Tag Archives: forensic accounting

And the Cash Flows On

As a fraud examiner and information systems auditor, I’ve always been a big fan of the cash flow statement and I think you should be too. For the non-accountant investigators among you, the cash flow statement reveals what happened to the client’s cash during the reporting period. It’s very much like your bank account statement: You have a beginning balance of cash at the start of the month, you deposit your paycheck, you write some checks for your mortgage and groceries, and then you end the month with a new cash balance. This is what a cash flow statement is: simply a beginning balance of cash, plus or minus some cash transactions, to arrive at an ending cash balance.

Another way to view the cash flow statement is as an income statement that is adjusted for non-cash transactions and transactions that have not yet impacted cash. Non-cash transactions are transactions that affect the income statement but will never affect cash. Depreciation is a non-cash transaction that is added back to profits on the cash flow statement since cash is never paid out or collected when an asset is depreciated. The cash flow statement also clarifies transactions that immediately impact cash. A company can make a sale but not collect on it, or incur an expense and not immediately pay for it in cash. These are called accounts receivable and accounts payable, respectively. Revenues that are earned but not received and expenses that are incurred but not paid would show up on the income statement, but not on the cash flow statement. So the formula for the statement is simply …

Beginning Cash Balance
+I- Net Cash Flows from Operating Activities
+I- Net Cash Flows from Investing Activities
+I- Net Cash Flows from Financing Activities
= Ending Cash Balance

There are two methods of reporting cash flows from operations; in the direct method, the sources of operating cash flows are listed along with the uses of operating cash flows, with the difference between them being the net cash flow from operating activities. In contrast, the indirect method reconciles net income per the income statement with net cash flows from operating activities; that is, accrual-basis net income is adjusted for non-cash revenues and expenses to arrive at net cash flows from operations. The net cash flows from operating activities is the same amount regardless of which method is used. The indirect method is usually easier to compute and provides a comparison of the company’s operating results under the accrual and cash methods of accounting. As a result, most companies choose to use the indirect method, but either method is acceptable.

So what does all this provide as a tool for the fraud examiner? Simply, the cash flow statement provides any CFE with lots of neat information for further analysis in a very compact form. First of all, the statement tells you what the company’s cash receipts and cash payments were for the period. Remember that it’s unlike the income statement in that the income statement takes into account all revenue and expense transactions, whether or not they affected cash. The cash flow statement only considers transactions that involve cash.

The cash flow statement divides the company’s cash transactions into three categories:

• Operating activities, which include all cash received and paid out in connection with the company’s normal business operations, such as cash received from customers and funds paid to vendors. This category essentially encompasses any cash transactions that affect items on the income statement.
• Investing activities, which are cash flows related to the sale or purchase of non-current assets, such as fixed assets, intangible assets, and investments. This category generally covers those cash transactions that affect the asset side of the balance sheet.
• Financing activities, which are all cash inflows and outflows pertaining to the company’s debt and equity financing. Inflows include the proceeds received from issuing stocks and bonds and from borrowing money from a bank. Outflows include debt repayments and cash dividends paid to shareholders. In general, this category includes the cash transactions that affect the liabilities and owners’ equity side of the balance sheet.

In a perfect world, a company should only need loans when it has a timing problem between collecting and spending money or when it’s expanding. However, if a company expends more money than it will ever make, it will eventually go out of business. This is where the cash flow statement is so useful to the fraud examiner. You will want to get an idea of the cash flow necessary to run the business so that you will be able to tell whether the company is generating enough cash from operations to continue to do business. The examiner can also evaluate the relationship between total cash generated from financing and investing activities and the amount generated by operating activities.

Some things you will want to note from the cash flow statement in connection with any suspected financial fraud:
• Does the company have heavy demands on its operating cash each period?
• Do the inflows equal or exceed the outflows?
• Is the cash balance increasing or decreasing over time?
• Is the company making smart decisions about sources and uses of cash given its apparent financial condition?

This is information pertinent to the investigation of a wide range of fraud scenarios, the successful investigation of which involves different data than that commonly available in the income statement. The income statement alone does not reveal a complete picture of the company’s financial health, necessary for a full investigation of so many types of fraud. Evaluating income and cash flows includes considering the timing of items, such as collections of accounts receivable. In the end, a company might have a fabulous looking income statement, but might not have any cash available for operations. This may occur because the revenues recorded on the income statement have not been collected. Remember, as part of doing business, companies usually allow customers to make purchases on credit; this means the companies will collect the cash subsequent to the actual recording of the revenues. For example, a small high-tech manufacturer might have a healthy looking profit on its income statement, but not be able to pay its employees’ salaries. However, the entrepreneurial owners of the company expect all is well, since they think the net income on the income statement to be equal to the amount of cash in the company’s bank account. But, as is often the case, there’s a timing difference between when the company records a sale and when it actually receives the cash from its customers. As a result, the cash balance seldom, if ever, will match the income on the income statement. Other transactions – such as accrued or prepaid expenses, depreciation, and inventory purchases – will also cause a disparity between an organization’s net income and its net cash flows.

The statement of cash flows represents a trove of invaluable information that can cast light on virtually every aspect of a client’s financial health and, thus inform any investigation. Use it to your advantage.

Reaching Behind the Curtain

Not too long ago a close friend of one of our Chapter members paid a substantial sum of money to a relative, the owner of a closely held corporation, in exchange for a piece of the relative’s real estate to which, it turns out,  the relative/owner did not have clear title.  The relative apparently used a substantial portion of the funds to immediately clear debts of his corporation of which he and his wife are the sole officers and shareholders.  He now claims that, since he used the sale proceeds for corporate purposes, the refund of the purchase price he owes our Chapter member’s friend is a debt of the corporation and not of his personally.   Our Chapter’s friend has engaged an attorney at the suggestion of our certified Chapter member.

Our legal system recognizes that corporations have a separate existence from their shareholders/owners and are treated as ‘individuals’ under the law. There are two ways for a wrong-doer to use the existence of a corporation to avoid efforts to recover a money damage judgment from him or her:

–As in this case, the scammer argues that the corporation and not the shareholder/owner committed the offense, and therefore the shareholder’s personal assets and property should not be used to satisfy any judgment for the offense.

–Argues that the wrongdoer/shareholder’s property is held in the name of the corporation, and therefore s/he has no personal assets that can be used to satisfy a judgment against him  or her.

The first reflects the classic doctrine that shareholder/owners are not liable for the debts or liabilities of the corporation. Of course, if the shareholder/owner also controls the corporation and personally acted wrongfully, s/he may still be liable for her misconduct, and the corporation may simply be jointly and severally liable together with her. Whether the wrongful conduct was that of the corporation or that of an individual shareholder usually is a question of fact to be decided by the jury.

The second reflects the corporation’s ability, as a separate legal entity, to own its own property. If the corporation owns the property, then the individual shareholder does not.  Since both pre-judgement attachment writs and writs of execution can only reach a defendant’s interest in leviable assets, a wrongdoer can appear without assets and judgment proof – and your client can be unable to satisfy a money judgment against her- if the wrongdoer/shareholder has transferred title in her personal assets to the corporation. This does not apply to a non-money judgment to recover specific money or property which can reach proceeds or property in the hands of the wrongdoer or of third persons. Of course, if the wrongdoer’s transfer of assets to the corporation was to defraud creditors, the injured party can seek to have the transfers set aside.

However, even where a corporation apparently shields the defendant or his or her property, the wrongdoer and her leviable property can still be reached if the court can be convinced to disregard the corporation or to regard it merely as her alter ego. The court may do so if it can be proved that the corporation is merely a sham whose sole purpose is to help the wrongdoer fraudulently avoid liability for her conduct. This is sometimes called piercing the corporate veil.

If the corporation is found to be the alter ego of the shareholder, then either or both of the following consequences apply, depending on the goal in piercing the corporate veil:

–The wrongdoer is no longer shielded from liability for the corporation’s misconduct because the wrongdoer and the corporation are viewed by the court as one and the same.

–Corporate property can be reached to satisfy a judgment against the wrongdoer because the property is now regarded, properly, as the wrongdoer/shareholder’s property.

One of the factors to consider in attempting to pierce the corporate veil is whether the corporation is closely held; i.e. owned or directed by one or by a small or limited number of shareholders, officers, and directors (often all the members of the same family). Obviously, the larger the number of shareholders, and the more broadly the corporation’s directing positions are distributed, the less likely it is to be a sham or alter ego for one person. However, given the lawful goals and purposes of incorporation, even a small, closely held corporation may be legitimate. Conversely, the existence of other shareholders or other directors and officers may not mean that the corporation is not a sham.

The ACFE tells us that there is no hard and fast test to determine whether a corporation is a sham. Instead, courts will look at a variety of factors to determine whether to pierce the corporate veil. These factors include:

–As in this case, does the wrongdoer exercise sole or ultimate control over the activities of the corporation?

–Does the corporation’s charter describe the approved activities of the corporation with some specificity, or is it left largely to the discretion of the wrongdoer?

–Does the corporation fail to hold director’s and shareholder’s meetings, record minutes of those meetings, and otherwise observe the formalities of corporate existence?

–Is the corporation so undercapitalized as to raise questions about its viability as a separate entity?

–Are the corporation’s finances so intertwined or identifiable with those of the wrongdoer as to raise questions about its separate existence?

–Does the corporation own property which does not seem to reasonably relate to its activities, particularly as described in its charter?

–Does the wrongdoer use the corporation’s property as if they were her own, personal assets, including but not limited to whether she uses them for purposes not within the corporation’s approved activities?

These and similar or related facts can indicate that the corporation is a sham and has no true, separate existence from the wrongdoer/shareholder. In that case, the court would be justified in ruling that the corporation should be regarded as an alter ego of the wrongdoer and that the corporation and the wrongdoer be considered as one and the same ‘person’ for purposes of determining liability or levying on assets to satisfy a money judgment.

Many thanks to our member for bringing this case to our attention!

The Critical Twenty Percent

According to the Pareto Principle, for many phenomena, 80 percent of the consequences stem from 20 percent of the causes. Application of the principle to fraud prevention efforts related particularly to automated systems seems increasingly apropos given the deluge of intrusions, data thefts, worms and other attacks which continue unabated, with organizations of all kinds losing productivity, revenue and more customers every month. ACFE members report having asked the IT managers of numerous victimized organizations over the years what measures their organization took prior to an experienced fraud to secure their networks, systems, applications and data, and the answer has typically involved a combination of traditional perimeter protection solutions (such as firewalls, intrusion detection, antivirus and antispyware) together with patch management, business continuance strategies, and access control methods and policies. As much sense as these traditional steps make at first glance, they clearly aren’t proving sufficiently effective in preventing or even containing many of today’s most sophisticated attacks.

The ACFE has determined that not only are some organizations vastly better than the rest of their industries at preventing and responding to cyber-attacks, but also that the difference between these and other organizations’ effectiveness boils down to just a few foundational controls. And the most significant within these foundational controls are not rooted in standard forms of access control, but, surprisingly, in monitoring and managing change. It turns out that for the best performing organizations there are six important control categories – access, change, resolution, configuration, version release and service levels. There are performance measures involving each of the categories defining audit, operations and security performance measures. These include security effectiveness, audit compliance disruption levels, IT user satisfaction and unplanned work. By analyzing relationships between control objectives and corresponding performance indicators, numerous researchers have been able to differentiate which controls are actually most effective for consistently predictable service delivery, as well as for preventing and responding to security incidents and fraud related exploits.

Of the twenty-one most important foundational controls used by the most effective organizations at controlling intrusions, there were two used by virtually all of them. Both of these controls revolve around change management:

• Are systems monitored for unauthorized changes in real time?
• Are there defined consequences for intentional unauthorized changes?

These controls are supplemented by 1) a formal process for IT configuration management; 2) an automated process for configuration management; 3) a process to track change success rates (the percentage of changes that succeed without causing an incident, service outage or impairment); 4) a process that provides relevant personnel with correct and accurate information on all current IT infrastructure configurations. Researchers found that these top six controls help organizations help manage risks and respond to security incidents by giving them the means to look forward, averting the riskiest changes before they happen, and to look backward, identifying definitively the source of outages, fraud associated abnormalities or service issues. Because they have a process that tracks and records all changes to their infrastructure and their associated success rates, the most effective organizations have a more informed understanding of their production environments and can rule out change as a cause very early in the incident response process. This means they can easily find the changes that caused the abnormal incident and remediate them quickly.

The organizations that are most successful in preventing and responding to fraud related security incidents are those that have mastered change management, thereby documenting and knowing the ‘normal’ state of their systems in the greatest possible detail. The organization must cultivate a ‘culture’ of change management and causality throughout, with zero tolerance for any unauthorized changes. As with any organizational culture, the culture of change management should start at the top, with leaders establishing a tone that all change must follow an explicit change management policy and process from the highest to the lowest levels of the organization, with zero tolerance for unauthorized change. These same executives should establish concrete, well-publicized consequences for violating change management procedures, with a clear, written change management policy. One of the components of an effective change management policy is the establishment of a governing body, such as a change advisory board that reviews and evaluates all changes for risk before approving them. This board reinforces the written policy, requiring mandatory testing tor each and every change, and an explicit rollback plan for each in the case of an unexpected result.

ACFE studies stress that post incident reviews are also crucial, so that the organization protects itself from repeating past mistakes. During these reviews, change owners should document their findings and work to integrate lessons learned into future anti-fraud operational practices.
Perhaps most important for responding to changes is having clear visibility into all change activities, not just those that are authorized. Automated controls that can maintain a change history reduce the risk of human error in managing and controlling the overall process.

So organizations that focus solely on access and reactive resolution controls at the expense of real time change management process controls are almost guaranteed to experience in today’s environment more security incidents, more damage from security incidents, and dramatically longer and less-effective resolution times. On the other hand, organizations that foster a culture of disciplined change management and causality, with full support from senior management, and have zero tolerance for unauthorized change and abnormalities, will have a superior security posture with fewer incidents, dramatically less damage to the business from security breaches and much faster incident identification and resolution of incidents when they happen.

In conducting a cyber-fraud post-mortem, CFE’s and other assurance professionals should not fail to focus on strengthening controls related to reducing 1) the amount of overall time the IT department devotes to unplanned work; 2) a high volume of emergency system changes; 3) and the number and nature of a high volume of failed system changes. All these are red-flags for cyber fraud risk and indicative of a low level of real time system knowledge on the part of the client organization.

Do We Owe It?

During one of our past May training events, our speaker, shared a fascinating, real life example from her own practice of how detailed analytic analysis could be especially helpful in addressing false billing frauds. In addition, she explained at length just how this type of fraud works.

In a false billing scheme, an employee or outside party creates false vouchers or submits false invoices to a target organizational payer. These documents cause the payer to issue payments for goods or services that are either completely fictitious or overstated in price. The perpetrator then collects the fraudulent payments/checks and converts them for personal use. Another common billing fraud involves buying personal goods or services with company money.

A false billing fraud affects the purchasing cycle, causing the company to pay for nonexistent or non-essential goods or services. Most false billing frauds involve a service, since it is easier to conceal a service that is never performed than to conceal goods never received. As our speaker’s example demonstrated, the most common billing scheme, is setting up one or more bogus vendors. There are several ways to do this. The most common is to create a fictitious vendor (often called a shell company), open a bank account in the shell company’s name, and bill the victimized company. The perpetrator then creates an invoice and sends it to his/her employer. Invoices can be professionally produced via computer and desktop publishing software, typewritten, or even prepared manually. Often, the most difficult aspect of a fraudulent billing scheme is getting the false invoice approved and paid. In many instances of billing fraud, the person perpetrating the fraud is also the person in the company who is authorized to approve invoices for payment. Another popular means of getting invoice approval is to submit invoices to an inattentive, trusting, or “rubber-stamp” manager. Furthermore, perpetrators often create false supporting documents to facilitate approvals and payments, e.g., voucher packages.

A perpetrator can also use a shell company to perpetrate a pass-through billing scheme: the perpetrator places orders for goods with his shell company, has his shell company order the goods from a legitimate supplier at market prices, and then sells those goods to his employer at inflated prices. The fraud lies in the fact that the victimized company is buying the goods it needs from an unauthorized vendor at inflated prices. The perpetrator “profits” from the inflated prices gained while acting as an unauthorized middle-man in a necessary company transaction.

Rather than utilizing shell companies to overbill, some employees generate false disbursements through invoices of non-accomplice vendors. In what is called a pay and return scheme, the perpetrator makes an error in a vendor payment to facilitate the theft. One way to do that is to overpay or double-up on payments, request a check from the vendor for the excess, and steal the check when it arrives. Another scenario is to pay the wrong vendor by placing vendor checks in the wrong envelopes, then calling the vendors to explain the mistake and requesting the return of the checks. When the checks return, they are stolen. The support documents are sent through the accounts payable system a second time; and these checks are sent to the proper vendors.

Another scheme involves purchasing personal items with company money. One popular way to do this is to make a personal purchase, then run the unauthorized invoice through the accounts payable system. If the perpetrator is not in a position to approve the purchase, s/he may have to create a false purchase order to make the transaction appear legitimate or alter an existing purchase order and have an accomplice in receiving remove the excess merchandise.
Another way to purchase personal items with company money is to have the company order merchandise, then intercept the goods when they are delivered. To avoid having the merchandise delivered to the company, the perpetrator often will have it diverted to their home or some other address, such as a spouse’s business address. A third way to purchase personal items with company money is to make personal purchases on company credit cards. No matter which of the approaches is used, the perpetrator will either keep the purchases for personal use or turn the purchase into cash (or a credit card refund) by returning the merchandise.

Our event speaker pointed out that, in some ways, it’s easier to conceal a billing fraud than other frauds, but in other ways, it’s harder. It’s easier in that the perpetrator does not have to remove cash or inventory from company premises; instead, the company mails her a check. It’s more difficult in that, when the perpetrator creates a bogus vendor or shell company, s/he has to come up with a name, mailing address (often the fraudster’s home address or a postal box), and phone number (often a home phone number); open a bank account in the shell company’s name (usually requiring him or her to file or forge articles of incorporation) or in his own name; deposit and withdraw money; and create and send vendor invoices. Any of these can lead back to the perpetrator, making it easier to find him once the fraud is detected and the shell company identified.

Depending on the scheme and organizational controls in place, the perpetrator may have to falsify or alter a purchase requisition, purchase order, receiving report, or vendor invoice, or fool or force the authorizing person to approve or forge an authorization. Perpetrators involved in a pay and return fraud usually have to intercept any checks that are returned.

Our speaker additionally presented a number of red flags usually present when a false billing fraud is taking place, including:

• An unexplained increase in services performed (services that were paid for, but never performed);
• Payments to unapproved vendors;
• Invoices approved without supporting documents;
• Falsified or altered voucher documents; for example, altering a purchase order after its approval;
• Inflated prices on purchases or orders of unnecessary goods and services;
• Payments to an entity controlled by an employee;
• Multiple payments on the same invoice or over payments on an invoice;
• Personal purchases with company credit cards or charge accounts;
• Excessive returns to vendors, or full payment not received for items returned;
• A vendor with a post office box address (many post office box addresses are legitimate, but a smart.

On May 15-16th, 2019 our Chapter will be hosting a two-day ACFE lead seminar entitled, ‘How to Testify’. Our speaker, Hugo Holland, wants to make a courtroom pro out of you! Learn how to testify effectively on direct and cross examination, basic courtroom procedures, and most important, tricks for surviving on the witness stand. Improve your techniques on how to offer testimony about damages and restitution while learning to know when to draw the line between aggressive testimony and improper advocacy. Walk away with more effective report writing skills and explore the different types of evidence and legal remedies in this 2-day, ACFE instructor-led course. To review the event content and to register to attend, click here. Hope you can join us!

Fraudsters, All Too Human

Our certified Chapter members often get questions from clients and employers related to why a fraudster who’s victimized them did what he or she did. Examiners with the most experience in the process of interviewing those later convicted of fraud comment again and again about the usefulness to their overall investigation of a basic understanding of the fraudster’s basic mind set. Such knowledge can aid the examiner in narrowing down the preliminary pool of suspects, and, most importantly, assist in gaining an admission in a subsequent admissions seeking interview. ACFE experts regard fraud (and the process of interviewing) primarily as human constructs, and especially within the content of the interview process, to be able to tie in the pressure that the individual might have been under (as they perceived it) to the interview process; to understand that individual with regard to their rationalization as they were able to affect it, significantly increases the possibility of getting the compliance and cooperation that the examiner wants from the interviewee.

During your investigation, it’s important to remember that people do things for a reason. The fraud examiner might not understand the reasons a fraudster commits his or her crime, but the motivations certainly make sense to the perpetrator. For example, a perpetrator might commit fraud because her life has spiraled out of control, although it might not be out of control under a objective, reasonable person’s definition. But in the perpetrator’s view, her life has become so problematic that fraud is the only way she can see to restore balance. And during the fraud examination, if the examiner can get the suspected perpetrator to talk about the lack of control in her life, the examiner can often use this information to compel the fraudster to admit guilt and provide valuable insight into ways that similar frauds might be prevented in the future.

As a continuation of this line of thought, the examiner should consider possible human motives when examining evidence. Motive is the power that prompts a person to act. Motive, however, should not be confused with intent, which refers to the state of mind of the accused when performing the act. Motive, unlike intent, is not an essential element of crime, and criminal law generally treats a person’s motive as irrelevant in determining guilt or innocence. Even so, motive is relevant for other purposes. It can help identify the perpetrator; it will often guide the examiner to the proper rationalization; it further incriminates the accused, and it can be helpful in ensuring successful prosecution.

The examiner should search relevant documents to determine a possible motive. For example, if a fraud examiner has evidence in the form of a paycheck written to a ghost employee, she might suspect a payroll employee who recently complained about not receiving a raise in the past two years. Although such information doesn’t mean that the payroll employee committed fraud, the possible motive can guide the examiner.

ACFE experts also agree that interviewers should seek to understand the possible motives of the various suspects they encounter during an examination. To do this, interviewers should suspend their own value system. This will better position the interviewer to persuade the suspect(s) to reveal information providing insight into what might have pressured or motivated them and how they might have rationalized their actions. In an interview situation, the examiner should not suggest reasons for the crime. Instead, the examiner should let the individual share his motivations, even if the suspect reveals her motivations in an indirect manner. So when conducting an interview with a suspect, the interviewer should begin by asking questions about the standard procedures and the actual practice of the operations at issue. This is necessary to gain an understanding of the way the relevant process is intended to work as opposed to how it actually works. Additionally, asking such basic questions early in the interview will help the interviewer observe the interviewee’s normal behavior so that the interviewer can notice any changes in the subject’s mannerisms and word choice.

Always remember that there are times when rational people behave irrationally. This is important in the interview process because it will help humanize the misconduct. As indicated above, unless the perpetrator has a mental or emotional disorder, it is acceptable to expect that the perpetrator committed the fraud for a reason. Situational fraudsters (those who rationalize their right to an illegal enrichment and perpetrate fraud when the opportunity arises) do not tend to view themselves as criminals. In contrast to deviant fraudsters, who are more proactive than situational fraudsters and who are always on the alert for opportunities to commit fraud, situational fraudsters rationalize their crimes. Situational fraudsters feel that they need to commit fraud to regain control over their lives. Thus, an interviewer will be more likely to obtain a confession from a situational fraudster if she can genuinely communicate that she understands how anyone under similar circumstances might commit such a crime. Genuineness, however, is key. If the fraudster in any way detects that the interviewer is presenting a trap, he generally will not make any admission of wrongdoing.

So, in your examinations, never lose sight of the human element; that by definition, fraud involves human deception for personal gain. Why do people deceive to get what they want, or in some cases, what they need? Most humans commit deceptive acts to protect themselves from various consequences of the truth. Avoiding punishment is the most common reason for deception, but there are other reasons, including to protect another person, to win the admiration or respect of others, to avoid embarrassment, enjoy the thrill of accomplishment and to avoid hard work to achieve goals. When people feel that their self-security is threatened, they might resort to deception to preserve their image. Further, people can become so engaged in managing how others perceive them that they become unable to separate the truth from fiction in their own minds.

The ability to sympathetically cast oneself into the human situation of others is one of the most valuable skills that a fraud examiner can have in our efforts to determine the truth.

Cash In – Cash Out

One of our associate Chapter members has become involved in her first fraud investigation just months after graduating from university and joining her first employer. She’s working for a restaurant management consulting practice and the investigation involves cash theft targeting the cash registers of one of the firm’s smaller clients. Needless to say, we had a lively discussion!

There are basically two ways a fraudster can steal cash from his or her employer. One is to trick the organization into making a payment for a fraudulent purpose. For instance, a fraudster might produce an invoice from a nonexistent company or submit a timecard claiming hours that s/he didn’t really work. Based on the false information that the fraudster provides, the organization issues a payment, e.g., by sending a check to the bogus company or by issuing an inflated paycheck to the employee. These schemes are known as fraudulent disbursements of cash. In a fraudulent disbursement scheme, the organization willingly issues a payment because it thinks that the payment is for a legitimate purpose. The key to the success of these types of schemes is to convince the organization that money is owed.

The second way (as in our member’s restaurant case) to misappropriate cash is to physically remove it from the organization through a method other than the normal disbursement process. An employee takes cash out of his cash register, puts it in his pocket, and walks out the door. Or, s/he might just remove a portion of the cash from the bank deposit on their way to the bank. This type of misappropriation is what is referred to as a cash theft scheme. These schemes reflect what most people think of when they hear the term “theft”; a person simply grabs the money and sneaks away with it.

What are commonly denoted cash theft schemes divide into two categories, skimming and larceny. The difference between whether it’s skimming or larceny depends completely on when the cash is stolen, a distinction confusing to our associate member. Cash larceny is the theft of money that has already appeared on a victim organization’s books, while skimming is the theft of cash that has not yet been recorded in the accounting system. The way an employee extracts the cash may be exactly the same for a cash larceny or skimming scheme. Because the money is stolen before it appears on the books, skimming is known as an “off-book” fraud. The absence of any recorded entry for the missing money also means there is no direct audit trail left by a skimming scheme. The fact that the funds are stolen before they are recorded means that the organization may not be “aware” that the cash was ever received. Consequently, it may be very difficult to detect that the money has been stolen.

The basic structure of a skimming scheme is simple: Employee receives payment from a customer, employee pockets payment, employee does not record the payment. There are a number of variations on the basic plot, however, depending on the position of the perpetrator, the type of company that is victimized, and the type of payment that is skimmed. In addition, variations can occur depending on whether the employee skims sales or receivables (this post is only about sales).

Most skimming, particularly in the retail sector, occurs at the cash register – the spot where revenue enters the organization. When the customer purchases merchandise, he or she pays a cashier and leaves the store with whatever s/he purchased, i.e., a shirt, a meal, etc. Instead of placing the money in the cash register, the employee simply puts it in his or her pocket without ever recording the sale. The process is made much easier when employees at cash collection points are left unsupervised as is the case in many small restaurants. A common technique is to ring a “no sale” or some other non-cash transaction on the employee’s register. The false transaction is entered on the register so that it appears that the employee is recording the sale. If a manager is nearby, it will look like the employee is following correct cash receipting procedures, when in fact the employee is stealing the customer’s payment. Another way employees sometimes skim unrecorded sales is by conducting sales during nonbusiness hours. For instance, many employees have been caught selling company merchandise on weekends or after hours without the knowledge of the owners. In one case, a manager opened his store two hours early every day and ran it business-as-usual, pocketing all sales made during the “unofficial” store hours. As the real opening time approached, he would destroy all records from the off-hours transactions and start the day from scratch.

Although sales skimming does not directly affect the books, it can show up on a company’s records in indirect ways, usually as inventory shrinkage; this is how the skimming thefts were detected at our member’s client. The bottom line is that unless skimming is being conducted on a very large scale, it is usually easier for the fraudster to ignore the shrinkage problem. From a practical standpoint, a few missing pieces of inventory are not usually going to trigger a fraud investigation. However, if a skimming scheme is large enough, it can have a marked effect on a small business’ inventory, especially in a restaurant where profit margins are always tight and a few bad sales months can put the concern out of business. Small business owners should conduct regular inventory counts and make sure that all shortages are promptly investigated and accounted for.

Any serious attempt to deter and detect cash theft must begin with observation of employees.  Skimming and cash larceny almost always involve some form of physical misappropriation of cash or checks; the perpetrator actually handles, conceals, and removes money from the company. Because the perpetrator will have to get a hold of funds and actually carry them away from the company’s premises, it is crucial for management to be able to observe employees who handle incoming cash.

Charting the Road Ahead

There are a number of good reasons why fraud examiners and forensic accountants should work hard at including inclusive, well written descriptions of fraud scenarios in their reports; some of these reasons are obvious and some less so. A well written fraud report, like little else, can put dry controls in the context of real life situations that client managers can comprehend no matter what their level of actual experience with fraud. It’s been my experience that well written reports, couched in plain business language, free from descriptions of arcane control structures, and supported by hard hitting scenario analysis can help spark anti-fraud conversations throughout the whole of a firm’s upper management.

A well written report can be a vital tool in transforming that discussion from, for example, relatively abstract talk about the need for an identity management system to a more concrete and useful one dealing with the report’s description of how the theft of vital business data has actually proven to benefit a competitor.

Well written, comprehensive fraud reports can make fraud scenarios real by concretely demonstrating the actual value of the fraud prevention effort to enterprise management and the Board. They can also graphically help set the boundaries for the expectations of what management will expect the prevention function to do in the future if this, or similar scenarios, actually re-occur. The written presentation of the principal fraud or loss scenario treated in the report necessarily involves consideration of the vital controls in place to prevent its reoccurrence which then allows for the related presentation of a qualitative assessment of the present effectiveness of the controls themselves. A well written report thus helps everyone understand how all the control failures related to the fraud interacted and reinforced each other; it’s, therefore, only natural that the fraud examiner or analyst recommend that the report’s intelligence be channeled for use in the enterprise’s fraud and loss prevention program.

Strong fraud report writing has much in common with good story telling. A narrative is shaped explaining a sequence of events that, in this case, has led to an adverse outcome. Although sometimes industry or organization specific, the details of the specific fraud’s unfolding always contains elements of the unique and can sometimes be quite challenging for the examiner even to narrate. The narrator/examiner should especially strive to clearly identify the negative outcomes of the fraud for the organization for those outcomes can sometimes be many and related. Each outcome should be explicitly explicated and its impact clearly enumerated in non-technical language.

But to be most useful as a future fraud prevention tool the examiner’s report needs to make it clear that controls work as separate lines of defense, at times in a sequential way, and at other times interacting with each other to help prevent the re-occurrence of the adverse event. The report should attempt to demonstrate in plain language how this structure broke down in the current instance and demonstrate the implications for the enterprise’s future fraud prevention efforts. Often, the report might explain, how the correct operation of just one control may provide adequate protection or mitigation. If the controls operate independently of each other, as they often do, the combined probability of all of them failing simultaneously tends to be significantly lower than the probability of failure of any one of them. These are the kinds of realities with the power to significantly and positively shape the fraud prevention program for the better and, hence, should never be buried in individual reports but used collectively, across reports, to form a true combined resource for the management of the prevention program.

The final report should talk about the likelihood of the principal scenario being repeated given the present state of preventative controls; this is often best-estimated during discussions with client management, if appropriate. What client management will truly be interested in is the probability of recurrence, but the question is actually better framed in terms of the likelihood over a long (extended) period of time. This question is best answered by involved managers, in particular with the loss prevention manager. If the answer is that this particular fraud risk might materialize again once every 10 years, the probability of its annual occurrence is a sobering 10 percent.

As with frequency estimation, to be of most on-going help in guiding the fraud prevention program, individual fraud reports should attempt to estimate the severity of each scenario’s occurrence. Is it the worst case loss, or the most likely or median loss? In some cases, the absolute worst case may not be knowable, or may mean something as disastrous as the end-of-game for the organization. Any descriptive fraud scenario presented in a fraud report should cover the range of identified losses associated with the case at hand (including any collateral losses the business is likely to face). Documented control failures should always be clearly associated with the losses. Under broad categories, such as process and workflow errors, information leakage events, business continuity events and external attacks, there might have to be a number of developed, narrative scenarios to address the full complexity of the individual case.

Fraud reports, especially for large organizations for which the risk of fraud must always remain a constant preoccupation, can be used to extend and refine fraud prevention programs. Using the documented results of the fraud reporting process, report data can be converted to estimates of losses at different confidence intervals and fed to the fraud prevention program’s estimated distributions for frequency and severity. The bottom line is that organizations of all sizes shouldn’t just shelve their fraud reports but use them as vital input tools to build and maintain the ongoing process of fraud risk assessment for ultimate inclusion in the enterprise’s loss prevention and fraud prevention programs.

! RVACFES May 2019 Spring Training Event !

The ACFE wants to help establish you as a consummate courtroom professional! Certified Fraud Examiners, accountants, auditors and investigative/assurance professionals of all kinds are called upon to provide testimony in criminal and civil prosecutions where their services can be used to support investigations of matters such as financial frauds, embezzlements, misapplication of funds, bankruptcy fraud, improper accounting practices, and tax fraud. Fraud examiners may also be used as defense witnesses or to support the defendant’s counsel on matters that involve accounting or audit related issues.

LEARN MORE

There are two basic kinds of testimony. The first is lay testimony (sometimes called factual testimony), where witnesses testify about what they have experienced firsthand and their factual observations. The second kind is expert testimony, where a person who, by reason of education, training, skill, or experience, is qualified to render an expert opinion regarding certain issues at hand. Typically, a fraud examiner who worked on a case will be capable of providing lay testimony based on observations made during the investigation.

Certified Fraud Examiners (CFEs) and forensic accountants serve two primary roles as experts in forensic matters: expert consultants and expert witnesses. The fraud investigator must always be prepared to serve as an expert witness in court and learning how best to do so is critical for the rounded professional. The expert consultant is an independent fraud examiner/accounting contractor who provides expert opinions in a wide array of cases, such as those relating to fraud investigations, divorces, mergers and acquisitions, employee-employer disputes, insurance disputes, and so on. In a fraud case, the CFE could identify and document all fraudulent transactions. This in turn could lead to reaching a plea bargain with a guilty employee. Therefore, the CFE helps solve a problem before any expert trial testimony is needed.

In addition, CFEs and forensic accountants are called upon to provide expert consultation services involving testimony in such areas as:

• Fraud investigations and management.
• Business valuation calculations.
• Economic damage calculations.
• Lost profits and wages.
• Disability income analysis.
• Economic analyses and valuations in matrimonial (prenuptial, postnuptial, and divorce) accounting.
• Adequacy of life insurance.
• Analysis of contract proposals.

As you will learn, the most important considerations at trial for experts are credibility, demeanor, understandability, and accuracy. Credibility is not something that can be controlled in and of itself but is a result of the factors that are under the control of the expert witness. Our speaker, HUGO HOLLAND, CFE, JD,  will expound in greater detail on these and other general guidelines:

• The answering of questions in plain language. Judges, juries, arbitrators, and others tend to believe expert testimony more when they truly understand what the expert says. It is best, therefore, to reduce complicated, technical arguments to plain language.

• The answering of only what is asked. Expert witnesses should not volunteer more than what is asked even when not volunteering more testimony could suggest that the expert’s testimony is giving the wrong impression. It is up to counsel to clear up any misimpressions through follow-up questions. That is, it is up to counsel to “rehabilitate” an expert witness who appears to have been impeached. That said, however, experienced expert witnesses sometimes volunteer information to protect their testimony from being twisted. Experience is needed to know when and how to do this. The best thing for an inexperienced expert witness is to work with experienced attorneys who know how to rehabilitate witnesses.

• The maintenance of a steady demeanor. It is important for the expert witness to maintain a steady, smooth demeanor regardless of which questions are asked and which side’s attorney asks them. It is especially undesirable to do something such as assume defensive body language when being questioned by the opposing side.

• How to be friendly and smile at appropriate times. Judges and juries are just people, and it helps to appear as relaxed but professional.

• Remain silent when there is an objection by one of the attorneys. Continue speaking only when instructed to do so.

• How best to state the facts. The expert witness should tell truth plainly and simply. You will learn how the expert’s testimony should not become more complicated or strained when it appears to be harmful to the client the expert represents. The expert witness should not try to answer questions to which she does not know the answer but should simply say that she does not know or does not have enough information to form an opinion.

• Learn to control the pace The opposing attorney can sometimes attempt to crush a witness by rapid fire questions. The expert witness should avoid firing back answers at the same pace. This can avoid giving the appearance that she is arguing with the examining attorney. It also helps prevent her from being rushed and overwhelmed to the point of making mistakes.
• Learn how to testify effectively on direct and cross examination, basic courtroom procedures, and most important, tricks for surviving on the witness stand. Improve your techniques on how to offer testimony about damages and restitution while learning to know when to draw the line between aggressive testimony and improper advocacy. Walk away with more effective report writing skills and explore the different types of evidence and legal remedies in this 2-day, ACFE instructor-led course.

REGISTER HERE

The Association of Certified Fraud Examiners is the world’s largest anti-fraud organization and premier provider of antifraud training and education. Together with more than 85,000 members, the ACFE is reducing business fraud worldwide and inspiring public confidence in the integrity and objectivity within the profession. Visit ACFE.com to learn more.

“ACFE,” “CFE,” “Certified Fraud Examiner,” “CFE Exam Prep Course,” “Fraud Magazine,” “Association of Certified Fraud Examiners,” “Report to the Nations,” the ACFE Seal, the ACFE Logo and related trademarks, names and logos are the property of the Association of Certified Fraud Examiners, Inc., and are registered and/or used in the U.S. and countries around the world.

Inflexible Reporting

Our Chapter and the ACFE have published a number of articles and posts over the last few years about the various types of pressures that can push ethically challenged employees over the line between temptation and the perpetration of an actual accounting fraud. One category of such pressure stems directly from the nature of our present system of periodic financial reporting which, it can be argued, not only creates unnecessary volatility in the stock and financial markets but ends up requiring rational investors to demand a premium for securities investments by emphasizing the short term risk that near term, inflexable, quarterly earnings targets will not be met. The pressure to meet these short term targets can only give rise to operational inefficiencies which in turn drive up the inherent inefficiency in the transmission of information from public companies to financial markets based on a model which hasn’t changed much since its original definition during the Great Depression years of the 1930’s.

I’ve seen articles in the Journal of Accountancy and in other authoritative financial publications pointing toward a better way and, with the advent of and widening support for the electronic reporting of financial results to the SCC (the XBRL initiative), we can hope we’re well into the drawn of a new age. That there’s been pushback to this effort is understandable. Those familiar with the technical and professional minefield of the present quarterly reporting process can only feel sympathy with those financial officers who have to go through it, quarter by quarter and year after year. Questions originally abounded about process and mechanics like how is electronically published financial information going to be verified and what real controls are there over its reliability? What happens if there’s an honest mistake?

Think about all this from the point of view of the fraud examiner. If enterprises, listed and non-listed, can make the transition from a periodic to a real-time, electronic based financial reporting system, the resulting efficiencies and the decrease in numerous types of fraud related risk would be truly striking. Real-time financial reporting would free our clients from the tyranny of the present, economically nonsensical, reporting of quarterly results. How much of the incentive to commit financial fraud to meet the numbers does that immediately alleviate? As one financial expert after another has pointed out over the years, there’s just no justification for focusing on a calendar quarter as the unit in which to take stock of financial performance, beyond the fact that that’s what’s presently codified in the law. By contrast, what if financial information were published and available to all users on a real-time basis? The immediate availability of such information, continuously updated, on whatever basis is appropriate for the individual enterprise and its industry, would force companies to adopt a reporting unit that ready makes sense to them and to their principal information users. For some companies that unit might be a week, a month, a quarter, semi-annually or a year. So be it. Let a thousand flowers bloom; the upshot is that what would end up being reported would make sense for the company, its industry and for the information users rather than the one-size fits all, set in stone, prescription of the present law.

An additional advantage, and one with immediate implications for fraud prevention, would be the opportunity for increased efficiency in financial markets as investment dollars could be allocated not according to quarterly results or according to the best guess estimates of financial analysts, but by reliable financial information provided directly by the company all the time; goodbye to many of the present information control vulnerabilities that support insider trading because information is not widely and efficiently disseminated. The point is that by employing digital, cloud-based analytics report building tools properly, users of all kinds could customize a set of up-to-date financial reports (in whatever format) on whatever time period, that suits their fancy.

But many have also pointed out that if there is to be such a shift from periodic to real-time financial reporting, there needs to be a fundamental change in basic attitudes toward financial reporting. Those who report and those who inspect financial information will have to change their focus from methods by which the numbers themselves are checked (audited) to methods (as with XBRL) that focus on the reliability of the system that generates the numbers. That’s where fraud examiners and other financial insurance professionals come in. On-line financial information will be published with such frequency and so rapidly, that there will be no time to “check” individual numbers; the emphasis for assurance professionals will, therefore, need to shift away from checking numbers and balances to analysis of and reporting on the integrity of the system of internal controls over the reporting system itself; understanding of the details of the internal control system over financial reporting will gain a level of prominence it’s never had before.

Fraud examiners need to be aware of these issues when counseling clients about the profound impact that digitally based, on-line reporting of financial information is and will have on their fraud prevention and fraud risk assessment programs. As with all else in life, real time financial reporting will inevitably decrease the risk of some fraud scenarios and increase the risk of others.

Fraud Detection-Fraud Prevention

One of our CFE chapter members left us a contact comment asking whether concurrent fraud auditing might not be a good fraud prevention tool for use by a retailer client of hers that receives hundreds of credit card payments for services each day. The foundational concepts behind concurrent fraud auditing owe much to the idea of continuous assurance auditing (CAA) that internal auditors have applied for years; I personally applied the approach as an essential tool throughout by carrier as a chief audit executive (CAE). Basically, the heart of a system of concurrent fraud auditing (CFA) like that of CAA is the process of embedding control based software monitors in real time, automated financial or payment systems to alert reviewers of transactional anomalies in as close to their occurrence as possible. Today’s networked/cloud based processing environments have made the implementation and support of such real time review approaches operationally feasible in ways that the older, batch processing based environments couldn’t.

Our member’s client uses several on-line, cloud based services to process its customer payments; these services provide our member’s client with a large database full of payment history, tantamount to a data warehouse, all available for use on SQL server, by in-house client IT applications like Oracle and SAP. In such a data rich environment, CFE’s and other assurance professionals can readily test for the presence of transactional patterns characteristic of defined, common payment fraud scenarios such as those associated with identity theft and money laundering. The objective of the CFA program is not necessarily to recover the dollars associated with on-line frauds but to continuously (in as close to real time as possible) adjust the edits in the payment collection and processing system so that certain fraudulent transactions (those associated with known fraud scenarios) stand a greater chance of not even getting processed in the first place. Over time, the CFA process should get better and better at editing out or flagging the anomalies associated with your defined scenarios.

The central concept of any CFA system is that of an independent application monitoring for suspected fraud related activity through, for example (as with our Chapter member), periodic (or even real time) reviews of the cloud based files of an automated payment system. Depending upon the degree of criticality of the results of its observations, activity summaries of unusual items can be generated with any specified frequency and/or highlighted to an exception report folder and communicated to auditors via “red flag” e-mail notices. At the heart of the system lies a set of measurable, operational metrics or tags associated with defined fraud scenarios. The fraud prevention team would establish the metrics it wishes to monitor as well as supporting standards for those metrics. As a simple example, the U.S. has established anti-money-laundering banking rules specifying that all transactions over $10,000 must be reported to regulators. By experience, the $10,000 threshold is a fraud related metric investigators have found to be generic in the identification of many money-laundering fraud scenarios. Anti-fraud metric tags could be built into the cloud based financial system of our Chapter member’s client to monitor in real time all accounts payable and other cash transfer transactions with a rule that any over $10,000 would be flagged and reviewed by a member of the audit staff. This same process could have multiple levels of metrics and standards with exceptions fed up to a first level assurance process that could monitor the outliers and, in some instances, send back a correcting feedback transaction to the financial system itself (an adjusting or corrective edit or transaction flag). The warning notes that our e-mail systems send us that our mailboxes are full are another example of this type of real time flagging and editing.

Yet other types of discrepancies would flow up to a second level fraud monitoring or audit process. This level would produce pre-formatted reports to management or constitute emergency exception notices. Beyond just reports, this level could produce more significant anti-fraud or assurance actions like the referral of a transaction or group of transactions to an enterprise fraud management committee for consideration as documentation of the need for an actual future financial system fraud prevention edit. To continue the e-mail example, this is where the system would initiate a transaction to prevent future mailbox accesses to an offending e-mail user.

There is additionally yet a third level for our system which is to use the CFA to monitor the concurrent fraud auditing process itself. Control procedures can be built to report monitoring results to external auditors, governmental regulators, the audit committee and to corporate council as documented evidence of management’s performance of due diligence in its fight against fraud.

So I would encourage our member CFE to discuss the CFA approach with the management of her client. It isn’t the right tool for everyone since such systems can vary greatly in cost depending upon the existing processing environment and level of IT sophistication of the implementing organization. CFA’s are particularly useful for monitoring purchase and payment cycle applications with an emphasis on controls over customer and vendor related fraud. CFA is an especially useful tool for any financial application where large amounts of cash are either coming in or going out the door (think banking applications) and to control all aspects of the processing of insurance claims.