Category Archives: Forensic Accounting

Cash In – Cash Out

One of our associate Chapter members has become involved in her first fraud investigation just months after graduating from university and joining her first employer. She’s working for a restaurant management consulting practice and the investigation involves cash theft targeting the cash registers of one of the firm’s smaller clients. Needless to say, we had a lively discussion!

There are basically two ways a fraudster can steal cash from his or her employer. One is to trick the organization into making a payment for a fraudulent purpose. For instance, a fraudster might produce an invoice from a nonexistent company or submit a timecard claiming hours that s/he didn’t really work. Based on the false information that the fraudster provides, the organization issues a payment, e.g., by sending a check to the bogus company or by issuing an inflated paycheck to the employee. These schemes are known as fraudulent disbursements of cash. In a fraudulent disbursement scheme, the organization willingly issues a payment because it thinks that the payment is for a legitimate purpose. The key to the success of these types of schemes is to convince the organization that money is owed.

The second way (as in our member’s restaurant case) to misappropriate cash is to physically remove it from the organization through a method other than the normal disbursement process. An employee takes cash out of his cash register, puts it in his pocket, and walks out the door. Or, s/he might just remove a portion of the cash from the bank deposit on their way to the bank. This type of misappropriation is what is referred to as a cash theft scheme. These schemes reflect what most people think of when they hear the term “theft”; a person simply grabs the money and sneaks away with it.

What are commonly denoted cash theft schemes divide into two categories, skimming and larceny. The difference between whether it’s skimming or larceny depends completely on when the cash is stolen, a distinction confusing to our associate member. Cash larceny is the theft of money that has already appeared on a victim organization’s books, while skimming is the theft of cash that has not yet been recorded in the accounting system. The way an employee extracts the cash may be exactly the same for a cash larceny or skimming scheme. Because the money is stolen before it appears on the books, skimming is known as an “off-book” fraud. The absence of any recorded entry for the missing money also means there is no direct audit trail left by a skimming scheme. The fact that the funds are stolen before they are recorded means that the organization may not be “aware” that the cash was ever received. Consequently, it may be very difficult to detect that the money has been stolen.

The basic structure of a skimming scheme is simple: Employee receives payment from a customer, employee pockets payment, employee does not record the payment. There are a number of variations on the basic plot, however, depending on the position of the perpetrator, the type of company that is victimized, and the type of payment that is skimmed. In addition, variations can occur depending on whether the employee skims sales or receivables (this post is only about sales).

Most skimming, particularly in the retail sector, occurs at the cash register – the spot where revenue enters the organization. When the customer purchases merchandise, he or she pays a cashier and leaves the store with whatever s/he purchased, i.e., a shirt, a meal, etc. Instead of placing the money in the cash register, the employee simply puts it in his or her pocket without ever recording the sale. The process is made much easier when employees at cash collection points are left unsupervised as is the case in many small restaurants. A common technique is to ring a “no sale” or some other non-cash transaction on the employee’s register. The false transaction is entered on the register so that it appears that the employee is recording the sale. If a manager is nearby, it will look like the employee is following correct cash receipting procedures, when in fact the employee is stealing the customer’s payment. Another way employees sometimes skim unrecorded sales is by conducting sales during nonbusiness hours. For instance, many employees have been caught selling company merchandise on weekends or after hours without the knowledge of the owners. In one case, a manager opened his store two hours early every day and ran it business-as-usual, pocketing all sales made during the “unofficial” store hours. As the real opening time approached, he would destroy all records from the off-hours transactions and start the day from scratch.

Although sales skimming does not directly affect the books, it can show up on a company’s records in indirect ways, usually as inventory shrinkage; this is how the skimming thefts were detected at our member’s client. The bottom line is that unless skimming is being conducted on a very large scale, it is usually easier for the fraudster to ignore the shrinkage problem. From a practical standpoint, a few missing pieces of inventory are not usually going to trigger a fraud investigation. However, if a skimming scheme is large enough, it can have a marked effect on a small business’ inventory, especially in a restaurant where profit margins are always tight and a few bad sales months can put the concern out of business. Small business owners should conduct regular inventory counts and make sure that all shortages are promptly investigated and accounted for.

Any serious attempt to deter and detect cash theft must begin with observation of employees.  Skimming and cash larceny almost always involve some form of physical misappropriation of cash or checks; the perpetrator actually handles, conceals, and removes money from the company. Because the perpetrator will have to get a hold of funds and actually carry them away from the company’s premises, it is crucial for management to be able to observe employees who handle incoming cash.

Charting the Road Ahead

There are a number of good reasons why fraud examiners and forensic accountants should work hard at including inclusive, well written descriptions of fraud scenarios in their reports; some of these reasons are obvious and some less so. A well written fraud report, like little else, can put dry controls in the context of real life situations that client managers can comprehend no matter what their level of actual experience with fraud. It’s been my experience that well written reports, couched in plain business language, free from descriptions of arcane control structures, and supported by hard hitting scenario analysis can help spark anti-fraud conversations throughout the whole of a firm’s upper management.

A well written report can be a vital tool in transforming that discussion from, for example, relatively abstract talk about the need for an identity management system to a more concrete and useful one dealing with the report’s description of how the theft of vital business data has actually proven to benefit a competitor.

Well written, comprehensive fraud reports can make fraud scenarios real by concretely demonstrating the actual value of the fraud prevention effort to enterprise management and the Board. They can also graphically help set the boundaries for the expectations of what management will expect the prevention function to do in the future if this, or similar scenarios, actually re-occur. The written presentation of the principal fraud or loss scenario treated in the report necessarily involves consideration of the vital controls in place to prevent its reoccurrence which then allows for the related presentation of a qualitative assessment of the present effectiveness of the controls themselves. A well written report thus helps everyone understand how all the control failures related to the fraud interacted and reinforced each other; it’s, therefore, only natural that the fraud examiner or analyst recommend that the report’s intelligence be channeled for use in the enterprise’s fraud and loss prevention program.

Strong fraud report writing has much in common with good story telling. A narrative is shaped explaining a sequence of events that, in this case, has led to an adverse outcome. Although sometimes industry or organization specific, the details of the specific fraud’s unfolding always contains elements of the unique and can sometimes be quite challenging for the examiner even to narrate. The narrator/examiner should especially strive to clearly identify the negative outcomes of the fraud for the organization for those outcomes can sometimes be many and related. Each outcome should be explicitly explicated and its impact clearly enumerated in non-technical language.

But to be most useful as a future fraud prevention tool the examiner’s report needs to make it clear that controls work as separate lines of defense, at times in a sequential way, and at other times interacting with each other to help prevent the re-occurrence of the adverse event. The report should attempt to demonstrate in plain language how this structure broke down in the current instance and demonstrate the implications for the enterprise’s future fraud prevention efforts. Often, the report might explain, how the correct operation of just one control may provide adequate protection or mitigation. If the controls operate independently of each other, as they often do, the combined probability of all of them failing simultaneously tends to be significantly lower than the probability of failure of any one of them. These are the kinds of realities with the power to significantly and positively shape the fraud prevention program for the better and, hence, should never be buried in individual reports but used collectively, across reports, to form a true combined resource for the management of the prevention program.

The final report should talk about the likelihood of the principal scenario being repeated given the present state of preventative controls; this is often best-estimated during discussions with client management, if appropriate. What client management will truly be interested in is the probability of recurrence, but the question is actually better framed in terms of the likelihood over a long (extended) period of time. This question is best answered by involved managers, in particular with the loss prevention manager. If the answer is that this particular fraud risk might materialize again once every 10 years, the probability of its annual occurrence is a sobering 10 percent.

As with frequency estimation, to be of most on-going help in guiding the fraud prevention program, individual fraud reports should attempt to estimate the severity of each scenario’s occurrence. Is it the worst case loss, or the most likely or median loss? In some cases, the absolute worst case may not be knowable, or may mean something as disastrous as the end-of-game for the organization. Any descriptive fraud scenario presented in a fraud report should cover the range of identified losses associated with the case at hand (including any collateral losses the business is likely to face). Documented control failures should always be clearly associated with the losses. Under broad categories, such as process and workflow errors, information leakage events, business continuity events and external attacks, there might have to be a number of developed, narrative scenarios to address the full complexity of the individual case.

Fraud reports, especially for large organizations for which the risk of fraud must always remain a constant preoccupation, can be used to extend and refine fraud prevention programs. Using the documented results of the fraud reporting process, report data can be converted to estimates of losses at different confidence intervals and fed to the fraud prevention program’s estimated distributions for frequency and severity. The bottom line is that organizations of all sizes shouldn’t just shelve their fraud reports but use them as vital input tools to build and maintain the ongoing process of fraud risk assessment for ultimate inclusion in the enterprise’s loss prevention and fraud prevention programs.

! RVACFES May 2019 Spring Training Event !

The ACFE wants to help establish you as a consummate courtroom professional! Certified Fraud Examiners, accountants, auditors and investigative/assurance professionals of all kinds are called upon to provide testimony in criminal and civil prosecutions where their services can be used to support investigations of matters such as financial frauds, embezzlements, misapplication of funds, bankruptcy fraud, improper accounting practices, and tax fraud. Fraud examiners may also be used as defense witnesses or to support the defendant’s counsel on matters that involve accounting or audit related issues.

LEARN MORE

There are two basic kinds of testimony. The first is lay testimony (sometimes called factual testimony), where witnesses testify about what they have experienced firsthand and their factual observations. The second kind is expert testimony, where a person who, by reason of education, training, skill, or experience, is qualified to render an expert opinion regarding certain issues at hand. Typically, a fraud examiner who worked on a case will be capable of providing lay testimony based on observations made during the investigation.

Certified Fraud Examiners (CFEs) and forensic accountants serve two primary roles as experts in forensic matters: expert consultants and expert witnesses. The fraud investigator must always be prepared to serve as an expert witness in court and learning how best to do so is critical for the rounded professional. The expert consultant is an independent fraud examiner/accounting contractor who provides expert opinions in a wide array of cases, such as those relating to fraud investigations, divorces, mergers and acquisitions, employee-employer disputes, insurance disputes, and so on. In a fraud case, the CFE could identify and document all fraudulent transactions. This in turn could lead to reaching a plea bargain with a guilty employee. Therefore, the CFE helps solve a problem before any expert trial testimony is needed.

In addition, CFEs and forensic accountants are called upon to provide expert consultation services involving testimony in such areas as:

• Fraud investigations and management.
• Business valuation calculations.
• Economic damage calculations.
• Lost profits and wages.
• Disability income analysis.
• Economic analyses and valuations in matrimonial (prenuptial, postnuptial, and divorce) accounting.
• Adequacy of life insurance.
• Analysis of contract proposals.

As you will learn, the most important considerations at trial for experts are credibility, demeanor, understandability, and accuracy. Credibility is not something that can be controlled in and of itself but is a result of the factors that are under the control of the expert witness. Our speaker, HUGO HOLLAND, CFE, JD,  will expound in greater detail on these and other general guidelines:

• The answering of questions in plain language. Judges, juries, arbitrators, and others tend to believe expert testimony more when they truly understand what the expert says. It is best, therefore, to reduce complicated, technical arguments to plain language.

• The answering of only what is asked. Expert witnesses should not volunteer more than what is asked even when not volunteering more testimony could suggest that the expert’s testimony is giving the wrong impression. It is up to counsel to clear up any misimpressions through follow-up questions. That is, it is up to counsel to “rehabilitate” an expert witness who appears to have been impeached. That said, however, experienced expert witnesses sometimes volunteer information to protect their testimony from being twisted. Experience is needed to know when and how to do this. The best thing for an inexperienced expert witness is to work with experienced attorneys who know how to rehabilitate witnesses.

• The maintenance of a steady demeanor. It is important for the expert witness to maintain a steady, smooth demeanor regardless of which questions are asked and which side’s attorney asks them. It is especially undesirable to do something such as assume defensive body language when being questioned by the opposing side.

• How to be friendly and smile at appropriate times. Judges and juries are just people, and it helps to appear as relaxed but professional.

• Remain silent when there is an objection by one of the attorneys. Continue speaking only when instructed to do so.

• How best to state the facts. The expert witness should tell truth plainly and simply. You will learn how the expert’s testimony should not become more complicated or strained when it appears to be harmful to the client the expert represents. The expert witness should not try to answer questions to which she does not know the answer but should simply say that she does not know or does not have enough information to form an opinion.

• Learn to control the pace The opposing attorney can sometimes attempt to crush a witness by rapid fire questions. The expert witness should avoid firing back answers at the same pace. This can avoid giving the appearance that she is arguing with the examining attorney. It also helps prevent her from being rushed and overwhelmed to the point of making mistakes.
• Learn how to testify effectively on direct and cross examination, basic courtroom procedures, and most important, tricks for surviving on the witness stand. Improve your techniques on how to offer testimony about damages and restitution while learning to know when to draw the line between aggressive testimony and improper advocacy. Walk away with more effective report writing skills and explore the different types of evidence and legal remedies in this 2-day, ACFE instructor-led course.

REGISTER HERE

The Association of Certified Fraud Examiners is the world’s largest anti-fraud organization and premier provider of antifraud training and education. Together with more than 85,000 members, the ACFE is reducing business fraud worldwide and inspiring public confidence in the integrity and objectivity within the profession. Visit ACFE.com to learn more.

“ACFE,” “CFE,” “Certified Fraud Examiner,” “CFE Exam Prep Course,” “Fraud Magazine,” “Association of Certified Fraud Examiners,” “Report to the Nations,” the ACFE Seal, the ACFE Logo and related trademarks, names and logos are the property of the Association of Certified Fraud Examiners, Inc., and are registered and/or used in the U.S. and countries around the world.

Inflexible Reporting

Our Chapter and the ACFE have published a number of articles and posts over the last few years about the various types of pressures that can push ethically challenged employees over the line between temptation and the perpetration of an actual accounting fraud. One category of such pressure stems directly from the nature of our present system of periodic financial reporting which, it can be argued, not only creates unnecessary volatility in the stock and financial markets but ends up requiring rational investors to demand a premium for securities investments by emphasizing the short term risk that near term, inflexable, quarterly earnings targets will not be met. The pressure to meet these short term targets can only give rise to operational inefficiencies which in turn drive up the inherent inefficiency in the transmission of information from public companies to financial markets based on a model which hasn’t changed much since its original definition during the Great Depression years of the 1930’s.

I’ve seen articles in the Journal of Accountancy and in other authoritative financial publications pointing toward a better way and, with the advent of and widening support for the electronic reporting of financial results to the SCC (the XBRL initiative), we can hope we’re well into the drawn of a new age. That there’s been pushback to this effort is understandable. Those familiar with the technical and professional minefield of the present quarterly reporting process can only feel sympathy with those financial officers who have to go through it, quarter by quarter and year after year. Questions originally abounded about process and mechanics like how is electronically published financial information going to be verified and what real controls are there over its reliability? What happens if there’s an honest mistake?

Think about all this from the point of view of the fraud examiner. If enterprises, listed and non-listed, can make the transition from a periodic to a real-time, electronic based financial reporting system, the resulting efficiencies and the decrease in numerous types of fraud related risk would be truly striking. Real-time financial reporting would free our clients from the tyranny of the present, economically nonsensical, reporting of quarterly results. How much of the incentive to commit financial fraud to meet the numbers does that immediately alleviate? As one financial expert after another has pointed out over the years, there’s just no justification for focusing on a calendar quarter as the unit in which to take stock of financial performance, beyond the fact that that’s what’s presently codified in the law. By contrast, what if financial information were published and available to all users on a real-time basis? The immediate availability of such information, continuously updated, on whatever basis is appropriate for the individual enterprise and its industry, would force companies to adopt a reporting unit that ready makes sense to them and to their principal information users. For some companies that unit might be a week, a month, a quarter, semi-annually or a year. So be it. Let a thousand flowers bloom; the upshot is that what would end up being reported would make sense for the company, its industry and for the information users rather than the one-size fits all, set in stone, prescription of the present law.

An additional advantage, and one with immediate implications for fraud prevention, would be the opportunity for increased efficiency in financial markets as investment dollars could be allocated not according to quarterly results or according to the best guess estimates of financial analysts, but by reliable financial information provided directly by the company all the time; goodbye to many of the present information control vulnerabilities that support insider trading because information is not widely and efficiently disseminated. The point is that by employing digital, cloud-based analytics report building tools properly, users of all kinds could customize a set of up-to-date financial reports (in whatever format) on whatever time period, that suits their fancy.

But many have also pointed out that if there is to be such a shift from periodic to real-time financial reporting, there needs to be a fundamental change in basic attitudes toward financial reporting. Those who report and those who inspect financial information will have to change their focus from methods by which the numbers themselves are checked (audited) to methods (as with XBRL) that focus on the reliability of the system that generates the numbers. That’s where fraud examiners and other financial insurance professionals come in. On-line financial information will be published with such frequency and so rapidly, that there will be no time to “check” individual numbers; the emphasis for assurance professionals will, therefore, need to shift away from checking numbers and balances to analysis of and reporting on the integrity of the system of internal controls over the reporting system itself; understanding of the details of the internal control system over financial reporting will gain a level of prominence it’s never had before.

Fraud examiners need to be aware of these issues when counseling clients about the profound impact that digitally based, on-line reporting of financial information is and will have on their fraud prevention and fraud risk assessment programs. As with all else in life, real time financial reporting will inevitably decrease the risk of some fraud scenarios and increase the risk of others.

Fraud Detection-Fraud Prevention

One of our CFE chapter members left us a contact comment asking whether concurrent fraud auditing might not be a good fraud prevention tool for use by a retailer client of hers that receives hundreds of credit card payments for services each day. The foundational concepts behind concurrent fraud auditing owe much to the idea of continuous assurance auditing (CAA) that internal auditors have applied for years; I personally applied the approach as an essential tool throughout by carrier as a chief audit executive (CAE). Basically, the heart of a system of concurrent fraud auditing (CFA) like that of CAA is the process of embedding control based software monitors in real time, automated financial or payment systems to alert reviewers of transactional anomalies in as close to their occurrence as possible. Today’s networked/cloud based processing environments have made the implementation and support of such real time review approaches operationally feasible in ways that the older, batch processing based environments couldn’t.

Our member’s client uses several on-line, cloud based services to process its customer payments; these services provide our member’s client with a large database full of payment history, tantamount to a data warehouse, all available for use on SQL server, by in-house client IT applications like Oracle and SAP. In such a data rich environment, CFE’s and other assurance professionals can readily test for the presence of transactional patterns characteristic of defined, common payment fraud scenarios such as those associated with identity theft and money laundering. The objective of the CFA program is not necessarily to recover the dollars associated with on-line frauds but to continuously (in as close to real time as possible) adjust the edits in the payment collection and processing system so that certain fraudulent transactions (those associated with known fraud scenarios) stand a greater chance of not even getting processed in the first place. Over time, the CFA process should get better and better at editing out or flagging the anomalies associated with your defined scenarios.

The central concept of any CFA system is that of an independent application monitoring for suspected fraud related activity through, for example (as with our Chapter member), periodic (or even real time) reviews of the cloud based files of an automated payment system. Depending upon the degree of criticality of the results of its observations, activity summaries of unusual items can be generated with any specified frequency and/or highlighted to an exception report folder and communicated to auditors via “red flag” e-mail notices. At the heart of the system lies a set of measurable, operational metrics or tags associated with defined fraud scenarios. The fraud prevention team would establish the metrics it wishes to monitor as well as supporting standards for those metrics. As a simple example, the U.S. has established anti-money-laundering banking rules specifying that all transactions over $10,000 must be reported to regulators. By experience, the $10,000 threshold is a fraud related metric investigators have found to be generic in the identification of many money-laundering fraud scenarios. Anti-fraud metric tags could be built into the cloud based financial system of our Chapter member’s client to monitor in real time all accounts payable and other cash transfer transactions with a rule that any over $10,000 would be flagged and reviewed by a member of the audit staff. This same process could have multiple levels of metrics and standards with exceptions fed up to a first level assurance process that could monitor the outliers and, in some instances, send back a correcting feedback transaction to the financial system itself (an adjusting or corrective edit or transaction flag). The warning notes that our e-mail systems send us that our mailboxes are full are another example of this type of real time flagging and editing.

Yet other types of discrepancies would flow up to a second level fraud monitoring or audit process. This level would produce pre-formatted reports to management or constitute emergency exception notices. Beyond just reports, this level could produce more significant anti-fraud or assurance actions like the referral of a transaction or group of transactions to an enterprise fraud management committee for consideration as documentation of the need for an actual future financial system fraud prevention edit. To continue the e-mail example, this is where the system would initiate a transaction to prevent future mailbox accesses to an offending e-mail user.

There is additionally yet a third level for our system which is to use the CFA to monitor the concurrent fraud auditing process itself. Control procedures can be built to report monitoring results to external auditors, governmental regulators, the audit committee and to corporate council as documented evidence of management’s performance of due diligence in its fight against fraud.

So I would encourage our member CFE to discuss the CFA approach with the management of her client. It isn’t the right tool for everyone since such systems can vary greatly in cost depending upon the existing processing environment and level of IT sophistication of the implementing organization. CFA’s are particularly useful for monitoring purchase and payment cycle applications with an emphasis on controls over customer and vendor related fraud. CFA is an especially useful tool for any financial application where large amounts of cash are either coming in or going out the door (think banking applications) and to control all aspects of the processing of insurance claims.

Matching SOCS

I was chatting with the soon-to-be-retired information systems director of a major Richmond insurance company several nights ago at the gym. Our friendship goes back many years to when we were both audit directors for the Virginia State Auditor of Public Accounts. My friend was commenting, among other things, on the confusing flood of regulatory changes that’s swept over his industry in recent years relating to Service Organization Controls (SOC) reports. Since SOC reports can be important tools for fraud examiners, I thought they might be an interesting topic for a post.

Briefly, SOC reports are a group of internal control assurance reports, performed by independent reviewers, of IT organizations providing a range of computer based operational services, usually to multiple client corporations. The core idea of a SOC report is to have one or a series of reviews conducted of the internal controls related to financial reporting of the service organization and to then make versions of these reports available to the independent auditors of all the service organization’s user clients; in this way the service organization doesn’t have to be separately and repeatedly audited by the auditors of each of its separate clients, thereby avoiding much duplication of effort and expense on all sides.

In 2009 the International Auditing and Assurance Standards Board (IAASB) issued a new International Standard on Assurance Engagements: ‘ISAE 3402 Assurance Reports on Controls in a Service Organization’. The AICPA followed shortly thereafter with a revision of its own Statement on Auditing Standards (SAS) No. 70, guidance around the performance of third party service organization reports, releasing Statement on Standards for Attestation Engagement (SSAE) 16, ‘Reporting on Controls in a Service Organization’. So how does the SOC process work?

My friend’s insurance company (let’s call it Richmond Mutual) outsources (along with a number of companion companies) its claims processing functions to Fiscal Agent, Ltd. Richmond Mutual is the user organization and Fiscal Agent, Ltd is the service organization. To ensure that all the claims are processed and adequate internal controls are in place and functioning at the service organization, Richmond Mutual could appoint an independent CPA or service auditor to examine and report on the service organization’s controls. In the case of Richmond Mutual, however, the service organization itself, Fiscal Agent, Ltd, obtains the SOC report by appointing an independent service auditor to perform the audit and provide it with a SOC 1 report. A SOC 1 report provides assurance on the business processes that support internal controls over financial reporting and is, consequently, of interest to fraud examiners as, for example, an element to consider in structuring the fraud risk assessment. This report can then be shared with user organizations like Richmond Mutual and with their auditors as deemed necessary. The AICPA also provides for two other SOC reports: SOC 2 and SOC 3. The SOC 2 and SOC 3 reports are used for reporting on controls other than the internal controls over financial reporting. One of the key differences between SOC 2 and SOC 3 reports is that a SOC 3 is a general use report to be provided to anyone while SOC 2 reports are only for those users specifically specified in the report; in other words, the distribution is limited.

SOC reports are valuable to their many users for a whole host of obvious reasons but Fraud Examiners and other assurance professionals need to keep in mind some common misconceptions about them (some shared, I found, by my IT friend). SOC reports are not assurances. IASSB and AICPA guidelines specify that SOC reports are to be of limited distribution, to be used by the service organization, user organization and user auditors only and thus should never be used for any other service organization purpose; never, for example, as marketing or advertising tools to assure potential clients of service organization quality.

SOC 1 reports are used only for reporting on service organization internal controls over financial reporting; in cases where a user or a service organization wants to assess such areas as data privacy or confidentiality, they need to arrange for the performance of a SOC 2 and/or SOC 3 report.

It’s also a common mistake to assume that the SOC report is sufficient verification of internal controls and that no controls on the user organization side need to be assessed by the auditors; the guidelines are clear that while verifying controls at the service organization, controls at the user organization should also be verified. Since service the organization provides considerable information as background for the service auditor’s review, service organizations are often under the mistaken impression that the accuracy of this background information will not be evaluated by the SOC reviewer. The guidelines specify that SOC auditors should carefully verify the quality and accuracy of the information provided by the service organization under the “information provided by the service organization” section of their audit program.

In summary, the purpose of SOC 1 reports is to provide assurance on the processes that support internal controls over financial reporting. Fraud examiners and other users should take the time to understand the varied purpose(s) of the three types of SOC reports so they can use them intelligently. These reports can be extremely useful to fraud examiners assessing the fraud enterprise risk prevention programs of user organizations to understand the controls that impact financial operations and related IT controls, especially in multiple-service provider scenarios.

Sniffing it Out

The first Virginia governor I worked for directly was John Dalton, who was fond of saying that his personal gauge for ethically challenged behavior was the smell test, i.e., did any proposed action (and its follow-on implications) have the odor of appropriateness. Philosophical theories provide the bases for most useful practical decision approaches and aids, although a majority of seasoned executives are unaware of how and why this is so. Whatever the foundation of the phenomena may be, most experienced directors, executives, professional accountants (and governors) appear to have developed tests and commonly used rules of thumb that can be used to assess the ethicality of decisions on a preliminary basis.

If these preliminary tests give rise to concerns, most think a more thorough analysis should be performed. It is often appropriate (and quite common in practice) for subordinate managers and other employees to be asked to check a proposed decision in a quick, preliminary manner to see if an additional full-blown ethical or practicality analysis is required. These quick tests are often referred to as sniff tests. If any of these quick tests are negative, employees are asked to seek out someone like the corporate counsel or an ethics officer (if there is one) for consultation, or to personally perform a full-blown analysis of the proposed action. This analysis is usually retained, and perhaps even reviewed by upper management.

Some of the more common sniff tests employed by managers with whom I’ve worked are:

–Would I be comfortable if this action or decision were to appear on the front page of a national newspaper tomorrow morning?
Will I be proud of this decision?
Will my mother and father be proud of this decision?
Is this action or decision in accord with the corporation’s mission and code?
Does this feel right to me?

Unfortunately, although sniff tests and commonly used ethical rules of thumb are based on ethical principles as popularly conceived and are often useful, they rarely, by themselves, represent anything approaching a comprehensive examination of the confronting decision and therefore can leave the individuals and organization(s) involved vulnerable to making a challengeable choice. For this reason, experts advise that more comprehensive techniques of evaluation should be employed whenever a proposed decision is questionable or likely to have significant consequences. Analysis of specific sniff tests and the related heuristics reveals that they usually focus on a fraction of the comprehensive set of criteria that more complete forms of analysis examine.

Traditionally, an accepted business school case approach to the assessment of a corporate decision and the resulting action has been to evaluate the end results or consequences of the action. To most businesspeople, this evaluation has traditionally been based on the decision’s impact on the interests of the company’s owners or shareholders.

Usually these impacts have been measured in terms of the profit or loss involved, because net profit has been the measure of well-being that shareholders have wanted to maximize. This traditional view of corporate accountability has been modified over the last two decades in two ways. First, the assumption that all shareholders want to maximize only short-term profit appears to represent too narrow a focus. Second, the rights and claims of many non-shareholder groups, such as employees, consumers/clients, suppliers, lenders, environmentalists, host communities, and governments that have a stake or interest in the outcome of the decision, or in the company itself, are being accorded an increased status in corporate decision making.

Modern corporations are increasingly declaring that they are holding themselves self -accountable to shareholders and to non-shareholder groups alike, both of which form the set of stakeholders to which the company pledges to respond. It has become evident (look at the Enron example) that a company cannot reach its full potential, and may even perish, if it loses the support of even one of a select set of its stakeholders known as primary stakeholders.

The assumption of a monolithic shareholder group interested only in short-term profit is undergoing modification primarily because modem corporations are finding their shareholders are to an increasing degree made up of persons and institutional investors who are interested in longer-term time horizons and in how ethically individual businesses are conducted. The latter, who are referred to as ethical investors, apply two screens to investments: Do the investee companies make a profit in excess of appropriate hurdle rates, and do they strive to earn that profit in a demonstrably ethical manner?

Because of the size of the shareholdings of mutual and pension funds, and of other types of institutional investors involved, corporate directors and executives have found that the wishes of ethical investors can be ignored only at their peril. Ethical investors have developed informal and formal networks through which they inform themselves about corporate activity, decide how to vote proxies, and how to approach boards of directors to get them to pay attention to their concerns in such areas as environmental protection, excessive executive compensation, and human rights activities in specific countries and regions. Ethical investors as well as other stakeholder groups, tend to be increasingly unwilling to squeeze the last ounce of profit out of the current year if it means damaging the environment or the privacy rights of other stakeholders. They believe in managing the corporation on a broader basis than short-term profit only. Usually the maximization of profit in a longer than one-year time frame requires harmonious relationships with most stakeholder groups based on the recognition of the interests of those groups.

A negative public relations experience can be a significant and embarrassing price to pay for a decision making process that fails to take the. wishes of stakeholder groups into account. Whether or not special interest groups of private citizens are also shareholders, their capacity to make corporations accountable through social media is evident and growing. The farsighted executive and director will want these concerns taken into account before offended stakeholders have to remind them.

Taking the concerns or interests of stakeholders into account when making decisions, by considering the potential impact of decisions on each stakeholder, is therefore a wise practice if executives want to maintain stakeholder support. However, the multiplicity of stakeholders and stakeholder groups makes this a complex task. To simplify the process, it is desirable to identify and consider a set of commonly held or fundamental stakeholder interests to help focus analyses and decision making on ethical dimensions; stakeholder interests such as the following:

1.Their interest(s) should be better off as a result of the decision.
2. The decision should result in a fair distribution of benefits and burdens.
3. The decision should not offend any of the rights of any stakeholder, including the decision maker, and ..
4. The resulting behavior should demonstrate duties owed as virtuously as expected.

To some extent, these fundamental interests have to be tempered by the realities facing decision makers. For example, although a proposed decision should maximize the betterment of all stakeholders, trade-offs often have to be made between stakeholders’ interests. Consequently, the incurrence of pollution control costs may be counter to the interests of short-term profits that are of interest to some current shareholders and managers. Similarly, there are times when all stakeholders will find a decision acceptable even though one or more of them, or the groups they represent, may be worse off as a result.

In recognition of the requirement for trade-offs and for the understanding that a decision can advance the well-being of all stakeholders as a group, even if some individuals are personally worse off, this fundamental interest should be modified to focus on the well-being of stakeholders rather than only on their betterment. This modification represents a shift from utilitarianism to consequentialism. Once the focus on betterment is relaxed to shift to well-being, the need to analyze the impact of a decision in terms of all four fundamental interests becomes apparent. It is possible, for example, to find that a proposed decision may produce an overall benefit, but the distribution of the burden of producing that decision may be so debilitating to the interests of one or more stakeholder groups that it may be considered grossly unfair. Alternatively, a decision may result in an overall net benefit and be fair, but may offend the rights of a stakeholder and therefore be considered not right. For example, deciding not to recall a marginally flawed product may be cost effective, but would not be considered to be right if users could be seriously injured. Similarly, a decision that does not demonstrate the character, integrity, or courage expected will be considered ethically suspect by stakeholders.

A professional CFE can use an assessment of our client organization’s stakeholder ethical concerns in making pro-active recommendations about fraud detection and prevention strategies and in conducting investigations and should be ready to prepare or assist in such assessments for employers or clients just as they currently do in other fraud deterrence related business processes.

Although many hard-numbers-oriented investigators will be wary of becoming involved with the soft risk assessment of management’s tone-at-the-top ethically shaped decisions, they should bear in mind that the world is changing to put a much higher value on the quality and impact of management’s whole governance structure, the posture of which cannot failure to negatively or positively affect the design of the client’s fraud control and prevention programs.

Ambiguous Transactions

As any experienced fraud examiner will be happy to tell you, unambiguously distinguishing individual instances of fraud, waste and abuse, one from the other, can be challenging; that’s because transactions demonstrating characteristics of one of these issues so often share characteristics of the other(s). A spate of recent articles in the trade press confirm the public impression not only that health care costs are constantly rising but that poorly controlled health care provider reimbursement systems represent significant targets of waste and abuse, both within companies themselves and from external bad actors.

While some organizations review their health benefits programs and health administrator organizations annually, others appear to be doing relatively little in this area. Consequently, CFEs are increasingly being asked as audit team members to participate in fraud risk assessments of hearth benefits administration (HBA) programs for corporations, government entities, and nonprofit organizations. As a consequence, ACFE members are increasingly identifying practices that result in recoverable losses as well as losses that were never recovered because some among our client organizations have never effectively audited their health benefit plans.

A good place to start with this type of fraud risk assessment is for the CFE to evaluate the oversight of HBA reporting activities that could identify unidentified losses for the client organization.

Many organizations contract with third-party administrators (TPAs) to oversee their employee insurance claims process, health care provider network, care utilization review, and employee health plan membership functions. In the arena of claims processing, in today’s environment of rising costs, TPAs can make significant claim payment errors that result in financial losses to the CFE’s client organization if such errors are not promptly identified, recovered, and credited back to the plan. Claim overpayments are common in the industry; and most TPAs themselves have audit processes in place to minimize the losses to their clients. Many control assurance professionals incorrectly assume that the claim audit covers all the exposures, as the primary function of claims administration is to pay claims. This misconception can block a true understanding of the nature of the exposures and lessen the client’s sense of the necessity that systematic fraud and waste detection audits of health care claims transactions are performed, both externally and internally.

The trade press recently reported that an administrator for a U.S. federal government health benefit’s health plan changed its method of administering coordination of benefits (COB) from “pursue and pay” to “pay and pursue.” Under “pursue and pay,” the administrator determines who the primary insurance payer is before making payment. Under “pay and pursue,” the administrator pays the insurance claim and pursues a refund only if it itself is determined to be the secondary payer. In this case, the clients were billed for the payment of full benefits, even though they should have been the secondary payers. The financially strapped administrator recovered the overpayments, deposited them into a bank account, and never credited its clients. Following an audit, one of the client plans received a check for $2.3 million for its share of the refunds that were not returned to it. Is this case of apparent deception an example of fraud? Of waste? Or of abuse?

If COB savings had been routinely monitored by each of the plans, along with each client’s other cost containment activities, they would have noticed that the COB savings had fallen off and were next to nothing under “pay and pursue.” When looking at COB, CFEs and client internal auditors should review the provisions of the contract with the administrator to determine who is responsible for identifying other group coverage (OGC), the methodology for investigating OGC, time limitations for recovering overpayments, and the requirements for the reporting of savings to the client organization by the administrator. In conducting their risk assessments, client management and CFEs also should consider the controls over the organization’s oversight of monitoring COB savings and over the other cost containment activities performed by the administrator.

The COB case considered above was intentional deception, but losses also can be unintentional. To recover overpayments, the TPA can use a refund request letter to request refunds from healthcare providers (hospitals, physicians, etc.), or use the provider offset method, which deducts the overpayment from the provider’s next payment. The ACFE has reported one case in which a provider voluntarily returned an overpayment. The administrator’s policy was to return the refund check to the submitting provider with a form to complete including instructions to send the form and the check back to the administrator to initiate a provider offset on the next payment to the provider. No logs were kept of the checks received and returned to the providers. Following an audit, the client found that, because of a lack of training, personnel of its administrator had deposited the returned checks from providers into an administrative holding account. Subsequent to the investigation and administrative staff training, the client’s refund activity increased from almost nothing to more than $1 million a year. Including the monitoring and analyzing of refund activity as a component of the fraud prevention program will unfailingly provide insight into how well claim overpayments are being controlled.

When assessing for fraud risk regarding refund activity for health insurance overpayments, CFEs should pay attention to the collection methods used by the administrator, overpayment amounts and time limitations for recovery, and the use of external vendors and their shared savings on recoveries. Reporting from the administrator should be required to include an analysis of refund activity, the reasons for the refund(s), breakout between solicited and unsolicited refunds, and the balance of outstanding refunds.

Sometimes it cannot be determined whether an organization’s losses are intentional or unintentional. For example, in one review, several organizations contracted with a marketing firm specializing in a new approach to control health-care costs. The marketing firm hired an administrator to process the claims for its clients. After four months with the firm, an alert accountant at one of the organizations questioned why funding requests coming from the marketing firm were running 20 percent higher each month than they had been with the previous administrator. The organization’s finance division requested a review which revealed that the marketing firm had been billing its clients based on claims processed by the administrator, including claims not paid. The firm insisted it had not been aware that the funding requests resulted in client overbilling and agreed to refund the overbilled amounts to the organization.

Monitoring and approving the funding requests against some measure of expected costs can identify when costs should be investigated. When reviewing funding requests, assurance professionals should pay attention to the internal funding approval process, supporting detail provided by the administrator to support the funding, funding limitation controls to identify possible overfunding for follow-up investigation, bank account setup and account access, and the internal funding reconciliation process.

While losses may occur because of the administrator’s practices, losses (waste) also can go undetected because the organization does not perform adequate oversight of the practices used on its accounts. Preferred provider organization (PPO) discounts are common in managed health care plans. When organizations use PPO networks that are independent of the administrator’s contracted network, the PPO networks receive the claim first to reprice it with the negotiated rate. The PPO network generates a repricing sheet, which is sent with the original claim to the administrator for processing and payment.

In one case, no one explained the repricing sheets to the claim examiners, so they ignored them. The claims system automatically priced and loaded the administrator’s network claims with the negotiated rates into the claims system. However, because the client’s external PPO network fees were not in the claims system, the claims were paid at billed charges. The client lost an estimated $750,000 in discounts over a one-year period and was paying 34 percent of the savings to the PPO networks for savings that it never received. The client did not detect the lost discounts because it never reconciled the discounts reported by the PPO’s quarterly billings for its share of the savings to a discount savings as reported by the administrator.

While examining risks regarding discounts, CFE’s auditors should review the administrator’s or independent PPO network’s contracts regarding PPO pricing and access to pricing variation for in-network provider audits, alternative savings arrangements using external vendors for out-of-network providers, and reporting of PPO discount savings. Within their own organizations, auditors should be instructed to review the internal process of monitoring discount reporting and reconcile PPO shared savings to the administrator reporting the discounts.

There are frequent reports on fraud, abuse, and errors in government health programs issued by the U.S. Department of Health and Human Services’ Office of the Inspector General and by the U.S. Government Accountability Office; all these reports can be of use to CFEs in the conduct of our investigations. Because many of our client organization’s health plans mirror government programs, the fraud risk exposure in organizations is almost everywhere the same. Organizations have incurred tremendous losses by not systematically reviewing benefits administration and through lack of understanding of the dynamics of health plan oversight within their organizations. Developing and promoting a team response within an organization to foster understanding of the exposures in the industry is a practical role for all CFEs. This posture puts fraud examiners (as members of the fraud/abuse prevention and response team) in a position to provide management with assurance that the reporting on the millions spent on employees’ health benefits is accurate and reasonable and that associated costs are justified.

The Multi-Purpose Final Report

ACFE training has long told us that a prudently crafted final examination report can have a variety of important uses. As we know, when the fraud investigation has been completed, the investigator writes a formal report. The report itself plus expert opinions and testimony are then used as needed to support the resolution of issues that can relate to a whole host of matters potentially concerning taxes, employment, regulatory reporting, litigation (civil and criminal), and insurance claims.

Because the report can be used for such varied purposes, it should always be constructed under the assumption that it will be challenged in court. This requires that the report meet very high standards; any errors or misstatements in it may be used to undermine the credibility of both the report and of the investigator who wrote it.

Frauds typically result in business losses. For income tax purposes, such losses may be classified as either deductions or offsets to reportable revenues depending on the type of loss and the taxing authority. In cases of misappropriation, almost any type of asset can be fraudulently converted, and in some cases, a valuation expert might be needed to determine the dollar amount of the loss.

In cases of occupational fraud, the financial records can be so damaged from the fraud scheme that an exact determination of the loss is impossible. In such cases, the report may attempt to estimate the loss using any reasonable means available because taxing authorities often permit estimation of losses in cases of destroyed records.

Some occupational fraud schemes result in so much damage to the financial records that the entity will not have enough information to file tax returns. This can happen, for example, if the revenue records are either destroyed or rendered unreliable as a result of fraudulent transactions and journal entries. In such cases, it might be necessary to conduct a major reconstruction of the accounting records before losses can be determined, reliable financial statements can be generated, and tax returns can be filed. In fact, in some cases, the fraud investigator’s report might need to focus on the loss due to destruction of the financial records and leave open the issue of misappropriation pending reconstruction of the financial records. Of course, depending on the scope of the investigation and the available information, the investigator might both reconstruct the financial records and report on any misappropriation losses.

Another tax-related issue involves the embezzlement of funds set aside to pay payroll taxes. The U.S. federal tax system sometimes refers to such funds as trust fund taxes because under tax law, these funds belong to the Internal Revenue Service (IRS) from the moment they are collected. The business and the owners merely serve as trustees in collecting the taxes on behalf of the IRS.

Employers who terminate an employee for committing fraud can eventually battle the employee in litigation. In some cases, the former employee may sue for wrongful termination of employment, defamation, or discrimination. In other cases, an employee who is to be fired might have collective bargaining rights that require an arbitration process with a right of appeal. Fired employees may also attempt to claim government unemployment compensation benefits.

As a general rule, employees who are fired for serious misconduct (e.g., fraud) are not entitled to benefits. However, employees may argue that their termination was not deserved and may request a hearing to argue their side of the story. If this occurs, a fraud investigation report could serve as important evidence.

Whether a fired employee receives unemployment benefits may be important in determining the amount the company is required to pay for unemployment insurance. As a result, an employer who routinely fires employees runs the risk of incurring considerable increases in the cost of unemployment insurance. To make things even worse, if a fired employee was the one in charge of making unemployment insurance contributions but did not make them on time, a penalty rate of 150 percent could be applied to the employer’s future contributions. The exact consequences depend on the particular state involved because rules for unemployment insurance for state and federal governments differ. As a result of the possible tax and legal consequences as well as of possibly embarrassing publicity, employers are frequently reluctant to fire dishonest employees. Instead, they do things to encourage dishonest employees to leave voluntarily after taking measures to prevent them from continuing the fraud. In some cases, employers actually give dishonest employees favorable recommendations for future jobs.

Sometimes, a fraud investigation report may trigger mandatory reporting of the fraud to a government agency. For example, §1233.3 (a) of Title 12 (Banks and Banking) of the U.S. Electronic Code of Federal Regulations states the following:

‘A regulated entity shall submit to the Director a timely written report upon discovery by the regulated entity that it has purchased or sold a fraudulent loan or financial instrument, or suspects a possible fraud relating to the purchase or sale of any loan or financial instrument.’

A fraud investigation report can sometimes be more helpful in ruling out fraud than in ruling it in. For example, a report might read, “A detailed examination of the financial records did not reveal any intentional irregularities or evidence of fraud or misappropriation.” On the other hand, when there is fraud, the report might read something like, “There was a series of irregular computerized journal entries made in the accounts receivables ledgers and corresponding shortages in the cash account. The employee in charge of the computerized journal entries left the company before this investigation began and was not available for an interview. The owner states that only she and the former employee had access to the journal in question.”

The wording in this report suggests that the former employee may have embezzled funds from collections on account by making irregular journal entries. But the report cannot guarantee that s/he did so, nor can it definitively conclude that a fraud occurred. As a general rule in advance of an occupational fraud investigation, interested parties should not assume that the investigation will result in a report that gives a definitive answer to whether a fraud occurred. A more reasonable outcome is a report that identifies missed or damaging records or missing assets.

Fraud reports can be very helpful in both criminal and civil litigation. However, they can be less than satisfying in trying to persuade authorities to prosecute a suspect. What happens too often is that police or prosecutors browse through a fraud investigation report looking for a clear statement that identifies the guilty person. But, of course, such statements don’t appear in independent fraud investigation reports written by CFEs.

In many cases, a fraud investigation report is enough to at least persuade authorities to look at a case, especially with the hope of getting a quick confession. But if the suspect denies everything or lawyers up, law enforcement quickly realizes that they will need to hire a forensic accountant (because it is unlikely that they have one of their own) and will be forced to try to understand what they consider to be arcane and obscure accounting concepts.

The saying in law enforcement circles (as with the news media) is “if it bleeds, it leads.” In a metropolitan area, police quickly send a dozen squad cars, a SWAT team, and a helicopter to pursue someone who robs a liquor store of $100 with a penknife. But the same police respond with glassy eyes if the owner of the same liquor store reports that his accountant has robbed the business of $100,000 using a computer to manipulate the accounting records.

Although it does happen, most victims do not sue their fraudsters, primarily because fraudsters are typically judgment proof, meaning they do not have sufficient assets to repay their victims. However, criminal courts can and do order restitution, which can provide a strong motive for the victim to prosecute the perpetrator. In some jurisdictions, courts order convicted fraudsters to make regular restitution payments directly to the court, which then distributes them to the victim.

Finally, many companies have insurance with coverage for losses related to fraud. This coverage can include losses such as those due to the costs of preparing a proof of loss, losses due to embezzlement, losses of valuable papers and records, and loss of income. Independent fraud investigation reports can be very helpful in supporting insurance claims. Furthermore, one nice thing about embezzlement coverage is that some polices are written so that it is necessary only to prove that a loss has occurred, not who the guilty party is. The usefulness of a fraud investigation report with respect to losses of valuable papers and records, and loss of income, depends on the scope of the investigation. In many cases, the scope does not include determining the amount of losses of income or damage to valuable papers and records.

Taken Hostage

by Rumbi Petrozzello
2019 Vice President – Central Virginia ACFE Chapter

On March 22, 2018, I flew into the Atlanta Airport and stopped by the airport’s EMS offices to request an incident report. The gentleman who greeted me at the entrance to the offices was very kind and asked me to wait while he pulled up the details of the report for me. He called over to his coworker, who was sitting in front of a computer, and asked him for help. I heard the coworker clicking on his mouse a few times and then he said that his machine didn’t seem to be working. “It hasn’t been working all morning,” he added. The gentleman then gave me a phone number to call for assistance and apologized for not being more helpful. After I called the number, got voicemail and left a message, I became concerned because I was leaving the country the next day for a week and a half and so hoped that someone would get back to me that day.

Unfortunately, no one had called me back by the time I left. When I returned, I found no voicemail. I called again and left a message. A week after that, the airport EMS Chief returned my call with apologies for the delay – their computers had been down, and he was only now able to start getting back to people. Because I had been out of the country and not really following the news, it was only after a couple of months that I put two and two together. At that point I was working on Eye on Fraud, a publication of the AICPA’s Fraud Task Force. The edition was on Ransomware and as I looked at the information concerning Atlanta, I noticed the dates and realized that the day that I flew into Atlanta and visited the EMS office was the same day that the city of Atlanta was struck by a ransomware attack that crippled the city for over a week and resulted in costs to the city exceeding $2.6 million; a lot more than the $52,000 that was demanded in ransom by the attackers. In late November, two Iranians were indicted for the Atlanta and other attacks. The Atlanta ransomware attack featured many characteristics shared by such attacks, be they on individuals, companies, or governments.

Ransomware attacks have been a problem for decades; the first such documented attack took place in 1989. At that time the malicious code was delivered to victims’ computers via floppy disk and the whole exploit was very easy for victims to reverse. 2006 saw a big uptick in ransomware attacks and, today, ransomware is big business for individual cyber criminals and for organized gangs alike, earning them about a billion dollars in 2016.

Ransomware is a form of malware (malicious software), and works in one of two general ways:

1. Crypto-ransomware encrypts hard drives or files and folders.
2. Locker-ransomware locks users out of their machines, without employing encryption.

As time has gone on, ransomware has become more complex and ransomware attacks more sophisticated. One way in which cyber criminals break into computer systems is via human engineering. This can take the form of an email with a malicious attachment or a link to a compromised website. Cyber criminals also take advantage of known weaknesses in computer operating systems. The WannaCry ransomware, which swept the globe several years ago, took advantage of a flaw in Microsoft Windows. This underscores how essential it is to provide cyber training to employees and to update this training often. Employees must be taught to always be vigilant and on the lookout for such attacks, and to maintain awareness of how such threats are constantly changing and migrating. All it takes is a single employee lapse in judgment and attention for malware to get into a business’s computer system. It’s also essential to keep computers and software up to date with the latest patches. WannaCry was successful in part because Microsoft had discontinued its support of some versions of Windows, including for Windows XP and Windows Server 2003. The amount of money companies thought they were saving by continuing to use old unsupported software was dwarfed by the cost of recovery from malware attacks specifically targeting that software.

When CFEs and forensic accountants dialogue with clients about ransomware attack scenarios, we should remind them that cyber criminals are equal opportunity offenders when it comes to such exploits. Employees should be alert to this whether they are working on an employer’s machine or on a personal one. Ransomware has now made its way into the smartphone space, so employees should be made aware that heightened vigilance should extend even to their smartphones. CFEs should additionally work with clients to fund penetration and phishing tests to determine how effective staff training has been and to highlight areas for improvement.

Both individuals and companies should have a plan on how they will deal with a possible ransomware attack. A well-thought out plan can minimize the effects of an attack and can also mean that the reaction to the attack is measured and not mounted on the basis of uncoordinated panic. For example, when LabCorp was attacked in July 2018, the company contained the spread of the malware in less than an hour. Its, therefore, doubly important that we CFEs and forensic accountants work with IT specialists to formulate an advance plan in case of a ransomware or other malware, attack.

Experts recommend that ransom should not be paid. Clients need to be made to understand that when their systems are taken hostage, they are dealing with criminals and criminals are, more often than not, not to be trusted. When the city of Leeds, Alabama, was attacked, the city paid the cyber criminals $12,000 in ransom. Despite making this payment, the hackers restored only a limited number of files. The city was then faced with the expenditure of additional funds in the attempt to recover or rebuild the remaining files. Sometimes hackers will disappear with ransom and restore nothing. In the face of this, companies and individuals should be encouraged to have back up and restoration plans. To be useful, backups must be made regularly and kept physically separate from the machine or network being protected. The recovery plan should be tested at least annually.

Ransomware exploits are not going away any time soon. Ransomware attacks are a way to get money, not only through the ransom demanded itself but also through access to other sensitive information belonging to employees and clients. Often the hacker will demand a nominal amount in ransom and sell the information stolen by access to the company’s network for a lot more.

We, as CFEs and forensic accountants, can help our client address the ballooning threat in a number of ways:

• by performing a risk assessments of clients’ systems and processes, to identify weaknesses and areas for control improvement.
• by providing staff training on security best practices. This training should be updated at least once a year; in addition to updating staff on changes, this will also serve to remind employees to be vigilant. This training must include everyone in a company, even top management and the board.
• by reminding clients to keep software up to date and to consider upgrades or total changes when an application is no longer supported. Encourage management to have software updates automated on employees’ machines.
• by working with clients to create a backup and recovery system, that features off-site backups. This program should be tested regularly, and backups should be reviewed to ensure their integrity.
• by working with IT and third-party vendors on annual penetration and social engineering testing at client locations. The third-party vendors used should be rotated ever three years.

CSO Online predicts that ransomware attacks will rise to one every 14 seconds by the end of 2019. We CFEs and forensic accountants should work with our clients to innovate effective ways to protect themselves and to mitigate the effects of the future attacks that certainly will occur. The key is to ensure that clients remain educated, vigilant and prepared.