<h1>The Fraud Behind the Flags</h1><p>After Greg Kane was promoted to director of internal audit at State Elder Care Co., a management firm for 54 long-term senior citizen care centers in Florida, his first objective was to refresh the risk assessment process. In his opinion, the previous director had been too loose in his approach.</p><p>Kane met with department leaders as part of the risk assessment, including Tom Anderson, the director of purchasing. Purchasing was identified as an increasingly high-risk area because of the volume of spending and the absence of an internal audit in the last five years. According to Anderson, the department was deeply focused on a cost-savings initiative led by the chief operating officer, Dianna Foster. When asked how the initiative was going, Anderson eagerly explained that 80% of spending from the 54 centers had been consolidated to better leverage purchasing's buying power and reduce costs.</p><p>Kane presented his risk assessment and internal audit plan to the audit committee, which included a review of the purchasing department. Foster resisted the inclusion of purchasing, insisting that the cost-savings initiative was not complete and that an audit would halt improvements. The audit committee agreed to the review, primarily based on Kane's insistence that a high-risk area should not be ignored for more than five years.</p><p>Internal auditors started the review by testing purchasing controls and performing a high-level analysis of purchasing data, which included looking at overall spending trends by year. They also conducted walk-throughs of purchase order approvals, vendor master file additions, and the bid process. Satisfied with well-documented and well-performed controls, the auditors chose a sample of 30 purchased items and services and tested them through all purchasing controls. 
Each test was perfect, with three bids for each product, the best bid selected, approvals documented, and authorization levels followed.</p><p>When Kane met with his team, one auditor had an unusual comment about one of the samples — the 900 flags purchased the previous year for $150 each for the centers. Having never considered the cost and durability of a flag before, the auditor thought this seemed like a large expense. A quick Google search found that reasonable, quality flags last approximately 90 days and cost around $40. This resulted in a potential overspend of ($150 – $40) × (900 – 200) = $77,000.</p><p>Kane double-checked all the workpapers. Everything was in accordance with the purchasing policy, and controls appeared to be in place. And then it hit him: the audit team had not looked into the vendors. He Googled the flag vendor but was unable to find a website. However, he learned that it had been incorporated just two years before.</p><p>With this new insight, Kane and his team identified every item whose spending had increased by 10% or more each year. Several items popped up, adding up to a total expenditure of roughly $200 million. The data showed that spending on these items had nearly doubled each year. Nearly half of the items in this sample were being provided by new vendors.</p><p>The team then investigated each vendor within the bid process. Each bid appeared legitimate, but many of the companies providing the bids had been formed recently and had no website. A few companies were consistently part of the bid process, whether they won or lost. When reviewing past bids, the team noticed that, in many cases, previous vendors had not been included in the bid process. Kane's team documented its findings in preparation for a meeting with Anderson.</p><p>Kane explained that because of what he had found with the flags, he decided to look at more data. Anderson turned pale. 
Kane asked how procurement had chosen the flag vendor and how often the flags needed to be replaced. After a long silence, Anderson explained in a quivering voice how he and his team had worked hard on cost savings and made great progress each year. Because he was short staffed, Foster helped administer bids for some of the items. It seemed like a great idea at first, but the number of items Foster managed grew each year.</p><p>Anderson admitted to rubber-stamping many of the bids and approvals, assuming everything was above board. They were getting the same quality items they needed and cost savings were going up each year, so he did not think much of it. But he became concerned two years earlier, after one of his long-term vendors contacted him about being excluded from the bid process. Anderson looked into the bid and was surprised to see that it came in higher than expected.</p><p>Kane and his team then looked into all the bids to identify the vendors. Twenty-one recently formed companies were new vendors to the company. Further investigation revealed that many of them were registered to Erin Foster, Dianna's sister. Kane and the vice president of legal went directly to the audit committee with their concerns.</p><p>For five years, Dianna Foster hid a $15 million fraud behind the purchasing department's cost-savings initiative. She threatened to take business away from vendors if they did not agree to increase their costs by 20% to 30% and give her 80% of the increase as a kickback. One vendor, a hospice provider, agreed to pay Foster a personal referral fee for every senior referred from one of the elder care facilities. By year two, she realized that it would be easier to create companies and include them in the bidding process. The companies, run by her sister, would act as the pass-through for the business — buying the items from the prior vendor, marking up the prices, and splitting the money. 
</p><p>Dianna Foster was eventually arrested and sentenced to six years in jail and ordered to pay restitution. The organization of vendors Erin Foster created included 16 different companies and 87 unique bank accounts. Erin Foster was sentenced to three years in jail and ordered to pay restitution.</p><h2>Lessons Learned</h2><ul><li>Assume every unanswered question is important. In this case, the fraud would have gone undetected if not for the question about the flags. These unanswered questions do not always lead to fraud, but they will always add context to the state of the business and help demonstrate an understanding of the process reviewed by internal audit.</li><li>Analyzing data can be a powerful tool. However, it is always significantly more powerful when internal auditors know what questions to ask. Running ad hoc analytics midway through an internal audit is a great supplement to running a standard set of analytics at the start.</li><li>Adjust procedures based on risk. Plans are based on assumptions and should be adjusted once new information is discovered. The value of internal audit is not in meeting deadlines, but in helping to identify areas of improvement. As the risk of a process increases with new information, the potential value of audit procedures also increases.</li><li>High-risk areas should always be reviewed regularly. The possibility of a review each year would have prevented this fraud, as Foster would have been more fearful of getting caught. Each year after the first incident, the fraud nearly doubled in size. Catching the perpetrator in year three would have saved the company nearly $10 million. Compared with the 300 hours of internal audit time and about 40 hours of purchasing employee time, that is a high return on investment.</li></ul><p>Bryant Richards</p>
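<p>The ad hoc analytics the audit team ran, as an added example that is not part of the original article: constructed purchasing, vendor and bid records (not the company's data) are screened for the red flags the story describes, namely spend rising 10% or more every year, suppliers first used shortly after incorporation and with no website, the same bidder group recurring whoever wins, and the incumbent supplier being left out of a later bid. The auditor's $77,000 flag calculation is reproduced as a helper.</p>

```python
"""Ad hoc purchasing analytics modelled on the flags case.

All records below are constructed for this example. The checks implement the
red flags the audit team used: spend on an item rising 10% or more in every
consecutive year, suppliers first used shortly after incorporation or with no
website, the same bidder group recurring across bids, and the incumbent
supplier missing from a later bid.
"""
from collections import Counter, defaultdict

# Constructed purchase history: (item, year, vendor, quantity, unit_price)
PURCHASES = [
    ("flags", 2017, "Coastal Flag Supply", 300, 40.0),
    ("flags", 2018, "Sunrise Supplies LLC", 600, 90.0),
    ("flags", 2019, "Sunrise Supplies LLC", 900, 150.0),
    ("linens", 2017, "Gulf Textiles", 5000, 12.0),
    ("linens", 2018, "Gulf Textiles", 5100, 12.5),
    ("linens", 2019, "Gulf Textiles", 5000, 12.4),
    ("gloves", 2017, "MedSupply Inc.", 20000, 0.10),
    ("gloves", 2018, "Palmetto Medical LLC", 21000, 0.15),
    ("gloves", 2019, "Palmetto Medical LLC", 22000, 0.22),
]

# Constructed vendor master: incorporation year and whether a website was found
VENDORS = {
    "Coastal Flag Supply": {"incorporated": 1998, "website": True},
    "Sunrise Supplies LLC": {"incorporated": 2017, "website": False},
    "Gulf Textiles": {"incorporated": 2003, "website": True},
    "MedSupply Inc.": {"incorporated": 1995, "website": True},
    "Palmetto Medical LLC": {"incorporated": 2017, "website": False},
    "Bayside Trading LLC": {"incorporated": 2017, "website": False},
}

# Constructed bid records: (item, year, bidders, winner)
SHELL_GROUP = ["Sunrise Supplies LLC", "Bayside Trading LLC", "Palmetto Medical LLC"]
BIDS = [
    ("flags", 2018, SHELL_GROUP, "Sunrise Supplies LLC"),
    ("flags", 2019, SHELL_GROUP, "Sunrise Supplies LLC"),
    ("gloves", 2018, SHELL_GROUP, "Palmetto Medical LLC"),
    ("linens", 2018, ["Gulf Textiles", "Coastal Flag Supply", "MedSupply Inc."], "Gulf Textiles"),
]


def estimated_overspend(unit_paid, unit_benchmark, qty_bought, qty_reasonable):
    """The auditor's back-of-envelope figure: ($150 - $40) x (900 - 200) = $77,000."""
    return (unit_paid - unit_benchmark) * (qty_bought - qty_reasonable)


def spend_by_item_year(purchases):
    """Total spend per item per year."""
    spend = defaultdict(dict)
    for item, year, _vendor, qty, price in purchases:
        spend[item][year] = spend[item].get(year, 0.0) + qty * price
    return spend


def sustained_growth_items(purchases, min_growth=0.10):
    """Items whose spend rose by at least min_growth in every consecutive year."""
    flagged = []
    for item, by_year in spend_by_item_year(purchases).items():
        years = sorted(by_year)
        if len(years) > 1 and all(
            by_year[b] >= by_year[a] * (1 + min_growth) for a, b in zip(years, years[1:])
        ):
            flagged.append(item)
    return sorted(flagged)


def suspicious_vendors(purchases, vendors, max_age_years=2):
    """Vendors first used within max_age_years of incorporation, or with no website."""
    first_use = {}
    for _item, year, vendor, _qty, _price in purchases:
        first_use[vendor] = min(year, first_use.get(vendor, year))
    findings = {}
    for vendor, year in sorted(first_use.items()):
        reasons = []
        if year - vendors[vendor]["incorporated"] <= max_age_years:
            reasons.append("recently incorporated")
        if not vendors[vendor]["website"]:
            reasons.append("no website")
        if reasons:
            findings[vendor] = reasons
    return findings


def recurring_bidder_sets(bids, min_occurrences=2):
    """Identical bidder groups that reappear across bids, whoever won."""
    counts = Counter(frozenset(bidders) for _item, _year, bidders, _winner in bids)
    return {tuple(sorted(group)): n for group, n in counts.items() if n >= min_occurrences}


def incumbent_excluded(purchases, bids):
    """Bids where the item's supplier in the prior year was not among the bidders."""
    supplier = {(item, year): vendor for item, year, vendor, _qty, _price in purchases}
    return [
        (item, year, supplier[(item, year - 1)])
        for item, year, bidders, _winner in bids
        if (item, year - 1) in supplier and supplier[(item, year - 1)] not in bidders
    ]


if __name__ == "__main__":
    print("overspend on flags:", estimated_overspend(150, 40, 900, 200))
    print("sustained growth:", sustained_growth_items(PURCHASES))
    print("suspicious vendors:", suspicious_vendors(PURCHASES, VENDORS))
    print("recurring bidder sets:", recurring_bidder_sets(BIDS))
    print("incumbent excluded:", incumbent_excluded(PURCHASES, BIDS))
```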
<h1>Building Scheme Is No Big Hit</h1><p>It's like a country song where a bad deal has gone down. Federal prosecutors say Arizona businessman Frank Capri defrauded developers and contractors throughout the U.S. by entering deals for branded restaurants that were never built, <a href="" target="_blank">the <em>Arizona Republic</em> reports</a>.</p><p>According to a <em>Republic</em> investigation, Capri's company, Boomtown Entertainment, licensed the names of country music stars Toby Keith and Rascal Flatts to establish restaurants at malls. Boomtown built 20 Toby Keith restaurants and made deals to develop more restaurants, which were never built.</p><p>Instead, authorities say Capri and his associates funneled construction money into their own accounts and covered it up using fraudulent paperwork, fabricated contractors, and forged signatures. Nineteen Toby Keith restaurants have closed since 2013, and Boomtown became insolvent. Toby Keith and Rascal Flatts are not implicated in the alleged fraud.</p><p>Capri and his associates face wire fraud, money laundering, and conspiracy charges. Separately, civil court judges have ordered Capri to pay $65 million in civil judgments.</p><h2>Lessons Learned</h2><p>Global studies by the Association of Certified Fraud Examiners (ACFE) have consistently ranked real estate and construction fraud as the second or third most costly frauds in terms of median loss, with estimated average losses of more than $600,000. Construction companies can be both the victims of this type of fraud and the perpetrators.</p><p>ACFE's studies also note that most occupational frauds in all industries were committed by individuals at the employee or managerial level. Most often these individuals work in accounting, operations, sales, and executive management. Not surprisingly, the higher the fraudster's authority level, the greater the losses. 
Overall, more than half were with their firms or in business relationships for more than five years.</p><p>Capri's alleged fraud encompasses many of the most common types of construction fraud schemes, including:</p><ul><li>False representations.</li><li>Diverting money intended for construction purchases through money laundering and mail fraud.</li><li>Nonpayment of subcontractors and materials suppliers.</li><li>Falsifying payment applications.</li><li>Billing for unperformed work.</li></ul><p>Auditors should not overlook an additional group of fraudulent activities that does not appear as a central part of this story, such as:</p><ul><li>Diverting lump-sum cost to time-and-material costs.</li><li>Substituting or removing materials, usually for lower quality items.</li><li>Manipulating change orders.</li><li>Subcontractor collusion.</li><li>Theft of equipment or tools.</li></ul><p>The need to have a strategy to prevent and detect construction fraud extends to a broad range of individuals and businesses involved in construction projects. These include investors — especially wealthy, famous, and busy investors — lawyers, real estate companies, property developers, and property management companies.</p><p>Particularly in the somewhat unusual circumstances of this fraud involving individuals in the entertainment industry, the best way to prevent and detect fraud on a construction project is careful oversight by both the owner/investor and a trusted management team. There are three specific measures auditors and their organizations should take for such projects.</p><p><strong>Conduct Due Diligence</strong> When entering into a business relationship and hiring people for a project, especially larger scale national projects, perform research on the individuals' backgrounds, including reference checks. Where warranted, these can be conducted by private investigators. 
A "wheeler dealer" or anti-controls attitude can be a sign of future fraud trouble.</p><p>Local and established contractors can be better choices to reduce the possibility of fraud. Be well-informed about local market conditions, availability of competition, and bid pricing of comparable projects in the area.</p><p>Also, become familiar with their business structure and the people involved. Many times the people who appear to be primarily involved in the business will have relationships with others, such as subsidiary companies. They may have family members who are trying to conceal who the principal is.</p><p>If the primary investors don't have the time to perform due diligence, they should engage a manager, accountant, compliance officer, or similar professional to do it.</p><p><strong>Ensure Projects Are Monitored Effectively</strong> A designated person, such as a chief compliance officer, should be a communication point between contractors on the project and the investor/owner/management team. This compliance officer should conduct initial investigations as well as ongoing reviews. Continuous monitoring is a simple way to decrease the likelihood of fraud. The compliance officer also should be empowered to conduct periodic audits and be able to review payrolls, invoices, and contracts.</p><p><strong>Stay Alert</strong> Fraud occurs when people stop paying attention. Implementing some of these measures early on will help in the long run, but as a baseline action, staying alert can help ward off construction fraud. Litigation costs money, violations can lead to lawsuits and even criminal charges, and a history of fraud can destroy reputations. Always be vigilant!</p><p>Art Stewart</p>
<h1>The Shady Stockbroker</h1><p>The stockbroker promised his clients a "no lose" investment, but now he is on trial for fraud, <a href="" target="_blank">CBS News reports</a>. Prosecutors allege Anthony Diaz sold high-risk, high-fee alternative investments and filed false documents with the U.S. Securities and Exchange Commission (SEC) about clients' suitability to invest in those products. Additionally, the advertised guarantee rates of return were "highly speculative" and tied up clients' money for long periods, court documents allege.</p><p>Diaz is no stranger to controversy. Five brokerage firms have fired him, and he was permanently barred from trading in 2015. The Financial Industry Regulatory Authority (FINRA) ordered Diaz to pay $4 million in damages to former clients two years ago, but the organization says he has not complied.</p><h2>Lessons Learned</h2><p>The stockbroker's alleged illegal activities highlight the importance of investor self-education and awareness, as well as the role of FINRA, the U.S. financial industry's self-regulatory body. FINRA oversees more than 630,000 brokers across the U.S. Its BrokerCheck system — providing information on cases of broker misconduct and illegality — lists several thousand brokers, demonstrating the huge scale of broker misconduct. The cases go back a decade or more.</p><p>While BrokerCheck is a useful tool for investors, FINRA also provides other tools, such as investor education materials, an inventory of disciplinary actions against brokers, and a whistleblower hotline. Here are some suggestions that could help FINRA in its anti-fraud efforts.</p><ul><li>In its For Investors section, <a href="" target="_blank">FINRA's website</a> lists numerous reasons for filing a complaint, such as potential fraud and misrepresentation. 
However, there is only an "other" category for individuals who want to learn about how to file a complaint and the problems that FINRA may address versus those that the SEC handles. FINRA should make broker fraud and misrepresentation a more explicit category of complaint. Moreover, it should provide more detailed information about how investors can identify these activities.</li><li>Investors need to be aware of the types of prohibited conduct for brokers, including the kind of illegal activity Diaz is alleged to have committed. However, FINRA's Investor Complaint Center only references this information as "see definitions below." FINRA's website should display this information more prominently within its BrokerCheck, Investor Complaint Center, and Rules and Guidance sections.</li><li>Broker misrepresentations and falsification of investor credentials and approvals are among the prohibited conduct. FINRA requires brokers to submit this information for monitoring. However, it is less clear what FINRA's monitoring specifically consists of and whether it could be strengthened to help prevent broker fraud.</li><li>Any strategy to deter fraudulent activity should publicize cases where individuals have been found guilty of fraud. While BrokerCheck provides extensive information regarding individual cases of brokers' prohibited conduct or fraud, FINRA's media center does not mention these cases. FINRA should provide regular updates, such as highlighting these cases quarterly or at least annually and linking readers to BrokerCheck for more information. These updates also would be an opportunity for FINRA to summarize trends, including cases where judgments and awards occurred, as well as cases that were settled, withdrawn, or denied.</li><li>The SEC should consider what it might do to strengthen rules and requirements over FINRA's self-regulatory efforts. 
Specifically, the SEC should require much greater transparency and disclosure of fraud cases, including names and details.</li><li>In 2017, FINRA launched FINRA 360, a "comprehensive self-evaluation and organizational improvement initiative." Part of that initiative brings together two distinct enforcement teams. The first team comprises the surveillance and examination programs that handle disciplinary actions related to trading-based matters. The second team deals with cases referred from other regulatory oversight divisions, including Advertising Regulation, Corporate Financing, Member Regulation, and the Office of Fraud Detection and Market Intelligence. Some of the previous suggestions may help this integration to better fight fraud.</li></ul><p>Art Stewart</p>
<h1>Running on Empty</h1><p>At the end of the third business quarter, Sten Lepp, the chief audit executive at NorthStar Energy Corp., received an email from the head of sales, Henry Klassen:</p><p><em>“For your information, on the 8th of July, we discovered that a salesperson, Andy Pine, used standard consumption graphs for certain customers instead of the customers’ actual consumption history. Thus, sales to those clients were made with wrong assumptions. As soon as we discovered the manipulation, I had Pine write an explanatory letter and sent him home. We are processing termination documents, and I intend to deduct sales bonuses from his last paycheck to recoup monies. I am truly sorry for the incident. As a manager, it is difficult when a team member breaches trust.”</em></p><p>After reading the email, Lepp wanted to better understand exactly how the salesperson had manipulated sales. How had such a standardized business process become so trust-based? The email looked like an attempt to sweep the matter under the rug as quickly as possible, so Lepp initiated an internal investigation.</p><h2>Lessons Learned</h2><ul><li>Don’t jump to conclusions. Just because the prime suspect was no longer with the company and Klassen assured everyone that the incident had been taken care of doesn’t mean there isn’t much to investigate. When beginning an investigation, avoid assessments and conclusions early on and keep an open mind.</li><li>Use professional skepticism instead of falling victim to truth bias, the tendency to believe what one sees or hears. The investigators first interviewed Klassen, who was cooperative and ready to explain the sales process and fraud scheme. While the chief investigator then compiled a summary of Pine’s deeds, the effective resolution, and the incident’s low impact, the other investigation team member decided to talk to the portfolio analyst. By talking to the analyst, the investigator learned that Klassen was not telling the truth and that the loss from those contracts was more substantial than a single person’s bonuses. The analyst also revealed that Pine and Klassen were close friends.</li><li>Have a thorough investigation plan. List all employees to be interviewed and in what order. Never start with those who could potentially be main suspects. Had the auditor not decided on her own to talk to the portfolio analyst, the team never would have discovered that Klassen was less than truthful. Make sure investigation steps and responsibilities are listed, as well as what evidence is most likely needed. Agree ahead of time on communication channels and frequency, where evidence is stored and how it is indexed, and set and monitor deadlines for each step of the investigation.</li><li>Understand business context. Klassen succeeded in undermining the impact of the fraud because he focused everybody’s attention on bonuses overpaid to a single salesperson rather than the lack of controls within the sales system. If you are not familiar with the business, step back to read through manuals and related procedures, and interview employees.</li><li>Conduct due diligence by preserving evidence. The decision to turn the case over to law enforcement may be reached several months later, but the evidence should still be available and the chain of custody must be clear.</li></ul><p>The pricing strategy for each customer was based on the customer’s profile. One of the inputs that shaped the profile was the customer’s historical energy consumption data, which was used to project future consumption patterns. 
The pricing model then calculated the minimum selling price, allowing the salesperson to add a margin to that price while maintaining customer relations. This margin was shared between the salesperson and the company, and the salesperson’s bonus was a percentage of the added margin. </p><p>In the previous year, energy market prices increased, resulting in a higher precalculated base selling price. Most of the sales team was struggling to add every cent to the sales margin without customers complaining about the cost increases. Pine, however, completed contracts and bragged about his bonuses. His colleagues grew curious, but no one dared to ask Klassen because of his close friendship with Pine. Their chance came when Klassen left for a scheduled vacation and Helina Saar, a recent hire, came in as his temporary replacement. </p><p>When the other salespeople approached Saar about the discrepancies in bonuses, she accessed Pine’s portfolio in the sales system and found that he used creative solutions to ensure his bonuses while his co-workers struggled. Specifically, he changed the presumably unchangeable — the customer’s profile. He manually changed inputs to the pricing model in the sales system. Instead of using the customer’s real historic consumption data, Pine entered the customer’s consumption as a single value, so the system disregarded real consumption patterns and distributed consumption equally, calculating lower base prices. Lower base prices allowed Pine to add the desired margin and receive a larger bonus from each sale. </p><p>Saar talked about her findings with the portfolio analyst responsible for monthly sales results reporting, who then approached her supervisor to confirm the findings. The supervisor waited until Klassen returned from his vacation and informed him about Pine’s contracts. Klassen had no choice but to fire Pine. 
</p><p>The investigation unveiled several key findings:</p><ul><li>The sales process manual had not been reviewed for more than five years, and actual practices deviated substantially. There were no controls or monitoring from the head of sales or anyone else.</li><li>No attention was paid to the development of the sales information system. As a result, IT controls were not performing as intended and could be easily overridden with no one noticing.</li><li>Bonuses were paid out immediately based on forecasted revenues, and actual execution of sales contracts was not monitored, which invited fraudulent behavior from sales personnel.</li><li>Klassen and Pine owned and ran an online retail business together. Though it was in an unrelated business sector and did not breach NorthStar’s code of conduct, the investigation found that they took care of their affairs during business hours. Therefore, Klassen was paying little attention to what was going on in the sales unit.</li></ul><p>NorthStar, of course, suffered losses from such deals, as it will have to cover energy costs from the customers’ real consumption patterns.</p><p>As a result, the company completely restructured the sales process, supporting information system, and bonus principles; contacted law enforcement; reviewed whistleblowing channel effectiveness; and fired Klassen.</p><p>Anna Kon</p>
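<p>An added example, not from the article or from NorthStar's systems, of the control the sales system lacked. The pricing model is an assumption made for this illustration (the minimum selling price is the consumption-weighted average of hourly supply cost), and the hourly costs, meter readings and contracts are constructed. It shows why a single value spread evenly across the day yields a lower base price than a customer's real peak-heavy usage, and reconciles each contract's pricing profile with metered history to flag the override and size the exposure.</p>

```python
"""Illustration of the NorthStar control gap.

The pricing model here is an assumption made for this example (the article
does not describe NorthStar's): the minimum selling price per MWh is the
consumption-weighted average of hourly supply cost. Costs and meter data are
constructed. Entering a single value spreads consumption evenly over the day,
which underweights expensive peak hours and lowers the base price.
"""

# Constructed hourly supply cost (currency units per MWh), hours 0..23
HOURLY_COST = [30] * 6 + [45, 60, 80, 85, 85, 80, 70, 65, 70, 80, 95, 110, 100, 85, 60, 45, 35, 30]

# Constructed metered daily profile (MWh per hour) for a daytime-heavy customer
METERED = [1] * 6 + [2, 4] + [6] * 10 + [4, 3] + [1.5] * 4


def base_price(profile, hourly_cost=HOURLY_COST):
    """Minimum selling price per MWh: cost weighted by the hour-by-hour profile."""
    return sum(c * q for c, q in zip(hourly_cost, profile)) / sum(profile)


def flat_profile(total_mwh, hours=24):
    """What the sales system did with a single-value input: spread it evenly."""
    return [total_mwh / hours] * hours


def is_flat(profile):
    """A profile with no shape at all is a sign that history was overridden."""
    return max(profile) == min(profile)


def shape_deviation(priced, metered):
    """Largest relative hourly gap after scaling both profiles to the same total.

    Scaling first means a genuine growth assumption (same shape, more volume)
    is not flagged; only a change of shape is.
    """
    scale = sum(metered) / sum(priced)
    return max(abs(p * scale - m) / m for p, m in zip(priced, metered) if m > 0)


def review_contract(contract, metered, tolerance=0.25):
    """The control that was missing: reconcile the profile used for pricing
    with the customer's metered history and quantify any underpricing."""
    priced = contract["profile"]
    reasons = []
    if is_flat(priced):
        reasons.append("flat profile: single value entered instead of history")
    deviation = shape_deviation(priced, metered)
    if deviation > tolerance:
        reasons.append(f"profile shape deviates from metered history by {deviation:.0%}")
    underpricing = base_price(metered) - base_price(priced)
    return {
        "contract": contract["id"],
        "reasons": reasons,
        "underpricing_per_mwh": underpricing,
        "exposure": underpricing * contract["annual_mwh"],
    }


# Constructed contracts: one priced from metered history scaled up 10% for
# expected growth, one priced from a single value spread flat across the day
CONTRACTS = [
    {"id": "C-1001", "profile": [q * 1.1 for q in METERED], "annual_mwh": 34000},
    {"id": "C-1002", "profile": flat_profile(sum(METERED)), "annual_mwh": 31000},
]

if __name__ == "__main__":
    for contract in CONTRACTS:
        print(review_contract(contract, METERED))
```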
<h1>An Education in Misleading Ads</h1><p>The University of Phoenix will pay $191 million to settle deceptive advertising charges, <a href="" target="_blank">National Public Radio reports</a>. According to the U.S. Federal Trade Commission (FTC), the for-profit university's ads "gave the false impression" that it could provide job opportunities with employers such as AT&amp;T and Microsoft. The FTC says the ads targeted minorities, military veterans, and service members and their families.</p><p>The settlement requires the University of Phoenix to cancel $141 million in debt owed to the university by students who enrolled from October 2012 through the end of 2016. The university must pay $50 million to the FTC.</p><h2>Lessons Learned</h2><p>This story is yet another example of why educational institutions, especially for-profits, must strive to prevent and detect fraud on behalf of students. The settlement in this case follows on the heels of last year's <a href="/2019/Pages/Big-Scam-on-Campus.aspx">college admissions bribery scandal</a>. In continuing fallout from that story, students have filed a class-action suit against eight universities.</p><p>The fraud in this story is not new, and the settlement does not address a bigger issue. In its complaint, the FTC notes the University of Phoenix has been the largest recipient of money from the Post-9/11 GI Bill Fund established to help veterans pursue education.</p><p>The FTC's settlement with the university puts pressure on the Veterans Administration to cut off GI Bill funds to schools that engage in deceptive recruiting and advertising, as required by federal law. Here are some strategies that could help deter false advertising by universities as well as address misleading and predatory marketing practices.</p><ul><li><strong>Authorities must act against deceptive advertising.</strong> It helps to understand why the University of Phoenix is in trouble. 
The Federal Trade Commission Act allows the FTC to act in the interest of all consumers to prevent deceptive and unfair acts or practices. According to Section 5 of the act, a representation, omission, or practice is <em>deceptive</em> if it is likely to mislead consumers and affect their decisions about the product or service. In addition, an action or practice is unfair if the injury it causes, or is likely to cause, is substantial, not outweighed by other benefits, and not reasonably avoidable.</li><li><strong>Claims must be substantiated, especially when they concern health, safety, or performance.</strong> The type of evidence required may depend on the product, the claims, and what experts consider necessary. If an ad specifies a certain level of support for a claim — "tests show X" — the advertiser must have at least that level of support.<br><br>The University of Phoenix was not able to substantiate the connection between paying fees and obtaining jobs at major companies. Therefore, prospective students should be skeptical about this type of advertising. They should ask for evidence, in writing, that a course was developed with reputable partners, or that attending the school will lead to jobs at the companies mentioned in the ads. If the claims are true, the school should be able to produce signed partnership agreements or testimonials from individuals about jobs, without compromising privacy rules.</li><li><strong>Third parties can be accountable for deceptive claims by advertisers.</strong> Although in-house employees perform much of universities' advertising and online marketing work, third parties often are involved. The FTC's investigative framework allows the commission to hold advertising agencies, website designers, and catalog marketers liable for deceptive marketing practices. 
These groups can be accountable if they participate in preparing or distributing deceptive representations or know about the false claims.<br><br>All agencies working on ads are responsible for reviewing the information used to substantiate claims, rather than relying on the advertiser's assurance that they are true. In determining whether an ad agency should be held liable, the FTC looks at the extent of the agency's participation in preparing the challenged ad. The commission also considers whether the agency knew or should have known that the ad included false or deceptive claims. If an agency is aware of false claims, it should not perform the requested work and should notify authorities such as the FTC.</li><li><strong>An effective whistleblower program is an important deterrent.</strong> In addition to in-house reporting, organizations should ensure employees can talk to authorities about potential wrongdoing. During the FTC's investigation of the University of Phoenix, an advocacy group for students who are military veterans connected the commission with six whistleblowers who served as recruiters for the university. Those whistleblowers in turn helped the FTC uncover deceptive advertising practices.</li><li><strong>The federal government should take a more vigilant stance regarding advertising fraud.</strong> In addition to the FTC, agencies should step up monitoring and auditing of schools that receive government money. This funding is a major, stable source of revenue at for-profit schools.<br><br>The aggressive marketing and recruiting practices of some for-profit colleges have been well-documented. A 2012 Senate investigation found evidence of schools deploying teams at veterans hospitals and Wounded Warrior centers to enroll students. Veterans groups have long criticized federal agencies for not doing enough to keep education benefits out of the hands of colleges that they say prey on military members. 
One recent audit found lax oversight could result in $2.3 billion in tuition benefits going to predatory schools during the next five years.</li><li><strong>Authorities should consider significant sanctions against schools that commit major or protracted advertising fraud.</strong> Such sanctions are particularly needed when vulnerable segments of society, such as students and veterans, are involved. For example, the Defense Department has considered banning the University of Phoenix from participating in its tuition assistance program, citing the FTC's investigation and other government inquiries.<br><br>The department also has suspended the university from recruiting on military bases and placed a six-month moratorium on access to education funding dedicated to service members. That decision stemmed from allegations that the university sponsored recruiting events in violation of an executive order preventing for-profit colleges from gaining preferential access to the military.</li></ul><p>Art Stewart</p>
Data Theft Aids Tech Support Scam<p>An employee at Trend Micro allegedly stole information on 70,000 customers to help a fake IT support scam, <a href="" target="_blank"> <em>PC Magazine</em> reports</a>. The anti-virus company says the employee accessed a database and sent names, email addresses, phone numbers, and support ticket numbers to the alleged scammers. </p><p>The company says those individuals, in turn, contacted customers, posing as technical support staff. Typically, IT support scams try to charge victims for unnecessary services, <em>PC Magazine</em> says. </p><p>Trend Micro says it hasn't found evidence that the employee exposed credit card or financial information, nor did the employee access information on government or corporate customers. It has since fired the employee.</p><h2>Lessons Learned</h2><p>Preventing employees from stealing data is a necessity. Customer data, employee records, software code, engineering designs, and business strategies are particularly vulnerable to data theft. </p><p>While the human resources (HR), IT, and legal functions all are vital for preventing data theft, it is not any one function's job. Instead, the best defense is an integrated approach involving all employees. Here are two areas where organizations need effective controls, along with some strategies that internal auditors can recommend and help implement.</p><p> <strong>1. Employee Recruitment, Onboarding, and Offboarding</strong></p><p>Research indicates that employees often commit data breaches unintentionally because they aren't aware of how the organization governs its data. But ineffective recruitment screening, onboarding, and offboarding processes also share the blame. </p><p> <strong>Recruitment</strong> Before hiring new employees, the organization should conduct thorough background checks, including reviewing their social media presence. 
It should look for signs of tolerance of theft, laxness in security protection, and similar traits. </p><p> <strong>Onboarding</strong> Upon hire, new employees should attend required sessions covering the organization's data sharing, ownership, and privacy policies. During these small group sessions, HR executives should ensure employees understand the data security, ethics, and conflict-of-interest sections of their employment agreements. Employees also should be aware of the organization's privacy and data security policies and procedures. </p><p>Additionally, the organization should conduct mandatory training on its data sharing, ownership, security, and privacy policies. This session should test new employees' comprehension and ability to document these processes.</p><p> <strong>Offboarding</strong> When employees leave the organization, devices issued to them should be scanned and verified for organizational data. These devices include laptops, tablets, smartphones, and removable media.</p><p>Because different employees have access to different types of data, the organization should maintain a record of each employee's access privileges. It should reset or delete all of an employee's accounts, access privileges, and passwords upon his or her departure. The organization also should hold former employees accountable for any data breach that is traced back to them. </p><p>These recruitment, onboarding, and offboarding policies should be implemented in combination with other measures designed to help detect and deter data theft, such as a whistleblower program and providing information about the consequences of data theft.</p><p> <strong>2. 
Technology Measures Against Data Breaches </strong></p><p>IT measures that can help prevent data theft from happening include:</p><ul><li> <em>Role-based and access-based controls.</em> Limiting data access to only what is required for a particular job and logging user interactions with the data can reduce the chances of theft. For example, a junior-level software developer should have well-defined, limited, or even no access to a primary database. Tracking software can enable organizations to monitor activity within an intranet or network.<br> </li><li> <em>Separate devices for professional versus personal use.</em> Many organizations allow employees to use the same devices for personal and professional use. This blurred boundary between business and personal data can lead to incidental or intentional data breaches. If a single device is allowed for both purposes, the organization should monitor usage of the device and install software to keep each usage separate.<br> </li><li> <em>Establish strict controls over use of removable storage and cloud services. </em>Organizations should restrict employees' ability to access, copy, and move data, and limit access to all forms of removable storage and cloud services. The best solution is to prohibit data copying, whether by email, photocopy, screenshot, camera, or by hand — or even eliminate all the external storage ports of devices. Practically speaking, though, such restrictions can result in lost productivity and employee inconvenience. The next best method is to monitor all forms of data copying, movement, or exchange from the organization's systems. To this monitoring, organizations should add random, in-depth spot checks of employee behavior and audits of control measures. </li> </ul>Art Stewart
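<p>The role-based controls item above pairs least-privilege access with logging of user interactions with the data. The following is an added example, not code from the original article or from Trend Micro, showing how such an access log can be checked for the pattern in this story: one support account reading far more customer records in a day than its own history justifies, followed by a bulk export. The log format, the user names, the record counts and the thresholds (a day is flagged when it touches at least 50 distinct customers and more than five times the user's median daily count) are all constructed assumptions.</p>

```python
"""Bulk-access check over customer-database access logs.

Added example; the log format and every record below are constructed.
Format per line: <ISO timestamp> <user> <action> <customer_id>
"""
from collections import defaultdict
from datetime import datetime
from statistics import median


def build_sample_log():
    """Constructed sample, not a real log: two support agents with steady
    daily traffic, then one of them touching 400 records in a day and
    running an export."""
    lines = []
    cust = 10000
    for day in range(1, 5):
        for i in range(20):                       # alice: 20 reads every day
            cust += 1
            lines.append(f"2019-11-0{day}T09:{i:02d}:00 alice READ {cust}")
        n = 15 if day < 4 else 400                # bob: 15 reads, then a spike
        for i in range(n):
            cust += 1
            lines.append(f"2019-11-0{day}T10:{i % 60:02d}:{i // 60:02d} bob READ {cust}")
    lines.append("2019-11-04T17:30:00 bob EXPORT -")  # bulk export, no customer id
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (timestamp, user, action, customer_id) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, cust = line.split()
        events.append((datetime.fromisoformat(ts), user, action, cust))
    return events


def flag_bulk_access(events, ratio=5.0, floor=50):
    """Return alerts for (a) days on which a user read at least `floor`
    distinct customers and more than `ratio` times that user's median daily
    count, and (b) any EXPORT action. The median is used as the baseline
    because a single spike barely moves it. Thresholds are assumptions."""
    per_day = defaultdict(set)
    for ts, user, action, cust in events:
        if action == "READ":
            per_day[(user, ts.date())].add(cust)

    daily_counts = defaultdict(dict)              # user -> {date: distinct customers}
    for (user, day), custs in per_day.items():
        daily_counts[user][day] = len(custs)

    alerts = []
    for user, days in daily_counts.items():
        baseline = median(days.values())
        for day, count in sorted(days.items()):
            if count >= floor and count > ratio * baseline:
                alerts.append({"user": user, "date": day.isoformat(), "kind": "bulk_read",
                               "count": count, "baseline": baseline})
    for ts, user, action, _ in events:
        if action == "EXPORT":
            alerts.append({"user": user, "date": ts.date().isoformat(), "kind": "export",
                           "count": None, "baseline": None})
    return alerts


if __name__ == "__main__":
    for alert in flag_bulk_access(parse_log(build_sample_log())):
        print(alert)
```

<p>On the constructed log the check raises two alerts, both for the same account on the same day: the 400-record read day against a median of 15, and the export that followed it. In practice the baseline would be computed from a longer history than the spike day itself, and the export action would come from whatever the database or application actually logs.</p>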
When Fraud Experts Go Bad<p>A professor may have learned the wrong lessons from his decades of research on organized crime. U.S. federal prosecutors say Bruce Bagley, an expert on money laundering and corruption, laundered $3 million that foreign individuals had obtained through bribes and embezzlement, <a href="" target="_blank">National Public Radio reports</a>. </p><p>Prosecutors allege that between November 2017 and April 2019, Bagley received monthly deposits from bank accounts that were tied to a Colombian national. Bagley then would withdraw the funds through a cashier's check and give it to a second individual from Colombia, while retaining 10% for himself, prosecutors say in court documents filed after his arrest. </p><p>Bagley, a professor at the University of Miami, has written several books about drug cartels and corruption. He frequently has consulted with law enforcement agencies and has served as an expert witness in drug-trafficking trials.</p><h2>Lessons Learned</h2><p>This case is striking because the alleged fraudster is an expert on money laundering. Yet for all his knowledge, Bagley may not have chosen a sophisticated approach to covering up his alleged crimes — prosecutors say he created fake contracts to account for the money he was making. </p><p>Rather than focusing on the systems, techniques, and processes involved in preventing and detecting money laundering, let's take a step back and consider: Why would a fraud expert commit fraud? Most internal auditors are familiar with the fraud triangle — opportunity, motivation, and rationalization — but here are five explanations. </p><ol><li> <strong>Narcissism. </strong>The basic thinking is "I'm important and the rules don't apply to me." These fraudsters do and take what they please, and justify it given their superiority, importance, or desire. A form of sociopathy may drive their behavior, and they may not have empathy for other people. 
When individuals are influential and set rules for others, such as when teaching students or advising government officials, they can begin to see themselves as morally distinct and not subject to the same rules.<br></li><li> <strong>Impact minimization. </strong>Any workplace presents many opportunities for theft, some of which are small and easy to ignore. In this case, the alleged fraudster may have considered a 10% cut of the money laundered to be a small amount. <br> <br>Some fraudsters make a small compromise or act unethically in a way that they don't consider to be a big deal. When no one cares or notices, they get away with it. They then repeat their crimes and even try for a larger amount. <br> <br>As the crimes escalate, small thefts can become bigger and more persistent. Then, if the original risk suddenly results in a big loss and the fraudster feels there is no way out, the individual may take even larger risks. Ultimately though, even an expert will be noticed and caught. <br> </li><li> <strong>Ethical rationalization. </strong>Some people commit fraud because they believe what they are doing is in some sense ethical — they convince themselves to do unethical things depending on the way something is framed. In a case like this story, a money-laundering expert may rationalize that "the amount of money I'm keeping for myself is a small fraction of what is being stolen." <br> <br>Constant exposure to extreme wealth, or environments that reflect it through feelings of injustice and jealousy, can lead people to unethical behavior. Also, individuals may feel that they have accumulated "ethical credit" by being morally and ethically appropriate in their actions to date. In doing so, these people can justify wrongful behavior. 
<br> <br>Further along the path of fraudulent behavior, cognitive dissonance and rationalization can set in: If a person's actions differ from his or her morals, the individual may rationalize both to protect himself or herself from the contradiction. The bigger the dissonance, the larger the rationalization; the longer it lasts, the less immoral it seems.<br></li><li> <strong>Self-serving bias. </strong>People often are competitive and can be self-aggrandizing in their thinking and actions. These individuals think they are better than the people around them, which can lead to feelings of injustice and acting to rectify those feelings. An example is a person who does not think he or she is receiving a fair share of the rewards from his or her performance and capacity. <br> <br>Such perceptions can be worsened by tunnel-vision thinking. Focusing on only one goal, such as financial reward, can distract people from ethical concerns. Combining this type of thinking with feelings of alienation from large organizations and institutions may lead individuals to feel detached from their goals and leadership, driving them to consider committing fraud.<br></li><li> <strong>Health and physical factors. </strong>People who are physically ill, stressed, sleep-deprived, or suffering from other issues may have less self-control. Moreover, they may have greater financial need to address these issues, which may lead them to think crime is their only alternative. </li></ol>Art Stewart
Special Delivery<p>Federal prosecutors allege several Utah companies bribed a FedEx employee to obtain $280 million in contracts from the shipping company, <a href="" target="_blank">KUTV reports</a>. Prosecutors charged 10 individuals, including FedEx employee Ryan Lee Mower, whom they described as "the highest-ranking FedEx Ground employee in Utah."</p><p>According to the federal indictment, Mower received more than $1 million to help the companies win contracts for FedEx shipments over a 10-year period. Additionally, he allegedly approved "ghost runs" in which trucking companies were paid for delivery routes that they didn't actually run. To make more money from the scheme, prosecutors say Mower boosted mileage, and falsely reported accidents and miles.</p><h2>Lessons Learned</h2><p>FedEx's response to this alleged multi-million-dollar bribery case includes this statement: "The vast majority of this money was payment for work that was actually performed. Therefore, because FedEx Ground would have paid to have that work performed in any event, the net financial loss to FedEx Ground is a small fraction of this amount and is not material."</p><p>This response is beside the main point of this story, however. A significant amount of money was allegedly paid out illegally through bribery schemes over 10 years, and it took a U.S. federal investigation to uncover it.</p><p>Moreover, bribery and corruption, within organizations, countries, and internationally, continue to grow. In 2016, the International Monetary Fund estimated that corruption amounted to roughly 2% of global economic output — between $1.5 trillion and $2 trillion worldwide. 
This story provides a good opportunity to review effective ways to fight a culture of corruption, including a systematic approach to maintaining rigorous controls over contracting.</p><p>Organizations typically manage bribery and corruption risk through a mix of internal control processes, certification requirements, promoting good practices, and monitoring and auditing throughout their operations, including with suppliers and vendors. External standards also can be powerful tools for those efforts, helping to strengthen ethics and compliance practices by offering a clear framework for action. </p><p>One external tool is the International Organization for Standardization's <a href="" target="_blank">(ISO) 37001</a>: Anti-bribery Management Systems standard, published in 2016. The standard offers organizations a structure for setting up or benchmarking an effective anti-bribery program aligned with their own risk profile and building a culture that values ethical behavior. The standard sets out an approach that is independently certifiable — and in the context of the broader ISO 9001 quality management standard — addresses bribery in all of its forms, and can be integrated into an organization's existing management systems. </p><p>However, ISO 37001 only addresses anti-bribery management systems, not broader fraud and corruption issues. These issues should be addressed through a fraud risk assessment and management process, among others. In particular, this standard contains four important ways for organizations to strengthen their anti-bribery practices:</p><ul><li> <strong>Define ethical governance.</strong> Leadership is central to an effective anti-corruption system. ISO 37001 describes the responsibilities of the board and top management, including ensuring that the organization's strategy and anti-bribery policy and processes are aligned. 
The standard also requires the compliance function to be staffed by individuals with the right skills, status, authority, independence, and resources. It particularly needs a designated official who is responsible for anti-bribery efforts.<br><br></li><li> <strong>Embed a culture of compliance. </strong>The standard supports efforts to build an organizational culture that values ethics and compliance. Communication and training are needed to bolster the compliance program, and continual improvement is necessary to ensure that the program does not become stagnant. Other measures include establishing strong human resources policies and practices for background checks, turnover and rotation of staff, and a compliance hotline. The organization also should establish investigations and monitoring to uncover wrongdoing. <br> <br>Fighting bribery through a strong compliance culture also can help build the organization's reputation and value. Demonstrating conformance with an internationally accepted anti-bribery standard may make it easier for the organization to attract business partners and investors who expect greater financial transparency and disclosure of anti-bribery activities. Ethical organizations also may have lower employee turnover, as well as receive greater respect from customers and clients who value organizations with good ethical practices.<br><br></li><li> <strong>Implement a uniform framework. </strong>This framework should have measurable, trackable indicators that promote consistency organizationwide. ISO 37001 intentionally does not prefer the legal regime or regulatory architecture of one country over another. Instead, it outlines a set of practices that can be used by organizations regardless of where they operate. 
Additionally, more and more organizations are using automated data capture, analysis, and tracking to support this approach.<br><br></li><li> <strong>Require good practices throughout the supply chain.</strong> Many organizations have a complex web of third-party partners that support their business, similar to the trucking-company contractors in the FedEx story. The risk with these partners is that a bidder or business partner will bribe an employee of the organization to help obtain a contract. ISO 37001 addresses the need for due diligence, monitoring, and auditing of third parties, and provides a tool to measure the capabilities of third parties and the strength of their compliance programs. In addition, organizations could ask third parties to demonstrate compliance with the standard. <br><br></li> </ul><p>Adopting these four methods does not guarantee protection against bribery, but it is one way organizations can better prevent and detect it. The ISO website provides <a href="" target="_blank">more information on ISO 37001</a>. To learn about ways to fight bribery and contracting fraud, refer to the many articles in the <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=e5d7369b-6f2b-4374-b858-0a0d30c483c6">Fraud section of</a>. </p>Art Stewart
Municipal Misappropriation<p>Xavier County billed its residents monthly for their utility use through its finance division using in-house legacy software, which was not up to the rigors of modern billing and reconciliation processes. Unfortunately, the county had a “We have always done it this way” mindset, so there were no plans to upgrade the system. The county was collecting an average of $1.3 million each month in accounts receivable for the utility, cranking out manual receipts upon request and patching the system as needed to limp along to the next billing cycle.</p><p>The IT employee who set up the legacy platform and managed it for decades had retired, and back-of-the-house adjustments were much more difficult to achieve without his institutional knowledge. When new executive management at the county requested additional reporting from the system and management personnel asked to supplement controls, they were told that the software could not produce the reports they were asking for nor could they implement the additional controls requested. At this point, the internal audit department became aware of the software’s reporting constraints and initiated a soft-monitoring project regarding the internal controls of the billing and payment process. </p><p>Because the software was incompatible with modern online processes, certain account activities could not be completed online. Instead, customers were encouraged to call the division with account concerns and other matters. The customer service line was shared by several employees in the finance division who were involved in the billing and payment process. The employees would take customer calls and process payments and adjustments within the system, as needed. Financial and county management accepted this diversity of personnel providing customer contact as a satisfactory level of segregation of duties. 
A few functions, however, were handled by Jeff Neeley, the most senior staff member in the division, who was familiar with the legacy software and the most effective at resolving those requests. </p><p>The division depended on his institutional knowledge so much that on many weekends, when customer needs were high, he would come into the office and process those payments needing adjustment. It was during this time, without supervisory oversight, that Neeley conducted inappropriate transactions, feeling empowered by the lack of physical management review. </p><p>The fraud itself involved a few adjustments to the financial software and a bit of manual tracking. When a customer paid using a credit card over the phone with Neeley, he would tally the payment amount in a workbook on his desktop computer. During month-end close-out procedures, he would take the running tally amount in the workbook, create a journal entry, and move that amount from accounts receivable revenues to accounts payable. This entry was processed within the financial system without additional review, as Neeley had both a staff-level login and a supervisory-level login, presumably to perform different roles for different duties, as assigned. A phony invoice was then created for a fictitious vendor and included in the backup documentation for that journal entry. The fictitious services amounted to the total of all individual accounts that were manipulated during the month. The vendor was paid via the standard accounts payable process within the county. The vendor verification process had been completed by Neeley many years before.</p><p>Through multiple inquiries during performance audits throughout the organization, internal audit identified a weakened internal control structure due to the level of trust within the county. Internal audit discussed the risks multiple times with executive management, with no change. 
In fact, when internal auditors cautioned against this untested trust, they were told it was important not to upset employees because they were still skeptical of the county after layoffs during the Great Recession. Those who remained were territorial regarding their responsibilities and did not see the value of cross-training. </p><p>The utility’s legacy system led to the practice of a few key employees handling adjustments every time one was needed. The work became so specialized that certain customer account adjustments were put on hold until Neeley returned to work. It wasn’t until he was out on unscheduled medical leave that another person within the department had to handle his transactions for waiting customers. That’s when personnel noticed unusual adjustments within the system. </p><p>The monthly journal adjustments were paid via the accounts payable process to a fictitious service vendor account that Neeley had set up many years before; the payments appeared to be a legitimate cost of service, recorded as payment lockbox service fees. This service fee was one of two that the county paid — because the fee amounts were consistent, without material variances, and of a nominal amount, no one thought to ask why there were two separate payments for the lockbox service fee. </p><p>Once the fraud was identified, internal audit asked the employees who reviewed Neeley’s summary reports why the fictitious vendor account wasn’t flagged or reviewed further. They explained that it did not receive any attention because the fee was nominal considering the large amounts that were being processed monthly. The fraud investigation determined that those nominal fees siphoned to Neeley’s personal account added up to nearly $91,000 and, because the system did not retain records more than 10 years back, the true dollar amount lost by the county was estimated to be greater.</p><p>The department was informed of the suspected fraud, and a vendor service company conducted a financial investigation. 
Still out on medical leave, Neeley hastily completed retirement paperwork with human resources and did not return to work. The investigation resulted in multiple recommendations that brought the division back up to an appropriate level of internal control. The county later submitted the case to the local district attorney’s office for prosecution, which is currently in process.</p><p>The impact to the county was perhaps greater than the monetary loss of the fraud. It became a local media topic, drawing many concerned citizens to the county’s public meetings to voice their disapproval of the situation and the county. The level of trust in the community has been eroded and it will take time to mend. </p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"> <p><strong>Lessons Learned</strong></p><ul><li>Internal controls should be respected in all organizational cultures. Creating a baseline for oversight and applying management reviews consistently for all employees is recommended. </li><li>Key employees are great additions to organizations and are often the most trusted employees. They can provide institutional knowledge that can compel fact-driven decision-making. However, trust is not an internal control and all employees require oversight. </li><li>Succession planning and work-task rotations could have been key in preventing the fraud from occurring at the level it did. </li><li>By not requiring Neeley to attend staff training and enabling special working conditions, management created an environment where the employee felt outside of the system and its authority. 
</li><li>Physical security of a work area is important to instill a sense of oversight and supervisory review for employees. Working outside of normal business hours is not recommended.</li><li>Segregation of duties within the financial system is key to ensuring appropriate reviews. If one employee has two separate logins for staff transactions and supervisory/review transactions, this built-in internal control is no longer effective.<br></li></ul></td></tr></tbody></table><br>Emily E. Kidd
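<p>Three of the lessons above can be turned into routine data checks by internal audit: a service fee that is paid to two vendors, a fictitious vendor whose "nominal" payment is the same figure month after month, and an employee who holds both a staff and a supervisory login. The following is an added example, not code from the original article or from the county, run over constructed payment and role records; the vendor ids, amounts, user names and the variance threshold are assumptions, not figures from the case.</p>

```python
"""Ledger analytics for the control failures in the county story.

Added example; all payment and role records below are constructed.
Checks: duplicate service vendors, flat recurring payments, and users
holding both a staff and a supervisory login (segregation of duties)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed accounts-payable payments: (month, vendor_id, description, amount)
LOCKBOX_FEES = [1240.10, 1262.55, 1251.00, 1248.30, 1270.80, 1233.90,
                1255.15, 1249.60, 1266.40, 1239.75, 1258.20, 1244.05]
SUPPLY_COSTS = [410.00, 95.50, 1320.00, 230.00, 870.40, 55.00,
                990.00, 120.00, 640.00, 310.50, 1500.00, 75.00]
PAYMENTS = (
    [(f"2019-{m:02d}", "V100", "Lockbox service fee", amt)       # real lockbox bank
     for m, amt in enumerate(LOCKBOX_FEES, start=1)]
    + [(f"2019-{m:02d}", "V877", "Lockbox service fee", 7575.00)  # fictitious vendor, same amount monthly
       for m in range(1, 13)]
    + [(f"2019-{m:02d}", "V200", "Office supplies", amt)
       for m, amt in enumerate(SUPPLY_COSTS, start=1)]
)

# Constructed login/role assignments in the financial system: user -> roles
ROLE_ASSIGNMENTS = {
    "jneeley": {"staff", "supervisor"},   # one person, two logins
    "amorales": {"staff"},
    "tchen": {"supervisor"},
}


def duplicate_service_vendors(payments):
    """Descriptions billed by more than one vendor: the same service paid twice."""
    vendors_by_desc = defaultdict(set)
    for _, vendor, desc, _ in payments:
        vendors_by_desc[desc.strip().lower()].add(vendor)
    return {desc: sorted(v) for desc, v in vendors_by_desc.items() if len(v) > 1}


def flat_recurring_payments(payments, min_months=6, max_cv=0.005):
    """Vendors paid in at least `min_months` months whose amounts barely vary
    (coefficient of variation below `max_cv`). Genuine fees drift a little;
    a fabricated one is often the same figure every month. The threshold is
    an assumption to tune against the organization's own payment history."""
    amounts = defaultdict(list)
    for _, vendor, _, amt in payments:
        amounts[vendor].append(amt)
    flagged = {}
    for vendor, amts in amounts.items():
        if len(amts) < min_months:
            continue
        cv = pstdev(amts) / mean(amts)
        if cv < max_cv:
            flagged[vendor] = {"months": len(amts), "mean": round(mean(amts), 2),
                               "cv": round(cv, 4)}
    return flagged


def sod_violations(role_assignments, conflicting=("staff", "supervisor")):
    """Users who hold every role in `conflicting` at once, so the built-in
    review step can be completed by the same person who entered the item."""
    needed = set(conflicting)
    return sorted(u for u, roles in role_assignments.items() if needed <= set(roles))


def run_checks(payments=PAYMENTS, roles=ROLE_ASSIGNMENTS):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "duplicate_service_vendors": duplicate_service_vendors(payments),
        "flat_recurring_payments": flat_recurring_payments(payments),
        "sod_violations": sod_violations(roles),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

<p>On the constructed records the duplicate-vendor check pairs V100 and V877 under the same "Lockbox service fee" description, the variance check flags only V877 (twelve identical payments, coefficient of variation 0), and the role check returns the one user holding both logins. The real lockbox bank's fee drifts by roughly 1% from month to month and so falls just above the 0.5% threshold; how tight that threshold should be depends on the organization's own history, which is why it is a parameter.</p>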
The Price of Carbon<p>A lawsuit against Exxon Mobil alleges the oil company understated to investors the impact of carbon pricing in evaluating projects, the <a href="" target="_blank"><em>National Post</em> reports</a>. Court documents in the case filed last year by New York's state attorney general allege that Exxon often used a lower price per ton for greenhouse gas (GHG) emissions and forecast it for future years. That created "the illusion that it had fully considered the risks of future climate change regulations," the documents state. </p><p>For example, in Canada, the lawsuit claims Exxon understated carbon pricing of 14 projects in the Alberta oil sands by $30 billion, including understating one project by 94%. Exxon claims the lawsuit does not consider the multiple ways in which the company accounts for climate regulations.</p><h2>Lessons Learned</h2><p>Governments around the world are increasingly enacting new laws to put a price on carbon emitted by industrial producers, so it should not be surprising that the question of fraud has come up. As of 2019, more than 70 jurisdictions, representing about 20% of GHG emissions, have put a price on carbon.</p><p>This story involves one company, Exxon, and a case of alleged fraudulent carbon pricing that is still before the courts in two U.S. states. What can internal auditors learn about these laws that can help organizations prevent and detect what could become a more frequent fraud issue?</p><ul><li> <strong>Keep up knowledge of environmental laws and carbon-pricing regimes.</strong> In particular, internal auditors should learn about the requirements and methodologies for dealing with the pricing and taxing of carbon globally. For example, <a href="" target="_blank">a section of the World Bank's website</a> defines and measures carbon-pricing regimes around the world. 
The website's up-to-date dashboard sets out the various kinds of carbon-pricing regimes in place, planned, or being implemented in various jurisdictions, including both emissions trading systems and carbon tax regimes.<br> </li><li> <strong>Assist in compliance.</strong> At this point, companies have considerable discretion in their methodologies for assessing the amounts and impacts of carbon pricing on their products and services. Greater government specificity regarding these methodologies, including their uses and disclosure, appears to be coming. For example, starting in 2020, companies under the jurisdiction of Canada's Greenhouse Gas Pollution Pricing Act must file annual compliance reports with both Environment and Climate Change Canada and the Canada Revenue Agency. Internal auditors would be useful contributors to these reports.<br><br></li><li> <strong>Understand GHG calculation criteria.</strong> Of particular note in relation to this story, Canada's compliance guidance includes several criteria regarding GHG calculations. Specifically, companies must perform these calculations in accordance with a reliable and replicable methodology.<br><br>This methodology should ensure that net emissions are capable of being measured or modeled in a reliable and repeatable manner that includes all relevant sources. Calculations should consider uncertainty to ensure quantified or estimated emissions are accurate and within scientifically established standards or acceptable statistical precision for the project or equipment type. Moreover, they should consider the conservativeness principle in quantifying GHG emissions to ensure they are neither underestimated nor overestimated.<br><br></li><li> <strong>Advise the organization about disclosure practices.</strong> Companies increasingly face pressure to be more transparent about their treatment of carbon pricing. A proactive approach seems advisable. 
There are many sources of good disclosure practices and guidance regarding carbon pricing, including CDP Worldwide's <a href="" target="_blank">Carbon Pricing: CDP Disclosure Best Practice (PDF)</a>. </li></ul>Art Stewart
