Police Entangled in Tow-truck Kickbacks<p>A 10-month investigation has uncovered an alleged kickback scheme involving Ottawa police officers and a tow-truck operator. According to the police investigation and reporting by the <a href="" target="_blank"><em>Ottawa Citizen</em></a>, three officers solicited bribes from a towing service in exchange for information about the locations of vehicle crashes. </p><p>Other towing services had complained to the police about the alleged arrangement since 2018. Moreover, drivers involved in crashes said they had observed money changing hands between police officers and tow-truck drivers. The Royal Canadian Mounted Police (RCMP) has filed criminal charges against the officers, the owner of a tow-truck company, and two other individuals. </p><h2>Lessons Learned</h2><p>This news story and a <a href="" target="_blank">similar investigation involving sheriff's deputies in California</a> highlight two issues that internal auditors can help law enforcement agencies address: 1) establishing and enforcing a strong ethics and conflict-of-interest regime, and 2) implementing better controls over tow-truck operations involving police officers. </p><p>The City of Ottawa's police chief has expressed that the Ottawa Police Service's (OPS') code of conduct and ethics regime must be reviewed and strengthened. That exercise should be informed by the breadth and depth of the allegations against the three officers charged with several crimes by the RCMP, including:</p><ul><li>Giving out police information about vehicle collisions to one towing service and getting a financial kickback. Further, the officers allegedly gave that operator access to confidential OPS databases. 
Additionally, the RCMP has charged a family member of the towing operator with secret commissions.</li><li>Obstruction of justice and breach of trust.</li><li>Causing a false insurance claim to be made about a collision.</li><li>Using the position of a police officer for personal gain on a dating website.</li><li>Conspiring to break and enter to commit theft.</li></ul><p><br></p><p>From the standpoint of strengthening the OPS code of conduct and ethics regime, one step the department has undertaken is establishing a unit responsible for ethics and code of conduct issues, headed by a senior officer at the superintendent (executive equivalent) level. Other measures that should be in place include:</p><ul><li>A code of conduct and ethics compliance regime, policies, and processes that specifically prohibit the kinds of behaviors listed above, along with disciplinary consequences for noncompliance. The regime should include a "zero tolerance" policy as appropriate for law enforcement officials.</li><br> <li>Regular reporting of cases involving disciplinary, ethics, and conduct issues, such as in the OPS Annual Report. The OPS reports on some professional conduct issues, but this mainly is statistical information. As a deterrent, the OPS should publicize cases where officers are found guilty of inappropriate or fraudulent actions.</li></ul><p><br></p><p>Regarding the issue of controls over police forces and their interactions with towing services, the OPS and city officials should review the department's operations and policies, in part, to determine whether its processes need to change. That should include whether officers should have discretion about which towing service to call.</p> <p>Perhaps a "blind" dispatch system is needed to ensure a better distribution of work among the various tow-truck operators in Ottawa. 
Making such changes may be complex in cases in which vehicles are involved in possible criminal activities, or where drivers in an accident have their own towing service, such as through the Canadian Automobile Association or a credit card company. </p>Art Stewart
Breaking Down the Fraud Policy<p>Nearly half of all global organizations in PwC's 2018 Global Economic Crime and Fraud Survey admit to having been the victim of fraud and economic crime in the past two years, resulting in more than $7 billion in total losses and a median loss of $130,000 per case. Nearly half of those frauds were because of internal control weaknesses.</p><p>Internal audit plays several key roles in the prevention, detection, and monitoring of fraud risks. First, as internal audit has broad visibility into the different areas of the enterprise, it should be aware of potential red flags of fraud in all audit engagements and identify ones that may warrant further investigation. Also, internal audit should assess the effectiveness of controls designed to mitigate fraud risk. Finally, internal audit can lend valuable expertise in an advisory role to the development of the fraud policy. To do this, internal auditors need to understand the key elements of a strong policy, and who it should involve.</p><h2>The Building Blocks</h2><p>Any organization can be a victim of fraud, regardless of its size, industry, or location. The most effective recourse is to develop a strong and implementable fraud policy that defines unacceptable behavior and how the organization will respond to it. 
While policies can vary depending on the organization's number of employees, industry complexity, and operating environment, the fundamental elements remain the same:</p><ul><li>The policy has top-down support.</li><li>It includes clear, specific language and examples.</li><li>It accurately and effectively defines fraud.</li><li>There is policy ownership, so a specific person or group of people is charged with overseeing the development and implementation of the fraud policy.</li><li>It clearly spells out personnel roles and responsibilities.</li><li>It explains the disciplinary and legal actions the organization will take.</li><li>It makes anonymous hotlines and reporting options available.</li><li>There is an effective communication plan around the policy.</li></ul> <p>While no fraud policy can define every fraudulent action, a well-written policy uses clear language and relatable examples to help reduce uncertainty about what the organization considers illegal activity. It also provides clear instructions regarding the responsibilities and procedures to be followed by all involved when illegal activity is suspected or uncovered. </p><p>However, it doesn't matter how well the fraud policy is written if it sits in a three-ring binder gathering dust. The organization must ensure that the fraud policy is not only created, but also read and understood by all internal personnel and external parties with which it engages. The greater the importance the organization places on this document, the greater the likelihood employees will place an equal amount of importance on it. From regular manager/employee policy reviews to live training to role playing, the same message, stance, and emphasis on eliminating fraud can be reinforced. 
Regular communication not only promotes understanding, but also can deter potential fraudsters.</p><p>Occupational fraud is most efficiently organized into three categories, each of which companies must identify and communicate to personnel. </p><ul><li><em>Asset misappropriation</em> is the stealing or misuse of enterprise resources by personnel. This occurred in more than 89% of all reported cases and resulted in a median loss of $114,000, according to the Association of Certified Fraud Examiners' (ACFE's) Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse.</li><li><em>Corruption schemes</em> occur when personnel misuse their influence during business transactions to obtain benefit and violate their duties to the employer. According to the ACFE study, this accounts for 38% of occupational fraud cases with a median loss of $250,000.</li><li><em>Financial statement fraud</em> occurs when personnel intentionally cause misstatements or omit information in enterprise financial reports. It is the least common but most costly, averaging $800,000 per incident.</li></ul><h2>Prosecuting Fraud</h2><p>While fraud detection and prevention is an organizationwide effort, clearly defined roles must be instituted to promote responsibility and reduce confusion. For example, the board of directors is responsible for corporate fraud governance, and management must be engaged in executing these policies. Internal audit's role should be clearly defined, as well. Auditors must have the authority to ensure fraud controls are appropriate and effective, to investigate instances of possible fraud, and to support management in executing the fraud risk assessment.</p><p>Without the threat of prosecution, a fraud policy is little more than a toothless tiger. Therefore, it's critical that the policy conveys a plan of disciplinary action to all personnel. 
The fraud policy must include a statement that all appropriate measures to deter fraud will be taken and all instances of suspected fraud will be investigated and reported to the appropriate authorities. </p><p>Generally, organizations have four options when fraud is uncovered: criminal prosecution, civil fraud lawsuit, a mutually agreed upon termination of the perpetrator, or no action. There are varying schools of thought as to which of these actions should apply to different fraud situations. For example, it can be argued that taking no action is one of the surest ways to promote an organization's susceptibility to future fraud because of the perception of impunity. On the other hand, there also are cases when the cost of prosecution exceeds the cost of the fraud and other disciplinary actions may be preferred. Some organizations will prosecute all fraud regardless of monetary value. From the internal auditor's perspective, however, the key question is whether the organization has considered the risks of its disciplinary policy (reputational risk, cost, future fraud risk, etc.) and is comfortable with them.</p><p>The fraud policy must provide personnel with instructions regarding the steps to take when suspecting fraud. The policy should remind personnel that they are not prosecutors of the law and that their job is to report their findings to the organization's appropriate party. The fraud policy should provide anonymous avenues to give employees confidence that they can safely report potential fraud, such as a fraud hotline number. In addition to verifying the existence of a hotline, internal audit also may want to understand whether it is being used and how effectively the company has responded to these tips.</p><h2>A Preventive Measure</h2><p>In the end, a fraud policy is an inexpensive and effective method for reducing the threat of potentially crippling financial losses. 
Furthermore, all departments, including internal audit, can play major roles in its development. This stand-alone document should be seen by all personnel as playing an integral role in the organization's health and longevity.</p>Chris Errington
The Double Dipper<p>Robert Shull and Alysa Cayden, the forensic audit team at Midnight Sun Inc. (MSI), sat with Justin Planter, a regional sales manager at the solar power company, as he rolled his eyes and made condescending faces. MSI’s procurement department forwarded Planter’s travel and expense (T&E) reports to Cathy Francis, the human resources manager, after an employee noted that spending was not consistent with the company’s T&E policy. Francis reviewed the reports and was concerned that there was a greater pattern of abuse, so she requested that Shull and Cayden examine his T&E reports.</p><p>Sitting next to Planter was his boss, Thomas Cooper, a veteran regional manager with more than 25 years of experience with MSI. During the interview, Planter admitted to purchasing a personal cell phone using his company credit card. In addition, he frequently used the card for alleged business meetings at establishments that bordered on adult entertainment. Much to his surprise, Planter’s employment was subsequently terminated. </p><p>After the interview, Shull and Cayden felt something was amiss. Cooper approved all of Planter’s T&E reports but was not suspicious of any of his spending. Also, they noticed that Cooper’s statements were inconsistent, requiring him to revise them on several occasions.</p><p>After his firing, Planter contacted MSI’s CEO, James Spicolli, and explained how Cooper allowed his management team members to use their corporate credit cards to dine out, make personal purchases, and charge mileage for business travel despite being reimbursed through another program. Planter also claimed that Cooper attended many of the dinners and instructed him to pay the bill so that he could approve the expenditure, thus avoiding the scrutiny of Cooper’s manager. 
He also alleged that Cooper coached him before the interview on what to say and promised that there would be no significant disciplinary action.</p><p>To review Planter’s allegations, Shull and Cayden obtained all T&E reports for Cooper and his management team. Data analytics compared the company policy against spending. One area of focus was cash reimbursements for expenses below $25, the minimum amount requiring receipts to be submitted.</p><p>The results were shocking. Cooper’s team members used their corporate credit cards for expenses well outside the T&E policy. Furthermore, Cooper approved every expense report submitted to him. They found numerous abuses of travel expenses:</p><p></p><ul><li>Managers split expenses to stay below the $25 internal control threshold. In one instance, two managers split unknown expenses at a liquor store. </li><li>One manager submitted for cash reimbursement for client meetings over lunch or dinner for $24.99 every other day for more than two years.</li><li>Multiple holiday parties and team meetings were reimbursed, including a substantial liquor bill at each.</li><li><p>Team members expensed mileage reimbursement twice. <br></p></li></ul><p>Shull and Cayden put together detailed profiles on Cooper and each manager, including their expense reports, supporting invoices, and the section of the T&E policy they violated. Additional evidence gathered during interviews resulted in the termination of Cooper and several other managers. Cooper justified the expenditures by explaining he was under budget for T&E expenses on his annual profit and loss statement.</p><p>Shull and Cayden then embarked on a companywide T&E audit. They obtained six months of data from MSI’s online T&E reporting program. The program allowed employees to book transportation and lodging, code expenditures by spending category, and submit expense reports for approval. 
Deviations from policy were flagged for the employee’s manager to review before approving the expense report. </p><p>Shull and Cayden organized and ranked all spending by employee and spending category. Their team selected T&E reports for detailed testing for the most egregious spending by category based on total spending and frequency of policy violation. Text analysis on words such as “gift card,” “baby shower,” and “party” identified miscoded or out-of-policy expenditures. They selected samples, reviewed receipts attached to the expense reports, and documented all policy violations. Finally, the investigation team interviewed the employees who submitted the expense reports. Policy violations included:</p><ul><li>A lack of review by managers of exceptions identified by the T&E program, which flagged millions of dollars of expenditures that were outside policy. </li><li>Abuse of cellphone reimbursement.</li><li>Abuse of meal reimbursement, first-class travel, and hotel lodgings.</li><li>Cash reimbursement where no invoice was submitted to support the expense.</li><li>Personal spending at online retailers.</li><li>Spending and funds transfers through money service providers, such as PayPal and Venmo, which have limited audit trails. </li><li>Purchases of gift cards. </li><li>Numerous spending violations in Las Vegas, including front row seats to shows and $1,000 dinners at four-star restaurants.</li></ul><p>Individual violations included:</p><ul><li>An employee transferred $7,000 from his corporate credit card to his personal business through a money service provider. </li><li>Employees shared their credit cards with one another when they reached their card limits.</li><li>A manager sponsored a “kids” event at a local bar. </li><li>A manager purchased gifts for his secretary at a popular women’s lingerie company.</li></ul><p>After the investigation, MSI invested in T&E audit software to review all reports in real time. 
When the software identifies T&E reports with excessive policy violations, the procurement department rejects them. In extreme cases, procurement forwards them to the forensic audit team. In addition, MSI started blocking spending on company credit cards by merchant category codes, which classify businesses by the products or services they provide. The T&E policy was updated to eliminate the use of money service providers. </p><p>In most cases of fraud, the employee was terminated. Employees who violated the T&E policy were reprimanded, and demand notices for repayment were sent to employees whose misdeeds were discovered after they left MSI. After one year, T&E spending was reduced by more than $5 million.</p><p><br></p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>Lessons Learned</strong></p><ul><li>Periodically conduct a T&E audit to ensure employees are in compliance with the T&E policy. Review and update the T&E policy and educate employees as part of annual code of conduct training. Low-cost software can review all T&E reports in real time. </li><li>Management should review subordinates’ T&E assumptions during its annual budgeting period. In MSI’s investigation, a management team used the T&E budget as a slush fund for personal spending and out-of-policy entertainment. </li><li>T&E policies should not allow for the use of money service providers (e.g., PayPal). These providers allow for the purchase of goods and services or the transfer of funds for personal use. They also have limited audit trails, which enhances the risk of fraud. </li><li>The organization should block merchant category codes on corporate T&E cards for goods and services that would not be appropriate for its business or allowable under its T&E policy.</li></ul></td></tr></tbody></table><p></p>Grant Wahlstrom
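<p>The T&E tests described in the article above (claims held just under the $25 receipt threshold, purchases split across reports, keyword text analysis, and mileage claimed twice) can be expressed as a few detection rules. The following is an added example, not code from the article or from MSI; the record layout, field names, margins, and sample data are constructed assumptions.</p>

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
import re

RECEIPT_THRESHOLD = Decimal("25.00")  # receipts required at or above this amount
KEYWORDS = ("gift card", "baby shower", "party")  # terms named in the article


@dataclass(frozen=True)
class Expense:  # hypothetical export format of a T&E system
    report_id: str
    employee: str
    day: date
    merchant: str
    category: str
    amount: Decimal
    description: str
    has_receipt: bool


def just_under_threshold(expenses, margin=Decimal("1.00"), min_count=3):
    """Employees with repeated receipt-free claims just below the threshold."""
    floor = RECEIPT_THRESHOLD - margin
    found = defaultdict(list)
    for e in expenses:
        if not e.has_receipt and floor <= e.amount < RECEIPT_THRESHOLD:
            found[e.employee].append(e.report_id)
    return {emp: ids for emp, ids in found.items() if len(ids) >= min_count}


def split_purchases(expenses):
    """Same merchant and day, every claim under the threshold, total at or over it."""
    groups = defaultdict(list)
    for e in expenses:
        if e.amount < RECEIPT_THRESHOLD:
            groups[(e.merchant.lower(), e.day)].append(e)
    flagged = []
    for (merchant, day), items in groups.items():
        total = sum((e.amount for e in items), Decimal("0"))
        if len(items) > 1 and total >= RECEIPT_THRESHOLD:
            flagged.append((merchant, day, sorted({e.employee for e in items}), total))
    return flagged


def _term_regex(term):
    # Whole-word match that tolerates irregular spacing inside a phrase.
    return r"\b" + r"\s+".join(re.escape(w) for w in term.split()) + r"\b"


def keyword_hits(expenses, keywords=KEYWORDS):
    """Map report id -> watch-list terms found in the free-text description."""
    compiled = {k: re.compile(_term_regex(k), re.IGNORECASE) for k in keywords}
    hits = {}
    for e in expenses:
        found = sorted(k for k, rx in compiled.items() if rx.search(e.description))
        if found:
            hits[e.report_id] = found
    return hits


def double_mileage(expenses):
    """Mileage claimed more than once by the same employee for the same day."""
    claims = defaultdict(list)
    for e in expenses:
        if e.category == "mileage":
            claims[(e.employee, e.day)].append(e.report_id)
    return {key: ids for key, ids in claims.items() if len(ids) > 1}


def rank_employees(expenses):
    """Rank employees by number of flagged items, most flagged first."""
    owner = {e.report_id: e.employee for e in expenses}
    score = defaultdict(int)
    for emp, ids in just_under_threshold(expenses).items():
        score[emp] += len(ids)
    for _merchant, _day, employees, _total in split_purchases(expenses):
        for emp in employees:
            score[emp] += 1
    for report_id in keyword_hits(expenses):
        score[owner[report_id]] += 1
    for (emp, _day), ids in double_mileage(expenses).items():
        score[emp] += len(ids) - 1  # the first claim is legitimate
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


D = Decimal
SAMPLE = [  # constructed records, not data from the case
    Expense("R1", "mgr_a", date(2019, 3, 4), "Corner Liquor", "meals", D("19.50"), "client refreshments", True),
    Expense("R2", "mgr_b", date(2019, 3, 4), "Corner Liquor", "meals", D("18.75"), "client refreshments", True),
    Expense("R3", "mgr_c", date(2019, 3, 5), "cash", "cash", D("24.99"), "client lunch", False),
    Expense("R4", "mgr_c", date(2019, 3, 7), "cash", "cash", D("24.99"), "client lunch", False),
    Expense("R5", "mgr_c", date(2019, 3, 9), "cash", "cash", D("24.99"), "client dinner", False),
    Expense("R6", "mgr_a", date(2019, 3, 11), "Online Retailer", "supplies", D("200.00"), "Gift  card for baby shower", True),
    Expense("R7", "mgr_b", date(2019, 3, 12), "n/a", "mileage", D("43.20"), "mileage to client site", False),
    Expense("R8", "mgr_b", date(2019, 3, 12), "n/a", "mileage", D("43.20"), "mileage to client site", False),
    Expense("R9", "rep_d", date(2019, 3, 12), "Airport Cafe", "meals", D("12.40"), "breakfast, travel day", True),
]

if __name__ == "__main__":
    print(rank_employees(SAMPLE))
```

<p>Each rule only nominates reports for review; as in the article, the flagged items still need receipts checked and the submitter interviewed before a violation is recorded.</p>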
Beware the Coronavirus Scams<p>As if sheltering in place during a pandemic wasn't bad enough, criminals are using the coronavirus (COVID-19) crisis to target people who are working from home, the <a href="" target="_blank">U.S. Federal Bureau of Investigation (FBI) warns</a>. According to the FBI's Internet Crime Complaint Center, these attacks are using email on two fronts. </p><p>First, attackers are sending email pretending to come from the U.S. Centers for Disease Control and Prevention (CDC), offering information on COVID-19. Instead, the links and attachments contain malware that steals personal information or ransomware that locks the user's computer until the person makes a payment.</p><p>Second, criminals are using phishing email to request personal information, claiming it is necessary for receiving a government economic stimulus check. Other phishing scams include requests for charitable contributions and offers for financial relief, airline refunds, and fake virus cures and testing kits. </p><h2>Lessons Learned</h2><p>Whenever an extraordinary event occurs that forces people to rapidly modify their behaviors from their normal routines, fraudsters exploit the situation. As the COVID-19 pandemic unfolds, the FBI's warning about fraud schemes is both timely and helpful. </p><p>Internal auditors should watch out for additional fraud threats not mentioned by the FBI. Inevitably, while the current pandemic is unique, as it progresses through its various stages of impact and ultimately fades, new forms of fraud will be on the march. Here, auditors can learn from what happened during the 2009 H1N1 swine flu pandemic.</p><p>During the H1N1 outbreak, the CDC had to address fraud related to falsification of testing, certification, distribution, and marketing irregularities involving influenza vaccines and related supplies. 
Some of the fraud and abuse schemes that are likely to arise once COVID-19 vaccines or treatments become available include:</p><ul><li><strong>Investment scams and false claims about supposed COVID-19 vaccines and treatments.</strong> Already, authorities have arrested an individual in California who <a href="" target="_blank">allegedly had solicited investments</a> for a COVID-19 "miracle cure." Criminals are likely to market and advertise fraudulent product claims, bogus products, and implied endorsements by government agencies — including agency logos — through websites, email, and social media. Regulators, investors, and auditors need to be vigilant, do their investment research, and avoid being panicked or swayed by the current pandemic.<br><br></li><li><strong>Health-care provider schemes.</strong> Likewise, internal auditors should watch out for schemes in which doctors, pharmacists, and other medical professionals collude to make false claims, get kickbacks, and seek reimbursement for unnecessary tests from Medicaid, Medicare, and insurance providers. Such fraud already is common, but may grow as the scope and scale of COVID-19 treatment activities expand. For example, the FBI recently charged a marketing company executive in Georgia with <a href="" target="_blank">allegedly receiving kickback payments</a> for steering patients to providers for COVID-19 testing and defrauding Medicare.<br><br></li><li><strong>False or inflated billing for a COVID-19 vaccine.</strong> Governments have not determined how they will deal with the costs and pricing of a potential COVID-19 vaccine. In the U.S., the federal government provided H1N1 vaccine doses and related supplies at no cost to patients, although it charged administrative fees. 
Regardless of who pays for doses of a vaccine, authorities should be wary of schemes in which health-care providers seek an out-of-pocket fee directly from the patient that is above the maximum allowable charge from insurance or government-provided coverage.<br><br></li><li><strong>Illegal or false manipulation of COVID-19 vaccine supplies.</strong> Given the global nature of this pandemic and of worldwide supply chains, fraudulent diversion schemes are likely. One example is selling or diverting vaccines or related supplies provided by the federal government. This activity may occur in combination with counterfeiting, adulterating, theft, or other consumer fraud schemes. <br> <br>Diversion schemes may include situations where criminals move legitimate prescription drugs or vaccines into illegal channels, such as the black market, illegal Internet sales, and sales without prescription. These treatments also may be acquired illegally through smuggling or via cargo, wholesale, manufacturer, and distributor theft.<br><br></li><li><strong>Exploiting control weaknesses.</strong> Governments and health-care agencies have emphasized using computer-based modeling and analysis to, for example, attempt to predict the path of COVID-19 impacts, with and without mitigation strategies. This analysis was not as advanced in the era of H1N1. However, it could assist in identifying control weaknesses in regulatory, benefits delivery, and program management systems that are being developed and deployed rapidly to address COVID-19. Internal auditors should focus on ways to help identify these weaknesses and reduce the organization's susceptibility to fraud threats.</li> </ul><p><br></p><p>The CDC's website has much good <a href="" target="_blank">information</a> to educate the public about pandemic fraud. It should add information about where and how to report suspected COVID-19 fraud, including a hotline.</p>Art Stewart
The Fraud Behind the Flags<p>After Greg Kane was promoted to director of internal audit at State Elder Care Co., a management firm for 54 long-term senior citizen care centers in Florida, his first objective was to refresh the risk assessment process. In his opinion, the previous director was too loose with his approach. </p><p>Kane met with department leaders as part of the risk assessment, including Tom Anderson, the director of purchasing. Purchasing was identified as an increasingly high-risk area because of the volume of spending and the absence of an internal audit in the last five years. According to Anderson, the department was deeply focused on a cost-savings initiative led by the chief operating officer, Dianna Foster. When asked how the initiative was going, Anderson eagerly expressed how 80% of spending from the 54 centers was consolidated to better leverage purchasing's buying power and reduce expenses and costs. </p><p>Kane presented his risk assessment and internal audit plan to the audit committee, which included a review of the purchasing department. Foster resisted the inclusion of purchasing, insisting that the cost-savings initiative was not complete and that an audit would halt improvements. The audit committee agreed to the review primarily based on Kane's insistence that a high-risk area should not be ignored for more than five years. </p><p>Internal auditors started the review by testing purchasing controls and performing a high-level analysis of purchasing data, which included looking at overall spending trends by year. They also conducted walk-throughs of purchase order approvals, vendor master file additions, and the bid process. Satisfied with well-documented and performed controls, the auditors chose a sample of 30 purchased items and services and tested them through all purchasing controls. 
Each test was perfect with three bids for each product, the best bid selected, approvals documented, and authorization levels followed. </p><p>When Kane met with his team, one auditor had an unusual comment about one of the samples — the 900 flags purchased the previous year for $150 each for the centers. Having never considered the cost and durability of a flag before, the auditor thought this seemed like a large expense. A quick Google search found that reasonable, quality flags last approximately 90 days and cost around $40. This resulted in a potential overspend of ($150 – $40) x (900 – 200) = $77,000.</p><p>Kane double-checked all the workpapers. Everything was in accordance with the purchasing policy, and controls appeared to be in place. And then it hit him. The audit team had not looked into the vendors. He Googled the flag vendor but was unable to find a website. However, he learned that it was incorporated just two years before. </p><p>With this new insight, Kane and his team identified any items that increased in spending by 10% or more each year. Several items popped up, adding up to total expenditure of roughly $200 million. The data showed that the items with increased spending nearly doubled each year. Within this sample, they identified items being provided by new vendors, which was nearly half of the sample. </p><p>The team then investigated each vendor within the bid process. Each bid appeared legitimate, but many of the companies providing the bids were recently formed and had no website. A few companies were consistently part of the bid process, whether they won or lost. When reviewing past bids, the team noticed that, in many cases, previous vendors were not included in the bid process. Kane's team documented its findings in preparation for a meeting with Anderson.</p><p>Kane explained that because of what he found with the flags, he decided to look at more data. Anderson turned pale. 
Kane asked how procurement chose the flag vendor and how often the flags need to be replaced. After a long silence, Anderson explained in a quivering voice how he and his team worked hard on cost savings and made great progress each year. Because he was short staffed, Foster helped administer bids for some of the items. It seemed like a great idea at first, but the number of items Foster managed grew each year. </p><p>Anderson admitted to rubber stamping many of the bids and approvals, assuming everything was above board. They were getting the same quality items they needed and cost savings were going up each year, so he did not think much of it. But he became concerned two years earlier, after one of his long-term vendors contacted him about being excluded from the bid process. Anderson looked into the bid and was surprised to see that it came in higher than expected. </p><p>Kane and his team then looked into all the bids to identify the vendors. Twenty-one recently formed companies were new vendors to the company. Further investigation revealed that many of them were registered to Erin Foster, Dianna's sister. Kane and the vice president of legal went directly to the audit committee with their concerns. </p><p>For five years, Dianna Foster hid a $15 million fraud behind the purchasing department's cost-savings initiative. She threatened to take business away from vendors if they did not agree to increase their costs by 20% to 30% and give her 80% of the increase as a kickback. One vendor, a hospice provider, agreed to pay Foster a personal referral fee for every senior referred from one of the elder care facilities. By year two, she realized that it would be easier to create companies and include them in the bidding process. The companies, run by her sister, would act as the pass-through for the business — buying the items from the prior vendor, marking up the prices, and splitting the money. 
</p><p>Dianna Foster was eventually arrested and sentenced to six years in jail and restitution. The organization of vendors Erin Foster created included 16 different companies and 87 unique bank accounts. Erin Foster was sentenced to three years in jail and restitution.</p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>Lessons Learned</strong></p><ul><li>Assume every unanswered question is important. In this case, the fraud would have gone undetected if not for the question about the flags. These unanswered questions do not always lead to fraud, but they will always add context to the state of the business and help demonstrate an understanding of the process reviewed by internal audit. <br><br></li><li>Analyzing data can be a powerful tool. However, it is always significantly more powerful when internal auditors know what questions to ask. Running ad hoc analytics midway through an internal audit is a great supplement to running a standard set of analytics at the start. <br><br></li><li>Adjust procedures based on risk. Plans are based on assumptions and should be adjusted once new information is discovered. The value of internal audit is not in meeting deadlines, but in helping to identify areas of improvement. As the risk of a process increases with new information, the potential value of audit procedures also increases. <br><br></li><li>High-risk areas should always be reviewed regularly. The possibility of a review each year would have prevented this fraud, as Foster would have been more fearful of getting caught. Each year after the first incident, the fraud nearly doubled in size. Catching the perpetrator in year three would have saved the company nearly $10 million. Comparing this to the 300 hours of internal audit time and about 40 hours of purchasing employee time seems like a high return on investment. 
</li></ul><br></td></tr></tbody></table><p></p>Bryant Richards
Building Scheme Is No Big Hit<p>It's like a country song where a bad deal has gone down. Federal prosecutors say Arizona businessman Frank Capri defrauded developers and contractors throughout the U.S. by entering deals for branded restaurants that were never built, <a href="" target="_blank">the <em>Arizona Republic</em> reports</a>. </p><p>According to a <em>Republic</em> investigation, Capri's company, Boomtown Entertainment, licensed the names of country music stars Toby Keith and Rascal Flatts to establish restaurants at malls. Boomtown built 20 Toby Keith restaurants and made deals to develop more restaurants, which were never built. </p><p>Instead, authorities say Capri and his associates funneled construction money into their own accounts and covered it up using fraudulent paperwork, fabricated contractors, and forged signatures. Nineteen Toby Keith restaurants have closed since 2013, and Boomtown became insolvent. Toby Keith and Rascal Flatts are not implicated in the alleged fraud.</p><p>Capri and his associates face wire fraud, money laundering, and conspiracy charges. Separately, civil court judges have ordered Capri to pay $65 million in civil judgments.</p><h2>Lessons Learned</h2><p>Global studies by the Association of Certified Fraud Examiners (ACFE) have consistently ranked real estate and construction fraud as the second or third most costly frauds in terms of median loss, with estimated average losses of more than $600,000. Construction companies can be both the victims of this type of fraud and the perpetrators. </p><p>ACFE's studies also note that most occupational frauds in all industries were committed by individuals at the employee or managerial level. Most often these individuals work in accounting, operations, sales, and executive management. Not surprisingly, the higher the fraudster's authority level, the greater the losses. 
Overall, more than half were with their firms or in business relationships for more than five years.</p><p>Capri's alleged fraud encompasses many of the most common types of construction fraud schemes, including:</p><ul><li>False representations.</li><li>Diverting money intended for construction purchases through money laundering and mail fraud.</li><li>Nonpayment of subcontractors and materials suppliers.</li><li>Falsifying payment applications.</li><li>Billing for unperformed work.</li></ul><p><br></p><p>Auditors should not overlook an additional group of fraudulent activities that does not appear as a central part of this story, such as:</p><ul><li>Diverting lump-sum cost to time-and-material costs.</li><li>Substituting or removing materials, usually for lower quality items.</li><li>Manipulating change orders.</li><li>Subcontractor collusion.</li><li>Theft of equipment or tools.</li></ul><p><br></p><p>The need to have a strategy to prevent and detect construction fraud extends to a broad range of individuals and businesses involved in construction projects. These include investors — especially wealthy, famous, and busy investors — lawyers, real estate companies, property developers, and property management companies.<br></p><p>Particularly in the somewhat unusual circumstances of this fraud involving individuals in the entertainment industry, the best way to prevent and detect fraud on a construction project is careful oversight by both the owner/investor and a trusted management team. There are three specific measures auditors and their organizations should take for such projects.<br></p><p><strong>Conduct Due Diligence</strong> When entering into a business relationship and hiring people for a project, especially larger scale national projects, perform research on the individuals' backgrounds, including reference checks. Where warranted, these can be conducted by private investigators. 
A "wheeler dealer" or anti-controls attitude can be a sign of future fraud trouble.</p><p>Local and established contractors can be better choices to reduce the possibility of fraud. Be well-informed about local market conditions, availability of competition, and bid pricing of comparable projects in the area.</p><p>Also, become familiar with their business structure and the people involved. Many times the people who appear to be primarily involved in the business will have relationships with others, such as subsidiary companies. They may have family members who are trying to conceal who the principal is.</p><p>If the primary investors don't have the time to perform due diligence, they should engage a manager, accountant, compliance officer, or similar professional to do it.</p><p><strong>Ensure Projects Are Monitored Effectively</strong> A designated person, such as a chief compliance officer, should be a communication point between contractors on the project and the investor/owner/management team. This compliance officer should conduct initial investigations as well as ongoing reviews. Continuous monitoring is a simple way to decrease the likelihood of fraud. The compliance officer also should be empowered to conduct periodic audits and be able to review payrolls, invoices, and contracts.</p> <p> <strong>Stay Alert </strong>Fraud occurs when people stop paying attention. Implementing some of these measures early on will help in the long run, but as a baseline action, staying alert can help ward off construction fraud. Litigation costs money, violations can lead to lawsuits and even criminal charges, and a history of fraud can destroy reputations. Always be vigilant! </p>Art Stewart
The Shady Stockbroker<p>The stockbroker promised his clients a "no lose" investment, but now he is on trial for fraud, <a href="" target="_blank" style="background-color:#ffffff;">CBS News reports</a>. Prosecutors allege Anthony Diaz sold high-risk, high-fee alternative investments and filed false documents with the U.S. Securities and Exchange Commission (SEC) about clients' suitability to invest in those products. Additionally, the advertised guarantee rates of return were "highly speculative" and tied up clients' money for long periods, court documents allege.</p><p>Diaz is no stranger to controversy. Five brokerage firms have fired him, and he was permanently barred from trading in 2015. The Financial Industry Regulatory Authority (FINRA) ordered Diaz to pay $4 million in damages to former clients two years ago, but the organization says he has not complied.</p><h2>Lessons Learned</h2><p>The stockbroker's alleged illegal activities highlight the importance of investor self-education and awareness, as well as the role of FINRA, the U.S. financial industry's self-regulatory body. FINRA oversees more than 630,000 brokers across the U.S. Its BrokerCheck system — providing information on cases of broker misconduct and illegality — lists several thousand brokers, demonstrating the huge scale of broker misconduct. The cases go back a decade or more.</p><p>While BrokerCheck is a useful tool for investors, FINRA also provides other tools, such as investor education materials, an inventory of disciplinary actions against brokers, and a whistleblower hotline. Here are some suggestions that could help FINRA in its anti-fraud efforts.</p><ul><li>In its For Investors section, <a href="" target="_blank">FINRA's website</a> lists numerous reasons for filing a complaint, such as potential fraud and misrepresentation. 
However, there is only an "other" category for individuals who want to learn about how to file a complaint and the problems that FINRA may address versus those that the SEC handles. FINRA should make broker fraud and misrepresentation a more explicit category of complaint. Moreover, it should provide more detailed information about how investors can identify these activities.<br><br></li><li>Investors need to be aware of the types of prohibited conduct for brokers, including the kind of illegal activity Diaz is alleged to have committed. However, FINRA's Investor Complaint Center only references this information as "see definitions below." FINRA's website should display this information more prominently within its BrokerCheck, Investor Complaint Center, and Rules and Guidance sections.<br><br></li><li>Broker misrepresentations and falsification of investor credentials and approvals are among the prohibited conduct. FINRA requires brokers to submit this information for monitoring. However, it is less clear what FINRA's monitoring specifically consists of and whether it could be strengthened to help prevent broker fraud.<br><br></li><li>Any strategy to deter fraudulent activity should publicize cases where individuals have been found guilty of fraud. While BrokerCheck provides extensive information regarding individual cases of brokers' prohibited conduct or fraud, FINRA's media center does not mention these cases. FINRA should provide regular updates such as highlighting these cases quarterly or at least annually and linking readers to BrokerCheck for more information. These updates also would be an opportunity for FINRA to summarize trends, including cases where judgments and awards occurred, as well as cases that were settled, withdrawn, or denied.<br><br></li><li>The SEC should consider what it might do to strengthen rules and requirements over FINRA's self-regulatory efforts. 
Specifically, the SEC should require much greater transparency and disclosure of fraud cases, including names and details.<br><br></li><li>In 2017, FINRA launched FINRA 360, a "comprehensive self-evaluation and organizational improvement initiative." Part of that initiative brings together two distinct enforcement teams. The first team comprises the surveillance and examination programs that handle disciplinary actions related to trading-based matters. The second team deals with cases referred from other regulatory oversight divisions, including Advertising Regulation, Corporate Financing, Member Regulation, and the Office of Fraud Detection and Market Intelligence. Some of the previous suggestions may help this integration to better fight fraud.<br></li></ul>Art Stewart
Running on Empty<p>At the end of the third business quarter, Sten Lepp, the chief audit executive at NorthStar Energy Corp., received an email from the head of sales, Henry Klassen:</p><p><em>“For your information, on the 8th of July, we discovered that a salesperson, Andy Pine, used standard consumption graphs for certain customers instead of the customers’ actual consumption history. Thus, sales to those clients were made with wrong assumptions. As soon as we discovered the manipulation, I had Pine write an explanatory letter and sent him home. We are processing termination documents, and I intend to deduct sales bonuses from his last paycheck to recoup monies. I am truly sorry for the incident. As a manager, it is difficult when a team member breaches trust.”</em></p><p>After reading the email, Lepp wanted to better understand exactly how the salesperson manipulated sales. How had such a standardized business process become so trust-based? The email looked like an attempt to sweep the matter under the rug as quickly as possible, so Lepp initiated an internal investigation.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>Lessons Learned</strong><br> <ul><li>Don’t jump to conclusions. Just because the prime suspect was no longer with the company and Klassen assured everyone that the incident had been taken care of doesn’t mean there isn’t much to investigate. When beginning an investigation, avoid assessments and conclusions early on and keep an open mind. </li><li>Use professional skepticism, instead of falling victim to truth bias, which is people wanting to believe what they see or hear. The investigators first interviewed Klassen, who was cooperative and ready to explain the sales process and fraud scheme. 
While the chief investigator then compiled a summary of Pine’s deeds, the effective resolution, and the incident’s low impact, the other investigation team member decided to talk to the portfolio analyst. By talking to the analyst, the investigator learned that Klassen was not telling the truth and that the loss from those contracts was more substantial than a single person’s bonuses. The analyst also revealed that Pine and Klassen were close friends. </li><li>Have a thorough investigation plan. List all employees to be interviewed and in what order. Never start with those who could potentially be main suspects. Had the auditor not decided on her own to talk to the portfolio analyst, he never would have discovered that Klassen was less than truthful. Make sure investigation steps and responsibilities are listed, as well as what evidence is most likely needed. Agree ahead of time on communication channels and frequency, where evidence is stored and how it is indexed, and set and monitor deadlines for each step of the investigation.</li><li>Understand business context. Klassen succeeded in undermining the impact of the fraud because he focused everybody’s attention on bonuses overpaid to a single salesperson rather than the lack of controls within the sales system. If you are not familiar with the business, step back to read through manuals and related procedures, and interview employees. </li><li>Conduct due diligence by preserving evidence. The decision to turn the case over to law enforcement may be reached several months later, but the evidence should still be available and the chain of custody must be clear. </li></ul><br></td></tr></tbody></table><p>The pricing strategy for each customer was based on the customer’s profile. One of the inputs that shaped the profile was the customer’s historical energy consumption data, which was used to project future consumption patterns. 
The pricing model then calculated the minimum selling price, allowing the salesperson to add a margin to that price while maintaining customer relations. This margin was shared between the salesperson and the company, and the salesperson’s bonus was a percentage of the added margin. </p><p>In the previous year, energy market prices increased, resulting in a higher precalculated base selling price. Most of the sales team was struggling to add every cent to the sales margin without customers complaining about the cost increases. Pine, however, completed contracts and bragged about his bonuses. His colleagues grew curious, but no one dared to ask Klassen because of his close friendship with Pine. Their chance came when Klassen left for a scheduled vacation and Helina Saar, a recent hire, came in as his temporary replacement. </p><p>When the other salespeople approached Saar about the discrepancies in bonuses, she accessed Pine’s portfolio in the sales system and found that he used creative solutions to ensure his bonuses while his co-workers struggled. Specifically, he changed the presumably unchangeable — the customer’s profile. He manually changed inputs to the pricing model in the sales system. Instead of using the customer’s real historic consumption data, Pine entered the customer’s consumption as a single value, so the system disregarded real consumption patterns and distributed consumption equally, calculating lower base prices. Lower base prices allowed Pine to add the desired margin and receive a larger bonus from each sale. </p><p>Saar talked about her findings with the portfolio analyst responsible for monthly sales results reporting, who then approached her supervisor to confirm the findings. The supervisor waited until Klassen returned from his vacation and informed him about Pine’s contracts. Klassen had no choice but to fire Pine. 
</p><p>The investigation unveiled several key findings:</p><ul><li>The sales process manual had not been reviewed for more than five years, and actual practices deviated substantially. There were no controls or monitoring from the head of sales or anyone else.</li><li>No attention was paid to the development of the sales information system. As a result, IT controls were not performing as intended and could be easily overridden with no one noticing.</li><li>Bonuses were paid out immediately based on forecasted revenues, and actual execution of sales contracts was not monitored, which invited fraudulent behavior from sales personnel.</li><li>Klassen and Pine owned and ran an online retail business together. Though it was in an unrelated business sector and did not breach NorthStar’s code of conduct, the investigation found that they took care of their affairs during business hours. Therefore, Klassen was paying little attention to what was going on in the sales unit.</li></ul><p><br>NorthStar, of course, suffered losses from such deals as it will have to cover energy costs from the customers’ real consumption patterns.</p><p>As a result, the company completely restructured the sales process, supporting information system, and bonus principles; contacted law enforcement; reviewed whistleblowing channel effectiveness; and fired Klassen. </p>Anna Kon
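<p>The control gap in the NorthStar case above (a flat consumption profile keyed in where metered history exists, with nobody noticing) can be monitored with a periodic check like the following. This is an added example, not part of the original article or NorthStar's system; the pricing formula, thresholds, field names, and all sample data are assumptions constructed for illustration.</p>

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed monthly market prices (per MWh), higher in the winter months.
MARKET_PRICE = [62, 60, 55, 48, 42, 40, 39, 41, 46, 52, 58, 63]


def base_price(monthly_volume, prices=MARKET_PRICE):
    """Assumed pricing model: consumption-weighted average market price."""
    total = sum(monthly_volume)
    return sum(v / total * p for v, p in zip(monthly_volume, prices))


def variation(monthly_volume):
    """Coefficient of variation of a profile; 0.0 means perfectly flat."""
    avg = mean(monthly_volume)
    return pstdev(monthly_volume) / avg if avg else 0.0


def flat(annual_volume):
    """Profile the system derives when consumption is entered as one value."""
    return [annual_volume / 12] * 12


def review_contracts(contracts, metered, flat_cv=0.01, real_cv=0.10):
    """Flag contracts priced on a flat profile although metered history varies."""
    findings = []
    for c in contracts:
        history = metered.get(c["customer"])
        if history is None:
            # Pricing input cannot be verified at all: report it, do not skip it.
            findings.append({"contract": c["id"], "salesperson": c["salesperson"],
                             "reason": "no metered history", "underpriced_by": None})
        elif variation(c["profile"]) <= flat_cv and variation(history) >= real_cv:
            gap = base_price(history) - base_price(c["profile"])
            findings.append({"contract": c["id"], "salesperson": c["salesperson"],
                             "reason": "flat profile replaces varying history",
                             "underpriced_by": round(gap, 2)})
    return findings


def findings_by_salesperson(findings):
    """Concentration of findings on one person is the signal peers noticed."""
    return dict(Counter(f["salesperson"] for f in findings))


# Constructed metered history (monthly volumes) per customer.
METERED = {
    "cust-A": [140, 130, 110, 80, 60, 50, 50, 55, 75, 100, 125, 145],
    "cust-B": [280, 260, 220, 160, 120, 100, 100, 110, 150, 200, 250, 290],
    "cust-C": [90, 85, 70, 50, 40, 30, 30, 35, 45, 60, 80, 95],
    "cust-D": [100] * 12,  # genuinely constant load: a flat profile is correct
}

# Constructed contracts with the profile that was actually used for pricing.
CONTRACTS = [
    {"id": "C-1", "salesperson": "sales-01", "customer": "cust-A",
     "profile": METERED["cust-A"]},
    {"id": "C-2", "salesperson": "sales-02", "customer": "cust-B",
     "profile": flat(2240)},
    {"id": "C-3", "salesperson": "sales-02", "customer": "cust-C",
     "profile": flat(710)},
    {"id": "C-4", "salesperson": "sales-01", "customer": "cust-D",
     "profile": flat(1200)},
    {"id": "C-5", "salesperson": "sales-03", "customer": "cust-E",
     "profile": flat(900)},
]

if __name__ == "__main__":
    results = review_contracts(CONTRACTS, METERED)
    for finding in results:
        print(finding)
    print(findings_by_salesperson(results))
```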
An Education in Misleading Ads<p>The University of Phoenix will pay $191 million to settle deceptive advertising charges, <a href="" target="_blank">National Public Radio reports</a>. According to the U.S. Federal Trade Commission (FTC), the for-profit university's ads "gave the false impression" that it could provide job opportunities with employers such as AT&T and Microsoft. The FTC says the ads targeted minorities, military veterans, and service members and their families. </p><p>The settlement requires the University of Phoenix to cancel $141 million in debt owed to the university by students who enrolled from October 2012 through the end of 2016. The university must pay $50 million to the FTC.</p><h2> Lessons Learned</h2><p>This story is yet another example of why educational institutions, especially for-profits, must strive to prevent and detect fraud on the behalf of students. The settlement in this case follows on the heels of last year's <a href="/2019/Pages/Big-Scam-on-Campus.aspx">college admissions bribery scandal</a>. In continuing fallout from that story, students have filed a class-action suit against eight universities.</p><p>The fraud involved in this story is neither new, nor does it address a bigger issue. In its complaint, the FTC notes the University of Phoenix has been the largest recipient of money from the Post-9/11 GI Bill Fund established to help veterans pursue education. </p><p>The FTC's settlement with the university puts pressure on the Veterans Administration to cut off GI Bill funds to schools that engage in deceptive recruiting and advertising, as required by federal law. Here are some strategies that could help deter false advertising by universities as well as address misleading and predatory marketing practices.</p><ul><li> <strong>Authorities must act against deceptive advertising.</strong> It helps to understand why the University of Phoenix is in trouble. 
The Federal Trade Commission Act allows the FTC to act in the interest of all consumers to prevent deceptive and unfair acts or practices. According to Section 5 of the act, a representation, omission, or practice is <em>deceptive</em> if it is likely to mislead consumers and affect their decisions about the product or service. In addition, an action or practice is unfair if the injury it causes, or is likely to cause, is substantial, not outweighed by other benefits, and not reasonably avoidable.  <br> </li><li> <strong>Claims must be substantiated, especially when they concern health, safety, or performance.</strong> The type of evidence required may depend on the product, the claims, and what experts consider necessary. If an ad specifies a certain level of support for a claim — "tests show X" — the advertiser must have at least that level of support. <br> <br>The University of Phoenix was not able to substantiate the connection between paying fees and obtaining jobs at major companies. Therefore, prospective students should be skeptical about this type of advertising. They should ask for evidence, in writing, that a course was developed with reputable partners, or that attending the school will lead to jobs at the companies mentioned in the ads. If the claims are true, the school should be able to produce signed partnership agreements or testimonials from individuals about jobs, without compromising privacy rules.<br> </li><li> <strong>Third parties can be accountable for deceptive claims by advertisers.</strong> Although in-house employees perform much of universities' advertising and online marketing work, third parties often are involved. The FTC's investigative framework allows the commission to hold advertising agencies, website designers, and catalog marketers liable for deceptive marketing practices. 
These groups can be accountable if they participate in preparing or distributing deceptive representations or know about the false claims.<br><br>All agencies working on ads are responsible for reviewing the information used to substantiate claims, rather than relying on the advertiser's assurance that they are true. In determining whether an ad agency should be held liable, the FTC looks at the extent of the agency's participation in preparing the challenged ad. The commission also considers whether the agency knew or should have known that the ad included false or deceptive claims. If an agency is aware of false claims, it should not perform the requested work and should notify authorities such as the FTC.</li> <br> <li> <strong>An effective whistleblower program is an important deterrent.</strong> In addition to in-house reporting, organizations should ensure employees can talk to authorities about potential wrongdoing. During the FTC's investigation of the University of Phoenix, an advocacy group for students who are military veterans connected the commission with six whistleblowers who served as recruiters for the university. Those whistleblowers in turn helped the FTC uncover deceptive advertising practices.<br> </li><li> <strong>The federal government should take a more vigilant stance regarding advertising fraud.</strong> In addition to the FTC, agencies should step up monitoring and auditing of schools that receive government money. This funding is a major, stable source of revenue at for-profit schools. <br> <br>The aggressive marketing and recruiting practices of some for-profit colleges have been well documented. A 2012 Senate investigation found evidence of schools deploying teams at veterans hospitals and Wounded Warrior centers to enroll students. Veterans groups have long criticized federal agencies for not doing enough to keep education benefits out of the hands of colleges that they say prey on military members. 
One recent audit found lax oversight could result in $2.3 billion in tuition benefits going to predatory schools during the next five years.<br></li> <br> <li><strong>Authorities should consider significant sanctions against schools that commit major or protracted advertising fraud.</strong> Such sanctions are particularly needed when vulnerable segments of society, such as students and veterans, are involved. For example, the Defense Department has considered banning the University of Phoenix from participating in its tuition assistance program, citing the FTC's investigation and other government inquiries. <br> <br>The department also has suspended the university from recruiting on military bases and placed a six-month moratorium on access to education funding dedicated to service members. That decision stemmed from allegations that the university sponsored recruiting events in violation of an executive order preventing for-profit colleges from gaining preferential access to the military. </li></ul>Art Stewart
Data Theft Aids Tech Support Scam<p>An employee at Trend Micro allegedly stole information on 70,000 customers to help a fake IT support scam, <a href="" target="_blank"> <em>PC Magazine</em> reports</a>. The anti-virus company says the employee accessed a database and sent names, email addresses, phone numbers, and support ticket numbers to the alleged scammers. </p><p>The company says those individuals, in turn, contacted customers, posing as technical support staff. Typically, IT support scams try to charge victims for unnecessary services, <em>PC Magazine</em> says. </p><p>Trend Micro says it hasn't found evidence that the employee exposed credit card or financial information, nor did the employee access information on government or corporate customers. It has since fired the employee.</p><h2>Lessons Learned</h2><p>Preventing employees from stealing data is a necessity. Customer data, employee records, software code, engineering designs, and business strategies are particularly vulnerable to data theft. </p><p>While the human resources (HR), IT, and legal functions all are vital for preventing data theft, it is not any one function's job. Instead, the best defense is an integrated approach involving all employees. Here are two areas where organizations need effective controls, along with some strategies that internal auditors can recommend and help implement.</p><p> <strong>1. Employee Recruitment, Onboarding, and Offboarding</strong></p><p>A variety of research indicates that employees commit data breaches unintentionally because they aren't aware of how the organization governs its data. But organizations can blame ineffective recruitment screening, onboarding, and offboarding processes, as well. </p><p> <strong>Recruitment</strong> Before hiring new employees, the organization should conduct thorough background checks, including reviewing their social media presence. 
It should look for signs of tolerance of theft, laxness in security protection, and similar traits. </p><p> <strong>Onboarding</strong> Upon hire, new employees should attend required sessions covering the organization's data sharing, ownership, and privacy policies. During these small group sessions, HR executives should ensure employees understand the data security, ethics, and conflict-of-interest sections of their employment agreements. Employees also should be aware of the organization's privacy and data security policies and procedures. </p><p>Additionally, the organization should conduct mandatory training on its data sharing, ownership, security, and privacy policies. This session should test new employees' comprehension and ability to document these processes.</p><p> <strong>Offboarding</strong> When employees leave the organization, devices issued to them should be scanned and verified for organizational data. These devices should include laptops, tablets, smartphones, and removable media.</p><p>Because different employees have access to different types of data, the organization should maintain a record of each employee's access privileges. It should reset or delete all of an employee's accounts, access privileges, and passwords upon his or her departure. The organization also should hold former employees accountable for any data breach that is traced back to them. </p><p>These recruitment, onboarding, and offboarding policies should be implemented in combination with other measures designed to help detect and deter data theft such as a whistleblower program and providing information about the consequences of data theft.</p><p> <strong>2. 
Technology Measures Against Data Breaches </strong></p><p>IT measures that can help prevent data theft from happening include:</p><ul><li> <em>Role-based and access-based controls.</em> Limiting data access to only what is required for a particular job and logging user interactions with the data can reduce the chances of theft. For example, a junior-level software developer should have well-defined, limited, or even no access to a primary database. Tracking software can enable organizations to monitor activity within an intranet or network.<br> </li><li> <em>Separate devices for professional versus personal use.</em> Many organizations allow employees to use the same devices for personal and professional use. This blurred boundary between business and personal data can lead to incidental or intentional data breaches. If a single device is allowed for both purposes, the organization should monitor usage of the device and install software to keep each usage separate.<br> </li><li> <em>Establish strict controls over use of removable storage and cloud services. </em>Organizations should restrict employees' ability to access, copy, and move data, and limit access to all forms of removable storage and cloud services. The best solution is to prohibit data copying, whether by email, photocopy, screen shot, camera, or by hand — or even eliminate all the external storage ports of devices. Practically speaking, though, such restrictions can result in lost productivity and employee inconvenience. The next best method is to monitor all forms of data copying, movement, or exchange from the organization's systems. To this monitoring, organizations should add random, in-depth spot checks of employee behavior and audits of control measures. </li> </ul>Art Stewart
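<p>The first measure above, limiting access to what a job requires and logging every interaction with the data, is only useful if the log is reviewed against the policy. The following added example (not from the article or from Trend Micro) shows one such review for a support database. The role names, the rule that a support agent may read only customers with a ticket assigned to that agent, the threshold, and all sample data are assumptions constructed for illustration.</p>

```python
from collections import defaultdict

# Assumed role policy (hypothetical role names) for reading customer records.
ROLE_POLICY = {
    "support_agent": "assigned_ticket",  # only customers on the agent's own tickets
    "dba": "any",                        # operational access to every record
    "junior_developer": "none",          # no access to the primary database
}

# Constructed ticket assignments: agent -> customers with a ticket assigned to them.
TICKETS = {
    "a.lee": {"c-101", "c-102"},
    "b.kim": {"c-201"},
}

# Constructed access log: (timestamp, user, role, customer record read).
ACCESS_LOG = [
    ("2020-01-06T09:02", "a.lee", "support_agent", "c-101"),
    ("2020-01-06T09:15", "a.lee", "support_agent", "c-102"),
    ("2020-01-06T09:20", "b.kim", "support_agent", "c-201"),
    ("2020-01-06T09:21", "b.kim", "support_agent", "c-301"),
    ("2020-01-06T09:21", "b.kim", "support_agent", "c-302"),
    ("2020-01-06T09:22", "b.kim", "support_agent", "c-303"),
    ("2020-01-06T09:22", "b.kim", "support_agent", "c-304"),
    ("2020-01-06T09:23", "b.kim", "support_agent", "c-301"),
    ("2020-01-06T10:05", "j.dev", "junior_developer", "c-101"),
    ("2020-01-06T10:30", "d.ops", "dba", "c-500"),
    ("2020-01-06T11:00", "x.temp", "contractor", "c-101"),
]


def classify(event, tickets=TICKETS, policy=ROLE_POLICY):
    """Return 'ok' or the reason a logged read falls outside the role policy."""
    _, user, role, customer = event
    rule = policy.get(role)
    if rule is None:
        return "unknown_role"   # role missing from the policy: treat as a finding
    if rule == "none":
        return "role_denied"
    if rule == "assigned_ticket" and customer not in tickets.get(user, set()):
        return "no_ticket"
    return "ok"


def review(log, bulk_threshold=3):
    """Summarize out-of-policy reads per user and mark bulk access.

    'bulk' is set when a user read at least bulk_threshold distinct customer
    records without justification; repeated reads of one record count once.
    """
    violations = defaultdict(lambda: defaultdict(set))
    for event in log:
        verdict = classify(event)
        if verdict != "ok":
            violations[event[1]][verdict].add(event[3])
    report = {}
    for user, by_kind in violations.items():
        distinct = set().union(*by_kind.values())
        report[user] = {
            "kinds": {kind: len(ids) for kind, ids in by_kind.items()},
            "distinct_customers": len(distinct),
            "bulk": len(distinct) >= bulk_threshold,
        }
    return report


if __name__ == "__main__":
    for user, summary in sorted(review(ACCESS_LOG).items()):
        print(user, summary)
```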
