Category Archives: Anti-Fraud Training

It’s a Reputation Thing

According to the ACFE presenter at one of our live events, 6.4 percent of worldwide fraud cases occur in the education sector, which makes it the fifth most-targeted industry out of the 23 reported by ACFE members. The three most frequent fraud schemes reported in the education sector are billing schemes, fraudulent expense reimbursements and corruption schemes. Most of the reporting CFEs also seem to agree that a nonprofit institution’s greatest fraud-related challenge is mitigating reputational risk. Good faculty members and students won’t join fraudulent universities. Governments and donors won’t financially contribute to organizations they don’t trust.

Thus, institutions of higher learning aren’t any more immune to fraud than any other large organization. However, the probability of fraud may be somewhat higher in colleges and universities because of their promoted environment of collegiality, which tends to lead to more decentralization and a consequent lack of basic internal controls. Federal and state governments, as well as donors, have increased the pressure on universities to implement better governance practices and on their boards of governors to exercise their fiduciary responsibilities more effectively.

Which brought our speaker to the issue of regular risk assessments, tailored specifically to the needs of the educational environment. Colleges and universities around the world should be actively encouraged by their governing boards and counsel to perform regular fraud risk assessments and to implement and enforce compliance with targeted internal controls, such as proper segregation of duties and surprise audits. As with all organizations, universities can prevent fraud by segregating the task of requesting a financial transaction from those of approving it, processing the payment, reconciling the transaction to the appropriate accounts and safeguarding the involved asset(s); no single person should hold more than one of those roles for the same transaction. Surprise audits should be just that: unannounced supervisory reviews. This creates not just an atmosphere of collegiality and support but one in which the perceived opportunity to commit fraud is lowered.

As I’ve indicated again and again in the pages of this blog, the most powerful fraud prevention measure any organization can take is the education of its staff, top to bottom. Educating faculty, staff members and students about the university’s ethics (or anti-fraud) policies is important not only to prevent fraud but to preserve the institution’s reputation. It’s also important to develop ethics policies carefully and implement them in accordance with the particular culture and character of the institution.

Culturally, universities, like most nonprofit educational institutions, don’t like heavy-handed policies, or controls, because faculty members perceive them as impediments to their research and teaching activities. After going through an appropriate anti-fraud training program, every employee and faculty member (many higher-education institutions actually view faculty above the instructor level as quasi-independent contractors) should come to understand the nature and role of internal controls as well as the negative consequences associated with fraud.

University administrators, faculty and staff members can be motivated to prevent fraud on a basis of self-interest because its occurrence might affect their chances of promotions and salary increases and tarnish the external reputation of the university, which could then affect its financial situation and, hence, their individual prospects.

ACFE training tells us that organizational administrators who don’t get honest feedback and don’t hear and address fraud tips quickly can get in trouble politically, legally and strategically. All universities should implement user-friendly reporting mechanisms that allow anyone to anonymously report fraud and irregular activities plus deliver healthy feedback on leadership’s strengths and weaknesses. This will keep direct lines of communication open among all employees and senior university administrators. These tools will not only strengthen the fight against fraud but also advance the university’s strategic mission and refine senior administrators’ leadership styles. You can’t manage something you can’t see. Such tried and true mechanisms as independent internal audit departments and/or involved audit committees, should provide effective oversight of reporting mechanisms.

Still, many universities resist pressure from their external stakeholders to implement hotlines because of concern that hotlines might create a climate of mistrust among faculty members. Faculty members’ tendency to resist any effort to have their work examined and questioned may explain this resistance. Necessary cultural changes take some time, but educational institutions can achieve them with anti-fraud training and a substantial dose of ethical leadership and tone at the top.

From a legal perspective, colleges and universities, like any other nonprofit organization, must proactively demonstrate due diligence by adopting measures to prevent fraud and damage to their individual reputations. They’re also financially and ethically indebted to governments and donors to educate tomorrow’s leaders by demonstrating their ability to ensure that their internal policies and practices are sound.

Senior university administrators also must be able to show that they investigate all credible allegations of fraud. In addition, independent, professional and confidential fraud investigations conducted by you, the CFE, allow a victim university and its senior administrators to:

— determine the exact sources of losses and hopefully identify the perpetrator(s);
— potentially recover some or all of financial damages;
— collect evidence for potential criminal or civil lawsuits;
— avoid possible discrimination charges from terminated employees;
— identify internal control weaknesses and address them;
— reduce future losses and meet budget targets;
— comply with legal requirements such as senior administrators’ fiduciary duties of loyalty and reasonable care;
— reduce imputed university liability which may result from employee misconduct;

As CFEs we should encourage client universities to adequately train and sensitize administrators, faculty and staff members about their ethics policies and about the general problems related to occupational fraud. Administrators should also consider implementing anonymous reporting programs and feedback processes among all stakeholders and within the senior administration. They should perform regular fraud risk assessments and implement targeted internal controls, such as proper segregation of duties and conflict-of-interest disclosures. Senior administrators should lead by example and adopt irreproachable behavior at all times (tone at the top). Finally, faculty members’ job incentives should be aligned with the university’s mission and goals to avoid dysfunctional and illegal practices. All easier said than done, but, as a profession, let’s encourage them to do it when we have the chance!

Better Call Saul

As reported so often in the press these last few years, even when well-intentioned employees feel they’re doing the right thing by reporting acts of wrongdoing, their reports aren’t always well received. Numerous studies conducted by the ACFE strikingly bear this out. And this is so much the case that any employee (public or private) who witnesses acts of wrongdoing and decides to report them is well advised to seek legal counsel before doing so. When a whistle-blower also happens to be a CFE, the same advice applies. Every CFE should learn just when, where, and how to report fraudulent acts before blowing the whistle, if only so they can comply with the often complex procedures required to receive any available protections against retaliation.

All the U.S. states have laws to protect public sector employees from retaliation for whistle-blowing. Indeed, most of the state whistle-blowing laws were enacted specifically to encourage public sector employees to report fraud, waste, and abuse both inside and outside government agencies. Some state laws protect only public employees; others include government contractors and private-sector employees as well. Many of the laws protecting private sector employees involve workplace safety. They were designed and enacted decades ago to protect employees from retaliation when reporting occupational safety issues. Public and private employees can use them, but they might not apply in all situations. Over the years, reporting in some other specific situations has also received protection.

Facts to keep in mind. Whistle-blowing, as it relates to fraud, is the act of reporting fraud, waste, and abuse. Reporting any act of wrongdoing is considered whistle-blowing, regardless of whether it’s reported by a public or private employee or to persons inside or outside of the victim organization. Anyone can report wrongdoing, but the level of protection against retaliation an employee will subsequently receive differs depending on whether they’re public or private, to whom they report, the manner in which they report, the type of wrongdoing they report, and the law(s) under which they report. The ACFE tells us that a majority of unprotected whistle-blowers end up being terminated. Of those who keep their jobs, some are suspended, some transferred against their wishes and some are given poor performance evaluations, demoted or harassed. To address their situation, some choose recourse to the courts. The rub here is that to prevail, the employee will probably have to link the whistle-blowing directly to the retaliation. This can be difficult for an employee experiencing any kind of current problem in the workplace, because employers will claim their adverse personnel actions were based on the employee’s poor performance and not on the employee’s decision to blow the whistle. It’s especially easy for employers to assert this claim if the person who carried out the retaliation claims no knowledge of the whistle-blowing, which is very frequently the case.

Additionally, many whistle-blowers lose their cases because they didn’t comply with some technicality in the laws. Protection laws are very specific on how whistle-blowers must report the wrongdoing. Failing to comply with any aspect of the law will result in a loss of protection. Some examples:

• Subject Matter Jurisdiction – the court must have the power to hear the kind of issue in the whistle-blower’s suit. Subject matter jurisdiction is based on the law the whistle-blower plans to use. Generally speaking, federal courts hear violations of federal laws and state courts hear violations of state laws, although this isn’t always the case. Employees can file alleged violations of their civil rights in state or federal court under 42 U.S.C. § 1983 (Section 1983 of Title 42 of the United States Code, not the Code of Federal Regulations). Rarely used for decades after its enactment as part of the Civil Rights Act of 1871, Section 1983 is today the primary vehicle for suing state and local officials who violate federal constitutional rights while acting under color of state law. Working out subject matter jurisdiction can help employees decide whether to file in federal or state court. Of course, the employer might ask to have the case moved to another court.

• Personal Jurisdiction – the employee should make sure the court has power over the party s/he wants to sue. A court must have personal jurisdiction over the defendant to hear a case. Courts usually have personal jurisdiction over the people and organizations residing or doing business in their jurisdiction.

• Venue – venue refers to the court that will hear the employee’s case. The proper venue is the jurisdiction in which the defendant lives or does business, where the contract was signed or carried out, or the incident took place. More than one court can have jurisdiction over the case. The employee should pick the venue most convenient for her.

As I said above, most whistle-blower laws were written and are intended to protect public-sector employees who report violations affecting public health and safety. Proving public interest is easy for public-sector employees because their work involves public protection. It’s not as easy for private-sector employees. A goodly percentage of private-sector whistle-blowers lose their cases because the matters didn’t involve public policy. Whistle-blowers can improve their chances of success by preparing early and reading the whistle-blowing laws of their state of jurisdiction. The case law is also important because it shows the precedent already set by the courts. The better prepared the employee is, the less likely s/he will make avoidable mistakes. An evolving issue is the extent to which whistle-blowers must be certain of violations. Many laws already require the employee to state the specific law that was broken. Some courts require whistle-blowers to be certain of their allegations. Trends requiring certainty will make it increasingly difficult for whistle-blowers to receive protection.

As a final point. A goodly percentage of whistle-blowers fail to achieve protection each year because of their own improper conduct. Some of these whistle-blowers misused their employers’ property; some of them stole it. Employees must ensure their conduct is above scrutiny because some courts will apply the “doctrine of unclean hands” and bar whistle-blowers from protection, if they’ve engaged in misconduct directly related to their complaints. The doctrine of unclean hands can work against employers, just as it does employees. In Virginia not too long ago, a Medicaid provider submitted documents containing incorrect claims information to the court. The whistle-blower proved the information was false and won his case on those grounds alone. Thus, it’s important for employers and employees to comport themselves with integrity.

Whistle-blowers who commit unlawful acts to advance their cases don’t do well in court, but neither do whistle-blowers who refuse to commit unlawful acts on behalf of their employers. Most state whistle-blower laws are designed to protect employees that refuse to commit unlawful acts, but it can be difficult to receive even that protection.

All this by way of saying that the laws governing whistle-blower protection are many and varied. As fraud examiners and auditors it behooves us to be as familiar with these laws in the jurisdictions in which we practice as we reasonably can be. But when confronted with such cases, always consult counsel. As my father told me so long ago, the man or woman who acts as his or her own attorney has a fool for a client.

Just Like Me

During a joint training seminar between our Chapter and the Virginia State Police held a number of years ago, I took the opportunity to ask the attendees (many of whom are practicing CFEs) to name the most common fraud type they’d individually investigated in the past year. Turned out that one form or another of affinity fraud won hands down, at least here in Central Virginia.

This most common type of fraud targets specific sectors of society such as religious affiliates, the fraudster’s own relatives or acquaintances, retirees, racial groups, or professional organizations of which the fraudster is a member. Our Chapter members indicate that when a scammer ingratiates himself within a group and gains trust, an affinity fraud of some kind can almost always be expected to be the result.

Regulators and other law enforcement personnel typically attempt to identify instances of affinity fraud in order to prosecute the perpetrator and return the fraudulently obtained goods to the victims. However, affinity fraud tends to be an under reported crime since victims may be embarrassed that they so easily fell prey to the fraudster in the first place or they may remain connected to the offender because of emotional bonding and/or cultivated trust. Reluctance to report the crime also frequently stems from a misplaced belief that the fraudster is fundamentally a good guy or gal and will ultimately do the right thing and return any funds taken. In order to stop affinity fraud, regulators and law enforcement must obviously first be able to detect and identify the crime, caution potential investors, and prevent future frauds by taking appropriate legal actions against the perpetrators.

The poster boy for affinity fraud is, of course, Bernard Madoff. The Madoff tragedy is considered an affinity fraud because the vast majority of his clientele shared Madoff’s religion, Judaism. Over the years, Madoff’s list of victims grew to include prominent persons in the finance, retail and entertainment industries. This particular affinity fraud was unprecedented because it was perpetrated by Madoff over several decades, and his customers were defrauded of approximately twenty billion dollars. It can be debated whether the poor economy, lack of investor education, or ready access to diverse persons over the internet has led to an increase in affinity fraud but there can be no doubt that the internet makes it increasingly easy for fraudsters to pose as members of any community they target. And, it’s clear that affinity frauds have dramatically increased in recent years. In fact, affinity fraud has been identified by the ACFE as one of the top five investment schemes each year since 1998.

Affinity frauds assume different forms, e.g. information phishing expeditions, investment scams, or charity cons. However, most affinity frauds have a common element and entail a pyramid-type of Ponzi scheme. In these types of frauds, the offender uses new funds from fresh victims as payment to initial investors. This creates the illusion that the scam is profitable and additional victims would be wise to immediately invest. These types of scams inevitably collapse when it either becomes clear to investors or to law enforcement that the fraudster is not legitimate or that there are no more financial backers for the fraud. Although most fraud examiners may be familiar with the Madoff scandal, there are other large scale affinity frauds perpetrated across the United States almost on a daily basis that continue to shape how regulators and other law enforcement approach these frauds.

Perpetrators of affinity frauds work hard, sometimes over whole years, to make their scams appealing to their targeted victims. Once the offenders have targeted a community or group, they seek out respected community leaders to vouch for them to potential investors. By having an esteemed figurehead who appears to be knowledgeable about the investment and endorses it, the offender creates legitimacy for the con. Additionally, others in the community are less likely to ask questions about a venture or investment if a community leader recommends or endorses the fraudster. In the Madoff case, Madoff himself was the esteemed member of the community. A former chairman of the NASDAQ stock market (National Association of Securities Dealers Automated Quotations), a past member of the board of governors of the National Association of Securities Dealers (NASD), and owner of a firm ranked as the sixth largest market maker in NASDAQ stocks, Madoff had an impeccable reputation in the financial services industry, and people were eager to invest with him.

The ACFE indicates that projection bias is yet another reason why affinity fraudsters are able to continually perpetrate these types of crimes. Psychological projection is a concept introduced by Sigmund Freud to explain the unconscious transference of a person’s own characteristics onto another person. The victims in affinity fraud cases project their own morals onto the fraudsters, presuming that the criminals are honest and trustworthy. However, the similarities are almost certainly the reason why the fraudster targeted the victims in the first place. In some cases when victims are interviewed after the fact, they indicate to law enforcement that they trusted the fraudster as if they were a family member because they believed that they shared the same value system.

Success of affinity fraud stems from the higher degree of trust and reliance associated with many of the groups targeted for such conduct. Because of the victim’s trust in the offender, the targeted persons are less likely to fully investigate the investment scheme presented to them. The underlying rationale of affinity fraud is that victims tend to be more trusting, and, thus, more likely to invest with individuals they have a connection with – family, religious, ethnic, social, or professional. Affinity frauds are often difficult to detect because of the tight-knit nature common to some groups targeted for these schemes. Victims of these frauds are less likely to inform appropriate law enforcement of their problems and the frauds tend to continue until an investor or outsider to the target group finally starts to ask questions.

Because victims in affinity frauds are less likely to question or go outside of the group for assistance, information or tips regarding the fraud may never reach regulators or law enforcement. In religious cases, there is often an unwritten rule that what happens in church stays there, with disputes handled by the church elders or the minister. Once the victims place their trust in the fraudster, they are less likely to believe they have been defrauded and also unlikely to investigate the con. Regulators and other law enforcement personnel can also learn from prior failures in identifying or stopping affinity frauds. Because the Madoff fraud is one of the largest frauds in history, many studies have been conducted to determine how this fraud could have been stopped sooner. In hindsight, there were numerous red flags that indicated Madoff’s activity was fraudulent; however, appropriate actions were not taken to halt the scheme. The United States Securities and Exchange Commission (SEC) received complaints about Madoff as early as 1992, and from 2000 onward a series of detailed submissions from Harry Markopolos, a securities industry professional and fraud investigator. Every step of the way, Madoff appeared to use his charm and manipulative ways to explain away his dealings to the SEC inspection teams. The complaints were not properly investigated and, subsequent to Madoff’s arrest, the SEC was the target of a great deal of criticism. The regulators obviously did not apply appropriate professional skepticism while doing their jobs and relied on Madoff’s reputation and representations rather than on the evidence to the contrary. In the wake of this scandal, regulatory reforms were deemed a priority by the SEC and similar agencies.

Education is needed for the investing public and the regulators and law enforcement personnel alike to ensure that they all have the proper knowledge and tools to be able to understand, detect, stop, and prevent these types of frauds. This is where CFEs and forensic accountants are uniquely qualified to offer their communities much needed assistance. Affinity frauds are not easily anticipated by the victims. Madoff whistleblower Markopolos asserted that “nobody thinks one of their own is going to cheat them”. Affinity frauds will not be curtailed unless the public, we, the auditing and fraud examination communities, and regulators and other law enforcement personnel are all involved.

Fraudsters, All Too Human

Our certified Chapter members often get questions from clients and employers related to why a fraudster who’s victimized them did what he or she did. Examiners with the most experience interviewing those later convicted of fraud comment again and again on the usefulness, to the overall investigation, of a basic understanding of the fraudster’s mind set. Such knowledge can help the examiner narrow down the preliminary pool of suspects and, most importantly, assist in gaining an admission in a subsequent admission-seeking interview. ACFE experts regard fraud, and the process of interviewing, primarily as human constructs. Within the context of the interview, being able to tie in the pressure the individual was under (as they perceived it), and to understand the rationalization that individual arrived at, significantly increases the chance of getting the compliance and cooperation the examiner wants from the interviewee.

During your investigation, it’s important to remember that people do things for a reason. The fraud examiner might not understand the reasons a fraudster commits his or her crime, but the motivations certainly make sense to the perpetrator. For example, a perpetrator might commit fraud because her life has spiraled out of control, although it might not be out of control under an objective, reasonable person’s definition. But in the perpetrator’s view, her life has become so problematic that fraud is the only way she can see to restore balance. And during the fraud examination, if the examiner can get the suspected perpetrator to talk about the lack of control in her life, the examiner can often use this information to persuade the fraudster to admit guilt and to gain valuable insight into ways that similar frauds might be prevented in the future.

As a continuation of this line of thought, the examiner should consider possible human motives when examining evidence. Motive is the power that prompts a person to act. Motive, however, should not be confused with intent, which refers to the state of mind of the accused when performing the act. Motive, unlike intent, is not an essential element of crime, and criminal law generally treats a person’s motive as irrelevant in determining guilt or innocence. Even so, motive is relevant for other purposes. It can help identify the perpetrator; it will often guide the examiner to the proper rationalization; it further incriminates the accused, and it can be helpful in ensuring successful prosecution.

The examiner should search relevant documents to determine a possible motive. For example, if a fraud examiner has evidence in the form of a paycheck written to a ghost employee, she might suspect a payroll employee who recently complained about not receiving a raise in the past two years. Although such information doesn’t mean that the payroll employee committed fraud, the possible motive can guide the examiner.

ACFE experts also agree that interviewers should seek to understand the possible motives of the various suspects they encounter during an examination. To do this, interviewers should suspend their own value system. This will better position the interviewer to persuade the suspect(s) to reveal information providing insight into what might have pressured or motivated them and how they might have rationalized their actions. In an interview situation, the examiner should not suggest reasons for the crime. Instead, the examiner should let the individual share his or her motivations, even if the suspect reveals them only in an indirect manner. So when conducting an interview with a suspect, the interviewer should begin by asking questions about the standard procedures and the actual practice of the operations at issue. This is necessary to gain an understanding of the way the relevant process is intended to work as opposed to how it actually works. Additionally, asking such basic questions early in the interview helps the interviewer observe the interviewee’s normal behavior, so that the interviewer can notice any later changes in the subject’s mannerisms and word choice.

Always remember that there are times when rational people behave irrationally. This is important in the interview process because it will help humanize the misconduct. As indicated above, unless the perpetrator has a mental or emotional disorder, it is acceptable to expect that the perpetrator committed the fraud for a reason. Situational fraudsters (those who rationalize their right to an illegal enrichment and perpetrate fraud when the opportunity arises) do not tend to view themselves as criminals. In contrast to deviant fraudsters, who are more proactive than situational fraudsters and who are always on the alert for opportunities to commit fraud, situational fraudsters rationalize their crimes. Situational fraudsters feel that they need to commit fraud to regain control over their lives. Thus, an interviewer will be more likely to obtain a confession from a situational fraudster if she can genuinely communicate that she understands how anyone under similar circumstances might commit such a crime. Genuineness, however, is key. If the fraudster in any way detects that the interviewer is presenting a trap, he generally will not make any admission of wrongdoing.

So, in your examinations, never lose sight of the human element; that by definition, fraud involves human deception for personal gain. Why do people deceive to get what they want, or in some cases, what they need? Most humans commit deceptive acts to protect themselves from various consequences of the truth. Avoiding punishment is the most common reason for deception, but there are other reasons, including to protect another person, to win the admiration or respect of others, to avoid embarrassment, enjoy the thrill of accomplishment and to avoid hard work to achieve goals. When people feel that their self-security is threatened, they might resort to deception to preserve their image. Further, people can become so engaged in managing how others perceive them that they become unable to separate the truth from fiction in their own minds.

The ability to sympathetically cast oneself into the human situation of others is one of the most valuable skills that a fraud examiner can have in our efforts to determine the truth.

Cash In – Cash Out

One of our associate Chapter members has become involved in her first fraud investigation just months after graduating from university and joining her first employer. She’s working for a restaurant management consulting practice and the investigation involves cash theft targeting the cash registers of one of the firm’s smaller clients. Needless to say, we had a lively discussion!

There are basically two ways a fraudster can steal cash from his or her employer. One is to trick the organization into making a payment for a fraudulent purpose. For instance, a fraudster might produce an invoice from a nonexistent company or submit a timecard claiming hours that s/he didn’t really work. Based on the false information that the fraudster provides, the organization issues a payment, e.g., by sending a check to the bogus company or by issuing an inflated paycheck to the employee. These schemes are known as fraudulent disbursements of cash. In a fraudulent disbursement scheme, the organization willingly issues a payment because it thinks that the payment is for a legitimate purpose. The key to the success of these types of schemes is to convince the organization that money is owed.

The second way (as in our member’s restaurant case) to misappropriate cash is to physically remove it from the organization through a method other than the normal disbursement process. An employee takes cash out of his cash register, puts it in his pocket, and walks out the door. Or, s/he might just remove a portion of the cash from the bank deposit on their way to the bank. This type of misappropriation is what is referred to as a cash theft scheme. These schemes reflect what most people think of when they hear the term “theft”; a person simply grabs the money and sneaks away with it.

Cash theft schemes divide into two categories, skimming and larceny. Whether a theft is skimming or larceny depends entirely on when the cash is stolen, a distinction that confused our associate member. Cash larceny is the theft of money that has already appeared on the victim organization’s books, while skimming is the theft of cash that has not yet been recorded in the accounting system. The way an employee extracts the cash may be exactly the same in either case. Because the money is stolen before it appears on the books, skimming is known as an “off-book” fraud. The absence of any recorded entry for the missing money also means a skimming scheme leaves no direct audit trail. The fact that the funds are stolen before they are recorded means the organization may never be “aware” that the cash was received at all. Consequently, it can be very difficult to detect that the money has been stolen.

The basic structure of a skimming scheme is simple: Employee receives payment from a customer, employee pockets payment, employee does not record the payment. There are a number of variations on the basic plot, however, depending on the position of the perpetrator, the type of company that is victimized, and the type of payment that is skimmed. In addition, variations can occur depending on whether the employee skims sales or receivables (this post is only about sales).

Most skimming, particularly in the retail sector, occurs at the cash register – the spot where revenue enters the organization. When the customer purchases merchandise, he or she pays a cashier and leaves the store with whatever s/he purchased, e.g., a shirt, a meal, etc. Instead of placing the money in the cash register, the employee simply puts it in his or her pocket without ever recording the sale. The process is made much easier when employees at cash collection points are left unsupervised, as is the case in many small restaurants. A common technique is to ring a “no sale” or some other non-cash transaction on the employee’s register. The false transaction is entered on the register so that it appears that the employee is recording the sale. If a manager is nearby, it will look like the employee is following correct cash receipting procedures, when in fact the employee is stealing the customer’s payment. Another way employees sometimes skim unrecorded sales is by conducting sales during nonbusiness hours. For instance, many employees have been caught selling company merchandise on weekends or after hours without the knowledge of the owners. In one case, a manager opened his store two hours early every day and ran it business-as-usual, pocketing all sales made during the “unofficial” store hours. As the real opening time approached, he would destroy all records from the off-hours transactions and start the day from scratch.

Although sales skimming does not directly affect the books, it can show up on a company’s records in indirect ways, usually as inventory shrinkage; this is how the skimming thefts were detected at our member’s client. The bottom line is that unless skimming is being conducted on a very large scale, it is usually easier for the fraudster to ignore the shrinkage problem. From a practical standpoint, a few missing pieces of inventory are not usually going to trigger a fraud investigation. However, if a skimming scheme is large enough, it can have a marked effect on a small business’ inventory, especially in a restaurant where profit margins are always tight and a few bad sales months can put the concern out of business. Small business owners should conduct regular inventory counts and make sure that all shortages are promptly investigated and accounted for.
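The indicators in the last two paragraphs (a cashier ringing “no sale” instead of a sale, transactions rung outside posted hours, and shrinkage that only shows up when a physical count is reconciled to recorded sales) can be checked mechanically from the register journal. The following is an added example, not code from the original post; the register journal, stock figures, cashier names, business hours and the no-sale threshold are all constructed for illustration.

```python
"""Register-journal checks for sales skimming (added example, constructed data).

Three indicators from the text: a cashier ringing many "no sale" drawer
openings relative to recorded sales, transactions recorded outside business
hours, and inventory shrinkage (units missing once recorded sales are
subtracted from opening stock and compared with a physical count).
"""
from collections import defaultdict

# Constructed one-day register journal: (time, cashier, event, item, units, amount)
JOURNAL = [
    ("07:10", "bob", "SALE",   "burger", 1, 8.00),   # rung before the 09:00 opening
    ("09:05", "amy", "SALE",   "burger", 1, 8.00),
    ("09:30", "amy", "SALE",   "burger", 2, 16.00),
    ("09:41", "amy", "NOSALE", None,     0, 0.00),
    ("10:02", "amy", "SALE",   "fries",  1, 3.00),
    ("10:15", "bob", "SALE",   "burger", 1, 8.00),
    ("10:20", "bob", "NOSALE", None,     0, 0.00),
    ("10:31", "bob", "NOSALE", None,     0, 0.00),
    ("10:44", "bob", "NOSALE", None,     0, 0.00),
    ("11:00", "bob", "SALE",   "fries",  1, 3.00),
    ("11:12", "bob", "NOSALE", None,     0, 0.00),
]

# Constructed stock records: item -> (opening units, units found at physical count)
STOCK = {"burger": (10, 3), "fries": (6, 4)}


def no_sale_ratios(journal):
    """Return {cashier: no-sale events per recorded sale}."""
    sales, nosales = defaultdict(int), defaultdict(int)
    for _, cashier, event, *_ in journal:
        if event == "SALE":
            sales[cashier] += 1
        elif event == "NOSALE":
            nosales[cashier] += 1
    return {c: nosales[c] / max(sales[c], 1) for c in set(sales) | set(nosales)}


def flag_cashiers(journal, threshold=1.0):
    """Cashiers whose no-sale ratio reaches the threshold, for supervisory review."""
    return sorted(c for c, r in no_sale_ratios(journal).items() if r >= threshold)


def off_hours_sales(journal, open_hour=9, close_hour=17):
    """Sales recorded outside posted hours, as (time, cashier)."""
    hits = []
    for time, cashier, event, *_ in journal:
        hour, minute = (int(x) for x in time.split(":"))
        minutes = hour * 60 + minute
        if event == "SALE" and not (open_hour * 60 <= minutes < close_hour * 60):
            hits.append((time, cashier))
    return hits


def shrinkage(journal, stock):
    """Units unaccounted for per item: opening - recorded sold - counted."""
    sold = defaultdict(int)
    for _, _, event, item, units, _ in journal:
        if event == "SALE":
            sold[item] += units
    return {item: opening - sold[item] - counted
            for item, (opening, counted) in stock.items()}


if __name__ == "__main__":
    print("no-sale ratios:", no_sale_ratios(JOURNAL))
    print("flagged cashiers:", flag_cashiers(JOURNAL))
    print("off-hours sales:", off_hours_sales(JOURNAL))
    print("shrinkage:", shrinkage(JOURNAL, STOCK))
```

A no-sale ratio above the threshold is not proof of anything; it is the cue for the unannounced supervisory review the text calls for, and the shrinkage figure only means something when the count is taken by someone other than the cashier under review.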

Any serious attempt to deter and detect cash theft must begin with observation of employees. Skimming and cash larceny almost always involve some form of physical misappropriation of cash or checks; the perpetrator actually handles, conceals, and removes money from the company. Because the perpetrator will have to get hold of funds and actually carry them away from the company’s premises, it is crucial for management to be able to observe employees who handle incoming cash.

Ambiguous Transactions

As any experienced fraud examiner will be happy to tell you, unambiguously distinguishing individual instances of fraud, waste and abuse from one another can be challenging; that’s because transactions demonstrating the characteristics of one of these issues so often share the characteristics of the other(s). A spate of recent articles in the trade press confirms the public impression not only that health care costs are constantly rising but that poorly controlled health care provider reimbursement systems are significant targets of waste and abuse, both from within companies themselves and from external bad actors.

While some organizations review their health benefits programs and their health administrator organizations annually, others appear to be doing relatively little in this area. Consequently, CFEs are increasingly being asked, as audit team members, to participate in fraud risk assessments of health benefits administration (HBA) programs for corporations, government entities, and nonprofit organizations. In doing so, ACFE members are increasingly identifying practices that result in recoverable losses, as well as losses that were never recovered because some client organizations have never effectively audited their health benefit plans.

A good place to start with this type of fraud risk assessment is for the CFE to evaluate the client’s oversight of HBA reporting, since that reporting is where losses the organization has not yet identified are most likely to surface.

Many organizations contract with third-party administrators (TPAs) to oversee their employee insurance claims process, health care provider network, care utilization review, and employee health plan membership functions. In the arena of claims processing, in today’s environment of rising costs, TPAs can make significant claim payment errors that result in financial losses to the CFE’s client organization if such errors are not promptly identified, recovered, and credited back to the plan. Claim overpayments are common in the industry; and most TPAs themselves have audit processes in place to minimize the losses to their clients. Many control assurance professionals incorrectly assume that the claim audit covers all the exposures, as the primary function of claims administration is to pay claims. This misconception can block a true understanding of the nature of the exposures and lessen the client’s sense of the necessity that systematic fraud and waste detection audits of health care claims transactions are performed, both externally and internally.

The trade press recently reported that the administrator of a U.S. federal government health benefit plan changed its method of coordinating benefits (COB) from “pursue and pay” to “pay and pursue.” Under “pursue and pay,” the administrator determines who the primary insurance payer is before making payment. Under “pay and pursue,” the administrator pays the claim first and pursues a refund afterward if it turns out to have been only the secondary payer. In this case, the clients were billed for the payment of full benefits even though they should have been secondary payers. The financially strapped administrator recovered the overpayments, deposited them into a bank account, and never credited its clients. Following an audit, one of the client plans received a check for $2.3 million for its share of the refunds that had not been returned to it. Is this apparent deception an example of fraud? Of waste? Or of abuse?

If COB savings had been routinely monitored by each of the plans, along with each client’s other cost containment activities, they would have noticed that the COB savings had fallen off and were next to nothing under “pay and pursue.” When looking at COB, CFEs and client internal auditors should review the provisions of the contract with the administrator to determine who is responsible for identifying other group coverage (OGC), the methodology for investigating OGC, time limitations for recovering overpayments, and the requirements for the reporting of savings to the client organization by the administrator. In conducting their risk assessments, client management and CFEs also should consider the controls over the organization’s oversight of monitoring COB savings and over the other cost containment activities performed by the administrator.

The COB case considered above was intentional deception, but losses also can be unintentional. To recover overpayments, the TPA can send a refund request letter to the health care provider (hospital, physician, etc.), or use the provider offset method, which deducts the overpayment from the provider’s next payment. The ACFE has reported one case in which a provider voluntarily returned an overpayment. The administrator’s policy was to return the refund check to the submitting provider with a form to complete, with instructions to send the form and the check back to the administrator to initiate a provider offset on the next payment to the provider. No logs were kept of the checks received and returned to the providers. Following an audit, the client found that, because of a lack of training, the administrator’s personnel had deposited the checks returned by providers into an administrative holding account. After the investigation and administrative staff training, the client’s refund activity increased from almost nothing to more than $1 million a year. Including the monitoring and analysis of refund activity as a component of the fraud prevention program provides direct insight into how well claim overpayments are being controlled.

When assessing for fraud risk regarding refund activity for health insurance overpayments, CFEs should pay attention to the collection methods used by the administrator, overpayment amounts and time limitations for recovery, and the use of external vendors and their shared savings on recoveries. Reporting from the administrator should be required to include an analysis of refund activity, the reasons for the refund(s), breakout between solicited and unsolicited refunds, and the balance of outstanding refunds.

Sometimes it cannot be determined whether an organization’s losses are intentional or unintentional. For example, in one review, several organizations contracted with a marketing firm specializing in a new approach to control health-care costs. The marketing firm hired an administrator to process the claims for its clients. After four months with the firm, an alert accountant at one of the organizations questioned why funding requests coming from the marketing firm were running 20 percent higher each month than they had been with the previous administrator. The organization’s finance division requested a review which revealed that the marketing firm had been billing its clients based on claims processed by the administrator, including claims not paid. The firm insisted it had not been aware that the funding requests resulted in client overbilling and agreed to refund the overbilled amounts to the organization.

Monitoring and approving the funding requests against some measure of expected costs can identify when costs should be investigated. When reviewing funding requests, assurance professionals should pay attention to the internal funding approval process, supporting detail provided by the administrator to support the funding, funding limitation controls to identify possible overfunding for follow-up investigation, bank account setup and account access, and the internal funding reconciliation process.

While losses may occur because of the administrator’s practices, losses (waste) also can go undetected because the organization does not perform adequate oversight of the practices used on its accounts. Preferred provider organization (PPO) discounts are common in managed health care plans. When organizations use PPO networks that are independent of the administrator’s contracted network, the PPO networks receive the claim first to reprice it with the negotiated rate. The PPO network generates a repricing sheet, which is sent with the original claim to the administrator for processing and payment.

In one case, no one explained the repricing sheets to the claim examiners, so they ignored them. The claims system automatically priced the administrator’s own network claims, whose negotiated rates were loaded into the system. However, because the client’s external PPO network fees were not in the claims system, those claims were paid at billed charges. The client lost an estimated $750,000 in discounts over a one-year period and was paying 34 percent of the savings to the PPO networks for savings that it never received. The client did not detect the lost discounts because it never reconciled the savings implied by the PPO’s quarterly billings for its share of the savings to the discount savings reported by the administrator.

When examining risks regarding discounts, CFEs and auditors should review the administrator’s or independent PPO network’s contracts covering PPO pricing and the client’s access to pricing information for in-network provider audits, alternative savings arrangements using external vendors for out-of-network providers, and the reporting of PPO discount savings. Within their own organizations, auditors should review the internal process for monitoring discount reporting and reconcile the PPO’s shared-savings billings to the discounts reported by the administrator.
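Each of the three cases above (COB savings that vanished under “pay and pursue,” funding requests running 20 percent above the prior administrator’s, and PPO fees billed for discounts never taken) was detectable by comparing the administrator’s own reporting against a second source. The following is an added example, not code from the original post; the monthly savings, funding amounts and invoice figures are constructed, the 34 percent share is taken from the case above, and the trailing-window and tolerance parameters are assumptions chosen for illustration.

```python
"""Oversight checks for third-party health benefit administration
(added example; every figure below is constructed, not from a real plan).

Three checks taken from the text: COB savings that collapse after the
administrator changes practice, funding requests running well above an
expected level, and PPO shared-savings fees billed for discounts the
administrator never actually applied.
"""
from statistics import mean

# Constructed: monthly COB savings as reported by the administrator
COB_SAVINGS = [
    ("2018-01", 40000.0), ("2018-02", 42000.0), ("2018-03", 39000.0),
    ("2018-04", 41000.0), ("2018-05", 3000.0),  ("2018-06", 2500.0),
]

# Constructed: monthly claim funding requests from the administrator
FUNDING_REQUESTS = [("2018-01", 101000.0), ("2018-02", 121000.0), ("2018-03", 124000.0)]

# Constructed: quarterly PPO invoices for its 34% share of savings, and the
# discount savings the administrator reported actually taking on those claims
PPO_FEE_INVOICES = {"2018Q1": 25500.0, "2018Q2": 17000.0}
ADMIN_DISCOUNTS = {"2018Q1": 0.0, "2018Q2": 50000.0}


def cob_savings_drops(series, window=3, floor=0.25):
    """Months whose COB savings fall below `floor` of the trailing-window mean."""
    flagged = []
    for i in range(window, len(series)):
        trailing = mean(v for _, v in series[i - window:i])
        month, value = series[i]
        if trailing > 0 and value < floor * trailing:
            flagged.append(month)
    return flagged


def over_funding(requests, expected, tolerance=0.10):
    """Funding requests above expected * (1 + tolerance), with the excess amount."""
    limit = expected * (1 + tolerance)
    return [(m, round(a - expected, 2)) for m, a in requests if a > limit]


def ppo_reconciliation(fee_invoices, admin_discounts, share=0.34):
    """Back out the savings the PPO is charging for and compare them with the
    discounts the administrator reports; the gap is savings paid for but
    never realized on the claims."""
    result = {}
    for quarter, fee in fee_invoices.items():
        implied = round(fee / share, 2)
        reported = admin_discounts.get(quarter, 0.0)
        unrealized = round(implied - reported, 2)
        result[quarter] = {
            "implied_savings": implied,
            "reported_savings": reported,
            "unrealized": unrealized,
            "fees_on_unrealized": round(unrealized * share, 2),
        }
    return result


if __name__ == "__main__":
    print("COB drop months:", cob_savings_drops(COB_SAVINGS))
    print("over-funded months:", over_funding(FUNDING_REQUESTS, expected=100000.0))
    for quarter, row in ppo_reconciliation(PPO_FEE_INVOICES, ADMIN_DISCOUNTS).items():
        print(quarter, row)
```

The point of the third check is that the PPO invoice and the administrator’s discount report come from two different parties; neither one, read alone, shows that the client paid a fee on discounts it never received.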

There are frequent reports on fraud, abuse, and errors in government health programs issued by the U.S. Department of Health and Human Services’ Office of the Inspector General and by the U.S. Government Accountability Office; all these reports can be of use to CFEs in the conduct of our investigations. Because many of our client organization’s health plans mirror government programs, the fraud risk exposure in organizations is almost everywhere the same. Organizations have incurred tremendous losses by not systematically reviewing benefits administration and through lack of understanding of the dynamics of health plan oversight within their organizations. Developing and promoting a team response within an organization to foster understanding of the exposures in the industry is a practical role for all CFEs. This posture puts fraud examiners (as members of the fraud/abuse prevention and response team) in a position to provide management with assurance that the reporting on the millions spent on employees’ health benefits is accurate and reasonable and that associated costs are justified.

Taken Hostage

by Rumbi Petrozzello
2019 Vice President – Central Virginia ACFE Chapter

On March 22, 2018, I flew into the Atlanta Airport and stopped by the airport’s EMS offices to request an incident report. The gentleman who greeted me at the entrance to the offices was very kind and asked me to wait while he pulled up the details of the report for me. He called over to his coworker, who was sitting in front of a computer, and asked him for help. I heard the coworker clicking on his mouse a few times and then he said that his machine didn’t seem to be working. “It hasn’t been working all morning,” he added. The gentleman then gave me a phone number to call for assistance and apologized for not being more helpful. After I called the number, got voicemail and left a message, I became concerned because I was leaving the country the next day for a week and a half and so hoped that someone would get back to me that day.

Unfortunately, no one had called me back by the time I left. When I returned, I found no voicemail. I called again and left a message. A week after that, the airport EMS Chief returned my call with apologies for the delay – their computers had been down, and he was only now able to start getting back to people. Because I had been out of the country and not really following the news, it was only after a couple of months that I put two and two together. At that point I was working on Eye on Fraud, a publication of the AICPA’s Fraud Task Force. The edition was on Ransomware and as I looked at the information concerning Atlanta, I noticed the dates and realized that the day that I flew into Atlanta and visited the EMS office was the same day that the city of Atlanta was struck by a ransomware attack that crippled the city for over a week and resulted in costs to the city exceeding $2.6 million, a lot more than the $52,000 that was demanded in ransom by the attackers. In late November, two Iranians were indicted for the Atlanta and other attacks. The Atlanta ransomware attack featured many characteristics shared by such attacks, be they on individuals, companies, or governments.

Ransomware attacks have been a problem for decades; the first such documented attack took place in 1989. At that time the malicious code was delivered to victims’ computers via floppy disk and the whole exploit was very easy for victims to reverse. 2006 saw a big uptick in ransomware attacks and, today, ransomware is big business for individual cyber criminals and for organized gangs alike, earning them about a billion dollars in 2016.

Ransomware is a form of malware (malicious software), and works in one of two general ways:

1. Crypto-ransomware encrypts hard drives or files and folders.
2. Locker-ransomware locks users out of their machines, without employing encryption.

As time has gone on, ransomware has become more complex and ransomware attacks more sophisticated. One way in which cyber criminals break into computer systems is social engineering: an email with a malicious attachment, or a link to a compromised website. Cyber criminals also take advantage of known weaknesses in computer operating systems. The WannaCry ransomware, which swept the globe in May 2017, spread on its own by exploiting a flaw in the SMBv1 file-sharing service of Microsoft Windows; no user had to open anything. This underscores how essential it is to provide cyber training to employees and to update this training often. Employees must be taught to always be vigilant and on the lookout for such attacks, and to maintain awareness of how such threats are constantly changing. All it takes is a single employee lapse in judgment and attention for malware to get into a business’s computer system. It’s equally essential to keep computers and software up to date with the latest patches. Microsoft had released a fix for the WannaCry flaw two months before the outbreak, so most of the infected machines were supported systems that simply had not been patched; versions Microsoft no longer supported, such as Windows XP and Windows Server 2003, received a fix only after the outbreak. The money companies thought they were saving by continuing to run old, unsupported software was dwarfed by the cost of recovering from malware that specifically targeted that software.

When CFEs and forensic accountants dialogue with clients about ransomware attack scenarios, we should remind them that cyber criminals are equal opportunity offenders when it comes to such exploits. Employees should be alert to this whether they are working on an employer’s machine or on a personal one. Ransomware has now made its way into the smartphone space, so employees should be made aware that heightened vigilance should extend even to their smartphones. CFEs should additionally work with clients to fund penetration and phishing tests to determine how effective staff training has been and to highlight areas for improvement.

Both individuals and companies should have a plan for how they will deal with a possible ransomware attack. A well-thought-out plan can minimize the effects of an attack and means that the reaction to it is measured rather than driven by uncoordinated panic. For example, when LabCorp was attacked in July 2018, the company contained the spread of the malware in less than an hour. It’s therefore doubly important that we CFEs and forensic accountants work with IT specialists to formulate an advance plan for a ransomware or other malware attack.

Experts recommend that ransom should not be paid. Clients need to be made to understand that when their systems are taken hostage, they are dealing with criminals, and criminals are, more often than not, not to be trusted. When the city of Leeds, Alabama, was attacked, the city paid the cyber criminals $12,000 in ransom. Despite the payment, the hackers restored only a limited number of files, and the city was then faced with spending additional funds to recover or rebuild the rest. Sometimes hackers simply disappear with the ransom and restore nothing. In the face of this, companies and individuals should be encouraged to have backup and restoration plans. To be useful, backups must be made regularly and kept physically separate from the machine or network being protected, because ransomware routinely encrypts any backup it can reach over the network or on an attached drive. The recovery plan should be tested at least annually, by actually restoring from the backups and verifying the restored data.

Ransomware exploits are not going away any time soon. Ransomware attacks are a way to make money not only through the ransom itself but also through access to other sensitive information belonging to employees and clients. Often the hacker will demand a nominal ransom and then sell, for a lot more, the information stolen through that same access to the company’s network.

We, as CFEs and forensic accountants, can help our client address the ballooning threat in a number of ways:

• by performing risk assessments of clients’ systems and processes to identify weaknesses and areas for control improvement.
• by providing staff training on security best practices. This training should be updated at least once a year; in addition to updating staff on changes, this will also serve to remind employees to be vigilant. This training must include everyone in a company, even top management and the board.
• by reminding clients to keep software up to date and to consider upgrades or total changes when an application is no longer supported. Encourage management to have software updates automated on employees’ machines.
• by working with clients to create a backup and recovery system, that features off-site backups. This program should be tested regularly, and backups should be reviewed to ensure their integrity.
• by working with IT and third-party vendors on annual penetration and social engineering testing at client locations. The third-party vendors used should be rotated every three years.
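A restore test is only meaningful if the restored data can be shown to match what was backed up. The following is an added example, not code from the original post or from any organization it mentions: a hash manifest taken at backup time, a verification of a restored tree against it, and a demonstration of what the check reports once a backup copy has been partly encrypted and partly deleted. The directory layout and file contents are constructed for illustration.

```python
"""Backup integrity manifest and restore test (added example, not from the post).

build_manifest() hashes every file under a directory; verify_tree() compares a
directory against a saved manifest and reports files that are missing,
altered (as they would be after encryption) or unexpected. demo() builds a
constructed source tree in a temp directory, backs it up, restores it, and
then shows what the check reports once the backup has been tampered with.
The manifest itself belongs with the offline copy, not on the protected network.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """{relative path: sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_tree(root, manifest):
    """Compare a restored or backup tree with the manifest taken at backup time."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {"ok": not (missing or modified), "missing": missing,
            "modified": modified, "extra": extra}


def restore_and_verify(backup, target, manifest):
    """The restore test: actually restore to a fresh location, then verify it."""
    shutil.copytree(backup, target)
    return verify_tree(target, manifest)


def demo():
    """Returns (result of a clean restore test, result after the backup is tampered with)."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "source")
        os.makedirs(os.path.join(source, "ledgers"))
        # Constructed sample files standing in for the protected data
        with open(os.path.join(source, "ledgers", "ap.csv"), "w") as f:
            f.write("date,vendor,amount\n2018-03-22,V10,100.00\n")
        with open(os.path.join(source, "notes.txt"), "w") as f:
            f.write("payroll reconciliations\n")

        manifest = build_manifest(source)                 # taken at backup time
        backup = os.path.join(work, "backup")
        shutil.copytree(source, backup)
        clean = restore_and_verify(backup, os.path.join(work, "restore1"), manifest)

        # Simulate ransomware reaching the backup: one file encrypted, one gone
        with open(os.path.join(backup, "ledgers", "ap.csv"), "wb") as f:
            f.write(b"\x00\x01encrypted\x02\x03")
        os.remove(os.path.join(backup, "notes.txt"))
        tampered = restore_and_verify(backup, os.path.join(work, "restore2"), manifest)
        return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print("clean restore:", clean_result)
    print("tampered restore:", tampered_result)
```

The manifest only proves something if it was written before the incident and kept where the attacker could not rewrite it alongside the files; a manifest regenerated from an already-encrypted backup would happily report that everything matches.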

CSO Online predicts that ransomware attacks will rise to one every 14 seconds by the end of 2019. We CFEs and forensic accountants should work with our clients to innovate effective ways to protect themselves and to mitigate the effects of the future attacks that certainly will occur. The key is to ensure that clients remain educated, vigilant and prepared.

Authority Figures

As fraud examiners and forensic accountants intimately concerned with the on-going state of health of our client’s fraud management programs, we find ourselves constantly looking at the integrity of the critical data that’s truly (as much as financial capital) the life blood of today’s organizations. We’re constantly evaluating the network of anti-fraud controls we hope will help keep those pesky, uncontrolled, random data driven vulnerabilities to fraud to a minimum. Every little bit of critical financial information that gets mishandled or falls through the cracks, every transaction that doesn’t get recorded, every anti-fraud policy or procedure that’s misapplied has some effect on the client’s overall fraud management picture and on our challenge.

When it comes to managing its client, financial and payment data, almost every small to medium sized organization has a Sandy. Sandy’s the person to whom everyone goes to get the answers about data, and about the state of the system(s) that process it; quick answers that no one else ever seems to have. That’s because Sandy is an exceptional employee with years of detailed hands-on experience in daily financial system operations and maintenance. Sandy is also an example of the extraordinary level of dependence that many organizations have today on a small handful of their key employees. The now unlamented great recession, during which enterprises relied on retaining the experienced employees they had rather than on traditional hiring and cross-training practices, only exacerbated an existing, ever growing trend. The very real threat that the Sandys of the corporate data world pose to the Enterprise Fraud Management system is not so much that they will commit fraud themselves (although that’s an ever-present possibility) but that they will retire or get another job across town or out of state, taking their vital knowledge of company systems and data with them.

The day after Sandy’s retirement party and, to an increasing degree thereafter, it will dawn on Sandy’s management that it has lost a large amount of information about the true state of its data and financial processing system(s). Management will also become aware, if it isn’t already, of its lack of a large amount of system-critical data documentation that has been carried around nowhere else but in Sandy’s head. The point is that, for some smaller organizations, their reliance on a few key employees for day to day, operationally related information goes well beyond what’s appropriate and constitutes an unacceptable level of risk to their entire fraud prevention programs. Today’s newspapers and the internet are full of stories about hacking and large-scale data breaches that only reinforce how important vulnerable data, and complete documentation of it, is to the on-going operational viability of our client organizations.

Anyone who’s investigated frauds involving large-scale financial systems (insurance claims, bank records, client payment information) is painfully aware that when the composition of data changes (field definitions or content) surprisingly little of the change-related information is formally documented. Most of the information is stored in the heads of some key employees, and those key employees aren’t necessarily involved in everyday, routine data management projects. There’s always a significant level of detail that’s gone undocumented, left out or left to chance, and it falls to the analyst of the data (be s/he an auditor, a management scientist, a fraud examiner or other assurance professional) to find the anomalies and question them. The anomalies might be in the form of missing data, changes in data field definitions, or changes in the content of the fields; the possibilities are endless. Without proper, formal documentation, the immediate or future significance of these types of anomalies for the fraud management system and for the overall fraud risk assessment process itself becomes almost impossible to determine.

If our auditor or fraud examiner, operating under today’s typical budget or time constraints, is not very thorough and misses some of these anomalies, they can end up never being addressed. How many times as analysts have we all tried to explain something about the financial system that just doesn’t look right (like apparently duplicate transactions) only to be told, “Oh, yeah. Sandy made that change back in February before she retired; we don’t have too many details on it.” In other words, undocumented changes to transactions and data, the details of which now exist only in Sandy’s no-longer-available head. When a data driven system is built on incomplete information, the system can be said to have failed in its role as a component of the organization’s fraud prevention program. The cycle of incomplete information gets propagated to future decisions, and the cost of the missing or inadequately explained data can be high. What can’t be seen can’t ever be managed or even explained.
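The anomalies described in the last two paragraphs (missing data, changed field definitions, changed field content, apparently duplicate transactions) can be surfaced by profiling two extracts of the same data set and comparing the profiles, whether or not anyone documented the change in between. The following is an added example, not code from the original post; both extracts, the column names and the drift tolerance are constructed for illustration, and the two profile metrics are deliberately simple ones.

```python
"""Profiling two extracts of the same financial data set to surface undocumented
changes (added example, not from the post; both extracts are constructed).

profile() summarizes each column (share of empty values, share of values that
parse as numbers); drift() reports columns that appeared or vanished and
columns whose profile shifted between extracts; duplicate_keys() finds the
apparently duplicated transactions the text mentions.
"""
import csv
import io

# Constructed extract before an undocumented change
BEFORE = """txn_id,date,amount,vendor_id
1001,2018-01-05,250.00,V10
1002,2018-01-06,75.50,V11
1003,2018-01-07,300.00,V10
"""

# Constructed extract after it: a column was renamed, one added, amounts now
# carry a currency symbol, one amount is blank, and one transaction repeats
AFTER = """txn_id,date,amount,vendor,memo
1004,2018-02-01,$250.00,V10,
1005,2018-02-02,$75.50,V11,
1005,2018-02-02,$75.50,V11,
1006,2018-02-03,,V12,late
"""


def parse(text):
    return list(csv.DictReader(io.StringIO(text)))


def is_number(value):
    try:
        float(value)
        return True
    except ValueError:
        return False


def profile(rows):
    """Per-column summary: share of empty values and share of numeric values."""
    columns = list(rows[0].keys()) if rows else []
    n = len(rows)
    summary = {}
    for c in columns:
        values = [r[c] for r in rows]
        present = [v for v in values if v not in ("", None)]
        summary[c] = {
            "null_rate": round(1 - len(present) / n, 3),
            "numeric_rate": round(sum(is_number(v) for v in present) / max(len(present), 1), 3),
        }
    return summary


def drift(before, after, tolerance=0.2):
    """Human-readable findings on what changed between two extracts."""
    pb, pa = profile(before), profile(after)
    findings = [f"column added: {c}" for c in sorted(set(pa) - set(pb))]
    findings += [f"column removed: {c}" for c in sorted(set(pb) - set(pa))]
    for c in sorted(set(pb) & set(pa)):
        for metric in ("null_rate", "numeric_rate"):
            if abs(pa[c][metric] - pb[c][metric]) >= tolerance:
                findings.append(f"{c}: {metric} {pb[c][metric]} -> {pa[c][metric]}")
    return findings


def duplicate_keys(rows, key):
    """Key values that occur more than once, in first-seen order."""
    seen, dups = set(), []
    for r in rows:
        if r[key] in seen and r[key] not in dups:
            dups.append(r[key])
        seen.add(r[key])
    return dups


if __name__ == "__main__":
    for line in drift(parse(BEFORE), parse(AFTER)):
        print(line)
    print("duplicated txn_id:", duplicate_keys(parse(AFTER), "txn_id"))
```

Every finding this produces is a question for whoever owns the system, not a conclusion; the value is that the questions get asked while someone who remembers the change is still around to answer them.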

In summary, it’s a truly humbling experience to be confronted with how much critical financial information resides in the fading (or absent) memories of past or present key employees, whom the ACFE calls authority figures. As fraud examiners we should attempt to foster a culture among our clients supportive of the development of concurrent systems of transaction-related documentation and the sharing of knowledge on a consistent basis about all systems, but especially regarding the recording of changes to critical financial systems. One nice benefit of this approach, which I brought to the attention of one of my audit clients not too long ago, would be to free up the time of one of these key employees to work on more productive fraud control projects rather than serving as the encyclopedia for the rest of the operational staff.

Regulators & Silos

I was reading last week on LinkedIn about a large, highly regulated financial institution that was defrauded over a long period of time by two different companies, both of which were its suppliers. To add insult to injury, subsequent investigation by a CFE revealed that the two vendors were subsidiaries of a third, which proved also to be a supplier of the victim concern; all three cooperated in the fraud and our victim was completely unaware prior to the investigation of any relationship between them; the kind of ignorance that can draw intense regulatory attention.

This is not as uncommon an occurrence as many might think but it is illustrative of the fact that today’s companies are increasingly forced to expend resources simply trying to understand and manage the complex web of relationships that exist between them and the organizations and people with which they deal; that is, if they want to avoid falling victim to frauds running the whole gamut from the simple to the complex. Such efforts involve gaining perspective on individual vendors and customers but extend far beyond that to include sorting through and classifying corporate hierarchies and complex business-to-business relationships involving partners, suppliers, distributors, resellers, contacts, regulators and employees.

These complex, sometimes overlapping, relationships are only exacerbated by dynamic geographic and cross-channel coordination requirements, and multiple products and customer accounts (our victim financial organization operates in three countries and has over 4,000 employees and hundreds of vendors). No fraud prevention program can be immune in the face of these challenges.

Financial companies that want to securely deliver the best experience to their stakeholders within intensified regulatory constraints need to provide themselves with a complete picture of all the critical parties in their relationships at the various points of service in the on-going process of company operations. The ability to do this requires that organizations have a better understanding of the complicated hierarchies and relationships that exist between them and their stakeholders. You cannot manage what you cannot see and you certainly cannot adequately protect it against fraud, waste and abuse.

The active study of organizational hierarchies and relationships (and their related fraud vulnerabilities) is a way of developing an integrated view of the risk relationships among cooperating entities such as our CFE client companies, their affiliates, customers and partners, across multiple channels, geographies or applications. The identification of organizational relationships can help our client companies clearly and consistently understand how each of their affiliates, business divisions and contacts within a single multi-national enterprise fit within a broader, multidimensional context. Advanced organizational management approaches can help organizations track when key people change jobs within and between their related affiliates, vendors and companies. Advanced systems can also identify these individuals’ replacements, feeding a database of who is where that is vital to tracking shifting patterns of enterprise risk.

Our client financial companies that take the time to identify and document their organizational relationships and place stakeholders into a wider hierarchical context realize a broad range of fraud, waste and abuse prevention related benefits, including:

• Enhanced ability to document regulatory compliance;
• More secure financial customer experiences, leading to enhanced reputation, increased loyalty and top-line growth;
• More confident financial reporting and more accurate revenue tracking;
• Reduction of over-all enterprise fraud risk;
• More accurate vetting of potential vendors and suppliers;
• More secure sales territory and partner program management;
• Improved security program compliance management;
• More accurate and effective fraud risk evaluation and mitigation.

The ability to place stakeholders within hierarchical context is invaluable to helping companies optimize business processes, enhance customer relationships and achieve enterprise-wide objectives like fraud prevention and mitigation. Organizations armed with the understanding provided by documented relationship contexts can improve revenues, decrease costs, meet compliance requirements, mitigate risk while realizing many other benefits.

As with our victimized financial enterprise, a company without relational data on its vendors and other stakeholders can unknowingly be dealing with multiple suppliers that are, in fact, subsidiaries of the same enterprise. The company then not only inadvertently misrepresents the size and makeup of its vendor base but, more importantly, increases its vulnerability to fraud: payments that appear to go to several small vendors really go to one counterparty, so vendor-level approval limits and due-diligence thresholds are never tripped. Understanding the true relational context of an individual supplier can let a company identify the parts of that vendor’s organization that represent internal control weaknesses or elevated fraud risk. Conversely, an organization may fail to treat a weakly controlled stakeholder strategically because it is unaware of how much business it is doing with that stakeholder and its related subsidiaries and divisions.
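As an added example (not from this post or from ACFE materials), the following Python builds the relational context the paragraph describes from a vendor master file: it walks each record’s parent link to the ultimate parent, rolls spend up to that level, compares the apparent vendor count with the true counterparty count, and flags counterparties whose consolidated spend crosses an approval or due-diligence threshold that no single vendor record would trip. The vendor records, the field layout (vendor id, name, parent id, annual spend) and the threshold are constructed assumptions.

```python
"""Resolve vendor records to their ultimate parent and roll spend up to that level.

Added example; not the chapter's or the ACFE's code. The vendor master and the
parent links below are constructed sample data, and the record layout
(vendor_id -> (name, parent_id or None, annual_spend)) is an assumption.
"""
from collections import defaultdict

# Constructed vendor master. parent_id is None for a top-level entity.
VENDOR_MASTER = {
    "V100": ("Acme Holdings Inc", None, 120_000),
    "V101": ("Acme Office Supply", "V100", 410_000),
    "V102": ("Acme Logistics LLC", "V100", 385_000),
    "V103": ("AcmeLog Regional", "V102", 260_000),
    "V200": ("Beta Printing", None, 90_000),
    "V201": ("Beta Print Services", "V200", 15_000),
    "V300": ("Gamma Consulting", None, 700_000),
}


def ultimate_parent(vendor_id, master):
    """Follow parent links to the top of the hierarchy.

    A cycle (A owns B owns A) or a dangling parent reference is a data-quality
    defect in the master file, so it is raised rather than silently skipped.
    """
    seen = set()
    current = vendor_id
    while True:
        if current in seen:
            raise ValueError(f"cycle in vendor hierarchy at {current}")
        seen.add(current)
        parent = master[current][1]
        if parent is None:
            return current
        if parent not in master:
            raise ValueError(f"{current} references unknown parent {parent}")
        current = parent


def consolidate_spend(master):
    """Roll spend up by ultimate parent: {parent_id: (total_spend, [member ids])}."""
    groups = defaultdict(lambda: [0, []])
    for vid, (_, _, spend) in master.items():
        top = ultimate_parent(vid, master)
        groups[top][0] += spend
        groups[top][1].append(vid)
    return {top: (total, sorted(members)) for top, (total, members) in groups.items()}


def counterparty_counts(master):
    """(apparent vendor count, true counterparty count after consolidation)."""
    return len(master), len(consolidate_spend(master))


def flag_fragmented_vendors(master, threshold):
    """Groups whose consolidated spend reaches `threshold` although no single member does.

    These are the relationships the post describes: one counterparty that looks
    like several small vendors, so a single-vendor approval tier or vendor
    due-diligence trigger set at `threshold` never fires.
    """
    flagged = {}
    for top, (total, members) in consolidate_spend(master).items():
        largest_single = max(master[m][2] for m in members)
        if total >= threshold and largest_single < threshold:
            flagged[top] = {
                "name": master[top][0],
                "total": total,
                "largest_single": largest_single,
                "members": members,
            }
    return flagged


if __name__ == "__main__":
    apparent, true = counterparty_counts(VENDOR_MASTER)
    print(f"apparent vendors: {apparent}, true counterparties: {true}")
    for top, info in flag_fragmented_vendors(VENDOR_MASTER, 500_000).items():
        print(f"{top} {info['name']}: consolidated {info['total']:,} "
              f"across {len(info['members'])} records; largest single {info['largest_single']:,}")
```

With the constructed data, seven vendor records resolve to three counterparties, and the Acme group is the one a single-vendor threshold of 500,000 would miss: its four records total 1,175,000 while the largest of them is 410,000. The same walk is what lets a company see how much business it actually does with a weakly controlled stakeholder and its subsidiaries.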

Risk management has always been a core competency for organizations in general and for financial institutions in particular. However, integrated enterprise risk management (ERM) practices and corporate governance disciplines are now a regulatory imperative. Any institution that views corporate governance as merely a compliance exercise is missing the mark; regulatory compliance rises or falls with the quality of the integrated ERM framework. Risk and control are virtually inseparable, like two sides of a coin: risks first must be identified and assessed, and then managed and mitigated through a strong system of internal control. Accurate stakeholder relational data is, therefore, critical to the effectiveness of the overall ERM process.

In today’s environment, the compliance onus rests with the regulated. Ignorance of what is going on inside one’s own enterprise is no longer a defense; responsibility now rests with the board and senior management to satisfy regulators that they have implemented a mature fraud prevention framework throughout the organization, effectively managing risk from the mailroom to the boardroom.

An integrated control framework, with risk measures that are integrated across risk types and across economic and regulatory capital calculations, is warranted. Increased demands for self-attestation require the elimination of fragmentation and silos in business and corporate governance, risk management and compliance.

Compliance needs to be integrated into the organization’s ERM-based fraud prevention framework, making the management of regulatory risk a key part of effective overall compliance. Compliance should be seen less as a function and more as an institutional state of mind, helping the organization anticipate risk as well as avoid it. Embedding compliance as a corporate discipline entrenches fraud prevention controls in people’s roles and responsibilities more effectively than external regulation can. The risk management function must not only address the organization’s compliance requirements but also serve as an agent for improved decision making, loss reduction and competitive advantage in the marketplace.

Organizations can approach investments in corporate governance, relationship identification, risk management practices and regulatory compliance initiatives as one-off, isolated activities, or they can use these investments as an opportunity to strengthen and unify their risk culture, aligning best practices to protect and enhance stakeholder value. A silo-based approach to fraud prevention will not only be insufficient but will also result in compliance processes layered one upon the other, adding cost and duplication, and reducing the overall agility of our client’s business; in effect, increasing risk. This piecemeal reactive approach also leaves a gap between the processes designed to keep the organization in line with its regulatory obligations and the policies needed to protect and improve the franchise. Organizations are only as strong as their weakest components, like the links in a chain.

The ACFE tells us that people tend to identify with their positions, focusing more on what they do than on the purpose of it. This narrows vision on the job and produces a myopic sense of responsibility for the results that all positions produce together. In the event of risk management breakdowns, or when results fall below expectations, it is difficult for people to look beyond their silo. The “enemy is out there” syndrome, a byproduct of seeing only one’s own position, leads people to quickly blame someone or something outside themselves, including regulators, when negative events like long-running frauds are revealed, and to retreat within the perceived safety of their fortress silo. This learning disability makes it almost impossible to find the leverage that can be applied to issues like fraud prevention and response that straddle the boundary between ‘us’ and ‘them’.

However, it is particularly disconcerting that the weakest numbers by industry sector, including financial services, occur in the ACFE studies measuring organization-wide accountability and people’s understanding of their accountability. My personal feeling is that much of the reason for this low score is the perpetuation of organizational silos resulting from management’s failure to adequately identify and document all of its stakeholders’ cross-organizational relationships.

Every Seat Taken!

Our Chapter’s thanks to all our attendees and to our partners, the Virginia State Police and national ACFE for the unqualified success of our May training event, Cyberfraud and Data Breaches! Our speaker, Cary Moore, CFE, CISSP, conducted a fully interactive, two-day session on one of the most challenging and relevant topics confronting practicing fraud examiners and forensic accountants today.

The event examined the potential avenues of data loss and guided attendees through the crucial strategies needed to mitigate the threat of malicious data theft and the risk of inadvertent data loss, recognizing that information is a valuable asset, and that management must take proactive steps to protect the organization’s intellectual property. As Cary forcefully pointed out, the worth of businesses is no longer based solely on tangible assets and revenue-making potential; the information the organization develops, stores, and collects accounts for a large share of its value.

A data breach occurs when there is a loss or theft of, or unauthorized access to, proprietary information that could result in compromising the data. It is essential that management understand the crisis its organization might face if its information is lost or stolen. Data breaches incur not only high financial costs but can also have a lasting negative effect on an organization’s brand and reputation.

Protecting information assets is especially important because the threats to such assets are on the rise, and the cost of a data breach increases with the number of compromised records. According to a 2017 study by the Ponemon Institute, data breaches involving fewer than 10,000 records caused an average loss of $1.9 million, while breaches with more than 50,000 compromised records caused an average loss of $6.3 million. However, before determining how to protect information assets, it is important to understand the nature of these assets and the many methods by which they can be breached.

Intellectual property is a catchall phrase for knowledge-based assets and capital, but it’s helpful to think of it as intangible proprietary information. Intellectual property (IP) is protected by law. IP law grants certain exclusive rights to owners of a variety of intangible assets. These rights incentivize individuals, company leaders, and investors to allocate the requisite resources to research, develop, and market original technology and creative works.

A trade secret is any idea or information that gives its owner an advantage over its competitors, and trade secrets are particularly susceptible to theft for exactly that reason. What constitutes a trade secret depends on the organization, industry and jurisdiction, but generally, to be classified as a trade secret, information must:

• Be secret: The information is not generally known to the relevant portion of the public.
• Confer some sort of economic benefit on its holder: The idea or information must give its owner an advantage over its competitors. The benefit, however, must stem from the information not being generally known, not just from the value of the information itself. The best test of whether information is confidential is whether it would provide an advantage to the competition.
• Be the subject of reasonable efforts to maintain its secrecy: The owner must take reasonable steps to protect its trade secrets from disclosure. That is, a piece of information will not receive protection as a trade secret if the owner does not take adequate steps to protect it from disclosure.

Cary presented in-depth information on the various types of threats to data security including:

–Insiders
–Hackers
–Competitors
–Organized criminal groups
–Government-sponsored groups

Protecting proprietary information is a timely issue, but it is difficult. The event presented a list of common challenges faced when protecting information assets:

–Proprietary information is among the most valuable commodities, and attackers are doing everything in their power to steal as much of this information as possible.
–The risk of data breaches for organizations is high.
–New and emerging technologies create new risks and vulnerabilities.
–IT environments are becoming increasingly complex, making them more expensive, difficult and time consuming to manage.
–There is a wider range of devices and access points, so businesses must proactively seek ways to combat the effects of this complexity.
–The rise in portable devices is creating more opportunities for data to “leak” from the business.
–The rise in Bring Your Own Device (BYOD) initiatives is generating new operational challenges and security problems.
–The rapidly expanding Internet of Things (IoT) has significantly increased the number of network connected things (e.g., HVAC systems, MRI machines, coffeemakers) that pose data security threats, many of which were inconceivable only a short time ago.
–The number of threats to corporate IT systems is on the rise.
–Malware is becoming more sophisticated.
–There is an increasing number of laws in this area, making information security an urgent priority.

Cary covered the entire gamut of challenges related to cyber fraud and data breaches, ranging from legal issues, corporate espionage, social engineering, the use of social media and the bring-your-own-device phenomenon to the impact of cloud computing. The remaining portion of the event was devoted to how enterprises can respond effectively when confronted by these challenges, including breach response team building and breach prevention techniques such as security risk assessments, staff awareness training and the incident response plan.

When an organization experiences a data breach, management must respond appropriately and promptly; during the initial response, time is critical. To ensure that the organization responds in a timely and efficient manner, management should have an incident response plan in place before a breach occurs. A timely response can help prevent further data loss, fines and customer backlash. The plan outlines the actions the organization will take when a breach is reported or identified. Because every breach is different, the plan should not attempt to prescribe a response for every conceivable instance; instead, it should help the organization manage its response and create an environment that minimizes risk and maximizes the chance of success. In short, a response plan should describe the fundamentals the organization can deploy on short notice.

Again, our sincere thanks go out to all involved in the success of this most worthwhile training event!