Fraud

 

 

Robbing the Poor
https://iaonline.theiia.org/2015/robbing-the-poor
<p>The founder and former president of Native Relief Charities was sentenced to three years in prison for stealing US$4 million from the organization, which provides college scholarships for poor Native American students, <a href="http://www.oregonlive.com/portland/index.ssf/2015/05/oregon_charity_chiefs_4_millio.html" target="_blank"> <em>The Oregonian</em> reports</a>. A U.S. District Court judge in Portland, Ore. found Brian J. Brown guilty last year of conspiring with one of the charity's board members to commit mail and wire fraud and money laundering. According to prosecutors, board member William Peters set up a US$4 million endowment at Native Relief Charities between 2006 and 2009, from which Brown took US$3 million and Peters received nearly US$1 million. Brown produced tax statements showing that Native American students were receiving the money. Brown was arrested after federal agents received a tip about the fraud, which prevented 650 students from attending college, prosecutors say. </p><h2>Lessons Learned</h2><p>The size of the nonprofit sector and the fraud activity related to it are substantial. According to the <a href="http://nccs.urban.org/" target="_blank">National Center for Charitable Statistics (NCCS)</a>, there are more than 1.5 million nonprofit organizations in the United States, including more than 1 million public charities, 101,558 private foundations, and 369,176 other nonprofits such as chambers of commerce, fraternal organizations, and civic leagues. These organizations reported more than US$1.65 trillion in total revenues and US$1.57 trillion in total expenses in 2012, the last year when figures were available. 
</p><p>The 2014 Association of Certified Fraud Examiners (ACFE) <a href="http://www.acfe.com/rttn/docs/2014-report-to-nations.pdf" target="_blank">Report To The Nations On Occupational Fraud And Abuse</a> (PDF) reports that fraud in nonprofit organizations has been growing steadily since 2010 and represented 10.8 percent of the cases reported in 2014. Median losses for nonprofits have grown from US$90,000 in 2010 to US$108,000 in 2014. </p><p>The reputational damage may be far worse. According to a recent report by the London-based Centre For Investigative Journalism, the 50 worst charities collectively raised more than US$1.3 billion over the past decade and paid nearly US$1 billion of that directly to the companies that raise their donations. This story of insider fraud and theft committed against Native American students adds to this grim picture. </p><p>Nonprofit organizations and their directors can consult a vast amount of guidance to better equip themselves to detect and prevent fraud, including from sources such as the ACFE, The IIA, and the National Council of Nonprofits. But what else can internal auditors learn from this situation?</p><ul><li> <strong>Get up to speed regarding new "single audit" requirements for nonprofit organizations. </strong>U.S. regulations (albeit complicated regulations) require nonprofits to conduct an independent financial audit if the organization receives federal funds above a specified amount in a single fiscal year. The U.S. government passed the Single Audit Act in 1984 to ensure that those organizations receiving substantial federal funds use the funds in compliance with the federal government's funding requirements. "Single audit" refers to one of the objectives of that law: to replace the need for the federal government to audit the same nongovernmental organization multiple times. <br> <br>In December 2013, the U.S. 
Office of Management and Budget issued new guidance, called <a href="https://www.whitehouse.gov/omb/financial_fin_single_audit" target="_blank">"Uniform Guidance,"</a> that applies to audits of nonprofit organizations that receive federal grants, effective for Dec. 31, 2015 year-end audits. All non-federal government agencies and nonprofit organizations that expend US$750,000 or more in federal awards in a fiscal year are required to conduct a single audit (the previous threshold was US$500,000). The overall single audit scope may focus on ensuring that the organization's financial statements are presented fairly, have an adequate internal control structure, and comply with any special government regulations and laws that apply to the specific type of federal funding. However, a single audit is significantly more detailed than a regular independent audit. Auditors performing single audits are required to receive an enhanced level of certification, and they must conduct higher levels of testing on expenses to ensure that federal funds have been used appropriately and are documented and reported correctly in the nonprofit's financial statements. <br></li></ul><ul style="list-style-type:disc;"><li> <strong>Advise on governance and regulatory oversight. </strong>Auditors can go beyond compliance issues by making observations and providing recommendations to help improve the governance and regulatory framework surrounding nonprofit organizations.<strong> </strong>This framework is so fractured it is difficult to know who is in charge and who is watching whom. In the Native Relief Charities case, the U.S. Internal Revenue Service (IRS) was able to catch the fraudster. But the regulatory approach taken is either "front-end loaded" (e.g., to grant tax-exempt status) or focused on catching up to the thief after the crime has been committed. 
Setting up a subsidiary or parallel nonprofit structure to hide fraudulent activity, as in this story, does not seem to receive particular scrutiny. Once nonprofits start raising money or spending grants, oversight is largely left to state governments. In a December 2014 <a href="http://www.gao.gov/assets/670/667595.pdf" target="_blank">report</a> (PDF), the U.S. Government Accountability Office (GAO) critiqued the IRS for failing to track how well its regulators are doing their jobs in this area. The GAO also observed that the IRS doesn't have the manpower to go after charities that flout the law and could do more to help state regulators target the crooks operating within them.<br> <br> The situation at the state level also needs improvement. The authorities in charge vary significantly. For example, in Pennsylvania the Department of State is responsible; in California it is the Attorney General; and in Florida the Department of Agriculture and Consumer Services has this authority. Moreover, the rules from state to state are even harder to follow. Various state and local laws may also require an independent financial audit for charitable nonprofits that receive funds from state and local governments, but only 23 states require charities to undergo an annual audit. Regulatory offices nationwide are overflowing with information on charities, but they may not be able to analyze it deeply for signs of fraud. Penalties, including for multiple violations, also vary enormously and often are small compared to the impact of the fraud. Regulators have yet to create a national list to track violators or a formal system to share information, and a fraudster forced out of one state can readily move to another state. </li></ul>
Art Stewart
Fraud Sewed Up
https://iaonline.theiia.org/2015/fraud-sown-up
<p>California authorities have charged two jeans company subcontractors and their accountant with workers' compensation insurance fraud, <a target="_blank" href="http://abcnews.go.com/US/wireStory/jeans-company-subcontractors-accused-79m-payroll-fraud-30371664">the Associated Press reports</a>. Sisters Sung Hyun Kim and Caroline Choi, who owned separate sewing companies, allegedly conspired to underreport US$78 million in payroll, which caused the loss of more than US$1 million in premiums to insurers. California insurance officials began their investigation after discovering a significant gap between the payroll amount the sisters reported to them and the amount they reported to the California Employment Development Department. Officials say the sisters also paid some employees under the table.</p><h2>Lessons Learned </h2><p>Workers' compensation insurance premium fraud has a significant dollar impact on the operations of insurance companies and workers themselves. Yet this amount pales in comparison to the staggering size and growth of the overall "underground economy" in the U.S. Although difficult to measure, economists estimate that as much as US$2 trillion in unreported economic activity takes place annually — double what it was in 2009. That amounted to an estimated US$500 billion in revenue losses for the U.S. government in 2013, up from US$385 billion in 2006, according to a U.S. Internal Revenue Service study.</p><p>What's behind this trend? Answers include the severity of the 2008 recession and the weakness of the recovery from it, general distrust of governments and taxation, the growth of casual work arrangements and cash wage payments in many types of jobs, immigration growth and illegal workers, and U.S. Affordable Care Act mandates to provide health insurance to employees. 
And, as illustrated in this story, some businesses and people commit fraud to keep more money for themselves.</p><p>Employers commit three basic types of premium fraud: </p><ul style="list-style-type:disc;"><li> <strong>Underreporting of payroll</strong> occurs when a policyholder fails to accurately report its entire work staff to the insurance company, often by paying employees off the books or presenting employees as subcontractors or independent contractors rather than as actual employees.</li><li> <strong>Misclassification of employees</strong> occurs when a high-risk employee, such as a construction worker, is classified as a person with low-risk clerical duties, enabling the company to pay lower workers' compensation premiums.</li><li> <strong>Experience modification evasion</strong> occurs when a company closes, then attempts to re-emerge as a new company on paper to obtain a lower experience-modification factor — and lower premiums — but the new business is actually unchanged from the original business.</li></ul><p>Regulators, organizations, and internal auditors can take several steps to deter or detect payroll and workers' compensation fraud:</p><ul style="list-style-type:disc;"><li> <strong>Strengthen and make more consistent use of regulatory tools. </strong>Many states have insurance funds and laws that prohibit workers' compensation insurance fraud schemes and grant the states audit and punitive powers including financial restitution, penalties, and criminal prosecutions. 
States like California go a step further by publishing all of the pertinent information associated with the crime committed by an employer convicted of premium fraud to the state's Department of Insurance website.</li></ul><ul style="list-style-type:disc;"><li> <strong>Educate employers regarding the need for diligence, compliance, and accurate reporting.</strong> Employers must understand the implications of good reporting, such as for the classification of jobs, as well as the fact that reporting statements could be used in fraud investigations.</li></ul><ul style="list-style-type:disc;"><li> <strong>Regularly exercise the audit provisions of workers' compensation insurance policies.</strong> The standard workers' compensation insurance policy will contain a provision allowing the insurance company to audit the insured's records at its discretion. Auditors can use certain industries, geographical locations, economic circumstances, and other factors to better target potential employer fraud abuse before it takes hold. If the auditor finds potential irregularities at an early stage, with the employer's cooperation, the typical result may be a simple reassessment and correction of the premium actually owed.</li></ul>
Art Stewart
The “Fake President” Fraud
https://iaonline.theiia.org/2015/the-fake-president-fraud
<p>“This is urgent,” “this needs to remain confidential,” and “I’m relying on you.” These were the phrases that the man on the other end of the phone repeated to Catherine Martin, an accounts payable clerk in the Belgian branch of Evergreen Inc., a Toronto-based company. Once she hung up, she corresponded with the man via their personal email accounts, per his instructions.<br></p><p>Martin believed she was speaking with Fraser Durand, the chief financial officer (CFO) of their medium-sized manufacturing company, and that she was helping to resolve payment to a subcontractor because Evergreen’s usual account was in overdraft. In truth, Durand had no knowledge of this transaction and had not spoken to anyone in the Belgium division in more than a week. “Durand” was actually the perpetrator of an increasingly common deception known as the “fake president” fraud.<br></p><p>The perpetrator emailed Martin an invoice for €612,000 (US$694,000) from a Moldovan company with details of a bank account in Moldova. Martin had not heard of Evergreen doing any business in Moldova, but as the orders came directly from “Durand,” she was not as suspicious as she might have ordinarily been. The email was flagged as important, and, while the message had grammatical and spelling mistakes, it clearly explained that the money was to be transferred immediately and payment was to be divided into increments of approximately €15,000 (US$17,000).<br></p><p>For the next few hours, Martin received several other calls from “Durand” inquiring about the transfer. Payment was delayed because Martin needed the approval of Michel Lemaire, her supervisor in Brussels. Lemaire was out of the office, so Martin contacted him on his mobile phone, indicating the amount and purpose of the transfers, and urged him to act quickly. 
Lemaire accessed the company’s banking website from home and approved the transfers without asking for supporting documentation.<br></p><p>The following morning in Toronto, Liz Bertrand, Evergreen’s controller, logged onto the company’s banking website as she did every morning before the start of the workday. Between sips of coffee, she noticed a series of transfers to an account in Moldova. As these transfers had been initiated and approved in Brussels, she called Martin. Martin told Bertrand that the transfers had been done at the request of Durand and provided the invoice. Bertrand then spoke to Durand, and they quickly realized the company had been the victim of a fraud.<br></p><p>Bertrand and Martin scrambled to call their bank and halt or recall the transfers, but it was too late: Transfers totaling €186,000 (US$211,000) had been successfully sent to Moldova. The Belgium office filed a police report and began to prepare an insurance claim. Ultimately, the perpetrator was able to successfully withdraw the proceeds of the fraud and escape justice.<br></p><p>This fraud was successful for a variety of reasons. First, the perpetrator had done his homework by researching Evergreen thoroughly. Information about Evergreen executives was publicly displayed on the organization’s website, and company promotional videos may have helped the perpetrator to perfect Durand’s accent and mannerisms. Knowing details such as reporting lines, names, and titles of employees helps perpetrators avoid arousing suspicion. This practice is known as social engineering, and it is an increasingly powerful tool available to perpetrators in the digital era.<br></p><p>The second factor behind the perpetrator’s success was his knowledge of corporate policy. He had an invoice on hand to justify the payment to a “subcontractor,” adding legitimacy to the transaction, and asked for the payment to be split into increments — a practice known as structuring. 
By splitting the amounts into smaller increments, the perpetrator was able to avoid the usual authorization limits and approval process around cash disbursement. A perpetrator may not know the exact authorization limits, but may specifically ask the target or simply guess at common limits for an employee based on his or her title. Perpetrators also have been known to assume the identity of a genuine supplier or vendor, while providing the targeted employee with new, fraudulent banking details and asking him or her to pay all unpaid invoices. Additionally, some perpetrators will add legitimacy to their email communication by copying an unwitting external professional in email communications — perhaps a partner in a law or accounting firm.<br></p><p>The biggest advantage that perpetrators of this fraud have is that it is easily repeatable with other companies. If discovered, a perpetrator will likely just hang up and move on to the next target. Perpetrators typically use a prepaid, disposable mobile phone and operate out of jurisdictions with lax enforcement, minimizing the chance of being caught. As the dollar values involved in these schemes are high, perpetrators only need to be successful once to make it worth their while.<br></p><p>In this situation, the targeted employee did not notice, or failed to act upon, several red flags. The use of bogus personal email accounts designed to spoof the details of the person the perpetrator is attempting to impersonate such as “Fraser@gmail.com” is common. Alternatively, perpetrators may use email accounts designed to approximate genuine corporate email accounts such as “CFO@comp<span style="text-decoration:underline;">a</span>any.com” (often with extra vowels or other small misspellings). Spelling and grammatical mistakes are another red flag. 
Company or banking details in countries that are known to be at risk for fraud or not known to be areas where the company does business are also indicators that the transaction may not be genuine. Finally, a sense of urgency from the caller and a desire for confidentiality and to circumvent controls are common in such schemes.<br></p><h2>Lessons Learned</h2><p></p><ul><li>Employees should be educated about the “fake president” fraud and similar schemes. Internal auditors can help by offering formal training that ensures employees are aware of the red flags and are encouraged to be skeptical. Upper management should visibly buy into these efforts by publicly stating their approval, and show potentially targeted employees that it is acceptable to challenge suspicious requests for payment.</li></ul><p></p><ul><li>Internal auditors can perform an internal controls review of the cash disbursement function in light of the “fake president” fraud. Payments should not be made to an organization or bank account not already in the vendor master file. Changes or additions should always be approved by more than one employee and confirmed with a known contact at the payee. Controls on approval limits should be adjusted to prevent the structuring of payments or transactions to pass beneath limits.</li></ul><p></p><ul><li>Every company should have a financial authority limits policy that provides employees clear direction with respect to the approval process. Internal auditors can perform a review to ensure that the policy is followed.</li></ul><p></p><ul><li>Employers should be aware of the information employees make public via social networking websites — especially LinkedIn. Formal training offered by the internal audit department should cover the risks posed by social media.</li></ul><p></p><ul><li>Internal auditors should consider reviewing information the firm makes public on its website, such as employee positions, email addresses, and phone numbers. 
</li></ul><p><br></p>
Alistair Beauprie
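<p>The cash-disbursement review recommended in “The ‘Fake President’ Fraud” above, sketched as an added example (not code from the article or from The IIA): it flags payments to accounts missing from the vendor master file, and sub-limit payments to one beneficiary that together exceed the approval limit inside a rolling window. The €20,000 limit, the 24-hour window, the account numbers and every ledger row are constructed assumptions.</p>

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    ref: str
    initiated: datetime
    account: str      # beneficiary account exactly as keyed in
    amount: Decimal   # EUR
    initiator: str


def normalise(account: str) -> str:
    """Drop spaces and case so the same account always compares equal."""
    return "".join(account.split()).upper()


def review_disbursements(payments, vendor_master, approval_limit,
                         window=timedelta(hours=24)):
    """Return (unknown_payees, structured).

    unknown_payees: refs of payments whose account is not in the vendor master.
    structured: one finding per beneficiary whose payments, each at or under
    approval_limit, add up to more than the limit inside any rolling window.
    """
    known = {normalise(a) for a in vendor_master}
    unknown_payees = [p.ref for p in payments
                      if normalise(p.account) not in known]

    by_account = defaultdict(list)
    for p in payments:
        # A payment over the limit already reaches the higher approver;
        # structuring concerns the ones kept at or under it.
        if p.amount <= approval_limit:
            by_account[normalise(p.account)].append(p)

    structured = []
    for account, items in by_account.items():
        items.sort(key=lambda p: p.initiated)
        left, running, worst = 0, Decimal("0"), None
        for right, p in enumerate(items):
            running += p.amount
            # Slide the left edge until the window spans at most `window`.
            while p.initiated - items[left].initiated > window:
                running -= items[left].amount
                left += 1
            if running > approval_limit and (
                    worst is None or running > worst["total"]):
                hits = items[left:right + 1]
                worst = {
                    "account": account,
                    "total": running,
                    "refs": [q.ref for q in hits],
                    "initiators": sorted({q.initiator for q in hits}),
                }
        if worst:
            structured.append(worst)
    return unknown_payees, structured


def constructed_sample():
    """Constructed ledger modelled on the case above; every value is invented."""
    t0 = datetime(2015, 3, 2, 14, 0)
    unlisted = "MD00 XXXX 0000 0000 0000 0001"  # placeholder, not a valid IBAN
    vendor_a = "BE00 0000 0000 0001"            # placeholder
    vendor_b = "BE00 0000 0000 0002"            # placeholder
    payments = [
        # Two same-day payments that stay under the limit in total.
        Payment("AP-0001", t0 - timedelta(days=5), vendor_a, Decimal("9000"), "clerk1"),
        Payment("AP-0002", t0 - timedelta(days=5) + timedelta(hours=2),
                vendor_a, Decimal("8000"), "clerk1"),
        # Two payments a week apart: over the limit together, but not in one window.
        Payment("AP-0003", t0 - timedelta(days=4), vendor_b, Decimal("18000"), "clerk2"),
        Payment("AP-0004", t0 + timedelta(days=3), vendor_b, Decimal("18000"), "clerk2"),
    ]
    # Twelve transfers of EUR 15,500, ten minutes apart, to an unlisted account.
    payments += [
        Payment(f"AP-01{i:02d}", t0 + timedelta(minutes=10 * i),
                unlisted, Decimal("15500"), "clerk1")
        for i in range(12)
    ]
    return payments, [vendor_a, vendor_b]


if __name__ == "__main__":
    ledger, master = constructed_sample()
    unknown, structured = review_disbursements(ledger, master, Decimal("20000"))
    print("Not in vendor master:", unknown)
    for finding in structured:
        print("Split beneath limit:", finding)
```

Run as a hold-before-release check rather than a next-morning report, so that a finding blocks the batch until a second approver has confirmed the payee through a known contact.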
Municipal Fraud
https://iaonline.theiia.org/2015/municipal-fraud
<p>The former utility manager for South Whitehall, Pa. has pleaded guilty to stealing US$854,000, according to <a target="_blank" href="http://www.mcall.com/news/breaking/mc-tonkins-plead-guilty-south-whitehall-embezzlement-20150408-story.html"> <em>The Morning Call</em></a> newspaper. Prosecutors say Nancy Tonkin pocketed cash payments made by utility customers and then manipulated accounting records to hide the missing money. The funds went undetected for several years until Tonkin's supervisor retired and the township's finance department was restructured. Prosecutors allege Tonkin and her husband spent the money at area casinos. As part of a plea deal, Tonkin was sentenced to a minimum of two years in prison, and she and her husband must forfeit their township retirement savings and pay US$333,032 in restitution.</p><h2>Lessons Learned</h2><p>Many of the columns I've written for InternalAuditor.org have profiled the lessons learned from frauds committed by public servants against taxpayer-funded public organizations. Typically in these cases, a long-employed and trusted public official — benefiting from a position of financial authority and a lack of oversight, controls, and an internal audit function — steals a significant amount of public funds over many years. This time I'd like to step back from the specifics of the story and provide a broader, yet more systematic perspective on what local governments, state and federal regulators, and internal auditors could do to help prevent and detect this kind of fraudulent behavior. 
</p><p>In making my observations, I found helpful <a href="http://www.theiia.org/bookstore/product/emerging-strategies-for-performance-auditing-insights-from-city-auditors-in-major-cities-in-the-us-and-canada-1873.cfm" target="_blank">a 2014 research study</a> conducted for The IIA Research Foundation (IIARF), Emerging Strategies for Performance Auditing: Insights From City Auditors in Major Cities in the U.S. and Canada. The study is based on surveys of numerous U.S. and Canadian municipalities. Although focused on performance auditing, this report provides insights — and potential remedies — into why local governments don't have the fundamental elements of an effective audit function in place that would allow them to protect against fraud. </p><p>Among the gaps the report discusses, four are noteworthy:</p><ul><li> <strong>A lack of legislation or mandate for audit. </strong>A patchwork of state and municipal legislation still exists for many local governments regarding internal audit functions, with some having a very general mandate, and others none at all. For example, a search of the South Whitehall website for topics related to audit returned no results. Where a mandate does exist, it often is unclear about internal audit's roles and responsibilities, including for fraud and performance audit issues.</li><br> <li> <strong>A lack of funding. </strong>In both the U.S. and Canada, federal and state/provincial authorities generally have not established clear funding parameters or formulas for the funding of audit functions. This has been exacerbated by current government fiscal pressures. Interestingly, the IIARF study includes examples of U.S. cities that have established minimum funding standards for audit functions. 
Moreover, the report suggests guidelines for funding audit relative to the size of the municipal organization's budget.</li><br> <li> <strong>Inadequate or immature governance processes.</strong> In organizations that have them, audit functions may report to a wide variety of authority structures, including a city manager, treasurer, or chief financial officer, raising questions regarding conflict of interest. Audit committees, where they exist, may have different mandates and compositions.</li><br> <li> <strong>A lack of understanding and support for internal audit on the part of officials, the media, and citizens. </strong>Misunderstandings and misrepresentations about internal audit's mandate, function, and value continue to persist. This is particularly common in local government environments where internal audit has few resources and may be perceived as a threat or an unnecessary bureaucratic burden.</li></ul>
Art Stewart
Financial Reporting and the Audit Committee
https://iaonline.theiia.org/blogs/marks/2015/financial-reporting-and-the-audit-committee
<p>I recently came across <a href="http://www.financialmirror.com/blog-details.php?nid=1511" target="_blank">an excellent article by Rakis Christoforou in the U.K.'s <em>Financial Mirror</em></a>. It does a fine job of summarizing both the drivers of financial statement fraud and the role of the audit committee.</p><p>Here are some excerpts with my comments.</p><p> <span class="ms-rteiaStyle-BQ">A financial misstatement usually involves senior management of public companies, who are in a unique position to perpetrate financial misstatement by overriding controls.</span> </p><p>This is absolutely true when it comes to the deliberate material misstatement of the financials (which includes deliberate omissions). It is very hard for the Sarbanes-Oxley program to detect deliberate misstatements by senior management; perhaps the most that can be done is to examine period-end journal entries for unusual amounts or postings. 
However, the external audit team should be (and usually is) sensitive to the possibility.</p><p> <span class="ms-rteiaStyle-BQ">As a consequence, the role of the board of directors, audit committees, external and internal auditors is critical in properly addressing financial misstatements and override of controls.</span> </p><p>It is also hard for internal audit to detect senior management fraud, but they should be alert to the indicators that the risk is greater (such as concerns about the tone at the top, pressure by senior management on lower levels of management (especially finance) to "make the numbers," and so on).</p><p>The audit committee should also be alert to red flags and question the external and internal audit teams on the topic.</p><p> <span class="ms-rteiaStyle-BQ">At times of negative economic environment, when targets are much harder to achieve, increased pressure is imposed at corporate level for better results and this creates incentives for financial misstatement and fraud. </span></p><p>This is, again, very true.</p><p> <span class="ms-rteiaStyle-BQ">But financial misstatement and fraud could also occur at lower levels of management when middle corporate managers may claim that they did not realize that they were committing a financial misstatement or fraud, but saw themselves as simply doing what was expected of them by senior management. Middle managers and other employees committing this type of fraud may not be doing it for a direct personal gain, but because senior management created the impression that the manipulation (or omission of adjustment/action) is needed, it is for the best interests of all, and after all this is what is expected of them by senior management.</span></p><p>I have seen this happen. 
When a division or unit fears for its survival, it may resort to accounting fraud.</p><p> <span class="ms-rteiaStyle-BQ">Audit committee members should … be in a position to challenge senior management with questions on risks that could potentially create incentives for financial misstatement. Such probing questions should be addressed to senior management, external and internal auditors. Audit committee members are expected to have an active role, and not a passive one, when dealing with significant financial statement reporting issues.</span></p><p>This is a very good point. But what should the audit committee do beyond this?</p><p>I suggest the following:</p><ul><li>If the company is doing better than its competitors, according to the financial statements, ask why. Be aware of indicators, such as analyst or other media comments, that do not support the company excelling while others falter.</li><li>Meet with management at levels below the CEO and chief financial officer (CFO). Listen to whether their comments on operations they run are consistent with the financial results.</li><li>Talk to the internal and external audit teams. Understand which accounts are most likely to contain deliberate misstatements and ensure they, between them, have done enough work to satisfy the audit committee.</li><li>Be aware of any senior financial managers who leave the company unexpectedly.</li><li>Challenge management if it does not run an employee survey, providing employees an opportunity to indicate their level of trust in the integrity of management.</li><li>Make sure all whistleblower calls/messages get to the audit committee without the opportunity for management to filter them.</li><li>Consider meeting with finance personnel below the CFO. 
Provide them a way to contact the audit committee should they have concerns about pressure being placed on them, or on entries being made at the corporate level that are not consistent with results at theirs.</li></ul><p>I welcome your thoughts.</p>
Norman Marks
Services Not Rendered
https://iaonline.theiia.org/2015/services-not-rendered
<p>A hospital system employee has confessed to stealing more than US$9 million from the Memorial Hermann Healthcare System through a fraudulent billing scheme, the <a href="http://www.houstonchronicle.com/news/houston-texas/houston/article/Man-charged-in-Memorial-Hermann-fraud-case-was-6160768.php" target="_blank"> <em>Houston Chronicle</em></a> reports. U.S. federal prosecutors say Kenneth Wild II, who managed the hospital's printing services division, submitted more than 200 fake invoices to the hospital for printing and data services that were payable to a company, Digital Designs. Wild, a former felon and disbarred attorney, began submitting fake invoices in February 2001, shortly after he was promoted to division manager. According to the federal complaint, the hospital's chief audit and compliance officer received an anonymous tip in March that the Digital Designs payments were to a "ghost account." After hospital officials discovered there was no evidence of work by that company, the U.S. Attorney's Office and U.S. postal inspectors opened an investigation, which uncovered that Wild had deposited checks from the hospital in a Digital Designs bank account that he controlled. Prosecutors confronted Wild upon his return from a trip to Europe. He faces up to 20 years in prison for mail fraud.</p><h2>Lessons Learned</h2><p>This story presents a mixed picture of lessons learned. Memorial Hermann's management have clearly acknowledged the need to improve and follow through on a more ethically and anti-fraud focused culture and regime, but are the related actions taken by the organization enough? 
</p><ul><li><span style="line-height:1.6;">On the positive side, the hospital system's recently established (July 2014) standards of conduct include numerous requirements that, if monitored rigorously for compliance, could help it prevent and detect employee fraud instances such as those in this story. Two of these requirements are worth mentioning as practices that internal auditors can recommend for their organizations:</span></li></ul><ul><ul><li> <span style="line-height:1.6;"> <strong>Conflicts of interest in human resources (HR) hiring.</strong> "We are resolute in our intention to not employ a person to be supervised by, or to supervise, another member of the person's family unless the situation is warranted by special circumstances. In such situations, special oversight will be arranged so that a conflict of interest does not occur between family members with respect to their Memorial Hermann duties," the standards of conduct note on pg. 12. One could reasonably expect that such a policy, if followed, would prevent hiring a known felon to work for his mother, which occurred in this story.</span><br> </li><li><span style="line-height:1.6;"><strong>Protection of anonymity and a nonretaliation clause for compliance violation reporting.</strong> "Employees, volunteers, contractors, medical staff, and anyone else engaged in work at Memorial Hermann should be able to ask questions, seek clarification, and report potential or actual noncompliance without fear of retaliation. Similarly, health plan members should be able to report concerns about plan administration or suspected fraud, waste, or abuse without fear of retaliation. No disciplinary action or retaliation will be taken against you when you report a compliance issue in good faith, meaning you believe the information you are reporting is true. We value and respect the dignity of the individual; therefore, you will be treated fairly and with respect," the standards state on pg. 
22.</span></li></ul></ul><ul><li> <span style="line-height:1.6;">Less evident, however, is the degree to which the organization has made progress in systematically strengthening internal controls over its HR recruitment policies and practices, particularly to address the need for increased scrutiny of both prospective and ongoing employee background and reference checks. Psychological and other related testing has become a crucial element in preventing potential employee noncompliance and fraud, as fraud from within continues to grow. Of course, such measures must be balanced by respect for individual privacy and caveats around the validity of such testing. <br> <br>Integrity tests, both overt (i.e., asking a subject directly about his or her honesty, criminal history, attitudes toward drug use, thefts by other people, and general questions that show integrity), and personality-oriented (i.e., assessing personality characteristics that have been shown to relate to counterproductive work behavior, such as dependability, social conformity, thrill seeking, and conscientiousness) have existed for many years. Recent updates of these techniques by universities, business associations, and hiring firms reflect current technological trends, diverse work environments, and organizational culture in integrity testing.</span></li></ul><ul><li> <span style="line-height:1.6;">Finally, there is the serious question of how much the organization has learned from the substantial and long-running billing fraud involved in this case. It took an anonymous tipster to identify the issue that had been going on for more than a decade. But the organization's senior management, including its chief audit and compliance officer, must bear some responsibility for gaps in oversight and periodic and penetrating audit work that, if appropriately conducted, may have uncovered this fraudulent billing activity. 
There were more than 200 fake invoices involved over the years — none of these seem to have been examined closely enough to detect the fact that there were no services provided. Internal auditors can refer to a mountain of documented cases of billing fraud, including many in the health-care industry. If an organization thinks "it can't happen here," it is mistaken.</span><br></li></ul>
Art Stewart
The Empty Boxes Scheme
https://iaonline.theiia.org/2015/the-empty-boxes-scheme
<p>A Nigerian man living in Canada has admitted to scamming more than a dozen individuals in the U.S. out of US$13 million between 2009 and 2013, the <a href="http://www.azcentral.com/story/money/business/consumer/call-12-for-action/2015/03/02/fraud-victims-paid-worthless-boxes/24228211/" target="_blank"> <em>Arizona Republic</em> reports</a>. According to a plea deal, Alex Sualim said he recruited the individuals to act as distributors between a Chinese supplier, AEG Global Contracting Ltd., and a Canadian company, Agmine International Ltd. Agmine instructed the distributors that the boxes containing the silicon germanium-based semiconductors — a real material used in microchips — could only be opened under laboratory conditions, so they didn't open the boxes they received. The distributors were asked to send wire transfers to AEG via banks in Cyprus, Greece, and China, which escalated as the supplier repeatedly increased its minimum order level. Agmine turned out to be a fictional company, while the shipping invoices from AEG were forgeries. When some of the distributors became suspicious, they finally opened the boxes to find only packing materials. Sualim was arrested in 2013 following an investigation by the U.S. Federal Bureau of Investigation and the Internal Revenue Service.</p><h2>Lessons Learned</h2><p>This case exemplifies how the perpetration of fraud continues to evolve to become increasingly sophisticated and encompass multitactic and international dimensions. At its root, however, this is one form of advance-fee fraud — when fraudsters target victims to make advance or upfront payments for goods, services, and financial gains that do not materialize. 
There are many variations on this scheme, including West African letter or 419 fraud (419 refers to the section of the Nigerian criminal code dealing with advance-fee fraud); career opportunity scams; clairvoyant or psychic scams; check overpayment fraud; dating or romance scams; impersonation of officials; inheritance fraud; loan scams; lottery, prize drawing, and sweepstake scams; rental fraud; and work from home and business opportunity scams. There are even fraud recovery schemes. These common frauds create significant monetary losses not only for individuals but also for businesses and other organizations that fall victim to them.</p><p>Here are some guidelines on how organizations and internal auditors can detect and avoid advance-fee schemes:</p><ul><li> <strong>Follow the saying, "If something seems too good to be true, then it probably is." </strong>Stick to common business practices. Never consider business being carried out on the street corner in cash as legitimate. Also, be aware that, as in this story, the apparent source, tone, grammar, and overall style of emails and other forms of communications may be as polished and professional as would be expected from a reputable, established company.<br> </li><li> <strong>Be sure the organization knows with whom and what it is dealing.</strong> If the organization isn't familiar with the person, company, or product it plans to get involved with, it should learn more about them. Ask a lot of questions. Visit the company's location if possible, research the organization and its products, and consult with family, friends, an attorney, and experts such as those at universities. For example, silicon germanium is potentially harmful to humans at certain stages of its production, so it might be credible that those particular stages should be controlled within a laboratory clean room. 
But instead of accepting a shipment of empty boxes, the victims in this case could have demanded that a sample of silicon germanium be sent for analysis to an independent laboratory they selected, with the subsequent report sent directly to them. <br> </li><li> <strong>Get a contractual agreement in writing and signed by all parties.</strong> Also, money spent up front to pay an attorney to review complex business agreements can save an organization even more money in the long run. Consulting a knowledgeable attorney is especially important when the organization doesn't understand the terms of the business or the agreement completely.<br> </li><li> <strong>Be skeptical of businesses that operate at a distance. </strong>Organizations and their internal auditors should be wary of businesses that can only be contacted by phone or email, or that operate out of post office boxes, mail drops, or without a street address. They also should be cautious of businesses that don't have a direct phone line, can't be reached, and must always return calls at a later date and time. In this story, the fact that victims were contacted by supposed officials of the Agmine and AEG companies, rather than by a single company contact, also was a potential red flag. Moreover, a legitimate company likely would need to be registered within a particular country for regulatory or taxation purposes, so a potential investor should verify whether that company has been registered. </li></ul><p>Additionally, organizations and their internal auditors should be cautious of business deals requiring upfront or unexpected increases in cash outlays. Also, they should avoid signing nondisclosure or noncircumvention agreements, which could prevent the organization from verifying the legitimacy of those with whom it is doing business. 
Scammers use these agreements as a threat to file civil suits against victims if they report their losses and business activity to law enforcement agencies.</p>
Art Stewart
Tech Fraud and the Small Business
https://iaonline.theiia.org/2015/tech-fraud-and-the-small-business
<p>Like large companies, small companies may become victims of computer hardware thefts that can expose company information and records. Small businesses are easy prey for hackers, too. <em>The New York Times</em> recently reported that hackers have broken into the phone networks of small companies, rerouting thousands of unauthorized calls to premium-rate overseas numbers, resulting in more than US$100,000 in charges for the impacted businesses.<br></p><p>When small businesses and startup companies experience a fraudulent event, they may be hit disproportionately harder than larger organizations and have more difficulty absorbing the losses. For those companies, a significant fraud incident can harm their reputation, cost innocent employees their jobs, cause personal investments to be lost, and make creditors wary of helping the victimized business in the future. Despite such threats, many small-business executives underestimate their company’s fraud risk.<br></p><p>Small firms are particularly unprepared for today’s sophisticated high-tech frauds. Internal auditors can help educate small-business owners and executives about such threats and conduct reviews to identify potential vulnerabilities.<br></p><h2>Small and Vulnerable</h2><p>Small companies are more likely to experience fraud than large firms. In the past two years, 29 percent of reported occupational fraud cases occurred at companies with fewer than 100 employees, according to the Association of Certified Fraud Examiners’ (ACFE’s) <em>2014 Report to the Nations</em>. The median loss per fraud scheme for a small business is US$154,000, the ACFE reports. 
Small companies tend to be more susceptible to employee misconduct, lapses in technology oversight, unauthorized technology changes, a lack of internal controls, and inadequate segregation of duties.<br></p><p>Asset misappropriation is the most common fraud among all businesses, occurring in 85 percent of cases, although it typically is the least costly fraud. Corruption schemes make up one-third of small-business fraud cases, while financial statement fraud happens in 12 percent of such cases.<br></p><p>Many technology-related frauds spawn from information security incidents such as data breaches. The Ponemon Institute, an independent privacy and security research organization, reports that 55 percent of responding small businesses have had a breach, and 53 percent have had multiple breaches. But technology-related fraud can come from within, too. IT personnel were perpetrators of fraud in 3 percent of cases, the ACFE notes.<br></p><h2>Reducing Risk</h2><p>Internal auditors at small companies can help their organization reduce the risk of technology-related fraud. They should start with fraud basics like educating management about the signs of fraud and likely perpetrators, such as employees who are living beyond their means or experiencing financial difficulties.<br></p><p>From there, auditors should advise management about the many tangible and inexpensive actions even small businesses can take to address fraud, including implementing a code of conduct and anti-fraud policy. To detect wrongdoing sooner, executives should implement a whistleblower hotline that employees, customers, and vendors can access by phone and through the company’s intranet and extranet. According to the ACFE report, only 18 percent of small companies have fraud hotlines, compared with 68 percent of other businesses, yet hotlines reduce the median duration of fraud from 24 months to 12 months. 
Building fraud training into the internal audit plan can help educate employees about fraud red flags and empower them to speak up about possible incidents.<br></p><p>Beyond these basics, internal auditors at small firms need to address the likely technology enablers of fraud and review the effectiveness of their organization’s safeguards.<br><br><strong>Watch out for the top causes of technology-related fraud.</strong> Many types of network attacks can put small companies at risk of fraud. For example, phishing emails are a significant threat for small businesses and startups because they may not have any rules or policies about accepting such emails, monitor for potential phishing messages, or know how to resolve incidents that may result from someone responding to their content or clicking on a link contained in a message.<br></p><p>Small businesses are particularly vulnerable to data breaches and hacking attacks, which typically target electronic records. Auditors should look for leading causes of breaches such as employee or contractor errors, procedural mistakes, and lost or stolen laptops, smartphones, and storage media.<br></p><p>Small companies also need to guard against identity theft. Identity thieves seek their business account information, employer identification numbers, bank account numbers, or even key employee Social Security numbers. 
Making matters worse, small businesses do not receive the same protections as consumers in identity-theft cases.<br><br><strong>Plan regular and surprise audits in areas that may pose greater risk.</strong> Based on the company’s risk assessment, internal audit should conduct an occasional deeper-dive review of areas with potential risk from technology-related fraud.<br></p><ul><li>An intellectual property audit can assess the types of sensitive information the company retains — such as credit card and personally identifiable information — what it is used for, and where it resides on the organization’s computers and servers. Auditors can confirm whether the sensitive data is isolated or segregated, and determine whether encryption methods are used for protection.<br></li><li>Internal audit should test information security controls for the company as well as for outsourced vendors. Such tests should confirm the use of strong passwords, regular password changes, and regular updates of antivirus and anti-spy software on computers and servers. Auditors should verify that the company uses a secure, encrypted connection such as Secure Sockets Layer to protect sensitive data while in transit across the Internet and that it uses secure wireless connections throughout the business. Also, they should check that the company has implemented privacy and security policies — including what can be downloaded and appropriate use of social media — and that the company has processes in place to monitor what is being said online. 
Moreover, internal audit should review Service Organization Controls reports regarding outside vendor services and confirm that the controls are appropriate for the organization.<br></li><li>Other areas internal audit should review are financial operations, cash-handling processes, inventory, and related-party transactions.<br></li></ul><h2>A Matter of Survival</h2><p>While the ACFE reports that companies frequently lose 5 percent of their revenues to fraud, that can be a high price to pay for a young company trying to generate income and get off the ground. Internal auditors at small companies need to help the business prevent and monitor for technology-related fraud or run the risk that it will become a victim. <br></p>
Alisanne Gilmore-Allen
Fighting Welfare Fraud
https://iaonline.theiia.org/2015/fighting-welfare-fraud
<p>The hiring of a full-time investigator has led to more arrests in welfare fraud cases and has generated more than US$1 million in savings for the Schuyler County, N.Y., government, the <a href="http://www.stargazette.com/story/news/local/2015/02/26/schuyler-benefit-fraud/24068687/" target="_blank"> <em>Elmira</em> <em>Star Gazette</em></a> reports. County officials say the new investigator has worked with the Department of Social Services' welfare fraud unit to investigate more than 300 cases and make 23 arrests for welfare fraud, grand larceny, and other charges. The county averaged only four to eight arrests in previous years, and it had a reputation as a welfare haven. </p><h2>Lessons Learned</h2><p>Schuyler County officials should be commended for taking appropriate action, including the hiring of a fraud investigator, to address government benefits fraud, a problem faced by local, state, and national governments worldwide. One statement made by the Schuyler County district attorney is particularly intriguing: "When we catch people, they get punished. It creates a deterrent for other people considering welfare fraud."</p><p>In that context, the two questions worth asking are "How do we know if we have the right deterrence mechanisms in place and that they are working?" and "Is the audit profession taking full advantage of fraud deterrence methods and thinking in the practice of auditing?" If fraud deterrence is effective, there should be little or no fraud being committed, with significant financial savings. My perspective, however, is that organizations and their internal auditors still need to invest further in improved fraud deterrence as well as enhanced detective skills and resources.</p><p>The "fraud triangle" (motive-rationalization-opportunity) has underpinned much of the thinking about what fraud is and how to address it for about 50 years. 
Efforts to "break the fraud triangle" by removing one or more of its three elements to reduce the likelihood of fraudulent activities have focused on eliminating opportunity. In turn, the opportunity element is generally considered to be the factor that is most directly affected by the system of internal controls, which is where organizations and auditors have invested much of their time and efforts in deterring fraud. Motive and rationalization are considered less measurable and therefore less controllable.</p><p>Emphasizing strong internal controls is not enough. Organizations with adequate controls shouldn't experience significant fraud, but unfortunately they do time and time again. Of course, no control can provide absolute assurance against fraud. Fraudsters who are sufficiently motivated to override or circumvent controls usually can find a way. </p><p>Although controls are a vital part of fraud deterrence, they need to be considered in a larger context. Economic crime ultimately is perpetrated through either force or deception. Recent U.S. crime statistics indicate that force is declining as a cause, while deception is increasing. Robbery, theft, and other crimes of force are the bailiwick of the young and undereducated. On the other end of the demographic spectrum, both older and more educated individuals have come to understand a valuable proposition: The best way to rob a bank is to work in or own one. </p><p>Further complicating this trend is the fact that one of the most important factors in deterring fraud is the degree of certainty that those who are caught will be punished, as compared to other factors such as how quickly or severely they will be dealt with. Criminal justice systems in the U.S. and other nations frequently punish corporate fraudsters much more lightly than street criminals even though the financial and operational damage to organizations is much greater. 
</p><p>Here are three strategies that could help organizations:</p><ul style="list-style-type:disc;"><li> <span style="line-height:1.6;"><strong>Organizations — particularly public-sector entities — and internal auditors should use the unique skills of anti-fraud specialists proactively.</strong> Many organizations employ such specialists, but they often are used reactively instead of proactively. Rather than using these specialists to solely investigate allegations of fraud once they have been reported, anti-fraud specialists also should be involved in fraud risk assessments to help identify key risk areas and help investigate them before fraud occurs. Moreover, awareness that the organization has anti-fraud specialists in place could increase the perception that illegal activity will be detected. </span><br><br> </li><li> <span style="line-height:1.6;"><strong>Ensure financial transparency where it counts.</strong> Since the Enron scandal, a distinct pattern has emerged: A growing number of corporate executives, insiders, and board members have lined their pockets at the expense of shareholders, customers, and taxpayers. Their methods vary and are often cloaked behind complex transactions that are not readily apparent to the organization's auditors. However, profits from illegal schemes nearly always find their way into the personal finances and spending habits of those involved, including large illegal profits being declared on personal tax returns. Corporate insiders have a fiduciary duty to act in their shareholders' best interests. Part of this duty should include their financial transparency. Auditors should be given full access to any financial information that bears on this issue, including personal tax returns and detailed banking records. 
Having such access makes financial transparency a significant and powerful deterrent, and it makes it more difficult for insiders to conceal ill-gotten gains.</span><br><br></li><li> <span style="line-height:1.6;"><strong>Auditors and their organizations need to better understand and adopt deterrence methods, including through research. </strong>There has been useful research into the psychological profiling related to human resources management decision-making and income tax compliance. Organizations have applied that research to better screen potential employees and target types of industries, groups, and individuals that are more likely to attempt income tax fraud. However, such research could never completely identify all of the factors involved in deterrence, and more research is needed into the many categories of occupational fraud. For example, when presented with seemingly identical opportunities and motives, why does one person or organization turn to fraud and another does not? More knowledge about fraud deterrence is likely to lead to different audit practices, compared to fraud detection, and it could encourage organizations to adopt better fraud-prevention strategies.</span></li></ul>
Art Stewart
The Fraud Response
https://iaonline.theiia.org/2015/the-fraud-response
<p>Despite efforts by businesses in all industries to tighten security, occupational crime and fraud remain a significant and growing exposure. Today, prevention and timely detection of such crimes is critical.<br></p><p>Internal audit often assists with detecting, reporting, and remedying fraud, or helping with recovery. Given their skills and access to information, auditors can help their organization understand and manage occupational crime and fraud risks. Accordingly, some knowledge of how these risks are evolving and the best practices for dealing with them — as called for in Section 1210.A2: Proficiency of the <em>International Standards for the Professional Practice of Internal Auditing</em> — will equip auditors to become more effective participants in their organization’s efforts to fight crime.<br></p><h2>A Culture of Integrity and Vigilance</h2><p>The U.S. Securities and Exchange Commission’s (SEC’s) Whistleblower Program has alerted U.S.-listed companies to their responsibility to strengthen their internal anti-crime initiatives. A good starting place is fostering vigilance among all employees and promoting a culture of honesty and transparency. Moreover, employees need assurance that they can report internally without fear of retaliation and that the organization will respond promptly and appropriately.<br></p><p>Instilling a culture based on integrity involves:<br></p><ul><li>Having senior leadership establish the overall tone by citing integrity as a core value in company meetings, employee discussions, town halls, memos, emails, videos, and presentations.</li><li>Having supervisors and team leaders remind employees they are partners in the firm’s success and integrity is a core value.</li><li>Requiring all employees to participate in ethics training.</li><li>Encouraging employees to be guardians of the firm’s integrity. 
As a result, employees may report wrongdoing to appropriate people internally before contacting outside agencies such as the SEC.</li><li>Establishing a tip line. Anonymous telephone tip lines account for nearly 40 percent of all fraud discoveries, according to the Association of Certified Fraud Examiners (ACFE).</li><li>Looking internally to assess, control, and correct wrongdoing. Robust discussions about the whistleblower program underscore the organization’s emphasis on transparency and can encourage internal remedies.</li><li>Recognizing that the company’s leadership may have to reinforce its focus on integrity following mergers or acquisitions to indoctrinate new employees or during significant workforce reductions.</li><li>Establishing and communicating a zero tolerance policy that applies to all fraudulent activity, including the organization’s intent to prosecute all perpetrators.</li></ul><p></p><h2>The Crime Insurance Market</h2><p>Insurance is a significant potential financial remedy for occupational crime and fraud. Although in many cases internal auditors may not be aware of their organization’s insurance coverage, they typically become involved in the event of a loss.<br></p><p>The best time to meet with those responsible for such insurance coverage — usually finance, treasury, and risk management — is before an event occurs. Auditors should learn about their organization’s crime or fidelity insurance policy or coverage under its cyberrisk or property insurance. This gives them the opportunity to strategize with the risk manager about what they can expect from internal audit.<br></p><p>In turn, the risk manager can brief internal audit on coverage and the potential for outside, independent forensic accounting support that may be included in coverage as “investigations or professional fee coverage.” This outside help can further investigate a crime and pursue recovery. 
The partnership between such external resources and internal audit staff can be both cost-effective and optimal for gathering required internal documentation of the loss.<br></p><h2>When Fraud Is Suspected</h2><p>Investigators and risk advisers typically prepare for the worst. If an occupational crime or fraud incident is suspected, absent urgent issues or threats to life or property, organizations should take these steps, which can be completed simultaneously:<br></p><ul><li>Conduct a preliminary investigation before notifying their insurer. This typically is performed by internal audit alongside the organization’s security function and general counsel.</li><li>Ensure the risk management function analyzes the company’s crime or fidelity insurance policy.</li><li>Give appropriate notice to their crime and property insurance carriers.</li><li>Note the time on their insurance policy to file “proof of loss.”</li><li>Note the time to file suit against the insurance carrier for nonpayment of a loss.</li><li>Follow up the preliminary investigation by conducting a thorough internal investigation, including efforts to identify all perpetrators and any conspirators and their method, as well as to determine the full extent of the loss.</li><li>Work with human resources, communications, operations, and other internal functions, as well as employment attorneys and outside counsel, to take steps to deal with potential employee issues.</li><li>Consider civil litigation against the perpetrators.</li><li>Consider criminal prosecution.</li></ul><p></p><p>Typically, the risk manager is directly responsible for arranging and coordinating insurance coverage and helping to marshal internal and external resources to address exposures to crime. Still, a fraudulent event leading to a loss may not be communicated promptly to the risk manager. 
Because any delays can compromise an organization’s ability to collect its insurance recovery, it’s critical that internal audit share its initial findings with the general counsel and appropriate executives in finance, and include the risk manager as soon as a crime or fraud event is suspected.<br></p><p>Along with internal audit and risk management, members of an organization’s “crime team” may include in-house and outside counsel, security, an investigative specialist and forensic accountant, a broker claims advocate, and representatives from different business units. The principal roles leading an internal investigation include:<br></p><ul><li>The risk manager, who oversees the process and communicates directly with the organization’s insurance broker and carriers.</li><li>The in-house counsel, who manages the internal audit, investigation, litigation, and law enforcement activities, and controls costs.</li><li>The investigator and forensic accountant, who conduct the investigation under the external counsel (i.e., privilege) umbrella, working with in-house resources such as internal audit.</li><li>All members of the crime team, especially internal audit and risk management, should recognize that the organization’s fidelity and crime insurer has its own claims team — including the insurer’s in-house adjuster, external counsel, and a forensic accountant — that represents the insurer’s interests.</li></ul><p></p><h2>Proof of Loss</h2><p>An organization’s insurance policy dictates — and its insurer expects — the organization’s full cooperation in gathering all information necessary with respect to its loss. This response is always subsequent to the organization having filed an appropriate proof of loss in support of a claim. The proof of loss is a series of documents describing what happened and who did what to whom. 
That is followed by a well-documented calculation of the loss, including supporting documentation.<br>The internal audit staff will be tasked to supply information, documents, and data during this phase. In putting together this documentation, auditors should consider how much evidence is sufficient. The insurer will incur considerable expense to validate and develop the facts. Moreover, any proof provided must be objective and credible.<br></p><h2>Working With Law Agencies</h2><p>If any of the circumstances of the organization’s loss is remotely dangerous, the local police should be contacted. If danger is not suspected, internal auditors should work with the organization’s in-house counsel, security, and risk management functions to discern what the organization needs to do before acting.<br></p><p>Often, leadership or senior executives want the police to investigate right away. While that may be the correct decision, it is not always in the organization’s best interest to involve law enforcement immediately. Nonetheless, the organization may be required to involve law enforcement earlier in the process if its crime insurance policy dictates it. Auditors should check whether the policy requires simple notice or whether the organization must file a report and refer the matter. These two actions are vastly different.<br></p><p>Once the organization decides to involve law enforcement, it sets in motion a series of activities likely to affect its internal investigation. Law enforcement investigators generally are more open to accepting a new matter when a great amount of information is provided. They may be receptive toward the victim’s internal audit team upon understanding its methodology and seeing documentation. 
In collaboration with the organization’s forensic accounting team and investigators, the law enforcement efforts likely will be accelerated.<br></p><p>Law enforcement involvement also can affect the organization’s ability to gather evidence, identify collaborators, and bring perpetrators to justice. The organization should take care about which employees it suspends or terminates, and when, because  valuable information is at risk. A mistake here could prevent the organization from uncovering critical evidence. Furthermore, the organization may not be able to ascertain the full extent of its loss or identify any individuals who may have participated in the fraudulent activity or helped facilitate the crime. This may complicate efforts to fully recover any losses incurred from the crime or to avoid a recurrence of the problem in the future. Often, law enforcement expects the organization has done all it can within its administrative constraints to gather evidence and conduct interviews. Internal audit should document everything and preserve all notes, which may prove to be critical.<br></p><p>Once the case has been referred to law enforcement, even though the organization may be the victim with certain rights, investigators will likely make communication a one-way street. Moreover, if the matter goes to a grand jury, the organization will not be able to learn about information obtained by law enforcement through the grand jury.<br></p><h2>Who to Call</h2><p>Two crucial decisions are determining the appropriate time to call law enforcement and, more importantly, determining which agency to call. Referring the organization’s investigation to the wrong law enforcement agency or prosecutorial office can cause significant frustration, so it’s critical to understand the complexity and reach of the loss to avoid a misstep. 
Calling the wrong agency not only could delay the resolution of the matter, but it may result in lost evidence, a compromised or stalled investigation, unanticipated and adverse news coverage, business disruption, and employee distress.<br></p><p>Any investigation or search for assets may be outside the jurisdiction of local and state police. In the United States, matters reaching across state lines or outside the country may require federal assistance from the Federal Bureau of Investigation, Internal Revenue Service, Secret Service, Immigration and Customs Enforcement, Marshals Service, or Postal Inspectors. Although internal auditors should understand the issues associated with reporting a crime, identifying the appropriate law enforcement agency or prosecutorial office requires expertise that goes beyond the scope of the general counsel and typically requires the involvement of an outside criminal attorney or investigator.<br></p><p>Regardless of which agency is involved, the organization’s forensic accounting and internal investigation will provide law enforcement with the amount of loss, witnesses, statements, evidence, and a road map. A solid forensic investigation also can provide law enforcement with leads toward assets that may be vital for alternative restitution, such as recovery of investments and purchases the perpetrators made with stolen funds.<br></p><h2>Civil Litigation</h2><p>As a practical matter, investigative firms and risk advisers generally do not advocate filing lawsuits. However, there may come a time when the organization’s investigators will need bank records and other documents. For example, internal audit may determine early in the investigation that it wants to see the credit card or bank records of a current or former employee. A civil filing is the only option the organization has to obtain financial records without the account holder’s cooperation. In a U.S. 
criminal investigation, law enforcement would be able to obtain such records using search warrants and grand jury subpoenas.<br></p><p>Typically, civil litigation follows the investigation in the form of a subrogation action by the insurance carrier, which will seek to recover stolen funds or related assets and properties from the perpetrators. If litigation is inevitable, getting the process started sooner may be in the organization’s best interest.<br></p><h2>Vital to Anti-fraud Efforts</h2><p>Although internal auditors may not be experts in crime and fraud detection, they should be aware of these issues and the resources needed to address them. Ultimately, auditors are critical to their organization’s overall crime prevention initiatives and response activities.<br></p><p>Preparation is as important as prevention. The internal audit function should align with the risk management and legal departments to understand and anticipate potential occupational crime risks. Effective crime prevention should include quantifying worst-case scenarios, as organizations typically would do for physical damage and business interruption exposures. Quantification also can help determine appropriate insurance coverage limits.<br></p><p>Finally, internal audit should collaborate within the organization to create an incident-response team for instances when fraud is suspected or substantiated. Auditors should be well read, provide appropriate notice, and help their organization recover any crime loss to the fullest extent. <br></p>Christopher J. Giovino


 

 
