeanor and attitude, which can provide additional information about specific issues. However, if the CFE believes an individual might not stay on topic or may avoid providing certain information, open questions should be used cautiously.  In contrast, closed questions can be answered with a specific, definitive response, most often “yes” or “no.” They are not meant to provide the big picture but can be useful in gathering details such as amounts and dates. Examiners should use closed questions sparingly in an informational interview, as they do not encourage the flow of information as effectively as open questions.

Occasionally, the questioner might want to direct the interviewee toward a specific point or evoke a certain reply. Leading questions can be useful in such circumstances by exploring an assumption, a fact or piece of information, that the interviewee did not provide previously. When used appropriately, such questions can help the interviewer confirm facts that the interviewee might be hesitant to discuss. Examples of leading questions include: “So there have been no changes in the process since last year?” and “You sign off on these exception reports, correct?” If the interviewee does not deny the assumption, then the fact is confirmed. However,  before using leading questions, the interviewer should raise the topic with open questions and allow the interviewee the chance to volunteer information.

The examiner should establish and maintain an appropriate level of eye contact with the interviewee throughout the interview to personalize the interaction and build rapport. However, the appropriate level of eye contact varies by culture and even by person; consequently, the examiner should pay attention to the interviewee to determine the level of eye contact that makes him or her comfortable.

People tend to mirror each other’s body language subconsciously as a way of bonding and creating rapport. CFEs can help put interviewees at ease by subtly reflecting their body language. Further, the skilled interviewer can assess the level of rapport established by changing posture and by watching the interviewee’s response. This information can help CFEs determine whether to move into sensitive areas of questioning or to continue establishing a connection with the individual.

Confirming periodically that the examiner is listening can encourage interviewees to continue talking. For example, the interviewer can provide auditory confirmation with a simple “mmm hmmm” and nonverbal confirmation by nodding or leaning toward the interviewee during his or her response.

When the interviewee finishes a narrative response, the examiner can encourage additional information by echoing back the last point the person made. This confirms that the interviewer is actively listening and absorbing the information, and it provides a starting point for the person to continue the response.

Occasionally, the examiner might summarize the information provided to that point so that the interviewee can affirm, clarify, or correct the interviewer’s understanding.

Most often, the greatest impediment to an effective interview is the interviewer him or herself.  While it is clearly important for the interviewer to observe, to listen, and to assess the subject in a variety of ways, the role of the interviewer, and the effect he or she has on the interview process, cannot be minimized.

The interviewer typically focuses on the subject as the person who will provide the information he or she seeks. The interviewer concentrates on establishing rapport, listening effectively, analyzing the subject’s verbal and nonverbal communication, and gauging how much or how little the subject is telling her. These are valid areas of concentration for the interviewer. One significant risk is that the interviewer may pay too little attention to the negative influences s/he can bring to the interview, process. The terms interview and communication are interchangeable, and effective communication is a two-way street. What makes the interviewer an effective communicator and effective interviewer is not just the signals he or she picks up from the subject but also the signals, the information, the tone, and the body language he or she sends to the subject. It is highly presumptuous of the interviewer to think he or she has little or no effect on the subject and that the subject is not evaluating, assessing, and analyzing the interviewer.

The interviewer’s style of dress, jewelry, and grooming may tell the subject as much about the interviewer as does the interviewer’s demeanor. If the interviewer is overdressed for the occasion, does it make the subject feel inferior or intimidated? If too casual, does the interviewer send a signal of the lack of importance of the interview and, as a result, does the subject become too relaxed or not as attentive? Attire should have a desired effect. For example, when interviewing an enforcement officer or other professional who is familiar with uniforms and clothing as indicators of status, it may be appropriate to wear a coat and tie. In general, it is best to always to err on the side of conservative dress for the circumstances.

The examiner should not attempt to interview two or more persons at one time unless there is no other option. It is more difficult to control an interview with two or more subjects. One subject may be more dominant than the other. The subjects will influence each other’s memories. Some subjects will not want to embarrass themselves in front of a peer or supervisor. The environment for confidential communications will be adversely affected.

When the interviewer responds to the subject’s responses, he sends signals. At times, it might be advisable to not write notes down at the time the individual tells the interviewer something sensitive. Rather, the interviewer might consider devoting his attention to the subject and writing down the sensitive information after the conversation has moved away from the sensitive area.  The interviewer should never become argumentative, antagonistic, or belligerent. The use of the  “Good Cop, Bad Cop” routine can have unwanted results, especially long term. The CFE interviewer should use tact, speak clearly and with authority but without use of threatening language. The interviewer should consistently set a professional tone.

Finally, all individuals want to be shown respect. Maintaining the personal dignity of the subject is critical for the success of the interview and follow-up efforts. Everyone wants respect, from homeless persons to top executives. To be shown respect, especially if the subject is not accustomed to it, is disarming and contributes to that essential, professional tone.