shutterstock_159960011Technology has led to significant changes in the way we work, substantial efficiencies in time savings, and increases in accuracy.  Technology has also become the principal tool of fraudsters.  We have evolved to a state where a computer is a required tool for the perpetration of fraud.  That same technology offers challenges for the examiners who gather evidence in support of a case.  This article discusses the effect of readily available technologies on the quality of engagement evidence, and practical approaches examiners can use to validate their evidence.

When I started in Public Accounting I spent a considerable amount of time looking at vendor invoices and a Companies’ cancelled checks.  The goal was to examine evidence to support management’s assertion that an amount was spent in a prescribed amount for a prescribed purpose.  Suppose an auditee or object, (the Object) of an audit or examination spent $50,000 for a new piece of equipment.  We would examine the vendor invoice.  At that time, vendor invoices were works of art.  They had the vendor’s logo embossed on them.  You could feel the serration on the sides where the zip strips were removed from the multipart form after it was completed by a dot matrix printer.  Could someone produce a fake invoice?  Sure, but they would have had to engage a printer willing to commit brand piracy for the logo and the printer would have required a large minimum order, maybe for ten thousand copies.  Having that invoice in your hand offered a level of assurance to the skeptical auditor that the equipment was actually purchased.  To complete the procedure we would then examine the cancelled check. The auditor/examiner would compare the magnetic imprint placed by the bank on the bottom of the check with the amount that was written or typed in the check to verify it was cashed for the amount intended.  I would then flip the check over and look at the endorsement and the cancellations on the back.  As the check physically moved from the vendor’s bank to the Object’s bank, a series of stamps or cancellations would mark the check’s process as it made its way back home.  The check told a story, similarly to that of a well-worn passport.  Could someone produce a fake cancelled check?  Sure, but again the effort would have been considerable.

I think the first step on the road to evidence degradation was the advent of the laser printer.  The vendor invoice we spoke of was now converted to a black and white document on an 8 ½ by 11 sheet of white paper.  Laser printers were faster, cheaper, and more reliable than their dot matrix predecessors.  The early models had one shortcoming, the ability to process color copies.  Almost overnight all business documents were converted to black and white and printed on an 8 ½ by 11 inch format.

The next step was the use of the photocopier.  Although photo copiers pre-date laser printers as standard office equipment, the ability to produce fraudulent documents on a photocopier was dependent on the original document being produced on the laser printer.  If someone were so inclined, they could take that invoice, white out a line or two, run it through the copier, and change the document.  At this point we have taken the level of documental assurance downward from that of the old days.

Adding fuel to the fire is computer software.  For about $200, I can buy a name brand accounting software.  With that software, a computer, and a laser printer I could produce a variety of documents that mimic the real thing.  Some of those documents could be invoices, pay stubs and even a second set of books.

For about $500, I can buy a graphic editing program.  This type of software was originally designed for editing photographs.  Typical tools include masks, transparency, text, and clipping tasks.  An electronic version of a document can be manipulated using these tools.  With this level of technology no original document is safe.  I had a case last year where a subject had altered a charge card statement. The document looked very close to perfect.

The Check Clearing for the 21st Century Act, (or Check 21) is a United States Public Law which took effect in late 2004.  The law allows the recipient of a check to create a digital version of a check.  The process is called Cheque truncation.  This process creates what is referred to as a substitute check.  The physical check stays in the possession of the payee or the payee’s bank.  The check recipient now can deposit incoming checks through a scanner or on a mobile device.  The data from the check scanner or picture of the check from their mobile device is transmitted to their bank creating a deposit for them and a withdrawal for the payee.  The recipient retains the physical checks for 90 days before shredding the check.  This is why nobody receives cancelled checks with their statements anymore.  To compensate consumers for this change a bank will either include a copy of substitute check in its statement or alternatively make a substitute check available online.

And in an effort to save the money, banks have been pushing the delivery of statements via e-mail.  To get a printed copy you are back at the Laser Printer.

I am certainly not advocating the return to days when I had to walk a mile, uphill both ways, to and from my office.  There are some smart things the savvy auditor/examiner can do in the digital environment.

The requirement for maintenance of the chain of custody for documents to be used as evidence has been around for a very long time.  If you suspect that the Object of your investigation has had access to your documentation prior to you becoming the custodian or has directly provided you the document, you really need to look closely at the document.  Get out the magnifying glass.  Literally, I mean a real magnifying glass and a ruler also.  Think of manipulated documents as you would counterfeit currency.  Things are discolored, do not line up properly and just do not look right.  For example, we will discuss a bank statement, although the same procedures will apply to all documents.  The typical bank statement will be on 8½ by 11 inch sheet of white paper, and have a portrait orientation.  With the ruler and the magnifying glass carefully follow the horizontal print lines from one side to the next.  You are looking for subtle variances in the print font, or the size of the print.  You are looking for variances in the background shading or pattern, or alignment of the print.  If the line for a check presents the amount of the check and the balance after posting, verify the addition and subtraction. Follow the margins and borders looking for breaks in the lines or misaligned items.  Pay particular attention to the bottom of the first page to assure it transitions to the second page properly.  Also at the bottom of the page, look for a copier ghost line.  A ghost line is a dull line which does not belong on the document you are examining. It may try to cover up the URL line provided when a document is printed from the internet.  The URL line shows the web address and the date and time of the printing.  The Object of your investigation will fold up the bottom of the page concealing the URL line, run it through a copier, and present the result (now with a ghost line) as an original document.  Do not overlook the obvious, such as account names, addresses, and corresponding dates.

It is paramount you carefully consider the source of your evidence.  If the document you are handed came from the Object or if some of the telltale signs of manipulation are present, more caution is necessary than if the same document is coming directly from a third party.  Third party sources are more reliable provided you follow some precautions.  We can confirm any financial transaction with the other party.  Typically we will draft a confirmation request and have it signed by the Object.  The Objects’ release is often necessary for reasons of law, such as the privacy rules placed upon banks.  Independently verify the mailing address of the recipient of the confirmation.  Unscrupulous Objects have been known to set up temporary fake addresses to receive these type of requests in order to manipulate the responses.  Make sure you have control of the mailing and the return address on the envelope for the request should be that of the examiner.  Should you be provided with an undeliverable address, that confirmation request will be returned directly to you.  Ask the respondent to complete the transaction.  Rather than asking to confirm the $50,000 paid, ask them to confirm the amount of purchase from a specific date.  Have them sign their response.  In some instances I have called the respondent to verify their response.  My colleague tells the story of an accounts receivable confirmation addressed to “Anon E. Mous”, and using the address of entity being audited.

If I was suspect of the bank statement in our previous example I would ask for temporary or read only access to the internet banking function.  I could download a fresh copy of the bank statement directly from the bank.

Although technology creates some challenges in document authenticity, they are not insurmountable. Keep your eyes open to possibilities of document manipulation in every document you are evaluating.  Keep track of the source of the documents, considering the possibility of ulterior motives of those providing documents.  Finally, I believe that a good dose of skepticism will keep you from accepting any wooden nickels.   To discuss further, please contact us at (908) 782-7900 or email