Hacking Exposed
Page 43
In reality, everyone makes mistakes. Each of these areas may yield valuable evidence toward establishing an improper relationship between two parties—and sometimes that may be enough. Combined with other analytical information that investigators may obtain involving the hiring, contracting, or bid award practices of an individual, qualified fraud examiners and investigators may be able to make persuasive arguments about the potential for improper practices.
Where the company is suspected of being the perpetrator of fraud, including the payment of bribes of illegal kickbacks, the investigation may follow procedures similar to those used in relation to other types of employee fraud. Where bribes or kickbacks are suspected, the primary focus is to “follow the money.” (Where did the money come from to pay the bribe or kickback? How is it reflected on the books and records of the company?) Often, the direct payment of a bribe or kickback may actually be in the books and records of the company, but disguised as some other payment or transaction. Or the questionable payment may have come from an off-book account or slush fund created and maintained by the company for that purpose. Such questions and avenues open up numerous possibilities for potential investigation as the efforts to create and maintain an off-book bank account or slush fund can often involve numerous falsified documents and/or fictitious transactions. Needless to say, an experienced fraud examiner or investigator may see numerous paths for review where computer forensic capabilities would prove valuable.
In summary, detecting and investigating corruption can be significantly more difficult than investigating other types of employee fraud, especially in situations where the company is the victim. Regardless, corruption follows the same basic principals as most fraud in that it involves a deception of some type, as well as efforts to conceal that deception, and transactions and payments that may ultimately be detrimental to the company. Armed with these basic facts, a trained fraud examiner or investigator with the assistance of computer forensics specialists can usually figure out where to start looking, and for what.
What to Look For
With respect to corruption, the types of information that may require the use of computer forensics can vary widely depending on whether the allegations are specific to an individual or more broadly targeted at corporate-wide practices, as well as whether the company is the victim or the alleged perpetrator. However, while we have noted that practices may be initiated through personal interaction, the pattern of corruption may often be supported by e-mail, voice mail, contact lists, and other electronic information, especially when someone believes she is not being watched.
Finding Communications Indicating Corruption
As discussed earlier, generally some type of communication will exist between the person paying the kickbacks and the group receiving them. Much past that overly broad statement, however, gets a lot more complicated. What methods did the person use to communicate with the payee? Were code words/terms used to describe the actual fraud? Who was involved, and was the person you have identified merely a middleman for a larger corruption cabal? Using phone records, e-mail, and other types of communication, you can put together a proper social network and show how all the actors interacted with each other. If you encounter communications that you think may be relevant or if you can’t tell what they are discussing, you should run it by experts in the area you are looking for. For instance, an attorney versed in what constitutes a violation of the FCPA can take one look at an e-mail you may think is harmless and note five different violations of the law. As always, if you think you need extra help in deciphering what it all means, don’t hesitate to bring in external assistance.
Building the Social Network
Multiple tools on the market today can show you who e-mailed whom and when. They create this pretty graph, with lines showing who e-mailed what to whom, with the thickness and color of the lines based upon things such as the volume of e-mails sent back and forth that are keyword responsive. Those types of graphs can be extremely helpful when people are not attempting to hide their communications. If they are attempting to hide what they are doing, these tools can fall flat on their faces. And, more often than not, in these corruption investigations the people involved are definitely trying to hide what they are doing. Let’s look at some alternative ways to reconstruct this social network.
Look for Aliases This ties into the money laundering investigations we will discuss later in the book, but its important to mention here as well. Oftentimes the person asking for the bribe or kickback will use some type of alias to ask for the money, so as to distance himself from the transaction. These aliases often attempt to be as anonymous as possible, and the person will use free public web-based e-mail to communicate. Look for e-mails to and from these services (Yahoo!, Hotmail, Gmail—the “usual suspects”) and have someone perform a content review. If it looks like the person is discussing things he has no business discussing over webmail with a random stranger, that’s a clue that an alias could be in use. Mark the dates and times of these communications and match these up to when large business events occurred in the company. This may help to determine the context of why the parties were talking, and why increased communications occurred during those time periods.
Look for Personal E-mail The individual you are investigating may also be using an alias. He may also be communicating through webmail because he thinks it is off the company’s or regulatory body’s radar. Make sure you do a thorough audit of not only what webmail exists on the machine, but also the various e-mail addresses and accounts that are used on the computer. Again, map these out onto the timeline so you can get the bigger picture of what may have been occurring at that point in time.
Cell Phone Records The communications may not have occurred via e-mail at all. Grab the phone records from the cell phone using techniques discussed earlier in the book. Look for unusual area codes or country codes dialed. If an unusual number keeps popping up during time periods that are critical to the business, that can be a sign to investigate further. If you believe an outside organization was involved, look for country and area codes that track back to the company, as well as the exchange number. If the organization is large enough, it may have an entire exchange dedicated to it (the first three numbers of the seven-digit phone number), and this can be a huge clue that the individual is communicating with others inside the organization.
Voice Mails and Corporate Phone Records If the company you are working with is on a modern PBX or voice-over-IP (VOIP) system, you should be able to recover the voice mail messages for the individual back to a certain point in time. Which point in time depends on the company’s backup policy and how it retains the files in question. Normally these are stored in some type of proprietary WAV format, and the maker of the system can usually provide a utility to convert the file to a traditional WAV or PCM file. If a huge amount of voice mails are present, it may make sense to send them off to a transcriber to listen to them and transcribe them to text that you can search. Also, don’t forget to pull the phone call logs from their phone and look at those in the same manner as the cell phone logs.
Calendar and Journal Entries Look for cryptic calendar events that occur around company events. If the individual normally uses the full names and phone numbers of the people participating in a meeting, but you have found a meeting reminder for something to the effect of “meeting with RTL,” that may indicate that the person doesn’t want anyone to know who is RTL. This is why it’s important to map out all this information on a timeline, as you can see who the person may have called, e-mailed, or otherwise communicated with when the meeting was set up, or immediately before or after the meeting.
Building the Network Once you have completed all these tasks and have mapped out a timeline, certain key players and fact patterns will start to emerge. Who knew what when, who was involved at what times, and what role each person played will likely start to bubble up. With this information in hand, you can work with forensic accountants to expand the investigation
to other individuals and start to look at the financial transactions that occurred around the communications. Using these facts in concert can help to elucidate who was involved, the mechanics of the fraud used, the extent of the corruption, and its effects on both the deals struck and society as a whole.
TYING IT TOGETHER
Of paramount importance in a fraud examination is the determination of who was involved, what they took, and whether or not anything can be recovered, as well as working with various authorities in that effort. However, investigating various forms of employee fraud is also as much about the “story” of how the fraudulent scheme was perpetrated as it is about what was taken and by whom. Being able to tell the story, often with small and circumstantial pieces of evidence, will help the fraud examiner or investigator effectively communicate to a prosecutor, regulatory authority, insurance company, and/or jury the nature and extent of the nature of the fraud, how it was able to have been perpetrated for so long, who else may have been involved, and the magnitude of the potential loss to the company.
What Is the Story?
Some types of employee fraud can be simple thefts of cash, which are easy to explain and understand. However, other types of fraud can be elaborate schemes in which individuals have circumvented internal controls, falsified documents, created fictitious companies, and otherwise avoided detection for years (often in collusion with others). In these instances, it is important to map the pieces of evidence together into a “story” of how the fraud was perpetrated, by whom, and how it has damaged the company. This is often accomplished through detailed timelines of activities and diagrams of interrelationships between parties who may have been acting in collusion to defraud the company. These timelines, diagrams, charts, and graphs often serve to show the connections and links between small, and often circumstantial, pieces of evidence to create a dynamic and compelling picture of the intricacies of the deception and fraud over time. Sometimes a single e-mail may be all that exists to connect two individuals, but it subsequently becomes clear that the “story” of the fraud could not have been accomplished without this connection because of its importance in being able to falsify certain documents or circumvent other internal controls.
Individual pieces of evidence can take on new meaning and significance when plugged into the overall picture of the fraudulent scheme. While this exercise is important for the pursuit of criminal or civil remedies with regard to the suspected employee(s), they are also important for the company in its efforts to enhance its systems of internal, and possibly external, controls to avoid falling victim to such frauds in the future. Companies often follow a significant fraud investigation with an in-depth evaluation of their internal controls and the corporate environment that allowed such abusive practices to take place. Whether changes in job functions, the implementation of job rotations, the creation of internal auditing functions, or the application of more sophisticated electronic checks and balances, companies often implement new policies and procedures to prevent future occurrences.
Estimating Losses
Various types of employee fraud can go undetected for years. However, it is rare that an individual initiates a massive fraud in collusion with others from the outset. Often the fraud starts with a single individual or transaction, sometimes by mistake, that subsequently goes undetected. As time passes, and the confidence of not being detected grows, the fraud may expand, become more refined, and may potentially increase in scope to include other areas of the business and sometimes other employees or parties outside of the company. This general observation is important because it helps you understand how to evaluate and estimate the potential losses to the company. Employees guilty of committing fraud seldom confess to everything. They often will confess only to what the fraud examiner or investigator has discovered. As such, the ability to identify fraudulent activity not just from the current period, but from historical periods as well, is important in establishing the period, and potential magnitude, of the losses to the company.
A computer forensics specialist can play an important role in assisting the fraud examiner or investigator in estimating the potential losses to the company. While sufficient evidence may have been identified to prove the existence of a fraud, evidence may be limited as to the scope of the fraud. Forensic evidence must be sought not only to uncover the fraudulent scheme, but to determine the length of the scheme and its extent or magnitude from one period to the next. Once a scheme has been uncovered and sufficient evidence identified to understand its nature, attention must be focused on expanding the search for evidence to enable an accurate estimate of the potential losses to the company. In other words, you need answers to the questions “How long has this been going on?” and “How much did they steal over the years?”
Working with Higher-Ups
As with other types of fraud, employee misconduct, and IP theft, a company’s senior management, as well as in-house attorneys, will likely be involved in the investigation and efforts to address the failures in the company’s internal controls, policies, and procedures that allowed the fraud to go undetected. Apart from wanting to understand the computer forensic techniques employed to search for and identify evidence, and the significance of the evidence identified, senior management also will likely have a keen interest in whether documents were falsified and how, whether individuals gained unauthorized access to key systems and how, and whether other internal controls were circumvented and how. The importance of these questions is obvious. As the fraud investigation evolves into a period of self-evaluation by the company, the computer forensics specialists may be called upon to provide assistance in strengthening the company’s system of checks and balances to prevent similar occurrences in the future.
Working with Outside Counsel and Investigators
Various types of employee fraud, in addition to the termination of the employee(s) in question, will often involve either criminal proceedings, civil lawsuits, or both. Often outside counsel, forensic accountants, and specialized fraud examiners and investigators will be retained to assist in investigating the fraud and in estimating the losses to the company. As described, the information uncovered may be used in criminal proceedings against the employee(s) and others in question, as well as in support of civil lawsuits where the company may sue the individual(s) involved to recover additional funds. Sometimes what is required in one may be different than what is required in the other. While objectives are often aligned, at times the level of forensic evidence required to meet a certain criminal standard may be greater than that required to meet certain civil liability standards. As such, the computer forensic specialist may be called upon to provide support to various parties in their efforts on behalf of the company to bring matters to fruition, including expanding their efforts in various areas deemed necessary by the parties involved.
CHAPTER 19
CORPORATE FRAUD
The accounting, financial statements, and decisions of senior executives at many of the best-known companies in the world are being questioned every day. Since the corporate scandals at Enron, WorldCom, and HealthSouth in the late 1990s and the early part of this decade, accounting practices in the corporate world have been the subject of unprecedented public and regulatory scrutiny and litigation. Tough questions are routinely being asked by government and regulatory agencies, law enforcement, corporate shareholders, and the press. In 2006, a single article in the Wall Street Journal citing potential evidence that corporations may have backdated their stock option grants to senior executives and others launched a massive investigative effort by Securities and Exchange Commission (SEC) and internal investigative efforts by hundreds of corporations nationwide.
The pressure on boards of directors, corporate executives, accounting and auditing firms, bankers, and attorneys has never been greater. Shareholders, regulatory agencies, and others demand action when evidence of potential impropriety or fraud is first identified. The lessons learned over the past decade in relation to var
ious long-standing corporate frauds is that they often involve very complex financial transactions, that participation can run deep into the organization and can involve various outside parties, and that the ultimate cost to the shareholders can reach into the millions and sometimes even the billions of dollars.
As the interdependence of today’s global economies and the number and complexity of financial transactions between corporation’s within those economies continues to grow, so do the instances of corporate fraud, with estimates of overall fraud-related losses reaching as high as the hundreds of billions of dollars. Many of the world’s best-known companies routinely engage in complex cross-border financial transactions involving complex financial instruments and derivatives. While most of these transactions are governed by various accounting standards, SEC regulations, and currency exchange requirements, their complexity makes them difficult for any one party to evaluate and comprehend fully without in-depth analysis.
As instances of corporate fraud have increased over the years, so, too, have the numbers of experienced financial investigators and examiners, forensic accountants, data recovery and retrieval specialists, and computer forensics experts who bring the required experience and expertise in preventing, detecting, and investigating risks or threats to people, premises, and financial and intellectual assets.