The Spy and the Construction Scam Spy and the Construction Scam<p>​A Canadian Superior Court judge has sentenced a former construction company executive and informant for the country's intelligence service to seven years in prison for perpetrating Ottawa's "biggest commercial fraud" through his now-bankrupt company, <a href="" target="_blank" style="background-color:#ffffff;">the <em>Ottawa Citizen</em></a> reports. According to prosecutors, Roland Eid hid payables from outside accountants that made ICI Construction appear to be profitable when it was actually losing money. Moreover, Eid shifted CAN$1.7 million in funds from ICI to a personal account in Lebanon, which had been held in trust to pay tradesmen and construction material suppliers. Soon after, Eid fled to Lebanon. In court testimony, Eid claimed his handlers at the Canadian Security and Intelligence Service (CSIS) had directed him to start ICI and encouraged him to use the proceeds from its construction contracts to gather intelligence against Hezbollah, which is linked to terrorism. ICI's 2011 bankruptcy had a cascading effect on Ottawa's construction industry and resulted in the company's financial backer filing for bankruptcy, itself.</p><h2>Lessons Learned</h2><p>This is a complex case in terms of the circumstances of the fraud, its perpetrator, and the various twists and turns of the court proceedings. However, from a fraud and audit perspective, the main lesson learned can be summarized with a venerable piece of advice: Follow the money trail. In that path, there were numerous regulatory, financial, and corporate control failures.</p><p>Fundamentally, Eid abused his CEO position at ICI Construction to deceive his co-workers and employees, suppliers, other contractors, and the Canadian government in order to move CAN$1.7 million from ICI's bank account to his personal account in Lebanon. Here, the list of missing or underused controls that might have detected or even prevented fraud include:</p><ul><li>Strong financial controls within ICI, such as requiring board of directors approval or chief financial officer sign-off for such a significant money transfer. Controls include specific documentation of where the money would go, to whom, the related contractual arrangements, and evidence of any legal/regulatory approvals needed at the receiving end — in this case from the government of Lebanon. Auditors and accountants should have been vigilant and recommended measures to keep funds intact, or even frozen, that should have been held in trust to pay for wages and materials of ICI's ongoing projects (regulatory rules need to do this, too). A lack of transparency around the activities of a primary financier of ICI also was a factor. And fundamentally, a demand of proof from Eid's claim to have secured a housing project contract in Lebanon could have revealed much about his plot at an early stage. Also revealing would be proof of his claim to have sold ICI to the company's controller in order to justify keeping the CAN$1.7 million.<br><br></li><li>Clear contracting industry rules and monitoring — even if self-imposed — of potentially unusual international transactions. This includes the same kinds of documentation requirements mentioned above as well as requirements for regular, transparent financial reporting.<br><br></li><li>A regular review by financial lenders, insurance institutions, and their regulators of their controls over and risk assessments of potential loans to small construction companies. This would exercise a higher degree of caution and scrutiny in their decision-making.<br><br></li><li>Tighter government rules for the movement of money outside the country. In Canada, a federal financial-tracking organization, FINTRAC, scrutinizes international monetary transactions. However, FINTRAC focuses on money laundering and terrorist financing, along with cash transactions coming into Canada valued at more than CAN$10,000. There is a process for filing a suspicious transaction report, but it is voluntary and no one did so in this case. Lebanon does not have equivalent rules, and it does not have an extradition treaty with Canada.</li></ul><p> </p><p>In closing, while Eid's history as a CSIS informant played next to no role during the proceedings before the judge, there may be lessons for national security agencies and large departments that enter into a myriad of construction contracts. Although we may never know what exact role these organizations may have played in aiding Eid and ICI Construction in the pursuance of gathering intelligence on Hezbollah, this objective could have played a part in the awarding of construction contracts. In that sense, they unknowingly may have assisted Eid in his fraudulent aims. Those organizations should be vigilant in balancing national security interests with crime and fraud prevention interests, including through robust vetting of planned intelligence operations and those to be involved.</p><p>​ </p>Art Stewart0
Champions of Trust of Trust<p>​I enjoy watching football (that is, American football, not soccer). Sometimes during the game, when an infraction is committed before the play begins, the referee will throw a penalty flag. The flag often signifies a false start if certain players on the offensive team move before they’re supposed to. At times, there are referees who either ignore the infraction or are passive about making the judgment call.<br></p><p>Internal auditors who sit on the sidelines and fail to call out inefficiency, waste, fraud, or mismanagement are spectators. More commonly, internal auditors are referees, observing the plays that make up the normal course of business operations and blowing a whistle or throwing a yellow flag when circumstances warrant. They are objective in assessing whether a foul or infraction has occurred, but they are in reactive mode — responding to what took place in the past.<br></p><p>The most effective internal auditors are those with enough fortitude to blow the whistle before trouble ensues. They see troubling issues in the formation stage, raise a concern, and take a stand to ensure things are done right.<br></p><p>But, as I discovered years ago, there has to be a high degree of trust between internal auditors and those whom they are cautioning about pending wrongdoing or calamity. Without trust as a basis for engagement, the conversation can become awkward or even polarizing.<br></p><p>Ethics is an area that plays a significant role in my view of outstanding internal audit performance; so much so that I decided to feature ethical resilience as my first area of focus. I’ve been known to characterize ethics as “table stakes” for those wishing to engage in internal auditing. It’s a strong statement, but I stand by it. Internal auditors can’t accomplish their mission without a diligent, unceasing commitment to ethical behavior.<br></p><p>Larry Sawyer, an iconic internal audit author, wrote about the importance of trust in ethical behavior. He wrote, the “key to any profession is the trust placed in it by its clients.” Everyone knows how important ethics are; that’s a foregone conclusion. But I believe that, for internal auditors, ethical behavior is so critical, it goes beyond just a commitment. Outstanding internal auditors do more than just commit to ethics; they model ethical conduct in everything they do by being resilient, even when it may not be a popular stance. They may be tested ethically, but they withstand the challenges to their ethical convictions and bounce back stronger than ever. <br>Obviously, the CAEs who responded to the AEC survey agreed with this view. More than half of them selected ethical commitment as one of the top three traits shared by successful internal auditors.<br></p><p>Reinforcing that viewpoint, the Internal Audit Foundation’s Common Body of Knowledge (CBOK) 2015 Global Internal Audit Practitioner Survey asked CAEs around the world to rate themselves on their perceived level of competency on 10 core competencies, with 1 being “novice” to 5 being “expert.” The survey data indicated that CAEs rated themselves highest in ethics (4.3 overall), which validates my point that ethical resilience is a top attribute for outstanding internal auditors.<br></p><p>Paul Sobel, vice president/CAE for Georgia-Pacific LLC, states it very simply and powerfully: “In our role as auditors, ethics and integrity are the foundation for our ability to provide objective assurance, advice, and insights. In essence, it’s the foundation for our credibility.”</p><p style="text-align:center;">...<br></p><h2>Committing to Ethics</h2><p>As the leader of a global organization that requires compliance with a formal Code of Ethics to serve as a member or hold a certification, I have an unwavering commitment to behaving ethically. At The IIA, we don’t skirt the issue; we believe internal auditors must stand for what is right, adhere to the highest ethical code, and never yield to pressures to bend the rules. An ethical lapse by one internal auditor can undermine trust not only in that individual but also in those around him or her. The higher in the organizational chart the transgression occurs, the more damaging the potential impact. We in the profession must share a commitment to ethics. For the most part, I believe we do.<br></p><p>In most organizations, the internal auditors are perceived as being far more likely to disclose ethical misconduct than to act unethically themselves. But we are human. I will never forget my surprise and disappointment when I viewed the results of a survey of 70 CAEs attending an IIA event a few years ago. One-third of the respondents acknowledged that they had “discovered or witnessed unethical actions” within their own internal audit functions.<br></p><p>Making the effort to clean our own ethical house is important not only in the context of what internal auditors do in their everyday jobs, but also in their role as business leaders. In her book, <em>7 Lenses: Learning the Principles and Practices of Ethical Leadership</em>, Linda Fisher Thornton says getting employees to act ethically is largely driven by their desire to “follow the leader.” If they see top management behaving ethically, desiring to serve others, and making a positive difference, they are inclined to respond in kind.<br></p><p>Organizational commitment to ethical behavior is not just a matter of hosting an “ethics day” or showing a slide presentation during new-hire orientation, although all efforts at communicating expectations relative to ethics are valuable. The most impactful things leaders can do to influence employees are subtler: openly discussing ethical gray areas, acknowledging the complexities that can arise in work situations, treating ethics as an engrained way of behaving, celebrating displays of ethical conduct, showing respect for those with different opinions and difficult personalities, and expecting everyone to meet ethical standards.<br></p><p>These behaviors (at any rank in the organizational chart) should not be difficult. If we think of ethics as a way we interact, collaborate, and create synergies with others, it should be natural to act ethically and expect the same behavior from others.<br></p><p>The results of such behavior can yield unexpected results. Early in my career as a CAE, the chief financial officer (CFO) asked my internal audit team to perform an audit. He had a strong personality and was sure the company was being billed for purchases it didn’t make. He wanted my team to find evidence to support his belief. I sent the internal auditors to conduct the audit and they found no evidence of transgression, which put me in a bit of a tight situation. The support from the CFO and other executives was important and necessary to me, yet I knew that our audit results weren’t what he wanted to hear. By telling him he was wrong, I risked losing both his fledgling trust in the internal audit department and his willingness to use us for future projects, but I knew I had to be straightforward with him. As expected, he did express some disappointment that we didn’t validate his concerns.<br></p><p>Not long after that, he called me to ask my team to do some work in another of his functional areas. After I expressed our willingness to do so, I told him I was surprised he had contacted me for an additional project since I didn’t give him the news he wanted to hear the last time. He responded that my honesty in those circumstances proved to him that my team and I would be fair and objective and he could rely on our work. I don’t think he intended our first encounter to be a litmus test, but it was. Once your stakeholders have a chance to check your ethical compass and confirm that it’s pointing true north, they know they can follow you because you won’t lead them in the wrong direction.<br></p><h2>Ethical Behaviors</h2><p>No one is saying that exercising ethical behavior is easy, but maybe half the challenge is in agreeing on exactly what constitutes ethical resilience. In the AEC survey, we used the following terms to elaborate on what we meant by ethical commitment, and I suspect few would argue with their inclusion:<br></p><ul><li>Integrity — being known for strict adherence to high moral principles.</li><li>Courage — being brave enough, even in the face of professional or personal danger, to do the right thing.</li><li>Honesty — displaying unwavering commitment to dealing in truth.</li><li>Accountability — taking responsibility for our actions and the resulting perceptions.</li><li>Trustworthiness — building a history of ethical behavior that forms a foundation upon which </li><li>people can place their trust.</li></ul><p><br></p><p>Courage especially seems to be a factor in ethical behavior. A number of the survey respondents ruminated on the importance of courage. Take the following comments, for example:<br><br><em>“Inner courage: to follow leads, to follow your gut belief, to professionally confront management and the board, to raise the questions few people want you to raise, to put it all on the line (in terms of taking the risk to do what is right).”</em><br><br><em>“Courage: the ability to express one’s opinion and give advice even when the ideas are not popular or wanted.”</em><br><br><em>“Courage to stand alone, if needed, when tough issues need to be raised to management and the board.”</em><br><br>Courage is what drove Bethmara Kessler, senior vice president, integrated global services, and former CAE of Campbell Soup Co., to select ethical commitment as one of her top two choices in the AEC survey. She explains that courage is a particular challenge for auditors because in her long experience of managing audit teams, she has seen internal auditors sometimes waver in their defense of difficult findings for a variety of reasons: They, like most humans, want to be liked; they want to avoid difficult conversations; they feel the pressure to serve too many masters with competing needs; and they fear their actions may hinder their future career opportunities in the business. But, she remarks, “We have to remind internal auditors that courage is important and they should step forward when they see something. Look at Harry Markopolos, who tried multiple times to break open the Madoff scandal. He just kept going back to the [U.S. Securities and Exchange Commission] over and over to make his point. I’m sure it was not an easy thing to do. It took a lot of courage. In my view, he’s a hero.”<br></p><p>Another internal audit hero who deserves notice is Heidi Lloce-Mendoza, currently undersecretary general for the United Nations Office of Internal Oversight Services, and before that, commissioner and officer-in-charge of the Commission on Audit (COA) of the Philippines. Mendoza came to the world’s attention as a result of a 2002 audit her team conducted that uncovered massive bid rigging by former Makati City Mayor Elenita Binay. Mendoza served as a government witness in some of the antigraft cases filed against the former mayor. In response to her speaking out against the former mayor’s corruption, Mendoza’s home was broken into multiple times and she was the target of threats that required special security protection. Yet, despite her admission that she was still being harassed about her role in the corruption trials 13 years after the fact, when she resigned from the COA in 2015 she indicated that her passion for her work had not abated and she felt “no pain, no trace of regret” for her experiences.</p><p style="text-align:center;">...</p><p><br>Ethical resilience is a trait that not only provides value in and of itself, it also supports the other traits mentioned in this book. Having a firm grip on our own ethical beliefs clears away some of the clutter that can distract us from focusing on desired results.  <br><br><em>Trusted Advisors: Key Attributes of Outstanding Internal Auditors</em> is available at The IIA’s Bookstore.</p>Richard Chambers0
Gifts From Mom From Mom<p>​The former office manager of a Charleston, W.Va. law firm has agreed to plead guilty to charges of embezzling from her employer over a 12-year period, according to <a href=""><em>West Virginia Record</em></a>. Kim Cooper admitted that she deposited checks for attorneys' fees into her own account and used the proceeds to make rent, car, and credit card payments, and to help her children pay for their homes and college expenses. Cooper has cooperated with U.S. federal prosecutors, who filed charges against her in December. She asked a judge to dismiss a lawsuit filed by her former employer against her two adult children, Erin Burkhill and Jeremy Cooper. The suit alleges that the children should have known about their mother's fraud scheme when they accepted money from her.</p><h3>Lessons Le​​arned​</h3><p>Over the time I've been writing about fraud cases for, I've provided lessons learned regarding many variations on the "trusted employee steals money from his or her employer over a period of several years" type of fraud. (For examples, see "<a href="/2016/Pages/The-Tech-Know-how-for-Fraud.aspx"><strong>The Tech Know-how for Fraud</strong></a>,<strong>" and "</strong><a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=3da8278f-5ca0-4c59-810a-c3113aec7149&TermSetId=bb519a46-9cdb-4e10-8446-505034f60087&TermId=e720a24b-dd30-4650-914e-a7bc6c4a34a6"><strong>The School Embezzler</strong></a>.<strong>")</strong></p><p>What caught my eye in this latest fraud news story is this statement: ​</p><p><span class="ms-rteStyle-BQ">"Mountain State Justice's (MSJ) lawsuit alleges that Burkhill and Jeremy Cooper knew or should have known of their mother's embezzlement scheme. Kim Cooper used som​​​e of the embezzled money for homes for herself and her children, as well as college and graduate school for Burkhill, according to the suit." ​</span></p><p>In other words, the two children of the alleged fraudster may have been complicit in the perpetration of fraud.</p><p>We do not have access to the investigative documents in this case, but one would expect the fraud investigation process to have disclosed definitive evidence that substantiates the allegations of family involvement in fraud. This case presents a good opportunity to review the components of a leading practice approach to determining who is involved in fraud. Much of the advice is taken from materials available from The IIA and the Association of Certified Fraud Examiners.</p><ul><li><strong>Use the "Case Theory" approach to investigations. </strong>It is essential that every investigator or prosecutor develop and follow a "theory of the case" when investigating complex corruption and fraud offenses. The Case Theory approach to complex investigations is similar to the scientific method of experimentation. It involves three steps: 1) analyze the available data to create an hypothesis; 2) test the hypothesis against the available facts; and 3) refine and amend the hypothesis until reasonably certain conclusions can be drawn. Expressed differently, the approach begins with an informed assumption, based on the available evidence, of what the investigator thinks may have happened. The investigator then generates an investigative plan to test — prove or disprove — the assumption. The reasoning behind this approach is that both sides of fraud must be examined because under the law, proof of fraud must preclude any explanation other than guilt.</li></ul><ul><li><strong>Move from the general to the specific. </strong>Fraud examinations commence when the full facts are unknown or unclear. Therefore, fraud examinations should begin with general information that is known, starting at the periphery, and then move to the more specific details. Typically, fraud examiners will start by interviewing the complainants or victims. From there, they should order their interviews by moving from the periphery toward those who appear to be more involved in the subject of the examination. For example: neutral third-party witnesses, starting with the least knowledgeable and moving to those who are more knowledgeable about the matters at issue; parties suspected of complicity, starting with the least culpable and moving to the most culpable, based on hypothesis and available information; and the primary suspects of the examination.​</li><li><strong style="font-size:inherit;">Use the fraud theory approach to assess parties suspected of complicity. </strong><span style="font-size:inherit;">Investigators should</span><span style="font-size:inherit;"> focus on acquiring new information — or correcting and integrating known information — to determine whether the hypothesis is provable. If, as in this story, the hypothesis is that family members knew, should have known, or were actively involved in the fraud, the fraud examiner would need to assemble a comprehensive, evidence-based picture of family relationships, particularly concerning financial matters. In asserting that family members "should have known" that money being given to them originated from fraudulent activities, investigators will need evidence that the children had good knowledge of their mother's income, expenses, and lifestyle to support the hypothesis of complicity. If such evidence is available, this would then position investigators to better question the primary suspect, Kim Cooper, about what she knew and did for her children and their knowledge of it. Hopefully, the investigators in this case have done their fraud homework.</span><span style="font-size:inherit;">​</span><br></li></ul><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p><br></p></blockquote>Art Stewart0
On the Hook for Fraud the Hook for Fraud<p>​A Montreal-based online retailer has gone out of business after losing an estimated CAN$50,000 from credit card fraud in only three months in operation, <a href="" target="_blank">CBC News reports</a>. Business owner Vincenzo Lingordo says the company's bank approved the fraudulent purchases, which were missing information such as billing addresses and security codes. Based on the approvals, his company shipped goods to the purchasers' shipping addresses. Even after he had complained to the bank and implemented its recommended fixes to secure his website, the system continued to approve fraudulent transactions and only reported them as fraudulent several weeks later. Lingordo's subsequent tests revealed that the bank's software approved transactions even when he deliberately entered incorrect credit card information or left mandatory fields empty. </p><h2>Lessons Learned</h2><p>This news story represents the battleground between e-commerce technology, consumer convenience, and bank profitability. Squeezed into the middle are small business owners facing an ever-growing threat of credit card fraud. In 2015, in Canada alone, an estimated CAN$500 million was lost to various forms of credit card fraud.</p><p>In Canada and the U.S., banks are pushing merchants to adopt EMV (Europay, MasterCard, and Visa) technology and chip and PIN credit cards, instead of or in addition to signatures. But even where card issuers require PINs instead of signatures, this has not stopped fraud; it has just shifted where fraud takes place. For example, in the U.K., where chip and PIN cards have been used since 2003, card-present fraud — transactions done in person with a card — has declined because thieves are unable to use counterfeit cards with stolen data embossed on them anymore. However, fraud involving card-not-present transactions — that is, transactions by phone or online — has increased. Neither a PIN nor a signature is required when customers use their cards online, so simply stealing card numbers is sufficient to use them for fraud.</p><p>That's bad news for merchants, especially small businesses like Lingordo's, because they — not card issuers such as banks — take the losses for this kind of fraud. Merchants are learning the hard way that credit card authorization by a lender does not mean that the merchant is guaranteed payment. Approval only indicates that at the time the approval was issued, the card had not been reported stolen or lost, and that the card credit limit had not been exceeded. If someone else is using the credit card number illegally, the card holder has a right to dispute the "approved" charges. </p><p>Although merchants are footing the bill for 75 percent of the costs of converting to chip and PIN credit cards, they are not getting any relief from counterfeit fraud expenses. One might think that merchants can thwart card-not-present fraud by requiring cardholders to provide the three-digit security code — the card verification value (CVV) — printed on the back of their card. However, fraudsters can defeat this requirement by obtaining the security codes through phishing attacks that trick users into relinquishing the codes, or by installing malware on a victim's computer or on less secure e-commerce sites and recording the security codes as consumers type them into web forms. It should not be surprising that every market where chip and PIN technology has been adopted has seen a dramatic increase in card-not-present e-commerce fraud despite the use of CVVs. </p><p>Additionally, merchants are responsible for more fraud than ever, including the consequences of having their bank fee rates increased, or losing their accounts with the card companies if their fraud rate gets too high. On the other hand, banks will not take on increased responsibilities for the problem because they have no real solution to prevent this kind of e-commerce fraud and want to guard against increased costs.</p><p>What other preventive methods and procedures can merchants perform to prevent and detect credit card fraud — or limit its impact — especially of the card-not-present variety? It is clear that a merchant should not depend on the credit card company, to prevent fraudulent orders. While not an exhaustive list, using a combination of these methods and techniques may be the best possible defense against credit card fraud:</p><ul><li><p> <strong>Follow the procedures recommended by the merchant's payment processor and the credit card companies.</strong> A merchant can lose its account for failing to follow the payment processor's rules. If a merchant suspects a fraudulent order, it should contact the registration service promptly, so it can reduce the total number of charge-backs. Payment processors are likely to charge merchants higher services fees for a large number of charge-backs.</p></li><li><p> <strong>Use the Address Verification Service (AVS), if available to the merchant.</strong> In the U.S., AVS checks whether the cardholder's address and zip code matches the information at the card-issuing bank. AVS only uses the zip code and numeric portion of the billing street address, and it may fail to reveal a problem such as a recent address change or AVS computers being down. If it does fail, the merchant may decline the transaction. If the company's current merchant account for authorization approval cannot provide AVS, then it can get address verification from the cardholder's issuing bank for most credit card types.</p></li><li><p> <strong>Use card verification methods.</strong> Although these methods are imperfect, they can help prevent fraud, especially in combination with AVS methods. Since most fraudulent transactions result from stolen card numbers rather than the actual theft of the card, a customer who supplies this number is much more likely to be in possession of the credit card. For example, Visa claims that the use of AVS with CVV validation for card-not-present transactions can reduce charge-backs by as much as 26 percent.</p></li><li><p> <strong>Enroll in payer authentication programs. </strong>Programs such as Verified by Visa and MasterCard's SecureCode require use of personal passwords to ensure the identity of the online card user. Additionally, if merchants use these programs, card issuers may incur some of the losses for online fraud that were borne entirely by merchants previously. </p></li><li><p> <strong>Implement real-time authorization.</strong> Real-time authorization sends credit card information to the processor for immediate approval — usually within five seconds. This method ensures that the credit card has not been reported as lost or stolen and that the number is valid. The customer is still in contact with the merchant, and incorrect information can be corrected. However, there is an additional cost for real-time authorization, and it does not tell merchants whether the person using the card is authorized to use that card.</p></li><li><p> <strong>Use the Bank Identification Number (BIN) to determine whether the cardholder and the issuing bank are located in the same country.</strong> Illegitimate users sometimes use a credit card from another country. Merchants can enter the BIN of a credit card number at <a href="" target="_blank"></a>. The site provides the bank name, card type, and a three-character code for the country.</p></li><li><p> <strong>Keep negative and positive historical files</strong><strong>.</strong> Merchants should keep a database of previous fraud attempts, problem customers, charge-back records, and customers receiving refunds. This file should include the customer name, shipping/billing addresses, phone numbers, credit card numbers, IP addresses, email addresses, and merchant comments. This can reduce the incidence of repeat offenders at a relatively low cost. Data potentially can be shared among multiple merchants. Conversely a positive historical file contains a list of good customers such as customers who are eligible for upgrade purchases. Customers who purchased successfully in the past probably will not commit fraud. </p></li><li><p> <strong>Enact fraud scoring and pattern detection.</strong> While a targeted model should catch more fraud, it requires additional time and money to analyze a business and implement the approach, and it may require new software. With fraud scoring, a merchant assigns points for different elements of a transaction (e.g., IP address, free email account, time of day, AVS results, amount of sale, type of products ordered, shipment method, different shipping/billing addresses, and certain zip codes) to generate a fraud score to indicate the likelihood of fraud. The merchant decides what point levels should be used to approve, reject, or review the order. The merchant can adjust these values based on trends and time of the year. </p><p>With pattern detection, merchants can check multiple orders that ship to the same address but use different credit cards. It also can check orders that are placed for an unusually high quantity of a single item. These may indicate that thieves have access to several stolen card numbers. Check whether multiple orders are being sent from the same IP address. If the credit card numbers vary by only a few digits, it is likely these numbers were generated by software. Users who repeatedly submit the same credit card number with different expiration dates often have the card number, but not the expiration date, so they will just keep submitting that number with a different expiration date until they hit the right combination. And speaking of patterns, most fraudulent orders in the U.S. are made between midnight and 2 a.m. </p></li></ul><p> <br> </p>Art Stewart0
The IT Guy IT Guy<p>​A former Expedia IT technician has admitted hacking into company executives' emails and trading on that information to net more than US$300,000 in profits, according to <a href="" target="_blank">his guilty plea in a U.S. federal court in San Francisco</a>. Between March 2013 and April 2015, Jonathan Ly used his network privileges to access devices belonging to Expedia's chief financial officer and head of investor relations and then used the information about upcoming earnings and agreement announcements gleaned from their email messages to make trades in the company's stock before the information became public. Ly was able to continue the scheme even after he left Expedia because he kept a company laptop. </p><h2>Lessons Learned</h2><p>Recently, <a href="/2016/Pages/The-Hedge-Fund-Analyst.aspx">I wrote a column</a> about a fraud case in which a capital management company and one of its hedge fund analysts ran afoul of the U.S. Securities and Exchange Commission's (SEC's) rules regarding insider trading. That column focused on the systematic policies and procedures that organizations need to implement to combat insider trading, including measures to address this kind of fraud when it involves employees and their outside contacts. </p><p>Perhaps the idea that illegal insider trading can be completely eliminated is unachievable. However, building on the "lessons learned" from that column, here are some additional observations and suggested measures to further help detect and prevent insider fraud, as in this news story:</p><ul><li><p><strong>Take away the discretion to trade from the insider, as much as possible.</strong> The most basic and frequent form of insider trading involves consistent patterns of trading spikes in the days before announcements of earnings or significant business developments, such as a merger. Most organizations probably have insider trading policies that place some restrictions on employee trading during blackout periods. However, these policies often only cover senior executives, but not other key employees, such as senior analysts, sales staff, and technology workers who could potentially gain access to sensitive information. CEOs and other top officers typically have very limited periods during the year when they can trade. In addition to the usual blackout periods, they also are prohibited from trading during times when they possess nonpublic material information. In the case of a CEO, that could be quite often. Implementing a more comprehensive ban on trading by the kinds of employees (and their families) who have the greatest potential access to sensitive information could help dissuade potential fraud. </p></li><li><p><strong>Implement automatic share plans, not only for senior officers, but also other employees who have access to sensitive information</strong>. These plans allow employees to sell their shares according to a pre-arranged schedule. The trading decision has nothing to do with the insider and is not necessarily dependent on any event. Automatic share plans also make it easier for employees to exercise their stock options and help companies avoid the perception of questionable trades.</p></li><li><p><strong>Require top officers and key employees to notify the company's chief financial officer or legal department before making a trade. </strong>Although it may not be possible to prevent a particular trade, in combination with careful ongoing monitoring, review of the company's stock trades by an internal watchdog can reveal unusual patterns of activity that may catch inappropriate behavior. And, while internal monitoring is critical, it's also important to have third-party verification by an accountant or auditor to check insiders' holdings at the end of the year and compare these with transactions they reported throughout the year.</p></li><li><p><strong>"Wall off" both sensitive areas of company computers and the email accounts of senior executives to mitigate the high risk of employee and outsider hacking.</strong> This is perhaps the most challenging element of fraud perpetration. Nonetheless, organizations need to continuously invest in and improve controls over IT administrative access privileges to sensitive computers and information, along with the email accounts of senior executives. They also should take measures to prevent the hacking of "passwords" files and credentials associated with IT administrative service accounts. Physical assets such as laptops and computers also must be stringently controlled to prevent unauthorized employee use. </p><p></p></li></ul><p><br></p>Art Stewart0
A Toxic Culture Toxic Culture<p>​The role of the public relations (PR) department is to maintain a positive image of the company and to communicate with those outside the organization. Typically, those individuals skillfully manage perceptions and expectations, but at one company, these skills were used to mask a hostile work environment. </p><p>The department was led by a vice president, Ginger Dahl, who promoted Scott Goss and Roseanne Gray, two of her close friends, to director and manager, respectively. Dahl delegated all staff management responsibilities to Goss and Gray, leaving Dahl with no direct supervisory responsibility over employees except for these two individuals. Goss and Gray were inexperienced in managing staff, had no industry knowledge, and made decisions without staff input or consideration. For example, they initiated an overhaul of a new project methodology that stalled for months because of their lack of direction. Then, when forced to move forward with the project, they rushed to implement it. Clients called daily to voice their concerns over time delays and roadblocks but were dismissed by Goss and Gray without further investigation by Dahl. Staff members who raised questions were reprimanded, and those who approached Dahl were directed back to Goss and Gray. </p><p>When the organization received a hotline complaint regarding abuse of company assets, internal audit was called in to review. The auditors found that the complaint was just the tip of the iceberg. In initial interviews with staff, the environment was described as hostile and toxic. Seasoned staff members who were well-respected and valued by clients throughout the organization were leaving. The most creative and longest-tenured employee in the department was left to work on projects by herself rather than engage with others within the department and given the least important assignments. Several employees were seeing counselors to help them cope with the environment, many were too afraid to do anything, and all were fearful of saying anything that could be perceived as critical. </p><p>The auditors were so shocked by what they heard, they immediately pulled in human resources (HR) and general counsel to collaborate on next steps. The first step taken was putting Dahl on administrative leave. The company assigned an interim vice president and directed all employees not to make any changes to systems or destroy any documentation. As the internal auditors dug deeper and interviewed others within the department — including a few who had left — they found there was an inadequate internal control system. Gray was allowed to hire relatives and directly supervise them. Company policy regarding gifts to employees was ignored. Purchases to clients throughout the organization were made regularly. </p><p>In digging into the time-tracking system, which was used for departmental chargebacks, internal audit noticed that adjustments could be made without an audit trail. Staff noted that their time was regularly changed on projects by the system administrator, an assistant to Gray. Goss and Gray said this was done to better reflect “revenue” from the job.   </p><p>When the auditors turned to the budget, they found numerous overruns. Their analysis revealed what could only be described as a shopping spree of nonbusiness expenses. Upon further review, auditors identified several instances of misuse of company assets. Dahl, Goss, and Gray each had a laptop for home and work, and a separate tablet for meetings. Dahl used company money for personal donations to organizations of her choice that had no affiliation to the organization. There were lavish celebrations totaling thousands of dollars for Gray’s wedding and baby showers. And perhaps the most egregious was the use of company funds for lunches and dinners several times per week, sometimes with their families. The analysis extended over a two-year time frame and the trend was consistent. This was beyond an extravagant routine. </p><p>All of this was possible because no one tracked expenses. The accounting department did not perform budget-to-actual reviews, and the PR department was left to their whim to spend. While a budget was assigned, there was no accountability for adhering to it, as evidenced by several years of overruns. </p><p>After weeks of gathering data, the internal auditors met with Dahl, Goss, and Gray to hear their explanations. They truly believed they had done nothing wrong and seemed shocked that these behaviors were unacceptable. In light of the observations, which were supported with data analysis, HR, general counsel, and senior leadership decided to terminate Dahl. Goss and Gray left on their own within the following three months. The company did not press charges because nothing was done illegally; there was no restitution paid. The company hired an industry consultant to work with the interim vice president to establish and implement internal controls and process improvement within the creative work methodology. Internal audit was asked to work with the consultant on the process improvement, which it did, and internal audit provided a training session on internal controls to the department. Within a year of Dahl’s termination, she had secured a similar position at another organization in the same industry.</p><h2>Lessons Learned  </h2><ul><li>Toxic cultures are often masked by leadership as something else. These environments are very uncomfortable and difficult to navigate. It is worth recognizing that a toxic work environment requires a lot of effort to create and maintain. Consider its purpose and evaluate its impact on the organization’s performance. In the end, these cultures are often designed to protect leadership’s selfish aims and offer no productive value to an organization.   <br></li><li>Critically review turnover data. If a department’s turnover rate is extremely high, that is a red flag. Auditors should ask questions, talk to HR to find out whether there are any employee concerns, and raise the red flag if there are any issues. <br></li><li>Exit interview results should be reviewed regularly. Even in the most fearful situations, those leaving the company will often leave some indication of their frustrations and concerns. In environments where people are afraid, this could offer a significant piece to the puzzle.  <br></li><li>Chargeback systems are great places to hide resources and could be overlooked — they impact only intercompany allocations, not the financial ledger. Consequently, they should be reviewed like any financial system. Examine reports to source documents, check interfaces, and audit IT general controls. <br></li><li>Assess controls over travel and expense reports to see how they are being reviewed and approved. Is there documentation available to support the expenses? Look beyond the controls, as well, and use graphs and charts to trend the data. Often, seeing the information visually is more impactful.  <br></li></ul><p><br></p><p><em>The author is currently working in public accounting in Connecticut and has more than 15 years of experience in internal audit and accounting roles.</em></p>Anonymous1
Milking Money From the College Money From the College<p>​A former University of Missouri (MU) administrative assistant has been sentenced to four years in federal prison after pleading guilty to embezzling more than US$781,000 from the university over a 13-year period, the <a href="" target="_blank"> <em>Missourian</em> reports</a>. Carla Rathmann, an employee in the College of Agriculture, Food, and Natural Resources' (CAFNR's) Southwest Research Center, made unauthorized purchases on a university credit card and charged the university more than US$570,000 by submitting invoices and bills through shell companies. In 2015, new Southwest Research Center Superintendent David Cope noted concerns about Rathmann's purchases. A subsequent internal audit cited her misappropriations as a "key factor" in the closure of the center's dairy operations in 2015. That audit and a separate University of Missouri System audit reported a lack of oversight and accountability within the CAFNR and its 17 research centers. <strong>     </strong></p><h2>Lessons Learned         </h2><p>Those public institutions most vulnerable to fraud, such as the CAFNR, frequently are among the least prepared to defend themselves. This news story, along with two related internal audits, reveals a litany of control, oversight, and accountability issues for which internal auditors and management must exercise vigilance. Key among them are:</p><ul><li><p> <strong>Inadequate financial oversight</strong><strong>.</strong> The audit of the CAFNR found that the remote locations of its agricultural research centers contributed to an environment where one person could have too much control. Rathmann was responsible for nearly all aspects of the finances, including entering payroll, accepting cash and check payments, purchasing with a university credit card, and completing a monthly review of all financial activity. Further exacerbating the problem, the workaround for a lack of resources to provide for adequate supervision and separation of duties was to ask her supervisor to conduct routine reviews of transactions, which frequently fell by the wayside in the face of other supervisory priorities. Rathmann also was able to take advantage of turnover of supervisors.</p></li><li><p> <strong>Poor financial controls over a wide range of processes, including credit cards, inactive bank accounts, invoicing, payments, and time reporting. </strong>Audit work revealed that some people never used their credit cards; others had card limits that were "excessive" for what their job required. Additionally, CAFNR employees did not document their credit card purchases appropriately. The audit said office support assistants didn't always submit receipts, and the financial officer in charge of approving purchases didn't always ask for them. Officers sometimes were not even fully aware of what kinds of purchases should be made with the cards. There also do not appear to have been adequate rules or policies, nor did anyone ask questions when Rathmann faked invoices and bills to the university to pay herself through the shell companies she created. She also faked payments for farm-related items such as propane and hay, and she was able to deposit and withdraw money to and from a bank account opened in 1967 that was supposed to have been closed down. But at the same time, the university did not keep a record of many of Rathmann's university credit card statements and receipts.</p></li><li><p> <strong>A failure to focus on good human resources management practices, including conflict of interest and fraud risk. </strong>Rathmann worked as an office support assistant while she was employed with the university from January 2000 to September 2015 — a long time that enabled her to become highly familiar with the CAFNR's financial systems and processes. Unfortunately, in parallel with Rathmann's long tenure, there were several gaps and turnover in supervisory staff, contributing to a climate where Rathmann was able to get away with stealing and making it more difficult for management to detect her fraudulent behavior. Changes in Rathmann's lifestyle also were overlooked: Despite earning a modest US$15.90 per hour before being fired, she was able to make significant luxury purchases with the funds she embezzled. Rathmann and her husband both falsified their work attendance records, which went undetected. Both Rathmanns were registered agents for the companies she created, and they also made purchases between them, which should have raised conflict-of-interest concerns.</p></li><li><p><strong>Lessons were apparently not learned from a past significant fraud </strong><strong>case</strong><strong>involving similar issues and amounts stolen.</strong> An administrative assistant named Christy Tutin pleaded guilty in 1994 to stealing US$666,755 from the MU Graduate School between 1988 and 1993. However, she was eventually given a short prison sentence, and the circumstances of her case were not widely shared among university staff.</p></li></ul><p> <br> </p><p>CAFNR administrators have agreed to make several changes in the immediate future, including defining who does what in regards to the state and federal grants, new fiscal training for research center staff, and conducting quarterly reviews of the CAFNR Business Office. In addition to these initiatives, I recommend some others:</p><ul><li>Consequences for management and supervisory staff members who fail to undertake adequate measures to detect and deter fraud, particularly where long-term situations are involved.</li><li>A commitment to ensuring that fraud risk assessment, detection, and prevention become an integral part of MU/CAFNR business culture and processes. This should include a commitment to fraud awareness across the organizations and, more specifically, further auditing of the effectiveness of measures taken to strengthen their financial controls and accountability in the wake of the Rathmann fraud case.</li></ul><p> <br> </p><p>As part of the set of measures needed to strengthen MU/CAFNR financial controls and accountability, the organizations should consider restructuring the roles and authorities of the research centers. For example, they should centralize and limit their degree of autonomy where a single employee has too much financial approval discretion, and introduce centralized, automated ways of scrutinizing potentially fraudulent financial and human resource transactions. </p><p><br></p>Art Stewart0
NFL Players Tackled by Fraud Players Tackled by Fraud<p>​An investment adviser who provided services to professional athletes, including members of the National Football League (NFL), has pleaded guilty to wire fraud and filing a false tax return, according to <em><a href="">Forbes</a></em>. Between 2008 and 2013, the adviser converted and misappropriated US$2.9 million from clients and failed to report the misappropriated funds to the Internal Revenue Service. According to court documents, the investment adviser directed his clients to sign an agreement that gave him access to their accounts. He then used that access to divert funds for his own personal benefit. The adviser is scheduled for sentencing in January.​</p><h2>Lesso​​​​​​ns Learned</h2><p>Identity theft, tax fraud, and wire fraud in professional sports, not just the NFL, may be more prevalent than one might think. In the last year alone, there have been several high-profile, large​ dollar fraud cases involving players in the NFL, Major League Baseball, National Hockey League, and other professional sports organizations. Professional athletes may be one of the more vulnerable target groups for fraud, given their overarching dedication and time devoted to their chosen sport, as well as a strong desire to accumulate and maintain their wealth for a less certain future once their professional careers are over.</p><div>The <em>Forbes</em> news story includes several helpful tips to guide individuals toward enhanced basic protection against identity fraud. But alone, these are not enough to ward off the kind of exploitation seen in the NFL case. Here are suggestions for additional measures to help detect and deter professional sports industry fraud.</div><div><br></div><div><ul><li>Take a closer look at strengthening codes of ethics for professional sports. These codes tend to predominate in areas where government is involved, such as the Olympics, but are less consistently in place across the spectrum of professional sports. Where they do exist, codes of ethics tend to focus on issues of cheating, as well as the health and physical safety of athletes. Protection of the financial security of professional sports players should be an additional consideration. Moreover, owners, sports associations, and others in the sports industry could consider measures aimed at better self-regulation, addressing appropriate expectations of behavior for sports agents/financial advisors. Such groups, for example, could establish a registry of accredited individuals and companies whose track record has been validated against established standards and competencies.<br></li><li>Government needs to keep increasing the pressure on those intent on committing identity theft, tax fraud, and mail fraud, through public awareness campaigns, changes in the design of tax administration security and processes, and further efforts at targeted enforcement. Many countries use a combination of intelligence gathering, risk analysis, risk profiling, and data matching to detect cases of tax fraud and/or money laundering that involve identity theft and identity fraud. Data matching and other information sharing activities between tax authorities and other government agencies are also used to detect and investigate this type of suspected activity. In the U.S., the Department of Justice, Securities and Exchange Commission, and Internal Revenue Service (IRS) all have recently either introduced new measures and/or prosecuted and publicized related fraud cases. In particular, the IRS Criminal Investigation division’s Questionable Refund Program and Return Preparer Program focus on identifying and stopping fraudulent tax refund claims schemes. These schemes often involve hundreds of returns, with refunds totaling hundreds of thousands or even millions of dollars of revenue. Investigating and prosecuting those responsible for these ambitious schemes ranks among the programs’ highest priorities. Incorporating the professional sports industry within the scope that priority could help uncover wrongdoing like the income tax and wire fraud scheme, as well as serve to further deter other would-be fraudsters.​<br></li></ul></div>Art Stewart0
The Hedge Fund Analyst Hedge Fund Analyst<p>​Artis Capital Management and one of its senior research analysts have agreed to settle charges of failing to detect insider trading by one of the hedge firm's employees, according to <a href="" target="_blank">Bloomberg BNA</a>. The U.S. Securities and Exchange Commission (SEC) had earlier charged Matthew Teeple, an Artis research analyst covering networking technology, with using his industry connections to trade on material information not available to the public. According to the new charges, Artis should have recognized the substantial risk that Teeple's interactions with technology sources created and should have established procedures to prevent the specific misuse of information in this case. Moreover, the SEC found that Teeple's supervisor, Michael Harden, did not question Teeple about the source of his information or request that the company's chief compliance officer investigate the issue. Teeple is serving a five-year prison term.</p><h2>Lessons Learned</h2><p>Many readers know that U.S. law requires, and regulators expect, firms to have robust compliance, supervisory, surveillance, and control measures in place to prevent and detect insider trading — which appear to be almost entirely absent in the case of Artis Capital Management. Readers may not know that regulators can bring enforcement action for the failure to have an adequate insider trading prevention program — even if no insider trading has occurred. This story references many of the gaps in Artis' controls over insider trading, such as a lack of policies and measures to track interactions between its employees and their contacts, and lacking requirements for filing research or other reports on such interactions. But what is an appropriate approach to guide companies, employees, and auditors toward an adequate insider trading prevention program?</p><p><strong>1. Establish clear expectations throughout the organization regarding appropriate behavior around insider trading, including through a robust policy.</strong> This includes:</p><ul><li>Senior management demonstrating that it is committed, knowledgeable, and conversant in the steps the firm is taking to combat insider trading. This should include board- and executive-level restrictions such as prohibiting executives from pledging, hedging, short sales, and similar activities. </li><li>The deployment of appropriate personnel, IT, and other resources to focus on prevention, detection, and compliance. </li><li>Policy restrictions, requirements, and responsibilities for employees based on role and level. For example, employees may trade only after being given pre-clearance to trade, and blackout or holding periods may apply. The policy also should provide company-specific examples as to what could be deemed "material nonpublic information" — both positive and negative — and guidance related to gray areas such as communicating with relatives and friends, and information shared with third parties, including potential merger/acquisition targets. </li><li>Whistleblower mechanisms and appropriate training of all employees as part of the policy.</li></ul><p><br></p><p><strong>2. Undertake and evaluate a thorough inventory of sources of material nonpublic information to fully understand the inflow and outflow of information to and from the company.</strong> Part of the evaluation of this inventory should include a risk assessment and ranking of the highest types of sources of potential insider trading. Review the inventory periodically to make sure important developments have been identified and incorporated. Primary sources include:</p><ul><li>Research consultants.</li><li>Vendors, third-party providers, companies that are potential merger/acquisition targets, and corporate executives with whom the firm conducts meetings. </li><li>Investment advisers and portfolio companies to which the firm or its employees or principals are economically connected through a firm investment, personal investment, etc. Also, brokers with whom employees have significant gift and entertainment activity.</li><li>Employee-disclosed personal relationships, employees with board seats on outside entities, former employers of current employees, and current employers of former employees. </li><li>Fund investors.</li><li>Securities transacted around the time of a corporate announcement or that recently had a significant price change around the time of a firm transaction in such an issuer's securities.</li><li>Issuers identified through post-trade surveillance reviews. </li><li>Portfolio companies, other advisers, or other third parties that use the firm's physical premises or network.</li></ul><p><br></p><p><strong>3. Implement an enterprisewide control structure to monitor and promote compliance.</strong> Rank the possible sources of material nonpublic information according to the risk that each creates for the company, and tailor the controls over the source based on the risk. Higher risks may likely require more surveillance and monitoring, while lower risks may rely on training and certification.</p><ul><li>Implement controls covering the use of restricted lists, blackout periods, and pre-clearing requirements/procedures for employees based on their role and level within the organization; controls on blackout/no-trading periods tailored to the type of event, and requiring employees to pre-clear trades by leveraging technology solutions; establishing minimum holding periods and having information barriers in place. For example, debt restructurings should be referred to appropriate walled-off individuals for evaluation. </li><li>Put in place specific controls for high-risk areas, such as the use of "experienced consultants" or "expert panels." Examples include indicating the company's intention not to receive material nonpublic information from an expert, documenting and supervising the use of expert consultants and resulting trading, and reviewing the use of expert consultants and trading. </li><li>Similarly, tailor surveillance based on risks specific to the firm and to managers and traders. Design procedures to effectively detect potential incoming or outgoing material nonpublic information, high-risk relationships, compensation provided or received for such information, and related trading activity. Review firm trading, client trading, and personal trading activity of employees as part of surveillance activities. Some key activities that should be included are post-trade surveillance for specific events such as public announcements, price spikes, and profits; scrutiny of email and other communications about particular stocks for particular employees; and phone log surveillance to determine with whom employees are speaking. </li><li>Once surveillance measures are in place, investigate any indications of aberrant trading to identify whether the trade was made while in possession of material nonpublic information. Take action if the investigation reveals a violation of the firm's compliance policy. Look for patterns by individuals or in particular units. Follow-up rapidly and consider the root cause of problems.</li></ul><p><br></p><p><strong>4. Adopt technology to help leverage controls, monitoring, and surveillance coverage both by restricting the transmission of material nonpublic information and by automating trade review.</strong></p><ul><li>Use information barriers and data security to create a barrier between material nonpublic information and those who should not have access to it. </li><li>Electronic communication surveillance should include testing to identify incoming or outgoing material nonpublic information and patterns and relationships of interest, whether via e-mail, telephone logs, calendar entries, messenger software, business information sources, Bloomberg terminals, or social networking sites used on company networks. </li><li>Restrict trading activities through pre-trade review and approval technologies such as order management configuration rules. For example, require additional approvals for trading watch-list securities. Control employees' personal trading by using pre-clearance software that scans potential trades against the firm's restricted list, fund trading activity, holding periods, black-out windows, and minimum thresholds. </li><li>Test trading activity through automated electronic feeds from brokerage firms and use post-trade surveillance technologies to identify trading in securities where material nonpublic information may be known. Use automated rules or statistical algorithms to identify trading activity patterns that may indicate the use of material nonpublic information based on multiple risk factors, including timing, capital at risk, and performance. </li></ul><p><br></p>Art Stewart0
Blurred Lines Lines<p>​Peter Singer, the head of a marketing department at an event company, was retiring but agreed to stay on for six months to transition the new department head. On day two of the transition, the incoming department head called the CAE and left a voicemail message saying something odd was going on and urged him to take a look. </p><p>During the investigation, the CAE found that Singer purchased marketing services from a vendor to support revenue targets for a specific product. Although that seemed reasonable, the audit also revealed that Singer was holding US$500,000 in late invoices from the vendor, a significant amount to the company. Some invoices were overdue by 18 months, well past the typical 45-day average pay cycle. The vendor representative sent numerous emails to Singer complaining about the invoices. </p><p>The invoices were being paid increasingly late beginning several years earlier, when the budget for this marketing service was reduced by US$400,000. This was due to the belief that the vendor’s services were less useful as the product became more established in the marketplace. If the invoices had been paid timely, Singer would have been over budget. The invoices were never sent to accounts payable, as Singer asked the vendor to send the invoices directly to him. In addition, Singer never disclosed these commitments during the monthly financial close process. </p><p>Singer sent emails requesting that the vendor reduce the amounts of the invoices so that he could avoid additional approvals. The vendor complied by splitting invoices. Singer also developed a close personal friendship with the vendor representative — they would often go on trips together with their spouses. They were so close that, when Singer’s wife lost her job two years earlier, the vendor representative offered her a position at his firm. </p><p>As seemingly fraudulent events like this are investigated, internal auditors are often quick to look for the motivations and benefits to the perpetrators. Although the situation unraveled with a lot of juicy, and often irrelevant, tidbits of information along the way, management wanted internal audit to focus on one question: Why did Singer do it? </p><p>After hundreds of hours of research and several hours of interviews, internal audit was left with a troubling assessment of Singer’s behavior. He had committed fraud. He lied to the company about spending money with the vendor by making it appear that he was on budget, evidenced by the outstanding invoices. He was aware of these outstanding invoices, as they were piled up on his desk. He worked hard to circumvent internal controls for authorizing and recording the invoices, and the vendor representative conspired with him to circumvent company authorization limits. Because of this activity, the company had a US$500,000 debt for services it did not authorize, value, or want.  </p><p>In the end, there was no direct and convincing way to prove that Singer received any benefit from the vendor. In the eyes of management, this made the behavior much less grievous and “not quite fraud.” Internal audit was able to convince management that Singer intentionally circumvented internal controls to conceal the budget overrun, so he was asked to leave a few months earlier than planned. Consequently, management changed the policy to have all invoices sent directly to accounts ​payable to avoid future errors. However, management paid the outstanding invoices without confronting the vendor about its part in knowingly evading internal controls.  </p><p>The absence of a clear-cut villain stealing from the company left management wondering what the concern was about. As a result, management sent a muddled message about what is acceptable and missed an opportunity to strengthen the company’s defenses against future fraud.  </p><p>Fraud investigations are often the most intriguing part of an internal auditor’s job. You have villains, who break rules and selfishly benefit to the detriment of the organization. Until someone catches on, that is.  </p><p>However, the reality is not always so clear cut. In fact, it could be argued that the villain situation is rare. In many cases, a confused individual takes a few small steps across the line of good judgment and winds up entangled in rationalizations and good intentions. As things progress, this person hears the chirping of his or her conscience that something isn’t right, but the warning is distant and the words are muffled. In the end, the employee is baffled as to how his or her actions were perceived so negatively. The individual knows he or she could have done things better, but can’t believe the situation is being taken so seriously. Termination? Fraud? The employee is shocked by the possibility, and many times will utter the words, “But I didn’t steal.” </p><p>It is always difficult to see ordinary people fumble into bad situations. And organizations are not always prepared to handle these situations, which leads them down a messy road of uncomfortable conversations, half measures, and lackluster support.</p><h2>Lessons Learned</h2><ul><li>Organizations need to establish a clear perspective on how they want to approach fraud and its many faces. A strong fraud policy describes what the company perceives as fraud and lays out the expectations for investigation and resolution. Without a policy, fraudulent activity is often addressed by management based on the biases and perspectives associated with each unique instance.  <br></li><li>Internal audit should use these situations to improve the organization’s fraud perspective. Fraud is often interpreted and managed differently across organizations based on corporate culture and understanding of internal control. Although frustrating for those involved, management’s lukewarm support may be the most valuable observation from this scenario. It is an indication that there is significant work to be done to improve internal control awareness at the top of the organization.    <br></li><li>Internal audit has the expertise, perspective, skills, and independence to lead in these situations. Expecting others to share a clear vision of murky fraud cases is not always realistic.​<br></li></ul>Bryant Richards016

  • MNP_Tech-Consulting_Feb2017_Prem 1
  • IIA COSO-OnDemand_Feb2017_Prem 2
  • IIA Quality_Feb2017_Prem3



Six Steps to an Effective Continuous Audit Process Steps to an Effective Continuous Audit Process2008-02-01T05:00:00Z2008-02-01T05:00:00Z
Lessons From Toshiba: When Corporate Scandals Implicate Internal Audit From Toshiba: When Corporate Scandals Implicate Internal Audit2015-07-27T04:00:00Z2015-07-27T04:00:00Z
Understanding the Risk Management Process the Risk Management Process2007-05-01T04:00:00Z2007-05-01T04:00:00Z
Managing an Internal Audit Career: How Do You Know When It’s Time to Go?’s-time-to-goManaging an Internal Audit Career: How Do You Know When It’s Time to Go?2015-03-30T04:00:00Z2015-03-30T04:00:00Z