A financial institution discovers that an employee has been facilitating unauthorized wire transfers. What is the most effective internal control measure to prevent this type of fraud in the future?
Increase employee bonuses for performance
Implement dual control for all wire transfers
Limit employee access to financial records
Conduct annual fraud risk assessments
Explanation: Implementing dual control for all wire transfers is an effective internal control measure that
requires two individuals to authorize transactions, thereby reducing the risk of unauthorized transfers and
enhancing accountability.
When preparing for an interview, what should be the investigator's primary focus regarding the interviewee's background?
Their personal relationships
Their potential motives for deception
Their social media presence
Their professional qualifications
Explanation: Understanding the interviewee's potential motives for deception is crucial in preparing for the
interview, as it can inform the investigator's approach and questioning strategy.
A jewelry manufacturer experiences shortages in precious metals. The smelting supervisor records higher scrap recovery rates than actual, allowing diversion of pure materials. Concealment involves:
Altering production yield reports
False vendor credits
Fictitious customer orders
Overstated labor hours
Explanation: Altering production yield reports inflates expected outputs or recoveries, concealing theft of
inputs by making records appear consistent with operations. This exploits technical processes where yields
vary, requiring expert verification for detection.
A logistics VP under immense targets rationalizes $5.6M fictitious sales as "creative accounting." This aligns with the fraud triangle component of:
Opportunity via weak segregation
Lack of rationalization
Capability to override controls
Pressure from performance goals
Explanation: The fraud triangle (Cressey) includes pressure (e.g., $5.6M targets), opportunity, and
rationalization. Here, targets drive the act, with "creative accounting" as rationalization.
In qualifying a digital forensics CFE for cryptocurrency tracing, the expert holds certifications in blockchain analysis and testified in 10 similar cases.
Multiple testimonies indicate bias disqualification
Qualification demands peer-reviewed publications
Certifications and testimony history support qualification
Digital expertise requires law enforcement background
Explanation: Relevant certifications, specialized training, and prior qualified testimony demonstrate
expertise for the proffered opinions.
EnerTech recognizes $28 million future contract revenue via long-term service agreements with 90% deferral ignored. Deferred revenue flatlines. Flag?
Revenue growth vs. bookings
Cash conversion cycle
Contract asset/liability net position
Margin stability
Explanation: Timing manipulation accelerates revenue vs. ASC 606 deferral; contract asset/liability
imbalance flags; CFEs map obligations, deferring $25M properly.
Contract: $1M invest, 20% promoter fee, pooled in LLC with advisory board. Security?
No; investor control
No; fixed fee
Yes; pooling prong
Yes; efforts prong
Explanation: Pooling satisfies commonality; advisory cosmetic per case law.
In a civil fraud suit alleging $10 million losses, the jury must find liability if evidence shows 51% likelihood. This reflects which burden?
Preponderance of the evidence
Probable cause
Beyond reasonable doubt
Clear and convincing for punitive
Explanation: Standard civil burden is preponderance (more likely than not), lower than criminal to balance
private dispute resolution in fraud recovery.
During a ransomware incident, the first response step is:
Restore without backups
Ignore the incident
Pay the ransom immediately
Isolate affected systems and notify stakeholders
Explanation: Containment via isolation prevents spread, followed by forensics, law enforcement
notification, and backup restoration (if clean), avoiding payment, which encourages further attacks.
A composite insurer offering both property‑casualty and health products wants to prioritize fraud prevention investments between vehicle insurance fraud and health care fraud. Its internal loss analysis shows that: (1) vehicle fraud results in fewer but higher‑severity staged accident and arson‑for‑profit cases, and (2) health care fraud produces many low‑to‑medium value claims through provider upcoding and unnecessary services. Which strategic approach to detection and prevention is most appropriate given these differing fraud profiles?
Develop specialized SIU expertise and analytics for both lines, with catastrophe‑focused investigations for vehicle fraud and high‑volume pattern analytics for health care fraud
Use the same detection rules and thresholds for both lines to simplify operations
Prioritize health care fraud exclusively because it has more claim events
Focus only on high‑severity vehicle fraud because large cases are more visible
Explanation: Vehicle insurance fraud such as staged accidents and arson‑for‑profit tends to involve fewer
incidents with large individual losses, calling for specialized investigative capacity, scene analysis, and
collaboration with law enforcement. Health care fraud typically manifests as numerous lower‑value claims
across many providers and patients, making it more effectively addressed through high‑volume data
analytics, pattern recognition, and targeted provider reviews. A differentiated yet coordinated strategy that
tailors detection and prevention tools to the specific fraud characteristics of each line optimizes resource
allocation and impact. Applying identical rules and thresholds across fundamentally different fraud
environments would either miss significant risks or create excessive false positives, undermining control
effectiveness.
Question 1:
A financial advisor is approached by an elderly client who has received a phone call from someone
claiming to be from the IRS, demanding immediate payment for back taxes. Which of the following is the
most appropriate action for the advisor to take?
Advise the client to pay the amount immediately to avoid penalties
Instruct the client to ignore the call and not provide any personal information
Suggest the client contact the police to report the scam
Recommend the client seek a tax attorney to resolve the issue
Explanation: The scenario describes a common form of elder fraud where scammers impersonate
government officials to extract money. Advising the client to ignore the call and not provide personal
information is the best course of action, as legitimate government agencies typically communicate through
official channels and do not demand immediate payment over the phone.
Fraud response plan development for a tech firm prone to IP theft includes what advanced element?
Scenario-specific protocols with escalation matrices
Post-incident review exclusion
Employee-wide training mandates only
Generic template usage
Explanation: Advanced plans include tailored responses, decision trees, contact lists, and preservation steps
customized to risks like rapid digital evidence loss in IP cases.
Leverage Index (LVGI) >1 in Beneish model may indicate:
Increasing debt motivating fraud
Sales decline
Asset quality enhancement
Improving margins
Explanation: Rising leverage increases financial pressure, potentially driving earnings manipulation.
An employee who reported tax fraud is later demoted. What legal action can the employee take?
Breach of contract
Defamation
Whistleblower retaliation claim
Intentional infliction of emotional distress
Explanation: The employee can file a whistleblower retaliation claim, asserting that the demotion was a
direct result of their reporting of tax fraud. This claim is essential for protecting employees who expose
wrongdoing.
A registered representative sells away private securities without firm approval, defrauding clients. This highlights failure in which SRO supervisory responsibility?
Outside business activities monitoring
Arbitration procedures
Trade surveillance
Continuing education
Explanation: SROs require firms to supervise private securities transactions and outside activities to
prevent unauthorized, potentially fraudulent sales.
A multinational company discovers a suspected procurement kickback scheme involving a buyer in a European civil law jurisdiction and a vendor headquartered in a U.S. common law jurisdiction. The buyer allegedly steered contracts in exchange for bribes, causing inflated prices. The company asks a fraud examiner to explain how the structure of civil law systems may affect the investigation and litigation strategy compared with common law. Which characteristic of civil law systems is most relevant for planning the evidentiary and procedural approach?
Heavy reliance on judge-led investigation and written dossiers, with less emphasis on oral adversarial cross-examination at trial
Exclusive use of juries for all fraud cases, regardless of complexity
Inability to bring civil claims for fraud in civil law courts
Absence of any codified rules governing evidence and procedure
Explanation: Civil law systems typically feature comprehensive codes governing substantive law and procedure and tend to rely more heavily on judge-driven processes than adversarial party-driven models.
In many civil law jurisdictions, investigative judges or examining magistrates play an active role in
gathering evidence and compiling written case files, and trials may focus on reviewing these dossiers rather
than extensive live adversarial cross-examination. This structure can influence how a fraud examiner
coordinates with local counsel, particularly regarding timing of investigative steps, access to judicial files
and the role of expert evidence. Although civil law systems permit civil claims for fraud and have
structured evidentiary rules, the procedural emphasis differs markedly from common law’s adversarial,
trial-centered cross-examination model.
In a high-tech firm's server parts inventory ($1.2 million), cycle counts show consistent overages in low-value cables masking shortages in processors. The counter rotates items suspiciously, and access logs indicate after-hours RFID tag swaps. Shrinkage concealment relies on what method?
Phantom inventory creation through tag manipulation
Bid rigging with suppliers for inflated credits
Forced balancing by shifting counts across categories
Inventory lapping via rotated over/under statements
Explanation: Forced balancing by shifting counts across categories conceals processor theft by overstating
cables to offset shortages, creating a net-zero variance that evades shrinkage thresholds. RFID swaps
enable precise manipulation during rotations. Detection requires analytical review of item correlations and
mandatory blind counts with independent teams.
Tracing remailer services in an $8.5 million embezzlement, the CFE identifies sources: browser cache on suspect's phone, router ARP tables, ISP remailer logs via subpoena, and Tor exit node IPs. Which digital evidence source demands volatility prioritization during planning?
Tor node blacklists
Browser session cache
ISP remailer subpoena records
Router ARP cache tables
Explanation: Browser cache on the phone holds ephemeral session cookies and DOM storage linking to remailers, volatile upon power-off or clearing, requiring live acquisition before imaging. Router ARP is semi-persistent but less critical than active sessions tying to $8.5M transfers, per sources of digital evidence hierarchy in forensics planning.
AutoDealer books $11M unsold floorplan as inventory sales. GP% spikes 5%. Flag?
Margin anomaly
Inventory turns
Cash flow
AR days
Explanation: Concealed expenses; gross profit test reveals; physical count exposes.
Government auditors follow standards similar to private-sector for fraud. This ensures consistency in what?
No fraud responsibility
Fraud consideration in financial audits
Performance audits exclusively
Operational audits only
Explanation: INTOSAI standards apply fraud responsibilities akin to ISA 240 for public-sector financial
statement audits.
The role of self-regulatory organizations includes market surveillance to detect anomalies. In detecting spoofing where fake orders are placed and canceled to mislead, SROs primarily rely on which tool?
Audit trails
Trade reporting systems
Issuer filings
Customer complaints
Explanation: SROs use consolidated audit trails and surveillance systems to monitor order and trade data,
identifying manipulative patterns like spoofing that distort market perception.
In a scenario involving volatile resistance from a senior executive during a fraud interview, Amelia, a CFE, should prioritize techniques that:
Shift to written questionnaires only
Maintain professional neutrality and use diffusion strategies
Involve immediate involvement of law enforcement
Allow uncontrolled emotional outbursts
Explanation: Difficult interviewees require calm diffusion: acknowledging feelings, using silence, and
redirecting productively. Neutrality preserves control; escalation or avoidance forfeits information
potential.
An electronics retailer notes persistent shrinkage in high-demand items. Surveillance reveals employees concealing products in trash bins for later retrieval. To prevent detection during inventory counts, they manipulate count sheets by double-counting adjacent items. This concealment involves:
Falsification of physical inventory observations
Altered perpetual records post-theft
Overbilling to absorb losses
False credits from vendor returns
Explanation: Falsification of physical inventory observations includes tampering with count tags,
miscounting, or altering sheets during audits to hide shortages. Double-counting or skipping stolen sections
masks theft, particularly effective when counts are performed by involved employees without independent
oversight.
A defense contractor's CFE handles classified bid-rigging intel worth $15 million, bound by confidentiality. A subpoena demands disclosure. Per ethics, what governs release of privileged information?
Comply only if fraud exceeds $10M
Retain indefinitely for defense
Client consent overrides legal demands
Disclose per legal authority requirements
Explanation: Ethics allow confidential disclosure when legally required, as with subpoenas on $15M intel.
Consent secondary, thresholds irrelevant, retention breaches duty.
A laboratory performs comprehensive genetic testing panels on all patients regardless of medical necessity, billing payers for each component separately rather than as bundled tests. This results in significantly higher reimbursements. The scheme is which type?
Panel explosion
Unbundling
Overutilization
Fragmented billing
Explanation: Unbundling, or fragmented billing, separates integrated services into individual codes to
maximize payments, prohibited when bundles exist. This provider scheme contrasts with overutilization of
needed tests, phantom services, or explosion via unnecessary panels.
During a fraud examination at a credit union, analysts identify red flags including frequent large cash deposits just under reporting thresholds, followed by immediate wire transfers abroad, from accounts opened with foreign passports. Which red flag combination suggests potential financial institution fraud?
Inconsistent employment history on loan applications
Overstated assets on personal financial statements
High-velocity transactions with structured deposits
Multiple loans with declining property values
Explanation: Structured deposits (below reporting thresholds) combined with rapid international transfers
are classic red flags for money laundering or new account fraud to move illicit funds. In financial institutions, this indicates exploitation of new accounts for layering. Other options relate more to loan fraud red flags like documentation inconsistencies or appraisal issues.