Fraud

 

 

<h2><a href="https://iaonline.theiia.org/2021/Pages/The-Alternate-Reality-of-REM.aspx">The Alternate Reality of REM</a></h2>
<p>Among the pandemic’s many impacts, occupational fraud risk has increased substantially in many companies and industries worldwide. Nearly three-fourths of respondents to the Association of Certified Fraud Examiners’ (ACFE’s) Fraud in the Wake of COVID-19: Benchmark Report–September 2020 Edition predicted fraudulent behavior to increase in the following 12 months. </p>
<p>As revenue streams and planned spending have been dramatically upended and altered, organizations have eliminated or drastically cut operational spending to account for the lost revenue. That opens the door for financial statement fraud risks. Financial statement fraud represents only 10% of fraud cases in ACFE’s 2020 Report to the Nations global study, yet it accounts for the highest median loss ($954,000). Further, such schemes can go undetected for as long as two years.</p>
<p>Real earnings management (REM) can be construed as a type of financial statement fraud in which managers intentionally create an alternative reality of what is going on within the organization’s accounts. With this fraud, management deviates from normal business practices to meet short-term earnings thresholds. That can delay bad news but eventually could cause a more significant market disappointment. As financial regulators increase scrutiny of companies’ earnings management practices, internal audit can help preemptively by assessing and monitoring operational decisions to ensure financial reliability and effective risk management. </p>
<h3>REM PRACTICES RAISE RISKS</h3>
<p>REM can raise audit concerns about a company’s accounting practices, and those practices also may have legal risks. Green Mountain Coffee Inc. 
is among several companies that have faced class-action securities fraud lawsuits stemming from the controversial practice of inflating product demand by building up inventory.</p>
<p>There are five ways that companies perform REM:</p>
<ul><li>Overproduction to decrease cost of goods sold (COGS) expense. </li><li>Cutting desirable research and development expenditures.</li><li>Cutting general and administrative expenses of sales.</li><li>Timing the sale of fixed assets to report gains to boost current period earnings.</li><li>Encouraging customers to take excess inventory accompanied with unusual discounts or rights of return, also known as channel stuffing.</li></ul>
<p>Internal auditors should be aware that managers’ intentions distinguish acceptable REM from fraudulent REM activities. For example, a manager may intentionally engage in fraudulent REM to achieve a bonus or avoid missing an earnings target. This behavior creates an alternate, fraudulent reality through a deliberate distortion of the financial statements.</p>
<h3>THE ILLUSION OF COST-CUTTING</h3>
<p>Auditors can better understand REM practices by taking a closer look at how companies overproduce inventory to decrease COGS expenses. U.S. Generally Accepted Accounting Principles require absorption costing when valuing inventory for external financial reporting. This costing method allows companies to allocate the full manufacturing costs (variable and fixed) to a product.</p>
<p>Absorption costing occurs when a company assigns the direct material, direct labor, and manufacturing overhead to the product in the work-in-process account during production. Once the product is completed, the company transfers the cost of goods manufactured (COGM) from the work-in-process account to the finished goods account, where those costs reside on the balance sheet. 
When the finished product is sold, the company transfers the COGM off the balance sheet to the income statement as COGS.</p>
<p>Manufacturing overhead represents a significant percentage of overall manufacturing costs. In addition, management has discretion in determining a basis for allocating the overhead to the product, such as based on direct labor, machine hours, or volume. Therefore, internal auditors should be aware of the method management uses to allocate the overhead and whether it may have fraudulent implications. Auditors can learn this by asking the production manager or cost accountant about the allocation method in place and why it is used.</p>
<p>U.S. Financial Accounting Standards Board (FASB) Statement of Financial Accounting Standards No. 151 provides discretion by allowing companies to account for normal excess capacity under absorption costing. However, FASB does not clearly define what constitutes <em>normal excess capacity</em>. This discretion provides managers an opportunity to increase manufacturing production above normal capacity — what the company is normally able to sell — to achieve analyst earnings per share, annual bonus, or enhanced financial statement performance expectations. </p>
<p>Although the organization’s financial statements are strengthened in the short term, the additional inventory can have an adverse long-term effect by eroding firm value and brand image. Internal auditors should determine whether the company has significantly built up inventory that exceeds planned production or forecasted sales. Such an increase would affect the inventory account on the balance sheet and the COGS account on the income statement, providing a red flag. 
Further, auditors should investigate the associated expenses related to the excess inventory, such as storage and insurance expenses, which would not have been incurred otherwise.</p><h3>INTERNAL AUDIT AND FRAUD DETECTION<br></h3><p>Internal audit is well-suited to examine management’s business decisions as well as investigate REM and its fraud potential. However, auditors may struggle to detect managerial intentions because of REM’s opaque nature and ability to be disguised as actual operational decisions. That is particularly unfortunate in the manufacturing industry, which suffers among the highest median losses from a case of financial statement fraud ($198,000), according to the ACFE’s Report to the Nations.</p><p>Internal auditors can use their broad access to organizational systems and many areas of the business to detect fraudulent REM activities such as overproduction of inventory. Those efforts may be helped by three types of analysis tools:</p><ul><li><em>Horizontal analysis.</em> Considers the financial performance of an account over time.</li><li><em>Vertical analysis.</em> Compares the financial performance of an account to a base amount in a particular year.</li><li><em>Ratio analysis.</em> Measures the relationship between financial statement accounts.</li></ul><p><br>Internal auditors should use these three analysis tools together to identify areas of fraud risk and potential red flags in the financial statements. They can use horizontal analysis to compare the current balance of the inventory account to previous quarters and years. For example, if the inventory account is growing significantly over time without irregular sales volume, it could indicate there is inventory buildup for fraudulent reasons.</p><p>Vertical analysis, or common size analysis, is most useful when comparing industry benchmarks or competitors’ financial statement accounts. 
Common-sizing involves dividing each account into a base number — that is, the total assets for the balance sheet and revenues for the income statement — thereby showing each account as a percentage of the base number. Common-sizing the financial statements makes it easy to measure the relative importance of each account and provides an opportunity to compare companies of different sizes. For example, is the organization’s COGS account significantly less than industry benchmarks or competitors?</p>
<p>Finally, ratio analysis is helpful in measuring the relationship between the balance sheet and income statement accounts. Two ratios that would be of interest are inventory turnover and days’ sales in inventory. The inventory turnover ratio — the COGS divided by the average inventory — indicates the number of times an organization goes through its inventory in a year. If this ratio has decreased significantly over time, it could indicate an excessive buildup of inventory.</p>
<p>Days’ sales in inventory provides information on how much inventory an organization has available. It is calculated by dividing the ending inventory by the COGS and then multiplying by 365. A dramatic increase in this ratio could indicate an inventory issue.</p>
<p>Besides these analysis tools, internal auditors should monitor the organization’s budget-to-actual report monthly to identify any significant changes in inventory-related accounts. Furthermore, where analysis shows accounts with red flags, auditors should investigate further by performing more substantive tests of analytical procedures and the details of transactions and balances, as well as questioning operational personnel. Additionally, internal auditors should review the controls over manufacturing production and examine the master budget and its components. 
If internal auditors are familiar with REM and can detect when it is practiced, they can investigate whether the intention is to mask declining sales and report what they discover to management and those charged with governance.</p>
<h3>THE SIGNS OF FRAUD</h3>
<p>Buildup of inventory could be attributed to slumping sales or intense competition from competitors, rather than fraud. Being able to distinguish between fraudulent and legitimate practices is one reason why internal auditors should possess a solid understanding of their organization and the industry in which it competes.</p>
<p>Likewise, auditors should know what pressures and incentives influence managers’ behaviors and, ultimately, their decision-making. Analyst expectations and managerial compensation incentives can motivate managers to commit financial statement fraud through an REM fraud scheme. In turn, the manager’s REM decisions to increase manufacturing production intentionally deceive analysts, shareholders, and creditors. Such temptation is even more reason for internal auditors to take extra steps to help safeguard their organizations against fraudulent schemes in these volatile and uncertain economic times.</p>
<p>Robert J. Knisley</p>
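<p>An added example, not part of the original article: the horizontal, vertical, and ratio checks described above, applied together to annual inventory figures to surface overproduction red flags. The figures, thresholds, and industry COGS benchmark are constructed assumptions.</p>

```python
from dataclasses import dataclass


@dataclass
class Period:
    label: str
    revenue: float            # base amount for common-sizing the income statement
    cogs: float
    ending_inventory: float


# Constructed annual figures in $ thousands (not taken from the article).
PERIODS = [
    Period("FY1", 10_000, 6_500, 1_200),
    Period("FY2", 10_200, 6_600, 1_250),
    Period("FY3", 10_100, 6_100, 1_900),
    Period("FY4", 10_000, 5_700, 2_800),
]

# Assumed thresholds; an audit team would tune these to the organization.
INVENTORY_GROWTH_LIMIT = 0.20   # horizontal: inventory growth worth a look...
FLAT_SALES_LIMIT = 0.05         # ...when sales grew by less than this
COGS_BENCHMARK = 0.65           # vertical: assumed industry COGS / revenue
COGS_TOLERANCE = 0.05           # how far below the benchmark is unusual
TURNOVER_DROP_LIMIT = 0.20      # ratio: year-over-year fall in turnover
DSI_RISE_LIMIT = 0.25           # ratio: year-over-year rise in days' sales


def pct_change(new, old):
    return (new - old) / old


def inventory_turnover(cogs, begin_inventory, end_inventory):
    # COGS divided by average inventory, as defined in the article.
    return cogs / ((begin_inventory + end_inventory) / 2)


def days_sales_in_inventory(ending_inventory, cogs):
    # Ending inventory divided by COGS, multiplied by 365.
    return ending_inventory / cogs * 365


def analyze(periods):
    """Return one row per period after the first, with metrics and flags."""
    rows = []
    prev_turnover = None
    for prev, cur in zip(periods, periods[1:]):
        inv_growth = pct_change(cur.ending_inventory, prev.ending_inventory)
        sales_growth = pct_change(cur.revenue, prev.revenue)
        cogs_pct = cur.cogs / cur.revenue
        turnover = inventory_turnover(
            cur.cogs, prev.ending_inventory, cur.ending_inventory)
        dsi = days_sales_in_inventory(cur.ending_inventory, cur.cogs)
        prev_dsi = days_sales_in_inventory(prev.ending_inventory, prev.cogs)

        flags = []
        # Horizontal: inventory balance rising while sales stay flat.
        if inv_growth > INVENTORY_GROWTH_LIMIT and sales_growth < FLAT_SALES_LIMIT:
            flags.append("horizontal")
        # Vertical: common-size COGS well below the industry benchmark.
        if cogs_pct < COGS_BENCHMARK - COGS_TOLERANCE:
            flags.append("vertical")
        # Ratio: turnover falling sharply against the prior period.
        if prev_turnover is not None and \
                pct_change(turnover, prev_turnover) < -TURNOVER_DROP_LIMIT:
            flags.append("turnover")
        # Ratio: days' sales in inventory rising sharply.
        if pct_change(dsi, prev_dsi) > DSI_RISE_LIMIT:
            flags.append("dsi")

        rows.append({
            "label": cur.label,
            "inventory_growth": inv_growth,
            "cogs_pct": cogs_pct,
            "turnover": turnover,
            "dsi": dsi,
            "flags": flags,
        })
        prev_turnover = turnover
    return rows


if __name__ == "__main__":
    for row in analyze(PERIODS):
        print(f"{row['label']}: inventory {row['inventory_growth']:+.1%}, "
              f"COGS {row['cogs_pct']:.1%} of revenue, "
              f"turnover {row['turnover']:.2f}, DSI {row['dsi']:.0f} days, "
              f"flags: {', '.join(row['flags']) or 'none'}")
```

<p>A period that trips several checks at once is a prompt for the substantive testing and interviews the article describes, not a finding of fraud on its own.</p>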
<h2><a href="https://iaonline.theiia.org/2021/Pages/Sailing-the-Tradewinds-to-Fraudulent-Gains.aspx">Sailing the Tradewinds to Fraudulent Gains</a></h2>
<p>“Do you know why I’m here?” asked Robert Schull, the forensic audit manager at Orion Advertising, a direct mail marketer. Cathy Francis, Orion’s regional sales manager, responded, “Yes, and I will return the checks.” Her response took Schull by surprise as the purpose of the meeting was to discuss the claim of a questionable sales bonus. So, his next question was, “How much are we talking about?” Francis replied, “About half a million dollars.”</p>
<p>Orion’s primary product is a print magazine where local businesses advertise their services. The magazine is delivered by mail to residents within predefined geographic markets. Orion’s pricing plan is simple: Front-facing pages are priced at a premium while back-facing pages are priced at approximately half the rate of front-facing pages. </p>
<p>Sales representatives work for commission with some additional sales incentives. One of the incentives was a $5,000 bonus for each new customer. But because advertising revenues were in decline due to online competition, Orion reduced its commission structure for all sales representatives. </p>
<p>The internal control environment at Orion also suffered from the decrease in advertising revenue. Accounting positions were eliminated and departing employees were replaced with lower cost, less experienced people. Tasks were consolidated, resulting in a lapse of separation of duties controls. Management was unconcerned. </p>
<p>Francis was a successful regional sales manager who routinely earned a six-figure income. The new commission structure upset her because she was unable to earn the same income she’d become accustomed to. Francis was aware of the challenged internal control environment and believed she could execute a simple fraud scheme to replace her lost income. 
She rationalized that the money she would be taking was, in fact, owed to her for her hard work.</p><p>Francis set up a shell company called Tradewinds Inc. Tradewinds would bill her new customers for the premium rate regardless of where their ads appeared in the magazine. Tradewinds would then pay Orion as if the customers received the back-of-page advertising. Francis knew she could cover any billing discrepancies with accounting by telling the billing department that the customer was billed at the incorrect rate. </p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Lessons Learned</strong><p><br></p><ul><li>A strong control environment requires sufficient qualified staff to institute appropriate separation of duties. Internal audit should assess a company’s control environment, which includes evaluating the qualifications of employees in key positions. </li><li>Commission-based compensation or incentive programs are subject to manipulation. Coupled with weak internal control environments, significant performance-based compensation plans are an invitation for fraud, waste, and abuse.</li><li>Management should take ethics violations seriously. Disciplinary action should be consistently applied to all employees regardless of job title or historic performance. </li><li>Internal auditors working in environments where employees receive commission-based compensation should add a review of these programs to their audit plan. The review should include a thorough understanding of the mechanics of the program, the separation of duties within the program, and the existence of preventive and detective controls in conjunction with validating the integrity of the program.</li></ul><p></p></td></tr></tbody></table><p>There were some initial hiccups with Francis’ scheme. For example, some of her new customers sent their payments to Orion instead of Tradewinds. 
Because these payments were at the premium rate for back-of-page placement, it resulted in overpayments. Francis knew that overpayments would look suspicious, so she instructed the billing department to adjust accounts for the overpayments or to transfer the overpayments from one customer account to another. No one in accounting took a serious interest in the overpayments or transfers.<br></p><p>Francis’ scheme went undetected for several months and involved more than replacing any lost income she sustained from the change in the commission plan. However, this was not enough for Francis. In addition to marketing local businesses to residences, Orion had national accounts that would advertise in all magazines across the country. Francis knew that national accounts payments were multiples of her best local customers and theorized that she could scale her fraud scheme. The problem she faced was how she could deposit the large checks from national accounts into her local bank without raising suspicion.   </p><p>Robert Baggio was Francis’ neighbor and a local bank manager who had just been offered a promotion to manage a branch out of state. She invited him to her house under the guise of celebrating his new job before confiding in him about her scheme and dilemma in scaling it to national accounts. Francis offered Baggio a percentage of the proceeds if he could assist her with the fraud. He was receptive to the offer and told her he would open a bank account at his new branch under the name Original Retail In Online News (ORION). That way, checks made out to Orion could be deposited into the account with little scrutiny by bank auditors. </p><p>Francis knew that national customers would question being billed by Tradewinds but theorized that a change of billing address may go undetected. She created a change of billing address letter for her national account customers and instructed them to mail checks to a post office box. 
As suspected, many of her national account customers simply made the change of billing address in the accounts payable system and checks began appearing in Francis’ post office box. Upon receipt, she would overnight the checks to Baggio, who would deposit them in the bank account under his control.</p>
<p>Amanda Olson was a recent hire in the accounting department at Orion. Her first assignment was to look at a series of transfers of overpayments made by Francis between customer accounts. Confused, she called Francis for an explanation. Francis rudely dismissed Olson and ordered her to make the transfers as instructed. Olson reported the encounter to her manager. She knew something was awry with Francis’ transferred overpayments from customer account to customer account.</p>
<p>Orion’s internal audit department knew Francis was no stranger to questionable business practices. Just the year before, she attempted to earn the new customer bonus by misrepresenting the owner of an existing customer who started a new business. Francis was reprimanded when it was discovered. Because of her strong performance, management was unwilling to part ways with her. Schull, who had interviewed Francis the year before, knew she could be difficult and decided to interview her face to face. When she confessed to Schull, he began a companywide investigation that uncovered a similar scheme her boss was conducting that netted him more than $1 million.</p>
<p>Orion contacted local law enforcement. For her actions, Francis was sentenced to two years in prison. Baggio was also arrested and served time in prison.</p>
<p>Grant Wahlstrom</p>
<h2><a href="https://iaonline.theiia.org/2021/Pages/The-Many-Facets-of-Procurement-Fraud.aspx">The Many Facets of Procurement Fraud</a></h2>
<p>Procurement is one of the most important functions of business, impacting strategy, operational performance, and risk management. Internal auditors are key players in the process, providing assurance that procurement practices foster access, competition, and fairness.</p>
<p>Internal auditors also have a responsibility to promptly identify and report deceptive activity, and provide recommendations that strengthen internal controls. Internal auditors must be alert to red flags for dishonest conduct in procurement activities that can lead to significant financial losses for the organization. Red flags can alert internal auditors to four common methods of procurement fraud and give them the foresight to make recommendations that prevent it in the future.</p>
<h3>Contractor Collusion</h3>
<p>To avoid competing with one another, or to inflate the price of goods and services, contractors in the same market will work together to circumvent a transparent and ethical bidding process. As a result, the procurement entity loses its right to fair, ethical, and competitive prices. Internal auditors should be aware of several types of collusion among contractors.</p>
<p><strong>Complementary Bidding</strong> In an effort to influence the contract price and who it is awarded to, contractors intentionally submit false token bids in the procurement process that appear to be genuine. Token bids typically are too high to be accepted, appear to be competitive but do not meet other bidding requirements, or contain special terms and conditions known to be unacceptable to a potential buyer.</p>
<p><strong>Bid Rotation</strong> Instead of bidding competitively, two or more contractors tacitly agree to submit tailored bids and conspire to alternate the business among themselves. 
Each contractor wins a portion of the total business.<br></p><p>For example, Suppliers A, B, and C are bidding on three separate contracts. They agree that A's bid will be the lowest on the first contract, B's will be the lowest on the second, and C's on the third. So, no one gets all three contracts, but each gets a share. Meanwhile, they may also plan their bids to raise the contract price artificially. Often, losing bidders are appointed as subcontractors by the winning contractor to tide over their cash flow while they wait for their winning bid.<br></p><p><strong>Bid Suppression</strong><strong> </strong>Bids are suppressed when two or more contractors enter into an unlawful agreement, and one or more conspirators abstain from bidding on proposals. They also may withdraw a previously submitted bid with the goal of getting the desired bid accepted.<br></p><p><strong>Market Division</strong><strong> </strong>Colluding contractors may divide the market according to various criteria, such as geographic area or different segments. Firms that meet the same criteria will not bid against each other, may submit complementary bids, or may rotate bids. Market division also can happen via shell companies used to submit fictitious bids. This allows the real companies to inflate prices because the fraudulent bids are designed to validate the higher price quoted by the real bidder.<br></p><p>When trying to determine this type of collusion, internal auditors may notice peculiar behavior from contractors, such as unqualified contractors consistently bidding high on each project while qualified contractors don't submit bids at all. The winning bidder uses the losing bidder as a subcontractor and losing bids are poorly prepared and designed to fail. 
In addition, prices fall when a new contractor enters the competition and there may be a pattern of conduct whereby the last party to submit a bid wins the contract.<br></p><h3>Collusion Between Contractors and Buyer's Employees<br></h3><p>A contractor or supplier may attempt to get an advantage in the bidding process by influencing the procuring company's staff with bribes, gifts, and hospitality. This results in a higher cost to the buyer through various<strong><em> </em></strong>inside schemes.<br></p><p><strong>Need Recognition</strong><strong> </strong>A procuring company employee who is in on the scheme may overestimate — quantitatively or qualitatively — the actual need of the product/service and convince his or her supervisor of the excessive need to get the procurement authorized.<br></p><p>Internal audit should be alert to some common red flags to identify likely collusion. For example, the needs assessment may be inadequately developed or inaccurately documented. It also is likely that no alternative supplier has been identified, resulting in continuous procurement from a single source. Specifications may be drawn up in a way that only particular suppliers or contractors can deliver, and purchases may be made without receiving reports. Auditors also may come across excessive inventory levels or large write-offs to justify excessive purchases.<br></p><p><strong>Bid Tailoring</strong><strong> </strong>In this situation, the corrupt employee manipulates specifications to suit a preferred contractor or supplier and eliminate competitors. 
Specifications may be too narrow to accommodate the preferred supplier, too broad so that an otherwise unqualified contractor is qualified, or vague so that bid specifications are omitted to allow the preferred contractor to raise the price through contract amendments.<br></p><p>Some red flags include weak control over the bidding process, one or few bid responses to invitations, a contract not being rebid despite fewer than the minimum bidders, or a high number of competitive awards going to one supplier. It also is likely that the request for bid submissions does not provide clear submission information, or the specifications for the type of goods/services being procured are too narrow or broad. Bid tailoring often is accompanied by a large number of change orders or variations after the order is placed.<br></p><p><strong>Manipulating Bids</strong><strong> </strong>Corrupt employees may tamper with bids to favor particular contractors or suppliers by using obscure publications to publish bid solicitations, opening bids prematurely, extending bid opening dates without justification, discarding or losing a bid, accepting delayed bids, falsifying bid registers, or altering bids received. Often, they limit the time for submitting bids so that only those with advance notice have time to prepare and submit. Unethical employees may even void bids for unsubstantiated, frivolous errors in specification or for other false, arbitrary, or personal reasons.<br></p><p><strong>Bid Splitting</strong><strong> </strong>In this case,<strong> </strong>employees break a large project into several small projects that fall below the mandatory bidding threshold and award some or all of the component jobs to a contractor or supplier with whom they are conspiring. 
Internal auditors should be alert for multiple, similar, or identical procurement from the same party, unjustified split procurements in amounts that are just under the upper-level review or competitive bidding threshold, or sequential procurements just under the upper-level review or competitive bidding threshold. This may be followed by change order abuse.<br></p><p><strong>Unjustified Sole-source Procurements</strong><strong> </strong>Dishonest employees may use noncompetitive procurement to exclude competition and steer contracts toward particular vendors. Justification for sole-source contracting occurs when the product is available from only the single source, when exigent circumstances preclude competitive solicitation, or when solicitation is deemed inadequate after a reasonable search.<br></p><p>Telltale signs of this collusion include frequent use of sole-source procurement contracts — often to the same supplier — or requests for sole-source procurements when there is an available pool of contractors to compete for the project. Often, the procuring staff does not keep accurate minutes of pre-bid meetings or does not obtain the required review for sole source justification. Again, false statements may be made to justify noncompetitive procurements or justifications may be approved by employees without authority.<br></p><h3>Negotiated Contract Pricing Schemes <br></h3><p>Negotiated contracts are more common in circumstances where conditions are not conducive to competitive, sealed bidding. It is a contracting method that permits negotiations between the procurement entity and potential contractors. In negotiated contracting, potential contractors submit cost or pricing data, such as vendor quotes or already-attained discounts. 
Unethical contractors will intentionally use inaccurate cost or pricing data to inflate costs in negotiated contracts.<br></p><p>Internal auditors should look for inaccurate or incomplete documentation provided by the contractor to support cost proposals. Sometimes, the contractor may delay providing supporting documentation for cost or pricing data, which may be inconsistent with actual prices or out-of-date pricing. It also is possible that the contractor does not include its negotiated discounts or rebates, or includes an unrealistic profit margin in pricing. Sometimes, contractors use different vendors and subcontractors during contract performance than the ones named in the original proposal. It is also possible that materials and components used are different than the ones included in the original proposal.<br></p><h3>Post-contract Schemes <br></h3><p>Fraud in the post-contract phase mainly focuses on contract management and payments made on contracts. Most organizations use an electronic accounts payable system with key controls around separation of duties between requisition, ordering, checking receipts of goods/services, and authorizing payments. Schemes are designed, often in collusion with in-house staff, to bypass these controls.<br></p><p><strong>Nonconforming Goods or Services</strong><strong> </strong>Here, the supplier intentionally delivers goods or services that do not conform to agreed specifications, substituting cheaper or inferior products. One red flag for internal auditors is a high percentage of returns or defects for noncompliance with specifications. Another red flag could be missing, altered, or modified product compliance certificates or compliance certificates signed by employees with no quality assurance responsibilities. 
Contractors and suppliers should not be allowed to select the sample of goods to be tested for quality assurance, prepare it for testing, or perform their own testing using their personnel and facilities.<br></p><p><strong>Change Order Abuse</strong><strong> </strong>Change orders and variations are written agreements between the procuring entity and the contractor to make changes to the finalized contract. This is a scheme whereby colluding parties — the contractor and the procuring staff — submit and accept a lower bid to win/award a contract and later bump up the cost via change orders or variations. These typically receive less scrutiny than the usual procurement contracts, which makes them vulnerable to dishonest contractors and employees looking to misuse and abuse established procurement processes for their own gain.<br></p><p>Change order misuse often is characterized by poor internal controls, making it difficult for management to ensure that all change orders are really necessary for work that was unknown at the time the contract was awarded. Usually, procurement employees act out of scope and numerous change orders are justified on a variety of grounds, including the need to substitute more expensive alternatives, unavailability of material or equipment, change in price, and inflation. There is, usually, a repeated pattern of change orders that increases the price, scope, or agreement period. Internal auditors may also find questionable change orders favoring particular contractors.<br></p><p><strong>Cost Mischarging</strong><strong> </strong>Here, the contractor charges the procuring entity for costs that are unreasonable or unallowable. They also may charge costs that cannot be allocated directly or indirectly to the contract, or may mischarge for accounting, labor, or materials. Internal auditors should be alert to inadequate or absent audit trails supporting the costs charged. 
Sometimes cost estimates are inconsistent with prices charged or the contractor may even use outdated standards.</p>
<h3>Mitigating Fraud</h3>
<p>Internal auditors should be alert to distorted rationalizations used by staff and managers to justify noncompliance with established policies, procedures, and practices. Ultimately, it is management's responsibility to take appropriate steps to prevent fraud and minimize procurement risks. This is done through data analytics implementation, strengthening the first two lines in the internal control structure, and staff awareness and training to identify vulnerabilities in the procurement process. The overarching requirement is to improve organizational culture, whereby ethical breaches are identified and reported by employees early and rectified promptly.</p>
<p>Subhasis Sen</p>
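<p>An added example, not part of the original article: a scan of purchase orders for the bid-splitting red flags listed above, meaning repeated awards from one employee to one supplier, each under the competitive bidding threshold, placed close together and adding up to more than the threshold. The orders, names, threshold, and time window are constructed assumptions.</p>

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values; substitute the organization's own.
BID_THRESHOLD = 50_000          # orders at or above this must be competitively bid
NEAR_FRACTION = 0.90            # "just under" means at least 90% of the threshold
WINDOW = timedelta(days=30)     # orders this close together are treated as related


@dataclass
class Order:
    po: str
    vendor: str
    buyer: str                  # employee who raised the order
    placed: date
    amount: int


# Constructed sample purchase orders (hypothetical vendors and employees).
ORDERS = [
    Order("PO-101", "Acme Paving", "jdoe", date(2021, 3, 1), 48_500),
    Order("PO-102", "Acme Paving", "jdoe", date(2021, 3, 4), 49_200),
    Order("PO-103", "Acme Paving", "jdoe", date(2021, 3, 9), 47_900),
    Order("PO-201", "Birch Supply", "asmith", date(2021, 1, 10), 12_000),
    Order("PO-202", "Birch Supply", "asmith", date(2021, 6, 15), 15_000),
    Order("PO-301", "Cedar IT", "jdoe", date(2021, 2, 1), 80_000),
    Order("PO-302", "Cedar IT", "jdoe", date(2021, 2, 10), 9_000),
    Order("PO-401", "Delta Office", "asmith", date(2021, 4, 1), 20_000),
    Order("PO-402", "Delta Office", "asmith", date(2021, 4, 20), 18_000),
]


def find_split_candidates(orders, threshold=BID_THRESHOLD, window=WINDOW):
    """Flag vendor/buyer pairs whose sub-threshold orders, placed within
    `window` of each other, together reach the bidding threshold."""
    groups = defaultdict(list)
    for order in orders:
        # Orders at or above the threshold went through bidding; skip them.
        if order.amount < threshold:
            groups[(order.vendor, order.buyer)].append(order)

    findings = []
    for (vendor, buyer), items in groups.items():
        items.sort(key=lambda o: o.placed)
        start, running, best = 0, 0, None
        for end, order in enumerate(items):
            running += order.amount
            # Slide the window start forward until it spans at most `window`.
            while order.placed - items[start].placed > window:
                running -= items[start].amount
                start += 1
            if end - start >= 1 and running >= threshold:
                if best is None or running > best[0]:
                    best = (running, items[start:end + 1])
        if best:
            best_total, cluster = best
            findings.append({
                "vendor": vendor,
                "buyer": buyer,
                "pos": [o.po for o in cluster],
                "total": best_total,
                # How many orders sit just under the threshold.
                "near_threshold": sum(
                    1 for o in cluster if o.amount >= NEAR_FRACTION * threshold),
            })
    return sorted(findings, key=lambda f: f["total"], reverse=True)


if __name__ == "__main__":
    for f in find_split_candidates(ORDERS):
        print(f"{f['vendor']} / {f['buyer']}: {len(f['pos'])} orders "
              f"totalling {f['total']:,} ({f['near_threshold']} just under "
              f"threshold): {', '.join(f['pos'])}")
```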
<h2><a href="https://iaonline.theiia.org/2021/Pages/The-Phony-Vendor-Fraud.aspx">The Phony Vendor Fraud</a></h2>
<p>Hunter Miller and Thomas Wynne had been friends since high school. They met up at a local bar to reminisce about their high school days and, eventually, their conversation took on a more serious tone.</p>
<p>"Once you send me the drilling pipe inspection information, I'll copy and paste it into an email using my Clean Pipe account to throw anyone off our trail," Miller said after sipping his beer. Wynne nodded in agreement.</p>
<p>The next morning, Miller reported to his job as a policeman and logged into his Clean Pipe email. He found Wynne's email waiting, copied its contents into a new message with his signature and Clean Pipe logo, and hit "send." If caught, he knew he could be charged with wire fraud.</p>
<p>That same morning, Wynne entered the headquarters of True Resources, one of Calgary's largest oil exploration and production operators, and sat at his desk. He had advanced rapidly within the company and was making good money, but felt he had stalled and deserved more. He logged into the intranet and initiated the process to request that Clean Pipe be added as a new vendor. It was simple: Enter the vendor name, address, point of contact, and business case.</p>
<p>Wynne then forwarded Miller's email to the drilling superintendent with a note at the top: "This company came highly recommended." Two days later, Wynne received an automated email from the procurement department letting him know Clean Pipe was approved as a vendor. He called Miller and told him that he could submit an invoice in a few weeks.</p>
<p>Wynne also convinced his father-in-law to use JX Oilfield Services, a now defunct business that he kept for tax purposes, as a vendor in the scheme. 
He was given access to JX Oilfield Services' email account, where he carefully crafted a message that he again forwarded to the drilling superintendent after he completed the process to add a new vendor.<br></p><p>For the next few months, Clean Pipe and JX Oilfield Services submitted invoices through the online invoicing system and Wynne approved them for payment. After they were paid, Wynne's portion was sent to him via Venmo. He and his accomplices couldn't believe how easy it was.<br></p><p>While celebrating at an expensive restaurant, Wynne, Miller, and their wives decided to include additional materials on Clean Pipe's invoices to increase the amount of money they'd be paid. Wynne planned to tell the drilling superintendent that Clean Pipe was giving them a discount on pipe, knowing that the company was stocking most of the pipe on location and the superintendent wouldn't be able to check inventory.<br></p><p>On the test run, Clean Pipe sent an invoice that included line items for inspection services and 25 pieces of pipe measuring 32' by 2 7/8". The invoice also indicated that the pipe was being shipped to a pipe-coating company to be treated before arriving on location. This was normal practice for True Resources, so anyone scrutinizing the invoices wouldn't see it as an issue unless someone called to confirm the pipe's whereabouts. Wynne approved the invoice, and the payment came a week later.<br></p><p>While the couples were on a lavish vacation over the holidays, True Resources' auditor, Kristin Jones, found herself reviewing notes from a third-party audit firm assigned to audit the company's vendors. Jones couldn't believe what she read. She called Matthew Downs, the auditor in charge. She apologized for disturbing him during the holidays but explained that she needed to review his notes.<br></p><p>"I didn't think anyone would get back to us until January," he said, before launching into his laundry list of findings. 
"We don't normally review invoices from recently-approved vendors, but Clean Pipe and JX Oilfield Services hit our radar." While performing a risk assessment of vendors appearing in certain general ledger accounts, they'd noticed that Clean Pipe seemed like an outlier, so they did a bit of due diligence. First, its website only listed residential work and nothing about oil was mentioned. Second, using background investigation software, they traced the listed principal, Miller, to the Calgary Police Service (CPS). This furthered their hunch that Clean Pipe was not<em> </em>an oilfield services company, so they started reviewing their invoices.<br></p><p>The audit team called Namkoong Pipe, the original supplier of the 32' by 2 7/8" pipe listed on Clean Pipe's invoices, and discovered that it didn't manufacture that size. Also, each invoice included shipping instructions to Shepherd Pipe Coating, so the auditors called the company's owner and inventory manager to verify. Both men stated that they had not conducted business with True Resources in some time, and they never received pipe from a company called Clean Pipe.<br></p><p>Downs then explained that they ran a duplicate invoice check of Clean Pipe field tickets against other vendors, and noted that the invoice numbers were almost identical to those from JX Oilfield Services. Moreover, the look and feel of the invoices from both companies was almost identical, as if the same person created both.<br></p><p>Downs continued, "When we ran JX Oilfield Services in our investigation software, we were able to connect the principal of that company to your company's vice president of Drilling, Mike Wynne."<br></p><p>After the call, Jones called the vice president of Internal Audit, which set off a rapid chain of events with True Resources' executive team, the CPS, and the Royal Canadian Mounted Police (RCMP).<br></p><p>Within six months, the couples raked in almost $1.5 million, which they split 50/50. 
After multiple interviews with the RCMP, Wynne, Miller, and their wives, and a forensic audit of Clean Pipe's and JX Oilfield Services' invoices and backup, multiple charges were brought against the two men and their wives, including wire fraud, embezzlement, and racketeering. Wynne and Miller were sentenced to four years in prison and ordered to pay restitution in the amount of $250,000 each. Their wives were each sentenced to two years in prison.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>Lessons Learned<br></strong><br><ul><li>Before onboarding a new vendor, perform a thorough due diligence review of its financial and operational background. Due diligence includes reviewing the vendor's website, blogs, YouTube channel, and LinkedIn posts to confirm the business case for onboarding reflects the online sources.</li><li>Vendor audits should be conducted as part of every organization's vendor management program. A vendor audit is performed to validate billing and contract compliance, and it can be enhanced with a visit to the vendor's work site and headquarters.</li><li>Vendor monitoring is a must. Consider using analytics to keep an eye on vendor spending trends, regulatory compliance, and adherence to company policies. Anomalies or red flags should be shared with internal audit, supply chain management, or the company's vendor representative.</li><li>Three-way matching is a critical procedure that helps prevent overspending or paying for an item never received. Many companies ensure there is a two-way match (a purchase order matched up against an invoice), but fraudsters can avoid detection if they both create the purchase order and approve the invoice. The important piece of the puzzle is the independent person who inspects and receives the goods. 
Segregation of duties is a key element in this process.<br></li></ul></td></tr></tbody></table><p></p>Rick Roybal
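<p>The three-way match and the cross-vendor invoice-number check described in this case can be sketched in Python as follows. This is an added example, not code from the article; the record layout, user IDs, vendor labels and sample data are constructed assumptions.</p>

```python
import re
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor: str
    qty: int
    created_by: str


@dataclass(frozen=True)
class GoodsReceipt:
    po_id: str
    qty_received: int
    received_by: str  # the independent person who inspects and receives goods


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    vendor: str
    po_id: Optional[str]
    qty: int
    approved_by: str


def three_way_match(inv: Invoice,
                    pos: Dict[str, PurchaseOrder],
                    receipts: Dict[str, List[GoodsReceipt]]) -> List[str]:
    """Return findings for one invoice; an empty list means all three documents agree."""
    po = pos.get(inv.po_id) if inv.po_id else None
    if po is None:
        return ["NO_PURCHASE_ORDER"]
    findings = []
    if po.vendor != inv.vendor:
        findings.append("VENDOR_MISMATCH")
    grs = receipts.get(po.po_id, [])
    if not grs:
        findings.append("NO_GOODS_RECEIPT")
    elif inv.qty > sum(g.qty_received for g in grs):
        findings.append("BILLED_MORE_THAN_RECEIVED")
    if inv.qty > po.qty:
        findings.append("BILLED_MORE_THAN_ORDERED")
    # Segregation of duties: the approver must not also have raised the
    # purchase order or signed for the goods.
    actors = {po.created_by} | {g.received_by for g in grs}
    if inv.approved_by in actors:
        findings.append("SOD_VIOLATION")
    return findings


def similar_invoice_numbers(invoices: List[Invoice],
                            max_gap: int = 3) -> List[Tuple[str, str]]:
    """Pairs of invoices from different vendors whose numeric parts nearly coincide."""
    def numeric(invoice_no: str) -> Optional[int]:
        digits = re.sub(r"\D", "", invoice_no)
        return int(digits) if digits else None

    hits = []
    for a, b in combinations(invoices, 2):
        na, nb = numeric(a.invoice_no), numeric(b.invoice_no)
        if a.vendor != b.vendor and na is not None and nb is not None \
                and abs(na - nb) <= max_gap:
            hits.append((a.invoice_no, b.invoice_no))
    return hits


# Constructed sample data (not taken from the case).
POS = {
    "PO-100": PurchaseOrder("PO-100", "Vendor A", 25, "u.manager"),
    "PO-101": PurchaseOrder("PO-101", "Vendor C", 10, "u.buyer"),
}
RECEIPTS = {"PO-101": [GoodsReceipt("PO-101", 10, "u.store")]}
INVOICES = [
    Invoice("A-20413", "Vendor A", "PO-100", 25, "u.manager"),  # nothing received, self-approved
    Invoice("B-20414", "Vendor B", None, 5, "u.manager"),       # no purchase order at all
    Invoice("C-88120", "Vendor C", "PO-101", 10, "u.finance"),  # clean
]


def review(invoices: List[Invoice] = INVOICES) -> Dict[str, List[str]]:
    return {i.invoice_no: three_way_match(i, POS, RECEIPTS) for i in invoices}


if __name__ == "__main__":
    for number, findings in review().items():
        print(number, findings or "OK")
    print("near-identical numbers across vendors:", similar_invoice_numbers(INVOICES))
```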
The Diesel Fuel Heist
https://iaonline.theiia.org/2021/Pages/The-Diesel-Fuel-Heist.aspx
<p>Veronica Vanatamm was the internal auditor for East Mining Co. (EMC), an underground mining company that relied on heavy machinery powered by diesel fuel it purchased from Best Fuel Plc. Vanatamm was assigned to audit whether the diesel fuel consumed by EMC’s machinery was accounted for correctly and whether fraud risks were mitigated. </p><p>When Vanatamm began the audit, she learned that the main refueling facility was located at EMC’s mine site, but the equipment and diesel fuel in the tanks were owned by Best Fuel. EMC drivers purchased diesel fuel in the same way as at an ordinary gasoline station. After refueling, EMC drivers received receipts that they would submit to EMC accounting. Best Fuel transferred information about refueling electronically to EMC at the end of each month. <br></p><p>EMC vehicles had the capacity to carry 5,000 liters of diesel. After refueling, they transported diesel fuel to the underground mine and dispatched it to 12 underground tanks for trucks, loaders, and stationary mining machinery. Carrying vehicles had fuel pistols with meters and underground tanks had fuel counters. </p><p>EMC became the owner of the diesel fuel when the vehicle used to transport diesel underground tanked at Best Fuel’s main on-land facility. So, Vanatamm had to trace diesel from the time it was purchased until its usage was recorded and reported. She decided to test whether the balancing equation worked. Namely, whether the monthly end balance equaled the balance at the beginning of the month plus the purchased amount, minus the amount consumed by the machines. </p><p>EMC performed a physical inventory of the underground fuel tanks every Sunday and the first day of the month, and compared actual measurements to expected calculated results. 
The calculated results were based on sales receipts from Best Fuel and meter readings from the underground tanks. Vanatamm extracted data for three months and discovered the physically measured balance of diesel fuel was always precisely the same as the calculated end balance. There never was a single liter difference. She became suspicious and extracted a new data set looking at two years’ worth of data. Still, there was always an exact match.</p><p>Vanatamm discussed her concern with Peter Kirs, the mine’s main engineer. He told her that EMC reconciled the physical inventory balance with the calculated inventory balance. However, the reconciliation required an additional adjustment. During this step, any differences between the measured physical end balance and calculated end balance were solved. Kirs explained that diesel fuel contracts and expands depending on the temperature of the environment. The mine maintains a temperature of 8 degrees Celsius, so, during winter months when it is colder outside, the diesel expands in the underground tanks. However, during summer months, when it is warmer outside, the diesel contracts in the underground tanks. As a result, Kirs explained to Vanatamm, it was not possible to conduct precise verifications without automated corrections that took into account those peculiarities. </p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>​<strong>Lessons Learned</strong></p><ul><li>When conducting an operational audit, technical nuances and peculiarities of business processes must be investigated so that auditors fully understand what the purpose of each procedure is. It could indicate that a claimed control is an actual control or a smart workaround to conceal process deficiencies.</li><li>Understand the data. Data that is perfect or close to perfect may have another story to tell. 
Internal auditors should pay attention and try to comprehend the story behind it. </li><li>Sometimes it is more convenient for managers not to see fraud, even if it takes place on their watch. Management might be content with explanations of anomalies as long as the reasoning is plausible. The role of any diligent auditor is to work closely with management, and advise and train them on fraud risks and anomalies.<br></li></ul></td></tr></tbody></table><p>Vanatamm decided to verify Kirs’ statements. She inquired with the IT department on exactly how the automatic algorithm worked and obtained data before corrections. From data and algorithm analysis, she found that Kirs’ statement regarding contraction and expansion of diesel due to changes in temperature was not the main reason automatic corrections were introduced into the process. </p><p>Vanatamm discovered that almost every month, the physical inventory of diesel fuel measured considerably less than it was supposed to, according to expected, receipts-based calculations. In addition, the variances existed in both winter and summer months. The algorithm always neatly enlarged the amount of diesel issued from underground tanks so that figures would equal the calculated ones. </p><p>Vanatamm observed that there were substantial differences between purchased amounts and the diesel month-end balance that could not be fully explained either by temperature changes or by imprecise counters. Her recommendation was to inspect all tanks and vehicles and calibrate all meters that belonged to EMC. </p><p>Three months later, Anton Pavlovski was appointed as the new main mining engineer. He implemented Vanatamm’s audit recommendations and spoke to her about their shared feelings that diesel fuel was possibly being stolen. Vanatamm pointed out that because there was video surveillance near the underground tanks, she did not think fuel was being stolen there. 
She believed that the weakest point in the process was in the transportation of fuel from the ground facility to the underground tanks. Pavlovski placed the refueling facility under video surveillance, which captured one of the drivers making a strange gesture near the diesel pistol. He conducted a site visit of the refueling facility with representatives of Best Fuel, where they discovered a backflow pipe with a tap. </p><p>The team found that EMC drivers would open the backflow tap during the fueling process, allowing diesel fuel to flow back into Best Fuel’s tank. The backflow was not recorded. For example, while fueling a 5,000 liter tank, the driver opened the backflow tap, allowing 300 liters of diesel fuel to flow back into Best Fuel’s tank. The driver would close the tap, collect the receipt for 5,000 liters, and transport 4,700 liters underground.</p><p>The investigation found that the backflow scam had been in place for more than 10 years and every EMC vehicle driver was involved. Each driver would report how many liters were pumped back to a “cashier” at Best Fuel and would be paid for each liter. Shortages were concealed with the help of the work-around algorithm, shrinkage and expansion explanations, and imprecise underground meters. </p><p>The investigation results were submitted to the authorities, and a criminal investigation was initiated. Management at Best Fuel claimed to have no knowledge of any diesel surplus and said that there was never any intention to defraud EMC. EMC drivers involved in the scam were fired and investigated by police. Financial loss was estimated to be in the hundreds of thousands of dollars; however, not all of it was possible to prove.<br></p>Anna Kon
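<p>The balancing test in this case (end balance = opening balance + purchases − consumption), run on both the corrected figures and the pre-correction meter data, can be sketched in Python as follows. This is an added example, not code from the article; the field names, the 1% tolerance and the monthly figures are constructed assumptions.</p>

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class MonthRecord:
    month: str              # "YYYY-MM"
    opening_l: int          # physical balance at start of month, litres
    purchased_l: int        # litres per supplier receipts
    issued_raw_l: int       # tank meter readings before automatic correction
    issued_adjusted_l: int  # figure left in the books after the correction
    physical_close_l: int   # measured balance at month end


def variance(rec: MonthRecord, use_raw: bool) -> int:
    """Measured closing balance minus the balance the equation predicts."""
    issued = rec.issued_raw_l if use_raw else rec.issued_adjusted_l
    expected_close = rec.opening_l + rec.purchased_l - issued
    return rec.physical_close_l - expected_close


def analyse(records: List[MonthRecord], tolerance_pct: float = 1.0) -> Dict[str, object]:
    """Compare booked (adjusted) and raw variances.

    tolerance_pct is an assumed allowance, as a percentage of the month's
    purchases, for meter imprecision and thermal expansion or contraction.
    """
    adjusted = [variance(r, use_raw=False) for r in records]
    raw = {r.month: variance(r, use_raw=True) for r in records}
    limit = {r.month: r.purchased_l * tolerance_pct / 100 for r in records}
    flagged = [m for m, v in raw.items() if abs(v) > limit[m]]
    return {
        # A reconciliation that never differs by a single litre is itself a red flag.
        "adjusted_always_zero": all(v == 0 for v in adjusted),
        "flagged_months": flagged,
        # Temperature effects would change sign between seasons; theft does not.
        "one_sided_shortfall": bool(flagged) and all(raw[m] < 0 for m in flagged),
        "unexplained_litres": sum(-raw[m] for m in flagged if raw[m] < 0),
    }


# Constructed sample data: two winter and two summer months.
SAMPLE = [
    MonthRecord("2020-01", 10000, 50000, 46800, 50000, 10000),
    MonthRecord("2020-02", 10000, 40000, 35600, 38000, 12000),
    MonthRecord("2020-07", 12000, 45000, 42500, 45500, 11500),
    MonthRecord("2020-08", 11500, 50000, 48100, 51300, 10200),
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```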
A Jackpot Win
https://iaonline.theiia.org/2021/Pages/A-Jackpot-Win.aspx
<p>When Jenny Smith, a store manager for Australian retail chain Kangaroo Konvenience, realized she could easily defraud her employer by exploiting its point-of-sale (POS) system, she seized the opportunity. Her unsegregated sale and reconciliation duties allowed her to validate lottery tickets for herself without logging the sale in the system, leading to sizeable losses for the chain.</p><p>As in many countries, lotteries in Australia are state-run as a way of raising state revenues. Typically, about half of ticket sales are spent on marketing, administration, and gaming taxes, while the remainder is returned to the prize pool. While low-value prizes are mathematically frequent, the possibility of winning millions, despite its low probability, engenders player loyalty. On average, players win 30% to 40% of their ticket spend, leading players to believe that a jackpot win is imminent. Acting as a lottery agent can be profitable for retailers that benefit from lottery customer foot traffic, as well as earning a commission of about 10% on each ticket sold. </p><p>Lottery tickets have several controls to prevent cheating the state, including electronic codes that guard against counterfeiting, alteration, or duplication. In Australia, each ticket sold by the retailer must be validated and time stamped in the state government's independent POS system to participate in the game. After game validation, the retailer must enter the sale into its own POS system and collect payment. </p><p>Although the two systems should record identical lottery transactions, the risk falls to the retailer if they do not. The retailer sells the ticket at 100% of its face value, retains approximately 10% as commission income, and remits the remaining 90% of the ticket price back to the state. So, the theft of a single lottery ticket costs the retailer nine times the amount of the earned commission. 
Under The IIA's Three Lines Model, Kangaroo's first-line function includes a daily reconciliation of all lottery transactions between the two systems to ensure that every ticket activated in the state's POS system is also paid for in full in Kangaroo's POS system. </p><p>Second-line head office monitoring controls provide additional assurance that in-store controls log all ticket sales. Monitoring by the head office was slightly complicated by the different lottery games across Kangaroo's store portfolio, occasional keying errors by staff when entering transactions, low-value cash payouts to in-store customers, and the sale of syndicated tickets to groups of customers that required unsold portions to be charged back to the retailer by the state. Second-line controls were difficult for new head office staff to grasp unless they had in-store experience or were adequately briefed during induction. </p><p>By not logging the sale in Kangaroo's POS system, Smith knew the absent ticket sales would not appear on Kangaroo's end-of-day cash till, so an end-of-day cash variance would not arise. This first-line failure meant Kangaroo was charged by the state for the validated tickets even though the tickets had not been paid for. </p><p>It was second-line control lapses at Kangaroo's head office during a finance supervisor's maternity leave that enabled Smith's fraud to go unnoticed. A replacement staff member spotted the control failure, but she also went on leave before it could be remedied. Against earlier advice from Kangaroo's internal auditors, job handover during staff changeovers remained poor and controls undocumented, so new staff members did not understand the in-store risk or the absence of second-line controls.</p><p>Even worse, Smith figured she could outsmart the head office by entering fake lottery winnings into Kangaroo's POS system to steal cash from the till, which she fraudulently logged as genuine prize payouts. 
Her stolen lottery tickets and the 30% to 40% average winnings per fake player were further supplemented by direct cash thefts from the till masked as genuine prize payouts, which allowed her to pocket more than AU$100,000 (US$77,000) over a two-year period. </p><p>The declining lottery commission margin was finally noticed after another staff change at Kangaroo's head office, which led to the discovery that the lottery control account was not oscillating around zero as expected. An after-hours visit to the store by management revealed the first-line store controls had lapsed under Smith. When interviewed, she confessed to what she was doing. <br></p><p>Smith first realized the opportunity when she erroneously processed a ticket sale that was never investigated by the head office. A gambling addiction and the intent to repay the money after she won the jackpot was how she rationalized her actions, which grew in intensity when she realized she could win 30% to 40% of the payouts built into the lottery system on tickets she obtained free of charge. </p><p>Management engaged internal audit to research and explain the control failures to it and the audit committee. The auditors used data mining to identify specific theft occurrences by matching state government lottery transactions to the retailer's sales and payouts. They also used the technology to cross match staff time sheets to check whether other store staff may have been involved and determine if similar frauds occurred at other stores. This enabled internal audit to piece together the make-believe lottery cash payouts and ticket theft fraud.</p><p>Smith was immediately fired and forfeited all accrued employment benefits, but she was not prosecuted as police and lawyers determined Kangaroo was at fault through failing to exercise first-line and second-line controls. 
</p><p>Matt Knight, the financial controller, was fired because he failed to spot second-line control lapses by the finance supervisors in his charge. Plus, Knight had several actions from unrelated internal audits that were overdue. The area manager also was dismissed for failing to oversee in-store reconciliations, along with the dubiously titled loss prevention manager.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>​Lessons Learned</strong></p><ul><li>As Kangaroo Konvenience's smallest out-of-town store, duties were not segregated and visits by management and internal audit were infrequent. Staff members were reminded of the importance of segregating duties and carrying out supervisory visits, or otherwise repurposing small stores if their risks cannot be controlled. <br><br></li><li>Control accounts are designed to oscillate around zero as reversing transactions self-cancel, or otherwise show a growing imbalance. In this case, the financial controller's team had ignored the control account imbalance warning.<br><br></li><li>Staff turnover in head office second-line oversight, combined with undocumented controls, was a red flag. Updated controls should be recorded in process playbooks that can help sustain control continuity when someone is filling in for another employee on leave or when training new staff members. <br><br></li><li>Head office staff members with no in-store experience should be required to visit stores at least twice per year to participate in, and better understand, first-line controls.<br><br></li><li>The fraud prompted management to improve controls and make staff changes resulting in reduced salary costs and promotion of capable juniors into the newly vacant roles. 
These enhancements recouped Kangaroo's losses by refreshing and strengthening the head office finance and loss prevention teams.</li></ul></td></tr></tbody></table><p></p>Christopher Kelly
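<p>The data-mining step in this case, matching state lottery records to the retailer's POS sales and payouts and then cross-matching exceptions to staff time sheets, can be sketched in Python as follows. This is an added example, not code from the article; the record fields, the assumption that both systems share a ticket ID, the staff codes and all sample data are constructed.</p>

```python
from collections import Counter
from datetime import datetime
from decimal import Decimal

COMMISSION_RATE = Decimal("0.10")  # "about 10%" per the article


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def on_duty(shifts, when):
    """Staff whose time-sheet shift covers the given moment."""
    return sorted(name for name, start, end in shifts if start <= when < end)


def reconcile(state_validations, state_prizes, pos_sales, pos_payouts, shifts):
    # Tickets activated in the state system but never rung up in the retailer's POS.
    sold_ids = {s["ticket_id"] for s in pos_sales}
    unpaid = [v for v in state_validations if v["ticket_id"] not in sold_ids]
    # The retailer still owes the state 90% of face value for each of them.
    exposure = sum((v["face_value"] * (1 - COMMISSION_RATE) for v in unpaid),
                   Decimal("0"))
    # POS prize payouts with no matching prize in the state records.
    prize_by_ticket = {p["ticket_id"]: p["amount"] for p in state_prizes}
    fake = [p for p in pos_payouts
            if prize_by_ticket.get(p["ticket_id"]) != p["amount"]]
    # Cross-match every exception to who was on shift at the time.
    staff = Counter()
    for event in unpaid + fake:
        staff.update(on_duty(shifts, event["time"]))
    return {
        "unpaid_tickets": [v["ticket_id"] for v in unpaid],
        "remittance_exposure": exposure,
        "unsupported_payouts": [p["ticket_id"] for p in fake],
        "cash_paid_out": sum((p["amount"] for p in fake), Decimal("0")),
        "staff_on_duty": staff,
    }


# Constructed sample data for one store over two days.
STATE_VALIDATIONS = [
    {"ticket_id": "T1", "face_value": Decimal("10.00"), "time": ts("2021-03-01 09:15")},
    {"ticket_id": "T2", "face_value": Decimal("20.00"), "time": ts("2021-03-01 18:40")},
    {"ticket_id": "T3", "face_value": Decimal("10.00"), "time": ts("2021-03-02 18:55")},
]
STATE_PRIZES = [{"ticket_id": "T1", "amount": Decimal("15.00")}]
POS_SALES = [{"ticket_id": "T1", "amount": Decimal("10.00")}]
POS_PAYOUTS = [
    {"ticket_id": "T1", "amount": Decimal("15.00"), "time": ts("2021-03-01 12:00")},
    {"ticket_id": "X9", "amount": Decimal("50.00"), "time": ts("2021-03-02 19:05")},
]
SHIFTS = [
    ("S01", ts("2021-03-01 08:00"), ts("2021-03-01 20:00")),
    ("S02", ts("2021-03-01 08:00"), ts("2021-03-01 16:00")),
    ("S01", ts("2021-03-02 12:00"), ts("2021-03-02 20:00")),
    ("S03", ts("2021-03-02 08:00"), ts("2021-03-02 16:00")),
]


def run_demo():
    return reconcile(STATE_VALIDATIONS, STATE_PRIZES, POS_SALES, POS_PAYOUTS, SHIFTS)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```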
Where Were the Internal Auditors?
https://iaonline.theiia.org/2021/Pages/Where-Were-the-Internal-Auditors.aspx
<p>Most internal auditors dread hearing management ask, “Where were the auditors?” — particularly when it relates to fraud. The moment fraudulent activity is uncovered, organizational stakeholders often blame the auditors even before holding perpetrators accountable. As a result, auditors can find themselves on the defensive and fail to engage in valuable activities such as consulting — they lack trust and fear reprisal in the event of any unforeseen fraud or operational errors in the areas for which they provided services. So rather than covering their organizations against fraud, internal auditors frequently seek to cover their backs. It is time for that to change.</p><p>Clinging to a fear-based approach represents a disservice to the organization and its stakeholders, depriving them of internal audit’s expertise and assurance. Auditors need to help ensure systems are established throughout the organization to manage fraud risks effectively. They can accomplish that by addressing several areas.</p><p>First, internal auditors need to partner with the board and management to fraud-proof their organizations. Developing relationships with these stakeholders is critical to identifying potential risks, as they possess key information regarding where those risks may lie. Additionally, practitioners need to share their knowledge and ensure stakeholders have the benefit of internal audit’s unique purview of the organization. </p><p>They also must help ensure anti-fraud controls are strong and robust. Auditors play an important role in assessing the effectiveness of key anti-fraud controls, such as the presence of an effective code of conduct, whistleblowing system, and external audit selection and oversight process. 
Auditors should proactively diagnose process weaknesses; they should also push for the implementation of preventive automated controls. </p><p>Furthermore, auditors must take governance considerations into account. They should conduct a governance audit with a specific focus on conflicts of interest, segregation of duties, and related-party transactions. They also should audit culture and provide recommendations that can help align the organization’s value system with the behaviors of all stakeholders. Moreover, conducting a thorough assessment of nomination and remuneration policies can enhance the organization’s ability to hire qualified, ethical board members and executives and help ensure remuneration policies do not incentivize fraud.</p><p>Although internal auditors are not responsible for identifying a specific fraud, they may be held accountable for not addressing foundational weaknesses that can enable and promote fraud within the organization. Helping to fortify anti-fraud controls and ensure the organization constructs processes with the potential for fraud in mind is essential to organizational health. Once auditors address fraud risk effectively, they can answer the question “Where were the auditors?” with a simple reply: “We were here all along.”<br></p>Mohamad Kaissi
The Lucrative Library Fraud
https://iaonline.theiia.org/2021/Pages/The-Lucrative-Library-Fraud.aspx
<p>“This is a very surprising allegation,” said the library manager during an interview with auditors. When the Office of the City Auditor in Austin, Texas, initially looked into an accusation that a staff member of the Austin Public Library was buying printer toner with the library’s credit card and reselling it out of his garage, library staff reported that nothing appeared to be particularly out of place. The auditors were repeatedly told that Randall Whited, the accounting associate who, according to auditors, allegedly stole at least $1.3 million in printer toner while employed with the library, was very well liked. </p><p>The Office of the City Auditor received an anonymous tip in March 2019 with few details. The City Auditor’s Integrity Unit had a name, a job title, and knowledge that Whited had access to a city credit card. The investigation began by sifting through purchase records, which allegedly revealed that Whited spent hundreds of thousands of dollars on one particular brand of printer toner. The auditors wondered if this was too much toner or an appropriate amount for a library with more than 20 locations, so they set out to learn more about the library’s purchasing system and the amount of toner used by staff. </p><p>Library employees told the auditors their branches used just a few cartridges a year. However, the public-facing printers, which received the bulk of use, used a different brand of toner than Whited’s purchases. Auditors took the printer’s usage history from each printer’s memory and combined it with manufacturer printer cartridge capacity data to estimate how much toner was needed. It appeared that Whited was overbuying hundreds of boxes of toner every year. So where were the extra boxes going? </p><p>Despite his 8 a.m. 
start time and instructions from his supervisor to arrive no more than 30 minutes early, camera footage allegedly revealed that Whited often came in as early as 6:30 a.m. and would take boxes of toner from the library and hide them in his vehicle. </p><p>Once the auditors had evidence that Whited was stealing toner, the focus shifted to determining how much he may have stolen during his employment. The initial review of purchase transactions was expanded to encompass Whited’s entire tenure with the library starting in 2007. The analysis uncovered more than $1.5 million in printer toner purchases dating back to 2010. Through printer usage data, auditors estimated that the library would have needed about 15% — roughly $200,000 — of that amount, at most. </p><p>The expanded review also found other ways that Whited allegedly was defrauding the city, including dozens of purchases totaling at least $18,000 that were reportedly shipped to Whited’s home address or to Amazon lockers located outside of Austin. The auditors were able to find backup documentation for these purchases — ranging from video games to drones to robotic vacuums — which clearly indicated some of the items were never sent to the library. Additionally, some of the documents lacked detail, only including descriptions such as “supplies,” which made it nearly impossible for the people responsible for approving Whited’s purchases to know what they were signing off on. Library managers trusted him, so they never questioned him on the purchases or why they were being shipped to his home. To make matters worse, the approvers had no idea how much toner was appropriate to buy, so Whited’s daily purchases of toner did not raise any concerns. Nor did the fact that the library overspent its budget for office supplies by roughly 400% for several years in a row. 
As long as the library was under its total allocated budget, management did not look into details.</p><p>According to auditors, a lack of segregation of duties also contributed to Whited’s alleged fraud. He reportedly received most of the items he ordered, so he controlled both ends of the process for the library. He also was assigned multiple roles in the purchase tracking system, so he could more easily redirect questions about the purchasing process or his purchases.</p><p>After evidence allegedly confirmed the audit findings, auditors wanted to know what Whited was doing with the goods he appeared to be purchasing using city credit cards. The answers started trickling in through social media. Auditors found Whited allegedly was using online marketplaces to sell some of the items he stole from the library. Auditors also found evidence that suggested Whited was selling toner to online grey market websites that specialized in selling pre-owned toner. </p><p>Ultimately, the City Auditor’s report in October 2020 detailed Whited’s alleged enormous fraud, as well as the waste that the City of Austin incurred as a result of the purchases and management’s failure to catch on sooner. Whited resigned in August 2019, before the conclusion of the investigation. He was arrested in September 2020 and is awaiting trial. <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4" style="height:30px;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>LESSONS LEARNED</strong><ul><li>Segregation of duties works for a reason. The same person should not be allowed to order and receive items. Just as importantly, employees should not be able to approve their own purchases. When investigating, auditors should look for individuals who hold dual roles like these that could be exploited.</li><li>Empower reviewers. Purchase approvers or reviewers in an organization should know they are more than just a rubber stamp. 
They should be trained on the importance of their role and their ability to say “yes” or “no” in the purchase approval process. Additionally, auditors should make sure these individuals have appropriate operational knowledge about the area of the organization for which they approve purchases so they understand what needs are real. When investigating, auditors should listen for witnesses who say they “just trust” someone to take care of things.</li><li>Don’t rely solely on witness testimony. In this investigation, like many, witnesses were interviewed to learn more about library operations before auditors knew what records or other evidence might be useful. The initial witnesses shot down the idea that Whited might be defrauding the City. He was a “great employee” who had been in the job for years and knew what the library needed. Had auditors stopped the investigation after witnesses contradicted the allegation, the fraud might still be occurring today.</li><li>Keep an open mind about evidence. Auditors never know what they are going to find during an investigation or where evidence will come from. When this investigation started, no one on the audit team knew much about printers or printer usage. They worked with IT staff to review printer manufacturer information and learned that most printers have enough memory to keep a record of everything they ever printed. By combining the printed page records with manufacturer toner data, they were able to calculate how much toner the library needed over a given time period. That was a huge step in the investigation and allowed auditors to determine how much excess toner Whited allegedly was buying and stealing.<br></li></ul></td></tr></tbody></table><p></p>Michael Yamma
Procurement Fraud: 12 Common Pitfalls
https://iaonline.theiia.org/2021/Pages/Procurement-Fraud-12-Common-Pitfalls.aspx
<p><span style="text-align:justify;">Fraud can occur during any stage within the procurement life cycle, resulting in recurring and significant losses. Organizations may be at risk of fraudulent activities conducted by internal staff, collusion between internal staff and external service providers, or collusion among suppliers. Procurement fraud can be perpetrated in many ways, and it can be difficult to detect. </span></p><p style="text-align:justify;">Twelve common pitfalls, in particular, can increase the risk of fraud in the procurement process. By remaining alert to these areas, internal auditors can help protect their organizations from procurement-related losses. </p><p style="text-align:justify;"><strong>1.</strong> <strong>Weak control environment.</strong> When formalized policies are inadequate or ineffective, and staff training to help the organization prevent and detect procurement fraud is insufficient, employees may write off fraudulent or unethical activities as cultural norms. They might assume, for example, that receiving gifts and entertainment from vendors — regardless of value — is always acceptable. These perceptions can result in widespread control weaknesses and increased potential for fraud.</p><p style="text-align:justify;">Procurement policies and procedures that lack comprehensive review, approval, and monitoring of scenarios will also increase the risk of procurement fraud. For instance, in the absence of well-defined guidelines and controls, purchases can be designated as "urgent" or "emergencies" to bypass the need to compare competitive quotes. 
</p><p style="text-align:justify;"><strong>2.</strong> <strong>Incompetent purchase budget review or approval.</strong> Reviewers and approvers may not have been equipped with relevant antifraud skills to ask the right questions before requested items are approved in the purchase budget. After budget approval, users or requestors can make purchases much more easily. Effective budget reviews are therefore especially critical to fraud prevention. </p><p style="text-align:justify;"><strong>3.</strong> <strong>Inadequate purchase request scrutiny.</strong> In the absence of proper scrutiny, staff members might be able to request and make excessive or unnecessary purchases. It is therefore essential for those charged with evaluating the validity of purchase requests to carefully review and assess the justifications for items to be purchased. </p><p style="text-align:justify;"><strong>4.</strong> <strong>Inadequate review of purchase specifications</strong>. Organizations require specific expertise to evaluate the validity and appropriateness of purchase specifications indicated for sourcing.  Without this resource, purchase specifications can be customized to favor certain vendors and cause unnecessary financial losses to the organization. </p><p style="text-align:justify;"><strong>5.</strong> <strong>Ineffective quote reviews.</strong> Without effective assessment of quotes or bids before contract award, intentional favoritism of a particular vendor might not be easily detected. It is easy to enable a particular vendor to be selected when limited criteria are used to assess competing vendors. Management should carefully review and decide on vendor assessment criteria and then evaluate the competing quotes or bids received accordingly.  </p><p style="text-align:justify;"><strong>6.</strong> <strong>Insufficient background checks.</strong> The organization may fail to conduct effective background checks on new vendors. 
It may approve vendors without requiring them to provide appropriate documentation, such as business registration details. This deficiency creates, for example, the potential for staff members or their relatives to set up a shell company to make excessive or fictitious purchases that benefit themselves or their relatives at the expense of the organization. </p><p style="text-align:justify;"><strong>7.</strong> <strong>Ineffective conflict-of-interest declaration procedures.</strong> Periodic conflict-of-interest declaration procedures may become a check-the-box exercise instead of a meaningful control activity to prevent and detect inappropriate transactions. For example, the procedures may lack adequate vendor details to help staff identify the companies with which their organization is transacting. Without well-designed procedures, employees may perceive the conflict-of-interest declaration as routine and fail to recognize its importance. </p><p style="text-align:justify;"><strong>8.</strong> <strong>Ineffective inspection of goods and services received.</strong> If goods and services are delivered to the organization without being checked and acknowledged by independent, competent parties, intentional underdelivery, damaged goods, or inferior goods could go undetected. </p><p style="text-align:justify;"><strong>9.</strong> <strong>Ineffective project monitoring.</strong> Without robust controls in place to monitor ongoing projects — including periodic reviews of percentage-of-completion, estimated costs-to-complete, etc. — the organization may not detect warning signs of fraud such as excessive change orders and cost mischarging. </p><p style="text-align:justify;"><strong>10.</strong> <strong>Ineffective three-way matching.</strong> Those responsible for reviewing invoices submitted for payment may lack the expertise to recognize potentially fraudulent items, such as personal purchases, inflated invoices, and fictitious purchases. 
Moreover, they may neglect to perform a three-way match among the purchase order, receipt of goods, and supplier invoice. As a result, procurement fraud schemes may go undetected prior to vendor payment. </p><p style="text-align:justify;"><strong>11.</strong> <strong>Absence of robust procurement analytics.</strong> Highly irregular one-time payments may be relatively easy to spot with periodic checking and basic review procedures. But when irregularities occur more frequently, with lower dollar amounts that seem insignificant in isolation, they might easily go unnoticed without more sophisticated analytics. The organization can perform analytics with indicators that reflect repeated purchase orders with amounts just below the approval threshold limits, excessive purchases made from particular vendors, etc., to facilitate the identification of irregular activity. </p><p style="text-align:justify;"><strong>12.</strong> <strong>Inadequate criteria for evaluating vendors.</strong> Once a vendor is hired, the organization may neglect to monitor its performance on an ongoing basis. Robust criteria, such as applicable quantitative and qualitative performance criteria and indicators (e.g., price competitiveness, timeliness of delivery, product or service quality, and customer service responsiveness), should be evaluated periodically to ensure staff make value-for-money purchases, instead of excessive or fraudulent purchases, on the organization's behalf. <br></p><h2>Avoiding the Pitfalls</h2><p>Opportunities for procurement fraud abound in nearly every organizational setting. With awareness of the potential pitfalls, internal auditors can take steps to equip themselves with crucial knowledge to review and provide advice on control procedures that can prevent unnecessary procurement fraud losses. <br></p>Sylvia Lim
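<p>An added example, not part of the original article: a minimal sketch of two checks named in pitfalls 10 and 11, the three-way match and the "repeated purchase orders just below the approval threshold" indicator. The approval limit, the 5% band, the repeat count, and all records are constructed assumptions.</p>

```python
from collections import defaultdict
from decimal import Decimal

APPROVAL_LIMIT = Decimal("5000")  # assumed approval threshold
NEAR_BAND = Decimal("0.05")       # "just below" = within 5% of the limit (assumed)
MIN_REPEATS = 3                   # repeats per requester/vendor before flagging (assumed)

# Constructed sample data: (po, vendor, requester, quantity, unit_price)
PURCHASE_ORDERS = [
    ("PO-101", "Acme Supply", "jdoe", 10, Decimal("495.00")),
    ("PO-102", "Acme Supply", "jdoe", 7, Decimal("700.00")),
    ("PO-103", "Acme Supply", "jdoe", 1, Decimal("4990.00")),
    ("PO-104", "Birch Ltd", "asmith", 2, Decimal("1200.00")),
    ("PO-105", "Birch Ltd", "asmith", 5, Decimal("960.00")),
]
RECEIPTS = {"PO-101": 10, "PO-102": 5, "PO-104": 2}  # po -> quantity received
INVOICES = [  # (invoice, po, quantity billed, amount billed)
    ("INV-1", "PO-101", 10, Decimal("4950.00")),
    ("INV-2", "PO-102", 7, Decimal("4900.00")),
    ("INV-3", "PO-103", 1, Decimal("4990.00")),
    ("INV-4", "PO-104", 2, Decimal("2600.00")),
    ("INV-5", "PO-999", 1, Decimal("300.00")),
]

def near_threshold_clusters(pos):
    """Requester/vendor pairs with repeated POs just under the approval limit."""
    floor = APPROVAL_LIMIT * (1 - NEAR_BAND)
    groups = defaultdict(list)
    for po, vendor, requester, qty, price in pos:
        if floor <= qty * price < APPROVAL_LIMIT:
            groups[(requester, vendor)].append(po)
    return {k: v for k, v in groups.items() if len(v) >= MIN_REPEATS}

def three_way_exceptions(pos, receipts, invoices):
    """Invoices that do not agree with both the PO and the goods receipt."""
    ordered = {po: (qty, price) for po, _, _, qty, price in pos}
    found = []
    for inv, po, qty, amount in invoices:
        if po not in ordered:
            found.append((inv, "no purchase order"))
        elif receipts.get(po, 0) == 0:
            found.append((inv, "no goods receipt"))
        elif qty > receipts[po]:
            found.append((inv, "billed quantity exceeds quantity received"))
        elif amount != qty * ordered[po][1]:
            found.append((inv, "amount differs from PO price"))
    return found

if __name__ == "__main__":
    print(near_threshold_clusters(PURCHASE_ORDERS))
    print(three_way_exceptions(PURCHASE_ORDERS, RECEIPTS, INVOICES))
```

<p>Each purchase order in the flagged cluster passes approval on its own; only the grouping by requester and vendor surfaces the pattern.</p>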
Hush Money Fraud
https://iaonline.theiia.org/2020/Pages/Hush-Money-Fraud.aspx
<p>In early 2020, Lauren George was promoted to director of internal audit at the Pier Ten Group, a management company for a hotel chain in Southern California. George was interested in innovation and had training in robotic process automation, which she was eager to bring to her new role to increase productivity and expand risk coverage.</p><p>Before her promotion, Pier Ten’s internal audit department typically performed smaller audits using manual processes. George’s first goal as director was to improve coverage without increasing staffing. She started by adapting a pre-built reconciliation bot to compare expenses to receipts and reperform all bank reconciliations starting with the company’s San Diego property.</p><p>The expense reimbursement bot was simple. Receipts were already stored in a shared folder by date and titled by date and dollar amount. The bot downloaded expenses for the year into one Excel file. It then went into the receipts folder and copied the date, description, and amount for the expense into the same file. Finally, the bot sorted the expenses by date and amount and flagged any unsupported expenses and receipts not matching an expense. </p><p>Before she reviewed the flagged items, George manually checked a sample of matched items to confirm the bot was working correctly. In the first pass, it identified 22 mismatches where expenses matched but the date on the receipt was off by a day. To be certain, she reviewed some of the receipts to make sure they matched the descriptions. The bot also flagged 12 expenses for $500 without receipts totaling $6,000. George thought the bot wasn’t picking up the receipts until she saw there were no receipts in the folders, just a blank sheet titled by day and dollar amount.
</p><p>When George pulled the expense reports filed for each of these, she identified three commonalities: The receipts were missing, the description on the expense report was labeled “business expense reimbursement,” and the reimbursements were made to Skip Townes, the hotel controller.</p><p>The reconciliation bot was deployed next. It was pre-built, but required some modifications to make certain it was accessing the bank systems to retrieve bank account and credit card information. It also downloaded information into Excel and compared dates and amounts and flagged items that did not match. The results were messier than the expense reimbursement bot. Although many items matched, several items remained unreconciled. </p><p>George pulled the monthly reconciliations and started comparing line items with the bot’s reconciliation. She identified better rules that would help the bot perform more effectively next time, including pulling different reports to help reconcile some items. After her review, she was left with 12 credit card overpayments totaling $87,321.53. </p><p>Satisfied with a successful first pass, George documented her results and met with Walter Banning, the property manager, and Townes. To her surprise, Banning and Townes did not share her enthusiasm about the bot’s performance. George’s questions about the undocumented receipts and credit card payments were met with challenges about the technology. When she showed the source documents supporting the outstanding questions, both men expressed concern and insisted they would investigate and get back to her. </p><p>George suspected she was being stalled after weeks passed with no answers. The questions she asked could easily be answered with a little digging, so she contacted Wilson Kon, the audit committee chair, for guidance. George explained to Kon how the bots reperformed manual repetitive tasks, just like having an audit staff member who did exactly what he or she was told over and over. 
The work still needs to be reviewed and source documents pulled to investigate, but the observations are validated just like any other audit. Convinced by George’s explanation, Kon encouraged her to expand her review of the property’s financial processes, and assured her that Banning and Townes would provide her answers. </p><p>The next day, George met with Banning and Townes to discuss the observations. Both men were on edge and kept changing their answers. According to Banning, it was an IT issue that they were exploring. When George asked them to explain, they could not. Townes suggested it was a performance issue with the employee performing the reimbursements and reconciliation. George pointed out that Townes approved the reconciliation and Banning approved the expense reimbursement. She followed by asking why they did not flag these issues in their review. Banning went back to blaming the issues on the bot. George again left the meeting with no answers. </p><p>George first called Kon with an update and then the district manager and human resources (HR). With their support, she expanded her review to all financials for a month and went directly to the staff member performing the reconciliations. Several flagged items appeared, which were validated. The hotel accountant quickly identified the flagged items as bonus checks, reimbursements for Banning’s credit card, and car allowances for Townes. Surprised and curious, George dug in deeper.</p><p>She discovered that shortly after Banning was promoted to property manager, the corporate office cut the bonus program. He felt this was unfair and that he should be compensated for the success of his property, so he instituted his own bonus program. With the help of Townes, Banning found various ways to issue the bonuses, including a $500 monthly reimbursement to the controller to keep quiet about the bonuses. 
An expanded review found that the expenses for $87,321.53 were payments to Banning’s personal credit card company, and that extra manual payroll checks were issued to the controller, front desk manager, and housekeeping manager. In total, George identified nearly $485,000 in unsupported and suspicious payments, payroll checks, and reimbursements spanning three years. </p><p>George turned over her results to HR and local authorities. Pier Ten terminated Banning and Townes and brought charges against them. They claimed that the bonus program was sanctioned by the corporate office through a handshake deal.  <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4" style="height:30px;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>Lessons Learned</strong><ul><li>Robotic process automation (RPA) is a useful tool for enhancing internal audit capabilities. Simple and quick bots can immediately enhance department productivity when applied to repetitive processes relying on digitized data and tasks. </li><li>Fraud risk always exists, but internal audit must balance risk and resources. Deploying RPA can significantly lower the cost of certain fraud detection procedures. These procedures would mitigate many difficult-to-close internal control gaps in small- and medium-size companies. Initially, this could lead to fraud detection, but over time, these inexpensive procedures would become preventative. </li><li>When developing bots for audit work, internal audit should consider passing them off to the business units. Reconciliation bots make useful audit tools, but once hardened, they are capable of performing the regular control function, providing additional value and capacity to the business departments. Just like analytics, later reviews can include regularly testing the bot’s performance and, when convinced, relying on the bot’s results. <br></li></ul></td></tr></tbody></table><p></p>Bryant Richards
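<p>An added example, not the bot used in the case: a sketch of the expense-to-receipt matching the article describes, including the two conditions that mattered, receipts dated a day off and receipt files that exist but are blank. The file-name pattern <code>YYYY-MM-DD_amount.pdf</code>, the zero-byte test for a blank file, and all records are constructed assumptions.</p>

```python
from datetime import date
from decimal import Decimal

# Constructed sample data: (expense id, expense date, amount)
EXPENSES = [
    ("E1", date(2020, 3, 2), Decimal("84.10")),
    ("E2", date(2020, 3, 5), Decimal("212.40")),
    ("E3", date(2020, 3, 9), Decimal("500.00")),
    ("E4", date(2020, 3, 12), Decimal("61.75")),
]
# Constructed receipt folder listing: (file name, size in bytes)
RECEIPT_FILES = [
    ("2020-03-02_84.10.pdf", 48211),
    ("2020-03-06_212.40.pdf", 39902),  # dated one day after the expense
    ("2020-03-09_500.00.pdf", 0),      # titled correctly but empty
    ("2020-03-20_19.99.pdf", 20480),   # no matching expense
]

def parse_receipt(name, size):
    """Read date and amount from the file name; an empty file counts as blank."""
    day, amount = name.rsplit(".", 1)[0].split("_")
    return {"file": name, "date": date.fromisoformat(day),
            "amount": Decimal(amount), "blank": size == 0}

def reconcile(expenses, receipt_files, tolerance_days=1):
    """Match each expense to one receipt and return the items needing review."""
    pool = [parse_receipt(n, s) for n, s in receipt_files]
    findings = []
    for exp_id, when, amount in expenses:
        candidates = [r for r in pool if r["amount"] == amount
                      and abs((r["date"] - when).days) <= tolerance_days]
        if not candidates:
            findings.append((exp_id, "unsupported expense"))
            continue
        best = min(candidates, key=lambda r: abs((r["date"] - when).days))
        pool.remove(best)  # a receipt supports at most one expense
        if best["blank"]:
            findings.append((exp_id, "receipt file is blank"))
        elif best["date"] != when:
            findings.append((exp_id, "receipt date differs from expense date"))
    findings += [(r["file"], "receipt without expense") for r in pool]
    return findings

if __name__ == "__main__":
    for item, reason in reconcile(EXPENSES, RECEIPT_FILES):
        print(item, reason)
```

<p>Checking file content as well as file name is what separates a supported expense from a placeholder; a match on name alone would have passed the blank sheets.</p>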
