Programmed for Fraud<p>The U.S. Federal Bureau of Investigation (FBI) alleges that an acclaimed robotics professor defrauded Michigan State University and the Institute of Electrical and Electronics Engineers of more than $400,000, <a href="" target="_blank"></a> reports. According to the criminal complaint, Ning Xi submitted false claims for travel and other expenses to the two organizations over a five-year period. The FBI alleges that Xi altered and fabricated receipts and used the money to pay off credit card debt. Investigators first started looking into Xi to determine whether he had fraudulently obtained National Science Foundation research grants by not disclosing foreign funding and affiliations. Xi had previously been in a dispute with Michigan State when he took a position with a Hong Kong university while he was on a sabbatical. He resigned from Michigan State in 2015 after the university learned he had accepted a second position with the University of Hong Kong.</p><h2>Lessons Learned</h2><p>Previous articles about expense reimbursement fraud have outlined red flags and what can be done about them (see <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=68ab66bc-fb2d-4543-b5d0-6453a087a684">"The Perils of Grant Fraud"</a> and <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=13404480-235f-4daa-9846-f819ac9aa6fe">"Traveling First Class"</a>). Management often overlooks this kind of fraud because it considers its employees to be trustworthy and the relatively small loss involved may not be worth the time and effort to track, detect, or deter. 
In reality, according to the Association of Certified Fraud Examiners' <a href="" target="_blank">2016 Report to the Nations on Occupational Fraud and Abuse</a> (PDF), expense reimbursement schemes account for nearly 14 percent of occupational frauds and result in a median loss of $30,000 per year. The report analyzed 2,410 occupational fraud cases from 114 countries.</p><p>This fraud story is even more complex, involving an alleged attempt to hide a serious conflict of interest with Chinese affiliations, research, and funding in U.S. federal grant applications. It also includes allegations that Xi exploited past connections and relationships to collude for a financial advantage. </p><p>Keeping the organization safe from thieving employees and their multifaceted fraud activities demands strong controls, tough actions against perpetrators, and management leading by example. This is particularly important for multinational corporations with employees throughout the world or institutions such as Michigan State with international ties and staff members who move among other institutions. Xi allegedly perpetrated three main fraud schemes: reimbursement fraud, conflict of interest, and collusion. Here is what internal auditors can do to help detect and prevent them:</p><p> <strong>Forensic accounting experts can help companies implement preventive measures against fictitious expenses, multiple reimbursements, and mischaracterized expenses</strong><strong>.</strong> Written expense reimbursement policies and procedures should require detailed expense reports that set forth amounts, times, places, people in attendance, and specific business purposes. The organization also should ask employees to use company credit cards; submit original, detailed receipts (no photocopies); and provide boarding passes for air travel. 
Periodic audits of travel and entertainment expense accounts also can be a powerful deterrent.</p><p> <strong>Forensic accountants also can help detect employee reimbursement fraud through a variety of audit and review techniques.</strong> These techniques include examining reimbursement documentation for photocopies, duplicates, or fakes; comparing employees' expense reports and supporting documentation to check for multiple claims for the same expenses; and comparing the times and dates of claimed expenses to work schedules and calendars to look for inconsistencies. An example of the latter would be looking for expenses claimed that were actually incurred during vacations. </p><p>Other related red flags that may signal fraudulent activity or warrant further investigation include:</p><ul><li>Claims for disproportionately larger reimbursements than other employees in comparable positions.</li><li>Paying large expenses in cash despite access to a company credit card.</li><li>Submission of consecutively numbered receipts over long periods of time.</li><li>Consistently submitting expenses at or just under the company's reimbursement limit for undocumented claims.</li></ul><p><strong>Quantitative analytical and statistical methods also are important tools.</strong> One technique is to look for employees whose expense patterns violate Benford's Law, a statistical analysis tool that can reveal fabricated numbers. This law is an observation about the frequency distribution of leading digits in many real-life sets of numerical data. Specifically, it posits that in many naturally occurring collections of numbers, the leading digit is likely to be small. For example, in sets that obey the law, the numeral "1" appears as the most significant digit about 30 percent of the time, while "9" appears as the most significant digit less than 5 percent of the time. 
By contrast, if the digits were distributed uniformly, they would each occur about 11 percent of the time.</p><p>Benford's Law also makes predictions about the distribution of second or third digits, digit combinations, and so on. As far back as the 1970s, mathematicians suggested that the law could be useful in forensic accounting and auditing to indicate accounting and expense fraud. Assuming that people who make up figures tend to distribute their digits fairly uniformly, comparing the first-digit frequency distribution from the data with the distribution Benford's Law predicts should reveal any anomalous results.</p><p><strong>Technology can help prevent the submission of fake expenses as well as spot problems with tracking and disclosure of inappropriate employee conflicts of interest.</strong> An intelligent expense management system will know the approval hierarchy. It will enforce a business rule requiring the expense to be submitted by the most senior attendee and approved by his or her boss, removing the chance for collusion. The system also can have in-line audit capabilities that automatically flag for audit an expense report that fits a set of criteria before approval.</p><p>In this case, Michigan State could tighten up scrutiny of disclosures of foreign relationships and double or conflicting employment through its fraud risk assessments. It also could risk-target particular countries and institutions for audits of employee activity. Computer-based collection of data and analysis of sources such as Xi's various institutional connections and social media presence might have revealed his employment in Hong Kong earlier. 
University officials also might have taken stronger actions when they first found that Xi was hiding his employment activity in 2014.</p><p><strong>Organizations must address deliberate collusion, whether between colleagues or with a supervisor, to knowingly approve funding, a grant, or a false claim.</strong> In large, diverse organizations with lengthy histories and widespread operations, it is possible that two or more people with past relationships will occupy positions where decision-making authority might be abused. For example, one person could become a managing director and the other a sales director (or in this case, a professor and former student). Rigorous conflict-of-interest policies, background checks, and scrutiny of unusual patterns of behavior in work relationships are needed to combat fraud. </p>Art Stewart
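<p>Added example, not part of the original article: a first-digit screen of the kind the Benford's Law passage above describes, run per employee over expense claims. The claim data, the 50-claim minimum, and the function names are assumptions made for illustration.</p>

```python
"""Benford first-digit screen over expense claims (constructed sample data)."""
import math
from collections import Counter, defaultdict

# Expected share of each leading digit under Benford's Law: log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom at the 5 percent level.
CHI2_CRITICAL = 15.507

# Assumption: with fewer claims than this the test is too noisy to act on.
MIN_CLAIMS = 50


def leading_digit(amount):
    """First non-zero digit of a positive amount; None for zero or refunds."""
    if amount <= 0:
        return None
    return next((int(c) for c in f"{amount:.2f}" if c in "123456789"), None)


def benford_screen(amounts):
    """Compare the leading-digit counts of `amounts` with Benford's Law."""
    digits = [d for d in map(leading_digit, amounts) if d is not None]
    n = len(digits)
    if n < MIN_CLAIMS:
        return {"n": n, "chi2": None, "flag": False, "reason": "too few claims"}
    observed = Counter(digits)
    # Pearson chi-square statistic of observed counts against expected counts.
    chi2 = sum((observed[d] - n * p) ** 2 / (n * p) for d, p in BENFORD.items())
    # The digit with the largest excess tells the reviewer where to look first.
    over = max(BENFORD, key=lambda d: observed[d] / n - BENFORD[d])
    flag = chi2 > CHI2_CRITICAL
    return {
        "n": n,
        "chi2": round(chi2, 2),
        "flag": flag,
        "over_represented": over,
        "reason": "deviates from Benford" if flag else "consistent with Benford",
    }


def flagged_employees(records):
    """Group (employee, amount) records and return employees worth a review.

    A flag is a lead for closer examination of receipts, not proof of fraud:
    claims capped by a reimbursement limit or confined to a narrow price range
    deviate from Benford's Law for innocent reasons.
    """
    by_employee = defaultdict(list)
    for employee, amount in records:
        by_employee[employee].append(amount)
    return sorted(e for e, a in by_employee.items() if benford_screen(a)["flag"])


# Constructed sample data.
# emp_a: 200 claims spread evenly on a log scale from 10 to 1,000, the shape
#        naturally occurring amounts tend to have.
EMP_A = [round(10 ** (1 + i / 100), 2) for i in range(200)]
# emp_b: 90 claims whose leading digits are spread uniformly, as invented
#        figures often are.
EMP_B = [d * 10 + j + 0.5 for d in range(1, 10) for j in range(10)]
# emp_c: too few claims to test.
EMP_C = [42.10, 18.75, 120.00, 64.30, 9.99]

SAMPLE_CLAIMS = (
    [("emp_a", a) for a in EMP_A]
    + [("emp_b", a) for a in EMP_B]
    + [("emp_c", a) for a in EMP_C]
)

if __name__ == "__main__":
    for name, amounts in (("emp_a", EMP_A), ("emp_b", EMP_B), ("emp_c", EMP_C)):
        print(name, benford_screen(amounts))
    print("review:", flagged_employees(SAMPLE_CLAIMS))
```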
Kickbacks in the News<p>Investigators from the New York State Police and Manhattan district attorney allege that executives of media company Bloomberg L.P. and interior construction firm Turner Construction received bribes and kickbacks from subcontractors working on projects at Bloomberg's offices, <a href="" target="_blank"> <em>The New York Times</em> reports</a>. According to investigators, the "pay-to-play" scheme bypassed the two companies' computer and budget systems. Among those implicated in the scheme was Bloomberg's global head of construction, who has since been fired. Individuals close to the investigation say it is part of an ongoing probe of bribery and bid-rigging in New York's $9.4 billion-a-year industry of designing and building office interiors. Bloomberg is no stranger to such fraud. Its previous interior construction contractor, Structure Tone, pleaded guilty in 2014 to charges of encouraging subcontractors to inflate costs on invoices.</p><h2>Lessons Learned</h2><p>According to Kroll Corp.'s <a href="" target="_blank">2017/2018 Global Fraud & Risk Report</a>, fraud continued to climb in 2017. Overall, 84 percent of surveyed executives report their organization fell victim to at least one instance of fraud in the past 12 months, up from 82 percent in 2016. This represents a continuous, year-over-year rise since 2012, when the reported incidence was 61 percent. Furthermore, the construction, engineering, and infrastructure sector had the greatest year-over-year increase in fraud incidents. More than four in five (83 percent) respondents in that sector report some fraud, which is 13 percentage points higher than in 2016. 
While information theft, loss, or attack is the most reported type of fraud (33 percent), regulatory breaches and vendor/supplier fraud are close behind at 30 percent each.</p><p>Although investigators have not implicated Bloomberg itself in fraud in this case, the company's relationship with its general contractors may lack effective oversight and monitoring. In fact, Bloomberg may have overlooked several warning signs indicating potential fraud committed by internal personnel, including: </p><ul><li>Overly close relationships with vendors. </li><li>A "wheeler-dealer" attitude among senior managers, who deliberately worked outside of control procedures to pursue their own interests.</li><li>Other broad control issues.</li></ul><p>What can be done? Here are some steps organizations can take to minimize fraud and its impact in construction contracting:</p><ul><li> <strong>Establish controls.</strong> Active controls that seek out fraud can significantly limit the losses incurred through illegal activity. Controls include a range of activities, from surveillance and monitoring to internal audits and management reviews. When selecting contractors through a noncompetitive bidding process, organizations should use an evaluation committee with objective members. They should segregate duties to ensure that access to sensitive information or the level of approval authority is limited, as appropriate. And senior management of the parent company should regularly oversee and monitor compliance with contracting policy.<br> <br>Controls also should address appropriate corporate structures to separate different companies, their authorities, accountabilities, and actions. Corporate arrangements while working on multiple projects can cause contractors and owners to develop too close a relationship. 
These interactions can lead to agreements ― regardless of the intentions of any party involved ― that are executed outside of established controls or that lead to change orders that are not reviewed through a procurement process.<br> </li><li> <strong>Enforce controls.</strong> The most effective way to minimize fraud losses is to prevent them from occurring. An anti-fraud culture means communicating the importance of prevention, enforcing the procedures, and providing the support and training needed to do so. Management should test the company's internal control system regularly for possible holes. In addition to an external audit of controls and financial reporting, if a company suspects or becomes aware of potential fraudulent activity, management should launch an internal investigation or hire an outside firm to handle the task.<br> </li><li> <strong>Define the cost of work to limit the opportunity for abuse.</strong> Often, a fraudulent contractor invoices for costs that are not allowed in the contract. Agreements should include a provision that clearly defines all costs of work that will be compensated for by the owner, including what is allowable and what is not. These definitions should include benchmarking of costs across a comparable cross-section of potential bidders within the industry. <em>The New York Times</em> story notes that Bloomberg and Turner are defendants in a bid-rigging lawsuit filed by a subcontractor, Nastasi & Associates. The suit alleges that Bloomberg and Turner employees altered Nastasi's bid on a work contract — raising it by $100,000 — to prevent the firm from being selected as the low bidder. <br> </li><li> <strong>Audit contractors throughout the project.</strong> External audits may not detect irregularities, so management should make sure all negotiated costs and contracts include a right-to-audit clause to allow the organization to conduct internal audits. 
Internal audits should be conducted by experienced staff members or outsourced to auditors with backgrounds in construction audits. The scope of these audits should include information-management and record-keeping practices. <br><br>As this story points out, records for jobs were supposed to be kept at Turner's offices, as part of the company's compliance requirements. However, in this case, employees did not use Turner-issued devices and kept job records at Bloomberg work sites. The absence of records such as contracts, budgeting data, and related emails should have been a red flag to overseers at both Bloomberg and Turner that something was going on to avoid in-house rules and bypass the companies' computers and systems. <br><br>As past stories have shown, filtering software can help organizations scan seemingly massive amounts of email and other computer records to detect illegal activity. This software can ferret out irrelevant and duplicate information from much larger databases than the two computer hard drives involved in this story.<br> </li><li> <strong>Set up a hotline and pay close attention to credible complaints about contracting practices.</strong> Tips gathered through a hotline or similar method can have a substantial impact on fraud detection. Bloomberg's global head of real estate warned management about allegedly illegal actions by its head of construction and other executives, but the company apparently did not act on the information.</li> </ul>Art Stewart
The Loyalty Program Swindle<p>Solarstar is a solar panel company with annual revenue of $4 billion and a rapidly growing promoter program. Its commissioned sales representatives were encouraged to sign up small businesses and sole practitioners as promoters. Promoters distributed company-designed and authorized literature (a one-page description of Solarstar's products and services) to potential customers and clients, who would call a dedicated phone number on the flyer and use a unique code associated with the promoter to obtain a quote. If a purchase was made, the promoter got a referral fee and the sales representative received a commission. </p><p>The promoter program was growing fast, and field management was ecstatic as it was thought to be opening a new sales channel. One afternoon, one of the more successful promoters contacted a Solarstar online moderator with a request to be assigned to a new sales representative. The promoter claimed to be a 17-year-old girl, which caught the moderator's attention. Suspicions were raised and the transcript of the chat was sent to Solarstar's forensic audit manager, Robert Schull. After reviewing the transcript, Schull was determined to find out how a 17-year-old girl could have signed up as a promoter, let alone become one of the more successful promoters. </p><p>Schull first wanted to understand how the promoter program worked. He learned that it was outsourced to King Enterprises (KE), a small business run out of a strip mall in New Jersey. KE maintained a website that advertised the program and recruited potential promoters. The website had an online chat capability (which the alleged 17-year-old had used) where current and potential promoters could ask questions or get help resolving concerns. Every week, Solarstar bulk paid KE for all closed promoter sales. KE then facilitated payment to the promoters. KE also was responsible for submitting 1099s to the U.S. 
Internal Revenue Service (IRS) and transferring funds to state agencies in the event a promoter did not cash the referral check in a timely manner. </p><p>Initially, Schull focused on the promoter registration process. He went to KE's website and signed up as a promoter by entering his name, address, phone number, and email address. Schull waited a few hours and received notification that he was now a registered promoter. Upon inquiry, he discovered there was no validation process to confirm the identity of the individuals registering as promoters. A review of the promoter database revealed names that were, in fact, companies. For example, multiple promoters purported to be Comcast, Disney, Dominos, or Time Warner Cable. KE only required a Social Security number if the promoter exceeded $600 in referral commissions, which is the minimum requirement established by the IRS for submitting Form 1099. </p><p>Schull interviewed Mary St. Croix, the sales representative associated with the 17-year-old girl. She admitted that the promoter was her ex-boyfriend and not a 17-year-old girl. Allegedly, the ex-boyfriend was a married undocumented immigrant (purportedly with a criminal background) who used an alias and his son's Social Security number. He cashed his promoter referral checks at the local gas station. St. Croix provided a copy of a police report attesting to his violent nature, as well as the relationship. Her employment was soon terminated and the promoter was removed from the program.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Lessons Learned</strong></p><ul><li>Promoter program terms and conditions should be reviewed to determine the criteria for becoming a promoter and how the employee and promoter earn a referral fee. 
Determine how the organization validates the authenticity of the promoter and the sale.<br></li><li>Contracts with vendors should be reviewed to verify that they have a right-to-audit clause. From time to time, the right-to-audit clause should be executed. An effective audit technique is to compare an employee database to the vendor database by name, address, and phone number. Phone numbers are particularly effective in finding duplicates. <br></li><li>Require all employees with the potential to interact with vendors to complete a conflict of interest form. Prompt employees to update their conflict of interest form annually. But remember, conflict of interest forms are useless unless someone reviews the disclosure of conflicts and follows up with the employees.<br></li><li>Pay promoters with gift cards instead of cash. This should help deter individuals from trying to turn your promoter program into a small business. ​<br></li></ul></td></tr></tbody></table><p>As the contract between Solarstar and KE was about to expire, Schull next examined the program, itself. In interviews with employees who worked closely with KE, one employee alleged KE was keeping the funds from uncashed checks for promoters rather than transferring the checks to the appropriate state authorities. Schull's request to audit KE's books was rejected on the grounds that there was no right-to-audit clause in the existing contract, which was confirmed after review. </p><p>Schull next turned his attention to the promoter network. Based on the initial investigation, he believed that if sales representatives could work with a fabricated promoter, then they must be able to sign up a spouse, relative, or co-worker. He used data analytics to compare employee names, addresses, and phone numbers to the promoter database. Much to his surprise, dozens of employee names were in the database. Some employees set up their spouses, fiancés, brothers, and sisters. 
</p><p>One entrepreneurial employee maximized the program's potential by signing up his not-for-profit company and his church, and then signed up subpromoters (his relatives) under the church. A promoter could sign up a subpromoter and generate a sales commission for the sales representative and a referral fee for the promoter and the subpromoter, who in this case were all the same person. Essentially, the sales representative created a Ponzi scheme generating commissions and referral fees for himself, his company, his church, and his family.</p><p>Joe Smith, Solarstar's finance director, requested a meeting with Schull when he learned that revenue from customers signing up through the promoter program had slowed considerably. At the rate it was going, Smith calculated that the program would lose approximately $7 million each year. Smith's analysis of sales and Schull's field investigations revealed that dozens of sales were being made to customers living in low-income apartment complexes and trailer parks by unscrupulous sales representatives and their promoter friends. In some cases, sales representatives signed up promoters who were unemployed and had them knocking on doors or placing flyers on cars in mall parking lots. </p><p>Schull and Smith took their findings to management. Ted Spicoli, the vice president of sales and in charge of the loyalty program, refused to believe that the fraud in the program was as prevalent or widespread as Schull and Smith stated. He challenged Schull's findings and Smith's analysis. During one contentious meeting, he even challenged Smith's ability to perform basic math. Months passed, and more money was lost until finally the program was shut down. KE's contract was not renewed, and Spicoli was fired. </p><p>The promoter program was redesigned and launched as a friends and family program encouraging existing customers in good standing to refer a sale. 
Compensation was changed so sales representatives received a commission and the existing and new customer would split the referral fee, which was no longer paid in cash, but in gift cards. After six months, the new program was generating good customer sales without a single incident of fraud detected. </p>Grant Wahlstrom
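<p>Added example, not part of the original article: the employee-to-promoter comparison by name, address, and phone number described above, with each field normalized before matching. All records are constructed, and the 10-digit phone format and the abbreviation table are assumptions.</p>

```python
"""Cross-match employee and promoter records (constructed sample data)."""
import re

# Assumption: street-type words worth folding so "Street" and "St." compare equal.
ABBREVIATIONS = {
    "street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
    "apartment": "apt", "suite": "ste",
}


def norm_phone(raw):
    """Digits only. Assumption: 10-digit numbers, optional leading country code 1."""
    digits = re.sub(r"\D", "", raw or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def norm_address(raw):
    """Lowercase, drop punctuation, fold common street-type abbreviations."""
    tokens = re.sub(r"[^a-z0-9]+", " ", (raw or "").lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens) or None


def norm_name(raw):
    """Lowercase and sort name parts so 'Smith, Dana' equals 'Dana Smith'."""
    tokens = re.sub(r"[^a-z]+", " ", (raw or "").lower()).split()
    return " ".join(sorted(tokens)) or None


NORMALIZERS = {"name": norm_name, "address": norm_address, "phone": norm_phone}


def build_index(records):
    """Map each normalized field value to the ids of the records carrying it."""
    index = {field: {} for field in NORMALIZERS}
    for rec in records:
        for field, norm in NORMALIZERS.items():
            key = norm(rec.get(field))
            if key:
                index[field].setdefault(key, set()).add(rec["id"])
    return index


def find_overlaps(employees, promoters):
    """Return (promoter_id, employee_id, matched_fields) for every shared value.

    A phone-only or address-only hit is kept on purpose: a relative or an
    organization registered as a promoter will not share the employee's name.
    """
    index = build_index(employees)
    hits = {}
    for promo in promoters:
        for field, norm in NORMALIZERS.items():
            key = norm(promo.get(field))
            for emp_id in index[field].get(key, ()):
                hits.setdefault((promo["id"], emp_id), []).append(field)
    return sorted((p, e, sorted(fields)) for (p, e), fields in hits.items())


# Constructed sample records.
EMPLOYEES = [
    {"id": "E1", "name": "Dana Smith", "phone": "(201) 555-0134",
     "address": "12 Oak Street, Apt 4"},
    {"id": "E2", "name": "Lee Wong", "phone": "(201) 555-0166",
     "address": "77 Pine Road"},
]
PROMOTERS = [
    {"id": "P1", "name": "Smith, Dana", "phone": "+1 201 555 0134",
     "address": "12 Oak St., Apt. 4"},          # the employee, reformatted
    {"id": "P2", "name": "Grace Community Church", "phone": "201.555.0134",
     "address": "PO Box 9"},                     # organization on an employee's phone
    {"id": "P3", "name": "Mia Wong", "phone": "2015550177",
     "address": "77 Pine Rd."},                  # different person, same address
    {"id": "P4", "name": "Sam Ortiz", "phone": "9735550110",
     "address": "3 Elm Ave"},                    # unrelated
]

if __name__ == "__main__":
    for promoter_id, employee_id, fields in find_overlaps(EMPLOYEES, PROMOTERS):
        print(f"{promoter_id} overlaps {employee_id} on {', '.join(fields)}")
```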
The Ghost Immigrants<p>Wealthy foreign investors are using loopholes in Canadian immigration rules to acquire property and avoid taxes, <a href="" target="_blank" style="background-color:#ffffff;">CTV News reports</a>. In many cases, these "ghost immigrants" do not actually live in Canada and are using their properties to fraudulently claim residency status. This activity, in turn, circumvents the government's efforts to limit foreign real estate speculation, which has run up property values in Canada's largest cities, the report notes. In one case, a Chinese millionaire who had purchased multiple million-dollar homes in Canada claimed on his income tax form that he only had CAN$97 in worldwide income. In reality, he owned several large businesses in China. Between April 2015 and September 2017, the Canadian Revenue Agency (CRA) recovered CAN$331.2 million from more than 21,000 audits in Ontario and CAN$117.9 million from more than 4,000 audits in British Columbia.</p><h2>Lessons Learned</h2><p>Immigration is a widely debated topic. Much of the immigration debate involves individuals who have moved to another country. Yet, many countries, including Canada and the U.S., have experienced an influx of wealthy ghost immigrants who secure permanent residence, purchase properties, and then return to their home countries. The immigration and tax misrepresentations include falsifying rental and employment agreements and falsely reporting income on tax returns. Unfortunately, many of these individuals are not paying their worldwide tax obligations and are reaping other benefits of life in their "new" countries.</p><p>The CRA's statistics of the numbers of immigration-related audits conducted and their results indicate that the problem has become widespread in Canada. Yet, fraudulently claiming to be physically present in a country is a scam that dates back for decades. 
In today's social media world, these same methods still are being used to circumvent the physical presence requirements of maintaining permanent residence to qualify for citizenship.</p><p>The Canadian government and others can learn many lessons from this case. As the tax expert in this story points out, there should be a much greater emphasis on using audits to combat ghost immigration fraud. Here are some of the reasons and ways in which audits can be better used:</p><ul><li>Successful audits are revenue generators and are more feasible than ever to catch ghost immigration fraud. The audit statistics cited in this story might make it appear enough is being done, but it is unclear whether tax administrations' focus on this problem is keeping pace with the dramatic increase in immigration levels. For example, the CRA acknowledges that it does not have sufficient resources to tackle the problem satisfactorily. In the past, the CRA has stated that it was too difficult to audit these cases and collect the taxes owed. Foreign fraudsters know this, so increased scrutiny and a communications campaign could send a deterrence message to those engaging in fraudulent behavior.<br>​<br></li><li>Cost-effective and scalable data-mining techniques allow auditors to cross-reference employment/business and asset information that an immigrant supplies to immigration officials when applying for status with the worldwide income the individual claims after he or she is granted residency.<br><br></li><li>Signing tax treaties that include an exchange-of-information clause with countries that are major sources of immigrants can help pinpoint fraudster activity. 
Recent anti-corruption movements in countries such as China and India have enhanced the potential usefulness of these treaties for tax administrations in cases involving immigrants from countries where such information was previously not available.<br><br></li><li>Another important trend is the introduction of whistleblower programs by tax authorities in the mid-2000s. These programs recognize the increased importance whistleblowers have in tax evasion collections worldwide. As a result, there are now many potential informants — in banks, accounting firms, real estate brokers, etc. — who can supply financial information on tax evasion.<br><br></li><li>Social media and online information make lifestyle audits easier and more accurate, especially with today's computing power.<br><br></li><li>Assets, such as highly inflated real estate in Canada, have increased significantly in value. Consequently, there are now many seizable assets within the easy reach of tax agencies.<br></li></ul><p>Given these methods and changes, it is in taxpayers' and tax administrations' best interests to increase tax audits in this area. In addition to audits, more needs to be done to combat this kind of fraud. Some advocates recommend replacing or adding to the current physical presence requirement in immigration and citizenship law, which is considered by many to be expensive and intrusive to enforce. For example, enhanced measures such as exit/entry controls are required that are beyond what is in place today for people traveling through airports. </p><p>Requiring immigrants to declare themselves "tax residents" of a nation, such as Canada or the U.S., could ensure individuals pay full tax on their worldwide income. This tax residency requirement could be another criterion for maintaining permanent residence and fulfilling naturalization requirements for citizenship. 
Increasing fines and penalties, including jail time, would be an additional disincentive to fraudsters.</p><p>March is Fraud Awareness Month in Canada, but every month should be similarly designated. Internal auditors should take time to talk to someone who would benefit from hearing about fraud risks and what auditors can do to deter and prevent fraudulent activity.</p>Art Stewart
The Cross-border Cover-up<p>The California subsidiary of Rabobank has pleaded guilty to conspiracy to defraud the U.S. and will pay $369 million to settle charges of accepting illegal proceeds from Mexican drug traffickers, <a href="" target="_blank" style="background-color:#ffffff;">the Associated Press reports</a>. According to U.S. regulators, drug traffickers deposited at least $369 million in Rabobank National Association branches in two towns on the Mexican border between 2009 and 2012. This was done to bypass Mexican government limits on the size of cash deposits in that country's banks. When deposits in those towns increased 20 percent, regulators say the bank should have known the money was tied to drug trafficking and organized crime. Instead, bank executives tried to cover up the suspicious activity after a whistleblower reported it to them. Rabobank National Association agreed to cooperate with U.S. officials to avoid additional criminal charges.</p><h2>Lessons Learned</h2><p>In attempting to explain how Rabobank covered up such a massive amount of money laundering, it is clear that the bank could have done more to detect and prevent those activities. That is despite the numerous regulations and guidance detailing what is expected of banks. Here are some considerations for internal auditors:</p><ul><li>All regulated U.S. financial institutions are required to file periodic financial and other information with the Federal Deposit Insurance Corporation. One of the required reports is the quarterly Consolidated Report of Condition and Income, which reports financial data about a bank's financial condition and the results of its operations. However, the required categories for reporting do not include anything specifically related to anti-money laundering, although this might be covered under a broader category such as Income From Foreign Offices. 
There is a form that lists up to four bank officers responsible for anti-money laundering activities, but in the couple of publicly available, sample Rabobank reports I reviewed, these entries were labeled "confidential." <br> </li></ul><ul><li>In 2016, the U.S. Office of the Comptroller of the Currency (OCC) issued a 150-page Comptroller's Handbook booklet, Internal and External Audits, for use by OCC examiners in examining and supervising national banks and federal savings associations. This document contains useful information regarding the roles and procedures of external audit, management's responsibility for oversight, risk management and effective controls, and reporting matters. Surprisingly, given the increasingly international nature of bank ownership and operations, it contains little guidance specific to money laundering, either as a risk or audit practice focus.<br> </li><li>One might be skeptical of Rabobank's management declarations, such as on its website, that the OCC has recognized "the material improvements the bank has made to its [Bank Secrecy Act/anti-money laundering] compliance program." There appears to have been some systemic collusion among its senior management — including its vice president responsible for anti-money laundering investigations — to cover up this fraud for several years.<br> <br></li><li>Finally, where were the internal and external auditors? Internal audit, while independent in its work and reporting, remains a part of an organization's management structure. Rabobank's senior management cover-up activities blocked information that could have revealed the problem earlier. It also is possible that the bank's information systems were exploited to help the cover-up. For example, if the transaction was not completed using the bank's core banking system, internal auditors would have less of a chance to catch discrepancies, unless they scrutinized every aspect of the operations daily to find lesser-known or hidden systems. 
Moreover, there is the question of whether the bank's internal auditors possess the requisite training to detect money laundering activities.<br></li></ul><p><br></p>Art Stewart
The Runaway Threat of Identity Fraud<p>Just a reminder: The European Union's Global Data Protection Regulation (GDPR) takes effect on May 25. The new regulation enacts strict rules requiring organizations to protect consumer data, and it applies to any organization worldwide that gathers data on EU consumers. The aim is to protect the privacy of consumers and to combat identity theft and fraud.</p><p>Now here's another reminder: Identity fraud is getting worse. In the U.S., 16.7 million consumers were victims of identity fraud in 2017, up 8 percent from 2016, according to Javelin Strategy & Research's <a href="" target="_blank">2018 Identity Fraud Study</a>. That's one out of every 15 U.S. consumers. Javelin surveyed 5,000 U.S. adults for the study.</p><p>What's the bottom line for internal auditors and their organizations? It's time to get serious about protecting consumer data. </p><p>"2017 was a runaway year for fraudsters, and with the amount of valid information they have on consumers, their attacks are just getting more complex," says Al Pascual, senior vice president and research director at San Francisco-based Javelin.</p><p>The Javelin report makes a distinction between identity theft and identity fraud. Identity theft is unauthorized access to personal information, such as through a data breach. Identity fraud happens when that personal information is used for financial gain.</p><h2>A New Target</h2><p>The nature of identity theft and fraud shifted in 2017, the report notes. For the first time, more Social Security numbers were stolen than credit card numbers. Last year's massive Equifax hack was the most glaring example. Those Social Security numbers make it easy for criminals to open accounts in a victim's name or to take over their existing accounts. </p><p>Javelin says account takeover was one of two drivers of identity fraud last year, along with existing noncard fraud. 
Account takeover tripled, with $5.1 billion in losses, a 120 percent increase over 2016. This type of fraud is particularly costly for consumers, who spend on average $290 and 16 hours to resolve incidents.</p><p>Small wonder then that consumers "shift the perceived responsibility for preventing fraud from themselves to other entities, such as their financial institution or the companies storing their data," as Javelin's press release notes. Respondents rate security breaches at companies as the top identity-related threat, with 63 percent saying they are "very" or "extremely" concerned about such incidents. Nearly two-thirds of victims say breach notifications don't protect them and are just a way for organizations to avoid legal trouble. </p><h2>Going Online</h2><p>Another trend is that identity fraud has moved online in response to the introduction of EMV chip cards in the U.S. Credit and bank cards with these chips make it harder for fraudsters to use stolen cards in person, but they still can be used online, where many people shop. Indeed, card-not-present fraud is 81 percent more likely than point-of-sale fraud, Javelin reports.</p><p>These frauds are becoming more sophisticated, too, according to Javelin. For example, fraudsters opened intermediary accounts in the names of 1.5 million victims of existing card frauds. 
Such accounts include email payment services such as PayPal or accounts with online merchants.</p><h2>Protecting Consumers</h2><p>Javelin's recommendations for preventing identity fraud focus more on what consumers can do to protect themselves, including:</p><ul><li>Using two-factor authentication.</li><li>Securing devices.</li><li>Putting a security freeze on credit reports to prevent accounts from being opened.</li><li>Signing up for account alerts.</li><li>Setting controls to prevent unauthorized online transactions.</li></ul><p> <br> </p><p>Such vigilance can help, but consumers expect financial institutions, retailers, and others they do business with to protect their information. Now they have a powerful ally in the GDPR, which puts responsibility squarely on businesses.</p><p>The GDPR requires organizations to provide a reasonable level of protection for personal data and mandates that they notify data protection authorities within 72 hours when consumer records have been breached. Compare that with some recent U.S. breaches in which several weeks passed between when the incident was discovered and the time when the organization disclosed it. </p><p>GDPR regulators can harshly punish organizations that don't comply. Fines can run up to 4 percent of an organization's annual turnover up to €20 million ($24.6 million). If protecting customers' personal data isn't a priority in itself, the potential financial penalties should raise the stakes for organizations.</p><p> <br> </p>Tim McCollum
Rent a Vet<p>A Kansas City-area construction company made false claims to obtain $13.8 million in government contracts through a program aimed at assisting businesses owned and operated by U.S. military veterans, the <a href="" target="_blank" style="background-color:#ffffff;"> <em>Kansas City Star</em> reports</a>. Patriot Construction Co. won 20 government contracts by claiming that it was partially owned by a veteran. However, although co-owner Paul Salavitch was a service-disabled veteran, he actually was not involved in its day-to-day operations, as required by the U.S. Veterans Administration's Service-Disabled Veteran-Owned Small Business (SDVOSB) program. Instead, he was a full-time U.S. Department of Defense employee. Jeffrey Wilson, the co-owner who ran the business, was not a veteran. Federal prosecutors say the scheme prevented legitimate veteran-owned businesses from winning those contracts. Wilson has pleaded guilty to government program fraud, while Salavitch pleaded guilty to making a false writing.</p><h2>Lessons Learned</h2><p>Front and center among the lessons learned from this news story is that both the design and controls over well-intended government programs for special groups must be robust, adapt to changing environments and threats, and be verified regularly for effectiveness. The consequences of failing to assess the design and controls are substantial. According to a 2011 VA Office of the Inspector General (OIG) <a href="" target="_blank">report on the program</a> (PDF) — the most recent report I have found — "76 percent of businesses reviewed were ineligible for either the program and/or the specific [Veteran-Owned Small Business (VOSB)] or SDVOSB contract award, potentially resulting in $2.5 billion awarded to ineligible businesses over the next five years." 
</p><p>Here are the major kinds of issues and recommendations internal auditors should be thinking about when auditing these kinds of programs:</p><ul><li> <strong>Eligibility.</strong> To be eligible to pursue contracts under the SDVOSB program, a service-disabled person has to own at least 51 percent of the business, control its management and daily operation, and hold its highest officer position. The application process and eligibility requirements for this VA program <a href="" target="_blank" style="background-color:#ffffff;">are available online</a>. However, verification of program eligibility relies heavily on the documentation applicants submit. According to the VA, this includes the resumes of all owners, directors, partners, officers, and other key personnel. The one- to two-page chronological resume should list the person's current and previous occupation, job description and duties, education, personally identifying information, dates, skills, and abilities. <br><br></li><li> <strong>Program Controls.</strong> Unfortunately, it does not appear that these documents are fully scrutinized and verified. The VA's OIG report found that the program's oversight and verification controls were inadequate. Relevant to this news story, the report noted that businesses were ineligible because the veteran owners subcontracted more work to nonveteran-owned businesses than allowed under regulations. In other cases, veterans did not really control or own the businesses. These program control problems have been longstanding issues for the VA. Tighter controls over verification of the status of subcontractors involved in SDVOSB applications are needed, along with better oversight and staff training, as noted by the VA's OIG.<br><br></li><li> <strong>Remedies.</strong> The VA has taken steps to redress the program's control weaknesses, including making several changes to program controls, policies, and human resources competencies. 
It also conducts unannounced site visits to companies that have been awarded contracts to catch fraud. This is how Salavitch was found to be working 40 miles away at his full-time job as a federal employee. More recently, the VA announced it will launch the "Seek to Prevent Fraud, Waste, and Abuse (STOP FWA)" initiative, which will leverage departmental activities that prevent or identify FWA and ensure a consistent approach to FWA risk management. More relevant to this story, the VA's Office of Small and Disadvantaged Business Utilization will roll out a new system to more effectively manage all aspects of verification as well as provide a single entry point for information, resources, and online applications.<br><br>Given all these changes, it will be interesting to see what the next full audit of the SDVOSB program looks like compared to the 2011 report.</li></ul><p> <br> </p>Art Stewart
The Beef With the Accountant<p>A federal court has sentenced a former Oklahoma Beef Council (OBC) accountant who was found guilty of embezzling $2.68 million from the Oklahoma Beef Council to 57 months in prison, <a href="" target="_blank" style="background-color:#ffffff;"> <em>The Oklahoman</em> reports</a>. Prosecutors say Melissa Day Morton forged organization checks to steal from the nonprofit trade association from 2009 to 2016. The OBC has filed suit against a local accounting firm that had performed external audits of its finances. The organization alleges the firm's audit opinions were "incorrect and misleading" and did not comply with applicable audit standards.</p><h2>Lessons Learned</h2><p>The twin sides to this story illustrate that management and the auditor could have done more to prevent the theft of $2.68 million by a trusted employee.</p><p>For the OBC's management, it is telling that it now has taken steps to prevent this kind of fraud, including contracting with a third-party accounting firm, implementing a five-step financial review process, and instituting an audit/risk committee with an independent audit advisor to the committee. To that list, there are additional measures that the OBC could take, including:</p><ul><li>Human resource management policy and systems changes, including a clear conflict of interest code and anti-fraud policies that clearly communicate expectations of employees and consequences of noncompliance. Another change is stronger emphasis on rotation of staff members in sensitive or responsible positions. In this case, the fraudster had done the same job for at least seven years while she stole the OBC's money.<br></li><li>Rigorous background/security checks, at least for those in sensitive jobs, not only before hiring but also throughout their employment. 
These checks should ascertain whether significant unexplained employee lifestyle changes are occurring.<br></li><li>A tips/whistleblower program that encourages employees to come forward to identify suspicious and potentially fraudulent behaviors without fear of reprisal.<br></li></ul><p> ​<br> </p><p>For the auditor, we don't have all of the facts to judge whether the OBC's accounting firm failed to perform its audit work in compliance with audit standards. Moreover, it is debatable whether the OBC demonstrated "management's responsibility to design and implement programs and controls to prevent, deter, and detect fraud," as stated in the U.S. Public Company Accounting Oversight Board's (PCAOB's) Accounting Standard (AS) 2401: Consideration of Fraud in a Financial Statement Audit.</p><p>An interesting aspect of this issue, which is increasingly becoming part of large financial fraud cases following the 2008 financial crisis, is the role of the external auditor in finding fraud. PCAOB guidance, Responsibilities and Functions of the Independent Auditor, states in paragraph 2 that: "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud." </p><p>Much good advice for auditors can be found in the PCAOB's guidance. In particular, two key and balancing points from AS 2401 may be relevant for determining whether the OBC's auditor failed to perform its work within acceptable standards:</p><ul><li>"However, absolute assurance is not attainable and thus even a properly planned and performed audit may not detect a material misstatement resulting from fraud. A material misstatement may not be detected because of the nature of audit evidence or because the characteristics of fraud as discussed above may cause the auditor to rely unknowingly on audit evidence that appears to be valid, but is, in fact, false and fraudulent. 
Furthermore, audit procedures that are effective for detecting an error may be ineffective for detecting fraud." (paragraph 12)<br> </li><li>"Due professional care requires the auditor to exercise professional skepticism. <em>See</em> AS 1015.07 through .09. Because of the characteristics of fraud, the auditor's exercise of professional skepticism is important when considering the fraud risks. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence. The auditor should conduct the engagement with a mindset that recognizes the possibility that a material misstatement due to fraud could be present, regardless of any past experience with the entity and regardless of the auditor's belief about management's honesty and integrity. Furthermore, professional skepticism requires an ongoing questioning of whether the information and evidence obtained suggests that a material misstatement due to fraud has occurred. In exercising professional skepticism in gathering and evaluating evidence, the auditor should not be satisfied with less-than-persuasive evidence because of a belief that management is honest." (paragraph 13)</li></ul><p>This second issue is a discussion for another article. What do readers think?</p>Art Stewart
When Good Accountants Go Bad, More Questions Are Raised Than Answered<p>I'm sure I visibly cringed when I read news accounts of criminal charges being brought against former U.S. Public Company Accounting Oversight Board (PCAOB) and KPMG employees, who are accused of using leaked PCAOB information to help the Big Four firm improve its audit results.</p><p>These charges are unproven in a court of law and all of those charged deserve the presumption of innocence at this point. However, the mere allegation that such a betrayal of ethics took place is painful, and it delivers a black eye to the accounting/auditing professions. Yet, it certainly is not without precedent. I've written many times that good people do bad things, and smart people do stupid things. It is part of the human condition — that imperfection that makes us who we are. However, what is alleged in this instance takes us a step beyond simple human error or irresponsibility. It actually raises more questions than it answers.</p><p>Details of the scandal came to light through federal criminal charges brought against three former PCAOB employees and three former KPMG employees. On his final day at work, one PCAOB employee is alleged to have copied a list of accounting firm audits scheduled to be inspected by the regulator in 2015. He then shared the list with employees of his new employer, KPMG. The two other PCAOB employees are accused of leaking PCAOB inspection plans through February 2017. KPMG hired the second PCAOB employee while the third allegedly courted the company by offering additional insider information.</p><p>If what is described is accurate, the extent of the ethical lapses exhibited by the accused is appalling. 
The KPMG employees, who include a national managing partner for audit quality, a partner-in-charge for inspections, and a banking and capital markets group co-leader, were allegedly willing to accept and use highly confidential information to avoid detection of audit deficiencies and the internal fallout (and public scrutiny) that comes with them. The alleged ethics violations by their PCAOB accomplices were, in my view, even more disturbing. One expects that regulatory employees have some personal commitment — if not genuine zeal — to make sure the rules they oversee are being followed. To actively work against the organization you represent for personal gain is despicable.</p><p>Despite the reputational damage to both organizations created by this evolving scandal, based on information disclosed thus far, there may be some encouraging lessons to be taken from it. KPMG's U.S. entity appears to have acted swiftly in notifying authorities when it discovered the issue last year. It hired outside legal counsel to investigate the incident and fired the employees involved. Having worked for and with Big Four firms for many years, this does not surprise me. I have personally seen their commitment at the most senior levels to promoting and supporting legal and ethical behavior. By the same token, the U.S. Securities and Exchange Commission has also brought charges against employees of the PCAOB, which resides under its jurisdiction. In other words, neither organization seems to be shrinking from responsibility at this point. 
</p><p>Overshadowing the encouraging lessons, however, the burgeoning scandal raises a number of troubling questions:</p><ul><li>Why would obviously gifted accountants who have risen to the pinnacle of their profession willingly risk it all to traffic in illicit information?</li><li>Has the PCAOB inspection process become so onerous and unforgiving that the schedule of upcoming inspections would be worth such risks on the part of accounting professionals?</li><li>Have the consequences of failed inspections become so dire that even national partners are willing to risk unthinkable consequences in order to mitigate the risks of failed inspections?</li><li>Why would the value of an upcoming PCAOB inspection schedule be worth a potential job in a Big Four firm?</li><li>Are the revolving doors between the PCAOB (and other federal regulators) too lax? </li><li>Should there be an extended cooling off period between assignments at the regulators and the regulated?</li><li>How does the accounting/auditing profession sustain public trust in the face of such serious allegations?</li></ul><p>I would encourage officials at the firms and the regulators to address these questions even as the wheels of justice turn on the charges.</p><p>One of the reasons I cringed upon hearing about this scandal is that I know many extraordinary professionals at both KPMG and the PCAOB. I do not for one minute believe that their reputations should be tarnished by the alleged behavior of these six individuals. One of the lessons to be taken from this scandal is that professional ethics live and die at the personal level. In other words, the moral compass is ultimately steered by the individual. Just as the medical profession should not be judged by the unspeakable behavior of the recently sentenced U.S. gymnastics doctor, neither should the accounting/auditing profession be judged overall by the alleged behavior of a few.</p><p>As always, I look forward to your comments.</p>Richard Chambers
Internal Audit’s Role in Anti-money Laundering<p>The cost of running a compliance function for anti-money laundering and countering the financing of terrorism (AML/CFT) in an organization is far less than the price it may pay for noncompliance. Because of increased regulatory focus, penalties levied affect the bottom line and become a going-concern issue with license suspensions or cancellations. Given the social, economic, and political ramifications of money laundering and terrorism financing, it is becoming more difficult for organizations to consciously ignore AML/CFT compliance. The next 10 years could witness enhanced regulatory compliance across jurisdictions, so internal audit's role in ensuring strict AML/CFT compliance assumes greater importance.</p><p>Money laundering is about channeling illegal, "dirty" money through a legitimate means to make it appear as "clean" money within the system. This can be explained in three phases: placement, layering, and integration. In the placement phase, illegal money physically enters into the financial system, such as huge bank account deposits via bank tellers or ATMs. The layering phase involves executing complex transactions with the sole intention of concealing the origin of the funds and diluting the audit trail for further investigations. In the integration phase, the proceeds re-enter the financial system as apparent legitimate funds. Money laundering is a derivative crime; in other words, it is a crime that derives out of another crime. Its nature as a crime depends on the genesis of the funds. </p><h2>Internal Audit's Role</h2><p>The money launderer's objective is to convert illegally obtained money into legal tender through inappropriate methods, and in the process avoid the attention of prosecutors or auditors. A clear understanding of AML/CFT helps internal auditors conduct reviews more effectively. 
At a minimum, internal audit should focus on these areas:</p><p><strong>Top management intent. </strong>Conduct interviews with key top management individuals. Internal control questionnaires, checklists, and management letters are commonly used in these interviews. However, also assess the willingness and commitment of top management to protect the organization from the threat of money laundering and terrorism financing. This critical exercise should become the basis for review and the depth of sample coverage.​</p><p><strong>Business operations. </strong>Understand the business operations of the organization in detail. Without a thorough understanding, auditors will not be able to identify a transaction that is abnormal to the course of business. </p><p><strong>Customers. </strong>In financial institutions, ensure that the organization is complying with know-your-customer procedures both in form and spirit. Policies and procedures should provide measures for updating know-your-customer forms annually, which establish the identity of the customer, the nature of the customer's activities, and money laundering risks, if any, associated with that customer. Check whether the declarations made by customers in their undertakings are being followed in reality. For example, a customer might declare that he may invest up to $25,000 per year in portfolio management. However, during the year he invests almost $50,000 from undisclosed income. The organization may not raise it as a red flag because of commissions on those transactions. </p><p><strong>Risk assessments.</strong> Ensure the organization has conducted a risk assessment of customers, geographic affiliations, company products, channels of product routing, etc. Review the nature and volume of transactions and types of products the organization deals with. </p><p><strong>Suspicious transactions. </strong>By nature, suspicious transactions are more complex and obscure. 
Internal auditors should get to the bottom of these transactions to ensure they are genuine and should not check them off their list unless they are completely convinced about their purpose. Enhanced due diligence measures should be taken for non-face-to-face business transactions when the customer has not been seen or the business site has not been visited.</p><p><strong>Reporting culture.</strong> Review the number of suspicious transaction reports raised by the compliance officer during the review period and assess which ones were not reported to the financial intelligence units in the respective countries. These could be false alarms, but scrutinizing those unreported suspicious transactions that could potentially be money laundering transactions may reveal suppression by management and whistleblower silencing.</p><p><strong>From and to.</strong> All transactions should have the required documentation, including originator and beneficiary details. Missing information in cross-border transactions has caused some of the largest money laundering cases to take a decade or more to resolve, so review all cross-border wire transfers in detail. AML systems also should be reviewed to ensure that the application does not have options to suppress data. </p><p><strong>Blacklisted names.</strong> Review the AML system and test its capability of capturing data on time, and identifying and red flagging the blacklisted and Specially Designated Persons lists provided by the United Nations and the U.S. Office of Foreign Assets Control, respectively. Determine whether the system is capable of correctly identifying blacklisted names in English and local languages.</p><p><strong>Politically exposed persons.</strong> People with diplomatic immunity, defined under the politically exposed persons category, are entrusted with a prominent public function and are at higher risk of getting involved in money laundering and terrorism financing transactions. 
Ensure the organization has mechanisms to identify customers of this category and conducts enhanced due diligence.</p><p><strong>Nonprofit organizations.</strong> In many countries, organizations with an exempt status become the front-end and most misused vehicles to launder money. Review the grants received, nature and origin of receipts, and ultimate beneficiaries of grants, if it is a recipient organization. In donor organizations, determine whether the donations are made to genuine and reliable nonprofits for a purpose and that those monies are not routed to terrorist networks.</p><p><strong>High-risk countries.</strong> Engaging with AML/CFT noncompliant countries (assigned as such by the intergovernmental Financial Action Task Force) poses a greater threat for noncompliance. Review how the organization is complying with procedures while dealing with subsidiaries or associates situated in such countries.</p><p><strong>Employee protection.</strong> Review the whistleblower protection policy and protection to employees raising red flags. Internal sources are many times the strongest lead for an internal auditor in helping detect malpractices in money laundering.</p><h2>Think Outside the Box</h2><p>Detecting money laundering and terrorism financing transactions is a challenge for internal auditors because perpetrators bringing ill-gotten money into the system actively conceal the audit trail to avoid prosecution. Because of this, internal auditors conducting AML/CFT reviews should be more vigilant, attentive, and creative to find wrongdoing and ensure compliance.</p>K.V. Hari Prasad
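<p>The following is an added example, not part of the original article: a Python sketch of three data tests an auditor could run for the "Customers," "From and to," and "Blacklisted names" review areas above (activity above the know-your-customer declaration, cross-border wires missing originator or beneficiary details, and watchlist matching that survives accents, case, and non-Latin scripts). Every record, field name, and list entry is constructed for illustration, and the record layout is an assumption rather than any real system's schema.</p>

```python
import unicodedata
from collections import defaultdict

# Constructed sample data: every customer, name, amount and list entry is made up,
# and the record layout (field names) is an assumption, not a real banking schema.
KYC_DECLARED_ANNUAL = {"C001": 25_000, "C002": 100_000}  # declared yearly investment, USD

TRANSACTIONS = [
    {"id": "T1", "customer": "C001", "kind": "investment", "amount": 20_000,
     "cross_border": False, "originator": "Alex Example", "beneficiary": "Fund A"},
    {"id": "T2", "customer": "C001", "kind": "investment", "amount": 29_500,
     "cross_border": False, "originator": "Alex Example", "beneficiary": "Fund A"},
    {"id": "T3", "customer": "C002", "kind": "wire", "amount": 40_000,
     "cross_border": True, "originator": "Sam Sample", "beneficiary": "  "},
    {"id": "T4", "customer": "C002", "kind": "wire", "amount": 15_000,
     "cross_border": True, "originator": "Sam Sample", "beneficiary": "José Ñandú-Pérez"},
    {"id": "T5", "customer": "C002", "kind": "wire", "amount": 5_000,
     "cross_border": True, "originator": None, "beneficiary": "Widget Supplies Ltd"},
    {"id": "T6", "customer": "C002", "kind": "wire", "amount": 1_000,
     "cross_border": False, "originator": "ИВАН ПРИМЕР", "beneficiary": "Sam Sample"},
]

WATCHLIST = ["Jose Nandu Perez", "Иван Пример"]  # constructed, not real list entries


def normalize_name(name):
    """Fold case, accents, punctuation and word order so spelling variants compare equal."""
    if not name:
        return ""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = "".join(ch if ch.isalnum() else " " for ch in no_marks.casefold())
    return " ".join(sorted(cleaned.split()))


def over_declared(transactions, declared):
    """Customers whose investments for the period exceed their KYC declaration.

    A customer with no declaration on file is treated as having declared 0.
    """
    totals = defaultdict(int)
    for txn in transactions:
        if txn["kind"] == "investment":
            totals[txn["customer"]] += txn["amount"]
    return {cust: (declared.get(cust, 0), total)
            for cust, total in totals.items() if total > declared.get(cust, 0)}


def wires_missing_parties(transactions):
    """Cross-border wires with a blank (None, empty or whitespace) originator or beneficiary."""
    findings = []
    for txn in transactions:
        if txn["kind"] != "wire" or not txn["cross_border"]:
            continue
        missing = [f for f in ("originator", "beneficiary") if not (txn.get(f) or "").strip()]
        if missing:
            findings.append((txn["id"], missing))
    return findings


def watchlist_hits(transactions, watchlist):
    """Party names that equal a listed name after normalization (no transliteration)."""
    index = {normalize_name(n): n for n in watchlist if normalize_name(n)}
    hits = []
    for txn in transactions:
        for field in ("originator", "beneficiary"):
            listed = index.get(normalize_name(txn.get(field)))
            if listed:
                hits.append((txn["id"], field, listed))
    return hits


if __name__ == "__main__":
    print("Over declaration:", over_declared(TRANSACTIONS, KYC_DECLARED_ANNUAL))
    print("Missing parties:", wires_missing_parties(TRANSACTIONS))
    print("Watchlist hits:", watchlist_hits(TRANSACTIONS, WATCHLIST))
```

<p>The name test only matches names that are identical after normalization; it does not catch transliterations between scripts or misspellings, which is the gap the "English and local languages" check is meant to probe in a production AML system.</p>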
