The CEO and Social Media<p>In the U.S. Securities and Exchange Commission (SEC) fraud suit against Tesla Inc. CEO Elon Musk, the SEC alleged Musk issued "false and misleading" statements and failed to notify regulators of "material company events." <a href="" target="_blank">CNBC reports</a> that in August, Musk tweeted, "Am considering taking Tesla private at $420. Funding secured." The tweet sent Tesla stock spiraling for weeks. Among other remedies, the SEC wanted Musk barred from serving as an officer or director of a publicly traded company. On Oct. 10, the SEC, Tesla, and Musk submitted a joint filing with the U.S. District Court, Southern District of New York, in support of a settlement, claiming the terms were in the best interest of investors. According to the settlement, Musk must pay a $20 million fine, and step down as Tesla's chairman for three years. Although not charged with fraud, Tesla agreed to accept a $20 million fine.</p><h2>Lessons Learned</h2><p>Since early 2014, the SEC enforcement division has increased its focus on internal control-related cases. The charges brought against Musk clearly illustrate how the scope of the SEC's focus on internal control rules is much broader than the typical questions that surround the completeness and accuracy of financial reports. It also brings up new questions about the appropriate use of social media by corporate leaders.</p><p>Board chairmen, CEOs, and chief financial officers, along with other senior company officials, are considered "control persons" for purposes of liability under various securities laws and SEC rules enforcing those laws. As such, they possess certain responsibilities regarding internal controls, which the SEC takes very seriously. As in this article, the consequences for failure to meet these responsibilities can be severe. However, auditors and management can help put in place precautions to help prevent running afoul of SEC rules.  
</p><ul><li>Developing, implementing, maintaining, and auditing/testing the effectiveness of a comprehensive set of internal controls is a fundamental requirement. There is considerable guidance available on this, including that which has been explicitly developed to reflect SEC requirements. One good example is The IIA's Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners. Internal controls clearly must address corporate governance, including communications — encompassing social media — regarding not only financial records and reports, but also business and investment related matters, past, current, and future.<br> </li><li>With particular regard to the circumstances surrounding Musk's use of social media, it is a little less clear what types of internal controls are required. In 2013, the SEC made clear that companies can use social media outlets like Facebook and Twitter to announce key information in compliance with Regulation Fair Disclosure so long as investors have been alerted about which social media will be used to disseminate such information. Netflix's CEO was investigated for a potentially improper release of a statement related to subscription sales, which in turn had an impact on the company's stock price, but the SEC did not pursue the matter. Presumably, Tesla has done its homework on this aspect. However, internal controls typically presume segregation of duties, but that can be quite powerless against a management override. It seems clear Musk did not consult anyone before musing on the possibility of taking Tesla private. </li></ul><p>Short form social media vehicles such as Twitter and Facebook represent a convenient means of communications available to all. They also represent a modern fraud risk to be assessed and mitigated, including through social media policies, board director training, and performance monitoring. </p>Art Stewart
Taking the City for a Ride<p>The former head of the Phoenix area's transit service has pleaded guilty to fraud charges of misusing public funds for personal purposes, <a href=""><em>The Arizona Republic</em> reports</a>. The plea comes three years after <em>The Republic</em>'s 2015 investigation alleged that then-Valley Metro CEO Stephen Banta spent public funds for first-class air travel and dinners. The state auditor general and attorney general allege that the amount of funds was more than $32,000. Moreover, a 2015 city of Phoenix audit found $315,000 in "questionable expenses" by Banta and the Valley Metro staff. The plea deal calls for Banta to serve one year of probation, but he could be sentenced to up to one year in prison and ordered to pay a $150,000 fine.</p><p><strong>Lessons Learned</strong></p><p>An effective combination of investigative journalism and internal auditing by the Phoenix city auditor has uncovered flagrant abuse and fraud involving several hundreds of thousands of dollars in travel, business and relocation expenses, and other benefits received by former CEO Stephen Banta. <a href="">The auditors' report</a> (PDF) contains several appropriate recommendations concerning major control weaknesses in Valley Metro's management of travel and business expenses that should help address and prevent future such occurrences. Here are the most important ones, along with some additional suggestions.</p><p><strong>Governance review.</strong> There should be a thorough review and adjustment, where necessary, of Valley Metro's board governance and accountability regime along with its control framework and policies. This is particularly necessary as it relates to ethics, the performance of board directors and executives, executive compensation, and controls over executive travel and benefits activities. Note that the internal auditors found that Banta and several other employees were in violation of several policies. 
This would be an opportunity to remedy several gaps found by internal auditors, including:</p><ul><li><span style="font-size:12px;">Specific language and compliance monitoring to ensure coverage of all executives by ethics and travel/business expense policies. For example, the agency had an ethics policy, but no one ensured that the CEO signed it.</span><br></li><li><span style="font-size:12px;">Increasing rigor in segregation of duties over approvals of travel and business expenses to prevent cronyism. Two senior staff members working directly for Banta authorized $115,000 in additional pay so he could avoid paying taxes on relocation travel expenses.</span><br></li><li><span style="font-size:12px;">Enforcement of requirements to provide documentation before and after approvals. The organization also should ensure that compliance with allowable persons and maximums of travel, relocation, and business expenses are enforced. One particular example of the former is that Banta and staff did not comply with policy requirements to submit itemized receipts for meals, including those they had together. This resulted in questionable dining expenses, which were wasteful and represented preferential treatment or a conflict of interest. An example of the latter is that Banta flew first class and paid higher hotel room rates than allowed. He also misused travel expenses by registering his wife and unidentified guests at conferences, traveling for no business purpose, or having no documentation. Furthermore, Banta and his wife took more than 50 relocation-related trips between Phoenix and Portland, Ore., where they had another home.</span><br></li><li><span style="font-size:12px;">Written policies and procedures regarding the process of awarding bonus pay. This gap resulted in overpayments to </span><span style="font-size:12px;">Banta.</span><br>​</li></ul><p><span style="font-size:12px;"><strong>Vacation and leave policy. 
</strong>Vacation and other types of leave policies must be consistently enforced for all employees, including executives. Banta took at least 50 days off and did not count it as vacation time, but no one challenged this. Similarly, all employees should account for all absences from the office. Banta went golfing many times during the workday, and most of the outings were found to not have a business purpose. <br></span></p><p><span style="font-size:12px;"></span><strong style="font-size:12px;">Board performance reviews.</strong><span style="font-size:12px;"> Regular and transparent reviews of board and executive performance are also essential. In this story, it appears that the performance of the chief financial officer, who approved many of Banta's questionable expenses, went unnoticed for too long.</span></p>Art Stewart
AML Negligence Proves Costly<p>Netherlands-based bank ING is paying for lax anti-fraud measures, <a href="" target="_blank"> <span style="text-decoration:underline;">the BBC reports</span></a>. The bank agreed to pay €775 million in fines after Dutch investigators found that errors in its policies failed to stop financial crimes. Investigators said "collective shortcomings" by management enabled customers to use their accounts for money laundering and other frauds between 2010 and 2016. </p><h2>Lessons Learned</h2><p>This story involving ING illustrates that it is vigilance and diligence that are needed to fight criminal activity, not negligence. It also is important to remember the dire consequences of such negligence: the link between money laundering and terrorist financing of terrible events such as the 9/11 attacks.</p><p>So much has been written about money laundering and how to detect and avoid it. Internal auditors should consider some recent leading practices in anti-money laundering (AML) when providing assurance on the adequacy and reliability of AML regimes.</p><p>First, most large multinational financial institutions, including ING, are covered by tough AML legislative and regulatory requirements. For example, the Dutch government has kept pace with European Union directives by adopting requirements for banks to conduct an AML risk analysis. It also has established detailed rules and authorities for banks to require specific ownership information about accounts and money. These rules carry the threat of sizeable financial penalties or even withdrawal of licensing to operate.</p><p>Most large banks face significant challenges in succeeding in the fight against money laundering. Most rely on legacy compliance processes to fight financial crimes that have grown so complex as to be barely manageable. 
Multiple iterations, multiple handovers, and too many manually controlled processes prevent banks from maintaining effective compliance systems. </p><p>This complexity has led to greater operational risks. Ironically, several large fines have resulted in part from the need for banks to spend time investigating what turned out to be false alarms or to escalate a decision about a potential problem to higher levels of management.</p><p>Four areas of leading practice for auditors to pay attention to are:<strong><br></strong></p><ul><li> <strong>An experienced, well-trained financial intelligence unit to analyze AML reports and data.</strong> If banks staff transaction-monitoring processes with inexperienced employees — especially when dealing with foreign or multi-country transactions — the amount of investigative effort will continue to increase. This could lead the bank to either emphasize risk reduction over efficiency, or the reverse — miss risks and the root causes of problems in more complex cases.<br><br>The financial intelligence unit also needs the authority and capacity to communicate frequently among other teams, such as due diligence analysts and transaction-monitoring teams. Moreover, the unit should release information to intelligence and law enforcement agencies when appropriate.<br><br> </li><li> <strong>A</strong><strong> streamlined, end-to-end AML compliance </strong> <strong>process.</strong> Banks have better AML results when they review their processes to define the desired future state of compliance, identify the gap between the future and current states, and mobilize the organization to redesign processes. To do this, some banks use a start-from-scratch view to set the baseline for compliance activities and roles, rather than starting from existing activities. <br> <br>An integrated AML compliance process can help address other dilemmas, such as when compliance questions are not aligned with regulatory objectives. 
Banks also can link the process to a system that would provide a better understanding of clients.<br> </li><li> <strong>A single source for all compliance processes.</strong> This source should consist of internal structured data that goes through a rules-based cleanup and is integrated into a database. That data should be enhanced with unstructured and external data such as text, voice, and pictures, some of which may come from web pages and search-engine results. Predefined algorithms then would process and score the data for relevance. <br> <br>This approach contrasts with the fragmented, siloed nature of many current compliance processes that require frequent manual interventions and delays. Low-quality and unstructured data resides within most banks without being fully integrated. This situation creates difficulties with client reference data and documentation sharing, as well as data extraction or aggregation from flawed databases. <br> <br>When data quality suffers, so does the quality of the compliance process. The rigidity of hard-coded monitoring algorithms makes it difficult to adjust for policy changes or client behaviors that drive up the volume of investigations, resulting in high false-positive rates.<br> </li><li> <strong>Advanced analytics and algorithms. </strong>Artificial intelligence increasingly uses enhanced databases to support a proactive compliance model. Human intervention remains valuable where machines cannot make better decisions. However, a growing number of tasks blend machines and people — data collection and analysis by the former; assessment of unclear data points by the latter. <br> <br>Regulatory technology companies may provide expertise to assist banks, ranging from know-your-customer or AML specialists, to customer on-boarding and workflow process services. These partnerships have their own risks, including knowledge transfer complexities and business/customer data privacy considerations. </li></ul>Art Stewart
The Slice and Dice Fraud<p>Hanzo Enterprises was a global operation that produced fine cutlery for sophisticated consumers. While assisting government authorities during a routine tax audit, the Asia-Pacific controller, Jane O'Ren, discovered that company policies on the retention of support documentation for invoices were not being followed and details behind these invoices were raising red flags. O'Ren soon determined that the exceptions were related to invoices processed by the Okinawa location controller, Bill Tripp. However, Tripp had left the company during a downsizing process more than a year earlier.</p><p>O'Ren reached out to Tripp via email to ask about the invoices in question. Tripp responded almost immediately, apologized, and indicated he would take care of it. He later sent a payment of $10,000. During the intervening time, O'Ren felt a knot forming in the pit of her stomach and reached out to Hanzo's chief financial officer, Brad Gates, about what she'd found. Gates listened and determined legal and internal audit needed to be contacted. Beatrix Hales, Hanzo's new chief audit executive (CAE), was subsequently asked to meet with corporate counsel to discuss the situation. </p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> <strong>Lessons Learned</strong><br> <ul><li>Hanzo Enterprises didn’t perform a fraud risk assessment, relying instead on its enterprise risk assessment, which allowed potential red-flag situations to go unaddressed.</li><li>Internal audit was structured to focus on Sarbanes-Oxley compliance, allowing attention to nonmaterial operations to slip. 
In essence, the third line of defense had governance failures.</li><li>Budget analyses were not performed at an appropriate level of detail to note excessive spending around renovations that were taking place at the subsidiary during Tripp’s tenure, and to question such.</li><li>Tripp’s fraudulent activity could have been detected earlier, or even prevented, if the review controls, such as invoice reviews, in place were executed appropriately.</li><li>Controls that were missing at the Okinawa location, including secondary review, segregation of duties, and exception reporting, were validated or implemented at all locations that were previously included within the scope of Sarbanes-Oxley controls testing.</li><li>Hanzo’s detective controls over third-party service providers, such as its third-party payroll provider, did not include validation of transmitted files by an individual independent of the process, so Tripp was able to easily manipulate the system. </li><li>Detective controls also were not in place to ensure the approved payment register tied — in vendor name and payment amount — to the actual bank payment register, allowing Tripp to alter payment amounts and create vendors.</li><li>Due diligence efforts during the hiring process were insufficient given the importance of the controller position and its breadth of responsibility. Because Hanzo Enterprises did not conduct due diligence during the new-hire process, it didn’t know that Tripp was a career criminal. Japan had strict privacy guidelines, but there were ways to ask the right questions to validate a candidate’s responses with governing agencies and that was not done. Had Hanzo followed through and confirmed the candidate’s background, it would have learned of Tripp’s past.</li></ul></td></tr></tbody></table> <p>After the meeting, a course of action was determined. The invoices at the Okinawa office needed to be reviewed for anomalies, discrepancies, support, and payment trails. 
Okinawa was a small operation and had not been included within the scope of U.S. Sarbanes-Oxley Act of 2002 controls testing. In fact, internal audit's focus had been primarily Sarbanes-Oxley testing at larger, in-scope locations, so it had not covered small operations globally. </p><p>The chief financial officer, internal audit, and corporate counsel selected a third-party firm based on language skills necessary to review and translate documents. Hales made sure the external auditors were kept informed of the progress of the review as the discovery was close to the completion of the company's quarterly financials. </p><p>The review started with invoices from the Okinawa operation to ensure issues weren't prevalent in other locations. The invoice review soon spread to human resources (HR) and payroll once it revealed that Tripp had wide control on that side of the operation, as well. The scope of the issues grew exponentially as the review proceeded, but internal audit and the third-party team were able to determine the issues were confined to the Okinawa operation.</p><p>The fraud review identified numerous control deficiencies that allowed Tripp to carry out different methods of theft. In the small operation, Tripp was the only person in charge of financial operations and HR. As such, he took advantage of his position in several ways.</p><p>As the Okinawa controller, Tripp was the only approver of invoices. The biweekly check run was sent as a file with supporting invoices to O'Ren for approval. Invoice review was not done at a level of precision to detect anomalies or even glaring fraudulent activity. Some paid invoices were for items Tripp purchased for his personal property or services provided.</p><p>Once the check run was approved, Tripp would log into the online bank account and change payment recipients. In many cases, payments were being sent to Tripp's credit card companies. He also easily created false vendors by editing the vendor master list. 
He was able to do both of these things without a requirement of secondary review.</p><p>Tripp also was in charge of the third-party payroll service interface and added extra funding to the file to get additional pay or expenses reimbursed without the requirement of secondary review. Lastly, he manipulated the funds sent to the company's pension administrator by convincing her to not only return erroneous overpayments, but to return them to an account different than the source — his own personal account. </p><p>The fraud review determined that over two years, Tripp stole more than $1 million. The efforts made by Hales to keep the audit committee and external auditors informed via status calls and check-ins kept worries at a minimum during the six-week investigation, and the interaction between legal and external audit helped build cooperation and coordination. Legal found that Hanzo's insurance policy had provisions for loss due to fraud, so the company was able to file a claim for most of the losses.</p><p>Oddly, Tripp cooperated during the fraud review, answering questions and admitting guilt whenever presented with proof. Authorities arrested Tripp and his wife, who also had a criminal past, and confiscated cash, property, and vehicles. <br></p>Michael McShea
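<p>The detective control described in the lessons above, tying the approved payment register to the bank payment register by vendor name and payment amount, can be sketched as follows. This is an added example, not part of the original article: the record layout, finding codes, and all sample data are constructed, and the vendor master is assumed to be a snapshot held independently of whoever releases payments.</p>

```python
"""Tie an approved check run to the bank's payment register (constructed data)."""
from dataclasses import dataclass
from decimal import Decimal as D


@dataclass(frozen=True)
class Payment:
    payment_id: str  # hypothetical reference carried on both registers
    vendor: str
    amount: D


def norm(name):
    """Case- and whitespace-insensitive vendor key, so formatting noise is not flagged."""
    return " ".join(name.lower().split())


def reconcile(approved, bank, vendor_master):
    """Return sorted (payment_id, code, detail) findings.

    vendor_master is assumed to be an independently held snapshot; if the
    person releasing payments can edit it, a created vendor passes this test.
    """
    approved_by_id = {p.payment_id: p for p in approved}
    bank_by_id = {p.payment_id: p for p in bank}
    master = {norm(v) for v in vendor_master}
    findings = []

    for pid, paid in bank_by_id.items():
        # Money left the account to a payee nobody independent has vetted.
        if norm(paid.vendor) not in master:
            findings.append((pid, "PAYEE_NOT_IN_VENDOR_MASTER", paid.vendor))
        ok = approved_by_id.get(pid)
        if ok is None:
            findings.append((pid, "UNAPPROVED_PAYMENT", f"{paid.vendor} {paid.amount}"))
            continue
        # Recipient or amount edited after the check run was approved.
        if norm(ok.vendor) != norm(paid.vendor):
            findings.append((pid, "PAYEE_CHANGED", f"{ok.vendor} -> {paid.vendor}"))
        if ok.amount != paid.amount:
            findings.append((pid, "AMOUNT_CHANGED", f"{ok.amount} -> {paid.amount}"))

    # Approved items that never reached the bank may have been swapped out.
    for pid in approved_by_id.keys() - bank_by_id.keys():
        findings.append((pid, "APPROVED_NOT_PAID", approved_by_id[pid].vendor))
    return sorted(findings)


# Constructed sample: the check run as approved, and what the bank actually paid.
VENDOR_MASTER = ["Harbor Steel Supply", "Coastal Logistics", "Island Packaging", "Summit Facilities"]
APPROVED = [
    Payment("CR-001", "Harbor Steel Supply", D("4200.00")),
    Payment("CR-002", "Coastal Logistics", D("1850.50")),
    Payment("CR-003", "Island Packaging", D("990.00")),
    Payment("CR-004", "Summit Facilities", D("1200.00")),
]
BANK = [
    Payment("CR-001", "HARBOR STEEL  SUPPLY", D("4200.00")),  # formatting only
    Payment("CR-002", "Card Services Ltd", D("1850.50")),     # payee swapped
    Payment("CR-003", "Island Packaging", D("1990.00")),      # amount altered
    Payment("CR-005", "Reef Renovation Co", D("7500.00")),    # never approved
]

if __name__ == "__main__":
    for finding in reconcile(APPROVED, BANK, VENDOR_MASTER):
        print(*finding, sep=" | ")
```

<p>The comparison only has value when it is run by someone other than the person who submits the check run and releases the payments.</p>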
The Ones You Least Suspect<p>Anyone who has been exposed to employee fraud knows how unsettling it can be to learn that someone known and trusted has betrayed co-workers and the organization itself. Shocked employees wander the office halls, whispering to each other, “I would never have suspected him of doing something like that.” </p><p>And the perpetrator may, indeed, be a likable, friendly person who maintained cordial relationships with colleagues. Even good people occasionally stumble. </p><p>Internal auditors are responsible for understanding and assessing the red flags that may indicate that such a stumble is being considered or has already occurred. Proactive recognition and response can go a long way toward protecting the enterprise from the financial and reputational damage a successful fraud can create. </p><h2>Holding the Line</h2><p>Fraud represents one of the many risks associated with an unhealthy culture (see “It Starts With Culture” at right), and one that internal audit can address directly in its capacity as the third line of defense. The first line, management, sets, communicates, and models desired values and conduct. The second line, oversight functions such as an ethics office, monitors risks related to employee conduct and compliance with policies and procedures. Internal audit assesses various functions and lines of business and determines whether values and behaviors that drive strategy and good performance are embedded in the organization. </p><table class="ms-rteTable-default" cellspacing="0" style="width:100%;"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>It Starts With Culture</strong><p>Fraud is often enabled, even supported, by the culture of the organization, but understanding that culture is often easier said than done. Part of the problem involves coming to agreement on the definition of <em>organizational culture</em>. 
Most definitions allude to values, attitudes, beliefs, and behaviors — even taboos, symbols, rituals, and myths — that determine how a company’s management and staff interact internally and conduct business transactions. Perhaps the most direct definition is that culture is “how we do things around here.”</p><p>Regardless of the definition, ethics undoubtedly plays a significant part in an organization’s culture. Organizational ethics define how the company expects its employees to behave — expectations that are conveyed to employees in written form (policies, procedures, a code of conduct) and behavioral form (tone at the top).</p><p>As an ethical concept, tone at the top is frequently cited but not always fully appreciated — even though it is so powerful that its misuse can undermine all the other elements in place to prescribe ethical conduct. Tone illustrates vividly the fact that, when it comes to ethics, what matters most is not what is said, but what is done. One need only glance at Enron’s code of ethics, which called for employees to perform in accordance with “all applicable laws and in a moral and honest manner,” to see the difference between “walk” and “talk.”</p><p>Organizations should care about employees’ behavior for a multitude of reasons, but a primary concern is that, when unethical behavior goes unaddressed, it can erode the organizational culture — and anything that damages the culture damages the company. In a 2015 Duke University study, Corporate Culture: Evidence From the Field, more than 90 percent of CEOs and chief financial officers indicated their conviction that improving organizational culture would improve their companies’ value. Why? Because they believe culture influences productivity, creativity, profitability, and growth rates. </p><p>Culture is not just a “nice to have”; it ties directly to the bottom line. 
In a 2017 research report titled, Transforming Attitudes and Actions: How Senior Leaders Create Successful Workplace Cultures, 600 senior leaders — from India, Germany, Indonesia, and the U.S. — were asked about their companies’ culture and its contribution to success. Ninety-two percent say that organizational culture has a high impact on financial performance, so much so that 84 percent report they are currently taking steps to improve the culture in their organizations.<br></p></td></tr></tbody></table><p>Although this role may be clear to internal auditors, how to approach it may be less apparent. The job can be tackled in many ways, but two objectives should remain paramount: understanding behaviors (red flags) associated with fraud — remembering that no one, even a “good” person, is immune from forces that may lead to misconduct — and considering the possibility of fraud on every audit.</p><p><strong>Understanding Behaviors Associated With Fraud</strong> Criminologist Donald Cressey’s fraud triangle theory indicates that frauds require three elements: pressure, opportunity, and rationalization. Fraudsters are often experiencing some type of pressure, at work or at home, real or imagined. They seek an opportunity to alleviate the pressure (via misdeed), and they must then be able to justify the behavior to themselves (“I deserve it,” “Everyone is doing it,” “No one will know”). Knowing this chain of events makes it easier to understand how employees who are generally esteemed and respected may suddenly commit fraud. 
When people faced with a nonsharable financial problem realize they can alleviate that problem through violation of a position of financial trust, and are able to convince themselves that their dishonest actions don’t run afoul of their personal codes of conduct, they make a transition Cressey describes as going from “trusted persons” to “trust violators.” </p><p>The fraud triangle’s opportunity element may be easier for internal auditors to identify, as it often arises through a lack of controls. It may be more difficult to discern when someone is feeling pressured — especially because, in some organizations, working under pressure represents the norm. One indicator of pressure may be a sudden change in working hours: arriving early or leaving late may hint at trouble at home or a desire to be alone at the workplace. Or an employee may display a sudden enhancement of lifestyle not commensurate with his or her salary, demonstrated through luxuries such as an expensive car, a high-end watch, an upgraded wardrobe, or an exotic vacation. Fraud may have supplied the original funding for these items, and pressure to maintain them may lead to repeated misconduct. (For additional indicators of potential fraud, see “Red Flags of Unethical Behavior” below)</p><p>How do internal auditors balance their responsibility to identify suspicious employee behavior against their need to maintain good relationships? They apply healthy skepticism, which is not an automatic and cynical predisposition to distrust, but the appropriate use of questioning to see beyond the superficial. <br></p><p> <strong>Fraud in Every Audit</strong> Internal auditors must begin every audit aware that fraud may exist. They cannot assume that a particular area or individual is incorruptible. 
Even minor ethics violations can spiral into something much bigger and more damaging to the organization, which is why internal auditors must maintain a thorough understanding of codes of ethics, policies, and procedures; organizational structures and defined roles and responsibilities; and compensation policies. </p><p>Internal auditors must remember that they are not only auditing processes, they are auditing people. Even good people can — under certain circumstances — commit unethical and fraudulent acts. Practitioners need to understand that, although most people want to do the right thing, definitions of what is “right” can vary, depending on culture and context. To get to the bottom of potential or actual fraud, internal auditors must have probing conversations with employees, gathering pertinent information but avoiding overreliance on their representations. </p><h2>Trust but Verify</h2><p>How do internal auditors meet their dual responsibilities of recognizing the red flags of fraud and considering fraud in every audit? They must first open their eyes to the possibility that everyone, in the “right” circumstances, is capable of committing fraud. Then, using this heightened sense of awareness, they can start asking employees appropriate questions and listening carefully to the answers:</p><p></p><ul><li>Do you believe employees of this company behave ethically? If not, do you believe they will be caught? If they are caught, do you believe they will be punished? Why or why not? </li><li>Do you think transparency exists around the reasons behind key decisions? </li><li>Do you think compensation is fairly tied to organizational objectives?</li><li>Are you aware of, or have you noticed, any activity that might indicate that fraud is taking place? 
Have you noticed any unusual behaviors by other employees, such as a change in lifestyle?</li><li>Do you think people trust the whistleblower process and have confidence there will be no retaliation against those who use it? </li></ul><p><br></p><p>These questions can smooth the path for internal auditors to address tone at the top by enabling them to structure their conversations with senior management around the employees’ perceptions of company ethics.</p><p>In addition to questioning, various types of tests can be used to identify red flags. Some typical areas to investigate could include:</p><p></p><ul><li>Vendors with the same contact information as employees or multiple vendors with the same contact information.</li><li>Pre- or post-dated transactions.</li><li>Consecutively numbered invoices and invoices in amounts just below the threshold for review.</li><li>Patterns in the data — as identified by data analytics — that may indicate fraud (e.g., invoice amounts that end in .00, transactions made by upper management, transactions made late in the accounting period).</li><li>Employees’ use of their mandatory vacation time.</li><li>Transactions processed outside normal channels. If such transactions exist, some follow-up questions may be useful: How is this transaction normally handled? When is it not done that way? How else could it be done?</li></ul><p><br></p><p>Finally, internal auditors can learn quite a bit simply by keeping their eyes open and asking themselves a few questions, such as: <br></p><ul><li>Do employees display an unusual degree of deference to leadership?</li><li>Are values and conduct understood and aligned organizationwide?</li><li>Does the organization’s culture foster a general sense that what is good for the organization trumps everything else — that results are more important than standards?</li><li>Do management training and leadership programs stress management’s responsibility to model and advocate for integrity? 
</li><li>Do employees appear to suffer unreasonable pressure to perform? Is management trained to identify and minimize the sources of pressure?</li></ul><p><br></p><p>Internal auditors’ ability to ask pertinent questions, listen for messages between the lines, watch for both tangible evidence and suggestive behaviors, test objectively and independently, and constantly ask “why?” makes them particularly well-suited to uncovering fraud indicators. Their efforts can go a long way in contributing to the organization’s fight against fraud.</p><h2>Red Flags Unfurled</h2><p>Ultimately, instituting a program that places fraud recognition and awareness on the front burner does not require an overhaul in the way internal auditors approach their work. It does, however, require an understanding of the red flags associated with fraud and an acknowledgment that, in every audit, opportunities for fraud, past or present, may exist. And critically, it requires internal auditors to hold on to their inherent trust in people, while recognizing that even those who raise the least suspicion may in fact be quite capable of organizational wrongdoing. </p><p><img src="/2018/PublishingImages/Chambers_red-flags-of-unethical-behavior-p50.jpg" alt="" style="margin:5px;width:700px;height:875px;" /><br></p>Richard F. Chambers
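<p>The red-flag tests listed under "Trust but Verify" (shared vendor and employee contact details, pre- or post-dated transactions, consecutively numbered invoices, amounts just below the review threshold, amounts ending in .00, and late-period postings) can be run as simple data analytics. The following is an added example, not part of the original article; the field names, threshold values, and sample records are assumptions constructed for illustration.</p>

```python
import calendar
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Assumed policy values; set them from the organization's own approval rules.
REVIEW_THRESHOLD = Decimal("5000")  # invoices at or above this get a second review
NEAR_THRESHOLD = Decimal("0.95")    # "just below" = within 5% under the threshold
MAX_AGE_DAYS = 60                   # invoice dated this long before posting is unusual
PERIOD_END_DAYS = 2                 # posted in the last N days of the month

# Constructed sample data. Employee and vendor ids must not overlap.
EMPLOYEES = [
    {"id": "E1", "phone": "613-555-0101", "address": "12 Elm St, Ottawa"},
    {"id": "E2", "phone": "613-555-0102", "address": "40 Oak Ave, Ottawa"},
]
VENDORS = [
    {"id": "V1", "phone": "(613) 555-0101", "address": "PO Box 9, Ottawa"},
    {"id": "V2", "phone": "613-555-0200", "address": "7 King Rd, Unit 2"},
    {"id": "V3", "phone": "613-555-0300", "address": "7 King Rd., Unit 2"},
    {"id": "V4", "phone": "613-555-0400", "address": "99 Main St"},
]
INVOICES = [
    {"vendor": "V1", "number": "1001", "amount": Decimal("4900.00"),
     "dated": date(2018, 3, 5), "posted": date(2018, 3, 7)},
    {"vendor": "V1", "number": "1002", "amount": Decimal("4985.50"),
     "dated": date(2018, 4, 3), "posted": date(2018, 4, 5)},
    {"vendor": "V2", "number": "A-778", "amount": Decimal("1210.37"),
     "dated": date(2018, 4, 20), "posted": date(2018, 4, 12)},
    {"vendor": "V4", "number": "5520", "amount": Decimal("812.40"),
     "dated": date(2018, 1, 2), "posted": date(2018, 3, 30)},
    {"vendor": "V4", "number": "5533", "amount": Decimal("640.15"),
     "dated": date(2018, 4, 10), "posted": date(2018, 4, 11)},
]


def norm(value):
    """Canonical form so '(613) 555-0101' and '613-555-0101' compare equal."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def shared_contacts(vendors, employees):
    """Map each vendor id to the employees or other vendors sharing its phone or address."""
    owners = defaultdict(set)
    for row in list(vendors) + list(employees):
        for field in ("phone", "address"):
            if row.get(field):
                # Key on the field name too, so a phone never matches an address.
                owners[(field, norm(row[field]))].add(row["id"])
    vendor_ids = {v["id"] for v in vendors}
    hits = defaultdict(set)
    for ids in owners.values():
        if len(ids) > 1:
            for vid in ids & vendor_ids:
                hits[vid] |= ids - {vid}
    return {vid: sorted(others) for vid, others in hits.items()}


def invoice_flags(invoices):
    """Map (vendor, invoice number) to a sorted list of red flags; clean invoices are omitted."""
    flags = defaultdict(set)
    numeric = defaultdict(dict)  # vendor -> {invoice number as int: key}
    for inv in invoices:
        key = (inv["vendor"], inv["number"])
        amount, posted = inv["amount"], inv["posted"]
        if REVIEW_THRESHOLD * NEAR_THRESHOLD <= amount < REVIEW_THRESHOLD:
            flags[key].add("just_below_threshold")
        if amount == amount.to_integral_value():
            flags[key].add("round_amount")
        age = (posted - inv["dated"]).days
        if age < 0:
            flags[key].add("dated_after_posting")
        elif age > MAX_AGE_DAYS:
            flags[key].add("dated_long_before_posting")
        last_day = calendar.monthrange(posted.year, posted.month)[1]
        if last_day - posted.day < PERIOD_END_DAYS:
            flags[key].add("period_end")
        if inv["number"].isdigit():
            numeric[inv["vendor"]][int(inv["number"])] = key
    # Back-to-back numbers from one vendor suggest it bills no other customer.
    for numbers in numeric.values():
        for n, key in numbers.items():
            if n + 1 in numbers:
                flags[key].add("consecutive_number")
                flags[numbers[n + 1]].add("consecutive_number")
    return {key: sorted(found) for key, found in flags.items()}


if __name__ == "__main__":
    for vendor, others in sorted(shared_contacts(VENDORS, EMPLOYEES).items()):
        print(f"{vendor} shares contact details with {', '.join(others)}")
    for (vendor, number), found in sorted(invoice_flags(INVOICES).items()):
        print(f"{vendor} invoice {number}: {', '.join(found)}")
```

<p>Each flag is a prompt for follow-up questions, not proof of fraud; a vendor or invoice carrying several flags at once is the natural place to start.</p>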
Foreign Bank Fraud<p>The recent conviction of Paul Manafort on eight charges of bank and tax fraud is a reminder that financial institutions need to take strong measures to prevent and detect fraud. Putting aside the politics, this case is about bank fraud, failure to register foreign bank accounts, and filing false tax documents. <a href="" target="_blank">Politico</a> reports Manafort was accused of hiding much of the $60 million he earned consulting for Ukraine's president and other political leaders between 2010 and 2014 and failing to report the amount to the U.S. government. He also allegedly transferred more than $15 million to the U.S. without paying taxes on it. </p><h2>Lessons Learned</h2><p>To uncover and prevent bank fraud, vigilance by financial institutions and their officials is essential, backed up by strong policies and procedures. Measures to take include:</p><ul><li>Establishing a clear bank fraud/anti-money laundering policy and appointing an anti-money laundering officer responsible for handling legal obligations to report suspicious activities to authorities.<br> </li><li>Undertaking a fraud risk assessment, paying particular attention to high-risk clients such as those with significant international connections and types of financial transactions. As part of that assessment, organizations should thoroughly check the identity and background of clients, trading partners, or anyone else involved in moving money into, out of, or around the institution.<br> </li><li>Assigning sufficient numbers of senior experienced staff to scrutinize the source of funding for accounts, deals, or investments. Moreover, these staff members should devise and enforce a procedure for third parties to disclose their funding sources. <br> <br>In this story, bank officials eventually assembled a massive number of documents such as emails, bank records, and invoices. 
These documents enabled them to testify that Manafort provided inaccurate information about his income and debts, and whether properties were being used by family members or as rental units. Officials also uncovered unusual payment methods such as wire transfers from oddly named foreign bank accounts. Data analytics can help pinpoint areas of concern.<br> </li><li>Introducing accounting and cash-handling procedures that make it hard for bank fraud to happen. That includes enforcing a no-cash policy on transactions that are more than a specified amount.<br> </li></ul><p>Regarding the failure to register or report a foreign bank account, financial institutions and the U.S. Internal Revenue Service (IRS) could use several methods to uncover such activities, including:</p><ul><li>Foreign income or financial accounts must be reported to the IRS as part of an information-sharing treaty enacted by the U.S. Foreign Account Tax Compliance Act. Suspicious activity forms may be submitted to the IRS by banks, auto dealers, and other institutions that suspect tax evasion and other activities. Authorities can receive this kind of information from other sources. For example, adult children who apply to U.S. universities may inadvertently provide information about foreign income and payments.<br> </li><li>The movements of individuals attempting to hide foreign bank accounts can be used to detect fraud. For example, an individual who seeks to renew a passport may provide a Social Security number, which is then sent to the IRS. Other examples include entering the U.S. using a foreign passport indicating that the individual was born in the U.S., or when the individual's name appears on stolen information on foreign financial accounts, which are passed on to the IRS.<br> </li><li>Business documents can reveal potential fraud. For example, an individual may be listed on another U.S. citizen's tax return or foreign business documents, which have been shared with the IRS. 
Forming a corporation or partnership in a foreign country may require the individual to identify the owner as a U.S. citizen.<br> </li><li>Whistleblower reports are an effective source of fraud tips. The IRS offers finder fees for individuals who report other individuals for not paying their income taxes.<br> </li></ul><ul><li>If the individual was thinking he or she could take advantage of an Offshore Voluntary Disclosure Initiative to avoid enforcement action, the federal government ended this program this year. </li></ul>Art Stewart
Trouble in the Emergency Room<p>A California-based hospital chain has agreed to pay $65 million to settle a federal lawsuit alleging the company had fraudulently admitted emergency room patients who didn't need that level of care, <a href="" target="_blank"> reports</a>. The suit alleges that by increasing the number of emergency room patients in its California hospitals, Prime Healthcare could bill Medicare at higher in-patient rates, often for medically unnecessary care. </p><p>A Prime nurse secretly recorded evidence that the company had set quotas for admitting Medicare patients and had questioned doctors who discharged patients rather than admitting them. The alleged scheme lasted from 2006 to 2013. </p><p>As part of the settlement, the whistleblower will receive more than $17 million. Prime was not required to admit "improper conduct or wrongdoing." </p><h2>Lessons Learned</h2><p>This story reveals yet another facet of how the health-care system is being defrauded from every angle. The problem is financially enormous. In the U.S., the National Healthcare Anti-Fraud Association estimates health-care fraud losses are $80 billion annually. Other industry sources estimate the losses to be more than $200 billion. This accounts for 3 percent to 10 percent of the more than $2 trillion spent annually on health care.</p><p>Three interrelated strategies may be among the most effective in combatting this kind of fraud: analytics and big data that uncover anomalies transposable to nationwide situations, active oversight and proactive investigation by health-care providers and regulatory overseers, and well-structured whistleblower programs that bring suspicious activity into the light.  </p><ul><li> <strong>Data analytics and big data.</strong> Health-care providers should leverage data analytics to find errors and fraud, even within the complex coding and billing structures and processes of the health-care system. 
In the health insurance industry, payment of claims is primarily governed by codes that identify treatments and procedures and serve as the basis for the payments. <br> <br>The latest version of the medical coding guide was implemented in 2014. In part, the guide was designed to deter fraud and discourage abuse by adding an increased level of detail to every code. However, there are more than 67,000 diagnosis and 87,000 procedure codes. The length and structure of each code — seven alphanumeric characters — has led to many coding errors. Inexperience with the restructured codes, a lack of training in coding, and overworked staff also contribute to errors. <br> <br>Using advanced "big data" platforms focused on the specifics of health-care systems — these may be in-house or through service providers — identifying claims that may involve fraud, waste, or abuse is no longer as tedious and time-consuming as before. That includes billing for more expensive services and procedures, or "up-coding," the fraud tactic in this story. <br> <br>Machine learning and big data can identify potentially fraudulent or wasteful claims on a daily or more frequent basis. Algorithms can run at the same time as claims are batch processed. As a result, they can immediately identify questionable claims and send them to clinical coding experts for review. <br> <br>Health-care providers should identify potentially fraudulent or erroneous transactions before payment is made, rather than using the "pay-and-chase" model that may not guarantee the return of overpayments. Effective fraud detection, however, should be a layered approach that includes other forms of analytic reviews to avoid flagging false positives. 
<br> <br></li><li> <strong>Health-care providers and regulators.</strong> Communication and sharing of big data among health-care companies and regulators is essential. The fraud in this story took place in California, but Prime owns hospitals located throughout the U.S. The likelihood that this kind of activity is occurring in other regions where Prime operates and other parts of the company may be high. <br> <br>Hospital operators and their regulators need to leverage data analytics to efficiently determine whether similar problems exist within their broader operations. Regulators using advanced analytics also can scrutinize links between multiple providers to see whether an unethical or illegal activity associated with one provider may also be practiced by another. <br> <br></li> <li> <strong>Whistleblower program.</strong> An effective whistleblower policy and program is essential for all organizations, but it's especially important for health-care providers in light of industry-specific legal mandates and best practices. Under the U.S. Sarbanes-Oxley Act of 2002, criminal penalties apply to organizations that retaliate against an employee who reports suspected illegal activity. Having an effective whistleblower policy evidences intent to comply with Sarbanes-Oxley. </li></ul>Art Stewart
Reuse Abuse<p>The U.K.'s national recycling system is prone to fraud and error, the National Audit Office (NAO) reports. Although the U.K. government previously estimated the nation had exceeded its overall packaging target each year since 1997, businesses may be overstating how much paper, plastic, and other materials they recycle, <a href="" target="_blank">according to <em>The Telegraph</em></a>.</p><p>The NAO estimates that 10 percent of packaging sent to recycling plants cannot be recycled because of contamination. Meanwhile, some materials are shipped to other countries where it is likely they will not be recycled, and worse, may be thrown into the sea. </p><p>Plastic recycling is particularly susceptible to fraud because of financial incentives. In addition, the NAO report found some of the U.K.'s largest companies have not paid into the recycling system — some for more than a decade.</p><h2>Lessons Learned</h2><p>There is at least one striking comment made within the NAO's review of the U.K.'s plastics recycling programs: "The government should have a much better understanding of the difference this system makes and a better handle on the risks associated with so much packaging waste being recycled." </p><p>Based on reviewing the limited number of audits conducted of recycling programs in Canada, Europe, the U.K., and the U.S., not only are there issues with potential overstatement of recycling levels, but also the measured achievement of program goals is declining over time. This observation extrapolates to recycling programs more generally. </p><p>While recycling programs are not new, the scope and scale of modern approaches to this societal issue certainly are. Moreover, auditors' involvement and experience in helping governments identify risks such as fraud and recommending improvements to these programs appear to still be emerging. 
Here are some key elements of an effective recycling audit program, with a particular eye to the issues the NAO identified.</p><ul><li> <strong>Define the scope of recycling programs. </strong>Even the basic definition of <em>recycling</em> is important to clarify. A Canadian Standards Association (CSA) definition is among the clearest and most comprehensive:<br> <br>"The amount of material recycled as a percentage of the amount of targeted material collected (inbound) minus reuse and shrinkage. The recycling efficiency rate must reflect the net mass balance of all processing of that material, not simply one service provider's gate-to-gate efficiency rate."<br> <br>The current reality is that these definitions vary, at times considerably, from country to country and within particular country jurisdictions. Adding to this is the need to clearly identify the policy goals and expected outcomes of recycling programs. Prevention and reuse are commonly articulated policy goals, but they are not necessarily consistently defined or scoped among jurisdictions. Program components such as composting, separating, processing, and disposal services need clear definition and alignment with other relevant jurisdictions to permit useful comparisons.<br> </li><li> <strong>Establish, monitor, and report on a recycling program performance measurement framework. </strong>This work needs to address performance measures adequately enough to provide sufficient and reliable information to conclude on the effectiveness and efficiency of the program. It should cover the completeness, measurability, and consistency across the entire recycling program. <br> <br>Public transparency in communicating and reporting results also is critical. For example, many recycling programs identify and measure both gross and net recycling targets. But as this story notes, a considerable percentage of recycled materials cannot be used as intended. 
<br> <br>There are even better measures of recycling system performance that also support improvement of program and policy objectives. Rather than setting percentage recycling targets based on weight measures, a kilogram/capita disposal target may be better. According to the recycling policy literature, reduction is more important than recycling. Therefore, reducing waste should decrease total quantities for disposal, even if there is no increase in recycling rates. <br>Auditors also need to review performance measure calculation methodologies to ensure they provide reliable, comparable, and consistent information to demonstrate achievement of program goals and support management decision-making.<br> </li><li> <strong>Monitor the cost-effectiveness of recycling program operations</strong><strong>.</strong> Formal and regularly conducted operational performance monitoring and reporting processes must be in place that allow management to ensure recycling operations are meeting cost performance expectations. Rather than adopting a simple cost–benefit analysis perspective, organizations also must consider policies such as the need to influence behavior toward conservation and reduced use/disposal. <br> </li><li> <strong>Recommend an effective process to plan for and manage the recycling program and its projects. </strong>This process should include business cases for new strategies and projects. Business cases must provide assurance that information presented is complete, accurate, and supported. <br> <br>The process should include project management practices such as regular inspections of all facilities (whether contracted or owned) to ensure standards are being met. Project management considerations should incorporate strategies to manage and maintain the recycling facilities (including equipment), on-site mobile equipment, and asset management processes. Such assets include any equipment used to classify, sort, construct, and demolish recycled materials. 
<br> <br>A further component is research and development to support future strategies and ensure capacity remains sufficient to meet evolving requirements.</li></ul>Art Stewart
Unsafe Inspections<p>Toronto's auditor general (AG) says poor record keeping by city officials may have enabled three vendors to commit multiple frauds related to fire safety inspections, according to a <a href="" target="_blank">Toronto City News report</a>. AG Beverly Romeo-Beehler alleges three companies controlled by the same individual — Advance Fire Control, Advanced Detection Technologies Corp., and York Fire Protection — engaged in double billing, overcharged for work, double bid for city contracts, and used multiple false identities in their business with the city over a decade, the <a href="" target="_blank"><em>National Post</em></a> reports. The AG's report notes a missing audit trail, and only about half of invoices were documented by the city's Facilities Management division. A lack of a documented inspection trail may mean fire alarm inspections were not carried out and those buildings are not safe. </p><h2>Lessons Learned</h2><p>Because of poor or nonexistent record keeping and management controls at the city of Toronto's Facilities Management division, it is not clear whether this case will result in criminal charges. Nevertheless, auditors should take note of the many measures the city could have taken to help prevent what happened.</p><p>First among other measures, the city should pay for a comprehensive new audit of fire and safety at city facilities, as noted in the <em>National Post</em> story. That is likely to reveal a great deal about what went wrong and why, even if the audit trails are weak. This should have been done a long time ago. </p><p>According to public records relating to audits of city services and administration conducted over the past several years, Toronto Fire Services was last audited in September 2013, with a focus on "improving the administration and effectiveness of firefighter training and recruitment." 
However, under these circumstances of apparent poor management controls, the proposed new audit and its results should be managed and received by Toronto's city manager — or, even better, by the mayor and council, themselves. And the city and its AG should take a good look at its fraud risk assessments and priorities. Seemingly lower value, repeating activities that are contracted out often are overlooked as higher risk for fraud.</p><p>Secondly, it appears managers within the city's facilities management department needed much better training in the awarding and management of contracts, documentation and related controls, and fraud awareness and fraud risk assessment techniques. The long list of specific improvements needed includes:</p><ul><li>Probing the backgrounds of companies bidding on contracts to verify ownership and qualifications, including of key employees. For the city of Toronto, this measure might need to include face-to-face meetings with vendor company officials to ensure they are distinct and have real employees. In fairness, this also is somewhat of a Province of Ontario matter, as the certification of fire safety inspection technicians falls under its jurisdiction.<br><br></li><li>Reviewing contract-bidding policies and procedures to avoid, restrict, and scrutinize situations where the same companies successfully obtain the same contracts year after year. <br><br></li><li>Regular review and updating of contract performance standards for the quality, completeness, and timeliness of expected work and its documentation. The city also should more rigorously monitor the inspection work as it is being performed and require interim progress reporting by the successful bidding companies.<br><br> </li><li>Enforced requirements for full and accurate invoicing of work performed. The city needs verification routines and other internal controls to help avoid and detect fake, duplicate, overbilled, and other illegal practices. 
Partial information is not sufficient, and cut-and-paste sign-offs for the work are unacceptable.<br><br></li><li>Where performance or other standards, such as for work documentation, are not being met, clear and timely sanctions are needed, along with documentation of these events.<br></li></ul><p> <br> </p><p>Third, the city's oversight, accountability, and management culture seem overdue for improvement. Management of the city's Facilities Management division appears to have been aware of many issues in this case, but it continued to award the contracts to the vendors in the same way. Inspection reports and related documentation were not reviewed closely enough. This would have enabled the division to uncover faked signatures by nonexistent inspectors, inspections of facilities where sprinklers supposedly existed (but didn't), and other fraudulent activity much earlier. Expectations for accountability and consequences where these expectations are not met seem badly needed.</p>Art Stewart
The CFO Check Scam<p>Assigned to what appeared to be a routine audit, internal auditors Juan Morales and Jim Burton were sent to the Ottawa office of Smith Construction Inc. (SCI), an engineering and construction subsidiary whose parent company, U.S. Constructors Inc. (USCI), was headquartered in New Jersey. SCI made most of its profits from manufacturing boilers and associated products for electric power generation plants and oil and gas refineries. </p><p>Generating approximately $200 million in annual sales, SCI was in good standing with USCI. However, it began to struggle when senior management at USCI started implementing highly aggressive sales targets. Once sales numbers could not keep up with anticipated goals, SCI began to spiral toward disaster. </p><p>SCI was faced with significant charges against earnings based on poor business decisions that led to several cutbacks and layoffs at the Canadian operations. Employees responsible for managing the vendor master file — a list of all the company's suppliers — were laid off as a cost-cutting measure and the accounting department was reduced from seven to four people. The aggressive layoffs inevitably led to a potential lack of segregation of duties. A task or process previously performed and reviewed by several people became the responsibility of one individual. In many cases, the responsibility fell to the company's chief financial officer (CFO), Paul Fournier. </p><p>After a few more significant charges against earnings, senior management terminated Fournier and the business unit CEO. Per company policy, every time a high-level employee left the company, internal auditors were assigned to check the critical general ledger accounts, including cash. Burton's position was his first audit job after working in the accounting field for just under one year. 
Because of Burton's lack of experience, Morales, his supervisor, assigned him to look over the company's liability accounts, which included accounts payable and accruals, as it was considered the most routine part of internal auditing.</p><p>Reviewing the details of the company's liabilities requires a simple, step-by-step process that even an inexperienced auditor could perform. By following each step of standard internal audit procedures, Burton was able to uncover an enormous fluctuation in liabilities. He noticed that around $30,000 was being made payable every month to a law firm in Boston. He mentioned this to Morales and the two decided to look into it further. An engineering and construction company making regular payments in significant amounts to a law firm outside of the country was suspicious. </p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Lessons Learned</strong></p><ul><li>Segregation of duties is crucial for every company and is the easiest way to prevent fraud from occurring. Even when faced with major cutbacks, it is important to make sure duties within the accounting department are performed and reviewed by different personnel. This internal control separates key processes to make fraud more difficult to attempt.</li><li>Companies should always keep an updated vendor master file. The process of updating it should go through several employees to ensure accuracy and prevent fraudulent payments to fictitious vendors. Employees responsible for issuing payments should never be able to modify the vendor master file. </li><li>Employing internal audit after a high-level employee leaves the company is a good practice and should be the case for all companies. A post-departure audit review helps companies catch fraud that may have otherwise gone completely undetected and prevent new hires from getting involved in the actions of the previous employee in their position. 
</li><li>A strong and trusted audit program with clearly documented procedures can help even a rookie auditor discover fraud. Though this will not guarantee that a fraud will be detected, even if procedures are followed with due care, internal auditors can be a deterrent for employees looking to commit fraud. </li></ul></td></tr></tbody></table><p>They discovered that the law firm specialized in international trade issues related to the North American Free Trade Agreement (NAFTA), but it had been several years since the company required legal expertise related to NAFTA issues. This fact prompted them to look into the situation even further. Morales contacted the law firm and asked to speak to the accounting manager, who revealed that SCI had not been an active client for four years and there was no record of the company in their accounts receivables records. Burton also found a check made out for $12,000 to the law firm that had not been cashed for two months, which created more suspicion. </p><p>Because the review had occurred before any sort of electronic records existed, Burton and Morales had to retrieve physical canceled checks from boxes in the record storage area of the basement to see who had endorsed them. They found most checks were signed "for deposit only" and written by hand instead of stamped with the company's name. After hours of going through boxes, they found a check endorsed with Fournier's signature. When they pulled the vendor master file, they realized that check payments to the law firm were being sent to an address in Canada, not the U.S. </p><p>After the layoffs, Fournier became the only one in charge of the vendor master file and was able to change data with no other type of review. This allowed Fournier to manipulate the information on the vendor master file on his own, without co-workers noticing. He changed the firm's address to one in Canada so he would be able to cash the checks on his own behalf. 
He copied and pasted data from legitimate invoices from the law firm, presented them for payment, noted them in the accounting records, and filed them.</p><p>Realizing this case could require third-party expertise, Morales and Burton called the CAE and controller at USCI to recommend a forensic investigation. The forensic investigators recreated all of the accounting books to reveal what they should look like and exactly how much was missing. Ultimately, this effort revealed a total of $1.1 million in checks from the U.S. cashed in Canada over three years. Morales and Burton remained on site assisting with procedures such as cash reconciliation and overhead analysis. </p><p>Based on recommendations from USCI's general counsel and outside counsel, Fournier was issued a Form 1099 that recorded the $1.1 million he had stolen from the Canadian subsidiary and notified the U.S. Internal Revenue Service of his compensation received through the fraud. Fournier was eventually convicted of the fraud and sentenced to a U.S. federal prison for 18 months.</p>John Ney
