Schoolhouse Fraud<p>When the Wellington School District budget crisis hit the local newspaper, citizens were shocked. The superintendent, Tina Franken, and business manager, William McKenzie, implemented innovative programs that improved employee morale and productivity — not only for the central office, but also for the eight schools within the district. Before Franken’s arrival, the school district was often an embarrassment to the town, as employee issues led to frequent firings or resignations and the airing of dirty laundry in the local news. When the longtime district accountant resigned and filed a legal complaint against McKenzie alleging fraud, abuse of town policies, and violations of state laws, gossip among district employees and citizens implied there were ties between the legal complaint and the budget crisis.</p><p> With a school budget shortfall of $2 million at fiscal year-end and a legal complaint, the select board for the town had no choice but to act. It asked the town’s internal auditor, Denise Silva, to review the school district’s budget process. </p><p> Silva knew town government issues could get messy and complicated. So she prepared a high-level audit program and planned to spend a lot of time exploring. First, she reviewed the district’s budget policies and procedures and requested the previous year’s approved budget with all planning comments and 12 months of results by month and account. She planned to interview employees involved in the process and take deeper dives into any areas with significant overruns. After receiving the budget documents, she realized that she needed to clear her calendar. </p><div style="width:300px;float:right;padding-left:10px;padding-right:10px;margin-left:10px;background-color:#6eabba;color:#000000;"><h3>Lessons Learned</h3><ul><li>The budget process should be included in the risk assessment and reviewed regularly, especially in regulated environments like municipalities. 
A quick review would have caught many of these issues in the first year. </li><li>Removing key controls from important processes should raise red flags. If the controls had been reviewed regularly, the budget crisis and fraud could have been avoided. </li><li>Small internal audit departments should consider rotational reviews that provide greater coverage across the organization. In this example, reviews of petty cash, budget, vendors, payroll, or accounting would have identified smaller issues that would have raised red flags and the need for additional reviews.</li><li>Messy situations may require internal audit to shut down the audit schedule for the rest of the year. Not only is it important to focus internal audit resources on high-risk areas, but it is critical to those responsible for oversight that they receive the clearest picture possible to make the most informed decisions about how to move forward.<br><br></li></ul></div><p>Silva detected several red flags in her initial review of the budget documents. First, McKenzie put the budget together under four large categories — instructional supplies, curriculum, payroll, and equipment — with lump sum amounts under each. Once the town approved it, the business manager arbitrarily assigned amounts to line item accounts in each category. Silva could not discern any reason for the assignment of funds. The second thing that stood out to her was the hundreds of transfers throughout the line item accounts each month that were not approved by the school committee or board. Lastly, there were no budgets in place for revenue accounts, even though large amounts of money were collected for sports fees, bus fees, and student activities. These collections were recorded as petty cash for the school district to use on purchases. </p><p> Silva first interviewed McKenzie about his budget process. 
He explained that the budget process was cumbersome and a source of significant productivity issues, so he streamlined the two-month planning cycle to one week. Instead of providing a detailed number for each line item, McKenzie broke the accounts down into four categories based on prior years and departmental needs, and assigned each category a lump number. The school committee and board voted on and approved the categories. The town approved this process because it trusted Franken and McKenzie. </p><p> When Silva asked about missing revenue accounts in the process, McKenzie insisted that the district accountant required that all cash collections be received into petty cash, so budget figures weren’t necessary. Adjustments were made at the end of the year to reflect the accounting. McKenzie blamed the district accountant for many of the budget challenges. </p><p> Silva’s findings list was filled with broken policies, regulations, and accounting rules, but she knew more data was needed. Some basic analytical testing found that administrators in the central office were using funds to purchase large flat screen televisions, office equipment, and laptops. However, these items could not be located anywhere in the district, so Silva assumed that administrators were taking them home. She began testing invoices, which showed that the district often reimbursed administrators for conferences and travel more than once. On several of the travel reimbursements, spouses were included and paid for by the district. The amounts submitted for reimbursement exceeded the threshold specified in the district’s policy. </p><p> When Silva conducted interviews with staff in the central office, she found there were relatives of administrators on the payroll who never showed up for work. And though the office was open until 5 p.m., many administrators left at 2 p.m. 
Lastly, an employee who worked in disbursements revealed that administrators received kickbacks from vendors for large purchases and the awarding of contracts. </p><p> Silva identified $2 million of fraud and abuse while reviewing five years of data. But she was unable to quantify much of the activity, such as the vendor kickbacks. A reasonable comparison of the actual costs of big-ticket items and what was paid by the school district added another $2 million to the total. </p><p> As a result of Silva’s investigation, Franken and McKenzie were forced to resign and are currently serving jail time for their part in the fraud schemes. Silva quantified the known abuses — like the technology gifts, no-show jobs, time theft, and travel and expense violations — per administrator, and found that nearly every one of them received, on average, an additional $10,000 per year on top of their salary. Those in higher levels of administration received more. The district accountant received none and acted as a whistleblower by filing a legal complaint. Franken and McKenzie were making significant money with kickback and petty cash schemes, using gifts, no-show jobs, and abridged schedules to keep staff from complaining or noticing, and covering their tracks with a convoluted budget process.<br></p>Deanna Polli Foster
Officials Call Penalty on Ex-NFL Player Fraud<p>The U.S. Department of Justice has charged six former National Football League (NFL) players with filing $3.9 million in fraudulent health-care claims, according to <a href="" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;"> <em>Infosecurity Magazine</em></a>. Prosecutors say the retired players submitted out-of-pocket medical expense claims for expensive medical equipment they never purchased.</p><p>The alleged fraudulent claims — some using forged prescriptions, invoices, and medical orders — were filed between June 2017 and December 2018. Moreover, some of the former players allegedly received kickbacks for recruiting other players into the scheme. Seven other retired players, who were indicted in December as part of the same alleged conspiracy, have pleaded guilty to making fraudulent claims.</p><h2>Lessons Learned</h2><p>There are both lessons to learn and actions to take from this fraud case — not only by all professional sports organizations, but also health insurance providers. These lessons are all the more important in the context of the COVID-19 pandemic and its consequences for the economy and public health.</p><p>The NFL alone has more than 20,000 retired players. Many of them, but not all, qualify for the Gene Upshaw NFL Player Health Reimbursement Plan. The league's plan provides up to $350,000 in benefits, and many retired players covered by it have medical conditions. Most former players lawfully rely on the plan's benefits; they are the real victims of this alleged fraud.</p><p>At its root, this case involves allegations of conspiracy, wire and health-care fraud, and a dose of a pyramid scheme. 
So what can internal auditors and health insurance providers learn from this case that can help prevent and detect future reimbursement frauds?</p><p>The main message is that health insurance providers<strong> </strong>need to continuously expand and improve their ability to detect potential fraud, including through the use of technology and data analytics, backed by monitoring and audits. Beyond that, here are three specific strategies:<br></p><ul><li> <strong>Monitor for suspicious transactions. </strong>The retired NFL players in this case allegedly used methods similar to those in other health-care fraud cases to deceive the insurance provider. These methods included submitting fabricated supporting documents such as false signatures on faked official letterhead with the names of real doctors.<br><br>The alleged claims frequently involved medical equipment such as hyperbaric oxygen chambers, cryotherapy machines, ultrasound machines, and electromagnetic therapy devices (designed for use on horses), costing as much as $50,000. These kinds of transactions should automatically receive additional scrutiny, including by using data analytics to detect repeating and irregular activity patterns from the same individuals. Internal auditors also should perform spot checks with equipment providers and physicians to verify the authenticity of purchases.</li> <br> <li> <strong>Verify providers.</strong> Health insurers should digitally store verified original signatures of equipment providers' staff physicians and compare them electronically for anomalies when especially large dollar reimbursement amounts are requested.<br><br></li><li> <strong>Implement electronic account controls.</strong> Insurers should use account-control mechanisms, including two-step verification and voice recognition-based account access. 
The individuals in this case allegedly dialed the telephone number provided on the reimbursement form and impersonated conspiring players to check the status of fraudulent claims and encourage payment as soon as possible. Phone calls to health-care companies should be recorded and monitored, as well.</li></ul><br>Art Stewart
Where Did All the Payments Go?<p>More than $2 billion in missing funds led to the resignation and arrest of Wirecard's CEO last month, <a href="" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;">CNN reports</a>. The scandal broke when the company's external auditors couldn't find the money in trust accounts and refused to sign off on the digital payment company's financial statements. The missing amount equates to one-fourth of Wirecard's assets and set off a global search for the funds.</p><p>German authorities suspect that former CEO Markus Braun used fake transactions to inflate Wirecard's revenues and balance sheet. The company says the missing money may never have existed and has withdrawn preliminary results for 2019 and the first quarter of 2020. At the time of Braun's resignation, he said the company had been the victim of a massive fraud. Wirecard has since fired its chief operating officer.</p><h2>Lessons Learned</h2><p>This story about Wirecard's financial scandal may bring back memories for internal auditors. The infamous 2001 case of Enron and its CEO, found guilty of accounting fraud, became a major driver of the U.S. Sarbanes-Oxley Act of 2002 financial regulatory reform.</p><p>Germany's finance minister summed up the essence of the Wirecard scandal, saying, "Critical questions arise over the supervision of the company, especially with regards to accounting and balance sheet control. Auditors and supervisory bodies do not seem to have been effective here." So what can internal auditors learn from this case?</p><p>The Association of Certified Fraud Examiners defines <em>accounting fraud</em> as "deception or misrepresentation that an individual or entity makes knowing that the misrepresentation could result in some unauthorized benefit to the individual or to the entity or some other party." 
Financial statement fraud can take multiple forms, including:</p><ul><li>Overstating revenues through outright falsifications, manipulations such as recording future expected sales, or irregular accounting practices. An example is when a company understates revenues in one accounting period and maintains them as a reserve for future periods with worse performances to reduce the appearance of volatility.</li><li>Inflating an asset's net worth by knowingly failing to apply an appropriate depreciation schedule.</li><li>Hiding obligations and liabilities from a company's balance sheet.</li><li>Incorrectly disclosing related-party transactions and structured finance deals.</li></ul><p> </p><p>Several actions are key to reducing the threat of financial statement fraud.</p><p><strong>Strengthen and rigorously implement internal controls over balance sheet account reconciliation.</strong> Efforts to sustain a timely and accurate account reconciliation process should include:</p><ul><li>A strong management focus.</li><li>Sufficient understanding of the process.</li><li>Written policies and procedures.</li><li>Adequate employee training.</li></ul><p> </p><p>Identifying and addressing any weaknesses in this process can help auditors and companies detect and correct errors before they file their reports. Organizations need to reconcile all high- and medium-risk accounts that could contain a significant or material misstatement and make all necessary adjustments to the general ledger in a timely manner. Because account reconciliations are so important, organizations also should adopt a continuous improvement process aimed at reconciling all accounts before the post-closing adjustment review process.</p><p><strong>Pay close attention to the work of external auditors. 
</strong>That scrutiny should include the audit committee asking questions of the external auditor and regularly reviewing the renewal process for selecting the auditor. The company also should be listening to its investors' concerns and complaints.</p><p>The focus in the Wirecard case has turned to its external auditors, who reportedly failed to report the company's unorthodox financial arrangements in the past. Wirecard's missing $2 billion allegedly involved an unconventional measure in which the company used third-party partners to process payments in countries where it wasn't licensed. Those businesses deposited revenue in trust accounts rather than pay it straight to the company. Wirecard explained that the money was kept that way to manage risk, saying it could be saved to provide refunds or chargebacks if needed.</p><p><strong>External auditors need to be vigilant in self-regulating the quality of their work. </strong>The external auditors allegedly did not confirm that Singapore's Banking Corp. held large amounts of cash on Wirecard's behalf. Instead, they relied on documents and screenshots provided by a third-party trustee and Wirecard itself.<br></p>Art Stewart
The Fraudulent Finance Officer<p>Fabrina Carr joined CA Clubs, athletic and social clubs scattered throughout the Northeast, in 2012 as a secretary. Soon after, she was promoted to chief financial officer. As the financial director, she had overall control of the company's finances with little oversight, and she managed a small group of employees. </p><p>In late 2017, Carr phoned her work colleague from Bermuda to announce her resignation. This event, like any other unexpected executive departure, triggered an internal audit. The CEO of the company called Gina Cupler, the director of internal audit, whose team quickly started assessing the situation.</p><p>Internal audit requested emails and reports for corporate credit cards, travel expenses, and department expenses for the previous two years. Review of travel found significant and unusual spending activity, an excessive amount of expensive business trips, and a suspicious expense of $7,213. Cupler reviewed Carr's credit card statements and saw that the expense was paid to a funeral home. Public burial records revealed that Carr's sister had passed away and that the burial service was conducted by the funeral home noted in the credit card statement. A keyword search in Carr's email account captured correspondence with the funeral home, as well as an itemized invoice. </p><p>Cupler decided to dig deeper into CA Clubs' banking activity. Records indicated that Carr wrote checks to various people and vendors, yet the vendor master file did not list those check recipients. When Cupler asked Carr's employees about the vendor master file, they told her that Carr maintained administrative control of the accounting system. This gave her unrestricted access to manipulate vendor records and transactions without detection. In addition, bank statements revealed five $100,000 wire transfers to an offshore account just before Carr resigned, which she approved herself. 
</p><p>Cupler notified the CEO of internal audit's findings and asked her team to expand the investigation to all five years of Carr's employment. Internal audit identified 1,464 personal transactions that started one month after Carr joined the company and carried forward for almost five years. Details of her unbelievable spending spree included 51 flights, 56 hotel stays, and 270 shopping transactions. </p><p>Cupler also inquired with the external auditors about their work over the past few years. Because the current external auditors had recently taken over the account, internal audit had to request copies of the audit reports from the previous auditors. The reports included findings about poor record keeping and insufficient evidence to support expenses and vendor payments. However, all interactions with the external auditors were through Carr, who never shared audit reports with the board. And the board never requested to see them. </p><p>Cupler was perplexed at how this could happen, so she instructed her team to perform more research into Carr's background. Her human resources (HR) file included a black and white copy of an accounting degree from Whatsworth College. An inquiry with the college found no record of Carr's attendance. The degree was forged, and HR never reviewed Carr's education or accounting certifications. The team then looked into Carr's criminal and past employment records, which revealed a history of theft and writing of fraudulent checks. </p><p>At the first evidence of fraud, Cupler notified the authorities and kept them abreast of developments. Carr was arrested at the airport upon her return from Bermuda and was questioned by authorities about the money that was missing. Carr claimed she loaned $500,000 to her boyfriend, a Nigerian man who she met online. A subordinate of Carr testified at the court hearing that Carr texted her outside of business hours instructing her to make payments to the man. 
Despite being suspicious about the payments, she felt bullied and did not want to question her supervisor. The prosecutor argued that these transactions were the reason Carr eventually resigned from CA Clubs — she had taken $500,000 to help her boyfriend leave Nigeria, but he never repaid her. The judge sentenced Carr to six years in jail, but she was not ordered to repay any costs because she declared bankruptcy.</p><p>CA Clubs sent an announcement to its 7,000 members sharing information about Carr's conviction and explaining that a new management structure was put in place with more rigorous financial processes to better protect the company. The incident was a painful reminder of what can go wrong without adequate checks and balances in place.  <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<strong>Lessons Learned<br><br></strong><ul><li>A pre-employment background check is a key preventive control. Verification that a person is who he or she claims to be is important, especially when it comes to meeting the compliance requirements with hiring legally authorized citizens. The background check also provides an opportunity to check a person's criminal record, education, employment history, and other information to confirm its validity.</li><li>Validation checks also should be performed when internal employees are promoted or move into new roles. Just because they have the skills, experience, and qualifications for the roles they were initially hired for does not mean they are immediately qualified for other roles in the company. HR should verify that their education, certifications, and any other skill sets are legitimate to meet the requirements of the new role. </li><li>Reliance on a single person to control all aspects of financial transactions is never a good idea because it creates opportunities to commit fraud. 
Small organizations may need to get creative when it comes to segregation of duties. Board members for small not-for-profit organizations can take on an active financial governance role by reviewing financial information monthly. </li><li>Thresholds should be in place around bank and credit card transactions with any override of these controls placed with the board. Companies also should work with their bank and credit card vendors to put automatic controls in place to prevent overspending.</li><li>Small companies may not have the resources to look at the cultural aspects of their work environment. However, board leadership can have an active presence and provide employees with an outlet outside of their normal chain of command, such as a whistleblower hotline, to report suspicious or unethical activity.<br><br></li></ul></td></tr></tbody></table>William Byrne
Exploiting the Crisis<p>Throughout the coronavirus pandemic, the state of Washington has paid out hundreds of millions of dollars in fraudulent unemployment claims, the <a href="" target="_blank" style="background-color:#ffffff;">Associated Press reports</a>. State and U.S. government officials allege that a West African fraud ring is filing false claims using stolen identities. Many of those people still were employed, so they weren't likely to notice that someone had filed an unemployment claim in their name unless their employer contacted them about it.<br></p><p>Like many states, Washington has faced a massive spike in unemployment claims. Since March, 2 million unemployment claims have been filed in the state, with weekly initial claims topping 180,000 compared to the usual amount of 6,000.</p><p>Authorities have tried to recover some of the money paid to false applicants and have blocked some other payments. Since Washington first discovered the fraudulent claims, eight other states have reported similar schemes to defraud their unemployment systems.</p><h2>Lessons Learned</h2><p>Around the world, governments have paid out huge amounts to assist individuals and businesses adversely affected by the COVID-19 pandemic. These payments have supported millions of people who have been laid off or furloughed, as well as assisted businesses of all sizes.</p><p>But in responding to the unpredictability and urgency of the crisis, governments emphasized speed over controls to get money to those in need as quickly as possible. That has created opportunities for fraud.</p><p>The unemployment fraud in this story is one of many schemes seeking to take advantage of growing demand for financial relief. 
There are several audit-related strategies governments can adopt to help clean up this fraud now and be better prepared to provide aid during a second wave of the pandemic.</p><p><strong>Audits</strong> Internal auditors need to audit the performance of temporary relief programs. These reviews should include looking for ways to achieve a more optimal balance between delivering benefits quickly and accurately.</p><p>Throughout the crisis, government officials in areas such as employment and taxation may have approved payments and not referred suspected abuse to their quality control, integrity, or enforcement functions. For example, Canada Emergency Relief Program staff members were instructed that applicants should still receive benefits even if records indicated they quit voluntarily or were fired for possible misconduct. However, the program's legislation excludes these factors from eligibility for benefits.</p><p>Not only should the departments directly involved in assistance programs perform audits, so should national audit functions, such as the U.S. Government Accountability Office, given the widespread nature of the government's response. Additional funding may be needed to undertake this work.</p><p><strong>Controls</strong> Program controls over emergency financial relief programs should be designed and operate in relation to other existing employment and social support programs such as unemployment insurance. Government agencies need to conduct pre-payment verifications and post-payment reviews to some degree, even during an emergency situation.</p><p>For example, government agencies have discovered a significant number of individuals who were receiving duplicate payments. Some people received this money by mistake, but others were intentionally trying to collect both emergency and unemployment payments at the same time. 
Uncovering these "double dippers" should be simple because applicants must provide basic identifying information to apply for either program. What is necessary is taking faster action to verify the problem and recover the money.</p><p><strong>Deterrence</strong> Effective fraud deterrence measures include clear warnings to benefit recipients about the consequences of cheating. In the example of a business that falsifies documents to claim a wage subsidy benefit, a deterrent would be penalties that are larger than the amount received through the program.</p><p>Whistleblower mechanisms also are needed. They should be tailored to the design of emergency programs and their eligibility criteria, and should operate via existing taxation agencies. These agencies typically collect reports of tax cheating such as not declaring all income, accepting "under the table" cash payments, or setting up a fake business to claim losses and reduce taxes.</p><p>Adding emergency financial relief programs to the existing whistleblower system may require someone who wants to report a potential fraudster to provide key information about the suspect. These details may include the individual's work or education situation, or his or her employer's number of employees and total payroll.</p><p><strong>Ongoing Assistance</strong> Governments should implement "exit strategies" for assistance programs that balance the ongoing needs of those who still are affected by the COVID-19 crisis with the necessity to reopen economies. Fewer people will require help as businesses reopen and workers are rehired. However, those who still don't have a job, or those who cannot qualify for unemployment insurance, may still need some form of assistance.</p><p>Moving forward, the lessons that governments learn from this crisis about audits, controls, and fraud deterrence could help them design a more effective, less fraud-susceptible relief program.<br></p>Art Stewart
Police Entangled in Tow-truck Kickbacks<p>A 10-month investigation has uncovered an alleged kickback scheme involving Ottawa police officers and a tow-truck operator. According to the police investigation and reporting by the <a href="" target="_blank"> <em>Ottawa Citizen</em></a>, three officers solicited bribes from a towing service in exchange for information about the locations of vehicle crashes. </p><p>Other towing services had complained to the police about the alleged arrangement since 2018. Moreover, drivers involved in crashes said they had observed money changing hands between police officers and tow-truck drivers. The Royal Canadian Mounted Police (RCMP) has filed criminal charges against the officers, the owner of a tow-truck company, and two other individuals. </p><h2>Lessons Learned</h2><p>This news story and a <a href="" target="_blank">similar investigation involving sheriff's deputies in California</a> highlight two issues that internal auditors can help law enforcement agencies address: 1) establishing and enforcing a strong ethics and conflict-of-interest regime, and 2) implementing better controls over tow-truck operations involving police officers. </p><p>The City of Ottawa's police chief has expressed that the Ottawa Police Service's (OPS') code of conduct and ethics regime must be reviewed and strengthened. That exercise should be informed by the breadth and depth of the allegations against the three officers charged with several crimes by the RCMP, including:</p><ul><li>Giving out police information about vehicle collisions to one towing service and getting a financial kickback. Further, the officers allegedly gave that operator access to confidential OPS databases. 
Additionally, the RCMP has charged a family member of the towing operator with secret commissions.</li><li>Obstruction of justice and breach of trust.</li><li>Causing a false insurance claim to be made about a collision.</li><li>Using the position of a police officer for personal gain on a dating website.</li><li>Conspiring to break and enter to commit theft.</li></ul><p><br></p><p>From the standpoint of strengthening the OPS code of conduct and ethics regime, one step the department has undertaken is establishing a unit responsible for ethics and code of conduct issues, headed by a senior officer at the superintendent (executive equivalent) level. Other measures that should be in place include:</p><ul><li>A code of conduct and ethics compliance regime, policies, and processes that specifically prohibit the kinds of behaviors listed above, along with disciplinary consequences for noncompliance. The regime should include a "zero tolerance" policy as appropriate for law enforcement officials.</li><br> <li>Regular reporting of cases involving disciplinary, ethics, and conduct issues, such as in the OPS Annual Report. The OPS reports on some professional conduct issues, but this mainly is statistical information. As a deterrent, the OPS should publicize cases where officers are found guilty of inappropriate or fraudulent actions.</li></ul><p><br></p><p>Regarding the issue of controls over police forces and their interactions with towing services, the OPS and city officials should review the department's operations and policies, in part, to determine whether its processes need to change. That should include whether officers should have discretion about which towing service to call.</p> <p>Perhaps a "blind" dispatch system is needed to ensure a better distribution of work among the various tow-truck operators in Ottawa. 
Making such changes may be complex in cases in which vehicles are involved in possible criminal activities, or where drivers in an accident have their own towing service, such as through the Canadian Automobile Association or a credit card company. </p>Art Stewart
Breaking Down the Fraud Policy<p>Nearly half of all global organizations in PwC's 2018 Global Economic Crime and Fraud Survey admit to having been the victim of fraud and economic crime in the past two years, resulting in more than $7 billion in total losses and a median loss of $130,000 per case. Nearly half of those frauds were because of internal control weaknesses.</p><p>Internal audit plays several key roles in the prevention, detection, and monitoring of fraud risks. First, as internal audit has broad visibility into the different areas of the enterprise, it should be aware of potential red flags of fraud in all audit engagements and identify ones that may warrant further investigation. Also, internal audit should assess the effectiveness of controls designed to mitigate fraud risk. Finally, internal audit can lend valuable expertise in an advisory role to the development of the fraud policy. To do this, internal auditors need to understand the key elements of a strong policy, and who it should involve.</p><h2> The Building Blocks<br></h2><p>Any organization can be a victim of fraud, regardless of its size, industry, or location. The most effective recourse is to develop a strong and implementable fraud policy that defines unacceptable behavior and how the organization will respond to it. 
While policies can vary depending on the organization's number of employees, industry complexity, and operating environment, the fundamental elements remain the same:</p><ul><li>The policy has top-down support.</li><li>It includes clear, specific language and examples.</li><li>It accurately and effectively defines fraud.</li><li>There is policy ownership, so a specific person or group of people are charged with overseeing the development and implementation of the fraud policy.</li><li>It clearly spells out personnel roles and responsibilities.</li><li>It explains the disciplinary and legal actions the organization will take.</li><li>It makes anonymous hotlines and reporting options available.</li><li><p>There is an effective communication plan around the policy.<br></p></li></ul> <p>While no fraud policy can define every fraudulent action, a well-written policy uses clear language and relatable examples to help reduce uncertainty about what the organization considers illegal activity. It also provides clear instructions regarding the responsibilities and procedures to be followed by all involved when illegal activity is suspected or uncovered. </p><p>However, it doesn't matter how well the fraud policy is written if it sits in a three-ring binder gathering dust. The organization must ensure that the fraud policy is not only created, but also read and understood by all internal personnel and external parties with which it engages. The greater the importance the organization places on this document, the greater the likelihood employees will place an equal amount of importance on it. From regular manager/employee policy reviews to live training to role playing, the same message, stance, and emphasis on eliminating fraud can be reinforced. 
Regular communication not only promotes understanding, but also can deter potential fraudsters.<br></p><p>Occupational fraud is most efficiently organized into three categories, each of which companies must identify and communicate to personnel. </p><ul><li> <em>Asset misappropriation</em> is the stealing or misuse of enterprise resources by personnel. This occurred in more than 89% of all reported cases and resulted in a median loss of $114,000, according to the Association of Certified Fraud Examiners' (ACFE's) Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse.</li><li> <em>Corruption schemes</em> occur when personnel misuse their influence during business transactions to obtain benefit and violate their duties to the employer. According to the ACFE study, this accounts for 38% of occupational fraud cases with a median loss of $250,000.</li><li><p> <em>Financial statement fraud</em> occurs when personnel intentionally cause misstatements or omit information in enterprise financial reports. It is the least common but most costly, averaging $800,000 per incident.</p></li></ul><h2> Prosecuting Fraud<br></h2><p>While fraud detection and prevention is an organizationwide effort, clearly defined roles must be instituted to promote responsibility and reduce confusion. For example, the board of directors is responsible for corporate fraud governance, and management must be engaged in executing these policies. Internal audit's role should be clearly defined, as well. Auditors must have the authority to ensure fraud controls are appropriate and effective, to investigate instances of possible fraud, and to support management in executing the fraud risk assessment.</p><p>Without the threat of prosecution, a fraud policy is little more than a toothless tiger. Therefore, it's critical that the policy conveys a plan of disciplinary action to all personnel. 
The fraud policy must include a statement that all appropriate measures to deter fraud will be taken and all instances of suspected fraud will be investigated and reported to the appropriate authorities. </p><p>Generally, organizations have four options when fraud is uncovered: criminal prosecution, civil fraud lawsuit, a mutually agreed upon termination of the perpetrator, or no action. There are varying schools of thought as to which of these actions should apply to different fraud situations. For example, it can be argued that taking no action is one of the surest ways to promote an organization's susceptibility to future fraud because of the perception of impunity. On the other hand, there also are cases when the cost of prosecution exceeds the cost of the fraud and other disciplinary actions may be preferred. Some organizations will prosecute all fraud regardless of monetary value. From the internal auditor's perspective, however, the key question is whether the organization has considered the risks of its disciplinary policy (reputational risk, cost, future fraud risk, etc.) and is comfortable with them.</p><p>The fraud policy must provide personnel with instructions regarding the steps to take when suspecting fraud. The policy should remind personnel that they are not prosecutors of the law and that their job is to report their findings to the organization's appropriate party. The fraud policy should provide anonymous avenues to give employees confidence that they can safely report potential fraud, such as a fraud hotline number. In addition to verifying the existence of a hotline, internal audit also may want to understand whether it is being used and how effectively the company has responded to these tips.</p><h2>A Preventive Measure</h2><p>In the end, a fraud policy is an inexpensive and effective method for reducing the threat of potentially crippling financial losses. 
Furthermore, all departments, including internal audit, can play major roles in its development. This stand-alone document should be seen by all personnel as playing an integral role in the organization's health and longevity.  <br></p>Chris Errington
The Double Dipper<p>Robert Shull and Alysa Cayden, the forensic audit team at Midnight Sun Inc. (MSI), sat with Justin Planter, a regional sales manager at the solar power company, as he rolled his eyes and made condescending faces. MSI’s procurement department forwarded Planter’s travel and expense (T&E) reports to Cathy Francis, the human resources manager, after an employee noted that spending was not consistent with the company’s T&E policy. Francis reviewed the reports and was concerned that there was a greater pattern of abuse, so she requested that Shull and Cayden examine his T&E reports.</p><p>Sitting next to Planter was his boss, Thomas Cooper, a veteran regional manager with more than 25 years of experience with MSI. During the interview, Planter admitted to purchasing a personal cell phone using his company credit card. In addition, he frequently used the card for alleged business meetings at establishments that bordered on adult entertainment. Much to his surprise, Planter’s employment was subsequently terminated. </p><p>After the interview, Shull and Cayden felt something was amiss. Cooper approved all of Planter’s T&E reports but was not suspicious of any of his spending. Also, they noticed that Cooper’s statements were inconsistent, requiring him to revise them on several occasions.</p><p>After his firing, Planter contacted MSI’s CEO, James Spicolli, and explained how Cooper allowed his management team members to use their corporate credit cards to dine out, make personal purchases, and charge mileage for business travel despite being reimbursed through another program. Planter also claimed that Cooper attended many of the dinners and instructed him to pay the bill so that he could approve the expenditure, thus avoiding the scrutiny of Cooper’s manager. 
He also alleged that Cooper coached him before the interview on what to say and promised that there would be no significant disciplinary action.</p><p>To review Planter’s allegations, Shull and Cayden obtained all T&E reports for Cooper and his management team. Data analytics compared the company policy against spending. One area of focus was cash reimbursements for expenses below $25, the minimum amount requiring receipts to be submitted.</p><p>The results were shocking. Cooper’s team members used their corporate credit cards for expenses well outside the T&E policy. Furthermore, Cooper approved every expense report submitted to him. They found numerous abuses of travel expenses:</p><p></p><ul><li>Managers split expenses to stay below the $25 internal control threshold. In one instance, two managers split unknown expenses at a liquor store. </li><li>One manager submitted for cash reimbursement for client meetings over lunch or dinner for $24.99 every other day for more than two years.</li><li>Multiple holiday parties and team meetings were reimbursed, including a substantial liquor bill at each.</li><li><p>Team members expensed mileage reimbursement twice. <br></p></li></ul><p>Shull and Cayden put together detailed profiles on Cooper and each manager, including their expense reports, supporting invoices, and the section of the T&E policy they violated. Additional evidence gathered during interviews resulted in the termination of Cooper and several other managers. Cooper justified the expenditures by explaining he was under budget for T&E expenses on his annual profit and loss statement.</p><p>Shull and Cayden then embarked on a companywide T&E audit. They obtained six months of data from MSI’s online T&E reporting program. The program allowed employees to book transportation and lodging, code expenditures by spending category, and submit expense reports for approval. 
Deviations from policy were flagged for the employee’s manager to review before approving the expense report. </p><p>Shull and Cayden organized and ranked all spending by employee and spending category. Their team selected T&E reports for detailed testing for the most egregious spending by category based on total spending and frequency of policy violation. Text analysis on words such as “gift card,” “baby shower,” and “party” identified miscoded or out-of-policy expenditures. They selected samples, reviewed receipts attached to the expense reports, and documented all policy violations. Finally, the investigation team interviewed the employees who submitted the expense reports. Policy violations included:</p><ul><li>A lack of review by managers of exceptions identified by the T&E program, which flagged millions of dollars of expenditures that were outside policy. </li><li>Abuse of cellphone reimbursement.</li><li>Abuse of meal reimbursement, first-class travel, and hotel lodgings.</li><li>Cash reimbursement where no invoice was submitted to support the expense.</li><li>Personal spending at online retailers.</li><li>Spending and funds transfers through money service providers, such as PayPal and Venmo, which have limited audit trails. </li><li>Purchases of gift cards. </li><li><p>Numerous spending violations in Las Vegas, including front row seats to shows and $1,000 dinners at four-star restaurants. <br></p></li></ul><p>Individual violations included:</p><ul><li>An employee transferred $7,000 from his corporate credit card to his personal business through a money service provider. </li><li>Employees shared their credit cards with one another when they reached their card limits.</li><li>A manager sponsored a “kids” event at a local bar. </li><li><p>A manager purchased gifts for his secretary at a popular women’s lingerie company.<br></p></li></ul><p>After the investigation, MSI invested in T&E audit software to review all reports in real time. 
When the software identifies T&E reports with excessive policy violations, the procurement department rejects them. In extreme cases, procurement forwards them to the forensic audit team. In addition, MSI started blocking spending on company credit cards by merchant category codes, which classify businesses by the products or services they provide. The T&E policy was updated to eliminate the use of money service providers. </p><p>In most cases of fraud, the employee was terminated. Employees who violated the T&E policy were reprimanded, and demand notices for repayment were sent to employees whose misdeeds were discovered after they left MSI. After one year, T&E spending was reduced by more than $5 million.  </p><p><br></p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>Lessons Learned</strong></p><ul><li>Periodically conduct a T&E audit to ensure employees are in compliance with the T&E policy. Review and update the T&E policy and educate employees as part of annual code of conduct training. Low-cost software can review all T&E reports in real time. </li><li>Management should review subordinates’ T&E assumptions during its annual budgeting period. In MSI’s investigation, a management team used the T&E budget as a slush fund for personal spending and out-of-policy entertainment. </li><li>T&E policies should not allow for the use of money service providers (e.g., PayPal). These providers allow for the purchase of goods and services or the transfer of funds for personal use. They also have limited audit trails, which enhances the risk of fraud. </li><li>The organization should block merchant category codes on corporate T&E cards for goods and services that would not be appropriate for its business or allowable under its T&E policy.</li></ul></td></tr></tbody></table><p></p>Grant Wahlstrom
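<p>The T&E analytics described in this case (claims just under the $25 receipt threshold, split purchases, keyword text analysis, and mileage expensed twice) can be sketched as follows. This is an added example, not MSI's software or code from the article; the record layout, the sample rows, the $1 "just under" margin, and the function names are assumptions.</p>

```python
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal
from typing import NamedTuple

RECEIPT_THRESHOLD = Decimal("25.00")  # article: receipts are required from $25
NEAR_MARGIN = Decimal("1.00")         # assumption: "just under" = within $1
KEYWORDS = ("gift card", "baby shower", "party")  # terms named in the article


class Expense(NamedTuple):
    id: int
    employee: str
    day: date
    merchant: str
    category: str
    amount: Decimal
    description: str


def _e(i, emp, d, merchant, cat, amt, desc):
    return Expense(i, emp, date.fromisoformat(d), merchant, cat, Decimal(amt), desc)


# Constructed sample data; employees, merchants and amounts are invented.
EXPENSES = [
    _e(1, "mgr_a", "2020-03-02", "Corner Liquor", "meals", "24.50", "team supplies"),
    _e(2, "mgr_b", "2020-03-02", "Corner Liquor", "meals", "24.50", "team supplies"),
    _e(3, "mgr_c", "2020-03-03", "Cafe Uno", "meals", "24.99", "client lunch"),
    _e(4, "mgr_c", "2020-03-05", "Cafe Uno", "meals", "24.99", "client dinner"),
    _e(5, "mgr_c", "2020-03-07", "Bistro Due", "meals", "24.99", "client lunch"),
    _e(6, "rep_d", "2020-03-04", "OfficeMart", "supplies", "60.00", "Gift cards for baby shower"),
    _e(7, "rep_e", "2020-03-06", "", "mileage", "43.70", "site visit, 76 miles"),
    _e(8, "rep_e", "2020-03-06", "", "mileage", "43.70", "site visit, 76 miles"),
    _e(9, "rep_f", "2020-03-09", "Airport Deli", "meals", "12.40", "lunch while travelling"),
]


def near_threshold(rows, min_hits=3):
    """Employees with repeated claims just under the receipt threshold."""
    floor = RECEIPT_THRESHOLD - NEAR_MARGIN
    hits = defaultdict(list)
    for r in rows:
        if floor <= r.amount < RECEIPT_THRESHOLD:
            hits[r.employee].append(r.id)
    return {emp: ids for emp, ids in hits.items() if len(ids) >= min_hits}


def split_purchases(rows):
    """Same merchant and day: several sub-threshold claims that together
    reach the threshold, whether filed by one employee or by several."""
    groups = defaultdict(list)
    for r in rows:
        if r.amount < RECEIPT_THRESHOLD:
            groups[(r.merchant, r.day)].append(r)
    return {
        key: [r.id for r in grp]
        for key, grp in groups.items()
        if len(grp) > 1 and sum(r.amount for r in grp) >= RECEIPT_THRESHOLD
    }


# Word boundaries stop "party" matching inside a longer word; "s?" allows plurals.
_PATTERNS = {
    kw: re.compile(rf"\b{re.escape(kw)}s?\b", re.IGNORECASE) for kw in KEYWORDS
}


def keyword_hits(rows):
    """Expense ids whose free-text description contains a watched term."""
    out = {}
    for r in rows:
        found = [kw for kw, pat in _PATTERNS.items() if pat.search(r.description)]
        if found:
            out[r.id] = found
    return out


def duplicate_mileage(rows):
    """Mileage claimed more than once by one employee for the same day and amount."""
    seen = defaultdict(list)
    for r in rows:
        if r.category == "mileage":
            seen[(r.employee, r.day, r.amount)].append(r.id)
    return {key: ids for key, ids in seen.items() if len(ids) > 1}
```

<p>Each function returns the ids of the records behind a flag, so a reviewer can pull the matching receipts. A flag is a reason to look at the report, not a finding in itself.</p>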
Beware the Coronavirus Scams<p>As if sheltering in place during a pandemic wasn't bad enough, criminals are using the coronavirus (COVID-19) crisis to target people who are working from home, the <a href="" target="_blank">U.S. Federal Bureau of Investigation (FBI) warns</a>. According to the FBI's Internet Crime Complaint Center, these attacks are using email on two fronts. </p><p>First, attackers are sending email pretending to come from the U.S. Centers for Disease Control and Prevention (CDC), offering information on COVID-19. Instead, the links and attachments contain malware that steals personal information or ransomware that locks the user's computer until the person makes a payment.</p><p>Second, criminals are using phishing email to request personal information, claiming it is necessary for receiving a government economic stimulus check. Other phishing scams include requests for charitable contributions and offers for financial relief, airline refunds, and fake virus cures and testing kits. </p><h2>Lessons Learned</h2><p>Whenever an extraordinary event occurs that forces people to rapidly modify their behaviors from their normal routines, fraudsters exploit the situation. As the COVID-19 pandemic unfolds, the FBI's warning about fraud schemes is both timely and helpful. </p><p>Internal auditors should watch out for additional fraud threats not mentioned by the FBI. Inevitably, while the current pandemic is unique, as it progresses through its various stages of impact and ultimately fades, new forms of fraud will be on the march. Here, auditors can learn from what happened during the 2009 H1N1 swine flu pandemic.</p><p>During the H1N1 outbreak, the CDC had to address fraud related to falsification of testing, certification, distribution, and marketing irregularities involving influenza vaccines and related supplies. 
Some of the fraud and abuse schemes that are likely to arise once COVID-19 vaccines or treatments become available include:</p><ul><li> <strong>Investment scams and false claims about supposed COVID-19 vaccines and treatments.</strong> Already, authorities have arrested an individual in California who <a href="" target="_blank">allegedly had solicited investments</a> for a COVID-19 "miracle cure." Criminals are likely to market and advertise fraudulent product claims, bogus products, and implied endorsements by government agencies — including agency logos — through websites, email, and social media. Regulators, investors, and auditors need to be vigilant, do their investment research, and avoid being panicked or swayed by the current pandemic.<br><br></li><li> <strong>Health-care provider schemes.</strong> Likewise, internal auditors should watch out for schemes in which doctors, pharmacists, and other medical professionals collude to make false claims, get kickbacks, and seek reimbursement for unnecessary tests from Medicaid, Medicare, and insurance providers. Such fraud already is common, but may grow as the scope and scale of COVID-19 treatment activities expands. For example, the FBI recently charged a marketing company executive in Georgia with <a href="" target="_blank">allegedly receiving kickback payments</a> for steering patients to providers for COVID-19 testing and defrauding Medicare.<br><br></li><li> <strong>False or inflated billing for a COVID-19 </strong> <strong>vaccine</strong><strong>.</strong><strong> </strong>Governments have not determined how they will deal with the costs and pricing of a potential COVID-19 vaccine. In the U.S., the federal government provided H1N1 vaccine doses and related supplies at no cost to patients, although it charged administrative fees. 
Regardless of who pays for doses of a vaccine, authorities should be wary of schemes in which health-care providers seek an out-of-pocket fee directly from the patient that is above the maximum allowable charge from insurance or government-provided coverage.<br><br></li><li> <strong>Illegal or false manipulation of COVID-19 vaccine supplies. </strong>Given the global nature of this pandemic and of worldwide supply chains, fraudulent diversion schemes are likely. One example is selling or diverting vaccines or related supplies provided by the federal government. This activity may occur in combination with counterfeiting, adulterating, theft, or other consumer fraud schemes. <br> <br>Diversion schemes may include situations where criminals move legitimate prescription drugs or vaccines into illegal channels, such as the black market, illegal Internet sales, and sales without prescription. These treatments also may be acquired illegally through smuggling or via cargo, wholesale, manufacturer, and distributor theft.<br><br></li><li> <strong>Exploiting control weaknesses.</strong> Governments and health-care agencies have emphasized using computer-based modeling and analysis to, for example, attempt to predict the path of COVID-19 impacts, with and without mitigation strategies. This analysis was not as advanced in the era of H1N1. However, it could assist in identifying control weaknesses in regulatory, benefits delivery, and program management systems that are being developed and deployed rapidly to address COVID-19. Internal auditors should focus on ways to help identify these weaknesses and reduce the organization's susceptibility to fraud threats.</li> </ul><p><br></p><p>The CDC's website has much good <a href="" target="_blank">information</a> to educate the public about pandemic fraud. It should add information about where and how to report suspected COVID-19 fraud, including a hotline.</p>Art Stewart
The Fraud Behind the Flags<p>After Greg Kane was promoted to director of internal audit at State Elder Care Co., a management firm for 54 long-term senior citizen care centers in Florida, his first objective was to refresh the risk assessment process. In his opinion, the previous director was too loose with his approach. </p><p>Kane met with department leaders as part of the risk assessment, including Tom Anderson, the director of purchasing. Purchasing was identified as an increasingly high-risk area because of the volume of spending and the absence of an internal audit in the last five years. According to Anderson, the department was deeply focused on a cost-savings initiative led by the chief operating officer, Dianna Foster. When asked how the initiative was going, Anderson eagerly expressed how 80% of spending from the 54 centers was consolidated to better leverage purchasing's buying power and reduce expenses and costs. </p><p>Kane presented his risk assessment and internal audit plan to the audit committee, which included a review of the purchasing department. Foster resisted the inclusion of purchasing, insisting that the cost-savings initiative was not complete and that an audit would halt improvements. The audit committee agreed to the review primarily based on Kane's insistence that a high-risk area should not be ignored for more than five years. </p><p>Internal auditors started the review by testing purchasing controls and performing a high-level analysis of purchasing data, which included looking at overall spending trends by year. They also conducted walk-throughs of purchase order approvals, vendor master file additions, and the bid process. Satisfied with well-documented and performed controls, the auditors chose a sample of 30 purchased items and services and tested them through all purchasing controls. 
Each test was perfect with three bids for each product, the best bid selected, approvals documented, and authorization levels followed. </p><p>When Kane met with his team, one auditor had an unusual comment about one of the samples — the 900 flags purchased the previous year for $150 each for the centers. Having never considered the cost and durability of a flag before, the auditor thought this seemed like a large expense. A quick Google search found that reasonable, quality flags last approximately 90 days and cost around $40. This resulted in a potential overspend of ($150 – $40) x (900 – 200) = $77,000.</p><p>Kane double-checked all the workpapers. Everything was in accordance with the purchasing policy, and controls appeared to be in place. And then it hit him. The audit team had not looked into the vendors. He Googled the flag vendor but was unable to find a website. However, he learned that it was incorporated just two years before. </p><p>With this new insight, Kane and his team identified any items that increased in spending by 10% or more each year. Several items popped up, adding up to total expenditure of roughly $200 million. The data showed that the items with increased spending nearly doubled each year. Within this sample, they identified items being provided by new vendors, which was nearly half of the sample. </p><p>The team then investigated each vendor within the bid process. Each bid appeared legitimate, but many of the companies providing the bids were recently formed and had no website. A few companies were consistently part of the bid process, whether they won or lost. When reviewing past bids, the team noticed that, in many cases, previous vendors were not included in the bid process. Kane's team documented its findings in preparation for a meeting with Anderson.</p><p>Kane explained that because of what he found with the flags, he decided to look at more data. Anderson turned pale. 
Kane asked how procurement chose the flag vendor and how often the flags need to be replaced. After a long silence, Anderson explained in a quivering voice how he and his team worked hard on cost savings and made great progress each year. Because he was short staffed, Foster helped administer bids for some of the items. It seemed like a great idea at first, but the number of items Foster managed grew each year. </p><p>Anderson admitted to rubber stamping many of the bids and approvals, assuming everything was above board. They were getting the same quality items they needed and cost savings were going up each year, so he did not think much of it. But he became concerned two years earlier, after one of his long-term vendors contacted him about being excluded from the bid process. Anderson looked into the bid and was surprised to see that it came in higher than expected. </p><p>Kane and his team then looked into all the bids to identify the vendors. Twenty-one recently formed companies were new vendors to the company. Further investigation revealed that many of them were registered to Erin Foster, Dianna's sister. Kane and the vice president of legal went directly to the audit committee with their concerns. </p><p>For five years, Dianna Foster hid a $15 million fraud behind the purchasing department's cost-savings initiative. She threatened to take business away from vendors if they did not agree to increase their costs by 20% to 30% and give her 80% of the increase as a kickback. One vendor, a hospice provider, agreed to pay Foster a personal referral fee for every senior referred from one of the elder care facilities. By year two, she realized that it would be easier to create companies and include them in the bidding process. The companies, run by her sister, would act as the pass-through for the business — buying the items from the prior vendor, marking up the prices, and splitting the money. 
</p><p>Dianna Foster was eventually arrested and sentenced to six years in jail and restitution. The organization of vendors Erin Foster created included 16 different companies and 87 unique bank accounts. Erin Foster was sentenced to three years in jail and restitution.</p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>​Lessons Learned</strong></p><ul><li>Assume every unanswered question is important. In this case, the fraud would have gone undetected if not for the question about the flags. These unanswered questions do not always lead to fraud, but they will always add context to the state of the business and help demonstrate an understanding of the process reviewed by internal audit. <br><br></li><li>Analyzing data can be a powerful tool. However, it is always significantly more powerful when internal auditors know what questions to ask. Running ad hoc analytics midway through an internal audit is a great supplement to running a standard set of analytics at the start. <br><br></li><li>Adjust procedures based on risk. Plans are based on assumptions and should be adjusted once new information is discovered. The value of internal audit is not in meeting deadlines, but in helping to identify areas of improvement. As the risk of a process increases with new information, the potential value of audit procedures also increases. <br><br></li><li>High-risk areas should always be reviewed regularly. The possibility of a review each year would have prevented this fraud, as Foster would have been more fearful of getting caught. Each year after the first incident, the fraud nearly doubled in size. Catching the perpetrator in year three would have saved the company nearly $10 million. Comparing this to the 300 hours of internal audit time and about 40 hours of purchasing employee time seems like a high return on investment. 
</li></ul><br></td></tr></tbody></table><p></p>Bryant Richards
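<p>The follow-up analytics Kane's team ran in this case (items whose spending rose 10% or more each year, recently formed vendors supplying them, prior vendors left out of bids, and companies that keep appearing in bids) can be sketched as follows. This is an added example, not code from the article; the data layout, the sample rows, the two-year "new vendor" window, and the function names are assumptions.</p>

```python
from collections import Counter, defaultdict
from decimal import Decimal

MIN_GROWTH = Decimal("0.10")  # article: spending up 10% or more each year
NEW_VENDOR_YEARS = 2          # assumption, after the two-year-old flag vendor

# Constructed sample data; vendors, years and amounts are invented.
SPEND = [  # (item, year, vendor, amount)
    ("flags", 2016, "Acme Flags", "30000"),
    ("flags", 2017, "NewCo Flag Supply", "65000"),
    ("flags", 2018, "NewCo Flag Supply", "135000"),
    ("gloves", 2016, "MedSupply", "100000"),
    ("gloves", 2017, "MedSupply", "104000"),
    ("gloves", 2018, "MedSupply", "101000"),
    ("linens", 2016, "CleanCo", "50000"),
    ("linens", 2017, "CleanCo", "56000"),
    ("linens", 2018, "CleanCo", "63000"),
]
INCORPORATED = {  # vendor -> year of incorporation, from a public registry lookup
    "Acme Flags": 1998, "NewCo Flag Supply": 2016,
    "MedSupply": 2004, "CleanCo": 2001,
}
BIDS = [  # (item, year, invited bidders, winner)
    ("flags", 2017, ("NewCo Flag Supply", "Bidder X LLC", "Bidder Y LLC"), "NewCo Flag Supply"),
    ("flags", 2018, ("NewCo Flag Supply", "Bidder X LLC", "Bidder Y LLC"), "NewCo Flag Supply"),
    ("linens", 2017, ("CleanCo", "Bidder X LLC", "LinenWorks"), "CleanCo"),
]


def yearly_totals(spend):
    """item -> year -> total spend."""
    totals = defaultdict(lambda: defaultdict(Decimal))
    for item, year, _vendor, amount in spend:
        totals[item][year] += Decimal(amount)
    return totals


def growing_items(spend, min_growth=MIN_GROWTH):
    """Items whose total spend rose by at least min_growth in every year."""
    flagged = []
    for item, by_year in yearly_totals(spend).items():
        series = [by_year[y] for y in sorted(by_year)]
        steps = list(zip(series, series[1:]))
        if steps and all(
            prev > 0 and (cur - prev) / prev >= min_growth for prev, cur in steps
        ):
            flagged.append(item)
    return sorted(flagged)


def new_vendor_items(spend, incorporated, as_of, items):
    """For the given items, suppliers incorporated within NEW_VENDOR_YEARS.
    Vendors with no registry record are skipped here and need manual review."""
    out = defaultdict(set)
    for item, _year, vendor, _amount in spend:
        founded = incorporated.get(vendor)
        if item in items and founded is not None and as_of - founded <= NEW_VENDOR_YEARS:
            out[item].add(vendor)
    return {item: sorted(vendors) for item, vendors in out.items()}


def excluded_incumbents(spend, bids):
    """Bids where a vendor that supplied the item the year before was not invited."""
    suppliers = defaultdict(set)
    for item, year, vendor, _amount in spend:
        suppliers[(item, year)].add(vendor)
    out = {}
    for item, year, bidders, _winner in bids:
        missing = suppliers.get((item, year - 1), set()) - set(bidders)
        if missing:
            out[(item, year)] = sorted(missing)
    return out


def recurring_bidders(bids, min_bids=3):
    """Companies invited to at least min_bids bids, whether they won or lost."""
    counts = Counter(b for _item, _year, bidders, _winner in bids for b in bidders)
    return {bidder: n for bidder, n in counts.items() if n >= min_bids}
```

<p>None of these tests looks at whether the bid paperwork was complete, which is why they surface what the control testing in this case did not.</p>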
