The problem is a familiar one, but the solution is new.
Laurie Holtz, of the Miami-based firm Rachlin Cohen & Holtz, related a recent case of the Florida Insurance Department taking on a viatical scam.
"The state secured information, but didn't know what to do with it," he said. "We retrieved some 800 e-mails that a company thought they had deleted from their computers. In effect, we were able to retrieve records of a company that they believed they had destroyed and, consequently, the results destroyed them."
The phenomenon is computer forensics - the application of computer investigation and analysis techniques in the interests of determining potential legal evidence that might be sought in a wide range of computer crime or misuse, including theft of trade secrets, destruction of intellectual property and fraud. Computer specialists can draw on an array of methods for discovering data that reside in a computer, or recovering deleted, encrypted or damaged file information.
Few people today know how to do it and many don't really understand it. Yet it is vital in today's forensics. The bottom line is that computer forensics gives the accountant the ability to retrieve things in an astounding way.
New force on the block
Statistics and reports show that organizations suffer tremendous costs as a result of occupational fraud and abuse, a widespread problem that affects practically every organization, regardless of size, location or industry.
Small businesses suffer disproportionately large losses due to occupational fraud and abuse. According to the Association of Certified Fraud Examiners' 2004 Report to the Nation on Occupational Fraud, the median cost experienced by small businesses was $98,000.
The loss caused by occupational fraud is directly related to the position of the perpetrator. Frauds committed by owners and executives caused a median loss of $900,000, which was six times higher than the losses caused by managers, and 14 times higher than the losses caused by employees.
The most cost-effective way to deal with fraud is to prevent it. According to a recent ACFE study, once an organization has been defrauded, it is unlikely to recover its losses. The median recovery among victim organizations in the study was only 20 percent of the original loss. Almost 40 percent of victims recovered nothing at all.
Computer forensics itself is a relatively new area. In fact, according to Holtz, in the past six years, "it has gone from zero to an incredible number today."
Jonathan Bobb, a partner in the Chicago-based accounting firm of McGovern & Greene, agreed. "I started doing computer forensics about four years ago as part of our fraud investigations. Back then, I spent around 10 to 20 percent of my time with general forensics, versus combing through papers trying to unravel paper trails. Now, I spend 100 percent of my time performing computer forensic investigations and electronic discovery. It is presently a stand-alone service offered by our firm, in addition to our regular forensic accounting practice."
He pointed out that when you said the words "computer forensics" a few years ago, "people looked at you kind of strange and said, 'What is that?' Now, just type those words into Google and you'll see everyone who claims to be a computer forensic specialist, technologist, examiner - you name it."
According to Jack Seward, an expert on e-discovery and finding hidden assets, there has been a prolific rise in corporate and personal complexity that demands computer forensic solutions. "This complexity is a product of electronic communications and commerce, with the spider web of personal and corporate data integration the common thread."
Randall Wilson, director of fraud at RGL in St. Louis, agreed that the growth in computer forensics has been nothing short of incredible, especially in the area of employee misappropriation. "I have picked up countless cases of collusion between employees and outside vendors, complete with fraudulent invoices. Clearly, there has been an increase in the opportunities for fraud and, consequently, increased opportunities for catching fraud."
Unlike many accounting firms, RGL works exclusively in forensic accounting and consulting. RGL combines three core skills: forensic and investigative accounting (uncovering the facts), economic loss calculation (establishing the correct numbers), and financial valuation (determining business value).
More fraud, more forensics
Wilson explained that what has happened in the business world has triggered a rise in fraudulent activities. "As a result, we are doing more data mining, simulation, fraud detection and prevention." He also said that archiving has seen steady growth, with 1,000 gigabytes now common on the computer. "We've had an awareness like never before of incidences of fraud and how pervasive they are. Obviously, Sarbanes-Oxley had much to do with this, as CPAs have become more proactive, as well as the prevalence of computers."
Bobb said that the primary reason for the increase has been the adoption of electronic discovery by attorneys and law firms. "As soon as e-mail and other electronic communications became common in the workplace, and it was revealed how much evidence could be obtained through these forms of communication, the growth just exploded."
Kelly Todd, senior manager of Summerford Accountancy, in Birmingham, Ala., noted that almost all information generated today is the manifestation of computer data. "The increased use of digital technology by business can create a breeding ground for fraud or other misconduct. More frauds are perpetrated with the use of computers. Accountants and attorneys involved in dispute resolution are relying more heavily on using the same technology to ferret out the truth."
"Yet obtaining, accessing and analyzing the available data can be a monumental task without an understanding of the information that may exist and where it may exist," she said. "We have experienced an increase in computer forensics in both conducting fraud investigations and in aiding attorneys with their electronic discovery by helping them to identify, obtain, assess and analyze data that may be pertinent to their case - regardless of whether there are accounting issues involved."
She added that since beginning in the fraud and forensic accounting business in 1992, she has seen a consistent need for her services. "Fraud is really nothing new; however, with the accounting scandals in recent years, we have seen an increased awareness of fraud among business owners and the public at large."
Seward pointed out that the growth in the use of computer forensics has been unbelievable. "There is no magic pill in computer forensics; just the regimen necessary for the discovery and recovery of the trail left behind by digital fraudsters who are performing at the best of their game. I had a great conversation with the national director of forensics for one of the Big Four regarding this very point. We reminisced how, 10 years ago, a case would involve a few computer hard drives. Now, a case is often hundreds of hard drives, numerous servers and tape archives. Bottom line? From the top of this mountain there is no end in sight for computer forensics technology. After all, 92 percent of all information created is in digital form; computer forensic technology is here to stay."
Popular frauds
McGovern & Greene's Bobb said that most of his cases are related to employment issues or intellectual property. "For example, take an employee who leaves company A and goes to work for a competitor of company A, or starts a competing business. Usually before that employee leaves, he or she decides to either copy files off their work computer or e-mail it to an offsite location. In this instance, I wind up doing electronic discovery work for clients who receive a subpoena requesting keyword searches of e-mail files or the contents of a hard drive."
John Meara, a founder of Meara King & Co., in Kansas City, Mo., said that the cases he is getting typically relate to suspected asset misappropriations, many of which are, at the core, the theft of cash. "Others involve more complicated plots relating to attempts to undermine or steal a portion of a company's business."
According to John Mallery, managing consultant at BKD, in Kansas City, Mo., businesses today don't understand how widely information is being disseminated. "Got a call from a company who told me, 'We thought we had $4 million in our account. The bank tells us we are overdrawn by $500,000 and we can't find our CFO.' We went into the computers and found money going out. What happened? The CFO was a compulsive gambler."
Mallery explained that most people do shady things on the home computer, and "here you need a court order or subpoena to get to that hard drive, but you will prevail if you can show good reason to suspect illicit goings on."
He emphasized that often what you don't find can be just as important as what you do find. "For instance, a bank employee has been making unauthorized loans. The bank knows how much has been made. So, we go in and find no e-mails or other evidence of any other specific unauthorized loans. That isolated the matter. In effect, we found the hole and the bank plugged it."
Other areas, he added, involve labor and employment issues, sexual harassment, and age discrimination. "We can uncover supposedly deleted memos that are still lurking in the hard drive. With computer forensics, most of the work we get comes from lawyers. For example, people went to work for a competitor, taking information with them. We find that they e-mailed five-year plans from the old employer to the new one weeks before they left."
Summerford's Todd revealed that her firm is getting quite a bit of business dealing with fraud examinations, from discovering employees who have misappropriated company assets, to assisting investors who were defrauded. "In addition, there are considerable litigated and non-litigated matters, including assisting attorneys with their electronic discovery, helping them to identify, obtain, assess and analyze data, and determining the extent of economic damages."
Seward noted that digital or computer forensics has proven itself in commercial litigation, discovering theft of intellectual property and uncovering accounting frauds. "Does any business not have electronic books and records or e-mail?"
He said that electronic data discovery in litigation is practically mandatory. "The Federal Rules of Civil Procedure are currently in the process of being amended to include numerous provisions for electronic data discovery. That's not to say e-discovery is not now being used - just that it's about to become the law of the land."
Seward also noted that the computer forensics cases he sees are extremely varied and include collection judgments after discovery of hidden assets found on hard drives, business valuations, discovery of hidden financial information, examination of e-mail history, electronic data discovery in commercial litigation, recovery of deleted books and records, recovery of corrupt database files, and recovery of print files for use in commercial litigation.
Fraud 'war stories' vary
McGovern & Greene's Bobb recounted one case where his firm was performing a fraud investigation regarding an advertising executive whom they believed was embezzling from the company.
"Our usual procedures of following the paper trail were not turning up enough evidence to indicate whether or not the allegations were true or false," he said. "One of the investigators noted that the suspect never left his laptop unattended while at the office and always took it home with him. I was called in to image the suspect's laptop when it was discovered that he had taken it down to IT to get a problem fixed. I arrived on short notice, imaged the hard drive, and the laptop was returned to the suspect without his knowledge. After performing a keyword search on the hard drive and returning the results to the client, the suspect was terminated and prosecuted for embezzlement."
Meanwhile, Meara King's Meara highlighted a case of employee fraud at an insurance company.
"The controller became suspicious that a high-level executive assistant was circumventing internal controls. We ghost-copied some computer hard drives and performed data analysis on its disbursements history. We also analyzed the programs that were managed by the identified suspect."
He reported that in less than 30 days, the firm had identified $50,000 that was embezzled from an agent promotion program, embezzled cell phone service that appeared to be linked to illegal contraband distribution, e-mail activity that indicated improper business practices, vendor files that needed to be deleted or updated, and general deficiencies in internal controls.
Todd cited one case involving the second largest school district in the United States - Los Angeles.
"With over 730,000 students and 75,000 employees, it spans 700 square miles and has an annual budget in excess of $9 billion," she said. "Initially, its decision to build a learning center on a former oil field raised questions about the site selection process, but the project developer concluded the site was safe and should proceed as planned. Once the building was 60 percent complete, large pockets of methane gas were discovered that posed an immediate and serious safety risk. It was too late to install a methane barrier that would have stabilized the site, and the school district had to stop construction. Eventually, the site selection problem was revealed to be one of many serious flaws in how the project was managed."
She said that, in the media uproar following the announcement of the construction's termination, the Los Angeles Board of Education's inspector general demanded a full inquiry into the management of the project. Summerford Accountancy was engaged to determine the sources and uses of funds for the learning center and to advise the school district on system weaknesses.
"Achieving fast results was critical, given the daily media barrage focused on this high-profile project and the size of the expenditures involved," she said. "By acquiring the electronic data, we were able to uncover and identify fraudulent transactions within millions of lines of data quickly and efficiently."
Todd explained that Summerford's investigation of 10 years of electronic data uncovered the fact that 48 budget transfers authorized by one employee for $49,999 - each within a four-month period - had circumvented the district's policy requiring approval from the Board of Education of any transfer greater than $50,000. That translated into an over-billing of $2.1 million through payment applications made by the project developer, construction contractor and some of the sub-contractors, a circumvention of internal controls using direct payments that resulted in incorrect outstanding encumbrances over a period of five fiscal years totaling approximately $77.8 million. It also included fictitious vendors, duplicate payments and widespread violations of the competitive bidding policies throughout the district.
Seward related a fraud case that was slightly atypical.
"It is not often that a case goes to trial when computer forensic evidence is used to support the allegations contained in the court papers," he said. "This case was about greed, and the plaintiff attempting to collect on a promissory note that was not owed. In a jury-waived trial that lasted 16 full trial days and 18 witnesses, the opponent lost in the trial court and again before the appeals court. Perhaps one of the more difficult things to do in court is to argue and prove you do not owe the money (after you acknowledge its receipt) and you signed a promissory note. That is prima facie grounds, and in court, you can get ready to count one, two, three strikes, you lose. However, the client alleged an accord and satisfaction of the promissory note. The client borrows the money from the plaintiff, but the client was owed a similar amount from the plaintiff's corporation. The court found that the plaintiff and client reached an accord and satisfaction and the promissory note has been satisfied because of third-party trial testimony related to the computer forensic evidence. The computer forensic evidence was overwhelming against the plaintiff's attempt to collect on the already satisfied promissory note and the court awarded the client his legal fees."
Seward said that the computer forensic evidence showed that the plaintiff caused his corporation to remove the accounting entry for the accord and satisfaction (which had taken place more than a year prior to the filing of the lawsuit) three days before his scheduled deposition. "At the deposition, the plaintiff produced the altered financial statements of the plaintiff's corporation showing the amount was due the client, in an attempt to prove that no accord and satisfaction had been made."
In short, he said that the electronic database containing the books and records of the plaintiff's corporation was recovered from a laptop. As is often the case, the database was encrypted, but the password was easily decrypted in less than a minute during the computer forensic investigation.
"The plaintiff identified the monthly financial statements showing the amount owed the client as being the original and correct under oath at trial. At trial, the controller for the plaintiff's corporation and the CPA modified their deposition testimony when shown the computer forensic evidence. They then both testified the plaintiff's corporation books were altered to show the money was owed to the client and this was done after the filing of the lawsuit."
RGL's Wilson related the story of a bookkeeper at a school district office who went into the computer and changed the payees of the checks prior to the checks being issued, then changed them back again to the correct payees. This went on for years as the bookkeeper made the funds payable to her mortgage company. She ran up $330,000 in payments and was only caught when she was unexpectedly sick for a week. A temporary bookkeeper found pre-addressed checks in her drawer and began an audit of what had been going on over the years.
The requisite skills
Bobb said that the biggest benefit that a firm like his can render a potential client is that a computer forensic examiner is not only able to retrieve electronic evidence from a computer, but can also assist the client in understanding or interpreting what that potential evidence means and how it relates to their case.
"There are a lot of pieces to the puzzle when trying to uncover fraud in an organization, and the computer is one of those pieces. The examiner needs to be a member of the fraud investigation team," he explained. "An examiner needs to have a well-rounded background not only in computer forensics but also in business, accounting and some law to fully understand how to conduct a proper fraud/financial investigation that results in a benefit to the company."
Todd emphasized that the skills she employs involve identifying likely sources of relevant information, helping to ensure that data is not overlooked, obtaining the electronic evidence, and taking care to avoid spoliation and to maintain a defensible chain of custody.
She added that it also entails converting relevant data to a readable and usable format, including deleted, encrypted, compressed and password-protected files; filtering data to locate case-relevant information, including data that a user has attempted to conceal or destroy; and analyzing transactional data to determine the extent of fraudulent misconduct.
Meara said that his work requires a cross-discipline of accounting knowledge, general IT knowledge, and the ability to use the most cutting-edge software tools. "You have to know what the data means, where it is, how to get it and how to manipulate it."
Holtz added that at RC&H, "Our computer forensic specialists focus on providing sophisticated technical analysis and support in three primary areas: electronic discovery, computer investigation and incident response." One of the nation's pioneers in the area of investigative accounting, Holtz is known for his ability to track financial footprints and to present valid, accurate evidence of the nature and logistics of fraud.
BKD's Mallery maintained that computer forensics should not exist in a vacuum.
"I work with highly talented people who are expert in all sorts of fraud and forensics work," he said. "The field of computer forensics has increased dramatically over the past five years. Much has come about because of changes in the law, and various procedural rules have aided its growth. We're in a digital society now."
