workplace fraud and forensics: ferreting out the facts · 9:00 the workplace fraud profile f...
TRANSCRIPT
Friday, July 13, 2012 9 a.m.–4 p.m.
Oregon State Bar Center Tigard, Oregon
6.25 General CLE credits
Workplace Fraud and Forensics: Ferreting Out the Facts
ii
WOrkpLaCE Fraud and FOrEnSiCS: FErrETinG OuT ThE FaCTS
The materials and forms in this manual are published by the Oregon State Bar exclusively for the use of attorneys. Neither the Oregon State Bar nor the contributors make either express or implied warranties in regard to the use of the materials and/or forms. Each attorney must depend on his or her own knowledge of the law and expertise in the use or modification of these materials.
Copyright © 2012
OREGON STATE BAR16037 SW Upper Boones Ferry Road
P.O. Box 231935Tigard, OR 97281-1935
iii
TaBLE OF COnTEnTS
Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Faculty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .vii
1. The Workplace Fraud profile—presentation Slides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–i— Bill douglas, Cost Advisors, Inc., Portland, Oregon
2. Background Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–i— kelly paxton, Financial CaseWorks LLC, Portland, Oregon
3. Legal issues in Employee Fraud—presentation Slides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3–i— katherine heekin, The Heekin Law Firm, Portland, Oregon
4a. pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4A–i— Joel Brillhart, Professional Forensic Services, Portland, Oregon
4B. Mac and iOS Computer Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4B–i— Eli rosenblatt, Eli Rosenblatt Investigations, Portland, Oregon
5. a Skeptic’s Guide to advanced internet Searching—presentation Slides . . . . . . . . . . . . 5–i— Jan davis, JT Research LLC, Portland, Oregon
6. Which One is different—data Mining and Forensic analytics—presentation Slides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6–i— Bill douglas, Cost Advisors, Inc., Portland, Oregon
iv
v
8:00 registration
9:00 The Workplace Fraud profileF Prevalence of occupational fraudF How fraud is committed and how much is lostF Detecting and preventing fraudF The perpetratorsBill douglas, Cost Advisors, Inc., Portland
10:00 Background ChecksF Why conduct background investigationsF How to conduct a background investigationF Pitfalls of background investigationskelly paxton, Financial CaseWorks LLC, Portland
11:00 Break
11:15 Legal issues in Employee FraudF Gathering evidenceF Interviews—order, environment, and techniquesF DischargeF Engaging law enforcementkatherine heekin, The Heekin Law Firm, Portland
12:15 Lunch
1:00 Computer Forensics: Mac vs. pCF TechniquesF Expected resultsF Case historiesModerator: Bill douglas, Cost Advisors, Inc., PortlandModerator: kelly paxton, Financial CaseWorks LLC, PortlandJoel Brillhart, Professional Forensic Services, PortlandEli rosenblatt, Eli Rosenblatt Investigations, Portland
2:00 a Skeptic’s Guide to advanced internet SearchingF Search engine battles (Bing, Google)F Browsers wars (Firebox, IE)F Business and individual background checksF Social media as a research toolJan davis, JT Research LLC, Portland
2:45 Break
3:00 Which One is different—data Mining and Forensic analyticsF Data mining examplesF Excel as a data mining toolBill douglas, Cost Advisors, Inc., Portland
4:00 adjourn
SChEduLE
vi
vii
Joel Brillhart, Professional Forensic Services, Portland. Mr. Brillhart is a Certified Forensic Computer Examiner by the International Association of Computer Investigative Specialists and a CPA (license issued by the Iowa Accountancy Board). He conducts examinations of computers, cell phones, PDAs, and other digital media and provides expert analysis, data recovery, and witness services for criminal and civil litigation, internal corporate investigations, and private concerns. He has worked as a Media Exploitation Analyst in Iraq, as a Special Agent for the Federal Bureau of Investigation, and as an internal auditor. Mr. Brillhart has lectured on electronic forensics on several occasions.
Jan davis, JT Research LLC, Portland. Ms. Davis is president of JT Research, where she coordinates a team of trained information specialists to provide business professionals with the data they need. Her primary clientele consists of financial analysts, business appraisers, CPAs, business brokers, and economists. Ms. Davis is the former library director at Willamette Management Associates and understands the research needed for business valuation reports and litigation support cases. Her five years of experience as business/economics librarian at Willamette University give her a strong background in academic research. She received her Masters in Library and Information Studies from U.C. Berkeley and has over 15 years of experience in academic and corporate libraries.
Bill douglas, Cost Advisors, Inc., Portland. Mr. Douglas is the president of Cost Advisors, Inc., a consulting firm that he founded in 1999; Cost Advisors’ focus is accounting investigation and fo-rensics. Mr. Douglas also volunteers with the Fraud and Identity Theft Enforcement Team of the Washington County Sheriff’s Office. He has managed nearly 100 financial projects at both large and small companies. Before founding Cost Advisors, Mr. Douglas held management positions at Tektronix, Inc., and FLIR Systems, Inc. He has also been an auditor with Deloitte and CFO of a software firm. Mr. Douglas is a CPA in Oregon, California, and Washington, certified in Financial Forensics, a Certified Information Technology Professional, a Certified Fraud Examiner, a Certified Internal Auditor, and an Oregon Licensed Private Investigator. He is a member of the American Institute of CPAs, the Northwest Fraud Investigators Association, and the Oregon Association of Licensed Investigators and an affiliate member of the Multnomah Bar Association. Mr. Douglas is past chair of the Oregon Society of CPAs Business & Industry Committee, a past board member of the Oregon Association of Certified Fraud Examiners, and a past officer of the Oregon chapter of the Institute of Internal Auditors. He is a frequent speaker, writer, and trainer on topics related to white-collar crime and financial controls.
katherine heekin, The Heekin Law Firm, Portland. Ms. Heekin resolves business disputes, particu-larly complex fraud-related claims. As an attorney and a certified fraud examiner, Ms. Heekin is among a select group of professionals educated, trained, and experienced in preventing and rem-edying fraud. She is also a proven leader in electronic evidence management techniques and tech-nologies. She has been engaged as a consultant in electronic evidence management and as a trainer in fraud prevention. She is a Fellow of the American Bar Foundation, an instructor for the Forensic Accounting Academy, a member of the Federal Bar Association, and a member and past secretary of the Uniform Civil Jury Instructions Committee.
FaCuLTy
viii
kelly paxton, Financial CaseWorks LLC, Portland. Ms. Paxton specializes in financial investigations from the initial background interview to the tracing of funds in embezzlement, elder abuse, and misappropriation of assets. Ms. Paxton also has investigated mortgage fraud. She brings over 13 years of law enforcement experience to her current role as principal of Financial CaseWorks LLC, a private investigative firm. Ms. Paxton also is a contract special investigator for Keypoint Government Services, performing background investigations for the Department of Homeland Security. She maintains a security clearance for this contract. In addition, Ms. Paxton has been a public arbitrator for the Financial Industry Regulatory Authority since 2001. Previously, Ms. Paxton was the analyst for the Fraud Identity Theft Enforcement Team at the Washington County Sheriff’s Office, where she worked with FITE detectives on a variety of financial crime cases. Ms. Paxton started her law enforcement career as a Special Agent for the U.S. Customs Office of Investigations. Before entering law enforcement, Ms. Paxton was a licensed stockbroker and a trader/contract negotiator.
Eli rosenblatt, Eli Rosenblatt Investigations, Portland. Trained in the early 1990s at the California Appellate Project, Mr. Rosenblatt began freelance work assisting attorneys with death penalty appeals and expanded his investigation practice to include numerous types of criminal defense and civil cases. He now works as an investigator and forensic expert based in Portland, where he conducts workplace, background, fraud, civil, and criminal defense investigations for lawyers and individuals. As a Certified Fraud Examiner who is also certified for forensic examination of Apple devices, Mr. Rosenblatt is especially qualified to conduct comprehensive professional forensic ex-aminations to detect and understand evidence of alleged fraud on all Macs and iOS devices. Mr. Rosenblatt is Oregon’s only Board Certified Criminal Defense Investigator (CCDI) and one of only three CCDIs in the nation that is also a Certified Fraud Examiner. In addition, he is a Certified Forensic Interviewer and has been certified by the State Medical Examiner as a Medicolegal Death Investigator.
FaCuLTy (Continued)
1–i
Chapter 1
ThE WOrkpLaCE Fraud prOFiLE—prESEnTaTiOn SLidES
Bill Douglas
Cost Advisors, Inc.Portland, Oregon
1–ii
Chapter 1—The Workplace Fraud profile—presentation Slides
1–1
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
1
The Workplace Fraud ProfileBill Douglas
Cost Advisors’ Background
Founded in 1999Mission: Improve our client’s business and the lives of our employeesFocus on Accounting Investigation and ForensicsLogo symbolizes partnership with our clients
© 2008 Cost Advisors, Inc. All rights reserved.
2
1–2
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
2
Bill Douglas’ BackgroundPresident at Cost Advisors, Inc. 33 years experience
Management positions in Accounting, Sales, MarketingCFO, IPO, 'Big 4' public accounting, business processes, recovery auditing, internal controls, fraud, internal auditing, Sarbanes-Oxley (SOX)Financial project management at both large and small public companiesVolunteer Washington County Sheriff’s Dept. – Fraud Team
Frequent speaker and writer about Internal Controls, Fraud
© 2012 Cost Advisors, Inc. All rights reserved.
3
Bill Douglas’ Background
Credentials and memberships:OR, CA, WA Certified Public Accountant (CPA) Certified Internal Auditor (CIA)Certified Fraud Examiner (CFE)Certified in Financial Forensics (CFF)Certified IT Professional (CITP)OR Licensed Private Investigator (PI)
54 years old, happily married 29 years, no addictions, drive a Subaru
© 2012 Cost Advisors, Inc. All rights reserved.
4
Northwest Fraud InvestigatorsAssociation
MULTNOMAH BAR
ASSOCIATION (Affiliate Member)
1–3
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
3
Fraud Vocabulary Quiz
© 2012 Cost Advisors, Inc. All rights reserved.
5
Baksheesh
Bicheiro
a) type of pita breadb) bribec) water pipe for smoking tobacco
a) female puppyb) large sunhatc) numbers banker, bookie, or racketeer
Left Blank Intentionally
Left Blank Intentionally
a) specified charges on a water billb) expenses written off in quarterly financial statements when a
company would record a loss anywayc) membership fees to join an Arab political party
Big Bath Charges
Left Blank Intentionally
Agenda – Occupational Fraud
© 2012 Cost Advisors, Inc. All rights reserved.
6
1. Prevalence
2. How it’s committed
3. Detection
4. Victims
5. Perpetrators
6. Preventing
1–4
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
4
Worldwide Corruption (Kroll % in white)
© 2012 Cost Advisors, Inc. All rights reserved.
7
84%85%
84%
Wait, wait…don’t tell meOver the last year, what percentage of companies (worldwide) were affected by fraud?
a. 10%b. 50%c. 75%d. 100%
© 2012 Cost Advisors, Inc. All rights reserved.
8
Left Blank Intentionally
1–5
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
5
Kroll Global Fraud Report 2011/2012*
75% (66% in North America) of companies affected by at least one fraud*
© 2012 Cost Advisors, Inc. All rights reserved.
9
* Worldwide survey of 1200+ senior executives June, July 2011 by The Economist Intelligence Unit..
http://www.krollconsulting.com/insights-reports/global-fraud-reports//
0.00%1.00%2.00%3.00%4.00%5.00%
Average 18% ofCompanies
Fraud % of Revenue
Left Blank Intentionally
The 2011 PwC Global Cyber & Economic Crime Survey*
Cybercrime: It’s IT + HR + Marketing34% affected in last 12 monthsCompanies that looked for fraud, found fraud
© 2012 Cost Advisors, Inc. All rights reserved.
10
* 3,877 respondents in 78 countries completed web-based survey. Published November 2011.
www.pwc.com/crimesurvey
Left Blank Intentionally
1–6
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
6
© 2012 Cost Advisors, Inc. All rights reserved.
11
Based on 1,388 fraud cases investigated worldwide.
© 2012 Cost Advisors, Inc. All rights reserved.
12
Based on 473 cases appearing in court records, prosecutorial press releases, media accounts, vital records, government & regulatory filings and other public information.
Findings noted in green.
1–7
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
7
Prevalence of Fraud
U.S. organizations lose 5%* of their
annual revenues to fraud
© 2012 Cost Advisors, Inc. All rights reserved.
13
Source: *Estimated in ACFE 2012 Report to the Nations. Kroll found 2.1%.
Amounts Lost (or Spent)
0
100
200
300
400
500
600
700
800
WorldCom Enron Madoff Lehman U.S. Fraud
1160 65 49
737
Billion
s
© 2012 Cost Advisors, Inc. All rights reserved.
14
Every Year!
1–8
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
8
Distribution of Dollar Loss
© 2012 Cost Advisors, Inc. All rights reserved.
15
Source: ACFE 2012 Report to the Nations
Median$140,000
Median$340,000per 2011 MarquetReport
Recession – What Increased?
© 2012 Cost Advisors, Inc. All rights reserved.
16
Source: ACFE Occupational Fraud: A Study of the Impact of an Economic Recession, 2009.
Kroll+55% 2011
1–9
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
9
Fraud Triangle
© 2012 Cost Advisors, Inc. All rights reserved.
17
Pressure
OpportunityRationalization
Housing Bubble = Pressure
© 2012 Cost Advisors, Inc. All rights reserved.
18
23% homes with negative equity now
1–10
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
10
Unemployment = Pressure
© 2012 Cost Advisors, Inc. All rights reserved.
19
Agenda – Occupational Fraud
© 2012 Cost Advisors, Inc. All rights reserved.
20
1. Prevalence
2. How it’s committed
3. Detection
4. Victims
5. Perpetrators
6. Preventing
1–11
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
11
Wait, wait…don’t tell meThe most frequent type of workplace fraud:
a. Theft (misappropriation)b. Corruptionc. Misstated financial statementsd. Odometer fraud
© 2012 Cost Advisors, Inc. All rights reserved.
21
Left Blank Intentionally
Occupational Fraud by Category -Frequency
© 2012 Cost Advisors, Inc. All rights reserved.
22
Source: ACFE 2012 Report to the Nations
1–12
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
12
Misappropriation Frequencies and $
© 2012 Cost Advisors, Inc. All rights reserved.
23
Source: ACFE 2012 Report to the Nations
Cash Receipts 26%
Cash Disbursements 64%
Other 29%
Skimming14.6%
Cash Larceny 11%
Billing 24.9%
$58K $54K
CheckTampering
11.9%
ExpenseReimbursements
14.5%$100K $143K $26K
Payroll 9.3%
CashRegister
3.6%$48K $25K
Cash on Hand 11.8%
Non-Cash17.2%
$20K $58K
New Cybercrime category
Types of Cyber Attack:Economic Crime - hackingEspionage – IP theft. Kroll: 50% Co.'s vulnerableActivism - WikiLeaksTerrorism – Power grid, Financial SystemsWarfare
© 2012 Cost Advisors, Inc. All rights reserved.
24
Source: Cybercrime: protecting against the growing threat, November 2011, PwC
Cybercrime – economic crime using computers and the internet
1–13
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
13
Fraud by Category – ACFE vs. PwC
© 2012 Cost Advisors, Inc. All rights reserved.
25
Source: ACFE 2012 Report to the Nations & PwC Cybercrime Report 2011
Cybercrime a Growth Business!
© 2012 Cost Advisors, Inc. All rights reserved.
26
Robbery WhiteCollar
Cybercrime
Rewards are greaterLess chance of detectionLess chance of identificationLess chance of prosecution
Criminal is remoteLaw enforcement is not equippedLess evidence
Smaller penalties
1–14
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
14
Wait, wait…don’t tell meHow long does the average fraud last before detection?
a. 1 monthb. 1 yearc. 2 yearsd. Until the next administration is sworn in
© 2012 Cost Advisors, Inc. All rights reserved.
27
Left Blank Intentionally
Median Duration of Fraud Based on Scheme Type
© 2012 Cost Advisors, Inc. All rights reserved.
28
Source: ACFE 2012 Report to the Nations
Median is 24 months
Median is 49 months per 2011 MarquetReport
1–15
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
15
Fraud Vocabulary Quiz
© 2012 Cost Advisors, Inc. All rights reserved.
29
Top Hatting
Wet Ink Policies
a) when a person wears a large hat to cover up their lack of hair, or baldnessb) cover-up of something bigc) changing a bet after the outcome has already been decided
a) life insurance policies that are sold immediately after being issuedb) precautions a person must follow after getting a new tattooc) prohibition of using jell pens to sign legal documents
Left Blank Intentionally
Left Blank Intentionally
Agenda – Occupational Fraud
© 2012 Cost Advisors, Inc. All rights reserved.
30
1. Prevalence
2. How it’s committed
3. Detection
4. Victims
5. Perpetrators
6. Preventing
1–16
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
16
Wait, wait…don’t tell meHow is fraud most often detected?
a. Auditors find itb. By policec. A tipd. By accident
© 2012 Cost Advisors, Inc. All rights reserved.
31
Left Blank Intentionally
Initial Detection of Occupational Frauds
© 2012 Cost Advisors, Inc. All rights reserved.
32
Source: ACFE 2012 Report to the Nations * Top detection per PwC
**
1–17
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
17
Percent of Tips by Source
© 2012 Cost Advisors, Inc. All rights reserved.
33
Large % from external sources
34% in companies without hotlines
Source: ACFE 2012 Report to the Nations
© 2008 Cost Advisors, Inc. All rights reserved.
34
Controls that make a difference
Frequency of Anti-Fraud Controls
Source: ACFE 2012 Report to the NationsSOX = Controls required by the Sarbanes-Oxley Act
1–18
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
18
Other Warning SignsRecords are disorganized or missingThere are unexplained changes in your accounting recordsThere is an unusual drop in available cashThere are unusually large or numerous credit memos to othersBank reconciliations are lateBank deposits are delayed (i.e. deposits in transit too high)There are too many increases in past due accounts receivableCheck amounts are alteredDuplicate payments are madeToo many payments are being made to individuals with the same name or address
© 2012 Cost Advisors, Inc. All rights reserved.
35
Agenda – Occupational Fraud
© 2012 Cost Advisors, Inc. All rights reserved.
36
1. Prevalence
2. How it’s committed
3. Detection
4. Victims
5. Perpetrators
6. Preventing
1–19
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
19
Type of Victim Organization -Frequency
© 2012 Cost Advisors, Inc. All rights reserved.
37
Source: ACFE 2012 Report to the Nations
Size of Victim Organization -Frequency
© 2012 Cost Advisors, Inc. All rights reserved.
38
Small organizations more likely to be hit...but PwC results show the opposite
Source: ACFE 2012 Report to the Nations
1–20
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
20
Victim Industry Frequency
© 2012 Cost Advisors, Inc. All rights reserved.
39
Some industries are more likely to hire CFEs
Source: ACFE 2012 Report to the Nations * Top industries per PwC
*
*
*
*Industry Number of Cases Percent of Cases
Banking and Financial Services 229 16.70%Government and Public Administration 141 10.30%Manufacturing 139 10.10%Health Care 92 6.70%Education 88 6.40%Retail 83 6.10%Insurance 78 5.70%Services (Professional) 55 4.00%Religious, Charitable or Social Services 54 3.90%Services (Other) 48 3.50%Construction 47 3.40%Oil and Gas 44 3.20%Telecommunications 43 3.10%Technology 38 2.80%Transportation and Warehousing 36 2.60%Arts, Entertainment and Recreation 32 2.30%Real Estate 28 2.00%Wholesale Trade 27 2.00%Utilities 24 1.80%Agriculture, Forestry, Fishing and Hunting 20 1.50%Mining 9 0.70%Communications and Publishing 9 0.70%Other 7 0.50%
Agenda – Occupational Fraud
© 2012 Cost Advisors, Inc. All rights reserved.
40
1. Prevalence
2. How it’s committed
3. Detection
4. Victims
5. Perpetrators
6. Preventing
1–21
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
21
Wait, wait…don’t tell meWhat age group commits the most frauds?
a. > 60 year olds (their medical bills are higher)b. 46 to 60 year olds (can’t pay their mortgage)c. 36 to 45 year olds (divorce) d. 26 to 35 year olds (student loans, credit cards)e. < 26 year olds (minimum wage is not enough)
© 2012 Cost Advisors, Inc. All rights reserved.
41
Left Blank Intentionally
Age of Perpetrator — Frequency
© 2012 Cost Advisors, Inc. All rights reserved.
42
Source: ACFE 2012 Report to the Nations
Cybercrime criminals usually <40 years old (PwC)
1–22
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
22
Wait, wait…don’t tell meWho is more likely to commit fraud?
a. Short-term employees (< 5 years)b. Long-term employees (> 5 years)
© 2012 Cost Advisors, Inc. All rights reserved.
43
Left Blank Intentionally
Tenure of Perpetrator — Frequency and Median Loss
© 2012 Cost Advisors, Inc. All rights reserved.
44
Source: ACFE 2012 Report to the Nations
53%47%
1–23
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
23
Education of Perpetrator — Median Loss
© 2012 Cost Advisors, Inc. All rights reserved.
45
The value of a good education!
Source: ACFE 2012 Report to the Nations
Wait, wait…don’t tell meMale or Female?
a. Maleb. Female
© 2012 Cost Advisors, Inc. All rights reserved.
46
Left Blank Intentionally
1–24
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
24
© 2012 Cost Advisors, Inc. All rights reserved.
47
Source: ACFE 2012 Report to the Nations
The Glass Ceiling
36% male and 64% female per 2011 Marquet Report
Glass ceiling:77 cents per $1 all occupations 44 cents per $1 in fraud
High Ethical Standards?
© 2012 Cost Advisors, Inc. All rights reserved.
48
0
10
20
30
40
50
60
70
80
90
Ranked ‘Very High’ or ‘High’ in ethical standards according to a Gallup Poll from November, 2008.
1–25
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
25
Perpetrator’s Department
© 2012 Cost Advisors, Inc. All rights reserved.
49
Source: ACFE 2012 Report to the Nations
72% Accountants
per 2011 Marquet Report
Fraud Perception vs. Reality
© 2012 Cost Advisors, Inc. All rights reserved.
50
0
10
20
30
40
50
60
70
80
90
Ranked ‘Very High’ or ‘High’ in ethical standards according to a Gallup Poll from November, 2008.
22% - 72% of frauds
1–26
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
26
Wait, wait…don’t tell meWhat are the ‘red flags’ of a fraudster (all that apply)?
a. Living beyond meansb. Divorcec. Wheeler-dealer attituded. Addiction problemse. Pornographyf. Slicked-back hair
© 2012 Cost Advisors, Inc. All rights reserved.
51
Left Blank Intentionally
Red Flags
© 2012 Cost Advisors, Inc. All rights reserved.
52
Source: ACFE 2012 Report to the Nations
Acting alone 89.8% of the time per 2011 Marquet Report
0.00% 5.00% 10.00% 15.00% 20.00% 25.00% 30.00% 35.00% 40.00%
Living Beyond Means
Financial Difficulties
Unusually Close Association with Vendor/Customer
Control Issues, Unwillingness to Share Duties
Divorce/ Family Problems
Wheeler-Dealer Attitude
Irritability, Suspiciousness or Defensiveness
Addiction Problems
Past Employment-Related Problems
Complained About Inadequate Pay
Refusal to Take Vacations
Excessive Pressure from Within Organization
Past Legal Problems
Complained About Lack of Authority
Excessive Family/Peer Pressure for Success
Instability in Life Circumstances
1–27
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
27
Red Flags – Deviant Behavior Hypothesis
Drivers: Money, Power, SexWorkplace: Porn, affairs, harassment, bullying, fraud, theft
© 2012 Cost Advisors, Inc. All rights reserved.
53
Source: Using Deviant Behaviors of Others to Find Fraud (UDBOFF), Ryan Hubbs, June 2011.
Power
Money
Sex
Red Flags – Per KPMGBullies co-workers, rude, aggressive, threateningStressed, unhappy, unmotivatedReluctance to produce recordsOutsized lifestyle, financial problemsAccepts (improper) gifts, breaks rulesRumored bad habits, addictions, vices
© 2012 Cost Advisors, Inc. All rights reserved.
54
Source: Who is a Typical Fraudster?, KPMG analysis of 349 actual fraud cases in 69 countries from January 2008 until December 2010.
1–28
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
28
Agenda – Occupational Fraud
© 2012 Cost Advisors, Inc. All rights reserved.
55
1. Prevalence
2. How it’s committed
3. Detection
4. Victims
5. Perpetrators
6. Preventing
Wait, wait…don’t tell meWhich control (of those in the list below) is MOST effective in reducing amounts lost to fraud?
a. Surprise Auditsb. Code of Conductc. Whistleblower hotlined. Mandatory vacations
© 2012 Cost Advisors, Inc. All rights reserved.
56
Left Blank Intentionally
1–29
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
29
Effectiveness of Controls
© 2012 Cost Advisors, Inc. All rights reserved.
57
Source: ACFE 2012 Report to the Nations
Audits less effective
Cash Fraud Detection MeasuresBank statements received unopened by mgr.
Review for unknown charges (ACH, wires)Review checks for unknown payees (vendors)Review checks for unusual endorsementsNote time lag in deposits reaching the bank
© 2012 Cost Advisors, Inc. All rights reserved.
58
1–30
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
30
Cash Fraud Detection MeasuresDeposits
Deposit slips – trend of cash vs. checks depositedCash receipts reconciled to deposit slipsInvestigate complaints about ‘unpaid’ balance
© 2012 Cost Advisors, Inc. All rights reserved.
59
Cash Fraud Detection MeasuresAccounts Receivable
Unauthorized write-offs (credits)Aged receivablesDecrease in revenues
© 2012 Cost Advisors, Inc. All rights reserved.
60
1–31
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
31
Cash Fraud Detection Measures
Bank ReconciliationsPerformed by an independent personUnusual entries to cash general ledger accountsCross-outs, white-out, photocopies
© 2012 Cost Advisors, Inc. All rights reserved.
61
Takeaways5% of revenue, two yearsTypes:
Corruption – largest organization lossesMisappropriation – accountant’s favorite
Watch out for 50-year-old male, divorced, accountant, with addiction problem, and a new sports car!Implement hotline, fraud training and reconciliations
© 2012 Cost Advisors, Inc. All rights reserved.
62
1–32
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
32
Backup Slides
Deducting Embezzlement LossesThe loss is deducted in the year discovered.
Even if tax years are ‘closed’The loss is reported NET of recovery.
Issuing a Form 1099 MISC to the suspect is optional. If a form 1099 is issued:
A separate Form 1099 may be issued for each year of loss ORA single 1099 MISC may be issued in the year the loss was discovered
1–33
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
33
How to work with your Bank
Bank Anti-fraud Reliance
Standard ProceduresEnhanced Services
© 2012 Cost Advisors, Inc. All rights reserved.
66
1–34
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
34
Standard Bank ProceduresSignatures on checks
Signature Cards may be scannedTeller will verify if presented at drawn bankNot useful if presented at another bank or ATM
Banks don’t check below a dollar thresholdFees start at $50 per month
Electronic TransfersRequire a requester and approverTemplates can be changed by the requester
© 2012 Cost Advisors, Inc. All rights reserved.
67
Enhanced Procedure - Positive Pay
© 2012 Cost Advisors, Inc. All rights reserved.
68
BankCompany
Vendor
Che
ck
Positive Pay File
Starts at ~ $65 per month
Compares
Source: Bank of the Cascades
1–35
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
35
Enhanced Procedure-ACH Filter (or Block)
© 2012 Cost Advisors, Inc. All rights reserved.
69
BankCompany
Vendor
Internet Transfer Request
Starts at ~ $25 per month per account
Blo
cked
Subsidiary
Source: Bank of the Cascades
How to Pick a Bankwww.FDIC.gov
© 2012 Cost Advisors, Inc. All rights reserved.
70
1–36
Chapter 1—The Workplace Fraud profile—presentation Slides
6/22/2012
36
Fraud Vocabulary Quiz
© 2012 Cost Advisors, Inc. All rights reserved.
71
Channel Stuffing
Share Market Fraud
a) when a person stuffs the remote into their clothing to prevent others from changing the television channel
b) shipping unwanted inventory to retailers ahead of schedule which fills the distribution channels with more product than needed
c) throwing garbage into a river, clogging and polluting it
a) companies secretly strip assets of their firms or illegally allocate shares of stock
b) companies that lie about their ‘market share’c) collusion by stock brokerage firms sharing the best practices to defraud
investors
a) when a person steals money by hiding it in a doggie bagb) a bar that delivers beer to the home without checking IDc) a warning to a conman that he is under suspicion
Take-out
Left Blank Intentionally
Left Blank Intentionally
Left Blank Intentionally
For More Information
Cost Advisors, Inc. 503-704-3719
www.costadvisors.com
Download: ‘Embezzlement Response Guide’
© 2012 Cost Advisors, Inc. All rights reserved.
72
1–37
Chapter 1—The Workplace Fraud profile—presentation Slides
1–38
Chapter 1—The Workplace Fraud profile—presentation Slides
2–i
Chapter 2
BaCkGrOund ChECkSKelly Paxton
Financial CaseWorks LLCPortland, Oregon
Table of Contents
I. Background Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–1
II. Why Do a Background Investigation? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–1
III. Business Necessity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–2
IV. Current Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–2
V. Social Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–2
VI. Other Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–3
VII. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–5
VIII. Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–5
Appendix—Presentation Slides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–7
2–ii
Chapter 2—Background Checks
2–1
Chapter 2—Background Checks
i. BaCkGrOund invESTiGaTiOnS
Background investigations are an important tool not only for employment purposes but also due diligence purposes. Approximately 93% of all businesses utilize background investigations for some poten-tial applicants and 73% for all potential applicants according to the 2010 report by the Society for Human Resource Management. A background investigation can cost as little as $20 to as much as $4,300. There are ap-proximately 1,200 firms that offer background investigations. The back-ground industry is a $4 to $5 billion per year industry according to the National Association of Professional Background Screeners, the indus-try trade group.
ii. Why dO a BaCkGrOund invESTiGaTiOn?
According to numerous studies, one in three applicants is consid-ered to have lied on his or her resume and/or application. The business that does not vet its executives well is the one that ends up with the bad press. A recent example is the CEO of Yahoo.
Yahoo’s chief executive officer Scott Thompson stepped down yesterday after an investigation by Third Party, a hedge fund and major investor in the company, revealed that he had lied about his education on his resume. Al-though Mr. Thompson’s biography indicated that he had earned degrees in accounting and computer science from Stonehill College, he never actually earned a degree in computer science.
Mr. Thompson is not the only executive to resign follow-ing revelations that he or she lied or embellished academic credentials:
In April 2007, the admissions dean for the Massachusetts Institute of Technology was forced to resign following revelations that she had fabricated academic degrees from Union College, Rensselaer Polytechnic Institute and Al-bany Medical School.
In 2006, CEO of RadioShack, Dave Edmonson, resigned after it emerged that he lied about having degrees in theol-ogy and psychology.
In 2002, Veritas Software’s stock price fell some 16% after it emerged that its CFO had fabricated his education. Not surprisingly, the revelation also led to his resignation.
In 2002, the CEO of Bausch & Lomb, Ronald Zarrella, was forced to forfeit his bonus after it was revealed that he had never earned his MBA from New York University as claimed. Mr. Zarrella attended the university but never ac-tually completed the program.
Resume padding and exaggerating academic credentials are more common that one might think, and its prevalence
2–2
Chapter 2—Background Checks
extends far beyond the C-suite. In 2010, a HireRight sur-vey of 1,818 organizations found that 69% of respondents reported that they had caught a job candidate lying on his or her resume. Moreover, the FBI has estimated that over 500,000 people nationwide claim college degrees that they never actually earned. Even in cases much less high-pro-file than Yahoo’s assuming that qualifications presented by potential candidates are always legitimate can damage your company’s reputation and bottom line.
(Courtesy of MSA Investigations–New York City.)
iii. BuSinESS nECESSiTy
Being consistent is a very integral part of the background inves-tigation process for a business. According to the Insurance Information Network of California, lawsuits for negligent hiring, retention, and out-of-court settlements in California due to workplace violence averaged over $500,000; jury verdicts in these cases averaged about $3 million (Rosen, L. 2006).
iv. CurrEnT iSSuES
State lawmakers also are concerned about employers looking into people’s credit. Over the past three years, seven states have enacted laws barring employers in many instances from gaining access to credit reports. Fifteen states have similar legislation pending. No one expects a sudden stop to background checks. The key will be what employers do with the information they gather. Companies should ask applicants about potentially negative reports to give them a chance to explain away errors that inevitably come up and also to put their circumstances into context, says Cynthia Springer, a labor and em-ployment lawyer in Indiana. “Collecting the information isn’t the big issue right now, it’s how it’s being used,” Springer says. “You should be doing a case-by-case analysis anytime you’re using criminal background information in making a decision.”
v. SOCiaL MEdia
A few weeks ago, Maryland became the first state to pass legisla-tion that would ban employers from demanding that employees or job candidates turn over their social media. Rep. Eliot Engel (D–NY) has in-troduced legislation in the U.S. House of Representatives that would out-law this practice nationally. The bill, known as Social Networking Online Protection Act (SNOPA) (http://www.govtrack.us/congress/bills/112/hr5050), is broader than the Maryland bill. According to a press release (http://engel.house.gov/index.cfm?sectionid=24&itemid=3199) from Congressman Engel, SNOPA covers not only employers but also schools and universities. Although the text of the bill is not yet available online, the press release further notes that SNOPA would accomplish two objectives:
2–3
Chapter 2—Background Checks
F Prohibit current or potential employers from re-quiring a username, password or other access to online content. It does not permit employers to demand such ac-cess to discipline, discriminate or deny employment to in-dividuals, nor punish them for refusing to volunteer the information.
F Apply the same restrictions to colleges and univer-sities, and K–12 schools as well.
While I agree that requiring applicants to furnish social media passwords as a condition of employment is, gen-erally, a bad business practice, I fear that the firestorm [http://www.theemployerhandbook.com/2012/03/employer-demand-facebook-password.html] about em-ployers supposedly demanding social media passwords is drastically overblown. The examples of employers—most notably the City of Bozeman [http://arstechnica.com/web/news/2009/06/bozeman-apologizes-backs-down-over-facebook-login-request.ars] and the Mary-land Department of Corrections ]http://www.switched.com/2011/02/23/maryland-stops-asking-applicants-for-facebook-login/]—who have made this stupid mistake are old news. Both employers were publicly scrutinized and shamed into stopping.
(Courtesy of The Employer Handbook.)
vi. OThEr iSSuES
Perhaps we are asking the wrong question. Let me suggest that the proper question is not “Can the employer conduct a background check?” but rather “Can an employer use the information found on the background check to deny employment to the applicant or employee?” The short an-swer is “Yes, under the right circumstances.” So let’s see if we can get some help in determining when and how we can use background checks in the hiring process.
While the EEOC has not issued regulations, it has provid-ed some guidelines. Employers are expected to consider the following factors:
1. The nature and gravity of the offense(s);
2. The time that has passed since the conviction and/or completion of the sentence; and
3. The nature of the job held or sought.
The federal courts have also stated that employers need to have a legitimate business justification, which can include, in addition to the above EEOC guidelines, safety and well being of others at the job site or in the immediate area. The
2–4
Chapter 2—Background Checks
policy must then be narrowly tailored to meet the stated justification.
Essentially, the EEOC, and the federal courts expect em-ployers to weigh the type of offense and time passed since the offense against the nature of the job to determine if the employer has a justification for refusing to hire a can-didate. For example, an applicant’s 15-year old DWI con-viction is unlikely to be relevant if s/he is applying for a bookkeeping position. For that matter if s/he was ar-rested but not convicted for DWI, then denying him or her the job will also be inappropriate and perhaps illegal. If however, this same applicant for the bookkeeping posi-tion has a 3-year old embezzlement conviction, the em-ployer could refuse to hire. When might a DWI conviction be relevant? In the Pepsi case if the applicant sought work for Pepsi as a driver, s/he should probably expect to be rejected. OK, how about one final example: suppose you have a male applicant with a sexual assault conviction and you employ mostly women, some of whom often stay late when the area may not be well-trafficked or well-lit? One would be hard-pressed to argue lack of business justifica-tion there!
So, here are some take-away’s for employers:
1. If you do not already have one, create a written policy that discusses your hiring criteria and how you will screen your applicants and hiring criteria. This policy should take into consideration the type of positions for which you are hiring and should allow you to make a de-termination on a case by case basis and take all relevant facts into consideration.
2. Be able to easily articulate a justification any time you deny a job to an applicant based on his/her back-ground check results.
3. Make sure your policy is narrowly tailored to meet your business
4. Justification(s). If your policy is broader than neces-sary to meet the justification(s) you have articulated (even if only to yourself) you will be vulnerable if an applicant files an EEOC complaint.
Finally, one more caveat: As of today, at least 25 states and at least one city have passed their own laws limiting the circumstances under which employers can inquire into an applicant’s criminal history. Check to see if your state (or city) has imposed any such limitations!
(Courtesy of Janet Levey Frisch.)
2–5
Chapter 2—Background Checks
vii. COnCLuSiOn
Background investigations are a useful tool if used properly. There are numerous pitfalls, though, that can cost a business money and reputation. Background investigations no longer just consist of crimi-nal history and credit checks. If a business does not believe it is able to adequately and appropriately complete the process, it should seek to outsource the function. Social media is now a part of the background investigation process. Social media is not just something your kids use. Social media is important in hiring and employment decisions. Social media is not going away. There are a lot of excellent resources to help you navigate this new and growing part of the background investiga-tion process.
viii. BiBLiOGraphy
F Rosen, Lester (2006), The Safe Hiring Manual. F Society for Human Resource Management. F Frisch, Janet Levey (2012). F MSA Investigations New York City (2012). F Meyer, Eric, The Employer Handbook (2012).
2–6
Chapter 2—Background Checks
2–7
Chapter 2—Background Checks
appEndix—prESEnTaTiOn SLidES
6/20/2012
1
Background Investigations
Oregon State BarJuly 13, 2012
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Goals
What is a Background Investigation?Why do a Background Investigation?How to do a Background Investigation (or where to get one done)
2–8
Chapter 2—Background Checks
6/20/2012
2
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Old School vs. New School
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Name that CEO
2–9
Chapter 2—Background Checks
6/20/2012
3
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Scott Thompson-Yahoo!
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Local Resume Padding
2–10
Chapter 2—Background Checks
6/20/2012
4
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Robert Hulshof-Schmidt
Hulshof-Schmidt, 46, admitted to forging his employment application by representing that he had a graduate degree. He did not.According to the court, his formal application included a University of Washington transcript that he had altered to show completed coursework.
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Kelly Paxton, CFE, PI
Licensed Private Investigator (OR)Certified Fraud ExaminerPrincipal, Financial CaseWorks LLCSpecial Agent US Customs 1993-1998Registered Stock/Commodity Broker 1987-1990
2–11
Chapter 2—Background Checks
6/20/2012
5
Page© 2012 Financial CaseWorks LLC. All rights reserved.
BI – What exactly is one?
Fingerprints?Internet Sites?Big Brother surprise
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Websites & Databases
No single databaseNo LEDS/NCICPrivate CompaniesSearch enginesBlog searches
2–12
Chapter 2—Background Checks
6/20/2012
6
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Background Investigation Facts
93% of organizations use some form of BI(SHRM 2010)1 in 3 applicant falsifies information$20 to $4300$4-5 billion industry with 1200 companies
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Reasons for BI’s
Pre-employment screeningEmployee promotion/transferOutside party for board positionScreening third party service providersDue diligenceInvestigating any suspected theft/misuse
2–13
Chapter 2—Background Checks
6/20/2012
7
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Why do a Background Investigation?
What you don’t know can/will hurt youKnowledge is good
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Applicant Lies
Degree not earnedDiploma Mills/Fake DegreeJob TitleEmployment DatesCompensationLack of criminal record
2–14
Chapter 2—Background Checks
6/20/2012
8
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Even George Costanza did it
http://www.youtube.com/watch?v=_T35QhLx_KI
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Careerexcuse.com
Careerexcuse.com
2–15
Chapter 2—Background Checks
6/20/2012
9
Page© 2012 Financial CaseWorks LLC. All rights reserved.
How to do a Background Investigation
Where to start?ResourcesThe actual interview
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Starting the Process
Job Description-Business NecessityForms-application, FCRA and waivers
2–16
Chapter 2—Background Checks
6/20/2012
10
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Critical Application Items
Background CheckBroadest language about convictionsRelease for previous employers5-10 years employment7-10 years addressesContact current employer??
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Red Flags
Not completing applicationNot signing applicationNo consent for background screeningCriminal questions left blank
2–17
Chapter 2—Background Checks
6/20/2012
11
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Red Flags cont’d
Can’t recall former supervisorGaps in employment historyExcessive crossouts/changes
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Expungement
Difficult in today’s environmentPrivate databases unaffected by court’sexpungement orderAttorneys now suggest preparing letter addressing issueBe upfront and honest
2–18
Chapter 2—Background Checks
6/20/2012
12
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Resources
Google is your BFF (best friend forever but be careful)The deep web (PIPL, Spokeo)Background screening firms (NAPBS)
Page© 2012 Financial CaseWorks LLC. All rights reserved.
www.pipl.com
http://www.pipl.com
2–19
Chapter 2—Background Checks
6/20/2012
13
Page© 2012 Financial CaseWorks LLC. All rights reserved.
The Interview
RapportFill in the gapsBody languageAsk the right questionsGet more references
Page© 2012 Financial CaseWorks LLC. All rights reserved.
New Age Lie Detector Test
Background checks-Concerns?Criminal convictions-Concerns?Previous employers-What will they say?Previous employers-job issues etc?Unexplained gaps in employment history?
2–20
Chapter 2—Background Checks
6/20/2012
14
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Good vs. BadHave you ever used a
different name?Maiden Name?
If hired, can you show proof of age?
When did you graduate high school?
If hired will you be able to provide proof of eligibility
to work in the US?
Are you a US Citizen?
Can you be reached at this address?
Do you own your home or rent?
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Social Networking
What can you use?Technology ahead of the lawPolicies and procedures
2–21
Chapter 2—Background Checks
6/20/2012
15
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Reasons they don’t use SM-Per SHRM
Page© 2012 Financial CaseWorks LLC. All rights reserved.
SNOPA
2–22
Chapter 2—Background Checks
6/20/2012
16
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Social Networking Online Protection ActIf passed, SNOPA would "prohibit current and potential
employers for requiring a username, password or other access to online content," according to a news release on Engel's website. These constraints would also apply to schools from kindergarten through university level.
What is SNOPA?
Page© 2012 Financial CaseWorks LLC. All rights reserved.
SNOPA cont’dThe SNOPA bill's other co-sponsor, Schakowsky, said in a prepared statement: "The American people deserve the right to keep their personal accounts private. No one should have to worry that their personal account information, including passwords, can be required by an employer or educational institution, and if this legislation is signed into law, no one will face that possibility.”Maryland 1st state to do this-other states in process
2–23
Chapter 2—Background Checks
6/20/2012
17
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Lifestyle issues?
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Pay attention
He noticed a change in Milligan’s behavior and wondered how she could afford the assets she had — including a Cadillac Escalade, a horse arena, and several horses — on her salary.5/17/2012 Rhonda Milligan pled guilty to 1 count, admitted $848k embezzlement
2–24
Chapter 2—Background Checks
6/20/2012
18
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Oregon and Credit Checks
House Bill 1045Exceptions: banks and credit unions, public safety and LEOs“Substantially job-related-no guidance from State but probably very narrow
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Credit Reports
Today’s economyNegative information valid predictor of job performance?Outside of applicant’s control?Consistent in use of negative information?Have you documented the decision?
2–25
Chapter 2—Background Checks
6/20/2012
19
Page© 2012 Financial CaseWorks LLC. All rights reserved.
After the Investigation
HousekeepingComplying with FCRAPurging the files
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Background Investigations
ResourcesLimits of BIsFair Credit Reporting ActNot just for employeesBe consistent
2–26
Chapter 2—Background Checks
6/20/2012
20
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Resources-Always Changing!
GooglePiplSocial networking- Facebook- Twitter- Spokeo
Credit reports??
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Final Thoughts
BI’s are not just for employmentWhat you don’t know can hurt youThe Internet makes it easier and more difficult
2–27
Chapter 2—Background Checks
6/20/2012
21
Page© 2012 Financial CaseWorks LLC. All rights reserved.
Typical ClientMedical offices – Employee theft/dishonesty, new hiresFamilies – Elder Financial Fraud, backgrounds on caregiversSmall Business owners – Due diligence on potential business dealings/partners, new hiresAttorneys – litigation support, asset research and identification and recovery
Page© 2012 Financial CaseWorks LLC. All rights reserved.
ReferencesShepard, I.M. and Duston, R (1998) Thieves at Work: An Employer’sGuide to Combating Workplace Dishonesty. Murphy, K.R. (1993) Honesty in the Workplace. The Background InvestigatorBrody, Richard G. (2008) Beyond the Basic Background Check: Hiring
the “Right” Employees. Rosen, Lester S. (2006) The Safe Hiring Manual Society of Human Resource Management SurveyMeyer, Eric The Employer Handbook (2012)
2–28
Chapter 2—Background Checks
6/20/2012
22
Page 43© 2012 Financial CaseWorks LLC. All rights reserved.
Questions?
Contact Kelly Paxton at:
2–29
Chapter 2—Background Checks
2–30
Chapter 2—Background Checks
3–i
Chapter 3
LEGaL iSSuES in EMpLOyEE Fraud—prESEnTaTiOn SLidES
Katherine heeKin
The Heekin Law FirmPortland, Oregon
3–ii
Chapter 3—Legal issues in Employee Fraud—presentation Slides
3–1
Chapter 3—Legal issues in Employee Fraud—presentation Slides
7/3/2012
1
LEGAL ISSUES IN EMPLOYEE FRAUD
JULY 13, 2012Katherine Heekin
808 S.W. Third Ave., Suite 540Portland, OR 97204
503-222-5578
3–2
Chapter 3—Legal issues in Employee Fraud—presentation Slides
7/3/2012
2
Conducting an Investigation
• Upjohn v. United States, 449 U.S. 383 (1981), warnings– Give before interview begins.– Interview is confidential and may not disclose substance.– Privilege held by entity. Disclose without notifying you.– Allow for questions.– Memorialize that warning was given.
• Employees who report to internal compliance programs are not whistleblowers and often are not protected after making an internal complaint. E.g.Brown & Root v. Donovan, 747 F.2d 1029 (5th Cir. 1984).
3–3
Chapter 3—Legal issues in Employee Fraud—presentation Slides
7/3/2012
3
Discipline and Termination
• Clear, written policies• Communicated regularly• Enforced consistently• Documented adequately
Relevant Case Law
• ORS 659A.300(1) states no polygraphs for private sector employers
• Buckel v. Nunn, 133 Or App 399, 405-07 – false imprisonment factors – door blocked, one phone call, threatened jail
• Asay v. Albertson’s, Inc., 2007 US Dist LEXIS 31678 (Or App 2007) – fear alone is insufficient to show restraint of freedom
• ORS 659A.199 – protection for whistleblowers from retaliation
3–4
Chapter 3—Legal issues in Employee Fraud—presentation Slides
7/3/2012
4
Representative CasesIn the Matter of Banc of Am. Sec. LLC, SEC Admin. Proc. File No. 311425 Exchange Act Release No. 34 49386, 82 SEC Docket 1264 (Mar. 10, 2004) ($10 million fine for allegedly misleading securities regulators and delay in producing evidence)
Coleman (Parent) Holdings Inc. v. Morgan Stanley & Co., Inc., 2005 WL 674885 (Fla. Cir. Ct. Mar. 23, 2005) (adverse inference, partial default judgment, attorney fees, and jury verdict of $1.5 billion in compensatory and punitive damages)
In re September 11th Liability Insurance Coverage Cases, 243 F.R.D. 114, 132 (S.D.N.Y. 2007) (insurer and counsel jointly and severally liable for $500,000 as Rule 37 sanctions); and 18 U.S.C. §§ 1512, 1519, 1520(b), 1520(c) (Sections 802 and 1102 of the Sarbanes-Oxley Act imposing fines and prison terms for altering or destroying electronic information).
Moore v. Gen. Motors Corp., 558 S.W.2d 720, 735-37 (Mo. App. 1977) (no spoliation where records destroyed as required by policy and no knowledge of pending litigation, no evidence of fraud, deceit or bad faith, and plaintiff made no effort to obtain through discovery once suit began)
Kucala Enterprises, Ltd. v. Auto Wax Co., Inc., 2003 WL 21230605, at *8 (N.D.Ill. May 27, 2003)(magistrate recommended dismissal and attorney fees to defendant because plaintiff violated duty to preserve by using a software program to erase the contents of a hard drive), report and recommendation adopted as modified by Kucala Enterprises., Ltd. v. Auto Wax Co., Inc., 2003 WL 22433095 (N.D.Ill. Oct 27, 2003)
Qualcomm Inc. v. Broadcom Corp., 2008 WL 66932 (S.D. Cal Jan. 7, 2008) (sanctions in excess of $8 million against Qualcomm, in-house and former outside counsel ordered to participate in case review and enforcement of discovery obligations program, and judge referred possible ethics violations to California state bar)
3–5
Chapter 3—Legal issues in Employee Fraud—presentation Slides
7/3/2012
5
Recouping Losses
• Criminal Action • Confession of Judgment• Civil Action• Insurance claim
Ripped from the Headlines
3–6
Chapter 3—Legal issues in Employee Fraud—presentation Slides
7/3/2012
6
Enron
Fastow’s testimonyBehind the Scenes of the Enron Trial: Creating the Decisive Moments, 44 American Criminal Law Review 217,
Spring 2007, Number 2
3–7
Chapter 3—Legal issues in Employee Fraud—presentation Slides
7/3/2012
7
The Corporate CultureBehind the Scenes of the Enron Trial: Creating the Decisive Moments, 44 American Criminal Law Review 219, Spring
2007, Number 2
Whistleblowing Behind the Scenes of the Enron Trial: Creating the Decisive Moments, 44 American Criminal Law Review 221, Spring
2007, Number 2
3–8
Chapter 3—Legal issues in Employee Fraud—presentation Slides
7/3/2012
8
MADOFF
“BM had a marketing strategy that appeared to be based on false trust, not
analysis.”--Harry Markopolos, CFA, CFE, written
testimony before the U.S. House of Representatives Committee on Financial
Services, 2/4/09
3–9
Chapter 3—Legal issues in Employee Fraud—presentation Slides
7/3/2012
9
The False Trust• BM was a founder and a former head of NASDAQ• BM’s brother, Peter, was a former vice-chairman of NASD and
former director of Depository Trust Corporation• Brother-in-law is the only auditor to protect Madoff’s
proprietary trading strategy • Affinity communities• “Special access”• Complicated structure and strategy• Unbelievable Returns• Secrecy
Complicated Structure• “[T]he hedge fund isn’t organized as a hedge fund by Bernard
Madoff (BM) yet it acts and trades like one.” - Harry Markopolos letter to SEC dated 11/7/05.
• Pays 1% management fee and 20% of profits to other hedge fund managers.
• Earns undisclosed commissions on trades.• “The investors that pony up the money don’t know that BM is
managing their money. That Madoff is managing the money is purposely kept secret from the investors.” – SEC letter at 3.
• Cheaper money is available in the short-term credit markets.
3–10
Chapter 3—Legal issues in Employee Fraud—presentation Slides
7/3/2012
10
Complicated Strategy: the split-strike conversion
• Purchase stock in index form (S & P 100) to match the index options plan to use.
• Sell call options to generate income.• Buy put options to protect against market price
declines.• “He knew most wouldn’t understand it and would be
embarrassed to admit their ignorance so he would have less questions to answer.” – Markopolos testimony to Congress
Unbelievable Returns Attachment 1 to Markopolos SEC letter
3–11
Chapter 3—Legal issues in Employee Fraud—presentation Slides
7/3/2012
11
Madoff’s auditor’s office: Friehling & Horowitz
Article by AP journalist, Jim Fitzgerald, dated Dec. 18, 2008 www.northjersey.com/
business/36363009.html
Tipsters
• “It is a sickening thought but if the SEC had bothered to pick up the phone and spend even one hour contacting the leads, then BM could have been stopped in early 2006.” –Markopolos written testimony to Congress at 24.
3–12
Chapter 3—Legal issues in Employee Fraud—presentation Slides
7/3/2012
12
Local Stories
3–13
Chapter 3—Legal issues in Employee Fraud—presentation Slides
7/3/2012
13
3–14
Chapter 3—Legal issues in Employee Fraud—presentation Slides
7/3/2012
14
Contact
Katherine Heekin808 S.W. Third Ave., Suite 540Portland, OR 97204503-222-5578
3–15
Chapter 3—Legal issues in Employee Fraud—presentation Slides
3–16
Chapter 3—Legal issues in Employee Fraud—presentation Slides
4A–i
Chapter 4a
pC vS. MaC COMpuTEr FOrEnSiCS rEGiSTry anaLySiS—Win 7
FOCuS—prESEnTaTiOn SLidESJoel Brillhart
Professional Forensic ServicesPortland, Oregon
4A–ii
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
4A–1
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
6/19/2012
1
Prepared By:Joel Brillhart, CFCE
Professional Forensic Services, LLC503-348-6407
4A–2
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
6/19/2012
2
The Microsoft Computer Dictionary defines the registry as:
◦ A central hierarchical database used in the Microsoft Windows family of Operating Systems to store information necessary to configure the system for one or more users, applications and hardware devices.
◦ The registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system and the ports that are being used.
The Microsoft Computer Dictionary defines the registry
– A central hierarchical database used in the Microsoft Windows family of Operating Systems to store information necessary to configure the system for one or more users, applications and hardware devices.
System Configuration User Names, Personal Settings & Preferences You can determine where a computer has been
through Wi-Fi Geo locations You can determine what Devices (USB/Printers/
Phones/PDA’s) have been connected You can see Web Browsing Activity by user Find out what Programs have been executed,
installed and deleted See what files have been viewed by the user You can find out User Entered Search Keywords
4A–3
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
6/19/2012
3
4A–4
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
6/19/2012
4
4A–5
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
6/19/2012
5
4A–6
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
6/19/2012
6
4A–7
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
6/19/2012
7
4A–8
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
6/19/2012
8
4A–9
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
6/19/2012
9
4A–10
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
6/19/2012
10
4A–11
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
6/19/2012
11
Mumbo Jumbo “Rot 13 Encoded”
4A–12
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
6/19/2012
12
4A–13
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
6/19/2012
13
4A–14
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
6/19/2012
14
4A–15
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
6/19/2012
15
Thanks
Joel Brillhart, CFCEProfessional Forensic Services, [email protected]
4A–16
Chapter 4a—pC vs. Mac Computer Forensics registry analysis—Win 7 Focus—presentation Slides
4B–i
Chapter 4B
MaC and iOS COMpuTEr FOrEnSiCSeli rosenBlatt
Eli Rosenblatt InvestigationsPortland, Oregon
Table of Contents
I. Macs in the Workplace: More Macs Than Ever Before . . . . . . . . . . . . . . . . . . . . 4B–1
II. Macs in the Workplace: Proliferation of (and Concerns with) BYOD (Bring Your Own Device) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4B–1
III. Why Do Forensics on a Mac? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4B–2
IV. Why Do Mac Forensics on a Mac? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4B–2
V. Why Use a Mac-Certified Forensic Examiner? . . . . . . . . . . . . . . . . . . . . . . . . 4B–3
4B–ii
Chapter 4B—Mac and iOS Computer Forensics
4B–1
Chapter 4B—Mac and iOS Computer Forensics
i. MaCS in ThE WOrkpLaCE: MOrE MaCS Than EvEr BEFOrE
A. Apple’s market share in the pc world continues to surge: http://www.maclife.com/article/news/apples_market_share_pc_world_ continues_surge.
B. Here’s the real reason Microsoft should be worried about Apple: http://wallstcheatsheet.com/stocks/here’s-the-real-reason-microsoft-should-be-worried-about-apple.html/.
C. Survey: 8 in 10 businesses now using Macs: http://www.computerworld.com/s/article/9103958/Survey_8_in_10_businesses_now_using_ Macs?intsrc=hm_list.
D. Apple infiltrates the enterprise: 1/5 of global info workers use Apple products for work! http://blogs.forrester.com/frank_gillett/12-01-26-apple_infiltrates_the_enterprise_15_of_global_info_workers_use_ apple_ products_for_work_0.
E. Apple computer sales grow faster than PC sales for five years: http://www.guardian.co.uk/technology/blog/2011/may/24/apple- sales- growth-pc-market.
F. Apple’s enterprise reach growing thanks to iPad and iPhone: http://gigaom.com/apple/apples-enterprise-reach-growing-thanks-to-ipad- and-iphone/.
G. More iPhones/iPads subject to search warrants: http://gigaom.com/apple/more-iphones-subject-to-search-warrants-ipads-too/.
ii. MaCS in ThE WOrkpLaCE: prOLiFEraTiOn OF (and COnCErnS WiTh) ByOd (BrinG yOur OWn dEviCE)
A. IBM stung by BYOD pitfalls: http://gigaom.com/cloud/ibm-stung-by-byod-pitfalls/.
B. Study finds BYOD devices not secured: http://gcn.com/articles/2012/04/09/byod-devices-not-secured-study-finds.aspx? sc_lang=en.
C. Two-thirds of the phones sold in Q1 were iPhones: http://gigaom.com/apple/report-23-of-top-u-s-carrier-sales-in-q1-were-iphones/.
D. The new iPad has CIOs quaking in their cubicles: http://gigaom.com/cloud/the-new-ipad-has-cios-quaking-in-their-cubicles/.
E. iOS domination of the tablet market: http://www.gartner.com/it/page.jsp?id=1800514.
4B–2
Chapter 4B—Mac and iOS Computer Forensics
iii. Why dO FOrEnSiCS On a MaC?
A. Apple’s significantly lower total cost of ownership (TCO): Stories at ZDNet,1 TUAW,2 TechPatio,3 Opensurge,4 Kirk Knoernschild’s Tech District,5 American Chronicle,6 Salon.com,7 Mac-vs-PC,8 and great anec-dotal evidence from my own and colleagues’ practices).
B. Flexibility: As one among many examples, the Hi-Tech Crimes Division of a metropolitan Southern California police department re-cently described the main reasons behind their having an all-Mac crime lab: The ability to run windows on a Mac, the proliferation of Macs found in evidence, and a major cost savings.
C. Solid forensic tools, support, and training from BlackBag Technologies. 1. BlackBag brings experience:9 Decades of experience from law enforcement and corporate computer labs, the Department of De-fense Cyber Crime Center, Defense Cyber Crime Institute, Defense Computer Forensics Laboratory, and California of Justice. In addition, cofounder and CTO Derrick Donnelly is the former Information Sys-tems & Technology Security Manager at Apple. 2. BlackBag tools include MacQuisition10 for data acquisi-tion, targeted data collection, and forensic imaging and BlackLight11 for comprehensive forensic examinations. 3. BlackBag provides comprehensive Mac and iOS forensic training12 for law enforcement and private sector analysts.
iv. Why dO MaC FOrEnSiCS On a MaC?
A. Importance of a “native perspective”—best possible understand-ing for the examiner and viewers of the report of investigation.
B. If using Windows, the Windows OS is interpreting the Mac data, and significant data is often missed and/or misinterpreted.
1 http://www.zdnet.com/blog/apple/tco-new-research-finds-macs-in-the-enterprise-easier-cheaper-to-manage-than-windows-pcs/6294.
2 http://www.tuaw.com/2009/03/13/macs- still- cheaper- when- you- look- at-tco/.
3 http://techpatio.com/2010/apple/mac/it- admins-total- cost- ownership- mac- less-pc.
4 http://opensurge.blogspot.com/2010/08/in-mac-vs-pc-cost-comparison-downtime.html.
5 http://techdistrict.kirkk.com/2010/03/11/cost-mac-or-pc-a-look-at-tco/.6 http://www.americanchronicle.com/articles/view/38285.7 http://www.salon.com/2007/11/07/mac_price/singleton/.8 http://macvspc.info/.9 https://www.blackbagtech.com/about.html.10 https://www.blackbagtech.com/forensics/macquisition/macquisition.
html.11 https://www.blackbagtech.com/forensics/blacklight/blacklight.html.12 https://www.blackbagtech.com/training.html.
4B–3
Chapter 4B—Mac and iOS Computer Forensics
C. Can mount any type of Mac-accessible volume (and lock it to preserve evidence, while reviewing that evidence in its original form, including the use of any applications not on the analyst system).
D. QuickLook13 feature for easily viewing results without opening a file or starting an application.
E. iWork files (Pages, Numbers, Keynote) generally not accessible to Windows forensics tools (incorrectly opens single bundled file as series of jumbled files).
F. Windows treats the different “forks” of a single Mac file as sep-arate files, thus giving inaccurate file counts, and missing potentially important file attributes such as color, locked status, visibility, and alias information.
G. Case-sensitive file system used by iPhones and other iOS devices (as well as many Mac-formatted drives): Windows can’t properly han-dle files it sees as named the same.
(Adapted from Mac Forensics: The Case for Native Analysis, a white paper published by BlackBag Technologies in September 2011.)
v. Why uSE a MaC-CErTiFiEd FOrEnSiC ExaMinEr?
A. An Apple Certified Macintosh Technician (ACMT14) and/or Mac and iOS Certified Forensic Examiner (MiCFE15) understands all these issues and can help ensure industry best practices are followed.
B. These professionals undergo rigorous Mac-specific training and stay up-to-date on all of the latest hardware and software changes and developments.
13 http://www.apple.com/findouthow/mac/%23quicklook.14 http://training.apple.com/certification/acmt.15 https://www.blackbagtech.com/training/micfe-certification.html.
4B–4
Chapter 4B—Mac and iOS Computer Forensics
5–i
Chapter 5
a SkEpTiC’S GuidE TO advanCEd inTErnET SEarChinG—
prESEnTaTiOn SLidESJan Davis
JT Research LLCPortland, Oregon
5–ii
Chapter 5—a Skeptic’s Guide to advanced internet Searching—presentation Slides
5–1
Chapter 5—a Skeptic’s Guide to advanced internet Searching—presentation Slides
6/21/2012
1
A Skeptic’s Guide to Advanced Internet SearchingOregon State BarPortland, OregonJuly 13, 2012
Jan Davis, MLISJT Research LLCPO Box 8705Portland, OR [email protected]
Research Strategy The Internet “Library”
Reference room Portals Fee-based websites
“Card Catalog” Search Engines
Storage The deep web
5–2
Chapter 5—a Skeptic’s Guide to advanced internet Searching—presentation Slides
6/21/2012
2
Research Strategy What is the question? What are the keywords and phrases? Multiple spellings of names? Who would write about it? What format would the Who would talk about it? What would the ideal document contain and in what format? Should I go to a fee-based database first, or the “free” internet, or
pick up the phone?Answering these questions helps determine where to search and how to search
Search Engines
Two unique databases: GoogleBing, which feeds Yahoo!
Ask, Gigablast, Exalead International
Baidu (China) http://www.baidu.com/ Yandex (Russia) http://www.yandex.com/ Directory at http://www.searchenginecolossus.com/
For more information on how to search: notess.com
5–3
Chapter 5—a Skeptic’s Guide to advanced internet Searching—presentation Slides
6/21/2012
3
Precision Searching Advanced search templates
Now hard to find these templates! Command language
Phrase Field searching
5–4
Chapter 5—a Skeptic’s Guide to advanced internet Searching—presentation Slides
6/21/2012
4
Specialty Search Engines
Let’s really get to know Google http://www.google.com/intl/en/about/products/index.html
Images Videos News Books Scholar Patents
Portals – Public Records
Public Records Search http://www.publicrecordsources.com/
Professional License Verifier http://verifyprolicense.com
BlackBook www.blackbookonline.info
5–5
Chapter 5—a Skeptic’s Guide to advanced internet Searching—presentation Slides
6/21/2012
5
Portals – Company Info
• Rutgers• http://libguides.rutgers.edu/companies
• Use red tabs at top of page
• Hoovers.com• Privco.com• Securities and Exchange Commission
• http://www.sec.gov/edgar/searchedgar/webusers.htm
People Search
People 123people (www.123people.com/) Spokeo (www.spokeo.com) Zabasearch (www.zabasearch.com) Zoominfo (www.zoominfo.com) Pipl (www.pipl.com) Intellius (www.intellius.com)
5–6
Chapter 5—a Skeptic’s Guide to advanced internet Searching—presentation Slides
6/21/2012
6
Social Media Facebook LinkedIn Plaxo StumbleUpon Blogs Twitter Dating Sites (www.directoryofdating.com and
http://www.bigdatingdirectory.com) Many many other social sites (see Pandia)
Searching Social Media Google search and add “blog” or “LinkedIn” etc. Blogs
www.technorati.com Twitter
Search.twitter.com Yauba.com Friendfeed.com
5–7
Chapter 5—a Skeptic’s Guide to advanced internet Searching—presentation Slides
6/21/2012
7
The Deep Web Wayback Machine
www.archive.org
Fee-Based Databases Pacer (www.pacer.gov)
Public access to court electronic records Alacra (www.alacra.com) Accurint (www.accurint.com) Factiva – Dow Jones (www.dowjones.com) Lexis-Nexis (www.lexisnexis.com) KnowX.com
5–8
Chapter 5—a Skeptic’s Guide to advanced internet Searching—presentation Slides
6/21/2012
8
Conclusion Develop a research strategy Know the difference between Google and other search
engines Consider fee-based sources Verify the data Hire an expert:
http://www.oregon-acfe.org www.aiip.org
5–9
Chapter 5—a Skeptic’s Guide to advanced internet Searching—presentation Slides
5–10
Chapter 5—a Skeptic’s Guide to advanced internet Searching—presentation Slides
6–i
Chapter 6
WhiCh OnE iS diFFErEnT—daTa MininG and FOrEnSiC anaLyTiCS—
prESEnTaTiOn SLidESBill Douglas
Cost Advisors, Inc.Portland, Oregon
6–ii
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6–1
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
1
Which One is DifferentData Mining and Forensic AnalyticsBill Douglas
Agenda1. Data Mining Examples2. Data mining you can do in Excel
© 2012 Cost Advisors, Inc. All rights reserved.
2
6–2
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
2
1. Data Mining for Fraud
© 2012 Cost Advisors, Inc. All rights reserved.
3
What is CAATs?
Example #1 Accounting Queries
Example #2 Scanning Bank Statements
Example #3 Benford’s Law
What is CAATs?Computer Assisted Audit Tools (CAATs)Examine 100% of transactionsAnalysis available:
DuplicatesMissing RecordsQueries (meeting certain criteria)Population summaries by field (pivot tables)Population statistics
© 2012 Cost Advisors, Inc. All rights reserved.
4
6–3
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
3
Data Sources
Import data from many sourcesExcelAcrobat (.pdf)Text Files (.txt, .doc)Print files (.prn)Hardcopy scans
© 2012 Cost Advisors, Inc. All rights reserved.
5
.PRN File
© 2012 Cost Advisors, Inc. All rights reserved.
6
6–4
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
4
Example #1 Accounting Queries
© 2009 Cost Advisors, Inc. All rights reserved.
7
Disbursements(Checks)
Vendor Master List
Employee Master List
Accounting System
Data Mining Tool
Example #1 Accounting Queries
© 2009 Cost Advisors, Inc. All rights reserved.
8
Disbursements(Checks)
Vendor Master List
Employee Master List
6–5
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
5
Example #1 Six Accounting Queries
© 2009 Cost Advisors, Inc. All rights reserved.
9
Vendors with same address as employeeVendors using SS# as EIN
Payee not on Vendor List Non-payroll, non-expense report, payments to employees
Duplicate Payments
Employees with no address
Disbursements(Checks)
Vendor Master List
Employee Master List
Example #2One Set of Books?
© 2009 Cost Advisors, Inc. All rights reserved.
10
Victim’sAccounting System = Victim’s
Bank Statement
6–6
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
6
Data Extraction - Review
© 2009 Cost Advisors, Inc. All rights reserved.
11
Disbursements(Checks)
Vendor Master List
Employee Master List
Accounting System
Disbursements in Excel
© 2009 Cost Advisors, Inc. All rights reserved.
12
Disbursements(Checks)
6–7
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
7
Example #2-Scanning Bank Statements
© 2009 Cost Advisors, Inc. All rights reserved.
13
=Electronic Comparison
Victim’sBank Statement
Disbursements(per Accounting
System)
Missing
Example #3 -Benford’s LawFrank Benford (1938), Simon Newcomb (1881)Some leading digits occur more/less frequently in most data
© 2012 Cost Advisors, Inc. All rights reserved.
14
0.00%
5.00%
10.00%
15.00%
20.00%
25.00%
30.00%
35.00%
1 2 3 4 5 6 7 8 9
Probability
Leading Digit
6–8
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
8
Example #3 -Benford’s LawCompares expected amounts to actual amountsThere were 1,368 occurrences of amounts beginningwith $250
© 2012 Cost Advisors, Inc. All rights reserved.
15
Summary of CAATsData from any sourceEvery transaction can be tested (no sampling)Many tests possible. Comparison examples:
Within accounting filesAccounting records to bank statementsActual records to expected values (Benford)
© 2012 Cost Advisors, Inc. All rights reserved.
16
6–9
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
9
Agenda1. Data Mining Examples2. Data mining you can do in Excel
© 2012 Cost Advisors, Inc. All rights reserved.
17
Goals and AssumptionsDo basic investigation yourself1 hour spent here will save dozens (hundreds?) of hours at work
Assumptions:Data is in Excel 2007 or 2010Basic knowledge of Excel (info for advanced Excel too)
© 2012 Cost Advisors, Inc. All rights reserved.
18
6–10
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
10
Data Mining in ExcelData Filters
Empty data fieldsConditional formatting
DuplicatesComparing two Excel files
Payee not on vendor listPivot Tables
High-dollar vendorsMissing checks
PowerPivotReporting
© 2012 Cost Advisors, Inc. All rights reserved.
19
Data Filters - Setting
© 2012 Cost Advisors, Inc. All rights reserved.
20
6–11
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
11
Data Filters - Blanks
© 2012 Cost Advisors, Inc. All rights reserved.
21
Data Filters - Others
© 2012 Cost Advisors, Inc. All rights reserved.
22
6–12
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
12
Data Filters - Suggestions
© 2012 Cost Advisors, Inc. All rights reserved.
23
Blank invoice numbersEmployees or vendors with no addressVendors using a social security instead of EINOdd characters at the end of the invoice number or check number (“.” “–” “a”)Invoice numbers 100, 101, 1000 or 1001
Data Filters - Clearing
© 2012 Cost Advisors, Inc. All rights reserved.
24
6–13
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
13
Data Mining in ExcelData Filters
Empty data fieldsConditional formatting
DuplicatesComparing two Excel files
Payee not on vendor listPivot Tables
High-dollar vendorsMissing checks
PowerPivotReporting
© 2012 Cost Advisors, Inc. All rights reserved.
25
Conditional Formatting -
© 2012 Cost Advisors, Inc. All rights reserved.
26
6–14
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
14
Conditional Formatting with Data Filter
© 2012 Cost Advisors, Inc. All rights reserved.
27
Conditional Format & Filter - Result
© 2012 Cost Advisors, Inc. All rights reserved.
28
6–15
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
15
Conditional Format - Suggestions
© 2012 Cost Advisors, Inc. All rights reserved.
29
Look for duplicates of:Invoice dateInvoice numberInvoice amountVendor name
Data Mining in ExcelData Filters
Empty data fieldsConditional formatting
DuplicatesComparing two Excel files
Payee not on vendor listPivot Tables
High-dollar vendorsMissing checks
PowerPivotReporting
© 2012 Cost Advisors, Inc. All rights reserved.
30
6–16
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
16
Comparing Excel Files – First Sheet
© 2012 Cost Advisors, Inc. All rights reserved.
31
Comparing Excel Files – Second Sheet
© 2012 Cost Advisors, Inc. All rights reserved.
32
6–17
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
17
Comparing Excel Files – Result
© 2012 Cost Advisors, Inc. All rights reserved.
33
These vendors are missing from the vendor master list
Data Mining in ExcelData Filters
Empty data fieldsConditional formatting
DuplicatesComparing two Excel files
Payee not on vendor listPivot Tables
High-dollar vendorsMissing checks
PowerPivotReporting
© 2012 Cost Advisors, Inc. All rights reserved.
34
6–18
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
18
Pivot Table – Largest Vendors (step 1)
© 2012 Cost Advisors, Inc. All rights reserved.
35
Pivot Table – Largest Vendors (step 2)
© 2012 Cost Advisors, Inc. All rights reserved.
36
6–19
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
19
Pivot Table – Largest Vendors (step 3)
© 2012 Cost Advisors, Inc. All rights reserved.
37
Pivot Table – Largest Vendors -Suggestions
© 2012 Cost Advisors, Inc. All rights reserved.
38
Look for unusual vendor names and names of employees (‘cash’, ‘petty cash’, <blanks>, ‘bank’, ‘credit card’, etc.)Discuss vendor disbursement levels with management
6–20
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
20
PivotTables –MissingCheck #s
© 2012 Cost Advisors, Inc. All rights reserved.
39
Data Mining in ExcelData Filters
Empty data fieldsConditional formatting
DuplicatesComparing two Excel files
Payee not on vendor listPivot Tables
High-dollar vendorsMissing checks
PowerPivotReporting
© 2012 Cost Advisors, Inc. All rights reserved.
40
6–21
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
21
What is PowerPivotFrom Microsoft for Office (Excel) 2010It’s Free
FeaturesTurns Excel into a relational databaseCompresses dataSpeeds recalculation(DAX Reporting tool)
© 2012 Cost Advisors, Inc. All rights reserved.
41
How to Get PowerPivot64 bit Excel vs. 32 bit Excel
© 2012 Cost Advisors, Inc. All rights reserved.
42
6–22
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
22
Menu
© 2012 Cost Advisors, Inc. All rights reserved.
43
Normal Tabs
PowerPivot Tabs
Menu
© 2012 Cost Advisors, Inc. All rights reserved.
44
Normal Tabs
PowerPivot Tabs
6–23
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
23
Pivot Fields from Multiple Tabs (Tables)
© 2012 Cost Advisors, Inc. All rights reserved.
45
PowerPivot Compression, SpeedAccess Excel (native) PowerPivot
Compression 327MB 82MB 12MBRecalculation ~ 30min < 30 secondsWorksheet size ~ 2GB 1,048,576 rows Millions of rows
~2GB
© 2012 Cost Advisors, Inc. All rights reserved.
46
6–24
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
24
Data Mining in ExcelData Filters
Empty data fieldsConditional formatting
DuplicatesComparing two Excel files
Payee not on vendor listPivot Tables
High-dollar vendorsMissing checks
PowerPivotReporting
© 2012 Cost Advisors, Inc. All rights reserved.
47
Reporting – Set Print Area
© 2012 Cost Advisors, Inc. All rights reserved.
48
6–25
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
25
Reporting –Setup(Header)
© 2012 Cost Advisors, Inc. All rights reserved.
49
Reporting– Setup (Footer)
© 2012 Cost Advisors, Inc. All rights reserved.
50
6–26
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
26
Reporting –Setup (Result)
© 2012 Cost Advisors, Inc. All rights reserved.
51
Reporting - Duplicating Tabs
© 2012 Cost Advisors, Inc. All rights reserved.
52
6–27
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
27
Reporting – Removing Meta Data
© 2012 Cost Advisors, Inc. All rights reserved.
53
Reporting – encrypting for sending
© 2012 Cost Advisors, Inc. All rights reserved.
54
Be sure to save the workbook with a new name - append
“(encrypted)” to the filename
6–28
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6/22/2012
28
For More Information
Cost Advisors, Inc. 503-704-3719
www.costadvisors.com
Download: ‘Embezzlement Response Guide’
© 2012 Cost Advisors, Inc. All rights reserved.
55
6–29
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides
6–30
Chapter 6—Which One is different—data Mining and Forensic analytics—presentation Slides