WHITE-COLLAR CRIME FIGHTER
YOUR SECRET WEAPON IN THE WAR ON FRAUD
IN THE NEWS
Sean O'Dowd, Esq., Bernstein Litowitz Berger & Grossmann LLP
www.wccfighter.com
VOLUME 12 NO. 7 JULY/AUGUST 2010
WHISTLEBLOWER HOTLINES
Steps to Success
It is no secret among anti-fraud professionals that employee tips represent the most common leads to management detection of fraud within their organizations. The Association of Certified Fraud Examiners' recently published 2010 Report to the Nations on Occupational Fraud and Abuse reveals that of all frauds detected by organizations with hotlines in place, 47% were detected via tips, while organizations with no hotlines had only 33.8% of all detected frauds revealed by tips.

Additional finding: According to the 2009 Corporate Governance and Compliance Hotline Benchmarking Report, by The Network and BDO Consulting, of all tips where the case outcome was provided by respondents in 2008, 71% warranted an investigation.

PRACTICAL MATTER
To optimize success and avoid errors and inefficiencies in setting up and managing your whistleblower hotline, consider following these 11 steps...

Step 1: Establish an easily accessible reporting channel. Ensure that your hotline...
Uses a toll-free number.
Works, literally! Make sure the line is functioning... that callers aren't getting busy signals, that the number actually goes to the intended recipient, ideally a live, trained call recipient.

Step 2: Publicize the hotline. You may have the greatest hotline system in the world, but if employees, customers, vendors and others with the ability to submit tips don't know about it, your money is wasted and fraud will continue to go undetected. Moreover, proper publicizing of the hotline's details is required by the federal Sentencing Guidelines. Most effective:
Posters with hotline details and the assurance of non-retaliation for whistleblowers, located liberally throughout the physical premises.
Intranet notices.
Employee fraud awareness training.
Management's continuous emphasis on the urgent importance of a culture of compliance. Employees who understand that management walks the talk with regard to ethics and zero tolerance toward fraud are more likely than otherwise to use the fraud hotline.

Step 3: Provide a choice of reporting options. Toll-free telephone hotlines are essential but may not be sufficient for gathering as many tips as possible. Some potential tipsters prefer anonymous E-mail addresses, Web sites, drop-boxes or anonymous P.O. boxes. Others prefer to report fraud or suspicious activity directly to their supervisors. Key: All of these reporting channels should be available and publicized on a
IN THIS ISSUE
CYBER-CRIME FIGHTER: The number one threat and what you can do ... 3
DOING THE HOMEWORK: Proactive fraud prevention ... 4
CONTROL CENTER: Procure to Pay: Essential internal controls ... 5
THE CON'S LATEST PLOY: Law-enforcement successes from around the country ... 7
White-Collar Crime Fighter
Editor: Peter Goldmann, MSc, CFE
Consulting Editor: Jane Y. Kusic
Managing Editor: Juliann Lutinski
Senior Contributing Editor: David Simpson
Associate Editor: Barbara Wohler
Design & Art Direction: Ray Holland, Holland Design & Publishing
Panel of Advisers
Credit Card Fraud: Tom Mahoney, Merchant 911.org
Forensic Accounting: Stephen A. Pedneault, Forensic Accounting Services, LLC
Fraud and Cyber-Law: Patricia S. Eyres, Esq., Litigation Management & Training Services Inc.
Corporate Fraud Investigation: R.A. (Andy) Wilson, Wilson & Turner Incorporated
Corporate Integrity and Compliance: Martin Biegelman, Microsoft Corporation
Securities Fraud: G.W. Bill McDonald, Investment and Financial Fraud Consultant
Prosecution: Phil Parrott, Deputy District Attorney, Denver District Attorney's Office, Economic Crime Unit
Computer and Internet Investigation: Donald Allison, Senior Consultant, Stroz Friedberg LLC
Fraud Auditing: Tommie W. Singleton, PhD, University of Alabama at Birmingham

White-Collar Crime Fighter (ISSN 1523-0821) is published monthly by White-Collar Crime 101, LLC, 213 Ramapoo Rd., Ridgefield, CT 06877. www.wccfighter.com. Subscription cost: $295/yr. Canada, $345. Copyright 2010 by White-Collar Crime 101, LLC. No part may be reproduced without express permission of the publisher.
Mission Statement
White-Collar Crime Fighter provides information of maximum practical value to organizations and individuals involved in all facets of investigating, detecting and preventing economic crime. This community includes law enforcement, internal auditors, fraud examiners, regulatory officials, corporate security professionals, senior executives, private investigators and many more. The editors of White-Collar Crime Fighter strive to gather and compile the most useful and timely information on economic crime issues. Comments, suggestions and questions are welcome. Please fax us at 203-431-6054, or E-mail us at editor@wccfighter.com. Visit us on the Internet at www.wccfighter.com.
CYBER-CRIME FIGHTER
Lynn Goodendorf, CIPP, CISSP, Good Security Consulting, LLC
Encourage suppliers, customers and any other potential sources to use your hotline as well.
Step 10: Implement audit committee review procedures. The audit committee must carefully evaluate the sensitivity/materiality to determine the need for a full outside investigation of a specific hotline-reported incident. In many instances, sensitive or material matters should be referred to independent counsel for outside investigation. Other outside parties (forensic accountants, additional independent auditors, etc.) may be required depending on the substance of the complaint. From there, actions required may include launching a full-fledged investigation, supporting law enforcement in any necessary legal action and being prepared to produce evidence in the event that it is subpoenaed by legal authorities.

Step 11: Prepare and secure summary reports. The audit committee should prepare and save reports summarizing the resolution of all hotline-reported incidents. Reason: It is important to show compliance with SOX and other applicable laws, or obtain lenience under U.S. Sentencing Guidelines, in the event that the organization is investigated by legal or regulatory authorities.
White-Collar Crime Fighter source: Sean O'Dowd, Esq., Bernstein Litowitz Berger & Grossmann LLP, New York City-based attorneys. Sean specializes in prosecuting corporate fraud cases and has written about and worked with whistleblowers in a variety of contexts. He can be reached at seano@blbglaw.com.
STEALTH-WARE
Malware is special software planted on target computers to collect and transmit sensitive data without being detected.

Example: Among the most well-known malware-based schemes are those based on mass distribution of phishing E-mails (commonly referred to as spam) that contain a link to a fraudster's Web site. Psychological or emotional tactics are used to prompt the recipient to click on a link. The link may take the victim to a site that appears normal, but visiting the site alone triggers downloads of malware.

MODERN-DAY MALWARE
As more employees use laptops or mobile devices to work remotely, an increased vulnerability of these devices to E-mail/phishing malware attacks has emerged. The risk is compounded by use of cell phones and other mobile devices for accessing social media such as Facebook, Twitter, YouTube and LinkedIn.

Example: Facebook now claims to have more than 400 million members. Although Facebook has privacy settings available to restrict who can see a member's information, these settings default to low or no privacy. So if the settings are not changed by the user, all of his or her information may be open to everyone on Facebook.

Result: Any Facebook member can collect names of other people's family members, birthday, hometown, schools attended, names of pets and other personal details that are often used on business systems as "Secret Questions" to verify authorized use when logging in. Moreover, fraudsters on Facebook can often view enough information about a person to pose as someone from their high school or childhood neighborhood, or even a business acquaintance, and send an invitation. If the invitation is accepted, they can then find information on more people in that circle of friends. Self-defense: Only connect and accept invitations from people you know.

Caution: It is generally more difficult to implement and maintain security controls for computers of mobile or remote workers than for desktop computers in a traditional office environment. For example, the Telework Coalition reports that 89% of top US companies offer telecommuting and 58% of companies consider themselves a virtual workplace.

FIGHTING BACK
The findings of the 2009 Verizon Breach Report revealed that 87% of information security breaches by outside hackers could have been avoided with simple controls. This principle holds true for defending against malware attacks as well. The steps described below are neither expensive nor difficult to implement. But
they do require commitment and consistency.

Enforce a robust and thorough process for security patches and software updates. Many organizations mistakenly treat this as a security enhancement project with a beginning and an end, to be checked off as complete. But this process is more of a preventive maintenance function requiring ongoing attention. Effective: Because most professionals relish the satisfaction of completing a task, it is highly effective to implement a weekly or monthly report to management on the status of patching and updates. This provides greater appreciation for the effort involved and can help sustain this type of security work.

Enforce procedures for creating and maintaining strong passwords. This is a basic anti-malware measure that is mentioned over and over by information security experts. Strong passwords continue to be your organization's first line of defense. Critical guideline: Effective passwords comprise a combination of letters and numbers and exceed six characters. In January 2010, Imperva, a company that specializes in Internet security (http://www.imperva.com), conducted a detailed analysis of 32 million breached consumer passwords and found that the most common password was "123456".

Helpful: Use automated tools to prompt and check password strength for users at the time the passwords are created. This type of automated tool is called password filtering, and a leading product available is nFront Security, http://www.nfrontsecurity.com.
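A minimal password filter of the kind described above, written as an added example (it is not code from the newsletter, from Imperva or from nFront Security). It enforces the article's guideline (letters plus numbers, more than six characters) and rejects entries from a constructed sample of commonly breached passwords, including trivially disguised variants of them.

```python
"""Password filter: article guideline + breached-password denylist (added example)."""
import re

MIN_LENGTH = 7  # the article says passwords should "exceed six characters"

# Constructed sample of commonly breached passwords; the real Imperva data set
# is not reproduced here. "123456" is the most common one the article cites.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "abc123", "qwerty", "111111",
}

# Common "leet" substitutions, undone before the denylist comparison.
LEET_MAP = str.maketrans("0134$@!", "oleasai")


def normalize(password):
    """Collapse trivial disguises (case, a trailing digit run, leet spelling)
    so that e.g. 'P@ssw0rd1' is compared against the denylist as 'password'."""
    base = password.lower()
    base = re.sub(r"\d+$", "", base)   # strip trailing digits first
    return base.translate(LEET_MAP)    # then undo leet substitutions


def check_password(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Za-z]", password):
        problems.append("contains no letters")
    if not re.search(r"\d", password):
        problems.append("contains no digits")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("matches a commonly breached password")
    return problems


def is_acceptable(password):
    """True when the password meets every rule above."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd1", "abcdefg", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The normalization step is what distinguishes a filter from a plain length check: a denylist compared only against the literal string is bypassed by the first capital letter or trailing digit.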
ting outright fraud, there is still the chance that passive deception is in play, such as failure to accurately or fully report key financial information.
Recommended: Rather than overhauling your due diligence practices, focus on ensuring that they reach more broadly and deeply into the target company. Conduct probing, in-depth discussions with the target company's management to gain a better understanding of specific fraud risk factors affecting product(s) or ser
Use only authentic software and operating systems with legal licenses. Counterfeit software or unlicensed copies are high-risk because they may already be infected with malware and cannot be updated or patched. An estimated 20% of US software is pirated or counterfeit. The main clue that software is pirated or unlicensed is a price that is far below retail.

Educate employees on how to respond to spam to thwart persistent types of malware. Key points for users:
Never click on embedded links.
Never open mail from
CONTROL CENTER
Christine Doxey, CAPP, CCSA, CICA, Business Strategy Inc.
unknown senders.
Always check extension names on attachments for anything that looks unusual. For instance, double extensions such as file.doc.doc may indicate that a document is malicious.
Always verify E-mail senders and be aware that sender addresses can be spoofed or falsified. If the message asks for confidential information or does not seem like a typical message from the sender, send a reply and ask the sender to confirm the message. If a legitimate sender's E-mail address was spoofed, a reply message will not be delivered to the legitimate owner of the E-mail address and the fraud can be avoided.
Never give personal information in reply to an Instant Message or unsolicited E-mail.

SECURITY MUSTS FOR IT ADMINISTRATORS
Your organization's IT department of course plays a critical role in protecting your PCs and servers from malware attacks (as well as other information security crimes). Caution: Avoid underestimating the risk of loss or compromise of confidential data due to improper computer or network configuration.
Example: Hackers scan the Internet for computers that have an open Port 445, which is used for file sharing. If this port is not blocked by firewall or router settings, a hacker can take control of the computer and make it a "zombie". This tactic has been used to build hacker attack armies (called botnets) consisting of millions of compromised computers. In short, Port 445 should never be connected or exposed to the Internet.
PROCURE TO PAY
Essential Internal Controls For Fraud Prevention
When identifying and reducing fraud risk in your organization's procure-to-pay (P2P) cycle, it is essential to document and test controls in the entire cycle.
Key: This approach helps your procurement and accounts payable (AP) teams to understand how their processes interact with each other and to coordinate fraud risk assessments. This in turn sets the groundwork for effectively optimizing anti-fraud controls in business processes throughout the P2P cycle.
SEGREGATION OF DUTIES IN P2P Segregation of duties (SoD) lies at the heart of effective anti-fraud controls for P2P. SoD benefits:
Prevention of most common procurement and AP fraud schemes.
Prevention of collusive fraud schemes between procurement and AP personnel.
Enhanced likelihood that honest errors will be found.

How it works: In its most general sense, SoD means that no individual has control over two or more phases of any P2P transaction or operation that would enable him or her to commit fraud.
Example: If a single procurement or AP employee can carry out and conceal fraudulent activities in the course of his or her daily work processes, the individual has what are called incompatible duties or responsibilities, and by extension, has an opportunity to commit billing schemes, false vendor fraud and numerous other procurement and/or AP frauds.
ment to eliminate them to avoid being victimized by such frauds.

Mini case study 2: An AP supervisor had access to all areas of the finance module in her company's enterprise resource planning (ERP) system. She set up a fraudulent vendor, created a phony invoice, paid the invoice and altered financial records to conceal the fraud. Key: SoD was not in place to ensure controlled system access. The employee was caught when the company initiated an audit of ERP system access. Red flags were discovered and the employee confessed to stealing $300,000.
P2P ANTI-FRAUD CONTROLS MODEL
The focus of the P2P anti-fraud controls model is on SoD throughout the cycle. The model thus encompasses identification of risk and enforcement of specific anti-fraud SoD and SoD-related controls for:
Procurement
Check requests
Vendor maintenance
Disbursements
Goods receipt
Accounting
Invoice processing
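The "audit of ERP system access" that exposes incompatible duties can be expressed as a check over role assignments. The block below is an added example (not the newsletter's or Business Strategy Inc.'s code): it models the seven P2P phases just listed as duties, declares which pairs are incompatible under the SoD definition above (one person able to both carry out and conceal a transaction), and reports every user whose combined roles grant such a pair. The incompatible pairs, the ERP roles and the user list are assumptions constructed for the example.

```python
"""SoD conflict audit over P2P role assignments (added example)."""
from itertools import combinations

# The seven P2P phases from the article, used as duty names.
PHASES = {"procurement", "check_requests", "vendor_maintenance", "disbursements",
          "goods_receipt", "accounting", "invoice_processing"}

# Assumed incompatible pairs: each lets one person both execute and conceal
# (e.g. create a vendor in the master file and then approve its invoices).
INCOMPATIBLE = {
    frozenset({"vendor_maintenance", "invoice_processing"}),
    frozenset({"vendor_maintenance", "disbursements"}),
    frozenset({"procurement", "vendor_maintenance"}),
    frozenset({"procurement", "goods_receipt"}),
    frozenset({"invoice_processing", "disbursements"}),
    frozenset({"check_requests", "disbursements"}),
    frozenset({"disbursements", "accounting"}),
}

# Constructed ERP roles; each grants one or more duties.
ROLES = {
    "BUYER": {"procurement"},
    "RECEIVING_CLERK": {"goods_receipt"},
    "AP_CLERK": {"invoice_processing"},
    "TREASURY": {"disbursements"},
    "VENDOR_ADMIN": {"vendor_maintenance"},
    "GL_ACCOUNTANT": {"accounting"},
    "FINANCE_ALL": set(PHASES),   # "access to all areas of the finance module"
}


def duties_for(roles):
    """Union of duties granted by a list of role names."""
    duties = set()
    for role in roles:
        if role not in ROLES:
            raise KeyError("unknown role: %s" % role)
        duties |= ROLES[role]
    return duties


def conflicts_for(roles):
    """Sorted list of incompatible duty pairs that this role combination grants."""
    duties = duties_for(roles)
    return sorted(tuple(sorted(pair)) for pair in combinations(duties, 2)
                  if frozenset(pair) in INCOMPATIBLE)


def audit(assignments):
    """Map user -> conflict list for every user holding at least one SoD conflict."""
    findings = {}
    for user, roles in assignments.items():
        conflicts = conflicts_for(roles)
        if conflicts:
            findings[user] = conflicts
    return findings


# Constructed user-to-role assignments.
ASSIGNMENTS = {
    "alice": ["BUYER"],
    "bob": ["AP_CLERK", "VENDOR_ADMIN"],       # mini case study 1 pattern
    "carol": ["FINANCE_ALL"],                  # mini case study 2 pattern
    "dave": ["RECEIVING_CLERK", "GL_ACCOUNTANT"],
}

if __name__ == "__main__":
    for user, conflicts in audit(ASSIGNMENTS).items():
        print(user, conflicts)
```

Run periodically against an export of actual role assignments, the findings list is the red-flag report the case study describes; a compensating control (secondary approval, DoA limits) can be recorded per finding rather than silently accepted.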
Critical: Ensure that virus and anti-spam products purchased and implemented by your IT department include a feature called URL filtering, which will block known malicious Web sites. Leading vendors include Norton by Symantec, Trend Micro, Kaspersky and McAfee.

Challenge: In many organizations, IT system administrators are not security specialists. It is therefore essential that they either have security training specific to their job roles or guidance and reviews related to security. One of the best security training resources for IT staff is the SANS Institute (http://www.sans.org).
White-Collar Crime Fighter source: Lynn Goodendorf, CIPP, CISSP, Good Security Consulting LLC, provider of risk-based strategies for Security and Privacy. Lynn can be contacted at lynn@goodsecurityconsulting.com.
Mini case study 1: A procurement employee approves a phony vendor and enters it into the vendor master file (VMF). Fraudulent invoices are sent to the AP department and paid to the employee. Key: A well-designed P2P controls program would immediately identify these SoD conflicts and signal manage-
Encouraging: While ACH debit gradually increases as a form of business payment, organizations appear to be implementing some of the effective anti-fraud measures available for electronic payment. In 2009, 11% of organizations said ACH debit fraud increased, while in 2008, the figure was 14%. Important: Due to effective anti-fraud measures, most organizations that were targeted by payments fraudsters did not actually lose money to fraud attempts. In fact, 70% of targeted organizations reported no loss, up from 63% the year before. Caveat: Of the 30% of organizations that did suffer losses to payments fraud, the percentage represented by check fraud was up in 2009 to 64% from 60% the year before. Important indicator: While, as mentioned above, use of checks continues to decline, check fraud losses continue to grow. Organizations must thus be more aggressive in implementing anti-check-fraud controls such as positive pay, payee positive pay, reverse positive pay, and "post no checks" on depository accounts (which blocks checks from a depository account or from an account dedicated to electronic debits).
White-Collar Crime Fighter sources: 2010 AFP Payments Fraud and Control Survey Report of Survey Results, Association for Financial Professionals, www.AFPonline.org/research; JP Morgan Chase Fraud Prevention, https://www.chase.com/index.jsp?pg_name=ccpmapp/commercial/prod_serv/page/fps_overview.
accordance with the organization's delegation of authority (DoA) protocols. (DoA is an essential anti-fraud controls system that augments SoD by establishing limits on financial transaction authority by management level or function.)
DoA approval rules are periodically reviewed and updated to ensure appropriate approval levels.
Service requisitions contain detailed documentation.
Only authorized personnel can review and/or edit requisitions.
PRs must be properly approved before proceeding to PO release.
PO data transmission to vendors is verified. (Automated PO data may be sent to certain vendors and can facilitate quick procurement of small, routine orders.)
Only authorized buyers can review, edit and release POs.
Annual supplier reviews. Reviews include reassessment of established key performance indicators (KPIs).
Contract compliance reviews are conducted annually to ensure that terms and conditions have been properly executed.
Details: The whistleblower provisions of the Act empower the government to award 10% to 30% of monetary sanctions over $1 million to individuals who provide information which leads to a successful SEC enforcement. Added change: The new law also allows a whistleblower to receive an award regardless of whether any violation of a provision of the securities laws, or a rule or regulation thereunder, underlying the SEC enforcement action occurred prior to the date of enactment of the provisions. Key: Employees who become aware of potential violations of the FCPA by their employers now have legal protections and a financial incentive to report the misconduct to the federal government.
While some groups and attorneys feel that the government's failure to exclude the FCPA from the bounty provisions of the Act could lead to unfair awards to whistleblowers, because many if not most FCPA cases are settled rather than litigated, without the target company being forced to admit any wrongdoing, others predict that the new law will greatly increase the number of FCPA matters under government investigation.
White-Collar Crime Fighter sources: Dodd-Frank Wall Street Reform and Consumer Protection Act, http://thomas.loc.gov/cgi-bin/bdquery/z?d111:H.R.4173:; Mike Kohler, assistant professor of Business Law at Butler University and moderator of the FCPA Professor blog at http://fcpaprofessor.blogspot.com/; Proposed Rewards for FCPA Whistleblowers Raise Risk for Multinational Corporations, alert from Morgan Lewis & Bockius LLP, www.morganlewis.com.
general ledger accounts is in place for receipts that do not reflect a purchase order, cost center or account.
All reversals of goods receipts made after an invoice receipt posts are validated according to set authorizations.
SoD for warehouse management is continuously monitored and enforced.
Invoice processing...
Invoices are paid upon validation with goods received and POs.
Blocked three-way match exceptions are flagged and reviewed by AP for clearing.
Purchase authorization conforms with approval policies which are carefully designed for optimal SoD.
EDI transactions are accurate and accurately recorded in the ERP.
THE CON'S LATEST PLOY ... From White-Collar Crime Fighter's files
Denver, CO
Check requests...
Check requests are routed to appropriate personnel in Accounting for review prior to payment release.
Check requests conform with authorized purposes and amount limitations.
Disbursements...
All disbursement transactions are traceable to the GL and bank statement.
Appropriate anti-fraud audit testing is performed to monitor compliance.
Vendor discounts are taken according to company policy.
Disbursements are recorded in the period in which they were made.
Expenses are accurately recorded in accounting records during the period in which the liabilities were incurred.
Blank checks are properly stored and safeguarded.
Void or canceled checks are accurately recorded.
Banking and disbursement data is protected from loss or destruction.
All key checking accounts are set up with positive pay, payee positive pay or reverse positive pay, or a combination of the three.
Accounting...
All AP-related accounts are reconciled on a monthly basis. Essential:
Variances are aged and explained.
Action plans are specified to address variances.
Significant balance fluctuations are explained.
Account reconciliations are appropriately approved.
Bank branch manager, trusted for 32 years, stole for more than 25 of them. Margaret Migues pled guilty in federal court to one count of embezzlement by a bank employee. According to the U.S. Attorney's Office for the Southern District of Mississippi, Migues worked in the banking business for 32 years, starting at the Pascagoula Moss Point Bank, which was later bought by Hancock Bank, where she worked until she was caught stealing in July 2009. Details: According to the indictment, filed in March, Migues and two of her coworkers began the scheme in or around 1980. They embezzled money from elderly customers' accounts and concealed the embezzlements by preventing account statements from being sent to the customers, and by making sure that Migues and her two co-workers were the only ones who dealt with their victims. By the time the scheme was discovered in July 2009, the bank had already destroyed most of the records from the early years of the embezzlement. The total amount embezzled from October 1995 to July 2009 was $2,386,451.84. The total amount stolen will likely never be known due to the absence of the older records. It was determined, however, that Migues and her co-conspirators executed at least 1,600 illegal transactions and the victims ranged in age from 71 to 102 years old.
Clearing accounts are reconciled on a monthly basis. Debit balances are treated and aged as accounts receivable.
White-Collar Crime Fighter source: Christine Doxey, CAPP, CCSA, CICA, vice president of business development, Business Strategy Inc., a Grand Rapids, MI-based accounts payable and contract compliance audit and automation solutions firm. Chris can be reached at cdoxey@businessstrategy.com.
Baltimore, MD
If you were the CFO, would you write 47 company checks to yourself and expect not to get caught? Ernest Theodore Solo apparently thought so. He pled guilty to
Philadelphia, PA
Everybody's safe: It's baseball season and with men on base, two outs and the game on the line, the smallest error in the field can mean runners safely make it home when they should be out. Making it safely home is exactly what two former high-level executives of pharmaceuticals giant Bristol-Myers Squibb (BMS) achieved when, after seven years of criminal investigation, the federal government decided to let the bosses walk on charges of massive accounting fraud. Details: The case involves BMS's practice of channel stuffing, a scheme whereby a seller (in this case BMS) provides financial incentives (better known as payoffs) to buyers (in this case large drug wholesalers) to purchase product they don't yet need. This of course enables the perpetrator to report receivables that aren't really receivables, because the buyers would normally not have made the purchases without the bribe. Specifically, according to court documents, between 2000 and 2001, BMS gave wholesalers financial incentives, amounting to tens of millions of dollars each quarter ... to spur them to buy its products in excess of prescription demand projections. For example, in August 2001 [the defendants] approved $47 million in sales incentives for the third quarter, and in November 2001 [they] approved $85 million in sales incentives for the
fourth quarter. These incentives [were recorded as costs to cover] the wholesalers' carrying costs and guaranteed return on their investment until they sold the products. [Prosecutors] characterized this as a deceptive strategy to increase sales and earnings in the short term to meet Bristol's aggressive sales and earnings targets and, in turn, artificially inflate the stock price. Outcome: After a lengthy trial and appeal, the government decided that the legal technicalities in the case were too complex to sustain their charges against the executives, so DoJ officials offered a deferred prosecution agreement (DPA) (see also White-Collar Crime Fighter, April 2010, p. 1). Under the agreement, the former executives will each pay a modest fine and agree not to serve in comparable positions in public companies for two years. Bottom line: After causing a multi-billion-dollar plunge in BMS's stock price as a result of news of the investigation, and having allegedly committed massive accounting fraud and covered it up, the bosses were cleared by DoJ as an apparent matter of expeditiousness. But the precedent set won't help the batting averages of prosecutors going for convictions of future corporate fraudsters.
White-Collar Crime Fighter sources: United States of America, Appellant v. Frederick S. Schiff, Nos. 08-1903, 08-1909; Off the Hook: Why Drug Prosecutions Are Targeting Middle Managers and Letting Bosses Slide, article by Jim Edwards on bnet.com, http://industry.bnet.com/pharma/10008772/off-the-hook-why-drug-prosecutions-are-targeting-middle-managers-and-letting-bosses-off-the-hook/.
WHITE-COLLAR CRIME FIGHTER
Your Secret Weapon in the War on Fraud

YES! I want to save $100 on a one-year subscription to WHITE-COLLAR CRIME FIGHTER! By subscribing now, I'll get the money-saving introductory subscription rate of $150. That's $100 off the regular subscription price of $250! Plus, send me, for FREE, the new book, Detecting and Preventing Fraud in Accounts Payable. This is a $50 value, yours absolutely FREE with your subscription to White-Collar Crime Fighter!
Payment enclosed (or) Charge my: Visa / Mastercard / AMEX / Discover / Bill me. Card #, Expiration date, Signature, Name, Affiliation, Address, City, State, Zip.
achieving its security objectives. Key: The average cost to mitigate a cyber attack for organizations with a high SES is substantially lower than for organizations with a low SES score.

For valuable details on cyber-crime prevention, download the study, First Annual Cost of Cyber Crime Study: Benchmark Study of U.S. Companies, conducted by the Ponemon Institute, at http://www.arcsight.com/collateral/whitepapers/Ponemon_Cost_of_Cyber_Crime_study_2010.pdf.
COMING SOON IN
White-Collar Crime Fighter
Detecting and preventing management override of internal controls
New electronic evidence rules and procedures
Information security strategies for non-technical decision-makers
Professional skepticism: Essential to fraud detection
Call 1-800-440-2261, or fax this order form to 203-431-6054, or subscribe on-line at www.wccfighter.com.
Or mail this form and your check to: White-Collar Crime Fighter, 213 Ramapoo Rd., Ridgefield, CT 06877. You can contact White-Collar Crime Fighter by E-mail: subscribe@wccfighter.com