Workplace Fraud and Forensics: Ferreting out the Facts

Workplace Fraud and Forensics: Ferreting Out the Facts

Friday, July 13, 2012 9 a.m.–4 p.m.

Oregon State Bar Center Tigard, Oregon

6.25 General CLE credits Workplace Fraud and Forensics: Ferreting Out the Facts

The materials and forms in this manual are published by the Oregon State Bar exclusively for the use of attorneys. Neither the Oregon State Bar nor the contributors make either express or implied warranties in regard to the use of the materials and/or forms. Each attorney must depend on his or her own knowledge of the law and expertise in the use or modification of these materials.

OREGON STATE BAR 16037 SW Upper Boones Ferry Road P.O. Box 231935 Tigard, OR 97281-1935 ii Table of Contents

Schedule...... v

Faculty...... vii

1. The Workplace Fraud Profile—Presentation Slides...... 1–i — Bill Douglas, Cost Advisors, Inc., Portland, Oregon

2. Background Checks...... 2–i — Kelly Paxton, Financial CaseWorks LLC, Portland, Oregon

3. Legal Issues in Employee Fraud—Presentation Slides...... 3–i — Katherine Heekin, The Heekin Law Firm, Portland, Oregon

4A. PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides...... 4A–i — Joel Brillhart, Professional Forensic Services, Portland, Oregon

4B. Mac and iOS Computer Forensics...... 4B–i — Eli Rosenblatt, Eli Rosenblatt Investigations, Portland, Oregon

5. A Skeptic’s Guide to Advanced Internet Searching—Presentation Slides...... 5–i — Jan Davis, JT Research LLC, Portland, Oregon

6. Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides...... 6–i — Bill Douglas, Cost Advisors, Inc., Portland, Oregon

iii iv Schedule

8:00 Registration 9:00 The Workplace Fraud Profile F Prevalence of occupational fraud F How fraud is committed and how much is lost F Detecting and preventing fraud F The perpetrators Bill Douglas, Cost Advisors, Inc., Portland 10:00 Background Checks F Why conduct background investigations F How to conduct a background investigation F Pitfalls of background investigations Kelly Paxton, Financial CaseWorks LLC, Portland 11:00 Break 11:15 Legal Issues in Employee Fraud F Gathering evidence F Interviews—order, environment, and techniques F Discharge F Engaging law enforcement Katherine Heekin, The Heekin Law Firm, Portland 12:15 Lunch 1:00 Computer Forensics: Mac vs. PC F Techniques F Expected results F Case histories Moderator: Bill Douglas, Cost Advisors, Inc., Portland Moderator: Kelly Paxton, Financial CaseWorks LLC, Portland Joel Brillhart, Professional Forensic Services, Portland Eli Rosenblatt, Eli Rosenblatt Investigations, Portland 2:00 A Skeptic’s Guide to Advanced Internet Searching F Search engine battles (Bing, Google) F Browsers wars (Firebox, IE) F Business and individual background checks F Social media as a research tool Jan Davis, JT Research LLC, Portland 2:45 Break 3:00 Which One Is Different—Data Mining and Forensic Analytics F Data mining examples F Excel as a data mining tool Bill Douglas, Cost Advisors, Inc., Portland 4:00 Adjourn

v vi Faculty

Joel Brillhart, Professional Forensic Services, Portland. Mr. Brillhart is a Certified Forensic Computer Examiner by the International Association of Computer Investigative Specialists and a CPA (license issued by the Iowa Accountancy Board). He conducts examinations of computers, cell phones, PDAs, and other digital media and provides expert analysis, data recovery, and witness services for criminal and civil litigation, internal corporate investigations, and private concerns. He has worked as a Media Exploitation Analyst in Iraq, as a Special Agent for the Federal Bureau of Investigation, and as an internal auditor. Mr. Brillhart has lectured on electronic forensics on several occasions.

Jan Davis, JT Research LLC, Portland. Ms. Davis is president of JT Research, where she coordinates a team of trained information specialists to provide business professionals with the data they need. Her primary clientele consists of financial analysts, business appraisers, CPAs, business brokers, and economists. Ms. Davis is the former library director at Willamette Management Associates and understands the research needed for business valuation reports and litigation support cases. Her five years of experience as business/economics librarian at Willamette University give her a strong background in academic research. She received her Masters in Library and Information Studies from U.C. Berkeley and has over 15 years of experience in academic and corporate libraries.

Bill Douglas, Cost Advisors, Inc., Portland. Mr. Douglas is the president of Cost Advisors, Inc., a consulting firm that he founded in 1999; Cost Advisors’ focus is accounting investigation and forensics. Mr. Douglas also volunteers with the Fraud and Identity Theft Enforcement Team of the Washington County Sheriff’s Office. He has managed nearly 100 financial projects at both large and small companies. Before founding Cost Advisors, Mr. Douglas held management positions at Tektronix, Inc., and FLIR Systems, Inc. He has also been an auditor with Deloitte and CFO of a software firm. Mr. Douglas is a CPA in Oregon, California, and Washington, certified in Financial Forensics, a Certified Information Technology Professional, a Certified Fraud Examiner, a Certified Internal Auditor, and an Oregon Licensed Private Investigator. He is a member of the American Institute of CPAs, the Northwest Fraud Investigators Association, and the Oregon Association of Licensed Investigators and an affiliate member of the Multnomah Bar Association. Mr. Douglas is past chair of the Oregon Society of CPAs Business & Industry Committee, a past board member of the Oregon Association of Certified Fraud Examiners, and a past officer of the Oregon chapter of the Institute of Internal Auditors. He is a frequent speaker, writer, and trainer on topics related to white-collar crime and financial controls.

Katherine Heekin, The Heekin Law Firm, Portland. Ms. Heekin resolves business disputes, particu- larly complex fraud-related claims. As an attorney and a certified fraud examiner, Ms. Heekin is among a select group of professionals educated, trained, and experienced in preventing and rem- edying fraud. She is also a proven leader in electronic evidence management techniques and technologies. She has been engaged as a consultant in electronic evidence management and as a trainer in fraud prevention. She is a Fellow of the American Bar Foundation, an instructor for the Forensic Accounting Academy, a member of the Federal Bar Association, and a member and past secretary of the Uniform Civil Jury Instructions Committee.

vii FACULTY (Continued)

Kelly Paxton, Financial CaseWorks LLC, Portland. Ms. Paxton specializes in financial investigations from the initial background interview to the tracing of funds in embezzlement, elder abuse, and misappropriation of assets. Ms. Paxton also has investigated mortgage fraud. She brings over 13 years of law enforcement experience to her current role as principal of Financial CaseWorks LLC, a private investigative firm. Ms. Paxton also is a contract special investigator for Keypoint Government Services, performing background investigations for the Department of Homeland Security. She maintains a security clearance for this contract. In addition, Ms. Paxton has been a public arbitrator for the Financial Industry Regulatory Authority since 2001. Previously, Ms. Paxton was the analyst for the Fraud Identity Theft Enforcement Team at the Washington County Sheriff’s Office, where she worked with FITE detectives on a variety of financial crime cases. Ms. Paxton started her law enforcement career as a Special Agent for the U.S. Customs Office of Investigations. Before entering law enforcement, Ms. Paxton was a licensed stockbroker and a trader/contract negotiator. Eli Rosenblatt, Eli Rosenblatt Investigations, Portland. Trained in the early 1990s at the California Appellate Project, Mr. Rosenblatt began freelance work assisting attorneys with death penalty appeals and expanded his investigation practice to include numerous types of criminal defense and civil cases. He now works as an investigator and forensic expert based in Portland, where he conducts workplace, background, fraud, civil, and criminal defense investigations for lawyers and individuals. As a Certified Fraud Examiner who is also certified for forensic examination of Apple devices, Mr. Rosenblatt is especially qualified to conduct comprehensive professional forensic examinations to detect and understand evidence of alleged fraud on all Macs and iOS devices. Mr. Rosenblatt is Oregon’s only Board Certified Criminal Defense Investigator (CCDI) and one of only three CCDIs in the nation that is also a Certified Fraud Examiner. In addition, he is a Certified Forensic Interviewer and has been certified by the State Medical Examiner as a Medicolegal Death Investigator.

viii Chapter 1 The Workplace Fraud Profile— Presentation Slides

Bill Douglas Cost Advisors, Inc. Portland, Oregon

1–i Chapter 1—The Workplace Fraud Profile—Presentation Slides

1–ii 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

The Workplace Fraud Profile Bill Douglas

Cost Advisors’ Background

Founded in 1999 Mission: Improve our client’s business and the lives of our employees Focus on Accounting Investigation and Forensics Logo symbolizes partnership with our clients

1–1

1 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Bill Douglas’ Background

President at Cost Advisors, Inc. 33 years experience Management positions in Accounting, Sales, Marketing CFO, IPO, 'Big 4' public accounting, business processes, recovery auditing, internal controls, fraud, internal auditing, Sarbanes-Oxley (SOX) Financial project management at both large and small public companies Volunteer Washington County Sheriff’s Dept. – Fraud Team Frequent speaker and writer about Internal Controls, Fraud

Bill Douglas’ Background

Credentials and memberships: OR, CA, WA Certified Public Accountant (CPA) Certified Internal Auditor (CIA) Certified Fraud Examiner (CFE) Certified in Financial Forensics (CFF) Certified IT Professional (CITP) OR Licensed Private Investigator (PI)

54 years old, happily married 29 years, no addictions, drive a Subaru

MULTNOMAH BAR ASSOCIATION (Affiliate Member) Northwest Fraud Investigators Association

1–2

2 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Fraud Vocabulary Quiz

Baksheesh

a) type of pita bread b) bribe c) water pipe for smokingLeft tobacco Blank Intentionally

Bicheiro

a) female puppy b) large sunhat Left Blank Intentionally c) numbers banker, bookie, or racketeer

Big Bath Charges a) specified charges on a water bill b) expenses written off inLeft quarterly Blank financial Intentionally statements when a company would record a loss anyway c) membership fees to join an Arab political party

Agenda – Occupational Fraud

1. Prevalence

2. How it’s committed

3. Detection

4. Victims

5. Perpetrators

6. Preventing

1–3

3 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Worldwide Corruption (Kroll % in white)

84% 84% 85%

Wait, wait…don’t tell me

Over the last year, what percentage of companies (worldwide) were affected by fraud?

a. 10% b. 50% c. 75% d. 100% Left Blank Intentionally

1–4

4 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Kroll Global Fraud Report 2011/2012* http://www.krollconsulting.com/insights-reports/global-fraud-reports//

75% (66% in North America) of companies affected by at least one fraud*

Fraud % of Revenue 5.00% 4.00% Left Blank Intentionally 3.00% 2.00% 1.00% 0.00% Average 18% of Companies

The 2011 PwC Global Cyber & Economic Crime Survey* www.pwc.com/crimesurvey

Cybercrime: It’s IT + HR + Marketing 34% affected in last 12 months Companies that looked for fraud, found fraud Left Blank Intentionally

* 3,877 respondents in 78 countries completed web-based survey. Published November 2011.

1–5

5 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Based on 1,388 fraud cases investigated worldwide.

Based on 473 cases appearing in court records, prosecutorial press releases, media accounts, vital records, government & regulatory filings and other public information.

Findings noted in green.

1–6

6 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Prevalence of Fraud

U.S. organizations lose 5%* of their annual revenues to fraud

Source: *Estimated in ACFE 2012 Report to the Nations. Kroll found 2.1%.

Amounts Lost (or Spent)

Every Year! 800 737 700 600 500 400 Billions 300 200 60 65 49 100 11 0 WorldCom Enron Madoff Lehman U.S. Fraud

1–7

7 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Distribution of Dollar Loss

Median $140,000

Median $340,000 per 2011 Marquet Report

Source: ACFE 2012 Report to the Nations

Recession – What Increased?

Kroll +55% 2011

Source: ACFE Occupational Fraud: A Study of the Impact of an Economic Recession, 2009.

1–8

8 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Fraud Triangle

Pressure

Rationalization Opportunity

Housing Bubble = Pressure

23% homes with negative equity now

1–9

9 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Unemployment = Pressure

Agenda – Occupational Fraud

1. Prevalence

2. How it’s committed

3. Detection

4. Victims

5. Perpetrators

6. Preventing

1–10

10 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Wait, wait…don’t tell me

The most frequent type of workplace fraud:

a. Theft (misappropriation) b. Corruption c. Misstated financial statements d. Odometer fraud Left Blank Intentionally

Occupational Fraud by Category - Frequency

Source: ACFE 2012 Report to the Nations

1–11

11 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Misappropriation Frequencies and $

Cash Receipts 26% Other 29%

Skimming Cash Larceny Cash on Hand Non-Cash 14.6% 11% 11.8% 17.2% $58K $54K $20K $58K

Cash Disbursements 64%

Billing Check Expense Payroll Cash 24.9% Tampering Reimbursements 9.3% Register 11.9% 14.5% 3.6% $48K $100K $143K $26K $25K Source: ACFE 2012 Report to the Nations

New Cybercrime category

Cybercrime – economic crime using computers and the internet

Types of Cyber Attack: Economic Crime - hacking Espionage – IP theft. Kroll: 50% Co.'s vulnerable Activism - WikiLeaks Terrorism – Power grid, Financial Systems Warfare

Source: Cybercrime: protecting against the growing threat, November 2011, PwC

1–12

12 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Fraud by Category – ACFE vs. PwC

Source: ACFE 2012 Report to the Nations & PwC Cybercrime Report 2011

Cybercrime a Growth Business!

Robbery White Cybercrime Collar Rewards are greater 9 9 Less chance of detection 9 9 Less chance of identification 9 Less chance of prosecution Criminal is remote 9 Law enforcement is not equipped 9 9 Less evidence 9 Smaller penalties 9 9

1–13

13 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Wait, wait…don’t tell me

How long does the average fraud last before detection?

a. 1 month b. 1 year c. 2 years d. Until the next administrationLeft Blank Intentionally is sworn in

Median Duration of Fraud Based on Scheme Type

Median is 24 months

Median is 49 months per 2011 Marquet Report

Source: ACFE 2012 Report to the Nations

1–14

14 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Fraud Vocabulary Quiz

Top Hatting

a) when a person wears a large hat to cover up their lack of hair, or baldness b) cover-up of something big c) changing a bet after theLeft outcome Blank hasIntentionally already been decided

Wet Ink Policies

a) life insurance policies that are sold immediately after being issued b) precautions a person mustLeft Blankfollow afterIntentionally getting a new tattoo c) prohibition of using jell pens to sign legal documents

Agenda – Occupational Fraud

1. Prevalence

2. How it’s committed

3. Detection

4. Victims

5. Perpetrators

6. Preventing

1–15

15 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Wait, wait…don’t tell me

How is fraud most often detected?

a. Auditors find it b. By police c. A tip d. By accident Left Blank Intentionally

Initial Detection of Occupational Frauds

* *

Source: ACFE 2012 Report to the Nations * Top detection per PwC

1–16

16 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Percent of Tips by Source 34% in companies without hotlines

Large % from external sources

Source: ACFE 2012 Report to the Nations

Frequency of Anti-Fraud Controls

Controls that make a difference

SOX = Controls required by the Sarbanes-Oxley Act Source: ACFE 2012 Report to the Nations

1–17

17 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Other Warning Signs

Records are disorganized or missing There are unexplained changes in your accounting records There is an unusual drop in available cash There are unusually large or numerous credit memos to others Bank reconciliations are late Bank deposits are delayed (i.e. deposits in transit too high) There are too many increases in past due accounts receivable Check amounts are altered Duplicate payments are made Too many payments are being made to individuals with the same name or address

Agenda – Occupational Fraud

1. Prevalence

2. How it’s committed

3. Detection

4. Victims

5. Perpetrators

6. Preventing

1–18

18 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Type of Victim Organization - Frequency

Source: ACFE 2012 Report to the Nations

Size of Victim Organization - Frequency

Small organizations more likely to be hit...but PwC results show the opposite

Source: ACFE 2012 Report to the Nations

1–19

19 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Victim Industry Frequency

Industry Number of Cases Percent of Cases * Banking and Financial Services 229 16.70% Government and Public Administration 141 10.30% * Manufacturing 139 10.10% Health Care 92 6.70% Education 88 6.40% Retail 83 6.10% Insurance 78 5.70% * Services (Professional) 55 4.00% Religious, Charitable or Social Services 54 3.90% Some industries are Services (Other) 48 3.50% more likely to hire Construction 47 3.40% CFEs Oil and Gas 44 3.20% Telecommunications 43 3.10% Technology 38 2.80% Transportation and Warehousing 36 2.60% Arts, Entertainment and Recreation 32 2.30% Real Estate 28 2.00% Wholesale Trade 27 2.00% Utilities 24 1.80% Agriculture, Forestry, Fishing and Hunting 20 1.50% Mining 9 0.70% Communications and Publishing 9 0.70% * Other 7 0.50%

Source: ACFE 2012 Report to the Nations * Top industries per PwC

Agenda – Occupational Fraud

1. Prevalence

2. How it’s committed

3. Detection

4. Victims

5. Perpetrators

6. Preventing

1–20

20 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Wait, wait…don’t tell me

What age group commits the most frauds?

a. > 60 year olds (their medical bills are higher) b. 46 to 60 year olds (can’t pay their mortgage) c. 36 to 45 year olds (divorce) d. 26 to 35 year olds (student loans, credit cards) e. < 26 year olds Left(minimum Blank Intentionally wage is not enough)

Age of Perpetrator — Frequency

Cybercrime criminals usually <40 years old (PwC) Source: ACFE 2012 Report to the Nations

1–21

21 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Wait, wait…don’t tell me

Who is more likely to commit fraud?

a. Short-term employees (< 5 years) b. Long-term employees (> 5 years)

Left Blank Intentionally

Tenure of Perpetrator — Frequency and Median Loss

47% 53%

Source: ACFE 2012 Report to the Nations

1–22

22 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Education of Perpetrator — Median Loss

The value of a good education!

Source: ACFE 2012 Report to the Nations

Wait, wait…don’t tell me

Male or Female?

a. Male b. Female

Left Blank Intentionally

1–23

23 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

The Glass Ceiling

36% male and 64% female Glass ceiling: per 2011 Marquet Report 77 cents per $1 all occupations 44 cents per $1 in fraud Source: ACFE 2012 Report to the Nations

High Ethical Standards?

Ranked ‘Very High’ or ‘High’ in ethical standards according to a Gallup Poll from November, 2008.

1–24

24 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Perpetrator’s Department

72% Accountants per 2011 Marquet Report

Source: ACFE 2012 Report to the Nations

Fraud Perception vs. Reality

70 22% - 72% of 60 frauds 50

Ranked ‘Very High’ or ‘High’ in ethical standards according to a Gallup Poll from November, 2008.

1–25

25 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Wait, wait…don’t tell me

What are the ‘red flags’ of a fraudster (all that apply)?

a. Living beyond means b. Divorce c. Wheeler-dealer attitude d. Addiction problemsLeft Blank Intentionally e. Pornography f. Slicked-back hair

Red Flags

Instability in Life Circumstances Excessive Family/Peer Pressure for Success Complained About Lack of Authority Past Legal Problems Excessive Pressure from Within Organization Refusal to Take Vacations Complained About Inadequate Pay Past Employment-Related Problems Addiction Problems Irritability, Suspiciousness or Defensiveness Wheeler-Dealer Attitude Divorce/ Family Problems Control Issues, Unwillingness to Share Duties Unusually Close Association with Vendor/Customer Financial Difficulties Living Beyond Means

0.00% 5.00% 10.00% 15.00% 20.00% 25.00% 30.00% 35.00% 40.00%

Acting alone 89.8% of the time per 2011 Marquet Report

Source: ACFE 2012 Report to the Nations

1–26

26 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Red Flags – Deviant Behavior Hypothesis

Drivers: Money, Power, Sex Workplace: Porn, affairs, harassment, bullying, fraud, theft

Power Sex

Money

Source: Using Deviant Behaviors of Others to Find Fraud (UDBOFF), Ryan Hubbs, June 2011.

Red Flags – Per KPMG

Bullies co-workers, rude, aggressive, threatening Stressed, unhappy, unmotivated Reluctance to produce records Outsized lifestyle, financial problems Accepts (improper) gifts, breaks rules Rumored bad habits, addictions, vices

Source: Who is a Typical Fraudster?, KPMG analysis of 349 actual fraud cases in 69 countries from January 2008 until December 2010.

1–27

27 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Agenda – Occupational Fraud

1. Prevalence

2. How it’s committed

3. Detection

4. Victims

5. Perpetrators

6. Preventing

Wait, wait…don’t tell me

Which control (of those in the list below) is MOST effective in reducing amounts lost to fraud?

a. Surprise Audits b. Code of Conduct c. Whistleblower hotline Left Blank Intentionally d. Mandatory vacations

1–28

28 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Effectiveness of Controls

Audits less effective

Source: ACFE 2012 Report to the Nations

Cash Fraud Detection Measures

Bank statements received unopened by mgr. Review for unknown charges (ACH, wires) Review checks for unknown payees (vendors) Review checks for unusual endorsements Note time lag in deposits reaching the bank

1–29

29 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Cash Fraud Detection Measures

Deposits Deposit slips – trend of cash vs. checks deposited Cash receipts reconciled to deposit slips Investigate complaints about ‘unpaid’ balance

Cash Fraud Detection Measures

Accounts Receivable Unauthorized write-offs (credits) Aged receivables Decrease in revenues

1–30

30 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Cash Fraud Detection Measures

Bank Reconciliations Performed by an independent person Unusual entries to cash general ledger accounts Cross-outs, white-out, photocopies

Takeaways

5% of revenue, two years Types: Corruption – largest organization losses Misappropriation – accountant’s favorite Watch out for 50-year-old male, divorced, accountant, with addiction problem, and a new sports car! Implement hotline, fraud training and reconciliations

1–31

31 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Backup Slides

Deducting Embezzlement Losses

The loss is deducted in the year discovered. Even if tax years are ‘closed’ The loss is reported NET of recovery. Issuing a Form 1099 MISC to the suspect is optional. If a form 1099 is issued: A separate Form 1099 may be issued for each year of loss OR A single 1099 MISC may be issued in the year the loss was discovered

1–32

32 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

How to work with your Bank

Bank Anti-fraud Reliance Standard Procedures Enhanced Services

1–33

33 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Standard Bank Procedures

Signatures on checks Signature Cards may be scanned Teller will verify if presented at drawn bank Not useful if presented at another bank or ATM Banks don’t check below a dollar threshold Fees start at $50 per month Electronic Transfers Require a requester and approver Templates can be changed by the requester

Enhanced Procedure - Positive Pay Starts at ~ $65 per month

Positive Pay File 9 Compares

Bank Company Check

Vendor Source: Bank of the Cascades

1–34

34 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Enhanced Procedure-ACH Filter (or Block) Starts at ~ $25 per month per account

Internet Transfer Request

Bank Company Blocked

Subsidiary Vendor Source: Bank of the Cascades

How to Pick a Bank

www.FDIC.gov

1–35

35 6/22/2012

Chapter 1—The Workplace Fraud Profile—Presentation Slides

Fraud Vocabulary Quiz

Channel Stuffing a) when a person stuffs the remote into their clothing to prevent others from changing the television channel b) shipping unwanted inventoryLeft Blank to retailers Intentionally ahead of schedule which fills the distribution channels with more product than needed c) throwing garbage into a river, clogging and polluting it

Share Market Fraud a) companies secretly strip assets of their firms or illegally allocate shares of stock b) companies that lie aboutLeft their Blank ‘market Intentionally share’ c) collusion by stock brokerage firms sharing the best practices to defraud investors Take-out a) when a person steals money by hiding it in a doggie bag b) a bar that delivers beerLeft to the Blank home Intentionally without checking ID c) a warning to a conman that he is under suspicion

For More Information

Cost Advisors, Inc. 503-704-3719 www.costadvisors.com

Download: ‘Embezzlement Response Guide’

1–36

36 Chapter 1—The Workplace Fraud Profile—Presentation Slides

1–37 Chapter 1—The Workplace Fraud Profile—Presentation Slides

1–38 Chapter 2 Background Checks

Kelly Paxton Financial CaseWorks LLC Portland, Oregon

Table of Contents

I. Background Investigations ...... 2–1 II. Why Do a Background Investigation? 2–1 III. Business Necessity 2–2 IV. Current Issues ...... 2–2 V. Social Media ...... 2–2 VI. Other Issues ...... 2–3 VII. Conclusion ...... 2–5 VIII. Bibliography ...... 2–5 Appendix—Presentation Slides ...... 2–7

2–i Chapter 2—Background Checks

2–ii Chapter 2—Background Checks

I. Background Investigations Background investigations are an important tool not only for employment purposes but also due diligence purposes. Approximately 93% of all businesses utilize background investigations for some potential applicants and 73% for all potential applicants according to the 2010 report by the Society for Human Resource Management. A background investigation can cost as little as $20 to as much as $4,300. There are approximately 1,200 firms that offer background investigations. The background industry is a $4 to $5 billion per year industry according to the National Association of Professional Background Screeners, the industry trade group. II. Why Do a Background Investigation? According to numerous studies, one in three applicants is consid- ered to have lied on his or her resume and/or application. The business that does not vet its executives well is the one that ends up with the bad press. A recent example is the CEO of Yahoo. Yahoo’s chief executive officer Scott Thompson stepped down yesterday after an investigation by Third Party, a hedge fund and major investor in the company, revealed that he had lied about his education on his resume. Al- though Mr. Thompson’s biography indicated that he had earned degrees in accounting and computer science from Stonehill College, he never actually earned a degree in computer science. Mr. Thompson is not the only executive to resign following revelations that he or she lied or embellished academic credentials: In April 2007, the admissions dean for the Massachusetts Institute of Technology was forced to resign following revelations that she had fabricated academic degrees from Union College, Rensselaer Polytechnic Institute and Al- bany Medical School. In 2006, CEO of RadioShack, Dave Edmonson, resigned after it emerged that he lied about having degrees in theol- ogy and psychology. In 2002, Veritas Software’s stock price fell some 16% after it emerged that its CFO had fabricated his education. Not surprisingly, the revelation also led to his resignation. In 2002, the CEO of Bausch & Lomb, Ronald Zarrella, was forced to forfeit his bonus after it was revealed that he had never earned his MBA from New York University as claimed. Mr. Zarrella attended the university but never actually completed the program. Resume padding and exaggerating academic credentials are more common that one might think, and its prevalence

2–1 Chapter 2—Background Checks

extends far beyond the C-suite. In 2010, a HireRight survey of 1,818 organizations found that 69% of respondents reported that they had caught a job candidate lying on his or her resume. Moreover, the FBI has estimated that over 500,000 people nationwide claim college degrees that they never actually earned. Even in cases much less high-profile than Yahoo’s assuming that qualifications presented by potential candidates are always legitimate can damage your company’s reputation and bottom line. (Courtesy of MSA Investigations–New York City.) III. Business Necessity Being consistent is a very integral part of the background investigation process for a business. According to the Insurance Information Network of California, lawsuits for negligent hiring, retention, and out- of-court settlements in California due to workplace violence averaged over $500,000; jury verdicts in these cases averaged about $3 million (Rosen, L. 2006). IV. Current Issues State lawmakers also are concerned about employers looking into people’s credit. Over the past three years, seven states have enacted laws barring employers in many instances from gaining access to credit reports. Fifteen states have similar legislation pending. No one expects a sudden stop to background checks. The key will be what employers do with the information they gather. Companies should ask applicants about potentially negative reports to give them a chance to explain away errors that inevitably come up and also to put their circumstances into context, says Cynthia Springer, a labor and employment lawyer in Indiana. “Collecting the information isn’t the big issue right now, it’s how it’s being used,” Springer says. “You should be doing a case-by- case analysis anytime you’re using criminal background information in making a decision.” V. Social Media A few weeks ago, Maryland became the first state to pass legislation that would ban employers from demanding that employees or job candidates turn over their social media. Rep. Eliot Engel (D–NY) has in- troduced legislation in the U.S. House of Representatives that would out- law this practice nationally. The bill, known as Social Networking Online Protection Act (SNOPA) (http://www.govtrack.us/congress/bills/112/ hr5050), is broader than the Maryland bill. According to a press release (http://engel.house.gov/index.cfm?sectionid=24&itemid=3199) from Congressman Engel, SNOPA covers not only employers but also schools and universities. Although the text of the bill is not yet available online, the press release further notes that SNOPA would accomplish two objectives:

2–2 Chapter 2—Background Checks

F Prohibit current or potential employers from requiring a username, password or other access to online content. It does not permit employers to demand such access to discipline, discriminate or deny employment to individuals, nor punish them for refusing to volunteer the information. F Apply the same restrictions to colleges and universities, and K–12 schools as well. While I agree that requiring applicants to furnish social media passwords as a condition of employment is, generally, a bad business practice, I fear that the firestorm [http://www.theemployerhandbook.com/2012/03/ employer-demand-facebook-password.html] about employers supposedly demanding social media passwords is drastically overblown. The examples of employers— most notably the City of Bozeman [http://arstechnica. com/web/news/2009/06/bozeman-apologizes-backs- down-over-facebook-login-request.ars] and the Mary- land Department of Corrections ]http://www.switched. com/2011/02/23/maryland-stops-asking-applicants-for- facebook-login/]—who have made this stupid mistake are old news. Both employers were publicly scrutinized and shamed into stopping. (Courtesy of The Employer Handbook.) VI. Other Issues Perhaps we are asking the wrong question. Let me suggest that the proper question is not “Can the employer conduct a background check?” but rather “Can an employer use the information found on the background check to deny employment to the applicant or employee?” The short answer is “Yes, under the right circumstances.” So let’s see if we can get some help in determining when and how we can use background checks in the hiring process. While the EEOC has not issued regulations, it has provid- ed some guidelines. Employers are expected to consider the following factors: 1. The nature and gravity of the offense(s); 2. The time that has passed since the conviction and/ or completion of the sentence; and 3. The nature of the job held or sought. The federal courts have also stated that employers need to have a legitimate business justification, which can include, in addition to the above EEOC guidelines, safety and well being of others at the job site or in the immediate area. The

2–3 Chapter 2—Background Checks

policy must then be narrowly tailored to meet the stated justification. Essentially, the EEOC, and the federal courts expect employers to weigh the type of offense and time passed since the offense against the nature of the job to determine if the employer has a justification for refusing to hire a candidate. For example, an applicant’s 15-year old DWI conviction is unlikely to be relevant if s/he is applying for a bookkeeping position. For that matter if s/he was ar- rested but not convicted for DWI, then denying him or her the job will also be inappropriate and perhaps illegal. If however, this same applicant for the bookkeeping position has a 3-year old embezzlement conviction, the employer could refuse to hire. When might a DWI conviction be relevant? In the Pepsi case if the applicant sought work for Pepsi as a driver, s/he should probably expect to be rejected. OK, how about one final example: suppose you have a male applicant with a sexual assault conviction and you employ mostly women, some of whom often stay late when the area may not be well-trafficked or well-lit? One would be hard-pressed to argue lack of business justification there! So, here are some take-away’s for employers: 1. If you do not already have one, create a written policy that discusses your hiring criteria and how you will screen your applicants and hiring criteria. This policy should take into consideration the type of positions for which you are hiring and should allow you to make a de- termination on a case by case basis and take all relevant facts into consideration. 2. Be able to easily articulate a justification any time you deny a job to an applicant based on his/her background check results. 3. Make sure your policy is narrowly tailored to meet your business 4. Justification(s). If your policy is broader than necessary to meet the justification(s) you have articulated (even if only to yourself) you will be vulnerable if an applicant files an EEOC complaint. Finally, one more caveat: As of today, at least 25 states and at least one city have passed their own laws limiting the circumstances under which employers can inquire into an applicant’s criminal history. Check to see if your state (or city) has imposed any such limitations! (Courtesy of Janet Levey Frisch.)

2–4 Chapter 2—Background Checks

VII. Conclusion Background investigations are a useful tool if used properly. There are numerous pitfalls, though, that can cost a business money and reputation. Background investigations no longer just consist of criminal history and credit checks. If a business does not believe it is able to adequately and appropriately complete the process, it should seek to outsource the function. Social media is now a part of the background investigation process. Social media is not just something your kids use. Social media is important in hiring and employment decisions. Social media is not going away. There are a lot of excellent resources to help you navigate this new and growing part of the background investigation process. VIII. Bibliography F Rosen, Lester (2006), The Safe Hiring Manual. F Society for Human Resource Management. F Frisch, Janet Levey (2012). F MSA Investigations New York City (2012). F Meyer, Eric, The Employer Handbook (2012).

2–5 Chapter 2—Background Checks

2–6 6/20/2012

Chapter 2—Background Checks

Appendix—Presentation Slides

Background Investigations

Oregon State Bar July 13, 2012

Goals

What is a Background Investigation? Why do a Background Investigation? How to do a Background Investigation (or where to get one done)

2–7

1 6/20/2012

Chapter 2—Background Checks

Old School vs. New School

Name that CEO

2–8

2 6/20/2012

Chapter 2—Background Checks

Scott Thompson-Yahoo!

Local Resume Padding

2–9

3 6/20/2012

Chapter 2—Background Checks

Robert Hulshof-Schmidt

Hulshof-Schmidt, 46, admitted to forging his employment application by representing that he had a graduate degree. He did not. According to the court, his formal application included a University of Washington transcript that he had altered to show completed coursework.

Kelly Paxton, CFE, PI

Licensed Private Investigator (OR) Certified Fraud Examiner Principal, Financial CaseWorks LLC Special Agent US Customs 1993-1998 Registered Stock/Commodity Broker 1987-1990

2–10

4 6/20/2012

Chapter 2—Background Checks

BI – What exactly is one?

Fingerprints? Internet Sites? Big Brother surprise

Websites & Databases

No single database No LEDS/NCIC Private Companies Search engines Blog searches

2–11

5 6/20/2012

Chapter 2—Background Checks

Background Investigation Facts 93% of organizations use some form of BI(SHRM 2010) 1 in 3 applicant falsifies information $20 to $4300 $4-5 billion industry with 1200 companies

Reasons for BI’s

Pre-employment screening Employee promotion/transfer Outside party for board position Screening third party service providers Due diligence Investigating any suspected theft/misuse

2–12

6 6/20/2012

Chapter 2—Background Checks

Why do a Background Investigation?

What you don’t know can/will hurt you Knowledge is good

Applicant Lies

Degree not earned Diploma Mills/Fake Degree Job Title Employment Dates Compensation Lack of criminal record

2–13

7 6/20/2012

Chapter 2—Background Checks

Even George Costanza did it

http://www.youtube.com/watch?v=_T35Q hLx_KI

Careerexcuse.com

2–14

8 6/20/2012

Chapter 2—Background Checks

How to do a Background Investigation

Where to start? Resources The actual interview

Starting the Process

Job Description- Business Necessity Forms-application, FCRA and waivers

2–15

9 6/20/2012

Chapter 2—Background Checks

Critical Application Items

Background Check Broadest language about convictions Release for previous employers 5-10 years employment 7-10 years addresses Contact current employer??

Red Flags

Not completing application Not signing application No consent for background screening Criminal questions left blank

2–16

10 6/20/2012

Chapter 2—Background Checks

Red Flags cont’d

Can’t recall former supervisor Gaps in employment history Excessive crossouts/changes

Expungement

Difficult in today’s environment Private databases unaffected by court’s expungement order Attorneys now suggest preparing letter addressing issue Be upfront and honest

2–17

11 6/20/2012

Chapter 2—Background Checks

Resources

Google is your BFF (best friend forever but be careful) The deep web (PIPL, Spokeo) Background screening firms (NAPBS)

www.pipl.com

http://www.pipl.com

2–18

12 6/20/2012

Chapter 2—Background Checks

The Interview

Rapport Fill in the gaps Body language Ask the right questions Get more references

New Age Lie Detector Test

Background checks-Concerns? Criminal convictions-Concerns? Previous employers-What will they say? Previous employers-job issues etc? Unexplained gaps in employment history?

2–19

13 6/20/2012

Chapter 2—Background Checks

Good vs. Bad

Have you ever used a Maiden Name? different name?

If hired, can you show When did you graduate proof of age? high school?

If hired will you be able to Are you a US Citizen? provide proof of eligibility to work in the US?

Can you be reached at Do you own your home or this address? rent?

Social Networking

What can you use? Technology ahead of the law Policies and procedures

2–20

14 6/20/2012

Chapter 2—Background Checks

Reasons they don’t use SM- Per SHRM

SNOPA

2–21

15 6/20/2012

Chapter 2—Background Checks

What is SNOPA?

Social Networking Online Protection Act If passed, SNOPA would "prohibit current and potential employers for requiring a username, password or other access to online content," according to a news release on Engel's website. These constraints would also apply to schools from kindergarten through university level.

SNOPA cont’d

The SNOPA bill's other co-sponsor, Schakowsky, said in a prepared statement: "The American people deserve the right to keep their personal accounts private. No one should have to worry that their personal account information, including passwords, can be required by an employer or educational institution, and if this legislation is signed into law, no one will face that possibility.” Maryland 1st state to do this-other states in process

2–22

16 6/20/2012

Chapter 2—Background Checks

Lifestyle issues?

Pay attention

He noticed a change in Milligan’s behavior and wondered how she could afford the assets she had — including a Cadillac Escalade, a horse arena, and several horses — on her salary. 5/17/2012 Rhonda Milligan pled guilty to 1 count, admitted $848k embezzlement

2–23

17 6/20/2012

Chapter 2—Background Checks

Oregon and Credit Checks

House Bill 1045 Exceptions: banks and credit unions, public safety and LEOs “Substantially job-related-no guidance from State but probably very narrow

Credit Reports

Today’s economy Negative information valid predictor of job performance? Outside of applicant’s control? Consistent in use of negative information? Have you documented the decision?

2–24

18 6/20/2012

Chapter 2—Background Checks

After the Investigation

Housekeeping Complying with FCRA Purging the files

Background Investigations

Resources Limits of BIs Fair Credit Reporting Act Not just for employees Be consistent

2–25

19 6/20/2012

Chapter 2—Background Checks

Resources-Always Changing!

Google Pipl Social networking - Facebook - Twitter - Spokeo Credit reports??

Final Thoughts

BI’s are not just for employment What you don’t know can hurt you The Internet makes it easier and more difficult

2–26

20 6/20/2012

Chapter 2—Background Checks

Typical Client

Medical offices – Employee theft/dishonesty, new hires Families – Elder Financial Fraud, backgrounds on caregivers Small Business owners – Due diligence on potential business dealings/partners, new hires Attorneys – litigation support, asset research and identification and recovery

References

Shepard, I.M. and Duston, R (1998) Thieves at Work: An Employer’s Guide to Combating Workplace Dishonesty. Murphy, K.R. (1993) Honesty in the Workplace. The Background Investigator Brody, Richard G. (2008) Beyond the Basic Background Check: Hiring the “Right” Employees. Rosen, Lester S. (2006) The Safe Hiring Manual Society of Human Resource Management Survey Meyer, Eric The Employer Handbook (2012)

2–27

21 6/20/2012

Chapter 2—Background Checks

Questions?

Contact Kelly Paxton at: 503-956-9147 [email protected]

2–28

22 Chapter 2—Background Checks

2–29 Chapter 2—Background Checks

2–30 Chapter 3 Legal Issues in Employee Fraud—Presentation Slides

Katherine Heekin The Heekin Law Firm Portland, Oregon

3–i Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

3–ii 7/3/2012

Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

LEGAL ISSUES IN EMPLOYEE FRAUD

JULY 13, 2012 Katherine Heekin 808 S.W. Third Ave., Suite 540 Portland, OR 97204 503-222-5578

3–1

1 7/3/2012

Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

Conducting an Investigation

• Upjohn v. United States, 449 U.S. 383 (1981), warnings – Give before interview begins. – Interview is confidential and may not disclose substance. – Privilege held by entity. Disclose without notifying you. – Allow for questions. – Memorialize that warning was given. • Employees who report to internal compliance programs are not whistleblowers and often are not protected after making an internal complaint. E.g. Brown & Root v. Donovan, 747 F.2d 1029 (5th Cir. 1984).

3–2

2 7/3/2012

Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

Discipline and Termination

• Clear, written policies • Communicated regularly • Enforced consistently • Documented adequately

Relevant Case Law

• ORS 659A.300(1) states no polygraphs for private sector employers

• Buckel v. Nunn, 133 Or App 399, 405-07 – false imprisonment factors – door blocked, one phone call, threatened jail

• Asay v. Albertson’s, Inc., 2007 US Dist LEXIS 31678 (Or App 2007) – fear alone is insufficient to show restraint of freedom

• ORS 659A.199 – protection for whistleblowers from retaliation

3–3

3 7/3/2012

Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

Representative Cases

In the Matter of Banc of Am. Sec. LLC, SEC Admin. Proc. File No. 311425 Exchange Act Release No. 34 49386, 82 SEC Docket 1264 (Mar. 10, 2004) ($10 million fine for allegedly misleading securities regulators and delay in producing evidence)

Coleman (Parent) Holdings Inc. v. Morgan Stanley & Co., Inc., 2005 WL 674885 (Fla. Cir. Ct. Mar. 23, 2005) (adverse inference, partial default judgment, attorney fees, and jury verdict of $1.5 billion in compensatory and punitive damages)

In re September 11th Liability Insurance Coverage Cases, 243 F.R.D. 114, 132 (S.D.N.Y. 2007) (insurer and counsel jointly and severally liable for $500,000 as Rule 37 sanctions); and 18 U.S.C. §§ 1512, 1519, 1520(b), 1520(c) (Sections 802 and 1102 of the Sarbanes- Oxley Act imposing fines and prison terms for altering or destroying electronic information).

Moore v. Gen. Motors Corp., 558 S.W.2d 720, 735-37 (Mo. App. 1977) (no spoliation where records destroyed as required by policy and no knowledge of pending litigation, no evidence of fraud, deceit or bad faith, and plaintiff made no effort to obtain through discovery once suit began)

Kucala Enterprises, Ltd. v. Auto Wax Co., Inc., 2003 WL 21230605, at *8 (N.D.Ill. May 27, 2003)(magistrate recommended dismissal and attorney fees to defendant because plaintiff violated duty to preserve by using a software program to erase the contents of a hard drive), report and recommendation adopted as modified by Kucala Enterprises., Ltd. v. Auto Wax Co., Inc., 2003 WL 22433095 (N.D.Ill. Oct 27, 2003)

Qualcomm Inc. v. Broadcom Corp., 2008 WL 66932 (S.D. Cal Jan. 7, 2008) (sanctions in excess of $8 million against Qualcomm, in-house and former outside counsel ordered to participate in case review and enforcement of discovery obligations program, and judge referred possible ethics violations to California state bar)

3–4

4 7/3/2012

Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

Recouping Losses

• Criminal Action • Confession of Judgment • Civil Action • Insurance claim

Ripped from the Headlines

3–5

5 7/3/2012

Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

Enron

Fastow’s testimony Behind the Scenes of the Enron Trial: Creating the Decisive Moments, 44 American Criminal Law Review 217, Spring 2007, Number 2

3–6

6 7/3/2012

Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

The Corporate Culture Behind the Scenes of the Enron Trial: Creating the Decisive Moments, 44 American Criminal Law Review 219, Spring 2007, Number 2

Whistleblowing Behind the Scenes of the Enron Trial: Creating the Decisive Moments, 44 American Criminal Law Review 221, Spring 2007, Number 2

3–7

7 7/3/2012

Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

MADOFF

“BM had a marketing strategy that appeared to be based on false trust, not analysis.” --Harry Markopolos, CFA, CFE, written testimony before the U.S. House of Representatives Committee on Financial Services, 2/4/09

3–8

8 7/3/2012

Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

The False Trust

• BM was a founder and a former head of NASDAQ • BM’s brother, Peter, was a former vice-chairman of NASD and former director of Depository Trust Corporation • Brother-in-law is the only auditor to protect Madoff’s proprietary trading strategy • Affinity communities • “Special access” • Complicated structure and strategy • Unbelievable Returns • Secrecy

Complicated Structure

• “[T]he hedge fund isn’t organized as a hedge fund by Bernard Madoff (BM) yet it acts and trades like one.” - Harry Markopolos letter to SEC dated 11/7/05. • Pays 1% management fee and 20% of profits to other hedge fund managers. • Earns undisclosed commissions on trades. • “The investors that pony up the money don’t know that BM is managing their money. That Madoff is managing the money is purposely kept secret from the investors.” – SEC letter at 3. • Cheaper money is available in the short-term credit markets.

3–9

9 7/3/2012

Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

Complicated Strategy: the split-strike conversion • Purchase stock in index form (S & P 100) to match the index options plan to use. • Sell call options to generate income. • Buy put options to protect against market price declines. • “He knew most wouldn’t understand it and would be embarrassed to admit their ignorance so he would have less questions to answer.” – Markopolos testimony to Congress

Unbelievable Returns Attachment 1 to Markopolos SEC letter

3–10

10 7/3/2012

Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

Madoff’s auditor’s office: Friehling & Horowitz

Article by AP journalist, Jim Fitzgerald, dated Dec. 18, 2008 www.northjersey.com/ business/36363009.html

Tipsters

• “It is a sickening thought but if the SEC had bothered to pick up the phone and spend even one hour contacting the leads, then BM could have been stopped in early 2006.” – Markopolos written testimony to Congress at 24.

3–11

11 7/3/2012

Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

Local Stories

3–12

12 7/3/2012

Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

3–13

13 7/3/2012

Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

Contact

Katherine Heekin 808 S.W. Third Ave., Suite 540 Portland, OR 97204 503-222-5578

[email protected] WWW.HEEKINLAWOFFICE.COM

3–14

14 Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

3–15 Chapter 3—Legal Issues in Employee Fraud—Presentation Slides

3–16 Chapter 4A PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

Joel Brillhart Professional Forensic Services Portland, Oregon

4A–i Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

4A–ii 6/19/2012

Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

Prepared By: Joel Brillhart, CFCE Professional Forensic Services, LLC 503-348-6407 [email protected]

4A–1

1 6/19/2012

Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

The Microsoft Computer Dictionary defines the registry as:

◦ A central hierarchical database used in the Microsoft Windows family of Operating Systems to store information necessary to configure the system for one or more users, applications and hardware devices.

◦ The registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system and the ports that are being used.  The Microsoft Computer Dictionary defines the registry

– A central hierarchical database used in the Microsoft Windows family of Operating Systems to store information necessary to configure the system for one or more users, applications and hardware devices.

 System Configuration  User Names, Personal Settings & Preferences  You can determine where a computer has been through Wi-Fi Geo locations  You can determine what Devices (USB/Printers/ Phones/PDA’s) have been connected  You can see Web Browsing Activity by user  Find out what Programs have been executed, installed and deleted  See what files have been viewed by the user  You can find out User Entered Search Keywords

4A–2

2 6/19/2012

Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

4A–3

3 6/19/2012

Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

4A–4

4 6/19/2012

Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

4A–5

5 6/19/2012

Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

4A–6

6 6/19/2012

Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

4A–7

7 6/19/2012

Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

4A–8

8 6/19/2012

Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

4A–9

9 6/19/2012

Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

4A–10

10 6/19/2012

Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

Mumbo Jumbo “Rot 13 Encoded”

4A–11

11 6/19/2012

Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

4A–12

12 6/19/2012

Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

4A–13

13 6/19/2012

Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

4A–14

14 6/19/2012

Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

Thanks

Joel Brillhart, CFCE Professional Forensic Services, LLC 503-348-6407 [email protected]

4A–15

15 Chapter 4A—PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides

4A–16 Chapter 4B Mac and iOS Computer Forensics

Eli Rosenblatt Eli Rosenblatt Investigations Portland, Oregon

Table of Contents

I. Macs in the Workplace: More Macs Than Ever Before 4B–1 II. Macs in the Workplace: Proliferation of (and Concerns with) BYOD (Bring Your Own Device) ...... 4B–1 III. Why Do Forensics on a Mac? 4B–2 IV. Why Do Mac Forensics on a Mac? ...... 4B–2 V. Why Use a Mac-Certified Forensic Examiner? ...... 4B–3

4B–i Chapter 4B—Mac and iOS Computer Forensics

4B–ii Chapter 4B—Mac and iOS Computer Forensics

I. Macs in the Workplace: More Macs Than Ever Before A. Apple’s market share in the pc world continues to surge: http:// www.maclife.com/article/news/apples_market_share_pc_world_ continues_surge. B. Here’s the real reason Microsoft should be worried about Apple: http://wallstcheatsheet.com/stocks/here’s-the-real-reason-microsoft- should-be-worried-about-apple.html/. C. Survey: 8 in 10 businesses now using Macs: http://www. computerworld.com/s/article/9103958/Survey_8_in_10_businesses_ now_using_Macs?intsrc=hm_list. D. Apple infiltratesthe enterprise: 1/5 of global info workers use Apple products for work! http://blogs.forrester.com/frank_gillett/12- 01-26-apple_infiltrates_the_enterprise_15_of_global_info_workers_ use_apple_products_for_work_0. E. Apple computer sales grow faster than PC sales for five years: http://www.guardian.co.uk/technology/blog/2011/may/24/apple- sales-growth-pc-market. F. Apple’s enterprise reach growing thanks to iPad and iPhone: http:// gigaom.com/apple/apples-enterprise-reach-growing-thanks-to-ipad- and-iphone/. G. More iPhones/iPads subject to search warrants: http://gigaom. com/apple/more-iphones-subject-to-search-warrants-ipads-too/.

II. Macs in the Workplace: Proliferation of (and Concerns with) BYOD (Bring Your Own Device) A. IBM stung by BYOD pitfalls: http://gigaom.com/cloud/ ibm-stung-by-byod-pitfalls/. B. Study finds BYODdevices not secured: http://gcn.com/ articles/2012/04/09/byod-devices-not-secured-study-finds.aspx? sc_lang=en. C. Two-thirds of the phones sold in Q1 were iPhones: http://gigaom. com/apple/report-23-of-top-u-s-carrier-sales-in-q1-were-iphones/. D. The new iPad has CIOs quaking in their cubicles: http://gigaom. com/cloud/the-new-ipad-has-cios-quaking-in-their-cubicles/. E. iOS domination of the tablet market: http://www.gartner.com/ it/page.jsp?id=1800514.

4B–1 Chapter 4B—Mac and iOS Computer Forensics

III. Why Do Forensics on a Mac? A. Apple’s significantly lower total cost of ownership (TCO): Stories at ZDNet,1 TUAW, 2 TechPatio,3 Opensurge,4 Kirk Knoernschild’s Tech District,5 American Chronicle,6 Salon.com,7 Mac-vs-PC,8 and great anec- dotal evidence from my own and colleagues’ practices). B. Flexibility: As one among many examples, the Hi-Tech Crimes Division of a metropolitan Southern California police department re- cently described the main reasons behind their having an all-Mac crime lab: The ability to run windows on a Mac, the proliferation of Macs found in evidence, and a major cost savings. C. Solid forensic tools, support, and training from BlackBag Technologies. 1. BlackBag brings experience:9 Decades of experience from law enforcement and corporate computer labs, the Department of De- fense Cyber Crime Center, Defense Cyber Crime Institute, Defense Computer Forensics Laboratory, and California of Justice. In addition, cofounder and CTO Derrick Donnelly is the former Information Sys- tems & Technology Security Manager at Apple. 2. BlackBag tools include MacQuisition10 for data acquisi- tion, targeted data collection, and forensic imaging and BlackLight11 for comprehensive forensic examinations. 3. BlackBag provides comprehensive Mac and iOS forensic training12 for law enforcement and private sector analysts. IV. Why Do Mac Forensics on a Mac? A. Importance of a “native perspective”—best possible understand- ing for the examiner and viewers of the report of investigation. B. If using Windows, the Windows OS is interpreting the Mac data, and significant data is often missed and/or misinterpreted.

1 http://www.zdnet.com/blog/apple/tco-new-research-finds-macs-in-the- enterprise-easier-cheaper-to-manage-than-windows-pcs/6294. 2 http://www.tuaw.com/2009/03/13/macs-still-cheaper-when-you-look- at-tco/. 3 http://techpatio.com/2010/apple/mac/it-admins-total-cost-ownership- mac-less-pc. 4 http://opensurge.blogspot.com/2010/08/in-mac-vs-pc-cost-comparison- downtime.html. 5 http://techdistrict.kirkk.com/2010/03/11/cost-mac-or-pc-a-look-at-tco/. 6 http://www.americanchronicle.com/articles/view/38285. 7 http://www.salon.com/2007/11/07/mac_price/singleton/. 8 http://macvspc.info/. 9 https://www.blackbagtech.com/about.html. 10 https://www.blackbagtech.com/forensics/macquisition/macquisition. html. 11 https://www.blackbagtech.com/forensics/blacklight/blacklight.html. 12 https://www.blackbagtech.com/training.html.

4B–2 Chapter 4B—Mac and iOS Computer Forensics

C. Can mount any type of Mac-accessible volume (and lock it to preserve evidence, while reviewing that evidence in its original form, including the use of any applications not on the analyst system). D. QuickLook13 feature for easily viewing results without opening a file or starting an application. E. iWork files (Pages, Numbers, Keynote) generally not accessible to Windows forensics tools (incorrectly opens single bundled file as series of jumbled files). F. Windows treats the different “forks” of a single Mac file as separate files, thus giving inaccurate file counts, and missing potentially important file attributes such as color, locked status, visibility, and alias information. G. Case-sensitive file system used by iPhones and other iOS devices (as well as many Mac-formatted drives): Windows can’t properly han- dle files it sees as named the same. (Adapted from Mac Forensics: The Case for Native Analysis, a white paper published by BlackBag Technologies in September 2011.) V. Why Use a Mac-Certified Forensic Examiner? A. An Apple Certified Macintosh echnicianT (ACMT14) and/or Mac and iOS Certified Forensic Examiner (MiCFE15) understands all these issues and can help ensure industry best practices are followed. B. These professionals undergo rigorous Mac-specific training and stay up-to-date on all of the latest hardware and software changes and developments.

13 http://www.apple.com/findouthow/mac/%23quicklook. 14 http://training.apple.com/certification/acmt. 15 https://www.blackbagtech.com/training/micfe-certification.html.

4B–3 Chapter 4B—Mac and iOS Computer Forensics

4B–4 Chapter 5 A Skeptic’s Guide to Advanced Internet Searching— Presentation Slides

Jan Davis JT Research LLC Portland, Oregon

5–i Chapter 5—A Skeptic’s Guide to Advanced Internet Searching—Presentation Slides

5–ii 6/21/2012

Chapter 5—A Skeptic’s Guide to Advanced Internet Searching—Presentation Slides

A Skeptic’s Guide to Advanced Internet Searching

Oregon State Bar Portland, Oregon July 13, 2012

Jan Davis, MLIS JT Research LLC PO Box 8705 Portland, OR 97207 503-827-7241 www.jtresearch.com [email protected]

Research Strategy  The Internet “Library”  Reference room  Portals  Fee-based websites  “Card Catalog”  Search Engines  Storage  The deep web

5–1

1 6/21/2012

Chapter 5—A Skeptic’s Guide to Advanced Internet Searching—Presentation Slides

Research Strategy  What is the question?  What are the keywords and phrases?  Multiple spellings of names?  Who would write about it?  What format would the  Who would talk about it?  What would the ideal document contain and in what format?  Should I go to a fee-based database first, or the “free” internet, or pick up the phone? Answering these questions helps determine where to search and how to search

Search Engines

Two unique databases:  Google  Bing, which feeds Yahoo! Ask, Gigablast, Exalead  International  Baidu (China) http://www.baidu.com/  Yandex (Russia) http://www.yandex.com/  Directory at http://www.searchenginecolossus.com/  For more information on how to search: notess.com

5–2

2 6/21/2012

Chapter 5—A Skeptic’s Guide to Advanced Internet Searching—Presentation Slides

Precision Searching  Advanced search templates  Now hard to find these templates!  Command language  Phrase  Field searching

5–3

3 6/21/2012

Chapter 5—A Skeptic’s Guide to Advanced Internet Searching—Presentation Slides

Specialty Search Engines

 Let’s really get to know Google  http://www.google.com/intl/en/about/products/index.html  Images  Videos  News  Books  Scholar  Patents

Portals – Public Records

 Public Records Search  http://www.publicrecordsources.com/  Professional License Verifier  http://verifyprolicense.com  BlackBook  www.blackbookonline.info

5–4

4 6/21/2012

Chapter 5—A Skeptic’s Guide to Advanced Internet Searching—Presentation Slides

Portals – Company Info

• Rutgers • http://libguides.rutgers.edu/companies • Use red tabs at top of page • Hoovers.com • Privco.com • Securities and Exchange Commission • http://www.sec.gov/edgar/searchedgar/webusers.htm

People Search

 People  123people (www.123people.com/)  Spokeo (www.spokeo.com)  Zabasearch (www.zabasearch.com)  Zoominfo (www.zoominfo.com)  Pipl (www.pipl.com)  Intellius (www.intellius.com)

5–5

5 6/21/2012

Chapter 5—A Skeptic’s Guide to Advanced Internet Searching—Presentation Slides

Social Media  Facebook  LinkedIn  Plaxo  StumbleUpon  Blogs  Twitter  Dating Sites (www.directoryofdating.com and http://www.bigdatingdirectory.com)  Many many other social sites (see Pandia)

Searching Social Media  Google search and add “blog” or “LinkedIn” etc.  Blogs  www.technorati.com  Twitter  Search.twitter.com  Yauba.com  Friendfeed.com

5–6

6 6/21/2012

Chapter 5—A Skeptic’s Guide to Advanced Internet Searching—Presentation Slides

The Deep Web  Wayback Machine  www.archive.org

Fee-Based Databases  Pacer (www.pacer.gov)  Public access to court electronic records  Alacra (www.alacra.com)  Accurint (www.accurint.com)  Factiva – Dow Jones (www.dowjones.com)  Lexis-Nexis (www.lexisnexis.com)  KnowX.com

5–7

7 6/21/2012

Chapter 5—A Skeptic’s Guide to Advanced Internet Searching—Presentation Slides

Conclusion  Develop a research strategy  Know the difference between Google and other search engines  Consider fee-based sources  Verify the data  Hire an expert:  http://www.oregon-acfe.org  www.aiip.org

5–8

8 Chapter 5—A Skeptic’s Guide to Advanced Internet Searching—Presentation Slides

5–9 Chapter 5—A Skeptic’s Guide to Advanced Internet Searching—Presentation Slides

5–10 Chapter 6 Which One Is Different—Data Mining and Forensic Analytics— Presentation Slides

Bill Douglas Cost Advisors, Inc. Portland, Oregon

6–i Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

6–ii 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Which One is Different Data Mining and Forensic Analytics Bill Douglas

Agenda

1. Data Mining Examples 2. Data mining you can do in Excel

6–1

1 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

1. Data Mining for Fraud

What is CAATs?

Example #1 Accounting Queries

Example #2 Scanning Bank Statements

Example #3 Benford’s Law

What is CAATs?

Computer Assisted Audit Tools (CAATs) Examine 100% of transactions Analysis available: Duplicates Missing Records Queries (meeting certain criteria) Population summaries by field (pivot tables) Population statistics

6–2

2 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Data Sources

Import data from many sources Excel Acrobat (.pdf) Text Files (.txt, .doc) Print files (.prn) Hardcopy scans

.PRN File

6–3

3 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Example #1 Accounting Queries

Disbursements (Checks)

Vendor Master Accounting System List

Employee Master List

Example #1 Accounting Queries

Disbursements (Checks)

Data Mining Tool

Vendor Master Employee List Master List

6–4

4 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Example #1 Six Accounting Queries

Disbursements (Checks)

Duplicate Payments Payee not on Vendor List Non-payroll, non-expense report, payments to employees

Vendor Master Employee List Master List

Vendors with same address as employee Vendors using SS# as EIN Employees with no address

Example #2 One Set of Books?

Victim’s Victim’s Accounting System = Bank Statement

6–5

5 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Data Extraction - Review

Disbursements (Checks)

Vendor Master Accounting System List

Employee Master List

Disbursements in Excel

Disbursements (Checks)

6–6

6 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Example #2- Scanning Bank Statements Victim’s Bank Statement

Disbursements (per Accounting System)

Missing = Electronic Comparison

Example #3 -Benford’s Law

Frank Benford (1938), Simon Newcomb (1881) Some leading digits occur more/less frequently in most data

35.00%

30.00%

25.00%

Probability 20.00%

15.00%

10.00%

5.00%

0.00% 123456789

Leading Digit

6–7

7 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Example #3 -Benford’s Law

Compares expected amounts to actual amounts There were 1,368 occurrences of amounts beginning with $250

Summary of CAATs

Data from any source Every transaction can be tested (no sampling) Many tests possible. Comparison examples: Within accounting files Accounting records to bank statements Actual records to expected values (Benford)

6–8

8 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Agenda

1. Data Mining Examples 2. Data mining you can do in Excel

Goals and Assumptions

Do basic investigation yourself 1 hour spent here will save dozens (hundreds?) of hours at work

Assumptions: Data is in Excel 2007 or 2010 Basic knowledge of Excel (info for advanced Excel too)

6–9

9 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Data Mining in Excel Data Filters Empty data fields Conditional formatting Duplicates Comparing two Excel files Payee not on vendor list Pivot Tables High-dollar vendors Missing checks PowerPivot Reporting 19 © 2012 Cost Advisors, Inc. All rights reserved.

Data Filters - Setting

6–10

10 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Data Filters - Blanks

Data Filters - Others

6–11

11 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Data Filters - Suggestions Blank invoice numbers Employees or vendors with no address Vendors using a social security instead of EIN Odd characters at the end of the invoice number or check number (“.” “–” “a”) Invoice numbers 100, 101, 1000 or 1001

Data Filters - Clearing

6–12

12 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Data Mining in Excel Data Filters Empty data fields Conditional formatting Duplicates Comparing two Excel files Payee not on vendor list Pivot Tables High-dollar vendors Missing checks PowerPivot Reporting 25 © 2012 Cost Advisors, Inc. All rights reserved.

Conditional Formatting -

6–13

13 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Conditional Formatting with Data Filter

Conditional Format & Filter - Result

6–14

14 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Conditional Format - Suggestions Look for duplicates of: Invoice date Invoice number Invoice amount Vendor name

Data Mining in Excel Data Filters Empty data fields Conditional formatting Duplicates Comparing two Excel files Payee not on vendor list Pivot Tables High-dollar vendors Missing checks PowerPivot Reporting 30 © 2012 Cost Advisors, Inc. All rights reserved.

6–15

15 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Comparing Excel Files – First Sheet

Comparing Excel Files – Second Sheet

6–16

16 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Comparing Excel Files – Result

These vendors are missing from the vendor master list

Data Mining in Excel Data Filters Empty data fields Conditional formatting Duplicates Comparing two Excel files Payee not on vendor list Pivot Tables High-dollar vendors Missing checks PowerPivot Reporting 34 © 2012 Cost Advisors, Inc. All rights reserved.

6–17

17 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Pivot Table – Largest Vendors (step 1)

Pivot Table – Largest Vendors (step 2)

6–18

18 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Pivot Table – Largest Vendors (step 3)

Pivot Table – Largest Vendors - Suggestions Look for unusual vendor names and names of employees (‘cash’, ‘petty cash’, , ‘bank’, ‘credit card’, etc.) Discuss vendor disbursement levels with management

6–19

19 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Pivot Tables – Missing Check #s

Data Mining in Excel Data Filters Empty data fields Conditional formatting Duplicates Comparing two Excel files Payee not on vendor list Pivot Tables High-dollar vendors Missing checks PowerPivot Reporting 40 © 2012 Cost Advisors, Inc. All rights reserved.

6–20

20 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

What is PowerPivot

From Microsoft for Office (Excel) 2010 It’s Free

Features Turns Excel into a relational database Compresses data Speeds recalculation (DAX Reporting tool)

How to Get PowerPivot

64 bit Excel vs. 32 bit Excel

6–21

21 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

PowerPivot Tabs

Normal Tabs

PowerPivot Tabs

Normal Tabs

6–22

22 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Pivot Fields from Multiple Tabs (Tables)

PowerPivot Compression, Speed

Access Excel (native) PowerPivot Compression 327MB 82MB 12MB Recalculation ~ 30min < 30 seconds Worksheet size ~ 2GB 1,048,576 rows Millions of rows ~2GB

6–23

23 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Data Mining in Excel Data Filters Empty data fields Conditional formatting Duplicates Comparing two Excel files Payee not on vendor list Pivot Tables High-dollar vendors Missing checks PowerPivot Reporting 47 © 2012 Cost Advisors, Inc. All rights reserved.

Reporting – Set Print Area

6–24

24 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Reporting – Setup (Header)

Reporting – Setup (Footer)

6–25

25 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Reporting – Setup (Result)

Reporting - Duplicating Tabs

6–26

26 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

Reporting – Removing Meta Data

Reporting – encrypting for sending

Be sure to save the workbook with a new name - append “(encrypted)” to the filename

6–27

27 6/22/2012

Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

For More Information

Cost Advisors, Inc. 503-704-3719 www.costadvisors.com

Download: ‘Embezzlement Response Guide’

6–28

28 Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

6–29 Chapter 6—Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides

6–30