Cyber Incident Response and Little League Baseball: It’s all about the Follow Through

Responding to a cyber incident isn’t just about getting the systems back up and running (very important) but rather performing in sequence a set of mechanisms that improve the overall cyber incident response effectiveness. The set of sequences or as they are known in the sporting world, the follow through, is key to the most successful incident response and might not be as straightforward as you assume. Read on for a follow-through formula designed for efficient incident response here.

CPA, CFF, CFE, CFI….say what?

If you get an email or a business card from a forensic accounting professional, you might see a bunch of credentials behind their name. But what do they all mean? Here is a brief description for some of the most common forensic accounting related professional credentials:

  • Certified Fraud Examiner (CFE) – CFEs resolve allegations of fraud, obtain evidence, conduct interviews, write reports, testify to findings and assist in the prevention and detection of fraud.


  • Certified Public Accountant (CPA) – CPAs are accounting professionals who have passed the CPA examination and have also met additional state certification and experience requirements.



  • Certified Forensic Interviewer (CFI) – CFIs conduct a variety of investigative interviews with victims, witnesses, suspects or other sources to determine the facts regarding suspicions, allegations or specific incidents.

Additional certifications that are common for forensic specialists include the following:


  • Certified Financial Crimes Investigator
  • Accredited in Business Valuation (ABV)
  • Certified Valuation Analyst (CVA)
  • Private Investigator
  • MBA in Fraud Management and Economic Crime
  • Seized Computer Evidence Recovery Specialist
  • Certified Handheld Forensic Examiner
  • Certified E-Discovery Specialist (CEDS)
  • Encase Certified Forensic Examiner (EnCE)
  • AccessData Certified Examiner (ACE)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Information System Security Professional (CISSP)
  • Certified Information System Manager (CISM)

Why Your Business Needs a Whistleblower Hotline

What’s to Report? Financial fraud isn’t the only concern for businesses. Ethical violations of every sort imaginable can take place at any organization and within any department. According to a 2013 National Business Ethics Survey (NEBS) conducted by the Ethics Resource Center, 41 percent of the respondents indicated they witnessed some form of workplace misconduct, including conflicts of interest, discrimination and violations of health and safety regulations. With an anonymous whistleblower hotline in place for employees, tips can be submitted safely and securely for all manner of wrongdoing:

 Financial: Every business is at risk of financial abuses and errors. From inadequate accounting procedures to audit issues and simple billing errors, there are a plethora of opportunities for mistakes to be made or criminal activity to take place.

Ethical: Some business practices may not necessarily break any laws, but they would still be considered unethical if utilized improperly. Ethical breaches can include anything from code of conduct violations to outright theft, including intellectual property theft.

Privacy: In today’s digital world where everyone and everything is connected and online, privacy concerns have never been more pronounced. Identity theft can happen to anyone, and breaches can occur anywhere personal information is stored. The health care industry is particularly at risk for inadvertent confidentiality breaches.

 Security: Security goes hand-in-hand with privacy. Securing both physical and digital property is becoming harder and harder with the advancement of technology. Hackers target everything from electronic door locks to customer databases.

Safety: Businesses that don’t take safety seriously put their workers in jeopardy, as well as their customers. OSHA violations aside, an unsafe work environment is neither efficient nor profitable.

HR Violations: No department benefits more directly from the implementation of a reporting hotline than human resources. HR professionals constantly deal with ethical and workplace safety issues, from employee handbook violations to harassment and discrimination.

With an anonymous, easy-to-use reporting system, employees feel much more comfortable reporting wrongdoing. They know their name won’t be attached to the tip. They won’t fear retaliation. But they WILL report the issue that could end up saving the organization money and even lives thanks to early detection and correction. Having adequate controls that seek out fraud, rather than relying on external or passive detection methods, can dramatically reduce the cost and duration of illicit activity. Such controls also allow for more information to be gathered up front.

Conducting Dishonest Employee Investigations

When companies believe they have been taken advantage of by a potentially dishonest employee, many have no idea what to do next. Many times business owners or managers jump directly to what is perceived as being the easy solution; the employee in question is terminated. However, is that really the best action to take? Many forensic accountants and corporate investigators will say it is not.

The first thing the company needs do is verify that the employee in question is in fact dishonest. There are very few matters that can cause more unhappiness in a workplace, or amongst a workforce, than an employer targeting an employee that has done nothing wrong.

Companies often forget to determine if “predication” is present before any type of investigation begins or accusations of wrong doings are made. Predication is defined as being a set of circumstances that would lead a reasonable and professionally-trained person to believe that fraud has occurred, is occurring, or will occur in the future

Predication can be found to be present with the help of things such as tips, accounting anomalies, surveillance, etc. A fraud investigation should never be conducted without predication being present. In reality, the accused employee may have upset someone enough that false accusations are made to “get even” or to cause the employee suffering. The following are some of the questions the company’s management or company investigator can ask themselves and others before any accusations are made or an investigation begins:

  • Did someone tell you the employee was dishonest?
  • Is there evidence the employee is being dishonest?
  • If evidence is present, is the evidence being safe-guarded?
  • When and how should you talk with the employee?
  • If the employee is coming back from a Workers Compensation Claim, how should the interview be conducted?
  • Is the employee a female and does she happen to be pregnant?
  • If the employee is a female, should a male investigator interview her alone?
  • If a witness is to be involved in the interview, should the witness be male or female?
  • Is the employee under 18 years of age? If so, does one of their parents need to be present during the interview?
  • Are there any cultural issues that need to be taken into account before interviewing the individual?
  • Will the “opportunity” the employee took advantage of still exist after the employee in question is terminated, suspended, reassigned or resigns?
  • How do I keep this from happening again?
  • Will the matter be handled internally, through a civil proceeding, or in a criminal court?
  • If the matter is to be handled in a criminal court, when do the police need to be involved in the investigation?
  • Is the matter in question covered under the company’s insurance coverage and if so, what documentation or procedures need to be followed in order to file a timely claim?

Once predication is determined, it is best if the owners or managers bring in outside experts to assist with the investigation. Many fraud investigations handled “in-house” are not done correctly for many different reasons. Some of which are accusing or alerting the individual suspected of the fraud at the wrong time, mishandling evidence, assumptions of involvement, failure to obtain a verbal or written statement of involvement from the suspect(s) and/or personal emotions getting involved.

In fact, emotions may be the hardest aspect for the management to get over or deal with. The owners and/or managers may feel embarrassed that someone was allowed to steal from the company. They may feel they “should have known better” and if they had only done something differently, this matter would never have taken place.

Business owners and managers must work to move past the feeling of being embarrassed. Trusting their employees is not the reason they were taken advantage of or stolen from. People take advantage of situations for many different reasons. Some reasons make sense and actually seem like they may be justified but most make no sense at all.

People who steal from those who have entrusted them with the well-being of their company must be held accountable for their actions. If not, you are allowing this person to go somewhere else and potentially victimize another organization or individual. I would believe the majority of business owners and/or managers don’t wish to feel as if they could have done something to prevent another business and/or individual from suffering the same fate as they have. Hold dishonest employees accountable for their actions.

If something does not seem right in your business, contact your attorney, your banker, your local law enforcement agency, or a forensic accountant for expert assistance in determining if something dishonest took place. Make sure your internal controls work properly in order to avoid potential fraud and catastrophe. Remember: prevention is always cheaper than detection.

Use of investigative accounting to carve out financial exploitation


According to the National Adult Protective Services Association (NAPSA), financial exploitation is one of the fastest growing forms of abuse against vulnerable adults. As the population of the United States continues to age, it is an unfortunate reality that the attempts to exploit vulnerable adults will only rise. A conservator and/or guardian can prevent financial exploitation by closely managing the vulnerable adult’s accounts and how the accounts are accessed. If financial exploitation is suspected, a meticulous review of financial records will be necessary. Depending upon the complexity and volume of financial documents, the services of a forensic accountant should be considered.


Forensic accounting is actions taken in order to attempt to piece together or reconstruct a past event, or events, using financial information. In the context of vulnerable adults, forensic accounting is focused on following the money, and identifying cases of misuse of assets owned by the vulnerable adult. This process is done using bank records, credit card statements, tax returns, public records and other information obtained throughout the engagement.

Investigations typically begin with the examination of bank and investment account records, tax returns, loan files and credit card account statements. Through an examination of these records, forensic accountants will likely be able to identify all accounts held by the vulnerable adult. Examining these records will also allow the forensic accountants to determine if there are any expenses not associated with the vulnerable adult or if there is any missing income.

These misuses can be identified and documented using unique forensic investigative software and advanced spreadsheet tactics, such as pivot tables, charts, and graphs. After the investigation, work papers and/or a narrative report is published by the forensic accountants. The work product created by forensic accountants will provide you and legal authorities with the information they need to draw conclusions regarding whether or not financial exploitation has taken place.

Exploitation Case 101[1]

“Mrs. Ethel Crane” is an eight-one year old individual suffering from dementia. She has been in a relationship with fifty-eight year old “Mr. Smith” for the past few years. Mr. Smith is a construction worker in the area and visits Ethel on occasion. Taking advantage of his relationship with Ethel, and her vulnerability, Mr. Smith begins exploiting Ethel’s finances and using them for his own gain.

Dating back to the year prior to the beginning of Ethel and Mr. Smith’s relationship, over 4,250 financial transactions were examined. These transactions consisted of everything from checks and check card purchases to deposits and transfers. It was discovered that after gaining access to Ethel’s financial accounts, Mr. Smith began to use the money to support a lifestyle beyond his means. Mr. Smith used Ethel’s money to make payments on vehicle loans, including a snowmobile, and an ATV he bought after gaining access to Ethel’s funds. In addition to making payments on multiple vehicles, Mr. Smith took cash advances against Ethel’s account and used her assets to cover monthly bills for telecommunications, utilities, and insurance.

[1] Names have been changed to protect identities

In the year prior to the beginning of Ethel and Mr. Smith’s relationship, Ethel disbursed approximately $52,600 from her accounts. During the four years between the beginning of their relationship and the investigation of financial exploitation, Ethel’s accounts disbursed more than $410,000; three of the four years, amounts disbursed were more than double what Ethel was spending before the relationship began. In the third and fourth years in question, nearly half of the disbursements were flagged as suspicious. After the investigation was complete, it was determined that Mr. Smith had exploited Ethel of more than $199,000.


Due to the trusting nature created by the abuser and the nature of certain financial transactions, it can be difficult to identify financial exploitation. If it is suspected that financial exploitation of a vulnerable adult is taking place, there are a few steps that can be taken to ease the suspicions and help confirm them. Although you may be able to identify financial exploitation without having access to the vulnerable adult’s financial records, it is practically impossible to verify and document the totality of financial exploitation without examining financial records. Using financial records, no matter how voluminous they may be, will shed light on patterns of financial exploitation if it has been occurring.

One of the simplest actions to take when attempting to uncover exploitation is examining the purchases from the vulnerable adult’s accounts. For most vulnerable adults, spending is fairly consistent. One indication of possible exploitation is an increasing pattern of disbursements from financial accounts. This increase may be caused by multiple individuals using the assets, no longer just the vulnerable adult. Examining individual transactions rather than the sum of spending within the accounts will provide additional details on the nature of the transactions. For example, you may come across a purchase of rock concert tickets or gas purchases although the vulnerable adult has not driven in several years.

When examining financial records over a period of time, you will gain sense for the types of transactions made by the vulnerable adult on a monthly basis. This is especially true when examining transactions before the alleged exploitation began. This develops a baseline for the vulnerable adult’s “typical” spending habits. The transactions that do not appear to fit the baseline pattern when examining financial records during the period of potential exploitation, may be the exploitation items in question. Further investigating these items and other transactions will assist you in uncovering potential financial exploitation.


Conservators and/or guardians most likely do not specialize in forensic accounting nor might they get excited about spending hours documenting questionable financial transactions through the use of pivot tables and investigative software. Generally speaking, adult protection service workers, police and prosecutors do not specialize in forensic accounting either. The good news is that forensic accountants have the experience needed to document exploitation matters for the court of law. Forensic accountants are available to help during any step of the exploitation investigation process. Depending upon the complexity of the matter, the services provided by forensic accountants may range from consultation on how to locate financial records to assisting with the examination of financial records to creating a comprehensive forensic report for prosecution purposes.


The Value of Computer Forensics: Case Examples

  1. One computer forensic examination of a husband’s laptop revealed he was setting up bank accounts in his girlfriend’s name and sending her loaded credit cards to help hide his assets. The scheme was clearly documented in Skype chat logs and e-mails. His Internet searches for information on money transfers to foreign banks and his visits to an out of the country realtor’s web site were easily documented.
  2. On a non-compete case, the client assured his lawyer that nothing illegal or embarrassing would result in the examination of his computer. The subsequent forensic discovery of deleted movies the client had videotaped of his wife in sexual relations, and his subsequent posting of the videos on the internet, was enough for counsel to lose faith in the honesty of his client and seek a settlement
  3. In an embezzlement case, the offender was frequenting pornographic web sites and was stealing company funds to pay for prostitutes and expenses at gentleman’s clubs. Computer forensics assisted with documenting fraudulent 401k loan repayments, pictures and videos of the suspect with prostitutes, and internet posting reviews by the offender of erotic dance clubs and dancers
  4. In a child custody matter, an unemployed father wanted to have custody of the children and claimed to be a doting father. The computer forensic examination of a home computer, used by the father, showed hours of on-line poker activity each day while he was supposed to be watching the children.
  5. On a libel case, electronic discovery consulting was provided to the plaintiff’s attorney on preservation holds, Internet Service Provider contacts, third party subpoenas and e-mail. A subsequent court order resulted in the recovery of e-mails on a witness’s work account from the Respondent. The Respondent e-mails revealed an attempt to bribe the witness to commit perjury in Federal court. The Respondent’s attorney quit the case and the new counsel quickly reached a seven figure settlement with the Plaintiff. Computer forensics on the libelous electronic document revealed metadata leading directly to the Respondent’s home computer.

Computers have become the filing cabinet, the roll top desk, the newspaper subscription, the bank book, the postcards and letters, diary, library, movie theater, and the Montgomery Ward catalog of generations past. A computer forensic examination that locates a Google search for “hiding assets,”” nude teens,” or “casual encounters” can dramatically affect the outcome of any case. Could computer forensics be your “smoking gun?”