The Fraud Squad

Whether it's done by customers, employees or organized criminals, fraud takes a bite out of business's bottom line. Here's what CSOs can do about it.

It turns out that bases aren't the only thing stolen at Shea Stadium. After staggering through a losing season, the New York Mets suffered yet another indignity last October when it was revealed that four former Mets employees had allegedly bilked the ball club out of $2 million over a period of six years. According to Queens prosecutors, the suspects pulled off a variety of cons with the assistance of two accomplices who worked for team vendors. By overbilling the team for office supplies such as copy paper, setting up bogus companies and cooking up kickback schemes, the sextet netted hundreds of thousands of dollars a year for supplies that were never delivered. The Mets and Sterling Doubleday Enterprises, the Mets parent company at the time, proved to be easy marks. They were completely unaware of the scams, which dated back to 1994, until an internal audit in 2000 brought them to light.

As a company whose only product is baseball, the Mets organization provides relatively few opportunities for procurement fraud, certainly far fewer than do larger corporations. But even on a small scale, fraud can be incredibly damaging, and the Mets are a good example of both the ease with which fraud can be perpetrated and the difficulty of tracking it down. The "2002 Report to the Nation" from the Association of Certified Fraud Examiners found that the average fraud scheme lasts 18 months before it's detected, and that internal controls seldom catch the crooks. In fact, according to the survey (based on 663 reported occupational fraud cases that caused more than $7 billion in losses), the top two cited means of detecting a fraud were a "tip from an employee" (26 percent) and "by accident" (19 percent): hardly methods on which most companies are willing to stake their reputation or financial security.

As CSOs' responsibilities expand, fraud is a problem that increasingly falls into their lap. Whether they lead their company's fraud unit or govern just a piece of that apparatus, the CSOs' expertise with layered security architectures and forensic tools, and their understanding of the importance of enforced processes and procedures make them invaluable players in the battle against corporate fraud. When it comes to fraud, "the CSO is responsible for detection, protection, prevention and recovery of all the organization's assets," summarizes Vincent DeLuca, vice president of fraud control, security and risk management for MasterCard International. But DeLuca stresses that success in preventing and detecting fraud requires that CSOs build strong working relationships with the other key executives who also play a part in fraud response. "The CSO must first align himself with the CEO and senior management," he says. "They set the tone within the organization and [affirm] its commitment to protecting corporate assets."

In fact, CSOs—as relatively new corporate players—are often in the position of joining an effort already in progress. Their challenge is to figure out the best way to enhance the process using their experience.

John Frazzini, a former special agent with the U.S. Secret Service financial crimes division, believes that even though fraud-prevention teams, investigative departments, IT security staff and legal counsel are already entrenched in dealing with fraud, there remains a crucial role that the CSO is well positioned to fill. "Tearing down the walls between those departments and getting them to work together is the most cost-effective way to get ahead of the risk," says Frazzini. "CSOs should take the 50,000-foot view and make sure that, as the company moves forward with a fraud program, it does so with one voice."

This story will look at the technical and organizational challenges of fraud detection for CSOs, the relationships they need to build in order to be effective and the best practices that some CSOs have unearthed for tackling corporate fraud head-on.

Culprits and Schemes

The first thing to understand about fraud is its incredible breadth. Fraud encompasses everything from expense account and procurement scams to financial reporting irregularities, bid-rigging, intellectual property theft and more. Furthermore, specific financial-service sector industries such as insurance and banking have their own unique strains of fraud to worry about as well.

To a degree, fraud is still a pretty old-fashioned type of crime. Some of the techniques used in detection may have gone high-tech, but the same culprits and schemes that were popular a hundred years ago are still going strong. The vast majority of corporate fraud is perpetrated by insiders—employees and other trusted individuals who exploit their authorized access to do unauthorized things. Whether these people are embittered, financially strapped or just criminally opportunistic, they trade on their insider status by submitting doctored purchasing slips, thickly padding their expenses, setting up ghost employees or vendors, or simply selling the company's customer list or other valuable information to an interested outside party. Unlike the "pump-and-dump" stock fraud schemes that were popular during the 1990s market boom and the accounting scandals that have dominated the news in the past year, individual expense and procurement frauds, embezzlement and misappropriation don't wax and wane with the fortunes of the economy. They are easy to commit, produce high returns, are very hard to detect and are likely to fly under the corporate radar. Worse, in many cases they are tolerated as a cost of doing business. But when they rise above a certain financial threshold, these low-grade frauds become a legitimate business concern.

External frauds may be less common than internal ones, but the perpetrators are far more adept at using technology. Frazzini notes that one of the largest threats businesses now face is from organized crime syndicates out of Eastern Europe that specialize in identity and credit card theft for the purposes of extortion or financial fraud. "[Between] 15,000 and 20,000 customer account records can be stolen at a time," he says. "Technology has given these criminals the ability to conduct mass victimizations because all the information is often stored in a single depository."

Not surprisingly, financial services companies are the biggest targets. Techniques like "salami slicing" (stealing small, hard-to-notice amounts from many thousands of accounts on a given day) are profitable scams in the aggregate. Credit card numbers are often sold in chat rooms for $2.50 each; a few dollars more can get you enough information on a person to perpetrate identity theft. "Many of the countries [where this is done] don't even have cybercrime laws," says Tom Kellerman, a data risk-management specialist for the financial strategy and policy sector of the World Bank. "From their perspective, we are the wealthy elite, we created the game of capitalism, and now we're seeing the dark side of it."

Not only do CSOs have to stay up on the various flavors of fraud, old and new, but they are also under increasing pressure—especially in financial services—to comply with such government regulations as the USA Patriot Act. This omnibus antiterrorism law mandates that financial institutions verify the identity of anyone seeking to open an account, maintain records of their identification and check all such people against the "denied persons" list of suspected terrorists. That has added another layer of complexity to corporate antifraud measures in these industries.

How CSOs Plan to Fight Fraud

CSOs' reporting relationships may define their degree of responsibility for fraud detection and prevention. A CSO who reports to IT is likely to govern the technical side of a fraud investigation, whereas a CSO who reports to the legal, risk-management or CEO's office may handle the investigation from both the business and IT angles. Rick Mercuri, vice president and corporate security director for Citizens Financial Group (the parent company of Citizens Bank), has worked in fraud investigations for 19 years. At Citizens, he and his group of 25 investigators are responsible for investigating all fraud incidents and the tracking, statistical reporting and trend analysis of fraud across the company. That is in addition to his role in managing the company's physical security. Mercuri stakes a large part of his unit's success on its independence from business functions that may hamper fraud investigations. He reports to the auditing group and then ultimately to the group executive of risk management. Both of those entities are historically autonomous. "In my career, I've seen cases where the investigation group reported to HR or another business unit that had too much of a vested interest," he says. "I've seen investigations that were hindered, where there was too much oversight or involvement. With straight-line reporting to auditing and risk management, we have free rein over investigations."

In order to fulfill their security responsibilities (which, like fraud, touch almost all aspects of the business), most CSOs have already started building strong relationships with the so-called "other Os"—the top executives of the various business functions that are generally represented in the fraud unit. These established relationships place the CSO in the unique position of being the only executive with the necessary technical and business perspectives to knit together this diverse group of corporate characters.

At MassMutual Financial Group, a special investigative unit (SIU) is responsible for policing both internal and external fraud. CISO Bruce Bonsall is a member of the 2-year-old SIU team. He coordinates the security function's active collaboration with the other members of the SIU, who are from internal audit and the legal department. The group meets quarterly to discuss new fraud trends and the investigative process.

"Don't try to go it alone," Bonsall advises security executives. "Good relationships with audit departments and legal people are critical because at some point something bad will happen, and [by then] it's too late to start thinking about how you'll handle those events as a group."

The CSO must draw on different players for different objectives. HR and legal representatives will help determine how background checks and employee monitoring should be conducted, facilitate fraud-related terminations, and develop policy and legal parameters for employee conduct and investigation procedures. The public relations and general counsel offices will help strategize over what recourse the company will pursue when fraud is discovered, whether to bring in law enforcement, and when and how instances of fraud are announced to customers and the public. The IT, security and audit team members will be the corporate detectives who undertake the technical and physical sleuthing necessary to detect, contain and build a body of evidence to prosecute fraud.

Virtually all accounting and financial control systems, the candy stores of the fraud set, are computerized. CSOs already have the necessary understanding of the overall security architecture and the controls it has in place; they can take the leadership role in determining where those controls may have broken down and allowed fraud to occur. Their experience with incident-response planning around security breaches suits them well to drive the development of similar plans for incidents of fraud. A fraud-response effort will have to formulate how incidents should be handled, the mechanism for communicating those decisions through the executive branches and procedures for documenting the plan so that when an incident occurs there can be a rapid, decisive response. The plan should identify the "go to" people who are tasked with responding to each aspect of an incident. It should also define the appropriate procedures for conducting a fraud investigation so that evidence that is pulled off corporate networks isn't tainted in the process.

How Technology Can Help

Technology is an important part of a company's fraud prevention and detection program, but the good guys aren't the only ones exploiting its capabilities. Crooks are often among the earliest adopters of new technology (remember the fondness of drug dealers for pagers back in the 1980s?). Frazzini notes that the drug cartels alone have invested $1 billion in technology. "Sleep with one eye open if you're relying on technology," he cautions. "[Criminals] will invest money, time and energy to beat you at the technology game." CSOs need to view technology as just part of their defense rather than a panacea.

Companies can either buy customizable software or write their own rules-based programs that analyze network activity for specific indicators of fraud. For example, if corporate policy decrees that all purchases above $20,000 require approval, then a program that flags purchase orders for amounts between $19,000 and $20,000 could be useful in fraud monitoring. Similarly, a program could compare vendor addresses with employee addresses to detect "ghost" vendors.
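One way to implement the two rules just described, as an added example in Python that is not code from the article or any vendor product: the $19,000/$20,000 figures come from the text, while the sample purchase orders, vendor and employee records and the address-abbreviation table are constructed for illustration.

```python
from dataclasses import dataclass
import re

APPROVAL_THRESHOLD = 20_000.00   # policy: POs at or above this need sign-off
NEAR_MISS_FLOOR = 19_000.00      # flag POs that land just under the threshold


@dataclass
class PurchaseOrder:
    po_id: str
    vendor: str
    amount: float


def near_threshold_orders(orders, floor=NEAR_MISS_FLOOR, threshold=APPROVAL_THRESHOLD):
    """Return PO ids priced just below the approval threshold (possible avoidance)."""
    return [po.po_id for po in orders if floor <= po.amount < threshold]


# Constructed abbreviation table so "Street" and "St." compare equal
_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste", "apartment": "apt"}


def normalize_address(addr):
    """Canonicalize an address so cosmetic differences don't hide a match."""
    words = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)


def ghost_vendor_matches(vendors, employees):
    """Pair each vendor with every employee whose address normalizes to the same string."""
    by_addr = {}
    for name, addr in employees.items():
        by_addr.setdefault(normalize_address(addr), []).append(name)
    hits = []
    for vendor, addr in vendors.items():
        for emp in by_addr.get(normalize_address(addr), []):
            hits.append((vendor, emp))
    return hits


# Constructed sample data (not from the article)
ORDERS = [
    PurchaseOrder("PO-1001", "Acme Paper Co.", 19_750.00),
    PurchaseOrder("PO-1002", "Acme Paper Co.", 4_200.00),
    PurchaseOrder("PO-1003", "Metro Office Supply", 20_000.00),  # at threshold: goes to approval
    PurchaseOrder("PO-1004", "Metro Office Supply", 19_000.00),
]
VENDORS = {"Acme Paper Co.": "12 Elm Street, Suite 4, Flushing NY",
           "Metro Office Supply": "900 Broadway, New York NY"}
EMPLOYEES = {"J. Doe": "12 elm st., ste 4, flushing ny",
             "R. Roe": "45 Oak Avenue, Queens NY"}

if __name__ == "__main__":
    print("Near-threshold POs:", near_threshold_orders(ORDERS))
    print("Vendor/employee address matches:", ghost_vendor_matches(VENDORS, EMPLOYEES))
```

Both checks are deliberately simple screens that feed an investigator a short list to review; an exact-match address comparison will miss deliberately varied addresses, so a production rule would add fuzzy matching and other identifiers such as bank account numbers.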

The insurance industry is a frequent target of fraudsters. According to the Insurance Information Institute, property and casualty insurers alone pay about $30 billion annually in fraudulent claims (which includes the administrative and investigative costs of fraud). This leads, as we're often reminded, to higher premiums for consumers.
