Fraud Fliers<p>Multiple employee fraud cases may cost Chinese drone manufacturer SZ DJI Technology Co. $150 million in losses, <a href="" target="_blank">Bloomberg reports</a>. An internal probe discovered extensive corruption and a lapse in internal controls at the company, which is the world's largest consumer drone maker. DJI says it has fired multiple employees as a result of the ongoing investigation by the company and Chinese authorities. Among its remedies, DJI says it has established channels for employees to confidentially report workplace conduct violations.  </p><h2>Lessons Learned</h2><p>A statement from DJI's management sums up the essential reason why this fraud may have occurred: "While mature companies have established the training, controls, and management protocols to limit these issues, DJI has in the past emphasized corporate growth over new internal processes." If so, this is a critical lesson for startup companies in rapidly developing business environments: balance speed with control.</p><p>DJI has acknowledged it needs to strengthen its internal controls, establish clear policies governing employee ethical behavior, and implement effective whistleblower programming. However, at the heart of the corrective measures needed may be those aimed at detecting and deterring purchasing price manipulations and outright theft. While DJI has not reported the specifics of the frauds committed, the company may need to address these apparent types of asset misappropriation and vendor fraud. 
Measures DJI should implement include:</p><ul><li>Train all employees on bribery and corruption prevention.</li><li>Reward employees for ethical behavior and discipline employees — including senior managers — who breach the company's code of ethics.</li><li>Conduct thorough background checks on new employees and renew those checks periodically.</li><li>Conduct a risk assessment, including fraud risk, to identify areas to watch more closely.</li><li>Implement checks and balances and use data mining to uncover anomalies and patterns in product purchasing and pricing. These areas should have strict financial and systems controls that specify purchase pricing and contract limits, and raise flags about pricing anomalies. For example, if invoices reflect significantly higher prices over negotiated contract prices, previous contracts, or industry standards, the invoices may not be legitimate. Running spending analysis reports also can help identify unusual or excessive spending.</li><li>Separate the functions of the company's purchasers and check signers, and rotate the duties of employees in these areas.</li><li>Conduct random audits of company purchasing accounts and vendor files.</li><li>Implement checks and balances on purchasers and payments to vendors. This includes not paying invoices unless goods or services have been delivered, and verifying invoices, including pricing — preferably using three-way matching and periodic audits. Look out for fake orders. While it may seem impossible for this type of fraud scheme to work, it can be accomplished easily in organizations with decentralized purchasing and a disorganized process. 
This is especially the case where there is no procurement software to verify orders from purchase order through delivery, invoice, and payment.</li><li>Conduct due diligence on vendors by verifying information such as business name, tax identification number, phone number, post office box and street address, and bank account.</li><li>Look for signs of vendor/employee conflicts of interest or collusion, including bid rigging, preferred supplier schemes, kickbacks, and bribes. Scrutinize unusual bid patterns and business relationships by comparing vendor addresses with employee addresses.</li><li>Implement a dual-review process for master vendor file management. Also review the master vendor file to check that the volume and pricing of billing is reasonable and consistent.</li></ul>Art Stewart
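<p>The invoice controls in the list above (three-way matching, comparing invoice prices with negotiated contract prices, and comparing vendor addresses with employee addresses) can be expressed as a small set of automated checks. The following is an added example, not part of the original article: the record layouts, finding codes, sample data, and the 10 percent price tolerance are all assumptions made for illustration.</p>

```python
"""Added illustration: three-way match and vendor checks over constructed records."""
import re
from dataclasses import dataclass

PRICE_TOLERANCE = 0.10  # assumed threshold: flag prices >10% above contract


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor_id: str
    qty: int
    contract_price: float


@dataclass(frozen=True)
class GoodsReceipt:
    po_id: str
    qty_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_id: str
    vendor_id: str
    qty: int
    unit_price: float


def three_way_match(invoice, orders, receipts):
    """Compare invoice, purchase order and goods receipt.

    Returns a list of finding codes; an empty list means nothing was flagged.
    """
    po = orders.get(invoice.po_id)
    if po is None:
        return ["NO_PURCHASE_ORDER"]  # possible fake order
    findings = []
    if po.vendor_id != invoice.vendor_id:
        findings.append("VENDOR_MISMATCH")
    received = sum(r.qty_received for r in receipts if r.po_id == po.po_id)
    if received == 0:
        findings.append("GOODS_NOT_RECEIVED")
    elif invoice.qty > received:
        findings.append("BILLED_QTY_EXCEEDS_RECEIVED")
    if invoice.unit_price > po.contract_price * (1 + PRICE_TOLERANCE):
        findings.append("PRICE_ABOVE_CONTRACT")
    return findings


def normalize_address(addr):
    """Lower-case, drop punctuation and collapse common abbreviations."""
    addr = re.sub(r"[^a-z0-9 ]", " ", addr.lower())
    swaps = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste"}
    return " ".join(swaps.get(tok, tok) for tok in addr.split())


def vendors_sharing_employee_address(vendors, employees):
    """Map vendor id -> employee ids whose normalized address is identical."""
    by_addr = {}
    for emp_id, addr in employees.items():
        by_addr.setdefault(normalize_address(addr), []).append(emp_id)
    hits = {}
    for vendor_id, addr in vendors.items():
        matched = by_addr.get(normalize_address(addr))
        if matched:
            hits[vendor_id] = sorted(matched)
    return hits


# --- Constructed sample data (not real records) ---
ORDERS = {po.po_id: po for po in [
    PurchaseOrder("PO-1001", "V-01", 100, 10.00),
    PurchaseOrder("PO-1002", "V-02", 50, 20.00),
    PurchaseOrder("PO-1003", "V-03", 200, 2.00),
    PurchaseOrder("PO-1004", "V-01", 10, 100.00),
]}
RECEIPTS = [
    GoodsReceipt("PO-1001", 100),
    GoodsReceipt("PO-1002", 30),   # partial delivery
    GoodsReceipt("PO-1004", 10),   # PO-1003 has no receipt at all
]
INVOICES = [
    Invoice("INV-1", "PO-1001", "V-01", 100, 10.00),
    Invoice("INV-2", "PO-1002", "V-02", 50, 20.00),
    Invoice("INV-3", "PO-1003", "V-03", 200, 2.00),
    Invoice("INV-4", "PO-1004", "V-01", 10, 145.00),
    Invoice("INV-5", "PO-9999", "V-04", 5, 300.00),
]
VENDOR_ADDRESSES = {"V-01": "12 Harbor Road, Suite 4",
                    "V-02": "88 Mill Street",
                    "V-03": "P.O. Box 71"}
EMPLOYEE_ADDRESSES = {"E-17": "88 Mill St.", "E-20": "5 Oak Avenue"}


def review_invoices(invoices=INVOICES, orders=ORDERS, receipts=RECEIPTS):
    """Run the three-way match over every invoice; return id -> findings."""
    return {inv.invoice_id: three_way_match(inv, orders, receipts)
            for inv in invoices}


if __name__ == "__main__":
    for inv_id, findings in review_invoices().items():
        print(inv_id, "HOLD: " + ", ".join(findings) if findings else "OK to pay")
    print(vendors_sharing_employee_address(VENDOR_ADDRESSES, EMPLOYEE_ADDRESSES))
```

<p>A finding is a prompt for review rather than proof of fraud: partial deliveries and renegotiated prices produce legitimate exceptions, so flagged invoices should be routed to someone other than the purchaser who raised the order.</p>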
Fleecing the Crowd<p>What started as a feel-good story has turned into accusations of fraud. An October 2017 story about a homeless veteran who gave his last $20 to a couple whose car had run out of gas prompted the couple to launch a crowdfunding campaign that raised $400,000 to help the man. The problem is he didn't receive the money. </p><p>In November 2018, prosecutors in Burlington County, N.J., charged the couple, Katelyn McClure and Mark D'Amico, and the homeless man, Johnny Bobbitt Jr., with fraud, <a href="" target="_blank"> <em>USA Today</em> reports</a>. Prosecutors say the couple made up the story and had actually met Bobbitt at a casino the month before they launched the campaign. McClure and D'Amico allegedly used the money raised from about 14,000 donations to buy luxury items and for casino trips. Although Bobbitt did not receive the money, prosecutors say he willingly participated in the alleged scheme. GoFundMe has refunded donations to everyone who contributed to the fund.</p><h2>Lessons Learned</h2><p>GoFundMe is one of several crowdfunding platforms that have emerged in recent years, alongside Indiegogo, Kickstarter, and Patreon. The crowdfunding industry is growing rapidly. Statistics research portal Statista estimates that more than 5 million crowdfunding campaigns raised close to $4 billion in donations worldwide in 2017. </p><p>GoFundMe has raised about $5 billion since 2005, with more than 2 million campaigns and 50 million donors. The platform primarily serves personal projects and donation pages, or other campaigns that otherwise don't fit the more common commercial model of companies such as Kickstarter. Funding requests cover a wide range of needs, from community sports groups to disaster relief to education and medical care. </p><p>With so many campaigns, fraudulent activity is not surprising, although GoFundMe's website claims that fraud occurs in less than one-tenth of one percent of its campaigns. 
Indeed, although crowdsourced funding opportunities have removed many structural roadblocks for people to access capital quickly and conveniently, they also have lowered the barrier to entry for many old scams.</p><p>What can crowdfunding companies do to reduce the threat of fraud? One solution is establishing and consistently applying standards for evaluating funding campaigns for fraud before they are allowed to collect donations.<strong> </strong></p><p>GoFundMe's website has some warnings about fraudulent activity and lists several categories that it won't allow, such as hate speech. However, the company's terms of service effectively disclaim any responsibility for control over the conduct or information provided by a campaign organizer. Moreover, GoFundMe does not appear to significantly vet campaigns, which is the most obvious and potentially effective method of deterring the kind of fraud in this story. Even some form of random spot-checking would help. By comparison, Kickstarter has a vetting process before allowing campaigns to go live on its website. </p><p>Several types and sources of information about a campaign and its creators may raise red flags for both crowdfunding companies and potential donors. Internal auditors should consider several measures aimed at identifying fraudulent activity:</p><ul><li>Search the web and social media platforms for information about the campaign creators and the project to assess the creators' background and track record. Red flags include a new page, many recent followers, and pages with only a few posts or comments, especially by the same few people.</li><li>Find out how long the group's website has existed and learn the history of the group's accomplishments. If the campaign is similar to past campaigns, or is posted on several crowdfunding platforms, this is another red flag.</li><li>Beware of campaigns posted just after a tragedy, seemingly heroic events, or natural disasters. 
The classic example of this is the large number of people who have been prosecuted for raising money for illnesses such as cancer treatments when they were not ill. Examine how the organizer will distribute and account for the money donated. If the campaign is ongoing, the creators should be giving regular updates to donors. The fact that the campaign may have links to broader regional, national, or global campaigns — such as those that appear after tornadoes, floods, hurricanes, and earthquakes — does not necessarily protect against fraud. Actually, such campaigns can be hotbeds for fraud.</li><li>Always be skeptical. Visit websites devoted to crowdsourcing fraud, such as <a href="" target="_blank"></a> and <a href="" target="_blank"></a>. Be especially diligent in researching a campaign about an individual supporting a "worthy cause." </li></ul>Art Stewart
Penalizing Corruption<p>Since its inception, the U.S. Securities and Exchange Commission (SEC) Whistleblower Program has fined wrongdoers more than $1.7 billion. “Whistleblowers have played a crucial role in the progression of many investigations and the success of enforcement actions,” said Jane Norberg, SEC chief of the Whistleblower Program, following the $16 million payout to two whistleblowers in November 2017.<br></p><p>The SEC’s 2017 Annual Report to Congress on the Whistleblower Program provides insights for internal auditors and audit committees into the program’s scope, focus, and results. In 2017, the SEC awarded approximately $50 million to 12 individuals for various whistleblower actions. These reports included providing information about a fraud arrangement that was difficult to detect, disrupting investment schemes that targeted unsophisticated investors, and supplying industry-specific information. Norberg stressed the three key features of the program are monetary rewards for information that leads to successful enforced actions, anti-retaliation protections, and confidentiality safeguards. </p><p>Given the growing impact of the SEC Whistleblower Program, internal auditors should encourage executives and directors who oversee governance to understand the key elements of the program. Moreover, auditors should ensure internal processes and controls are in place to effectively resolve whistleblower concerns and build employee trust.</p><h2>Whistleblower Incentives</h2><p>The SEC Whistleblower Program was created in 2011, as directed by Section 922 of the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act, to provide incentives to whistleblowers to report federal securities law violations. Section 21F allows rewards for individuals who provide information that leads to a successful SEC enforcement action resulting in sanctions greater than $1 million. 
Whistleblowers may be an employee, an insider such as a consultant, or an outsider of the company. </p><p>Whistleblowers are eligible for payments of 10 percent to 30 percent of the monetary sanctions collected. To receive payment, the whistleblower must complete the award application within 90 days of when the SEC Notice of Covered Action is posted. Factors that could increase the payment amount include how vital the information is to the SEC action, higher level of cooperation, and evidence the violation was first reported through the company’s internal network. Inversely, factors that could decrease payment include the whistleblower’s involvement in the violation and significant delay in reporting the violation.</p><h2>Program Growth</h2><p><img src="/2018/PublishingImages/Gaydon-whistleblower-tips.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:400px;height:320px;" />Since the whistleblower rules took effect in 2011, the SEC has received more than 22,000 tips, complaints, and referrals (TCRs). “Whistleblower Tips,” at right, shows that TCRs have risen 49 percent since 2012, reaching an all-time high in 2017. The categories that have remained the highest over the life of the program include corporate disclosure, offering fraud, and manipulation (see “Whistleblower Allegation Types” below). </p><p>Approximately 68 percent of TCRs submitted in 2017 came from the U.S., 20 percent from international locations, and 12 percent from a location not disclosed. The annual number of TCRs submitted internationally has grown 75 percent since 2012.</p><p>Although the Dodd-Frank Act prohibits the SEC from disclosing the identity of the whistleblower, the commission does publish the roles in which the whistleblowers served in aggregate. In 2017, most award recipients were current (30 percent) or former employees (25 percent). 
The remaining recipients included harmed investors (19 percent), outsiders (15 percent), other insiders (7 percent), and industry professionals (4 percent). </p><p>Not only are the TCRs up, the amount paid to whistleblowers from the Investor Protection Fund also has been increasing. The SEC has awarded more than $60 million to whistleblowers since 2012 (see “The Top Whistleblower Awards” at the end of this article). </p><h2>Protecting Whistleblowers<br></h2><p>With the monetary awards and payouts growing each year, the SEC has emphasized whistleblower protection since 2017. In separate instances, the SEC levied $2.4 million in penalties against publicly listed companies that retaliated against or hindered employees’ ability to report potential violations to the commission.</p><p><img src="/2018/PublishingImages/Gaydon-whistleblower-tips.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:400px;height:320px;" />Specifically, Section 21F(h)(1) of the Dodd-Frank Act provides whistleblowers with protection against retaliation. In addition, Exchange Act Rule 21F-17(a) forbids employers from not allowing employees to report securities violations to the SEC. The act states that “no person may take any action to impede an individual from communicating directly with the commission staff about a possible securities violation, including enforcing, or threatening to enforce, a confidentiality agreement … with respect to such communications.” The SEC can take legal action against employers that retaliate against employees for reporting federal securities law violations. </p><p>In 2017, the SEC found numerous violations of Rule 21F-17(a). For example, Washington, D.C.-based financial service firm Homestreet Inc. agreed to pay a $500,000 penalty for attempting to identify a whistleblower following an SEC inquiry into accounting violations. 
Moreover, the SEC found that Homestreet employees were only eligible for severance benefits if they signed an agreement waiving potential whistleblower rewards. </p><p>The SEC also brought actions against companies for implementing restrictive covenants in their severance and termination agreements. In January 2017, BlackRock Inc. agreed to pay a $340,000 penalty for including inappropriate language in its separation contracts. In exchange for monetary payments, more than 1,000 former employees signed agreements waiving “any right to recovery of incentives for reporting misconduct, including, without limitation, under the Dodd-Frank Wall Street Reform and Consumer Protection Act.” <br></p><p>In another example, the SEC found Oklahoma energy company SandRidge Energy Inc. had violated both Rule 21F-17(a) and the whistleblower anti-retaliation provisions of Section 21F(h). SandRidge terminated an employee after the whistleblower expressed concerns regarding a reserve calculation. In addition, more than 500 former SandRidge employees signed separation agreements from August 2011 to April 2015 that prevented them from disclosing information to any governmental agency regarding company investigations. SandRidge agreed to pay $1.4 million in penalties. </p><p>Internal auditors may help the organization define, monitor, and manage elements of the whistleblower process to ensure an effective and appropriate avenue is provided to report claims. Auditors also can review whether claims were resolved appropriately. </p><h2>Internal Audit Implications </h2><p>With more than $1 billion in penalties levied so far against companies, the SEC Whistleblower Program is having a significant impact in monetary terms. Moreover, these penalties could result in a scandal that causes reputational damage to the companies involved. In an August 2014 press release, former SEC Whistleblower Office Chief Sean McKessy stressed the importance of internal auditors. 
“Individuals who perform internal audit, compliance, and legal functions for companies are on the front lines in the battle against fraud and corruption,” he said. “They often are privy to the very kinds of specific, timely, and credible information that can prevent an imminent fraud or stop an ongoing one.” </p><p>In some cases, internal auditors, themselves, may be whistleblowers. In 2014 and 2015, the SEC awarded whistleblower rewards to employees within compliance and internal audit functions. According to Section 21F-4, if internal auditors come across a violation, they should first report it internally to the appropriate officer or board member. If action is not taken within 120 days, the internal auditor becomes eligible for an award and may begin the whistleblower process by reporting either through the SEC’s online questionnaire or by completing a hard copy Form-TCR.</p><p>Because more than half of whistleblower reports come from company insiders, chief audit executives (CAEs) should work closely with the audit committee to ensure the appropriate tone, policies, and diligence are in place to support a whistleblower who first reports internally. 
In “Whistleblowers: What the Board Needs to Know,” The IIA’s Tone at the Top newsletter lists six steps that boards and CAEs should take to oversee a whistleblower program:</p><ul><li>Build employee trust of internal policies.<br></li><li>Consider all sources, including hotlines, anonymous email, lawsuits, exit interviews, and social media.<br></li><li>Ensure adequate triage of the report based on understanding the legal and accounting implications.<br></li><li>Enlist internal audit in managing the whistleblower process, managing the investigative process, or reviewing whistleblower activities.<br></li><li>Understand the entire whistleblower program process.<br></li><li>Remain vigilant by continually reviewing and updating whistleblower policies.<br></li></ul><p><br>The SEC Whistleblower Program has resulted in increased tips, fines, awards, and whistleblower protections. With the monetary rewards increasing, reports to the SEC’s Whistleblower Program are likely to grow. Against this backdrop, internal auditors can help their organization’s whistleblower program through education, communication, and monitoring. Given their knowledge of the organization’s governance, policies, and procedures, internal audit’s involvement can add credibility to the whistleblower program. However, auditors should remain objective and leave decision-making responsibility about specific whistleblower cases to management. </p><p><img src="/2018/PublishingImages/Gaydon-top-whistleblower-awards.jpg" alt="" style="margin:5px;width:750px;height:935px;" /> <br></p>Daniel Gaydon
A Case of Misplaced Trust<p>Jane Dosh was the comptroller and a trusted employee at Smith Interior Design Co. (SID), a small and close-knit professional services firm catering to high net-worth families and individuals, for almost 15 years. As comptroller, she managed many aspects of SID’s financials — such as paying bills, managing payroll, and purchasing supplies for the company and clients — with oversight from Robert Smith, the company’s co-founder. Smith was responsible for monitoring the company’s finances. When he passed away in 2011, his financial responsibilities were added to Dosh’s workload, which meant she handled every aspect of the company’s finances with no oversight. She continued in that role for the next few years until she unexpectedly resigned on Dec. 31, 2016. </p><p>Internal Audit Manager Heather Dittman was the sole internal auditor at SID and did not have the resources to provide a routine set of reviews aligned with a regular risk assessment. As part of her annual plan, Dittman performed a standard review of the accounts payable process. The audit program included sampling transactions, checking support, and ensuring appropriate authorizations. During her review in early 2017, she documented several unsupported and unexplained transactions. </p><p>During the validation process, Dittman interviewed several employees for supporting explanations and documents, but they were unaware of the expenses and could not retrieve the records. Having exceptions in the validation process was a typical event for Dittman, but a large number of unexplained exceptions was unusual — plus there was no supporting documentation. </p><p>Dittman reached out to Dosh, who insisted that the records must be misplaced and that she would find them and send them to Dittman. However, as days turned into weeks, Dosh did not send the records. Dittman sent numerous follow-up emails and voicemails, which went unanswered. 
After weeks of no response, Dittman went to the file room to search for the records, herself, but the room was empty. </p><p>Unable to obtain answers from Dosh and concerned about missing records, Dittman escalated her concerns to the CEO and chief financial officer and recommended a forensic review. Given Dosh’s control of the financial processes, it appeared possible that she had defrauded the company and was now covering it up. Management was concerned about the extent of the fraud and the company’s ability to recoup the money. As a result, management agreed to a forensic review. </p><p>The forensic review began with traditional surveillance of Dosh to uncover the facts necessary to figure out the fraud. During lunch on the second day of surveillance, Dosh went to a local boutique. This piece let the investigators assemble the rest of the puzzle. </p><p>Dosh wanted to be an entrepreneur, but she lacked funding. When Smith died, another employee, Helen Brown, was granted a company credit card, and Dosh saw her chance. She had access to the new card’s information and knew nobody would be monitoring the credit card activity but her. Dosh then contacted Alexandra Johnson, an acquaintance who worked at a luxury clothing store nearby, and the two began a joint business venture. Dosh went to the store where Johnson worked, and they set up a store account using Brown’s company credit card. Johnson later quit her job at the boutique and got a job at another clothing store. There, she set up another account with Dosh using Brown’s credit card. Dosh also bought expensive jewelry and clothing from other boutiques on the card. She would pay off her purchases on the company card every month from SID’s checking accounts. </p><p>When forensic investigators recovered the contents of Dosh’s company computer hard drive, they found detailed plans for a boutique clothing and accessory business owned by Dosh and Johnson. 
Private investigators followed Dosh for weeks to locate where she was storing the fraudulent purchases. She also forged the signature of the second company co-founder on multiple fraudulent checks to purchase personal goods and services, including payments to family-owned businesses. Investigators went through years of company financial documents to find that she had embezzled more than $4 million from the company in just five years. </p><p>SID and the investigators turned the case over to federal law enforcement. Dosh pleaded guilty and is awaiting sentencing for charges related to identity theft and fraud. SID implemented several policies and procedures to prevent the company from getting defrauded again, including: </p><ul><li>Disbursing cash only after appropriate management authorization and only with dual approvals over certain threshold amounts to ensure company funds were being spent for approved business purposes. <br></li><li>Reviewing all cash receipts and disbursements as part of a monthly bank reconciliation.<br></li><li>Separating financial duties so no one person would handle all of the responsibilities. <br></li><li>Backing up all financial transaction source documents to multiple locations so the documents would not be lost if any one location was compromised. <br></li><li>Developing a risk assessment program to allow internal audit to review, assess, and identify weaknesses in the internal controls and point out areas of high risk concerning fraud. <br></li></ul><p>SID realized that internal controls do not have to be an impediment that slows down work processes. While there is no such thing as a one-size-fits-all system of internal controls, getting the focus of their internal controls right helped safeguard and develop their business. 
</p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"> <p><strong>Lessons Learned</strong></p><ul><li>No company is immune to fraud. Internal audit needs to help the organization prevent and minimize fraud risks. Small companies that are reluctant to invest the money to provide more internal audit coverage should consider the return on investment in comparison to a $4 million embezzlement. It is imperative for companies to set up internal policies and procedures that separate duties, promote accurate documentation, and systematically evaluate and counter all potential risk.<br></li><li>Internal audit should perform a fraud risk assessment to help leadership in small companies understand the extent of their vulnerability to fraud. Significant procedural or segregation of duties gaps can be identified during the process without requiring substantial investment in audit resources. Many of the control weaknesses in this case would have been uncovered during the assessment process. <br></li><li>Internal auditors should include a fraud risk assessment as a standard for their work plans. It applies to every company and is the most compelling method of educating management about fraud vulnerabilities. The act of communicating this tool throughout management is sometimes enough to prevent fraud. <br></li><li>Internal audit needs to know when to involve a forensic investigator. Forensic experts can provide different tools, such as recovering erased hard drives and surveillance, and will preserve the chain of evidence in a fraud case. <br><br></li></ul></td></tr></tbody></table>Frank Rudewicz
The Case for Due Diligence<p>Two former executives of U.K.-based Autonomy have been indicted on criminal fraud charges stemming from the software company's 2011 acquisition by Hewlett Packard (HP), <a href="" target="_blank"><em></em></a> reports. U.S. prosecutors allege former CEO Mike Lynch and Stephen Chamberlain, former vice president of finance, used fraudulent accounting practices to inflate Autonomy's value. A year after completing the purchase, HP took an $8.8 billion write down of Autonomy's assets and later sold those assets to Micro Focus. Last April, a U.S. federal court jury found former Autonomy CFO Sushovan Hussain guilty of wire and securities fraud. Also, Hewlett Packard Enterprise, which spun off from HP in 2015, has sued Lynch and Hussain in the U.K. Lynch's attorneys claim HP made mistakes in integrating Autonomy's assets that reduced their value. </p><h2>Lessons Learned</h2><p>This story illustrates the need for a thorough due diligence process for a major acquisition. Internal auditors can view advice and resources about the due diligence process provided by organizations such as The IIA, the U.S. Securities and Exchange Commission (SEC), and the Association of Certified Fraud Examiners. Two key aspects of the process may have helped reveal the core issues in dispute in this alleged fraud: due diligence risk assessment and the potential impact of differing international accounting standards.</p><p> <strong>Due Diligence Risk Assessment</strong> A thorough risk assessment of the company targeted for acquisition is essential. Furthermore, the SEC and U.S. Department of Justice (DOJ) have issued A Resource Guide to the U.S. Foreign Corrupt Practices Act (the FCPA Guide), which recommends companies conduct<strong> </strong>pre-acquisition due diligence<strong> </strong>on merger and acquisition deals. Uncovering fraud after the deal is completed can have damaging consequences for an acquirer. 
Two key parts of this due diligence are:</p><ul><li> <em>Assessing the validity, accuracy, and integrity of the financial statements.</em> This assessment should include related internal and external financial reporting, significant estimates and accounting policies, regulatory changes and their impact on financial statements, past and recent findings of internal and external auditors, and staff competency and training.<br><br></li><li> <em>Examining the organization's internal controls, using a risk-based approach.</em> This examination should review internal control procedures and documentation, and analyze gaps in internal control structures and the adequacy of management's corrective action plans. Moreover, it should review related internal and external audit reports and findings on internal control deficiencies, along with remediation strategies. Depending on the results of these reviews in terms of risk, a further internal audit or external audit of internal controls may be warranted. <br><br>According to the DOJ/SEC FCPA Guide, companies do not examine the target company's internal control environment in detail before completing an acquisition. Consequently, internal control weaknesses that may exist are left to be identified during the post-acquisition integration process. These weaknesses may lead to an increase in the risk of fraud. <br><br></li><li> <em>Applying data mining techniques to uncover potential fraud.</em> At a minimum, the acquiring company should obtain as much transactional data as possible from the target company's accounting system. 
Analyzing this data using a data mining tool can identify potential anomalies in the operation of internal controls and unusual transactions that may be evidence of fraudulent activity.<br>  </li></ul><p>Other aspects of a risk assessment include a review of the target company's compliance and ethics program, its ethical culture, and background checks on key executives and employees.</p><p> <strong>Financial Accounting Standards</strong> In the Autonomy case, there is a potential issue around the differences among financial accounting standards that exist internationally. Lynch has stated that the claims of fraud come down to a dispute over the application of U.K. accounting standards. The U.K. and many other countries use International Financial Reporting Standards (IFRS) as their accounting method. IFRS has some key differences from the Generally Accepted Accounting Principles (GAAP) approach used in the U.S. Lynch and his attorneys argue that differences in interpretation between them could have contributed to the view that Autonomy inflated its value before its acquisition.</p><p></p><p>A major difference between IFRS and GAAP is the methodology used to assess the accounting process. GAAP focuses on research and is rules-based, whereas IFRS looks at the overall patterns and is based on principles. With an IFRS-based accounting method, potentially different interpretations could result in higher values being included in financial statements in five areas: </p><ul><li> <em>Inventory reversal</em><em>.</em> GAAP specifies that if the market value of the asset increases, the amount of the write down cannot be reversed. Under IFRS, however, the amount of the write down can be reversed. In other words, GAAP is cautious of inventory reversal and does not reflect any positive changes in the marketplace.<br> </li><li> <em>Development costs</em><em>.</em> A company can capitalize its development costs under IFRS, as long as certain criteria are met. 
This allows a business to leverage depreciation on fixed assets. Under GAAP, development costs must be expensed in the year they occur and are not allowed to be capitalized.<br> </li><li> <em>Intangible assets such as research and development or advertising costs.</em><strong> </strong>IFRS accounting takes into account whether an asset will have a future economic benefit as a way of assessing the value. Intangible assets measured under GAAP are recognized at the fair market value only.<br> </li><li> <em>Income statements</em><em>.</em><strong> </strong>Under IFRS, extraordinary or unusual items are included in the income statement and not segregated. Under GAAP, they are separated and shown below the net income portion of the income statement.<br> </li><li> <em>Fixed assets</em><em> </em><em>such as property, furniture, and equipment.</em><strong> </strong>Companies using GAAP accounting must value these assets using a cost model. This takes into account the historical value of an asset minus any accumulated depreciation. IFRS uses a different model, called the revaluation model, based on the fair value at the current date minus any accumulated depreciation and impairment losses. </li></ul>Art Stewart0
The Unscrupulous Advisor<p>A federal grand jury has indicted the CEO of an investment management firm on 23 counts of fraud, <a href="" target="_blank">the <em>Idaho State Journal</em> reports</a>. Federal prosecutors say David Hansen, majority owner of Yellowstone Partners LLC, headquartered in Idaho Falls, Idaho, overbilled client accounts by submitting false billing requests to a brokerage firm. Last year, former Yellowstone Partners employees told the <em>Post Register</em> newspaper they had found "significant irregularities" in some customer accounts in 2016. Prosecutors estimate Hansen's alleged scheme defrauded clients of more than $9 million. The indictment also charges Hansen with aiding in preparing false corporate and personal income tax returns that underreported the company's revenue and his own income in 2012 and 2013.</p><h2>Lessons Learned</h2><p>The CEO of the investment management firm in this story allegedly has run afoul of the U.S. Securities and Exchange Commission (SEC) and more particularly Section 206 of the Investment Advisers Act of 1940 (the "Advisers Act"). In part, Section 206: </p><p> <span class="ms-rteStyle-BQ">"prohibits misstatements or misleading omissions of material facts and other fraudulent acts and practices in connection with the conduct of an investment advisory business. As a fiduciary, an investment adviser owes its clients undivided loyalty, and may not engage in activity that conflicts with a client's interest without the client's consent."</span> </p><p>In addition to the general anti-fraud prohibition of Section 206, other sections of the act regulate several practices relevant to the alleged fraud in this story. These include disclosure of fees, investment advisor advertising, custody or possession of client funds or securities, and disclosure of investment advisors' financial and disciplinary backgrounds. All of these rules were allegedly broken in one way or another in this case. 
</p><p>Internal auditors should consider measures to help their organization prevent and detect the kind of fraud represented in this story. Two main areas of concern surround disclosure obligations:</p><ul><li>"The Brochure Rule" (Advisers Act Rule 204-3), requires every SEC-registered investment advisor to deliver to each client or prospective client a Form ADV Part 2A (brochure) and Part 2B (brochure supplement) describing the advisor's business practices, conflicts of interest, background, and its advisory personnel. Advisors must deliver these documents to a client before or at the time the advisor enters into an investment advisory contract with a client. In addition, advisors must provide them whenever there is a material change to the advisor's profile. <br> <br>Both investors and auditors need to be aware of how business practices and conflicts of interests can be hidden or manipulated. Hansen is a partner at Elite Advisor Institute, a company that trains and coaches investment advisors. Was this partnership disclosed, and were some of the people involved in the overbilling scheme at Yellowstone Partners trained there? <br> <br>A further step that needs to be taken is to cross-check an investment advisor's background with those who regulate and accredit them such as the SEC (registration information is available on <a href="" target="_blank">the SEC's website</a>). The Financial Industry Regulatory Authority also offers information about the professional designations used by advisors as well as measures that investors can take to avoid investment fraud. </li> <br> <li>The SEC mandates that an investment advisor disclose to clients all material information regarding its compensation such as whether the advisor's fee is higher than the fee typically charged by other advisors for similar services. In most cases, this disclosure is necessary if the annual fee is three percent of assets or higher. 
<br> <br>Investors and auditors should be proactive in regularly reviewing investment transactions to determine what fees are being incurred, as an early way to detect overbilling. The investment industry should continue to be obligated to regularly and transparently disclose fees to clients. A good practice would be to disclose such fees monthly, although often this is only done annually. <br> <br>A further part of this transparency is to carefully monitor the use of other mechanisms that incur fees such as performance fees and referral to third-party fees. Another mechanism susceptible to overbilling is a "wrap fee program" where advisory and brokerage services are provided for a single fee that is not based on the client's account transactions. </li></ul>Art Stewart0
Crimes of the Century<p>Fraud will flourish until human beings and money are removed from the mechanics of the international economy. In fact, all that separates a determined criminal and a company's cash flow is a control regime developed by imperfect human beings, often operating with insufficient manpower and limited technological assistance. So there's a decent chance that somebody will come up with a way to scam any new system. Indeed, most of the worst frauds ever have played out in the last 20 years, because the prize money is growing and the playing field is expanding. <br></p><p>"The fraud climate has greatly improved over the past few decades," says financial analyst Harry Markopolos, who battled unconvinced U.S. Securities and Exchange Commission (SEC) staffers in Boston and New York when he tried to disclose one of the biggest schemes in recent years. "Unfortunately, it's improved for the fraudsters, not the victims." Internal audit functions are doing their best — and they're sometimes the heroes when crimes are uncovered. But a look back at some of the biggest headline-grabbing scandals of the 21<sup>st</sup> century confirms his contention that fraud fighting is, increasingly, a 24/7 responsibility. <br></p><h2>Enron</h2><p>In 2001, former vice president of corporate development Sherron Watkins blew the whistle on executives at once-giant energy company Enron Corp. for "inventing revenue and hiding losses via elaborate partnerships with dummy companies," as CBS News reported at the time. Enron went bankrupt, taking down Arthur Andersen, its main audit firm, with it. In all, 21 people pleaded or were found guilty in the $74 billion fraud; charges included insider trading, conspiracy, bank fraud, making false statements to auditors, and securities and wire fraud. 
Former chair and CEO Kenneth Lay, former CEO and chief operating officer Jeffrey Skilling, and former chief financial officer (CFO) Andy Fastow were among the convicted, but Lay died before serving any time. <br></p><p>Watkins played a key role in exposing the fraud, though it proved an uphill battle and took significant time for the scandal to fully come to light. That fighting fraud is an increasingly titanic endeavor is evident in the numbers, Markopolos says — the dollar amounts of the damage the criminals do keep going up. "You can see the growing problem by the size of the frauds," he says. "They're becoming increasingly larger decade by decade."<br></p><h2>WorldCom</h2><p>Early in the last decade, former CEO Bernie Ebbers' $180 billion WorldCom fraud included underreporting line costs by capitalizing rather than expensing them and inflating revenues with fake accounting entries. The monumental scheme was discovered by the company's then vice president of internal audit, Cynthia Cooper, who along with Watkins was named one of <em>Time</em> magazine's 2002 Persons of the Year for her efforts. WorldCom went bankrupt and is now part of Verizon Communications.<br></p><p>WorldCom's CFO was fired and the controller resigned. Ebbers was sentenced to 25 years in prison for fraud, conspiracy, and filing false documents with regulators; he's still in jail, despite his widely reported "begging" for a presidential pardon. U.S. Congress passed the Sarbanes-Oxley Act of 2002 just weeks after news of the WorldCom scandal broke. <br></p><h2>Bernie Madoff<br></h2><p>A few years after Sarbanes-Oxley went into effect, the fraud case Markopolos tried to expose — involving now-80-year-old Bernie Madoff, the former Nasdaq chair who pleaded guilty in 2009 to federal felonies — racked up an estimated $65 billion price tag in the 10 years Markopolos attempted to convince the SEC that something didn't add up. 
Madoff's charges included securities, investment advisor, mail, and wire fraud; money laundering; perjury; making false filings with the SEC; and theft from an employee benefit plan. <br></p><p>He's still in prison, with an expected release date of 2139. The former head of Bernard L. Madoff Investment Securities LLC forfeited $17 billion before starting the 150-year sentence for running the largest Ponzi scheme in history — basically, investors' returns came from their own money, not from profits. The case, Markopolos points out, is a sad example of the outcome of most financial fraud scandals. "Unfortunately, when it comes to economic crimes," he explains, "usually only the top tier of planners and architects of the scheme end up serving significant prison sentences." In this instance, "no one at Madoff's hundreds of feeder funds was ever prosecuted, just like no bank executives went to jail for the global financial crises from 2007 to 2009."  <br></p><h2>Olympus</h2><p>In 2011, a low-level Olympus Corp. employee blew the whistle on executives concealing $1.5 billion in investment losses. The brand new CEO, <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=1dde819e-8404-419b-88f7-e1c12fb86673">Michael Woodford</a>, exposed the scandal; he got fired and Olympus denied everything.<br></p><p>Ultimately, 11 executives were arrested, much of the board resigned, and the company lost 80 percent of its value. But just three got suspended sentences — two for three years, the other for 30 months. Within a couple years the company returned to profit, and its shares recovered most of their losses.<br></p><h2>FIFA</h2><p>Just three years ago, U.S. 
officials charged nine executives at the Fédération Internationale de Football Association (FIFA), four sports marketers, and an accused intermediary with racketeering, wire fraud, and money laundering, saying they conspired to solicit and receive $150 million in bribes and kickbacks for rights to televise the quadrennial World Cup and to sway FIFA's decisions on who hosts it. Charles Blazer, former executive committee member, pleaded guilty and forfeited $2 million; he faces a maximum of 10 years in prison. José Hawilla, head of the Traffic Group, a sports marketing conglomerate, and two of his companies, Traffic Sports International Inc. and Traffic Sports USA Inc., also pleaded guilty; he forfeited $151 million. The individuals face maximum terms of 20 years in prison; the corporate defendants face fines of $500,000 and one year of probation.<br></p><p>Since then, the organization has struggled to implement internal reforms — but reminders of the scandal keep surfacing. In 2017, former member Richard Lai pleaded guilty to FIFA-related charges, and this summer, a corporate defendant pleaded guilty to fraud in the case — and paid $25 million in fines and forfeitures.<br></p><h2>Little Restitution for Victims</h2><p>Those fines and forfeitures, unfortunately, rarely make victims whole. For example, in most Ponzi schemes, Markopolos points out, "recoveries range from 20 cents to 50 cents of every initial dollar invested, varying by geographical location, size and type of the scheme, and too many other variables that affect just how much investors will eventually get back." He also notes that it takes a long time to unwind such complex schemes — so when victims finally do receive partial restitution, it's often as much as five to 10 years after the scheme has collapsed. <br></p><p>Indeed, <em>The</em> <em>New York Times</em> reported in April that victims would receive another $504 million from Madoff assets the government seized a decade ago. 
"With that distribution," the <em>Times</em> reported, "21,000 victims have received more than $1.2 billion." But the theft tally ranged from a conservative $15 billion or so to the widely reported $65 billion; in the better case scenario, in other words, victims haven't yet gotten back 10 percent of their losses. Says Markopolos: "The one constant truth is there are no happy endings for victims."<br></p><p>He blames a regulatory and corporate culture that has its head in the sand, that struggles to take the threat of another shocking scandal seriously, and that gives finance industry titans too much credit for good behavior. Indeed, he famously complained to the SEC for a decade that the Madoff firm's returns weren't mathematically possible, but he was turned away more than once; two SEC executives ultimately resigned, but no one was fired and few were sanctioned. "Investor due diligence on Wall Street is very lax," Markopolos says, and "doesn't come close to The IIA's standards of what a real audit would entail. If financial due diligence professionals would join The IIA and attend chapter meetings, they'd learn enough to be much harder to fool." <br></p>Russell A. Jackson1
Cash-transfer Schemes<p>Cash-transfer company MoneyGram International has agreed to pay $125 million to settle charges that it covered up weaknesses in its anti-fraud program, <a href="" target="_blank"><em>The Orange County Register</em> reports</a>. Those weaknesses resulted in $125 million in fraudulent transactions between April 2015 and October 2016. Moreover, MoneyGram violated a 2012 settlement with the U.S. Justice Department. It also violated a 2009 U.S. Federal Trade Commission (FTC) order that required the company to put anti-fraud measures in place. Both of those actions stemmed from a six-year investigation that found the company had been aware that its agents had tricked customers into sending money to fake accounts.  </p><h2>Lessons Learned</h2><p>MoneyGram's website compiles advice on how consumers can avoid being defrauded when sending money (see <a class="vglnk" href="" rel="nofollow" target="_blank">https://bit.ly/1jR6xLu</a>). Although MoneyGram may provide this advice to meet regulatory compliance requirements, it also may offer the information because the company has been implicated in such fraud. However, none of these examples warn that the culprit of the attempted fraud could be a MoneyGram employee or agent.</p><p>What measures should MoneyGram and other cash-transfer companies consider to prevent and detect employees who try to perpetrate fraud on their clients? MoneyGram has more than 150,000 employees and agents around the world, so a comprehensive internal anti-fraud regime is essential. Here are three measures that could help:</p><ul><li> <strong>Increase the frequency and thoroughness of employee background checks before and after hiring. </strong>MoneyGram allegedly ignored thousands of complaints about a group of agents in the U.S. and Canada who handled hundreds of millions of dollars in transfers annually. 
Also, court findings in other fraud cases have alleged that many of MoneyGram's agents previously had been fired or suspended by competitor Western Union over fraud allegations. Yet, MoneyGram performed few background checks on those individuals.<br><br></li><li> <strong>Implement, monitor, and publicly report on the results of a complete whistleblower program for employees. </strong>In documenting its cases against MoneyGram going back many years, the FTC found that company managers often told employees to be quiet if they raised concerns about potential fraud by outsiders or employees. In some cases, employees who expressed concerns were disciplined or fired. <br><br>The FTC has alleged that MoneyGram "typically rejected or ignored employee concerns, claiming that they were too costly or that consumer fraud prevention was not the [company's] responsibility." The company operates a hotline through which employees and agents can report violations of its anti-fraud policies. MoneyGram should audit the program regularly to determine its effectiveness.<br><br></li><li> <strong>Institute a meaningful culture and practice of accountability.</strong> The FTC has repeatedly fined MoneyGram, saying the company knew its system was being used to defraud people but did nothing to stop it. As far back as 2009, U.S. investigators found that 131 of its 1,200 agents in Canada and the U.S. had solicited consumers to send them deposits via MoneyGram for lottery entries, guaranteed loans, and other schemes. These deposits accounted for more than 95 percent of fraud complaints MoneyGram received in 2008 regarding money transfers to Canada. The FTC further alleged that the employees responsible were never terminated.<br><br>Real accountability calls for moving beyond financial fines to discipline and potentially termination of individuals who perpetuate this kind of fraud. These individuals could include employees, supervisors, managers, senior executives, or board directors. 
MoneyGram has instituted anti-fraud accountability measures such as creating an ethics and compliance committee reporting to its board, as well as establishing two related executive positions. However, these actions have not generated enough results. <br></li></ul>Art Stewart0
An Injection of Fraud<p>The CEO of a Michigan-based health-care group has pleaded guilty to charges of paying doctors to administer medically unnecessary injections "that resulted in patient harm," according to <a href="" target="_blank">WXYZ</a> in Detroit. In the $300 million scheme, Mashiyat Rashid, CEO of pain clinic operator Tri-County Wellness Group, rewarded doctors based on the number of back pain injections Medicare paid for. Many of the patients were addicted to opioids and agreed to receive the shots to obtain pills. As part of his plea, Rashid will forfeit more than $51 million as well as commercial and residential property he owns.</p><h2>Lessons Learned</h2><p>Medicare fraud continues to grow in size and scope, and now encompasses the widespread opioid crisis. Since 2007, the U.S. Medicare Fraud Strike Force has charged more than 4,000 defendants with billing the Medicare program for more than $14 billion collectively. </p><p>Fraudsters such as Rashid aim to profit illegally from schemes that harm taxpayers and expose patients to the dangers of opioid drugs. Internal auditors and regulators can help prevent these abuses by focusing on controls in several areas.</p><ul><li> <strong>Always look out for the "shell game." </strong>Fraudsters often cover up fraud by operating a seemingly innocent activity. Rashid owned, controlled, and operated numerous pain clinics, laboratories, and other providers in Michigan and Ohio. For nine years until his arrest in 2017, Rashid conspired with physicians to require Medicare beneficiaries who wished to obtain controlled substances to submit to expensive, medically unnecessary, and painful back injections. <br> <br>While it isn't known how many of these injections were forced on patients, U.S. Justice Department officials say Rashid and the doctors associated with his clinics distributed more than 6 million doses. 
Medicare eventually determined that 100 percent of the injection claims were not eligible for reimbursement. Auditors could have detected these red flags earlier using data mining techniques.<br> </li><li> <strong>Establish robust controls over Medicare enrollment by fake companies.</strong> Shifting and multiple corporate registrations that trace back to the same owners are another red flag that might have been detected and investigated earlier in this case. The fraudsters created new shell companies that they enrolled in Medicare to keep the fraudulent billing going. Often, they only changed the name of the company on the door and invented new suite numbers to conceal themselves. <br> </li><li> <strong>Enhance whistleblower programs and incentives. </strong>Many patients implicated in Rashid's scheme were motivated by gaining access to opioid drugs. Publicizing these Medicare frauds and providing ways for patients to report their concerns to authorities without fear of reprisal can help uncover these crimes. Financial incentives can motivate whistleblowers to come forward. But the fraudsters offer incentives, too. Rashid paid kickbacks to obtain patients and bribed physicians to refer Medicare beneficiaries to specific third-party home health agencies.<br> </li> <li> <strong>Pay attention to significant lifestyle changes of senior executives.</strong> Even in the medical industry, where many people are highly compensated, there are lifestyle clues that can lead the U.S. Internal Revenue Service and financial fraud trackers to illegal activities. Rashid pleaded guilty to money laundering in connection with a $6.6 million wire transfer. He used the money to live extravagantly, purchasing a mansion and other real estate, as well as luxury clothes, rare watches, and exotic automobiles.</li></ul>Art Stewart0
The Fall of the Food Researcher<p>A well-known food researcher has stepped down from his university teaching and research posts following the retraction of six of his papers, the <a href="" target="_blank"><em>National Post</em> reports</a>. The JAMA medical journals retracted the papers published by Cornell University professor Brian Wansink, after the university could not produce original data to verify the results of his research on consumer behavior. Reviews of Wansink's previous work allege that he had cherry-picked data points in his research to make the findings more likely to be published. Those reviews resulted in seven other papers being retracted. </p><h2>Lessons Learned</h2><p>According to Cornell, Wansink's academic misconduct also included misreporting data, problematic statistical techniques, failure to appropriately document and preserve research results, and inappropriate authorship. Researchers are not the only ones who engage in such practices. This kind of deception can arise from any sector of society, including corporations, governments, journalists, and educators.  </p><p>Internal auditors need to know about the various inappropriate ways data can be collected and used. They should maintain a skeptical stance regarding what they see in their audit work, including financial statements, management reporting of results, assessments of program effectiveness/efficiency, and compliance with standards. Here are some observations about three of the most relevant issues to this story — misreporting data, methodology, and data quality and integrity — along with a few suggestions about how to fix the problems.</p><ul><li> <strong>Misreporting data.</strong> The practice of <a href="" target="_blank">"p-hacking,"</a> in which researchers slice and dice a data set until an impressive-looking pattern emerges, has become prevalent. 
Also common is publication bias, which is the tendency to favor publication of studies with positive results. The increased presence of the internet and social media has further accentuated the problem. <br><br>Misreporting data can take various forms, from tweaking variables to show a desired result, to pretending that a finding proves an original hypothesis — in other words, uncovering an answer to a question that was only asked after the fact. For example, in psychology research, a result usually is considered statistically significant when a calculation called a p-value is less than or equal to 0.05. But excessive data massaging can produce a p-value lower than 0.05 just by random chance, making a hypothesis seem valid when it's actually a chance result. An insightful paper on this topic can be found <a href="" target="_blank">here</a>. <br><br>Sample sizes also matter in survey data analysis. They always should be reported — or at least made available — along with confidence levels and the methodologies applied to the data. Additionally, sample design and the avoidance of sample bias are important considerations in judging the validity of survey sample results.<br></li> <br> <li> <strong>Weak statistical methods. </strong>A related issue is the choice of statistics to represent the findings, and the importance of having a baseline/benchmark for expected results. A basic but prime example of the former is the bell curve. If you read that "the average of a group's score was five out of 10," that does not necessarily mean most scored a 5 — an "upright" bell curve. But the actual range of scores may be quite different. For example, half the group may have scored zero or one out of 10, and the other half nine out of 10 — which means that an "inverted" bell best represents the result. On the latter, understanding the differences between correlation and causation, and the use of a relevant baseline are important. 
<br><br>Here is a famous example: There is a strong positive correlation between the number of Nobel prizes the people of a country have earned and the quantity of chocolate eaten annually in that country. But this does not show that eating more chocolate will earn you a Nobel prize. Correlation does not imply causation. The countries that eat the most chocolate are the wealthier ones where chocolate is inexpensive and that tend to have more money to invest in education and research — resulting in more Nobel prizes.<br></li> <br> <li> <strong>Poor data quality and documentation.</strong> In many instances, researchers do not do enough to appropriately identify and categorize the quality of data used. This is particularly true where data sets originate from disparate systems or sources, historical data is used, and data definitions have not been validated for comparability. A systematic measurement of data quality and a disclosure against a standard (even a scorecard green, red, yellow type) alongside the published results would help alleviate problems of misinterpretation. And as data increasingly is captured electronically, it should be retained, along with its documentation, coding, and methodological routines.<br> </li></ul><p>Overall, pre-approval and pre-registration, including publicly, of research plans can help to address these three problems. That is especially the case when the specifics are addressed by stating exactly what the hypothesis is and what plans there are to test it and how. When these requirements are in place, there is less room for cherry-picking the most eye-catching results after the study is completed.</p><p>Wherever possible, more efforts should be made to run larger studies or replications, which are less likely to produce spurious results that get published. Researchers should describe their methods in more detail, and upload any materials or code to open databases, making it easier to review the basis of their work. 
Declaring the quality of the data used against a standard or benchmark also would help. And journal editors should collaborate to establish and enforce consistently high standards for accepting and publishing research results.</p>Art Stewart0
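<p>The p-hacking effect described under "Misreporting data" above, as an added example that is not part of the original article: it simulates studies on pure noise and counts how often the best of several tested outcomes clears the 0.05 threshold. The data is constructed, the function names and the z-test with known variance are assumptions made for the illustration, and the Bonferroni threshold in the last line is a standard correction the article does not mention.</p>

```python
"""Simulate p-hacking on constructed pure-noise data (no real study is used)."""
import math
import random

ALPHA = 0.05  # significance threshold cited in the article


def two_sided_p(group_a, group_b, sigma=1.0):
    """Two-sample z-test p-value for a difference in means (sigma assumed known)."""
    n_a, n_b = len(group_a), len(group_b)
    diff = sum(group_a) / n_a - sum(group_b) / n_b
    std_err = sigma * math.sqrt(1.0 / n_a + 1.0 / n_b)
    z = abs(diff) / std_err
    # P(|Z| >= z) for a standard normal variable.
    return math.erfc(z / math.sqrt(2.0))


def smallest_p(rng, n_outcomes, n_per_group=30):
    """Run one simulated study and return the best (smallest) p-value found.

    Both groups are drawn from the same N(0, 1) distribution for every
    outcome, so there is no real effect: any 'significant' result is chance.
    """
    best = 1.0
    for _ in range(n_outcomes):
        treated = [rng.gauss(0.0, 1.0) for _ in range(n_per_group)]
        control = [rng.gauss(0.0, 1.0) for _ in range(n_per_group)]
        best = min(best, two_sided_p(treated, control))
    return best


def false_positive_rate(n_outcomes, threshold=ALPHA, trials=1000, seed=2019):
    """Share of no-effect studies that can still report a 'finding'."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    hits = 0
    for _ in range(trials):
        if smallest_p(rng, n_outcomes) <= threshold:
            hits += 1
    return hits / trials


def expected_rate(n_outcomes, threshold=ALPHA):
    """Analytic chance that at least one of n independent null tests passes."""
    return 1.0 - (1.0 - threshold) ** n_outcomes


if __name__ == "__main__":
    # One pre-registered outcome: the false-positive rate stays near 5%.
    print("1 outcome  :", false_positive_rate(1), "expected", expected_rate(1))
    # Twenty outcomes, report the best one: most null studies 'succeed'.
    print("20 outcomes:", false_positive_rate(20), "expected",
          round(expected_rate(20), 4))
    # Holding each of the 20 tests to ALPHA / 20 restores the ~5% rate.
    print("20 outcomes, corrected:",
          false_positive_rate(20, threshold=ALPHA / 20))
```

<p>For an auditor reviewing a reported result, the practical question this raises is how many outcomes, subgroups, or model variants were tried before the one that was published.</p>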
