Fraud

 

 

A Case of Misplaced Trust
https://iaonline.theiia.org/2018/Pages/A-Case-of-Misplaced-Trust.aspx
<p>Jane Dosh was the comptroller and a trusted employee at Smith Interior Design Co. (SID), a small and close-knit professional services firm catering to high net-worth families and individuals, for almost 15 years. As comptroller, she managed many aspects of SID’s financials — such as paying bills, managing payroll, and purchasing supplies for the company and clients — with oversight from Robert Smith, the company’s co-founder. Smith was responsible for monitoring the company’s finances. When he passed away in 2011, his financial responsibilities were added to Dosh’s workload, which meant she handled every aspect of the company’s finances with no oversight. She continued in that role for the next few years until she unexpectedly resigned on Dec. 31, 2016. </p><p>Internal Audit Manager Heather Dittman was the sole internal auditor at SID and did not have the resources to provide a routine set of reviews aligned with a regular risk assessment. As part of her annual plan, Dittman performed a standard review of the accounts payable process. The audit program included sampling transactions, checking support, and ensuring appropriate authorizations. During her review in early 2017, she documented several unsupported and unexplained transactions. </p><p>During the validation process, Dittman interviewed several employees for supporting explanations and documents, but they were unaware of the expenses and could not retrieve the records. Having exceptions in the validation process was a typical event for Dittman, but a large number of unexplained exceptions was unusual — plus there was no supporting documentation. </p><p>Dittman reached out to Dosh, who insisted that the records must be misplaced and that she would find them and send them to Dittman. However, as days turned into weeks, Dosh did not send the records. 
Dittman sent numerous follow-up emails and voicemails, which went unanswered. After weeks of no response, Dittman went to the file room to search for the records herself, but the room was empty. </p><p>Unable to obtain answers from Dosh and concerned about missing records, Dittman escalated her concerns to the CEO and chief financial officer and recommended a forensic review. Given Dosh’s control of the financial processes, it appeared possible that she had defrauded the company and was now covering it up. Management was concerned about the extent of the fraud and the company’s ability to recoup the money. As a result, management agreed to a forensic review. </p><p>The forensic review began with traditional surveillance of Dosh to uncover the facts necessary to figure out the fraud. During lunch on the second day of surveillance, Dosh went to a local boutique. This piece let the investigators assemble the rest of the puzzle. </p><p>Dosh wanted to be an entrepreneur, but she lacked funding. When Smith died, another employee, Helen Brown, was granted a company credit card, and Dosh saw her chance. She had access to the new card’s information and knew nobody would be monitoring the credit card activity but her. Dosh then contacted Alexandra Johnson, an acquaintance who worked at a luxury clothing store nearby, and the two began a joint business venture. Dosh went to the store where Johnson worked, and they set up a store account using Brown’s company credit card. Johnson later quit her job at the boutique and got a job at another clothing store. There, she set up another account with Dosh using Brown’s credit card. Dosh also bought expensive jewelry and clothing from other boutiques on the card. She would pay off her purchases on the company card every month from SID’s checking accounts. 
</p><p>When forensic investigators recovered the contents of Dosh’s company computer hard drive, they found detailed plans for a boutique clothing and accessory business owned by Dosh and Johnson. Private investigators followed Dosh for weeks to locate where she was storing the fraudulent purchases. She also forged the signature of the second company co-founder on multiple fraudulent checks to purchase personal goods and services, including payments to family-owned businesses. Investigators went through years of company financial documents to find that she had embezzled more than $4 million from the company in just five years. </p><p>SID and the investigators turned the case over to federal law enforcement. Dosh pleaded guilty and is awaiting sentencing for charges related to identity theft and fraud. SID implemented several policies and procedures to prevent the company from getting defrauded again, including: </p><ul><li>Disbursing cash only after appropriate management authorization and only with dual approvals over certain threshold amounts to ensure company funds were being spent for approved business purposes. <br></li><li>Reviewing all cash receipts and disbursements as part of a monthly bank reconciliation.<br></li><li>Separating financial duties so no one person would handle all of the responsibilities. <br></li><li>Backing up all financial transaction source documents to multiple locations so the documents would not be lost if any one location was compromised. <br></li><li>Developing a risk assessment program to allow internal audit to review, assess, and identify weaknesses in the internal controls and point out areas of high risk concerning fraud. <br></li></ul><p>SID realized that internal controls do not have to be an impediment that slows down work processes. While there is no such thing as a one-size-fits-all system of internal controls, getting the focus of their internal controls right helped safeguard and develop their business. 
</p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"> <p><strong>Lessons Learned</strong></p><ul><li>No company is immune to fraud. Internal audit needs to help the organization prevent and minimize fraud risks. Small companies that are reluctant to invest the money to provide more internal audit coverage should consider the return on investment in comparison to a $4 million embezzlement. It is imperative for companies to set up internal policies and procedures that separate duties, promote accurate documentation, and systematically evaluate and counter all potential risk.<br></li><li>Internal audit should perform a fraud risk assessment to help leadership in small companies understand the extent of their vulnerability to fraud. Significant procedural or segregation of duties gaps can be identified during the process without requiring substantial investment in audit resources. Many of the control weaknesses in this case would have been uncovered during the assessment process. <br></li><li>Internal auditors should include a fraud risk assessment as a standard for their work plans. It applies to every company and is the most compelling method of educating management about fraud vulnerabilities. The act of communicating this tool throughout management is sometimes enough to prevent fraud. <br></li><li>Internal audit needs to know when to involve a forensic investigator. Forensic experts can provide different tools, such as recovering erased hard drives and surveillance, and will preserve the chain of evidence in a fraud case. <br><br></li></ul></td></tr></tbody></table>
Frank Rudewicz
The Case for Due Diligence
https://iaonline.theiia.org/2019/Pages/The-Case-for-Due-Diligence.aspx
<p>Two former executives of U.K.-based Autonomy have been indicted on criminal fraud charges stemming from the software company's 2011 acquisition by Hewlett Packard (HP), <a href="https://www.crn.com/news/applications-os/former-autonomy-executives-indicted-on-criminal-conspiracy-and-fraud-charges" target="_blank"><em>CRN.com</em></a> reports. U.S. prosecutors allege former CEO Mike Lynch and Stephen Chamberlain, former vice president of finance, used fraudulent accounting practices to inflate Autonomy's value. A year after completing the purchase, HP took an $8.8 billion write down of Autonomy's assets and later sold those assets to Micro Focus. Last April, a U.S. federal court jury found former Autonomy CFO Sushovan Hussain guilty of wire and securities fraud. Also, Hewlett Packard Enterprise, which spun off from HP in 2015, has sued Lynch and Hussain in the U.K. Lynch's attorneys claim HP made mistakes in integrating Autonomy's assets that reduced their value. </p><h2>Lessons Learned</h2><p>This story illustrates the need for a thorough due diligence process for a major acquisition. Internal auditors can view advice and resources about the due diligence process provided by organizations such as The IIA, the U.S. Securities and Exchange Commission (SEC), and the Association of Certified Fraud Examiners. Two key aspects of the process may have helped reveal the core issues in dispute in this alleged fraud: due diligence risk assessment and the potential impact of differing international accounting standards.</p><p> <strong>Due Diligence Risk Assessment</strong> A thorough risk assessment of the company targeted for acquisition is essential. Furthermore, the SEC and U.S. Department of Justice (DOJ) have issued A Resource Guide to the U.S. 
Foreign Corrupt Practices Act (the FCPA Guide), which recommends companies conduct pre-acquisition due diligence on merger and acquisition deals. Uncovering fraud after the deal is completed can have damaging consequences for an acquirer. Two key parts of this due diligence are:</p><ul><li> <em>Assessing the validity, accuracy, and integrity of the financial statements.</em> This assessment should include related internal and external financial reporting, significant estimates and accounting policies, regulatory changes and their impact on financial statements, past and recent findings of internal and external auditors, and staff competency and training.<br><br></li><li> <em>Examining the organization's internal controls, using a risk-based approach.</em> This examination should review internal control procedures and documentation, and analyze gaps in internal control structures and the adequacy of management's corrective action plans. Moreover, it should review related internal and external audit reports and findings on internal control deficiencies, along with remediation strategies. Depending on the results of these reviews in terms of risk, a further internal audit or external audit of internal controls may be warranted. <br><br>According to the DOJ/SEC FCPA Guide, companies do not examine the target company's internal control environment in detail before completing an acquisition. Consequently, internal control weaknesses that may exist are left to be identified during the post-acquisition integration process. These weaknesses may lead to an increase in the risk of fraud. <br><br></li><li> <em>Applying data mining techniques to uncover potential fraud.</em> At a minimum, the acquiring company should obtain as much transactional data as possible from the target company's accounting system. 
Analyzing this data using a data mining tool can identify potential anomalies in the operation of internal controls and unusual transactions that may be evidence of fraudulent activity.<br> </li></ul><p>Other aspects of a risk assessment include a review of the target company's compliance and ethics program, its ethical culture, and background checks on key executives and employees.</p><p> <strong>Financial Accounting Standards</strong> In the Autonomy case, there is a potential issue around the differences among financial accounting standards that exist internationally. Lynch has stated that the claims of fraud come down to a dispute over the application of U.K. accounting standards. The U.K. and many other countries use International Financial Reporting Standards (IFRS) as their accounting method. IFRS has some key differences from the Generally Accepted Accounting Principles (GAAP) approach used in the U.S. Lynch and his attorneys argue that differences in interpretation between them could have contributed to the view that Autonomy inflated its value before its acquisition.</p><p>A major difference between IFRS and GAAP is the methodology used to assess the accounting process. GAAP focuses on research and is rules-based, whereas IFRS looks at the overall patterns and is based on principles. With an IFRS-based accounting method, potentially different interpretations could result in higher values being included in financial statements in five areas: </p><ul><li> <em>Inventory reversal.</em> GAAP specifies that if the market value of the asset increases, the amount of the write down cannot be reversed. Under IFRS, however, the amount of the write down can be reversed. In other words, GAAP is cautious of inventory reversal and does not reflect any positive changes in the marketplace.<br> </li><li> <em>Development costs.</em> A company can capitalize its development costs under IFRS, as long as certain criteria are met. 
This allows a business to leverage depreciation on fixed assets. Under GAAP, development costs must be expensed in the year they occur and are not allowed to be capitalized.<br> </li><li> <em>Intangible assets such as research and development or advertising costs.</em> IFRS accounting takes into account whether an asset will have a future economic benefit as a way of assessing the value. Intangible assets measured under GAAP are recognized at the fair market value only.<br> </li><li> <em>Income statements.</em> Under IFRS, extraordinary or unusual items are included in the income statement and not segregated. Under GAAP, they are separated and shown below the net income portion of the income statement.<br> </li><li> <em>Fixed assets such as property, furniture, and equipment.</em> Companies using GAAP accounting must value these assets using a cost model. This takes into account the historical value of an asset minus any accumulated depreciation. IFRS uses a different model, called the revaluation model, based on the fair value at the current date minus any accumulated depreciation and impairment losses. </li></ul>
Art Stewart
The Unscrupulous Advisor
https://iaonline.theiia.org/2018/Pages/The-Unscrupulous-Advisor.aspx
<p>A federal grand jury has indicted the CEO of an investment management firm on 23 counts of fraud, <a href="https://www.idahostatejournal.com/news/local/former-owner-and-ceo-of-yellowstone-partners-investment-firm-indicted/article_bedc9214-f7eb-5fd0-a5fc-aa743fde6362.html" target="_blank">the <em>Idaho State Journal</em> reports</a>. Federal prosecutors say David Hansen, majority owner of Yellowstone Partners LLC, headquartered in Idaho Falls, Idaho, overbilled client accounts by submitting false billing requests to a brokerage firm. Last year, former Yellowstone Partners employees told the <em>Post Register</em> newspaper they had found "significant irregularities" in some customer accounts in 2016. Prosecutors estimate Hansen's alleged scheme defrauded clients of more than $9 million. The indictment also charges Hansen with aiding in preparing false corporate and personal income tax returns that underreported the company's revenue and his own income in 2012 and 2013.</p><h2>Lessons Learned</h2><p>The CEO of the investment management firm in this story allegedly has run afoul of the U.S. Securities and Exchange Commission (SEC) and more particularly Section 206 of the Investment Advisers Act of 1940 (the "Advisers Act"). In part, Section 206: </p><p> <span class="ms-rteStyle-BQ">"prohibits misstatements or misleading omissions of material facts and other fraudulent acts and practices in connection with the conduct of an investment advisory business. As a fiduciary, an investment adviser owes its clients undivided loyalty, and may not engage in activity that conflicts with a client's interest without the client's consent."</span> </p><p>In addition to the general anti-fraud prohibition of Section 206, other sections of the act regulate several practices relevant to the alleged fraud in this story. 
These include disclosure of fees, investment advisor advertising, custody or possession of client funds or securities, and disclosure of investment advisors' financial and disciplinary backgrounds. All of these rules were allegedly broken in one way or another in this case. </p><p>Internal auditors should consider measures to help their organization prevent and detect the kind of fraud represented in this story. Two main areas of concern surround disclosure obligations:</p><ul><li>"The Brochure Rule" (Advisers Act Rule 204-3) requires every SEC-registered investment advisor to deliver to each client or prospective client a Form ADV Part 2A (brochure) and Part 2B (brochure supplement) describing the advisor's business practices, conflicts of interest, background, and its advisory personnel. Advisors must deliver these documents to a client before or at the time the advisor enters into an investment advisory contract with a client. In addition, advisors must provide them whenever there is a material change to the advisor's profile. <br> <br>Both investors and auditors need to be aware of how business practices and conflicts of interest can be hidden or manipulated. Hansen is a partner at Elite Advisor Institute, a company that trains and coaches investment advisors. Was this partnership disclosed, and were some of the people involved in the overbilling scheme at Yellowstone Partners trained there? <br> <br>A further step that needs to be taken is to cross-check an investment advisor's background with those who regulate and accredit them such as the SEC (registration information is available on <a href="http://www.sec.gov/" target="_blank">the SEC's website</a>). The Financial Industry Regulatory Authority also offers information about the professional designations used by advisors as well as measures that investors can take to avoid investment fraud. 
</li> <br> <li>The SEC mandates that an investment advisor disclose to clients all material information regarding its compensation such as whether the advisor's fee is higher than the fee typically charged by other advisors for similar services. In most cases, this disclosure is necessary if the annual fee is three percent of assets or higher. <br> <br>Investors and auditors should be proactive in regularly reviewing investment transactions to determine what fees are being incurred, as an early way to detect overbilling. The investment industry should continue to be obligated to regularly and transparently disclose fees to clients. A good practice would be to disclose such fees monthly, although often this is only done annually. <br> <br>A further part of this transparency is to carefully monitor the use of other mechanisms that incur fees such as performance fees and referral to third-party fees. Another mechanism susceptible to overbilling is a "wrap fee program" where advisory and brokerage services are provided for a single fee that is not based on the client's account transactions. </li></ul>
Art Stewart
Crimes of the Century
https://iaonline.theiia.org/2018/Pages/Crimes-of-the-Century.aspx
<p>Fraud will flourish until human beings and money are removed from the mechanics of the international economy. In fact, all that separates a determined criminal and a company's cash flow is a control regime developed by imperfect human beings, often operating with insufficient manpower and limited technological assistance. So there's a decent chance that somebody will come up with a way to scam any new system. Indeed, most of the worst frauds ever have played out in the last 20 years, because the prize money is growing and the playing field is expanding. <br></p><p>"The fraud climate has greatly improved over the past few decades," says financial analyst Harry Markopolos, who battled unconvinced U.S. Securities and Exchange Commission (SEC) staffers in Boston and New York when he tried to disclose one of the biggest schemes in recent years. "Unfortunately, it's improved for the fraudsters, not the victims." Internal audit functions are doing their best — and they're sometimes the heroes when crimes are uncovered. But a look back at some of the biggest headline-grabbing scandals of the 21<sup>st</sup> century confirms his contention that fraud fighting is, increasingly, a 24/7 responsibility. <br></p><h2>Enron</h2><p>In 2001, former vice president of corporate development Sherron Watkins blew the whistle on executives at once-giant energy company Enron Corp. for "inventing revenue and hiding losses via elaborate partnerships with dummy companies," as CBS News reported at the time. Enron went bankrupt, taking down Arthur Andersen, its main audit firm, with it. In all, 21 people pleaded or were found guilty in the $74 billion fraud; charges included insider trading, conspiracy, bank fraud, making false statements to auditors, and securities and wire fraud. 
Former chair and CEO Kenneth Lay, former CEO and chief operating officer Jeffrey Skilling, and former chief financial officer (CFO) Andy Fastow were among the convicted, but Lay died before serving any time. <br></p><p>Watkins played a key role in exposing the fraud, though it proved an uphill battle and took significant time for the scandal to fully come to light. Evidence that fighting fraud is an increasingly titanic endeavor is evident in the numbers, Markopolos says — the dollar amounts of the damage the criminals do keep going up. "You can see the growing problem by the size of the frauds," he says. "They're becoming increasingly larger decade by decade."<br></p><h2>WorldCom</h2><p>Early in the last decade, former CEO Bernie Ebbers' $180 billion WorldCom fraud included underreporting line costs by capitalizing rather than expensing them and inflating revenues with fake accounting entries. The monumental scheme was discovered by the company's then vice president of internal audit, Cynthia Cooper, who along with Watkins was named one of <em>Time</em> magazine's 2002 Persons of the Year for her efforts. WorldCom went bankrupt and is now part of Verizon Communications.<br></p><p>WorldCom's CFO was fired and the controller resigned. Ebbers was sentenced to 25 years in prison for fraud, conspiracy, and filing false documents with regulators; he's still in jail, despite his widely reported "begging" for a presidential pardon. U.S. Congress passed the Sarbanes-Oxley Act of 2002 just weeks after news of the WorldCom scandal broke. <br></p><h2>Bernie Madoff<br></h2><p>A few years after Sarbanes-Oxley went into effect, the fraud case Markopolos tried to expose — involving now-80-year-old Bernie Madoff, the former Nasdaq chair who pleaded guilty in 2009 to federal felonies — racked up an estimated $65 billion price tag in the 10 years Markopolos attempted to convince the SEC that something didn't add up. 
Madoff's charges included securities, investment advisor, mail, and wire fraud; money laundering; perjury; making false filings with the SEC; and theft from an employee benefit plan. <br></p><p>He's still in prison, with an expected release date of 2139. The former head of Bernard L. Madoff Investment Securities LLC forfeited $17 billion before starting the 150-year sentence for running the largest Ponzi scheme in history — basically, investors' returns came from their own money, not from profits. The case, Markopolos points out, is a sad example of the outcome of most financial fraud scandals. "Unfortunately, when it comes to economic crimes," he explains, "usually only the top tier of planners and architects of the scheme end up serving significant prison sentences." In this instance, "no one at Madoff's hundreds of feeder funds was ever prosecuted, just like no bank executives went to jail for the global financial crises from 2007 to 2009." <br></p><h2>Olympus</h2><p>In 2011, a low-level Olympus Corp. employee blew the whistle on executives concealing $1.5 billion in investment losses. The brand new CEO, Michael Woodford, exposed the scandal; he got fired and Olympus denied everything.<br></p><p>Ultimately, 11 executives were arrested, much of the board resigned, and the company lost 80 percent of its value. But just three got suspended sentences — two for three years, the other for 30 months. Within a couple years the company returned to profit, and its shares recovered most of their losses.<br></p><h2>FIFA</h2><p>Just three years ago, U.S. 
officials charged nine executives at the Fédération Internationale de Football Association (FIFA), four sports marketers, and an accused intermediary with racketeering, wire fraud, and money laundering, saying they conspired to solicit and receive $150 million in bribes and kickbacks for rights to televise the quadrennial World Cup and to sway FIFA's decisions on who hosts it. Charles Blazer, former executive committee member, pleaded guilty and forfeited $2 million; he faces a maximum of 10 years in prison. José Hawilla, head of the Traffic Group, a sports marketing conglomerate, and two of his companies, Traffic Sports International Inc. and Traffic Sports USA Inc., also pleaded guilty; he forfeited $151 million. The individuals face maximum terms of 20 years in prison; the corporate defendants face fines of $500,000 and one year of probation.<br></p><p>Since then, the organization has struggled to implement internal reforms — but reminders of the scandal keep surfacing. In 2017, former member Richard Lai pleaded guilty to FIFA-related charges, and this summer, a corporate defendant pleaded guilty to fraud in the case — and paid $25 million in fines and forfeitures.<br></p><h2>Little Restitution for Victims</h2><p>Those fines and forfeitures, unfortunately, rarely make victims whole. For example, in most Ponzi schemes, Markopolos points out, "recoveries range from 20 cents to 50 cents of every initial dollar invested, varying by geographical location, size and type of the scheme, and too many other variables that affect just how much investors will eventually get back." He also notes that it takes a long time to unwind such complex schemes — so when victims finally do receive partial restitution, it's often as much as five to 10 years after the scheme has collapsed. <br></p><p>Indeed, <em>The</em> <em>New York Times</em> reported in April that victims would receive another $504 million from Madoff assets the government seized a decade ago. 
"With that distribution," the <em>Times</em> reported, "21,000 victims have received more than $1.2 billion." But the theft tally ranged from a conservative $15 billion or so to the widely reported $65 billion; in the better case scenario, in other words, victims haven't yet gotten back 10 percent of their losses. Says Markopolos: "The one constant truth is there are no happy endings for victims."<br></p><p>He blames a regulatory and corporate culture that has its head in the sand, that struggles to take the threat of another shocking scandal seriously, and that gives finance industry titans too much credit for good behavior. Indeed, he famously complained to the SEC for a decade that the Madoff firm's returns weren't mathematically possible, but he was turned away more than once; two SEC executives ultimately resigned, but no one was fired and few were sanctioned. "Investor due diligence on Wall Street is very lax," Markopolos says, and "doesn't come close to The IIA's standards of what a real audit would entail. If financial due diligence professionals would join The IIA and attend chapter meetings, they'd learn enough to be much harder to fool." <br></p>Russell A. Jackson1
Cash-transfer Schemes
https://iaonline.theiia.org/2018/Pages/Cash-transfer-Schemes.aspx
<p>Cash-transfer company MoneyGram International has agreed to pay $125 million to settle charges that it covered up weaknesses in its anti-fraud program, <a href="https://www.ocregister.com/2018/11/08/moneygram-to-pay-125-million-in-penalties-tied-to-fraud-case/" target="_blank"><em>The Orange County Register</em> reports</a>. Those weaknesses resulted in $125 million in fraudulent transactions between April 2015 and October 2016. Moreover, MoneyGram violated a 2012 settlement with the U.S. Justice Department. It also violated a 2009 U.S. Federal Trade Commission (FTC) order that required the company to put anti-fraud measures in place. Both of those actions stemmed from a six-year investigation that found the company had been aware that its agents had tricked customers into sending money to fake accounts. </p><h2>Lessons Learned</h2><p>MoneyGram's website compiles advice on how consumers can avoid being defrauded when sending money (see <a href="https://bit.ly/1jR6xLu" rel="nofollow" target="_blank">https://bit.ly/1jR6xLu</a>). Although MoneyGram may provide this advice to meet regulatory compliance requirements, it also may offer the information because the company has been implicated in such fraud. However, none of these examples warn that the culprit of the attempted fraud could be a MoneyGram employee or agent.</p><p>What measures should MoneyGram and other cash-transfer companies consider to prevent and detect employees who try to perpetrate fraud on their clients? MoneyGram has more than 150,000 employees and agents around the world, so a comprehensive internal anti-fraud regime is essential. 
Here are three measures that could help:</p><ul><li> <strong>Increase the frequency and thoroughness of employee background checks before and after hiring. </strong>MoneyGram allegedly ignored thousands of complaints about a group of agents in the U.S. and Canada who handled hundreds of millions of dollars in transfers annually. Also, court findings in other fraud cases have alleged that many of MoneyGram's agents previously had been fired or suspended by competitor Western Union over fraud allegations. Yet, MoneyGram performed few background checks on those individuals.<br><br></li><li> <strong>Implement, monitor, and publicly report on the results of a complete whistleblower program for employees. </strong>In documenting its cases against MoneyGram going back many years, the FTC found that company managers often told employees to be quiet if they raised concerns about potential fraud by outsiders or employees. In some cases, employees who expressed concerns were disciplined or fired. <br><br>The FTC has alleged that MoneyGram "typically rejected or ignored employee concerns, claiming that they were too costly or that consumer fraud prevention was not the [company's] responsibility." The company operates a hotline through which employees and agents can report violations of its anti-fraud policies. MoneyGram should audit the program regularly to determine its effectiveness.<br><br></li><li> <strong>Institute a meaningful culture and practice of accountability.</strong> The FTC has repeatedly fined MoneyGram, saying the company knew its system was being used to defraud people but did nothing to stop it. As far back as 2009, U.S. investigators found that 131 of its 1,200 agents in Canada and the U.S. had solicited consumers to send them deposits via MoneyGram for lottery entries, guaranteed loans, and other schemes. These deposits accounted for more than 95 percent of fraud complaints MoneyGram received in 2008 regarding money transfers to Canada. 
The FTC further alleged that the employees responsible were never terminated.<br><br>Real accountability calls for moving beyond financial fines to discipline and potentially termination of individuals who perpetrate this kind of fraud. These individuals could include employees, supervisors, managers, senior executives, or board directors. MoneyGram has instituted anti-fraud accountability measures such as creating an ethics and compliance committee reporting to its board, as well as establishing two related executive positions. However, these actions have not generated enough results. <br></li></ul>
Art Stewart
An Injection of Fraudhttps://iaonline.theiia.org/2018/Pages/An-Injection-of-Fraud.aspxAn Injection of Fraud<p>​The CEO of a Michigan-based health-care group has pleaded guilty to charges of paying doctors to administer medically unnecessary injections "that resulted in patient harm," according to <a href="https://www.wxyz.com/news/west-bloomfield-health-care-ceo-pleads-guilty-to-fraud-involving-harmful-injections" target="_blank">WXYZ</a> in Detroit. In the $300 million scheme, Mashiyat Rashid, CEO of pain clinic operator Tri-County Wellness Group, rewarded doctors based on the number of back pain injections Medicare paid for. Many of the patients were addicted to opioids and agreed to receive the shots to obtain pills. As part of his plea, Rashid will forfeit more than $51 million as well as commercial and residential property he owns.</p><h2>Lessons Learned</h2><p>Medicare fraud continues to grow in size and scope, and now encompasses the widespread opioid crisis. Since 2007, the U.S. Medicare Fraud Strike Force has charged more than 4,000 defendants with billing the Medicare program for more than $14 billion collectively. </p><p>Fraudsters such as Rashid aim to profit illegally from schemes that harm taxpayers and expose patients to the dangers of opioid drugs. Internal auditors and regulators can help prevent these abuses by focusing on controls in several areas.</p><ul><li> <strong>Always look out for the "shell game." </strong>Fraudsters often cover up fraud by operating a seemingly innocent activity. Rashid owned, controlled, and operated numerous pain clinics, laboratories, and other providers in Michigan and Ohio. For nine years until his arrest in 2017, Rashid conspired with physicians to require Medicare beneficiaries who wished to obtain controlled substances to submit to expensive, medically unnecessary, and painful back injections. <br> <br>While it isn't known how many of these injections were forced on patients, U.S. 
Justice Department officials say Rashid and the doctors associated with his clinics distributed more than 6 million doses. Medicare eventually determined that 100 percent of the injection claims were not eligible for reimbursement. Auditors could have detected these red flags earlier using data mining techniques.<br> </li><li> <strong>Establish</strong><strong> robust controls over Medicare enrollment by fake companies.</strong> Shifting and multiple corporate registrations that trace back to the same owners is another red flag that might have been detected and investigated earlier in this case. The fraudsters created new shell companies that they enrolled in Medicare to keep the fraudulent billing going. Often, they only changed the name of the company on the door and invented new suite numbers to conceal themselves. <br> </li><li> <strong>Enhance whistleblower programs and incentives. </strong>Many patients implicated in Rashid's scheme were motivated by gaining access to opioid drugs. Publicizing these Medicare frauds and providing ways for patients to report their concerns to authorities without fear of reprisal can help uncover these crimes. Financial incentives can motivate whistleblowers to come forward. But the fraudsters offer incentives, too. Rashid paid kickbacks to obtain patients and bribed physicians to refer Medicare beneficiaries to specific third-party home health agencies.<br> </li> <li> <strong>Pay attention to significant lifestyle changes of senior executives.</strong> Even in the medical industry, where many people are highly compensated, there are lifestyle clues that can lead the U.S. Internal Revenue Service and financial fraud trackers to illegal activities. Rashid pleaded guilty to money laundering in connection with a $6.6 million wire transfer. He used the money to live extravagantly, purchasing a mansion and other real estate, as well as luxury clothes, rare watches, and exotic automobiles.</li></ul>Art Stewart0
The Fall of the Food Researcherhttps://iaonline.theiia.org/2018/Pages/The-Fall-of-the-Food-Researcher.aspxThe Fall of the Food Researcher<p>​A well-known food researcher has stepped down from his university teaching and research posts following the retraction of six of his papers, the <a href="https://nationalpost.com/news/world/cornell-review-finds-academic-misconduct-by-food-researcher" target="_blank"><em>National Post</em> reports</a>. The JAMA medical journals retracted the papers published by Cornell University professor Brian Wansink, after the university could not produce original data to verify the results of his research on consumer behavior. Reviews of Wansink's previous work allege that he had cherry-picked data points in his research to make the findings more likely to be published. Those reviews resulted in seven other papers being retracted. </p><h2>Lessons Learned</h2><p>According to Cornell, Wansink's academic misconduct also included misreporting data, problematic statistical techniques, failure to appropriately document and preserve research results, and inappropriate authorship. Researchers are not the only ones who engage in such practices. This kind of deception can arise from any sector of society, including corporations, governments, journalists, and educators.  </p><p>Internal auditors need to know about the various inappropriate ways data can be collected and used. They should maintain a skeptical stance regarding what they see in their audit work, including financial statements, management reporting of results, assessments of program effectiveness/efficiency, and compliance with standards. 
Here are some observations about three of the most relevant issues to this story — misreporting data, methodology, and data quality and integrity — along with a few suggestions about how to fix the problems.</p><ul><li> <strong>Misreporting data.</strong> The practice of <a href="https://www.theatlantic.com/science/archive/2015/08/psychology-studies-reliability-reproducability-nosek/402466/" target="_blank">"p-hacking,"</a> in which researchers slice and dice a data set until an impressive-looking pattern emerges, has become prevalent. Also common is publication bias, which is the tendency to favor publication of studies with positive results. The increased presence of the internet and social media has further accentuated the problem. <br><br>Misreporting data can take various forms, from tweaking variables to show a desired result, to pretending that a finding proves an original hypothesis — in other words, uncovering an answer to a question that was only asked after the fact. For example, in psychology research, a result usually is considered statistically significant when a calculation called a p-value is less than or equal to 0.05. But excessive data massaging can produce a p-value lower than 0.05 just by random chance, making a hypothesis seem valid when it's actually a chance result. An insightful paper on this topic can be found <a href="http://journals.sagepub.com/doi/abs/10.1177/0956797611417632" target="_blank">here</a>. <br><br>Sample sizes also matter in survey data analysis. They always should be reported — or at least made available — along with confidence levels and the methodologies applied to the data. Additionally, sample design and the avoidance of sample bias are important considerations in judging the validity of survey sample results.<br></li> <br> <li> <strong>Weak statistical methods. </strong>A related issue is the choice of statistics to represent the findings, and the importance of having a baseline/benchmark for expected results. 
A basic but prime example of the former is the bell curve. If you read that "the average of a group's score was five out of 10," that does not necessarily mean most scored a 5, as an "upright" bell curve would imply. The actual range of scores may be quite different. For example, half the group may have scored zero or one out of 10, and the other half nine out of 10 — which means that an "inverted" bell best represents the result. On the latter, understanding the differences between correlation and causation, and the use of a relevant baseline are important. <br><br>Here is a famous example: There is a strong positive correlation between the number of Nobel prizes the people of a country have earned and the quantity of chocolate eaten annually in that country. But this does not show that eating more chocolate will earn you a Nobel prize. Correlation does not imply causation. The countries that eat the most chocolate are the wealthier ones where chocolate is inexpensive and that tend to have more money to invest in education and research — resulting in more Nobel prizes.<br></li> <br> <li> <strong>Poor data quality and documentation.</strong> In many instances, researchers do not do enough to appropriately identify and categorize the quality of data used. This is particularly true where data sets originate from disparate systems or sources, historical data is used, and data definitions have not been validated for comparability. A systematic measurement of data quality and a disclosure against a standard (even a scorecard green, red, yellow type) alongside the published results would help alleviate problems of misinterpretation. And as data increasingly is captured electronically, it should be retained, along with its documentation, coding, and methodological routines.<br> </li></ul><p>Overall, pre-approval and pre-registration, including publicly, of research plans can help to address these three problems. 
That is especially the case when the specifics are addressed by stating exactly what the hypothesis is and what plans there are to test it and how. When these requirements are in place, there is less room for cherry-picking the most eye-catching results after the study is completed.</p><p>Wherever possible, more efforts should be made to run larger studies or replications, which are less likely to produce spurious results that get published. Researchers should describe their methods in more detail, and upload any materials or code to open databases, making it easier to review the basis of their work. Declaring the quality of the data used against a standard or benchmark also would help. And, journal editors should collaborate to establish and enforce consistently high standards for accepting and publishing research results.</p>Art Stewart0
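<p>The p-hacking effect and the pre-registration remedy described above can be checked by simulation. The following Python sketch is an added example, not part of the original article; the 20 outcome measures, the group size of 20, and the known-variance z-test are assumptions chosen for illustration.</p>

```python
import math
import random
from statistics import fmean

ALPHA = 0.05  # the significance threshold quoted in the article


def two_sided_p(group_a, group_b, sigma=1.0):
    """Two-sided p-value of a two-sample z-test (population sigma assumed known)."""
    std_err = sigma * math.sqrt(1.0 / len(group_a) + 1.0 / len(group_b))
    z = (fmean(group_a) - fmean(group_b)) / std_err
    return math.erfc(abs(z) / math.sqrt(2.0))  # equals 2 * (1 - Phi(|z|))


def run_null_study(rng, n_outcomes, n_per_group):
    """One study with NO real effect: both groups are drawn from the same N(0, 1)."""
    p_values = []
    for _ in range(n_outcomes):
        treated = [rng.gauss(0.0, 1.0) for _ in range(n_per_group)]
        control = [rng.gauss(0.0, 1.0) for _ in range(n_per_group)]
        p_values.append(two_sided_p(treated, control))
    return p_values


def simulate(n_studies=2000, n_outcomes=20, n_per_group=20, seed=2018):
    """Share of no-effect studies that still report a 'significant' finding."""
    rng = random.Random(seed)
    preregistered = cherry_picked = bonferroni = 0
    for _ in range(n_studies):
        p_values = run_null_study(rng, n_outcomes, n_per_group)
        # Pre-registered: the single hypothesis was fixed before seeing data.
        preregistered += p_values[0] <= ALPHA
        # p-hacked: test every outcome, report whichever one "worked".
        cherry_picked += min(p_values) <= ALPHA
        # Same fishing trip, but the threshold is divided by the number of tests.
        bonferroni += min(p_values) <= ALPHA / n_outcomes
    return {
        "preregistered": preregistered / n_studies,
        "cherry_picked": cherry_picked / n_studies,
        "bonferroni": bonferroni / n_studies,
    }


if __name__ == "__main__":
    for name, rate in simulate().items():
        print(f"{name:>14}: {rate:.1%} of no-effect studies look significant")
```

<p>With independent tests the expected cherry-picked rate is 1 - 0.95^20, about 64 percent, against 5 percent for the single pre-registered hypothesis.</p>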
The Creative Card Fraudhttps://iaonline.theiia.org/2018/Pages/The-Creative-Card-Fraud.aspxThe Creative Card Fraud<p>​The finance department at a Midwest university issued 28 purchasing cards (P-cards) to the university’s IT department so it could more easily purchase electronics and technology items and deliver them to the departments IT supported. P-card use at the university was decentralized, and all supporting purchase documents were maintained in each department. Every month, the university required the cardholder to provide supporting invoices and receipts for purchases, as well as the P-card statement, to his or her direct supervisor for review and approval before submitting. </p><p>Within IT, Lisa Moore recently was promoted from supply technician to operations support manager. Soon after her promotion, Michael Graham was hired as a supply technician within the department, reporting directly to Moore. The two were friends before they became co-workers in the same office.</p><p>Campus internal audit conducted regular reviews of departmental P-card transactions, which looked for risk factors such as high-dollar and high-volume purchases. In one such audit, the auditor in charge, Heath Crocker, noted that departmental cards’ activity as stated in the monthly bill did not match the supporting receipts in several instances. When Crocker questioned the IT department about the discrepancy, it insisted that the information on the bill was not accurate. Crocker then queried the university’s P-card coordinator, who confirmed that the information on the monthly bill is sometimes not accurate. The auditor accepted this explanation and did not take additional action — nor was this information provided to the auditor’s supervisor. As a result, internal audit missed the opportunity to uncover a fraud that lasted 15 months and cost the university $292,371. 
</p><p>Six months after the audit, an employee noticed a transaction on his P-card that he did not make and notified his manager of the discrepancy. Management conducted an internal review, and the university hired an accounting firm to review the P-card program and evaluate the internal control environment. Information about the theft was then handed over to the State Attorney General’s Office for further investigation and action. </p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​</strong><strong>Lessons Learned</strong></p><ul><li>Internal audit risks losing credibility when fraud activities go unnoticed. As a result, management will look to cosourced and outsourced relationships to ensure it has the resources necessary to protect the organization from fraud. <br> <br></li><li>Simply accepting that the monthly P-card statements may contain merchant errors on an ongoing basis led to a lack of detailed review and a breakdown of the approval process. Control improvements could have minimized or prevented the fraud.<br><br></li><li>Functional oversight can identify suspicious activities. Without additional reviews from individuals not directly connected to employees, red flags may not be identified and the fraud may be allowed to continue in plain sight. In this case, the director’s “review” was not an effective internal control in detecting discrepancies. <br> <br></li><li>Standardized budget analyses of purchases coded to categories of consumable inventories can identify increases in purchases that do not have an apparent business need. This type of review was not conducted in this case. 
<br> <br></li><li>The use of electronic software and appropriate system access set-up could have ensured effective segregation of duties — in this case, for the initiation, approval, and reconciliation of purchases.</li></ul></td></tr></tbody></table> <p>The investigation found that Moore and Graham were colluding to manipulate the system. They created fictitious purchase requests for merchandise in the office’s electronic purchasing tracking system. The items were generally office consumables that would not be tracked by the department’s inventory control system. Moore and Graham created false documents, including receipts and invoices for monthly P-card statement approval. They manipulated the receipts to retain the vendor’s main information while adjusting the merchandise itemizations. In addition, they created false receiving documents and logged into the software to update the false purchases as received in the tracking system. </p><p>Actual items purchased consisted of electronic/IT merchandise sourced from various vendors. Moore and Graham collected the items and resold them online. The falsified receipts sometimes listed items that were no longer available from the vendor listed on the P-card statement. </p><p>Moore’s P-card statements were reviewed by a director who provided oversight for several university departments. The director, Emily Darrough, noticed that the merchant information on the monthly P-card statements often did not reconcile with the receipts provided for support. However, Darrough was under the impression that the statements’ vendor information was often inaccurate and did not further question those discrepancies. Because Moore reviewed and approved Graham’s P-card statements, they went unquestioned. </p><p>By circumventing multiple internal controls, the employees were able to conceal the fraud for many months. 
Because the university had single transaction limits and monthly purchasing limits on P-cards in place, the fraudsters had to get creative. Once the monthly purchase amount on Moore and Graham’s cards had been reached, Moore used her influence to coerce her subordinates into giving her their P-cards to make additional, supposedly legitimate, purchases for the university. Moore also had access to the P-card numbers issued to all employees within the department. She and Graham used these numbers, without the physical P-card, to make additional purchases in their scam. </p><p>A combination of the decentralized nature of the business culture and the manual nature of the purchase review process led to the standard practice of reviewing the monthly card statements and supporting receipts/invoices just once, with document retention left to the cardholder. This placed responsibility on the single supervisory review of the card’s monthly statements. In addition, random undisclosed reviews by internal audit and other oversight functions cannot occur with this type of document retention methodology, as the documents cannot be viewed without the cardholder’s knowledge.</p><p>After an investigation that lasted almost two years, Moore was sentenced to 24 months to 60 months in state prison. A separate case was filed for Graham for a lesser dollar value of fraud, but, to date, he has not been sentenced. In addition, Moore was ordered to pay $292,371 in restitution to the university.<br></p>Emily E. Kidd1
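<p>The statement-to-receipt discrepancies that were explained away in this case, and the missing segregation of duties in the tracking system, are both checks that can be automated. The following Python sketch is an added example, not part of the original article or the university's systems; the record layouts, field names, and escalation threshold are hypothetical, and the sample data is constructed.</p>

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class StatementLine:          # what the card issuer billed
    txn_id: str
    card_id: str
    cardholder: str
    merchant: str
    amount_cents: int


@dataclass(frozen=True)
class Receipt:                # support submitted by the cardholder
    txn_id: str
    merchant: str
    amount_cents: int


@dataclass(frozen=True)
class TrackingEntry:          # purchase-tracking system record (hypothetical fields)
    txn_id: str
    requested_by: str
    received_by: str


def _norm(name):
    """Case- and punctuation-insensitive merchant key; real data needs an alias table."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def reconcile(statement, receipts, tracking, escalate_after=2):
    """Return (findings, cards_to_escalate) for one statement period."""
    receipt_for = {r.txn_id: r for r in receipts}
    entry_for = {t.txn_id: t for t in tracking}
    findings = []
    for line in statement:
        receipt = receipt_for.get(line.txn_id)
        if receipt is None:
            findings.append((line.txn_id, line.card_id, "NO_RECEIPT"))
        else:
            if _norm(receipt.merchant) != _norm(line.merchant):
                findings.append((line.txn_id, line.card_id, "MERCHANT_MISMATCH"))
            if receipt.amount_cents != line.amount_cents:
                findings.append((line.txn_id, line.card_id, "AMOUNT_MISMATCH"))
        entry = entry_for.get(line.txn_id)
        if entry is not None:
            if entry.requested_by == entry.received_by:   # no segregation of duties
                findings.append((line.txn_id, line.card_id,
                                 "SAME_USER_REQUESTED_AND_RECEIVED"))
            if entry.requested_by != line.cardholder:     # card used by someone else
                findings.append((line.txn_id, line.card_id, "CARD_USED_BY_NON_HOLDER"))
    # One mismatch may be a merchant error; a repeat on the same card is a pattern
    # that goes to a reviewer outside the cardholder's reporting line.
    doc_codes = {"NO_RECEIPT", "MERCHANT_MISMATCH", "AMOUNT_MISMATCH"}
    per_card = Counter(card for _, card, code in findings if code in doc_codes)
    escalate = sorted(card for card, n in per_card.items() if n >= escalate_after)
    return findings, escalate


# Constructed sample data (not from the case): three cards, five transactions.
SAMPLE_STATEMENT = [
    StatementLine("T1", "C-01", "emp_a", "Campus Office Supply", 4599),
    StatementLine("T2", "C-01", "emp_a", "Online Electronics Outlet", 89900),
    StatementLine("T3", "C-01", "emp_a", "Online Electronics Outlet", 129900),
    StatementLine("T4", "C-02", "emp_b", "Campus Office Supply", 2350),
    StatementLine("T5", "C-03", "emp_c", "Online Electronics Outlet", 74900),
]
SAMPLE_RECEIPTS = [
    Receipt("T1", "Campus Office Supply", 4599),
    Receipt("T2", "Campus Office Supply", 89900),
    Receipt("T3", "Campus Office Supply", 129900),
    Receipt("T4", "campus office supply", 2350),
    Receipt("T5", "Campus Office Supply", 74900),
]
SAMPLE_TRACKING = [
    TrackingEntry("T1", "emp_a", "emp_d"),
    TrackingEntry("T2", "emp_a", "emp_a"),
    TrackingEntry("T3", "emp_a", "emp_a"),
    TrackingEntry("T4", "emp_b", "emp_d"),
    TrackingEntry("T5", "emp_a", "emp_a"),
]

if __name__ == "__main__":
    found, escalate = reconcile(SAMPLE_STATEMENT, SAMPLE_RECEIPTS, SAMPLE_TRACKING)
    for txn_id, card_id, code in found:
        print(txn_id, card_id, code)
    print("escalate:", escalate)
```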
The CEO and Social Mediahttps://iaonline.theiia.org/2018/Pages/The-CEO-and-Social-Media.aspxThe CEO and Social Media<p>​In the U.S. Securities and Exchange Commission (SEC) fraud suit against Tesla Inc. CEO Elon Musk, the SEC alleged Musk issued "false and misleading" statements and failed to notify regulators of "material company events." <a href="https://www.cnbc.com/2018/10/11/reuters-america-update-6-ft-says-james-murdoch-in-line-for-tesla-chair-musk-reply-incorrect.html?&qsearchterm=Tesla" target="_blank">CNBC reports</a> that in August, Musk tweeted, "Am considering taking Tesla private at $420. Funding secured." The tweet sent Tesla stock spiraling for weeks. Among other remedies, the SEC wanted Musk barred from serving as an officer or director of a publicly traded company. On Oct. 10, the SEC, Tesla, and Musk submitted a joint filing with the U.S. District Court, Southern District of New York, in support of a settlement, claiming the terms were in the best interest of investors. According to the settlement, Musk must pay a $20 million fine, and step down as Tesla's chairman for three years. Although not charged with fraud, Tesla agreed to accept a $20 million fine.</p><h2>Lessons Learned</h2><p>Since early 2014, the SEC enforcement division has increased its focus on internal control-related cases. The charges brought against Musk clearly illustrate how the scope of the SEC's focus on internal control rules is much broader than the typical questions that surround the completeness and accuracy of financial reports. It also brings up new questions about the appropriate use of social media by corporate leaders.</p><p>Board chairmen, CEOs, and chief financial officers, along with other senior company officials, are considered "control persons" for purposes of liability under various securities laws and SEC rules enforcing those laws. As such, they possess certain responsibilities regarding internal controls, which the SEC takes very seriously. 
As in this article, the consequences for failure to meet these responsibilities can be severe. However, auditors and management can help put in place precautions to help prevent running afoul of SEC rules.  </p><ul><li>Developing, implementing, maintaining, and auditing/testing the effectiveness of a comprehensive set of internal controls is a fundamental requirement. There is considerable guidance available on this, including that which has been explicitly developed to reflect SEC requirements. One good example is The IIA's Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners. Internal controls clearly must address corporate governance, including communications — encompassing social media — regarding not only financial records and reports, but also business and investment related matters, past, current, and future.<br> </li><li>With particular regard to the circumstances surrounding Musk's use of social media, it is a little less clear what types of internal controls are required. In 2013, the SEC made clear that companies can use social media outlets like Facebook and Twitter to announce key information in compliance with Regulation Fair Disclosure so long as investors have been alerted about which social media will be used to disseminate such information. Netflix's CEO was investigated for a potentially improper release of a statement related to subscription sales, which in turn had an impact on the company's stock price, but the SEC did not pursue the matter. Presumably, Tesla has done its homework on this aspect. However, internal controls typically presume segregation of duties, but that can be quite powerless against a management override. It seems clear Musk did not consult anyone before musing on the possibility of taking Tesla private. </li></ul><p> </p><p>Short form social media vehicles such as Twitter and Facebook represent a convenient means of communications available to all. 
They also represent a modern fraud risk to be assessed and mitigated, including through social media policies, board director training, and performance monitoring. </p>Art Stewart0
Taking the City for a Ridehttps://iaonline.theiia.org/2018/Pages/Taking-the-City-for-a-Ride.aspxTaking the City for a Ride<p>The former head of the Phoenix area's transit service has pleaded guilty to fraud charges of misusing public funds for personal purposes, <a href="https://www.azcentral.com/story/news/local/phoenix/2018/09/10/ex-valley-metro-ceo-stephen-banta-pleads-guilty-fraud-after-republic-inquiry/1249374002/"><em>The Arizona Republic</em> reports</a>. The plea comes three years after <em>The Republic</em>'s 2015 investigation alleged that then-Valley Metro CEO Stephen Banta spent public funds for first-class air travel and dinners. The state auditor general and attorney general allege that the amount of funds was more than $32,000. Moreover, a 2015 city of Phoenix audit found $315,000 in "questionable expenses" by Banta and the Valley Metro staff. The plea deal calls for Banta to serve one year of probation, but he could be sentenced to up to one year in prison and ordered to pay a $150,000 fine.</p><p><strong>Lessons Learned</strong></p><p>An effective combination of investigative journalism and internal auditing by the Phoenix city auditor has uncovered flagrant abuse and fraud involving several hundreds of thousands of dollars in travel, business and relocation expenses, and other benefits received by former CEO Stephen Banta. <a href="https://drive.google.com/viewerng/viewer?url=http://archive.azcentral.com/persistent/icimages/watchdog/valleymetroaudit04282016.pdf">The auditors' report</a> (PDF) contains several appropriate recommendations concerning major control weaknesses in Valley Metro's management of travel and business expenses that should help address and prevent future such occurrences. 
Here are the most important ones, along with some additional suggestions.</p><p><strong>Governance review.</strong> There should be a thorough review and adjustment, where necessary, of  Valley Metro's board governance and accountability regime along with its control framework and policies. This is particularly necessary as it relates to ethics, the performance of board directors and executives, executive compensation, and controls over executive travel and benefits activities. Note that the internal auditors found that Banta and several other employees were in violation of several policies. This would be an opportunity to remedy several gaps found by internal auditors, including:</p><ul><li><span style="font-size:12px;">Specific language and compliance monitoring to ensure coverage of all executives by ethics and travel/business expense policies. For example, the agency had an ethics policy, but no one ensured that the CEO signed it.</span><br></li><li><span style="font-size:12px;">Increasing rigor in segregation of duties over approvals of travel and business expenses to prevent cronyism. Two senior staff members working directly for Banta authorized $115,000 in additional pay so he could avoid paying taxes on relocation travel expenses.</span><br></li><li><span style="font-size:12px;">Enforcement of requirements to provide documentation before and after approvals. The organization also should ensure that compliance with allowable persons and maximums of travel, relocation, and business expenses are enforced. One particular example of the former is that Banta and staff did not comply with policy requirements to submit itemized receipts for meals, including those they had together. This resulted in questionable dining expenses, which were wasteful and represented preferential treatment or a conflict of interest. An example of the latter is that Banta flew first class and paid higher hotel room rates than allowed. 
He also misused travel expenses by registering his wife and unidentified guests at conferences, traveling for no business purpose, or having no documentation. Furthermore, Banta and his wife took more than 50 relocation-related trips between Phoenix and Portland, Ore., where they had another home.</span><br></li><li><span style="font-size:12px;">Written policies and procedures regarding the process of awarding bonus pay. This gap resulted in overpayments to </span><span style="font-size:12px;">Banta.</span><br>​</li></ul><p><span style="font-size:12px;"><strong>Vacation and leave policy. </strong>Vacation and other types of leave policies must be consistently enforced for all employees, including executives. Banta took at least 50 days off and did not count it as vacation time, but no one challenged this. Similarly, all employees should account for all absences from the office. Banta went golfing many times during the workday, and most of the outings were found to not have a business purpose. <br></span></p><p><span style="font-size:12px;"></span><strong style="font-size:12px;">Board performance reviews.</strong><span style="font-size:12px;"> Regular and transparent reviews of board and executive performance are also essential. In this story, it appears that the performance of the chief financial officer, who approved many of Banta's questionable expenses, went unnoticed for too long.</span></p><p><span style="font-size:12px;"></span></p>Art Stewart0
