CFE's Passion is Also His Career

MEMBER PROFILE

Scott Moritz, CFE
Managing Director, Global Lead Investigations & Fraud Risk Management
Protiviti  

As a child of the 60s and 70s, Scott Moritz, CFE, global leader of Investigation & Fraud Risk Management at Protiviti, was enthralled by TV shows like “Mannix” and “Kojak.” These popular shows portrayed ‘white hat’ detectives breaking open their cases. Being prone to wearing the ‘white hat,’ Moritz considers himself fortunate that his passion is also his career. While advocating anti-fraud efforts, Moritz has learned that it is important to “recognize that things are not always black-and-white” – balance is key. Moritz quotes American psychologist, Abraham Maslow, “If all you have is a hammer, then everything will look like a nail.” To this Moritz replies, “In order to avoid becoming a hammer, you need to keep an open mind, follow the facts and accept that not every allegation is true or can be proven. Our job is to investigate the allegations, determine whether they have merit and report the results.”

How did you become passionate about fighting fraud or what sparked your interest to enter into the anti-fraud field?
From the time I was very young, I was fascinated with the notion of becoming a detective and getting my ‘gold shield.’ Wearing the white hat has always been my instinct, and I am fortunate that my passion for investigations took me in the direction that it did.

What steps led you to your current position?
After college I confided in one of my sisters that I was submitting applications to take several police department entrance exams. My sister asked me if I had considered the FBI. She encouraged me to pursue it and put me in touch with a friend who was an FBI Special Agent in New York City for advice.

Fifteen months after applying to the FBI, I was sworn in as a new agent through the FBI Academy and was assigned to the Memphis, Tennessee, division on a white-collar crime squad. After four years in Memphis, I transferred to the FBI’s largest field office in New York. When I was assigned to the Asset Forfeiture Money Laundering Squad, I was a little deflated. I had my heart set on working traditional organized crime since New York City is home to five major crime families. I quickly realized that I had landed on a great squad whose primary focus was conducting parallel financial investigations of major criminal cases to then identify, seize and forfeit criminally-derived assets in order to dismantle major criminal organizations. Hence, I got to work on the largest high-profile cases in the New York area, which included major organized crime, narco-laundering and white-collar crime cases.

After making many of these cases, I was offered an opportunity to leave the FBI and work for a Big 6 accounting firm. I ended up working on more than 30 monitorships of private sanitation companies during the course of my early private sector career. I also worked on a wide variety of financial crime and corruption cases, and made several stops along the way at different accounting and consulting firms, including two start-ups, before assuming leadership of Protiviti’s Investigations & Fraud Risk Management practice three years ago.

What are the most challenging aspects of being a White-Collar Crime & Anti-Corruption Strategist?
I think the biggest challenge is to get our clients to view fraud and corruption risk management and compliance as a strategic imperative and a critical part of their overall strategic planning. In 30 years of investigating financial crime and corruption, including 20 years of advising companies on these subjects, I’ve seen very few organizations that include fraud and corruption risk in their strategic planning processes. Instead, they opt to wall them off, which often results in their failure to consider the full spectrum of weaknesses and threats that could inhibit them from realizing their strategic goals.

What position in your career do you feel has made the most impact in your professional growth and why?
I think it’s really two positions. As an FBI agent investigating white-collar crime and corruption, I had to develop the ability to ingest and analyze large amounts of information about companies, the industries in which they operated and how the financial crime occurred. Something else that made a significant impact on my professional growth was coming into contact with people across a broad spectrum of society, from drug addicts, organized crime members and bank robbers to CEOs, judges and U.S. Senators. I had to learn how to establish common ground with every type of person and build rapport. It’s something that has served me well both professionally and personally.

What activities or hobbies do you like to do outside of work?
I’ve got three sons, all of whom were very active in school sports and other activities. My youngest is now a freshman in college and suddenly the flurry of high school football, baseball, indoor track meets, hosting pasta parties and attending awards dinners have all come to an abrupt halt. My wife and I are now struggling with how to continue to be helicopter parents from 250 miles away. In responding to this question, it occurs to me that I need a hobby. I know my son would probably appreciate it being something other than him.

Read Scott's full profile in the Career Center on ACFE.com.

One Whistleblower's Story: Losing a job, but not losing hope

LETTER FROM THE PRESIDENT

James D. Ratley, CFE
ACFE President

You might eventually have to make a tough decision that could jeopardize your job and disrupt your life.

Let's say you find an accounting regulation violation that your organization might have ignored for years. You bring your concerns to your boss who agrees you've discovered a problem. Other accounting department staff members concur until they figure out the restatement costs. You stew over this and realize that your organization is breaking the law.

You secretly report the violation to the U.S. Securities and Exchange Commission (SEC) and the audit committee of your company's board. Somehow your boss finds out and sends an email to the accounting department's executives. The attorneys review and decide that the company is in compliance. The SEC decides not to investigate the case. You lose your job and your hope.

This is the story of Tony Menendez, CFE. Except he never lost his hope. "In 2005, I was asked to approve a bill-and-hold sale [at Halliburton], and it was at least six years after the SEC issued SAB 101," Menendez says during a recent Fraud Magazine interview. This Staff Accounting Bulletin describes regulations on revenue recognition in financial statements.

He says unassembled equipment wasn't even ready to be shipped to a customer. "Halliburton was holding the equipment in anticipation of performing future oil field services for its customer," he says. 

Menendez shared his findings with his bosses, and they initially agreed with him. But they later backpedaled when they realized that correcting the accounting would've required a costly and embarrassing restatement. Menendez went to the SEC, which eventually decided it wouldn't pursue the case. A Halliburton internal investigation cleared the company. Menendez's boss outed him to the company in an email. Halliburton stripped him of many of his duties and banned him from meetings. Colleagues ostracized him. Menendez left Halliburton in 2006 and brought a whistleblower claim under the anti-retaliation provisions of the Sarbanes-Oxley Act.

In September 2008, an administrative law judge determined that Halliburton hadn't retaliated against Menendez. Menendez then represented himself in appealing the case to the Administrative Review Board (ARB). In September 2011, the ARB overturned the original trial judge. Halliburton appealed to the Fifth Circuit Court of Appeals, but the panel ruled that the company had retaliated against Menendez for blowing the whistle. After almost nine years, he'd won his battle.

"The stigma of whistleblowers hasn't changed nearly enough," Menendez says. "As long as employers see whistleblowers as a rare breed to be feared instead of individuals who add great value to the working team as a whole, it can be hard for them to prevail, and society as a whole bears the greater risk."

The ACFE will award Menendez the 2016 Sentinel Award for "Choosing Truth Over Self" at the 27th Annual ACFE Global Fraud Conference. Read more about Menendez's story in the latest issue of Fraud Magazine.

Understanding and Mitigating Smartphone Risks

ONLINE EXCLUSIVE

Nikola Blagojevic, CFE, CISA

In the past decade, public- and private-sector organizations have greatly increased their use of smartphones for their employees — they're now ubiquitous. Upside: simple and quick communication. Downside: Smartphones are easily lost or stolen and are susceptible to cyberattacks because of their technological vulnerabilities. According to the CNBC article, Biggest cybersecurity threats in 2016, by Harriet Taylor, Dec. 28, 2015, "The evolution of cloud and mobile technologies, as well as the emergence of the 'Internet of Things,' is elevating the importance of security and risk management as foundations."

Smartphones are more at risk in certain areas — hotels, coffee shops, airports, cars, trains, etc. And home Wi-Fi connections can be potential risk areas if users don't properly secure them. An attacker could easily access confidential personally identifiable information (PII) and data, such as:

  • Personal or professional data (emails, documents, contacts, calendar, call history, SMS, MMS).
  • User identification and passwords (to emails, social networks, etc.).
  • Mobile applications that record PII.
  • Geolocation data about the smartphone user.

Poor configuration of particular smartphone parameters can also lead to security breaches. An attacker can initially target a smartphone that contains little or no classified data but then use it as a steppingstone to build a more complex attack to obtain access to sensitive applications or confidential data. For example, a hacker can use various seemingly unimportant pieces of data to social engineer victims to gain more information that could enable him to stage a successful attack.

So while it's crucial that CFEs are aware that mobile devices — smartphones and tablets — bring fraud risks to organizations, it's also critical that they know the risks of using their own mobile devices in professional settings.

Understanding and mitigating the risks

The European Union Agency for Network and Information Security (ENISA) has defined 10 major risks for smartphone users:

  1. Data leakage resulting from device loss or theft.
  2. Unintentional disclosure of data.
  3. Attacks on decommissioned smartphones.
  4. Phishing attacks.
  5. Spyware attacks.
  6. Network spoofing attacks.
  7. Surveillance attacks.
  8. Diallerware attacks: an attacker steals money from the user by means of malware that makes hidden use of premium short message services or numbers.
  9. Financial malware attacks.
  10. Network congestion.

We can use these risks (listed from high to lower risk) alongside the ISO 27002 standard to review professional use of smartphones within organizations. Internal auditors might not have the technical expertise, so you could hire external experts with specific skills to perform the proper tests. External experts also provide necessary independence for testing organizations' security measures.

Here are various measures that can help reduce the risks associated with mobile devices:

  • Encrypt mobile devices.
  • Regularly update mobile devices' applications and operating systems.
  • Set strong passwords. Each personal identification number (PIN) should be at least eight digits long because a four-digit PIN can be easily broken. Alphanumeric passwords should be at least eight characters long and shouldn't use common names or words. An easy way to help create a memorable password is to use a favorite sentence. For example, you can create a password from "The ACFE is reducing business fraud worldwide and inspiring public confidence." Use the first letters of each word and replace "a" and "i" with "@" and "1," respectively. Following this method, the password would be: "t@1rbfw@1pc."
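
The sketch below is an added example, not part of the original article: it derives the password from the article's sentence with the stated substitutions, applies the article's length rules, and estimates the brute-force search space so a four-digit PIN can be compared with an eight-digit PIN and the derived password. The function names and the `COMMON_WORDS` list are assumptions made for illustration.

```python
import math
import string

# Substitutions stated in the article: "a" -> "@", "i" -> "1".
SUBSTITUTIONS = {"a": "@", "i": "1"}
# Constructed placeholder list; a real check would use a large dictionary.
COMMON_WORDS = ("password", "welcome", "qwerty")


def mnemonic_password(sentence: str) -> str:
    """First letter of each word, lowercased, with the article's substitutions."""
    initials = (word[0].lower() for word in sentence.split() if word[0].isalnum())
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in initials)


def search_space_bits(secret: str) -> float:
    """Ceiling on brute-force work in bits: length * log2(alphabet size).

    The alphabet is inferred from the character classes present. The figure
    assumes every character is chosen uniformly at random; a password derived
    from a sentence with fixed substitutions is more predictable than that.
    """
    alphabet = 0
    if any(c.isdigit() for c in secret):
        alphabet += 10
    if any(c.islower() for c in secret):
        alphabet += 26
    if any(c.isupper() for c in secret):
        alphabet += 26
    if any(c in string.punctuation for c in secret):
        alphabet += len(string.punctuation)
    return len(secret) * math.log2(alphabet) if alphabet else 0.0


def meets_article_policy(secret: str) -> bool:
    """PIN: at least eight digits. Password: at least eight characters, no common word."""
    if secret.isdigit():
        return len(secret) >= 8
    lowered = secret.lower()
    return len(secret) >= 8 and not any(w in lowered for w in COMMON_WORDS)


if __name__ == "__main__":
    sentence = ("The ACFE is reducing business fraud worldwide "
                "and inspiring public confidence.")
    # "4821" and "48210937" are constructed sample PINs.
    for secret in ("4821", "48210937", mnemonic_password(sentence)):
        print(f"{secret!r}: policy={meets_article_policy(secret)}, "
              f"<= {search_space_bits(secret):.1f} bits")
```

A four-digit PIN has only 10,000 possible values (about 13 bits), while doubling the length to eight digits raises that to 100 million (about 27 bits).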

CFEs should safeguard security for their professional smartphones and those in their organizations because they're often laden with confidential company information. (Of course, CFEs shouldn't forget that paper data can be equally confidential and necessitate adequate security measures, but that's for another article.)

Find even more tips on how to guard your PII in the full article on Fraud-Magazine.com.