When the Bill Doesn't Add Up<p>Big Boy diner franchisee Frisch's Restaurants Inc. has filed suit against a former accounting executive for allegedly embezzling more than US$3.3 million from the company, the <a href="" target="_blank"> <em>Cincinnati Enquirer</em> reports</a>. An internal audit in December discovered cost discrepancies between the company's credit card transaction records and those of the company's assistant treasurer, Michael Hudson, who had worked at Frisch's for 32 years. Hudson then resigned a few minutes before a meeting to go over the discrepancies. Following an investigation in January, Hudson admitted to stealing the money. Although Hudson said he had lost all the money gambling, Frisch's investigation found that he had made large withdrawals from his personal accounts at a Cincinnati area casino and had purchased more than US$400,000 in land, vehicles, and jewelry.</p><h2>Lessons Learned</h2><p>It might be tempting to focus on the specific circumstances, severity of impact, and prospects for recovering losses from a multiyear fraud against a mid-sized local company. However, although I am not familiar with the corporate history of Frisch's, I suspect the bigger lessons may relate to those companies that start small then grow much bigger, but do not pay sufficient attention to implementing the internal controls and processes essential to protecting themselves from fraud.
Such companies may be particularly susceptible to fraud by long-serving employees who have been granted unconditional trust.</p><p>Those controls, which frequently are referenced in the pages of <em>Internal Auditor</em>, include: </p><ul><li>Ethics and financial management policies that state clear expectations for employee behavior.</li><li>Appropriate segregation of authorities and duties, especially to limit senior officials from sole or unchecked control and access over large sums of money.</li><li>Accounting systems that integrate monitoring and reporting routines to flag unusual, recurring, and large transactions for further scrutiny.</li></ul><p>Perhaps most importantly in the context of this story — and maybe unfortunately for what lies ahead for Frisch's board of directors, CEO, and chief financial officer — is the question of the strength of the company's governance and control regime. To be effective, that regime must include directors who regularly ask and get satisfactory answers to penetrating questions about the company's operations and financial health. It also requires a senior executive team that is rigorously focused on balancing business interests and profits with maintaining high standards of ethical corporate behavior. </p><p>One additional essential element of an effective corporate governance and control regime is a strong, independent internal audit function — or its equivalent — that systematically and objectively assesses and advises the board and management on what the organization's people and processes are doing against expectations. The IIA's practice guide, <a href="" target="_blank">Assessing Organizational Governance in the Private Sector</a>, provides examples of what internal audit needs to examine.
Without such a review, it is doubtful that an organization of any size could realistically expect to avoid the kinds of problems illustrated in the Frisch's case.</p>Art Stewart
An “F” for Fraud<p>The Chicago Public Schools (CPS) inspector general alleges that a former employee stole more than US$870,000 from the district through a fraudulent billing scheme, <a href="" target="_blank"><em>The Chicago Tribune</em></a> reports. According to the inspector general's annual report, an employee at Clark High School conspired with co-workers and vendors to submit fake reimbursements for purchases and file fake purchase orders between 2009 and 2013. The employee also allegedly received kickbacks from vendors for fraudulent purchases from companies. The employee has since resigned, and CPS is moving to bar the companies involved in the scheme from doing business with the district. A criminal investigation is underway.</p><h2>Lessons Learned</h2><p>As this story and the related 2014 Annual Report of the CPS inspector general observe, a wide range of fraudulent activities occur in school systems on a regular basis. The latter report reveals that the top complaints — from about 1,300 filed in 2014 — related to residency, inattention to duty, contractor violations, tuition fraud, and misappropriation of funds. I have not found any report that quantifies the total impact, but if the level of malfeasance found in the CPS case were replicated across all the school boards throughout the United States, it could total more than US$1 billion a year — a significant waste of taxpayer dollars and an affront to trust in public institutions.</p><p>Typically, boards of education in the United States have some kind of fraud prevention and detection policy in place that requires all employees, school board members, consultants, vendors, contractors, and other parties maintaining any business relationship with the district to act ethically, with due diligence and in accordance with all applicable laws.
Boards assign a superintendent or equivalent leadership position responsibility for developing internal controls, policies, and procedures to prevent and detect fraud, financial impropriety, or fiscal irregularities within the district. They also expect every member of the district's administrative team to be alert to any indication of fraud, financial impropriety, or irregularity within his or her areas of responsibility. Further, school boards usually have an accountability requirement: District employees who suspect fraud, impropriety, or irregularity in relation to fiscal or other resources are expected to report their suspicions immediately to their supervisor or the superintendent, who then is responsible for initiating necessary investigations and taking appropriate action, if warranted.</p><p>However, an inevitably complex patchwork of state and district regulations, combined with ongoing budgetary constraints and governance regimes that often rely on local and volunteer resources, among other factors, makes it difficult to consistently implement an effective fraud prevention and detection regime. Based on a review I conducted of several different state and school district oversight and audit reports, here are some targeted suggestions to help make these regimes more effective:</p><ul><li> <strong>More thorough school board governance. </strong>Increasing dissatisfaction with the governance of school boards can be found in numerous news stories and state/district inspection/audit reports, particularly related to significant fraudulent activities uncovered in many school districts across the United States. Despite the important role that school boards play in governing schools across the country, virtually no empirical research exists that examines the governance structure — and its effectiveness — with respect to the board's responsibility to address fraud issues.
Although several school board inspection reports I found pointed out that external audit programs were legally mandated, few districts had internal auditors and audit committees. School district governance is a partnership between the school board, the school organization, and the community it serves. Two specific measures that should be considered are 1) more comprehensive board education on responsibilities and strategies related to fraud and auditing; and 2) more consistent structuring of board audit committees and related internal audit activities, even if they are part of a larger finance committee and supported by volunteer resources. Once these measures are in place, the board then should actively oversee implementation to ensure they are working well.</li><li> <strong>Consistent, mandatory codes of conduct and ethics training. </strong>Statewide oversight reports I examined often noted that ethics training for teaching and administrative personnel existed but was not applied consistently across districts. The adoption of a code of ethics for all school system staff was rarer still. School leaders also should be educated concerning appropriate actions in common fraud prevention areas. They need to understand the importance of internal auditing, know the language in local policy, and rigorously follow up.</li><li> <strong>Strengthen internal controls, especially over the most fraud-susceptible risk areas. </strong>Another consequence of budget stresses and a reliance on external auditing, complaints, and whistleblower-driven processes to deal with fraud is that schools are often behind the curve in preventing and detecting fraudulent activities. Inspection reports frequently provided recommendations, but typically only related to the disciplining of employees or contractors, and far less often in relation to the controls or procedures that should be changed or improved.
In addition to educational and accountability-related measures, school districts should undertake regular assessment of risk-prioritized fraud activities and direct their targeted prevention and detection efforts to those areas. Given the kinds of fraud, such as employee theft, documented in the Chicago Public Schools case, some specific control measures to consider include: 1) spreading financial approval authority across more than two employees, and 2) increased monitoring and scrutiny of frequent bidders and contractors for school supplies and services. To help avoid the potential for "stringing" contract bids — falsely splitting an overall contract amount into smaller pieces to avoid limits on noncompetitive contracting — school boards should consider either lowering the dollar limit or eliminating it entirely.</li></ul>Art Stewart
Too Good to Be True<p>Investment fund company F-Squared has admitted to defrauding its investors and will pay a US$35 million fine to the U.S. Securities and Exchange Commission (SEC), <a href="" target="_blank"> <em>Fortune</em> reports</a>. F-Squared is the biggest exchange-traded fund (ETF) company, a class of fund traders that use computer models to forecast when their clients should buy and sell ETFs. The SEC says F-Squared had advertised its investment strategy as being based on historical returns, but those returns were actually based on a computer model devised in 2008. Moreover, the SEC says the company's founder, Howard Present, was aware that the computer model had an error that caused it to overinflate its performance, but he never investigated the error. Present stepped down as F-Squared's CEO in November.</p><h2>Lessons Learned</h2><p>Fraud has been an issue since the inception of online performance marketing, once labeled as "innovative business practices." In the past few years, as the ETF and performance marketing industry has grown by leaps and bounds, it has become the target of increasingly sophisticated fraudsters, both from within and outside of its firms. Fraud committed against investment companies, investors, and consumers arguably undermines the industry due to increased regulatory scrutiny and enforcement that ultimately chases off investment dollars and forces firms to redress financial losses.</p><p>There have been continuous calls for organizations and investors to implement a fraud protection system, greater regulations — including some who call for an outright ban on investment performance marketing — and auditor scrutiny. Beyond these demands, what can be done to prevent and mitigate this kind of fraud? Auditors should reinforce an overall need for a proactive, self-regulatory culture, covering both the investment industry and investors, that implements best practices and aggressive fraud-prevention solutions.
There are three key elements to such a culture:</p><ul><li> <strong>A continuous improvement approach to the educational and professional requirements of and compliance by those working in the investment industry. </strong>There are many different standards in the advisory world, and some differentiation is needed. However, primary focus needs to be placed on the investors and their changing situation and requirements. The importance of asset mix and what is and what is not appropriate for any investor — including the need to address changing risk levels — is a dynamic process. Most small investors do not have regular reviews of their portfolios and their advisers often are not qualified to address this issue. Instead, advisers recommend funds on past performance — as in the F-Squared case — which statistics show is the worst thing one can do. Education and certification standards should include explicit requirements for investment disclosure and reporting. Auditors should have a role in examining whether standards are robust and being complied with across the industry.<br><br></li><li> <strong>Investor responsibility, supported by the investment industry.</strong> Investors should be responsible for ensuring they are dealing with a reputable financial adviser, just as they would ensure they are seeing a good dentist, doctor, or attorney. Education can help investors protect themselves from marketing abuses. This could include requiring investment institutions to provide essential investor training. Before being accepted as investors, individuals should sign off that they clearly understand the risk of absolute loss they are taking, or alternatively they should be encouraged to invest in products that are conservative and balanced. 
Investors also must understand investment returns and how they are measured, rather than equating annual returns with annualized returns, or subscribing to similar metrics used to market funds.<br><br> </li><li> <strong>Adequate and meaningful disclosure of investment risks and results.</strong> Certain key information regarding investment decisions, risks, and expected results should be available to investors in clear and concise language, rather than in fine print, footnotes, and thick, legal jargon-filled documents that aren't read, understood, or complied with. In the context of the F-Squared case, it is worthwhile to consider the Chartered Financial Analyst (CFA) Institute's <a href="" target="_blank">Principles for Investment Reporting</a>. In particular, the CFA's principle 4 — clear and transparent presentation of investment risks and results — states that effective investment reporting reflects these qualities: <ol><li>Historical information presented in the investment report is not changed without disclosure to the user. </li><li>The investment report is a fair representation of the investments made, results achieved, risks taken, and costs incurred. </li><li>The investment report is relevant and appropriate for the purpose stated and the assets and investment strategies being presented. </li><li>The investment report provides appropriate comparative data — such as index data, a customized benchmark, peer group data, or a Global Investment Performance Standards composite — to allow the report user to assess the relative performance of the investments. </li><li>The investment report provides information on investment risks that have been experienced and are expected, including changes to assumptions previously adopted. </li><li>The investment report reflects the impact of taxes in general and the impact of taxes on performance, where germane.</li></ol></li></ul><p>Before an investment is made, a joint sign-off by the investment company representative and the investor that both investments and investment reporting will reflect these clear principles could contribute to preventing and mitigating related fraud activity.</p>Art Stewart
Plot to Defraud<p>Sam Associates, a real estate development company located in Pakistan, hired Shamool Khan as a receptionist/office assistant when the company was first established. He was hard working, educated, and had excellent communication skills. After successfully completing several assignments ahead of schedule, he came to earn the trust of the business owners and was eventually promoted to general manager. This gave him the opportunity to learn exactly where the internal control weaknesses lay.<br></p><p>In winter 2011, Sam Associates' owners discovered, through an employee complaint, that Khan was abusing his power and embezzling funds from the firm with help from his co-workers. During his two years with the company, he had issued bogus cash installment receipts to customers and misappropriated firm funds to the amount of Rs4 million (the equivalent of US$47,000).<br></p><p>After climbing the company ranks, Khan’s first major project was a low-cost housing development that met strict quality standards and the needs of low-income households. Sam Associates acquired 1,500 kanals (approximately 188 acres) of land and planned to develop approximately 1,200 kanals (150 acres) of it. Several firm partners had made personal investments contributing to the project.<br></p><p>As a trusted employee, Khan was uniquely positioned to run an embezzlement scheme. Traditional business controls, such as separation of accounting duties, delegation of authority, system access, and administrative approvals, were not prescribed in the early phase of the business.
Khan also wasn’t monitored by the firm owners, which enabled him to undertake enormous fraudulent activities by taking advantage of several internal control weaknesses:<br></p><ul><li>Lack of appropriate authorization for commission disbursements.</li><li>No clearly defined lines of authority, roles, or responsibilities.</li><li>No independent checks on performance.<br></li><li>Inadequate documentation policies.<br></li><li>Management override of internal controls.<br></li><li>A willingness among employees and third parties, and lower level employees and management, to collude to circumvent controls.<br></li><li>Insufficient written policies and procedures to direct department processing.<br></li></ul><p>To help sell the plots of land, Sam Associates used dealerships — loosely defined principal-agent relationships — which are an integral part of commercial real estate activity in Pakistan. Sam Associates did not follow consistent policies concerning commission, returned plots, and recovery of commission. The commission to dealers was supposed to be paid to the dealers in three stages: after initial deposits, after each monthly installment, and after the final lump-sum payment. But instead of commissions being paid in stages, they were paid in full upon the initial deposit.<br></p><p>Dealers were allowed to charge varying commission under each plot sale arrangement. This provided opportunity for dealers to defraud the firm by collusion with Khan. The records were made to appear as if the first dealer — who received a lower commission percentage — returned the plot to the firm. The plot was then sold by a second dealer, who usually charged a higher commission. In the process, accounting department employees colluded with dealers and received a percentage on the second sale. Because there was no policy to recover commissions already paid to dealers, the firm sustained significant commission loss on returned plots. 
As a part of the sale agreement, the dealers also took responsibility for helping collect payment from customers. But practically all monthly installment payments were collected late and, in many instances, initial deposits were not fully paid. Land plots were sometimes booked on partial deposits and commissions were then paid in full.<br></p><p>Accounting department employees also colluded with Khan to create fake dealer identities in the accounting system. Khan himself was selling plots to customers, channeling dealer commissions through these fake dealers, and keeping 100 percent of the commissions. A junior accountant was responsible for collecting, recording, communicating, and depositing funds for cash and credit collections. The application-level controls in place gave the accountant access rights that permitted him to enter, approve, and review transactions.<br></p><p>When a newly appointed accounting employee tipped off management to Khan’s scheme, an investigation determined that Khan abused his authority, organizational powers, and managerial control. He spent lavishly and lent company money to his co-workers. During his employment, two more obvious warning signs were overlooked within the company: unexplained margin erosion and cash flow problems. He extracted cash from the firm’s coffers by issuing phony receipts and counterfeiting documents, and then pocketed the money. The embezzlement and asset misappropriation schemes continued for almost two years, with the help of two of his colleagues. The owners were shocked and devastated to discover just how extensively their trust was violated by one of their key employees. By the time Khan’s scheme was exposed, it was too late. He and his accomplices had disappeared.<br></p><p>Sam Associates management took the matter to the authorities. During the civil and criminal proceedings against him in absentia, Khan and his accomplices were found guilty. 
Police are still looking for him.<br></p><h2>Lessons Learned</h2><ul><li>When an employee exhibits lifestyle changes, it should be a red flag. Going from a modest lifestyle to a lavish one can be an indication that the individual is stealing from the organization.</li><li>Absent or weak internal controls are an invitation for fraud. A set of internal control procedures can help safeguard company assets, ensure adherence to company policies, and promote efficiency and disclosure of reliable financial information. Many internal controls are neither time-consuming nor expensive to put in place, and their benefits can be significant. </li><li>Segregation of duties is an integral part of operational control and can deter collusion among employees. Because frauds with collusion are more difficult to detect, companies should have whistleblower hotlines for reporting indiscretions when employees see them. </li><li>Lack of management review weakens detection of employee misconduct. Management should maintain documentary evidence of its review and approval of all financial information to demonstrate that it has retained effective control over its financial information.</li><li>Regular disbursements, such as commissions, should not be allowed without applying regular authorization processes and closely watching all exception cases.</li><li>Customer control accounts should be regularly monitored and reconciled at least monthly. Any discrepancies should be investigated adequately.</li><li>A fraud policy gives the perception among employees that management is serious about deterring fraudulent behavior. It should make clear that violators will be terminated and prosecuted.</li></ul>Syed Zubair Ahmed
What Segregation of Duties?<p>The former chief financial officer (CFO) of an Indiana township took advantage of his position to embezzle more than US$300,000, fueling a spending spree that included a new house, a pickup truck, Caribbean vacations, and jewelry, the <a href="" target="_blank"> <em>Indianapolis Star</em> reports</a>. Alan Mizen was the township's CFO from 2001 to 2011. According to an audit by Indiana's State Board of Accounts, Mizen had authority to write and sign checks, and also balanced the township's books and wrote its annual report. This enabled him to cut a check for US$343,541 to a fictitious attorney general's account, fake an invoice in the accounting system, and then deposit the check into a bank account he had created. Mizen has pleaded guilty to federal corruption charges.</p><h2>Lessons Learned</h2><p>The amount of money embezzled in this case (less than US$500,000) may seem relatively small compared to many other fraud incidents I have written about in previous columns, but the potential impact of fraud committed by local government public officials is enormous. U.S. census statistics indicate that there are more than 16,000 different civil townships, each with its own governance, authority, and accountability structure. At the heart of this case is an almost complete lack of controls over the activities of the Center Township government's CFO during a period of several years, as noted by an Indiana State Board of Accounts audit.</p><p>In numerous other articles, I have shed light on some of the main types of controls and measures that internal auditors should be aware of and use in their work to combat this kind of fraud, including those intended to address gaps in internal controls over financial management, a lack of segregation of duties, and inconsistent background checks on employees.
Auditors also need to be vigilant about fraud "red flags" such as changes in an employee's lifestyle that involve significant increases in personal spending on luxury items. For cases involving local governments, it is important for auditors to periodically review the adequacy of the basic governance and authority regime intended to direct the behavior and activities of officials and employees, as well as how well they are being followed, particularly by the lead trustee and the treasurer. </p><ul><li> <strong>The Trustee</strong>: The duties and obligations of county/township officials vary widely from state to state and from one local government to another. For example, in some places, the county trustee has additional duties such as maintaining cemeteries and administering insulin to the sick. In many instances the most senior official, the trustee, has five major functions:<ol><li>Collect all state and county taxes on property.</li><li>Keep a fair and regular account of all the money received.</li><li>Receive the county's bills and maintain a record of all bills received and related details.</li><li>Keep regular accounts of all payments made in relation to bills received.</li><li>On leaving office, deliver all books and papers of the office to his or her successor.</li></ol></li><li> <strong>The Treasurer/CFO:</strong> Duties include the receipt and payment of county/township funds. Typical state legislation governing township/county governments specifies at least three major treasurer duties/obligations that are central to this case:<ol><li>Monies that the treasurer receives must be allocated to one of the township's approved funds. Other special purpose funds may be established, but they must be authorized by the entire township/county government. </li><li>The treasurer must file a sworn, itemized financial accounting statement, typically monthly, with the county executive. </li><li>All officials, including the treasurer, are prohibited from requiring or allowing checks or other forms of payment to be payable to the official in his or her own name, rather than the name of the governmental entity, the office, or the official's name and title.</li></ol></li></ul><p>It is apparent that the Center Township CFO was defrauding its government and citizens with regard to the above obligations. However, the problem may not have been limited to this. Auditors looking into similar cases should consider whether the trustee played a role in the fraud, and whether his or her activities were reviewed.</p>Art Stewart
Fraud Behind Bars<p>Fraudulent tax refund claims by U.S. prison inmates topped US$1 billion in 2012, a six-fold increase since 2007, according to a report by the Treasury Inspector General for Tax Administration (TIGTA). There were more than 137,000 fraudulent claims in 2012, up from 37,000 in 2007. The report faults the U.S. Internal Revenue Service (IRS) for failing to take necessary steps to curb fraudulent claims. The IRS blocked US$936 million of fraudulent claims, but paid out more than US$64 million. One North Carolina inmate says he has defrauded the federal government of nearly US$4 million by using real names and Social Security numbers, the <a href="" target="_blank"> <i>Fiscal Times</i> reports</a>.</p><h2>Lessons Learned</h2><p>The scope of the prisoner tax fraud problem is surprisingly large. According to the U.S. Bureau of Justice Statistics, in 2011, 2.26 million adults were incarcerated in federal prisons, state prisons, and county jails — nearly 1 percent of U.S. adults. Combined with an additional 4.81 million adults who were on probation or on parole, that totals more than 7 million adults, or about 2.9 percent of the U.S. population. </p><p>In its 2014 audit of IRS activities, the TIGTA observes that refund fraud associated with prisoner Social Security numbers is a growing problem for tax administration. Although the IRS is making some progress in implementing anti-fraud measures to counter the threat of crimes perpetrated by prisoners, the inspector general says more can be done. The IRS continues to insist it is doing all it can. Based on my review of the TIGTA's audit and the IRS management's response, of the six recommendations the inspector general makes, there are three that the IRS should address more proactively.
All three are issues that auditors will see arise in assessing audit issues generally found in diverse organizations.</p><ul><li> <strong>Required annual prisoner fraud reports to Congress are not timely.</strong> Congress (as legislators and overseers) and the public (as taxpayers) should be informed as soon as possible about the state of play of this fraud issue, and delays in reporting may be affecting the identification and implementation of improvements to fraud detection, including additional legislative initiatives.<br><br> </li><li> <strong>IRS annual reports do not adequately address the full extent of fraudulent tax return filings by prisoners.</strong> The IRS' annual report to Congress only includes false and fraudulent tax returns filed using a prisoner's Social Security number. The TIGTA's audit report includes clear examples the IRS could use to better determine the possible extent of the filing of false or fraudulent returns by federal and state prisoners that is not included in its annual reports. For example, the IRS apparently is not able to prevent the issuance of a refund for fraudulent returns that used a direct deposit account. The inspector general found that there were 16,342 unique direct deposit accounts used on 16,449 tax returns. Using these account numbers, the inspector general identified 1,777 accounts that also were used on another 47,321 tax returns, and the tax refunds claimed on these tax returns totaled more than US$102 million. <br><br>While one cannot conclude this entire sum is based on fraudulent activity, it may indicate that one or more prisoners may be perpetrating an identity-theft fraud scheme — hence its relevance to include in statutory reporting. The kind of profiling and matching process the inspector general is advocating is already in place to deal with many categories of noncompliant taxpayers, both in the United States and internationally. 
Examples include nonfilers, industries and businesses that are high risk for under-reporting income, and those operating within the "underground economy."<br><br></li><li> <strong>The IRS does not consistently and thoroughly assign a prisoner indicator (or unique identifier) for all prisoners.</strong> If this unique identifier is not assigned, it means that the tax return will not be subjected to the IRS' specialized prisoner fraud checks, according to the TIGTA's audit. But this is the kind of measure that is regularly adopted by governments to enable them to identify and interact with clients of a wide range of programs and services, including for child benefits and others. It is not about presuming that the identified population is automatically engaging in illegal behavior; it is about ensuring that the right clients are provided with the services and benefits they deserve while preserving the integrity of compliance with the program/service requirements. <br><br>The IRS management response that essentially defended its limited scope of prisoner indicators based on "systemic limitations," "programming issues," or that it is unnecessary in those cases where no refund is being sought — which does not mean that the right amount of tax is being paid — does not seem entirely defensible in light of the IRS' mandates and resources. Further, the IRS response does not seem to identify privacy or personal information protection as a constraint to taking further actions in this area.</li></ul>Art Stewart
Fraud at the Top<h3>What are some of the top red flags indicative of fraud or unethical behavior at the executive level?</h3><p> <strong>Ratley</strong> Statistically, the most common warning sign displayed by fraudsters at the executive level is living beyond their means. Even those at the top can outspend their incomes, leading some to pad their bank accounts dishonestly. Other red flags that can be troubling and serve as warning signs of potential fraud or other unethical conduct include a willingness to use questionable or overly aggressive tactics to achieve business or personal objectives, a lack of transparency in decision-making and operations, and an attitude that the rules don’t apply to those at the top.</p><p> <strong>Snell</strong> You can look at the expense reports of some leaders and tell whether there is a problem with the tone at the top. These reports can tell you a lot about a person’s respect for the rules, character, and ethical disposition — and the reports are easy to examine. Also, look for evidence of executive leadership’s support of the compliance and ethics program.</p><h3>What are the most common executive-level frauds and ethical lapses seen in corporations today?</h3><p> <strong>Snell</strong> Executive-level fraud often is related to anti-bribery laws and accounting. Leaders should get to know their industry’s specific high-risk regulations and ensure the compliance officer is constantly working on them. The most common ethical lapses seem to be related to human resource issues associated with personal relationships.</p><p> <strong>Ratley</strong> Research from the Association of Certified Fraud Examiners (ACFE) shows the most common fraud schemes perpetrated by executives and upper management involve corruption, a category of fraud that includes bribes and kickbacks, extortion, and conflicts of interest. 
Anecdotal evidence bears this out, as stories of high-profile bribery cases, growing regulatory scrutiny, and large Foreign Corrupt Practices Act (FCPA) settlements fill the news headlines.</p><p>Other types of schemes that we commonly see perpetrated by those at the top include billing schemes — those that involve manipulation of purchasing and payment functions in an organization — and fraudulent expense reimbursements.</p><h3>What steps can organizations take to ensure an ethical tone at the top?</h3><p> <strong>Ratley</strong> Effective governance by the board of directors sets the foundation for the organization’s ethical tone. The board is charged with overseeing management, and it must expect executives not only to behave ethically, but also to incorporate ethical considerations into company strategy and operations. The directors should make it clear that they will not tolerate dishonest practices by management.</p><p>Setting realistic performance targets and incorporating measures of ethical performance into executive evaluation and compensation also incentivize ethical behavior. Additionally, executives should be bound by a published ethics policy and required to attend periodic, targeted ethics training. These requirements help remind executives of their ethical duties and the consequences of honest — and dishonest — conduct.</p><p> <strong>Snell</strong> The quickest way to get complete and demonstrable buy-in from leadership is for the organization to suffer an ethical or compliance lapse, get investigated, pay a huge fine, and suffer ridicule in the media for several months. Or, the organization can choose to hire a compliance officer and implement a compliance and ethics program. The board can help drive the ethical tone. 
Also, setting up compliance bonus incentives for leadership is simple and very effective.</p><h3>What tactics seem to work best to stop fraud or unethical behavior at the top?</h3><p> <strong>Snell</strong> The organization should hire a compliance officer and implement an effective compliance program. The compliance program must be set up correctly with adequate independence and authority to prevent, find, and fix ethical and regulatory issues.</p><p>Additionally, one person from the top level of management and a board member should attend compliance training with their compliance and ethics officer. Also, consider putting an experienced compliance officer from another company on your board.</p><p> <strong>Ratley</strong> We know most frauds are detected by tips; ACFE research shows that 44 percent of the schemes involving executives are revealed by whistleblowers. So perhaps the best tactic is providing employees at all levels with the means to report unethical or dishonest behavior — even when it is displayed by those at the top — and empowering and encouraging individuals to do so without fear of retaliation.</p><p>Additionally, we need to remember that executives are human, and they face many of the same personal challenges as everyone else. Offering support mechanisms to all employees — including top management — to help them deal with personal and financial pressures (such as debts, family problems, or addiction) can greatly reduce the temptation to commit fraud.</p><h3>What is internal audit’s role in fighting fraud at the executive level?</h3><p> <strong>Ratley</strong> Internal auditors have the unique perspective that comes from a close-up and continuous view into the organization’s culture, risks, and controls. This intimate understanding of the organization’s strengths and weaknesses is a huge benefit in assessing and combatting the risk of fraud at the executive level. 
However, only about 10 percent of frauds committed by executives are uncovered by internal audit, which shows that many warning signs of fraud are being missed.</p><p>Internal auditors should make sure they are asking the tough questions, examining the answers through the context of the tone at the top, and proactively watching for signs that point to potential wrongdoing at the executive level of the organization.</p><p> <strong>Snell</strong> Enron, HealthSouth, and Tyco had problems that were known by several people but not fixed. Compliance professionals should work with other departments, including internal audit, to ensure tasks related to compliance are effective and timely, and that problems are corrected quickly. The compliance department should ensure that a comprehensive process is put in place to prevent the problem from happening again.</p><h3>Are companies saying one thing about fighting fraud at the executive level and doing another?</h3><p> <strong>Snell</strong> I was skeptical; however, recent surveys from the Society of Corporate Compliance and Ethics reveal compliance professionals are predominantly satisfied, if not effusive, about their leadership’s support of compliance. Most leaders are trying to do the right thing. There are a few executives hitting the headlines who are making all business leaders look bad. It’s not fair, nor is it representative of executive leadership’s support for compliance and ethics.</p><p> <strong>Ratley</strong> Unfortunately, there are still some organizations — more than there should be — that don’t proactively address fraud at the executive level. Many organizations wait until they have been censured by regulators for breaking the law before taking the risk of fraud seriously. 
However, I have seen an encouraging number of organizations realize the importance of applying anti-fraud programs consistently across the board, setting the same — or even more stringent — ethical expectations and requirements for senior executives as those that are in place for the rest of the staff. In doing so, these organizations not only fight fraud at the executive level, but also strengthen the overall anti-fraud program and ethical tone of the organization.</p><p>James Ratley is the president and CEO of the Association of Certified Fraud Examiners.</p><p>Roy Snell is CEO of the Society of Corporate Compliance and Ethics.</p>Staff
Bid-rigging Scheme Grounded<p>A U.S. Marine Corps chief warrant officer and two executives of a defense contractor have been indicted for allegedly conspiring on a bid to perform maintenance on the Marine Helicopter Squadron helicopters used to transport the U.S. president and vice president, <a href="">Reuters reports</a>. Prosecutors say the Marine Corps officer leaked confidential information on the cost of the proposed bid contract to the CEO and president of Louisiana-based Valour LLC. The officer then participated on a selection board in which he rated Valour higher than other bidders, despite the Marine Corps having concerns about the company's past performance. </p><h3>Lessons Learned</h3><p>Although it is difficult to quantify precisely how big a problem bid-rigging in procurement processes is, numerous independent sources provide some parameters for this fraud threat. The 2014 Association of Certified Fraud Examiners (ACFE) <a href="">Report To The Nations on Occupational Fraud</a> (PDF) cites corruption — within which bid-rigging is conceptually situated — as the single biggest category of fraud observed within the government and public administration sector (36 percent), with a median loss of US$200,000 per incident (see Figure 24 of the report). Furthermore, corruption is consistently the largest fraud type observed across most industries. </p><p>While not as recent, a 2007 Organisation for Economic Co-operation and Development (OECD) document, <a href="">Guidelines for Fighting Bid-rigging in Public Procurement</a> (PDF), states that "In OECD countries, public procurement accounts for approximately 15 percent of gross domestic product. In many non-OECD countries that figure is even higher." And finally, a 2007 evaluation by the Canadian government's Competition Bureau of its anti-bid-rigging activities cites comparative data for the United States: "As of December 2007, the (U.S. 
Justice Department) Antitrust Division was dealing with 139 grand jury investigations, of which 40 percent were potential cases of bid-rigging and 60 percent were investigations of price fixing or frauds."</p><p>Much has been written on this subject, and both the ACFE Report To The Nations and the OECD anti-bid-rigging guidelines contain excellent information and advice on the red flags and methods internal auditors should be aware of in fighting bid-rigging fraud. Both a systematic approach to identifying and mitigating contract fraud risk, as well as a balanced, accountable, and transparent approach to identifying contract requirements are fundamentally important in reducing this kind of threat to organizations. There are two areas that bear highlighting.</p><p> <strong>Perform a thorough fraud risk assessment of the planned procurement and process. </strong>The first, and probably most important, step in tackling bid-rigging fraud is identifying the risk of fraud. How the procurement is defined is important because this in turn can be linked to the different areas of the procurement cycle that may be exposed to the risk of collusion or manipulation, and to what extent. </p><p>Procurement officers and their collective knowledge are essential to conducting this risk assessment work. They should understand the dynamics of the markets in which major purchases are made and should be able to correctly assess the degree of collusion risk from market behavior that may not arouse suspicions from a less-informed buyer. </p><p>Risk and control considerations include:</p><ul><ul><li><p>With regard to the identification of needs, there should be a clear requirement for the product or service that has been approved by an independent person or board. 
Individuals inside the purchasing organization can have hidden relationships with potential suppliers and bidders that they can use to influence or bias the decision-making process around the identification of needs for a procurement. </p></li><li><p>Similarly, any material goods, results, or savings promised to be delivered should be clear, transparent, and auditable. </p></li><li><p>As a key control mechanism, bid packages should require bidders to sign and submit a noncollusion affidavit stating that the bidder has not colluded and informing bidders of penalties should they violate laws or regulations. <br> <br>A thorough risk assessment also will identify areas where training is needed to strengthen the awareness of purchasing department employees with indicators of bid-rigging, price-fixing, and other types of collusion.<br> </p></li></ul></ul><p> <strong>Contract specification and design is a key area where bid-rigging fraud can be engineered or biased.</strong> Is the specification understood and agreed on by the relevant participants of the organization, or is this understanding and agreement only held narrowly, such as by one individual? This is a scenario in which organizations not only find themselves at risk from bid-rigging fraud, but also from unknowingly (or knowingly) tailoring contract specifications to obtain a predetermined procurement outcome. Specific questions include:</p><ul><ul><li><p> <em>Is the specification narrow to favor a particular individual or company? </em>This can happen frequently when the organization and its representatives have had a satisfactory ongoing relationship with the same supplier or bidder, giving rise to a sense that the existing supplier is "best suited" to continue providing the service or goods. As a result, organizations may exclude legitimate bids and could be confronted by legal complaints and challenges.</p></li><li><p> <em>Does the organization adhere to clear rules regarding contract scope changes? 
</em>Bidders often submit price quotes based on detailed descriptions of services or products the customer wants. Particularly in government operating environments, work often is added to the contract after it has been awarded, including work that was totally unrelated to what was originally proposed. That might make the winning bidder happy to make more money, but other bidders can rightfully complain that they never got a chance to bid on the new work. Changing the scope of the contract requirements after the contract is awarded typically is considered a violation of internal contract rules. Moreover, insiders to the organization awarding the contract may have conspired to make contract changes even before the contract was awarded. Organizations should require changes to contracts to be documented in the form of contract modifications or amendments.</p></li><li><p> <em>Does the organization award contracts without competition when there's an urgent need for critical items without delay?</em> If so, does the urgency really exist or is it the result of poor planning or because of collusion between the vendor and those within the organization to avoid competition? Procurement officers, auditors, and others with oversight roles in the contracting process should be vigilant and closely scrutinize such arrangements to determine how the organization designated the sole source supplier and verify whether that supplier really is a sole source of expertise or supply of goods and services.</p></li></ul></ul><p>Other issues to watch for in the contract specification stage include deliberately writing vague specifications to allow favored but not necessarily best-qualified bidders to succeed, designing specifications to result in eventual bid-splitting, and allowing a potential bidder to view the specifications earlier than its competitors, especially when this influences the final contract specifications.</p>Art Stewart
Safeguarding Customer Data<p>Individuals who have discovered unauthorized charges on their credit cards or learned that someone has used their name to take out a loan are not alone. A recent CNN/<em>Money</em> magazine article reports that more than 13 million people were identity fraud victims last year, up from 12.6 million in 2012, based on a recent study by San Francisco-based Javelin Strategy & Research. It was the second-highest number of victims in the 10 years Javelin has conducted its study.</p><p>With fraud on the rise, consumer data is at risk. Just this year, thieves have targeted customer data at eBay, Home Depot, Neiman Marcus, and Target. For years, retail organizations and financial institutions have known that having payment card numbers in their company databases required some level of protection. Now hackers, fraudsters, and thieves are going beyond the card numbers to obtain customers' personally identifiable information (PII). They use this stolen data to make purchases, develop fake IDs, take out fraudulent loans, and perpetrate other illegal activities. Internal auditors need to add the protection of credit and debit card information, and of the PII stored alongside it, to their long list of fraud threats.</p><h2>Three States of Data</h2><p><em>PII</em> is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. This includes information such as credit card, checking account, Social Security, and driver's license numbers that uniquely identify an individual. Businesses collect such information whenever someone makes a purchase. This enables companies to verify that the person using the payment method is authorized to do so and is who he or she claims to be.</p><p>Although collecting customer data is a good business practice to prevent fraudulent activity, the moment organizations bring PII into their databases, they become custodians of it. 
As custodians, they are obligated to protect that information. Additionally, auditors have a duty to point out instances where customer PII may need to be protected, and they should look critically at internal systems where customers' data is available for all to see or access.</p><p>To protect PII, auditors need to know where it exists in their organization. Data security experts consider data that needs to be protected to be in three distinct states:</p><ul><li>Data in use. Data on terminals, displays, hand-held devices, paper reports, or other devices that employees use to do their jobs.</li><li>Data at rest. Information stored on file servers, computers, tablets, or information repositories such as email and Web servers.</li><li>Data in motion. Data sent over networks.</li></ul><p>Knowing the state of the data goes a long way toward understanding how to protect and audit it. In most cases, the data at rest needs to be safeguarded. This usually is done through encryption. However, in some cases data is not encrypted because management may believe that the data is on a protected device or network. The other reason people will not encrypt data is because of performance issues such as the time needed to encrypt and decrypt the data. In either case, if the protected device is somehow compromised, the data would be in plain sight and at risk.</p><p>Encryption also is the preferred method of protecting data in motion. However, depending on the networks in use, it may not be possible to encrypt data if the receiver of the information does not have a way to decrypt it. In such cases, the organization should consider implementing other data security measures such as password protection, security keys, and biometric identification. Those measures control who can reach the data at either end of the connection; they do not protect it while it is on the network, so any unencrypted path that carries PII should be recorded as a gap when the data is inventoried.</p><p>Above all, internal auditors need to be aware of the exact information the organization is trying to protect and the cost associated with protecting it. 
Additionally, as this is primarily a data security issue, the information security group should assist in any projects in this area.</p><h2>Audit Focus</h2><p>Once internal auditors know which information needs to be protected and how to do so, they need to perform a simple inventory to find out where it exists in their organization. For example, auditors should use a spreadsheet to perform the inventory analysis. On one side, the auditor should list each application system, hardware device, report, and item that may contain PII. At the top, the auditor should list the three data states — data in use, data at rest, and data in motion — and use a simple check to identify whether PII exists. Next to the cells in the spreadsheet where the PII exists, the auditor can add a column to indicate how that PII item is protected or note where the data is in plain sight and may need additional protection. This spreadsheet can function as a road map to locate all the organization's PII data and identify the method used to protect it. Moreover, it can demonstrate the organization's due diligence in protecting this information.</p><p>Now that auditors know where all the data resides, they can scope and plan to assess the organization's risks. In addition to testing the encryption in place, auditors should focus on controls over how data is used as well as appropriate data security policies and procedures. Based on the inventory analysis, auditors can decide whether the data is at risk of compromise and then decide on an appropriate protection method. 
Some examples include:</p><ul><li>If PII is in clear text on a report, procedures need to be in place for those reports to be protected, secured when being used, locked away when not in use, and disposed of appropriately (e.g., shredded) when they are no longer being used.</li><li>If PII is in clear text on a screen from an application that many people can access, the auditor should recommend that the fields on the screen be masked with asterisks or encrypted so only certain individuals in the organization who need to identify customers can see the full information.</li><li>If the organization collects and uses PII regularly, the auditor should recommend that the organization adopt a customer privacy policy and notify customers that it is committed to protecting their information. Additionally, a "protecting customer information" training session should be required for all employees who deal with PII.</li></ul><p>In addition to these areas, auditors should check that backup storage devices that contain PII are protected, as these often are overlooked.</p><h2>Staying Out of the Headlines</h2><p>As attackers increasingly target customer PII, internal auditors need to discard their old assumption that outside forces are primarily after internal information such as company secrets, business strategies, and financial data. With customers' data increasingly threatened, internal auditors have an obligation to help protect this information from prying thieves — or run the risk that their organization will be the next business in the news. </p>Kenneth Pyzik
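<p>The inventory and masking steps above can be partly automated for reports and screen extracts that exist as text: scan each line for card numbers and Social Security numbers in clear text, record where they were found, and show what the masked version of the line looks like. The following is an added example written for this page, not code from the article's author; the report lines are constructed, and the regular expressions and Luhn check are the assumed detection rules (a 13- to 19-digit Luhn-valid number is treated as a card number, which will not catch every PII format an organization holds).</p>

```python
"""
Added example (not from the original article): find card numbers and SSNs in
clear text in report lines, build a per-line inventory of what was found,
and produce the masked form the article recommends for screens and reports.

The sample report lines, the card numbers (standard test numbers) and the
SSN are constructed for illustration; the detection rules are assumptions.
"""
import re

# 13-19 digits, optionally separated by spaces or hyphens (assumed rule).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# NNN-NN-NNNN, excluding area numbers that are never issued (assumed rule).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out most non-card digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(candidate: str) -> bool:
    digits = re.sub(r"[ -]", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def scan_line(line: str):
    """Return [(kind, value), ...] for each PII item found in clear text."""
    findings = [("PAN", m.group()) for m in PAN_RE.finditer(line) if _is_pan(m.group())]
    findings += [("SSN", m.group()) for m in SSN_RE.finditer(line)]
    return findings


def mask_line(line: str) -> str:
    """Mask all but the last four digits of each PAN and SSN, keeping separators."""
    def mask_pan(m):
        s = m.group()
        if not _is_pan(s):
            return s            # not a card number; leave it untouched
        keep = sum(ch.isdigit() for ch in s) - 4
        out, seen = [], 0
        for ch in s:
            if ch.isdigit():
                out.append("*" if seen < keep else ch)
                seen += 1
            else:
                out.append(ch)
        return "".join(out)

    line = PAN_RE.sub(mask_pan, line)
    return SSN_RE.sub(lambda m: "***-**-" + m.group()[-4:], line)


def inventory(lines):
    """{line_number: findings} for every line that exposes PII in clear text."""
    result = {}
    for number, line in enumerate(lines, 1):
        findings = scan_line(line)
        if findings:
            result[number] = findings
    return result


# Constructed report extract: two card numbers, one SSN, and a 16-digit
# internal reference that is not Luhn-valid and must not be flagged.
SAMPLE_REPORT = [
    "2014-09-03 order 884210 cust J. Doe card 4111 1111 1111 1111 exp 11/16 amt 129.99",
    "2014-09-03 order 884211 cust A. Roe card 5500-0000-0000-0004 amt 42.10",
    "2014-09-03 loan app 77120 applicant R. Poe ssn 123-45-6789 approved",
    "2014-09-03 order 884212 ref 1234567890123456 note: internal reference, not a card",
]


if __name__ == "__main__":
    for number, findings in inventory(SAMPLE_REPORT).items():
        print(f"line {number}: {findings}")
    for line in SAMPLE_REPORT:
        print(mask_line(line))
```

<p>The inventory output is what goes into the spreadsheet the article describes (which report, which line, which kind of PII); the masked lines show what the report or screen should display to staff who do not need the full value. Printed reports still have to be handled under the storage and shredding procedures above; masking only helps where the report is generated.</p>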
Money in the Drawer<p>The City of Charlotte has taken corrective actions to fix problems with its cash collections processes that were uncovered by an internal audit, <a href="" target="_blank">WSOC-TV reports</a>. The audit was prompted by the discovery that a transit employee had embezzled more than US$50,000 from the city. After looking at how other city departments handled incoming cash and check payments, auditors found "insufficient compliance and monitoring." For example, in the fire department, auditors found checks totaling more than US$80,000 in employees' desks. The audit recommended the city implement stronger controls over cash handling and frequent checks to ensure collections are deposited in a timely manner.</p><h2>Lessons Learned</h2><p>Despite the rapid growth of e-commerce and electronic financial transactions, most organizations — particularly governmental bodies — still collect and handle significant amounts of cash and equivalents. This makes them susceptible to fraud, theft, and loss of revenue arising from weak controls over their cash collections and management processes. While difficult to quantify on a global basis, anecdotal evidence suggests the potential magnitude of the problem. </p><p>According to the audit conducted by the Charlotte City Auditor's Office, the city collects at least US$75 million in cash annually. The audit further notes that about US$95,000 in cash collected was not deposited within 24 hours as required by city policy — a useful internal control over cash management. But the problems often go further than this. Cash that is not collected and deposited in a timely manner is not available to the organization for its further use, and bank interest is forgone. In a recent audit of a large Canadian federal government department, the Office of the Auditor General observed that more than CAN$3 million in cash annually was not being deposited in a timely manner. Auditors estimated that up to US$100,000 in interest was forgone as a result. 
These consequences are in addition to fraud and theft risks.</p><p>The Charlotte City Auditor's report makes several relevant observations and recommendations to specifically address the need for the city to improve its internal controls over cash collections to safeguard funds against fraud, waste, and unnecessary loss. Those recommendations and measures — which are mainly focused on the timeliness of payment and consistent application of cash management policy and processes — can be integrated within the broader context of a systematic approach to establishing strong internal controls over the management of cash.</p><ul><li> <strong>​Recording, documentation, review, and verification of all transactions. </strong><span>Organizations that deal heavily with cash receipts should implement a computerized cash management system or register that incorporates other control features by simultaneously transmitting the cash transaction to other program modules. This in turn promotes consistency of amounts used to record related transactions. Actual cash balances at the end of the day should be compared to the end-of-day balance generated by the machine. Whether automated or not, all monies collected and transferred should be documented timely through a transmittal form. A daily cash report should be prepared by each operator and summarized by a supervisor; copies of any reports and transmittal letters should be forwarded to the accounting department to facilitate validation of back-office accounting entries.</span><br>​<br></li><li> <strong>​Segregation of duties and responsibilities,</strong><span> including monthly bank statements that are reconciled against the general ledger's cash-in-bank balance by a staff member who is not involved in handling cash transactions or issuing check disbursements. 
This will help identify whether there are bank transactions not yet recorded on the books or whether there are errors or irregularities in the management of cash deposits and check issuances. </span><br><br></li><li> <strong>​Security of physical conditions,</strong><span> including procedures to ensure that all registers, cash boxes, etc., are locked when unattended. For example, during nonworking hours a cash vault or safe should serve as a repository for petty cash funds and cash boxes containing collections that have not been deposited yet. Checkbooks, official receipts, purchase orders, sales invoices, delivery receipts, and debit/credit invoices should be kept under lock and key and in the custody of a control officer.</span><br><br></li><li> <strong>Security of human resources,</strong><span> including preventive measures instituted at the point of hiring to carefully evaluate results of background checks, especially for persons hired to manage or handle cash. Also, cashiers, credit collectors, and officers who have access to the cash vault or safe should be covered by surety bonds.​</span><br><br></li><li> <strong>Limitations over accessibility and availability,</strong><span> including ensuring that the security of a vault or safe is the joint responsibility of two key officers. 
The vault or safe door should have two sets of control combinations so that one authorized individual cannot gain access to the steel repository's content without the other's knowledge.​</span><br><br></li><li> <strong>Supervision, monitoring, and traceability of funds movements</strong><span style="line-height:1.428571429;">, including independent observation of cash receipts counting.</span><br><br></li><li> <strong>Planning and budgeting controls,</strong><span> including forecasting and establishing appropriate resources and processes related to future-year cash receivables, as well as taking into account available fraud and risk assessment information.</span><br><br></li><li> <strong>Accountability regime,</strong><span> which specifies clear roles and responsibilities for the management and processing of cash in specific job descriptions and performance assessments. On a corporate level, all accountability forms related to cash receipts activities used as supporting documents for filing income tax returns or financial report documents should be verified and registered with the appropriate national tax authority, such as the U.S. Internal Revenue Service, as required by law or policy.</span><br><br></li><li> <strong>​Regular monitoring and reporting,</strong><span> including assessing whether targets/standards for the timeliness of depositing funds are being met consistently. Auditors also should assess patterns in variance between amounts counted versus validation through back office processes.</span><br><br></li><li> <strong>​Periodic audits and related monitoring initiatives, </strong><span>including identifying incidents of robbery, fraud, and noncompliance with policy. Internal audit, or a forensic accounting team, should be assigned to investigate the circumstances, procedures, methods, documents, and devices used to determine the impropriety of cash handling. 
Weaknesses or breakdowns of internal control should be identified to institute corrective and additional preventive measures.</span><br></li></ul>Art Stewart