Fraud Case Preparation: Know Your Goal, Know Your Role

Non-sworn fraud examiners can optimize their chances for prosecution of white-collar crimes by avoiding things that law enforcement officers just hate.

Sharon was a soccer mom who had a soft spot for “Precious Moments” figurines and The Carpenters and an even greater appetite for Harley-Davidsons and luxury vacations. She used her gentle disposition – and her primary authority over her department’s employees, finances and computer processes – to embezzle nearly a quarter of a million dollars. By cajoling her subordinates into letting her borrow their passwords and by temporarily suspending their computer access, Sharon directed to herself in two years more than 30 “bonus” payments in both paper check and electronic transfer format. At the sentencing, she looked very much as she did when I first interviewed her. Only now, she’s a convicted felon.

As an internal auditor whose job is devoted to fraud examinations, my primary purpose is to facilitate justice for my employer. Designing the right methodology, conducting meaningful interviews, gathering and reviewing evidence, and writing the final report, all require thoughtful, meticulous, and often, time-consuming effort. While some of my examinations are conceptually simple, those that take the most time and, typically, involve the greatest dollar losses, are often the most complicated.

My employer’s policies make it easier for me than might be true of other organizations. Once I have reasonable suspicion of criminal activity and I can produce evidence obtained through our internal resources and/or the public domain, I am obliged to refer the matter to law enforcement whose prerogative it is to pursue a criminal examination beyond my own civilian/administrative work.

Whether the allegations involve federal or state-level action, I am convinced that cultivating and maintaining positive relationships with law enforcement personnel and prosecutors have had significant bearing on the successful prosecution of our major cases. When presenting your case to law enforcement, remember these five words:

Give them what they want. 

Consider the following techniques that have worked for me.

1. Know Your Goal: Before you develop your work plan, resolve that the primary goal of your examination is to identify and report evidence that supports the filing of criminal charges and the prosecution of the subject.

Law enforcement agents and prosecutors reject cases for which the work product isn’t directly germane to the alleged crime. Whether a defendant is prosecuted in criminal court or sued in the civil arena, every shred of paper, electronic file, sample item, and analysis that an auditor generates is potentially subject to discovery. (Some might be privileged or irrelevant.)

Defense attorneys often build their strategies on the mountains of data that have less to do with the actions of their clients than with your organization’s business processes. Despite otherwise compelling evidence, prosecutors tell us that excessive material regarding the context in which the alleged crime occurred distracts and befuddles juries and judges alike.

While the ideal scenario would see all white-collar criminals indicted, busy prosecutors don’t accept cases that they don’t believe they can win. And law enforcement agents don’t want to develop reputations for presenting non-winners to prosecutors.

The dilemma that civilian investigators, such as fraud examiners and internal auditors, face is that, in addition to preparing a solid criminal case, we’re also obligated to evaluate and report on our victim/employers’ control processes. Where fraud is suspected, our failure to perform a meaningful controls review – and to offer timely, specific recommendations – would constitute an abrogation of our professional code and deprive our employer of much-needed information to stem recurrence of the fraud.

Yet, we should take care to avoid creating a work product that is more an “audit” of an operation than an examination of a possible crime. I’ve found that concentrating on the method in which the subject manipulated both automated and “human” systems brings into clearer focus the weak points in the unit’s control structure.

Let’s look again at Sharon’s case. As a chief financial officer in a large department, she embezzled $246,000 in two years by generating 31 “bonus” payments ranging from $4,000 to $12,000 apiece. Some payments were issued through the central payroll office as traditional paper checks and others were transferred to Sharon’s bank account through our organization’s electronic paycheck mechanism.

Our central, mainframe-based payroll system contains an embedded control feature that matches users’ access codes with employee identification numbers to prevent employees from updating their own payroll accounts. Indeed, an automated transaction history showed that all 31 payments to Sharon were processed under the user IDs of two subordinates, Howard and Michael.

In addition, the mainframe’s access history showed that Sharon – who was also her department’s computer security administrator – had frequently suspended and then restored the computer functionalities of Howard and Michael and other employees in her unit.

In my organization’s decentralized business model, department security administrators are empowered to configure the types and levels of their subordinates’ computer access depending on the nature of their job duties. As a control technique, the security administrator is required to assign one or more additional employees to receive an instant, e-mailed copy of every electronic transaction processed through the major applications (e.g., purchasing, accounts payable, personnel, payroll) that reside on the mainframe.

By building in this automatic, “post-audit” notification, each employee is prevented from processing a payment or other critical transaction without a qualified, secondary review. However, in the case of Sharon’s 31 bonus payments, the post-audit notification didn’t occur. By temporarily suspending the access of certain subordinates – entirely without their knowledge – electronic copies of the bogus payments that were processed under Howard and Michael’s access codes were never sent to other employees for their customary, post-audit review. It was like pulling the plug and then reinserting it in the socket before anyone tried to turn on the light.

So we discovered a suspicious pattern that suggested abuse of a fairly sophisticated system. If this were a classic audit and not an examination, we might have tested much more data such as access patterns of other employee users and security administrators across the greater organization to gain a broader base of support for a statement of potential risk.

Therein lays the peril of the auditor. But also therein lays the “beauty” of fraud: the proof of risk is its actualization. If your purpose in gathering more data is to ensure sufficient support to convince senior management of a problem – stop; you already have it.

To illustrate the components of Sharon’s scheme, we kept it simple: On a single 8 1/2 by 11-inch Excel grid (a portion of it in redesigned form is included in the exhibit, “Schedule of Improper Payments” above) we juxtaposed the dates and exact times of the 31 bonus payments processed under Howard and Michael’s user IDs with the dates and times at which Sharon suspended and reinstated certain employees’ access capabilities. In our interview with Sharon, she readily admitted cajoling Howard and Michael into letting her use their logged-in terminals on the pretext of changing her personal tax exemption withholding. And she said she was sorry.

We used the same data to highlight the major control weaknesses in and around Sharon’s department. These included: a failure to segregate the assigned roles and capabilities of the department’s chief financial administrator and computer security officer, a financial and operational configuration that insulated Sharon and her unit from independent oversight, and a profound lack of training among Sharon’s subordinates regarding our organization’s policies governing computer and financial security and individual accountability.

By focusing on the methodology of the crime, we fulfilled our obligation to management without overburdening the local police detective and the deputy district attorney with too much of a “good” thing.

(Sharon was arrested and charged with grand theft by embezzlement. To prepare for a trial, the deputy district attorney enlarged the Excel grid we provided to movie-screen size. However, Sharon eventually pleaded guilty. She served eight months in the county jail and received an eight-year suspended state prison sentence.)

2. Restrict the examination report to the particulars of the alleged crime. 

Prosecutors and law enforcement agents are likely to read your examination report before reviewing any of the supporting evidence. As such, it’s your “audition” before the justice system. Just as your investigative work focuses on the methodology of the alleged crime, so should you construct your examination report.

Be succinct and objective as you tell the story of the examination. Include the predication or basis for the examination, the theory of how the alleged crime was executed, the methodology that you pursued to reach the conclusion, the statements made by the subject, and clear descriptions of the most compelling evidence that supports your findings.

Make sure your conclusion clearly states the loss to your organization! Failure to follow policies and procedures – “gross misconduct” – even a “suspicious” behavior pattern – such as Sharon’s suspending/reinstating her subordinates’ computer access – all may provide the management of your organization with valid reasons for terminating the subject’s employment. However, without showing how the misconduct or the suspicious behavior pattern led to an identifiable loss of assets, law enforcement agents won’t likely accept the matter as a criminal case.

We all know that few, if any, systems are fool-proof, or more accurately, “fraud-proof,” and that the most control-conscious business operations still assume a realistic amount of risk in order to function. However, focusing the examination report on non-compliance with organizational rules, instead of describing how the employee manipulated the system for personal gain, could be a deterrent to having your case accepted for prosecution. A well-known technique of criminal defense attorneys is to cite their clients’ “ignorance” or “breach of policy” with the intention of deflecting criminal charges in favor of some type of non-criminal consequence.

Your investigative report shouldn’t blame the victim for the crime. Rarely is white-collar crime committed in a context where the subject’s co-workers, supervisors, subordinates, and/or the employer’s systems and processes don’t fail on some level! Defense attorneys will cite those failures as they attempt to transfer culpability from their clients to all of those individuals and conditions that “made” their clients steal from the organization.

In the above example – understanding that the internal auditor’s responsibilities also require analysis and reporting of “what went wrong” – we found it more effective to write a separate report to management for that purpose. In fact, we do so with nearly every examination that supports a loss due to suspected criminal behavior. The separate report begins with the premise of the fraud examination, followed by full descriptions of the internal controls, policies and procedures that were breached, the systems that failed, and our recommendations to prevent or deter recurrence.

3. Don’t compromise the evidence.  

Make certain that you maintain proper chain of custody over all the materials that you intend to use to substantiate the alleged crime. Be able to account for when, where, and how you obtained evidence, and where it’s been since you got it.

Don’t transfer evidence to the police or federal agents with the expectation that they will return any materials to you. Always retain copies of everything in paper and electronic format that you will provide to law enforcement and prosecutors.

Never write on any original document that may be used as evidence and remember that sometimes the only “originals” are actually reproductions (photocopies, microfilm, or microfiche) of the originals. Avoid cross-referencing the pages of your work product. To borrow from singer Garth Brooks, “blame it all on our roots.” Many internal auditors have been trained, under dire penalty, to cross-reference our work papers. In the investigative arena, cross-referencing documents alters them, making them potentially inadmissible.

Page numbering could also become a hindrance if your investigative work papers are subpoenaed. As noted previously, the attorneys on both sides of the case – and, at times, the judge – will receive copies of your work papers. The documents likely will be duplicated by a legal copy service that commits the images to microfiche or CD-ROM and affixes uniform serial numbers (called “Bates stamping”) each time the service is asked to generate additional sets of copies. Whether in open court or in alternate settings where witnesses’ sworn statements are taken, the attorneys will refer to the pages by their “Bates stamp” numbers. At that stage, your “internal” page numbers may prove confusing and frustrating.

My chosen alternative to cross-referencing and numbering documents is to insert them into clear, plastic sleeves and affix small stickers to the outside of the plastic. The stickers may be numbered for internal purposes, and the documents may be extracted from the sleeves for legal copying.

In the next issue: know your role as a non-sworn fraud examiner 

Ellen A. Fischer, CFE, CIA, is the audit manager for investigations for a large U.S. university.