Category Archives: theinnerauditor Blog

Better Call Saul

As reported so often in the press these last few years, even when well-intentioned employees feel they’re doing the right thing by reporting acts of wrongdoing, their reports aren’t always well received. Numerous studies conducted by the ACFE strikingly bear this out.  And this is so much the case that any employee (public or private) who witnesses acts of wrongdoing and decides to report them is well advised to seek legal counsel before doing so.  When a whistle-blower also happens to be a CFE, the same advice applies. Every CFE should learn just when, where, and how to report fraudulent acts before blowing the whistle, if only so they can comply with the often complex procedures required to receive any available protections against retaliation.

All the U.S. states have laws to protect public sector employees from retaliation for whistle-blowing. Indeed, most of the state whistle-blowing laws were enacted specifically to actively encourage public sector employees to report fraud, waste, and abuse both in and without government agencies. Some state laws protect only public employees; others include government contractors and private-sector employees as well.  Many of the laws protecting private sector employees involve workplace safety. They were designed and enacted decades ago to protect employees from retaliation when reporting occupational safety issues. Public and private employees can use them, but they might not apply in all situations. Over the years, reporting in some other specific situations has also received protection.

Facts to keep in mind. Whistle-blowing, as it relates to fraud, is the act of reporting fraud, waste, and abuse. Reporting any act of wrongdoing is considered whistle-blowing, regardless if it’s reported by a public or private employee or to persons inside or outside of the victim organization.  Anyone can report wrongdoing, but the subsequent level of protection against retaliation an employee will receive will differ depending on whether they’re public or private, to whom they report, the manner in which they report, the type of wrongdoing they report, and the law(s) under which they report.  The ACFE tells us that a majority of unprotected whistle-blowers end up being terminated.  Among those unterminated, some are suspended, some transferred against their wishes and some are given poor performance evaluations, demoted or harassed.  To address their situation, some choose recourse to the courts.  The rub here is that to prevail, the employee will probably have to link their whistleblowing directly to the retaliation. This can be difficult for the employee experiencing any kind of current problem in the workplace because employers will claim their adverse personnel actions were based on the employees’ poor performance and not on the employees’ decision to blow the whistle. It’s especially easy for employers to assert this claim if the person who conducted the retaliation claims no knowledge of the whistle-blowing, which is very frequently the case.

Additionally, many whistle-blowers lose their cases because they didn’t comply with some technicality in the laws. Protection laws are very specific on how whistle-blowers must report the wrongdoing. Failing to comply with any aspect of the law will result in a loss of protection. Some examples:

  • Subject Matter Jurisdiction – the court must have the power to hear the kind of issue in the whistle-blower’s suit. Subject matter jurisdiction is based on the law the whistle-blower plans to use. Generally speaking, federal courts hear violations of federal laws and state courts hear violations of state laws, although this isn’t always the case. Employees can file alleged violations of their civil rights in state or federal courts under Section 1983 of Title 42 of the U.S. Code of

Federal Regulations. While rarely used in the past, today Section 1983 is part of the Civil Rights Act and the primary means of enforcing all Constitutional rights. Subject Matter Jurisdiction can help employees decide to file in federal or state court. Of course, the employer might ask to have the case moved to another court.

  • Personal Jurisdiction – the employee should make sure the court has power over the party s/he wants to sue. A court must have personal jurisdiction over the defendant to hear a case. Courts usually have personal jurisdiction over the people and organizations residing or doing business in their jurisdiction.
  • Venue – venue refers to the court that will hear the employee’s case. The proper venue is the jurisdiction in which the defendant lives or does business, where the contract was signed or carried out, or the incident took place. More than one court can have jurisdiction over the case. The employee should pick the venue most convenient for her.

As I said above, most whistle-blower laws were written and are intended to protect public-sector employees who report violations affecting public health and safety. Proving public interest is easy for public-sector employees because their work involves public protection. It’s not as easy for private-sector employees.  A goodly percentage of private-sector whistle-blowers lose their cases because the matters didn’t involve public policy.   Whistle-blowers can improve their chances of success by preparing early and reading the whistle-blowing laws of their state of jurisdiction. The case law is also important because it shows the precedent already set by the courts. The better prepared the employee is, the less likely s/he will make avoidable mistakes.  An evolving issue is the extent to which whistle-blowers must be certain of violations. Many laws already require the employee to state the specific law that was broken. Some courts require whistle-blowers to be certain of their allegations. Trends requiring certainty will make it increasingly difficult for whistle-blowers to receive protection.

As a final point.  A goodly percentage of whistle-blowers fail to achieve protection each year because of their own improper conduct. Some of these whistle-blowers misused their employers’ property; some of them stole it. Employees must ensure their conduct is above scrutiny because some courts will apply the “doctrine of unclean hands” and bar whistle-blowers from protection, if they’ve engaged in misconduct directly related to their complaints. The doctrine of unclean hands can work against employers, just as it does employees. In Virginia not too long ago, a Medicaid provider submitted documents containing incorrect claims information to the court. The whistle-blower proved the information was false and won his case on those grounds alone. Thus, it’s important for employers and employees to comport themselves with integrity.

Whistle-blowers who commit unlawful acts to advance their cases don’t do well in court, but neither do whistle-blowers who refuse to commit unlawful acts on behalf of their employers. Most state whistle-blower laws are designed to protect employees that refuse to commit unlawful acts, but it can be difficult to receive even that protection.

All this by way of saying that the laws governing whistle-blower protection are many and varied.  As fraud examiners and auditors it behooves us to be as familiar with these laws in the jurisdictions in which we practice as we reasonably can be.  But always, when confronted with such cases, always consult counsel.  As my father told me so long ago, the man or women who acts as their own attorney has a fool for a client.

Just Like Me

During a joint training seminar between our Chapter and the Virginia State Police held a number of years ago, I took the opportunity to ask the attendees (many of whom are practicing CFE’s) to name the most common fraud type they’d individually investigated in the past year. Turned out that one form or another of affinity fraud won hands down, at least here in Central Virginia.

This most common type of fraud targets specific sectors of society such as religious affiliates, the fraudster’s own relatives or acquaintances, retirees, racial groups, or professional organizations of which the fraudster is a member. Our Chapter members indicate that when a scammer ingratiates himself within a group and gains trust, an affinity fraud of some kind can almost always be expected to be the result.

Regulators and other law enforcement personnel typically attempt to identify instances of affinity fraud in order to prosecute the perpetrator and return the fraudulently obtained goods to the victims. However, affinity fraud tends to be an under reported crime since victims may be embarrassed that they so easily fell prey to the fraudster in the first place or they may remain connected to the offender because of emotional bonding and/or cultivated trust. Reluctance to report the crime also frequently stems from a misplaced belief that the fraudster is fundamentally a good guy or gal and will ultimately do the right thing and return any funds taken. In order to stop affinity fraud, regulators and law enforcement must obviously first be able to detect and identify the crime, caution potential investors, and prevent future frauds by taking appropriate legal actions against the perpetrators.

The poster boy for affinity fraud is, of course, Bernard Madoff.   The Madoff tragedy is considered an affinity fraud because the vast majority of his clientele shared Madoff’s religion, Judaism. Over the years, Madoff’s list of victims grew to include prominent persons in the finance, retail and entertainment industries. This particular affinity fraud was unprecedented because it was perpetrated by Madoff over several decades, and his customers were defrauded of approximately twenty billion dollars. It can be debated whether the poor economy, lack of investor education, or ready access to diverse persons over the internet has led to an increase in affinity fraud but there can be no doubt that the internet makes it increasingly easy for fraudsters to pose as members of any community they target. And, it’s clear that affinity frauds have dramatically increased in recent years. In fact, affinity fraud has been identified by the ACFE as one of the top five investment schemes each year since 1998.

Affinity frauds assume different forms, e.g. information phishing expeditions, investment scams, or charity cons. However, most affinity frauds have a common element and entail a pyramid-type of Ponzi scheme. In these types of frauds, the offender uses new funds from fresh victims as payment to initial investors. This creates the illusion that the scam is profitable and additional victims would be wise to immediately invest. These types of scams inevitably collapse when it either becomes clear to investors or to law enforcement that the fraudster is not legitimate or that there are no more financial backers for the fraud. Although most fraud examiners may be familiar with the Madoff scandal, there are other large scale affinity frauds perpetrated across the United States almost on a daily basis that continue to shape how regulators and other law enforcement approach these frauds.

Perpetrators of affinity frauds work hard, sometime over whole years, to make their scams appealing to their targeted victims. Once the offenders have targeted a community or group, they seek out respected community leaders to vouch for them to potential investors. By having an esteemed figurehead who appears to be knowledgeable about the investment and endorses it, the offender creates legitimacy for the con. Additionally, others in the community are less likely to ask questions about a venture or investment if a community leader recommends or endorses the fraudster. In the Madoff case, Madoff himself was an esteemed member of the community. As a former chair of the National Association of Securities Dealers (NASD) and owner of a company ranked sixth largest market maker on the National Association of Securities Dealers Automated Quotations (NASDAQ), Madoff’s reputation in the financial services industry was impeccable and people were eager to invest with him.

The ACFE indicates that projection bias is yet another reason why affinity fraudsters are able to continually perpetrate these types of crimes. Psychological projection is a concept introduced by Sigmund Freud to explain the unconscious transference of a person’s own characteristics onto another person. The victims in affinity fraud cases project their own morals onto the fraudsters, presuming that the criminals are honest and trustworthy. However, the similarities are almost certainly the reason why the fraudster targeted the victims in the first place. In some cases when victims are interviewed after the fact, they indicate to law enforcement that they trusted the fraudster as if they were a family member because they believed that they shared the same value system.

Success of affinity fraud stems from the higher degree of trust and reliance associated with many of the groups targeted for such conduct. Because of the victim’s trust in the offender, the targeted persons are less likely to fully investigate the investment scheme presented to them. The underlying rationale of affinity fraud is that victims tend to be more trusting, and, thus, more likely to invest with individuals they have a connection with – family, religious, ethnic, social, or professional. Affinity frauds are often difficult to detect because of the tight-knit nature common to some groups targeted for these schemes. Victims of these frauds are less likely to inform appropriate law enforcement of their problems and the frauds tend to continue until an investor or outsider to the target group finally starts to ask questions.

Because victims in affinity frauds are less likely to question or go outside of the group for assistance, information or tips regarding the fraud may not ever reach regulators or law enforcement. In religious cases, there is often an unwritten rule that what happens in church stays there, with disputes handled by the church elders or the minister. Once the victims place their trust in the fraudster, they are less likely to believe they have been defrauded and also unlikely to investigate the con. Regulators and other law enforcement personnel can also learn from prior failures in identifying or stopping affinity frauds. Because the Madoff fraud is one of the largest frauds in history, many studies have been conducted to determine how this fraud could have been stopped sooner. In hindsight, there were numerous red flags that indicated Madoff’s activity was fraudulent; however, appropriate actions were not taken to halt the scheme. The United States Securities and Exchange Commission (SEC) received several complaints against Madoff as early as 1992, including several official complaints filed by Harry Markopolos, a former securities industry professional and fraud investigator. Every step of the way, Madoff appeared to use his charm and manipulative ways to explain away his dealings to the SEC inspection teams. The complaints were not properly investigated and subsequent to Madoff’s arrest, the SEC was the target of a great deal of criticism. The regulators obviously did not apply appropriate professional skepticism while doing their jobs and relied on Madoff’s reputation and representations rather than evidence to the contrary. In the wake of this scandal, regulatory reforms were deemed a priority by the SEC and other similar agencies.

Education is needed for the investing public and the regulators and law enforcement personnel alike to ensure that they all have the proper knowledge and tools to be able to understand, detect, stop, and prevent these types of frauds. This is where CFEs and forensic accountants are uniquely qualified to offer their communities much needed assistance. Affinity frauds are not easily anticipated by the victims. Madoff whistleblower Markopolos asserted that “nobody thinks one of their own is going to cheat them”.  Affinity frauds will not be curtailed unless the public, we, the auditing and fraud examination communities, and regulators and other law enforcement personnel are all involved.

Getting Out of Your Own Way

One of the most frequently requested topics for ACFE lead instruction concerns the art of fraud interviewing, one of the most complex and crucial disciplines of the many comprising the fraud examination process. And at the heart of the interviewing process lies communication. As we all know, communication is the process of effectively sending and receiving information, thoughts, and feelings. First and foremost, an effective interviewer is an effective communicator and being an effective communicator depends on building rapport. According to the ACFE, if you don’t establish rapport with a subject at the outset of the fraud interview, the possibilities of your spotting anything are very low. Rapport is the establishment of a connection between two individuals that is based on some level of trust and a belief in a relationship that is mutually beneficial to both parties.

The interviewer who thinks s/he will find a cooperative subject without making a connection with that individual is in for a disappointment. Rapport is determined by our attitude toward the subject. Just as we as interviewers use our powers of perception to “read” the subject, the subject reads us as well. If s/he senses condemnation, superiority, hostility, or deceit, you can expect little but superficial cooperation from any interaction. Besides, above all else, as the experts tell us, we are professionals. As professionals, personal judgments have no place in an interview setting. Our job is to gather information empirically, objectively, and without prejudice towards our subjects. Why do we identify with and speak more freely to some people? We are naturally drawn to those with whom we share similar characteristics and identities. Techniques and tools are important, but only to the extent that they complement our attitude toward the interview process. So, effective communication is not what we do – it’s who we are.

And along with rapport, the analysis of the quality of the interaction between both interview participants is critical to the communication process. An interview is a structured session, ideally between one interviewer and one subject, during which the interviewer seeks to obtain information from a subject about a particular matter. And just as we signal each other with voice pitch and body language patterns when we’re sad, angry, delighted, or bored, we also display distinct patterns when trying to deceive each other. Fortunately for those of us who interview others as part of our profession, if we learn to recognize these patterns, our jobs are made much simpler. Of course there is no single behavior pattern one can point to and say “Aha! This person is being deceptive!” What the professional can point to is change in behavior. Should a subject begin showing signs of stress as our questions angle in a certain direction, for example, we know we have hit an area of sensitivity that probably requires further exploration. If you interview people regularly, you probably already know that it is more likely for a subject to omit part of the story than actually lie to you. Omission is a much more innocuous form of deceit and causes less anxiety than fabricating a falsehood. So even more importantly than recognizing behavior associated with lying, the interviewer must fine tune her skills to also spot concealment patterns.

ACFE experts tell us that each party to a fraud interview may assume that they understand what the other person is conveying. However, the way we communicate and gather information is based in part on which of our senses is dominant. The three dominant senses, sight, hearing, and touch influence our perceptions and expressions more than most realize. A sight dominant subject may “see” what you are saying and tell you he wants to “clear” things up. An auditory dominant person may “hear” what your point is and respond that it “sounds” good to him. A touch dominant person may have a “grasp” of what you are trying to convey, but “feel uncomfortable” about discussing it further.

By analyzing a subject’s use of words, an interviewer can identify his or her dominant sense and choose her words to match. This helps strengthen the rapport between interviewer and subject, increasing the chances of a good flow of information. Essential, of course, to analyzing and identifying a subject’s dominant senses are good listening skills. Effective communication requires empathetic listening by the interviewer. Empathetic listening and analysis of the subject’s verbal and nonverbal communication allows us to both hear and see what the other person is attempting to communicate. It is the information that is not provided and that is concealed, that is most critical to our professional efforts.

By developing your listening abilities, practicing them with others with whom you communicate every day, the vast array and inexhaustible variations of the human vocabulary are bound to strike you. The most effective way to communicate is with clear, concise sentences that create no questions. However, the words we choose to use, and the way that we say them, are limited only by what is important to us. A subject, reluctant or cooperative, will speak volumes with what they say, and even more significantly, what they don’t say. Analysis of the latter often reveals more than the information the subject actually relates. For instance, the omission of personal pronouns could mean unwillingness on the part of the subject to identify himself with the action.

One final note of caution. If you ask the experts about the biggest impediment to an effective interview, they will probably give you a surprising answer. Most experienced interviewers will tell you that often the greatest impediment to a successful interview is the interviewer. Most interviewers use all of their energies observing and evaluating the subject’s responses without realizing how their own actions and attitudes can contaminate an interview. In fact, it is virtually impossible to conduct an interview without contaminating it to some extent. Every word used, the phrasing of a question, tone, body language, attire, the setting – all send signals to the subject. The effective interviewer, however, has learned to contaminate as little as possible. By retaining an objective demeanor, by asking questions which reveal little about what s/he already knows, by choosing a private setting and interviewing one subject at a time, s/he keeps the integrity of the interview intact to the best of her ability.

The Know It All

As fraud examiners intimately concerned with the general on-going state of health of fraud management and response systems, we find ourselves constantly looking at the integrity of the data that’s truly the life blood of today’s client organizations.  We’re constantly evaluating the network of anti-fraud controls we hope will help keep those pesky, uncontrolled, random data vulnerabilities to a minimum.   Every little bit of critical information that gets mishandled or falls through the cracks, every transaction that doesn’t get recorded, every anti-fraud policy or procedure that’s misapplied has some effect on the client’s overall fraud management picture. 

When it comes to managing its client, financial and payment data, almost every organization has a Pauline.  Pauline’s the person everyone goes to get the answers about data, and the state of the system(s) that process it, that no one else in her unit ever seems to have.  That’s because Pauline is an exceptional employee with years of detailed hands-on-experience in daily financial system operations and maintenance.  Pauline is also an example of the extraordinary level of dependence that many organizations have today on a small handful of their key employees.   The great recession of past memory where enterprises relied on retaining the experienced employees they had rather than on traditional hiring and cross-training practices only exacerbated a still existing, ever growing trend.  The very real threat to the fraud management system that the Pauline’s of the corporate data world pose is not so much that they will commit fraud themselves (although that’s an ever present possibility) but that they will retire or get another job out of state, taking their vital knowledge of the company systems and data with them. 

The day after Pauline’s retirement party and, to an increasing degree thereafter, it will dawn on  Pauline’s unit management that it’s lost a large amount of valuable information about the true state of its data and financial processing system(s), of its total lack of a large amount of system critical data documentation that’s been carried around nowhere but in Jane’s head.  The point is that, for some organizations, their reliance on a few key employees for day to day, operationally related information on their data goes well beyond what’s appropriate and constitutes an unacceptable level of risk to their fraud prevention system.  Today’s newspapers and the internet are full of stories about data breeches, only reinforcing the importance of vulnerable data and of its documentation to the on-going operational viability of our client organizations. 

Anyone whose investigated frauds involving large scale financial systems (insurance claims, bank records, client payment information) is painfully aware that when the composition of data changes (field definitions or content) surprisingly little of that change related information is ever formally documented.  Most of the information is stored in the heads of some key employees, and those key employees aren’t necessarily the ones involved in everyday, routine data management projects.  There’s always a significant level of detail that’s gone undocumented, left out or to chance, and it becomes up to the analyst of the data (be s/he an auditor, a management scientist, a fraud examiner or other assurance professional) to find the anomalies and question them.  The anomalies might be in the form of missing data, changes in data field definitions, or change in the content of the fields; the possibilities are endless.  Without proper, formal documentation, the immediate or future significance of these types of anomalies for the fraud management systems and for the overall fraud risk assessment process itself become almost impossible to determine.   

If our auditor or fraud examiner, operating under today’s typical budget or time constraints,  is not very thorough and misses even finding some of these anomalies, they can end up never being addressed.   How many times as an analyst have you tried to explain something (like apparently duplicate transactions) about the financial system that just doesn’t look right only to be told, “Oh, yeah.  Pauline made that change back in February before she retired; we don’t have too many details on it.”  In other words, undocumented changes to transactions and data, details of which are now only existent in Pauline’s head.  When a data driven system is built on incomplete information, the system can be said to have failed in its role as a component of overall fraud management.  The cycle of incomplete information gets propagated to future decisions, and the cost of the missing or inadequately explained data can be high.  What can’t be seen, can’t ever be managed or even explained. 

It’s truly humbling for any practitioner to experience how much critical financial information resides in the fading (or absent) memories of past or present key employees.  As fraud examiners we should attempt to foster a culture among our clients supportive of the development of concurrent transaction related documentation and the sharing of knowledge on a consistent basis for all systems but especially in matters involving changes to critical financial systems.  One nice benefit of this approach, which I brought to the attention of one of my clients not too long ago, would be to free up the time of one of these key employees to work on more productive fraud control projects rather than constantly serving as the encyclopedia for the rest of the operational staff. 

And the Cash Flows On

As a fraud examiner and information systems auditor, I’ve always been a big fan of the cash flow statement and I think you should be too. For the non-accountant investigators among you, the cash flow statement reveals what happened to the client’s cash during the reporting period. It’s very much like your bank account statement: You have a beginning balance of cash at the start of the month, you deposit your paycheck, you write some checks for your mortgage and groceries, and then you end the month with a new cash balance. This is what a cash flow statement is: simply a beginning balance of cash, plus or minus some cash transactions, to arrive at an ending cash balance.

Another way to view the cash flow statement is as an income statement that is adjusted for non-cash transactions and transactions that have not yet impacted cash. Non-cash transactions are transactions that affect the income statement but will never affect cash. Depreciation is a non-cash transaction that is added back to profits on the cash flow statement since cash is never paid out or collected when an asset is depreciated. The cash flow statement also clarifies transactions that immediately impact cash. A company can make a sale but not collect on it, or incur an expense and not immediately pay for it in cash. These are called accounts receivable and accounts payable, respectively. Revenues that are earned but not received and expenses that are incurred but not paid would show up on the income statement, but not on the cash flow statement. So the formula for the statement is simply …

Beginning Cash Balance
+I- Net Cash Flows from Operating Activities
+I- Net Cash Flows from Investing Activities
+I- Net Cash Flows from Financing Activities
= Ending Cash Balance

There are two methods of reporting cash flows from operations; in the direct method, the sources of operating cash flows are listed along with the uses of operating cash flows, with the difference between them being the net cash flow from operating activities. In contrast, the indirect method reconciles net income per the income statement with net cash flows from operating activities; that is, accrual-basis net income is adjusted for non-cash revenues and expenses to arrive at net cash flows from operations. The net cash flows from operating activities is the same amount regardless of which method is used. The indirect method is usually easier to compute and provides a comparison of the company’s operating results under the accrual and cash methods of accounting. As a result, most companies choose to use the indirect method, but either method is acceptable.

So what does all this provide as a tool for the fraud examiner? Simply, the cash flow statement provides any CFE with lots of neat information for further analysis in a very compact form. First of all, the statement tells you what the company’s cash receipts and cash payments were for the period. Remember that it’s unlike the income statement in that the income statement takes into account all revenue and expense transactions, whether or not they affected cash. The cash flow statement only considers transactions that involve cash.

The cash flow statement divides the company’s cash transactions into three categories:

• Operating activities, which include all cash received and paid out in connection with the company’s normal business operations, such as cash received from customers and funds paid to vendors. This category essentially encompasses any cash transactions that affect items on the income statement.
• Investing activities, which are cash flows related to the sale or purchase of non-current assets, such as fixed assets, intangible assets, and investments. This category generally covers those cash transactions that affect the asset side of the balance sheet.
• Financing activities, which are all cash inflows and outflows pertaining to the company’s debt and equity financing. Inflows include the proceeds received from issuing stocks and bonds and from borrowing money from a bank. Outflows include debt repayments and cash dividends paid to shareholders. In general, this category includes the cash transactions that affect the liabilities and owners’ equity side of the balance sheet.

In a perfect world, a company should only need loans when it has a timing problem between collecting and spending money or when it’s expanding. However, if a company expends more money than it will ever make, it will eventually go out of business. This is where the cash flow statement is so useful to the fraud examiner. You will want to get an idea of the cash flow necessary to run the business so that you will be able to tell whether the company is generating enough cash from operations to continue to do business. The examiner can also evaluate the relationship between total cash generated from financing and investing activities and the amount generated by operating activities.

Some things you will want to note from the cash flow statement in connection with any suspected financial fraud:
• Does the company have heavy demands on its operating cash each period?
• Do the inflows equal or exceed the outflows?
• Is the cash balance increasing or decreasing over time?
• Is the company making smart decisions about sources and uses of cash given its apparent financial condition?

This is information pertinent to the investigation of a wide range of fraud scenarios, the successful investigation of which involves different data than that commonly available in the income statement. The income statement alone does not reveal a complete picture of the company’s financial health, necessary for a full investigation of so many types of fraud. Evaluating income and cash flows includes considering the timing of items, such as collections of accounts receivable. In the end, a company might have a fabulous looking income statement, but might not have any cash available for operations. This may occur because the revenues recorded on the income statement have not been collected. Remember, as part of doing business, companies usually allow customers to make purchases on credit; this means the companies will collect the cash subsequent to the actual recording of the revenues. For example, a small high-tech manufacturer might have a healthy looking profit on its income statement, but not be able to pay its employees’ salaries. However, the entrepreneurial owners of the company expect all is well, since they think the net income on the income statement to be equal to the amount of cash in the company’s bank account. But, as is often the case, there’s a timing difference between when the company records a sale and when it actually receives the cash from its customers. As a result, the cash balance seldom, if ever, will match the income on the income statement. Other transactions – such as accrued or prepaid expenses, depreciation, and inventory purchases – will also cause a disparity between an organization’s net income and its net cash flows.

The statement of cash flows represents a trove of invaluable information that can cast light on virtually every aspect of a client’s financial health and, thus inform any investigation. Use it to your advantage.

Reaching Behind the Curtain

Not too long ago a close friend of one of our Chapter members paid a substantial sum of money to a relative, the owner of a closely held corporation, in exchange for a piece of the relative’s real estate to which, it turns out,  the relative/owner did not have clear title.  The relative apparently used a substantial portion of the funds to immediately clear debts of his corporation of which he and his wife are the sole officers and shareholders.  He now claims that, since he used the sale proceeds for corporate purposes, the refund of the purchase price he owes our Chapter member’s friend is a debt of the corporation and not of his personally.   Our Chapter’s friend has engaged an attorney at the suggestion of our certified Chapter member.

Our legal system recognizes that corporations have a separate existence from their shareholders/owners and are treated as ‘individuals’ under the law. There are two ways for a wrong-doer to use the existence of a corporation to avoid efforts to recover a money damage judgment from him or her:

–As in this case, the scammer argues that the corporation and not the shareholder/owner committed the offense, and therefore the shareholder’s personal assets and property should not be used to satisfy any judgment for the offense.

–Argues that the wrongdoer/shareholder’s property is held in the name of the corporation, and therefore s/he has no personal assets that can be used to satisfy a judgment against him  or her.

The first reflects the classic doctrine that shareholder/owners are not liable for the debts or liabilities of the corporation. Of course, if the shareholder/owner also controls the corporation and personally acted wrongfully, s/he may still be liable for her misconduct, and the corporation may simply be jointly and severally liable together with her. Whether the wrongful conduct was that of the corporation or that of an individual shareholder usually is a question of fact to be decided by the jury.

The second reflects the corporation’s ability, as a separate legal entity, to own its own property. If the corporation owns the property, then the individual shareholder does not.  Since both pre-judgement attachment writs and writs of execution can only reach a defendant’s interest in leviable assets, a wrongdoer can appear without assets and judgment proof – and your client can be unable to satisfy a money judgment against her- if the wrongdoer/shareholder has transferred title in her personal assets to the corporation. This does not apply to a non-money judgment to recover specific money or property which can reach proceeds or property in the hands of the wrongdoer or of third persons. Of course, if the wrongdoer’s transfer of assets to the corporation was to defraud creditors, the injured party can seek to have the transfers set aside.

However, even where a corporation apparently shields the defendant or his or her property, the wrongdoer and her leviable property can still be reached if the court can be convinced to disregard the corporation or to regard it merely as her alter ego. The court may do so if it can be proved that the corporation is merely a sham whose sole purpose is to help the wrongdoer fraudulently avoid liability for her conduct. This is sometimes called piercing the corporate veil.

If the corporation is found to be the alter ego of the shareholder, then either or both of the following consequences apply, depending on the goal in piercing the corporate veil:

–The wrongdoer is no longer shielded from liability for the corporation’s misconduct because the wrongdoer and the corporation are viewed by the court as one and the same.

–Corporate property can be reached to satisfy a judgment against the wrongdoer because the property is now regarded, properly, as the wrongdoer/shareholder’s property.

One of the factors to consider in attempting to pierce the corporate veil is whether the corporation is closely held; i.e. owned or directed by one or by a small or limited number of shareholders, officers, and directors (often all the members of the same family). Obviously, the larger the number of shareholders, and the more broadly the corporation’s directing positions are distributed, the less likely it is to be a sham or alter ego for one person. However, given the lawful goals and purposes of incorporation, even a small, closely held corporation may be legitimate. Conversely, the existence of other shareholders or other directors and officers may not mean that the corporation is not a sham.

The ACFE tells us that there is no hard and fast test to determine whether a corporation is a sham. Instead, courts will look at a variety of factors to determine whether to pierce the corporate veil. These factors include:

–As in this case, does the wrongdoer exercise sole or ultimate control over the activities of the corporation?

–Does the corporation’s charter describe the approved activities of the corporation with some specificity, or is it left largely to the discretion of the wrongdoer?

–Does the corporation fail to hold director’s and shareholder’s meetings, record minutes of those meetings, and otherwise observe the formalities of corporate existence?

–Is the corporation so undercapitalized as to raise questions about its viability as a separate entity?

–Are the corporation’s finances so intertwined or identifiable with those of the wrongdoer as to raise questions about its separate existence?

–Does the corporation own property which does not seem to reasonably relate to its activities, particularly as described in its charter?

–Does the wrongdoer use the corporation’s property as if they were her own, personal assets, including but not limited to whether she uses them for purposes not within the corporation’s approved activities?

These and similar or related facts can indicate that the corporation is a sham and has no true, separate existence from the wrongdoer/shareholder. In that case, the court would be justified in ruling that the corporation should be regarded as an alter ego of the wrongdoer and that the corporation and the wrongdoer be considered as one and the same ‘person’ for purposes of determining liability or levying on assets to satisfy a money judgment.

Many thanks to our member for bringing this case to our attention!

The Critical Twenty Percent

According to the Pareto Principle, for many phenomena, 80 percent of the consequences stem from 20 percent of the causes. Application of the principle to fraud prevention efforts related particularly to automated systems seems increasingly apropos given the deluge of intrusions, data thefts, worms and other attacks which continue unabated, with organizations of all kinds losing productivity, revenue and more customers every month. ACFE members report having asked the IT managers of numerous victimized organizations over the years what measures their organization took prior to an experienced fraud to secure their networks, systems, applications and data, and the answer has typically involved a combination of traditional perimeter protection solutions (such as firewalls, intrusion detection, antivirus and antispyware) together with patch management, business continuance strategies, and access control methods and policies. As much sense as these traditional steps make at first glance, they clearly aren’t proving sufficiently effective in preventing or even containing many of today’s most sophisticated attacks.

The ACFE has determined that not only are some organizations vastly better than the rest of their industries at preventing and responding to cyber-attacks, but also that the difference between these and other organizations’ effectiveness boils down to just a few foundational controls. And the most significant within these foundational controls are not rooted in standard forms of access control, but, surprisingly, in monitoring and managing change. It turns out that for the best performing organizations there are six important control categories – access, change, resolution, configuration, version release and service levels. There are performance measures involving each of the categories defining audit, operations and security performance measures. These include security effectiveness, audit compliance disruption levels, IT user satisfaction and unplanned work. By analyzing relationships between control objectives and corresponding performance indicators, numerous researchers have been able to differentiate which controls are actually most effective for consistently predictable service delivery, as well as for preventing and responding to security incidents and fraud related exploits.

Of the twenty-one most important foundational controls used by the most effective organizations at controlling intrusions, there were two used by virtually all of them. Both of these controls revolve around change management:

• Are systems monitored for unauthorized changes in real time?
• Are there defined consequences for intentional unauthorized changes?

These controls are supplemented by 1) a formal process for IT configuration management; 2) an automated process for configuration management; 3) a process to track change success rates (the percentage of changes that succeed without causing an incident, service outage or impairment); 4) a process that provides relevant personnel with correct and accurate information on all current IT infrastructure configurations. Researchers found that these top six controls help organizations help manage risks and respond to security incidents by giving them the means to look forward, averting the riskiest changes before they happen, and to look backward, identifying definitively the source of outages, fraud associated abnormalities or service issues. Because they have a process that tracks and records all changes to their infrastructure and their associated success rates, the most effective organizations have a more informed understanding of their production environments and can rule out change as a cause very early in the incident response process. This means they can easily find the changes that caused the abnormal incident and remediate them quickly.

The organizations that are most successful in preventing and responding to fraud related security incidents are those that have mastered change management, thereby documenting and knowing the ‘normal’ state of their systems in the greatest possible detail. The organization must cultivate a ‘culture’ of change management and causality throughout, with zero tolerance for any unauthorized changes. As with any organizational culture, the culture of change management should start at the top, with leaders establishing a tone that all change must follow an explicit change management policy and process from the highest to the lowest levels of the organization, with zero tolerance for unauthorized change. These same executives should establish concrete, well-publicized consequences for violating change management procedures, with a clear, written change management policy. One of the components of an effective change management policy is the establishment of a governing body, such as a change advisory board that reviews and evaluates all changes for risk before approving them. This board reinforces the written policy, requiring mandatory testing tor each and every change, and an explicit rollback plan for each in the case of an unexpected result.

ACFE studies stress that post incident reviews are also crucial, so that the organization protects itself from repeating past mistakes. During these reviews, change owners should document their findings and work to integrate lessons learned into future anti-fraud operational practices.
Perhaps most important for responding to changes is having clear visibility into all change activities, not just those that are authorized. Automated controls that can maintain a change history reduce the risk of human error in managing and controlling the overall process.

So organizations that focus solely on access and reactive resolution controls at the expense of real time change management process controls are almost guaranteed to experience in today’s environment more security incidents, more damage from security incidents, and dramatically longer and less-effective resolution times. On the other hand, organizations that foster a culture of disciplined change management and causality, with full support from senior management, and have zero tolerance for unauthorized change and abnormalities, will have a superior security posture with fewer incidents, dramatically less damage to the business from security breaches and much faster incident identification and resolution of incidents when they happen.

In conducting a cyber-fraud post-mortem, CFE’s and other assurance professionals should not fail to focus on strengthening controls related to reducing 1) the amount of overall time the IT department devotes to unplanned work; 2) a high volume of emergency system changes; 3) and the number and nature of a high volume of failed system changes. All these are red-flags for cyber fraud risk and indicative of a low level of real time system knowledge on the part of the client organization.

Another Sold Out Event!

Our Chapter wants to extend its formal thanks to our partners, national ACFE and the Virginia State Police, but especially to our event attendees who made this year’s May training event a resounding, sold-out success! As the rave attendee evaluations revealed, How to Testify, was one of our best received sessions ever!

Our presenter, Hugo Holland, CFE, JDD, brought his vast courtroom experience as a prosecutor and nationally recognized litigator to bear in communicating every aspect of a complex practice area in a down-to-earth comprehensible manner with no sacrifice of vital detail.

As Hugo made clear, there are two basic kinds of testimony. The first is lay testimony (sometimes called factual testimony), where witnesses testify about what they have experienced firsthand and their factual observations. The second kind is expert testimony, where a person who, by reason of education, training, skill, or experience, is qualified to render an expert opinion regarding certain issues at hand. Typically, a fraud examiner who worked on a case will be capable of providing both lay, and potentially, expert testimony based on observations made during the investigation.

Certified Fraud Examiners (CFEs) and forensic accountants serve two primary roles as experts in forensic matters: expert consultants and expert witnesses. The fraud investigator must always be prepared to serve as an expert witness in court and learning how best to do so is critical for the training of the rounded professional. The expert consultant is an independent fraud examiner/accounting contractor who provides expert opinions in a wide array of cases, such as those relating to fraud investigations, divorces, mergers and acquisitions, employee-employer disputes, insurance disputes, and so on. In a fraud case, the CFE could identify and document all fraudulent transactions. This in turn could lead to reaching a plea bargain with a guilty employee. Therefore, the CFE helps solve a problem before any expert trial testimony is needed.

In addition, CFEs and forensic accountants are called upon to provide expert consultation services involving testimony in such areas as:

• Fraud investigations and management.
• Business valuation calculations.
• Economic damage calculations.
• Lost profits and wages.
• Disability income analysis.
• Economic analyses and valuations in matrimonial (prenuptial, postnuptial, and divorce) accounting.
• Adequacy of life insurance.
• Analysis of contract proposals.

Hugo emphasized that the most important considerations at trial for experts are credibility, demeanor, understandability, and accuracy. Credibility is not something that can be controlled in and of itself but is a result of the factors that are under the control of the expert witness. Hugo expounded in greater detail on these and other general guidelines:

• The answering of questions in plain language. Judges, juries, arbitrators, and others tend to believe expert testimony more when they truly understand what the expert says. It is best, therefore, to reduce complicated, technical arguments to plain language.

• The answering of only what is asked. Expert witnesses should not volunteer more than what is asked even when not volunteering more testimony could suggest that the expert’s testimony is giving the wrong impression. It is up to employing counsel to clear up any misimpressions through follow-up questions. That is, it is up to counsel to “rehabilitate” his or her expert witness who appears to have been impeached. That said, however, experienced expert witnesses sometimes volunteer information to protect their testimony from being twisted. Experience is needed to know when and how to do this and Hugo supplied it. Our presenter emphasized repeatedly that the best thing for an inexperienced expert witness to do is to work with experienced employing attorneys who know how to rehabilitate witnesses.

• The maintenance of a steady demeanor. It is important for the expert witness to maintain a steady, smooth demeanor regardless of which questions are asked and which side’s attorney asks them. It is especially undesirable to do something such as assume defensive body language when being questioned by the opposing side.

• Attendees learned how to be friendly and smile at appropriate times. Judges and juries are just people, and it helps to appear as relaxed but professional.

• To remain silent when there is an objection by one of the attorneys. Continue speaking only when instructed to do so.

• Attendees learned how best to state the facts. The expert witness should tell the truth plainly and simply. Attendees learned how the expert’s testimony should not become more complicated or strained when it appears to be harmful to the client the expert represents. The expert witness should not try to answer questions to which s/he does not know the answer but should simply say that s/he does not know or does not have enough information to form an opinion.

• Attendees learned to control the pace. The opposing attorney can sometimes attempt to crush a witness by rapid fire questions. The expert witness should avoid firing back answers at the same pace. This can avoid giving the appearance that s/he is arguing with the examining attorney. It also helps prevent her from being rushed and overwhelmed to the point of making mistakes.

• Most importantly, Hugo imparted invaluable techniques to survive cross examination. Attendees learned how to testify effectively on both direct and cross examination, basic courtroom procedures, and tricks for general survival on the witness stand. Attendees were told how to improve their techniques on how to offer testimony about damages and restitution while learning to know when to draw the line between aggressive testimony and improper advocacy. All our attendees walked away with more effective report writing and presentation skills as well as benefiting from a solid exploration of the different types of evidence and related legal remedies.

Again, thanks to all, attendees and partners, for making our May 2019 training event such a resounding success!

Do We Owe It?

During one of our past May training events, our speaker, shared a fascinating, real life example from her own practice of how detailed analytic analysis could be especially helpful in addressing false billing frauds. In addition, she explained at length just how this type of fraud works.

In a false billing scheme, an employee or outside party creates false vouchers or submits false invoices to a target organizational payer. These documents cause the payer to issue payments for goods or services that are either completely fictitious or overstated in price. The perpetrator then collects the fraudulent payments/checks and converts them for personal use. Another common billing fraud involves buying personal goods or services with company money.

A false billing fraud affects the purchasing cycle, causing the company to pay for nonexistent or non-essential goods or services. Most false billing frauds involve a service, since it is easier to conceal a service that is never performed than to conceal goods never received. As our speaker’s example demonstrated, the most common billing scheme, is setting up one or more bogus vendors. There are several ways to do this. The most common is to create a fictitious vendor (often called a shell company), open a bank account in the shell company’s name, and bill the victimized company. The perpetrator then creates an invoice and sends it to his/her employer. Invoices can be professionally produced via computer and desktop publishing software, typewritten, or even prepared manually. Often, the most difficult aspect of a fraudulent billing scheme is getting the false invoice approved and paid. In many instances of billing fraud, the person perpetrating the fraud is also the person in the company who is authorized to approve invoices for payment. Another popular means of getting invoice approval is to submit invoices to an inattentive, trusting, or “rubber-stamp” manager. Furthermore, perpetrators often create false supporting documents to facilitate approvals and payments, e.g., voucher packages.

A perpetrator can also use a shell company to perpetrate a pass-through billing scheme: the perpetrator places orders for goods with his shell company, has his shell company order the goods from a legitimate supplier at market prices, and then sells those goods to his employer at inflated prices. The fraud lies in the fact that the victimized company is buying the goods it needs from an unauthorized vendor at inflated prices. The perpetrator “profits” from the inflated prices gained while acting as an unauthorized middle-man in a necessary company transaction.

Rather than utilizing shell companies to overbill, some employees generate false disbursements through invoices of non-accomplice vendors. In what is called a pay and return scheme, the perpetrator makes an error in a vendor payment to facilitate the theft. One way to do that is to overpay or double-up on payments, request a check from the vendor for the excess, and steal the check when it arrives. Another scenario is to pay the wrong vendor by placing vendor checks in the wrong envelopes, then calling the vendors to explain the mistake and requesting the return of the checks. When the checks return, they are stolen. The support documents are sent through the accounts payable system a second time; and these checks are sent to the proper vendors.

Another scheme involves purchasing personal items with company money. One popular way to do this is to make a personal purchase, then run the unauthorized invoice through the accounts payable system. If the perpetrator is not in a position to approve the purchase, s/he may have to create a false purchase order to make the transaction appear legitimate or alter an existing purchase order and have an accomplice in receiving remove the excess merchandise.
Another way to purchase personal items with company money is to have the company order merchandise, then intercept the goods when they are delivered. To avoid having the merchandise delivered to the company, the perpetrator often will have it diverted to their home or some other address, such as a spouse’s business address. A third way to purchase personal items with company money is to make personal purchases on company credit cards. No matter which of the approaches is used, the perpetrator will either keep the purchases for personal use or turn the purchase into cash (or a credit card refund) by returning the merchandise.

Our event speaker pointed out that, in some ways, it’s easier to conceal a billing fraud than other frauds, but in other ways, it’s harder. It’s easier in that the perpetrator does not have to remove cash or inventory from company premises; instead, the company mails her a check. It’s more difficult in that, when the perpetrator creates a bogus vendor or shell company, s/he has to come up with a name, mailing address (often the fraudster’s home address or a postal box), and phone number (often a home phone number); open a bank account in the shell company’s name (usually requiring him or her to file or forge articles of incorporation) or in his own name; deposit and withdraw money; and create and send vendor invoices. Any of these can lead back to the perpetrator, making it easier to find him once the fraud is detected and the shell company identified.

Depending on the scheme and organizational controls in place, the perpetrator may have to falsify or alter a purchase requisition, purchase order, receiving report, or vendor invoice, or fool or force the authorizing person to approve or forge an authorization. Perpetrators involved in a pay and return fraud usually have to intercept any checks that are returned.

Our speaker additionally presented a number of red flags usually present when a false billing fraud is taking place, including:

• An unexplained increase in services performed (services that were paid for, but never performed);
• Payments to unapproved vendors;
• Invoices approved without supporting documents;
• Falsified or altered voucher documents; for example, altering a purchase order after its approval;
• Inflated prices on purchases or orders of unnecessary goods and services;
• Payments to an entity controlled by an employee;
• Multiple payments on the same invoice or over payments on an invoice;
• Personal purchases with company credit cards or charge accounts;
• Excessive returns to vendors, or full payment not received for items returned;
• A vendor with a post office box address (many post office box addresses are legitimate, but a smart.

On May 15-16th, 2019 our Chapter will be hosting a two-day ACFE lead seminar entitled, ‘How to Testify’. Our speaker, Hugo Holland, wants to make a courtroom pro out of you! Learn how to testify effectively on direct and cross examination, basic courtroom procedures, and most important, tricks for surviving on the witness stand. Improve your techniques on how to offer testimony about damages and restitution while learning to know when to draw the line between aggressive testimony and improper advocacy. Walk away with more effective report writing skills and explore the different types of evidence and legal remedies in this 2-day, ACFE instructor-led course. To review the event content and to register to attend, click here. Hope you can join us!

Fraudsters, All Too Human

Our certified Chapter members often get questions from clients and employers related to why a fraudster who’s victimized them did what he or she did. Examiners with the most experience in the process of interviewing those later convicted of fraud comment again and again about the usefulness to their overall investigation of a basic understanding of the fraudster’s basic mind set. Such knowledge can aid the examiner in narrowing down the preliminary pool of suspects, and, most importantly, assist in gaining an admission in a subsequent admissions seeking interview. ACFE experts regard fraud (and the process of interviewing) primarily as human constructs, and especially within the content of the interview process, to be able to tie in the pressure that the individual might have been under (as they perceived it) to the interview process; to understand that individual with regard to their rationalization as they were able to affect it, significantly increases the possibility of getting the compliance and cooperation that the examiner wants from the interviewee.

During your investigation, it’s important to remember that people do things for a reason. The fraud examiner might not understand the reasons a fraudster commits his or her crime, but the motivations certainly make sense to the perpetrator. For example, a perpetrator might commit fraud because her life has spiraled out of control, although it might not be out of control under a objective, reasonable person’s definition. But in the perpetrator’s view, her life has become so problematic that fraud is the only way she can see to restore balance. And during the fraud examination, if the examiner can get the suspected perpetrator to talk about the lack of control in her life, the examiner can often use this information to compel the fraudster to admit guilt and provide valuable insight into ways that similar frauds might be prevented in the future.

As a continuation of this line of thought, the examiner should consider possible human motives when examining evidence. Motive is the power that prompts a person to act. Motive, however, should not be confused with intent, which refers to the state of mind of the accused when performing the act. Motive, unlike intent, is not an essential element of crime, and criminal law generally treats a person’s motive as irrelevant in determining guilt or innocence. Even so, motive is relevant for other purposes. It can help identify the perpetrator; it will often guide the examiner to the proper rationalization; it further incriminates the accused, and it can be helpful in ensuring successful prosecution.

The examiner should search relevant documents to determine a possible motive. For example, if a fraud examiner has evidence in the form of a paycheck written to a ghost employee, she might suspect a payroll employee who recently complained about not receiving a raise in the past two years. Although such information doesn’t mean that the payroll employee committed fraud, the possible motive can guide the examiner.

ACFE experts also agree that interviewers should seek to understand the possible motives of the various suspects they encounter during an examination. To do this, interviewers should suspend their own value system. This will better position the interviewer to persuade the suspect(s) to reveal information providing insight into what might have pressured or motivated them and how they might have rationalized their actions. In an interview situation, the examiner should not suggest reasons for the crime. Instead, the examiner should let the individual share his motivations, even if the suspect reveals her motivations in an indirect manner. So when conducting an interview with a suspect, the interviewer should begin by asking questions about the standard procedures and the actual practice of the operations at issue. This is necessary to gain an understanding of the way the relevant process is intended to work as opposed to how it actually works. Additionally, asking such basic questions early in the interview will help the interviewer observe the interviewee’s normal behavior so that the interviewer can notice any changes in the subject’s mannerisms and word choice.

Always remember that there are times when rational people behave irrationally. This is important in the interview process because it will help humanize the misconduct. As indicated above, unless the perpetrator has a mental or emotional disorder, it is acceptable to expect that the perpetrator committed the fraud for a reason. Situational fraudsters (those who rationalize their right to an illegal enrichment and perpetrate fraud when the opportunity arises) do not tend to view themselves as criminals. In contrast to deviant fraudsters, who are more proactive than situational fraudsters and who are always on the alert for opportunities to commit fraud, situational fraudsters rationalize their crimes. Situational fraudsters feel that they need to commit fraud to regain control over their lives. Thus, an interviewer will be more likely to obtain a confession from a situational fraudster if she can genuinely communicate that she understands how anyone under similar circumstances might commit such a crime. Genuineness, however, is key. If the fraudster in any way detects that the interviewer is presenting a trap, he generally will not make any admission of wrongdoing.

So, in your examinations, never lose sight of the human element; that by definition, fraud involves human deception for personal gain. Why do people deceive to get what they want, or in some cases, what they need? Most humans commit deceptive acts to protect themselves from various consequences of the truth. Avoiding punishment is the most common reason for deception, but there are other reasons, including to protect another person, to win the admiration or respect of others, to avoid embarrassment, enjoy the thrill of accomplishment and to avoid hard work to achieve goals. When people feel that their self-security is threatened, they might resort to deception to preserve their image. Further, people can become so engaged in managing how others perceive them that they become unable to separate the truth from fiction in their own minds.

The ability to sympathetically cast oneself into the human situation of others is one of the most valuable skills that a fraud examiner can have in our efforts to determine the truth.