Fraud
<h1><a href="https://iaonline.theiia.org/2019/Pages/The-Benefits-Swindlers.aspx">The Benefits Swindlers</a></h1><p>A Toronto hospital has fired about 150 employees accused of falsely claiming benefits in one of Canada's largest benefits fraud schemes, <a href="https://nationalpost.com/news/torontos-baycrest-hospital-fires-around-150-employees-after-uncovering-multimillion-dollar-fraud-scheme" target="_blank"><em>The National Post</em> reports</a>. Baycrest Health Services acknowledged that $5 million in fraudulent claims were made over an eight-year period at its Baycrest Hospital.</p><p>Consultants first discovered the fraud several months ago while vetting a potential partnership between Baycrest and other hospitals. A third-party internal investigation revealed that hospital employees submitted invoices for services they never received and paid a kickback to the providers. In another scheme, employees accepted products unrelated to the medical device that had been prescribed and paid the provider the difference in price between the two products.</p><p>Baycrest has opted not to press charges against the individuals allegedly involved.</p><h2>Lessons Learned</h2><p>Workplace benefits fraud is on the rise in Canada, costing insurance companies hundreds of millions of dollars each year, according to the <a href="https://www.clhia.ca/web/CLHIA_LP4W_LND_Webstation.nsf/page/4ABC3507651CE9C8852583B40071BBB6%21OpenDocument" target="_blank">Canadian Life and Health Insurance Association</a> (CLHIA). For example, in 2018, employees at the Toronto Transit Commission were found to be engaging in similar benefits fraud worth as much as $5 million.</p><p>Baycrest's benefits administrator has said his company has "rigorous standards and protocols in place to defend against and detect such activities." He said the company is committed to becoming more vigilant about benefits fraud and has implemented measures "to further guard against similar misuse." Here are some additional measures that employers and regulators need to consider to combat this growing problem:</p><ul><li><p><strong>Increase regulatory audits.</strong> From a regulatory and compliance standpoint, the Canada Revenue Agency (CRA) could step up audits within the benefits service provider industry. The CRA requires that a service actually be provided wherever an invoice is issued.</p><p>In Canada, insurance and service providers are both federally and provincially regulated in specific ways. Regulators should review whether these regulations are adequate to prevent benefits fraud. In particular, new provincial regulations may be needed to monitor service providers and to levy fines on noncompliant ones.</p><p>As part of this effort, the benefits insurance industry should take more comprehensive actions such as delisting unscrupulous providers. This has been effective for the biggest insurers. For example, in 2018, Sun Life delisted 1,500 providers from across Canada, no longer accepting their claims, after proving their involvement in false claims. Benefits insurers also should carefully weigh the use of up-selling of services and related performance rewards, which can further contribute to benefits fraud.</p></li><li><p><strong>Apply technology to fraud management.</strong> Insurance carriers should invest in fraud management and business-process solutions that also support efficient operations. Sun Life, for example, uses data analytics and machine learning to identify suspicious behavior, intelligence analysis to identify the players in complex schemes, and investigative skills to monitor a facility's member-claim activity.</p><p>From the business-process perspective, a direct billing system can deter both providers and employees from attempting benefits fraud. Such systems require service providers to submit electronic documentation at the time the service is provided.</p><p>Increased scrutiny of frequent and higher-value claims through monitoring and audits is another technique. Additionally, both insurance carriers and employers should have strong whistleblower programs in place to encourage people to come forward with cases of suspected benefits fraud.</p></li><li><p><strong>Educate the public.</strong> Employers and regulators should educate both employees and the public that benefits fraud is not a victimless crime. From the fraudster's perspective, the Fraud Triangle applies. Fraud typically occurs when three elements are present: opportunity, rationalization, and pressure. People take advantage of opportunity when they perceive little chance of detection, penalty, or consequence. They rationalize their actions by feeling entitled to the benefits, even though their employer pays directly for the claims.</p><p>Moreover, many Canadians feel workplace benefits fraud is not a significant problem. According to an Environics Research survey conducted for the CLHIA, 75% of respondents believe the only consequences of benefits fraud are higher premiums or having to repay improper claim payments when they are uncovered. The insurance industry and regulators need to counteract these false perceptions.</p></li></ul><p><em>Art Stewart</em></p>
<h1><a href="https://iaonline.theiia.org/2019/Pages/Elder-Fraud.aspx">Elder Fraud</a></h1><p>The U.S. Justice Department has charged four executives of a Vancouver, B.C. payment processing firm with assisting fraud schemes that preyed on the elderly and other "vulnerable victims," <a href="https://nationalpost.com/pmn/news-pmn/canada-news-pmn/u-s-justice-department-alleges-fraud-money-laundering-against-4-from-b-c-firm" target="_blank"><em>The National Post</em> reports</a>. Prosecutors allege that executives of PacNet Services Ltd. knew that some of the company's mass-mail clients were sending misleading notifications to consumers, and that they profited from the scheme. The notifications promised cash, prizes, or psychic services to recipients, but required them to pay a fee to obtain those awards.</p><p>Prosecutors say PacNet functioned as a middleman between its clients and banks, aggregating payments collected by its clients, depositing the funds into the company's accounts, and distributing them. The accused include two owners of PacNet, along with managers from the company's marketing and compliance departments. Each allegedly made $15 million from the scheme between 2013 and 2015. They now face conspiracy, money laundering, and mail and wire fraud charges.</p><h2>Lessons Learned</h2><p>In 2016, this column <a href="/2016/Pages/Following-the-Money.aspx">first covered the alleged fraud case</a> involving PacNet, when the U.S. Treasury Department designated the company as a significant transnational criminal organization. Now those accused of facilitating the scam will face justice.</p><p>Warnings about losing money to scam artists and money launderers are common, but it is no longer surprising to see fraudulent transactions facilitated from within a large payment-processing company. Recently, MoneyGram agents were found guilty of tactics such as contacting unsuspecting people while posing as relatives with an immediate need for money. These were exactly the schemes the agents were supposed to protect their customers from.</p><p>The PacNet story demonstrates that individuals, companies, and institutions are at risk of mail fraud and must take steps to protect themselves as best they can. Worse, third-party scammers are not the only threat: payment-processing company owners and executives can be in on the take as well. Two actions are particularly needed:</p><ul><li><p><strong>More investigations.</strong> Regulators and enforcement agencies worldwide need to step up their investigations and enforcement actions against payment processors implicated in facilitating mail fraud schemes, including more severe penalties for individuals and companies found guilty of fraud. The payment-processing industry has relationships with banks around the world, so strengthened international cooperation and greater regulation of the industry, including registration, licensing, and background checks, would be appropriate.</p></li><li><p><strong>Self-regulation and control.</strong> The payment-processing industry needs greater self-regulation, with a focus on fraud perpetrated by sellers and providers, including the processors' own employees. Processors should educate consumers and businesses about the risks of mail fraud committed by sellers. They also need to strengthen their knowledge of, and controls over, potential seller fraud, starting by ensuring that account-opening procedures adequately verify the identity of account holders.</p><p>Analytics, such as velocity checks and pattern-recognition checks, can enable companies to detect potential fraud in high-risk countries as well as in high-risk products and services such as lottery sales and solicitations of money for causes. Processors should follow the example of banks and other financial institutions by focusing on the probability that a transaction is fraudulent, for example by scoring transactions, and referring suspicious transactions to the company's anti-fraud unit.</p></li></ul><p>Of course, in a case where owners, partners, and managers collude to commit this kind of mail fraud, strong internal controls may not do much good. However, legitimate payment-processing companies also can benefit from:</p><ul><li>Establishing an executive-level position to combat fraud, and creating an independent compliance and ethics committee on their boards.</li><li>Assessing the adequacy of the risk assessments and mitigations around fraud and anti-money laundering activities that affect the organization.</li><li>Establishing and regularly monitoring the organization's anti-money laundering and fraud policies, procedures, and processes, and checking whether employees are complying with them.</li></ul><p>This last concern, employee fraud, is key to deterring and detecting the kind of behavior reported in this case. Along with fraud detection, employee and third-party human resources policies, processes, and compliance are needed. These should include reviewing and strengthening processes around recruitment, security and background checks, training, the code of conduct, and discipline.</p><p><em>Tim McCollum</em></p>
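<p>The velocity checks, pattern-recognition checks, and transaction scoring described above, and the scrutiny of frequent and higher-value claims recommended in "The Benefits Swindlers," rest on the same mechanism: a sliding window of recent payments per recipient plus a handful of weighted rules that produce a score and a routing decision. The following Python is an added example, not code from the column or from PacNet, Sun Life, or any other firm it names; the field names, thresholds, weights, high-risk product list, and the sample records are assumptions constructed for illustration.</p>

```python
"""Velocity and pattern checks that score payment records and decide whether to
clear them, hold them for review, or refer them to an anti-fraud unit.

Added example: this is not code from the column or from any processor it names.
Field names, thresholds, weights, the high-risk product list and the sample
records are all assumptions made for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Tx:
    ts: datetime
    payer: str          # consumer sending the payment
    payee: str          # merchant/client receiving it
    amount_cents: int
    country: str
    product: str


# Assumed high-risk categories: the column names lottery sales, solicitations
# for causes, prize claims and psychic services.
HIGH_RISK_PRODUCTS = {"lottery", "prize_claim", "psychic", "cause_solicitation"}

# Constructed sample input: ordinary retail traffic plus a "pay a fee to claim
# your prize" mailing funnelled through one payee. All names are invented.
SAMPLE = [
    Tx(datetime(2015, 3, 1, 9, 0), "payer-01", "acme-books", 4250, "CA", "retail"),
    Tx(datetime(2015, 3, 1, 9, 5), "payer-02", "acme-books", 1999, "CA", "retail"),
    Tx(datetime(2015, 3, 1, 10, 0), "payer-03", "lucky-prizes", 2995, "US", "prize_claim"),
    Tx(datetime(2015, 3, 1, 10, 1), "payer-04", "lucky-prizes", 2995, "US", "prize_claim"),
    Tx(datetime(2015, 3, 1, 10, 2), "payer-05", "lucky-prizes", 2995, "US", "prize_claim"),
    Tx(datetime(2015, 3, 1, 10, 3), "payer-06", "lucky-prizes", 2995, "US", "prize_claim"),
    Tx(datetime(2015, 3, 1, 10, 4), "payer-03", "lucky-prizes", 2995, "US", "prize_claim"),
    Tx(datetime(2015, 3, 2, 11, 0), "payer-07", "acme-books", 1_200_000, "CA", "retail"),
]


class TransactionScorer:
    """Stateful scorer: keeps a sliding window of recent payments per payee."""

    def __init__(self, window=timedelta(hours=24), max_inbound=3,
                 identical_fee_payers=3, high_value_cents=500_000,
                 review_at=25, refer_at=50):
        self.window = window
        self.max_inbound = max_inbound                  # velocity: payments per payee per window
        self.identical_fee_payers = identical_fee_payers
        self.high_value_cents = high_value_cents
        self.review_at, self.refer_at = review_at, refer_at
        self._recent = defaultdict(deque)               # payee -> deque[(ts, payer, amount)]

    def _window_for(self, tx):
        dq = self._recent[tx.payee]
        while dq and tx.ts - dq[0][0] > self.window:
            dq.popleft()                                # drop entries older than the window
        dq.append((tx.ts, tx.payer, tx.amount_cents))
        return dq

    def score(self, tx):
        """Return (score, reasons) for one transaction, updating window state."""
        dq = self._window_for(tx)
        score, reasons = 0, []
        # Velocity check: too many inbound payments to one payee in the window.
        if len(dq) > self.max_inbound:
            score += 30
            reasons.append(f"velocity: {len(dq)} payments to {tx.payee} in window")
        # Repeat-victim check: the same payer paying this payee again in the window.
        if sum(1 for _, payer, _ in dq if payer == tx.payer) >= 2:
            score += 20
            reasons.append(f"repeat payer {tx.payer}")
        # Pattern check: many distinct payers sending an identical amount, the
        # signature of a fee-to-claim-your-prize mailing.
        same_fee = {payer for _, payer, amt in dq if amt == tx.amount_cents}
        if len(same_fee) >= self.identical_fee_payers:
            score += 25
            reasons.append(f"{len(same_fee)} payers sent identical amount {tx.amount_cents}")
        # High-value check: a single large payment warrants scrutiny on its own.
        if tx.amount_cents >= self.high_value_cents:
            score += 25
            reasons.append("high value")
        # Product risk: category the processor has classed as high risk.
        if tx.product in HIGH_RISK_PRODUCTS:
            score += 20
            reasons.append(f"high-risk product {tx.product}")
        return score, reasons

    def decide(self, score):
        if score >= self.refer_at:
            return "refer"
        if score >= self.review_at:
            return "review"
        return "clear"


def run(txs, scorer=None):
    """Score a batch in time order; returns [(tx, score, reasons, decision)]."""
    scorer = scorer or TransactionScorer()
    results = []
    for tx in sorted(txs, key=lambda t: t.ts):
        score, reasons = scorer.score(tx)
        results.append((tx, score, reasons, scorer.decide(score)))
    return results


def referrals(txs):
    """(payer, payee, score) for every transaction the anti-fraud unit should see."""
    return [(tx.payer, tx.payee, s) for tx, s, _, d in run(txs) if d == "refer"]


if __name__ == "__main__":
    for tx, score, reasons, decision in run(SAMPLE):
        print(f"{tx.ts:%m-%d %H:%M} {tx.payer:>8} -> {tx.payee:<13} "
              f"{decision:<6} {score:3}  {'; '.join(reasons)}")
```

<p>The fee-to-claim pattern is deliberately the one that fires: four different payers sending an identical amount to one payee within an hour, after which a payer who comes back a second time is referred outright. The weights are arbitrary; in practice they would be tuned against confirmed fraud cases, and the score only routes the transaction, it does not decide guilt.</p>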
<h1><a href="https://iaonline.theiia.org/2019/Pages/The-Opportunistic-CFO.aspx">The Opportunistic CFO</a></h1><p>In 2009, LeBarge Inc., an oil rig company, was growing beyond the size of a typical small business. The owner and CEO, Lou Smith, decided to hire an accounting firm, which recommended that he add an internal auditor to the team to ensure his control environment kept up with the expanding needs of the business. Concerned about the cost of a full-time hire with salary and benefits, Smith decided to forgo the recommendation.</p><p>Each year for the next five years, the accounting firm again recommended that Smith hire an internal auditor. LeBarge continued to grow, but profits were shrinking, and Smith could not understand why. Costs should be going up, but they were growing faster than revenues. The company's chief financial officer (CFO) and Smith's longtime friend, Jennifer Hagan, offered reports showing increased vendor costs and evidence of inflation. None of this made sense to Smith, whose intuition suggested profits should be up $200,000 annually. In 2014, Smith reluctantly agreed to hire veteran internal auditor Corey Ortiz.</p><p>Ortiz joined the company and quickly scoped his first review to the highest-risk area, the general ledger, which was kept in QuickBooks. Ortiz prepared a standard audit program that focused on journal entry and reconciliation controls, system access rights, and segregation of duties. The program included walkthroughs of journal entries to evidence support and authority for the recording processes. Bank reconciliation testing was included to understand the process and follow transactions from the ledger to the reconciliation. The program included pulling and reviewing samples of journal entries and reconciliations to check for completeness, timeliness, support, and authorization. Finally, the plan included obtaining administrative access to QuickBooks through IT and reviewing the roles and rights configured in the system.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Lessons Learned</strong></p><ul><li><p>Companies that expand, whether large or small, are exposed to new risks. Controls designed for the original business often stretch and break. In small companies, daily supervision and involvement by the owners often provides significant control value; as supervision decreases in a growing business, ordinary control weaknesses, such as poor segregation of duties, become glaring opportunities for waste or abuse.</p></li><li><p>Owners of small companies are not risk professionals. Growing companies are rarely prepared to identify and mitigate the expensive risks that come with their new success. Internal auditors are trained risk professionals who give organizations a resource focused on identifying, preventing, and managing these risks.</p></li><li><p>Start with the ledger and work outward. Weak access controls and segregation of duties within financial systems are the root cause of many frauds. Trusting one person to manage the financial resources of any company is a dangerous strategy; it should always be top of mind for an internal auditor and the first place to look.</p></li><li><p>Know the financial system's logging and reporting features, as small systems sometimes lack robust controls. Reviewing reports of changes to fields such as mailing addresses, employee names, and vendor names can lead to early fraud detection.</p></li></ul></td></tr></tbody></table><p>Ortiz wanted to get off to a strong start and help the organization understand the internal audit process. He spent two weeks creating an audit program, scoping memos, and other official communications. He communicated with his stakeholders in polite and professional emails, requesting samples and employee interviews.</p><p>Fieldwork began on the first day of week three. Samples were pulled, and Ortiz started with the IT manager, who was prepared to show him around QuickBooks. At 11:00 a.m., Ortiz stopped the audit and contacted the CEO for an immediate meeting.</p><p>Ortiz explained to Smith that, while reviewing the system administrative rights in QuickBooks, he had found that the CFO, Hagan, was the only person with full access to the system. This meant she could create entries, make payments, and edit all data within the system with no checks and balances. It did not surprise Ortiz that a small company with recent growth had such a glaring segregation of duties issue in its ledger. However, a quick review of the system audit logs for the previous month showed numerous changes to payment fields, which is unusual in the normal course of business. He then checked what the vendor names had been before they were changed in QuickBooks.</p><p>After the meeting with Smith, Ortiz spent the rest of the day working with the IT manager to identify vendor name changes that had occurred over the past year. The next morning, Ortiz and Smith called a meeting with Hagan, and Ortiz asked her to explain each vendor name change. Hagan was clearly uncomfortable but offered an excuse about how the system has errors that sometimes need to be fixed.</p><p>Skeptical of the explanation, Ortiz started the next day by requesting a vendor spending report for the previous year. He then contacted each vendor and asked for an updated billing summary for the same period. When Ortiz compared the reports, he found a $250,000 discrepancy for the past 12 months.</p><p>By the end of the day, Ortiz, Smith, and the human resources manager confronted Hagan with this information. For 15 minutes, she acted surprised and hurt at the accusation. Smith suspended Hagan without pay while the investigation continued. Law enforcement was notified the next day.</p><p>In 2017, Hagan was convicted of embezzling more than $800,000. For five years, she had used the company's financial ledger as her personal checkbook to pay bills and purchase items, later changing the vendor name in the payment information fields to a business-related vendor. By slowly increasing her theft as the business grew, she was able to convince management that the rising expenses were part of the challenges of normal business growth.</p><p>Hagan pleaded guilty to a felony charge of aggregated theft. Before her plea agreement, she paid back half of the money she stole and agreed to pay the rest when her six-month jail sentence concluded. LeBarge has returned to profitability.</p><p><em>Bryant Richards</em></p>
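<p>The two steps that broke the case, reading the system's change log for payee rewrites and then tying the ledger to statements obtained directly from vendors, can be scripted against ordinary exports. The Python below is an added example, not code from the case study and not QuickBooks' own reporting; the CSV layout, vendor master, ledger rows, and vendor statements are constructed for illustration (a real QuickBooks audit-trail export uses different column names).</p>

```python
"""Two checks an internal auditor can script against a small ledger's exports:
(1) pull every rewrite of a payment's payee field from the system audit log and
flag rewrites whose original payee was never an approved vendor; (2) reconcile
what the ledger says was paid to each vendor against the statement the vendor
itself supplies, then test whether the rewritten payments account for the gap.

Added example: not code from the case study and not QuickBooks' own reporting.
The CSV layout, vendor master, ledger rows and vendor statements are
constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed audit-log export: one row per field change.
AUDIT_LOG = """\
changed_at,user,txn_id,field,old_value,new_value
2014-05-02T18:41:00,jhagan,1041,payee,City Electric Co-op,Pipeline Supply Ltd
2014-05-02T18:42:00,jhagan,1042,payee,J Hagan Visa,Pipeline Supply Ltd
2014-05-06T09:15:00,apatel,1050,memo,,Q2 rig maintenance
2014-05-30T19:02:00,jhagan,1077,payee,Lakeside Furniture,Drillco Services Inc
2014-06-01T08:00:00,apatel,1080,amount,1200.00,1250.00
"""

# Constructed approved-vendor master list.
VENDOR_MASTER = {"Pipeline Supply Ltd", "Drillco Services Inc",
                 "Acme Chemicals", "City Electric Co-op"}

# Constructed ledger payments for the period: (txn_id, payee as it reads today, amount).
LEDGER = [
    (1041, "Pipeline Supply Ltd", 6400.00),
    (1042, "Pipeline Supply Ltd", 2150.00),
    (1043, "Pipeline Supply Ltd", 38000.00),
    (1077, "Drillco Services Inc", 3300.00),
    (1078, "Drillco Services Inc", 52500.00),
    (1090, "Acme Chemicals", 9900.00),
]

# Constructed billing summaries obtained directly from each vendor for the same period.
VENDOR_STATEMENTS = {
    "Pipeline Supply Ltd": 38000.00,
    "Drillco Services Inc": 52500.00,
    "Acme Chemicals": 9900.00,
}


def parse_log(text):
    return list(csv.DictReader(io.StringIO(text)))


def payee_rewrites(rows, vendor_master, field="payee"):
    """Every change to the payee field, flagged when the original payee was
    not an approved vendor (a personal creditor rewritten to look like one)."""
    out = []
    for r in rows:
        if r["field"] != field:
            continue
        out.append({
            "txn_id": int(r["txn_id"]),
            "user": r["user"],
            "old": r["old_value"],
            "new": r["new_value"],
            "original_approved": r["old_value"] in vendor_master,
        })
    return out


def reconcile(ledger, statements):
    """Ledger total minus vendor-stated total, per vendor (positive means the
    ledger says more was paid than the vendor says it billed)."""
    paid = defaultdict(float)
    for _, payee, amount in ledger:
        paid[payee] += amount
    return {v: round(paid[v] - statements.get(v, 0.0), 2) for v in paid}


def explain_gaps(gaps, rewrites, ledger):
    """For each vendor, compare its reconciliation gap with the sum of payments
    whose payee was rewritten to that vendor.
    Returns vendor -> (gap, rewritten_total, explained)."""
    amount_by_txn = {txn: amt for txn, _, amt in ledger}
    rewritten = defaultdict(float)
    for rw in rewrites:
        rewritten[rw["new"]] += amount_by_txn.get(rw["txn_id"], 0.0)
    return {v: (gap, round(rewritten[v], 2), abs(gap - rewritten[v]) < 0.005)
            for v, gap in gaps.items()}


if __name__ == "__main__":
    rewrites = payee_rewrites(parse_log(AUDIT_LOG), VENDOR_MASTER)
    for rw in rewrites:
        flag = "" if rw["original_approved"] else "  <-- original payee not an approved vendor"
        print(f"txn {rw['txn_id']} by {rw['user']}: {rw['old']!r} -> {rw['new']!r}{flag}")
    gaps = reconcile(LEDGER, VENDOR_STATEMENTS)
    for vendor, (gap, rewritten, ok) in explain_gaps(gaps, rewrites, LEDGER).items():
        print(f"{vendor:<22} gap {gap:>9.2f}  rewritten payments {rewritten:>9.2f}  "
              f"{'explained' if ok else 'unexplained'}")
```

<p>The last function is the point: when the rewritten payments to a vendor add up to exactly the gap between the ledger and that vendor's own statement, the change log has explained the discrepancy, which is the evidence an auditor takes into the meeting. A payee rewrite whose original value was never on the approved-vendor list (a personal creditor, a card issuer) is the highest-priority line in the report.</p>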
<h1><a href="https://iaonline.theiia.org/2019/Pages/The-Cover-up.aspx">The Cover-up</a></h1><p>Detectives in New South Wales, Australia, allege that a senior manager at Commonwealth Bank covered up an employee's theft so that his own fraud would not be detected, <a href="https://www.smh.com.au/national/nsw/bank-manager-hid-employee-s-fraud-to-hide-his-own-500-000-fraud-police-say-20190522-p51pzu.html" target="_blank"><em>The Sydney Morning Herald</em> reports</a>. Police say Lee Zaragoza discovered that the employee had made 107 fraudulent transactions totaling AU$64,000 ($43,980) from the bank's internal accounts in 2015 and 2016.</p><p>Rather than reporting the fraud, Zaragoza encouraged the employee to repay the money. Police allege that he did so because an investigation might have uncovered his own separate fraud: he had redirected AU$463,240 ($318,327) into his personal account over a five-year period. An internal investigation by Commonwealth Bank uncovered both frauds in December, and the bank reported Zaragoza to the police.</p><h2>Lessons Learned</h2><p>This story highlights how fraudsters in the same organization can coexist and multiply the financial harm they cause. It also demonstrates the need for organizations to regularly audit their internal controls over cash disbursements as well as their human resource controls.</p><p>Cash disbursement schemes can be difficult to detect, even when the organization has traditional segregation of duties in the disbursement process and performs monthly reconciliations. A recurring theme in many of these schemes is inappropriate payments to fictitious or disguised recipients.</p><p>In some cases, all a fraudster needs to do is add a recipient to the list of regular, legitimate payees under a name that closely resembles an existing one: the name may be misspelled, padded with extra letters, or given a suffix such as "Inc." or "Co." Other methods include altering payment processing data such as account and wire routing numbers.</p><p>Here are some of the basic strategies organizations need in place:</p><ul><li><p><strong>Regularly review and verify the listing of disbursements.</strong> When was the last time someone not directly involved in the cash disbursements process reviewed the listing of transactions for unusual items? If the organization is not conducting this review at least semi-annually, it may be leaving the door open to fraud or error.</p><p>This review may be time-consuming at first, but subsequent reviews should be shorter once the initial clean-up has occurred and the reviewer has become familiar with the names and types of legitimate recipients.</p><p>Internal auditors should examine the listing with names, addresses, and any other identifying information, together with the history of invoices and payment amounts made to each recipient over a specified period. Auditors should look for multiple recipients with similar names but slight variations, multiple payments of the same invoice number or the same dollar amount, and unfamiliar recipient names that cannot be found in an internet search.</p><p>In addition, auditors should seek out addresses that appear to be personal home addresses, and employees with significant payment activity outside the usual approved expense reimbursements. Reviewers should contact suspicious recipients, or at least a sample of them, to confirm their validity.</p></li><li><p><strong>Review the transaction approval limit controls.</strong> In the story, the bank manager allegedly stole almost AU$500,000 in 90 transactions between 2013 and 2018, an average of about AU$5,000 per theft. If he was doing this on his own authority, that delegation of power should be reviewed. A second level of required approval, coupled with a lower dollar authority limit, even if temporary, might help to deter and detect this kind of fraud.</p></li><li><p><strong>Review listing controls over disbursements.</strong> Who has access to make changes to the vendor listing? Is there an approval process for changes to the system?</p><p>The person updating the listing should be different from the person who inputs the payments to be made. Before new recipients are added to the listing, particularly recurring ones, someone outside the payments area, such as management, should review them. If the accounting system has reporting capability, the report of monthly additions and edits to the list should be reviewed.</p></li><li><p><strong>Review the electronic payments process.</strong> Although the story does not detail how the two Commonwealth Bank employees allegedly stole the funds, the electronic payments process is the likely target. That is why appropriate segregation of duties in the electronic payments process is essential to restrict last-minute or unusual changes that redirect disbursement funds.</p><p>Internal auditors should walk through the electronic payment process and check that the person who enters the data is different from the person who approves it before submission. Additionally, the organization should implement a feature that automatically generates an email after each payment showing the amount and recipient. The email should go to someone in management, central accounting, or internal audit who is not involved in generating electronic payments.</p></li><li><p><strong>Review and strengthen human resource controls over employee background checks and job transfers.</strong> Regular background checks and updates can help uncover lifestyle changes funded by fraudulent activity. Requiring employees to rotate out of areas that handle large financial transactions after a minimum number of years also can help remove the temptation, if not the motivation, for fraud.</p></li></ul><p><em>Art Stewart</em></p>
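<p>The listing review described in the first bullet can be automated for the patterns the column names: near-duplicate recipient names, a shared invoice number or amount across recipients, the same invoice paid twice, and residential-looking addresses. The following Python is an added example, not code from the column or from Commonwealth Bank; the vendor and payment records are constructed, and the similarity threshold, suffix list, and address pattern are assumptions.</p>

```python
"""Review of a disbursement listing for the patterns the column lists: vendor
names that differ only by a typo or a suffix such as "Inc." or "Co.", the same
invoice number or amount paid to more than one recipient, the same invoice
paid twice, and payment addresses that look residential.

Added example, not code from the column or from any bank; the vendor and
payment records are constructed and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed vendor master and payment listing.
VENDORS = [
    {"id": "V100", "name": "Harbour Cleaning Services", "address": "12 Wharf Rd, Sydney NSW"},
    {"id": "V101", "name": "Harbour Cleaning Services Co.", "address": "Apt 7, 45 Bay St, Sydney NSW"},
    {"id": "V102", "name": "Northside Stationery", "address": "3 Mill Lane, Chatswood NSW"},
    {"id": "V103", "name": "Northsidee Stationery Pty", "address": "PO Box 88, Chatswood NSW"},
    {"id": "V104", "name": "Telstra", "address": "242 Exhibition St, Melbourne VIC"},
]
PAYMENTS = [  # (vendor_id, invoice_no, amount)
    ("V100", "INV-2201", 4800.00),
    ("V101", "INV-2201", 4800.00),
    ("V102", "INV-0555", 910.00),
    ("V103", "INV-0555", 910.00),
    ("V104", "BILL-9", 1240.10),
    ("V101", "INV-2207", 4800.00),
    ("V101", "INV-2207", 4800.00),
]

# Legal-form suffixes a fraudster appends to a legitimate name (assumed list).
SUFFIXES = {"inc", "co", "corp", "corporation", "company", "ltd", "limited", "llc", "pty", "plc"}
# Tokens that suggest a residence or a mail drop rather than business premises (assumed).
RESIDENTIAL = re.compile(r"\b(apt|apartment|unit|flat|p\.?o\.? box)\b", re.IGNORECASE)


def normalize_name(name):
    """Lower-case, strip punctuation, drop legal-form suffix tokens."""
    tokens = re.sub(r"[^\w\s]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)


def similar_vendors(vendors, threshold=0.85):
    """Pairs whose normalized names are identical or nearly so."""
    pairs = []
    for a, b in combinations(vendors, 2):
        ratio = SequenceMatcher(None, normalize_name(a["name"]),
                                normalize_name(b["name"])).ratio()
        if ratio >= threshold:
            pairs.append((a["id"], b["id"], round(ratio, 3)))
    return pairs


def duplicate_payments(payments):
    """Same invoice paid twice to one vendor, one invoice number paid to several
    vendors, and one amount paid to several vendors."""
    by_key = defaultdict(int)                   # (vendor, invoice) -> count
    vendors_by_invoice = defaultdict(set)
    vendors_by_amount = defaultdict(set)
    for vendor, invoice, amount in payments:
        by_key[(vendor, invoice)] += 1
        vendors_by_invoice[invoice].add(vendor)
        vendors_by_amount[round(amount, 2)].add(vendor)
    return {
        "repeated_invoice": [k for k, n in by_key.items() if n > 1],
        "shared_invoice": [inv for inv, vs in vendors_by_invoice.items() if len(vs) > 1],
        "shared_amount": [amt for amt, vs in vendors_by_amount.items() if len(vs) > 1],
    }


def flag_addresses(vendors):
    """Vendor ids whose payment address matches the residential/mail-drop pattern."""
    return [v["id"] for v in vendors if RESIDENTIAL.search(v["address"])]


def review(vendors, payments):
    return {"similar_names": similar_vendors(vendors),
            **duplicate_payments(payments),
            "residential_addresses": flag_addresses(vendors)}


if __name__ == "__main__":
    for check, hits in review(VENDORS, PAYMENTS).items():
        print(f"{check}: {hits}")
```

<p>Normalizing names before comparing them matters more than the similarity ratio: stripping "Co." makes the first pair identical, while the ratio catches the extra letter in the second. Every hit is a lead for the reviewer to confirm with the recipient, not a finding on its own.</p>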
<h1><a href="https://iaonline.theiia.org/2019/Pages/The-Digital-Land-Grab.aspx">The Digital Land Grab</a></h1><p>A South Carolina technology company faces charges of fraudulently obtaining more than 750,000 Internet Protocol addresses, <a href="https://www.postandcourier.com/business/alleged-sc-tech-fraud-was-all-about-making-the-numbers/article_9e5cefda-767e-11e9-8814-832e9b3aa499.html" target="_blank"><em>The Post and Courier</em> reports</a>. U.S. federal prosecutors accuse Charleston, S.C.-based Micfo LLC and its CEO Amir Golestan of using at least 11 businesses to acquire the address blocks from the American Registry for Internet Numbers (ARIN) Ltd.</p><p>These 32-bit addresses allow computers, mobile phones, and other devices to connect to internet sites. However, ARIN's free pool of unallocated IPv4 addresses was exhausted in 2015, making unused addresses a hot commodity. ARIN said Micfo's businesses sent legitimate-looking requests, complete with notarized documents and links to "sophisticated" websites.</p><h2>Lessons Learned</h2><p>The topic of this story may seem technical, but what happened in this case is a significant contributor to the worldwide increase in internet scams. In the early days of the internet, Internet Protocol version 4 (IPv4) addresses (e.g., 4.4.4.4) were given out to essentially anyone who asked. A 32-bit address space allows 2<sup>32</sup>, roughly 4.3 billion, distinct addresses, which once seemed more than enough.</p><p>More recently, Internet Protocol version 6 (IPv6) has been introduced to alleviate the shortage, but during this transition period, while networks move from IPv4 to IPv6, the v4 addresses have monetary value. ARIN was created to oversee IP addresses assigned to entities in the U.S., Canada, and parts of the Caribbean. The nonprofit now is fighting a wave of shady brokers who secure new IP address blocks under false pretenses and then resell them to spammers.</p><p>It is commendable that ARIN personnel eventually detected the 11 phony companies and the sales of thousands of illegally obtained IPv4 addresses. And the registry's website contains references to fraud detection and prevention as well as to its due diligence processes. For example, ARIN's Registration Services Department staff reviews all requests for resources and address transfers. Ultimately, it was ARIN's practice of requiring notarized documents for allocations and transfers that gave authorities the documentary evidence needed to demonstrate fraud and intent.</p><p>However, industry experts such as John Levine, author of <em>The Internet for Dummies</em> and a member of the Security and Stability Advisory Committee at the Internet Corporation for Assigned Names and Numbers, say ARIN does not have a reputation for going after IP address scammers. Given how valuable IPv4 space is, ARIN has to be more vigilant, because the incentive for crooks to defraud the registry is very high.</p><p>This is a challenge ARIN did not originally have to face. It was created in the context of the move to open up the internet to many more institutions and people, and away from its origins with the U.S. Defense Advanced Research Projects Agency. Checking the validity of every IP address application and transfer may require much greater use of data analytics to detect red flags. ARIN may need to move away from its nonprofit orientation toward a more regulatory position, supported by government and business together.</p><p>One specific area where a more regulatory stance could help is ARIN's annual validation exercise. Criminals look for dormant ARIN records and try to establish themselves as the rightful administrator. The registry has more than 30,000 legacy network records but a validated point of contact for only 54 percent of those networks. The remaining networks are ripe for targeting by hijackers who want to establish legitimacy with ARIN so they can find a buyer for the unused IPv4 addresses held by dormant legacy networks. Requiring a prompt response to validate contact information could help here, particularly if coupled with a delisting consequence for nonresponse.</p><p><em>Art Stewart</em></p>
<h1><a href="https://iaonline.theiia.org/2019/Pages/Fuel-for-Fraud.aspx">Fuel for Fraud</a></h1><p>A U.S. federal court has convicted a Pennsylvania biofuel entrepreneur of fraudulently receiving $5 million in government subsidies and claiming $9 million in environmental tax credits, <a href="https://www.mcall.com/news/police/mc-nws-bethlehem-renewable-energy-entrepreneur-fraud-trial-verdict-20190501-3tuewlsjcjempi4c62vfmzvtwy-story.html" target="_blank"><em>The Morning Call</em> reports</a>. Greenworks Holdings, owned by David Dunham Jr. and his business partner Ralph Tommaso, collected used cooking oil to produce fuel for vehicles and buildings.</p><p>Witnesses at Dunham's federal trial testified that Dunham and Tommaso inflated the amount of fuel the company produced in reports to the Department of Agriculture, the Environmental Protection Agency (EPA), and the Internal Revenue Service. Witnesses also alleged that the two men claimed environmental credits for wastewater from the refining process and for loads of fuel that Greenworks never processed. Tommaso, who pleaded guilty in 2017 to a conspiracy charge, testified against Dunham.</p><h2>Lessons Learned</h2><p>Whenever a new technology, process, or program emerges, fraudsters are never far behind in finding ways to profit from it illegally. In this case, government-funded biofuel subsidy programs already have a lengthy history of fraudulent activity.</p><p>One need look no farther than the <a href="https://advancedbiofuelsusa.info/tag/fraud/page/2/" target="_blank">Advanced Biofuels USA website</a> to find more than 100 cases of fraud. There is even a case in which a Canadian company used railway cars to ship the same biofuel back and forth across the U.S. border multiple times, illegally claiming the biofuel subsidy for the same shipment on each crossing.</p><p>The overall design and controls of the U.S. subsidy program are not working well. Recent news stories report that the EPA will reduce the ambitious biofuel targets for oil refiners that were set in 2007. Part of the reasoning behind the revised targets is that the biofuel industry is lagging in meeting them.</p><p>However, the EPA also has recognized that there are insufficient program controls over the $9 billion market in biofuel compliance credits, in particular a lack of transparency and the potential for manipulation. Fixes involve imposing stricter limits on a key program eligibility control: who can trade renewable identification numbers (RINs). RINs are the credits refiners use to prove they have satisfied the U.S. biofuel mandate.</p><p>Increased reliance on audit work to verify biofuel subsidies also is needed. Commendably, the biofuel industry is now taking steps toward self-policing and regulation. Small biodiesel producers, who make up a large proportion of producers, have brought in an outside audit firm to authenticate fuel production in the hope of reducing the amount of fraud occurring in the RIN market.</p><p>This RIN integrity program offers a subscription service to biodiesel producers and buyers to verify that RINs come from biofuel plants that actually produce the alternative fuel. Among the control measures, producers must sign up for independent verification of their RINs and consent to a site visit by an outside auditor to verify that the producer is capable of generating the biofuel it reports. Voltage monitors and camera surveillance also are used to verify biofuel production. The results are published to a website where buyers can look up the producer of prospective RINs.</p><p>These measures may help turn around the fraud problem. It is worth noting that Natural Resources Canada cancelled a similar biofuel subsidy program in 2017, citing some of the same fraud issues the U.S. has experienced. The department's assessment of the program may yield lessons that could help the U.S. program prevent further fraud, including:</p><ul><li><p><em>Risk:</em> Programs should regularly strengthen risk identification and mitigation to assess emerging risk areas. In managing grants and subsidies, they should ensure that project-level risk assessments reflect changes attributable to the performance of those being subsidized.</p></li><li><p><em>Program design:</em> When designing a program in support of a nascent industry, where market determinants are difficult to predict and control, officials should build in and clearly communicate periodic checkpoints and opportunities to make corrections. Agreements to fund projects should be specific, precise, and supported by verifiable information. Program officials also should formally update performance frameworks.</p></li><li><p><em>Program monitoring:</em> Programs should tailor their monitoring to the nature and type of organization being subsidized.</p></li></ul><p><em>Art Stewart</em></p>
<h2><a href="https://iaonline.theiia.org/2019/Pages/The-Social-Engineering-Fraud.aspx">The Social Engineering Fraud</a></h2>
<p>Kai Tang was working late on Dec. 25. It was year-end, so activity in the company was picking up, keeping the controller of the thriving Singapore distributor of a large U.S. manufacturer busy. Because it was a holiday in the U.S., Tang knew he would not be interrupted by inquiries and requests from corporate headquarters. Although the corporate controller and the chief financial officer (CFO) rarely visited him in person, they frequently emailed him with questions and called only on urgent matters because of the time difference. In addition, internal auditors had visited his subsidiary the month before — without raising issues — and a visit from the external auditors was due in January.</p>
<p>Tang suddenly received an email from the company CEO notifying him of a building purchase for a new office location in Asia. The email stressed the urgency of wiring money to close the deal. Tang rarely communicated with the CEO directly, but he knew the CEO had a bad temper and did not tolerate being questioned or challenged.</p>
<p>As Tang considered how to contact his general manager — who was on a plane — and how, and whether, to reach the company's CFO at home on Christmas, his phone rang. The caller introduced himself as a senior manager at the company's external audit firm. He stated that he was working with the CEO on this urgent purchase and that any delay of the wire would jeopardize the whole deal. Though his head was spinning and he had lingering questions, Tang hurriedly prepared the $100,000 wire, confirmed the account information, and clicked "send." The request turned out to be a scam, and the company never recovered the funds.</p>
<p>The next month in the boardroom, as the multinational company tried to understand how it had fallen victim to such a trite, albeit somewhat sophisticated, scam, board members asked, "What questions did we not ask that could have prevented this?" Several factors were identified as contributing to this perfect storm of a failure, including national culture, which came up more than once.</p>
<p>Dutch social psychologist Geert Hofstede found that six cultural dimensions are at play in the global marketplace. One of them is the Power Distance Index (PDI), which measures the distribution of power — and wealth — between individuals in a business, culture, or nation. In a country like Singapore, where a stronger hierarchy of authority exists, it is common for subordinates to follow the whims of an authority figure. As a general rule, subordinates in high-PDI cultures are less likely to question their superiors than those in low-PDI cultures and organizations, where authority figures work more closely with subordinates and it is more acceptable to challenge authority.</p>
<table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">
<p><strong>Lessons Learned</strong></p>
<ul>
<li>Following the letter of the control description is not enough. Ask whether the control actually achieves its objective, regardless of whether the description was followed, and revise the description if necessary.</li>
<li>Company management should work with outside vendors, such as banks, to automate controls.</li>
<li>Management or expert consultants should train employees to recognize and identify phishing schemes. The training should be comprehensive and frequent.</li>
<li>When working in a multinational environment, learn about national culture, identify traits that might facilitate fraud, design more robust controls if needed, and provide additional coaching to employees.</li>
<li>Management should create a support structure and invest time in establishing personal relationships with foreign employees to cultivate trust.</li>
</ul>
</td></tr></tbody></table>
<p>Dessalegn Getie Mihret of Deakin University in Australia conducted a study of 66 countries testing the association between national culture dimensions and exposure to fraud. His research suggests high fraud risk exposure in countries with high PDI. This was a case of external fraud, but a fraud nonetheless. In Tang's case, this cultural dimension had a double effect. Tang, being from Singapore, a high-PDI culture, was uncomfortable challenging the request of the person he perceived to hold the highest authority. The CEO of the company was from Albania, another high-PDI culture, and was infamous for not tolerating any challenge to his authority. This created a culture of fear within the company. Nobody wanted to be reprimanded by the CEO, who was known to yell at and belittle his employees in public.</p>
<p>Another factor in this perfect storm of breakdowns was the absence of trusted advisors within the company with whom Tang could consult in a time of doubt. Because it was a holiday, Tang did not feel comfortable contacting any of his supervisors in the U.S. He did not have a close enough relationship with any of them and felt he would be bothering them. Trust is paramount in relationships, especially in Asia, and it takes an investment of time to build. None of the U.S. managers invested time in creating close connections with their Singaporean colleagues.</p>
<p>Whaling is a type of attack that uses email or website spoofing to trick the target into performing a specific action, which in this case was having the controller transfer money to an account. Cybercriminals pose as senior figures within an organization and target other important individuals at the organization with the goal of stealing money or sensitive information, or gaining access to computer systems. Specifically, whaling targets key people with what appears to be a communication from someone senior or influential — such as the CEO — with a request that staff are reluctant to refuse.</p>
<p>Internal controls are meant to prevent such losses, but the existing system proved ineffective in overcoming such a strong cultural influence. In fact, the controls proved to be poorly designed for any kind of culture. The only control over bank wires was written as:</p>
<p><span class="ms-rteStyle-BQ">Wire transfers are submitted on the bank website. For wire payments, all the backup is given to an authorized signer, the controller/general manager/finance manager for electronic approval on the bank website.</span></p>
<p>Every time this control was tested during an internal audit, the controller was able to produce the documents of the secondary approval by the general manager. The letter of the control was followed. The internal auditors never asked, "Would it be theoretically possible for one person to approve and send the wire on the banking website?" Evidently, the bank website did not enforce a secondary approval, so a single user could both submit and release the wire.</p>
<p>Additionally, there was a breakdown in IT security controls. The email was clear evidence of a successful phishing scheme in which an attacker posed as a reputable person with the intent to defraud the organization. Adequate training to educate employees is critical to preventing these attacks and was obviously lacking in Tang's case.</p>
<p>Anna Howard</p>
<h2><a href="https://iaonline.theiia.org/2019/Pages/Books-Bring-Down-the-Mayor.aspx">Books Bring Down the Mayor</a></h2>
<p>Baltimore Mayor Catherine Pugh resigned last week amid an investigation into deals involving her self-published children's books, <a href="https://www.baltimoresun.com/news/maryland/baltimore-city/bs-md-pugh-resigns-20190502-story.html" target="_blank"><em>The Baltimore Sun</em> reports</a>. The newspaper has published a series of articles detailing allegedly inappropriate deals. For example, Pugh sold tens of thousands of copies of her books to the University of Maryland Medical System (UMMS) while she was a member of that organization's board. More recently, the paper found evidence that health insurer Kaiser Permanente had purchased Pugh's books at a time when the company was bidding for a $48 million city contract, which it eventually won.</p>
<p>Pugh is the second Baltimore mayor to resign from office following a scandal in this decade. In her rise to the office, Pugh was "once seen as a more ethical option in a city with a history of wrongdoing by politicians," <em>The Sun</em> noted.</p>
<h3>Lessons Learned</h3>
<p>In the wake of Mayor Pugh's resignation, Maryland's Office of the State Prosecutor has launched an investigation. In the meantime, the Baltimore City Council, UMMS, and the companies that bought copies of Pugh's books should review and strengthen the policies and controls that may have contributed to the allegedly inappropriate sales. Internal auditors in those organizations can assist and advise by reviewing these areas:</p>
<ul>
<li><strong>Organizations should review and strengthen conflict of interest/code of conduct rules, processes, and compliance testing.</strong> How was a board member able to sell copies of her book to UMMS without raising any red flags? How was the mayor able to sell books to companies that had contractual relationships with the City of Baltimore and UMMS?<br><br>Had such questions been asked, those two organizations should have thoroughly reviewed these situations under a clear ethics office/code of conduct regime, supported by audit work as necessary. Perhaps an additional question for the Maryland State Prosecutor's Office to consider is whether similar situations exist within other state and municipal institutions where conflict of interest/ethics rules need strengthening.</li>
<li><strong>UMMS and the state prosecutor should review grants and contracting regimes and practices.</strong> <a href="https://nationalpost.com/pmn/news-pmn/secluded-baltimore-mayor-to-make-announcement-amid-scandal" target="_blank">An Associated Press article</a> reports that Pugh and UMMS did not have a contract in place for the $500,000 purchase of copies of her books. Also, some book purchases were classified as "grants" in filings to the federal government.<br><br>Again, whether other state institutions have similar control weaknesses needs review and investigation. Recognizing the systemic nature of the problem, the State of Maryland passed a new law in April that bars board members of state institutions from receiving contracts without a bidding process. That law also prohibits board members from leveraging their position on the board for personal gain.<br><br>Other companies reportedly purchased significant numbers of copies of Pugh's books. While no particular wrongdoing has been disclosed thus far, those companies should review their own ethics, conflict of interest, and contracting regimes for potentially inappropriate relationships, conduct, and "pay for play" schemes.</li>
<li><strong>There need to be consequences for wrongdoing, including negligence and poor management, when and where it is found.</strong> Those consequences, where applied, also need public dissemination as a deterrent. Baltimore Mayor Pugh has already resigned, and UMMS CEO and President Robert Chrencik also has stepped down. Other individuals may face consequences as federal and state investigations are completed. These investigations may extend beyond the direct circumstances involving former Mayor Pugh.</li>
</ul>
<p>Art Stewart</p>
<h2><a href="https://iaonline.theiia.org/2019/Pages/Diagnosing-Health-care-Fraud.aspx">Diagnosing Health-care Fraud</a></h2>
<p>A U.S. federal court jury has convicted a Florida nursing home operator of carrying out the largest health-care fraud scheme prosecuted in the U.S., <a href="https://www.bloomberg.com/news/articles/2019-04-05/man-who-bribed-son-into-penn-guilty-in-1-3-billion-health-fraud" target="_blank">Bloomberg reports</a>. Federal prosecutors charged Philip Esformes with 20 counts of bribing doctors to admit patients to facilities he operated, laundering money, and receiving kickbacks. Prosecutors say Esformes' facilities fraudulently billed Medicare and Medicaid more than $1.3 billion between 1998 and 2016, with Esformes receiving at least $37 million.</p>
<h3>Lessons Learned</h3>
<p>Another attempt to reform the U.S. health-care regime appears to be on the horizon. Whatever system is adopted, it needs a strong focus on continuously strengthening controls over fraudulent activity, whether by physicians, health-care professionals, operators of health-care facilities, or patients.</p>
<p>The U.S. Department of Health and Human Services (HHS) and its Office of the Inspector General are taking a disciplined, systematic approach to the department's fraud risk assessment and detection activities. Here are some suggestions to strengthen these efforts.</p>
<ul>
<li><strong>Enhanced data analysis and data quality.</strong> Medicare and Medicaid are making billing and claims data available more quickly and efficiently, giving law enforcement increased access to data — including real-time data. This data also helps focus enforcement resources on high-risk geographic, organizational, and individual cluster groups.<br><br>Authorities perform risk scoring of Medicare claims billing and payment, and test predictive models. This kind of data needs to be assessed carefully to identify cases where clusters of physicians refer patients to the same health-care provider.<br><br>Moreover, investigators, data analysts, clinicians, and subject-matter experts work on cases in a multidisciplinary environment. There also needs to be a continuing emphasis on enterprisewide improvements in the accuracy and availability of data for Medicaid program integrity and oversight.</li>
<li><strong>Whistleblower programs.</strong> While HHS clearly has whistleblower programs in place, it is not clear to what extent these programs are contributing to its overall fraud prevention and detection effectiveness. It also is not apparent how the programs might be reviewed for improvements. Results from a recent pilot program to estimate the overall probable level of program fraud have been delayed.</li>
<li><strong>Enrollment and payment controls.</strong> HHS should continue to implement stronger measures to screen providers and suppliers on the basis of fraud risk, with three risk levels for providers (limited, moderate, and high). The department should add the target population to this determination of risk level. For example, elderly and infirm individuals are typically more susceptible to fraudulent exploitation.<br><br>One goal of such assessments is to identify ineligible providers or suppliers before they are enrolled or revalidated, by conducting provider site visits. HHS can do this by increasing the scope and coverage of visits to high-risk providers and suppliers such as nursing homes and assisted-living facilities, independent diagnostic testing facilities, and outpatient rehabilitation providers.<br><br>Matching billing data to payment data also is important. Increasing the frequency of surprise, out-of-cycle site visits will enhance the effectiveness of this element in detecting potential fraud. Surprise visits alone are not enough, however: HHS should also audit facilities and their records, particularly where the provider has been operating for a long time.</li>
<li><strong>Human resources management.</strong> Related to inspections, surprise or not, there should be policies and processes in place to review the placement and rotation of inspectors according to a risk-based assessment. In addition, HHS should regularly update background checks of inspectors to uncover suspicious lifestyle changes.</li>
</ul>
<p>Art Stewart</p>
<h2><a href="https://iaonline.theiia.org/2019/Pages/Whistleblower-Shines-Light-on-Fake-Data.aspx">Whistleblower Shines Light on Fake Data</a></h2>
<p>Duke University has settled a whistleblower lawsuit alleging that university researchers falsified data to win U.S. government research grants, <a href="https://www.npr.org/2019/03/25/706604033/duke-whistleblower-gets-more-than-33-million-in-research-fraud-settlement" target="_blank">National Public Radio reports</a>. The lawsuit, brought by researcher Joseph Thomas, accused a Duke University Health Services clinical director of faking data from a lung function study between 2006 and 2018. That data enabled the university to win and retain grants from the Environmental Protection Agency and the National Institutes of Health (NIH). Further, the lawsuit alleged that university officials ignored signs of possible fraud. To settle the suit, Duke will pay the federal government $112.5 million, with Thomas receiving $33.75 million.</p>
<h3>Lessons Learned</h3>
<p>Whistleblower programs are among the most effective fraud-detection methods, but a $33 million payout to one individual is a steep price for discovering research and data fraud. Here are some other measures that research organizations and grant providers could take to reduce fraud risk.</p>
<ul>
<li><strong>Increase understanding of how statistics and methodologies can be misused.</strong> Combining this understanding with random audits of research labs could be an affordable way to help deter data fraud and improve research quality. An October 2018 article, <a href="/2018/Pages/The-Fall-of-the-Food-Researcher.aspx">"The Fall of the Food Researcher,"</a> discussed how internal auditors can better equip themselves to detect the misuse of research data and methodology.<br><br>Further insight into this risk comes from a 2018 <a href="https://journals.plos.org/plosone/article/file?id=10.1371/journal.pone.0195613&type=printable" target="_blank">study</a> by the Queensland University of Technology School of Public Health and Social Work, in Brisbane, Australia. The study discusses how the "publish or perish" incentive drives many researchers to increase the quantity of their papers at the cost of quality. That, in turn, increases the number of false-positive findings, which makes it challenging for other researchers to reproduce the results. The study, using simulation techniques, found that auditing just 1.35% of papers avoided the competitive spiral of false positives in 71% of cases. While fraud was not the primary focus of the research, this type of audit could be a worthwhile investment in fraud deterrence.</li>
<li><strong>Regulators, overseers, and professional organizations should continuously update their guidance, enforce laws, and promote awareness of the false research problem.</strong> In March 2018, the NIH began subjecting Duke's grants to stricter oversight, including requiring Duke researchers to obtain prior approval for any modifications to new and existing grants. Moreover, any application for a grant worth less than $250,000 per year must include detailed budgets justifying the costs.<br><br>University organizations themselves could do more to highlight and take action against false research. For example, the Association of College & University Auditors' website currently does not have information about the research fraud issues of the Duke case.</li>
<li><strong>The consolidation of research and knowledge-sharing capacity about academic fraud must be strengthened continually.</strong> One useful resource for internal auditors is the <a href="http://auditingresearchsummaries.org/" target="_blank">Audit Research Summary (ARS) Database</a>, developed and maintained by the American Accounting Association. ARS contains executive summaries of approximately 700 academic audit research studies that have been published in peer-reviewed academic journals since 2005. The free database is intended to disseminate research findings to audit stakeholders in a timely manner and foster a productive dialogue about issues facing the academic and audit professions. Additionally, it can help identify new and persistent issues that need further investigation.<br><br>ARS is organized topically and can be searched using keywords. The summaries are written to facilitate quick and easy consumption, and avoid academic jargon and statistical analyses. The database is available via Facebook, LinkedIn, and Twitter.</li>
</ul>
<p>Art Stewart</p>
