Inside a Fraud Investigation
Expert Details Best Practices - And Common Traps
"I think I pretty much have a job guaranteed for life in this area because we're seeing more and more fraud," Legault says in an interview with BankInfoSecurity.com's Tom Field [transcript below].
Today's fraud investigators need to have both a strong technical and business background as banking systems and fraud schemes continue to become more complex. "If you look at mobile devices, personal computers, laptops and all the complexities of evidence, organizations are looking for people who can in fact analyze this and understand what this means in the context of a fraud investigation," he says.
Coming at fraud from a technical standpoint, investigators are needed to understand when files were written, what certain registry keys mean and what certain files on the system mean, to give a few examples. And those same pros need to see incidents from the business side as well, being able to understand and translate that meaning to the technical side.
Interested job seekers should look into the Certified Fraud Examiner certification offered by the Association of Certified Fraud Examiners [ACFE]. "It covers ... bodies of knowledge which are not necessarily technical but will give them the business side, the legal side and the investigative mindset that they need to transition their information security skill set into a fraud investigation skill set," Legault says.
In an exclusive interview about conducting fraud investigations, Legault discusses:
- The stages of a fraud investigation;
- What happens when investigations go badly;
- Today's best career opportunities for fraud examiners.
Legault specializes in computer forensics, investigatory data analytics as well as the prevention and detection of technology-based fraud.
He has assisted clients in various industry sectors with the identification, preservation, preparation and review of electronic evidence in relation to fraud investigations, civil litigation, arbitration and regulatory compliance reviews. He has been recognized as an expert witness in both civil proceedings and in labor arbitration cases.
Legault is a member of the Association of Certified Fraud Examiners' Faculty, where he leads seminars and conferences on topics relating to computer crime and fraud. He is regularly invited to speak internationally at fraud and information security conferences.
TOM FIELD: To start out with, why don't you tell us a little bit about yourself and your experience with fraud investigations please?
JEAN-FRANCOIS LEGAULT: I have a distinct background in law of being able to do fraud investigations. I came up through the world of information security and then got into fraud investigations. I started off doing work in the field of information security and network security for about nine years, prior to focusing on fraud investigations. I spent quite a bit of time supporting investigations, supporting fraud investigations and supporting internal investigations. That's really where I got interested in the world of fraud investigations. I found it extremely challenging and started to focus a lot of the work that I did on fraud investigations.
I was lucky enough with my graduate degree. I had a graduate degree in information systems specializing in information security, so I had both the business background, because it was a business degree, and the technical degree that I gathered through the work I did in information security. Now when I'm faced with a fraud investigation, I not only look at them from the business side but also the technical side to get an idea of how we can utilize technology in supporting fraud investigations and facilitating the investigations, and also where we can actually find evidence where people who focus on the financial side of things might not think to look.
Stages of a Fraud Investigation
FIELD: This is fascinating and I really want to walk through the different stages of a fraud investigation. To get started, give us a sense of when you typically get called into a case?
LEGAULT: We get called in at various points in time. Sometimes it's an organization that calls us and says they've been a victim. They need our assistance in figuring out how it happened. In other cases, they've actually gone through the entire scheme, but they want an outside party to help them quantify the loss. In other cases, we get calls where we are told they think they have a problem with their system. And this happens a lot in system conversions, where they are moving from one system to another and then something comes up. They don't really understand what the situation is. We get brought in and we start having a look, and at the same time when we're examining system conversions you can also think that it might be a human error; or in other cases, it's fraud. Sometimes it just turns out that it's fraud. We help these organizations walk through the paces. A lot of time our work is done in assistance to the organization. They really call us in whenever they feel that outside assistance is required.
One of the things that come up, and one of the dangers, is that organizations call us up and say, "We've already done a lot of the work and we couldn't find anything. Can you come back and examine what we've already reviewed?" Sometimes the evidence, when we're talking about electronic evidence, has been altered because the organization hasn't necessarily relied on the proper mechanisms to analyze this evidence.
FIELD: Well you make a good point there. Now at whatever point you get brought into an investigation, what are your immediate tasks?
LEGAULT: Let me split this in two. There are two things we really need to think about. The first one is how do we stop this or do we stop this? In certain cases, you might want to accumulate evidence and see how things go. The first step is actually understanding the scheme. What's going on? What evidence do I have? What's been going on? What are the facts surrounding this? It's a little bit like if you watch CSI. They look at the entire crime scene. Well that's the same thing we do at a different level. I don't necessarily like using the CSI analogy because the way they handle evidence is not what we really do in the real world sometimes, but getting the big picture of what's going on is what we do the first time around.
FIELD: Now what are the potential obstacles that you might encounter when you initiate an investigation?
LEGAULT: One of the biggest obstacles is gaining access to the information that we need, and sometimes it's not necessarily an obstacle. It's just the complexity of the systems. Just think of how organizations manage their accounting systems, their payroll and their accounts payable. What information is available to us for review? It is a challenge in the beginning to get a grasp on all of the information that you can use, how you can use it and then converting this information. That's where I'd say people with a strong information security and information systems background come into play in fraud investigations now, where I regularly get brought in by my forensic accounting colleagues who are looking at a fraud and going, "What information can we use and how can we use it?" They bring me in to understand the systems, where the electronic evidence resides, where the information is and how we can process it into a usable format. You can imagine that manually reviewing millions of transactions is not something most people look forward to, and that's why we usually take this information and process it in an effort to identify the patterns, the schemes and the fraud itself.
FIELD: If things go well in an investigation, what typically happens?
LEGAULT: If things go well, we quickly have a good picture of what happened, how much was diverted or embezzled and we can tell the organization this is how it happened. The "this is how it happened" is very important to them because they don't want it to happen again. That's sometimes why we get brought into very small fraud investigations, and it's not necessarily because of the amount. It's because of the potential amount. The organization does realize that even though it was a small fraud, somebody could have taken advantage of that loophole in the controls and went and embezzled a lot more money. They want to know how it happened and what do we do so it doesn't happen again. And the big question is usually, how much?
Problems in Fraud Examinations
FIELD: Now the flip side of that. If things don't go well in an investigation, where does it typically go badly?
LEGAULT: It can be a number of things. It could be an extremely complex environment. It could be an extremely complex fraud. It doesn't mean it can go badly, it just means that we have more challenges in understanding what happened. If we look at it from a technology side, some of the big surprises that you get are older database systems and older applications where getting the data out is extremely complex. It doesn't go badly, but it does slow us down in the work that we need to do. We've recently had an investigation where the information did not reside in database form anymore. It was all PDF reports. We had to convert 325,000 page reports back into electronic format for us to be able to analyze the information, to be able to tell the client exactly how much was embezzled and how the embezzlement occurred. It's not necessarily going badly, it's just that it's difficult or it takes more time for us to get the results that we wish we could get to.
Successful Examinations
FIELD: That was a great illustration you used. Could you perhaps describe to us a successful investigation or two?
LEGAULT: I'll just take two distinct examples. Since I work on two sides, one of them is supporting financial fraud investigations and the other one is actually leading the technical fraud investigations. I'll start with the technical. One of the things that we see a lot of today is intellectual property theft. Organizations have a lot of information that is of extremely large value to them. It can be client lists. It can be documents. It can be formulas. It can be source code. It can be just about anything that gives value to an organization. In one specific instance, we were called in by an organization telling us that they suspected that an employee had in fact stolen a copy of all the source code that was developed by the organization; and this organization was a software developer. This code was all that they had as value for the organization. What we did is we actually seized this person's computer at work. We performed forensics, examining bit-by-bit copy of the person's hard drive. We maintained a chain of custody throughout this entire process and then we went on to analyze the forensic image of this computer to find that the person had uploaded all of the company's source code using automated scripts. He was doing it on a regular basis. He uploaded all this information online so that he could download it from home. We were able to, extremely quickly, within about 24 hours, establish how the information was transferred out of the organization, where the information went and we were able to identify what to do for this not to happen again. That was a successful one on the technical side.
On the financial fraud side, a lot of the work as I mentioned is in support of financial fraud investigations. So let's get back to the example I used earlier, where we had to convert these reports back to electronic format. That took quite a bit of time to get done, but once we had this information, we were able to identify using analytics. That is using statistical analysis of the data that we had. We were able to identify all of the regular transactions which had been performed by a part within the organization, and since this organization was processing hundreds of thousands of transactions a week, we really had to rely on electronic analysis. Had we not been able to do that, we would still have people flipping through reports right now. That was a successful one from the standpoint of taking a large set of data and bringing it down to results, which were easily presentable to the stakeholders involved.
Career Opportunities Today
FIELD: Maybe I have a skewed perspective because I see an awful lot of fraud incidents in the news. But it seems to me that there are great career opportunities today for fraud examiners. Is this so?
LEGAULT: I'd have to say so. I think I pretty much have a job guaranteed for life in this area because we're seeing more and more fraud, and fraud is more and more complex from a technological standpoint. If you look at mobile devices, personal computers, laptops and all the complexities of evidence, organizations are looking for people who can in fact analyze this and understand what this means in the context of a fraud investigation. Examining the content of a hard drive is one thing, but when you look at the forensic analysis, it's about understanding when the files were written, what certain registry keys mean, and what certain files on the system mean. You are looking for people with a strong technical background, but at the same time can understand the business side, because fraud occurs on the business side. We need people, and I say "we need" because I'm doing quite a bit of recruiting these days. We need people that can actually understand what the business is, what the business angle is and translate that into the technical side of things and what they're looking for.
Yes, there are a lot of opportunities for people in this area. If people have a technical background they could look into things like the Certified Fraud Examiner certification, because it covers four bodies of knowledge which are not necessarily technical but will give them the business side, the legal side and the investigative mindset that they need to transition their information security skill set into a fraud investigation skill set.
FIELD: What advice would you offer to someone that is looking to either start or restart their career today in fraud examination?
LEGAULT: One of the things I touched on is the Certified Fraud Examiner designation, and I think that one plays a pretty big role. Anybody looking to get into fraud examinations should seriously look at the Certified Fraud Examiner designation because it covers such a vast body of knowledge for fraud. I would look at that and also work on understanding, if you're coming from the technical side, the business side. And if you're coming from more of a business side, have a look at the technical side because a lot of the people that we're going to be meeting are people who can actually translate as CFO to a team of analysts that are looking for evidence on a computer. There is sort of a path where the information needs to be translated from the business situation into the technical situation. These are really the people that are going to have a high value in the coming years.