Card Abuse Runs Rampant<p>Some of Australia's largest government agencies are plagued by credit card fraud and abuse, <a href="" target="_blank" style="background-color:#ffffff;"><em>The Sydney Morning Herald</em></a> reports. According to analysis by Fairfax Media, the Australian Bureau of Statistics, Health Department, and Bureau of Meteorology had the highest rates of misspending with government-issued credit cards last year — each topped 20 percent of charges. Fairfax found staff members had used credit cards to pay for accounting courses, personal bills, and private travel.</p><h2>Lessons Learned</h2><p>The Association of Certified Fraud Examiners' (ACFE's) 2016 <a href="" target="_blank">Report to the Nations on Occupational Fraud and Abuse</a> estimates organizations around the world lose 5 percent of revenues to occupational fraud. Employee credit card fraud is one part of this problem. <em>Internal Auditor</em> magazine has featured numerous articles on this subject, most recently <a href="/2017/Pages/On-the-Hook-for-Fraud.aspx">"On the Hook for Fraud"</a> and <a href="/2016/Pages/The-Tech-Know-how-for-Fraud.aspx">"The Tech Know-how for Fraud."</a> These stories, the persistence of employee credit card fraud, and recent trends in online credit use are reminders to auditors of what comprises an effective approach to preventing employee credit card fraud. Recommendations auditors can make to address gaps they find during their audit work include:</p><ul><li><strong>Establish an employee credit card use policy.</strong> The policy should spell out appropriate and inappropriate card uses, how uses will be monitored, and the consequences of policy noncompliance, including fraud. Policies should hold employees responsible for the activity on their card and for reviewing the statement for activity during each period. Those who violate the policy — especially fraudsters — should face zero-tolerance consequences such as termination and prosecution. Moreover, there must be regular monitoring and auditing of policy compliance and uses, including surprise audits.</li><li><strong>Encourage a culture of trust, honesty, and awareness among employees.</strong> This should include "open door" measures that make it easy for employees to come forward with their concerns about suspicious behaviors. The most recent ACFE report notes that organizations most often detect fraud through tips (43.5 percent in large organizations). Internal audits (18.6 percent in large organizations) are a distant second.<br><br>Employees should know the organization's fraud prevention procedures. One of the biggest deterrents to employee credit card fraud is simply knowing that people are watching, are aware, and will report fraudulent activity, if necessary.<br><br>Organizations also should train employees on how to recognize signs of credit card fraud, such as how to tell whether a credit card terminal, ATM, or gas pump has been tampered with. Employees should know how to recognize a stolen card. The major credit card companies all have procedures for handling such situations, and these should be learned. Similarly, organizations should work with their suppliers and customers to ensure they are familiar with both legitimate and illegitimate kinds of purchases made by employees. Subscribe to credit card company alerts of significant or unusual transactions and investigate them immediately.</li><li><strong>Establish multiple controls over credit card use and authorizations.</strong> That includes obvious controls such as limiting the number of credit cards and authorized card users, as well as using as few providers and cards as possible. Establish credit limits to reduce the organization's risk exposure. Allow little or no ability to obtain cash advances. All authorized users should have their own unique cards that they are responsible for, and cards should not be loaned or be available to others. Establish procedures for reimbursements, including to prevent double dipping — employees can submit expense receipts for reimbursement, or they can use the company card, but not both. Collect and cancel cards when employees leave the organization. Also, have the capacity to quickly report loss, theft, or unauthorized use. Maintain in a secure area a list of credit cards by issuer, account number, authorized user, and issuer phone number so that contact can be made quickly. Prompt notification can reduce or eliminate responsibility for fraudulent charges.</li><li><strong>Monitor credit card activity closely — and let employees know the organization is watching.</strong> Receive and review credit card statements intact, because copies can be altered, revised, or edited. Establish a credit card statement cut-off date for all cards that allows the organization to obtain, review, and post credit card activity once a month and before month-end to facilitate accounting. Review credit card activity for the type of expenditure, the vendor, and the reasonableness of the amount. As the credit card is used, insist that original receipts be obtained as part of the documentation for the expenditure. Do not let the invoice, the credit card receipt, or the credit card statement be the only supporting piece of documentation. Review expense reimbursement claims and compare the expense report activity to the organization's credit card statement, scrutinizing for the same vendor and amounts. Be alert to altered amounts and claims, as well as expense report claims made months after the original charge was made. Analyze expenses, compare them to budget, and investigate variances.</li><li><strong>Keep up to date with technological advances, such as online payments, and the fraudulent activity that is occurring with them.</strong> There has been a massive increase in online credit card fraud, with transactions made using stolen card details estimated to have more than doubled since 2011. Card skimming, including via ghost terminals, is one example. Many organizations are now using chip technology that protects them from incurring liability for counterfeit fraud that occurs at their point of sale. Password protection (including regular password changes) for accounting and point-of-sale software, and administrative controls that assign specific functions only to the employees who need them, are also common. Biometrics (Apple's iPhone X Face ID is a recent example), geolocation, and social media are all either in use or being researched for risk-based customer authentication. Organizations need to learn and implement these technologies as they evolve.</li></ul>Art Stewart
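<p>The double-dipping, altered-amount, and late-claim checks recommended under "Monitor credit card activity closely" can be automated. The following is an added example, not code from the article or from any organization it mentions; the card statement and expense claims are constructed, and the 90-day staleness threshold and the three-day matching window are assumptions.</p>

```python
from dataclasses import dataclass
from datetime import date, timedelta
import re


@dataclass(frozen=True)
class CardCharge:
    """One line from the organization's card statement (constructed data)."""
    cardholder: str
    charged: date
    vendor: str
    amount_cents: int


@dataclass(frozen=True)
class ExpenseClaim:
    """One line from an employee's expense report (constructed data)."""
    claim_id: str
    employee: str
    charged: date      # expense date as stated on the claim
    submitted: date    # date the reimbursement claim was filed
    vendor: str
    amount_cents: int


def normalize_vendor(name: str) -> str:
    """Fold case and punctuation so 'ACME Hotel, Inc.' matches 'acme hotel inc'."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


def _candidates(claim, statement, window_days):
    """Card lines for the same person and vendor within +/- window_days."""
    vendor = normalize_vendor(claim.vendor)
    window = timedelta(days=window_days)
    return [
        c for c in statement
        if c.cardholder == claim.employee
        and normalize_vendor(c.vendor) == vendor
        and abs(c.charged - claim.charged) <= window
    ]


def find_double_dips(claims, statement, window_days=3):
    """Claims whose vendor and exact amount also appear on the employee's card:
    the company already paid once, so a reimbursement is 'double dipping'."""
    return [
        (claim.claim_id, charge)
        for claim in claims
        for charge in _candidates(claim, statement, window_days)
        if charge.amount_cents == claim.amount_cents
    ]


def find_altered_amounts(claims, statement, window_days=3):
    """Same person, vendor and date window but a different amount: the claimed
    figure may have been altered. Returns (claim_id, claimed_cents, card_cents)."""
    return [
        (claim.claim_id, claim.amount_cents, charge.amount_cents)
        for claim in claims
        for charge in _candidates(claim, statement, window_days)
        if charge.amount_cents != claim.amount_cents
    ]


def find_stale_claims(claims, max_age_days=90):
    """Claims filed more than max_age_days after the charge they describe
    (the 90-day threshold is an assumption, not from the article)."""
    return [
        (claim.claim_id, (claim.submitted - claim.charged).days)
        for claim in claims
        if (claim.submitted - claim.charged).days > max_age_days
    ]


# Constructed sample data: one month's card statement and four expense claims.
STATEMENT = [
    CardCharge("jdoe", date(2017, 9, 4), "ACME Hotel, Inc.", 21850),
    CardCharge("jdoe", date(2017, 9, 5), "City Taxi", 3200),
    CardCharge("asmith", date(2017, 9, 12), "Office Depot", 9999),
]
CLAIMS = [
    # Legitimate out-of-pocket expense with no matching card line.
    ExpenseClaim("C-1", "jdoe", date(2017, 9, 6), date(2017, 9, 20), "Airport Parking", 4500),
    # Double dip: the hotel was already paid on the company card.
    ExpenseClaim("C-2", "jdoe", date(2017, 9, 4), date(2017, 9, 20), "acme hotel inc", 21850),
    # Altered amount: the card shows a $32.00 fare, the claim says $82.00.
    ExpenseClaim("C-3", "jdoe", date(2017, 9, 5), date(2017, 9, 20), "City Taxi", 8200),
    # Stale claim: filed nearly five months after the stated expense date.
    ExpenseClaim("C-4", "asmith", date(2017, 5, 1), date(2017, 9, 25), "Office Depot", 1200),
]


def reconcile(claims=CLAIMS, statement=STATEMENT):
    """Run all three checks; the auditor pulls receipts for every claim returned."""
    return {
        "double_dip": find_double_dips(claims, statement),
        "altered": find_altered_amounts(claims, statement),
        "stale": find_stale_claims(claims),
    }
```

<p>Calling <code>reconcile()</code> on the constructed data flags C-2 as a double dip, C-3 as a possible altered amount, and C-4 as a stale claim, leaving the legitimate C-1 untouched.</p>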
The Script-boosting Bribery Scheme<p>John Kapoor, the majority shareholder at pharmaceutical company Insys Therapeutics who stepped down as chief executive in January, was arrested and charged with engaging in conspiracies to commit racketeering, mail fraud, and wire fraud. Kapoor and six other chief executives who have been charged participated in a scheme to bribe doctors to prescribe Subsys, an under-the-tongue spray cancer pain drug that contains fentanyl, an addictive synthetic opioid. The defendants also tried to defraud insurers who were reluctant to pay for Subsys when it was prescribed to patients who did not have cancer.</p><h2>Lessons Learned</h2><p>For fraudsters, the worldwide crisis related to opioid drugs is another opportunity to profit. Not only do we need to worry about drug cartels and dealers, but also drug companies, "bad apple" doctors, and even some hospitals. What can auditors learn from this story?</p><p>Regulators, enforcement agencies, and auditors need to keep the pressure on detecting and uncovering these kinds of fraud schemes, and shed light on the practices that support them. That includes:</p><ul><li><strong>Requiring and enforcing better monitoring and reporting from companies involved in the sale of higher risk drugs, such as fentanyl.</strong> Recent U.S. Department of Justice cases show that these companies knowingly and/or negligently supplied opioid drugs such as OxyContin to obviously suspicious physicians and pharmacies and enabled the illegal diversion of them into the black market, including to drug rings, pill mills, and other dealers. These companies are supposed to set up monitoring programs to make sure that opioid drugs do not get into the wrong hands, and to watch out for shady physicians and pharmacies, unusually large orders, or suspiciously frequent orders. Better scrutiny of these monitoring programs on a regular basis could help deter fraudulent practices. And bigger penalties for gaps in these programs could help prevent larger fraud schemes and a deeper crisis.</li><li><strong>Insurers need to take a tougher stand in questioning and rejecting payments to companies where prescriptions do not clearly meet established criteria.</strong> In our story, Insys executives pushed for approval of payment for Subsys when it was prescribed to patients who did not have cancer.</li><li><strong>By writing factual audit reports with balanced recommendations, auditors can help the medical profession improve its self-regulation against bribery.</strong> There are several key areas for improvement. Doctors often decide which medications to prescribe based on which drug is the most popular choice of their colleagues and, in turn, on the effectiveness of drug companies' marketing and advertising efforts. Those efforts frequently constitute bribery, such as when pharmaceutical companies offer financial kickbacks for prescribing medicines and drugs (as in our story). The form of the bribe can be subtler, though, such as paying doctors speaker fees or providing food and entertainment to medical practitioners. Or physicians will be sent on exotic vacations in exchange for listening to lectures about the companies' drugs for a few hours of the day. Hospitals can be involved, too — some entice physicians by offering special incentive deals that give doctors valuable gifts if they schedule surgeries when the hospitals are looking for business. All of these practices deserve better scrutiny and perhaps tighter regulation within the medical profession.</li></ul>Art Stewart
The Bitcoin Pyramid<p>The U.S. Commodity Futures Trading Commission (CFTC) has filed a civil complaint alleging that a Bitcoin trading company CEO operated a Ponzi scheme that raised $600,000 from investors, <a href="" target="_blank"><em>CFO</em> magazine reports</a>. According to the complaint, Nicholas Gelfman, CEO of Gelfman Blueprint Inc. (GBI), promised investors a high monthly return on investment on Bitcoin trades, but paid profits to some investors using funds from new customers. Gelfman allegedly told investors the fund used a high-frequency computerized trading program to conduct trades. However, the CFTC says his company only executed trades on 17 calendar days between 2014 and 2016.</p><h2>Lessons Learned</h2><p>With a single Bitcoin recently valued at $6,000, this best-known form of cryptocurrency is a tempting target for both fraudsters and investors. Individual Bitcoins are created by computer code, with a maximum number that can exist of just under 21 million (there are currently around 16 million in circulation). Like all currencies, the value of Bitcoin is determined by how much people are willing to exchange it for.</p><p>To create Bitcoins, a procedure called mining must take place, which involves a computer solving a difficult mathematical problem with a 64-digit solution. For each problem solved, one block of Bitcoin is processed. To compensate for the growing power of computer chips, the difficulty of the puzzles is adjusted to ensure a steady stream of new Bitcoins is produced each day. To receive a Bitcoin, a user must have a Bitcoin address — a string of 27-34 letters and numbers — which acts as a kind of virtual post box. Since there is no register of these addresses, people can use them to protect their anonymity when making a transaction. Internal auditors are likely to see increased use of Bitcoin by institutions and companies (Microsoft now accepts them), as well as in fraud schemes, even if the currency becomes regulated by governments.</p><p>Nonetheless, the kind of comprehensive fraud strategy perpetrated in this story is a much more traditional, if bold, manipulation of unsuspecting investors. GBI allegedly misrepresented that investors would see an average 7 percent to 9 percent monthly increase in their Bitcoin balances, when in fact they did not. The company allegedly falsified individualized performance and balance reports to investors. In addition, GBI allegedly told investors its assets and performance were audited by a certified public accountant (CPA), when in fact they were not. Even a computer hack that supposedly caused the loss of nearly all GBI customer funds was faked, the CFTC claims.</p><p>Despite the "wild west" environment of cryptocurrency investment, this fraud may have been preventable if investors had sought answers to some basic questions before parting with their money:</p><ul><li><strong>How does the fund operate?</strong> Many acts of misrepresentation and falsification can be uncovered by asking questions and seeking information that investors should request with any investment activity. Perform reference checks of individuals and companies offering investment services, and check the credentials of any CPA or auditor. Take account statements to an independent advisor. Avoid long-term commitments to investment funds. Refer to regulatory sources about the risks and advisability of making investments.<br><br>More particular to this story, it may be difficult to spot Bitcoin Ponzi scams that promise to "double your bitcoin" overnight, or make some similar outlandish claim. But the only way to "double" one's money in such a scheme is to first send it to the promoters. These Ponzi schemes also typically have referral programs. For example, if an individual gets others to sign up for the site by visiting an affiliate link, he or she may make a few cents. This is another red flag.</li><li><strong>How does cryptocurrency work?</strong> Understanding the underlying technology that powers cryptocurrency can help investors avoid falling into traps with Bitcoin investments and trades. These basics include how digital currencies are mined via blockchain, how they are transferred from one party to another, and how currency exchanges and digital wallets function. There is a growing number of useful educational resources that can be used to gain a better understanding of cryptocurrency.</li><li><strong>How is cryptocurrency regulated?</strong> In the face of increased examples of Bitcoin-related frauds, the Bitcoin industry is beginning to self-regulate, with rules around who can invest and how. For example, some Bitcoin exchanges put users through a vetting process with several layers of security checks to help weed out bad actors.</li></ul>Art Stewart
Point of Weakness<p>Former Equifax Inc. CEO Richard Smith testified that the company's failure to implement a security patch led to the breach that compromised personally identifiable information of more than 145 million people, <a href="" target="_blank">The Verge reports</a>. The breach, disclosed in September, could expose those individuals to risk of identity theft and other frauds. Appearing before the U.S. House Energy and Commerce Committee, Smith acknowledged that the credit bureau had learned of the vulnerability in the Apache Struts web application software in March. Under questioning, Smith said the person responsible for communicating about security patches failed to do so in this instance, and a security scan had not detected the vulnerability. Smith resigned following the incident, along with Equifax's chief information and security officers. The company is under investigation by the Federal Trade Commission and Department of Justice.</p><h2>Lessons Learned</h2><p>Many articles have covered the recent attack on Equifax, which compromised names, birth dates, and Social Security numbers, among other sensitive data. As one of the largest information security breaches in U.S. history, there is much internal auditors can learn to help regulators, companies, and individuals potentially avoid such harm in the future.</p><ul><li><strong>Never rely on a single process or individual to implement a key anti-hacking measure.</strong> Equifax's former CEO testified that in March, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (U.S. CERT) notified Equifax and other companies of the need to patch a vulnerability in certain versions of Apache Struts. Equifax uses the software in its online disputes portal, a website where consumers can dispute items on their credit reports. Equifax's patching policy required patching to occur within a 48-hour time period. However, one employee was responsible for identifying the need to implement the patch and communicating that need to other applicable areas and staff within Equifax. Neither of those things happened. Just as there is a need for segregation of duties in financial controls, there should be parallel authority and processes in place to avoid such a lapse in information security controls.</li><li><strong>Security systems must be continuously updated and checked repeatedly for all potentially vulnerable systems and access points.</strong> Two weeks after Equifax received notice to patch its vulnerable software, its information security staff ran scans that should have identified any systems that were vulnerable to the Apache Struts issue, but the scans did not identify a problem. Hackers continually evolve their attack methods, and often that leaves internal security systems behind, meaning a threat will go undetected. Furthermore, the hackers accessed sensitive information for more than two months before Equifax's security controls detected the breach.<br><br>These factors add another dimension to the need for specific security controls around the most sensitive information kept by companies. In this case, once hackers had gained access to Equifax's online dispute portal, they were able to access a database table containing the personal information of millions of people. Traditional methods are no longer the only ways to anticipate these kinds of threats. For example, companies should be actively monitoring social media and the Dark Web to detect new trends and activities in threats such as hacking. Following the U.S. CERT request promptly would have been a more effective action.</li><li><strong>If the organization has been hacked — recover!</strong> On this point, Equifax seems to have done a somewhat better job once the security breach was detected, shutting down its consumer dispute website after suspicious network traffic was observed. And, following company policy, it retained a cybersecurity group to guide the investigation and provide legal and regulatory advice, engaged an independent cybersecurity forensic consulting firm to investigate the suspicious activity, and contacted the Federal Bureau of Investigation. The company made extensive efforts to analyze forensic data to identify and understand the unauthorized activity on the network. These efforts helped Equifax figure out what happened, what parts of its network were affected, how many consumers were affected, and what types of information were accessed or potentially acquired by the hackers.</li><li><strong>Don't wait until the organization has the perfect plan to communicate to its customers and stakeholders.</strong> It took Equifax several weeks to create a list of consumers whose personal information had been stolen before it publicly announced that the breach had occurred. While it's positive that this included the rollout of a comprehensive support package for consumers, the delay created considerable public anger and misunderstanding. That outcry may have contributed to government scrutiny and the eventual resignation of Equifax's CEO.</li></ul>Art Stewart
The Cashier Cash Thief<p>James Audette was a cashier and warranty clerk for a car service repair shop. His main responsibilities were submitting warranty claims and accepting payments from customers in the form of cash, check, or credit card. Audette quickly learned the ins and outs of handling customer payments and discovered that no receipt of payment was generated for service tickets that were covered by the customer’s extended warranty. Instead, those tickets were closed to accounts receivable (warranty companies). In addition to submitting warranty claims and accepting customer payments, Audette also was responsible for creating the journal entries and posting to the general ledger. On a monthly basis, the controller would review the journal entries and general ledger account to ensure everything balanced.</p><p>It was known that money was tight for Audette and his family. In addition, his son struggled with drug addiction, and he and his wife were continually trying to help him. On several occasions, Audette had taken out personal loans from the company, but he always repaid them on time. Audette rarely missed work and was always eager to work overtime, often staying late and volunteering to work weekends to satisfy his debts.</p><p>Audette was a loyal employee. One day, however, mounting family pressures led Audette to pocket a customer’s cash payment and record the ticket as warranty work. By classifying the ticket this way and establishing the receivable, the customer would not be billed at a later date and the customer’s account balance would be accurate. Audette began to routinely close customer tickets as warranty work and pocket the money when customers paid in cash. To conceal the fraud, he would clean the schedules each month by crediting accounts receivable and debiting labor (a cost of sale account), but would provide no journal entries for these “write offs,” thus making the general ledger balance appear to reconcile with the journal entries provided to the controller for his review and reducing the physical audit trail. This activity continued for several months, with the thefts becoming larger over time, until Audette was promoted to a new department within the company.</p><p>Lauren Simpson was hired to replace Audette as warranty clerk and cashier, but Audette maintained his old duties to conceal his previous thefts and continue to write off the receivables he created to avoid further detection. Simpson complained about Audette’s continued involvement in his old role, so the controller restricted his login access and alerted Russell Perez, the company’s internal auditor. Perez requested that Simpson run the accounts receivable schedules older than 90 days that were not paid. She pulled the tickets, which were stamped “paid in cash.” To confirm, the general manager called the customers on those tickets and inquired about their service and the ease of use of the “new credit card reader.” Each customer whose ticket was in question promptly responded by saying he or she had paid in cash and had not used the new credit card reader, thus confirming the theft of cash payments. Perez then examined the entire population of tickets closed out by Audette, going back several months, and uncovered additional tickets closed as warranty work that were actually paid in cash and later written off. Perez met with company management to discuss the likely magnitude and nature of the fraud.</p><p>Employees were alerted of the potential fraud and asked to come forward with information. Ironically, Audette came forward with his suspicions of a fellow employee. Consistent with company policy, employees were told they were going to be subject to a lie detector test. Audette never returned to work. When the company contacted him, he denied any knowledge of the fraud and stated that he did not want to work for a company that did not trust him and would accuse him of such actions.</p><p>Internal auditors worked closely with management following the detection of the fraud, performing a complete review of internal controls in the cash receipts function and other functions, as well. The comprehensive review served not only to decrease the perceived opportunity to engage in fraudulent activities among other employees, but also to detect any other abnormalities existing in other areas of the business. Internal auditors also emphasized the importance of more routine reviews of processes and key controls.</p><p>Audette’s employer did not want to consume company resources and effort with litigation, so he was never prosecuted. The fraud totaled $5,000 but was likely much larger, as the audit only went back a few months to the beginning of the fiscal year and further investigation did not ensue.</p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>Lessons Learned</strong><br><ul><li>Internal auditors must emphasize the importance of segregation of duties and closely monitor any possible exceptions. In this example, having one individual responsible for the collection of cash receipts and the subsequent recording (journalizing and posting) leaves an organization susceptible to the theft of cash.</li><li>Internal auditors must not assume that accounts that are in balance preclude the possibility of errors, omissions, or thefts.</li><li>Access controls should be immediately updated following an employee’s promotion, termination, or change of job responsibilities. Internal audit should be at the forefront of ensuring policies and procedures are in place to limit logical access and that such policies are being enforced, including through annual reviews.</li><li>Trend analysis would allow an organization to detect such fraud in a more timely manner, as the percentage of cash payments drastically increased, while the percentage of warranty service drastically decreased, over the period. Even basic analytics can form the foundation of an effective analytics program, while also limiting the perceived opportunity for fraud.</li><li>An audit of a small sample of warranty claims would have revealed that those tickets had previously been paid in cash.</li><li>Routine audits are vital for all cash processes. Even the knowledge of a potential audit can help mitigate the perceived opportunity to engage in fraudulent activities. Routine execution of the audit enhances the ability to detect existing abnormalities more quickly, thus mitigating the impact of any existing fraud.</li><li>Mandatory vacations and rotation of duties could have prevented the fraud from happening, or brought it to light sooner. Internal audit should be at the forefront of ensuring policies and procedures are in place that require mandatory vacations and that those policies and procedures are being enforced. Basic queries can easily identify employees not abiding by this policy, creating another simple, yet effective foundation for any data analytics/fraud detection program.</li><li>The most well-liked and loyal employees are capable of fraud, and often have the most opportunity to misappropriate assets. Internal auditors must continually exhibit objectivity and maintain professional skepticism through all aspects of their job.</li></ul></td></tr></tbody></table>Jamie L. Hoelscher
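<p>The analytics suggested in the lessons above (pulling aged, unpaid warranty receivables as Perez did, trend analysis of the payment mix, and a query for employees who skip mandatory vacation) can be expressed as a few queries over the ticket and leave data. This is an added example, not code from the case study or the company it describes; the tickets and leave dates are constructed, and the 90-day ageing, 15-point shift, and 365-day thresholds are assumptions.</p>

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Ticket:
    """One closed service ticket (constructed data)."""
    ticket_id: str
    closed: date
    closed_by: str
    method: str                    # "cash", "card" or "warranty" (closed to A/R)
    receivable_paid: bool = True   # warranty tickets: has the warranty company paid?
    stamp: str = ""                # stamp on the paper ticket, e.g. "paid in cash"


def aged_unpaid_warranty(tickets, as_of, min_age_days=90):
    """Warranty receivables still unpaid after min_age_days: the query Perez ran.
    Returns (ticket_id, closed_by, age_days, stamp) so a 'paid in cash' stamp on
    a supposedly unpaid receivable is visible without a second lookup."""
    return [
        (t.ticket_id, t.closed_by, (as_of - t.closed).days, t.stamp)
        for t in tickets
        if t.method == "warranty" and not t.receivable_paid
        and (as_of - t.closed).days > min_age_days
    ]


def monthly_mix(tickets):
    """Percent of each month's tickets closed as warranty and paid in cash."""
    buckets = defaultdict(lambda: {"n": 0, "warranty": 0, "cash": 0})
    for t in tickets:
        b = buckets[(t.closed.year, t.closed.month)]
        b["n"] += 1
        if t.method in ("warranty", "cash"):
            b[t.method] += 1
    return {
        ym: {"warranty_pct": 100 * b["warranty"] / b["n"],
             "cash_pct": 100 * b["cash"] / b["n"]}
        for ym, b in sorted(buckets.items())
    }


def mix_shift_alerts(tickets, baseline_months=2, max_shift_pts=15.0):
    """Months whose warranty share moves more than max_shift_pts (in either
    direction) from the average of the first baseline_months months."""
    mix = monthly_mix(tickets)
    months = list(mix)
    base = sum(mix[m]["warranty_pct"] for m in months[:baseline_months]) / baseline_months
    return [
        (m, round(mix[m]["warranty_pct"] - base, 1))
        for m in months[baseline_months:]
        if abs(mix[m]["warranty_pct"] - base) > max_shift_pts
    ]


def no_vacation_taken(last_leave_by_employee, as_of, max_days=365):
    """Employees whose last day of leave is more than max_days ago, or who never
    took any: the basic mandatory-vacation query the lessons recommend."""
    return sorted(
        emp for emp, last in last_leave_by_employee.items()
        if last is None or (as_of - last).days > max_days
    )


def _month(year, month, clerk, warranty, cash, card, fake_warranty=0):
    """Build one month's tickets. The first `fake_warranty` warranty tickets
    are unpaid receivables whose paper copy is stamped 'paid in cash'."""
    day, out, n = date(year, month, 15), [], 0
    for method, count in (("warranty", warranty), ("cash", cash), ("card", card)):
        for i in range(count):
            n += 1
            fake = method == "warranty" and i < fake_warranty
            out.append(Ticket(f"{year}{month:02d}-{n:02d}", day, clerk, method,
                              receivable_paid=not fake,
                              stamp="paid in cash" if fake else ""))
    return out


# Constructed data: two clean baseline months, then two months of the scheme.
TICKETS = (
    _month(2017, 1, "audette", 2, 5, 3)
    + _month(2017, 2, "audette", 2, 5, 3)
    + _month(2017, 3, "audette", 5, 2, 3, fake_warranty=3)
    + _month(2017, 4, "audette", 6, 1, 3, fake_warranty=4)
)
LAST_LEAVE = {"audette": None, "simpson": date(2017, 6, 10), "perez": date(2016, 5, 1)}
AS_OF = date(2017, 8, 1)

if __name__ == "__main__":
    print(aged_unpaid_warranty(TICKETS, AS_OF))
    print(mix_shift_alerts(TICKETS))
    print(no_vacation_taken(LAST_LEAVE, AS_OF))
```

<p>On the constructed data the aged-receivable query returns seven unpaid warranty tickets, every one stamped "paid in cash", and the trend check flags both scheme months against the two-month baseline.</p>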
The Building Tax Racket<p>The University of Houston and University of Texas systems have sued tax-credit consulting firm Alliantgroup, accusing it and architectural firm WHR of conspiring to obtain more than $1.6 million in unauthorized tax benefits from building construction projects at the two universities, <a href="" target="_blank">the <em>Houston Press</em> reports</a>. Alliantgroup and WHR applied for the credits under a provision of the U.S. federal tax code that allows building owners to obtain tax deductions for meeting energy-efficiency standards. Under Section 179D, government entities can allocate the tax deduction for their construction projects to private engineering and design firms that work on them. However, the universities allege that WHR misled unauthorized university representatives into signing the application forms.</p><h2>Lessons Learned</h2><p>Internal auditors likely will understand that a federal tax credit program aimed at increasing energy-efficient buildings is both laudable and fraught with fraud risks. In this case, there seems to be a need to improve both the University of Texas' and University of Houston's controls as well as the U.S. Internal Revenue Service's (IRS') controls and monitoring of the Section 179D deduction.</p><p><strong>Program monitoring, review, and audit officials need to ask specific questions and carefully examine documentation to uncover deceptive practices before the allocation.</strong> Individuals and organizations seeking to defraud governments to get access to grant or tax credit money frequently manipulate or falsify various details in the proposal or submission. Fraudsters can falsify any of the types of information required in support of an allocation of a Section 179D deduction from the owner of a government-owned building to the designer of a project:</p><ul><li>The name, address, and telephone number of an authorized representative of the owner of the government-owned building.</li><li>The name, address, and telephone number of an authorized representative of the designer receiving the allocation of the Section 179D deduction.</li><li>The address of the government-owned building on or in which the property is installed.</li><li>The cost of the property.</li><li>The date the property is placed in service.</li><li>The amount of the Section 179D deduction allocated to the designer.</li></ul><p>The last three elements listed above are especially susceptible to falsification and exaggeration. Other elements include:</p><ul><li>The signatures of the authorized representatives of both the owner of the government-owned building and the designer or the designer's authorized representative. Changing a person's title or job description to match the requirements that qualify him or her for signing off on the allocation is the problem here.</li><li>A declaration, applicable to the allocation and any accompanying documents, signed by the authorized representative of the owner of the government-owned building, in this form:<br><br>"Under penalties of perjury, I declare that I have examined this allocation, including accompanying documents, and to the best of my knowledge and belief, the facts presented in support of this allocation are true, correct, and complete."</li></ul><p><strong>Whistleblower programs can only work if there is unfettered access to the evidence given.</strong> A further issue compounding the IRS' ability to detect this kind of fraud would seem to be a significant gap in its whistleblowing program. According to news reports, some Alliantgroup employees allege the company helped its clients evade taxes. IRS agents wanted to impanel a grand jury to investigate the case, but IRS senior management overruled them without talking to the whistleblowers, according to a Bloomberg report. The IRS generally doesn't permit its most knowledgeable examiners — field agents handling audits — to speak to the whistleblowers at all, because of strict laws protecting taxpayer privacy and fears of accidentally sharing confidential information with whistleblowers. Perhaps that partially explains why, out of 1,300 whistleblower cases in the past six years, only three have resulted in financial awards.</p>Art Stewart
<h1>Aboard the Bribery Train</h1><p>Prosecutors in Sweden have charged a Bombardier employee with aggravated bribery, <a href="" target="_blank"><em>The Toronto Star</em> reports</a>. According to the charges, Evgeny Pavlov, a Russian national working for the Canadian plane and train manufacturer's Swedish branch, bribed a government official in Azerbaijan to help the company obtain a $340 million contract for a new railroad signaling system. Prosecutors are investigating other Bombardier employees in relation to the case.</p><h2>Lessons Learned</h2><p>Despite significant efforts by governments, regulators, and enforcement agencies in many countries around the world, corruption and bribery continue to be perpetrated by some of the world's largest companies and their employees. In addition to the allegations in this story, Bombardier is being investigated in Brazil, South Africa, and South Korea for various alleged bribery, corruption, and price-fixing activities. The amounts of money and the potential reputational damage are staggering. What can internal auditors do to help?</p><p><strong>Be prepared to follow the money, people, and goods wherever they lead.</strong> According to news reports, Swedish authorities were investigating a business structure in which equipment built by Bombardier's Swedish affiliate for the project allegedly was sold to a U.K.-based shell company called Multiserv Overseas. Multiserv is owned by a company based in Belize and has business interests in other tax havens and links to Russian businessmen. Multiserv then sold the same equipment to Bombardier's Russian affiliate at a steep markup. Costs were inflated by 400 percent in some cases.</p><p>In one example, Multiserv purchased signaling equipment for around $19 million. Multiserv then sold the same equipment to Bombardier's Russian affiliate for $104 million, a markup of $85 million.
Multiserv allegedly kept some of the profits and passed the balance along to officials in Azerbaijan as bribes in exchange for favoring the Bombardier contract, even though that bid was ranked fifth.</p><p>These kinds of multistep transactions that cross companies and countries may be somewhat complex, but they are common for multinational corporations. Auditors need to ask questions and carefully examine all available documentation to obtain a clear picture of these transactions.</p><p><strong>An anti-corruption policy and compliance regime is a necessary, but not always sufficient, preventive measure.</strong> Bombardier officials said Multiserv had been verified and checked out according to its internal compliance policies. They also said, "As always, we are committed to operating in full compliance with all legal rules and requirements and our own high ethical standards." What is missing is any evidence that the company had asked auditors to systematically assess and report on the effectiveness of its anti-corruption and compliance policies and processes.</p><p>Numerous companies have well-thought-out and articulate anti-corruption regimes (for one example, see <a href="" target="_blank"></a>). These regimes need to be regularly and systematically tested. Potential areas of weakness include:</p><ul><li>The role of the chief compliance officer and how well he or she executes, or is allowed to execute, his or her responsibilities.</li><li>The adequacy of records and controls over anti-corruption and compliance regimes. These must capture the movement of money and goods.</li><li>The scope and strength of sanctions. Sanctions frequently are disproportionately small in relation to the potential gains resulting from bribes and corruption.</li></ul><p>On this latter point, governments themselves need to examine their own resolve to deal with the problem.
The Canadian government recently pledged to lend Bombardier CAN$372 million and stated it did its due diligence in advance. Canada also said Bombardier is a significant contributor to the Canadian economy, and it would be premature for the government to consider suspending its agreement with the company. The balance between economic contribution and ethical behavior also is an important consideration when aiming to prevent fraud and corruption.</p><p>Art Stewart</p>
<h1>Overstating Profits</h1><p>Software company Globalscape announced it would be restating its fourth-quarter earnings after an internal forensic audit discovered transactions that "circumvented the company's internal controls," according to the <a href="" target="_blank"><em>San Antonio Express-News</em></a>. The audit found "improper arrangements" with customers that led the San Antonio-based company to overstate its year-end accounts receivable by $403,000 and its fourth-quarter license revenue by $396,000. Globalscape shares fell 23 percent on the day of the announcement.</p><h2>Lessons Learned</h2><p>Whether deliberate or not, misstatements of revenues and earnings by companies are a major concern for financial regulators and auditors. Within the last year, the U.S. Securities and Exchange Commission (SEC) alone has levied tens of millions of dollars in fines against large, diverse companies such as Ener1 Battery, Logitech, and Monsanto. This story is a good opportunity for internal auditors to refamiliarize themselves with why companies and their employees misrepresent earnings, and what auditors should be on the lookout for when auditing financial information.</p><p>The motivations for manipulating revenue and earnings statements generally fall into four categories:</p><ol><li><em>Bonuses (and jobs) depend on it.</em> Performance-based bonuses have now been around for a few decades, and an increasingly large portion of executive compensation is tied to hitting certain performance targets. In many cases, these are adjusted, non-GAAP (Generally Accepted Accounting Principles) metrics that are designed to enable CEOs to always hit those incentive targets. Stock prices and shareholder interests also are involved.</li><li><em>A desire to "lower the bar."</em> Many cases of earnings misrepresentation actually involve companies <em>decreasing</em> their earnings.
While counterintuitive at first, hitting their objectives often is more important to executives than the amount by which they do so.</li><li><em>Everyone else does it.</em> As soon as one company in an industry starts manipulating its numbers, other companies in the same region or industry are pressured to follow suit or get left behind.</li><li><em>There still is too little real accountability.</em> Despite efforts by the SEC, companies and executives — and sometimes auditors themselves — continue to manipulate financial information.</li></ol><p><strong>Auditors can never rely solely on the past when assessing whether misstatements or fraud may be involved.</strong> For example, an external audit firm may have had the same audit client for many years with no concerns about revenue misstatement in previous audits. But both internal and external auditors must always be aware of what is happening and changing, both in the broader environment and for the company being audited. For example, in this story, Globalscape recently introduced a new product line. A common technique in terms of sale is to provide special offers that allow potential buyers to pay later and even return goods, while revenues and earnings are counted up front. If such special offers exist, the auditor must perform procedures beyond simply inspecting documents.</p><p><strong>Revenue and earnings manipulations can be hard to spot, even when manipulation turns to fraud.</strong> The financial operations and associated financial statements also may be complex. For some time, regulators and auditors have been turning to big data and analytical routines to examine patterns in financial information that may reveal misstatement or fraud. The SEC is using an econometric-based quantitative analytic model called the Accounting Quality Model (AQM).
AQM is designed to identify earnings management by, among other things, determining whether a registrant's financial statements stand out from those of other filers in its industry. Some examples of the more specific indicators that are examined and risk scored include total accruals versus discretionary accruals — the model treats estimated discretionary accruals as risk indicators that could be manipulated — or an accounting policy in which a high proportion of transactions are structured off-balance sheet. Of course, the results of this kind of analytical work form the basis for further investigation, rather than prima facie evidence of wrongdoing.</p><p><strong>More generally, auditors must appreciate why it's important to understand the entity, its environment, and the assertions — along with the associated fraud risks.</strong> That includes how the entity earns and records revenue, and the types of revenue and revenue transactions. Auditors should analyze more qualitative elements such as the experience and credibility of the management team, because they set the tone or culture under which the company's internal accounting function will operate. Moreover, they should bear in mind the four main motivations for financial manipulation. Professional skepticism and critical thinking are essential tools to apply. Once auditors have identified the risks, they must design audit procedures to respond specifically to those risks. These procedures may be different for each type of revenue or revenue transaction. For a helpful example of a specific methodology and guidance, as well as the auditor's responsibility related to fraud in financial statements, see Canadian Auditing Standard 240 and CPA Canada's Implementation Tool for Auditors at <a href="" target="_blank"></a>.</p><p>Art Stewart</p>
<h1>The Wrong Way to Battle Bad Press</h1><p>A convicted fraudster was arrested by the FBI and charged with hacking into websites and threatening news outlets that had published stories about crimes he committed in Canada, the <a href="" target="_blank"><em>National Post</em> reports</a>. The FBI says Andrew Rakhshan contacted employees of news sites such as Canada's CBC network and offered them money to take down stories related to his 2014 fraud conviction and deportation from that country. When that didn't work, he allegedly threatened to carry out distributed denial of service (DDoS) attacks on those websites. In one case, he allegedly carried out a DDoS attack on a legal documents website. The news stories covered a case in which Rakhshan was convicted of using counterfeit credit cards tied to banks in Australia, Brazil, France, the U.K., and other countries to purchase a yacht and several automobiles valued at CAN$500,000.</p><h2>Lessons Learned</h2><p>Not surprisingly, individuals, companies, and institutions not only have to prepare for, detect, investigate, and prosecute fraudsters, they also must be ready to defend themselves against threats and reprisals (including DDoS attacks) when those same fraudsters want to make the trail of their crimes disappear afterwards. DDoS attacks are being used more and more as a tool for many kinds of malicious activity, including fraud and reprisals, and their sophistication and dynamic nature are increasing to the point that last year's solution may no longer work. Internal auditors therefore need to continuously update their knowledge and advice to help reduce the risks and impacts of these attacks.</p><p>To better fight DDoS attacks, auditors first must understand how they work. Simply put, a DDoS attack attempts to push a website off the internet by flooding it with data. Increasingly powerful tools are available that anyone can download and use to trigger such attacks.
The software directs overwhelming amounts of dummy traffic, created by custom scripts, at a website: the attacker types in its URL and watches the tool generate fake user after fake user in an effort to overload the site's servers and bring it down.</p><p>Attacks on larger, more sophisticated networks are accomplished via a combination of DDoS tools that include botnets — collections of compromised computers that can be directed to perform a unified action. Their job is often made easier by the numerous Domain Name System (DNS) servers that exist to translate domain names into IP addresses. Freeware tools are available that contain a database of known vulnerable DNS servers on the internet. A very small request packet sent to a vulnerable DNS server can elicit tens of thousands of bytes of information in response, and the server sends that response as if it were answering a legitimate client. These requests can be efficiently generated and multiplied to overwhelm a large system. It also does not take much bandwidth to attack a login server and prevent access to services. And anyone can rent a botnet, even though doing so is illegal. (Just about everyone is vulnerable: To get a small idea of this, visit <a href="" target="_blank"></a> to see what other people can view from your connection.)</p><p>What can auditors assess and recommend to help their organization plan against and mitigate DDoS attacks?</p><ul><li><strong>Organizations must not give in to fraudsters' demands</strong> that evidence of their crimes be taken down from websites. They should involve police and regulatory authorities immediately and implement attack readiness measures, based on having already kept their DDoS risk mitigation up to date.</li><li><strong>Use cloud services or outsourcing.</strong> Organizations can use cloud services that offload excessive traffic while DDoS attacks are happening, so that their own networks do not have to deal with the overload.
Some large providers specialize in scaling infrastructure to respond to attacks and can implement cloud scrubbing services that remove most of the problematic traffic before it ever hits a target's network. During an attack, DDoS mitigation providers can reroute traffic destined for the target's network to a mitigation center, where it is scrubbed and legitimate traffic is then forwarded on. These services are priced on a sliding scale, so they are not just for large organizations.</li><li><strong>Fortify network architecture.</strong> Disperse organizational assets to avoid presenting a single rich target to an attacker. Locate servers in different data centers. Also ensure that data centers are located on different networks, with more than one pipe to the internet. Data centers also should have diverse paths. And data centers, or the networks they are connected to, should have no notable bottlenecks or single points of failure.</li><li><strong>Scale up network bandwidth.</strong> For high-volume attacks, many large organizations scale bandwidth up to be able to absorb a large volume of traffic. However, other organizations may not be able or willing to pay for the network bandwidth needed to handle some of the largest attacks.</li><li><strong>Deploy and keep updating hardware</strong> that can handle known attack types, and use the options built into that hardware to protect network resources. This will lessen, but not eliminate, the impact of an attack. There are many useful resources about these measures. A good starting point is the U.S. Department of Homeland Security's <a href="" target="_blank">DDoS Quick Guide</a> (PDF).</li></ul><p>Art Stewart</p>
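<p>The DNS amplification mechanism described in the post above (a tiny request drawing a response many times its size) leaves a footprint in the logs of any DNS server that is being used as a reflector. The following Python script is an added example written for this page; it is not from the original post, from Bombardier, or from the DHS guide. It assumes a resolver that logs one line per query in the constructed format shown in <code>constructed_log()</code> (timestamp, client address, query name, query type, request bytes, response bytes); the sample lines, the reserved TEST-NET addresses, and the thresholds are constructed assumptions. It groups queries by source address and flags sources whose response-to-request byte ratio or burst rate is abnormal, which is what an operator would want an auditor to ask for as evidence that their own servers are not being abused.</p>

```python
"""Spotting DNS amplification abuse in resolver query logs.

Added example (not from the original post). It assumes a DNS server that
logs one line per query in the format produced by constructed_log(); real
resolvers use different formats, so parse_line() would need adapting.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class QueryRecord:
    ts: float        # seconds since epoch
    client: str      # source address as seen by the resolver (spoofed in an attack)
    qname: str
    qtype: str
    req_bytes: int
    resp_bytes: int


def constructed_log():
    """Return constructed sample log lines (not captured traffic).

    Format: "<ts> <client> <qname> <qtype> <req_bytes> <resp_bytes>".
    Addresses come from the TEST-NET ranges reserved for documentation.
    """
    lines = []
    # A normal client: five small A lookups spread over a minute.
    for i in range(5):
        lines.append(f"{1000 + i * 12} 192.0.2.10 www.example.com A 60 124")
    # A suspect source: forty ANY queries in four seconds, each drawing a
    # large response, i.e. the resolver is being used as an amplifier.
    for i in range(40):
        lines.append(f"{1200 + i * 0.1:.1f} 203.0.113.5 example.org ANY 64 3280")
    return lines


def parse_line(line):
    ts, client, qname, qtype, req, resp = line.split()
    return QueryRecord(float(ts), client, qname, qtype, int(req), int(resp))


def peak_rate(timestamps, window):
    """Largest number of queries that fall within any span of `window` seconds."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        # j only moves forward: the window [ts[i], ts[i] + window] slides right.
        while j < len(ts) and ts[j] - ts[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def analyze(lines, window=10, rate_threshold=30, ratio_threshold=10):
    """Per-client summary with flags for query bursts and amplification ratio."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_client[rec.client].append(rec)

    report = {}
    for client, recs in by_client.items():
        req = sum(r.req_bytes for r in recs)
        resp = sum(r.resp_bytes for r in recs)
        ratio = resp / req if req else 0.0          # bytes out per byte in
        rate = peak_rate([r.ts for r in recs], window)
        flags = []
        if ratio >= ratio_threshold:
            flags.append("high_amplification")
        if rate >= rate_threshold:
            flags.append("query_burst")
        report[client] = {
            "queries": len(recs),
            "amplification": ratio,
            "peak_rate": rate,
            "top_qtype": Counter(r.qtype for r in recs).most_common(1)[0][0],
            "flags": flags,
        }
    return report


def flagged_clients(report):
    """Sorted list of client addresses that tripped at least one flag."""
    return sorted(c for c, v in report.items() if v["flags"])


if __name__ == "__main__":
    rep = analyze(constructed_log())
    for client in flagged_clients(rep):
        v = rep[client]
        print(f"{client}: {v['queries']} queries, peak {v['peak_rate']}/10s, "
              f"amplification x{v['amplification']:.1f}, "
              f"top type {v['top_qtype']}, flags={v['flags']}")
```

<p>A flagged source is not necessarily the attacker: in a reflection attack the "client" address is the victim the responses are being aimed at, which is exactly why the finding matters to the server's operator. The usual remediation is to stop answering recursive queries for arbitrary internet clients and to rate-limit responses per source, both of which this kind of report can be re-run to confirm.</p>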
<h1>The Costly Parking Lot</h1><p>A 10-month audit investigation has questioned the CAN$12 million price tag for a proposed land purchase by the Toronto Parking Authority (TPA), as well as the process the authority used to put the deal together, the <a href=""><em>Toronto Star</em> reports</a>. The Auditor General's report to the city's audit committee noted that parking authority executives discussed the deal in secret, and there were possible conflicts of interest involving lobbyists and consultants with previous connections to the owner of the five-acre plot. An independent appraisal ordered by the TPA valued the land at CAN$7.5 million, but the audit report points out that one of the consultants who had helped determine the value of a digital sign located on the land had put together the original deal for that sign for the landowner. The Auditor General concluded that the TPA's actions created "unnecessary risk" of overpaying for the land, but that there was no evidence that TPA staff members or the sign consultant would directly benefit from the deal. The deal is currently on hold.</p><h2>Lessons Learned</h2><p>Since this story was written, an interim board overseeing the TPA has appointed an interim president, and Toronto's city council has voted to suspend TPA board members over the questionable land deal. An independent investigation is also underway, which could result in authorities filing fraud charges.</p><p>In any event, several systemic issues arising from this complex case need to be addressed, all of which fall into the broad subject of preventing fraud, bribery, and corruption in local governments. In outlining some of the key issues illustrated by this story, I've drawn upon a few resources.
One resource that internal auditors may find particularly useful, although it is focused on Canadian examples, is <a href="">Municipal Best Practices — Preventing Fraud, Bribery, and Corruption</a> (PDF), published by the International Centre for Criminal Law Reform and Criminal Justice Policy.</p><p>Organizations need to identify, assess, and implement measures, such as policies, system controls, monitoring, and disciplinary measures, to mitigate key risk issues. These measures include:</p><ul><li><strong>Review all procurement and contracting policies and processes for municipal services and infrastructure projects.</strong> Misconduct can take the form of kickback brokers, bid rigging, and the use of front or shell companies. Corrupt tendering practices, kickbacks from suppliers, unfair procurement (intervention within the municipality to ensure an outcome), irregular municipal purchasing procedures, side payments to municipal purchasers, and procurement dealings based on insider links and arranged tender dealings are all variants of the kind of misconduct noted in this story.</li><li><strong>Look for potential conflicts of interest.</strong> Several forms of nepotism or cronyism may have been at play in this story, such as favoring family members, friends, and business contacts in municipal land deals. Hiring decisions and zoning regulation changes based on friendships among colleagues rather than disinterested analysis are additional risks. Where large sums of money are involved, strong conflict-of-interest policies need to be in place and followed strictly. The Toronto case is full of conflicts of interest: several people with a personal interest in the land deal might reasonably be expected to have influence over an elected official's performance of his or her duties, and there were obvious close links between developers and city officials.
Objective processes for establishing the fair value of property must be backed by requirements for detailed assessments, rather than informal estimates written on the backs of envelopes.</li><li><strong>Assess governance and accountability processes.</strong> There are numerous lapses in governance and accountability processes that need to be fixed. Local government officials appeared willing to ignore basic principles, if not legislation, that require land deals to be priced at fair market value through objective and independent decision making. There also are indications of misuse of authority and a lack of transparency, such as inappropriate use of in-camera meetings by TPA officials. A governance review of the city's decision-making bodies and authorities, with a view to identifying gaps, may be necessary.</li></ul><p>Art Stewart</p>



