Category Archives: Computer Forensics

Sock Puppets

The issue of falsely claimed identity in all its myriad forms has shadowed the Internet since the beginning of the medium.  Anyone who has used an on-line dating or auction site is all too familiar with the problem; anyone can claim to be anyone.  Likewise, confidence games, on or off-line, involve a range of fraudulent conduct committed by professional con artists against unsuspecting victims. The victims can be organizations, but more commonly are individuals. Con artists have classically acted alone, but now, especially on the Internet, they usually group together in criminal organizations for increasingly complex criminal endeavors. Con artists are skilled marketers who can develop effective marketing strategies, which include a target audience and an appropriate marketing plan: crafting promotions, product, price, and place to lure their victims. Victimization is achieved when this marketing strategy is successful. And falsely claimed identities are always an integral component of such schemes, especially those carried out on-line.

Such marketing strategies generally involve a specific target market, which is usually made up of affinity groups consisting of individuals grouped around an objective, bond, or association like Facebook or LinkedIn Group users. Affinity groups may, therefore, include those associated through age, gender, religion, social status, geographic location, business or industry, hobbies or activities, or professional status. Perpetrators gain their victims’ trust by affiliating themselves with these groups.  Historically, various mediums of communication have been initially used to lure the victim. In most cases, today’s fraudulent schemes begin with an offer or invitation to connect through the Internet or social network, but the invitation can come by mail, telephone, newspapers and magazines, television, radio, or door-to-door channels.

Once the mark receives and accepts the offer to connect, some sort of response or acceptance is requested. The response will typically include (in the case of Facebook or LinkedIn) clicking on a link included in a fraudulent follow-up post to visit a specified web site or to call a toll-free number.

According to one of Facebook’s own annual reports, up to 11.2 percent of its accounts are fake. Considering the world’s largest social media company has 1.3 billion users, that means up to 140 million Facebook accounts are fraudulent; these users simply don’t exist. With 140 million inhabitants, the fake population of Facebook would be the tenth-largest country in the world. Just as Nielsen ratings on television sets determine different advertising rates for one television program versus another, on-line ad sales are determined by how many eyeballs a Web site or social media service can command.

Let’s say a shyster want 3,000 followers on Twitter to boost the credibility of her scheme? They can be hers for $5. Let’s say she wants 10,000 satisfied customers on Facebook for the same reason? No problem, she can buy them on several websites for around $1,500. A million new friends on Instagram can be had for only $3,700. Whether the con man wants favorites, likes, retweets, up votes, or page views, all are for sale on Web sites like Swenzy, Fiverr, and Craigslist. These fraudulent social media accounts can then be freely used to falsely endorse a product, service, or company, all for just a small fee. Most of the work of fake account set up is carried out in the developing world, in places such as India and Bangladesh, where actual humans may control the accounts. In other locales, such as Russia, Ukraine, and Romania, the entire process has been scripted by computer bots, programs that will carry out pre-encoded automated instructions, such as “click the Like button,” repeatedly, each time using a different fake persona.

Just as horror movie shape-shifters can physically transform themselves from one being into another, these modern screen shifters have their own magical powers, and organizations of men are eager to employ them, studying their techniques and deploying them against easy marks for massive profit. In fact, many of these clicks are done for the purposes of “click fraud.” Businesses pay companies such as Facebook and Google every time a potential customer clicks on one of the ubiquitous banner ads or links online, but organized crime groups have figured out how to game the system to drive profits their way via so-called ad networks, which capitalize on all those extra clicks.

Painfully aware of this, social media companies have attempted to cut back on the number of fake profiles. As a result, thousands and thousands of identities have disappeared over night among the followers of many well know celebrities and popular websites. If Facebook has 140 million fake profiles, there is no way they could have been created manually one by one. The process of creation is called sock puppetry and is a reference to the children’s toy puppet created when a hand is inserted into a sock to bring the sock to life. In the online world, organized crime groups create sock puppets by combining computer scripting, web automation, and social networks to create legions of online personas. This can be done easily and cheaply enough to allow those with deceptive intentions to create hundreds of thousands of fake online citizens. One only needs to consult a readily available on-line directory of the most common names in any country or region. Have a scripted bot merely pick a first name and a last name, then choose a date of birth and let the bot sign up for a free e-mail account. Next, scrape on-line photo sites such as Picasa, Instagram, Facebook, Google, and Flickr to choose an age-appropriate image to represent your new sock puppet.

Armed with an e-mail address, name, date of birth, and photograph, you sign up your fake persona for an account on Facebook, LinkedIn, Twitter, or Instagram. As a last step, you teach your puppets how to talk by scripting them to reach out and send friend requests, repost other people’s tweets, and randomly like things they see Online. Your bots can even communicate and cross-post with one another. Before the fraudster knows it, s/he has thousands of sock puppets at his disposal for use as he sees fit. It is these armies of sock puppets that criminals use as key constituents in their phishing attacks, to fake on-line reviews, to trick users into downloading spyware, and to commit a wide variety of financial frauds, all based on misplaced and falsely claimed identity.

The fraudster’s environment has changed and is changing over time, from a face-to-face physical encounter to an anonymous on-line encounter in the comfort of the victim’s own home. While some consumers are unaware that a weapon is virtually right in front of them, others are victims who struggle with the balance of the many wonderful benefits offered by advanced technology and the painful effects of its consequences. The goal of law enforcement has not changed over the years; to block the roads and close the loopholes of perpetrators even as perpetrators continue to strive to find yet another avenue to commit fraud in an environment in which they can thrive. Today, the challenge for CFEs, law enforcement and government officials is to stay on the cutting edge of technology, which requires access to constantly updated resources and communication between organizations; the ability to gather information; and the capacity to identify and analyze trends, institute effective policies, and detect and deter fraud through restitution and prevention measures.

Now is the time for CFEs and other assurance professionals to continuously reevaluate all we for take for granted in the modern technical world and to increasingly question our ever growing dependence on the whole range of ubiquitous machines whose potential to facilitate fraud so few of our clients and the general public understand.

The Who, the What, the When

CFEs and forensic accountants are seekers. We spend our days searching for the most relevant information about our client requested investigations from an ever-growing and increasingly tangled data sphere and trying to make sense of it. Somewhere hidden in our client’s computers, networks, databases, and spreadsheets are signs of the alleged fraud, accompanying control weaknesses and unforeseen risks, as well as possible opportunities for improvement. And the more data the client organization has, the harder all this is to find.  Although most computer-assisted forensic audit tests focus on the numeric data contained within structured sources, such as financial and transactional databases, unstructured or text based data, such as e-mail, documents, and Web-based content, represents an estimated 8o percent of enterprise data within the typical medium to large-sized organization. When assessing written communications or correspondence about fraud related events, CFEs often find themselves limited to reading large volumes of data, with few automated tools to help synthesize, summarize, and cluster key information points to aid the investigation.

Text analytics is a relatively new investigative tool for CFEs in actual practice although some report having used it extensively for at least the last five or more years. According to the ACFE, the software itself stems from a combination of developments in our sister fields of litigation support and electronic discovery, and from counterterrorism and surveillance technology, as well as from customer relationship management, and research into the life sciences, specifically artificial intelligence. So, the application of text analytics in data review and criminal investigations dates to the mid-1990s.

Generally, CFEs increasingly use text analytics to examine three main elements of investigative data: the who, the what, and the when.

The Who: According to many recent studies, substantially more than a half of business people prefer using e-mail to use of the telephone. Most fraud related business transactions or events, then, will likely have at least some e-mail communication associated with them. Unlike telephone messages, e-mail contains rich metadata, information stored about the data, such as its author, origin, version, and date accessed, and can be documented easily. For example, to monitor who is communicating with whom in a targeted sales department, and conceivably to identify whether any alleged relationships therein might signal anomalous activity, a forensic accountant might wish to analyze metadata in the “to,” “from,” “cc,” or “bcc” fields in departmental e-mails. Many technologies for parsing e-mail with text analytics capabilities are available on the market today, some stemming from civil investigations and related electronic discovery software. These technologies are like the social network diagrams used in law enforcement or in counterterrorism efforts.

The What: The ever-present ambiguity inherent in human language presents significant challenges to the forensic investigator trying to understand the circumstances and actions surrounding the text based aspects of a fraud allegation. This difficulty is compounded by the tendency of people within organizations to invent their own words or to communicate in code. Language ambiguity can be illustrated by examining the word “shred”. A simple keyword search on the word might return not only documents that contain text about shredding a document, but also those where two sports fans are having a conversation about “shredding the defense,” or even e-mails between spouses about eating Chinese “shredded pork” for dinner. Hence, e-mail research analytics seeks to group similar documents according to their semantic context so that documents about shredding as concealment or related to covering up an action would be grouped separately from casual e-mails about sports or dinner, thus markedly reducing the volume of e-mail requiring more thorough ocular review. Concept-based analysis goes beyond traditional search technology by enabling users to group documents according to a statistical inference about the co-occurrence of similar words. In effect, text analytics software allows documents to describe themselves and group themselves by context, as in the shred example. Because text analytics examines document sets and identifies relationships between documents according to their context, it can produce far more relevant results than traditional simple keyword searches.

Using text analytics before filtering with keywords can be a powerful strategy for quickly understanding the content of a large corpus of unstructured, text-based data, and for determining what is relevant to the search. After viewing concepts at an elevated level, subsequent keyword selection becomes more effective by enabling users to better understand the possible code words or company-specific jargon. They can develop the keywords based on actual content, instead of guessing relevant terms, words, or phrases up front.

The When: In striving to understand the time frames in which key events took place, CFEs often need to not only identify the chronological order of documents (e.g., sorted by or limited to dates), but also link related communication threads, such as e-mails, so that similar threads and communications can be identified and plotted over time. A thread comprises a set of messages connected by various relationships; each message consists of either a first message or a reply to or forwarding of some other message in the set. Messages within a thread are connected by relationships that identify notable events, such as a reply vs. a forward, or changes in correspondents. Quite often, e-mails accumulate long threads with similar subject headings, authors, and message content over time. These threads ultimately may lead to a decision, such as approval to proceed with a project or to take some other action. The approval may be critical to understanding business events that led up to a particular journal entry. Seeing those threads mapped over time can be a powerful tool when trying to understand the business logic of a complex financial transaction.

In the context of fraud risk, text analytics can be particularly effective when threads and keyword hits are examined with a view to considering the familiar fraud triangle; the premise that all three components (incentive/pressure, opportunity, and rationalization) are present when fraud exists. This fraud triangle based analysis can be applied in a variety of business contexts where increases in the frequency of certain keywords related to incentive/pressure, opportunity, and rationalization, can indicate an increased level of fraud risk.

Some caveats are in order.  Considering the overwhelming amount of text-based data within any modern enterprise, assurance professionals could never hope to analyze all of it; nor should they. The exercise would prove expensive and provide little value. Just as an external auditor would not reprocess or validate every sales transaction in a sales journal, he or she would not need to look at every related e-mail from every employee. Instead, any professional auditor would take a risk-based approach, identifying areas to test based on a sample of data or on an enterprise risk assessment. For text analytics work, the reviewer may choose data from five or ten individuals to sample from a high-risk department or from a newly acquired business unit. And no matter how sophisticated the search and information retrieval tools used, there is no guarantee that all relevant or high-risk documents will be identified in large data collections. Moreover, different search methods may produce differing results, subject to a measure of statistical variation inherent in probability searches of any type. Just as a statistical sample of accounts receivable or accounts payable in the general ledger may not identify fraud, analytics reviews are similarly limited.

Text analytics can be a powerful fraud examination tool when integrated with traditional forensic data-gathering and analysis techniques such as interviews, independent research, and existing investigative tests involving structured, transactional data. For example, an anomaly identified in the general ledger related to the purchase of certain capital assets may prompt the examiner to review e-mail communication traffic among the key individuals involved, providing context around the circumstances and timing, of events before the entry date. Furthermore, the forensic accountant may conduct interviews or perform additional independent research that may support or conflict with his or her investigative hypothesis. Integrating all three of these components to gain a complete picture of the fraud event can yield valuable information. While text analytics should never replace the traditional rules-based analysis techniques that focus on the client’s financial accounting systems, it’s always equally important to consider the communications surrounding key events typically found in unstructured data, as opposed to that found in the financial systems.

Small Scale Electronic Crime Scenes

Most frauds aren’t Enron.  As the ACFE tells us, most frauds encountered by practicing CFE’s are what I like to call “small crime-scene frauds” perpetrated by long time employees like Mary who works in a back office keeping the books, knows everything about the company, and who has been quietly embezzling lesser amounts of company funds without detection for the last fifteen years.  In today’s environment, Mary will be doing her work on a desktop computer, probably connected to a small network with internet access.  Mary’s workstation and the simple network supporting it constitute an electronic crime-scene to be investigated as thoroughly and with as much attention to detail as possible and accompanied by a full set of investigative documentation if there is ever to be any hope of obtaining a conviction (should Mary’s employer, your client, finally decide to go that way).

It goes without saying that the investigator or team of investigators to any crime scene, large or small, have the primary responsibility of protecting all the computer and related electronic evidence that might be useful in a future civil or criminal action. Evidence is where the CFE or other investigators find it. While crime scene evidence from personal and property crimes might be in plain view, computer and electronic evidence is subtler and might not be as evident or obvious at the scene.  In general, first responders at any scene can destroy critical latent evidence if they lack training in the proper identification, collection, and packaging procedures for the type of investigation. This means that both corporate security departments and law enforcement agencies routinely involved in such investigations specially train their personnel in computer and electronic investigative techniques. Much of the potential evidence at a small-scale scene might be circumstantial, but it could possibly be used to support the primary physical and direct evidence that a detailed investigation will later develop. A list of inappropriate purchases and related amounts found on Mary’s workstation at the crime scene could be persuasive to a jury if properly obtained.

Thus, education and preparation are major components of any successful crime scene search for electronic evidence. However, our corporate clients need to be made aware of what all law enforcement agencies know, that in-house or external security personnel, whose background might sometimes even include the performance of criminal crime scene searches, are usually not qualified for large or small-scale computer crime scene searches.

The basic steps involved in a small-scale computer site investigation include the following:

–Secure and protect the scene;
–Initiate a preliminary survey;
–Evaluate physical evidence possibilities;
–Prepare a narrative description;
–Take photographs of the scene;
–Prepare a diagram/sketch of the scene;
–Conduct a detailed search and record and collect physical evidence;
–Conduct a final survey;
–Release the crime scene.

Although a number of these steps also apply to crime scene searches for crimes involving misdemeanors and felonies, the orientation of their performance in the investigation of an electronic crime scene is more technical in nature. When a computer or some electronic device is suspected of having been used as a tool in the perpetration of a crime, normal evidence gathering techniques for computer forensics processing should always be followed. It does not matter whether the crime scene is also suspected of having been additionally involved in a separate fraud issue, a civil, or a criminal investigation; if a computer or other electronic device is involved, the steps will be the same in all cases.

It is also essential that the organization’s computer personnel be excluded from the crime scene. Most computer specialists are not familiar with computer forensics techniques and individuals among them could have been involved in the crime, wittingly or unwittingly. Additionally, security must be provided for the area while the investigation is proceeding. Any employees or visitors who subsequently enter the scene need to be identified.  Try to identify in writing anyone who has routine access to the site or anyone who might have a reason to be involved with the scene generally. Do not rely on your memory alone, as it will not sufficiently support you in a court of law.

Computer and electronic evidence usually takes on the same general forms with which we’re all familiar: computer hardware, peripherals, cell phones, hand held devices, various storage media, digital cameras, and the list goes on. The investigator will have a general knowledge of the types of evidence that can be collected from each of these devices; however, s/he must be prepared for new devices showing up at any crime scene at any time. A cautious walkthrough is a good first step to get a feel for the complexity of the site. In addition to a workstation, several additional workstations or areas might become part of the investigation. Keep in mind that due to the networking configurations of even today’s smallest systems, remote sites might probably be involved in the investigation.

The investigator(s) should strive to maintain a continuing level of control of the situation and of the physical site during the investigation.  An inventory log and chain-of-custody form should be completed and photographs made of all relevant devices and related electronic evidence. Specific activities that might be included in this phase of the investigation include:

–Determination of all the locations that might need to be searched;
–Look out for any specific issues that need to be addressed relating to pieces of hardware and software;
–Identification of any possible personnel and equipment needed for the investigation but not yet on-site;
–Determination of which devices can be physically removed from the site;
–Identification of all individuals who have had access to the computer or electronic resources material to the investigation.

The evaluation of physical evidence is a continuation of the preliminary survey and may not be perceived as a separate step. After the site is thoroughly photographed, a more detailed search can begin. Before any devices are handled, remember that fingerprint evidence might become evidence in establishing who used these devices. The smallest, most insignificant appearing piece of evidence might clinch a case. Any network capability and connections to the computer site must be identified. Networking can broaden any investigation considerably. If there is an internet connection, it can become a worldwide investigation involving various internet service providers and the possibility of subpoenas. Cell-phone evidence may involve various telephone network carriers and additional subpoenas.  Prioritize the evidence collection process to prevent loss, destruction, or modification. Focus first on items easily identifiable and accessible and proceed to identified out-of-sight evidence. Look for the obvious first, the suspect might have been sloppy.

A journal or narrative must be prepared concerning the investigation and the crime scene search. Anything and everything is important when conducting the scene investigation. Remember that the defense attorney is going to query any witnesses on the most obscure item possible. A technique suggested by the ACFE is to represent crime scenes in a “general to specific” scheme. Describe the site in broad terms and then get very specific with details. A sound idea is to cross-reference a chronological journal with the photographic evidence and a chain-of-custody form. The narrative effort should not degenerate into a sporadic and unorganized attempt to recover physical evidence. Under most circumstances, evidence should not be collected while developing the narrative. The narrative process can be accomplished by using audio, video, or text. Remember the axiom “haste makes waste.”

Developing a photographic profile of the crime scene is a requirement for any computer forensic investigation no matter how small. Photographs should be taken as soon as the incident scene is secured and before any computers or electronic devices are moved. Photographs should be taken from all angles of the physical site. Close-ups of cable connections for all devices should be included. Note these cables will need to be separately tagged in another step. Any video screens displayed would be photographed. The photographic effort needs to be recorded in a photographic log.  Photographs should be taken as soon as possible to depict the scene as it is observed before anything is handled, moved, or introduced to the scene. Photographs allow a visual permanent record of the crime scene and items of evidence collected from the crime scene.

A diagram or sketch establishes a permanent record of items, conditions, and distance/size relationships. They also supplement the photographic record. Usually a rough sketch is drawn at the crime scene and is used as a model for a complete, formal document that would be completed later. The sketch can be coordinated with any logs or journals via a numbering scheme. Sketches are used along with the reports and photographs to document the scene. A crime scene sketch is simply a drawing that accurately shows the appearance of a crime scene.

The CFE will usually have a general idea from discussions with the client as to the types of evidence that s/he will find at the incident scene. A checklist can be developed that will identify most types of computer and electronic evidence that might be at a small-scale crime scene. The major difference between investigations will probably be the size of the computer system and the amount of disk storage that will need to be secured or imaged. Seizure of electronic devices, such as cell phones and iPads, should not pose any special problems due to their small size. It might be necessary to determine the amount of disk storage records that need to be copied or imaged for later forensic analysis. On large data bases or for data in the cloud it will be next to impossible to copy or image the entire storage device. In these cases, a forensic examination might have to occur partly at the crime scene and partly off-site once the required permissions for data access are received from the data owners of record.

Conflicts in documentation can cause considerable grief in a court of law. Also, if a computer system is to be reconstructed later, cable connections and maps must be precise. There are four basic premises to the search, recording, and collection phase of a small- scale investigation. These premises are as follows:

–The best search options are typically the most difficult and time consuming;
–The physical evidence cannot be over-documented;
–There is generally only one best chance to properly perform the investigative task;
–Cautious searching of visible areas and identification and searching of relevant off-site areas is crucial.

After the investigative team has completed all tasks relating to the search, recording, and collection phases at the small-scale crime scene, a critical review should be conducted to ensure that nothing has been missed. This is the last chance to cover all the bases and ensure nothing has been overlooked. The investigators must ensure that they have gone far enough in the search for evidence, documented all essential things, and made no assumptions that may prove to be incorrect later.

–Double-check documentation to detect inadvertent errors;
–Check to ensure all evidence is accounted for before leaving the crime scene;
–Ensure all forensic hardware and software used in the search is gathered;
–Ensure possible hiding places of evidence and difficult areas for access have not been overlooked;

An incident scene debriefing is the best opportunity for personnel and participants to ensure the investigation is complete.

The last step in the evidence investigation phase for a small-scale crime scene featuring electronic evidence is to release the incident scene back to its owners. The release is accomplished only after completion of the final survey. The individual investigator or team should provide an inventory of the items seized to the client owner/manager of the scene. A receipt for electronic evidence must be completed for any devices seized. A formal document should be provided that specifies the time and date of the release, to whom released, and by whom released.

Financing Death One BitCoin at a Time

Over the past decade, fanatic religious ideologists have evolved to become hybrid terrorists demonstrating exceptional versatility, innovation, opportunism, ruthlessness, and cruelty. Hybrid terrorists are a new breed of organized criminal. Merriam-Webster defines hybrid as “something that is formed by combining two or more things”. In the twentieth century, the military, intelligence forces, and law enforcement agencies each had a specialized skill-set to employ in response to respective crises involving insurgency, international terrorism, and organized crime. Military forces dealt solely with international insurgent threats to the government; intelligence forces dealt solely with international terrorism; and law enforcement agencies focused on their respective country’s organized crime entities. In the twenty-first century, greed, violence, and vengeance motivate the various groups of hybrid terrorists. Hybrid terrorists rely on organized crime such as money laundering, wire transfer fraud, drug and human trafficking, shell companies, and false identification to finance their organizational operations.

Last week’s horrific terror bombing in Manchester brings to the fore, yet again, the issue of such terrorist financing and the increasing role of forensic accountants in combating it. Two of the main tools of modern terror financing schemes are money laundering and virtual currency.

Law enforcement and government agencies in collaboration with forensic accountants play key roles in tracing the source of terrorist financing to the activities used to inflict terror on local and global citizens. Law enforcement agencies utilize investigative and predictive analytics tools to gather, dissect, and convey data to distinguish patterns leading to future terrorist events. Government agencies employ database inquiries of terrorist-related financial information to evaluate the possibilities of terrorist financing and activities. Forensic accountants review the data for patterns related to previous transactions by utilizing data analysis tools, which assist in tracking the source of the funds.

As we all know, forensic accountants use a combination of accounting knowledge combined with investigative skills in litigation support and investigative accounting settings. Several types of organizations, agencies, and companies frequently employ forensic accountants to provide investigative services. Some of these organizations are public accounting firms, law firms, law enforcement agencies, The Internal Revenue Service (IRS), The Central Intelligence Agency (CIA), and The Federal Bureau of Investigations (FBI).

Locating and halting the source of terrorist financing involves two tactics, following the money and drying up the money. Obstructing terrorist financing requires an understanding of both the original and supply source of the illicit funds. As the financing is derived from both legal and illegal funding sources, terrorists may attempt to evade detection by funneling money through legitimate businesses thus making it difficult to trace. Charitable organizations and reputable companies provide a legitimate source through which terrorists may pass money for illicit activities without drawing the attention of law enforcement agencies. Patrons of legitimate businesses are often unaware that their personal contributions may support terrorist activities. However, terrorists also obtain funds from obvious illegal sources, such as kidnapping, fraud, and drug trafficking. Terrorists often change daily routines to evade law enforcement agencies as predictable patterns create trails that are easy for skilled investigators to follow. Audit trails can be traced from the donor source to the terrorist by forensic accountants and law enforcement agencies tracking specific indicators. Audit trails reveal where the funds originate and whether the funds came from legal or illegal sources. The ACFE tells us that basic money laundering is a specific type of illegal funding source, which provides a clear audit trail.

Money laundering is the process of obtaining and funneling illicit funds to disguise the connection with the original unlawful activity. Terrorists launder money to spend the unlawfully obtained money without drawing attention to themselves and their activities. To remain undetected by regulatory authorities, the illicit funds being deposited or spent need to be washed to give the impression that the money came from a seemingly reputable source. There are types of unusual transactions that raise red flags associated with money laundering in financial institutions. The more times an unusual transaction occurs, the greater the probability it is the product of an illicit activity. Money laundering may be quite sophisticated depending on the strategies employed to avoid detection. Some identifiers indicating a possible money-laundering scheme are: lack of identification, money wired to new locations, customer closes account after wiring or transferring copious amounts of money, executed out-of-the-ordinary business transactions, executed transactions involving the customer’s own business or occupation, and executed transactions falling just below the threshold trigger requiring the financial institution to file a report.

Money laundering takes place in three stages: placement, layering, and integration. In the placement stage, the cash proceeds from criminal activity enter the financial system by deposit. During the layering stage, the funds transfer into other accounts, usually offshore financial institutions, thus creating greater distance between the source and origin of the funds and its current location. Legitimate purchases help funnel the money back into the economy during the integration stage, the final stage.

Complicating all this is for the investigator is virtual currency. Virtual currency, unlike traditional forms of money, does not leave a clear audit trail for forensic accountants to trace and investigate. Cases involving the use of virtual currency, i.e. Bitcoins and several rival currencies, create anonymity for the perpetrator and create obstacles for investigators. Bitcoins have no physical form and provide a unique opportunity for terrorists to launder money across international borders without detection by law enforcement or government agencies. Bitcoins are long strings of numbers and letters linked by mathematical encryption algorithms. A consumer uses a mobile phone or computer to create an online wallet with one or more Bitcoin addresses before commencing electronic transactions. Bitcoins may also be used to make legitimate purchases through various, established online retailers.

Current international anti-money laundering laws aid in fighting the war against terrorist financing; however, international laws require actual cash shipments between countries and criminal networks (or at the very least funds transfers between banks). International laws are not applicable to virtual currency transactions, as they do not consist of actual cash shipments. According to the website Bitcoin.org, “Bitcoin uses peer-to-peer technology to operate with no central authority or banks”.

In summary, terrorist organizations find virtual currency to be an effective method for raising illicit funds because, unlike cash transactions, cyber technology offers anonymity with less regulatory oversight. Due to the anonymity factor, Bitcoins are an innovative and convenient way for terrorists to launder money and sell illegal goods. Virtual currencies are appealing for terrorist financiers since funds can be swiftly sent across borders in a secure, cheap, and highly secretive manner. The obscurity of Bitcoin allows international funding sources to conduct exchanges without a trace of evidence. This co-mingling effect is like traditional money laundering but without the regulatory oversight. Government and law enforcement agencies must, as a result, be able to share information with public regulators when they become suspicious of terrorist financing.

Forensic accounting technology is most beneficial when used in conjunction with the analysis tools of law enforcement agencies to predict and analyze future terrorist activity. Even though some of the tools in a forensic accountant’s arsenal are useful in tracking terrorist funds, the ability to identify conceivable terrorist threats is limited. To identify the future activities of terrorist groups, forensic accountants, and law enforcement agencies should cooperate with one another by mutually incorporating the analytical tools utilized by each. Agencies and government officials should become familiar with virtual currency like Bitcoins. Because of the anonymity and lack of regulatory oversight, virtual currency offers terrorist groups a useful means to finance illicit activities on an international scale. In the face of the challenge, new governmental entities may be needed to tie together all the financial forensics efforts of the different stake holder organizations so that information sharing is not compartmentalized.

Analytics & Fraud Prevention

During our Chapter’s live training event last year, ‘Investigating on the Internet’, our speaker Liseli Pennings, pointed out that, according to the ACFE’s 2014 Report to the Nations on Occupational Fraud and Abuse, organizations that have proactive, internet oriented, data analytics in place have a 60 percent lower median loss because of fraud, roughly $100,000 lower per incident, than organizations that don’t use such technology. Further, the report went on, use of proactive data analytics cuts the median duration of a fraud in half, from 24 months to 12 months.

This is important news for CFE’s who are daily confronting more sophisticated frauds and criminals who are increasingly cyber based.  It means that integrating more mature forensic data analytics capabilities into a fraud prevention and compliance monitoring program can improve risk assessment, detect potential misconduct earlier, and enhance investigative field work. Moreover, forensic data analytics is a key component of effective fraud risk management as described in The Committee of Sponsoring Organizations of the Treadway Commission’s most recent Fraud Risk Management Guide, issued in 2016, particularly around the areas of fraud risk assessment, prevention, and detection.  It also means that, according to Pennings, fraud prevention and detection is an ideal big data-related organizational initiative. With the growing speed at which they generate data, specifically around their financial reporting and sales business processes, our larger CFE client organizations need ways to prioritize risks and better synthesize information using big data technologies, enhanced visualizations, and statistical approaches to supplement traditional rules-based investigative techniques supported by spreadsheet or database applications.

But with this analytics and fraud prevention integration opportunity comes a caution.  As always, before jumping into any specific technology or advanced analytics technique, it’s crucial to first ask the right risk or control-related questions to ensure the analytics will produce meaningful output for the business objective or risk being addressed. What business processes pose a high fraud risk? High-risk business processes include the sales (order-to-cash) cycle and payment (procure-to-pay) cycle, as well as payroll, accounting reserves, travel and entertainment, and inventory processes. What high-risk accounts within the business process could identify unusual account pairings, such as a debit to depreciation and an offsetting credit to a payable, or accounts with vague or open-ended “catch all” descriptions such as a “miscellaneous,” “administrate,” or blank account names?  Who recorded or authorized the transaction? Posting analysis or approver reports could help detect unauthorized postings or inappropriate segregation of duties by looking at the number of payments by name, minimum or maximum accounts, sum totals, or statistical outliers. When did transactions take place? Analyzing transaction activities over time could identify spikes or dips in activity such as before and after period ends or weekend, holiday, or off-hours activities. Where does the CFE see geographic risks, based on previous events, the economic climate, cyber threats, recent growth, or perceived corruption? Further segmentation can be achieved by business units within regions and by the accounting systems on which the data resides.

The benefits of implementing a forensic data analytics program must be weighed against challenges such as obtaining the right tools or professional expertise, combining data (both internal and external) across multiple systems, and the overall quality of the analytics output. To mitigate these challenges and build a successful program, the CFE should consider that the priority of the initial project matters. Because the first project often is used as a pilot for success, it’s important that the project address meaningful business or audit risks that are tangible and visible to client management. Further, this initial project should be reasonably attainable, with minimal dollar investment and actionable results. It’s best to select a first project that has big demand, has data that resides in easily accessible sources, with a compelling, measurable return on investment. Areas such as insider threat, anti-fraud, anti-corruption, or third-party relationships make for good initial projects.

In the health care insurance industry where I worked for many years, one of the key goals of forensic data analytics is to increase the detection rate of health care provider billing non-compliance, while reducing the risk of false positives. From a capabilities perspective, organizations need to embrace both structured and unstructured data sources that consider the use of data visualization, text mining, and statistical analysis tools. Since the CFE will usually be working as a member of a team, the team should demonstrate the first success story, then leverage and communicate that success model widely throughout the organization. Results should be validated before successes are communicated to the broader organization. For best results and sustainability of the program, the fraud prevention team should be a multidisciplinary one that includes IT, business users, and functional specialists, such as management scientists, who are involved in the design of the analytics associated with the day-to-day operations of the organization and hence related to the objectives of  the fraud prevention program. It helps to communicate across multiple departments to update key stakeholders on the program’s progress under a defined governance regime. The team shouldn’t just report noncompliance; it should seek to improve the business by providing actionable results.

The forensic data analytics functional specialists should not operate in a vacuum; every project needs one or more business champions who coordinate with IT and the business process owners. Keep the analytics simple and intuitive, don’t include too much information in one report so that it isn’t easy to understand. Finally, invest time in automation, not manual refreshes, to make the analytics process sustainable and repeatable. The best trends, patterns, or anomalies often come when multiple months of vendor, customer, or employee data are analyzed over time, not just in the aggregate. Also, keep in mind that enterprise-wide deployment takes time. While quick projects may take four to six weeks, integrating the entire program can easily take more than one or two years. Programs need to be refreshed as new risks and business activities change, and staff need updates to training, collaboration, and modern technologies.

Research findings by the ACFE and others are providing more and more evidence of the benefits of integrating advanced forensic data analytics techniques into fraud prevention and detection programs. By helping increase their client organization’s maturity in this area, CFE’s can assist in delivering a robust fraud prevention program that is highly focused on preventing and detecting fraud risks.

Zack is Back on Internal Investigations!

Our Chapter is looking forward with anticipation to our next two-day training event (May 17th and 18th) when we will again have Gerry Zack, one of the ACFE’s best speakers, presenting on the topic ‘Conducting Internal Investigations’.  Gerry was last with us several years ago, when he taught ‘Introduction to Fraud Examination’ to an overflow crowd; judging from the number of early registrations, it looks like this year’s event will be an attendance repeat!

One of the training event segments Gerry presented in detail last time dealt with related party transactions internal to the organization and some of the unique challenges they can pose for fraud examiners.  Such ethical lapses take the form of schemes where individuals who approve one or more transactions for their organizations also benefit personally from them.  Per the ACFE, the business processes most affected by such scenarios are the loan function, the sales function and corporate purchases.

Regarding loan schemes, the key risks fraud examiners should look for are:

— The provision of loans to senior management, other employees, or board members at below-market interest rates or under terms not available in the marketplace;
— Failure to disclose the related party nature of the loan;
— The client organization providing guarantees for private loans made by employees or board members.

In these scenarios, the favorable terms benefit the employee at the expense of the employing organization.  To identify undisclosed loans to senior management, board members, and employees, the CFE could search for related-party loans using data analysis to compare the names on all notes receivables and accounts receivables with employee names from payroll records and board member names from board minutes. If a match occurs, the CFE should assess whether the related-party transaction was appropriately authorized and disclosed in the accounting records and financial statements.  Examiners can also search for undisclosed related-party loans by examining the interest rate, due dates, and collateral terms for notes receivables.  Notes receivable containing zero or unusually low interest rates, or requiring no due dates or insufficient collateral, may indicate related-party transactions.  The CFE can also examine advances made to customers or others who owe money to her client organization. Organizations generally do not advance money to others who owe them money unless a related-party relationship exists.

Gerry’s presentation for related party sales pin-pointed red flags like employees:

— Selling products or services significantly below market price or providing beneficial sales terms that ordinarily would not be granted to arms-length customers.
— Inflating sales for bonuses or stock options using related parties to perpetrate the scheme. Either a sale really has not taken place because the goods were not shipped or there was an obligation to repurchase the goods sold so the sale was incomplete.
— Approving excessive sales allowances or returns as well as accounts receivable adjustments or write-offs for related parties.

To cover up the related-party transaction, employees may deny reviewers access to customers to impede them from acquiring evidence concerning the related-party relationship.  Where the CFE suspects related party sales, s/he should perform analytical procedures to compare price variations among customers to identify those who pay significantly below the average sales price. Examiners can also attempt to identify any customer who pays prices that differ from the approved price sheet. Customer contracts can be directly analyzed for unusual rights of return, obligations to repurchase goods sold, and unusual extended repayment terms. Analytical procedures to identify customers with excessive returns, sales allowances, account receivable adjustments, or write-off’s may also be performed. Any variances in these areas might indicate undisclosed related-party transactions. Gerry also point out that data analysis can be used to efficiently compare employee addresses, telephone numbers, tax identification numbers, and birthdays with customer addresses, telephone numbers, tax identification numbers, and company organization dates. When creating a shell company, many individuals use their own contact information for convenience and their own birth date as the organization date because it is easy to remember. Any matches could indicate a related-party association and should be investigated minutely.

For third party purchases schemes, some of the key red flags are:

— the company paying prices significantly above market for goods or services;
— the company receiving significantly below average quality goods or services that are purchased at market prices for high quality goods or services;
— the company never actually receiving the purchased goods or services.

CFE’s should consider comparing cost variations among vendors to identify those whose costs significantly exceed the average cost. For identified variances, examiners should discover why the cost variations occurred to assess whether a related-party relationship exists. Like the examination steps for customers, it’s important to compare the employee’s address, telephone number, tax identification number, and birth date to vendors’ information to see if a relationship exists. CFE’s can also assess the use of sales intermediaries for products they can purchase directly from the manufacturer at lower costs.

For the comprehensive review of all this information, Gerry stressed that the level and quality of client company documentation is critical.  In reviewing their client organization’s documentation, the CFE may find that the organization does not have in place any policies or procedures prohibiting related-party relationships or transactions without prior approval. The organization also may not provide training to employees around related-party relationships and transactions, or require employees even to certify whether they are involved in any conflicts of interest with the organization. CFE’s should recommend, as a component of the fraud prevention program, that their client organization maintain written policies and procedures defining the process for obtaining approval for related-party relationships and transactions.

Key risks exist if:

— Written related-party policy and procedures are nonexistent or insufficient;
— Employees are not required to certify regularly whether they have a conflict of interest;
— Related-party transactions are not approved in accordance with established organizational policies and procedures;
— Related-party transactions are approved with exceptions to organizational policies and procedures.

The CFE should review approved related-party policies and procedures documentation. If related-party policies or procedures don’t exist or if they don’t sufficiently mitigate the risk of unauthorized or inappropriate related-party relationships or transactions, the examiner should consult with senior management and the board, if necessary, to offer guidance on a pro-active basis toward the development of such policies and procedures as a key fraud prevention measure.  The CFE should also review conflict of interest statements. If an employee documents a conflict of interest in his or her statement, the examiner should assess whether the conflict of interest was appropriately authorized and whether the process recognizes and discloses conflicts of interest.

Third party transactions are but a single topic of many to be covered by Gerry in our May event.  If you are called upon by your employer to investigate instances of fraud, waste and abuse both within your parent company and within related business affiliates, this is a seminar for you.  A well run internal investigation can enhance an enterprise’s well-being and can help detect the source of lost funds, identify responsible parties and recover losses. It can also provide a defense to legal charges by terminated or disgruntled employees. But perhaps most importantly, an internal investigation will signal to other employees that the company will not tolerate fraud. This seminar will prepare you for every step of an internal investigation into potential fraud, from receiving the initial allegation to testifying as a witness. Learn to lead an internal investigation with accuracy and confidence by gaining knowledge about key topics, such as relevant legal aspects of internal investigations, using computers in an investigation, collecting and analyzing internal information, interviewing witnesses and writing reports.

There are only 70 training slots available and our seminars fill up fast!  If you are interested in this vital investigative topic, you can find the seminar agenda, venue information, speaker bio and registration information at http://rvacfes.com/events/conducting-internal-investigations/.

On Auditors, Lawyers & Data

corp-counselWhen it comes to gaining access to sensitive, internal digital data during a forensic examination, the corporate council can be the fraud examiner’s best ally.  It, therefore, behooves us to fully understand the unifying role the client counsel holds in overseeing the entire review process.  As our guest blogger, Michael Hart, and other experienced practitioners have pointed out, data analysis becomes most effective when it’s integrated into the wider forensic accounting project.  If the end results are to cohere with findings from other sources, forensic data analysis should not be performed as a separate investigation, walled off from the other review efforts undertaken to benefit the client. Today, it’s a truism that data analysis can serve many functions within a forensic accounting project. On some occasions, it’s rightfully the main engine of an engagement. When such is the case, data analysis is used for highlighting potentially unusual items and trends. More often, however, in actual practice, data analysis is a complementary part of a wider forensic accounting investigation, a piece of a puzzle (and never the be all and end all of the investigation), that involves several other parallel methods of information analysis or evidence gathering, including document review, physical inspection, and investigative interviews.

The timing of the data analysis work depends on the extent to which the forensic accounting team needs to work with the results as defined by counsel. Frequently, once the method of a fraud has been established, data analysis is conducted to estimate the amount of damage. If the team knows that several components of an organization were affected by a fraud scheme, that team may be able to compare these results with those derived from analyses of unaffected branches and, after adjusting for other relevant factors, provide management with a broad estimate of the total effect on the financial statements. When such an approach is used, the comparison should be performed after the investigation has determined the characteristics of the fraud scheme. However, in most cases, as the ACFE tells us, the purpose of data analysis in an investigation is to identify suspicious activity on which the forensic accounting team can act.

Suspicious transactions can be identified in several ways: comparing different sources of evidence, such as accounting records and bank statements, to find discrepancies between them; searching digital records for duplicate transactions; or identifying sudden changes in the size, volume, or nature of transactions, which need to be explained. While data analysis often is a fast and effective way of highlighting potential areas of fraud, it will never capture every detail that an experienced fraud examiner can glean from reviewing an original document. If data analysis is performed to identify suspicious activity, it typically is performed before any manual review is carried out. This helps ensure that investigative resources are targeting suspicious areas and are concentrating on confirming fraudulent activity rather than concentrating on a search for such activity within a sea of legitimate transactions.

The first person to be contacted when there is a suspected fraud is typically in-house counsel. Depending on the apparent severity of the matter and its apparent location in the company, other internal resources to be alerted at an early stage, in addition to the board (typically through its audit committee), may include corporate security, internal audit, risk management, the controller’s office, and the public relations and investor relations groups. Investigations usually begin with extensive conversation about who should be involved, and the responsible executives may naturally wish to involve some or all the functions just mentioned.  Depending on the circumstances, the group of internal auditors (if there is one) can in fact be a tremendous asset to an independent forensic investigative team. As participants in the larger team, internal auditors’ knowledge of the company may improve both the efficiency with which evidence is gathered and the forensic team’s effectiveness in lining up interviews and analyzing findings. The ACFE advices client executives and in-house counsel to engage an external team but to consider making available to that team the company’s internal auditors, selected information systems staff and other internal resources for any investigation of substantial size.

The key to the success of all this from the forensic accountant’s point of view, especially in gaining access to critical digital data, can be the corporate counsel.  On one hand, the forensic accounting investigator may find that the attorney gives the forensic accounting investigator free rein to devise and execute a strategic investigative plan, subject to the attorney’s approval. That scenario is particularly likely in cases of asset misappropriation. On the other hand, some attorneys insist on being involved in all phases of the investigation. It’s the attorney’s call. When engaged by counsel, forensic accounting investigators take direction from counsel. You should advise per your best judgment, but in the end, you work at counsel’s direction.

When working with attorneys on projects involving sensitive digital data, forensic accounting investigators should specifically understand:

  • Their expected role and responsibilities vis-à-vis other team members;
  • Critical managers and players within the information systems shop and their various roles;
  • What other professionals are involved (current or contemplated);
  • The extent and source of any external scrutiny (SEC, IRS, DOJ, etc.);
  • Any legal considerations (extent of privilege, expectation that the company intends to waive privilege, expectation of criminal charges, and so on);
  • Anticipated timing issues, if any;
  • Expected form, timing, and audience of interim or final deliverables;
  • Specifics of the matters under investigation, as currently understood by counsel;
  • Any limitations on departments or personnel that can be involved, interviewed, or utilized in the investigation process.

Independent counsel, with the help of forensic accounting investigators, often takes the lead in setting up, organizing, and managing the entire investigative team. This process may include the selection and retention of other parties who make up the team. Independent counsel’s responsibilities typically encompass the following:

  • Preparing, maintaining, and disseminating a working-group list (very helpful in sorting out which law firms or experts represent whom);
  • Establishing the timetable in conjunction with the board of directors or management, disseminating the timetable to the investigating team, and tracking progress against it;
  • Compiling, submitting, and tracking the various document and personnel access requests that the investigating team members will generate;
  • Organizing client or team meetings and agendas;
  • Preparing the final report with or for the board or its special committee, or doing so in conjunction with other teams from which reports are forthcoming;
  • Establishing and maintaining communication channels with the board of directors and other interested parties, generally including internal general counsel, company management, regulatory personnel, law enforcement or tax authority personnel, and various other attorneys involved.

As fraud examiners, we’re frequently conversant in areas related to financial accounting and reporting such as valuation, tax, and the financial aspects of human resource management but conversant doesn’t necessarily indicate a sufficient level of knowledge to fully guide a complex organizational investigation.  What we can do, however, is to work closely with the corporate counsel to assist him or her in the building of a team on the back of which even the most complex examination can be brought to a successful conclusion.

Dr. Fraudster & the Billing Anomaly Continuum

healthcare-fraudThis month’s member’s lecture on Medicare and Medicaid Fraud triggered a couple of Chapter member requests for more specifics about how health care fraud detection analytics work in actual practice.

It’s a truism within the specialty of data analytics having to do with health care billing data that the harder you work on the front end, the more successful you’ll be in materializing information that will generate productive results on the back end.  Indeed, in the output of health care analytics applications, fraud examiners and health care auditors now have a new set of increasingly powerful tools to use in the audit and investigation of all types of fraud generally and of health care fraud specifically; I’m referring, of course, to analytically supported analysis of what’s called the billing anomaly continuum.

The use of the anomaly continuum in the general investigative process starts with the initial process of detection, proceeds to investigation and mitigation and then (depending on the severity of the case) can lead to the follow-on phases of prevention, response and recovery.   We’ll only discuss the first three phases here as most relevant for the fraud examination process and leave the prevention, response and recovery phases for a later post.

Detection is the discovery of clues within the data.  The process involves taking individual data segments related to the whole health care process (from the initial provision of care by the health care provider all the way to the billing and payment for that care by the insurance provider) and blending them into one data source for seamless analysis.  Any anomalies in the data can then be noted.  The output is then evaluated for either response or for follow-up investigation.  It is these identified anomalies that will go on at the end of the present investigative process to feed the detection database for future analysis.

As an example of an actual Medicare case, let’s say we have a health care provider whom we’ll call Dr. Fraudster, some of whose billing data reveals a higher than average percentage of complicated (and costly) patient visits. It also seems that Dr. Fraudster apparently generated some of this billings while travelling outside the country.  There were also referred patient visits to chiropractors, acupuncturists, massage therapists, nutritionists and personal trainers at a local gym whose services were also billed under Dr. Fraudster’s tax ID number as well as under standard MD Current Procedural Terminology (CPT) visit codes.  In addition, a Dr. Outlander, a staff physician, and an unlicensed doctor, was on Dr. Fraudster’s staff and billed for $5 an hour.  Besides Outlander, a Dr. Absent was noted as billing out of Dr. Fraudster’s clinic even though he was no longer associated with the clinic.

First off, in the initial detection phase, its seems Dr. Fraudster’s high-volume activity flagged an edit function that tracks an above-average practice growth rate without the addition of new staff on the claim form.  Another anomalous activity picked up was the appearance of wellness services presented as illness based services.  Also the billed provision of services while travelling is also certainly anomalous.

The following investigation phase involves ascertaining whether various activities or statements are true.  In Dr. Fraudster’s case, evidence to collect regarding his on-staff associate, Dr. Outlander, may include confirmation of license status, if any; educational training, clinic marketing materials and payroll records.  The high percentage of complicated visits and the foreign travel issues need to be broken down and each activity analyzed separately in full detail.  If Dr. Fraudster truly has a high complication patient population, most likely these patients would be receiving some type of prescription regime.  The lack of a diagnosis requirement with associated prescriptions in this case limited the scope of the real-life investigation.  Was Dr. Fraudster prescribing medications with no basis?  If he uses an unlicensed Doctor on his staff, presents wellness services as illness related services, and sees himself (perhaps) as a caring doctor getting reluctant insurance companies to pay for alternative health treatments, what other alternative treatment might he be providing with prescribed medications?  Also, Dr. Fraudster had to know that the bills submitted during his foreign travels were false.  Statistical analysis in addition to clinical analysis of the medical records by actual provider and travel records would provide a strong argument that the doctor had intent to misrepresent his claims.

The mitigation phase typically builds on issues noted within the detection and investigation phases.  Mitigation is the process of reducing or making a certain set of circumstances less severe.  In the case of Dr. Fraudster, mitigation occurred in the form of prosecution.  Dr. Fraudster was convicted of false claims and removed from the Medicare network as a licensed physician, thereby preventing further harm and loss.  Other applicable issues that came forward at trial were evidence of substandard care and medical unbelievability patterns (CPE codes billed that made no sense except to inflate the billing).  What made this case even more complicated was tracking down Dr. Fraudster’s assets.  Ultimately, the real-life Dr. Fraudster did receive a criminal conviction; civil lawsuits were initiated, and he ultimately lost his license.

From an analytics point of view, mitigation does not stop at the point of conviction of the perpetrator.  The findings regarding all individual anomalies identified in the case should be followed up with adjustment of the insurance company’s administrative adjudication and edit procedures (Medicare was the third party claims payer in this case).  What this means is that feedback from every fraud case should be fed back into the analytics system.  Incorporating the patterns of Dr. Fraudster’s fraud into the Medicare Fraud Prevention Model will help to prevent or minimize future similar occurrences, help find currently on-going similar schemes elsewhere with other providers and reduce the time it takes to discover these other schemes.  A complete mitigation process also feeds detection by reducing the amount of investigative time required to make the existence of a fraud known.

As practicing fraud examiners, we are provided by the ACFE with an examination methodology quite powerful in its ability to extend and support all three phases of the health care fraud anomaly identification process presented above.  There are essentially three tools available to the fraud examiner in every health care fraud examination, all of which can significantly extend the value of the overall analytics based health care fraud investigative process.  The first is interviewing – the process of obtaining relevant information about the matter from those with knowledge of it.  The second is supporting documents – the examiner is skilled at examining financial statements, books and records.   The examiner also knows the legal ramifications of the evidence and how to maintain the chain of custody over documents.  The third is observation – the examiner is often placed in a position where s/he can observe behavior, search for displays of wealth and, in some instances, even observe specific offenses.

Dovetailing the work of the fraud examiner with that of the healthcare analytics team is a win for both parties to any healthcare fraud investigation and represents a considerable strengthening of the entire long term healthcare fraud mitigation process.

Of Estimates, Errors & Fraud

fraud-warningThere was a local case of embezzlement in the news last week in which the suspected perpetrator claimed that a number of her seemingly fraudulent transactions, as identified by her company’s external auditors, were in reality ‘mistakes’ (mostly either accounting or estimating errors) or, in other cases, just simple missteps occasioned by ignorance of her company’s accounting policies. Somewhat surprisingly, this all too common defense seemed to cast some doubt, at least from the newspaper’s point of view, on the overall propriety of the entire prosecution. For me, the case brought to mind, on one hand, the differing roles of external auditors and forensic accountants and, on the other, the often critical role played in investigations by the introduction of the foggy elements of accounting estimates, simple errors and ignorance.

Unlike the external auditors in this case, the forensic accounting investigator’s concern is not limited to reaching a general opinion on financial statements taken as a whole, derived from reasonable efforts within a reasonable materiality boundary. Instead, the forensic accounting investigator’s concern is, at a much more granular level, with the detailed development of factual information—derived from both documentary evidence and testimonial evidence—about the who, what, when, where, how, and why of a specific, suspected or known impropriety.  In my opinion, it’s the lack of such investigative granularity in the follow-up to the simple discovery of the individual fraud by the auditors in this recent case that resulted in the ‘ambiguity’ expressed by the newspaper.

The auditors discovered the suspected fraud through their routine sampling procedures, which predication of the existence of an impropriety would have furnished the starting point for the work of a forensic accountant had one been called in. Think of it like the relationship between the accountant and the financial analyst.  The financial analyst’s work typically begins when that of the accountant ends; the audited financial statements are the foundation on which the work of the financial analyst rests.  So too do discoveries of improprieties by auditors often lead to a subsequent investigative hand off to forensic investigators.  The forensic investigator starts by seeking and examining all relevant evidence concerning the particular case made available, not only by the auditors, but by all the concerned parties.  Based on the investigative findings, the forensic accounting investigator then assesses and measures losses or other forms of damage to the organization and recommends and implements corrective actions, often including changes in accounting processes and policies and/or personnel actions. In addition, the forensic accounting investigator assists management in taking preventive actions to eliminate recurrence of the problem. In contrast to the external auditors, the forensic accounting investigator’s more complete findings and recommendations may form the basis of testimony in litigation proceedings or criminal actions against the perpetrators. They may also be used in testimony to government agencies such as the Securities and Exchange Commission in the United States or the Serious Fraud Office in the United Kingdom. Accordingly, the scope of the investigation and the evidence gathered and documented must be capable of withstanding challenges that may be brought by adversely affected parties on both sides of the prosecution or by skeptical regulators.

Clearly, there are many commonalities between auditing and forensic accounting which, at best , can support the formation of a close working partnership. Both rely on:

  • Knowledge of the industry and the company, including its business practices and processes;
  • Knowledge of the generally accepted accounting principles of the jurisdiction in question;
  • Interpretation of business documents and records;
  • Independence and objectivity—perhaps the most important commonality.

The foggy nature of estimates and errors arises in financial transactions and statements due to the continuous nature of business. Unlike a footrace that ends at the finish line or an athletic contest that ends with the final buzzer, a business and its transactions are continually in varying stages of completion. There are many items in a financial statement for which the final outcome is not known with precision. Given the complexity and continuity of business, it’s difficult to capture a clear snapshot of a company’s financial position and performance at a random point in time. As a general matter, estimates are most commonly made concerning the final amounts of cash that will be received or paid once assets or liabilities are finally converted into cash. Such estimates can encompass, for example, allowances for uncollectible customer receivables, estimates of liabilities for claims or lawsuits brought against a company, the amount of profit or loss on a long-term contract, and the salability of inventory that is past its prime. Most estimates are based on three types of information: past performance of the same or similar items, what is currently occurring, and what management perceives as the probable outcome. Further complicating matters, the weight to assign each type of information varies depending on the particular circumstances. But no matter how determined, unlike the score of a sporting contest, an estimate on the books or in financial statements is a prediction of what will happen, not the objective tally of what has already taken place.  For all these and a host of other reasons, the ACFE tells us that accounting estimates are always a fertile ground for every type of financial fraud.

What the forensic investigator brings into this mix is his or her informed, holistic approach (as outline above) to the detailed analysis of any specific, predicated fraud.   Legitimate assertion of managerial confidence in the business’s ability to achieve certain estimated results is one thing. A deceptive misinterpretation that is intended to generate a favorable estimate is another thing altogether and may pose a substantial investigative challenge well beyond the scope of most routine financial audits. Practicing forensic accounting investigators are trained to address the often vexing complexities and alternative rationales that may be offered to explain the difference between an estimate and an actual result. Given that estimates often constitute the cause of material differences in financial statement presentations, the ability to distinguish between the manipulatively self-serving and the merely incorrect is a critical element of many forensic investigations.

To get back to our newspaper case, U.S. auditing standards state that the main difference between fraud and error is intent. Errors are unintentional misstatements or omissions of amounts or disclosures in financial statements. So, errors may involve:

  • Mistakes in gathering or processing data from which financial statements are prepared;
  • Unreasonable accounting estimates arising from oversight or misinterpretation of facts;
  • Mistakes in the application of accounting principles related to amount, classification, manner of presentation, or disclosure.

Fraud, on the other hand, is defined in SAS 99 as an intentional act that results in a material misstatement. The motive or intent of an individual in making accounting entries is not the primary focus of the external auditor’s procedures as it is of the forensic investigators. Auditors direct their efforts toward determining objectively measurable criteria regarding account balances and transactions by asking: Do the assets exist? How much was paid? What is the basis of the estimate? Is it reasonable? How much was collected? Were the goods shipped to the customer? By asking questions such as these and obtaining evidence to support the estimate where appropriate, auditors can be better positioned to ascertain that the amounts in the books are correct. Thus, given the focus of the auditor, intent is not uniformly relevant; evaluation of intent is a subjective as opposed to an objective evaluation, and ascertaining intent is a difficult exercise at which the trained forensic accountant is highly skilled.

For the foreseeable future, corporate fraud will continue to present substantial challenges and opportunities for fruitful partnership between auditors and forensic accounting investigators. However, it must be recognized that the complexities of the business world and the ingenuity of highly educated, white-collar criminals will always manage to produce schemes that unfortunately go undetected until they reach significant proportions. Forensic accounting investigators will investigate, prosecutors will convict, and regulators will react with new and more requirements … and, without question,  the fraudsters will always be with us.

Mining the General Ledger

miningI was chatting via Skype over this last week-end with a former officer of our Chapter who left the Richmond area many years ago to found his own highly successful forensic accounting practice on the west coast.  During our conversation, he remarked that he never fails to intensively indoctrinate trainees new to his organization in an understanding of the primary importance of the general ledger in any investigation of financial fraud.  With a good sense of those areas of the financial statements most vulnerable to fraud, and with whatever clues the investigative team has gleaned from an initial set of interviews focusing on those accounting entries initially arousing suspicion, he tells his trainees that they’re ready to turn their attention to a place with the potential to provide a cornucopia of useful information. That place is the client firm’s own accounting system general ledger.

My old colleague pointed out that for a fraud examiner or forensic accountant on the search for fraud, there are several great things about the general ledger. One is that virtually all sophisticated financial reporting systems have one. Another is that, as the primary accounting tool of the company, it reflects every transaction the company has entered.

He went on to say that unless the fraud has been perpetrated simply through last-minute topside adjustments, it’s captured in the general ledger somewhere. What’s vital is knowing how, and where, to look. The important thing to keep in mind is the way the ACFE tells us that financial fraud starts and grows. That guidance says that ledger entries entered at particular points of time — say, the final days leading up to the end of a quarter — are more likely to reflect falsified information than entries made at earlier points. Beyond that, a fraudulent general ledger entry in the closing days of a quarter may reflect unusual characteristics. For example, the amounts involved say, having been determined, as they were, by the need to cross a certain numerical threshold rather than by a legitimate business transaction may by their very nature look a bit strange.  Perhaps they’re larger than might be expected or rounded off. It also may be that unusual corporate personnel were involved—executives who would not normally be involved in general ledger entries. Or, if the manipulating executives are not thinking far enough ahead, the documentation behind the journal entries themselves may not be complete or free from suspicion. For example, a non-routine, unusually large ledger entry with rounded numbers that was atypically made at the direction of a senior executive two days before the end of a quarter should arouse some suspicion.

Indeed, once a suspicious general ledger entry has been identified, determining its legitimacy can be fairly straightforward. Sometimes it might involve simply a conversation with the employee who physically made the entry.  My colleague went on to point out that, in his experience, senior executives seeking to perpetrate financial fraud often suffer from a significant handicap: they don’t know how to make entries to the accounting system. To see that a fraudulent entry is made, they have to ask some employee sitting at a computer screen somewhere to do it for them, someone who, if properly trained, may want to fully understand the support for a non-routine transaction coming from an unusual source. Of course, if the employee’s boss simply orders him or her to make the entry, resistance may be awkward. But, if suspicions are aroused, the direction to enter the entry may stick in the employee’s memory, giving the employee the ability to later describe in convincing detail exactly how the ledger entry came to be made. Or, concerned about the implications and the appearance of his own complicity, the employee may include with the journal entry an explanation that captures his skepticism. The senior executive directing the entry may be oblivious to all this. S/he thinks she has successfully adjusted the general ledger to create the needed earnings. Little does she know that within the ledger entry the data-entering employee has embedded incriminating evidence for the forensic accountants to find.

The general ledger may reflect as well large transactions that simply by their nature are suspicious. The investigators may want to ask the executive responsible about such a transaction’s business purpose, the underlying terms, the timing, and the nature of the negotiations. Transaction documentation might be compared to the general ledger’s entry to make sure that nothing was left out or changed. If feasible, the forensic accountants may even want to reach out to the entry’s counter-party to explore whether there are any unrecorded terms in side letters or otherwise undisclosed aspects of the transaction.

As we all know, an investigation will not ordinarily stop with clues gleaned from the general ledger. For example, frequently a useful step is to assess the extent to which a company has accounted for significant or suspicious transactions in accordance with their underlying terms. Such scrutiny may include a search for undisclosed terms, such as those that may be included in side letters or pursuant to oral agreements. In searching for such things, the investigators will seek to cast a wide net and may try to coax helpful information from knowledgeable company personnel outside the accounting function. As our former Central Virginia Chapter officer put it, “I like to talk to the guys on the loading dock. They’ll tell you anything.”

As I’m sure most readers of this blog are aware, while such forensic accounting techniques, and there are many others, can be undertaken independently of what employee interviews turn up, usually the two will go hand in hand. For example, an interview of one employee might yield suspicions about a particular journal entry, which is then dug out of the accounting system and itself investigated. Or an automated search of the general ledger may yield evidence of a suspicious transaction, resulting in additional interviews of employees. Before long, the investigative trail may look like a roadmap of Washington DC. Clues are discovered, cross-checked against other information, and explored further. Employees are examined on entries and, as additional information surfaces, examined again. As the investigation progresses, shapes start to appear in the fog. Patterns emerge. And those executives not being completely candid look increasingly suspicious.

So, with thanks to our good friend for sharing, in summary, if there is predication of a fraud, what sorts of things might a thorough forensic examination of the general ledger reveal?

–The journal entries that the company recorded to implement the fraud;

–The dates on which the company recorded fraudulent transactions;

–The sources for the amounts recorded (e.g., an automated sub-accounting system, such as purchasing or treasury, versus a manually prepared journal entry);

–The company employee responsible for entering the journal entries into the accounting system;

–Adjusting journal entries that may have been recorded.