2010 Report to the Nations

The ACFE's 2010 Report to the Nations on Occupational Fraud and Abuse is based on data compiled from a study of 1,843 cases of occupational fraud that occurred worldwide between January 2008 and December 2009. All information was provided by the Certified Fraud Examiners (CFEs) who investigated those cases. The fraud cases in our study came from 106 nations - with more than 40% of cases occurring in countries outside the United States - providing a truly global view into the plague of occupational fraud.

Read more or request your own free copy of the report here:  2010 ACFE Report to the nation

ACFE Digital Forensic Committee Newsletter - No. 1


Purpose:   To provide IT digital forensic information and resources to members and member companies to help resolve client issues.


Mission:  To educate ACFE membership with timely topics on digital forensics; to identify competent IT resources; to promote the CFE designation and profession.


Definitions:  Digital forensics is a branch of computer science that focuses on developing evidence pertaining to digital files for use in civil or criminal court proceedings. Digital forensic evidence would relate to a computer document, email, text, digital photograph, software program, or other digital record which may be at issue in a legal case.



Demystifying Digital Forensics


John Sancenito


It is hard to imagine anything we do these days that does not involve a computer or other electronic device.  We rely on digital devices for storing our appointments, phone numbers, email, documents, and financial data. When a file is deleted from a computer, it is not wiped from the hard drive.  The computer simply registers the file as free space that is available to be overwritten the next time space is needed.  Bringing back files that have been deleted involves the science of digital forensics. 


Digital forensics is the collection, preservation, analysis, and presentation of electronic and computer-related evidence.  Digital forensics is one of many tools available to support an audit, investigation or inquiry.  Possible uses include identification of fraud or other criminal activity, conflicts of interest, violations of non-compete agreements, unknown or hidden assets and income, violations of Human Resource policies, and compromised system(s).


The types of information that can be retrieved from digital devices include, but are not limited to, the following types of data:


  • Deleted or hidden files
  • Encrypted or password protected documents
  • Identification of networks to which the computer was previously connected
  • Images (pornography)
  • Financial records
  • Email
  • Instant messages
  • Recently typed words or phrases
  • Internet history


There are five general phases to any digital forensic examination:  Consent, Acquisition, Authentication, Analysis, and Documentation.  We will briefly describe each phase:



Consent

The acquisition of digital evidence begins with consent being given by the computer's owner.  Establishing who has the authorization to grant access can sometimes be more complicated than it might appear.


An employer has the right to access data on any company-owned electronic device, but each employee should sign an Information Technology (IT) acceptable use policy when they are hired.  An ideal IT acceptable use policy puts an employee on notice that all company computers, cell phones, Personal Digital Assistants (PDAs), thumb drives, or other electronic devices are the property of the company, and the employee has no expectation of privacy while using them.  What if an employee brings a personally owned electronic device into the workplace and uses it for company business?  Does the employee have an expectation of privacy regarding these devices?  Can an employer access and examine these devices?  The use of personally owned electronic devices for business purposes should be strictly prohibited by policy.  However, a thorough IT acceptable use policy should also cover personally owned electronic devices that are brought into the workplace and used for company-related business.


Generally, a spouse may provide consent to access a digital device if the device is marital property, even if the other spouse password protects it.  But what if the device used by the spouse is owned by his/her employer?  Can someone give consent to access data on a computer in their home that is owned by a third party?  The answer is "No."  The employer has an expectation of privacy that unauthorized parties will not access its information.


It is always best to have an individual sign a written consent form stating they are the owner of the device and authorize the forensic examiner to access the data stored on it. 



Acquisition

The acquisition of data residing on an electronic device begins with a mirroring of the device (e.g., a computer hard drive).  The mirroring process involves making an exact bit-by-bit copy of the device.  This goes beyond copying the files and documents; it includes all data that is stored on the hard drive.  In a forensic environment, this is done with the assistance of a write blocker that prevents the examiner from accidentally writing to the suspect drive.  An exact duplicate is made that can then be used to conduct the examination.



Authentication

The forensic examiner verifies that an exact copy was made by "hashing" both the original and the copy.  Hashing is performed by a software program that runs a mathematical algorithm against the dataset.  The result is a string of numbers and letters that represents a digital fingerprint of the dataset.  If the hashes of the original drive and the copy drive match, the data sets are exactly the same.


If one character or single letter on any document in the dataset has been altered, the hash signature will be a completely different number.  Any two documents, photographs, file folders or data sets can be hashed and compared to determine if they are identical.    
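The verification step described above, as an added example that is not part of the original article: both the source and the copy are hashed in one streaming pass and compared, and a copy with a single altered bit is shown to fail. The sample "drive" is constructed in memory, and the function names and the choice of SHA-1 plus SHA-256 are assumptions made for illustration.

```python
import hashlib
import io

CHUNK = 1024 * 1024  # read 1 MiB at a time so a whole drive never sits in memory

def fingerprint(stream, algorithms=("sha1", "sha256")):
    """Hash a binary stream in one pass, feeding each block to every algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    for block in iter(lambda: stream.read(CHUNK), b""):
        size += len(block)
        for h in hashers.values():
            h.update(block)
    return {"bytes": size, **{n: h.hexdigest() for n, h in hashers.items()}}

def verify_copy(original, copy):
    """Return (match, original_fp, copy_fp); size and every digest must agree."""
    fp_orig, fp_copy = fingerprint(original), fingerprint(copy)
    return fp_orig == fp_copy, fp_orig, fp_copy

def differing_hex_digits(a, b):
    """Count positions where two equal-length hex digests differ."""
    return sum(x != y for x, y in zip(a, b))

def make_sample_drive(size=2 * CHUNK + 517):
    """Constructed bytes standing in for a suspect drive (not real evidence)."""
    record = b"ledger-entry;2009-03-14;amount=1250.00\n"
    return (record * (size // len(record) + 1))[:size]

def demo():
    # In practice the two streams would be the write-blocked source device
    # and the image file, each opened in binary read mode.
    drive = make_sample_drive()
    altered = bytearray(drive)
    altered[len(altered) // 2] ^= 0x01  # change a single bit in the copy
    good = verify_copy(io.BytesIO(drive), io.BytesIO(drive))
    bad = verify_copy(io.BytesIO(drive), io.BytesIO(bytes(altered)))
    return good, bad

if __name__ == "__main__":
    good, bad = demo()
    print("exact copy verified:  ", good[0], good[1]["sha256"])
    print("altered copy verified:", bad[0], bad[2]["sha256"])
    changed = differing_hex_digits(good[1]["sha256"], bad[2]["sha256"])
    print("hex digits changed:   ", changed, "of 64")
```

Recording the digests and byte count in the examination notes lets a later reviewer re-hash the working copy and confirm it has not changed since acquisition.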



Analysis

The examiner next pre-processes the working copy of the hard drive.  This pre-processing is completed by digital forensic software that indexes all data as it resides on the hard drive.  This allows for word and text strings to be searched across various types of media.


The examiner first analyzes files that exist on the computer in their native form.  These files could be word processing files, email files, image files, spreadsheet files and just about any other file that was saved for later retrieval and that a user would see when looking at the file directory.  The examiner then reviews files that have been hidden or deleted.  A deleted file does not "go away."  Rather, the map to its location is changed.  This map can be recreated with special retrieval utilities to make the file visible again.  The third place the examiner looks is incomplete files or file remnants that are no longer retrievable with undelete utilities because the file table is unable to track them any longer.  The most common reason for this is space limitations: the map is overwritten with new material.  However, the files in their entirety, or significant portions of them, are still resident on the drive.  The final place from which the examiner is able to retrieve data is in special files that were created without the user's knowledge.  The most common types of these files are created for printing a document or maintained by the operating system as temporary storage.

Software utilities allow the examiner to conduct searches for key words or phrases.  Pictures are also categorized for easy review by the examiner.  Files, photographs, documents, or folders can be flagged by the examiner for further review.  Forensic software utilities are also available to check the hash of photographs that have been listed by the Department of Justice as child pornography.
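An added example, not from the original article, of how data can be found once the file table no longer tracks it. It uses signature-based carving for JPEG images and a raw keyword search in both ASCII and UTF-16LE; the article names neither technique, so both are assumptions about method. The byte buffer is constructed sample data, and the carver is simplified (it ignores JPEGs that embed thumbnails).

```python
import re

JPEG_HEADER = b"\xff\xd8\xff"   # start-of-image marker plus first segment byte
JPEG_FOOTER = b"\xff\xd9"       # end-of-image marker

def carve_jpegs(raw):
    """Locate JPEG data by signature alone, with no file table to consult."""
    hits, pos = [], raw.find(JPEG_HEADER)
    while pos != -1:
        nxt = raw.find(JPEG_HEADER, pos + 3)
        end = raw.find(JPEG_FOOTER, pos + 3, nxt if nxt != -1 else len(raw))
        if end != -1:   # header and footer both survive: whole file recoverable
            hits.append({"offset": pos, "length": end + 2 - pos, "complete": True})
        else:           # tail was overwritten: flag the remnant for manual review
            hits.append({"offset": pos, "length": None, "complete": False})
        pos = nxt
    return hits

def find_keyword(raw, word):
    """Case-insensitive search of raw bytes in ASCII and UTF-16LE encodings."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        pattern = re.compile(re.escape(word.encode(enc)), re.IGNORECASE)
        hits += [(m.start(), enc) for m in pattern.finditer(raw)]
    return sorted(hits)

def make_sample_space():
    """Constructed stand-in for unallocated drive space (not real evidence)."""
    gap = b"\x00" * 512
    photo = JPEG_HEADER + b"\xe0" + b"constructed-image-bytes" + JPEG_FOOTER
    remnant = JPEG_HEADER + b"\xe1" + b"overwritten-tail"
    note = b"pay invoice 4471 in cash"
    memo = "Wire the INVOICE total offshore".encode("utf-16-le")
    return gap + photo + gap + note + gap + remnant + gap + memo + gap

if __name__ == "__main__":
    space = make_sample_space()
    for hit in carve_jpegs(space):
        print(hit)
    for offset, enc in find_keyword(space, "invoice"):
        print(offset, enc)
```

Searching both encodings matters because many Windows applications store text as UTF-16LE, which a plain ASCII search would miss.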



Documentation

Documentation of a computer forensic examination is one of the most important aspects of the process.  The documentation should include the legal authorizing entity, IT acceptable use policy, the chain of evidence, and relevant documents recovered from the computer.

Digital forensics is a powerful tool that can be used in almost any investigation or audit.  It is often misunderstood, however, and therefore not given its proper value.  Evidence or information can be obtained from any electronic device.  The collection, preservation and analysis of digital evidence should be conducted by qualified individuals to avoid damaging evidence and to withstand legal scrutiny. 

For further information contact John Sancenito at 1-800-443-0824 or [email protected] or


Tax shelter scheme lands Seattle businessmen prison terms

Prosecutor: 'Justice ought to be ... blind to the color of your collar'


Before sending the Seattle businessman to prison, the judge offered what would have been, on another day, high praise for a fraud who helped other rich Americans dodge $240 million in taxes.


To read more, click here.




Common Fraud Schemes and Avoidance Tips from the FBI

Common Fraud Schemes


The following are some of the most common scams that the FBI investigates and tips to help prevent you from being victimized. Visit our White-Collar Crime and Cyber webpages for more fraud schemes.

To report cases of fraud, use our online tips form or contact your nearest FBI office or overseas office.


To read the entire article, click here.




CA/CM as Preventive Care against Fraud

By James R. Littley and Andrew M. Costello, CPA, CFF, CFE

A challenging economic environment inevitably amplifies the risks and opportunities of fraudulent behavior.

Managers and employees are facing heightened pressure to meet revenue and cost targets, so some may resort to improper means of achieving those increased expectations-especially if they perceive their jobs to be in jeopardy if they do not meet their targets. In addition, common cost-cutting measures such as downsizing, outsourcing, and off-shoring can create vulnerabilities in internal control environments. These dynamics, and many more, challenge ethical behavior daily.

Along with preventive elements such as codes of conduct, due-diligence hotlines, and whistleblower mechanisms, continuous auditing and continuous monitoring (CA/CM) can be a key component of an effective fraud risk management process. In addition, CA/CM shifts management's and the internal audit department's focus and review from a traditional retrospective/detective approach to a proactive/preventive stance.

To read the entire article, please visit of the Pennsylvania Institute of Certified Public Accountants