<h1>The Secret Fund</h1>
<p>An internal audit has revealed that senior staff members of the Brampton city government set up a secret fund that paid nonunion employees CAN$1.25 million between 2009 and 2015, <a href="" target="_blank">the <em>Brampton Guardian</em> reports</a>. The audit report noted that these payments were difficult to monitor because they were not appropriately coded under the suburban Toronto city's transaction procedures and were made without the consent of the city council. The council voted in June to request a criminal investigation to uncover who authorized the payments and whether they broke any rules. The internal audit itself was notable because it took place over a two-year period, during which the head auditor who had launched the investigation left her position.</p>
<h2>Lessons Learned</h2>
<p>This is not the typical fraud story. Indeed, fraudulent activity has neither been alleged nor proven yet. The essence of the case is that the City of Brampton council has requested a police investigation into a secretive, unapproved bonus program. Based on additional reporting I've reviewed, an audit report notes that the bonus scheme was devised by senior staff members, who allegedly kept elected officials in the dark for years. These senior employees used an obscure mechanism called an "outside policy request" (OPR) to make "discretionary salary increases determined by the operating department heads" that were "outside of council-approved policies and documented procedures." But these reports note that the objective of the OPR was to "align the salaries within the respective grades to achieve fairness and equity."</p>
<p>The facts of this case are not all clear yet. Whether or not Brampton Council has made the best choice in calling in the police — it had considered conducting an internal forensic investigation instead — a formal investigation to uncover everything behind the bonus payment scheme will be needed to determine whether fraud and criminal activity took place. That investigation should establish who approved the program, when it was approved, who received payments, and whether any of these activities contravened policies or laws. And if it is ultimately found that fraud was committed, those found guilty should be held responsible, whether they are employees or politicians.</p>
<p>In the meantime, there are several actions internal auditors can and should recommend to address the many gaps in management and controls revealed by this story. At the heart of these are:</p>
<ul>
<li><p><strong>Make key governance and accountability changes,</strong> such as appointing an independent auditor general at city hall with powers to investigate and report on a wide range of financial and management issues. Some Brampton councillors are already calling for this measure, and many cities already have an auditor general. Officials should review and revise delegations of authority to senior and other managers to prevent unnecessary discretion in approving financial payments — including to employees in unusual or special circumstances — unless there is full council approval. Council and its committees, especially those for budgeting and audit, should review their mandates and how they operate to ensure more thorough scrutiny that can detect unusual practices — a city audit department and auditor general would help here.</p></li>
<li><p><strong>Address gaps in compensation policies and financial controls.</strong> Brampton's council has dropped the OPR mechanism, but it also needs to address the underlying weaknesses in its compensation policies and systems that gave rise to the use of such a mechanism. (I've learned that the city will conduct a separate audit of its compensation structure.) That audit should include how compensation policies and systems deal with both union and nonunion employees, and a more general examination of how current and relevant those policies are today.</p>
<p>Brampton's auditors said the bonuses were not authorized under the relevant rules and that over time OPR "requests were approved for reasons beyond its initial intention." "Scope creep" in policy interpretation can occur over time when original policies become out of date in relation to current practices. Often, those in charge simply ignore the rules because it is difficult and time-consuming to formally change them.</p>
<p>In addition, OPR payments to nonunion staff could not be tracked because there was a "lack of coding" that would have allowed internal controls to monitor this activity. This is another common internal control gap organizations create for themselves when deciding how far to extend formal controls over "special" transactions — such transactions should be included in the scope of tracking, reporting, and monitoring systems.</p></li>
</ul>
<p>Art Stewart</p>
<h1>Motivated to Steal</h1>
<p>An Indiana bookkeeper has agreed to plead guilty to charges of stealing $1.8 million from her employer over more than four years, <a href="" target="_blank">according to <em>Inc.</em> magazine</a>. The U.S. Department of Justice says Julie Ann Ashman wrote more than 400 checks to herself, in amounts between $3,000 and $5,000, from the accounts of her employer, a small medical equipment repair company. Ashman then covered up the theft by understating the company's revenues in reports to its management and outside accountant. Moreover, she did not report the money as income on her federal income tax returns, so she faces prosecution for tax evasion in addition to fraud charges.</p>
<h2>Lessons Learned</h2>
<p>This column has covered several frauds committed by apparently trusted, long-term employees (see <a href="/2017/Pages/Powered-Down-by-Fraud.aspx">"Powered Down by Fraud"</a> and <a href="/2016/Pages/The-Tech-Know-how-for-Fraud.aspx">"The Tech Know-how for Fraud"</a>). Particularly for smaller businesses, resource constraints can be an enormous challenge in establishing comprehensive controls, such as segregation of duties and management vigilance in monitoring cash flows, inventory, and check writing. The absence of these controls can provide opportunities for employees to commit fraud.</p>
<p>This time, though, let's discuss one of the root causes, or at least a major contributing factor, of employee theft: motivation. Specifically, internal auditors should consider whether the organization has a toxic work environment that could motivate an employee to commit fraud.</p>
<p><strong>Look for signs of a toxic work environment.</strong> Instances of employees stealing money, stealing or destroying assets, and taking information for personal gain are on the rise. As this story suggests, a common fraud scenario may involve employees who appear to be highly dedicated to their job, working continuously with little or no holiday or sick leave. Such "dedication" can be a sign of a cover-up by a disaffected or disgruntled employee.</p>
<p>Although it is difficult to quantify, within a typical organization there is likely to be a small minority of employees who wouldn't steal from their employer regardless of the circumstances, another small minority who will steal at any opportunity, and a majority who may go either way. Employees in this last group may be waiting to see how serious the employer is about theft and its risks, or they may be influenced to steal by a toxic work environment.</p>
<p>Examples of toxic behaviors by either management or employees include:</p>
<ul>
<li>Arbitrary management decision-making, including disciplinary actions and being overly critical of others. Employees who perceive they have been wronged may use theft to get back at the business.</li>
<li>Business processes and procedures that are perceived as overly burdensome, arbitrary, and not well understood by employees.</li>
<li>Harassment, bullying, and racism in all their forms.</li>
<li>Excessive, hostile, and obsessive behaviors, such as employees who appear to live beyond their means. Noticing this could have been a way to uncover the fraud in this story.</li>
<li>Failure to address immature or troubled employees. In addition to those mentioned previously, this might include employees with other problematic behaviors such as signs of substance abuse and chronic lying. Theft may provide an emotional release for anti-social behavior.</li>
<li>Differential treatment, including in pay and benefits for the same work. This may involve employees' perception that management is receiving a disproportionate share of profits and benefits.</li>
<li>The presence of "in favor" and "out of favor" employees and groups.</li>
</ul>
<p><strong>Don't take employee honesty for granted.</strong> Employers — and auditors, through their findings and recommendations — must demonstrate to employees that fraud prevention is important by setting an example. This can involve establishing a code of conduct for all staff members, encouraging communication, and promoting trust and fair treatment. Employers should reinforce these measures by implementing appropriate procedures and policies to ensure compliance. And where they have uncovered fraud, organizations should take firm action to address the crime as a deterrent to future incidents.</p>
<p>Art Stewart</p>
<h1>Cheap Cars Court Trouble</h1>
<p>Kentucky's state auditor is reviewing how the state's court system manages its finances in the wake of an attorney general's investigation into the system's "employees only" sale of surplus vehicles, <a href="" target="_blank">the <em>Herald-Leader</em> reports</a>. According to news reports, the Administrative Office of the Courts (AOC) sold four vehicles during the 2014 sale for prices that were 70 percent below their value. One vehicle was later resold for more than three times the price the employee had paid for it. The AOC has not released information on its employees-only sales, which began in 2013, and the courts are not covered by the Kentucky Open Records Act.</p>
<h2>Lessons Learned</h2>
<p>That Kentucky's AOC has requested an audit of its financial operations is to be commended. A narrower audit limited to its disposal of surplus assets might not have been sufficient to identify all of the root issues and the recommendations needed to fully address the abuses identified in this story. Here, however, I will focus more specifically on some of the main failings fraudsters can exploit in the disposal of surplus assets, and on what can be done about them.</p>
<p><strong>An asset disposals policy and related processes are a must.</strong> These should cover several internal control best practices that can help prevent fraud in the assets area:</p>
<ul>
<li>Physical counts performed at least yearly.</li>
<li>Analysis of unusual patterns in the value of fixed assets. For example, the depreciation schedule should be checked to identify any unusual pattern in the depreciation amounts. The disposals schedule is used to analyze write-offs and scrap sales transactions, which might hide fraudulent activity. Reviewing the acquisition schedule can establish whether newly acquired assets are legitimate and meet the requirements to be capitalized.</li>
<li>Fixed assets procedures. This review should at least cover accounting and reconciliations, additions and disposals, and physical counts.</li>
<li>Approval of additions, disposals, and related documentation. This should include details of the approval steps required for new and obsolete fixed assets, and an approval chain with at least two levels of approval. Additional approvals should be considered for fixed assets of higher value.</li>
<li>Reviews and random spot checks. A senior finance person and auditors should periodically review the additions and disposals, and spot-check the supporting documentation to assess its completeness and accuracy.</li>
<li>Asset tags. Each fixed asset should be tagged and recorded in a fixed asset register to ensure traceability. Typically, companies with large numbers of fixed assets use barcode systems for this.</li>
<li>An up-to-date fixed assets register, including descriptions and cost and location details of each asset, updated regularly.</li>
<li>Reconciliations with the general ledger to ensure the accuracy of the financial statements. These should be performed monthly and be accompanied by a review by supervisory or management staff.</li>
<li>Periodic evaluation of assets' condition, including adjustment to the value of damaged or deteriorated assets.</li>
<li>Physical controls such as closed-circuit television systems.</li>
</ul>
<p>A good example of an asset disposal policy that integrates fraud prevention, but does not address roles and responsibilities, is maintained by the <a href="" target="_blank">University of Wollongong Australia</a>.</p>
<p><strong>Halt "employees only" asset sales.</strong> More specifically related to this story, the AOC's management should reconsider the use of "employees only" auctions to dispose of assets such as automobiles. Not only is this practice inherently more susceptible to employee fraud; if the AOC made certain improvements in its practices, it could also increase the revenue it earns from the sale and disposal of surplus assets and better ensure that assets are valued appropriately when they are disposed of. For example, the AOC could generate additional revenue if it sold surplus assets on the internet, as many states and municipalities do. The AOC may be prohibited by state law from using the internet to sell surplus assets, but permission could be sought.</p>
<p>Minimum bids based on an assessment of the current value of the assets being disposed of also should be implemented. A further related consideration is the decision to sell at a minimal price versus selling for scrap. Frequently, the latter choice will yield better revenue than selling at a low price. Of course, documentation of assessments is needed to support decision-making and to avoid the fraudulent territory of deliberately overstating, understating, or misrepresenting value.</p>
<p>Art Stewart</p>
<h1>The “Free Trial” Scam</h1>
<p>“I specialize in high-crime, low-income areas, where the average household is on government assistance.” These were the exact words of Erin Turner, one of the top sales representatives at a home security company, who was now under investigation for fraud. Bruce Dwyer, the company’s forensic auditor, sat baffled by the comment, wondering how so many people living on government assistance could afford a home security and automation system with a $50 monthly monitoring fee. During the interview, Turner produced a purse full of prepaid credit cards and explained to Dwyer how she obtained them, what they were used for, and how she provided the numbers to some of her customers to facilitate installation of a security system.</p>
<p>Dwyer’s investigation was the result of an analysis of a national summer promotion. The premise of the offer was a limited-time, deeply discounted installation with a three-year monitoring agreement. The marketing analysis had produced mixed results. The company had made a lot of deeply discounted sales, but many of the units were already being discontinued for nonpayment. Some of the sales representatives had disproportionate disconnect rates. Management suspected fraud, and Dwyer was tasked with conducting the investigation. He decided to start with what appeared to be the largest offender, Turner, who also happened to be one of the top sales representatives.</p>
<p>Turner built her book of business using the company’s promoter program, in which sales representatives are encouraged to develop a network of professionals and small businesses — promoters — that refer potential customers to them. If a referral turned into a sale, the sales representative earned a commission and the promoter earned a referral fee. Turner was working with one primary promoter in a handful of large apartment complexes. A quick review of her personnel file revealed the promoter to be Turner’s sister.</p>
<p>During the interview, Turner told Dwyer that her sister was going door to door and convincing the neighbors to install a security system. Her sales pitch was that the system was free to install, they could try it for six months without making a payment, and if they were not satisfied with the service they could simply stop making payments. There were no strings attached. Turner’s sister provided customers with a prepaid credit card to get the installation completed.</p>
<p>On Dwyer’s flight home, he made a list of all the sales representatives and wondered if they also were abusing prepaid credit cards. A prepaid credit card is activated when the cardholder pays a small fee and “loads” the card by putting a set amount of money on it. Once a prepaid credit card is activated, the number is live until the card’s expiration date or until the holder cancels the card. When a transaction occurs, the balance on the card is reduced. Dwyer discovered that the company’s billing and collection system could only validate that a card presented was “live.” In other words, the system could not determine whether the card presented for installation charges and recurring payments was a credit card, gift card, or prepaid credit card. Furthermore, if it was a prepaid credit card, the system could not validate that enough funds were available for the installation charges, let alone the recurring monthly monitoring fees.</p>
<p>As luck would have it, Thomas Border, the IT specialist responsible for credit card transactions, had noticed a pattern of abuse with prepaid credit cards. Together, Dwyer and Border analyzed all credit card transactions for a six-month period to identify and quantify a pattern of abuse. To conduct the investigation, credit card transactions had to be matched against a bank identification number (BIN) database to identify prepaid credit card usage. The 16 digits on a credit card follow a defined structure rather than being random. The first six digits are referred to as the BIN, which identifies the institution that issued the card and the type of card it is. Dwyer and Border obtained the customer account numbers associated with the cards and the names of the sales representatives who made the sales to identify who had either provided or accepted prepaid credit cards.</p>
<p>Based on the findings, Dwyer then conducted investigations of the other sales representatives and discovered a similar pattern of abuse. In some cases, Dwyer identified sales representatives who signed up 25 to 30 customers on a single prepaid credit card. Most of these accounts would immediately default on their payments, but the sales representatives collected commissions on each sale regardless. At one point, Dwyer estimated that the scheme had been costing the company almost $5 million annually over the course of two years. The sales representatives involved in the scheme were immediately terminated.</p>
<h2>Lessons Learned</h2>
<ul>
<li>Prepaid credit card usage is a common fraud scheme among commissioned sales forces, so internal auditors should compare all credit card transactions against a BIN database to identify prepaid credit card transactions, find out which customer accounts used a prepaid credit card as payment, look at the payment history while focusing on customers who have made zero or a single payment, and identify the sales representatives on those accounts to uncover any wrongdoing.</li>
<li>The many-to-one test identifies how many customer accounts are associated with a single credit card number. After identifying a target list, internal auditors should look at the customer details (name, address, and location) to see whether the accounts belong to family members or small businesses that might be legitimately sharing a credit card. If no commonality can be identified, internal auditors should investigate. Incidentally, this procedure also works for checking accounts.</li>
<li>The scheme could have been caught sooner if the finance department had been working more closely with the company’s credit card processor. Processors can assist with identifying prepaid credit cards in their transaction database.</li>
<li>Companies can decide not to accept prepaid credit cards for recurring monthly payments, but they must first check their agreement with their credit card processor, as they may be legally required to accept prepaid credit cards as a form of payment.</li>
<li>Exception reports identifying sales representatives who accept prepaid credit cards should be produced monthly and distributed to area general managers to review for fraudulent activity. Internal audit should be notified of any apparent fraudulent activity and engaged to conduct an investigation.</li>
<li>As a result of this investigation, and several other observations, the company began conducting enhanced customer screenings in the form of credit checks on all prospective customers. Customers who have low credit scores are now required to make several months of recurring payments before system installation can occur. Requiring several months of recurring payments up front helps reduce fraudulent use of prepaid credit cards.</li>
</ul>
<p>Grant Wahlstrom</p>
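<p>The three analytics described in these lessons (the BIN lookup that classifies prepaid cards, the many-to-one test that counts distinct accounts per card number, and the monthly per-representative exception report) as an added Python example. This is not code from the original column or from the company in the story; the BIN table, card numbers, account ids, representative names, and the thresholds (three accounts per card, at most one successful recurring payment) are all constructed for illustration, and a real BIN table would come from the card processor or a licensed BIN database.</p>

```python
"""Detection analytics for the prepaid-card scheme: BIN lookup, many-to-one
test, and a per-representative exception report.

Added example. The BIN table, card numbers, account ids, representative
names and thresholds below are constructed for illustration; none of them
is real data from the case or from any card network."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed BIN table: first six digits -> (issuer, card type).
# Hypothetical prefixes; real BIN data would come from the processor or a
# licensed BIN database.
BIN_TABLE = {
    "900001": ("Example Bank A", "credit"),
    "900002": ("Example Bank B", "debit"),
    "900003": ("Example Prepaid Co", "prepaid"),
    "900004": ("Example Gift Card Co", "prepaid"),
}


@dataclass(frozen=True)
class Txn:
    account: str    # customer account number
    pan: str        # card number as presented to the billing system
    rep: str        # sales representative credited with the sale
    kind: str       # "install" or "recurring"
    approved: bool  # whether the processor approved the charge


# Constructed six-month sample. Card ...0003 is one prepaid card used on four
# accounts, most of which never make a recurring payment, all sold by the
# same representative. Card ...0002 is a debit card shared by two accounts
# (e.g. a couple), the benign many-to-one case that should stay below the
# sharing threshold.
SAMPLE = [
    Txn("A100", "9000010000000001", "rep_smith", "install", True),
    Txn("A100", "9000010000000001", "rep_smith", "recurring", True),
    Txn("A100", "9000010000000001", "rep_smith", "recurring", True),
    Txn("A101", "9000020000000002", "rep_jones", "install", True),
    Txn("A101", "9000020000000002", "rep_jones", "recurring", True),
    Txn("A102", "9000020000000002", "rep_jones", "install", True),
    Txn("A102", "9000020000000002", "rep_jones", "recurring", True),
    Txn("A200", "9000030000000003", "rep_turner", "install", True),
    Txn("A200", "9000030000000003", "rep_turner", "recurring", False),
    Txn("A201", "9000030000000003", "rep_turner", "install", True),
    Txn("A202", "9000030000000003", "rep_turner", "install", True),
    Txn("A202", "9000030000000003", "rep_turner", "recurring", True),
    Txn("A203", "9000040000000004", "rep_turner", "install", True),
    Txn("A204", "9000030000000003", "rep_turner", "install", True),
]


def card_type(pan, bin_table=BIN_TABLE):
    """Classify a card by its BIN (first six digits). A BIN missing from the
    table is reported as "unknown" so it gets reviewed rather than being
    silently treated as an ordinary credit card."""
    return bin_table.get(pan[:6], ("unknown", "unknown"))[1]


def prepaid_accounts(txns, bin_table=BIN_TABLE):
    """Accounts that paid with a prepaid card, mapped to the rep on the account."""
    return {t.account: t.rep for t in txns if card_type(t.pan, bin_table) == "prepaid"}


def successful_recurring_payments(txns):
    """Approved recurring payments per account; install charges do not count."""
    counts = {t.account: 0 for t in txns}
    for t in txns:
        if t.kind == "recurring" and t.approved:
            counts[t.account] += 1
    return counts


def many_to_one(txns, threshold=3):
    """Many-to-one test: card numbers used on at least `threshold` distinct
    accounts. The same logic applies to a checking-account number field."""
    accounts_by_card = defaultdict(set)
    for t in txns:
        accounts_by_card[t.pan].add(t.account)
    return {pan: accts for pan, accts in accounts_by_card.items() if len(accts) >= threshold}


def rep_exception_report(txns, bin_table=BIN_TABLE, max_payments=1, share_threshold=3):
    """Monthly exception report per representative: accounts on prepaid cards,
    prepaid accounts with at most `max_payments` successful recurring payments,
    and accounts riding on a card shared across many customers."""
    prepaid = prepaid_accounts(txns, bin_table)
    payments = successful_recurring_payments(txns)
    shared_accounts = set().union(*many_to_one(txns, share_threshold).values())
    rep_of = {t.account: t.rep for t in txns}
    report = {}
    for acct, rep in rep_of.items():
        row = report.setdefault(rep, {"prepaid": 0, "prepaid_defaulted": 0, "shared_card": 0})
        if acct in prepaid:
            row["prepaid"] += 1
            if payments[acct] <= max_payments:
                row["prepaid_defaulted"] += 1
        if acct in shared_accounts:
            row["shared_card"] += 1
    return report


if __name__ == "__main__":
    for rep, row in sorted(rep_exception_report(SAMPLE).items()):
        print(f"{rep:12s} {row}")
```

<p>On the constructed sample, the report singles out one representative with five prepaid-card accounts, all five at zero or one successful payment, and four of them on a single shared card, while the two accounts sharing a debit card stay below the sharing threshold and are not flagged. The accounts a shared card turns up are a target list, not a finding: the customer details still have to be compared for a legitimate commonality before anything is escalated.</p>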
<h1>Cleaning Up Financial Crime</h1>
<p>Citigroup will pay $97 million to settle U.S. Justice Department charges against its Banamex subsidiary, the <a href="" target="_blank"><em>Los Angeles Times</em> reports</a>. According to the Justice Department, a lack of internal controls at Banamex USA may have enabled customers to launder money through payments sent to Mexico. The Justice Department says the bank's two-person compliance staff conducted only a small number of investigations of the 18,000 suspicious transaction alerts involving money sent to Mexico between 2007 and 2012. As part of the settlement, the Justice Department will not prosecute the bank. However, the bank has agreed to shut down Banamex USA to comply with an earlier deal with the U.S. Federal Deposit Insurance Corp. and the California Department of Business Oversight to settle a separate investigation of the suspicious payments.</p>
<h2>Lessons Learned</h2>
<p>Over the last three decades, <a href="" target="_blank">U.S. Bank Secrecy Act (BSA) Anti-Money Laundering (AML)</a> regulations have been expanded to cover not only banks and credit unions, but also a wide array of financial institutions. The Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Treasury Department, maintains web pages for <a href="" target="_blank">money services businesses</a> (MSBs), <a href="" target="_blank">depository institutions</a>, <a href="" target="_blank">the insurance industry</a>, <a href="" target="_blank">securities and futures</a>, and <a href="" target="_blank">casinos</a>. These institutions are required to have a BSA/AML compliance program in place that is commensurate with their respective BSA/AML risk profiles. The program must include four components — a solid risk profile foundation, a thorough internal controls review, independent testing/audits, and a BSA/AML compliance officer. To these components, I will add a fifth — a thorough and evergreen risk profile.</p>
<p>A 2016 Grant Thornton benchmarking report, <a href="" target="_blank">Anti-money Laundering Compliance in the Money Services Business Industry</a> (PDF), also provides some interesting trends regarding the issues and challenges faced in meeting compliance obligations, which are relevant to this story. These two sources help highlight some lessons that should be learned from the Citigroup case, with a particular emphasis on the importance of the first three of these BSA/AML program components.</p>
<p><strong>1. A solid risk profile foundation.</strong> Banks and other kinds of financial institutions frequently do not approach the development of their risk profile with sufficient discipline. A thorough risk assessment is the crucial first step in developing a compliance program, and it requires careful identification of the risks inherent in the business, distinguishing between products and services, customers, and geographic locations. A risk profile must not only be operationally implemented; it also must be updated as changes occur for the institution. The MSB benchmarking report notes, "While all of the MSBs in the benchmarking population had a documented risk assessment, the majority (61 percent) were still in the process of making the risk assessment a practical reality of their business operations."</p>
<p>As this story notes, Citigroup set up Banamex USA, the former California Commerce Bank, as an arm of its Banco Nacional de Mexico subsidiary to make it easier for businesses and individuals to transfer funds across the border. That is a significant business change, and one wonders whether Citigroup updated its risk profile, at least for its Banco Nacional de Mexico subsidiary.</p>
<p><strong>2. A thorough internal controls review.</strong> Particular aspects of FinCEN's guidance regarding what is needed for an internal controls review seem relevant to Citigroup's acknowledged weaknesses, including:</p>
<ul>
<li>Whether the board of directors, or a committee thereof, and senior management were adequately informed of BSA/AML compliance initiatives and identified compliance deficiencies, and took corrective action. That would include notifying directors and senior management of suspicious activity reports filed with regulators.</li>
<li>Compliance with requirements for establishing a person or office responsible for BSA/AML compliance, including providing for program continuity despite changes in management, employee composition, or structure. According to the news report, Banamex USA "conducted fewer than 10 investigations and filed only nine suspicious activity reports stemming from the alerts because its compliance unit was seriously understaffed with only two employees."</li>
<li>Providing for dual controls and segregation of duties. For example, employees who complete the reporting forms, such as suspicious activity reports, should not also be responsible for the decision to file the reports or grant the exemptions.</li>
<li>Providing sufficient controls and monitoring systems for timely detection and reporting of suspicious activity.</li>
<li>Ensuring there is sufficient document and record keeping regarding transactions, particularly those with higher risks.</li>
</ul>
<p>The MSB benchmarking report notes several observations relating to deficiencies found in several of these areas, including transaction processing, record keeping, and the handling of suspicious transactions.</p>
<p><strong>3. Independent testing (audit).</strong> According to FinCEN's guidance, independent, third-party audits of BSA/AML compliance should be conducted at least every 12 to 18 months — and more frequently for higher-risk financial institutions. These audits should include:</p>
<ul>
<li>An evaluation of the overall adequacy and effectiveness of the BSA/AML compliance program, including policies, procedures, and processes. Typically, this evaluation will include an explicit statement about the BSA/AML compliance program's overall adequacy, effectiveness, and compliance with applicable regulatory requirements. At a minimum, the audit should contain sufficient information for the reviewer, such as an examiner, review auditor, or BSA officer, to reach a conclusion about the overall quality of the BSA/AML compliance program.</li>
<li>A review of the bank's risk assessment for reasonableness given its risk profile (products, services, customers, entities, and geographic locations).</li>
<li>Appropriate risk-based transaction testing to verify the bank's adherence to the BSA record-keeping and reporting requirements.</li>
<li>An evaluation of management's efforts to resolve violations and deficiencies noted in previous audits and regulatory examinations, including progress in addressing outstanding supervisory actions, if applicable.</li>
<li>A review of the effectiveness of the suspicious activity monitoring systems (manual, automated, or a combination) used for BSA/AML compliance. Related reports may include suspicious activity monitoring reports, large currency aggregation reports, monetary instrument records, funds transfer records, nonsufficient funds reports, large balance fluctuation reports, and account relationship reports.</li>
</ul>
<p>Additionally, Grant Thornton's benchmarking study found that while deficiencies in AML compliance programs continue to be prevalent (incidences of around 60 percent of MSBs overall), "for those MSBs that had more than one review of their program completed, there was a decrease in documentation deficiencies such as risk assessments, policy, and procedures (66 percent deficient in 2012 and 57 percent in 2016)." We do not know whether regular audit work had been conducted on Banamex's BSA/AML compliance program. However, if such audits took place and included the above scope, it would be surprising that senior management and regulators did not learn of the program's serious deficiencies sooner.</p>
<p><strong>4. BSA/AML compliance officer.</strong> Every institution's board should designate a BSA/AML compliance officer. While this person may not be part of the executive team, he or she should be expert in BSA/AML regulations, have the ability and resources to design and implement a program, and ensure that both the board and senior management are aware of the organization's compliance status. While one needs to exercise caution in comparing MSBs to banks in this regard, the Grant Thornton benchmarking study found that of the MSBs studied, only "18 percent (down from 23 percent in 2012) had a compliance officer that was supported by a team providing assistance to oversee and meet the compliance program requirements."</p>
<p><strong>5. BSA/AML compliance training.</strong> MSBs should train employees in the appropriate parts of the BSA/AML program and communicate the organization's anti-money laundering responsibilities to them. Employees whose jobs place them in a specific risk category should be aware of how mandated reporting and responsibilities apply to them. This training should be reviewed periodically, especially when people change jobs. BSA compliance also should be incorporated into the job descriptions and performance evaluations of bank personnel, as appropriate.</p>
<p>Art Stewart</p>
Red Card for Corruption Card for Corruption<p>​Global soccer governing body FIFA has suspended a member of its audit and compliance committee for 90 days following his guilty plea to U.S. charges of bribery, <a href="" target="_blank">Reuters reports</a>. Richard Lai, a U.S. citizen who is president of the Guam Football Association, admitted to taking almost $1 million in bribes to gain his influence with FIFA. Prosecutors noted that FIFA's audit and compliance committee should play an important role in combatting the corruption that has come to light since 2015. In a separate case, FIFA's ethics committee has launched an investigation into alleged conflict of interest and financial mismanagement by the president of the Caribbean Football Union. </p><h2>Lessons Learned          </h2><p>Behind the immediate headlines of this story are revelations of two decades of corruption in which FIFA officials rigged World Cup bids and steered marketing and broadcast contracts in exchange for bribes paid out through convoluted financial deals or briefcases full of cash. Globally, football officials have been accused of match-fixing and money laundering, as well.</p><p>In response to stakeholder pressure and corruption charges brought against many senior FIFA officials, the organization announced a series of reforms to its governance and decision-making processes. <a href="" target="_blank">The proposed reforms</a> (PDF) include limiting top officials to three four-year terms, a defined division of powers between FIFA's day-to-day operational division and its strategic leaders, and increased gender diversity rules to promote women in the game, such as a requirement that each of FIFA's confederations elect at least one woman to the confederation's governing board. 
Although there will be independent members on selected advisory committees, reforms do not include adding independent members to a new executive committee.</p><p>Here are a few suggestions FIFA could follow to address corruption:</p><ul><li><strong>Eliminate governance gaps.</strong> First and foremost, in an organization that has been subject to widespread corruption activities, there should be independent members on every committee, including the executive committee. Individuals from government, regulatory/oversight bodies, academia, and professional organizations are among examples of potential independent members. Criteria for independence should include background checks to ensure members or their families do not have connections (paid or not) to particular soccer or media organizations. Audit, ethics, and financial oversight committees must have the powers and resources to independently investigate and report on suspicious matters of any kind, and to turn over their results to regulators and lawmakers. The executive committee also must set a tone of "zero tolerance" of corruption through its words, actions, and policies. The executive committee should not have control over the release of investigative reports.<br><br> </li><li><strong>Implement measures to prevent bid rigging and vote buying. </strong>Expand the list of bidders and voters to make it more difficult for collusion to be effective. Buyers should solicit bids from as many suppliers as economically possible. Having more voters increases the chances that one party will not be able to control the outcome of the vote as easily as it was done in the past. Both bid and voting packages should require bidders and voters to sign and submit a noncollusion affidavit. The packages also should inform bidders and voters of the penalties both for violating laws such as the U.S. Sherman Antitrust Act and for signing a false noncollusion affidavit. 
These statements should be verified routinely through audit and review processes. <br><br>FIFA also should ensure that all purchasing department and voting oversight employees are familiar with the indicators of bid and vote rigging, price fixing, and other types of collusion. Employees also should be empowered to ask questions and raise flags when collusion is suspected. Voting and bidding processes should be well-documented and records should be maintained in the event they are needed for review when collusion is suspected.<br><br> </li></ul><ul><li><strong>Leverage the deterrence/detection effects of whistleblower mechanisms and tough sanctions for corrupt behaviors. </strong>The corruption in this story was in some significant ways uncovered by a whistleblower. FIFA should do more to support and protect whistleblowers. Moreover, its sanctions of proven perpetrators of corruption probably could be much stronger — a 90-day suspension from soccer sends a much less decisive message of deterrence than a ban of several years or a lifetime. </li></ul>Art Stewart
Life of Luxury<p>Candace Smith is a member of the internal audit staff at Ace Ltd., a large, diversified company with subsidiaries in numerous industries. While reviewing prior audit plans, Smith realized that one subsidiary, CRL Ltd., had not been subject to an internal audit since its acquisition five years before. When Smith was reviewing the financial results for CRL, she noted that actual expenditures were much higher than budgeted and historic figures. She met with the chief audit executive (CAE) and recommended that this subsidiary be included in the current-year audit plan. The CAE agreed with her assessment, and auditors began to look into CRL's history. </p><p>CRL was founded by Wayne Boyd when he was in his early 30s. Boyd had a larger-than-life personality and earned a reputation for lavishly entertaining customers and prospects. Seven years after founding CRL, he sold a majority interest to Ace for more than US$30 million. He remained president of the division, received a generous salary, and was given a US$500,000 annual stipend to cover his entertaining expenses at his various properties. He also had access to a corporate credit card and made frequent use of his expense account.</p><p>Accounting and other core business processes remained under Boyd's control and were performed by CRL personnel. Boyd was used to having total control over all aspects of CRL, which allowed him to play fast and loose with the accounting records. He regularly pushed his personal expenses through the company. When Ace took over, it implemented a budget, but day-to-day operations remained in the control of Boyd and his family. </p><p>When the internal auditors arrived, they identified many over-budget accounts and requested supporting documentation. Many of the supporting documents did not appear to relate to either CRL or Ace, but to Boyd's personal purchases. Internal audit began to interview CRL employees who were hesitant to speak with Ace representatives. 
While CRL's accounting personnel were not forthcoming, Boyd's personal assistant, Mary White, was a wealth of information. She told Smith and the other internal auditors about Boyd and his personal financial habits. </p><p>After the acquisition, Boyd went on a spending spree, buying a plane, hunting lodges throughout the region, and a custom vehicle made for his daughter as a birthday present. Because CRL was located 750 miles away and its accounting staff was segregated from the rest of Ace, management at Ace was unaware of these extravagant purchases. </p><p>Boyd had numerous groundskeepers and housekeepers who worked at his personal properties on CRL's payroll. Over the course of two years, CRL paid these workers US$610,000. Boyd also charged a variety of additional personal property expenses to CRL for fish to fill his private lake, a grill for cooking for clients, and a taxidermist for stuffing animals killed on hunting trips with customers.</p><p>In addition to his wife and children, Boyd also had a girlfriend. She received an annual salary from CRL of US$175,000, though she didn't actually work for the company. In his attempts to conceal the relationship from his wife, Boyd used his corporate credit card to pay for their meals and travel. When his wife became wise to these tricks, Boyd began to use his assistant's credit card. </p><p>Boyd also used some of the proceeds from his windfall to flip condominiums. He jointly owned some of these properties with a CRL employee who wrote a check to Boyd every month for his portion of the mortgage. As Boyd became desperate for cash, he stopped remitting those checks to the mortgage company and pocketed the money. The employee's credit score declined dramatically. Later, Boyd refused to pay any portion of the outstanding mortgage. Instead, he arranged to have the employee's pay increased to provide additional funds to pay it. 
</p><p>When Boyd purchased the plane and hired a pilot who didn't know how to fly, he had CRL pay for the pilot's salary and training. He prepared invoices and billed CRL for all of the flights, including those that were personal in nature. Fictitious invoices were submitted for flights that never occurred and wages that were already being paid by CRL to generate additional cash flow for Boyd. </p><p>Within five years, Boyd spent almost all of the money that he received in the majority sale of his business, but he continued to live a lavish lifestyle. When a collection agency started calling his office and he was desperate for cash, he began to use his business credit card and his assistant's to cover even more personal expenses. Boyd also would submit duplicate reimbursement requests through an expense report, despite the fact that they were already on his corporate credit card. In an attempt to conceal his fraud, Boyd damaged his receipts to remove the credit card number listed on the bottom. In just two years, he charged more than US$700,000 of personal expenses on CRL's credit cards. </p><p>Thanks to the internal audit team, Ace realized that it had a major problem with Boyd and CRL. Ace sent one of its executives to CRL's headquarters to get things in order. When the forensic accounting team was done evaluating the records, it appeared that Boyd embezzled more than US$2.2 million from CRL. He was terminated from the company but no charges were filed.</p><h2>Lessons Learned</h2><ul><li>When designing the internal audit plan, it is important to ensure that riskier business units receive adequate attention. In CRL's case, there were many red flags that should have drawn the internal audit team's attention sooner, including its geographic distance from Ace, the recent acquisition, and the fact that many key processes remained in the hands of CRL and its former management. 
</li><li>When performing their work, internal auditors should consider interviewing employees and asking questions about their company's anonymous reporting hotline. Do employees know about the hotline and do they feel comfortable using it? Many employees at CRL knew about Boyd's fraud, but were unwilling to tell Ace until Boyd was terminated. </li><li>Internal audit should consider performing random checks between personnel files and payroll records. All employees receiving a paycheck should have a personnel file. It is also important to perform periodic audits to ensure that all employees are receiving the appropriate rates of pay. Internal audit should determine if policies exist that govern who is allowed to adjust compensation and if those policies are being followed. </li><li>Consider distributing paper paychecks (rather than direct deposit) randomly. This practice would have helped Ace identify ghost employees such as the girlfriend, pilot, housekeepers, and groundskeepers. </li><li>Internal audit should determine if employees with corporate credit cards are also permitted to submit expense reports. If so, it may be beneficial to test some credit card purchases to determine if they are also inappropriately included on expense reports.</li><li>Internal audit should review the acceptable use policy for all corporate-issued credit cards. This policy should clearly state the consequences for misuse of the card. Internal audit also should consider who was involved in designing this agreement — was legal counsel involved to ensure it is enforceable? If no such policy exists, internal audit should consider making a recommendation to management about its adoption and design. </li><li>When reviewing existing processes and procedures, internal audit should determine if the accounts payable staff has had adequate training to spot questionable invoices. Internal audit should also evaluate the processes for resolving unusual items.</li></ul>Jenell West
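Two of the checks recommended above (payroll against personnel files, and expense-report claims against corporate card charges) can be scripted as data reconciliations. The following is an added example, not code from the original article; the record layouts, names and amounts are constructed sample data, not figures from the CRL case.

```python
"""Added example: two audit data checks from the lessons learned above.
1. ghost_employee_candidates: payroll entries with no personnel file, plus
   entries paid above the approved ceiling for their grade.
2. duplicate_reimbursements: expense-report claims that match a corporate
   card charge by the same employee (same amount and merchant, nearby date).
All records below are constructed sample data (hypothetical)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PayrollEntry:
    employee_id: str
    name: str
    gross_pay: float          # annual pay actually disbursed


@dataclass(frozen=True)
class PersonnelFile:
    employee_id: str
    name: str
    pay_grade_max: float      # approved ceiling for the employee's grade


@dataclass(frozen=True)
class Charge:
    source: str               # "card" (bank statement) or "expense_report"
    employee_id: str
    when: date
    merchant: str
    amount: float


def ghost_employee_candidates(payroll, personnel):
    """Return (no_personnel_file, paid_over_grade) lists of payroll entries."""
    files = {f.employee_id: f for f in personnel}
    no_file = [p for p in payroll if p.employee_id not in files]
    over_grade = [p for p in payroll
                  if p.employee_id in files
                  and p.gross_pay > files[p.employee_id].pay_grade_max]
    return no_file, over_grade


def _key(c):
    # Normalise merchant text so hand-typed expense lines still match the
    # card feed; amounts are rounded to cents to avoid float mismatch.
    return (c.employee_id, round(c.amount, 2), c.merchant.strip().lower())


def duplicate_reimbursements(charges, window_days=3):
    """Return (claim, card_charge) pairs where a claim duplicates a card charge
    by the same employee within window_days. Reuse of the card for the same
    amount on a later date outside the window is not flagged."""
    card_index = defaultdict(list)
    for c in charges:
        if c.source == "card":
            card_index[_key(c)].append(c)
    window = timedelta(days=window_days)
    flagged = []
    for claim in charges:
        if claim.source != "expense_report":
            continue
        for card in card_index.get(_key(claim), []):
            if abs(card.when - claim.when) <= window:
                flagged.append((claim, card))
    return flagged


# Constructed sample data (hypothetical); E007 and E008 have no personnel
# file, and E003 is paid above the ceiling for the grade on file.
PERSONNEL = [PersonnelFile("E001", "Division President", 300000.0),
             PersonnelFile("E002", "Executive Assistant", 60000.0),
             PersonnelFile("E003", "Staff Accountant", 80000.0)]
PAYROLL = [PayrollEntry("E001", "Division President", 250000.0),
           PayrollEntry("E002", "Executive Assistant", 55000.0),
           PayrollEntry("E003", "Staff Accountant", 95000.0),
           PayrollEntry("E007", "Unknown Person A", 175000.0),
           PayrollEntry("E008", "Unknown Person B", 90000.0)]
CHARGES = [Charge("card", "E001", date(2017, 3, 2), "Steakhouse", 412.50),
           Charge("expense_report", "E001", date(2017, 3, 3), "STEAKHOUSE ", 412.50),
           Charge("card", "E001", date(2017, 3, 10), "Hotel", 899.00),
           Charge("expense_report", "E001", date(2017, 3, 20), "Hotel", 899.00),
           Charge("expense_report", "E002", date(2017, 3, 3), "Steakhouse", 412.50),
           Charge("card", "E001", date(2017, 4, 1), "Airfare", 1200.00),
           Charge("expense_report", "E001", date(2017, 4, 2), "Airfare", 1250.00)]


def run_checks(payroll=PAYROLL, personnel=PERSONNEL, charges=CHARGES):
    """Run both checks and return the flagged employee ids and claim pairs."""
    no_file, over_grade = ghost_employee_candidates(payroll, personnel)
    dupes = duplicate_reimbursements(charges)
    return {"no_personnel_file": [p.employee_id for p in no_file],
            "paid_over_grade": [p.employee_id for p in over_grade],
            "duplicate_claims": [(c.employee_id, c.when.isoformat(), c.amount)
                                 for c, _ in dupes]}


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits}")
```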
Ecclesiastical Crime<p>U.S. federal prosecutors have charged the rector of the Villa St. Joseph nursing home for priests with embezzling more than $500,000 from the Philadelphia Archdiocese facility over a nine-year period, the <a href="" target="_blank"><em>Philadelphia Inquirer</em> reports</a>. Prosecutors say the facility's bank discovered the theft last year when it flagged suspicious transactions at Harrah's Casino in Chester, Pa., from the private account that supports the nursing home. An investigation found that Monsignor William Dombrow had sole access to the private account and had used it for casinos, dinners, and tickets to Philadelphia Pops concerts. The account is funded from bequests from parishioners and life insurance payouts of priests who had resided at Villa St. Joseph. Dombrow remains rector at Villa St. Joseph, but the archdiocese says his administrative duties and handling of finances have been restricted since the theft was discovered.</p><h2>Lessons Learned</h2><p>I've written about this kind of fraud before, both a specific case involving a Canadian priest, and more generally about the many ways nonprofit and charitable organizations could better protect themselves against fraud perpetrated by employees and volunteers. Not much has changed since the last time I wrote about "ecclesiastical crime" in 2013. This kind of crime amounted to more than $39 billion worldwide in 2014, more than the $35 billion spent on mission work to promote Christianity, according to the Center for the Study of Global Christianity. The center forecasts the amounts involved will balloon to $60 billion by 2025. </p><p>Culture change toward greater transparency — much of the fraud committed in church settings apparently goes unreported — and decisive action to redress weak or nonexistent financial controls are two fundamental improvements that need to be made. 
Here are nine more steps churches and other nonprofit organizations can take to help prevent and detect fraud from within. These steps are all about establishing and maintaining basic accounting, payroll, and finance functions, including oversight, monitoring, and auditing.</p><ul><li><strong>Establish financial policy and procedures.</strong> Church organizations, particularly at the local level, should think about how the organization would like to control the handling of, and access to, church funds. These policies need not be elaborate, and can be adapted from available sources and resources. Basic policies covering matters such as cash handling, bank accounts, credit cards, security of money and financial records, two-person accountability, oversight and monitoring processes, and rotation of employees and volunteer roles should be starting points.<br></li><li><strong>Put appropriate supervision and oversight in place.</strong> Church leaders are responsible for managing operations and practices. Whether that oversight is of employees or volunteers, it is critical to have good supervision of those who deal with church funds. The natural leadership tendency is to empower people with the freedom to work independently, but there always should be some form of accountability or check and balance to that freedom. A finance committee also should be established with authority to review documents and transactions, as well as ask questions of all employees and volunteers. That committee should meet regularly and review financials, including bank statements. If it is difficult to get a financial summary from a person who handles money, it is likely a red flag.<br></li><li><strong>Train employees and volunteers who help with handling financial matters at least annually on the policies and procedures that relate to church funds. 
</strong>This training should cover the measures that the church takes to safeguard its financial resources. This step could make would-be perpetrators think twice because they will see that the organization is actively protecting its resources.<br></li><li><strong>Control access to bank accounts, credit cards, and bank statements. </strong>Never allow an individual who has direct access to bank accounts, such as access to blank check stock, check-signing authorization, and reconciling the bank statement, to create a new account without authorization from above. This is one of the easiest ways for fraud to go undiscovered. All bank account statements at least should be copied to a financial official or a trusted individual such as a senior or administrative pastor, or better yet, a board member. This person should not have any access to the organization's bank accounts.<br></li><li><strong>Establish authorization limits and require dual approvals on transactions for larger dollar amounts.</strong> For example, require that any purchase or transaction over $500 be signed by two people. Ideally, the two authorized signers of large checks should be the individual in charge of finance and accounting and a board member. Furthermore, the board member chosen to co-sign large checks should not be the same board member selected to review bank statements. The two people should not be related and should not have personal financial issues. Create a sign-off sheet that is submitted regularly to the same individual entrusted to receive the bank statements.<br></li><li><strong>Conduct reviews and audits where possible.</strong> Most frauds go on for 18 months or longer before they are detected. Although church audits are expensive, it is important that the church conduct thorough audits by an independent auditor regularly. 
Internal auditors also can help in less formal ways, as part of their participation in their church community, by volunteering their services to help ensure it runs smoothly and free of fraud. <br></li><li><strong>Rotate employees and volunteers in their roles.</strong> According to U.S. insurance industry statistics, the average tenure of a church thief is eight years. Volunteers and employees who approve transactions and handle money should be rotated regularly. No one should stay in the role indefinitely, and the use of multiple, unrelated people will make it more difficult to steal.<br></li><li><strong>Conduct periodic background and credit checks. </strong>In today's society, it is sensible to perform a background check periodically on all church employees and volunteers. Such checks should not be limited to just when individuals are first hired, because circumstances can and will change. In addition, people who have access to church funds should be subjected to a credit check. While this practice may seem invasive, it can provide information that can ultimately protect the church. Moreover, church officials should watch for warning signs of employee fraud, such as employees with access to money who are living beyond their means, have personal financial issues, or don't take vacations and guard against someone else doing their job.<br></li><li><strong>Encourage people to report suspected behavior. </strong>As much as 40 percent of frauds are caught through a tip, according to the Association of Certified Fraud Examiners.<br><br></li></ul>Art Stewart
Powered Down by Fraud<p>Rural electric co-operative Naknek Electric Association (NEA) has filed suit against its former general manager, accusing her of using the company credit card for personal expenses over more than 10 years, <a href="" target="_blank">Alaska Public Radio reports</a>. The lawsuit alleges that as the only employee with oversight of the company's spending, Donna Vukich embezzled $970,359 between 2004 and 2016 by burying her spending under codes in various NEA business accounts. After being confronted by NEA's board last year, Vukich paid back $398,000, but negotiations to recover the remaining amount have fallen through, prompting NEA's lawsuit. NEA has spent $60,000 in auditing and attorney fees. The NEA board said it has put safeguards in place to guarantee spending accountability in the future. Vukich retired from her position in March 2016.</p><h2>Lessons Learned</h2><p>This story is the classic case of a trusted employee gone bad who exploits fundamental gaps and weaknesses of a small organization to steal for personal gain. NEA says new policies and controls are in place to better prevent this theft from occurring again. But what are those measures? They might not be a comprehensive solution to prevent and deter this kind of fraud. Here are three areas to act on:</p><ul><li><strong>Establish a strong governance and accountability regime that is "fraud smart."</strong> Even small organizations should be expected to have board directors who are equipped and required to identify and act upon early signs of fraudulent behavior. That includes integrating fraud competencies into the hiring framework for directors and director fraud prevention training. 
Another director competency is appropriate knowledge of accountability mechanisms and organizational roles and responsibilities — including segregation of duties requirements — financial controls, accounting systems, and the role of audit/fraud risk assessment. Directors also must be able to engage in independent, critical thinking, and actively challenge management with penetrating questions, when necessary. There also should be performance expectations set for directors that include consequences for failures to identify and address preventable fraud events, such as performance assessments, remuneration, and even director dismissal.<br><br></li><li><strong>Ensure basic gaps in financial controls, policies, and accounting processes are fixed.</strong> To start, it is fundamental to close the gap where there was no segregation of duties over purchasing. In this case, one person was authorized to approve an expense, rather than having a different person be responsible for overseeing that expense. Even the smallest organizations can set up such a system — and NEA was not that small. Additionally, expenditures must be monitored, reviewed, and periodically audited to ensure they are appropriate. This would include a requirement that original invoices be provided. Even online and telephone purchases can be required to be supported by documentation. Moreover, the money allegedly stolen in this case each year was material enough that scrutiny of budget versus actual expenditures would have revealed discrepancies. Regular audits of financial controls, policies, and systems also are essential in detecting signs of fraudulent activity. 
These three measures alone may have disclosed the fraudster's activities at an early stage.<br><br></li><li><strong>Adopt human resource management policies that balance trust with safeguarding organizational interests.</strong> Hiring, performance management, ethics, conflict of interest, training, compensation, and termination policies and systems all need to be aligned to be "fraud aware." It's nice to think that all long-term employees doing the same job can always be trusted, but for critical jobs where material assets are under their control, there should be safeguards in place such as job rotation policies and regular background checks to determine whether there have been lifestyle changes that were potentially driven by employee theft. Where fraudulent activity is suspected or discovered, it's possible that circumstances might warrant a negotiated settlement, such as in this case, but generally it's better to act decisively to discipline, terminate, and prosecute the employees found responsible. This sends a better message of deterrence and zero fraud tolerance both to employees and to clients and stakeholders.</li></ul>Art Stewart
Internal Audit and Fraud Risk<p>Are internal auditors obsessed with fraud?</p><p>Are they terrified that a fraud might be uncovered and that management and the board would ask "where was internal audit?"</p><p>There is some merit to each of these. But does it mean that every audit department should have fraud risk toward the top of its risk-ranked audit plan?</p><p>Okay, the Association of Certified Fraud Examiners' annual surveys put the risk of fraud at around 5 percent of revenue every year. But that statistic should be viewed with caution. For example, it includes the risk that employees will use corporate assets like laptops for their personal use. Few individual frauds amount to more than $100,000, so to get to 5 percent of revenue you have to assume that many, if not most or even all, possible frauds occur. Is that likely?</p><p>In fact, few organizations are brought down or even materially impacted by fraud.</p><p>Let's consider some sources of risk that may be found at many, if not most, organizations:</p><ul><li>The effectiveness of risk management.</li><li>The quality of information used in decision-making.</li><li>Strategy-setting.</li><li>The decision to acquire or divest a business.</li><li>The ability to successfully develop and introduce new products and services.</li><li>The ability to identify the value of and then deploy new technology.</li><li>Cybersecurity.</li><li>Customer satisfaction and product/service quality.</li><li>Marketing.</li><li>Hiring, retention, and development of people.</li><li>The effectiveness of the management team.</li><li>The effectiveness of the board.</li><li>The ability of IT to meet the needs of the business.</li><li>The completion of major projects on time and within budget.</li><li>Efficient procurement.</li><li>Management of the sales pipeline.</li><li>Sales contracting.</li><li>Revenue recognition.</li><li>Tax.</li></ul><p>Now where would fraud risk rank among these — and I am sure your organization would have other high-risk areas?</p><p>Have a look at the following from The IIA:</p><ul><li> <a href="" target="_blank">The Definition of Internal Auditing</a>.</li><li> <a href="" target="_blank">The Mission of Internal Audit</a>.</li><li> <a href="" target="_blank">The Core Principles for the Professional Practices of Internal Auditing</a>.</li></ul><p>Can you find the word "fraud" in any of the above?</p><p>Internal audit cannot ignore fraud, but it should not be obsessed with it either. We should understand the level of risk, give it an appropriate level of attention, and then explain that to the board and top management. After all, it is, or should be, management's responsibility to prevent and detect fraud. We can help by providing assurance that they are managing the risk of fraud, but it is theirs to manage, not ours.</p><p>If the audit committee insists that we have a larger role, then fine. But they should understand that this would mean diverting our scarce resources away from higher risk areas.</p><p>I agree that internal audit should align its work with the interests and desires of the board. But those interests and desires should be educated ones. One of the duties of the chief audit executive is to help the board understand the role and capabilities of internal auditing.</p><p>Our work should be driven by risks to the enterprise as a whole, what I refer to in my book, <a href="" target="_blank"> <em>Auditing That Matters</em></a>, as enterprise risk-based auditing.</p><p>Do you agree or disagree?</p><p>I welcome your comments.</p><p>If you want to be notified of comments so you can join the conversation on this post, please subscribe using the link below.</p>Norman Marks
