1.01k likes | 1.27k Views
How to Conduct An Internal Investigation D. Larry Crumbley, CPA, CFF, Cr.FA , MAFF, FCPA KPMG Endowed Professor Department of Accounting Louisiana State University Room 2833, Business Education Complex Baton Rouge, LA 70803 225-578-6231 225-578-6201 Fax dcrumbl@lsu.edu. Dr. Crumbley is the
E N D
How to Conduct An Internal InvestigationD. Larry Crumbley, CPA, CFF, Cr.FA, MAFF, FCPAKPMG Endowed ProfessorDepartment of AccountingLouisiana State UniversityRoom 2833, Business Education ComplexBaton Rouge, LA 70803225-578-6231225-578-6201 Faxdcrumbl@lsu.edu Dr. Crumbleyis the Editor of the Journal of Forensic & Investigative Accounting. Former editor of the Journal of Forensic Accounting: Auditing, Fraud, and Risk, Former chair of the Executive Board of Accounting Advisors of the American Board of Forensic Accountants, Former member of the NACVA’s Fraud Deterrence Board,and On the AICPA’s Fraud Task Force (2003-2004). A frequent contributor to the Forensic Examiner and Value Examiner, Professor Crumbley is an author of more than 55 books and 350 articles. His latest book entitled Forensic and Investigative Accounting, 5th edition, is published by Commerce Clearing House (800-224-7477). Some of his 13 educational novels, e.g., Trap Doors and Trojan Horses and The Big R: A Forensic Accounting Action Adventure, have as the main character a forensic accountant. His goal is to create a television series based upon the exciting life of a forensic accountant and litigation consultant. 1
Wide Variety of Investigations Fraud investigation Tracing assets Damages calculations Valuation calculations Witness location Employment investigations Worker compensation claims Private family investigations Homicide Suicide Missing person investigation Personal background checks Corporate investigations Civil investigations Negligence or criminal investigations Source: Erik Laykin, Investigative Computer Forensics, Hoboken, N.J.: John Wiley, 2013, p.130. 2
SAS No. 99: SKEPTICISM An attitude that includes a questioning mind and a critical assessment of audit evidence. An auditor is instructed to conduct an audit “with a questioning mind that recognizes the possibility that a material misstatement due to fraud could be present, regardless of any past experience with the entity and regardless of the auditor’s belief about management’s honesty and integrity.” “Things are not always as they appear, sonny boy.” James Patterson, Honeymoon, Warner Books, 2006. 3
Mind-Set: SKEPTICISM Ronald Reagan said with respect to Russia, “Trust, but verify.” FA’s motto should be “Trust no one; question everything; verify.” As Charles Manson said, “Total paranoid is total awareness.” ----------------------------------------------------- Ron Durkin says auditors must go beyond skepticism to “thinking forensically.” [More than skeptical ] ----------------------------------------------------- This ain’t my first rodeo I didn’t make it all the way through school. But my mama didn’t raise no fool. I may not be the Einstein of our time. But honey, I’m not dumb and I’m not blind. Vern Gosdin 4
Predication The ACFE group indicates that in the private sector, a fraud investigation should not be conducted without proper predication. Examples: Anonymous tips, complaints, audit inquires, conflict of interest. Thus, predication is the basis for undertaking a fraud investigation. Without predication, the target might be able to sue for real or imaginary damages. 5
Be An Investigator “Because I was an investigator,” he said. “O.K.,” she said. “Investigators investigate. That, I can follow. But don’t they stop investigating? I mean, ever? When they know already?” “Investigator never know,” he said. “They feel, and they guess.” “I thought they dealt in facts.” “Not really,” he said. “I mean, eventually they do, I suppose. But ninety-nine percent of the time it’s ninety-nine percent about what you feel. About people. A good investigator is a person with a feel for people.” Lee Child, Echo Burning, N.Y.: Jove Books, 2001, p. 281. 6
Investigative Technique “You know how it goes,” I said. “You get a case. You just keep poking around, see what scurries out.” p. 144. ------------------------------------------------------------ “How,” Susan said, “on earth are you going to unravel all of that?” “Same way you do therapy,” I said. “Which is?” “Find a thread, follow it where it leads, andkeep on doing it.” “Sometimes it leads to another thread.” “Often,” I said. “And then you follow that thread.” “Yep.” “Like a game,” Susan said. “For both of us,” I said. Susan nodded. “Yes,” she said, “tracking down of a person or an idea or an evasion.” pp. 270 – 271. -------------------------------------------------------------------------------- Source: R.B. Parker, Widow’s Walk, Berkley Books, 2002. 7
Fraud Detection Process Discuss facts and objectives with client/attorney (e.g., conflict of interests). Evaluation whether to accept the engagement. Prepare a work program. Develop time and fee schedule. Obtain approval of work program, staff assignments, and fee estimates. Obtain an engagement letter. 7/8. Identify fraud exposures and symptoms. 9/10. Evaluate evidence obtained and determine if more evidence is needed. 11/12. Search for and evaluate additional evidence. Discuss preliminary findings with client/attorney. Draft a final report. Review the report and work papers. Resolve professional disputes. Clear review points and open items. Communicate report or findings. Help attorney prepare court case/testify. Perform follow-up procedure. File work papers/report. Source: Carmichael et. al, PPC Fraud Detection, Vol.1, Ch. 2 (2002). 8
Wandering Around • Informal observations while in the business. • Especially valuable when assessing the internal controls. • Observe employees while entering and leaving work and while on lunch break. • Observe posted material, instructions, job postings. • Observe information security and confidentiality. • Observe the compliance with procedures. • Appearance is not necessarily reality. Man of La Mancha 9
Investigative Techniques “Facts weren’t the most important part of an investigation, the glue was. He said the glue was made of instinct, imagination, sometimes guesswork and most times just plain luck.” (p. 163). -------------------------------------------------- “In his job, he [Bosch] learned a lot about people from their rooms, the way they lived. Often the people could no longer tell him themselves. So he learned from his observations and believed that he was good at it.” (p. 31). -------------------------------------------------- Michael Connelly, The Black Ice, St. Martin’s Paperbacks, 1993. 10
Investigative Techniques and Evidence Documentary evidence – written evidence on paper or computer medium. Testimonial evidence – testimony of individuals. Observational evidence – evidence, actions, or observations seen by an investigator. Physical examination of evidence (e.g., counts or inspections). Fixed point observations of activities (e.g., watching a scene and recording). Moving observations. Invigilation – strict temporary controls are imposed so that fraud virtually impossible. Keep detailed records. Covert observations. Forensic document examination. Source: D.R. Carmichael et.al., Fraud Detection, Vol. I, Practitioners Publishing Co., 2002, pp. 3-1 to 3-4
Documentation The forensic accountant needs to track and document the steps in any investigation process, including: • Items maintained as privileged or confidential. • Requests for documents, electronic data, and other information. • Memoranda of interviews conducted. • Analysis of documents, data, and interviews and conclusions drawn. Source: Managing the Business Risk of Fraud: A Practical Guide, IIA, AICPA, ACFE; http://www.acfe.com/documents/managing-business-risk.pdf, 2008, p. 43. 12
Chain of Custody Just as in the movies or on a television show such as CSI, forensic accountants must safeguard evidence through a financial chain of evidence (e.g., fraud in a computer). There must be a way to show that the evidence has not been tampered with or damaged. If documents are seized, the forensic accountant should put his or her initials and date of the seizure on the back of each document. Or put the document in a transparent envelope and write a description on the envelope. Store the original and work only with a copy.
Enforcement Manual Enforcement Manual History and Custody of Documents U.S. Department of Labor Pension and Welfare Benefits Administration Date _______________________________ Case Number________________________ Case Name __________________________ 22. How were the documents obtained? ____ By consent (note any significant comments of the principal or third party witness and any unusual circumstances which occurred)? ____ By legal process (describe). • What is the relationship between the documents and the person submitting them? 22. Were manual transcripts or facsimile copies made of any of the documents either in whole or in part?. ______ Yes ______No If Yes, list documents copies. Manner of reproduction 22. Have all copies been compared with the original documents and identified? _____Yes _____No If No, why not? 22. Were the original documents described herein under your control or supervision at all times prior to their return to the principal, third party witness, or representative? _____Yes _____No If No, set forth circumstances of any transfer in control. 22. Did the principal, third party witness, or a representative request access to the documents during your custody? ___ Yes ___ No If Yes, who requested access and what action was taken? Signature ___________________ Title ________________________ PWBA 219 (May 1987)
Principles of Investigation Documentation • Take notes on everything you do. • Document every effort to contact a witness and all surveillance in the running resume. • Prepare a report whenever there is a possibility you will have to testify. • Take verbatim statements from hostile or unhelpful witnesses; obtain declarations from friendly witnesses. • Provide all of the case’s documents to the client at the conclusion of the case – or have a document retention policy that decrees the maintenance of most records for at least five years. P.A. Becnel, IV and S.J. Krischke, Principles of Investigative Documentation, Springfield, IL: C. C. Thomas Publisher, 2012, 172 pp.
Scienter Necessary To prove any type of fraud, prosecutors must show that scienter was present. That is, the fraudster must have known that his or her actions were intended to deceive. ------------------------------------------------- The allure of numbers to most of us, is like the excitement of settling sand--a narcoleptic surety. Crafty criminals prey on this boredom. They pile on the numbers, spewing meaningless records in the false books. Cory Johnson 16
Two Major Types of Fraud Investigations Reactive: Some reason to suspect fraud, or occurs after a significant loss. Proactive: First, preventive approach as a result of normal operations (e.g., review of internal controls or identify areas of fraud exposure). There is no reason to suspect fraud. Second, to detect indicia of fraud. Source: H.R. Davia, “ Fraud Specific Auditing,” Journal of Forensic Accounting, Vol. 111, 2002, pp. 111-120 17
Proactive Is Beneficial The threat of a future investigation reduces the occurrence of fraudulent behavior from 75% to only 43%. The larger the pay-off, the more likely a person will commit fraudulent behavior. Give the fox a key to the hen house and he/ she is going to eat hens. Source: S. L. Tate et. al, “The Small Fraud Paradigm: An Examination of Situational Factors That Influence the Non-Reporting of Payment Errors,” J. of Forensic Accounting, Vol.7, 2006, p. 406. --------------------------- The greater the risk of detection, theless likely a person is to violate the law. Jeremy Bentham 18th Century Philosopher 18
Proactive vs. Reactive Approaches Proactive approaches include Effective internal controls, Financial and operational audits, Intelligence gathering, Logging of exceptions, and Reviewing variances. Reactive detection techniques include Investigating complaints and allegations, Intuition, and Suspicion. Jack Bologna and Robert Lindquist, Fraud Auditing and Forensic Accounting, 2d Edition, New York: John Wiley, 1995, p. 137. 19
Proactive Is Best When the IRS began requiring banks to issue Form 1099s reporting interest, the reported interest income increased by $8 billion (even though for 3 years the IRS did not have computer matching capacity). When the IRS began to require taxpayers to list a social security number for dependents, the next year the number of reported dependents dropped by seven million. More than 11,000 of these taxpayers claimed seven or more dependents in 1986, but they claimed none in 1987. When the IRS began to require taxpayers to list a name, address, and social security number for babysitters, two years later 2.6 million babysitters disappeared. 20
Fraud Deterrence Better Than Fraud Investigation Fraud deterrence less expensive. Deterrence is more comprehensive. Fraud deterrence produces greater savings. Deterrence is faster. Fraud deterrence promotes better customer relations. Daniel Finnegan, “Deterring Fraud,” Quality Planning Corporation, 1991. 21
Fraud Deterrence Review Analysis of selected records and operating statistics. Identify operating and control weaknesses. Proactively identify the control structure in place to help prevent fraud and operate efficiently. Not an audit; does not express an opinion as to financial statements. May not find all fraud especially where two or more people secretively agree to purposely deceive with false statements or by falsifying documents. [Always get a comprehensive, signed engagement letter defining objectives.] 22
Financial Fraud Detection Tools Interviewing the executives Analytics Percentage analysis Horizontal analysis Vertical analysis Ratio analysis Using checklists to help detect fraud SAS checklist Attitudes/Rationalizations checklist Audit test activities checklist Miscellaneous fraud indicator checklist “Objectively obtaining and evaluating evidence is the essence of auditing.” (AAA, Committee on Basic Auditing Concepts, 1973, 2) 23
Analytical Procedures Analytical procedures involve the study or comparison of the relationship between two or more measures for the purpose of establishing the reasonableness of each one compared. Five types of analytical procedures help find unusual trends or relationships, errors, or fraud: Horizontal or Percentage Analysis Vertical Analysis Variance Analysis Ratio Analysis or Benchmarking Comparison with other operating information Source: D.L. Crumbley, J.J. O’Shaughnessy, and D.E. Ziegenfuss, 2002 U.S. Master Auditing Guide, Chicago: Commerce Clearing House, 2002, p. 592. 24
Financial Statement Fraud Audit Obtain current year’s financial statements. Obtain prior 3 years’ financial statements. Perform vertical/ horizontal analysis of the 4 years, plus all current quarters. Pay attention to footnotes. Analysis of %s and footnotes by senior auditors. Nonsense %s and footnotes inquire explanations from financial management. Interview lower level financial employees who approved questionable journal vouchers. Combine explanations with visits to accounting records/ source documents. 25
Horizontal Analysis Suppose advertising in the base year was $100,000 and advertising in the next three years was $120,000, $140,000, and $180,000. A horizontal comparison expressed as a percentage of the base year amount of $100,000 would appear as follows: 26
Red Flags with Horizontal Analysis When deferred revenues (on the balance sheet) risesharply, a company may be having trouble delivering its products as promised. If either accounts receivable or inventory is risingfaster than revenue, the company may not be selling its goods as fast as needed or may be having trouble collecting money from customers. For example, in 1997 Sunbeam’s revenue grew less than 1% but accounts receivable jumped 23 percent and inventory grew by 40 percent. Six months later in 1998 the company shocked investors by reporting a $43 million loss. If cash from operations is increasing or decreasing at a different rate than net income, the company may be being manipulated. Falling reserves for bad debts in relation to account receivables falsely boosts income (cookie jaraccounting). 27
More Red Flags Look for aggressive revenue recognition policies (Qwest Communication, $1.1 billion in 1999-2001). Beware of hockey stick pattern. Beware of the ever-present nonrecurring charges (e.g., Kodak for at least 12 years). Check for regular changes to reserves, depreciation, amortization, or comprehensive income policy. Related-party transactions (e.g., Enron). Complex financial products (e.g., derivatives). Unsupported top-side entries (e.g., WorldCom). Under-funded defined pension plans. Unreasonable management compensation Source: Scott Green, “Fighting Financial Reporting Fraud,” Internal Auditor, December 2003, pp. 58-63. 28
Ink Analysis Martha Stewart was undone by a blue ballpoint pen. Stockbroker belatedly inserted a note to help cover up Ms. Stewart’s improper stock trading. Blue ballpoint ink used is different from ink elsewhere on the trading worksheet. Prosecutors used forensic ink analysis in Rite Aid case to show that certain documents were backdated (ink used to sign letter was not commercially available until 3 months after the letter was dated). Xerox laser printers now encode the serial number of each machine in tiny yellow dots in every printout, nestled within the printed words and margins. It tracks back to you like a license plate. Advice for fraudsters: use pencils. Source: Mark Maremont, “In Corporate Crimes, Paper Trail Often Leads to Ink Analysts’ Door,” Wall Street J., July 1, 2003, p. A-1. 29
Invigilation Invigilation is a rather expensive investigating technique that can be used in potential fraud situations to discover the fraud and can later be used in the courtroom. Here detailed records are kept before and after the invigilation period to determine the amount of fraud. During the invigilation period strict controls are imposed (e.g., cameras) so that the fraud is virtually impossible. Or the invigilation period could be while the suspect is on vacation.
Invigilation Technique Controls or vacation No controls No controls 14 days 14 days 14 days $67,000 lost $0 lost $62,000 lost
When Fraud Is Discovered Notify management or the board when the incidence of significant fraud has been established to a reasonable certainty. If the results of a fraud investigation indicate that previously undiscovered fraud materially adversely affected previous financial statements, for one or more years, the internal auditor should inform appropriate management and the audit committee of the board of directors of the discovery. A written report should include all findings, conclusions, recommendations, and corrective actions taken. A draft of the written report should be submitted to legal counsel for review, especially where the internal auditor chooses to invoke client privilege. 32
E-ZPass Catching Cheaters • E-ZPass and similar electronic toll collection systems are emerging as a new and powerful means to prove infidelity. • Generally mounted inside a vehicle's windshield behind the rearview mirror, the remote-sized, E-ZPass devices communicate with antennas at toll plazas, automatically deducting money from the tag-holder's prepaid account and recording when and where the vehicle crossed the toll. • Many states provide electronic toll information in response to court orders for criminal and civil cases, including divorces, which are used to prove the defendant was not where he or she claimed to have been. • "E-ZPass is an E-ZPass to go directly to divorce court, because it's an easy way to show you took the off-ramp to adultery," said Jacalyn Barnett, a New York divorce lawyer who has used E-ZPass records a few times. Chris Newmarker, “E-ZPass records out cheaters in divorce court.” AP, 2007.
Seven Investigative Techniques Public document review and background investigation (non-financial documents). Interviews of knowledgeable persons. Confidential sources. Laboratory analysis of physical and electronic evidence. Physical and electronic surveillance. Undercover operations. Analysis of financial transactions. Source: R.A. Nossen, The Detection, Investigation and Prosecution of Financial Crimes, Thoth Books, 1993. 34
Investigation Tasks 1) Interviewing, including: a) Neutral third-party witnesses. b) Corroborative witnesses. c) Possible co-conspirators. d) The accused. 2) Evidence collection, including: a) Internal documents, such as i) Personnel files. ii) Internal phone records. iii) Computer files and other electronic devices. iv) E-mail. v) Financial records. vi) Security camera videos. vii) Physical and IT system access records. b) External records, such as i) Public records. ii) Customer/vendor information. iii) Media reports. iv) Information held by third parties. v) Private detective reports. 3) Computer forensic examinations. 4) Evidence analysis, including: a) Review and categorization of information collected. b) Computer-assisted data analysis. c) Development and testing of hypotheses. Source: Managing the Business Risk of Fraud: A Practical Guide, IIA, AICPA, ACFE; http://www.acfe.com/documents/managing-business-risk.pdf, 2008, pp. 42-43. 35
Some Important Stuff • Once a USB has been imaged, a forensic accountant should use a read-only copy and investigate the file structure for evidence of financial fraud. • MD5 hashes verified that two files are exactly the same. • Hash values allow forensic accountants to determine if two financial files are exactly the same. • The hash calculator can be downloaded for free. • Disk Investigator can be used to discover what is hidden on a hard drive and help recover lost data. 36
Evidence Requests • Once legal requests for electronic evidence are received, such normal business practices need to be stopped and hard drives need to be imaged. • Evidence requests likely to include all e-mails; e-mail headers; e-mail logs; all data files created with word processing, spreadsheet, accounting software, sound recordings, or presentation software; network activity logs; task lists; databases; and e-calendars. All such requests encompass the data on servers, workstations, laptops, floppy disks, only repositories, tapes, voice messaging systems, CDs, DVDs, memory sticks, cell phones, iPads, and all stored backups of data. • After this request and until the pertinent drives are imaged, new files should not be saved to working computers. 37
So You Find Fraud • Criminal referral — The organization may refer the problem to law enforcement voluntarily, and, in some situations, it may be required to do so. Law enforcement has access to additional information and resources that may aid the case. Additionally, referrals for criminal prosecution may increase the deterrent effect of the organization’s fraud prevention policy. An appropriate member of senior management, such as the chief legal counsel, should be authorized to make the decision as to whether pursuing criminal prosecution is appropriate. • Civil action — The organization may wish to pursue its own civil action against the perpetrators to recover funds. • Disciplinary action — Internal disciplinary action may include termination, suspension (with or without pay), demotion, or warnings. • Insurance claim — The organization may be able to pursue an insurance claim for some or all of its losses. Source: Managing the Business Risk of Fraud: A Practical Guide, IIA, AICPA, ACFE; http://www.acfe.com/documents/managing-business-risk.pdf, 2008, pp. 43-45. 38
KPMG provides 10 steps to follow when an organization finds or suspects fraud: Shut the door! Keep assets secure until you can provide appropriate long-term security. Safeguard the evidence. Ensure that all records and documents necessary for an investigation remain intact and are not altered by you or anyone else. Notify your insurer. Failure to notify may negate your coverage. Call a professional. Do not confront or terminate the employment of a suspected perpetrator without first consulting your legal advisor. Prioritize your objectives. What’s most important: punishment, loss recovery, prevention, detection of future occurrences?
KPMG’s 10 steps to follow contd.. Consider prosecution. Before you make the call, weigh the plusses and minuses and determine if your insurance company requires prosecution. Terminate business relations. If the fraud is external, business relations with the suspect individual or organization should be terminated. Seek advice and assistance. An important consideration is whether you have the knowledge and resources necessary to effectively manage the process. Prepare a witness list. It is important that statements be taken before a “party line” can develop. Consider the message. Whatever you do will affect future situations. Now may be the time to change the way your business operates.
Where Details Communicated Internally Source: Who is the Typical Fraudster (2011) KPMG
Where Details Communicated Externally Source: Who is the Typical Fraudster (2011) KPMG
Outcomes & Responses Source: Who is the Typical Fraudster (2011) KPMG
Interview vs. Interrogation Interview-non-accusatory process where person asks questions to develop factual information (e.g., who, what, when, where, how). Interrogation-accusatory interview to obtain an admission of guilt. ------------------ “Doubt leads to inquiry, and inquiry leads to the truth.” Saint Thomas Aquinas
Selecting the Right Interviewees “Someone knows what is going on. If you tune in, you will get a feel for it.” Lorraine Horton, Kingston, R.I. -------------------------------------------------------------- “It is important that you select the right person to interview, and be conversant in interviewing techniques. For instances, pick someone from customer complaints or an employee who didn’t get a raise for two years, as they would be likely to provide the needed information.” R.J. DiPasquale, Parsippany, N.J. Source: H.W. Wolosky, “Forensic Accounting to the Forefront,” Practical Accountant, February 2004, pp. 23-28 --------------------------------------------------------------------------------------------- Listen to rouges and whistle-blowers who complain.
Differentiate Between the Two Don Rabon, Interviewing and Interrogation, Durham: Carolina Academic Press, 1992, p.5.
Moving from Unwilling to Willing Chair Don Rabon, Interviewing and Interrogation, Durham: Carolina Academic Press, 1992, p.8.
Advantage and Disadvantages Advantages of an interview (non-accusatory) Facilitates the development of cooperation. Easier to develop rapport. More effective way of developing usable information. Disadvantagesof interrogation Interviewee may be alienated and refuse to speak to anyone later. If interviewee will not speak to anyone, ability to obtain information or admission is diminished. Source: John E. Reed Associates, Inc.