Fraud

 

 

On the Hunt for Payroll Fraudhttps://iaonline.theiia.org/2016/Pages/On-the-Hunt-for-Payroll-Fraud.aspxOn the Hunt for Payroll Fraud<p>Payroll can amount to 40 percent or more of an organization’s total annual expenditures. Payroll taxes, Social Security, Medicare, pensions, and health insurance can add several percentage points in variable costs on top of wages. So for every payroll dollar saved through audit identification, bonus savings arise automatically from the on-top costs calculated on base wages.  ​</p><p>Different industries will exhibit different payroll risk profiles. For example, firms whose culture involves salaried employees who work longer hours may have a lower risk of payroll fraud and may not warrant a full forensic approach. Organizations may present greater opportunity for payroll fraud if their workforce patterns entail night shift work, variable shifts or hours, 24/7 on-call coverage, and employees who are mobile, unsupervised, or work across multiple locations. Payroll-related risks include over-claimed allowances, overused extra pay for weekend or public holiday work, fictitious overtime, vacation and sick leave taken but not deducted from leave balances, continued payment of employees who have left the organization, ghost employees arising from poor segregation of duties, the vulnerability of data outputted to the bank for electronic payment, and roster dysfunction. </p><p>Yet the personnel assigned to administer the complexities of payroll are often qualified by experience more so than by formal finance, legal, or systems training, thereby creating a competency bias over how payroll is managed. On top of that, payroll is normally shrouded in secrecy because of the inherently private nature of employee and executive pay. Underpayment errors are less probable than overpayment errors because they are more likely to be corrected when the affected employees complain; they are less likely to be discovered when employees are overpaid. These systemic biases further increase the risk of unnoticed payroll error and fraud. </p><p>All these factors make assuring payroll controls entail a great deal of audit work that can easily leave auditors disoriented in details. Payroll risk’s silver lining is that it can provide opportunities for auditors to uncover actual cost savings and labor productivity gains.  </p><h2>Helicopter Analysis</h2><p>It is tempting to start a payroll review by auditing payroll compliance, such as checking that salary rates are in accordance with appropriately authorized contracts or checking that time sheets agree with clock in/out times. However, internal auditors may add greater value by launching the audit with a top-down analysis of total payroll cost and using that perspective to inform the detailed tests needed to provide assurance about the effectiveness of controls around the most crucial risks. If auditors omit a helicopter overview of payroll data and the payroll process, they risk performing detailed work where it is less needed while missing out on significant discoveries.<span style="line-height:1.6;">​</span></p><p> <img class="ms-rteiaPosition-2" src="/2016/PublishingImages/Distribution-of-total-payroll-costs.jpg" alt="" style="margin:5px;" />One way to analyze payroll cost is through a distribution analysis of aggregate salary data. This can be obtained by stratifying 12 months of earnings by individual employees in a distribution chart, to show the composition of salaries across the entire workforce, from the small number of highly paid executives to lower-paid, unskilled labor (see “Distribution of Total Payroll Costs,” right). Typically the distribution will skew to the left because not all employees will have worked a full 12 months. Some employees may have joined or departed the organization during the year, and not all employees will be employed full-time. What this chart shows is how the mean salary level compares to the industry and whether or not the shape of the distribution is what management would expect.  </p><p> ​​​An insightful audit test can be to ask management how it expects salaries to be distributed above and below the average. For instance, the two peaks shown in the chart reveal that many employees were paid close to the average (the left peak), while a significant number were paid well above average (the right peak). Further analysis will reveal how this is attributed to additional earnings such as overtime, late night or weekend pay, and allowances. </p><p>Using the same source, departmental data concentrations can be graphed in a bubble chart where each bubble represents a department or cost center (see “Average Total Payroll Cost by Department,” below right). These charts highlight areas for audit questioning, such as where weaknesses in internal control may have permitted some employees to be overpaid.  </p><p> <strong>Remuneration </strong>Payroll data analysis can reveal individuals or entire teams who are unusually well-remunerated because team supervisors turn a blind eye to payroll malpractice, as well as low-remunerated personnel who represent excellent value to the organization. For example, it can identify the night shift worker who is paid extra for weekend or holiday work plus overtime while actually working only half the contracted hours, or workers who claim higher duty or tool allowances to which they are not entitled. In addition to providing management with new insights into payroll behaviors, which may in turn become part of ongoing management reporting, the total payroll cost distribution analysis can point auditors toward urgent payroll control improvements.  </p><p> <strong>Rosters</strong> Process analysis also can help steer the detailed audit test program. A payroll process overview can encompass how staff duty rosters, or schedules, are kept updated with operational needs, daily time and attendance controls, overtime approval, time sheet data entry, employee sick leave, leave approval, and how internal controls can potentially be overridden. The data on which pay is calculated originates in these often manual subprocesses, which are reliant on employee honesty and are vulnerable to error and fraud, translating into real payroll dollars.  </p><p>Rosters should be designed to optimize the allocation of employees to operational needs. If done well, rosters should eliminate, or at least minimize, the need for overtime and weekend work. Therefore, if the analysis of earnings across the workforce shows departments where overtime, holiday, or weekend bonus pay is higher than expected, this might indicate roster dysfunction, neglect of internal controls, or under-staffing. The helicopter overview may identify business units that require special audit examination.​</p><p> <strong>Process Efficiency </strong>Similarly, the efficiency of the payroll process can be considered. Organizations sometimes run multiple payroll processes across different sites such as between white-collar and blue-collar workforces or arising from historic business mergers. Efficiency savings may be achievable through collapsing multiple payrolls into a single cycle. At one organization, auditors found that the monthly executive mid-month payroll cycle was easily collapsed into the biweekly cycle, which canceled 12 pay cycles per annum and eliminated risks around paying executive employees half a month’s wages in advance. The changeover also increased the accuracy of the attendance and leave recording, because all employees went onto the same fortnightly pay cycle. Permanent efficiency savings like this are a tangible way for internal audit to add value.  </p><h2>Discovering Diamonds in the Detail</h2><p>Using the helicopter overview to generate insights into the payroll subprocesses most vulnerable to fraud and error can position internal audit to mine the rich payroll data to either assure the board that all is well or otherwise expose potential wrongdoing. Available data likely includes each employee’s start time, finish time, hours worked, location worked, vacation dates, sick time, standard pay rates, night-shift pay rates, overtime pay rates, and allowances. To accommodate the volume of data, payroll systems typically contain a job position master file, employee master file, and time sheet transaction history holding all hours worked as well as leave, which in turn update balances across all leave types. Additionally, the organization’s human resource systems may hold data on performance appraisals, competencies, and disciplinary history that frequently is linked to the employee number used for payroll purposes.  </p><p> <img class="ms-rteiaPosition-2" src="/2016/PublishingImages/Kelly-chart2.jpg" alt="" style="margin:5px;" />The detail inside these databases can reveal hidden information. Who are the highest earners of overtime pay and why? Which employees gained the most from weekend and public holiday pay? Who consistently starts late? Finishes early? Who has the most sick leave? Although most employees may perform a fair day’s work, the audit analysis may point to those who work less — sometimes considerably less — than the time for which they are paid.  </p><p>Joined-up query combinations to search payroll and human resources data can generate powerful insights into the organization’s worst and best outliers, which may be overlooked by the data custodians. An example of a query combination would be: employees with high sick leave + high overtime + low performance appraisal scores + negative disciplinary records. Or, auditors could invert those factors to find the unrecognized exemplary performers. </p><p>Where audit findings suggest fraud concerns about identified employees, internal audit can add value by triangulating time sheet claims against external data sources such as site access biometric data, company cell phone logs, phone number caller identification, GPS data, company email, Internet usage, company motor fleet vehicle tolls, and vehicle refueling data — most of which contain useful date and time-of-day parameters (see “Data Mining Tips,” below). Before taking this approach, CAEs should consider the audit committee’s risk appetite, internal audit’s data access rights, and local privacy laws.  </p><p>The data buried within these databases can reveal employee behavior, including what they were doing, where they were, and who they were interacting with throughout the work day. Common findings include:</p><ul class="p5"><li> <span style="line-height:1.6;">Employees who leave work wrongfully during their shift.  </span><br></li><li> <span style="line-height:1.6;">Employees who work fewer hours and take sick time during the week to shift the workload to weekends and public holidays to maximize pay.  </span><br></li><li> <span style="line-height:1.6;">Employees who use company property excessively for personal purposes during working hours.  </span><br></li><li> <span style="line-height:1.6;">Employees who visit vacation destinations while on sick leave.  </span><br></li><li> <span style="line-height:1.6;">Employees who take leave but whose managers do not log the paperwork, thereby not deducting leave taken and overstating leave balances.  </span><br></li><li> <span style="line-height:1.6;">Employees who moonlight in businesses on the side during normal working hours, sometimes using the organization’s equipment to do so.  ​</span><br>​</li></ul><p>The problems are magnified where supervisors collude with their employees by approving exaggerated time sheets and perpetuate the culture by inducing others to engage in what auditors may see referred to as “custom and practice.” When analyzed systematically and corroborated with other intelligence such as whistleblower information, these disparate data sources can reveal systemic fraud.</p><h2>Making a Difference</h2><p>Often management welcomes audit findings that reveal specific wrongdoing because they provide hard-to-dispute evidence with which to remedy low-performing teams, discipline or terminate unproductive personnel, and sharpen finance and management focus on cost control. These are audits that make an impact.  </p><p>Well-researched and documented audit fieldwork can support management action against those who may have defrauded the organization or work teams that may be taking inappropriate advantage of the payroll system. Simultaneously, internal auditors can partner with management to recover historic costs, quantify future savings, reduce reputational and political risk, improve the organization’s policies, and boost the productivity and morale of employees who knew of the wrongdoing but felt powerless to stop it.​​</p><p><br></p><table width="100%" cellspacing="0" class="ms-rteiaTable-6" style="height:57px;"><tbody><tr class="ms-rteiaTableEvenRow-6"><td class="ms-rteiaTableEvenCol-6" style="width:100%;">​​ <p> <span class="s1"> <strong>Data Mining Tips</strong></span></p><p>Downloading and analyzing data across multiple sources is not easy, but doing so can be a worthwhile investment in enhancing audit effectiveness. Depending on internal audit’s organizational status, access to data may need to be negotiated with the relevant custodians, subject to local privacy restrictions and audit right of access.  </p><p>Once obtained, downloaded data usually arrives in disparate formats, most commonly text (TXT, RTF) or comma-separated values (CSV), which in turn may be variously imported into Microsoft Excel or other spreadsheet software in ways that impede audit analysis. For example, data containing numbers with slashes or hyphens ​may be converted into dates, and numbers and colons may be converted into time values. </p><p>Data containing characters deemed as wildcards by Excel, such as “*” and “?” may need to be replaced (using “~”) to ensure Excel does not treat the character as a wildcard. Numbers with leading zeros such as telephone numbers may be imported as integers with the leading zeros truncated, making them difficult to cross-match with a telephone directory.  </p><p> <strong>Time</strong> Data mining envisaged here often involves the analysis of time, which can be complicated in Excel. For analyzing time sheets and clock in/out data, Excel’s DATEVALUE() and TIMEVALUE() functions can assist with converting cells containing a mix of date and time into date-only or time-only values either in AM/PM or 24-hour clock format, which can then be sorted and analyzed. Excel does this by dividing each second into one 86,400th of a day — that is 60 seconds x 60 minutes x 24 hours. So 1/86,400 is one second after midnight, 86,399/86,400 is one second before midnight, and 0.5 is midday. Complementary to that, dates in Excel are numbered in positive integer sequence from 1 (Jan. 1, 1900). So logically, the date value is the positive integer and the time value is the decimal component. Both dates and times can then be sorted and used in calculations and pattern-seeking, which can then be presented back to management as a candlestick chart showing actual hours worked compared to the day-by-day rostered shift over a period of several weeks or months.  </p><p> <strong>Telephone numbers </strong>Telephone numbers can present another challenge because Excel automatically imports numeric strings as numbers, whereas auditors may prefer to use telephone numbers as text strings for sorting and lookup. When importing, Excel can also misinterpret the international telephone dialing symbol “+” as a mathematical operator. If telephone call logs are being matched against an electronic telephone directory, the auditor may need to convert all telephone log data into text format to preserve leading zeros; otherwise they will be truncated and mismatched if the imported telephone data is converted to numeric format. To avoid Excel stripping the leading zeros, telephone numbers can be preceded by an apostrophe (‘), using the CONCATENATE() formula, or by using Excel’s TEXT(cell_ref, “#”) formula where “#” can be substituted with a variety of syntaxes. Parsing is another technique if data fields contain consistent patterns of numeric and alphabetic data. If all else fails, it may be easier to trim all leading zeros in both the telephone log data and the lookup table by treating both as numeric fields rather than text. Once telephone call data is obtained, it can be traced to available phone number lists. Even Google yields a surprising amount of information if auditors type in a telephone number.  </p><p> <strong>Email</strong> Data associated with email can provide both date and time of day transactional information as well as the content of the written messages, themselves. Email software such as Microsoft Outlook often enable users to export entire mailboxes as plain text, comma-separated files, Excel-readable files, and other formats for advanced searching.  </p><p> <br> </p><p>The above are just some of the ways to scrub data before audit analysis. In the event the data needs to be recreated at a later date — for example, if a legal situation arises — it is helpful to ensure the data-scrubbing methodology is documented in the internal audit workpapers. Over time, this array of cleansed data can become a valuable research lab kept up to date to support future audits. </p><p>Compiling and analyzing data is worth the effort. Findings informed by the organization’s own data become harder to refute. Sometimes findings can be sufficiently startling that management will implement audit’s recommendations quickly and decisively to show they have corrected the problems.  </p></td></tr></tbody></table> <span class="ms-rteiaStyle-authorbio">​Christopher Kelly, DProf, FCA, is partner with Kelly & Yang based in Melbourne, Australia. </span>​​<br><span style="line-height:1.6;"><em>Frans Deklepper is senior software engineer at Callista Software Services in Melbourne.​</em></span>Chris Kelly1655
Fraud Preventionhttps://iaonline.theiia.org/2016/Pages/Fraud-Prevention-.aspxFraud Prevention<p> Even in a rapidly changing business environment with emerging technologies and constant challenges, at the core of every organization is its employees — those carrying out operations, executives, administrative personnel, an​d even the board. Employees are faced with an increasing pressure to meet the bottom line at work and at home, and they can be exposed to a variety of ethical dilemmas. These dilemmas can tempt employees to commit fraud against their employer. </p><p>The cost of occupational fraud can be minimized with fraud prevention. Depending on the size and complexity of an organization, internal audit can be called on to recommend improvements or evaluate an organization’s controls and commitment to fraud prevention. An organization’s internal controls are not always specifically designed to prevent fraud; however, often there are fraud prevention components inherent in internal controls related to the control environment, segregation of duties, and monitoring activities. </p><h2>Control Environment </h2><p>The control environment is one of the interrelated components of internal control, and it is vital in establishing an effective fraud-prevention culture within an organization. A visible commitment to fraud prevention can exhibit to employees the importance of anti-fraud measures to the organization. Control activities related to fraud prevention can be evident in the hiring, onboarding, and training of employees, as well as the organization’s policies and procedures. </p><p>During the hiring process, companies may conduct background checks, validate references, or confirm certifications. Certain fields or industries may require background checks, which can serve as a first point of communication regarding an organization’s tolerance of fraudulent activity.  </p><p>The introduction to the organization’s mission and values typically occurs during the onboarding process. This can be an opportune time to distribute and explain the code of conduct, code of ethics, or a separate fraud policy. Taking time to discuss the firm’s policies and procedures thoroughly can be an effective measure in fraud prevention. For example, organizations subject to bid requirements should maintain sufficient documentation to support compliance with established protocols in place. Policies and procedures should be clearly defined, published, readily available, and required to be read and acknowledged annually by employees to correspond with terms of employment. </p><p>Fraud-related training can reinforce the importance of anti-fraud, waste, and abuse meausres to the organization. To be effective, training that promotes fraud prevention should be tailored to the role and duties of the individual employee. Mandatory, continuous training for employees who progress within an organization can be implemented based on individual job responsibilities and within a department’s specific function. This can equip employees with the skills to detect fraud, and also educate employees about what to do when fraud is suspected.</p><p>Companies may opt to use hotlines for fraud reporting. Depending on available resources, an organization’s fraud reporting hotline may be third-party managed, in-house, or a combination of both. Information regarding the fraud reporting hotline should be communicated during training, readily available, and publicly displayed in common areas so it is visible to all employees. To build the trust of employees in the fraud-reporting process, disseminated materials should contain information regarding how hotline tips are evaluated, and what level of anonymity and confidentiality can be assured for the tip-reporting employee. </p><h2>Segregation of Duties </h2><p>The organization should provide employees with the authority to carry out their duties, but no single employee should have the ability to create, execute, and monitor activities within a business function. For example, in payroll processing, there should be separation between the ability to approve payroll, write and sign checks, receive bank statements, and reconcile those bank statements. In this instance, an accountant or other financial personnel could approve payroll, write checks, and reconcile bank statements; whereas an executive director could sign checks, receive and open bank statements, and review bank reconciliations. </p><p>The size of an organization can create complexities related to segregation of duties. Small organizations can experience challenges because of staff size limits. Careful consideration should be made so that no single employee has complete control over all aspects of a process or function. However, large organizations can experience distinct challenges because of the potential overlap of job duties among multiple departments, which can require a more concerted effort to determine whether job responsibilities are adequately segregated. </p><p>Regardless of the size of an organization, controls should be designed and implemented so they cannot be overridden without appropriate authority. Insufficient safeguards and consideration for employee responsibilities can lead to collusion. Segregation of duties should occur at all levels of an organization and be relevant to each specific function. </p><h2>Comprehensive Monitoring</h2><p>Monitoring implemented controls not only provides oversight, but it also can gauge compliance with established policies and determine whether controls are operating as intended. For example, controls established to segregate employee duties will be ineffective if those employees disregard controls in place. Ineffective controls can create the opportunity for an employee to perpetrate fraud. Monitoring should occur at all levels of an organization and not be limited to day-to-day operations. </p><p>Before establishing monitoring procedures, those responsible for monitoring activities should perform a fraud-risk assessment. Analytics are often used, but there are additional resources for an organization to consider. Employees are a valuable resource because they are close to the operations responsible for achieving components of the organization’s goals. Those performing the fraud-risk assessment should use the skills and knowledge of employees to strengthen monitoring activities. Employees can provide insight on how someone might circumvent current controls, which in turn can help an organization strengthen controls designed to prevent the occurrence of fraud. The involvement of employees in the fraud-risk assessment process provides them with increased fraud awareness. They can become more knowledgeable of fraud terms and schemes such as asset misappropriation and procurement fraud. Lastly, involvement of employees fosters continuous training and reinforces the organization’s established policies and procedures. </p><p>Publicizing monitoring activities within the organization can help deter employees from committing fraud because they realize the likelihood of detection is increased. Monitoring can serve as a preventive measure within the organization and can also minimize the duration of fraudulent activity.</p><h2>It Can Happen Here</h2><p>As businesses grow or are redefined, fraud often presents itself unpredictably. Organizations that ignore the occurrence of fraud or maintain the “it can’t happen here” mind-set may find themselves dealing with increasing fraud-related costs. Carefully designed and monitored preventive measures are crucial in the fight against fraud.</p>Louise Henry11061
Citizenship Fraudhttps://iaonline.theiia.org/2016/Pages/Citizenship-Fraud.aspxCitizenship Fraud<p>​Canada's Auditor-General reports that gaps in the nation's citizenship program are leading to fraud, according to <a href="http://www.theglobeandmail.com/news/politics/gaps-in-ottawas-detection-of-citizenship-fraud-auditor-finds/article29830872/" target="_blank"> <em>The Globe and Mail</em></a>. An audit of 700 citizenship cases between July 2014 and October 2015 found that the Immigration Department lacked a method to identify and document fraud risks when dealing with suspicious immigration documents. Moreover, citizenship officers lacked information needed to identify problem addresses when they made decisions to grant citizenship. The report also cites poor information sharing between the Immigration Department and law enforcement and border control agencies. Canada's immigration minister announced the government will implement all of the Auditor-General's recommendations.​</p><h2>Lessons Learned</h2><p>Immigration policy and whether a country has effective controls in place to prevent immigration fraud are hot topics these days. This story, although it involves an external audit, offers insights into what internal auditors working in immigration agencies also can do to help prevent and detect immigration fraud. Here is a summary of the most important observations and recommendations contained in the Auditor-General's recent audit of Canada's immigration system, to which I've added a few of my own. The full report can be found <a href="http://www.oag-bvg.gc.ca/internet/English/parl_oag_201602_02_e_41246.html" target="_blank">here</a>. </p><p> <strong>Doing a thorough job of identifying and analyzing immigration risk must include a focus on fraud risk. </strong>It's not sufficient to merely identify broad categories of fraud risks, such as residency and document fraud. The information collected during citizenship application processes needs analysis to better understand the types of fraud detected or the extent to which it occurs. Then, departments must apply appropriate mitigation to determine whether a situation improves. Examples include:</p><ul><li style="line-height:1.42857;">Analysis of key information, such as revoked, abandoned, or withdrawn citizenship applications, to identify patterns and improve understanding of program risks.​​​<br>​<br></li></ul><ul><li style="line-height:1.42857;"> ​​Review of applications refused for residency reasons to assess the extent of residency fraud. The audit found examples where the same addresses were used by many different applicants over several years, which none of the citizenship officers who processed their applications noticed. One address was used by at least 50 different applicants during overlapping time periods between 2008 and 2015. Among these applicants, seven became Canadian citizens.​<br></li></ul><p>​<br></p><p>Furthermore, immigration organizations need to develop a systematic, evidence-based approach to identifying fraud risks, including establishing a baseline and monitoring trends. The Auditor-General's report examined whether risk indicators for residency fraud were based on sound evidence and analysis, and found that overall the Immigration Department documented the risk indicators it considered to be associated with residency fraud. However, it did not have sufficient data or analysis to explain how or why it selected some of those indicators.</p><p> <strong>Even if immigration fraud risks are identified appropriately and mitigation is put in place, consistent application of methods is essential to identify and prevent fraud during the citizenship application process.</strong> This includes the need to ensure clear authority to seize problem documents, provide officers with more detailed guidance and training, and ensure that officers implement this guidance. The auditor's report found that due to such inconsistent application, people were granted citizenship based on incomplete information or without all of the necessary checks being completed. Particular areas of concern included:</p><ul><li style="line-height:1.42857;"> <em>Checking for problem addresses.</em> Immigration officers did not consistently have information about problem addresses to support their decisions to grant citizenship due to database factors, such as data entry errors and inconsistent updating. In turn, these officers may not have detected potentially fraudulent residency claims.<br></li></ul>​ <ul><li style="line-height:1.42857;"> <em>Identifying fraudulent and altered documents.</em> Altering passports and other documents to falsely establish residency in Canada, and counterfeit documents, are growing risks. Inconsistent guidance and practices for dealing with suspicious documents, such as one region not seizing documents for years versus another doing so regularly, are examples of inconsistency.</li></ul><p> <strong>​</strong></p><p> <strong>Reliable interagency cooperation and sharing of information is a key part of a robust control system in preventing immigration fraud. </strong> The report found that Canadian partners the Royal Canadian Mounted Police (RCMP) and the Canada Border Services Agency (CBSA) did not consistently share, or did not do so timely, important information on criminal charges and potential residency fraud that citizenship officers need to make informed decisions about granting citizenship. </p><p>The report found the RCMP does not systematically track people's citizenship status, so it is difficult to link citizenship applicants with those charged with crimes. However, using criminal occurrences that included the keywords "permanent resident" and "foreign national," auditors came up with a list of 2,576 cases since 2010. Examining a sample of 38 of these cases (these individuals had been charged by the RCMP with a crime, some serious enough to make an individual ineligible for citizenship, such as drug trafficking and assault), auditors found that the RCMP shared this information with citizenship officers timely in only two cases.</p><p>In the case of the CBSA, if adverse information that might affect a permanent resident's eligibility for citizenship is found, it has a responsibility to advise citizenship officers. In turn, citizenship officers are required to check for these alerts and may decide to carry out additional procedures to make sure the applicant's residency requirements have been met before granting citizenship. Based on a random sample of 38 names out of 4,001 that were associated with seven recent CBSA fraud investigations, auditors found that the CBSA did not consistently provide information to immigration officials when permanent residents were linked to major fraud investigations.</p><p>Readers in the U.K., U.S., and other countries may recognize these immigration fraud issues and may find some of the recommendations helpful.​</p><p>​<br></p>Art Stewart0507
The Ticking Ethical Time Bombhttps://iaonline.theiia.org/2016/Pages/The-Ticking-Ethical-Time-Bomb.aspxThe Ticking Ethical Time Bomb<p>Axel Co. was a manufacturing company that operated a large industrial complex. Because of the size of the plant and its related infrastructure, the company had a significant ongoing investment in maintenance and repair, especially in maintenance supplies. Axel spent millions each year on steel, cable, and similar materials — and now some of it was going missing.</p><p>The primary supplies were maintained in a warehouse, where they were protected by physical access controls. But leftover supplies — for example, when a job used only 900 feet of a 1,000-foot roll of coaxial cable — were left in a less secure, open area called "the Yard." Controls over the Yard were minimal because the supplies needed to be quickly and easily accessed for small maintenance jobs. </p><p>This system appeared to be working efficiently, until a regular audit of the maintenance function revealed that items were disappearing from the Yard without explanation. Based on audit testing, the auditor, Stuart Wathen, estimated that annual losses would be in the tens of thousands of dollars if it wasn't stopped.</p><p>At first, Wathen assumed that Axel maintenance staff was using the supplies and that the jobs simply had not been entered into the maintenance log. This proved not to be the case. He then hypothesized that local college students might have taken the items, possibly as a fraternity initiation prank. This, too, turned out to be incorrect. Finally, Wathen set up a concealed surveillance camera to find out what was really going on. The results were surprising and disturbing.</p><p>Many of Axel's employees were skilled handymen and carpenters, with the ability to build their own garages and cottages. As it turned out, many of these employees were stealing supplies from the Yard to take home for their own projects, and ignoring the posted signs, which clearly stated that these items were not trash but valuable company property.</p><p>On further investigation, the problem got even worse. Not only were the employees unrepentant about stealing company property, but they also bragged to co-workers about the creative ways they snuck their loot back to their cars and trucks past the security guards at the front gate. One worker even liked to boast that the Yard had built his entire garage — he had not paid for even a single nail or foot of wire. And the worst part was the other employees encouraged and supported this behavior, comparing the thieves to modern-day Robin Hoods.</p><p>The company was faced with a dilemma. The financial loss, while real, was clearly secondary to the effect on company culture. Axel was aware of "slippery slope" research, which shows that small frauds frequently lead to larger ones. Having a workforce that celebrated thieves as heroes was a recipe for future disaster. But their alternatives were limited. Shutting down the Yard, and moving the scraps to the warehouse, would be inefficient (that was why the Yard was created in the first place) and would do nothing to address the ethical conundrum. Prosecuting the employees for theft would be difficult and — in Axel's highly unionized environment — would generate more ill will toward management than the issue was worth. Installing security cameras and stationing full-time security guards at the Yard would not be cost-effective. Telling the employees that they could take whatever they liked from the Yard was another option, but one that could lead to employees taking everything whether they needed it or not — and potentially to fights between employees about who could take which items.</p><p>In the end, Axel came up with a simple, elegant solution. The company put price tags on each item in the Yard, at prices substantially lower than market, and installed an honor charity box for the United Way. It put up signs telling employees they could take whatever they wanted, but they were asked to put the appropriate sum into the United Way box. The contents of the box would then be emptied and given to the charity on a regular basis. There would be no guards or security cameras.</p><p>Axel also added a sign that read, "Total contributed to the United Way so far = $xxx." Behavioral psychology studies have found that people tend to behave more positively when they are reminded of their membership in a positive group.</p><p>Axel's innovation was a great success. Employees who would (tacitly or otherwise) support fellow employees who stole from the company were far less willing to condone stealing from the United Way. The bragging about unethical behavior stopped almost immediately, and employees began to take pride in the ever-mounting total contribution to the charity. In many cases, employees even contributed amounts in excess of the price tags on the goods they took and started bragging about that. A ticking ethical time bomb had been transformed into a source of strong ethical reinforcement.</p><h2>Lessons Learned</h2><ul><li>Organizations should be aware of situations that permit — or even encourage — "mini frauds," as considerable research suggests small frauds lead to larger frauds. Such situations can be dangerous beyond their own financial impact.</li></ul><ul><li>It is often easy for otherwise ethical employees to justify taking financial advantage of their employer (the rationalization side of the Fraud Triangle). It is accordingly dangerous to assume that other employees will discourage such behavior, at least on a small scale.</li></ul><ul><li>In the past, many companies attempted to establish an ethical culture by reinforcing penalties for undesired behavior. But it is sometimes more powerful to establish identity in an ethical group as a proactive way to reinforce a positive image.</li></ul><ul><li>Sometimes the most obvious issue is not the more important one. In this case, if Axel had focused on safeguarding the material in the Yard, it would have missed the more important ethical concern. The solution Axel adopted cost them money, but the ethical reinforcement was of far greater value.</li></ul><ul><li>The conventional response to an uncovered fraud is to increase controls. This is often valid, but an auditor should first examine the circumstances that encourage the fraud to see if the controls are unrealistic or inappropriate. Policies and limitations should not just be knee-jerk reactions that all but guarantee noncompliance.</li></ul><ul><li>Controls can be more effective when external parties are involved. If the donation box had just said "money for charity," it is possible that Axel employees would have been less motivated to pay for Yard materials. But by explicitly designating the donations for the United Way — a charity with whose good work the employees were all familiar — Axel made it even harder for employees to continue to justify the thefts.</li></ul><ul><li>It is important for a company to monitor its ethical culture. In this case, Wathen heard about the bragging from friends who worked in the complex. Had he not found out about it, or if he had ignored it, Axel could have missed this ethical issue.</li></ul>James Scott1710
The Taxing Season of Fraudhttps://iaonline.theiia.org/2016/Pages/The-Taxing-Season-of-Fraud.aspxThe Taxing Season of Fraud<p>Two former SunTrust Bank employees have been convicted of attempting to defraud the U.S. Internal Revenue Service (IRS) of more than US$2.8 million, the <a href="http://oak.ctx.ly/r/4eyo7" target="_blank"> <em>Atlanta Journal-Constitution</em> reports</a>. Federal authorities say Jeoffrey Jenkins and Vaughn Chambers opened bank accounts using stolen personal information and listed those accounts in more than 2,000 tax filings between February 2013 and March 2014. The IRS paid about US$500,000 into those accounts until a SunTrust investigator noticed that one of the employees was involved in anomalous banking activity and contacted law enforcement. Jenkins received a six-year prison sentence, while Chambers will serve two years.</p><h2>Lessons Learned</h2><p>Identity theft and its use in false tax returns has become a problem of staggering proportions. In a 2015 American Institute of Chartered Public Accountants (AICPA) survey, 63 percent of CPAs said at least one of their clients was a victim of tax identity theft in the 2015 filing season. Sensitive taxpayer information is also being stolen at large retailers, insurers, and other entities across the U.S., and recently there have been significant breaches of the IRS's online filing systems. </p><p>On a personal note, I, like many thousands of taxpayers do at this time of year, just received an electronic notice from the Canada Revenue Agency (CRA) — my tax refund of CA$468.27 was ready for me to collect. All I needed to do was log into my tax return account by clicking on the link provided in the email. All of the logos, language, and apparent details looked authentic, except that I knew I was not entitled to such a refund this year and that the CRA does not issue tax refunds in this manner. But think about the many others who could be fooled by such authentic-looking messages and would click on the email link, rendering their electronic identities wide open to tax fraudsters.</p><p>In several of my columns, I've written about specific kinds of tax-related identity theft and offered advice and suggestions for preventing and detecting them (for example, tax preparers and bank employees who stole the identities of children, legitimate taxpayers, and investors to claim significant tax refunds). In the context of the current story, I'd like to add a few more suggestions that focus on the need for better controls from lawmakers and regulators. These measures are contained in a piece of legislation called the Taxpayers Protection Act of 2016,<strong> </strong>recently passed by the U.S. Senate Finance Committee. Among the measures that may help prevent and detect tax-related identify theft are:</p><ul style="list-style-type:disc;"><li>Providing a sole point of contact for identity theft victims to help them recover their stolen or unfairly suspended tax refunds. </li><li>Requiring the IRS to issue a report, in consultation with the U.S. Federal Communications Commission and the Federal Trade Commission, to protect consumers from phone scams in which criminals pretend to be IRS agents.</li><li>Reforming the IRS's communications with whistleblowers to allow the exchange of information with whistleblowers when doing so would be helpful in an investigation, as well as to require the IRS to notify whistleblowers of the status of their claims. </li></ul><p> </p><p>That said, there should be no illusions that this legislation will solve the problem entirely. The AICPA, while supporting the legislation, wants to elevate the competency and ethical conduct of tax preparers. A provision in the legislation giving the IRS authority to regulate tax preparers has been blocked, in part because federal courts ruled the IRS lacks the statutory authority from Congress to mandate tax preparer testing and continuing education. The IRS has established a voluntary Annual Filing Season Program, but it doesn't allow for minimum standards to crack down on fraudulent return preparers.​​</p><p>Other control measures, including some identified by the AICPA, that should be front and center in battling tax-related identity fraud include: </p><ul style="list-style-type:disc;"><li>Making it a felony for a person to use a stolen identity to file a return. </li><li>Increased mandated electronic filing of returns by paid tax return preparers. </li><li>Required reports to Congress by the U.S. Government Accountability Office about identity theft and tax refund fraud. </li><li>Authorizing the IRS to revoke Preparer Tax Identification Numbers.</li></ul>​ <p></p>​Art Stewart0853
Proactive Fraud Analysishttps://iaonline.theiia.org/2016/Pages/Proactive-Fraud-Analysis.aspxProactive Fraud Analysis<p>​Today’s digital world has created new growth opportunities for organizations — but also new fraud risks. Cyber breaches, insider threats, and corruption are among the risks forcing inte​rnal auditors to ask ne​w fraud risk questions and seek appropriate technologies to address them. For internal audit departments, forensic data analytics can be a powerful tool for preventing, detecting, and investigating fraud, corruption, and other noncompliant behavior in their organizations.</p><p>Investments in such tools are paying off. According to the Association of Certified Fraud Examine​rs’ 2014 Report to the Nations on Occupational Fraud and Abuse, organizations that have proactive data analytics in place have a 60 percent lower median loss because of fraud — roughly US$100,000 lower per incident — than organizations that do not use such technology. Further, use of proactive data analytics cuts the median duration of fraud in half, from 24 months to 12 months. </p><p>Integrating more mature forensic data analytics capabilities into an organization’s audit and compliance monitoring program can improve risk assessment, detect potential misconduct earlier, and enhance audit planning or investigative field work. Moreover, forensic data analytics is a key component of effective fraud risk management as described in The Committee of Sponsoring Organizations of the Treadway Commission’s most recent Fraud Risk Management Guide, issued in 2016 — particularly around the areas of fraud risk assessment, prevention, and detection. </p><h2>A Big Data Approach to Fraud</h2><p>Fraud prevention and detection is an ideal big data-related organizational initiative. With the growing speed at which they generate data, specifically around the financial reporting and sales activity process, organizations — particularly the internal audit function — need ways to prioritize risks and better synthesize information using big data technologies, enhanced visualizations, and statistical approaches to supplement traditional rules-based tests performed in spreadsheet or database applications. </p><p>Before jumping into any specific technology or advanced analytics technique, it is crucial to first ask the right risk or control-related questions to ensure the analytics will produce meaningful output for the business objective or risk being addressed. When deciding which tests to evaluate, and the corresponding data that will need to be mapped, internal auditors should consider: </p><p> <strong>What</strong> business processes pose a high fraud risk? High-risk business processes include the sales (order-to-cash) cycle and payment (procure-to-pay) cycle, as well as payroll, accounting reserves, travel and entertainment, and inventory processes.</p><p> <strong>What </strong>high-risk accounts within the business process could identify unusual account pairings, such as debit to depreciation and an offsetting credit to a payable, or accounts with vague or open-ended “catch all” descriptions such as a “miscellaneous,” “administrate,” or blank account names?</p><p> <strong>Who </strong>recorded or authorized the transaction? Posting analysis or approver reports could help detect unauthorized postings or inappropriate segregation of duties by looking at the number of payments by name, minimum or maximum accounts, sum totals, or statistical outliers.</p><p> <strong>When</strong> did transactions take place? Analyzing transaction activities over time could identify spikes or dips in activity such as before and after period ends or weekend, holiday, or off-hours activities.</p><p> <strong>Where </strong>do internal auditors see geographic risks, based on previous events, the economic climate, cyberthreats, recent growth, or perceived corruption? Further segmentation can be broken down by business units within the regions and by the accounting systems on which the data resides.</p><h2>Success Factors</h2><p>The benefits of implementing a forensic data analytics program must be weighed against challenges such as obtaining the right tools or professional expertise, combining data (both internal and external) across multiple systems, and the overall quality of the analytics output. To mitigate these challenges and build a successful program, internal auditors should consider five success factors:</p><p> <strong><img class="ms-rteiaPosition-2" src="/2016/PublishingImages/Misra_Walden_chart.jpg" alt="" style="margin:5px;" />Focus on the Low-hanging Fruit</strong>​ The priority of the initial project matters. Because the first project often is used as a pilot for success, it is important that the project addresses meaningful business or audit risks that are tangible and visible to the business. Further, this initial project should be reasonably attainable, with minimal capital investment and actionable results. It is best to select a first project that has big demand, has data that resides in easily accessible sources, with a compelling, measurable return on investment. Areas such as insider threat, anti-fraud, anti-corruption, or third-party relationships make for good initial projects.</p><p> <strong>Go Beyond the Descriptive Analytics </strong>​​​One of the key goals of forensic data analytics is to increase the detection rate of noncompliance, while reducing the risk of false positives. From a capabilities perspective, organizations need to embrace both structured and unstructured data sources that consider the use of data visualization, text mining, and statistical analysis tools, as shown in the maturity model.</p><p> <strong>Communication Is Key </strong>Internal audit should demonstrate the first success story, then leverage and communicate that success model widely throughout the organization. Results should be validated before successes are communicated to the broader organization. For best results and sustainability of the program, auditors should involve a multidisciplinary team that includes IT, business users, and functional specialists — such as data scientists — who are involved in the design of the analytics and day-to-day operations of the forensic data analytics program. It helps to communicate across multiple departments to update key stakeholders on the program’s progress under a defined governance regime. Auditors shouldn’t just report noncompliance; they should seek to improve the business by providing actionable results. </p><p> <strong>Involve End-users</strong> Leadership support can get forensic data analytics programs funded and set the tone, but the business users — particularly those doing internal audit field work or who are on the front lines of the business — need to adopt it in their daily operations to make the program successful and sustainable. The forensic data analytics functional specialists should not operate in a vacuum; every project needs one or more business champions who coordinate with IT and the business users. Keep the analytics simple and intuitive — don’t include too much information in one report so that it isn’t easy to understand. Finally, invest time in automation, not manual refreshes, to make the analytics process sustainable and repeatable. The best trends, patterns, or anomalies often come when multiple months of vendor, customer, or employee data are analyzed over time, not just in the aggregate.</p><p> <strong>Set a Realistic Timetable</strong><strong></strong> Enterprisewide deployment takes time. While quick-hit projects may take four to six weeks, integrating the program can take more than one or two years. Programs need to be refreshed as new risks and business activities change, and people need updates to training, collaboration, and new technologies. </p><h2>An Opportunity for Internal Audit</h2><p> As a framework for evaluating the maturity of an organization’s use of forensic data analytics, the “Forensic Data Analytics Maturity Model” (see above right) demonstrates the progression of an organization’s maturity journey, starting from rules-based, descriptive tests and reports, to statistical and predictive techniques. Organizations that have implemented forensic data analytics are making strides along the maturity path, according to EY’s 2016 Global Forensic Data Analytics Survey of 665 internal audit, legal/compliance, and financial professionals in 17 countries. Respondent organizations conducting forensic data analytics completely in-house increased from 45 percent in 2014 to 67 percent today. Moreover, many of these organizations are expanding their advanced capabilities, such as doubling their use of data visualization tools and incorporating social media and statistical analysis. </p><p> Such findings provide evidence of the benefits of integrating advanced forensic data analytics techniques into internal audits. By helping increase their organization’s maturity in this area, internal audit has the opportunity to deliver an audit program that is highly focused on preventing and detecting fraud risks.</p><p> <span class="ms-rteiaStyle-authorbio">​​​Aditya Misra, CFE, CPA, is senior manager of corporate audit with Johnson & Johnson in New Brunswick, N.J.​ </span></p> <span style="line-height:1.42857;"> <em>Vincent Walden, CFE, CPA, CITP, is a partner in Ernst & Young LLP’s Fraud Investigation and Dispute Services group in Atlanta.​​</em></span><br>​Aditya Misra03936
The Sham Charitieshttps://iaonline.theiia.org/2016/Pages/The-Sham-Charities.aspxThe Sham Charities<p>The U.S. Federal Trade Commission (FTC) has announced that two Tennessee-based cancer charities have agreed to a US$75.8 million settlement of charges that they had spent donations on executive salaries and luxury vacations rather than on cancer patients, <a href="http://www.cbsnews.com/news/sham-cancer-charities-settle-massive-fraud-case" target="_blank">CBS News reports</a>. Cancer Fund of America and Cancer Support Services allegedly spent only 3 percent of donor contributions on cash and services for cancer patients and nonprofits. The two charities, along with the Children's Cancer Fund of America and The Breast Cancer Society, were named in a federal lawsuit brought by the FTC and law enforcers from all 50 states. Altogether, those charities raised more than US$187 million between 2008 and 2012. </p><h2>Lessons Learned​</h2><p>This is not the first time I've written about fraud committed by charities, nor do I think it will be the last. According to a 2013 CNN study, the problem has systemic roots in the way charities are often managed. For example, even without any evidence of fraud, collectively the 50 worst charities raised more than US$1.3 billion over the past decade and paid nearly US$1 billion of that directly to the companies that raise their donations. These same charities also devote less than 4 percent of donations raised to direct cash aid. More generally, hundreds of charities that run donation drives across the country regularly give their fundraisers at least two-thirds of the take. Experts say good charities should spend about half that much — no more than 35 cents to raise a dollar. </p><p>What can auditors learn from this story? How can they help?</p><ul><li> <strong style="line-height:1.6;">There is oversight and regulation of charities, both at the state and federal levels, but is it enough of the right kind? </strong> <span style="line-height:1.6;">There is no single, consistent regulatory framework for charities across the U.S. Each charity must annually submit a Form 990 PF to the U.S. Internal Revenue Service (IRS) covering its financial statements, activities, and assets, but the rules established at state levels vary as to the scope and depth of requirements of charities, mainly focusing on the life cycle "bookends" — registration of a charity, and mergers and dissolutions. Oversight of the ongoing activities of charitable organizations, particularly to scrutinize whether funds collected are actually being passed on to those intended to benefit from the charity's work, seem to be minimal, unless someone spots something wrong later on, and calls for the U.S. Federal Bureau of Investigation to step in.<br><br>​​​There simply may be too many charities nationwide to look at them all every year — particularly for the IRS — but individual states could do more by relying on auditors to take regular, targeted looks at what their charitable sectors are doing to ensure fraud is detected earlier and more effectively. The targeting should include examining what percentage of funds raised are given to fundraisers and what percentage of funds raised are actually passed on to the charity's intended beneficiaries. Of course, there will be instances where charities falsify these numbers in their reporting, so spot-checking audits of randomly selected charities also would be needed. There is a cost to doing this, but it would result in better fraud prevention and fewer dollar losses down the line.</span>​</li></ul>​ <ul><li> <strong style="line-height:1.6;">Continuing to increase the level of education, research, and due diligence performed by all those involved with charitable organizations is a must. </strong> <span style="line-height:1.6;">There are several excellent sources of relevant information and advice to help avoid fraud by charities, including tips to help make sure charitable contributions are being put to good use, such as </span> <a href="http://ftc.gov/charityfraud" target="_blank">the FTC's website</a><span style="line-height:1.6;">. The state of Tennessee has a useful guide on the duties and responsibilities of charitable organizations' board members, </span> <a href="http://attorneygeneral.tn.gov/nonprofit/nonprofitguidebook.pdf" target="_blank">What Every Board Member and Officer Should Know: A Guidebook for Tennessee Nonprofits</a><span style="line-height:1.6;"> (PDF), and the National Association of State Charities Officials maintains a </span> <a href="http://www.nasconet.org/resources" target="_blank">comprehensive website of resources</a><span style="line-height:1.6;"> relating to both national and state organizations involved with charities. In particular, all parties must do their own research about:</span><br></li><ul><li>Detailed information on the charity, including mandate, officers, and contribution methods and major contributors. They also should check whether the charity is trustworthy by contacting the <a href="http://www.bbb.org/charity" target="_blank">Better Business Bureau's Wise Giving Alliance</a>, <a href="http://www.charitynavigator.org/" target="_blank">Charity Navigator</a>, <a href="http://charitywatch.org/" target="_blank">Charity Watch</a>, or <a href="http://www.guidestar.org/" target="_blank">GuideStar</a>.</li><li>The percentage of a donation that will go to the charity.</li><li>How much will go to the actual cause to which someone is donating.</li><li> <span style="line-height:1.6;">How much will go to the fundraiser.</span></li></ul></ul><p>​​</p>Art Stewart0518
Overpayments and Fake Ex-employershttps://iaonline.theiia.org/2016/Pages/Overpayments-and-Fake-Ex-employers.aspxOverpayments and Fake Ex-employers<p>​Iowa's unemployment insurance program paid US$909,000 in inappropriate payments and uncollected penalties between 2013 and 2015, the <a href="http://www.desmoinesregister.com/story/news/investigations/2016/02/03/audit-unemployment-scam-cost-iowa-910000/79763730/" target="_blank"> <em>Des Moines Register</em> reports</a>. Following an Iowa Senate Government Oversight Committee hearing and inquiry, a review by the state auditor found more than US$700,000 in overpayments resulting from a phone system malfunction. The Workforce Development agency that manages the unemployment program also paid nearly US$100,000 to people who made false claims, such as claiming to have been terminated by companies that were fictitious. The audit notes that Workforce Development did not independently verify information reported by employers or suppos​edly unemployed workers.</p><h2>Lessons Learned</h2><p>This story details several significant failures by Workforce Development to put in place anti-fraud measures that may have prevented or detected fraudulent behavior at an earlier stage. Let's take a look at the most important failures — those that auditor​s likely would observe using tools readily available to them, including fraud risk assessments, risk-based audit plans, and regular auditing and reporting.​​</p><ul><li> <span style="line-height:1.6;"><strong>Weak program design and controls.</strong> In this case, there was an imbalance between the state's desire to provide easy program accessibility and a need to establish effective controls over disbursement of public funds. The vast majority of public institutions that disburse public funds and benefits to qualified individuals, groups, or organizations do so by designing and implementing eligibility criteria and service delivery mechanisms that aim to exclude nonqualifiers effectively. Moreover, most public institutions delivering social benefits include some form of validated master list of program founders/contributors — in this case, Iowa employers, who would be readily identifiable as legitimate contributors — and an eligibility verification process/cross-checking system to independently verify information reported by employers or supposedly unemployed workers. It should have been easy for program officials/monitors to check whether a bogus employer name was being used. </span><br> </li><li> <span style="line-height:1.6;"><strong>Poor overpayment recovery.</strong> Social service agencies typically establish an overpayment recovery function to get back inappropriately or falsely issued payments. In the case of Workforce Development, little of this seems to have been put in place. Even when some illegal activities were identified, the agency failed to follow through to uncover the extent of the problem, according to auditors.</span><br><br></li><li> <span style="line-height:1.6;"><strong>Weak program delivery systems.</strong> Few modern public institutions rely on a single mode of program delivery such as the telephone. Most now use some form of online application system as well. Each service delivery mode needs specific attention to ensure the systems used to screen applicants are designed and maintained appropriately. In Iowa, better controls should have been in place to prevent such a major system breakdown and deal with the handling of questionable claims resulting from the telephone system breakdown.</span><br> </li><li> <span style="line-height:1.6;"><strong>Lapses in management oversight, delegation of authority, and monitoring.</strong> The only part of this element that seems to have worked is the role of the Iowa Senate Government Oversight Committee, which asked the tough questions and called senior Workforce Development officials to account for their behavior. Other levels of oversight and checks and balances were either weak or nonexistent. Program managers were able to act alone to attempt to hide the fraud. Workforce Development flouted requirements to report the problems to state auditors and did not keep adequate supporting documentation that would have enabled auditors to perform a more complete assessment of the extent of the problem. A weak accountability regime also needed attention. Many involved staff members have left the agency, and it's unclear whether they will face any consequences for their actions. Similarly, there should be clear policies and procedures in place to deal with fraudulent client behavior.​​</span></li></ul>​Art Stewart01935
The Phantom Ticketshttps://iaonline.theiia.org/2016/Pages/The-Phantom-Tickets.aspxThe Phantom Tickets​ <p>An internal audit and internal affairs investigation have revealed that some Ottawa police officers were issuing fake traffic warnings, <a href="http://ottawacitizen.com/news/local-news/nine-officers-reassigned-amid-phantom-ticket-probe" target="_blank"><em>Ottawa Citizen</em> reports</a>. According to the audit of all traffic warnings issued by district patrol and emergency operations officers, the officers from the traffic escort and enforcement unit allegedly issued the warnings after traffic stops, but didn't actually give them to the motorists. As a result, the infractions appeared in a police database along with the drivers' names, without their knowledge. Two officers have been suspended with pay and nine others have be​en assigned desk duty. The internal affairs investigation is still in progress.​</p><h2>Lessons Learned</h2><p>The more typical kind of policin​g fraud relates to bribes, extortion, or more mundane transactions such as ticket fixing. This story illustrates a different kind of fraud: phantom ticketing. One might consider this trivial and administrative, but it is much more harmful than one might think because it undermines the public's trust in the integrity of law enforcement. The suspected Ottawa police officers allegedly were issuing fake tickets to pad their performance statistics, which in turn calls into question the validity of the city's human resources performance management system. Exaggerations to supposed levels of traffic enforcement actions increase the pressure on city politicians to sustain or increase police budgets. Just as bad, in some cases notations of false citations were added to police databases, even though the individuals were innocent.</p><p>While it's positive that the Ottawa police uncovered the fraudulent behavior as a consequence of an internal audit and are considering new quality control measures, here are some strategies auditors can proactively recommend to prevent and detect this kind of fraud early:</p><ul style="list-style-type:disc;"><li> <strong>Review and strengthen controls over police ticketing procedures. </strong>Beyond warnings, other types of enforcement transactions should be included. High volumes of transactions should be watched for regularly and should be subject to review and validation. Substantiation requirements also need to be reviewed to ensure they strike an effective balance between efficiency and sufficient detail that could also serve as dissuasive to falsification. This story also notes that mechanical issues with printers and a new e-ticketing system may have played a role in some warnings being printed inappropriately, so there should be a solid quality-assurance review process in place to regularly inspect existing and new equipment. Having duplicate copies of enforcement warnings immediately sent to a central review repository also might dissuade officers from faking transactions. In addition, there should be a strict control in place over where and when these documents are stored — officers should not be riding around in their patrol cars with a stack of them, as was the case in Ottawa.</li></ul>​​ <ul style="list-style-type:disc;"><li> <strong>Increase the use of body cameras on police officers during patrols, </strong>with a particular focus on the periods where warnings and enforcement actions are taken. A risk-based sampling approach should be applied to regularly review digital recordings to ensure appropriate procedures are being followed.<br><br></li></ul><ul style="list-style-type:disc;"><li> <strong>Allow citizens to have easier access to police information that personally relates to them and to be able to seek changes where justified. </strong>Citizens who receive a warning, or any form of enforcement action, could be allowed to sign th​e warning or enforcement to acknowledge its receipt, thus reducing the chances of such a document being entirely faked. This should be implemented in tandem with a strong whistleblower program that allows citizens to report inappropriate or unauthorized police behavior anonymously and without fear of reprisal.<br><br></li></ul><ul style="list-style-type:disc;"><li> <strong>Review human resources performance management incentives and procedures </strong>to reduce reliance on performance measures that can readily be "gamed," such as the warnings in this story, in order to give officers unwarranted access to recognition and career advancement. If it is not already being done, greater weight should be given to the more serious enforcement actions taken by officers, rather than to warnings. Quotas should be avoided.<br><br></li></ul><ul style="list-style-type:disc;"><li> <strong>Regularly monitor, report, and encourage senior management discussion of data</strong> that relates to erroneous or false policing transactions. ​<br></li></ul>Art Stewart0855
The False Dependentshttps://iaonline.theiia.org/2016/Pages/The-False-Dependents.aspxThe False Dependents<p>​A U.S. District Court judge in New York sentenced a former tax preparer to nine years in prison for using stolen identities of children to file fraudulent tax returns, <em> <a href="http://www.accountingtoday.com/news/tax-practice/bronx-tax-preparer-sentenced-to-9-years-for-stealing-childrens-identities-77287-1.html" target="_blank">Accounting Today</a></em> reports. Noel Cuello was convicted of using stolen Social Security numbers and other information to file federal tax returns that enabled his clients to falsely claim minor dependents. He obtained the information by bribing a former fraud investigator with the New York City Human Resources Administration, which runs 12 public assistance programs in the city.​</p><h2>Lessons Learned</h2><p>While the vast majority of tax professionals provide honest, quality services, there are other dishonest preparers who set up shop each filing season with the intention of perpetrating refund fraud, identity theft, and other scams. These preparers may act on their own or in collusion with others. In some cases, taxpayers may deliberately seek out preparers who are ready to conspire to file false tax returns. Many taxpayers unwittingly fall for the promise of inflated refunds obtained by the shady preparer. Taxpayers should be wary of anyone who asks them to sign a blank return, promises a big refund before looking at their records, or charges fees based on a percentage of the refund. And everyone doing business with a tax preparer should exercise due diligence about that preparer's credentials and background.</p><p>Faking the existence of children as dependents is just one of many tactics dishonest tax preparers use. Falsely inflating deductions or expenses on tax returns to underpay what is owed or to receive larger refunds is one of the most common gambits. Others include frivolous schemes where taxpayers are encouraged to make unreasonable and outlandish claims even though they are wrong and have been repeatedly thrown out of court (there is a US$5,000 penalty for filing a "frivolous" return). Inventing income to erroneously qualify for tax credits, such as the Earned Income Tax Credit, is another fraudulent tactic. The research credit, for example, frequently is misused to file inappropriate claims where qualified research activities cannot be substantiated or do not satisfy the requirements related to qualified research expenses.</p><p>Tax season is a good opportunity to be reminded of the great variety of tax-related fraud tactics to guard against. I've written on several occasions about how to spot and avoid these kinds of fraud, so take a look at previous columns to learn more. </p><ul style="list-style-type:disc;"><li> <strong>Identity theft</strong><strong>.</strong> In fiscal year 2015, the U.S. Internal Revenue Service (IRS) initiated 776 identity theft-related investigations, which resulted in 774 sentencings. While the fraudster in this case received a nine-year sentence, penalties can be even more severe. One thief was sentenced to more than 27 years, or roughly three years for each digit in a phony Social Security number.</li><br> </ul><ul style="list-style-type:disc;"><li> <strong>Electronic tax scams. </strong>Telephone tax scams, typically involving criminals impersonating IRS officials, is a significant fraud threat to taxpayers. The elderly are particularly susceptible to threats and intimidation of police arrest, jail time, huge fines, deportation, and license revocation. Phishing scams, typically involving fake e-mails or websites looking to steal personal information, can be sophisticated-looking. The IRS never sends taxpayers an email about a bill or refund out of the blue, so taxpayers should never click on one.</li><br> </ul><ul style="list-style-type:disc;"><li> <strong>Illegal tax shelters. </strong>Tax shelters<strong> </strong>that sound too good to be true often are — from those involving foreign banks or companies to dream-come-true beachfront property in some sunny, faraway land. Enforcement actions against offshore tax cheats — and the financial organizations that help them — are on the rise as well. ​</li></ul>Art Stewart0589

  • IAO_CaseWare_May2016Prem1
  • SCCE_May2016_Prem2
  • IIA RFCollabAuditing_Prem3

 

 

Six Steps to an Effective Continuous Audit Processhttps://iaonline.theiia.org/six-steps-to-an-effective-continuous-audit-processSix Steps to an Effective Continuous Audit Process2008-02-01T05:00:00Z2008-02-01T05:00:00Z
5 Steps to Agile Project Successhttps://iaonline.theiia.org/2016/Pages/5-Steps-to-Agile-Project-Success.aspx5 Steps to Agile Project Success2016-04-13T04:00:00Z2016-04-13T04:00:00Z
Conditioning the Organization for Risk Agility vs Resiliencyhttps://iaonline.theiia.org/blogs/chambers/2016/Pages/Conditioning-the-Organization-for-Risk-Agility-vs-Resiliency.aspxConditioning the Organization for Risk Agility vs Resiliency2016-05-16T04:00:00Z2016-05-16T04:00:00Z
Regulator Talks About Culturehttps://iaonline.theiia.org/blogs/marks/Pages/Regulator-talks-about-Culture.aspxRegulator Talks About Culture2016-05-14T04:00:00Z2016-05-14T04:00:00Z