Category Archives: Computer Forensics - Page 2

Mining the General Ledger

I was chatting via Skype over this last weekend with a former officer of our Chapter who left the Richmond area many years ago to found his own highly successful forensic accounting practice on the west coast. During our conversation, he remarked that he never fails to intensively indoctrinate trainees new to his organization in an understanding of the primary importance of the general ledger in any investigation of financial fraud. With a good sense of those areas of the financial statements most vulnerable to fraud, and with whatever clues the investigative team has gleaned from an initial set of interviews focusing on those accounting entries initially arousing suspicion, he tells his trainees that they’re ready to turn their attention to a place with the potential to provide a cornucopia of useful information. That place is the client firm’s own accounting system general ledger.

My old colleague pointed out that for a fraud examiner or forensic accountant on the search for fraud, there are several great things about the general ledger. One is that virtually all sophisticated financial reporting systems have one. Another is that, as the primary accounting tool of the company, it reflects every transaction the company has entered.

He went on to say that unless the fraud has been perpetrated simply through last-minute topside adjustments, it’s captured in the general ledger somewhere. What’s vital is knowing how, and where, to look. The important thing to keep in mind is the way the ACFE tells us that financial fraud starts and grows. That guidance says that ledger entries entered at particular points in time, say, the final days leading up to the end of a quarter, are more likely to reflect falsified information than entries made at earlier points. Beyond that, a fraudulent general ledger entry in the closing days of a quarter may reflect unusual characteristics. For example, the amounts involved, having been determined by the need to cross a certain numerical threshold rather than by a legitimate business transaction, may by their very nature look a bit strange. Perhaps they’re larger than might be expected or rounded off. It also may be that unusual corporate personnel were involved: executives who would not normally be involved in general ledger entries. Or, if the manipulating executives are not thinking far enough ahead, the documentation behind the journal entries themselves may not be complete or free from suspicion. For example, a non-routine, unusually large ledger entry with rounded numbers that was atypically made at the direction of a senior executive two days before the end of a quarter should arouse some suspicion.

Indeed, once a suspicious general ledger entry has been identified, determining its legitimacy can be fairly straightforward. Sometimes it might involve simply a conversation with the employee who physically made the entry.  My colleague went on to point out that, in his experience, senior executives seeking to perpetrate financial fraud often suffer from a significant handicap: they don’t know how to make entries to the accounting system. To see that a fraudulent entry is made, they have to ask some employee sitting at a computer screen somewhere to do it for them, someone who, if properly trained, may want to fully understand the support for a non-routine transaction coming from an unusual source. Of course, if the employee’s boss simply orders him or her to make the entry, resistance may be awkward. But, if suspicions are aroused, the direction to enter the entry may stick in the employee’s memory, giving the employee the ability to later describe in convincing detail exactly how the ledger entry came to be made. Or, concerned about the implications and the appearance of his own complicity, the employee may include with the journal entry an explanation that captures his skepticism. The senior executive directing the entry may be oblivious to all this. S/he thinks she has successfully adjusted the general ledger to create the needed earnings. Little does she know that within the ledger entry the data-entering employee has embedded incriminating evidence for the forensic accountants to find.

The general ledger may reflect as well large transactions that simply by their nature are suspicious. The investigators may want to ask the executive responsible about such a transaction’s business purpose, the underlying terms, the timing, and the nature of the negotiations. Transaction documentation might be compared to the general ledger’s entry to make sure that nothing was left out or changed. If feasible, the forensic accountants may even want to reach out to the entry’s counter-party to explore whether there are any unrecorded terms in side letters or otherwise undisclosed aspects of the transaction.

As we all know, an investigation will not ordinarily stop with clues gleaned from the general ledger. For example, frequently a useful step is to assess the extent to which a company has accounted for significant or suspicious transactions in accordance with their underlying terms. Such scrutiny may include a search for undisclosed terms, such as those that may be included in side letters or pursuant to oral agreements. In searching for such things, the investigators will seek to cast a wide net and may try to coax helpful information from knowledgeable company personnel outside the accounting function. As our former Central Virginia Chapter officer put it, “I like to talk to the guys on the loading dock. They’ll tell you anything.”

As I’m sure most readers of this blog are aware, while such forensic accounting techniques, and there are many others, can be undertaken independently of what employee interviews turn up, usually the two will go hand in hand. For example, an interview of one employee might yield suspicions about a particular journal entry, which is then dug out of the accounting system and itself investigated. Or an automated search of the general ledger may yield evidence of a suspicious transaction, resulting in additional interviews of employees. Before long, the investigative trail may look like a roadmap of Washington DC. Clues are discovered, cross-checked against other information, and explored further. Employees are examined on entries and, as additional information surfaces, examined again. As the investigation progresses, shapes start to appear in the fog. Patterns emerge. And those executives not being completely candid look increasingly suspicious.

So, with thanks to our good friend for sharing, in summary, if there is predication of a fraud, what sorts of things might a thorough forensic examination of the general ledger reveal?

–The journal entries that the company recorded to implement the fraud;

–The dates on which the company recorded fraudulent transactions;

–The sources for the amounts recorded (e.g., an automated sub-accounting system, such as purchasing or treasury, versus a manually prepared journal entry);

–The company employee responsible for entering the journal entries into the accounting system;

–Adjusting journal entries that may have been recorded.
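The red flags described in this post (entries posted in the final days of a quarter, rounded or unusually large amounts, unusual personnel, manually prepared entries, incomplete documentation) lend themselves to a first-pass automated search of a ledger extract. The sketch below is an added illustration, not part of the original post or of any ACFE tool; the field names, the five-day window, the ten-times-median size test, the use of calendar quarters and the sample entries are all assumptions constructed for the example.

```python
"""First-pass journal-entry red-flag screen (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

# All thresholds are illustrative assumptions, not ACFE guidance.
QUARTER_END_WINDOW_DAYS = 5      # "final days leading up to the end of a quarter"
ROUND_UNIT_CENTS = 100_000       # amount is a whole multiple of 1,000.00
LARGE_MULTIPLE_OF_MEDIAN = 10    # "larger than might be expected"
# Roles that routinely originate ledger entries (hypothetical list).
ROUTINE_ROLES = {"AP clerk", "GL accountant", "Payroll clerk", "Treasury analyst"}


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    posted: date
    amount_cents: int        # integer cents keeps the round-number test exact
    source: str              # feeding sub-system name, or "manual"
    directed_by_role: str    # role of the person who asked for the entry
    has_support: bool        # supporting documentation attached


def quarter_end(d: date) -> date:
    """Last day of the calendar quarter containing d (fiscal = calendar assumed)."""
    end_month = 3 * ((d.month - 1) // 3 + 1)
    if end_month == 12:
        return date(d.year, 12, 31)
    return date(d.year, end_month + 1, 1) - timedelta(days=1)


def red_flags(entry: JournalEntry, typical_cents: float) -> list[str]:
    """Return the names of every red flag the entry trips, in a fixed order."""
    flags = []
    days_left = (quarter_end(entry.posted) - entry.posted).days
    if days_left <= QUARTER_END_WINDOW_DAYS:
        flags.append("near_quarter_end")
    if entry.amount_cents != 0 and entry.amount_cents % ROUND_UNIT_CENTS == 0:
        flags.append("round_amount")
    if abs(entry.amount_cents) > LARGE_MULTIPLE_OF_MEDIAN * typical_cents:
        flags.append("unusually_large")
    if entry.source == "manual":
        flags.append("manual_entry")
    if entry.directed_by_role not in ROUTINE_ROLES:
        flags.append("unusual_requester")
    if not entry.has_support:
        flags.append("missing_support")
    return flags


def rank_entries(entries: list[JournalEntry]) -> list[tuple[str, list[str]]]:
    """Flagged entries only, most flags first; ties broken by entry id."""
    if not entries:
        return []
    typical = median(abs(e.amount_cents) for e in entries)
    scored = [(e.entry_id, red_flags(e, typical)) for e in entries]
    flagged = [(eid, flags) for eid, flags in scored if flags]
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))


# Constructed sample ledger extract; none of these entries come from a real case.
SAMPLE_LEDGER = [
    JournalEntry("JE-1001", date(2016, 1, 14), 1_254_310, "purchasing", "AP clerk", True),
    JournalEntry("JE-1002", date(2016, 2, 3), 845_075, "treasury", "Treasury analyst", True),
    JournalEntry("JE-1003", date(2016, 2, 26), 2_310_050, "manual", "GL accountant", True),
    JournalEntry("JE-1004", date(2016, 3, 15), 500_000, "purchasing", "AP clerk", True),
    JournalEntry("JE-1005", date(2016, 3, 29), 250_000_000, "manual", "CFO", False),
    JournalEntry("JE-1006", date(2016, 3, 30), 1_987_420, "payroll", "Payroll clerk", True),
]

if __name__ == "__main__":
    for entry_id, flags in rank_entries(SAMPLE_LEDGER):
        print(f"{entry_id}: {len(flags)} flag(s): {', '.join(flags)}")
```

A single flag is common among legitimate entries; the ranking matters because it surfaces the entry where several flags coincide, which is the one worth taking to the employee who keyed it.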

Where the Money Is

One of the followers of our Central Virginia Chapter’s group on LinkedIn is a bank auditor heavily engaged in his organization’s analytics-based fraud control program. He was kind enough to share some of his thoughts regarding his organization’s sophisticated anti-fraud data modelling program as material for this blog post.

Our LinkedIn connection reports that, in his opinion, getting fraud data accurately captured, categorized, and stored is the first, vitally important challenge to using data-driven technology to combat fraud losses. This might seem relatively easy to those not directly involved in the process, but experience quickly reveals that having fraud-related data stored reliably over a long period of time and in a readily accessible format represents a significant challenge requiring a systematic approach at all levels of any organization serious about the effective application of analytically supported fraud management. The idea of any single piece of data being of potential importance to addressing a problem is a relatively new concept in the history of banking and of most other types of financial enterprises.

Accumulating accurate data starts with an overall vision of how the multiple steps in the process connect to affect the outcome. It’s important for every member of the fraud control team to understand how important each pre-defined process step is in capturing the information correctly, from the person who is responsible for risk management in the organization to the people who run the fraud analytics program to the person who designs the data layout to the person who enters the data. Even a customer service analyst or a fraud analyst not marking a certain type of transaction correctly as fraud can have an ongoing impact on developing an accurate fraud control system. It really helps to establish rigorous processes of data entry on the front end and to explain to all players exactly why those specific processes are in place. Process without communication and communication without process both are unlikely to produce desirable results. In order to understand the importance of recording fraud information correctly, it’s important for management to communicate to all some general understanding about how a data-driven detection system (whether it’s based on simple rules or on sophisticated models) is developed.

Our connection goes on to say that even after an organization has implemented a fraud detection system that is based on sophisticated techniques and that can execute effectively in real time, it’s important for the operational staff to use the output recommendations of the system effectively. There are three ways that fraud management can improve results within even a highly sophisticated system like that of our LinkedIn connection.

The first strategy is never to allow operational staff to second-guess a sophisticated model at will. Very often, a model score of 900 (let’s say this is an indicator of very high fraud risk), when combined with some decision keys and sometimes on its own, can perform extremely well as a fraud predictor. It’s good practice to use the scores at this high risk range generated by a tested model as is and not allow individual analysts to adjust it further. This policy will have to be completely understood and controlled at the operational level. Using a well-developed fraud score as is without watering it down is one of the most important operational strategies for the long term success of any model. Application of this rule also makes it simpler to identify instances of model scoring failure by rendering them free of any subsequent analyst adjustments.

Second, fraud analysts will have to be trained to use the scores and the reason codes (reason codes explain why the score is indicative of risk) effectively in operations. Typically, this is done by writing some rules in operations that incorporate the scores and reason codes as decision keys. In the fraud management world, these rules are generally referred to as strategies. It’s extremely important to ensure strategies are applied uniformly by all fraud analysts. It’s also essential to closely monitor how the fraud analysts are operating using the scores and strategies.

Third, it’s very important to train the analysts to mark transactions that are confirmed or reported to be fraudulent by the organization’s customers accurately in their data store.

All three of these strategies may seem very straightforward to accomplish, but in practical terms, they are not that easy without a lot of planning, time, and energy. A superior fraud detection system can be rendered almost useless if it is not used correctly. It is extremely important to allow the right level of employee to exercise the right level of judgment. Again, individual fraud analysts should not be allowed to second-guess the efficacy of a fraud score that is the result of a sophisticated model. Similarly, planners of operations should take into account all practical limitations while coming up with fraud strategies (fraud scenarios). Ensuring that all of this gets done the right way with the right emphasis ultimately leads the organization to good, effective fraud management.

At the heart of any fraud detection system is a rule or a model that attempts to detect a behavior that has been observed repeatedly in various frequencies in the past and classifies it as fraud or non-fraud with a certain rank ordering. We would like to figure out this behavior scenario in advance and stop it in its tracks. What we observe from historical data and our experience needs to be converted to some sort of a rule that can be systematically applied to the data in real time in the future. We expect that these rules or models will improve our chance of detecting aberrations in behavior and help us distinguish between genuine customers and fraudsters in a timely manner. The goal is to stop the bleeding of cash from the account and to accomplish that as close to the start of the fraud episode as we can. If banks can accurately identify early indicators of ongoing fraud, significant losses can be avoided.

In statistical terms, what we define as a fraud scenario would be the dependent variable or the variable we are trying to predict (or detect) using a model. We would try to use a few independent variables (as many of the variables used in the model tend to have some dependency on each other in real life) to detect fraud. Fundamentally, at this stage we are trying to model the fraud scenario using these independent variables. Typically, a model attempts to detect fraud as opposed to predict fraud. We are not trying to say that fraud is likely to happen on this entity in the future; rather, we are trying to determine whether fraud is likely happening at the present moment, and the goal of the fraud model is to identify this as close to the time that the fraud starts as possible.

In credit risk management, we try to predict if there will likely be serious delinquency or default risk in the future, based on the behavior exhibited in the entity today. With respect to detecting fraud, during the model-building process, not having accurate fraud data is akin to not knowing what the target is in a shooting range. If a model or rule is built on data that is only 75 percent accurate, it is going to cause the model’s accuracy and effectiveness to be suspect as well. There are two sides to this problem. Suppose we mark 25 percent of the fraudulent transactions inaccurately as non-fraud or good transactions. Not only are we missing out on learning from a significant portion of fraudulent behavior; by misclassifying it as non-fraud, we also lead the model to assume the behavior is actually good behavior. Hence, misclassification of data affects both sides of the equation. Accurate fraud data is fundamental to addressing the fraud problem effectively.

So, in summary, collecting accurate fraud data is not the responsibility of just one set of people in any organization. The entire mind-set of the organization should be geared around collecting, preserving, and using this valuable resource effectively. Interestingly, our LinkedIn connection concludes, the fraud data challenges faced by a number of other industries are very similar to those faced by financial institutions such as his own. Banks are probably further along in fraud management and can provide a number of pointers to other industries, but fundamentally, the problem is the same everywhere. Hence, a number of techniques he details in this post are applicable to a number of industries, even though most of his experience is bank based. As fraud examiners and forensic accountants, we will no doubt witness the impact of the application of analytically based fraud risk management by an ever multiplying number of client industrial types.

The Expert & the Internet

Part of the wrap-up process our Chapter performs following each of our two-day seminars is a review of attendee question topics. As nearly all of them do, our recent ‘Investigating on the Internet: Research Tools for Fraud Examiners’ seminar elicited a number of thoughtful questions, several from attendees whose practices include testimony as an expert witness and employment as legal consultants. From the tenor and content of the questions it appears that these CFEs were acting as experts and consultants in the legal process by assisting attorneys with the financial details of a suit, and testifying about these practices at trial. In such cases CFEs analyze documents and transactions, both internet-based and hard copy, showing how the fraud was accomplished and, when possible, who the most likely perpetrators were. The CFE acts as a guide and adviser for the attorney in assembling the case, and, sometimes, as a major participant as an expert witness in explaining the ways of fraud to a judge and jury.

Experts, in general, are brought in when required by law, as in malpractice suits where a member of a profession, say a physician, has to explain the infraction against professional by-laws or principles; where key points are deemed sufficiently technical or complex, like “cooking-the-books” schemes involving intricate accounting manipulations; or for assisting (some would say, for swaying) the jury in making its final decision.  Federal Rule of Evidence 702 tells us that an expert witness with appropriate knowledge and credentials may testify in any proceeding where scientific, technical, or specialized knowledge will shed light on the dispute.  Even in cases that don’t go to trial, experts may still be involved in mediation, arbitration, settlement conferences, or summary judgment motions. Experts contribute value to the trial process in a myriad of ways. They provide background information to guide and frame a case; during discovery they investigate, run tests, advise on depositions, prepare other witnesses, make exhibits, and respond to the opposition’s discovery requests; they file written opinions, which are entered as evidence into the court record; and they testify in actual proceedings should the case actually make it to a courtroom.

Once they accept a case, many experts immediately begin utilizing online and offline tools to start the process of assembling a narrative version of the events. This detailed summary of the facts of the case serves as the raw material for rendering an official opinion. It’s important that the narrative text be written with care and professionalism. The text may (and probably will) have to be produced during discovery. Additionally, a well-written narrative helps the client attorney in preparing and executing the case at trial. As our speaker, Liseli Pennings, pointed out, perhaps the thorniest challenge for CFEs, once they’re engaged to work on a case, is setting a value on business losses due to fraud. Even though financially related information available on the internet and elsewhere can be of great value in estimating the loss, there may be several methods for evaluating net worth/net loss appropriate to a given case, each rendering a different number at the end. And regardless of the numbers, there’s always the human element.

Article V. of the Association of Certified Fraud Examiners Code of Professional Ethics states:

A fraud examiner, in conducting examinations, will obtain evidence or other documentation to establish a reasonable basis for any opinion rendered.  No opinion shall be expressed regarding the guilt or innocence of any person or party.

The rule that prohibits opinions regarding the guilt or innocence of any person or party is a rule of prudence. Clearly, it’s prudent for a Certified Fraud Examiner to refrain from usurping the role of the jury. In a courtroom, no good attorney would ask a Certified Fraud Examiner for such a conclusion, and no alert judge would allow such testimony. The fraud examiner’s job is to present the evidence in his report. Such evidence might constitute a convincing case pointing to the guilt or innocence of a person. But a clear line should be drawn between a report that essentially says “Here is the evidence” and one that steps over the line and says “He is the guilty (innocent) person.”  Nevertheless, there is a fine line between recommending action – forwarding the evidence to a law enforcement agency or filing a complaint or lawsuit – and giving an opinion on guilt or innocence. Certified Fraud Examiners may make such recommendations because they think the evidence is strong enough to support a case. They might even have a conclusion about whether the suspect committed a crime. The rule does not prohibit the Certified Fraud Examiner, under the proper circumstances, from accusing the person under investigation. However, the ultimate decision of whether a person is “guilty” or “innocent” is for a jury to determine. The CFE is free to report the facts and the conclusions that can be drawn from those facts, but the decision as to whether or not a person is guilty of a crime is a decision for the judge or jury.

As Liseli pointed out, caution as to information reliability is the byword for every use of internet-based information in general, and use by expert witnesses is no exception. According to discovery rules governing expert testimony, everything the expert says or writes about the case after being hired is subject to discovery by opposing counsel. That means everything: internet downloads, narrative versions of the case, comments to the press or law enforcement, hypothetical reconstructions, even notes can be demanded and used by the opposing party. However, CFEs acting as expert witnesses need to be aware of the consulting expert exception.

Experts may consult on the attorney’s work product, i.e., materials the attorney prepares as background for a case. While performing background work, the expert is said to be working as an associate of the attorney, so the exchange is protected…they are two professionals conferring. However, once the expert is hired as a witness, and begins entering opinions as part of the attorney’s case, there is no privilege for any contribution the expert makes. The distinction is something like this: when acting as “witnesses,” experts are bringing official information to the court, and so must disclose any contact with the case; when experts act as “consultants” or “associates” for attorneys or law enforcement, they are only assisting the attorney, and do not have to disclose their involvement in the case.

There is one trap for the unwary. The rule is that if an expert will testify at trial, everything s/he does regarding the case must be turned over to the other side. If an expert works only as a consultant to the attorney, then her work product is not discoverable. However, if a testifying expert reviews the work of the consultant expert, then the work of the consultant expert will be discoverable. Just remember this: if you are hired to testify at trial, anything you used to form your opinion will be subject to review by the opposing party. This includes information downloaded from the internet, notes from other experts, documents received from the plaintiff or defendant, and any documents or notes from the attorney. Be sure to consult with the attorney before you review anything. If the attorney has not given the document to you, then ask before you read. Otherwise, you may inadvertently destroy the confidentiality or privilege of the material.

The utilization of internet-based information resources introduces yet another layer of complexity to the employment of CFEs as expert witnesses and/or attorney consultants. The information available is often vast, almost instantly available and constantly changing. Practitioners and their client attorneys must decide on a case-by-case basis whether it’s best utilized in the role of a consultant or in that of an expert witness.

Lunch & a Common Interest

My wife and I were just finishing up lunch at Maggiano’s here in Richmond last week when an old consulting colleague of mine came up to our table.  Chatting as he accompanied us out of the restaurant and into the parking lot, he told me that he’s currently working as an investigative team member for a local forensic accounting firm on a case of suspected embezzlement.   The client’s management and audit committee are hyper sensitive to employee privacy rights, having experienced a prior grievance lawsuit over alleged wrongful termination and defamation, and my friend had some questions about the common interest privilege and how best to proceed with the investigation in such an environment.

The ACFE tells us that there are a number of important precautions any investigator can take to avoid liability when conducting sensitive investigations. The right to investigate for fraud is implicit in U.S. accounting and legal systems. No special authority is required, although some states regulate the activities of private investigators and others. Generally, an employer, fraud examiner, forensic accountant or other investigator may lawfully interview witnesses, collect evidence where lawfully available, collect and review documents, and examine public records, without fear of liability, if the investigator acts prudently and in good faith. It’s also important that any investigation be based on sufficient “predication.” Predication means that the individual has a sufficient basis and legitimate reason to take each step in the investigation. Anyone who acts irresponsibly, without predication, or in violation of the rights of the subject, can be liable for a number of different civil actions.

Defamation is an unprivileged publication of a falsehood about a person that tends to harm the reputation of that person. The law of defamation actually consists of two torts: libel and slander. Libel is basically defamation that appears in written form, while slander involves defamatory remarks that are only spoken. Aside from the method of publication the elements of these two causes of action are essentially the same. In general, the elements of a defamation claim are:

— A false and defamatory statement is made about the plaintiff;
— This statement is communicated (“published”) to a third party; and
— The plaintiff suffers harm to her reputation or good name as a result.

In any internal fraud-related review, it’s likely that there will be unflattering allegations made against certain persons at some point in the investigation. It’s therefore important that investigative team members understand exactly what constitutes defamation so that they can avoid this potential liability. Statements of pure opinion are not defamatory because, according to the first element of the cause of action, a statement must be false in order to support a defamation suit. An opinion cannot really be proved true or false. Therefore, only statements of fact can give rise to a defamation claim. This does not mean that an investigator can shield herself from liability by phrasing all accusations as statements of opinion – “in my opinion, Allen cooked the books.” Although the preceding statement purports to be an opinion, it implies a fact, that Allen manipulated the books. Therefore, this statement could be found to be defamatory. On the other hand, a statement that a particular employee is “difficult” or that she “seemed uncomfortable” is more likely to be found to be a statement of opinion, and thus not actionable.

The second element of the cause of action requires that the statement be published, i.e., communicated to a third person or persons. The crux of defamation law is that the plaintiff’s reputation is harmed by a false statement. If no one else hears the statement, the plaintiff’s reputation cannot be harmed. This is why publication is a required element of the cause of action. Although the term “publication” is used, this does not mean that the statement has to be published in the traditional sense; it’s enough that the statement is communicated to a third person, either in writing (libel) or through spoken word (slander). In some cases, even hand signals have been found to amount to a publication. If a statement is never communicated to a third person, it cannot be defamatory. Thus, if during an interview an investigator accuses the subject of having stolen money, this will not amount to defamation as long as no one else hears the comment. On the other hand, if during an interview of Smith, the interviewer says, “It appears Jones took the money,” this could amount to defamation, since the accusation against Jones has now been published to Smith.

Aside from truth, the most important defense to a defamation action for my investigating friend is the common interest privilege. If a person makes a statement: (1) in good faith; (2) regarding a subject in which the person making the statement has a legitimate interest or duty; (3) to another person with a corresponding interest or duty, then that statement is exempt from a defamation claim. The statement will be privileged even if it is false, even if it injures the reputation of the employee, and even if it is published to a third person.

The common interest privilege extends to communications about internal investigations among persons with a legitimate interest in the investigation. Interested persons include the investigative team, members of the company’s management who requested the investigation, those who have an interest in the results of the investigation, and those who have authority to implement the recommendations or otherwise make decisions based on the results of the investigation. Some courts also have concluded that a government agency that receives a required or mandated report from the company has a common interest in that report. The law recognizes that these persons have a legitimate need to communicate about the investigation, and that the nature of such an investigation necessarily involves the discussion of the actual or suspected wrongdoing of employees. If every allegation were subject to a defamation suit, this would have a chilling effect on the ability of companies to investigate internal misconduct. Therefore, statements made in good faith among these interested persons are privileged from defamation suits.

But please bear in mind that the common interest privilege is qualified, which means that it can be lost. In order to be privileged, the communication must have been made in good faith. If the person who made the communication knew that it was false or had a reckless disregard for whether it was true or not, then this statement is not privileged, and the speaker can be successfully sued for defamation. Furthermore, the communication is only privileged among those with a “need to know.” If a statement is disseminated outside the group of interested persons, it loses its privilege. Therefore, it’s extremely important to limit the distribution of any internal report to those discussed in the preceding paragraph.

In summary, the common interest privilege is a qualified privilege, meaning that it can be lost if the defendant acts with malice in publicizing falsehoods about the plaintiff. Contrast the common interest privilege with statements made in connection with judicial proceedings; judicial proceeding statements are absolutely privileged. This means that they cannot be the subject of a defamation suit, regardless of the speaker’s motives. The judicial privilege attaches to all statements made by judges, jurors, attorneys, witnesses and other parties to a judicial proceeding. It applies to all aspects of the proceedings, including pretrial depositions and hearings, as well as to all papers or pleadings filed in the case. The idea is that we do not want to hinder the courts’ ability to get at the truth, so all those who testify in a judicial proceeding are absolutely privileged from defamation claims. But keep in mind that intentional falsehoods can still be punished in these settings under perjury laws.

Investigating on the Internet

This May our Chapter, along with our partners the Virginia State Police and national ACFE, will be hosting a two-day seminar – ‘Investigating on the Internet – Research Tools for Fraud Examiners’.  This in-depth session will be taught by Liseli Pennings, Deputy Training Director for the ACFE.  We’ll begin enrolling students in mid-March, so pencil in the dates, May 18th and 19th!

Fraud examiners now have the ability to gain insights from, and test correlations with, a vast array of investigatively relevant information on the Internet, which can be as diverse as suspect competitor information, regulatory filings, and conversations on social media.  Such analytics can provide CFE investigators with a variety of capabilities from investigative planning and risk assessment to fieldwork. They also enable fraud examination practitioners to provide clients with more compelling information about every experienced fraud.

Internet based investigation tools can be classified into three broad categories:

–Retrospective statistical analysis, used to gain deeper insight into important sub-processes in financial and operational areas related to the investigation subject.

–Forward-looking models, built to predict which areas of the business are riskier or simply require a greater level of fraud prevention focus.

–Advanced visualization analytics, used to help transform the investigation by providing deep analytical insights and actionable information through visual tools like interactive charts and dynamic graphics.

In short, investigation on the internet has rapidly evolved from simply allowing CFE’s the ability to provide perspective in hindsight to helping them assemble rich digital views of the present investigative situation. Investigative, internet based analytics provide investigators with the potential to dramatically increase the value of the insights they can provide clients at every level of the examination from evaluation of business risks, to suspect analysis, and on to prosecutorial issues and challenges.

The first step in deploying internet based investigative tools effectively is determining the exact fraud scenario that needs to be addressed – what are the features constituting the scenario under review? Once specific fraud features have been identified, on-line analytical capabilities can be used to source facts, drive understanding, and generate knowledge by addressing three general questions:

–What data can be leveraged to enhance understanding of the exact fraud scenario and improve the performance of its investigation? It’s important to understand the source of the on-line data available and the systems and processes that produce it. Effective data evaluation by the examiner supports the accuracy, completeness, and reliability of the data used in her investigation.

–What is known about the general type of business processes related to the fraud?

–Exactly what fraud scenario is suspected to have transpired and why? What steps should be taken by the client immediately?

Canny use of the internet by the trained investigator can play an important role in answering these questions with a view to optimizing immediate investigative performance. The knowledgeable examiner can frequently look at on-line data from within the organization and outside it, with a focus on patterns, data mining and optimization, data visualization, advanced algorithms, neural analysis, and social networks.

These data can provide powerful insight into every aspect of our cases under investigation. In addition to examination field-work one of the most important uses of internet based investigative tools is to enhance fraud risk management. Analytics available on-line from the ACFE and others help provide a clearer understanding of risks and furnish insights as to how they can be mitigated. Ultimately, the objective is to develop and implement an analytical capability that provides the individual CFE with greater insight into the control failures associated with each major category of fraud. A second important use for internet analytics is to develop a deeper understanding of common fraud related issues. Once a potential issue has been identified, analytics can source the facts (e.g., what does the data tell us about the issue?), drive understanding of the facts (e.g., what has happened?), and generate knowledge (e.g., why did it happen?) to ultimately build a more complete presentation of fraud report findings. A third area for CFE’s to consider is how to leverage the use of the analytics performed for the fraud examination for use by the client throughout their organization. In this regard, the CFE’s report can become an important change agent, driving fraud prevention insights throughout the organization. Business managers and leaders of other organizational risk functions have a need to understand fraud risks and the correlations between data. In many cases, fraud investigative tools developed for use during a fraud examination can evolve into valuable fraud prevention tools and ownership can be transferred to business or functional leaders for ongoing use.

Consider keeping the following in mind when using internet based investigative tools in your investigation:

–Establish a clear understanding of what you’re trying to achieve in your investigation and ensure a linkage to examination planning. This should translate into defined objectives that drive the strategy and long-term vision for the use of the tools as well as surface near-term opportunities.

–Know the data.  It’s important for examiners to understand both the data they have and the data they don’t have when determining how and where to begin using the internet as an investigative tool. This knowledge also prioritizes efforts to collect what’s missing for future analyses and for enhancements to the data driven investigative program.

–Start with a targeted, ad hoc program which will likely yield greater benefits in terms of speeding insights, learning, and long term value. Take the time to learn first and then deploy necessary capabilities across your tool kit.

–Leverage existing cumulative insights. These ever-building insights may provide clues related to the risks and related fraud scenarios to start with, jump-starting the investigative program and building consistency with prior initiatives.

–Take steps to develop a written plan early on in every examination to take action and measure results accurately. Don’t forget that the client organization, systems, and processes that support fraud response and control remediation must be able to take action working with the insights that your final report provides.

Fraud examiners stand at the beginning of a new era in the use of internet based data to enhance the entire fraud examination life cycle. Taking the steps outlined above can help individual practitioners realize gains in effectiveness and efficiency while providing enhanced investigative services.

Please make plans to join your fellow RVACFE Chapter members and guests for an outstanding learning experience on May 18th and 19th.  You won’t be disappointed!

Making Sure It Sticks

As a follow-on to our last blog post (see To Have and to Hold immediately above), I thought I’d talk a little about the documents our investigating CFE was able to find.

These case documents proved critical to the examination and were found in both paper and digital form.   Of the two types of evidence, the digital documents proved the most voluminous and the trickiest from an investigative point of view.  Suspected frauds, such as the one our CFE reader was investigating, leave behind data on computer systems, all kinds of data. Despite the ubiquity of this digital evidence, though, it’s often overlooked, collected incorrectly, or analyzed ineffectively. The rub is that, if relevant evidence isn’t gathered at the very beginning of an investigation, it may be too late to do so later in the process. Therefore, ideally, a CFE’s client organization’s management should consider the importance of digital evidence from the outset of its operations and be prepared to gather it for a wide range of financial fraud related scenarios; indeed, most of the larger, more sophisticated companies, finding themselves routinely under cyber-attack, already do so.

It’s been my experience that many organizations underestimate just how often they may need to produce reliable evidence of what has happened in their information systems.  And, importantly, from the individual CFE’s point of view, they also may underestimate the demands that the legal system makes in terms of ensuring the admissibility and reliability of digital evidence. Unless an organization has developed a detailed incident response plan, much potential evidence will never be collected or will become worthless as a result of contamination. As a preliminary to any investigation involving digital data, CFE’s should assess whether the client organization has applied a consistent and effective approach to managing information security incidents, including staff and organizational responsibilities and procedures; not having done so can prove a significant legal problem for the client in court.  When a follow-up action against a person after an information security related fraud involves legal action, evidence should be collected, retained, and presented to conform to the rules for evidence promulgated by the relevant jurisdiction(s). The examination should also review whether documented procedures are developed and followed when collecting and presenting routine evidence for internal disciplinary actions.

Digital forensic readiness (DFR) focuses on proactively collecting and preserving potential digital evidence. This can limit business risk by providing support for all kinds of legal defense, civil litigation, criminal prosecution, internal disciplinary actions, intellectual property claims, and due care documentation.  It also can document the impact of a crime or disputed action for an insurance or damage claim. In addition, digital forensics can support the recovery process indirectly after an incident (something that proved very important for the client of our CFE in the ‘To Have and to Hold’ case).

When preparing data for use as evidence, all CFE’s know that it’s often necessary to provide further supporting information. It’s important to show that audit trail information can demonstrate that the system used to preserve evidence is functioning appropriately. It’s also important to demonstrate how information progresses through it. Audit trails need to be comprehensive and overseen appropriately, because without them the integrity and authenticity – and thus the evidential weight – of the data stored in the system could be questioned in court.  In addition to the system’s effectiveness, CFE’s need to be concerned with whether access to audit trail information was controlled adequately. In some applications, access may be needed infrequently, thus it’s important that the access procedures be documented.

In most jurisdictions, the legal admissibility of digital evidence (or any evidence) in a court of law is governed by three fundamental principles: relevance, reliability, and sufficiency. Digital evidence is relevant when it can prove or disprove an element of the specific case being investigated. Although the meaning of reliable (i.e., authentic and accurate) varies among jurisdictions, a general principle is to ensure the digital evidence is what it purports to be and has not been spoiled. It is not always necessary to collect all data or to make a complete copy of the original evidence. In many jurisdictions, the concept of sufficiency means that enough evidence has been collected to prove or disprove the elements of the matter.

Information security is key when discussing legal admissibility.  Was the process for capturing electronic information secure? Was the correct information captured, and was it complete and accurate? During storage, was the information changed in any way? When responding to questions by opposing counsel about the authenticity of stored information, organizations must show whether the system was operated correctly at all times. To address this issue, CFE’s should establish that all relevant procedures are well thought out, complete in scope, documented, and operated by competent individuals.
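One way to make the storage questions above checkable, shown as an added example that is not from the original post: every custody event is appended to a hash-chained audit trail, so a later change to the stored evidence or to the log itself becomes detectable. The class name `AuditTrail`, the item id `EX-001`, and the sample evidence bytes, actors and timestamps are all constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the first entry's prev_hash


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only custody log in which every entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def entry_hash(body: dict) -> str:
        # Canonical JSON so the same body always produces the same hash.
        return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))

    def record(self, actor, action, item_id, content: bytes, when: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "when": when,
            "actor": actor,
            "action": action,
            "item_id": item_id,
            "content_sha256": sha256_hex(content),
            "prev_hash": prev,
        }
        entry = dict(body, entry_hash=self.entry_hash(body))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> list:
        """Return the problems found in the log itself (empty list = intact)."""
        problems = []
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != i:
                problems.append(f"entry {i}: sequence gap or reordering")
            if entry["prev_hash"] != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if self.entry_hash(body) != entry["entry_hash"]:
                problems.append(f"entry {i}: entry contents altered")
            prev = entry["entry_hash"]
        return problems

    def verify_item(self, item_id, content: bytes) -> str:
        """Compare stored evidence with the hash recorded when it was acquired."""
        acquired = [e for e in self.entries
                    if e["item_id"] == item_id and e["action"] == "acquired"]
        if not acquired:
            return "no acquisition record"
        if acquired[0]["content_sha256"] != sha256_hex(content):
            return "content changed since acquisition"
        return "ok"


def demo():
    # Constructed sample: the evidence bytes, actors and timestamps are invented.
    evidence = b"constructed sample: general ledger export"
    trail = AuditTrail()
    trail.record("examiner_a", "acquired", "EX-001", evidence, "2015-12-01T09:00:00Z")
    trail.record("examiner_b", "viewed", "EX-001", evidence, "2015-12-02T10:30:00Z")
    intact = trail.verify_chain()
    trail.entries[1]["actor"] = "examiner_c"  # simulate a later edit to the log
    return intact, trail.verify_chain(), trail.verify_item("EX-001", evidence + b" ")


if __name__ == "__main__":
    print(demo())
```

A chain like this only proves internal consistency; the hash of the latest entry still has to be recorded somewhere the log's custodian cannot rewrite.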

To reduce the risk of legal challenges, CFE’s should consider offering evidence that the client organization has implemented security measures. Management should have reviewed information security systems at planned intervals to determine whether their control objectives, controls, processes, and procedures:

–Conform to the requirements of information security standards and relevant regulations;
–Conform to the identified IT security requirements;
–Are implemented and maintained effectively;
–Are performing as expected.

Determining which digital evidence the organization should be collecting and preserving is a two-step process. First, the crimes and disputes the organization is exposed to must be determined. Second, based on the identified exposure, the organization needs to identify potential evidence based on a risk analysis combined with a cost/benefit approach.

DFR is a natural progression for organizations with a mature information security posture, enabling them to pursue perpetrators in the legal domain when other security measures have failed. Among more security-aware CFE clients, it can enhance existing processes and leverage incident response, business continuity, and crime prevention activities. CFE’s can provide assurance of their client organization’s forensic readiness based on the following criteria suggested by the ACFE:

–Whether the organization has identified the main likely threats it faces;
–Whether the organization has identified what sorts of evidence it is likely to need in a criminal proceeding and how it will secure that data;
–Whether the organization has identified the amount and quality of evidence it already has collected;
–Whether the organization is familiar with potential legal problems such as admissibility, data protection, human rights, limits to surveillance, obligations to staff members and others, and disclosure in legal proceedings;
–Whether the organization has identified the management, skill, and resource implications and developed an action plan.

CFE’s, as part of the planning for a fraud or incident investigation, should ensure the completeness and integrity of digital evidence. Moreover, they should ensure that potentially useful evidence is never overlooked.  A functioning and documented DFR supports such assurance and helps make sure that assurance sticks.

Tying Up Loose Ends

Chris Rosetti, a nationally recognized authority on fraud prevention and our July 2015 RVACFES live event speaker, responding to a question during his training session at the Virginia State Police Training Academy, commented that the securing of end-point devices was posing one of the greatest challenges to the fraud prevention programs of many of his clients.  Chris explained that an endpoint is any software or hardware device that has an IP address, transmits data to another device, processes or displays information, or accesses a network or computing infrastructure. So any device that can connect to an organization’s network is an endpoint.

He went on to say that endpoints include such devices as smart phones, IPads, desktops, laptops, and servers, as well as radio frequency devices, routers, firewalls, switches, hubs, network attached storage, and voice-over-IP devices (like desk top VOIP phones replacing conventional landlines). Moreover, to complicate matters further, desktops and laptops generally have one or more wired network cards, Wi-Fi network cards, multiple CD/DVD ROMs, multiple USB ports, modem ports, an Ethernet connection port, and in some cases, Bluetooth and PCMCIA cards. Each of these items constitutes a potential security node and, therefore, a fraud risk.  In his opinion, end point security is a key component in the information security defenses of organizations and is, to this day, being overlooked by a significant number of enterprises.   Surprisingly, Chris says that a fifth of organizations don’t have any form of end point security, which means that their corporate networks and data are potentially exposed to hackers and criminals who can access sensitive information from unprotected access points.  With the unmanaged end point and the mobile end point now ubiquitous business enablers, it doesn’t suffice anymore to just lock down only the endpoints within the office premises or build a formidable perimeter security infrastructure. These end points are not only prone to threats themselves, but also can be a medium for threat vectors to attack the infrastructure.  Current threats include viruses, Trojans, worms, the use of end points as distributed denial-of-service (DDoS) zombie hosts and spyware.

Chris indicates that in his risk assessments and in his fraud prevention practice, new and novel types of threats are emerging almost on a weekly basis. These threats often take advantage of a growing number and variety of end point vulnerabilities, and include the familiar buffer overruns, the more insidious keystroke loggers and instant messaging worms, as well as vulnerabilities even in the security software clients install to protect themselves.  Chris says that the issues related to end point security need to be addressed from two different perspectives: protecting the end point itself and protecting the enterprise from the end point.  Regarding the endpoint itself, CFE’s need to be aware when conducting our fraud risk assessments that a device that does not have the proper tools to detect and prevent malicious codes and attacks (e.g., desktop firewalls, anti-virus programs) can expose the entire organization’s infrastructure to attacks. A device like a cellphone or IPad that is connected to the corporate network and also allowed to connect to the Internet through another medium (e.g., dial-up, wireless) at the same time opens a channel for attackers. Allowing removable storage devices (e.g., thumbdrives, external drives, MP3 players) to connect to the network, and handhelds of all types to synchronize with other networked devices, serves as yet another medium for the entry of malicious code into the enterprise.

According to Chris, the good news is that, according to his count, there are currently more than a hundred tools and products for securing the end point and improving its security health. These include anti-malware programs, desktop firewalls, automatic software patch updaters, an intrusion detection system (IDS), secure remote access tools and port lock down (to prevent USB devices from connecting).  As CFE’s, our fraud risk assessment reports need to emphasize that all devices issued to enterprise employees should have these types of security tools configured and that devices are appropriately locked down. Vulnerability scanners that scan all the devices within the enterprise enhance its fraud management capabilities.

Chris advocates inventorying all the endpoint devices connected to the corporate network as a vital component of the fraud prevention program.  This, in turn, allows the identification of all the interfaces on the various endpoints.  The fraud vulnerability assessment inspection of the end point may identify gaps, e.g., a machine that has not been patched. One inspection policy might be to isolate the machine and deny connectivity. However, the user may be looking to connect and carry out some critical activity; therefore, building a remediation aspect into the inspection process would be important. This way, if a patch is missing, the user can be directed to the site to download a patch and, once it is installed, the user can be allowed to re-connect.  Organizations also lose critical information through USB or equivalent devices. Employees can copy sensitive and protected information on these devices and remove such information from the premises. To stop this from happening, data loss prevention should be part of the organization’s fraud prevention strategy.

Chris additionally advocates including a review of end point vulnerability in every fraud risk assessment used to build the fraud prevention program.   The first step to the fraud vulnerability assessment of any endpoint environment is to understand the organization’s policies and how the policies address endpoint security. Second, CFE’s must understand the technologies deployed to implement endpoint security, if any. This is probably the toughest task because some CFE’s may not be qualified to conduct such reviews on their own. In such cases, Chris recommends it may be best to augment the assessment staff with outside experts, because these technologies change rapidly.

Finally, Chris pointed out that some commercially available endpoint control solutions come with an integrated, risk-based monitoring dashboard. Organizations that have implemented continuous or automated financial audits may want to start deploying the endpoint agents on those nodes that their external auditors audit regularly and let the agents continuously feed data to the dashboard.  This strategy may prove to be a good investment if it reduces total audit costs in the long run and provides greater assurance that the organization’s most critical endpoints are secure.

With the corporate perimeter quickly vanishing, the virtual organization becoming a reality and with more organizations allowing staff members to work from wherever on their own phones, laptops or other wired devices, all CFE’s  should think of how they can bring the anti-fraud security perimeter closer to where the data are and treat everything else as external. We should advocate that all our clients deploy end point security tools  to ensure that the end points are secure from fraud exploits and also that the organization itself is secure from its own end points.

Forensic Accounting in a Time of Terror

It seemed that, hardly had we bid the last family member goodbye and cleared away the Thanksgiving dishes, that we heard about yet another terror attack, this one domestic, in Colorado Springs.  It increasingly feels that the terrorists freely swim in the sea of the vulnerable rest of us.  As fraud examiners and forensic accountants confronted with the problem of assisting our clients and law enforcement in combating the illicit financing of this scourge, it seems to me we should have two basic objectives, follow the money and dry up the money.  I know I’m preaching to the choir but law enforcement and government agencies in collaboration with forensic accountants and fraud examiners can play a key role in tracing the source of terrorist financing directly to those financial activities used to support terror attacks on both our national and on global citizens. Using this information, law enforcement agencies can utilize existing investigative and predictive analytics tools to gather, dissect, and convey data in an effort to distinguish the types of distinctive patterns (just as we daily do with fraud scenarios) leading to future terrorist perpetrated events. Government agencies can employ database inquiries of the terrorist-related financial information that fraud examiners have helped to build to evaluate the future probability of terrorist financing and attacks. Forensic accountants can also review the data to identify the specific patterns related to previous transactions by utilizing those same data analysis tools, which can also be used to assist in tracking the sources of the funds.

Our pivotal role is being increasingly recognized on all sides by those actively engaged in this struggle. According to the ACFE, forensic accountants use a combination of “accounting knowledge with investigative skills in … litigation support and investigative accounting settings” (ACFE, 2015). Hence, it’s no news to readers of this blog that numerous organizations, agencies, and companies employ us forensic accountants to provide investigative services and fraud risk assessments. Among them are public accounting firms, law firms, law enforcement agencies, The Internal Revenue Service (IRS), the Central Intelligence Agency (CIA), and the Federal Bureau of Investigation (FBI).  The FBI is a case in point.  All the way back in 2009, the FBI officially created a forensic accounting position within the Bureau to complement its standard criminal investigations. Now the agency is actively utilizing forensic accountants to investigate domestic and foreign terrorists involved in financial wrongdoing. FBI forensic accountants use various investigative tools to track terrorist financing, i.e. government-wide databases and Financial Crimes Enforcement Network (FinCEN) data inquiries to trace the illicit funds and related transactions of suspected terrorists. The search for illicit funding sources commences after Government agencies share information regarding red flags of possible terrorist activities such as money laundering.

Obstructing terrorist financing requires that fraud examiners have an understanding of both the original and the supply source of the illicit funds. As such financing is typically derived from a poisonous mix of both legal and illegal funding sources, terrorists may attempt to evade detection by funneling money through legitimate businesses thus making the money difficult to trace. Charitable organizations and reputable companies provide a legitimate source through which terrorists may pass money for illicit activities without drawing the unwanted attention of law enforcement agencies. Patrons of legitimate charities and non-profit organizations are often unaware that their personal contributions may support terrorist activities. However, terrorists also obtain funds from obvious illegal sources, such as kidnapping, fraud, and drug trafficking.

Terrorists often change daily routines to evade law enforcement agencies as predictable patterns create trails that are easy for skilled investigators to follow. Audit trails can be traced from the donor source to the terrorist by forensic accountants and law enforcement agencies using specific indicators to assist the tracking. Audit trails reveal where the funds originate and whether the funds came from legal or illegal sources.

Take their use of money laundering and virtual currencies as an example.  Money laundering is a specific type of illegal funding, which can provide the forensic accountant a clear audit trail.  Money laundering is the process of obtaining and funneling illicit funds in order to disguise the connection with the original unlawful activity. Terrorists launder money in order to spend the unlawfully obtained money without drawing attention to themselves and their activities. In order to remain undetected by regulatory authorities, the illicit funds being deposited or spent need to be “washed” to give the impression that the money came from a seemingly reputable source. There are particular types of unusual transactions that raise red flags associated with money laundering in financial institutions. The more times an unusual transaction occurs, the greater the probability it’s the product of an illicit activity.  Money laundering may be quite sophisticated depending on the strategies employed to avoid detection. Some identifiers indicating a possible money-laundering scheme are: lack of identification, money wired to new locations, customer closes account after wiring or transferring large amounts of money, executed out-of-the-ordinary business transactions, executed transactions involving the customer’s own business or occupation, and executed transactions falling just below the threshold trigger requiring the financial institution to file a report.
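Two of the indicators above, amounts falling just below a reporting threshold and repetition raising suspicion, can be screened for mechanically. The following added example (not from the original post) does so over constructed transactions; the 10,000 threshold, the 9,000 "just below" floor and the 7-day window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

REPORT_THRESHOLD = 10_000    # assumed reporting trigger
NEAR_MISS_FLOOR = 9_000      # assumed lower bound of "just below the threshold"
WINDOW = timedelta(days=7)   # assumed look-back window

# Constructed sample data: (customer, date, cash amount)
SAMPLE_TXNS = [
    ("C-100", date(2015, 11, 2), 9_500),
    ("C-100", date(2015, 11, 3), 9_800),
    ("C-100", date(2015, 11, 5), 9_200),
    ("C-100", date(2015, 11, 30), 4_000),   # ordinary amount, ignored
    ("C-200", date(2015, 11, 2), 12_000),   # over the threshold: reported anyway
    ("C-200", date(2015, 11, 20), 9_900),   # a single near-miss
    ("C-300", date(2015, 11, 1), 9_700),
    ("C-300", date(2015, 11, 15), 9_700),   # near-misses, but 14 days apart
]


def is_near_miss(amount):
    """True when the amount sits just under the reporting trigger."""
    return NEAR_MISS_FLOOR <= amount < REPORT_THRESHOLD


def find_structuring(txns, min_hits=2):
    """Flag customers with at least min_hits near-miss amounts inside one window."""
    by_customer = defaultdict(list)
    for customer, day, amount in txns:
        if is_near_miss(amount):
            by_customer[customer].append((day, amount))

    alerts = []
    for customer, hits in by_customer.items():
        hits.sort()
        best, start = [], 0
        # Sliding window: keep the densest run of near-misses within WINDOW.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            if end - start + 1 > len(best):
                best = hits[start:end + 1]
        if len(best) >= min_hits:
            alerts.append({
                "customer": customer,
                "count": len(best),
                "total": sum(amount for _, amount in best),
                "first": best[0][0],
                "last": best[-1][0],
            })
    # More repetitions first, since repetition raises the level of suspicion.
    alerts.sort(key=lambda a: (-a["count"], a["customer"]))
    return alerts


if __name__ == "__main__":
    for alert in find_structuring(SAMPLE_TXNS):
        print(alert)
```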

Virtual currency, unlike traditional forms of money, does not leave a clear audit trail for forensic accountants to trace and investigate. The Government Accounting Office (GAO) has discussed the emerging trend of financial anonymity of Bitcoins and other virtual currency and the need for regulators of traditional banking institutions to become more aware of suspicious activities with respect to virtual currency. According to the GAO, because they operate over the Internet, virtual currencies can be used globally to make payments and funds transfers across borders. The obscurity of Bitcoin currency transactions allows international funding sources to conduct exchanges without a trace of evidence. This co-mingling effect is similar to money laundering but without the regulatory oversight. Government and law enforcement agencies must be able to share information with public regulators when they become suspicious of terrorist financing.

The traditional types of data analysis tools, so familiar to the readers of this blog, which can be effectively used by forensic accountants to investigate these types of terrorist financing include: Benford’s Law, Accounting Command Language (ACL) software, Interactive Data Extraction and Analysis (IDEA) software, data mining software, and financial statement analysis ratios.

Forensic accounting technology is most beneficial in terror related investigations when used in conjunction with the analysis tools of law enforcement agencies to predict and analyze future terrorist activity, before it happens. Even though some of the tools in a forensic accountant’s arsenal are useful in tracking terrorist funds, the ability to identify conceivable terrorist threats is limited. To identify the future activities of terrorist groups, forensic accountants, and law enforcement agencies need to cooperate with one another by standardizing and incorporating the principal analytical tools utilized by all their sister agencies. Agencies and government officials should become familiar with virtual currency like Bitcoins. Because of the anonymity and lack of regulatory oversight, virtual currency offers terrorist groups a useful means to finance illicit activities on an international level. It might be helpful to even conceive of a new government agency to tie together all of the financial forensics efforts of the different organizations so that information sharing is not so compartmentalized as to compromise future investigative cooperation.

To Control Cyber Fraud Rapidly Identify System Abnormalities


According to the Pareto Principle, for many phenomena, 80 percent of the consequences stem from 20 percent of the causes.  Application of the principle to fraud prevention efforts related particularly to automated systems seems increasingly apropos given the deluge of intrusions, data thefts, worms and other attacks which continues unabated, with organizations of all kinds losing productivity, revenue and more customers every month.  ACFE members report having asked the IT managers of numerous victimized organizations over the years what measures their organization took prior to an experienced fraud to secure their networks, systems, applications and data, and the answer has typically involved a combination of traditional perimeter protection solutions (such as firewalls, intrusion detection, antivirus and antispyware) together with patch management, business continuance strategies, and access control methods and policies.  As much sense as these traditional steps make at first glance, they clearly aren’t proving sufficiently effective in preventing or even containing many of today’s sophisticated attacks.

The ACFE has determined that not only are some organizations vastly better than the rest of their industries at preventing and responding to cyber-attacks, but also that the difference between these and other organizations’ effectiveness boils down to just a few foundational controls.  And the most significant within these foundational controls are not rooted in standard forms of access control, but, surprisingly, in monitoring and managing system changes.  It turns out that for the best performing organizations there are six important control categories – access, change, resolution, configuration, version release and service levels. There are performance measures involving each of the categories defining audit, operations and security performance measures. These include security effectiveness, audit compliance disruption levels, IT user satisfaction and unplanned work.  By analyzing relationships between control objectives and corresponding performance indicators, numerous researchers have been able to differentiate which controls are actually most effective for consistently predictable service delivery, as well as for preventing and responding to security incidents and fraud related exploits.

Of the twenty-one most important foundational controls used by the most effective organizations at controlling intrusions, there were two used by virtually all of them. Both of these controls revolve around change management:

  • Are systems monitored for unauthorized changes in real time?
  • Are there defined consequences for intentional unauthorized changes?

These controls are supplemented by 1) a formal process for IT configuration management; 2) an automated process for configuration management; 3) a process to track change success rates (the percentage of changes that succeed without causing an incident, service outage or impairment); and 4) a process that provides relevant personnel with correct and accurate information on all current IT infrastructure configurations. Researchers found that these top six controls help organizations manage risks and respond to security incidents by giving them the means to look forward, averting the riskiest changes before they happen, and to look backward, identifying definitively the source of outages, fraud-associated abnormalities or service issues. Because they have a process that tracks and records all changes to their infrastructure and their success rates, the most effective organizations have a more informed understanding of their production environments and can rule out change as a cause very early in the incident response process. This means they can easily find the changes that caused the abnormal incident and remediate them quickly.

The organizations that are most successful in preventing and responding to fraud-related security incidents are those that have mastered change management, thereby documenting and knowing the ‘normal’ state of their systems in the greatest possible detail. The organization must cultivate a “culture” of change management and causality throughout, with zero tolerance for unauthorized changes. As with any organizational culture, the culture of change management should start at the top, with leaders establishing a tone that all changes must follow an explicit change management policy and process, from the highest to the lowest levels of the organization, with zero tolerance for unauthorized change. These same executives should establish concrete, well-publicized consequences for violating change management procedures, with a clear, written change management policy. One of the components of an effective change management policy is the establishment of a governing body, such as a change advisory board, that reviews and evaluates all changes for risk before approving them. This board reinforces the written policy, requiring mandatory testing for each and every change, and an explicit rollback plan for each in the case of an unexpected result.

ACFE studies stress that post incident reviews are also crucial, so that the organization protects itself from repeating past mistakes. During these reviews, change owners should document their findings and work to integrate lessons learned into future anti-fraud operational practices.

Perhaps most important for responding to and controlling system changes is having clear visibility into all change activities, not just those that are authorized. Automated controls that can maintain a change history reduce the risk of human error in managing and controlling the overall process.

So organizations that focus solely on access and reactive resolution controls at the expense of real time change management process controls are almost guaranteed, in today’s environment, to experience more security incidents, more damage from those incidents, and dramatically longer and less-effective resolution times. On the other hand, organizations that foster a culture of disciplined change management and causality, with full support from senior management, and have zero tolerance for unauthorized change and abnormalities, will have a superior security posture with fewer incidents, dramatically less damage to the business from security breaches and much faster identification and resolution of incidents when they happen.

In conducting a cyber-fraud post-mortem, CFEs and other assurance professionals should not fail to focus on strengthening controls related to reducing 1) the amount of overall time the IT department devotes to unplanned work; 2) a high volume of emergency system changes; and 3) the number and nature of an identified high volume of failed system changes. All these are red flags for cyber fraud risk and indicative of a low level of real time system knowledge on the part of the client organization.
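As an added illustration (not part of the original post), the sketch below reconciles changes observed by an integrity monitor against approved change tickets to surface unauthorized changes, and computes the change success rate and emergency-change share discussed above. The ticket and event schema, the paths, the ticket ids and the shortened hash values are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data; ticket and event fields are a hypothetical schema.
TICKETS = [
    {"id": "CHG-1001", "path": "/etc/ssh/sshd_config", "start": "2024-03-01T22:00",
     "end": "2024-03-01T23:00", "sha256": "aa11", "emergency": False, "incident": False},
    {"id": "CHG-1002", "path": "/opt/app/config.yml", "start": "2024-03-02T01:00",
     "end": "2024-03-02T02:00", "sha256": "bb22", "emergency": True, "incident": True},
    {"id": "CHG-1003", "path": "/etc/sudoers", "start": "2024-03-03T22:00",
     "end": "2024-03-03T23:00", "sha256": "cc33", "emergency": False, "incident": False},
]
# Changes seen by the monitor: path, time observed, hash of the new content.
EVENTS = [
    {"path": "/etc/ssh/sshd_config", "at": "2024-03-01T22:15", "sha256": "aa11"},
    {"path": "/opt/app/config.yml", "at": "2024-03-02T01:30", "sha256": "bb22"},
    {"path": "/etc/sudoers", "at": "2024-03-03T22:10", "sha256": "ff99"},
    {"path": "/etc/sudoers", "at": "2024-03-04T03:40", "sha256": "cc33"},
    {"path": "/usr/local/bin/backup.sh", "at": "2024-03-02T14:05", "sha256": "dd44"},
]

def _ts(value):
    return datetime.fromisoformat(value)

def classify(event, tickets):
    """Return (verdict, ticket_id) for one observed change."""
    candidates = [t for t in tickets if t["path"] == event["path"]]
    if not candidates:
        return ("no_ticket", None)
    in_window = [t for t in candidates
                 if _ts(t["start"]) <= _ts(event["at"]) <= _ts(t["end"])]
    if not in_window:
        return ("outside_window", candidates[0]["id"])
    for t in in_window:
        if t["sha256"] == event["sha256"]:
            return ("authorized", t["id"])
    # A ticket covers this path and time, but the content is not what was approved.
    return ("content_mismatch", in_window[0]["id"])

def reconcile(events, tickets):
    """Attach a verdict to every observed change; non-'authorized' rows need review."""
    return [dict(e, verdict=v, ticket=t)
            for e in events for v, t in [classify(e, tickets)]]

def change_metrics(tickets):
    """Change success rate and emergency-change share, as percentages of all tickets."""
    total = len(tickets)
    ok = sum(1 for t in tickets if not t["incident"])
    emergency = sum(1 for t in tickets if t["emergency"])
    return {"success_rate": round(100 * ok / total, 1),
            "emergency_share": round(100 * emergency / total, 1)}
```

In a post-mortem, the rows that come back as `no_ticket`, `outside_window` or `content_mismatch` are the starting list for the "rule out change as a cause" step.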

Keep Your Friends Close When Planning a Fraud Investigation

Our last post about the natural partnership between the corporate internal auditor, the chairman of the audit committee of the board and the independent fraud examiner elicited a couple of comments about initial investigative steps I thought worth following up. While it’s all well and good to bang on about the benefits of such a tripartite relationship in general, what exactly are the mechanics of how such a partnership actually works during the early, critical days following discovery of what management fears is an actual or suspected fraud?

By definition, we fraud examiners are outside investigative experts in such a situation, best engaged by corporate counsel at the request of the chairman of the audit committee so as to maintain litigation privilege. Why is litigation privilege so important? CFEs are independent, reputable investigative professionals who can add credibility to the inquiry through our detailed knowledge of the complex issues associated with fraud scenarios, computer forensics, forensic accounting and fraud examination. Should the case at hand go to trial, opinion testimony is only admissible if it comes from witnesses (like CFEs) whom the court determines are experts (there have been a number of posts on this blog about the CFE testifying as an expert witness).

The engagement of the CFE should ideally take place as early on in the investigation as possible following management’s determination that the allegation has merit; this is so as to make his or her expertise available to any internal audit group and to the audit committee during the initial fact finding stage of the review.  For example, the first thing the CFE might profitably do following engagement is to review the information initially gathered by internal audit or management for conformance with known categories of fraud scenarios.  What type of fraud does this appear to be?  How was it discovered/who reported it? How credible is the informant?  Who are the personnel involved; what are their titles and responsibilities?

Armed with this information, the CFE is then prepared to bring a significant level of expertise to bear during the next step of the preliminary investigation, a step, in my opinion, too often precluded because the CFE doesn’t have the requisite organizational knowledge. I refer to fraud risk assessment. If the organization has performed a general risk assessment of its critical business processes, the CFE can obtain that assessment from the internal auditors or from the Board and evaluate it with an eye to identification of those vulnerabilities to fraud, waste and abuse that management, for one reason or another (usually budgetary), has chosen to accept. This initial review for vulnerabilities to known types of fraud scenarios should also include examination of monetary, regulatory, reputational and other identified risks. How often has investigation of a suspected fraud of one type led to subsequent revelation of multiple, interconnected others?

With this level of pre-examination intelligence, the CFE is in a strong position to define the objectives of her investigative approach and draft an investigative program.  A clear set of investigative objectives firmly based on knowledge of the risk profile and risk appetite of the actual organization can strongly ground the steps of the fraud investigation program in detailing the exact facts involving any fraud scenario, no matter how complex.  The ability of the internal audit group to identify and schedule data sources and of the chairman of the audit committee of the board to compel management compliance with the investigation are critical to the effectiveness of the planning stage of the investigation.

The final step for early days is the assemblage of the investigative team. Given the sensitive and confidential nature of most fraud investigations, the investigative team should be kept as small as efficient and economical performance of the fraud investigation program allows. The documented, detailed investigative program of the procedural steps to be undertaken during the review should be the guide here, specifying in a preface that all team members are free of bias and conflicts of interest in their conduct of the investigation. As every CFE knows, maintaining independent oversight is crucial for the investigation’s credibility – failure in this area leaves the investigation open to criticism by opposing counsel, regulators, or law enforcement agencies. In planning for the investigation of cases involving financial matters, the internal auditors might prove to be the organizational group of greatest use to the CFE. In frauds involving senior management, however, or in which the risks to the enterprise are significant, the board of directors, the chairman of the audit committee, or a special committee of the board might prove to be the investigating CFE’s most potent planning support.

Insufficient coordination and planning in the early days of an investigation may tip off suspects, leading to the alteration or destruction of potentially vital evidence. Even worse, inaccurate information, or accurate information collected in haste without sufficient attention to generally accepted investigative procedure, might be inadmissible in an eventual court case or lead to sanctions and fines. The bottom line is that planning is always the key to the successful implementation of any fraud investigative process; in those cases where we can look to natural allies within the subject organization in planning our investigation, we should not hesitate to reach out to them as expeditiously as possible.