Category Archives: Anti-Fraud Policy

Cyberfraud & Data Breaches – May 2018 Training Event

On May 16th and 17th, our Chapter, supported by our partners, national ACFE and the Virginia State Police, will present our sixteenth Spring training event, this time on the subject of CYBERFRAUD AND DATA BREACHES.  Our presenter will be CARY E. MOORE, CFE, CISSP, MBA; ACFE Presenter Board member and internationally renowned author and authority on every aspect of cybercrime.  CLICK HERE  to see an outline of the training, the agenda and Cary’s bio.  If you decide to do so, you may REGISTER HERE.  Attendees will receive 16 CPE credits, and a printed manual of over 300 pages detailing every subject covered in the training.  In addition, as a door prize, we will be awarding, by drawing, a printed copy of the 2017 Fraud Examiners Manual, a $200 value!

As the relentless wave of cyberattacks continues, all our client organizations are under intense pressure from key stakeholders and regulators to implement and enhance their anti-fraud programs to protect customers, employees and the valuable information in their possession. According to research from IBM Security and the Ponemon Institute, the average total cost per company, per event of a data breach is US $3.62 million. Initial damage estimates of a single breach, while often staggering, may not consider less obvious and often undetectable threats such as theft of intellectual property, espionage, destruction of data, attacks on core operations or attempts to disable critical infrastructure. These knock-on effects can last for years and have devastating financial, operational and brand ramifications.

Given the broad regulatory pressures to tighten anti-fraud cyber security controls and the visibility surrounding cyber risk, a number of proposed regulations focused on improving cyber security risk management programs have been introduced in the United States over the past few years by various governing bodies of which CFEs need to be aware. One of the more prominent is a regulation issued by the New York Department of Financial Services (NYDFS) that prescribes certain minimum cyber security standards for those entities regulated by the NYDFS. Based on the entity’s risk assessment, the NYDFS law has specific requirements around data encryption, protection and retention, third party information security, application security, incident response and breach. notification, board reporting, and annual certifications.

However, organizations continue to struggle to report on the overall effectiveness of their cyber security risk management and anti-fraud programs. The American Institute of Certified Public Accountants (AICPA) has released a cyber security risk management reporting framework intended to help organizations expand cyber risk reporting to a broad range of internal and external users, including the C-suite and the board of directors (BoD). The AICPA’s reporting framework is designed to address the need for greater stakeholder transparency by providing in-depth, easily consumable information about an organization’s cyber risk management  program. The cyber security risk management examination uses an independent, objective reporting approach and employs broader and more flexible criteria. For example, it allows for the selection and utilization of any control framework considered suitable and available in establishing the entity’s cyber security objectives and developing and maintaining controls within the entity’s cyber security risk management program, whether it is the US National Institute of Standards and Technology (NIST)’s Cybersecurity Framework, the International Organization for Standardization (ISO)’s ISO 27001/2 and related frameworks, or internally developed frameworks based on a combination of sources. The examination is voluntary, and applies to all types of entities, but should be considered a leading practice that provides the C-suite, boards and other key stakeholders clear insight into an organization’s cyber security program and identifies gaps or pitfalls that leave organizations vulnerable.

Cyber security risk management examination reports are vital to the fraud control program of any organization doing business on-line.  Such reports help an organization’s BoD establish appropriate oversight of a company’s cyber security risk program and credibly communicate its effectiveness to stakeholders, including investors, analysts, customers, business partners and regulators. By leveraging this information, boards can challenge management’s assertions around the effectiveness of their cyber risk management programs and drive more effective decision making. Active involvement and oversight from the BoD can help ensure that an organization is paying adequate attention to cyber risk management. The board can help shape expectations for reporting on cyber threats and fraud attempts while also advocating for greater transparency and assurance around the effectiveness of the program.

Organizations that choose to utilize the AICPA’s cyber security attestation reporting framework and perform an examination of their cyber security program may be better positioned to gain competitive advantage and enhance their brand in the marketplace. For example, an outsource retail service provider (OSP) that can provide evidence that a well-developed and sound cyber security risk management program is in place in its organization can proactively provide the report to current and potential customers, evidencing that it has implemented appropriate controls to protect the sensitive IT assets and valuable data over which it maintains access. At the same time, current and potential retailor customers of an OSP want the third parties with whom they engage to also place a high level of importance on cyber security. Requiring a cyber security examination report as part of the selection criteria would offer transparency into  outsourcers’ cyber security programs and could be a determining factor in the selection process.

The value of addressing cyber security related fraud concerns and questions by CFEs before regulatory mandates are established or a crisis occurs is quite clear. The knowledgeable CFE can help our client organizations view the new cyber security attestation reporting frameworks as an opportunity to enhance their existing cyber security and anti-fraud programs and gain competitive advantage. The attestation reporting frameworks address the needs of a variety of key stakeholder groups and, in turn, limit the communication and compliance burden. CFE client organizations that view the cyber security reporting landscape as an opportunity can use it to lead, navigate and disrupt in today’s rapidly evolving cyber risk environment.

Please decide to join us for our May Training Event on this vital and timely topic!  YOU MAY REGISTER 0N-LINE HERE.  You can pay with PayPal (you don’t need a PayPal account; you can use any credit card) or just print an invoice and submit your payment by snail mail!

Bribery & Deferred Prosecution

Between January and February 2015, a prominent trade organization focusing on American attorneys conducted a survey of 243 Chief Legal Officers of global companies to assess the corporate counsel’s opinion regarding the greatest threats to their organization’s growth. Respondents were asked to rank their top three concerns. Not surprisingly, economic uncertainty was at the top of the list with 57% of the respondents ranking it in their top three. The unexpected finding was that 53% of the respondents named regulatory compliance and enforcement as a top concern as well.

When asked to specify which laws caused them the most concern 28% identified the Foreign Corrupt Practices Act and 15% identified the UK Bribery Act. This means 43% of the respondents named anti-bribery laws as one of their top three concerns, more than any other law or regulation identified. When asked about the resources spent on regulatory compliance and enforcement, the response was also surprising as only 38% of the corporate counsel who identified regulatory compliance and enforcement as a threat, are expending resources to address the threat. As a follow up to the 2015 survey, the same organization conducted a second survey in early 2017 to gain further insight into corporate counsels’ ability to address regulatory and compliance threats. This time 256 respondents were surveyed, 62% of whom stated that their organization is designing or building some type of robust internal compliance program. Although this is movement in the right direction, over a third of the organizations surveyed still may not be prepared to detect or deter bribery and corruption. Most significantly, they will not be prepared to meet government expectations if a violation occurs and self-reporting is required. Lastly, 54% of the respondents stated that they are building or expanding their in-house systems to address this threat. Many believe that compliance technology is the appropriate answer as regulators prefer technical solutions to these problems, because they are viewed to be sophisticated and ‘state of the art’.

This research should be of special interest to all CFEs because we work so frequently with corporate counsels, but indeed, to assurance professionals in general who like fraud examiners are on the front line in the fight against corruption.

The Foreign Corrupt Practices Act (FCPA) was enacted in 1977 but aggressive enforcement did not really pick up until around 2005 when there were twelve enforcement actions.  The purpose of the FCPA was to prevent the bribery of foreign government officials when negotiating overseas contracts. The FCPA imposes heavy fines and penalties for both organizations and individuals. The two major provisions address: 1) bribery violations and 2) improper books and records and/or having inadequate internal controls. Methods of enforcement and interpretation of the law in the US have continued to evolve over the years.

The FCPA created questions of definition and interpretation, i.e., Who is a “foreign official?” What is the difference between a “facilitation” payment and a bribe? Who is considered a third party? How does the government define adequate internal controls to detect and deter bribery and corruption?

The enactment of the United Kingdom (UK) Bribery Act in July 2010 was the first attempt at an anti-bribery law to address some of these issues. The UK Bribery Act introduced the concept of adequate procedures, that if followed could allow affirmative defense for an organization if investigated for bribery. The UK Bribery Act recommended several internal controls for combating bribery and introduced the incentive of a more favorable result for those who could document compliance. These controls include:

• Established anti-bribery procedures
• Top level commitment to prevent bribery
• Periodic and documented risk assessments
• Proportionate due diligence
• Communication of bribery prevention policies and procedures
• Monitoring of anti-bribery procedures

The concept of an affirmative defense for adequate procedures creates quite a contrast to FCPA which only offers affirmative defense for payments of bona fide expenses or small gifts within the legal limits of the foreign countries involved.

The UK Bribery Act equated all facilitation and influence payments to bribery. Finally, the UK Bribery Act dealt with the problem of defining a foreign official by making it illegal to bribe anyone regardless of government affiliation. Several countries such as Russia, Canada and Brazil have enacted or updated their anti-bribery regulations to parallel the guidelines presented in the UK Bribery Act. The key to the effectiveness of all these acts remains enforcement.

In November 2012 the US Department of Justice and the Securities Exchange Commission released “A Resource Guide to the Foreign Corrupt Practices Act.” The guide book introduced several hallmarks of an effective compliance program. The Resource Guide provided companies with the tools to demonstrate a proactive approach to deter bribery and corruption. Companies in compliance may receive some consideration during the fines and penalty stage.

The guide’s hallmarks include:

• Establish a code of conduct that specifically addresses the risk of bribery and corruption.
• Set the tone by designating a Chief Compliance Officer to oversee all anti-bribery and corruption activities.
• Training all employees to be thoroughly prepared to address bribery and corruption risk.
• Perform risk assessments of potential bribery and corruption pitfalls by geography and industry.
• Review the anti-corruption program annually to assess the effectiveness of policies procedures and controls.
• Perform audits and monitor foreign business operations to assure compliance with the code of conduct.
• Ensure that proper legal contractual terms exist within agreements with third parties that address compliance with anti-bribery and corruption laws and regulations.
• Investigate and respond appropriately to all allegations of bribery and corruption.
• Take proper disciplinary action for violations of anti-bribery and corruption laws and regulations.
• Perform adequate due diligence that addresses the risk of bribery and corruption of all third parties prior to entering a business relationship.

The SEC and DOJ entered into the first ever Non-Prosecution Agreement (NPA) for Foreign Corrupt Practices violations in 2013. This decision was a harbinger from the DOJ and SEC with regard to future enforcement actions. The NPA highlighted the “extensive remedial measurements and cooperation efforts” that the defendant company demonstrated during the investigation. The corporation paid only $882,000 in fines because they were able to “demonstrate a strong tone from the top and a robust anti-corruption program”.

Under a Deferred Prosecution Agreement (DPA) the DOJ files a court document charging the organization while simultaneously requesting that prosecution be deferred to allow the company to demonstrate good conduct going forward. The DPA is an agreement by the organization to: cooperate with the government, accept the factual findings of the investigation, and admit culpability if so warranted. Additionally, companies may be directed to participate in compliance and remediation efforts, e.g., a court-appointed monitor.

If the company completes the term of the DPA, the DOJ will dismiss the charges without imposing fines and penalties. Under the Non-Prosecution Agreement, the DOJ maintains the right to file charges against the organization later should the organization fail to comply. The NPA is not filed with the courts but is maintained by both the DOJ and the company and is posted on the DOJ website. Like the DPA, the organization agrees to monetary penalties, ongoing cooperation, admission to relevant facts, as well as compliance and remediation of policies, procedures and controls. If the company complies with the agreement, the DOJ will drop all charges.

The key differences between a deferred prosecution case and one not featuring deferred prosecution is the initial response of the defendant company to the discovery of improper payments. In a deferred prosecution case the response usually features prompt self-reporting, full cooperation with the government and the quality of the serious remedial steps taken, including termination of implicated personnel and the modification of company behavior in the country where the violations occurred. Additionally, deferred prosecution defendants frequently discover the improper payments while in the process of enhancing their anti-bribery and corruption controls.

Originally allegations of FCPA violations were received through a company’s internal whistleblower hotline. That trend changed with the enactment of the Sarbanes Oxley Act in 2002 and the Dodd-Frank Act in 2012. These laws created other means and mechanisms for reporting suspicions of illegal activity and provided protections from retaliation against whistleblowers. The Dodd-Frank Act also has monetary incentives of 10% to 30% of the amounts recovered by the government to encourage whistleblowers to come forward. Companies considering whether to disclose potential anti-corruption problems to the SEC must now consider the possibility that a potential whistleblower may report it first to the government thus creating greater liability for the organization.

In conclusion, according to recent reporting by the ACFE, corporate compliance programs continue to mature, and are now accepted as a cost of conducting business in a global marketplace. The US government continues to clarify its expectations about corporate responsibility at home and abroad and works with international partners and their compliance programs. Increased cooperation between the public and private sectors to address these issues will assist in leveling the playing field in the global marketplace. Non-government and civil society organizations, i.e. World Bank and Transparency International play a key role in this effort. These organizations set standards, apply pressure on foreign governments to enact stricter anti-bribery and corruption laws, and enforce those laws. Coordination and cooperation among government, business and civil entities like the ACFE, reduce the incidences of bribery and corruption and increase opportunities for companies to compete fairly and ethically in the global marketplace.

Basic Cash Concealment Strategies

One of the topics in which readers of this blog have expressed consistent interest over the years regards the many strategies of cash asset concealment employed by fraudsters; especially by embezzlers of relatively small sums from employers, who seem particularly creative at such manipulations.  Regardless of the method used to hide ill-gotten assets, one fact remains constant; proceeds from illicit activities must be disguised in some way to avoid being discovered. Those the ACFE dubs ‘asset hiders’ have developed many sophisticated techniques for working the system and accomplishing the goal of concealing their gains; in attempting to track down and recover secret stores of cash, the fraud examiner is presented with a true challenge, and the first step in meeting this challenge is to understand how asset hiders work. This post will concentrate on the concealment of raw cash.

There are three primary ways to hide cash assets. They are:

— Currency hoards;
— Cashier’s checks and traveler’s checks;
— Deposits to financial institutions.

The most basic method for hiding cash is the currency hoard, in which a person simply stores cash in a hidden location, usually in his or her home or on her property. This is the proverbial ‘cash under the mattress’ technique. In a typical home, hiding places for currency or other valuables can range from the obvious to the ingenious.

For example, precious metals and jewelry can easily be hidden in a layer of cooking grease at the bottom of a pot. The space beneath the bottom drawer of bureaus, chests, and cabinets is also a commonly used hiding place. Loose bricks in the wall or fireplace can disguise small spaces for hiding things. A more complex scheme is to build a false ceiling below the original ceiling and then use the space between the two as a hiding place.

Another place to hoard currency is in furniture. The hollow spaces of upholstered furniture make these pieces a good hiding place. Many people find false bottoms in drawers or inside stereo speakers useful places for hiding cash.

The basic structure of the home itself provides many opportunities for creating hiding places. One of the most common spots for hiding objects is in the walls. Cunning hiders may construct false walls in closets or pantries, or they may build large cavities into a wall, which is then covered with a mirror or a painting. Installing false light switch plates and electrical outlets provides easy access to spaces between walls and generally appear quite normal, although amateurs often leave tell-tale marks on the plate screws. These marks often provide searchers with signs of tampering and can lead to the discovery of a cache. An even simpler method is to hide currency inside the electrical boxes behind real electrical plates. If a larger space is needed, hiders sometimes remove the box from the wall and build a shelf below it. Significant amounts of currency can be hidden in these spaces. Currency hoards can also be hidden above ceiling light boxes in the space below the attic.

The plumbing system provides other natural hiding places. For example, many bathrooms have access holes under the sink, which are usually covered with a removable chrome disk. These access holes are designed so a cleaning ‘snake’ can be inserted into the main drain when the lines are clogged. This space is easily utilized as a hiding space. Floor drains are also used for hiding currency. Excellent hiding places can be created by installing false pipes that appear to be part of the home’s plumbing. Some individuals hide objects and money in shower curtain rods. Other places frequently used for hiding are air ducts, doors, and stairways. Heating and cooling system ducts are generally easy to access and have plenty of empty space. Hollow core doors are easily rigged for hiding. The top surface of the door can simply be cut away, allowing access to the natural secret compartment inside. Enclosed staircases have dead space underneath that is accessible. If the staircase is not enclosed, there may be usable space for small objects behind each of the risers. Stairs can be hinged, creating a hidden compartment underneath.

Cashier’s and traveler’s checks are another method used to hide assets. These instruments are useful for several reasons:

–They allow asset hiders to easily disguise their financial dealings from asset seekers like law enforcement, CFEs and forensic accountants;
–They help disguise the asset hider’s financial dealings and reduce the amount of currency physically carried;
–Cashier’s checks or traveler’s checks in denominations of less than $10,000 are negotiable financial instruments that can be exchanged almost any place in the world.

Whilst efforts to control the use of wire transfers for money laundering have traditionally been focused on banks, examiners also need to be aware that there are non-bank money transmitters that fraudsters often use to conceal cash assets.  These non-bank transmitters specialize in money transfers for individuals rather than businesses. In addition to other services, most non-bank transmitters sell money orders and traveler’s checks. These companies range from large international enterprises like Western Union to small mom-and-pop neighborhood check cashing businesses.

There are several reasons fraudsters like using non-bank transmitters. First, non-bank transmitters allow individuals to cash personal checks or wire money to family members nationally or in other countries. Check cashing companies and other sellers of money orders, such as convenience stores and grocery stores, provide a much-needed service to people without bank accounts. Second, non-bank transmitters allow individuals to obtain many individual traveler’s checks and money orders in amounts less than $10,000 each. Most states regulate check cashing and the sale of money orders with licensing and bonding requirements. The Money Laundering Suppression Act of 1994 required all money transmitters to register with the U.S. Department of Treasury. Furthermore, like other financial institutions, these businesses are required to file currency transaction reports (CTRs) for transactions of $10,000 or more in currency and coins, and they are required to file Suspicious Activity Reports (SARs) with the Treasury Department for certain classes of suspect transactions.

Check cashing companies have been known to receive illegally earned or stolen currency and use it to cash legitimate checks for their customers, thus avoiding CTRs or to structure transmittals by issuing multiple traveler’s checks and money orders for less than $10,000 each. Third, the transactions of non-bank transmitters will not trigger a mechanism for identifying unreported cash. Although money transmitters are classified as financial institutions, they are not depository institutions but operate through accounts with commercial banks. And, unlike bank accounts, which contain copies of deposits and canceled checks used in locating assets, non-bank money transmitters do not maintain copies of deposits and canceled checks. Unless the money order or traveler’s check appears in the financial records of the asset hider, it will likely go undetected since there is no place for the investigator to begin a search. However, once a money order or traveler’s check has been specifically identified, it can be traced back like any other financial instrument.

Banks and other financial institutions are frequently utilized by secrecy seekers as vehicles for hiding or disguising currency. The methods used may be as simple as renting a safe-deposit box and storing currency or valuables inside.  Searching the safe-deposit box of a suspected embezzler for evidence is not easily accomplished. It requires a court order. But; even if access to the box is denied, the investigator in a hidden asset case can often make educated guesses as to the contents by observing the movements of the hider. For instance, if the subject makes a visit to her safe-deposit box after attending an antique jewelry collector’s exposition, the examiner could surmise a collection of jewelry items is stored therein. Trips made to a safe-deposit box before foreign travel may indicate that the hider is moving money from his or her native country to a foreign location.

The banking system is, without question, the most important vehicle of both lawful and unlawful financial transactions. While most bankers are not active participants in asset hiding, it can be extremely difficult to distinguish between legitimate transactions and those conducted by secrecy seekers. Some bankers even prefer to close their eyes to the sources of their deposits and, in doing so, knowingly accept tainted funds. It’s important to understand how secrecy seekers use bank deposits and funds transfers to hide assets.  For the examiner, it’s important to know that most large banks have computer programs that can retrieve a specific wire transfer record. Many medium-sized banks cannot electronically retrieve specific wire data more than a month old, and some banks would have to search manually for records. However, even small banks usually send their international money transfers through one of the large Money Center banks, thus creating a record. Many large banks have enhanced their record-keeping systems to assure themselves and bank regulators that they are in full compliance with the Bank Secrecy Act. Some institutions have systems that monitor the wire transfer activity of certain accounts and generate periodic reports highlighting the consolidation of incoming wires followed by an outgoing wire transfer. Most of these systems are designed to monitor only customer accounts and do not record funds transfer services provided for non-depositors for which the bank serves only as an intermediary.

To conduct a successful wire transfer search, the examiner should have as much information as possible relating to the transfer in question when contacting the appropriate entity. Having the following information on hand will help make the search much more efficient:

— Date of transfer
— Amount of transfer
— Names of sending and receiving institutions
— Routing numbers of sending and receiving institutions
— Identity of sender and designated receiver
— Input sequence and/or output sequence

While most banks do not actively participate in fraudulent transfers, some signs for the examiner that could indicate collusion between a bank and its customer are:
— Allowing clients whose funds are not of foreign origin to make investments limited to foreigners;
— Acting without power of attorney to allow clients to manage investments or to transmit funds
on behalf of foreign-registered companies or local companies acting as laundries;
— Participating in sequential transactions that fall under the government reporting thresholds;
–Allowing telephone transfers of funds without written authorization and failing to keep a record of such transfers;
— Entering false foreign account number designations with regard to wire transfers.

What am I Bid!

A couple of recently reported high profile cases (one from the governmental and one from the private sector), involving bid rigging in the mid-western construction industry merit a consideration of the principle fraud scenarios involved.  The ACFE tells us that in a legitimate competitive bidding process, vendors submit confidential bids stating the price at which they will complete a contract or project, based on the specifications set forth by the purchasing company. Legally, all bidders are supposed to be able to bid under the same terms and conditions. Bid-rigging schemes occur when an employee fraudulently assists a vendor in winning a contract. The competitive bidding process can be tailor-made for bribery, as several suppliers or contractors vie for contracts in what can be a very cutthroat environment. An “inside influence” can ensure that a vendor wins the sought-after contract; thus, many vendors are willing to pay for this influence.

The way competitive bidding is rigged depends largely upon the level of influence of the corrupt employee. The more power a person has over the bidding process, the more likely the person will be able to influence the selection of a supplier. Therefore, employees who participate in bid-rigging schemes tend to have major influence over the competitive bidding process. Potential targets for accepting bribes include buyers, contracting officials, engineers and technical representatives, quality or product assurance representatives, subcontractor liaison employees, or anyone else with authority over the contract awards.

Bid-rigging schemes can be categorized based on the stage of bidding at which the fraudster exerts his or her influence. Thus, bid-rigging schemes can be separated into three categories: pre-solicitation phase, solicitation phase, and submission phase.

–Pre-solicitation fraud: This occurs before bids are officially sought for a project. There are two distinct types of pre-solicitation phase bid rigging scenarios. The first is a need recognition scenario in which an employee is paid to convince her company that a project is necessary. The result of such a scheme is that the victim company purchases unnecessary goods or services from a supplier at the direction of the corrupt employee. The second is a specifications scenario, in which a contract is tailored to the strengths of a supplier: the vendor and an employee set the specifications of the contract to accommodate the vendor’s capabilities.

–Solicitation fraud: During this phase, the purchaser requests bids from potential contractors. Fraudsters attempt to influence the selection of a contractor by restricting the pool of competitors from whom bids are sought. In other words, a corrupt vendor pays an employee to assure that one or more of the vendor’s competitors do not get to bid on the contract. Thus, the corrupt vendor can improve its chances of winning the job. There are several different variations of basic  solicitation schemes:

-Bid-pooling: Several bidders conspire to split up contracts, assuring that each gets a certain amount of work. Instead of submitting confidential bids, the vendors discuss what their bids will be, so they can guarantee that each vendor will win a share of the purchasing company’s business. Furthermore, since the vendors plan their bids in advance, they can conspire to raise their prices.

-Bid-splitting: Some companies and government divisions require that a purchase or contract over a certain dollar amount go through a formal bidding process. In these cases, a company pays an employee to split a contract into small dollar amounts that will not require a formal bid. Then, the employee simply gives the contract to the vendor offering the kickback, thus avoiding the bidding process altogether.

-Fictitious suppliers: Another way to eliminate competition is to solicit bids from fictitious suppliers. The perpetrator uses quotes from several fictitious companies to demonstrate competitive pricing on final contracts. In other words, bogus price quotes can validate actual (and inflated) pricing of an accepted contract.

-Time advantages: Competition can be limited by severely restricting the time for submitting bids. That way, certain suppliers are given advance notice of contracts before bid solicitation, so they have adequate time to prepare. These vendors have a decided advantage over the competition. A vendor can also pay an employee to turn over the specifications to him or her earlier than to his or her competitors.

-Limited scope of solicitations: Bids can be solicited in obscure publications or during holiday periods, so some vendors are unlikely to see them. This eliminates potential rivals and creates an advantage for corrupt suppliers. In more blatant cases, the bids of outsiders are accepted but are “lost” or improperly disqualified by the corrupt employee of the purchaser.

–Submission fraud: During this phase, bids are given to the buyer. Competitive bids are confidential and are supposed to remain sealed until the date all bids are opened and examined. People with access to sealed bids are often the targets of unethical vendors. Some vendors will pay to submit their bid last, knowing what others bid or to see competitors’ bids and adjust their own bid accordingly.

In bid-rigging scenarios, an employee sells his influence or access to confidential information. Since information can be copied or sold without taking it outside the organization, there is no missing asset to conceal. The perpetrator merely must conceal the use of influence or the transfer of information. S/he also needs to ensure that all of the appropriate documentation is available in case someone reviews his or her decisions. An illegally won contract results in profits that a vendor would not have earned under normal conditions. The vendor employee responsible for arranging the bid-rigging can be rewarded with cash, a promotion, power, or prestige.

Companies are far from defenseless in controlling for these types of abuses.  CFEs and other assurance professionals can proactively advise on the setting up of policies and on the establishment of controls over the bidding process and by helping to verify, through on-going testing, that they are enforced.  In reviewing the bid-letting process, management or its auditors should look for:

-Premature disclosure of information (by buyers or firms participating in design and engineering), indicating that information was revealed to one bidder and not the others.
-Limited time for submission of bids (so only those with advance information have adequate time to prepare bids or proposals).
-Failure to make potential competitors aware of the solicitation, e.g., by using obscure publications to publish bid solicitations or the publication of bid solicitations during holidays.
-Vague solicitations regarding time, place, or other requirements for submitting acceptable bids.
-Inadequate control over number and destination of bid packages sent to interested bidders.
-Purchasing employee helps contractor prepare a bid.
-Failure to amend solicitation to include necessary bid clarification, such as notifying one contractor of changes that can be made following the bid.

Clients should also be advised to examine contract specifications before bids are solicited and to check for any of the following conditions:

-Instances of unnecessary specifications, especially where they might limit the number of qualified bidders.
-Requirements inadequately described. A vendor might bribe an employee to prepare vague specifications with the intention of charging more money after being accepted as the approved vendor.
-Specifications developed with the help of a contractor or consultant who will be permitted to bid or work on the contract.

We can also advise our clients to closely review bid acceptances to ensure that all policies and controls were enforced. Specifically, they should look for the following:

-Specifications tailored to a particular vendor.
-Unreasonably restrictive pre-qualifications.
-An employee who defines a “need” that could only be met by one supplier.
-An employee who justifies a sole-source or noncompetitive procurement process.
-Changes in a bid once other bidders’ prices are known, sometimes accomplished through deliberate mistakes “planted” in a bid.
-Bids accepted after the due date.
-Low bidder withdraws to become a subcontractor on the same contract.
-Falsified documents or receipt dates (to get a late bid accepted).
-Falsification of contractor qualifications, work history, facilities, equipment, or personnel.

Clients are also well advised to examine contracts relative to other contracts. Determine if any of the following conditions exist:

-A large project condensed into smaller projects to avoid the bid process or other control procedures.
-Backup suppliers that are scarce or nonexistent (this may reveal an unusually strong attachment to a primary supplier that is bribing an employee).
-Large write-offs of surplus supplies (this may indicate excessive purchases from a supplier that is bribing a purchasing agent).

Clients might additionally look for indications that bidders are in collusion, such as:

-Improper communication by purchasers with contractors or their representatives at trade or professional meetings.
-A bidders’ conference, which permits improper communications between contractors, who then can rig bids.
-Determine if purchasing agents have a financial interest in the contractor or have had discussions regarding employment.

CFEs, equipped with their in-depth knowledge of fraud scenarios, can bring powerful antifraud controls to any enterprise habitually involved in a competitive bidding process as a core component of its business strategy.

People, People & People

Our Chapter’s Vice-President Rumbi Petrolozzi’s comment in her last blog post to the effect that one of the most challenging tasks for the forensic accountant or auditor working proactively is defining the most effective and efficient scope of work for a risk-based assurance project. Because resources are always scarce, assurance professionals need to make sure they can meet both quality and scheduling requirements whilst staying within our fixed resource and cost constraints.

An essential step in defining the scope of a project is identifying the critical risks to review and the controls required to manage those risks. An efficient scope focuses on the subset of controls (i.e., the key controls) necessary to provide assurance. Performing tests of controls that are not critical is not efficient. Similarly, failing to test controls that could be the source of major fraud vulnerabilities leads to an ineffective audit.  As Rumbi points out, and too often overlooked, the root cause of most risk and control failures is people. After all, outstanding people are required to make an organization successful, and failing to hire, retain, and train a competent team of employees inevitably leads to business failure.

In an interview, a few decades ago, one of America’s most famous business leaders was asked what his greatest challenges were in turning one of his new companies around from failure to success. He is said to have responded that his three greatest challenges were “people, people, and people.” Certainly, when assurance professionals or management analyze the reasons for data breaches and control failures, people are generally found to be the root cause. For example, weaknesses may include (echoing Rumbi):

Insufficiently trained personnel to perform the work. A common material weakness in compliance with internal control over financial reporting requirements is a lack of experienced financial reporting personnel within a company. In more traditional anti-fraud process reviews, examiners often find that control weaknesses arise because individuals don’t understand the tasks they have to perform.

Insufficient numbers to perform the work. When CPAs find that important reconciliations are not performed timely, inventories are not counted, a backlog in transaction processing exists, or agreed-upon corrective actions to address prior audit findings aren’t completed, managers frequently offer the excuse that their area is understaffed.

Poor management and leadership. Fraud examiners find again and again, that micromanagers and dictators can destroy a solid finance function. At the other end of the spectrum, the absence of leadership, motivation, and communication can cause whole teams to flounder. Both situations generally lead to a failure to perform key controls consistently. For example, poor managers have difficulty retaining experienced professionals to perform account reconciliations on time and with acceptable levels of quality leading directly to an enhanced level of vulnerability to numerous fraud scenarios.

Ineffective human resource practices. In some cases, management may choose to accept a certain level of inefficiency and retain individuals who are not performing up to par. For instance, in an example cited by one of our ACFE training event speakers last year, the financial analysis group of a U.S. manufacturing company was failing to provide management with timely business information. Although the department was sufficiently staffed, the team members were ineffective. Still, management did not have the resolve to terminate poor performers, for fear it would not be possible to hire quality analysts to replace the people who were terminated.

In such examples, people-related weaknesses result in business process key control failures often leading to the facilitation of subsequent frauds. The key control failure was the symptom, and the people-related weakness was the root cause. As a result, the achievement of the business objective of fraud prevention is rendered at risk.

Consider a fraud examiner’s proactive assessment of an organization’s procurement function. If the examiner finds that all key controls are designed adequately and operating effectively, in compliance with company policy, and targeted cost savings are being generated, should s/he conclude the controls are adequate? What if that department has a staff attrition rate of 25 percent and morale is low? Does that change the fraud vulnerability assessment? Clearly, even if the standard set of controls were in place, the function would not be performing at optimal levels.  Just as people problems can lead to risk and control failures, exceptional people can help a company achieve success. In fact, an effective system of internal control considers the adequacy of controls not only to address the risks related to poor people-related management but also to recognize reduction in fraud vulnerability due to excellence in people-related management.

The people issue should be addressed in at least two phases of the assurance professional’s review process: planning and issue analysis (i.e., understanding weaknesses, their root cause, and the appropriate corrective actions).  In the planning phase, the examiner should consider how people-related anti-fraud controls might impact the review and which controls should be included in the scope. The following questions might be considered in relation to anti-fraud controls over staffing, organization, training, management and leadership, performance appraisals, and employee development:

–How significant would a failure of people-related controls be to the achievement of objectives and the management of business risk covered by the examination?
–How critical is excellence in people management to the achievement of operational excellence related to the objectives of the review?

Issue analysis requires a different approach. Reviewers may have to ask the question “why” three or more times before they get to the root cause of a problem. Consider the following little post-fraud dialogue (we’ve all heard variations) …

CFE: “Why weren’t the reconciliations completed on time?”
MANAGER. “Because we were busy closing the books and one staff member was on vacation.”
CFE: “You are still expected to complete the reconciliations, which are critical to closing the books. Even with one person on vacation, why were you too busy?”
MANAGER: “We just don’t have enough people to get everything done, even when we work through weekends and until late at night.”
CFE: “Why don’t you have enough people?”
MANAGER: “Management won’t let me hire anybody else because of cost constraints.”
CFE: “Why won’t management let you hire anybody? Don’t they realize the issue?”
MANAGER: “Well, I think they do, but I have been so busy that I may not have done an effective job of explaining the situation. Now that you are going to write this up as a control weakness, maybe they will.”

The root cause of the problem in this scenario is that the manager responsible for reconciliations failed to provide effective leadership. She did not communicate the problem and ensure she had sufficient resources to perform the work assigned. The root cause is a people problem, and the reviewer should address that directly in his or her final report. If the CFE only reports that the reconciliations weren’t completed on time, senior management might only press the manager to perform better without understanding the post-fraud need for both performance improvement and additional staff.

In many organizations, it’s difficult for a reviewer to discuss people issues with management, even when these issues can be seen to directly and clearly contribute to fraud vulnerably. Assurance professionals may find it tricky, for political reasons to recommend the hiring of additional staff or to explain that the existing staff members do not have the experience or training necessary to perform their assigned tasks. Additionally, we are likely to run into political resistance when reporting management and leadership failure. But, that’s the job assurance professionals are expected to perform; to provide an honest, objective assessment of the condition of critical anti-fraud controls including those related to people.  If the scope of our work does not consider people risks, or if reviewers are unable to report people-related weaknesses, we are not adding the value we should. We’re also failing to report on matters critical to the maintenance and extension of the client’s anti-fraud program.

The Sword of Damocles

The media provide us with daily examples of the fact that technology is a double-edged sword. The technological advancements that make it easy for people with legitimate purposes to engage with our client businesses and governmental agencies also provide a mechanism for those bent on perpetrating theft and frauds of all kinds.

The access to services and information that customers have historically demanded has opened the flood gates through which disgruntled or unethical employees and criminals enter to commit fraud. Criminals are also exploiting the inadequacies of older fraud management policies or, in some instances, the overall lack thereof. Our parent organization, the Association of Certified Fraud Examiners (ACFE) has estimated that about 70 percent of all companies around the world experienced some type of fraud in 2016, with total global losses due to fraud exceeding US $4 trillion annually and expected to rise continually.  Organizations have incurred, on average, the loss of an estimated 7 percent of their annual revenues to fraud, with $994 billion of that total in the US alone. The ACFE has also noted that the frauds reported lasted a median length of 18 months before being detected. In addition to the direct impact of revenue loss, fraud erodes customer satisfaction and drains investments that could have been directed to corporate innovation and growth. Organizations entrusted with personally identifiable information are also held directly accountable in the eyes of the public for any breach. Surveys have shown that about one-third of fraud victims avoid merchants they blame for their victimization.

We assurance professionals know that criminals become continuously more sophisticated and the fraud they perpetrate increasingly complex. In response, the requirements for fraud risk management have significantly changed over the last few years. Fraud risk management is now not a by-product, but a purposeful choice intended to mitigate or eliminate an organizations’ exposure to the ethically challenged. Fraud risk management is no longer a “once and done” activity, but has become an on-going, ideally concurrent, program. As with all effective processes, it must be performed according to some design. To counter fraud, an organization must first understand its unique situation and the risk to which it may be exposed. This cannot be accomplished in a vacuum or through divination, but through structured analysis of an organization’s current state. Organizations are compelled by their increasingly cyber supported environments to establish an appropriate enterprise fraud risk management framework aligned with the organization’s strategic objectives and supported by a well-planned road map leading the organization to its properly defined target state of protection. Performing adequate analysis of the current state and projecting the organization goals considering that desired state is essential.  Analysis is the bedrock for implementation of any enterprise fraud risk management framework to effectively manage fraud risk.

Fraud risk management is thus both a top-down and a bottom-up process. It’s critical for an organization to establish and implement the right policies, processes, technology and supporting components within the organization and to diligently enforce these policies and processes collaboratively and consistently to fight fraud effectively across the organization. To counter fraud at an enterprise level, organizations should develop an integrated counter fraud program that enables information sharing and collaboration; the goal is to prevent first, detect early, respond effectively, monitor continuously and learn constantly. Counter fraud experience in both the public and for-profit sectors has resulted in the identification of a few critical factors for the successful implementation of enterprise-wide fraud risk management in the present era of advanced technology and big data.

The first is fraud risk management by design. Organizations like the ACFE have increasingly acknowledged the continuously emerging pattern of innovative frauds and the urgency on the part of all organizations to manage fraud risk on a daily, concurrent basis.  As a result, organizations have attempted implementation of the necessary management processes and solutions. However, it is not uncommon that our client organizations find themselves lacking in the critical support components of such a program.  Accordingly, their fraud risk mitigation efforts tend to be poorly coordinated and, sometimes, even reactionary. The fraud risk management capabilities and technology solutions in place are generally implemented in silos and disconnected across the organization.  To coordinate and guide the effort, the ACFE recommends implementation of the following key components:

— A rigorous risk assessment process — An organization must have an effective fraud risk assessment process to systematically identify significant fraud risk and to determine its individual exposure to such risk. The assessment may be integrated with an overall risk assessment or performed as a stand-alone exercise, but it should, at a minimum, include risk identification, risk likelihood, significance assessment and risk response; a component for fraud risk mitigation and implementation of compensating controls across the critical business processes composing the enterprise is also necessary for cost-effective fraud management.

–Effective governance and clearly defined organizational responsibilities — Organizations must commit to an effective governance process providing oversight of the fraud management process. The central fraud risk management program must be equipped with a clear charter and accountability that will provide direction and oversight for counter fraud efforts. The fraud risk must be managed enterprise-wide with transparency and communication integrated across the organization. The formally designated fraud risk program owner must be at a level from which clear management guidelines can be communicated and implemented.

–An integrated counter fraud framework and approach — An organization-wide counter fraud framework that covers the complete landscape of fraud management (from enterprise security, authentication, business process, and application policy and procedure controls, to transaction monitoring and management), should be established. What we should be looking for as CFEs in evaluating a client’s program is a comprehensive counter fraud approach to continually enhance the consistency and efficacy of fraud management processes and practices.

–A coordinated network of counter fraud capabilities — An organization needs a structured, coordinated system of interconnected capabilities (not a point solution) implemented through management planning and proper oversight and governance. The system should ideally leverage the capabilities of big data and consider a broad set of attributes (e.g., identity, relationships, behaviors, patterns, anomalies, visualization) across multiple processes and systems. It should be transparent across users and provide guidance and alerts that enable timely and smart anti-fraud related decisions across the organization.

Secondly, a risk-based approach. No contemporary organization gets to stand still on the path to fraud risk management. Criminals are not going to give organizations a time-out to plug any holes and upgrade their arsenal of analytical tools. Organizations must adopt a risk-based approach to address areas and processes of highest risk exposures immediately, while planning for future fraud prevention enhancements. Countering fraud is an ongoing and continually evolving process, and the journey to the desired target state is a balancing act across the organization.

Thirdly, continual organizational collaboration and systemic learning. Fraud detection and prevention is not merely an information-gathering exercise and technology adoption, but an entire life cycle with continuous feedback and improvement. It requires the organization’s commitment to, and implementation of continual systemic learning, data sharing, and communication. The organization also needs to periodically align the enterprise counter fraud program with its strategic plan.

Fourthly, big data and advanced analytics.  Technological breakthroughs and capabilities grounded in big data and analytics can help prevent and counter fraudulent acts that impact the bottom line and threaten brand value and customer retention. Big data technology can ingest data from any source, regardless of structure, volume or velocity. It can harness, filter and sift through terabytes of data, whether in motion or at rest, to identify and relate the elements of information that really matter to the detection of on-going as well as of potential frauds. Big data off-the-shelf solutions already provide the means to detect instances of fraud, waste, abuse, financial crimes, improper payments, and more. Big data solutions can also reduce complexity across lines of business and allow organizations to manage fraud pervasively throughout the entire life cycle of any business process.

In summary, smart organizations manage the sword of potential fraud threats with well-planned road maps supported by proper organization and governance.  They analyze their state to understand where they are, and implement an integrated framework of standard management processes to provide the guidance and methodology for effective, ethics based, concurrent anti-fraud practice. The management of fraud risk is an integral part of their overall risk culture; a support system of interconnected counter fraud capabilities integrated across systems and processes, enabled by a technology strategy and supporting formal enterprise level oversight and governance.

A Ship of Fools

Our Chapter’s January-February 2018 lecture for CPE credit is concerned with the broader ethical implications of the types of fraud, many interlocking and coordinated, that made up the 2007-2008 Great Recession.  At the center of the scandal were ethically challenged actions by bank managements and their boards, but also by the investment companies and ratings agencies, who not only initiated much of the fraud and deception but, in many cases, actively expanded and perpetuated it.

Little more than a glance at the historical record confirms that deception by bank executives of regulators and of their own investors about illegal activity or about the institution’s true financial condition to conceal poor performance, poor management, or questionable transactions is not new to the world of U.S. finance. In fact, it was a key practice during the meltdown of the financial markets in 2007. In addition, the period saw heated debate about alleged deception by the rating agencies, Standard & Poor’s, Moody’s, and Fitch, of major institutional investors, who depended on the agencies’ valuations of subprime-backed securities in the making of investment decisions. Thus, not only deceptive borrowers and unscrupulous mortgage brokers and appraisers contributed to the meltdown. The maelstrom of lies and deception that drove the entire U.S. financial system in mid to late 2005 accelerated to the point of no return, and the crisis that ensued proved unavoidable.

There were ample instances of bank deception in the years leading up to the Great Depression of the 1930’s. The facts came out with considerable drama and fanfare through the work of the era’s Pecora Commission. However, the breadth and scope of executive deception that came under the legal and regulatory microscope following the financial market collapse of 2007 to 2009 represent some of history’s most brazen cases of concealment of irresponsible lending practices, fraudulent underwriting, shady financial transactions, and intentionally false statements to investors, federal regulators, and investigators.

According to the ACFE and other analysts, the lion’s share of direct blame for the meltdown lies with top executives of the major banks, investment firms, and rating agencies. They charge the commercial bank bosses with perpetuating a boom in reckless mortgage lending and the investment bankers with essentially tricking institutional investors into buying the exotic derivative securities backed by the millions and millions of toxic mortgages sold off by the mortgage lenders. The commercial bank bosses and investment bankers were, according to these observers, aided and abetted by the rating agencies, which lowered their rating standards on high-risk mortgage-backed securities that should never have received investment-grade ratings but did so because the rating agencies were paid by the very investment banks which issued the bonds. The agencies reportedly feared losing business if they gave poor ratings to the securities.

As many CFEs know, fraud is always the principal credit risk of any nonprime mortgage lending operation. It’s impossible in practice to detect fraud without reviewing a sample of the loan files. Paper loan files are bulky, so they are photographed, and the images are stored on computer tapes. Unfortunately, most investors (the large commercial and investment banks that purchased non-prime loans and pooled them to create financial derivatives) didn’t review the loan files before purchasing them and did not even require the original lenders to provide them with the loan tapes requisite for subsequent review and audit.

The rating agencies also never reviewed samples of loan files before giving AAA ratings to nonprime mortgage financial derivatives. The “AAA’ rating is supposed to indicate that there is virtually no credit risk, the risk being thought equivalent to U.S. government bonds, which the finance industry refers to as “risk-free.”  The rating agencies attained their lucrative profits because they gave AAA ratings to nonprime financial derivatives exposed to staggering default risk. A graph of their profits in this era rises like a stairway to the stars. Turning a blind eye to the mortgage fraud epidemic was the only way the rating agencies could hope to attain, and sustain, those profit levels. If they had engaged forensic accountants to review even small samples of nonprime loans, they would have been confronted with only two real choices: (1) rating them as toxic waste, which would have made it impossible to sell the associated nonprime financial derivatives or (2) documenting that they themselves were committing, aiding and abetting, a blatant accounting fraud.

A statement made during the 2008 House of Representatives hearings on the topic of the rating agencies’ role in the crisis represents an apt summary of how the financial and government communities viewed the actions and attitudes of the three rating agencies in the years leading up to the subprime crisis. An S&P employee, testified that “the rating agencies continue to create an even bigger monster, the CDO [collateralized debt obligation] market. Let’s hope we all are wealthy and retired by the time this house of cards falters.”

With respect to bank executives, the examples of proved and alleged deception during the period are so numerous as to almost defy belief. Among the most noteworthy are:

–The SEC investigated Citigroup as to whether it misled investors by failing to disclose critical details about the troubled mortgage assets it was holding as the financial markets began to collapse in 2007. The investigation came only after some of the mortgage-related securities being held by Citigroup were downgraded by an independent rating agency. Shortly thereafter, Citigroup announced quarterly losses of around $10 billion on its subprime-mortgage holdings, an astounding amount that directly contributed to the resignation of then CEO, Charles Prince;

–The SEC conducted similar investigations into Bank of America, now-defunct Lehman Brothers, and Merrill Lynch (now a part of Bank of America);

–The SEC filed civil fraud charges against Angelo Mozilo, cofounder and former CEO of Countrywide Financial Corp. In the highest-profile government legal action against a chief executive related to the financial crisis, the SEC charged Mozilo with insider trading and alleged failure to disclose material information to shareholders, according to people familiar with the matter. Mozilo sold $130 million of Countrywide stock in the first half of 2007 under an executive sales plan, according to government filings.

As the ACFE points out, every financial services company has its own unique internal structure and management policies. Some are more effective than others in reducing the risk of management-level fraud. The best anti-fraud controls are those designed to reduce the risk of a specific type of fraud threatening the organization.  Designing effective anti-fraud controls depends directly on accurate assessment of those risks. How, after all, can management or the board be expected to design and implement effective controls if it is unclear about which frauds are most threatening? That’s why a fraud risk assessment (FRA) is essential to any anti-fraud  Program; an essential exercise designed to determine the specific types of fraud to which your client organization is most vulnerable within the context of its existing anti-fraud controls. This enables management to design, customize, and implement the best controls to minimize fraud risk throughout the organization.  Again, according to the ACFE (joined by the Institute of Internal Auditors, and the American Institute of Certified Public Accountants), an organization’s contracted CFEs backed by its own internal audit team can play a direct role in this all-important effort.

Your client’s internal auditors should consider the organization’s assessment of fraud risk when developing their annual audit plan and review management’s fraud management capabilities periodically. They should interview and communicate regularly with those conducting the organization’s risk assessments, as well as with others in key positions throughout the organization, to help them ensure that all fraud risks have been considered appropriately. When performing proactive fraud risk assessment engagements, CFEs should direct adequate time and attention to evaluating the design and operation of internal controls specifically related to fraud risk management. We should exercise professional skepticism when reviewing activities and be on guard for the tell-tale signs of fraud. Suspected frauds uncovered during an engagement should be treated in accordance with a well-designed response plan consistent with professional and legal standards.

As this month’s lecture recommends, CFEs and forensic accountants can also contribute value by proactively taking a proactive role in support of the organization’s underlying ethical culture.

The Anti-Fraud Blockchain

Blockchain technology, the series of interlocking algorithms powering digital currencies like BitCoin, is emerging as a potent fraud prevention tool.  As every CFE knows, technology is enabling new forms of money and contracting, and the growing digital economy holds great promise to provide a full range of new financial tools, especially to the world’s poor and unbanked. These emerging virtual currencies and financial techniques are often anonymous, and none have received quite as much press as Bitcoin, the decentralized peer-to-peer digital form of money.

Bitcoins were invented in 2009 by a mysterious person (or group of people) using the alias Satoshi Nakamoto, and the coins are created or “mined” by solving increasingly difficult mathematical equations, requiring extensive computing power. The system is designed to ensure no more than twenty-one million Bitcoins are ever generated, thereby preventing a central authority from flooding the market with new Bitcoins. Most people purchase Bitcoins on third-party exchanges with traditional currencies, such as dollars or euros, or with credit cards. The exchange rates against the dollar for Bitcoin fluctuate wildly and have ranged from fifty cents per coin around the time of its introduction to over $16,0000 in December 2017. People can send Bitcoins, or percentages of bitcoin, to each other using computers or mobile apps, where coins are stored in digital wallets. Bitcoins can be directly exchanged between users anywhere in the world using unique alphanumeric identifiers, akin to e-mail addresses, and there are no transaction fees in the basic system, absent intermediaries.

Anytime a purchase takes place, it is recorded in a public ledger known as the “blockchain,” which ensures no duplicate transactions are permitted. Crypto currencies are called such because they use cryptography to regulate the creation and transfer of money, rather than relying on central authorities. Bitcoin acceptance continues to grow rapidly, and it is possible to use Bitcoins to buy cupcakes in San Francisco, cocktails in Manhattan, and a Subway sandwich in Allentown.

Because Bitcoin can be spent online without the need for a bank account and no ID is required to buy and sell the crypto currency, it provides a convenient system for anonymous, or more precisely pseudonymous, transactions, where a user’s true name is hidden. Though Bitcoin, like all forms of money, can be used for both legal and illegal purposes, its encryption techniques and relative anonymity make it strongly attractive to fraudsters and criminals of all kinds. Because funds are not stored in a central location, accounts cannot readily be seized or frozen by police, and tracing the transactions recorded in the blockchain is significantly more complex than serving a subpoena on a local bank operating within traditionally regulated financial networks. As a result, nearly all the so-called Dark Web’s illicit commerce is facilitated through alternative currency systems. People do not send paper checks or use credit cards in their own names to buy meth and pornography. Rather, they turn to anonymous digital and virtual forms of money such as Bitcoin.

A blockchain is, essentially, a way of moving information between parties over the Internet and storing that information and its transaction history on a disparate network of computers. Bitcoin, and all the other digital currencies, operates on a blockchain: as transactions are aggregated into blocks, each block is assigned a unique cryptographic signature called a “hash.” Once the validating cryptographic puzzle for the latest block has been solved by a coin mining computer, three things happen: the result is timestamped, the new block is linked irrevocably to the blocks before and after it by its unique hash, and the block and its hash are posted to all the other computers that were attempting to solve the puzzle involved in the mining process for new coins. This decentralized network of computers is the repository of the immutable ledger of bitcoin transactions.  If you wanted to steal a bitcoin, you’d have to rewrite the coin’s entire history on the blockchain in broad daylight.

While bitcoin and other digital currencies operate on a blockchain, they are not the blockchain itself. It’s an insight of many computer scientists that in addition to exchanging digital money, the blockchain can be used to facilitate transactions of other kinds of digitized data, such as property registrations, birth certificates, medical records, and bills of lading. Because the blockchain is decentralized and its ledger immutable, all these types of transactions would be protected from hacking; and because the blockchain is a peer-to-peer system that lets people and businesses interact directly with each other, it is inherently more efficient and  cheaper than current systems that are burdened with middlemen such as lawyers and regulators.

A CFE’s client company that aims to reduce drug counterfeiting could have its CFE investigator use the blockchain to follow pharmaceuticals from provenance to purchase. Another could use it to do something similar with high-end sneakers. Yet another, a medical marijuana producer, could create a blockchain that registers everything that has happened to a cannabis product, from seed to sale, letting consumers, retailers and government regulators know where everything came from and where it went. The same thing can be done with any normal crop so, in the same way that a consumer would want to know where the corn on her table came from, or the apple that she had at lunch originated, all stake holders involved in the medical marijuana enterprise would know where any batch of product originated and who touched it all along the way.

While a blockchain is not a full-on solution to fraud or hacking, its decentralized infrastructure ensures that there are no “honeypots” of data available, like financial or medical records on isolated company servers, for criminals to exploit. Still, touting a bitcoin-derived technology as an answer to cybercrime may seem a stretch considering the high-profile, and lucrative, thefts of cryptocurrency over the past few years. Its estimated that as of March 2015, a full third of  all Bitcoin exchanges, (where people store their bitcoin), up to then had been hacked, and nearly half had closed. There was, most famously, the 2014 pilferage of Mt. Gox, a Japanese based digital coin exchange, in which 850,000 bitcoins worth $460,000,000 disappeared. Two years later another exchange, Bitfinex, was hacked and around $60 million in bitcoin was taken; the company’s solution was to spread the loss to all its customers, including those whose accounts had not been drained.

Unlike money kept in a bank, cryptocurrencies are uninsured and unregulated. That is one of the consequences of a monetary system that exists, intentionally, beyond government control or oversight. It may be small consolation to those who were affected by these thefts that the bitcoin network itself and the blockchain has never been breached, which perhaps proves the immunity of the blockchain to hacking.

This security of the blockchain itself demonstrates how smart contracts can be written and stored on it. These are covenants, written in code, that specify the terms of an agreement. They are smart because as soon as its terms are met, the contract executes automatically, without human intervention. Once triggered, it can’t be amended, tampered with, or impeded. This is programmable money. Such smart contracts are a tool with the potential to change how business in done. The concept, as with digital currencies, is based on computers synced together. Now imagine that rather than syncing a transaction, software is synced. Every machine in the network runs the same small program. It could be something simple, like a loan: A sends B some money, and B’s account automatically pays it back, with interest, a few days later. All parties agree to these terms, and it’s locked in using the smart contract. The parties have achieved programmable money!

There is no doubt that smart contracts and the blockchain itself will augment the trend toward automation, though it is automation through lines of code, not robotics. For businesses looking to cut costs and reduce fraud, this is one of the main attractions of blockchain technology. The challenge is that, if contracts are automated, what will happen to traditional firm control structures, processes, and intermediaries like lawyers and accountants? And what about managers? Their roles would all radically change. Most blockchain advocates imagine them changing so radically as to disappear altogether, taking with them many of the costs currently associated with doing business. According to a recent report in the trade press, the blockchain could reduce banks’ infrastructure costs attributable to cross-border payments, securities trading, and regulatory compliance by $15-20 billion per annum by 2022.  Whereas most technologies tend to automate workers on the periphery, blockchain automates away the center. Instead of putting the taxi driver out of a job, blockchain puts Uber out of a job and lets the taxi drivers work with the customer directly.

Whether blockchain technology will be a revolution for good or one that continues what has come to seem technology’s inexorable, crushing ascendance will be determined not only by where it is deployed, but how. The blockchain could be used by NGOs to eliminate corruption in the distribution of foreign aid by enabling funds to move directly from giver to receiver. It is also a way for banks to operate without external oversight, encouraging other kinds of corruption. Either way, we as CFEs would be wise to remember that technology is never neutral. It is always endowed with the values of its creators. In the case of the blockchain and crypto-currency, those values are libertarian and mechanistic; trust resides in algorithmic rules, while the rules of the state and other regulatory bodies are often viewed with suspicion and hostility.

With a Little Help

by Rumbi Petrozzello, CPA/CFF, CFE
2018 Vice-President – Central Virginia Chapter ACFE

In November, my husband and I headed out to our usual spot, on Fourth Avenue in Brooklyn, to cheer for those running the New York marathon. A marathon, for those who don’t know, is 26.2 miles long. People who complete marathons get nothing but respect from me – success in marathoning only comes with a lot of dedication and training. Many people spend at least six months following a training plan that is not just about building distance. For instance, when learning (and it is learning) how to complete 26.2 miles of running (or walking for that matter) people must learn how to remain fueled and hydrated while running. This training also then applies to making lifestyle adjustments such as changing one’s diet and sleeping habits. Years ago, when I was training for the New York Marathon, friends knew to not call after 10PM because I was going to bed early to get enough sleep before early morning runs. I tried not to go out on Friday nights, because I went on my long runs on Saturday mornings and wanted to be energized for them. I spent a lot of time and energy doing research, talking to friends who were seasoned runners and even took running classes to improve my performance and chances of success during the race. Despite the very popular tag line “Just Do It”, a lot of work goes into even getting to that point.

The past few months, I have been doing quite a bit of work that involves assessing the controls that companies have over their systems to detect, deter and prevent fraud and error. Going in, the time energy and money that companies have put into all of this is impressive. They will have an audit committee, an internal audit function and a lot of documentation around what their systems are. There will be volumes of documentation on procedures and protocols and, at the very least, on paper, things look fantastic. However, when we start talking to employees about what their reality is, things often are very different. Some of the issues we found included:

• Staff who did not quite understand what some technical terms meant and, so ignored the parts they didn’t understand. We spoke with people who were very happy to perform and review controls, but they didn’t know how best to do that, and no one was telling them the how;

• Some staff did not understand why they were being asked to change things and, believing that what they had been doing for years constituted a good system, stuck with that;

• In some cases, it wasn’t clear just who was responsible for ownership of a process and that meant, often, that nothing ended up getting done;

• In other instances, staff were given such vague instructions that they resorted to making it up as they went along.

Having the rules is completely useless if your people don’t know what do with them and, just as importantly, why they’re doing what they’ve been asked to do in the first place. What is vital in all of this, is the proper training. As CFEs and Forensic Accountants, we are perfectly positioned to work with clients to ensure that controls and systems go beyond theory. So it’s vitally important for success to constantly work with clients to strengthen systems and controls. This can be done by recommending that our corporate clients:

• Provide training to employees. This training must include the identification of control owners and then the process of working directly with them to ensure that they understand what their roles are and specifically why they need to follow the steps being asked of them. Sometimes, when a control owner is given a requested role, they are told to “review” something. Review can mean anything and often what some people consider to be a review is insufficient for complete understanding. For instance, an employee may think that merely saying they checked something is sufficient. Or that having a verbal conversation is enough proof of review. Be sure to recommend to clients that they let employees know that there should be written evidence of a mandated review and to be equally sure to provide clear examples of what qualifies as evidence of that review.

• Review systems and controls to ensure that they address risks. A company may institute many systems and related procedures but, upon review, a CFE or forensic accountant may find inadequate segregation of duties. You may find that a supervisor is checking a team’s work, but no one is authorizing that supervisor’s. This becomes particularly risky if that supervisor has access to many aspects of the business. A CFE or forensic accountant, can review roles and duties to ensure that duties are sufficiently segregated.

• Training should be ongoing and updated for changes in the company as well as changes in technology and processes. At least once a year, employees should receive updated training and performance reviews. In this way, companies can also learn if there have been material changes that might lead to systems and processes having been adjusted in such a way as to create weakness and holes that could lead to future fraud or error.

It’s all well and good to have ads where famous people run, jump and play and tell you to “just do it”. I remember people rolling their eyes at me when I mentioned that I was dashing to running class – why do you have to learn how to run? Doesn’t everyone know how to do that? Yes, I could run, but with training, I ran a better marathon and lived to tell the tale (unlike the original guy). Yes, employees may know how to do the compliance and control work but as a CFE or forensic accountant, you can help a client company work with their employees to perform their work better, be aware of controls and be cognizant of risk and how to mitigate it. It’s so much better than just doing it.

Vendor Assessment – Backing Corporate Counsel

Pre-emptive fraud risk assessments targeting client vendor security are increasingly receiving CFE attention. This is because in the past several years, sophisticated cyber-adversaries have launched powerful attacks through vendor networks and connections and have siphoned off money, millions of credit card records and customers’ sensitive personal information.

There has, accordingly, been a noticeable jump in those CFE client organizations whose counsel attribute security incidents to current service providers, contractors and to former partners. The evolution of targets and threats outside the enterprise are powerfully influencing the current and near-future of the risk landscape. CFEs who regard these easily predicted changes in a strategic manner can proactively assist their client’s security and risk leadership to identify new fraud prevention opportunities while managing the emerging risk. To make this happen enterprises require adequate oversight insight into vendor involved fraud security risk as part of a comprehensive cyber-risk management policy.

Few managements anticipated only a few years ago that their connectivity with trusted vendors would ever result in massive on-line exploits on sister organizations like retailers and financial organizations, or, still less, that many such attacks would go undetected for months at a time. Few risk management programs of that time would have addressed such a risk, which represents not only a significant impact but whose occurrence is also difficult to predict. Such events were rare and typically beyond the realm of normal anticipation; Black Swan events, if you will. Then, attackers, organized cyber-criminals and some nation-states began capturing news headlines because of high-profile security breaches. The ACFE has long told us that one-third (32 percent) of fraud survey respondents report that insider crimes are costlier or more damaging than incidents perpetrated by outsiders and that employees are not the only source of insider threat; insider threat can also include former employees, service providers, consultants, contractors, suppliers and business partners.

Almost 500 such retailer breaches have been reported this year alone targeting credit card data, personal information, and sensitive financial information. There has, accordingly, been a massive regulatory response.  Regulators are revisiting their guidelines on vendor security and are directing regulated organizations to increase their focus on vendor risk as organizations continue to expand the number and complexities of their vendor relationships. For example, the US Office of the Comptroller of the Currency (0CC) and the Board of Governors of the US Federal Reserve System have released updated guidance on the risk management of third-party relationships. This guidance signals a fundamental shift in how retail financial institutions especially need to assess third-party relationships. In particular, the guidance calls for robust risk assessment and monitoring processes to be employed relative to third-party relationships and specifically those that involve critical activities with the potential to expose an institution to significant risk. CFEs and other assurance professionals can proactively assist the counsels of their client enterprises to elevate their vendor-related security practices to keep pace with ever-evolving fraud threats and security risk associated with their client’s third-party relationships.

Vendor risk oversight from a security point of view demands a program that covers the entire enterprise, outlining the policy and guidelines to manage and mitigate vendor security risk, combined with clearly articulated vendor contracts negotiated by the corporate counsel’s function. Such oversight will not only help organizations improve cybersecurity programs but also potentially advance their regulatory and legal standing in the future. What insights can CFEs, acting proactively, provide corporate counsel?

First, the need for executive oversight. Executive alignment and business context is critical for appropriate implementation throughout the organization. Proper alignment is like a command center, providing the required policies, processes and guidelines for the program. The decision to outsource is a strategic one and not merely a procurement decision. It is, therefore, of the utmost importance that executive committees provide direction for the vendor risk management program. The program can obtain executive guidance from:

–The compliance function to provide regulatory and other compliance requirements that have specific rules regarding vendor risk management to which the vendor organizations must adhere;

–The IT risk and control function to determine the risk and the risk level, depending on the nature of access/data sensitivity shared with the vendor(s). The vendor risk management program should utilize the key risk indicators provided by this function to address risk during vendor assessments;

–The contract governance function and corporate counsel to ensure that vendor contracts adequately address the need for security assessments and define vendors’ obligations to complete these assessments.

Most larger organizations today deal with a considerable amount of third parties and service providers. Missing contact information, responsibility matrices or updated contracts are typical areas of concern about which risk managers might have engaged CFEs initiate fraud risk assessments. This can pose a significant challenge, especially, when there are multiple teams involved to carry out the procurement business process. A vendor and contract database (VCD) ensures that an accurate and complete inventory of vendors is maintained, including other third-party relationships (e.g., joint ventures, utilities, business partners, fourth parties, etc.).

In effectively assessing a vendor risk management program, the CFE can’t conduct the same type of fraud risk assessment for all vendors. Rather, it’s necessary to identify those vendor services deemed to carry the greatest risk and to prioritize them accordingly. The first step is to understand which vendors and services are in the scope from an active fraud risk management perspective. Once this subset of vendors has been identified and prioritized, due diligence assessments are performed for the vendors, depending on the level of client internal versus vendor-owned fraud prevention and detection controls. The results of these assessments help establish the appropriate trust-level rating (TLR) and the future requirements in terms of CFE assisted reassessments and monitoring. This approach focuses resources on the vendor relationships that matter most, limiting unnecessary work for lower-risk relationships. For example, a vendor with a high TLR should be prioritized over a vendor with a low TLR.

Proper control and management of vendor risk requires continuous re-assessment. It’s important to decide the types of on-going assessments to be performed on vendors depending on the level of their TLR and the risk they represent.

Outsourced relationships usually go through iterations and evolve as they mature. As your client organizations strategize to outsource more, they should also validate trust level(s) in anticipation of more information and resources being shared. With technological advancements, a continuously changing business environment and increased regulatory demands, validating the trust level is a continuous exercise. To get the most rational and effective findings, it’s best to use the results of ongoing assessments. In such a reiterative process, it is necessary to continuously monitor and routinely assess vendors based on the trust level they carry. The program should share information about the vendor security posture and risk levels with corporate counsel or other executive sponsor, who can help the organization progress toward the target profile. Clearly communicating the fraud risk from a business perspective can be an additional feature, especially when reports are furnished to inform internal stakeholders, internal audit functions, lines of business and the board of directors, if necessary.

Vendor fraud risk management elevates information security from a technical control business process to an effective management business process. Regular fraud risk security assessments of vendors give organizations the confidence that their business is aware of the security risk involved and is effectively managing it by transferring, mitigating or accepting it. Comprehensive vendor security assessments provide enterprises with insight on whether their systems and data are being deployed consistently with their security policies. Vendor fraud risk management is not a mere project; it is an ongoing program and requires continuous trust to keep the momentum going. Once the foundational framework has been established, our client organizations can look at enhancing maturity through initiatives such as improving guidelines and procedures, rationalizing assessment questionnaires, and more automation. Awareness and communication are key to ensuring that the program is effective and achieves its intended outcome, securing enterprises together with all their business partners and vendors.