Running on Empty<p>At the end of the third business quarter, Sten Lepp, the chief audit executive at NorthStar Energy Corp., received an email from the head of sales, Henry Klassen:</p><p><em>“For your information, on the 8th of July, we discovered that a salesperson, Andy Pine, used standard consumption graphs for certain customers instead of the customers’ actual consumption history. Thus, sales to those clients were made with wrong assumptions. As soon as we discovered the manipulation, I had Pine write an explanatory letter and sent him home. We are processing termination documents, and I intend to deduct sales bonuses from his last paycheck to recoup monies. I am truly sorry for the incident. As a manager, it is difficult when a team member breaches trust.”</em></p><p>After reading the email, Lepp wanted to better understand exactly how the salesperson manipulated sales. How had such a standardized business process become so trust-based? The email looked like an attempt to sweep the matter under the rug as quickly as possible, so Lepp initiated an internal investigation.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>Lessons Learned</strong><br> <ul><li>Don’t jump to conclusions. Just because the prime suspect was no longer with the company and Klassen assured everyone that the incident had been taken care of doesn’t mean there isn’t much to investigate. When beginning an investigation, avoid assessments and conclusions early on and keep an open mind.</li><li>Use professional skepticism, instead of falling victim to truth bias, which is people wanting to believe what they see or hear. The investigators first interviewed Klassen, who was cooperative and ready to explain the sales process and fraud scheme. 
While the chief investigator then compiled a summary of Pine’s deeds, the effective resolution, and the incident’s low impact, the other investigation team member decided to talk to the portfolio analyst. By talking to the analyst, the investigator learned that Klassen was not telling the truth and that the loss from those contracts was more substantial than a single person’s bonuses. The analyst also revealed that Pine and Klassen were close friends.</li><li>Have a thorough investigation plan. List all employees to be interviewed and in what order. Never start with those who could potentially be main suspects. Had the auditor not decided on her own to talk to the portfolio analyst, she never would have discovered that Klassen was less than truthful. Make sure investigation steps and responsibilities are listed, as well as what evidence is most likely needed. Agree ahead of time on communication channels and frequency, where evidence is stored and how it is indexed, and set and monitor deadlines for each step of the investigation.</li><li>Understand business context. Klassen succeeded in undermining the impact of the fraud because he focused everybody’s attention on bonuses overpaid to a single salesperson rather than the lack of controls within the sales system. If you are not familiar with the business, step back to read through manuals and related procedures, and interview employees.</li><li>Conduct due diligence by preserving evidence. The decision to turn the case over to law enforcement may be reached several months later, but the evidence should still be available and the chain of custody must be clear.</li></ul></td></tr></tbody></table><p>The pricing strategy for each customer was based on the customer’s profile. One of the inputs that shaped the profile was the customer’s historical energy consumption data, which was used to project future consumption patterns. 
The pricing model then calculated the minimum selling price, allowing the salesperson to add a margin to that price while maintaining customer relations. This margin was shared between the salesperson and the company, and the salesperson’s bonus was a percentage of the added margin. </p><p>In the previous year, energy market prices increased, resulting in a higher precalculated base selling price. Most of the sales team was struggling to add every cent to the sales margin without customers complaining about the cost increases. Pine, however, completed contracts and bragged about his bonuses. His colleagues grew curious, but no one dared to ask Klassen because of his close friendship with Pine. Their chance came when Klassen left for a scheduled vacation and Helina Saar, a recent hire, came in as his temporary replacement. </p><p>When the other salespeople approached Saar about the discrepancies in bonuses, she accessed Pine’s portfolio in the sales system and found that he used creative solutions to ensure his bonuses while his co-workers struggled. Specifically, he changed the presumably unchangeable — the customer’s profile. He manually changed inputs to the pricing model in the sales system. Instead of using the customer’s real historic consumption data, Pine entered the customer’s consumption as a single value, so the system disregarded real consumption patterns and distributed consumption equally, calculating lower base prices. Lower base prices allowed Pine to add the desired margin and receive a larger bonus from each sale. </p><p>Saar talked about her findings with the portfolio analyst responsible for monthly sales results reporting, who then approached her supervisor to confirm the findings. The supervisor waited until Klassen returned from his vacation and informed him about Pine’s contracts. Klassen had no choice but to fire Pine. 
</p><p>The investigation unveiled several key findings:</p><ul><li>The sales process manual had not been reviewed for more than five years, and actual practices deviated substantially. There were no controls or monitoring from the head of sales or anyone else.</li><li>No attention was paid to the development of the sales information system. As a result, IT controls were not performing as intended and could be easily overridden with no one noticing.</li><li>Bonuses were paid out immediately based on forecasted revenues, and actual execution of sales contracts was not monitored, which invited fraudulent behavior from sales personnel.</li><li>Klassen and Pine owned and ran an online retail business together. Though it was in an unrelated business sector and did not breach NorthStar’s code of conduct, the investigation found that they took care of their affairs during business hours. Therefore, Klassen was paying little attention to what was going on in the sales unit.</li></ul><p>NorthStar, of course, suffered losses from such deals, as it will have to cover energy costs from the customers’ real consumption patterns.</p><p>As a result, the company completely restructured the sales process, supporting information system, and bonus principles; contacted law enforcement; reviewed whistleblowing channel effectiveness; and fired Klassen.</p>Anna Kon
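<p>An added example, not code from the article or from NorthStar's sales system: it shows why a consumption history collapsed into a single value yields a lower base price when market prices vary by hour, and it adds the input check the sales system lacked. The pricing model is an assumption (base price = consumption-weighted average of hourly market prices); all numbers are constructed.</p>

```python
"""Added example, not from the original article or NorthStar's system.

Assumed pricing model: the base (minimum selling) price per kWh is the
consumption-weighted average of hourly market prices, i.e. the cost of
serving that customer. All prices and meter readings are constructed.
"""
from statistics import pvariance

# Constructed hourly market prices for one day (price per kWh):
# cheap overnight, expensive in the evening peak.
MARKET_PRICES = [0.04] * 8 + [0.09] * 4 + [0.07] * 4 + [0.12] * 4 + [0.06] * 4

# Constructed meter history (kWh per hour) of a customer whose load sits in
# the expensive daytime and evening hours.
ACTUAL_PROFILE = [2] * 8 + [10] * 4 + [8] * 4 + [14] * 4 + [4] * 4


def base_price(consumption, prices=MARKET_PRICES):
    """Minimum selling price per kWh: consumption-weighted average market price."""
    if len(consumption) != len(prices):
        raise ValueError("profile and price curve must cover the same intervals")
    total_kwh = sum(consumption)
    if total_kwh <= 0:
        raise ValueError("profile must contain positive consumption")
    cost_to_serve = sum(kwh * price for kwh, price in zip(consumption, prices))
    return cost_to_serve / total_kwh


def flatten_profile(consumption):
    """What the sales system did with a single entered value: the same total
    energy spread equally over every interval, so peak hours lose their weight."""
    average = sum(consumption) / len(consumption)
    return [average] * len(consumption)


def daily_underpricing(actual):
    """Revenue shortfall per day when the contract is priced on the flattened
    profile but the customer actually consumes according to the real one."""
    shortfall = base_price(actual) - base_price(flatten_profile(actual))
    return shortfall * sum(actual)


def profile_is_flat(consumption, tolerance=1e-9):
    """Input control: real meter data is never perfectly flat. Zero variance
    means the history was overridden with a single value."""
    return pvariance(consumption) <= tolerance


def price_contract(consumption, margin):
    """Price a contract, refusing flat profiles instead of silently accepting them."""
    if profile_is_flat(consumption):
        raise ValueError("flat consumption profile: manual override suspected, review before pricing")
    return base_price(consumption) + margin


if __name__ == "__main__":
    print(f"base price on actual history:    {base_price(ACTUAL_PROFILE):.4f}")
    print(f"base price on flattened history: {base_price(flatten_profile(ACTUAL_PROFILE)):.4f}")
    print(f"underpricing per day:            {daily_underpricing(ACTUAL_PROFILE):.2f}")
```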
An Education in Misleading Ads<p>The University of Phoenix will pay $191 million to settle deceptive advertising charges, <a href="" target="_blank">National Public Radio reports</a>. According to the U.S. Federal Trade Commission (FTC), the for-profit university's ads "gave the false impression" that it could provide job opportunities with employers such as AT&T and Microsoft. The FTC says the ads targeted minorities, military veterans, and service members and their families. </p><p>The settlement requires the University of Phoenix to cancel $141 million in debt owed to the university by students who enrolled from October 2012 through the end of 2016. The university must pay $50 million to the FTC.</p><h2>Lessons Learned</h2><p>This story is yet another example of why educational institutions, especially for-profits, must strive to prevent and detect fraud on the behalf of students. The settlement in this case follows on the heels of last year's <a href="/2019/Pages/Big-Scam-on-Campus.aspx">college admissions bribery scandal</a>. In continuing fallout from that story, students have filed a class-action suit against eight universities.</p><p>The fraud involved in this story is not new, nor is it the bigger issue. In its complaint, the FTC notes the University of Phoenix has been the largest recipient of money from the Post-9/11 GI Bill Fund established to help veterans pursue education. </p><p>The FTC's settlement with the university puts pressure on the Veterans Administration to cut off GI Bill funds to schools that engage in deceptive recruiting and advertising, as required by federal law. Here are some strategies that could help deter false advertising by universities as well as address misleading and predatory marketing practices.</p><ul><li> <strong>Authorities must act against deceptive advertising.</strong> It helps to understand why the University of Phoenix is in trouble. 
The Federal Trade Commission Act allows the FTC to act in the interest of all consumers to prevent deceptive and unfair acts or practices. According to Section 5 of the act, a representation, omission, or practice is <em>deceptive</em> if it is likely to mislead consumers and affect their decisions about the product or service. In addition, an action or practice is unfair if the injury it causes, or is likely to cause, is substantial, not outweighed by other benefits, and not reasonably avoidable.  <br> </li><li> <strong>Claims must be substantiated, especially when they concern health, safety, or performance.</strong> The type of evidence required may depend on the product, the claims, and what experts consider necessary. If an ad specifies a certain level of support for a claim — "tests show X" — the advertiser must have at least that level of support. <br> <br>The University of Phoenix was not able to substantiate the connection between paying fees and obtaining jobs at major companies. Therefore, prospective students should be skeptical about this type of advertising. They should ask for evidence, in writing, that a course was developed with reputable partners, or that attending the school will lead to jobs at the companies mentioned in the ads. If the claims are true, the school should be able to produce signed partnership agreements or testimonials from individuals about jobs, without compromising privacy rules.<br> </li><li> <strong>Third parties can be accountable for deceptive claims by advertisers.</strong> Although in-house employees perform much of universities' advertising and online marketing work, third parties often are involved. The FTC's investigative framework allows the commission to hold advertising agencies, website designers, and catalog marketers liable for deceptive marketing practices. 
These groups can be accountable if they participate in preparing or distributing deceptive representations or know about the false claims.<br><br>All agencies working on ads are responsible for reviewing the information used to substantiate claims, rather than relying on the advertiser's assurance that they are true. In determining whether an ad agency should be held liable, the FTC looks at the extent of the agency's participation in preparing the challenged ad. The commission also considers whether the agency knew or should have known that the ad included false or deceptive claims. If the agency is aware of false claims, it should not perform the requested work and should notify authorities such as the FTC.</li><li> <strong>An effective whistleblower program is an important deterrent.</strong> In addition to in-house reporting, organizations should ensure employees can talk to authorities about potential wrongdoing. During the FTC's investigation of the University of Phoenix, an advocacy group for students who are military veterans connected the commission with six whistleblowers who served as recruiters for the university. Those whistleblowers in turn helped the FTC uncover deceptive advertising practices.<br> </li><li> <strong>The federal government should take a more vigilant stance regarding advertising fraud.</strong> In addition to the FTC, agencies should step up monitoring and auditing of schools that receive government money. This funding is a major, stable source of revenue at for-profit schools. <br> <br>The aggressive marketing and recruiting practices of some for-profit colleges have been well documented. A 2012 Senate investigation found evidence of schools deploying teams at veterans hospitals and Wounded Warrior centers to enroll students. Veterans groups have long criticized federal agencies for not doing enough to keep education benefits out of the hands of colleges that they say prey on military members. 
One recent audit found lax oversight could result in $2.3 billion in tuition benefits going to predatory schools during the next five years.<br></li><li><strong>Authorities should consider significant sanctions against schools that commit major or protracted advertising fraud.</strong> Such sanctions are particularly needed when vulnerable segments of society, such as students and veterans, are involved. For example, the Defense Department has considered banning the University of Phoenix from participating in its tuition assistance program, citing the FTC's investigation and other government inquiries. <br> <br>The department also has suspended the university from recruiting on military bases and placed a six-month moratorium on access to education funding dedicated to service members. That decision stemmed from allegations that the university sponsored recruiting events in violation of an executive order preventing for-profit colleges from gaining preferential access to the military. </li></ul>Art Stewart
Data Theft Aids Tech Support Scam<p>An employee at Trend Micro allegedly stole information on 70,000 customers to help a fake IT support scam, <a href="" target="_blank"> <em>PC Magazine</em> reports</a>. The anti-virus company says the employee accessed a database and sent names, email addresses, phone numbers, and support ticket numbers to the alleged scammers. </p><p>The company says those individuals, in turn, contacted customers, posing as technical support staff. Typically, IT support scams try to charge victims for unnecessary services, <em>PC Magazine</em> says. </p><p>Trend Micro says it hasn't found evidence that the employee exposed credit card or financial information, nor did the employee access information on government or corporate customers. It has since fired the employee.</p><h2>Lessons Learned</h2><p>Preventing employees from stealing data is a necessity. Customer data, employee records, software code, engineering designs, and business strategies are particularly vulnerable to data theft. </p><p>While the human resources (HR), IT, and legal functions all are vital for preventing data theft, it is not any one function's job. Instead, the best defense is an integrated approach involving all employees. Here are two areas where organizations need effective controls, along with some strategies that internal auditors can recommend and help implement.</p><p> <strong>1. Employee Recruitment, Onboarding, and Offboarding</strong></p><p>A variety of research indicates that employees commit data breaches unintentionally because they aren't aware of how the organization governs its data. But organizations can blame ineffective recruitment screening, onboarding, and offboarding processes, as well. </p><p> <strong>Recruitment</strong> Before hiring new employees, the organization should conduct thorough background checks, including reviewing their social media presence. 
It should look for signs of tolerance of theft, laxness in security protection, and similar traits. </p><p> <strong>Onboarding</strong> Upon hire, new employees should attend required sessions covering the organization's data sharing, ownership, and privacy policies. During these small group sessions, HR executives should ensure employees understand the data security, ethics, and conflict-of-interest sections of their employment agreements. Employees also should be aware of the organization's privacy and data security policies and procedures. </p><p>Additionally, the organization should conduct mandatory training on its data sharing, ownership, security, and privacy policies. This session should test new employees' comprehension and ability to document these processes.</p><p> <strong>Offboarding</strong> When employees leave the organization, devices issued to them should be scanned and verified for organizational data. These devices should include laptops, tablets, smartphones, and removable media.</p><p>Because different employees have access to different types of data, the organization should maintain a record of each employee's access privileges. It should reset or delete all of an employee's accounts, access privileges, and passwords upon his or her departure. The organization also should hold former employees accountable for any data breach that is traced back to them. </p><p>These recruitment, onboarding, and offboarding policies should be implemented in combination with other measures designed to help detect and deter data theft, such as a whistleblower program and providing information about the consequences of data theft.</p><p> <strong>2. 
Technology Measures Against Data Breaches </strong></p><p>IT measures that can help prevent data theft from happening include:</p><ul><li> <em>Role-based and access-based controls.</em> Limiting data access to only what is required for a particular job and logging user interactions with the data can reduce the chances of theft. For example, a junior-level software developer should have well-defined, limited, or even no access to a primary database. Tracking software can enable organizations to monitor activity within an intranet or network.<br> </li><li> <em>Separate devices for professional versus personal use.</em> Many organizations allow employees to use the same devices for personal and professional use. This blurred boundary between business and personal data can lead to incidental or intentional data breaches. If a single device is allowed for both purposes, the organization should monitor usage of the device and install software to keep each usage separate.<br> </li><li> <em>Establish strict controls over use of removable storage and cloud services. </em>Organizations should restrict employees' ability to access, copy, and move data, and limit access to all forms of removable storage and cloud services. The best solution is to prohibit data copying, whether by email, photocopy, screen shot, camera, or by hand — or even eliminate all the external storage ports of devices. Practically speaking, though, such restrictions can result in lost productivity and employee inconvenience. The next best method is to monitor all forms of data copying, movement, or exchange from the organization's systems. To this monitoring, organizations should add random, in-depth spot checks of employee behavior and audits of control measures. </li> </ul>Art Stewart
When Fraud Experts Go Bad<p>A professor may have learned the wrong lessons from his decades of research on organized crime. U.S. federal prosecutors say Bruce Bagley, an expert on money laundering and corruption, laundered $3 million that foreign individuals had obtained through bribes and embezzlement, <a href="" target="_blank">National Public Radio reports</a>. </p><p>Prosecutors allege that between November 2017 and April 2019 Bagley received monthly deposits from bank accounts that were tied to a Colombian national. Bagley then would withdraw the funds through a cashier's check and give it to a second individual from Colombia, while retaining 10% for himself, prosecutors say in court documents filed after his arrest. </p><p>Bagley, a professor at the University of Miami, has written several books about drug cartels and corruption. He frequently has consulted with law enforcement agencies and has served as an expert witness in drug-trafficking trials.</p><h2>Lessons Learned</h2><p>This case is striking because the alleged fraudster is an expert on money laundering. Yet for all his knowledge, Bagley may not have chosen a sophisticated approach to covering up his alleged crimes — prosecutors say he created fake contracts to account for the money he was making. </p><p>Rather than focusing on the systems, techniques, and processes involved in preventing and detecting money laundering, let's take a step back and consider: Why would a fraud expert commit fraud? Most internal auditors are familiar with the fraud triangle — opportunity, motivation, and rationalization — but here are five explanations. </p><ol><li> <strong>Narcissism. </strong>The basic thinking is "I'm important and the rules don't apply to me." These fraudsters do and take what they please, and justify it given their superiority, importance, or desire. A form of sociopathy may drive their behavior, and they may not have empathy for other people. 
When individuals are influential and set rules for others, such as when teaching students or advising government officials, they can begin to see themselves as morally distinct and not subject to the same rules.</li><li> <strong>Impact minimization. </strong>Any workplace presents many opportunities for theft, some of which are small and easy to ignore. In this case, the alleged fraudster may have considered a 10% cut of the money laundered to be a small amount. <br> <br>Some fraudsters make a small compromise or act unethically in a way that they don't consider to be a big deal. When no one cares or notices, they get away with it. They then repeat their crimes and even try for a larger amount. <br> <br>As the crimes escalate, small thefts can become bigger and more persistent. Then, if the fraudster feels there is no way out, the individual may take larger risks if the original risk suddenly results in a big loss. Ultimately though, even an expert will be noticed and caught.</li><li> <strong>Ethical rationalization. </strong>Some people commit fraud because they believe what they are doing is in some sense ethical — they convince themselves to do unethical things depending on the way something is framed. In a case like this story, a money-laundering expert may rationalize that "the amount of money I'm keeping for myself is a small fraction of what is being stolen." <br> <br>Constant exposure to extreme wealth, or environments that reflect it through feelings of injustice and jealousy, can lead people to unethical behavior. Also, individuals may feel that they have accumulated "ethical credit" by being morally and ethically appropriate in their actions to date. In doing so, these people can justify wrongful behavior. 
<br> <br>Further along the path of fraudulent behavior, a cognitive dissonance and rationalization can set in: If a person's actions differ from his or her morals, the individual may rationalize both to protect himself or herself from the contradiction. The bigger the dissonance, the larger the rationalization; the longer it lasts, the less immoral it seems.</li><li> <strong>Self-serving bias. </strong>People often are competitive and can be self-aggrandizing in their thinking and actions. These individuals think they are better than the people around them, which can lead to feelings of injustice and acting to rectify those feelings. An example is a person who does not think he or she is receiving a fair share of the rewards from his or her performance and capacity. <br> <br>Such perceptions can be worsened by tunnel-vision thinking. Focusing on only one goal, such as financial reward, can distract people from ethical concerns. Combining this type of thinking with feelings of alienation from large organizations and institutions may lead individuals to feel detached from their goals and leadership, driving them to consider committing fraud.</li><li> <strong>Health and physical factors. </strong>People who are physically ill, stressed, lack sleep, or suffer from other issues, may have less self-control. Moreover, they may have greater financial need to address these issues, which may lead them to think crime is their only alternative. </li></ol>Art Stewart
Special Delivery<p>Federal prosecutors allege several Utah companies bribed a FedEx employee to obtain $280 million in contracts from the shipping company, <a href="" target="_blank">KUTV reports</a>. Prosecutors charged 10 individuals, including FedEx employee Ryan Lee Mower, who they described as "the highest-ranking FedEx Ground employee in Utah."</p><p>According to the federal indictment, Mower received more than $1 million to help the companies win contracts for FedEx shipments over a 10-year period. Additionally, he allegedly approved "ghost runs" in which trucking companies were paid for delivery routes that they didn't actually run. To make more money from the scheme, prosecutors say Mower boosted mileage, and falsely reported accidents and miles.</p><h2>Lessons Learned</h2><p>FedEx's response to this alleged multi-million-dollar bribery case includes this statement: "The vast majority of this money was payment for work that was actually performed. Therefore, because FedEx Ground would have paid to have that work performed in any event, the net financial loss to FedEx Ground is a small fraction of this amount and is not material."</p><p>This response is beside the main point of this story, however. A significant amount of money was allegedly paid out illegally through bribery schemes over 10 years, and it took a U.S. federal investigation to uncover it.</p><p>Moreover, bribery and corruption, within organizations, countries, and internationally, continue to grow. In 2016, the International Monetary Fund estimated that corruption amounted to roughly 2% of global economic output — between $1.5 trillion and $2 trillion worldwide. 
This story provides a good opportunity to review effective ways to fight a culture of corruption, including a systematic approach to maintaining rigorous controls over contracting.</p><p>Organizations typically manage bribery and corruption risk through a mix of internal control processes, certification requirements, promoting good practices, and monitoring and auditing throughout their operations, including with suppliers and vendors. External standards also can be powerful tools for those efforts, helping to strengthen ethics and compliance practices by offering a clear framework for action. </p><p>One external tool is the International Organization for Standardization's <a href="" target="_blank">(ISO) 37001</a>: Anti-bribery Management Systems standard, published in 2016. The standard offers organizations a structure for setting up or benchmarking an effective anti-bribery program aligned with their own risk profile and building a culture that values ethical behavior. The standard sets out an approach that is independently certifiable — and in the context of the broader ISO 9001 quality management standard — addresses bribery in all of its forms, and can be integrated into an organization's existing management systems. </p><p>However, ISO 37001 only addresses anti-bribery management systems, not broader fraud and corruption issues. These issues should be addressed through a fraud risk assessment and management process, among others. In particular, this standard contains four important ways for organizations to strengthen their anti-bribery practices:</p><ul><li> <strong>Define ethical governance.</strong> Leadership is central to an effective anti-corruption system. ISO 37001 describes the responsibilities of the board and top management, including ensuring that the organization's strategy and anti-bribery policy and processes are aligned. 
The standard also requires the compliance function to be staffed by individuals with the right skills, status, authority, independence, and resources. It particularly needs a designated official who is responsible for anti-bribery efforts.<br><br></li><li> <strong>Embed a culture of compliance. </strong>The standard supports efforts to build an organizational culture that values ethics and compliance. Communication and training are needed to bolster the compliance program, and continual improvement is necessary to ensure that the program does not become stagnant. Other measures include establishing strong human resources policies and practices for background checks, turnover and rotation of staff, and a compliance hotline. And, the organization should establish investigations and monitoring to uncover wrongdoing. <br> <br>Fighting bribery through a strong compliance culture also can help build the organization's reputation and value. Demonstrating conformance with an internationally accepted anti-bribery standard may make it easier for the organization to attract business partners and investors who expect greater financial transparency and disclosure of anti-bribery activities. Ethical organizations also may have lower employee turnover, as well as receive greater respect from customers and clients who value organizations with good ethical practices.<br><br></li><li> <strong>Implement a uniform framework. </strong>This framework should have measurable, trackable indicators that promote consistency organizationwide. ISO 37001 intentionally does not prefer the legal regime or regulatory architecture of one country over another. Instead, it outlines a set of practices that can be used by organizations regardless of where they operate. 
Additionally, more and more organizations are using automated data capture, analysis, and tracking to support this approach.<br><br></li><li> <strong>Require good practices throughout the supply chain.</strong> Many organizations have a complex web of third-party partners that support their business, similar to the trucking-company contractors in the FedEx story. The risk with these partners is that a bidder or business partner will bribe an employee of the organization to help obtain a contract. ISO 37001 addresses the need for due diligence, monitoring, and auditing of third parties, and provides a tool to measure the capabilities of third parties and the strength of their compliance programs. In addition, organizations could ask third parties to demonstrate compliance with the standard. <br><br></li> </ul><p>Adopting these four methods does not guarantee protection against bribery, but it is one way organizations can better prevent and detect it. The ISO website provides <a href="" target="_blank">more information on ISO 37001</a>. To learn about ways to fight bribery and contracting fraud, refer to the many articles in the <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=e5d7369b-6f2b-4374-b858-0a0d30c483c6">Fraud section of</a>. </p>Art Stewart
Municipal Misappropriation<p>Xavier County billed its residents monthly for their utility use through its finance division using in-house legacy software, which was not up to the rigors of modern billing and reconciliation processes. Unfortunately, the county had a “We have always done it this way” mindset, so there were no plans to upgrade the system. The county was collecting an average of $1.3 million each month in accounts receivable for the utility, cranking out manual receipts upon request and patching the system as needed to limp along to the next billing cycle.</p><p>The IT employee who set up the legacy platform and managed it for decades had retired, and back-of-the-house adjustments were much more difficult to achieve without his institutional knowledge. When new executive management at the county requested additional reporting from the system and management personnel asked to supplement controls, they were told that the software could not produce the reports they were asking for, nor could they implement the additional controls requested. At this point, the internal audit department became aware of the software’s reporting constraints and initiated a soft-monitoring project regarding the internal controls of the billing and payment process. </p><p>Because the software was incompatible with modern online processes, certain account activities could not be completed online. Instead, customers were encouraged to call the division with account concerns and other matters. The customer service line was shared by several employees in the finance division who were involved in the billing and payment process. The employees would take customer calls and process payments and adjustments within the system, as needed. Financial and county management accepted this diversity of personnel providing customer contact as a satisfactory level of segregation of duties. 
A few functions, however, were handled by Jeff Neeley, the most senior staff member in the division, who was familiar with the legacy software and the most effective at resolving those requests. </p><p>The division needed institutional knowledge so much that many weekends, when customer needs were high, he would come into the office and process those payments needing adjustment. It was during this time, without supervisory oversight, that Neeley conducted inappropriate transactions, feeling empowered by the lack of physical management review. </p><p>The fraud, itself, included a few adjustments to the financial software and a bit of manual tracking. When a customer paid using a credit card over the phone with Neeley, he would tally the payment amount in a workbook on his desktop computer. During month-end close-out procedures, he would take the running tally amount in the workbook, create a journal entry, and move that amount from accounts receivable revenues to accounts payable. This entry was processed within the financial system without additional review as Neeley had both a staff-level login and a supervisory-level login, presumably to perform different roles for different duties, as assigned. A phony invoice was then created for a fictitious vendor and included in the backup documentation for that journal entry. The fictitious services amounted to the total of all individual accounts that were manipulated during the month. The vendor was paid via the standard accounts payable process within the county. The vendor verification process had been completed by Neeley many years before.</p><p>Through multiple inquiries during performance audits throughout the organization, internal audit identified a weakened internal control structure due to the level of trust within the county. Internal audit discussed the risks multiple times with executive management, with no change. 
In fact, when internal auditors cautioned against this untested trust, they were told it was important not to upset employees because they were still skeptical of the county after layoffs during the Great Recession. Those who remained were territorial regarding their responsibilities and did not see the value of cross-training. </p><p>The utility’s legacy system led to the practice of a few key employees handling adjustments every time one was needed. The work became so specialized that certain customer account adjustments were put on hold until Neeley returned to work. It wasn’t until he was out on unscheduled medical leave that another person within the department had to handle his transactions for waiting customers. That’s when personnel noticed unusual adjustments within the system. </p><p>Adjustments within the monthly journal were paid via the accounts payable process to a fictitious service vendor account Neeley set up many years before that appeared to be a legitimate cost of service as payment lockbox service fees. This service fee was one of two that the county paid — because the fee amounts were consistent, without material variances, and of a nominal amount, no one thought to ask why there were two separate payments for the lockbox service fee. </p><p>Once the fraud was identified, internal audit asked the employees who reviewed Neeley’s summary reports why the fictitious vendor account wasn’t flagged or reviewed further. They explained that it did not receive any attention because the fee was nominal considering the large amounts that were being processed monthly. The fraud investigation determined that those nominal fees siphoned to Neeley’s personal account added up to nearly $91,000 and, because the system did not retain records more than 10 years back, the true dollar amount lost by the county was estimated to be greater.</p><p>The department was informed of the suspected fraud, and a vendor service company conducted a financial investigation. 
Still out on medical leave, Neeley hastily completed retirement paperwork with human resources and did not return to work. The investigation resulted in multiple recommendations that brought the division back up to an appropriate level of internal control. The county later submitted the case to the local district attorney’s office for prosecution, which is currently in process.</p><p>The impact to the county was perhaps greater than the monetary loss of the fraud. It became a local media topic, drawing many concerned citizens to the county’s public meetings to voice their disproval of the situation and the county. The level of trust in the community has been eroded and it will take time to mend. </p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​ <style> p.p1 { line-height:12.0px; font:14.0px 'Interstate Light'; } p.p2 { text-indent:-12.0px; line-height:12.0px; font:9.0px 'Interstate Light'; } span.s1 { vertical-align:1.5px; } span.s2 { letter-spacing:-0.1px; } </style> <p><strong>Lessons Learned</strong></p><ul><li>Internal controls should be respected in all organizational cultures. Creating a baseline for oversight and applying management reviews consistently for all employees is recommended. </li><li>Key employees are great additions to organizations and are often the most trusted employees. They can provide institutional knowledge that can compel fact-driven decision-making. However, trust is not an internal control and all employees require oversight. </li><li>Succession planning and work-task rotations could have been key in preventing the fraud from occurring at the level it did. </li><li>By not requiring Neeley to attend staff training and enabling special working conditions, management created an environment where the employee felt outside of the system and its authority.  
</li><li>Physical security of a work area is important to instill a sense of oversight and supervisory review for employees. Working outside of normal business hours is not recommended.</li><li>Segregation of duties within the financial system is key to ensuring appropriate reviews. If one employee has two separate logins for staff transactions and supervisory/review transactions, this built-in internal control is no longer effective.<br></li></ul></td></tr></tbody></table><style> p.p1 { line-height:12.0px; } p.p2 { line-height:12.0px; } p.p3 { text-indent:18.0px; line-height:12.0px; } p.p4 { text-indent:9.0px; line-height:12.0px; min-height:11.0px; } p.p5 { line-height:9.0px; font:8.0px 'Interstate Light'; } span.s1 { letter-spacing:-0.1px; } span.s2 { font:8.0px Interstate; letter-spacing:-0.1px; } </style><br>Emily E. Kidd1
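<p>The two-login and duplicate-vendor weaknesses in this case are the kind of thing a continuous-monitoring script can flag from routine system extracts. The Python below is an added example, not code from the article or the county's system; the logins, vendors, amounts and timestamps are constructed, and it assumes the login-to-employee mapping can be pulled from the financial system's user administration.</p>

```python
"""Added example, not from the article or the county's system: continuous-
monitoring checks for the control gaps in the Xavier County case. Every login,
vendor, amount and timestamp below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed: the person behind each system login. In the case, one employee
# held both a staff-level and a supervisory-level login.
LOGIN_OWNER = {
    "jneeley": "Jeff Neeley",
    "jneeley_sup": "Jeff Neeley",
    "mlopez": "Maria Lopez",
    "rchan_sup": "Rita Chan",
}

# Constructed journal entries:
# (entry id, posted timestamp, created-by login, approved-by login, from, to, amount)
JOURNAL = [
    ("JE-1001", "2019-03-29T16:05:00", "mlopez", "rchan_sup", "AR", "AP", 1420.00),
    ("JE-1002", "2019-03-31T09:12:00", "jneeley", "jneeley_sup", "AR", "AP", 611.40),
    ("JE-1003", "2019-04-30T10:40:00", "jneeley", "jneeley_sup", "AR", "AP", 598.75),
    ("JE-1004", "2019-04-30T11:00:00", "mlopez", "rchan_sup", "Cash", "AR", 250.00),
]

# Constructed accounts-payable payments:
# (vendor id, vendor name, invoice description, month, amount)
PAYMENTS = [
    ("V-0042", "SecureLock Processing LLC", "Lockbox service fee", "2019-03", 640.00),
    ("V-0042", "SecureLock Processing LLC", "Lockbox service fee", "2019-04", 640.00),
    ("V-0913", "County Lockbox Services", "Lockbox service fee", "2019-03", 611.40),
    ("V-0913", "County Lockbox Services", "Lockbox service fee", "2019-04", 598.75),
    ("V-0101", "Acme Office Supply", "Toner cartridges", "2019-03", 120.00),
]


def self_approved_entries(journal, login_owner):
    """Entries whose creator and approver logins resolve to the same person.
    Comparing people, not login names, exposes the two-login workaround."""
    return [
        je_id
        for je_id, _ts, creator, approver, _from, _to, _amt in journal
        if login_owner.get(creator) is not None
        and login_owner.get(creator) == login_owner.get(approver)
    ]


def weekend_entries(journal):
    """Entries posted on a Saturday or Sunday, when no supervisor was present."""
    return [je[0] for je in journal
            if datetime.fromisoformat(je[1]).weekday() >= 5]


def shared_service_vendors(payments):
    """Invoice descriptions billed by more than one vendor in the same month,
    mapped to the vendor ids involved. Two payees for one lockbox service fee
    is the duplicate nobody questioned in the case."""
    vendors_by_key = defaultdict(set)
    for vendor_id, _name, desc, month, _amt in payments:
        vendors_by_key[(desc.strip().lower(), month)].add(vendor_id)
    shared = defaultdict(set)
    for (desc, _month), vendors in vendors_by_key.items():
        if len(vendors) > 1:
            shared[desc] |= vendors
    return {desc: sorted(ids) for desc, ids in shared.items()}


def reclass_matching_payments(journal, payments, tolerance=0.01):
    """(entry id, vendor id) pairs where an AR-to-AP reclassification equals
    a single AP payment: receivables reappearing as a vendor payment."""
    matches = []
    for je_id, _ts, _c, _a, from_acct, to_acct, amount in journal:
        if (from_acct, to_acct) != ("AR", "AP"):
            continue
        for vendor_id, _name, _desc, _month, paid in payments:
            if abs(paid - amount) <= tolerance:
                matches.append((je_id, vendor_id))
    return matches


def run_checks(journal=JOURNAL, payments=PAYMENTS, login_owner=LOGIN_OWNER):
    """All findings in one dict, ready for the audit workpapers."""
    return {
        "self_approved": self_approved_entries(journal, login_owner),
        "weekend": weekend_entries(journal),
        "shared_service_vendors": shared_service_vendors(payments),
        "reclass_matches": reclass_matching_payments(journal, payments),
    }
```

<p>On the constructed data, the checks converge on the same two entries and the same second lockbox vendor; in practice each check should run on the full monthly extract and the overlap is what merits a reviewer's attention.</p>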
The Price of Carbon<p>A lawsuit against Exxon Mobil alleges the oil company understated to investors the impact of carbon pricing in evaluating projects, the <a href="" target="_blank"><em>National Post</em> reports</a>. Court documents in the case, filed last year by New York's state attorney general, allege that Exxon often used a lower price per ton for greenhouse gas (GHG) emissions and forecast it for future years. That created "the illusion that it had fully considered the risks of future climate change regulations," the documents state.</p><p>For example, in Canada, the lawsuit claims Exxon understated carbon pricing of 14 projects in the Alberta oil sands by $30 billion, including understating one project by 94%. Exxon claims the lawsuit does not consider the multiple ways in which the company accounts for climate regulations.</p><h2>Lessons Learned</h2><p>Governments around the world are increasingly enacting new laws to put a price on carbon emitted by industrial producers, so it should not be surprising that the question of fraud has come up. As of 2019, more than 70 jurisdictions, representing about 20% of GHG emissions, have put a price on carbon.</p><p>This story involves one company, Exxon, and a case of alleged fraudulent carbon pricing that is still before the courts in two U.S. states. What can internal auditors learn about these laws that can help organizations prevent and detect what could become a more frequent fraud issue?</p><ul><li> <strong>Keep up knowledge of environmental laws and carbon-pricing regimes.</strong> In particular, internal auditors should learn about the requirements and methodologies for dealing with the pricing and taxing of carbon globally. For example, <a href="" target="_blank">a section of the World Bank's website</a> defines and measures carbon-pricing regimes around the world.
The website's up-to-date dashboard sets out the various kinds of carbon-pricing regimes in place, planned, or being implemented in various jurisdictions, including both emissions trading systems and carbon tax regimes.<br></li><li> <strong>Assist in compliance.</strong> At this point, companies have considerable discretion in their methodologies for assessing the amounts and impacts of carbon pricing on their products and services. Greater government specificity regarding these methodologies, including their uses and disclosure, appears to be coming. For example, starting in 2020, companies under the jurisdiction of Canada's Greenhouse Gas Pollution Pricing Act must file annual compliance reports with both Environment and Climate Change Canada and the Canada Revenue Agency. Internal auditors would be useful contributors to these reports.<br><br></li><li> <strong>Understand GHG calculation criteria.</strong> Of particular note in relation to this story, Canada's compliance guidance includes several criteria regarding GHG calculations. Specifically, companies must perform these calculations in accordance with a reliable and replicable methodology.<br><br>This methodology should ensure that net emissions are capable of being measured or modeled in a reliable and repeatable manner that includes all relevant sources. Calculations should consider uncertainty to ensure quantified or estimated emissions are accurate and within scientifically established standards or acceptable statistical precision for the project or equipment type. Moreover, they should consider the conservativeness principle in quantifying GHG emissions to ensure they are neither under- nor overestimated.<br><br></li><li> <strong>Advise the organization about disclosure practices.</strong> Companies increasingly face pressure to be more transparent about their treatment of carbon pricing. A proactive approach seems advisable.
There are many sources of good disclosure practices and guidance regarding carbon pricing, including CDP Worldwide's <a href="" target="_blank">Carbon Pricing: CDP Disclosure Best Practice (PDF)</a>.</li></ul>Art Stewart
Faking the Winning Ticket<p>He might have gotten away with it if he hadn't been greedy, a U.K. judge said in sentencing a man to nine years in prison for lottery fraud. <a href="" target="_blank">The BBC reports</a> that Edward Putman used a forged lottery ticket to claim a £2.5 million prize in 2009. The court found that Putman collaborated with an employee of National Lottery operator Camelot U.K. Lotteries Ltd. to create the fraudulent ticket based on a list of unclaimed winning numbers.</p><p>The scheme began to unravel after Putman's accomplice, Giles Knibbs, took his own life in 2015. Putman and Knibbs had a dispute over dividing the winnings, and earlier in 2015 Knibbs had told friends he had "conned" the Lottery.</p><h2>Lessons Learned</h2><p>Creating a fraudulent lottery ticket is not as difficult as one might think. Similar to <a href="/2019/Pages/The-Make-Your-Own-Credit-Card-Scam.aspx">creating fake credit cards</a>, there are resources on the internet that describe the basic steps for making a fake ticket. One simple method is to alter the date for which an expired ticket, with a winning number, was issued to fool the sales agent into believing that the ticket is currently valid.</p><p>However, this story involves a much more sophisticated methodology that requires a more systematic approach to fraud prevention and detection. In this case, the story notes that the U.K.'s Gambling Commission fined Camelot £3 million in 2016 for violating its operating license in the way it controlled databases, investigated prize claims, and paid out prizes. These are areas where lottery operators and regulators should consider some measures:</p><ul><li> <strong>Regularly review and enhance controls relating to ticket-making databases and other information sources.</strong> Putman's accomplice, Knibbs, had seen a document detailing big prizes that had not yet been claimed while he was working for Camelot.
Lottery operators should tightly protect such information, particularly details of unclaimed winning ticket numbers and the locations of their sales. Very few people should have access, even within the fraud detection department.<br><br>Related to this, human resources controls, such as regular background checks and rotation of staff, can help deter and detect fraudulent activity. Lottery operators cannot assume that specialized, experienced, long-term employees who perform highly sensitive duties can always be trusted without some measure of verification.<br><br></li><li> <strong>Make processes for investigating and paying out a prize claim as stringent as possible.</strong> This is especially necessary for large prizes. In this case, Camelot paid out the prize to Putman despite the fact that the bottom part of the mangled ticket was missing its barcode. Even if the ticket had been found valid, this is an obvious "red flag." Lottery operators should consider some form of multifactor authentication of a ticket purchase, such as a duplicate paper receipt or an electronic record that contains all relevant security information. A winning ticket should not be successfully claimed without such evidence.<br><br></li><li> <strong>Improve public communications about fraud prevention.</strong> Lottery operators such as Camelot should communicate about fraud-prevention measures on their websites and through other channels. Moreover, they should add audit requirements to demonstrate the continuing effectiveness of their controls over the lottery ticket process.<br><br>In the news story, Camelot states that, "We've strengthened our processes significantly since then and are completely confident that an incident of this nature could not happen today."
However, Camelot's website does not provide information about either this incident or how the company is improving its fraud-prevention measures.<br><br>Lottery industry regulators should consider requirements to improve this aspect of fraud awareness and prevention, including for public communications and auditing. This might include public reporting of audit results. As a measure of deterrence, regulators could mandate that a company's operating license be suspended if a further incident of fraud occurred.</li></ul>Art Stewart
Making a Bad Match<p>Your online dream date may be a scam artist. And the dating service may be knowingly turning a blind eye to the fraud. That's among the accusations in a U.S. Federal Trade Commission (FTC) lawsuit against Match Group, which operates many popular online dating apps, <a href="" target="_blank"><em>TechCrunch</em> reports</a>.</p><p>The FTC suit accuses Match of using misleading advertising, billing, and cancellation policies to convince Match.com app users to become subscribers. The FTC alleges that Match.com sent emails to app users alerting them to messages from interested individuals, even though the service already had flagged those accounts as fraudulent. Indeed, the FTC contends that Match knew scammers comprise as much as 30% of Match.com registrations. Moreover, Match's research confirms that between June 2016 and May 2018, almost 500,000 people signed up for subscriptions to the site within 24 hours of receiving an email associated with a fraudulent account.</p><p>Once users had signed up for a six-month subscription, the FTC alleges Match.com made it difficult for them to cancel the service. That would put Match.com in violation of the U.S. Restore Online Confidence Act, which requires companies to provide a simple method to stop recurring charges.</p><h2>Lessons Learned</h2><p>According to FTC statistics, U.S. residents reported losing $143 million to romance scams in 2018 — a higher total than for any other type of scam reported to the commission. The median reported loss was $2,600, and it was $10,000 for people over 70.
</p><p>This story brings to light that online dating businesses cannot be trusted to fully protect subscribers from such scams, nor are they transparent in the way they deal with customers and their concerns. While the outcome of this case is not yet known, online dating services can take several measures to detect and reduce such scams and business practice exploitation.</p><ul><li> <strong>Mandatory audits of anti-fraud and scamming activities should be required.</strong> While Match does have some educational anti-fraud material on its company website, it is not clear how comprehensive the company's approach is. According to this story, Match contends that it has "developed industry-leading tools and [artificial intelligence] that block 96% of bots and fake accounts from our site within a day." The company says it relentlessly pursues malicious accounts.<br><br>Companies that operate in fields where quantitative business processes and data are abundant should be able to monitor, audit, and publicly report the results. The latter may be a regulatory measure worth considering by the FTC, at least temporarily when a company has violated standards and laws.<br><br></li><li> <strong>The consequences for deceptive business practices need to be significant.</strong> These consequences also should apply to companies that knowingly allow fraud to take place. Penalties such as reimbursement of subscription fees — as the FTC is asking for in this case — are justified.<br><br>Match also needs to review and clean up its subscription, billing, and cancellation policies and processes. For example, the company could establish a "no questions asked" cancellation and refund policy for an initial period, or provide potential new subscribers with a free trial period with full access to services. The billing and cancellation policy and process should be simplified and publicized, with no hidden additional requirements.
Internal auditors would be able to advise on ways to implement these measures.<br><br></li><li> <strong>Measures to ensure market competition may be needed.</strong> Match may face negative publicity from this case, which could lead the company to change its business practices. Given that Match is the predominant company in the online dating field, the FTC could consider whether there is sufficient competition in this industry to foster a high ethical standard of business practices and undertake additional regulatory measures.</li></ul>Art Stewart
Deepfake Deception<p>The CEO just called asking you to send a wire transfer. But are you sure it's the CEO? That voice that sounds like the organization's leader may be a deepfake — an audio or video file that has been created using artificial intelligence.</p><p>Deepfakes are becoming the latest lure in phishing schemes, <a href="" target="_blank"><em>PC Magazine</em> reports</a>. Recently, hackers tricked a managing director at a British energy company into authorizing a $243,000 wire transfer to an account in Hungary by creating a fake voice model that sounded like the company's CEO, according to <a href="" target="_blank"><em>The Wall Street Journal</em></a>. In an email, the employee told the company's insurance carrier, Euler Hermes, that "the voice was so lifelike that he felt he had no choice but to comply," <a href="" target="_blank"><em>The Washington Post</em></a> says. Cybersecurity firm Symantec told the <em>Post</em> that it knew of three recent incidents in which attackers mimicked the voices of executives to defraud companies.</p><h2>Lessons Learned</h2><p>Any new technology or societal advance seems inevitably to raise opportunities for fraudsters to benefit at the expense of organizations and individuals. As this news story illustrates, the threat of deepfake fraud and phishing is here and likely to grow. In fact, deepfake audio and video are becoming cheap and easy to create with computers and software, and how-to videos are showing up on social media.</p><p>Deepfake video and audio files are not necessarily bad, as we have seen with some educational and comedic videos on late-night TV. The problem is when they are used for crime. What can regulators, organizations, and internal auditors do to identify and counter this threat before it causes damage?</p><ul><li>First and foremost, fraud detection and prevention is a cat-and-mouse exercise — what works now may not last as a long-term solution.
Therefore, regulators, organizations, and internal auditors need to educate themselves on how the AI behind deepfakes can be used to defraud.<br><br></li><li>Implementing a two-step verification process where sensitive information, money, or decisions are being sought is essential. Auditors should keep in mind the concept of "never trust, always verify." That verification process can be as simple and low-tech as a mandatory return phone call to a known number to verify the source. Technology-based verification includes requiring the requestor to enter an encrypted passcode separately, and subjecting the request, regardless of its form, to computer-based audio/video analysis to verify its authenticity before taking action.<br><br></li><li>While human beings inevitably will bear the brunt of having to respond to these deepfake fraud attacks, a machine-based approach will be more effective — but only under certain conditions. People still need to learn more about this threat and be equipped to address it.<br><br></li><li>One tool that shows promise is a recurrent neural network (RNN). An RNN is a class of artificial neural network in which connections between nodes form a pattern along a temporal sequence, allowing it to exhibit temporal dynamic behavior that can be applied to handwriting, speech, or visual recognition. These networks can be trained to identify inconsistencies.<br><br>Applied to video deepfakes, an RNN could identify inconsistencies in lighting conditions, shadows, reflections, or even an entire face, including physiological elements such as mouth movement, blinking, and breathing. This is possible because the algorithms used to build a deepfake work frame by frame but cannot remember what was created for previous frames.
<br><br>While RNN technology can be expensive and may be best suited to protecting against deepfakes of senior executives, software companies currently are developing products that will be more cost-scalable and readily deployed across larger organizations. Such technology could be used in real time to verify the authenticity of a video or audio request as it comes in. For example, Adobe has developed AI that can detect faces that have been manipulated in Photoshop. Another example uses blockchain technology along with AI to create a digital signature that cannot be altered, and will identify attempts to alter it, for embedding in legitimate audio and video.<br><br></li><li>Academic research and collaboration also are needed to understand deepfakes and other forms of manipulated media. Since deepfake videos can go viral on social media, these sites already are working to combat the threat.<br><br>For example, Facebook deploys engineering teams that can spot manipulated photos, audio, and video. In addition to using software, Facebook and other social media companies hire people to look for deepfakes manually. Similarly, the AI Foundation, a nonprofit organization that focuses on human and AI interaction, conducts research into these issues.</li></ul>Art Stewart
