Jim Ratley and ACFE: Going Broad on Fraud

Five years post-Enron, corporate fraud and white-collar crime continue to make headlines. Jim Ratley of the Association of Certified Fraud Examiners checks in to talk about corporate fraud and effective investigations.

1 2 Page 2
Page 2 of 2

You can't give prevalence to either one. Both are serious problems. However, the insider threat is much more common. It makes sense since employers have more access. It comes down to access to information. The outsider threat is still a serious problem but it's just not as common.These latest cases come five years after Enron and all the others, and after the passage of Sarbanes-Oxley and other controls. It makes us wonder if we're any better off than we were before in terms of fraud.I definitely don't think we're safer. The threats are still out there and growing. What I see is often the corporation is still unwilling to invest the resources needed for training and technology to give security people the tools they need to keep up. For the most part, investigative techniques and security departments tend to be reactive. I think security departments need to be proactive and start building preventive measures. I can already hear readers say, Yeah we know that! But our bosses won't give us the money!I know exactly what you're saying. Someone asked me recently what to do when a fraud prevention program costs more than the dollar amount that would have been lost in a fraud they detected. What to do? And I suggest to you that the fraud prevention program costs more than the dollar amount you show you saved when it is working and effective. Instead of reacting to the fraud and investigating it and bringing it to conclusion, you're preventing it from happening in the first place. To a lot of management, you're spending money on a negative, but statistics have shown that you can cut fraud dramatically with just a few simple techniques in a fraud prevention program, the first one being you tell people you're looking for it. [When you do that] you take that person who might be tempted to perpetrate the fraud and move them back to a person who's not tempted.

What are some other techniques for fraud prevention?

I think the most important thing is to educate your employees. When you have employee orientation, when you talk about insurance and 401(k)s, I think you throw fraud education into that process. Show them the ethics policy. Say, Here's what we do and how we look for improper, illegal and unethical acts.

And give them a way to report it if they see it. Anonymous hotlines make a difference.

What do CFEs talk to each other about at cocktail parties these days?

The advancements in the IT end of [the] fraud examination field. Within the next five years I would guess the trained fraud examiner is going to have to have a strong background in computer forensics. Technology has made our world much, much better. We have more tools. More solid audit trails to go after fraudsters. Most people are unsophisticated when it comes to the new technology. Other than the use of the computer, they have no idea how to hide or bury their trail. That makes life great for me because I do know how to go in and find what's been on their computer. But at the same time, technology has given the perpetrator much more opportunity to violate trust and perpetrate the fraud.

So computer forensics are the core of what you do these days?

What I've found is there are so many facets to fraud examination. You need somebody who has the legal background to prevent something like what we're reading about in the paper now [with HP]. You need someone with the investigative skills, for doing admission-seeking interviews and document collection. You need someone who can look at financial documents and understand what they're seeing. You need someone who can pull stuff off computers. It's hard to find any one person who has a background in all of those.

What else are CFEs talking about?Probably about the prosecution of offenders. Back five years ago, before some of the big corporate

scandals, it was practically impossible to get somebody prosecuted, and if you did, it was generally a plea bargain. I'm familiar with one case in California where a woman stole over $10 million and served less than 11 months in jail. Often, fraud was swept under the carpet.

So in one sense, the effect of those scandals has been positive?Fraud's not as hidden anymore, and I hope it stays this way. It has given corporate security an avenue to pursue. In the past, they've contacted local law enforcement or federal bureaus and they got no response to a fraud case. And that's still a problem, I don't mean to say it's no longer an issue, but less so. Also, you are sometimes still restricted to civil prosecution, which can be useless because the

perpetrator doesn't have any money. People don't steal money to save it. They steal it to replace money

they've already spent.

Is it necessary for CFEs to think like a thief to understand the crime?

Where we run into a problem as fraud examiners is that it's very hard not to judge someone by your

own standards. If you're driving down the highway, anyone driving slower than you is an old fogey and

anyone driving faster is an idiot. So we tend to want to judge people by our own standards, and you

can't do that with a fraud perpetrator. I've been involved in cases where the only reasonable outcome of

the person's actions were they were going to be caught. We had a case where a young lady, 23 years

old, had a lapping scheme, where someone would pay their bill and she'd steal the money, and then

when the next person paid their bill, she'd put part of that money to the first person's account. This

lady made less than $20,000 a year, and in six months she stole over $200,000. Now theoretically, if

she had stayed there the rest of her life and continued to lap those accounts, she'd be all right. But

that's not going to happen, so the only way it could go undetected is if she could replace that

$200,000. But she couldn't do that because in that six months, she paid cash to have her house

remodeled, she bought a dog for $1,000, she had some cosmetic surgery for $3,500 and she bought

an $80,000 sports car.

That's a lot of red flags.

Well when management called us and described the situation their first question was, Do you think we

have a problem? And when we asked them what her job position was and we told them what we

thought was happening, it took them less than 10 minutes to find the evidence in the lap drawer of her

desk while she was gone to lunch. They recovered the car but for the rest of it there was no recovery.

You could sue her but that's throwing good money after bad.

But if the perp knew they'd get caught, why would they do something like that?

I asked a fraud perpetrator, Walt Pavlo, who went to prison for stealing money from MCI, "How did you

ever think you were going to get out of this once it started?" And he had already been to prison so he

could smile from time to time. He looked at me and smiled and said, "That's a great question. I never

thought about it until after I started the fraud." Dr. Donald Cressey, who studied white-collar crime, had

the fraud triangle where he laid out the three elements of financial crime. One is the opportunity. The

next is the financial need, which the company has no control over. I mean I've heard one story of a

person who stole because his financial need was his neighbor had two Mercedes and he only had one,

so [he] felt like less of a father. So it can be ridiculous, but in their heads they think it's a financial need.

But the third and most controllable element is the rationalization. We perceive ourselves as we intend to

be. I perceive myself as an excellent driver, yet on the other hand my wife, who rides with me all the

time, has a much more accurate perception of my driving ability. I cannot tell you how many fraud

perpetrators I've talked to who tell me, "You know, they've never paid me overtime." I had one person

who saved his company $40,000. He was a claims adjuster for an insurance company. And he told me,

"They never gave me my piece of the rock, so I took it." And his piece of the rock eventually turned out

to be $2.5 million. And you talk to some of these people and it's a rude awakening for them. It's almost

like they've been in a trance or something and they break out of it right there and say, "You know, $2.5

million is too much for saving $40,000."

It seems like a psychologist could be a valuable partner to a CFE.

The fraud examiners themselves know this stuff. Usually a psychologist has three months to get

someone to admit they hate their mother. A corporate security person has three hours to get someone

to admit they killed their mother. It's a big difference, and I'll match the trained fraud interviewer

against any psychologist you want. If they're skilled, if they're experienced, the fraud investigator

knows how to play somebody like that. If someone comes up and tells me, "They owed me that money,"

I'll fall right in line. I'll say, "Tell me about that."

What are some other tips for successful interviews?

First off, there are no lucky interviews. The good interviewers I know never walk into an interview

without as much preparation as is available. They know the case backwards and forwards. They know

the documents backwards and forwards. That way, when you come up to me and make a statement that

might not be factual, I can confront you with it. I might confront you now or 30 minutes from now, and

I have to know how to confront you. If I just say, "You lied to me," well, now I've challenged you and

that might not work. Instead, I might throw in some tie-down or tag questions to make you lie to me:

"Now you'd never do anything like that wouldja?" Later on, "Let me show you this document here." And

that way I've not challenged you. I make it easy for you to tell me what you've done. I'm not judgmental.

I impress you with my knowledge of the incident. There is an art to the interview. People get better

during their careers. I've never met the best interviewer in the world because that person hasn't been

invented yet. The good ones keep getting better. If I were a corporate executive in charge of security,

with a limited training budget, the one thing I would make sure everyone on my staff were trained to do

is interview and do admission-seeking interviews. That's the backbone to everything we do.

Dealing with suspects is one thing. What about clients? Don't fraud victims sometimes resist admitting

they've been duped?

It's one of the major obstacles we run into. And here's why: We've all worked around people we don't

like. And television trains us that law breakers, fraud perpetrators, are going to be people we don't like.

In reality, when we get to work, it's the person we go to church with, the person that last November we

went to dinner with, that we called a friend. And it's so hard for us to realize that person will cross the

line. Generally speaking when I go into an investigation, and they say it could be anyone except Joe

over there, Joe's the first person I look at. No one's watching him because they trust him.

Can you share any stories of new kinds of fraud you're seeing?

There are few new frauds. We had a young man in central Texas who had a secret European investment

fund. If you invested your money, in 30 to 45 days, you'd get a 75 to 100 percent return on your

money. His girlfriend's parents gave him $80,000 and a few months later he gives them a million

dollars back. Well they were big church members, so they told everybody at church. Before long you

had people taking equity loans on their houses and cashing out their 401(k)s. The guy had a five million

dollar mansion on a lake here in Texas. He had a jet, nine luxury cars and a helicopter. If you invested

more than $20,000 with him, you got a helicopter ride. And of course he didn't have any secret

investment fund. He had a Ponzi scheme. He was paying earlier investors with later investors' money.

This scheme dates back to 1923, with Charles Ponzi. Yet it's used over and over successfully. Right

after that a former NFL football player was doing the same thing, using a foreign currency investment

scheme. We actually don't run across much that's new. We run across people who are innovative in how

they perpetrate the older frauds. Oftentimes at a seminar I'll mention a fraud, but I won't mention the

name of the company. At the end of the lecture, a person will come up to me and say, Oh I work for

that company. They probably didn't, but the same thing happened at their company. We see the same

stuff over and over again.

Copyright © 2006 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 hot cybersecurity trends (and 2 going cold)