Fraud

Internal Audit and Fraud Riskhttps://iaonline.theiia.org/blogs/marks/2017/Pages/Internal-audit-and-fraud-risk.aspxInternal Audit and Fraud Risk<p>Are internal auditors obsessed with fraud?</p><p>Are they terrified that a fraud might be uncovered and that management and the board would ask "where was internal audit?"</p><p>There is some merit to each of these. But does it mean that every audit department should have fraud risk toward the top of its risk-ranked audit plan?</p><p>Okay, the Association of Certified Fraud Examiners' annual surveys put the risk of fraud at around 5 percent of revenue every year. But that statistic should be viewed with caution. For example, it includes the risk that employees will use corporate assets like laptops for their personal use. Few individual frauds amount to more than $100,000, so to get to 5 percent of revenue you have to assume that many, if not most or even all, possible frauds occur. Is that likely?</p><p>In fact, few organizations are brought down or even materially impacted by fraud.</p><p>Let's consider some sources of risk that may be found at many, if not most, organizations:</p><ul><li>The effectiveness of risk management.</li><li>The quality of information used in decision-making.</li><li>Strategy-setting.</li><li>The decision to acquire or divest a business.</li><li>The ability to successfully develop and introduce new products and services.</li><li>The ability to identify the value of and then deploy new technology.</li><li>Cybersecurity.</li><li>Customer satisfaction and product/service quality.</li><li>Marketing.</li><li>Hiring, retention, and development of people.</li><li>The effectiveness of the management team.</li><li>The effectiveness of the board.</li><li>The ability of IT to meet the needs of the business.</li><li>The completion of major projects on time and within budget.</li><li>Efficient procurement.</li><li>Management of the sales pipeline.</li><li>Sales contracting.</li><li>Revenue recognition.</li><li>Tax.</li></ul><p>Now where would fraud risk rank among these — and I am sure your organization would have other high-risk areas?</p><p>Have a look at the following from The IIA:</p><ul><li><a href="https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx" target="_blank">The Definition of Internal Auditing</a>.</li><li><a href="https://na.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx" target="_blank">The Mission of Internal Audit</a>.</li><li><a href="https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx" target="_blank">The Core Principles for the Professional Practice of Internal Auditing</a>.</li></ul><p>Can you find the word "fraud" in any of the above?</p><p>Internal audit cannot ignore fraud, but it should not be obsessed with it either. We should understand the level of risk, give it an appropriate level of attention, and then explain that to the board and top management. After all, it is, or should be, management's responsibility to prevent and detect fraud. We can help by providing assurance that they are managing the risk of fraud, but it is theirs to manage, not ours.</p><p>If the audit committee insists that we have a larger role, then fine. But they should understand that this would mean diverting our scarce resources away from higher-risk areas.</p><p>I agree that internal audit should align its work with the interests and desires of the board. But those interests and desires should be educated ones. One of the duties of the chief audit executive is to help the board understand the role and capabilities of internal auditing.</p><p>Our work should be driven by risks to the enterprise as a whole, what I refer to in my book, <a href="https://www.amazon.com/Auditing-that-matters-Norman-Marks/dp/1537662023/ref=asap_bc?ie=UTF8" target="_blank"><em>Auditing That Matters</em></a>, as enterprise risk-based auditing.</p><p>Do you agree or disagree?</p><p>I welcome your comments.</p>Norman Marks0
The Corporate Impostorhttps://iaonline.theiia.org/2017/Pages/The-Corporate-Impostor.aspxThe Corporate Impostor<p>A Lithuanian man has been arrested on charges of impersonating a Taiwan-based electronics manufacturer to carry out a $100 million fraud scheme, <a href="http://fortune.com/2017/03/27/taiwan-quanta-fraud-impersonation/" target="_blank" style="background-color:#ffffff;"><em>Fortune</em> reports</a>. According to U.S. federal prosecutors, Evaldas Rimasauskas impersonated Quanta Computer to trick two U.S. tech companies into wiring money to accounts he controlled, under the company's name, in Cyprus and Latvia. He allegedly sent the U.S. companies forged invoices, contracts, and letters signed by executives from their companies. Quanta Computer acknowledged that its name had been used in the crimes, but says it did not suffer financial harm. U.S. federal prosecutors say much of the money has been recovered, and Rimasauskas is in jail in Lithuania awaiting extradition to the U.S. for trial.</p><h2>Lessons Learned</h2><p>Spoofing — impersonating an email sender's identity — is forgery. It is now a common way to perpetrate fraud, and such attacks are becoming increasingly sophisticated and credible-looking. Spoofing involves four main strategies: impersonation (as in this story), hackers infecting computers, phishing, and spamming. In cases of impersonation, the headers of these emails are typically crafted so that the message appears to have been sent from the account owner's email server or another trusted source, rather than from the spoofer's email server. Simple Mail Transfer Protocol (SMTP) is the most frequently used method to send outgoing email, but SMTP does not require authentication of the sender. While there is no foolproof method, here are some suggestions for better preventing and combating this kind of fraud:</p><ul><li><p><strong>One of the most effective ways to prevent spoofers from forging email addresses is to use combinations of various encryption and authentication measures to strengthen email security.</strong> It's surprising that more organizations don't use strategies such as encryption software, digital signatures, two-step verification and message origin authentication, proof of submission and delivery, and secure access management. Encryption verifies that the email hasn't been altered or tampered with in transit. It also verifies that the sender of the email can be identified in the message. The most commonly used approaches include Secure Sockets Layer (SSL), which uses a private key to encrypt data being transmitted over an SSL connection; Secure HTTP, a complementary approach to SSL that is designed to transmit individual messages securely; and Secure Multipurpose Internet Mail Extensions (S/MIME), which supports public key encryption-based secure email. These approaches ensure a secure connection that, once established, can send and receive any amount of data. Organizations should demand that those they deal with use the same kinds of measures as a way to ensure mutual protection. Small and mid-sized organizations can also purchase affordable email encryption software.</p></li><li><p><strong>Equally important, educate, equip, and empower employees.</strong> Conduct training sessions with mock spoofing scenarios. Establish policies and procedures that require employees to act to prevent spoofing. In today's technology-driven world, organizations should make sure employees are technically equipped. Make sure employees understand the types of attacks they may face, the risks, and how to address them. The organization should share intelligence and knowledge about the spoofers, who are increasingly well informed about the organizations, roles, employees, and key data they seek to defraud. Informed employees and appropriately secured systems are key to protecting the organization from attacks. Recipients must consider context, content, and sender, particularly if monetary transactions are involved. Concerted coaching to teach employees to be vigilant by not clicking suspicious links or downloading attachments is critical. To verify authenticity, employees should cross-check by sending a separate follow-up email, texting the alleged sender, or calling to validate that the email is from the correct source. That might mean that corporate culture needs to change to give employees a degree of empowerment to resist authoritative-sounding orders when they are bogus.</p></li></ul><p>There are additional steps an organization can take to protect itself against these kinds of fraud:</p><ul><li>Encrypt all sensitive company information and ensure all employees and contractors are required to use encryption routines for that kind of sensitive information.</li><li>Develop an in-house capacity or acquire advice to keep a pulse on the most current phishing strategies. Confirm that the organization's security policies and solutions can eliminate threats as they evolve.</li><li>Consider using newer technological approaches. One example is to use a heuristics product to determine whether an email is fraudulent. However, the success rate of these solutions can be mixed, particularly where more cleverly designed emails are involved.</li><li>Consider investing in cybersecurity liability insurance. However, the return on investment for this type of insurance should be weighed against the business model, the data stored, and the potential damages that could be incurred in the event of a data breach.</li></ul>Art Stewart0
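As an added example, not code from the original article: the post above notes that SMTP does not authenticate the sender and that a spoofed message's headers are made to look as if it came from the impersonated company's server, so the Python script below shows the header cross-checks a mail gateway or an accounts-payable review tool can run on a received invoice email before anyone acts on it. It assumes the receiving mail server records SPF/DKIM/DMARC verdicts in an Authentication-Results header (the standard mechanism, not mentioned on the page), and the two messages and their domains are constructed for this example.

```python
"""Flag sender-impersonation indicators in raw email headers (added example).

Uses only the Python standard library. Both sample messages below are
constructed for this example; every domain in them is a placeholder.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample: visible sender, envelope sender and authentication
# verdicts all agree on vendor.example.
LEGIT_MSG = """\
Return-Path: <ap@vendor.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass
From: Accounts Payable <ap@vendor.example>
To: payments@corp.example
Subject: Invoice 1042

Please find the invoice attached.
"""

# Constructed sample of an impersonation attempt: the display name carries the
# vendor's real address, but the actual address, Return-Path and Reply-To all
# point at other domains, and the receiving server recorded an SPF failure.
SPOOFED_MSG = """\
Return-Path: <bounce-7f3a@bulkmailer.example.net>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=bulkmailer.example.net; dkim=none
From: "ap@vendor.example" <invoices@vendor-billing.example.net>
Reply-To: ap@vendor-payments.example.org
To: payments@corp.example
Subject: URGENT: updated bank details for invoice 1042

Please wire to the new account today.
"""


def _domain(addr_field):
    """Lowercase domain of the first address in a header value ('' if none)."""
    return parseaddr(addr_field or "")[1].rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from all Authentication-Results headers."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            found[method.lower()] = verdict.lower()
    return found


def spoof_indicators(raw):
    """Return the visible sender, the auth verdicts and a list of red flags."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    flags = []

    # Envelope sender (where bounces go) differs from the visible From domain.
    rp_dom = _domain(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        flags.append("return_path_domain_differs")

    # Replies would be steered to a third domain.
    rt_dom = _domain(msg.get("Reply-To"))
    if rt_dom and rt_dom != from_dom:
        flags.append("reply_to_domain_differs")

    # Display name is itself an address, at a domain other than the real one.
    if "@" in from_name and from_name.rpartition("@")[2].lower() != from_dom:
        flags.append("display_name_spoofs_address")

    # Verdicts recorded by the receiving server; anything but 'pass' is a flag,
    # and a missing header means the origin was never checked at all.
    auth = auth_results(msg)
    if not auth:
        flags.append("no_authentication_results")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) not in (None, "pass"):
            flags.append("%s_%s" % (method, auth[method]))

    return {"from": from_addr, "auth": auth, "flags": flags}


def is_suspicious(raw):
    """True when any indicator fired; such mail should be verified out of band."""
    return bool(spoof_indicators(raw)["flags"])


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MSG), ("spoofed", SPOOFED_MSG)):
        print(label, spoof_indicators(raw))
```

A hit here is a reason to verify the request by phone or a separately initiated email, as the post recommends, not proof of fraud on its own.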
Culture May Be the Wrong Questionhttps://iaonline.theiia.org/blogs/marks/2017/Pages/Culture-may-be-the-wrong-question.aspxCulture May Be the Wrong Question<p>As a member of the boards of several professional publications, I get to review and comment on a number of articles.</p><p>One that recently crossed my desk was about the need to recognize that the root cause of pretty much every business failure and incident in at least recent times was a defect in that organization's culture. It advised that internal auditors can help an organization identify such defects and take remedial action.</p><p>That sounds good. But is it on or off the mark?</p><p>I agree that poisonous cultures (and I've experienced a few) can have a negative influence on individual and group behavior. But, in my opinion, it still comes down to people: their behavior, actions, and decisions.</p><p>Consider the culture across much of Europe during World War II. It is fair to say that the Nazis and their leaders created an environment in which it was easy to participate in acts of genocide. But many stood up to those pressures and acted bravely in accordance with their morals and ethics. Arguably, if more people had stood up for what was right, many awful acts might have been prevented.</p><p>Defects in culture can increase the likelihood of poor behavior, but it still comes down to people. Even when the culture seems ideal (strong ethical leadership, a shared commitment to organizational and societal values, and so on), some people will always act inappropriately.</p><p>But what is an ideal culture anyway? Is it about one or more of these?</p><ul><li>Ethical and moral behavior, including but not limited to compliance with applicable laws and regulations.</li><li>Managers and staff taking the desired level of risk.</li><li>A shared commitment to achieving the goals of the organization, putting them ahead of personal goals.</li><li>Collaboration and sharing of information.</li><li>Teamwork.</li><li>Innovation and agility.</li><li>A willingness to work long and hard when needed.</li><li>Treating all others with respect, honoring differences, and so on.</li><li>Openness and transparency.</li><li>A commitment to safety.</li><li>The ability to report undesired behavior without retribution.</li></ul><p>Culture is not, in my opinion, something simple. It has multiple dimensions.</p><p>In addition, no organization (unless it's a business with a single employee) has a single culture. There are differences between teams, locations, and so on — and the differences change over time.</p><p>Should we worry about culture?</p><p>Sure. But perhaps it is better to worry about behavior.</p><p>First, define the behaviors you want your organization and its people to demonstrate every day.</p><p>Now, what are the risks to achieving the objective you just defined?</p><p>What actions (i.e., controls) are you taking to provide reasonable assurance of appropriate behavior?</p><p>Is there reasonable assurance, or are the risks to behavior outside desired levels?</p><p>How are you monitoring both the level of risk and the incidence of undesired behavior? The latter is not easy, as many behaviors (such as lack of teamwork) don't show up in HR reports, loss investigations, and so on. In fact, defects in culture tend to make surveys useless, as people won't be honest.</p><p>If you focus too much on one dimension of culture, such as compliance or ethics, you may drive the culture away from what is needed to deliver on another dimension, such as performance and agility.</p><p>Yes, defects in culture (if we can find them all and — very important — acknowledge their existence) are important to fix. But that is not enough.</p><p>We need to worry about behavior and what needs to be done to provide reasonable assurance that people, both individuals and groups, will behave the way we need them to behave.</p><p>Why don't you start by taking my list, upgrading it to fit your organization, then assessing each attribute for your team, your department, your location, and the organization as a whole?</p><p>Don't use a survey. If you know your company, you can answer these questions about its culture.</p><p>I think you will immediately find areas of weakness.</p><p>But how do you go about discussing them with senior management and obtaining agreement on the facts, the assessment, and the actions needed? You may feel the need for additional steps, such as surveys, to support your assessment — but very often you will find management in agreement. The issue then becomes what these defects mean: the risks they represent to the operation and success of the organization.</p><p>How do you approach senior management with insights about teamwork, the way people are treated, and whether the organization's goals are put ahead of individual or group goals?</p><p>That will not be easy.</p><p>I would love to hear your stories and I welcome your comments.</p>Norman Marks0
In the Wronghttps://iaonline.theiia.org/2017/Pages/In-the-Wrong.aspxIn the Wrong<p>Morgan Stanley has admitted to selling clients a risky product without disclosing that it was likely to lose money and has agreed to pay the U.S. Securities and Exchange Commission (SEC) US$8 million to settle the case, <a href="http://fortune.com/2017/02/14/morgan-stanley-smith-barney-sec/" target="_blank"><em>Fortune</em> magazine reports</a>. According to the SEC, Morgan Stanley's wealth management division marketed single inverse exchange traded funds (ETFs) in retirement and other accounts to several hundred clients between 2010 and 2015. This type of fund is typically used as a hedge against falling prices because it profits when its benchmark price decreases. As such, it is not meant to be a long-term investment, which is how the firm acknowledged it had marketed the product. This is a rare case in which an investment firm has admitted to wrongdoing in an SEC enforcement case, <em>Fortune</em> notes.</p><h2>Lessons Learned</h2><p>At least part of the root cause of this story can be traced back to the 2008 world financial crisis. ETFs have been available as investment instruments in the U.S. since the early 1990s (earlier in Canada), and have become increasingly attractive to investors. As of December 2014, more than US$2 trillion was invested in various forms of ETFs in the U.S. alone. Inverse ETFs rapidly became more popular as a strategy to cope with high market volatility. And, even though many inverse ETFs carry expense ratios of 1 percent or more or use daily futures contracts to produce their returns — in which frequent trading often increases fund expenses — they appeal to investors as easier and less costly than short selling stocks, which requires a margin account and stock loan fees paid to a broker for borrowing the shares necessary to sell short. These inverse ETFs are nonetheless likely to be as risky as short selling, particularly where an investor can be misled into holding on to them for too long, as Morgan Stanley admits to doing. In 2008, the SEC changed the rules for creating inverse ETFs, expanding the definition from an index basis only to include actively managed groups of funds. The latter category can increase risks significantly, both as a result of the discretion given to fund managers and because their investment strategy may become discernible to others.</p><p>Both the SEC and the investment industry would be well advised to review their rules and procedures governing the use of high-risk, short-term investment instruments such as inverse ETFs (and leveraged ETFs). Automatic cut-offs of inverse ETF agreements after a maximum of 30 days — or a similar short, specified time limit — could help. Greater requirements and monitoring on the part of investment companies to actively disclose the strengths, weaknesses, and risks of such investment vehicles are another mitigating strategy against fraud. At a minimum, that disclosure should include:</p><ul><li>A leveraged and inverse ETF advertised as having three times the gain could also have three times the loss.</li><li>Pricing is adjusted every day at close of market, so price swings can be excessive.</li><li>The high risk of holding leveraged and inverse ETFs for longer periods of time makes them unsuitable for long-term investors.</li></ul><p>Of course, investors themselves should be better educated about these risks. In general, ETFs can convey a false sense of stability in profit-making, given that their structure is based on an underlying group of stocks or other investment forms. The U.S. Financial Industry Regulatory Authority's (FINRA's) view is that inverse and leveraged ETFs are unsuitable for retail customers. FINRA also has stated that the added complexity of leveraged and inverse exchange-traded products makes it essential that brokerage firms have an adequate understanding of the products and sufficiently train their sales forces before the products are offered to retail customers. An educated investor should ask his or her advisor or broker about this. Also, if an advisor or broker recommended the purchase of leveraged and inverse ETFs without fully conveying their risks and the investor lost money, the investor may want to discuss his or her legal rights to a recovery with a law firm.</p><p>Finally, internal audit units within the investment industry should include these kinds of higher-risk investment vehicles as part of their fraud risk assessments and audit plans. Moreover, they should ensure that the results of their ensuing audit work, including recommendations, are heard by senior management.</p>Art Stewart0
Medicare Fraud Gets Messierhttps://iaonline.theiia.org/2017/Pages/Medicare-Fraud-Gets-Messier.aspxMedicare Fraud Gets Messier<p>The U.S. Justice Department has filed new charges in what prosecutors are calling the biggest Medicare fraud case in U.S. history, the <a href="http://www.miamiherald.com/news/local/article132038739.html?utm_campaign=news&utm_medium=social&utm_postdate=02/13/17&utm_source=twitter"><em>Miami Herald</em> reports</a>. Prosecutors say that health-care executive Philip Esformes, his network of skilled-nursing and assisted-living facilities, and co-conspirators billed Medicare US$1 billion for services that were either unnecessary or not provided to about 14,000 patients between 2009 and 2016. According to the indictment, physicians and other medical professionals at Larkin Community Hospital referred many of the Medicare patients to Esformes' facilities in exchange for kickback payments. Later, the facilities would send the patients back to the hospital. The latest charges allege Esformes gave an associate US$5,000 to bribe an employee of Florida's Agency for Health Care Administration to find out what evidence the regulator had on Esformes' health-care network. That associate, Gabriel Delgado, secretly videotaped the exchange to receive a lesser sentence from federal prosecutors. The details of this case are similar to a 2006 civil dispute over kickback allegations that Esformes, his father, Delgado, and Delgado's brother settled for US$15.4 million. If Esformes is convicted, the Justice Department could seize most of his assets and he could be sent to prison for the rest of his life.</p><h2>Lessons Learned</h2><p>In 2015, U.S. health-care spending was about US$3.2 trillion, with more than 4 billion insurance claims processed. The National Health Care Anti-Fraud Association estimates that the financial losses from health care fraud are in the tens of billions of dollars each year. Whether it impacts employers, governments, or individuals, this level of fraud inevitably translates into higher premiums, expenses, and costs of providing benefits, and into reduced benefits or coverage. It may even make the difference between whether or not some Americans can afford health insurance.</p><p>There are two particularly troubling aspects of this story. First is the length of time it took officials to catch the alleged perpetrators, along with the lack or ineffectiveness of scrutiny of a vast number of false or overbilled claims for medical services. Second is the use of bribery to circumvent inspections and investigations of complaints that might have helped detect this fraud earlier.</p><p><strong>Weaknesses in the internal controls over the approval of health-care billing and claims must continuously be monitored and addressed.</strong> Recent audits conducted by the U.S. Government Accountability Office (GAO) reveal that the nation's Patient Protection and Affordable Care Act marketplaces remain "vulnerable to fraud." The audits, which looked at the 2015 and 2016 coverage years, echo previous findings about the potential for fraud, and the failure to detect it, within organizations that are part of health-care delivery systems and government-run exchanges that sell individual health plans. The investigations looked at how well the U.S. Department of Health and Human Services (HHS) did at verifying whether claims filed were eligible for reimbursement. They also looked at whether people with dubious documentation could actually enroll in coverage, particularly coverage that was subsidized by the federal government for applicants with low or moderate incomes. For both sets of testing, the GAO submitted fictitious or incomplete documentation as part of the application and enrollment processes. As one example of an area for improvement, the GAO found that HHS inspections focused on supporting documentation that had obviously been altered. If the documentation submitted did not show such signs, inspectors were not likely to question its authenticity.</p><p><strong>Strong internal controls are essential to prevent bribery of government officials.</strong> A fraud risk assessment is one good way to assess the degree and focus of measures to counter this kind of corruption. The GAO has noted that bribery, along with infiltration by organized crime elements, is prevalent in South Florida. Key internal controls over this area include:</p><ul><li><strong>Policies.</strong> Organizations must have in place clear, robust, and readily understood conflict-of-interest and code-of-conduct policies that include a practical level of prohibition of the kinds of behaviors that employees must avoid, backed by senior leadership endorsement and reinforcement.</li><li><strong>Practices and procedures.</strong> Each policy should have a corresponding practice and documentation procedure. This could include a requirement that no one employee may have sole contact with a medical services biller that has a history of claims exceeding a particular value. Regulators also could implement electronic security measures that monitor communications between staff members performing approval and regulatory functions over billers.</li><li><strong>Enforcement.</strong> While most organizations with conflict/code-of-conduct policies may also have enforcement provisions for noncompliance, exceptions to enforcement actions can occur frequently — for valid reasons in some cases. However, such exceptions can signal to potential noncompliant billers that the chances of being prosecuted may be low. In addition, an active and robust internal audit function is an essential tool.</li><li><strong>Whistleblowing.</strong> Where supported by senior management and established in collaboration with regulators and law enforcement officials, whistleblower programs can be one of the most effective measures in deterring and detecting bribery schemes.</li></ul><p>It should be noted that HHS has acknowledged it has room to improve and intends to take action, as indicated by this statement: "As recommended by the GAO, we are applying their marketplace fraud risk assessment to areas of eligibility and enrollment to identify and prioritize key areas for potential risk in the marketplace." The statement goes on to say, "We are also working closely with issuers through the Healthcare Fraud Prevention Partnership to identify trends, schemes, and specific bad actors."</p>Art Stewart0
The Out of Control Contractorhttps://iaonline.theiia.org/2017/Pages/The-Out-of-Control-Contractor.aspxThe Out of Control Contractor<p>Government technology provider NCI Inc. has fired its controller, who allegedly embezzled approximately US$18 million over the last six years, <a href="https://washingtontechnology.com/articles/2017/01/23/nci-embezzlement.aspx" target="_blank"> <em>Washington Technology</em> reports</a>. In a press release, the company said the stolen amounts were reflected as expenses in its unaudited financial statements for the first three quarters of 2016. NCI has launched an internal investigation to determine whether there were misstatements related to the embezzled funds in its financial statements during the period from 2013 to 2015. In addition, investigators are evaluating whether material weaknesses in the company's financial controls over financial reporting were exploited to carry out the embezzlement. </p><h2>Lessons Learned</h2><p>At one point in this story, the report says, "The company is also reviewing its internal controls over financial reporting. The company believes that material weaknesses existed in its internal controls during the periods that the embezzlement was occurring." This may turn out to be an understatement, given NCI's involvement with contracting with the U.S. federal government and the requirements imposed on companies, which are not commonly found in the commercial market. And, there may be just as large a problem with gaps in oversight, both within NCI and by government regulators.</p><ul><li> <strong>Internal Controls. </strong>While NCI's statement focuses on internal controls over financial reporting, the company needs to take a much broader look at its internal controls. One example is those relating to accounting procedures. U.S. federal government contractors must adhere to an additional layer of regulations and accounting procedures. 
The federal procurement process is governed by the Federal Acquisition Regulation, and the classification and allocation of contractor expenses are governed by the Cost Accounting Standards. In addition, several labor laws may apply. Failure to comply with these rules could lead to debarment.<br><br>There are three general types of government contracts: cost-reimbursable, time-and-materials, and fixed-price. Large companies are likely to be involved with all three types. While there are no unique accounting requirements imposed on contractors who sell commercial products or services to the government on a firm fixed-price basis, almost all other contractors must have an accounting system that the government deems acceptable. This includes contractors that are required to submit supporting cost data with their cost/price proposals as well as any contractor who is awarded a time-and-materials, cost-plus-fee, or fixed-price-incentive contract. Other than pure-play commercial product companies, most government contractors will sooner or later be required to have an acceptable accounting system, with the following attributes, supported by written documentation:​​</li><ol><li>Compliance with generally accepted accounting principles. </li><li>Appropriate segregation of direct costs from indirect costs. </li><li>Identification and accumulation of direct costs by contract. </li><li>A logical and consistent method for allocating indirect costs to intermediate and final cost objectives. </li><li>Accumulation of costs under general ledger control. </li><li>A timekeeping system that identifies employees' labor by intermediate or final cost objectives. </li><li>Interim (at least monthly) determination of costs charged to a contract through routine posting to books of account. </li><li>Exclusion of "unallowable" costs. </li></ol>​There are two points of note here. First, most commercial companies do not routinely perform these functions as part of their financial accounting. 
More significantly, many commercial companies — especially smaller ones — do not have the staff, knowledge, skills, and software necessary to perform these functions. Secondly, while it is not known how NCI's ex-controller perpetrated fraud over a multi-year period, its financial accounting systems may have been compromised. If it was, the company would need to review each contract of significance to determine whether there are errors and, where overbilling is found, potentially refund already billed amounts. ​​</ul>​​​ <ul><li> <strong>Oversight. </strong>It is surprising that this story deals with the question of material misstatements within NCI's unaudited financial statements. Many companies that contract with the government are required to have their financial statements audited annually, and one would think that should have included NCI. Unaudited financial statements differ significantly from audited ones. Some procedures that external auditors are required to perform may have helped NCI, its board of directors, and its senior management detect its controller's alleged fraudulent activities at an earlier stage. Among the most pertinent review procedures are:</li><ul><li>Procedures for recording and accumulating financial information.</li><li>Actions taken at owners' or directors' meetings.</li><li>Written representations from management regarding the accuracy of all information given to the auditor and for inclusion in financial statements.  </li><li>Management's responsibility for internal control.</li><li>Management's responsibility — and knowledge — to prevent and detect fraud.</li></ul> ​​There is also the question of the strength of oversight by government regulators. U.S. government contractors that work on defense-related contracts are audited by the Defense Contract Audit Agency (DCAA). The DCAA audits internal contractor systems — including accounting systems — for acceptability. 
The agency also audits the actual cost data produced by the accounting system. Surveys published by Grant Thornton indicate that the cost most frequently challenged by the DCAA is executive compensation, including the compensation of company controllers. Other costs the DCAA commonly challenges include consulting fees and indirect cost allocations. However, reports issued by the Government Accountability Office (GAO) have criticized the DCAA for being more committed to its "hours per audit" metrics than to audit quality, and say that it has become too "friendly" with contractors and government program managers. In response to the GAO reports, the DCAA has committed to being a thorough, independent guardian of taxpayer money. <br> <br>In NCI's case, it may be advisable for the federal government to put any future contract awards on hold until the company can demonstrate that it has completed a thorough assessment and action plan to address serious weaknesses in its internal control.<br></ul>Art Stewart
The Spy and the Construction Scamhttps://iaonline.theiia.org/2017/Pages/The-Spy-and-the-Construction-Scam.aspxThe Spy and the Construction Scam<p>A Canadian Superior Court judge has sentenced a former construction company executive and informant for the country's intelligence service to seven years in prison for perpetrating Ottawa's "biggest commercial fraud" through his now-bankrupt company, <a href="http://ottawacitizen.com/news/local-news/former-spy-roland-eid-gets-seven-years-for-construction-fraud-it-was-a-gigantic-con" target="_blank" style="background-color:#ffffff;">the <em>Ottawa Citizen</em></a> reports. According to prosecutors, Roland Eid hid payables from outside accountants that made ICI Construction appear to be profitable when it was actually losing money. Moreover, Eid shifted CAN$1.7 million in ICI funds, which had been held in trust to pay tradesmen and construction material suppliers, to a personal account in Lebanon. Soon after, Eid fled to Lebanon. In court testimony, Eid claimed his handlers at the Canadian Security and Intelligence Service (CSIS) had directed him to start ICI and encouraged him to use the proceeds from its construction contracts to gather intelligence against Hezbollah, which is linked to terrorism. ICI's 2011 bankruptcy had a cascading effect on Ottawa's construction industry and resulted in the company's financial backer filing for bankruptcy itself.</p><h2>Lessons Learned</h2><p>This is a complex case in terms of the circumstances of the fraud, its perpetrator, and the various twists and turns of the court proceedings. However, from a fraud and audit perspective, the main lesson learned can be summarized with a venerable piece of advice: Follow the money trail.
In that path, there were numerous regulatory, financial, and corporate control failures.</p><p>Fundamentally, Eid abused his CEO position at ICI Construction to deceive his co-workers and employees, suppliers, other contractors, and the Canadian government in order to move CAN$1.7 million from ICI's bank account to his personal account in Lebanon. Here, the list of missing or underused controls that might have detected or even prevented fraud includes:</p><ul><li>Strong financial controls within ICI, such as requiring board of directors approval or chief financial officer sign-off for such a significant money transfer. Controls include specific documentation of where the money would go, to whom, the related contractual arrangements, and evidence of any legal/regulatory approvals needed at the receiving end — in this case from the government of Lebanon. Auditors and accountants should have been vigilant and recommended measures to keep funds intact, or even frozen, that should have been held in trust to pay for wages and materials of ICI's ongoing projects (regulatory rules need to do this, too). A lack of transparency around the activities of a primary financier of ICI also was a factor. And fundamentally, demanding proof of Eid's claim to have secured a housing project contract in Lebanon could have revealed much about his plot at an early stage. Also revealing would have been proof of his claim to have sold ICI to the company's controller in order to justify keeping the CAN$1.7 million.<br><br></li><li>Clear contracting industry rules and monitoring — even if self-imposed — of potentially unusual international transactions. This includes the same kinds of documentation requirements mentioned above as well as requirements for regular, transparent financial reporting.<br><br></li><li>A regular review by financial lenders, insurance institutions, and their regulators of their controls over and risk assessments of potential loans to small construction companies.
This would encourage a higher degree of caution and scrutiny in their decision-making.<br><br></li><li>Tighter government rules for the movement of money outside the country. In Canada, a federal financial-tracking organization, FINTRAC, scrutinizes international monetary transactions. However, FINTRAC focuses on money laundering and terrorist financing, along with cash transactions coming into Canada valued at more than CAN$10,000. There is a process for filing a suspicious transaction report, but it is voluntary and no one did so in this case. Lebanon does not have equivalent rules, and it does not have an extradition treaty with Canada.</li></ul><p> </p><p>In closing, while Eid's history as a CSIS informant played next to no role during the proceedings before the judge, there may be lessons for national security agencies and large departments that enter into a myriad of construction contracts. Although we may never know what exact role these organizations may have played in aiding Eid and ICI Construction in pursuit of gathering intelligence on Hezbollah, this objective could have played a part in the awarding of construction contracts. In that sense, they unknowingly may have assisted Eid in his fraudulent aims. Those organizations should be vigilant in balancing national security interests with crime and fraud prevention interests, including through robust vetting of planned intelligence operations and those to be involved.</p><p> </p>Art Stewart
Champions of Trusthttps://iaonline.theiia.org/2017/Pages/Champions-of-Trust.aspxChampions of Trust<p><em>Public trust in government and big business is dropping at an alarming rate. Whether viewed through a political lens in the surprising Brexit and U.S. presidential votes, or the consumer and regulatory backlash against a corporation embroiled in scandal, the repercussions of those misgivings can be profound.</em></p><p><em>This growing distrust reflects a fundamental erosion of faith in the institutions that are the bedrock of modern civilizations. As internal auditors, we are guardians of trust in the organizations we serve, and to be effective, our stakeholders must be confident that we will do the right thing, speak the truth, and be courageous. I gave a great deal of thought to what makes a trusted leader while researching my new book, Trusted Advisors: Key Attributes of Outstanding Internal Auditors. My research, assisted by The IIA’s Audit Executive Center (AEC), included surveying some of the top professionals in internal auditing about what attributes they believe are essential to becoming a trusted advisor. Toward the top of the list is ethical commitment. An excerpt from the book (below) focuses on this trait and discusses why internal auditors must go beyond commitment and demonstrate ethical resilience.</em></p><div><br></div><p>I enjoy watching football (that is, American football, not soccer). Sometimes during the game, when an infraction is committed before the play begins, the referee will throw a penalty flag. The flag often signifies a false start if certain players on the offensive team move before they’re supposed to. At times, there are referees who either ignore the infraction or are passive about making the judgment call.<br></p><p>Internal auditors who sit on the sidelines and fail to call out inefficiency, waste, fraud, or mismanagement are spectators.
More commonly, internal auditors are referees, observing the plays that make up the normal course of business operations and blowing a whistle or throwing a yellow flag when circumstances warrant. They are objective in assessing whether a foul or infraction has occurred, but they are in reactive mode — responding to what took place in the past.<br></p><p>The most effective internal auditors are those with enough fortitude to blow the whistle before trouble ensues. They see troubling issues in the formation stage, raise a concern, and take a stand to ensure things are done right.<br></p><p>But, as I discovered years ago, there has to be a high degree of trust between internal auditors and those whom they are cautioning about pending wrongdoing or calamity. Without trust as a basis for engagement, the conversation can become awkward or even polarizing.<br></p><p>Ethics is an area that plays a significant role in my view of outstanding internal audit performance; so much so that I decided to feature ethical resilience as my first area of focus. I’ve been known to characterize ethics as “table stakes” for those wishing to engage in internal auditing. It’s a strong statement, but I stand by it. Internal auditors can’t accomplish their mission without a diligent, unceasing commitment to ethical behavior.<br></p><p>Larry Sawyer, an iconic internal audit author, wrote about the importance of trust in ethical behavior. He wrote, the “key to any profession is the trust placed in it by its clients.” Everyone knows how important ethics are; that’s a foregone conclusion. But I believe that, for internal auditors, ethical behavior is so critical, it goes beyond just a commitment. Outstanding internal auditors do more than just commit to ethics; they model ethical conduct in everything they do by being resilient, even when it may not be a popular stance. 
They may be tested ethically, but they withstand the challenges to their ethical convictions and bounce back stronger than ever. <br>Obviously, the CAEs who responded to the AEC survey agreed with this view. More than half of them selected ethical commitment as one of the top three traits shared by successful internal auditors.<br></p><p>Reinforcing that viewpoint, the Internal Audit Foundation’s Common Body of Knowledge (CBOK) 2015 Global Internal Audit Practitioner Survey asked CAEs around the world to rate themselves on their perceived level of competency on 10 core competencies, on a scale from 1 (“novice”) to 5 (“expert”). The survey data indicated that CAEs rated themselves highest in ethics (4.3 overall), which validates my point that ethical resilience is a top attribute for outstanding internal auditors.<br></p><p>Paul Sobel, vice president/CAE for Georgia-Pacific LLC, states it very simply and powerfully: “In our role as auditors, ethics and integrity are the foundation for our ability to provide objective assurance, advice, and insights. In essence, it’s the foundation for our credibility.”</p><p style="text-align:center;">...<br></p><h2>Committing to Ethics</h2><p>As the leader of a global organization that requires compliance with a formal Code of Ethics to serve as a member or hold a certification, I have an unwavering commitment to behaving ethically. At The IIA, we don’t skirt the issue; we believe internal auditors must stand for what is right, adhere to the highest ethical code, and never yield to pressures to bend the rules. An ethical lapse by one internal auditor can undermine trust not only in that individual but also in those around him or her. The higher in the organizational chart the transgression occurs, the more damaging the potential impact. We in the profession must share a commitment to ethics.
For the most part, I believe we do.<br></p><p>In most organizations, the internal auditors are perceived as being far more likely to disclose ethical misconduct than to act unethically themselves. But we are human. I will never forget my surprise and disappointment when I viewed the results of a survey of 70 CAEs attending an IIA event a few years ago. One-third of the respondents acknowledged that they had “discovered or witnessed unethical actions” within their own internal audit functions.<br></p><p>Making the effort to clean our own ethical house is important not only in the context of what internal auditors do in their everyday jobs, but also in their role as business leaders. In her book, <em>7 Lenses: Learning the Principles and Practices of Ethical Leadership</em>, Linda Fisher Thornton says getting employees to act ethically is largely driven by their desire to “follow the leader.” If they see top management behaving ethically, desiring to serve others, and making a positive difference, they are inclined to respond in kind.<br></p><p>Organizational commitment to ethical behavior is not just a matter of hosting an “ethics day” or showing a slide presentation during new-hire orientation, although all efforts at communicating expectations relative to ethics are valuable. The most impactful things leaders can do to influence employees are subtler: openly discussing ethical gray areas, acknowledging the complexities that can arise in work situations, treating ethics as an engrained way of behaving, celebrating displays of ethical conduct, showing respect for those with different opinions and difficult personalities, and expecting everyone to meet ethical standards.<br></p><p>These behaviors (at any rank in the organizational chart) should not be difficult. 
If we think of ethics as a way we interact, collaborate, and create synergies with others, it should be natural to act ethically and expect the same behavior from others.<br></p><p>Such behavior can yield unexpected results. Early in my career as a CAE, the chief financial officer (CFO) asked my internal audit team to perform an audit. He had a strong personality and was sure the company was being billed for purchases it didn’t make. He wanted my team to find evidence to support his belief. I sent the internal auditors to conduct the audit and they found no evidence of transgression, which put me in a bit of a tight situation. The support from the CFO and other executives was important and necessary to me, yet I knew that our audit results weren’t what he wanted to hear. By telling him he was wrong, I risked losing both his fledgling trust in the internal audit department and his willingness to use us for future projects, but I knew I had to be straightforward with him. As expected, he did express some disappointment that we didn’t validate his concerns.<br></p><p>Not long after that, he called me to ask my team to do some work in another of his functional areas. After I expressed our willingness to do so, I told him I was surprised he had contacted me for an additional project since I didn’t give him the news he wanted to hear the last time. He responded that my honesty in those circumstances proved to him that my team and I would be fair and objective and he could rely on our work. I don’t think he intended our first encounter to be a litmus test, but it was. Once your stakeholders have a chance to check your ethical compass and confirm that it’s pointing true north, they know they can follow you because you won’t lead them in the wrong direction.<br></p><h2>Ethical Behaviors</h2><p>No one is saying that exercising ethical behavior is easy, but maybe half the challenge is in agreeing on exactly what constitutes ethical resilience.
In the AEC survey, we used the following terms to elaborate on what we meant by ethical commitment, and I suspect few would argue with their inclusion:<br></p><ul><li>Integrity — being known for strict adherence to high moral principles.</li><li>Courage — being brave enough, even in the face of professional or personal danger, to do the right thing.</li><li>Honesty — displaying unwavering commitment to dealing in truth.</li><li>Accountability — taking responsibility for our actions and the resulting perceptions.</li><li>Trustworthiness — building a history of ethical behavior that forms a foundation upon which people can place their trust.</li></ul><p><br></p><p>Courage especially seems to be a factor in ethical behavior. A number of the survey respondents ruminated on the importance of courage. Take the following comments, for example:<br><br><em>“Inner courage: to follow leads, to follow your gut belief, to professionally confront management and the board, to raise the questions few people want you to raise, to put it all on the line (in terms of taking the risk to do what is right).”</em><br><br><em>“Courage: the ability to express one’s opinion and give advice even when the ideas are not popular or wanted.”</em><br><br><em>“Courage to stand alone, if needed, when tough issues need to be raised to management and the board.”</em><br><br>Courage is what drove Bethmara Kessler, senior vice president, integrated global services, and former CAE of Campbell Soup Co., to select ethical commitment as one of her top two choices in the AEC survey.
She explains that courage is a particular challenge for auditors because in her long experience of managing audit teams, she has seen internal auditors sometimes waver in their defense of difficult findings for a variety of reasons: They, like most humans, want to be liked; they want to avoid difficult conversations; they feel the pressure to serve too many masters with competing needs; and they fear their actions may hinder their future career opportunities in the business. But, she remarks, “We have to remind internal auditors that courage is important and they should step forward when they see something. Look at Harry Markopolos, who tried multiple times to break open the Madoff scandal. He just kept going back to the [U.S. Securities and Exchange Commission] over and over to make his point. I’m sure it was not an easy thing to do. It took a lot of courage. In my view, he’s a hero.”<br></p><p>Another internal audit hero who deserves notice is Heidi Lloce-Mendoza, currently undersecretary general for the United Nations Office of Internal Oversight Services, and before that, commissioner and officer-in-charge of the Commission on Audit (COA) of the Philippines. Mendoza came to the world’s attention as a result of a 2002 audit her team conducted that uncovered massive bid rigging by former Makati City Mayor Elenita Binay. Mendoza served as a government witness in some of the antigraft cases filed against the former mayor. In response to her speaking out against the former mayor’s corruption, Mendoza’s home was broken into multiple times and she was the target of threats that required special security protection. 
Yet, despite her admission that she was still being harassed about her role in the corruption trials 13 years after the fact, when she resigned from the COA in 2015 she indicated that her passion for her work had not abated and she felt “no pain, no trace of regret” for her experiences.</p><p style="text-align:center;">...</p><p><br>Ethical resilience is a trait that not only provides value in and of itself, it also supports the other traits mentioned in this book. Having a firm grip on our own ethical beliefs clears away some of the clutter that can distract us from focusing on desired results. <br><br><em>Trusted Advisors: Key Attributes of Outstanding Internal Auditors</em> is available at The IIA’s Bookstore.</p>Richard Chambers
Gifts From Momhttps://iaonline.theiia.org/2017/Pages/Gifts-From-Mom.aspxGifts From Mom<p>The former office manager of a Charleston, W.Va. law firm has agreed to plead guilty to charges of embezzling from her employer over a 12-year period, according to <a href="http://oak.ctx.ly/r/5d6ix"><em>West Virginia Record</em></a>. Kim Cooper admitted that she deposited checks for attorneys' fees into her own account and used the proceeds to make rent, car, and credit card payments, and to help her children pay for their homes and college expenses. Cooper has cooperated with U.S. federal prosecutors, who filed charges against her in December. She asked a judge to dismiss a lawsuit filed by her former employer against her two adult children, Erin Burkhill and Jeremy Cooper. The suit alleges that the children should have known about their mother's fraud scheme when they accepted money from her.</p><h3>Lessons Learned</h3><p>Over the time I've been writing about fraud cases for InternalAuditor.org, I've provided lessons learned regarding many variations on the "trusted employee steals money from his or her employer over a period of several years" type of fraud. (For examples, see "<a href="/2016/Pages/The-Tech-Know-how-for-Fraud.aspx"><strong>The Tech Know-how for Fraud</strong></a>" and "<a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=3da8278f-5ca0-4c59-810a-c3113aec7149&TermSetId=bb519a46-9cdb-4e10-8446-505034f60087&TermId=e720a24b-dd30-4650-914e-a7bc6c4a34a6"><strong>The School Embezzler</strong></a>.")</p><p>What caught my eye in this latest fraud news story is this statement:</p><p><span class="ms-rteStyle-BQ">"Mountain State Justice's (MSJ) lawsuit alleges that Burkhill and Jeremy Cooper knew or should have known of their mother's embezzlement scheme. Kim Cooper used some of the embezzled money for homes for herself and her children, as well as college and graduate school for Burkhill, according to the suit."
</span></p><p>In other words, the two children of the alleged fraudster may have been complicit in the perpetration of fraud.</p><p>We do not have access to the investigative documents in this case, but one would expect the fraud investigation process to have disclosed definitive evidence that substantiates the allegations of family involvement in fraud. This case presents a good opportunity to review the components of a leading practice approach to determining who is involved in fraud. Much of the advice is taken from materials available from The IIA and the Association of Certified Fraud Examiners.</p><ul><li><strong>Use the "Case Theory" approach to investigations. </strong>It is essential that every investigator or prosecutor develop and follow a "theory of the case" when investigating complex corruption and fraud offenses. The Case Theory approach to complex investigations is similar to the scientific method of experimentation. It involves three steps: 1) analyze the available data to create a hypothesis; 2) test the hypothesis against the available facts; and 3) refine and amend the hypothesis until reasonably certain conclusions can be drawn. Expressed differently, the approach begins with an informed assumption, based on the available evidence, of what the investigator thinks may have happened. The investigator then generates an investigative plan to test — prove or disprove — the assumption. The reasoning behind this approach is that both sides of fraud must be examined because under the law, proof of fraud must preclude any explanation other than guilt.</li></ul><ul><li><strong>Move from the general to the specific. </strong>Fraud examinations commence when the full facts are unknown or unclear. Therefore, fraud examinations should begin with general information that is known, starting at the periphery, and then move to the more specific details. Typically, fraud examiners will start by interviewing the complainants or victims.
From there, they should order their interviews by moving from the periphery toward those who appear to be more involved in the subject of the examination. For example: neutral third-party witnesses, starting with the least knowledgeable and moving to those who are more knowledgeable about the matters at issue; parties suspected of complicity, starting with the least culpable and moving to the most culpable, based on hypothesis and available information; and the primary suspects of the examination.</li><li><strong style="font-size:inherit;">Use the fraud theory approach to assess parties suspected of complicity. </strong><span style="font-size:inherit;">Investigators should</span><span style="font-size:inherit;"> focus on acquiring new information — or correcting and integrating known information — to determine whether the hypothesis is provable. If, as in this story, the hypothesis is that family members knew, should have known, or were actively involved in the fraud, the fraud examiner would need to assemble a comprehensive, evidence-based picture of family relationships, particularly concerning financial matters. In asserting that family members "should have known" that money being given to them originated from fraudulent activities, investigators will need evidence that the children had good knowledge of their mother's income, expenses, and lifestyle to support the hypothesis of complicity. If such evidence is available, this would then position investigators to better question the primary suspect, Kim Cooper, about what she knew and did for her children and their knowledge of it. Hopefully, the investigators in this case have done their fraud homework.</span><br></li></ul>Art Stewart
On the Hook for Fraudhttps://iaonline.theiia.org/2017/Pages/On-the-Hook-for-Fraud.aspxOn the Hook for Fraud<p>A Montreal-based online retailer has gone out of business after losing an estimated CAN$50,000 from credit card fraud in only three months in operation, <a href="http://www.cbc.ca/news/canada/montreal/vincenzo-lingordo-credit-card-fraud-bank-1.3900001?adbsc=IAO68836316&adbid=810908384249556993&adbpl=tw&adbpr=390782790" target="_blank">CBC News reports</a>. Business owner Vincenzo Lingordo says the company's bank approved the fraudulent purchases, which were missing information such as billing addresses and security codes. Based on the approvals, his company shipped goods to the purchasers' shipping addresses. Even after he had complained to the bank and implemented its recommended fixes to secure his website, the system continued to approve fraudulent transactions and only reported them as fraudulent several weeks later. Lingordo's subsequent tests revealed that the bank's software approved transactions even when he deliberately entered incorrect credit card information or left mandatory fields empty.</p><h2>Lessons Learned</h2><p>This news story represents the battleground between e-commerce technology, consumer convenience, and bank profitability. Squeezed into the middle are small business owners facing an ever-growing threat of credit card fraud. In 2015, in Canada alone, an estimated CAN$500 million was lost to various forms of credit card fraud.</p><p>In Canada and the U.S., banks are pushing merchants to adopt EMV (Europay, MasterCard, and Visa) technology and chip and PIN credit cards, instead of or in addition to signatures. But even where card issuers require PINs instead of signatures, this has not stopped fraud; it has just shifted where fraud takes place.
For example, in the U.K., where chip and PIN cards have been used since 2003, card-present fraud — transactions done in person with a card — has declined because thieves are unable to use counterfeit cards with stolen data embossed on them anymore. However, fraud involving card-not-present transactions — that is, transactions by phone or online — has increased. Neither a PIN nor a signature is required when customers use their cards online, so simply stealing card numbers is sufficient to use them for fraud.</p><p>That's bad news for merchants, especially small businesses like Lingordo's, because they — not card issuers such as banks — take the losses for this kind of fraud. Merchants are learning the hard way that credit card authorization by a lender does not mean that the merchant is guaranteed payment. Approval only indicates that at the time the approval was issued, the card had not been reported stolen or lost, and that the card credit limit had not been exceeded. If someone else is using the credit card number illegally, the card holder has a right to dispute the "approved" charges. </p><p>Although merchants are footing the bill for 75 percent of the costs of converting to chip and PIN credit cards, they are not getting any relief from counterfeit fraud expenses. One might think that merchants can thwart card-not-present fraud by requiring cardholders to provide the three-digit security code — the card verification value (CVV) — printed on the back of their card. However, fraudsters can defeat this requirement by obtaining the security codes through phishing attacks that trick users into relinquishing the codes, or by installing malware on a victim's computer or on less secure e-commerce sites and recording the security codes as consumers type them into web forms. It should not be surprising that every market where chip and PIN technology has been adopted has seen a dramatic increase in card-not-present e-commerce fraud despite the use of CVVs. 
</p><p>Additionally, merchants bear responsibility for more fraud than ever, including the consequences of having their bank fee rates increased, or losing their accounts with the card companies if their fraud rate gets too high. On the other hand, banks will not take on increased responsibilities for the problem because they have no real solution to prevent this kind of e-commerce fraud and want to guard against increased costs.</p><p>What other preventive methods and procedures can merchants perform to prevent and detect credit card fraud — or limit its impact — especially of the card-not-present variety? It is clear that a merchant should not depend on the credit card company to prevent fraudulent orders. While not an exhaustive list, using a combination of these methods and techniques may be the best possible defense against credit card fraud:</p><ul><li><p> <strong>Follow the procedures recommended by the merchant's payment processor and the credit card companies.</strong> A merchant can lose its account for failing to follow the payment processor's rules. If a merchant suspects a fraudulent order, it should contact the registration service promptly, so it can reduce the total number of charge-backs. Payment processors are likely to charge merchants higher service fees for a large number of charge-backs.</p></li><li><p> <strong>Use the Address Verification Service (AVS), if available to the merchant.</strong> In the U.S., AVS checks whether the cardholder's address and zip code match the information at the card-issuing bank. AVS only uses the zip code and numeric portion of the billing street address, and it may fail to reveal a problem such as a recent address change or AVS computers being down. If it does fail, the merchant may decline the transaction.
If the company's current merchant account for authorization approval cannot provide AVS, then it can get address verification from the cardholder's issuing bank for most credit card types.</p></li><li><p> <strong>Use card verification methods.</strong> Although these methods are imperfect, they can help prevent fraud, especially in combination with AVS methods. Since most fraudulent transactions result from stolen card numbers rather than the actual theft of the card, a customer who supplies this number is much more likely to be in possession of the credit card. For example, Visa claims that the use of AVS with CVV validation for card-not-present transactions can reduce charge-backs by as much as 26 percent.</p></li><li><p> <strong>Enroll in payer authentication programs. </strong>Programs such as Verified by Visa and MasterCard's SecureCode require use of personal passwords to ensure the identity of the online card user. Additionally, if merchants use these programs, card issuers may incur some of the losses for online fraud that were borne entirely by merchants previously. </p></li><li><p> <strong>Implement real-time authorization.</strong> Real-time authorization sends credit card information to the processor for immediate approval — usually within five seconds. This method ensures that the credit card has not been reported as lost or stolen and that the number is valid. The customer is still in contact with the merchant, and incorrect information can be corrected. However, there is an additional cost for real-time authorization, and it does not tell merchants whether the person using the card is authorized to use that card.</p></li><li><p> <strong>Use the Bank Identification Number (BIN) to determine whether the cardholder and the issuing bank are located in the same country.</strong> Illegitimate users sometimes use a credit card from another country. 
Merchants can enter the BIN of a credit card number at <a href="https://www.exactbins.com/bin-lookup" target="_blank">https://www.exactbins.com/bin-lookup</a>. The site provides the bank name, card type, and a three-character code for the country.</p></li><li><p> <strong>Keep negative and positive historical files</strong><strong>.</strong> Merchants should keep a database of previous fraud attempts, problem customers, charge-back records, and customers receiving refunds. This file should include the customer name, shipping/billing addresses, phone numbers, credit card numbers, IP addresses, email addresses, and merchant comments. This can reduce the incidence of repeat offenders at a relatively low cost. Data potentially can be shared among multiple merchants. Conversely a positive historical file contains a list of good customers such as customers who are eligible for upgrade purchases. Customers who purchased successfully in the past probably will not commit fraud. </p></li><li><p> <strong>Enact fraud scoring and pattern detection.</strong> While a targeted model should catch more fraud, it requires additional time and money to analyze a business and implement the approach, and it may require new software. With fraud scoring, a merchant assigns points for different elements of a transaction (e.g., IP address, free email account, time of day, AVS results, amount of sale, type of products ordered, shipment method, different shipping/billing addresses, and certain zip codes) to generate a fraud score to indicate the likelihood of fraud. The merchant decides what point levels should be used to approve, reject, or review the order. The merchant can adjust these values based on trends and time of the year. </p><p>With pattern detection, merchants can check multiple orders that ship to the same address but use different credit cards. It also can check orders that are placed for an unusually high quantity of a single item. 
These may indicate that thieves have access to several stolen card numbers. Check whether multiple orders are being sent from the same IP address. If the credit card numbers vary by only a few digits, it is likely these numbers were generated by software. Users who repeatedly submit the same credit card number with different expiration dates often have the card number, but not the expiration date, so they will just keep submitting that number with a different expiration date until they hit the right combination. And speaking of patterns, most fraudulent orders in the U.S. are made between midnight and 2 a.m. </p></li></ul><p> <br> </p>Art Stewart0
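<p>The fraud scoring and pattern detection described in the last list item, worked through as an added example (not code from the article or any vendor product). The point values, the approve/review/reject cutoffs, the free-email domain list and the sample orders are all constructed assumptions; the card numbers are test digits, not real account numbers.</p>

```python
from collections import defaultdict
from datetime import datetime

FREE_MAIL = {"freemail.example"}  # assumed list of free email provider domains

def fraud_score(order):
    """Points per transaction element, as the article describes; values are assumptions."""
    hour = datetime.fromisoformat(order["time"]).hour
    rules = [
        (order["avs"] != "Y", 30),               # AVS did not fully match
        (order["ship"] != order["bill"], 20),    # shipping/billing addresses differ
        (order["email"].split("@")[-1] in FREE_MAIL, 10),  # free email account
        (0 <= hour < 2, 15),                     # midnight to 2 a.m. window
        (order["amount"] > 500, 15),             # large sale amount (assumed cutoff)
    ]
    return sum(points for hit, points in rules if hit)

def decision(score, review_at=30, reject_at=60):  # merchant-tuned cutoffs
    return "reject" if score >= reject_at else "review" if score >= review_at else "approve"

def pattern_flags(orders):
    """Cross-order checks from the article; returns {order id: set of flag names}."""
    by_ship, by_ip, by_card = defaultdict(set), defaultdict(set), defaultdict(set)
    for o in orders:
        by_ship[o["ship"]].add(o["card"])  # distinct cards shipping to one address
        by_ip[o["ip"]].add(o["id"])        # orders submitted from one IP address
        by_card[o["card"]].add(o["exp"])   # expiry dates tried with one card number
    flags = defaultdict(set)
    for o in orders:
        if len(by_ship[o["ship"]]) > 1:
            flags[o["id"]].add("same_address_multiple_cards")
        if len(by_ip[o["ip"]]) > 1:
            flags[o["id"]].add("same_ip_multiple_orders")
        if len(by_card[o["card"]]) > 1:
            flags[o["id"]].add("same_card_multiple_expiries")
        for other in orders:  # card numbers that differ in only a couple of digits
            if other["card"] != o["card"] and len(other["card"]) == len(o["card"]) \
                    and sum(a != b for a, b in zip(o["card"], other["card"])) <= 2:
                flags[o["id"]].add("near_identical_card_numbers")
    return dict(flags)

# Constructed sample orders; card numbers are test digits, not real account numbers.
FIELDS = ("id", "card", "exp", "ship", "bill", "ip", "email", "avs", "amount", "time")
SAMPLE_ORDERS = [dict(zip(FIELDS, row)) for row in [
    (1, "4111111111111111", "01/27", "1 Main St", "1 Main St", "203.0.113.5", "p@corp.example", "Y", 40.0, "2017-04-10T14:05"),
    (2, "5555555555554444", "03/26", "9 Elm Rd", "40 Pine St", "198.51.100.7", "a@freemail.example", "N", 620.0, "2017-04-11T01:15"),
    (3, "4111111111111113", "06/27", "9 Elm Rd", "9 Elm Rd", "198.51.100.7", "b@freemail.example", "Y", 100.0, "2017-04-11T13:00"),
    (4, "5555555555554444", "11/28", "22 Oak Ave", "22 Oak Ave", "203.0.113.9", "p@corp.example", "Y", 75.0, "2017-04-12T10:30"),
]]
```

<p>Order 3 scores low on its own but is flagged three times by the cross-order checks, which is the point of running pattern detection alongside per-transaction scoring.</p>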