After Greg Kane was promoted to director of internal audit at State Elder Care Co., a management firm for 54 long-term senior citizen care centers in Florida, his first objective was to refresh the risk assessment process. In his opinion, the previous director was too loose with his approach.
Kane met with department leaders as part of the risk assessment, including Tom Anderson, the director of purchasing. Purchasing was identified as an increasingly high-risk area because of the volume of spending and the absence of an internal audit in the last five years. According to Anderson, the department was deeply focused on a cost-savings initiative led by the chief operating officer, Dianna Foster. When asked how the initiative was going, Anderson eagerly expressed how 80% of spending from the 54 centers was consolidated to better leverage purchasing's buying power and reduce expenses and costs.
Kane presented his risk assessment and internal audit plan to the audit committee, which included a review of the purchasing department. Foster resisted the inclusion of purchasing, insisting that the cost-savings initiative was not complete and that an audit would halt improvements. The audit committee agreed to the review primarily based on Kane's insistence that a high-risk area should not be ignored for more than five years.
Internal auditors started the review by testing purchasing controls and performing a high-level analysis of purchasing data, which included looking at overall spending trends by year. They also conducted walk-throughs of purchase order approvals, vendor master file additions, and the bid process. Satisfied with well-documented and performed controls, the auditors chose a sample of 30 purchased items and services and tested them through all purchasing controls. Each test was perfect with three bids for each product, the best bid selected, approvals documented, and authorization levels followed.
When Kane met with his team, one auditor had an unusual comment about one of the samples — the 900 flags purchased the previous year for $150 each for the centers. Having never considered the cost and durability of a flag before, the auditor thought this seemed like a large expense. A quick Google search found that reasonable, quality flags last approximately 90 days and cost around $40. This resulted in a potential overspend of ($150 – $40) x (900 – 200) = $77,000.
Kane double-checked all the workpapers. Everything was in accordance with the purchasing policy, and controls appeared to be in place. And then it hit him. The audit team had not looked into the vendors. He Googled the flag vendor but was unable to find a website. However, he learned that it was incorporated just two years before.
With this new insight, Kane and his team identified any items that increased in spending by 10% or more each year. Several items popped up, adding up to total expenditure of roughly $200 million. The data showed that the items with increased spending nearly doubled each year. Within this sample, they identified items being provided by new vendors, which was nearly half of the sample.
The team then investigated each vendor within the bid process. Each bid appeared legitimate, but many of the companies providing the bids were recently formed and had no website. A few companies were consistently part of the bid process, whether they won or lost. When reviewing past bids, the team noticed that, in many cases, previous vendors were not included in the bid process. Kane's team documented its findings in preparation for a meeting with Anderson.
Kane explained that because of what he found with the flags, he decided to look at more data. Anderson turned pale. Kane asked how procurement chose the flag vendor and how often the flags need to be replaced. After a long silence, Anderson explained in a quivering voice how he and his team worked hard on cost savings and made great progress each year. Because he was short staffed, Foster helped administer bids for some of the items. It seemed like a great idea at first, but the number of items Foster managed grew each year.
Anderson admitted to rubber stamping many of the bids and approvals, assuming everything was above board. They were getting the same quality items they needed and cost savings were going up each year, so he did not think much of it. But he became concerned two years earlier, after one of his long-term vendors contacted him about being excluded from the bid process. Anderson looked into the bid and was surprised to see that it came in higher than expected.
Kane and his team then looked into all the bids to identify the vendors. Twenty-one recently formed companies were new vendors to the company. Further investigation revealed that many of them were registered to Erin Foster, Dianna's sister. Kane and the vice president of legal went directly to the audit committee with their concerns.
For five years, Dianna Foster hid a $15 million fraud behind the purchasing department's cost-savings initiative. She threatened to take business away from vendors if they did not agree to increase their costs by 20% to 30% and give her 80% of the increase as a kickback. One vendor, a hospice provider, agreed to pay Foster a personal referral fee for every senior referred from one of the elder care facilities. By year two, she realized that it would be easier to create companies and include them in the bidding process. The companies, run by her sister, would act as the pass-through for the business — buying the items from the prior vendor, marking up the prices, and splitting the money.
Dianna Foster was eventually arrested and sentenced to six years in jail and restitution. The organization of vendors Erin Foster created included 16 different companies and 87 unique bank accounts. Erin Foster was sentenced to three years in jail and restitution.
- Assume every unanswered question is important. In this case, the fraud would have gone undetected if not for the question about the flags. These unanswered questions do not always lead to fraud, but they will always add context to the state of the business and help demonstrate an understanding of the process reviewed by internal audit.
- Analyzing data can be a powerful tool. However, it is always significantly more powerful when internal auditors know what questions to ask. Running ad hoc analytics midway through an internal audit is a great supplement to running a standard set of analytics at the start.
- Adjust procedures based on risk. Plans are based on assumptions and should be adjusted once new information is discovered. The value of internal audit is not in meeting deadlines, but in helping to identify areas of improvement. As the risk of a process increases with new information, the potential value of audit procedures also increases.
- High-risk areas should always be reviewed regularly. The possibility of a review each year would have prevented this fraud, as Foster would have been more fearful of getting caught. Each year after the first incident, the fraud nearly doubled in size. Catching the perpetrator in year three would have saved the company nearly $10 million. Comparing this to the 300 hours of internal audit time and about 40 hours of purchasing employee time seems like a high return on investment.