Category Archives: Financial Fraud

Loose Ends

A forensic accountant colleague of mine often refers to “loose-ends”. In his telling, loose-ends are elements of an investigation that get over-looked or insufficiently investigated which have the power to come back and bite an examiner with ill effect. That a small anomaly may be a sign of fraud is a fact that is no surprise to any seasoned investigator. Since fraud is typically hidden, the discovery of fraud usually is unlikely, at least at the beginning, to involve a huge revelation.

The typical audit does not presume that those the auditor examiners and the documents s/he reviews have something sinister about them. The overwhelming majority of audits are conducted in companies in which material fraud does not exist. However, the auditor maintains constant awareness that material fraud could be present.

Imagine a policewoman walking down a dark alley into which she knows a suspect has entered just before her. She doesn’t know where the suspect is, but as she walks down that alley, she is acutely aware of and attuned to her surroundings. Her senses are at their highest level. She knows beyond the shadow of a doubt that danger lurks nearby.

Fraud audits (and audits in general) aren’t like that. Fraud audits are more like walking through a busy mall and watching normal people go about their daily activities. In the back of the examiner’s mind, he knows that among all the shoppers are a few, a very few, shoplifters. They look just like everyone else. The examiner knows they are there because statistical studies and past experience have shown that they are, but he doesn’t know exactly where or who they are or when he will encounter them, if at all. If he were engaged to find them, he would have to design procedures to increase the likelihood of discovery without in any way annoying the substantial majority of honest shoppers in whose midst they swim.

A fraud risk assessment evaluates areas of potential fraud to determine whether the current control structure and environment are addressing fraud risk at a level that aligns with the organization’s risk appetite and risk tolerance. Therefore, it is important during the development and implementation of the risk management program to specifically address various fraud schemes to establish the correct levels of control.

It occurred to me a while back that a fraud risk assessment can of thought of as ignoring a loose-end if it fails to include sufficient consideration of the client organization’s ethical dimension. That the ethical dimension is not typically included as a matter of course in the routine fraud risk assessment constitutes, to my mind, a lost opportunity to conduct a fuller, and potentially, a more useful assessment. As part of their assessments, today’s practitioners can potentially use surveys, Control Self-Assessment sessions, focus groups, and workshops with employees to take the organization’s ethical temperature and determine its ethical baseline. Under this expanded model, the most successful fraud risk assessment would include small brainstorming sessions with the operational management of the business process(s) under review. Facilitated by a Certified Fraud Examiner (CFE), these assessments would look at typical fraud schemes encountered in various areas of the organization and identify the internal controls designed to mitigate each of them. At a high level, this analysis examines internal controls and the internal control environment, as well as resources available to prevent, detect, and deter fraud.

Fraud risk assessments emphasize possible collusion and management overrides to circumvent internal controls. Although an internal control might be in place to prevent fraudulent activity, the analysis must consider how this control could be circumvented, manipulated, or avoided. This evaluation can help the CFE understand the actual robustness and resilience of the control and of the control environment and estimate the potential risk to the organization.

One challenge at this point in the process is ensuring that the analysis assesses not just roles, but also those specific individuals who are responsible for the controls. Sometimes employees will feel uncomfortable contemplating a fellow employee or manager perpetrating fraud. This is where an outside fraud expert like the CFE can help facilitate the discussion and ensure that nothing is left off the table. To ask and get the answers to the right questions, the CFE facilitator should help the respondents keep in mind that:

o Fraud entails intentional misconduct designed to avoid detection.
o Risk assessments identify where fraud might occur and who the potential perpetrator(s) might be.
o Persons inside and outside of the organization could perpetrate such schemes.
o Fraud perpetrators typically exploit weaknesses in the system of controls or may override or circumvent controls.
o Fraud perpetrators typically find ways to hide the fraud from detection.

It’s important to evaluate whether the organization’s culture promotes ethical or unethical decision-making. Unfortunately, many organizations have established policies and procedures to comply with various regulations and guidelines without committing to promoting a culture of ethical behavior. Simply having a code of conduct or an ethics policy is not enough. What matters is how employees act when confronted with an ethical choice; this is referred to by the ACFE as measuring the organization’s ethical baseline.

Organizations can determine their ethical baseline by periodically conducting either CFE moderated Control Self-Assessment sessions including employees from high-risk business processes, through an online survey of employees from various areas and levels within the organization, or through workshop-based surveys using a balloting tool that can keep responses anonymous. The broader the survey population, the more insightful the results will be. For optimal results, surveys should be short and direct, with no more than 15 to 20 questions that should only take a few minutes for most employees to answer. An important aspect of conducting this survey is ensuring the anonymity of participants, so that their answers are not influenced by peer pressure or fear of retaliation. The survey can ask respondents to rate questions or statements on a scale, ranging from 1—Strongly Disagree to 5—Strongly Agree. Sample statements might include:

1. Our organizational culture is trust-based.
2. Missing approvals are not a big deal here.
3. Strong personalities dominate most departments.
4. Pressure to perform outweighs ethical behavior.
5. I share my passwords with my co-workers.
6. Retaliation will not be accepted here.
7. The saying “Don’t rock the boat!” fits this organization.
8. I am encouraged to speak up whenever needed.
9. Ethical behavior is a top priority of management.
10.I know where I can go if I need to report a potential issue of misconduct.

The ethical baseline should not be totally measured on a point system, nor should the organization be graded based on the survey results. The results should simply be an indicator of the organization’s ethical environment and a tool to identify potential areas of concern. If repeated over time, the baseline can help identify both positive and negative trends. The results of the ethical baseline survey should be discussed by the CFE with management as part of a broader fraud risk assessment project. This is especially important if there are areas with a lack of consensus among the survey respondents. For example, if the answer to a question is split down the middle between strongly agree and strongly disagree, this should be discussed to identify the root cause of the variance. Most questions should be worded to either show strong ethical behaviors or to raise red flags of potential unethical issues or inability to report such issues promptly to the correct level in the organization.

In summary, the additional value created by combining of the results of the traditional fraud risk assessment with an ethical baseline assessment can help CFEs better determine areas of risk and control that should be considered in building the fraud prevention and response plans. For example, fraud risk schemes that are heavily dependent on controls that can be easily overridden by management may require more frequent assurance from prevention professionals than those schemes that are mitigated by system-based controls. And an organization with a weak ethical baseline may require more frequent assessment of detective control procedures than one with a strong ethical baseline, which might rely on broader entity-level controls. By adding ethical climate evaluation to their standard fraud risk assessment procedures, CFEs can tie up what otherwise might be a major loose-end in their risk evaluation.

When You Assume

by Rumbi Petrozzello
2018 Vice President – Central Virginia ACFE Chapter

On November 8, 2007, in the small town of Constantine, Michigan, 11-year-old Jodi Parrack was reported missing. Residents from the surrounding region volunteered to search for the missing girl, including Ray McCann, a police reservist. During the search, Ray suggested to Jodi’s mother, Valerie, that they should search for Jodi in the local cemetery. Valerie and Ray did so and, tragically, found her daughter there; she had been murdered.

Almost immediately, Ray came under suspicion. His reaction to Jodi’s death appeared to some of the investigators to be suspicious and why had he suggested that he and Valerie go to the cemetery, of all places, to look for Jodi? Then, during their subsequent investigation, the police found Jodi’s DNA on Ray’s body; according to Ray this was because he had pulled Valerie away from Jodi when he and her mother discovered the child’s body.

For years, Ray was under suspicion. He was brought in for questioning by the police on multiple occasions, and his answers, as far as the police were concerned, were not particularly convincing. He claimed to have been in one place and the police said that there was proof that he was not there. Seven years after Jodi’s murder, Ray was arrested and charged with perjury, related to the answers he had originally given the police; this seems to have been a tactic the police employed to hold him while they continued to try to gather enough evidence to charge him with Jodi’s murder.

While Ray was being held and facing from two to twenty years behind bars, another girl was attacked; she fought back, escaped and led the police to another man, Daniel Furlong. It turned out that Furlong’s DNA had been found on Jodi’s body during the original investigation as well as Ray’s and yet, the police had persisted in focusing solely on Ray. It was also revealed that the authorities were not honest when they told Ray that they possessed evidence Ray was lying. All the police really had was a deeply held conviction that Ray was being deceptive, leading to their determination to somehow develop evidence to validate that feeling.

By the time Ray was released after spending 20 wasted months of his life behind bars, he had lost his job, his family and the trust of the community in which he lived and which he had hoped someday to serve.

As Fraud Examiners and/or Forensic Accountants, we are engaged to investigate alleged wrongdoing and to follow up on leads as we work to resolve often confusing and contradictory matters. As we seek evidence, interview people and try to figure out what happened and who did what, it can be all too easy to make the mistake of viewing a red flag as somehow constituting proof. If someone giggles when they’re telling you they know nothing; if a person taps her foot throughout an interview, or if someone is extremely helpful, none of those things in themselves means anything definitive in resolving the question as to whether or not they have done anything wrong, let alone illegal.

Professional skepticism is a CFE’s tendency not to believe or take anyone’s assertions at face value, a mental tendency to ask every assertion to “prove it” (with evidence). The inevitable occurrence of confusion, errors and deception in all situations involving actual or suspected fraud dictates this basic aspect of professional skepticism. Persuading a skeptical CFE or forensic accountant is not impossible, just somewhat more difficult than persuading a normal person in an everyday context. Our skepticism protects the Ray McCann’s of this world because it’s a manifestation of objectivity, holding no special concern for preconceived conclusions on any side of an issue. Skepticism is not an attitude of being cynical, hypercritical, or scornful. The properly skeptical investigator asks these questions (1) What do I need to know? (2) How well do I know it? (3) Does it make sense?

Professional skepticism should lead investigators to appropriate inquiry about every clue involving seeming wrong doing. Clues should lead to thinking about the evidence needed, wringing out all the implications from the evidence, then arriving at the most suitable and supportable explanation. Time pressure to complete an investigation is no excuse for failing to exercise professional skepticism and bias and prejudice are always unacceptable. Too many investigators (including auditors) have gotten themselves into trouble by accepting some respondent’s glib assertion and stopping too early in an investigation without seeking facts supportive of alternative explanations.

A red flag means only that further investigation is warranted; it definitely does not mean that the examiner should shut down all other avenues of investigation and it certainly does not mean that an attempt should ever be made to make the crime fit the person. In the sad case of Ray McCann, the police continued to pursue him to the exclusion of all others even though they had found someone else’s DNA on Jodi’s body. They never appeared to be even looking for any other suspect. Even when Daniel Furlong subsequently confessed to murdering Jodi, the local authorities still persisted in implying that Ray was somehow connected to the crime; in the face of all contradictory evidence, the police still stubbornly refused to let go of their original hypothesis.

As we pursue our work as forensic accountants and fraud examiners, we should be constantly reviewing our hypotheses and assessing our approaches.

• Are we trying to make evidence fit the facts as we initially suppose them to be?
• Are we ignoring evidence because it does not fit the story we’re trying to tell?
• Are we letting a particular person’s behavior cloud a more objective judgment of the totality of what’s going on?

Often, even after a person has been cleared of suspicion in a case, we hear parties involved in the investigation make statements along the lines of, “I just know they are good for something.” Fortunately, our practice is not founded on feelings and gut instincts; our practice, and profession, is one that relies on evidence. As you’re investigating a matter, keep in mind:

• Following your defined process and procedure throughout is paramount to investigative success. Even if someone or some aspect of a case looks totally transparent within the context of the investigation, be thorough and follow your evidence all the way through.

• If your findings do not support your original premise, don’t try to force things. Step back and ask yourself why this is the case. Ask yourself if you need to reconsider your foundational hypothesis.

• Beware of confirmation bias – that is be careful that you are not looking only for data that reinforces the conclusion(s) that you have already reached (and, in so doing, ignoring anything that might prove contradictory).

• Even if your team is determined to work the assignment in a particular direction, make sure you speak up and let them know about any reservations you might have. You may not have the popular position, but you may end up expressing the critical position if it turns out that there is other evidence in light of which the conclusions the team has made need to be adjusted.

In summary, when you feel it in your gut and you are absolutely sure that you are right about a hypothesis, it’s very difficult to look beyond your conviction and to see or even consider other options. It’s vital that you do so since, as the ACFE has pointed out so many times, there is a hefty price to be paid professionally for ignoring evidence which eventually proves to be critical simply because it appears not to corroborate your case. Due professional care requires a disposition to question all material assertions made by all respondents involved in the case whether oral or written. This attitude must be balanced with an open mind about the integrity of all concerned. We CFEs should neither blindly assume that everyone is dishonest nor thoughtlessly assume that those involved in our investigations are not ethically challenged. The key lies in the examiner’s attitude toward gathering the evidence necessary to reach reasonable and supportable investigative decisions.

Using Control to Foster a Culture of Honesty

One of the most frequent questions we seem to receive as practicing CFEs from clients and corporate counsel alike regards the proactive steps management can take to create what’s commonly designated a ‘culture of honesty’. What kinds of programs and controls can an entity implement to create such a culture and to prevent fraud?

The potential of being caught most often persuades likely perpetrators not to commit a contemplated fraud. As the ACFE has long told us, because of this principle, the existence of a thorough control system is essential to any effective program of fraud prevention and constitutes one of the most vital underpinnings of an honest culture.

Corporations and other organizations can be held liable for criminal acts committed as a matter of organizational policy. Fortunately, most organizations do not expressly set out to break the law. However, corporations and other organizations may also be held liable for the criminal acts of their employees if those acts are perpetrated in the course and scope of their employment and for the ostensible purpose of benefiting the corporation. An employee’s acts are considered to be in the course and scope of employment if the employee has actual authority or apparent authority to engage in those acts. Apparent authority means that a third party would reasonably believe the employee is authorized to perform the act on behalf of the company. Therefore, an organization could be held liable for something an employee does on behalf of the organization even if the employee is not authorized to perform that act.

An organization will not be vicariously liable for the acts of an employee unless the employee acted for the ostensible purpose of benefiting the corporation. This does not mean the corporation has to receive an actual benefit from the illegal acts of its employee. All that is required is that the employee intended to benefit the corporation. A company cannot seek to avoid vicarious liability for the acts of its employees by simply claiming that it did not know what was going on. Legally speaking, an organization is deemed to have knowledge of all facts known by its officers and employees. That is, if a prosecutor can prove that an officer or employee knew of conduct that raised a question as to the company’s liability, and the prosecutor can show that the company willfully failed to act to correct the situation, then the company may be held liable, even if senior management had no knowledge or suspicion of the wrongdoing.

In addition, the evolving legal principle of ‘conscious avoidance’ allows the government to prove the employer had knowledge of a particular fact which establishes liability by showing that the employer knew there was a high probability the fact existed and consciously avoided confirming the fact. Employers cannot simply turn a blind eye when there is reason to believe that there may be criminal conduct within the organization. If steps are not taken to deter the activity, the company itself may be found liable. The corporation can be held criminally responsible even if those in management had no knowledge of participation in the underlying criminal events and even if there were specific policies or instructions prohibiting the activity undertaken by the employee(s). The acts of any employee, from the lowest clerk on up to the CEO, can impute liability upon a corporation. In fact, a corporation can be criminally responsible for the collective knowledge of several of its employees even if no single employee intended to commit an offense. Thus, the combination of vicarious or imputed corporate criminal liability and the current U.S. Sentencing Guidelines for Organizations can create a risk for corporations today.

Although many of our client companies do not realize it, the current legal environment imposes a responsibility on companies to ferret out employee misconduct and to deal with any known or suspected instances of misconduct by taking timely and decisive measures.

First, the doctrine of accountability suggests that officers and directors aware of potentially illegal conduct by senior employees may be liable for any recurrence of similar misconduct and may have an obligation to halt and cure any continuing effects of the initial misconduct.

Second, the Corporate Sentencing Guidelines, provide stiff penalties for corporations that fail to take voluntary action to redress apparent misconduct by senior employees.

Third, the Private Litigation Securities Reform Act requires, as a matter of statute, that independent auditors look for, and assess, management’s response to indications of fraud or other potential illegality. Where the corporation does not have a history of responding to indications of wrongdoing, the auditors may not be able to reach a conclusion that the company took appropriate and prompt action in response to indications of fraud.

Fourth, courts have held that a director’s duty of care includes a duty to attempt in good faith to assure corporate information and reporting systems exist. These systems must be reasonably designed to provide senior management and the board of directors timely, accurate information which would permit them to reach informed judgments concerning the corporation’s compliance with law and its business performance. In addition, courts have also stated that the failure to create an adequate compliance system, under some circumstances, could render a director liable for losses caused by non-compliance with applicable legal standards. Therefore, directors should make sure that their companies have a corporate compliance plan in place to detect misconduct and deal with it effectively. The directors should then monitor the company’s adherence to the compliance program. Doing so will help the corporation avoid fines under the Sentencing Guidelines and help prevent individual liability on the part of the directors and officers.

The control environment sets the moral tone of an organization, influencing the control consciousness of the organization and providing a foundation for all other control components. This component considers whether managers and employees within the organization exhibit integrity in their activities. COSO envisions that upper management will be responsible for the control environment of organizations. Employees look to management for guidance in most business affairs, and organizational ethics are no different. It is important for upper management to operate in an ethical manner, and it is equally important for employees to view management in a positive light. Managers must set an appropriate moral tone for the operations of an organization.

In addition to merely setting a good example, however, COSO suggests that upper management take direct control of an organization’s efforts at internal controls. This idea should be regularly reinforced within the organization. There are several actions that management can take to establish the proper control environment for an organization and foster a culture of honesty. These include:

–The establishment of a code of ethics for the organization. The code should be disseminated to all employees and every new employee should be required to read and sign it. The code should also be disseminated to contractors who do work on behalf of the organization. Under certain circumstances, companies may face liability due to the actions of independent contractors. It is therefore very important to explain the organization’s standards to any outside party with whom the organization conducts business.

–Careful screening of job applicants. One of the easiest ways to establish a strong moral tone for an organization is to hire morally sound employees. Too often, the hiring process is conducted in a slipshod manner. Organizations should conduct thorough background checks on all new employees, especially managers. In addition, it is important to conduct thorough interviews with applicants to ensure that they have adequate skills to perform the duties that will be required of them.

–Proper assignment of authority and responsibility. In addition to hiring qualified, ethical employees, it is important to put these people in situations where they are able to thrive without resorting to unethical conduct. Organizations should provide employees with well-defined job descriptions and performance goals. Performance goals should be routinely reviewed to ensure that they do not set unrealistic standards. Training should be provided on a consistent basis to ensure that employees maintain the skills to perform effectively. Regular training on ethics will also help employees identify potential trouble spots and avoid getting caught in compromising situations. Finally, management should quickly determine where deficiencies in an employee’s conduct exist and work with the employee to fix the problem.

–Effective disciplinary measures. No control environment will be effective unless there is consistent discipline for ethical violations. Consistent discipline requires a well-defined set of sanctions for violations, and strict adherence to the prescribed disciplinary measures. If one employee is punished for an act and another employee is not punished for a similar act, the moral force of the company’s ethics policy will be diminished. The levels of discipline must be sufficient to deter violations. It may also be advisable to reward ethical conduct. This will reinforce the importance of organizational ethics in the eyes of employees.

Monitoring is the process that assesses the quality of a control environment over time. This component should include regular evaluations of the entire control system. It also requires the ongoing monitoring of day-to-day activities by managers and employees. This may involve reviewing the accuracy of financial information, or verifying inventories, supplies, equipment and other organization assets. Finally, organizations should conduct independent evaluations of their internal control systems. An effective monitoring system should provide for the free flow of upstream communication.

The Healthcare Fraud Circus

The trade press indicates that healthcare expenditures are again on the rise while the ACFE tells us that approximately $25 million dollars per hour is stolen, wasted or abused in the provision of healthcare services in the US alone. Not surprisingly, our Chapter members, CFEs and forensic accountants, employed by both governmental and private institutions, are being increasingly called upon to grapple with the fallout.

The Centers for Medicare and Medicaid Services (CMS) defines healthcare fraud as the intentional deception or misrepresentation that an individual knows, or should know, to be false, or does not believe to be true, and makes, knowing the deception could result in some unauthorized benefit to himself or some other person(s). The Health Insurance Portability and Accountability Act (HIPAA) is more specific, defining the term federal healthcare offense as “a violation of, or a criminal conspiracy to violate” specific provisions of the U.S. Code, “if the violation or conspiracy relates to a health care benefit program” 18 U.S.C. § 24(a).

The statute goes on to define a health care benefit program as any public or private plan or contract, affecting commerce, under which any medical benefit, item, or service is provided to any individual, and includes any individual or entity who is providing a medical benefit, item, or service for which payment may be made under the plan or contract. Finally, health care fraud is defined as knowingly and willfully executing a scheme to defraud a healthcare benefit program or obtaining, by means of false or fraudulent pretenses, representations, or promises, any of the money or property owned by. . . any healthcare benefit program. HIPAA establishes specific criminal sanctions for offenses against both private and public health insurance programs. These offenses are consistent with the common definitions of fraud in that they involve false statements, misrepresentations, or deliberate omissions that are critical to the determination of benefits payable and which may obstruct fraud investigations.

Practitioners new to fraud examination and forensic accounting in the healthcare arena need to develop a familiarity with the players involved in the provision of and payment for healthcare services if they are to effectively investigate identified instances of fraud, waste, and abuse in this ever-expanding sector of the economy.

Healthcare fraud differs from healthcare abuse. CMS says that abuse refers to incidents or practices that are not consistent with the standard of medical care (in other words, with substandard care)

–Unnecessary costs to a program, caused either directly or indirectly;
–Improper payment or payment for services that fail to meet professional standards;
–Medically unnecessary services;
–Substandard quality of care (e.g., in nursing homes);
–Failure to meet coverage requirements.

Healthcare fraud, in comparison, typically takes one or more of the following forms:

–False statements or claims;
–Elaborate schemes;
–Cover-up strategies;
–Misrepresentations of value;
–Misrepresentations of service.

It’s important to appreciate that healthcare is a dynamic and segmented market among parties that deliver or facilitate the delivery of health information, healthcare resources, and the financial transactions that underly and support the functioning of all the many components of the total business process. To fully appreciate what healthcare fraud looks like, it’s important to understand traditional and nontraditional players. The patient is the individual who actually receives a healthcare service. The provider is an individual or entity that delivers or executes the healthcare service. The payer is the entity that processes the financial transaction. The plan sponsor is the party that funds the transaction. Plan sponsors include private self-insurance programs, employer-based premium programs, and government programs such as Medicare and Medicaid. A vendor is any entity that provides a professional service or materials used in the delivery of patient care. Complicating matters is that each one of these player entities has a distinct perspective and point of view of the overall process which can differ significantly from that of each of the others.

So, what does healthcare fraud look like from the individual patient’s perspective? The patient may submit a false claim with no participation from any other party. The patient may exaggerate a workers’ compensation claim or allege that an injury took place at work when in fact it occurred outside of work. The patient may participate in collusive fraudulent behavior with other parties. A second party may be a physician who fabricates a service for liability compensation. The patient may be involved in an established crime ring that involves extensive collusive behavior, such as staging an auto accident. The schemes typically repeat themselves as well as constantly evolve in the creativity they demonstrate.

And from the provider’s perspective? The fraud schemes can vary from simple false claims to complex financial arrangements. The traditional scheme of submitting false claims for services not rendered has always been and continues to be a problem. Other maneuvers, such as submitting duplicate claims or not acknowledging duplicate payments, are issues as well.

Some schemes manifest great complexity and sophistication in their understanding of payer systems. One example is the rent-a-patient scheme where criminals pay “recruiters” to organize and recruit beneficiaries to visit clinics owned or operated by the criminals. For a fee, recruiters “rent,” or “broker,” the beneficiaries to the criminals. Recruiters often enlist beneficiaries at low-income housing projects, retirement communities, or employment settings of low-income wage earners. Detecting complicated misrepresentations that involve contractual arrangements with third parties or cost report manipulations submitted to government programs requires a niche expertise for identification representing an opportunity for anti-fraud practitioners expert in data mining.

And from the payer’s perspective? The fraud schemes perpetrated by this group tend to be pursued mostly in response to transactions between the payer and a government plan sponsor. They include misrepresentations of performance guarantees, not answering beneficiary questions on claims status, bad-faith claim transactions, and financial transactions that are not contractually based. Other fraudulent activities include altering or reassigning the diagnosis or procedure codes submitted by the provider. Auditing payer activities also requires a niche expertise involving operational as well as contractual issues.

Healthcare fraud schemes perpetrated by employers include underreporting the number of employees, employee classifications, and payroll information; failing to pay insurance premiums, which results in no coverage; creating infrastructures that make employees pay for coverage via payroll deductions; engaging in management activities that discourage employees from seeking medical treatment; and referring employees to a medical facility and in turn receiving compensation for the referrals.

Vendor perpetrated schemes furnishes numerous examples involving a range of participants, from professional healthcare subcontractors to suppliers of equipment, products, services, and pharmaceuticals. These schemes include false claims, claims for altered products, counterfeit medications, and services from unlicensed professionals. They include collusive behavior among several entities as well as between individual professionals.

In summary, the take away for anti-fraud professionals is that Healthcare fraud is growing at an accelerated rate in the United States. Traditional schemes include false claim submissions, care that lacks medical necessity, controlled substance abuse, upcoding (billing for more expensive procedures), employee-plan fraud, staged-accident rings, waiver of copayments and deductibles, billing experimental treatments as nonexperimental ones, agent-broker fraud relationships, premium fraud, bad-faith claim payment activities, quackery; overutilization (rendering more services than are necessary), and kickbacks. Evolved schemes include complex rent-a-patient activities, 340 B program abuse activities (setting aside discounted drugs, making them unavailable to those in need), pill-mill schemes (schemes to falsely bill prescriptions), counterfeit drug activities, and organized criminal schemes.

CFEs and forensic accountants have a significant role in combating all of this. The good news is that much information is available to guide practitioners from both governmental and private sources.

Concealment Strategies & Fraud Scenarios

I remember Joseph Wells mentioning at an ACFE conference years ago that identifying the specific asset concealment strategy selected by a fraudster was often key to the investigator’s subsequent understanding of the entire fraud scenario the fraudster had chosen to implement. What Joe meant was that a fraud scenario is the unique way the inherent fraud scheme has occurred (or can occur) at an examined entity; therefore, a fraud scenario describes how an inherent fraud risk will occur under specific circumstances. Upon identification, a specific fraud scenario, and its associated concealment strategy, become the basis for fraud risk assessment and for the examiner’s subsequent fraud examination program.

Fraud concealment involves the strategies used by the perpetrator of the fraud scenario to conceal the true intent of his or her transaction(s). Common concealment strategies include false documents, false representations, false approvals, avoiding or circumventing control levels, internal control evasion, blocking access to information, enhancing the effects of geographic distance between documents and controls, and the application of both real and perceived pressure. Wells also pointed out that an important aspect of fraud concealment pertains to the level of sophistication demonstrated by the perpetrator; the connection between concealment strategies and fraud scenarios is essential in any discussion of fraud risk structure.

As an example, consider a rights of return fraud scenario related to ordered merchandise. Most industries allow customers to return products for any number of reasons. Rights of return refers to circumstances, whether as a matter of contract or of existing practice, under which a product may be returned after its sale either in exchange for a cash refund, or for a credit applied to amounts owed or to be owed for other products, or in exchange for other products. GAAP allows companies to recognize revenue in certain cases, even though the customer may have a right of return. When customers are given a right of return, revenue may be recognized at the time of sale if the sales price is substantially fixed or determinable at the date of sale, the buyer has paid or is obligated to pay the seller, the obligation to pay is not contingent on resale of the product, the buyer’s obligation to the seller does not change in the event of theft or physical destruction or damage of the product, the buyer acquiring the product for resale is economically separate from the seller, the seller does not have significant obligations for future performance or to bring about resale of the product by the buyer, and the amount of future returns can be reasonably estimated.

Sales revenue not recognizable at the time of sale is recognized either once the return privilege has substantially expired or if the conditions have been subsequently met. Companies sometimes stray by establishing accounting policies or sales agreements that grant customers vague or liberal rights of returns, refunds, or exchanges; that fail to fix the sales price; or that make payment contingent upon resale of the product, receipt of funding from a lender, or some other future event. Payment terms that extend over a substantial portion of the period in which the customer is expected to use or market the purchased products may also create problems. These terms effectively create consignment arrangements, because, no economic risk has been transferred to the purchaser.

Frauds in connection with rights of return typically involve concealment of the existence of the right, either by contract or arising from accepted practice, and/or departure from GAAP specified conditions. Concealment usually takes one or more of the following forms:

• Use of side letters: created and maintained separate and apart from the sales contract, that provide the buyer with a right of return;

• Obligations by oral promise or some other form of understanding between seller and buyer that is honored as a customary practice but arranged covertly and hidden;

• Misrepresentations designed to mischaracterize the nature of arrangements, particularly in respect of:

–Consignment arrangements made to appear to be final sales;

–Concealment of contingencies, under which the buyer can return the products, including failure to resell the products, trial periods, and product performance conditions;

–Failure to disclose the existence, or extent, of stock rotation rights, price protection concessions, or annual returned-goods limitations;

–Arrangement of transactions, with straw counterparties, agents, related parties, or other special purpose entities in which the true nature of the arrangements is concealed or obscured, but, ultimately, the counterparty does not actually have any significant economic risk in the “sale”.

Sometimes the purchaser is complicit in the act of concealment, for example, by negotiating a side letter, and this makes detection of the fraud even more difficult. Further, such frauds often involve collusion among several individuals within an organization, such as salespersons, their supervisors, and possibly both marketing and financial managers.

It’s easy to see that once a CFE has identified one or more of these concealment strategies as operative in a given entity, the process of developing a descriptive fraud scenario, completing a related risk assessment and constructing a fraud examination program will be a relatively straight forward process. As a working example, of a senario and related concealment strategies …

Over two decades ago the SEC charged a major computer equipment manufacturer with overstating revenue in the amount of $500,000 on transactions for which products had been shipped, but for which, at the time of shipment, the company had no reasonable expectation that the customer would accept and pay for the products. The company eventually accepted back most of the product as sales returns during the following quarter.

The SEC noted that the manufacturer’s written distribution agreements generally allowed the distributor wide latitude to return product to the company for credit whenever the product was, in the distributor’s opinion, damaged, obsolete, or otherwise unable to be sold. According to the SEC, in preparing the manufacturer’s financial statements for the target year, company personnel submitted a proposed allowance for future product returns that was unreasonably low in light of the high level of returns the manufacturer had received in the first several months of the year.

The SEC determined that various officers and employees in the accounting and sales departments knew the exact amount of returns the company had received before the year end, when the company’s independent auditors finished their fieldwork on the annual audit. Had the manufacturer revised the allowance for sales returns to reflect the returns information, the SEC concluded it would have had to reduce the net revenue reported for the fiscal year. Instead, the SEC found that several of the manufacturer’s officers and employees devised schemes to prevent the auditors from discovering the true amount of the returns, including 1), keeping the auditors away from the area at the manufacturer’s headquarters where the returned goods were stored, and 2), accounting personnel altering records in the computer system to reduce the level of returns. After all the facts were assembled, the SEC took disciplinary action against several company executives.

As with side agreements, a broad base of inquiry into company practices may be one of the best assessment techniques the CFE has regarding possible concealment strategies supporting fraud scenarios involving returns and exchanges. In addition to inquiries of this kind, the ACFE recommends that CFE’s may consider using analytics like:

• Compare returns in the current period with prior periods and ask about unusual increases.

• Because companies may slow the return process to avoid reducing sales in the current period, determine whether returns are processed in timely fashion. The facts can also be double-checked by confirming with customers.

• Calculate the sales return percentage (sales returns divided by total sales) and ask about any unusual increase.

• Compare returns after a reporting period with both the return reserve and the monthly returns to determine if they appear reasonable.

• Determine whether sales commissions are paid at the time of sale or at the time of collection. Sales commissions paid at the time of sale provide incentives to inflate sales artificially to meet internal and external market pressures.

• Determine whether product returns are adjusted from sales commissions. Sales returns processed through the so-called house account may provide a hidden mechanism to inflate sales to phony customers, collect undue commissions, and return the product to the vendor without being penalized by having commissions adjusted for the returned goods.

Analytics Confronts the Normal

The Information Audit and Control Association (ISACA) tells us that we produce and store more data in a day now than mankind did altogether in the last 2,000 years. The data that is produced daily is estimated to be one exabyte, which is the computer storage equivalent of one quintillion bytes, which is the same as one million terabytes. Not too long ago, about 15 years, a terabyte of data was considered a huge amount of data; today the latest Swiss Army knife comes with a 1 terabyte flash drive.

When an interaction with a business is complete, the information from the interaction is only as good as the pieces of data that get captured during that interaction. A customer walks into a bank and withdraws cash. The transaction that just happened gets stored as a monetary withdrawal transaction with certain characteristics in the form of associated data. There might be information on the date and time when the withdrawal happened; there may be information on which customer made the withdrawal (if there are multiple customers who operate the same account). The amount of cash that was withdrawn, the account from which the money was extracted, the teller/ATM who facilitated the withdrawal, the balance on the account after the withdrawal, and so forth, are all typically recorded. But these are just a few of the data elements that can get captured in any withdrawal transaction. Just imagine all the different interactions possible on all the assorted products that a bank has to offer: checking accounts, savings accounts, credit cards, debit cards, mortgage loans, home equity lines of credit, brokerage, and so on. The data that gets captured during all these interactions goes through data-checking processes and gets stored somewhere internally or in the cloud.  The data that gets stored this way has been steadily growing over the past few decades, and, most importantly for fraud examiners, most of this data carries tons of information about the nuances of the individual customers’ normal behavior.

In addition to what the customer does, from the same data, by looking at a different dimension of the data, examiners can also understand what is normal for certain other related entities. For example, by looking at all the customer withdrawals at a single ARM, CFEs can gain a good understanding of what is normal for that particular ATM terminal.  Understanding the normal behavior of customers is very useful in detecting fraud since deviation from normal behavior is a such a primary indicator of fraud. Understanding non-fraud or normal behavior is not only important at the main account holder level but also at all the entity levels associated with that individual account. The same data presents completely different information when observed in the context of one entity versus another. In this sense, having all the data saved and then analyzed and understood is a key element in tackling the fraud threat to any organization.

Any systematic, numbers-based system of understanding of the phenomenon of fraud as a past occurring event is dependent on an accurate description of exactly what happened through the data stream that got accumulated before, during, and after the fraud scenario occurred. Allowing the data to speak is the key to the success of any model-based system. This data needs to be saved and interpreted very precisely for the examiner’s models to make sense. The first crucial step to building a model is to define, understand, and interpret fraud scenarios correctly. At first glance, this seems like a very easy problem to solve. In practical terms, it is a lot more complicated process than it seems.

The level of understanding of the fraud episode or scenario itself varies greatly among the different business processes involved with handling the various products and functions within an organization. Typically, fraud can have a significant impact on the bottom line of any organization. Looking at the level of specific information that is systematically stored and analyzed about fraud in financial institutions for example, one would arrive at the conclusion that such storage needs to be a lot more systematic and rigorous than it typically is today. There are several factors influencing this. Unlike some of the other types of risk involved in client organizations, fraud risk is a censored problem. For example, if we are looking at serious delinquency, bankruptcy, or charge-off risk in credit card portfolios, the actual dollars-at-risk quantity is very well understood. Based on past data, it is relatively straightforward to quantify precise credit dollars at risk by looking at how many customers defaulted on a loan or didn’t pay their monthly bill for three or more cycles or declared bankruptcy. Based on this, it is easy to quantify the amount at risk as far as credit risk goes. However, in fraud, it is virtually impossible to quantify the actual amount that would have gone out the door as the fraud is stopped immediately after detection. The problem is censored as soon as some intervention takes place, making it difficult to precisely quantify the potential risk.

Another challenge in the process of quantifying fraud is how well the fraud episode itself gets recorded. Consider the case of a credit card number getting stolen without the physical card getting stolen. During a certain period, both the legitimate cardholder and the fraudster are charging using the card. If the fraud detection system in the issuing institution doesn’t identify the fraudulent transactions as they were happening in real time, typically fraud is identified when the cardholder gets the monthly statement and figures out that some of the charges were not made by him/her. Then the cardholder calls the issuer to report the fraud.  In the not too distant past, all that used to get recorded by the bank was the cardholder’s estimate of when the fraud episode began, even though there were additional details about the fraudulent transactions that were likely shared by the cardholder. If all that gets recorded is the cardholder’s estimate of when the fraud episode began, ambiguity is introduced regarding the granularity of the actual fraud episode. The initial estimate of the fraud amount becomes a rough estimate at best.  In the case in which the bank’s fraud detection system was able to catch the fraud during the actual fraud episode, the fraudulent transactions tended to be recorded by a fraud analyst, and sometimes not too accurately. If the transaction was marked as fraud or non-fraud incorrectly, this problem was typically not corrected even after the correct information flowed in. When eventually the transactions that were actually fraudulent were identified using the actual postings of the transactions, relating this back to the authorization transactions was often not a straightforward process. Sometimes the amounts of the transactions may have varied slightly. For example, the authorization transaction of a restaurant charge is sometimes unlikely to include the tip that the customer added to the bill. The posted amount when this transaction gets reconciled would look slightly different from the authorized amount. All of this poses an interesting challenge when designing a data-driven analytical system to combat fraud.

The level of accuracy associated with recording fraud data also tends to be dependent on whether the fraud loss is a liability for the customer or to the financial institution. To a significant extent, the answer to the question, “Whose loss is it?” really drives how well past fraud data is recorded. In the case of unsecured lending such as credit cards, most of the liability lies with the banks, and the banks tend to care a lot more about this type of loss. Hence systems are put in place to capture this data on a historical basis reasonably accurately.

In the case of secured lending, ID theft, and so on, a significant portion of the liability is really on the customer, and it is up to the customer to prove to the bank that he or she has been defrauded. Interestingly, this shift of liability also tends to have an impact on the quality of the fraud data captured. In the case of fraud associated with automated clearing house (ACH) batches and domestic and international wires, the problem is twofold: The fraud instances are very infrequent, making it impossible for the banks to have a uniform method of recording frauds; and the liability shifts are dependent on the geography.  Most international locations put the onus on the customer, while in the United States there is legislation requiring banks to have fraud detection systems in place.  The extent to which our client organizations take responsibility also tends to depend on how much they care about the customer who has been defrauded. When a very valuable customer complains about fraud on her account, a bank is likely to pay attention.  Given that most such frauds are not large scale, there is less need to establish elaborate systems to focus on and collect the data and keep track of past irregularities. The past fraud information is also influenced heavily by whether the fraud is third-party or first-party fraud. Third-party fraud is where the fraud is committed clearly by a third party, not the two parties involved in a transaction. In first-party fraud, the perpetrator of the fraud is the one who has the relationship with the bank. The fraudster in this case goes to great lengths to prevent the banks from knowing that fraud is happening. In this case, there is no reporting of the fraud by the customer. Until the bank figures out that fraud is going on, there is no data that can be collected. Also, such fraud could go on for quite a while and some of it might never be identified. This poses some interesting problems. Internal fraud where the employee of the institution is committing fraud could also take significantly longer to find. Hence the data on this tends to be scarce as well.

In summary, one of the most significant challenges in fraud analytics is to build a sufficient database of normal client transactions.  The normal transactions of any organization constitute the baseline from which abnormal, fraudulent or irregular transactions, can be identified and analyzed.  The pinpointing of the irregular is thus foundational to the development of the transaction processing edits which prevent the irregular transactions embodying fraud from even being processed and paid on the front end; furnishing the key to modern, analytically based fraud prevention.

First Things First

About a decade ago, I attended a training session at the Virginia State Police training center conducted by James D. Ratley, then the training director for the ACFE. The training session contained some valuable advice for CFE’s and forensic accountants on immediate do’s and don’ts if an examiner strongly suspects the presence of employee perpetrated financial fraud within a client’s organization. Mr. Ratley’s counsel is as relevant today as it was then.

Ratley advised that every significant employee matter (whether a theft is involved or not) requires thoughtful examiner deliberation before any action is taken, since hasty moves will likely prove detrimental to both the investigator and to the client company. Consequently, knowing what should not be done if fraud is suspected is often more important to an eventual successful outcome than what should be done.

First, the investigator should not initially confront the employee with his or her suspicions until the investigator has first taken several important preliminary investigative steps.  Even when those steps have been taken, it may prove necessary to use a different method of informing the employee regarding her status, imminent material harm notwithstanding. False (or even valid) accusations can lead to defamation lawsuits or at the very least to an extremely uncomfortable work environment. The hasty investigator or management could offend an innocent person by questioning her integrity; consequently, your client company may never be able to regain that person’s trust or prior level of commitment. That downside is just one example of the collateral damage that can result from a fraud. Even if the employee is ultimately found to be guilty, an investigator’s insinuation gives him or her time to alter records and conceal the theft, and perhaps even siphon off more assets. It takes only a moment for an experienced person to erase a computer’s hard drive and shred documents. Although, virtually all business records can be reconstructed, reconstruction is a costly and time-consuming process that always aggravates an already stressful situation.

Second, as a rule, never terminate or suspend the suspect employee until the preliminary investigative steps referred to above have been taken.  The desire on the part of management to take decisive action is understandable, but hasty actions may be detrimental to the subsequent investigation and to the company. Furthermore, there may be certain advantages to continuing the person’s employment status for a brief period because his or her continued status might compel the suspect to take certain actions to your client’s or to the investigation’s benefit. This doesn’t apply to government employees since, unlike private sector employees, they cannot be compelled to participate in the investigation. There can be occasions, however, where it is necessary to immediately terminate the employee. For example, employees who serve in a position whose continued employment could put others at risk physically, financially, or otherwise may need to be terminated immediately. Such circumstances are rare, but if they do occur, management (and the CFE) should document the entire process and advise corporate counsel immediately.

Third, again, as a rule, the investigator should never share her initial suspicions with other employees unless their assistance is crucial, and then only if they are requested to maintain strict confidentiality.  The CFE places an arduous burden on anyone in whom s/he has confided. Asking an employee to shoulder such responsibilities is uncharted territory for nearly anyone (including for the examiner) and can aggravate an already stressful situation. An examiner may view the confidence placed in an employee as a reflection of his and management’s trust. However, the employee may view the uninvited responsibility as taking sides with management at the expense of his relationship with other employees. Consequently, this step should be taken only if necessary and, again, after consultation with counsel and management.

Regarding the do’s, Ratley recommended that the instant that an employee fraud matter surfaces, the investigator should begin continuous documentation of all pertinent investigation-related actions taken. Such documentation includes a chronological, written narrative composed with as much specificity as time permits. Its form can take many shapes, such as handwritten notes, Microsoft Word files, spreadsheets, emails to yourself or others, and/or relevant data captured in almost any other reproducible medium. This effort will, of course, be time consuming for management but is yet another example of the collateral damage resulting from almost any employee fraud. The documentation should also reference all direct and related costs and expenses incurred by the investigator and by the client company. This documentation will support insurance claims and be vital to a subsequent restitution process.  Other collateral business damages, such as the loss of customers, suppliers, or the negative fiscal impact on other employees may also merit documentation as appropriate.

Meetings with corporate counsel are also an important do.  An employee fraud situation is complex and fraught with risk for the investigator and for the client company. The circumstances can require broad and deep expertise in employment law, criminal law, insurance law, banking law, malpractice law, and various other legal concentrations. Fortunately, most corporate attorneys will acknowledge when they need to seek additional expertise beyond their own experience since a victim company counsel specializing in corporate matters may have little or no background in matters of fraud. Acknowledgment by an attorney that s/he needs additional expertise is a testament to his or her integrity. Furthermore, the client’s attorney may contribute value by participating throughout the duration of the investigation and possible prosecution and by bringing to bear his or her cumulative knowledge of the company to the benefit of the organization.

Next, depending on the nature of the fraud and on the degree of its fiscal impact, CFEs should meet with the client’s CPA firm but exercise caution. The client CPA may be well versed in their involvement with your client through their work on income taxes, audit, review, and compilations, but not in forensic analysis or fraud examination. Larger CPA firms may have departments that they claim specialize in financial forensics; the truth is that actual experience in these matters can vary widely. Furthermore, remember that the situation occurred under your client CPA’s watch, so the firm may not be free of conflict.

Finally, do determine from management as early as possible the range of actions it might want to take with respect to the suspect employee if subsequent investigation confirms the suspicion that fraud has indeed occurred.  Deciding how to handle the matter of what to do with the employee by relying upon advice from management and from the legal team can be quite helpful in shaping what investigative steps are taken subsequently. Ratley pointed out that the level and availability of evidence often drive actions relating to the suspect. For example, the best course of action for management may be to do nothing immediately, to closely monitor and document the employee’s activities, to suspend the employee with pay, or immediately terminate the suspect’s employment. There may be valid reasons to exercise any one of these options.

Let’s say the CFE is advised by management to merely monitor and document the employee’s activities since the CFE currently lacks sufficient evidence to suspend or terminate the employee immediately. The CFE and the client’s IT operation could both be integral parts of this option by designing a plan to protect the client from further loss while the investigation continues behind the scenes. The investigation can take place after hours or under the guise of an “efficiency audit,” “business planning,” or other designation. In any case, this option will probably require the investigator to devote substantial time to observe the employee and to concurrently conduct the investigation.  The CFE will either assemble sufficient evidence to proceed or conclude there is inadequate substantiation to support the accusation.

A fraud is a devastating event for any company but Mr. Ratley’s guidance about the first steps in an investigation of employee perpetrated financial fraud can help minimize the damage.  He concluded his remarks by making two additional points; first, few executives are familiar by experience with situations that require CFE or forensic accountant expertise; consequently, their often-well-meaning actions when confronted with the actuality of a fraud can result in costly mistakes regarding time, money and people. Although many such mistakes can be repaired given sufficient money and time, they are sometimes devastating and irrecoverable.  Second, attorneys, accountants and others in the service professions frequently lack sufficient experience to recognize the vast differences between civil and criminal processes.  Consequently, these professionals often can provide the best service to their corporate clients by referring and deferring to more capable fraud examination specialists like certified fraud examiners and experienced forensic accountants.

People, People & People

Our Chapter’s Vice-President Rumbi Petrolozzi’s comment in her last blog post to the effect that one of the most challenging tasks for the forensic accountant or auditor working proactively is defining the most effective and efficient scope of work for a risk-based assurance project. Because resources are always scarce, assurance professionals need to make sure they can meet both quality and scheduling requirements whilst staying within our fixed resource and cost constraints.

An essential step in defining the scope of a project is identifying the critical risks to review and the controls required to manage those risks. An efficient scope focuses on the subset of controls (i.e., the key controls) necessary to provide assurance. Performing tests of controls that are not critical is not efficient. Similarly, failing to test controls that could be the source of major fraud vulnerabilities leads to an ineffective audit.  As Rumbi points out, and too often overlooked, the root cause of most risk and control failures is people. After all, outstanding people are required to make an organization successful, and failing to hire, retain, and train a competent team of employees inevitably leads to business failure.

In an interview, a few decades ago, one of America’s most famous business leaders was asked what his greatest challenges were in turning one of his new companies around from failure to success. He is said to have responded that his three greatest challenges were “people, people, and people.” Certainly, when assurance professionals or management analyze the reasons for data breaches and control failures, people are generally found to be the root cause. For example, weaknesses may include (echoing Rumbi):

Insufficiently trained personnel to perform the work. A common material weakness in compliance with internal control over financial reporting requirements is a lack of experienced financial reporting personnel within a company. In more traditional anti-fraud process reviews, examiners often find that control weaknesses arise because individuals don’t understand the tasks they have to perform.

Insufficient numbers to perform the work. When CPAs find that important reconciliations are not performed timely, inventories are not counted, a backlog in transaction processing exists, or agreed-upon corrective actions to address prior audit findings aren’t completed, managers frequently offer the excuse that their area is understaffed.

Poor management and leadership. Fraud examiners find again and again, that micromanagers and dictators can destroy a solid finance function. At the other end of the spectrum, the absence of leadership, motivation, and communication can cause whole teams to flounder. Both situations generally lead to a failure to perform key controls consistently. For example, poor managers have difficulty retaining experienced professionals to perform account reconciliations on time and with acceptable levels of quality leading directly to an enhanced level of vulnerability to numerous fraud scenarios.

Ineffective human resource practices. In some cases, management may choose to accept a certain level of inefficiency and retain individuals who are not performing up to par. For instance, in an example cited by one of our ACFE training event speakers last year, the financial analysis group of a U.S. manufacturing company was failing to provide management with timely business information. Although the department was sufficiently staffed, the team members were ineffective. Still, management did not have the resolve to terminate poor performers, for fear it would not be possible to hire quality analysts to replace the people who were terminated.

In such examples, people-related weaknesses result in business process key control failures often leading to the facilitation of subsequent frauds. The key control failure was the symptom, and the people-related weakness was the root cause. As a result, the achievement of the business objective of fraud prevention is rendered at risk.

Consider a fraud examiner’s proactive assessment of an organization’s procurement function. If the examiner finds that all key controls are designed adequately and operating effectively, in compliance with company policy, and targeted cost savings are being generated, should s/he conclude the controls are adequate? What if that department has a staff attrition rate of 25 percent and morale is low? Does that change the fraud vulnerability assessment? Clearly, even if the standard set of controls were in place, the function would not be performing at optimal levels.  Just as people problems can lead to risk and control failures, exceptional people can help a company achieve success. In fact, an effective system of internal control considers the adequacy of controls not only to address the risks related to poor people-related management but also to recognize reduction in fraud vulnerability due to excellence in people-related management.

The people issue should be addressed in at least two phases of the assurance professional’s review process: planning and issue analysis (i.e., understanding weaknesses, their root cause, and the appropriate corrective actions).  In the planning phase, the examiner should consider how people-related anti-fraud controls might impact the review and which controls should be included in the scope. The following questions might be considered in relation to anti-fraud controls over staffing, organization, training, management and leadership, performance appraisals, and employee development:

–How significant would a failure of people-related controls be to the achievement of objectives and the management of business risk covered by the examination?
–How critical is excellence in people management to the achievement of operational excellence related to the objectives of the review?

Issue analysis requires a different approach. Reviewers may have to ask the question “why” three or more times before they get to the root cause of a problem. Consider the following little post-fraud dialogue (we’ve all heard variations) …

CFE: “Why weren’t the reconciliations completed on time?”
MANAGER. “Because we were busy closing the books and one staff member was on vacation.”
CFE: “You are still expected to complete the reconciliations, which are critical to closing the books. Even with one person on vacation, why were you too busy?”
MANAGER: “We just don’t have enough people to get everything done, even when we work through weekends and until late at night.”
CFE: “Why don’t you have enough people?”
MANAGER: “Management won’t let me hire anybody else because of cost constraints.”
CFE: “Why won’t management let you hire anybody? Don’t they realize the issue?”
MANAGER: “Well, I think they do, but I have been so busy that I may not have done an effective job of explaining the situation. Now that you are going to write this up as a control weakness, maybe they will.”

The root cause of the problem in this scenario is that the manager responsible for reconciliations failed to provide effective leadership. She did not communicate the problem and ensure she had sufficient resources to perform the work assigned. The root cause is a people problem, and the reviewer should address that directly in his or her final report. If the CFE only reports that the reconciliations weren’t completed on time, senior management might only press the manager to perform better without understanding the post-fraud need for both performance improvement and additional staff.

In many organizations, it’s difficult for a reviewer to discuss people issues with management, even when these issues can be seen to directly and clearly contribute to fraud vulnerably. Assurance professionals may find it tricky, for political reasons to recommend the hiring of additional staff or to explain that the existing staff members do not have the experience or training necessary to perform their assigned tasks. Additionally, we are likely to run into political resistance when reporting management and leadership failure. But, that’s the job assurance professionals are expected to perform; to provide an honest, objective assessment of the condition of critical anti-fraud controls including those related to people.  If the scope of our work does not consider people risks, or if reviewers are unable to report people-related weaknesses, we are not adding the value we should. We’re also failing to report on matters critical to the maintenance and extension of the client’s anti-fraud program.

First Steps to Prosecution

A recent study sponsored by the financial trade press indicated some haziness among assurance professionals generally about the precise mechanism(s) underlying the process by which the authorities make the initial decision to prosecute or not to prosecute alleged financial statement fraud.

In the U.S. federal system, a criminal investigation of fraudulent financial reporting can originate in all sorts of ways. An investigation may be initiated because of a whistleblower, an anonymous tip, information supplied by a conscientious or guilt-ridden employee, or facts discovered during a routine annual audit of the company’s financial statements. In addition, the company’s public disclosure of financial misstatements may itself lead to the commencement of a criminal investigation. However initially initiated, the decision to start a criminal investigation is entirely within the discretion of the United States Attorney in each federal district.

For the prosecutor, the decision whether to open an investigation can be difficult. The main reason is the need for the prosecutor to establish criminal intent, that is, that the perpetrator not only got the accounting wrong but did so willfully. Often, bad accounting will be the result of judgment calls, which can be defended as exactly that, executive determinations or judgement calls that, while easy to second guess with the benefit of hindsight, were made in good faith at the time. Thus, a prosecutor evaluating the viability of a criminal prosecution will be looking for evidence of conduct so egregious that the perpetrator must have known it was wrong. This is not to suggest that evidence of a wrongful intent is the only consideration. A prosecutor’s exercise of his or her prosecutorial discretion may consider all kinds of factors in deciding whether criminal inquiry is warranted. Those factors may include the magnitude and nature of the accounting misstatements, whether individuals personally benefited from the misstatements or acted pursuant to the directive of a superior, whether documents were fabricated or destroyed, the probable deterrent or rehabilitative effect of prosecution, and the likelihood of success at trial. The availability of governmental resources may also be a factor.

Where the putative defendant is a corporation, partnership, or other business organization, a more settled set of factors come into play:

–The nature and seriousness of the offense, including the risk of harm to the public, and applicable policies and priorities, if any, governing the prosecution of corporations for certain categories of crime;
–The pervasiveness of wrongdoing within the corporation, including the complicity in, or the condoning of, the wrongdoing by corporate management;
–The corporation’s history of similar misconduct, including prior criminal, civil, and regulatory enforcement actions against it;
–The corporation’s timely and voluntary disclosure of wrong-doing and its willingness to cooperate in the investigation of its agents;
–The existence and effectiveness of the corporation’s preexisting compliance program;
–The corporation’s remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one, to replace responsible management, to discipline or terminate wrongdoers, to pay restitution, and to cooperate with the relevant government agencies;
–Collateral consequences, including whether there is disproportionate harm to shareholders, pension holders, employees, and others not proven personally culpable, as well as the impact on the public arising from the prosecution;
–The adequacy of the prosecution of individuals responsible for the corporation’s malfeasance;
–The adequacy of remedies such as civil or regulatory enforcement actions.

However, a prosecutor gets there, once s/he determines to commence a criminal investigation, there is no doubt that those who are its targets will quickly come to view it as a priority over everything else. The government’s powers to investigate are broad, and, once a determination to go forward is made, the full resources of the government, including the FBI, can be brought to bear. The criminal sentences resulting from a successful prosecution can be severe if not excessive, particularly considering the enhanced criminal sentences put in place by Sarbanes-Oxley.  The ACFE reports that one midlevel executive at a company who elected to proceed to trial was convicted and received a prison sentence of 24 years. The fact that the sentence was subsequently set aside on appeal does little to mitigate the concern that such a sentence could be imposed upon a first-time, nonviolent offender whose transgression was a failure to apply generally accepted accounting principles.

Typically, a company learns that it is involved in a criminal investigation when it receives a grand jury subpoena, in most instances a subpoena duces tecum, compelling the company or its employees to furnish documents to the grand jury. In an investigation of fraudulent financial reporting, such a subpoena for documents may encompass all the files underlying the company’s publicly disseminated financial information, including the records underlying the transactions at issue and related emails.

For a CFE’s client company counsel and for the company’s executives generally, the need to respond to the subpoena presents both an opportunity and a dilemma. The opportunity stems from the company’s ability, in responding to the subpoena, to learn about the investigation, an education process that will be critical to a successful criminal defense. The dilemma stems from the need to assess the extent to which active and complete cooperation should be pledged to the prosecutor at the outset. The formulation of a response to a criminal subpoena, therefore, constitutes a critical point in the investigatory process. Those involved are thereby placed in the position of needing to make important decisions at an early stage that can have lasting and significant effects.  The CFE can support them in getting through this process.

Once an initial review of the subpoena and its underlying substance is complete, one of the first steps in formulating a response is often for company counsel to make a phone call to the prosecutor to make appropriate introductions and, to the extent possible, to seek background information regarding the investigation. In this initial contact, the prosecutor will be understandably guarded. Nonetheless, some useful information will frequently be shared. A general impression may be gained about the scope and focus of the investigation and the timing of additional subpoenas and testimony. Thereafter, it is not unusual for an initial meeting to be arranged to discuss in greater detail the company’s response. One benefit of such a meeting is that some level of additional information may be forthcoming.

From the outset, company counsel will be undertaking a process that will be ongoing throughout the criminal proceedings: learning as much as possible about the prosecutor’s case. The reason is that, unlike a civil case, in which broad principles of discovery enable the defendants to learn the details of the adversary’s evidence, the procedural rules of a criminal investigation result in much greater secrecy. Less formal methods of learning the details of the prosecutor’s case, therefore, are critical. In these initial contacts, the establishment of a sound foundation for the company’s dealings with the prosecutor is an important aspect of the investigation. To state it simply, CFE’s should always support that those dealings be premised on a foundation of candor.

Although it may be appropriate at various stages to decline to discuss sensitive matters, counsel should avoid making a factual statement on any subject about which it may be incompletely or inaccurately informed. This admonition applies to subjects such as the existence and location of files, the burden of producing documents, and the availability of witnesses. It also applies to more substantive matters bearing on the guilt or innocence of parties. CFE’s should, again, counsel their clients that a relationship with the prosecutor based on trust and confidence is key.

The judgment regarding the extent of cooperation with the prosecutor can be a tough one. Unlike in a civil proceeding, where cooperation with regulatory authorities (such as the SEC) is generally the preferred approach, the decision to cooperate with the government in a criminal investigation may be much more difficult, insofar as a subsequent effort to oppose the government (should such a change of approach be necessary) would be impeded by the loss of a significant tactical advantage, the loss of surprise. In criminal cases, the government is not afforded the same broad rights of discovery available in civil proceedings. It is entirely possible for a prosecutor to have no significant knowledge of the defense position until after the start of a trial. On the other hand, the privileges available to a corporation are limited. There is, most importantly, no Fifth Amendment privilege against self-incrimination for companies.  Furthermore, almost any kind of evidence, even evidence that would be inadmissible at trial, except for illegal wiretaps or privileged material, can be considered by a grand jury. Therefore, the company’s ability to oppose a grand jury investigation is limited, and the prosecutor may even consider a company’s extensive zeal in opposition to constitute obstruction of justice. Moreover, the prosecutor’s ultimate decision about indictment of the company may be affected by the extent of the company’s cooperation. And corporate management may wish to demonstrate cooperation as a matter of policy or public relations.

One issue with which a company will need to wrestle is whether it is appropriate for a public company or its executives to do anything other than cooperate with the government. On this issue, it is useful for executives to appreciate that the U.S. system of justice affords those being investigated certain fundamental rights, and it is not unpatriotic to take advantage of them. As to individuals, one of the most basic of these rights is the Fifth Amendment privilege against self-incrimination. Insofar as, in fraud cases, guilt can be established through circumstantial evidence, executives need to keep in mind that it demonstrates no lack of civic virtue to take full advantage of constitutional protections designed to protect the innocent.

A challenge is that many of these judgments regarding cooperation must be made at the outset when the company’s information is limited. Often the best approach, at least as a threshold matter, will be one of courteous professionalism, meaning respect for one’s adversary and reasonable accommodation pending more informed judgments down the road. Premature expressions of complete cooperation are best avoided as a subsequent change in approach can give rise to governmental frustration and anger.

Following the initial steps of the grand jury subpoena and the preliminary contact with the prosecutor, CFE’s are uniquely positioned to assist corporate counsel and management in the remaining stages of the criminal investigation of a financial crime:

–Production of documents;
–Grand jury testimony;
–Plea negotiations (if necessary);
–Trial (if necessary).

The Other Assets Dance

Studies by the ACFE and various academics have revealed over the years that, while not as common as cash schemes, employee misappropriations of other types of corporate assets than cash can sometimes prove even more disastrous than cash theft for any organization that suffers them.  The median losses associated with noncash schemes is generally higher than cash schemes, being $100,000 as opposed to $60,000.

The other asset category includes such assets as inventories of all kinds, i.e., inventory for sale, supplies and equipment and some categories of fixed assets; in short, the term inventory and other assets is generally meant to encompass misapplication schemes involving any assets held by an enterprise other than cash.  The theft of non-cash assets is generally classified by the ACFE into three groups: inventory schemes, supplies schemes and other asset schemes; of these schemes inventory related schemes account for approximately 70% of the losses while misappropriation of company supplies accounts for another 20%…the remaining losses are associated with several types of fixed assets, equipment, and corporate related information.

Those who study these types of fraud generally lump non-cash assets together for describing how these types of assets are misappropriated since the methods for misappropriation don’t vary much among the various asset types.  The asset, no matter what it is, can be misused (or “borrowed”) or it can be stolen.  Assets that are misused rather than stolen outright include company assigned vehicles, company supplies of all kinds, computers, and other office equipment.  As a very frequently occurring example, a company executive might make use of a company car when on an out of the home office assignment; false documentation (both in writing and verbally) is provided to the company by the employee regarding the nature of her use of the vehicle.  At the end of the trip, the car is returned intact and the cost to the fraudster’s company is only a few hundred dollars at most; but what we have here is, nonetheless, an instance of fraud when a false statement or declaration accompanies the use.

In contrast, the costs of inventory misuse schemes can be very costly.  To many employees, inventory fraud of some kinds is not perceived as a crime, but rather as “borrowing” and, in truth, the actual cost of borrowing a laptop to do personal computing at home may often be immaterial if the asset is returned undamaged.  On the other hand, if the employee uses the laptop to operate a side business during and after normal work hours, the consequences can be more serious for the company, especially if the employee’s business is in competition with that of the employer.  Since the employee is not performing his or her assigned work duties, the employer suffers a loss of productivity and is defrauded of that portion of the employee’s wages related to the fraud.  If the employee’s low productivity continues for any length of time, the employer might have to engage additional employees to compensate which means more capital diverted to wages.  As noted above, if the employee’s business is like that of the employer’s, lost business for the employer would be an additional cost of the scheme.  If the employee had not contracted work for his own company, the business would presumably have gone to her employer. Unauthorized use of company equipment can also mean additional wear and tear, causing company owned equipment to break down sooner than it would have under normal operating conditions.

So, what about prevention?  There are preventative measures for control of other asset related frauds which, if properly installed and operating, may help prevent employee exploits directed against all the many types of inventories maintained by a typical business:
For each type of asset inventory (for sale, supplies, equipment, etc.), the following items (as appropriate) should be pre-numbered and controlled:

–requisitions
–receiving reports
–perpetual records
–raw materials requisitions
–shipping documents
–job cost sheets

The following duties related to the distinct types of asset inventories should be handled by different employees:

–requisition of inventory
–receipt of inventory
–disbursement of inventory
–conversion of inventory to scrap
–receipt of proceeds from disposal of scrape.

Someone independent of the purchasing or warehousing function should conduct physical observation of all asset inventories according to defined schedules.  Personnel conducting physical observations of these types of assets should be knowledgeable about the inventory, i.e., what types of material it should contain, where the material should physically be, etc.  All company owned merchandise should be physically guarded and locked; and access should be limited to authorized personnel only.