Fraud

 

 

The Empty Boxes Schemehttps://iaonline.theiia.org/2015/the-empty-boxes-schemeThe Empty Boxes Scheme<p>​A Nigerian man living in Canada has admitted to scamming more than a dozen individuals in the U.S. out of US$13 million between 2009 and 2013, the <a href="http://www.azcentral.com/story/money/business/consumer/call-12-for-action/2015/03/02/fraud-victims-paid-worthless-boxes/24228211/" target="_blank"> <em>Arizona Republic</em> reports</a>. According to a plea deal, Alex Sualim said he recruited the individuals to act as distributors between a Chinese supplier, AEG Global Contracting Ltd., and a Canadian company, Agmine International Ltd. Agmine instructed the distributors that the boxes containing the silicon germanium-based semiconductors — a real material used in microchips — could only be opened under laboratory conditions, so they didn't open the boxes they received. The distributors were asked to send wire transfers to AEG via banks in Cyprus, Greece, and China, which escalated as the supplier repeatedly increased its minimum order level. Agmine turned out to be a fictional company, while the shipping invoices from AEG were forgeries. When some of the distributors became suspicious, they finally opened the boxes to find only packing materials. Sualim was arrested in 2013 following an investigation by the U.S. Federal Bureau of Investigation and the Internal Revenue Service.</p><h2>Lessons Learned</h2><p>This case exemplifies how the perpetration of fraud continues to evolve to become increasingly more sophisticated and encompass multitactic and international dimensions. At its root however, this is one form of advance-fee fraud — when fraudsters target victims to make advance or upfront payments for goods, services, and financial gains that do not materialize. There are many variations on this scheme, including West African letter or 419 fraud (419 refers to the section of the Nigerian criminal code dealing with advance-fee fraud); career opportunity scams; clairvoyant or psychic scams; check overpayment fraud; dating or romance scams; impersonation of officials; inheritance fraud; loan scams; lottery, prize drawing, and sweepstake scams; rental fraud; and work from home and business opportunity scams. There are even fraud recovery schemes. These common frauds create significant monetary losses not only for individuals but also for businesses and other organizations that fall victim to them.</p><p>Here are some guidelines on how organizations and internal auditors can detect and avoid advance-fee schemes:</p><ul><li> <strong>Follow the saying, "If something seems too good to be true, then it probably is." </strong>Stick to common business practices. Never consider business being carried out on the street corner in cash as legitimate. Also, be aware that, as in this story, the apparent source, tone, grammar, and overall style of emails and other forms of communications may be as polished and professional as would be expected from a reputable, established company.<br> </li><li> <strong>Be sure the organization knows with whom and what it is dealing.</strong> If the organization isn't familiar with the person, company, or product it plans to get involved with, it should learn more about them. Ask a lot of questions. Visit the company's location if possible, research the organization and its products, and consult with family, friends, an attorney, and experts such as at universities. For example, silicon germanium is potentially harmful to humans at certain stages of its production, so it might be credible that those particular stages should be controlled within a laboratory clean room. But instead of accepting a shipment of empty boxes, the victims in this case could have demanded that a sample of silicon germanium be sent for analysis to an independent laboratory they selected, with the subsequent report sent directly to them. <br> </li><li> <strong>Get a contractual agreement in writing and signed by all parties.</strong> Also, money spent up front to pay an attorney to review complex business agreements can save an organization even more money in the long run. Consulting a knowledgeable attorney is especially important when the organization doesn't understand the terms of the business or the agreement completely.<br> </li><li> <strong>Be skeptical of businesses that operate at a distance. </strong>Organizations and their internal auditors should be wary of businesses that can only be contacted by phone<strong> </strong>or email, or that operate out of post office boxes, mail drops, or without a street address. They also should be cautious of businesses that don't have a direct phone line, can't be reached, and must always return calls at a later date and time. In this story, the fact that victims were contacted by supposed officials of the Agmine and AEG companies, rather than by a single company contact, also was a potential red flag. Moreover, a legitimate company likely would need to be registered within a particular country for regulatory or taxation purposes, so a potential investor should verify whether that company has been registered. </li></ul><p>Additionally, organizations and their internal auditors should be cautious of business deals requiring upfront or unexpected increases in cash outlays. Also, they should avoid signing nondisclosure or noncircumvention agreements, which could prevent the organization from verifying the legitimacy of those with whom it is doing business. Scammers use these agreements as a threat to file civil suits against victims if they report their losses and business activity to law enforcement agencies.</p>Art Stewart026
Tech Fraud and the Small Businesshttps://iaonline.theiia.org/2015/tech-fraud-and-the-small-businessTech Fraud and the Small Business<p>​Like large companies, small companies may become victims of computer hardware thefts that can expose company information and records. Small businesses are easy prey for hackers, too. <em>The New York Times</em> recently reported that hackers have broken into the phone networks of small companies, rerouting thousands of unauthorized calls to premium-rate overseas numbers, resulting in more than US$100,000 in charges for the impacted businesses.<br></p><p>When small businesses and startup companies experience a fraudulent event, they may be hit disproportionally harder than larger organizations and have more difficulty absorbing the losses. For those companies, a significant fraud incident can harm their reputation, cost innocent employees their jobs, cause personal investments to be lost, and make creditors wary of helping the victimized business in the future. Despite such threats, many small-business executives underestimate their company’s fraud risk.<br></p><p>Small firms are particularly unprepared for today’s sophisticated high-tech frauds. Internal auditors can help educate small-business owners and executives about such threats and conduct reviews to identify potential vulnerabilities.<br></p><h2>Small and Vulnerable</h2><p>Small companies are more likely to experience fraud than large firms. In the past two years, 29 percent of reported occupational fraud cases occurred at companies with fewer than 100 employees, according to the Association of Certified Fraud Examiners’ (ACFE’s) <em>2014 Report to the Nations</em>. The median loss per fraud scheme for a small business is US$154,000, the ACFE reports. Small companies tend to be more susceptible to employee misconduct, lapses in technology oversight, unauthorized technology changes, a lack of internal controls, and inadequate segregation of duties.<br></p><p>Asset misappropriation is the most common fraud among all businesses, occurring in 85 percent of cases, although it typically is the least costly fraud. Corruption schemes make up one-third of small-business fraud cases, while financial statement fraud happens in 12 percent of such cases.<br></p><p>Many technology-related frauds spawn from information security incidents such as data breaches. The Ponemon Institute, an independent privacy and security research organization, reports that 55 percent of responding small businesses have had a breach, and 53 percent have had multiple breaches. But technology-related fraud can come from within, too. IT personnel were perpetrators of fraud in 3 percent of cases, the ACFE notes.<br></p><h2>Reducing Risk</h2><p>Internal auditors at small companies can help their organization reduce the risk of technology-related fraud. They should start with fraud basics like educating management about the signs of fraud and likely perpetrators, such as employees who are living beyond their means or experiencing financial difficulties.<br></p><p>From there, auditors should advise management about the many tangible and inexpensive actions even small businesses can take to address fraud, including implementing a code of conduct and anti-fraud policy. To detect wrongdoing sooner, executives should implement a whistleblower hotline that employees, customers, and vendors can access by phone and through the company’s intranet and extranet. According to the ACFE report, only 18 percent of small companies have fraud hotlines, compared with 68 percent of other businesses, yet hotlines reduce the median duration of fraud from 24 months to 12 months. Building fraud training into the internal audit plan can help educate employees about fraud red flags and empower them to speak up about possible incidents.<br></p><p>Beyond these basics, internal auditors at small firms need to address the likely technology enablers of fraud and review the effectiveness of their organization’s safeguards.<br><br><strong>Watch out for the top causes of technology-related fraud.</strong> Many types of network attacks can put small companies at risk of fraud. For example, phishing emails are a significant threat for small businesses and startups because they may not have any rules or policies about accepting such emails, monitor for potential phishing messages, or know how to resolve incidents that may result from someone responding to their content or clicking on a link contained in a message.<br></p><p>Small businesses are particularly vulnerable to data breaches and hacking attacks, which typically target electronic records. Auditors should look for leading causes of breaches such as employee or contractor errors, procedural mistakes, and lost or stolen laptops, smartphones, and storage media.<br></p><p>Small companies also need to guard against identity theft. Identity thieves seek their business account information, employer identification numbers, bank account numbers, or even key employee Social Security numbers. Making matters worse, small businesses do not receive the same protections as consumers in identity-theft cases.<br><br><strong>Plan regular and surprise audits in areas that may pose greater risk.</strong> Based on the company’s risk assessment, internal audit should conduct an occasional deeper-dive review of areas with potential risk from technology-related fraud.<br></p><ul><li>An intellectual property audit can assess the types of sensitive information the company retains — such as credit card and personally identifiable information — what it is used for, and where it resides on the organization’s computers and servers. Auditors can confirm whether the sensitive data is isolated or segregated, and determine whether encryption methods are used for protection.<br></li><li>Internal audit should test information security controls for the company as well as for outsourced vendors. Such tests should confirm the use of strong passwords, regular password changes, and regular updates of antivirus and anti-spy software on computers and servers. Auditors should verify that the company uses a secure, encrypted connection such as Secure Sockets Layer to protect sensitive data while in transit across the Internet and that it uses secure wireless connections throughout the business. Also, they should check that the company has implemented privacy and security policies — including what can be downloaded and appropriate use of social media — and that the company has processes in place to monitor what is being said online. Moreover, internal audit should review Service Organization Controls reports regarding outside vendor services and confirm that the controls are appropriate for the organization.<br></li><li>Other areas internal audit should review are financial operations, cash-handling processes, inventory, and related-party transactions.<br></li></ul><h2>A Matter of Survival</h2><p>While the ACFE reports that companies frequently lose 5 percent of their revenues to fraud, that can be a high price to pay for a young company trying to generate income and get off the ground. Internal auditors at small companies need to help the business prevent and monitor for technology-related fraud or run the risk that it will become a victim. <br></p>Alisanne Gilmore-Allen1345
Fighting Welfare Fraudhttps://iaonline.theiia.org/2015/fighting-welfare-fraudFighting Welfare Fraud<p>​The hiring of a full-time investigator has led to more arrests in welfare fraud cases and has generated more than US$1 million in savings for the Schuyler County, N.Y., government, the <a href="http://www.stargazette.com/story/news/local/2015/02/26/schuyler-benefit-fraud/24068687/" target="_blank"> <em>Elmira</em> <em>Star Gazette</em></a> reports. County officials say the new investigator has worked with the Department of Social Services' welfare fraud unit to investigate more than 300 cases and make 23 arrests for welfare fraud, grand larceny, and other charges. The county averaged only four to eight arrests in previous years, and it had a reputation as a welfare haven. </p><h2> Lessons Learned</h2><p>Schuyler County officials should be commended for taking appropriate action, including the hiring of a fraud investigator, to address government benefits fraud, a problem faced by local, state, and national governments worldwide. One statement made by the Schuyler County district attorney is particularly intriguing: "When we catch people, they get punished. It creates a deterrent for other people considering welfare fraud."</p><p>In that context, the two questions worth asking are "How do we know if we have the right deterrence mechanisms in place and that they are working?" and "Is the audit profession taking full advantage of fraud deterrence methods and thinking in the practice of auditing?" If fraud deterrence is effective, there should be little or no fraud being committed, with significant financial savings. My perspective, however, is that organizations and their internal auditors still need to invest further in improved fraud deterrence as well as enhanced detective skills and resources.</p><p>The "fraud triangle" (motive-rationalization-opportunity) has underpinned much of ​the thinking about what fraud is and how to address it for about 50 years. Efforts to "break the fraud triangle" by removing one or more of its three elements to reduce the likelihood of fraudulent activities have focused on eliminating opportunity. In turn, the opportunity element is generally considered to be the factor that is most directly affected by the system of internal controls, which is where organizations and auditors have invested much of their time and efforts in deterring fraud. Motive and rationalization are considered less measurable and therefore less controllable.</p><p>Emphasizing strong internal controls is not enough. Organizations with adequate controls shouldn't experience significant fraud, but unfortunately they do time and time again. Of course, no control can provide absolute assurance against fraud. Fraudsters who are sufficiently motivated to override or circumvent controls usually can find a way. </p><p>Although controls are a vital part of fraud deterrence, they need to be considered in a larger context. Economic crime ultimately is perpetrated through either force or deception. Recent U.S. crime statistics indicate that force is declining as a cause, while deception is increasing. Robbery, theft, and other crimes of force are the bailiwick of the young and undereducated. On the other end of the demographic spectrum, both older and more educated individuals have come to understand a valuable proposition: The best way to rob a bank is to work in or own one. </p><p>Further complicating this trend is the fact that one of the most important factors in deterring fraud is the degree of certainty that those who are caught will be punished, as compared to other factors such as how quickly or severely they will be dealt with. Criminal justice systems in the U.S. and other nations frequently punish corporate fraudsters much more lightly than street criminals even though the financial and operational damage to organizations is much greater. </p><p>Here are three strategies that could help organizations:</p><ul style="list-style-type:disc;"><li> <span style="line-height:1.6;"><strong>Organizations — particularly public-sector entities — and internal auditors should use the unique skills of anti-fraud specialists proactively.</strong> Many organizations employ such specialists, but they often are used reactively instead of proactively. Rather than using these specialists to solely investigate allegations of fraud once they have been reported, anti-fraud specialists also should be involved in fraud risk assessments to help identify key risk areas and help investigate them before fraud occurs. Moreover, awareness that the organization has anti-fraud specialists in place could increase the perception that illegal activity will be detected. </span><br><br> </li><li> <span style="line-height:1.6;"><strong>Ensure financial transparency where it counts.</strong> Since the Enron scandal, a distinct pattern has emerged: A growing number of corporate executives, insiders, and board members have lined their pockets at the expense of shareholders, customers, and taxpayers. Their methods vary and are often cloaked behind complex transactions that are not readily apparent to the organization's auditors. However, profits from illegal schemes nearly always find their way into the personal finances and spending habits of those involved, including large illegal profits being declared on personal tax returns. Corporate insiders have a fiduciary duty to act in their shareholders' best interests. Part of this duty should include their financial transparency. Auditors should be given full access to any financial information that bears on this issue, including personal tax returns and detailed banking records. Having such access makes financial transparency a significant and powerful deterrent, and it makes it more difficult for insiders to conceal ill-gotten gains.</span><br><br></li><li> <span style="line-height:1.6;"><strong>Auditors and their organizations need to better understand and adopt deterrence methods, including through research. </strong>There has been useful research into the psychological profiling related to human resources management decision-making and income tax compliance. Organizations have applied that research to better screen potential employees and target types of industries, groups, and individuals that are more likely to attempt income tax fraud. However, such research could never completely identify all of the factors involved in deterrence, and more research is needed into the many categories of occupational fraud. For example, when presented with seemingly identical opportunities and motives, why does one person or organization turn to fraud and another does not? More knowledge about fraud deterrence is likely to lead to different audit practices, compared to fraud detection, and it could encourage organizations to adopt better fraud-prevention strategies.</span>​​</li></ul>Art Stewart0357
The Fraud Responsehttps://iaonline.theiia.org/2015/the-fraud-responseThe Fraud Response<p>​Despite efforts by businesses in all industries to tighten security, occupational crime and fraud remain a significant and growing exposure. Today, prevention and timely detection of such crimes is critical.<br></p><p>Internal audit often assists with detecting, reporting, and remedying fraud, or helping with recovery. Given their skills and access to information, auditors can help their organization understand and manage occupational crime and fraud risks. Accordingly, some knowledge of how these risks are evolving and the best practices for dealing with them — as called for in Section 1210.A2: Proficiency of the <em>International Standards for the Professional Practice of Internal Auditing</em>  — will equip auditors to become more effective participants in their organization’s efforts to fight crime.<br></p><h2>A Culture of Integrity and Vigilance</h2><p>The U.S. Securities and Exchange Commission’s (SEC’s) Whistleblower Program has alerted U.S.-listed companies to their responsibility to strengthen their internal anti-crime initiatives. A good starting place is fostering vigilance among all employees and promoting a culture of honesty and transparency. Moreover, employees need assurance that they can report internally without fear of retaliation and that the organization will respond promptly and appropriately.<br></p><p>Instilling a culture based on integrity involves:<br></p><ul><li>Having senior leadership establish the overall tone by citing integrity as a core value in company meetings, employee discussions, town halls, memos, emails, videos, and presentations.</li><li>Having supervisors and team leaders remind employees they are partners in the firm’s success and integrity is a core value.</li><li>Requiring all employees to participate in ethics training.</li><li>Encouraging employees to be guardians of the firm’s integrity. As a result, employees may report wrongdoing to appropriate people internally before contacting outside agencies such as the SEC.</li><li>Establishing a tip line. Anonymous telephone tip lines account for nearly 40 percent of all fraud discoveries, according to the Association of Certified Fraud Examiners (ACFE).</li><li>Looking internally to assess, control, and correct wrongdoing. Robust discussions about the whistleblower program underscore the organization’s emphasis on transparency and can encourage internal remedies.</li><li>Recognizing that the company’s leadership may have to reinforce its focus on integrity following mergers or acquisitions to indoctrinate new employees or during significant workforce reductions.</li><li>Establishing and communicating a zero tolerance policy that applies to all fraudulent activity, including the organization’s intent to prosecute all perpetrators.</li></ul><p></p><h2>The Crime Insurance Market</h2><p>Insurance is a significant potential financial remedy for occupational crime and fraud. Although in many cases internal auditors may not be aware of their organization’s insurance coverage, they typically become involved in the event of a loss.<br></p><p>The best time to meet with those responsible for such insurance coverage — usually finance, treasury, and risk management — is before an event occurs. Auditors should learn about their organization’s crime or fidelity insurance policy or coverage under its cyberrisk or property insurance. This gives them the opportunity to strategize with the risk manager about what they can expect from internal audit.<br></p><p>In turn, the risk manager can brief internal audit on coverage and the potential for outside, independent forensic accounting support that may be included in coverage as “investigations or professional fee coverage.” This outside help can further investigate a crime and pursue recovery. The partnership between such external resources and internal audit staff can be both cost-effective and optimal for gathering required internal documentation of the loss.<br></p><h2>When Fraud Is Suspected</h2><p>Investigators and risk advisers typically prepare for the worst. If an occupational crime or fraud incident is suspected, absent of urgent issues or threats to life or property, organizations should take these steps, which can be completed simultaneously:<br></p><ul><li>Conduct a preliminary investigation before notifying their insurer. This typically is performed by internal audit alongside the organization’s security function and general counsel.</li><li>Ensure the risk management function analyzes the company’s crime or fidelity insurance policy.</li><li>Give appropriate notice to their crime and property insurance carriers.</li><li>Note the time on their insurance policy to file “proof of loss.”</li><li>Note the time to file suit against the insurance carrier for nonpayment of a loss.</li><li>Follow up the preliminary investigation by conducting a thorough internal investigation, including efforts to identify all perpetrators and any conspirators and their method, as well as to determine the full extent of the loss.</li><li>Work with human resources, communications, operations, and other internal functions, as well as employment attorneys and outside counsel, to take steps to deal with potential employee issues.</li><li>Consider civil litigation against the perpetrators.</li><li>Consider criminal prosecution.</li></ul><p></p><p>Typically, the risk manager is directly responsible for arranging and coordinating insurance coverage and helping to marshal internal and external resources to address exposures to crime.  Still, a fraudulent event leading to a loss may not be communicated promptly to the risk manager. Because any delays can compromise an organization’s ability to collect its insurance recovery, it’s critical that internal audit share its initial findings with the general counsel and appropriate executives in finance, and include the risk manager as soon as a crime or fraud event is suspected.<br></p><p>Along with internal audit and risk management, members of an organization’s “crime team” may include in-house and outside counsel, security, an investigative specialist and forensic accountant, a broker claims advocate, and representatives from different business units. The principal roles leading an internal investigation include:<br></p><ul><li>The risk manager, who oversees the process and communicates directly with the organization’s insurance broker and carriers.</li><li>The in-house counsel, who manages the internal audit, investigation, litigation, and law enforcement activities, and controls costs.</li><li>The investigator and forensic accountant, who conduct the investigation under the external counsel (i.e., privilege) umbrella, working with in-house resources such as internal audit.</li><li>All members of the crime team, especially internal audit and risk management, should recognize that the organization’s fidelity and crime insurer has its own claims team — including the insurer’s in-house adjuster, external counsel, and a forensic accountant — that represents the insurer’s interests.</li></ul><p></p><h2>Proof of Loss</h2><p>An organization’s insurance policy dictates — and its insurer expects — the organization’s full cooperation in gathering all information necessary with respect to its loss. This response is always subsequent to the organization having filed an appropriate proof of loss in support of a claim. The proof of loss is a series of documents describing what happened and who did what to whom. That is followed by a well-documented calculation of the loss, including supporting documentation.<br>The internal audit staff will be tasked to supply information, documents, and data during this phase. In putting together this documentation, auditors should consider how much evidence is sufficient. The insurer will incur considerable expense to validate and develop the facts. Moreover, any proof provided must be objective and credible.<br></p><h2>Working With Law Agencies</h2><p>If any of the circumstances of the organization’s loss is remotely dangerous, the local police should be contacted. If danger is not suspected, internal auditors should work with the organization’s in-house counsel, security, and risk management functions to discern what the organization needs to do before acting.<br></p><p>Often, leadership or senior executives want the police to investigate right away. While that may be the correct decision, it is not always in the organization’s best interest to involve law enforcement immediately. Nonetheless, the organization may be required to involve law enforcement earlier in the process if its crime insurance policy dictates it. Auditors should check whether the policy requires simple notice or whether the organization must file a report and refer the matter. These two actions are vastly different.<br></p><p>Once the organization decides to involve law enforcement, it sets in motion a series of activities likely to affect its internal investigation. Law enforcement investigators generally are more open to accepting a new matter when a great amount of information is provided. They may be receptive toward the victim’s internal audit team upon understanding its methodology and seeing documentation. In collaboration with the organization’s forensic accounting team and investigators, the law enforcement efforts likely will be accelerated.<br></p><p>Law enforcement involvement also can affect the organization’s ability to gather evidence, identify collaborators, and bring perpetrators to justice. The organization should take care about which employees it suspends or terminates, and when, because  valuable information is at risk. A mistake here could prevent the organization from uncovering critical evidence. Furthermore, the organization may not be able to ascertain the full extent of its loss or identify any individuals who may have participated in the fraudulent activity or helped facilitate the crime. This may complicate efforts to fully recover any losses incurred from the crime or to avoid a recurrence of the problem in the future. Often, law enforcement expects the organization has done all it can within its administrative constraints to gather evidence and conduct interviews. Internal audit should document everything and preserve all notes, which may prove to be critical.<br></p><p>Once the case has been referred to law enforcement, even though the organization may be the victim with certain rights, investigators will likely make communication a one-way street. Moreover, if the matter goes to a grand jury, the organization will not be able to learn about information obtained by law enforcement through the grand jury.<br></p><h2>Who to Call</h2><p>Two crucial decisions are determining the appropriate time to call law enforcement and, more importantly, determining which agency to call. Referring the organization’s investigation to the wrong law enforcement agency or prosecutorial office can cause significant frustration, so it’s critical to understand the complexity and reach of the loss to avoid a misstep. Calling the wrong agency not only could delay the resolution of the matter, but it may result in lost evidence, a compromised or stalled investigation, unanticipated and adverse news coverage, business disruption, and employee distress.<br></p><p>Any investigation or search for assets may be outside the jurisdiction of local and state police. In the United States, matters reaching across state lines or outside the country may require federal assistance from the Federal Bureau of Investigation, Internal Revenue Service, Secret Service, Immigration and Customs Enforcement, Marshals Service, or Postal Inspectors. Although internal auditors should understand the issues associated with reporting a crime, identifying the appropriate law enforcement agency or prosecutorial office requires expertise that goes beyond the scope of the general counsel and typically requires the involvement of an outside criminal attorney or investigator.<br></p><p>Regardless of which agency is involved, the organization’s forensic accounting and internal investigation will provide law enforcement with the amount of loss, witnesses, statements, evidence, and a road map. A solid forensic investigation also can provide law enforcement with leads toward assets that may be vital for alternative restitution, such as recovery of investments and purchases the perpetrators made with stolen funds.<br></p><h2>Civil Litigation</h2><p>As a practical matter, investigative firms and risk advisers generally do not advocate filing law suits. However, there may come a time when the organization’s investigators will need bank records and other documents. For example, internal audit may determine early in the investigation that it wants to see the credit card or bank records of a current or former employee. A civil filing is the only option the organization has to obtain financial records without the account holder’s cooperation. In a U.S. criminal investigation, law enforcement would be able to obtain such records using search warrants and grand jury subpoenas.<br></p><p>Typically, civil litigation follows the investigation in the form of a subrogation action by the insurance carrier, which will seek to recover stolen funds or related assets and properties from the perpetrators. If litigation is inevitable, getting the process started sooner may be in the organization’s best interest.<br></p><h2>Vital to Anti-fraud Efforts</h2><p>Although internal auditors may not be experts in crime and fraud detection, they should be aware of these issues and the resources needed to address them. Ultimately, auditors are critical to their organization’s overall crime prevention initiatives and response activities.<br></p><p>Preparation is as important as prevention. The internal audit function should align with the risk management and legal departments to understand and anticipate potential occupational crime risks. Effective crime prevention should include quantifying worst-case scenarios as they typically would do for physical damage and business interruption exposures. Quantification also can help determine appropriate insurance coverage limits.<br></p><p>Finally, internal audit should collaborate within the organization to create an incident-response team for instances when fraud is suspected or substantiated. Auditors should be well read, provide appropriate notice, and help their organization recover any crime loss to the fullest extent. <br></p>Christopher J. Giovino11136
Foreign Briberyhttps://iaonline.theiia.org/2015/foreign-briberyForeign Bribery<p>​Canadian engineering firm SNC-Lavalin faces charges of paying CA$47.7 million (US$38 million) to Libyan officials to influence government decisions as well as defrauding organizations in that country through two of its subsidiaries, according to a <a href="http://www.ctvnews.ca/business/snc-lavalin-subsidiaries-charged-with-fraud-corruption-1.2243424" target="_blank">Canadian Press report</a>. It is the latest corruption allegation involving the company's operations in Libya. The Royal Canadian Mounted Police (RCMP) previously had charged two former SNC-Lavalin executives as part of a corruption investigation that began in 2011. Also, the company's former construction vice president has testified that he bribed the son of former Libyan dictator Moammar Gadhafi to help the company earn contracts. If convicted in this latest case, the company could face a 10-year ban from bidding on government contracts. </p><h2>​Lessons Learned</h2><p>The prosecution of SNC-Lavalin is the third, and by far the most significant, fraud case the RCMP has pursued under Canada's foreign anti-bribery law, the Corruption of Foreign Public Officials Act (CFPOA). Most of Canada's key trading partners have similar anti-bribery legislation, including the United States (Foreign Corrupt Practices Act) and the United Kingdom (Bribery Act 2010). Nations have enacted such laws in response to a long-term trend toward a global economy and the need to cooperate and establish cross-national legal and regulatory frameworks to protect governments, companies, and their citizens against fraud and corruption.</p><p>The CFPOA makes it a serious criminal offense for Canadian companies and individuals to bribe foreign government officials. Moreover, it is one of the tougher anti-corruption laws because the prohibition against bribery is broadly worded. Under the law, the purpose of the person paying the bribe is defined as obtaining an advantage in the course of business; bribery includes both direct and indirect (third party) bribery activity as well as conspiracy to offer or give bribes; and a bribe is defined as "anything of value." Each offense is punishable by up to 14 years in prison, and companies are liable for fines set at the court's discretion. Thus far, the largest fine imposed on a company under the CFPOA was CA$10.3 million (US$8.2 million) — five times the amount of the bribery involved. Companies that breach the CFPOA also may be banned from bidding on public-sector contracts in Canada and potentially abroad.</p><p>Some of the specifics of Canadian legislation and enforcement actions may not be precisely applicable to U.S. or international circumstances. However, companies that operate abroad and their internal auditors, as well as foreign companies that employ citizens of countries that have such anti-corruption legislation, need to be aware of these laws and take steps to comply. Furthermore, businesses need to be aware of the precise requirements of the anti-corruption laws in all countries in which they operate. This is best done through a compliance program that is based on an assessment of the risks the company faces, supported and verified regularly by the company's leadership, and backed by audit work by internal audit or an equivalent function. </p><p>Particular compliance elements that need attention — and that are relevant to the SNC-Lavalin case — include:</p><ul style="list-style-type:disc;"><li> <span style="line-height:1.6;"><strong>Good policies are a necessary but insufficient protection against bribery and corruption and their consequences.</strong> It's not enough to establish and globally monitor policies on ethics, conflict of interest, financial management — including accounting and reporting — and other areas. Criminal charges are not the only troubles faced by SNC-Lavalin. Class action lawsuits allege that SNC-Lavalin misled investors by claiming that it conducted itself as a "socially responsible citizen," and in compliance with a code of ethics, when it was actually paying bribes to Libyan government officials.</span> <br> <br>​<span style="line-height:1.6;">Cooperation with authorities also will not absolve or exonerate a company from the consequences of fraud and bribery. Although SNC-Lavalin cooperated with the RCMP investigation and strengthened its ethics and compliance policies along the way, the company still has been criminally charged.</span> <br> <br><span style="line-height:1.6;">Specific and detailed examination of on-the-ground practices needs to be conducted regularly. One of SNC-Lavalin's most senior executives already has been found guilty of making illegal payments totaling more than CA$56 million (US$44.7 million) to third-party agents in Libya, which were never appropriately recorded. The CFPOA makes it a criminal offense to falsify books and records for the purpose of bribing a foreign government official or of hiding bribery.</span> <br> <br><span style="line-height:1.6;">Internal auditors also should be looking for signs of other specific prohibitions, including:</span></li><ul><li><span style="line-height:1.6;">Noncompliance with authorized signatories delegations and limits on fees.</span></li><li><span style="line-height:1.6;">Maintaining off-books accounts.</span></li><li><span style="line-height:1.6;">Not recording or inadequately recording transactions, especially those involving large amounts paid to third-party agents on the company's behalf.</span></li><li><span style="line-height:1.6;">Recording nonexistent expenditures.</span></li><li><span style="line-height:1.6;">Inaccurately identifying liabilities.</span></li><li><span style="line-height:1.6;">Knowingly using false documents.</span></li><li><span style="line-height:1.6;">Destroying accounting books and records. </span></li></ul></ul><ul style="list-style-type:disc;"><li> <span style="line-height:1.6;"><strong>Accountability — both intentions a​nd actions count.</strong><strong> </strong>While the prosecutor must prove that the accused intentionally committed the acts constituting the offense, willful blindness also  satisfies the intention element. This means companies, including their senior officers, that deal with agents cannot overlook suspicions that the agent might be paying bribes, and they need to perform due diligence on agents. Using the CFPOA as an example, a company would be guilty of an offense under the act if one of its senior officers, acting within the scope of his or her authority, commits the offense or, knowing that a representative of the company is about to commit the offense, fails to take all reasonable measures to stop the representative from doing so. The law defines <em>senior officer</em> as anyone who plays an important role in establishing the company's policies or who manages an important aspect of its activities. Performance/accountability contracts within companies need to be crystal clear on these elements.</span></li></ul><ul style="list-style-type:disc;"><li> <span style="line-height:1.6;"><strong>Only in Canada, you say? </strong>Increasingly, bribery and corruption charges are being pursued outside the country that enacts legislation, and an anti-bribery compliance regime must address each location where a company operates. In Canada, the CFPOA was strengthened to include a provision for "nationality jurisdiction," which allows the law to apply to bribery offenses by Canadian companies and individuals in any part of the world in which the bribe is paid. This provision effectively creates a "you bring it along in your baggage" scenario for employees working abroad.</span> <br> <br><span style="line-height:1.6;">The crimes allegedly committed by SNC-Lavalin occurred before these provisions were enacted. As such, readers might think prosecutors face the potentially significant hurdle of proving the company committed the offenses in<em> </em>Cana​da — but guess again. In the only case to date dealing with whether bribing a foreign public official outside of Canada is an offense in Canada, the court convicted an Ottawa businessman of agreeing to bribe officials in India. The judge in that case took a broad view of jurisdiction, ruling that there was a real and substantial connection between the offense, its related transactions, and Canada, even though none of the elements of the offense had been committed in that country.​</span>​</li></ul>Art Stewart0555
When the Bill Doesn't Add Uphttps://iaonline.theiia.org/2015/when-the-bill-doesnt-add-upWhen the Bill Doesn't Add Up<p>​​B​ig Boy diner franchisee Frisch's Restaurants Inc. has filed suit against a former accounting executive for allegedly embezzling more than US$3.3 million from the company, the <a href="http://www.cincinnati.com/story/money/2015/01/20/frischs-top-exec-stole-millions/22038045/" target="_blank"> <em>Cincinnati Enquirer</em> reports</a>. An internal a​udit in December discovered cost discrepancies between the company's credit card transaction records and those of the company's assistant treasurer, Michael Hudson, who had worked at Frisch's for 32 years. Hudson then resigned a few minutes before a meeting to go over the discrepancies. Following an investigation in January, Hudson admitted to stealing the money. Although Hudson said he had lost all the money gambling, Frisch's investigation found that he had made large withdrawals from his personal accounts at a Cincinnati area ​casino and had purchased more than​ US$400,000 in land, vehicles, and jewelry.​ </p><h2>Lessons Learned</h2><p>It might be tempting to focus on the specific circumstances, severity of impact, and prospects for recovering losses from a multiyear fraud against a mid-sized local company. However, although I am not familiar with the corporate history of Frisch's, I suspect the bigger lessons may relate to those companies that start small then grow much bigger, but do not pay sufficient attention to implementing the internal controls and processes essential to protecting themselves from fraud. Such companies may be particularly susceptible to fraud by long-serving employees who have been granted unconditional trust.</p><p>Those controls, which frequently are referenced in the pages of <em>Internal Auditor</em>, include: </p><ul><li> <span style="line-height:1.6;">Ethics and financial management policies that state clear expectations for employee behavior.</span><br></li><li> <span style="line-height:1.6;">Appropriate segregation of authorities and duties, especially to limit senior officials from sole or unchecked control and access over large sums of money.</span><br></li><li> <span style="line-height:1.6;">Accounting systems that integrate monitoring and reporting routines to flag unusual, recurring, and large transactions for further scrutiny.</span><br></li></ul><p>Perhaps most importantly in the context of this story — and maybe unfortunately for what lies ahead for Frisch's board of directors, CEO, and chief financial officer — is the question of the strength of the company's governance and control regime. To be effective, that regime must include directors who regularly ask and get satisfactory answers to penetrating questions about the company's operations and financial health. It also requires a senior executive team that is rigorously focused on balancing business interests and profits with maintaining high standards of ethical corporate behavior. </p><p>One additional essential element of an effective corporate governance and control regime is a strong, independent internal audit function — or its equivalent — that systematically and objectively assesses and advises the board and management on what the organization's people and processes are doing against expectations. The IIA's practice guide, <a href="https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Assessing-Organizational-Governance-in-the-Private-Sector-Practice-Guide.aspx" target="_blank">Assessing Organizational Governance in the Private Sector</a>, provides examples of what internal audit needs to examine. Without such a review, it is doubtful that an organization of any size could realistically expect to avoid the kinds of problems illustrated in the Frisch's case.</p>Art Stewart02025
An “F” for Fraudhttps://iaonline.theiia.org/2015/an-f-for-fraudAn “F” for Fraud<p>​​The Chicago Public Schools (CPS) inspector general alleges that a former employee stole more than US$870,000 from the district through a fraudulent billing scheme, <a href="http://www.chicagotribune.com/news/local/breaking/ct-cps-inspector-general-report-met-20150105-story.html" target="_blank"><em>The Chicago Tribune</em></a> reports. According to the inspector general's annual report, an employee at Clark High School conspired with co-workers and vendors to submit fake reimbursements for purchases and file fake purchase orders between 2009 and 2013. The employee also allegedly received kickbacks from vendors for fraudulent purchases from companies. The employee has since resigned, and CPS is moving to bar the companies involved in the scheme from doing business with the district. A criminal investigation is underway.</p><h2>Lessons Learned</h2><p>As this story and the related 2014 Annual Report of the CPS inspector general observe, a wide range of fraudulent activities occur in school systems on a regular basis. The latter report reveals that the top complaints — from about 1,300 filed in 2014 — related to residency, inattention to duty, contractor violations, tuition fraud, and misappropriation of funds. I have not found any report that quantifies the total impact, but if the level of malfeasance found in the CPS case were replicated across all the school boards throughout the United States, it could total more than US$1 billion a year — a significant waste of taxpayer dollars and an affront to trust in public institutions.</p><p>Typically, boards of education in the United States have some kind of fraud prevention and detection policy in place that requires all employees, school board members, consultants, vendors, contractors, and other parties maintaining any business relationship with the district to act ethically, with due diligence and in accordance with all applicable laws. Boards assign a superintendent or equivalent leadership position responsibility for developing internal controls, policies, and procedures to prevent and detect fraud, financial impropriety, or fiscal irregularities within the district. They also expect every member of the district's administrative team to be alert to any indication of fraud, financial impropriety, or irregularity within his or her areas of responsibility. Further, school boards usually have an accountability requirement: District employees who suspect fraud, impropriety, or irregularity in relation to fiscal or other resources are expected to report their suspicions immediately to their supervisor or the superintendent, who then is responsible for initiating necessary investigations, and taking appropriate action, if warranted.</p><p>However, an inevitable complex patchwork of state and district regulations, combined with ongoing budgetary constraints and governance regimes that often rely on local and volunteer resources, among other factors, make it difficult to consistently implement an effective fraud prevention and detection regime. Here are some targeted suggestions to help make these regimes more effective based on a review I conducted of several different state and school district oversight and audit reports:​</p><ul><li> <strong>More thorough school board governance. </strong>Increasing dissatisfaction with the governance of school boards can be found in numerous news stories and state/district inspection/audit reports, particularly related to significant fraudulent activities uncovered in many school districts across the United States. Despite the important role that school boards play in governing schools across the country, virtually no empirical research exists that examines the governance structure — and its effectiveness — with respect to the board's responsibility to address fraud issues. Although several school board inspection reports I found pointed out that external audit programs were legally mandated, few districts had internal auditors and audit committees. School district governance is a partnership between the school board, the school organization, and the community in which it serves. Two specific measures that should be considered are 1) more comprehensive board education on responsibilities and strategies related to fraud and auditing; and 2) more consistent structuring of board audit committees and related internal audit activities, even if they are part of a larger finance committee and supported by volunteer resources. Once these measures are in place, the board then should actively oversee implementation to ensure they are working well. <br></li></ul><ul><li> <strong>​​Consistent, mandatory codes of conduct and ethics training. </strong>Statewide oversight reports I examined often noted that ethics training for teaching and administrative personnel existed but was not applied consistently across districts. The adoption of a code of ethics for all school system staff was more rare. School leaders also should be educated concerning appropriate actions in common fraud prevention areas. They need to understand the importance of internal auditing, know the language in local policy, and rigorously follow up.​​​ </li></ul><ul><li>​<strong>Strengthen internal controls, especially over the most fraud-susceptible risk areas. </strong> Another consequence of budget stresses and a reliance on external auditing, complaints, and whistleblower-driven processes to deal with fraud is that schools are often behind the curve in preventing and detecting fraudulent activities. Inspection reports frequently provided recommendations, but typically only related to the disciplining of employees or contractors, and much less frequently in relation to systematic changes to controls or procedures that should be changed or improved. In addition to educational and accountability related measures, school districts should undertake regular assessment of risk-prioritized fraud activities and direct their targeted prevention and detection efforts to those areas. Given the kinds of fraud, such as employee theft, documented in the Chicago Public Schools case, some specific control measures to consider include: 1) increased segregation of financial approval authorities over more than two employees, and 2) increased monitoring and scrutiny of frequent bidders and contractors for school supplies and services. To help avoid the potential for "stringing" contract bids — falsely splitting an overall contract amount into smaller pieces to avoid limits on noncompetitive contracting — school boards should consider either lowering the dollar limit or eliminating it entirely.​<br></li></ul>Art Stewart013553
Too Good to Be Truehttps://iaonline.theiia.org/2015/too-good-to-be-trueToo Good to Be True<p>Investment fund company F-Squared ha​s admitted to defrauding its investors and will pay a US$35 million fine to the U.S. Securities and Exchange Commission (SEC), <a href="http://fortune.com/2014/12/22/sec-f-squared-fraud/" target="_blank"> <em>Fortune</em> reports</a>. F-Squared is the biggest exchange-traded fund (ETF) company, a class of fund traders that use computer models to forecast when their clients should buy and sell ETFs. The SEC says F-Squared had advertised its investment strategy as being based on historical returns, but those returns were actually based on a computer model devised in 2008. Moreover, the SEC says the company's founder, Howard Present, was aware that the computer model had an error that caused it to overinflate​ its performance, but he never investigated the error. Present stepped down as F-Squared's CEO in November.</p><h2>Lessons Learned</h2><p>Fraud has been an issue since the inception of online performance marketing, once labeled as "innovative business practices." In the past few years, as the ETF and performance marketing industry has grown by leaps and bounds, it has become the target of increasingly sophisticated fraudsters, both from within and outside of its firms. Fraud committed against investment companies, investors, and consumers arguably undermines the industry due to increased regulatory scrutiny and enforcement that ultimately chases off investment dollars and forces firms to redress financial losses.</p><p>There have been continuous calls for organizations and investors to implement a fraud protection system, greater regulations — including some who call for an outright ban on investment performance marketing — and auditor scrutiny. Beyond these demands, what can be done to prevent and mitigate this kind of fraud? Auditors should reinforce an overall need for a proactive, self-regulatory culture, covering both the investment industry and investors, that implements best practices and aggressive fraud-prevention solutions. There are three key elements to such a culture:</p><ul><li> <strong>A continuous improvement approach to the educational and professional requirements of and compliance by those working in the investment industry. </strong>There are many different standards in the advisory world, and some differentiation is needed. However, primary focus needs to be placed on the investors and their changing situation and requirements. The importance of asset mix and what is and what is not appropriate for any investor — including the need to address changing risk levels — is a dynamic process. Most small investors do not have regular reviews of their portfolios and their advisers often are not qualified to address this issue. Instead, advisers recommend funds on past performance — as in the F-Squared case — which statistics show is the worst thing one can do. Education and certification standards should include explicit requirements for investment disclosure and reporting. Auditors should have a role in examining whether standards are robust and being complied with across the industry.<br><br></li><li> <strong>Investor responsibility, supported by the investment industry.</strong> Investors should be responsible for ensuring they are dealing with a reputable financial adviser, just as they would ensure they are seeing a good dentist, doctor, or attorney. Education can help investors protect themselves from marketing abuses. This could include requiring investment institutions to provide essential investor training. Before being accepted as investors, individuals should sign off that they clearly understand the risk of absolute loss they are taking, or alternatively they should be encouraged to invest in products that are conservative and balanced. Investors also must understand investment returns and how they are measured, rather than equating annual returns with annualized returns, or subscribing to similar metrics used to market funds.<br><br> </li><li> <strong>Adequate and meaningful disclosure of investment risks and results.</strong> Certain key information regarding investment decisions, risks, and expected results should be available to investors in clear and concise language, rather than in fine print, footnotes, and thick, legal jargon-filled documents that aren't read, understood, or complied with. In the context of the F-Squared case, it is worthwhile to consider the Chartered Financial Analyst (CFA) Institute's <a href="http://www.cfapubs.org/page/ccb/codes-standards-guidelines#other" target="_blank">Principles for Investment Reporting</a>.<br></li> In particular, the CFA's principle 4 — clear and transparent presentation of investment risks and results — states that effective investment reporting reflects these qualities: </ul><ul><ol><li>​​​​​​​Historical information presented in the investment report is not changed without disclosure to the user. </li><li>The investment report is a fair representation of the investments made, results achieved, risks taken, and costs incurred. </li><li>The investment report is relevant and appropriate for the purpose stated and the assets and investment strategies being presented. </li><li>The investment report provides appropriate comparative data — such as index data, a customized benchmark, peer group data, or a Global Investment Performance Standards composite — to allow the report user to assess the relative performance of the investments. </li><li>The investment report provides information on investment risks that have been experienced and are expected, including changes to assumptions previously adopted. </li><li>The investment report reflects the impact of taxes in general and the impact of taxes on performance, where germane. <br> </li></ol> Before an investment is made, a joint sign-off by the investment company representative and the investor that both investments and investment reporting will reflect these clear principles could contribute to preventing and mitigating related fraud activity.​</ul> ​​​​​Art Stewart014167
Plot to Defraudhttps://iaonline.theiia.org/plot-to-defraudPlot to Defraud<p>​Sam Associates, a real estate development compay located in Pakistan, hired Shamool Khan as a receptionist/office assistant when the company was first established. He was hard working, educated, and had excellent communication skills. After successfully completing several assignments ahead of schedule, he came to earn the trust of the business owners and was eventually promoted to general manager. This gave him the opportunity to learn exactly where internal control weaknesses lied.<br></p><p>In winter 2011, Sam and Associates owners discovered, through an employee complaint, that Khan was abusing his power and embezzling funds from the firm with help from his co-workers. During his two years with the company, he had issued bogus cash installment receipts to customers and misappropriated firm funds to the amount of Rs4 million (the equivalent of US$47,000).<br></p><p>After climbing the company ranks, Khan’s first major project was a low-cost housing development that met strict quality standards and the needs of low-income households. Sam Associates acquired 1,500 kanals (approximately 188 acres) of land and planned to develop approximately 1,200 kanals (150 acres) of it. Several firm partners had made personal investments contributing to the project.<br></p><p>As a trusted employee, Khan was uniquely positioned to run an embezzlement scheme. Traditional business controls, such as separation of accounting duties, delegation of authority, system access, and administrative approvals, were not prescribed in the early phase of the business. Khan also wasn’t monitored by the firm owners, which enabled him to undertake enormous fraudulent activities by taking advantage of several internal control weaknesses:<br></p><ul><li>Lack of appropriate authorization for commission disbursements.</li><li>No clearly defined lines of authority, roles, or responsibilities.</li><li>No independent checks on performance.<br></li><li>Inadequate documentation policies.<br></li><li>Management override of internal controls.<br></li><li>A willingness among employees and third parties, and lower level employees and management, to collude to circumvent controls.<br></li><li>Insufficient written policies and procedures to direct department processing.<br></li></ul><p>To help sell the plots of land, Sam Associates used dealerships — loosely defined principal-agent relationships — which are an integral part of commercial real estate activity in Pakistan. Sam Associates did not follow consistent policies concerning commission, returned plots, and recovery of commission. The commission to dealers was supposed to be paid to the dealers in three stages: after initial deposits, after each monthly installment, and after the final lump-sum payment. But instead of commissions being paid in stages, they were paid in full upon the initial deposit.<br></p><p>Dealers were allowed to charge varying commission under each plot sale arrangement. This provided opportunity for dealers to defraud the firm by collusion with Khan. The records were made to appear as if the first dealer — who received a lower commission percentage — returned the plot to the firm. The plot was then sold by a second dealer, who usually charged a higher commission. In the process, accounting department employees colluded with dealers and received a percentage on the second sale. Because there was no policy to recover commissions already paid to dealers, the firm sustained significant commission loss on returned plots. As a part of the sale agreement, the dealers also took responsibility for helping collect payment from customers. But practically all monthly installment payments were collected late and, in many instances, initial deposits were not fully paid. Land plots were sometimes booked on partial deposits and commissions were then paid in full.<br></p><p>Accounting department employees also colluded with Khan to create fake dealer identities in the accounting system. Khan himself was selling plots to customers, channeling dealer commissions through these fake dealers, and keeping 100 percent of the commissions. A junior accountant was responsible for collecting, recording, communicating, and depositing funds for cash and credit collections. The application-level controls in place gave the accountant access rights that permitted him to enter, approve, and review transactions.<br></p><p>When a newly appointed accounting employee tipped off management to Khan’s scheme, an investigation determined that Khan abused his authority, organizational powers, and managerial control. He spent lavishly and lent company money to his co-workers. During his employment, two more obvious warning signs were overlooked within the company: unexplained margin erosion and cash flow problems. He extracted cash from the firm’s coffers by issuing phony receipts and counterfeiting documents, and then pocketed the money. The embezzlement and asset misappropriation schemes continued for almost two years, with the help of two of his colleagues. The owners were shocked and devastated to discover just how extensively their trust was violated by one of their key employees. By the time Khan’s scheme was exposed, it was too late. He and his accomplices had disappeared.<br></p><p>Sam Associates management took the matter to the authorities. During the civil and criminal proceedings against him in absentia, Khan and his accomplices were found guilty. Police are still looking for him.<br></p><h2>Lessons Learned</h2><ul><li>When an employee exhibits lifestyle changes, it should be a red flag. Going from a modest lifestyle to a lavish one can be an indication that the individual is stealing from the organization.</li><li>Absent or weak internal controls are an invitation for fraud. A set of internal control procedures can help safeguard company assets, ensure adherence to company policies, and promote efficiency and disclosure of reliable financial information. Many internal controls are neither time-consuming nor expensive to put in place, and their benefits can be significant. </li><li>Segregation of duties is an integral part of operational control and can deter collusion among employees. Because frauds with collusion are more difficult to detect, companies should have whistleblower hotlines for reporting indiscretions when employees see them. </li><li>Lack of management review weakens detection of employee misconduct. Management should maintain documentary evidence of its review and approval of all financial information to demonstrate that it has retained effective control over its financial information.</li><li>Regular disbursements, such as commissions, should not be allowed without applying regular authorization processes and closely watching all exception cases.<br></li><li>Customer control accounts should be regularly monitored and reconciled at least monthly. Any discrepancies should be investigated adequately.</li><li>A fraud policy gives the perception among employees that management is serious about deterring fraudulent behavior. It should make clear that violators will be terminated and prosecuted. <br></li></ul>Syed Zubair Ahmed11920
What Segregation of Duties?https://iaonline.theiia.org/what-segregation-of-dutiesWhat Segregation of Duties?<p>​​The former chief financial officer (CFO) of an Indiana township took advantage of his position to embezzle more than US$300,000, fueling a spending spree that included a new house, a pickup truck, Caribbean vacations, and jewelry, the <a href="http://www.indystar.com/story/news/crime/2014/11/30/audit-reveals-center-township-embezzlement-went-undetected/19619863/?sf34219303=%5b%271%27%5d" target="_blank"> <em>Indianapolis Star</em> reports</a>. Alan Mizen was the township's CFO from 2001 to 2011. According to an audit by Indiana's State Board of Accounts, Mizen had authority to write and sign checks, and also balanced the township's books and wrote its annual report. This enabled him to cut a check for US$343,541 to a fictitious attorney general's account, fake an invoice in the accounting system, and then deposit the check into a bank account he had created. Mizen has pleaded guilty to federal corruption charges.</p><h2>Lessons Learned</h2><p>The amount of money embezzled in this case (less than US$500,000) may seem relatively small compared to many other fraud incidents I have written about in previous columns, but the potential impact of fraud committed by local government public officials is enormous. U.S. census statistics indicate that there are more than 16,000 different civil townships, each with its own governance, authority, and accountability structure. At the heart of this case is an almost complete lack of controls over the activities of the Center Township government's CFO during a period of several years, as noted by an Indiana State Board of Accounts audit.</p><p>In numerous other articles, I have shed light on some of the main types of controls and measures that internal auditors should be aware of and use in their work to combat this kind of fraud, including those intended to address gaps in internal controls over financial management, a lack of segregation of duties, and inconsistent background checks on employees. Auditors also need to be vigilant about fraud "red flags" such as changes in an employee's lifestyle that involve significant increases in personal spending on luxury items. For cases involving local governments, it is important for auditors to periodically review the adequacy of the basic governance and authority regime intended to direct the behavior and activities of officials and employees, as well as how well they are being followed, particularly by the lead trustee and the treasurer. </p><ul style="list-style-type:disc;"><li> <strong>The Trustee</strong>: The duties and obligations of county/township officials vary widely from state to state and from one local government to another. For example, in some places, the county trustee has additional duties such as maintaining cemeteries and administering insulin to the sick. In many instances the most senior official, the trustee, has five major functions:</li><ul><ol><li>Collect all state and county taxes on property.</li><li>Keep a fair and regular account of all the money received.</li><li>Receive the county's bills and maintain a record of all bills received and related details.</li><li>Keep regular accounts of all payments made in relation to bills received.</li><li>On leaving office, deliver all books and papers of the office to his or her successor.</li></ol></ul></ul><ul><li> <strong>The Treasurer/CFO:</strong> Duties include the receipt and payment of county/township funds. Typical state legislation governing township/county governments specify at least three major treasurer duties/obligations that are central to this case: </li><ol><li>Monies that the treasurer receives must be allocated to one of the township's approved funds. Other special purpose funds may be established, but they must be authorized by the entire township/county government. </li><li>The treasurer must file a sworn, itemized financial accounting statement, typically monthly, with the county executive. </li><li>All officials, including the treasurer, are prohibited from requiring or allowing checks or other forms of payment to be payable to the official in his or her own name, rather than the name of the governmental entity, the office, or the official's name and title.  </li></ol></ul><p>It is apparent that the Center Township CFO was defrauding its government and citizens with regard to the above obligations. However, the problem may not have been limited to this. Auditors looking into similar cases should consider whether the trustee played a role in the fraud, and whether his or her activities were reviewed.</p>Art Stewart03238

  • CaseWareIDEASpecial_Mar2015
  • Ideagen_Pentana_Mar2015
  • IIA_CIA Practice Test_Mar2015

 

 

Six Steps to an Effective Continuous Audit Processhttps://iaonline.theiia.org/six-steps-to-an-effective-continuous-audit-processSix Steps to an Effective Continuous Audit Process2008-02-01T05:00:00Z2008-02-01T05:00:00Z
Understanding the Risk Management Processhttps://iaonline.theiia.org/understanding-the-risk-management-processUnderstanding the Risk Management Process2007-05-01T04:00:00Z2007-05-01T04:00:00Z
PwC Reviews the State of the Internal Audit Professionhttps://iaonline.theiia.org/blogs/marks/2015/pwc-reviews-the-state-of-the-internal-audit-professionPwC Reviews the State of the Internal Audit Profession2015-03-16T04:00:00Z2015-03-16T04:00:00Z
Simplifying Segregation of Dutieshttps://iaonline.theiia.org/simplifying-segregation-of-dutiesSimplifying Segregation of Duties2009-04-01T04:00:00Z2009-04-01T04:00:00Z