Fraud Incident Response Planning Essentials

6/20/2014
1
Copyright © FraudResourceNet LLC
Fraud Incident Response
Planning Essentials
June 11, 2014
Richard Cascarino, CFE
Richard Cascarino & Associates
President and Founder of White Collar Crime 101
• Publisher of White-Collar Crime Fighter
• Developer of FraudAware® Anti-Fraud Training
• Monthly Columnist, The Fraud Examiner, ACFE Newsletter
Member of Editorial Advisory Board, ACFE
Author of “Fraud in the Markets”
• Explains how fraud fueled the financial crisis.
About Peter Goldmann, MSc., CFE

6/20/2014
2
About Richard Cascarino, MBA, CIA, CISM,
CFE, CRSA
Principal of Richard Cascarino &
Associates based in Colorado
USA
Over 30 years experience in IT
audit training and consultancy
Past President of the Institute of
Internal Auditors in South Africa
Member of ISACA
Member of ACFE Board of
Regents (Higher Education)
This webinar and its material are the property of FraudResourceNet LLC.
Unauthorized usage or recording of this webinar or any of its material is strictly
forbidden. We are recording the webinar and you will be provided with a link
access to that recording as detailed below. Downloading or otherwise
duplicating the webinar recording is expressly prohibited.
Webinar recording link will be sent via email within 5-7 business days.
NASBA rules require us to ask polling questions during the Webinar and CPE
certificates will be sent via email to those who answer ALL the polling questions
The CPE certificates and link to the recording will be sent to the email address
you registered with in GTW. We are not responsible for delivery problems due to
spam filters, attachment restrictions or other controls in place for your email
client.
Submit questions via the chat box on your screen and we will answer them
either during or at the conclusion.
After the Webinar is over you will have an opportunity to provide feedback.
Please complete the feedback questionnaire to help us continuously improve
our Webinars
If GTW stops working you may need to close and restart. You can always dial in
and listen and follow along with the handout.
Webinar Housekeeping

6/20/2014
3
The views expressed by the presenters do not necessarily represent the views,
positions, or opinions of FraudResourceNet LLC (FRN) or the presenters’
respective organizations. These materials, and the oral presentation
accompanying them, are for educational purposes only and do not constitute
accounting or legal advice or create an accountant‐client relationship.
While FRN makes every effort to ensure information is accurate and complete,
FRN makes no representations, guarantees, or warranties as to the accuracy or
completeness of the information provided via this presentation. FRN
specifically disclaims all liability for any claims or damages that may result from
the information contained in this presentation, including any websites
maintained by third parties and linked to the FRN website
Any mention of commercial products is for information only; it does not imply
recommendation or endorsement by FraudResourceNet LLC
5
Disclaimers
Today’s Agenda
 Introduction Statistics on the “Fraud Problem”
 Incident Response Plan
 Incident Response Team
 Why Conduct an Investigation?
 Planning the Investigation
 Investigative Teams and Resources
 Collecting & Preserving Evidence
 Witness Interviews
 Forensic Procedures
 Findings of the Investigation
 Conclusions and Questions6

6/20/2014
4
Fraud: The Big Picture
According to major accounting firms, professional fraud examiners
and law enforcement:
 Fraud costs the world $1 TRILLION per year. (5%) (ACFE)
 Business losses due to fraud increased 20% in last 12 months, from
$1.4 million to $1.7 million per billion dollars of sales. (Kroll
2010/2011 Global Fraud Report)
 75% of the companies surveyed experienced at least one incident of
fraud in the last 12 months (KPMG)
 Average cost for each incident of fraud is $160K (ACFE)
 Approximately 67% of corporate fraud committed by insiders (Kroll)
The Worst Can Happen
"Don't look at the past and assume that's the future.
Look at the enemy's strengths and your vulnerability.
You've got to realize that the worst case does
sometimes happen."
--Richard Clarke
Former Special Advisor for Cybersecurity

6/20/2014
5
Fraud – 3 Key Elements
9
Fraud – It’s Not A Question of
“If”
10
It is not a matter of if, but when.
Having an incident response plan puts
you in the best position to respond
quickly and effectively.
 Pre‐incident planning
 Ongoing incident management
 Post‐incident remediation

6/20/2014
6
Polling Question 1
The Three Elements of Fraud are:
a) Incentive, Rationalization and Opportunity
b)   Opportunity, Means and Method
c)   Rationalization Means and Opportunity
d)   Opportunity, Incentive and Means
Goals of Incident Response
 Confirm or dispel incident
 Promote accurate info accumulation
 Establish controls for evidence
 Protects privacy rights
 Minimize disruption to operations
 Allow for legal/civil recriminations
 Provide accurate reports/recommendations

6/20/2014
7
Incident Response Team
Leader
 Senior internal auditor
 Legal counsel
 Investigation department head
 Sr. audit committee member
 Risk management director
 Corporate security director
 External auditor?
 External investigative firm?
13
Fraud Incident Response
Team
 Legal resources: In‐house &
outside counsel
 Regular vs. indep. external counsel
 HR
 Internal audit
 External audit
 Internal or external investigator(s)
 Audit committee representative
14

6/20/2014
8
Incident Response Methodology
 Pre‐incident preparation
 Detection
 Initial Response
 Strategy formulation
 Duplication
 Investigation
UTSA IS 6353 Security Incident
Response
 Security measure
implementation
 Network monitoring
 Recovery
 Reporting
 Follow-up
Incident Response Plan –
Pre‐incident Planning
 Create a team & a plan
 Define roles & responsibilities
 Train staff on plan details and
responsibilities
 Process for escalation:
‐‐ allegation > incident >
investigation
 Document retention policies
 Internal vs. external
legal/investigative
professionals
 Fraud risk assessment:
Prioritize risks and develop
response plans for each
 Standardize evidence collection
protocols
 Restrict access to incident
details to “need‐to‐know” basis
 Formalize regulatory
compliance procedures for
response and notification
16

6/20/2014
9
Polling Question 2
Pre‐incident Preparation includes:
a)   Identifying the scope of suspected fraud
b)   Determining time‐frames for legal experts
c)   Defining roles and responsibilities
d)   Identifying failed business processes
After It Has Occurred
 Identify scope of suspected
fraud (individual or collusion?)
 Seek expert advice (external
auditor, counsel, etc)
 Secure & preserve financial
and non‐financial information
 Determine time frame for who
(LE/regulators) needs to know
what/when
 Adhere to relevant
legal/regulatory
notification mandates &
time frames
 Ongoing & appropriate
communication
 Consider notifying law
enforcement if suspect
criminal activity
 Identify weak/failed ICs &
business processes
18

6/20/2014
10
 Alert your fraud incident manager
that an allegation or suspicion exists
 Document date, time and details of
initial tip/discovery
 Take notes on all observations and
actions – if something is worth
taking a mental note, it is worth a
written note)
 Maintain confidentiality (enforce
“need‐ to‐know rule about the
suspected act). Unwarranted
disclosure can seriously damage
potential successful investigations.
 Do not immediately confront the
suspect.
 Write out in full the suspected act
or wrongdoing including:
 What is alleged to have
occurred
 Who is alleged to have
committed the act
 Is the activity continuing
 Where did it occur
 What is the value of the loss
or potential loss
 Who knows of the activity
(Continued…)
19
 Identify all documentary and other
evidence connected to the incident:
 Invoices
 Contracts
 Purchase orders
 Checks
 Computers/mobile devices
(Email)
 • Credit/P‐card statements
 Obtain evidence and place in a
secure area. (Whenever possible
without alerting any suspects)
 Protect evidence from damage or
contamination
 List each item individually taking
note of acquisition (incl. time, date
and location) and where the item
was securely stored
 Identify all potential witnesses
 Unless electronic evidence is in the
process of being destroyed do not
go into the suspect/target
computer systems
 If possible, secure and/or remove
suspect’s access to relevant
computers/systems. Do not allow
IT department to examine
computer (s)
 Consider other potential suspects
20
Source: Deloitte

6/20/2014
11
Polling Question 3
Response after an incident includes:
a)   Standardizing evidence collection procedures
b)   Protecting evidence from damage or contamination
c)   Formalizing regulatory compliance procedures for
response and notification
d)   Prioritizing risks and develop response plans for each
What Prompts an Investigation?
Internal events
 Accounting irregularity
 Employee allegation/whistleblower
 Company compliance audit
 External events
 Government audit, investigation,
subpoena, search warrant
 Competitor complaint
 Information security breach
22

6/20/2014
12
Why Conduct an Investigation?
 Part of an effective compliance
program
 Limits harm to the company
 Formulate a defense to possible
allegations
 May have an obligation under
certain laws (SOX) and regulations
to investigate or self‐disclose
 Credit for cooperation from govt.
(FCPA)
23
Polling Question 4
Reasons for conducting an investigation include:
a)   It can limit harm to the company
b)   Fraud risk assessment may suggest one be carried
out
c)   Restrict access to incident details to “need‐to‐
know” basis
d)   You can standardize evidence collection protocols

6/20/2014
13
Planning the Investigation
 Stop suspect conduct immediately
 What are the immediate
concerns/uncertainty?
 Asset protection/evidence preservation (Image
suspect’s hard drive IMMEDIATELY…or wait?)
What information/evidence do you need to
collect?
 Are there legal constraints concerning the
collection of the required information/evidence?
25
Planning the Investigation
 What is the appropriate scope of the
investigation?
 Considerations should include:
 What is.are the ultimate objective(s) of
the investigation?
 What level of discretion is required?
 What are the time constraints, if any?
 What are the resource constraints, if any?
 Do you want the investigation to be
privileged?
Avoid artificially narrow scope

6/20/2014
14
Internal vs. External
Resources
Investigative resources: Internal or
external. Depends on…
 Resource availability & time
constraints
 Knowledge & experience
 Technology requirements
 Target(s) of the investigation
 Financial loss amount
 Potential for
criminal/regulatory violation(s)
 Needs of your external auditor
 Cost
Preserving Evidence
Information preservation:
 Time urgency – is essential to prevent suspect(s) from
destroying/deleting evidence before collection
 Distribute a preservation notice to key staff
 Ensure proper backup tape rotation (stop if need to
preserve relevant evidence)
 Dumpster/Recoverable Items

6/20/2014
15
Collecting Evidence
Information collection:
 What is available?
 Don’t forget mobile
communication/computing devices
& other mobile storage devices
(thumb drives, etc.)
 Chain‐of‐custody
 Generally, more is better…
Where the Evidence Resides
Volatile data in kernel structures
Slack space
Free or unallocated space
The logical file system
events log
application logs
the registry
the swap file
special application files
temporary files
the recycle bin
the printer spool
email sent or received

6/20/2014
16
Forensic Procedures for Data
Collection/Preservation/Review
Use forensic technology:
 Digital Evidence Forensics/Disk Imaging
 Forensic Data Analytics
 eDiscovery tools/techniques (E‐mails, business
docs—to be done by an expert)
eDiscovery Tools/Techniques
eDiscovery workflow/process (should be
formalized in advance– who will review docs
for relevance, preservation procedures, etc.)
Apply Predictive Coding (Legal tool for
streamlining document review using a
document review platform)

6/20/2014
17
Polling Question 5
A critical aspect of obtaining evidence is:
a)   Ensuring tape retention policies are adhered to
b)   Generally, less is better
c)   Ensuring swap files are deleted
d)   Maintaining the Chain of Custody
Witness Interviews
 Preparation
 Review documents
 Who ‐When ‐Where ‐What order
 Conducting the interview
 Neutral/objective finder of fact
 Never alone—someone takes notes
 Limit information sharing
 Right kinds of questions when
 Legal considerations
 Upjohn warning: Lawyer reps
company
 Preserving privilege
 Providing counsel to the witness

6/20/2014
18
When NOT to Investigate … Maybe
 Amount stolen is minimal
 Nothing more than a red flag (need additional
evidence)
 Want to avoid negative publicity
 Perpetrator resigns/departs on own
 Confession
 Law enforcement takes over
Findings of the Investigation
 Written or oral report? (Written may not be nec.
If you don’t prosecute and just reprimand)
 Determine what to do with current employees
involved in conduct at issue
 Consult with counsel to determine if mandatory
disclosure is required
 Consider implementing stronger controls or
company policies

6/20/2014
19
Post‐Incident Remediation
 Assess gaps and evaluate effectiveness of plan, procedures, and
training
 Adjust incident response plan & protocols; communicate and train
 Test incident response plan periodically and stay aware of internal
& external risks
 Maintain an incident report in accordance with relevant legal &
regulatory standards
 Improve weak & failed ICs and business processes
 Restore customer/client relations as necessary
Information Security Breach
 Prompt notification of appropriate regulators (esp. financial
institutions)
 Prompt notification of law enforcement (Usually federal)
 Mobilize efforts to contain the incident—prevent further
breaches/damage
 Notify customers immediately
 Activate remediation measures—card replacement, credit
monitoring services, etc.
 Train employees to recognize breach red flags quickly.

6/20/2014
20
Common Mistakes
Failure to maintain proper documentation
Failure to notify decision makers
Failure to control digital evidence
Failure to report the incident in a timely manner
Underestimating the scope of the incident
No incident response plan in place
Technical mistakes
• Altering date and time stampson evidence systems before recording them
• Killing rogue processes
• Patching the system back together before investigation
• Not recording commands used
• Using untrusted commands and tools
• Overwriting evidence by installing tools
Incident Response Checklist
Question
Have you developed and implemented a written data security breach disclosure and notification process?
Do you have in place a manual or automated system for tracking privacy incidents to ensure all are detected,
reported and responded to in a consistent way?
Are you aware of Federal and state privacy regulations?
Do you have an incident response process that includes:
Who to contact when they suspect a loss or compromise of PII data?
An evaluation of the scope, the amount of damage and the number of individuals affected by the data breach.
Notification of the individuals whose data has been compromised.
Public relations management.
Mitigation and forensics.
Regulatory reporting.
Do you have a help desk and call procedure for all individuals whose data may have been compromised?
Have you ensured the enterprise breach disclosure effort is scalable to address the scope of the breach?
Are you prepared to offer appropriate remediation measures that are timely and effective? Examples include
free credit monitoring services, fraud alert services, identity monitoring and personalized remediation
services.

6/20/2014
21
Questions?
Any Questions?
Don’t be Shy!
Peter Goldmann
FraudResourceNet LLC
800-440-2261
www.fraudresourcenet.com
pgoldmann@fraudresourcenet.com
Richard Cascarino, MBA, CIA, CRMA, CFE, CISM
Cell: +1 970 291 1497 ‐ South Africa +27 (0)78 980 7685
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino
Thank You!

Fraud Incident Response Planning Essentials

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Fraud Incident Response Planning Essentials

Similar to Fraud Incident Response Planning Essentials (20)

More from FraudBusters

More from FraudBusters (14)

Recently uploaded

Recently uploaded (20)

Fraud Incident Response Planning Essentials