By Cheryl Hall
The Dallas Morning News
April 1, 2007
If you want to keep your business from being a victim of fraud, it helps
to think like a crook.
And if you aren't worried because you trust everyone you work with,
Those words of experience come from Jeff Matthews, forensic and
investigative services director at Grant Thornton LLP in Dallas.
And there's one thing more. "If you want to know what a fraudster looks
like," he says, "look to the person on your right, then to the one on
your left, and it will look like the person in the middle. White-collar
criminals look like you and me."
These days, Mr. Matthew is a busy guy thanks to Enron Corp., WorldCom
Inc. and the like.
"It's been an amazing ride for the past three years," says the
33-year-old certified fraud examiner, who's helped build Grant
Thornton's forensic practice from just him in 2004 to 14 accountants.
"We're seeing more fraud come to light. That doesn't necessarily mean
there's more or less fraud than before Sarbanes-Oxley. It's just that
more people are required to look for it."
Mr. Matthews, who earned his accounting degree at the University of
Louisiana at Monroe in 1995, received his "master's" in forensics as a
23-year-old investigating political corruption in Louisiana for the
state's legislative auditor's office.
"We had plenty to do," he says. "It's been an interesting transition for
my career from investigating political corruption to working with
companies to keep fraud from happening."
While the financial aspects of Sarbanes-Oxley have grabbed headlines,
C-level execs and audit committees are realizing an underlying
obligation: They must ferret out foxes in the henhouse.
Financial statements have to be certified as correct and that any fraud
and misconduct by management has been disclosed. Further, audit
committees must investigate allegations of misconduct brought to their
"You have more sanctions and structure," Mr. Matthews says. "They
realize they have real obligations to investigate things."
Kevin Mann, director of business conduct and compliance at Lennox
International Inc., agrees.
"With Sarbanes-Oxley, there's much more pressure to put these systems in
place. A lot of resources got thrown into this. It was like throwing
spaghetti against the wall," he says. "Now companies are starting to
focus on some of the real dangers."
And fraud isn't just a worry for the big guys.
The Association of Certified Fraud Examiners estimates that, on average,
every business in America loses 5 percent of its annual income to
employees illegally lining their pockets.
"Every company has been baited," Mr. Matthews says, using a fishing
analogy for a financial vulnerability that an employee or vendor may
"The cork bobs a little bit before it goes under. Fraud usually starts
small, with just a few nibbles. Then they take the bait, and the scam
The case that sticks out most in Mr. Matthews' mind started with $6.08
every two weeks taken by the controller of an oil and gas company.
Over the course of four years, this employee of 20-plus years ramped up
his pillaging to $300,000 and $400,000 a swipe, with a total take of $7
Why did he do it? He enjoyed the high life.
When the company finally took notice and went after him, it recovered
six automobiles and two homes worth roughly half what he stole. He went
to jail, and the company survived.
"It wasn't the size of the loss. It was such a breach of trust," says
Mr. Matthews. "The intangible damage that it wreaked upon that company
was devastating. They trusted him with the keys to the mansion, and he
looted the place."
There are heartbreaking cases in which people commit fraud because they
need money for a dying relative or a sick child, Mr. Matthew says. "It
wasn't a game or for personal gain. Those are tough cases to
Getting the accountants
But Mr. Matthews relishes cases that involve accountants.
"They document their fraud to the decimal point," he says. "The easiest
way to get an accountant to confess is to accuse him of taking a little
more than he took.
"You can say, 'Mr. Accountant, we have proof that you took $5 million.'
And he'll respond, 'Absolutely not, I took only $4.8 million, and I've
got records that show it.' "
Many companies make themselves vulnerable because they don't adhere to
the rules they've put in place. Both Mr. Matthews and Mr. Mann find that
"Many anti-fraud controls are manual in nature," says Mr. Matthews,
giving examples such as getting dual signatures on checks or having a
supervisor approve purchase orders. To save time and cut hassles,
executives sometimes pre-sign checks or use a rubber stamp.
"It's like latches on your cabinets when you're babyproofing," Mr.
Matthews says. "They work wonderfully when they're applied
appropriately. But if they're lying on your counter because they're a
pain to get undone, they're totally ineffective."
Mr. Mann says Lennox aims for an atmosphere that deals openly with fraud
and misconduct and the consequences.
"You want to create a culture where people aren't afraid to talk about
it," he says. "Fraud exists in every company. There are always going to
be employees, contractors or vendors who try to take advantage of the
"So you try to build in good controls and an awareness of how people
might try to do this."
And managers need to have trust, not faith, Mr. Mann says.
Take expense accounts, for example. "Faith is when you don't ask for
documentation because you assume people are following the rules. Trust
is when you're not afraid to ask."
Prevention Starts With Questions
What questions should executives and business owners ask themselves to
detect, prevent and deter fraud and misconduct in their companies?
Jeff Matthews, forensic and investigative services director of Grant
Thornton LLP, suggests the following:
* If you were to commit misdeeds against your company, how would you do
it? How would you get around measures that are in place? Ask senior
managers the same questions. "An honest employee will tell you where
the weaknesses are and what needs to be tightened."
* For C-level executives at publicly held companies: Would your
employees say they are under undue pressures to meet analyst
expectations or earnings forecasts? Would they think those
expectations are reasonable and realistic?
"Fear of failure may be so excessive that they'll skirt rules or play in
the gray areas to get ahead just a little bit," Mr. Matthews says.
* How much fraud is inevitable or acceptable in your organization?
Again, the executives' answers should be compared with midlevel
"The CEO or CFO may feel that that no level of fraud is tolerable," says
Mr. Matthews. "But when you get down to where the rubber meets the road
in the organization, they may have a different perspective."
* How confident are you that you would discover fraud within your
"Then flip that around and ask midlevel managers how comfortable are
they that if they brought fraud or misconduct to senior management's
attention, that it would be dealt with swiftly and appropriately."
Visit the InfoSec News Security Bookstore