Fraud

 

 

On the Hook for Fraud
https://iaonline.theiia.org/2017/Pages/On-the-Hook-for-Fraud.aspx
<p>A Montreal-based online retailer has gone out of business after losing an estimated CAN$50,000 from credit card fraud in only three months in operation, <a href="http://www.cbc.ca/news/canada/montreal/vincenzo-lingordo-credit-card-fraud-bank-1.3900001?adbsc=IAO68836316&adbid=810908384249556993&adbpl=tw&adbpr=390782790" target="_blank">CBC News reports</a>. Business owner Vincenzo Lingordo says the company's bank approved the fraudulent purchases, which were missing information such as billing addresses and security codes. Based on the approvals, his company shipped goods to the purchasers' shipping addresses. Even after he had complained to the bank and implemented its recommended fixes to secure his website, the system continued to approve fraudulent transactions and only reported them as fraudulent several weeks later. Lingordo's subsequent tests revealed that the bank's software approved transactions even when he deliberately entered incorrect credit card information or left mandatory fields empty. </p><h2>Lessons Learned</h2><p>This news story represents the battleground between e-commerce technology, consumer convenience, and bank profitability. Squeezed into the middle are small business owners facing an ever-growing threat of credit card fraud. In 2015, in Canada alone, an estimated CAN$500 million was lost to various forms of credit card fraud.</p><p>In Canada and the U.S., banks are pushing merchants to adopt EMV (Europay, MasterCard, and Visa) technology and chip and PIN credit cards, instead of or in addition to signatures. But even where card issuers require PINs instead of signatures, this has not stopped fraud; it has just shifted where fraud takes place. 
For example, in the U.K., where chip and PIN cards have been used since 2003, card-present fraud — transactions done in person with a card — has declined because thieves are unable to use counterfeit cards with stolen data embossed on them anymore. However, fraud involving card-not-present transactions — that is, transactions by phone or online — has increased. Neither a PIN nor a signature is required when customers use their cards online, so simply stealing card numbers is sufficient to use them for fraud.</p><p>That's bad news for merchants, especially small businesses like Lingordo's, because they — not card issuers such as banks — take the losses for this kind of fraud. Merchants are learning the hard way that credit card authorization by a lender does not mean that the merchant is guaranteed payment. Approval only indicates that at the time the approval was issued, the card had not been reported stolen or lost, and that the card credit limit had not been exceeded. If someone else is using the credit card number illegally, the card holder has a right to dispute the "approved" charges. </p><p>Although merchants are footing the bill for 75 percent of the costs of converting to chip and PIN credit cards, they are not getting any relief from counterfeit fraud expenses. One might think that merchants can thwart card-not-present fraud by requiring cardholders to provide the three-digit security code — the card verification value (CVV) — printed on the back of their card. However, fraudsters can defeat this requirement by obtaining the security codes through phishing attacks that trick users into relinquishing the codes, or by installing malware on a victim's computer or on less secure e-commerce sites and recording the security codes as consumers type them into web forms. It should not be surprising that every market where chip and PIN technology has been adopted has seen a dramatic increase in card-not-present e-commerce fraud despite the use of CVVs. 
</p><p>Additionally, merchants are responsible for more fraud than ever, including the consequences of having their bank fee rates increased, or losing their accounts with the card companies if their fraud rate gets too high. On the other hand, banks will not take on increased responsibilities for the problem because they have no real solution to prevent this kind of e-commerce fraud and want to guard against increased costs.</p><p>What other preventive methods and procedures can merchants perform to prevent and detect credit card fraud — or limit its impact — especially of the card-not-present variety? It is clear that a merchant should not depend on the credit card company to prevent fraudulent orders. While not an exhaustive list, using a combination of these methods and techniques may be the best possible defense against credit card fraud:</p><ul><li><p> <strong>Follow the procedures recommended by the merchant's payment processor and the credit card companies.</strong> A merchant can lose its account for failing to follow the payment processor's rules. If a merchant suspects a fraudulent order, it should contact the registration service promptly, so it can reduce the total number of charge-backs. Payment processors are likely to charge merchants higher service fees for a large number of charge-backs.</p></li><li><p> <strong>Use the Address Verification Service (AVS), if available to the merchant.</strong> In the U.S., AVS checks whether the cardholder's address and zip code match the information at the card-issuing bank. AVS only uses the zip code and numeric portion of the billing street address, and it may fail to reveal a problem such as a recent address change or AVS computers being down. If it does fail, the merchant may decline the transaction. 
If the company's current merchant account for authorization approval cannot provide AVS, then it can get address verification from the cardholder's issuing bank for most credit card types.</p></li><li><p> <strong>Use card verification methods.</strong> Although these methods are imperfect, they can help prevent fraud, especially in combination with AVS methods. Since most fraudulent transactions result from stolen card numbers rather than the actual theft of the card, a customer who supplies the card verification number is much more likely to be in possession of the credit card. For example, Visa claims that the use of AVS with CVV validation for card-not-present transactions can reduce charge-backs by as much as 26 percent.</p></li><li><p> <strong>Enroll in payer authentication programs. </strong>Programs such as Verified by Visa and MasterCard's SecureCode require use of personal passwords to ensure the identity of the online card user. Additionally, if merchants use these programs, card issuers may incur some of the losses for online fraud that were borne entirely by merchants previously. </p></li><li><p> <strong>Implement real-time authorization.</strong> Real-time authorization sends credit card information to the processor for immediate approval — usually within five seconds. This method ensures that the credit card has not been reported as lost or stolen and that the number is valid. The customer is still in contact with the merchant, and incorrect information can be corrected. However, there is an additional cost for real-time authorization, and it does not tell merchants whether the person using the card is authorized to use that card.</p></li><li><p> <strong>Use the Bank Identification Number (BIN) to determine whether the cardholder and the issuing bank are located in the same country.</strong> Illegitimate users sometimes use a credit card from another country. 
Merchants can enter the BIN of a credit card number at <a href="https://www.exactbins.com/bin-lookup" target="_blank">https://www.exactbins.com/bin-lookup</a>. The site provides the bank name, card type, and a three-character code for the country.</p></li><li><p> <strong>Keep negative and positive historical files.</strong> Merchants should keep a database of previous fraud attempts, problem customers, charge-back records, and customers receiving refunds. This file should include the customer name, shipping/billing addresses, phone numbers, credit card numbers, IP addresses, email addresses, and merchant comments. This can reduce the incidence of repeat offenders at a relatively low cost. Data potentially can be shared among multiple merchants. Conversely, a positive historical file contains a list of good customers such as customers who are eligible for upgrade purchases. Customers who purchased successfully in the past probably will not commit fraud. </p></li><li><p> <strong>Enact fraud scoring and pattern detection.</strong> While a targeted model should catch more fraud, it requires additional time and money to analyze a business and implement the approach, and it may require new software. With fraud scoring, a merchant assigns points for different elements of a transaction (e.g., IP address, free email account, time of day, AVS results, amount of sale, type of products ordered, shipment method, different shipping/billing addresses, and certain zip codes) to generate a fraud score to indicate the likelihood of fraud. The merchant decides what point levels should be used to approve, reject, or review the order. The merchant can adjust these values based on trends and time of the year. </p><p>With pattern detection, merchants can check multiple orders that ship to the same address but use different credit cards. It also can check orders that are placed for an unusually high quantity of a single item. 
These may indicate that thieves have access to several stolen card numbers. Check whether multiple orders are being sent from the same IP address. If the credit card numbers vary by only a few digits, it is likely these numbers were generated by software. Users who repeatedly submit the same credit card number with different expiration dates often have the card number, but not the expiration date, so they will just keep submitting that number with a different expiration date until they hit the right combination. And speaking of patterns, most fraudulent orders in the U.S. are made between midnight and 2 a.m. </p></li></ul><p> <br> </p>Art Stewart
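<p>The fraud scoring and pattern detection described in "On the Hook for Fraud" above, as an added Python example that is not part of the original column. The point values, thresholds, field names, free-email placeholder domain, and sample orders are all assumptions constructed for illustration.</p>

```python
"""Fraud scoring and pattern detection over a batch of card-not-present orders."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed point values and thresholds; a merchant tunes these to its own trends.
POINTS = {
    "avs_mismatch": 25, "cvv_mismatch": 25, "free_email": 5,
    "midnight_to_2am": 10, "ship_differs_from_bill": 10, "large_amount": 10,
    "high_quantity": 10, "ship_addr_many_cards": 30,
    "card_many_expiries": 40, "ip_many_orders": 15,
}
REVIEW_AT, REJECT_AT = 30, 60
LARGE_AMOUNT, HIGH_QUANTITY, IP_ORDER_LIMIT = 500.0, 5, 3
FREE_EMAIL_DOMAINS = {"freemail.example"}  # placeholder; list real webmail domains


@dataclass(frozen=True)
class Order:
    order_id: str
    placed_at: datetime   # merchant local time
    card_token: str       # processor token, so raw card numbers are never stored
    expiry: str
    email: str
    ip: str
    bill_addr: str
    ship_addr: str
    amount: float
    avs_match: bool = True
    cvv_match: bool = True
    max_item_qty: int = 1


def norm(addr):
    """Collapse case and whitespace so the same address compares equal."""
    return " ".join(addr.lower().split())


def build_patterns(orders):
    """Index the batch so each order can be checked against the others."""
    cards_by_ship = defaultdict(set)
    expiries_by_card = defaultdict(set)
    orders_by_ip = defaultdict(int)
    for o in orders:
        cards_by_ship[norm(o.ship_addr)].add(o.card_token)
        expiries_by_card[o.card_token].add(o.expiry)
        orders_by_ip[o.ip] += 1
    return cards_by_ship, expiries_by_card, orders_by_ip


def score_order(o, patterns):
    """Return (score, reasons) for one order."""
    cards_by_ship, expiries_by_card, orders_by_ip = patterns
    checks = {
        "avs_mismatch": not o.avs_match,
        "cvv_mismatch": not o.cvv_match,
        "free_email": o.email.rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS,
        "midnight_to_2am": o.placed_at.hour in (0, 1),
        "ship_differs_from_bill": norm(o.ship_addr) != norm(o.bill_addr),
        "large_amount": o.amount >= LARGE_AMOUNT,
        "high_quantity": o.max_item_qty >= HIGH_QUANTITY,
        # Pattern checks: several cards to one address, one card retried with
        # different expiration dates, many orders from one IP address.
        "ship_addr_many_cards": len(cards_by_ship[norm(o.ship_addr)]) > 1,
        "card_many_expiries": len(expiries_by_card[o.card_token]) > 1,
        "ip_many_orders": orders_by_ip[o.ip] >= IP_ORDER_LIMIT,
    }
    reasons = [name for name, hit in checks.items() if hit]
    return sum(POINTS[name] for name in reasons), reasons


def decide(score):
    """Map a score to the merchant's approve / review / reject bands."""
    if score >= REJECT_AT:
        return "reject"
    return "review" if score >= REVIEW_AT else "approve"


def triage(orders):
    """Score every order in the batch: {order_id: (decision, score, reasons)}."""
    patterns = build_patterns(orders)
    result = {}
    for o in orders:
        score, reasons = score_order(o, patterns)
        result[o.order_id] = (decide(score), score, reasons)
    return result


def at(hour, minute):
    return datetime(2017, 1, 10, hour, minute)  # constructed date


# Constructed sample orders; IPs are from the RFC 5737 documentation ranges.
SAMPLE_ORDERS = [
    Order("o1", at(14, 5), "tok_Z", "09/28", "jane@customer.example",
          "192.0.2.10", "1 Main St", "1 Main St", 80.0),
    Order("o2", at(0, 30), "tok_A", "01/28", "a@freemail.example",
          "203.0.113.7", "9 Other Rd", "12 Example St", 300.0, avs_match=False),
    Order("o3", at(0, 34), "tok_B", "02/28", "b@freemail.example",
          "203.0.113.7", "3 North Rd", "12 Example St", 310.0, avs_match=False),
    Order("o4", at(0, 41), "tok_C", "05/27", "c@freemail.example",
          "203.0.113.7", "4 South Rd", "12  example st", 295.0, avs_match=False),
    Order("o5", at(10, 0), "tok_D", "03/27", "sam@customer.example",
          "198.51.100.9", "5 Oak Ave", "5 Oak Ave", 120.0, cvv_match=False),
    Order("o6", at(10, 2), "tok_D", "04/27", "sam@customer.example",
          "198.51.100.9", "5 Oak Ave", "5 Oak Ave", 120.0, cvv_match=False),
    Order("o7", at(1, 15), "tok_E", "11/27", "kim@freemail.example",
          "192.0.2.44", "7 Pine St", "8 Elm St", 620.0),
]

if __name__ == "__main__":
    for order_id, (decision, score, reasons) in triage(SAMPLE_ORDERS).items():
        print(f"{order_id}: {decision:7} score={score:3} {', '.join(reasons)}")
```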
The IT Guy
https://iaonline.theiia.org/2017/Pages/The-IT-Guy.aspx
<p>A former Expedia IT technician has admitted hacking into company executives' emails and trading on that information to net more than US$300,000 in profits, according to <a href="http://www.ibtimes.co.uk/former-expedia-employee-hacked-bosses-net-350000-get-rich-quick-scheme-1595131?utm_source=social&utm_medium=twitter&utm_campaign=%252Fformer-expedia-employee-hacked-bosses-net-350000-get-rich-quick-scheme-1595131&adbsc=IA" target="_blank">his guilty plea in a U.S. federal court in San Francisco</a>. Between March 2013 and April 2015, Jonathan Ly used his network privileges to access devices belonging to Expedia's chief financial officer and head of investor relations and then used the information about upcoming earnings and agreement announcements gleaned from their email messages to make trades in the company's stock before the information became public. Ly was able to continue the scheme even after he left Expedia because he kept a company laptop. </p><h2>Lessons Learned</h2><p>Recently, <a href="/2016/Pages/The-Hedge-Fund-Analyst.aspx">I wrote a column</a> about a fraud case in which a capital management company and one of its hedge fund analysts ran afoul of the U.S. Securities and Exchange Commission's (SEC's) rules regarding insider trading. That column focused on the systematic policies and procedures that organizations need to implement to combat insider trading, including measures to address this kind of fraud when it involves employees and their outside contacts. </p><p>Perhaps the idea that illegal insider trading can be completely eliminated is unachievable. 
However, building on the "lessons learned" from that column, here are some additional observations and suggested measures to further help detect and prevent insider fraud, as in this news story:</p><ul><li><p><strong>Take away the discretion to trade from the insider, as much as possible.</strong> The most basic and frequent form of insider trading involves consistent patterns of trading spikes in the days before announcements of earnings or significant business developments, such as a merger. Most organizations probably have insider trading policies that place some restrictions on employee trading during blackout periods. However, these policies often only cover senior executives, but not other key employees, such as senior analysts, sales staff, and technology workers who could potentially gain access to sensitive information. CEOs and other top officers typically have very limited periods during the year when they can trade. In addition to the usual blackout periods, they also are prohibited from trading during times when they possess nonpublic material information. In the case of a CEO, that could be quite often. Implementing a more comprehensive ban on trading by the kinds of employees (and their families) who have the greatest potential access to sensitive information could help dissuade potential fraud. </p></li><li><p><strong>Implement automatic share plans, not only for senior officers, but also other employees who have access to sensitive information</strong>. These plans allow employees to sell their shares according to a pre-arranged schedule. The trading decision has nothing to do with the insider and is not necessarily dependent on any event. Automatic share plans also make it easier for employees to exercise their stock options and help companies avoid the perception of questionable trades.</p></li><li><p><strong>Require top officers and key employees to notify the company's chief financial officer or legal department before making a trade. 
</strong>Although it may not be possible to prevent a particular trade, in combination with careful ongoing monitoring, review of the company's stock trades by an internal watchdog can reveal unusual patterns of activity that may catch inappropriate behavior. And, while internal monitoring is critical, it's also important to have third-party verification by an accountant or auditor to check insiders' holdings at the end of the year and compare these with transactions they reported throughout the year.</p></li><li><p><strong>"Wall off" both sensitive areas of company computers and the email accounts of senior executives to mitigate the high risk of employee and outsider hacking.</strong> This is perhaps the most challenging element of fraud perpetration. Nonetheless, organizations need to continuously invest in and improve controls over IT administrative access privileges to sensitive computers and information, along with the email accounts of senior executives. They also should take measures to prevent the hacking of "passwords" files and credentials associated with IT administrative service accounts. Physical assets such as laptops and computers also must be stringently controlled to prevent unauthorized employee use. </p></li></ul><p><br></p>Art Stewart
A Toxic Culture
https://iaonline.theiia.org/2016/Pages/A-Toxic-Culture.aspx
<p>The role of the public relations (PR) department is to maintain a positive image of the company and to communicate with those outside the organization. Typically, those individuals skillfully manage perceptions and expectations, but at one company, these skills were used to mask a hostile work environment. </p><p>The department was led by a vice president, Ginger Dahl, who promoted Scott Goss and Roseanne Gray, two of her close friends, to director and manager, respectively. Dahl delegated all staff management responsibilities to Goss and Gray, leaving Dahl with no direct supervisory responsibility over employees except for these two individuals. Goss and Gray were inexperienced in managing staff, had no industry knowledge, and made decisions without staff input or consideration. For example, they initiated an overhaul of a new project methodology that stalled for months because of their lack of direction. Then, when forced to move forward with the project, they rushed to implement it. Clients called daily to voice their concerns over time delays and roadblocks but were dismissed by Goss and Gray without further investigation by Dahl. Staff members who raised questions were reprimanded, and those who approached Dahl were directed back to Goss and Gray. </p><p>When the organization received a hotline complaint regarding abuse of company assets, internal audit was called in to review. The auditors found that the complaint was just the tip of the iceberg. In initial interviews with staff, the environment was described as hostile and toxic. Seasoned staff members who were well-respected and valued by clients throughout the organization were leaving. The most creative and longest-tenured employee in the department was left to work on projects by herself rather than engage with others within the department and given the least important assignments. 
Several employees were seeing counselors to help them cope with the environment, many were too afraid to do anything, and all were fearful of saying anything that could be perceived as critical. </p><p>The auditors were so shocked by what they heard, they immediately pulled in human resources (HR) and general counsel to collaborate on next steps. The first step taken was putting Dahl on administrative leave. The company assigned an interim vice president and directed all employees not to make any changes to systems or destroy any documentation. As the internal auditors dug deeper and interviewed others within the department — including a few who had left — they found there was an inadequate internal control system. Gray was allowed to hire relatives and directly supervise them. Company policy regarding gifts to employees was ignored. Purchases to clients throughout the organization were made regularly. </p><p>In digging into the time-tracking system, which was used for departmental chargebacks, internal audit noticed that adjustments could be made without an audit trail. Staff noted that their time was regularly changed on projects by the system administrator, an assistant to Gray. Goss and Gray said this was done to better reflect “revenue” from the job.   </p><p>When the auditors turned to the budget, they found numerous overruns. Their analysis revealed what could only be described as a shopping spree of nonbusiness expenses. Upon further review, auditors identified several instances of misuse of company assets. Dahl, Goss, and Gray each had a laptop for home and work, and a separate tablet for meetings. Dahl used company money for personal donations to organizations of her choice that had no affiliation to the organization. There were lavish celebrations totaling thousands of dollars for Gray’s wedding and baby showers. And perhaps the most egregious was the use of company funds for lunches and dinners several times per week, sometimes with their families. 
The analysis extended over a two-year time frame and the trend was consistent. This was beyond an extravagant routine. </p><p>All of this was possible because no one tracked expenses. The accounting department did not perform budget-to-actual reviews, and the PR department was left to their whim to spend. While a budget was assigned, there was no accountability for adhering to it, as evidenced by several years of overruns. </p><p>After weeks of gathering data, the internal auditors met with Dahl, Goss, and Gray to hear their explanations. They truly believed they had done nothing wrong and seemed shocked that these behaviors were unacceptable. In light of the observations, which were supported with data analysis, HR, general counsel, and senior leadership decided to terminate Dahl. Goss and Gray left on their own within the following three months. The company did not press charges because nothing was done illegally; there was no restitution paid. The company hired an industry consultant to work with the interim vice president to establish and implement internal controls and process improvement within the creative work methodology. Internal audit was asked to work with the consultant on the process improvement, which it did, and internal audit provided a training session on internal controls to the department. Within a year of Dahl’s termination, she had secured a similar position at another organization in the same industry.</p><h2>Lessons Learned  </h2><ul><li>Toxic cultures are often masked by leadership as something else. These environments are very uncomfortable and difficult to navigate. It is worth recognizing that a toxic work environment requires a lot of effort to create and maintain. Consider its purpose and evaluate its impact on the organization’s performance. In the end, these cultures are often designed to protect leadership’s selfish aims and offer no productive value to an organization.   <br></li><li>Critically review turnover data. 
If a department’s turnover rate is extremely high, that is a red flag. Auditors should ask questions, talk to HR to find out whether there are any employee concerns, and raise the red flag if there are any issues. <br></li><li>Exit interview results should be reviewed regularly. Even in the most fearful situations, those leaving the company will often leave some indication of their frustrations and concerns. In environments where people are afraid, this could offer a significant piece to the puzzle.  <br></li><li>Chargeback systems are great places to hide resources and could be overlooked — they impact only intercompany allocations, not the financial ledger. Consequently, they should be reviewed like any financial system. Examine reports to source documents, check interfaces, and audit IT general controls. <br></li><li>Assess controls over travel and expense reports to see how they are being reviewed and approved. Is there documentation available to support the expenses? Look beyond the controls, as well, and use graphs and charts to trend the data. Often, seeing the information visually is more impactful.  <br></li></ul><p><br></p><p><em>The author is currently working in public accounting in Connecticut and has more than 15 years of experience in internal audit and accounting roles.</em></p>Anonymous
Milking Money From the College
https://iaonline.theiia.org/2016/Pages/Milking-Money-From-the-College.aspx
<p>A former University of Missouri (MU) administrative assistant has been sentenced to four years in federal prison after pleading guilty to embezzling more than US$781,000 from the university over a 13-year period, the <a href="http://www.columbiamissourian.com/news/higher_education/former-mu-employee-sentenced-to-prison-in-embezzlement-case/article_94856a5c-b0e5-11e6-a352-b3aebc6adb2a.html" target="_blank"> <em>Missourian</em> reports</a>. Carla Rathmann, an employee in the College of Agriculture, Food, and Natural Resources' (CAFNR's) Southwest Research Center, made unauthorized purchases on a university credit card and charged the university more than US$570,000 by submitting invoices and bills through shell companies. In 2015, new Southwest Research Center Superintendent David Cope noted concerns about Rathmann's purchases. A subsequent internal audit cited her misappropriations as a "key factor" in the closure of the center's dairy operations in 2015. That audit and a separate University of Missouri System audit reported a lack of oversight and accountability within the CAFNR and its 17 research centers.</p><h2>Lessons Learned</h2><p>Those public institutions most vulnerable to fraud, such as the CAFNR, frequently are among the least prepared to defend themselves. This news story, along with two related internal audits, reveals a litany of control, oversight, and accountability issues for which internal auditors and management must exercise vigilance. Key among them are:</p><ul><li><p> <strong>Inadequate financial oversight.</strong> The audit of the CAFNR found that the remote locations of its agricultural research centers contributed to an environment where one person could have too much control. 
Rathmann was responsible for nearly all aspects of the finances, including entering payroll, accepting cash and check payments, purchasing with a university credit card, and completing a monthly review of all financial activity. Further exacerbating the problem, the workaround for a lack of resources to provide for adequate supervision and separation of duties was to ask her supervisor to conduct routine reviews of transactions, which frequently fell by the wayside in the face of other supervisory priorities. Rathmann also was able to take advantage of turnover of supervisors.</p></li><li><p> <strong>Poor financial controls over a wide range of processes, including credit cards, inactive bank accounts, invoicing, payments, and time reporting. </strong>Audit work revealed that some people never used their credit cards; others had card limits that were "excessive" for what their job required. Additionally, CAFNR employees did not document their credit card purchases appropriately. The audit said office support assistants didn't always submit receipts, and the financial officer in charge of approving purchases didn't always ask for them. Officers sometimes were not even fully aware of what kinds of purchases should be made with the cards. There also do not appear to have been adequate rules or policies, nor did anyone ask questions when Rathmann faked invoices and bills to the university to pay herself through the shell companies she created. She also faked payments for farm-related items such as propane and hay, and she was able to deposit and withdraw money to and from a bank account opened in 1967 that was supposed to have been closed down. But at the same time, the university did not keep a record of many of Rathmann's university credit card statements and receipts.</p></li><li><p> <strong>A failure to focus on good human resources management practices, including conflict of interest and fraud risk. 
</strong>Rathmann worked as an office support assistant while she was employed with the university from January 2000 to September 2015 — a long time that enabled her to become highly familiar with the CAFNR's financial systems and processes. Unfortunately, in parallel with Rathmann's long tenure, there were several gaps and turnover in supervisory staff, contributing to a climate where Rathmann was able to get away with stealing and making it more difficult for management to detect her fraudulent behavior. Changes in Rathmann's lifestyle also were overlooked: Despite earning a modest US$15.90 per hour before being fired, she was able to make significant luxury purchases with the funds she embezzled. Rathmann and her husband both falsified their work attendance records, which went undetected. Both Rathmanns were registered agents for the companies she created, and they also made purchases between them, which should have raised conflict-of-interest concerns.</p></li><li><p><strong>Lessons were apparently not learned from a past significant fraud case involving similar issues and amounts stolen.</strong> An administrative assistant named Christy Tutin pleaded guilty in 1994 to stealing US$666,755 from the MU Graduate School between 1988 and 1993. However, she was eventually given a short prison sentence, and the circumstances of her case were not widely shared among university staff.</p></li></ul><p> <br> </p><p>CAFNR administrators have agreed to make several changes in the immediate future, including defining who does what in regards to the state and federal grants, new fiscal training for research center staff, and conducting quarterly reviews of the CAFNR Business Office. 
In addition to these initiatives, I recommend some others:</p><ul><li>Consequences for management and supervisory staff members who fail to undertake adequate measures to detect and deter fraud, particularly where long-term situations are involved.</li><li>A commitment to ensuring that fraud risk assessment, detection, and prevention become an integral part of MU/CAFNR business culture and processes. This should include a commitment to fraud awareness across the organizations and, more specifically, further auditing of the effectiveness of measures taken to strengthen their financial controls and accountability in the wake of the Rathmann fraud case.</li></ul><p> <br> </p><p>As part of the set of measures needed to strengthen MU/CAFNR financial controls and accountability, the organizations should consider restructuring the roles and authorities of the research centers. For example, they should centralize and limit their degree of autonomy where a single employee has too much financial approval discretion, and introduce centralized, automated ways of scrutinizing potentially fraudulent financial and human resource transactions. </p><p><br></p>Art Stewart
NFL Players Tackled by Fraud
https://iaonline.theiia.org/2016/Pages/NFL-Players-Tackled-by-Fraud.aspx
<p>An investment adviser who provided services to professional athletes, including members of the National Football League (NFL), has pleaded guilty to wire fraud and filing a false tax return, according to <em><a href="http://www.forbes.com/sites/kellyphillipserb/2016/11/01/businessman-pleads-guilty-to-tax-wire-fraud-involving-nfl-players/#6d28bb7a61a3">Forbes</a></em>. Between 2008 and 2013, the adviser converted and misappropriated US$2.9 million from clients and failed to report the misappropriated funds to the Internal Revenue Service. According to court documents, the investment adviser directed his clients to sign an agreement that gave him access to their accounts. He then used that access to divert funds for his own personal benefit. The adviser is scheduled for sentencing in January.</p><h2>Lessons Learned</h2><p>Identity theft, tax fraud, and wire fraud in professional sports, not just the NFL, may be more prevalent than one might think. In the last year alone, there have been several high-profile, large dollar fraud cases involving players in the NFL, Major League Baseball, National Hockey League, and other professional sports organizations. Professional athletes may be one of the more vulnerable target groups for fraud, given their overarching dedication and time devoted to their chosen sport, as well as a strong desire to accumulate and maintain their wealth for a less certain future once their professional careers are over.</p><div>The <em>Forbes</em> news story includes several helpful tips to guide individuals toward enhanced basic protection against identity fraud. But alone, these are not enough to ward off the kind of exploitation seen in the NFL case. 
Here are suggestions for additional measures to help detect and deter professional sports industry fraud.</div><div><br></div><div><ul><li>Take a closer look at strengthening codes of ethics for professional sports. These codes tend to predominate in areas where government is involved, such as the Olympics, but are less consistently in place across the spectrum of professional sports. Where they do exist, codes of ethics tend to focus on issues of cheating, as well as the health and physical safety of athletes. Protection of the financial security of professional sports players should be an additional consideration. Moreover, owners, sports associations, and others in the sports industry could consider measures aimed at better self-regulation, addressing appropriate expectations of behavior for sports agents/financial advisors. Such groups, for example, could establish a registry of accredited individuals and companies whose track record has been validated against established standards and competencies.<br></li><li>Government needs to keep increasing the pressure on those intent on committing identity theft, tax fraud, and mail fraud, through public awareness campaigns, changes in the design of tax administration security and processes, and further efforts at targeted enforcement. Many countries use a combination of intelligence gathering, risk analysis, risk profiling, and data matching to detect cases of tax fraud and/or money laundering that involve identity theft and identity fraud. Data matching and other information sharing activities between tax authorities and other government agencies are also used to detect and investigate this type of suspected activity. In the U.S., the Department of Justice, Securities and Exchange Commission, and Internal Revenue Service (IRS) all have recently either introduced new measures and/or prosecuted and publicized related fraud cases. 
In particular, the IRS Criminal Investigation division’s Questionable Refund Program and Return Preparer Program focus on identifying and stopping fraudulent tax refund claims schemes. These schemes often involve hundreds of returns, with refunds totaling hundreds of thousands or even millions of dollars of revenue. Investigating and prosecuting those responsible for these ambitious schemes ranks among the programs’ highest priorities. Incorporating the professional sports industry within the scope of that priority could help uncover wrongdoing like the income tax and wire fraud scheme, as well as serve to further deter other would-be fraudsters.<br></li></ul></div>Art Stewart
The Hedge Fund Analysthttps://iaonline.theiia.org/2016/Pages/The-Hedge-Fund-Analyst.aspxThe Hedge Fund Analyst<p>​Artis Capital Management and one of its senior research analysts have agreed to settle charges of failing to detect insider trading by one of the hedge firm's employees, according to <a href="http://www.bna.com/advisory-firm-supervisor-b57982078646/?adbsc=IAO66964756&adbid=788122464471490560&adbpl=tw&adbpr=390782790" target="_blank">Bloomberg BNA</a>. The U.S. Securities and Exchange Commission (SEC) had earlier charged Matthew Teeple, an Artis research analyst covering networking technology, with using his industry connections to trade on material information not available to the public. According to the new charges, Artis should have recognized the substantial risk that Teeple's interactions with technology sources created and should have established procedures to prevent the specific misuse of information in this case. Moreover, the SEC found that Teeple's supervisor, Michael Harden, did not question Teeple about the source of his information or request that the company's chief compliance officer investigate the issue. Teeple is serving a five-year prison term.</p><h2>Lessons Learned</h2><p>Many readers know that U.S. law requires, and regulators expect, firms to have robust compliance, supervisory, surveillance, and control measures in place to prevent and detect insider trading — which appear to be almost entirely absent in the case of Artis Capital Management. Readers may not know that regulators can bring enforcement action for the failure to have an adequate insider trading prevention program — even if no insider trading has occurred. This story references many of the gaps in Artis' controls over insider trading, such as a lack of policies and measures to track interactions between its employees and their contacts, and lacking requirements for filing research or other reports on such interactions. 
But what is an appropriate approach to guide companies, employees, and auditors toward an adequate insider trading prevention program?</p><p><strong>1. Establish clear expectations throughout the organization regarding appropriate behavior around insider trading, including through a robust policy.</strong> This includes:</p><ul><li>Senior management demonstrating that it is committed, knowledgeable, and conversant in the steps the firm is taking to combat insider trading. This should include board- and executive-level restrictions such as prohibiting executives from pledging, hedging, short sales, and similar activities. </li><li>The deployment of appropriate personnel, IT, and other resources to focus on prevention, detection, and compliance. </li><li>Policy restrictions, requirements, and responsibilities for employees based on role and level. For example, employees may trade only after being given pre-clearance to trade, and blackout or holding periods may apply. The policy also should provide company-specific examples as to what could be deemed "material nonpublic information" — both positive and negative — and guidance related to gray areas such as communicating with relatives and friends, and information shared with third parties, including potential merger/acquisition targets. </li><li>Whistleblower mechanisms and appropriate training of all employees as part of the policy.</li></ul><p><br></p><p><strong>2. Undertake and evaluate a thorough inventory of sources of material nonpublic information to fully understand the inflow and outflow of information to and from the company.</strong> Part of the evaluation of this inventory should include a risk assessment and ranking of the highest types of sources of potential insider trading. Review the inventory periodically to make sure important developments have been identified and incorporated. 
Primary sources include:</p><ul><li>Research consultants.</li><li>Vendors, third-party providers, companies that are potential merger/acquisition targets, and corporate executives with whom the firm conducts meetings. </li><li>Investment advisers and portfolio companies to which the firm or its employees or principals are economically connected through a firm investment, personal investment, etc. Also, brokers with whom employees have significant gift and entertainment activity.</li><li>Employee-disclosed personal relationships, employees with board seats on outside entities, former employers of current employees, and current employers of former employees. </li><li>Fund investors.</li><li>Securities transacted around the time of a corporate announcement or that recently had a significant price change around the time of a firm transaction in such an issuer's securities.</li><li>Issuers identified through post-trade surveillance reviews. </li><li>Portfolio companies, other advisers, or other third parties that use the firm's physical premises or network.</li></ul><p><br></p><p><strong>3. Implement an enterprisewide control structure to monitor and promote compliance.</strong> Rank the possible sources of material nonpublic information according to the risk that each creates for the company, and tailor the controls over the source based on the risk. Higher risks may likely require more surveillance and monitoring, while lower risks may rely on training and certification.</p><ul><li>Implement controls covering the use of restricted lists, blackout periods, and pre-clearing requirements/procedures for employees based on their role and level within the organization; controls on blackout/no-trading periods tailored to the type of event, and requiring employees to pre-clear trades by leveraging technology solutions; establishing minimum holding periods and having information barriers in place. 
For example, debt restructurings should be referred to appropriate walled-off individuals for evaluation. </li><li>Put in place specific controls for high-risk areas, such as the use of "experienced consultants" or "expert panels." Examples include indicating the company's intention not to receive material nonpublic information from an expert, documenting and supervising the use of expert consultants and resulting trading, and reviewing the use of expert consultants and trading. </li><li>Similarly, tailor surveillance based on risks specific to the firm and to managers and traders. Design procedures to effectively detect potential incoming or outgoing material nonpublic information, high-risk relationships, compensation provided or received for such information, and related trading activity. Review firm trading, client trading, and personal trading activity of employees as part of surveillance activities. Some key activities that should be included are post-trade surveillance for specific events such as public announcements, price spikes, and profits; scrutiny of email and other communications about particular stocks for particular employees; and phone log surveillance to determine with whom employees are speaking. </li><li>Once surveillance measures are in place, investigate any indications of aberrant trading to identify whether the trade was made while in possession of material nonpublic information. Take action if the investigation reveals a violation of the firm's compliance policy. Look for patterns by individuals or in particular units. Follow up rapidly and consider the root cause of problems.</li></ul><p><br></p><p><strong>4. 
Adopt technology to help leverage controls, monitoring, and surveillance coverage both by restricting the transmission of material nonpublic information and by automating trade review.</strong></p><ul><li>Use information barriers and data security to create a barrier between material nonpublic information and those who should not have access to it. </li><li>Electronic communication surveillance should include testing to identify incoming or outgoing material nonpublic information and patterns and relationships of interest, whether via e-mail, telephone logs, calendar entries, messenger software, business information sources, Bloomberg terminals, or social networking sites used on company networks. </li><li>Restrict trading activities through pre-trade review and approval technologies such as order management configuration rules. For example, require additional approvals for trading watch-list securities. Control employees' personal trading by using pre-clearance software that scans potential trades against the firm's restricted list, fund trading activity, holding periods, black-out windows, and minimum thresholds. </li><li>Test trading activity through automated electronic feeds from brokerage firms and use post-trade surveillance technologies to identify trading in securities where material nonpublic information may be known. Use automated rules or statistical algorithms to identify trading activity patterns that may indicate the use of material nonpublic information based on multiple risk factors, including timing, capital at risk, and performance. </li></ul><p><br></p>Art Stewart
Blurred Lineshttps://iaonline.theiia.org/2016/Pages/Blurred-Lines.aspxBlurred Lines<p>​Peter Singer, the head of a marketing department at an event company, was retiring but agreed to stay on for six months to transition the new department head. On day two of the transition, the incoming department head called the CAE and left a voicemail message saying something odd was going on and urged him to take a look. </p><p>During the investigation, the CAE found that Singer purchased marketing services from a vendor to support revenue targets for a specific product. Although that seemed reasonable, the audit also revealed that Singer was holding US$500,000 in late invoices from the vendor, a significant amount to the company. Some invoices were overdue by 18 months, well past the typical 45-day average pay cycle. The vendor representative sent numerous emails to Singer complaining about the invoices. </p><p>The invoices were being paid increasingly late beginning several years earlier, when the budget for this marketing service was reduced by US$400,000. This was due to the belief that the vendor’s services were less useful as the product became more established in the marketplace. If the invoices had been paid timely, Singer would have been over budget. The invoices were never sent to accounts payable, as Singer asked the vendor to send the invoices directly to him. In addition, Singer never disclosed these commitments during the monthly financial close process. </p><p>Singer sent emails requesting that the vendor reduce the amounts of the invoices so that he could avoid additional approvals. The vendor complied by splitting invoices. Singer also developed a close personal friendship with the vendor representative — they would often go on trips together with their spouses. They were so close that, when Singer’s wife lost her job two years earlier, the vendor representative offered her a position at his firm. 
</p><p>As seemingly fraudulent events like this are investigated, internal auditors are often quick to look for the motivations and benefits to the perpetrators. Although the situation unraveled with a lot of juicy, and often irrelevant, tidbits of information along the way, management wanted internal audit to focus on one question: Why did Singer do it? </p><p>After hundreds of hours of research and several hours of interviews, internal audit was left with a troubling assessment of Singer’s behavior. He had committed fraud. He lied to the company about spending money with the vendor by making it appear that he was on budget, evidenced by the outstanding invoices. He was aware of these outstanding invoices, as they were piled up on his desk. He worked hard to circumvent internal controls for authorizing and recording the invoices, and the vendor representative conspired with him to circumvent company authorization limits. Because of this activity, the company had a US$500,000 debt for services it did not authorize, value, or want.  </p><p>In the end, there was no direct and convincing way to prove that Singer received any benefit from the vendor. In the eyes of management, this made the behavior much less grievous and “not quite fraud.” Internal audit was able to convince management that Singer intentionally circumvented internal controls to conceal the budget overrun, so he was asked to leave a few months earlier than planned. Consequently, management changed the policy to have all invoices sent directly to accounts ​payable to avoid future errors. However, management paid the outstanding invoices without confronting the vendor about its part in knowingly evading internal controls.  </p><p>The absence of a clear-cut villain stealing from the company left management wondering what the concern was about. As a result, management sent a muddled message about what is acceptable and missed an opportunity to strengthen the company’s defenses against future fraud.  
</p><p>Fraud investigations are often the most intriguing part of an internal auditor’s job. You have villains, who break rules and selfishly benefit to the detriment of the organization. Until someone catches on, that is.  </p><p>However, the reality is not always so clear cut. In fact, it could be argued that the villain situation is rare. In many cases, a confused individual takes a few small steps across the line of good judgment and winds up entangled in rationalizations and good intentions. As things progress, this person hears the chirping of his or her conscience that something isn’t right, but the warning is distant and the words are muffled. In the end, the employee is baffled as to how his or her actions were perceived so negatively. The individual knows he or she could have done things better, but can’t believe the situation is being taken so seriously. Termination? Fraud? The employee is shocked by the possibility, and many times will utter the words, “But I didn’t steal.” </p><p>It is always difficult to see ordinary people fumble into bad situations. And organizations are not always prepared to handle these situations, which leads them down a messy road of uncomfortable conversations, half measures, and lackluster support.</p><h2>Lessons Learned</h2><ul><li>Organizations need to establish a clear perspective on how they want to approach fraud and its many faces. A strong fraud policy describes what the company perceives as fraud and lays out the expectations for investigation and resolution. Without a policy, fraudulent activity is often addressed by management based on the biases and perspectives associated with each unique instance.  <br></li><li>Internal audit should use these situations to improve the organization’s fraud perspective. Fraud is often interpreted and managed differently across organizations based on corporate culture and understanding of internal control. 
Although frustrating for those involved, management’s lukewarm support may be the most valuable observation from this scenario. It is an indication that there is significant work to be done to improve internal control awareness at the top of the organization.    <br></li><li>Internal audit has the expertise, perspective, skills, and independence to lead in these situations. Expecting others to share a clear vision of murky fraud cases is not always realistic.<br></li></ul>Bryant Richards
Bribes for Mineshttps://iaonline.theiia.org/2016/Pages/Bribes-for-Mines.aspxBribes for Mines<p>​Hedge fund Och-Ziff has pleaded guilty and agreed to pay US$412 million to the U.S. Securities and Exchange Commission (SEC) and Department of Justice (DOJ) to settle foreign bribery charges, <a href="http://www.vanityfair.com/news/2016/09/och-ziff-foreign-bribery-charges?adbsc=IAO66447596&adbid=781901431959724032&adbpl=tw&adbpr=390782790" target="_blank"> <em>Vanity Fair</em> reports</a>. According to the SEC, the firm paid around US$200 million in bribes to politicians, officials, and judges to obtain mining rights in Africa between 2007 and 2011. <em>The Wall Street Journal</em> found an example in the Democratic Republic of Congo where Och-Ziff partnered with Israeli billionaire Dan Gertler, who allegedly sent bags of money to high-ranking government officials. A week later, mining firm Africo sold its mining interests in that country to a Gertler-controlled company. </p><h2>Lessons Learned</h2><p>This story provides a good opportunity to revisit what management and internal auditors should be aware of to help their organizations stay compliant with the U.S. Foreign Corrupt Practices Act (FCPA). Here are six relevant suggestions:</p><p> <strong>1. Deterrence can work — investigation, prosecution, and punishment under the FCPA is becoming more common.</strong></p><p>This story outlines a significant case and large penalties. Ten years ago, FCPA prosecutions were rare, but since 2008, the U.S. government has had about 150 FCPA investigations in progress at any one time and has brought about 40 cases each year. In 2014 alone, 10 corporations were indicted, sentenced, or convicted, with assessed penalties of more than US$1.25 billion. About half of the cases have been against companies and half against individual company managers and employees. 
The DOJ has stated that individuals will not believe the FCPA has any teeth until they see business people going to jail, and increasingly this is what is happening.</p><p> <strong>2. Perform a corruption risk assessment to understand the organization's risk of being involved in international bribery.</strong></p><p>Companies must assess the risk of FCPA violations in their international business. The FCPA's definition of "government official" is extremely broad and includes even low-level employees of government-owned companies. Auditors need to understand in which countries their organization is placed under high-risk circumstances. <a href="http://www.transparency.org/" target="_blank">Transparency International</a> publishes an annual Corruption Perceptions Index for most countries in the world. Internal auditors also need to understand all the ways in which the business has contact with government customers or employees. If a company doesn't understand its specific risk, the company may fail to spend its compliance resources cost-effectively. For most companies, 80 percent of FCPA risk will come from less than 20 percent of their business. Some questions to consider are:</p><ul><li>What kind of business does the company do outside the U.S.?</li><li>Does it conduct foreign business through its own employees; agents, distributors and intermediaries; joint ventures; or all of the above?</li><li>Does the company need to get permits or qualify products for sale in foreign countries?</li><li>Does the company ship through freight forwarders and use customs agents? </li><li>Does the organization know all the third parties it uses in business outside the U.S., and has it conducted due diligence on them? Sales agents, lobbyists, and joint ventures are at the top of the risk list, along with distributors or resellers who receive variable pricing or discounts. 
It is important to understand who the company's intermediaries are, how many it has, why it is using them, and who in the company has authority to enter into a contract with them. These third parties create liability, accounting for 90 percent of FCPA cases brought by the U.S. government.</li><li>Does the company deal with universities, use professors in an advisory capacity, or deal with doctors or hospitals? In many countries, education and health care are government-run and all employees, including doctors and professors, are government officials who fall under the FCPA.</li><li>Is the company involved in litigation? In some countries, lawyers routinely bribe court officials and judges.</li></ul><p> <strong><br></strong></p><p> <strong>3. Establish a stand-alone international anti-corruption compliance program and policy</strong><strong>.</strong></p><p>A few paragraphs about international corruption buried in the company's general standards of business conduct are not sufficient. A member of the company's senior management team must be designated as responsible for FCPA compliance. And, in light of this story, it probably should be someone other than the president or general counsel. There also needs to be specific language placed into employment and performance contracts for <em>all</em> employees regarding compliance with the organization's anti-corruption compliance program. The company's board needs to reinforce the value of FCPA compliance to the management team, and the CEO, chief financial officer, and other responsible executives must do the same with employees about the company's commitment to FCPA compliance.<br><br>Clear FCPA terms should also be included in every international contract, and should specifically mention the importance of FCPA compliance and require the company's partners to represent that they know the elements of the law and will comply with it. 
The company should have a clearly worded audit clause that requires the partner to provide documents and assistance in an investigation. Finally, the company must have the ability to terminate the contract if its partner violates the FCPA.</p><p> <strong>4. Train the company's board, management, employees, and third parties who distribute its products.</strong></p><p>These individuals may or may not have had experience with "on the ground" international business, but those who have international experience will probably be out of date with FCPA compliance. Familiarize them with the actual corruption risks in the company's industry, the countries where it does business, and the business model the company is using. Employees should be able to recognize the red flags of corruption that are most likely in the business and know what to do when they see them.</p><p>Many U.S. companies do not train the third parties who facilitate their international distribution, even though these third parties represent their highest FCPA risk. Small companies may think they are safer if they use third parties that also represent major U.S. and multinational companies. They assume those companies have done appropriate vetting and provided training, but that may not be true. Major U.S. and multinational companies often have weak FCPA compliance programs and do not vet or train their third parties.<br><strong></strong></p><p> <strong>5. Establish internal controls over company expenditures and assets.</strong></p><p>The FCPA has no threshold of materiality. Companies have been prosecuted for very small bribes, inaccurate books and records, and failure to set up systems of controls, which arguably have no monetary value. A company can comply with generally accepted accounting principles and still fail to detect bribery or false or inaccurate records. The employees who are involved in corruption, kickbacks, and creating false transactions are likely to be quite smart. 
Finance department employees may be involved in corrupt schemes, as well — they know how the company makes and keeps records and how it audits, so they know how to keep the books looking clean and hide evidence of corruption.</p><p>Making sure the company is keeping books and records that accurately document all transactions can help prevent and detect corrupt payments. If the company has good control over its books and records, it should be much easier to accurately control and account for gifts, meals, entertainment, and travel for government officials.<br></p><p> <strong>6. Plan for the likelihood that a high-quality, international internal investigation will have to be conducted.</strong></p><p>In an FCPA investigation, a company is looking for evidence of criminal behavior and serious fraud among its employees and business associates. In many cases, internal audit may find the company's own employees working in concert with third parties and government officials. Perhaps its employees are personally receiving kickbacks. If auditors are lucky, they will "only" find private corruption — payments between commercial companies with no government officials involved. Private corruption still costs companies, and they have to deal with the FCPA issue of intentionally falsified corporate records made by employees to cover up the private corruption.</p><p>It is likely internal auditors will not be comfortable trusting anyone in the company's local country management, and auditors will not want to let local management know they have suspicions before auditors actually start their investigation. Even if they are not involved, local managers may not appreciate the danger to the parent company. They may try to conduct their own amateur investigation, or simply call a meeting of their managers and ask them what happened. 
In either case, they will alert the perpetrators and evidence will be destroyed, documents fabricated, or stories aligned so that an actual professional investigation will be much longer, more difficult, and expensive. </p><p> <br> </p>Art Stewart
Following the Moneyhttps://iaonline.theiia.org/2016/Pages/Following-the-Money.aspxFollowing the Money<p>Money laundering accusations have led Canadian payment processor PacNet to be branded a "significant transaction criminal organization" by the U.S. Treasury Department, <a href="http://www.cbc.ca/news/canada/british-columbia/pacnet-criminal-fraud-treasury-1.3774587" target="_blank">CBC News reports</a>. Treasury officials say PacNet has acted as a middleman between fraudsters and their victims in a large number of mail fraud schemes. They allege the victims would send money through a partner company to PacNet's processing operation, which would transfer it to criminals through a holding account. The Treasury designation names 12 individuals and 24 entities connected to the payment processor. PacNet claims it was misled by clients.</p><h2>Lessons Learned</h2><p>This story clearly demonstrates that individuals, companies, and institutions are at risk of mail fraud and must take steps to protect themselves as best they can. While the charges involving PacNet have yet to be heard in court, innocent or not, third-party organizations are facilitating a worldwide explosion in mail fraud. </p><p>Here's how these crimes are carried out: To shield their operations from authorities, fraudsters need a way to process payments that won't easily link them to their scheme or raise red flags. Many banks and financial institutions will shut down an account or report it to authorities if they detect suspicious activity such as a high number of small deposits, complaints, or refunds. Instead, con artists and other fraudsters turn to payment processors, most of which have a heavy online presence. </p><p>Payment processors have relationships with banks around the world, and can set up accounts for clients in the countries in which they do business, processing payments in currencies ranging from the British pound to the Indonesian rupiah. 
This gives fraudsters the ability to access victims and bank accounts in countries far from their home base. These criminals use a wide range of fraud schemes — from lottery prizes to charitable causes to goods and services purchased by companies and institutions — to illegally collect payments that will disappear forever, payments that frequently end up with a payment processor. The processor then deposits the money into an account under its own name and takes a cut as a commission. It holds on to the rest of the funds until they are sent to the fraudster's own bank account, typically through a wire transfer. There are so many layers that victims usually have no idea that a payment processor was involved. </p><p>U.S. regulators and enforcement agencies are on the right track in investigating and taking action against payment processing companies that are implicated in facilitating mail fraud schemes, even where that company is not a U.S. firm. Greater scrutiny and increased penalties would help further.</p><p>But the payment processing industry itself should not step back and take an "it's between the buyer and seller," hands-off approach. The industry appears to be much more focused on potential fraud by customers than that perpetrated by sellers and providers. Processors should take further strides to increase consumer and business education about the risks of mail fraud committed by sellers and to strengthen their knowledge and controls over potential seller fraud, such as by:</p><ul><li><p>Reviewing whether prevailing account-opening procedures are adequate to prevent fraudulent receiving accounts. Some countries, such as South Africa, require that a national fingerprint database be accessed to verify the identity of account holders. 
Denmark offers a more practical model to follow, in which payment processors and banks have built-in delays that prevent both users and providers from making or receiving payments for several days after opening an account.</p></li><li><p>Using analytics, such as velocity checks and pattern recognition checks, to detect fraud that processors otherwise would not notice. This would include factors such as providers and sellers with connections to high-risk countries, high-risk types of products and services such as lottery sales and solicitations of money for causes, and volumes of complaints. Analytics can be used to flag suspicious recipient account holders, and then place a hold on payments to the account, review transactions, inform customers and regulators, or reject the transactions outright. The use of analytics provides an extra barrier when fraudulent transactions are initiated.</p></li><li><p>Particularly in a real-time environment, an anti-fraud best practice for a payment processor is to calculate the probability of a transaction being fraudulent (also known as scoring transactions) and refer suspicious transactions to the organization's anti-fraud unit or a manager with experience in reviewing such transactions for decision-making instead of blocking the transaction outright. This allows processing operators to capitalize on the fact that they can sometimes detect patterns that customers and businesses might miss, such as a suspicious set of transactions originating from one source and headed for multiple receivers. Few payment processors actually employ such techniques. Many state that they do not have the financial strength to accept liability for fraud cases that may slip through, and some operators have expressed concerns that establishing fraud checks could reduce the incentive of banks to establish effective prevention mechanisms. 
Nevertheless, and particularly for the largest and most profitable payment processors, these kinds of measures should be included in any set of best practices.</p></li></ul><p></p>Art Stewart
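The velocity check, the one-source-to-many-receivers pattern check, and the score-then-refer decision described in the list above, sketched as an added example (not code from the article or from any payment processor). Every threshold, point weight, category name, and sample account is a constructed assumption, and the additive point score stands in for a fraud-probability model.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative assumptions: every threshold, weight and category name below.
WINDOW = timedelta(hours=1)
SMALL_PAYMENT = 50.00            # ceiling for a "small" payment
VELOCITY_LIMIT = 5               # small payments per receiver per window
FANOUT_LIMIT = 3                 # distinct receivers per source per window
NEW_ACCOUNT_AGE = timedelta(days=3)
HIGH_RISK_CATEGORIES = {"lottery", "charity_solicitation"}
COMPLAINT_RATE_LIMIT = 0.02
REFER_AT = 50                    # points at or above this go to a reviewer


@dataclass(frozen=True)
class Seller:
    account: str
    opened: datetime
    category: str
    complaints: int
    payments: int


@dataclass(frozen=True)
class Txn:
    ts: datetime
    source: str
    receiver: str
    amount: float


class Scorer:
    """Scores each payment using the risk of the receiving (seller) account."""

    def __init__(self, sellers):
        self.sellers = {s.account: s for s in sellers}
        self.by_receiver = defaultdict(list)   # receiver -> [(ts, amount)]
        self.by_source = defaultdict(list)     # source -> [(ts, receiver)]

    def score(self, txn):
        """Return (points 0-100, reasons) and add txn to the in-memory history."""
        seller = self.sellers.get(txn.receiver)
        if seller is None:                     # never onboarded: always review
            return 100, ["unknown_receiver"]
        cutoff = txn.ts - WINDOW
        points, reasons = 0, []

        # Velocity check: burst of small payments into one receiving account.
        small = sum(1 for ts, amt in self.by_receiver[txn.receiver]
                    if ts >= cutoff and amt <= SMALL_PAYMENT)
        if txn.amount <= SMALL_PAYMENT and small + 1 > VELOCITY_LIMIT:
            points, reasons = points + 50, reasons + ["velocity"]

        # Pattern check: one source paying many different receivers.
        seen = {r for ts, r in self.by_source[txn.source] if ts >= cutoff}
        if len(seen | {txn.receiver}) > FANOUT_LIMIT:
            points, reasons = points + 50, reasons + ["fan_out"]

        # Seller-side factors: product type, complaint volume, account age.
        if seller.category in HIGH_RISK_CATEGORIES:
            points, reasons = points + 20, reasons + ["high_risk_category"]
        if seller.payments and seller.complaints / seller.payments > COMPLAINT_RATE_LIMIT:
            points, reasons = points + 20, reasons + ["complaint_rate"]
        if txn.ts - seller.opened < NEW_ACCOUNT_AGE:
            points, reasons = points + 30, reasons + ["new_account"]

        self.by_receiver[txn.receiver].append((txn.ts, txn.amount))
        self.by_source[txn.source].append((txn.ts, txn.receiver))
        return min(points, 100), reasons


def decide(points):
    """Refer suspicious payments to the anti-fraud unit instead of blocking."""
    return "refer" if points >= REFER_AT else "approve"


def run_demo():
    """Constructed data; returns [(source, receiver, points, decision, reasons)]."""
    t0 = datetime(2016, 10, 3, 9, 0)
    old = datetime(2014, 1, 1)
    sellers = [Seller(n, old, "retail", 1, 1000)
               for n in ("shop-A", "shop-C", "shop-D", "shop-E")]
    sellers.append(Seller("prize-B", t0 - timedelta(days=1), "lottery", 3, 50))
    txns = [Txn(t0, "p1", "shop-A", 120.00)]
    txns += [Txn(t0 + timedelta(minutes=i), f"v{i}", "shop-A", 20.00)
             for i in range(1, 7)]
    txns.append(Txn(t0 + timedelta(minutes=10), "v1", "prize-B", 30.00))
    txns += [Txn(t0 + timedelta(minutes=20 + i), "s9", r, 200.00)
             for i, r in enumerate(["shop-A", "shop-C", "shop-D", "shop-E"])]
    scorer, out = Scorer(sellers), []
    for t in txns:
        pts, why = scorer.score(t)
        out.append((t.source, t.receiver, pts, decide(pts), why))
    return out


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```
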
Doing a Number on REITshttps://iaonline.theiia.org/2016/Pages/Doing-a-Number-on-REITs.aspxDoing a Number on REITs<p>The U.S. Securities and Exchange Commission (SEC) has charged two former financial executives of a Phoenix-based real estate investment trust (REIT) with overstating the company's financial performance, <a href="http://www.azcentral.com/story/money/business/2016/09/08/sec-brian-block-lisa-mcalister-phoenix-reit-improper-accounting/90068506/?adbid=774276247828307969&adbpl=tw&adbpr=390782790&adbsc=IAO65736126" target="_blank"><em>The Arizona Republic</em> reports</a>. According to the SEC, Brian Block, former chief financial officer (CFO) at American Realty Capital Properties, conspired with the then-chief accounting officer, Lisa McAlister, to manipulate a key cash-flow measure that investors use to evaluate REITs. When the company's accounting department warned that the first quarter results were based on an incorrect accounting method, Block allegedly falsified the company's presentation of its second quarter results to conceal the previous quarter's overstatement and make it appear that the company had met its second quarter estimates. In addition to the SEC charges, the U.S. Justice Department has filed criminal charges against Block and McAlister.</p><h2>Lessons Learned</h2><p>REITs have been an option for investors since the 1980s. Although they potentially are a risk-laden choice — nontraded REITs are even higher risk — many investors have profited significantly from the generally higher movements in the value of properties. But there also has been a rise of fraud by unscrupulous owners, managers, and others, as in this story. To better understand this kind of fraud, and how to prevent and detect it, a little background is needed on how financial and accounting methods are applied to REITs, including the particular measure called adjusted funds from operations (AFFO). 
</p><p>Before new accounting rules were adopted in June, it was common for REITs to pay out more than they reported in profit. That is because they were required, under U.S. generally accepted accounting principles (GAAP), to gradually depreciate their property much as a manufacturer depreciates machinery and equipment. The purpose of depreciating an asset under GAAP was to spread the cost over the item's useful life instead of taking the full hit all at once. In the case of REITs, it ended up distorting their bottom lines, making it appear as if they earned less money than they actually did. </p><p>But real estate doesn't depreciate that way. The land doesn't depreciate at all; in fact, if it's well-located, it usually goes up. And the building doesn't really depreciate in the manner that GAAP came up with, predictably over a certain period of time.</p><p>To get around this problem, REITs have used alternative, non-GAAP measures — namely, funds from operations (FFO) and AFFO — to assess their financial performance in a REIT's financial statements. The actual definitions are complex, but FFO is essentially operating profit excluding GAAP-style depreciation and any gains or losses on disposals of properties. AFFO is generally equivalent to FFO less an allowance for maintenance capital expenditures and leasing costs, to reflect the cash a REIT spends to maintain its buildings. In other words, AFFO is the real estate equivalent of profit, and it is a key metric for assessing a REIT's payout ratio.</p><p>There are two ways to deter REIT accounting fraud:</p><ul><li><p> <strong>Tightened regulatory and enforcement framework for REITs.</strong> The two executives in this case allegedly committed accounting fraud when they used a metric that did not comply with GAAP and deliberately inflated the company's results. 
The SEC asserts that the executives added 3 cents per share to the company's AFFO number and misled investors into believing the company was on track to meet its full-year guidance. As a potentially key deterrent to REIT accounting fraud, the SEC recently has cracked down on made-up numbers and vague language in U.S. publicly listed companies' earnings filings. The SEC has <a href="https://www.sec.gov/divisions/corpfin/guidance/nongaapinterp.htm">updated guidance</a> on the use of metrics that don't conform with GAAP, and companies should expect deeper scrutiny if they fail to comply. The updated rules allow companies to supplement their GAAP numbers with non-GAAP numbers to provide more detail, but they must provide the GAAP numbers first, give both sets of numbers equal prominence, and show how they reconcile.</p></li><li><p> <strong>Good governance by investors, boards, and audit committees.</strong> Despite his knowledge of a material error in previous SEC filings, American Realty Capital Properties' CFO took no steps to advise the audit committee, board, and outside auditors of the error, which went undetected for some time. All of these parties need to exercise careful, active vigilance and scrutiny of these kinds of numbers, especially because there are relatively few reliable measures of REIT financial performance. They should ask lots of questions when reviewing financial and performance statements, including from a long-term performance trend perspective. </p></li></ul><p></p>Art Stewart
