Security Investigations and Consulting

Hypothetical Incident and Response
Investigating Fraud and Embezzlement in White Collar Crime
Incident
It is believed by the CEO of a medium-sized tech company that the CFO is engaged in the white collar crime of embezzlement. He is not sure why this is, but he has a gut feeling that the CFO—although well-liked by everyone—is doing something illegal. What has set him on edge about the CFO is that the company’s bank called while the CFO was on holiday and inquired about a check written to the CFO. The CEO could not say why such a check would be written to the CFO and all of a sudden it seemed that numerous red flags were visible: unexplained expenses charged to other units, for instance. Various units have made comments over the years that unexplained large expenses seemed to be charged to their units. Nothing was ever done because it seemed like a typical mistake of poor accounting. However, now the CEO is suspicious. The CEO wants the private investigator to look into this. If the CFO is embezzling, there should be some signs of this that an investigator could identify.
How It Occurred
It turns out the CEO is right to be concerned. The CFO is embezzling. His method is this: the company has a two-factor authentication process in place for authorizing all funds released by check—each check needs two signatures. The CFO would stop busy executives on their way out the door for holidays and get their signatures on several checks, saying that this would be just in case funds were needed while the executive was on holiday. The CFO would then use the signed blank checks to move money from the company’s accounts to his own. Then he would cancel the check, remove it from the bank’s reconciliation and destroy it. To reconcile the company’s accounting books, the CFO would charge the stolen amount to another’s unit as an expense.
What the Investigator Will Do
According to Nemeth (2019) and Sennewald (2004), white collar crime involving accounting means there should be an independent audit to see whether red flags can be identified and whether a paper trail can be discerned. The investigator should order an audit of the company’s accounts. If there are extraneous expenses to units, these should be flagged to see if there is a pattern. If units are unable to explain the expenses, a record should be made. Red flags do not prove fraud—but they may indicate that there is smoke, and where there is smoke it is very likely that there is fire.
What the investigator should do next is look at the people involved. The CFO is going to need to be investigated. For instance, what kind of home does he live in? Where is it? How luxurious is his lifestyle? What is his salary? Is the life he is living supportable on the salary he is receiving? Where did he come from? Fraudsters typically have a past history of fraud, so it would be worth looking into his background and what his history is with his other employers. They might be able to testify as to his character. Their stories will help further give information about who this CFO is.
Bank records also need to be consulted. If there is a series of canceled checks coming from the company to the CFO, this is going to be another pattern, and if the canceled checks align with the amounts expensed to the various units, it is going to be evidence of fraud. This information can all be gathered and used to confront the CFO. It may well be that it is enough to convince him to come clean.
Interview Plans for the Witnesses
The plan for interviewing witnesses is first to understand how the fraud might have been perpetrated at the company. Since a two-signature method is needed, it is necessary to understand how this would have happened. Only executives can sign checks so what is wanted is any information on the matter they can give. The plan here is to ask them if they have any memory of being asked to sign blank checks for the CFO.
The next step is to interview the CFO’s previous employers. What is wanted here is information that will help the investigator to build out a profile of the CFO—who he is, what he has done in his past workplaces, and what can be understood about his character. HR should have the CFO’s resume on file, and this will give an indication of where he has been employed in the past. These companies should be contacted and the employers interviewed to see what information from them can be attained. The questions should focus on obtaining a perspective of the individual when he was working with the company. What was the experience? Good, bad, indifferent? Any trust issues?
Employees at the current company should also be interviewed to help build out the profile. What should be asked here is anything out of the ordinary with respect to the conduct of the CFO—the way he talks about himself, how he defines success, the impression he gives to others aside from whatever benevolent expressions of cordiality he might give. It may also be that the CFO is not acting alone. If there are any other red flags among employees—such as employees living exorbitantly or beyond their means, or employees fraternizing with the CFO in a suspicious way—this will be an indication that there is an accomplice and it would mean conducting surveillance to obtain more information on the matter.
What Evidence to Collect, How and Why
What the investigator needs to piece together is a picture of the Opportunity Triangle—that is, the opportunity to commit the fraud, conceal the fraud, and convert the stolen money into his own. This needs to be shown with each case of stolen funds. Where the money came from, how it was concealed, and where it went. Purchases made from the personal bank account of the CFO should correspond with the possessions currently enjoyed by the CFO—such as the house, the luxury cars, the boat, etc. These should line up and indicate the paper trail allowing one to follow the money.
The accounting process, the audit procedure and both the company’s and the CFO’s finances need to be audited in accordance with standard investigative procedure in forensic accounting (Chen, 2019). The CFO’s finances would require a warrant or the CFO’s permission to access, and that cannot be obtained without going through legal channels or tipping the hat and asking the CFO for that information directly. Instead, the investigator could conduct a covert investigation of the CFO’s personal assets through direct observation of what is public information (registered assets, etc.). An assessment of the company’s internal controls is also needed so as to develop a fuller picture of the opportunity to commit crime. If there is a lack of internal controls that the CFO could exploit, it will be easier to show how he committed his crime even if he was able to “conceal” it from the accounting books by destroying canceled checks. What the investigator will want here is an assessment of the segregation of duties to see if there is a way for the CFO to have access to funds or to checks that would give him the funds he needs. If he has opportunity to manipulate data to cover his tracks, this has to be seen. Separation of functions is another aspect of internal controls that should be seen in the company, but if there is a way for the CFO to exploit that separation that will also need to be shown (Municipal Association of South Carolina, 2013). Additionally, it has to be seen that the CFO has control of physical assets, such as checks or accounting books that could be used to commit the fraud. Since this is the case it should not be a problem.
Evidence of how the CFO will have spent the money he has stolen needs to be documented, and this must align with the amounts stolen from the canceled checks. The profile of the CFO as given by witnesses from past places of employment should also be used, especially if it is found that the CFO committed prior acts of fraud but was never prosecuted because he always expressed contrition and was generally well-liked. If there is a pattern of fraud, this has to be counted as evidence. If it is shown that he settled past cases out of court and is paying back previous victims, it gives a motive as well and that will be added to the whole picture. This can be determined by interviewing past employers. The purpose for this is to see whether the CFO has a history of fraud or if there is a motive to his stealing now.
It will also be necessary to see if there is an accomplice in the fraud. If other employees—such as an executive—is assisting in the scheme and is accepting kickbacks, there should be some indication of this, either in payments made or in some form of fraternization.
Information must be collected in such a way that no suspicion is raised. This means that instead of interviewing witnesses about the CFO exclusively or even about the possibility of fraud, questions have to be asked in such a way that the desired information is given without the witness realizing that it has been given—if at all possible. The investigator does not want word getting around that the CFO is suspected of fraud, because if the company wants to conduct further surveillance, it does not want to tip its hand and cause the CFO to alter his behavior.
Type of Surveillance
If it is decided that the CEO wants to sit on the information for now and see if the CFO can be caught red-handed, the type of surveillance that will be wanted is digital—surveillance of the company’s accounts, expenses, and checks; and surveillance of the CFO’s own personal accounts; however, the latter would not be provided without consent of the CFO or court order/warrant. Barring either, the surveillance would have to be of the individual’s public actions—such as direct observation of purchases made. This would mean covert surveillance. Covert surveillance may also be warranted if there is suspicion or a desire on the part of the CEO to see if any other employees are acting with the CFO to defraud the company. Investigators should be able to extract information from those who are willing to give it as well as from those who are unwilling to give it. Cooperation is not always going to come easy, especially if an investigator is getting close to a culprit involved in some form of wrongdoing. Investigators need to be tenacious and attentive to what is going on around them, but they should also be unassuming for presumptions can lead them into dead ends.
What to Include in the Report
What should be included in the report is the nature of the crime, the evidence accumulated, how the crime was conducted if it is found that a crime was conducted, who were the persons involved in conducting the crime, and the time periods in which the crime was conducted, if the evidence shows this happened. The report should describe where information came from and how the investigation proceeded.
The report should be detailed and should begin with a statement of what the investigator set out to find. The findings should be clearly stated and it should be shown how those findings were arrived at, and what conclusions are drawn from the investigation.
The report should consist of facts only—no opinions or speculation. It should begin with an introduction that describes the nature and scope of the investigation. This should be followed by a summary of the investigation, including what the investigation was able to substantiate.
Next, the subject of the investigation should be identified and described. The individual at the heart of this report would be the CFO, and he should be described in full, including past employment history, present employment history, where he lives, what he does, and so on.
The investigative methods used should be described in a step by step manner. It should include everything the investigator did—where he went, when, to whom he talked, what times everything took place, how the investigation was conducted, and when the investigation ended.
It should close with a conclusion that describes the results of the investigation and what has been learned. It should end with closing remarks that show one is a professional, i.e., an expression of professional courtesy and thanks towards the client and to anyone else who contributed to or aided the investigation in any way. Exhibits and attachments may also be included, such as photographs, records legally obtained, video still frames, or anything else referenced in the report that could help to make it fuller.
References
Chen, J. (2019). Forensic accounting. Retrieved from https://www.investopedia.com/terms/f/forensicaccounting.asp
Municipal Association of South Carolina. (2013). Internal controls to prevent fraud. Retrieved from https://www.masc.sc/Pages/resources/Internal-controls-key-to-preventing-fraud.aspx
Nemeth, C. P. (2019). Private Security and the Investigative Process, 4th Edition. Florida: CRC Press.
Sennewald, C. A. (2004). Security Consulting, 3rd Edition. Butterworth-Heinemann.