A Guide to Forensic Accounting Investigation

Chapter 1

Fraud: An Introduction

Steven L. Skalak, Manny A. Alas, and Gus Sellitto

Fraud evokes a visceral reaction in us. It is an abuse of our expectation of fair treatment by fellow human beings. Beyond that, it is a blow to our self-image as savvy managers capable of deterring or detecting a fraudulent scheme. Whether we react because of our values or our vanity, nobody likes to be duped. Many elements of modern society are focused on maintaining an environment of fair dealing. Laws are passed; agencies are established to enforce them; police are hired; ethics and morals are taught in schools and learned in businesses; and criminals are punished by the forfeiture of their ill-gotten gains and personal liberty—all with a view to deterring, detecting, and punishing fraud. The profession of accounting and auditing grew out of society’s need to ensure fair and correct dealings in commerce and government.

One of the central outcomes of fraud is financial loss. Therefore, in the minds of the investing public, the accounting and auditing profession is inextricably linked with fraud deterrence, fraud detection, and fraud investigation. This is true to such an extent that there are those whose perception of what can be realistically accomplished in an audit frequently exceeds the services that any accountant or auditor can deliver and, in terms of cost, exceeds what any business might be willing to pay (see Chapter 3). In the past decade, public anger over occurrences of massive fraud in public corporations and the conduct of financial institutions has spawned substantial government spending, regulatory reform, global convergence of accounting standards, new auditing standards, new oversight of the accounting profession, and greater penalties for those who conspire to commit or conceal financial fraud or act corruptly.

This book addresses the distinct roles of corporate directors, management, external auditors, internal auditors, and forensic accounting investigators with respect to fraud deterrence, fraud detection, and fraud investigation.¹ As will quickly become apparent later in this introductory chapter, these professionals are by no means the only ones concerned with combating fraud. However, each has a significant role in the larger effort to minimize fraud.

FRAUD: WHAT IS IT?

Generally, all acts of fraud can be distilled into four basic elements:

1. A false representation of a material nature²

2. Scienter—knowledge that the representation is false, or reckless disregard for the truth

3. Reliance—the person receiving the representation reasonably and justifiably relied on it

4. Damages—financial damages resulting from all of the foregoing

By way of illustration, consider the classic example of the purchase of a used car. The salesperson is likely to make representations about the quality of the car, its past history, and the quality of parts subject to wear and tear, ranging from the transmission to the paint job. The elements of fraud may or may not arise out of such statements. First, there is a distinction between hype and falsehood. The salesperson hypes when he claims that the 1977 Chevy Vega runs like new. However, were he to turn back the odometer, he would be making a false representation. Second, the false statement must be material. If the odometer reading is accurate, the salesperson’s representation that the car runs like new or was only driven infrequently, is, strictly speaking, mere hype: The purchaser need only look at the odometer to form a prudent view of the extent of use and the car’s likely roadworthiness. Third, the fraudster must make the material false misrepresentation with scienter, that is, with actual knowledge that the statement is false or with a reckless disregard for the truth. For example, the car may or may not have new tires. But if the salesperson, after making reasonable inquiries, truly believes that the Vega has new tires, there is no knowing misrepresentation. There may be negligence, but there is no fraud. Fourth, the potential victim must justifiably rely on the false representation. A buyer who wants a blue car may actually believe the salesperson’s representation that it’s really blue but looks red in this light. Reliance in that case is, at best, naive and certainly not justified. Finally, there must be some form of damage. The car must in fact prove to be a lemon when the purchaser drives off in it and realizes that he has been misled. Regardless of context, from Enron, Siemens, or Countrywide to Honest Abe’s Used Car Lot, fraud is fraud, and it displays the four simple elements noted earlier.

FRAUD: PREVALENCE, IMPACT, AND FORM

Fraud is a feature of every organized culture in the world. It affects many organizations, regardless of size, location, or industry. According to the Association of Certified Fraud Examiners’ survey, approximately $994 billion was lost by U.S. companies in 2008 due to occupational fraud and abuse, and over one in four cases cost the organization in excess of $1 million.³ Twenty-nine percent of all fraud is committed by accounting department employees, and 18 percent of frauds were committed by members of upper management.⁴ According to PwC’s 2009 Securities Litigation Study, senior officers of companies continue to be named in the majority of filings during 2009. The percentage of U.S. federal securities class action lawsuits naming the CEO, CFO, chairman, and president were 81 percent, 62 percent, 47 percent, and 62 percent, respectively.⁵

If one were to look at the FBI’s statistics for white-collar crime, however, one would not reach this conclusion because those statistics are based upon prosecutions and, as discussed in Chapter 19, Supporting a Criminal Prosecution, the overwhelming majority of frauds are not prosecuted. Based upon our own experience as well as on surveys conducted by PricewaterhouseCooper (hereafter referred to throughout as PwC) (PwC Economic Crime Survey) and the Association of Certified Fraud Examiners (ACFE), we believe that fraud is pervasive.

According to the 2009 PwC Global Economic Crime Survey statistics, 30 percent of organizations fell victim to fraud over the previous 12 months. This is compared to 43 percent in 2007 and 45 percent in 2005, which both look back two years.⁶ Respondents from Eastern and Western Europe were among the companies reporting the highest incidents of fraud; for example, 71 percent of organizations in Russia and 43 percent in the United Kingdom reported having experienced fraud in their organization.⁷ Across all companies surveyed, 27 percent said that the direct financial impact of fraud exposure was more than $500,000, and 25 percent of those reporting accounting fraud believed that it had cost them more than $1 million.⁸ Overall, the reality of fraud is greater than the perception. Statistics from our 2007 survey show that 13 percent and 6 percent of respondents thought it was likely that they would experience asset misappropriation and accounting fraud, respectively, over the next two years. Interestingly, those numbers may be low, given that in our 2009 survey, 20 percent of companies reported being victims of asset misappropriation and 11 percent reported having experienced accounting fraud.⁹

FRAUD IN HISTORICAL PERSPECTIVE

Fraud in one form or another has been a fact of business life for thousands of years. In Hammurabi’s Babylonian Code of Laws, dating to approximately 1800 B.C.E., the problem of fraud is squarely faced: If a herdsman, to whose care cattle or sheep have been entrusted, be guilty of fraud and make false returns of the natural increase, or sell them for money, then shall he be convicted and pay the owner ten times the loss.¹⁰ The earliest lawmakers were also the earliest to recognize and combat fraud.

In the United States, frauds have been committed since the colonies were settled. A particularly well-known fraud of that era was perpetrated in 1616 in Jamestown, Virginia, by Captain Samuel Argall, the deputy governor. Captain Argall allegedly fleeced investors in the Virginia Co. of every chicken and dry good that wasn’t nailed down.¹¹ According to the book Stealing from America, within two years of Argall’s assumption of leadership in Jamestown, the whole estate of the public was gone and consumed. . . .¹² When he returned to England with a boat stuffed with looted goods, residents and investors were left with only six goats.¹³

Later, during the American Civil War, certain frauds became so common that legislatures recognized the need for new laws. One of the most egregious frauds was to bill the United States government for defective or nonexistent supplies sold to the Union Army. The federal government’s response was the False Claims Act, passed in March 1863, which assessed corrupt war profiteers double damages and a $2,000 civil fine for each false claim submitted. Remarkably enough, this law is still in force, though much amended.

Soon after the Civil War, another major fraud gained notoriety: the Crédit Mobilier scheme of 1872. Considered the most serious political scandal of its time, this fraud was perpetrated by executives of the Union Pacific Railroad Company, operating in conjunction with corrupt politicians. Crédit Mobilier of America was set up by railroad management and by Representative Oakes Ames of Massachusetts, ostensibly to oversee construction of the Union Pacific Railroad.¹⁴ Crédit Mobilier charged Union Pacific (which was heavily subsidized by the government) nearly twice the actual cost of completed work and distributed the extra $50 million to company shareholders.¹⁵ Shares in Crédit Mobilier were sold at half price, and at times offered gratis, to congressmen and prominent politicians for the purpose of buying their support. Among the company’s famous shareholders were Vice President Schuyler Colfax, Speaker of the House James Gillespie Blaine, future vice presidents Henry Wilson and Levi Parsons Morton, and future president James Garfield.¹⁶

TYPES OF FRAUD

There are many different types of fraud, and many ways to characterize and catalog fraud; those of the greatest relevance to accountants and auditors, however, are the following broad categories:

Employee Fraud¹⁷/Misappropriation of Assets. This type of fraud involves the theft of cash or inventory, skimming revenues, payroll fraud, and embezzlement. Asset misappropriation is the most common type of fraud.¹⁸ Primary examples of asset misappropriation are fraudulent disbursements such as billing schemes, payroll schemes, expense reimbursement schemes, check tampering, and cash register disbursement schemes. Sometimes employees collude with others to perpetrate frauds, such as aiding vendors intent on overbilling the company. An interesting distinction: Some employee misdeeds do not meet the definition of fraud because they are not schemes based on communicating a deceit to the employer. For example, theft of inventory is not necessarily a fraud—it may simply be a theft. False expense reporting, on the other hand, is a fraud because it involves a false representation of the expenses incurred. This fraud category also includes employees’ aiding and abetting others outside the company to defraud third parties.

Financial Statement Fraud. This type of fraud is characterized by intentional misstatements or omissions of amounts or disclosures in financial reporting to deceive financial statement users. More specifically, financial statement fraud involves manipulation, falsification, or alteration of accounting records or supporting documents from which financial statements are prepared. It also refers to the intentional misapplication of accounting principles to manipulate results. According to a study conducted by the Association of Certified Fraud Examiners, fraudulent financial statements, as compared with the other forms of fraud perpetrated by corporate employees, usually have a higher dollar impact on the victimized entity as well as a more negative impact on shareholders and the investing public.¹⁹

As a broad classification, corruption straddles both misappropriation of assets and financial statement fraud. Transparency International, a widely respected not-for-profit think tank, defines corruption as the abuse of entrusted power for private gain.²⁰ We would expand that definition to include corporate gain as well as private gain. Corruption takes many forms and ranges from executive compensation issues to payments made to domestic or foreign government officials and their family members. Corrupt activities are prohibited in the United States by federal and state laws. Beyond U.S. borders, contributions to foreign officials are prohibited by the Foreign Corrupt Practices Act.

This book is primarily concerned with fraud committed by employees and officers, some of which may lead to the material distortion of financial statement information, and the nature of activities designed to deter and investigate such frauds. Circumstances in which financial information is exchanged (generally in the form of financial statements) as the primary representation of a business transaction are fairly widespread. They include, for example, regular commercial relationships between a business and its customers or vendors, borrowing money from banks or other financial institutions, buying or selling companies or businesses, raising money in the public or private capital markets, and supporting the secondary market for trading in public company debt or equity securities. This book focuses primarily on three types of fraud:

1. Frauds perpetrated by people within the organization that result in harm to the organization itself

2. Frauds committed by those responsible for financial reporting, who use financial information they know to be false so they can perpetrate a fraud on investors or other third parties, whereby the organization benefits

3. Corrupt acts by companies or their executives, whereby the executive personally or the company benefits

ROOT CAUSES OF FRAUD

As society has evolved from barter-based economies to e-commerce, so has fraud evolved into complex forms—Hammurabi’s concern about trustworthy shepherds was just the beginning. In the early 2000s, companies headquartered in the developed world took the view that their business risk was highest in emerging, or Third World regions, where foreign business cultures and less-developed regulatory environments were believed to generate greater risk.²¹ Gaining market access and operating in emerging or less-developed markets seemed often enough to invite business practices that were wholly unacceptable at home. Sharing this view, the governments of major industrial countries enacted legislation to combat the potential for corruption. The United States enacted the Foreign Corrupt Practices Act (FCPA); countries working together in the Organisation for Economic Co-operation and Development (OECD) enacted the Convention on Combating Bribery of Foreign Public Officials in International Business Transactions (known as the OECD Convention); the United Nations adopted the United Nations Convention against Corruption (UNCAC); Canada enacted the Corruption of Foreign Public Officials Act; and the United Kingdom passed its Bribery Act in 2010.

This way of thinking about risk and markets and of combating corruption and fraud is no longer adequate, however. The new paradigm for understanding risk postulates that fraud risk factors are borderless and numerous. Fraud is now understood to be driven by concerns over corporate performance, financing pressures including access to financing, the competition to enter and dominate markets, legal requirements and exposure, and personal needs and agendas.²² The need for this new paradigm has become increasingly clear in the past few years, when the greatest risk to investors has appeared to be participation in the seemingly well-regulated and well-established U.S. and European markets. More recently, events at several major European multinationals have shown that the risk of massive fraud and corruption knows no borders.

The recent spate of Ponzi schemes, corruption, and financial scandals has demonstrated that large-scale corporate improprieties can and do occur in sophisticated markets; they are by no means the exclusive province of foreign or remote markets. Capital market access and the related desire of listed companies to boost revenue growth, and investors’ desire to achieve significant and stable returns, through whatever means necessary, are major factors contributing to financial malfeasance worldwide.

A HISTORICAL ACCOUNT OF THE AUDITOR’S ROLE

We have briefly examined the elements, forms, and evolution of fraud. We can now examine the role of one of the key players in the effort to detect fraud, the auditor.

Auditing: Ancient History

Historians believe that recordkeeping originated about 4000 B.C.E., when ancient civilizations in the Near East began to establish organized governments and businesses. ²³ Governments were concerned about accounting for receipts and disbursements and collecting taxes. An integral part of this concern was establishing controls, including audits, to reduce error and fraud on the part of incompetent or dishonest officials.²⁴ There are numerous examples in the ancient world of auditing and control procedures employed in the administration of public finance systems. The Shako dynasty of China (1122–256 B.C.E.), the assembly in classical Athens, and the Senate of the Roman Republic all exemplify early reliance on formal financial controls.²⁵

Much later, in the twelfth and thirteenth centuries, records show that auditing work was performed in England, Scotland, Italy, and France. The audits in Great Britain performed before the seventeenth century were directed primarily at ensuring the accountability of funds entrusted to public or private officials.²⁶ Those audits were not designed to test the quality of the accounts, except insofar as inaccuracies might point to the existence of fraud.

Economic changes between 1600 and 1800, which saw the beginning of widespread commerce, introduced new accounting concerns focused on the ownership of property and the calculation of profit and loss in a business sense. At the end of the seventeenth century, the first law prohibiting certain officials from serving as auditors of a town was enacted in Scotland, thus introducing the modern notion of auditor independence.²⁷

Growth of the Auditing Profession in the Nineteenth Century

It was not until the nineteenth century, with the growth of railroads, insurance companies, banks, and other joint stock companies, that the auditing profession became an important part of the business environment. In Great Britain, the passage of the Joint Stock Companies Act in 1844 and later the Companies Act in 1879 contributed greatly to the auditing field in general and to the development of external auditing in the United States.²⁸ The Joint Stock Companies Act required companies to make their books available for the critical analysis of shareholders at the annual meeting. The Companies Act in 1879 required all limited liability banks to submit to auditing, a requirement later expanded to include all such companies.²⁹ Until the beginning of the twentieth century, independent audits in the United States were modeled on British practice and were in fact conducted primarily by auditors from Britain, who were dispatched overseas by British investors in U.S. companies. British-style audits, dubbed bookkeeper audits, consisted of detailed scrutiny of clerical data relating to the balance sheet. These audits were imperfect at best. J. R. Edwards, in Legal Regulation of British Company Accounts, 1836–1900, cites the view of Sir George Jessel, a lawyer and judge famous in his day, on the quality of external auditing soon after passage of the Companies Act:

The notion that any form of account will prevent fraud is quite delusive. Anybody who has had any experience of these things knows that a rogue will put false figures into an account, or cook as the phrase is, whatever form of account you prescribe. If anybody imagines that will protect the shareholders, it is simply a delusion in my opinion. . . . I have had the auditors examined before me, and I have said, You audited these accounts? Yes. Did you call for any vouchers? No, we did not; we were told it was all right, we supposed it was, and we signed it.³⁰

Yet by the end of the nineteenth century, the most sophisticated minds in the auditing field were certain that auditors could do much better than this. Witness the incisive view of Lawrence R. Dicksee, author of a manual widely studied in its day (and still available today, many editions later):

The detection of fraud is the most important portion of the Auditor’s duties, and there will be no disputing the contention that the Auditor who is able to detect fraud is—other things being equal—a better man than the auditor who cannot. Auditor[s] should, therefore, assiduously cultivate this branch of their functions. …³¹

In response to the rapidly expanding American business scene, audits in the United States evolved from the more cumbersome British practice into test audits. According to Montgomery’s Auditing, the emergence of independent auditing was largely due to the demands of creditors, particularly banks, for reliable financial information on which to base credit decisions.³² That demand evolved into a series of state and federal securities acts, which significantly increased a company’s burden to publicly disclose financial information and, accordingly, catapulted the auditor into a more demanding and visible role.

Federal and State Securities Regulation before 1934

Before the creation of the Securities and Exchange Commission (SEC) in 1934, financial markets in the United States were severely under-regulated. Before the stock market crash of 1929, there was very little appetite for federal regulation of the securities market, and proposals that the government require financial disclosure and prevent the fraudulent sale of stock were not seriously pursued.³³ Investors were largely unconcerned about the dangers of investing in an unregulated market. In fact, many were seduced by the notion that they could make huge sums of money on the stock market. In the 1920s, approximately 20 million large and small shareholders took advantage of the postwar boom in the economy and tried to make their fortunes by investing in securities.³⁴

Although there was little interest during the first decades of the century in instituting federal oversight of the securities industry, state legislatures had already begun to regulate the securities industry.³⁵ States in the Midwest and West were most active in pursuing securities regulation in response to citizens’ complaints that unscrupulous salesmen and dishonest stock schemes were victimizing them.³⁶ The first comprehensive securities law of the era was enacted by Kansas in 1911. That law, the first of many known as blue-sky laws, required the registration of both securities and those who sold them.³⁷ The intent was to prevent fraud in the sale of securities and also to prevent the sale of securities of companies whose organization, plan of business, or contracts included provisions that were unfair, unjust, inequitable, or oppressive or if the investment did not promise a fair return. In the two years following the enactment of the securities laws in Kansas in 1911, 23 states passed some form of blue-sky legislation.³⁸

It was only after the stock market crash in 1929 and the ensuing Great Depression that interest in enacting federal securities legislation became widespread. Congress passed the Securities Act of 1933, which had the basic objectives of requiring that investors receive financial and other significant information concerning securities offered for public sale, and prohibiting deceit, misrepresentations, and other fraud in the sale of securities. The primary means of accomplishing these goals was the disclosure of important financial information through the registration of securities.³⁹

The second fundamental set of laws, the Securities Exchange Act of 1934, created the Securities and Exchange Commission and granted it broad authority over all aspects of the securities industry, including registering, regulating, and overseeing brokerage firms, transfer agents, and clearing agencies. The Act addressed the need for regulation of the securities industry, as well as the need to address the potential for fraud inherent within it. Several sections of the Act deal with fraud, including Section 9 (Manipulation of Security Prices), Section 10 (Manipulative and Deceptive Devices), Section 18 (Liability for Misleading Statements), Section 20 (Liability of Controlling Persons and Persons Who Aid and Abet Violations), and Section 20A (Liability to Contemporaneous Traders for Insider Trading).

Current Environment

The financial scandals in the years 2000 and 2001 at major corporations and conflict of interest issues in the financial services industry caused investor confidence in the stock market to decline dramatically. In response to the wave of corporate malfeasance, the U.S. Congress passed the Sarbanes-Oxley Act of 2002, intended to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.⁴⁰

Sarbanes-Oxley prohibits accounting firms from providing many consulting services for the companies they audit, requires audit committees to select and essentially oversee the external auditor, and generally strengthens the requirement that auditors must be independent from their clients. Section 101 of the Sarbanes-Oxley Act established the Public Company Accounting Oversight Board (PCAOB) to oversee the audit of public companies that are subject to the securities laws and related matters. The purpose of the PCAOB is to protect the interests of investors and to further the public interest.⁴¹ The PCAOB was authorized to establish auditing and related professional practice standards, and Rule 3100 requires the auditor to comply with these standards.⁴² The Sarbanes-Oxley Act began an extensive and still-evolving series of audit rule changes, prompting the issuance of three auditing standards.

In October 2002, the AICPA issued Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit. Effective for audits of financial statements for periods beginning on or after December 15, 2002, SAS 99 sought to improve auditing practice, especially as it relates to the auditor’s role in detecting fraud, if it exists, in the course of the audit. According to the AICPA president and CEO, the standard was meant to substantially change auditor performance, thereby improving the likelihood that auditors will detect material misstatements due to fraud by putting fraud in the forefront of the auditor’s mind.⁴³ Furthermore, according to the AICPA’s own assessment, the standard would be the cornerstone of a multifaceted effort by the AICPA to help restore investor confidence in U.S. capital markets . . . to reestablish audited financial statements as a clear picture window into Corporate America.⁴⁴ The standard, however, does not increase or alter the auditor’s fundamental responsibility, which is to plan and conduct an audit such that if there is a fraud or error causing a material misstatement of a company’s financial statements, it may be detected. While this seems an unambiguous mandate, there still remains a difference between the public perception that audits should detect all fraud and the actual standards governing the conduct of audits. There is a significant and legitimate difference between performing an audit and conducting a financial fraud investigation. That difference is explored throughout this book.

In November 2003, the SEC approved the final versions of corporate governance listing standards proposed by the NYSE and NASDAQ stock markets. Both standards expand upon the Sarbanes-Oxley Act of 2002 and SEC rules to impose significant new requirements on listed companies. These sweeping reforms mandate independence of directors, increased transparency, and new standards for corporate accountability. These and other governance standards emphasize the importance of enhancing governance, ethics, risk, and compliance oversight capabilities.

In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its new Enterprise Risk Management framework. The new COSO framework identifies key elements of an effective enterprise risk management approach for achieving financial, operational, compliance, and reporting objectives. The new COSO framework emphasizes the critical role played by governance, ethics, risk, and compliance in enterprise management.

On November 1, 2004, the United States Organizational Sentencing Guidelines (the Guidelines) were amended to provide expanded guidance regarding the criteria for effective compliance programs. The Guidelines emphasize the importance of creating a culture of compliance within the organization; establish the governance and oversight responsibilities of the board and senior management; and frame the need for dedicating appropriate resources and authority. The Guidelines also focus on the relationship between governance, ethics, risk management, and compliance.

These efforts, though laudable, have not prevented a further wave of financial market turmoil. The collapse of the credit markets in the United States and Europe was brought on in part by the bursting real estate bubble and the consequent exposure of poor lending practices as financial institutions chased fee income from generating new transactions, instead of traditional sources of profitability based on their interest rate spread between assets and liabilities. At the same time, the rise of unregulated private equity, hedge fund, and other investment partnerships promising returns beyond market expectations in size and stability fueled speculative investing and poor due diligence practices. The failure during this liquidity crisis of massive financial market participants like Countrywide and Merrill Lynch (both absorbed by Bank of America), Bear Stearns being merged with JP Morgan Chase, Lehman Brothers falling into liquidation, and Citigroup and AIG, among others, receiving billions in government support payments (see Exhibit 1.1) has been the consequence of speculation in the markets.

EXHIBIT 1.1 Largest Recipients of TARP: Capital Purchase Program⁵⁷

This volatile combination of investor greed and institutional focus on transaction flow as opposed to credit risk management has spawned a new wave of investor and market protection regulation. Most significant among these newly proposed measures is the proposal (pending at the time this chapter was written) to establish a new oversight agency called the Consumer Financial Protection Agency. Legislation proposed by President Obama’s administration in 2009 calls for the establishment of an agency that will be charged with setting and enforcing clear rules for consumers and banks. The SEC is also taking aim at improving their expertise and efficiency through various initiatives, including creating five new national specialized investigative groups dedicated to high priority areas of enforcement (that is, asset management, market abuse, structured and new products, the Bureau of Consumer Financial Protection, and municipal securities).⁴⁵ Despite the experiences from the burst of the dotcom bubble in 2000 and 2001, it appears that financial markets and financial market participants remained a step ahead of regulations, demonstrating that fraud is a continuing and intractable problem, to which many lend substantial creative energy, as is discussed in Chapter 2, Psychology of the Fraudster.

Other significant developments are attempts at increased transparency relating to corporate risk management and compensation practices, as well as calls for significant pay regulation of top executives, especially at entities funded in part by government money. Effective February 28, 2010, SEC rules require disclosure in proxy and information statements to include:

The relationship of a company’s compensation policies and practices to risk management

The background and qualifications of directors and nominees

Legal actions involving a company’s executive officers, directors, and nominees

The consideration of diversity in the process by which candidates for director are considered for nomination

Board leadership structure and the board’s role in risk oversight

Stock and option awards to company executives and directors

Potential conflicts of interest of compensation consultants⁴⁶

The United Kingdom has acted similarly in this period, proposing a tax on executive bonus of 50 percent on amounts over 25,000 pounds.

Much of this regulatory activity was in response to the fraudulent mortgage origination practices in the U.S. real estate industry. Consistently rising housing prices in many parts of the nation, combined with new financial products and a banking industry that treated mortgages as a fee-flow and an asset to be securitized and sold off to others, and the uniquely irresponsible American approach to credit consumption to keep up with the Joneses created fertile grounds for fraud. One popular mortgage product—the no-documentation loan—went so far as to encourage fraudulent misrepresentation of assets or income by eliminating the documentation requirements.

On the corporate finance front, the basic principles of a fraudulent borrowing scheme were alleged against issuers and brokers of auction rate securities. These short-term corporate finance vehicles, similar to commercial paper, were allegedly sold to investors on the basis of their cash-like security, but with a higher return. The safety of the investor’s money, however, depended entirely upon the sufficiency of bidders at each auction date, at which time the interest rate for the coming period was set. Without sufficient bidders, an investor looking to withdraw his funds could not, and was forced to reinvest. The attorney general of the state of New York brought several successful actions alleging various financial institutions made misrepresentations in their marketing and sales of auction rate securities that were marketed and sold as safe, cash-equivalent products, when in fact they faced increasing liquidity risk.⁴⁷ Several firms, including Merrill Lynch, Goldman Sachs, Deutsche Bank, and Wachovia reached settlements with the attorney general in which the firms agreed to buy-backs of all auction rate securities. In the case against Wachovia,⁴⁸ Wachovia represented to its customers that auction rate securities were money market alternatives and liquid investments, when in fact auction rate securities were different from cash and money market instruments because the liquidity of the auction rate security relied on the successful operation of the auction. According to the attorney general, investors relied upon these representations, and when the market collapsed in February 2008, investors were stuck holding on to securities with no value.

AUDITORS ARE NOT ALONE

Although auditors have long been recognized to have an important role in detecting fraud, it is well recognized that they do not operate in a vacuum. Management, boards of directors, standard setters, and market regulators are key participants in corporate governance, each charged with specific responsibilities in the process of ensuring that financial markets, investors, and other users of corporate financial reports are well served. They are, in effect, links in a corporate reporting supply chain (CRSC) that includes several additional participants (see Exhibit 1.2).

EXHIBIT 1.2 The Corporate Reporting Supply Chain

The concept of the corporate reporting supply chain makes clear that auditors are only one of several interconnected participants having a role in delivering accurate, timely, and relevant financial reports into the public domain.⁴⁹ While many may consider the internal, external, and regulatory auditors as the first lines of defense against fraud, they are, in fact, all in secondary positions. The first line of defense is a properly constructed system of corporate governance, risk management, and internal controls, for which management is responsible. The board, in turn, and its audit committee are responsible for overseeing management on behalf of shareholders, and so the board, too, has its share of responsibility for defending against fraud.

Management and the board share responsibility for certain critical aspects of deterring fraud in financial reporting:

Setting a tone at the top that communicates the expectation of transparent and accurate financial reporting

Responding quickly, equitably, and proportionately to violations of corporate policy and procedure

Maintaining internal and external auditing processes independent of management’s influence

Ensuring a proper flow of critical information to the board and external parties

Establishing an adequate system of internal accounting control that will satisfy the requirements of Section 404 of the Sarbanes-Oxley Act

Investigating and remediating problems when they arise

These duties are far-reaching. They incorporate responsibilities from every component of the fraud deterrence cycle discussed in the next section. And they represent the first line of defense against fraud. While an audit responds to the risk of fraud, the forensic accounting investigation responds to suspicions, allegations, or evidence of fraud. These different activities are explored throughout this text.

DETERRENCE, AUDITING, AND INVESTIGATION

The increased size and impact of financial reporting scandals and the related loss of billions of dollars of shareholder value have rightly focused both public and regulatory attention on all aspects of financial reporting fraud and corporate governance. Some of the issues upsetting investors and regulators—for example, executive pay that could be considered by some to be excessive—are in the nature of questionable judgments, but do not necessarily constitute fraud. At the other end of the spectrum, there have been more than a few examples of willful deception directed toward the investing community through fabricated financial statements, and many of these actions are being identified and punished—for example, Bernie Madoff’s audacious Ponzi scheme. The investing public may not always make a fine distinction between the outrageous and the fraudulent—between bad judgment and wrongdoing. However, for professionals charged with the deterrence, discovery, investigation, and remediation of these situations, a systematic and rigorous approach is essential.

The remainder of this chapter discusses various elements of what we call the fraud deterrence cycle (Exhibit 1.3), many of which will be the topics of chapters to come. Without an effective regimen of this kind, fraud is much more likely to occur. Yet even with a fraud deterrence regimen effectively in place, there remains a chance that fraud will occur. Absolute fraud prevention is a laudable but unobtainable goal. No one can create an absolutely insurmountable barrier against fraud, but many sensible precautionary steps can and should be taken by organizations to deter fraudsters and would-be fraudsters. While fraud cannot be completely prevented, it can and should be deterred.

EXHIBIT 1.3 The Fraud Deterrence Cycle

CONCEPTUAL OVERVIEW OF THE FRAUD DETERRENCE CYCLE

The fraud deterrence cycle occurs over time, and it is an interactive process. Broadly speaking, it has four main elements:

1. Establishment of corporate governance and risk assessment

2. Implementation of transaction-level control processes, often referred to as the system of internal accounting controls; generally of both a deterrent (often called preventative) and detective nature

3. Retrospective examination of governance and control processes through audit examinations

4. Investigation and remediation of suspected or alleged problems

Corporate Governance

An appropriate system of governance should be born with the company itself, and grow in complexity and reach as the company grows. It should predate any possible opportunity for fraud. Corporate governance is about setting and monitoring objectives, tone, policies, risk appetite, accountability, and performance. Embodied in this definition is also a set of attitudes, policies, procedures, delegations of authority, and controls that communicate to all constituencies, including senior management, that fraud will not be tolerated. It further communicates that compliance with laws, ethical business practices, accounting principles, and corporate policies is expected, and that any attempted or actual fraud is expected to be disclosed by those who know or suspect that fraud has occurred. There is substantial legal guidance concerning standards for corporate governance, but generally, the substance and also the vigorous communication of governance policies and controls need to make clear that fraud will be detected and punished. While prevention would be a desirable outcome for corporate governance programs, complete prevention is impossible. Deterrence, therefore, offers a more realistic view. In short, corporate governance is an entire culture that sets and monitors behavioral expectations intended to deter the fraudster.

Today, changes in business are being driven by increased stakeholder demands, heightened public scrutiny, and new performance expectations. Critical issues related to governance reform are surfacing in the marketplace on a daily basis. These issues include:

Protecting corporate reputation and brand value

Meeting increased demands and expectations of investors, legislators, regulators, customers, employees, analysts, consumers, and other stakeholders

Searching for new markets and growth in an increasingly interconnected global economy

Driving value and managing performance expectations for governance, ethics, risk management, and compliance

Managing crisis and remediation while defending the organization and its executives and board members against the increased scope of legal enforcement and the rising impact of fines, penalties, and business disruption

Boards and management must effectively oversee a number of key business processes to better execute effective governance, including the following:

Strategy and operational planning

Risk management

Ethics and compliance (tone at the top)

Performance measurement and monitoring

Mergers, acquisitions, and other transformational transactions

Management evaluation, compensation, and succession planning

Communication and reporting

Governance dynamics

All the preceding elements are critical to a good governance process.

Transaction-Level Controls

⁵⁰

Transaction-level controls are next in the cycle. They are accounting and financial controls designed to help ensure that only valid, authorized, and legitimate transactions occur and to safeguard corporate assets from loss due to theft or other fraudulent activity. These procedures are preventive because they may actively block or prevent a fraudulent transaction from occurring. Such systems, however, are not foolproof, and fraudsters frequently take advantage of loopholes, inconsistencies, or vulnerable employees. As well, they may engage in a variety of deceptive practices to defeat or deceive such controls. Anti-money-laundering procedures employed by financial institutions are an excellent example of a proactive process designed to deter fraudulent transactions from taking place through a financial institution. Another familiar example is policy relating to the review and approval of documentation in support of disbursements.

Retrospective Examination

The first two elements of the fraud deterrence cycle are the first lines of defense against fraud and are designed to deter fraud from occurring in the first place. Next in the cycle are the retrospective procedures designed to help detect fraud before it becomes large and, consequently, harmful to the organization. Retrospective procedures such as those performed by management, auditors, and forensic accounting investigators do not prevent fraud in the same way that front-end transaction controls do, but they form a key link in communicating intolerance for fraud and discovering problems before they grow to a size that could threaten the welfare of the organization. Furthermore, with the benefit of hindsight, the cumulative impact of what may have appeared as innocent individual transactions at the time of execution may prove to be problematic in the aggregate. Although detective controls and auditing cannot truly prevent fraud in the sense of stopping it before it happens, they are an important part of an overall fraud deterrence regime.

Investigation and Remediation

Positioned last in the fraud deterrence cycle is forensic accounting investigation of suspected, alleged, or actual frauds. Entities that suspect or experience a fraud should undertake a series of steps to credibly maintain and support the other elements of the fraud deterrence cycle. Investigative findings often form the basis for both internal actions such as suspension or dismissal and external actions⁵¹ against the guilty parties or restatement of previously issued financial statements. An investigation should also form the basis for remediating control procedures. Investigations should lead to actions commensurate with the size and seriousness of the impropriety or fraud, no matter whether it is found to be a minor infraction of corporate policy or a major scheme to create fraudulent financial statements or misappropriate significant assets.

All elements of the cycle are interactive. Policies are constantly reinforced and revised, controls are continually improved, audits are regularly conducted, and investigations are completed and acted upon as necessary. Without the commitment to each element of the fraud deterrence cycle, the overall deterrent effect is substantially diminished.

FIRST LOOK INSIDE THE FRAUD DETERRENCE CYCLE

We have seen that the fraud deterrence cycle involves four elements: corporate governance, transaction-level controls, retrospective examination, and investigation and remediation. Here we want to take a first look inside each of the elements to identify some of their main features.

Corporate Governance

In our experience, the key elements of corporate governance are:

An independent board composed of a majority of directors who have no material relationship with the company

An independent chairperson of the board or an independent lead director

An audit committee that actively maintains relationships with internal and external auditors

An audit committee that includes at least one member who has financial expertise, with all members being financially literate

An audit committee that has the authority to retain its own advisors and launch investigations as it deems necessary

Nominating and compensation committees composed of independent directors

A compensation committee that understands whether it provides particularly lucrative incentives that may encourage improper financial reporting practices or other behavior that goes near or over the line

Board and committee meetings regularly held without management and CEO present

Explicit ethical commitment (walking the talk) and a tone at the top that reflects integrity in all respects

Prompt and appropriate investigation of alleged improprieties

Internally publicized enforcement of policies on a no-exception or zero-tolerance basis

The board or audit committee’s reinforcement of the importance of consistent disciplinary action of individuals found to have committed fraud

Timely and balanced disclosure of material events concerning the company

A properly administered hotline or other reporting channels, independent of management

An internal audit function that reports directly to the audit committee without fear of being edited by management (CEO, CFO, controller, and others)

Budgeting and forecasting controls

Clear and formal policies and procedures, updated in a timely manner as needed

Well-defined financial approval authorities and limits

Timely and complete information flow to the board

Transaction-Level Controls

Systems of internal accounting control are also key elements in the fraud deterrence cycle. Literature on this topic is extensive, but one manual in particular is widely recognized as authoritative: Internal Control—Integrated Framework, prepared by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and published by the American Institute of Certified Public Accountants. This manual lays out a comprehensive framework for internal control. Any entity undertaking fraud deterrence will want to be conversant with the elements and procedures covered in this book. Briefly, the critical elements highlighted in the COSO framework are:

The Control Environment. This is the foundation for all other components of internal control, providing discipline and structure, and influencing the control awareness of the organization’s personnel. Control environment factors include the integrity, ethical values, and competence of the organization’s people; management’s philosophy and operating style; management’s approach to assigning authority and responsibility; and how personnel are organized and developed.⁵²

Risk Assessment. Effectively assessing risk requires the identification and analysis of risks relevant to the achievement of the entity’s objectives as a basis for determining how those risks should be managed and controlled. Because economic, industry, regulatory, and operating conditions continually change, mechanisms are needed to identify and deal with risks on an ongoing basis.⁵³

Control Activities. Control activities occur throughout an organization at all levels and in all functions, helping to ensure that policies, procedures, and other management directives are carried out. They help, as well, to ensure that necessary actions are taken to address risks that may prevent the achievement of the organization’s objectives. Control activities are diverse, but certainly may include approvals, authorizations, verifications, reconciliations, operating performance reviews, security procedures over facilities and personnel, and segregation of duties.⁵⁴

Information and Communication. Successfully operating and controlling a business usually requires the preparation and communication of relevant and timely information. This function relies in part on information systems that produce reports containing operational, financial, and compliance-related data necessary for informed decision making. Communication should also occur in the broader sense, flowing down, up, and across the organization, so that employees understand their own roles and how they relate to others. Furthermore, there must be robust communication with external parties such as customers, suppliers, regulators, and investors and other stakeholders.⁵⁵

Monitoring. COSO recognizes that no system can be both successful and static. It should be monitored and evaluated for improvements and changes made necessary by changing conditions. The scope and frequency of evaluations of the internal control structure depend on risk assessments and the overall perceived effectiveness of internal controls. However, under the Sarbanes-Oxley requirements, management and the external auditors are each charged with performing an evaluation at least annually.⁵⁶

To serve the needs of a thorough fraud deterrence cycle, several aspects of control processes are of particular importance. Among them are the following:

Additions, changes, or deletions to master data files of customers, vendors, and employees

Disbursement approval processes

Write-off approval processes (in accounts such as bad debt, inventory, and so forth)

Revenue recognition procedures

Inventory controls

Processes for signing contracts and other agreements

Segregation of duties

Information systems access and security controls

Proper employment screening procedures, including background checks

Timely reconciliation of accounts to subsidiary ledgers or underlying records

Cash management controls

Safeguarding of intellectual assets such as formulas, product specifications, customer lists, pricing, and so forth

Top-level reviews of actual performance versus budgets, forecasts, prior periods, and competitors

AUDITING AND INVESTIGATION

The remaining two elements of the fraud deterrence cycle are retrospective examination, that is, auditing and investigation, and remediation of any discovered problems. As discussed later in detail, there are differences between auditing and investigating.

Source: Adapted from Association of Certified Fraud Examiners.

These differences make clear that audits and investigations are not the same. During the course of an audit, an auditor seeks to detect errors or improprieties, absent any specific information that such improprieties exist. During an investigation, a forensic accounting investigator seeks to discover the full methods and extent of improprieties that are suspected or known. Both are important features of the fraud deterrence cycle, but they are, and should be, separate. They involve different procedures and they are performed by professionals with different skills, training, education, knowledge, and experience. This is an important distinction in the current environment, when some commentators have suggested that the spate of corporate scandals cries out for the conversion of the financial statement audit into something resembling an investigation. If an audit in the future were to take this path, the cost of performing audits would most likely increase.

1. Forensic accountants are members of a broad group of professionals that includes but is not limited to those who perform financial investigations. The public often uses the term forensic accountants to refer to financial investigators, although many forensic accountants do not perform financial investigations. In Chapter 29, we discuss the many other services encompassed under the broader term forensic accounting. A forensic accounting investigator is trained and experienced in investigating and resolving suspicions or allegations of fraud through document analysis to include both financial and nonfinancial information, interviewing, and third-party inquiries, including commercial databases. See the Auditing and Investigation section at the end of this chapter. Auditors is used throughout this text to represent both internal and external auditors unless otherwise specified as pertaining to one group or the other.

2. The term material as used in this context is a legal standard whose definition varies from jurisdiction to jurisdiction. It should not be confused with the concept of materiality as used in auditing, in which one considers the effect of fraud and errors related to financial statement reporting.

3. U.S. organizations lose an estimated 7 percent of their annual revenues to fraud, according to a survey of Certified Fraud Examiners who investigated cases between January 2006 and February 2008. When applied to the projected 2008 U.S. Gross National Product, the 7 percent figure translates to approximately $994 billion in fraud losses. The full study can be found at: www.acfe.com/RTTN/2008-rttn.asp. Association of Certified Fraud Examiners, 2008 Report to the Nation on Occupational Fraud and Abuse (Austin, TX: Association of Certified Fraud Examiners, 2004), ii.

4. Id.

5. PricewaterhouseCoopers Securities Litigation Study 2009.

6. PricewaterhouseCoopers, Global Economic Crime Survey 2007, 4, www.pwc.com/en_GX/gx/economic-crime-survey/pdf/pwc_2007gecs.pdf.

7. PricewaterhouseCoopers, Global Economic Crime Survey 2009, 10, www.pwc.com/en_GX/gx/economic-crime-survey/pdf/global-economic-crime-survey-2009.pdf.

8. Id., 13.

9. Id., 18.

10. Hammurabi’s Code of Laws (1780 B.C.E.), L. W. King, trans.

11. Carol Emert, A Rich History of Corporate Crime; Fraud Dates Back to America’s Colonial Days, the San Francisco Chronicle, July 14, 2002.

12. Id.

13. Id.

14. Id.

15. Peter Carlson, High and Mighty Crooked: Enron Is Merely the Latest Chapter in the History of American Scams, The Washington Post, February 10, 2002.

16. D. C. Shouter, The Crédit Mobilier of America: A Scandal that Shook Washington, Chronicles of American Wealth, No. 4, November 30, 2001, www.raken.com/american_wealth/other/newsletter/chronicle301101.asp.

17. Employee here refers to all officers and employees who work for the organization.

18. Association of Certified Fraud Examiners, 2008 Report to the Nation on Occupational Fraud and Abuse (Austin, TX: Association of Certified Fraud Examiners, 2008), 11.

19. Id.

20. Transparency International, TI’s Vision, Mission, Values, Approach and Strategy, www.transparency.org.

21. PricewaterhouseCoopers, Financial Fraud—Understanding Root Causes, Investigations and Forensic Services Report (2002), 1.

22. PricewaterhouseCoopers, Global Economic Crime Survey 2007, www.pwc.com/en_GX/gx/economic-crime-survey/pdf/pwc_2007gecs.pdf.

23. Robert Hiester Montgomery, Montgomery’s Auditing, 12th ed. (New York: John Wiley & Sons, 1998), 1–7.

24. Id.

25. Id.

26. Id.

27. Id.

28. Id.

29. Dr. Sheri Markose, Honest Disclosure, Corporate Fraud, Auditors and Stock Market Valuation, lecture from course EC247: Financial Instruments and Capital Market Institutions, University of Essex (Essex, U.K., 2003).

30. J. R. Edwards, Legal Regulation of British Company Accounts, 1836–1900 (New York: Garland, 1986), 17.

31. L. R. Dicksee, Auditing: A Practical Manual for Auditors (New York: Arno, 1976), 6. Reprint of the 1892 edition.

32. Id., 1–9.

33. U.S. Securities and Exchange Commission, Introduction—The SEC: Who We Are, What We Do, www.sec.gov.

34. Id.

35. Wisconsin Department of Financial Institutions, A Brief History of Securities Regulation, www.wdfi.org/fi/securities/regexemp/history.htm.

36. Id.

37. Id.

38. Id.

39. U.S. Securities and Exchange Commission, Introduction—The SEC: Who We Are, What We Do.

40. Sarbanes-Oxley Act of 2002, Public Law 107–204, 107th Cong., 2d sess. (January 23, 2002), 1 (from statute’s official title: An Act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes).

41. Public Company Accounting Oversight Board, Sarbanes-Oxley Act of 2002, www.pcaobus.org/rules/Sarbanes_Oxley_Act_of_2002.pdf.

42. Public Company Accounting Oversight Board, Rules of the Board, 127, www.pcaobus.org/documents/rules_of_the_board/Standards-AS1.pdf.

43. American Institute of Certified Public Accountants, AICPA Issues New Audit Standard for Detecting Fraud, Cornerstone of Institute’s New Anti-Fraud Program, October 15, 2002, www.aicpa.org/news/2002/p021015.htm.

44. Id.

45. December 8, 2009, speech by Robert Khuzami, director, Division of Enforcement, SEC staff: Remarks at AICPA National Conference on Current SEC and PCAOB Developments. www.sec.gov.

46. December 16, 2009, SEC Approves Enhanced Disclosure about Risk, Compensation and Corporate Governance, www.sec.gov.

47. www.ag.ny.gov/media_center/2009/feb/feb5c_09.html.

48. Attorney General of the State of New York Investor Protection Bureau in the matter of Wachovia Securities, LLC, and Wachovia Capital Markets, LLC, according to the Wachovia settlement.

49. Samuel A. DiPiazza and Robert G. Eccles, Building Public Trust: The Future of Corporate Reporting (Hoboken, NJ: John Wiley & Sons, 2002), 10–11, 43. This is a principal focus of PCAOB Auditing Standard No. 2 (AS2).

50. Principal focus of PCAOB Auditing Standard No. 2 (AS2).

51. See Chapter 19 for considerations surrounding a referral of matters for prosecution.

52. Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control—Integrated Framework (New York: Committee of Sponsoring Organizations of the Treadway Commission, 1994), 23. Note: Commonly referred to as the COSO Report.

53. Id., 33.

54. Id., 49.

55. Id., 59.

56. Id., 69.

57. http://financialstability.gov/docs/transaction-reports/3-26-10 Transactions Report as of 3-24-10.pdf.

Chapter 2

Psychology of the Fraudster

Thomas W. Golden

Start with the pleasant assumption that most people are honest. It's a nice way to look at the world, and it summons up childhood memories about learning that honesty is the best policy and George Washington telling his father, I cannot tell a lie.

Sad to say, human history and human nature tell a different story, and so do the statistics that examine them. While most societies explicitly abhor violent crime and bodily harm, many societies hold financial fraud, whatever its scale, as a less reprehensible wrongdoing. Charles Ponzi, creator of the Ponzi scheme, was celebrated in some quarters as a folk hero and cheered by many of the people he helped to defraud. Financiers and executives, whose frauds can disrupt thousands or tens of thousands of lives, have historically been punished with relatively light sentences or serve their time at a low-security federal tennis camp. Some scholars have called this attitude toward white collar crime a perversion of our general societal admiration for intelligence.¹ With the advent of the Sarbanes-Oxley Act in 2002 and recent increases in prison terms for certain financial crimes, there is the expectation that this perception will change and white collar criminals will begin to endure what many would deem just punishment for their crimes.

During much of the past century, psychologists and sociologists struggled to understand the inner workings of people who commit white collar crime. Edwin Sutherland's White Collar Crime,² the most influential work in the field, argued in 1939 that an individual's personality has no relevance to a propensity to commit such crimes. Rather, he said, economic crimes originate from the situations and social bonds within an organization, not from the biological and psychological characteristics of the individual.³ Sutherland also made the useful, if apparent, observation that criminality is not confined to the lower classes and to social misfits but extends, especially where financial fraud is concerned, to upper-class, socially well-adjusted people. Later authors introduced quite different ideas—for example, suggesting that financial fraud is an inevitable feature of capitalism, in which the culture of competition promotes and justifies the pursuit of material self-interest, often at the expense of others and even in violation of the law.⁴

Over the many decades since White Collar Crime was published, persuasive studies have argued that two factors should be considered in analyzing the psychology and personality of the fraudster:

The biological qualities of an individual, which vary widely and influence behavior, including social behavior

The social qualities that are derived from and in turn shape how the individual deals with other people⁵

From these studies of psychology, two general types of financial fraudster have been observed:

Calculating criminals who want to compete and to assert themselves

Situation-dependent criminals who are desperate to save themselves, their families, or their companies from a catastrophe⁶

Since these studies were published, a third type of criminal has emerged out of catastrophic business failures and embarrassments. We call them power brokers.

CALCULATING CRIMINALS

Calculating criminals are predators. They tend to be repeat offenders, they have higher-than-average intelligence, and they're relatively well educated. They usually begin their careers in crime later in life than other criminals.⁷ These predators are generally inclined to risk taking—no surprise there—and they lack feelings of anxiety and empathy.⁸ A related view, somewhat different in its emphasis, was offered in a 1993 study of Wall Street's insider-trading scandals by a team of psychologists who suggested that individuals willing to commit such crimes had an external locus of control—that is, they lacked inner direction, self-confidence, and self-esteem and were motivated by their desire to fit in and be accepted. Furthermore, the study found that they define success by others’ standards.⁹

Case 1: It Can't Be Bob

Bob Davies (not his real name) seemed to be a terrific employee as vice president of operations at a billion-dollar company that he had joined six years before. His résumé listed academic and business successes. He was well liked and a hard worker, always willing to pitch in and help break a logjam. When needed, he worked nights or weekends—whatever it took to get the job done. He remembered employees’ names, used them when giving out praise, and, even remembering their children's names, would often ask about their children. Then, one day, Davies wired $10 million of his company's money to a bank in Germany and took off after it, bringing along his secretary and abandoning his wife of 12 years and their three children.

There must be some mistake. It can't be Bob, echoed through the office. To Davies's friends and colleagues, this episode was a nightmare. To the forensic accounting investigators called in to investigate, the incident was in its main features unsurprising. Appearances notwithstanding, Davies was a predator—a con man whose life's work was to steal for personal gain. Predators develop considerable skills and make a career of deceiving people, as though it were just another career track to follow. Predators are dangerous and cause great harm. And once in place, they're hard to detect. The chances are good that a predator who wants access to company assets will accomplish that goal regardless of the controls established to prevent intrusion. Fraud deterrence and detection controls are often robust enough to stop other types of white collar criminals, but they may not stop the predator. The best defense against predators—somewhat sadly and disturbingly—is a thorough background check before hiring. This is a key