Threat Assessment & Cyber Security

One rainy Richmond evening last week I attended the monthly dinner meeting of one of the professional organizations of which I’m a member.  Our guest speaker’s presentation was outstanding and, in my opinion, well worth sharing with fellow CFE’s especially as we find more and more of our client’s grappling with the reality of  ever-evolving cyber threats.

Our speaker started by indicating that, according to a wide spectrum of current thinking, technology issues in isolation should be but one facet of the overall cyber defense strategy of any enterprise. A holistic view on people, process and technology is required in any organization that wants to make its chosen defense strategy successful and, to be most successful, that strategy needs to be supplemented with a good dose of common sense creative thinking. That creative thinking proved to be the main subject of her talk.

Ironically, the sheer size, complexity and geopolitical diversity of the modern-day enterprise can constitute an inherent obstacle for its goal of achieving business objectives in a secured environment.  The source of the problem is not simply the cyber threats themselves, but threat agents. The term “threat agent,” from the Open Web Application Security Project (OWASP), is used to indicate an individual or group that can manifest a threat. Threat agents are represented by the phenomena of:

–Corporate Espionage;
–Government Actors;
–Common Criminals (individual and organized).

Irrespective of the type of threat, the threat agent takes advantage of an identified vulnerability and exploits it in the attempt to negatively impact the value the individual business has at risk. The attempt to execute the threat in combination with the vulnerability is called hacking. When this attempt is successful, and the threat agent can negatively impact the value at risk, it can be concluded that the vulnerability was successfully exploited. So, essentially, enterprises are trying to defend against hacking and, more importantly, against the threat agent that is the hacker in his or her many guises. The ACFE identifies hacking as the single activity that has resulted in the greatest number of cyber breaches in the past decade.

While there is no one-size-fits-all standard to build and run a sustainable security defense in a generic enterprise context, most companies currently deploy something resembling the individual components of the following general framework:

–Business Drivers and Objectives;
–A Risk Strategy;
–Policies and Standards;
–Risk Identification and Asset Profiling;
–People, Process, Technology;
–Security Operations and Capabilities;
–Compliance Monitoring and Reporting.

Most IT risk and security professionals would be able to identify this framework and agree with the assertion that it’s a sustainable approach to managing an enterprise’s security landscape. Our speaker pointed out, however, that in her opinion, if the current framework were indeed working as intended, the number of security incidents would be expected to show a downward trend as most threats would fail to manifest into full-blown incidents. They could then be routinely identified by enterprises as known security problems and dealt with by the procedures operative in day-to-day security operations. Unfortunately for the existing framework, however, recent security surveys conducted by numerous organizations and trade groups clearly show an upward trend of rising security incidents and breaches (as every reader of daily press reports well knows).

The rising tide of security incidents and breaches is not surprising since the trade press also reports an average of 35 new, major security failures on each and every day of the year.  Couple this fact with the ease of execution and ready availability of exploit kits on the Dark Web and the threat grows in both probability of exploitation and magnitude of impact. With speed and intensity, each threat strikes the security structure of an enterprise and whittles away at its management credibility to deal with the threat under the routine, daily operational regimen presently defined. Hence, most affected enterprises endure a growing trend of negative security incidents experienced and reported.

During the last several years, in response to all this, many firms have responded by experimenting with a new approach to the existing paradigm. These organizations have implemented emergency response teams to respond to cyber-threats and incidents. These teams are a novel addition to the existing control structure and have two main functions: real-time response to security incidents and the collection of concurrent internal and external security intelligence to feed predictive analysis. Being able to respond to security incidents via a dedicated response team boosts the capacity of the operational organization to contain and recover from attacks. Responding to incidents, however efficiently, is, in any case, a reactive approach to deal with cyber-threats but isn’t the whole story. This is where cyber-threat intelligence comes into play. Threat intelligence is a more proactive means of enabling an organization to predict incidents. However, this approach also has a downside. The influx of a great deal of intelligence information may limit the ability of the company to render it actionable on a timely basis.

Cyber threat assessments are an effective means to tame what can be this overwhelming influx of intelligence information. Cyber threat assessment is currently recognized in the industry as red teaming, which is the practice of viewing a problem from an adversary or competitor’s perspective. As part of an IT security strategy, enterprises can use red teams to test the effectiveness of the security structure as a whole and to provide a relevance factor to the intelligence feeds on cyber threats. This can help CEOs decide what threats are relevant and have higher exposure levels compared to others. The evolution of cyber threat response, cyber threat
intelligence and cyber threat assessment (red teams) in conjunction with the existing IT risk framework can be used as an effective strategy to counter the agility of evolving cyber threats. The cyber threat assessment process assesses and challenges the structure of existing enterprise security systems, including designs, operational-level controls and the overall cyber threat response and intelligence process to ensure they remain capable of defending against current relevant exploits.

Cyber threat assessment exercises can also be extremely helpful in highlighting the most relevant attacks and in quantifying their potential impacts. The word “adversary” in the definition of the term ‘red team’ is key in that it emphasizes the need to independently challenge the security structure from the view point of an attacker.  Red team exercises should be designed to be independent of the scope, asset profiling, security, IT operations and coverage of existing security policies. Only then can enterprises realistically apply the attacker’s perspective, measure the success of its risk strategy and see how it performs when challenged. It’s essential that red team exercises have the freedom to treat the complete security structure and to point to flaws in all components of the IT risk framework. It’s a common notion that a red team exercise is a penetration test. This is not the case. Use of penetration test techniques by red teams is a means to identify the information required to replicate cyber threats and to create a controlled security incident. The technical shortfalls that are identified during standard penetration testing are mere symptoms of gaps that may exist in the governance of people, processes and technology. Hence, to make the organization more resilient against cyber threats, red team focus should be kept on addressing the root cause and not merely on fixing the security flaws discovered during the exercise. Another key point is to include cyber threat response and threat monitoring in the scope of such assessments. This demands that red team exercises be executed, and partially announced, with CEO-level approval. This ensures that enterprises challenge the end-to-end capabilities of an enterprise to cope with a real-time security incident. Lessons learned from red teaming can be documented to improve the overall security posture of the organization and as an aid in dealing with future threats.

Our speaker concluded by saying that as cyber threats evolve, one-hundred percent security for an active business is impossible to achieve. Business is about making optimum use of existing resources to derive the desired value for stakeholders. Cyber-defense cannot be an exception to this rule. To achieve optimized use of their security investments, CEOs should ensure that security spending for their organization is mapped to the real emerging cyber threat landscape. Red teaming is an effective tool to challenge the status quo of an enterprise’s security framework and to make informed judgements about the actual condition of its actual security posture today. Not only can the judgements resulting from red team exercises be used to improve cyber threat defense, they can also prove an effective mechanism to guide a higher return on cyber-defense investment.

A CDC for Cyber

I remember reading somewhere a few years back that Microsoft had commissioned a report which recommended that the U.S. government set up an entity akin to its Center for Disease Control but for cyber security.  An intriguing idea.  The trade press talks about malware and computer viruses and infections to describe self -replicating malicious code in the same way doctors talk about metastasizing cancers or the flu; likewise, as with public health, rather than focusing on prevention and detection, we often blame those who have become infected and try to retrospectively arrest/prosecute (cure) those responsible (the cancer cells, hackers) long after the original harm is done. Regarding cyber, what if we extended this paradigm and instead viewed global cyber security as an exercise in public health?

As I recall, the report pointed out that organizations such as the Centers for Disease Control in Atlanta and the World Health Organization in Geneva have over decades developed robust systems and objective methodologies for identifying and responding to public health threats; structures and frameworks that are far more developed than those existent in today’s cyber-security community. Given the many parallels between communicable human diseases and those affecting today’s technologies, there is also much fraud examiners and security professionals can learn from the public health model, an adaptable system capable of responding to an ever-changing array of pathogens around the world.

With cyber as with matters of public health, individual actions can only go so far. It’s great if an individual has excellent techniques of personal hygiene, but if everyone in that person’s town has the flu, eventually that individual will probably succumb as well. The comparison is relevant to the world of cyber threats. Individual responsibility and action can make an enormous difference in cyber security, but ultimately the only hope we have as a nation in responding to rapidly propagating threats across this planetary matrix of interconnected technologies is to construct new institutions to coordinate our response. A trusted, international cyber World Health Organization could foster cooperation and collaboration across companies, countries, and government agencies, a crucial step required to improve the overall public health of the networks driving the critical infrastructures in both our online and our off-line worlds.

Such a proposed cyber CDC could go a long way toward counteracting the technological risks our country faces today and could serve a critical role in improving the overall public health of the networks driving the critical infrastructures of our world. A cyber CDC could fulfill many roles that are carried out today only on an ad hoc basis, if at all, including:

• Education — providing members of the public with proven methods of cyber hygiene to protect themselves;
• Network monitoring — detection of infection and outbreaks of malware in cyberspace;
• Epidemiology — using public health methodologies to study digital cyber disease propagation and provide guidance on response and remediation;
• Immunization — helping to ‘vaccinate’ companies and the public against known threats through software patches and system updates;
• Incident response — dispatching experts as required and coordinating national and global efforts to isolate the sources of online infection and treat those affected.

While there are many organizations, both governmental and non-governmental, that focus on the above tasks, no single entity owns them all. It is through these gaps in effort and coordination that cyber risks continue to mount. An epidemiological approach to our growing technological risks is required to get to the source of malware infections, as was the case in the fight against malaria. For decades, all medical efforts focused in vain on treating the disease in those already infected. But it wasn’t until epidemiologists realized the malady was spread by mosquitoes breeding in still pools of water that genuine progress was made in the fight against the disease. By draining the pools where mosquitoes and their larvae grow, epidemiologists deprived them of an important breeding ground, thus reducing the spread of malaria. What stagnant pools can we drain in cyberspace to achieve a comparable result? The answer represents the yet unanswered challenge.

There is another major challenge a cyber CDC would face: most of those who are sick have no idea they are walking around infected, spreading disease to others. Whereas malaria patients develop fever, sweats, nausea, and difficulty breathing, important symptoms of their illness, infected computer users may be completely asymptomatic. This significant difference is evidenced by the fact that the overwhelming majority of those with infected devices have no idea there is malware on their machines nor that they might have even joined a botnet army. Even in the corporate world, with the average time to detection of a network breach now at 210 days, most companies have no idea their most prized assets, whether intellectual property or a factory’s machinery, have been compromised. The only thing worse than being hacked is being hacked and not knowing about it. If you don’t know you’re sick, how can you possibly get treatment? Moreover, how can we prevent digital disease propagation if carriers of these maladies don’t realize they are infecting others?

Addressing these issues could be a key area of import for any proposed cyber CDC and fundamental to future communal safety and that of critical information infrastructures. Cyber-security researchers have pointed out the obvious Achilles’ heel of the modern technology infused world, the fact that today everything is either run by computers (or will be) and that everything is reliant on these computers continuing to work. The challenge is that we must have some way of continuing to work even if all the computers fail. Were our information systems to crash on a mass scale, there would be no trading on financial markets, no taking money from ATMs, no telephone network, and no pumping gas. If these core building blocks of our society were to suddenly give way, what would humanity’s backup plan be? The answer is simply, we don’t now have one.

Complicating all this from a law enforcement and fraud investigation perspective is that black hats generally benefit from technology long before defenders and investigators ever do. The successful ones have nearly unlimited budgets and don’t have to deal with internal bureaucracies, approval processes, or legal constraints. But there are other systemic issues that give criminals the upper hand, particularly around jurisdiction and international law. In a matter of minutes, the perpetrator of an online crime can virtually visit six different countries, hopping from server to server and continent to continent in an instant. But what about the police who must follow the digital evidence trail to investigate the matter?  As with all government activities, policies, and procedures, regulations must be followed. Trans-border cyber-attacks raise serious jurisdictional issues, not just for an individual police department, but for the entire institution of policing as currently formulated. A cop in Baltimore has no authority to compel an ISP in Paris to provide evidence, nor can he make an arrest on the right bank. That can only be done by request, government to government, often via mutual legal assistance treaties. The abysmally slow pace of international law means it commonly takes years for police to get evidence from overseas (years in a world in which digital evidence can be destroyed in seconds). Worse, most countries still do not even have cyber-crime laws on the books, meaning that criminals can act with impunity making response through a coordinating entity like a cyber-CDC more valuable to the U.S. specifically and to the world in general.

Experts have pointed out that we’re engaged in a technological arms race, an arms race between people who are using technology for good and those who are using it for ill. The challenge is that nefarious uses of technology are scaling exponentially in ways that our current systems of protection have simply not matched.  The point is, if we are to survive the progress offered by our technologies and enjoy their benefits, we must first develop adaptive mechanisms of security that can match or exceed the exponential pace of the threats confronting us. On this most important of imperatives, there is unambiguously no time to lose.

Help for the Little Guy

It’s clear to the news media and to every aware assurance professional that today’s cybercriminals are more sophisticated than ever in their operations and attacks. They’re always on the lookout for innovative ways to exploit vulnerabilities in every global payment system and in the cloud.

According to the ACFE, more consumer records were compromised in 2015-16 than in the previous four years combined. Data breach statistics from this year (2017) are projected to be even grimmer due to the growth of increasingly sophisticated attack methods such as increasingly complex malware infections and system vulnerability exploits, which grew tenfold in 2016. With attacks coming in many different forms and from many different channels, consumers, businesses and financial institutions (often against their will) are being forced to gain a better understanding of how criminals operate, especially in ubiquitous channels like social networks. They then have a better chance of mitigating the risks and recognizing attacks before they do severe damage.

As your Chapter has pointed out over the years in this blog, understanding the mechanics of data theft and the conversion process of stolen data into cash can help organizations of all types better anticipate in the exact ways criminals may exploit the system, so that organizations can put appropriate preventive measures in place. Classic examples of such criminal activity include masquerading as a trustworthy entity such as a bank or credit card company. These phishers send e-mails and instant messages that prompt users to reply with sensitive information such as usernames, passwords and credit card details, or to enter the information at a rogue web site. Other similar techniques include using text messaging (SMSishing or smishing) or voice mail (vishing) or today’s flood of offshore spam calls to lure victims into giving up sensitive information. Whaling is phishing targeted at high-worth accounts or individuals, often identified through social networking sites such as LinkedIn or Facebook. While it’s impossible to anticipate or prevent every attack, one way to stay a step ahead of these criminals is to have a thorough understanding of how such fraudsters operate their enterprises.

Although most cyber breaches reported recently in the news have struck large companies such as Equifax and Yahoo, the ACFE tells us that small and mid-sized businesses suffer a far greater number of devastating cyber incidents. These breaches involve organizations of every industry type; all that’s required for vulnerability is that they operate network servers attached to the internet. Although the number of breached records a small to medium sized business controls is in the hundreds or thousands, rather than in the millions, the cost of these breaches can be higher for the small business because it may not be able to effectively address such incidents on its own.  Many small businesses have limited or no resources committed to cybersecurity, and many don’t employ any assurance professionals apart from the small accounting firms performing their annual financial audit. For these organizations, the key questions are “Where should we focus when it comes to cybersecurity?” and “What are the minimum controls we must have to protect the sensitive information in our custody?” Fraud Examiners and forensic accountants with client attorneys assisting small businesses can assist in answering these questions by checking that their client attorney’s organizations implement a few vital cybersecurity controls.

First, regardless of their industry, small businesses must ensure their network perimeter is protected. The first step is identifying the vulnerabilities by performing an external network scan at least quarterly. A small business can either hire an outside company to perform these scans, or, if they have small in-house or contracted IT, they can license off-the-shelf software to run the scans, themselves. Moreover, small businesses need a process in place to remedy the identified critical, high, and medium vulnerabilities within three months of the scan run date, while low vulnerabilities are less of a priority. The fewer vulnerabilities the perimeter network has,
the less chance that an external hacker will breach the organization’s network.

Educating employees about their cybersecurity responsibilities is not a simple check-sheet matter. Smaller businesses not only need help in implementing an effective information security policy, they also need to ensure employees are aware of the policy and of their responsibilities. The policy and training should cover:

–Awareness of phishing attacks;
–Training on ransomware management;
–Travel tips;
–Potential threats of social engineering;
–Password protection;
–Risks of storing sensitive data in the cloud;
–Accessing corporate information from home computers and other personal devices;
–Awareness of tools the organization provides for securely sending emails or sharing large files;
–Protection of mobile devices;
–Awareness of CEO spoofing attacks.

In addition, small businesses should verify employees’ level of awareness by conducting simulation exercises. These can be in the form of a phishing exercise in which organizations themselves send fake emails to their employees to see if they will click on a web link, or a social engineering exercise in which a hired individual tries to enter the organization’s physical location and steal sensitive information such as information on computer screens left in plain sight.

In small organizations, sensitive information tends to proliferate across various platforms and folders. For example, employees’ personal information typically resides in human resources software or with a cloud service provider, but through various downloads and reports, the information can proliferate to shared drives and folders, laptops, emails, and even cloud folders like Dropbox or Google Drive. Assigned management at the organization should check that the organization has identified the sites of such proliferation to make sure it has a good handle on the state of all the organization’s sensitive information:

–Inventory all sensitive business processes and the related IT systems. Depending on the organization’s industry, this information could include customer information, pricing data, customers’ credit card information, patients’ health information, engineering data, or financial data;
–For each business process, identify an information owner who has complete authority to approve user access to that information;
–Ensure that the information owner periodically reviews access to all the information he or she owns and updates the access list.

Organizations should make it hard to get to their sensitive data by building layers or network segments. Although the network perimeter is an organization’s first line of defense, the probability of the network being penetrated is today at an all-time high. Management should check whether the organization has built a layered defense to protect its sensitive information. Once the organization has identified its sensitive information, management should work with the IT function to segment those servers that run its sensitive applications.  This segmentation will result in an additional layer of protection for these servers, typically by adding another firewall for the segment. Faced with having to penetrate another layer of defense, an intruder may decide to go elsewhere where less sensitive information is stored.

An organization’s electronic business front door also can be the entrance for fraudsters and criminals. Most of today’s malware enters through the network but proliferates through the endpoints such as laptops and desktops. At a minimum, internal small business management must ensure that all the endpoints are running anti-malware/anti-virus software. Also, they should check that this software’s firewall features are enabled. Moreover, all laptop hard drives should be encrypted.

In addition to making sure their client organizations have implemented these core controls, assurance professionals should advise small business client executives to consider other protective controls:

–Monitor the network. Network monitoring products and services can provide real-time alerts in case there is an intrusion;
–Manage service providers. Organizations should inventory all key service providers and review all contracts for appropriate security, privacy, and data breach notification language;
–Protect smart devices. Increasingly, company information is stored on mobile devices. Several off-the-shelf solutions can manage and protect the information on these devices. Small businesses should ensure they are able to wipe the sensitive information from these devices if they are lost or stolen;
–Monitor activity related to sensitive information. Management IT should log activities against their sensitive information and keep an audit log in case an incident occurs and they need to review the logs to evaluate the incident.

Combined with the controls listed above, these additional controls can help any small business reduce the probability of a data breach. But a security program is only as strong as its weakest link Through their assurance and advisory work, CFE’s and forensic accountants can proactively help identify these weaknesses and suggest ways to strengthen their smaller client organization’s anti-fraud defenses.

The Conflicted Board

Our last post about cyberfraud and business continuity elicited a comment about the vital role of corporate governance from an old colleague of mine now retired and living in Seattle.  But the wider question our commenter had was, ‘What are we as CFEs to make of a company whose Board willfully withholds for months information about a cyberfraud which negatively impacts it customers and the public? From the ethical point of view, does this render the Board somehow complicit in the public harm done?’

Governance of shareholder-controlled corporations refers to the oversight, monitoring, and controlling of a company’s activities and personnel to ensure support of the shareholders’ interests, in accordance with laws and the expectations of stakeholders. Governance has been more formally defined by the Organization for Economic Cooperation and Development (OECD) as a set of relationships between a company’s management, its Board, its shareholders, and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set (including about ethical continuity), and the means of attaining those objectives and monitoring performance. Good corporate governance should provide proper incentives for the Board and management to pursue objectives that are in the interests of the company and its shareholders and should facilitate effective monitoring.

The role and mandate of the Board of Directors is of paramount importance in the governance framework. Typically, the directors are elected by the shareholders at their annual meeting, which is held to receive the company’s audited annual financial statements and the audit report thereon, as well as the comments of the chairman of the Board, the senior company officers, and the company auditor.

A Board of Directors often divides itself into subcommittees that concentrate more deeply in specific areas than time would allow the whole Board to pursue. These subcommittees are charged with certain actions and/or reviews on behalf of the whole Board, with the proviso that the whole Board must be briefed on major matters and must vote on major decisions. Usually, at least three subcommittees are created to review matters related to (1) governance, (2) compensation, and (3) audit, and to present their recommendations to the full Board. The Governance Committee deals with codes of conduct and company policy, as well as the allocation of duties among the subcommittees of the Board. The Compensation Committee reviews the performance of senior officers, and makes recommendations on the nature and size of salaries, bonuses, and related remuneration plans. Most important to fraud examiners and assurance professionals, the Audit Committee reviews internal controls and systems that generate financial reports prepared by management; the appropriateness of those financial reports; the effectiveness of the company’s internal and external auditors; its whistle-blowing systems, and their findings; and recommends the re-election or not of the company’s external auditors.

The Board must approve the selection of a Chief Executive Officer (CEO), and many Boards are now approving the appointment of the Chief Financial Officer (CFO) as well because of the important of that position. Generally, the CEO appoints other senior executives, and they, in turn, appoint the executives who report to them. Members of these committees are selected for their expertise, interest, and character, with the expectation that the independent judgment of each director will be exercised in the best interest of the company. For example, the ACFE tells us, members of the Audit Committee must be financially literate, and have sufficient expertise to understand audit and financial matters. They must be of independent mind (i.e., not be part of management or be relying upon management for a significant portion of their annual income), and must be prepared to exercise that independence by voting for the interest of all shareholders, not just those of management or of specific limited shareholder groups.

Several behavioral expectations extend to all directors, i.e., to act in the best interest of the company (shareholders & stakeholders), to demonstrate loyalty by exercising independent judgment, acting in good faith, obedient to the interests of all and to demonstrate due care, diligence, and skill.

All directors are expected to demonstrate certain fiduciary duties. Shareholders are relying on directors to serve shareholders’ interests, not the directors’ own interests, nor those of management or a third party. This means that directors must exercise their own independent judgment in the best interests of the shareholders. The directors must do so in good faith (with true purpose, not deceit) on all occasions. They must exercise appropriate skill, diligence, and an expected level of care in all their actions.

Obviously, there will be times when directors will be able to make significant sums of money by misusing the trust with which they have been bestowed and at the expense of the other stakeholders of the company. At these times a director’s interests may conflict with those of the others. Therefore, care must be taken to ensure that such conflicts are disclosed, and that they are managed so that no harm comes to the other shareholders. For example, if a director has an interest in some property or in a company that is being purchased, s/he should disclose this to the other directors and refrain from voting on the acquisition. These actions should alert other directors to the potential self-dealing of the conflicted director, and thereby avoid the non-conflicted directors from being misled into thinking that the conflicted director was acting only with the corporation’s interests in mind.

From time to time, directors may be sued’ by shareholders or third parties who believe that the directors have failed to live up to appropriate expectations. However, courts will not second-guess reasonable decisions by non-conflicted directors that have been taken prudently and on a reasonably informed basis. This is known as the business judgment ru1e and it protects directors charged with breach of their duty of care if they have acted honestly and reasonably. Even if no breach of legal rights has occurred, shareholders may charge that their interests have been ‘oppressed’ (i.e., prejudiced unfairly, or unfairly disregarded) by a corporation or a director’s actions, and courts may grant what is referred to as an oppression remedy of financial compensation or other sanctions against the corporation or the director personally. If, however, the director has not been self-dealing or misappropriating the company’s opportunities, s/he will likely be protected from personal liability by the business judgment rule.

Some shareholders or third parties have chosen to sue directors ‘personally in tort’ for their conduct as directors, even when they have acted in good faith and within the scope of their duties, and when they believed they were acting in the best interests of the corporations they serve.  Recently, courts have held that directors cannot escape such personal liability by simply claiming that they did the action when performing their corporate responsibilities. Consequently, directors or officers must take care when making all decisions that they meet normal standards of behavior.

Consequently, when management and the Board of a company who has been the victim of a cyber-attack decides to withhold information about the attack (sometimes for weeks or months), fundamental questions about compliance with fiduciary standards and ethical duty toward other stakeholders and the public can quickly emerge.   The impact of recent corporate cyber-attack scandals on the public has the potential to change future governance expectations dramatically. Recognition that some of these situations appear to have resulted from management inattention or neglect (the failure to timely patch known software vulnerabilities, for example) has focused attention on just how well a corporation can expect to remediate its public face and ensure ongoing business continuity following such revelations to the public.

My colleague points out that so damaging were the apparently self-protective actions taken by the Boards of some of these victim companies in the wake of several recent attacks to protect their share price, (thereby shielding the interests of existing executives, directors, and investors in the short term) that the credibility of their entire corporate governance and accountability processes has been jeopardized, thus endangering, in some cases, even their ability to continue as viable going concerns.

In summary, in the United States, the Board of Directors sits at the apex of a company’s governing structure. A typical Board’s duties include reviewing the company’s overall business strategy, selecting and compensating the company’s senior executives; evaluating the company’s outside auditor, overseeing the company’s financial statements; and monitoring overall company performance. According to the Business Roundtable, the Board’s ‘paramount duty’ is to safeguard the interests of the company’s shareholders.  It’s fair to ask if a Board that chooses not to reveal to its stakeholders or to the general investor public a potentially devastating cyber-fraud for many months can be said to have meet either the letter or the spirit of its paramount duty.

Cyberfraud & Business Continuity

We received an e-mail inquiry from a follower of our Chapter’s LinkedIn page last week asking specifically about recovery following a cyberfraud penetration and, in general, about disaster planning for smaller financial institutions. It’s a truism that with virtually every type of business process and customer moving away from brick-and-mortar places of business to cloud supported business transactions and communication, every such organization faces an exponential increase in the threat of viruses, bots, phishing attacks, identity theft, and a whole host of other cyberfraud intrusion risks.  All these threats illustrate why a post-intrusion continuity plan should be at or near the top of any organization’s risk assessment, yet many of our smaller clients especially remain stymied by what they feel are the costs and implementational complexity of developing such a plan. Although management understands that it should have a plan, many say, “we’ll have to get to that next year”, yet it never seems to happen.

Downtime due to unexpected penetrations, breeches and disasters of all kinds not only affect our client businesses individually, but can also affect the local, regional, or worldwide economy if the business is sufficiently large or critical. Organizations like Equifax do not operate in a vacuum; they are held accountable by customers, vendors, and owners to operate as expected. Moreover, the extent of the impact on a business depends on the products or services it offers. Having an updated, comprehensive, and tested general continuity plan can help organizations mitigate operational losses in the event of any disaster or major disruption. Whether it’s advising the organization about cyberfraud in general or reviewing the different elements of a continuity plan for fraud impact, the CFE can proactively assist the client organization on the front end in getting a cyberfraud-recovery continuity plan in place and then in ensuring its efficient operation on the back end.

Specifically, regarding the impact of cyberfraud, the ACFE tells us that, until relatively recently, many organizations reported not having directly addressed it in their formal business continuity plans. Some may have had limited plans that addressed only a few financial fraud-related scenarios, such as employee embezzlement or supplier billing fraud, but hadn’t equipped general employees to deal with even the most elemental impacts of cyberfraud.   However, as these threats increasingly loomed, and as their on-line business expanded, more organizations have committed themselves to the process of formally addressing them.

An overall business continuity plan, including targeted elements to address cyberfraud, isn’t a short-term project, but rather an ongoing set of procedures and control definitions that must evolve along with the organization and its environment. It’s an action plan, complete with the tools and resources needed to continue those critical business processes necessary to keep the entity operating after a cyber disruption. Before advising our clients to embark on such a business continuity plan project, we need to make them aware that there is a wealth of documentation available that they can review to help in their planning and execution effort. An example of such documentation is one written for the industry of our Chapter’s inquirer, banking; the U.S. Federal Financial Institutions Examination Council’s (FFIEC’s) Business Continuity Planning Handbook. And there are other such guides available on-line to orient the continuity process for entities in virtually every other major business sector.  While banks are held to a high standard of preparedness, and are subject to regular bank examination, all types of organizations can profit from use of the detailed outline the FFIEC handbook provides as input to develop their own plans. The publication encourages organizations of all sizes to adopt a process-oriented approach to continuity planning that involves business impact analysis as well as fraud risk assessment, management, and monitoring.

An effective plan begins with client commitment from the top. Senior management and the board of directors are responsible for managing and controlling risk; plan effectiveness depends on management’s willingness to commit to the process from start to finish. Working as part of the implementation team, CFEs can make sure both the audit committee and senior management understand this commitment and realize that business disruption from cyber-attack represents an elevated risk to the organization that merits senior-level attention. The goal of this analysis is to identify the impact of cyber threats and related events on all the client organizations’ business processes. Critical needs are assessed for all functions, processes, and personnel, including specialized equipment requirements, outsourced relationships and dependencies, alternate site needs, staff cross-training, and staff support such as specialized training and guidance from human resources regarding related personnel issues. As participants in this process, CFEs acting proactively are uniquely qualified to assist management in the identification of different cyberfraud threats and their potential impacts on the organization.

Risk assessment helps gauge whether planned cyberfraud-related continuity efforts will be successful. Business processes and impact assumptions should be stress tested during this phase. Risks related to protecting customer and financial information, complying with regulatory guidelines, selecting new systems to support the business, managing vendors, and maintaining secure IT should all be considered. By focusing on a single type of potential cyber threat’s impact on the business, our client organizations can develop realistic scenarios of related threats that may disrupt the cyber-targeted processes.  At the risk assessment stage, organization should perform a gap analysis to compare what actions are needed to recover normal operations versus those required for a major business interruption. This analysis highlights cyber exposures that the organization will need to address in developing its recovery plan. Clients should also consider conducting another gap analysis to compare what is present in their proposed or existing continuity plan with what is outlined (in the case of a bank) in the recommendations presented in the FFIEC handbook. This is an excellent way to assess needs and compliance with these and/or the guidelines available for other industries. Here too, CFEs can provide value by employing their skills in fraud risk assessment to assist the organization in its identification of the most relevant cyber risks.

After analyzing the business impact analysis and risk assessment, the organization should devise a strategy to mitigate the risks of business interruption from cyberfraud. This becomes the plan itself, a catalog of steps and checklists, which includes team members and their roles for recovery, to initiate action following a cyber penetration event. The plan should go beyond technical issues to also include processes such as identifying a lead team, creating lists of emergency contacts, developing calling trees, listing manual procedures, considering alternate locations, and outlining procedures for dealing with public relations.  As members of the team CFEs, can work with management throughout response plan creation and installation, consulting on plan creation, while advising management on areas to consider and ensuring that fraud related risks are transparently defined and addressed.

Testing is critical to confirm cyber fraud contingency plans. Testing objectives should start small, with methods such as walkthroughs, and increase to eventually encompass tabletop exercises and full enterprise wide testing. The plan should be reviewed and updated for any changes in personnel, policies, operations, and technology. CFEs can provide management with a fraud-aware review of the plan and how it operates, but their involvement should not replace management’s participation in testing the actual plan. If the staff who may have to execute the plan have never touched it, they are setting themselves up for failure.

Once the plan is created and tested, maintaining it becomes the most challenging activity and is vital to success in today’s ever-evolving universe of cyber threats. Therefore, concurrent updating of the plan in the face of new and emerging threats is critical.

In summary, cyberfraud-threat continuity planning is an ongoing process for all types of internet dependent organizations that must remain flexible as daily threats change and migrate. The plan is a “living” document. The IT departments of organizations are challenged with identifying and including the necessary elements unique to their processes and environment on a continuous basis. Equally important, client management must oversee update of the plan on a concurrent basis as the business grows and introduces new on-line dependent products and services. CFEs can assist by ensuring that their client organizations keep cyberfraud related continuity planning at the top of mind by conducting periodic reviews of the basic plan and by reporting on the effectiveness of its testing.

The Right Question, the Right Way

As every CFE knows, an integral part of the fraud examination process involves obtaining information from people. Regardless of the interview’s objective, all CFEs should embrace the role of interviewer and use the time-tested techniques recommended to us by the ACFE. But asking the right questions does not necessarily ensure key information will be uncovered; an effective interviewer also recognizes the need to separate truth from deception. Consequently, crafting effective questions, understanding the communication dynamics at play, actively participating in the interview process, and remaining alert to signs of deception will help examiners increase the effectiveness and efficiency of our interviews and of our overall engagements.

Some interviewers try to gather as much information using as few questions as possible and end up receiving convoluted or vague responses. Others seek confirmation of every detail, which can quickly turn an interview into an unproductive probing of minutia. Balancing thoroughness and efficiency is imperative to obtaining the necessary and relevant facts without overburdening the interviewee. Because the location of this line varies by interviewee, CFEs can find this balance most effectively by ensuring they ask only clear questions throughout the interview.

Some individuals might respond to a question in a way that doesn’t provide a direct answer or that veers off topic. Sometimes these responses are innocent; sometimes they are not. To make the most of an interview, examiners must remain in control of the situation, regardless of how the interviewee responds.  Being assertive does not require being impolite, however. In some instances, wording questions as a subtle command (e.g., “Tell me about…. or “Please describe….) can help establish the interview relationship. Additionally, remaining in control does not mean dissuading the interviewee from exploring pertinent topics that are outside the planned discussion points.  Interview questions can be structured in several ways, each with its own strengths, weaknesses, and ideal usage. Open questions ask the interviewee to describe or explain something. Most examination interviews should rely heavily on open questions, as these provide the best view of how things operate and the perspective of the staff member involved in a particular area. They also enable the reviewer to observe the interviewee’s demeanor and attitude, which can provide additional information about specific issues. However, if the CFE believes an individual might not stay on topic or may avoid providing certain information, open questions should be used cautiously.  In contrast, closed questions can be answered with a specific, definitive response, most often “yes” or “no.” They are not meant to provide the big picture but can be useful in gathering details such as amounts and dates. Examiners should use closed questions sparingly in an informational interview, as they do not encourage the flow of information as effectively as open questions.

Occasionally, the questioner might want to direct the interviewee toward a specific point or evoke a certain reply. Leading questions can be useful in such circumstances by exploring an assumption, a fact or piece of information, that the interviewee did not provide previously. When used appropriately, such questions can help the interviewer confirm facts that the interviewee might be hesitant to discuss. Examples of leading questions include: “So there have been no changes in the process since last year?” and “You sign off on these exception reports, correct?” If the interviewee does not deny the assumption, then the fact is confirmed. However,  before using leading questions, the interviewer should raise the topic with open questions and allow the interviewee the chance to volunteer information.

The examiner should establish and maintain an appropriate level of eye contact with the interviewee throughout the interview to personalize the interaction and build rapport. However, the appropriate level of eye contact varies by culture and even by person; consequently, the examiner should pay attention to the interviewee to determine the level of eye contact that makes him or her comfortable.

People tend to mirror each other’s body language subconsciously as a way of bonding and creating rapport. CFEs can help put interviewees at ease by subtly reflecting their body language. Further, the skilled interviewer can assess the level of rapport established by changing posture and by watching the interviewee’s response. This information can help CFEs determine whether to move into sensitive areas of questioning or to continue establishing a connection with the individual.

Confirming periodically that the examiner is listening can encourage interviewees to continue talking. For example, the interviewer can provide auditory confirmation with a simple “mmm hmmm” and nonverbal confirmation by nodding or leaning toward the interviewee during his or her response.

When the interviewee finishes a narrative response, the examiner can encourage additional information by echoing back the last point the person made. This confirms that the interviewer is actively listening and absorbing the information, and it provides a starting point for the person to continue the response.

Occasionally, the examiner might summarize the information provided to that point so that the interviewee can affirm, clarify, or correct the interviewer’s understanding.

Most often, the greatest impediment to an effective interview is the interviewer him or herself.  While it is clearly important for the interviewer to observe, to listen, and to assess the subject in a variety of ways, the role of the interviewer, and the effect he or she has on the interview process, cannot be minimized.

The interviewer typically focuses on the subject as the person who will provide the information he or she seeks. The interviewer concentrates on establishing rapport, listening effectively, analyzing the subject’s verbal and nonverbal communication, and gauging how much or how little the subject is telling her. These are valid areas of concentration for the interviewer. One significant risk is that the interviewer may pay too little attention to the negative influences s/he can bring to the interview, process. The terms interview and communication are interchangeable, and effective communication is a two-way street. What makes the interviewer an effective communicator and effective interviewer is not just the signals he or she picks up from the subject but also the signals, the information, the tone, and the body language he or she sends to the subject. It is highly presumptuous of the interviewer to think he or she has little or no effect on the subject and that the subject is not evaluating, assessing, and analyzing the interviewer.

The interviewer’s style of dress, jewelry, and grooming may tell the subject as much about the interviewer as does the interviewer’s demeanor. If the interviewer is overdressed for the occasion, does it make the subject feel inferior or intimidated? If too casual, does the interviewer send a signal of the lack of importance of the interview and, as a result, does the subject become too relaxed or not as attentive? Attire should have a desired effect. For example, when interviewing an enforcement officer or other professional who is familiar with uniforms and clothing as indicators of status, it may be appropriate to wear a coat and tie. In general, it is best to always to err on the side of conservative dress for the circumstances.

The examiner should not attempt to interview two or more persons at one time unless there is no other option. It is more difficult to control an interview with two or more subjects. One subject may be more dominant than the other. The subjects will influence each other’s memories. Some subjects will not want to embarrass themselves in front of a peer or supervisor. The environment for confidential communications will be adversely affected.

When the interviewer responds to the subject’s responses, he sends signals. At times, it might be advisable to not write notes down at the time the individual tells the interviewer something sensitive. Rather, the interviewer might consider devoting his attention to the subject and writing down the sensitive information after the conversation has moved away from the sensitive area.  The interviewer should never become argumentative, antagonistic, or belligerent. The use of the  “Good Cop, Bad Cop” routine can have unwanted results, especially long term. The CFE interviewer should use tact, speak clearly and with authority but without use of threatening language. The interviewer should consistently set a professional tone.

Finally, all individuals want to be shown respect. Maintaining the personal dignity of the subject is critical for the success of the interview and follow-up efforts. Everyone wants respect, from homeless persons to top executives. To be shown respect, especially if the subject is not accustomed to it, is disarming and contributes to that essential, professional tone.

From Inside the Building

By Rumbi Petrozzello, CFE, CPA/CFF
2017 Vice-President – Central Virginia Chapter ACFE

Several months ago, I attended an ACFE session where one of the speakers had worked on the investigation of Edward Snowden. He shared that one of the ways Snowden had gained access to some of the National Security Agency (NSA) data that he downloaded was through the inadvertent assistance of his supervisor. According to this investigator, Snowden’s supervisor shared his password with Snowden, giving Snowden access to information that was beyond his subordinate’s level of authorization. In addition to this, when those security personnel reviewing downloads made by employees noticed that Snowden was downloading copious amounts of data, they approached Snowden’s supervisor to question why this might be the case. The supervisor, while acknowledging this to be true, stated that Snowden wasn’t really doing anything untoward.

At another ACFE session, a speaker shared information with us about how Chelsea Manning was able to download and remove data from a secure government facility. Manning would come to work, wearing headphones, listening to music on a Discman. Security would hear the music blasting and scan the CDs. Day after day, it was the same scenario. Manning showed up to work, music blaring.  Security staff grew so accustomed to Manning, the Discman and her CDs that when she came to work though security with a blank CD boldly labelled “LADY GAGA”, security didn’t blink. They should have because it was that CD and ones like it that she later carried home from work that contained the data she eventually shared with WikiLeaks.

Both these high-profile disasters are notable examples of the bad outcome arising from a realized internal threat. Both Snowden and Manning worked for organizations that had, and have, more rigorous security procedures and policies in place than most entities. Yet, both Snowden and Manning did not need to perform any magic tricks to sneak data out of the secure sites where the target data was held; it seems that it all it took was audacity on the one side and trust and complacency on the other.

When organizations deal with outside parties, such as vendors and customers, they tend to spend a lot of time setting up the structures and systems that will guide how the organization will interact with those vendors and customers. Generally, companies will take these systems of control seriously, if only because of the problems they will have to deal with during annual external audits if they don’t. The typical new employee will spend a lot of time learning what the steps are from the point when a customer places an order through to the point the customer’s payment is received. There will be countless training manuals to which to refer and many a reminder from co-workers who may be negatively impacted if the rooky screws up.

However, this scenario tends not to hold up when it comes to how employees typically share information and interact with each other. This is true despite the elevated risk that a rogue insider represents. Often, when we think about an insider causing harm to a company through fraudulent acts, we tend to imagine a villain, someone we could identify easily because s/he is obviously a terrible person. After all, only a terrible person could defraud their employer. In fact, as the ACFE tells us, the most successful fraudsters are the ones who gain our trust and who, therefore, don’t really have to do too much for us to hand over the keys to the kingdom. As CFEs and Forensic Accountants, we need to help those we work with understand the risks that an insider threat can represent and how to mitigate that risk. It’s important, in advising our clients, to guide them toward the creation of preventative systems of policy and procedure that they sometimes tend to view as too onerous for their employees. Excuses I often hear run along the lines of:

• “Our employees are like family here, we don’t need to have all these rules and regulations”

• “I keep a close eye on things, so I don’t have to worry about all that”

• “My staff knows what they are supposed to do; don’t worry about it.”

Now, if people can easily walk sensitive information out of locations that have documented systems and are known to be high security operations, can you imagine what they can do at your client organizations? Especially if the employer is assuming that their employees magically know what they are supposed to do? This is the point that we should be driving home with our clients. We should look to address the fact that both trust and complacency in organizations can be problems as well as assets. It’s great to be able to trust employees, but we should also talk to our clients about the fraud triangle and how one aspect of it, pressure, can happen to any staff member, even the most trusted. With that in mind, it’s important to institute controls so that, should pressure arise with an employee, there will be little opportunity open to that employee to act. Both Manning and Snowden have publicly spoken about the pressures they felt that led them to act in the way they did. The reason we even know about them today is that they had the opportunity to act on those pressures. I’ve spent time consulting with large organizations, often for months at a time. During those times, I got to chat with many members of staff, including security. On a couple of occasions, I forgot and left my building pass at home. Even though I was on a first name basis with the security staff and had spent time chatting with them about our personal lives, they still asked me for identification and looked me up in the system. I’m sure they thought I was a nice and trustworthy enough person, but they knew to follow procedures and always checked on whether I was still authorized to access the building. The important point is that they, despite knowing me, knew to check and followed through.

Examples of controls employees should be reminded to follow are:

• Don’t share your password with a fellow employee. If that employee cannot access certain information with their own password, either they are not authorized to access that information or they should speak with an administrator to gain the desired access. Sharing a password seems like a quick and easy solution when under time pressures at work, but remind employees that when they share their login information, anything that goes awry will be attributed to them.

• Always follow procedures. Someone looking for an opportunity only needs one.

• When something looks amiss, thoroughly investigate it. Even if someone tells you that all is well, verify that this is indeed the case.

• Explain to staff and management why a specific control is in place and why it’s important. If they understand why they are doing something, they are more likely to see the control as useful and to apply it.

• Schedule training on a regular basis to remind staff of the controls in place and the systems they are to follow. You may believe that staff knows what they are supposed to do, but reminding them reduces the risk of them relying on hearsay and secondhand information. Management is often surprised by what they think staff knows and what they find out the staff really knows.

It should be clear to your clients that they have control over who has access to sensitive information and when and how it leaves their control. It doesn’t take much for an insider to gain access to this information. A face you see smiling at you daily is the face of a person you can grow comfortable with and with whom you can drop your guard. However, if you already have an adequate system and effective controls in place, you take the personal out of the equation and everyone understands that we are all just doing our job.

Governance and Fraud Detection

Originally, the business owner had the most say in decisions regarding the enterprise. Then, corporate structures were put in place to facilitate decision making, as ownership was spread over millions of shareholders. Boards of directors took over many responsibilities. But with time, the chief executive officer (CEO) ended up having a large say in the composition of the board and, in many instances, ruled and controlled the company and its strategy. The only option for shareholders appeared to be to sell their shares if they were not happy with the performance of a specific organization. Many anti-fraud professionals think that this situation contributed significantly to business demises such as that of Enron and to the horrors consequent to the mortgage meltdown and accompanying fiscal crisis.

Proposals were made to re-equilibrate the power structure by giving more power and responsibilities to the board and to specific committees, such as the audit committee, to better deal with internal control and fair financial reporting or the remuneration committee to better deal with the basis for the type and the level of remuneration of the CEO. New legislation was put into place, such as the US Sarbanes-Oxley Act and Basel II. Compliance with these pieces of legislation consumed a lot of attention, energy and cost.

Enterprises exist to deliver value to their stakeholders. This is accomplished by handling risk advantageously and using resources responsibly. Speedy direction setting and quick reaction to change are essential in such a situation so decision making must be shared among many. Therefore, governance comes into play. Successful enterprises implement an over-arching system of governance that facilitates the achievement of their desired outcomes, both at the enterprise level and at each level within the enterprise; this is especially true with regard to the problem of fraud detection.  In this context, a holistic definition of enterprise governance is in order: Governance is the framework, principles, structure, processes and practices to set direction and monitor compliance and performance aligned with the overall purpose and objectives of an enterprise.

This definition is initially implemented by the answers to and actions on the following governance related questions:

Who is accountable and responsible for enterprise governance? Stakeholders, owners, governing bodies and management are responsible and accountable for governance.

What do they do, and how and where do they do it? They engage in activities (set direction, monitor compliance and performance) in relationship with others and use enablers (frameworks, principles, structures, processes, practices) within the governance view appropriate to them (governance of the enterprise; of an organizational entity within the enterprise such as a business unit, division or function; and of a strategic asset within the enterprise or within an organizational entity).

Why do they do it? They institute governance to create value for their enterprise, determine its risk appetite, optimize its resources and use them responsibly.

In summary, accountability and stewardship are delegated to a governance body by the owner/stakeholder, expecting it to assume accountability for the activities necessary to meet expectations. In alignment with the overall direction of the enterprise, management executes the appropriate activities within the context of a control framework, balancing performance and compliance in achieving the governance objectives of value creation, risk management and resource optimization.

Fraud detection (within the context of a fully defined fraud prevention program) is a vital business process of the over-hanging governance function and can be implemented by numerous generally accepted procedures.  But a few examples …

One way to increase the likelihood of the detection by the governance function of fraud abuses is the conduct of periodic external and internal audits, as well as the implementation of special network security audits. Auditors should regularly test system controls and periodically “browse” data files looking for suspicious activities. However, care must be exercised to make sure employees’ privacy rights are not violated. Informing employees that auditors will conduct a random surveillance not only helps resolve the privacy issue, but also has a significant deterrent effect on computer assisted fraud exploits.

Employees witnessing fraudulent behavior are often torn between two conflicting feelings. They feel an obligation to protect company assets and turn in fraud perpetrators, yet they are uncomfortable in a whistleblower role and find it easier to remain silent. This reluctance is even stronger if they are aware of public cases of whistleblowers who have been ostracized or persecuted by their coworkers or superiors, or have had their careers damaged. An effective way to resolve this conflict is to provide employees with hotlines so they can anonymously report fraud. The downside of hotlines is that many of the calls are not worthy of investigation. Some calls come from those seeking revenge, others are vague reports of wrongdoing, and others simply have no merit. A potential problem with a hotline is that those who operate the hotline may report to people who are involved in a management fraud. This threat can be overcome by using a fraud hotline set up by a trade organization or commercial company. Reports of management fraud can be passed from this company directly to the board of directors.

Many private and public organizations use outside computer consultants or in-house teams to test and evaluate their security procedures and computer systems through the performance of system penetration testing.  The consultants are paid to try everything possible to compromise an enterprise’s system(s). To get into offices so they can look for passwords or get on computers, they masquerade as janitors, temporary workers, or confused delivery personnel. They also employ software based hacker tools (readily available on the Internet) and social engineering techniques.  Using such methods, some outside consultants claim that they can penetrate 90% or more of the companies they “attack” to a greater or lesser degree.

All financial transactions and activities should be recorded in a log. The log should indicate who accessed what data, when, and from which location. These logs should be reviewed frequently to monitor system activity and trace any problems to their source. There are numerous risk analysis and management software packages that can review computer systems and networks and the financial transactions they contain. These packages evaluate security measures already in place and test for weaknesses and vulnerabilities. A series of reports are then generated to explain any weaknesses found and suggest improvements. Cost parameters can be entered so that a company can balance acceptable levels of vulnerability and cost effectiveness. There are also intrusion-detection programs and software utilities that can detect illegal entry into systems along with software that monitors system activity and helps companies recover from fraud and malicious actions.

People who commit fraud tend to follow certain patterns and leave tell-tale clues, often things that do not make sense. Software is readily available to search for these fraud symptoms. For example, a health insurance company could use fraud detection software to look at how often procedures are performed, whether a diagnosis and the procedures performed fit a patient’s profile, how long a procedure takes, and how far patients live from the doctor’s office.

Neural networks (programs that mimic brain activity and can learn new concepts) are quite accurate in identifying suspected fraud. For example, Visa and MasterCard operations employ neural network software to track hundreds of millions of separate account transactions daily. Neural networks spot the illegal use of a credit card and notify the owner within a few hours of its theft. The software can also spot trends before bank investigators do.

Each enterprise needs to determine its appropriate overall governance system and the fraud detection approaches it decides to implement in support of that system. To help in that determination, mapping governance frameworks, principles, structures, processes and practices, currently in use, is beneficial. CFE’s and forensic accountants are uniquely qualified to assist in this process given their in-depth knowledge of all types of fraud scenarios and the tailoring of the anti-fraud controls most appropriate for the control of each within a specific company environment.

Sock Puppets

The issue of falsely claimed identity in all its myriad forms has shadowed the Internet since the beginning of the medium.  Anyone who has used an on-line dating or auction site is all too familiar with the problem; anyone can claim to be anyone.  Likewise, confidence games, on or off-line, involve a range of fraudulent conduct committed by professional con artists against unsuspecting victims. The victims can be organizations, but more commonly are individuals. Con artists have classically acted alone, but now, especially on the Internet, they usually group together in criminal organizations for increasingly complex criminal endeavors. Con artists are skilled marketers who can develop effective marketing strategies, which include a target audience and an appropriate marketing plan: crafting promotions, product, price, and place to lure their victims. Victimization is achieved when this marketing strategy is successful. And falsely claimed identities are always an integral component of such schemes, especially those carried out on-line.

Such marketing strategies generally involve a specific target market, which is usually made up of affinity groups consisting of individuals grouped around an objective, bond, or association like Facebook or LinkedIn Group users. Affinity groups may, therefore, include those associated through age, gender, religion, social status, geographic location, business or industry, hobbies or activities, or professional status. Perpetrators gain their victims’ trust by affiliating themselves with these groups.  Historically, various mediums of communication have been initially used to lure the victim. In most cases, today’s fraudulent schemes begin with an offer or invitation to connect through the Internet or social network, but the invitation can come by mail, telephone, newspapers and magazines, television, radio, or door-to-door channels.

Once the mark receives and accepts the offer to connect, some sort of response or acceptance is requested. The response will typically include (in the case of Facebook or LinkedIn) clicking on a link included in a fraudulent follow-up post to visit a specified web site or to call a toll-free number.

According to one of Facebook’s own annual reports, up to 11.2 percent of its accounts are fake. Considering the world’s largest social media company has 1.3 billion users, that means up to 140 million Facebook accounts are fraudulent; these users simply don’t exist. With 140 million inhabitants, the fake population of Facebook would be the tenth-largest country in the world. Just as Nielsen ratings on television sets determine different advertising rates for one television program versus another, on-line ad sales are determined by how many eyeballs a Web site or social media service can command.

Let’s say a shyster want 3,000 followers on Twitter to boost the credibility of her scheme? They can be hers for $5. Let’s say she wants 10,000 satisfied customers on Facebook for the same reason? No problem, she can buy them on several websites for around $1,500. A million new friends on Instagram can be had for only $3,700. Whether the con man wants favorites, likes, retweets, up votes, or page views, all are for sale on Web sites like Swenzy, Fiverr, and Craigslist. These fraudulent social media accounts can then be freely used to falsely endorse a product, service, or company, all for just a small fee. Most of the work of fake account set up is carried out in the developing world, in places such as India and Bangladesh, where actual humans may control the accounts. In other locales, such as Russia, Ukraine, and Romania, the entire process has been scripted by computer bots, programs that will carry out pre-encoded automated instructions, such as “click the Like button,” repeatedly, each time using a different fake persona.

Just as horror movie shape-shifters can physically transform themselves from one being into another, these modern screen shifters have their own magical powers, and organizations of men are eager to employ them, studying their techniques and deploying them against easy marks for massive profit. In fact, many of these clicks are done for the purposes of “click fraud.” Businesses pay companies such as Facebook and Google every time a potential customer clicks on one of the ubiquitous banner ads or links online, but organized crime groups have figured out how to game the system to drive profits their way via so-called ad networks, which capitalize on all those extra clicks.

Painfully aware of this, social media companies have attempted to cut back on the number of fake profiles. As a result, thousands and thousands of identities have disappeared over night among the followers of many well know celebrities and popular websites. If Facebook has 140 million fake profiles, there is no way they could have been created manually one by one. The process of creation is called sock puppetry and is a reference to the children’s toy puppet created when a hand is inserted into a sock to bring the sock to life. In the online world, organized crime groups create sock puppets by combining computer scripting, web automation, and social networks to create legions of online personas. This can be done easily and cheaply enough to allow those with deceptive intentions to create hundreds of thousands of fake online citizens. One only needs to consult a readily available on-line directory of the most common names in any country or region. Have a scripted bot merely pick a first name and a last name, then choose a date of birth and let the bot sign up for a free e-mail account. Next, scrape on-line photo sites such as Picasa, Instagram, Facebook, Google, and Flickr to choose an age-appropriate image to represent your new sock puppet.

Armed with an e-mail address, name, date of birth, and photograph, you sign up your fake persona for an account on Facebook, LinkedIn, Twitter, or Instagram. As a last step, you teach your puppets how to talk by scripting them to reach out and send friend requests, repost other people’s tweets, and randomly like things they see Online. Your bots can even communicate and cross-post with one another. Before the fraudster knows it, s/he has thousands of sock puppets at his disposal for use as he sees fit. It is these armies of sock puppets that criminals use as key constituents in their phishing attacks, to fake on-line reviews, to trick users into downloading spyware, and to commit a wide variety of financial frauds, all based on misplaced and falsely claimed identity.

The fraudster’s environment has changed and is changing over time, from a face-to-face physical encounter to an anonymous on-line encounter in the comfort of the victim’s own home. While some consumers are unaware that a weapon is virtually right in front of them, others are victims who struggle with the balance of the many wonderful benefits offered by advanced technology and the painful effects of its consequences. The goal of law enforcement has not changed over the years; to block the roads and close the loopholes of perpetrators even as perpetrators continue to strive to find yet another avenue to commit fraud in an environment in which they can thrive. Today, the challenge for CFEs, law enforcement and government officials is to stay on the cutting edge of technology, which requires access to constantly updated resources and communication between organizations; the ability to gather information; and the capacity to identify and analyze trends, institute effective policies, and detect and deter fraud through restitution and prevention measures.

Now is the time for CFEs and other assurance professionals to continuously reevaluate all we for take for granted in the modern technical world and to increasingly question our ever growing dependence on the whole range of ubiquitous machines whose potential to facilitate fraud so few of our clients and the general public understand.

Structure & Scope

T.J. Jones presented himself as a turnaround specialist to the Chairman of the Board of Central State Corporation, a medium sized, public company, a mid-western manufacturer of computer equipment, who hired him to take over a large, but under-performing division of the company.  Jones immediately set out lofty goals for sales and profits and very quickly replaced all the existing senior staff of the division with new hires loyal to himself. To meet his inflated goals, two of Jones’s managers, in addition to legitimate equipment sales, shipped bricks to distributors and recorded some as sales of equipment to retail distributors and some as inventory out on consignment. No real products left the plant for these “special sales.” The theory was that actual sales would inevitably grow, and the bricks could be replaced later with real products. In the meantime, the unwitting distributors thought they were holding consignment inventory in the unopened cartons.

The result was that overstated sales and accounts receivable quickly caused overstated net income, retained earnings, current assets, working capital, and total assets. Prior to the manipulation, annual sales of the division were $135 million. During the two falsification years of the fraud, sales were $185 million and $362 million. Net income went up from a loss of $20 million to $23 million (income), then to $31 million (income); and the gross margin percent went from 6 percent to 28 percent. The revenue and profit figures outpaced the performance of Central State’s industry category. The accounts receivable collection period grew to 94 days, while it was 70 days elsewhere in the industry.

All the paperwork was in order because the two hand-picked managers had falsified the sales and consignment invoices, even though they did not have customer purchase orders for all the false sales. Shipping papers were in order, and several co-operating shipping employees knew that not every box shipped contained disk drives. Company accounting and control procedures required customer purchase orders or contracts evidencing real orders. A sales invoice was supposed to indicate the products and their prices, and shipping documents were supposed to indicate actual shipment. Sales were always charged to a customer’s account receivable.  During the actual operation of the fraud there were no glaring control omissions that would have pointed to financial fraud. Alert auditors might have noticed the high tension created by concentration on meeting profit goals. Normal selection of sales transactions with vouching to customer orders and shipping documents might have turned up a missing customer order. Otherwise, the paperwork would have seemed to be in order. The problem lay in Jones’ and his managers’ power to override controls and to instruct some shipping staff to send dummy boxes.  Confirmations of distributors’ accounts receivable may have elicited exception responses. The problem was to have a large enough confirmation sample to pick up some of these distributors or to be skeptical enough to send a special sample of confirmations to distributors who took the “sales” near the end of the accounting period. Observation of inventory could have included some routine inspection of goods not on the company’s premises.

The overstatements were not detected. The auditor’s annual confirmation sample was typically small and did not contain any of the false shipments. Tests of detail transactions did not turn up any missing customer orders. The inventory out on consignment was audited by obtaining a written confirmation from the holders, who apparently over the entire period of the fraud had not opened even one of the affected boxes. The remarkable financial performance was attributed to good management.

The fraud was revealed by one of Jones’ subordinate managers who was arrested on an unrelated drug charge and volunteered as a cooperating witness in exchange for the dropping of the drug charge.

This hypothetical case is a good example of the initial situation confronting management when a fraud affecting the financial statements comes to light, often with little or no warning. Everyone involved with company management will have a strong intuitive sense that an investigation is necessary; but the fact is that the company has now lost faith in the validity of its own public disclosures of financial performance.

That will need to be fixed. And it is not enough to simply alert markets that previously issued financial results are wrong; outsiders will want to know what the correct numbers should have been. The only way to find out is to dig into the numbers and distinguish the falsified results from the real ones. Beyond the need to set the numbers straight, the company will need to identify those complicit in the fraud and deal with them. This is not only a quest for justice but the need to restore credibility, and the company will be unable to do so until outsiders are satisfied that the wrongdoing executives and staff have been identified and removed.  Thus, the company needs an audit report on its financial statements. The need for a new audit report arises from the likelihood that, once a company’s financial statements have been found to be unreliable, the company’s external auditor will want to pull its existing, inaccurate,  report.

As a practical matter, pulling its report involves the external auditor’s recommendation that the company issue a press release that previously issued financial statements are not to be relied upon. Once the company issues such a press release, it will be out of compliance with any number of SEC regulations. It will no longer satisfy the threshold prerequisites for trading on the company’s securities exchange. It will be viewed by many, and certainly the plaintiff class action bar, as coming close to having admitted wrongdoing. And everyone on the outside, not to mention its own board of directors, will want answers fast. A critical step in the restoration of important business relationships and a return to compliance with regulatory requirements is the new auditor’s report. And, where fraudulent financial reporting has been discovered, an in-depth and comprehensive investigation is often the only way to get one.

A critical issue at the outset of a financial fraud investigation is its structure and scope. A key attribute for which the external auditor, as well as the SEC, will be on the lookout is that the investigation is overseen by the audit committee. In public companies, it is the audit committee that has explicit legal responsibility for oversight of financial reporting, and accounting fraud falls squarely within the orbit of financial reporting.  In addition, the audit committee, as a matter of statutory design, is structured to be independent and possessed of a level of financial sophistication that makes it the most viable subset of the board of directors to oversee the investigative efforts in this case. It’s also the audit committee that has the statutory power to engage and pay outside advisers even without the consent of management, a statutory power that can be vital if management, or part of management, as in our hypothetical case above, is a participant in the fraud.

The audit committee’s role is to oversee the investigation, not actually conduct it. For that it needs to look to outside professionals, and there are two types. The one is the outside counsel to the audit committee. If the audit committee has not already engaged outside counsel, it needs to do so. It’s audit committee counsel who will conduct the interviews, comb through the financial records, and present factual findings for audit committee consideration. Individual audit committee members may choose to sit in on interviews, and that is their choice. But it’s audit committee counsel who will conduct the investigation. The other group of professionals is the forensic accountants and/or CFEs.  Audit committee counsel, while knowledgeable of financial reporting obligations and investigative techniques, will probably not possess a sufficiently detailed knowledge of accounting systems, generally accepted accounting principles
(GAAP), or computerized ledgers. For that, audit committee counsel is well advised look for help to the category of accountants and fraud examiners specifically trained in digging into financial records for evidence of fraud.

What exactly is the audit committee looking for in such an investigation? There are primarily two things. The first, obviously enough, is what the actual numbers should have been. Often fraudulent entries involve judgment calls where the operative question is not whether the number matches the underlying financial records but whether the judgment behind the number was exercised in good faith.  The operative question for the investigators is whether the executive exercised his judgment in good faith to make the best estimate allowed by reasonably available information. Sometimes it’s not so easy to tell.

Beyond the correct numbers, the second thing for which the investigators are looking is executive complicity. In other words: who did it? Again, the good faith of those potentially involved comes into play. The investigators are not seeking simply whether executives reported financial results that turned out to be wrong. The issue rather is whether the executives tried to get them right. If they did and made an honest mistake or estimated incorrectly, that does not sound like fraud and may not even be a violation of GAAP to begin with. The main point here is that, when it comes to executive complicity, the investigators are ordinarily looking for evidence of wrongful intent (scienter). In other words, they are looking for an intentional misapplication of GAAP or an approach to GAAP that is so reckless as to constitute the equivalent of an intentional misapplication.

The scope of the investigation, then, should not pose too difficult an issue at the outset.  Initially, the scope will be largely defined by the potential improprieties that have been uncovered. The tricky question becomes: how far should the investigators go beyond the suspicious entries? The judgment calls here are formidable. One of the key issues involves the expectations of the external auditor and, beyond that, the SEC. If the scope is not sufficiently broad, the investigation may not be satisfactory to either one. Indeed, an insufficient scope can place the external auditor in a particularly awkward spot insofar as the SEC may subsequently fault not only the audit committee for inadequate scope but the external auditor’s acceptance of the audit committee’s investigative report.

An additional complicating factor involves the way fraud starts and grows. A critical issue to consider is that, overtime, as the Central State example illustrates, the manipulations will often get increasingly aggressive as the perpetrators spread the fraud throughout many line items so that no single account stands out as unusual but a substantial number are affected. For example, to prevent the distortion of accounts receivable from getting too large, Jones and his accomplices spread the fraud into inventory, then asset capitalization, then net income. The spread of the fraud is analogous to pouring a glass of water on a tabletop. It can spread everywhere without getting too deep in any one place.

So, once fraudulent financial reporting has been identified, even in just a few entries, the investigators will want to consider the possibility that it’s a symptom of a broader problem. If the investigators have been lucky enough to nip it in the bud, that may be the end of it.  Unfortunately, if the fraud has gotten big enough to be detected in the first place, such a limited size cannot be assumed. Even where the fraud ostensibly starts out small the need for a broader scope has got to be considered.

The scope of the investigation, therefore, can start out with its parameters guided by the suspicious entries revealed at the outset. In most cases, though, it will need to broaden to ensure that additional areas are not affected as well. Throughout the investigation, moreover, the scope will have to remain flexible. The investigators will have to stay on the lookout for additional clues, and will have to follow where they lead. Faced with an ostensibly ever-widening scope, initial audit committee frustration is both to be expected and understandable. But there is just no practical alternative.