
Fraud in Focus | Emerging Risks and Real-World Insights from EisnerAmper

Fraud is evolving faster than ever. Join EisnerAmper’s multidisciplinary panel during International Fraud Awareness Week for an engaging discussion moderated by our Partner Hubert Klein on the evolving landscape of fraud across industries and service lines. 


Transcript

Hubert Klein: Thank you Astrid. Thanks for the introduction and thank you everybody for attending today's session. It's my pleasure to introduce the panel today of the team who's going to be talking to us about fraud related topics. So we have Jen Clark who is with the advisory practice, and she's in a technology enablement part of the advisory practice. Dana Daigle, she is a financial management and disbursements practice leader. Louise Gannuch is in our risk and compliance group. Jeff Granell is in our financial advisory services practice and David Sumner in our advisory services practice. So I welcome them today. They graciously have given up their time to talk to you about their experiences and share their time and talent with us today. So welcome. I am going to let David start it off, but we have some industry stats on statistics on fraud. So David, would you like to go through them and explain to the audience what this shows us?

David Sumner: Sure. Thanks everyone for attending. Glad to be here. On the screen right now is a graph that's from the Association of Certified Fraud Examiners 2024 Report to the Nations. This is something that they issue every two years. It's a wealth of knowledge for anyone that is interested in the topic of fraud. And on this graphic that we pulled out from that report is what they categorize where they do a survey of fraud incidents from ACFE members. And what you'll see here is across all of these different industries, you'll see that there are certainly some trends that relate to where certain industries are more prone to certain fraud schemes as well as just the obvious fact that fraud can happen in any industry. They're all impacted by it. And what you should be doing is you should have knowledge of your industry when you're considering your fraud risks and understanding what are the greater risks.

So for example, if you are in a cash intensive industry, you might have a greater incident rate of cash on hand or certain types of cash larceny. If you are dealing with a lot of government industries or bidding on work, you may have more corruption incidents or risks. And so these are the types of things that if you or your organization are looking to improve your knowledge, lower your fraud risk. These are the types of things that I would think that you should start with in order to make sure that your anti-fraud program is tailored to not only your business but your industry and also what are the larger risks that may be at hand.

Similar to the previous slide, these are broken out into the different industry groupings. But what's interesting here in this graphic is it's showing you what the median loss is and what this is telling you is what is the true risk of your industry or it's not the truest, but it is something to give you an idea where you're looking at. On the upper right hand portion of this slide, you'll see that in education, the median loss is 50,000 for 70 cases, but in the construction business for a very similar number amount of cases, you'll see that the median losses is at $250,000. And that kind of gives you an idea of where these schemes are headed in terms of the risk that you have in your own industry.

The next slide here, and these are all from the ACFE report to the nation, is that this is listing out in those instances where there was fraud, what are the most common type of anti-fraud controls? And what I want to point out here is just because something exists doesn't mean it's the most effective. You'll see that a lot of these organizations did have a code of conduct, and I'm not saying that code of conducts are not important, they're a part of an anti-fraud program, but as you can see, a lot of these, 85% of the organizations that did experience fraud did have a code of conduct. A code of conduct is a guiding document. It's not a preventative, nor is it a detective control regarding fraud. And so it's important to understand that it's maybe part of your anti-fraud suite. What you need to understand is that there are many other tools that you can use that are at hand for you to use to try to combat the incidents of fraud.

One of the things that we're looking at here is that even though there are lots of instances of management review on the previous slide, there was internal audit, there was external audits, all of those things, hotlines, all of those things were in existence. But what's important to understand is that it still occurred and when it was occurring, the most prevalent way that items were found that a fraudulent scheme was uncovered is tip. And I'm hoping that this isn't a surprise because to most people, and if it is, this is something that's very important for you to consider because when you see on the screen there, internal audit management review, document, examination, account recs, external audit, all of those things, a lot of companies and organizations on this call probably have, but tip is the most prevalent way that frauds are uncovered. And I want to highlight something.

A lot of people think that an external audit is one of your safeguards against fraud. That's just not the case. As you can see there, that actually by accident is 5%. So you have a greater chance of finding a fraud by accident than your external auditor helping you with that. And that's not a dig on external auditors. An external audit, an external financial statement audit, has a different objective. Think about what that opinion letter, those of you that are familiar with it is saying, and they're talking about whether or not when you're looking at the financial statements as on a whole are true and accurate, and they also talk about materiality. And a lot of times fraud may go underneath that materiality threshold. And so what I would want people to take away from this slide and the previous ones, that fraud occurs in every industry, but despite all of the different internal controls that are preventative and detective, a tip is your best way. And so I'll be talking about this perhaps in some other instances, education in your organization and the culture of your organization is going to be very important in your anti-fraud toolkit.

Hubert Klein: So with that, we have our second polling question. Please answer the polling questions as we go along with that. David, with everything you just spoke about and those slides, which are incredible wealth of knowledge, there's studies done on it, we know it exists, we know where it's happening. We have stats and quantification. So my question is, it's a big topic that everybody knows about. Why is it still occurring?

David Sumner: I wish I had the great answer there, but I think if you go back in time, I think fraud may be just a component of human civilization. Maybe that's a glass half empty versus a glass half full approach. I think that the earliest recorded record of a fraud incident is 300 BC. So people have been in civilization as we banded together, we've created rules and laws and structure. You will find that not everyone agrees with those rules or structures or sometimes people are exposed to certain pressures that could be financial difficulties, could be addiction. There are a lot of instances where people become, let's say their morals become a little bit more elastic or there's some ethical blindness that still occurs. And from that, things still happen. And that's why we always have to be vigilant in trying to make sure that we either catch it really early or that we are detecting it an important time so that we can minimize that damage.

Hubert Klein: Okay, thank you David. And with that, I'm going to move on to Dana. Dana, we heard about the stats, we saw why it's happening. David told us a good reason. And within the space that you work in primarily, where are you seeing the risks and what are you helping clients with and what are clients trying to do and the risk in payment area?

Dana Daigle: Yeah, absolutely. Thank you, Hubert. As you mentioned, I'm in the payment space. I largely work in the governmental programs environment. I also help with our settlement fund, our class action mass torts with the payments on that side as well, as well as other larger payments that go out the door for other companies as well. And whether it's any of those industries or just really any industry payment fraud occurs all around every organization. They send payments or receive payments. So it's very important to talk about the fraud risk around those. In fact, I have some other stats here as well. 79% of organizations are victim to payment fraud, which is alarming. Checks are the payment method that's most subjected to fraud. Yes, checks are still out there and no matter what they say, they're not going away. And then also payment fraud is committed 65% of the time outside of your organization.

So it's always important to understand the types of payment fraud, which is ever changing. Fraudsters are, they're good at their job unfortunately, and we have to try to keep up with them. So some of the most common ones we are seeing in our space and our clients are seeing are stolen checks. As I mentioned, the checks are the most commonly subjected to fraud. Email phishing schemes, I'm sure you all have received some sort of email scheme. In fact, the next one, the BEC, business email compromise, has become very popular where you receive emails that look like it's from a legitimate business. They tell you don't click on the link unless you know it's from a legitimate source. That is one of the biggest frauds that are out there right now. The highest up coming, I guess you can say. We see in our government space anything from identity theft to falsifying information and documentation, fictitious entities and duplication of benefits, and that's where they may have received some sort of payments from a different program and they're not allowed to apply or receive payments from this program, but they still do.

So there's a lot of fraud out there when it comes to payments, and it's very important that we keep an eye out on those. So we do have what we're helping our clients with some preventative techniques, and this is not all of them by any means, but obviously strong internal controls are important, especially when it comes to payment and money. Large sums of money banking and disbursement system controls. So when we talk about banking, it's making sure you have access controls and you have something like positive pay or debit block, and you're paying attention to those banking controls and your system controls. Payee identification verification is something we help a lot with on the government side, and that's making sure the payee is a legitimate payee. So one of the things we actually do a lot for clients is TIN matching. It's called tax identification number matching with the IRS, it's going to tell us if they're a legitimate payee.

It's also going to make sure we're able to issue 1099s correctly. It just really helps with making sure before the payments go out that we're sending it to a legitimate source. Other ways frequent reconciliation. I'm an accountant, so I live in the reconciliation world. I love a good reconciliation. It's not just a bank rec. It's reconciling all of our sources. So we help our clients there with large reconciliations, whether it's system of record, disbursement, system reconciliation. We live in that world a lot and supporting, of course, employee education on those fraud schemes and then leveraging technology. So Jen will talk about that in a second. When it comes to AI, AI is a great tool in preventing fraud and helping us with some analysis on who we're paying, what we're paying, identifying limits and thresholds and maybe things that might pop out to us that look like fraud and security of sensitive data is very important in the payment world, especially if you're receiving bank information. Making sure you keep that locked down on whatever system you're using on your computer. Just making sure we understand that PII is important to remain secure and of course ask a question

Hubert Klein: Because we're nerds and accountants, you just use an acronym, PII. Could you just explain to the audience what PII is?

Dana Daigle: Yeah, absolutely. Personal identification information. So that's anything that can tie that person to their information. Social security, of course, EINs numbers, even addresses could be considered PII. So it's their personal information that somebody can intercept that potentially could duplicate and try to receive a payment for. So thank you for that. Yeah, I'm used to talking in the acronym world, so appreciate that.

Hubert Klein: No, I agree. But in your experience, do you think that the average person takes PII for granted and doesn't realize how powerful it is in the context of what you're talking about?

Dana Daigle: Absolutely. Absolutely. And I think people are getting better about it because fraud has unfortunately increased when it comes to the payment space. So they are taking a little bit more precaution before they click that link or provide their personal information, but there is a long way to go. And then we see also people just, they're trusting by nature and they trust that when they provide this information, it's going to be safe. So it's making sure we educate our, like we said, our employees, the people that are sending us the information, that we safeguard that information for the people that trust us with it.

Hubert Klein: Thank you very much for that clarification.

Dana Daigle: Yeah, absolutely.

Hubert Klein: Okay, so we now have another polling question. It's going to be open for about a minute or so. So please answer the question and I'll give you a warning before we close it. I know I've gotten a few messages that certain people have missed polling questions the first couple, so let's just send me a notice in the chat and I will talk with Astrid afterwards to see what may have happened. With that said on the payment side, does anybody else have anything to add to that? I know David and Jeff, we see a lot in the world that we work in. We are more on the quantification side. So you guys want to just talk about a couple of war stories of what we've seen happen in that space.

David Sumner: Sure. I'll add in that certainly cash is one of the most frequently diverted assets because it's easy to convert, it's fungible when you put it into an account, it's hard to trace back any particular funds or sources. And so the other thing that I would like to say, and along with while checks are very important, this isn't for a big topic here today, but certainly the use of cryptocurrencies for use in fraud, just because someone uses a cryptocurrency to exit funds or to try to disguise it, I think a lot of people think that they're safe, but there are methods along the blockchain to trace where things go and we are able to trace those funds. And so that's just another consideration that I think that those that are committing fraud, the use of cryptocurrency does not hide your activity as much as you think it does.

Hubert Klein: Okay, we're going to close the poll in 10 seconds, so if you haven't answered yet, you got 10 seconds to respond, and then we're going to move on to the next slide. Poll's closing at 4, 3, 2, 1. There's a results of the poll. Good job Dana. People are listening about check, send the problem with payment. Good. Okay. So we're going to talk about what happens in the financial advisory service world, particularly Jeff Granell is going to talk about what we see or what he sees in the bankruptcy world and what happens and what leads to distressed companies and problems. So Jeff, you're up.

Jeffrey Granell: Thank you, Hubert. And thank you to everyone that's attending the webinar today. As Hubert mentioned, I'm going to be discussing what fraudulent conveyance is, why individuals may inadvertently fall into fraudulent conveyance issues and some key provisions surrounding this topic. Fraudulent conveyance refers to a debtor transferring property or incurring an obligation shortly before bankruptcy that happened. Debtors can fall into conveyance issues when they're attempting to shield their assets from lawsuits or from potential creditors. So say one example is an individual concerned about a personal guarantee making them liable for a business that is not performing well. So in anticipation that the business may file for bankruptcy, they move assets or property outside of that entity, and this is an attempt to shield those entities from creditors that may look to their personal guarantee for recoveries. The overall issue with this is that judges can unwind these transfers if it's determined the act was to defraud creditors. The goal of the courts is, in essence in these situations, is to preserve the debtors' estate, enable recovery actions and support transparency.

So fraudulent conveyance or fraudulent transfers can either be a result of actual fraud or constructive fraud. In the example I used earlier of a personal guarantee, actual fraud may exist if the debtor transferred a personal condo to a family member for less than the value of the real estate, while knowing that their business had the potential to become insolvent. And this was in order to conceal the condo from creditors and maintain control of that asset, maintain control through another family member. Whereas constructive fraud does not require intent. It may exist when a debtor transfers assets below the fair market value and then the debtor later becomes insolvent.

In a bankruptcy, a trustee is appointed to manage and oversee the asset distribution process. Part of this process includes reviewing transactions on whether they were determined to be made in fair market value. The bankruptcy code provides that there's a two year lookback period from the bankruptcy petition filing date for fraudulent transfers and a 90 day lookback period for preferential transfers. This aligns with the question that was put earlier about payment transfers. So preferential transfers are payments or transfer assets made to creditors shortly before the bankruptcy. A real world example would be the FTX bankruptcy case where the trustee has been actively pursuing clawbacks of alleged family members receiving over $700 million of transfers shortly before FTX filed for bankruptcy. In the event that is determined that the transfers were made to hinder, delay or defraud creditors, those assets will be recovered and become part of the bankruptcy estate. The bottom line here is that fraudulent conveyance laws are there to protect creditors and ensure fairness in all bankruptcy.

Hubert Klein: Alright. Alright. So we're not good. So based on that, we've talked about a lot and we've covered a lot in roughly the last half hour on fraud, what are the stats, what happens in the payment arena and in bankruptcy arena? So with that, there is a question here that I just want to pose to the panel, but basically want to discuss in addition to the services that everybody on this panel provides, are there other things that companies can do specifically to help recover losses or protect against losses dealing with insurance products or getting some coverage to cover if something goes wrong? And what have we seen in that space with success in recovering if there's an insurance policy that covers outright theft of funds? So David, do you want to talk about it from your perspective and what you've seen?

David Sumner: Sure. Yeah, no, there's a lot of times that companies, that's one of the first questions we'll ask when we're being engaged with a client, whether or not there are, whether they have insurance coverage for a potential fraud. And that's something that a lot of times companies will say, oh yes, we do. But then after they have a conversation with their carrier, sometimes that falls through or, and I think it would happen probably more often is that even though they do have some fraud coverage, it's very limited. And so that's something that you should consider. I know that most companies will do an annual review of their policies and everyone should be asking about their fraud coverage. I know that probably it's human nature to probably sit there and say, I don't think I have any fraud issue in my company, so therefore I don't need to pay extra money for maybe some extra coverage or either lowering that deductible or increasing the actual total coverage. But I think that that's one of the traps that people fall into is that they don't think that fraud can occur with them. I think when we were seeing there on one of the earlier slides that 79% of entities had some degree of payment fraud with checks. And so that's something I think you should very much consider is there is coverage, but make sure it's right sized.

Hubert Klein: Does anybody else have anything they'd like to add along those lines?

Louise Gannuch: I would. That too, when we sometimes work with clients, it is making sure, like David said, the provisions too in your insurance. So reviewing your policies but also understanding do you have to file something within 30 days, 60 days, 90 days, because that can make it void as well. And so being prepared with that information when fraud happens, it's so chaotic, right? And so you want to make sure you're in a position where you know your coverage, your filing requirements so that you have that coverage. And I would just add that that's an important component of it as well.

Hubert Klein: And I think the next question I have for everybody on here is generally, what is one of the most important things that a business has to do to recover on that insurance policy for their coverage? If you know who the individual is, what do you have to do? You generally have to file a lawsuit or you have to file a complaint with law enforcement. And I think if you guys could all talk about why people would choose to or not to file a complaint with law enforcement,

David Sumner: I'll go real quickly there and leave some extra time for others when you're filing a lawsuit or filing a police report, those can be public knowledge. And there's a lot of instances where, I'll be honest, when sometimes our clients are nonprofits, they are reluctant to take that next step because that will, for those organizations that are reliant upon community or donations from individuals or organizations, having a publicized internal fraud may inhibit or reduce further donations in the future. So in my experience, I've seen that those nonprofits are probably the most reluctant to take that next step.

Hubert Klein: So is it reputational risk if something like this happens important across the spectrum of industries for profit, nonprofit and other entities? And

David Sumner: Yeah, I mean a really brief story here and that is I was working with a multinational company, one of the largest in the world, and they had a very large corruption scandal. And while it cost them, they had a billion dollar fine, they had several hundred million dollars of attorney fees and accounting fees, they were most worried about the reputational damage that was their biggest, while the money going out the door for all those services was large, even in all, but they were most concerned about the reputational damage. They went from the number one employer of choice in their home country to off the top 10. And they knew that from that point on, they had a brain drain problem going forward, not just the next five years, but probably the next 30 years. So reputational damage can be beyond the dollars and cents that were lost for fraud and its detection and remediation, the reputational can be far exceed the actual amount lost.

Hubert Klein: And Dana, in your payment area, have you experienced similar situations where once you've put in the controls or somebody found somebody's overridden them and you've come in and you're in there to help fix the problem, that issue come up too. Companies are, they're worried about the reputational risk and need you to fix it. ASAP?

Dana Daigle: Yes, that has come up. We work with clients and we actually hope to get in on the front end actually with the clients and we say, please bring in your financial people when you're making your policies and procedures because prevention is the best here when it comes to fraud. So a lot of what we do is establishing the financial management policies and procedures on the front end to hopefully prevent some of this. Now you can't prevent everything. So we do see where on the back end there has been some sort of fraud committed or actually we see where potentially payees or applicants say, I didn't receive my money, but they actually did. And so we have to then show proof of that too. And actually a technique too to use is, okay, well can you fill out this affidavit, get it notarized, and we can either look into it with the bank or by the way, here's the signed check, a copy of the signed check that you actually did deposit. So there's some things that we can use to show proof that payment actually occurred. And then sometimes you have where the applicants will not want to fill out that affidavit and it's because they did receive payment. But on the company side, yes, it's definitely the risk of reputational harm too that they want to avoid. So one of the things we say is please get your financial people involved from the beginning to help prevent some of this.

Hubert Klein: It's fair to say it's a continual process from beginning to end training, helping with the culture and the end when something happens, helping minimize the damage financially and reputationally.

Dana Daigle: That's right.

Hubert Klein: Thank you. Okay,

Jeffrey Granell: I'd like to add there.

Hubert Klein: Go ahead Jeff.

Jeffrey Granell: I'd just like to add that fraud can be prevalent in small family owned businesses as well or closely held businesses, and they may lack the checks and controls or documentation that should be in place. And they're probably the least likely to report this given the relationships amongst the group to authorities in order to make the claim.

Hubert Klein: Right. So I guess my question to everybody, there's really no borders on where fraud can permeate and how it can get there and who will commit it. Basically all industries and all sectors are pretty much have a level of risk. It just depends on the level of risk. And that's why we're all on this panel today. You were on.

Jeffrey Granell: Yeah, when people have access to information that others don't and they have the ability to better themselves, it's sometimes easy for them to take that bait.

Hubert Klein: Got it. Thank you. All right. So the next polling question is open. What is the goal of identity and identifying fraudulent transfers? So take your time to answer that. I will keep the poll open for a minute and I'll give you a 15 second warning for the close. And Jeff, in the bankruptcy area, is fraud one of the main reasons that companies get into a distressed situation?

Jeffrey Granell: Sorry, Hubert, you broke up there. It might've been on my side or yours.

Hubert Klein: Bankruptcy situation. Is fraud one of the causes that most companies get into a distress situation?

Jeffrey Granell: It is one of the causes. It's certainly not the only cause,

Hubert Klein: No, bad management, bad model, but fraud is also another factor, correct?

Jeffrey Granell: Yes it is.

Hubert Klein: Yes. Poll's closing in five seconds everyone. We got five seconds to answer the polling question and it's closing. Here are the results. People are paying attention. So good job, all the above. Now we're going to move into the next section on shared responsibility.

Louise Gannuch: I guess Hubert, I will jump in here. So wanted to talk about how fraud is the responsibility of or preventing fraud rather and detecting it and responding to it. It just is the responsibility of everyone. There's no one person, one department that's going to tackle this. Sometimes I hear internal audit, you're responsible, but that's just not the case. You're really just going to see collaboration. And so depending on the industry might have different terminology, but included this matrix here to talk through the different structures that we see from this organizational component. And then fraud risk role. This isn't the end all be all different organizations vary, but generally you're going to see you have your board or the equivalent, they're going to be responsible for overall governance related to proper management. Here we see setting the tone at the top, the risk appetite. And then from there management's kind of divided in what we call a first line role and a second line role.

And this is based on the Institute of Internal Auditors, the IIA. So your first line is implementing the anti-fraud controls. Maybe they're supporting investigations, they're escalating potential fraud. And then your second line is where you have your specialists. So maybe they're the ones leading investigations, they're designing your policies and procedures, doing that, monitoring for threats, internal external threats. And then you have the third line role, which could be internal audit. And so that's where they're performing ad hoc or periodic assessments, assessing adequacy effectiveness of that fraud risk management framework and actually a part of the global internal audit standards. So for auditors, when they're doing their engagement level risk assessment, they should be considering fraud risks. That's part of it as well. Like I mentioned, this isn't the end all be all. There's no specific one way to structure this. I think what's really important and what we're all talking about here is that you're actually doing something, you're being proactive, important in collaboration is kind of the theme that we see.

Hubert Klein: Louise, the first thing up there on board and audit committee stuff, you still talked about tone at the top. I think we need to talk more about the tone at the top and what that really means and what the rest of the panelists see on the tone at the top because it sounds great, but in practice sometimes it's just four words and it's not really practice even though companies say they have a good culture and tone at the top. So let's talk a little bit more what is tone at the top mean to everybody on this panel? What we've seen, what you've seen in your respective practice areas.

Louise Gannuch: So really the board is going to make up your tone at the top. They're modeling integrity and also holding people accountable. And all these fraud efforts to some degree have to be visible. If we all say fraud's super important or anti-fraud, but we don't have any sort of hotline, those messages don't jive. There's also the mood in the middle, which is a fun one. That one's also important I think about if an organization has annual fraud training, right, that's great. But when your managers are checking on your team members and they're like, oh, well I was just listening to a new album drop while I was clicking through slides. That messaging detracts from how people are perceiving the organization. I hear a lot people say we have a zero tolerance for fraud, but don't actually do anything with that. Culture is just a huge part of anti-fraud efforts and just a really can be a big detractor but also a great thing if it's done.

Hubert Klein: So you mentioned the word accountability, which I think is an important part of all this. So the tone at the top and accountability, if the people at the top want to hold the people below them accountable, they need to behave with under the same standards, that's generally how it should work to change the culture, right?

Louise Gannuch: Absolutely. And I think with that, people want to know that if they are reporting something that something's happening with it, obviously the board's not going to put out a memo and say, Hey, we looked at Louise and here's what we found within the guardrails of reality. But just having that again goes back to the culture that you're building at your organization.

Hubert Klein: Alright, so Jeff, David, Jen, and Dana. You guys have anything you want to add on that about culture and how that permeates different organizations for-profit, nonprofit, governmental, because I think everybody strives for the same thing.

Jen Clark: Yeah, absolutely. I'll add just kind of building on what Louise was saying is that from a technology perspective was really around having your technology folks be your partners in fraud is making sure your CISO, your CIO or your CTO really lean in with you and make sure that you can have prevention from them as well. And really as Louise was kind of talking about tone at the top is there are automated ways to prevent some of this. If it's not a hundred percent, we'll never be a hundred percent, but really having that strong partnership across your leadership team will really ensure better success.

Hubert Klein: Alright, so I think you hit the nail on the head there. It's not just isolated to the financial or accounting team. Is that correct? Is that what you're telling?

Jen Clark: That's correct, yes, exactly.

Hubert Klein: Alright, and then the next thing, and I think Louise, you did a good job, but let's just talk about, because I like the phrase setting the risk appetite for fraud. David, you want to talk about fraud risk assessments and why that's important and understanding. Listen, I don't think anybody in an organization of any kind has an appetite for fraud, but sometimes crow you have to eat when it happens, so you better figure out what you need to do so you never have to eat that dish.

David Sumner: Yeah, I think annual risk assessments occur in a lot of the larger companies and to some extent the medium sized companies. But I think that a fraud risk assessment is usually either ignored or it's just sort of a, yeah, we kind of looked at it a little bit. We considered some fraud. A fraud risk assessment is a little bit more detailed than a half an hour discussion of a two days of meetings. In order for it to be effective, it needs to be purposeful, you need to have the right people in the room and those individuals need to come into it with an open mind. What you're looking for is people to participate and not feel like they should harness or restrict their comments. What you're looking for out of an annual fraud risk assessment in a brainstorming session or anything there, you really need input from all levels of the company in order to fully evaluate your fraud risk. There may be one view at the board, but they have no idea what the inner workings are of the controls around a bank reconciliation are. And so that's why it's important that you have voices up and down the organization to make sure that that fraud risk assessment is actually considering all the different possibilities.

Hubert Klein: So that kind of filters into what Jen talked about. It's not just restricted to accounting and finance. So Louise, following up on that, that really fits into your management second line roles when you just talk about we know that fraud risk assessments are done and what is the process when we get into designing policies and procedures based on the fraud risk assessments and the analysis of different areas.

Louise Gannuch: So I think for designing policy procedures, having people that are familiar, again, like David mentioned with fraud schemes, you also want to have people that are familiar with controls. So you want to embed those into your policies and procedures. And those are a very important part of just that overall risk management framework that you're building.

Hubert Klein: And for those of you on the prevention and upfront side, but also if a breach happens at detection site is one of the areas that you see some weaknesses happening on the active monitoring of the controls or changing the controls as technology or industry changes are out there.

Louise Gannuch: Yeah, I think that's a good segue too into what is verification and how important that is. So anytime we are moving money or we are changing access, we're elevating access or we are changing records, we really want to make sure people are pausing and verifying. And again, that goes back to culture. Do you have a culture where people can feel like they can take the time to pause and verify? If we think about, if you get a Teams message and someone says, Hey, can you change Louise's rights so that it's elevated, she has some admin rights, does that person pause and think, is that normal? Right? Is that a normal request, the normal avenue, and do I have an independent channel to go through? Can I go in my private firm directory and find Louise's manager and say, Hey, I got this request. Does that right?

Moving, we talk about moving money too. I think about wires and I'm sure Dana could talk a lot about this as well as first time payments. Those are generally higher risk for data changes. We think about if we're changing bank accounts, if we're changing addresses, vendor or employee information. Those are all the things where we kind of want everyone's little spider sense to go off and take that time. And I would say certainly with all of that, don't want to create an environment though where people can't get anything done. So I think that comes back to when I was talking about risk appetite. It's that balance between verifying and delaying some organizations. With that, they will create tiered guardrails if you will. So if X, y, Z scenario happens, then we follow this protocol. If this lower risk transaction happens or this scenario, we follow this protocol. I as a internal auditor background, I'm always thinking about internal controls. So what reliance can we place on controls that might impact your verification procedures? Like Jen was talking about automated controls that can kind of bridge that time, that can be part of those delays as well.

Hubert Klein: Okay.

Jeffrey Granell: Moving back to that verification, at least in the bankruptcy state, all items are in flux and the issue we run into is that you're dealing with incomplete or insufficient information. Your company you're working at may have had a reduction in staff, so now you have your controller having the ability to issue and approve wires. You have bank reconciliations that may be a few months late and it really paints a picture that we can't always identify that fraud as it's occurring. So I think getting those processes in place when we first come onto an engagement and at least checks and balances, at least on the verification stage is very important.

Hubert Klein: David, you had a question you wanted to pose to everybody here.

David Sumner: So one of the things that I see in my line of work is when we're doing the investigation is there's a difference between different size organizations and when we're thinking about a medium to large size business where we have a lot of, you may have an internal audit department, you may have sufficient financial staff in order to have a lot of segregation of duties. If we're talking about the sophistication of an organization, you have that ability to separate those duties around. For the smaller organizations, something that Hubert and I worked a lot with is family offices and some other smaller nonprofits. There is a challenge in terms of the number of people that are even available in order to properly segregate certain processes. And so the smaller organizations certainly have some greater risks in that area. And I was wondering, when I see it, I have a couple of ideas. One of the things that I recommend to those entities is number one training, which I know Louise just mentioned as well as trying to enforce some rotation if possible, but I was wondering if any of the other people on the panel had any thoughts on those smaller organizations that don't have that large infrastructure to pull from in order to still be a pretty good environment to deter fraud.

Louise Gannuch: I speak

Dana Daigle: From, sorry, go ahead Dana. That's okay. That's okay. I can speak to that from just the governmental program space where we see maybe agencies don't have the bandwidth to run a program themselves. And I would say a lot of times they bring in a third party such as ourselves to help manage that. Even on our side where maybe our team is limited, we can work with third parties such as a bank, we have limits within that bank to be able to send a wire. Whenever we're above the limits, the bank actually calls us. So that's utilizing a third party to help with those controls in place. So we see that a lot. Proper planning and budgeting is very important and as we've all mentioned, it's bringing in those finance experts on my side or the experts in whatever, if it's the technology people we need to bring in, it's making sure you bring all of those people in to establish good sound policies on the front end and making sure that people understand the policies like you mentioned through the training and they're adhering to those.

Hubert Klein: So what I'm getting from you, Dana, is the tone at the top is a team effort, not an individual effort.

Dana Daigle: That's right.

Hubert Klein: Lot of times the team has to be rowing the boat in the same direction.

Dana Daigle: That's right.

Hubert Klein: Alright, well the question did pop up and now I'll throw it out to you, but I guess the issue here is other situations where businesses have to self-report if they're getting governmental money and a fraud has occurred on them and what is their obligation to report and what are the practical considerations? Has anybody had experience in that area, not just in the government side, but if you're actually using government funds to work on your projects? I mean from David, I mean from our experience, I believe a lot of the contracts include that obligation.

David Sumner: I think that there are certain obligations and they're very specific to certain industries that if you're in a regulated industry, you need to understand that it is very important that right now we're restrained close to legal advice a little bit there. It's an important question and I don't want to annoy or get the bar association angry at us because this is, I've certainly been involved in a lot of frauds in which there was some pretty heavy emotional discussions regarding whether or not they were required.

Hubert Klein: I just want to clarify for the audience. David has been involved in a lot of fraud detection and quantification engagements. He hasn't been involved in a lot of frauds.

David Sumner: Yes, thank you. But during the investigation of those frauds, we were certainly talking with counsel for the company and the organization and the board and it's a big decision if you don't think you are required to, there certainly is, or there are incentives that the government has put out there that say if you're cooperative, if you are self-reporting in theory, you are supposed to get a lighter penalty or no penalty at all. But it is a conversation that you should have. You should involve your counsel and you should have a good understanding of the regulations in your industry and it can be a difficult one because it's almost a no win. There's going to be pluses and minuses with both decisions.

Hubert Klein: Right. Great advice. David in-house and outside counsel, the best ones to answer that question. We get asked those questions and like David said, call counsel, where are your accountants? We're going to help you prevent, detect and quantify. We're not providing legal advice. With that said, we're going to our next polling question, who is responsible preventing detecting and responding to fraud in an organization? So we're going to keep that open for about a little over a minute and I'll give you a ten second warning before we close the poll. There was a question here about reputational risk and insuring it under a cyber insurance policy. Again, that's something best left. Discussing with your insurance producer as to what kind of coverage and discussing with your outside or in-house counsel as to what the adequate level is and what's the right product for your organization. We don't make recommendations on those topics, but yes, there are ways to insure against it. However, everybody should talk to their respective advisor, find out what's best for them. We have 10 seconds left before the poll closes. We have good response rate. Just remember you need to answer these in order to get the credit. Alright, polls closing. So here's the results and we're going to go into the next session.

Jen Clark: Thanks Hubert. Alright, so now I'm going to get to talk about AI and technology both helps and complicates everything that my colleagues just talked about. AI is making, this space is helping in some cases, but we'll talk about the complexities of how it can help, but it is also what I'll call supercharging in some cases. So AI has really made fraud faster, more adaptable, scalable, really think about speed and scale of what's available today, but it's also kind of able to give teams tools, means of detection. And again, as we've been talking about really setting that tone from the top and developing that culture and awareness. Your technology partners should be at the table to help you figure this out as the cybersecurity and fraud are heavy overlap and really making sure that you have all tools in your toolkit to prevent and not just respond.

So hitting on both points, two sides of the same coin. Your fraud detection can help with things like machine learning and real-time analytics, helping you spot those anomalies. Human oversight is still essential. I cannot emphasize enough human in the loop that's always going to be your best control. But on the other side, like I said, these tools are just in the hands of everyone today. Well, I'll show you some shocking examples in a second of how easy it is to create fake documents. And so this is really a case where you kind of have to be aware and kind of have a full robust program. So Dana actually mentioned some of these about how these fraudsters are taking more elaborate methods, I'll say to commit fraud both from what we think kind of in traditional cybersecurity aspects, but really that phishing, social engineering spoofing, that's becoming easier by the day just because the generative tools are so readily available.

But now you can also, like I said, create things like invoices. You can create fake documents. You can also create voice and identity fakes as kind of in the deep fake space. I promise that I am a real live human right now. I am not a deep fake, but it is that easy to create a video. You would not be able to detect and see if I was actually a fake on this call or not. So that is something that, and I haven't actually worked with any clients who've experienced this, but I have heard stories of someone getting a Zoom call with a deep fake of a person and people not really being aware that they were not interacting with that person in real life. So that's how good this is getting. And so that synthetic identity creation is really something that I think we're going to all have to keep out for, especially when it comes to audio because video can get a little blurry.

It might be blippy, you might be able to kind of tell, but with audio it really is kind of very sophisticated and so you have to be very cautious. Again, when you think about not just human controls, but how are you having backup controls? It is like you really want to make sure that you have multiple controls in place. So I used to do this with faces, but now the tools have gotten so sophisticated that it's easy to create these fake documents. Here is just a receipt. You can kind of see the differences between a real receipt and just marking up that receipt for more money. That's just an easy example. But in some cases it can be, you can create an entire, and of course I don't encourage anyone to do so, but the tools are so sophisticated that someone can create a whole bank statement or a whole fake driver's license or an entire fake birth certificate.

It is like these are tools that you can find readily available on the web and fraudsters are using the same things that we use for our own productivity. In some cases, your generative chat systems like your ChatGPTs or your copilots, they will mostly block you if you try to do this activity. But people are always trying to hack and find their ways around it. And so just something to be very aware of that even in some of the methods that my colleagues have talked about, you do have to have backups to that now is you really have to have a really robust fraud detection system in place to be able to find some of these things. Going back to David's thing that it's most likely a tip that's going to help you find fraud. This is really a case where you have to have all tools in your toolkit.

And that was really my last point here is automation AI can help you find those anomalies. I will say implementing some of these systems or maybe building some of these systems can be complex. The data as all of us know, isn't easy to get to. It's very messy. And so sometimes automation can seem complex and be actually a long-term investment, but really having that multi-pronged approach where you have your humans in the loop, you have your human controls, you have all the things that Louise talked about, and then you add AI or automation in places where you can really get additional scale can help with some of these more sophisticated methods that fraudsters are using today.

Hubert Klein: So Jen, is it fair to say that AI is a double-edged sword in this space?

Jen Clark: Yes, very much so. That is very, yeah, I usually mean that's exactly how I think about it. The thing that I always like to leave people with is that what I never want people to think is that any of these deep fakes or synthetic documents can be easily detected. They cannot, any tool that is saying that they can easily detected or find it is usually not the case. It's really, really hard to tell an actual document, video, et cetera from a fake one when they're generated by these tools. And so anybody kind of giving you the false kind of hope that they're easily detected is usually overselling their capabilities.

Hubert Klein: So I'm going to put you on the spot because I know you're well versed in this area, but just for the attendees, where do you see all this going in the next two, five years? People always ask me about AI and I said, well, it used to be an infant. Now it's really a toddler, it's still learning, but it's a lot smarter than it was, but it's not quite an adult. So where are you seeing this industry going?

Jen Clark: Yeah, that's a big question. I'll say a couple of things that I am noticing and hearing is that everybody is experiencing that crawling to walking kind of awkward stage right now. They're kind of fumbling a little bit around with the technology that is not, there's a lot of hype out in the market really that can oversell where people are with the capabilities. And so just getting started with it, nobody has really kind of unlocked at a true kind of big scale. Some folks have, but really, really everyone is on that journey. The other thing that I hear this AI bubble, it's been in the news a lot recently and the thing that I'll say about the bubble is that there's a lot of complexity to that. There's a lot of investment money, there's a lot of very large players in the market, but this technology is extremely capable. And the thing that I don't be lost, even if there is some type of bubble, is additional kind of technology and capability that we all have now. It's just going to take humans, I think a lot longer than the big players to admit to actually implement and figure out how to make it useful. But it really is, it's a mind shift.

This is a generational kind of technology overnight. And so I think it's a little bit of patience and understanding change.

Hubert Klein: So I guess it's fair to say for a business as part of their fraud risk assessment, the evaluation and utilization and threats from AI is something they need to consider as part of their ongoing fraud risk assessments.

Dana Daigle: Hubert, I would also like to add just a little bit here is that while AI is great and technology is great, we still need that human aspect. Humans are very important. So that part will never go away. While we can help the processes with the technology, we still need the people. And I want to give an example of that is on a very large settlement case that I was working on, part of that was providing documentation to show your income or to show your income loss in this situation. And I'm looking at this pay stub that someone actually submitted and it looked like a legitimate pay stub, but something just didn't feel right and technology can't feel that. And so I'm looking at it a little more and I realized that it's the pay period was through February 30th, 2000, whatever. And I was like, huh, well that's not possible in any year. So something this was made up. So it's still, you need that human aspect to go along with the technology to apply to help detect fraud.

Hubert Klein: And I think that's a great point, Dana, because really we didn't get into what is fraud. We kind of take it for granted else, but generally fraud is a willful intent to deceive from monetary gain. And AI is not trying to make a monetary gain. It's usually a human aspect or an individual who's utilizing AI committed. So that brings it right back to, you still need the human element, somebody has to look at it. There's things that the technology won't catch and we still are the service providers who need to use informed judgment and make decisions. So that's a very, very good point. And that would be a nice training thing to put a bunch of documents in front of people with that date and say, what's wrong? These documents, and everybody's going to tell you the address the name, the social security number. I bet you that's a good one on the date. So don't take anything for granted. Great example, Dana.

Okay, so now we're going to come up with another polling question. We're getting close to the end. How is AI impacting fraud trends? And then we're going to go over some questions and some stories of actual real life examples of what everybody on here has seen. I refer to us as the PDQ group, and it's not. It's the prevention, detection and quantification group that's amongst all of us. That's kind of what we help clients with. We help put in preventative controls and detection controls to minimize some damage or the slides that David showed early on, and David, Jeff and I get involved in the quantification. If something happens, one triage, what happened? How bad was it monetarily, what can be done to fix it? And then we reach out to the rest of the people on the panel. There's a need for a client or they have a client who they're working with and putting the prevention and detection controls. And if there's collusion or something, sometimes things happen. How do we help? And that's kind of how we're going to end this session today. So with that, if anybody has any additional questions, let's put 'em up now, if somebody has a question. And listen, Jen, this is for you. I think it's actually kind of funny. Did AI actually crumble that receipt for $197 and 57 cents?

Jen Clark: It did. That's one of the reasons why I use it as an example, because it is so scary and so lifelike. I'll share, I do these trainings quite a bit, and exactly like Hubert and Dana were just talking about where I encourage people to find the fake. Sometimes they use faces, sometimes they use receipts. And in most cases, I have a hundred percent fail rate on faces of what's fake and what's not. And so again, just, yeah,

Hubert Klein: Keep going. That's a great topic.

Jen Clark: Yeah, no, again, just to reiterate, just how sophisticated these tools are and it's just something that you can't detect. So really having that human in the loop, like Dana was talking about, is really important

Jeffrey Granell: On a bankruptcy front. You bring up trigger something in the back of my mind here. As part of the claims process in bankruptcy, individuals or creditors have to submit what's called a proof of claim. And on that proof of claim, they have to include whether it's secured or unsecured, but also documentation that indicates that a claim exists. And that could be an invoice, right? It could be an AI generated invoice. And you noted the human element. Well, what we do in bankruptcy is that we have a claims reconciliation process, and in that process we have certain steps that we take on our own and with technology or data analytics to review all the claims, this isn't as difficult in a small case, but when you're dealing with the larger call them award winning cases, you may have claims that exceed, you may have a thousand claims or 5,000 claims. So I think AI and technology can review those claims at least to look for duplicative claims, to see if a vendor may or may not have provided materials to the individual or to the company. But we definitely, we see this quite a bit in the bankruptcy and the claims process.

Jen Clark: Jeff, oh, sorry, Hubert, go ahead.

Hubert Klein: I think that's important, and I think, Jen, finish your thought and then I'll let you know what I want to ask everybody else on that very issue.

Jen Clark: Yeah, I was just going to say, Jeff, that's an excellent example of that double-edged sword, right, is in the large cases, AI can certainly help you detect, especially in reconciliations where there might be anomalies. And even though it can't tell you that the receipt is fake, it can tell you that the amount that came from the bank account, the source of truth is different than on the receipt. And so again, that multi-pronged approach is really important.

Hubert Klein: So let's just take that thing forward, Jeff, Dana and Louise, if there's, whether it's in the claims administrative space, the governmental space, working with for-profit, nonprofit clients, we all see that sometimes in order for people to get a benefit, they have to submit information. And a lot of times, not everybody's truthful, right? David, with the information they submit, even in a royalty type engagement, somebody has to provide proof of level of units sold or something. And sometimes people manipulate to actually get a financial benefit. Has anybody seen that in the respective spaces that you're in? Can talk a little bit about it. We'll start with you, Dana.

Dana Daigle: Yeah, absolutely. We unfortunately see it all the time, and it goes back to training the people that are reviewing those claims to make sure they're applying proper judgment, but also following standard procedures. One of the things we see a lot on different programs is attestations, and it's where they sign and say that what they sent was they attest to what they sent through or they're able to put in their income. And while that can help move claims or applications along faster, it is important too to also receive documentation as backup. So we do advise a lot of our clients on what proper documentation that is, whether it's a W-9 or a tax return or whatnot, but it helps a lot to prevent that fraud on the front end. So we're not ultimately making payments and money is not going out the door to these people. But yes, we see that all the time, unfortunately, and we have to build in the proper controls for that.

Hubert Klein: And Louise, what are you seeing?

Louise Gannuch: Yeah, I completely agree. I mean, I would think if you have any program where you can manipulate something so that you get a better outcome for an individual or a group, it's going to happen. Fraud is never an if. It's when, and I think that's regardless of industry size, any of that, we often see that it happens. It's unfortunate, but as Dana said, really looking at what prevention you have, how you're training your people, that environment, you're creating, the culture, all of those kind of things that we've been talking about that all kind of ties into having a well rounded thought through fraud progress management process.

Hubert Klein: Along those lines, Louise, you just mentioned something a lot and all those things that you mentioned involve people, and I think that's the important part about, Jen talked about AI and technology, but there's still a lot of people involved, and I think that's the important factor for everybody to remember is a takeaway training and educating your team of people and creating that awareness. The big thing here, David, you said early on, David, it's tips, right? It's the old, we're going to go back ways, but if you see something, say something, that's kind of how you create a better environment with the culture and the training of the people. So David, you want to talk about what you're seeing, and we've seen on people who actually have to submit information in order to get a reimbursement, whether it's a royalty or a unit fee. And we see a lot going on in that world as well.

David Sumner: Yeah, I'll go back to weaving in Dana's point there of looking at that paycheck and thinking that something wasn't right. I was involved in a process that was distributing funds for a manmade disaster, an oil spill, and a restaurant had submitted a claim and they had provided all of the tax returns and all of those things, and it all looked fine, but the individual, I'm not going to take all the credit, but the individual who's working for me, something just didn't smell right for them. And in that instance, they did a little extra digging and found on YouTube that the restaurant had burned down and it had burned down a couple months prior to the claims period. And so that was an instance where an AI review of the documents that were provided would never have caught that scenario. You needed to have that human being who has sometimes a hunch who sees something that's just a little bit off.

And that's why the human element here is so very important because the human element is also taking into account experience. And for many years that have been learned, and that is something that AI can't do. AI right now is simply working off of what has been trained on. And if that aspect hasn't been trained, it's going to miss it. And so you're always going to need to have, well, until it's at the Skynet level or whatever, many years in the future, but right now, the humans are still better. They're not as fast. We're not as fast as AI, but we're more accurate.

Hubert Klein: I love the Terminator reference, David.

David Sumner: Yeah.

Hubert Klein: Okay, so here's the last question. I'm going to post everybody here. I think this is important, and Louise, this came from you, but when a potential fraud happens, who leads? What is the process? Because I think this is the important part on the quantification side. So you don't mess up your claim with an insurance carrier or even law enforcement. So who wants to start with that one? Since Louise, it's yours. Why don't you start with it? Who leads when something goes wrong?

Louise Gannuch: So I think the important thing is having someone who's knowledgeable and experienced leading, and I talked a little bit about when fraud happens, it's so chaotic. So having a fraud response plan, like knowing who's doing what is really important and having that plan figured out before fraud happens. So it could be very well that you hire an external firm to help you with an investigation. Okay, great. They're probably working with legal, they're probably working with your information systems team to see what access is getting shut down or what is HR doing, going back to what did you file with your insurance carriers. All of those things are kind of swirling around at the exact same time. And so it's not necessarily always, you might have one person leading it, but there's a lot of people that are involved in that whole process,

Hubert Klein: Right. And internal in-house counsel is probably one of the lead quarterbacks of that whole effort as well.

Louise Gannuch: Absolutely. You want to make sure that you always have counsel involved in all of these types of discussions and decisions that you make for your organization.

Hubert Klein: Okay. An important topic of who leads and what gets done.

David Sumner: I was just going to say that what's important there, as Louise said, is having a playbook and understanding also that what you shouldn't do is perhaps react too quickly. One of the things that we experience as quantifiers when Hubert and I are looking to quantify is sometimes mistakes are made or actions are taken early on that really restrict or inhibit our ability to do a fulsome investigation. And some of those mistakes are terminating a person too quickly, not preserving evidence like the emails and things of that nature. And then also, one of the things that happens a lot is confronting the suspect too early. Conducting an admission-seeking interview is an art versus a science. And sometimes if you confront that individual too soon without enough evidence or enough knowledge, they will have some ability to perhaps either get rid of evidence or collaborate with other individuals to get stories straight. So it's very important that if you suspect fraud to get the right people in the room early.

Hubert Klein: Right. And the bottom line is if you suspect it, you're accusing somebody of a potential crime, they have rights. So you have to be respectful, work with inside counsel, outside counsel, HR. The quantification is not going to go away, but preserving and not tainting the process I think is most important. Jeff, I know you had something you wanted to add.

Jeffrey Granell: Yeah, it may have passed now, but it was just an add-on, and that's bringing in an independent or third party or outside resource. When you're dealing with a closely held family organization and you have other stakeholders such as lenders that also will become aware of such fraud is a really good lever to pull because it will bring back credibility to the business or can bring back credibility to the business, bringing reassurance to those lenders that you're taking corrective actions and willing to put in checks and balances that are outside of just your organization.

Hubert Klein: Louise and Jen, you have anything you want to add before we wrap this up?

Jen Clark: I'll just say that your technology colleagues are your partners, and I think in a lot of cases there's a lot of oversight that happens in your IT teams and can see a lot of different places in your organization and really making them a part of that culture of prevention is important.

Hubert Klein: Louise?

Louise Gannuch: Yeah, I think sharing the same sentiment. I think we're talking a lot about collaboration. We've brought a lot of people here today to talk about this topic that is never going to go away. As David started, what was it, 300 BC, right? So we're going strong in this area as a collective. So just collaborate, bringing the people fraud. I think people shy away from talking about it, but it's there. Get in front of it, be proactive. Don't be reactive. It's a continuum. You can start somewhere if you haven't done anything before and just get in the fight.

Hubert Klein: And I think that's a great place to close. Pretty much. I talked about the PDQ prevention, detection and quantification, Jen, Louise and Dana or their prevention detection side. And if they need us on the quantification side, we're here to help. But everybody on here has a wealth of knowledge. We shared it with you today. You can reach out to everybody on this panel if you have any additional questions, a thing that you might want to ask. But I want to thank all the attendees for giving up their time today, and I want to thank all the panelists for sharing your time and your talent and knowledge with us today. So thank you very much, everybody.

Transcribed by Rev.com AI

 
