Posted on 1 Comment

Speaking and Training on Fraud, Compliance, Ethics, and More…

Welcome to my site. I have spoken and been the keynote speaker for many conferences, including the ABA, ACC, ACFE, IIA, and IMA to name a few. I have designed customized training for the board, senior leadership, legal, compliance, internal audit, and others for some of the world’s largest organizations.

“I have had the pleasure to hear Jonathan Marks speak on a number of occasions. …most recently at a Fraud conference sponsored by the Long Island Institute of Internal Audit. Jonathan gave a dynamic and engaging half day presentation on fraud in financial reporting. He engages his audience with his expertise and knowledge of risk management, fraud and internal audit. His ability to share his experiences in fraud investigations over the past thirty years coupled with his interactive approach with his audience made for a compelling and memorable presentation.” Chief Audit Executive 

If you are interested in booking me for your next event or need customized training, please email me with the date or dates, location and address of presentation, the audience make-up, the subjects you would like covered, and the duration of the talk or training.

I have provided you with some Selected Training Programs (See below) and please peruse my blog posts for some additional topics and ideas. Keep in mind I speak and provide training on most anything related to governance, risk, and compliance, with a focus on fraud and forensics.

I will do my best to get back to you quickly.

Thank you!

 

Jonathan Pic

Jonathan T. Marks, CPA, CFF, CITP, CGMA, CFE and NACD Board Fellow

Selected Training Programs

Management Override of Internal Controls

The risk of management override of internal controls to commit fraud exists in any organization. When the opportunity to override internal controls is combined with powerful incentives to meet accounting objectives, senior management might engage in fraudulent financial reporting. This session will examine management override, focusing on the differences between the override of existing controls versus other, more prevalent breakdowns. It will also explore actions to help mitigate the threat of management override, approaches to auditing for management override and the psychology behind management’s override of controls. You Will Learn How To:

  • Identify red flags of management overriding controls
  • Ascertain an approach to auditing for management override
  • Assess the latest trends and research regarding management override of controls
  • Develop a better fraud risk assessment that highlights areas and gatekeepers that might have a greater chance of overriding controls.

Operationalizing Compliance – Master Class with Tom Fox, Esquire

The Master Class developed by Tom Fox, provides a unique opportunity for any level of FCPA compliance practitioner, from the seasoned Chief Compliance Officer (CCO) and Chief Audit Executive (CAE), Chief Legal Counsel (CLO), to the practitioner who is new to the compliance profession.

If you are looking for a training class to turbocharge your knowledge on the nuts and bolts of a best practices compliance program going forward, this is the class for you to attend. Moreover, as I limit the class to 20 attendees, you will have an intensive focus group of like-minded compliance practitioners with which you can share best practices. It allows us to tailor the discussion to your needs. Mary Shirley, an attendee at the recent Boston Master Class said, “This is a great two-day course for getting new folks up to speed on what matters in Compliance programs.

Tom Fox is one of the leading commentators in the compliance space partners with Jonathan T. Marks to bring a unique insight of what many companies have done right and many have done not so well over the years. This professional experience has enabled him to put together a unique educational opportunity for any person interested in anti-corruption compliance. Simply stated, there is no other compliance training on the market quite like it. Armed with this information, at the conclusion of the Doing Compliance Master Class, you will be able to implement or enhance your compliance program, with many ideas at little or no cost.

The Doing Compliance Master Class will move from the theory of the FCPA into the doing of compliance and how you must document this work to create a best practices compliance program. Building from the Ten Hallmarks of an Effective Compliance, using the questions posed from the Evaluation of Corporate Compliance Programs and the FCPA Corporate Enforcement Policy as a guide, you will learn the intricacies of risk assessments; what should be included in your policies and procedures; the five-step life cycle of third-party risk evaluation and management; tone throughout your organization; training and using other corporate functions to facilitate cost-effective compliance programs.

Highlights of the training include:

  • Understanding the underlying legal basis for the law, what is required for a violation and how that information should be baked into your compliance program;
  • What are the best practices of an effective compliance program;
  • Why internal controls are the compliance practitioners best friend;
  • How you can use transaction monitoring to not only make your compliance program more robust but as a self-funding mechanism;
  • Your ethical requirements as a compliance practitioner;
  • How to document what you have accomplished;
  • Risk assessments – what they are and how you can perform one each year.

You will be able to walk away from the class with a clear understanding of what anti-corruption compliance is and what it requires; an overview of international corruption initiatives and how they all relate to FCPA compliance; how to deal with third parties, from initial introduction through contracting and managing the relationship, what should be included in your gifts, travel, entertainment (GTE) and hospitality policies; the conundrum of facilitation payments; charitable donations and political contributions, and trends in compliance. You will also learn about the importance of internal controls and how to meet the strict liability burden present around this requirement of FCPA compliance.

Ethics and Governance Training

This session will cover how ethics is key to good governance and how governance fits into your anti-fraud program. Moreover, we will explore the components of a Sample Code of Ethics, the cost of ethical lapses, organizational situations that encourage bad behavior, the new ethics paradigm, and how to spot a moral meltdown.

Corporate Governance During a Crisis

We also discuss leading practices in crisis management and present several scenarios allow the participant(s) to work though mock crisis scenarios. For example, in your first week at your company, you just received information about an alleged massive fraud and you are now in a crisis. In this session, members of the audience will play different roles within the company (members of the board, legal department, managers, etc.) to have a discussion, including:

  • What type of crisis plan do you have, if any?
  • What to do and how to formulate a plan of action?
  • Who to call first, how to prioritize tasks, and where to prioritize resources?
  • Who (internal and external players) to get involved and when to get them involved
  • What data is needed when a crisis hits?
  • How to prepare for the media and when to reach out?
  • How to communicate with customers, vendors and suppliers, regulatory agencies, and other parties?

Fraud Risk Assessment Process and Guidance

Many professionals struggle with developing a fraud risk assessment that is meaningful. We discuss the objectives of a fraud risk assessment, the components of a fraud, and key considerations for developing an effective assessment. Then we explore the sources of risk, the fraud risk universe, and some of the key components of the assessment. Lastly, we walk through the key steps in the assessment process and walk through a sample fraud risk assessment that considers COSO’s Principle 8, which contains considerably more discussion on fraud and considers the potential of fraud as a principle of internal control.

FCPA (Bribery and Corruption): Building a Culture of Compliance

This session covers why compliance is important and the new guidance issues by the DOJ. We also explore current regulatory enforcement trends, whistleblowers Under Dodd-Frank, the U.S. Federal Sentencing Guidelines, risk-based third-party due diligence, way to thwart an investigation, differences and similarities between the FCPA and the U.K. Bribery Act, successor liability, and provides the participant with a proven 13-Step Action Plan.

Fraud Investigations

Knowing what to do when an allegation of fraud is presented is critical. Failing to understand the process could jeopardize the ability to prosecute wrongdoers. This session discusses why investigations are important, inherent risk and exposures, the types of investigations: internal and independent, board considerations, triaging an allegation, investigative challenges, and keys to running a successful investigation, and why root cause analysis should be considered after completing the investigation.

Third Party Risk Management and Oversight

Third party risk is the biggest nemesis when it comes to FCPA violations. This session discusses the key components of a compliance program and why it needs to be evolving to meet the business and compliance challenges, which are constantly occurring across the globe. We explore the latest DOJ guidance on the evaluation of corporate compliance programs. We build our discussion on the foundation of the key steps to be included in a third-party risk management program and cover some of the red flags of agents and consultants.

Putting the Freud in Fraud: The Mind Behind the White Collar Criminal

To properly fight corporate fraud we need to understand how a fraudster’s normal differs, so executives, managers and board members can develop more effective anti-fraud programs that take into account the behavioral and environmental factors that are common in cases of white-collar crime. By establishing an environment in which ethical behavior is expected — and by understanding how white-collar criminals look at the world differently — it is possible to begin closing the gaps in internal controls, develop a proactive fraud risk assessment and response program and significantly reduce the financial and reputational risks associated with fraud.

In this session, we take a closer look at the personality traits of individual perpetrators of massive fraud.

  • Discuss the basics of profiling and identifying elements of behavior common among white-collar criminals.
  • Discover what role company culture plays in the commission of fraud.
  • Hear cutting-edge ideas and methods to help detect and deter fraud.

Fraud Overview

This session is a “nuts and bolts” discussion about fraud and responding to fraud in an effort to reduce the incidence of fraud and white-collar crime. We go into the characteristics of fraud, who commits fraud, the fraud triangle and Pentagon™, the components of fraud, the regulatory environment & the focus on increased personal responsibility, internal controls to deter and detect fraud, and anti-fraud programs.

Triaging a Whistleblower Allegation

As corporations continue to adopt whistleblower programs, many find themselves struggling to manage burgeoning caseloads. As a result, serious internal fraud investigations can be delayed (with mounting losses) while less consequential complaints are being investigated. The lack of a timely, systematic and repeatable process for evaluating and prioritizing whistleblower tips, which can also expose an organization to increased regulatory risk. While there is no single, “right” method for following up on whistleblower complaints, this session discusses Why Investigating allegations or tips are important, why timeliness matters, investigation challenges, and provides the participant with a sample approach.

Skepticism: A Primary Weapon in the Fight Against Fraud

What happens when we don’t ask why? Professional skepticism occurs when those responsible for fighting fraud take nothing for granted, continuously question what they hear and see and critically assess all evidence and statements. This session we discuss the role of independent reviewer or inspector, particularly of your own assumptions, whether you are placing undue weight on prior risk assessments or discounting evidence inconsistent with your expectations, and pressures placed on you to truncate procedures or make unwarranted assumptions to beat time constraints.

Root Cause Analysis 

The regulators are expecting more today and want to know that your remediation efforts are not treating the symptoms), but rather the root cause(s).

Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. This analysis is a key element of a fraud risk management program and is now a best practice or hallmark of an organizations compliance program. When able to determine why an event or failure occurred, it is then possible to recommend workable corrective measures that deter future fraud events of the type observed. It is important that those conducting the root cause analysis are thinking critically by asking the right questions (sometimes probing), applying the proper level of skepticism, and when appropriate examining the information (evidence) from multiple perspectives.

This program is designed to introduce the common methods used for conducting root cause analysis and to develop an understanding of how to identify root causes (not just causal factors) using proven techniques. In addition, we will demonstrate how to initiate a root cause analysis incident exercise and work with senior management, legal, compliance, and internal audit on an appropriate resolution. We also introduce the “spheres” acting around the “meta model of fraud” and how to use those “spheres” in the root cause process. Finally, this program will present the “three lines of defense”, which provides the audit committee and senior management with a better understanding where the break downs occurred.

Posted on

Jonathan T. Marks, Baker Tilly Partner, is Speaking Today at the First Chair Event in Chicago on Triaging Whistleblower Allegations

frm

As the use of whistleblower programs continues to grow, many organizations find themselves struggling to manage burgeoning caseloads. As a result, serious fraud investigations can be delayed (with mounting losses) while less consequential complaints are being investigated. The lack of a timely, systematic and repeatable process for evaluating and prioritizing whistleblower tips that contain allegations of ethical breaches can also expose an organization to increased regulatory risk. While there is no single, “right” method for following up on whistleblower complaints, the most effective approaches often resemble the medical triage programs that hospitals and first responders use to allocate limited resources during emergencies, or a crisis situation. Here are some useful guidelines for designing and implementing a fraud triage system.

The Growing Use of Whistleblower Programs

Despite extensive fraud detection measures, closer management scrutiny, and increasingly sophisticated technology, the most common fraud detection method is still the simplest: somebody notices something suspicious and decides to speak up. According to the Association of Certified Fraud Examiners’ (ACFE) 2018 Report to the Nations on Occupational Fraud and Abuse, 40.0% of the cases reported in their study were uncovered as the result of tips (usually from an employee, supplier, or customer) —more than internal audit 15% and management review 13% combined. The ACFE study also demonstrates that dedicated reporting hotlines are particularly effective. In organizations where such hotlines were in place, 46.0 % of the cases reported were uncovered through tips, compared with only 30.0% percent of the cases in organizations without hotlines. These results are consistent with patterns that have been recorded in the ACFE’s biennial survey since its inception 20 years ago. On a broader scale, as a matter of best practice, the COSO Internal Control–Integrated Framework, along with various other enterprise risk management (ERM) frameworks and guidance from Institute of Internal Auditors (IIA), also emphasize the importance of establishing and maintaining effective whistleblower programs.

In addition to their demonstrated effectiveness, whistleblower programs have also been promoted through recent regulatory actions. For example, one section of the Dodd-Frank Wall Street Reform and Consumer Protection Act directs the Securities and Exchange Commission to make monetary awards to individuals who voluntarily provide information leading to successful enforcement actions that result in monetary sanctions over $1 million. A few years earlier, the Sarbanes-Oxley Act of 2002 required the audit committees of publicly traded companies to establish procedures to enable employees to submit confidential, anonymous information regarding fraudulent financial reporting activities. Dodd-Frank and Sarbanes-Oxley are only two examples out of a broad range of laws that encourage – and often mandate – whistleblower programs. A 2013 study by the Congressional Research Service found no fewer than 40 federal whistleblower and anti-retaliation laws, designed to protect employees who report misconduct. Eleven of those 40 laws were enacted after 1999. On February 21, 2018, the U.S. Supreme Court issued an opinion in Digital Realty Trust, Inc. v. Somers, a long-anticipated case that clarifies who is protected as a “whistleblower” under the Dodd-Frank Act’s anti-retaliation provisions. It states that to qualify as a “whistleblower” under Dodd-Frank, individuals now have a clear incentive to report all sorts of observations to the SEC before reporting those observations through their company’s internal reporting infrastructure. Now under Dodd-Frank an individual is only protected from retaliation if he or she has reported a potential violations to the SEC before he or she separates from the company. Such laws not only make whistleblower programs more common, they also make the timely resolution of tips even more critical, as we are about to explain.

There is momentum today to correct Dodd-Frank.

On July 9, 2019, the U.S. House of Representatives passed H.R. 2515, also known as the Whistleblower Protection Reform Act of 2019 (“WPRA”). The WPRA is designed to address a gap in the whistleblower protections afforded under the Dodd-Frank Consumer Protection and Wall Street Reform Act of 2010 (“Dodd-Frank”), as interpreted by the Supreme Court in Digital Realty Tr., Inc. v. Somers, 138 S. Ct. 767 (2018). Specifically, the Supreme Court in Digital Realty Trust ruled that the anti-retaliation provision of Dodd-Frank does not extend to protect employees who only make reports concerning violations of securities laws internally, as opposed to individuals who made a report to the U.S. Securities and Exchange Commission (“SEC”). The WPRA is designed to amend Dodd-Frank to ensure the statute’s protections extend to individuals who make internal reports of securities violations.

Responding to Tips – Why Timeliness Matters Dodd-Frank, Sarbanes-Oxley, and the various regulatory structures that were established to implement them are helping to mold a corporate environment where undervalued and underappreciated compliance professionals and in-house counsel are incentivized to “blow the whistle.” Such incentives can be helpful in creating a self-regulating environment, but they also make it essential that corporations establish a timely and effective process for remediating complaints. For example, to carry out its mandate under Dodd-Frank, the SEC established a separate Office of the Whistleblower, which has paid out more than $160 million to 46 whistleblowers in connection with 37 covered actions, as well as in connection with several related actions since it was founded in 2011. Three of the ten largest whistleblower awards were made by the SEC during FY 2017.

Under this program, there are exceptions if at least 120 days have passed either since the auditor (excluding external auditors who obtained the information during the audit of an issuer) or accountant properly disclosed the information internally (to their supervisor or to another person in the organization who is responsible for remedying the violation (i.e., the audit committee, chief legal officer, chief compliance officer, or their equivalents), or since they obtained the information under circumstances indicating that the entity’s officers already knew of the information. Then they can report the lapse directly to the SEC and be eligible for a sizable whistleblower award – from 10 percent to 30 percent of any fines or sanctions that are collected. The program’s website prominently features headlines such as “SEC Issues $17 Million Whistleblower Award” and “SEC Awards More Than $5 Million to Whistleblower,” to cite only two of many recent examples.Since the program’s inception, the SEC has ordered wrongdoers in enforcement matters involving whistleblower information to pay over $975 million in total monetary sanctions, including more than $671 million in disgorgement of ill-gotten gains and interest, the majority of which has been, or is scheduled to be, returned to harmed investors .With incentives like that, it should be no surprise that whistleblower complaints are on the rise. Yet in most cases, such awards would not have been available if the companies involved had resolved the initial fraud complaints within 120 days.Unfortunately, our experience indicates that, while many companies invest in tips hotlines and similar whistleblower programs, a large portion of them fail to invest adequately in an allegation review process for promptly evaluating, prioritizing, and responding to the whistleblowers’ tips in a systematic, repeatable, and defensible manner. As the number of tips grows and investigators’ caseloads expand, complaints end up sitting in a queue waiting to be investigated, while the company remains vulnerable to the risks the tipsters were warning about, and the SEC timeline is running.

A 2018 study of customers of the compliance software company NAVEX Global found that case closure times have blipped to 44 days and has dropped to 40 days according to their 2019 study. This metric is important given that, under certain agency whistleblower provisions, an organization will have limited time to complete an internal investigation.

Moreover, when the various categories of fraud are compared, cases involving suspected accounting, auditing, and financial reporting fraud took the longest to resolve by far – 55 days! In other words, the average case closure time for cases of suspected financial fraud was almost halfway to the 120-day deadline – the point at which employees are incentivized to report the case directly to the SEC and expose the company to additional, sizable sanctions.

Hidden and Direct Costs of Delayed Response Even setting aside potential SEC sanctions, delays in investigating whistleblower tips are costly in other ways. Delayed responses to tips can cause employees and other potential sources to lose confidence in the hotline or other whistleblower program, undermining the effectiveness of the the compliance and ethics program and adding further complexity to the risk management effort. Most companies expend considerable time, effort, and resources in creating compliance and ethics programs. Failing to establish a system for dealing with allegations or tips in a timely manner can mean those expenditures are probably wasted. There are also direct costs associated with delays in handling tips. The losses resulting from a fraud scheme are directly related to how long the scheme goes on. The ACFE’s 2018 Report to the Nations found that the median losses for frauds that were uncovered in six months or less was $30,000. But at the other end of the scale, schemes lasting more than five years caused a median loss of $715,000. Simply put, the longer perpetrators are able to continue, the more financial harm they are able to cause. Clearly, the absence of an effective program for handling whistleblower complaints promptly and effectively can have a significant and direct financial impact – in addition to the regulatory, employee relations, and reputational risks such a shortcoming entails.

A Triage Approach While there is no single, one-size-fits-all method for following up on whistleblower complaints, the most effective approaches are similar in many ways to medical triage programs, such as those implemented by hospitals and first responders during emergencies to help medical professionals prioritize the treatment of patients. In medical triage, those with serious, life-threatening injuries are treated ahead of those whose conditions are less severe. In the same way, a fraud triage program helps risk, audit, and fraud professionals prioritize the investigation of tips and whistleblower complaints. Those that indicate serious, material risks are addressed differently and more aggressively than those that reflect mere misunderstandings, minor errors, personal grievances, or false tips, all of which could tie up investigators unnecessarily. Under a fraud triage program, the same principles apply. Hotline tips or complaints that do not indicate fraudulent behavior can be delegated to human resources, IT, or other line or support functions that are capable of handling them more efficiently. Meanwhile, complaints that involve suspected fraud, but which are less significant in terms of financial losses, control failures or other risks, may be set aside temporarily while larger, more material cases receive immediate attention.

Proper Staging of the Allegation – the Critical First Step A swift and thorough triage process leads directly to a more appropriate and timely response. The specifics of that response will vary, of course depending on the nature and severity of the case, but the fundamental elements of the treatment include forming the right team to investigate, understanding root causes, and providing timely disclosure to all constituencies. Before such a response can be planned and executed, however, the tip or allegation must be evaluated or “staged” based on a consistent set of criteria. Navigant’s fraud governance framework identifies five such stages:

Stage 1 Stage1 allegations have a low threat level and do not suggest a breakdown of internal controls. Tips that get grouped into this stage do not have a financial or reputational impact. These may include employee-to-employee disputes, isolated cases of small-scale employee theft, and the normal policy complaints, misunderstandings, and personal disagreements that are often raised through a whistleblower program. In most cases, these complaints are best handled by human resources or management personnel.

Note: Human Resources and management should be trained on proper investigation protocols, including the escalation process. A basic level of review should be performed and documented to corroborate that no further investigation is warranted. This review and documentation could be performed by a branch or office manager. For an employee who is the target of such a complaint, management should consider placing such employee on a temporary legal hold which triggers the retention of email and other documents until the risk of retaliatory litigation has passed.

Stage 2 These allegations are more serious in nature, and often indicate some deficiency in the design of internal controls. Examples include business rule violations such as recurring employee theft or patterns of falsifying expense reports. If the allegation is substantiated, then the result of the remediation process is a change to a business process or business rule, followed by an enhancement of the company’s preventive or detective internal controls. Because they indicate a deficiency in internal controls, such allegations are escalated to the internal audit function in order to obtain a deeper understanding of the control environment. Internal audit should evaluate what controls are currently in place, and determine where the breakdown in internal controls occurred. It is also important to assess if the allegations are signs of a bigger problem or if they could have an impact on financial reporting. If financial reporting is affected, sensitivity testing must be performed to calculate the low case, medium case, and worst case financial impact. Internal audit’s review also might identify multiple violations. Again, the employees affected should be put into a legal hold which triggers the retention of email and other documents until the risk of litigation passes. In some cases, employee termination may be warranted.

Stage 3 These allegations are serious in nature, generally involve an override of internal controls, and thus are at a minimum a serious deficiency. But they have only a minimal impact on the financial statements or the company’s reputation. More serious allegations in this category include fraud, embezzlement, and bribery involving employees or mid-level management. Such cases require the same level of investigation as Stage 2 cases, along with an internal investigation that usually is conducted under the direction of the general counsel, involving compliance and internal audit as well. In some instances, the investigation might need to be performed independently by a function or person who is not directly involved in the control environment.

Stage 4 These are serious allegations that could have an impact on the completeness and accuracy of the audited financial statements, and that could indicate a material weakness in internal controls. They do not, however, appear to involve any member of the senior management team. Such cases are generally addressed through an internal investigation, usually under the direction of outside counsel operating under privilege. The investigation often involves the use of independent, outside experts as well.

Stage 5 These are serious allegations that involve one or more members of the senior management team, or are serious enough to damage the company’s reputation. The receipt of allegations in this stage usually place the company into crisis management mode, and could result in the restatement of audited financial statements or added regulatory scrutiny. In such instances, the board generally should engage outside counsel and forensic investigation experts to initiate a privileged and confidential fact-based investigation. The external auditors may also be involved and a disclosure to the SEC may be required. It’s important to note that, in both Stage 4 and Stage 5, engaging outside experts is generally necessary. Other critical elements of the Stage 4 and Stage 5 responses include having a qualified and experienced investigation team, along with a time-phased work plan that is minimizes disruptions to the organization’s day-to-day business as much as possible. The investigators will begin with fact-finding interviews to help them evaluate who else to interview and when. The investigators will also help the company identify a list of custodians who will be interviewed to understand where their data was being saved (for example, on email servers, mobile phones or other devices, flash drives, cloud servers, and network folders). Generally, a large-scale data collection effort will then ensue in order to search and preserve all potentially relevant information. The goal is to determine who knew what and when, and how high up the chain the knowledge went. The investigation will also assess if the audited financial statements be relied upon, so that counsel and board members can determine what disclosure requirements might apply. In addition, where internal control issues are noted, outside counsel can also recommend and assist in recommending new or enhanced policies, procedures, and controls.

Ownership, Responsibility and Follow-Up Obviously, the triage staging system described here is not the only plausible methodology an organization can use for evaluating allegations of wrongdoing and planning appropriate responses. Other thought leaders in the field have proposed evaluating tips according to various other criteria such as the severity of the allegation, the specificity of the information it contains, and similar factors. Ultimately, whatever triage process and framework is chosen it will need to be customized to reflect the company’s particular situation and its particular industry. In many instances, boards may choose to combine elements from several approaches.

Regardless of the specific criteria upon which the system is based, the importance of maintaining written policies and procedures cannot be overstated. Moreover, but in all cases it is important in all cases that the responsibility for developing, implementing, and maintaining the triage response system be clearly defined. The assignment of this responsibility will vary as well, depending on the size and nature of the organization, its governance structure, the volume of whistleblower complaints and other factors. It could fall to internal audit, the corporate general counsel, a board committee, a designee of the CFO, or some other person or group – but in all cases it’s essential to have a designated individual or business function that is responsible for initially capturing complaints and performing the triage o the allegation(s). Once the framework is set and data is being collected, it’s also important to step back and periodically assess what the data is saying. For example, if the complaint hotline is bombarded with a high frequency of inconsequential complaints related to minor personnel disputes uniform violations or employees complaining about having to work a holiday, then it may be time to provide additional training on how the complaint hotline is to be used. An increase in sexual harassment complaints or complaints related to substandard working conditions could be provide an early warning of a potential leading indicator for a class action lawsuit. Similarly, an increasing number reports of low dollar employee theft are usually signs of a larger cultural problem. Evaluating the data and trends captured in your complaint system can help you make decisions that could prevent the next “big event.” In that sense, an effective, well-designed, and consistently executed fraud triage effort can pay even bigger dividends that go beyond the direct benefit of helping you evaluate and prioritize tips and complaints more efficiently.

Lastly, as facts come to light, there might be a need to escalate the allegation. If an investigation starts with human resources or internal audit, they should be trained on what to do if the matter intensifies!

escalation process.jpg

Matters that generally require escalation include, but are not limited to:

  • Violation of law – antitrust and competition, anti-bribery and corruption, employment discrimination and harassment, fraud against third parties by employees
  • Accounting, books and records – public financial reporting, internal financial reporting and disclosure, insider trading, SOx, Dodd-Frank
  • Environmental, healthy, safety
  • Any employee theft, misappropriation, or fraud against the organization in excess of $$$$$$$ 
  • Code of Conduct Violations of the Executive Leadership team
  • Misconduct by Legal, Ethics and Compliance employees – failing to investigate or stopping an investigation
  • Third party frauds against, or thefts from, the organization

Care should be taken and consultation with legal counsel and compliance is wise move, unless they are or appear to be involved, then go directly to the Board of Directors

Board members, I would seek to understand the escalation process and I would review the allegation log to ensure investigations are being done timely, you are being briefed on all serious matters, proper discipline has been applied, and  internal controls are installed or enhanced to try to prevent and detect possible future bad or “carryover” behavior! 

I welcome your comments and suggestions.

Jonathan T. Marks

Attribution:

  • Buckley
  • NAVEX
  • ACFE
  • SEC

 

This material is protected by Copyright Laws and may not be reproduced in any form without my express written permission.

Posted on 1 Comment

New DOJ Guidance Addresses ‘Effectiveness’ of Compliance Programs

Background

The DOJ issued New April 2019 Guidance  (“Guidance”, or “2019 Guidance”) detailing how prosecutors will evaluate the effectiveness of corporate programs to prevent fraud and other misconduct, a key consideration in determining the penalties imposed against companies.  This is an update from the On February 8, 2017, the DOJ published Guidance entitled, “Evaluation of Corporate Compliance Programs”.

Brian Benczkowski, the head of the Justice Department’s criminal division, said the revised guidance is intended to aid not only prosecutors but also companies, giving them deeper insight into what the government will demand of compliance programs.

The 2019 Guidance contains 12 high-level topics (below) that are grouped to track the Three Core Questions about compliance program effectiveness contained in Section 9-28.800 of the Justice Manual and candidly are the key questions the board of directors should be asking.  After all it’s expected the organization’s “governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight” of it (See U.S.S.G. § 8B2.1(b)(2)(A)-(C)).

core image

Three Core Questions

  1. Is the Corporation’s Compliance Program Well Designed?
  2. Is the Corporation’s Compliance Program Being Implemented Effectively?
  3. Does the Corporation’s Compliance Program Work in Practice?

“Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process,” according to the Guidance. “As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant federal laws that is accessible and applicable to all company employees.”

Prosecutors, according to the guidance, “should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations.”

looking down.jpg

The High-level Topics

  1. Risk Assessment
  2. Policies and Procedures
  3. Training and Communications
  4. Confidential Reporting Structure and Investigation Process
  5. Third Party Management
  6. Mergers and Acquisitions (M&A)
  7. Commitment by Senior and Middle Management
  8. Autonomy and Resources
  9. Incentives and Disciplinary Measures
  10. Continuous Improvement, Periodic Testing, and Review
  11. Investigation of Misconduct
  12. Analysis and Remediation of Any Underlying Misconduct

The 2019 Guidance has a twelfth topic because it split the 2017 Guidance’ topic of “Confidential Reporting and Investigation” into two separate sections—”Confidential Reporting Structure and Investigation Process” (4)  and “Investigation of Misconduct (11).”

Under each of the above topics, the 2019 Guidance sets forth multiple sample questions that prosecutors are likely to ask during an investigation. A few examples are:

  • Risk Assessment: Risk Management ProcessWhat methodology has the company used to identify, analyze, and address the particular risks it faced?
  • Training and Communications: Risk Based Training What training have employees in relevant control functions received?
    • Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred?
  • Confidential Reporting Structure and Investigation Process: Effectiveness of the Reporting MechanismDoes the company have an anonymous reporting mechanism, and, if not, why not?
    • How is the reporting mechanism publicized to the company’s employees?
    • Has it been used?
    • How has the company assessed the seriousness of the allegations it received
    • Has the compliance function had full access to reporting and investigative information?
  • Mergers and Acquisitions (M&A): Process Connecting Due Diligence to Implementation What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process
    • What has been the company’s process for implementing compliance policies and procedures at new entities?
  • Commitment by Senior and Middle Management: Conduct at the Top How have senior leaders, through their words and actions, encouraged or discouraged compliance, including the type of misconduct involved in the investigation?
    • What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts?
    • How have they modelled proper behavior to subordinates?
    • Have managers tolerated greater compliance risks in pursuit of new business or greater revenues?
    • Have managers encouraged employees to act unethically to achieve a business objective, or impeded compliance personnel from effectively implementing their duties?
  • Continuous Improvement, Periodic Testing, and Review: Internal AuditWhat is the process for determining where and how frequently internal audit will undertake an audit, and what is the rationale behind that process?
    • How are audits carried out?
    • What types of audits would have identified issues relevant to the misconduct
    • Did those audits occur and what were the findings?
    • What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis?
    • How have management and the board followed up?
    • How often does internal audit conduct assessments in high-risk areas?
  • Continuous Improvement, Periodic Testing, and Review: Properly Scoped Investigation by Qualified PersonnelHow has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented?

Some Other Points of Focus

  • Compliance must adopt a risk-based approach (See Closing Thoughts below).
  • Compliance must have appropriate processes for the submission of complaints, and processes to protect whistleblowers.
  • The word “resource” appears twenty one (21) times in the Guidance, so I am certain that if your organization is not properly resourced that will more likely than not be a problem.
  • Compliance must have independent access to the Board and Audit Committee.
  • Compliance needs to be integrated with other functions like internal audit, and depending on structure, the legal function. See discussion on whether the compliance should be a separate function!
  • Compliance must adopt strong third-party controls.
  • Root cause was mentioned nine (9) times in the Guidance! Treating symptoms and the not the root cause could at some point result in recidivism, which will more likely than not be problematic!

Closing Thoughts

The 2019 Guidance seeks to understand how the organization approaches compliance and then what worked and what didn’t.  So, one might consider reading both the old and new Guidance to understand how the evaluation of an organization’s compliance programs has changed.

If you are going to have your organization’s compliance program evaluated and you should!

Why? Prosecutors must evaluate if the organization has engaged in meaningful efforts to review its compliance program and ensure that it is not stale.

Then you might want to first make sure your risk profile is up to date as well as your fraud or misconduct risk assessment!  Why?  The section within the Guidance on “Risk Assessment” was moved to be first of the 12 topics addressed in the 2019 Updated Guidance (Note: It was the fifth topic addressed in the 2017 Evaluation Guidance) and just maybe the DOJ is sending a subliminal message here, which some of us have already picked up and that is the risk assessment drives the compliance program!

By the way if you’re already a client don’t worry. We have been doing all of this for some time and this is not a best practice guide!  This doesn’t mean the writing should be ignored, I use it as a tool to help me think through compliance programs strategically and evaluate risk.  Boards and senior management should use the guidance for the same.

I welcome your comments.

Best!

img_7798-2

Jonathan T. Marks, CPA, CFE

Attribution
DOJ

 

Posted on

Baker Tilly’s 2019 Effective Governance and Compliance Roundtable Series – May 1, 2019 – CPE Event in Philadelphia -Using Continuous Auditing and Monitoring in the Fight Against Fraud

Register here! See below for details!

On May 1st, join Baker Tilly for our next topic: Using Continuous Auditing and Monitoring in the Fight Against Fraud with our discussion leader, Robert Mainardi.

Organizations are under increasing scrutiny regarding ethical lapses and allegations of fraud. Fiscal year 2018 was a record-breaking year for the U.S. Securities and Exchange Commission’s whistleblower program, as more and more individuals have been coming forward with allegations of impropriety.

It is critical for organizations to have processes in place to triage an allegation, investigate, remediate, evaluate and then enhance their governance, risk management, compliance and internal audit programs. Failure to conduct an appropriate investigation may lead to significant exposure and disruption to the organization.

Event information

Wednesday, May 1

Baker Tilly Philadelphia Office

1650 Market St., Suite 4500

Register here!

Agenda

Registration/Breakfast: 8 – 9 a.m.

Program: 9 – 11 a.m.

Who should attend?

Chief audit executives, chief risk officers, general counsel, chief legal officers, controllers, CFOs, COOs, CEOs, board members, VPs of audit, internal auditors, compliance practitioners, anti-fraud specialists.k

Discussion Leader – Robert Mainardi, CIA, CRMA, CFSA – Author of “Harnessing the Power of Continuous Auditing: Developing and Implementing a Practical Methodology”, will be presenting at Baker Tilly’s Philadelphia Office on May 1, 2019.

Host and ModeratorJonathan T. Marks, Partner

With the focus on internal controls and monitoring today many are being scrutinized and judged by regulators and others whenever results are presented. Regulators have used the failure to institute appropriate internal controls alone as the basis of the enforcement actions.

One of the significant challenges facing internal audit, compliance, enterprise risk management teams, and management is being able to understand what continuous auditing and continuous monitoring is and how the approach can be used effectively to mitigate risk, including fraud.

This two-hour session will explore what an internal control is and the best practices for using both continuous auditing and continuous monitoring, which are different, and how to transcend that knowledge in the fight against fraud. Specifically, we will provide an executive overview of the differences, keys to the methodologies, and practical guidance on how to operationalize both.

We will also facilitate a discussion around the obstacles attendees may be facing and provide suggested solutions on how to overcome those challenges. Your investment in this session will help ensure you’re developing proper methodologies that will save numerous hours of potential rework, stand scrutiny, and possibly improve the overall governance, risk management, and compliance processes.

Information about CPE eligibility

There are no prerequisites for this seminar, and advance preparation is not required. There is no cost to attend this seminar.

CPE credit: Two (2) hours total credit

Field of study: Regulatory Ethics

CPE host: Kendra Bergin

A certificate of completion will be emailed to you four to six weeks following the event.

For more information regarding administrative policies such as complaint and refund policies, please contact Heather Eggers at 608 240 2522.

NASBA

Baker Tilly Virchow Krause, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: learningmarket.org.

Posted on 1 Comment

Combating Fraud Through Effective Internal Controls

“Fraud is not an accounting problem; it is a social phenomenon.” Joe Wells

Who Commits Fraud

The cultural and environmental characteristics that increase fraud risk are not always so blatant.  Research shows that anyone can commit fraud. Fraud perpetrators usually can’t be distinguished from other people on the basis of demographic or psychological characteristics. According to Jonathan T. Marks (“Marks”), a partner at Baker Tilly, practicing in the global forensic investigation and governance space, “most fraudsters have profiles that look like those of other honest people; however, fraudsters play you against humanity and build a false wall of integrity around themselves with the hope that your level of skepticism is reduced enough to be manipulated and fooled.”

Among the various kinds of fraud that organizations might be faced with, occupational fraud is likely the largest and most prevalent threat today, with bribery and corruption enforcement actions that allege violations of the Foreign Corrupt Practices Act (“FCPA”) causing organizations of all types and sizes to rethink their approach to governance, risk management, compliance, internal audit, and the design of their internal controls. The regulators have sent a clear message that simply maintaining a compliance program is not enough. Compliance programs and internal controls must be adequate and effective at preventing and detecting fraud.  Moreover, recent enforcement actions highlight the importance to organizations that internal controls must be continuously monitored to ensure they are effective.  Although there is little case law, these enforcement actions have become non-binding guidance in cases that do not involve FCPA violations.

Although most companies will not readily admit that their organizations may be vulnerable to fraud, according to the 2018 Report to the Nations published by the Association of Certified Fraud Examiners (“ACFE”), which contains an analysis of 2,690 cases of occupational fraud that were investigated between January 2016 and October 2017, organizations lose 5% of their annual revenues to fraud. While this number is only a general estimate based on the opinion, it represents the collective observations of more than 2,000 anti-fraud experts who together have investigated hundreds of thousands of fraud cases. Based on the ACFE’s study, the median loss caused by frauds was $130,000, with 22.0% of the cases resulting in losses of at least $1 million.

Because fraud inherently involves deception, deflection, distraction, and concealment, many frauds will never be detected. Therefore, organizations are encouraged to implement certain anti-fraud internal controls, in order to help minimize the opportunities to commit fraud, or at least catch any fraudulent activity sooner.

In practice, it’s been our experience that most professionals don’t really understand the definition of an internal control. Marks recently developed a definition (see below) that has become what is believed to be today’s standard that should be reviewed along with the enemies of internal controls and other factors when designing an internal control. Marks emphasizes that internal controls are a process. They do something!  When it comes to designing anti-fraud internal controls to detect and deter fraudulent activity, those individuals assigned to this task must have the necessary skills and experience.

A good system of internal controls, with the right balance of preventive, deterrent, and detective controls, can greatly reduce an organization’s vulnerability to fraud.

Preventive controls are those manual or automated processes designed to stop fraudulent activity from occurring. Deterrent controls are designed to proactively identify and remove the causal and enabling factors of fraud. Detective controls can also be manual or automated but are designed to identify an undesirable event that has already occurred. No system of internal controls can fully eliminate the risk of fraud, but well-designed and effective internal controls can deter the average fraudster by reducing the opportunity to commit the fraud and increasing the perception of detection.

enemies of control.png

While the Fraud Pentagon, which is an enhancement to the three elements of fraud, identifies the conditions under which fraud may occur, the Triangle of Fraud Action describes the activities an individual must perform to perpetrate the fraud. Thus, understanding the Enhanced Meta-Model of Fraud (Model) is imperative.  The model includes two key elements: The Perpetrator, or the “why based” Fraud Pentagon and the alleged Crime or the “what based” Triangle of Fraud Action that includes the act, concealment strategy, and conversion tactics, should be part of the process when considering what internal controls to implement and how they should be designed.

Advanced Meta Model of Fraud Marks

Based on the ACFE’s study, occupational fraud schemes are typically classified into three categories:

  • Asset misappropriation (theft of cash, data, property, etc.);
  • Corruption (bribes, kickbacks bid-rigging, economic extortion, illegal gratuities, etc.); and
  • Financial statement fraud schemes (deliberate misstatement, misrepresentation, omission of financial statement data, etc.).

When assessing an organization’s fraud risks and designing anti-fraud controls, it is important to remember that fraudsters typically seize whatever opportunity arises when committing their schemes. Thus, many frauds, including nearly one-third of the cases involve more than one form of occupational fraud. For example: Corruption represents one of the most significant fraud risks for many organizations today and would obviously involve corruption and because in most cases would need to be concealed, the books and records or financial statements could be impacted too. In fact, of the top eight concealment methods (create, alter, and destroy) noted, fraudulent journal entries made the list.

three-fraud-trees-3567769231-1546959364746.jpg

Historically, although theft of assets has produced the lowest average losses, these schemes have accounted for the vast majority of reported fraud activity. Within this category, there are various techniques which an employee may utilize to steal company assets and resources, including theft of cash receipts and fraudulent disbursements of cash such as through billing schemes, fictitious vendors, fraudulent expense reimbursements, or check tampering. Understanding and analyzing each of these categories is a critical first step in designing an effective control environment throughout the organization which may aid in preventing and detecting fraudulent activity.

Based on the ACFE’s study, victim organizations that had implemented certain common anti-fraud controls such as the following experienced considerably lower losses than organizations lacking these controls, and some reduced the fraud duration.  Here are some anti-fraud controls to strongly consider:

  • Conduct a Formal Enterprise-Wide Fraud Risk Assessment aimed at proactively identifying and addressing an organization’s vulnerabilities to both internal and external fraud. As every organization is different, the fraud risk assessment process is often more an art than a science. What gets evaluated and how it gets assessed should be tailored to the organization—there is no one-size-fits-all approach. Additionally, organizational fraud risks continually change. It is therefore important to think about a fraud risk assessment as an ongoing, continuous process rather than just an activity. A fraud risk assessment starts with an identification and prioritization of fraud risks that exist in the business. The process evolves as the results of that identification and prioritization begin to drive education, communication, organizational alignment, and action around effectively managing fraud risk and identifying new fraud risks as they emerge. The fraud risk assessment should be reviewed periodically, but no less than annually and there should be a heightened focus on the scenarios where management could override of internal controls.
  • Implementation of an independent Whistleblower or Ethics hotline and web portal whereby internal and external sources (see graphic below) may anonymously and confidentially report fraudulent, suspicious, or other behavior. Historically, the receipt of internal or external tips has represented the most common detection method for each of the three categories of fraud schemes listed herein. Proper and on-going training along with clearly articulated policies and procedures related to the hotline should be supported by management. Implementation of a whistleblower hotline, especially when accompanied with an anti-retaliation policy and/or reward program, will effectively improve an organization’s overall control environment through increasing the perception of detection. Lastly, a hotline is not enough. Organizations need to have a process that appropriately captures, triages, assesses, investigates, and reports potential misconduct.

sources-of-fraud.png

  • Segregation of duties involving the custody of assets, authorization of transactions affecting those assets and recording/reporting of related transactions. Segregation of duties is a basic building block of sustainable risk management and internal controls for an organization. The underlying theory of separation of duties is that a single employee should not be in a position to both perpetrate and then conceal errors or fraud in the normal course of their duties. For example, the Institute of Internal Auditors[ii] suggests there needs to be an adequate division of responsibilities among those who perform accounting procedures or control activities (authorization/recording) and those who handle the assets (custody). In general, the flow of internal processes should be designed in such a manner that one individual’s roles and responsibilities serve, in part, as a check and balance of another individual’s work. Such a system would serve to reduce the risk of undetected errors and limit opportunities to misappropriate assets or conceal intentional misstatements in the financial statements.
  • Timely reconciliation of bank accounts and management review of the reconciliations (bank reconciliations, petty cash, etc.) and bank statements. Bank reconciliations provide insight into the differences between an organization’s cash balance per the balance sheet and per the bank statement, while also proving the completeness and accuracy of the data recorded in the organization’s cash ledger. Depending on the size of the organization and the volume of cash transactions, bank reconciliations may be performed anywhere from a daily to monthly basis. Adequate segregation of duties should also be implemented in the bank reconciliation process, in that the cash bookkeeping, bank reconciliation, and check signer/wire authorization functions should be separated.
  • Review and authorization of expense reimbursements by supervisors and management in a timely fashion.  Some expense reimbursement schemes include: mischaracterized expenses, overstated expenses, fictitious expense, and multiple reimbursements and last for approximately twenty-four months before being detected.  The ACFE’s study states that a significant portion of asset misappropriation schemes involve situations in which an employee makes a claim for reimbursement of fictitious or inflated business expenses. Management should first ensure all policies and procedures, including those related to expense and travel reimbursements, are communicated to all employees, along with timely notifications of any relevant updates. Furthermore, expense reports submitted by employees, including any underlying support, such as credit card bills, receipts, telephone bills, etc., should be reviewed and signed-off by the employee’s immediate supervisor and the organization’s payroll department. Expense reports submitted by members of management should be reviewed by other members of management.
  • Safeguarding and reconciliation of petty cash funds on a periodic basis by authorized employees.  Although petty cash funds typically represent an insignificant amount of cash held by an organization, primarily used for small day-to-day expenses, petty cash improprieties may be a signal of broader issues regarding management’s approach to internal controls and the organization’s control environment. To help strengthen the processes surrounding petty cash, sequentially numbered vouchers should be kept as well as disbursement receipts with the disbursement date, amount, purpose, and employee name. Further, the petty cash custodian should maintain a reconciliation of the petty cash fund, reconciling total cash on hand plus outstanding receipts to the total petty cash maximum. Access to the petty cash fund should also be limited to a small number of employees, with the funds kept in a locked box.  Lastly, to test compliance with organizational policies and further increase the perception of detection, management may order an independent audit of the petty cash fund on a periodic basis.
  • Proactive Monitoring Using Data-Driven Fraud Detection and Technology, including robotic process automation, can be an effective way to identify “red flags” and other anomalies that were once difficult to detect. Today we are able to link together different legacy systems with minimal disruption and create dashboards that could provide management with the “visual guilt” necessary to investigate into the most promising indicators. According to the ACFE study, the use of proactive data monitoring and analysis and surprise audits was associated with a more than 50% reduction in fraud losses.

Closing

Today’s environment requires the board and management to maintain a proactive approach to identifying vulnerabilities unique to their organization and implement properly designed or sound internal controls to help prevent, deter, and detect fraudulent activities. Demonstrating a genuine interest and concern in the implementation of sound internal controls will aid management in minimizing future potential losses or worse reputational harm.

For more information on fraud, internal controls, risk assessments, investigations, or something other, kindly reach out to me directly.

Best!
img_7798-2

 

 

Jonathan T. Marks, CPA, CFE

 

 

Attribution:
ACFE 2018 Report to the Nations
Albrecht, W. Steve. Fraud Examination, 4th Edition. Cengage Learning.
Marks, Jonathan T., Fraud Pentagon and Enhancement to the Three Elements of Fraud https://boardandfraud.com/2018/09/21/the-fraud-pentagon-an-enhancement-to-the-fraud-triangle/
Getty Images
The Institute of Internal Auditors.  Simplifying Segregation of Duties.  2009.
A meta-model of fraud and white-collar crime (adapted from The Evolution of Fraud Theory, by Jack Dominey, A. Scott Fleming, Mary-Jo Kranacher and Richard A. Riley Jr., “Issues in Accounting Education,” Volume 27, Issue 2, May 2012.
Wells, Joseph T. Principles of Fraud Examination, 4th Edition. Wiley.
Posted on

2019 IIA Philadelphia Fraud Symposium – Update

The IIA Philadlephia is proud to announce the addition of Chelsea Binns, PhD, Assistant Professor at John Jay College of Criminal Justice, to its line up of presenters at the 2019 Fraud Symposium on March 22, 2019, at Exelon’s Energy Hall.

Chelsea plans on speaking about her book “Fraud Hotlines – Design, Performance, and Assessment”.

We will continue to update you as we fill out the day. Keep alert for registration information coming soon.

Thank you-

Jonathan Marks, Moderator

BIOGRAPHY

Chelsea Binns is an Assistant Professor in the Department of Security, Fire and Emergency Management at John Jay College of Criminal Justice. Her first book, Fraud Hotlines: Design, Performance & Assessment, was published by Taylor & Francis/CRC Press in 2017. She is a licensed Private Investigator and Certified Fraud Examiner, and is president of the New York Chapter of the Association of Certified Fraud Examiners. She is the recipient of several teaching and employee recognition awards. Her research interests are focused on corporate security matters, including background checks, corporate crime, cybercrime, investigations, and organizational fraud. She has been studying fraud hotlines since 2007. She has extensive corporate security, management and investigative experience, having worked for prestigious organizations such as Citibank, Morgan Stanley, New York City’s Department of Investigation (DOI) and the New York State Office of the Attorney General. Before joining John Jay College, she was a Senior Vice President in Citibank’s Fraud Surveillance Unit in New York City.

EDUCATION

PhD, Criminal Justice, CUNY Graduate Center/John Jay College of Criminal Justice

MPhil, Criminal Justice, CUNY Graduate Center

MA, Criminal Justice, John Jay College of Criminal Justice

BA, Law & Society, Cum Laude,

Ramapo College of New Jersey

AS, Criminal Justice, Morris County College

Certificate, Forensic Accounting, New York University