1
00:00:00,000 --> 00:00:05,770
< Intro >

2
00:00:05,770 --> 00:00:07,500
– Welcome back to Count Me In.

3
00:00:07,500 --> 00:00:09,550
I'm your host, Adam Larson,

4
00:00:09,550 --> 00:00:14,000
and today we're diving deep into
the world of fraud and internal control.

5
00:00:14,000 --> 00:00:17,167
Joining me is the incredible A.J. Coleman.

6
00:00:17,167 --> 00:00:19,167
He is an author, and serves as 

7
00:00:19,167 --> 00:00:22,289
vice president and fraud
manager at Byline Bank.

8
00:00:22,289 --> 00:00:25,109
Today, we'll be discussing the
importance of strong internal controls,

9
00:00:25,109 --> 00:00:27,167
in detecting and preventing fraud,

10
00:00:27,167 --> 00:00:31,334
and how organizations can navigate
through risks and vulnerabilities.

11
00:00:31,334 --> 00:00:34,500
A.J. will share some eye-opening
examples of common fraud cases

12
00:00:34,540 --> 00:00:37,340
and explain how they are
identified and dealt with.

13
00:00:37,340 --> 00:00:40,800
So if you want to learn more about
the crucial role of internal control

14
00:00:40,800 --> 00:00:44,167
in combating fraud, you definitely
don't want to miss this episode.

15
00:00:44,167 --> 00:00:50,667
< Music >

16
00:00:50,667 --> 00:00:53,050
Well, A.J., I want to thank you so
much for coming on the podcast.

17
00:00:53,050 --> 00:00:56,380
Really excited to talk about
internal control, and fraud,

18
00:00:56,380 --> 00:00:59,129
and just all the different things
you have to do in that world.

19
00:00:59,129 --> 00:01:00,833
And I know you're an expert in this field,

20
00:01:00,833 --> 00:01:05,730
and I thought that, maybe, you could start
by giving some examples of how things

21
00:01:05,730 --> 00:01:09,160
like strong internal controls
can help by detecting fraud.

22
00:01:09,160 --> 00:01:10,667
Since I know you see this every day.

23
00:01:10,833 --> 00:01:11,833
– Well, great to be here

24
00:01:11,833 --> 00:01:15,500
and the opportunity to talk
fraud is always rewarding.

25
00:01:15,500 --> 00:01:20,333
But, yes, internal controls are really
the key, is to be able to identify 

26
00:01:20,333 --> 00:01:25,833
where there are opportunities or gaps, for
the fraudsters to expose an organization.

27
00:01:25,833 --> 00:01:30,000
And that's really where the first thing you
have to look at is where are we exposed,

28
00:01:30,000 --> 00:01:32,170
and what risks that are out there.

29
00:01:32,170 --> 00:01:36,130
And from there, you then start
crafting those internal controls.

30
00:01:36,130 --> 00:01:37,650
How do you want them set up?

31
00:01:37,650 --> 00:01:39,833
What do you want people's roles to be?

32
00:01:39,833 --> 00:01:41,833
How should things be escalated?

33
00:01:41,833 --> 00:01:45,150
And there's a lot that we
can go into that aspect.

34
00:01:45,150 --> 00:01:48,500
But without internal controls,
nobody understands

35
00:01:48,500 --> 00:01:53,333
what the proper steps are, and how
do you get that message to the expert.

36
00:01:53,333 --> 00:01:57,666
And in terms of fraud, fraud happens
every day, and it happens in places

37
00:01:57,666 --> 00:01:59,200
that we least expect it.

38
00:01:59,200 --> 00:02:01,460
It could be anything from a personal thing,

39
00:02:01,460 --> 00:02:04,700
where somebody steals your information unknowingly.

40
00:02:04,700 --> 00:02:06,840
All the way up to somebody depositing

41
00:02:06,840 --> 00:02:12,310
a fictitious check in the ATM
deposit, knowing that it's fictitious.

42
00:02:12,310 --> 00:02:15,760
And without internal controls,
how do we detect this?

43
00:02:15,760 --> 00:02:18,830
How do we maneuver through those processes

44
00:02:18,830 --> 00:02:22,550
to, actually, review these transactions?

45
00:02:22,550 --> 00:02:27,880
And, then, at the end, do we need
to escalate this up through leadership?

46
00:02:27,880 --> 00:02:32,166
Does it need to have a certain
suspicious activity report filing?

47
00:02:32,166 --> 00:02:36,110
And without those internal
controls in place is a free fall.

48
00:02:36,333 --> 00:02:40,499
– That makes a lot of sense, and it
begs the question, chicken versus egg,

49
00:02:40,499 --> 00:02:44,110
do you have strong internal controls
unless you've experienced fraud?

50
00:02:44,110 --> 00:02:47,832
Or can you have good internal controls,
if you've never experienced fraud?

51
00:02:47,879 --> 00:02:49,666
What comes first in some cases?

52
00:02:49,832 --> 00:02:54,950
– Well, a lot of it depends on the leaders,
and the type of the organization

53
00:02:54,950 --> 00:02:57,880
and how they set up their infrastructure.

54
00:02:57,880 --> 00:03:02,540
Some organizations are very
passive and they are reactive,

55
00:03:02,540 --> 00:03:05,239
in terms of waiting for things to happen.

56
00:03:05,239 --> 00:03:07,610
Other organizations are saying,
"Well, you know what?

57
00:03:07,610 --> 00:03:10,666
We're going to be active in this.
We're going to be proactive."

58
00:03:10,690 --> 00:03:14,810
And a lot of that has to do
with that leadership quality.

59
00:03:14,810 --> 00:03:19,999
In my opinion, from a fraud expert, you
always want to work on the preventive.

60
00:03:19,999 --> 00:03:22,666
Because you can always build something,

61
00:03:22,666 --> 00:03:27,999
and then do your own risk assessments
to determine if there are gaps exposed.

62
00:03:27,999 --> 00:03:31,332
Then work together to figure out
how to close up those gaps.

63
00:03:31,332 --> 00:03:35,499
Instead, of just leaving it open-ended
and waiting for the fraud to happen.

64
00:03:35,499 --> 00:03:39,832
And a lot of times people just sit because
it's easier to wait till something happens,

65
00:03:39,832 --> 00:03:41,999
rather than be proactive and build something.

66
00:03:42,165 --> 00:03:43,650
– Yes, that makes a lot of sense.

67
00:03:43,650 --> 00:03:45,999
Being proactive does seem
like the better option,

68
00:03:45,999 --> 00:03:49,499
but it all comes down to
leadership and those things.

69
00:03:49,499 --> 00:03:53,010
Maybe, we could circle back to

70
00:03:53,010 --> 00:03:55,665
what are some of the most common
types of fraud that you see

71
00:03:55,665 --> 00:03:57,939
in your line of work, maybe,
there are some examples.

72
00:03:57,939 --> 00:03:59,999
I know you can't name any names,
but, maybe, there are some examples

73
00:04:00,000 --> 00:04:02,832
you can give and how it was
identified and dealt with.

74
00:04:02,999 --> 00:04:04,909
– Check fraud, is number one on the list.

75
00:04:04,909 --> 00:04:07,165
I mean, you would think
that in today's world,

76
00:04:07,165 --> 00:04:10,530
that we would be doing
more electronic payments.

77
00:04:10,530 --> 00:04:14,165
But there are just amount of
checks that go out on a daily basis.

78
00:04:14,165 --> 00:04:16,780
And, sometimes, people just
it's easier to write checks,

79
00:04:16,780 --> 00:04:19,165
it's easier to send them through the system,

80
00:04:19,165 --> 00:04:22,498
but I will tell you the post office is compromised.

81
00:04:22,498 --> 00:04:27,100
We are seeing a lot of checks
intercepted by third-party individuals.

82
00:04:27,100 --> 00:04:32,360
Whether it's the postal workers
themselves or they're in a partnership,

83
00:04:32,360 --> 00:04:34,665
maybe, with the fraudster
or they've been approached,

84
00:04:34,665 --> 00:04:38,832
and we read things on the news where
postal workers are held at gunpoint,

85
00:04:38,832 --> 00:04:41,832
their keys are taken, for mailbox.

86
00:04:41,832 --> 00:04:44,789
And all these fraudsters
are looking for is just checks,

87
00:04:44,789 --> 00:04:49,998
where they can either wash them or they
can do a forged endorsement on the back

88
00:04:49,998 --> 00:04:52,190
hoping that nobody will notice that.

89
00:04:52,190 --> 00:04:56,831
Check fraud, is unfortunately not
going away, and in the last two years

90
00:04:56,831 --> 00:04:59,229
I've seen a significant increase.

91
00:04:59,229 --> 00:05:02,190
And there are certain controls
that you can put in place,

92
00:05:02,190 --> 00:05:06,665
not only for the banks, or the institutions,

93
00:05:06,665 --> 00:05:10,430
or the companies, but also
for the customers themselves.

94
00:05:10,430 --> 00:05:14,331
Positive Pay is really important,
where you can look to see

95
00:05:14,331 --> 00:05:16,998
if you can be protected and be notified,

96
00:05:16,998 --> 00:05:19,460
if there's a counterfeit check that gets presented.

97
00:05:19,460 --> 00:05:23,010
You can do a payee Positive Pay,
that looks at the payee information

98
00:05:23,010 --> 00:05:25,289
to see if it's been washed.

99
00:05:25,289 --> 00:05:27,998
Alternatively, go with the electronic.

100
00:05:27,998 --> 00:05:30,165
It's a lot easier on the cash flow,

101
00:05:30,165 --> 00:05:32,998
but you also don't have to
worry about a paper copy.

102
00:05:33,039 --> 00:05:35,419
So check fraud is definitely number one.

103
00:05:35,419 --> 00:05:36,831
The other thing we're seeing a lot

104
00:05:36,831 --> 00:05:42,660
is what we call Business Email
Compromise, BEC, as it's known.

105
00:05:42,660 --> 00:05:47,164
And what this is, is with fraudsters,
they penetrate into an organization.

106
00:05:47,164 --> 00:05:50,331
Whether it's through a phishing
attack or other metrics,

107
00:05:50,331 --> 00:05:56,039
and what they do is they clone the
server, once they're in the organization.

108
00:05:56,039 --> 00:06:00,998
And they operate as if they
are an authoritative figure

109
00:06:00,998 --> 00:06:04,900
and emailing different groups,
different business units,

110
00:06:04,900 --> 00:06:09,831
as well as, maybe, even the financial
institution, changing payment information

111
00:06:09,831 --> 00:06:14,860
or making requests for ACHs
or wires to go out.

112
00:06:14,860 --> 00:06:21,331
And what happens once the clone
server is done, the primary customer 

113
00:06:21,331 --> 00:06:23,200
or the vendor has no idea.

114
00:06:23,200 --> 00:06:24,660
And the fraudsters are the ones

115
00:06:24,660 --> 00:06:29,900
that are letting certain emails go
through, intercepting other emails.

116
00:06:29,900 --> 00:06:32,430
So, a lot of times, these
customers have no idea

117
00:06:32,430 --> 00:06:37,831
that they've been compromised, as well as
they just quickly change that information

118
00:06:37,860 --> 00:06:42,497
and say, "Hey, we need to pay
this person X amount of dollars."

119
00:06:42,497 --> 00:06:45,979
But nobody questions a lot like
"Why did this payment information

120
00:06:45,979 --> 00:06:48,440
suddenly change from our vendor?

121
00:06:48,440 --> 00:06:51,997
We've been sending this to this
bank, for the last five years,

122
00:06:51,997 --> 00:06:56,330
but now we're getting a payment
request to send it to a different area."

123
00:06:56,330 --> 00:07:00,110
But we just hide behind emails all day long,

124
00:07:00,110 --> 00:07:02,497
instead of picking up a phone and calling.

125
00:07:02,497 --> 00:07:07,710
So, as a result, the fraudsters hedge on
you not picking up that phone,

126
00:07:07,710 --> 00:07:09,669
and you're just trading emails,

127
00:07:09,669 --> 00:07:13,020
and you're going to just cycle
through whatever the request is.

128
00:07:13,020 --> 00:07:15,630
And this goes from the customer, to the vendor,

129
00:07:15,630 --> 00:07:18,370
to the financial institution, all the way up.

130
00:07:18,370 --> 00:07:21,080
And this is where the second area,

131
00:07:21,080 --> 00:07:25,889
what we're seeing for fraud, is really
significantly increased in recent years.

132
00:07:25,889 --> 00:07:28,840
And now with everybody remote, in many places,

133
00:07:28,840 --> 00:07:32,800
there are more interactions done
on email as opposed to in person.

134
00:07:32,800 --> 00:07:34,790
Where somebody just doesn't
get up from their desk

135
00:07:34,790 --> 00:07:37,259
and walk across to the accounting department,

136
00:07:37,259 --> 00:07:39,301
and say, "Hey, we've got a change here."

137
00:07:39,301 --> 00:07:40,950
And the accounting department looks at it

138
00:07:40,950 --> 00:07:43,250
and says, "Yes, this looks a little different."

139
00:07:43,250 --> 00:07:45,360
The third aspect is account takeovers.

140
00:07:45,360 --> 00:07:52,020
Where the fraudsters socially
engineer themselves onto the victim,

141
00:07:52,020 --> 00:07:58,090
as to getting their credentials, in
some cases logging in as their victim.

142
00:07:58,090 --> 00:08:00,240
In other cases, they'll socially engineer

143
00:08:00,240 --> 00:08:05,330
thinking the tech company that somebody
has something wrong with their computer,

144
00:08:05,330 --> 00:08:09,090
and they will request remote
access into the computer,

145
00:08:09,090 --> 00:08:14,997
and then do a lot of key logging to retrace
some of the steps; passwords, websites.

146
00:08:14,997 --> 00:08:19,163
And many people, as we know, because
it's hard to keep track of all the passwords,

147
00:08:19,163 --> 00:08:22,830
we use the same password for
every website we can think of,

148
00:08:22,830 --> 00:08:24,860
and all they need is one.

149
00:08:24,860 --> 00:08:26,996
And they have sophisticated software

150
00:08:26,996 --> 00:08:31,330
to figure out what your passwords
are and if they penetrate through,

151
00:08:31,330 --> 00:08:34,996
And, in many cases, a consumer is protected

152
00:08:34,996 --> 00:08:38,110
by their bank with the account takeovers.

153
00:08:38,110 --> 00:08:39,830
But in other cases they may not be,

154
00:08:39,830 --> 00:08:44,330
depending on how your financial
institution controls, and procedures 

155
00:08:44,330 --> 00:08:46,830
are designed and communicated.

156
00:08:46,830 --> 00:08:51,496
Very difficult to discover
when you've been victimized.

157
00:08:51,496 --> 00:08:53,996
But a lot of people realize
when they see money

158
00:08:53,996 --> 00:08:56,640
leaving the account that's not theirs.

159
00:08:56,640 --> 00:08:59,996
And I think today's generation,
in my opinion, they don't do 

160
00:08:59,996 --> 00:09:03,459
regular, bank reconciliations of their personal.

161
00:09:03,459 --> 00:09:06,700
They just look to see whatever
balance they have in the account,

162
00:09:06,700 --> 00:09:11,700
and they just operate as they're, I think,
that's another area that they hedge on.

163
00:09:11,700 --> 00:09:16,330
But the third aspect with account
takeovers, is just to be very careful.

164
00:09:16,330 --> 00:09:20,163
You talk to most places
will never come out

165
00:09:20,163 --> 00:09:25,829
and ask you for your online credentials,
which includes your password,

166
00:09:25,940 --> 00:09:30,030
giving out the multifactor
authentication numbers.

167
00:09:30,030 --> 00:09:32,329
And many times there's
a little disclaimer that

168
00:09:32,329 --> 00:09:36,089
these institutions share with
them, "We will never ask you."

169
00:09:36,089 --> 00:09:40,410
But people freak out when
it comes time to fraud,

170
00:09:40,410 --> 00:09:43,790
and they feel like there's something
really wrong with the account.

171
00:09:43,790 --> 00:09:45,329
So I would say those are the top three.

172
00:09:45,329 --> 00:09:48,329
I mean, we can go through
debit cards, credit cards.

173
00:09:48,329 --> 00:09:52,690
We can go through the human
trafficking and all those other aspects.

174
00:09:52,690 --> 00:09:54,329
But I would say those are the top three,

175
00:09:54,329 --> 00:09:58,550
at least, that I see today,
that are impacting most people.

176
00:09:58,662 --> 00:10:02,459
– Yes, that is in line, and
I thought it was very surprising

177
00:10:02,459 --> 00:10:05,209
to hear that checks were still the top one.

178
00:10:05,209 --> 00:10:09,850
And that goes back to the
importance of organizations,

179
00:10:09,850 --> 00:10:14,996
to utilizing new technologies like the
e-checks and online types of payments

180
00:10:14,996 --> 00:10:16,996
that are definitely more secure.

181
00:10:16,996 --> 00:10:19,330
Do you think that if more people

182
00:10:19,330 --> 00:10:21,279
were to adopt those things
that that would come down?

183
00:10:21,279 --> 00:10:24,829
Or do you think there are some people
just stuck on using checks forever?

184
00:10:24,829 --> 00:10:28,162
– I think it's mixed, there are organizations,

185
00:10:28,162 --> 00:10:31,940
and they're so used to writing
checks and issuing checks,

186
00:10:31,940 --> 00:10:33,650
it's put in their procedures.

187
00:10:33,650 --> 00:10:35,995
And the bigger the organization,

188
00:10:35,995 --> 00:10:40,662
to change procedures, there are a lot
more people that need to be involved.

189
00:10:40,662 --> 00:10:46,495
Processes have to be vetted out and
then approved, by the senior leadership.

190
00:10:46,550 --> 00:10:51,829
So, sometimes, these processes just
stay the same for many years to come.

191
00:10:51,850 --> 00:10:55,162
But there are organizations
that are, actually, taking steps

192
00:10:55,162 --> 00:11:00,662
to properly try to combat check fraud
and the intercepting of checks,

193
00:11:00,662 --> 00:11:03,920
that they'll, actually, start moving
towards that electronic model.

194
00:11:03,920 --> 00:11:07,995
Now, just because you move to
the electronic, it doesn't, necessarily, 

195
00:11:07,995 --> 00:11:10,162
make you less fraud prone.

196
00:11:10,162 --> 00:11:16,440
It just means that you may be susceptible
in other areas like account takeover.

197
00:11:16,440 --> 00:11:20,495
Where somebody may try to socially
engineer to get into the company account,

198
00:11:20,580 --> 00:11:23,495
so they can certainly send out bill pays

199
00:11:23,495 --> 00:11:27,995
and all that other payment, through their systems.

200
00:11:27,995 --> 00:11:33,162
But, yes, checks, they're always here,
people like to touch something.

201
00:11:33,162 --> 00:11:37,995
They like something that's tangible,
they like giving something to somebody.

202
00:11:37,995 --> 00:11:40,495
I mean, if you think about back in the day,

203
00:11:40,495 --> 00:11:43,495
my grandparents used to
love going to the bank.

204
00:11:43,495 --> 00:11:45,828
They got all dressed up,
and they'd go to the bank

205
00:11:45,828 --> 00:11:48,700
and make whatever transactional activity

206
00:11:48,700 --> 00:11:53,030
that they're looking to do, and then
they'd take it over to the post office,

207
00:11:53,030 --> 00:11:57,089
and they made a whole day of it
because they like the tangible stuff.

208
00:11:57,089 --> 00:12:01,529
And I just think that, again,
it goes where you believe,

209
00:12:01,529 --> 00:12:03,459
it's where you're comfortable with.

210
00:12:03,459 --> 00:12:06,180
If you're comfortable writing checks,
you're going to write checks.

211
00:12:06,180 --> 00:12:09,495
If you're going to take preventive
measures by going on Positive Pay,

212
00:12:09,495 --> 00:12:11,550
doing a bank reconciliation.

213
00:12:11,550 --> 00:12:15,390
Really understanding your institution disclosures

214
00:12:15,390 --> 00:12:19,290
that are, probably, how to
report incidences of fraud.

215
00:12:19,290 --> 00:12:21,828
Then you can have that
safeguard measurement to say, 

216
00:12:21,828 --> 00:12:23,720
"Okay, I'm comfortable writing checks."

217
00:12:23,720 --> 00:12:25,995
Others are going to go the electronic route

218
00:12:25,995 --> 00:12:29,828
and, again, same process that I just described.

219
00:12:29,828 --> 00:12:32,699
So a lot of it is just the comfort level,

220
00:12:32,699 --> 00:12:38,730
but it also goes back to the strong
internal controls each organization has.

221
00:12:38,730 --> 00:12:44,661
To enable that the process is being
followed, each time a transaction is made.

222
00:12:44,661 --> 00:12:46,180
– Mh-hmm, yes, it makes a lot of sense.

223
00:12:46,180 --> 00:12:47,519
So no matter how big your business is

224
00:12:47,519 --> 00:12:51,661
because small business might not be able
to afford to use some software company,

225
00:12:51,661 --> 00:12:55,161
and other ones may not be able to have
the room or they don't want to move it.

226
00:12:55,320 --> 00:12:58,250
So having good internal controls
is the most important thing,

227
00:12:58,250 --> 00:13:00,661
no matter how you make your payments.

228
00:13:00,828 --> 00:13:05,100
– Yes, that's really critical, and
reviewing those internal controls,

229
00:13:05,100 --> 00:13:08,160
I think, on an annual basis is important

230
00:13:08,160 --> 00:13:12,661
because fraud changes,
business models change.

231
00:13:12,661 --> 00:13:16,161
And, again, I understand the
pain points of having to go through,

232
00:13:16,161 --> 00:13:18,880
and then getting all the proper sign offs.

233
00:13:18,880 --> 00:13:23,327
But if you really want to protect yourself
and strengthen the organization,

234
00:13:23,327 --> 00:13:28,170
those internal controls are
really the key for success.

235
00:13:28,170 --> 00:13:32,827
– Yes, so we can't talk about fraud without,
possibly, at least, a little bit mentioning

236
00:13:32,829 --> 00:13:37,661
the fraud triangle—Pressure,
opportunity, and rationalization.

237
00:13:37,661 --> 00:13:40,994
How does having a good understanding
of that help prevent fraud?

238
00:13:41,327 --> 00:13:47,327
– The fraud triangle, it's pretty
straightforward, and to understand it 

239
00:13:47,327 --> 00:13:51,660
you have to understand what
each component represents.

240
00:13:51,660 --> 00:13:56,660
And a lot of times when there's
fraud it, basically, is opportunity,

241
00:13:56,660 --> 00:14:00,660
"Is there an opportunity for
somebody to commit this?"

242
00:14:00,660 --> 00:14:03,327
And it could be any type of fraud.

243
00:14:03,327 --> 00:14:08,660
But what happens is there are certain
aspects that people try to go through 

244
00:14:08,660 --> 00:14:12,827
this type of fraud and say,
"I have an opportunity.

245
00:14:12,827 --> 00:14:14,827
I do not like that company.

246
00:14:14,827 --> 00:14:19,327
I can steal money from them,
and they'll never know."

247
00:14:19,327 --> 00:14:23,010
The opportunity is there for
them to take, and in real way,

248
00:14:23,010 --> 00:14:29,827
they can do misappropriation of the
funds, to try to conceal what they've done.

249
00:14:29,910 --> 00:14:34,160
Now, the justification part,
what I call the rationalization,

250
00:14:34,160 --> 00:14:38,160
it's really important because this is
where they start thinking about,

251
00:14:38,160 --> 00:14:40,540
"Well, I'm justifying my action.

252
00:14:40,540 --> 00:14:41,327
You know what?

253
00:14:41,327 --> 00:14:44,493
My boss passed me up on a promotion.

254
00:14:44,493 --> 00:14:46,660
I missed out on some bonuses.

255
00:14:46,660 --> 00:14:47,510
You know what?

256
00:14:47,510 --> 00:14:52,160
I'm going to take some funds from
the company because I'm owed that."

257
00:14:52,160 --> 00:14:54,399
A lot of times, also, during the pandemic,

258
00:14:54,399 --> 00:14:57,949
when it first started, we would
see people looting stores

259
00:14:57,949 --> 00:15:00,220
and creating havoc on the street.

260
00:15:00,220 --> 00:15:03,570
And I remember watching the news, one night,

261
00:15:03,570 --> 00:15:06,827
and they interviewed one of the
looters, and she said, "You know what?

262
00:15:06,827 --> 00:15:09,827
I lost my job, I have no financial means.

263
00:15:09,827 --> 00:15:14,993
I have a baby, I can't afford diapers,
I need to get diapers for my baby."

264
00:15:15,139 --> 00:15:19,660
And what they did is she
rationalized her situation,

265
00:15:19,660 --> 00:15:23,493
as a means of justifying why she was looting.

266
00:15:23,493 --> 00:15:25,209
Now, we can go into the whole ethics

267
00:15:25,209 --> 00:15:27,869
and talk about whether
that's appropriate or not,

268
00:15:27,869 --> 00:15:31,326
but that's not for this discussion.

269
00:15:31,326 --> 00:15:36,180
Then, obviously, the motivation,
the pressure, that comes through it.

270
00:15:36,180 --> 00:15:40,540
It's like, "What is the incentive
for them to commit the fraud?

271
00:15:40,540 --> 00:15:42,220
What is the payoff?"

272
00:15:42,220 --> 00:15:43,920
And a lot of times people just say,

273
00:15:43,920 --> 00:15:47,160
"I'm just going to do it
one time, no harm, no foul."

274
00:15:47,160 --> 00:15:50,993
But, then, like other aspects,
you do it one time,

275
00:15:50,993 --> 00:15:53,949
you're like, "Hey, that wasn't
so bad, I didn't get caught."

276
00:15:53,949 --> 00:15:58,493
Or, "Maybe I'll just increase my next attempt,

277
00:15:58,493 --> 00:16:01,993
maybe, from $100 to $200
dollars, see who notices?"

278
00:16:01,993 --> 00:16:02,993
And, then, you know what happens is

279
00:16:02,993 --> 00:16:06,993
it becomes almost like a
game of, "Who can catch me?"

280
00:16:06,993 --> 00:16:11,993
Because we all think as kids, we're
untouchable when we're outside, at recess,

281
00:16:11,993 --> 00:16:17,493
running around playing tag, "Nobody
can catch me" and you start taunting.

282
00:16:17,493 --> 00:16:20,199
So the fraud triangle is really put into place,

283
00:16:20,199 --> 00:16:23,880
where it's just really just kind of think
about from a fraud perspective.

284
00:16:23,880 --> 00:16:26,860
Like, why do people commit fraud?

285
00:16:26,860 --> 00:16:31,993
What is their intention and why?
What's the rationale behind it?

286
00:16:32,070 --> 00:16:33,993
How can they live with themselves

287
00:16:33,993 --> 00:16:39,159
after doing something because
we have been taught, from a young age,

288
00:16:39,159 --> 00:16:43,519
"Thou shalt not steal, honor thy neighbor."

289
00:16:43,519 --> 00:16:46,826
But the fraud triangle just puts
things in a different perspective.

290
00:16:46,992 --> 00:16:52,326
– It really does, and, I think, it goes back
to that gray area, the rationalization,

291
00:16:52,326 --> 00:16:55,180
because everybody has a reason
for the things that they do.

292
00:16:55,180 --> 00:16:59,159
And, you're right, you have to go back to
personal ethics and just business ethics

293
00:16:59,159 --> 00:17:03,639
because a lot of things aren't so black
and white, especially, in today's world.

294
00:17:03,639 --> 00:17:05,209
And, so, it's very difficult.

295
00:17:05,209 --> 00:17:10,000
And, so, how do you encourage
your employees to avoid these things,

296
00:17:10,000 --> 00:17:13,326
and to look out for the pressures
and the opportunities?

297
00:17:13,326 --> 00:17:16,826
Because if you tell them too much about
it, maybe, some people will get ideas

298
00:17:16,880 --> 00:17:19,110
and say, "Oh, that's a really
good idea, I should try that."

299
00:17:19,110 --> 00:17:21,325
How do you find that balance
when you're trying to educate?

300
00:17:21,492 --> 00:17:24,939
– That's definitely spot on, that's
something that I get concerned with.

301
00:17:24,939 --> 00:17:28,569
We build out some of these
schemes and how we detect,

302
00:17:28,569 --> 00:17:32,970
and then we talk about how
we can educate and train others.

303
00:17:32,970 --> 00:17:37,492
What information do we provide
so it can't be used against us.

304
00:17:37,492 --> 00:17:42,325
Really, the first line of defense
is hiring the right employees,

305
00:17:42,325 --> 00:17:46,010
that's part of where the
internal control starts.

306
00:17:46,010 --> 00:17:49,360
If you hire the right employees,
if you do their background checks.

307
00:17:49,360 --> 00:17:53,159
You set them up to manage expectations,

308
00:17:53,159 --> 00:17:57,030
understand what is acceptable,
what is not acceptable,

309
00:17:57,030 --> 00:18:00,770
but also educate them on
what they can tell others.

310
00:18:00,770 --> 00:18:05,492
We can never tell anybody, in our field, who
are filing suspicious activity reports.

311
00:18:05,600 --> 00:18:08,770
So that is instituted on day one,

312
00:18:08,770 --> 00:18:13,890
managing those expectations
and reinforcing those ideas.

313
00:18:13,890 --> 00:18:18,825
The other aspect we have is
we create different materials,

314
00:18:18,825 --> 00:18:22,760
and this is how we're able to distinguish

315
00:18:22,760 --> 00:18:30,325
what is more proprietary, internally, for us,
and what can be shared outside our walls.

316
00:18:30,325 --> 00:18:35,992
That if it were to be released, yes, it's
informative, but it can't come back

317
00:18:35,992 --> 00:18:38,658
and somebody can leverage that against us.

318
00:18:38,658 --> 00:18:43,158
Now, we're not going to be able to cover
everything because it's just impossible.

319
00:18:43,158 --> 00:18:48,658
But, I think, it really starts with hiring
the right people, doing ongoing training.

320
00:18:48,658 --> 00:18:53,658
Reinforcing some of these concepts
that the organization has,

321
00:18:53,658 --> 00:18:57,020
and even, sometimes, putting it to a test

322
00:18:57,020 --> 00:19:01,325
and just having somebody call in and
see if they can get information out

323
00:19:01,325 --> 00:19:03,158
that, maybe, necessarily, shouldn't be.

324
00:19:03,158 --> 00:19:07,991
And, again, use this as coaching opportunities.

325
00:19:07,991 --> 00:19:14,491
The last aspect of how you can
also prevent it is, again, do an audit.

326
00:19:14,491 --> 00:19:18,840
Work backwards and say,
"Okay, did we let anything slip?

327
00:19:18,840 --> 00:19:20,130
Is there something that's out there

328
00:19:20,130 --> 00:19:25,059
that maybe we couldn't disclose,
that we should have, or vice versa?"

329
00:19:25,059 --> 00:19:29,409
And it's critical because you have
to not only start somewhere,

330
00:19:29,409 --> 00:19:31,629
you got to end somewhere.

331
00:19:31,629 --> 00:19:36,590
And it's always good to re-evaluate
the progress and then update.

332
00:19:36,590 --> 00:19:41,991
A lot of times what we use are standard
operating procedures to outline,

333
00:19:41,991 --> 00:19:44,991
what can be shared, what cannot be shared.

334
00:19:44,991 --> 00:19:50,309
And we also have separate
guidelines that we call unwritten rules.

335
00:19:50,309 --> 00:19:56,324
Like, "We don't say this to this team,
but we can say this to our team."

336
00:19:56,324 --> 00:20:01,159
And that's, again, where you set
those expectations from day one.

337
00:20:01,159 --> 00:20:05,324
– Do you think the advent of great
technology, that's coming down the road,

338
00:20:05,400 --> 00:20:09,110
do you think that will help with
the ability to do the constant audit?

339
00:20:09,110 --> 00:20:11,657
Because when you were saying
all those things about auditing

340
00:20:11,657 --> 00:20:14,824
and constantly checking, I'm thinking,
"How do you progress, as an organization,

341
00:20:14,860 --> 00:20:16,950
if you're constantly monitoring auditing?"

342
00:20:16,950 --> 00:20:20,157
But do you think, in the advent of new
technologies, will that help companies 

343
00:20:20,157 --> 00:20:22,320
still be able to advance and become better,

344
00:20:22,320 --> 00:20:26,157
but also be able to still detect
the fraud, as they're going along?

345
00:20:26,157 --> 00:20:28,700
– Technology is great
when it's leveraged properly.

346
00:20:28,700 --> 00:20:33,270
It solves one problem but, sometimes,
opens the door for another problem.

347
00:20:33,270 --> 00:20:38,991
But I do think that having the right team
that understands the technology,

348
00:20:38,991 --> 00:20:44,657
understand how it's set up, from the
beginning, is really critical in that audit.

349
00:20:44,720 --> 00:20:48,990
Because a lot of times we're inheriting
technology, when we start a new job,

350
00:20:48,990 --> 00:20:52,490
and we really don't have a true
understanding of how decisions 

351
00:20:52,490 --> 00:20:55,780
were made, at the beginning
of implementation.

352
00:20:55,780 --> 00:20:59,324
To allow something to go through that,

353
00:20:59,324 --> 00:21:02,360
necessarily, we would not want to go through.

354
00:21:02,360 --> 00:21:05,660
So the technology aspect, at any point,

355
00:21:05,660 --> 00:21:10,890
in what I call the lifeline of it,
is you really have to understand

356
00:21:10,890 --> 00:21:15,450
what is the full functionality of it,
that can help you with those audits.

357
00:21:15,450 --> 00:21:18,010
And where there are gaps, that's
when you might have to do

358
00:21:18,010 --> 00:21:21,990
some manual audit reviews
and use different parties

359
00:21:21,990 --> 00:21:26,824
from different areas to review it, so you
have that proper checks and balance.

360
00:21:26,824 --> 00:21:31,823
Technology is wonderful, it can
really help improve efficiencies,

361
00:21:31,823 --> 00:21:36,190
point out, maybe, some areas that are exposed.

362
00:21:36,190 --> 00:21:40,823
And I think that's what we're moving more
toward with AI technology, in the future,

363
00:21:40,823 --> 00:21:47,990
as they continue to craft it, and
being able to use it appropriately.

364
00:21:47,990 --> 00:21:55,823
I'm a big fan of technology, it definitely
beats, I would say, the manual process.

365
00:21:55,950 --> 00:21:58,809
But I will say this, if you don't understand

366
00:21:58,809 --> 00:22:01,770
and have the basic knowledge of something,

367
00:22:01,770 --> 00:22:05,440
it's hard to really challenge that technology.

368
00:22:05,440 --> 00:22:08,157
And if I may give a great example.

369
00:22:08,157 --> 00:22:12,490
Back in school, accounting,
we learned all about T-accounts

370
00:22:12,490 --> 00:22:14,990
and we learned about what the debits

371
00:22:14,990 --> 00:22:20,323
and what the credits are, and how
do you move, and post certain things, 

372
00:22:20,323 --> 00:22:22,059
and what are the implications behind it

373
00:22:22,059 --> 00:22:25,490
because we're physically using these T-accounts.

374
00:22:25,490 --> 00:22:29,419
Today, a lot of the accounting
is done by software.

375
00:22:29,419 --> 00:22:33,490
Where people aren't having
that same understanding

376
00:22:33,490 --> 00:22:36,990
of where the debits and
the credits go, what happened?

377
00:22:36,990 --> 00:22:38,990
They're just doing a lot of memorization.

378
00:22:38,990 --> 00:22:42,490
They're looking to see,
and where technology helps,

379
00:22:42,490 --> 00:22:45,656
yes, it helps audit some of those mistakes

380
00:22:45,656 --> 00:22:48,323
but, sometimes, it doesn't
provide the rationalization

381
00:22:48,323 --> 00:22:50,860
as to why it's done certain ways.

382
00:22:50,860 --> 00:22:54,380
And when you're looking in fraud,
you have to go back to the basics

383
00:22:54,380 --> 00:22:56,970
to really understand, "How did we get here?"

384
00:22:56,970 --> 00:23:01,489
It's like the root-cause analysis
type; in how did we get here?

385
00:23:01,489 --> 00:23:06,740
How do we look, and craft, and
prevent something from happening?

386
00:23:06,740 --> 00:23:10,909
But technology can only get
us there on the back end.

387
00:23:10,909 --> 00:23:16,156
And that's where you have to be able to
create and build something from scratch.

388
00:23:16,656 --> 00:23:19,020
– I think you've really highlighted
something really important there.

389
00:23:19,020 --> 00:23:21,100
That no matter how far technology advances,

390
00:23:21,100 --> 00:23:23,989
it's still important, for us,
to understand the basics

391
00:23:23,989 --> 00:23:26,090
and the foundation of how things work.

392
00:23:26,090 --> 00:23:28,429
Because we can't utilize
that technology, properly,

393
00:23:28,429 --> 00:23:30,730
unless we understand
how it's supposed to work.

394
00:23:30,730 --> 00:23:35,322
And that's something that is being
talked about in accounting education.

395
00:23:35,480 --> 00:23:38,489
And it's really important, especially,
with the rise of things like ChatGPT,

396
00:23:38,489 --> 00:23:43,299
and the generative AI-type elements.

397
00:23:43,299 --> 00:23:45,390
If you don't know how to
ask the questions properly,

398
00:23:45,390 --> 00:23:48,156
you won't get the proper answers to
be able to utilize the technology right,

399
00:23:48,230 --> 00:23:51,340
so that's a really great point.

400
00:23:51,340 --> 00:23:53,220
And just speaking of generative AI,

401
00:23:53,220 --> 00:23:56,989
how do you think elements like
that will affect your profession,

402
00:23:56,989 --> 00:23:58,322
especially, when it comes to fraud?

403
00:23:58,322 --> 00:24:01,322
I'm sure you can use it for good,
but I'm sure that other people

404
00:24:01,330 --> 00:24:02,950
can use it for bad, just as well.

405
00:24:03,156 --> 00:24:08,340
– When it comes to fraud,
it is definitely a confidence.

406
00:24:08,340 --> 00:24:12,200
It's also sort of a bragging right,
who can do it better?

407
00:24:12,200 --> 00:24:16,500
Is the fraudster better than the catcher?

408
00:24:16,500 --> 00:24:20,590
What can they do differently
to conceal their actions?

409
00:24:20,590 --> 00:24:24,655
So with AI, I think, eventually,
what's going to help is

410
00:24:24,655 --> 00:24:26,740
you're using the machine learning,

411
00:24:26,740 --> 00:24:29,990
you're using some of the
digital imaging, that's out there.

412
00:24:29,990 --> 00:24:34,489
And they can look at
certain checks, for example,

413
00:24:34,489 --> 00:24:39,655
and compare different check
stocks between the customers.

414
00:24:39,655 --> 00:24:42,340
If one customer uses a certain check stock 

415
00:24:42,340 --> 00:24:44,600
and, all of a sudden, they see a check

416
00:24:44,600 --> 00:24:46,910
that's presented with a different check stock.

417
00:24:46,910 --> 00:24:52,655
The system is capable of flagging and
saying, "Hey, this doesn't look right,

418
00:24:52,720 --> 00:24:54,570
somebody needs to review it."

419
00:24:54,570 --> 00:25:00,322
They can also look and learn at
the behaviors that customers use.

420
00:25:00,322 --> 00:25:04,322
Most people get regular
standard paychecks, usually, 

421
00:25:04,322 --> 00:25:09,260
on certain days of the week,
perhaps certain times of the month.

422
00:25:09,260 --> 00:25:12,322
And what happens there,
it can flag for anything

423
00:25:12,322 --> 00:25:16,890
that might be out of scope
and look for different algorithms,

424
00:25:16,890 --> 00:25:21,155
that are out there, to help flag
and detect incidents of fraud.

425
00:25:21,155 --> 00:25:24,960
In terms of account takeover,
Business Email Compromise,

426
00:25:24,960 --> 00:25:29,929
it can almost register where
payments have always gone,

427
00:25:29,929 --> 00:25:34,322
and then flag it for when there is
sudden change of payment information.

428
00:25:34,322 --> 00:25:39,750
And, again, it's not designed to,
basically, be all and stop everything.

429
00:25:39,750 --> 00:25:44,590
What AI can leverage is to
help us with the notification.

430
00:25:44,590 --> 00:25:47,890
Where it informs us that
something doesn't look right,

431
00:25:47,890 --> 00:25:52,155
"Here's what doesn't look right,
somebody needs to go and look at it."

432
00:25:52,155 --> 00:25:53,779
Now, some people may argue,

433
00:25:53,779 --> 00:25:56,655
"Well, we just want them
to automatically do that."

434
00:25:56,655 --> 00:25:59,655
And that's, again, where you
have to really understand

435
00:25:59,655 --> 00:26:03,010
the behavioral aspects of people.

436
00:26:03,010 --> 00:26:07,988
You have to understand how
systems work and set things up.

437
00:26:07,988 --> 00:26:13,155
And, today's day and age, we're always
looking for the faster, the better, 

438
00:26:13,155 --> 00:26:15,970
and the ease of working on something.

439
00:26:15,970 --> 00:26:21,154
But if you're in the fraud space, like myself,
we like puzzles, we like challenges,

440
00:26:21,154 --> 00:26:23,900
but we look at things holistically.

441
00:26:23,900 --> 00:26:28,154
And that's really important
because not only did one transaction

442
00:26:28,154 --> 00:26:30,029
may have triggered the fraud,

443
00:26:30,029 --> 00:26:33,321
but there may have been
a whole series of other things.

444
00:26:33,321 --> 00:26:37,988
And that's where technology, like AI,
can help leverage those changes

445
00:26:37,988 --> 00:26:40,821
and, at least, give us a jump
start when they can look at,

446
00:26:40,821 --> 00:26:44,654
maybe, thousands of checks,
instantaneously, and say, 

447
00:26:44,654 --> 00:26:49,654
"Hey, here are five that doesn't quite meet
the parameters that have been built."

448
00:26:49,654 --> 00:26:53,821
That's where, I think, there's going to
be a tremendous amount of value.

449
00:26:53,821 --> 00:26:57,321
The downside, again, is that
we become too reliant on it

450
00:26:57,321 --> 00:27:00,360
and not understand our true crowd,

451
00:27:00,360 --> 00:27:04,110
not understand the true
behaviors behind something.

452
00:27:04,110 --> 00:27:09,321
– Yes, I really like that answer, and it's
going to be a continuously evolving thing.

453
00:27:09,321 --> 00:27:11,654
And A.J., this has been a great conversation.

454
00:27:11,654 --> 00:27:13,700
It's hugely important to talk about fraud,

455
00:27:13,700 --> 00:27:16,154
and I just want to thank you so much
for coming on the podcast, today.

456
00:27:16,154 --> 00:27:17,821
– Great, thank you for having me.

457
00:27:17,821 --> 00:27:19,987
< Outro >

458
00:27:19,987 --> 00:27:22,821
– This has been Count Me In, IMA's podcast, 

459
00:27:22,821 --> 00:27:25,654
providing you with the latest
perspectives of thought leaders

460
00:27:25,654 --> 00:27:27,654
from the accounting and finance profession.

461
00:27:27,654 --> 00:27:30,321
If you like what you heard
and you'd like to be counted in,

462
00:27:30,321 --> 00:27:32,654
for more relevant accounting
and finance education,

463
00:27:32,654 --> 00:27:38,654
visit IMA's website at www.imanet.org.