Skepticism – a Weapon to Fight Fraud

What is wanted is not the will to believe, but the will to find out, which is the exact opposite.” – Bertrand Russell, “Skeptical Essays,” 1928

Questions about professional skepticism – how to define it, how much is enough, what policies support it, and what practices diminish it – are perennial topics of concern among auditors and accountants. These topics also should be of concern to all stakeholders, including a company’s management, board of directors, and audit committee.

In any discussion of fraud detection and prevention, the phrase “trust but verify” is almost certain to come up.
Regardless of how apt that concept might have been in the context of Cold War diplomacy, it could be argued that “trust but verify” is actually bad advice when it comes to deterring fraud in general.
In fact, “trust but verify” could be a downright dangerous approach when applied to audit procedures in particular. A much better slogan for fraud deterrence would be, “Trust is a professional hazard.”

It is not just auditors who must be concerned with maintaining appropriate professional skepticism. This point was stressed during a roundtable convened in April 2013 by the  Anti-Fraud Collaboration, which comprises the Center for Audit Quality (CAQ), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National  Association of Corporate Directors (NACD). The author participated in this program,  which had the objective of bringing together some key players – corporate directors, financial executives, external auditors, and internal auditors – from all along the financial reporting supply chain to discuss each group’s expectations and understanding of the
various players’ roles in deterring and detecting financial reporting fraud.

A portion of the discussion focused on an initial survey of the four organizations’ members, which produced a number of surprising findings about the attitudes and opinions of the various stakeholders. The roundtable’s summary concluded, “A large majority of survey respondents believe that financial management has primary responsibility in deterring financial reporting fraud, with a smaller majority believing financial management is responsible for detecting financial statement reporting fraud.” The implication is that because financial management plays a leading role in detecting financial fraud, it is incumbent on executives – not just auditors – to exercise appropriate levels of professional skepticism. Board members and particularly audit committee members also must take care to exercise a skeptical approach to financial reports and supporting information.

The Anti-Fraud Collaboration’s survey also revealed that the various stakeholders’ expectations and opinions about their organizations’ effectiveness in deterring and detecting fraud vary widely. When asked to rate his or her organization’s overall performance, an internal auditor was much less likely to say that his or her organization exhibits the appropriate balance between trust and skepticism. As shown in Exhibit 1, only 46 percent of those affiliated with the IIA said that their organization exhibits the appropriate balance of trust versus skepticism, compared to 58 percent of the financial executives (members of FEI), 70 percent of the external auditors (CAQ members), and 79 percent of the board members (affiliates of NACD) who responded.

Tellingly, 42 percent of the internal auditors said that their organization exhibits more trust than skepticism. This is a particularly troubling admission considering the paramount role that professional skepticism – not trust – must play in auditors’ performance of duties.

Read more by downloading the complete thought leadership piece here.

Thank you and have a safe holiday season!




Board of Directors Oversight and Cyber Strategy


In a recent article by the Wall Street Journal states that “Corporate boards are seeking greater insight into cyber security risks in the aftermath of the recent breach at Equifax Inc.  The hacking attack on the credit-reporting firm last summer was a defining moment for directors, say technology and corporate-governance experts.

As cybercriminals damage company reputations and cause tens of millions in remediation and legal costs, some boards are increasing cyber security oversight and weighing how to delegate responsibilities among directors. Others are pushing for more meetings with corporate security chiefs.”

All of the above seems to be true, but many board members seem to be “silently” struggling with oversight, which is one of the board’s most important responsibilities.

A sound Cyber Strategy or compliance plan should be designed from the risks identified to deter and resolve cyber attacks as well as to address any possible repercussions, such as damage to the reputation of the enterprise.

Here are some key elements and things to consider when developing a Cyber Strategy, which can also be used by board members in their oversight role.


  • Board level engagement.
    • Monitor the news for other cyber incidents or perceived threats.
    • Challenge management assumptions related to cyber security and the strategy.
  • Management should engage the board.
    • Provide the board with highlights of worthy news around cyber.
    • Let the board know about the challenges; and most importantly,
    • Communicate successes.
  • The strategy should be business driven and consider the extended enterprise.
  • Ensure there is good tone from the top. Does the messaging and conduct convey the importance of good cyber hygiene?
  • Have a sound and defined communication plan.
    • Internal and external communications.
  • Don’t boil the ocean!  Ensure a risk based approach is used to identify threats or vulnerabilities. Some key components include…
    • What are the most valuable intellectual property and customer-based informational assets that need to be protected; and on a scale of 1-10, how do we categorize and rate these assets in terms of importance to the business that we are in?
    • Where are these assets housed (in-house, in the US, in another country, or in “the cloud,”)?
    • Are all assets (despite differing values or classification) housed on the same network server, thus rendering them subject to a cyber attacker laterally moving within our network?
    • Are we conducting due diligence of our third-party or outsourced vendors to make sure they cannot be a source of a cyber attack against our firm by having too much access to our network, or can respond to and recover from a cyber-attack against their own network?
    • Do the vendors with whom you have indemnity agreements have cyber insurance with sufficient limits of liability in place and in effect?
  • Keep in mind that as technology advances, and today it does advance fast, so do the threats; it is harder than ever to protect business processes and information – so this is not a “set it and forget it” exercise.
  • Understand the internal controls in place and ensure they are designed appropriately.
    • Consider the human element.
  • Don’t ignore physical security threats – Access!
  • Training must be a process.
    • Have targeted follow-up to reinforce the learning objectives.
  • Have documented incident response (investigation) and crisis management plans.
    • Walk through these plans frequently and tweak them as necessary.
  • If there is an incident, and there will be one – use root cause analysis to get to the origin of the incident and remediate accordingly.
  • Consider compliance and regulatory requirements.
  • Have cyber and other insurance coverage’s reviewed by a competent professional – if you have no coverage I strongly encourage getting some.
  • At the end, your strategy or plan must be consumable and scalable – said differently, it must be operationalized or embedded throughout the entire enterprise.

I welcome your thoughts and suggestions.

I also wanted to thank Theodore M. Schaer, who is a partner and the Chairman of the Cyber Liability, Privacy and Data Security Department at Zarwin Baum Devito Kaplan Schaer Toddy P.C. located in the Philadelphia office for his contribution to this writing.

Have a great weekend!


Jonathan T. Marks, CPA, CFF, CFE

Root Cause Analysis

Tom Fox podcast visits with Jonathan T Marks, CPA, CFE, on how to perform a root cause analysis and its uses in the remediation phase of a best practices compliance program. One new and different item was laid out in the Evaluation of Corporate Compliance Program, supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance. This was the performance of a root cause analysis for any compliance violation which may led to a self-disclosure or enforcement action.

Click here for the PODCAST

One Prong of the Evaluation of Corporate Compliance Programs (Evaluation) which was not present in the Ten Hallmarks of an Effective Compliance Program, is root cause analysis. This addition was also carried forward as a requirement in the Department of Justice’s (DOJ’s) new FCPA Corporate Enforcement Policy (Policy).

Tom Fox discusses using the results of a root cause analysis in remediating a compliance program.

Under Prong 1 Analysis and Remediation of Underlying Misconduct, the Evaluation stated:

Remediation –What specific changes has the company made to reduce the risk that the same or similar issues will not occur in the future? What specific remediation has addressed the issues identified in the root cause and missed opportunity analysis? The Policy brought forward this requirement for a root cause analysis with the following language: “Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes;”.

I begin with who should perform the remediation; should it be someone or a team which were or were not a part of the root cause analysis? I put this question to well-known fraud expert Jonathan Marks, a partner at Marcum LLP, who believes the key is both “independence and objectivity”. It may be that an investigator is a subject matter expert (SME) and “therefore more qualified to get that particular recourse.” Yet to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution.

Marks also noted if “the errors require some type of financial restatement the company may also have deficiencies in internal controls. More importantly the failure to remediate gaps in internal controls provides the opportunity for additional errors or misconduct to occur, and could damage the company’s credibility with regulators” and allow the same or similar conduct to reoccur. Finally, with both the Evaluation and Policy, the DOJ has added its voice to prior Securities and Exchange Commission (SEC) statements that it “will focus on what steps the company took upon learning of the misconduct, whether the company immediately stopped the misconduct, and what new and more effective internal controls or procedures the company has adopted or plans to adopt to prevent a recurrence.”

Ben Locwin considered it from the ‘blame’ angle, when he wrote “Simply “cataloguing” and “assigning cause” to a defect or error is not compliance. Compliance presumes systems and processes are designed to adhere to regulatory pronouncements. Selecting “human error” from a dropdown list and assigning it as root cause means that user is accountable for having thoroughly investigated the causal factors of the error or defect, identifying and determining which root causes(s) are most likely, according to the preponderance of evidence, to have been associated with the defect.” This means not blaming some individuals and terminating them but actually fixing the broken compliance systems which allowed the violation in the first place.

Locwin concludes by noting, “Stop blaming people for bad systems and processes. The people are the human capital that is actually doing the thinking and processing to generate profits for your company — unless there is data to suggest willful negligence or gross incompetence, then in that case address the talent development gap or termination. A nicely documented retraining of Alice or Bob isn’t going to improve successive outcomes on future iterations of the same work. Guaranteed. And I have plenty of data showing these sorts of human error interventions [retraining] are less than 5 percent effective at preventing recurrence of the problem.”

As required under the Evaluation, from the regulatory perspective, the critical element is how did you use the inform you developed in the root cause analysis? Literally every time when you see a problem as a compliance officer, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm was done? Why or why not? Why did that system fail? Was it because the person who is doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions which have been developed through a root cause analysis you can bring real value and real solutions to your compliance program.

The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step processes, in which one process can confirm the results of another. Focusing on the corrective measures of root causes is more effective than simply treating the symptoms of a problem or event, and will aid in having a much more robust solution in place. This is because the solution(s) are more effective when accomplished through a systematic process with conclusions backed up by evidence.

When you step back and consider what the DOJ was trying to accomplish with its Evaluation, it becomes clearer what they expect from the compliance professional. Hui Chen, in an interview on the Radical Compliance podcast, made clear she desired that the Evaluation would cause Chief Compliance Officers (CCOs) and compliance practitioners to consider the structure of their compliance program and how it inter-relates to the company’s risk profile. When you have a compliance failure, you should use the root cause analysis to think about how each of the structural elements of your compliance program could impact on how you manage and deal with that risk. Chen stated, “I would use the approach that I hope is consistently clear through the document is that the quest for thinking through what you want to accomplish, how you are gonna do it, who are you going to work with to accomplish those things, and how you measure the results, what data are you getting need to collect to inform your decisions along the way.”

You must not only perform the root cause analysis but use the information you obtain to inform your compliance program going forward. As much care as you put into performing your root cause analysis should be put into using the findings for remediation.

Doing Compliance Master Training Miami, February 12 and 13, 2018

Tom Fox is partnering with Marcum LLP to put on a two-day Doing Compliance Master Class, which will be unlike any other class currently being offered.

It will be held in Miami, FL on February 12 & 13, 2018. This Doing Compliance Master Class is not theory or analytical underpinnings of the FCPA. The focus of the Doing Compliance Master Class will be on the operationalizing of compliance. For it is only in the doing of compliance that companies have a real chance of avoiding FCPA liability.

The Doing Compliance Master Class provides a unique opportunity for any level of FCPA compliance practitioner, from the seasoned Chief Compliance Officer (CCO) to the practitioner who is new to the compliance profession. If you are looking for a training class to turbocharge your knowledge on the nuts and bolts of a best practices compliance program going forward, this is the class for you to attend. Moreover, as I limit the class size to 10 attendees, you will have an intensive focus group of like-minded compliance practitioners with which you can share best practices. It allows us to tailor the discussion to your needs.

As one of the leading commentators in the compliance space for several years, I will bring a unique insight of what many companies have done right and many have done not so well over the years. I will be joined by Jonathan T. Marks, CPA, CFE, who has extensive experience in the GRC space and is an expert in board and fraud related matters, including bribery and corruption.

This professional experience has enabled me to put together a unique educational opportunity for any person interested in anti-corruption compliance. Simply stated, there is no other compliance training on the market quite like it. Armed with this information, at the conclusion of the Doing Compliance Master Class, you will be able to implement or enhance your compliance program, with many ideas at little or no cost.

The Doing Compliance Master Class will move from the theory of the FCPA into the doing of compliance and how you must document this work to create a best practices compliance program. Building from the Ten Hallmarks of an Effective Compliance, the questions posed from the Evaluation of Corporate Compliance Programs and the information from the new Justice Department FCPA Corporate Enforcement Policy as a guide, you will learn the intricacies of risk assessments; what should be included in your policies and procedures; the five-step life cycle of third-party risk evaluation and management; tone throughout your organization; training and using other corporate functions to facilitate cost-effective compliance programs.

Highlights of the will include:

• Understanding the underlying legal basis for the law, what is required for a violation and how that information should be baked into your compliance program;

• What are the best practices of an effective compliance program;

• Why internal controls are the compliance practitioners best friend;

• How you can use transaction monitoring to not only make your compliance program more robust but as a self-funding mechanism;

• Your ethical requirements as a compliance practitioner;

• How to document what you have accomplished;

• Risk assessments – what they are and how you can perform one each year.

You will be able to walk away from the Doing Compliance Master Class with a clear understanding of what the anti-corruption compliance is and what it requires; an overview of international corruption initiatives and how they all relate to FCPA compliance; how to deal with third parties, from initial introduction through contracting and managing the relationship, what should be included in your gifts, travel, entertainment and hospitality policies; the conundrum of facilitation payments; charitable donations and political contributions, and trends in compliance.

You will also learn about the importance of internal controls and how to meet the strict liability burden present around this requirement of FCPA compliance.

The Doing Compliance Master Class will be based around my book, Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which focuses on the creation, implementation and enhancement of a best practices compliance program. I will also use the text of my upcoming book The Complete Compliance Handbook which will published in early 2018.

The FCPA Master Class will be held on February 12 & 13, 2017 at the offices of Marcum LLP, located at the SunTrust International Center, 1 SE 3rd Ave #1100, Miami, FL 33131.

A Certificate of Completion will be provided to all who attend in addition to the continuing education credits that each state approves. The cost to attend is $1,495 per person. Breakfast, lunch and refreshments will be provided both days.

For more information or a copy of the agenda, contact Tom Fox via email at tfox@tfoxlaw.com or telephone at 1-832-744-0264. Click here to Register, or go to my website, FCPA Compliance Report.

Space is limited so register today.

Board and Fraud: Understanding the Mind Behind the White-Collar Criminal

In one of his early short stories, F. Scott Fitzgerald famously wrote: “Let me tell you about the very rich. They are different from you and me.” Years later, when he recounted the line in a short story of his own, Ernest Hemingway added the equally famous reply, “Yes, they have more money.”

Hemingway’s retort playfully ignored Fitzgerald’s point, which was that the wealthy tycoons of the Jazz Age viewed the world in a way that was fundamentally different from their contemporaries’ view.

Today, a similar point can be made about another group of individuals who are much more sinister and even less understood: white-collar criminals. It’s not that they simply have (or want) more money — they actually think in ways that differ from their more trustworthy peers.

All too often, boards and management fail to grasp this fundamentally different world view as they carry out anti-fraud efforts. Most board members and executives do not think as fraudsters do — which is a good thing, of course. Unfortunately, this can also make it difficult for them to develop controls that reduce their organizations’ exposure to fraud risk.

The challenge has been summed up succinctly by Sam Antar, onetime chief financial officer for the electronics chain Crazy Eddie, who was convicted of fraud and served time in prison in the 1980s. Today, he lectures regularly to the government, law enforcement, corporate groups and students about how to prevent white-collar fraud, Antar often points out, “My normal at Crazy Eddie was not your normal.”

By understanding how a fraudster’s normal differs from theirs, executives, managers and board members can develop more effective anti-fraud programs that take into account the behavioral and environmental factors that are common in cases of white-collar crime.

Behavioral Elements

What type of person commits fraud on a large scale? By taking a closer look at executives who perpetrated massive fraud at corporations like Enron Corp. and Worldcom Inc., it is possible to identify a pattern of behavioral elements that are common to white-collar criminals. They include:

Lack of a Moral Compass

All organizations rely to some extent on individuals’ moral compasses to guide behavior in the workplace. Moreover, as much as corporations would like to maintain a separation between the personal and professional lives of their employees, the two are linked when it comes to ethical behavior. A pattern of questionable personal lifestyle choices — in areas such as spending or salacious conduct, for example — can indicate an individual’s lack of moral compass.

Troubling Friends, Family and Relationships

To help them in their crimes, fraudsters often look for people who share the same social background or ambitions or who are gullible and easily manipulated. In his 2005 book, Sarbanes-Oxley and the Board of Directors: Techniques and Best Practices for Corporate Governance, Scott Green notes: “Those who are willing to commit fraud recruit from the corporate employee pool weak or needy personalities, and go to lengths to reward and protect them.”


Deception and cover-up (concealment) are the hallmarks of white-collar crime. A 2010 working paper by the Rock Center for Corporate Governance at Stanford University found that the language used by executives often contains clues to deception. Researchers studied the words of executives at companies that later had to restate earnings, a frequent occurrence after fraud detection, and identified some key indicators of possible deception.

For example, they found that deceptive executives tend to disavow ownership by using words like “the company” or “the team” when they talk about their company, rather than saying “I.” Such executives also emphasize extreme positive emotions, using words such as “fantastic” instead of merely “good” or “solid” to mask mediocre performance, and often answer questions indirectly with short, prepared statements before redirecting conversation.


After interviewing former Enron CEO Jeffrey Skilling, Dr. Archelle Georgiou summed up the man in a 2010 Fortune magazine article: “Was he arrogant? Yes. But that’s not a surprise. After all, arrogance springs from the same well of confidence that led him to the big chair at Enron.”

When confidence and pride grow into true arrogance, it can indicate an attitude of superiority and entitlement — and the sense that corporate policies and procedures simply do not personally apply.

Cleverness and Creativity

Businesses naturally seek out clever and creative people. Unfortunately, like confidence, these traits that make executives successful can also be associated with dishonesty and unethical behavior.

The authors of a recent Harvard Business School working paper concluded that creative people are motivated to think outside the box and are well-suited to change — two characteristics that also allow them to reinterpret their behavior and rationalize their moral transgressions. While companies need smart, savvy people on the payroll, appropriate controls must be in place to keep creativity flowing in a positive direction.

Environmental Elements of White-Collar Crime

In addition to identifying individuals who may be more likely to commit fraud, it is also important to identify the settings in which fraud is more likely to occur. In his white-collar fraud presentations these days, Antar recounts the Crazy Eddie corporate culture, infused by tight family ties that aided and abetted his illicit activities.

It was, according to the former CFO, an environment that promoted fraud from within and tried to keep as much money as possible within the family (as opposed to going to the government or investors who weren’t family members).

An organization does not need to be as free-wheeling as Crazy Eddie to be vulnerable to white-collar fraud. The cultural or environmental characteristics that increase fraud risk are not always so blatant. They include:

Weak Tone and Conduct From the Top

“Tone from the top” refers to a collective message from senior management that enhances the ethical fiber of the organization and the moral backbone of staff members. Leadership that doesn’t support a rock-hard ethical and moral ideal — and doesn’t lead by example with strong character and evident values — can leave the organization exposed to fraudulent behavior. Interacting and regularly listening to and testing senior management, management and employees by asking probing questions can help to determine whether the tone from the top is resonating throughout the organization at all levels.

Conduct from the Top, as the DOJ has put forth, refers to how senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts?

Vulnerable Culture

Although criminals are unlikely to be deterred by moral constructs or an ethical corporate culture, such an environment can help encourage co-workers to blow the whistle on crime rather than allow criminal activities to go unreported.

An ethical culture is also the foundation of good corporate governance and arguably the most powerful control in any organization. Proper training, coupled with regular surveys of employees, can help management determine whether the culture of the organization is bedrock or sand.

Loose Links Between Ethics and Compensation

Compensation structures can have direct social and moral effects, which is why executive compensation is a critical corporate governance issue that must be overseen closely. Compensation structures that do not include an ethics component can encourage the wrong types of behavior.

For example, a large pay increase that is tied to unreasonable performance targets could help an individual to rationalize unethical and excessive risk-taking. Stock options, profit sharing, bonuses, executive retirement benefits, severance policies and other perks should be aligned with a corporate commitment to ethical behavior.

It is important to note that the existence of any or all of these elements does not necessarily mean fraud is occurring. It does mean, however, that management needs sound internal controls to deter any inappropriate behavior and detect patterns of inconsistencies in order to get at the truth if the controls are overridden.

Formal Risk or Vulnerability Assessment

In addition to establishing an ethical environment, board members and management must also take the lead in implementing and maintaining a formal fraud risk management program. One key element of such a program is a fraud risk assessment, which should be updated annually at a minimum or more frequently if conditions warrant.

The risk assessment, which some say is easy and I disagree, should identify fraud schemes and the acts that could potentially occur, possible concealment strategies that could be used by the fraudster to avoid detection, possible conversion tactics, the individuals or gatekeepers who pose the highest risk of committing fraud, controls that are in place to deter or detect fraud and a list of warning signals or “red flags” that can be used to educate the organization and assist internal audit and compliance in designing risk assessment procedures.

These “red flags” can be organized into four general categories:


• Transactions conducted at unusual times of day, on weekends or holidays or during a season when such transactions normally do not occur;

• Transactions that occur more frequently than expected — or not frequently enough;

• Accounts with many large, round numbers or transactions that are unusually large or small; and

• Transactions with questionable parties, including related parties or unrecognized vendors.


• Missing or altered documents;

• Evidence of backdated documents;

• Missing or unavailable originals;

• Documents that conflict with one another; and

• Questionable or missing signatures.

Lack of Controls

• Unwillingness to remediate gaps;

• Inconsistent or nonexistent monitoring controls;

• Lack of clear management position about conflicts of interest;

• Inadequate segregation of duties;

• Lax rules regarding transaction authorization; and

• Failure to reconcile accounts in a timely manner.


• Rationalization, changes in behavior, contradictory behavior or recurring negative behavior patterns;

• Lack of stability;

• Inadequate income for the individual’s lifestyle;

• Resentment of superiors and frustration with job;

• Emotional trauma in home or work life; and

• Undue expectations from family, company or community.

Implementing Controls

In meeting its responsibility to identify gaps and develop fraud controls, management must take special care to avoid complacency. Don’t assume that if fraud is occurring“the auditors will catch it.” Using the external auditor as a control is not acceptable. By the time the external auditor uncovers fraud it is usually too late to prevent significant financial damage, and almost always too late to prevent the reputational damage that will follow.

Following are some important principles to keep when developing more proactive anti-fraud control policies:

An Effective and Empowered Audit Committee is Essential

The committee should be completely independent from management and authorized to hire outside counsel and other advisers. At least one audit committee member should be a financial expert, but individuals with nonfinancial skills and expertise are also needed to provide different perspectives.

The audit committee needs to be proactive. They should require (emphasis added) a root cause analysis after something fails, in an attempt to prevent a reoccurrence. They should have regular dialogue with the COO and CAE, discussing findings and trends. Lastly, they should communicate with the other board members and committees.

Establish and Enforce a System of Effective Controls, Both Internal and External.

Internal controls limit opportunities to hide the fraud trail and can discourage all but the most arrogant fraudsters. Common tools include security and access controls, such as dual authority or monetary authorization limits, as well as audits, inspections and transaction monitoring.

Establish the Right Tone and Conduct From the Top

Although mentioned before, this principle bears repeating. Mere mechanical compliance with internal controls can still leave the organization vulnerable, which is why the attitudes and actions of management are so important.

Actively and visibly promoting an ethical environment that resonates throughout all levels of the organization will embolden honest employees and encourage self-policing.

Provide a Clear Process for Reporting Suspicious Behavior

In its Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study, the Association of Certified Fraud Examiners found that tips were responsible for uncovering nearly three times as many frauds as any other form of detection, including management reviews, surprise inspections, audits and surveillance devices.

Even without a formal whistle-blower program or ethics hotline, employees should be familiar with corporate protocol so they know where to turn if they suspect fraud.

Document Ethics Initiatives at All Levels

Informal conversations, even frequent ones, are not enough. Boards and executives should schedule and fully document discussions related to ethical issues, while also implementing effective internal controls and a proactive risk assessment policy. Board members should also be required to complete a conflict-of-interest statement annually.

Develop a Response Plan in Case Deterrence Fails

In spite of everyone’s best efforts, fraud still can occur. Often the initial reaction of executives or board members is to confront the suspected fraudster outright or, if there is doubt, to begin collecting paper or electronic evidence. Perhaps the most common impulse is to dismiss the offender, limit the damage and hope the story can be kept quiet.

All too often, these are exactly the wrong things to do and could compromise an organization’s in many ways. Including regulatory scrutiny and possibly discipline.

What’s more, the protocol for dealing with an employee suspected of cheating on an expense report is different from that for an executive involved in falsifying financial statements. To avoid various unintended consequences, every organization should develop appropriate strategies — in advance — for dealing with specific types of fraud or other misconduct.

A Matter of Ethics

Ultimately, strong ethics is also good business. An ethical climate can improve employee morale, recruitment and retention, as well as instill a more positive environment that fosters creativity and innovation. Companies with a reputation for fairness and integrity also are more likely to have loyal customers and suppliers — and to attract investors as well.

By establishing an environment in which ethical behavior is expected — and by understanding how white-collar criminals look at the world differently — it is possible to begin closing the gaps in internal controls, develop a proactive fraud risk assessment and response program and significantly reduce the financial and reputational risks associated with fraud.

I welcome your thoughts and opinions.

Jonathan Marks, CPA, CFF, CFE

This article originally appeared at http://daily.financialexecutives.org/understanding-the-mind-of-a-white-collar-criminal/ and has been modified.

Training or Draining? Mitigating Disremember Risk!

We seem to forget things that don’t interest us or are no longer useful. The problem, however, is that in the process of forgetting, our brain often purges important information.

I have been to many training sessions over my career and I know what I like and what I don’t like. I also have a good nose for what is effective and will more likely than not be retained long after the training ends – you probably do too!

Training and educational programs should be designed to teach employees, agents, and others periodically and in a practical manner on the requirements applicable to their jobs or duties and to update them on any regulatory changes and trends.

Usually it’s not the design of the training that’s problematic. It’s the delivery or approach that fails us, but will the methodology or approach of delivering training ever evolve? Or, will 2018 just provide us with another chorus of empty responses.

What organizations consistently fail to recognize is that training is not an event, it’s a process. A process which requires identification of critical learning objectives (based on needs), development of the program, facilitation by an experienced practitioner, and targeted follow-up to reinforce the learning objectives.

The traditional practice of training is unfortunately dead on arrival. Whether it is bringing the training on site, sending your team offsite, or participating in webinars, these training techniques are antiquated and do absolutely nothing to mitigate the disremember risk.

The amount a learner will forget varies depending on many things, but some say that within one hour, attendees will have forgotten an average about 50% of the information presented during training; within 24 hours, attendees will have forgotten an average 75%; and within a week, attendees will have forgotten more than 90% of the information presented.

Regardless, it’s fair to say that we all forget some things presented during training, but in general, the possibility your training is ineffective, should cause you to pause, and prompt you to think about the entire training process. Because in the worst case, no matter how much you invest into training, it is possible that nearly everything you teach to your employees and others could soon be forgotten. Staggering, is that very few organizations can speak confidently about learning retention.

That’s why I really like Robert Mainardi’s (Mainardi & Associates) methodology, which utilizes a Blended Training (“BT”) approach. Mainardi’s approach combines the traditional training process mentioned previously with custom video summaries (usually 3-6 minutes in length) delivered to attendees simultaneously via e-mail and text. These summaries are unique to each session based on discussions held during a training event and helps to reinforce the critical learning objectives. The number of summaries and the timing of the distribution are based on the length of the course presented. Additionally, the distribution and viewership are tracked and custom reporting is generated to determine compliance with the learning process and provide the organization with feedback on what is working and what might require more attention.

Behavior change, also known as learning, requires a level of commitment from all concerned and should endure long after a training event. The BT approach in my opinion is a leading practice that not only addresses disremember risk, but also proactively identifies future training needs.

I welcome your thoughts and ideas. Unless you lost that clever thought or forgot your awesome idea?

Have a nice weekend.


Jonathan T. Marks, CPA, CFF, CFE

Brain Science: Art Kohn
Work Learning Research

Calculating the Correct Tax Loss: Are You Looking ‘Outside the Box?’

Forensic accountants are routinely engaged to assist in the calculation of lost profits and economic damages in various types of litigation. One such engagement is assisting attorneys in calculating and/or reviewing calculations of tax loss attributable to alleged fraud committed by a defendant. These tax loss calculations are relevant when a court is determining the length of sentence for a defendant in criminal tax litigation.

Government agents investigating tax offenses often work within well-defined parameters including the time period (i.e., frequently a six-year range) for an investigation without fully assessing the origins of financial transactions that contribute to an ultimate tax loss. This concept of “remaining in the box” can cause the tax loss attributable to fraud to be overstated, thereby contributing to an inflated “guideline sentence” for an individual defendant convicted of tax offense(s).


Forensic accountants are routinely engaged to assist in the calculation of lost profits and economic damages in various types of litigation. One such engagement is assisting attorneys in calculating and/or reviewing calculations of tax loss attributable to alleged fraud committed by a defendant. These tax loss calculations are relevant when a court is determining the length of sentence for a defendant in criminal tax litigation.

Income tax returns represent the end result of a process involving a myriad of transactions, persons and documents. Our role is understanding this process, and in some cases reverse- engineering the process, to extract critical pieces of information that have swayed the outcome of an IRS investigation.

In many loss analyses, accountants have wide latitude in determining the method appropriate to calculate damages incurred. However, Part 2T1.1 of the US Sentencing Guidelines Manual provides certain parameters for calculating tax loss for the purpose of determining the “guideline range” of sentence for the tax crime defendant(s).

This article provides an accountant’s perspective of an engagement to assist in criminal tax or other matters in which a guideline sentence is based upon some measure of financial loss. The authors of this article are not attorneys. This article is not intended to provide legal guidance.

Tax Loss

At this writing, federal sentencing guidelines have been in place for approximately 30 years, having been implemented in the late 1980s. An objective of the guidelines is to achieve perceived consistency between sentences for specific offenses. Throughout their history, the sentencing guidelines have been challenged and revised to the point of becoming advisory, rather than mandatory. Loss ranges relevant to sentencing levels have been adjusted for economic conditions (i.e., inflation) and changing views on sentencing. That said, attention must be given to where an alleged loss is positioned within a “range.” The feasibility of effectively moving a loss from one range to another should be considered.

Calculation of Losses

For criminal tax matters, accountants operate within the context of the Internal Revenue Code and its attendant rules and regulations. Additionally, accountants must be mindful of distinctions between willful violations and negligent violations. This requires the accountant to consider causal factors that may be minimized in other types of loss analyses. This mental framework/approach is potentially relevant to any IRS investigation as the agents may attempt to include negligent omissions as part of the tax loss. This is a facts-and-circumstances analysis which, as illustrated below, may necessitate consideration of factors outside the identified years of investigation.

Part 2T1.1 paragraph C (1) of the sentencing guidelines define tax loss as “the total amount of loss that was the object of the offenses (i.e., the loss that would have resulted had the offenses been successfully completed).” If the amount of the tax loss is uncertain, the accompanying application notes allow the courts to make a reasonable estimate of the tax loss based on the available facts. So, if the only facts presented to the court are those “within the box,” the court can potentially decide on a reasonable estimate that is not a true representation of the underlying financial transactions.

Case Example I: IRS initiated an audit and determined that a physician had underreported credit card sales processed through a merchant account (credit card payments) for a three-year period. The matter was referred to the Criminal Investigation Division (CID), which launched an investigation. The CID agent interviewed the doctor’s long-time accountant and tax return preparer. When interviewed, the accountant disavowed knowledge of the merchant account, stating the physician failed to disclose to him the existence of the account. The CID investigation identified in excess of $300,000 of unreported income.

Looking back further, we determined that the tax return preparer had included interest income from the merchant account on tax returns in prior years, seemingly contradicting his statement to the IRS that the existence of the account had been concealed.

The accounting records also indicated the doctor was routinely making capital contributions to the practice throughout the years investigated by the IRS. Ultimately, we were able to establish to the satisfaction of CID that the tax return preparer misclassified transfers from the merchant account to the operating account as non-revenue capital contributions rather than patient revenue.

In this instance, the successful defense against criminal tax violations was based upon understanding the process from inception through the years questioned by the IRS. The proposed tax loss related to the merchant account were finalized on the civil, not criminal, side of the IRS.

Case Example II: IRS initiated a CID investigation of a small business owner for a five-year time period. CID compared the deposits to all known business accounts to the gross receipts reported on the business tax returns, and determined that the business owner had understated gross receipts by more than $2.2 million, for an estimated $616,000 tax loss.

The question is whether the understatement constitutes an appropriate base from which to calculate a tax loss. In many instances, the answer is no, especially in a small business environment with less formal accounting procedures. Not surprisingly, the comparison of reported gross receipts to bank account deposits did not fully address the situation.

Inspection of available business records, including supporting documentation for the tax returns, established that in addition to gross receipts being understated, 80 percent of the expense line items were also understated. We analyzed the bank deposits, included transfers between accounts, and detailed the additional expense items to present a more accurate view of the defendant’s taxable income for the relevant periods.

Our analysis demonstrated to the satisfaction of CID that the actual unreported income was approximately $700,000 and the tax loss was approximately $235,000—significantly lower than the original amounts presented by CID.

Final Thoughts

As forensic accountants, we are expected to go beyond the mathematical process and thoroughly assess a situation by taking into consideration the how, where, what, why and who, which requires thinking “outside the box.”

Therefore, it is imperative that these calculations be prepared with the utmost accuracy and understanding of the fraud perpetrated. Merely calculating the difference between the value of assets or net worth does not result in actual or intended loss suffered due to fraudulent offenses. In fact, such calculations may include mistakes, such as double counting of the amount of loss or impact on the victims. This results in erroneous calculations and sentences that could have an adverse impact on the sentences of the individual(s).


John D. Bullock, CPA, CVA, is a director in Marcum’s Philadelphia office and a member of the firm’s advisory services division.

Jonathan T. Marks, CPA, CFF, CITP, CGMA, CFE, is a partner in Marcum’s Philadelphia office and the leader of Regulatory Investigations and Compliance services and solutions. Marcum LLP is a top national accounting and advisory firm with offices throughout the United States, as well as Grand Cayman, China, and Ireland. For more information, visit http://www.marcumllp.com.

Article originally appeared in the Legal Intelligencer.

Marks’ Five Steps to Fighting Fraud with Professional Skepticisim

A healthy dose of professional skepticism is essential in fighting fraud, even if it goes against human nature to be skeptical of people we’ve come to trust. It’s important because someone interested in committing fraud will prey on trust.

One of the key drivers is that we get comfortable with people. We give people the benefit of the doubt instead of resetting that level of skepticism.

Informed skepticism is important for a variety of stakeholders. If board members, finance executives and others challenge their own assumptions, organizations will not only deter fraud but also make detection more likely.

Recent research details some of the obstacles that prevent organizations from effectively fighting fraud. Companies are aware of the potential of data analytics as an anti-fraud tool but have not taken full advantage yet. Companies are suffering from “compliance fatigue” as they attempt to alleviate fraud risk.

Here are my five key steps to fighting fraud with professional skepticism:

  1. Play the role of the independent reviewer or inspector, particularly of your own assumptions. A professional skeptic continually challenges beliefs and belief-based risk assessments. Critical self-assessment is necessary to demonstrate to others why and how beliefs and assessments are justified.
  2. Resist complacency. Question whether you are placing undue weight on previous risk assessments or discounting evidence inconsistent with your expectations.
  3. Be alert to pressure. Pay particular attention to pressure to truncate risk-assessment procedures or investigations. Also, look out for unwarranted assumptions for the sake of meeting a deadline or goal.
  4. Understand the sources of evidence. Identify and assess risks from multiple perspectives, using multiple sources of evidence. Ensure your conclusions are grounded in that evidence.
  5. Be aware of the relative reliability of evidence types. In general, documentation from internally generated documents – particularly those generated manually or not linked to other reporting systems – is less reliable as evidence than documents generated by external sources such as banks or suppliers.

I welcome your thoughts and suggestions.

Jonathan @jtmarkscpa

Adapted from a previous article written when Marks was with Crowe.