An Ethical Toolbox

As CFE’s we know organizations that have clearly articulated values and a strong culture of ethical behavior tend to control fraud more effectively. They usually have well-established frameworks, principles, rules, standards, and policies that encompass the attributes of generally accepted fraud control. These attributes include leadership, an ethical framework, responsibility structures, a fraud control policy; prevention systems, fraud awareness, third-party management systems, notification systems, detection systems, and investigation systems.

CFE’s are increasingly being called upon to assist in the planning for an assessment of a client organization’s integrity and ethics safeguards and then as active members of the team performing the engagement. The increasing demand for such assessments has grown out of the increasing awareness that a strong ethical culture is a vital part of effective fraud prevention.  Conducting such targeted research within the client organization, within its industry; and its region will help determine the emerging risk areas and potential gaps in most organizational anti-fraud safeguards. Four key elements of integrity and ethics safeguards have emerged over the past few years.  These are the fraud control plan, handling conflicts of interest, shaping ethical dealings with third parties, and natural justice principles for employees facing allegations of wrongdoing.

The need for a fraud control plan is borne out by an organization’s potential fraud losses; typically, about five percent of revenues are lost to fraud each year, according to the ACFE’s 2016 Report to the Nations on Occupational Fraud and Abuse. A fraud control plan typically will articulate an organization’s fraud risks, controls, and mitigation strategies, including:

–Significant business activities;
–Potential areas of fraud risk;
–Related fraud controls;
–Gaps in control coverage and assurance activities;
–Defined remedial actions to minimize fraud risks;
–Review mechanisms evaluating the effectiveness of fraud control strategies.

Management should review and update the fraud control plan periodically and report the results to the audit committee and senior management. Thus, the role of the board and of the audit committee of the board are vital for the implementation of any ethically based fraud control plan. The chairman of the board is, or should be, the chief advocate for the shareholders, and completely independent of management. It is the chairman’s primary job to direct the company’s executives and drive oversight of their activities in the name of the shareholders. An independent and highly skilled audit committee chairman is essential to maintain a robust system of checks and balances over all operations. To be truly effective, the chairman must be independent of those he or she is charged with watching.  The chairmen of the board and the audit committee must devote material time to their duties. While the board can use the company’s oversight functions to maintain a checks and balances process, there is no substitute for personal, direct involvement. The board must be willing to direct inquiries into allegations of misconduct, and have unquestioned confidential spending authority to conduct reviews and investigations as it deems necessary.

One of the most effective compliance tools available to the board is the day-to-day vigilance of the company’s employees. When an individual employee detects wrongdoing, he or she must have an effective and safe method to report observations, such as a third-party ethics hotline that reports to the chairman of the board and audit committee. All employees must be protected from retribution to avoid any possibility of corrupting the process.

A zero-based budgeting process, requiring that the individual elements of the company’s budget be built from the bottom up, reviewed in detail, and justified, can identify unusual spending in numerous corporate and operating units. This provides an in-depth view of spending as opposed to basing the current year’s spending, in aggregate, on last year’s spending, where irregularities may be buried and overlooked.

In organizations with an internal audit division the overall review would typically be performed by Director of Internal Audit (CAE) whom the CFE and other specialists would support. This review should be integrated into the organization’s wider business planning to ensure synergies exist with other business processes, and should link to the organization-wide risk assessment and to other anti-fraud processes.

The ACFE tells us that there is a growing consensus that managing conflicts of interest is critical to curbing corruption. Reports indicate that unmanaged conflicts of interest continue to cost organizations millions of dollars. To minimize these risks, organizations need a clear and well-understood conflict of interest policy, coupled with practical arrangements to implement and monitor policy requirements. Stated simply, a conflict of interest occurs when the independent judgment of a person is swayed, or might be swayed, from making decisions in the best interest of others who are relying on that judgment. An executive or employee is expected to make judgments in the best interest of the company. A director is legally expected to make judgments in the best interest of the company and of its shareholders, and to do so strategically so that no harm and perhaps some benefit will come to other stakeholders and to the public interest. A professional accountant is expected to make judgments that are in the public interest. Decision makers usually have a priority of duties that they are expected to fulfill, and a conflict of interests confuses and distracts the decision maker from that duty, resulting in harm to those legitimate expectations that are not fulfilled. Sometimes the term apparent conflict of interest is used, but it is a misnomer because it refers to a situation where no conflict of interest exists, although because of lack of information someone other than the decision maker would be justified in concluding (however tentatively) that the decision maker does have one

A special or conflicting interest could include any interest, loyalty, concern, emotion, or other feature of a situation tending to make the decision maker’s judgment (in that situation) less reliable than it would normally be, without rendering the decision maker incompetent. Commercial interests and family connections are the most common sources of conflict of interest, but love, prior statements, gratitude, and other subjective tugs on judgment can also constitute interest in this sense.

The perception of competing interests, impaired judgment, or undue influence also can be a conflict of interest. Good practices for managing conflicts of interest involve both prevention and detection, such as:

–Promoting ethical standards through a documented, explicit conflict of interest policy as well as well-stated values and clear conflicts provisions in the code of ethics;
–Identifying, understanding, and managing conflicts of interest through open and transparent communication to ensure that decision-making is efficient, transparent, and fair, and that everyone is aware of what to do if they suspect a conflict;
–Informing third parties of their responsibilities and the consequences of noncompliance through a statement of business ethics and formal contractual requirements;
–Ensuring transparency through well-established arrangements for declaring and registering gifts and other benefits;
–Ensuring that decisions are made independently, with evidence that staff and contractors routinely declare all actual, potential, and perceived conflicts of interests, involving at-risk areas such as procurement, management of contracts, human resources, decision-making, and governmental policy advice;
–Establishing management, internal controls, and independent oversight to detect breaches of policy and to respond appropriately to noncompliance.

Contemporary business models increasingly involve third parties, with external supplier costs now representing one of the most significant lines of expenditure for many organizations. Such interactions can provide an opportunity for fraud and corruption. An enterprise’s strong commitment to ethical values needs to be communicated to suppliers through a Statement of Business Ethics. Many forward-thinking organizations already have codes of ethics in place that set out the values and ethical expectations of both their board members and staff. The board code of conduct should define the behavioral standards for members, while the staff code of conduct should detail standards for employee conduct and the sanctions that apply for wrongdoing. Similar statements also are appropriate for third parties such as suppliers, service providers, and business partners.

A statement of business ethics outlines both acceptable and unacceptable practices in third-party dealings with an organization. Common features include:

–The CEO’s statement on the organization’s commitment to operating ethically;
–The organization’s values and business principles;
–What third parties can expect in their dealings with the organization and the behaviors expected of them;
–Guidance related to bribery, gifts, benefits, hospitality, travel, and accommodation; conflicts of interest; confidentiality and privacy of information; ethical communications; secondary employment; and other expectations.
–Contact information for concerns, clarification, reporting of wrongdoing, and disputes.

Once established, the organization needs to implement a well-rounded communication strategy for the statement of business ethics that includes education of staff members, distribution to third parties, publication on the organization’s website, references to it in the annual report, and inclusion in future tender proposals and bid packs.

Engaged and capable employees underpin the success of most organizations, yet management does not always recognize the bottom-line effects and employee turnover costs when innocent employees are the subject of allegations of fraud and other wrongdoing. About 60 percent of allegations against employees turn out to be unsubstantiated, according to the ACFE. A charter of rights compiles in a single document all the information that respondents to allegations of wrongdoing may require. Such a charter should be written in an easy-to-understand style to meet the needs of its target audience. It should:

–Outline the charter’s purpose, how it will operate, how it supports a robust complaints and allegations system, and how it aligns with the organization’s values;
–Describe how management handles workplace allegations and complaints, and ensure principles of natural justice and other legislative obligations, such as privacy, are in place;
–Provide a high-level overview diagram of the allegation assessment and investigation process, including the channels for submitting allegations; the distinct phases for logging, assessing, and investigating the allegations; and the final decision-making phase;
–Include details of available support such as contact information for human resource specialists, details about an external confidential employee help line, and processes for updates throughout the investigation;
–Illustrate the tiered escalation process for handling allegations that reflects (at one end) how issues of a serious, sensitive, or significant nature are addressed, and encourages (at the other end) the handling of low level localized issues as close to the source as possible;
–Provide answers to frequent questions that respondents might have about the process for dealing with allegations, such as “What can I expect?” “Are outcomes always reviewable?” “What does frivolous and vexatious mean?” “What will I be told about the outcome?” and “What happens when a process is concluded?”;
–Outline the options for independent reviews of adverse investigation outcomes.

The Who, the What, the When

CFEs and forensic accountants are seekers. We spend our days searching for the most relevant information about our client requested investigations from an ever-growing and increasingly tangled data sphere and trying to make sense of it. Somewhere hidden in our client’s computers, networks, databases, and spreadsheets are signs of the alleged fraud, accompanying control weaknesses and unforeseen risks, as well as possible opportunities for improvement. And the more data the client organization has, the harder all this is to find.  Although most computer-assisted forensic audit tests focus on the numeric data contained within structured sources, such as financial and transactional databases, unstructured or text based data, such as e-mail, documents, and Web-based content, represents an estimated 8o percent of enterprise data within the typical medium to large-sized organization. When assessing written communications or correspondence about fraud related events, CFEs often find themselves limited to reading large volumes of data, with few automated tools to help synthesize, summarize, and cluster key information points to aid the investigation.

Text analytics is a relatively new investigative tool for CFEs in actual practice although some report having used it extensively for at least the last five or more years. According to the ACFE, the software itself stems from a combination of developments in our sister fields of litigation support and electronic discovery, and from counterterrorism and surveillance technology, as well as from customer relationship management, and research into the life sciences, specifically artificial intelligence. So, the application of text analytics in data review and criminal investigations dates to the mid-1990s.

Generally, CFEs increasingly use text analytics to examine three main elements of investigative data: the who, the what, and the when.

The Who: According to many recent studies, substantially more than a half of business people prefer using e-mail to use of the telephone. Most fraud related business transactions or events, then, will likely have at least some e-mail communication associated with them. Unlike telephone messages, e-mail contains rich metadata, information stored about the data, such as its author, origin, version, and date accessed, and can be documented easily. For example, to monitor who is communicating with whom in a targeted sales department, and conceivably to identify whether any alleged relationships therein might signal anomalous activity, a forensic accountant might wish to analyze metadata in the “to,” “from,” “cc,” or “bcc” fields in departmental e-mails. Many technologies for parsing e-mail with text analytics capabilities are available on the market today, some stemming from civil investigations and related electronic discovery software. These technologies are like the social network diagrams used in law enforcement or in counterterrorism efforts.

The What: The ever-present ambiguity inherent in human language presents significant challenges to the forensic investigator trying to understand the circumstances and actions surrounding the text based aspects of a fraud allegation. This difficulty is compounded by the tendency of people within organizations to invent their own words or to communicate in code. Language ambiguity can be illustrated by examining the word “shred”. A simple keyword search on the word might return not only documents that contain text about shredding a document, but also those where two sports fans are having a conversation about “shredding the defense,” or even e-mails between spouses about eating Chinese “shredded pork” for dinner. Hence, e-mail research analytics seeks to group similar documents according to their semantic context so that documents about shredding as concealment or related to covering up an action would be grouped separately from casual e-mails about sports or dinner, thus markedly reducing the volume of e-mail requiring more thorough ocular review. Concept-based analysis goes beyond traditional search technology by enabling users to group documents according to a statistical inference about the co-occurrence of similar words. In effect, text analytics software allows documents to describe themselves and group themselves by context, as in the shred example. Because text analytics examines document sets and identifies relationships between documents according to their context, it can produce far more relevant results than traditional simple keyword searches.

Using text analytics before filtering with keywords can be a powerful strategy for quickly understanding the content of a large corpus of unstructured, text-based data, and for determining what is relevant to the search. After viewing concepts at an elevated level, subsequent keyword selection becomes more effective by enabling users to better understand the possible code words or company-specific jargon. They can develop the keywords based on actual content, instead of guessing relevant terms, words, or phrases up front.

The When: In striving to understand the time frames in which key events took place, CFEs often need to not only identify the chronological order of documents (e.g., sorted by or limited to dates), but also link related communication threads, such as e-mails, so that similar threads and communications can be identified and plotted over time. A thread comprises a set of messages connected by various relationships; each message consists of either a first message or a reply to or forwarding of some other message in the set. Messages within a thread are connected by relationships that identify notable events, such as a reply vs. a forward, or changes in correspondents. Quite often, e-mails accumulate long threads with similar subject headings, authors, and message content over time. These threads ultimately may lead to a decision, such as approval to proceed with a project or to take some other action. The approval may be critical to understanding business events that led up to a particular journal entry. Seeing those threads mapped over time can be a powerful tool when trying to understand the business logic of a complex financial transaction.

In the context of fraud risk, text analytics can be particularly effective when threads and keyword hits are examined with a view to considering the familiar fraud triangle; the premise that all three components (incentive/pressure, opportunity, and rationalization) are present when fraud exists. This fraud triangle based analysis can be applied in a variety of business contexts where increases in the frequency of certain keywords related to incentive/pressure, opportunity, and rationalization, can indicate an increased level of fraud risk.

Some caveats are in order.  Considering the overwhelming amount of text-based data within any modern enterprise, assurance professionals could never hope to analyze all of it; nor should they. The exercise would prove expensive and provide little value. Just as an external auditor would not reprocess or validate every sales transaction in a sales journal, he or she would not need to look at every related e-mail from every employee. Instead, any professional auditor would take a risk-based approach, identifying areas to test based on a sample of data or on an enterprise risk assessment. For text analytics work, the reviewer may choose data from five or ten individuals to sample from a high-risk department or from a newly acquired business unit. And no matter how sophisticated the search and information retrieval tools used, there is no guarantee that all relevant or high-risk documents will be identified in large data collections. Moreover, different search methods may produce differing results, subject to a measure of statistical variation inherent in probability searches of any type. Just as a statistical sample of accounts receivable or accounts payable in the general ledger may not identify fraud, analytics reviews are similarly limited.

Text analytics can be a powerful fraud examination tool when integrated with traditional forensic data-gathering and analysis techniques such as interviews, independent research, and existing investigative tests involving structured, transactional data. For example, an anomaly identified in the general ledger related to the purchase of certain capital assets may prompt the examiner to review e-mail communication traffic among the key individuals involved, providing context around the circumstances and timing, of events before the entry date. Furthermore, the forensic accountant may conduct interviews or perform additional independent research that may support or conflict with his or her investigative hypothesis. Integrating all three of these components to gain a complete picture of the fraud event can yield valuable information. While text analytics should never replace the traditional rules-based analysis techniques that focus on the client’s financial accounting systems, it’s always equally important to consider the communications surrounding key events typically found in unstructured data, as opposed to that found in the financial systems.

Not Just the Hotline

Prior to our Chapter’s last scheduled live training event, I was invited as a presenter to an orientation session for a group of employees serving as staff to a local government fraud, waste and abuse hotline. Anonymous communications, often called “tips,” may take various forms, including a posted letter, telephone call, fax, or e-mail. Long gone are the days when any governmental or private organization receiving such a communication would feel comfortable disregarding it. In today’s environment, such communications are almost always taken seriously, and significant efforts are made to resolve every credible allegation. By their very nature, such investigations are triggered suddenly and generally require a prompt and decisive response, even if only to establish that the allegations are unfounded or purely mischievous. The allegations may be in the form of general statements or they may be very specific, identifying names, documents, situations, transactions, or issues. From the CFE’s or forensic investigator’s perspective, no matter what form they take or how they are received, anonymous communications addressed to the client can pose challenging investigative issues in themselves whose complexity is often under-estimated.

The initiators of such tips can be motivated by a variety of factors, which range from the possibility of monetary gain (substantial monetary recovery is available to whistleblowers under the U.S. False Claims Act), to moral outrage, to genuine concern over an issue or simply from the desire of a disgruntled employee to air an issue or undermine a colleague. Adding to the complication, legislation such as Sarbanes-Oxley and the raft of on-going private and governmental scandals, the increased scrutiny of health care providers and of defense contractors have all served to raise public awareness of whistle-blower programs specifically and of the importance of anonymous reporting mechanisms in general.

With hotlines now so ubiquitous, it’s equally important for investigators to be aware that anonymous tips come in not only to formal public hotlines but in a wide variety of forms and through many channels; such communications can come addressed to various individuals and groups within the company or to outside entities, to government agencies, and even via outside news agencies. Typical recipients within the company of non-hotline tips can be expected to be legal counsel, audit committee members, senior management, department supervisors, human resources managers and the compliance or ethics officer. A tip may take the form of a typical business letter addressed to the company, an e-mail (usually from a nontraceable account), or an official internal complaint. It may also duplicate tips submitted to news agencies, competitors, web site postings, chat rooms, or government agencies. It may also be a message to an internal ethics hotline phone number. Whatever form it takes, a tip may contain allegations that, while factually correct at its core, may also include embellishments or inaccurate information, wildly emotional allegations, or poor grammar. Further, the communication structure of the tip may be disorganized, repetitive, display unprioritized thoughts and mix key issues with irrelevant matters and unsupported subjective opinions. In other cases, while the tip’s information about specific issues may not be correct, it may contain a grain of truth or may identify elements of several unrelated but potentially troubling issues.

In some situations, the allegations aired in an anonymous tip may be known within the company and labeled as rumors or gossip. Some whistle-blowers are neither gossip hounds nor disgruntled employees but, rather, frustrated employees who have tried to engage management about a problem and have gone unheard. Only then do they file a complaint by sending a letter or an e-mail or by making a phone call.  While one should never leap to a specific conclusion upon receipt of an anonymous communication, inaction is never a recommended option. One of the dangers of ignoring an anonymous tip that wasn’t initially received via the hotline is that a situation that can be satisfactorily addressed with prompt action at lower levels or locally within the organization may become elevated to higher levels or to third parties and even to regulatory bodies outside the entity because the whistle-blower believes the communication has been side-lined or shunted aside. This can have damaging consequences for an organization’s reputation and brands if the allegations become public or attract media attention and a cover-up appears to have occurred, however well-intentioned the organization may have been. Ignoring an anonymous tip also may negatively impact staff morale and motivation, if suspicions of impropriety are widespread among staff and it appears that the employer is uninterested or doing nothing to rectify the situation. Ultimately, management may leave itself open to criticism or perhaps the danger of regulatory censure or legal action by stakeholders or authorities if it cannot demonstrate that it has given due consideration to the issues raised in an anonymous communication.

Once notified by a client of the receipt of an anonymous tip, the CFE or forensic accounting investigator should obtain an understanding of all the circumstances of that receipt. While the circumstances on the surface may appear unremarkable and trivial, that information is often a key factor in determining the best approach to dealing with a tip and, more broadly, often provides clues that are helpful in other areas. Initial facts and circumstances to be established include:

• How? This refers to how the information was conveyed—for example, whether it was in a letter, phone call, or e-mail and whether the letter was handwritten or typed. Additionally, the forensic accounting investigator seeks to determine whether the message includes copies of corporate documents or references to specific documents and whether the tip is anonymous, refers to individuals, or is signed.
• When? This includes establishing the date on which the message was received by the entity, the date of the tip, and in the case of a letter, the postmark date and postmark location.
• Where? This involves establishing where the tip was sent from, be it a post office, overseas, a private residence, within the office, a sender’s fax number, or an e-mail account.
• Who? To whom was the tip sent? Was it a general reference such as “To whom it may concern”? A specific individual? A department such as the head office or internal audit? The president’s office? The press? A competitor? Sometimes an anonymous notification will indicate that another entity has been copied on the document; this requires verification. Always consider the possibility that the tip may have been sent to the auditor and/or to the U.S. Securities and Exchange Commission.
• What? This refers to understanding the allegations and organizing them by issue. Often, a tip will contain many allegations that are variations on the same issue or that link to a common issue. For this reason, it is often helpful to formally summarize in writing the tip by issues and related sub-issues. Does the information in the tip contain information that may be known only to a certain location or department? If so, that may point to a group of individuals or former employees as the source of the tip.
• Why? What is the possible motivation for the tip? Issues with misreporting financial information? Ethical decisions? Disgruntled employee? Former employee airing grievances?

For many organizations, whistle-blower communications have become almost daily phenomena. But many of the most serious allegations don’t arrive via a hotline.  This is largely because in the wake of corporate scandals, lawmakers and ethics authorities are responding to public concern by encouraging employee monitoring of corporate ethics and affording some statutory protections for whistle-blowers. Dealing with the unexpected anonymous tip that triggers a CFE conducted investigation can be a challenging matter, even for the most seasoned investigator. Objective analysis and the strategic approach taken by professionals skilled in corporate investigations can assist clients in successfully addressing issues that may have serious legal and financial implications. Protection of employees from retaliatory action and the
company’s need to decide whether and to whom to disclose information are among the many issues created by the receipt of anonymous tips.  For the CFE, the key to resolving cases of anonymous tips usually involves a detailed examination of copious amounts of data obtained from various sources such as interviews, public records searches, data mining, hard-copy document review, and electronic discovery. A careful, experience-based investigative strategy is imperative to address the circumstances surrounding the transmittal and receipt of any anonymous tip and to tackle its allegations prudently and thoroughly.

Asked and Answered

Some months ago, I was involved as a member of an out-of-town fraud examination team during which the question of note taking during an investigative interview arose. A younger member of the team (a junior internal auditor) wanted to know about approaches to the documentation of not just one, but possibly of the several prospective interview sessions it initially appeared might be necessary regarding the examination.

As the ACFE tells us, notes, whether handwritten or recorded, always send an unambiguous signal to the subject that the interviewer is memorializing his or her comments. Interviews without notes are significantly limited in their value and may even signal to the interview subject that it may later be just a question of her word against the interviewer’s. If the interviewer takes only cryptic or shorthand notes and later reviews those notes with the subject to confirm what was said, the interviewer should recognize that the notes, while confirmed and edited to a certain extent, will still be less than complete.

On the other hand, tape recording an interview is a significant obstacle to full cooperation. People are reluctant to be recorded. For the most part, the use of tape recorders to take notes is not recommended in situations involving a potential fraud. Most subjects will resist the use of recorders and, even in circumstances where the subject may have agreed to their use, their responses will be more guarded than if a recorder was not used. If a recorder is used, be sure to begin the taping by recording the date, time, names of the individuals present, and an acknowledgment by the subject that they know the interview is being recorded and they have agreed to be recorded.

Once the interviewer has determined how s/he will document the interview, s/he should ask the subject if it is okay to take notes or record the session. It is the polite and professional thing to do and it serves two purposes:

–It is part of the process by which the subject is encouraged to be a participant;
–If the subject balks or tells the interviewer she does mind that the interviewer takes notes, it can open a line of questioning by the interviewer to determine the exact cause of the subject’s objections;

The subject should always be advised that note taking is critical to the integrity of the process and that notes ensure that what the subject says is documented properly. Failure to take notes limits the information to the memory and interpretation of the interviewer.  In a professional setting, most subjects will understand the critical nature of notes. Very few people will say it is not all right to take notes, regardless of how they feel about it. If they are absolutely opposed to the taking of notes, find out why and concentrate on what the subject says and reduce the interview to notes as quickly as possible after the interview. With a hostile subject who opposes note taking, the interviewer can ask if it is okay for her to make selected notes regarding dates or things the interviewer might not remember later. The interviewer can explain that it is important that s/he understand the subject’s position or communication correctly. If the subject is still adamant about the interviewer not taking notes, it should be documented in the interviewer’s report.

As the fraud interviewer develops his or her interviewing skill set, s/he should concentrate on taking verbatim notes which, among other things, include, at a minimum, nouns, pronouns, and verbs. Some practitioners recommend that the interviewer not attempt to write everything down. The argument is that, in doing so, the interviewer will not have an opportunity to observe the subject’s nonverbal communications.

The generally accepted recommendation is, therefore, where feasible, that the interviewer take down verbatim as much of what the subject says as is possible. This includes repeated words and parenthetical comments. This practice allows the interviewer to later review what the subject said as opposed to what the interviewer thought the subject said. Note taking also provides additional documentation of what the subject is communicating and (when reviewed after the fact in the light of additional knowledge) of what the subject has excluded.

During the act of taking notes, the interviewer should exercise caution. Taking notes intermittently can signal to the subject that the interviewer takes notes only when the information is important. Conversely, if, during the interview, a very sensitive area is broached, or if the subject indicates that s/he is uncomfortable with an area or issue, the interviewer can put her pencil down, lean forward, establish good eye contact, and listen to the subject. The simple suspension of note taking may place the subject at ease. As soon as the interview moves to a less sensitive area, the interviewer should try to reduce the previously mentioned sensitive area to notes. If the subject associates note taking with core interview information, the subject may interpret continued note taking as encouragement to continue talking.

The interviewer should not write down interpretive comments while taking notes. The interviewer should however make notes, where appropriate, in cases where verbal and
nonverbal indications of both resistance or cooperation are found.

The interviewer should always take notes with the possibility in mind that the notes may be subjected to third party scrutiny. This scrutiny may extend to opposing counsel in the event of litigation. The interviewer’s notes may or may not be privileged materials. With this in
mind, the interviewer should consider the following:

–Begin each separate set of interview notes on a clean page;
–Identify the date, time, and place of the interview and all the individuals present at the interview;
–Obtain as much background data on the subject as possible, including telephone numbers, and identify means of contacting him or her, including alternate numbers for family and friends;
–Initial and date the notes;
–Document the interviewer’s questions;
–Take verbatim notes if possible. Concentrate, but do not limit notes of the subject’s responses to:
• Nouns
• Pronouns
• Verb tense
• Qualifiers
• Indicators of responsibility, innocence, or guilt
–Do not document conclusions or interpretations;
–Report any unusual change in body language in an objective manner. Document the changes in body language and tone, if applicable, in conjunction with notes of what the subject or interviewer said at the time the body language or tone changed;
–At the conclusion of the interview, review the notes with the subject to confirm what the subject has said.

Finally, following the interview, your notes should be reproduced in printed form as quickly as possible.  Enough cannot be said for the value of a well-documented set of interview notes for every aspect of a subsequent investigation; their presence or absence can make or break your entire case.

Small Scale Electronic Crime Scenes

Most frauds aren’t Enron.  As the ACFE tells us, most frauds encountered by practicing CFE’s are what I like to call “small crime-scene frauds” perpetrated by long time employees like Mary who works in a back office keeping the books, knows everything about the company, and who has been quietly embezzling lesser amounts of company funds without detection for the last fifteen years.  In today’s environment, Mary will be doing her work on a desktop computer, probably connected to a small network with internet access.  Mary’s workstation and the simple network supporting it constitute an electronic crime-scene to be investigated as thoroughly and with as much attention to detail as possible and accompanied by a full set of investigative documentation if there is ever to be any hope of obtaining a conviction (should Mary’s employer, your client, finally decide to go that way).

It goes without saying that the investigator or team of investigators to any crime scene, large or small, have the primary responsibility of protecting all the computer and related electronic evidence that might be useful in a future civil or criminal action. Evidence is where the CFE or other investigators find it. While crime scene evidence from personal and property crimes might be in plain view, computer and electronic evidence is subtler and might not be as evident or obvious at the scene.  In general, first responders at any scene can destroy critical latent evidence if they lack training in the proper identification, collection, and packaging procedures for the type of investigation. This means that both corporate security departments and law enforcement agencies routinely involved in such investigations specially train their personnel in computer and electronic investigative techniques. Much of the potential evidence at a small-scale scene might be circumstantial, but it could possibly be used to support the primary physical and direct evidence that a detailed investigation will later develop. A list of inappropriate purchases and related amounts found on Mary’s workstation at the crime scene could be persuasive to a jury if properly obtained.

Thus, education and preparation are major components of any successful crime scene search for electronic evidence. However, our corporate clients need to be made aware of what all law enforcement agencies know, that in-house or external security personnel, whose background might sometimes even include the performance of criminal crime scene searches, are usually not qualified for large or small-scale computer crime scene searches.

The basic steps involved in a small-scale computer site investigation include the following:

–Secure and protect the scene;
–Initiate a preliminary survey;
–Evaluate physical evidence possibilities;
–Prepare a narrative description;
–Take photographs of the scene;
–Prepare a diagram/sketch of the scene;
–Conduct a detailed search and record and collect physical evidence;
–Conduct a final survey;
–Release the crime scene.

Although a number of these steps also apply to crime scene searches for crimes involving misdemeanors and felonies, the orientation of their performance in the investigation of an electronic crime scene is more technical in nature. When a computer or some electronic device is suspected of having been used as a tool in the perpetration of a crime, normal evidence gathering techniques for computer forensics processing should always be followed. It does not matter whether the crime scene is also suspected of having been additionally involved in a separate fraud issue, a civil, or a criminal investigation; if a computer or other electronic device is involved, the steps will be the same in all cases.

It is also essential that the organization’s computer personnel be excluded from the crime scene. Most computer specialists are not familiar with computer forensics techniques and individuals among them could have been involved in the crime, wittingly or unwittingly. Additionally, security must be provided for the area while the investigation is proceeding. Any employees or visitors who subsequently enter the scene need to be identified.  Try to identify in writing anyone who has routine access to the site or anyone who might have a reason to be involved with the scene generally. Do not rely on your memory alone, as it will not sufficiently support you in a court of law.

Computer and electronic evidence usually takes on the same general forms with which we’re all familiar: computer hardware, peripherals, cell phones, hand held devices, various storage media, digital cameras, and the list goes on. The investigator will have a general knowledge of the types of evidence that can be collected from each of these devices; however, s/he must be prepared for new devices showing up at any crime scene at any time. A cautious walkthrough is a good first step to get a feel for the complexity of the site. In addition to a workstation, several additional workstations or areas might become part of the investigation. Keep in mind that due to the networking configurations of even today’s smallest systems, remote sites might probably be involved in the investigation.

The investigator(s) should strive to maintain a continuing level of control of the situation and of the physical site during the investigation.  An inventory log and chain-of-custody form should be completed and photographs made of all relevant devices and related electronic evidence. Specific activities that might be included in this phase of the investigation include:

–Determination of all the locations that might need to be searched;
–Look out for any specific issues that need to be addressed relating to pieces of hardware and software;
–Identification of any possible personnel and equipment needed for the investigation but not yet on-site;
–Determination of which devices can be physically removed from the site;
–Identification of all individuals who have had access to the computer or electronic resources material to the investigation.

The evaluation of physical evidence is a continuation of the preliminary survey and may not be perceived as a separate step. After the site is thoroughly photographed, a more detailed search can begin. Before any devices are handled, remember that fingerprint evidence might become evidence in establishing who used these devices. The smallest, most insignificant appearing piece of evidence might clinch a case. Any network capability and connections to the computer site must be identified. Networking can broaden any investigation considerably. If there is an internet connection, it can become a worldwide investigation involving various internet service providers and the possibility of subpoenas. Cell-phone evidence may involve various telephone network carriers and additional subpoenas.  Prioritize the evidence collection process to prevent loss, destruction, or modification. Focus first on items easily identifiable and accessible and proceed to identified out-of-sight evidence. Look for the obvious first, the suspect might have been sloppy.

A journal or narrative must be prepared concerning the investigation and the crime scene search. Anything and everything is important when conducting the scene investigation. Remember that the defense attorney is going to query any witnesses on the most obscure item possible. A technique suggested by the ACFE is to represent crime scenes in a “general to specific” scheme. Describe the site in broad terms and then get very specific with details. A sound idea is to cross-reference a chronological journal with the photographic evidence and a chain-of-custody form. The narrative effort should not degenerate into a sporadic and unorganized attempt to recover physical evidence. Under most circumstances, evidence should not be collected while developing the narrative. The narrative process can be accomplished by using audio, video, or text. Remember the axiom “haste makes waste.”

Developing a photographic profile of the crime scene is a requirement for any computer forensic investigation no matter how small. Photographs should be taken as soon as the incident scene is secured and before any computers or electronic devices are moved. Photographs should be taken from all angles of the physical site. Close-ups of cable connections for all devices should be included. Note these cables will need to be separately tagged in another step. Any video screens displayed would be photographed. The photographic effort needs to be recorded in a photographic log.  Photographs should be taken as soon as possible to depict the scene as it is observed before anything is handled, moved, or introduced to the scene. Photographs allow a visual permanent record of the crime scene and items of evidence collected from the crime scene.

A diagram or sketch establishes a permanent record of items, conditions, and distance/size relationships. They also supplement the photographic record. Usually a rough sketch is drawn at the crime scene and is used as a model for a complete, formal document that would be completed later. The sketch can be coordinated with any logs or journals via a numbering scheme. Sketches are used along with the reports and photographs to document the scene. A crime scene sketch is simply a drawing that accurately shows the appearance of a crime scene.

The CFE will usually have a general idea from discussions with the client as to the types of evidence that s/he will find at the incident scene. A checklist can be developed that will identify most types of computer and electronic evidence that might be at a small-scale crime scene. The major difference between investigations will probably be the size of the computer system and the amount of disk storage that will need to be secured or imaged. Seizure of electronic devices, such as cell phones and iPads, should not pose any special problems due to their small size. It might be necessary to determine the amount of disk storage records that need to be copied or imaged for later forensic analysis. On large data bases or for data in the cloud it will be next to impossible to copy or image the entire storage device. In these cases, a forensic examination might have to occur partly at the crime scene and partly off-site once the required permissions for data access are received from the data owners of record.

Conflicts in documentation can cause considerable grief in a court of law. Also, if a computer system is to be reconstructed later, cable connections and maps must be precise. There are four basic premises to the search, recording, and collection phase of a small- scale investigation. These premises are as follows:

–The best search options are typically the most difficult and time consuming;
–The physical evidence cannot be over-documented;
–There is generally only one best chance to properly perform the investigative task;
–Cautious searching of visible areas and identification and searching of relevant off-site areas is crucial.

After the investigative team has completed all tasks relating to the search, recording, and collection phases at the small-scale crime scene, a critical review should be conducted to ensure that nothing has been missed. This is the last chance to cover all the bases and ensure nothing has been overlooked. The investigators must ensure that they have gone far enough in the search for evidence, documented all essential things, and made no assumptions that may prove to be incorrect later.

–Double-check documentation to detect inadvertent errors;
–Check to ensure all evidence is accounted for before leaving the crime scene;
–Ensure all forensic hardware and software used in the search is gathered;
–Ensure possible hiding places of evidence and difficult areas for access have not been overlooked;

An incident scene debriefing is the best opportunity for personnel and participants to ensure the investigation is complete.

The last step in the evidence investigation phase for a small-scale crime scene featuring electronic evidence is to release the incident scene back to its owners. The release is accomplished only after completion of the final survey. The individual investigator or team should provide an inventory of the items seized to the client owner/manager of the scene. A receipt for electronic evidence must be completed for any devices seized. A formal document should be provided that specifies the time and date of the release, to whom released, and by whom released.

For Appearance Sake

By Rumbi Petrozzello, CPA/CFF, CFE
2017 Vice-President – Central Virginia Chapter ACFE

Last Thursday, the 15th of June 2017, the New York State Senate Committee on Ethics and Internal Governance met. The previous sentence reads like a big yawn with which no one, beyond perhaps the members of the committee itself, would be concerned. However, this meeting was big news. The room was packed with members of the media and every member of the committee was in attendance. Why? Because this was the first meeting the committee had empaneled since 2009, as confirmed by the committee’s published archive of events. It turns out that it was indeed a big deal that all committee members were in attendance because, for eight years straight, none of the committee members had attended a single meeting.

If you are thinking that the ethics committee did not meet for eight years because there were no ethical issues to discuss and our state’s legislative leadership practiced only ethical and upright behavior, you would be sorely mistaken. John Sampson, the State Senator who chaired the committee at that last meeting in 2009 was found guilty, of obstruction of justice and of lying to federal agents in 2015 and sentenced to jail time in January 2017. Evidently, taking their cues from the tone at the top evidenced by the leadership of their ethics committee, during the same eight-year meeting hiatus, seven other state senators were convicted on charges that included mail fraud, looting a nonprofit and bribery.

So, you might ask, what happened at the meeting last week? The committee had come together to discuss stipends, that are supposed to go to committee chairs, that were apparently also being paid to committee vice-chairs (and, in one case, to a deputy vice-chair, whatever that is). There was a motion proposed to stop making these payments to anyone but the committee chair. It seems that just coming together was more than enough work for the committee and, therefore, they tabled the motion, a motion that would not even have been binding, until its next meeting. It should be noted that two of the senators receiving this chair stipend, as vice-chairs, serve on the ethics committee and both voted to postpone voting on the motion. It would be laughable if it were a laughing matter.

Think about where you work and about all the clients with whom we work, as fraud examiners and forensic accountants. We work with our clients and with those who employ us to suggest comprehensive policies that cover good business practices and ethical behaviors and actions. Reading about the shenanigans of the State Senate Committee on Ethics recalled several thoughts:

The assumption that personnel will automatically be motivated to behave as corporate owners want is no longer valid. People are motivated more by self-interest than in the past and are likely to come from backgrounds that emphasize different priorities of duty. As a result, there is greater need than ever for clear guidance and for identifying and effectively managing threats to good governance and accountability.

Even when different employee backgrounds are not an issue, personnel can misunderstand the organization’s objectives and their own role and fiduciary duty. For example, many directors and employees at Enron evidently believed that the company’s objectives were best served by actions that brought short term profit:

—through ethical dishonesty, manipulation of energy markets or sham displays of trading floors;
—through book keeping that was illusory;
—through actions that benefited themselves at the expense of other stakeholders.

Frequently, employees are tempted to cut ethical corners, and they have done so because they believed that their top management wanted them to; they were ordered to do so; or they were encouraged to do so by misguided or manipulative incentive programs. These actions occurred although the board of directors would have preferred (sometimes with hindsight) that they had not. Personnel simply misunderstood what was expected by the board because guidance was unclear or they were led astray and did not understand that they were to report the problem for appropriate corrective action, or to whom or how.

Among our clients, lack of proper guidance or reporting mechanisms may have been the result of directors and others not understanding their duties as fiduciaries. Directors owe shareholders and regulators several duties, including obedience, loyalty, and due care. Recognition of the increasing complexity, volatility and risk inherent in modern corporate interests and operations, particularly as their scope expands to diverse groups and cultures has led to the requirement for risk identification, assessment and management systems.

  • If our client businesses want to do an excellent job at implementing effective ethics programs, orientation of new employees should always involve a review of the code of ethical practice by the staff tasked with compliance and with enforcing policies. How many entities are actively practicing what they preach during such sessions? The values that a company’s directors wish to instill to motivate the beliefs and actions of its personnel need to be conveyed to provide the required guidance. Usually, such guidance takes the form of a code of conduct that states the values selected, the principles that flow from those values, and any rules that are to be followed to ensure that appropriate values are respected.
  • After orientation, what steps are companies taking to maintain their ethics programs on an on-going basis? Principles are more useful to employees than just rules because principles facilitate interpretation when the precise circumstances encountered do not exactly fit the rules prescribed. A blend of principles and rules is often optimal in maintaining of a code of conduct in the long term.
  • Is leadership periodically coming together to talk about where their firm stands when it comes to ethics and compliance? A code on its own may be nothing more than ‘ethical art’ that hangs on the wall but is rarely studied or followed. Experience has revealed that, to be effective, a code must be reinforced by a comprehensive ethical culture.
  • Is anyone reviewing how whistleblowing claims are being dealt with? Does the company even have a whistleblower program? If so, does the staff even know about it and how it works? Whistle-blowers are part of a needed monitoring, risk management and remediation system.
  • Is leadership setting a positive tone at the top and displaying the behaviors that it is demanding from employees? The ethical behavior expected must be referred to in speeches and newsletters by top management as often as they refer to their health and safety programs, or to their antipollution program or else it will be viewed as less important by employees. If personnel never or rarely hear about ethical expectations, they will perceive them as not a serious priority.

Once, I worked at a company where senior management smoked in the office; behavior that is illegal and was, on paper, not allowed. When staff members complained to human resources, no corrective action was taken. Frustrated, some staff members called the city hotline to file a report. Following visits from the city, human resources put up no smoking signs and then notices encouraging employees to keep reports of inappropriate staff smoking internal. By only paying lip service to policy, this company’s management seemed populated by future candidates for the State’s Senate Ethics Committee. But my former employer doesn’t stand alone as evidenced by frauds at Wells Fargo and at others. A company can pull out screeds of rules and regulations, but what matters most is what the staff knows and what the leadership does.

In the case of the New York State Senate Committee on Ethics and Internal Governance, what it did was delay a vote on the issues before it until the next meeting. And when will the next meeting be? After taking eight years to set up its last meeting, the committee was in no hurry to set a date for the next. They adjourned without scheduling the next one. They did, however, take a moment to congratulate themselves on attending this meeting. You can’t forget the important stuff.

Fraud Risk Assessing the Trusted Insider

A bank employee accesses her neighbor’s accounts on-line and discloses this information to another person living in the neighborhood; soon everyone seems to be talking about the neighbor’s financial situation. An employee of a mutual fund company accesses his father-in-law’s accounts without a legitimate reason or permission from the unsuspecting relative and uses the information to pressure his wife into making a bad investment from which the father-in-law, using money from the fund account, ultimately pays to extricate his daughter. Initially, out of curiosity, an employee at a local hospital accesses admission records of a high-profile athlete whom he recognized in the emergency room but then shares that information (for a price) with a tabloid newspaper reporter who prints a story.

Each of these is an actual case and each is a serious violation of various Federal privacy laws. Each of these three scenarios were not the work of an anonymous intruder lurking in cyberspace or of an identity thief who compromised a data center. Rather, this database browsing was perpetrated by a trusted insider, an employee whose daily duties required them to have access to vast databases housing financial, medical and educational information. From the comfort and anonymity of their workstations, similar employees are increasingly capable of accessing personal information for non-business reasons and, sometimes, to support the accomplishment of actual frauds. The good news is that CFE’s can help with targeted fraud risk assessments specifically tailored to assess the probability of this threat type and then to advise management on an approach to its mitigation.

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 update of the Internal Control Integrated Framework directs organizations to conduct a fraud risk assessment as part of their overall risk assessment. The discussion of fraud in COSO 2013 centers on Principle 8: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” Under the 1992 COSO framework, most organizations viewed fraud risk primarily in terms of satisfying the U.S. Sarbanes-Oxley Act of 2002 requirements to identify fraud controls to prevent or detect fraud risk at the transaction level. In COSO 2013, fraud risk becomes a specific component of the overall risk assessment that focuses on fraud at the entity and transaction levels. COSO now requires a strong internal control foundation that addresses fraud broadly to encompass company objectives as part of its strategy, operations, compliance, and reporting. Principle 8 describes four specific areas: fraudulent financial reporting, fraudulent nonfinancial reporting, misappropriation of assets, and illegal acts. The inclusion of non-financial reporting is a meaningful change that addresses sustainability, health and safety, employment activity and similar reports.

One useful document for performing a fraud risk assessment is Managing the Business Risk of Fraud: A Practical Guide, produced by the American Institute of Certified Public Accountants, and by our organization, the Association of Certified Fraud Examiners, as well as by the Institute of Internal Auditors. This guide to establishing a fraud risk management program includes a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls. Managing the Business Risk of Fraud advises organizations to view fraud risk assessment as part of their corporate governance effort. This commitment requires a tone at the top that embraces strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk. The Guide points out that as organizations continue to automate key processes and implement technology, thus allowing employees broad access to sensitive data, misuse of that data becomes increasingly difficult to detect and prevent. By combining aggressive data collection strategies with innovative technology, public and private sector organizations have enjoyed dramatic improvements in productivity and service delivery that have contributed to their bottom line. Unfortunately, while these practices have yielded major societal benefits, they have also created a major challenge for those charged with protecting confidential data.

CFE’s proactively assessing client organizations which use substantial amounts of private customer information (PCI) for fraud risk should expect to see the presence of controls related to data access surveillance. Data surveillance is the systematic monitoring of information maintained in an automated, usually in a database, environment. The kinds of controls CFE’s should look for are the presence of a privacy strategy that combines the establishment of a comprehensive policy, an awareness program that reinforces the consequences of non-business accesses, a monitoring tool that provides for ongoing analysis of database activity, an investigative function to resolve suspect accesses and a disciplinary component to hold violators accountable.

The creation of an enterprise confidentiality policy on the front end of the implementation of a data surveillance program is essential to its success. An implementing organization should establish a data access policy that clearly explains the relevant prohibitions, provides examples of prohibited activity and details the consequences of non-business accesses. This policy must apply to all employees, regardless of their title, seniority or function. The AICP/ACFE Guide recommends that all employees, beginning with the CEO, be required to sign an annual acknowledgment affirming that they have received and read the confidentiality policy and understand that violations will result in the imposition of disciplinary action. No employees are granted access to any system housing confidential data until they have first signed the acknowledgment.

In addition to issuing a policy, it is imperative that organizations formally train employees regarding its various provisions and caution them on the consequences of accessing data for non-business purposes. During the orientation process for new hires, all employees should receive specialized training on the confidentiality policy. As an added reminder, prior to logging on to any database that contains personal information, employees should receive an electronic notice stating that their activities are being monitored and that all accesses must be related to an official business purpose. Employees are not granted access into the system until they electronically acknowledge this notice.

Given that data surveillance is a process of ongoing monitoring of database activity, it is necessary for individual accesses to be captured and maintained in a format conducive to analysis. There are many commercially available software tools which can be used to monitor access to relational databases on a real-time basis. Transaction tracking technology, as one example, can dynamically generate Structured Query Language (SQL), based upon various search criteria, and provides the capability for customized analyses within each application housing confidential data. The search results are available in Microsoft Excel, PDF and table formats, and may be printed, e-mailed and archived.

Our CFE client organizations that establish a data access policy and formally notify all employees of the provisions of that policy, institute an ongoing awareness program to reinforce the policy and implement technology to track individual accesses of confidential data have taken the initial steps toward safeguarding data. These are necessary components of a data surveillance program and serve as the foundation upon which the remainder of the process may be based. That said, it is critical that organizations not rely solely on these components, as doing so will result in an unwarranted sense of security. Without an ongoing monitoring process to detect questionable database activity and a comprehensive investigative function to address unauthorized accesses, the impact of the foregoing measures will be marginal.

The final piece of a data surveillance program is the disciplinary process. The ACFE tells us that employees who willfully violate the policy prohibiting nonbusiness access of confidential information must be disciplined; the exact nature of which discipline should be determined by executive management. Without a structured disciplinary process, employees will realize that their database browsing, even if detected, will not result in any consequence and, therefore, they will not be deterred from this type of misconduct. Without an effective disciplinary component, an organization’s privacy protection program will ultimately fail.

The bottom line is that our client organizations that maintain confidential data need to develop measures to protect this asset from internal as well as from external misuse, without imposing barriers that restrict their employees’ ability to perform their duties. In today’s environment, those who are perceived as being unable to protect the sensitive data entrusted to them will inevitably experience an erosion of consumer confidence, and the accompanying consequences. Data surveillance deployed in conjunction with a clear data access policy, an ongoing employee awareness program, an innovative monitoring process, an effective investigative function and a standardized disciplinary procedure are the component controls the CFE should look for when conducting a proactive fraud risk assessment of employee access to PCI.

The Initially Immaterial Financial Fraud

At one point during our recent two-day seminar ‘Conducting Internal Investigations’ an attendee asked Gerry Zack, our speaker, why some types of frauds, but specifically financial frauds can go on so long without detection. A very good question and one that Gerry eloquently answered.

First, consider the audit committee. Under modern systems of internal control and corporate governance, it’s the audit committee that’s supposed to be at the vanguard in the prevention and detection of financial fraud. What kinds of failures do we typically see at the audit committee level when financial fraud is given an opportunity to develop and grow undetected? According to Gerry, there is no single answer, but several audit committee inadequacies are candidates. One inadequacy potentially stems from the fact that the members of the audit committee are not always genuinely independent. To be sure, they’re required by the rules to attain some level of technical independence, but the subtleties of human interaction cannot always be effectively governed by rules. Even where technical independence exists, it may be that one or more members in substance, if not in form, have ties to the CEO or others that make any meaningful degree of independence awkward if not impossible.

Another inadequacy is that audit committee members are not always terribly knowledgeable, particularly in the ways that modern (often on-line, cloud based) financial reporting systems can be corrupted. Sometimes, companies that are most susceptible to the demands of analyst earnings expectations are new, entrepreneurial companies that have recently gone public and that have engaged in an epic struggle to get outside analysts just to notice them in the first place. Such a newly hatched public company may not have exceedingly sophisticated or experienced fiscal management, let alone the luxury of sophisticated and mature outside directors on its audit committee. Rather, the audit committee members may have been added to the board in the first place because of industry expertise, because they were friends or even relatives of management, or simply because they were available.

A third inadequacy is that audit committee members are not always clear on exactly what they’re supposed to do. Although modern audit committees seem to have a general understanding that their focus should be oversight of the financial reporting system, for many committee members that “oversight” can translate into listening to the outside auditor several times a year. A complicating problem is a trend in corporate governance involving the placement of additional responsibilities (enterprise risk management is a timely example) upon the shoulders of the audit committee even though those responsibilities may be only tangentially related, or not at all related, to the process of financial reporting.

Again, according to Gerry, some or all the previously mentioned audit committee inadequacies may be found in companies that have experienced financial fraud. Almost always there will be an additional one. That is that the audit committee, no matter how independent, sophisticated, or active, will have functioned largely in ignorance. It will not have had a clue as to what was happening within the organization. The reason is that a typical audit committee (and the problem here is much broader than newly public startups) will get most of its information from management and from the outside auditor. Rarely is management going to voluntarily reveal financial manipulations. And, relying primarily on the outside auditor for the discovery of fraud is chancy at best. Even the most sophisticated and attentive of audit committee members have had the misfortune of accounting irregularities that have unexpectedly surfaced on their watch. This unfortunate lack of access to candid information on the part of the audit committee directs attention to the second in the triumvirate of fraud preventers, the internal audit department.

It may be that the internal audit department has historically been one of the least understood, and most ineffectively used, of all vehicles to combat financial fraud. Theoretically, internal audit is perfectly positioned to nip in the bud an accounting irregularity problem. The internal auditors are trained in financial reporting and accounting. The internal auditors should have a vivid understanding as to how financial fraud begins and grows. Unlike the outside auditor, internal auditors work at the company full time. And, theoretically, the internal auditors should be able to plug themselves into the financial reporting environment and report directly to the audit committee the problems they have seen and heard. The reason these theoretical vehicles for the detection and prevention of financial fraud have not been effective is that, where massive financial frauds have surfaced, the internal audit department has often been somewhere between nonfunctional and nonexistent.. Whatever the explanation, (lack of independence, unfortunate reporting arrangements, under-staffing or under-funding) in many cases where massive financial fraud has surfaced, a viable internal audit function is often nowhere to be found.

That, of course, leaves the outside auditor, which, for most public companies, means some of the largest accounting firms in the world. Indeed, it is frequently the inclination of those learning of an accounting irregularity problem to point to a failure by the outside auditor as the principal explanation. Criticisms made against the accounting profession have included compromised independence, a transformation in the audit function away from data assurance, the use of immature and inexperienced audit staff for important audit functions, and the perceived use by the large accounting firms of audit as a loss leader rather than a viable professional engagement in itself. Each of these reasons is certainly worthy of consideration and inquiry, but the fundamental explanation for the failure of the outside auditor to detect financial fraud lies in the way that fraudulent financial reporting typically begins and grows. Most important is the fact that the fraud almost inevitably starts out very small, well beneath the radar screen of the materiality thresholds of a normal audit, and almost inevitably begins with issues of quarterly reporting. Quarterly reporting has historically been a subject of less intense audit scrutiny, for the auditor has been mainly concerned with financial performance for the entire year. The combined effect of the small size of an accounting irregularity at its origin and the fact that it begins with an allocation of financial results over quarters almost guarantees that, at least at the outset, the fraud will have a good chance of escaping outside auditor detection.

These two attributes of financial fraud at the outset are compounded by another problem that enables it to escape auditor detection. That problem is that, at root, massive financial fraud stems from a certain type of corporate environment. Thus, detection poses a challenge to the auditor. The typical audit may involve fieldwork at the company once a year. That once-a-year period may last for only a month or two. During the fieldwork, the individual accountants are typically sequestered in a conference room. In dealing with these accountants, moreover, employees are frequently on their guard. There exists, accordingly, limited opportunity for the outside auditor to get plugged into the all-important corporate environment and culture, which is where financial fraud has its origins.

As the fraud inevitably grows, of course, its materiality increases as does the number of individuals involved. Correspondingly, also increasing is the susceptibility of the fraud to outside auditor detection. However, at the point where the fraud approaches the thresholds at which outside auditor detection becomes a realistic possibility, deception of the auditor becomes one of the preoccupations of the perpetrators. False schedules, forged documents, manipulated accounting entries, fabrications and lies at all levels, each of these becomes a vehicle for perpetrating the fraud during the annual interlude of audit testing. Ultimately, the fraud almost inevitably becomes too large to continue to escape discovery, and auditor detection at some point is by no means unusual. The problem is that, by the time the fraud is sufficiently large, it has probably gone on for years. That is not to exonerate the audit profession, and commendable reforms have been put in place over the last decade. These include a greater emphasis on fraud, involvement of the outside auditor in quarterly data, the reduction of materiality thresholds, and a greater effort on the part of the profession to assess the corporate culture and environment. Nonetheless, compared to, say, the potential for early fraud detection possessed by the internal audit department, the outside auditor is at a noticeable disadvantage.

Having been missed for so long by so many, how does the fraud typically surface? There are several ways. Sometimes there’s a change in personnel, from either a corporate acquisition or a change in management, and the new hires stumble onto the problem. Sometimes the fraud, which quarter to quarter is mathematically incapable of staying the same, grows to the point where it can no longer be hidden from the outside auditor. Sometimes detection results when the conscience of one of the accounting department people gets the better of him or her. All along s/he wanted to tell somebody, and it gets to the point where s/he can’t stand it anymore and s/he does. Then you have a whistleblower. There are exceptions to all of this. But in almost any large financial fraud, as Gerry told us, one will see some or all these elements. We need only change the names of the companies and of the industry.

Financing Death One BitCoin at a Time

Over the past decade, fanatic religious ideologists have evolved to become hybrid terrorists demonstrating exceptional versatility, innovation, opportunism, ruthlessness, and cruelty. Hybrid terrorists are a new breed of organized criminal. Merriam-Webster defines hybrid as “something that is formed by combining two or more things”. In the twentieth century, the military, intelligence forces, and law enforcement agencies each had a specialized skill-set to employ in response to respective crises involving insurgency, international terrorism, and organized crime. Military forces dealt solely with international insurgent threats to the government; intelligence forces dealt solely with international terrorism; and law enforcement agencies focused on their respective country’s organized crime entities. In the twenty-first century, greed, violence, and vengeance motivate the various groups of hybrid terrorists. Hybrid terrorists rely on organized crime such as money laundering, wire transfer fraud, drug and human trafficking, shell companies, and false identification to finance their organizational operations.

Last week’s horrific terror bombing in Manchester brings to the fore, yet again, the issue of such terrorist financing and the increasing role of forensic accountants in combating it. Two of the main tools of modern terror financing schemes are money laundering and virtual currency.

Law enforcement and government agencies in collaboration with forensic accountants play key roles in tracing the source of terrorist financing to the activities used to inflict terror on local and global citizens. Law enforcement agencies utilize investigative and predictive analytics tools to gather, dissect, and convey data to distinguish patterns leading to future terrorist events. Government agencies employ database inquiries of terrorist-related financial information to evaluate the possibilities of terrorist financing and activities. Forensic accountants review the data for patterns related to previous transactions by utilizing data analysis tools, which assist in tracking the source of the funds.

As we all know, forensic accountants use a combination of accounting knowledge combined with investigative skills in litigation support and investigative accounting settings. Several types of organizations, agencies, and companies frequently employ forensic accountants to provide investigative services. Some of these organizations are public accounting firms, law firms, law enforcement agencies, The Internal Revenue Service (IRS), The Central Intelligence Agency (CIA), and The Federal Bureau of Investigations (FBI).

Locating and halting the source of terrorist financing involves two tactics, following the money and drying up the money. Obstructing terrorist financing requires an understanding of both the original and supply source of the illicit funds. As the financing is derived from both legal and illegal funding sources, terrorists may attempt to evade detection by funneling money through legitimate businesses thus making it difficult to trace. Charitable organizations and reputable companies provide a legitimate source through which terrorists may pass money for illicit activities without drawing the attention of law enforcement agencies. Patrons of legitimate businesses are often unaware that their personal contributions may support terrorist activities. However, terrorists also obtain funds from obvious illegal sources, such as kidnapping, fraud, and drug trafficking. Terrorists often change daily routines to evade law enforcement agencies as predictable patterns create trails that are easy for skilled investigators to follow. Audit trails can be traced from the donor source to the terrorist by forensic accountants and law enforcement agencies tracking specific indicators. Audit trails reveal where the funds originate and whether the funds came from legal or illegal sources. The ACFE tells us that basic money laundering is a specific type of illegal funding source, which provides a clear audit trail.

Money laundering is the process of obtaining and funneling illicit funds to disguise the connection with the original unlawful activity. Terrorists launder money to spend the unlawfully obtained money without drawing attention to themselves and their activities. To remain undetected by regulatory authorities, the illicit funds being deposited or spent need to be washed to give the impression that the money came from a seemingly reputable source. There are types of unusual transactions that raise red flags associated with money laundering in financial institutions. The more times an unusual transaction occurs, the greater the probability it is the product of an illicit activity. Money laundering may be quite sophisticated depending on the strategies employed to avoid detection. Some identifiers indicating a possible money-laundering scheme are: lack of identification, money wired to new locations, customer closes account after wiring or transferring copious amounts of money, executed out-of-the-ordinary business transactions, executed transactions involving the customer’s own business or occupation, and executed transactions falling just below the threshold trigger requiring the financial institution to file a report.

Money laundering takes place in three stages: placement, layering, and integration. In the placement stage, the cash proceeds from criminal activity enter the financial system by deposit. During the layering stage, the funds transfer into other accounts, usually offshore financial institutions, thus creating greater distance between the source and origin of the funds and its current location. Legitimate purchases help funnel the money back into the economy during the integration stage, the final stage.

Complicating all this is for the investigator is virtual currency. Virtual currency, unlike traditional forms of money, does not leave a clear audit trail for forensic accountants to trace and investigate. Cases involving the use of virtual currency, i.e. Bitcoins and several rival currencies, create anonymity for the perpetrator and create obstacles for investigators. Bitcoins have no physical form and provide a unique opportunity for terrorists to launder money across international borders without detection by law enforcement or government agencies. Bitcoins are long strings of numbers and letters linked by mathematical encryption algorithms. A consumer uses a mobile phone or computer to create an online wallet with one or more Bitcoin addresses before commencing electronic transactions. Bitcoins may also be used to make legitimate purchases through various, established online retailers.

Current international anti-money laundering laws aid in fighting the war against terrorist financing; however, international laws require actual cash shipments between countries and criminal networks (or at the very least funds transfers between banks). International laws are not applicable to virtual currency transactions, as they do not consist of actual cash shipments. According to the website Bitcoin.org, “Bitcoin uses peer-to-peer technology to operate with no central authority or banks”.

In summary, terrorist organizations find virtual currency to be an effective method for raising illicit funds because, unlike cash transactions, cyber technology offers anonymity with less regulatory oversight. Due to the anonymity factor, Bitcoins are an innovative and convenient way for terrorists to launder money and sell illegal goods. Virtual currencies are appealing for terrorist financiers since funds can be swiftly sent across borders in a secure, cheap, and highly secretive manner. The obscurity of Bitcoin allows international funding sources to conduct exchanges without a trace of evidence. This co-mingling effect is like traditional money laundering but without the regulatory oversight. Government and law enforcement agencies must, as a result, be able to share information with public regulators when they become suspicious of terrorist financing.

Forensic accounting technology is most beneficial when used in conjunction with the analysis tools of law enforcement agencies to predict and analyze future terrorist activity. Even though some of the tools in a forensic accountant’s arsenal are useful in tracking terrorist funds, the ability to identify conceivable terrorist threats is limited. To identify the future activities of terrorist groups, forensic accountants, and law enforcement agencies should cooperate with one another by mutually incorporating the analytical tools utilized by each. Agencies and government officials should become familiar with virtual currency like Bitcoins. Because of the anonymity and lack of regulatory oversight, virtual currency offers terrorist groups a useful means to finance illicit activities on an international scale. In the face of the challenge, new governmental entities may be needed to tie together all the financial forensics efforts of the different stake holder organizations so that information sharing is not compartmentalized.

RVACFES May 2017 Event Sold-Out!

On May 17th and 18th the Central Virginia ACFE Chapter and our partners, the Virginia State Police and the Association of Certified Fraud Examiners (ACFE) were joined by an over-flow crowd of audit and assurance professionals for the ACFE’s training course ‘Conducting Internal Investigations’. The sold-out May 2017 seminar was the ninth that our Chapter has hosted over the years with the Virginia State Police utilizing a distinguished list of certified ACFE instructor-practitioners.

Our internationally acclaimed instructor for the May seminar was Gerard Zack, CFE, CPA, CIA, CCEP. Gerry has provided fraud prevention and investigation, forensic accounting, and internal and external audit services for more than 30 years. He has worked with commercial businesses, not-for-profit organizations, and government agencies throughout North America and Europe. Prior to starting his own practice in 1990, Gerry was an audit manager with a large international public accounting firm. As founder and president of Zack, P.C., he has led numerous fraud investigations and designed customized fraud risk management programs for a diverse client base. Through Zack, P.C., he also provides outsourced internal audit services, compliance and ethics programs, enterprise risk management, fraud risk assessments, and internal control consulting services.

Gerry is a Certified Fraud Examiner (CFE) and Certified Public Accountant (CPA) and has focused most of his career on audit and fraud-related services. Gerry serves on the faculty of the Association of Certified Fraud Examiners (ACFE) and is the 2009 recipient of the ACFE’s James Baker Speaker of the Year Award. He is also a Certified Internal Auditor (CIA) and a Certified Compliance and Ethics Professional (CCEP).

Gerry is the author of Financial Statement Fraud: Strategies for Detection and Investigation (published 2013 by John Wiley & Sons), Fair Value Accounting Fraud: New Global Risks and Detection Techniques (2009 by John Wiley & Sons), and Fraud and Abuse in Nonprofit Organizations: A Guide to Prevention and Detection (2003 by John Wiley & Sons). He is also the author of numerous articles on fraud and teaches seminars on fraud prevention and detection for businesses, government agencies, and nonprofit organizations. He has provided customized internal staff training on specialized auditing issues, including fraud detection in audits, for more than 50 CPA firms.

Gerry is also the founder of the Nonprofit Resource Center, through which he provides antifraud training and consulting and online financial management tools specifically geared toward the unique internal control and financial management needs of nonprofit organizations. Gerry earned his M.B.A at Loyola University in Maryland and his B.S.B.A at Shippensburg University of Pennsylvania.

To some degree, organizations of every size, in every industry, and in every city, experience internal fraud. No entity is immune. Furthermore, any member of an organization can carry out fraud, whether it is committed by the newest customer service employee or by an experienced and highly respected member of upper management. The fundamental reason for this is that fraud is a human problem, not an accounting problem. As long as organizations are employing individuals to perform business functions, the risk of fraud exists.

While some organizations aggressively adopt strong zero tolerance anti-fraud policies, others simply view fraud as a cost of doing business. Despite varying views on the prevalence of, or susceptibility to, fraud within a given organization, all must be prepared to conduct a thorough internal investigation once fraud is suspected. Our ‘Conducting Internal Investigations’ event was structured around the process of investigating any suspected fraud from inception to final disposition and beyond.

What constitutes an act that warrants an examination can vary from one organization to another and from jurisdiction to jurisdiction. It is often resolved based on a definition of fraud adopted by an employer or by a government agency. There are numerous definitions of fraud, but a popular example comes from the joint ACFE-COSO publication, Fraud Risk Management Guide:

Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.

However, many law enforcement agencies have developed their own definitions, which might be more appropriate for organizations operating in their jurisdictions. Consequently, fraud examiners should determine the appropriate legal definition in the jurisdiction in which the suspected offense was committed.

Fraud examination is a methodology for resolving fraud allegations from inception to disposition. More specifically, fraud examination involves:

–Assisting in the detection and prevention of fraud;
–Initiating the internal investigation;
–Obtaining evidence and taking statements;
–Writing reports;
–Testifying to findings.

A well run internal investigation can enhance a company’s overall well-being and can help detect the source of lost funds, identify responsible parties and recover losses. It can also provide a defense to legal charges by terminated or disgruntled employees. But perhaps, most importantly, an internal investigation can signal to every company employee that the company will not tolerate fraud.

Our two-day seminar agenda included Gerry’s in depth look at the following topics:

–Assessment of the risk of fraud within an organization and responding when it is identified;
–Detection and investigation of internal frauds with the use of data analytics;
–The collection of documents and electronic evidence needed during an investigation;
–The performance of effective information gathering and admission seeking interviews;
–The wide variety of legal and regulatory concerns related to internal investigations.

Gerry did his usual tremendous job in preparing the professionals in attendance to deal with every step in an internal fraud investigation, from receiving the initial allegation to testifying as a witness. The participants learned to lead an internal investigation with accuracy and confidence by gaining knowledge about topics such as the relevant legal aspects impacting internal investigations, the use of computers and analytics during the investigation, collecting and analyzing internal and external information, and interviewing witnesses and the writing of effective reports.