To Catch A Thief: Forensic Experts Weigh In On The Fraudster Profile
The Editor interviewsDavid Glusman,Partner-in-Charge of the Philadelphia office, andFrank Rudewicz,Principal, both in the Advisory Services Department of Marcum LLP.
Editor: Please tell us about your professional background.
Glusman: I’ve been a CPA for 42 years. I started in traditional public accounting with a large national firm, during which time I inadvertently worked on my first fraud event as a traditional auditor by stepping into a situation where we didn’t know we would uncover criminal activity. Several years later, I served as the neutral accountant in a very large law firm breakup, which entailed keeping track of costs and files for several thousand cases. Then, in the late ’70s, a lawyer friend began asking for my assistance on a series of interesting forensic accounting and business valuation cases, and by around 1980, I was focusing a significant piece of my practice on those fields.
Rudewicz: I started in traditional law enforcement, having spent 15 years with a large municipal department, spending several years with the U.S. Attorney/FBI Strike Force. Most of my career was in the investigative bureaus, gathering intelligence and investigating public corruption, fraud schemes, and organized crime. Subsequently, I was director of security and investigations for a large regional bank and was responsible for all fraud investigations across the country in over 300 locations. As an attorney, I am admitted to the federal bar and the Connecticut state bar. For the last 16 years, I have been managing investigative consulting practices with international firms and have spent the last eight years in public accounting.
Editor: What are the types of corporate fraud that exist, and which are the most common?
Glusman: There’s no limit to the types of corporate fraud people can come up with, including Ponzi-like schemes in which a corporation creates fictitious sales and builds on them. But many of the frauds we see involve fictitious employees (sometimes referred to as “ghosts”) and fictitious vendors. A perpetrator can create a company and start making modest payments for non-existent services and goods. Those are the sort of “plain vanilla” situations we run into.
Contract-related fraud might include accounting and financial fraud, with the books being cooked. Let's say I’m an employee who will receive a bonus based on meeting certain criteria – for example, if I hit $10 million in sales in my division this quarter, I will receive a $10,000 bonus. So, if I’m running along at a rate of $9.5 million, knowing I need only half a million dollars in sales, I can create false contracts, invoices and shipping documents. In recent years, technology has made the creation of fake documents much easier.
Rudewicz: The prevalence of certain kinds of fraud is industry-specific. With public projects, we see more in the way of fictitious employees and of extending fraud through the bidding and contractual process. In smaller companies, fraud tends to center around cash – cash schemes, asset misappropriation schemes and check tampering. At lending organizations, we see a lot of asset-based lending fraud involving misappropriations and deviations in inventory accounts, so that a perpetrator can receive monies from his/her lending institution.
Glusman: In the auto industry, one of the schemes involves having the same car counted as collateral under two different loans. The car industry’s floor plan methodology unfortunately allows for this possibility. Let’s say a GM car dealer has borrowed from GMAC for a portion of his floor plan and through a local bank for the rest - say, the used cars. But GMAC and the local bank don’t check against each other: these organizations often use independent companies to count the cars, and it’s highly unlikely that inspectors from both companies will come at the same moment. So, a sales or general manager can exploit this by listing the same new cars as collateral on both loans. He might be selling other cars and taking cash, then replacing actual cars with non-existent ones in his records. Or, he may be trying to inflate his sales numbers by showing certain cars as sold. This can go on for some period of time before it is discovered.
In the healthcare industry, fraud often entails billing insurance companies, usually government programs, for patient services that either didn’t exist or weren’t medically necessary. Among certain patient populations, the patients don’t ever see the bill, let alone understand the explanation of benefits forms they receive.
Rudewicz: Since 2002, every biannual survey of the Association of Certified Fraud Examiners has found that “asset misappropriation” accounts for about 90 percent of all fraud events across industries, but these also result in the smallest individual losses. The largest losses result from financial statement fraud at large public companies, but they account for only about five percent of fraud events.
Editor: How are fraudulent activities uncovered?
Rudewicz: It’s usually by tip, either from an anonymous source or from inside the organization.
Editor: And once that happens, what first steps should the legal department and senior management take?
Rudewicz: The first step in any investigation is simple: verify the occurrence. Ask yourself if this fraud is even possible, and, if so, can you go anyplace with it? Often a tip is not investigated because very little information has been provided. However, in all cases, you must gather enough information to verify the event and put an investigative plan together.
It’s important to realize early on that, depending on the type of fraud, some actions need to be taken immediately, especially around data. You will have to freeze your computer systems, which in most cases requires an outside IT expert in data forensics, and you need to make sure that the chain of custody is clear when you copy hard drives. If there’s a perpetrator or two, first copy their computers –again, with the assistance of a computer forensics expert to ensure data integrity and defensibility – then lock down and take their computers.
Glusman: At this time, you begin to do the forensic work and the interviews. Both Frank and I conduct interviews and have learned specialized techniques over many years. First, you must know whether to make the suspect more comfortable or less comfortable – the way an interview room is set up can affect how much information you glean. Then you set up your controls: you ask the interviewees questions you know the answers to and observe how they react. It’s critical to have developed skills such that you ask the right questions and that you understand the other party’s verbal and non-verbal responses. There’s a whole science to the way people react – everything from the timing of the answer, to where their eyes go, to whether they repeat things, to the tone of voice.
Rudewicz: There are two primary objectives when you believe a fraud has been committed. One, obviously, is that you want to catch the perpetrator, and sometimes that becomes the sole focus to the detriment of the company – because the other objective is that you need to stop the bleeding. If the fraud has been ongoing, you must stop it so you can minimize the loss and continue your investigation effectively.
Editor: David, can you recount for us a recent case in which you were involved?
Glusman: I worked on a dramatic case that occurred in a manufacturing environment in Maryland. Elderly and no longer actively running the business day to day, the owner and chairman of the board brought in someone to be his COO. Over the course of two and a half years, the COO gained more and more of the owner’s trust, eventually gaining almost total control of the company; in fact, the owner had written him into his will, giving him partial ownership in the event of the owner’s death, and over time began treating him like a son.
Then, after traveling abroad for a period, the owner came back, and on the Friday before Memorial Day he called his bank to make some transfers. The bank officer told him his line of credit was down to zero, when it should have been close to a million dollars. By 4 o’clock that afternoon, I was on the phone with him, and by 5 o’clock, we had a team headed to his site. Over the long holiday weekend, we uncovered two categories of theft. First, there was a half-million-dollar wire transfer that the perpetrator made during the owner’s absence, from a Maryland bank to a Pennsylvania bank.
Our investigation uncovered that the perpetrator had a previous criminal charge, for which he had a nolo contendere plea and was making restitution. While the owner was away, the COO's parole officer discovered that he had lied about his salary and the value of his home to her and that he had missed two payments on his half-million-dollar restitution. She demanded that he either come up with full restitution or she would pull his parole. So under that pressure, the perpetrator went to the corporate bank account and made his transfer. Second, we found that over the previous two years, he had charged to the business a significant amount of work on his home. (He’d also been charging the business for cell phones for his wife, two of his children and three of his girlfriends.)
The accounting records revealed that other individuals had signed off on some of these charges, so we called three of them – the controller, the HR director and the accounts payable manager – for interviews on Monday. We found out that none of them was stealing, but each of them had been given perks they weren’t really entitled to by the perpetrator. When the perpetrator came to work on Wednesday morning, outside counsel, the HR director and I were waiting for him. As soon as he got out of his company car, it was disabled by a private guard, and he was escorted into a conference room. We started the interview almost immediately, wanting him to be off-guard, but he was the coolest cucumber I’ve seen in the circumstances. For an hour and a half, he answered some questions and didn’t answer others – apparently picking up on exactly what we knew, because eventually he told us everything we already knew, but he didn’t tell us about another $250,000 worth of personal expenditures that we found during the next week and a half of forensic work.
In addition, there was a fidelity bond in place, so we really had three issues. First, the company was trying to get back the money it was owed. Second, there was a federal investigation (because there was an illegal transfer across state lines from one federal bank to another) over which we had no control. Third, we had the fidelity bond issue, with the insurance company taking the position that, because the fraud went on for two years, the company "knew or should have known" of the theft and the COO’s criminal activity, and they tried to deny coverage. So we worked first with the company lawyer, then with the FBI agents – giving them copies of everything we had done – and finally we worked on behalf of the company in the lawsuit that was settled against the insurance company for coverage.
Editor: Were there early warning signs that should have been caught?
Glusman: The perpetrator completely “bypassed” the internal controls – the controller, the HR director and the accounts payable manager – by manipulating them with perks! The lesson here is that an effective whistleblower program should inform employees that unusual behavior – including being treated extraordinarily well by another employee – should be reported. This company had no whistleblower policy in place at all, and they were completely pulled in by the perpetrator. Today there is a whistleblower policy in place, with an anonymous hotline.
An interesting sideline – I mentioned that the perpetrator had been treated like a son. Over that holiday weekend, both the attorney and I realized that our suspect stood to inherit part of the business should the owner suddenly die. So counsel quickly wrote a codicil to the will on Memorial Day. Thirteen days later, the owner literally dropped dead on the shop floor. So we headed off another problem by quick thinking in the moment.
Rudewicz: As far as red flags go, many times internal controls are either in place and bypassed, or just nonexistent. But there are behavioral red flags for individuals themselves –or, rather, changes in behavior. Suddenly they are living beyond their means; they have addiction problems; they’re under pressure from within the organization; they’ve got financial difficulties – all of which develop over time and, if you look for them, may be readily apparent.
Editor: Where do you most often find weaknesses in the system? I imagine HR may be particularly vulnerable?
Glusman: Yes, it is. In one case, the termination of an employee was being handled by an individual in HR who, rather than putting the information into the system herself, handed off the task to a subordinate – who immediately realized he had an opportunity. Instead of entering the employee as terminated, he simply gave the individual a new address – that of his girlfriend – and then set up a bank account in the employee’s name. The first HR employee had entrusted a sensitive document to someone who in fact never should have touched it, either electronically or physically.
Rudewicz: Cross-training of employees is critical because, particularly in small businesses, we tend to give the extra duties to our most trusted employees, rather than taking the time to properly cross-train someone for the role. But not doing so can break down, or at least water down, the internal controls, the checks and balances.
Glusman: More than one person should do the same job. If Mary and Fred are both in accounts payable, and they always work on the same letters of the alphabet, one of them could create a fake vendor that will never be discovered. But if Mary handles Fred’s letters every other month, the opportunity disappears. Likewise, for staff who handle payroll, it’s best to have them rotate duties.
Rudewicz: An inordinate number of frauds have been perpetrated because the individual responsible for a certain function just has never gone on vacation, so no one else has seen what he or she has been doing. Or, no one else is cross-trained, so when the individual does go away, the work sits there until that individual gets back. Fraud is often uncovered when a person takes some time off and someone else takes a look around.
We’ve seen cases in which owners and managers don’t open bank statements before handing them to the bookkeeper – when the whole point is to have those parties receive the mail as an internal control. Taking a few minutes each month to quickly go through those statements is well worth the time; furthermore, knowing that you’re checking will make the staff far more reluctant to perpetrate a fraud. I’ve done it in my own practice, and I’ve encouraged clients to do it. Each month, ask your employees two or three questions that you know the answer to, just to let them know you’re looking.
Glusman: In the last five to ten years, it’s become more common for companies with no suspicion of fraud to conduct a search proactively and check their accounts. As forensic accountants, we use tools such as IDEA™, a data-mining tool that can take huge volumes of data across multiple platforms and make comparisons and contrasts. For instance, this tool would uncover a fictitious vendor by finding that the employer identification number, Social Security number or address matches someone else in the system. These are among the tools we have installed for some of our clients to help them avoid errors as well as fraud.
Editor: Are there other accounting red flags that you see?
Glusman: One thing we see is an extraordinary number of journal entries that don’t make sense – items going into inventory, out of inventory, back in, back out. You start getting dizzy and you fail to realize that there’s not an even number of transactions, that the adjustments aren’t balanced.
Rudewicz: One of the problems is that red flags aren’t recognized as such; even though management spots an aberration, it may look like a variance on what an account clerk is supposed to be doing. And a skilled fraudster will convince management that this is exactly the case. It’s not until later when everything unravels that management realizes that they should have taken an action way back when.
Editor: Frank, are there ways an entity can protect against a skilled fraudster?
Rudewicz: The number one way to keep a criminal from perpetrating a fraud in your workplace is not to hire them in the first place. It’s important to conduct a thorough background check – including the individual’s credit history, particularly for sensitive positions such as those related to finance – as this will usually reveal any red flags. A surprising number of companies don’t go that route. I should note here that $25 background checks are often worthless: it’s critical to understand what the information is telling you or not telling you, which is where a forensics expert can help.
Traditional fraud research refers to the “fraud triangle” – wrongdoers see an opportunity; they are under some external pressure; and they are able to rationalize the fraud. More recent research speaks of a “fraud diamond” and focuses on a fourth piece –the human element: fraud capability, which, the researchers say, comprises six different characteristics. One is a positioning characteristic: they must be able to get themselves into position to commit the fraud, whether that’s as a CFO or an account clerk or some other area. Second, they must be creative and intelligent enough to think of a plan and carry it through. Third, they must have a large enough ego to know they can pull off the fraud, confidently throwing others off the scent. Fourth, they must be persuasive, and able to coerce or manipulate others into either going along with the plan or looking the other way. Fifth, they must be skilled at lying convincingly and keeping track of their stories. And sixth, they must be able to withstand stress, because committing fraud is extremely stressful. A thorough investigative due diligence before hiring someone or at the onset of an investigation might point you in the right direction regarding these characteristics.
Editor: If you catch somebody early on and question him or her about it, does that ever deter the ongoing fraud?
Glusman: If you catch a perpetrator and don’t get rid of him, shame on you. More than once I’ve been called into a situation in which the client said, “Well, I know Mary was stealing, and when I caught her last time,” and my head just spins. As Albert Einstein said, “Insanity is doing the same thing over and over again and expecting a different result.” As Frank indicated earlier, people who want to continue committing fraud are going to be very adept at explaining it away. Most likely, they will make their actions sound reasonable and rational, but that doesn’t mean that you let it go, even if you believe them. Whether it’s the next day or the next month, conduct a surprise audit, or else make focused checks on that one issue to make sure that the aberration is not continuing, or to make sure that the given explanation still holds weight. That’s what falls by the wayside – despite having been stolen from, people get lazy.
Rudewicz: Remember that this isn’t a stranger – this is someone you know and you want to believe him or her.
Glusman: Usually, if you do catch and fire the perpetrator, the fraud problem is over. However, you do need to continue the discussion and your investigation to make sure, first, that there’s not someone else who was working with the perpetrator and, second, whether someone else now continues it in his or her absence. You also need to find where the internal controls failed and amend them.
Editor: When fraud cases come to litigation, in what capacity do you serve? Do you serve as expert witnesses?
Rudewicz: Yes, frequently. On the investigative side, I have been called on to conduct an independent review such as a proof of loss investigation, either as an independent for the policyholder to certify that there was a loss, or for the insurance company on whether to pay out the claim. In litigation, I have testified as a subject matter expert in a number of different matters.
Glusman: Most of us at Marcum LLP don’t represent one side or the other. I have worked on behalf of an insurance company, trying to show that a fraud that may in fact have existed didn’t result in the loss that was reported – or to show that the fraud was discovered much earlier and should have been reported at that time – and that denying coverage is appropriate. We don’t opine on the legal aspects, only the facts.
In the case I described earlier, we were prepared to testify, and the government called me as a witness in the criminal case, almost two years from the time I finished the work. I knew the perpetrator had been arrested, but nobody from the government kept me informed of the upcoming trial. Then out of nowhere, on a Friday afternoon I received a call from the an FBI agent in Philadelphia regarding a subpoena being sent by fax for a trial that Monday. I’d never been contacted about it, and, as a result, the other side believed I wouldn’t be appearing at trial. Sunday afternoon, the U.S. attorney on the case called to tell me I wouldn’t be needed at trial. The defense had been assuming they would get an acquittal because I was the only one who could tie up all of the records as evidence, but once they learned I was showing up, they took a plea.
Every once in awhile, a case settles just before the expert testifies. We all like to think it’s because they’re scared of us, but we know that it’s the forensic accounting piece. The testimony I would have given – while some parts would have put people to sleep – would ultimately place all four sides of the box around the perpetrator. And Marcum has a whole team of people like us around the country. When we testify on fraud, we also present our experts on data integrity, who will testify that the data being introduced comes from the company computers as
they existed at that time. As forensic accountants, we will say that the data shows these transactions clearly were in the books and records of the company, and that there were other transactions that the perpetrators were likely trying to hide.