Fraud
<h1>The Bogus Boss</h1><p><a href="https://iaonline.theiia.org/2016/Pages/The-Bogus-Boss.aspx" target="_blank">https://iaonline.theiia.org/2016/Pages/The-Bogus-Boss.aspx</a></p><p>Etna Industrie is one of thousands of French companies that have fallen prey to a scheme in which perpetrators impersonate a company's CEO to defraud the organization, <a href="http://www.bbc.com/news/business-35250678" target="_blank">the BBC reports</a>. Fraudsters impersonating Etna Industrie CEO Carole Gratzmuller emailed the company's accountant with instructions for a confidential transaction to purchase a company in Cyprus. After multiple emails and phone calls in less than one hour, the accountant authorized wire transfers of €500,000 (US$542,000) to foreign bank accounts. The company's banks held up three of the transfers, but a fourth for €100,000 went through. Authorities in France say French businesses have lost €465 million from such scams since 2010, which they say have been perpetrated mostly by French-Israeli gangs.</p><h2>Lessons Learned</h2><p>It is not surprising to hear about successful and harmful cases of CEO or executive impersonation fraud. It is part of the broader category of phishing attacks, and the attacks follow a recognizable pattern:</p><ul><li><em>Define your goal.</em> What do you want to gain? Money, information, and PIN and credit card numbers often are chosen goals.</li><li><em>Choose your target.</em> In the case of CEO fraud, the president usually is targeted, but the right vice president, director, or executive can work just as well.</li><li><em>Do your research.</em> Fraudsters perform a background check, using social media and company websites, which can reveal the target's marital status, number of children, interest in playing golf, travels to Europe, favorite car, upcoming anniversary, and whether he or she has liked Jewelry.com or Music.com on social media. Company websites can reveal examples of the target's style of communication.</li><li><em>Launch your attack.</em> It could be an urgent request to forward money to complete a supposed business deal, but it also can take many other forms. For example, it might be a congratulatory email from Music.com including a link for a free anniversary gift. The idea is to gain the target's trust by using information with which he or she feels secure. A free gift with a malicious link often can result in a successful spear phishing attack. That link could then download a piece of malware for financial or espionage purposes, or it could trick the target into giving out sensitive information.</li></ul><p>Internal auditors can suggest that organizations and their executives be careful about what they post to social media and company websites, especially job duties and descriptions, hierarchical information, and out-of-office details. Moreover, they can advise employees to be suspicious of requests for secrecy or pressure to take action quickly, even if they know the sender. But what else can auditors look for and recommend to protect organizations? Some strategies include:</p><p><strong>1. Use multifactor authentication and dual authorization techniques.</strong></p><ul style="list-style-type:disc;"><li>Many organizations unknowingly increase the fraud risk related to executive impersonation by assigning financial decision-making to a single individual, such as the comptroller. Regardless of size, employee tenure, and kind of business, organizations should always require dual authorization and separation of duties, so that no single deceived employee can move money out of the organization.</li><li>In addition, any email requesting the creation or change of wire payment instructions should be verified by phone or another means. Employees should use a dependable verification channel, such as a telephone number from an employee directory, to validate new wire payment instructions, because a hacked email could contain fraudulent contact information. If the email appears to come directly from an acquaintance or source the employee would typically trust, he or she should forward the message to that person's known address, rather than replying, to confirm that the individual really was the sender. Employees should never simply reply to the email with whatever information was requested.</li><li>Take steps to protect the organization's corporate identity and information by acquiring domain names similar to the one used by the organization and taking them off the market. For example, the marketing or IT teams at Fortune.com might buy "F0rtune.com," where the "o" has been replaced by a zero. Phishing emails are frequently sent from look-alike domains. Access to corporate directories and sensitive corporate information also should be strongly protected behind firewalls that are tested and updated regularly.</li><li>Establish additional IT and financial security procedures, including a two-step verification process that uses a channel other than email, such as a telephone call to a number already on file, to confirm significant transactions. Agree on that out-of-band channel early in the business relationship and outside the email environment, so that an attacker who has compromised a mailbox cannot substitute his or her own contact details. Use digital signatures where possible and automatically delete unsolicited email (spam) from unknown parties. Also, beware of sudden changes in business practices. If a current business contact suddenly asks to be contacted via his or her personal email address, when all previous official correspondence has been through a company email address, the request could be fraudulent. Employees should always verify through other channels that they are still communicating with a legitimate business partner.</li></ul><p><strong>2. Take a look at corporate culture and focus on educating employees.</strong></p><ul style="list-style-type:disc;"><li>Companies with an authoritarian hierarchy run more risk of phishing attacks, because employees tend to cooperate with schemes that sound authoritative. This also is true in organizational cultures where it is frowned on to ask for help, where there is some degree of mutual distrust, or where a less collaborative work model is used. Asking for IT help might create a backlash, so someone clicks on an email link, and it only takes one vulnerable recipient to give a phishing expedition what it needs to succeed. Mitigating this fraud risk requires both cultural change in the organization and maintaining a standard of technical literacy for all employees and contractors with access to organizational resources.</li><li>Implementing security controls and enhanced authentication can help stop these attacks, but educating employees against these socially engineered schemes is one of the best ways to defend against this form of fraud. Fraudsters prey on organizations with a lack of fraud knowledge. Educating all employees about the latest fraud trends is key to preventing fraud before it occurs or recognizing it quickly to reduce an organization's potential for loss. That should include educating employees about the tactics of phishers, which continually evolve, and going beyond the email-related admonitions to include more subtle advice. One specific example is teaching employees to read a URL from right to left: the true domain is the rightmost part of the host name, just before the path, so a link to "fortune.com.login-portal.example" actually belongs to login-portal.example, not Fortune.com. A link that uses plain http rather than https should be treated with suspicion, but https by itself proves nothing about who controls a site, since phishers readily obtain certificates for look-alike domains, and a link whose host is a bare IP address instead of a name is a strong red flag.</li><li>Part of education should include sending test phishing emails to employees to gather metrics about the effectiveness of the organization's anti-phishing training programs.</li></ul><p><strong>3. Establish a relationship with the right financial/audit partner.</strong></p><ul style="list-style-type:disc;"><li>It is key for organizations to partner with a financial/audit institution that keeps the organization informed about fraud developments and is invested in helping to protect that organization from fraud. The partner should inform the organization about relevant fraud industry data, provide help in identifying fraudulent activities early to reduce financial losses, and advise about fraud prevention best practices.</li></ul><p>Art Stewart</p>
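<p>To make the look-alike-domain and read-the-URL-right-to-left advice above concrete, here is an added example of the triage checks a mail gateway or a SOC analyst can apply to an inbound message. It is not code from the article or from any vendor. The corporate domain fortune.com, the executive directory, the confusable-character table, the pressure-word list and the sample message are all constructed for illustration, and the registrable-domain logic assumes a simple two-label domain (a public-suffix list is needed for forms such as example.co.uk).</p>

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed corporate domain and executive directory (constructed for this example).
CORP_DOMAIN = "fortune.com"
EXECUTIVES = {"carole gratzmuller": "carole.gratzmuller@fortune.com"}
# Substitutions used to build look-alike names, e.g. F0rtune.com or "rn" for "m".
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
# Secrecy and urgency cues the article warns about (hypothetical word list).
PRESSURE_WORDS = ("confidential", "urgent", "today", "immediately")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, corp=CORP_DOMAIN):
    """True if domain imitates corp via confusable characters or a single edit."""
    d = domain.lower()
    if d == corp:
        return False
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d == corp or edit_distance(d, corp) == 1


def registrable_domain(host):
    """Read the host right to left: the last two labels are the domain that was
    actually registered. Assumes a two-label domain; multi-label public suffixes
    such as .co.uk need a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def url_findings(url):
    """Indicators for one link: bare IP host, corporate name used as a subdomain
    of someone else's domain, or a look-alike registrable domain."""
    host = urlsplit(url).hostname or ""
    if is_ip_literal(host):
        return [f"{url}: host is a bare IP address"]
    real = registrable_domain(host)
    if real != CORP_DOMAIN and CORP_DOMAIN in host:
        return [f"{url}: real domain is {real}; {CORP_DOMAIN} appears only as a subdomain"]
    if is_lookalike(real):
        return [f"{url}: {real} is a look-alike of {CORP_DOMAIN}"]
    return []


def triage(raw):
    """Return the impersonation indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' is an executive, but sender is {addr}, "
                        f"not the directory address {expected}")
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} is a look-alike of {CORP_DOMAIN}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply_to} sends answers to a different domain than From")
    body = msg.get_payload()
    cues = [w for w in PRESSURE_WORDS if w in body.lower()]
    if cues:
        findings.append("body presses for secrecy or speed: " + ", ".join(cues))
    for url in URL_RE.findall(body):
        findings.extend(url_findings(url))
    return findings


# Constructed sample message imitating the Etna Industrie pattern (not a real email).
SAMPLE = """\
From: "Carole Gratzmuller" <carole.gratzmuller@f0rtune.com>
Reply-To: ceo.office@mail-relay.example.net
To: accountant@fortune.com
Subject: Confidential acquisition

This is confidential. I need the wire released today.
Confirm the beneficiary here: http://fortune.com.secure-payments.example.net/confirm
Fallback: http://203.0.113.45/wire
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

<p>Run as a script, it lists six indicators for the sample message; the same checks apply to any raw message passed to triage(). Note that https is deliberately not among the tests: a valid certificate says nothing about who holds the domain, which is why the registrable domain, not the padlock, is what the employee should read.</p>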
<h1>The Contracting Conspiracy</h1><p><a href="https://iaonline.theiia.org/2016/Pages/The-Contracting-Conspiracy.aspx" target="_blank">https://iaonline.theiia.org/2016/Pages/The-Contracting-Conspiracy.aspx</a></p><p>Two former Ottawa Hospital directors are accused of conspiring with contractors to defraud the hospital, <a href="http://www.cbc.ca/news/canada/ottawa/ottawa-hospital-files-lawsuit-against-former-directors-contractors-1.3392100" target="_blank">CBC News reports</a>. Frank Medwenitsch, the hospital's former director of planning and capital projects, and Brock Marshall, former director of engineering and operations, allegedly gave several contractors inappropriate advantages, such as advance copies of procurement documents and internal communications about projects and competing bids, according to the hospital. They also approved invoices for work that wasn't performed or completed, the hospital alleges. Moreover, the hospital claims Medwenitsch and two contractors "essentially" extorted Marshall to pay for inappropriate invoices. The hospital listed five contractors as defendants in its legal claim, which resulted from a 2015 external audit that noticed irregularities in its planning and facilities department. Marshall retired from the hospital in April 2015, while Medwenitsch resigned in October.</p><h2>Lessons Learned</h2><p>While this case of fraud allegedly committed by former Ottawa Hospital staff is still unfolding, its significance and impact are being revealed. Hospital administrators were initially tight-lipped about the case, but they now are focused on emphasizing that the fraud was relatively minor in dollar terms and that they have things under control by taking measures such as:</p><ul><li>Engaging an independent third-party forensic investigator.</li><li>Making appropriate changes to planning and facilities personnel.</li><li>Reviewing the prequalification list of vendors and related processes.</li><li>Putting additional layers of oversight and signing authority in place.</li><li>Initiating a best practices review to ensure the hospital is among the leaders in its processes and controls.</li></ul><p>Are these measures an adequate response on the part of management, or is there more it could do to prevent this kind of fraud? Here are some suggestions:</p><ul style="list-style-type:disc;"><li><strong>Hospitals should have a strong internal audit function.</strong> Most Ontario hospitals don't have an internal audit function to help them prevent and detect fraud sooner. The Ottawa Hospital has a CA$1.3 billion annual operating budget and close to 12,000 employees, equivalent to a large corporation, so it should have an internal audit function. The materiality of the alleged fraudulent activity has not yet been revealed, but just one of the contracts alleged to have been funneled to favored construction companies was worth over CA$125 million. Furthermore, any money lost through alleged fraud or embezzlement at The Ottawa Hospital is the responsibility of the hospital's board of governors and not the provincial government, because Ontario hospitals are independent corporations run by their boards of directors.</li><li><strong>The governance structure and processes of hospital boards of directors need to be regularly reviewed and strengthened, wherever needed.</strong> Such reviews should assess whether board composition is optimal from a skills perspective. Hospital boards naturally tend to emphasize a medical background and experience as prerequisites, but financial, business, and audit skills also should be sought. Where the board experiences a lapse due to fraud, and particularly where the hospital lacks an internal audit function, there can be calls for the removal of board directors for failing to adequately address such weaknesses. The problem is compounded where boards decide to stay silent and not communicate proactively with clients and stakeholders about a potential fraud, even where there are concerns about the legal implications of public statements. These can be addressed with appropriate legal and public relations advice. On a positive note, The Ottawa Hospital's audit committee appears to have appropriately structured roles, with both the CEO and chief financial officer involved only on an "ex officio" basis.</li><li><strong>As publicly funded institutions, hospitals need to establish the most rigorous possible policies and standards regarding internal controls.</strong> That would include the procurement model, policies, and processes, which I have detailed in previous articles. Particularly relevant in this case is the need to establish strict conflict of interest policies to prevent employees from accepting any kind of gift or favor. For example, one of the accused Ottawa Hospital employees, Medwenitsch, went on a luxury fishing trip as a guest of PCL Constructors Canada Inc., a company that later won bids for two construction projects worth more than CA$100 million each. Similarly, robust conflict of interest rules must also clearly prohibit a person responsible for a public procurement from doing business with the people he or she is supervising and awarding contracts to. In this case, a senior hospital official was found to have hired, and paid for, personal services from a company that had also won a major construction contract with the hospital, creating the appearance of a conflict of interest.</li></ul><p>Art Stewart</p>
<h1>Who's Keeping Your Books?</h1><p><a href="https://iaonline.theiia.org/2015/whos-keeping-your-books" target="_blank">https://iaonline.theiia.org/2015/whos-keeping-your-books</a></p><p>Phil Stewart owned a heating, ventilation, and air conditioning business that employed 286 people. He trusted his employees and, unfortunately, did not feel the need to put controls in place. As a result, Stewart became a victim of embezzlement by a trusted employee.</p><p>Because of the lack of segregation of duties in the company's accounting department, a tax consultant suggested to Stewart that the company evaluate its accounting and financial internal control procedures. This meant a complete review of all the policies and procedures designed to protect the company's assets and financial information.</p><p>Stewart was adamant that an internal control review would be a waste of the company's time and money. His bookkeeper, Shirley Thompson, had been faithfully taking care of the company's accounting duties for many years. Because he trusted her, he also had her doing his personal accounting and banking. However, after some persuasion, he decided to move forward with the review.</p><p>What the auditor found was that Thompson had stolen nearly US$50,000 from the company over five years. The fraud was easy to commit because her duties included preparing the daily bank deposit slips, making deposits at the bank, and preparing the monthly bank reconciliations. She would take between US$100 and US$500, sometimes more, from the daily bank deposits and cover the shortages with adjusting journal entries to various accounts in the accounts receivable ledger. No one reviewed Thompson's work or questioned her recordkeeping.</p><p>The company's receptionist, Sally Newberry, would open the mail each day and list the received check payments on a daily log of cash receipts. Newberry would then make two photocopies of the daily cash receipts log and give one copy to Thompson and one to the office manager. There were obvious problems with this cash control procedure. Newberry filed her copy of the daily cash receipts log in her cabinet and never compared the list with any bank deposit slips or the deposits on a bank statement. The office manager likewise filed his copy and never compared it with any bank deposit slips or the deposits on the bank statement. Thompson, too, filed her copy away and never looked at it again. In addition, no one reviewed the bank reconciliations prepared by Thompson, nor was there a review of the activity in the ledger.</p><p>Stewart was devastated to learn what Thompson had been doing. He terminated her but decided not to press charges when he found out why she was taking the money. Thompson was a single parent with a young daughter who was ill and in need of medical attention. Even with the company's insurance plan, she could not afford to pay for her medical costs.</p><h2>Lessons Learned</h2><p>A strong system of internal control is key for any business owner to avoid a situation like this. The purpose of internal controls is to foster reliable financial reporting, safeguard assets, and promote ethical conduct. For example, controls must exist over the maintenance of vendor lists, and user access to the accounting systems must be restricted with individual accounts and passwords and monitored through user activity logs.</p><p>Ensuring segregation of duties in the cash receipts and cash disbursements area is a critical internal control that no organization should overlook. For example, a small-business owner should ensure that the requisition, approval, and processing of all cash disbursement transactions are not performed by the same individual, and that whoever prepares and makes the bank deposit does not also prepare the bank reconciliation.</p><p>A cashier should open remittances in the presence of a responsible employee and immediately endorse checks with a stamp stating, "For Deposit Only." Cash and checks should be kept in a locked and secure area until they can be deposited. Furthermore, budgeting is not only a great planning tool for comparing actual results with forecasts; unusual variances in business activity also provide a red flag that may require a follow-up inquiry.</p><p>Establishing a company culture with an effective control environment is also an effective tool that a small-business owner can use to deter fraudulent activity, as the mere suggestion of a future investigation can reduce the occurrence of fraudulent behavior among employees. While time may not always permit a 100 percent review of all recorded transactions and related supporting documentation, the business owner should project his or her active oversight of the bookkeeping process by regularly requesting copies of the cash disbursement journals or of all checks and bank reconciliations.</p><p>Danny Coston</p>
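<p>The comparison nobody at the company performed, the receptionist's receipts log against what actually reached the bank, is a small piece of detection logic. The following is an added example, not from the article, that runs that control over constructed sample data: a daily receipts log, the bank's recorded deposits, the bookkeeper's adjusting entries to accounts receivable, and a duty assignment like Thompson's. All names, amounts, dates and the incompatible-duty policy are made up for illustration.</p>

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the article): one week of cash receipts.
RECEIPTS_LOG = [  # (date, payer, amount) as listed by the receptionist when opening the mail
    ("2015-03-02", "Acme Plumbing", 1250.00),
    ("2015-03-02", "Bayside Builders", 430.00),
    ("2015-03-03", "Cooper Homes", 980.00),
    ("2015-03-03", "Delta Realty", 275.00),
    ("2015-03-04", "Evans Bros", 2100.00),
]
BANK_DEPOSITS = {"2015-03-02": 1680.00, "2015-03-03": 1005.00, "2015-03-04": 1700.00}
JOURNAL = [  # (date, account, memo, amount) adjusting entries posted by the bookkeeper
    ("2015-03-03", "A/R Delta Realty", "disputed invoice write-off", -250.00),
    ("2015-03-05", "A/R Evans Bros", "reclass to allowance", -400.00),
    ("2015-03-05", "Office supplies", "correct coding", -35.00),
]
DUTIES = {  # who holds which duties in the cash cycle
    "thompson": {"prepare_deposit", "make_deposit", "bank_reconciliation", "post_journal"},
    "newberry": {"open_mail", "log_receipts"},
    "office_manager": {"approve_disbursements"},
}
# Duty combinations that must never sit with one person (hypothetical policy).
INCOMPATIBLE = [
    {"prepare_deposit", "bank_reconciliation"},
    {"make_deposit", "bank_reconciliation"},
    {"post_journal", "bank_reconciliation"},
    {"log_receipts", "prepare_deposit"},
]


def reconcile(log, deposits):
    """Total the receipts log per day and compare it with the bank deposit.
    Returns {day: amount logged but not deposited} for every day that differs."""
    logged = defaultdict(float)
    for day, _payer, amount in log:
        logged[day] += amount
    shortfalls = {}
    for day in sorted(set(logged) | set(deposits)):
        diff = round(logged[day] - deposits.get(day, 0.0), 2)
        if diff:
            shortfalls[day] = diff
    return shortfalls


def concealing_entries(journal, shortfalls, window_days=3):
    """Credits to accounts receivable that equal a shortfall and were posted
    within window_days after it are the entries that hide a skim."""
    hits = []
    for day, account, memo, amount in journal:
        if amount >= 0 or not account.startswith("A/R"):
            continue
        for short_day, short in shortfalls.items():
            gap = (date.fromisoformat(day) - date.fromisoformat(short_day)).days
            if 0 <= gap <= window_days and round(-amount, 2) == short:
                hits.append({"entry": (day, account, memo, amount), "covers": short_day})
    return hits


def sod_conflicts(duties, rules):
    """List (person, duty set) for every incompatible set held by one person."""
    return [(person, rule) for person, held in duties.items() for rule in rules if rule <= held]


if __name__ == "__main__":
    short = reconcile(RECEIPTS_LOG, BANK_DEPOSITS)
    for day, amount in short.items():
        print(f"{day}: logged receipts exceed bank deposit by {amount:.2f}")
    for hit in concealing_entries(JOURNAL, short):
        print("suspicious A/R credit", hit["entry"], "matches shortfall on", hit["covers"])
    for person, rule in sod_conflicts(DUTIES, INCOMPATIBLE):
        print(f"segregation-of-duties conflict: {person} holds {sorted(rule)}")
```

<p>On the sample data the reconciliation surfaces two days that are short by exactly the amounts later credited to receivables, and the duty check flags the bookkeeper three times. Either check alone would have exposed the scheme in the first month rather than the fifth year; the point of the example is that the control is a comparison of two independent records, and that independence is what the company had thrown away.</p>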
<h1>The Pastor and the Pop Star</h1><p><a href="https://iaonline.theiia.org/2016/Pages/The-Pastor-and-the-Pop-Star.aspx" target="_blank">https://iaonline.theiia.org/2016/Pages/The-Pastor-and-the-Pop-Star.aspx</a></p><p>The pastor of a Singapore megachurch will pay a high price for using church funds to promote his wife's singing career, <a href="http://www.dw.com/en/singapore-megachurch-leaders-jailed-in-corruption-case/a-18863692?adbsc=IAO55488746&adbid=667734225316020225&adbpl=tw&adbpr=390782790" target="_blank">Deutsche Welle</a> reports. Kong Hee, pastor of City Harvest Church, was sentenced to eight years in prison for diverting US$35 million from the church to advance Ho Yeow Sun's pop music endeavors, which included a video featuring Wyclef Jean. Kong claimed the initiative was part of a "crossover project" intended to promote the church. Five other church officials received prison sentences of 21 months to six years. Ho, who is also a church official, was not prosecuted. The case has been widely followed by the public in Singapore, where corruption cases are rare.</p><h2>Lessons Learned</h2><p>Although it is hard to get a clear sense of how much church fraud, or ecclesiastical crime, there is, most articles on the subject report that the amounts of money involved are well into the billions of dollars worldwide. Moreover, there is a significant degree of underreporting, as much as 95 percent according to some sources. For example, in a recent study by the Association of Certified Fraud Examiners (ACFE), a researcher interviewed those responsible for overseeing finances at 132 U.S. houses of worship. Among those church leaders, 13.4 percent reported their organization had been defrauded during the previous five years. But the ACFE researcher also suspected these leaders were vastly underreporting fraud, either because they were deluded or were lying to interviewers.</p><p>Here are five practices that can help safeguard against church fraud, with particular emphasis on those most relevant to this story:</p><ul style="list-style-type:disc;"><li><strong>Effective oversight.</strong> Church leaders are responsible for establishing policies and managing operational practices within the church. Whether that oversight is of employees or volunteers, it is critical to have good supervision of those who deal with church funds. The natural leadership tendency may be to empower leaders and trust that they will be good stewards of God's money, but when it comes to church finances, that leadership principle should be challenged, even in instances where the leadership possesses "rock star" qualities. The countless cases of church fraud speak to the critical need for church boards and leadership to wake up, do their job, and safeguard the money. Church boards and congregation members need to make their presence known, ask questions, and insist on timely and transparent financial reporting. Reporting and accountability within the church by church leaders is particularly important because in most cases churches are tax exempt and do not have to file tax returns with government agencies.</li><li><strong>Policies and procedures.</strong> Fundamental to any effort at control is to spend some time thinking through how the church would like to control the handling of, and access to, church funds, including for projects and missions. There should be clearly stated policies for matters such as church governance (including the accountability of church leaders), project and mission management (including what kinds of costs and amounts are permissible), and financial management (including cash management, two-person accountability, rotation of volunteers and staff who handle money, and the use of safes to store money). Paying particular attention to financial management, such as enforcing the practice of keeping financial records in the church office and having several people look at the books, makes it more likely that someone will notice irregularities.</li><li><strong>Training.</strong> Employees and volunteers who help with the financial management of the church, such as counting the offering or assisting in the church office, should be trained at least annually on the policies and procedures that relate to church funds. This training should discuss the measures that the ministry takes to safeguard its financial resources. This simple step may make would-be perpetrators think twice because they will see that the organization is diligent in its efforts to protect its resources.</li><li><strong>Audits.</strong> Church audits are unquestionably expensive, but it is critical that the church conducts thorough audits regularly. Even the Vatican is not immune to the need for audit work, as the Pope recently ordered audits of its finances. These audits should be performed by an independent outside auditor. This is another measure that alerts a potential fraudster that the books will be reviewed and that misappropriation of funds will be discovered.</li><li><strong>Background and credit checks.</strong> In today's society it is wise to perform background checks on all church employees and volunteers. Those who have access to church funds also should be subjected to a credit check. While this practice may seem invasive, it can provide information that can ultimately protect the church.</li></ul><p>Art Stewart</p>
<h1>Misleading Remedies</h1><p><a href="https://iaonline.theiia.org/2015/misleading-remedies" target="_blank">https://iaonline.theiia.org/2015/misleading-remedies</a></p><p>The U.S. Justice Department has filed 11 charges against USPlabs for unlawful sale of dietary supplements, <em>USA Today</em> reports. Prosecutors allege the Dallas-based company misled customers and regulators by labeling its supplements as made from "natural plant extracts" when they actually contained synthetic Chinese ingredients. Prosecutors charged the company with wire and mail fraud, as well as conspiracy. The charges are the result of a joint investigation by the U.S. Food and Drug Administration (FDA) and five other federal agencies.</p><h2>Lessons Learned</h2><p>The dietary supplements business, a $30 billion industry in the U.S., appears to be rife with fraudulent activity well beyond that documented in this story. A December 2013 <a href="http://www.usatoday.com/story/news/nation/2013/12/19/dietary-supplements-executives-criminal-records-spiked/4114451/" target="_blank"><em>USA Today</em> investigation</a> found about 100 companies that have been caught selling supplements secretly spiked with drugs, such as amphetamines, and potentially dangerous chemicals since 2007. The examination also found that at least 14 supplement companies were run by people with criminal records beyond traffic infractions. In Canada, a recent <a href="http://www.cbc.ca/marketplace/episodes/2015-2016/supplements" target="_blank"><i>CBC Marketplace</i> investigation</a> involving testing of various dietary supplements such as fish oil, vitamin C, and protein powder found that many of the products failed to meet the claims on their labels. For example, one vitamin C single-serve supplement contained only about one-third of the claimed 1,000 mg of vitamin C.</p><p>From a fraud prevention perspective, a comprehensive strategy seems warranted, including:</p><ul><li><strong>Regulators need to increase the level of oversight and scrutiny.</strong> Many industry watchers say the rules of both the FDA and Health Canada are antiquated for today's environment and under-regulate supplements. For example, both agencies must show that a product is unsafe before they can take any action to restrict its use or seek its removal from the market. Although supplements often are sold and used as remedies for various conditions, they are treated as food items, and supplement companies aren't required to prove their safety and effectiveness before putting them on the market, as is required for medications. Also, they are not required to register with either agency. Regulators also need to increase resources and the frequency of testing of products within this industry, backed up by enforcement action wherever violations are found.</li><li><strong>The dietary supplement industry needs to increase its self-regulation.</strong> That should include, in consultation with regulators, an industry registration system with criteria to address quality controls of supplement production and testing, particularly where ingredients originate from countries with less rigorous regulatory and enforcement regimes. Regular reporting of the results of quality testing to government agencies also could help. Additionally, measures such as some form of accreditation and background checking of senior company managers could decrease the chances of people with criminal records being involved with company activity. Requirements for more rigorous declaration of the ingredients in products and their amounts could help improve the level of trust by consumers and regulators in supplement products.</li><li><strong>Consumers must better educate themselves on the benefits and risks of dietary supplements.</strong> Although there is no foolproof way to protect consumers, there are a few strategies that can be employed. Consumers should look for <a href="http://www.usp.org/" target="_blank">United States Pharmacopeial</a> (USP) certified supplements, which is the industry's attempt at self-regulation. Talking to a medical professional before starting to take a supplement may result in useful insights. Several websites also offer information and advice to help distinguish the good from the bad when it comes to supplements. <a href="http://www.consumerreports.org/cro/health/index.htm" target="_blank">ConsumerReportsHealth.org</a>, which provides information on optimal doses and safe maximum doses, also has a list where consumers can see which of the most popular herbal remedies might have contraindications with traditional medications. <a href="http://www.nutrition.gov/" target="_blank">Nutrition.gov</a> has information on dietary supplements. <a href="http://mayoclinic.com/health/drug-information/DrugHerbIndex" target="_blank">MayoClinic.com</a> has a guide titled "Nutritional Supplements: What to Know Before You Buy."</li></ul><p>Art Stewart</p>
<h1>Internal Audit and Fraud</h1><p><a href="https://iaonline.theiia.org/blogs/marks/2015/internal-audit-and-fraud" target="_blank">https://iaonline.theiia.org/blogs/marks/2015/internal-audit-and-fraud</a></p><p>The IIA is releasing a series of papers that comment on different aspects of internal auditing, based on its <em>Global Internal Audit Common Body of Knowledge</em> (CBOK) study.</p><p><a href="http://theiia.mkt5790.com/CBOK_2015_Responding_Fraud_Risks/?adbsc=ACTVFeature54078186&adbid=10153389661603191&adbpl=fb&adbpr=43046323190&webSyncID=a822301b-e005-8022-5550-b626d83d0d3e&sessionGUID=37da2c74-2cd2-1aae-87b4-7c1ce0dc1280" target="_blank">Responding to Fraud Risk: Exploring Where Internal Audit Stands</a>, by Farah G. Araj, has some interesting content.</p><p>I think everybody would agree that the risk of fraud merits serious attention by internal audit, whether we are talking about financial statement fraud (the filing of fraudulent statements with government agencies), theft, or bribery and corruption.</p><p>It is my experience that many internal audit departments, their managers and staff, are fascinated or even obsessed with fraud. It is similarly my experience that many management teams and boards set the expectation that internal audit <em>should</em> be obsessed with fraud — both its prevention and its detection. Some commentators seem to believe that fraud should be the primary concern of internal audit.</p><p>Yet, it is very unusual for fraud to bring down a company or even to have a significant effect on its results.</p><p>It happens, but not as often as people think.</p><p>The Association of Certified Fraud Examiners has studied the level of fraud for many years. Its latest (2014) <a href="http://www.acfe.com/rttn-summary.aspx" target="_blank">Report to the Nations on Occupational Fraud and Abuse</a> estimates that "the typical organization loses 5% of revenues each year to fraud." That's a lot, but is it enough to justify obsession? Surely, every organization has more critical risks that can lead the company to fail.</p><p>In fact, the ACFE reports that the median theft is US$130,000; the median corruption loss is US$200,000; and the median loss from financial statement fraud is just US$1 million.</p><p>The CBOK report discusses this in an important chart, which compares board and executive views of top risks to those of internal audit.</p><p>While 31 percent of internal audit respondents identified fraud as one of the top five risks that internal audit should focus on (there was a huge range of responses when you look at this by region), just 19 percent of executives agreed.</p><p>The IIA report lists a number of standards that require internal audit to consider fraud risk, but the key is that there should be <em>consideration</em> of fraud, not that fraud must always rise to the top of the internal audit agenda.</p><p>My view is that internal audit should consider fraud risk together with all enterprise risks, and dedicate time and resources accordingly. If the risk is high (in terms of the likelihood of a fraud that would be significant to the success of the organization), do more than if the risk is not among the top risks to the enterprise.</p><p>The IIA study also looks at ownership of fraud-related responsibilities. It says:</p><p><span class="ms-rteiaStyle-BQ">"About 3 out of 10 of all survey respondents say internal audit has 'all or most of the responsibility' for detecting or preventing fraud at their organizations, with about another 6 out of 10 saying they have 'some of the responsibility' … [and] internal auditors are slightly more likely to be responsible for <em>detecting</em> fraud than <em>preventing</em> fraud."</span></p><p>As the report points out, <em>management</em> and not internal audit should have responsibility for both fraud prevention (i.e., the design and operation of related internal controls, including ethics policies, training, and whistleblower lines) and detection (i.e., detective internal controls). However, with the approval of the audit committee, internal audit can take on, as an advisory service, the operation of the whistleblower line. Internal audit can also, depending on the level of risk, decide it is appropriate to perform some degree of fraud detection, without absolving management of that responsibility.</p><p>The last point I want to make concerns investigations. In <a href="http://www.amazon.com/World-Class-Internal-Audit-Tales-Journey/dp/1500791962/ref=la_B00IZAOOW2_1_2_title_0_main?s=books&ie=UTF8&qid=1409235067&sr=1-2" target="_blank"><em>World-Class Internal Auditing: Tales From My Journey</em></a>, I share a number of stories about frauds I and/or my team investigated over the years. I also share some of the principles that drive my approach to fraud investigation. One is:</p><p><span class="ms-rteiaStyle-BQ">"Investigations should only be performed by individuals who have been sufficiently trained and experienced. When I formed a team at Tosco, one of the requirements was that the investigators hold a Certified Fraud Examiner (CFE) credential and had demonstrated, to my satisfaction, their abilities by performing investigations under the direct supervision of a CFE."</span></p><p>The CBOK study points out that "Only 6% of internal auditors globally (5% in 2010) have a fraud examiner certification, such as the ACFE's certified fraud examiner (CFE) certification". However, the 2010 CBOK study (the question was not asked in the recent study) found that "71% of [internal audit] respondents said they carried out 'investigations of fraud and irregularities' as part of their activities."</p><p>This worries me. When investigations are performed by people without the requisite training and experience, the risk to the organization can be greater than the fraud itself!</p><p>Do you agree?</p><p>I welcome your comments.</p><p>Norman Marks</p>
<h1><a href="https://iaonline.theiia.org/2015/slick-dealings">Slick Dealings</a></h1><p>The CEO of Indonesian energy company Pertamina announced that an outside forensic audit has discovered fraud in its former trading unit, <a href="http://www.reuters.com/article/2015/11/09/indonesia-pertamina-probe-idUSL3N13435T20151109#8lcD0TZWtmhEG7Al.99" target="_blank">Reuters reports</a>. Indonesia's energy minister says auditors found that third parties had rigged tenders and leaked the Petral unit's price calculations, leading Pertamina to pay higher prices to import fuel and crude oil. Auditors also reported that Petral had prearranged traded volumes to limit competition and given preference to national oil companies. State-owned Pertamina is dismantling Petral, which had been suspected of corruption, and is replacing it with a new group that has yielded US$103 million in cost savings in the third quarter.</p><h2>Lessons Learned</h2><p>This case is a good reminder of the risks and control failures involved, and of the need to prevent and detect price-fixing, bid rigging, and corruption in market allocations. Although many developed countries such as the U.S. have extensive and rigorous laws, regulations, and oversight bodies for this purpose — the U.S. Sherman Antitrust Act is a good example — others, including Indonesia, do not have such safeguards in place. Consumers, no matter where they live in the world, should have the right to expect the benefits of free and open competition. Public and private organizations often rely on a competitive bidding process to achieve that end. The competitive process only works, however, when competitors set prices honestly and independently. When competitors collude, prices are inflated and the customer is cheated. Collusion and related fraudulent activities also are more likely to occur in industries such as the energy sector if there is a monopoly or few sellers.</p><p>In several previous columns I have advised on the types of controls that both auditors and key guardians such as procurement agents can use to decrease the chances of fraud. This column looks at the major types of fraud schemes and the red flags auditors should focus on to detect them:</p><ul><li><strong>Bid Rigging.</strong> The most common fraud schemes involve bid suppression, complementary bidding, bid rotation, or market allocation. Bid suppression occurs when one or more competitors agree not to bid, or withdraw a previously submitted bid, so that a designated bidder will win; in return, the nonbidder may receive a subcontract or payoff. In complementary bidding, co-conspirators submit token bids that are intentionally high or fail to meet all of the bid requirements in order to lose a contract. Bid rotation happens when all co-conspirators submit bids but, by agreement, take turns being the low bidder on a series of contracts. Market allocation occurs when co-conspirators agree to divide up customers or geographic market areas and will only submit bids when a solicitation for bids is made by a customer or in a market not assigned to them. A top 10 "red flag" list for these schemes should include:<ul><li>Identical bids from different companies, either as individual line items or lump-sum bids.</li><li>Bids that come in above the estimate for the value of the contract or above comparable bids by the same companies in other areas.</li><li>The winning bidder subcontracts part of the business to one or more losing bidders.</li><li>Indications that a physical alteration of bids has occurred, particularly at the last minute.</li><li>Particular line items for some bidders are much higher than for others and seem out of sync with costs.</li><li>Bids of companies are very close, indicating that bidders knew each other's prices.</li><li>Physical evidence of collusion, such as different companies submitting bids with the same handwriting, in the same envelopes, with the same mathematical or spelling errors, or from the same fax number.</li><li>Significant increases by bidders over previous prices when there have been no substantial cost increases.</li><li>Prices drop when a new bidder appears on the scene.</li><li>Competitors meet shortly before or after the bids are submitted.</li></ul></li><li><strong>Price Fixing.</strong> This occurs when competitors agree to raise or fix the prices they will charge for their goods or services, set a minimum price that they will not sell below, or reduce or eliminate discounts. Major red flags include:<ul><li>Circumstances where competitors announce their price increases at the same time for the same amount, or have staggered price increases with a pattern, such as appearing to take turns going first.</li><li>Competitors reducing or eliminating discounts at the same time.</li><li>Situations in which prices seem to be uniform and suppliers refuse to negotiate those prices.</li></ul></li><li><strong>Market Allocation.</strong> Such schemes involve bidding or quoting prices for services or goods after there has been a behind-the-scenes agreement as to who will bid for what part of the market. Major red flags include:<ul><li>The same company seems to get the organization's business over and over, and its competitors never bid for it or may refuse to offer a quote. If they do, the quote may be ridiculously high to discourage the organization from changing suppliers.</li><li>Conversely, circumstances where companies that should want the organization's business are not interested.</li></ul></li></ul><p>The above red flag list cannot be considered exhaustive, nor is it definitive evidence of fraud. Instead, it provides indicators that can be used for further investigation and potential reporting to management, oversight, and regulatory bodies.</p><p>Art Stewart</p>
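<p>Most of the bid rigging red flags above are conditions an auditor can test mechanically against a tender register. As an added example (not the column's or the IIA's own tooling), the Python below screens a constructed series of four tenders for several of the listed indicators: identical or near-identical lump-sum bids and line items, every bid above the buyer's estimate, a winner subcontracting to a losing bidder, a price drop when a new bidder appears, and the same bidders taking turns as low bidder. The bidder names, amounts, estimates, and thresholds (1 percent for "very close" bids, 15 percent for a price drop) are assumptions for the example.</p>

```python
"""Bid-rigging red-flag screen run over a series of tenders.

Added example for this column; not the author's or the IIA's tooling.
The tenders, bidders, estimates and thresholds below are constructed.
"""
from dataclasses import dataclass, field
from itertools import combinations

# Thresholds are assumptions for the example, not figures from the column.
NEAR_PCT = 0.01   # two bids within 1% of each other suggest shared prices
DROP_PCT = 0.15   # winning bid/estimate ratio falls 15%+ once a newcomer bids


@dataclass
class Bid:
    bidder: str
    total: float
    line_items: dict = field(default_factory=dict)  # item -> quoted price


@dataclass
class Tender:
    tender_id: str
    estimate: float           # buyer's own cost estimate for the contract
    bids: list
    subcontracts: list = field(default_factory=list)  # (prime, subcontractor)

    def winner(self):
        return min(self.bids, key=lambda b: b.total)


def screen_tender(t):
    """Red flags visible inside one tender: identical bids, near bids,
    every bid above the estimate, winner subcontracting to a loser."""
    flags = []
    for a, b in combinations(t.bids, 2):
        if a.total == b.total:
            flags.append(f"{t.tender_id}: identical lump-sum bids {a.bidder}/{b.bidder}")
        elif abs(a.total - b.total) / max(a.total, b.total) <= NEAR_PCT:
            flags.append(f"{t.tender_id}: bids within {NEAR_PCT:.0%} {a.bidder}/{b.bidder}")
        for item in a.line_items.keys() & b.line_items.keys():
            if a.line_items[item] == b.line_items[item]:
                flags.append(f"{t.tender_id}: identical line item '{item}' {a.bidder}/{b.bidder}")
    if all(b.total > t.estimate for b in t.bids):
        flags.append(f"{t.tender_id}: every bid exceeds the estimate")
    win = t.winner().bidder
    losers = {b.bidder for b in t.bids} - {win}
    for prime, sub in t.subcontracts:
        if prime == win and sub in losers:
            flags.append(f"{t.tender_id}: winner {prime} subcontracts to losing bidder {sub}")
    return flags


def screen_series(tenders):
    """Red flags visible only across tenders: a price drop when a new bidder
    appears, and the same bidders taking turns as low bidder (rotation).
    Winning bids are normalised by the estimate so contracts of different
    size can be compared."""
    flags = []
    seen, prior_ratios = set(), []
    for t in tenders:
        names = {b.bidder for b in t.bids}
        ratio = t.winner().total / t.estimate
        newcomers = names - seen
        if newcomers and prior_ratios:
            baseline = sum(prior_ratios) / len(prior_ratios)
            if ratio <= baseline * (1 - DROP_PCT):
                flags.append(f"{t.tender_id}: winning price fell {1 - ratio / baseline:.0%} "
                             f"below the series baseline after {', '.join(sorted(newcomers))} entered")
        seen |= names
        prior_ratios.append(ratio)
    # Rotation: the same bidder set across 3+ tenders, each winning exactly once.
    # A longer series would need a sliding window; one full cycle is enough here.
    by_field = {}
    for t in tenders:
        by_field.setdefault(frozenset(b.bidder for b in t.bids), []).append(t)
    for bidders, group in by_field.items():
        winners = [t.winner().bidder for t in group]
        if len(group) >= 3 and len(set(winners)) == len(winners):
            flags.append("bid rotation: " + ", ".join(sorted(bidders)) + " each won exactly once across "
                         + ", ".join(t.tender_id for t in group))
    return flags


# Constructed tender series (not taken from the Pertamina case).
TENDERS = [
    Tender("T1", 100_000, [
        Bid("Alpha", 118_000, {"mobilization": 20_000, "paving": 98_000}),
        Bid("Beta", 118_900, {"mobilization": 20_000, "paving": 98_900}),
        Bid("Gamma", 121_000, {"mobilization": 21_000, "paving": 100_000}),
    ], subcontracts=[("Alpha", "Beta")]),
    Tender("T2", 200_000, [Bid("Beta", 236_000), Bid("Alpha", 240_000), Bid("Gamma", 243_000)]),
    Tender("T3", 150_000, [Bid("Gamma", 177_000), Bid("Alpha", 180_000), Bid("Beta", 183_000)]),
    Tender("T4", 120_000, [Bid("Delta", 110_000), Bid("Alpha", 141_000), Bid("Beta", 143_000)]),
]


def run_screen(tenders=TENDERS):
    """All flags for the series: per-tender first, then cross-tender."""
    flags = [f for t in tenders for f in screen_tender(t)]
    return flags + screen_series(tenders)


if __name__ == "__main__":
    for f in run_screen():
        print(f)
```

<p>The output is a list of indicators for follow-up, in keeping with the column's caveat that none of the red flags is proof of collusion on its own. Normalising each winning bid by the buyer's estimate is what makes the "prices drop when a new bidder appears" check usable across contracts of different sizes; without it, the comparison would simply reflect contract value.</p>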
<h1><a href="https://iaonline.theiia.org/2015/the-abuse-of-executive-power">The Abuse of Executive Power</a></h1><p>It was 9:35 on a Wednesday morning in New York at the board meeting of a multi-billion-dollar, publicly traded company. The CEO, Richard Tompkins, was in a rage. The chairman of the board had just told him to resign or he would be fired. Tompkins’ reaction was classic, immediate, and violent. He was the shareholders’ greatest nightmare.</p><p>Tompkins was brought in to execute the turnaround of the company and initially had done a reasonable job. He claimed he needed a team he could trust and did not have time to evaluate the existing group, so he brought in a new chief operating officer, chief financial officer (CFO)/controller, chief information officer, human resources (HR) director, general counsel, purchasing agent, CAE, and external auditor — all friends and former colleagues. The board, anxious for the company to be saved, voted in favor of every organizational change Tompkins steamrolled through. But over the next several years, rumors of executive abuse began, including insider land deals and related-party transactions, excessive equipment and service purchases from related parties, unusual consulting contracts, inappropriate personal expenses, personal use of the company airplane, extravagant golf outings and parties, unnecessary foreign travel, and company vehicle abuse.</p><p>During this period, even the chairman, who was busy with other ventures, took little time to fully understand what was going on inside the company. Meanwhile, the internal auditors, while formally reporting to the audit committee, were under the day-to-day control of the CFO, Tompkins’ close friend. As long as the earnings looked good, the board was happy to show up and vote “present.”</p><p>When the recession took hold and revenues dried up, multiple frauds began to surface, rounds of layoffs commenced, and whistleblower calls started pouring in to the HR director, with no effective or independent follow-up. The calls then were diverted to corporate counsel, who wrote them off as disgruntled former employees, assuring the chairman that there was no basis to these unfounded allegations. The audit committee chairman, an outside member of the board brought in by Tompkins, put his faith in the audit system and did not give the disgruntled former employees adequate consideration.</p><p>All these activities finally came to light because of Harriet Stevens, a quiet and humble accounts payable employee who identified a US$2.5 million bridge construction project over the company’s pond that was awarded to the CEO’s son, a building contractor. Stevens first called the company’s ethics hotline. When nothing happened after her report, she called the chairman of the board.</p><p>The chairman was independent of management and the largest shareholder in the company. His interests were well aligned with the shareholders. He called in independent investigators, whom he initially paid for out of his own pocket. As the inside business process consultants reviewed company operations, they fed the outside team with various leads, which allowed the investigators to identify and target various companies and individuals for investigation and approach. This effort, combined with the numbers coming from the inside team, allowed the investigators to identify and document numerous serious irregularities and outright frauds perpetrated by Tompkins and his cohorts.</p><p>Tompkins’ multiple frauds were successful — at least for a time — because he had complete and unquestioned control over the day-to-day operations of the business, including the ability to circumvent existing weak controls. Tompkins was able to pack the company with yes-men and friends — some of whom actively participated, enabled, or otherwise conspired with him in several frauds. The external auditors were completely ineffective in probing deeply enough to ferret out the misdeeds. They were eager to maintain their new Fortune 100 client and did not want to rock the boat. Consequently, they failed to recommend a stronger and tighter business control structure to prevent some of the shenanigans. While the outside auditors were aware of the internal control weaknesses surrounding Tompkins’ inappropriate activities, they failed repeatedly to directly confront these issues.</p><p>The board was little more than a rubber stamp for Tompkins. Whatever he did in the name of saving and running the company was always approved. All of the independent directors sat on multiple boards, leaving them insufficient time to direct and monitor the company’s executives. Several lacked the depth of skill to understand the company’s operations and competitive position. In particular, the audit committee chairman placed far too much reliance on the work and opinions of the outside auditors and the CFO.</p><p>During the early phases of the CEO’s irregular activities, the magnitude of the transactions fell far below the “materiality levels” of the outside auditors. This fact, combined with the CFO’s willingness to hide questionable spending within the forest of the company’s transactions, effectively camouflaged the CEO’s activities.</p><p>The board was faced with a vexing dilemma. It needed to decide whether to pursue criminal or civil action against the CEO or let him go quietly to avoid a scandal, which would negatively affect the shareholders. In the end, it chose the quiet path.</p><h2>Lessons Learned</h2><ul><li>The chairman is, or should be, the chief advocate for the shareholders, and completely independent of management. It is the chairman’s primary job to direct the company’s executives and drive oversight of their activities in the name of the shareholders.</li><li>An independent and highly skilled audit committee chairman is essential to maintain a robust system of checks and balances over all operations. To be truly effective, the chairman must be independent of those he or she is charged with watching.</li><li>The CAE must report to the audit committee and have his or her budget, compensation, mission, career path, and hiring/firing authority fully insulated from executive management.</li><li>The chairmen of the board and the audit committee must devote material time to their duties. While the board can use the company’s oversight functions to maintain a checks and balances process, there is no substitute for personal, direct involvement.</li><li>The board must be willing to direct inquiries into allegations of misconduct, and have unquestioned confidential spending authority to conduct reviews and investigations as it deems necessary.</li><li>One of the most effective compliance tools available to the board is the day-to-day vigilance of the company’s employees. When an individual employee detects wrongdoing, he or she must have an effective and safe method to report observations, such as a third-party ethics hotline that reports to the chairman of the board and audit committee. All employees must be protected from retribution to avoid any possibility of corrupting the process.</li><li>A zero-based budgeting process — requiring that the individual elements of the company’s budget be built from the bottom up, reviewed in detail, and justified — would have facilitated the identification of unusual spending in numerous corporate and operating units. This provides an in-depth view of spending, as opposed to basing the current year’s spending, in aggregate, on last year’s spending, where irregularities may be buried and overlooked.</li></ul><p><span class="ms-rteiaStyle-authorbio">John L. Verna, CBA, CPA, CFE, is founder and executive director of the Center for Strategic Business Integrity in Washington, D.C.<br>Christopher T. Marquet, CBA, is managing director and head of research for the Center for Strategic Business Integrity and the CEO and founder of Marquet International Ltd. in Wellesley, Mass.</span></p>
<h1><a href="https://iaonline.theiia.org/2015/fleecing-the-crowd">Fleecing the Crowd</a></h1><p>Las Vegas-based Ascenergy LLC and its CEO Joseph Gabaldon are facing charges of running a deceptive crowdfunding scheme that allegedly defrauded investors of US$5 million, <a href="http://petroglobalnews.com/2015/10/las-vegas-firm-ceo-charged-with-5m-oil-and-gas-crowdfunding-scheme/?adbsc=IAO54686296&adbid=660093820097265664&adbpl=tw&adbpr=390782790" target="_blank"><em>Petro Global News</em> reports</a>. The U.S. Securities and Exchange Commission (SEC) says Ascenergy used crowdfunding websites to raise investments in underdeveloped oil and gas wells, but it alleges that Ascenergy misrepresented the company and the nature of the investment. Moreover, the SEC says Ascenergy has spent only a few thousand dollars on oil and gas-related expenses out of the US$1.2 million the company has spent so far from the money it raised. Instead, most of the money has gone to Gabaldon and companies he controls, the SEC says. The U.S. District Court for Nevada has issued a temporary restraining order to halt the offering as well as an order freezing Ascenergy and Gabaldon's assets.</p><h2>Lessons Learned</h2><p>Crowdfunding has exploded as a new way of attracting funding and financing for individuals, small businesses, and entrepreneurs around the world. In 2013, the global crowdfunding industry was responsible for between US$3 billion and US$5 billion in funding, according to a January 2014 report from TD Bank Economics, <em>Crowdfunding: A Kick Starter for Startups</em>. A 2013 World Bank report, <em>Crowdfunding's Potential for the Developing World</em>, states that there is a significant number of crowdfunding investment platforms in developed countries — for example, the U.S. has 344 different platforms, the U.K. has 87, and France has 53 — and developing countries won't be far behind in establishing their own versions. The report also cites the 2008 financial crisis as one of the main catalysts for interest in crowdfunding, and specifically equity crowdfunding, in the U.S. Another catalyst is the growth in the availability of lower-cost broadband Internet to a much greater number of individuals.</p><p>Crowdfunding is truly one of those game-changing concepts that disrupts the traditional industries and players, but because it is built on trust, it's ripe for fraud. The fraud can manifest itself in many different ways. Misappropriation can be easy to pull off through false websites. As with any online financial transaction, phishing schemes can be used to illegally gain access to personal and financial information such as credit card and banking information. The funds raised can be used for purposes other than what was initially disclosed. The creator also may claim that he or she owns the idea, but this may or may not be true.</p><p>Not surprisingly, many of the anti-fraud measures for preventing crowdfunding fraud are similar to those that should be adopted to counter most kinds of financial fraud. These include:</p><ul style="list-style-type:disc;"><li><strong>Potential investors need to dig into the creator's business background.</strong> Has he or she launched other projects successfully or supported such projects? Is there a professional online profile that demonstrates expertise in this area? Is the person trying to fund the same project on multiple crowdsourcing sites? That could show an attempt to raise as much money from as many people as possible — not necessarily a fraud red flag per se, but potentially an indicator of increased risk. Also, check the creator's credentials. Many crowdfunding sites state that the person has a Facebook or similar social media page, but anyone can make a Facebook page. Analyze the page: Are the friends real or just "filler"? Are there real-time comments? Does the person have just one social media site, or is he or she listed on other sites? A short timeline might indicate the page was created just before asking for funding.</li><li><strong>Crowdfunding platforms need to adopt basic anti-fraud strategies and techniques,</strong> both in their own interests and to protect consumers and investors. Many crowdfunding platforms assert a commitment to integrity and ethics. For example, Kickstarter deploys an "integrity team" that uses complex algorithms and automated tools to identify and investigate suspicious activity on projects. However, Kickstarter doesn't make public data on the actions it has taken to report or file a complaint about such suspicious activity with the U.S. Federal Trade Commission (FTC) or a state attorney general. The community of "backers" is more of a de facto protector against fraud, because they report on what project creators are pitching and whether they are following through.</li><li><strong>Expect more regulatory scrutiny of crowdfunding as the crowdfunding industry grows and grapples with fraud.</strong> To the crowdfunding community, external regulatory oversight may be anathema to be resisted, but the reality is that fraud such as that described in this story must be addressed. Measures do not necessarily have to impinge harmfully on the flexibility and speed desired by the crowdfunding community. For example, the FTC has launched a program called FinTech, aimed at protecting consumers in the rapidly expanding and evolving high-tech markets. Additionally, the SEC recently issued regulations to enable companies to offer and sell securities through crowdfunding, as well as to make it easier — within financial transaction size limits — for startup companies to attract financing in accordance with the Jumpstart Our Business Startups Act of 2012 (JOBS Act). The crowdfunding world appears happy about these changes.<p>The rules also include numerous requirements that should be of particular interest to auditors who might advise on ways the crowdfunding industry could protect itself more generally from fraud activity. Companies that want to conduct a crowdfunding offering need to file certain information with the SEC and provide this information to investors and the intermediary facilitating the offering, including:</p><ul style="list-style-type:disc;"><li>The price to the public of the securities or the method for determining the price, the target offering amount, the deadline to reach the target offering amount, and whether the company will accept investments in excess of the target offering amount.</li><li>A discussion of the company's financial condition.</li><li>Financial statements of the company that, depending on the amount offered and sold during a 12-month period, are accompanied by information from the company's tax returns, reviewed by an independent public accountant, or audited by an independent auditor. A company offering more than US$500,000 but not more than US$1 million of securities relying on these rules for the first time would be permitted to provide reviewed rather than audited financial statements, unless financial statements of the company are available that have been audited by an independent auditor.</li><li>A description of the business and the use of proceeds from the offering.</li><li>Information about officers and directors as well as owners of 20 percent or more of the company.</li><li>Certain related-party transactions.</li></ul></li></ul><p>Art Stewart</p>
<h1><a href="https://iaonline.theiia.org/2015/swipe-once-for-fraud">Swipe Once for Fraud</a></h1><p>A single seller defrauded online payments company Square out of US$5.7 million, <a href="http://www.businessinsider.com/square-fraud-risks-2015-10" target="_blank"><em>Business Insider</em> reports</a>. Omaha, Neb.-based event planner Creative Creations allegedly used its Square card reader to sell worthless travel vouchers, according to the <a href="http://www.omaha.com/money/creative-creations-voucher-fraud-case-dents-square-s-ipo-filing/article_2cf4a026-ae45-5d97-b1ba-1259bcd78768.html" target="_blank"><em>Omaha World-Herald</em></a>. Square revealed that such fraud is a big risk in an initial public offering filing with the U.S. Securities and Exchange Commission (SEC). The company notes that the automated nature of its payment services makes it an attractive target for fraudulent and illegal activities. Moreover, Square acknowledged that it could be liable for losses associated with chargebacks and refunds connected to illegitimate transactions. Chargebacks occur when a person notices a charge for something he or she didn't purchase and the credit card company refunds the amount to the cardholder. Square, as the processor, may be liable for reimbursing the credit card company if the seller is unwilling or unable to do so.</p><h2>Lessons Learned</h2><p>As various forms of businesses targeting lower-cost electronic financial transactions proliferate, so too do the associated risks of fraud. In Square's business model, the company charges a fee of 2.75 percent on every credit card transaction but does not charge sellers monthly fees or set-up costs. Square claims its costs are, on average, lower than the costs charged by conventional credit card processors. Square is regarded as a useful application for entrepreneurs, such as consultants, food truck operators, and other small retailers. Swiped payments are deposited directly into a user's bank account within one or two business days.</p><p>By its own admission, Square's business model puts it at a high level of risk for fraud. Its SEC filing notes, "The highly automated nature of, and liquidity offered by, our payments services make us a target for illegal or improper uses, including fraudulent or illegal sales of goods or services, money laundering, and terrorist financing. Identity thieves and those committing fraud using stolen or fabricated credit card or bank account numbers, or other deceptive or malicious practices, potentially can steal significant amounts of money from businesses like ours."</p><p>So what might Square do to preserve its flexible payment services model while combating fraudulent activity such as chargebacks?</p><ul style="list-style-type:disc;"><li><strong>Implement a robust anti-fraud regime, tailored to its business model and customers.</strong> That would include a fraud risk assessment of high-risk customers (for example, those with little or no credit history, sellers who only provide future delivery of goods/services, and sellers with links to foreign or unknown origins) and of high-risk transactions (for example, higher dollar value or higher volume). As it did with an outright ban on firearms-related transactions, Square could set out other kinds of transactions and customers it will give closer scrutiny to or simply not accept, based on that fraud risk assessment. Certainly, periodically testing the legitimacy of potentially high-risk or suspicious transactions and customers is a good practice. This should be done in combination with various electronic tests, such as verifying the IP address of the customer/seller, checking whether sellers have a legitimate presence on Facebook or other social media, and verifying whether the billing and selling addresses match.</li><li><strong>Consider introducing stronger controls over transactions that do not compromise either its business model or financial viability.</strong> These could include:<ul><li>Establishing a reasonable waiting period before a customer or seller is reimbursed in a chargeback situation, to allow time to confirm the validity of the transaction.</li><li>Investing in EMV chip card technology for all of its card readers to increase overall security over transactions.</li><li>Requiring high-risk sellers, identified in the fraud risk assessment, to maintain a financial reserve to cover losses such as those from chargebacks.</li><li>Avoiding higher-risk transactions, such as purchases shipped to a freight company. For example, such companies can send goods overseas and a chargeback can still follow.</li></ul></li></ul><p>Art Stewart</p>
