Non-Cash Asset Fraud Schemes

Occupational fraud and abuse comes in many forms. One form of occupational fraud is asset misappropriation. Asset misappropriation, as defined by The Complete Idiot’s Guide to Frauds, Scams, and Cons, is “when your employees take your stream of revenue and divert some of it into their own pockets” (Swierczynski, 2003).

Asset misappropriations can be broken down into two different silos: cash and non-cash assets. The 2006 National Fraud survey, conducted by the Association of Certified Fraud Examiners (ACFE), states that cash assets have a higher frequency of misappropriations, with 87.7% of all asset misappropriations. Although cash misappropriations are more frequent than non-cash asset misappropriations, non-cash asset schemes are more costly to the company.

The ACFE also states that the median loss for cash assets is $150,000, compared with $200,000 for non-cash assets. (ACFE, 2006) Non-cash misappropriation schemes can be broken down into five categories: misuse, unconcealed larceny, asset requisitions and transfers, purchasing and receiving schemes, and fraudulent shipments. Of the five categories of non-cash misappropriation schemes, I will be taking a closer look into unconcealed larceny schemes and how they can be prevented.

Unconcealed larceny is one of the most basic types of theft, as employees simply walk out with the company’s assets without trying to cover up the accounting books or records. As you can assume, larceny of the company’s inventory can be very costly for employers. If an ongoing larceny scheme goes unnoticed over a period of time, the damage can easily be estimated in the millions. One such story of unconcealed larceny that went unnoticed for five years cost one New York-based jewelry store an estimated $3 to $12 million of lost inventory. (Huff, 2009)

Teresa Tambunting worked for the jewelry store for over twenty-eight years and was thought to be a trusted employee. However, somewhere along the way Teresa got sticky fingers. During the last five years that Teresa was employed with the jewelry company, she began to stuff some of the jewelry into her purse as she walked out. Over a five-year span, Teresa amassed a mountain of gold by patiently carrying out her scheme one gold nugget at a time.

From the fraudster’s point of view, the main problem with unconcealed larceny is the absence of cooking the books or manipulating the records to account for the missing inventory. Eventually, the store realized that between $3 and $12 million worth of inventory was missing and conducted an investigation. Teresa returned one suitcase full of jewelry while authorities found another 447 pounds of gold in her house. As you can see, unconcealed larceny can be very costly to unsuspecting employers.

Companies put in a lot of hard work to produce and stock inventory for their company and customers. It is just as important not to let someone walk off with that hard-earned inventory. Joseph T. Wells, CFE, is a well-known author on fraud, and he has a few ideas on how you can prevent and detect larceny of non-cash assets. (Wells, 2008)

First, separation of duties between requisitioning, purchasing, and receiving should be maintained. Further separation of duty would include accounts payable with accounts receivable and purchasing. These separations of duty are set in place to make it harder for one employee to commit fraud without having to include an accomplice.

Physical security is another way to stop larceny of your company’s inventory. Keeping the company inventory behind locked doors will keep most employees from being able to gain access to the inventory, while maintaining a log of all personnel who do have access will provide you with a list of employees in case inventory does go missing. If the employee believes that there is a high chance of being caught, the employee will most likely not commit the fraud, according to Richard C. Hollinger and the Hollinger-Clark study. (Wells, 2008)

To exploit this technique of perception, the installation of surveillance cameras can aid in the deterrence of larceny of inventory. The security cameras should not be hidden but placed in a dominant spot for all to see. To prevent the loss of inventory over an extended period of time, you should conduct physical inventory counts on a frequent basis to determine whether your inventory control system matches your physical count of the inventory.

Your company’s lifeline lies within the health of your inventory. When your employees start to steal from your inventory, the company will slowly become sick as profits are lost. To keep the company healthy, proper internal controls that allow you to deter and detect non-cash asset schemes will help keep the company doctor away.


By: Joseph Dustin

Reference

Wells, J. T. (2008). Principles of Fraud Examination 2nd edition. Hoboken, New Jersey: John Wiley & Sons, Inc.

Cybersecurity Act of 2009

A new Cybersecurity bill is “shaking up” the information security world.

If it becomes law, HR 4061 will help "strengthen domestic cybersecurity talent and find new ways to leverage the expertise that exists in the private sector," says Rep. James Langevin, D-Rhode Island. (USAToday, 2009)

The House passed H.R. 4061, the Cybersecurity Enhancement Act, by an overwhelming vote of 422 Yes to 5 No, with 7 not voting. (NYTimes, 2009)

H.R. 4061, now being tossed around in the Senate, is known as SB773 - Cybersecurity Act of 2009. Both Security and Compliance professionals will endure many changes if this bill makes it to the President’s desk.

The Cybersecurity Act of 2009 is broken down into 23 sections and covers a wide range of topics.

Sec. 2 - Findings

In section 2, Congress lists 14 separate reasons as to why this bill is vital to our national security. Among the listed are:

(1) America’s failure to protect cyberspace is one of the most urgent national security problems facing the country.

(4) The Director of National Intelligence testified before the Congress on February 19, 2009, that ‘a growing array of state and non-state adversaries are increasingly targeting – for exploitation and potentially disruption or destruction – our information infrastructure, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries’ and these trends are likely to continue.

(8) Alan Paller, the Director of Research at the SANS Institute, testified before the Congress that ‘the fight against cybercrime resembles an arms race where each time the defenders build a new wall, the attackers create new tools to scale the wall. What is particularly important in this analogy is that, unlike conventional warfare where deployment takes time and money and is quite visible, in the cyber world, when the attackers find a new weapon, they can attack millions of computers, and successfully infect hundreds of thousands, in a few hours or days, and remain completely hidden.’

The Cybersecurity Act of 2009 has the potential of turning Cybersecurity into the new Arms Race. An arms race that will take place between Cybersecurity minded professionals and those who wish to exploit the latest vulnerabilities in our nation's security systems.

By: Joseph Dustin


Corporate Integrity – A Toolkit for Managing Beyond Compliance


Donna Kennedy-Glans & Bob Schulz have put together a comprehensive toolkit for managing Corporate Integrity beyond compliance.

Many companies already know about the value of implementing an “ethics and integrity program” and they have created elaborate ethical policies to protect themselves from compliance-related issues. However, they often fall short when aligning their “corporate walk with their corporate talk.”

Corporate Integrity – A Toolkit for Managing Beyond Compliance is a great book to help organizations align their “corporate walk with their corporate talk.” The authors state,

“Compliance is a minimum standard of corporate performance and is often insufficient response to a corporation’s integrity values” and

“Overall, this is a practical how-to book that tailors, aligns, and consolidates business tools that enable companies to effectively and efficiently operationalize business integrity values.”

Corporate Integrity is divided into three parts:

Part 1: New Frontiers in Managing Corporate Integrity

Part 2: Process for Managing Corporate Integrity and Scenario Applications

Part 3: The Road Ahead For Corporate Integrity

Each part has detailed Business Tools that will allow you to measure, monitor, and manage integrity. Some of the tools outlined in this book are:

  • The Integrity Ladder
  • Stakeholder Grid and Impact Assessment Tool
  • The Integrity Grid
  • Permeation of Change Model
  • Adapted Best Practices Tool
  • Benchmarking Practices
  • Community Investment Strategy Tool

I would highly recommend this book, Corporate Integrity, to any Ethics Professional interested in improving their Compliance and Ethics Program.


By: Joseph Dustin


The Sound of Corruption

John Yeh is a businessman. Like most businessmen, John has the drive and determination that inspire people to succeed. John went to college at the University of Maryland where he earned his bachelor’s degree in mathematics and then pursued his master’s in computer science.

After graduation, John started his own company. The company was known as Integrated Microcomputer Systems, and after a few successful government contracts, John’s company quickly grew, with a revenue of $21 million in 1987.

What makes John Yeh any different from others that have succeeded?

John has a disability that made him have to work a little bit harder than most. Born without the ability to hear, John needed to find an alternate way to communicate. Growing up in China, Taiwan, and Brazil he learned to read lips and knew Chinese sign language.

At the age of 15, John arrived in the United States, where he had to translate Chinese to English and then English to sign language. In school he was put in a class with eight- and nine-year-olds, leaving John feeling embarrassed, yet determined.

After graduation he struggled to land a job. When John was ready to start his own company, he found it difficult to obtain a loan. Every bank that he went to turned John away. Then, as luck would have it, John discovered a loan that was available to the handicapped through the U.S. Small Business Administration in the amount of $100,000. (Knocke, 1989) As you can see, John’s life was not that of anything I would call normal.

John went on to become the 2008 Deaf Person of the Year by Deaf Life magazine and Gallaudet University once honored him as Entrepreneur of the Year. (Washington Post) All of which makes John Yeh’s arrest seem to come as a shock.

What would drive John, who seems to have everything finally going right for him, to commit an occupational fraud? Although that question may never be answered, the Department of Justice unsealed twenty-six indictments on November 19, 2009. (Department of Justice Press Release, 2009) The twenty-six, including John Yeh, were charged with engaging in a scheme to steal millions of dollars from the Federal Communications Commission’s (FCC) Video Relay Service program.

John’s company, Viable Communications, makes communication devices that allow deaf people to communicate over the telephone through a video-type interface. The video shows a translator who translates the voice or data-type message and then uses sign language to communicate back. John Yeh was then able to bill the FCC for a portion of the time being used. The program started off in 1993 with about $30 million and quickly grew to over $400 million in 2007. (Potter, 2010)

John is accused of coaching employees and others on how to make false calls that would not be suspicious. Some of the other twenty-five indictments include those involved with the scheme from various other call centers. Six other call centers are independently owned and did contract work for Viable Communications. Altogether, officials still have not said precisely how much they think was stolen, but the estimate was approximately in the “tens of millions.” (Glod & Johnson, 2010)

The question still remains: did John Yeh use his fiduciary powers to make people commit occupational fraud when they normally would not have?

Occupational fraud is a term that is used to describe a wide variety of corporate fraud cases and can be broken down into more distinct segments to help identify the different types of frauds being committed. Each type of fraud can be easily identified in some schemes, while other schemes are more difficult to identify. One reason for the difficulty is that in some cases fraudsters commit several fraudulent acts to carry out their crimes, making it harder to categorize each scheme. For example, one investigation may start with a billing fraud scheme and turn into a conflict of interest/corruption scheme with multiple parties involved.

Corruption, according to Joseph T. Wells, can be defined as an act in which a person uses his or her position to gain some personal advantage at the expense of the organization he or she represents. (Wells, 2008) In this light, John Yeh had the equipment that was needed to deploy the services. John also worked with other independent contractors that needed what John had to offer to turn a profit. This would lead me to believe that he definitely had the ability to misuse his fiduciary powers to conspire with others and corrupt their business relationships.

In the case of John Yeh, the details may not be clear as to the extent of the corruption. Details such as who was the initiator are still not clear. Knowing who the initiator was would better determine the type of corruption, such as economic extortion or bribery.

In either case, to help deter corruption, you should keep an eye out for gifts and create an ethical policy that states employees are not allowed to receive gifts over a certain amount. Maintain a set of reports that actively looks for financial changes and policy deviations, as these red flags may indicate corruption.

When corruption is at its worst, the amount of damage caused is hard to place a price tag on. Although millions of dollars are alleged to be stolen using this scheme, the money itself may not be the only thing lost. If John Yeh is convicted of his crimes, how will it affect all the deaf people that used the service legitimately? Will the service be discontinued or will the price go up if the government chooses to stop giving money for the program?

By: Joseph Dustin

Cressey's - Fraud Triangle

At Indiana University during the 1940s, Donald Cressey worked on his Ph.D. in criminology; his hypothesis became what is now known as the “Fraud Triangle.” (Wells, 2008) The fraud triangle seeks to explain the elements that must be present before fraud can occur.

Nicole Merke, CPA, CFE, columnist for Examiner.com, states, “Cressey is honored by many anti-fraud organizations, including the Association of Certified Fraud Examiners.” (Merkle, 2009) Cressey’s fraud triangle consisted of three elements that recurred in all the cases that he studied. Opportunity, Incentive (Pressure), and Rationalization are the three elements that make up the fraud triangle. Using the fraud triangle to gauge why employees take part in abusive conduct gives us three distinct categories that can be analyzed to better understand the fraudsters.

Opportunity is simply having the ability to commit abusive conduct. There are two parts to opportunity: general information and technical skill. (Wells, 2008) General information is knowing that the fraud can be committed, and technical skill is the ability to carry out the fraud.

Incentive or Pressure refers to a financial burden that the fraudster feels that they must find a way out of. A fraudster may feel pressure to keep a certain social status in order to keep up with those they work with.

Rationalization is when the fraudster justifies the crime he attempts. Cressey believes that rationalization is part of the motivation for the crime and that the fraudster does not see himself as a criminal. (Wells pg. 18) Fraudsters may feel that their employer owes them something and thus that they are not thieves.


By: Joseph Dustin

References

Wells, J. T. (2008). Principles of Fraud Examination 2nd edition. Hoboken, New Jersey: John Wiley & Sons, Inc.


Passwords Don't Secure Sh@t!

I often hear the terms strong and secure when talking about passwords, and this can have adverse effects on overall security. System Access Controls are often considered the first line of defense against cyber-attacks and hackers. The problem we face with using passwords for authentication is that passwords are often written down and shared with others. I have seen passwords left in desks, taped to monitors, and placed under the keyboard. When passwords are written down, security becomes fragile.

Even the strongest of passwords are considered weak. Strengthening the access controls over an IT system requires what is known as two-factor authentication or three-factor authentication. Authentication is based upon three known factors:

Something You Know – Like passwords, PIN numbers, or passphrases, which are considered the weakest of all the authentication types. Passwords can be guessed, brute forced, shared, stolen, or compromised.

Something You Have – Like smart cards, USB tokens, and key fobs, which can be lost, stolen, broken, shared, borrowed, or duplicated.

Something You Are – Biometrics, which include fingerprint scans, voice scans, and retina/iris scans.

Two-factor authentication, then, means combining two types of authentication. An example would be passwords combined with key fobs or something similar to the Kronos Time System I currently use at work. Kronos requires employees to use a badge and the employee's fingerprint to clock in. Three-factor would require all three and is considered the strongest.

So the next time you hear someone say they have a secure password, please let them know that passwords used for authentication are not considered secure. Secure is accomplished through two- or three-factor authentication.


By: Joseph Dustin


National Procrastination Week

National Procrastination Week (March 1st – 7th) has arrived and I’m already creating a list in my head of things I’m going to put off this week. After first hearing about this holiday, my first impression was that I should take the week off. Then, I got to thinking maybe there is more to this holiday than procrastinating; maybe it’s about educating and training employees how to be more proactive and punctual.

After a little online research about the topic, I was crushed; my week off was tossed in the trash quicker than my last pay raise. It looks like it might be time to motivate the troops and see what we can do to stop procrastination.

First, we need to identify exactly what makes a procrastinator. An online article at PsychologyToday.com, Procrastination: Ten Things To Know by Hara Estroff Marano, states 10 things about procrastination.

1. Twenty percent of people identify themselves as chronic procrastinators.

2. It's not trivial, although as a culture we don't take it seriously as a problem. It represents a profound problem of self-regulation.

3. Procrastination is not a problem of time management or of planning.

4. Procrastinators are made not born.

5. Procrastination predicts higher levels of consumption of alcohol among those people who drink.

6. Procrastinators tell lies to themselves. Such as, "I'll feel more like doing this tomorrow." Or "I work best under pressure." But in fact they do not get the urge the next day or work best under pressure.

7. Procrastinators actively look for distractions, particularly ones that don't take a lot of commitment on their part. Checking e-mail is almost perfect for this purpose. They distract themselves as a way of regulating their emotions such as fear of failure.

8. There's more than one flavor of procrastination. People procrastinate for different reasons. Dr. Ferrari identifies three basic types of procrastinators:

  • arousal types, or thrill-seekers, who wait to the last minute for the euphoric rush.
  • avoiders, who may be avoiding fear of failure or even fear of success, but in either case are very concerned with what others think of them; they would rather have others think they lack effort than ability.
  • decisional procrastinators, who cannot make a decision. Not making a decision absolves procrastinators of responsibility for the outcome of events.

9. There are big costs to procrastination. Health is one. Just over the course of a single academic term, procrastinating college students had such evidence of compromised immune systems as more colds and flu, more gastrointestinal problems. And they had insomnia. In addition, procrastination has a high cost to others as well as oneself; it shifts the burden of responsibilities onto others, who become resentful. Procrastination destroys teamwork in the workplace and private relationships.

10. Procrastinators can change their behavior—but doing so consumes a lot of psychic energy. And it doesn't necessarily mean one feels transformed internally. It can be done with highly structured cognitive behavioral therapy.


What are the costs associated with procrastination?

CC Holland blogged about the Staggering Cost of Procrastination; he states a recent study by research firm Basex puts the “cost of unnecessary interruptions” in terms of lost productivity and innovation at a shocking $650 billion.

If these unnecessary interruptions are costing companies so much, what are they doing to combat this pandemic? Maybe it’s time we quit procrastinating and create policy to help fight the problem.

By: Joseph Dustin

An Overview of Loss Prevention and I.T. Security

Loss prevention encompasses a wide range of threats, and Loss Prevention Professionals have to be ready to handle each type of threat that could affect their corporation.

There are four main types of threats:
  • Natural
  • Environmental
  • Technical
  • Human

Natural Threats – Tornados, Earthquakes, Hurricanes/Typhoons, Floods, Landslides, Lightning Storms, Heavy Rains, Blizzards, Fires, etc.

Environmental Threats – Gas Leak, Fires, Toxic Waste, Pandemics, Fuel Outage, Drainage Chokes, Neighborhood Hazards, etc.

Technical Threats – Power Outage, IT Systems Failure, Fires, System Breakdowns, Manufacturing Defects, Malicious Codes, etc.

Human Threats – Terrorism, War, Spying, Sabotage, Theft, Arson, Hacking, Immoral Employee Ethics, Legal Disputes, Unaware Users, etc.


A study conducted by Robert W. Taylor et al., in the book Digital Crime and Digital Terrorism, states that 73% of the risk to computer security is from internal sources, while 23% is attributable to external sources. Internal threats include violence in the workplace, theft of proprietary information, sabotage, infiltration by gangs or organized crime, and terrorism. (Purpura pg. 134, Security and Loss Prevention) One of the most obvious threats would be theft. Theft can be broken down into sub-categories to include shoplifting, occupational fraud and abuse, employee theft, and, as described by Purpura, theft of proprietary information.

The I.T. threat from within is of great concern to those who wish to protect a company’s proprietary information. There are many reasons that companies would want to protect their data. Reasons may stem from loss of trade secrets, compliance, national defense, the fear of lawsuits, defalcation, or business continuity. Whatever the reason, companies have good reason to be concerned about I.T. security.

The Fourth Annual US Cost of Data Breach Study, an independent study conducted by Ponemon Institute, states that the average cost of data loss has risen to $202, up from last year’s $197 per customer record.

Internal threats and data loss can be intentional or accidental and are caused by current employees, non-current employees, or third-party employees. There are many I.T. threats that corporations face every day. I.T. threats include many of the main threats listed above, with an emphasis on Information Technology Business Continuity and Security.

To get a better understanding of what an I.T. Security Professional needs to know, we can look to the International Information Systems Security Certifications Consortium (ISC)2 for guidance. (ISC)2 has developed one of the most highly regarded and sought-after information security certificates, the Certified Information Systems Security Professional (CISSP) certification. Books that help you study for the CISSP, such as CISSP for Dummies by Lawrence Miller and Peter Gregory, are broken down into what is known as the Common Body of Knowledge (CBK) domains. Ten domains illustrate the vast range of topics that must be mastered to earn the CISSP certification. The domains are (excerpted from CISSP for Dummies):

Access Control – is about securing the perimeter; many security breaches result from inadequate Access Controls.

Telecommunications and Network Security – This domain is easily the most extensive and encompasses topics like networking models, protocols, standards, services, technologies, and vulnerabilities.

Information Security and Risk Management – This domain gets to the heart of Information Security Concepts and Risk Management concepts.

Application Security – essential concepts to understand in this domain are principles of applications, applications, application development, and databases.

Cryptography – you must fully understand the basic operation of cryptographic systems and how they apply in real-world applications.

Security Architecture and Design – this domain requires knowledge of security models, embedded systems, and basic computer architecture.

Operations Security – this domain details resources that must be protected, who should be restricted, control mechanisms available, the potential for abuse of access, appropriate controls, and good practices.

Business Continuity and Disaster Recovery Planning – detailed knowledge of Business continuity Planning and Disaster Recovery Planning are needed.

Legal, Regulations, Compliance, and Investigations – in this domain you must know what a computer crime is, how to conduct an investigation and collect evidence, and understand what laws may have been violated and the (ISC)2 Code of Ethics.

Physical (Environmental) Security – understand the various threats to physical security. Elements include planning and design, physical security controls, and administrative controls, physical security controls, access controls and technical controls.

By: Joseph Dustin