Workplace Fraud and Forensics: Ferreting Out the Facts
Friday, July 13, 2012 9 a.m.–4 p.m.
Oregon State Bar Center Tigard, Oregon
6.25 General CLE credits
The materials and forms in this manual are published by the Oregon State Bar exclusively for the use of attorneys. Neither the Oregon State Bar nor the contributors make either express or implied warranties in regard to the use of the materials and/or forms. Each attorney must depend on his or her own knowledge of the law and expertise in the use or modification of these materials.
Copyright © 2012
OREGON STATE BAR
16037 SW Upper Boones Ferry Road
P.O. Box 231935
Tigard, OR 97281-1935
Table of Contents
Schedule
Faculty
1. The Workplace Fraud Profile—Presentation Slides — Bill Douglas, Cost Advisors, Inc., Portland, Oregon
2. Background Checks — Kelly Paxton, Financial CaseWorks LLC, Portland, Oregon
3. Legal Issues in Employee Fraud—Presentation Slides — Katherine Heekin, The Heekin Law Firm, Portland, Oregon
4A. PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides — Joel Brillhart, Professional Forensic Services, Portland, Oregon
4B. Mac and iOS Computer Forensics — Eli Rosenblatt, Eli Rosenblatt Investigations, Portland, Oregon
5. A Skeptic’s Guide to Advanced Internet Searching—Presentation Slides — Jan Davis, JT Research LLC, Portland, Oregon
6. Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides — Bill Douglas, Cost Advisors, Inc., Portland, Oregon
Schedule
8:00 Registration
9:00 The Workplace Fraud Profile
- Prevalence of occupational fraud
- How fraud is committed and how much is lost
- Detecting and preventing fraud
- The perpetrators
Bill Douglas, Cost Advisors, Inc., Portland
10:00 Background Checks
- Why conduct background investigations
- How to conduct a background investigation
- Pitfalls of background investigations
Kelly Paxton, Financial CaseWorks LLC, Portland
11:00 Break
11:15 Legal Issues in Employee Fraud
- Gathering evidence
- Interviews—order, environment, and techniques
- Discharge
- Engaging law enforcement
Katherine Heekin, The Heekin Law Firm, Portland
12:15 Lunch
1:00 Computer Forensics: Mac vs. PC
- Techniques
- Expected results
- Case histories
Moderator: Bill Douglas, Cost Advisors, Inc., Portland
Moderator: Kelly Paxton, Financial CaseWorks LLC, Portland
Joel Brillhart, Professional Forensic Services, Portland
Eli Rosenblatt, Eli Rosenblatt Investigations, Portland
2:00 A Skeptic’s Guide to Advanced Internet Searching
- Search engine battles (Bing, Google)
- Browser wars (Firefox, IE)
- Business and individual background checks
- Social media as a research tool
Jan Davis, JT Research LLC, Portland
2:45 Break
3:00 Which One Is Different—Data Mining and Forensic Analytics
- Data mining examples
- Excel as a data mining tool
Bill Douglas, Cost Advisors, Inc., Portland
4:00 Adjourn
Faculty
Joel Brillhart, Professional Forensic Services, Portland. Mr. Brillhart is a Certified Forensic Computer Examiner by the International Association of Computer Investigative Specialists and a CPA (license issued by the Iowa Accountancy Board). He conducts examinations of computers, cell phones, PDAs, and other digital media and provides expert analysis, data recovery, and witness services for criminal and civil litigation, internal corporate investigations, and private concerns. He has worked as a Media Exploitation Analyst in Iraq, as a Special Agent for the Federal Bureau of Investigation, and as an internal auditor. Mr. Brillhart has lectured on electronic forensics on several occasions.
Jan Davis, JT Research LLC, Portland. Ms. Davis is president of JT Research, where she coordinates a team of trained information specialists to provide business professionals with the data they need. Her primary clientele consists of financial analysts, business appraisers, CPAs, business brokers, and economists. Ms. Davis is the former library director at Willamette Management Associates and understands the research needed for business valuation reports and litigation support cases. Her five years of experience as business/economics librarian at Willamette University give her a strong background in academic research. She received her Masters in Library and Information Studies from U.C. Berkeley and has over 15 years of experience in academic and corporate libraries.
Bill Douglas, Cost Advisors, Inc., Portland. Mr. Douglas is the president of Cost Advisors, Inc., a consulting firm that he founded in 1999; Cost Advisors’ focus is accounting investigation and forensics. Mr. Douglas also volunteers with the Fraud and Identity Theft Enforcement Team of the Washington County Sheriff’s Office. He has managed nearly 100 financial projects at both large and small companies. Before founding Cost Advisors, Mr. Douglas held management positions at Tektronix, Inc., and FLIR Systems, Inc. He has also been an auditor with Deloitte and CFO of a software firm. Mr. Douglas is a CPA in Oregon, California, and Washington, certified in Financial Forensics, a Certified Information Technology Professional, a Certified Fraud Examiner, a Certified Internal Auditor, and an Oregon Licensed Private Investigator. He is a member of the American Institute of CPAs, the Northwest Fraud Investigators Association, and the Oregon Association of Licensed Investigators and an affiliate member of the Multnomah Bar Association. Mr. Douglas is past chair of the Oregon Society of CPAs Business & Industry Committee, a past board member of the Oregon Association of Certified Fraud Examiners, and a past officer of the Oregon chapter of the Institute of Internal Auditors. He is a frequent speaker, writer, and trainer on topics related to white-collar crime and financial controls.
Katherine Heekin, The Heekin Law Firm, Portland. Ms. Heekin resolves business disputes, particularly complex fraud-related claims. As an attorney and a certified fraud examiner, Ms. Heekin is among a select group of professionals educated, trained, and experienced in preventing and remedying fraud. She is also a proven leader in electronic evidence management techniques and technologies. She has been engaged as a consultant in electronic evidence management and as a trainer in fraud prevention. She is a Fellow of the American Bar Foundation, an instructor for the Forensic Accounting Academy, a member of the Federal Bar Association, and a member and past secretary of the Uniform Civil Jury Instructions Committee.
Kelly Paxton, Financial CaseWorks LLC, Portland. Ms. Paxton specializes in financial investigations from the initial background interview to the tracing of funds in embezzlement, elder abuse, and misappropriation of assets. Ms. Paxton also has investigated mortgage fraud. She brings over 13 years of law enforcement experience to her current role as principal of Financial CaseWorks LLC, a private investigative firm. Ms. Paxton also is a contract special investigator for Keypoint Government Services, performing background investigations for the Department of Homeland Security. She maintains a security clearance for this contract. In addition, Ms. Paxton has been a public arbitrator for the Financial Industry Regulatory Authority since 2001. Previously, Ms. Paxton was the analyst for the Fraud Identity Theft Enforcement Team at the Washington County Sheriff’s Office, where she worked with FITE detectives on a variety of financial crime cases. Ms. Paxton started her law enforcement career as a Special Agent for the U.S. Customs Office of Investigations. Before entering law enforcement, Ms. Paxton was a licensed stockbroker and a trader/contract negotiator.
Eli Rosenblatt, Eli Rosenblatt Investigations, Portland. Trained in the early 1990s at the California Appellate Project, Mr. Rosenblatt began freelance work assisting attorneys with death penalty appeals and expanded his investigation practice to include numerous types of criminal defense and civil cases. He now works as an investigator and forensic expert based in Portland, where he conducts workplace, background, fraud, civil, and criminal defense investigations for lawyers and individuals. As a Certified Fraud Examiner who is also certified for forensic examination of Apple devices, Mr. Rosenblatt is especially qualified to conduct comprehensive professional forensic examinations to detect and understand evidence of alleged fraud on all Macs and iOS devices. Mr. Rosenblatt is Oregon’s only Board Certified Criminal Defense Investigator (CCDI) and one of only three CCDIs in the nation that is also a Certified Fraud Examiner. In addition, he is a Certified Forensic Interviewer and has been certified by the State Medical Examiner as a Medicolegal Death Investigator.
Chapter 1 The Workplace Fraud Profile—Presentation Slides
Bill Douglas Cost Advisors, Inc. Portland, Oregon
6/22/2012
The Workplace Fraud Profile Bill Douglas
Cost Advisors’ Background
- Founded in 1999
- Mission: Improve our client’s business and the lives of our employees
- Focus on Accounting Investigation and Forensics
- Logo symbolizes partnership with our clients
2 © 2008 Cost Advisors, Inc. All rights reserved.
Bill Douglas’ Background
- President at Cost Advisors, Inc.
- 33 years experience
- Management positions in Accounting, Sales, Marketing
- CFO, IPO, 'Big 4' public accounting, business processes, recovery auditing, internal controls, fraud, internal auditing, Sarbanes-Oxley (SOX)
- Financial project management at both large and small public companies
- Volunteer Washington County Sheriff’s Dept. – Fraud Team
- Frequent speaker and writer about Internal Controls, Fraud
3 © 2012 Cost Advisors, Inc. All rights reserved.
Bill Douglas’ Background
Credentials and memberships:
- OR, CA, WA Certified Public Accountant (CPA)
- Certified Internal Auditor (CIA)
- Certified Fraud Examiner (CFE)
- Certified in Financial Forensics (CFF)
- Certified IT Professional (CITP)
- OR Licensed Private Investigator (PI)
54 years old, happily married 29 years, no addictions, drive a Subaru
MULTNOMAH BAR ASSOCIATION (Affiliate Member) Northwest Fraud Investigators Association
Fraud Vocabulary Quiz
Baksheesh
a) type of pita bread
b) bribe
c) water pipe for smoking tobacco
Bicheiro
a) female puppy
b) large sunhat
c) numbers banker, bookie, or racketeer
Big Bath Charges
a) specified charges on a water bill
b) expenses written off in quarterly financial statements when a company would record a loss anyway
c) membership fees to join an Arab political party
Agenda – Occupational Fraud
1. Prevalence
2. How it’s committed
3. Detection
4. Victims
5. Perpetrators
6. Preventing
Worldwide Corruption (Kroll % in white)
84% 84% 85%
Wait, wait…don’t tell me
Over the last year, what percentage of companies (worldwide) were affected by fraud?
a. 10%
b. 50%
c. 75%
d. 100%
Kroll Global Fraud Report 2011/2012* http://www.krollconsulting.com/insights-reports/global-fraud-reports//
75% (66% in North America) of companies affected by at least one fraud*
[Chart: Fraud % of Revenue, vertical axis 0.00% to 5.00%; labels: Average, 18% of Companies]
* Worldwide survey of 1200+ senior executives June, July 2011 by The Economist Intelligence Unit.
The 2011 PwC Global Cyber & Economic Crime Survey* www.pwc.com/crimesurvey
- Cybercrime: It’s IT + HR + Marketing
- 34% affected in last 12 months
- Companies that looked for fraud, found fraud
* 3,877 respondents in 78 countries completed web-based survey. Published November 2011.
Based on 1,388 fraud cases investigated worldwide.
Based on 473 cases appearing in court records, prosecutorial press releases, media accounts, vital records, government & regulatory filings and other public information.
Findings noted in green.
Prevalence of Fraud
U.S. organizations lose 5%* of their annual revenues to fraud
Source: *Estimated in ACFE 2012 Report to the Nations. Kroll found 2.1%.
Amounts Lost (or Spent)
[Bar chart, in billions: WorldCom, Enron, Madoff, Lehman, U.S. Fraud ("Every Year!"); data labels as extracted: 737, 60, 65, 49, 11]
Distribution of Dollar Loss
Median $140,000
Median $340,000 per 2011 Marquet Report
Source: ACFE 2012 Report to the Nations
Recession – What Increased?
Kroll +55% 2011
Source: ACFE Occupational Fraud: A Study of the Impact of an Economic Recession, 2009.
Fraud Triangle
Pressure
Rationalization Opportunity
Housing Bubble = Pressure
23% homes with negative equity now
Unemployment = Pressure
Agenda – Occupational Fraud
1. Prevalence
2. How it’s committed
3. Detection
4. Victims
5. Perpetrators
6. Preventing
Wait, wait…don’t tell me
The most frequent type of workplace fraud:
a. Theft (misappropriation)
b. Corruption
c. Misstated financial statements
d. Odometer fraud
Occupational Fraud by Category - Frequency
Source: ACFE 2012 Report to the Nations
Misappropriation Frequencies and $
Cash Receipts 26%
- Skimming: 14.6%, $58K
- Cash Larceny: 11%, $54K
Other 29%
- Cash on Hand: 11.8%, $20K
- Non-Cash: 17.2%, $58K
Cash Disbursements 64%
- Billing: 24.9%, $100K
- Check Tampering: 11.9%, $143K
- Expense Reimbursements: 14.5%, $26K
- Payroll: 9.3%, $48K
- Cash Register: 3.6%, $25K
Source: ACFE 2012 Report to the Nations
New Cybercrime category
Cybercrime – economic crime using computers and the internet
Types of Cyber Attack:
- Economic Crime - hacking
- Espionage – IP theft. Kroll: 50% Co.'s vulnerable
- Activism - WikiLeaks
- Terrorism – Power grid, Financial Systems
- Warfare
Source: Cybercrime: protecting against the growing threat, November 2011, PwC
Fraud by Category – ACFE vs. PwC
Source: ACFE 2012 Report to the Nations & PwC Cybercrime Report 2011
Cybercrime a Growth Business!
Robbery White Cybercrime Collar Rewards are greater 9 9 Less chance of detection 9 9 Less chance of identification 9 Less chance of prosecution Criminal is remote 9 Law enforcement is not equipped 9 9 Less evidence 9 Smaller penalties 9 9
Wait, wait…don’t tell me
How long does the average fraud last before detection?
a. 1 month
b. 1 year
c. 2 years
d. Until the next administration is sworn in
Median Duration of Fraud Based on Scheme Type
Median is 24 months
Median is 49 months per 2011 Marquet Report
Source: ACFE 2012 Report to the Nations
Fraud Vocabulary Quiz
Top Hatting
a) when a person wears a large hat to cover up their lack of hair, or baldness
b) cover-up of something big
c) changing a bet after the outcome has already been decided
Wet Ink Policies
a) life insurance policies that are sold immediately after being issued
b) precautions a person must follow after getting a new tattoo
c) prohibition of using gel pens to sign legal documents
Agenda – Occupational Fraud
1. Prevalence
2. How it’s committed
3. Detection
4. Victims
5. Perpetrators
6. Preventing
Wait, wait…don’t tell me
How is fraud most often detected?
a. Auditors find it
b. By police
c. A tip
d. By accident
Initial Detection of Occupational Frauds
Source: ACFE 2012 Report to the Nations * Top detection per PwC
Percent of Tips by Source 34% in companies without hotlines
Large % from external sources
Source: ACFE 2012 Report to the Nations
Frequency of Anti-Fraud Controls
Controls that make a difference
SOX = Controls required by the Sarbanes-Oxley Act Source: ACFE 2012 Report to the Nations
Other Warning Signs
- Records are disorganized or missing
- There are unexplained changes in your accounting records
- There is an unusual drop in available cash
- There are unusually large or numerous credit memos to others
- Bank reconciliations are late
- Bank deposits are delayed (i.e. deposits in transit too high)
- There are too many increases in past due accounts receivable
- Check amounts are altered
- Duplicate payments are made
- Too many payments are being made to individuals with the same name or address
Agenda – Occupational Fraud
1. Prevalence
2. How it’s committed
3. Detection
4. Victims
5. Perpetrators
6. Preventing
Type of Victim Organization - Frequency
Source: ACFE 2012 Report to the Nations
Size of Victim Organization - Frequency
Small organizations more likely to be hit...but PwC results show the opposite
Source: ACFE 2012 Report to the Nations
Victim Industry Frequency
Industry | Number of Cases | Percent of Cases
* Banking and Financial Services | 229 | 16.70%
Government and Public Administration | 141 | 10.30%
* Manufacturing | 139 | 10.10%
Health Care | 92 | 6.70%
Education | 88 | 6.40%
Retail | 83 | 6.10%
Insurance | 78 | 5.70%
* Services (Professional) | 55 | 4.00%
Religious, Charitable or Social Services | 54 | 3.90%
Services (Other) | 48 | 3.50%
Construction | 47 | 3.40%
Oil and Gas | 44 | 3.20%
Telecommunications | 43 | 3.10%
Technology | 38 | 2.80%
Transportation and Warehousing | 36 | 2.60%
Arts, Entertainment and Recreation | 32 | 2.30%
Real Estate | 28 | 2.00%
Wholesale Trade | 27 | 2.00%
Utilities | 24 | 1.80%
Agriculture, Forestry, Fishing and Hunting | 20 | 1.50%
Mining | 9 | 0.70%
Communications and Publishing | 9 | 0.70%
* Other | 7 | 0.50%
Some industries are more likely to hire CFEs
Source: ACFE 2012 Report to the Nations * Top industries per PwC
Agenda – Occupational Fraud
1. Prevalence
2. How it’s committed
3. Detection
4. Victims
5. Perpetrators
6. Preventing
Wait, wait…don’t tell me
What age group commits the most frauds?
a. > 60 year olds (their medical bills are higher)
b. 46 to 60 year olds (can’t pay their mortgage)
c. 36 to 45 year olds (divorce)
d. 26 to 35 year olds (student loans, credit cards)
e. < 26 year olds (minimum wage is not enough)
Age of Perpetrator — Frequency
Cybercrime criminals usually <40 years old (PwC)
Source: ACFE 2012 Report to the Nations
Wait, wait…don’t tell me
Who is more likely to commit fraud?
a. Short-term employees (< 5 years) b. Long-term employees (> 5 years)
Tenure of Perpetrator — Frequency and Median Loss
47% 53%
Source: ACFE 2012 Report to the Nations
Education of Perpetrator — Median Loss
The value of a good education!
Source: ACFE 2012 Report to the Nations
Wait, wait…don’t tell me
Male or Female?
a. Male b. Female
The Glass Ceiling
36% male and 64% female per 2011 Marquet Report
Glass ceiling:
- 77 cents per $1 all occupations
- 44 cents per $1 in fraud
Source: ACFE 2012 Report to the Nations
High Ethical Standards?
Ranked ‘Very High’ or ‘High’ in ethical standards according to a Gallup Poll from November, 2008.
Perpetrator’s Department
72% Accountants per 2011 Marquet Report
Source: ACFE 2012 Report to the Nations
Fraud Perception vs. Reality
22% - 72% of frauds
Ranked ‘Very High’ or ‘High’ in ethical standards according to a Gallup Poll from November, 2008.
Wait, wait…don’t tell me
What are the ‘red flags’ of a fraudster (all that apply)?
a. Living beyond means
b. Divorce
c. Wheeler-dealer attitude
d. Addiction problems
e. Pornography
f. Slicked-back hair
Red Flags
Bar chart categories (frequency axis from 0.00% to 40.00%):
- Instability in Life Circumstances
- Excessive Family/Peer Pressure for Success
- Complained About Lack of Authority
- Past Legal Problems
- Excessive Pressure from Within Organization
- Refusal to Take Vacations
- Complained About Inadequate Pay
- Past Employment-Related Problems
- Addiction Problems
- Irritability, Suspiciousness or Defensiveness
- Wheeler-Dealer Attitude
- Divorce/Family Problems
- Control Issues, Unwillingness to Share Duties
- Unusually Close Association with Vendor/Customer
- Financial Difficulties
- Living Beyond Means
Acting alone 89.8% of the time per 2011 Marquet Report
Source: ACFE 2012 Report to the Nations
Red Flags – Deviant Behavior Hypothesis
Drivers: Money, Power, Sex
Workplace: Porn, affairs, harassment, bullying, fraud, theft
Power Sex
Money
Source: Using Deviant Behaviors of Others to Find Fraud (UDBOFF), Ryan Hubbs, June 2011.
Red Flags – Per KPMG
- Bullies co-workers, rude, aggressive, threatening
- Stressed, unhappy, unmotivated
- Reluctance to produce records
- Outsized lifestyle, financial problems
- Accepts (improper) gifts, breaks rules
- Rumored bad habits, addictions, vices
Source: Who is a Typical Fraudster?, KPMG analysis of 349 actual fraud cases in 69 countries from January 2008 until December 2010.
Agenda – Occupational Fraud
1. Prevalence
2. How it’s committed
3. Detection
4. Victims
5. Perpetrators
6. Preventing
Wait, wait…don’t tell me
Which control (of those in the list below) is MOST effective in reducing amounts lost to fraud?
a. Surprise Audits
b. Code of Conduct
c. Whistleblower hotline
d. Mandatory vacations
Effectiveness of Controls
Audits less effective
Source: ACFE 2012 Report to the Nations
Cash Fraud Detection Measures
- Bank statements received unopened by mgr.
- Review for unknown charges (ACH, wires)
- Review checks for unknown payees (vendors)
- Review checks for unusual endorsements
- Note time lag in deposits reaching the bank
Cash Fraud Detection Measures
Deposits
- Deposit slips – trend of cash vs. checks deposited
- Cash receipts reconciled to deposit slips
- Investigate complaints about ‘unpaid’ balance
Cash Fraud Detection Measures
Accounts Receivable
- Unauthorized write-offs (credits)
- Aged receivables
- Decrease in revenues
Cash Fraud Detection Measures
Bank Reconciliations
- Performed by an independent person
- Unusual entries to cash general ledger accounts
- Cross-outs, white-out, photocopies
Takeaways
- 5% of revenue, two years
- Types:
  - Corruption – largest organization losses
  - Misappropriation – accountant’s favorite
- Watch out for 50-year-old male, divorced, accountant, with addiction problem, and a new sports car!
- Implement hotline, fraud training and reconciliations
Backup Slides
Deducting Embezzlement Losses
- The loss is deducted in the year discovered.
  - Even if tax years are ‘closed’
- The loss is reported NET of recovery.
- Issuing a Form 1099 MISC to the suspect is optional.
- If a form 1099 is issued:
  - A separate Form 1099 may be issued for each year of loss OR
  - A single 1099 MISC may be issued in the year the loss was discovered
How to work with your Bank
Bank Anti-fraud Reliance Standard Procedures Enhanced Services
Standard Bank Procedures
- Signatures on checks
  - Signature Cards may be scanned
  - Teller will verify if presented at drawn bank
  - Not useful if presented at another bank or ATM
  - Banks don’t check below a dollar threshold
  - Fees start at $50 per month
- Electronic Transfers
  - Require a requester and approver
  - Templates can be changed by the requester
Enhanced Procedure - Positive Pay
Starts at ~ $65 per month
[Diagram labels: Positive Pay File, Compares, Bank, Company, Check, Vendor]
Source: Bank of the Cascades
Enhanced Procedure-ACH Filter (or Block)
Starts at ~ $25 per month per account
[Diagram labels: Internet Transfer Request, Bank, Company, Blocked, Subsidiary, Vendor]
Source: Bank of the Cascades
How to Pick a Bank
www.FDIC.gov
Fraud Vocabulary Quiz
Channel Stuffing
a) when a person stuffs the remote into their clothing to prevent others from changing the television channel
b) shipping unwanted inventory to retailers ahead of schedule which fills the distribution channels with more product than needed
c) throwing garbage into a river, clogging and polluting it
Share Market Fraud
a) companies secretly strip assets of their firms or illegally allocate shares of stock
b) companies that lie about their ‘market share’
c) collusion by stock brokerage firms sharing the best practices to defraud investors
Take-out
a) when a person steals money by hiding it in a doggie bag
b) a bar that delivers beer to the home without checking ID
c) a warning to a conman that he is under suspicion
For More Information
Cost Advisors, Inc. 503-704-3719 www.costadvisors.com
Download: ‘Embezzlement Response Guide’
Chapter 2 Background Checks
Kelly Paxton Financial CaseWorks LLC Portland, Oregon
Table of Contents
I. Background Investigations
II. Why Do a Background Investigation?
III. Business Necessity
IV. Current Issues
V. Social Media
VI. Other Issues
VII. Conclusion
VIII. Bibliography
Appendix—Presentation Slides
I. Background Investigations

Background investigations are an important tool not only for employment purposes but also for due diligence purposes. Approximately 93% of all businesses utilize background investigations for some potential applicants and 73% for all potential applicants, according to the 2010 report by the Society for Human Resource Management. A background investigation can cost as little as $20 to as much as $4,300. There are approximately 1,200 firms that offer background investigations. The background industry is a $4 to $5 billion per year industry according to the National Association of Professional Background Screeners, the industry trade group.

II. Why Do a Background Investigation?

According to numerous studies, one in three applicants is considered to have lied on his or her resume and/or application. The business that does not vet its executives well is the one that ends up with the bad press. A recent example is the CEO of Yahoo.

Yahoo’s chief executive officer Scott Thompson stepped down yesterday after an investigation by Third Party, a hedge fund and major investor in the company, revealed that he had lied about his education on his resume. Although Mr. Thompson’s biography indicated that he had earned degrees in accounting and computer science from Stonehill College, he never actually earned a degree in computer science.

Mr. Thompson is not the only executive to resign following revelations that he or she lied or embellished academic credentials:

In April 2007, the admissions dean for the Massachusetts Institute of Technology was forced to resign following revelations that she had fabricated academic degrees from Union College, Rensselaer Polytechnic Institute and Albany Medical School.

In 2006, CEO of RadioShack, Dave Edmonson, resigned after it emerged that he lied about having degrees in theology and psychology.

In 2002, Veritas Software’s stock price fell some 16% after it emerged that its CFO had fabricated his education. Not surprisingly, the revelation also led to his resignation.

In 2002, the CEO of Bausch & Lomb, Ronald Zarrella, was forced to forfeit his bonus after it was revealed that he had never earned his MBA from New York University as claimed. Mr. Zarrella attended the university but never actually completed the program.

Resume padding and exaggerating academic credentials are more common than one might think, and its prevalence extends far beyond the C-suite. In 2010, a HireRight survey of 1,818 organizations found that 69% of respondents reported that they had caught a job candidate lying on his or her resume. Moreover, the FBI has estimated that over 500,000 people nationwide claim college degrees that they never actually earned. Even in cases much less high-profile than Yahoo’s, assuming that qualifications presented by potential candidates are always legitimate can damage your company’s reputation and bottom line.

(Courtesy of MSA Investigations–New York City.)

III. Business Necessity

Being consistent is an integral part of the background investigation process for a business. According to the Insurance Information Network of California, lawsuits for negligent hiring, retention, and out-of-court settlements in California due to workplace violence averaged over $500,000; jury verdicts in these cases averaged about $3 million (Rosen, L. 2006).

IV. Current Issues

State lawmakers also are concerned about employers looking into people’s credit. Over the past three years, seven states have enacted laws barring employers in many instances from gaining access to credit reports. Fifteen states have similar legislation pending.

No one expects a sudden stop to background checks. The key will be what employers do with the information they gather. Companies should ask applicants about potentially negative reports to give them a chance to explain away errors that inevitably come up and also to put their circumstances into context, says Cynthia Springer, a labor and employment lawyer in Indiana.

“Collecting the information isn’t the big issue right now, it’s how it’s being used,” Springer says. “You should be doing a case-by-case analysis anytime you’re using criminal background information in making a decision.”

V. Social Media

A few weeks ago, Maryland became the first state to pass legislation that would ban employers from demanding that employees or job candidates turn over their social media. Rep. Eliot Engel (D–NY) has introduced legislation in the U.S. House of Representatives that would outlaw this practice nationally. The bill, known as Social Networking Online Protection Act (SNOPA) (http://www.govtrack.us/congress/bills/112/hr5050), is broader than the Maryland bill. According to a press release (http://engel.house.gov/index.cfm?sectionid=24&itemid=3199) from Congressman Engel, SNOPA covers not only employers but also schools and universities. Although the text of the bill is not yet available online, the press release further notes that SNOPA would accomplish two objectives:

• Prohibit current or potential employers from requiring a username, password or other access to online content. It does not permit employers to demand such access to discipline, discriminate or deny employment to individuals, nor punish them for refusing to volunteer the information.
• Apply the same restrictions to colleges and universities, and K–12 schools as well.

While I agree that requiring applicants to furnish social media passwords as a condition of employment is, generally, a bad business practice, I fear that the firestorm [http://www.theemployerhandbook.com/2012/03/employer-demand-facebook-password.html] about employers supposedly demanding social media passwords is drastically overblown. The examples of employers—most notably the City of Bozeman [http://arstechnica.com/web/news/2009/06/bozeman-apologizes-backs-down-over-facebook-login-request.ars] and the Maryland Department of Corrections [http://www.switched.com/2011/02/23/maryland-stops-asking-applicants-for-facebook-login/]—who have made this stupid mistake are old news. Both employers were publicly scrutinized and shamed into stopping.

(Courtesy of The Employer Handbook.)

VI. Other Issues

Perhaps we are asking the wrong question. Let me suggest that the proper question is not “Can the employer conduct a background check?” but rather “Can an employer use the information found on the background check to deny employment to the applicant or employee?” The short answer is “Yes, under the right circumstances.” So let’s see if we can get some help in determining when and how we can use background checks in the hiring process.

While the EEOC has not issued regulations, it has provided some guidelines. Employers are expected to consider the following factors:

1. The nature and gravity of the offense(s);
2. The time that has passed since the conviction and/or completion of the sentence; and
3. The nature of the job held or sought.
The federal courts have also stated that employers need to have a legitimate business justification, which can include, in addition to the above EEOC guidelines, safety and well being of others at the job site or in the immediate area. The policy must then be narrowly tailored to meet the stated justification.

Essentially, the EEOC, and the federal courts expect employers to weigh the type of offense and time passed since the offense against the nature of the job to determine if the employer has a justification for refusing to hire a candidate. For example, an applicant’s 15-year old DWI conviction is unlikely to be relevant if s/he is applying for a bookkeeping position. For that matter if s/he was arrested but not convicted for DWI, then denying him or her the job will also be inappropriate and perhaps illegal. If however, this same applicant for the bookkeeping position has a 3-year old embezzlement conviction, the employer could refuse to hire. When might a DWI conviction be relevant? In the Pepsi case if the applicant sought work for Pepsi as a driver, s/he should probably expect to be rejected.

OK, how about one final example: suppose you have a male applicant with a sexual assault conviction and you employ mostly women, some of whom often stay late when the area may not be well-trafficked or well-lit? One would be hard-pressed to argue lack of business justification there!

So, here are some take-aways for employers:

1. If you do not already have one, create a written policy that discusses your hiring criteria and how you will screen your applicants and hiring criteria. This policy should take into consideration the type of positions for which you are hiring and should allow you to make a determination on a case by case basis and take all relevant facts into consideration.
2. Be able to easily articulate a justification any time you deny a job to an applicant based on his/her background check results.
3. Make sure your policy is narrowly tailored to meet your business justification(s). If your policy is broader than necessary to meet the justification(s) you have articulated (even if only to yourself) you will be vulnerable if an applicant files an EEOC complaint.

Finally, one more caveat: As of today, at least 25 states and at least one city have passed their own laws limiting the circumstances under which employers can inquire into an applicant’s criminal history. Check to see if your state (or city) has imposed any such limitations!

(Courtesy of Janet Levey Frisch.)

VII. Conclusion

Background investigations are a useful tool if used properly. There are numerous pitfalls, though, that can cost a business money and reputation. Background investigations no longer just consist of criminal history and credit checks. If a business does not believe it is able to adequately and appropriately complete the process, it should seek to outsource the function. Social media is now a part of the background investigation process. Social media is not just something your kids use. Social media is important in hiring and employment decisions. Social media is not going away. There are a lot of excellent resources to help you navigate this new and growing part of the background investigation process.

VIII. Bibliography

• Rosen, Lester (2006), The Safe Hiring Manual.
• Society for Human Resource Management.
• Frisch, Janet Levey (2012).
• MSA Investigations New York City (2012).
• Meyer, Eric, The Employer Handbook (2012).
2–6 6/20/2012
Appendix—Presentation Slides
Background Investigations
Oregon State Bar July 13, 2012
Goals
• What is a Background Investigation?
• Why do a Background Investigation?
• How to do a Background Investigation (or where to get one done)
Page © 2012 Financial CaseWorks LLC. All rights reserved.
Old School vs. New School
Name that CEO
Scott Thompson-Yahoo!
Local Resume Padding
Robert Hulshof-Schmidt
Hulshof-Schmidt, 46, admitted to forging his employment application by representing that he had a graduate degree. He did not. According to the court, his formal application included a University of Washington transcript that he had altered to show completed coursework.
Kelly Paxton, CFE, PI
• Licensed Private Investigator (OR)
• Certified Fraud Examiner
• Principal, Financial CaseWorks LLC
• Special Agent US Customs 1993-1998
• Registered Stock/Commodity Broker 1987-1990
BI – What exactly is one?
• Fingerprints?
• Internet Sites?
• Big Brother surprise
Websites & Databases
• No single database
• No LEDS/NCIC
• Private Companies
• Search engines
• Blog searches
Background Investigation Facts
• 93% of organizations use some form of BI (SHRM 2010)
• 1 in 3 applicants falsifies information
• $20 to $4300
• $4-5 billion industry with 1200 companies
Reasons for BI’s
• Pre-employment screening
• Employee promotion/transfer
• Outside party for board position
• Screening third party service providers
• Due diligence
• Investigating any suspected theft/misuse
Why do a Background Investigation?
• What you don’t know can/will hurt you
• Knowledge is good
Applicant Lies
• Degree not earned
• Diploma Mills/Fake Degree
• Job Title
• Employment Dates
• Compensation
• Lack of criminal record
Even George Costanza did it
http://www.youtube.com/watch?v=_T35QhLx_KI
Careerexcuse.com
How to do a Background Investigation
• Where to start?
• Resources
• The actual interview
Starting the Process
• Job Description - Business Necessity
• Forms - application, FCRA and waivers
Critical Application Items
• Background Check
• Broadest language about convictions
• Release for previous employers
• 5-10 years employment
• 7-10 years addresses
• Contact current employer??
Red Flags
• Not completing application
• Not signing application
• No consent for background screening
• Criminal questions left blank
Red Flags cont’d
• Can’t recall former supervisor
• Gaps in employment history
• Excessive crossouts/changes
Expungement
• Difficult in today’s environment
• Private databases unaffected by court’s expungement order
• Attorneys now suggest preparing letter addressing issue
• Be upfront and honest
Resources
• Google is your BFF (best friend forever but be careful)
• The deep web (PIPL, Spokeo)
• Background screening firms (NAPBS)
www.pipl.com
http://www.pipl.com
The Interview
• Rapport
• Fill in the gaps
• Body language
• Ask the right questions
• Get more references
New Age Lie Detector Test
• Background checks - Concerns?
• Criminal convictions - Concerns?
• Previous employers - What will they say?
• Previous employers - job issues etc?
• Unexplained gaps in employment history?
Good vs. Bad
Good | Bad
Have you ever used a different name? | Maiden Name?
If hired, can you show proof of age? | When did you graduate high school?
If hired will you be able to provide proof of eligibility to work in the US? | Are you a US Citizen?
Can you be reached at this address? | Do you own your home or rent?
Social Networking
• What can you use?
• Technology ahead of the law
• Policies and procedures
Reasons they don’t use SM- Per SHRM
SNOPA
What is SNOPA?
Social Networking Online Protection Act If passed, SNOPA would "prohibit current and potential employers for requiring a username, password or other access to online content," according to a news release on Engel's website. These constraints would also apply to schools from kindergarten through university level.
SNOPA cont’d
The SNOPA bill's other co-sponsor, Schakowsky, said in a prepared statement: "The American people deserve the right to keep their personal accounts private. No one should have to worry that their personal account information, including passwords, can be required by an employer or educational institution, and if this legislation is signed into law, no one will face that possibility.” Maryland 1st state to do this-other states in process
Lifestyle issues?
Pay attention
He noticed a change in Milligan’s behavior and wondered how she could afford the assets she had — including a Cadillac Escalade, a horse arena, and several horses — on her salary. 5/17/2012 Rhonda Milligan pled guilty to 1 count, admitted $848k embezzlement
Oregon and Credit Checks
• House Bill 1045
• Exceptions: banks and credit unions, public safety and LEOs
• “Substantially job-related”: no guidance from State but probably very narrow
Credit Reports
• Today’s economy
• Negative information valid predictor of job performance?
• Outside of applicant’s control?
• Consistent in use of negative information?
• Have you documented the decision?
After the Investigation
• Housekeeping
• Complying with FCRA
• Purging the files
Background Investigations
• Resources
• Limits of BIs
• Fair Credit Reporting Act
• Not just for employees
• Be consistent
Resources-Always Changing!
• Google
• Pipl
• Social networking
  – Facebook
  – Twitter
  – Spokeo
• Credit reports??
Final Thoughts
• BI’s are not just for employment
• What you don’t know can hurt you
• The Internet makes it easier and more difficult
Typical Client
• Medical offices – Employee theft/dishonesty, new hires
• Families – Elder Financial Fraud, backgrounds on caregivers
• Small Business owners – Due diligence on potential business dealings/partners, new hires
• Attorneys – litigation support, asset research and identification and recovery
References
• Shepard, I.M. and Duston, R (1998) Thieves at Work: An Employer’s Guide to Combating Workplace Dishonesty.
• Murphy, K.R. (1993) Honesty in the Workplace.
• The Background Investigator
• Brody, Richard G. (2008) Beyond the Basic Background Check: Hiring the “Right” Employees.
• Rosen, Lester S. (2006) The Safe Hiring Manual
• Society of Human Resource Management Survey
• Meyer, Eric The Employer Handbook (2012)
Questions?
Contact Kelly Paxton at: 503-956-9147 [email protected]
Chapter 3 Legal Issues in Employee Fraud—Presentation Slides
Katherine Heekin The Heekin Law Firm Portland, Oregon
3–ii 7/3/2012
LEGAL ISSUES IN EMPLOYEE FRAUD
JULY 13, 2012 Katherine Heekin 808 S.W. Third Ave., Suite 540 Portland, OR 97204 503-222-5578
Conducting an Investigation
• Upjohn v. United States, 449 U.S. 383 (1981), warnings
  – Give before interview begins.
  – Interview is confidential and may not disclose substance.
  – Privilege held by entity. Disclose without notifying you.
  – Allow for questions.
  – Memorialize that warning was given.
• Employees who report to internal compliance programs are not whistleblowers and often are not protected after making an internal complaint. E.g. Brown & Root v. Donovan, 747 F.2d 1029 (5th Cir. 1984).
Discipline and Termination
• Clear, written policies
• Communicated regularly
• Enforced consistently
• Documented adequately
Relevant Case Law
• ORS 659A.300(1) states no polygraphs for private sector employers
• Buckel v. Nunn, 133 Or App 399, 405-07 – false imprisonment factors – door blocked, one phone call, threatened jail
• Asay v. Albertson’s, Inc., 2007 US Dist LEXIS 31678 (Or App 2007) – fear alone is insufficient to show restraint of freedom
• ORS 659A.199 – protection for whistleblowers from retaliation
Representative Cases
In the Matter of Banc of Am. Sec. LLC, SEC Admin. Proc. File No. 311425 Exchange Act Release No. 34 49386, 82 SEC Docket 1264 (Mar. 10, 2004) ($10 million fine for allegedly misleading securities regulators and delay in producing evidence)
Coleman (Parent) Holdings Inc. v. Morgan Stanley & Co., Inc., 2005 WL 674885 (Fla. Cir. Ct. Mar. 23, 2005) (adverse inference, partial default judgment, attorney fees, and jury verdict of $1.5 billion in compensatory and punitive damages)
In re September 11th Liability Insurance Coverage Cases, 243 F.R.D. 114, 132 (S.D.N.Y. 2007) (insurer and counsel jointly and severally liable for $500,000 as Rule 37 sanctions); and 18 U.S.C. §§ 1512, 1519, 1520(b), 1520(c) (Sections 802 and 1102 of the Sarbanes-Oxley Act imposing fines and prison terms for altering or destroying electronic information).
Moore v. Gen. Motors Corp., 558 S.W.2d 720, 735-37 (Mo. App. 1977) (no spoliation where records destroyed as required by policy and no knowledge of pending litigation, no evidence of fraud, deceit or bad faith, and plaintiff made no effort to obtain through discovery once suit began)
Kucala Enterprises, Ltd. v. Auto Wax Co., Inc., 2003 WL 21230605, at *8 (N.D.Ill. May 27, 2003)(magistrate recommended dismissal and attorney fees to defendant because plaintiff violated duty to preserve by using a software program to erase the contents of a hard drive), report and recommendation adopted as modified by Kucala Enterprises., Ltd. v. Auto Wax Co., Inc., 2003 WL 22433095 (N.D.Ill. Oct 27, 2003)
Qualcomm Inc. v. Broadcom Corp., 2008 WL 66932 (S.D. Cal Jan. 7, 2008) (sanctions in excess of $8 million against Qualcomm, in-house and former outside counsel ordered to participate in case review and enforcement of discovery obligations program, and judge referred possible ethics violations to California state bar)
Recouping Losses
• Criminal Action
• Confession of Judgment
• Civil Action
• Insurance claim
Ripped from the Headlines
Enron
Fastow’s testimony Behind the Scenes of the Enron Trial: Creating the Decisive Moments, 44 American Criminal Law Review 217, Spring 2007, Number 2
The Corporate Culture Behind the Scenes of the Enron Trial: Creating the Decisive Moments, 44 American Criminal Law Review 219, Spring 2007, Number 2
Whistleblowing Behind the Scenes of the Enron Trial: Creating the Decisive Moments, 44 American Criminal Law Review 221, Spring 2007, Number 2
MADOFF
“BM had a marketing strategy that appeared to be based on false trust, not analysis.” --Harry Markopolos, CFA, CFE, written testimony before the U.S. House of Representatives Committee on Financial Services, 2/4/09
The False Trust
• BM was a founder and a former head of NASDAQ
• BM’s brother, Peter, was a former vice-chairman of NASD and former director of Depository Trust Corporation
• Brother-in-law is the only auditor to protect Madoff’s proprietary trading strategy
• Affinity communities
• “Special access”
• Complicated structure and strategy
• Unbelievable Returns
• Secrecy
Complicated Structure
• “[T]he hedge fund isn’t organized as a hedge fund by Bernard Madoff (BM) yet it acts and trades like one.” - Harry Markopolos letter to SEC dated 11/7/05.
• Pays 1% management fee and 20% of profits to other hedge fund managers.
• Earns undisclosed commissions on trades.
• “The investors that pony up the money don’t know that BM is managing their money. That Madoff is managing the money is purposely kept secret from the investors.” – SEC letter at 3.
• Cheaper money is available in the short-term credit markets.
Complicated Strategy: the split-strike conversion
• Purchase stock in index form (S & P 100) to match the index options plan to use.
• Sell call options to generate income.
• Buy put options to protect against market price declines.
• “He knew most wouldn’t understand it and would be embarrassed to admit their ignorance so he would have less questions to answer.” – Markopolos testimony to Congress
Unbelievable Returns Attachment 1 to Markopolos SEC letter
Madoff’s auditor’s office: Friehling & Horowitz
Article by AP journalist, Jim Fitzgerald, dated Dec. 18, 2008 www.northjersey.com/business/36363009.html
Tipsters
• “It is a sickening thought but if the SEC had bothered to pick up the phone and spend even one hour contacting the leads, then BM could have been stopped in early 2006.” – Markopolos written testimony to Congress at 24.
Local Stories
Contact
Katherine Heekin 808 S.W. Third Ave., Suite 540 Portland, OR 97204 503-222-5578
[email protected] WWW.HEEKINLAWOFFICE.COM
Chapter 4A PC vs. Mac Computer Forensics Registry Analysis—Win 7 Focus—Presentation Slides
Joel Brillhart Professional Forensic Services Portland, Oregon
4A–ii 6/19/2012
Prepared By: Joel Brillhart, CFCE Professional Forensic Services, LLC 503-348-6407 [email protected]
The Microsoft Computer Dictionary defines the registry as:

◦ A central hierarchical database used in the Microsoft Windows family of Operating Systems to store information necessary to configure the system for one or more users, applications and hardware devices.

◦ The registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system and the ports that are being used.

• System Configuration
• User Names, Personal Settings & Preferences
• You can determine where a computer has been through Wi-Fi Geo locations
• You can determine what Devices (USB/Printers/Phones/PDA’s) have been connected
• You can see Web Browsing Activity by user
• Find out what Programs have been executed, installed and deleted
• See what files have been viewed by the user
• You can find out User Entered Search Keywords
Mumbo Jumbo “Rot 13 Encoded”
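An added example, not taken from the presenter's slides: Windows stores the value names under the per-user UserAssist registry key ROT13-encoded, and the sketch below decodes them and reads the run count and last-run time, assuming that key is what the "Rot 13 Encoded" slide refers to. The 72-byte record layout is the commonly documented Windows 7 one (treated here as an assumption), and the sample values are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
WIN7_RECORD_SIZE = 72  # assumed size of a Windows 7 UserAssist value


class UserAssistEntry(NamedTuple):
    name: str                     # decoded program path
    run_count: int
    focus_count: int
    focus_ms: int
    last_run: Optional[datetime]  # None when the timestamp field is zero


def decode_name(encoded: str) -> str:
    """ROT13 rotates A-Z and a-z only; digits, braces and backslashes pass through."""
    return codecs.decode(encoded, "rot_13")


def filetime_to_utc(filetime: int) -> Optional[datetime]:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_entry(encoded_name: str, data: bytes) -> UserAssistEntry:
    """Decode one value: name from ROT13, counters at offset 4, FILETIME at offset 60."""
    if len(data) != WIN7_RECORD_SIZE:
        raise ValueError("unexpected record size %d" % len(data))
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return UserAssistEntry(decode_name(encoded_name), run_count,
                           focus_count, focus_ms, filetime_to_utc(last_run))


def parse_count_key(values):
    """Return (entries, skipped): skipped holds decoded names of values that
    are not 72-byte records, so the examiner can review them by hand."""
    entries, skipped = [], []
    for encoded_name, data in values.items():
        try:
            entries.append(parse_entry(encoded_name, data))
        except ValueError:
            skipped.append(decode_name(encoded_name))
    return entries, skipped


def _sample_record(run_count, focus_count, focus_ms, filetime):
    """Build a constructed 72-byte record for the demonstration below."""
    rec = bytearray(WIN7_RECORD_SIZE)
    struct.pack_into("<III", rec, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", rec, 60, filetime)
    return bytes(rec)


# Constructed sample: value name (as stored) -> raw value data.
SAMPLE_COUNT_KEY = {
    # Leading GUID is a known-folder ID; only its letters are rotated.
    r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pnyp.rkr":
        _sample_record(7, 12, 95000, 129845808000000000),
    r"P:\Hfref\qrzb\Qrfxgbc\gbby.rkr": _sample_record(1, 0, 0, 0),
    "HRZR_PGYFRFFVBA": bytes(16),  # bookkeeping value with a different size
}

if __name__ == "__main__":
    entries, skipped = parse_count_key(SAMPLE_COUNT_KEY)
    for e in entries:
        print(e.name, e.run_count, e.last_run)
    print("skipped:", skipped)
```

Because ROT13 leaves digits and punctuation alone, encoded names keep their path shape, which is why they can be spotted in a hive by eye.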
Thanks
Joel Brillhart, CFCE Professional Forensic Services, LLC 503-348-6407 [email protected]
Chapter 4B Mac and iOS Computer Forensics
Eli Rosenblatt Eli Rosenblatt Investigations Portland, Oregon
Table of Contents
I. Macs in the Workplace: More Macs Than Ever Before
II. Macs in the Workplace: Proliferation of (and Concerns with) BYOD (Bring Your Own Device)
III. Why Do Forensics on a Mac?
IV. Why Do Mac Forensics on a Mac?
V. Why Use a Mac-Certified Forensic Examiner?
I. Macs in the Workplace: More Macs Than Ever Before

A. Apple’s market share in the pc world continues to surge: http://www.maclife.com/article/news/apples_market_share_pc_world_continues_surge.
B. Here’s the real reason Microsoft should be worried about Apple: http://wallstcheatsheet.com/stocks/here’s-the-real-reason-microsoft-should-be-worried-about-apple.html/.
C. Survey: 8 in 10 businesses now using Macs: http://www.computerworld.com/s/article/9103958/Survey_8_in_10_businesses_now_using_Macs?intsrc=hm_list.
D. Apple infiltrates the enterprise: 1/5 of global info workers use Apple products for work! http://blogs.forrester.com/frank_gillett/12-01-26-apple_infiltrates_the_enterprise_15_of_global_info_workers_use_apple_products_for_work_0.
E. Apple computer sales grow faster than PC sales for five years: http://www.guardian.co.uk/technology/blog/2011/may/24/apple-sales-growth-pc-market.
F. Apple’s enterprise reach growing thanks to iPad and iPhone: http://gigaom.com/apple/apples-enterprise-reach-growing-thanks-to-ipad-and-iphone/.
G. More iPhones/iPads subject to search warrants: http://gigaom.com/apple/more-iphones-subject-to-search-warrants-ipads-too/.
II. Macs in the Workplace: Proliferation of (and Concerns with) BYOD (Bring Your Own Device)

A. IBM stung by BYOD pitfalls: http://gigaom.com/cloud/ibm-stung-by-byod-pitfalls/.
B. Study finds BYOD devices not secured: http://gcn.com/articles/2012/04/09/byod-devices-not-secured-study-finds.aspx?sc_lang=en.
C. Two-thirds of the phones sold in Q1 were iPhones: http://gigaom.com/apple/report-23-of-top-u-s-carrier-sales-in-q1-were-iphones/.
D. The new iPad has CIOs quaking in their cubicles: http://gigaom.com/cloud/the-new-ipad-has-cios-quaking-in-their-cubicles/.
E. iOS domination of the tablet market: http://www.gartner.com/it/page.jsp?id=1800514.
III. Why Do Forensics on a Mac?

A. Apple’s significantly lower total cost of ownership (TCO): Stories at ZDNet,1 TUAW,2 TechPatio,3 Opensurge,4 Kirk Knoernschild’s Tech District,5 American Chronicle,6 Salon.com,7 Mac-vs-PC,8 and great anecdotal evidence from my own and colleagues’ practices.
B. Flexibility: As one among many examples, the Hi-Tech Crimes Division of a metropolitan Southern California police department recently described the main reasons behind their having an all-Mac crime lab: The ability to run windows on a Mac, the proliferation of Macs found in evidence, and a major cost savings.
C. Solid forensic tools, support, and training from BlackBag Technologies.
   1. BlackBag brings experience:9 Decades of experience from law enforcement and corporate computer labs, the Department of Defense Cyber Crime Center, Defense Cyber Crime Institute, Defense Computer Forensics Laboratory, and California of Justice. In addition, cofounder and CTO Derrick Donnelly is the former Information Systems & Technology Security Manager at Apple.
   2. BlackBag tools include MacQuisition10 for data acquisition, targeted data collection, and forensic imaging and BlackLight11 for comprehensive forensic examinations.
   3. BlackBag provides comprehensive Mac and iOS forensic training12 for law enforcement and private sector analysts.

IV. Why Do Mac Forensics on a Mac?

A. Importance of a “native perspective”—best possible understanding for the examiner and viewers of the report of investigation.
B. If using Windows, the Windows OS is interpreting the Mac data, and significant data is often missed and/or misinterpreted.
1 http://www.zdnet.com/blog/apple/tco-new-research-finds-macs-in-the-enterprise-easier-cheaper-to-manage-than-windows-pcs/6294.
2 http://www.tuaw.com/2009/03/13/macs-still-cheaper-when-you-look-at-tco/.
3 http://techpatio.com/2010/apple/mac/it-admins-total-cost-ownership-mac-less-pc.
4 http://opensurge.blogspot.com/2010/08/in-mac-vs-pc-cost-comparison-downtime.html.
5 http://techdistrict.kirkk.com/2010/03/11/cost-mac-or-pc-a-look-at-tco/.
6 http://www.americanchronicle.com/articles/view/38285.
7 http://www.salon.com/2007/11/07/mac_price/singleton/.
8 http://macvspc.info/.
9 https://www.blackbagtech.com/about.html.
10 https://www.blackbagtech.com/forensics/macquisition/macquisition.html.
11 https://www.blackbagtech.com/forensics/blacklight/blacklight.html.
12 https://www.blackbagtech.com/training.html.
C. Can mount any type of Mac-accessible volume (and lock it to preserve evidence, while reviewing that evidence in its original form, including the use of any applications not on the analyst system).
D. QuickLook13 feature for easily viewing results without opening a file or starting an application.
E. iWork files (Pages, Numbers, Keynote) generally not accessible to Windows forensics tools (incorrectly opens single bundled file as series of jumbled files).
F. Windows treats the different “forks” of a single Mac file as separate files, thus giving inaccurate file counts, and missing potentially important file attributes such as color, locked status, visibility, and alias information.
G. Case-sensitive file system used by iPhones and other iOS devices (as well as many Mac-formatted drives): Windows can’t properly handle files it sees as named the same.
(Adapted from Mac Forensics: The Case for Native Analysis, a white paper published by BlackBag Technologies in September 2011.)
V. Why Use a Mac-Certified Forensic Examiner?
A. An Apple Certified Macintosh Technician (ACMT14) and/or Mac and iOS Certified Forensic Examiner (MiCFE15) understands all these issues and can help ensure industry best practices are followed.
B. These professionals undergo rigorous Mac-specific training and stay up-to-date on all of the latest hardware and software changes and developments.
13 http://www.apple.com/findouthow/mac/%23quicklook.
14 http://training.apple.com/certification/acmt.
15 https://www.blackbagtech.com/training/micfe-certification.html.
Chapter 5
A Skeptic’s Guide to Advanced Internet Searching—Presentation Slides
Jan Davis JT Research LLC Portland, Oregon
5–ii 6/21/2012
A Skeptic’s Guide to Advanced Internet Searching
Oregon State Bar Portland, Oregon July 13, 2012
Jan Davis, MLIS
JT Research LLC
PO Box 8705
Portland, OR 97207
503-827-7241
www.jtresearch.com
Research Strategy
The Internet “Library”
• Reference room
• Portals
• Fee-based websites
• “Card Catalog”
• Search Engines
• Storage
• The deep web
Research Strategy
• What is the question?
• What are the keywords and phrases?
• Multiple spellings of names?
• Who would write about it?
• What format would the
• Who would talk about it?
• What would the ideal document contain and in what format?
• Should I go to a fee-based database first, or the “free” internet, or pick up the phone?
Answering these questions helps determine where to search and how to search
Search Engines
• Two unique databases:
• Google
• Bing, which feeds Yahoo!
• Ask, Gigablast, Exalead
• International
• Baidu (China) http://www.baidu.com/
• Yandex (Russia) http://www.yandex.com/
• Directory at http://www.searchenginecolossus.com/
• For more information on how to search: notess.com
Precision Searching
• Advanced search templates
• Now hard to find these templates!
• Command language
• Phrase
• Field searching
Specialty Search Engines
Let’s really get to know Google
http://www.google.com/intl/en/about/products/index.html
• Images
• Videos
• News
• Books
• Scholar
• Patents
Portals – Public Records
• Public Records Search http://www.publicrecordsources.com/
• Professional License Verifier http://verifyprolicense.com
• BlackBook www.blackbookonline.info
Portals – Company Info
• Rutgers
• http://libguides.rutgers.edu/companies
• Use red tabs at top of page
• Hoovers.com
• Privco.com
• Securities and Exchange Commission
• http://www.sec.gov/edgar/searchedgar/webusers.htm
People Search
People
• 123people (www.123people.com/)
• Spokeo (www.spokeo.com)
• Zabasearch (www.zabasearch.com)
• Zoominfo (www.zoominfo.com)
• Pipl (www.pipl.com)
• Intellius (www.intellius.com)
Social Media
• Facebook
• LinkedIn
• Plaxo
• StumbleUpon
• Blogs
• Twitter
• Dating Sites (www.directoryofdating.com and http://www.bigdatingdirectory.com)
• Many many other social sites (see Pandia)
Searching Social Media
• Google search and add “blog” or “LinkedIn” etc.
• Blogs
• www.technorati.com
• Twitter
• Search.twitter.com
• Yauba.com
• Friendfeed.com
The Deep Web
• Wayback Machine www.archive.org
Fee-Based Databases
• Pacer (www.pacer.gov): Public access to court electronic records
• Alacra (www.alacra.com)
• Accurint (www.accurint.com)
• Factiva – Dow Jones (www.dowjones.com)
• Lexis-Nexis (www.lexisnexis.com)
• KnowX.com
Conclusion
• Develop a research strategy
• Know the difference between Google and other search engines
• Consider fee-based sources
• Verify the data
• Hire an expert:
• http://www.oregon-acfe.org
• www.aiip.org
Chapter 6
Which One Is Different—Data Mining and Forensic Analytics—Presentation Slides
Bill Douglas Cost Advisors, Inc. Portland, Oregon
6–ii 6/22/2012
Which One is Different Data Mining and Forensic Analytics Bill Douglas
Agenda
1. Data Mining Examples
2. Data mining you can do in Excel
2 © 2012 Cost Advisors, Inc. All rights reserved.
1. Data Mining for Fraud
What is CAATs?
Example #1 Accounting Queries
Example #2 Scanning Bank Statements
Example #3 Benford’s Law
What is CAATs?
• Computer Assisted Audit Tools (CAATs)
• Examine 100% of transactions
• Analysis available:
• Duplicates
• Missing Records
• Queries (meeting certain criteria)
• Population summaries by field (pivot tables)
• Population statistics
Data Sources
Import data from many sources
• Excel
• Acrobat (.pdf)
• Text Files (.txt, .doc)
• Print files (.prn)
• Hardcopy scans
.PRN File
Example #1 Accounting Queries
[Diagram labels: Accounting System; Disbursements (Checks); Vendor Master List; Employee Master List]
7 © 2009 Cost Advisors, Inc. All rights reserved.
Example #1 Accounting Queries
[Diagram labels: Disbursements (Checks); Data Mining Tool; Vendor Master List; Employee Master List]
Example #1 Six Accounting Queries
Disbursements (Checks)
• Duplicate Payments
• Payee not on Vendor List
• Non-payroll, non-expense report, payments to employees
Vendor Master List and Employee Master List
• Vendors with same address as employee
• Vendors using SS# as EIN
• Employees with no address
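The six queries on this slide, run over constructed disbursement, vendor and employee records, as an added Python example that is not part of the presentation. The record layouts, the "kind" labels and the dash-format rule for spotting a Social Security number entered as an EIN are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the presentation).
VENDORS = [  # (name, address, tax id)
    ("Acme Supply", "100 Main St", "93-1234567"),
    ("JD Consulting", "42 Elm Ave.", "000-12-3456"),
    ("Northwest Paper", "7 Dock Rd", "93-7654321"),
]
EMPLOYEES = [("Jane Doe", "42 elm ave"), ("Sam Roe", "")]  # (name, address)
CHECKS = [  # (check no, payee, invoice no, amount, kind)
    (1001, "Acme Supply", "INV-17", 1250.00, "vendor"),
    (1002, "ACME SUPPLY", "INV-17", 1250.00, "vendor"),
    (1003, "Quick Cash LLC", "100", 900.00, "vendor"),
    (1004, "Jane Doe", "", 500.00, "vendor"),
    (1005, "Jane Doe", "", 2100.00, "payroll"),
    (1006, "Northwest Paper", "8841", 310.40, "vendor"),
]
EXEMPT_KINDS = {"payroll", "expense"}  # assumed labels for legitimate employee payments
# An SSN is written NNN-NN-NNNN, an EIN NN-NNNNNNN; undashed ids cannot be told apart.
SSN_FORMAT = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def norm(text):
    """Lower-case and collapse punctuation so near-identical strings compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def run_queries(checks, vendors, employees):
    """Return the hits for each of the six queries, keyed by query name."""
    vendor_names = {norm(v[0]) for v in vendors}
    employee_names = {norm(e[0]) for e in employees}
    employee_addrs = {norm(e[1]) for e in employees} - {""}
    same_invoice = defaultdict(list)  # (payee, invoice, amount) -> check numbers
    for number, payee, invoice, amount, _kind in checks:
        same_invoice[(norm(payee), invoice, amount)].append(number)
    non_exempt = [c for c in checks if c[4] not in EXEMPT_KINDS]
    return {
        "duplicate_payments": sorted(
            n for group in same_invoice.values() if len(group) > 1 for n in group),
        "payee_not_on_vendor_list": [
            c[0] for c in non_exempt if norm(c[1]) not in vendor_names],
        "non_payroll_payments_to_employees": [
            c[0] for c in non_exempt if norm(c[1]) in employee_names],
        "vendors_at_employee_address": [
            v[0] for v in vendors if norm(v[1]) in employee_addrs],
        "vendors_using_ssn_as_ein": [v[0] for v in vendors if SSN_FORMAT.match(v[2])],
        "employees_with_no_address": [e[0] for e in employees if not norm(e[1])],
    }


if __name__ == "__main__":
    for query, hits in run_queries(CHECKS, VENDORS, EMPLOYEES).items():
        print(f"{query}: {hits}")
```

Normalizing names and addresses before comparing matters here: the duplicate check pair differs only in capitalization, and the shared address differs only in punctuation.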
Example #2 One Set of Books?
Victim’s Accounting System = Victim’s Bank Statement
Data Extraction - Review
[Diagram labels: Accounting System; Disbursements (Checks); Vendor Master List; Employee Master List]
Disbursements in Excel
Disbursements (Checks)
Example #2 - Scanning Bank Statements
[Diagram labels: Victim’s Bank Statement; Disbursements (per Accounting System); Electronic Comparison; Missing]
Example #3 -Benford’s Law
• Frank Benford (1938), Simon Newcomb (1881)
• Some leading digits occur more/less frequently in most data
[Chart: Probability (0.00% to 35.00%) by Leading Digit (1 to 9)]
Example #3 -Benford’s Law
• Compares expected amounts to actual amounts
• There were 1,368 occurrences of amounts beginning with $250
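The expected-versus-actual comparison behind the Benford slides, as an added Python example that is not part of the presentation. It goes beyond the first-digit chart by also testing the first three digits, the kind of test that surfaces a cluster such as amounts beginning with 250. The data is constructed, and ranking by a binomial z-score is an assumption, since the slides do not name a test statistic.

```python
import math
from collections import Counter


def leading_digits(amount, n=1):
    """First n significant digits of an amount in dollars and cents, or None."""
    digits = f"{abs(amount):.2f}".replace(".", "").lstrip("0")
    return int(digits[:n]) if len(digits) >= n else None


def benford_probability(d):
    """Benford's expected share of values whose leading digits are d."""
    return math.log10(1 + 1 / d)


def benford_test(amounts, n=1):
    """Rows of (digits, actual, expected, z), most over-represented first."""
    counts = Counter(ld for a in amounts if (ld := leading_digits(a, n)) is not None)
    total = sum(counts.values())
    if total == 0:
        return []
    rows = []
    for d in range(10 ** (n - 1), 10 ** n):
        p = benford_probability(d)
        expected = total * p
        # z-score of the actual count against a binomial(total, p) expectation
        z = (counts[d] - expected) / math.sqrt(total * p * (1 - p))
        rows.append((d, counts[d], round(expected, 1), round(z, 2)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def sample_amounts():
    """Constructed data: 3,000 log-uniform amounts from $1 to $1,000 (which
    follow Benford closely) plus 150 planted payments of $250.00 to $250.90."""
    baseline = [10 ** (i / 1000) for i in range(3000)]
    planted = [250 + (i % 10) / 10 for i in range(150)]
    return baseline + planted


if __name__ == "__main__":
    data = sample_amounts()
    print("first digit: digits, actual, expected, z")
    for row in benford_test(data, n=1)[:3]:
        print(*row)
    print("first three digits: digits, actual, expected, z")
    for row in benford_test(data, n=3)[:3]:
        print(*row)
```

On this data the first-digit test only shows a moderate excess of 2s, while the three-digit test isolates 250 directly, which is why the finer test is the one that points an examiner at specific transactions.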
Summary of CAATs
• Data from any source
• Every transaction can be tested (no sampling)
• Many tests possible. Comparison examples:
• Within accounting files
• Accounting records to bank statements
• Actual records to expected values (Benford)
Goals and Assumptions
• Do basic investigation yourself
• 1 hour spent here will save dozens (hundreds?) of hours at work
Assumptions:
• Data is in Excel 2007 or 2010
• Basic knowledge of Excel (info for advanced Excel too)
Data Mining in Excel
• Data Filters
  • Empty data fields
• Conditional formatting
  • Duplicates
• Comparing two Excel files
  • Payee not on vendor list
• Pivot Tables
  • High-dollar vendors
  • Missing checks
• PowerPivot
• Reporting
Data Filters - Setting
Data Filters - Blanks
Data Filters - Others
Data Filters - Suggestions
• Blank invoice numbers
• Employees or vendors with no address
• Vendors using a social security number instead of EIN
• Odd characters at the end of the invoice number or check number (“.” “–” “a”)
• Invoice numbers 100, 101, 1000 or 1001
Data Filters - Clearing
Conditional Formatting -
Conditional Formatting with Data Filter
Conditional Format & Filter - Result
Conditional Format - Suggestions
Look for duplicates of:
• Invoice date
• Invoice number
• Invoice amount
• Vendor name
Comparing Excel Files – First Sheet
Comparing Excel Files – Second Sheet
Comparing Excel Files – Result
These vendors are missing from the vendor master list
Pivot Table – Largest Vendors (step 1)
Pivot Table – Largest Vendors (step 2)
Pivot Table – Largest Vendors (step 3)
Pivot Table – Largest Vendors - Suggestions
• Look for unusual vendor names and names of employees (‘cash’, ‘petty cash’,
Pivot Tables – Missing Check #s
What is PowerPivot
• From Microsoft for Office (Excel) 2010
• It’s Free
Features
• Turns Excel into a relational database
• Compresses data
• Speeds recalculation (DAX Reporting tool)
How to Get PowerPivot
64 bit Excel vs. 32 bit Excel
[Screenshot labels: Menu; PowerPivot Tabs; Normal Tabs]
Pivot Fields from Multiple Tabs (Tables)
PowerPivot Compression, Speed
Columns: Access | Excel (native) | PowerPivot
Compression: 327MB | 82MB | 12MB
Recalculation: ~ 30min | < 30 seconds
Worksheet size: ~ 2GB | 1,048,576 rows | Millions of rows ~2GB
Reporting – Set Print Area
Reporting – Setup (Header)
Reporting – Setup (Footer)
Reporting – Setup (Result)
Reporting - Duplicating Tabs
Reporting – Removing Meta Data
Reporting – encrypting for sending
Be sure to save the workbook with a new name - append “(encrypted)” to the filename
For More Information
Cost Advisors, Inc. 503-704-3719 www.costadvisors.com
Download: ‘Embezzlement Response Guide’