Read TBL_MAY_10.qxp text version

The Bottom Line May 2010

FOCUS

11

Cybercrime now has a professional sheen

By GRANT ROWSON he movie Sneakers came out in the early 1990s, starring Robert Redford, Ben Kingsley and many other prominent acting talents. The premise was simple: in 1969, Redford and Kingsley were young university students who were hacking into the relatively primitive computer networks of the day, with the usual intent of protesting against the establishment, social activism, and, to some lesser extent, trying to right the social wrongs of the `haves' versus the `have-nots.' One night, Redford went out to pick up pizza. Upon return, he saw the police arresting Kingsley and hauling him off to jail. Eating a slice of pepperoni, Redford quickly skipped town, changed his name and grew up to be what we call today a `penetration consultant' -- one who tests the general security of organizations such as businesses and banks for a fee. All's going well, until Redford discovers a plot to break the encryption/security codes of all systems around the world -- government, military, business, financial, you name it. As it turns out, it's his old friend, Kingsley, who made some new friends while in prison, and they took a very keen interest in his computer skills. Kingsley's character was now working for the mob. It's funny how fiction can become reality. Up until the turn of the century, most computer hacking was done by your somewhat opportunistic kid who was just after free Internet, free longdistance phoning or cable TV. Yet some of the ones with lower moral standards were only interested in obtaining credit card numbers just so they could purchase something online (especially if they were underage). They really weren't interested in stealing identities per se -- just getting the goods that they wanted. But that's all changed, and most of today's hacking seems to be run by organized crime. Virtually all spam emails one receives, most viruses, almost all trojans/worms, the majority of rootkits and all botnets are the fruit of organized crime in their intent to: a) take over your computer resources for other purposes; b) steal your identity for fraudulent commerce or hide the real purposes of their commercial activity; or c) to gain access to corporate/governmental/institutional secrets and resources. Many technical articles are written about how to protect your computer systems, resources, and identity. This article delves into the types of perpetrator behaviour, the whole criminal `underground.'

T

others -- ZeuS botnet has created a variation of the popular free virtual network computing tool to allow the crook complete remote control of your computer. Price: $10,000. The `corporate' level will have full departments and office facilities. The corporate `head office' looks just like any other organization with a receptionist out front, cubicles for the workers, lunch rooms and water coolers. Staffers are paid wages, they have a bonus structure, retirement plans, and group benefits. A textbook example was a Ukrainian company that supposedly was selling antivirus software, until it was shut down recently following a lawsuit from the U.S. Federal Trade Commission. The lawsuits alleged that what the company sold worldwide was malware. The allegation was that the company would contaminate a computer with some malware that's aimed at specifically disabling the user's mainstream antivirus systems. Then, according to the suit, they spoofed the web browser to point to their company's `antivirus solution' to rid the system of the malware. But the system merely turned off all of the spoofed malware symptoms. The user had parted with their US$50 for the annual subscription (corporate licences were available, too). According to the lawsuit, the company raked in almost $200million (US) in worldwide sales. The corporate feel goes one step further: when one calls for technical support or complaints about the system, a fully-staffed call centre kicks in to assist you with your technical difficulties. All of the call scripts lead to the product or your system being tweaked for maximum contamination, and an eventual fake message saying that your system is now `safe.' Probably many of the employees were unaware that their corporate world was really a front for cybercrime. The cybercrime world has grown up over the last few years. In some cases, one can't even tell the legitimate companies from the crooked ones. The day where you can purchase spy software complete with 30-day warranties is a sobering sign as to maturity and sophistication of this underworld marketplace. Grant Rowson, CISA, CGA, is the manager of BDO Canada Technology Solutions, Inc.s infor' mation solutions practice in Thunder Bay Ont. and, a frequent event speaker and writer on IT topics.

The corporate `head office' looks just like any other organization with a receptionist out front, cubicles for the workers, lunch rooms and water coolers.

Grant Rowson, BDO Canada

For starters, the malware business isn't very different from conventional businesses around the world. You have sole proprietors, partnerships and corporations. In the true spirit of entrepreneurism, the `sole proprietor' category tends to consist of the lone programmer who has a simple business model in mind: sell a product or service for simple profit. Generally speaking, this crowd seems to be interested primarily in stealing people's credentials in particular -- ID numbers, usernames, passwords, expiration dates of credit cards, the CVV2 (credit verification value) and similar card identifiers -- than a person's full identify in general. Because these practitioners are the most common, they focus on easily obtained information -- and in great quantity. As with all basic commodities, the cost per unit drives this market. Essentially, the `merchants' constantly try to sell the greatest number of credit cards for the least amount of money. These pilfered credit card numbers are usually not part of extreme identity theft -- they're intended for one-time fraudulent purchases. In the `partnership' category, you see the programmers partnering with talent to build the start of a robust organization. There are partners with strengths in sales, technical support, and distribution channels. At this point, the `company' starts taking on a formal organizational structure. The targets tend to elevate beyond mere credit card or credential theft. The company might be hired to move into the realm of targeted hacking. Why? Well, to target a company for hacking requires a considerable amount of profiling -- identification of key staff, familiarization with the security products used by the target, understanding of the business practices, to say the least. Also in this middle zone you see the emergence of sophisticated and modern software development: proper testing/quality assurance processes, version numbers and upgrade tracking, tech support, and other aspects comparable to the expectations of tradiaccounting software. Some parts of the distribution channel make the following claims: · Purchaser entitled to free upgrade to next point version if product is detected/removed by any antivirus/spyware program within three months of purchase · Free tech support during the warranty period (albeit by email only) Samples of the modules for the Zeus botnet are as follows: · Basic starter kit US$3,000$4,000. Good for all Microsoft systems up to and including XP. Allows the crook to capture financial usernames/passwords from infected computers. · Optional `back-connect' module (US$1,500) allows the crook to instigate a financial transaction back through the victim's computer (rather than from any computer) in order to spoof banks/financial companies who try to verify that it was really the proper user instigating the transaction. · The Windows Vista/7 version of the above costs additional $2,000. · If your bank uses software/tokens to create random number passwords for your account, another $500 add-on will capture and forward the next token to the crook -- allowing them to process fraudulent transactions on your account -- and then regenerate the next token and place it back on your system. · If the crook wants complete access to a hijacked computer -- akin to what you can do with PCAnywhere, GoToMyPC and

tional commercial software. For example, the Zeus botnet -- one of the `most wanted' ones for wreaking havoc on business systems in North America and a botnet aimed primarily at trying to hack financial transactions -- is sold in modules, just like most mid-range and large enterprise

R OWSON

16

FOCUS

The Bottom Line May 2010

Understanding signs of employee duress

By JODIE L. WOLKOFF mployees have many opportunities to commit fraud and do so most commonly by falsifying documentation to evade internal controls. Accountants are often in the best position to identify areas at higher risk for fraud because they have a deep understanding of how businesses operate, the flow of f inancial transactions in an organization and the relationships between items on a financial statement. According to the Association of Certified Fraud Examiners, companies on average lose f ive per cent of revenue to fraud per year. In most instances, external audits are not designed to and, therefore, do not detect fraud. Many frauds are committed internally and smaller organizations are at particular risk of loss, as they tend to have fewer internal controls. Employees who commit fraud are typically motivated by financial need, an available opportunity and the perception that the risk of being caught is low. Generally, fraud within an organization can be classified in five categories: asset misappropriation; financial statement manipulation; corruption; conflicts of interest; and technology tampering. While volumes could be written on each of these types of fraud, the focus of this article is on employee asset misappropriation. Asset misappropriation refers to schemes that involve the intentional misuse or theft of an organization's assets. Examples include skimming cash, payroll fraud, expense report fraud, inventory fraud, fraudulent billings and procurement fraud. The following are examples of red flags that could suggest employee fraud. However, it is important to note from the outset that the existence of one or more of these red flags does not necessarily mean that a fraud is occurring. If these signs are present, a company must still consider taking steps to determine whether something underhanded is actually happening. Lack of segregation of duties: Smaller corporations are more susceptible to internal control weaknesses resulting from a lack of segregation of duties. As a simple example, the same person should not have sole responsibility for receiving customer payments, depositing the payment into the bank, posting deposits to a customer's account and preparing the bank reconciliation. If these duties are segregated among two or more employees, it decreases the risk of theft and makes it more difficult to conceal such misappropriation.

E

However, companies who do not take action against employee fraud may create an environment where employees come to believe that fraud will be tolerated.

Jodie Wolkoff, Wintrip Wolkoff Shin

Failure to reconcile accounts regularly: Without regular reconciliations, management is unable to determine if the accounting is accurate. Failure to perform timely reconciliations creates an opportunity for employees, as they become aware that a theft can go unnoticed for an extended period of time. Bank accounts require frequent reconciliation, as do accounts receivable, payroll, accounts payable, shareholder and related party accounts. Poor accounting records: This problem is common to companies of all sizes, but is particularly relevant for large companies that have expanded through acquisition, but have failed to integrate accounting systems. It's also an issue during the transition to a new reporting system. Poor accounting records can make it diff icult to monitor transactions, and offer another opportunity for theft and concealment over time. Lack of information: In the regular course of business, from time to time documents get lost without explanation. However, if documentation is missing on a regular basis, and a pattern is recognizable -- for example, the missing documents concern the same customer over a certain period of time and type of transaction -- that may be a warning sign that something is going on. Change in employee lifestyle: Has an employee suddenly had a signif icant change in spending habits, for example purchasing a larger house, an expensive new car or other big ticket items that appear to be beyond his or her means? This could indicate both the need to commit fraud -- to support this lifestyle -- as well as fraud itself. the receipt of tips from employees, vendors, customers or other related parties. The credibility of any tips should be assessed before a full investigation is undertaken. Credible tips have a suff icient amount of information to corroborate the allegations. In many cases, anonymous tips can be useful but a tipster who provides a name does bring an added measure of credibility. Although not based in any scientif ic method, management as well as an experienced investigator may have a `sixth sense' or gut feeling that something is awry. Intuition is important in identifying and investigating both potential and alleged frauds. Intuition may lead the investigator to analyze facts that appear to be suspicious or counterintuitive. A gut feeling should not be ignored. A strategy of watchfulness can help companies reduce losses and can stop a perpetrator from attempting or continuing to commit fraud. Employee fraud can be costly to investigate and the result is often minimal recovery of a company's losses. However, companies who do not take action against employee fraud may create an environment where employees come to believe that fraud will be tolerated. To avoid the costs and complications of an investigation, it is best for companies to establish appropriate policies and controls

from the outset. Setting the right tone at the top of the organization will help establish a culture of integrity. If it is made clear that fraud will not be tolerated, the risk can be reduced. Conversely, if management displays an attitude of entitlement, this attitude may filter down to the rest of the organization and create a problematic situation. Employee fraud is unfortunately a common part of business, so people need to know how to react should it happen. A company may decide to conduct its own internal investigation or to work with a third-party investigator. While an internal investigation can be successful, the benef it of retaining a third party is added credibility. If the investigation relates to areas of misappropriation of assets, fraudulent f inancial reporting, corruption and bribery or money laundering, then one should consider engaging a forensic accountant. Forensic accountants have specialized expertise in f inancial analysis, asset tracing, reconstruction of transactions and interviewing skills. Furthermore, forensic accountants have extensive expertise working with lawyers and within the legal system. If the investigation is complex and a company wants to keep it private, hiring a forensic accountant is highly recommended. A forensic accountant will review accounting records, emails and other documentation and will be able to assess losses and possibly identify other areas at risk. Due to the voluminous nature of electronic evidence, a computer forensics expert may be required as well to extract electronic data available on hard drives and servers. Forensic accountants work with legal counsel to prepare the briefs to be used in legal proceedings and can testify in court if necessary. Accounting expertise can help make or break a fraud case, so it's important to consider working with the top specialists to help protect an organization's assets and reputation. Jodie Wolkoff, CA-IFA, CBV, MBA, is a chartered accountant with a specialization in investigative and forensic accounting. She has worked exclusively in the field of forensic and investigative accounting, including litigation support and business valuations. She is a founding member of Wintrip Wolkoff Shin, a boutique CA firm specializing in forensic accounting, litigation and valuation services. She can be reached at [email protected]

Changes in behaviour: Has an employee started to act outside their normal character -- perhaps become argumentative, unco-operative or defensive? This could include displaying characteristics related to substance abuse or gambling problems. Behavioural changes may indicate a response to stress as an employee attempts to undertake or conceal a fraud. One of the most common ways a company detects fraud is through

W OLKOFF

The Bottom Line May 2010

FOCUS

15

How to create a culture of compliance F

By EARL BASSE raud costs Canadian businesses a substantial amount of money each year, affecting most companies. Yet, most small and medium-sized firms don't believe they are at risk of this happening to them. These misconceptions are a result of three myths that need to be dispelled. · Myth: It can't happen here because our people are honest and would not commit fraud against us. Reality: Fraud exists in all organizations and no one can vouch for all their employees. · Myth: We have internal controls in place to prevent fraud. Reality: Internal controls are often outdated and are neither reviewed nor tested on a regular basis to ensure they perform the functions for which they have been designed. It is estimated that internal controls uncover only 15 per cent of frauds perpetrated against a corporation. · Myth: If fraud did occur it would be found quickly and damage would be minimal. Reality: Experience has shown that this is not the case. Fraud is often perpetrated over a long period of time and generally escalates as time passes. thefts and fraud against companies are perpetrated by employees. To protect the organization, don't hire thieves. Of course, thieves don't walk around with a sign on their forehead. But if a person has committed theft on their employer in the past, they will do it again. Many companies do not perform basic background screening on prospective employees for fear that this is a violation of the Privacy Act. If conducted properly, background screening is not only legal, but effective in weeding out undesirables. How many businesses have proprietary information that would be valuable to competitors? Are they protecting that resource? Are employees following procedures in securing information contained on laptops and servers? The fourth step is to be proactive in protecting the company's assets and resources. Regularly review internal controls to ensure they are effective and performing in accordance with the needs of the organization. Conduct a threat, risk and vulnerability assessment to identify weaknesses in security. Review and improve corporate security, ensuring access

controls, alarms and other technical security assets are operating in accordance with the company's needs. Audit IT security on a regular basis to ensure it meets the organization's needs. Experience has shown that effective corporate security will significantly reduce inventory shrinkage.

See All on page 18

EYV 5VWZ_ZeZgV 6gV_e Z_

:_gVdeZXReZgV R_U 7`cV_dZT 2TT`f_eZ_X

?`gV^SVc $ % #!"!

E96 [email protected]? 46?EC6 [email protected]@[email protected] [email protected]@[email protected] @?E2C:@

So, if fraud exists in all organizations and if internal controls don't always work, how can a business be protected from internal fraud? Although there are many ways to accomplish this, developing and practising a `culture of compliance' within an organization has been found to be the most costeffective and successful program to protect valuable assets and resources from fraud. A culture of compliance is essentially a program where standards of ethical conduct are set and steps are taken to ensure that each employee or third party operates in accordance with those standards. There are six steps to developing this culture. The first and most important is getting buy-in from executive management. Executive management must not only possess integrity but must also demonstrate and support integrity in all its actions. The second is developing a clear policy on ethics and conduct. This policy must include zero tolerance for theft, fraud or other similar conduct. It must be clear about what appropriate conduct is and is not. It must also be clear on how to handle any violator of the code of conduct, including sanctions for inappropriate conduct. The third is arguably the most effective of all practices to prevent internal theft and fraud within an organization. Eighty per cent of

:_gVdeZXReZgV R_U 7`cV_dZT 2TT`f_eZ_X 4`_WVcV_TV

2 T`_WVcV_TV UVdZX_VU Sj 42:72d W`c eYV :72 4`^^f_Zej

6Rc_

fa e` "# Y`fcd 4A5 `_ e`aZTd Z_T]fUZ_X 7cRfU :_gVdeZXReZ`_d =`dd BfR_eZWZTReZ`_ =ZeZXReZ`_ Dfaa`ce CZd\ >R_RXV^V_e 5ZdafeV CVd`]feZ`_ R_U :_dfcR_TV >ReeVcd

#!"!

;`Z_

42:72d 2]]ZR_TV DfSdTcZSVcd 42d [email protected] :_eVc_R] 2fUZe`cd 4`_ec`]]Vcd R_U `eYVcd Z_eVcVdeVU Z_ Z_gVdeZXReZgV R_U W`cV_dZT RTT`f_eZ_X ?`gV^SVc $ % W`c eh` URjd `W VddV_eZR] VUfTReZ`_ R_U _Veh`c\Z_X

R]`_XdZUV Z_Ufdecj ]VRUVcd Rd ViaVced Z_ eYVZc WZV]Ud Via]`cV hYRe ^ReeVcd ^`de e` j`f R_U j`fc `cXR_ZkReZ`_

=VRc_

7`c ^`cV Z_W`c^ReZ`_ `c e` cVXZdeVc gZdZe hhhTaU TZTRTR ZRWR

14

FOCUS

The Bottom Line May 2010

Psychology was pivotal in Madoff's con

By ARI KASHTON ernie Madoff operated a massive Ponzi fraud for years. One of the ways he had so many people invest so much money -- the scheme was valued at almost $65 billion -- was through the use of psychology to dupe many intelligent people into believing in his authenticity. The figures of the Madoff con are staggering. On Dec. 1, 2008, the monthly investment statements of Madoff investors totalled $64.8 billion. Analysts estimate $20 billion represented invested money; the remaining $44.8 billion paper returns. Ten days later, Madoff (almost out of money) confessed to the FBI that his investment management business was a giant Ponzi scheme. So how did Madoff mange to con experienced investors and professional money managers out of $20 billion? Madoff wasn't academically intelligent (he graduated from high school with middling marks, earned a degree in political science, but never completed his studies at Brooklyn Law School). And he wasn't a brilliant investor, either. He did not have any investment credentials or formal investment education -- in 1960, he founded Bernard L. Madoff Investment Securities LLC, a penny-stock trading firm. Instead, he excelled in gaining people's confidence. Even though Madoff 's `split strike conversion' investment strategy was a sham -- he fabricated the investment returns from historical trading data -- he artfully applied the psychological factors of influence and persuasion to control employees, evade regulators and fleece investors. There are significant psycholog-

B

In a busy world, it is much simpler to rely on decision making shortcuts than to perform cognitively challenging and time consuming due diligence.

Ari Kashton, Soberman LLP

ical factors in play when it comes to financial frauds. Renowned social psychologist Robert Cialdini defines six fundamental principles of persuasion and influence: liking, reciprocity, social proof, commitment and consistency, authority and scarcity. The principles are applicable to Madoff investors as follows: Liking: people like to invest with people they like; Reciprocity: people tend to repay favours in kind; Social proof: people tend to look to their peer group for investment guidance; Commitment and consistency: people, once committed, like to be consistent with their initial investment decisions; Authority: people look to authorities to make their investment decisions; Scarcity: people value scarce investment opportunities more. Consider the above principles with this published story from January of last year. It was reported that an old high school friend of Madoff 's wife, Ruth, called to inquire about getting in the fund. Madoff initially turned Donny Rosenzweig down before giving it more thought. Madoff told Rosenzweig that since they went back a long time, he would let him in, and that the minimum investment was $2 million. Rosenzweig, not having that kind of money, gathered up a number of immediate family members to contribute. Let's analyze this situation using Cialdini's principles: One by-product of commitment is that, in the face of contrary evidence, investors create supporting justifications for their initial investment decisions. Many investors faced with questions about how Madoff made his consistent returns (when no one else could duplicate same), simply reasoned that Madoff was a better investor or had superior information. When questions arose regarding Madoff 's lack of disclosure, many investors agreed with the defence that Madoff need not disclose his `trade secrets.' Once invested, it was virtually impossible to convince Madoff investors that they made a bad choice -- especially when they looked at their inflated monthly investment statements. · Authority: Rosenzwieg viewed Madoff as an investment authority. By now, Madoff had been trading and investing for over 30 years. Madoff reported trading results were consistent, stable and positive. Madoff was also a prominent member of the securities industry throughout his career serving, among other prominent positions, as the chairman of the National Association of Securities Dealers (the industry funded self-regulatory organization). Many investors did not look past Madoff 's investment industry pedigree and reported returns. · Scarcity: Rosenzweig was first told the fund was full. It was only through Madoff 's generosity and sentimentality that he was `letting

· Liking: Rosenzweig had a connection to Madoff via Ruth. They shared the same background. This likeness and liking engendered affinity and trust. · Reciprocity: Madoff did Rosenzweig a `favour' by allowing him to invest in the fund, which Madoff originally indicated was full. Rosenzweig, in return for this `favour,' repaid Madoff by selling the investment to his family to make up the $2 million minimum investment. · Social proof: The popular word was that Madoff was a good investment and that appears to have been good enough for Rosenzwieg to invest all available money. · Commitment and consistency: Rosenzweig was committed to the investment, so much so that he convinced his family to invest.

him in.' Not only did this boost Rosenzweig's opinion of Madoff, but Rosenzweig had been granted access to an `exclusive' investment opportunity. Now that he had made it in, he wouldn't be leaving quickly. This sheds light on why so many Madoff investors instructed their spouses to never sell their investments. Madoff used the scarcity principle to create great loyalty. Cialdini's six principles of influence and persuasion all have one common thread. Investors can be influenced to favour emotive decision making over detailed analysis. In a busy world, it is much simpler to rely on decision making shortcuts than to perform cognitively challenging and time consuming due diligence. There is no substitute for proper investment due diligence. Standard due diligence requires that the investors maintain critical scepticism, pose difficult questions and critically evaluate the answers. More importantly, investors should be particularly cognizant of how social influences may cloud their investment decisions. An awareness of and sensitivity to the potential impact of the six principles of persuasion and influence may save an otherwise unwary investor from falling prey to the next Ponzi scheme. Ari Kashton, CA-IFA/CBV CFE, , is a senior manager in the business valuation and litigation support division of Soberman LLP He spe. cializes in investigative and forensic accounting, including, fraud investigation, investment due diligence, damage quantification and expert testimony. He can be reached at 416-963-7150 or [email protected] soberman.com.

Low salary doesn't go with pricey car

Continued from page 13

of spare time, including weekends, at the casino would be a red flag. Employers have to be careful not to infringe on an individual's privacy, but they also must be duly diligent. Companies also need to be mindful when setting compensation strategies to ensure that they don't end up encouraging and rewarding inappropriate behaviour. Education is an important prevention technique. By educating all employees about the red flags of fraud and ways they can escalate or communicate concerns on an anonymous or conf idential basis, companies can enhance the chances of detecting a potential fraud in the early stages. Some companies also provide toll-free conf idential help lines that employees can call for consultation and support. Rationalization The third element of fraud is rationalization, a factor that allows fraudsters to convince themselves that their actions are justified. Rationalization can operate at the individual level, which may be a reflection of a different system of values and beliefs. Rationalization may also reflect the corporate culture -- that there is no `tone at the top,' there is a lack of understanding about what is acceptable, a tolerance of petty wrongdoing or a lack of business principles. There are a number of actions a company can take to address rationalization --by setting the standards for expected behaviour through an effective set of policies and procedures. One helpful tool is an effective anti-fraud policy that: · Defines fraud · States the company's position on fraud · Lays out the actions the company will take to investigate fraud · Clearly states the consequences of fraudulent acts The anti-fraud policy should include clear instructions about the actions employees should take when they suspect fraud. The policy needs to be communicated to employees at all levels in the company. The policy might even require employees in key roles to sign an annual declaration of compliance with company policies. Employers can also minimize the rationalization element by cultivating and maintaining good employee morale, treating employees fairly and reinforcing the message that their contributions to the company are valued. There is no `one size f its all' solution. The first step is to recognize that it's virtually impossible to prevent all fraud. But knowing and understanding the fraud triangle can help you prevent, detect and combat fraud, and signif icantly reduce your exposure. Bob Ferguson ([email protected]), CA-IFA, is a partner in the Fraud Investigation and Dispute Services group at Ernst & Young LLP in Toronto. He

KASHTON

has more than 20 years of experience in forensic and investigative accounting.

F ERGUSON

The Bottom Line May 2010

FOCUS

13

Downturn cutbacks can increase fraud T

By BOB FERGUSON wo of the most common rationalizations encountered by forensic accountants investigating misappropriated assets are, "I've earned it" or "I'm just borrowing it. I'm going to pay it back when things get better." And there are others. Rationalization represents one of the three elements required for fraud to occur. When added to the other two -- opportunity and motivation -- they form the `fraud triangle,' a potent combination of elements that can expose your company to signif icant risk. Understanding the fraud triangle can help manage risk exposure and even prevent fraud before it can do significant damage to a company. transactions or a high incidence of trade commissions and discounts. Company-specif ic factors can include large volumes of relatedparty transactions, ineffective supervision and monitoring by management, unduly complex transactions or tax structures, or operations in remote or high-risk locations. In an economic downturn, many companies reduce their head count. Depending on which part of the company is affected, this can have a direct impact on internal control systems -- possibly resulting in the elimination of internal controls, a level of approval or, worse, the consolidation of previously segregated functions into one role. Either way, the risk of fraud is increased because opportunities that did not previously exist are suddenly brought into play. As a result, management's ability to review and supervise effectively may be strained by the combination of heavier workloads

Whatever the cause, desire can be a powerful motivator, which is compounded by early success in a fraudulent scheme.

Bob Ferguson, Ernst & Young

Opportunity This first element of the fraud triangle can include industry or company-specif ic factors, or a combination of both. Industry-specific factors create opportunities, such as large volumes of cash

and increased emphasis on achieving business imperatives, such as sales growth or cost containment. Corporate oversight functions, such as internal audit, corporate compliance and general counsel, may not be able to fully compensate for the increased risk. To effectively address the opportunity element of fraud risk, companies need to ensure that they have an effective system of internal control in place, and that any changes to their operations take into account both prevention and detection elements of this system. This means that headcount reductions should take into consideration the potential impact

on segregation of duties or internal approval levels. As well, companies need to ensure that remediation plans relating to previously identified internal control weaknesses are adequate and on schedule. Motivation The second element of the fraud triangle is motivation, which is sometimes referred to as the `need or greed' factor. A person may be motivated by lifestyle issues -- say, the desire for a bigger house, a nicer car or a vacation property -- or vices, such as drug, gambling or alcohol addictions. Motivation may also be

driven by excessive dependence on variable compensation closely linked to results or share price. Whatever the cause, desire can be a powerful motivator, which is compounded by early success in a fraudulent scheme. The key to addressing the motivation element is to be conscious of the value of red flags as an early warning mechanism. While a red flag does not necessarily mean there is a problem, it indicates that some follow-up should take place to confirm or refute the existence of a potential issue. Companies should be cognizant of employees with lifestyles that are inconsistent with their status in the company and investigate discrepancies. For example, an employee in a relatively lowpaying position driving a new high-end sports car would be a red flag. Likewise, an employee in a position of trust who spends a lot

See Low on page 14

The Accountant's Handbook of Fraud Prevention and Detection

Your best defence against fraud

12

FOCUS

The Bottom Line May 2010

Hard, not impossible, to see dirty money

By JENNIFER FIDDIANGREEN n the most basic terms, money laundering is the process by which large amounts of illegally obtained money is given the appearance of having originated from a legitimate source. There are no exceptions here in Canada. For example, a Toronto lawyer was recently sentenced to 39 months in jail following criminal charges that he and a law school classmate came up with an illegal insider trading scheme that netted US$9 million through sharing secrets about dozens of corporate clients in Canada and the United States. Stan Grmovsek pleaded guilty to criminal fraud and money laundering charges by the RCMP. His Osgood Hall law school classmate, Gil Cornblum, killed himself in Toronto one day before criminal proceedings took place. Globally, financial crimes continue to become more complex and so the concept of `financial intelligence,' obtaining information on the financial affairs of individuals, continues to evolve and is critical in combating international crime and terrorism. Money laundering is a process that is accomplished in three basic steps, including placement, layering and integration. These steps can be taken in the course of a single transaction or can appear at different times. Three common factors identified in laundering operations are the need to conceal where the proceeds originated from, the

I

Forensic accountants work to strip away the layers of deceit and reveal the shady transactions.

need to maintain control of the proceeds, and the need to condense the huge volumes of cash generated. Transactions that lead to suspicious of money laundering must be reported, as per the regulations of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (or the PCMLTFA), in Canada by: financial entities such as banks and financial dealers, money services businesses, life insurance companies and agents, certain government agencies that take deposits (such as Canada Post), accountants or accounting firms, real estate agents and brokers and casinos. The suspicious reports are received by Canada's financial intelligence unit, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). The idea is that the reports are then analyzed, with Canadian law enforcement given the information to investigate and combat the illegal activities generating the ill-gotten gains, and to target the actual proceeds of the crime. Accountants have requirements too -- it is mandatory for chartered accountants and CA firms to know client procedures, documentation and reporting in instances when they obtain professional fees for receiving or paying funds on behalf of a third party, or providing instructions in respect of these activities. There are a variety of methods used to launder money such as structured deposits, using banks and shell companies. To detect and deter money laundering activity, certain types of transactions, including cash deposits and international wire transfers equal to or over $10,000, need to be reported to FINTRAC and similar types of agencies around the world. To work around these laws, launderers will hire low-level assistants to make multiple smaller deposits, either on different days or at various branches on the same day. There are still locations around the world which are viewed as being more accommodating to individuals looking to legitimize their cash; nations which do not have burdensome banking laws and anti-laundering procedures, but which may have secrecy laws that ultimately help the launderers hide. Opening accounts in a number of these, typically offshore accounts, allows launderers to move their money around and create nearly impenetrable defences against

curious investigators. Some countries have a history of well-established underground banks that have been accepting what we might view here as sketchy deposits for centuries; individuals legally operating outside of the mainstream banking system and outside the control of the government. There is often no paperwork, just the reputation of the principals involved. Enterprising criminals looking to clean their cash can set up various shell companies that exist for the sole purpose of money laundering. These companies can offer some sort of service that can easily be papered. Other cash-based businesses (like beauty salons and trades like plumbing) can also be used as front for money laundering ­ the dirty money can be funneled into the company, made to look like

Enhance your career in Forensic Accounting

Learning Approach...

· 2-year distance learning program with 10 courses including Introductory & Capstone residency sessions · Case-based learning from anywhere in the world · Instruction by industry practice leaders · Expert witness training & assessment included

Program Coverage...

· · · · Practice Issues Legal Process Loss Quantification Investigative-Related Matters

Admission Requirements...

· Undergraduate degree in business or accounting · 2 years relevant accounting experience

F IDDIAN -G REEN

Jennifer Fiddian-Green, Grant Thornton

legitimate income with fake invoices and receipts and then transferred to the accounts of a shell company as clean, wonderfully spendable cash money. An easy way to take dirty money and turn it into good money is through buying gambling chips or tokens from a casino with the dirty money and, over time, turning them in for clean money. Casinos are regulated and do need to ask for identification for transactions over a certain dollar amount, but it is difficult to prove the money was ever dirty in the first place. After a few turns at the gaming table, the player can also cash in for a cashier's cheque which can easily be deposited to bank and other accounts. Forensic accountants work to strip away the layers of deceit and reveal the shady transactions. The work is a very detailed process, often requiring that each individual transaction be reviewed while keeping track of the big picture in order to put the pieces of the puzzle together. A former executive of Bennett Environmental Inc., Canadian Robert P. Griffiths, pleaded guilty to the Antitrust Division of the United States Department of Justice for participating in a conspiracy to pay kickbacks and commit fraud at the U.S. Environmental Protection Agency. As well, he pleaded guilty to money laundering charges related to laundering kickback amounts received through shell companies and bank accounts in New Jersey. The money laundering conspiracy with which Griffiths is charged carries a maximum penalty of 20 years in prison, five years of supervised release, and a $500,000 fine, or twice the value of the funds involved in the transportation, transmission, or transfer, whichever is greater. Canada, and all its financial professionals, need to continue to strengthen and work among our local and international partnerships to prevent, detect and combat money laundering. As accountants, we are well equipped to conduct financial intelligence and investigations -- we can show the money launderers there is no place to hide. Jennifer Fiddian-Green, CAIFA, CMA, CFI, CFE, CAMS, is a partner with Grant Thornton LLP's Specialist Advisory Services, practicing exclusively in the area of forensic accounting and investigative services. Jennifer is an antimoney laundering specialist and has investigated, reported and managed numerous fraud investigations involving both civil and criminal allegations.

In Partnership with...

DIFA

Diploma in Investigative & Forensic Accounting Program

www.utoronto.ca/difa

The Bottom Line May 2010

17

DIRECTORY FORENSIC ACCOUNTING & FRAUD

WITH OVER 95 OFFICES ACROSS CANADA

-- from our rural centres to our largest markets -- BDO has experts at your doorstep.

Leading Canadian experts in forensic accounting, investigations, damages quantification, business valuation, computer forensics and eDiscovery. Toronto » 416.777.2440 Roddy Allan, CA.IFA Jennie Chan, CA.IFA Farley Cohen, MBA, CA.IFA, CIRP, CBV, ASA Paula Frederick, CA, CBV Deborah Gold, LL.B Ross Hamilton, CA.IFA, CFE Bob Macdonald, FCA, CA.IFA Peter McFarlane, CA.IFA, ACA, CFE Nancy Rogers, CA.IFA, CBV, CIP Peter Steger, CA.IFA, CBV, CFE Alan Stewart, CA.IFA Ottawa » 613.230.4500 Greg McEvoy, CA.IFA, CBV, CFE Steve Whitla, CA.IFA, CBV, CFE Montreal » 514.798.5874 Richard Forand, CA.EJC/IFA Alain Lajoie, FCA, CA.EJC/IFA Andre Lepage, CA.EJC/IFA, CFE Paul Levine, FCA, CA.IFA, CBV, CFE Quebec City » 418.780.5874 Francois Filion, CA.EJC/IFA, EEE/CBV Manon Roy, CA.EJC/IFA 1,800 professional staff worldwide Offices in over 40 cities worldwide www.navigantconsulting.com

Employment/Labour Law Matters Specialists in "Forensic Investigations"

Crimes Investigated/ Uncovered:

· Theft of Trade Secrets / Proprietary Information / Sensitive Data · Corporate Espionage · Suspicious Activities · Fraud / Kick Backs / Embezzlement · Suspect Contractor Relationships / Secret Commissions · Expense Accounting Irregularities · Misappropriation of Corporate Assets · Workplace Bullying & Harassment · Libel & Slander · Pornography · Gambling · Threats / Extortion / Harassment · Termination / Wrongful Dismissal Issues

TORONTO TEL: (416) 386-1967 KAWARTHA DISTRICT TEL: (705) 652-9090 E-mail: [email protected]

BDO. More than you think.

www.bdo.ca/advisoryteam

Call CanLNC for Nursing and Medical Experts

· Interviewing · Statement Taking · Reconstruction o Collision o Accident o Incident o Scene o Cause · Forensic Animations A valuable visual tool · Surveillance · Expert Witness PERSONAL INJURY · Auto, Premises, Workplace, · Public PROPERTY · Fire & Theft LIABILITY · General, Professional & Municipal (Fire & Police)

Stern Cohen Valuations Inc.

INVESTIGATION EXPERTS

Business Valuations Litigation Accounting

EXPERT UNDERWRITING OPINIONS ON LIFE, DISABILITY AND CRITICAL ILLNESS CLAIMS

· Former Chief Underwriter Over 25 years of Underwri ng Experience Available to both Plain Defendants s&

Guidance at every turn.

·

· Business and intellectual property valuation · Damage quantification · Forensic accounting · Transfer pricing

Peter Weinstein MBA, CA.I FA, CBV 416.967.5100 [email protected]

·

Plaintiff or Defence

403-278-9273 www.CanLNCExperts.ca [email protected]

Decades of Experience and Excellent Results Contact Jim Jasper or Lee Thistle 905-502-3480 www.tsisolutionsinc.com

Stern Cohen

Contact: Barry J. Plener, BA Tel: 416-402-0008 www.barryplener.com

TO ADVERTISE CONTACT ACCOUNT MANAGER ,

JIM GRICE (905) 415-5807

OR

[email protected]

Information

TBL_MAY_10.qxp

7 pages

Find more like this

Report File (DMCA)

Our content is added by our users. We aim to remove reported files within 1 working day. Please use this link to notify us:

Report this file as copyright or inappropriate

1274998