00 Fraud Examination, 4th Edition - Copy-231-250 PDF

206 Appendix A: Examples of the Data-Driven Approach
small suppliers, but one represented a relationship with unit prices of 19 and 12 each. The volume
with one of the refinerys largest vendors. on these items far exceeded the refinerys needs.
The search for multiple invoices for the same item The search for contractor employees with excessive
description by vendor uncovered six invoices for overtime was one of the most useful analyses. Four
the same amount from the same vendor on the companies had employees who reported working
same day, all for $1,044,000. Three invoices from 150+ hours over 20 consecutive two-week pay
the same vendor, on the same day, for the same periods. Employees of one company submitted
items, each for $900,000, were also found. time cards from different locations for the same
Using various combinations of red flags, four period. Another companys employees averaged
companies that appeared to be committing large- 2,046 hours of overtime for the year. In one year,
scale contractor fraud were identified. The refinery 10 companies had averages of over 200 overtime
no longer conducts business with two of these hours per two-week period, 388 had some over-
vendors and is pursuing recovery. time, and hundreds had no overtime.
The search for price increases greater than 30 Per-hour charges by craft and by company and
percent per year for four consecutive years un- employee ranged from $56.11 per hour to $15.43
covered one company that had increased prices for the same craft. Also, 40 companies had stan-
581,700 percent and another that had increased dard deviations for rates billed that were over 40
prices by 331,879 percent. In total, 35 companies percent of the average rates billed for the same
had raised prices over 1,000 percent, and 202 craft.
companies had raised prices over 100 percent. Invoices from seven companies exceeded purchase
No incidences were found where employee and order amounts by over $100,000. The largest differ-
vendor telephone numbers were the same, but six ence was $713,791 on an original invoice of $21,621.
employees had the same addresses as vendors. The search for vendors with sequential invoices
Of the 319 vendors with common names and ad- revealed 19 vendors that submitted sequentially
dresses, all but two of these had reasonable expla- numbered invoices in over 50 percent of all in-
nations for the coincidence. voices. With one vendor, over 83 percent of the
The search for vendors not listed in the master file invoices submitted were sequential.
uncovered one unapproved vendor from whom The search uncovered three companies with over
the company had purchased $791,268 of services. 100 zero-amount purchase orders.
Purchases from all other unapproved vendors to- Nine contractors had cost overruns exceeding 50
taled less than $10,000. percent and $100,000. The highest percentage
In 20 purchases over $100,000, the quantity paid overrun was 2,431 percent.
for was greater than the quantity received. Finally, only 65 companies could not be matched
The search for high-volume purchases by vendor with Dun & Bradstreet listings. Except in a few
uncovered only one vendor with unusually high instances, purchases from nonlisted companies
transactions. The company paid $56,201 for items were small.
Copyright 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
PART 4
Fraud Investigation
7 Investigating Theft Acts 209
8 Investigating Concealment 231
9 Conversion Investigation Methods 251
10 Inquiry Methods and Fraud Reports 275
207
1019763_FM_VOL-I.qxp 9/17/07 4:22 PM Page viii
1
2
3
4
5
6
7
8
9
10
11 This page was intentionally left blank
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
S 50
R 51
1st Pass Pages

CHAPTER 7
Investigating Theft Acts
LEARNING OBJECTIVES TO THE STUDENT
After studying this chapter, you should be able to: Investigation is one of the
most interesting facets of be-
Discuss theft investigation methods and how they are used to investigate suspected
ing a fraud investigator. This
fraud.
chapter introduces you to
Understand how to coordinate an investigation, using a vulnerability chart. the different methods used
Describe the nature of surveillance and covert operations. for investigation, from sur-
veillance to invigilation to
Understand the effectiveness of invigilation to investigate fraud. electronic and computer
Explain how to obtain physical evidence and how it can be used in a fraud searches. As you read the
investigation. chapter, think of where each
method would be most use-
Understand how to seize and analyze electronic information from cell phones, hard
ful, and consider the skills
drives, e-mail, and other sources.
you need to master each
one.
209
210 Part 4: Fraud Investigation
o single promotion lured more people to According to federal prosecutors, at

NMcDonalds than its popular Monopoly least 17 recruits won ill-gotten prizes. Be-
gameuntil August 2001, when it was dis- sides the 13 winners of the $1 million
covered that the Monopoly game was a game, one recipient won a 1996 Dodge
large fraud. Simon Marketing, which ran the Viper valued at about $60,000 and others
Monopoly game on behalf of McDonalds, won cash prizes of $100,000 and $200,000.
was responsible for the fraud. Simon Market- Without the informant who contacted the
ing allegedly defrauded McDonalds out of Jacksonville FBI office, the contest rip-offs
$13 million worth of game prizes over the allegedly orchestrated by Jacobson would
promotion period.1 likely have continued unabated. FBI agents
In a quiet, upper-class subdivision of obtained court permission for several tele-
brick-and-stucco mansions in Lawrenceville, phone wiretaps, and they began tailing
Georgia, Jerome Jacobson spent the past Jacobson and others. The FBI also received
six years masterminding one of the largest McDonalds cooperation in delaying the issu-
promotional contests ever held. As Simons ing of checks to winners, which helped the
longtime manager of game security, Jacob- FBI secure evidence from wiretaps.
son, 58, traveled the country and randomly
placed winning peel-off contest stickers on In previous chapters, we discussed fraud prevention
things like soft-drink cups and French fry and detection. In this chapter, we will discuss different
boxes in McDonalds restaurants and methods of investigating a theft act once predication is
found. Figure 7.1 shows the fraud triangle plus inquiry
inserted instant-winner tickets in magazines approach to investigations, a comprehensive model for
and Sunday newspaper circulars. However, investigations. It includes four different investigative
the FBI says that Jacobson devised his own methods: theft, concealment, conversion, and inquiry.
cash-in schemeembezzling winning game While fraud investigations progress in unique ways to
pieces and instant tickets. In turn, he sold meet their specific needs, most investigations contain
them to prearranged winners for kickbacks elements of the four methods. These methods are dis-
cussed in this and the following chapters.
of $50,000 or more.
Jacobson pocketed at least $50,000
each from up to 13 separate $1 million When to Investigate
prizewinners. The governments lengthy Before we discuss specific types of evidence that should
complaint described Jacobson as a savvy be gathered in a case, you should understand the con-
manipulator and crime ringleader, willing siderations involved in deciding whether to investigate
to double-cross those who dared to hold or not. As we have discussed previously, investigation
back payments. Jacobson recruited at least of a fraud only follows when there is predication,
meaning that there are symptoms or indications (red
two accomplices who acted as recruiters flags) that a fraud may be occurring. That predication
themselves. may have arisen because someone provided an indica-
In exchange for negotiated payments, the tion that fraud may be occurring (such as providing a
winners were provided winning game tip or complaint) or it may have come from proactively
pieces and instant-prize tickets. They were searching for fraud. Once there is predication, those
involved must decide whether or not to investigate.
also instructed at length on how to disguise
That decision is often made by auditors, security per-
their actual residences and what to tell McDo- sonnel, human resource personnel, attorneys, or even
nalds about where and how they had picked law enforcement officials. You will likely be a key per-
up game pieces and instant-winner tickets. son in this decision. Some of the factors that are
Chapter 7: Investigating Theft Acts 211
FIGU RE 7.1 FRAU D TRIA NGLE PLUS I NQU IRY A PPROA CH T O IN VESTIG ATION S
Theft Investigative Methods

1. Surveillance and covert operations
2. Invigilation
3. Seizing and searching computers
4. Physical evidence
Concealment Conversion
Investigative Methods Investigative Methods
1. Document examination 1. Searching public records
2. Audits 2. Online resources
3. Electronic searches 3. The net worth method
4. Physical asset counts
+
Inquiry
Investigative Methods
1. Interviews and interrogation
2. Honesty testing
considered in deciding whether or not to investigate are the specific fraud. For example, because inventory
the following: frauds involve the transporting of stolen goods, such
frauds are often investigated by using theft investigative
Perceived strength of the predication
techniques to gather physical evidence. On the other
Perceived cost of the investigation
hand, payroll frauds, such as charging excess overtime
Exposure or amount that could have been taken
or adding ghost employees to the payroll, can usually
The signal that investigation or noninvestigation
be most easily investigated by focusing on concealment
will send to others in the organization
efforts. Such frauds must be concealed in the records of
Risks of investigating and not investigating
an organization, and it is usually easiest to gather doc-
Public exposure or loss of reputation from investi-
umentary evidence. With collusive or kickback-type
gating and not investigating
frauds, however, there is usually no direct documentary
Nature of the possible fraud.
evidence (although there might be indirect documen-
For example, under recent changes in the laws, the tary evidence such as purchasing records that show
risks would be much higher for not fully investigating a increasing prices or increasing work by a particular
potential fraud perpetrated by the CEO of an organiza- vendor). As a result, concealment investigative techni-
tion than it would be to not investigate a fraud perpe- ques usually do not work well in kickback situations.
trated by a line employee. With such frauds, investigators often use theft act in-
Generally, once there is predication, the best policy is vestigative methods, such as tailing or wiretaps, which
to investigate the potential fraud to determine the who, were used in the McDonalds case, or gather circum-
why, how, and how much questions of the fraud. Some- stantial conversion evidence from public records and
times what is observed or what resulted in predication is other sources showing a lifestyle beyond what the per-
only the tip of the iceberg. Other times, the investigation petrators known income could support. Inquiry inves-
of predication may exonerate those who were suspected tigative methods are usually helpful in investigating all
of wrongdoing. And, as we have already discussed, since types of frauds, but they are most useful after you have
most frauds grow geometrically over time, it is better to gathered other types of evidence and know who to in-
investigate them while they are still relatively small than terview and what questions to ask.
to wait until they bankrupt a division or cause extreme As you investigate, it is important to remember to
embarrassment for an organization. remain objective. You want to be smart and informed
Once the decision has been made to investigate, in- so you do not miss potential indicators. Look at people
vestigators must decide what methods to use to gather and evidence in a case with professional skepticism. Do
evidence. In deciding which methods to use, investiga- not take things you see or read at face value. Try to
tors should focus on the strongest type of evidence for read between the lines to see what others might have
missed. On the other hand, it is not wise to think of F IGU RE 7. 2 EXAMPLE THEFT ACT
everyone you meet as a criminal. During your career, INVESTIGATIVE PATTERN
you may meet investigators who have become somewhat
callused toward people and evidence because of past
any records (s
investigation experiences with less-than-honest people. omp uch
rc
Instead, try to find a balance where you can exercise so as
rd pu
good judgment as a professional fraud investigator. co p loyers or unsu r
em c
ch
ce
er
lr
i nv i g il s
as
, a s
rds tio
ne
m n,
ing
co
fu
on
o
o
Theft Act Investigative re u yers, c
lv
f
b
er
ers
rec
w
rs
o
en
c
th
vie
bli
ur
w
Check p
ords)
Inter view o
Methods
Search pu
or
o
Inter
ve
rs
kers, etc.
illance
Theft act investigations are those activities which directly Interview
suspect
investigate the fraud act, such as surveillance and covert
operations, invigilation, obtaining physical evidence, and
gathering electronic evidence. These investigations should
usually begin by using techniques that will not arouse sus-
picion and, most importantly, will not wrongly incriminate
innocent people. Therefore, initially, as few people as pos-
sible should be involved, words such as investigation
should be avoided (audit and inquiry are more appro-
priate), and the investigation should be started by using
techniques that will not likely be recognized. As the inquiry
proceeds, investigative methods will work inward toward conducted. For example, security personnel, auditors, and
the prime suspect, until finally he or she is confronted in an fraud examiners commonly examine personnel records
interview. By waiting to interview the primary suspect, you during normal audits. Similarly, purchasing records and
can gather sufficient evidence to conduct a powerful, di- public records searches usually do not create suspicion,
rected interview without giving your case away prema- because they are normal audit procedures or because
turely. Figure 7.2 provides an illustration of this pattern. they can be performed offsite. Searching of e-mail files
To illustrate, suppose a purchasing employee is sus- can be done on the corporate server rather than on the
pected of taking kickbacks. The investigation might suspects computer, and hard drive information can be
proceed through the following steps: searched from centralized backups.
1. Check the employees personnel records for evi- Surveillance, when properly performed, is done with-
dence of liens, other financial difficulties, or previ- out the perpetrators knowledge. Only when interviews
ous problems. begin is the suspect likely to become aware of the investi-
2. Perform a special audit of the purchasing function gation. Even then, interviews should normally be con-
in order to examine trends and changes in prices ducted first with individuals who are objective and not
and purchasing volume from various vendors. currently associated with the suspect and should work
3. Search the suspects e-mail and other electronic re- inward until the suspect is finally interviewed. The pur-
cords for communication with outside vendors, poses of starting tangentially and working inward are to
spreadsheets, or other records related to the kickback. avoid alerting suspects too early that they are under inves-
4. Search public records and other sources to gather tigation and to avoid creating undue stress or suspicion
evidence about the suspects lifestyle. among other employees. Once a case is revealed, evidence
5. Perform surveillance or other covert operations. and people often have a way of disappearing. In addi-
6. Interview former buyers and unsuccessful vendors. tion, this process best protects the target of the investiga-
7. Interview current buyers, and, if no collusion with man- tionespecially if evidence later reveals that the
agement is suspected, interview the suspects manager. individual was not, in fact, involved.
8. Simultaneously interview the suspected buyer and
the suspected vendor. S T O P & T H I N K Why is it important to conduct
activities that do not arouse suspicion first and interview
Several of these steps can be performed without arous-
the primary subject near the end of your investigation?
ing suspicion or without anyone who does not have the
What could occur if you fail to do this?
need to know being aware that an investigation is being
Developing a Vulnerability Chart observed, (7) pressures of possible perpetrators, (8) rational-
When beginning a fraud investigation, it is often useful to ization of perpetrators, and (9) key internal controls that
develop theories about what kind of fraud could have oc- had to be compromised for the theft to occur. For example,
curred, who the possible perpetrators could have been, assume that a bank customer complained that a deposit
what their motivations might have been, and how much she made last month was not credited to her account. A
might have been taken. One way to develop such theories vulnerability chart similar to the one in Table 7.1 would
is to use a vulnerability chart as a tool for explicitly con- identify all the factors involved in the fraud.
sidering all aspects of the fraud and for establishing fraud As shown in the top section of this vulnerability
theories. A vulnerability chart coordinates the various ele- chart, the assets that may have been taken included
ments of the possible fraud, including (1) assets that were the customers deposit. Theft opportunities may have
taken or are missing, (2) individuals who have theft oppor- been available to the teller who processed the trans-
tunities, (3) theft investigative methods, (4) concealment action, to an operations officer who supervised the
possibilities, (5) conversion possibilities, (6) symptoms teller, or to the proof operator who processed the credit
TA BLE 7. 1 E X A M P L E VU L N E R A B I L I T Y C H A R T
VUL NE R ABILI T Y C HART
POSSIBLE MOTIVE(S)
How How
What Who were How was are Key
was had assets theft assets Red flag Ration- Internal
taken? opportunity? moved? concealed? converted? symptoms? Pressures alizations Controls
Computer Teller Entering Destroying Unlimited Changed Tax lien Feels Use
deposit operations verified old or cre- behavior underpaid processing
officer credits ating a new New or poorly jacket
deposit slip Changed home treated
Proof operator Stealing lifestyle Certification
Divorce
check; Forged
Customer Teller
endorsing signature
complaint counts
it
Entering customer
credit in receipts
own
account Restrict
computer
access
Not allow-
ing employ-
ees to credit
their own
account
Goods Receiving Not Night Fenced Control not New car Passed Receiving
delivered trucker received followed over for report
Included Used Spouse promotion
Truck with trash personally Goods not laid off
counted
Over- Purchasing N/A Kickback Cash Extravagant Maintain Greed Bids

charged agent lifestyle lifestyle
for goods Hire spouse
Assets sold
inexpensively
to the customers account. Movement of the assets was Simple fixed-point or stationary observations can
easy and could have occurred by entering a credit in the be conducted by anyone. In conducting these observa-
wrong account, placing the checks (if the deposit in- tions, the investigator should locate the scene that
volved checks) in the cash drawer and withdrawing should be observed, anticipate the action that is
cash, stealing cash, or falsely endorsing checks. Conceal- most likely to occur at the scene, and either keep de-
ment was possible by destroying the customers deposit tailed notes on all activities involving the suspect or
slip, creating a new deposit slip, or forging a signature. record them on film or tape. The detailed records
Since the stolen funds involved cash, conversion oppor- should include the date and day of observation, the
tunities were unlimited. Symptoms observed might in- name of the observer, the names of corroborating wit-
clude changed behavior, an improved lifestyle, or nesses, the position from which the observation was
another customer complaint. Pressures motivating the made, its distance from the scene, and the time the
fraud could have involved a tax lien against the tellers observation began and ended, along with a detailed
property, an expensive new home purchased by the time log of all the movements and activities of the
proof operator, or a recent divorce by the operations suspect. An example of a surveillance log is shown
officer. Rationalizations could have involved the perpe- in Table 7.2. The person under surveillance was sus-
trators feelings of being underpaid or treated poorly. pected of taking kickbacks from a vendor.
Key internal controls that would have had to be overrid- Mobile observation, or tailing, as was used in the
den could have involved not allowing an employee to McDonalds fraud, is much more risky than stationary
enter credits into his or her own account, use of proces- surveillance. In one case, an internal auditor was shot
sing jackets in the proof department, the teller omitting at while tailing a suspect. While the potential rewards
certification, or restricted access to the computer system. for this type of surveillance are high and may include
Similar vulnerability charts can be prepared for identifying the receiver of stolen goods or the payer of
any potential fraud. For example, frauds involving bribes or kickbacks, the chances of failure are high.
stolen inventory and overcharged goods are also Tailing should only be done by professionals.
shown in the vulnerability chart in Table 7.1. The Electronic surveillance of employees, using video
advantage of using a vulnerability chart is that it cameras, is frequently used. Wiretapping, another
forces investigators to explicitly consider all aspects form of surveillance, is usually only available to law
of a fraud. enforcement officers. Electronic surveillance may have
limited value in the investigation of employee frauds
and many other white-collar crimes because of con-
Remember this
cerns regarding employees privacy in the workplace.
A vulnerability chart is a tool that coordinates However, it is useful in kickback-type schemes, such
the assets that were taken, individuals who had as the McDonalds case, where law enforcement is
theft opportunities, investigation methods, con- involved. Many corporations have instituted strict con-
cealment and conversion possibilities, symptoms trols over all forms of electronic surveillance, including
observed, pressures, rationalizations, and key video and wiretapping. However, most have policies
controls that had to be compromised. that state that all data on corporate computers, includ-
ing personal e-mail and documents, are property of the
corporation and can be used in investigations. Be sure
to check with legal counsel before proceeding with any
Surveillance and Covert Operations of these methods.
Surveillance and covert or undercover operations are Surveillance and covert operations are normally legal
theft investigation techniques that rely on the senses, as long as they do not invade a persons reasonable ex-
especially hearing and seeing. Surveillance or observa- pectation of privacy under the Fourth Amendment to
tion means watching and recording (on paper, film, or the Constitution, which protects the right of a person
magnetic tape) the physical facts, acts, and movements, against unreasonable searches. Again, legal counsel and
which form part of a fraud. The three types of surveil- human resource personnel should always be consulted
lance are: (1) stationary or fixed point, (2) moving or before any form of surveillance takes place. In addition,
tailing, and (3) electronic surveillance. Some form of all corporations and institutions should implement strict
surveillance is used in investigating most frauds, in- protocols regarding the use of any form of surveillance
cluding even financial statement frauds. in order to ensure that controls are in place and that a
T A B LE 7 .2 SU R V EI L L A N CE L O G
reasonable person test is given to any application. The
value of surveillance can be more than offset by em-
JANUARY
ployee problems caused by inappropriate or improper
2 9, 20 10
DA TE/ TIM E E VENT
application of the techniques.
Undercover operations are both legal and valid,
6:30 p.m. Instituted surveillance at Flatirons Country provided they are not used as fishing expeditions.
Club, 457 W. Arapahoe, Boulder, CO. Undercover operations are extremely costly and time
6:40 p.m. Alex Tong and unidentified white male consuming and should be used with extreme care.
seen leaving racquetball courts and Undercover investigations should be used only when (1)
entering locker rooms. large-scale collusive fraud or crime is likely, (2) other
7:00 p.m. Both men seen leaving locker room. methods of fraud investigation fail, (3) the investigation
can be closely monitored, (4) there is significant reason
7:05 p.m. Tong and white male enter club restaurant
and order drinks. White male orders beer; to believe that the fraud is occurring or reoccurring, (5)
Tong orders orange liquid drink. the investigation is in strict compliance with the laws
and ethics of the organization, (6) the investigation
7:10 p.m. Both men order dinner.
can remain secretive, and (7) law enforcement authori-
7:25 p.m. Dinner arrives. Tong has white, cream- ties are informed when appropriate evidence has been
based soup and club sandwich. White male
accumulated.
has steak and potatoes.
7:30 p.m. Break: Surveillance terminated. C A U T I O N Surveillance and covert activities can be
7:36 p.m. Surveillance reinstituted. Both men still dangerous to you and your case when used incorrectly or
eating at table. without the proper training.
7:55 p.m. Tong goes to restroom. White male
remains at table. Three illustrations of actual undercover operations
8:00 p.m. Tong returns to table. highlight some of the risks involved. In the first instance,
which was successful, collusive fraud was suspected. The
8:15 p.m. Both men order a drink each.
undercover agent was able to get valuable evidence that
8:25 p.m. White male requests check. led to the conviction of several individuals. The other two
8:30 p.m. Check arrives and is presented to white undercover operations, which were unsuccessful, con-
male. White male hands credit card to cerned suspected drug dealing at manufacturing facilities.
waitress without examining check. Drug dealing is an activity that no organization can tol-
8:35 p.m. Waitress returns, gives bill to white male, erate, because if an employee purchases and uses drugs
who signs bill. Waitress gives yellow slip on the job and then is involved in an automobile
to white male. No indication of Tong accident on the way home from work, for example, the
attempting to pay check. organization may be legally liable for damages. In
8:40 p.m. White male removes envelope from port- the second operation, the agent became fearful and quit.
folio and gives it to Tong. Tong looks In the third operation, the agent became sympathetic to
pleased and places envelope in his pocket. the suspects and was not helpful.
Twosome leaves and is seen getting into With developments in technology, many companies
a Mercedes Benz and a 2008 Lexus, are using database searches and artificial intelligence sys-
respectively, and driving away.
tems to provide surveillance or filter huge amounts of
8:45 p.m. Waitress is interviewed. She displays a data and identify suspicious transactions. These methods
copy of a Citibank Gold MasterCard were discussed in Chapter 6 and are part of the proactive
charge slip in the name of Christopher D.
method of fraud detection. Instead of tailing or following
Ballard, account number 5424-
1803-1930-1493. Card expires 03/2009.
individuals, programs using artificial intelligence now tail
The amount of the check is $78.65. Wait- or monitor transactions to find transactions that are un-
ress is given $20 cash tip for information. usual or look suspicious. For example, it has been esti-
9:00 p.m. Surveillance terminated.
mated that credit card fraud costs the industry about $1
billion a year, or 7 cents out of every $100 spent on
plastic. But the estimate is down significantly from its for multiple users to review and manage the alerts that
peak about a decade ago. This decrease is due, in large are generated and the patterns that are used.
part, to the use of powerful technology that works like a Whether the surveillance is manual or electronic, ob-
surveillance camera and can recognize unusual spending serving someones activities is a fraud detection tool that
patterns. Many of us have been participants in this credit attempts to catch fraud and other types of crime at the
card surveillance activity. Have you ever made a large or theft act stage. Those who use such methods are not
unusual charge purchase and had the credit card com- trying to understand the cover-up or concealment of
pany contact you to make sure the purchase was made by fraud or even how the money is being spent, unless, of
you? Its surveillance tracking system likely recognized the course, the spending of the money is the actual theft act
transaction that appeared unusual given your typical as it would be with credit card fraud.
spending habits.
Driven by needs ranging from security to fraud pro-
tection to quality of service, applications for monitoring, Invigilation
surveillance, and recording are growing in importance Invigilation (in-vij-uh-ley-shun) is a theft act investi-
and sophistication. In telecommunications systems, for gative technique that involves close supervision of sus-
example, signaling protocols provide access to databases pects during an examination period. Such strict
and real-time call establishment requests containing temporary controls are imposed on an activity that,
highly detailed and useful information regarding loca- during the period of invigilation, makes fraud virtually
tions, calling patterns, destinations, duration, and call impossible to commit. As we have already indicated,
frequency. These data are often mined for a variety of opportunity is one of the three conditions that must
functions from traditional call-setup to billing, while sig- exist before fraud can occur. When controls are made
naling traffic can also be monitored for quality of ser- so strict that opportunities to commit fraud are nonex-
vice, fraud prevention, legal intercept, and billing. These istent, a fraud-free profile can be established. Compa-
capabilities can greatly enhance service providers efforts nies normally do not implement controls at this level
to reduce expenses, preserve capital, and retain custo- because their detail is cost prohibitive. However, during
mers. They can also provide telecommunications ven- a fraud investigation, changes seen between the control
dors with a vast source of information from which periods highlight where fraud may be occurring.
they can build new applications and revenues. The use of detail record keeping before, during, and
As a final example of electronic surveillance, con- after invigilation is key to this method. The diagram
sider the tracking system used by the Financial Indus- in Figure 7.3 outlines invigilation.
try Regulatory Authority, Inc. (FINRA). FINRA is the The following is an example of invigilation to detect
largest securities industry self-regulatory organization a fraud involving inventory losses:
in the United States. FINRA develops rules and regula-
tions, conducts regulatory reviews of members activi-
An oil distributor was experiencing inventory losses of 0.23
ties and designs, and operates and regulates securities
percent of the inventory. The manager suspected that fraud
markets all for the benefit and protection of investors.
was taking place but was not sure how or when. Observa-
FINRA is contracted to oversee security firms, pro- tion and other investigative methods failed to produce evi-
fessional training, testing, and licensing on all the ma- dence. For a 30-day period, the installation was saturated
jor U.S. stock markets. The market regulation with security guards and auditors. Every movement of
department is responsible for monitoring all activity goods both in and out was checked, all documents were
to ensure compliance with market rules in order to verified, and inventory and equipment were regularly
provide a level playing field for all market participants reviewed. During the period of invigilation, losses ceased.
and investors. An automated system screens all trades After the invigilation, records kept at the plant were exam-
and quotes according to approved, standardized crite- ined for absolute, proportional, and reasonableness
ria to identify potential violations for review and, if changes during the invigilation period. Two service sta-
tionswhich before the exercise had bought an average
appropriate, regulatory action.
of only 2,000 gallons of gasoline a weeksuddenly dou-
Fraud detection capabilities are provided through
bled their orders. During the 30 days, in fact, each received
rule and sequence-matching algorithms, which are more than 19,000 gallons. In addition, a shift foreman, who
used to detect instances in the database that match pat- in 23 years of service had taken no sick leave, was away
terns that could indicate fraud. The surveillance techni- from work on 19 of the 30 days. Two or three months
ques provide customized visualizations for depicting the were allowed to elapse, and during this time, covert obser-
relevant relationships in the data, as well as capabilities vation was maintained on the service stations, whose
FI GU RE 7.3 INVI GILATIO N DI AGR AM
Before invigilation
(Detailed records are maintained)
14 30 days
Invigilation Period
(Detailed records are maintained)
14 30 days
After Invigilation
(Detailed records are obtained)
14 30 days
orders by this time had reverted to 2,000 gallons per week. one month, Mark was to inform all employees that the
Using night vision equipment and cameras, unrecorded de- sale had fallen through and that he was not going to sell
liveries to the service stations were detected. The owners the shop. Following the invigilation period, Mark was again
were interviewed, and their books were examined. They to copy bank statements and other cash records for one
were subsequently charged with fraud extending back month. To Marks surprise, cash paid by customers as a
two years and involving 62,000 gallons of gasoline. percentage of total receipts (customers either paid by
check, credit card, or cash) was 7 percent before the invigi-
lation period, 15 percent during the one-month invigilation
This example of invigilation took place in a large period, and again approximately 7 percent in the month
company and involved losses in inventory. Invigilation following the invigilation period. Faced with the evidence,
can also be used as a fraud investigation tool in smaller John admitted that he had been embezzling cash from
organizations. The following example illustrates such a Marks business. A subsequent analysis revealed that the
scenario: total amount he had stolen exceeded $600,000.
Mark owned an auto tune-up shop. The company had 12

Invigilation is an investigative technique that can be
bays, 12 mechanics, and 1 accountant, John, who Mark
completely trusted with all accounting duties, including
expensive. It should be used only with managements
cash receipts, bank deposits, the writing of checks, payroll,
approval, and it should be restricted to a discrete and
and taxes. Each year, Marks business serviced more cars, self-contained area of business. Most commonly, it is
but each year cash flows became worse. Not knowing what used in such high-risk areas as expensive inventory,
to do, Mark consulted a friend, who was a CPA. The friend areas with poor controls over the receipt and loading
performed various cost, volume, and profit analyses and of goods, and areas with poor controls over accounting
informed Mark that he should be profitable. He suggested records.
to Mark that maybe someone was embezzling money. When using invigilation, management must decide
Marks reply was that the only one that was in a position on the precise nature of the increased temporary con-
to embezzle was John. The CPA friend encouraged Mark
trols necessary to remove fraud opportunities. Past re-
to try an experiment. He suggested that Mark first make
cords should be analyzed in order to establish an
copies of all bank statements and other cash records for
operating profile for the unit under review. This profile
one month. Next, Mark should tell all employees, including
John, that he was thinking about selling the shop and that must include such things as normal losses, the number
the prospective buyer insisted on daily audited records for and nature of transactions per day, the number and
one month. During this month, an outside CPA would type of exceptional transactions, and the number of
come daily to count cash receipts, make bank deposits, vehicle movements in and out of the facility. To get
write all checks, and check on parts and inventory. After an accurate reading, it is generally agreed that the
invigilation period must be at least 14 days in length. In

individual cases, however, the optimal duration will de- Burns used a four-digit number preceded by xx, which
pend on the frequency and nature of transactions. was imprinted on the burlap covering of a sofa shipped
from the United States to Costa Rica. In the sofa were hid-
Invigilation should be used wisely and with caution
den nearly 1 million counterfeit pesos. By tracing the clue
because it can backfire in some cases. One company,
to its source, Burns gained a great deal of evidence, blew
for example, was suffering significant small tool losses the case wide open, and was instrumental in sending the
from its manufacturing plant. To determine who was counterfeiters to Sing Sing State Prison. The steps that
taking the tools, the company decided to inspect all Burns took in making the investigation are as follows:
workers lunch boxes as they exited the facility. The
1. Located and called on burlap manufacturers.
practice so upset employees that it caused a work slow-
2. Learned the significance of the imprinted number
down that was more expensive than the fraud losses.
on the burlap covering and how it might help in trac-
ing the specific piece of burlap to its purchaser.
3. Dug for the precise four-digit order number in a pile
Remember this of old, discarded order forms.
Invigilation is a technique that imposes signifi- 4. Located the retail dry goods store that had sold the
cant controls to make fraud impossible to com- particular piece of burlap.
5. Asked a retail clerk about the specific purchase and
mit for a period of time. Profiles and trends can
obtained a description of the person who had pur-
be found by analyzing the differences in the
chased the burlap: a little old lady dressed in black
before, during, and after invigilation periods. and wearing a shawl.
6. Located the purchaser. (Burns later learned that she
had bought the burlap for her son-in-law.)
Physical Evidence 7. Invented a pretense to take the young retail clerk with
him to call on the lady, so that the clerk would later be
Physical evidence can be useful in some cases, espe- able to identify her.
cially those involving inventory where physical stock 8. Checked out a number of furniture moving compa-
can be counted and missing inventory can be searched nies to locate the one that had moved the old couch
for. However, in most cases, physical evidence, like a containing the pesos to the docks.
fired bullet or a dead body, is more associated with 9. Questioned a succession of dockhands until he found
nonfraud types of crimes, such as property crimes, one who remembered loading the sofa. The dock-
murder, rape, and robbery. Because fraud is rarely hand also remembered the undue concern of a dark,
seen and has few physical symptoms, physical evi- handsome man, who constantly urged the dockhands
dence can often be difficult to find. to handle the sofa with care. The dockhand said he
was sure he could identify the man.
Gathering physical evidence involves analyzing ob-
10. Located the man who had been so concerned for the
jects such as inventory, assets, and broken locks; sub-
safe shipment of the sofa.
stances such as grease and fluids; traces such as paints 11. Discovered that the man, whose name he now knew,
and stains; and impressions such as cutting marks, tire had made a trip to Costa Rica shortly before the
tracks, and fingerprints. Physical evidence also involves shipment of the peso-packed sofa. He had been
searching computers. For example, physical evidence accompanied by a beautiful woman who traveled un-
was used to discover who was involved in the 1993 der her real name.
bombing of the World Trade Center in New York 12. Learned who had engraved the counterfeit plates used
City. The vehicle identification number engraved on to print the pesos. The engraver turned out to be the son
the axle of the rented van that contained the explosives of a lithographer in a plant owned by the two people
made it possible to trace the van to a rental agency. who had traveled to Costa Rica. The chief product of the
plant was revolutionary literature that tied in with the
When the perpetrator came back to the rental agency
plot to overthrow the Costa Rican government.
to recover his deposit and make a claim that the van
had been stolen, the FBI arrested him.
Another example of the use of physical evidence in-
volved the famed detective, William J. Burns, who once
solved a counterfeit currency conspiracy by tracking Electronic Evidence
down a single clue to its source. Here is how he used One type of physical evidence that has seen a signifi-
the clue to solve the case. cant increase in use in recent years is electronic
evidence. The gathering of electronic evidence is usu- having an affair with someone in Puerto Rico. While man-
ally termed computer forensics. Today, it is rare that agement didnt approve of the activity or the use of
the confiscating and searching of computers is not as- corporate resources for personal calls, the executives were
relieved that Jacks behavior did not involve company pa-
sociated with a fraud investigation. The following case
tents or other work-related issues. Management dropped
illustrates where electronic evidence can be the smok-
the case, and Jack was exonerated as a fraud suspect.
ing gun in a case:
Because of the wide variety of electronic media

The management of a company suspected that kickbacks available today, the process for gathering electronic ev-
were occurring between an employee, Mary, and an external
idence may vary from device to device. For example,
vendor, ABC, Inc. In the evidence-gathering stage of the case,
cell phones and PDAs have limited solid state memory,
Marys e-mail was searched by going through back e-mails
on the corporate server. Investigators found an e-mail that
while computers have significant amounts of both
became the basis for the entire case against Mary. memory and hard drives. For this discussion, well as-
Allegedly, the kickback relationship between Mary and sume you are investigating data on a computer hard
ABC had deteriorated over time to the point where ABC drive and give the general process for obtaining elec-
had quit giving Mary her kickbacks. Since Mary had been tronic evidence from hard drives. In practice, you can
keeping detailed records of all purchases from ABC, she modify this process for each specific device.
prepared a spreadsheet that listed each transaction, her You should normally work with IT support person-
appropriate percentage, and the side payments from ABC nel and legal counsel to gather electronic evidence be-
to her. The result at the bottom of the spreadsheet showed cause of the significant amount of technical knowledge
a large amount owed to Mary.
it takes to perform the tasks correctly. For example, if
Mary then proceeded to write a flaming e-mail to ABC
you incorrectly seize a hard drive, you may damage its
regarding its negligence in paying her, and she attached
the spreadsheet to her e-mail. When investigators found
data or make it inadmissible in court. This chapter
this e-mail in her sent mailbox, they retrieved a foundation gives an overview of the steps that should be performed
piece of evidence. so you can work effectively with these people.
C A U T I O N The gathering of electronic evidence is a

Another example shows where an employee was highly technical task that must be performed correctly. You
exonerated through electronic evidence. may want to include a computer forensics specialist on
your team.
Jack was a computer programmer at a small startup com-

pany in Atlanta. His behavior became more erratic as the
The general process for gathering electronic evidence
weeks went on, and finally management looked into his is given in Figure 7.4. These steps are explained next.
phone records. The phone records showed many calls
that were out of the ordinary. For example, on a holiday
Step 1: Secure the Device and Perform
when Jack was the only person in the office, management
Initial Tasks
found that he called a hotel room in Puerto Rico several The first step in any electronic evidence collection is
times, and each call was several hours in length. One call the seizure of the device. Be sure that you have the legal
in particular was over 10 hours long. right to seize the hardware by checking with the cor-
The company held several patents and suspected that porations policies and legal counsel. When you seize the
Jack might be selling company secrets. They surmised hard drive, exercise care with respect to chain of cus-
that the long calls might have been modem connections tody, evidence marking, and so forth. Take pictures of
to Puerto Rico through which he transferred data to an out- the seizure site and have neutral witnesses on the scene.
side source. The hotel room might have been used be-
These topics are discussed at length in Chapter 9.
cause it provided a level of anonymity for the receiver.
Recently, it has become common to get a snapshot
Management hired a fraud investigator to analyze Jacks
computer after work one night. The fraud investigator
of active memory before turning the computer off. The
started Jacks computer with a self-booting CD to bypass computer programs described later in this chapter are
his passwords so his operating system log files would not capable of taking a snapshot of memory. Be careful
show the activity. As the night continued, it became increas- because every action you take on the computer poten-
ingly obvious from digital photos at the beach, e-mail com- tially overwrites empty space and could invalidate the
munications, and letters on his computer that Jack was hard drives admissibility in court. Your IT staff may
FI GUR E 7 .4 PROCESS FOR GATHERING would take additional, unneeded time. The data re-
ELECTRONIC EVIDENCE mains accessible in special recovery utilities until an-
other program writes to that location of the disk. This
Step 1:
fact is extremely important for fraud examiners because
Secure the device and perform initial tasks subjects may delete important files in an attempt to
hide their frauds.
A cyclic redundancy check (CRC) number is a
Step 2:
calculation (using encryption algorithms) based on
Clone the device and calculate a CRC checksum
the contents of a disk or file. CRC numbers are engi-
neered so that even small changes in the source data
Step 3: will produce significantly different checksum results.
Search the device manually Checksums have been used in court cases to prove
that data have not been adversely affected during anal-
Step 4: ysis. By calculating the checksum number immediately,
Search the device using automated procedures you can prove later (1) that your cloned hard drive
exactly matched the original drive (by running the
checksum on both drives and comparing) and (2)
that you have not modified data since the hard drive
recommend or counsel against this action, depending was seized. Checksums have a wide variety of uses; for
upon the case and technology being investigated. example, they are integral to the Internet because they
After these preliminary steps, turn the computer off ensure that packets of data are not modified during
by cutting power to the machine (or removing the battery transit from one computer to another. The checksum
on laptops). Do not turn the computer off normally be- is calculated and sent with the packet. The receiving
cause doing so will overwrite important parts of the disk. device recalculates the CRC and compares it with the
When most operating systems shut down, they clear im- sent number. If the two are different, the data were
portant disk caches that might contain evidence. Cutting likely damaged in transit, and the receiving side auto-
power to a computer ensures that the operating system matically requests the packet to be sent.
does not have the opportunity to modify the disk further. The two primary checksum methods used today
Note that this is a general rule; some modern devices can are the MD5 and SHA-1 algorithms. MD5 is an older
become unstable if they are not properly shut down. As algorithm; SHA-1 was developed to replace it, and it is
with cloning a devices running memory, recommenda- often considered more advanced and secure. Both
tion of cutting power is device and case specific. are commonly used in forensics. Table 7.3 shows the
SHA-1 result for two sentences. Note that a change in
Step 2: Clone the Device and Calculate only two letters produces a significantly different result.
a CRC Checksum The SHA-1 result is always the same length regardless
Once the disk is in your custody, clone the entire hard of the length of the input data. The result is a number
drive to a separate copy and calculate a checksum to that is normally shown in base-16 (hexadecimal).
validate its authenticity. Seal away the original disk as
you would any other type of physical evidence. All fur- Step 3: Search the Device Manually
ther investigation is done on the cloned copy. This step Because software packages make it so easy to run auto-
is important so you keep the original disk in its seized mated searches, many investigators skip the most obvi-
state. If you accidentally modify data or ruin the disk ous and often most fruitful step in analysis: searching
during analysis, you can create a new clone and con- the hard drive manually. Each operating system has a
tinue analysis. It is also important to show in court that common directory layout that helps in investigation.
you have not modified the original hard drive.
When cloning the hard drive, use software that T A B L E 7 .3 S E C U R E H A S H A L G O R I T H M
copies bit for bit. A typical hard drive contains a sig-
DA TA SH A-1 HEXADECIMAL RESULT
nificant amount of empty space that may contain
valuable evidence. When a file is deleted on a disk, its The fat cat sat 919d1cb454e3225455fd41c402b9f89ba5a0b8c8
space is marked as empty in the disks index. The data
The fat cat met 4458151a5f69f0911c2bb745b98eb843db12481e
are not actually removed from the disk because removal
For example, all modern operating systems generally Forensic Software Packages
save documents in the Documents directory by de- Computer forensics is a fast-growing field with many
fault. Graphics and pictures are saved in the Pictures software vendors. Many universities now have degrees
directory, and movies are saved in the Videos direc- or specialties in computer forensics. While new soft-
tory. Manually searching these common locations al- ware is constantly being developed for forensics,
lows an investigator to use human intuition while Guidance Softwares EnCase Forensic Edition and Ac-
searching. Automated searches, while also useful, cessDatas The Forensic Toolkit (FTK) are in common
sometimes overlook near matches that are obvious use today. These software packages lead the investiga-
hits to a human searcher. tor through the entire process described earlier and en-
Common areas of the disk to search include the sure that important steps are followed correctly. They
following: support the tasks of cloning, CRC calculations, and
Computer logs such as Web activity, recent files searching using a variety of methods.
on the Start menu, Web favorites, and the browser Many open source packages are also available for
history. The browser history can often highlight computer forensics. Some of these, such as e-fense
the existence of online e-mail account, online data Inc.s Helix or Remote-Exploit.orgs BackTrack, come
storage, common searches, or other useful locations. as bootable CDs that support the investigation and
The Documents, Videos, Pictures, and related folders searching of computers. For example, Helix was used
since most applications save data to these locations. to investigate the phone calls made to Puerto Rico in
The trash can or recycle bin. the case described earlier in this chapter. Since manage-
USB keys, CDs, or other media found around ment was not ready to start a case (i.e., seize the com-
the computer. puter, clone the data, etc.), the investigator used a
Recently loaded files listed in the File menu of bootable CD to boot the computer, bypass passwords,
many applications (such as Microsoft Word or and search the drive without ever starting the normal
Excel). operating system. These CDs generally have very ad-
Chat logs and e-mail client caches. For example, vanced tools for password cracking, searching using a
most Instant Messenger clients save conversations method called regular expressions, and network analysis
in the background. programs. The open source solutions are generally not
as easy to use as EnCase or FTK, and they do not have
the same precedence in court. However, they are ex-
Step 4: Search the Device Using
tremely useful in the right hands and in the right
Automated Procedures
circumstances.
After manual search methods are exhausted, investigators
should search the entire hard drive (including empty
space) using keyword and other automated searches. E-mail Systems
For example, in a case involving interactions between E-mail systems often prove to be an incredible reposi-
Dave Smith and Jan Johansen, keyword searches for these tory of communications between suspects and other
names in the same document are useful. Because modern people. It is surprising how many people still believe
investigative software packages index the entire hard e-mail to be a secure method of communicating.
drive for keywords, these searches can be done quickly A single e-mail can become a smoking gun on which
and easily. Some packages support the use of powerful an entire case is based. In todays world of electronic
pattern matching languages, keyword proximity searches, media, e-mail should nearly always be considered dur-
or even sentence comprehension using natural language ing investigation.
processing (such as finding instances of the word Today, many different communication methods be-
purchase only when used as a noun). yond traditional e-mailsuch as text messagesare
Additionally, the software packages usually present being analyzed during investigations. For example, in
summary statistics about the hard drive (number of some countries, more people have cell phones than
documents, spreadsheets, most recently opened files, have computers. Consequently, text messaging is used
etc.). They find and show common files in areas like much more than traditional e-mail and provides a
a picture gallery of every graphic file on the hard drive. better information source for investigations. Regardless
See the documentation for your software for its search- of the media being investigated, the process is generally
ing capabilities. the same.
E-mail is given special consideration because copies amounts of incoming cash because no credit cards or
often exist in many places: on the sending computer, on checks were accepted. However, a huge risk existed that
the two (or more) e-mail servers involved in transmis- employees would figure out a way to divert incoming
cash into their own pockets.
sion, and on the receiving computer. With some e-mail
Larry Swenson, Northern Exposures owner, was not
servers, messages only reside on the server; seizing the
satisfied with the 10 percent margins being realized. He en-
client laptop will not allow you to search e-mail. Talk gaged two fraud examiners to determine why the club was
with your IT support personnel to understand the type not generating the 35 percent margins he had expected.
of e-mail used in each case and how it can be searched. They embarked upon a typical fraud examination, whose
One type of e-mail, Web-based e-mail within a steps include understanding cash controls, generating
users browser, is especially difficult to search. Hotmail, fraud theories, collecting and evaluating evidence, estimat-
Yahoo! Mail, and Gmail are examples of this type of ing losses, assisting in filing claims or bringing charges,
e-mail. In these cases, all e-mail is stored at the provi- and making recommendations.
ders site, and you will likely need a warrant to access it. By interviewing Swenson and other personnel, the fraud
However, some information may still be on the hard investigators learned that cash flowed into the business as
follows: Customers paid a $6 cover charge to enter the club.
drive in the form of cached Web pages and can be
No receipt was given, nor was a head count made. Custo-
found with keyword searches. In fact, the user may
mers placed orders for food or beverages with the servers.
have even saved his or her Webmail passwordtaking The servers started out with $40 in a cash pouch. They paid
the users Web browser to his or her Webmail site may the bartenders for their orders from this pouch and then col-
autofill the username and password fields. The legality lected payment from the customer. At their shifts end, the
of this and all approaches discussed in this chapter var- server gave the initial $40 back to the manager and kept the
ies based on your country and situation. Always check difference as tips. At the end of the night, the manager
with legal counsel to ensure that your planned methods counted the cash and closed out the cash registers; the cash
are both legal and ethical. was deposited by the manager the next morning. Changes in
beer and liquor inventory were not reconciled to the drinks
rung into the cash register, nor were the register tapes recon-
A Comprehensive Example of ciled to deposits listed on the bank statements.
The fraud examiners determined that it would be rela-
Using Theft Act Investigation tively easy for employees to steal and not be caught, based
on the control levels they discovered. They developed the
Methods following fraud theories:
To conclude this chapter and illustrate the value of Employees collecting the $6 cover charge could pocket
theft act investigation methods, lets review excerpts some of the money or allow free admission to friends.
from an article written by Thomas Buckhoff and James Servers and bartenders could get drinks for custo-
Clifton that appeared in The CPA Journal entitled mers, not ring them into the registers, and pocket
Exotic Embezzling: Investigating Off-Book Fraud the cash received from the customers.
Schemes. The investigators in this fraud case made Anyone with access to the cash registers (i.e., ser-
extensive use of both surveillance and invigilation. vers, bartenders, and the manager) could simply
take cash directly from the registers.
The manager could perpetrate any of the schemes
Northern Exposure (case names changed) was a gentle- available to the employees and could steal part of
mans club featuring exotic dancers. Its primary revenue the deposit.
sources were cover charges and food, beer, and liquor
Off-book frauds such as the first two are called skimming
sales. A recent local ordinance outlawed the type of enter-
and are essentially unrecorded sales. The second two would
tainment offered by Northern Exposure. The clubs man-
be considered on-book frauds. Because there was a transac-
ager, however, successfully petitioned the city council to
tion record, the fraud could be detected by reconciling the
obtain an exemption, and Northern Exposure was allowed
cash register tapes to the deposits. In Northern Exposures
to continue operations in a competition-free environment.
case, however, cash register printing ribbons were not re-
The substantial effort by the manager on the clubs behalf
placed on a timely basis, resulting in illegible tapes.
earned her the owners trust and loyalty. In the initial fraud
investigation interview, the owner said that anyone could
be a suspectexcept the manager. Collecting and Evaluating Evidence
Because of the exemption, the clubs profit potential Indirect investigative methods were used to test the four
was enormous. Northern Exposure generated huge possible fraud theories. Financial statement analysis is
one such method that can be used to test all four fraud the- The first day brought an incident that greatly height-
ories presented. If employees are indeed stealing cash ened the perception of detection. Meals were served down-
from the club, then the actual sales markup-over-cost ratios stairs, away from the live entertainment area. Suspecting
are expected to be less than the budgeted ratios. Accord- the single server working downstairs of skimming money
ingly, the fraud investigators determined the actual from food sales, one of the investigators conducted a sur-
markup-cost ratios for beer and food sales. Beer was pur- prise cash count and reconciled cash rung into the register
chased for $0.60 per bottle and then sold to customers for to meals prepared by the cooks. The server had skimmed
$3 each, a markup of 500 percent. Food items costing $5 $25 in the first hour she worked. When confronted with the
were sold to customers for $12.50, a 250 percent markup. evidence, the server confessed and was immediately termi-
One years budgeted revenue was calculated, based on nated. News quickly spread to the other employees, who
cost of sales and expected markup ratios, and then com- realized that their activities were indeed under close sur-
pared to one years actual revenue. The significant differ- veillance. No other employees were caught skimming dur-
ences in ratios clearly supported the fraud theoriesin ing the remainder of the invigilation.
fact, food sales were less than their cost of sales! Using During the invigilations first night, a Friday, $8,300 in
this indirect investigative method, the total estimated an- cash was deposited into the bankthe largest sum for
nual fraud loss due to skimming or cash larceny was one night in the entire 15-year history of the club. This oc-
$379,974. curred on what was considered a slow nightunlike the
The investigators now knew that the club had a big previous week, which had seen near-record attendance.
problem with fraud; determining which employees were The manager and employees all soon realized that setting
responsible came next. Undercover surveillance can be such a record on a slow night reflected poorly on them.
used effectively for identifying dishonest employees. Pos- This convinced Swenson that his employees were stealing
ing as customers, a team of six trained fraud investigators from him, and he wanted to fire everyone on the spot. The
(with experience as bartenders and servers) spent a collec- investigators persuaded him to allow the invigilation to
tive 40-hour week at the club observing the employees ac- continue for the entire week as planned. The results of the
tivities and behavior. This surveillance revealed that 90 week-long invigilation are summarized as follows:
percent of them, including the manager, regularly stole Gross cash receipts during the invigilation were
cash from the club, with little regard to subtlety. The rea- $30,960, compared with $25,775 the previous week and
son that employees never complained about salary levels, $22,006 for the annual weekly average. The revenue during
despite low base wages and a lack of raises, became clear. the week of invigilation exceeded the average weekly reve-
In fact, several servers and bartenders had been there nue by $8,954 and the previous weeks revenue by $5,185,
for years, which is highly unusual for this type of club. despite being a slow week. The above differences implied
The lead investigators communicated their findings to that at least $259,250 and as much as $447,700 was skimmed
Swenson, who, though concerned, was reluctant to take ac- per year. (After changes were implemented following the in-
tion without more substantive evidence of employee theft. vestigation, the remaining nine months sales were $300,000
To more firmly establish the fraud losses and estimate higher than for the same period in the prior year.)
their amount, the fraud investigators conducted a week- Swenson no longer doubted that his employees were
long invigilation. As discussed, in invigilation, the cash re- stealing from him. As noted earlier, Swenson had had diffi-
ceived and deposited during the invigilation period is com- culty believing his manager was stealing because of her
pared to the periods before and after. As an indirect efforts to exempt the club from the city ordinance. It be-
investigative method, invigilation can be very effective in came apparent that these efforts were motivated by a de-
estimating fraud losses. The key to invigilation success is sire to protect her illicit cash flow.
making the employees think that any theft during that pe- Employee interviews were held during the week of the
riod will be detected. Instilling the perception of detection invigilation. Their purpose was twofold: to further enhance
in this case was accomplished by sending in the same the perception of detection during the invigilation period
team of six investigators to watch the employees for one and to provide employees with an opportunity to report
week. The clubs employees and manager were informed any fraudulent activities. Very specific questions were
that the investigators were there to make sure that every asked during the interviews, based upon information from
dollar collected from customers made it into the bank at the prior undercover surveillance and the ongoing invigi-
the end of the day and that changes in consumable inven- lation. While no one admitted to stealing, they did impli-
tories were properly accounted for. During the invigilation, cate fellow employees; many claimed that manager Betsy
the investigators conspicuously watched employees han- Smith was the primary thief.
dling cash, conducted surprise cash counts, reconciled During her interview, Betsy Smith was confronted with
changes in inventory to cash register tapes, monitored the evidence from the undercover surveillance, invigilation,
end-of-night cash counts, and witnessed the daily cash and employee interviews. After two hours, she admitted to
deposits. stealing almost $100,000 over three years. Her admission
was converted to a written statement, which she ultimately Describe the nature of surveillance and covert
signed. The statement detailed the amounts she had operations. Surveillance and covert operations
skimmed, when she had done so, and the various techni- are theft act investigative methods that usually in-
ques (skimming from liquor sales, bank deposits, video
volve observing or listening to potential perpetra-
sales, and food deliveries) she had used. An attached sum-
tors. Possible surveillance and covert operation
mary totaled the funds skimmed by source. Since evidence
collected in resolving off-book fraud schemes is mostly in-
methods include recording conversations, tailing,
direct and circumstantial, obtaining a signed admission using cameras, using undercover agents, or observ-
statement greatly facilitates the filing of employee dishon- ing individuals in various settings.
esty insurance claims or criminal charges. In this case, Understand the effectiveness of invigilation to
such a claim was filed by the fraud investigators on behalf investigate fraud. For fraud to occur, three ele-
of Northern Exposure. ments are necessary: pressure, opportunity, and
The insurance company restituted Northern Exposure rationalization. Invigilation involves implementing
for the maximum coverage amount provided by its policy, such strong control procedures or observations
$50,000. Clearly, the coverage amount was inadequate that fraud is impossible to perpetrate or is obvious
given the exposure to risk for such a cash-intensive busi-
when it is perpetrated. Invigilation allows investiga-
ness. As required by the insurance provider, evidence col-
tors to compare results prior to implementing the
lected during the fraud examination was turned over to
local law enforcement for prosecution.
controls, while implementing the fraud-eliminating
controls, and the post period when fraud-
constraining controls are lifted. Invigilation allows
investigators to compare results (profits, inventory
Review of the Learning movements, revenues, etc.) when fraud is and is not
occurring. In addition to helping investigators un-
Objectives derstand if fraud is occurring, invigilation can also
help estimate the amount of the fraud.
Discuss theft investigation methods and how Explain how to obtain physical evidence and
they are used to investigate suspected fraud. how it can be used in a fraud investigation. Typ-
Theft act investigation methods include activities ical fraud investigators are usually not very famil-
that directly investigate the theft act (not conceal- iar with gathering physical evidence such as tire
ment or conversion) element of fraud. Their pur- tracks, broken locks, stains, fingerprints, etc. As a
pose is to catch perpetrators in the act of result, most often, fraud investigators use law en-
committing fraud and include such investigative forcement officials or consultants to obtain physi-
methods as surveillance, invigilation, obtaining cal evidence.
physical evidence (e.g., tire tracks, broken locks, Understand how to seize and analyze electronic
etc.), and gathering electronic evidence (e.g., information from cell phones, hard drives,
e-mails, text messages, etc.) e-mail, and other sources. Electronic evidence is
Understand how to coordinate an investigation, extremely useful evidence that, because of its tech-
using a vulnerability chart. When beginning a nical nature, usually involves IT support personnel
fraud investigation, an investigator usually tries to and legal counsel in gathering. There are several
develop theories about who committed the fraud, steps in gathering electronic evidence: (1) secure
how the fraud was committed, etc. One way to do the device, (2) clone the device (cell phone, com-
this is to prepare a vulnerability chart which coor- puter, etc.) and calculate a CRC checksum,
dinates all the elements of the fraud: which assets (3) search the device manually, and (4) search
were taken, who had theft opportunities, possible the device using automated procedures.
theft methods, concealment possibilities, conver-
sion possibilities, symptoms observed, pressures
on various individuals, rationalizations that were KEY TERMS
heard or could have justified someone to commit theft act investigations, computer forensics,
the act, and key internal controls that were missing p. 212 p. 219
or could have been overridden. Often, tying these surveillance, p. 212 cyclic redundancy check
elements together provides initial indications of vulnerability chart, p. 213 (CRC) number, p. 220
who could have committed the fraud. invigilation, p. 216
QUESTIONS 9. Investigation of fraud should only take place when

predication has first been established.
Discussion Questions 10. If possible, when using theft act investigation
methods, interviewing the prime suspects should
1. How are theft investigative methods used to inves- happen last.
tigate suspected fraud? 11. Tailing includes the use of video, e-mail, wiretap-
2. What factors should be considered when deciding ping, and access to PCs.
whether or not to investigate a case of fraud? 12. Invigilation is a theft act investigative technique
3. How does a vulnerability chart help coordinate an that involves close supervision of suspects during
investigation of suspected fraud? an examination period.
4. What is a surveillance log? 13. To get an accurate reading, it is generally agreed
5. What is invigilation? that the invigilation period should be at least four
6. How is physical evidence used to investigate fraud? days in length.
7. What are the steps to collecting electronic evidence? 14. In determining which investigative method to use,
8. Why is it important to use investigation techniques it is most important that investigators focus on the
that will not arouse suspicion among possible costs of each possible method.
perpetrators? 15. Seizing and searching computers is illegal because
9. Why is it important to consult legal counsel and it infringes on the rights guaranteed by the Fourth
human resources before any form of surveillance Amendment to the Constitution.
takes place? 16. It is impossible to retrieve the data from a file that
10. What role does the Fourth Amendment to the has been deleted on a computer.
Constitution play in cases of fraud investigation? 17. The SHA-1 checksum method is more advanced and
11. What four methods of investigation constitute is considered more robust than the MD5 method.
the fraud triangle plus inquiry approach to
investigations? Multiple Choice
12. What are the potential benefits and drawbacks of
using open source, self-booting CDs for computer 1. Which of the following is not a category used in
forensics? the fraud triangle plus inquiry paradigm?
a. Theft investigative techniques.
True/False b. Concealment investigative techniques.
c. Action investigative techniques.
1. The fraud triangle plus inquiry paradigm is an ef- d. Conversion investigative techniques.
fective way to understand the various types of in- 2. When beginning an investigation, fraud examiners
vestigative methods. should use techniques that will:
2. One advantage of using a vulnerability chart is a. Not arouse suspicion.
that it forces investigators to consider all aspects b. Identify the perpetrator.
of a fraud. c. Determine the amount of the fraud.
3. Electronic surveillance is often of limited value in d. Identify when the fraud occurred.
the investigation of employee fraud because of con- 3. When conducting interviews during an investiga-
cerns regarding employees privacy rights. tion, which of the following words should usually
4. Surveillance is a theft investigation technique that be avoided?
relies on the examination of documents. a. Audit.
5. Mobile observation is usually much more risky b. Inquiry.
than stationary surveillance. c. Investigation.
6. During invigilation, no controls are imposed on d. Record examination.
any activities. 4. When beginning a fraud investigation, which of
7. Surveillance logs should always be drafted before the following methods is most useful in identifying
an investigation begins. possible suspects?
8. Not only are undercover operations both legal and a. Preparing an identification chart.
valid, but they are also inexpensive. b. Preparing a vulnerability chart.

00 Fraud Examination, 4th Edition - Copy-231-250 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

00 Fraud Examination, 4th Edition - Copy-231-250 PDF

Uploaded by

Copyright:

Available Formats

206 Appendix A: Examples of the Data-Driven Approach

1st Pass Pages

LEARNING OBJECTIVES TO THE STUDENT

o single promotion lured more people to According to federal prosecutors, at

Theft Investigative Methods

Over- Purchasing N/A Kickback Cash Extravagant Maintain Greed Bids

FI GU RE 7.3 INVI GILATIO N DI AGR AM

Mark owned an auto tune-up shop. The company had 12

invigilation period must be at least 14 days in length. In

Because of the wide variety of electronic media

C A U T I O N The gathering of electronic evidence is a

Jack was a computer programmer at a small startup com-

QUESTIONS 9. Investigation of fraud should only take place when

You might also like