Fraud

 

 

A Boost to Fraud Risk Assessments
https://iaonline.theiia.org/2015/a-boost-to-fraud-risk-assessments
<p>Daily headlines of pilfered passwords and stolen credit card data have put fraud at the top of management’s risk management agenda. This concern coincides with new guidance in The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 update of the <em>Internal Control–Integrated Framework</em> that directs organizations to conduct a fraud risk assessment as part of their overall risk assessment. <br></p><p>Now is an opportune time for internal auditors to help their organization re-examine its approach to fraud risk. For organizations that have not formally documented processes and controls to address fraud risk, adopting COSO 2013 can jump-start a fraud risk prevention program. Organizations that have a more mature fraud risk assessment can use it to strengthen their fraud prevention processes and procedures. <br></p><h3>COSO’s Guidance</h3><p>The discussion of fraud in COSO 2013 centers on Principle 8: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” Under the 1992 COSO framework, most organizations viewed fraud risk primarily in terms of satisfying U.S. Sarbanes-Oxley Act of 2002 requirements to identify fraud controls to prevent or detect fraud risk at the transaction level. <br></p><p>In COSO 2013, fraud risk becomes a specific component of the overall risk assessment that focuses on fraud at the entity and transaction levels. COSO now requires a strong internal control foundation that addresses fraud broadly to encompass company objectives as part of its strategy, operations, compliance, and reporting. <br>Principle 8 describes four specific areas: fraudulent financial reporting, fraudulent nonfinancial reporting, misappropriation of assets, and illegal acts. 
The inclusion of nonfinancial reporting is a significant change that covers sustainability, health and safety, employment activity, and similar reports. Because internal auditors frequently provide assurance in this area, they can provide insights into fraudulent nonfinancial reporting.<br></p><p>One useful document for performing a fraud risk assessment is Managing the Business Risk of Fraud: A Practical Guide, produced by the American Institute of Certified Public Accountants, the Association of Certified Fraud Examiners, and The IIA. This guide to establishing a fraud risk management program includes a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls.<br></p><h3>Fraud Risk Governance </h3><p>Managing the Business Risk of Fraud advises organizations to view fraud risk assessment as part of their corporate governance effort. This commitment requires a tone at the top that embraces strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk. <br></p><p>But even organizations with committed senior leadership may have inadequate fraud risk assessment programs. Most organizations have some written policies to manage individual fraud components, but many don’t concisely summarize these documents and activities so they can communicate and evaluate the completeness of their fraud management processes. Internal audit can help with this evaluation and address the areas of fraud described in Principle 8.<br></p><h3>The Assessment Process</h3><p>Although a fraud risk assessment should ordinarily be conducted as part of a broader evaluation of organizational risk in an enterprise risk management program, it may initially be done on a stand-alone basis. Regulatory and legal misconduct, such as U.S. Foreign Corrupt Practices Act violations, as well as reputation risk, also should be considered. 
Internal auditors can help ensure the fraud risk assessment is sufficiently robust.<br><br><strong>Assess and Identify Inherent Risk</strong> The fraud risk assessment starts with a brainstorming session to uncover the organization’s potential fraud risks, without consideration of mitigating controls. The review should be shaped by the organization’s operating environment, including industry practices, business culture, the state of the economy, applicable regulatory regimes, business practices, and business conditions. <br></p><p>Each risk area should be examined, including fraudulent reporting, possible loss of assets, and corruption. The assessment should consider:<br></p><ul><li>All types of fraud schemes and scenarios.</li><li>The incentives (such as compensation programs), pressures (such as a chief financial officer who needs to hit an earnings estimate), and opportunities (such as a senior executive with override ability) to commit fraud.<br></li><li>The IT fraud risks specific to the organization, which may become pervasive without appropriate controls. </li></ul><p>Additionally, the fraud risk assessment needs to consider the potential bypass of controls, as well as areas where controls are weak or there is a lack of segregation of duties.<br><br><strong>Assess Likelihood and Significance of Fraud Risk</strong> This review of identified fraud risks should be based on staff interviews — including business process owners — known fraud schemes, and historical information, both internal and external to the organization. 
In assessing fraud risk significance, organizations should consider not only exposures to assets and financial statements, but also risk to their operations, brand value, and reputation, as well as criminal, civil, and regulatory liability.<br></p><h3>Fraud Prevention and Detection</h3><p>Fraud prevention requires both preventive and detective controls, but the Managing the Business Risk of Fraud guide points out these are not mutually exclusive: “If effective preventive controls are in place, working, and well-known to potential fraud perpetrators, they serve as strong deterrents to those who might otherwise be tempted to commit fraud. Fear of getting caught due to a company’s known commitment to punishment is always a strong deterrent. Effective preventive controls are, therefore, also strong deterrence controls.”<br></p><p>Segregation of duties in small organizations can be difficult because of limited resources and personnel. These organizations need compensating controls such as periodic budget-to-actual analysis at a precise-enough level to flag and investigate unusual activity. <br></p><h3>Fraud Investigation and Corrective Action</h3><p>The fraud investigation and response system should include a process for categorizing issues, communicating within the organization — including with the audit committee or those charged with governance — conducting the investigation and fact-finding, monitoring the status of fraud cases, and resolving the investigation with a recommendation for prosecution. Standards, regulations, or laws may require parties such as legal counsel, the board, the audit committee, and external auditors to be notified if the allegation involves senior management or affects the financial statements.<br></p><h3>An Opportunity for Improvement</h3><p>Organizations that already have adopted COSO 2013 can continue to build on that foundation to prepare for the fraud challenges ahead. 
For those organizations that haven’t yet implemented the framework, the opportunity to improve their fraud risk assessment should motivate them to adopt it soon. In either case, internal auditors who are well-versed in COSO 2013 can help the organization’s fraud risk assessment initiative by facilitating the assessment itself or helping align policies and fraud mitigation activities. <span class="ms-rteiaStyle-authorbio">Michael Rose, CIA, CPA, CISA, CISM, is a Business Advisory Services partner at Grant Thornton LLP in New York.<br>Priya Sarjoo, CIA, is a Governance, Risk, and Compliance practice leader at Grant Thornton in Dallas. <br> Kevin Bennett, CFE, CICA, is managing director of Forensic and Valuation Services at Grant Thornton in Minneapolis.</span></p>
Michael Rose
Bankers Caught in Currency Scheme
https://iaonline.theiia.org/2015/bankers-caught-in-currency-scheme
<p>A routine audit last year uncovered a US$40 million currency fraud scheme in Nigeria, according to <a href="http://www.theguardian.com/global-development/2015/jun/02/nigeria-central-bank-officials-accused-of-40m-fraud?CMP=share_btn_tw&adbid=605811179328405504&adbsc=social_20150602_46827796&adbpl=tw&adbpr=390782790" target="_blank"> <em>The Guardian</em></a>. Nigeria's Economic and Financial Crimes Commission has charged six central bank officials and 16 commercial bank employees with stealing Nigerian naira notes intended for destruction. According to the report, Nigeria's central bank withdraws old or torn notes from circulation regularly and replaces them with new notes. The audit last September discovered irregularities with this process at a bank branch in Ibadan, a city in the southwest of Nigeria. Further investigation revealed that mutilated notes of higher denominations were swapped with lower denomination currencies, with box labels indicating they contained a higher value than their true content. </p> <h2> Lessons Learned</h2><p>Many banks around the world carry out the function of currency management, including the disposal of old or worn-out currencies, typically through a network of offices and some form of secure storage. A huge amount of money is involved: In 2012, the U.S. Federal Reserve ordered nearly 8.4 billion individual notes with a face value of more than US$358 billion to replace old currencies on a one-to-one basis. Typically this disposal work takes place under a statutory framework and a tight security regime. Bank notes and coins that are unfit, cannot be issued for further circulation, or are not needed immediately by the branches are deposited into a designated secure storage area. 
When sufficient quantities of these currencies have accumulated, they are remitted to a central bank office for inventory, scanning for counterfeits, and disposal. The local–central secure storage system combination is intended to remove the necessity for frequent physical movement of currency and enable banks and treasuries to work with a minimum cash balance of their own.</p><p>At least that is how it is supposed to work. Bearing in mind the potentially limited resources available in many countries, what can be done to enhance the controls and protect the security of these funds?</p><ul style="list-style-type:disc;"><li><strong>Continually work to improve the efficiency of currency management</strong> and closely monitor the printing capacity of bank note presses with a view to closing the demand–supply gap in currency and lessening the risk materiality.</li></ul><ul style="list-style-type:disc;"><li><strong>Automate the currency-processing operations</strong> in the local offices as much as possible. Many countries have installed currency verification and processing (CVP) systems for bank notes received for examination. These systems are capable of sorting the notes on the basis of denomination, design, and condition. Generally, the system sorts the notes into Fit, Unfit, Reject, and Suspect categories. Notes in the Suspect category are received in separate stacks and must be inspected manually for the presence of counterfeit notes. CVP systems also have security measures that enable the bank to provide graduated access rights, capture and store data, and produce security reports. </li></ul><ul style="list-style-type:disc;"><li><strong>Enhance physical security measures</strong> in areas where these currencies are being held. For example, install closed-circuit television (CCTV) cameras at all such facilities and retain recordings up to 90 days for appropriate monitoring by security staff. This can be enhanced by networking CCTVs from local to central offices. 
While there would be upfront investment costs, installing suitable biometric access systems at all currency storage locations can ensure only authorized staff members are able to enter. Banks also should consider requiring officials to present a pre-validated photograph to enter the storage area. Electronic locking of all storage bins/vaults also should be explored, along with linking them to a central server to ensure easy monitoring of transactions.</li></ul><ul style="list-style-type:disc;"><li><strong>Use tamper-proof shrink-wrapping</strong> — or similar materials — of bank notes to be disposed of, with the details of the source branch bar-coded on the bundles. This can facilitate easy identification of the branch from which the notes were received so that accountability for shortages, defects, counterfeits, theft, and fraud can be attributed precisely, which can reduce the possibility of such incidents.</li></ul><ul style="list-style-type:disc;"><li><strong>Conduct periodic security audits of secure storage areas</strong> at bank branches on a risk-based frequency, at least more often than annually. Comprehensive guidelines for such audits should be developed and well-communicated to branches. A system of surprise inspections also would be useful.</li></ul><p>Human resource measures should include rotation of staff employed at currency disposal locations and heightened background checks before hiring staff.</p>
Art Stewart
Hedge Fund Executives Sentenced
https://iaonline.theiia.org/2015/hedge-fund-executives-sentenced
<p>The chief financial officer and two managing partners of a U.S. hedge fund firm have been sentenced to prison for defrauding investors of more than US$46 million, WTNH-TV in New Haven, Conn. <a href="http://wp.me/p4ySuM-tjZ" target="_blank">reports</a>. Their firm, New Stream Capital LLC, launched two feeder funds in November 2007, based in the U.S. and the Cayman Islands, and announced that its Bermuda Fund would close and its investments would move to the Cayman Fund, according to court documents and testimony. When the Bermuda Fund's largest investor decided to redeem its investment in March 2008, prosecutors say the defendants secretly kept the Bermuda Fund open and prioritized investors who stayed in the fund. The firm did not inform other existing and prospective investors that the Bermuda Fund was still open and would be a priority. Each of the defendants pleaded guilty to conspiracy to commit wire fraud in 2014.</p><p> <strong>Lessons Learned</strong></p><p>When it comes to offshore hedge funds, the Cayman Islands is the world leader, with estimates ranging from 45 percent to 85 percent of global market share and as much as US$1.4 trillion in assets and liabilities. Included in these funds are institutional investments, such as pension funds.</p><p>To tackle criminal and fraudulent behavior, such as in this story, we need to look beyond the individual circumstances of the case and address systemic problems from two different directions: governance/regulatory and investor awareness. Internal auditors can help with both.</p><ul style="list-style-type:disc;"><li> <strong>Governance/regulatory. </strong>Some economists consider the relative lack of oversight of the hedge fund industry by Cayman Island authorities to be a significant threat to the global economy. 
The Cayman Islands Monetary Authority (CIMA) is responsible for regulating and supervising financial services. It says officials on its board of directors can have contractual relationships with entities they are charged with regulating, creating inevitable conflict of interest possibilities. More independence between these two roles would help protect investors.​</li> <br> Cayman Islands-based hedge funds are not directly subject to U.S. Securities and Exchange Commission (SEC) regulation. However, in 2012, the SEC established a cooperation arrangement with CIMA as part of the commission's long-term plan to improve oversight of regulated entities that operate internationally. This type of cooperation arrangement "generally establishes mechanisms for continuous and ongoing consultation, cooperation, and the exchange of supervisory information … to monitor risk concentrations, identify emerging systemic risks, and better understand a globally active regulated entity's compliance culture," according to an SEC press release. In addition, such memorandums of understanding enable the SEC and regulators in other nations to conduct on-site examinations of registered entities located abroad. Results of these on-site examinations should be reviewed closely for further governance improvements.<br><br><a href="http://dealbook.nytimes.com/2012/07/01/in-caymans-its-simple-to-fill-a-hedge-fund-board/" target="_blank">A 2012 analysis</a> of thousands of U.S. securities filings by <em>The New York Times</em> also showed that many directors sit on the boards of 24 or more funds based in the Caymans, which "individually are supposed to be overseeing tens of billions of dollars in assets." Some of these individuals hold more than 100 directorships, and one director sits on the boards of about 260 hedge funds. Notably, this data does not include boards of hedge funds with non-U.S. ownership. Greater disclosure of how many boards directors serve on is obviously needed. 
And, allowing for some flexibility, limits should be placed on the number of board positions that one director can take on in the interests of investors, fiduciary responsibility, due diligence, and professionalism. A <a href="http://www.cimoney.com.ky/WorkArea/DownloadAsset.aspx?id=2147484008" target="_blank">2013 CIMA survey</a> (PDF) of hedge fund corporate governance stakeholders points to these same needed changes.<br> </ul> <ul><li> <strong>Investor awareness. </strong>As a general rule, investors must take responsibility for the oversight of funds in which they invest. That includes educating themselves on the nature and risks of hedge funds and offshore banking and investing. They also should apply scrutiny to drive up standards by careful and informed selection of service providers and directors, either directly or through the use of due diligence professionals, including auditors. Where red flags are noticed with regard to lapses in due diligence, class action and other forms of legal redress are likely to be pursued.</li></ul>
Art Stewart
The FIFA Scandal: Five Lessons for Internal Audit
https://iaonline.theiia.org/blogs/chambers/2015/the-fifa-scandal-five-lessons-for-internal-audit
<p>The global soccer community was rocked this past week when the U.S. Department of Justice (DOJ) announced charges and arrests for "rampant, systemic, and deep-rooted" corruption by high-ranking members of FIFA, the sport's global governing body. Using the U.S. Foreign Corrupt Practices Act (FCPA) as its legal hammer, the DOJ outlined in its 47-count indictment a disturbing history of alleged bribes and racketeering by top FIFA officials dating back as far as two decades. It is evident that more troubles lie ahead for the global soccer body, as Swiss officials have announced that they are also investigating potential improprieties.</p><p>The relevance of the events of the past week is obvious to our profession, but it goes well beyond an acknowledgement of internal audit's role in providing assurance on anti-bribery and anti-corruption programs and its role in detecting and deterring fraud and corruption. </p><p>Indeed, this unfolding spectacle touches on no less than five significant aspects of the internal audit function, and we can draw a number of lessons from this sad affair.</p><p>1.     <strong>Internal audit must raise a yellow card when corporate culture creates susceptibility to corruption</strong>. It did not take long for fallout from the indictments to reach the top of the FIFA hierarchy with almost immediate calls for the ouster of FIFA President Sepp Blatter. Blatter was reaffirmed as the organization's president in a Friday vote, and he has said he knew nothing of the alleged corruption.</p><p>But allegations of corruption within FIFA were not unheard of before the DOJ indictments, and I have to wonder if they were ever brought to Blatter's attention. 
The bottom line is that no organization can afford to practice "willful ignorance" about serious challenges for long without paying a high price.</p><p><em>The lesson for internal audit:</em> A frank and honest analysis of corporate culture must be part of internal audit's purview, and it must raise its voice when erosion of the culture becomes an organizational risk.</p><p>2.     <strong>Internal audit must act quickly to address reputational risk. </strong>A number of media accounts of the evolving scandal have described long-held concerns about corruption at FIFA. I have no insight into the efforts of FIFA's internal audit function, but the potential for significant reputational harm should have been identified and brought to management and the board of directors by those charged with providing assurance to management and governance officials.</p><p><em>The lesson for internal audit:</em> The internal audit function cannot afford to allow risks to organizational reputation to go unchallenged.</p><p>A secondary lesson is one that FIFA's sponsors are learning. Reputational risk is not just about your organization. The behavior of the organizations you partner with can impact your reputation, as well.</p><p>3.     <strong>Internal audit must play a significant role in crisis planning and execution.</strong> Internal audit's role in crises cannot be one of simply grading after the fact how a crisis plan was carried out. Internal audit can and must provide insight into the development of such plans and be consulted even as a crisis is unfolding. Having good communications protocols in place can help an organization mitigate reputational and other potential risks in a crisis. But proper execution of the plan also plays a vital role in its success.</p><p><em>Lesson for internal audit: </em>Internal audit must assess all risks — including the risks of not addressing adversity swiftly and effectively.</p><p>4.     
<strong>Internal audit must stay current with anti-corruption legislation</strong>. While the FIFA crackdown was facilitated by the strength of the FCPA, internal audit functions must be cognizant of growing anti-corruption efforts worldwide. This is especially important for businesses that operate globally. The June issue of <em>Internal Auditor </em>magazine offers an excellent article, <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=3da8278f-5ca0-4c59-810a-c3113aec7149&TermSetId=bb519a46-9cdb-4e10-8446-505034f60087&TermId=70e4bb0b-d8ac-4aa3-a4ba-0eb49775025d">"Beyond the FCPA"</a>, on the topic.</p><p>According to the article, Canada and Brazil each passed anti-bribery legislation in 2013 that aligns more closely to the FCPA and the United Kingdom's 2010 Bribery Act is even broader in scope. The latter not only penalized the bribe payer, but the bribe receiver, as well.</p><p><em>Lesson for internal audit: </em>Changing legal landscapes in the countries where we do business can develop into risks if the organization does not keep abreast of those changes. </p><p>5.     <strong>Internal audit must be courageous.</strong> It is not hard to imagine that anyone within FIFA charged with assurance on the effectiveness of compliance and controls must have been under great pressure. The issue of courage for heads of audit has been a recurring theme in a number of my blogs.<em><br></em></p><p><em>Lesson for internal audit: </em>Those aspiring to be heads of audit must have the courage to do what needs to be done or say what needs to be said no matter the consequences.</p><p><span style="line-height:1.6;">A final thought about the FIFA issue. A quote from FBI Director James Comey widely reported by media struck a chord with me. 
Comey said, "If you touch our shores with your corrupt enterprise, whether that is through meetings or through using our world-class financial system, you will be held accountable for that corruption."</span><br></p><p><span style="line-height:1.6;">FIFA officials deserve the presumption of innocence until proven guilty in a court of law, but Comey's message is loud and clear. No corruption is acceptable, and nothing is off limits. This may be the most important lesson from the FIFA scandal, and one internal audit must embrace.</span><br></p><p>As always, I welcome your thoughts.</p>
Richard Chambers
Beyond the FCPA
https://iaonline.theiia.org/2015/beyond-the-fcpa
<p>Recent aggressive, anti-bribery actions by various governments are indicative of new challenges that businesses with global operations or supply chains are encountering. Although the U.S. Foreign Corrupt Practices Act (FCPA) has been the preeminent anti-corruption law for most companies with international operations or financial ties, in recent years other countries have become assertive in enforcing their own regulations, further complicating an organization’s governance, risk management, and compliance efforts (see “Sharper Focus on Foreign Bribery” below).</p><p>This growing complexity reinforces the importance of a system of strong internal controls backed by an effective, independent internal audit function. An internal auditor supplies to an organization’s governing body and senior management comprehensive assurance that anti-bribery controls are in place, designed appropriately, and operating as prescribed.<br></p><p>The <em>International Standards for the Professional Practice of Internal Auditing</em> (<em>Standards</em>) points out that although internal auditors are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud, they must possess the requisite knowledge to evaluate the potential for fraud — including corruption — to occur, along with the methods the organization uses to manage fraud risk. Enforcement actions by authorities in several nations provide valuable insight into the tools, processes, and procedures regulators expect organizations to follow to manage fraud risk. By reviewing such actions in the context of recent global anti-corruption trends, internal auditors can build the knowledge needed to meet their professional responsibilities.<br></p><h3>Growing Roster of Enforcers</h3><p>The U.S. has pursued foreign bribery cases more actively than other countries in recent years. U.S. 
authorities imposed sanctions against individuals and companies in 128 foreign bribery cases during the 15-year period covered by the Organisation for Economic Co-operation and Development’s (OECD’s) 2014 Foreign Bribery Report. Germany sanctioned individuals and companies in 26 cases, South Korea imposed sanctions in 11 cases, and Italy, Switzerland, and the U.K. each imposed sanctions in six cases. Four anti-bribery laws are notable. <br> <br><strong>U.S.</strong> The authority for most U.S. anti-corruption cases is the FCPA, which applies to all U.S.-based businesses, citizens, and residents. Moreover, the FCPA also governs any “U.S. issuer,” a broad term that encompasses all foreign companies trading on U.S. exchanges as well as any other company that is required to file periodic reports with the U.S. Securities and Exchange Commission (SEC). It also applies to foreign subsidiaries of U.S. companies and U.S. subsidiaries of foreign companies.<br></p><table width="100%" cellspacing="0" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><strong>Sharper Focus on Foreign Bribery</strong><br><br>In its 2014 Foreign Bribery Report, the OECD observed that “enforcement of anti-bribery laws has drastically increased” since the organization’s Convention on Combating Bribery of Foreign Public Officials in International Business Transactions took effect in 1999. The report examined 427 cases of bribery involving foreign officials over the past 15 years. Prison sentences were handed down to 80 individuals in connection with those schemes, and another 38 individuals received suspended sentences. Sixty-nine percent of the cases in the report were settled by sanctions imposed through plea agreements, nonprosecution agreements, corporate probation, or similar settlement arrangements.<br>Altogether, 261 individuals and companies were fined, the report notes. 
The highest combined fine against a single company totaled US$1.95 billion, while the highest monetary sanction against an individual amounted to US$149 million.<br><br>Clearly, the stakes are high, but as OECD Secretary-General Angel Gurría notes in the report’s preface, “With bribes averaging 10.9 percent of the total transaction value, and combined monetary sanctions ranging from 100 percent to 200 percent of the proceeds of the corrupt transaction in 41 percent of cases, the business case against corruption is clear.”<br><br>Another factor behind today’s greater focus on corruption is the updated <em>Internal Control–Integrated Framework</em> released in 2013 by The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Among the 17 principles spelled out in the revised COSO framework is the requirement that an organization consider the potential for fraud when it is assessing risks associated with the achievement of its objectives. These include possible acts of corruption by the organization’s personnel, outsourced service providers, and other third parties.</td></tr></tbody></table><p>In addition to the anti-bribery requirement, publicly traded companies are subject to FCPA accounting provisions that mandate that the books and records accurately reflect all transactions and internal control provisions that require companies to have appropriate internal controls to prevent, detect, and remedy FCPA violations. Internal audit has a separate role in testing the books and records, as well as in assisting with designing and implementing internal controls and then testing them.<br></p><p>German-based Siemens AG and Daimler AG, U.K.-based BAE Systems, France’s Total S.A., and Japan’s JGC Corp. are among the prominent companies that have been required to pay steep FCPA-related fines in recent years. As of the end of 2014, eight of the 10 largest penalties imposed by the U.S. 
government in FCPA cases were assessed on companies headquartered outside the U.S. Moreover, the <em>Latin American Law & Business Report </em>newsletter notes that, “foreign individuals and foreign companies that do not trade on U.S. exchanges can also violate the FCPA if they cause an act in furtherance of a corrupt payment within the U.S.”<br><br><strong>U.K.</strong> Several other countries’ laws are even broader in scope. For example, the U.K.’s Bribery Act of 2010 applies to a wider range of companies and makes a greater array of conduct illegal than the FCPA does. It has authority over any company that engages in any business or part of a business in the U.K. In addition to prohibiting the bribery of both government officials and nongovernment individuals, the Bribery Act penalizes the bribe receiver, not just the bribe payer, as the FCPA does.<br></p><p>The U.K. act also prohibits <em>de minimis</em> “facilitation payments” for certain routine government actions that do not provide the payer with an unfair competitive advantage. A common example is the payment of a fee to speed up installation of telephone service by a state-owned telephone company. Practices such as this, regarded as a routine cost of doing business in some countries, are afforded an exemption under the FCPA but not under the Bribery Act.<br><br><strong>Canada</strong> In 2013, changes Canada made to its Corruption of Foreign Public Officials Act aligned it more closely with the FCPA. However, in some respects, such as the prohibition of facilitation payments, the Canadian law is more similar to the U.K. Bribery Act.<br><br><strong>Brazil</strong> Also in 2013, Brazil’s congress passed the Clean Company Act, which went into effect in January 2014. It is similar to the FCPA in that it targets only public corruption and not commercial bribery. But other aspects, such as those covering defendants’ state of mind and knowledge, are more similar to the U.K. 
Bribery Act.<br></p><p>The Brazilian law is particularly significant in that companies — not just individuals — are now subject to prosecution for bribery. Companies found guilty could face fines of up to 20 percent of their gross annual revenue, along with possible suspension of operations, confiscation of assets, and even dissolution. The law covers both bribery of foreign officials by Brazilian companies and bribery of local officials by any company. <br></p><p>The Clean Company Act also spells out a particularly strong oversight role by a company’s internal audit function. Under the law, having strong compliance programs in effect is not an affirmative defense against corruption charges, but authorities can consider compliance efforts to reduce penalties. These compliance efforts can be evaluated on three factors: 1) the structure of the program, including reporting mechanisms, training, policies and procedures, and periodic risk assessments; 2) specifics about the legal entity, including specific compliance risks; and 3) an evaluation of the program’s efficiency, including a case-by-case verification of the program’s effectiveness by internal audit.<br></p><h3>High-profile Enforcement Actions</h3><p>In addition to expanding their statutory authority, governments are undertaking more vigorous anti-corruption enforcement actions. Several recent cases provide useful insights into the internal controls that must be in place and internal auditors’ responsibilities for helping their organizations maintain compliance.<br><br><strong>GlaxoSmithKline PLC (GSK)</strong> One of the highest-profile actions in recent years has been an ongoing corruption investigation in China. The case culminated in September 2014 in the conviction of U.K.-based GSK for paying bribes to boost its business. 
China fined GSK a record US$491 million — the amount of the alleged bribery — and the former top GSK executive in China, four other company managers, and two ancillary GSK-hired investigators received criminal convictions.<br></p><p>The Chinese government’s entry into the international fight against corruption and bribery is a game changer. Foreign companies are now on notice: Doing business the old way will no longer be tolerated, and companies operating in China have a new risk to consider — possible prosecution under domestic Chinese law.<br></p><p>The Chinese example also could encourage additional anti-corruption enforcement around the globe. When other countries with endemic corruption issues see that they can attack their domestic corruption issues by prosecuting international businesses operating within their borders, there may be an appetite for additional prosecutions.<br></p><p>The GSK case also offers lessons about the potential cost of internal audit failures. Ironically, as various news sources have noted, GSK had more compliance officers in China than in any country except the U.S. and has conducted up to 20 internal audits a year in China. Nevertheless, the company was unprepared when Chinese officials accused it of using travel agencies to funnel bribes to doctors and officials under the guise of medical conferences and other events.<br></p><p>Although the cost of monitoring such payments would be high and would involve the tedious work of verifying numerous receipts and scrutinizing countless transactions for signs of fraud, the use of practices such as GSK’s to hide payments to doctors was a well-recognized risk. One lesson internal auditors can draw from the case is clear: If the risks for a certain pattern of corruption are well-known, a company must devote whatever resources are necessary to verify its compliance with relevant laws.<br><br><strong>Avon</strong> Another case of bribery allegations involved cosmetic maker Avon Products Inc. 
According to settlement agreements with the SEC and the U.S. Department of Justice, the company’s Chinese subsidiary paid US$8 million in bribes to Chinese officials in 2004 in the form of cash, gifts, travel, and entertainment. The purpose was to gain access to officials who were drafting and implementing new direct-selling regulations in China.<br></p><p>The Avon case demonstrates the high cost of a failure by the internal audit function — in this case fines and investigative costs of more than US$500 million. The bribes reportedly were detected by Avon’s internal audit function in 2005 and 2006, but the company’s CAE at the time was persuaded to withdraw the internal audit report and destroy all evidence. This information was never presented to Avon’s board, which learned of the corruption only because of an internal whistleblower.<br><br><strong>Petrobras</strong> The GSK case in China might be a harbinger of international anti-corruption enforcement actions based on domestic anti-bribery laws, but a case now underway in Brazil could turn out to be even larger. In fact, the investigation into Brazil’s state-owned energy company Petrobras eventually could become the world’s largest corruption investigation.<br></p><p>Petrobras CEO Maria das Gracas Foster and five board members have been forced to resign, and Brazilian President Dilma Rousseff has come under pressure because of her former role as minister of energy and president of the Petrobras board. The company’s former head of refining operations has told prosecutors that construction budgets for new projects were routinely inflated by 3 percent of their value to cover bribes and kickbacks, some of which were then routed to major Brazilian political parties. Another defendant has testified that more than a dozen of Brazil’s largest construction companies paid bribes to obtain contracts.<br></p><p>The case also has significant global implications. 
In addition to banks in Switzerland and the Cayman Islands, where funds allegedly were deposited, companies ranging from shipyards in Singapore to U.K.-based Rolls-Royce plc also have been accused of paying bribes.<br></p><p>Although the allegations in the Petrobras case occurred before the passage of Brazil’s Clean Company Act, the prosecution of the case is being watched closely for any precedents that could affect the new law’s implementation.<br></p><h3>Internal Audit’s Approach</h3><p>Examples such as Avon, GSK, and Petrobras can provide useful lessons for internal audit functions to help their organizations fight bribery and corruption. The IIA practice guide, Auditing Anti-bribery and Anti-corruption Programs, recommends internal audit assess the effectiveness of anti-bribery and corruption programs to help anticipate the risk and identify the existence of potential and actual incidents.<br></p><p>Two different, but complementary, approaches may be used, either separately or together: 1) auditing each component of the anti-bribery and corruption program, and 2) incorporating an assessment of anti-bribery and corruption measures in all audits, as appropriate. With the latter approach, bribery and corruption risks are incorporated into the risk assessment and scoping process of each audit. This process may:<br></p><ul><li>Include procedures to assess bribery and corruption risks.</li><li>Evaluate potential bribery and corruption scenarios.</li><li>Evaluate the control environment and anti-bribery and corruption programs in that audit area.</li><li>Link the scope of an audit area’s procedures to its assessed risks.</li></ul><p></p><p>In some situations, management may not want internal audit’s findings about potential corruption brought to the board’s attention. 
This is why any compliance program must include structural protection that allows internal audit to share its concerns with the board or, at a minimum, the audit committee.<br></p><p>Moreover, it is a best practice in compliance programs for the board or audit committee to seek out and ask the tough questions about whether internal audit has uncovered any evidence of FCPA violations. There must be internal audit independence, an independent reporting channel to the board, and board fulfillment of its role in a compliance regime.<br></p><h3>Corruption Fighters</h3><p>Internal audit’s role in anti-bribery and corruption programs depends on an organization’s governance structure. In addition, internal audit’s level of involvement should be recommended by the CAE and approved by the board. In all cases, however, it is critical that the function has the independence from senior management necessary to report directly to the board when violations of law are uncovered. By adhering to the <em>Standards</em> — and by understanding and applying the lessons from recent enforcement actions — internal auditors can be better prepared to provide the crucial third line of defense against fraud and corruption. <br> <span class="ms-rteiaStyle-authorbio">Jonathan T. Marks, CPA, CFE, is a partner with Crowe Horwath LLP in New York, where he leads fraud, ethics, and anti-corruption services.<br>Thomas R. Fox, JD, has practiced law in Houston for 32 years and recently launched Advanced Compliance Solutions LLC.</span></p>Jonathan T. Marks
Robbing the Poor
https://iaonline.theiia.org/2015/robbing-the-poor
<p>The founder and former president of Native Relief Charities was sentenced to three years in prison for stealing US$4 million from the organization, which provides college scholarships for poor Native American students, <a href="http://www.oregonlive.com/portland/index.ssf/2015/05/oregon_charity_chiefs_4_millio.html" target="_blank"> <em>The Oregonian</em> reports</a>. A U.S. District Court judge in Portland, Ore. found Brian J. Brown guilty last year of conspiring with one of the charity's board members to commit mail and wire fraud and money laundering. According to prosecutors, board member William Peters set up a US$4 million endowment at Native Relief Charities between 2006 and 2009, from which Brown took US$3 million and Peters received nearly US$1 million. Brown produced tax statements showing that Native American students were receiving the money. Brown was arrested after federal agents received a tip about the fraud, which prevented 650 students from attending college, prosecutors say. </p><h2>Lessons Learned</h2><p>The size of the nonprofit sector and the fraud activity related to it are substantial. According to the <a href="http://nccs.urban.org/" target="_blank">National Center for Charitable Statistics (NCCS)</a>, there are more than 1.5 million nonprofit organizations in the United States, including more than 1 million public charities, 101,558 private foundations, and 369,176 other nonprofits such as chambers of commerce, fraternal organizations, and civic leagues. These organizations reported more than US$1.65 trillion in total revenues and US$1.57 trillion in total expenses in 2012, the last year when figures were available. 
</p><p>The 2014 Association of Certified Fraud Examiners (ACFE) <a href="http://www.acfe.com/rttn/docs/2014-report-to-nations.pdf" target="_blank">Report To The Nations On Occupational Fraud And Abuse</a> (PDF) reports that fraud in nonprofit organizations has been growing steadily since 2010 and represented 10.8 percent of the cases reported in 2014. Median losses for nonprofits have grown from US$90,000 in 2010 to US$108,000 in 2014. </p><p>The reputational damage may be far worse. According to a recent report by the London-based Centre For Investigative Journalism, the 50 worst charities collectively raised more than US$1.3 billion over the past decade and paid nearly US$1 billion of that directly to the companies that raise their donations. This story of insider fraud and theft committed against Native American students adds to this grim picture. </p><p>Nonprofit organizations and their directors can consult a vast amount of guidance to better equip themselves to detect and prevent fraud, including from sources such as the ACFE, The IIA, and the National Council of Nonprofits. But what else can internal auditors learn from this situation?</p><ul><li> <strong>Get up to speed regarding new "single audit" requirements for nonprofit organizations. </strong>U.S. regulations (albeit complicated regulations) require nonprofits to conduct an independent financial audit if the organization receives federal funds above a specified amount in a single fiscal year. The U.S. government passed the Single Audit Act in 1984 to ensure that those organizations receiving substantial federal funds use the funds in compliance with the federal government's funding requirements. "Single audit" refers to one of the objectives of that law: to replace the need for the federal government to audit the same nongovernmental organization multiple times. <br> <br>In December 2013, the U.S. 
Office of Management and Budget issued new guidance, called <a href="https://www.whitehouse.gov/omb/financial_fin_single_audit" target="_blank">"Uniform Guidance,"</a> that applies to audits of nonprofit organizations that receive federal grants, effective for Dec. 31, 2015 year-end audits. All non-federal government agencies and nonprofit organizations that expend US$750,000 or more in federal awards in a fiscal year are required to conduct a single audit (the previous threshold was US$500,000). The overall single audit scope may focus on ensuring that the organization's financial statements are presented fairly, have an adequate internal control structure, and comply with any special government regulations and laws that apply to the specific type of federal funding. However, a single audit is significantly more detailed than a regular independent audit. Auditors performing single audits are required to receive an enhanced level of certification, and they must conduct higher levels of testing on expenses to ensure that federal funds have been used appropriately and are documented and reported correctly in the nonprofit's financial statements. <br></li></ul><ul style="list-style-type:disc;"><li> <strong>Advise on governance and regulatory oversight. </strong>Auditors can go beyond compliance issues by making observations and providing recommendations to help improve the governance and regulatory framework surrounding nonprofit organizations.<strong> </strong>This framework is so fractured it is difficult to know who is in charge and who is watching whom. In the Native Relief Charities case, the U.S. Internal Revenue Service (IRS) was able to catch the fraudster. But the regulatory approach taken is either "front-end loaded" (e.g., to grant tax-exempt status) or focused on catching up to the thief after the crime has been committed. 
Setting up a subsidiary or parallel nonprofit structure to hide fraudulent activity, as in this story, does not seem to receive particular scrutiny. Once nonprofits start raising money or spending grants, oversight is largely left to state governments. In a December 2014 <a href="http://www.gao.gov/assets/670/667595.pdf" target="_blank">report</a> (PDF), the U.S. Government Accountability Office (GAO) critiqued the IRS for failing to track how well its regulators are doing their jobs in this area. The GAO also observed that the IRS doesn't have the manpower to go after charities that flout the law and could do more to help state regulators target the crooks operating within them.<br> <br> The situation at the state level also needs improvement. The authorities in charge vary significantly. For example, in Pennsylvania the Department of State is responsible; in California it is the Attorney General; and in Florida the Department of Agriculture and Consumer Services has this authority. Moreover, the rules from state to state are even harder to follow. Various state and local laws may also require an independent financial audit for charitable nonprofits that receive funds from state and local governments, but only 23 states require charities to undergo an annual audit. Regulatory offices nationwide are overflowing with information on charities, but they may not be able to analyze it deeply for signs of fraud. Penalties, including for multiple violations, also vary enormously and often are small compared to the impact of the fraud. Regulators have yet to create a national list to track violators or a formal system to share information, and a fraudster forced out of one state can readily move to another state. </li></ul>Art Stewart
Fraud Sewed Up
https://iaonline.theiia.org/2015/fraud-sown-up
<p>California authorities have charged two jeans company subcontractors and their accountant with workers' compensation insurance fraud, <a target="_blank" href="http://abcnews.go.com/US/wireStory/jeans-company-subcontractors-accused-79m-payroll-fraud-30371664">the Associated Press reports</a>. Sisters Sung Hyun Kim and Caroline Choi, who owned separate sewing companies, allegedly conspired to underreport US$78 million in payroll, which caused the loss of more than US$1 million in premiums to insurers. California insurance officials began their investigation after discovering a significant gap between the payroll amount the sisters reported to them and the amount they reported to the California Employment Development Department. Officials say the sisters also paid some employees under the table.</p><h2>Lessons Learned </h2><p>Workers' compensation insurance premium fraud has a significant dollar impact on the operations of insurance companies and workers themselves. Yet this amount pales in comparison to the staggering size and growth of the overall "underground economy" in the U.S. Although difficult to measure, economists estimate that as much as US$2 trillion in unreported economic activity takes place annually — double what it was in 2009. That amounted to an estimated US$500 billion in revenue losses for the U.S. government in 2013, up from US$385 billion in 2006, according to a U.S. Internal Revenue Service study.</p><p>What's behind this trend? Answers include the severity of the 2008 recession and the weakness of the recovery from it, general distrust of governments and taxation, the growth of casual work arrangements and cash wage payments in many types of jobs, immigration growth and illegal workers, and U.S. Affordable Care Act mandates to provide health insurance to employees. 
And, as illustrated in this story, some businesses and people commit fraud to keep more money for themselves.</p><p>Employers commit three basic types of premium fraud: </p><ul style="list-style-type:disc;"><li> <strong>Underreporting of payroll</strong> occurs when a policyholder fails to accurately report its entire work staff to the insurance company, often by paying employees off the books or presenting employees as subcontractors or independent contractors rather than as actual employees.</li><li> <strong>Misclassification of employees</strong> occurs when a high-risk employee, such as a construction worker, is classified as a person with low-risk clerical duties, enabling the company to pay lower workers' compensation premiums.</li><li> <strong>Experience modification evasion</strong> occurs when a company closes, then attempts to re-emerge as a new company on paper to obtain a lower experience-modification factor — and lower premiums — but the new business is actually unchanged from the original business.</li></ul><p>Regulators, organizations, and internal auditors can take several steps to deter or detect payroll and workers' compensation fraud:</p><ul style="list-style-type:disc;"><li> <strong>Strengthen and make more consistent use of regulatory tools. </strong>Many states have insurance funds and laws that prohibit workers' compensation insurance fraud schemes and grant the states audit and punitive powers including financial restitution, penalties, and criminal prosecutions. 
States like California go a step further by publishing all of the pertinent information associated with the crime committed by an employer convicted of premium fraud to the state's Department of Insurance website.</li></ul><ul style="list-style-type:disc;"><li> <strong>Educate employers regarding the need for diligence, compliance, and accurate reporting.</strong> Employers must understand the implications of good reporting, such as for the classification of jobs, as well as the fact that reporting statements could be used in fraud investigations.</li></ul><ul style="list-style-type:disc;"><li> <strong>Regularly exercise the audit provisions of workers' compensation insurance policies.</strong> The standard workers' compensation insurance policy will contain a provision allowing the insurance company to audit the insured's records at its discretion. Auditors can use certain industries, geographical locations, economic circumstances, and other factors to better target potential employer fraud abuse before it takes hold. If the auditor finds potential irregularities at an early stage, with the employer's cooperation, the typical result may be a simple reassessment and correction of the premium actually owed.</li></ul>Art Stewart
The “Fake President” Fraud
https://iaonline.theiia.org/2015/the-fake-president-fraud
<p>“This is urgent,” “this needs to remain confidential,” and “I’m relying on you.” These were the phrases that the man on the other end of the phone repeated to Catherine Martin, an accounts payable clerk in the Belgian branch of Evergreen Inc., a Toronto-based company. Once she hung up, she corresponded with the man via their personal email accounts, per his instructions.<br></p><p>Martin believed she was speaking with Fraser Durand, the chief financial officer (CFO) of their medium-sized manufacturing company, and that she was helping to resolve payment to a subcontractor because Evergreen’s usual account was in overdraft. In truth, Durand had no knowledge of this transaction and had not spoken to anyone in the Belgium division in more than a week. “Durand” was actually the perpetrator of an increasingly common deception known as the “fake president” fraud.<br></p><p>The perpetrator emailed Martin an invoice for €612,000 (US$694,000) from a Moldovan company with details of a bank account in Moldova. Martin had not heard of Evergreen doing any business in Moldova, but as the orders came directly from “Durand,” she was not as suspicious as she might have ordinarily been. The email was flagged as important, and, while the message had grammatical and spelling mistakes, it clearly explained that the money was to be transferred immediately and payment was to be divided into increments of approximately €15,000 (US$17,000).<br></p><p>For the next few hours, Martin received several other calls from “Durand” inquiring about the transfer. Payment was delayed because Martin needed the approval of Michel Lemaire, her supervisor in Brussels. Lemaire was out of the office, so Martin contacted him on his mobile phone, indicating the amount and purpose of the transfers, and urged him to act quickly. 
Lemaire accessed the company’s banking website from home and approved the transfers without asking for supporting documentation.<br></p><p>The following morning in Toronto, Liz Bertrand, Evergreen’s controller, logged onto the company’s banking website as she did every morning before the start of the workday. Between sips of coffee, she noticed a series of transfers to an account in Moldova. As these transfers had been initiated and approved in Brussels, she called Martin. Martin told Bertrand that the transfers had been done at the request of Durand and provided the invoice. Bertrand then spoke to Durand, and they quickly realized the company had been the victim of a fraud.<br></p><p>Bertrand and Martin scrambled to call their bank and halt or recall the transfers, but it was too late: Transfers totaling €186,000 (US$211,000) had been successfully sent to Moldova. The Belgium office filed a police report and began to prepare an insurance claim. Ultimately, the perpetrator was able to successfully withdraw the proceeds of the fraud and escape justice.<br></p><p>This fraud was successful for a variety of reasons. First, the perpetrator had done his homework by researching Evergreen thoroughly. Information about Evergreen executives was publicly displayed on the organization’s website, and company promotional videos may have helped the perpetrator to perfect Durand’s accent and mannerisms. Knowing details such as reporting lines, names, and titles of employees helps perpetrators avoid arousing suspicion. This practice is known as social engineering, and it is an increasingly powerful tool available to perpetrators in the digital era.<br></p><p>The second factor behind the perpetrator’s success was his knowledge of corporate policy. He had an invoice on hand to justify the payment to a “subcontractor,” adding legitimacy to the transaction, and asked for the payment to be split into increments — a practice known as structuring. 
By splitting the amounts into smaller increments, the perpetrator was able to avoid the usual authorization limits and approval process around cash disbursement. A perpetrator may not know the exact authorization limits, but may specifically ask the target or simply guess at common limits for an employee based on his or her title. Perpetrators also have been known to assume the identity of a genuine supplier or vendor, while providing the targeted employee with new, fraudulent banking details and asking him or her to pay all unpaid invoices. Additionally, some perpetrators will add legitimacy to their email communication by copying an unwitting external professional in email communications — perhaps a partner in a law or accounting firm.<br></p><p>The biggest advantage that perpetrators of this fraud have is that it is easily repeatable with other companies. If discovered, a perpetrator will likely just hang up and move on to the next target. Perpetrators typically use a prepaid, disposable mobile phone and operate out of jurisdictions with lax enforcement, minimizing the chance of being caught. As the dollar values involved in these schemes are high, perpetrators only need to be successful once to make it worth their while.<br></p><p>In this situation, the targeted employee did not notice, or failed to act upon, several red flags. The use of bogus personal email accounts designed to spoof the details of the person the perpetrator is attempting to impersonate such as “Fraser@gmail.com” is common. Alternatively, perpetrators may use email accounts designed to approximate genuine corporate email accounts such as “CFO@comp<span style="text-decoration:underline;">a</span>any.com” (often with extra vowels or other small misspellings). Spelling and grammatical mistakes are another red flag. 
Company or banking details in countries that are known to be at risk for fraud or not known to be areas where the company does business are also indicators that the transaction may not be genuine. Finally, a sense of urgency from the caller and a desire for confidentiality and to circumvent controls are common in such schemes.<br></p><h2>Lessons Learned</h2><p></p><ul><li>Employees should be educated about the “fake president” fraud and similar schemes. Internal auditors can help by offering formal training that ensures employees are aware of the red flags and are encouraged to be skeptical. Upper management should visibly buy into these efforts by publicly stating their approval, and show potentially targeted employees that it is acceptable to challenge suspicious requests for payment.</li></ul><p></p><ul><li>Internal auditors can perform an internal controls review of the cash disbursement function in light of the “fake president” fraud. Payments should not be made to an organization or bank account not already in the vendor master file. Changes or additions should always be approved by more than one employee and confirmed with a known contact at the payee. Controls on approval limits should be adjusted to prevent the structuring of payments or transactions to pass beneath limits.</li></ul><p></p><ul><li>Every company should have a financial authority limits policy that provides employees clear direction with respect to the approval process. Internal auditors can perform a review to ensure that the policy is followed.</li></ul><p></p><ul><li>Employers should be aware of the information employees make public via social networking websites — especially LinkedIn. Formal training offered by the internal audit department should cover the risks posed by social media.</li></ul><p></p><ul><li>Internal auditors should consider reviewing information the firm makes public on its website, such as employee positions, email addresses, and phone numbers. 
</li></ul><p><br></p>Alistair Beauprie
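<p>The vendor-master and approval-limit controls recommended in the “Fake President” lessons above can be run as an automated check over the payment queue. The following Python code is an added example, not part of the original article or of any Evergreen system; the EUR 20,000 single-approver limit, the 24-hour aggregation window, the account labels, and all payment records are constructed assumptions.</p>

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

# Assumed policy values for illustration; the article does not state real limits.
SINGLE_APPROVER_LIMIT = Decimal("20000")  # EUR one approver may release alone
AGGREGATION_WINDOW = timedelta(hours=24)  # payments to one account are summed over this span

NOT_IN_VENDOR_MASTER = "beneficiary account not in vendor master file"
OVER_SINGLE_LIMIT = "single payment exceeds approver limit"
AGGREGATE_OVER_LIMIT = "payments to this account within window exceed approver limit"


@dataclass(frozen=True)
class Payment:
    payment_id: str
    requested_at: datetime
    beneficiary_account: str
    amount: Decimal


def review_payments(payments, vendor_master, limit=SINGLE_APPROVER_LIMIT,
                    window=AGGREGATION_WINDOW):
    """Return {payment_id: [reasons]} for every payment that must be escalated."""
    findings = defaultdict(list)
    history = defaultdict(list)  # beneficiary account -> payments seen so far
    for pay in sorted(payments, key=lambda p: p.requested_at):
        if pay.beneficiary_account not in vendor_master:
            findings[pay.payment_id].append(NOT_IN_VENDOR_MASTER)
        if pay.amount > limit:
            findings[pay.payment_id].append(OVER_SINGLE_LIMIT)
        # Sum this payment with earlier ones to the same account inside the
        # window, so splitting one large transfer no longer stays under the limit.
        history[pay.beneficiary_account].append(pay)
        recent = [p for p in history[pay.beneficiary_account]
                  if pay.requested_at - p.requested_at <= window]
        if len(recent) > 1 and sum(p.amount for p in recent) > limit:
            findings[pay.payment_id].append(AGGREGATE_OVER_LIMIT)
    return dict(findings)


# Constructed vendor master file: accounts already approved by two employees.
SAMPLE_VENDOR_MASTER = {"BE-KNOWN-SUPPLIER-01"}


def build_sample_batch():
    """Constructed data: two routine payments and twelve split transfers."""
    start = datetime(2015, 3, 2, 9, 0)
    batch = [
        Payment("P-001", start, "BE-KNOWN-SUPPLIER-01", Decimal("8200.00")),
        Payment("P-002", start + timedelta(days=3), "BE-KNOWN-SUPPLIER-01",
                Decimal("14100.00")),
    ]
    # Twelve transfers of EUR 15,500 to a new account, ten minutes apart,
    # mirroring the "increments of approximately EUR 15,000" in the case.
    for i in range(12):
        batch.append(Payment(f"P-1{i:02d}",
                             start + timedelta(hours=4, minutes=10 * i),
                             "MD-PLACEHOLDER-ACCOUNT", Decimal("15500.00")))
    return batch


if __name__ == "__main__":
    results = review_payments(build_sample_batch(), SAMPLE_VENDOR_MASTER)
    for payment_id, reasons in results.items():
        print(payment_id, "->", "; ".join(reasons))
```

<p>On the constructed batch, the two routine supplier payments pass, while every split transfer is escalated: the first because the account is unknown, the remaining eleven also because their running total passes the single-approver limit.</p>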
Municipal Fraud
https://iaonline.theiia.org/2015/municipal-fraud
<p>The former utility manager for South Whitehall, Pa. has pleaded guilty to stealing US$854,000, according to <a target="_blank" href="http://www.mcall.com/news/breaking/mc-tonkins-plead-guilty-south-whitehall-embezzlement-20150408-story.html"> <em>The Morning Call</em></a> newspaper. Prosecutors say Nancy Tonkin pocketed cash payments made by utility customers and then manipulated accounting records to hide the missing money. The funds went undetected for several years until Tonkin's supervisor retired and the township's finance department was restructured. Prosecutors allege Tonkin and her husband spent the money at area casinos. As part of a plea deal, Tonkin was sentenced to a minimum of two years in prison, and she and her husband must forfeit their township retirement savings and pay US$333,032 in restitution.</p><h2>Lessons Learned</h2><p>Many of the columns I've written for InternalAuditor.org have profiled the lessons learned from frauds committed by public servants against taxpayer-funded public organizations. Typically in these cases, a long-employed and trusted public official — benefiting from a position of financial authority and a lack of oversight, controls, and an internal audit function — steals a significant amount of public funds over many years. This time I'd like to step back from the specifics of the story and provide a broader, yet more systematic perspective on what local governments, state and federal regulators, and internal auditors could do to help prevent and detect this kind of fraudulent behavior. 
</p><p>In making my observations, I found helpful <a href="http://www.theiia.org/bookstore/product/emerging-strategies-for-performance-auditing-insights-from-city-auditors-in-major-cities-in-the-us-and-canada-1873.cfm" target="_blank">a 2014 research study</a> conducted for The IIA Research Foundation (IIARF), Emerging Strategies for Performance Auditing: Insights From City Auditors in Major Cities in the U.S. and Canada. The study is based on surveys of numerous U.S. and Canadian municipalities. Although focused on performance auditing, this report provides insights — and potential remedies — into why local governments don't have the fundamental elements of an effective audit function in place that would allow them to protect against fraud. </p><p>Among the gaps the report discusses, four are noteworthy:</p><ul><li> <strong>A lack of legislation or mandate for audit. </strong>A patchwork of state and municipal legislation still exists for many local governments regarding internal audit functions, with some having a very general mandate, and others none at all. For example, a search of the South Whitehall website for topics related to audit returned no results. Where a mandate does exist, it often is unclear about internal audit's roles and responsibilities, including for fraud and performance audit issues.</li><br> <li> <strong>A lack of funding. </strong>In both the U.S. and Canada, federal and state/provincial authorities generally have not established clear funding parameters or formulas for the funding of audit functions. This has been exacerbated by current government fiscal pressures. Interestingly, the IIARF study includes examples of U.S. cities that have established minimum funding standards for audit functions. 
Moreover, the report suggests guidelines for funding audit relative to the size of the municipal organization's budget.</li><br> <li> <strong>Inadequate or immature governance processes.</strong> In organizations that have them, audit functions may report to a wide variety of authority structures, including a city manager, treasurer, or chief financial officer, raising questions regarding conflict of interest. Audit committees, where they exist, may have different mandates and compositions.</li><br> <li> <strong>A lack of understanding and support for internal audit on the part of officials, the media, and citizens. </strong>Misunderstandings and misrepresentations about internal audit's mandate, function, and value continue to persist. This is particularly common in local government environments where internal audit has few resources and may be perceived as a threat or an unnecessary bureaucratic burden.</li></ul>
Art Stewart
Financial Reporting and the Audit Committee
https://iaonline.theiia.org/blogs/marks/2015/financial-reporting-and-the-audit-committee
<p>I recently came across <a href="http://www.financialmirror.com/blog-details.php?nid=1511" target="_blank">an excellent article by Rakis Christoforou in the U.K.'s <em>Financial Mirror</em></a>. It does a fine job of summarizing both the drivers of financial statement fraud and the role of the audit committee.</p><p>Here are some excerpts with my comments.</p><p> <span class="ms-rteiaStyle-BQ">A financial misstatement usually involves senior management of public companies, who are in a unique position to perpetrate financial misstatement by overriding controls.</span> </p><p>This is absolutely true when it comes to the deliberate material misstatement of the financials (which includes deliberate omissions). It is very hard for the Sarbanes-Oxley program to detect deliberate misstatements by senior management; perhaps the most that can be done is to examine period-end journal entries for unusual amounts or postings.
However, the external audit team should be (and usually is) sensitive to the possibility.</p><p> <span class="ms-rteiaStyle-BQ">As a consequence, the role of the board of directors, audit committees, external and internal auditors is critical in properly addressing financial misstatements and override of controls.</span> </p><p>It is also hard for internal audit to detect senior management fraud, but they should be alert to the indicators that the risk is greater (such as concerns about the tone at the top, pressure by senior management on lower levels of management (especially finance) to "make the numbers," and so on).</p><p>The audit committee should also be alert to red flags and question the external and internal audit teams on the topic.</p><p> <span class="ms-rteiaStyle-BQ">At times of negative economic environment, when targets are much harder to achieve, increased pressure is imposed at corporate level for better results and this creates incentives for financial misstatement and fraud. </span></p><p>This is, again, very true.</p><p> <span class="ms-rteiaStyle-BQ">But financial misstatement and fraud could also occur at lower levels of management when middle corporate managers may claim that they did not realize that they were committing a financial misstatement or fraud, but saw themselves as simply doing what was expected of them by senior management. Middle managers and other employees committing this type of fraud may not be doing it for a direct personal gain, but because senior management created the impression that the manipulation (or omission of adjustment/action) is needed, it is for the best interests of all, and after all this is what is expected of them by senior management.</span></p><p>I have seen this happen. 
When a division or unit fears for its survival, it may resort to accounting fraud.</p><p> <span class="ms-rteiaStyle-BQ">Audit committee members should … be in a position to challenge senior management with questions on risks that could potentially create incentives for financial misstatement. Such probing questions should be addressed to senior management, external and internal auditors. Audit committee members are expected to have an active role, and not a passive one, when dealing with significant financial statement reporting issues.</span></p><p>This is a very good point. But what should the audit committee do beyond this?</p><p>I suggest the following:</p><ul><li>If the company is doing better than its competitors, according to the financial statements, ask why. Be aware of indicators, such as analyst or other media comments, that do not support the company excelling while others falter.</li><li>Meet with management at levels below the CEO and chief financial officer (CFO). Listen to whether their comments on operations they run are consistent with the financial results.</li><li>Talk to the internal and external audit teams. Understand which accounts are most likely to contain deliberate misstatements and ensure they, between them, have done enough work to satisfy the audit committee.</li><li>Be aware of any senior financial managers who leave the company unexpectedly.</li><li>Challenge management if it does not run an employee survey, providing employees an opportunity to indicate their level of trust in the integrity of management.</li><li>Make sure all whistleblower calls/messages get to the audit committee without the opportunity for management to filter them.</li><li>Consider meeting with finance personnel below the CFO.
Provide them a way to contact the audit committee should they have concerns about pressure being placed on them, or on entries being made at the corporate level that are not consistent with results at theirs.</li></ul><p>I welcome your thoughts.</p>
Norman Marks
