Red Card for Corruption Card for Corruption<p>​Global soccer governing body FIFA has suspended a member of its audit and compliance committee for 90 days following his guilty plea to U.S. charges of bribery, <a href="" target="_blank">Reuters reports</a>. Richard Lai, a U.S. citizen who is president of the Guam Football Association, admitted to taking almost $1 million in bribes to gain his influence with FIFA. Prosecutors noted that FIFA's audit and compliance committee should play an important role in combatting the corruption that has come to light since 2015. In a separate case, FIFA's ethics committee has launched an investigation into alleged conflict of interest and financial mismanagement by the president of the Caribbean Football Union. </p><h2>Lessons Learned          </h2><p>Behind the immediate headlines of this story are revelations of two decades of corruption in which FIFA officials rigged World Cup bids and steered marketing and broadcast contracts in exchange for bribes paid out through convoluted financial deals or briefcases full of cash. Globally, football officials have been accused of match-fixing and money laundering, as well.</p><p>In response to stakeholder pressure and corruption charges brought against many senior FIFA officials, the organization announced a series of reforms to its governance and decision-making processes. <a href="" target="_blank">The proposed reforms</a> (PDF) include limiting top officials to three four-year terms, a defined division of powers between FIFA's day-to-day operational division and its strategic leaders, and increased gender diversity rules to promote women in the game, such as a requirement that each of FIFA's confederations elect at least one woman to the confederation's governing board. Although there will be independent members on selected advisory committees, reforms do not include adding independent members to a new executive committee.</p><p>Here are a few suggestions FIFA could follow to address corruption:</p><ul><li><strong>Eliminate governance gaps.</strong> First and foremost, in an organization that has been subject to widespread corruption activities, there should be independent members on every committee, including the executive committee. Individuals from government, regulatory/oversight bodies, academia, and professional organizations are among examples of potential independent members. Criteria for independence should include background checks to ensure members or their families do not have connections (paid or not) to particular soccer or media organizations. Audit, ethics, and financial oversight committees must have the powers and resources to independently investigate and report on suspicious matters of any kind, and to turn over their results to regulators and lawmakers. The executive committee also must set a tone of "zero tolerance" of corruption through its words, actions, and policies. The executive committee should not have control over the release of investigative reports.<br><br> </li><li><strong>Implement measures to prevent bid rigging and vote buying. </strong>Expand the list of bidders and voters to make it more difficult for collusion to be effective. Buyers should solicit bids from as many suppliers as economically possible. Having more voters increases the chances that one party will not be able to control the outcome of the vote as easily as it was done in the past. Both bid and voting packages should require bidders and voters to sign and submit a noncollusion affidavit. The packages also should inform bidders and voters of the penalties both for violating laws such as the U.S. Sherman Antitrust Act and for signing a false noncollusion affidavit. These statements should be verified routinely through audit and review processes. <br><br>FIFA also should ensure that all purchasing department and voting oversight employees are familiar with the indicators of bid and vote rigging, price fixing, and other types of collusion. Employees also should be empowered to ask questions and raise flags when collusion is suspected. Voting and bidding processes should be well-documented and records should be maintained in the event they are needed for review when collusion is suspected.<br><br> </li></ul><ul><li><strong>Leverage the deterrence/detection effects of whistleblower mechanisms and tough sanctions for corrupt behaviors. </strong>The corruption in this story was in some significant ways<strong> </strong>uncovered by a whistleblower. FIFA should do more to support and protect whistleblowers. Moreover, its sanctions of proven perpetrators of corruption probably could be much<strong> </strong>stronger — a 90-day suspension from soccer sends a much less decisive message of deterrence than a ban of several years or a lifetime. </li></ul>Art Stewart0
Life of Luxury of Luxury<p>Candace Smith is a member of the internal audit staff at Ace Ltd., a large, diversified company with subsidiaries in numerous industries. While reviewing prior audit plans, Smith realized that one subsidiary, CRL Ltd., had not been subject to an internal audit since its acquisition five years before. When Smith was reviewing the financial results for CRL, she noted that actual expenditures were much higher than budgeted and historic figures. She met with the chief audit executive (CAE) and recommended that this subsidiary be included in the current-year audit plan. The CAE agreed with her assessment, and auditors began to look into CRL's history. </p><p>CRL was founded by Wayne Boyd when he was in his early 30s. Boyd had a larger-than-life personality and earned a reputation for lavishly entertaining customers and prospects. Seven years after founding CRL, he sold a majority interest to Ace for more than US$30 million. He remained president of the division, received a generous salary, and was given a US$500,000 annual st​ipend to cover his entertaining expenses at his various properties. He also had access to a corporate credit card and made frequent use of his expense account.</p><p>Accounting and other core business processes remained under Boyd's control and were performed by CRL personnel. Boyd was used to having total control over all aspects of CRL, which allowed him to play fast and loose with the accounting records. He regularly pushed his personal expenses through the company. When Ace took over, it implemented a budget, but day-to-day operations remained in the control of Boyd and his family. </p><p>When the internal auditors arrived, they identified many over-budget accounts and requested supporting documentation. Many of the supporting documents did not appear to relate to either CRL or Ace, but to Boyd's personal purchases. Internal audit began to interview CRL employees who were hesitant to speak with Ace representatives. While CRL's accounting personnel were not forthcoming, Boyd's personnel assistant, Mary White, was a wealth of information. She told Smith and the other internal auditors about Boyd and his personal financial habits. </p><p>After the acquisition, Boyd went on a spending spree, buying a plane, hunting lodges throughout the region, and a custom vehicle made for his daughter as a birthday present. Because CRL was located 750 miles away an​d its accounting staff was segregated from the rest of Ace, management at Ace was unaware of these extravagant purchases. </p><p>Boyd had numerous groundskeepers and housekeepers who worked at his personal properties on CRL's payroll. Over the course of two years, CRL paid its staff US$610,000. Boyd also charged a variety of additional personal property expenses to CRL for fish to fill his private lake, a grill for cooking for clients, and a taxidermist for stuffing animals killed on hunting trips with customers.</p><p>In addition to his wife and children, Boyd also had a girlfriend. She received an annual salary from CRL of US$175,000, though she didn't actually work for the company. In his attempts to conceal the relationship from his wife, Boyd used his corporate credit card to pay for their meals and travel. When his wife became wise to these tricks, Boyd began to use his assistant's credit card. </p><p>Boyd also used some of the proceeds from his windfall to flip condominiums. He jointly owned some of these properties with a CRL employee who wrote a check to Boyd every month for his portion of the mortgage. As Boyd became desperate for cash, he stopped remitting those checks to the mortgage company and pocketed the money. The employee's credit score declined dramatically. Later, Boyd refused to pay any portion of the outstanding mortgage. Instead, he arranged to have the employee's pay increased to provide additional funds to pay it. </p><p>When Boyd purchased the plane and hired a pilot who didn't know how to fly, he had CRL pay for the pilot's salary and training. He prepared invoices and billed CRL for all of the flights, including those that were personal in nature. Fictitious invoices were submitted for flights that never occurred and wages that were already being paid by CRL to generate additional cash flow for Boyd. </p><p>Within five years, Boyd spent almost all of the money that he received in the majority sale of his business, but he continued to live a lavish lifestyle. When a collection agency started calling his office and he was desperate for cash, he began to use his business credit card and his assistant's to cover even more personal expenses. Boyd also would submit duplicate reimbursement requests through an expense report, despite the fact that they were already on his corporate credit card. In an attempt to conceal his fraud, Boyd damaged his receipts to remove the credit card number listed on the bottom. In just two years, he charged more than US$700,000 of personal expenses on CRL's credit cards. </p><p>Thanks to the internal audit team, Ace realized that it had a major problem with Boyd and CRL. Ace sent one of its executives to CRL's headquarters to get things in order. When the forensic accounting team was done evaluating the records, it appeared that Boyd embezzled more than US$2.2 million from CRL. He was terminated from the company but no charges were filed.</p><h2>Lessons Learned</h2><ul><li>When designing the internal audit plan, it is important to ensure that riskier business units receive adequate attention. In CRL's case, there were many red flags that should have drawn the internal audit team's attention sooner, including its geographic distance from Ace, the recent acquisition, and the fact that many key processes remained in the hands of CRL and its former management. </li><li>When performing their work, internal auditors should consider interviewing employees and asking questions about their company's anonymous reporting hotline. Do employees know about the hotline and do they feel comfortable using it? Many employees at CRL knew about Boyd's fraud, but were unwilling to tell Ace until Boyd was terminated. </li><li>Internal audit should consider performing random checks between personnel files and payroll records. All employees receiving a paycheck should have a personnel file. It is also important to perform periodic audits to ensure that all employees are receiving the appropriate rates of pay. Internal audit should determine if policies exist that govern who is allowed to adjust compensation and if those policies are being followed. </li><li>Consider distributing paper paychecks (rather than direct deposit) randomly. This practice would have helped Ace identify ghost employees such as the girlfriend, pilot, housekeepers, and groundskeepers. </li><li>Internal audit should determine if employees with corporate credit cards are also permitted to submit expense reports. If so, it may be beneficial to test some credit card purchases to determine if they are also inappropriately included on expense reports.</li><li>Internal audit should review the acceptable use policy for all corporate-issued credit cards. This policy should clearly state the consequences for misuse of the card. Internal audit also should consider who was involved in designing this agreement — was legal counsel involved to ensure it is enforceable? If no such policy exists, internal audit should consider making a recommendation to management about its adoption and design. </li><li>When reviewing existing processes and procedures, internal audit should determine if the accounts payable staff has had adequate training to spot questionable invoices. Internal audit should also evaluate the processes for resolving unusual items.</li></ul>Jenell West1
Ecclesiastical Crime Crime<p>​U.S. federal prosecutors have charged the rector of the Villa St. Joseph nursing home for priests with embezzling more than $500,000 from the Philadelphia Archdiocese facility over a nine-year period, the <a href="" target="_blank" style="background-color:#ffffff;"><em>Philadelphia Inquirer</em> reports</a>. Prosecutors say the facility's bank discovered the theft last year when it flagged suspicious transactions at Harrah's Casino in Chester, Pa., from the private account that supports the nursing home. An investigation found that Monsignor William Dombrow had sole access to the private account and had used it for casinos, dinners, and tickets to Philadelphia Pops concerts. The account is funded from bequests from parishioners and life insurance payouts of priests who had resided at Villa St. Joseph. Dombrow remains rector at Villa St. Joseph, but the archdiocese says his administrative duties and handling of finances have been restricted since the theft was discovered.​</p><h2>Lessons Learned</h2><p>I've written about this kind of fraud before, both a specific case involving a Canadian priest, and more generally about the many ways nonprofit and charitable organizations could better protect themselves against fraud perpetrated by employees and volunteers. Not much has changed since the last time I wrote about "ecclesiastical crime" in 2013. This kind of crime amounted to more than $39 billion worldwide in 2014, more than the $35 billion spent on mission work to promote Christianity, according to the Center for the Study of Global Christianity. The center forecasts the amounts involved will balloon to $60 billion by 2025. </p><p>Culture change toward greater transparency — much of the fraud committed in church settings apparently goes unreported — and decisive action to redress weak or nonexistent financial controls are two fundamental improvements that need to be made. Here are nine more steps churches and other nonprofit organizations can take to help prevent and detect fraud from within. These steps are all about establishing and maintaining basic accounting, payroll, and finance functions, including oversight, monitoring, and auditing.​</p><ul><li><strong>Establish financial policy and procedures.</strong> Church organizations, particularly at the local level, should think about how the organization would like to control the handling of, and access to, church funds. These policies need not be elaborate, and can be adapted from available sources and resources. Basic policies covering matters such as cash handling, bank accounts, credit cards, security of money and financial records, two-person accountability, oversight and monitoring processes, and rotation of employees and volunteer roles should be starting points.<br></li></ul><p></p><p> </p><ul><li><strong>Put appropriate supervision and oversight in place.</strong> Church leaders are responsible for managing operations and practices. Whether that oversight is of employees or volunteers, it is critical to have good supervision of those who deal with church funds. The natural leadership tendency is to empower people with the freedom to work independently, but there always should be some form of accountability or check and balance to that freedom. A finance committee also should be established with authority to review documents and transactions, as well as ask questions of all employees and volunteers. That committee should meet regularly and review financials, including bank statements. If it is difficult to get a financial summary from a person who handles money, it is likely a red flag.<br></li></ul><p></p><p> </p><ul><li><strong>Train employees and volunteers who help with handling financial matters at least annually on the policies and procedures that relate to church funds. </strong>This training should cover the measures that the church takes to safeguard its financial resources. This step could make would-be perpetrators think twice because they will see that the organization is actively protecting its resources.<br></li></ul><p></p><p> </p><ul><li><strong>Control access to bank accounts, credit cards, and bank statements. </strong>Never allow an individual who has direct access to bank accounts, such as access to blank check stock, check-signing authorization, and reconciling the bank statement, to create a new account without authorization from above. This is one of the easiest ways for fraud to go undiscovered. All bank account statements at least should be copied to a financial official or a trusted individual such as a senior or administrative pastor, or better yet, a board member. This person should not have any access to the organization's bank accounts.<br></li></ul><p></p><p> </p><ul><li><strong>Establish authorization limits and require dual approvals on transactions for larger dollar amounts.</strong> For example, require that any purchase or transaction over $500 be signed by two people. Ideally, the two authorized signors of large checks should be the individual in charge of finance and accounting and a board member. Furthermore, the board member chosen to co-sign large checks should not be the same board member selected to review bank statements. The two people should not be related and should not have personal financial issues. Create a sign-off sheet that is submitted regularly to the same individual entrusted to receive the bank statements.<br></li></ul><p></p><p> </p><ul><li><strong>Conduct reviews and a</strong><strong>udits</strong><strong> where possible.</strong> Most frauds go on for 18 months or longer before they are detected. Although church audits are expensive, it is important that the church conduct thorough audits by an independent auditor regularly. Internal auditors also can help in less formal ways, as part of their participation in their church community, by volunteering their services to help ensure it runs smoothly and free of fraud. <br></li></ul><p></p><p> </p><ul><li><strong>Rotat</strong><strong>e employees and volunteers in their roles.</strong> According to U.S. insurance industry statistics, the average tenure of a church thief is eight years. Volunteers and employees who approve transactions and handle money should be rotated regularly. No one should stay in the role indefinitely, and the use of multiple, unrelated people will make it more difficult to steal.<br></li></ul><p></p><p> </p><ul><li><strong>Conduct periodic background and credit checks. </strong>In today's society, it is sensible to perform a background check periodically on all church employees and volunteers. Such checks should not be limited to just when individuals are first hired, because circumstances can and will change. In addition, people who have access to church funds should be subjected to a credit check. While this practice may seem invasive, it can provide information that can ultimately protect the church. Moreover, church officials should watch for warning signs of employee fraud, such as employees with access to money who are living beyond their means, have personal financial issues, or don't take vacations and guard against someone else doing their job.<br></li></ul><p></p><p> </p><ul><li><strong>​​Encourage people to report suspected behavior. </strong>As much as 40 percent of frauds are caught through a tip, according to the Association of Certified Fraud Examiners.​<br><br></li></ul>Art Stewart0
Powered Down by Fraud Down by Fraud<p>​Rural electric co-operative Naknek Electric Association (NEA) has filed suit against its former general manager, accusing her of using the company credit card for personal expenses ov​er more than 10 years, <a href="" target="_blank" style="background-color:#ffffff;">Alaska Public Radio reports</a>. The lawsuit alleges that as the only employee with oversight of the company's spending, Donna Vukich embezzled $970,359 between 2004 and 2016 by burying her spending under codes in various NEA business accounts. After being confronted by NEA's board last year, Vukich paid back $398,000, but negotiations to recover the remaining amount have fallen through, prompting NEA's lawsuit. NEA has spent $60,000 in auditing and attorney fees. The NEA board said it has put safeguards in place to guarantee spending accountability in the future. Vukich retired from her position in March 2016.</p><h2>Lessons Learned</h2><p>This story is the classic case of a trusted employee gone bad who exploits fundamental gaps and weaknesses of a small organization to steal for personal gain. NEA says new policies and controls are in place to better prevent this theft from occurring again. But what are those measures? They might not be a comprehensive solution to prevent and deter this kind of fraud. Here are three areas to act on:</p><ul><li><strong>Establish a strong governance and accountability regime that is "fraud smart."</strong> Even small organizations should be expected to have board directors who are equipped and required to identify and act upon early signs of fraudulent behavior. That includes integrating fraud competencies into the hiring framework for directors and director fraud prevention training. Another director competency is appropriate knowledge of accountability mechanisms and organizational roles and responsibilities — including segregation of duties requirements — financial controls, accounting systems, and the role of audit/fraud risk assessment. Directors also must be able to engage in independent, critical thinking, and actively challenge management with penetrating questions, when necessary. There also should be performance expectations set for directors that include consequences for failures to identify and address preventable fraud events, such as performance assessments, remuneration, and even director dismissal.<br><br></li><li><strong>Ensure basic gaps in financial controls, policies, and accounting processes are fixed.</strong> To start, it is fundamental to close the gap where there was no segregation of duties over purchasing. In this case, one person was authorized to approve an expense, rather than having a different person be responsible for overseeing that expense. Even the smallest organizations can set up such a system — and NEA was not that small. Additionally, expenditures must be monitored, reviewed, and periodically audited to ensure they are appropriate. This would include a requirement that original invoices be provided. Even online and telephone purchases can be required to be supported by documentation. Moreover, the money allegedly stolen in this case each year was material enough that scrutiny of budget versus actual expenditures would have revealed discrepancies. Regular audits of financial controls, policies, and systems also are essential in detecting signs of fraudulent activity. These three measures alone may have disclosed the fraudster's activities at an early stage.<br><br></li><li><strong>Adopt human resource management policies that balance trust with safeguarding organizational interests.</strong> Hiring, performance management, ethics, conflict of interest, training, compensation, and termination policies and systems all need to be aligned to be "fraud aware." It's nice to think that all long-term employees doing the same job can always be trusted, but for critical jobs where material assets are under their control, there should be safeguards in place such as job rotation policies and regular background checks to determine whether there have been lifestyle changes that were potentially driven by employee theft. Where fraudulent activity is suspected or discovered, it's possible that circumstances might warrant a negotiated settlement, such as in this case, but generally it's better to act decisively to discipline, terminate, and prosecute the employees found responsible. This sends a better message of deterrence and zero fraud tolerance both to employees and to clients and stakeholders.<br></li></ul><div><br></div>Art Stewart0
Internal Audit and Fraud Risk Audit and Fraud Risk<p>​Are internal au​ditors obsessed with fraud?</p><p>Are they terrified that a fraud might be uncovered and that management and the board would ask "where was internal audit?"</p><p>There is some merit to each of these. But does it mean that every audit department should have fraud risk toward the top of its risk-ranked audit plan?</p><p>Okay, the Association of Certified Fraud Examiners' annual surveys put the risk of fraud at around 5 percent of revenue every year. But that statistic should be viewed with caution. For example, it includes the risk that employees will use corporate assets like laptops for their personal use. Few individual frauds amount to more than $100,000 so to get to 5 percent of revenue you have to assume that many, if not most or even all, possible frauds occur. Is that likely?</p><p>In fact, few organizations are brought down or even materially impacted by fraud.</p><p>Let's consider some sources of risk that may be found at many, if not most, organizations:</p><ul><li>The effectiveness of risk management.</li><li>The quality of information used in decision-making.</li><li>Strategy-setting.</li><li>The decision to acquire or divest a business.</li><li>The ability to develop and introduce successfully new products and services.</li><li>The ability to identify the value of and then deploy new technology.</li><li>Cybersecurity.</li><li>Customer satisfaction and product/service quality.</li><li>Marketing.</li><li>Hiring, retention, and development of people.</li><li>The effectiveness of the management team.</li><li>The effectiveness of the board.</li><li>The ability of IT to meet the needs of the business.</li><li>The completion of major projects on time and within budget.</li><li>Efficient procurement.</li><li>Management of the sales pipeline.</li><li>Sales contracting.</li><li>Revenue recognition.</li><li>Tax.</li></ul><p> <br> </p><p>Now where would fraud risk rank among these <span style="font-size:12pt;line-height:115%;font-family:"times new roman", serif;">—</span>​ and I am sure your organization would have other high-risk areas?</p><p>Have a look at the following from The IIA:</p><ul><li> <a href="" target="_blank">The Definition of Internal Auditing</a>.</li><li> <a href="" target="_blank">The Mission of Internal Audit</a>.</li><li> <a href="" target="_blank">The Core Principles for the Professional Practices of Internal Auditing</a>.</li></ul><p> <br> </p><p>Can you find the word​ "fraud" in any of the above?</p><p>Internal audit cannot ignore fraud, but it should not be obsessed with it either. We should understand the level of risk, give it an appropriate level of attention, and then explain that to the board and top management. After all, it is, or should be, management's responsibility to prevent and detect fraud. We can help by providing assurance that they are managing the risk of fraud, but it is theirs to manage, not ours.</p><p>If the audit committee insists that we have a larger role, then fine. But they should understand that this would mean diverting our scarce resources away from higher risk areas.</p><p>I agree that internal audit should align its work with the interests and desires of the board. But those interests and desires should be educated ones. One of the duties of the chief audit executive is to help the board understand the role and capabilities of internal auditing.</p><p>Our work should be driven by risks to the enterprise as a whole, what I refer to in my book, <a href="" target="_blank"> <em>Auditing That Matters</em></a>, as enterprise risk-based auditing.</p><p>Do you agree or disagree?</p><p>I welcome your comments.​</p><p> <br> </p><p>If you want to be notified of comments so you can join the conversation on this post, please subscribe using the link below.</p><p> <br> </p>Norman Marks0
The Corporate Impostor Corporate Impostor<p>​A Lithuanian man has been arrested on charges of impersonating a Taiwan-based electronics manufacturer to carry out a $100 million fraud scheme, <a href="" target="_blank" style="background-color:#ffffff;"> <em>Fortune</em> reports</a>. According to U.S. federal prosecutors, Evaldas Rimasauskas impersonated Quanta Computer to trick two U.S. tech companies into wiring money to accounts he controlled, under the company's name, in Cyprus and Latvia. He allegedly sent the U.S. companies forged invoices, contracts, and letters signed by executives from their companies. Quanta Computer acknowledged that its name had been used in the crimes, but says it did not suffer financial harm. U.S. federal prosecutors say much of the money has been recovered, and Rimasauskas is in jail in Lithuania awaiting extradition to the U.S. for trial.</p><h2>Lessons Learned</h2><p>Spoofing — impersonating an email sender's identity — is forgery. It is now a common way to perpetuate fraud, and such attacks are becoming increasingly sophisticated and credible-looking. Spoofing involves four main strategies: impersonation (as in this story), infecting computers by hackers, phishing, and spamming. In cases of impersonation, typically the headers of these emails show that the message was sent from an account owner's email server or another trusted source, rather than the email server of the spoofer. Simple Mail Transfer Protocol (SMTP) is the most frequently used method to send outgoing email. But SMTP does not require authentication of the sender. While there is no foolproof method, here are some suggestions for better preventing and combating this kind of fraud:</p><ul><li><p> <strong>One</strong><strong> of the most ​​effective ways to prevent spoofers from forging email addresses is to use combinations of various encryption and authentication measures to strengthen email security. </strong>It's surprising that more organizations don't use strategies such as encryption software, digital signatures, two-step verification and message origin authentications, proof of submission and delivery, and secure access management. Encryption verifies that the email hasn't been altered or tampered with in transit. It also verifies that the sender of the email can be identified in the message. The most commonly used approaches include use of Secure Sockets Layer (SSL), which uses a private key to encrypt data being transmitted over a SSL connection; Secure HTTP, a complementary approach to SSL that is designed to transmit individual messages securely; and Secure Multipurpose Internet Mail Extensions, which supports public key encryption-based secure email. These approaches ensure a secure connection that can send and receive any amount of data, once established. Organizations should demand that those they deal with use the same kinds of measures as a way to ensure mutual protection. Small and mid-sized organizations can also purchase affordable email encryption software.</p></li><li><p> <strong>Equally important, educate, equip, and empower employees.</strong> Conduct training sessions with mock spoofing scenarios. Establish policies and procedures that require employees to act to prevent spoofing. In today's technology-driven world, organizations should make sure employees are technically equipped. Make sure employees understand the types of attacks they may face, the risks, and how to address them. The organization should share intelligence and knowledge about the spoofers, who are increasingly informed about the organizations, roles, employees, and key data they seek to defraud. Informed employees and appropriately secured systems are key when protecting the organization from attacks. Recipients must consider context, content, and sender, particularly if monetary transactions are involved. Concerted coaching to teach employees to be vigilant by not clicking suspicious links or downloading attachments is critical. To verify authenticity, employees should cross-check by sending a separate follow-up email, texting the alleged sender, or calling to validate that the email is from the correct source. That might mean that corporate culture needs to change to reflect a degree of empowerment of employees to resist authoritative sounding orders, if they are bogus.​</p></li></ul><p>There are additional steps an organization can take to protect itself against these kinds of fraud:</p><ul><li>Encrypt all sensitive company information and ensure all employees and contractors are required to use encryption routines for that kind of sensitive information.</li><li>Develop an in-house capacity or acquire advice to keep a pulse on the most current phishing strategies. Confirm that the organization's security policies and solutions can eliminate threats as they evolve.</li><li>Consider using newer technological approaches. One example is to use a heuristics product to determine whether an email is fraudulent. However, the success rate of these solutions can be mixed, particularly where more cleverly designed emails are involved.</li><li>Consider investing in cybersecurity liability insurance. However, the return on investment for this type of insurance should be weighed against the business model, the data stored, and the potential damages that could be incurred in the event of a data breach.​</li></ul><p><br></p>Art Stewart0
Culture May Be the Wrong Question May Be the Wrong Question<p>​As a member of the boards of several professional publications, I get to review and comment on a number of articles.​</p><p>One that recently crossed my desk was about the need to recognize that the root cause of pretty much every business failure and incident in at least recent times was a defect in that organization's culture. It advised that internal auditors can help an organization identify such defects and take remedial action.</p><p>That sounds good. But is it on or off the mark?</p><p>I agree that poisonous cultures (and I've experienced a few) can have a negative influence on individual and group behavior. But, in my opinion, it still comes down to people: their behavior, actions, and decisions.</p><p>Consider the culture across much of Europe during World War II. It is fair to say that the Nazis and their leaders created an environment in which it was easy to participate in acts of genocide. But many stood up to those pressures and acted bravely in accordance with their morals and ethics. Arguably, if more people had stood up for what was right, many awful acts might have been prevented.</p><p>Defects in culture can increase the likelihood of poor behavior, but it still comes down to people. Even when the culture seems ideal (strong ethical leadership, a shared commitment to organizational and societal values, and so on), some people will always act inappropriately.</p><p>But what is an ideal culture anyway? Is it about one or more of these?</p><ul><li>Ethical and moral behavior, including but not limited to compliance with applicable laws and regulations.</li><li>Managers and staff taking the desired level of risk.</li><li>A shared commitment to achieving the goals of the organization, putting them ahead of personal goals.</li><li>Collaboration and sharing of information.</li><li>Teamwork.</li><li>Innovation and agility.</li><li>A willingness to work long and hard when needed.</li><li>Treating all others with respect, honoring differences, and so on.</li><li>Openness and transparency.</li><li>A commitment to safety.</li><li>The ability to report undesired behavior without retribution.</li></ul><p><br></p><p>Culture is not, in my opinion, something simple. It has multiple dimensions.</p><p>In addition, no organization (unless it's a business with a single employee) has a single culture. There are differences between teams, locations, and so on — and the differences change over time.</p><p>Should we worry about culture?</p><p>Sure. But perhaps it is better to worry about behavior.</p><p>First, define the behaviors you want your organization and its people to demonstrate every day.</p><p>Now, what are the risks to achieving the objective you just defined?</p><p>What actions (i.e., controls) are you taking to provide reasonable assurance of appropriate behavior?</p><p>Is there reasonable assurance, or are the risks to behavior outside desired levels?</p><p>How are you monitoring both the level of risk and the incidence of undesired behavior? The latter is not easy, as many behaviors (such as lack of teamwork) don't show up in HR reports, loss investigations, and so on. In fact, defects in culture tend to make surveys useless as people won't be honest.</p><p>If you focus too much on one dimension of culture, such as compliance or ethics, you may drive the culture away from what is needed to deliver on another dimension, such as performance and agility.</p><p>Yes, defects in culture (if we can find them all and — very important — acknowledge their existence) are important to fix. But that is not enough.</p><p>We need to worry about behavior and what needs to be done to provide reasonable assurance that people, both individuals and groups, will behave the way we need them to behave.</p><p>Why don't you start by taking my list, upgrading it to fit your organization, then assessing each attribute for your team, your department, your location, and the organization as a whole?</p><p>Don't use a survey. If you know your company, you can answer these questions about its culture. </p><p>I think you will immediately find areas of weakness.</p><p>But how do you go about discussing them with senior management and obtaining agreement on the facts, the assessment, and the actions needed? You may feel the need for additional steps, such as surveys, to support your assessment — but very often you will find management in agreement. The issue then becomes what these defects mean, the risks they represent to the operation and success of the organization.</p><p>How do you approach senior management with insights about teamwork, the way people are treated, and whether the organization's goals are put ahead of individual or group goals?</p><p>That will not be easy. </p><p>I would love to hear your stories and I welcome your comments.</p><p> </p>Norman Marks0
In the Wrong the Wrong<p>​Morgan Stanley has admitted to selling clients a risky product without disclosing that it was likely to lose money and has agreed to pay the U.S. Securities and Exchange Commission (SEC) US$8 ​million to settle the case, <a href="" target="_blank"> <em>Fortune</em> magazine reports</a>. According to the SEC, Morgan Stanley's wealth management division marketed single inverse exchange traded funds (ETFs) in retirement and other accounts to several hundred clients between 2010 and 2015. This type of fund is typically used as a hedge against fallin​g prices because it profits when its benchmark price decreases. As such, it is not used as a long-term investment, as the firm acknowledged it had marketed the product. This is a rare case in which an investment firm has admitted to wrongdoing in an SEC enforcement case, <em>Fortune</em> notes.</p><h2>Lessons Learned</h2><p>At least part of the root source of this story can be traced back to the 2008 world financial crisis. ETFs have been available as investment instruments in the U.S. since the early 1990s (earlier in Canada), and have become increasingly attractive to investors. As of December 2014, more than US$2 trillion was invested in various forms of ETFs in the U.S. alone. Inverse ETFs rapidly became more popular as a strategy to cope with high market volatility. And, even though many inverse ETFs carry expense ratios of 1 percent or more or use daily futures contracts to produce their returns — in which f​requent trading often increases fund expenses — they appeal to investors as easier and less costly than short selling stocks, which require a margin account and stock loan fees paid to a broker for borrowing the shares necessary to sell short. These inverse ETFs are nonetheless likely to be as risky as short-selling, particularly where an investor can be misled into holding on to them for too long, as Morgan Stanley admits to doing. In 2008, the SEC changed the rules for creating inverse ETFs, expanding the definition from an index basis only to include actively managed groups of funds. The latter category can increase risks significantly, both as a result of the discretion given to fund managers and because their investment strategy may become discernible to others.</p><p>Both the SEC and the investment industry would be well-advised to review their rules and procedures governing the use of high-risk, short-term investment instruments such as inverse ETFs (and leveraged ETFs). Automatic cut-offs of inverse ETF agreements after a maximum of 30 days — or a similar short, specified time limit — could help. Greater requirements and monitoring on the part of investment companies to actively disclose the strengths, weaknesses, and risks of such investment vehicles is another mitigating strategy against fraud. At a minimum, that disclosure should include:</p><ul><li>A leveraged and inverse ETF advertised as having three times the gain could also have three times the loss.<br></li><li>Pricing is adjusted every day at close of market so that price swings can be excessive.<br></li><li>The high risk of holding leveraged and inverse ETFs for longer periods of time make them unsuitable for long-term investors.<br>​</li></ul><p>Of course, investors themselves should be better educated about these risks. In general, ETFs can convey a false sense of stability in profit-making, given their structure being based on an underlying group of stocks or other investment forms. The U.S. Financial Industry Regulatory Authority's (FINRA's) view is that inverse and leveraged ETFs are unsuitable for retail customers. FINRA also has stated that the added complexity of leveraged and inverse exchange-traded products makes it essential that brokerage firms have an adequate understanding of the products and sufficiently train their sales forces before the products are offered to retail customers. An educated investor should ask his or her advisor or broker about this. Also, if an advisor or broker recommended the purchase of leveraged and inverse ETFs without fully conveying their risks and the investor lost money, the investor may want to discuss his or her legal rights to a recovery with a law firm.</p><p>Finally, internal audit units within the investment industry should include these kinds of higher risk investment vehicles as part of their fraud risk assessments and audit plans. Moreover, they should ensure that the results of their ensuing audit work, including recommendations, are heard by senior management.​</p><p> <br> </p>Art Stewart0
Medicare Fraud Gets Messier Fraud Gets Messier<p></p><p>The U.S. Justice Department has filed new charges in what prosecutors are calling the biggest Medicare fraud case in U.S. history, the <a href=""><em>Miami Herald</em> reports</a>. Prosecutors say health-care executive Philip Esfor​mes' network of skilled-nursing and assisted-living facilities, and co-conspirators billed Medicare US$1 billion for services that were either unnecessary or not provided to about 14,000 patients between 2009 and 2016. According to the indictment, physicians and other medical professionals at Larkin Community Hospital referred many of the Medicare patients to Esformes' facilities in exchange for kickback payments. Later, the facilities would send the patients back to the hospital. The latest charges allege Esformes gave an associate US$5,000 to bribe an employee of Florida's Agency for Health Care Administration to find out what evidence the regulator had on Esformes' health-care network. That associate, Gabriel Delgado, secretly videotaped the exchange to receive a lesser sentence from federal prosecutors. The details of this case are similar to a 2006 civil dispute over kickback allegations that Esformes, his father, Delgado, and Delgado's brother settled for US$15.4 million. If convicted, the Justice Department could seize most of Esformes' assets and send him to prison for the rest of his life. </p><h2>Lessons Learned</h2><p>In 2015, U.S. health-care spending was about US$3.2 trillion, with more than 4 billion insurance claims processed. The National Health Care Anti-Fraud Association estimates that the financial losses from health care fraud are in the tens of billions of dollars each year. Whether it impacts employers, governments, or individuals, this level of fraud inevitably translates into higher premiums, expenses, costs of providing benefits, and reduced benefits or coverage. It may even make the difference between whether or not some Americans can afford health insurance. </p><p>There are two particularly troubling aspects of this story. First is the length of time it took officials to catch the alleged perpetrators, along with the lack or ineffectiveness of scrutiny of a vast number of false or overbilled claims for medical services. Second is the use of bribery techniques to circumvent inspections and investigations of com​plaints that might have helped detect this fraud earlier. </p><p><strong>Weaknesses in the internal controls over the approval of health-care billing and claims must continuously be monitored and addressed. </strong>Recent audits conducted by the U.S. Government Accountability Office (GAO) reveal that the nation's Patient Protection and Affordable Care Act marketplaces remain "vulnerable to fraud." The audits, which looked at the 2015 and 2016 coverage years, echo previous findings about the potential for fraud, and the failure to detect it, within organizations that are part of health-care delivery systems and government-run exchanges that sell individual health plans. The investigations looked at how well the U.S. Department of Health and Human Services (HHS) did at verifying whether claims filed were eligible for reimbursement. They also looked at whether people with dubious documentation could actually enroll in coverage, particularly for coverage that was subsidized by the federal government for applicants with low or moderate incomes. For both sets of testing, the GAO submitted fictitious or incomplete documentation as part of the application and enrollment processes. As one example of an area for improvement, the GAO found that HHS inspections focused on supporting documentation that had obviously been altered. If the documentation submitted did not show such signs, inspectors were not likely to question its authenticity.</p><p><strong>Strong internal controls are essential to prevent bribery of government officials.</strong> A fraud risk assessment is one good way to assess the degree and focus of measures to counter this kind of corruption. The GAO has noted that bribery, along with infiltration by organized crime elements, is prevalent in South Florida. Key internal controls over this area include:</p><ul><li><strong>Policies. </strong>Organizations must have in place clear, robust, and readily understood conflict-of-interest and code-of-conduct policies that include a practical level of prohibition of the kinds of behaviors that must be avoided by employees, backed by senior leadership endorsement and reinforcement.<br><br> </li><li><strong>Practices and procedures</strong><strong>.</strong> Each policy should have a corresponding practice and documentation procedure. This could include a requirement that no one employee may have sole contact with a medical services biller that has a history of claims exceeding a particular value. Regulators also could implement electronic security measures that monitor communications between staff members performing approval and regulatory functions over billers.<br><br><strong> </strong></li><li><strong>Enforcement. </strong>While most organizations with conflict/code-of-conduct policies may also have enforcement provisions for noncompliance, exceptions made to enforcement actions can occur frequently — for valid reasons in some cases. However, such exceptions can signal to potential noncompliant billers that the chances of being prosecuted may be low. In addition, an active and robust internal audit function is an essential tool.<br><br> </li><li><strong>Whistleblowing.</strong> Where supported by senior management and established in collaboration with regulators and law enforcement officials, whistleblower programs can be one of the most effective measures in deterring and detecting bribery schemes.<br><br> </li></ul><p>It should be noted that the HHS has acknowledged it has room to improve and intends to take action, as indicated by this statement: "As recommended by the GAO, we are applying their marketplace fraud risk assessment to areas of eligibility and enrollment to identify and prioritize key areas for potential risk in the marketplace." The statement goes on to say, "We are also working closely with issuers through the Healthcare Fraud Prevention Partnership to identify trends, schemes, and specific bad actors."</p>Art Stewart0
The Out of Control Contractor Out of Control Contractor<p>Government technology provider NCI Inc. has fired its controller, who allegedly embezzled approximately US$18 million over the last six years, <a href="" target="_blank"> <em>Washington Technology</em> reports</a>. In a press release, the company said the stolen amounts were reflected as expenses in its unaudited financial statements for the first three quarters of 2016. NCI has launched an internal investigation to determine whether there were misstatements related to the embezzled funds in its financial statements during the period from 2013 to 2015. In addition, investigators are evaluating whether material weaknesses in the company's financial controls over financial reporting were exploited to carry out the embezzlement. </p><h2>Lessons Learned</h2><p>At one point in this story, the report says, "The company is also reviewing its internal controls over financial reporting. The company believes that material weaknesses existed in its internal controls during the periods that the embezzlement was occurring." This may turn out to be an understatement, given NCI's involvement with contracting with the U.S. federal government and the requirements imposed on companies, which are not commonly found in the commercial market. And, there may be just as large a problem with gaps in oversight, both within NCI and by government regulators.</p><ul><li> <strong>Internal Controls. </strong>While NCI's statement focuses on internal controls over financial reporting, the company needs to take a much broader look at its internal controls. One example is those relating to accounting procedures. U.S. federal government contractors must adhere to an additional layer of regulations and accounting procedures. The federal procurement process is governed by the Federal Acquisition Regulation, and the classification and allocation of contractor expenses are governed by the Cost Accounting Standards. In addition, several labor laws may apply. Failure to comply with these rules could lead to debarment.<br><br>There are three general types of government contracts: cost-reimbursable, time-and-materials, and fixed-price. Large companies are likely to be involved with all three types. While there are no unique accounting requirements imposed on contractors who sell commercial products or services to the government on a firm fixed-price basis, almost all other contractors must have an accounting system that the government deems acceptable. This includes contractors that are required to submit supporting cost data with their cost/price proposals as well as any contractor who is awarded a time-and-materials, cost-plus-fee, or fixed-price-incentive contract. Other than pure-play commercial product companies, most government contractors will sooner or later be required to have an acceptable accounting system, with the following attributes, supported by written documentation:​​</li><ol><li>Compliance with generally accepted accounting principles. </li><li>Appropriate segregation of direct costs from indirect costs. </li><li>Identification and accumulation of direct costs by contract. </li><li>A logical and consistent method for allocating indirect costs to intermediate and final cost objectives. </li><li>Accumulation of costs under general ledger control. </li><li>A timekeeping system that identifies employees' labor by intermediate or final cost objectives. </li><li>Interim (at least monthly) determination of costs charged to a contract through routine posting to books of account. </li><li>Exclusion of "unallowable" costs. </li></ol>​There are two points of note here. First, most commercial companies do not routinely perform these functions as part of their financial accounting. More significantly, many commercial companies — especially smaller ones — do not have the staff, knowledge, skills, and software necessary to perform these functions. Secondly, while it is not known how NCI's ex-controller perpetrated fraud over a multi-year period, its financial accounting systems may have been compromised. If it was, the company would need to review each contract of significance to determine whether there are errors and, where overbilling is found, potentially refund already billed amounts. ​​</ul>​​​ <ul><li> <strong>Oversight. </strong>It is surprising that this story deals with the question of material misstatements within NCI's unaudited financial statements. Many companies that contract with the government are required to have their financial statements audited annually, and one would think that should have included NCI. Unaudited financial statements differ significantly from audited ones. Some procedures that external auditors are required to perform may have helped NCI, its board of directors, and its senior management detect its controller's alleged fraudulent activities at an earlier stage. Among the most pertinent review procedures are:</li><ul><li>Procedures for recording and accumulating financial information.</li><li>Actions taken at owners' or directors' meetings.</li><li>Written representations from management regarding the accuracy of all information given to the auditor and for inclusion in financial statements.  </li><li>Management's responsibility for internal control.</li><li>Management's responsibility — and knowledge — to prevent and detect fraud.</li></ul> ​​There is also the question of the strength of oversight by government regulators. U.S. government contractors that work on defense-related contracts are audited by the Defense Contract Audit Agency (DCAA). The DCAA audits internal contractor systems — including accounting systems — for acceptability. The agency also audits the actual cost data produced by the accounting system. Surveys published by Grant Thornton indicate that the cost most frequently challenged by the DCAA is executive compensation, including the compensation of company controllers. Other costs the DCAA commonly challenges include consulting fees and indirect cost allocations. However, reports issued by the Government Accountability Office (GAO) have criticized the DCAA for being more committed to its "hours per audit" metrics than to audit quality, and say that it has become too "friendly" with contractors and government program managers. In response to the GAO reports, the DCAA has committed to being a thorough, independent guardian of taxpayer money. <br> <br>In NCI's case, it may be advisable for the federal government to put any future contract awards on hold until such time that the company can demonstrate that it has completed a thorough assessment and action plan to address serious weaknesses in its internal control.<br></ul>​Art Stewart0

  • PwC_May2017_Prem1
  • SCCE May2017_Prem 2
  • IIA CIA LS_Prem 2



Six Steps to an Effective Continuous Audit Process Steps to an Effective Continuous Audit Process2008-02-01T05:00:00Z2008-02-01T05:00:00Z
Understanding the Risk Management Process the Risk Management Process2007-05-01T04:00:00Z2007-05-01T04:00:00Z
Five Classic Myths About Internal Auditing Classic Myths About Internal Auditing2012-06-20T04:00:00Z2012-06-20T04:00:00Z
Lessons From Toshiba: When Corporate Scandals Implicate Internal Audit From Toshiba: When Corporate Scandals Implicate Internal Audit2015-07-27T04:00:00Z2015-07-27T04:00:00Z