
WHITE-COLLAR CRIME FIGHTER
YOUR SECRET WEAPON IN THE WAR ON FRAUD

www.wccfighter.com
VOLUME 12 NO. 7 JULY/AUGUST 2010

IN THIS ISSUE
CYBER-CRIME FIGHTER: The number one threat and what you can do
DOING THE HOMEWORK: Proactive fraud prevention
CONTROL CENTER: Procure to Pay: Essential internal controls
THE CON'S LATEST PLOY: Law-enforcement successes from around the country

IN THE NEWS

Will New Whistleblower Protections Deter Fraud?

A critical though under-publicized component of the financial reform legislation signed into law by President Obama in July gives whistleblowers monetary incentives to report suspected securities fraud to the Securities and Exchange Commission (SEC) and the Commodities Futures Trading Commission (CFTC). The provision makes employees eligible for 10% to 30% of fines over $1 million collected by the SEC or CFTC (see also p. 6).

Long overdue: By also allowing whistleblowers to file complaints of retaliation for Sarbanes-Oxley-protected activity in federal court, the new law enables these employees to bypass the OSHA process completely. According to one prominent law firm specializing in labor law, this is an option many employees may prefer given the notoriously high percentage of dismissals of corporate whistleblower tips and the low number of favorable OSHA rulings.

Bottom line: If nothing else, the new provision will almost certainly force management to focus more on compliance with securities laws, to avoid the enhanced risk of being the target of the bounty provision of the new law.

WHISTLEBLOWER HOTLINES
Sean O'Dowd, Esq., Bernstein Litowitz Berger & Grossmann LLP

Steps to Success

It is no secret among anti-fraud professionals that employee tips represent the most common leads to management detection of fraud within their organizations. The Association of Certified Fraud Examiners' recently published 2010 Report to the Nations on Occupational Fraud and Abuse reveals that of all frauds detected by organizations with hotlines in place, 47% were detected via tips, while organizations with no hotlines had only 33.8% of all detected frauds revealed by tips.

Additional finding: According to the 2009 Corporate Governance and Compliance Hotline Benchmarking Report, by The Network and BDO Consulting, of all tips where the case outcome was provided by respondents in 2008, 71% warranted an investigation.

PRACTICAL MATTER

To optimize success and avoid errors and inefficiencies in setting up and managing your whistleblower hotline, consider following these 11 steps...

Step 1: Establish an easily accessible reporting channel. Ensure that your hotline...
• Uses a toll-free number.
• Works, literally! Make sure the line is functioning... that callers aren't getting busy signals... that the number actually goes to the intended recipient, ideally a live, trained call recipient.

Step 2: Publicize the hotline. You may have the greatest hotline system in the world, but if employees, customers, vendors and others with the ability to submit tips don't know about it, your money is wasted and fraud will continue to go undetected. Moreover, proper publicizing of the hotline's details is required by the federal Sentencing Guidelines. Most effective:
• Posters with hotline details and the assurance of non-retaliation for whistleblowers, located liberally throughout the physical premises.
• Intranet notices.
• Employee fraud awareness training.
• Management's continuous emphasis on the urgent importance of a culture of compliance. Employees who understand that management "walks the talk" with regard to ethics and zero tolerance toward fraud are more likely than otherwise to use the fraud hotline.

Step 3: Provide a choice of reporting options. Toll-free telephone hotlines are essential but may not be sufficient for gathering as many tips as possible. Some potential tipsters prefer anonymous E-mail addresses, Web sites, drop-boxes or anonymous P.O. boxes. Others prefer to report fraud or suspicious activity directly to their supervisors.

Key: All of these reporting channels should be available and publicized on a continuous basis.

Step 4: Staff your hotline with independent, trained personnel. "Independent" does not necessarily mean "third-party." Some companies, including very large publicly traded ones, prefer to keep their hotline operations in-house, based on the belief that their own employees understand the culture of the company better than a third-party provider can.

Important: There is no firm rule on whether an internally managed hotline is better than a third-party service provider or vice versa. The critical factor is that regardless of who is answering hotline calls, they must have the independence necessary to engage callers in such a way as to earn their trust and cooperation. Call recipients (or their supervisors) must also have the freedom to directly contact the organization's audit committee in the event that a reported fraud implicates one or more members of top management.

Step 5: Properly train hotline staff. Properly fielding a call from an often nervous anonymous caller is not as easy as it may sound. Special interviewing skills are required to draw the caller out and to share as much as he or she knows about the incident as possible. If you choose to manage your hotline in-house, it often pays to engage a professional interviewing coach to assist in this training. Such a person will be able to develop detailed scripts to follow, including the best wording to convince callers that there will be no retaliation.

Step 6: Establish and maintain a detailed claim/tip log. As soon as a tip is received, hotline personnel should immediately initiate an entry into a claim log.

Key: To preserve anonymity, each claim must receive a unique claim number or other anonymous identifier. The log should also be used to document the critical details about each individual tip.

Important: Claim/tip logs serve as initial hard copy records for compliance and complaint resolution, and for potential future legal purposes.

Step 7: Make your hotline available to all stakeholders. Sarbanes-Oxley only requires companies to provide hotline facilities for employees, but outsiders often know of wrongdoing too. Encourage suppliers, customers and any other potential sources to use your hotline as well.

Step 8: Appoint a claims screening committee for initial claims assessment. Responsibility for hotline supervision rests with the audit committee. But in most organizations, it is impractical to expect the committee to handle every fraud tip. Recommended:
• Have your claims screening committee make the initial determination as to whether claims have merit and might adversely affect the organization's financial performance and/or its reputation.
• Ensure that claims committee members have ready access to management to contribute to deliberations on whether to initiate an investigation.
• Implement and enforce a clear protocol detailing when and under which circumstances to escalate matters to the audit committee or another designated executive or regulatory body.

"DETECTING AND PREVENTING FRAUD IN TODAY'S HIGH-CRIME CLIMATE"
A SPECIAL HOW-TO LEARNING SERIES FROM AUDITNET AND FRAUDAWARE

Get Expert Advice on how to stay a step ahead of fraudsters with proven tactics and techniques. After completing this carefully designed series of 12 high-impact Webinars featuring the anti-fraud profession's top experts, your auditors, investigators, accounting staff, financial personnel, compliance officers and senior management teams will have a unique body of knowledge, skills and abilities to launch highly effective initiatives that beat fraudsters at their own games, affordably and efficiently. Sign up now for this unique series of learning sessions that get right to the brass tacks of using your organization's resources to safeguard its financial, intellectual and physical assets from the growing army of fraudsters. For full details, dates, CPE credits and registration options, PLUS VALUABLE FREE BONUSES please visit http://www.auditnet.org/FASTPACKdm.htm

White-Collar Crime Fighter

Editor: Peter Goldmann, MSc, CFE
Consulting Editor: Jane Y. Kusic
Managing Editor: Juliann Lutinski
Senior Contributing Editor: David Simpson
Associate Editor: Barbara Wohler
Design & Art Direction: Ray Holland, Holland Design & Publishing

Panel of Advisers
Credit Card Fraud: Tom Mahoney, Merchant 911.org
Forensic Accounting: Stephen A. Pedneault, Forensic Accounting Services, LLC
Fraud and Cyber-Law: Patricia S. Eyres, Esq., Litigation Management & Training Services Inc.
Corporate Fraud Investigation: R.A. (Andy) Wilson, Wilson & Turner Incorporated
Corporate Integrity and Compliance: Martin Biegelman, Microsoft Corporation
Securities Fraud: G.W. "Bill" McDonald, Investment and Financial Fraud Consultant
Prosecution: Phil Parrott, Deputy District Attorney, Denver District Attorney's Office, Economic Crime Unit
Computer and Internet Investigation: Donald Allison, Senior Consultant, Stroz Friedberg LLC
Fraud Auditing: Tommie W. Singleton, PhD, University of Alabama at Birmingham

White-Collar Crime Fighter (ISSN 1523-0821) is published monthly by White-Collar Crime 101, LLC, 213 Ramapoo Rd., Ridgefield, CT 06877. www.wccfighter.com. Subscription cost: $295/yr. Canada, $345. Copyright 2010 by White Collar Crime 101, LLC. No part may be reproduced without express permission of the publisher.

Mission Statement
White-Collar Crime Fighter provides information of maximum practical value to organizations and individuals involved in all facets of investigating, detecting and preventing economic crime. This community includes law... internal auditors... fraud examiners... regulatory officials... corporate security professionals... senior executives... private investigators... and many more. The editors of White-Collar Crime Fighter strive to gather and compile the most useful and timely information on economic crime issues. Comments, suggestions and questions are welcome. Please fax us at 203-431-6054, or E-mail us at editor@wccfighter.com. Visit us on the Internet at www.wccfighter.com.



Step 9: Enforce clear escalation policies and procedures. If a fraud tip does require the attention of the audit committee, your claims screening committee should prepare a report for the committee as soon as possible. At this stage, an additional interview with the whistleblower should be conducted by a trained, independent interviewer and incorporated into the case report.

Aim: To gather as many additional details about the reported fraud incident as possible in support of a potential investigation and/or legal action.

Step 10: Implement audit committee review procedures. The audit committee must carefully evaluate the sensitivity/materiality to determine the need for a full outside investigation of a specific hotline-reported incident. In many instances, sensitive or material matters should be referred to independent counsel for outside investigation. Other outside parties (forensic accountants, additional independent auditors, etc.) may be required depending on the substance of complaint. From there, actions required may include launching a full-fledged investigation, supporting law enforcement in any necessary legal action and being prepared to produce evidence in the event that it is subpoenaed by legal authorities.

Step 11: Prepare and secure summary reports. The audit committee should prepare and save reports summarizing the resolution of all hotline-reported incidents.

Reason: It is important to show compliance with SOX and other applicable laws, or obtain lenience under U.S. Sentencing Guidelines in the event that the organization is investigated by legal or regulatory authorities.

White-Collar Crime Fighter source: Sean O'Dowd, Esq., Bernstein Litowitz Berger & Grossmann LLP, New York City-based attorneys. Sean specializes in prosecuting corporate fraud cases and has written about and worked with whistleblowers in a variety of contexts. He can be reached at seano@blbglaw.com.

CYBER-CRIME FIGHTER
Lynn Goodendorf, CIPP, CISSP, Good Security Consulting, LLC

The No. 1 Threat in Cyber-Security and What You Can Do

One of the top threats in cyber-security is malware, the short (and colloquially used) term for malicious software. Malware is used to steal passwords, login credentials, Social Security and credit card numbers and other types of sensitive confidential data in order to gain access to business databases or systems. Login credentials may also be collected from social networking sites such as Facebook, LinkedIn and MySpace to obtain E-mail addresses and other personal data used to gain access to corporate or business systems.

STEALTH-WARE

Malware is special software planted on target computers to collect and transmit sensitive data without being detected.

Example: Among the most well-known malware-based schemes are those based on mass distribution of phishing E-mails (commonly referred to as spam) that contain a link to a fraudster's Web site. Psychological or emotional tactics are used to prompt the recipient to click on a link. The link may take the victim to a site that appears normal but visiting the site alone triggers downloads of malware.

MODERN-DAY MALWARE

As more employees use laptops or mobile devices to work remotely, an increased vulnerability of these devices to E-mail/phishing malware attacks has emerged. The risk is compounded by use of cell phones and other mobile devices for accessing social media such as Facebook, Twitter, YouTube and LinkedIn.

Example: Facebook now claims to have more than 400 million members. Although Facebook has privacy settings available to restrict who can see a member's information, these settings default to low or no privacy. So if the settings are not changed by the user, all of his or her information may be open to everyone on Facebook.

Result: Any Facebook member can collect names of other people's family members, birthday, hometown, schools attended, names of pets and other personal details that are often used on business systems as "Secret Questions" to verify authorized use when logging in. Moreover, fraudsters on Facebook can often view enough information about a person to pose as someone from their high school or childhood neighborhood or even a business acquaintance and send an invitation. If the invitation is accepted, they can then find information on more people in that circle of friends.

Self-defense: Only connect and accept invitations from people you know.

Caution: It is generally more difficult to implement and maintain security controls for computers of mobile or remote workers than for desktop computers in a traditional office environment. For example, the Telework Coalition reports that 89% of top US companies offer telecommuting and 58% of companies consider themselves a "virtual workplace."

FIGHTING BACK

The findings of the 2009 Verizon Breach Report revealed that 87% of information security breaches by outside hackers could have been avoided with simple controls. This principle holds true for defending against malware attacks as well. The steps described below are neither expensive nor difficult to implement. But

Continued on pg. 4


Continued from page 3

they do require commitment and consistency.

• Enforce a robust and thorough process for security patches and software updates. Many organizations mistakenly treat this as a security enhancement project with a beginning and an end to be checked off as complete. But this process is more of a preventive maintenance function requiring ongoing attention.

Effective: Because most professionals relish the satisfaction of completing a task, it is highly effective to implement a weekly or monthly report to management on the status of patching and updates. This provides greater appreciation for the effort involved and can help sustain this type of security work.

• Enforce procedures for creating and maintaining strong passwords. This is a basic anti-malware measure that is mentioned over and over by information security experts. Strong passwords continue to be your organization's first line of defense.

Critical guideline: Effective passwords comprise a combination of letters and numbers and exceed six characters. In January 2010, Imperva, a company that specializes in Internet security (http://www.imperva.com), conducted a detailed analysis of 32 million breached consumer passwords and found that the most common password was "123456."

Helpful: Use automated tools to prompt and check password strength for users at the time the passwords are created. This type of automated tool is called "password filtering" and a leading product available is nFront Security, http://www.nfrontsecurity.com.

• Use only authentic software and operating systems with legal licenses. Counterfeit software or unlicensed copies are high-risk because they may already be infected with malware and cannot be updated or patched. An estimated 20% of US software is pirated or counterfeit. The main clue that software is pirated or unlicensed is a price that is far below retail.

• Educate employees on how to respond to spam to thwart persistent types of malware. Key points for users:
• Never click on embedded links.
• Never open mail from

Continued on page 5

DOING THE HOMEWORK

Proactive Fraud Prevention: Due Diligence

As is painfully obvious, the recession and the credit crisis created serious debt and cash flow problems for organizations of all types. Many if not most are still struggling to recover from the greatest financial upheaval in recent memory.

Result: Cash-strapped companies are looking for buyers or merger partners as they attempt to capitalize on the depressed value of their companies and avoid bankruptcy.

Flip side of the coin: With bargains to be had, owners and executives of cash-rich companies are bargain hunting and are often tempted to forgo proper due diligence in their rush to exploit the buyer's market.

Danger: Acquiring companies risk learning the hard way that an acquisition can quickly become more of a problem than an opportunity.

Key: There are always reasons why companies and assets are distressed. Too often these reasons involve fraud that has either caused the financial problems or has been perpetrated to conceal them.

To avoid being victimized by fraud as the result of an acquisition, companies must be more vigilant than ever about the due diligence process.

Primary reason: Executives at target companies have compelling incentives to present their companies' financial health in the best light possible. Even if the management team of a potential target company is not committing outright fraud, there is still the chance that passive deception is in play, such as failure to accurately or fully report key financial information.

Recommended: Rather than overhauling your due diligence practices, focus on ensuring that they reach more broadly and deeply into the target company. Conduct probing, in-depth discussions with the target company's management to gain a better understanding of specific fraud risk factors affecting product(s) or service(s), technology and reputation.

OPERATIONAL DUE DILIGENCE

To identify odd or questionable patterns in the operations of a company, try to directly approach staff or service providers in operations, HR and other functional areas.

Example: You can discover evidence of possible fraud by walking through a plant and talking to people on the shop floor. No one is more capable of identifying potential fraud than people who work at the process level. However, your due diligence team must also verify the reliability of the information being provided by these sources.

INVESTIGATIVE AND REPUTATIONAL DUE DILIGENCE

Because fraud often starts at the top, prospective buyers should perform background checks on a target's management team. If any of these individuals has a history of fraudulent activities, or other questionable financial issues, that history is a sign to look closely for financial anomalies in the target company.

Example: A probe might uncover one or more executives' propensity to suddenly extract the value from a company before selling what remains. Thus, if members of a target company's management team sold another company several years ago, if the entity no longer exists, determine whether this was because it was legitimately absorbed by the acquiring company or if there were financially questionable circumstances.

CONTROLS ANALYSIS

Scrutinize the target's internal controls.

Example: There should be strong segregation of duties, with appropriate internal controls that are handled by two parties and reported to an independent entity such as an audit committee or external auditor.

White-Collar Crime Fighter source: "Fraud in the Economic Recovery," report by Grant Thornton Advisory Services Practices, www.GrantThornton.com/advisory, coauthored by Warren Stippich, Partner, Business Advisory Services and Mark Sullivan, practice leader, Forensic Accounting and Investigative Services.


CONTROL CENTER
Christine Doxey, CAPP, CCSA, CICA, Business Strategy Inc.

PROCURE TO PAY
Essential Internal Controls For Fraud Prevention

When identifying and reducing fraud risk in your organization's procure-to-pay (P2P) cycle it is essential to document and test controls in the entire cycle.

Key: This approach helps your procurement and accounts payable (AP) teams to understand how their processes interact with each other and to coordinate fraud risk assessments. This in turn sets the groundwork for effectively optimizing anti-fraud controls in business processes throughout the P2P cycle.

SEGREGATION OF DUTIES IN P2P

Segregation of duties (SoD) lies at the heart of effective anti-fraud controls for P2P. SoD benefits:
• Prevention of most common procurement and AP fraud schemes.
• Prevention of collusive fraud schemes between procurement and AP personnel.
• Enhanced likelihood that honest errors will be found.

How it works: In its most general sense, SoD means that no individual has control over two or more phases of any P2P transaction or operation that would enable him or her to commit fraud.

Example: If a single procurement or AP employee can carry out and conceal fraudulent activities in the course of his or her daily work processes, the individual has what are called "incompatible duties or responsibilities," and by extension, has an opportunity to commit billing schemes, false vendor fraud and numerous other procurement and/or AP frauds.

Mini case study 1: A procurement employee approves a phony vendor and enters it into the vendor master file (VMF). Fraudulent invoices are sent to the AP department and paid to the employee.

Key: A well-designed P2P controls program would immediately identify these SoD conflicts and signal management to eliminate them to avoid being victimized by such frauds.

Mini case study 2: An AP supervisor had access to all areas of the finance module in her company's enterprise resource planning (ERP) system. She set up a fraudulent vendor, created a phony invoice, paid the invoice and altered financial records to conceal the fraud.

Key: SoD was not in place to ensure controlled system access. The employee was caught when the company initiated an audit of ERP system access. Red flags were discovered and the employee confessed to stealing $300,000.

P2P ANTI-FRAUD CONTROLS MODEL

The focus of the P2P anti-fraud controls model is on SoD throughout the cycle. The model thus encompasses identification of risk and enforcement of specific anti-fraud SoD and SoD-related controls for:
• Procurement
• Vendor maintenance
• Goods receipt
• Invoice processing
• Check requests
• Disbursements
• Accounting

SPECIFIC ANTI-FRAUD SoD CONTROLS

Procurement controls...
• Catalog items such as office supplies that are authorized for purchase are periodically reviewed and updated to prevent unauthorized purchases.
• Authorized catalog item prices, vendors, units of measure, etc. cannot be altered.
• Requisitions are associated with specified general ledger codes. Employee adherence to the codes is continuously monitored by an accountable manager.
• Authorized approvers are added to each purchase request (PR) based on departmental and financial guidelines in

Continued from page 4

unknown senders.
• Always check extension names on attachments for anything that looks unusual. For instance, double extensions such as "file.doc.doc" may indicate that a document is malicious.
• Always verify E-mail senders and be aware that sender addresses can be spoofed or falsified. If the message asks for confidential information or does not seem like a typical message from the sender, send a reply and ask the sender to confirm the message. If a legitimate sender's E-mail address was spoofed, a reply message will not be delivered to the legitimate owner of the E-mail address and the fraud can be avoided.
• Never give personal information in reply to an Instant Message or unsolicited E-mail.

SECURITY MUSTS FOR IT ADMINISTRATORS

Your organization's IT department of course plays a critical role in protecting your PCs and servers from malware attacks (as well as other information security crimes).

Caution: Avoid underestimating the risk of loss or compromise of confidential data due to improper computer or network configuration.

Example: Hackers scan the Internet for computers that have an open Port 445 which is used for File Sharing. If this port is not blocked by a firewall or router settings, a hacker can take control of the computer and make it a "zombie." This tactic has been used to build hacker attack armies (called "botnets") consisting of millions of compromised computers. In short, Port 445 should never be connected or exposed to the Internet.

Critical: Ensure that virus and antispam products purchased and implemented by your IT department include a feature called "URL filtering" which will block known malicious Web sites. Leading vendors include Norton by Symantec, Trend Micro, Kaspersky and McAfee.

Challenge: In many organizations, IT system administrators are not security specialists. It is therefore essential that they either have security training specific to their job roles or guidance and reviews related to security. One of the best security training resources for IT staff is the SANS Institute (http://www.sans.org).

White-Collar Crime Fighter source: Lynn Goodendorf, CIPP, CISSP, Good Security Consulting LLC, provider of risk-based strategies for Security and Privacy. Lynn can be contacted at lynn@goodsecurityconsulting.com.
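The attachment-name and sender checks from the Cyber-Crime Fighter user guidance (double extensions such as "file.doc.doc", spoofed sender addresses), written out as an added example; it is not code from the article or its author. The extension lists, addresses and sample message are constructed, and the Reply-To and display-name comparisons are assumptions that go beyond the two checks the article names.

```python
import email
import unicodedata
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# Illustrative lists, not exhaustive: types that run code when opened, and
# document-style types commonly placed in front of them as a disguise.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar", ".lnk"}
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".zip"}


def attachment_findings(filename):
    """Return the reasons (possibly none) an attachment name looks unusual."""
    findings = []
    # Invisible format characters (e.g. right-to-left override) can make the
    # displayed name differ from the real one.
    if any(unicodedata.category(ch) == "Cf" for ch in filename):
        findings.append("hidden format character in name")
    name = "".join(ch for ch in filename if unicodedata.category(ch) != "Cf")
    # Padding spaces before the real extension are stripped per suffix.
    suffixes = [s.strip().lower() for s in PurePosixPath(name.strip()).suffixes]
    if not suffixes:
        return findings
    last, earlier = suffixes[-1], suffixes[:-1]
    if earlier and earlier[-1] == last:
        findings.append("repeated extension " + last)  # the file.doc.doc case
    elif last in EXECUTABLE_EXTS and any(s in DOCUMENT_EXTS for s in earlier):
        findings.append("executable type %s behind a document extension" % last)
    elif last in EXECUTABLE_EXTS:
        findings.append("executable type " + last)
    return findings


def domain_of(address):
    return address.rpartition("@")[2].strip("<> ").lower()


def sender_findings(msg):
    """Compare the addresses a reader sees with the ones mail will use."""
    findings = []
    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    # A reply is sent to Reply-To when present, not to the From address.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append("Reply-To domain differs from From domain")
    # An address typed into the display name can mask the real sender.
    if "@" in display and domain_of(display) != domain_of(from_addr):
        findings.append("display name shows a different address")
    return findings


def triage(raw_bytes):
    """Parse one RFC 5322 message and collect sender and attachment findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {"sender": sender_findings(msg), "attachments": {}}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        found = attachment_findings(name)
        if found:
            report["attachments"][name] = found
    return report


def build_sample():
    """Constructed message; all names use reserved example/invalid domains."""
    msg = EmailMessage()
    msg["From"] = '"accounts@supplier.example" <billing@mailer.invalid>'
    msg["Reply-To"] = "payments@lookalike.invalid"
    msg["To"] = "ap@company.example"
    msg["Subject"] = "Updated invoice"
    msg.set_content("Please see attached.")
    for fname in ("invoice.pdf.exe", "file.doc.doc", "report.v1.2.pdf"):
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage(build_sample())
    for line in result["sender"]:
        print("SENDER    ", line)
    for name, reasons in result["attachments"].items():
        print("ATTACHMENT", name, "->", "; ".join(reasons))
```

Version-style names such as "report.v1.2.pdf" are deliberately not flagged, since only a repeated final extension or an executable final extension counts as a finding.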



FRAUD-FIGHTERS NEED-TO-KNOW HOT LINE

Payments Fraud: Checks Increasingly Vulnerable

Disturbing trend: Despite the gradual reduction in the proportion of business transactions concluded via check, check fraud continues to grow at a rapid rate. In 2009, 89% of organizations said that check fraud increased in 2009, compared with only 82% the year before.

Encouraging: While ACH debit gradually increases as a form of business payment, organizations appear to be implementing some of the effective anti-fraud measures available for electronic payment. In 2009, 11% of organizations said ACH debit fraud increased, while in 2008, the figure was 14%.

Important: Due to effective anti-fraud measures, most organizations that were targeted by payments fraudsters did not actually lose money to fraud attempts. In fact 70% of targeted organizations reported no loss, up from 63% the year before.

Caveat: Of the 30% of organizations that did suffer losses to payments fraud, the percentage represented by check fraud was up in 2009 to 64% from 60% the year before.

Important indicator: While, as mentioned above, use of checks continues to decline, check fraud losses continue to grow. Organizations must thus be more aggressive in implementing anti-check fraud controls such as positive pay, payee positive pay, reverse positive pay and "post no checks" on depository accounts (blocks checks from a depository account or from an account dedicated to electronic debits).

White-Collar Crime Fighter sources: 2010 AFP Payments Fraud and Control Survey Report of Survey Results, Association for Financial Professionals, www.AFPonline.org/research... JP Morgan Chase Fraud Prevention, https://www.chase.com/index.jsp?pg_name=ccpmapp/commercial/prod_serv/page/fps_overview.

Financial Reform Bill Impacts FCPA

The Dodd-Frank Wall Street Reform and Consumer Protection Act's new whistleblower protection provisions (see also p. 1) could have a major impact on enforcement of the Foreign Corrupt Practices Act (FCPA). The FCPA is already being aggressively enforced by the US Department of Justice (DoJ) and Securities and Exchange Commission (SEC), and the reform act expands whistleblower protections to all securities laws violations. The FCPA is part of the Securities and Exchange Act of 1934.

Details: The whistleblower provisions of the Act empower the government to award financial rewards of 10% to 30% of monetary sanctions over $1 million to individuals who provide information which leads to a successful SEC enforcement.

Added change: The new law also allows a whistleblower to receive an award regardless of whether any violation of a provision of the securities laws, or a rule or regulation thereunder underlying the SEC enforcement action, occurred prior to the date of enactment of the provisions.

Key: Employees who become aware of potential violations of the FCPA by their employers now have legal protections and a financial incentive to report the misconduct to the federal government.

While some groups and attorneys feel that the government's failure to exclude the FCPA from the bounty provisions of the Act could lead to unfair awards to whistleblowers because many if not most FCPA cases are settled rather than litigated without the target company being forced to admit any wrongdoing, others predict that the new law will greatly increase the number of FCPA matters under government investigation.

White-Collar Crime Fighter sources: Dodd-Frank Wall Street Reform and Consumer Protection Act, http://thomas.loc.gov/cgi-bin/bdquery/z?d111:H.R.4173: ... Mike Kohler, assistant professor of Business Law at Butler University, moderator of the FCPA Professor blog at http://fcpaprofessor.blogspot.com/ ... "Proposed Rewards for FCPA Whistleblowers Raise Risk for Multinational Corporations," alert from Morgan Lewis & Bockius LLP, www.morganlewis.com.

Continued from page 5

accordance with the organization's (DoA) protocols. (DoA is an essential anti-fraud controls system that augments SoD by establishing limits on financial transaction authority by management level or function.)
• DoA approval rules are periodically reviewed and updated to ensure appropriate approval levels.
• Service requisitions contain detailed documentation.
• Only authorized personnel can review and/or edit requisitions.
• PRs must be properly approved before proceeding to PO release.
• PO data transmission to vendors is verified. (Automated PO data may be sent to certain vendors and can facilitate quick procurement of small, routine orders.)
• Only authorized buyers can review, edit and release POs.
• Annual supplier reviews. Reviews include reassessment of established key performance indicators (KPIs).
• Contract compliance reviews are conducted annually to ensure that terms and conditions have been properly executed.

Vendor maintenance controls...
• Only designated staff can update the database.
• Inactive vendors are promptly removed from the master file.
• Changes to vendor master files are validated by authorized management prior to finalization.
• New-vendor address and banking details are validated by individuals other than those responsible for receiving and recording the data.
• Testing ensures that Electronic Data Interchange (EDI) POs are not sent with the EDI transmittal.
• Standard VMF naming conventions are maintained.
• Duplicate vendors and remit-to addresses are eliminated.

Goods receipt controls...
• Employees responsible for posting receipt of goods to accounts receivable systems are not the same individuals verifying delivery contents.
• Access to accounting systems for posting receipt of goods is tightly restricted.
• Receiving policies and procedures for entering goods receipts into the system are clear and consistently enforced.
• Receipt of goods or services cannot post against a closed line item on the purchase order.
• Receipt of goods or services cannot exceed PO amount and/or quantity.
• Proper review and assignment of

WHITE-COLLAR CRIME FIGHTER


Continued from page 6

general ledger accounts is in place for receipts that do not reflect a purchase order, cost center or account. All reversals of goods receipts made after an invoice receipt posts are validated according to set authorizations. SoD for warehouse management is continuously monitored and enforced.

Invoice processing...
Invoices are paid upon validation with goods received and POs. Blocked three-way match exceptions are flagged and reviewed by AP for clearing. Purchase authorization conforms with approval policies which are carefully designed for optimal SoD. EDI transactions are accurate and accurately recorded in the ERP.

Check requests...
Check requests are routed to appropriate personnel in Accounting for review prior to payment release. Check requests conform with authorized purposes and amount limitations.

Disbursements...
All disbursement transactions are traceable to the GL and bank statement. Appropriate anti-fraud audit testing is performed to monitor compliance. Vendor discounts are taken according to company policy. Disbursements are recorded in the period in which they were made. Expenses are accurately recorded in accounting records during the period in which the liabilities were incurred. Blank checks are properly stored and safeguarded. Void or canceled checks are accurately recorded. Banking and disbursement data is protected from loss or destruction. All key checking accounts are set up with positive pay, payee positive pay or reverse positive pay, or a combination of the three.

Accounting...
All AP-related accounts are reconciled on a monthly basis. Essential: Variances are aged and explained. Action plans are specified to address variances. Significant balance fluctuations are explained. Account reconciliations are appropriately approved. Clearing accounts are reconciled on a monthly basis. Debit balances are treated and aged as accounts receivable.
White-Collar Crime Fighter source: Christine Doxey, CAPP, CCSA, CICA, vice president of business development, Business Strategy Inc., a Grand Rapids, MI-based accounts payable and contract compliance audit and automation solutions firm. Chris can be reached at cdoxey@businessstrategy.com.

THE CON'S LATEST PLOY
From White-Collar Crime Fighter's files of new scam, scheme and scandal reports

Denver, CO

Bank branch manager, trusted for 32 years, stole for more than 25 of them. Margaret Migues pled guilty in federal court to one count of embezzlement by a bank employee. According to the U.S. Attorney's Office for the Southern District of Mississippi, Migues worked in the banking business for 32 years, starting at the Pascagoula Moss Point Bank, which was later bought by Hancock Bank, where she worked until she was caught stealing in July 2009. Details: According to the indictment, filed in March, Migues and two of her co-workers began the scheme in or around 1980. They embezzled money from elderly customers' accounts and concealed the embezzlements by preventing account statements from being sent to the customers, and by making sure that Migues and her two co-workers were the only ones who dealt with their victims. By the time the scheme was discovered in July 2009, the bank had already destroyed most of the records from the early years of the embezzlement. The total amount embezzled from October 1995 to July 2009 was $2,386,451.84. The total amount stolen will likely never be known due to the absence of the older records. It was determined, however, that Migues and her co-conspirators executed at least 1,600 illegal transactions and that the victims ranged in age from 71 to 102 years old.

Baltimore, MD

If you were the CFO, would you write 47 company checks to yourself and expect not to get caught? Ernest Theodore Solo apparently thought so. He pled guilty to embezzling more than $2.7 million from the oil distributor Chesapeake Petroleum and Supply Inc., where he worked for about 40 years. In 1990 he was promoted to CFO of the company. Apparently bored or broke after 10 years on the job, Solo started taking advantage of his position and the lack of controls governing disbursements. Details: According to the Maryland U.S. Attorney's Office, between 2000 and 2008 Solo authorized and signed company checks made payable to himself or to Chase Mortgage, which held the mortgage on one of his properties. Solo also stole $333,000 from Chesapeake Petroleum's petty cash fund, over which he also had exclusive control, by writing fraudulent checks. According to court documents, Solo wrote 47 checks to himself and six checks, each for $75,000, to Chase Mortgage. He tried to conceal the embezzlement by falsifying and destroying financial records and hiding the fraud from outside auditors hired by the company. Solo faces a maximum penalty of 20 years in prison and a fine of $250,000 or twice the gain or loss associated with the crime. According to the U.S. Attorney's Office, investigation of the Solo case was the work of the Financial Fraud Enforcement Task Force (FFETF), which was established by President Obama in November 2009 to investigate and prosecute financial crimes. Chesapeake Petroleum filed a civil lawsuit against Solo in Montgomery County (MD) Circuit Court in Rockville on March 3, charging him with breach of fiduciary duty, misrepresentation of facts, two counts of unjust enrichment and three counts of fraud, according to court documents.


Philadelphia, PA
Everybody's safe: It's baseball season, and with men on base, two outs and the game on the line, the smallest error in the field can mean runners safely make it home when they should be out. Making it safely home is exactly what two former high-level executives of pharmaceuticals giant Bristol-Myers Squibb (BMS) achieved when, after seven years of criminal investigation, the federal government decided to let the bosses walk on charges of massive accounting fraud. Details: The case involves BMS's practice of channel stuffing, a scheme whereby a seller (in this case BMS) provides financial incentives (better known as payoffs) to buyers (in this case large drug wholesalers) to purchase product they don't yet need. This of course enables the perpetrator to report receivables that aren't really receivables, because the buyers would normally not have made the purchases without the bribe. Specifically, according to court documents, between 2000 and 2001, BMS gave wholesalers financial incentives, amounting to tens of millions of dollars each quarter ... to spur them to buy its products in excess of prescription demand projections. For example, in August 2001 [the defendants] approved $47 million in sales incentives for the third quarter, and in November 2001 [they] approved $85 million in sales incentives for the fourth quarter. These incentives [were recorded as costs to cover] the wholesalers' carrying costs and guaranteed return on their investment until they sold the products. [Prosecutors] characterized this as a deceptive strategy to increase sales and earnings in the short term to meet Bristol's aggressive sales and earnings targets and, in turn, artificially inflate the stock price. Outcome: After a lengthy trial and appeal, the government decided that the legal technicalities in the case were too complex to sustain its charges against the executives, so DoJ officials offered a deferred prosecution agreement (DPA) (see also White-Collar Crime Fighter, April 2010, p. 1). Under the agreement, the former executives will each pay a modest fine and agree not to serve in comparable positions in public companies for two years. Bottom line: After causing a multibillion-dollar plunge in BMS's stock price as a result of news of the investigation, and having allegedly committed massive accounting fraud and covered it up, the bosses were cleared by DoJ as an apparent matter of expeditiousness. But the precedent set won't help the batting averages of prosecutors going for convictions of future corporate fraudsters.
White-Collar Crime Fighter sources: United States of America, Appellant v. Frederick S. Schiff, Nos. 08-1903, 08-1909. Off the Hook: Why Drug Prosecutions Are Targeting Middle Managers and Letting Bosses Slide, article by Jim Edwards, on bnet.com, http://industry.bnet.com/pharma/10008772/off-the-hook-why-drug-prosecutions-are-targeting-middle-managers-and-letting-bosses-off-the-hook/.

If You're Still Not Convinced that Cyber-Crime Is Very Serious Business...


Cyber-crimes can do serious harm to your organization's bottom line. The median annualized cost of cyber-crime for the 45 organizations in a new study is $3.8 million per year, but can range from $1 million to $52 million per year per company. Cyber-crimes are disturbingly common. Companies in the study experienced a total of 50 successful attacks per week, more than one successful attack per company per week. The most costly cyber-crimes are those caused by Web attacks, malicious code and malicious insiders. These account for more than 90% of all cyber-crime costs on an annual basis. Information theft represents the greatest external cost, followed by costs associated with the disruption to business operations. On an annualized basis, information theft accounts for 42% of total external costs. Costs associated with disruption to business or lost productivity account for 22% of external costs. Detection and recovery together account for 46% of total internal activity cost, with labor representing the majority of these costs. Urgent lesson: A strong security program reduces the impact and cost of cyber attacks. The study used a statistic known as the Security Effectiveness Score (SES) to measure an organization's ability to meet reasonable security objectives. The higher the SES score, the more effective the organization is in achieving its security objectives. Key: The average cost to mitigate a cyber attack for organizations with a high SES is substantially lower than for organizations with a low SES score.
For valuable details on cyber-crime prevention, download the study, First Annual Cost of Cyber Crime Study: Benchmark Study of U.S. Companies, conducted by the Ponemon Institute, at http://www.arcsight.com/collateral/whitepapers/Ponemon_Cost_of_Cyber_Crime_study_2010.pdf.


COMING SOON IN
White-Collar Crime Fighter
Detecting and preventing management override of internal controls
New electronic evidence rules and procedures
Information security strategies for non-technical decision-makers
Professional skepticism: Essential to fraud detection
