Category Archives: Forensic Accounting

Trust but Check

The community support for a business, and business in general, depends on the credibility that stakeholders place in corporate commitments, the company’s reputation, and the strength of its competitive advantage. All of these depend on the trust that stakeholders place in a company’s activities. Trust, in turn, depends on the values underlying corporate activities. Off-shore accounts, manipulation of shell corporations to evade taxes, loan fraud and management self-dealing are just a few instances of the moral cancer that, drop by drop, erodes trust until the point where the free enterprise systems of democratic nations are replaced by naked oligarchy, kleptocracy and cultures of corruption.

If the interests of all stakeholders are systematically not respected, then action that continues to be often painful to shareholders, officers, and directors usually occurs. In fact, it is unlikely that businesses or professions can achieve their long-run strategic objectives without the support of key stakeholders, such as shareholders, employees, customers, creditors, suppliers, governments, and host communities.

A constant theme and trend (as echoed in the trade press) has become increasingly more evident since the turn of the century. The judgment and moral character of executives, owners, boards of directors, and auditors has been often insufficient, on their own, to prevent increasingly severe corporate, ethical, and governance scandals. Governments and regulators world-wide have been required to constantly tighten guidelines and governance regulations to assure the protection of the public. The self-interested lure of greed has proven to be too strong for many to resist, and they have succumbed to conflicts of interest when left too much on their own. Corporations that were once able to shift jurisdictions to avoid new regulations regarding tax and other matters now are facing global measures designed to expose and control questionable ethics and governance practices. Assurance professionals themselves, of all types, are also facing international standards of behavior.

These changes have come about because of the pressures brought to bear on corporations and management by the reporting of scandals and abuses by a still potent free press and by suits by activist investors and other involved stakeholders. But changes in laws, regulations, and standards are only part of what stakeholders have contributed. The expectations for good ethical behavior and good governance practices have changed. Failure to comply with these expectations now impacts reputations, profits, and careers even if the behavior is strictly within legal boundaries.

As ACFE training tells us, it’s become increasingly evident to most executives, owners, and auditors that their individual success is directly related to their ability to develop and maintain a corporate culture of integrity. They cannot afford the loss of reputation, revenue, reliability, and credibility as a result of a loss of integrity. It is no longer an effective, sustainable, or medium or long-term strategy to project or practice questionable ethics. ACFE training goes on to indicate a number of causes, or signs, of ethical problems within any given corporation:

— Pressure to meet goals, especially financial ones, at any cost;
–A culture that does not foster open and candid conversation and discussion;
–A CEO who is surrounded by people who will agree and flatter the CEO, as well as a CEO whose reputation is ‘beyond criticism’;
–Weak boards that do not exercise their fiduciary responsibilities with diligence;
–An organization that promotes people on the basis of nepotism and favoritism;
–Hubris. The arrogant belief that rules are for other people, but not for us;
–A flawed cost/benefit attitude that suggests that poor ethical behavior in one area can be offset by good ethical behavior in another area.

The LIBOR rate scandal of 2012 is an almost perfect example of ethical collapse and manifests a majority of the red flags enumerated above. The scandal featured the systematic manipulation of a benchmark interest rate, supported by a culture of fraud in the world’s biggest banks, in an environment where little or no regulation prevailed. After decades of abuse that enriched the big banks, their shareholders, executives and traders, at the expense of others, investigations and lawsuits were finally undertaken resulting in prosecutions and huge penalties for the banks and the individual traders involved.

The London Interbank Offered Rate (LIBOR) rate is a rate of interest, first computed in 1985 by the British Banking Association (BBA), the Bank of England and others, to serve as a readily available reference or benchmark rate for many financial contracts and arrangements. Prior to its creation, contracts utilized many privately negotiated rates, which were difficult to verify, and not necessarily related to the market rate for the security in question. The LIBOR rate, which is the average interest rate estimated by leading banks that they would be charged if they were to borrow from other banks, provided a simple alternative that came to be widely used.

At the time of the LIBOR scandal, 18 of the largest banks in the world provided their estimates of the costs they would have had to pay for a variety of interbank loans (loans from other banks) just prior to 11:00 a.m. on the submission day. These estimates were submitted to Reuters news agency (who acted for the BBA) for calculation of the average, and its publication, and dissemination. Reuters set aside the four highest and four lowest estimates and averaged the remaining ten.

So huge were the investments affected that a small manipulation in the LIBOR rate could have a very significant impact on the profit of the banks and of the traders involved in the manipulation.

Insiders to the banking system knew about the manipulation of LIBOR rate submissions for decades, but changes were not made until the public became aware of the problem, and until the U.S. Department of Justice (DOJ) forced the U.K. government to act. The president of the New York Federal Reserve Bank (Fed), at that time emailed the governor of the Bank of England in June 2008, suggesting ways to “enhance” LIBOR. Although ensuing emails report agreement on the suggestions, and articles appeared in the trade press from 2008 to 2011, serious changes were not applied until October 2012 when the U.K. government accepted the recommendations of the Wheatley Review of Libor. This Review by Martin Wheatley, managing director of British Financial Services Authority, was commissioned in June 2012 in view of investigations, charges and settlements that were raising public awareness of LIBOR deficiencies.

One of the motivations for creating the Wheatley Review involved the prosecution of a former UBS and later Citigroup Inc. trader, on criminal fraud charges for manipulating the LIBOR rates. The trader, known to insiders as the “Rain Man” for his abilities and demeanor, allegedly sought his superiors approval before attempting to influence the LIBOR rates, an act that some observers thought at the time would provide a strong defense against conviction.

Insiders who knew of LIBOR manipulations were generally reluctant to take a public stand for earlier change. However, on July 27, 2012, a former trader for Morgan Stanley in London, published an article that told of his earlier attempts to bring LIBOR rate manipulations to the attention of authorities, but without success. In his article, he indicated how he learned as a new trader in 1991 that the banks manipulated their rate submissions to make profit on specific contracts, and to mask liquidity problems such as during the subprime lending crisis of 2008. For example, if the LIBOR rate submissions were misstated to be low, the discounted valuation of related assets would be raised, thus providing misleadingly higher levels of short-term, near-cash assets than should have been reported.

Numerous studies since the scandal have detailed the effects of unethical LIBOR manipulation. Just two examples of such manipulation. At the time of the scandal many home owners borrowed their mortgage loans on a variable- or adjustable-rate basis, rather than a fixed-rate basis. Consequently, many of these borrowers received a new rate at the first of every month based on the LIBOR rate. A study prepared for a class action lawsuit has shown that on the first of each month for the period 2007-2009, the LIBOR rate rose more than 7.5 basis points on average. As a consequence, one observer estimated that each LIBOR submitting bank may be liable for as much as $2.3 billion.

Municipalities raise funds through the issue of bonds, and many were encouraged to issue variable-rate, rather than fixed-rate, bonds to take advantage of lower interest payments. For example, the saving could be as much as $1 million on a $100 million bond. After issue, the municipalities were encouraged to buy interest rate swaps from their investment banks to hedge their risk of volatility in the variable rates by converting or swapping into a fixed rate arrangement. The seller of the swap agrees to pay the municipality for any requirement to pay interest at more than the fixed rate agreed if interest rates rise, but if interest rates fall the swap seller buys the bonds at the lower variable interest rate. However, the variable rate was linked to the LIBOR rate, which was artificially depressed, thus costing U.S. municipalities as much as $10 billion. Class action suits were eventually launched to recover these losses, which cost municipalities, hospitals, and other non-profits as much as $600 million a year.

At the end of the day, trust in each other and in our counter-parties is all we really have as economic actors; CFE’s and forensic accountants thus have a vital role to play in investigating, documenting and assisting in the identification and possible prosecution of those who, like the LIBOR manipulators, knowingly collude in making the choice to violate that trust.

Targeting the Blockchain

Both the blockchain and its digital engineering support structures underlying the digital currencies that are fast becoming the financial and transactional media of choice for the nefarious, are now increasingly finding themselves under various modes of fraudster attack.

Bitcoins, the most familiar blockchain application, were invented in 2009 by a mysterious person (or group of people) using the alias Satoshi Nakamoto, and the coins are created or ‘mined’ by solving increasingly difficult mathematical equations, requiring extensive computing power. The system is designed to ensure no more than twenty-one million Bitcoins are ever generated, thereby preventing a central authority from flooding the market with new Bitcoins. Most Bitcoins are purchased on third-party exchanges with traditional currencies, such as dollars or euros, or with credit cards. The exchange rates against the dollar for Bitcoin fluctuate wildly and have ranged from fifty cents per coin around the time of its introduction to over $1,240 in 2013 to around $600 today.

The whole point of using a blockchain is to let people, in particular, people who don’t trust one another, share valuable data in a secure, tamper-proof way. That’s because blockchains store data using sophisticated math and innovative software rules that are extremely difficult for attackers to manipulate. But as cases like the Mount Gox Bitcoin hack demonstrate, the security of even the best designed blockchain and associated support systems can fail in places where the fancy math and software rules come into contact with humans; humans who are skilled fraudsters, in the real world, where things quickly get messy. For CFEs to understand why, start with what makes blockchains “secure” in principle. Bitcoin is a good example. In Bitcoin’s blockchain, the shared data is the history of every Bitcoin transaction ever made: it’s a plain old accounting ledger. The ledger is stored in multiple copies on a network of computers, called “nodes:’ Each time someone submits a transaction to the ledger, the nodes check to make sure the transaction is valid, that whoever spent a bitcoin had a bitcoin to spend. A subset of the nodes competes to package valid transactions into “blocks” and add them to a chain of previous blocks. The owners of these nodes are called miners. Miners who successfully add new blocks to the chain earn bitcoins as a reward.

What makes this system theoretically tamperproof is two things: a cryptographic fingerprint unique to each block, and a consensus protocol, the process by which the nodes in the network agree on a shared history. The fingerprint, called a hash, takes a lot of computing time and energy to generate initially. It thus serves as proof that the miner who added the block to the blockchain did the computational work to earn a bitcoin reward (for this reason, Bitcoin is said to employ a proof-of-work protocol). It also serves as a kind of seal, since altering the block would require generating a new hash. Verifying whether or not the hash matches its block, however, is easy, and once the nodes have done so they update their respective copies of the blockchain with the new block. This is the consensus protocol.

The final security element is that the hashes also serve as the links in the blockchain: each block includes the previous block’s unique hash. So, if you want to change an entry in the ledger retroactively, you have to calculate a new hash not only for the block it’s in but also for every subsequent block. And you have to do this faster than the other nodes can add new blocks to the chain. Consequently, unless you have computers that are more powerful than the rest of the nodes combined (and even then, success isn’t guaranteed), any blocks you add will conflict with existing ones, and the other nodes will automatically reject your alterations. This is what makes the blockchain tamperproof, or immutable.

The reality, as experts are increasingly pointing out, is that implementing blockchain theory in actual practice is difficult. The mere fact that a system works like Bitcoin, as many copycat cryptocurrencies do, doesn’t mean it’s just as secure as Bitcoin. Even when developers use tried and true cryptographic tools, it’s easy to accidentally put them together in ways that are not secure. Bitcoin has been around the longest, so it’s just the most thoroughly battle-tested.

As the ACFE and others have indicated, fraudsters have also found creative ways to cheat. Its been shown that there is a way to subvert a blockchain even if you have less than half the mining power of the other miners. The details are somewhat technical, but essentially a “selfish miner” can gain an unfair advantage by fooling other nodes into wasting time on already-solved crypto-puzzles.

The point is that no matter how tamperproof a blockchain protocol is, it does not exist in a vacuum. The cryptocurrency hacks driving recent headlines are usually failures at places where blockchain systems connect with the real world, for example, in software clients and third-party applications. Hackers can, for instance, break into hot wallets, internet-connected applications for storing the private cryptographic keys that anyone who owns cryptocurrency requires in order to spend it. Wallets owned by online cryptocurrency exchanges have become prime targets. Many exchanges claim they keep most of their users’ money in cold hardware wallets, storage devices disconnected from the internet. But as the recent heist of more than $500 million worth of cryptocurrency from a Japan based exchange showed, that’s not always the case.

Perhaps the most complicated touchpoints between blockchains and the real world are smart contracts, which are computer programs stored in certain kinds of blockchain that can automate financial and other contract related business transactions. Several years ago, hackers exploited an unforeseen quirk in a smart contract written on Ethereum’s blockchain to steal 3.6 million Ether, worth around $80 million at the time from a new kind of blockchain-based investment fund. Since the investment fund’s code lived on the blockchain, the Ethereum community had to push a controversial software upgrade called a hard fork to get the money back, essentially creating a new version of history in which the money was never stolen. According to a number of experts, researchers are scrambling to develop other methods for ensuring that smart contracts won’t malfunction.

An important supposed security guarantee of a blockchain system is decentralization. If copies of the blockchain are kept on a large and widely distributed network of nodes, there’s no one weak point to attack, and it’s hard for anyone to build up enough computing power to subvert the network. But recent reports in the trade press indicate that neither Bitcoin nor Ethereum is as decentralized as the public has been led to believe. The reports indicate that the top four bitcoin-mining operations had more than 53 percent of the system’s average mining capacity per week. By the same measure, three Ethereum miners accounted for 61 percent of Ethereum transactions.

Some experts say alternative consensus protocols, perhaps ones that don’t rely on mining, could be more secure. But this hypothesis hasn’t been tested at a large scale, and new protocols would likely have their own security problems. Others see potential in blockchains that require permission to join, unlike in Bitcoin’s case, where anyone who downloads the software can join the network.

Such consensus systems are anathema to the antihierarchical ethos of cryptocurrencies, but the approach appeals to financial and other institutions looking to exploit the advantages of a shared cryptographic database. Permissioned systems, however, raise their own questions. Who has the authority to grant permission? How will the system ensure that the validators are who they say they are? A permissioned system may make its owners feel more secure, but it really just gives them more control, which means they can make changes whether or not other network participants agree, something true believers would see as violating the very idea of blockchain.

So, in the end, for CFEs, the word ‘secure’ ends up being very hard to define in the context of blockchains. Secure from whom? Secure for what?

A final thought for CFEs and forensic accountants. There are no real names stored on the Bitcoin blockchain, but it records every transaction made by your user client; every time the currency is used the user risks exposing information that can tie his or her identity to those actions. It is known from documents leaked by Edward Snowden that the US National Security Agency has sought ways of connecting activity on the Bitcoin blockchain to people in the physical world. Should governments seek to create and enforce blacklists, they will find that the power to decide which transactions to honor may lie in the hands of just a few Bitcoin miners.

#We Too

The #Me Too phenomenon is just one of the latest instances of a type of fraud featuring a betrayal of trust by a fellow community member which is as old as humanity itself. The ACFE calls it affinity fraud, and it is one of the most common instances of fraud with which any CFE or forensic account is ever called upon to deal. The poster boy for affinity frauds in our time is, of course, Bernard L. Madoff, whose affinity fraud and Ponzi scheme ended with his arrest in 2008. The Madoff scandal is considered an affinity fraud because the vast majority of his clientele shared Madoff’s religion, Judaism. Over the years, Madoff’s clientele grew to include prominent persons in the entertainment industry, including Steven Spielberg and Larry King. This particular affinity fraud was unprecedented because it was perpetrated by Madoff over several decades, and his investment customers were defrauded of approximately twenty billion dollars.

But not all targets of affinity fraud are wealthy investors; such scams touch all genders, religions, age groups, races, statuses, and educational levels. One of the saddest are affinity frauds targeting children and the elderly.

Con artists prey on vulnerable underage targets by luring them to especially designed websites and phone Aps and then collecting their personal information. TRUSTe, an Internet privacy seal program, is a safe harbor program under the terms of the Children’s Online Privacy Protection Act (COPPA) administered by the U.S. Federal Trade Commission. This was the third safe harbor application approved by the Commission. Safe harbor Aps and programs are submitted by the Children’s Advertising Review Unit (CARL) of the Council of Better Business Bureaus, an arm of the advertising industry’s self-regulatory program, and the Entertainment Software Rating Board (ESRB), which were both previously approved as COPPA safe harbors. Sadly, in spite of all this effort, data collection abuses by websites and Aps targeting children continue to increase apace to this day.

Then there’s the elderly. It’s an unfortunate fact that elderly individuals are the most frequent targets of con artists implementing all types of affinity frauds. Con artists target the elderly, since they may be lonely, are usually willing to listen, and are thought to be more trusting that younger individuals. Many of these schemes are performed over the telephone, door-to-door, or through advertisements. The elderly are especially vulnerable targets for schemes related to credit cards, sweepstakes or contests, charities, health products, magazines, home improvements, equity skimming, investments, banking or wire transfers, and insurance.

Fraudsters will use different tactics to get the elderly to cooperate in their schemes. They can be friendly, sympathetic, and willing to help in some cases, and use fear tactics in others. The precise tactics used are generally tailored to the type of individual situation the con artist finds herself in in relation to the mark.

Ethically challenged fraud practitioners frequently focus on home ownership related schemes to take advantage of the vulnerable elderly. The scammer will recommend a “friend” that can perform necessary home repairs at a reasonable price. This friend may require the mark to sign a document upon completion confirming that the repairs have been completed. In some cases, the elderly victim later learns that s/he signed the title of his house over to the repairman. In other cases, not only is the person overcharged for the work, but the work is not performed properly or at all.

Another frequent scheme targeting the elderly involves sweepstakes or prizes. The fraudster continues to influence the elderly victim over a period of time with the hope that the victim will eventually win the “grand prize” if they will just send in another fee or buy a few more magazines.

Fraudsters also frequently solicit the elderly with “great” investment opportunities in precious metals, artwork, securities, prime bank guarantees, futures, exotics, micro-cap stocks, penny stocks, promissory notes, pyramid and Ponzi schemes, insurance, and real estate. Other common scams involve equity skimming programs, debt consolidation offers, or other debt relief services which only result in the loss of the home used as collateral if the victimized debtor misses a payment.

The societal effects of affinity fraud are not limited solely to the amount of funds lost by investors, churches, the elderly or by other types of victims. Once these frauds are uncovered, investor confidence can diminish the financial and other legitimate markets, and a general level of distrust can decrease the government’s ability to provide protection. Loss of confidence manifested itself after the Madoff fiasco with such negative effects evident throughout the economy. Unfortunately, affinity fraud erodes the trust needed for legitimate investments to occur and grow our economy. Essentially, affinity fraud victims of all types become less likely to trust any future monetary request and honest charitable organizations suffer from a loss of endowments. Subsequent to a large affinity fraud being discovered, time is spent by regulators and law enforcement not only prosecuting these cases but also in the expenditure of endless taxpayer dollars assessing what went wrong. Time consuming, expensive investigations generally also include implementation of regulatory changes in an attempt to assist in detection of these frauds in the future, another costly burden on taxpayers.

Once affinity fraud offenders have targeted a community or group, they seek out respected community leaders to vouch for them to potential victims. By having an esteemed figurehead who appears to be knowledgeable about the investment or other opportunity and endorses it, the offender creates legitimacy for the con. Additionally, others in the community are less likely to ask questions about a venture or investment if a community leader recommends or endorses the fraudster. In the Madoff case, Madoff himself was a highly esteemed member of the community he victimized.

Experts tells us that projection bias is one reason why affinity fraudsters are able to continually perpetrate these types of crimes. Psychological projection is a concept introduced by Freud to explain the unconscious transference of a person’s own characteristics onto another person. The victims in affinity fraud cases project their own morals onto the fraudsters, presuming that the criminals are honest and trustworthy. However, the similarities are almost certainly the reason why the fraudster targeted the victims in the first place. In some cases when victims are interviewed after the fact, they indicate to law enforcement that they trusted the fraudster as if they were a family member because they believed that they both shared the same value system.

Because victims in affinity frauds are less likely to question or go outside of their group for assistance, information or tips regarding the fraud may not ever reach regulators or law enforcement. In religion related cases, there is often an unwritten rule that what happens in church stays there, with disputes handled by the church elders or the minister. Once the victims place their trust in the fraudster, they are less likely to even believe they have been defrauded and also unlikely to investigate the con.

The ACFE tells us that in order to stop affinity frauds from occurring in the first place, one of the best fraud prevention tools is the implementation of increased educational efforts. Education is especially important in geographical areas where tight-knit cultural communities reside who are particularly vulnerable to these frauds. By reaching out to the same cultural or religious leaders that fraudsters often target in their schemes, law enforcement could launch collaborative relationships with these groups in their educational efforts.

In summary, frauds like Madoff’s occur daily on a much smaller scale in communities across the United States. The effects of these affinity frauds are widespread, and the emotional consequences experienced by the victims of these scams cannot be overstated. CFEs, assurance professionals, regulators and law enforcement and investigative personnel need to assess the harm caused by affinity fraud and continue to determine what steps need to be taken to effectively confront these types of scams. State and Federal laws should be reviewed and amended where necessary to ensure appropriate enhanced sentencing is enforced for all egregious crimes involving affinity fraud. Regulators and law enforcement should approach fraud cases from different angles in an attempt to determine if new methods may be more effective in their prosecution.

Additionally, anti-fraud education as provided by the ACFE is needed for both the general and investing publics and for regulators and law enforcement personnel to ensure that they all have the proper knowledge and tools to be able to understand, detect, stop, and prevent these types of scenarios. Affinity frauds are not easily anticipated by the victims because people are not naturally inclined to think that one of their own is going to cheat them. Affinity frauds can, therefore, only be most effectively curtailed by the very communities who are their victims.

Skilled for Success

Our Chapter is periodically contacted by human resource staff and others seeking CFEs for recruitment to both in-house staff and management positions. I took the opportunity afforded by one such call this last week to query the caller about what her ideal CFE candidate would look like. What attributes came to mind when she pictured the experienced CFE she was seeking? Technical ability? Investigative knowledge? Attention to detail?

All of those were certainly important, she said, but since this position would supervise others and deal directly with clients, she mentioned what she called ‘success skills’ (sometimes termed soft skills) as of over-riding importance. I asked her what she meant by success skills specifically and she said that for her and for many other human resource professionals, the culture of the organization she is recruiting for and the professional’s interpersonal behaviors and critical reasoning and judgment can frequently heavily outweigh technical skills and relevant experience. After I referred her to several folks who had furnished our Chapter with resumes for just this kind of enquiry, my caller pointed me to several sources where I could obtain information on the types of skills to which she was referring.

My somewhat cursory research revealed that some of the most common success skills employers look for and which they use to assess experienced employment candidate CFEs today include:

1. A strong work ethic — are they motivated and dedicated to getting the job done, no matter what? Will they be conscientious and do their best work?
2. A positive attitude — are they optimistic and upbeat? Will they generate good energy and good will especially with subordinates and clients?
3. Good communication skills — are they verbally articulate and good listeners? Can they make their case and express their needs in a way that builds bridges with colleagues, clients and team members?
4. Time management abilities – does the CFE candidate know how to prioritize tasks and work on a number of different projects at once? Will they use their time on the job wisely?
5. Problem-solving skills — are they resourceful and able to creatively solve problems that will inevitably arise during challenging investigations? Will they take ownership of problems or leave them for someone else?
6. Being a team player — will they work well in groups and teams? Will they be cooperative and take a leadership role when appropriate?
7. Self-confidence — do they truly believe they can do the job? Will they project a sense of calm and inspire confidence in others during investigative assignments? Will they have the courage to ask the questions that need to be asked and to freely contribute their ideas?
8. Ability to accept and learn from criticism — will they be able to handle criticism? Are they coachable and open to learning and growing as a person and as a professional no matter their present experience and authority level?
9. Flexibility/adaptability — are they able to adapt to new situations and challenges? Will they embrace change and be open to innovative ideas and investigative approaches?
10. Working well under pressure — can they handle the stress that accompanies investigative and reporting deadlines and crises? Will they be able to do their best work and come through for the employer in a pinch?

Armed with this information, I got back in touch with my caller and asked a few more questions; she was very forthcoming. It turns out that there is a wide range of questions interviewers can ask when trying to gauge the soft skills of a potential CFE hire. When it comes to interpersonal skills, my interviewee told me they may ask candidates to describe an unusual person they know and why the person may be different. Communication skills can be determined by having candidates relate their experiences with an angry or frustrated corporate counsel, client, coworker or interviewee. A popular question that is often asked to measure the ability of a candidate to work on a team is centered on the discussion of an investigative project that was not successful and how it was handled. The question of solutions to problems may also deal with negative situations and how they were overcome. Therefore, questions used to assess success skills often have an individual addressing the how and why, rather than what, where or who.

The next question I had for my respondent was regarding her opinion as to how a candidate CFE could go about acquiring and strengthening these skills since they really don’t involve the type of technical matters typically focused on in the everyday business school training curriculum. She replied that working with people who exhibit strong soft skills is an effective way of learning those skills. Many professional organizations like the ACFE run internal mentoring programs so that senior practitioners can pass on their knowledge and experience to newer professionals. Training events of local chapters of associations such as the ACFE are another good place to meet with experienced professionals who can assist with mentoring and soft skills.

It seems to me that success skill communication especially under-pin all aspects of the CFEs work. I can remember very early on in my auditing career reading that communication is not easy because something said doesn’t mean it was said correctly; something said correctly doesn’t
mean it has been heard; something heard doesn’t mean it was understood; something understood doesn’t mean it has been agreed upon; something agreed upon doesn’t mean it has been applied; something applied doesn’t mean it has been continually practiced. Communicating anything effectively as a professional is, therefore, an on-going continuous process that is almost never complete and seldom perfect.

The desire to grow professionally and develop a successful career is evident in most CFEs, as in all other professionals, and while the opportunity to be on the forefront of this challenge exists, it is not emphasized enough, hence what recruiters and human resource professionals have identified as the success skills gap. Critical success skills, such as interpersonal behavior, communication, report writing and presentation skills, that augment technical skills are important in developing a successful career. However, to the disadvantage of employees, especially young professionals, these skills are seldom even emphasized let alone actively taught in the typical workplace. Similarly, employees do not recognize the lack of or need for such skills and miss valuable opportunities to improve them.

In an increasingly information- and technology-driven society, success skills increasingly shape the structure of the workplace. This fact is found to be especially evident in the audit, investigative and information systems environments. Assurance professionals need to interact seamlessly with customers/clients, work in teams, communicate technical details and build relationships.

Managers hiring new and experienced CFEs will always ask: Is the candidate able to lead a team successfully, communicate effectively, make presentations or write an investigative report to management? These are key skills that determine promotions, raises and job success.

In summary, CFE job applicants are always weighed on their technical ability and, increasingly today, on their success skills. Employers often ask whether job candidates are the best fit for the organization or whether candidates will align well with the organization’s culture. Furthermore, as a number of headhunters have told me, employers can easily teach the technical skills. The success skills that make up a candidate’s character and demeanor are not so easily taught yet can have an enormous impact on whether a candidate eventually gets his or her dream job or the top-floor corner office. So, a mix of both cognitive and noncognitive skills, the latter such as motivation, self-esteem and perseverance, determine many life outcomes, including education, health and even involvement in crime.

To benefit from strong success skills and develop a long-term career, the foremost step for young professionals as for any other professional, is to own their career. The ability to direct and fill roles in opportunity areas highly depends on career ownership and effective personal management. Success skills are increasingly becoming the often-unrecognized element for career mastery; as recruiters tell me, the bottom line is that a full professional success depends on their mastery.

Loose Ends

A forensic accountant colleague of mine often refers to “loose-ends”. In his telling, loose-ends are elements of an investigation that get over-looked or insufficiently investigated which have the power to come back and bite an examiner with ill effect. That a small anomaly may be a sign of fraud is a fact that is no surprise to any seasoned investigator. Since fraud is typically hidden, the discovery of fraud usually is unlikely, at least at the beginning, to involve a huge revelation.

The typical audit does not presume that those the auditor examiners and the documents s/he reviews have something sinister about them. The overwhelming majority of audits are conducted in companies in which material fraud does not exist. However, the auditor maintains constant awareness that material fraud could be present.

Imagine a policewoman walking down a dark alley into which she knows a suspect has entered just before her. She doesn’t know where the suspect is, but as she walks down that alley, she is acutely aware of and attuned to her surroundings. Her senses are at their highest level. She knows beyond the shadow of a doubt that danger lurks nearby.

Fraud audits (and audits in general) aren’t like that. Fraud audits are more like walking through a busy mall and watching normal people go about their daily activities. In the back of the examiner’s mind, he knows that among all the shoppers are a few, a very few, shoplifters. They look just like everyone else. The examiner knows they are there because statistical studies and past experience have shown that they are, but he doesn’t know exactly where or who they are or when he will encounter them, if at all. If he were engaged to find them, he would have to design procedures to increase the likelihood of discovery without in any way annoying the substantial majority of honest shoppers in whose midst they swim.

A fraud risk assessment evaluates areas of potential fraud to determine whether the current control structure and environment are addressing fraud risk at a level that aligns with the organization’s risk appetite and risk tolerance. Therefore, it is important during the development and implementation of the risk management program to specifically address various fraud schemes to establish the correct levels of control.

It occurred to me a while back that a fraud risk assessment can of thought of as ignoring a loose-end if it fails to include sufficient consideration of the client organization’s ethical dimension. That the ethical dimension is not typically included as a matter of course in the routine fraud risk assessment constitutes, to my mind, a lost opportunity to conduct a fuller, and potentially, a more useful assessment. As part of their assessments, today’s practitioners can potentially use surveys, Control Self-Assessment sessions, focus groups, and workshops with employees to take the organization’s ethical temperature and determine its ethical baseline. Under this expanded model, the most successful fraud risk assessment would include small brainstorming sessions with the operational management of the business process(s) under review. Facilitated by a Certified Fraud Examiner (CFE), these assessments would look at typical fraud schemes encountered in various areas of the organization and identify the internal controls designed to mitigate each of them. At a high level, this analysis examines internal controls and the internal control environment, as well as resources available to prevent, detect, and deter fraud.

Fraud risk assessments emphasize possible collusion and management overrides to circumvent internal controls. Although an internal control might be in place to prevent fraudulent activity, the analysis must consider how this control could be circumvented, manipulated, or avoided. This evaluation can help the CFE understand the actual robustness and resilience of the control and of the control environment and estimate the potential risk to the organization.

One challenge at this point in the process is ensuring that the analysis assesses not just roles, but also those specific individuals who are responsible for the controls. Sometimes employees will feel uncomfortable contemplating a fellow employee or manager perpetrating fraud. This is where an outside fraud expert like the CFE can help facilitate the discussion and ensure that nothing is left off the table. To ask and get the answers to the right questions, the CFE facilitator should help the respondents keep in mind that:

o Fraud entails intentional misconduct designed to avoid detection.
o Risk assessments identify where fraud might occur and who the potential perpetrator(s) might be.
o Persons inside and outside of the organization could perpetrate such schemes.
o Fraud perpetrators typically exploit weaknesses in the system of controls or may override or circumvent controls.
o Fraud perpetrators typically find ways to hide the fraud from detection.

It’s important to evaluate whether the organization’s culture promotes ethical or unethical decision-making. Unfortunately, many organizations have established policies and procedures to comply with various regulations and guidelines without committing to promoting a culture of ethical behavior. Simply having a code of conduct or an ethics policy is not enough. What matters is how employees act when confronted with an ethical choice; this is referred to by the ACFE as measuring the organization’s ethical baseline.

Organizations can determine their ethical baseline by periodically conducting either CFE moderated Control Self-Assessment sessions including employees from high-risk business processes, through an online survey of employees from various areas and levels within the organization, or through workshop-based surveys using a balloting tool that can keep responses anonymous. The broader the survey population, the more insightful the results will be. For optimal results, surveys should be short and direct, with no more than 15 to 20 questions that should only take a few minutes for most employees to answer. An important aspect of conducting this survey is ensuring the anonymity of participants, so that their answers are not influenced by peer pressure or fear of retaliation. The survey can ask respondents to rate questions or statements on a scale, ranging from 1—Strongly Disagree to 5—Strongly Agree. Sample statements might include:

1. Our organizational culture is trust-based.
2. Missing approvals are not a big deal here.
3. Strong personalities dominate most departments.
4. Pressure to perform outweighs ethical behavior.
5. I share my passwords with my co-workers.
6. Retaliation will not be accepted here.
7. The saying “Don’t rock the boat!” fits this organization.
8. I am encouraged to speak up whenever needed.
9. Ethical behavior is a top priority of management.
10.I know where I can go if I need to report a potential issue of misconduct.

The ethical baseline should not be totally measured on a point system, nor should the organization be graded based on the survey results. The results should simply be an indicator of the organization’s ethical environment and a tool to identify potential areas of concern. If repeated over time, the baseline can help identify both positive and negative trends. The results of the ethical baseline survey should be discussed by the CFE with management as part of a broader fraud risk assessment project. This is especially important if there are areas with a lack of consensus among the survey respondents. For example, if the answer to a question is split down the middle between strongly agree and strongly disagree, this should be discussed to identify the root cause of the variance. Most questions should be worded to either show strong ethical behaviors or to raise red flags of potential unethical issues or inability to report such issues promptly to the correct level in the organization.

In summary, the additional value created by combining of the results of the traditional fraud risk assessment with an ethical baseline assessment can help CFEs better determine areas of risk and control that should be considered in building the fraud prevention and response plans. For example, fraud risk schemes that are heavily dependent on controls that can be easily overridden by management may require more frequent assurance from prevention professionals than those schemes that are mitigated by system-based controls. And an organization with a weak ethical baseline may require more frequent assessment of detective control procedures than one with a strong ethical baseline, which might rely on broader entity-level controls. By adding ethical climate evaluation to their standard fraud risk assessment procedures, CFEs can tie up what otherwise might be a major loose-end in their risk evaluation.

When You Assume

by Rumbi Petrozzello
2018 Vice President – Central Virginia ACFE Chapter

On November 8, 2007, in the small town of Constantine, Michigan, 11-year-old Jodi Parrack was reported missing. Residents from the surrounding region volunteered to search for the missing girl, including Ray McCann, a police reservist. During the search, Ray suggested to Jodi’s mother, Valerie, that they should search for Jodi in the local cemetery. Valerie and Ray did so and, tragically, found her daughter there; she had been murdered.

Almost immediately, Ray came under suspicion. His reaction to Jodi’s death appeared to some of the investigators to be suspicious and why had he suggested that he and Valerie go to the cemetery, of all places, to look for Jodi? Then, during their subsequent investigation, the police found Jodi’s DNA on Ray’s body; according to Ray this was because he had pulled Valerie away from Jodi when he and her mother discovered the child’s body.

For years, Ray was under suspicion. He was brought in for questioning by the police on multiple occasions, and his answers, as far as the police were concerned, were not particularly convincing. He claimed to have been in one place and the police said that there was proof that he was not there. Seven years after Jodi’s murder, Ray was arrested and charged with perjury, related to the answers he had originally given the police; this seems to have been a tactic the police employed to hold him while they continued to try to gather enough evidence to charge him with Jodi’s murder.

While Ray was being held and facing from two to twenty years behind bars, another girl was attacked; she fought back, escaped and led the police to another man, Daniel Furlong. It turned out that Furlong’s DNA had been found on Jodi’s body during the original investigation as well as Ray’s and yet, the police had persisted in focusing solely on Ray. It was also revealed that the authorities were not honest when they told Ray that they possessed evidence Ray was lying. All the police really had was a deeply held conviction that Ray was being deceptive, leading to their determination to somehow develop evidence to validate that feeling.

By the time Ray was released after spending 20 wasted months of his life behind bars, he had lost his job, his family and the trust of the community in which he lived and which he had hoped someday to serve.

As Fraud Examiners and/or Forensic Accountants, we are engaged to investigate alleged wrongdoing and to follow up on leads as we work to resolve often confusing and contradictory matters. As we seek evidence, interview people and try to figure out what happened and who did what, it can be all too easy to make the mistake of viewing a red flag as somehow constituting proof. If someone giggles when they’re telling you they know nothing; if a person taps her foot throughout an interview, or if someone is extremely helpful, none of those things in themselves means anything definitive in resolving the question as to whether or not they have done anything wrong, let alone illegal.

Professional skepticism is a CFE’s tendency not to believe or take anyone’s assertions at face value, a mental tendency to ask every assertion to “prove it” (with evidence). The inevitable occurrence of confusion, errors and deception in all situations involving actual or suspected fraud dictates this basic aspect of professional skepticism. Persuading a skeptical CFE or forensic accountant is not impossible, just somewhat more difficult than persuading a normal person in an everyday context. Our skepticism protects the Ray McCann’s of this world because it’s a manifestation of objectivity, holding no special concern for preconceived conclusions on any side of an issue. Skepticism is not an attitude of being cynical, hypercritical, or scornful. The properly skeptical investigator asks these questions (1) What do I need to know? (2) How well do I know it? (3) Does it make sense?

Professional skepticism should lead investigators to appropriate inquiry about every clue involving seeming wrong doing. Clues should lead to thinking about the evidence needed, wringing out all the implications from the evidence, then arriving at the most suitable and supportable explanation. Time pressure to complete an investigation is no excuse for failing to exercise professional skepticism and bias and prejudice are always unacceptable. Too many investigators (including auditors) have gotten themselves into trouble by accepting some respondent’s glib assertion and stopping too early in an investigation without seeking facts supportive of alternative explanations.

A red flag means only that further investigation is warranted; it definitely does not mean that the examiner should shut down all other avenues of investigation and it certainly does not mean that an attempt should ever be made to make the crime fit the person. In the sad case of Ray McCann, the police continued to pursue him to the exclusion of all others even though they had found someone else’s DNA on Jodi’s body. They never appeared to be even looking for any other suspect. Even when Daniel Furlong subsequently confessed to murdering Jodi, the local authorities still persisted in implying that Ray was somehow connected to the crime; in the face of all contradictory evidence, the police still stubbornly refused to let go of their original hypothesis.

As we pursue our work as forensic accountants and fraud examiners, we should be constantly reviewing our hypotheses and assessing our approaches.

• Are we trying to make evidence fit the facts as we initially suppose them to be?
• Are we ignoring evidence because it does not fit the story we’re trying to tell?
• Are we letting a particular person’s behavior cloud a more objective judgment of the totality of what’s going on?

Often, even after a person has been cleared of suspicion in a case, we hear parties involved in the investigation make statements along the lines of, “I just know they are good for something.” Fortunately, our practice is not founded on feelings and gut instincts; our practice, and profession, is one that relies on evidence. As you’re investigating a matter, keep in mind:

• Following your defined process and procedure throughout is paramount to investigative success. Even if someone or some aspect of a case looks totally transparent within the context of the investigation, be thorough and follow your evidence all the way through.

• If your findings do not support your original premise, don’t try to force things. Step back and ask yourself why this is the case. Ask yourself if you need to reconsider your foundational hypothesis.

• Beware of confirmation bias – that is be careful that you are not looking only for data that reinforces the conclusion(s) that you have already reached (and, in so doing, ignoring anything that might prove contradictory).

• Even if your team is determined to work the assignment in a particular direction, make sure you speak up and let them know about any reservations you might have. You may not have the popular position, but you may end up expressing the critical position if it turns out that there is other evidence in light of which the conclusions the team has made need to be adjusted.

In summary, when you feel it in your gut and you are absolutely sure that you are right about a hypothesis, it’s very difficult to look beyond your conviction and to see or even consider other options. It’s vital that you do so since, as the ACFE has pointed out so many times, there is a hefty price to be paid professionally for ignoring evidence which eventually proves to be critical simply because it appears not to corroborate your case. Due professional care requires a disposition to question all material assertions made by all respondents involved in the case whether oral or written. This attitude must be balanced with an open mind about the integrity of all concerned. We CFEs should neither blindly assume that everyone is dishonest nor thoughtlessly assume that those involved in our investigations are not ethically challenged. The key lies in the examiner’s attitude toward gathering the evidence necessary to reach reasonable and supportable investigative decisions.

Using Control to Foster a Culture of Honesty

One of the most frequent questions we seem to receive as practicing CFEs from clients and corporate counsel alike regards the proactive steps management can take to create what’s commonly designated a ‘culture of honesty’. What kinds of programs and controls can an entity implement to create such a culture and to prevent fraud?

The potential of being caught most often persuades likely perpetrators not to commit a contemplated fraud. As the ACFE has long told us, because of this principle, the existence of a thorough control system is essential to any effective program of fraud prevention and constitutes one of the most vital underpinnings of an honest culture.

Corporations and other organizations can be held liable for criminal acts committed as a matter of organizational policy. Fortunately, most organizations do not expressly set out to break the law. However, corporations and other organizations may also be held liable for the criminal acts of their employees if those acts are perpetrated in the course and scope of their employment and for the ostensible purpose of benefiting the corporation. An employee’s acts are considered to be in the course and scope of employment if the employee has actual authority or apparent authority to engage in those acts. Apparent authority means that a third party would reasonably believe the employee is authorized to perform the act on behalf of the company. Therefore, an organization could be held liable for something an employee does on behalf of the organization even if the employee is not authorized to perform that act.

An organization will not be vicariously liable for the acts of an employee unless the employee acted for the ostensible purpose of benefiting the corporation. This does not mean the corporation has to receive an actual benefit from the illegal acts of its employee. All that is required is that the employee intended to benefit the corporation. A company cannot seek to avoid vicarious liability for the acts of its employees by simply claiming that it did not know what was going on. Legally speaking, an organization is deemed to have knowledge of all facts known by its officers and employees. That is, if a prosecutor can prove that an officer or employee knew of conduct that raised a question as to the company’s liability, and the prosecutor can show that the company willfully failed to act to correct the situation, then the company may be held liable, even if senior management had no knowledge or suspicion of the wrongdoing.

In addition, the evolving legal principle of ‘conscious avoidance’ allows the government to prove the employer had knowledge of a particular fact which establishes liability by showing that the employer knew there was a high probability the fact existed and consciously avoided confirming the fact. Employers cannot simply turn a blind eye when there is reason to believe that there may be criminal conduct within the organization. If steps are not taken to deter the activity, the company itself may be found liable. The corporation can be held criminally responsible even if those in management had no knowledge of participation in the underlying criminal events and even if there were specific policies or instructions prohibiting the activity undertaken by the employee(s). The acts of any employee, from the lowest clerk on up to the CEO, can impute liability upon a corporation. In fact, a corporation can be criminally responsible for the collective knowledge of several of its employees even if no single employee intended to commit an offense. Thus, the combination of vicarious or imputed corporate criminal liability and the current U.S. Sentencing Guidelines for Organizations can create a risk for corporations today.

Although many of our client companies do not realize it, the current legal environment imposes a responsibility on companies to ferret out employee misconduct and to deal with any known or suspected instances of misconduct by taking timely and decisive measures.

First, the doctrine of accountability suggests that officers and directors aware of potentially illegal conduct by senior employees may be liable for any recurrence of similar misconduct and may have an obligation to halt and cure any continuing effects of the initial misconduct.

Second, the Corporate Sentencing Guidelines, provide stiff penalties for corporations that fail to take voluntary action to redress apparent misconduct by senior employees.

Third, the Private Litigation Securities Reform Act requires, as a matter of statute, that independent auditors look for, and assess, management’s response to indications of fraud or other potential illegality. Where the corporation does not have a history of responding to indications of wrongdoing, the auditors may not be able to reach a conclusion that the company took appropriate and prompt action in response to indications of fraud.

Fourth, courts have held that a director’s duty of care includes a duty to attempt in good faith to assure corporate information and reporting systems exist. These systems must be reasonably designed to provide senior management and the board of directors timely, accurate information which would permit them to reach informed judgments concerning the corporation’s compliance with law and its business performance. In addition, courts have also stated that the failure to create an adequate compliance system, under some circumstances, could render a director liable for losses caused by non-compliance with applicable legal standards. Therefore, directors should make sure that their companies have a corporate compliance plan in place to detect misconduct and deal with it effectively. The directors should then monitor the company’s adherence to the compliance program. Doing so will help the corporation avoid fines under the Sentencing Guidelines and help prevent individual liability on the part of the directors and officers.

The control environment sets the moral tone of an organization, influencing the control consciousness of the organization and providing a foundation for all other control components. This component considers whether managers and employees within the organization exhibit integrity in their activities. COSO envisions that upper management will be responsible for the control environment of organizations. Employees look to management for guidance in most business affairs, and organizational ethics are no different. It is important for upper management to operate in an ethical manner, and it is equally important for employees to view management in a positive light. Managers must set an appropriate moral tone for the operations of an organization.

In addition to merely setting a good example, however, COSO suggests that upper management take direct control of an organization’s efforts at internal controls. This idea should be regularly reinforced within the organization. There are several actions that management can take to establish the proper control environment for an organization and foster a culture of honesty. These include:

–The establishment of a code of ethics for the organization. The code should be disseminated to all employees and every new employee should be required to read and sign it. The code should also be disseminated to contractors who do work on behalf of the organization. Under certain circumstances, companies may face liability due to the actions of independent contractors. It is therefore very important to explain the organization’s standards to any outside party with whom the organization conducts business.

–Careful screening of job applicants. One of the easiest ways to establish a strong moral tone for an organization is to hire morally sound employees. Too often, the hiring process is conducted in a slipshod manner. Organizations should conduct thorough background checks on all new employees, especially managers. In addition, it is important to conduct thorough interviews with applicants to ensure that they have adequate skills to perform the duties that will be required of them.

–Proper assignment of authority and responsibility. In addition to hiring qualified, ethical employees, it is important to put these people in situations where they are able to thrive without resorting to unethical conduct. Organizations should provide employees with well-defined job descriptions and performance goals. Performance goals should be routinely reviewed to ensure that they do not set unrealistic standards. Training should be provided on a consistent basis to ensure that employees maintain the skills to perform effectively. Regular training on ethics will also help employees identify potential trouble spots and avoid getting caught in compromising situations. Finally, management should quickly determine where deficiencies in an employee’s conduct exist and work with the employee to fix the problem.

–Effective disciplinary measures. No control environment will be effective unless there is consistent discipline for ethical violations. Consistent discipline requires a well-defined set of sanctions for violations, and strict adherence to the prescribed disciplinary measures. If one employee is punished for an act and another employee is not punished for a similar act, the moral force of the company’s ethics policy will be diminished. The levels of discipline must be sufficient to deter violations. It may also be advisable to reward ethical conduct. This will reinforce the importance of organizational ethics in the eyes of employees.

Monitoring is the process that assesses the quality of a control environment over time. This component should include regular evaluations of the entire control system. It also requires the ongoing monitoring of day-to-day activities by managers and employees. This may involve reviewing the accuracy of financial information, or verifying inventories, supplies, equipment and other organization assets. Finally, organizations should conduct independent evaluations of their internal control systems. An effective monitoring system should provide for the free flow of upstream communication.

The Healthcare Fraud Circus

The trade press indicates that healthcare expenditures are again on the rise while the ACFE tells us that approximately $25 million dollars per hour is stolen, wasted or abused in the provision of healthcare services in the US alone. Not surprisingly, our Chapter members, CFEs and forensic accountants, employed by both governmental and private institutions, are being increasingly called upon to grapple with the fallout.

The Centers for Medicare and Medicaid Services (CMS) defines healthcare fraud as the intentional deception or misrepresentation that an individual knows, or should know, to be false, or does not believe to be true, and makes, knowing the deception could result in some unauthorized benefit to himself or some other person(s). The Health Insurance Portability and Accountability Act (HIPAA) is more specific, defining the term federal healthcare offense as “a violation of, or a criminal conspiracy to violate” specific provisions of the U.S. Code, “if the violation or conspiracy relates to a health care benefit program” 18 U.S.C. § 24(a).

The statute goes on to define a health care benefit program as any public or private plan or contract, affecting commerce, under which any medical benefit, item, or service is provided to any individual, and includes any individual or entity who is providing a medical benefit, item, or service for which payment may be made under the plan or contract. Finally, health care fraud is defined as knowingly and willfully executing a scheme to defraud a healthcare benefit program or obtaining, by means of false or fraudulent pretenses, representations, or promises, any of the money or property owned by. . . any healthcare benefit program. HIPAA establishes specific criminal sanctions for offenses against both private and public health insurance programs. These offenses are consistent with the common definitions of fraud in that they involve false statements, misrepresentations, or deliberate omissions that are critical to the determination of benefits payable and which may obstruct fraud investigations.

Practitioners new to fraud examination and forensic accounting in the healthcare arena need to develop a familiarity with the players involved in the provision of and payment for healthcare services if they are to effectively investigate identified instances of fraud, waste, and abuse in this ever-expanding sector of the economy.

Healthcare fraud differs from healthcare abuse. CMS says that abuse refers to incidents or practices that are not consistent with the standard of medical care (in other words, with substandard care)

–Unnecessary costs to a program, caused either directly or indirectly;
–Improper payment or payment for services that fail to meet professional standards;
–Medically unnecessary services;
–Substandard quality of care (e.g., in nursing homes);
–Failure to meet coverage requirements.

Healthcare fraud, in comparison, typically takes one or more of the following forms:

–False statements or claims;
–Elaborate schemes;
–Cover-up strategies;
–Misrepresentations of value;
–Misrepresentations of service.

It’s important to appreciate that healthcare is a dynamic and segmented market among parties that deliver or facilitate the delivery of health information, healthcare resources, and the financial transactions that underly and support the functioning of all the many components of the total business process. To fully appreciate what healthcare fraud looks like, it’s important to understand traditional and nontraditional players. The patient is the individual who actually receives a healthcare service. The provider is an individual or entity that delivers or executes the healthcare service. The payer is the entity that processes the financial transaction. The plan sponsor is the party that funds the transaction. Plan sponsors include private self-insurance programs, employer-based premium programs, and government programs such as Medicare and Medicaid. A vendor is any entity that provides a professional service or materials used in the delivery of patient care. Complicating matters is that each one of these player entities has a distinct perspective and point of view of the overall process which can differ significantly from that of each of the others.

So, what does healthcare fraud look like from the individual patient’s perspective? The patient may submit a false claim with no participation from any other party. The patient may exaggerate a workers’ compensation claim or allege that an injury took place at work when in fact it occurred outside of work. The patient may participate in collusive fraudulent behavior with other parties. A second party may be a physician who fabricates a service for liability compensation. The patient may be involved in an established crime ring that involves extensive collusive behavior, such as staging an auto accident. The schemes typically repeat themselves as well as constantly evolve in the creativity they demonstrate.

And from the provider’s perspective? The fraud schemes can vary from simple false claims to complex financial arrangements. The traditional scheme of submitting false claims for services not rendered has always been and continues to be a problem. Other maneuvers, such as submitting duplicate claims or not acknowledging duplicate payments, are issues as well.

Some schemes manifest great complexity and sophistication in their understanding of payer systems. One example is the rent-a-patient scheme where criminals pay “recruiters” to organize and recruit beneficiaries to visit clinics owned or operated by the criminals. For a fee, recruiters “rent,” or “broker,” the beneficiaries to the criminals. Recruiters often enlist beneficiaries at low-income housing projects, retirement communities, or employment settings of low-income wage earners. Detecting complicated misrepresentations that involve contractual arrangements with third parties or cost report manipulations submitted to government programs requires a niche expertise for identification representing an opportunity for anti-fraud practitioners expert in data mining.

And from the payer’s perspective? The fraud schemes perpetrated by this group tend to be pursued mostly in response to transactions between the payer and a government plan sponsor. They include misrepresentations of performance guarantees, not answering beneficiary questions on claims status, bad-faith claim transactions, and financial transactions that are not contractually based. Other fraudulent activities include altering or reassigning the diagnosis or procedure codes submitted by the provider. Auditing payer activities also requires a niche expertise involving operational as well as contractual issues.

Healthcare fraud schemes perpetrated by employers include underreporting the number of employees, employee classifications, and payroll information; failing to pay insurance premiums, which results in no coverage; creating infrastructures that make employees pay for coverage via payroll deductions; engaging in management activities that discourage employees from seeking medical treatment; and referring employees to a medical facility and in turn receiving compensation for the referrals.

Vendor perpetrated schemes furnishes numerous examples involving a range of participants, from professional healthcare subcontractors to suppliers of equipment, products, services, and pharmaceuticals. These schemes include false claims, claims for altered products, counterfeit medications, and services from unlicensed professionals. They include collusive behavior among several entities as well as between individual professionals.

In summary, the take away for anti-fraud professionals is that Healthcare fraud is growing at an accelerated rate in the United States. Traditional schemes include false claim submissions, care that lacks medical necessity, controlled substance abuse, upcoding (billing for more expensive procedures), employee-plan fraud, staged-accident rings, waiver of copayments and deductibles, billing experimental treatments as nonexperimental ones, agent-broker fraud relationships, premium fraud, bad-faith claim payment activities, quackery; overutilization (rendering more services than are necessary), and kickbacks. Evolved schemes include complex rent-a-patient activities, 340 B program abuse activities (setting aside discounted drugs, making them unavailable to those in need), pill-mill schemes (schemes to falsely bill prescriptions), counterfeit drug activities, and organized criminal schemes.

CFEs and forensic accountants have a significant role in combating all of this. The good news is that much information is available to guide practitioners from both governmental and private sources.

Concealment Strategies & Fraud Scenarios

I remember Joseph Wells mentioning at an ACFE conference years ago that identifying the specific asset concealment strategy selected by a fraudster was often key to the investigator’s subsequent understanding of the entire fraud scenario the fraudster had chosen to implement. What Joe meant was that a fraud scenario is the unique way the inherent fraud scheme has occurred (or can occur) at an examined entity; therefore, a fraud scenario describes how an inherent fraud risk will occur under specific circumstances. Upon identification, a specific fraud scenario, and its associated concealment strategy, become the basis for fraud risk assessment and for the examiner’s subsequent fraud examination program.

Fraud concealment involves the strategies used by the perpetrator of the fraud scenario to conceal the true intent of his or her transaction(s). Common concealment strategies include false documents, false representations, false approvals, avoiding or circumventing control levels, internal control evasion, blocking access to information, enhancing the effects of geographic distance between documents and controls, and the application of both real and perceived pressure. Wells also pointed out that an important aspect of fraud concealment pertains to the level of sophistication demonstrated by the perpetrator; the connection between concealment strategies and fraud scenarios is essential in any discussion of fraud risk structure.

As an example, consider a rights of return fraud scenario related to ordered merchandise. Most industries allow customers to return products for any number of reasons. Rights of return refers to circumstances, whether as a matter of contract or of existing practice, under which a product may be returned after its sale either in exchange for a cash refund, or for a credit applied to amounts owed or to be owed for other products, or in exchange for other products. GAAP allows companies to recognize revenue in certain cases, even though the customer may have a right of return. When customers are given a right of return, revenue may be recognized at the time of sale if the sales price is substantially fixed or determinable at the date of sale, the buyer has paid or is obligated to pay the seller, the obligation to pay is not contingent on resale of the product, the buyer’s obligation to the seller does not change in the event of theft or physical destruction or damage of the product, the buyer acquiring the product for resale is economically separate from the seller, the seller does not have significant obligations for future performance or to bring about resale of the product by the buyer, and the amount of future returns can be reasonably estimated.

Sales revenue not recognizable at the time of sale is recognized either once the return privilege has substantially expired or if the conditions have been subsequently met. Companies sometimes stray by establishing accounting policies or sales agreements that grant customers vague or liberal rights of returns, refunds, or exchanges; that fail to fix the sales price; or that make payment contingent upon resale of the product, receipt of funding from a lender, or some other future event. Payment terms that extend over a substantial portion of the period in which the customer is expected to use or market the purchased products may also create problems. These terms effectively create consignment arrangements, because, no economic risk has been transferred to the purchaser.

Frauds in connection with rights of return typically involve concealment of the existence of the right, either by contract or arising from accepted practice, and/or departure from GAAP specified conditions. Concealment usually takes one or more of the following forms:

• Use of side letters: created and maintained separate and apart from the sales contract, that provide the buyer with a right of return;

• Obligations by oral promise or some other form of understanding between seller and buyer that is honored as a customary practice but arranged covertly and hidden;

• Misrepresentations designed to mischaracterize the nature of arrangements, particularly in respect of:

–Consignment arrangements made to appear to be final sales;

–Concealment of contingencies, under which the buyer can return the products, including failure to resell the products, trial periods, and product performance conditions;

–Failure to disclose the existence, or extent, of stock rotation rights, price protection concessions, or annual returned-goods limitations;

–Arrangement of transactions, with straw counterparties, agents, related parties, or other special purpose entities in which the true nature of the arrangements is concealed or obscured, but, ultimately, the counterparty does not actually have any significant economic risk in the “sale”.

Sometimes the purchaser is complicit in the act of concealment, for example, by negotiating a side letter, and this makes detection of the fraud even more difficult. Further, such frauds often involve collusion among several individuals within an organization, such as salespersons, their supervisors, and possibly both marketing and financial managers.

It’s easy to see that once a CFE has identified one or more of these concealment strategies as operative in a given entity, the process of developing a descriptive fraud scenario, completing a related risk assessment and constructing a fraud examination program will be a relatively straight forward process. As a working example, of a senario and related concealment strategies …

Over two decades ago the SEC charged a major computer equipment manufacturer with overstating revenue in the amount of $500,000 on transactions for which products had been shipped, but for which, at the time of shipment, the company had no reasonable expectation that the customer would accept and pay for the products. The company eventually accepted back most of the product as sales returns during the following quarter.

The SEC noted that the manufacturer’s written distribution agreements generally allowed the distributor wide latitude to return product to the company for credit whenever the product was, in the distributor’s opinion, damaged, obsolete, or otherwise unable to be sold. According to the SEC, in preparing the manufacturer’s financial statements for the target year, company personnel submitted a proposed allowance for future product returns that was unreasonably low in light of the high level of returns the manufacturer had received in the first several months of the year.

The SEC determined that various officers and employees in the accounting and sales departments knew the exact amount of returns the company had received before the year end, when the company’s independent auditors finished their fieldwork on the annual audit. Had the manufacturer revised the allowance for sales returns to reflect the returns information, the SEC concluded it would have had to reduce the net revenue reported for the fiscal year. Instead, the SEC found that several of the manufacturer’s officers and employees devised schemes to prevent the auditors from discovering the true amount of the returns, including 1), keeping the auditors away from the area at the manufacturer’s headquarters where the returned goods were stored, and 2), accounting personnel altering records in the computer system to reduce the level of returns. After all the facts were assembled, the SEC took disciplinary action against several company executives.

As with side agreements, a broad base of inquiry into company practices may be one of the best assessment techniques the CFE has regarding possible concealment strategies supporting fraud scenarios involving returns and exchanges. In addition to inquiries of this kind, the ACFE recommends that CFE’s may consider using analytics like:

• Compare returns in the current period with prior periods and ask about unusual increases.

• Because companies may slow the return process to avoid reducing sales in the current period, determine whether returns are processed in timely fashion. The facts can also be double-checked by confirming with customers.

• Calculate the sales return percentage (sales returns divided by total sales) and ask about any unusual increase.

• Compare returns after a reporting period with both the return reserve and the monthly returns to determine if they appear reasonable.

• Determine whether sales commissions are paid at the time of sale or at the time of collection. Sales commissions paid at the time of sale provide incentives to inflate sales artificially to meet internal and external market pressures.

• Determine whether product returns are adjusted from sales commissions. Sales returns processed through the so-called house account may provide a hidden mechanism to inflate sales to phony customers, collect undue commissions, and return the product to the vendor without being penalized by having commissions adjusted for the returned goods.

Every Seat Taken!

Our Chapter’s thanks to all our attendees and to our partners, the Virginia State Police and national ACFE for the unqualified success of our May training event, Cyberfraud and Data Breaches! Our speaker, Cary Moore, CFE, CISSP, conducted a fully interactive, two-day session on one of the most challenging and relevant topics confronting practicing fraud examiners and forensic accountants today.

The event examined the potential avenues of data loss and guided attendees through the crucial strategies needed to mitigate the threat of malicious data theft and the risk of inadvertent data loss, recognizing that information is a valuable asset, and that management must take proactive steps to protect the organization’s intellectual property. As Cary forcefully pointed out, the worth of businesses is no longer based solely on tangible assets and revenue-making potential; the information the organization develops, stores, and collects accounts for a large share of its value.

A data breach occurs when there is a loss or theft of, or unauthorized access to, proprietary information that could result in compromising the data. It is essential that management understand the crisis its organization might face if its information is lost or stolen. Data breaches incur not only high financial costs but can also have a lasting negative effect on an organization’s brand and reputation.

Protecting information assets is especially important because the threats to such assets are on the rise, and the cost of a data breach increases with the number of compromised records. According to a 2017 study by the Ponemon Institute, data breaches involving fewer than 10,000 records caused an average loss of $1.9 million, while beaches with more than 50,000 compromised records caused an average loss of $6.3 million. However, before determining how to protect information assets, it is important to understand the nature of these assets and the many methods by which they can be breached.

Intellectual property is a catchall phrase for knowledge-based assets and capital, but it’s helpful to think of it as intangible proprietary information. Intellectual property (IP) is protected by law. IP law grants certain exclusive rights to owners of a variety of intangible assets. These rights incentivize individuals, company leaders, and investors to allocate the requisite resources to research, develop, and market original technology and creative works.

A trade secret is any idea or information that gives its owner an advantage over its competitors. Trade secrets are particularly susceptible to theft because they provide a competitive advantage. What constitutes a trade secret, however, depends on the organization, industry, and jurisdiction, but generally, to be classified as a trade secret, information must:

• Be secret: The information is not generally known to the relevant portion of the public.
• Confer some sort of economic benefit on its holder: The idea or information must give its owner an advantage over its competitors. The benefit conferred from the information, however, must stem from not being generally known, not just from the value of the information itself. The best test for determining what is confidential information is to determine whether the information would provide an advantage to the competition.
• Be the subject of reasonable efforts to maintain its secrecy: The owner must take reasonable steps to protect its trade secrets from disclosure. That is, a piece of information will not receive protection as a trade secret if the owner does not take adequate steps to protect it from disclosure.

Cary presented in-depth information on the various types of threats to data security including:

–Insiders
–Hackers
–Competitors
–Organized criminal groups
–Government-sponsored groups

Protecting proprietary information is a timely issue, but it is difficult. The event presented a list of common challenges faced when protecting information assets:

–Proprietary information is among the most valuable commodities, and attackers are doing everything in their power to steal as much of this information as possible.
–The risk of data breaches for organizations is high.
–New and emerging technologies create new risks and vulnerabilities.
— IT environments are becoming increasingly complex, making the management of them more expensive, difficult, and time consuming.
–There is a wider range of devices and access points, so businesses must proactively seek ways to combat the effects of this complexity.
–The rise in portable devices is creating more opportunities for data to “leak” from the business.
–The rise in Bring Your Own Device (BYOD) initiatives is generating new operational challenges and security problems.
–The rapidly expanding Internet of Things (IoT) has significantly increased the number of network connected things (e.g., HVAC systems, MRI machines, coffeemakers) that pose data security threats, many of which were inconceivable only a short time ago.
–The number of threats to corporate IT systems is on the rise.
–Malware is becoming more sophisticated.
–There is an increasing number of laws in this area, making information security an urgent priority.

Cary covered the entire gamut of challenges related to cyber fraud and data breaches ranging from legal issues, corporate espionage, social engineering, the use of social media, the bring-your-own-devices phenomenon, and the impact of cloud computing. The remaining portion of the event was devoted to addressing how enterprises can effectively respond when confronted by the challenges posed by these issues including breach response team building and breach prevention techniques like conducting security risk assessments, staff awareness training and the incident response plan.

When an organization experiences a data breach, management must respond in an appropriate and timely manner. During the initial response, time is critical. To help ensure that an organization responds to data breaches timely and efficiently, management should have an incident response plan in place that outlines how to respond to such issues. Timely responses can help prevent further data loss, fines, and customer backlash. An incident response plan outlines the actions an organization will take when data breaches occur. More specifically, a response plan should guide the necessary action when a data breach is reported or identified. Because every breach is different, a response plan should not outline how an organization should respond in every instance. Instead, a response plan should help the organization manage its response and create an environment to minimize risk and maximize the potential for success. In short, a response plan should describe the plan fundamentals that the organization can deploy on short notice.

Again, our sincere thanks go out to all involved in the success of this most worthwhile training event!