Category Archives: Fraud Management

Internal Auditors as Fraud Auditors

Although fraud prevention is always more effective and less costly than fraud detection (and subsequent investigation), unfortunately prevention is not always possible. That’s why, as CFE’s and forensic accountants we should all be heavy promoters (and supporters) of client internal audit functions.  That is also why we should make it a goal that all employees of our client companies be trained in how to identify the major red flags of fraud they may encounter in their daily activities. Mastering key detection techniques is doubly essential for the internal audit and financial professionals employed by those same enterprises. Our Chapter has long preached that once internal auditors and financial managers know what to look for, there is an enhanced chance that fraud or suspicious activity will be detected one way or another, but only if the organization has the proper monitoring, reporting, and auditing procedures in place.

With that said, many organizations require internal audits of specific business processes and units only once every two or three years. In an age when so much can change so quickly in an internet dominated world, this approach is not the most effective insofar as fraud detection and prevention are concerned. This is especially so because conventional audits were most often not designed to detect fraud in the first place, usually focusing on specified groups of internal controls or compliance with existing policies, laws and regulations. That’s why the ACFE and Institute of Internal Auditors (IIA) now recommend that a fraud risk assessment (FRA) be conducted annually and that the fraud-auditing procedures designed to detect red flags in the high-risk areas identified by the FRA be incorporated into internal audit plans immediately.

There is often a fine line between detection and prevention. In fact, some detection steps overlap with prevention methods, as in the case of conflict of interest, where enforcing a management financial disclosure policy may both detect conflicting financial interests and prevent frauds resulting from them by virtue of the actual detection of the relationships. In most organizations, however, carefully assessing the description of prevention and detection controls demonstrates that there is usually a clear distinction between the two.

The IIA tell us that the internal audit function is a critical element in assessing the effectiveness of an institution’s internal control system. The internal audit consists of procedures to prevent or identify significant inaccurate, incomplete, or unauthorized transactions; deficiencies in safeguarding assets; unreliable financial reporting; and deviations from laws, regulations, and institutional policies. When properly designed and implemented, internal audits provide directors and senior management with timely information about weaknesses in the internal control system, facilitating prompt remedial action. Each institution should have an internal audit function appropriate to its size and the nature and scope of its activities.

This is a complex way of saying that our client’s internal audit function should focus on monitoring the institution’s internal controls, which, although not mentioned explicitly, include controls specifically designed to prevent fraud.  To effectively assess anti-fraud controls, auditors first must exercise detection techniques and procedures that confirm the existence of red flags or actual evidence of potential fraud in the risk areas identified by the FRA.

The Chief Internal Auditor is typically responsible for the following:

–Performing, or contracting for, a control risk assessment documenting the internal auditor’s understanding of significant business activities and associated risks. These assessments typically analyze the risks inherent in each business line, the mitigating control processes, and the resulting residual risk exposure;

–An internal audit plan responsive to results of the control risk assessment. This plan typically specifies key internal control summaries within each business activity, the timing and frequency of internal audit work, and the resource budget;

–An internal audit program that describes audit objectives and specifies procedures performed during each internal audit review;

–An audit report presenting the purpose, scope, and results of each audit. Work papers should be maintained to document the work performed and support audit findings.

There is a joint ACFE-IIA-AICPA document with which every CFE should be familiar.  ‘The Business Risk of Fraud’ provides clarity about the internal auditor’s role in detecting fraud in our client organization’s operations and financial statements. Specifically, the document states that internal auditors should consider the organization’s assessment of fraud risk when developing their annual audit plan and periodically assess management’s fraud detection capabilities. They should also interview and regularly communicate with those conducting the assessments, as well as with others in key positions throughout the company, to help them assess whether all fraud risks have been considered. Moreover, according to the document, when performing audits, internal auditors should devote sufficient time and attention to evaluating the “design and operation” of internal controls related to preventing and detecting significant fraud risks. They should exercise professional skepticism when reviewing activities to be on guard for the signs of potential fraud. Potential frauds uncovered during an engagement should be treated in accordance with a well-defined response plan consistent with professional and legal standards.

Among the most helpful guides for CFEs to recommend to clients for their internal auditors use in planning a detailed audit to detect fraud is the all-important SAS 99 which contains key fraud detection techniques including guidance on the performance of certain financial ratio analysis. Analytical procedures performed during planning may be helpful in identifying the risks of material misstatement due to fraud. However, because such analytical procedures generally use data aggregated at a high level, the results of those analytical procedures provide only a broad initial indication about whether a material misstatement of the financial statements may exist. Accordingly, the results of analytical procedures performed during planning should be considered along with other information gathered by the auditor in identifying the risks of material misstatement due to fraud.

SAS 99 was formulated with the aim of detecting fraud that has a direct impact on “material misstatement.” Essentially this means that anything in the organization’s financial activities that could result in fraud-related misstatements in its financial records should be audited for by using SAS 99 as a guide. SAS 99 breaks down the potential fraudulent causes of material misstatement into two categories:

1. Misstatement due to fraudulent financial reporting (i.e., “book cooking”);

2. Misstatement due to misappropriation of assets (i.e., theft).

The fraud auditing procedures of SAS 99, or of any other reputable audit guidance, can greatly assist internal auditors in distinguishing between actual fraud and error. Often the two have similar characteristics, with the key difference being that of the existence or absence of intent. Toward this end, SAS 99 and other key fraud auditing guidelines provide detailed procedures for gathering evidence of potential fraud based on the lists of fraud risks resulting from the client’s FRA. As SAS 99 states:

‘SAS 99. . . strongly recommend[s] direct involvement by internal auditors in the organization’s fraud-auditing efforts: Internal auditors may conduct proactive auditing to search for corruption, misappropriation of assets, and financial statement fraud. This may include the use of computer-assisted audit techniques to detect types of fraud. Internal auditors also can employ analytical and other procedures to isolate anomalies and perform detailed reviews of high-risk accounts and transactions to identify potential financial statement fraud. The internal auditors should have an independent reporting line directly to the audit committee, enabling them to express any concerns about management’s commitment to appropriate internal controls or to report suspicions or allegations of fraud involving senior management.

Specifically, SAS 99 provides a set of audit responses designed to gather hard evidence of potential fraud that could exist based on what the client organization learned from its FRA. These responses are critical to the auditor’s success in identifying clear red flags of potential fraud in our client’s operations. The responses are wide ranging and include anything from the application of appropriate ratio analytics, to thorough and detailed testing of controls governing specific business process procedures, to the analysis of anomalies in vendor or customer account activity. There are three broad categories into which such detailed internal audit fraud auditing responses fall:

1. The nature of auditing procedures performed may need to be changed to obtain evidence that is more reliable or to obtain additional corroborative information;
2. The timing of substantive tests may need to be modified. The auditor might conclude that substantive testing should be performed at or near the end of the reporting period to best address an identified risk of material misstatement due to fraud;
3. The extent of the procedures applied should reflect the assessment of the risks of material misstatement due to fraud. For example, increasing sample sizes or performing analytical procedures at a more detailed level may be appropriate.

The contribution of a fully staffed and management-supported internal audit function to a subsequent CFE conducted fraud examination can be extraordinary and its value never overstated; no client fraud prevention and detection program should ever be considered complete without one.

A Blueprint for Fraud Risk Assessment

It appears that several of our Chapter members have been requested these last few months to assist their employers in conducting several types of fraud risk assessments. They usually do so as the Certified Fraud Examiner (CFE) member of their employing company’s internal audit-lead assessment team.   There is a consensus emerging among anti-fraud experts that conducting a fraud risk assessment (FRA) is critical to the process of detecting, and ultimately designing controls to prevent the ever-evolving types of fraud threatening organizations.

The ACFE tells us that FRAs do not necessarily specify what types of fraud are occurring in an organization. Instead, they are designed to focus detection efforts on specific fraud schemes and scenarios that could occur as well as on incidents that are known to have occurred in the past. Once these are identified, the audit team can proceed with the series of basic and specific fraud detection exercises that broad experience has shown to be effective. The objective of these exercises is to hopefully reveal the specific fraud schemes to which the organization is most exposed. This information will enable the organization’s audit team to recommend to management and to support the implementation of antifraud controls designed to address exactly those risks that have been identified.  It’s important to emphasize that fraud risk assessments are not meant to prevent fraud directly in and of themselves. They are exercises for identifying those specific fraud schemes and scenarios to which an organization is most vulnerable. That information is in turn used to conduct fraud audit exercises to highlight the circumstances that have allowed actual, known past frauds to occur or to blueprint future frauds that could occur so that the necessary controls can be put in place to prevent similar future illegal activity.

In the past, those FRAs that were conducted were usually performed by the firm’s external auditors. Increasingly, however, internal audit departments are being pressured by senior management to conduct FRAs of their own. Since internal audit departments are increasingly employing CFEs or have their expertise available to them through other company departments (like loss prevention or security), this effort can be effective since internal auditors have the tenure and experience with their organizations to know better than anyone how its financial and business operations function and can understand more readily how fraud could occur in particular processes, transactions, and business cycles.

Internal audit employed CFE’s and CIA’s aren’t involved by requirement of their professional standards in daily operations and can, therefore, provide an independent check on their organization’s overall risk management process. Audits can be considered a second channel of information on how well the enterprise’s anti-fraud controls are functioning and whether there are any deficiencies that need to be corrected.  To ensure this channel remains independent, it is important that the audit function report directly to the Audit Committee or to the board of directors and not to the chief executive officer or company president who may have responsibility for her company’s internal controls.

The Institute of Internal Auditors has endorsed audit standards that outline the techniques and procedures for conducting an FRA, specifically those contained in Statement of Auditing Standards 99 (SAS 99). By this (and other) key guidelines, an FRA is meant to assist auditors and/or fraud examiners in adjusting their audit and investigation plans to focus on gathering evidence of potential fraud schemes and scenarios identified by the FRA.

Responding to FRA findings requires the auditor to adjust the timing, nature, and extent of testing in such ways as:

• Performing procedures at physical locations on a surprise or unannounced basis by, for example, counting cash at different subsidiary locations on a surprise basis or reviewing loan portfolios of random loan officers or divisions of a savings and loan on a surprise basis;
• Requesting that financial performance data be evaluated at the end of the reporting period or on a date closer to period-end, in order, for example, to minimize the risk of manipulation of records in the period between the dates of account closings and the end of the reporting period;
• Making oral inquiries of major customers and vendors in addition to sending written confirmations, or sending confirmation requests to a specific party within vendor or customer organization;
• Performing substantive analytical procedures using disaggregated data by, for example, comparing gross profit or operating margins by branch office, type of service, line of business, or month to auditor-developed expectations;
• Interviewing personnel involved in activities in areas where a risk of material misstatement due to fraud has been identified in the past (such as at the country or regional level) to obtain their insights about the risk and how controls could address the risk.

CFE team members can make a substantial contribution to the internal audit lead team effort since it’s essential that financial operations managers and internal audit professionals understand how to conduct an FRA and to thoroughly assess the organization’s exposure to specific frauds. That contribution can add value to management’s eventual formulation and implementation of specific, customized controls designed to mitigate each type of fraud risk identified in the FRA. These are the measures that go beyond the basic, essential control checklists followed by many external auditors; they optimize the organization’s defenses against these risks. As such, they must vary from organization to organization, in accordance with the particular processes and procedures that are identified as vulnerable to fraud.

As an example, company A may process invoices in such a tightly controlled way, with double or triple approvals of new vendors, manual review of all invoices, and so on, that an FRA reveals few if any areas where red flags of vendor fraud can be identified. Company B, on the other hand, may process invoices simply by having the appropriate department head review and approve them. In the latter case, an FRA would raise red flags of potential fraud that could occur through double billing, sham company schemes, or collusion between a dishonest vendor and a company insider. For that reason, SAS 99 indicates that some risks are inherent in the environment of the entity, but most can be addressed with an appropriate system of internal control. Once fraud risk assessment has taken place, the entity can identify the processes, controls, and other procedures that are needed to mitigate the identified risks. Effective internal controls will include a well-developed control environment, an effective and secure information system, and appropriate control and monitoring activities. Because of the importance of information technology in supporting operations and the processing of transactions, management also needs to implement and maintain appropriate controls, whether automated or manual, over computer generated information.

The ACFE tells us that the heart of an effective internal controls system and the effectiveness of an anti-fraud program are contingent on an effective risk management assessment.  Although conducting an FRA is not terribly difficult, it does require careful planning and methodical execution. The structure and culture of the organization dictate how the FRA is formulated. In general, however, there is a basic, generally accepted form of the FRA that the audit and fraud prevention communities have agreed on and about which every experienced CFE is expected to be knowledgeable. Assessing the likelihood and significance of each potential fraud risk is a subjective process that should consider not only monetary significance, but also significance to an organization’s reputation and its legal and regulatory compliance requirements. An initial assessment of fraud risk should consider the inherent risk of a particular fraud in the absence of any known controls that may address the risk. An organization can cost-effectively manage its fraud risks by assessing the likelihood and significance of fraudulent behavior.

The FRA team should include a senior internal auditor (or the chief internal auditor, if feasible) and/or an experienced inside or outside certified fraud examiner with substantial experience in conducting FRAs for organizations in the company’s industry.  The management of the internal audit department should prepare a plan for all the assignments to be performed. The audit plan includes the timing and frequency of planned internal audit work. This audit plan is based on a methodical control risk assessment A control risk assessment documents the internal auditor’s understanding of the institution’s significant activities and their associated risks. The management of the internal audit department should establish the principles of the risk assessment methodology in writing and regularly update them to reflect changes to the system of internal control or work process, and to incorporate new lines of business. The risk analysis examines all the entity’s activities, and the complete internal control system. Based on the results of the risk analysis, an audit plan for several years is established, considering the degree of risk inherent in the activities. The plan also considers expected developments and innovations, the generally higher degree of risk of new activities, and the intention to audit all significant activities and entities within a reasonable time period (audit cycle principle for example, three
years). All those concerns will determine the extent, nature and frequency of the assignments to be performed.

In summary…

• A fraud risk assessment is an analysis of an organization’s risks of being victimized by specific types of fraud;
• Approaches to FRAs will differ from organization to organization, but most FRAs focus on identifying fraud risks in six key categories:
— Fraudulent financial reporting;
— Misappropriation of assets;
— Expenditures and liabilities for an improper purpose;
— Revenue and assets obtained by fraud;
— Costs and expenses avoided by fraud;
— Financial misconduct by senior management.
• A properly conducted FRA guides auditors in adjusting their audit plans and testing to focus specifically on gathering evidence of possible fraud;
• The capability to conduct an FRA is essential to effective assessment of the viability of existing anti-fraud controls and to strengthen the organization’s inadequate controls, as identified by the results of the FRA;
• In addition to assessing the types of fraud for which the organization is at risk, the FRA assesses the likelihood that each of those frauds might occur;
• After the FRA and subsequent fraud auditing work is completed, the FRA team should have a good idea of the specific controls needed to minimize the organization’s vulnerability to fraud;
• Auditing for fraud is a critical next step after assessing fraud risks, and this requires auditing for evidence of frauds that may exist according to the red flags identified by the FRA.

First Steps to Prosecution

A recent study sponsored by the financial trade press indicated some haziness among assurance professionals generally about the precise mechanism(s) underlying the process by which the authorities make the initial decision to prosecute or not to prosecute alleged financial statement fraud.

In the U.S. federal system, a criminal investigation of fraudulent financial reporting can originate in all sorts of ways. An investigation may be initiated because of a whistleblower, an anonymous tip, information supplied by a conscientious or guilt-ridden employee, or facts discovered during a routine annual audit of the company’s financial statements. In addition, the company’s public disclosure of financial misstatements may itself lead to the commencement of a criminal investigation. However initially initiated, the decision to start a criminal investigation is entirely within the discretion of the United States Attorney in each federal district.

For the prosecutor, the decision whether to open an investigation can be difficult. The main reason is the need for the prosecutor to establish criminal intent, that is, that the perpetrator not only got the accounting wrong but did so willfully. Often, bad accounting will be the result of judgment calls, which can be defended as exactly that, executive determinations or judgement calls that, while easy to second guess with the benefit of hindsight, were made in good faith at the time. Thus, a prosecutor evaluating the viability of a criminal prosecution will be looking for evidence of conduct so egregious that the perpetrator must have known it was wrong. This is not to suggest that evidence of a wrongful intent is the only consideration. A prosecutor’s exercise of his or her prosecutorial discretion may consider all kinds of factors in deciding whether criminal inquiry is warranted. Those factors may include the magnitude and nature of the accounting misstatements, whether individuals personally benefited from the misstatements or acted pursuant to the directive of a superior, whether documents were fabricated or destroyed, the probable deterrent or rehabilitative effect of prosecution, and the likelihood of success at trial. The availability of governmental resources may also be a factor.

Where the putative defendant is a corporation, partnership, or other business organization, a more settled set of factors come into play:

–The nature and seriousness of the offense, including the risk of harm to the public, and applicable policies and priorities, if any, governing the prosecution of corporations for certain categories of crime;
–The pervasiveness of wrongdoing within the corporation, including the complicity in, or the condoning of, the wrongdoing by corporate management;
–The corporation’s history of similar misconduct, including prior criminal, civil, and regulatory enforcement actions against it;
–The corporation’s timely and voluntary disclosure of wrong-doing and its willingness to cooperate in the investigation of its agents;
–The existence and effectiveness of the corporation’s preexisting compliance program;
–The corporation’s remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one, to replace responsible management, to discipline or terminate wrongdoers, to pay restitution, and to cooperate with the relevant government agencies;
–Collateral consequences, including whether there is disproportionate harm to shareholders, pension holders, employees, and others not proven personally culpable, as well as the impact on the public arising from the prosecution;
–The adequacy of the prosecution of individuals responsible for the corporation’s malfeasance;
–The adequacy of remedies such as civil or regulatory enforcement actions.

However, a prosecutor gets there, once s/he determines to commence a criminal investigation, there is no doubt that those who are its targets will quickly come to view it as a priority over everything else. The government’s powers to investigate are broad, and, once a determination to go forward is made, the full resources of the government, including the FBI, can be brought to bear. The criminal sentences resulting from a successful prosecution can be severe if not excessive, particularly considering the enhanced criminal sentences put in place by Sarbanes-Oxley.  The ACFE reports that one midlevel executive at a company who elected to proceed to trial was convicted and received a prison sentence of 24 years. The fact that the sentence was subsequently set aside on appeal does little to mitigate the concern that such a sentence could be imposed upon a first-time, nonviolent offender whose transgression was a failure to apply generally accepted accounting principles.

Typically, a company learns that it is involved in a criminal investigation when it receives a grand jury subpoena, in most instances a subpoena duces tecum, compelling the company or its employees to furnish documents to the grand jury. In an investigation of fraudulent financial reporting, such a subpoena for documents may encompass all the files underlying the company’s publicly disseminated financial information, including the records underlying the transactions at issue and related emails.

For a CFE’s client company counsel and for the company’s executives generally, the need to respond to the subpoena presents both an opportunity and a dilemma. The opportunity stems from the company’s ability, in responding to the subpoena, to learn about the investigation, an education process that will be critical to a successful criminal defense. The dilemma stems from the need to assess the extent to which active and complete cooperation should be pledged to the prosecutor at the outset. The formulation of a response to a criminal subpoena, therefore, constitutes a critical point in the investigatory process. Those involved are thereby placed in the position of needing to make important decisions at an early stage that can have lasting and significant effects.  The CFE can support them in getting through this process.

Once an initial review of the subpoena and its underlying substance is complete, one of the first steps in formulating a response is often for company counsel to make a phone call to the prosecutor to make appropriate introductions and, to the extent possible, to seek background information regarding the investigation. In this initial contact, the prosecutor will be understandably guarded. Nonetheless, some useful information will frequently be shared. A general impression may be gained about the scope and focus of the investigation and the timing of additional subpoenas and testimony. Thereafter, it is not unusual for an initial meeting to be arranged to discuss in greater detail the company’s response. One benefit of such a meeting is that some level of additional information may be forthcoming.

From the outset, company counsel will be undertaking a process that will be ongoing throughout the criminal proceedings: learning as much as possible about the prosecutor’s case. The reason is that, unlike a civil case, in which broad principles of discovery enable the defendants to learn the details of the adversary’s evidence, the procedural rules of a criminal investigation result in much greater secrecy. Less formal methods of learning the details of the prosecutor’s case, therefore, are critical. In these initial contacts, the establishment of a sound foundation for the company’s dealings with the prosecutor is an important aspect of the investigation. To state it simply, CFE’s should always support that those dealings be premised on a foundation of candor.

Although it may be appropriate at various stages to decline to discuss sensitive matters, counsel should avoid making a factual statement on any subject about which it may be incompletely or inaccurately informed. This admonition applies to subjects such as the existence and location of files, the burden of producing documents, and the availability of witnesses. It also applies to more substantive matters bearing on the guilt or innocence of parties. CFE’s should, again, counsel their clients that a relationship with the prosecutor based on trust and confidence is key.

The judgment regarding the extent of cooperation with the prosecutor can be a tough one. Unlike in a civil proceeding, where cooperation with regulatory authorities (such as the SEC) is generally the preferred approach, the decision to cooperate with the government in a criminal investigation may be much more difficult, insofar as a subsequent effort to oppose the government (should such a change of approach be necessary) would be impeded by the loss of a significant tactical advantage, the loss of surprise. In criminal cases, the government is not afforded the same broad rights of discovery available in civil proceedings. It is entirely possible for a prosecutor to have no significant knowledge of the defense position until after the start of a trial. On the other hand, the privileges available to a corporation are limited. There is, most importantly, no Fifth Amendment privilege against self-incrimination for companies.  Furthermore, almost any kind of evidence, even evidence that would be inadmissible at trial, except for illegal wiretaps or privileged material, can be considered by a grand jury. Therefore, the company’s ability to oppose a grand jury investigation is limited, and the prosecutor may even consider a company’s extensive zeal in opposition to constitute obstruction of justice. Moreover, the prosecutor’s ultimate decision about indictment of the company may be affected by the extent of the company’s cooperation. And corporate management may wish to demonstrate cooperation as a matter of policy or public relations.

One issue with which a company will need to wrestle is whether it is appropriate for a public company or its executives to do anything other than cooperate with the government. On this issue, it is useful for executives to appreciate that the U.S. system of justice affords those being investigated certain fundamental rights, and it is not unpatriotic to take advantage of them. As to individuals, one of the most basic of these rights is the Fifth Amendment privilege against self-incrimination. Insofar as, in fraud cases, guilt can be established through circumstantial evidence, executives need to keep in mind that it demonstrates no lack of civic virtue to take full advantage of constitutional protections designed to protect the innocent.

A challenge is that many of these judgments regarding cooperation must be made at the outset when the company’s information is limited. Often the best approach, at least as a threshold matter, will be one of courteous professionalism, meaning respect for one’s adversary and reasonable accommodation pending more informed judgments down the road. Premature expressions of complete cooperation are best avoided as a subsequent change in approach can give rise to governmental frustration and anger.

Following the initial steps of the grand jury subpoena and the preliminary contact with the prosecutor, CFE’s are uniquely positioned to assist corporate counsel and management in the remaining stages of the criminal investigation of a financial crime:

–Production of documents;
–Grand jury testimony;
–Plea negotiations (if necessary);
–Trial (if necessary).

A CDC for Cyber

I remember reading somewhere a few years back that Microsoft had commissioned a report which recommended that the U.S. government set up an entity akin to its Center for Disease Control but for cyber security.  An intriguing idea.  The trade press talks about malware and computer viruses and infections to describe self -replicating malicious code in the same way doctors talk about metastasizing cancers or the flu; likewise, as with public health, rather than focusing on prevention and detection, we often blame those who have become infected and try to retrospectively arrest/prosecute (cure) those responsible (the cancer cells, hackers) long after the original harm is done. Regarding cyber, what if we extended this paradigm and instead viewed global cyber security as an exercise in public health?

As I recall, the report pointed out that organizations such as the Centers for Disease Control in Atlanta and the World Health Organization in Geneva have over decades developed robust systems and objective methodologies for identifying and responding to public health threats; structures and frameworks that are far more developed than those existent in today’s cyber-security community. Given the many parallels between communicable human diseases and those affecting today’s technologies, there is also much fraud examiners and security professionals can learn from the public health model, an adaptable system capable of responding to an ever-changing array of pathogens around the world.

With cyber as with matters of public health, individual actions can only go so far. It’s great if an individual has excellent techniques of personal hygiene, but if everyone in that person’s town has the flu, eventually that individual will probably succumb as well. The comparison is relevant to the world of cyber threats. Individual responsibility and action can make an enormous difference in cyber security, but ultimately the only hope we have as a nation in responding to rapidly propagating threats across this planetary matrix of interconnected technologies is to construct new institutions to coordinate our response. A trusted, international cyber World Health Organization could foster cooperation and collaboration across companies, countries, and government agencies, a crucial step required to improve the overall public health of the networks driving the critical infrastructures in both our online and our off-line worlds.

Such a proposed cyber CDC could go a long way toward counteracting the technological risks our country faces today and could serve a critical role in improving the overall public health of the networks driving the critical infrastructures of our world. A cyber CDC could fulfill many roles that are carried out today only on an ad hoc basis, if at all, including:

• Education — providing members of the public with proven methods of cyber hygiene to protect themselves;
• Network monitoring — detection of infection and outbreaks of malware in cyberspace;
• Epidemiology — using public health methodologies to study digital cyber disease propagation and provide guidance on response and remediation;
• Immunization — helping to ‘vaccinate’ companies and the public against known threats through software patches and system updates;
• Incident response — dispatching experts as required and coordinating national and global efforts to isolate the sources of online infection and treat those affected.

While there are many organizations, both governmental and non-governmental, that focus on the above tasks, no single entity owns them all. It is through these gaps in effort and coordination that cyber risks continue to mount. An epidemiological approach to our growing technological risks is required to get to the source of malware infections, as was the case in the fight against malaria. For decades, all medical efforts focused in vain on treating the disease in those already infected. But it wasn’t until epidemiologists realized the malady was spread by mosquitoes breeding in still pools of water that genuine progress was made in the fight against the disease. By draining the pools where mosquitoes and their larvae grow, epidemiologists deprived them of an important breeding ground, thus reducing the spread of malaria. What stagnant pools can we drain in cyberspace to achieve a comparable result? The answer represents the yet unanswered challenge.

There is another major challenge a cyber CDC would face: most of those who are sick have no idea they are walking around infected, spreading disease to others. Whereas malaria patients develop fever, sweats, nausea, and difficulty breathing, important symptoms of their illness, infected computer users may be completely asymptomatic. This significant difference is evidenced by the fact that the overwhelming majority of those with infected devices have no idea there is malware on their machines nor that they might have even joined a botnet army. Even in the corporate world, with the average time to detection of a network breach now at 210 days, most companies have no idea their most prized assets, whether intellectual property or a factory’s machinery, have been compromised. The only thing worse than being hacked is being hacked and not knowing about it. If you don’t know you’re sick, how can you possibly get treatment? Moreover, how can we prevent digital disease propagation if carriers of these maladies don’t realize they are infecting others?

Addressing these issues could be a key area of import for any proposed cyber CDC and fundamental to future communal safety and that of critical information infrastructures. Cyber-security researchers have pointed out the obvious Achilles’ heel of the modern technology infused world, the fact that today everything is either run by computers (or will be) and that everything is reliant on these computers continuing to work. The challenge is that we must have some way of continuing to work even if all the computers fail. Were our information systems to crash on a mass scale, there would be no trading on financial markets, no taking money from ATMs, no telephone network, and no pumping gas. If these core building blocks of our society were to suddenly give way, what would humanity’s backup plan be? The answer is simply, we don’t now have one.

Complicating all this from a law enforcement and fraud investigation perspective is that black hats generally benefit from technology long before defenders and investigators ever do. The successful ones have nearly unlimited budgets and don’t have to deal with internal bureaucracies, approval processes, or legal constraints. But there are other systemic issues that give criminals the upper hand, particularly around jurisdiction and international law. In a matter of minutes, the perpetrator of an online crime can virtually visit six different countries, hopping from server to server and continent to continent in an instant. But what about the police who must follow the digital evidence trail to investigate the matter?  As with all government activities, policies, and procedures, regulations must be followed. Trans-border cyber-attacks raise serious jurisdictional issues, not just for an individual police department, but for the entire institution of policing as currently formulated. A cop in Baltimore has no authority to compel an ISP in Paris to provide evidence, nor can he make an arrest on the right bank. That can only be done by request, government to government, often via mutual legal assistance treaties. The abysmally slow pace of international law means it commonly takes years for police to get evidence from overseas (years in a world in which digital evidence can be destroyed in seconds). Worse, most countries still do not even have cyber-crime laws on the books, meaning that criminals can act with impunity making response through a coordinating entity like a cyber-CDC more valuable to the U.S. specifically and to the world in general.

Experts have pointed out that we’re engaged in a technological arms race, an arms race between people who are using technology for good and those who are using it for ill. The challenge is that nefarious uses of technology are scaling exponentially in ways that our current systems of protection have simply not matched.  The point is, if we are to survive the progress offered by our technologies and enjoy their benefits, we must first develop adaptive mechanisms of security that can match or exceed the exponential pace of the threats confronting us. On this most important of imperatives, there is unambiguously no time to lose.

The Right Question, the Right Way

As every CFE knows, an integral part of the fraud examination process involves obtaining information from people. Regardless of the interview’s objective, all CFEs should embrace the role of interviewer and use the time-tested techniques recommended to us by the ACFE. But asking the right questions does not necessarily ensure key information will be uncovered; an effective interviewer also recognizes the need to separate truth from deception. Consequently, crafting effective questions, understanding the communication dynamics at play, actively participating in the interview process, and remaining alert to signs of deception will help examiners increase the effectiveness and efficiency of our interviews and of our overall engagements.

Some interviewers try to gather as much information using as few questions as possible and end up receiving convoluted or vague responses. Others seek confirmation of every detail, which can quickly turn an interview into an unproductive probing of minutia. Balancing thoroughness and efficiency is imperative to obtaining the necessary and relevant facts without overburdening the interviewee. Because the location of this line varies by interviewee, CFEs can find this balance most effectively by ensuring they ask only clear questions throughout the interview.

Some individuals might respond to a question in a way that doesn’t provide a direct answer or that veers off topic. Sometimes these responses are innocent; sometimes they are not. To make the most of an interview, examiners must remain in control of the situation, regardless of how the interviewee responds.  Being assertive does not require being impolite, however. In some instances, wording questions as a subtle command (e.g., “Tell me about…. or “Please describe….) can help establish the interview relationship. Additionally, remaining in control does not mean dissuading the interviewee from exploring pertinent topics that are outside the planned discussion points.  Interview questions can be structured in several ways, each with its own strengths, weaknesses, and ideal usage. Open questions ask the interviewee to describe or explain something. Most examination interviews should rely heavily on open questions, as these provide the best view of how things operate and the perspective of the staff member involved in a particular area. They also enable the reviewer to observe the interviewee’s demeanor and attitude, which can provide additional information about specific issues. However, if the CFE believes an individual might not stay on topic or may avoid providing certain information, open questions should be used cautiously.  In contrast, closed questions can be answered with a specific, definitive response, most often “yes” or “no.” They are not meant to provide the big picture but can be useful in gathering details such as amounts and dates. Examiners should use closed questions sparingly in an informational interview, as they do not encourage the flow of information as effectively as open questions.

Occasionally, the questioner might want to direct the interviewee toward a specific point or evoke a certain reply. Leading questions can be useful in such circumstances by exploring an assumption, a fact or piece of information, that the interviewee did not provide previously. When used appropriately, such questions can help the interviewer confirm facts that the interviewee might be hesitant to discuss. Examples of leading questions include: “So there have been no changes in the process since last year?” and “You sign off on these exception reports, correct?” If the interviewee does not deny the assumption, then the fact is confirmed. However,  before using leading questions, the interviewer should raise the topic with open questions and allow the interviewee the chance to volunteer information.

The examiner should establish and maintain an appropriate level of eye contact with the interviewee throughout the interview to personalize the interaction and build rapport. However, the appropriate level of eye contact varies by culture and even by person; consequently, the examiner should pay attention to the interviewee to determine the level of eye contact that makes him or her comfortable.

People tend to mirror each other’s body language subconsciously as a way of bonding and creating rapport. CFEs can help put interviewees at ease by subtly reflecting their body language. Further, the skilled interviewer can assess the level of rapport established by changing posture and by watching the interviewee’s response. This information can help CFEs determine whether to move into sensitive areas of questioning or to continue establishing a connection with the individual.

Confirming periodically that the examiner is listening can encourage interviewees to continue talking. For example, the interviewer can provide auditory confirmation with a simple “mmm hmmm” and nonverbal confirmation by nodding or leaning toward the interviewee during his or her response.

When the interviewee finishes a narrative response, the examiner can encourage additional information by echoing back the last point the person made. This confirms that the interviewer is actively listening and absorbing the information, and it provides a starting point for the person to continue the response.

Occasionally, the examiner might summarize the information provided to that point so that the interviewee can affirm, clarify, or correct the interviewer’s understanding.

Most often, the greatest impediment to an effective interview is the interviewer him or herself.  While it is clearly important for the interviewer to observe, to listen, and to assess the subject in a variety of ways, the role of the interviewer, and the effect he or she has on the interview process, cannot be minimized.

The interviewer typically focuses on the subject as the person who will provide the information he or she seeks. The interviewer concentrates on establishing rapport, listening effectively, analyzing the subject’s verbal and nonverbal communication, and gauging how much or how little the subject is telling her. These are valid areas of concentration for the interviewer. One significant risk is that the interviewer may pay too little attention to the negative influences s/he can bring to the interview, process. The terms interview and communication are interchangeable, and effective communication is a two-way street. What makes the interviewer an effective communicator and effective interviewer is not just the signals he or she picks up from the subject but also the signals, the information, the tone, and the body language he or she sends to the subject. It is highly presumptuous of the interviewer to think he or she has little or no effect on the subject and that the subject is not evaluating, assessing, and analyzing the interviewer.

The interviewer’s style of dress, jewelry, and grooming may tell the subject as much about the interviewer as does the interviewer’s demeanor. If the interviewer is overdressed for the occasion, does it make the subject feel inferior or intimidated? If too casual, does the interviewer send a signal of the lack of importance of the interview and, as a result, does the subject become too relaxed or not as attentive? Attire should have a desired effect. For example, when interviewing an enforcement officer or other professional who is familiar with uniforms and clothing as indicators of status, it may be appropriate to wear a coat and tie. In general, it is best to always to err on the side of conservative dress for the circumstances.

The examiner should not attempt to interview two or more persons at one time unless there is no other option. It is more difficult to control an interview with two or more subjects. One subject may be more dominant than the other. The subjects will influence each other’s memories. Some subjects will not want to embarrass themselves in front of a peer or supervisor. The environment for confidential communications will be adversely affected.

When the interviewer responds to the subject’s responses, he sends signals. At times, it might be advisable to not write notes down at the time the individual tells the interviewer something sensitive. Rather, the interviewer might consider devoting his attention to the subject and writing down the sensitive information after the conversation has moved away from the sensitive area.  The interviewer should never become argumentative, antagonistic, or belligerent. The use of the  “Good Cop, Bad Cop” routine can have unwanted results, especially long term. The CFE interviewer should use tact, speak clearly and with authority but without use of threatening language. The interviewer should consistently set a professional tone.

Finally, all individuals want to be shown respect. Maintaining the personal dignity of the subject is critical for the success of the interview and follow-up efforts. Everyone wants respect, from homeless persons to top executives. To be shown respect, especially if the subject is not accustomed to it, is disarming and contributes to that essential, professional tone.

Not Just the Hotline

Prior to our Chapter’s last scheduled live training event, I was invited as a presenter to an orientation session for a group of employees serving as staff to a local government fraud, waste and abuse hotline. Anonymous communications, often called “tips,” may take various forms, including a posted letter, telephone call, fax, or e-mail. Long gone are the days when any governmental or private organization receiving such a communication would feel comfortable disregarding it. In today’s environment, such communications are almost always taken seriously, and significant efforts are made to resolve every credible allegation. By their very nature, such investigations are triggered suddenly and generally require a prompt and decisive response, even if only to establish that the allegations are unfounded or purely mischievous. The allegations may be in the form of general statements or they may be very specific, identifying names, documents, situations, transactions, or issues. From the CFE’s or forensic investigator’s perspective, no matter what form they take or how they are received, anonymous communications addressed to the client can pose challenging investigative issues in themselves whose complexity is often under-estimated.

The initiators of such tips can be motivated by a variety of factors, which range from the possibility of monetary gain (substantial monetary recovery is available to whistleblowers under the U.S. False Claims Act), to moral outrage, to genuine concern over an issue or simply from the desire of a disgruntled employee to air an issue or undermine a colleague. Adding to the complication, legislation such as Sarbanes-Oxley and the raft of on-going private and governmental scandals, the increased scrutiny of health care providers and of defense contractors have all served to raise public awareness of whistle-blower programs specifically and of the importance of anonymous reporting mechanisms in general.

With hotlines now so ubiquitous, it’s equally important for investigators to be aware that anonymous tips come in not only to formal public hotlines but in a wide variety of forms and through many channels; such communications can come addressed to various individuals and groups within the company or to outside entities, to government agencies, and even via outside news agencies. Typical recipients within the company of non-hotline tips can be expected to be legal counsel, audit committee members, senior management, department supervisors, human resources managers and the compliance or ethics officer. A tip may take the form of a typical business letter addressed to the company, an e-mail (usually from a nontraceable account), or an official internal complaint. It may also duplicate tips submitted to news agencies, competitors, web site postings, chat rooms, or government agencies. It may also be a message to an internal ethics hotline phone number. Whatever form it takes, a tip may contain allegations that, while factually correct at its core, may also include embellishments or inaccurate information, wildly emotional allegations, or poor grammar. Further, the communication structure of the tip may be disorganized, repetitive, display unprioritized thoughts and mix key issues with irrelevant matters and unsupported subjective opinions. In other cases, while the tip’s information about specific issues may not be correct, it may contain a grain of truth or may identify elements of several unrelated but potentially troubling issues.

In some situations, the allegations aired in an anonymous tip may be known within the company and labeled as rumors or gossip. Some whistle-blowers are neither gossip hounds nor disgruntled employees but, rather, frustrated employees who have tried to engage management about a problem and have gone unheard. Only then do they file a complaint by sending a letter or an e-mail or by making a phone call.  While one should never leap to a specific conclusion upon receipt of an anonymous communication, inaction is never a recommended option. One of the dangers of ignoring an anonymous tip that wasn’t initially received via the hotline is that a situation that can be satisfactorily addressed with prompt action at lower levels or locally within the organization may become elevated to higher levels or to third parties and even to regulatory bodies outside the entity because the whistle-blower believes the communication has been side-lined or shunted aside. This can have damaging consequences for an organization’s reputation and brands if the allegations become public or attract media attention and a cover-up appears to have occurred, however well-intentioned the organization may have been. Ignoring an anonymous tip also may negatively impact staff morale and motivation, if suspicions of impropriety are widespread among staff and it appears that the employer is uninterested or doing nothing to rectify the situation. Ultimately, management may leave itself open to criticism or perhaps the danger of regulatory censure or legal action by stakeholders or authorities if it cannot demonstrate that it has given due consideration to the issues raised in an anonymous communication.

Once notified by a client of the receipt of an anonymous tip, the CFE or forensic accounting investigator should obtain an understanding of all the circumstances of that receipt. While the circumstances on the surface may appear unremarkable and trivial, that information is often a key factor in determining the best approach to dealing with a tip and, more broadly, often provides clues that are helpful in other areas. Initial facts and circumstances to be established include:

• How? This refers to how the information was conveyed—for example, whether it was in a letter, phone call, or e-mail and whether the letter was handwritten or typed. Additionally, the forensic accounting investigator seeks to determine whether the message includes copies of corporate documents or references to specific documents and whether the tip is anonymous, refers to individuals, or is signed.
• When? This includes establishing the date on which the message was received by the entity, the date of the tip, and in the case of a letter, the postmark date and postmark location.
• Where? This involves establishing where the tip was sent from, be it a post office, overseas, a private residence, within the office, a sender’s fax number, or an e-mail account.
• Who? To whom was the tip sent? Was it a general reference such as “To whom it may concern”? A specific individual? A department such as the head office or internal audit? The president’s office? The press? A competitor? Sometimes an anonymous notification will indicate that another entity has been copied on the document; this requires verification. Always consider the possibility that the tip may have been sent to the auditor and/or to the U.S. Securities and Exchange Commission.
• What? This refers to understanding the allegations and organizing them by issue. Often, a tip will contain many allegations that are variations on the same issue or that link to a common issue. For this reason, it is often helpful to formally summarize in writing the tip by issues and related sub-issues. Does the information in the tip contain information that may be known only to a certain location or department? If so, that may point to a group of individuals or former employees as the source of the tip.
• Why? What is the possible motivation for the tip? Issues with misreporting financial information? Ethical decisions? Disgruntled employee? Former employee airing grievances?

For many organizations, whistle-blower communications have become almost daily phenomena. But many of the most serious allegations don’t arrive via a hotline.  This is largely because in the wake of corporate scandals, lawmakers and ethics authorities are responding to public concern by encouraging employee monitoring of corporate ethics and affording some statutory protections for whistle-blowers. Dealing with the unexpected anonymous tip that triggers a CFE conducted investigation can be a challenging matter, even for the most seasoned investigator. Objective analysis and the strategic approach taken by professionals skilled in corporate investigations can assist clients in successfully addressing issues that may have serious legal and financial implications. Protection of employees from retaliatory action and the
company’s need to decide whether and to whom to disclose information are among the many issues created by the receipt of anonymous tips.  For the CFE, the key to resolving cases of anonymous tips usually involves a detailed examination of copious amounts of data obtained from various sources such as interviews, public records searches, data mining, hard-copy document review, and electronic discovery. A careful, experience-based investigative strategy is imperative to address the circumstances surrounding the transmittal and receipt of any anonymous tip and to tackle its allegations prudently and thoroughly.

Asked and Answered

Some months ago, I was involved as a member of an out-of-town fraud examination team during which the question of note taking during an investigative interview arose. A younger member of the team (a junior internal auditor) wanted to know about approaches to the documentation of not just one, but possibly of the several prospective interview sessions it initially appeared might be necessary regarding the examination.

As the ACFE tells us, notes, whether handwritten or recorded, always send an unambiguous signal to the subject that the interviewer is memorializing his or her comments. Interviews without notes are significantly limited in their value and may even signal to the interview subject that it may later be just a question of her word against the interviewer’s. If the interviewer takes only cryptic or shorthand notes and later reviews those notes with the subject to confirm what was said, the interviewer should recognize that the notes, while confirmed and edited to a certain extent, will still be less than complete.

On the other hand, tape recording an interview is a significant obstacle to full cooperation. People are reluctant to be recorded. For the most part, the use of tape recorders to take notes is not recommended in situations involving a potential fraud. Most subjects will resist the use of recorders and, even in circumstances where the subject may have agreed to their use, their responses will be more guarded than if a recorder was not used. If a recorder is used, be sure to begin the taping by recording the date, time, names of the individuals present, and an acknowledgment by the subject that they know the interview is being recorded and they have agreed to be recorded.

Once the interviewer has determined how s/he will document the interview, s/he should ask the subject if it is okay to take notes or record the session. It is the polite and professional thing to do and it serves two purposes:

–It is part of the process by which the subject is encouraged to be a participant;
–If the subject balks or tells the interviewer she does mind that the interviewer takes notes, it can open a line of questioning by the interviewer to determine the exact cause of the subject’s objections;

The subject should always be advised that note taking is critical to the integrity of the process and that notes ensure that what the subject says is documented properly. Failure to take notes limits the information to the memory and interpretation of the interviewer.  In a professional setting, most subjects will understand the critical nature of notes. Very few people will say it is not all right to take notes, regardless of how they feel about it. If they are absolutely opposed to the taking of notes, find out why and concentrate on what the subject says and reduce the interview to notes as quickly as possible after the interview. With a hostile subject who opposes note taking, the interviewer can ask if it is okay for her to make selected notes regarding dates or things the interviewer might not remember later. The interviewer can explain that it is important that s/he understand the subject’s position or communication correctly. If the subject is still adamant about the interviewer not taking notes, it should be documented in the interviewer’s report.

As the fraud interviewer develops his or her interviewing skill set, s/he should concentrate on taking verbatim notes which, among other things, include, at a minimum, nouns, pronouns, and verbs. Some practitioners recommend that the interviewer not attempt to write everything down. The argument is that, in doing so, the interviewer will not have an opportunity to observe the subject’s nonverbal communications.

The generally accepted recommendation is, therefore, where feasible, that the interviewer take down verbatim as much of what the subject says as is possible. This includes repeated words and parenthetical comments. This practice allows the interviewer to later review what the subject said as opposed to what the interviewer thought the subject said. Note taking also provides additional documentation of what the subject is communicating and (when reviewed after the fact in the light of additional knowledge) of what the subject has excluded.

During the act of taking notes, the interviewer should exercise caution. Taking notes intermittently can signal to the subject that the interviewer takes notes only when the information is important. Conversely, if, during the interview, a very sensitive area is broached, or if the subject indicates that s/he is uncomfortable with an area or issue, the interviewer can put her pencil down, lean forward, establish good eye contact, and listen to the subject. The simple suspension of note taking may place the subject at ease. As soon as the interview moves to a less sensitive area, the interviewer should try to reduce the previously mentioned sensitive area to notes. If the subject associates note taking with core interview information, the subject may interpret continued note taking as encouragement to continue talking.

The interviewer should not write down interpretive comments while taking notes. The interviewer should however make notes, where appropriate, in cases where verbal and
nonverbal indications of both resistance or cooperation are found.

The interviewer should always take notes with the possibility in mind that the notes may be subjected to third party scrutiny. This scrutiny may extend to opposing counsel in the event of litigation. The interviewer’s notes may or may not be privileged materials. With this in
mind, the interviewer should consider the following:

–Begin each separate set of interview notes on a clean page;
–Identify the date, time, and place of the interview and all the individuals present at the interview;
–Obtain as much background data on the subject as possible, including telephone numbers, and identify means of contacting him or her, including alternate numbers for family and friends;
–Initial and date the notes;
–Document the interviewer’s questions;
–Take verbatim notes if possible. Concentrate, but do not limit notes of the subject’s responses to:
• Nouns
• Pronouns
• Verb tense
• Qualifiers
• Indicators of responsibility, innocence, or guilt
–Do not document conclusions or interpretations;
–Report any unusual change in body language in an objective manner. Document the changes in body language and tone, if applicable, in conjunction with notes of what the subject or interviewer said at the time the body language or tone changed;
–At the conclusion of the interview, review the notes with the subject to confirm what the subject has said.

Finally, following the interview, your notes should be reproduced in printed form as quickly as possible.  Enough cannot be said for the value of a well-documented set of interview notes for every aspect of a subsequent investigation; their presence or absence can make or break your entire case.

Team Work is Hard Work

From reading posts and comments posted to LinkedIn, it seems that a number of our Chapter members and guests from time to time find themselves involved in internal fraud investigations either as members of internal or external audit units or as sole practitioners.  As CFE’s we know that we can make significant contributions to a financial crime investigation, if we can work effectively, as team members, with the victim company’s internal and external auditors, as well as with other constituents involved in resolving allegations or suspicions of internal fraud. In addition to a thorough knowledge of accounting and auditing, CFE’s bring to bear a variety of skills, including interviewing, data mining and analysis.  We also know that some auditors assume that simply auditing more transactions, with the use of standard procedures, increases the likelihood that fraud will be found. While this can prove to be true in some cases, when there is suspicion of actual fraud, the introduction of competent forensic accounting investigators may be more likely to resolve the issue and bring it to a successful conclusion.

Within the boundaries of an investigation, we CFE’s typically deal with numerous constituencies, each with a different interest and each viewing the situation from a different perspective. These parties to the investigation may well attempt to influence the investigative process, favor their individual concerns, and react to events and findings in terms of personal biases. CFE’s thus often have the task of conveying to all constituencies that the results of the investigation will be more reliable if all participants and interested parties work together as a team and contribute their specific expertise or insight with objectivity. In the highly-charged environment created by a financial crime investigation, the forensic accounting investigator can make a huge contribution just by displaying and encouraging the balance and level headedness which comes from his or her detailed familiarity with the mechanics of the standard types of financial fraud.

The ACFE recommends that all parties with a stake in the process, management, audit committee, auditors, and legal counsel, should always consider including forensic accounting investigators in the front-end process of decision making about an investigation. One of the key initial decisions is, usually, the degree to which the forensic accounting investigators can work with and rely on the work of others, specifically, the internal and external auditors. Another common front-end decision is whether CFE’s—with their knowledge of accounting systems, controls, and typical fraud schemes, may be added to the team that eventually evaluates the organization’s business processes to strengthen the controls that allowed the fraud to occur. Management may at first be inclined to push for a quick result because it feels the company will be further damaged if it continues to operate under a shadow.

Senior executives may be unable or in some cases unwilling to see the full scope of issues and may attempt to limit the investigation, sometimes as a matter of self-protection, or they may seek to persuade the CFE that the issues at hand are immaterial. Whatever happened, it happened on their watch, and they may understandably be very sensitive to the CFE’s intrusion into their domain. Any defensiveness on the part of management should be defused as quickly and as thoroughly as possible, usually through empathy and consideration on the part of the forensic accounting investigator. The party or entity engaging the forensic accounting investigator, for example, the audit committee, management, or counsel, should be committed to a thorough investigation of all issues and is ultimately responsible for the investigation. The committee may engage CFE’s and forensic accounting investigators directly and look to them for guidance, or it may ask outside counsel to engage the CFE, who usually will work at counsel’s direction in fulfilling counsel’s responsibilities to the audit committee.

Every CFE should strive to bring independence and objectivity to the investigation and strive to assist each of the interested parties to achieve their unique but related objectives. As to the CFE’s  objectives, those are determined by the scope of work and the desire to meet the goals of whoever retained their services. Regardless of the differing interests of the various constituencies, forensic accounting investigators must typically answer the following questions:

  • Who is involved?
  • Could there be coconspirators?
  • Was the perpetrator instructed by a higher supervisor not currently a target of the investigation?
  • How much is at issue or what is the total impact on the financial statements?
  • Over what period did this occur?
  • Have we identified all material schemes?
  • How did this happen?
  • How was it identified, and could it have been detected earlier?
  • What can be done to deter a recurrence?

CFE’s should always keep in mind that they are primarily fact finders and not typically engaged to reach or provide conclusions, or, more formally, opinions. This differs from the financial auditor’s role. The financial auditor is presented with the books and records to be audited and determines the nature, extent, and timing of audit procedures. On one hand, the financial statements are management’s responsibility, and an auditor confirms they have been prepared in accordance with generally accepted accounting principles after completing these procedures and assessing the results. The CFE or forensic accounting investigator, on the other hand, commands a different set of skills and works at the direction of an employer that may be management, the audit committee, counsel, or an auditing firm itself.

Teaming with all concerned parties together with the internal and external auditors, the forensic accounting investigator should strive to bring independence and objectivity to the investigation and strive to assist each of the interested parties to achieve each team member’s unique but related objectives; management understandably may be eager to bring the investigation to a quick conclusion. The chief financial officer may be defensive over the fact that his or her organization allowed this to happen;   the board of directors, through the independent members of its audit committee, is likely to focus on conducting a thorough and complete investigation, but its members may lack the experience needed to assess the effort. In addition, they may be concerned about their personal reputations and liability. The board is likely to look to legal counsel and in some cases, to forensic accounting investigators to define the parameters of the project;  as to counsel, in most investigations in which counsel is involved, they are responsible for the overall conduct of the investigation and will assign and allocate resources accordingly; the internal auditor may have a variety of objectives, including not alienating management, staying on schedule to complete the annual audit plan, and not opening the internal audit team to criticism. The internal audit team may also feel embarrassed, angry, and defensive that it did not detect the wrongdoing; the external auditor may have several concerns, including whether the investigative team will conduct an investigation of adequate scope, whether the situation suggests retaining forensic accountants from the auditors’ firm, whether forensic accountants should be added to the audit team, and even whether the investigation will implicate the quality of past audits.

In summary, team work is complex, hard work.  While fraud is not an everyday occurrence at most companies, boards and auditing firms should anticipate the need to conduct a financial fraud investigation at some time in the future.  CFE’s can be an integral part of the planning for such investigations and can be of great help in designing the pre-planned team work protocols that ensure that, if a fraud exists, there is a high probability that it will be identified completely and dealt with in a timely and appropriate manner.

Fraud is Crisis

Every fraud represents the challenge of a crisis of greater or lesser degree to the organization which suffers it.

Seventy-one percent of surveyed companies told the financial press in a 2016 survey that they have some sort of general crisis management plan and/or program in place, and almost a further 12 percent indicated that they have one in development. A fraud related crisis has the further potential to have a very significant impact on the reputation of the company and its officers, on the company’s ability to reach its objectives, and even on its ability to survive.  Thus, executives are learning that crises in general are to be avoided, and if avoidance is not possible, that the crisis is to be managed to minimize harm. Directors are also learning that organization-wide crisis assessment, planning, and management must be part of a modern risk management program and, further, constitute a vital component of the overall fraud management program.

Unfortunately, the urgent nature of a major fraud precipitated crisis frequently triggers a focus simply on survival, and ethical concerns can be largely forgotten in the heat of the moment. A crisis is an event that brings, or has the potential for bringing, an organization into disrepute and can imperil its future profitability, growth and long term viability. Effective management of such events involves minimization of all harmful impacts. Crisis-driven reactions rarely approach this objective unless advanced planning is extensive and based upon a good understanding of crisis management techniques, including the importance of maintaining reputation based upon the company’s past, substantiated ethical behavior. If ethical behavior is considered of great importance by a corporation in its normal activities, ethical considerations should be even more so in crisis situations, since crisis resolution decisions usually define the company’s future reputation.

Not only are crisis decisions among the most significant made in terms of potential impact on reputation, remediation opportunities may also be lost if ethical behavior is not a definite part of the crisis management process. For example, avoidance of crises may be easier if employees are ethically sensitized to stakeholder needs; phases of the crisis may be shortened if ethical behavior is expected across the board by all employees; and/or damage to reputations may be minimized if the public expects ethical performance based on the company’s past corporate actions. Moreover, the degree of trust that ethical concern instills in a corporate culture will ensure that no information or option will be suppressed and not given to the decision maker(s) who must deal with the crisis. Finally, constant concern for ethical principles should ensure that important issues are identified and the best alternatives canvased to produce the optimal decision for the company.

Fundamental to the proper management of a crisis is an understanding of four phases of a crisis: pre-crisis, uncontrolled, controlled, and reputation restoration.  As I indicated above, the main goal of any general crisis management program should be to avoid crises on the front end (including those activated by frauds). If this is not possible, then the goals should be to minimize the impact. This can be done by anticipating crises or recognizing early warning signs (red flags) as soon as possible, and responding to soften or minimize the impact and shorten the time during which an anticipated crisis will be uncontrolled. These goals can best be achieved by proper advanced planning, by continued monitoring, and by speedy, effective decision making during the crisis.

Advanced planning for any type of crisis (including fraud) should be part of a modern enterprise risk assessment and contingency management program because of the growing recognition of the potential negative reputational impact of an unanticipated crisis. Fraud examiners can pro-actively assist in this process by conducting fraud risk assessments and by participating in brainstorming for potential problem areas, assessing the vulnerabilities identified, and devising suggested contingency plans for effective action. Second, red flags or warning indicators can be picked out that will identify what is developing so that the earliest action can be taken to minimize cost.

Seventy-three percent of the surveyed companies also reported having a senior-level management and corporate-level crisis management team that focuses on the individual crisis, and 76 percent had a crisis communication plan, which includes notification of the public, employees, government, and the media. The process of CFE assisted brainstorming to identify potential frauds should address fraud related scenarios that could arise from:

  1. Natural disasters;
  2. Technological disasters;
  3. Differences of expectations between individuals, groups, and corporations leading to confrontations;
  4. Malevolent acts by terrorists, extremists, governments, and individuals;
  5. Management values (ethical challenges) that do not keep pace with societal requirements, laws and obligations;
  6. Management deception;
  7. Management misconduct.

Managing the crisis effectively once it has happened is vital to the achievement of crisis management goals. Quick identification and assessment of a developing crisis can be instrumental in influencing the outcome efficiently and effectively. One of the defining characteristics of a crisis is that it will degenerate quickly if no timely action is taken so delay in identification and action can have serious consequences.

The 2016 survey also indicated that internal corporate training programs were apart of preparing for crisis awareness for most the respondents, and that 48 percent used outside contract trainers. Major factors listed by respondents as needing improvement in crisis management generally included internal awareness (51 percent), communication (46 percent), drills/training (38 percent), vulnerability/risk assessment (36 percent), information technology (33 percent), planning/coordinating (32 percent), and business continuity (25 percent).

Undivided attention to any crisis, but especially to fraud related crises, and avoidance of other related problems that can conflict decision makers will result in better decisions, just as will the making of advanced plans on a contingency basis and the integration of ethics into the fraud containment/response process. One of the most important aspects to keep in mind during the assessment of crises, and the avoidance or minimization of their impact, is the immediate and ongoing impact on the organization’s reputation. By reflecting on how the organization’s response to the crisis will affect the perception by stakeholders of it trustworthiness, responsibility, reliability, and credibility, decision makers can make choices that benefit all stakeholders and often enhance the organization’s reputational capital or shorten the period of its diminishment; here, as in all things fraud related, CFE’s, through their expertise and advice, have a critical role to play.

Bob the Builder

bobthebuilder

by Rumbi Petrozzello
2016 Vice President – Central Virginia ACFE Chapter

The soundtrack of my summer was a cacophony of drills, sanders and related discordant noises, all guaranteed to drive me to near insanity. Since the bulk of this seemed to be happening right outside my window, the result was a shrinking view of the sky, more views into the homes of my neighbors than I ever wanted and a near-constant film of dust on everything in our home, despite all our best efforts. I thought that construction was looming large only in my life but, coming off a trip to Nashville, Tennessee, I see that I’m far from alone. I took a tour bus around the city and, it almost seemed the city skyline was made up of little else than the silhouettes of massive construction cranes. There’s a lot going on in an industry that, at least in New York City, has a history of control by organized crime.

It’s hardly surprising – construction projects span long periods of time and require many moving parts. There can be several contractors responsible for different parts of a construction project, and each of those contractors hires subcontractors. Because projects range from moderate to long term, contractors and subcontractors will bill periodically for work in progress and, there is a lot of leeway for estimating just how much of the project has been completed. Depending on the contract, there may be head room to get paid for cost overruns and, if there’s room for that, you can be sure that someone is going to try to take advantage. There is no shortage of ways in which fraud or error can occur when it comes to construction. Controlling various aspects of the construction industry was lucrative business for organized crime for many years. Nowadays, the regular fraudster on the street has also found his way into profiting from construction related fraud – if the opportunity is there, the ethically challenged always seem to find ways to exploit it.

As forensic accountants and fraud examiners, we may find ourselves being called upon to investigate such frauds. Sometimes companies decide to be proactive and bring us in to assess, suggest and institute practices that will help prevent, detect and deter fraudulent activities. In either case, there is much that we can do. An important aspect of this type of effort is our emphasizing to the client and the wider business community the importance of well-kept and comprehensive business records. As tedious as some of this may feel to those maintaining the records, such records can prove invaluable when things go wrong. Contractors and their subcontractors should both maintain up-to-date ledgers. The ledger information should be corroborated by supporting information. Examples of critical documentation are:

  • Payroll records – this includes matching the ledger information to time cards, information from payroll processing companies and filings with city, state and federal authorities.
  • Bank statements – bank statements should be reconciled to the general ledger and there should be searches for possible bank accounts that are not reported on the ledger. Is the contractor transferring funds to accounts for related companies? What information is on the credit card statements and how does it relate to the contractors’ ledgers? Does information on brokerage accounts match information in the general ledger?
  • Invoices – do the vendors declarations of what’s going on make sense? Do their submitted expenses make sense? Can you immediately understand their expenses or is the information vague and lacking enough detail to determine what the vendor is being paid for? Have costs been misclassified? Follow the money … we should always stop and take the time to look and see where the money is going and why it’s going there.

Many construction projects employ union workers. Because unions tend to be organizations with lots of bureaucracy, it follows that they tend also to be organizations with lots of records. If a union tells you that it does not have many records, that fact alone should raise a red flag. When seeking to verify information from such organizations, there are various standard records we can request:

  • Shop steward report – This is a report that will show the names of the employees working, the times they reported for work and left and out and the number of hours worked. This information can be very useful in testing if the hours claimed are reasonable.
  • Job descriptions – Do the job descriptions make sense and do they match the employees that are claiming to be doing the work? In one case in New York City, a legally blind man was listed on the books as a heavy machinery operator. Subsequent investigation revealed that he was indeed blind; and he never went anywhere near heavy machinery.
  • Member profiles – Review benefits and see to whom the union pays those benefits. Review the records and see if anything jumps out at you as being unusual, requiring further information and perhaps investigation. Do you have a member (or members) listed who’s well-paid for not doing much?
  • Look at the records the general contractor keeps and see if they match the records kept by the union.

If you’ve been brought in to perform proactive fraud prevention and detection work, encourage and suggest that, if one does not already exist, the company set up an effective and comprehensive whistleblower program. Confidential sources are often the most important element of an investigation. These sources can also be very helpful in making sure that you ask for all the documents needed for your specific investigation and they can also make valuable suggestions precisely where else you can look for vital case information.

If my city is anything like yours, there are a lot of construction projects being planned and in the works. You don’t have to look hard at all to find media reporting on cost overruns and fraud in the construction industry. From The Big Dig in Boston to personal tales told to you by friends, there are many ways in which the moving parts of any construction project can be exploited by fraudsters. There are also many ways in which we can be of service as forensic accountants and fraud examiners to deter, detect and investigate every aspect of this exploitation.