Forensic Accounting Issues

The Opioid Crisis: What Can CPAs Do?

In 2016, about 63,000 Americans lost their lives to drug overdoses, and about 42,000 of those deaths were linked to Opioids. Despite progress in the fight, Opioid abuse remains the most significant health care issue going into 2019.  So how does this affect the accounting industry?  The American Institute of Certified Public Accountants (AICPA) requested a review of the Opioid abuse landscape and a subsequent presentation to member CPAs.

I thoroughly enjoyed teaming with Ms. Valerie Rock, CHC and CPC at PYA, P.C., Atlanta, Georgia to research and present the following information to CPAs at the AICPA Forensic and Valuation Conference, Atlanta, Georgia, in November 2018.

Main Points for Consideration:

  1. Drug overdoses are the leading cause of death for Americans under the age of 50.
  2. Drug overdoses were linked to Opioids found in prescription drugs, heroin, and other synthetic drugs such as Fentanyl.
  3. The Opioid crisis affects Medicare, Medicaid, Tricare, and Private Insurance industries.
  4. CPAs occupy many roles found in these programs.
  5. CPAs are in unique positions to be part of the solution to the Opioid Crisis.

What Are Opioids?

Legally manufactured Opioids are drugs that can treat both acute and chronic pain. Most people are probably familiar with Opioids such as Hydrocodone, Methadone, Oxycodone, and now Fentanyl.  Fentanyl is often prescribed for cancer patients and people in severe pain who cannot tolerate morphine.  Fentanyl is a synthetic Opioid narcotic similar to morphine, but 50 to 100 times stronger.

What is the Opioid Crisis?

The Opioid crisis is two-fold.  First, overprescribing Opioids to control pain can result in addiction and dependency.  A second, darker side emerges with illegally obtained Fentanyl.  Starting in 2013, the United States was flooded with illegally manufactured Fentanyl from foreign actors who profited from distributing the drug.  Illegal Fentanyl is cheaper to make than heroin, very potent, and yields more doses per batch.  U.S. Drug Enforcement agents see illegal Fentanyl appearing in counterfeit pain pills and in the form of powder, blotter paper, patches, and counterfeit tablets.  Heroin, of course, is illegal and highly addictive.

Synthetic drugs are created using man-made chemicals rather than natural ingredients.  Examples of other synthetic drugs are Ecstasy, LSD, Methamphetamine, Synthetic Marijuana, and Designer Drugs (chemically altered versions of illegal drugs, changed just enough to avoid being classified as illegal).

What Industries Are Affected by the Opioid Crisis and How are Accountants Involved?

Opioid abuse has entered the mainstream of American life.  Legally prescribed Opioids move through established medical communities such as Physician Practices, Hospitals, Pharmacies, Distributors, Wholesalers, and Drug Manufacturers.

The accounting profession is deeply embedded in the medical community, where accountants serve as Chief Financial Officers, Controllers, Internal Auditors, External Auditors, Compliance Officers, Government Auditors, and Government Investigators.

What is the Response from the U.S. Government?

In July 2017, President Donald Trump declared a public health emergency and formed the President’s Commission on Combating Drug Addiction and Opioid abuse.  The President tasked the U.S. Department of Justice to address the problem.  In response, the Department of Justice added more prosecutors to high-risk areas to support the arrest, prosecution and conviction of Fentanyl dealers.  A new Opioid Fraud and Abuse Detection Unit was formed to deploy a data-analytics program that focuses specifically on Opioid-related health care fraud matters.

The data analytics teams were assigned to identify:

  • Which physicians are writing Opioid prescriptions at a rate exceeding their peers.
  • How many of a doctor’s patients died within 60 days of an Opioid prescription.
  • The average age of patients receiving prescriptions.
  • Pharmacies that dispense disproportionately large amounts of Opioids.
  • Regional hot spots for Opioid issues.

Government investigators then began to focus on the flow of money through audits and investigations.  Practitioners began to see increased audit and investigative scrutiny of tax dollars expended through Medicare, Medicaid, Tricare, and private insurance.

Tidal Wave of Litigation

The drug industry, including Opioid painkiller manufacturers, distributors, wholesalers, and pharmacy chains, began to experience a tidal wave of litigation.  At least 30 states, cities, and counties have either filed lawsuits or are formally recruiting lawyers to initiate legal actions.  The complainants argue that manufacturers used aggressive sales tactics to boost revenues while downplaying the risks and turning a blind eye to excessive orders.

In August of 2018, President Trump called on the Attorney General to bring a major lawsuit against drug companies that are shipping Opioids at a level that should not be happening.

Nationwide sweeps indicted and arrested several medical practitioners who profited from overprescribing addictive Opioids.  In one case investigated, billing records showed a single physician seeing 80 to 145 patients a day and writing prescriptions for every patient seen.  Visits lasted five minutes or less, follow-ups for medication refills lasted less than two minutes, the physician did not obtain prior medical records, and the physician treated with nothing other than controlled substances.

What Can CPAs Do?

CPAs have earned the respect and trust of the public through years of public service and are regarded as trusted advisors.  CPAs are encouraged to gain knowledge of the breadth and scope of the Opioid Crisis and become part of the solution.  By understanding how government auditors and investigators identify suspicious trends, CPAs can conduct similar inquiries with clients to identify activity that may hit the “radar screens” of government agents.  Here are some suggestions for consideration by CPAs:

  1. When reviewing accounts and documentation of medical related practices, consider:
    • Do the numbers add up?
    • Can these volumes and revenues be supported by the current staffing?
    • For example, is it possible for one physician to see 100+ patients a day?
  2. For Health Care Entities:
    • Monitor drug costs, particularly opioid drug costs, and investigate significant changes in drug expenses
    • Consider using internal data to identify “super-prescribers” of Opioids
    • Consider sharp increases in drug costs that can highlight inventory issues.
    • Regardless of quantities of Opioids in inventories, evaluate sufficiency of physical and financial controls needed to mitigate opportunities for theft and misuse.
    • Internal audits should be used to test the controls.
  3. For Pharmaceutical Company Payments:
    • Investigate increases in revenue for Opioids.
    • Understand when doctors receive payments from drug companies.
    • Although most payments are small (meals, drinks, etc.), research indicates pharmaceutical payments result in increased prescribing of marketed medication.
  4. For Urine Drug Screens and Testing Revenue:
    • Payers view the billing of urine drug screens as unnecessary and fraudulent when the documentation does not clearly indicate medical necessity per their coverage guidelines.
    • If significant increase is seen, confirm that the appropriate monitoring and auditing is performed.
    • Ensure that documentation supports the order – per state and federal governmental and payer guidance.
    • Ensure there are no medical necessity concerns.
  5. For a Laboratory:
    • Monitor the marketing department’s spending on complimentary supplies provided to physicians and other ordering providers.
  6. To Avoid Litigation:
    • Verify the legality of any payments received from drug companies.
    • Ensure the payments are reported in accordance with the Physician Payments Sunshine Act.
    • If you identify any undefined or uncategorized revenue streams, ask questions about the origin of the revenue.

Conclusion: Guidelines have changed significantly as Opioid prescription use has increased.  Regardless of the quantities of Opioids in inventory, sufficient physical and financial controls are needed to mitigate opportunities for theft and misuse, and internal audits should be used to test these controls.  A robust monitoring process is important in identifying potential fraud, waste, abuse, and compliance risks.  It is just as important to have communication protocols in place.  Work with your organization’s compliance officer to determine potential indicators of an issue, including indicators that affect the entity’s revenue, legal exposure, and compliance.  If an issue is identified, notify your compliance officer.

Your knowledge in accounting coupled with health care experience can help identify potential fraud and abuse to mitigate risks.

Forensic Accounting Issues, Uncategorized

Cyber Attacks: Effective Employee Training


IBM recently announced the results of research on worldwide data breaches and reports that the average cost of a data breach is $3.86 million. The average cost for each stolen record containing sensitive and confidential information is $148.00.
In my previous blog we discussed the variety of ways that business cyber systems are attacked and compromised, and in these discussions we emphasized the use of e-mail by our adversaries to penetrate cyber defenses. In general, the actors compromise cyber defenses through social engineering and/or computer intrusion. Most of the cyber defense recommendations I have read say “Train the Employees”, but how do we train our employees to protect the business? Here are some suggestions for training employees to spot suspicious e-mails, attachments, or apps.
First, I would recommend briefing your employees on the current trends in cyber crime against businesses. We discussed those trends in the previous blog; the current trends are Business Email Compromise and Email Account Compromise scams, Ransomware, theft of Personally Identifiable Information (PII), and theft of data by outside actors and/or by corrupt insiders. One common denominator running through each of these attack vectors is the careless handling of e-mail, which gives the bad actors their way in. Cyber criminals are always looking for weaknesses in your IT systems, such as outdated software, outdated or absent anti-virus and anti-malware software, weak passwords, and any other hole into your environment. But the common thread among the threat vectors is the use of Phishing and Spear Phishing attacks to convince someone to respond to a spoofed e-mail or open an attachment containing malicious code that infects your system.
From my experience, the best setting for training your employees is a small group led by someone with actual experience working cyber fraud cases. You don’t want the discussion leaders to just regurgitate what they find on the internet. Have everyone in the room silence their phones. The meeting should be in a quiet setting so that everyone can speak and be heard in a normal conversational manner. PowerPoint presentations are not required but are acceptable if people are comfortable enough to interact and ask questions. Early or mid-morning times are great, as is lunchtime, but not while people are eating lunch during the discussion. The training should run 45 minutes to 1.5 hours, with a cushion for additional questions and answers if needed. The afternoon hours can work, but people tend to lose interest after lunch or close to quitting time. I would also recommend ongoing training to stay up to date on emerging threats and to cover employee turnover.
Prior to training session:
1. Discuss date, time, location
2. Discuss Media Requirements
3. Discuss length of time
4. Evaluate any prior training to minimize duplication
5. Discuss nature of the business to tailor presentation to actual needs
Here is a suggested outline for a training session:
I. Introductions
II. Case Examples relating to your business environment.
III. Current Threat Vectors
a. BEC and EAC Scams
b. Ransomware
c. Theft of PII
d. Theft of Data (outside actors and corrupt insiders)
IV. Methods used by Adversaries
V. What is an E-mail
VI. What is Phishing and Spear-Phishing
VII. What is Malware
VIII. What is Spoofing
IX. How to Identify possible Spoofing
X. Recommended Protective Measures
a. Discuss several options and suggestions from list
XI. Conclusion
a. Be aware of organization’s footprint facing the internet
b. Have a response plan
c. Consider cyber-crime insurance
d. Encourage Employees to suggest protective measures
Conclusion: Cyber defense is often considered a technological problem; however, it is also a human problem. Creating effective defenses in your business will depend on buy-in from employees. Can you motivate your employees to practice good cyber hygiene? Will they comply with the rules and procedures in place to prevent cyber intrusions? The answers to these questions may be the difference between an expensive attack and effective prevention of the attack in the first place.

Forensic Accounting Issues

Current Cybercrime Threats to Businesses


Introduction: I mentioned in a previous discussion and blog that Knowing Your Cyber System is imperative to protecting your business. This discussion is intended to introduce the immediate threats experienced by most, if not all, business structures in their cyber environment. There will certainly be additional cyber threat considerations as the business grows and prospers, but these concepts should get you thinking about how to make the business a hard target against attacks.
Main Talking Points:
1. Business Email Compromise (BEC), Email Account Compromise (EAC) scams, and Ransomware attacks continue to cause tens of millions of dollars in losses.
2. Primary attack vectors are BEC, EAC, Ransomware, theft of PII, and Theft of Data from inside and outside actors.
3. The weakest links in cyber defense are e-mails, attachments, and apps.
4. Small Businesses are frequently attacked.
5. Attacks can be motivated towards financial gain, obtaining competitive advantage, or from hostile governments intent on stealing secrets.
6. Potential for corrupt insiders cannot be overlooked.
7. Cyber fraud and cyber crime attacks are often treated as technological problems, but they are also personnel problems.
8. Best mitigation steps recommended by the FBI and U.S. Department of Homeland Security are discussed.

I queried several different sources to gain an understanding of the main cyber-related threats to business enterprises, including the FBI, U.S. Department of Homeland Security, National Institute of Standards and Technology (NIST), Kaspersky Lab, CSO Online, and the American Institute of Certified Public Accountants (AICPA). Most tend to agree that the top threats are:
BEC and EAC Schemes
Identity Theft
Data Theft (Inside and Outside Threats)

Business E-mail Compromise and E-Mail Account Compromise Schemes:

There are many definitions of Business E-mail Compromise (BEC) schemes, so let’s start with the definition used by the FBI: Business E-mail Compromise is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
E-mail Account Compromise (EAC), according to the FBI, is a sophisticated scheme that targets the general public and professionals associated with, but not limited to, financial and lending institutions, real estate companies, and law firms. The EAC scam is very similar to the BEC scam, except that it targets individuals rather than businesses.
Criminals obtain the information needed to execute BEC and EAC attacks through social engineering and computer intrusion techniques. Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. The goal of the criminal actors is to gain access to the victim business’s internal communications so they can surveil how its payments are actually made. The scams are usually committed using a hacked or “spoofed” e-mail address. A spoofed e-mail is crafted by the attacker to mimic a legitimate vendor’s e-mail and convince the victim to send money to an account held by the criminal. Because the financial institution executing the wire transfer moves real funds on a valid instruction from the account holder, the bank is not the one exposed to the loss; the loss is sustained by the victim company.
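The outline in the previous post lists “How to Identify possible Spoofing” as a training topic, and the BEC description above explains how a spoofed vendor address is used to redirect a wire. The following is an added example, not code from the post or from the FBI, showing the header and body checks a practitioner would automate for both: a Reply-To domain that differs from the From domain, a display name that “claims” a trusted domain while the real address sits elsewhere, a look-alike domain built from character substitutions (1 for l, rn for m), and payment-change language in the body. The trusted-domain list and the three messages are constructed for the example; a real deployment would also consult the SPF/DKIM/DMARC results the receiving mail server records, which these heuristics complement rather than replace.

```python
"""Heuristic spoofing checks for inbound e-mail (added example, not the page's code).

Assumptions (hypothetical): TRUSTED_DOMAINS lists the vendors the business
actually pays; the three sample messages below are constructed for the demo.
"""
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"acme-supplies.com", "ourcompany.com"}  # hypothetical
# Single-character substitutions commonly used to build look-alike domains.
SINGLE_CHAR_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
PAYMENT_PHRASES = ("wire", "urgent", "new account", "updated bank", "change of bank")


def normalize_domain(domain):
    """Collapse common homoglyph tricks so 'acme-supp1ies' compares equal to 'acme-supplies'."""
    return domain.lower().translate(SINGLE_CHAR_SWAPS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance; small values mean a near-miss domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Domain part of the real address in a From/Reply-To header ('' if absent)."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def analyze_message(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_value = str(msg.get("From", ""))
    display_name, _ = parseaddr(from_value)
    from_domain = domain_of(from_value)
    reply_domain = domain_of(str(msg.get("Reply-To", "")))

    # 1. Replies silently routed to a different domain than the sender shows.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain '{reply_domain}' differs from from domain '{from_domain}'")

    # 2. Display name contains an address at one domain, real address is at another.
    if "@" in display_name:
        claimed = display_name.rpartition("@")[2].lower()
        if claimed != from_domain:
            findings.append(f"display name claims '{claimed}' but address is at '{from_domain}'")

    # 3. Sender domain is not trusted but is a near-miss of a trusted one.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if (normalize_domain(from_domain) == normalize_domain(trusted)
                    or edit_distance(from_domain, trusted) <= 2):
                findings.append(f"look-alike domain '{from_domain}' resembles trusted '{trusted}'")

    # 4. Body asks for a payment or banking change, the BEC payload.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hits = [p for p in PAYMENT_PHRASES if p in text]
    if hits:
        findings.append("payment-change language in body: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real traffic).
LEGITIMATE = (
    "From: Accounts Payable <ap@acme-supplies.com>\n"
    "To: controller@ourcompany.com\n"
    "Subject: Invoice 1042\n"
    "Content-Type: text/plain\n\n"
    "Invoice 1042 is attached for your records.\n"
)
LOOKALIKE = (
    "From: Accounts Payable <ap@acme-supp1ies.com>\n"
    "To: controller@ourcompany.com\n"
    "Subject: Updated remittance details\n"
    "Content-Type: text/plain\n\n"
    "Please send this week's payment to our new account; this is urgent.\n"
)
SPOOFED_DISPLAY = (
    'From: "ap@acme-supplies.com" <ap.acme.supplies@gmail.com>\n'
    "Reply-To: billing@acme-supp1ies.com\n"
    "To: controller@ourcompany.com\n"
    "Subject: Invoice 1043\n"
    "Content-Type: text/plain\n\n"
    "Invoice 1043 is attached.\n"
)

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("look-alike", LOOKALIKE), ("spoofed", SPOOFED_DISPLAY)):
        print(label, analyze_message(raw) or ["no findings"])
```

Any single finding is a reason to confirm the request by phone on a number already on file, never via the e-mail itself; the look-alike check is the one that catches the registered-domain variant of the scam, which no amount of “does the address look right” eyeballing reliably does.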
Ransomware is a form of Malware that targets both human and technical weaknesses in organizations to deny the availability of critical data and/or systems. When the victim organization determines they are no longer able to access their data, the criminals demand payment of a ransom in exchange for regaining access to their systems. Ransomware attacks are decreasing in number but increasing in variants. Ransomware is also known to infect smart phones, as well.
The top targets of Ransomware are academic organizations, government agencies, healthcare organizations and hospitals, and any organization with sensitive client data such as law firms.
Victims are targeted through e-mails, attachments, or links containing malicious code. Opening a malicious attachment or link results in encryption of files that blocks access to those files, or to entire systems, until an extortion payment is received. In addition to siphoning data from the victim, criminals hold the data hostage until payment, often in the form of Bitcoin or other cryptocurrencies.
Executive management will have to decide to pay or not pay the ransom based on the facts of the situation, but, in general, payment of the ransom is not recommended. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom. Paying a ransom emboldens the adversary to target other organizations for profit, and provides for a lucrative environment for other criminals to become involved.
Identity Theft:
The NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) illustrates that money is not the only target of cyber thieves. Criminal actors sell stolen PII on underground markets, i.e., the Dark Web. PII is any information about an individual, including any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name or biometric records, and medical, educational, financial and employment information. Theft of PII often leads to other crimes such as tax-refund fraud, credit card fraud, loan fraud, synthetic identity theft, and others.
Data Theft:
According to the American Institute of Certified Public Accountants (AICPA), sensitive data is an attractive target for cyber thieves. The crimes occur when a cyber criminal gains access to the internal cyber system of the victim to steal the sensitive data. Sometimes, these crimes target governments or other large organizations with more resources using a combination of malicious methods to first gain access to an organization’s networks, referred to as an Advanced Persistent Threat (APT). Then, the actor proceeds to monitor activity and siphon data in an undetected manner over an extended period of time.
Smaller businesses are also targeted for the theft of sensitive data. The theft schemes targeted towards businesses can be conducted by actors outside of the company, but also from insiders. Corrupt employees, to include contractors and vendors, have access to the most valuable secrets of an organization. Those bent on stealing the intellectual property will exploit weaknesses in the internal controls to copy, download, and remove the valuable information. They can sell the information to competitors, steal the information to start their own companies, or steal the information to take jobs with competitors. Some are complicit with hostile foreign intelligence services intent on stealing the secrets for use by their respective governments. Businesses should also consider the potential for corrupt insiders to plant malware or viruses to destroy the cyber environment. Some insiders will implant hidden “back doors” to the systems for later access by themselves or complicit actors.
The FBI advises that the insiders are interested in the following areas: Information and Communication Technology; Business information pertaining to scarce natural resources to provide global actors an edge in negotiations with the U.S. Government; Military Technologies, Civilian and Dual-Use technologies in clean energy, health care/pharmaceuticals, and agricultural technology. Motives could include greed or financial need, unhappiness at work, allegiance to another country, vulnerability to blackmail, the promise of a better job, and/or drug use or dependence.
The FBI also advises that certain behaviors of the actors may be missed that could have been picked up ahead of time. Those behaviors and warning signs include:
(1) They work odd hours without authorization.
(2) Without need or authorization, they take proprietary or other information home in hard copy form and/or on thumb drives, computer disks, or e-mail.
(3) They unnecessarily copy material especially if it’s proprietary or classified.
(4) They disregard company policies about installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential material.
(5) They take short trips to foreign countries for unexplained reasons.
(6) They engage in suspicious personal contacts with competitors, business partners, or other unauthorized individuals.
(7) They buy things they cannot afford.
(8) They are overwhelmed by life crises or career disappointments.
(9) They are concerned about being investigated, leaving traps to detect searches of their home or office or looking for listening devices or cameras.
FBI Recommended Cyber Crime Preventative Measures:
(1) Employee Training – because end users are often targeted, employees should be made aware of the threats, how attacks are delivered, and trained on best practices for good cyber hygiene.
(2) Patch operating systems, software, and firmware on all devices. All endpoints should be patched as vulnerabilities are discovered, which is made easier through a centralized patching system.
(3) Ensure anti-virus and anti-malware solutions are set to automatically update.
(4) Manage the use of privileged accounts. Implement the principle of least privilege: no users should be assigned administrative access unless absolutely needed; those with a need for administrator accounts should only use them when necessary and should operate with standard user accounts at all other times.
(5) Similar to administrative accounts: file directory, and network share permissions should also implement least privilege. If a user only needs to read specific files, they should not have write access to those files, directories or shares. Configure access controls with least privilege in mind.
(6) Disable macro scripts from office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite applications.
(7) Implement Software Restriction Policies or other controls to prevent programs from executing from common locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folders.
(8) Back up data regularly, and regularly verify the integrity of those backups.
(9) Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might be securing backups in the cloud or physically storing offline.
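Items (8) and (9) above say to verify backup integrity and keep backups off the network they protect, but not how to tell a good backup from one that ransomware or an insider has already touched. The following is an added example (not the FBI’s or the page’s code) of a hashed, keyed manifest: every file in the backup set is hashed, the manifest is authenticated with an HMAC key that is assumed to live somewhere other than the backed-up hosts (hypothetical), and a later verification reports files that are missing, modified, or unexpectedly added. Because the manifest itself is keyed, an attacker who can rewrite the backup cannot also rewrite the manifest to match. The sample files are constructed in a temporary directory.

```python
"""Hashed, HMAC-authenticated manifest for a backup set (added example, not the page's code).

Assumption (hypothetical): MANIFEST_KEY is stored off the backed-up hosts, e.g. with
the offline backup media, so that a compromised host cannot forge a matching manifest.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_KEY = b"hypothetical-key-kept-off-host"  # placeholder for the demo


def file_sha256(path):
    """SHA-256 of a file, streamed so large archives do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map of relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest, key):
    """Attach an HMAC over the canonical JSON form of the manifest."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return {"files": manifest, "mac": hmac.new(key, payload, "sha256").hexdigest()}


def verify_backup(root, signed, key):
    """Return a sorted list of problems; an empty list means the backup matches its manifest."""
    payload = json.dumps(signed["files"], sort_keys=True).encode()
    expected_mac = hmac.new(key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, signed["mac"]):
        # Do not trust any file hashes in a manifest whose MAC fails.
        return ["manifest signature invalid: manifest itself may have been altered"]
    expected, actual = signed["files"], build_manifest(root)
    issues = []
    for name, digest in expected.items():
        if name not in actual:
            issues.append(f"missing: {name}")
        elif actual[name] != digest:
            issues.append(f"modified: {name}")
    issues.extend(f"unexpected: {name}" for name in actual if name not in expected)
    return sorted(issues)


def demo():
    """Build a small constructed backup set, verify it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger.csv").write_text("2018-11-01,vendor,1000\n")
        (root / "payroll").mkdir()
        (root / "payroll" / "q3.txt").write_text("payroll q3\n")
        signed = sign_manifest(build_manifest(root), MANIFEST_KEY)
        clean = verify_backup(root, signed, MANIFEST_KEY)

        # Simulated tampering: edited file, deleted file, planted file.
        (root / "ledger.csv").write_text("2018-11-01,vendor,9000\n")
        (root / "payroll" / "q3.txt").unlink()
        (root / "payroll" / "extra.bin").write_bytes(b"\x00")
        tampered = verify_backup(root, signed, MANIFEST_KEY)

        # Attacker also edits the manifest to match the altered ledger: MAC check catches it.
        signed["files"]["ledger.csv"] = file_sha256(root / "ledger.csv")
        forged = verify_backup(root, signed, MANIFEST_KEY)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged manifest"), demo()):
        print(label, result or ["ok"])
```

Run the verification from a host that is not the backup source, against a copy of the manifest stored with the offline media; a manifest that lives only on the same share as the backup defeats the purpose.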
The United States Department of Homeland Security provides the following seven strategies to defend control systems as suggestions to protect the cyber environment:
(1) Implement Application Whitelisting – Application whitelisting (restricting systems from running software unless it has been cleared for safe execution) can detect and prevent attempted execution of Malware uploaded by adversaries.
(2) Ensure Proper Configuration/Patch Management – Adversaries attack unpatched systems. A configuration/patch management program centered on the safe importation and implementation of trusted patches will help keep control systems more secure. Use best practices when downloading software and patches destined for your control network. Take measures to avoid “watering hole” attacks (the attacker guesses which websites the group often uses and infects one or more of them with Malware). Use a web Domain Name System (DNS) reputation system. Get updates from authenticated vendor sites. Validate the authenticity of downloads. Insist that vendors digitally sign updates and/or publish hashes via an out-of-band communications path, and use these to authenticate. Don’t load updates from unverified sources.
(3) Reduce Your Attack Surface Area – Isolate ICS networks from any untrusted networks, especially the Internet. Lock down all unused ports. Turn off all unused services. Only allow real-time connectivity to external networks if there is a defined business requirement or control function. If one-way communication can accomplish a task, use optical separation (a “data diode”). If bidirectional communication is necessary, then use a single open port over a restricted network path.
(4) Build a Defendable Environment – Limit damage from network perimeter breaches. Segment networks into logical enclaves and restrict host-to-host communication paths. This can stop adversaries from expanding their access while letting normal system communications continue to operate. The containment provided by enclaving also makes incident cleanup significantly less costly.
(5) Manage Authentication – Adversaries are increasingly focusing on gaining control of legitimate credentials, especially those associated with highly privileged accounts. Implement multi-factor authentication where possible and emphasize strong passwords. Require separate credentials for corporate and control network zones and store these in separate trust stores.
(6) Implement Secure Remote Access – Some adversaries are effective at gaining remote access into control systems, finding obscure access vectors, even “hidden back doors” intentionally created by system operators. Remove such accesses whenever possible, especially modems, as these are fundamentally insecure.
(7) Monitor and Respond – Consider monitoring programs in the following five key areas:
a. Watch IP traffic on ICS boundaries for abnormal or suspicious communications.
b. Monitor IP traffic within the control network for malicious connections or content.
c. Use host-based products to detect malicious software and attack attempts.
d. Use login analysis (time and place, for example) to detect stolen credential usage or improper access, verifying all anomalies with quick phone calls.
e. Watch account/user administration actions to detect access control manipulation.
Have a response plan for when adversarial activity is detected. Such a plan may include disconnecting all Internet connections, running a properly scoped search for Malware, disabling affected user accounts, isolating suspect systems, and immediate 100% password reset. The Plan may include incident response, investigation, and public affairs activities.
Have a restoration plan, including having “gold disks” ready to restore systems to known good states.
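Item (7)(d) above recommends login analysis by time and place to spot stolen credential usage, which is exactly what the BEC actors described earlier rely on. The following is an added example (not DHS’s or the page’s code) of that analysis run over a handful of constructed login records: it flags a successful login outside business hours, a user who logs in successfully from two countries within a window too short to travel (“impossible travel”), and a success that immediately follows a run of failures, the signature of password guessing or credential stuffing. The log format, the business-hours window (taken as UTC here), and the thresholds are assumptions for the example and should be tuned to the real log source.

```python
"""Login analysis by time and place over constructed log lines (added example, not the page's code).

Assumptions (hypothetical): one login event per line in the format shown in SAMPLE_LOG,
timestamps in UTC, and business hours of 07:00-19:00 UTC.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) result=(?P<result>\S+)"
)

# Constructed sample log (not real traffic). Addresses are from documentation ranges.
SAMPLE_LOG = [
    "2018-11-05T08:05:00Z user=jsmith src=198.51.100.10 geo=US result=success",
    "2018-11-05T09:10:00Z user=jsmith src=203.0.113.7 geo=RU result=success",
    "2018-11-05T02:13:00Z user=mjones src=198.51.100.22 geo=US result=success",
    "2018-11-05T13:00:00Z user=mjones src=198.51.100.22 geo=US result=success",
    "2018-11-05T12:00:00Z user=adoe src=192.0.2.9 geo=US result=failure",
    "2018-11-05T12:01:00Z user=adoe src=192.0.2.9 geo=US result=failure",
    "2018-11-05T12:02:00Z user=adoe src=192.0.2.9 geo=US result=failure",
    "2018-11-05T12:03:00Z user=adoe src=192.0.2.9 geo=US result=failure",
    "2018-11-05T12:04:00Z user=adoe src=192.0.2.9 geo=US result=failure",
    "2018-11-05T12:05:00Z user=adoe src=192.0.2.9 geo=US result=success",
]


def parse_events(lines):
    """Parse log lines into dicts, dropping lines that do not match, sorted by time."""
    events = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def analyze_logins(events, work_hours=(7, 19), travel_window=timedelta(hours=2), fail_threshold=5):
    """Return (user, reason) alerts for off-hours, impossible-travel and brute-force-then-success logins."""
    alerts = []
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    for user, user_events in by_user.items():
        failures = 0
        last_success = None
        for event in user_events:
            if event["result"] != "success":
                failures += 1
                continue
            # A success right after a burst of failures looks like guessing that finally worked.
            if failures >= fail_threshold:
                alerts.append((user, f"success after {failures} failures from {event['src']}"))
            failures = 0
            # Time check: successful login outside the business-hours window.
            if not work_hours[0] <= event["ts"].hour < work_hours[1]:
                alerts.append((user, f"off-hours login at {event['ts'].isoformat()} from {event['geo']}"))
            # Place check: two countries within a window too short to travel between them.
            if (last_success is not None and last_success["geo"] != event["geo"]
                    and event["ts"] - last_success["ts"] <= travel_window):
                minutes = int((event["ts"] - last_success["ts"]).total_seconds() // 60)
                alerts.append((user, f"impossible travel {last_success['geo']} -> {event['geo']} in {minutes} min"))
            last_success = event
    return alerts


if __name__ == "__main__":
    for user, reason in analyze_logins(parse_events(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

Each alert is a prompt for the quick phone call the guidance mentions, not proof of compromise: a traveling executive, a night shift, or a user who mistyped a new password five times will all trip these rules, which is why the thresholds belong in a tuned configuration rather than in the code.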

Conclusion: The common link in these vulnerabilities is often the lax behavior of people using e-mail and corrupted apps. The careless use of e-mail provides criminals the easiest avenue for penetrating the cyber environment. One of the most effective methods of surveilling a business is to compromise the internal mailboxes of executives and key employees. From this position, the actors can learn about job positions, levels of authority, speech habits, bank accounts, decision-making authorities, travel, vendors, customers, and the attachments that accompany e-mails. Such knowledge allows the actor to mimic the language of users convincingly enough to misdirect wire transfers, steal sensitive information, or plant Malware to damage the system.
No one can prevent all attempts at cyber fraud, which makes it important to recognize that all business structures, regardless of size, are targets of adversarial actors. Often, cyber-fraud and cyber-crime attacks are treated as technological problems, but they are also personnel problems. Reviewing past cases has shown victims who failed to have quality preventative measures in place, as well as cases where controls were in place but disregarded by careless employees. Effective defenses will necessarily be multi-layered, continuously upgraded, and rigorously tested to offer the best chance of preventing damage or discovering problems at an early stage.

Forensic Accounting Issues

Five Recommendations to Protect Your Business from CyberFraud

We all know that forming and running a business, as rewarding as it is, will keep the owners and managers extremely busy as they work to grow their operations. They will hear from professional accountants about the necessity of creating good internal controls to protect the company. But oftentimes, the ideal structure of internal controls may require more people to implement division of responsibilities. Then, reality sets in. Wages and benefits spent on hiring more employees who do not generate profits are called unhappy dollars. To reduce these unhappy dollars, divisions of responsibilities are collapsed into a fewer number of trusted employees to guard the money and intellectual property of the entity. Many businesses operate safely and profitably using fewer people to oversee the internal controls, but the risk of fraud increases as these controls are collapsed into the job descriptions of fewer people.
To be sure, determined crooks will defeat the best designs of internal controls in any size of business entity. However, more opportunity for mischief is created in smaller business models with more emphasis on the trust of fewer people, or maybe even one employee. Some of our most devastating embezzlement losses have occurred in this environment of complete trust engendered to a small number of people. This is particularly true in crooked accountant bookkeeper cases, whom I call crookkeepers.
It is extremely important to point out that the accounting and bookkeeping professions produce dedicated and reliable people who professionally maintain accurate books and records. Just like anything else, a few of these people create enormous problems when they decide to commit fraud. Other key employees in a company can also steal money and assets from a business. So let’s discuss some effective methods of preventing or discovering the misdeeds of corrupt employees.
After years of working as a financial crime investigator, I have had the advantage of interviewing a wide variety of criminals. I have always carefully questioned those crooks who agreed to be interviewed. In addition to having them describe the scheme, I would ask: Why did you do this? Well, what kept you up at night? How did you get caught? What would you have done differently to avoid detection? During your scheme, when was the first time you knew that you crossed the line into actual indefensible fraud? What recommendations would you forward to the victims of such schemes to prevent people like you from stealing from them? From this, I and many of my colleagues have gained valuable insights about how to make victims harder targets against fraudulent conduct. These suggestions are not usually found in accounting classes or online searches.
The knowledge gained from conducting the fraud autopsies of numerous cyber and financial fraud cases reveals many clues left behind by the fraudsters. These clues were in plain sight but overlooked during the schemes. More importantly, many of these same clues appear in different cases.
One of the challenges in the practice of Forensic Accounting is to leverage this information to identify practical and cost-effective fraud preventative solutions for business owners, including partnerships, churches, and other non-profits. Therefore, I always try to find the no-cost, low-cost, and then the high-cost solutions. Naturally, people want to hear about the no-cost solutions first, so I came up with a list of five things that stakeholders can apply today, at no cost, to make their business models harder targets against corrupt employees. So, the list I provide and discuss is:
Know Your Employees
Know Your Vendors
Know Your Credit Cards
Know Your Business
Know Your Cyber System
I am convinced that these recommendations, if implemented, will not prevent the attempts at fraud schemes, but they will offer the best chances for prevention and early detection of problems. That’s the point. You want to identify the warning signs of problems in the early stages to prevent devastating losses from off-the-books and on-the-books fraud schemes. First, though, I want to describe the important differences between off-the-books and on-the-books schemes.

Off-the-books schemes primarily appear in cases where the perpetrator(s) will steal money and not really care if the transactions are recorded in the accounting system. Thefts of cash and other valuable assets, maybe from the inventory system, are common. Opportunities to steal cash make good people go bad and bad people go worse. Many thieves will steal cash knowing that it may be discovered one day. They rely on poor internal controls and lack of proof to keep from being fired or prosecuted. So, people like me will be telling business folks to reduce the opportunities for cash thefts by getting the cash into the bank accounts as soon as possible. Keeping cash in storage, even safes, will not deter the thieves. One secret in removing cash from the business is establishing a positive relationship with your financial institution about your banking procedures, particularly in cash deposits. Your banker is required to report suspicious patterns of cash deposits which may appear designed to avoid Currency Transaction Reporting requirements of cash transactions over $10,000.00. A more personal relationship with your financial institution may alleviate these concerns. Please do not forget about protecting your intellectual property and trade secrets from theft. These thefts would not necessarily appear on your accounting system.
On-the-books schemes are described as schemes where the corrupt employee is stealing money while creating false and fictitious accounting entries to hide the thefts. In a normal accrual-based double-entry accounting system, each transaction will create a debit and a credit entry. At the end of each transaction, at the end of each day, and at the end of each accounting period, debits and credits should equal. The sophisticated thieves certainly know this. Some of our most significant and devastating losses from embezzlements are on-the-books schemes designed to survive the review and audit process. Undetected, these schemes can last several months or years, and may never be discovered. Payments of bribes and kickbacks can be hidden in webs of misdirected accounting entries. Corrupt business partners and company executives can drain the profits out of a business and hide behind falsified accounting entries. Crooks will look for and exploit weaknesses in the internal control systems. For example, we have seen many theft suspects in churches and non-profits admit to some form of taking money, but they will say that they are being reimbursed for previous personal expenditures. Without a reliable internal control system covering reimbursement of expenses, it becomes difficult to independently prove or disprove these representations. These schemes present significant challenges to the auditing profession and even more challenges to businesses operating without professional audits.
Know Your Employees
When doing presentations on fraud prevention, I field several questions about how to hire quality employees, such as “What questions should be asked?” “Can we ask about their criminal record?” “Can we review their Social Media?” These are valid questions, but present-day government rules, regulations, procedures, and laws make the answers more complex. I always recommend the services of competent legal counsel to navigate these issues.
After investigating and studying numerous corrupt employee matters, I can say that clues were left behind by many of the thieves during the application and hiring process. I always request or subpoena the employee files to review the initial application and disclosures. In many, but not all, cases, the corrupt employee embellished accomplishments, omitted key information, or outright lied on the application. The clues went undiscovered because no one researched the applicant’s representations. A Google search is not adequate. A misrepresentation on an application could very well be a mistake or honest oversight. The hiring and interview process offers the best chance to address these issues. Key information about education, previous employers, awards, and accreditations can easily be verified before an interview even takes place. These recommendations gain in importance when hiring people in key financial and management positions. Here are some additional steps for consideration:
Identify Employees in Sensitive Positions for increased vigilance
Review and Verify Applications/Resumes
Obtain Credit Reports
Consider Background Checks for Employees in Sensitive Positions
Consider Fidelity Bonds
Know Your Vendors
In the above discussion of on-the-books fraud schemes, I point out that the perpetrators will record false and misleading accounting entries to hide their fraud schemes. One of the most common methods of doing just this is to form fake vendors and add the vendors to the approved vendor list. Once the fake vendor is added to the approved list, fake invoices are submitted to the company for payment. The payments are then directed to bank accounts controlled by the embezzler. Sounds simple, right? This format appears in many long-term embezzlement cases causing hundreds of thousands or even millions of dollars in losses. This is why I recommend monitoring the vendor list and looking for the conflicts of interest and unholy financial relationships between vendors and your employees, particularly with new vendors.
Know Your Credit Cards
Investigators and Forensic Accountants often see cases where personal expenses are charged to the corporate credit cards. We also see situations where the embezzler will obtain personal credit cards from the same credit card company that sponsors the corporate credit cards, charge personal expenses on the new cards, and pay all the credit cards with corporate funds. I call these parasite credit cards. If the person using the credit cards is the same person responsible for paying the credit card companies, losses can accumulate very quickly. I have seen cases where the losses from parasite credit cards hit the six- and seven-figure dollar range. Misuse of company credit cards does not always stand alone in a fraud scheme and is often combined with other methods of stealing money. Here are some additional steps for consideration:
Determine how many credit cards are being paid through the company
Determine who has custody over the credit cards
Clear company policies concerning proper use of credit cards should be in written guidelines.
Always review the credit card statements.

Know Your Business
Of course you know your business, but how closely do you monitor the different types of expenses being charged to the business? While unraveling on-the-books fraud schemes, we find that many of the expenses charged to fake companies made absolutely no sense to the business model of the victim. Many embezzlers will try to outfox you by charging “soft” costs like “consulting”, reasoning that no one can really tell what is going on. Careful monitoring of the expenses being paid is critical in catching schemes at an early stage.
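The vendor-list monitoring recommended under Know Your Vendors and the expense monitoring recommended here can be turned into a routine review of the vendor master and payments ledger. The following is an added example, not code from the original post; the employee, vendor and payment records are constructed sample data, and the "soft cost" keyword list and 90-day "new vendor" window are assumptions a reviewer would tune to the business.

```python
from datetime import date
# Constructed sample data (not from the original post): a vendor master, an
# employee master and a payments ledger as a small business might export them.
EMPLOYEES = [
    {"name": "Pat Ledger", "bank_acct": "111-2222", "address": "12 Elm St"},
    {"name": "Sam Cash", "bank_acct": "333-4444", "address": "9 Oak Ave"},
]
VENDORS = [
    {"id": "V001", "name": "Acme Supply", "bank_acct": "555-6666",
     "address": "400 Industrial Way", "created": date(2015, 3, 1)},
    {"id": "V002", "name": "PL Consulting LLC", "bank_acct": "111-2222",
     "address": "PO Box 77", "created": date(2018, 9, 10)},
    {"id": "V003", "name": "Oak Services", "bank_acct": "777-8888",
     "address": "9 Oak Ave", "created": date(2018, 10, 2)},
]
PAYMENTS = [
    {"vendor": "V001", "amount": 1234.56, "memo": "Copier toner"},
    {"vendor": "V002", "amount": 5000.00, "memo": "Consulting"},
    {"vendor": "V002", "amount": 5000.00, "memo": "Consulting"},
    {"vendor": "V003", "amount": 2500.00, "memo": "Services"},
]
SOFT_COST_WORDS = ("consult", "services", "fees", "misc")  # assumed vague "soft" costs

def vendor_red_flags(vendors, employees, payments, as_of, new_vendor_days=90):
    """Return {vendor_id: [reason, ...]} for vendors that warrant a closer look."""
    emp_by_acct = {e["bank_acct"]: e["name"] for e in employees}
    emp_by_addr = {e["address"].lower(): e["name"] for e in employees}
    flags = {}
    for v in vendors:
        reasons = []
        # Conflict of interest: vendor is paid into, or registered at, an employee's details.
        if v["bank_acct"] in emp_by_acct:
            reasons.append(f"bank account shared with employee {emp_by_acct[v['bank_acct']]}")
        if v["address"].lower() in emp_by_addr:
            reasons.append(f"address shared with employee {emp_by_addr[v['address'].lower()]}")
        paid = [p for p in payments if p["vendor"] == v["id"]]
        # A newly added vendor that is already being paid deserves extra scrutiny.
        if paid and (as_of - v["created"]).days <= new_vendor_days:
            reasons.append(f"added within {new_vendor_days} days and already paid")
        if paid and all(p["amount"] % 100 == 0 for p in paid):  # round-dollar invoices
            reasons.append("every invoice is a round-dollar amount")
        if paid and all(any(w in p["memo"].lower() for w in SOFT_COST_WORDS) for p in paid):
            reasons.append("every invoice is a 'soft' cost (consulting, services, fees)")
        if reasons:
            flags[v["id"]] = reasons
    return flags

def review_sample(as_of=date(2018, 11, 15)):
    """Run the check over the constructed sample as of a constructed review date."""
    return vendor_red_flags(VENDORS, EMPLOYEES, PAYMENTS, as_of)
```

On the sample data, the two vendors created in the autumn and tied to an employee's bank account or address are flagged on every test, while the long-standing supplier with an itemized, odd-cent invoice is not.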
Know Your Cyber System
I field many questions concerning protecting businesses from cyber-related crime. In short, we should consider the difference between financially motivated cyber fraud schemes and cyber-attacks designed to damage the computer system. Cyber fraud schemes can originate from corrupt employees or from outside forces intent on stealing assets. Intellectual property, trade secrets, and client lists are glaring targets of corrupt employees and outside cyber criminals. For-profit cyber-attacks include Business Email Compromise schemes, Email Account Compromise schemes, and Ransomware schemes. Cyber attacks designed to damage the cyber system can originate from outside the business or from disgruntled insiders. Here are some basic steps for consideration:
Learn about Common Attack Vectors and Mitigation Best Practices
Conduct a Security Audit and Assess Controls
Keep your Cyber system modern and up-to-date
Employee Training
Consider Business Insurance
Create a Response Plan
I am convinced that any one or more of these no-cost recommendations would have prevented or discovered significant embezzlement schemes resulting in hundreds of thousands of dollars in losses in actual cases. These are lessons learned from analyzing internal fraud schemes as well as information gleaned from debriefing the actual thieves.
These recommendations are only briefly described to keep this blog within a reasonable length. I plan on writing additional blogs and podcasts to provide more detail on these matters, particularly on protecting the cyber system of businesses.

Forensic Accounting Issues

Mobile and On-line Banking Safety Considerations

I was recently interviewed by Margarette Burnette, a personal finance writer at NerdWallet, and asked to offer an opinion on the question she entitled “Is it Safer to Bank by Phone or Computer?” In this article she says “Two thirds of Americans use mobile or online banking as their main way to access their accounts. If you belong to that group, chances are you lean heavily on a smart phone or computer to pull up your bank information. But both gadgets also happen to be popular targets for online fraudsters itching to infiltrate your accounts”. You can view her report at the link I provided.
After researching the issues and thinking about some of the hard-earned lessons of investigating actual cases, I responded by saying that the safety infrastructure in both methods is very solid and constantly improving. They need to improve because determined fraudsters are always trying new methods to defeat the security structures of the systems. I chose to turn the question around and approach the answer from the perspective of the criminals. In other words, by “Thinking Like a Thief”.
If I were running a criminal organization and wanted to compromise the online banking world, my efforts would be directed towards attacking the smart phone side. People are trending away from relying on desktops, laptops, and tablets for everyday use. The smart phone is really a portable computer, completely mobile, and has many of the same security features as PCs and laptops. As our society moves more towards the connected world of the Internet of Things (IoT), 5G technology, smart homes and cities, and the increasing capabilities of smart phones, we become more tethered to these devices. Criminal actors are always finding new ways to crack through the security features of our PCs, laptops, tablets and related peripherals. But they are also honing their skills to attack smart phones.
And, let’s face it, two of the weakest links in protecting our home, business, or smart phone cyber systems are e-mails and corrupted apps. Crooks rely on lax behavior by users such as not shielding their smart phone screens, using unprotected Wi-Fi networks, sending or receiving unsolicited emails, opening unverified attachments, downloading sketchy apps, or failing to protect the phones from theft. Considering the increasing reliance on smart phones, it appears to me that cyber criminals will be devoting more time and resources towards compromising the smart phone environment.
The reporter’s question may generate different answers but regardless of the devices used, learning and practicing good cyber hygiene has never been more important.

Additional blogs and podcasting on cyber security best practices are forthcoming.