
Inventory of Fraud

One of the first frauds I worked on early in my career was a scheme by management to overstate the periodic inventory of the Prison Industries system of a state Department of Corrections. In that case the manipulation was carried out by creating false inventory counts and altering records after the physical count.

What made this an especially interesting case of management fraud were the various reasons, subsequently revealed in the audit report, why accounting management had decided to overstate the inventory:

  • To overstate the income of Prison Industries.
  • To achieve internally projected goals.
  • To increase Prison Industries’ perceived value in the eyes of State government administration.
  • To meet the Department of Corrections’ stiff goals for Prison Industries management.
  • To hide poor operational performance.
  • To enhance the perceived performance of individual members of Prison Industries management.
  • To hide the theft of some inventory.

These reasons are in contrast to fraudster goals if a fraud scheme’s overall objective is to show reduced inventory:

  • To reduce income.
  • The entity has achieved its goals and wants to show reduced results.
  • To reduce the overall value of the business or enterprise.
  • A new management team is in place and wants to defer reporting additional performance to the future.

Such inventory-counting schemes are likely to occur with inventory components perceived as less likely to be counted, or in conjunction with a planned reason for the false count. The hope is that any examiner/auditor will view the false count as an error rather than an intentional plan to misstate the inventory. Therefore, the examiner needs to ensure that management has no record of the test counts. Certain types of inventory counts are more susceptible to being false, such as:

  • Periodic Inventory. This particular inventory is susceptible to false counting because the auditor has no inventory reports to determine what the inventory should have been prior to the count.
  • Perpetual Inventory. Variances or in-transit items are often used as an explanation for any deviations.
  • Multiple Inventory locations. The non-tested sites are susceptible to false counts because the auditor is not performing procedures at those locations. Management may also use other scams in conjunction with the false-count fraud schemes.

As every accounting student knows, inventory is tangible property that either (1) is held for sale in the ordinary course of business (finished goods); (2) is in the process of production for such sale (work in process); or (3) is currently consumed either directly or indirectly in the production of goods or services available for sale (raw materials). The primary basis of accounting for inventory is cost. By definition, inventory excludes long-term assets subject to depreciation accounting.

The inventory records at Prison Industries were complex. Inventory was constantly being transferred between manufacturing processes, was often dispensed in several locations across the state’s correctional system, and normally comprised a significantly large number of items. For these reasons, as well as the variety of decisions made about direct valuations, inventory was an appealing place for management to decide to commit financial statement fraud, in this case by manipulating and altering the physical inventory count.

Inventory falsification occurred at Prison Industries when the entity showed inventory on its financial statements that both did not exist and was improperly valued; the two methods were used simultaneously. Techniques used to inflate the value of inventory included the creation of false documents, such as inventory count sheets and receiving reports, and manipulation of the actual physical inventory. During the fraud, it was common for management to insert phony inventory count sheets during the inventory observation or to alter the quantities on the count sheets. There were instances where management created the illusion that inventory existed with the help of phony inventory items. Simply put, some items of inventory that appeared real on paper were actually fake.

The fraud examination originated from predication provided by a Hot Line tip and featured the application of a number of procedures.

Interviews were conducted with management and personnel. The following questions were asked to determine whether the inventory represented by management actually existed and whether it was properly valued:

– Do the inventories included in the Prison Industries balance sheet physically exist?
– Does the inventory represent items held for use in the ordinary course of production?
– Do inventory quantities include all items on hand or in transit?
– Are inventory listings accurately compiled and are they properly included in the inventory accounts?
– Does the State have legal title or ownership rights to the inventory items?
– Does the inventory exclude items billed to customers or owned by others?
– Are inventory costs the result of an acceptable method consistently applied?
– Are inventories properly classified in the balance sheet and are the related disclosures adequate?

The examiners calculated the inventory turnover ratio. The inventory turnover ratio measures how fast inventory was moving through the entity. If the inventory is inflated, then the average inventory balance will be overstated, causing the inventory turnover ratio to decline. The inventory turnover ratio was compared with the results from prior years and with industry averages for reasonableness.

Price tests were performed. A fraud examiner must determine whether the pricing of the inventory is reasonable. Price testing employs vouching, tracing, and re-computation procedures to test the auditee’s pricing of its inventory. An examiner should test the application of prices by vouching items to vendors’ invoices and to cost accounting records to verify that the inventory is properly priced. For example, an examiner selects from the inventory detail item L243, classified as a raw material. According to the company’s records as of the balance sheet date, there are twenty L243s at $120 apiece. The examiner reviews the last invoice representing the purchase of L243s and discovers that the company purchased the L243s at $60 apiece. This price discrepancy is a sign that management might be trying to inflate the value of its inventory. Vendors’ invoices should also be traced to the books to confirm proper price recording. Examiners should recompute the inventory value from the on-hand quantities established by the observation and the vendor prices to determine that the inventory balances on the balance sheet are correct.
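The price test above can be run over a whole inventory detail rather than one item. The following is an added illustration, not part of the original post: it vouches each recorded unit cost to the last vendor invoice and recomputes the extended value. The record layout, the 5 percent tolerance, the restriction to invoices dated on or before the balance sheet date, and every sample record other than the L243 figures are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class InventoryLine:
    item: str
    quantity: int          # on-hand quantity per the inventory detail
    unit_cost: Decimal     # unit cost recorded by the auditee


@dataclass(frozen=True)
class VendorInvoice:
    item: str
    invoice_date: date
    unit_price: Decimal


def last_invoice(invoices, item, as_of):
    """Most recent invoice for `item` dated on or before `as_of`, else None."""
    dated = [i for i in invoices if i.item == item and i.invoice_date <= as_of]
    return max(dated, key=lambda i: i.invoice_date) if dated else None


def price_test(detail, invoices, as_of, tolerance=Decimal("0.05")):
    """Vouch recorded unit costs to the last vendor invoice and recompute.

    `tolerance` is the relative deviation accepted before a line is reported
    as an exception (an assumed threshold, set by the examiner).
    """
    findings = []
    for line in detail:
        recorded_value = line.quantity * line.unit_cost
        invoice = last_invoice(invoices, line.item, as_of)
        if invoice is None:
            # No supporting document at all: the price cannot be vouched.
            findings.append({"item": line.item, "status": "NO_INVOICE",
                             "recorded_value": recorded_value,
                             "vouched_value": None, "difference": None})
            continue
        vouched_value = line.quantity * invoice.unit_price
        deviation = abs(line.unit_cost - invoice.unit_price)
        if deviation <= tolerance * invoice.unit_price:
            status = "OK"
        elif line.unit_cost > invoice.unit_price:
            status = "OVERPRICED"
        else:
            status = "UNDERPRICED"
        findings.append({"item": line.item, "status": status,
                         "recorded_value": recorded_value,
                         "vouched_value": vouched_value,
                         "difference": recorded_value - vouched_value})
    return findings


def total_overstatement(findings):
    """Sum of the recomputed differences on lines flagged as overpriced."""
    return sum((f["difference"] for f in findings if f["status"] == "OVERPRICED"),
               Decimal("0"))


# Constructed sample data. Only the L243 quantity and prices come from the text.
BALANCE_SHEET_DATE = date(1991, 12, 31)
SAMPLE_DETAIL = [
    InventoryLine("L243", 20, Decimal("120.00")),
    InventoryLine("R100", 500, Decimal("2.10")),
    InventoryLine("W777", 40, Decimal("15.00")),
]
SAMPLE_INVOICES = [
    VendorInvoice("L243", date(1991, 3, 10), Decimal("58.00")),
    VendorInvoice("L243", date(1991, 11, 20), Decimal("60.00")),
    VendorInvoice("L243", date(1992, 1, 15), Decimal("125.00")),  # after year-end, ignored
    VendorInvoice("R100", date(1991, 12, 2), Decimal("2.05")),
]

if __name__ == "__main__":
    results = price_test(SAMPLE_DETAIL, SAMPLE_INVOICES, BALANCE_SHEET_DATE)
    for f in results:
        print(f["item"], f["status"], f["recorded_value"], f["vouched_value"])
    print("Overstatement on exceptions:", total_overstatement(results))
```

Lines reported as NO_INVOICE need as much follow-up as price exceptions, since an item with no vendor support is also consistent with inventory that does not exist.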

Following the fraud examination, the physical inventory was re-performed to ensure that the enterprise’s application of corrective action to methods for counting inventory would result in an accurate and reliable count in the future. The re-examination of physical inventory included observation, as well as inquiries and physical examination (i.e., test counts). It is important to remember that management is responsible for the propriety of the inventory. The examiner observed the re-taking of the inventory to satisfy his/her reliance on management’s representations of the quantities and prices.

Cut-off tests were performed. A cut-off test is a procedure to control the shipping and receiving activities at the physical inventory date. For the time of the physical inventory, the examiner noted the numbers of the last pre-numbered shipping and receiving documents because purchases of inventory often are recorded when received and sales recorded when shipped. Identifying the document numbers helped the examiner determine whether the inventory was properly or improperly included or excluded from the inventory counts. For instance, if management indicated that the last shipping document for 1991 was #2500, then the examiner would assume that #2501 was shipped in January 1992. If, upon review of shipping document #2501, the examiner notices that the inventory was shipped in 1991, then there is the possibility that management is inflating the quantity and value of the company’s inventory at year-end. Therefore, inquiry and further testing are warranted. These cut-off numbers are often used in conjunction with the cut-off test used in accounts receivable and accounts payable testing. If cut-off procedures appear unclear or indicate possible inclusions in inventory of goods sold, then cut-off tests should be expanded.
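The cut-off test described above, written as a check over a shipping log. This is an added illustration, not part of the original post. It uses the #2500 example from the text and goes slightly beyond it by also reporting the opposite misdating and any missing or duplicated numbers in the pre-numbered sequence around the cut-off. The record layout, the window size and the sample log are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ShippingDoc:
    number: int        # pre-printed document number
    ship_date: date    # date the goods actually left the premises


def cutoff_test(docs, last_doc_number, count_date, window=10):
    """Test the pre-numbered documents on either side of the cut-off.

    last_doc_number: last document management says belongs to the period.
    count_date:      date of the physical inventory (period end).
    window:          how many numbers on each side of the cut-off to test.
    Returns a list of (document number, exception code) in number order.
    """
    low = last_doc_number - window + 1
    high = last_doc_number + window
    by_number = defaultdict(list)
    for doc in docs:
        if low <= doc.number <= high:
            by_number[doc.number].append(doc)

    exceptions = []
    for number in range(low, high + 1):
        found = by_number.get(number, [])
        if not found:
            # A gap in a pre-numbered series has to be explained.
            exceptions.append((number, "MISSING_DOCUMENT"))
            continue
        if len(found) > 1:
            exceptions.append((number, "DUPLICATE_NUMBER"))
        for doc in found:
            if number > last_doc_number and doc.ship_date <= count_date:
                # Numbered into the next period but shipped in this one:
                # the case in the text, where year-end inventory may
                # still include goods that had already left.
                exceptions.append((number, "SHIPPED_BEFORE_CUTOFF"))
            elif number <= last_doc_number and doc.ship_date > count_date:
                # Numbered into this period but shipped in the next one.
                exceptions.append((number, "SHIPPED_AFTER_CUTOFF"))
    return exceptions


# Constructed shipping log around the cut-off used in the text (#2500, 1991).
COUNT_DATE = date(1991, 12, 31)
LAST_DOC_NUMBER = 2500
SAMPLE_DOCS = [
    ShippingDoc(2496, date(1991, 12, 27)),
    ShippingDoc(2497, date(1991, 12, 28)),
    ShippingDoc(2498, date(1992, 1, 2)),    # dated after the count
    # 2499 is absent from the log
    ShippingDoc(2500, date(1991, 12, 31)),
    ShippingDoc(2501, date(1991, 12, 30)),  # the case described in the text
    ShippingDoc(2502, date(1992, 1, 2)),
    ShippingDoc(2503, date(1992, 1, 3)),
    ShippingDoc(2504, date(1992, 1, 3)),
    ShippingDoc(2505, date(1992, 1, 6)),
]

if __name__ == "__main__":
    for number, code in cutoff_test(SAMPLE_DOCS, LAST_DOC_NUMBER, COUNT_DATE, window=5):
        print(f"#{number}: {code}")
```

Each exception is a prompt for inquiry and expanded testing, as the text says, and the same function applies to receiving documents with the receipt date in place of the ship date.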

There are several other audit procedures that can be used in detecting inventory fraud scenarios. These include:

  • Reviewing the statement of cash flows and asking whether the increases and decreases in cash make sense in relation to the inventory account balances and changes.
  • Computing the inventory turnover ratio and days-to-sell ratio. Do these ratios make sense in relation to what the auditor has verified regarding the physical aspects of the inventory?
  • Computing the percentage of gross profit and the related percentage of the cost of goods sold, and then reviewing the trend to look for understatement of the cost of goods sold percentage.
  • Ensuring there is a consistent use of the inventory cost flow assumption. For example, the use of first-in, first-out (FIFO) gives a higher net income in an inflationary environment.

It was the large number of items comprising the inventory that made it an attractive target for fraudulent manipulation at Prison Industries. Theft and misuse are the actions of choice when it comes to inventory fraud. The rationale typically is: “Who is going to miss a few hundred widgets in an inventory of thousands, perhaps millions?” The size of inventory as a percentage of the amount of total assets also makes it an easy target for management-initiated financial reporting misstatement. With the possibility of two types of fraudulent acts ganging up on inventories at the same time, the CFE doesn’t want to waste time going down the wrong path, so it’s very important to determine which fraudulent act is likely occurring.

Any discussion of fraud likelihood involves the concepts of concealment, conversion, and opportunity. So, in addition to “how” the inventory fraud took place, other questions need to be addressed, such as: How sophisticated is the concealment strategy? Who has the most benefit to gain by the theft, misuse, or misstatement of the inventories? Who has and where are the opportunities to divert/misstate inventories? These are the questions that need to be answered by the CFE/auditor, and fortunately, the tools and guidance are available from the ACFE to achieve the right answers when faced with almost any pattern of inventory fraud.

On Motivation

The ACFE tells us that there is no simple profile for employees who commit fraud. However, some ACFE statistics are available. Its research has repeatedly shown that about 10 percent to 15 percent of employees are fundamentally dishonest and are likely to steal from their company if given the opportunity. About 66 percent of employees are likely to steal under the right circumstances, such as when under pressure, or when “everyone is doing it,” and the opportunity exists. In contrast, about 20 percent to 25 percent of employees are fundamentally honest and are unlikely to steal under any circumstances.

Furthermore, those employees who do steal from the company are unlikely to have a prior criminal record, and those with a good education, family, background, and work record can be just as likely to steal as anyone else.

On the other hand, research shows that the three elements of the standard fraud triangle, with which we’re all familiar, have proven themselves descriptive over the many years in explaining which employees may defraud our client companies.

• Pressure – Usually related to financial pressure such as large medical bills, gambling problems, drug habits, and extravagant living.

• Opportunity – Required to commit any fraud.

• Rationalization – Likely depends on the type of criminal and the criminal’s personality type or possible personality disorder.

The rationalization component of the fraud triangle suggests possible types of individuals who may commit fraud:

• The fundamentally dishonest employee without a personality disorder. This person could habitually be dishonest but does not have a personality disorder. Rationalization comes easily because the person is accustomed to dishonesty. Therefore, the rationalizations are likely to include statements such as “I need it more than they do” and “They won’t miss it.”

• The fundamentally dishonest employee with a personality disorder. Various personality disorders may contribute to the ability of the employee to rationalize fraud. Psychiatry uses the diagnosis antisocial personality disorder and the related diagnosis dissocial personality disorder. The following are characteristics that apply to persons with these types of mental disorders:

— Nonconformist behavior; tend to be misfits.
— Habitual lying and dishonesty.
— Impulsiveness.
— Irritability and aggressiveness.
— Insensitivity to harming self or others.
— Strong disregard for the needs of self and others.
— Tendency to blame others for personal faults and mistakes.
— Lack of responsibility.
— Difficulty in establishing and maintaining close relationships.
— Absence of the ability to feel emotions or the full range of normal emotions.

The deceitfulness dimension of these disorders could enable the person to hide some or all of his or her antisocial characteristics. This type of person is often able to steal without giving much conscious thought to rationalizations. The crime could simply arise out of the mental disturbance.

• Then there is the normally honest employee who steals given pressure and opportunity and rationalizes the theft. A person who does not normally steal is likely to give serious thought to rationalizing the theft. One common rationalization is that the person is only borrowing the money; often the person takes money with the intent to pay it back, and many times does in fact pay it back. The result is that the corporate till can become the employee’s personal lending institution; however, in many cases, the person is never able to pay back the ill-gotten loan. The normally honest employee is likely to steal out of a sudden financial need or because of a problem with a financially excessive lifestyle.

The ACFE advises us to consider possible motives when examining evidence related to an occupational fraud. Motive is the power that prompts a person to act. Motive, however, should not be confused with intent, which refers to the state of mind of the accused when performing the act. Motive, unlike intent, is not an essential element of crime, and criminal law generally treats a person’s motive as irrelevant in determining guilt or innocence. Even so, motive is relevant for other purposes: it can help identify the perpetrator; it will often guide the examiner to the proper rationalization; it further incriminates the accused; and it can be helpful in ensuring successful prosecution.

The examiner should search relevant documents to determine a possible motive. For example, if a fraud examiner has evidence in the form of a paycheck written to a ghost employee, s/he might suspect a payroll employee who recently complained about not having received a raise in the past two years. Although such information does not mean that the payroll employee committed fraud, the possible motive can guide the examiner.

During the process of interviewing suspects, interviewers should seek to understand the possible motives of interviewees. To do this, interviewers should suspend their own value system. This will better position the interviewer(s) to persuade suspects to reveal information providing insight into what might have pressured or motivated them and how they might have rationalized their actions.

In an interview situation, the examiner should not suggest reasons for the crime. Instead, the examiner should let the individual share his or her motivations, even if the suspect reveals those motivations in an indirect manner.

In interviewing suspects for motives:

• Leave your ego at the door.
• Talk to the suspected perpetrator as an adult.
• Do not patronize the suspect.
• Use good communication skills to develop rapport with subjects so that they will feel comfortable talking to you.
• Avoid being confrontational with the suspect. If the interviewer is confrontational, the perpetrator will be less likely to make an admission.

When conducting an interview with a suspect, the interviewer should begin by asking questions about the standard procedures and the actual practice of the operations at issue. This is necessary to gain an understanding of the way the relevant process is intended to work and how it actually works. Additionally, asking such basic questions early in the interview will help the interviewer observe the interviewee’s “normal” behavior so that the interviewer can notice any changes in the subject’s mannerisms and word choice.

Next, the interviewer might ask non-accusatory questions related to the issue at hand, such as:

• Why do you think someone would do something like this?
• What do you think should happen to a person who would do something like this?
• Of all of the people who work in this area, who could be involved?

The answers to these questions can help the interviewer understand the possible motives of various suspects, narrow the pool of suspects, or even obtain an admission. For example, a suspect who answers the question “Why do you think someone would do something like this?” with a sympathetic answer might be trying to appeal to the interviewer’s sense of compassion to reduce or minimize his or her punishment.

The more the interviewer knows about the perpetrator, the better chance s/he will have of identifying the perpetrator’s motive and rationalization. Once the perpetrator thinks that the interviewer understands her motive, she will become more likely to confess.

During the motivation-identifying interview, fraud examiners must also remember that there are times when rational people behave irrationally. This is important in the interview process because it will help humanize the misconduct. Unless the perpetrator has a mental or emotional disorder, it is acceptable to expect that the perpetrator committed the fraud for a reason.

Situational fraudsters, those who rationalize their right to an illegal enrichment and perpetrate fraud when the opportunity arises, do not tend to view themselves as criminals. This is in contrast to deviant fraudsters, who are more proactive than situational fraudsters and who are always on the alert for opportunities to commit fraud. Situational fraudsters rationalize their crimes. Situational fraudsters feel that they need to commit fraud to regain control over their lives. Thus, an interviewer will be more likely to obtain a confession from a situational fraudster if s/he can genuinely communicate that s/he understands how anyone under similar circumstances might commit such a crime. Genuineness, however, is key. If the fraudster in any way detects that the interviewer is constructing a trap, s/he generally will not make an admission of wrongdoing.

In summary, the fraud triangle is always helpful in explaining motivations for employees to defraud their employing organization by drawing attention to pressure, opportunity, and rationalization. Pressure is typically caused by sudden financial needs arising from things such as medical bills, gambling problems, drug habits, and extravagant living. The opportunity depends on the employee’s position and the strength of the company’s internal control processes. Rationalization depends on the type of criminal. The pure sociopath may need little or no rationalization. The fundamentally dishonest employee may give some conscious thought to rationalizing crimes, but the rationalization comes easily because the person is accustomed to dishonesty. Finally, the normally honest employee generally expends the most effort in rationalizing the crime, and often this type of person will really think that s/he is only borrowing the money.

Cloud Shapes

Just as clouds can take different shapes and be perceived differently, so too is cloud computing perceived differently by our various types of client companies. To some, the cloud looks like web-based applications, a revival of the old thin client. To others, the cloud looks like utility computing, a grid that charges metered rates for processing time. To some, the cloud could be parallel computing, designed to scale complex processes for improved efficiency. Interestingly, cloud services are wildly different. Amazon’s Elastic Compute Cloud offers full Linux machines with root access and the opportunity to run whatever apps the user chooses. Google’s App Engine will also let users run any program they want, as long as the user specifies it in a limited version of Python and uses Google’s database.

The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. It is also important to remember what our ACFE tells us, that the Internet itself is in fact a primitive transport cloud. Users place something on the path with an expectation that it will get to the proper destination, in a reasonable time, with all parties respecting the privacy and security of the artifact.

Cloud computing, as everyone now knows, brings many advantages to users and vendors. One of its biggest advantages is that a user may no longer have to be tethered to a traditional computer to use an application, or have to buy a version of an application that is specifically configured for a phone, a tablet or other device. Today, any device that can access the Internet can run a cloud-based application. Application services are available independent of the user’s home or office devices and network interfaces. Regardless of the device being used, users also face fewer maintenance issues. End users don’t have to worry about storage capacity, compatibility or other similar concerns.

From a fraud prevention perspective, these benefits are the result of the distributed nature of the web, which necessitates a clear separation between application and interaction logic. This is because application logic and user data reside mostly on the web cloud and manifest themselves in the form of tangible user interfaces at the point of interaction, e.g., within a web browser or mobile web client. Cloud computing is also beneficial for our client’s vendors. Businesses frequently find themselves using the vast majority of their computing capacity in a small percentage of time, leaving expensive equipment often idle. Cloud computing can act as a utility grid for vendors and optimize the use of their resources. Consider, for example, a web-based application running in Amazon’s cloud. Suppose there is a sudden surge in visitors as a result of media coverage, for example. Formerly, many web applications would fail under the load of big traffic spikes. But in the cloud, assuming that the web application has been designed intelligently, additional machine instances can be launched on demand.

With all the benefits, there are related constraints. Distrust is one of the main constraints on online environments generally, particularly in terms of consumer fraud, waste and abuse protection. Although the elements that contribute to building trust can be identified in broad terms, there are still many uncertainties in defining and establishing trust in online environments. Why should users trust cloud environments to store their personal information and to share their privacy in such a large and segregated environment? This question can be answered only by investigating these uncertainties in the context of risk assessment and by exploring the relationship between trust and the way in which the risk is perceived by stakeholders. Users are assumed to be willing to disclose personal information and have that information used subsequently to store their personal data or to create consumer profiles for business use when they perceive that fair procedures are in place to protect their individual privacy.

The changing trust paradigm represented by cloud computing means that less information is stored locally on our client’s machines and is instead being hosted elsewhere on earth. For the most part, no one buys software anymore; users just rent it or receive it for free using the Software as a Service (SaaS) business model. On the personal front, cloud computing means Google is storing users’ mail, Instagram their photographs, and Dropbox their documents, not to mention what mobile phones are automatically uploading to the cloud for them. In the corporate world, enterprise customers not only are using Dropbox but also have outsourced primary business functions that would have previously been handled inside the company to SaaS providers such as,, and

From a crime and security perspective, the aggregation of all these data, exabytes and exabytes of it, means that users’ most personal information is no longer likely stored solely on their local hard drives but is now aggregated on computer servers around the world. By aggregating important user data, financial and otherwise, on cloud-based computer servers, the cloud has obviated the need for criminals to target everybody’s hard drive individually and instead put all the jewels in a single place for criminals and hackers to target (think Willie Sutton).

The cloud is here to stay, and at this point there is no going back. But with this move to store all available data in the cloud come additional risks. Think of some of the largest hacks to date: Target, Heartland Payment Systems, TJX, and Sony PlayStation Network. All of these thefts of hundreds of millions of accounts were made possible because the data were stored in the same virtual location. The cloud is equally convenient for individuals, businesses, and criminals.

The virtualization and storage of all of these data is a highly complex process and raises a wide array of security, public policy, and legal issues for all CFEs and for our clients. First, during an investigation, where exactly is this magical cloud storing my defrauded client’s data? Most users have no idea when they check their status on Facebook or upload a photograph to Pinterest where in the real world this information is actually being stored. That they do not even stop to pose the question is a testament to the great convenience, and opacity, of the system. Yet from a corporate governance and fraud prevention risk perspective, whether your client’s data are stored on a computer server in America, Russia, China, or Iceland makes a difference.

ACFE guidance emphasizes that the corporate and individual perimeters that used to protect information internally are disappearing, and the beginning and end of corporate user computer networks are becoming far less well defined. This makes it much harder for examiners and auditors to see what data are coming and going from a company, and the task is nearly impossible on the personal front. The transition to the cloud is a game changer for anti-fraud security because it completely redefines where data are stored, moved, and accessed, creating sweeping new opportunities for criminal hackers. Moreover, the non-local storage of data raises important questions about deep dependence on cloud-based information systems. When these services go down or become unavailable (i.e., a denial of service attack), or the Internet connection is lost, the data become unavailable, and your client for our CFE services is out of business.

All the major cloud service providers, including Dropbox, Google, and Microsoft, are routinely targeted remotely by criminal attacks, and more such attacks occur daily. Although it may be your client’s cloud service provider that is targeted in such an attack, the client is the victim, and the data taken is theirs. Of course, the rights reserved to the providers in their terms of service agreements (and signed by users) usually mean that provider companies bear little or no liability when data breaches occur. These attacks threaten intellectual property, customer data, and even sensitive government information.

To establish trust with end users in the cloud environment, all organizations should address these fraud-related risks. They also need to align their users’ perceptions with their policies. Efforts should be made to develop a standardized approach to trust and risk assessment across different domains to reduce the burden on users who seek to better understand and compare policies and practices across cloud provider organizations. This standardized approach will also aid organizations that engage in contractual sharing of consumer information, making it easier to assess risks across organizations and monitor practices for compliance with contracts, policies and law.

During the fraud risk assessment process, CFEs need to advise their individual corporate clients to require that any cloud-based activity in which they participate be conducted fairly and address their privacy concerns. By ensuring this fairness and respecting privacy, organizations give their customers the confidence to disclose personal information on the cloud and to allow that information subsequently to be used to create consumer profiles for business use. Thus, organizations that understand the roles of trust and risk should be advised to continuously monitor user perceptions to understand their relation to risk aversion and risk management. Managers should not rely solely on technical control measures. Security researchers have tended to focus on the hard issues of cryptography and system design. By contrast, issues revolving around the use of computers by lay users and the creation of active incentives to avoid fraud have been relatively neglected. Many ACFE-led studies have shown that human errors are the main cause of information security incidents.

Piecemeal approaches to control security issues related to cloud environments fail simply because they are usually driven by a haphazard occurrence: a reaction to the most recent incident or the most recently publicized threat. In other words, managing information security in cloud environments requires collaboration among experts from different disciplines, including computer scientists, engineers, economists, lawyers and anti-fraud assurance professionals like CFEs, to forge common approaches.

MAC Documents

As our upcoming Ethics 2019 lecture for January-February 2019 makes clear, many of the most spectacular cases of fraud during the last two decades that were, at least initially, successfully concealed from auditors involved the long running falsification of documents. Bernie Madoff and Enron come especially to mind. In hindsight, the auditors involved in these individual cases failed to detect the fraud for multiple reasons, one of which was a demonstrated lack of professional skepticism coupled with a general lack of awareness.

Fraud audit and red flag testing procedures are designed to validate the authenticity of documents and the performance of internal controls. Red flag testing procedures are based on observing indicators in the internal documents and in the internal controls. In contrast, fraud audit testing procedures verify the authenticity of the representations in the documents and internal controls. While internal controls are an element of each, they are not the same as the testing procedures performed in a traditional audit. Considering that fraud audit testing procedures are the basis of the fraud audit program, the analysis of documents will differ between the fraud audit and the traditional verification audit. Business systems are driven by paper documents, both imaged paper documents and electronic documents. Approvals are handwritten, created mechanically, or created electronically through a computerized business application. Therefore, the ability to examine a document for the red flags indicative of a fraud scenario is a critical component in the process of fraud detection.

The ACFE points out that within fraud auditing, there are levels of document examination: the forensic document examination performed by a certified document examiner and the document examination performed by an independent external auditor conducting a fraud audit are distinct. Clearly, the auditor is not required to have the skills of a certified document examiner; however, the auditor should understand the difference between questioned document examination and the examination of documents for red flags.

Questioned, or forensic, document examination is the application of science to the law. The forensic document examiner, using specialized techniques, examines documents and any handwriting on the documents to establish their authenticity and to detect alterations. The American Academy of Forensic Sciences (AAFS) Questioned Document Section and the American Society of Questioned Document Examiners (ASQDE) provide guidance and standards to assurance professionals in the field of document examination. For example, the American Society for Testing and Materials, International (ASTM) Standard E444-09 (Standard Guide for Scope of Work of Forensic Document Examiners) indicates there are four components to the work of a forensic document examiner. These components are the following:

1. Establish document genuineness or non-genuineness, expose forgery, or reveal alterations, additions, or deletions.
2. Identify or eliminate persons as the source of handwriting.
3. Identify or eliminate the source of typewriting or other impression, marks, or relative evidence.
4. Write reports or give testimony, when needed, to aid the users of the examiner’s services in understanding the examiner’s findings.

CFEs will find that some forensic document examiners (FDEs) limit their work to the examination and comparison of handwriting; however, most inspect and examine the whole document in accordance with the ASTM standard.

The fraud examiner or auditor also focuses on the authenticity of the document, with two fundamental differences:

1. The degree of certainty. With forensic document examination, the forensic certainty is based on scientific principles. Fraud audit document examination is based on visual observations and informed audit experience.
2. Central focus. Fraud audit document examination focuses on the red flags associated with a hypothetical fraud scenario. Forensic document examination focuses on the genuineness of the document or handwriting under examination.

Awareness of the basic principles and objectives of forensic document examination is of assistance to any auditor or examiner in determining if, when and how to use the services of a certified document examiner in the process of conducting a fraud audit.

ACFE training indicates that documentary red flags are among the most important of all red flags. Examiners and auditors need to be aware not only of how a fraud scenario occurs, but also of how to employ the correct methodology in identifying and describing the documents related to a given scenario. These capabilities are critical as well in order to be successful in the identification of document related red flags. Specifically, a document must link to the fraud scenario and to the key controls of the involved business process(es).

The target document should be examined for the following: document condition, document format, document information, and industry standards. To these characteristics the concepts of missing, altered, and created content should be applied. The second aspect of the document examination is linking the document to the internal controls. Linking the document examination to the internal controls is a critical aspect of developing the decision tree aspect of the fraud audit program. Using a document examination methodology aids the fraud auditor in building his or her fraud audit program.

The ACFE’s acronym MAC is a useful aid to assist the auditor in identifying red flags and the corresponding audit response. The ‘M’ stands for missing, either missing the entire document or missing information on a document; the ‘A’ for altered information on a document; and the ‘C’ for created documents or information on a document. Specifically:

A missing document is a red flag. Missing documents occur because the document was never created, was destroyed, or has been misfiled. Documents are either the basis of initiating the transaction or support the transaction.

The frequency of missing documents must be linked to the fraud scenario. In some instances, missing one document may be a red flag, although typically repetition is necessary to warrant fraud audit testing procedures. The audit response should focus on the following attributes assuming the document links to a key control:

— Is the document externally or internally created? The existence of externally created documents can be confirmed with the source, assuming the source is not identified as involved in the fraud scenario.
— Is the document necessary to initiate the transaction or is the document a supporting one? Documents used to initiate a transaction had to have existed at some point; therefore, logic dictates that the document was destroyed or misfiled.
— One, two, or all three of the following questions could apply to internal documents:

• Is there a pattern of missing documents associated with the same entity?
• Is there a pattern of missing documents associated with an internal employee?
• Does the document support a key anti-fraud control, therefore being a trigger red flag, or is the missing document related to a non-key control?
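The three pattern questions above, run over an entire population of transaction files rather than a sample, as an added Python example that is not part of the original post. The document types, vendors, employees, records and the `min_repeat` threshold are all constructed assumptions.

```python
from collections import defaultdict

# Attributes the audit response asks about for each required document type.
# All document types, names and records below are constructed for illustration.
DOC_TYPES = {
    "purchase_requisition": {"origin": "internal", "role": "initiating", "key_control": True},
    "vendor_invoice": {"origin": "external", "role": "supporting", "key_control": True},
    "receiving_report": {"origin": "internal", "role": "supporting", "key_control": True},
    "packing_slip": {"origin": "external", "role": "supporting", "key_control": False},
}
ALL_DOCS = set(DOC_TYPES)

# Constructed disbursement population: who processed each transaction, for
# which vendor, and which documents are actually in the file.
TRANSACTIONS = [
    {"id": "T001", "vendor": "Acme Supply", "employee": "jdoe", "on_file": ALL_DOCS},
    {"id": "T002", "vendor": "Acme Supply", "employee": "asmith", "on_file": ALL_DOCS - {"packing_slip"}},
    {"id": "T003", "vendor": "Birch Tools", "employee": "jdoe", "on_file": ALL_DOCS - {"receiving_report"}},
    {"id": "T004", "vendor": "Birch Tools", "employee": "jdoe",
     "on_file": ALL_DOCS - {"receiving_report", "packing_slip"}},
    {"id": "T005", "vendor": "Birch Tools", "employee": "asmith", "on_file": ALL_DOCS},
    {"id": "T006", "vendor": "Cedar Co", "employee": "jdoe", "on_file": ALL_DOCS - {"purchase_requisition"}},
    {"id": "T007", "vendor": "Cedar Co", "employee": "mlee", "on_file": ALL_DOCS},
    {"id": "T008", "vendor": "Acme Supply", "employee": "mlee", "on_file": ALL_DOCS - {"vendor_invoice"}},
]


def audit_response(doc_type):
    """Map a missing document's attributes to the follow-up the text describes."""
    attrs = DOC_TYPES[doc_type]
    if attrs["origin"] == "external":
        return "confirm with the source, unless the source is implicated in the scenario"
    if attrs["role"] == "initiating":
        return "must have existed to start the transaction: destroyed or misfiled"
    return "internal supporting document: test for a pattern by entity and employee"


def find_gaps(transactions):
    """List every missing document across the whole population (no sampling)."""
    gaps = []
    for txn in transactions:
        for doc in sorted(ALL_DOCS - set(txn["on_file"])):
            gaps.append({
                "txn": txn["id"],
                "vendor": txn["vendor"],
                "employee": txn["employee"],
                "doc": doc,
                # A gap in a key-control document is a trigger red flag.
                "trigger": DOC_TYPES[doc]["key_control"],
                "response": audit_response(doc),
            })
    return gaps


def find_patterns(gaps, field, min_repeat=2):
    """Group key-control gaps by vendor or employee; keep groups that repeat."""
    txns_by_value = defaultdict(set)
    for gap in gaps:
        if gap["trigger"]:
            txns_by_value[gap[field]].add(gap["txn"])
    return {value: sorted(txns) for value, txns in txns_by_value.items()
            if len(txns) >= min_repeat}


if __name__ == "__main__":
    gaps = find_gaps(TRANSACTIONS)
    for gap in gaps:
        flag = "TRIGGER" if gap["trigger"] else "non-key"
        print(f'{gap["txn"]} {gap["doc"]:<22}{flag:<8} {gap["response"]}')
    print("Repeated by vendor:  ", find_patterns(gaps, "vendor"))
    print("Repeated by employee:", find_patterns(gaps, "employee"))
```

Only gaps in key-control documents feed the repetition test, so the non-key packing slips are listed but do not create a pattern on their own.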

With regard to missing information on a document, several questions arise, one of which is: are there tears, torn pieces, soiled areas, or charred areas that cause information to be missing? To address any of these situations, finding a similar document type is needed to determine if the intent of the document has changed because of the missing information. Another question is: is information obliterated (e.g., covered, blotted, or wiped out)? Overwriting is commonly used to obscure existing writing. Correction fluid is also a common method, but the underlying writing can be read and photographed using transmitted light from underneath the document.

Scratching out writing with a pen will obliterate writing successfully if it results in the page being torn. Spilled liquids can also obliterate writing.

‘A’, altered, pertains to changing or adding information to the original document. The information may be altered manually or through the use of desktop publishing capabilities. For example, manual changes tend to be visible through a difference in handwriting, and electronic documents would generally be altered via the software used to create the document.

Any altering of information would be detected through the same red flags as adding information. In the context of fraud, forgery is the first thing that comes to mind in any discussion of the altering of documents. Forgery is a legal term applied to fraudulent imitation. It is an alteration of writing so as to convey a false impression that a document itself, not its contents, is authentic, thereby imposing a legal liability. It is an alteration of a document with the intent to defraud. It should be noted that it is possible for a document examiner to identify a document or signature as a forgery, but it is much less common for the examiner to identify the forger. This is due to the nature of handwriting, whereby a forger is attempting to imitate the writing habit of another person, thereby suppressing his or her own writing characteristics and style, and in essence, disguising his or her writing.

A ‘C’, or created, document is any document prepared by the perpetrator of the fraud scenario. This type of changed document can include added or created documents or added and created text on a document. The document can be prepared by an external source (e.g., a vendor in an over-billing scheme) or an internal source (e.g., a purchasing agent who creates false bids).

Some signs of document creation can include the age of the document being inconsistent with the purported creation date, or the document lacking the sophistication typically associated with normal business standards. Added or created text can be inserted with the use of ink or whatever type of writing instrument was used on the original. It can also be added through cutting and pasting sections of text, then photocopying the document to eliminate any outline. When pages are suspected of being added in this manner, a comparison of the type of paper used for the original and the photocopy should be made. In terms of computer-generated and machine-produced documents, differences in the software used may result in textual differences.

As the MAC acronym seeks to demonstrate, fraudulent document information can be categorized as missing information, incorrect information, or information inconsistent with normal business standards. Therefore, the investigating CFE or auditor needs to have the requisite business and industry knowledge to correctly associate the appropriate red flags with the relevant documentary information consistent with the fraud scenario under investigation.

The Human Financial Statement

A finance professor of mine in graduate school at the University of Richmond was fond of saying, in relation to financial statement fraud, that as staff competence goes down, the risk of fraud goes up. What she meant by that was that the best operated, most flawless control ever put in place can be tested and tested and tested again and score perfectly every time. But it’s still no match for the employee who doesn’t know, or perhaps doesn’t even care, how to operate that control; or for the manager who doesn’t read the output correctly, or for the executive who hides part of a report and changes the numbers in the rest. That’s why CFEs and the members of any fraud risk assessment team (especially our client managers who actually own the process and its results) should always take a careful look at the human component of risk: the real-world actions, and lack thereof, taken by real-life employees in addressing the day-to-day duties of their jobs.

ACFE training emphasizes that client management must evaluate whether it has implemented anti-fraud controls that adequately address the risk that a material misstatement in the financial statements will not be prevented or detected timely and then focus on fixing or developing controls to fill any gaps. The guidance offers several specific suggestions for conducting top-down, risk-based anti-fraud focused evaluations, and many of them require the active participation of staff drawn from all over the assessed enterprise. The ACFE documentation also recommends that management consider whether a control is manual or automated, its complexity, the risk of management override, and the judgment required to operate it. Moreover, it suggests that management consider the competence of the personnel who perform the control or monitor its performance.

That’s because the real risk of financial statement misstatements lies not in a company’s processes or the controls around them, but in the people behind the processes and controls who make the organization’s control environment such a dynamic, challenging piece of the corporate puzzle. Reports and papers that analyze fraud and misstatement risk use words like “mistakes” and “improprieties.” Automated controls don’t do anything “improper.” Properly programmed record-keeping and data management processes don’t make “mistakes.” People make mistakes, and people commit improprieties. Of course, human error has always been and will always be part of the fraud examiner’s universe, and an SEC-encouraged, top-down, risk-based assessment of a company’s control environment, with a view toward targeting the control processes that pose the greatest misstatement risk, falls nicely within most CFEs’ existing operational ambit. The elevated role for CFEs, whether on staff or in independent private practice, in optionally conducting fraud risk evaluations offers our profession yet another chance to show its value.

Focusing on the human element of misstatement fraud risk is one important way our client companies can make significant progress in identifying their true financial statement and other fraud exposures. It also represents an opportunity for management to identify the weak links that could ultimately result in a misstatement, as well as for CFEs to make management’s evaluation process a much simpler task. I can remember reading many articles in the trade press these last years in which commentators have opined that dramatic corporate meltdowns like Wells Fargo are still happening today, under today’s increased regulatory strictures, because the controls involved in those frauds weren’t the problem, the people were. That is certainly true. Hence, smart risk assessors are integrating the performance information they come across in their risk assessments on soft controls into management’s more quantitative, control-related evaluation data to paint a far more vivid picture of what the risks look like. Often the risks will wear actual human faces. The biggest single factor in calculating restatement risk as a result of a fraud relates to the complexity of the control(s) in question and the amount of human judgment involved. The more complex a control, the more likely it is to require complicated input data and to involve highly technical calculations that make it difficult to determine from system output alone whether something is wrong with the process itself. Having more human judgment in the mix gives rise to greater apparent risk.

A computer will do exactly what you tell it to over and over; a human may not, but that’s what makes humans special, special and risky. In the case of controls, especially fraud prevention related controls, our human uniqueness can manifest as simple afternoon sleepiness or family financial troubles that prove too distracting to put aside during the workday. So many things can result in a mistaken judgment, and simple mistakes in judgment can be extremely material to the final financial statements.

CFEs, of course, aren’t in the business of grading client employees or even of commenting to them about their performance, but whether the fraud risk assessment in question is related to financial report integrity or to any other issue, CFEs making such assessments at management’s request need to consider the experience, training, quality, and capabilities of the people performing the most critical controls.

You can have a well-designed control, but if the person in charge doesn’t know, or care, what to do, that control won’t operate. And whether such a lack of ability, or of concern, is at play is a judgment call that assessing CFEs shouldn’t be afraid to make. A negative characterization of an employee’s capability doesn’t mean that employee is a bad worker, of course. It may simply mean he or she is new to the job, or it may reveal training problems in that employee’s department. CFEs proactively involved in fraud risk assessment need to keep in mind that, in some instances, competence may be so low that it results in greater risk. Both the complexity of a control and the judgment required to operate it are important. The ability to interweave notions of good and bad judgment into the fabric of a company’s overall fraud risk comes from CFEs’ experience doing exactly that on fraud examinations. A critical employee’s intangibles like conscientiousness, commitment, ethics and morals, and honesty, all come into play and either contribute to a stronger fraud control environment or cause it to deteriorate. CFEs need to be able, while acting as professional risk assessors, to challenge, with management, the quality, integrity, and motivation of employees at all levels of the organization.

Many companies conduct fraud-specific tests as a component of the fraud prevention program, and many of the most common forms of fraud can be detected by basic controls already in place. Indeed, fraud is a common concern throughout all routine audits, as opposed to the conduct of separate fraud-only audits. It can be argued that every internal control is a fraud deterrent control. But fraud still exists.

What CFEs have to offer to the risk assessment of financial statement and other frauds is their overall proficiency in fraud detection and the reality that they are well-versed in, and cognizant of, the risk of fraud in every given business process of the company; they are, therefore, well positioned to apply their best professional judgment to the assessment of the degree of risk of financial statement misstatement that fraud represents in any given client enterprise.

Forensic Data Analysis

As a long-term advocate of big data based solutions to investigative challenges, I have been interested to see the recent application of such approaches to the ever-growing problem of data breaches. More data is stored electronically than ever before (financial data, marketing data, customer data, vendor listings, sales transactions, email correspondence, and more), and evidence of fraud can be located anywhere within those mountains of data. Unfortunately, fraudulent data often looks like legitimate data when viewed in the raw. Taking a sample and testing it might not uncover fraudulent activity. Fortunately, today’s fraud examiners have the ability to sort through piles of information by using special software and data analysis techniques. These methods can identify future trends within a certain industry, and they can be configured to identify breaks in audit control programs and anomalies in accounting records.

In general, fraud examiners perform two primary functions to explore and analyze large amounts of data: data mining and data analysis. Data mining is the science of searching large volumes of data for patterns. Data analysis refers to any statistical process used to analyze data and draw conclusions from the findings. These terms are often used interchangeably. If properly used, data analysis processes and techniques are powerful resources. They can systematically identify red flags and perform predictive modeling, detecting a fraudulent situation long before many traditional fraud investigation techniques would be able to do so.

Big data are high volume, high velocity, and/or high variety information assets that require new forms of processing to enable enhanced decision making, insight discovery, and process optimization. Simply put, big data is information of extreme size, diversity, and complexity. In addition to thinking of big data as a single set of data, fraud investigators and forensic accountants are conceptualizing about the way data grow when different data sets are connected together that might not normally be connected. Big data represents the continuous expansion of data sets, the size, variety, and speed of generation of which makes it difficult for investigators and client managements to manage and analyze.

Big data can be instrumental to the evidence gathering phase of an investigation. Distilled down to its core, how do fraud examiners gather data in an investigation? They look at documents and financial or operational data, and they interview people. The challenge is that people often gravitate to the areas with which they are most comfortable. Attorneys will look at documents and email messages and then interview individuals. Forensic accounting professionals will look at the accounting and financial data (structured data). Some people are strong interviewers. The key is to consider all three data sources in unison.

Big data helps to make it all work together to bring the complete picture into focus. With the ever-increasing size of data sets, data analytics has never been more important or useful. Big data requires the use of creative and well-planned analytics due to its size and complexity. One of the main advantages of using data analytics in a big data environment is that it allows the investigator to analyze an entire population of data rather than having to choose a sample and risk drawing erroneous conclusions in the event of a sampling error.

To conduct an effective data analysis, a fraud examiner must take a comprehensive approach. Any direction can (and should) be taken when applying analytical tests to available data. The more creative fraudsters get in hiding their breach-related schemes, the more creative the fraud examiner must become in analyzing data to detect these schemes. For this reason, it is essential that fraud investigators consider both structured and unstructured data when planning their engagements.

Data are either structured or unstructured. Structured data is the type of data found in a database, consisting of recognizable and predictable structures. Examples of structured data include sales records, payment or expense details, and financial reports. Unstructured data, by contrast, is data not found in a traditional spreadsheet or database. Examples of unstructured data include vendor invoices, email and user documents, human resources files, social media activity, corporate document repositories, and news feeds. When using data analysis to conduct a fraud examination, the fraud examiner might use structured data, unstructured data, or a combination of the two. For example, conducting an analysis on email correspondence (unstructured data) among employees might turn up suspicious activity in the purchasing department. Upon closer inspection of the inventory records (structured data), the fraud examiner might uncover that an employee has been stealing inventory and covering her tracks in the record.
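The email-then-inventory sequence described above, as added Python code that is not from the original post: phrase hits in email text (unstructured) are joined to inventory write-downs (structured) posted by the same user shortly afterwards. The users, messages, ledger rows, phrase list and three-day window are constructed assumptions.

```python
import re
from datetime import date

# Constructed sample data, for illustration only.
# Unstructured source: free-text email bodies.
EMAILS = [
    {"sender": "kpatel", "sent": date(2018, 3, 2),
     "body": "Quarterly price list attached for review."},
    {"sender": "rjones", "sent": date(2018, 3, 5),
     "body": "Don't log the pallets yet, I'll adjust the count after the pickup."},
    {"sender": "rjones", "sent": date(2018, 3, 19),
     "body": "Keep this one off the books until the count is done."},
    {"sender": "tnguyen", "sent": date(2018, 3, 20),
     "body": "Lunch on Friday?"},
]

# Structured source: inventory adjustment ledger.
ADJUSTMENTS = [
    {"adj_id": "A-101", "user": "kpatel", "posted": date(2018, 3, 3), "sku": "PLT-40", "qty": -2},
    {"adj_id": "A-102", "user": "rjones", "posted": date(2018, 3, 6), "sku": "PLT-40", "qty": -40},
    {"adj_id": "A-103", "user": "rjones", "posted": date(2018, 3, 21), "sku": "DRM-12", "qty": -25},
    {"adj_id": "A-104", "user": "rjones", "posted": date(2018, 4, 20), "sku": "DRM-12", "qty": 5},
    {"adj_id": "A-105", "user": "tnguyen", "posted": date(2018, 3, 21), "sku": "BLT-07", "qty": -1},
]

# Assumed phrase list; an engagement would tune it to the fraud scenario.
PHRASES = [re.compile(p, re.IGNORECASE)
           for p in (r"off the books", r"don'?t log", r"adjust the count")]


def email_hits(emails):
    """Text-mining step: emails whose body matches any scenario phrase."""
    hits = []
    for mail in emails:
        matched = [p.pattern for p in PHRASES if p.search(mail["body"])]
        if matched:
            hits.append({"sender": mail["sender"], "sent": mail["sent"], "phrases": matched})
    return hits


def write_downs(adjustments):
    """Structured-only view: every adjustment that reduces recorded stock."""
    return [adj for adj in adjustments if adj["qty"] < 0]


def correlate(emails, adjustments, window_days=3):
    """Write-downs posted by a flagged sender within window_days of the email."""
    findings = []
    for hit in email_hits(emails):
        for adj in write_downs(adjustments):
            lag = (adj["posted"] - hit["sent"]).days
            if adj["user"] == hit["sender"] and 0 <= lag <= window_days:
                findings.append({
                    "adj_id": adj["adj_id"],
                    "user": adj["user"],
                    "sku": adj["sku"],
                    "qty": adj["qty"],
                    "lag_days": lag,
                    "phrases": hit["phrases"],
                })
    return findings


if __name__ == "__main__":
    print("Write-downs in ledger alone:", len(write_downs(ADJUSTMENTS)))
    for finding in correlate(EMAILS, ADJUSTMENTS):
        print(finding)
```

On the ledger alone all four write-downs look alike; the join narrows them to the two that follow a flagged message from the same user.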

Recent reports of breach responses detailed in social media and the trade press indicate that those investigators deploying advanced forensic data analysis tools across larger data sets provided better insights into the penetration, which led to more focused investigations and better root cause analysis, and contributed to more effective fraud risk management. Advanced technologies that incorporate data visualization, statistical analysis and text-mining concepts, as compared to spreadsheets or relational database tools, can now be applied to massive data sets from disparate sources, enhancing breach response at all organizational levels.

These technologies enable our client companies to ask new compliance questions of their data that they might not have been able to ask previously. Fraud examiners can establish important trends in business conduct or identify suspect transactions among millions of records rather than being forced to rely on smaller samplings that could miss important transactions.

Data breaches bring enhanced regulatory attention. It’s clear that data breaches have raised the bar on regulators’ expectations of the components of an effective compliance and anti-fraud program. Adopting big data/forensic data analysis procedures into the monitoring and testing of compliance can create a cycle of improved adherence to company policies and improved fraud prevention and detection, while providing additional comfort to key stakeholders.

CFEs and forensic accountants are increasingly being called upon to be members of teams implementing or expanding big data/forensic data analysis programs so as to more effectively manage data breaches and a host of other instances of internal and external fraud, waste and abuse. To build a successful big data/forensic data analysis program, your client companies would be well advised to:

— begin by focusing on the low-hanging fruit: the priority of the initial project(s) matters. The first and immediately subsequent projects, the low-hanging investigative fruit, normally incur the largest cost associated with setting up the analytics infrastructure, so it’s important that the first few investigative projects yield tangible results/recoveries.

— go beyond the usual rule-based, descriptive analytics. One of the key goals of forensic data analysis is to increase the detection rate of internal control noncompliance while reducing the risk of false positives. From a technology perspective, clients’ internal audit and other investigative groups need to move beyond rule-based spreadsheets and database applications and embrace both structured and unstructured data sources that include the use of data visualization, text-mining and statistical analysis tools.

— see that successes are communicated. Share information on early successes across divisional and departmental lines to gain broad business process support. Once validated, success stories will generate internal demand for the outputs of the forensic data analysis program. Try to construct a multi-disciplinary team, including information technology, business users (i.e., end-users of the analytics) and functional specialists (i.e., those involved in the design of the analytics and day-to-day operations of the forensic data analysis program). Communicate across multiple departments to keep key stakeholders assigned to the fraud prevention program updated on forensic data analysis progress under a defined governance program. Don’t just seek to report instances of noncompliance; seek to use the data to improve fraud prevention and response. Obtain investment incrementally based on success, and not by attempting to involve the entire client enterprise all at once.

— leadership support will get the big data/forensic data analysis program funded, but regular interpretation of the results by experienced or trained professionals is what will make the program successful. Keep the analytics simple and intuitive; don’t try to cram too much information into any one report. Invest in new, updated versions of tools to make analytics sustainable. Develop and acquire staff professionals with the required skill sets to sustain and leverage the forensic data analysis effort over the long term.

Finally, enterprise-wide deployment of forensic data analysis takes time; clients shouldn’t be led to expect overnight adoption. An analytics integration is a journey, not a destination. Quick-hit projects might take four to six weeks, but the program and integration can take one to two years or more.

Our client companies need to look at a broader set of risks, incorporate more data sources, move away from lightweight, end-user, desktop tools and head toward real-time or near-real time analysis of increased data volumes. Organizations that embrace these potential areas for improvement can deliver more effective and efficient compliance programs that are highly focused on identifying and containing damage associated with hacker and other exploitation of key high fraud-risk business processes.

Regulating the Financial Data Breach

During several years of my early career, I was employed as a Manager of Operations Research by a mid-sized bank holding company. My small staff and I would endlessly discuss issues related to fraud prevention and develop techniques to keep our customers’ checking and savings accounts safe, secure and private. A never-ending battle!

It was a simpler time back then, technically, but since a large proportion of fraud committed against banks and financial institutions today still involves the illegal use of stolen customer or bank data, some of the newest and most important laws and regulations that management assurance professionals, like CFEs, must be aware of in our practice, and with which our client banks must comply, relate to the safeguarding of confidential data both from internal theft and from breaches of the bank’s information security defenses by outside criminals.

As the ACFE tells us, there is no silver bullet for fully protecting any organization from the ever-growing threat of information theft. Yet full implementation of the measures specified by the required provisions of the federal banking regulations now in place can at least lower the risk of a costly breach occurring. This is particularly true since the size of recent data breaches across all industries has forced Federal enforcement agencies to become increasingly active in monitoring compliance with the critical rules governing the safeguarding of customer credit card data, bank account information, Social Security numbers, and other personal identifying information. Among these key rules are the Federal Reserve Board’s Interagency Guidelines Establishing Information Security Standards, which define customer information as any record containing nonpublic personal information about an individual who has obtained a financial product or service from an institution that is to be used primarily for personal, family, or household purposes and who has an ongoing relationship with the institution.

It’s important to realize that, under the Interagency Guidelines, customer information refers not only to information pertaining to people who do business with the bank (i.e., consumers); it also encompasses, for example, information about (1) an individual who applies for but does not obtain a loan; (2) an individual who guarantees a loan; (3) an employee; or (4) a prospective employee. A financial institution must also require, by contract, its own service providers who have access to consumer information to develop appropriate measures for the proper disposal of the information.

The FRB’s Guidelines are to a large extent drawn from the information protection provisions of the Gramm-Leach-Bliley Act (GLBA) of 1999, which repealed the Depression-era Glass-Steagall Act that substantially restricted banking activities. However, GLBA is best known for its formalization of legal standards for the protection of private customer information and for rules and requirements for organizations to safeguard such information. Since its enactment, numerous additional rules and standards have been put into place to fine-tune the measures that banks and other organizations must take to protect consumers from the identity-related crimes to which information theft inevitably leads.

Among GLBA’s most important information security provisions affecting financial institutions is the so-called Financial Privacy Rule. It requires banks to provide consumers with a privacy notice at the time the consumer relationship is established and every year thereafter.

The notice must provide details collected about the consumer, where that information is shared, how that information is used, and how it is protected. Each time the privacy notice is renewed, the consumer must be given the choice to opt out of the organization’s right to share the information with third-party entities. That means that if bank customers do not want their information sold to another company, which will in all likelihood use it for marketing purposes, they must indicate that preference to the financial institution.

CFEs should note that most pro-privacy advocacy groups strongly object to this and other privacy-related elements of GLBA because, in their view, these provisions do not provide substantive protection of consumer privacy. One major advocacy group has stated that GLBA does not protect consumers because it unfairly places the burden on the individual to protect privacy with an opt-out standard. By placing the burden on the customer to protect his or her data, GLBA weakens customer power to control their financial information. The agreement’s opt-out provisions do not require institutions to provide a standard of protection for their customers regardless of whether they opt-out of the agreement. This provision is based on the assumption that financial companies will share information unless expressly told not to do so by their customers and, if customers neglect to respond, it gives institutions the freedom to disclose customer nonpublic personal information.

CFEs need to be aware, however, that for bank clients, regardless of how effective, or not, GLBA may be in protecting customer information, noncompliance with the Act itself is not an option. Because of the current explosion in breaches of bank information security systems, the privacy issue has to some degree been overshadowed by the urgency to physically protect customer data; for that reason, compliance with the Interagency Guidelines concerning information security is more critical than ever. The basic elements partially overlap with the preventive measures against internal bank employee abuse of the bank’s computer systems. However, they go quite a bit further by requiring banks to:

—Design an information security program to control the risks identified through a security risk assessment, commensurate with the sensitivity of the information and the complexity and scope of its activities.
—Evaluate a variety of policies, procedures, and technical controls and adopt those measures that are found to most effectively minimize the identified risks.
—Application and enforcement of access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
—Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals.
—Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may gain access.
—Procedures designed to ensure that customer information system modifications are consistent with the institution’s information security program.
—Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information.
—Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems.
—Response programs that specify actions to be taken when the institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.
—Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

The Interagency Guidelines require a financial institution to determine whether to adopt controls to authenticate and permit only authorized individuals access to certain forms of customer information. Under this control, a financial institution also should consider the need for a firewall to safeguard confidential electronic records. If the institution maintains Internet or other external connectivity, its systems may require multiple firewalls with adequate capacity, proper placement, and appropriate configurations.

Similarly, the institution must consider whether its risk assessment warrants encryption of electronic customer information. If it does, the institution must adopt necessary encryption measures that protect information in transit, in storage, or both. The Interagency Guidelines do not impose specific authentication or encryption standards, so it is advisable for CFEs to consult outside experts on the technical details applicable to their client institution’s security requirements, especially when conducting after-the-fact fraud examinations.

The financial institution also must consider the use of an intrusion detection system to alert it to attacks on computer systems that store customer information. In assessing the need for such a system, the institution should evaluate the ability, or lack thereof, of its staff to rapidly and accurately identify an intrusion. It also should assess the damage that could occur between the time an intrusion occurs and the time the intrusion is recognized and action is taken.

The regulatory agencies have also provided our clients with requirements for responding to information breaches. These are contained in a related document entitled Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (Incident Response Guidance). According to the Incident Response Guidance, a financial institution should develop and implement a response program as part of its information security program. The response program should address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.

Finally, the Interagency Guidelines require financial institutions to train staff to prepare and implement their information security programs. The institution should consider providing specialized training to ensure that personnel sufficiently protect customer information in accordance with its information security program.

For example, an institution should:

—Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext spam calling.
—Provide staff members responsible for building or maintaining computer systems and local and wide area networks with adequate training, including instruction about computer security.
—Train staff to properly dispose of customer information.

An Ancient Skill

I remember Professor Jerome Taylor in his graduate class at the University of Chicago introducing us to the complexities of what the ancients called the trivium. Because the setting for the process of fraud examination is so often fraught with emotion and confusion, even a beginning fraud examiner quickly realizes that presenting evidence collected during examination fieldwork merely as a succession of facts often isn’t enough to fully convince clients and to adequately address their many concerns (many of which always seem to emerge all at once). To capture stakeholders’ attention, and to elicit a satisfactory response, CFEs need to possess some degree of rhetorical skill.

Rhetoric refers to the use of language to persuade and instruct. Throughout the Middle Ages, European universities taught rhetoric to beginning students as one of three foundational topics composing what was known as the trivium. Logic and grammar, the other two foundational topics, refer to the mechanics of thought and analysis, and to the mechanics of language, respectively. We CFEs and forensic accountants essentially follow the trivium in our work, whether we realize it or not. After gathering evidence through fieldwork, we apply logic to analyze that evidence and to present our vision of the facts to our client organizations in our final reports. We also use grammatical rules to structure text within our reports and memoranda.

Applying the trivium requires a balanced approach; too much focus on any one of the three components to the exclusion of the others can lead to ineffective communication. Fraud examiners need to consider all three trivium components evenly and avoid the common trap of collecting too much evidence or performing too much analysis in the belief that such concentrations will help strengthen our final reports.

The ancient Greeks defined three key components of rhetoric: the speech itself (text), the speaker delivering the speech (author), and those who listen to the speech (audience). Collectively, these components form what’s called the rhetorical triangle. For CFEs, the triangle’s three points equate to the final report or memorandum, the CFE himself or herself, and our clients or stakeholders. All three of the rhetorical triangle components are interrelated, and they are each essential to the success of all investigative and/or assurance work. Each should be considered before any engagement and kept in mind throughout the engagement life cycle, but especially during the report writing and presentation process.

Although the investigative team lead would be considered the primary author, each of the engagement team members plays a supporting role by authoring observations and preliminary findings that are then compiled into an integrated report. The person performing the important task of draft reviewer also has a role to play, ensuring that the final report meets ACFE and other applicable standards and fulfills the overall purpose defined in the planning document.

The character of the intended audience should be considered with each engagement. Audience members are not homogeneous; each may have different perspectives and expectations. For this reason, CFEs need to consult with them and consider their perspectives even before the engagement begins to the extent feasible.

Once engagement fieldwork has been completed, the authors compose a written report containing the results of the investigative field work. The report represents perhaps the most important outcome communication from the examination process, and the best chance to focus the client’s attention.

When crafting the final report, three separate but interrelated components, designated ‘appeals’, need to be considered and applied: ethos, logos, and pathos.

Ethos is an appeal to the audience’s perception of the honesty, authority, and expertise of the report’s author. Closely related to reputation, ethos is established when the audience determines that the author is qualified, trustworthy, and believable. Because the term ethics derives from ethos, adhering to the ACFE’s standards and Code of Ethics supports this appeal.

Some helpful formulations, in the form of questions, to keep in mind regarding the ethos component when formulating your report are:

–What assumptions does your audience likely make about you and the investigative process, what you produce, and the level of service you and your team provide?
–Is there a way to take advantage of their positive assumptions to improve the fraud investigation process for the future?
–What can you do to overcome their negative assumptions, if any?
–Do you create the expectation that what you produce and the level of service you provide will be above average or even exceptional?
–Are you using all the available channels to create an impression of excellence?

For CFEs with an on-going or long-term employment or other relationship with the client, the need to consider ethos begins long before the start of any particular engagement. Ethos is supported by the structure and governance of the fraud examination or forensic accounting function as well as by the selection of team members, including alignment between the type of engagements to be performed and the team’s qualifications, education, and training. The ethos appeal is also established by choosing to comply with examination and audit standards and with other professional requirements to demonstrate a high level of credibility, build trust, and gain a favorable reputation over time.

Logos appeals to the audience’s sense of logic, encompassing factors such as the reason and analysis used, the underlying meaning communicated, and the supporting facts and figures presented. The written document’s visual appeal, diagrams, charts, and other elements, as well as how the information is organized, presented, and structured, also factor into logos. Story conveys meaning. From the time we’re born we learn about the world around us through narratives. This aspect of logos continues to be important throughout our lives. We experience the world through our senses, particularly our eyes. Design and visual attractiveness are key to engaging an audience made up of the visual animals we are.

–Is what you are presenting easy to understand?
–Is your presentation design simple and pleasing to the eye?

Investigators’ need for logos is addressed by their written report’s executive summary, detailed observations, and findings, as well as appendices with secondary information that can be used to further instruct the audience. The report describes the origin, drivers and overall purpose of the engagement, its findings, and conclusions. Ultimately, from a rhetorical standpoint, examiners try to tell a convincing, self-contained short story that conveys key messages to the audience. The structure and format of the report, together with its textual content and visual elements, also support the logos appeal.

Like ethos, the logos appeal is fulfilled long before an individual engagement begins. It starts with the rational, periodic assessment and identification of business processes at high risk for fraud (areas requiring management’s attention), resulting in the development and implementation of effective anti-fraud controls. CFEs are then prepared to undertake engagements, executing steps to collect valid and relevant evidence to justify conclusions and to guide and support the client’s initiation of successful prosecutions.

Pathos is an appeal to the audience’s emotions, either positive (joy, excitement, hopefulness) or negative (anger, sadness). It is used to establish compassion or empathy. Unlike logos, pathos focuses on the audience’s irrational modes of response. The Greeks maintained that pathos was the strongest and most reliable form of persuasion. Pathos can be especially powerful when it is used well and connects with the audience’s underlying values and perspective. Used incorrectly, however, pathos can distort or detract from the impact of actual factual evidence.

Examiners should strive to walk a mile in someone else’s shoes and look for ways to better understand the client/audience’s perspective. Attention to pathos can help support not only examination objectives, but the overarching goal of creating a satisfactory investigative outcome. CFEs should also be mindful of their overall tone and word selection, and ensure they balance negative and positive comments, giving credit to individuals and circumstances where credit is due.

To some extent, pathos is interdependent with ethos and logos: The sting of negative results can be reduced somewhat by the positive effect of the other two appeals. For example, clients/audience members are more likely to accept bad news from someone they trust and respect, and who they know has followed a rational, structured approach to the engagement. But at the same time, ethos and logos can be offset by negative pathos. Preferred practice generally consists of holding regular meetings with corporate counsel and/or other critical stakeholders over the course of the investigation, maintaining transparency, and providing stakeholders with an opportunity to address investigative findings or provide evidence that counters or clarifies the CFE’s observations.

In summary, while all three elements of rhetorical appeal play an important role in communication and while none should be neglected, CFEs and forensic accountants should pay particular attention to pathos. The dominance of feelings over reason is part of human nature, and examiners should consider this powerful element when planning and executing engagements and reporting the results. By doing so, certified investigators can help ensure audiences accept our message and make informed judgements related to fraud recovery, prosecution and possible restitution.

The Versatile Microcap

A microcap is a publicly traded company whose stock might be worth only pennies, which causes its price to be volatile and thus easier for fraudsters to manipulate. Although CFEs like our Central Virginia Chapter members might not regularly come across microcap stock manipulation, it’s important for all of us to be aware of the methods and motivations behind this significant criminal activity. In this scheme, promoters and insiders, after cheaply purchasing a stock, typically pump up its value through embellished or entirely false news. However, as reported recently in the trade press, other fraudsters have successfully employed much more creative strategies in exploiting microcaps. Several articles and books have told of the involvement of organized crime, especially throughout the ’00s and ’10s, in this highly profitable illegal business.

Basic pump and dump schemes, also known as hype and dump manipulation, involve the touting of a company’s stock (typically micro-cap companies) through false or misleading statements to the marketplace. After pumping up the stock, scam artists make huge profits by selling or dumping their cheap stock onto the market. Today, pump and dump schemes have been updated and most frequently occur over the Internet, where it is common to see e-mail and other messages posted that urge consumers to buy a stock quickly or to sell their stocks before the price goes down. In some cases, a spam-call telemarketer contacts potential investors using the same sort of pitch. Often the promoters claim to have inside information about an impending development, or to have employed an infallible combination of economic and stock market data to pick stocks. In reality, they may be company insiders or paid promoters who stand to gain by selling their shares after the stock price is pumped up by the buying frenzy they create. Once these fraudulent promoters dump their shares and stop hyping the stock, the price typically falls and investors lose their money.

In another recent but simple form of the micro-cap scheme, a caller leaves a message on a potential victim’s voice mail under the guise of someone who dialed the wrong number. The caller sounds as if they didn’t realize they had misdialed, and the message contains a hot investment tip for a friend. However, the caller is actually a spammer, someone being paid to tout this stock on hundreds of cell phones. Those behind the scheme generally own some of the stock and hope to profit by pumping up the share price and selling off their investments.

Pump-and-dump schemes can be as relatively simple as the one above, or can involve an individual or small group releasing false information in a chat room, or insiders publishing inflated company information. Sometimes the business owners themselves are complicit, especially with shell corporations that have little actual operations or value. Occasionally, scammers dupe business owners into participating in schemes through promises of investment support and/or related marketing help. Or fraudsters, unbeknownst to the victim company, hijack their target company’s stock and falsely hype it, which often causes irreparable damage to the owners’ and to their business’ reputations. CFEs whose clients include small or new venture businesses should be especially cautious of unsolicited offers made to their clients to receive loans or to raise capital through microcap stock offerings. Criminals commonly target businesses in the pharmaceutical, energy or technology sectors, attempting to use their names and initial offerings to manipulate stock for profit.

More complex microcap stock manipulation schemes involving organized crime typically employ a number of persons who are instructed to buy in at various points that coincide with a series of false press releases and concurrent investor forum-controlled chat and spam emails. This orchestrated activity provides the illusion of stock movement resulting from large investor interest, thus drawing in the required funds of outsider victims. The actual manipulation often resembles a series of smaller pumps and dumps instead of one large event, so the fraudsters can use the same stock over and over with less chance of detection by regulatory authorities. More refined players also employ foreign or off-shore brokerage accounts as a further veil over their illegal activities.

When the organized manipulation plan succeeds, the ringleaders will permit the accomplices to sell and obtain their related profit depending on their hierarchy in the organization. However, the end process is often far from perfect. Occasionally, accomplices don’t follow instructions, at their significant personal risk, and sell too early or late. Even if the manipulation isn’t always successful, organized crime members who have invested in the process expect and demand a certain profit, which places additional pressure on participants who might find they have debt on their hands because of their failures.

Occasionally, outsiders also take large positions either profiting from or destroying the momentum of the criminal group. In the 1990s, when trades were completed through actual brokers, criminals could use threats or actual violence to control such unwanted participants. However, technological trading platforms have made this more difficult.

A less common, yet also profitable, technique is to put downward pressure on a stock (or cause the price to decrease) after buying the equity on loan through a contract, or option, with the hopes of buying the stock or settling the contract once the stock has dropped in price. Fraudsters can initiate this manipulation technique, commonly known as ‘short and distort,’ by promoting rumors such as a bad quarter or failed new drug test.

The ability to manipulate microcap stocks with relative ease also makes the activity an ideal tool to hide payments between parties and launder money. Instead of paying cash or wiring funds to settle a drug debt, one can simply provide a tip relating to a microcap stock that’s about to be manipulated. The party who’s owed the debt then only has to buy the stock cheaply and wait for the pump to make the sale and generate the profit.

Perpetrators also have used the same process to offer bribes to public servants. Troublesome envelopes or bags of cash aren’t required. The profit appears as a simple lucky or astute stock pick, and culprits can even report it as capital gains, thus removing the risk of highly feared and powerful tax investigators becoming involved in a possible money-laundering investigation. Police and securities regulatory authorities have observed and reported such suspicious activity. However, it’s often difficult to link those who profit from the manipulation with the culpable manipulators. Also, considering that organized crime elements employ microcap manipulation for debt payments and as profitable crimes, it’s again challenging for authorities to identify the exact goals of their participation without some inside knowledge. Proving all the elements of the crime is nearly impossible without wiretaps or a co-conspirator witness.

With all this said, it’s ironic, yet not surprising, that more than one organized-crime figure has said they don’t invest their own criminal earnings in microcap stocks because they deem such markets to be too risky and plagued by manipulators.

So, in summary, if you, as a CFE, come across information relating to a microcap investment involving a case you’re working, you might want to take a closer look.

With regard to preventing investment fraud schemes in general … caution your clients:

• to not invest in anything based upon appearances. Just because an individual or company has a flashy website doesn’t mean it is legitimate. Websites can be created in a matter of hours and taken down even faster. After a short period of taking money, a site can vanish without a trace.
• to not invest in anything about which they are not absolutely sure. Do homework on an investment to ensure it is legitimate.
• to thoroughly investigate the offering individual or company to ensure legitimacy.
• to check out other websites regarding this person or company.
• to be cautious when responding to special investment offers (especially through unsolicited e-mail) by fast-talking telemarketers. Know with whom you are dealing!
• to inquire about all the terms and conditions involved with the investors and the investment.
• Rule of thumb: If it sounds too good to be true, it probably is.

Your Friendly Pharmacy

The tragic consequences of the currently raging opioid epidemic are splashed across the headlines and vividly displayed in television documentaries every day and yet, unless they specialize in the healthcare sector, I’ve found that most CFEs and forensic accountants are relatively unfamiliar with the mechanics of prescription drug and pharmacy fraud.

The reality is that, in many communities across America today, obtaining illegal prescriptions and the related controlled drugs of choice can be as easy as ordering a sandwich. Licensed physicians in every part of the country are daily arrested for on-demand prescribing of Oxycontin, Vicodin and Xanax. The resulting grand jury indictments usually feature some version of charges related to ‘prescribing drugs outside the usual course of professional practice and without a legitimate medical purpose’.

According to the Centers for Disease Control and Prevention (CDC), U.S. non-medical use of prescription painkillers results in more than $72.5 billion annually in direct healthcare costs; the CDC also identifies prescription drugs as the second most-abused category of drugs after marijuana. In addition, the U.S. Department of Justice Office of Inspector General (OIG) has released several reports on prescription drug fraud in the Medicaid and Medicare Part D populations.

This epidemic has not only led to an increase in prescription drug fatalities, it’s also fueled opportunities for a host of ethically challenged individuals. This category of fraudsters has many faces: patients, patients’ family members, prescribers, pharmacy staff, medical employees, service contractors, recruiters and countless others are continuously involved in ever-mutating prescription drug fraud schemes.

Patients who commit prescription fraud often do so to acquire drugs to support their own addictions. But prescription drugs are a commodity with a high resale value, so fraudsters also divert prescription drugs for profit. Fraudsters illegally sell Oxycontin for $1 to $2 per milligram on the street. Some retirees on fixed incomes visit physicians complaining of phantom pain just so they can receive prescriptions for controlled drugs to re-sell for additional income.

Sometimes medical services’ employees, patients, family members, family friends and others fraudulently acquire prescription pads. In a recently reported case, owners of a professional cleaning service stole prescription pads and an ink signature pad from a doctor’s office they were hired to clean.

Some bypass obtaining prescriptions entirely by stealing controlled substances directly from pharmacies. Many pharmacies in hard hit areas no longer carry selected drugs or have increased their security.

Here are other common examples of the various ways individuals have chosen to defraud the system:

• Doctor shopping: visiting multiple doctors in search of prescriptions.
• Pharmacy shopping: filling prescriptions at multiple pharmacies to avoid being denied service.
• Prescription alteration: increasing dosage, quantity or refills on existing prescriptions.
• Washed prescriptions: washing ink off written prescriptions to create blanks and re-writing new fraudulent prescriptions.
• Forged prescriptions: using copy machines or computers to create fake prescriptions.
• Fax and phone prescriptions: faxing fraudulent prescriptions to pharmacies or phoning pharmacies to call in and/or verify prescriptions.
• Illegal market: acquiring drugs from illegal sources.

Regarding providers, some medical providers have turned to selling prescriptions to patients or anyone willing to pay their fees, even when there’s no medical justification for the drug therapies; this activity might or might not take place in the prescribers’ place of business.

As the ACFE indicates, prescribers of large volumes of pain drugs risk being identified as “pill mill” operators. Pain clinics, legitimate and otherwise, often prescribe large volumes of controlled pain drugs. In typically reported cases, patients line up outside the pain clinics prior to their opening because they know they can easily obtain prescriptions for controlled drugs.

Prescribers who knowingly commit prescription fraud have turned to some of the following schemes to defraud the system:

• Medically unnecessary prescribing.
• Internet prescribing.
• Self-prescribing.
• Diversion.
• Collusion.

Like enterprising patients and prescribers, pharmacies that participate in fraud schemes often do so for enhanced profit. In a recent case which received enhanced media coverage, a pharmacist, a doctor and others were among a number arrested for “prescription harvesting”. The accused fraudsters stole patients’ identities to bill Medicare and Medicaid for $18 million in illegitimate prescriptions. Approximately $7.3 million in taxpayer dollars was lost in this scheme.

Other prosecuted pharmacy schemes have included:

• False claims: submitting claims for payment for which no prescription or authorization exists.
• Buy-backs: buying back prescriptions from patients – often at a discount.
• Kickbacks: receiving or providing monetary incentive for selling certain prescriptions.
• Shell or vanishing pharmacies: operating pharmacies in name only – or operating pharmacies just long enough to submit false claims for profit.
• Shell ownership: masking pharmacies’ ownership to hide identities of the true owners.
• Online pharmacies: selling controlled substances illegally with relative anonymity.
• Counterfeit products: knowingly dispensing counterfeit drugs.

Recruiters are intermediaries who engage partners to carry out fraudulent activity. In most cases, recruiters conspire with prescribers and/or pharmacies to enlist patients to carry out their fraudulent billings and/or diversion schemes. Documented cases show that patients, prescribers, pharmacies and recruiters have conspired to submit false claims, and to support buy-backs, kickbacks and diversions.

More than 80 pharmacists, physicians and others in a large metropolitan area conspired to establish a network of pill mills that issued prescriptions, many for controlled drugs such as hydrocodone and oxycodone, to patients without a legitimate need. The patients used Medicaid, Medicare or private insurance coverage to pay for the drugs. The principal pharmacist owned and operated 26 different pharmacies; following prosecution, he was sentenced to 17 years in prison.

Many U.S. federal, state and private organizations are now vigorously data mining prescription activity to detect fraud at all levels. Federal examples include the Drug Enforcement Agency, the DOJ OIG and routine Federal analysis of vendor contracts. Each U.S. state (except Missouri) now has a Prescription Drug Monitoring Program, which receives all information on prescription drug activity for controlled substances from both cash and insurance provider reimbursed prescription transactions. Also, state law enforcement and vendors provide detection activities. Health care entities in the private sector, such as health plans and other payers, sometimes perform the data mining themselves or work with vendors. Private citizens frequently act as whistleblowers to expose fraudsters.

The entities charged with exposing schemers now use numerous methods to detect fraud and are developing new approaches every day just to keep up with all the evolving scenarios. Audits can be an effective detection method when conducted by trained, knowledgeable staff. Those who are called upon to perform desk and onsite audits must be cognizant of current activities and patterns and ensure that involved investigative groups are working together so leads from these audits can be directed to the appropriate law enforcement entities.

To identify aberrant behaviors, investigators utilize a number of different detection processes including:

• Sending confirmation letters to patients or prescribers to validate services received or rendered.
• Analyzing patient, prescriber, pharmacy and drug activities to identify aberrant utilization, prescribing, dispensation and/or processing patterns.
• Analyzing drug utilization by therapy classification and/or risk category.
• Reviewing prescribers by medical specialty to identify individuals prescribing outside the normal scope of their specialties.
• Focusing on geographic areas where fraud is an issue.
• Applying geospatial analyses to determine distances traveled by patients and to identify clusters.
• Searching for historical and current patterns to anticipate future fraudulent behaviors.

Expert fraud examiners can assist in many ways in the performance of different types of analytics on prescription claim data. They use public and private data sources and sophisticated algorithms for retrospective, predictive and geospatial analyses.
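
As an added illustration (not part of the original post, and not any agency's or vendor's actual method), the Python below applies the patient-level pattern analysis listed above to the doctor-shopping and pharmacy-shopping behaviors described earlier. The claim records, the 30-day window and the three-provider thresholds are constructed assumptions chosen only for the example.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample claims (not real data):
# (patient, prescriber, pharmacy, fill date, drug, controlled substance?)
CLAIMS = [
    # P001: four prescribers and four pharmacies within three weeks
    ("P001", "DR-A", "RX-1", date(2024, 3, 1), "oxycodone", True),
    ("P001", "DR-B", "RX-2", date(2024, 3, 4), "oxycodone", True),
    ("P001", "DR-C", "RX-3", date(2024, 3, 9), "hydrocodone", True),
    ("P001", "DR-D", "RX-4", date(2024, 3, 20), "oxycodone", True),
    # P002: three prescribers, but spread over six months at one pharmacy
    ("P002", "DR-A", "RX-1", date(2024, 1, 5), "hydrocodone", True),
    ("P002", "DR-E", "RX-1", date(2024, 3, 10), "hydrocodone", True),
    ("P002", "DR-F", "RX-1", date(2024, 6, 20), "hydrocodone", True),
    # P003: one prescriber, three pharmacies within ten days
    ("P003", "DR-B", "RX-1", date(2024, 4, 2), "oxycodone", True),
    ("P003", "DR-B", "RX-5", date(2024, 4, 6), "oxycodone", True),
    ("P003", "DR-B", "RX-6", date(2024, 4, 11), "oxycodone", True),
    # P004: several prescribers, but no controlled substances involved
    ("P004", "DR-A", "RX-2", date(2024, 5, 1), "amoxicillin", False),
    ("P004", "DR-C", "RX-2", date(2024, 5, 3), "lisinopril", False),
    ("P004", "DR-G", "RX-2", date(2024, 5, 8), "metformin", False),
    # P005: third prescriber falls exactly 30 days after the first (outside window)
    ("P005", "DR-A", "RX-3", date(2024, 3, 1), "oxycodone", True),
    ("P005", "DR-C", "RX-3", date(2024, 3, 15), "oxycodone", True),
    ("P005", "DR-E", "RX-3", date(2024, 3, 31), "oxycodone", True),
]

WINDOW_DAYS = 30      # assumed look-back window
MIN_PRESCRIBERS = 3   # assumed threshold for "doctor shopping"
MIN_PHARMACIES = 3    # assumed threshold for "pharmacy shopping"


def max_distinct_in_window(events, window_days):
    """events: (date, key) pairs sorted by date.
    Returns the largest number of distinct keys seen in any span
    shorter than window_days, using a sliding window."""
    counts = Counter()
    best = 0
    left = 0
    for day, key in events:
        counts[key] += 1
        # Drop events that are window_days or more older than the current one.
        while (day - events[left][0]).days >= window_days:
            old_key = events[left][1]
            counts[old_key] -= 1
            if counts[old_key] == 0:
                del counts[old_key]
            left += 1
        best = max(best, len(counts))
    return best


def flag_shoppers(claims, window_days=WINDOW_DAYS,
                  min_prescribers=MIN_PRESCRIBERS,
                  min_pharmacies=MIN_PHARMACIES):
    """Return {patient: finding} for patients whose controlled-substance
    fills reach either threshold inside one window."""
    by_patient = defaultdict(list)
    for patient, prescriber, pharmacy, filled, _drug, controlled in claims:
        if controlled:  # only controlled-substance fills are analyzed
            by_patient[patient].append((filled, prescriber, pharmacy))

    findings = {}
    for patient, rows in by_patient.items():
        rows.sort(key=lambda r: r[0])
        prescribers = max_distinct_in_window(
            [(d, dr) for d, dr, _ in rows], window_days)
        pharmacies = max_distinct_in_window(
            [(d, rx) for d, _, rx in rows], window_days)
        reasons = []
        if prescribers >= min_prescribers:
            reasons.append("doctor shopping")
        if pharmacies >= min_pharmacies:
            reasons.append("pharmacy shopping")
        if reasons:
            findings[patient] = {"prescribers": prescribers,
                                 "pharmacies": pharmacies,
                                 "reasons": reasons}
    return findings


if __name__ == "__main__":
    for patient, finding in sorted(flag_shoppers(CLAIMS).items()):
        print(patient, finding)
```

A flag from a screen like this is a lead for review, since legitimate care (referrals, travel, a pharmacy out of stock) can produce the same pattern.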

Prescription drug fraud goes far beyond the headlines about controlled drugs. The ACFE reports that fraudsters also target high-dollar retail drugs of all kinds. These medications are used for the treatment of HIV, mental health issues, diabetes and cancer and can all command high fees from desperate patients.

It’s imperative for CFEs, forensic accountants and other assurance professionals to be aware of past and present drug diversion schemes and mindful of the changing health care environment and its associated vulnerabilities, not just to keep pace with fraudsters but, more importantly, to more effectively support the law enforcement professionals who rely on us for the high-quality investigative materials so vital to successful prosecutions.