Author Archives: cwl890

Client’s Card Security

Our Chapter recently got a question from a reader of this blog about data privacy; specifically she asked about the Payment Card Industry Data Security Standard (PCI DSS) and whether compliance with that standard’s requirements by a client would provide reasonable assurance that the client organization’s customer data privacy controls and procedures are adequate. The question came up in the course of a credit card fraud examination in which our reader’s small CPA firm was involved. A very good question indeed! The short answer, in my opinion, is that, although PCI DSS compliance audits cover some aspects of data privacy, because they’re limited to credit cards, PCI DSS audits would not, in themselves be sufficient to convince a jury that data privacy is adequately protected throughout a whole organization. The question is interesting because of its bearing on the fraud risk assessments CFE’s routinely conduct. The question is important because CFE’s should understand the scope (and limitations) of PCI DSS compliance activities within their client organizations and communicate the differences when reviewing corporate-wide data privacy for fraud prevention purposes. This understanding will also tend to prevent any potential misunderstandings over duplication of review efforts with business process owners and fraud examination clients.

Given all the IT breeches and intrusions happening daily, consumers are rightly cynical these days about businesses’ ability to protect their personal data. They report that they’re much more willing to do business with companies that have independently verified privacy policies and procedures. In-depth privacy fraud risk assessments can help organizations assess their preparedness for the outside review that inevitably follows a major customer data privacy breach. As I’m sure all the readers of this blog know, data privacy generally applies to information that can be associated with a specific individual or that has identifying characteristics that might be combined with other information to indicate a specific person. Such personally identifiable information (PII) is defined as any piece of data that can be used to uniquely identify, contact, or locate a single person. Information can be considered private without being personally identifiable. Sensitive personal data includes individual preferences, confidential financial or health information, or other personal information. An assessment of data privacy fraud risk encompasses the policy, controls, and procedures in place to protect PII.

In planning a fraud risk assessment of data privacy, CFE’s auditors should evaluate or consider based on risk:

–The consumer and employee PII that the client organization collects, uses, retains, discloses, and discards.
–Privacy contract requirements and risk liabilities for all outsourcing partners, vendors, contractors, and other third parties involving sharing and processing of the organization’s consumer and employee data.
–Compliance with privacy laws and regulations impacting the organization’s specific business and industry.
–Previous privacy breaches within the organization and its third-party service providers, and reported breaches for similar organizations noted by clearing houses like Dunn &
Bradstreet and in the client industry’s trade press.
–The CFE should also consult with the client’s corporate legal department before undertaking the review to determine whether all or part of the assessment procedure should be performed at legal direction and protected as “attorney-client privileged” work products.

The next step in a privacy fraud risk assessment is selecting a framework for the review.
Two frameworks to consider are the American Institute of Certified Public Accountants (AICPA) Privacy Framework and The IIA’s Global Audit Technology Guide: Managing and Auditing Privacy Risks. For ACFE training purposes, one CFE working for a well know on-line retailer reported organizing her fraud assessment report based on the AICPA framework. The CFE chose that methodology because it would be understood and supported easily by management, external auditors, and the audit committee. The AICPA’s ten component framework was useful in developing standards for the organization as well as for an assessment framework:

–Management. The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
–Notice. The organization provides notice about its privacy policies and procedures and identifies the purposes for which PII is collected, used, retained, and disclosed.
–Choice and Consent. The organization describes the choices available to the individual customer and obtains implicit or explicit consent with respect to the collection, use, and disclosure of PII.
–Collection. The organization collects PII only for the purposes identified in the Notice.
–Use, Retention, and Disposal. The organization limits the use of PII to the purposes identified in the Notice and for which the individual customer has provided implicit or explicit consent. The organization retains these data for only as long as necessary to fulfill the stated purposes or as required by laws or regulations, and thereafter disposes of such information appropriately.
–Access. The organization provides individual customers with access to their PII for review and update.
–Disclosure to Third Parties. The organization discloses PII to third parties only for the purposes identified in the Notice and with the implicit or explicit consent of the individual.
–Security for Privacy. The organization protects PII against unauthorized physical and logical access.
–Quality. The organization maintains accurate, complete, and relevant PII for the purposes identified in the Notice.
–Monitoring and Enforcement. The organization monitors compliance with its privacy policies and procedures and has procedures to address privacy complaints and disputes.

Using the detailed assessment procedures in the framework, the CFE, working with internal client staff, developed specific testing procedures for each component, which were performed over a two-month period. Procedures included traditional walkthroughs of processes, interviews with individuals responsible for IT security, technical testing of IT security and infrastructure controls, and review of physical storage facilities for documents with PII. Technical scanning was performed independently by the retailer’s IT staff, which identified PII on servers and some individual personal computers erroneously excluded from compliance monitoring. Facilitated sessions with the CFE and individuals responsible for PII helped identify problem areas. The fraud risk assessment dramatically increased awareness of data privacy and identified several opportunities to strengthen ownership, accountability, controls, procedures, and training. As a result of the assessment, the retailer implemented a formal data classification scheme and increased IT security controls. Several of the vulnerabilities and required enhancements involved controls over hard-copy records containing PII. Management reacted to the overall report positively and requested that the CFE schedule future recurring views of fraudulent privacy breech vulnerability.

Fraud risk assessments of client privacy programs can help make the business case within any organization for focusing on privacy now, and for promoting organizational awareness of privacy issues and threats. This is one of the most significant opportunities for fraud examiners to help assess risks and identify potential gaps that are daily proving so devastating if left unmanaged.

Working Toward Non-Prosecution

A recent major article in the financial trade press alluded to the importance of the U.S. Foreign Corrupt Practices Act as a piece of US government regulation of which it behooves all fraud examiners to be aware. The reference got me to thinking about the confusion that still persists regarding certain provisions of the Act among corporate players as reported in the article in question following several high profile prosecutions. Enacted to great fanfare in 1977, the purpose of the FCPA was to prevent the bribery by the agents of US corporations of foreign government officials when those agents were negotiating overseas contracts. The FCPA imposes heavy fines and penalties for both organizations and individuals. The two major provisions address: 1) bribery violations and 2) improper corporate books and records as well as maintenance of inadequate internal controls. Methods of enforcement and interpretation of the law in the US have continued to evolve to the present day.

From the first, the FCPA spawned questions of definition and interpretation for those trying to comply, i.e., who is a “foreign official?” What is the difference between a “facilitation” payment and a bribe? Who is considered a third party? How does the government define “adequate” internal controls to detect and deter bribery and corruption?

The United Kingdom enacted its UK Bribery Act in July 2010 which really represented the first real attempt at an anti-bribery law to address some of these issues. The UK Bribery Act introduced the concept of “adequate procedures”, that if followed could allow affirmative defense for an organization under investigation for bribery. The UK Bribery Act recommended several internal controls for combating bribery and offered the incentive of a more favorable result for those who could document compliance. Among the controls:

• Establish anti-bribery procedures;
• A top corporate level commitment to prevent bribery;
• Periodic and documented risk assessments;
• Proportionate due diligence;
• Communication of bribery prevention policies and procedures to all involved parties to corporate transactions;
• Monitoring of anti-bribery procedures.

The concept of an affirmative defense for adequate procedures creates quite a contrast to the US FCPA which only offers affirmative defense for payments of bona fide expenses or small gifts within the legal limits of the foreign countries involved. The UK Bribery Act simply equates all facilitation and influence payments to bribery, thus eliminating much confusion. Finally, the UK Bribery Act dealt with the problem of defining a foreign official by making it illegal to bribe anyone regardless of government affiliation. Several countries such as Russia, Canada and Brazil have enacted or updated their anti-bribery regulations to parallel the guidelines presented in the UK Bribery Act. The key to the effectiveness remains enforcement.

Then, in 2010, the US Department of Justice and the Securities Exchange Commission released a guide book introducing several hallmarks of an effective FCPA compliance program. The publication of the guidebook is a development which, according to the article I was reading, many auditors and CFE’s remain unaware, even today. The Resource Guide provides our client companies with the tools to demonstrate a proactive approach to the deterrence of bribery and corruption. Companies found out of compliance may receive some consideration during the fines and penalty stage of their cases.

The guidebook recommends that companies doing business overseas:
• Establish a code of conduct that specifically addresses the risk of bribery and corruption;
• Set the tone by designating a Chief Compliance Officer to oversee all anti-bribery and anti-corruption activities;
• Train all employees to be thoroughly prepared to address bribery and corruption risk and document that the training took place;
• Perform fraud risk assessments of potential bribery and corruption pitfalls by country and industry;
• Review the anti-corruption program annually to assess the effectiveness of policies, procedures and controls;
• Perform audits (routine and surprise) and monitor foreign business operations to assure strict compliance with the published code of conduct;
• Ensure proper legal contractual terms exist within agreements with third parties that address compliance with anti-bribery and corruption laws and regulations;
• Investigate and respond promptly and appropriately to all allegations of bribery and corruption;
• Take proper disciplinary action for violations of anti-bribery and corruption laws and regulations;
• Perform adequate due diligence that addresses the risk of bribery and corruption performed by third parties prior to entering into any business relationship.

Fraud examiners should make their clients aware that a company which can provide evidence of compliance with these recommendations is afforded many advantages if they’re ever charged with a violation of the Act. Among them is a Deferred Prosecution Agreement (DPA). Under a Deferred Prosecution Agreement the Department of Justice files a court document charging the organization while simultaneously requesting that prosecution be deferred in order to allow the company to demonstrate good conduct going forward. The DPA is an agreement by the organization to: cooperate with the government, accept the factual findings of the investigation, and admit culpability if so warranted. Additionally, companies may be directed to participate in compliance and remediation efforts, e.g., a court-appointed monitor. If the company completes the term of the DPA the DOJ will dismiss the charges without imposing fines and penalties!

The DOJ and the company may alternatively even enter into a Non-Prosecution Agreement. Under such an agreement the DOJ retains the right to file charges against the organization at a later time should the organization fail to comply. The NPA is not filed with the courts but is maintained by both the DOJ and the company and posted on the DOJ website. Similar to the DPA, the organization agrees to monetary penalties, ongoing cooperation, admission to relevant facts, as well as compliance and remediation of policies, procedures and controls. If the company complies with the agreement, the DOJ will, again, drop all charges.

The good news is that, since publication of the guidebook, corporate compliance programs have continued to mature, and are now generally accepted as just another cost of conducting business in a global marketplace. The US government is continuing to clarify expectations with regard to corporate responsibility at home and abroad, and working with international partners and their compliance programs.

Increased cooperation between the public and private sectors to address these issues will assist in leveling the playing field in the global marketplace. Non-government and civil society organizations, i.e. World Bank and Transparency International, are playing a key role in this effort. These organizations set standards, apply pressure on foreign governments to enact stricter anti-bribery and corruption laws, and enforce those laws. Coordination and cooperation among government, business and civil entities, reduce the incidences of bribery and corruption and increase opportunities for companies to compete fairly and ethically in the global marketplace. Hence, every fraud examiner and assurance professional should strongly support these efforts while strongly encouraging our clients to become familiar with and comply with the provisions of the recently updated 2010 guidebook.

You Are Your Report

The ACFE tells us that organizing and writing the final fraud investigation report is one of the most challenging tasks that CFE’s report routinely performing in connection with their examinations. Thus, the whole process of communicating the results of our investigations is, and must be, an integral part of any CFE’s practice. As I’m sure every reader of this blog knows, any communication can be challenging, even when the news being delivered is positive, but when the news to be delivered is negative (e.g., analyzing the facts of an embezzlement or presenting the results of an investigation of a complex management fraud), the job of delivering it can be super stressful. In such situations, the CFE’s ability to communicate takes on increased importance. An organized, thoughtful approach can make that task easier and more constructive for all concerned. Therefore, in my opinion, practitioners would do well to apply some key steps to any kind effective communication.

We can take some comfort in realization of the fact that the responsibility for delivering bad news is certainly not unique to fraud examiners. Professionals of all disciplines have developed protocols for communicating news perceived to be negative. These protocols are generally built on the keys to effective information transfer common to all types of communication and stress the importance of having a plan. Where they differ from the general communication guidance with which assurance professionals may already be familiar is their emphasis on specific keys that are particularly helpful in face-to-face meetings and situations requiring investigators to deliver negative news. One such protocol exists under a variety of names but is most frequently dubbed the “ABCDE” mnemonic. Let’s go through the letters of the mnemonic one by one.

The “A” stands for advanced planning. Advance preparation is an especially important element of effectively communicating bad news. It should go without having to be said that CFE’s can avoid wasted time and potentially embarrassing mistakes by having a solid grasp of the facts before delivering any of their findings to others. This includes carefully reviewing findings and confirming their understanding of critical issues well in advance of any reporting. Although fraud examiners often are sometimes familiar with their audience as the result of past interactions (especially if they’re employed by an attorney or an investigative firm), it’s always helpful to gather background information about the target audience of the findings, their level of involvement with and understanding of the issue, and their communication styles so the CFE can tailor the report and/ or related meeting accordingly. Examiners also may consider visualizing the point of view they expect the audience will have regarding the issue in question, because this will likely guide their reactions and questions. And as always, practice makes perfect. It’s better to work out any bugs alone or with a colleague (if you’re lucky enough to have one) than in the midst of a highly charged meeting with attorneys and management present.

“B” addresses the protocol process of building the environment and is especially relevant to face to face presentations of the report. The setting for the meeting also is an important factor, as it should allow the examiner to maintain control over the meeting’s direction. Optimally, the meeting should occur in a place that’s private, where the participants are not distracted, and where interruptions are kept to a minimum. These factors may not be as difficult to control in the case of meetings with an audit committee or in your employing attorney’s office which generally occur in a private conference room, but examiners should consider the practical complications that can arise when meeting with a client manager in his or her office. Distractions created by telephones, e-mail, employees coming and going, or the possibility of being overheard can limit meeting productivity. With this in mind, CFE’s should try to schedule the meeting at a time and place where the participants can devote their full attention to the challenging issues at hand.

Communicating well is the “C” in our mnemonic. To try always to employ direct, clear language to communicate bad news, while still being sensitive to the audience’s feelings, is an imperative skill for investigators to possess. Although it’s sometimes tempting to temper an issue or to use euphemisms to try to soften the blow, that approach can add confusion, and ultimately, only delay the inevitable. A straightforward, honest delivery of the facts is generally the best policy and is, after all, what we’re being paid to do. Never lose sight of the fact that some words (e.g., scam and scheme) are emotionally charged and may elicit negative reactions from the audience. Instead, words such as “suspected scenario”, or “suspected irregularity” better convey the message without unnecessarily offending anyone. Striking the right balance between directness and sensitivity can be difficult, but it’s critical to the successful delivery of bad news. Providing the audience with specific examples from her report can help clarify the CFE’s message without the need for personal, un-objective, or emotion laden words. We know from many ACFE publications and training courses that the majority of communication comes from body language, facial expressions, eye contact, and tone of voice. As fraud examiners and forensic accountants, we need to be aware of these nonverbal cues and keep them in check so they do not undermine delivery of our results. An important and often overlooked aspect of good communication is ensuring that the message sent equals the message received. Remember the old politician’s maxim; “Tell them. Tell them what your said. Tell them again”! It’s important, particularly in the case of bad news, for the examiner to verify that the audience fully understands the message being delivered, both its content and seriousness. Eliciting feedback from the audience will give the CFE an opportunity to confirm what they heard and will enable her to clear up any miscommunication immediately.

Dealing with reactions is the “D” in our mnemonic. As we all know, in the case of fraud reports, there will always be reactions. It’s inevitable, and healthy, that the audience will have questions and want you, the examiner, to provide actual transactions and/or evidence supporting the report findings. CFE’s should be prepared, based on “A” their advanced preparation, to anticipate questions and by gathering supporting documentation in advance, to provide these items during the meeting. Examiners should also expect audience members to offer their own responses or explanations to counter the report findings. Because emotions will be running high, these responses may take the form of a personal attack on the examiner, but s/he must take care not to react defensively or place blame. Above all, we CFE’s must keep in mind that our role is to communicate factual information so that appropriate due diligence can be taken and never to in any way speculate as to guilt or offer value judgments; stick to the facts which will always speak for themselves far more eloquently than you can.

It’s important for management and counsel to identify the immediate impact of the bad news. For example, does this apparent instance of fraud as revealed by the fraud report have immediate regulatory ramifications? Does this situation result in the need for a restatement of financial statements? Should we move forward immediately with terminations or prosecution? The fear of unknown consequences can make bad news seem even worse. By doing some advance research to help address these types of questions, the CFE can make a valuable contribution to the organization by helping to at least begin to define the extent of the unknown. Once the immediate impact has been assessed, the next logical step will be to develop a long-term plan for fixing or mitigating the control problem. Because of the examiner’s familiarity with the mechanics of the underlying issue confronting management and counsel, s/he is in an excellent position to work with other assurance professionals to provide alternatives or suggestions for remediation and for the eventual strengthening of the client’s fraud prevention program. Examiners should be sure to emphasize their willingness to provide additional information or assistance as needed as we assist management and others to arrange the timetable for following up on the results of our investigations.

It’s a Reputation Thing

According to the ACFE presenter at one of our live events, 6.4 percent of worldwide fraud cases occur in the education sector, which represents the fifth most-targeted industry by fraudsters out of 23 reported by members of the ACFE. And the three most frequent fraud schemes reported as perpetrated in the education sector are billing schemes, fraudulent expense reimbursements and corruption schemes. Most of the reporting CFE’s also seem to agree that nonprofit institutions’ greatest fraud related challenge is mitigating reputational risk. Good faculty members and students won’t join fraudulent universities. Governments and donors won’t financially contribute to organizations they don’t trust.

Thus, institutions of higher learning aren’t anymore immune to fraud than any other large organization. However, the probability of occurrence of fraud risks may be somewhat higher in colleges and universities because of their promoted environment of collegiality, which may lead to more decentralization and a consequent lack of basic internal controls. Federal and state governments, as well as donors, have increased the pressure on universities to implement better governance practices and on their boards of governors to exercise their fiduciary responsibilities more efficiently.

Which brought our speaker to the issue of regular risk assessments, but tailored specifically to the unique needs of the educational environment. Colleges and universities around the world should be actively encouraged by their governing boards and counsels to perform regular fraud risk assessments and vigorously implement and enforce compliance with targeted internal controls, such as proper segregation of duties and surprise audits. Of course, as with all organizations, universities can prevent fraud by segregating a task of requesting a financial transaction from those of approving it, processing the payment, reconciling the transaction to the appropriate accounts and safeguarding the involved asset(s). Surprise audits should be just that: unannounced supervisory reviews. This creates not just an atmosphere of collegiality and support but one in which the perceived opportunity to commit fraud is lowered.

As I’ve indicated again and again in the pages of this blog, the most powerful fraud prevention measure any organization can take is the education of its staff, top to bottom. Educating faculty, staff members and students about the university’s ethics (or anti-fraud) policies is important not only to prevent fraud but to preserve the institution’s reputation. It’s also important to develop ethics policies carefully and implement them in accordance with the particular culture and character of the institution.

Culturally, universities, like most nonprofit educational institutions, don’t like heavy-handed policies, or controls, because faculty members perceive them as impediments to their research and teaching activities. After going through an appropriate anti-fraud training program, every employee and faculty member (many higher-education institutions actually view faculty above the instructor level as quasi-independent contractors) should come to understand the nature and role of internal controls as well as the negative consequences associated with fraud.

University administrators, faculty and staff members can be motivated to prevent fraud on a basis of self-interest because its occurrence might affect their chances of promotions and salary increases and tarnish the external reputation of the university, which could then affect its financial situation and, hence, their individual prospects.

ACFE training tells us that organizational administrators who don’t get honest feedback and don’t hear and address fraud tips quickly can get in trouble politically, legally and strategically. All universities should implement user-friendly reporting mechanisms that allow anyone to anonymously report fraud and irregular activities plus deliver healthy feedback on leadership’s strengths and weaknesses. This will keep direct lines of communication open among all employees and senior university administrators. These tools will not only strengthen the fight against fraud but also advance the university’s strategic mission and refine senior administrators’ leadership styles. You can’t manage something you can’t see. Such tried and true mechanisms as independent internal audit departments and/or involved audit committees, should provide effective oversight of reporting mechanisms.

Still, many universities still resist pressure from their external stakeholders to implement hotlines because of concern they might create climates of mistrust among faculty members. Faculty members’ tendency to resist any effort to have their work examined and questioned may explain this resistance. Necessary cultural changes take some time, but educational institutions can achieve them with anti-fraud training and a substantial dose of ethical leadership and tone at the top.

From a legal perspective, colleges and universities, like any other nonprofit organization, must proactively demonstrate due diligence by adopting measures to prevent fraud and damage to their individual reputations. They’re also financially and ethically indebted to governments and donors to educate tomorrow’s leaders by demonstrating their ability to ensure that their internal policies and practices are sound.

Senior university administrators also must be able to show that they investigate all credible allegations of fraud. In addition, independent, professional and confidential fraud investigations conducted by you, the CFE, allow a victim university and its senior administrators to:

— determine the exact sources of losses and hopefully identify the perpetrator(s);
— potentially recover some or all of financial damages;
— collect evidence for potential criminal or civil lawsuits;
— avoid possible discrimination charges from terminated employees;
— identify internal control weaknesses and address them;
— reduce future losses and meet budget targets;
— comply with legal requirements such as senior administrators’ fiduciary duties of loyalty and reasonable care;
— reduce imputed university liability which may result from employee misconduct;

As CFE’s we should encourage client universities to adequately train and sensitize administrators, faculty and staff members about their ethics policies and the general problems related to occupational fraud in general. Administrators should also consider implementation of anonymous reporting programs and feedback processes among all stakeholders and among the senior administration. They should perform regular fraud risk assessments and implement targeted internal controls, such as proper segregation of duties and conflict-of-interest disclosures. Senior administrators should lead by example and adopt irreproachable behaviors at all times (tone at the top). Finally, faculty members’ job incentives should be aligned with the university’s mission and goals to avoid dysfunctional and illegal practices. All easier said than done, but, as a profession, let’s encourage them to do it when we have the chance!

Better Call Saul

As reported so often in the press these last few years, even when well-intentioned employees feel they’re doing the right thing by reporting acts of wrongdoing, their reports aren’t always well received. Numerous studies conducted by the ACFE strikingly bear this out. And this is so much the case that any employee (public or private) who witnesses acts of wrongdoing and decides to report them is well advised to seek legal counsel before doing so. When a whistle-blower also happens to be a CFE, the same advice applies. Every CFE should learn just when, where, and how to report fraudulent acts before blowing the whistle, if only so they can comply with the often complex procedures required to receive any available protections against retaliation.

All the U.S. states have laws to protect public sector employees from retaliation for whistle-blowing. Indeed, most of the state whistle-blowing laws were enacted specifically to actively encourage public sector employees to report fraud, waste, and abuse both in and without government agencies. Some state laws protect only public employees; others include government contractors and private-sector employees as well. Many of the laws protecting private sector employees involve workplace safety. They were designed and enacted decades ago to protect employees from retaliation when reporting occupational safety issues. Public and private employees can use them, but they might not apply in all situations. Over the years, reporting in some other specific situations has also received protection.

Facts to keep in mind. Whistle-blowing, as it relates to fraud, is the act of reporting fraud, waste, and abuse. Reporting any act of wrongdoing is considered whistle-blowing, regardless if it’s reported by a public or private employee or to persons inside or outside of the victim organization. Anyone can report wrongdoing, but the subsequent level of protection against retaliation an employee will receive will differ depending on whether they’re public or private, to whom they report, the manner in which they report, the type of wrongdoing they report, and the law(s) under which they report. The ACFE tells us that a majority of unprotected whistle-blowers end up being terminated. Among those unterminated, some are suspended, some transferred against their wishes and some are given poor performance evaluations, demoted or harassed. To address their situation, some choose recourse to the courts. The rub here is that to prevail, the employee will probably have to link their whistleblowing directly to the retaliation. This can be difficult for the employee experiencing any kind of current problem in the workplace because employers will claim their adverse personnel actions were based on the employees’ poor performance and not on the employees’ decision to blow the whistle. It’s especially easy for employers to assert this claim if the person who conducted the retaliation claims no knowledge of the whistle-blowing, which is very frequently the case.

Additionally, many whistle-blowers lose their cases because they didn’t comply with some technicality in the laws. Protection laws are very specific on how whistle-blowers must report the wrongdoing. Failing to comply with any aspect of the law will result in a loss of protection. Some examples:

• Subject Matter Jurisdiction – the court must have the power to hear the kind of issue in the whistle-blower’s suit. Subject matter jurisdiction is based on the law the whistle-blower plans to use. Generally speaking, federal courts hear violations of federal laws and state courts hear violations of state laws, although this isn’t always the case. Employees can file alleged violations of their civil rights in state or federal courts under Section 1983 of Title 42 of the U.S. Code of
Federal Regulations. While rarely used in the past, today Section 1983 is part of the Civil Rights Act and the primary means of enforcing all Constitutional rights. Subject Matter Jurisdiction can help employees decide to file in federal or state court. Of course, the employer might ask to have the case moved to another court.

• Personal Jurisdiction – the employee should make sure the court has power over the party s/he wants to sue. A court must have personal jurisdiction over the defendant to hear a case. Courts usually have personal jurisdiction over the people and organizations residing or doing business in their jurisdiction.

• Venue – venue refers to the court that will hear the employee’s case. The proper venue is the jurisdiction in which the defendant lives or does business, where the contract was signed or carried out, or the incident took place. More than one court can have jurisdiction over the case. The employee should pick the venue most convenient for her.

As I said above, most whistle-blower laws were written and are intended to protect public-sector employees who report violations affecting public health and safety. Proving public interest is easy for public-sector employees because their work involves public protection. It’s not as easy for private-sector employees. A goodly percentage of private-sector whistle-blowers lose their cases because the matters didn’t involve public policy. Whistle-blowers can improve their chances of success by preparing early and reading the whistle-blowing laws of their state of jurisdiction. The case law is also important because it shows the precedent already set by the courts. The better prepared the employee is, the less likely s/he will make avoidable mistakes. An evolving issue is the extent to which whistle-blowers must be certain of violations. Many laws already require the employee to state the specific law that was broken. Some courts require whistle-blowers to be certain of their allegations. Trends requiring certainty will make it increasingly difficult for whistle-blowers to receive protection.

As a final point. A goodly percentage of whistle-blowers fail to achieve protection each year because of their own improper conduct. Some of these whistle-blowers misused their employers’ property; some of them stole it. Employees must ensure their conduct is above scrutiny because some courts will apply the “doctrine of unclean hands” and bar whistle-blowers from protection, if they’ve engaged in misconduct directly related to their complaints. The doctrine of unclean hands can work against employers, just as it does employees. In Virginia not too long ago, a Medicaid provider submitted documents containing incorrect claims information to the court. The whistle-blower proved the information was false and won his case on those grounds alone. Thus, it’s important for employers and employees to comport themselves with integrity.

Whistle-blowers who commit unlawful acts to advance their cases don’t do well in court, but neither do whistle-blowers who refuse to commit unlawful acts on behalf of their employers. Most state whistle-blower laws are designed to protect employees that refuse to commit unlawful acts, but it can be difficult to receive even that protection.

All this by way of saying that the laws governing whistle-blower protection are many and varied. As fraud examiners and auditors it behooves us to be as familiar with these laws in the jurisdictions in which we practice as we reasonably can be. But always, when confronted with such cases, always consult counsel. As my father told me so long ago, the man or women who acts as their own attorney has a fool for a client.

Just Like Me

During a joint training seminar between our Chapter and the Virginia State Police held a number of years ago, I took the opportunity to ask the attendees (many of whom are practicing CFE’s) to name the most common fraud type they’d individually investigated in the past year. Turned out that one form or another of affinity fraud won hands down, at least here in Central Virginia.

This most common type of fraud targets specific sectors of society such as religious affiliates, the fraudster’s own relatives or acquaintances, retirees, racial groups, or professional organizations of which the fraudster is a member. Our Chapter members indicate that when a scammer ingratiates himself within a group and gains trust, an affinity fraud of some kind can almost always be expected to be the result.

Regulators and other law enforcement personnel typically attempt to identify instances of affinity fraud in order to prosecute the perpetrator and return the fraudulently obtained goods to the victims. However, affinity fraud tends to be an under reported crime since victims may be embarrassed that they so easily fell prey to the fraudster in the first place or they may remain connected to the offender because of emotional bonding and/or cultivated trust. Reluctance to report the crime also frequently stems from a misplaced belief that the fraudster is fundamentally a good guy or gal and will ultimately do the right thing and return any funds taken. In order to stop affinity fraud, regulators and law enforcement must obviously first be able to detect and identify the crime, caution potential investors, and prevent future frauds by taking appropriate legal actions against the perpetrators.

The poster boy for affinity fraud is, of course, Bernard Madoff. The Madoff tragedy is considered an affinity fraud because the vast majority of his clientele shared Madoff’s religion, Judaism. Over the years, Madoff’s list of victims grew to include prominent persons in the finance, retail and entertainment industries. This particular affinity fraud was unprecedented because it was perpetrated by Madoff over several decades, and his customers were defrauded of approximately twenty billion dollars. It can be debated whether the poor economy, lack of investor education, or ready access to diverse persons over the internet has led to an increase in affinity fraud but there can be no doubt that the internet makes it increasingly easy for fraudsters to pose as members of any community they target. And, it’s clear that affinity frauds have dramatically increased in recent years. In fact, affinity fraud has been identified by the ACFE as one of the top five investment schemes each year since 1998.

Affinity frauds assume different forms, e.g. information phishing expeditions, investment scams, or charity cons. However, most affinity frauds have a common element and entail a pyramid-type of Ponzi scheme. In these types of frauds, the offender uses new funds from fresh victims as payment to initial investors. This creates the illusion that the scam is profitable and additional victims would be wise to immediately invest. These types of scams inevitably collapse when it either becomes clear to investors or to law enforcement that the fraudster is not legitimate or that there are no more financial backers for the fraud. Although most fraud examiners may be familiar with the Madoff scandal, there are other large scale affinity frauds perpetrated across the United States almost on a daily basis that continue to shape how regulators and other law enforcement approach these frauds.

Perpetrators of affinity frauds work hard, sometime over whole years, to make their scams appealing to their targeted victims. Once the offenders have targeted a community or group, they seek out respected community leaders to vouch for them to potential investors. By having an esteemed figurehead who appears to be knowledgeable about the investment and endorses it, the offender creates legitimacy for the con. Additionally, others in the community are less likely to ask questions about a venture or investment if a community leader recommends or endorses the fraudster. In the Madoff case, Madoff himself was an esteemed member of the community. As a former chair of the National Association of Securities Dealers (NASD) and owner of a company ranked sixth largest market maker on the National Association of Securities Dealers Automated Quotations (NASDAQ), Madoff’s reputation in the financial services industry was impeccable and people were eager to invest with him.

The ACFE indicates that projection bias is yet another reason why affinity fraudsters are able to continually perpetrate these types of crimes. Psychological projection is a concept introduced by Sigmund Freud to explain the unconscious transference of a person’s own characteristics onto another person. The victims in affinity fraud cases project their own morals onto the fraudsters, presuming that the criminals are honest and trustworthy. However, the similarities are almost certainly the reason why the fraudster targeted the victims in the first place. In some cases when victims are interviewed after the fact, they indicate to law enforcement that they trusted the fraudster as if they were a family member because they believed that they shared the same value system.

Success of affinity fraud stems from the higher degree of trust and reliance associated with many of the groups targeted for such conduct. Because of the victim’s trust in the offender, the targeted persons are less likely to fully investigate the investment scheme presented to them. The underlying rationale of affinity fraud is that victims tend to be more trusting, and, thus, more likely to invest with individuals they have a connection with – family, religious, ethnic, social, or professional. Affinity frauds are often difficult to detect because of the tight-knit nature common to some groups targeted for these schemes. Victims of these frauds are less likely to inform appropriate law enforcement of their problems and the frauds tend to continue until an investor or outsider to the target group finally starts to ask questions.

Because victims in affinity frauds are less likely to question or go outside of the group for assistance, information or tips regarding the fraud may not ever reach regulators or law enforcement. In religious cases, there is often an unwritten rule that what happens in church stays there, with disputes handled by the church elders or the minister. Once the victims place their trust in the fraudster, they are less likely to believe they have been defrauded and also unlikely to investigate the con. Regulators and other law enforcement personnel can also learn from prior failures in identifying or stopping affinity frauds. Because the Madoff fraud is one of the largest frauds in history, many studies have been conducted to determine how this fraud could have been stopped sooner. In hindsight, there were numerous red flags that indicated Madoff’s activity was fraudulent; however, appropriate actions were not taken to halt the scheme. The United States Securities and Exchange Commission (SEC) received several complaints against Madoff as early as 1992, including several official complaints filed by Harry Markopolos, a former securities industry professional and fraud investigator. Every step of the way, Madoff appeared to use his charm and manipulative ways to explain away his dealings to the SEC inspection teams. The complaints were not properly investigated and subsequent to Madoff’s arrest, the SEC was the target of a great deal of criticism. The regulators obviously did not apply appropriate professional skepticism while doing their jobs and relied on Madoff’s reputation and representations rather than evidence to the contrary. In the wake of this scandal, regulatory reforms were deemed a priority by the SEC and other similar agencies.

Education is needed for the investing public and the regulators and law enforcement personnel alike to ensure that they all have the proper knowledge and tools to be able to understand, detect, stop, and prevent these types of frauds. This is where CFEs and forensic accountants are uniquely qualified to offer their communities much needed assistance. Affinity frauds are not easily anticipated by the victims. Madoff whistleblower Markopolos asserted that “nobody thinks one of their own is going to cheat them”. Affinity frauds will not be curtailed unless the public, we, the auditing and fraud examination communities, and regulators and other law enforcement personnel are all involved.

Private Company Employee Health

Our last post presented a short list of the chief fraud threats targeting government run health programs.  We thought it might be useful to practitioners to balance it with one on frauds directed at private company health insurance plans.  From one perspective, many of the schemes, as you’d expect, are similar; but there are significant differences. Losses due to fraud in both public and private health-care spending are notoriously difficult to estimate but amount to more than US $6o billion annually, according to a statement made by the then U.S. Attorney General  several years ago at a National Institutes of Health summit.  Like all fraud, by definition, health-care fraud involves deception or misrepresentation that results in an unauthorized benefit.  In the private sector, it increases the cost of providing benefits to employees company-wide, which in turn increases the overall cost of doing business, regardless of industry. And while only a slight percentage of health-care providers and consumers deliberately engage in fraud, that small percentage can raise the cost of doing business significantly. The increased costs appear in the form of higher premiums and out-of-pocket expenses or reduced benefits or coverage for employees and affect small businesses disproportionately.

But the news isn’t all bad.  The good news is that, especially with the rise of fraud prevention approaches based on data analytics, companies have more and more tools at their disposal to help combat this problem. Most important, perhaps, are the contributions our fraud examiner profession is making and the unique expertise we bring to fraud-fighting efforts. With the right approach and technology tools, fraud risk assessors can help identify control weaknesses that leave the organization susceptible to health-care fraud and track down potential indicators that such fraud may have occurred or is in progress. Working with management as well as with other assurance professionals and external parties, fraud examiners can help meet this challenge and even prevent it by applying well designed system edits that identify fraudulent insurance claims on the front end, preventing them from even being paid (pre-payment prevention as opposed to post-payment pay and chase).

Every fraud examiner and forensic accountant knows that access to the right information is critical to combating the ever mutating array of health-care frauds targeting both the private and governmental sectors. Asking the appropriate questions and carefully sifting through relevant data can reveal potentially fraudulent activity and shed light on abuses that otherwise may not be identified.

Much of the needed health-care information often resides with an organization’s health insurance provider or third-party claims administrators (TPAs); fraud examiners and company management should work cooperatively with these parties to obtain an understanding of the details. Specifically, employers should hold regular discussions with their providers or TPAs to collaborate on anti-fraud activities and to understand their provider’s approach to the problem. Providers, on their side, should share the details of their anti-fraud efforts with organizational management. They should also explain their, often proprietary, techniques used to detect fraud and abuse and provide specific examples of potential frauds recently identified.  Companies also have access to employee historical health claims databases through their insurance provider or their TPA. Analysis should be performed by these parties, and it generally should focus on identifying unusual patterns or trends as such findings could signal fraudulent activity in the claims data; the objective in doing so is to develop payment system edits targeting specific fraud schemes so that claims related to the schemes are prevented by the edits from paying the related health service claims.  Even if the data does not contain indicators of potential fraud schemes, fraud examiners should still recommend that it be mined continually to ferret out potential mistakes.

If it’s not already part of your client company’s regular human resource (HR) administration process, simply matching employee data with the TPA’s files could also shed light on potential problems. Some employees, for instance, may be in the wrong plan or have the wrong coverage. Moreover, former employees may still be listed as covered.  Which brings us to the big problem of dependent eligibility; I say ‘big’ because dependent eligibility is a costly issue for all employee health plans because providing costly health insurance coverage to the ineligible dependents of company employees can quickly prove a budget buster for enterprises of all sizes.

To determine a client’s risk of exposure to ineligible dependents, fraud risk assessors should start with an assessment of the controls built into the benefits enrollment process. If the organization doesn’t require proof of eligibility during the initial enrollment process, the risk of exposure increases. Risk also increases if proof is required upon initial enrollment but not thereafter, such as when covered children reach a certain age. Based on the level of risk identified, examiners, in conjunction with HR, can select one of several approaches to the next phase of their review.

–Low Risk: Offer employees an amnesty period. The organization should remind employees of the benefit plan requirements and let them know that a review of eligibility will be performed. They should be given a reasonable amount of time to adjust their coverage as necessary without any repercussions; sometimes this alone can result in a significant level of compliance.

–Medium Risk: Require eligibility certification. In addition to the steps associated with low risk, the organization should require employees to complete an affidavit that certifies all of their covered dependents are eligible under the benefit plan requirements.

–High Risk: Audit employee eligibility. The company’s internal audit function should perform a full eligibility audit after the organization completes the steps associated with low and medium risk situations.

As this blog and the ACFE have repeated over and over again, employee awareness can be the best fraud prevention tool available. Fraud Examiners working in every industry should learn more about health-care fraud scenarios and their effect on their client’s businesses and pursue opportunities to educate management on the cost drivers and the impact of fraud on their companies. If the organization’s compliance program includes employee training and distribution of periodic educational updates, this would be a logical medium into which to integrate employee awareness messaging. At a minimum, Fraud Examiners should be sure that any new employee orientation sessions cover basic healthcare benefits guidance:

–Don’t provide personal health coverage information to strangers. If the employee is uncertain why a third party is requesting certain personal information, they should be instructed to contact their company’s benefits administrator.

–Don’t loan an insurance card to anyone not listed on the card as a covered individual.

–Employees need to familiarize themselves with the conditions under which health coverage is being extended to them and to their dependents.

Given the complexities of health benefits administration, an organization almost cannot provide too much information to its employees about their coverage. Taking the guesswork out of the administration process can result in lower costs and happier employees in the long run.  Although many anticipated long-term benefits from U.S. health-care reforms contained in the Affordable Care Act, in the short term most employers were required to expand coverage offerings for employees and their dependents, thereby increasing costs. All of these factors point to an opportunity for health-care fraud to continue growing and, consequently, for Fraud Examiners and for fraud risk assessors to continue to play an important role in keeping this relentless source of monetary loss at bay.

Program Integrity Federalism

From time to time someone among our newer Chapter members working in the insurance industry reports confronting instances of Medicaid and Medicare fraud for the first time. I thought it might be helpful to present some of the more common health care fraud scenarios that beginning fraud examiners are likely to confront in actual practice in the governmental health care space.

Abuses of the Medicaid and Medicare programs exist in myriad shapes and sizes and continue to evolve constantly. While Medicaid and Medicare fraud, waste and abuse appear to be the most egregious program issues, incidental and accidental waste also threaten program integrity, including outright criminal exploitation of governmental health care payments. Altogether, the overpayment of Medicaid and Medicare dollars represents the largest portion of misused government money, accounting for 59 percent of the $102.2 billion the government improperly distributed among all its agencies in 2017 (ACFE). Issues involving these exorbitantly expensive improper payments can be attributed, in part, to the complexities of the programs themselves and to ever-changing policies among the various states.

It’s important for new anti-fraud practitioners to be aware that while Medicaid and Medicare are considered universal programs, each state is able to operate its own version of the programs autonomously and independent of any collective standard. This autonomy creates wide-ranging policy inconsistencies due to the differences among states, and, in many ways, embodies the ideals of American federalism. How states administer programs like Medicaid and Medicare is largely influenced by the bureaucratic style employed by the state legislature. These variations and inconsistencies can facilitate inaccuracies and misunderstandings in every aspect of both programs, from recipient eligibility, billing protocols, coding standards and licensure requirements. Doctors offering Medicaid or Medicare services are not easily able to transfer their practices from one state to another without first exploring expectations and requirements of the new state. These hard state boundaries create the potential for provider, beneficiary and administrative confusion, which ultimately equates to billions of program dollars misappropriated each year.

Beyond the innocent misappropriation of program dollars are the much more serious problems with the Medicaid and Medicare programs manifesting in the form of illicit and purposeful instances of fraud, waste and abuse perpetrated by recipients and providers. Medicaid and Medicare identity theft (instances of which have been recently investigated by one of our Chapter members) much like general identify theft, has continually resurfaced as a bane since the programs’ inception. It is estimated that three percent of $50 billion of the nation’s annual identity theft losses is associated with some type of medical identity theft. Because of their likelihood of being enrolled in government-facilitated insurance programs like Medicare or Medicaid, individuals aged 50 or older are most likely to fall victim to this type of identity theft. Fraudsters steal these identities to access services, such as prescriptions for drugs with high black-market value i.e. OxyContin, Fentanyl and Morphine, intended for legally enrolled, authorized recipients. Once the prescription is obtained, the thieves sell the drugs for cash or abuse them themselves.

A similar identity theft scheme involves the sale of durable medical equipment prescribed to recipients. By stealing a beneficiary’s Medicaid or Medicare number, the perpetrator can place orders for equipment i.e. slings or braces, all paid for through program dollars, and re-sell the goods online or via newspaper classifieds for cash.

Physicians participating in the Medicaid and Medicare programs also have access to a wide range of possible fraud, waste and abuse schemes. Double billing is a common provider fraud scheme that involves the submission of duplicate claims to Medicaid or Medicare in an attempt to receive double the amount of payment for services that were only provided once. Those physicians wise to the high detectability of billing duplicate claims to either program via simple data analysis will also often send one bill to a private insurance company and a duplicate bill to Medicaid or Medicare so that the duplication does not appear within one data set. Other fraud schemes include up-coding bills to Medicare or Medicaid to represent more complex, lengthy or in-depth procedures when a simpler or lower-level service was actually provided or performed.

Usually, complex procedures are paid at a higher dollar amount than their simpler counterparts, which leads providers to be paid more money than what they actually earned during the office visit or procedure. This fraud scheme takes advantage of small but specific variations in the current procedural terminology (CPT) coding system standardized for both Medicaid and Medicare coverage. Similar to up-coding is the fraudulent unbundling of CPT codes billed as individual entities that per regulation should be grouped together and billed under one umbrella code. Usually, the umbrella code pays a discounted rate for all the services combined. Each individual code gets paid an amount that, when totaled together, equals more than what the umbrella code pays.

Dishonest Medicaid and Medicare providers also bill for services that are not medically necessary. In this scheme, providers perform and bill for services and/or testing beyond what patient need requires. Under this scheme, hospital stays are lengthened, additional diagnostic testing is ordered, entitled hospice enrollment is invoked too early, and equipment and tools are wasted for beneficiaries who really require less care and fewer services. This fraud scheme not only wastes program dollars but also strains other areas of the general healthcare system by inducing and allowing individuals to linger, thus monopolizing unnecessary services and care that could be better applied to other more worthy beneficiaries. But please be aware, while Federal regulation does not contain a definition of medical necessity, states are granted authority to develop and apply medical necessity criteria as they see fit. Providing and billing for services beyond the required needs of the beneficiary may be intentional and/or fraudulent, but because of differing state criteria, instances where unnecessary services are provided and billed may also be simply accidental or well-intentioned.

Anti-fraud professionals of all kinds should also bear in mind that, while Medical identity theft, double billing, up-coding, unbundling and billing for services not medically necessary represent only a portion of the known problems and schemes that weaken the Medicaid and Medicare programs, there are many other types of program fraud, waste and abuse occurring on a daily basis that have yet to be discovered; in this area of practice, expect the unexpected. According to the ACFE, in the past 27 years the Federal government has recovered approximately $24 billion in settlements or judgments against individuals and organizations who committed both accidental and purposeful healthcare fraud, waste and abuse.

On a state level, another $15 billion has been recouped from criminal fines and civil settlements resulting from the prosecution of healthcare fraudsters. While the $39 billion in recovered overpayments from the last 27 years is only enough to cover a small percentage of one year’s total program costs, the amount of overpayment dollars recovered each year by the Federal and state governments is growing exponentially. On average only about $1.4 billion in overpayments was recovered during that time period. However, in 2016 alone, $3.1 billion in healthcare fraud judgments and settlements was recovered by the Federal government. As Medicaid and Medicare fraud, waste and abuse schemes and problems become more prevalent their financial toll increases. Federal and state governments are also detecting and reclaiming money back on a larger scale. This increase can be attributed to developments in policy created to prevent and identify fraud, increased investigative and program integrity funding, and technological improvements in fraud detection programs, databases and software; Certified Fraud Examiners (CFE’s) will increasingly find themselves at the forefront of the effort to strengthen health care program integrity at the Federal level and within each state.

Getting Out of Your Own Way

One of the most frequently requested topics for ACFE lead instruction concerns the art of fraud interviewing, one of the most complex and crucial disciplines of the many comprising the fraud examination process. And at the heart of the interviewing process lies communication. As we all know, communication is the process of effectively sending and receiving information, thoughts, and feelings. First and foremost, an effective interviewer is an effective communicator and being an effective communicator depends on building rapport. According to the ACFE, if you don’t establish rapport with a subject at the outset of the fraud interview, the possibilities of your spotting anything are very low. Rapport is the establishment of a connection between two individuals that is based on some level of trust and a belief in a relationship that is mutually beneficial to both parties.

The interviewer who thinks s/he will find a cooperative subject without making a connection with that individual is in for a disappointment. Rapport is determined by our attitude toward the subject. Just as we as interviewers use our powers of perception to “read” the subject, the subject reads us as well. If s/he senses condemnation, superiority, hostility, or deceit, you can expect little but superficial cooperation from any interaction. Besides, above all else, as the experts tell us, we are professionals. As professionals, personal judgments have no place in an interview setting. Our job is to gather information empirically, objectively, and without prejudice towards our subjects. Why do we identify with and speak more freely to some people? We are naturally drawn to those with whom we share similar characteristics and identities. Techniques and tools are important, but only to the extent that they complement our attitude toward the interview process. So, effective communication is not what we do – it’s who we are.

And along with rapport, the analysis of the quality of the interaction between both interview participants is critical to the communication process. An interview is a structured session, ideally between one interviewer and one subject, during which the interviewer seeks to obtain information from a subject about a particular matter. And just as we signal each other with voice pitch and body language patterns when we’re sad, angry, delighted, or bored, we also display distinct patterns when trying to deceive each other. Fortunately for those of us who interview others as part of our profession, if we learn to recognize these patterns, our jobs are made much simpler. Of course there is no single behavior pattern one can point to and say “Aha! This person is being deceptive!” What the professional can point to is change in behavior. Should a subject begin showing signs of stress as our questions angle in a certain direction, for example, we know we have hit an area of sensitivity that probably requires further exploration. If you interview people regularly, you probably already know that it is more likely for a subject to omit part of the story than actually lie to you. Omission is a much more innocuous form of deceit and causes less anxiety than fabricating a falsehood. So even more importantly than recognizing behavior associated with lying, the interviewer must fine tune her skills to also spot concealment patterns.

ACFE experts tell us that each party to a fraud interview may assume that they understand what the other person is conveying. However, the way we communicate and gather information is based in part on which of our senses is dominant. The three dominant senses, sight, hearing, and touch influence our perceptions and expressions more than most realize. A sight dominant subject may “see” what you are saying and tell you he wants to “clear” things up. An auditory dominant person may “hear” what your point is and respond that it “sounds” good to him. A touch dominant person may have a “grasp” of what you are trying to convey, but “feel uncomfortable” about discussing it further.

By analyzing a subject’s use of words, an interviewer can identify his or her dominant sense and choose her words to match. This helps strengthen the rapport between interviewer and subject, increasing the chances of a good flow of information. Essential, of course, to analyzing and identifying a subject’s dominant senses are good listening skills. Effective communication requires empathetic listening by the interviewer. Empathetic listening and analysis of the subject’s verbal and nonverbal communication allows us to both hear and see what the other person is attempting to communicate. It is the information that is not provided and that is concealed, that is most critical to our professional efforts.

By developing your listening abilities, practicing them with others with whom you communicate every day, the vast array and inexhaustible variations of the human vocabulary are bound to strike you. The most effective way to communicate is with clear, concise sentences that create no questions. However, the words we choose to use, and the way that we say them, are limited only by what is important to us. A subject, reluctant or cooperative, will speak volumes with what they say, and even more significantly, what they don’t say. Analysis of the latter often reveals more than the information the subject actually relates. For instance, the omission of personal pronouns could mean unwillingness on the part of the subject to identify himself with the action.

One final note of caution. If you ask the experts about the biggest impediment to an effective interview, they will probably give you a surprising answer. Most experienced interviewers will tell you that often the greatest impediment to a successful interview is the interviewer. Most interviewers use all of their energies observing and evaluating the subject’s responses without realizing how their own actions and attitudes can contaminate an interview. In fact, it is virtually impossible to conduct an interview without contaminating it to some extent. Every word used, the phrasing of a question, tone, body language, attire, the setting – all send signals to the subject. The effective interviewer, however, has learned to contaminate as little as possible. By retaining an objective demeanor, by asking questions which reveal little about what s/he already knows, by choosing a private setting and interviewing one subject at a time, s/he keeps the integrity of the interview intact to the best of her ability.

The Know It All

As fraud examiners intimately concerned with the general on-going state of health of fraud management and response systems, we find ourselves constantly looking at the integrity of the data that’s truly the life blood of today’s client organizations.  We’re constantly evaluating the network of anti-fraud controls we hope will help keep those pesky, uncontrolled, random data vulnerabilities to a minimum.   Every little bit of critical information that gets mishandled or falls through the cracks, every transaction that doesn’t get recorded, every anti-fraud policy or procedure that’s misapplied has some effect on the client’s overall fraud management picture. 

When it comes to managing its client, financial and payment data, almost every organization has a Pauline.  Pauline’s the person everyone goes to get the answers about data, and the state of the system(s) that process it, that no one else in her unit ever seems to have.  That’s because Pauline is an exceptional employee with years of detailed hands-on-experience in daily financial system operations and maintenance.  Pauline is also an example of the extraordinary level of dependence that many organizations have today on a small handful of their key employees.   The great recession of past memory where enterprises relied on retaining the experienced employees they had rather than on traditional hiring and cross-training practices only exacerbated a still existing, ever growing trend.  The very real threat to the fraud management system that the Pauline’s of the corporate data world pose is not so much that they will commit fraud themselves (although that’s an ever present possibility) but that they will retire or get another job out of state, taking their vital knowledge of the company systems and data with them. 

The day after Pauline’s retirement party and, to an increasing degree thereafter, it will dawn on  Pauline’s unit management that it’s lost a large amount of valuable information about the true state of its data and financial processing system(s), of its total lack of a large amount of system critical data documentation that’s been carried around nowhere but in Jane’s head.  The point is that, for some organizations, their reliance on a few key employees for day to day, operationally related information on their data goes well beyond what’s appropriate and constitutes an unacceptable level of risk to their fraud prevention system.  Today’s newspapers and the internet are full of stories about data breeches, only reinforcing the importance of vulnerable data and of its documentation to the on-going operational viability of our client organizations. 

Anyone whose investigated frauds involving large scale financial systems (insurance claims, bank records, client payment information) is painfully aware that when the composition of data changes (field definitions or content) surprisingly little of that change related information is ever formally documented.  Most of the information is stored in the heads of some key employees, and those key employees aren’t necessarily the ones involved in everyday, routine data management projects.  There’s always a significant level of detail that’s gone undocumented, left out or to chance, and it becomes up to the analyst of the data (be s/he an auditor, a management scientist, a fraud examiner or other assurance professional) to find the anomalies and question them.  The anomalies might be in the form of missing data, changes in data field definitions, or change in the content of the fields; the possibilities are endless.  Without proper, formal documentation, the immediate or future significance of these types of anomalies for the fraud management systems and for the overall fraud risk assessment process itself become almost impossible to determine.   

If our auditor or fraud examiner, operating under today’s typical budget or time constraints,  is not very thorough and misses even finding some of these anomalies, they can end up never being addressed.   How many times as an analyst have you tried to explain something (like apparently duplicate transactions) about the financial system that just doesn’t look right only to be told, “Oh, yeah.  Pauline made that change back in February before she retired; we don’t have too many details on it.”  In other words, undocumented changes to transactions and data, details of which are now only existent in Pauline’s head.  When a data driven system is built on incomplete information, the system can be said to have failed in its role as a component of overall fraud management.  The cycle of incomplete information gets propagated to future decisions, and the cost of the missing or inadequately explained data can be high.  What can’t be seen, can’t ever be managed or even explained. 

It’s truly humbling for any practitioner to experience how much critical financial information resides in the fading (or absent) memories of past or present key employees.  As fraud examiners we should attempt to foster a culture among our clients supportive of the development of concurrent transaction related documentation and the sharing of knowledge on a consistent basis for all systems but especially in matters involving changes to critical financial systems.  One nice benefit of this approach, which I brought to the attention of one of my clients not too long ago, would be to free up the time of one of these key employees to work on more productive fraud control projects rather than constantly serving as the encyclopedia for the rest of the operational staff.