The Phantom Employee<p>A senior official with the U.S. Bureau of Land Management (BLM) has been convicted of covering up that a former subordinate was still being paid by the agency, <a href="" target="_blank">the Associated Press reports</a>. Federal investigators say John Grimson Lyon, the BLM's Eastern States Region director, aided his former deputy Larry Denny in receiving US$112,000 in wages and benefits after Denny left the agency for a job in Montana in July 2012. They say Lyon certified Denny's work hours and sick leave until March 2013 and pressured BLM employees who raised questions about Denny. A federal judge in Montana sentenced Lyon to six months in prison and ordered him to pay US$74,000 in restitution. Denny has pleaded guilty to theft and fraud, and awaits sentencing. </p><h2>Lessons Learned</h2><p>This story involves a form of payroll fraud, albeit a very sizable single example. Making the story that much worse is the deliberate, sustained collusion between the former employee and his supervisor that enabled this fraud to go undetected for many months. When employees are paid for time they have not actually worked, it's a form of fraud and theft. It is estimated that the average employee "steals" between four and five hours a month from his or her employer — committing time sheet fraud, break abuse, or conducting personal business on company time — which adds up to one full work week every year, costing businesses hundreds of billions of dollars a year worldwide. According to the Association of Certified Fraud Examiners, payroll fraud is the No.
1 source of accounting fraud and employee theft:</p><ul style="list-style-type:disc;"><li>Payroll fraud happens in 27 percent of businesses.</li><li>Payroll fraud occurs nearly twice as often (14.2 percent) in small organizations with fewer than 100 employees than in large ones (7.6 percent).</li><li>The average instance of payroll fraud lasts about 36 months.</li></ul><p>Internal auditors should check that their organization has taken steps to address payroll fraud and time theft:</p><ul style="list-style-type:disc;"><li>Internal controls are the first line of defense against payroll fraud. In the case of the BLM, clearly the soundness of those controls should be questioned. In writing this article, I checked the BLM's website for audits conducted, going back several years, but I didn't find any related to payroll and employee time theft issues. Payroll audits should be conducted regularly in all areas of the organization and cover all types of employment situations. Using computers, it is relatively easy to flag anyone who receives certain categories of pay such as sick leave, temporary employment with another organization, overtime, and standby time. An identified subpopulation of employees can then be stratified based on materiality and risk for further investigation.</li></ul><ul style="list-style-type:disc;"><li>Senior management and its related human resources and financial management oversight function also need to be engaged in the review of salary expenditure and employee performance reports, including talking to employees from time to time. An effective human resources function should be able to scrutinize employee time and leave reporting for unusual patterns and to report these incidents to senior management. </li></ul><ul style="list-style-type:disc;"><li>Another check and balance on potential long-term time theft fraud is to periodically conduct "desk audits" of employee work functions as detailed in job descriptions vs. 
how the employee actually performs the work. This practice is useful both in periods of organizational change and relative stability where productivity improvements may be desirable. </li></ul><ul style="list-style-type:disc;"><li>Rigorous background and security checking before recruitment takes place is always a good practice, but given the evidence of ever-increasing fraud committed by long-term employees and managers, it also is important to periodically re-check employee backgrounds to establish whether their personal circumstances and predilections for fraudulent behavior may have changed. In an environment where younger employees change jobs more frequently, employers need to be able to share relevant background information more readily. </li></ul><ul style="list-style-type:disc;"><li>Essential controls should be in place regarding time reporting, including that line managers must send time reports directly to the payroll function, rather than to the employee, who could gain an opportunity to falsify them. </li></ul><ul style="list-style-type:disc;"><li>As in this story, managers and employees may conspire to commit fraud. With today's tight corporate budgets, raises may be small or nonexistent, so even a well-meaning manager who has staff retention in mind may give an employee a raise by allowing questionable overtime charges or leave requests. With this in mind, some potential red flags to look out for in the behavior of managers include:</li></ul><ul><ul><li>Being overly protective or exclusive about their organizations, employees, and workspaces.</li><li>Preferring to work on sensitive matters such as human resource issues after hours or take work home.</li><li>Gaps in financial records or missing records.</li><li>Unexplained debt or wealth gains in the individual's personal life.</li></ul></ul>Art Stewart
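The computer-assisted payroll test described in the first bullet above, as an added Python example that is not part of the original article: it flags pay lines in the listed categories, also flags pay dated after an employee's separation (the pattern in the BLM case), and stratifies the flagged employees for follow-up. The roster, pay lines, category labels and dollar thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Pay categories the article suggests flagging (the labels are assumed names).
FLAGGED_CATEGORIES = {"sick_leave", "temp_other_org", "overtime", "standby"}

# Constructed HR roster: separation date, or None while still employed.
ROSTER = {
    "E100": {"separated": None},
    "E200": {"separated": date(2012, 7, 31)},
    "E300": {"separated": None},
}

# Constructed pay lines: (employee, period_end, category, amount, certified_by).
PAYROLL = [
    ("E100", date(2012, 9, 15), "regular", 3200.0, "M1"),
    ("E100", date(2012, 9, 15), "overtime", 480.0, "M1"),
    ("E200", date(2012, 9, 15), "regular", 4000.0, "M2"),
    ("E200", date(2012, 9, 29), "sick_leave", 4000.0, "M2"),
    ("E300", date(2012, 9, 15), "standby", 2500.0, "M1"),
    ("E400", date(2012, 9, 15), "regular", 1500.0, "M3"),
]


def flag_payroll(roster, payroll, categories=FLAGGED_CATEGORIES):
    """Return {employee: {"amount", "reasons", "certifiers"}} for flagged pay lines."""
    flagged = defaultdict(
        lambda: {"amount": 0.0, "reasons": set(), "certifiers": set()}
    )
    for emp, period_end, category, amount, certifier in payroll:
        reasons = set()
        record = roster.get(emp)
        if record is None:
            # Paid, but HR has no record of the person at all.
            reasons.add("not_on_roster")
        elif record["separated"] and period_end > record["separated"]:
            # Pay period ends after the employee left the organization.
            reasons.add("paid_after_separation")
        if category in categories:
            reasons.add("category:" + category)
        if reasons:
            entry = flagged[emp]
            entry["amount"] += amount
            entry["reasons"] |= reasons
            # Who signed off matters when a supervisor may be colluding.
            entry["certifiers"].add(certifier)
    return dict(flagged)


def stratify(flagged, high=10000.0, medium=2000.0):
    """Sort flagged employees into review tiers by risk, then by dollars."""
    tiers = {"high": [], "medium": [], "low": []}
    for emp, entry in sorted(flagged.items(), key=lambda kv: -kv[1]["amount"]):
        hard_stop = entry["reasons"] & {"paid_after_separation", "not_on_roster"}
        if hard_stop or entry["amount"] >= high:
            tiers["high"].append(emp)
        elif entry["amount"] >= medium:
            tiers["medium"].append(emp)
        else:
            tiers["low"].append(emp)
    return tiers


if __name__ == "__main__":
    flags = flag_payroll(ROSTER, PAYROLL)
    for tier, employees in stratify(flags).items():
        for emp in employees:
            entry = flags[emp]
            print(tier, emp, entry["amount"], sorted(entry["reasons"]),
                  sorted(entry["certifiers"]))
```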
Charity Begins in the Home<p>It was a hot Friday afternoon in the Atlanta airport. John Rigby’s flight was delayed four hours, and he wanted to fill that time productively. He remembered he still had an unresolved audit exception on a routine match of vendor and employee addresses. The match was for the supervisor, Marilyn Bell, at his client’s graphics department only a few miles away from the airport.<br></p><p>After a 15-minute taxi ride, Rigby opened the door to the small office and announced himself.<br></p><p>“I’m an outside contractor for the audit team at headquarters,” Rigby explained to Bell. “I just need to follow up on an exception we had on some routine audit testing of vendor files last month. Tell me a little about your supplier, Charity Smith.”<br></p><p>The blood drained from Bell’s face as her eyes started watering. Rigby knew he was on to something.<br></p><p>“Tell me what happened,” Rigby instructed.<br></p><p>“Charity is a longtime friend of mine since high school,” Bell began to explain. “She’s a single mom with two young children, and she helps me out from time to time when we have excess work and tight deadlines.”<br></p><p>During the course of his conversation with Bell, Rigby learned a lot about Smith. During the last three years, when the need arose for new print materials — from training manuals to quarterly product catalogues to promotional posters and banners — Smith was often called on to handle the design work. <br></p><p>Smith worked from her home office, often clocking late night hours so she could better juggle the demands of client work and caring for her children.
She sent her finished work and weekly time sheet by email, which were reviewed by Bell, approved by Bell’s manager, and sent to accounts payable for payment.<br></p><p>After listening silently for almost 10 minutes, Rigby thanked Bell and asked one follow-up question: “Why are Smith’s payments mailed to your home address and deposited into your checking account?”<br></p><p>Bell replied without any hesitation, “Charity lives out in the country, and with taking care of the kids all day she has a hard time getting to the bank in the nearest town to make her deposits. It’s an hour of driving round trip to get to the bank and back, so once a month I deposit her checks into my account, withdraw the cash, and meet her half way for coffee and to give her the money.”<br></p><p>Bell said she had always intended to speak to her boss about the arrangement, just to make sure he was aware of the situation, but she never got around to it. Rigby asked her to write down everything she told him. He explained that he needed something for his audit files to explain the exception, and that her write-up would take care of that.<br></p><p>As Bell wrote, Rigby called a manager in charge of the office from the next room and asked for permission to send Bell home. They agreed and called a manager from another office in Atlanta to come immediately to assist Rigby.<br></p><p>Bell wrote a 12-page report and confirmed verbally and in writing that it was all true. Before sending Bell home, Rigby asked her to get Smith on speakerphone so she could corroborate the report. Again, the blood drained from Bell’s face and her eyes teared up. She froze at the request.<br></p><p>Bell said she did not have the phone number with her in the office, so Rigby suggested she quickly drive home and get it so they could call Smith together in the office. 
Bell didn’t move.<br></p><p>Rigby realized that during the car ride, Bell could call someone to help her by pretending to be Smith, but it was a calculated risk that paid off. Bell continued to sit still and stare at the desk.<br></p><p>“It’s not true, is it?” Rigby inquired, while holding up Bell’s written statement.<br></p><p>“No,” she answered. “I made it all up to cover the amount I’ve taken from the company.”<br></p><p>Rigby then called the office manager back and asked him to pull Bell’s personnel file and look for any other addresses she had provided, regardless of how old they were or why they might be in the file. Two more matches with vendors were found — her parents’ address and her boyfriend’s business address (he was her emergency contact). The total paid to the three fake vendors over three years was almost US$600,000.<br></p><p>Bell’s boyfriend’s address was a retail store. Further investigation revealed that he was taking the checks mailed to his business and to Bell’s parents’ address and including them in the store receipts for the day. An identical amount of cash was removed from the deposits. He was later charged and found guilty of money laundering.<br></p><p>Bell began her scheme to recover from extreme pressures at home after a messy divorce. She fell months behind in her mortgage payments, and she and her children were going to lose their home. Once she put her ethics aside to get up-to-date on her mortgage, she found it much easier to do it again to meet other needs that came up in her life. These included a new car, paying off credit cards and a US$25,000 line of credit, new clothes, vacations, and a custom home with expensive high-end finishes and a custom spa room.<br></p><p>Bell’s manager was held responsible for signing dozens of fabricated time sheets and invoices from the three fake vendors. He trusted Bell and never checked the details.<br></p><p>Bell agreed to cooperate with the investigation and to make restitution. 
Her parents mortgaged their paid-off house to help, and her church took up a special collection as well. Just before her trial, Bell agreed to a plea arrangement that kept her out of jail.</p><h3>Lessons Learned</h3><ul><li>Fake vendor schemes are common. Procurement teams will assure they have adequate controls over new vendors, but fraudsters will tell you exactly how — and how easy it is — to circumvent those controls.</li><li>Address matches are a standard audit test. Unfortunately, they often lead to false positives and inefficient follow-up work. But auditors shouldn’t let down their guard. There’s a reason why procedures like this are so standard — they produce that needle in a haystack that deserves immediate attention. Auditors should always check every address they can find related to that person to see if they have been busier than first suspected.</li><li>Even well-liked, trusted employees can perpetrate fraud. Bell’s work was excellent — she was reliable and she always went the extra mile to serve her many in-house graphics clients. But financial pressures at home caused her to come up with a scheme to help her pay the mortgage and, eventually, finance a lavish lifestyle.</li><li>Nonverbal reactions can often indicate that a fraud is likely occurring. Bell’s surprise at Rigby’s visit and her attempt to cover her tracks with a complicated story about her fictitious friend were clumsy and full of obvious holes. Auditors should make a point to follow up on audit exceptions in a way that they can see the face of the person as they ask. Get trained in what to look for at this critical moment.</li><li>The command, “Tell me what happened,” can be used to pivot from an audit query to a fraud-based interview. Don’t set limits on the subject matter or time frame. Let the interviewee decide where to begin the story and what details to include. </li></ul>John Hall
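The vendor-to-employee address match from this case, as an added Python example that is not part of the original article: it compares each vendor's remit-to address against every address in a personnel file (home, prior and emergency-contact addresses), as the second lesson recommends, and totals payments to the matched vendors. All records, identifiers, field names and the normalization rules are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed normalization rules: common street-type spellings and unit words.
ABBREVIATIONS = {"STREET": "ST", "ROAD": "RD", "AVENUE": "AVE", "COURT": "CT",
                 "DRIVE": "DR", "BOULEVARD": "BLVD", "LANE": "LN"}
UNIT_WORDS = {"APT", "APARTMENT", "STE", "SUITE", "UNIT"}

# Constructed personnel files: every address on record, labelled by source.
EMPLOYEES = {
    "E017": {
        "home": ["14 Maple Ct., Atlanta, GA 30301"],
        "prior": ["220 Birch Road, Macon GA 31201"],
        "emergency_contact": ["900 Peachtree St Ste 5 Atlanta GA 30309"],
    },
    "E042": {
        "home": ["77 Pine Lane, Decatur, GA 30030"],
        "prior": [],
        "emergency_contact": [],
    },
}

# Constructed vendor master (remit-to addresses) and payment history.
VENDORS = {
    "V-201": "14 MAPLE COURT ATLANTA GA 30301",
    "V-202": "220 Birch Rd., Macon, GA 31201",
    "V-203": "900 Peachtree Street, Suite 5, Atlanta, GA 30309",
    "V-204": "1 Industrial Blvd, Marietta, GA 30060",
}
PAYMENTS = [("V-201", 1200.0), ("V-201", 800.0), ("V-202", 500.0),
            ("V-203", 950.0), ("V-204", 4000.0)]


def normalize(address):
    """Reduce an address to a canonical form so cosmetic edits do not hide a match."""
    text = re.sub(r"[^A-Z0-9 ]", " ", address.upper())
    tokens = [ABBREVIATIONS.get(t, t) for t in text.split() if t not in UNIT_WORDS]
    return " ".join(tokens)


def build_index(employees):
    """Map each normalized personnel-file address to its (employee, source) pairs."""
    index = defaultdict(set)
    for emp_id, record in employees.items():
        for source, addresses in record.items():
            for address in addresses:
                index[normalize(address)].add((emp_id, source))
    return index


def match_vendors(employees, vendors):
    """Return (vendor, employee, address source) for every remit-to address match."""
    index = build_index(employees)
    hits = []
    for vendor_id, remit_to in sorted(vendors.items()):
        for emp_id, source in sorted(index.get(normalize(remit_to), ())):
            hits.append((vendor_id, emp_id, source))
    return hits


def exposure(hits, payments):
    """Total paid to matched vendors, grouped by the employee they match."""
    paid = defaultdict(float)
    for vendor_id, amount in payments:
        paid[vendor_id] += amount
    totals = defaultdict(float)
    for vendor_id, emp_id in sorted({(v, e) for v, e, _ in hits}):
        totals[emp_id] += paid[vendor_id]
    return dict(totals)


if __name__ == "__main__":
    found = match_vendors(EMPLOYEES, VENDORS)
    for hit in found:
        print(hit)
    print(exposure(found, PAYMENTS))
```

A match only on the "home" field would have surfaced one of the three vendors here; the other two appear only because prior and emergency-contact addresses are indexed as well.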
Caught in the Medicare Fraud Sweep<p>In what it calls its largest criminal health-care fraud sweep, the U.S. Department of Justice (DOJ) has charged 243 people — including 43 doctors, nurses, and other medical professionals — with submitting false bills to the U.S. Medicare program totaling US$712 million. The charges involve schemes such as false claims for treatments that were medically unnecessary or never provided, <a href="" target="_blank">Reuters reports</a>. In one case, a Miami mental health facility billed nearly US$64 million for psychotherapy sessions, when it actually just moved patients to a different location, the DOJ said. With these arrests, the DOJ has charged more than 2,300 people with Medicare billing fraud totaling more than US$7 billion since 2007.</p><h2>Lessons Learned</h2><p>According to numerous sources, the U.S. spends about 17 percent of its gross domestic product on health care annually. In 2012, this amounted to approximately US$3.8 trillion. The sizable US$712 million lost to fraudulent activity in this story is part of an overall total of US$3.3 billion in fraud uncovered in 2014. While losses in this case represent less than 0.1 percent of that total, it appears that the DOJ may have only uncovered the tip of the iceberg of health-care fraud. In 2014 alone, the U.S. Department of Health and Human Services' (HHS') Office of the Inspector General (OIG) undertook 867 criminal and 529 civil actions against individuals and organizations for false claims, penalty recoveries, and other related matters, according to the <a href="" target="_blank">2014 DOJ/HHS annual report</a> (PDF) on the Health Care Fraud and Abuse Control Program.</p><p>It seems evident that HHS and its OIG are taking a disciplined, systematic approach to its fraud risk assessment and detection activities.
Let's take a closer look at the key elements of that approach, along with some suggestions on how it might be even further strengthened in light of ongoing implementation of the U.S. Patient Protection and Affordable Care Act (ACA).</p><ul style="list-style-type:disc;"><li> <strong>Data Analysis and Data Quality.</strong> Enhanced data analysis made possible the impressive enforcement results in this story. Claims data is being made available more quickly and efficiently, providing law enforcement increased access to data — including real-time data — and helping focus enforcement resources on high-risk geographic, organizational, and individual cluster groups. Risk scoring of Medicare claims prepayment is performed and predictive models are being tested. Moreover, investigators, data analysts, clinicians, and subject-matter experts work on cases in a multidisciplinary environment. There also is an emphasis on enterprisewide improvements in the accuracy and availability of data for Medicaid program integrity and oversight.<br><br>An area for further attention by the OIG and HHS is to ensure that it is capable of handling the changing pattern and volume of new fraud referrals that can be expected from ongoing implementation of the ACA. Also, while the HHS clearly has whistleblower programs in place, it is not clear to what extent these programs are contributing to its overall fraud prevention and detection effectiveness. Results from a new pilot program to estimate the overall probable level of program fraud are expected beginning in 2016, which may provide a clearer indication of the overall size of the health-care fraud "iceberg." ​</li></ul><ul style="list-style-type:disc;"><li> <strong>Enrollment and Payment.</strong> Since the adoption of the ACA, stronger provisions concerning screening of providers and suppliers on the basis of fraud risk have been implemented, with three risk levels for providers (limited, moderate, and high). 
A goal is to identify ineligible providers or suppliers before their enrollment or revalidation through provider site visits by increasing the scope and coverage of high-risk providers and suppliers such as home health providers, independent diagnostic testing facilities, and outpatient rehabilitation providers. Increasing the frequency of surprise out-of-cycle site visits could enhance the effectiveness of this element in detecting potential fraud. A temporary new enrollment moratorium for certain types of providers in high-risk geographic areas such as Florida and Texas, has been instituted but may need expansion. </li></ul><ul style="list-style-type:disc;"><li> <strong>Monitoring Benefits Delivered by Third Parties.</strong> Third-party sponsors and state governments comprise a large part of the risk landscape for delivery of health-care benefits and services. Greater oversight has resulted from auditing sponsors' compliance plans and strengthening their program integrity training responsibilities. More recent assessments have reviewed the states' performance in meeting regulatory requirements and ensuring that managed care systems deliver accessible, available, and appropriate services to Medicaid beneficiaries. Federal health-care agencies are issuing clear regulations and guidance for mandatory provider compliance plans under the ACA, but these have not been completed. Another gap to be filled is requiring state contracts with managed care entities to include a method to verify with beneficiaries whether services billed by providers were actually received.</li></ul><ul style="list-style-type:disc;"><li> <strong>Accountability.</strong> Payment suspensions are one example of an increased focus on using administrative tools to ensure accountability. 
Each year, HHS' OIG excludes thousands of individuals and entities from participating in federal health-care programs for a variety of reasons ranging from health-care fraud convictions to loss of medical license for professional incompetence. Since the adoption of the ACA, some 1.5 million providers have been asked to resubmit for validation of their eligibility, some 470,000 enrollments have been deactivated, and nearly 28,000 enrollments have been revoked to prevent these providers from billing the Medicare program. The HHS' OIG and its law enforcement partners also investigate suspected fraud and refer cases to the DOJ for criminal and civil adjudication. The HHS should continue to focus on accountability for fraud. In addition, its OIG should continue to use its exclusion authority to protect the department's programs and beneficiaries, including considering cases in which excluding responsible corporate officers of sanctioned providers and suppliers is appropriate and monitoring the effect of such exclusions on recidivism.</li></ul>Art Stewart
A Boost to Fraud Risk Assessments<p>Daily headlines of pilfered passwords and stolen credit card data have put fraud at the top of management’s risk management agenda. This concern coincides with new guidance in The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 update of the <em>Internal Control–Integrated Framework</em> that directs organizations to conduct a fraud risk assessment as part of their overall risk assessment. <br></p><p>Now is an opportune time for internal auditors to help their organization re-examine its approach to fraud risk. For organizations that have not formally documented processes and controls to address fraud risk, adopting COSO 2013 can jump-start a fraud risk prevention program. Organizations that have a more mature fraud risk assessment can use it to strengthen their fraud prevention processes and procedures. <br></p><h3>COSO’s Guidance</h3><p>The discussion of fraud in COSO 2013 centers on Principle 8: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” Under the 1992 COSO framework, most organizations viewed fraud risk primarily in terms of satisfying U.S. Sarbanes-Oxley Act of 2002 requirements to identify fraud controls to prevent or detect fraud risk at the transaction level. <br></p><p>In COSO 2013, fraud risk becomes a specific component of the overall risk assessment that focuses on fraud at the entity and transaction levels. COSO now requires a strong internal control foundation that addresses fraud broadly to encompass company objectives as part of its strategy, operations, compliance, and reporting. <br>Principle 8 describes four specific areas: fraudulent financial reporting, fraudulent nonfinancial reporting, misappropriation of assets, and illegal acts.
The inclusion of nonfinancial reporting is a significant change that covers sustainability, health and safety, employment activity, and similar reports. Because internal auditors frequently provide assurance in this area, they can provide insights into fraudulent nonfinancial reporting.<br></p><p>One useful document for performing a fraud risk assessment is Managing the Business Risk of Fraud: A Practical Guide, produced by the American Institute of Certified Public Accountants, the Association of Certified Fraud Examiners, and The IIA. This guide to establishing a fraud risk management program includes a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls.<br></p><h3>Fraud Risk Governance </h3><p>Managing the Business Risk of Fraud advises organizations to view fraud risk assessment as part of their corporate governance effort. This commitment requires a tone at the top that embraces strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk. <br></p><p>But even organizations with committed senior leadership may have inadequate fraud risk assessment programs. Most organizations have some written policies to manage individual fraud components, but many don’t concisely summarize these documents and activities so they can communicate and evaluate the completeness of their fraud management processes. Internal audit can help with this evaluation and address the areas of fraud described in Principle 8.<br></p><h3>The Assessment Process</h3><p>Although a fraud risk assessment should ordinarily be conducted as part of a broader evaluation of organizational risk in an enterprise risk management program, it may initially be done on a stand-alone basis. Regulatory and legal misconduct, such as U.S. Foreign Corrupt Practices Act violations, as well as reputation risk, also should be considered. 
Internal auditors can help ensure the fraud risk assessment is sufficiently robust.<br><br><strong>Assess and Identify Inherent Risk</strong> The fraud risk assessment starts with a brainstorming session to uncover the organization’s potential fraud risks, without consideration of mitigating controls. The review should be shaped by the organization’s operating environment, including industry practices, business culture, the state of the economy, applicable regulatory regimes, business practices, and business conditions. <br></p><p>Each risk area should be examined, including fraudulent reporting, possible loss of assets, and corruption. The assessment should consider:<br></p><ul><li>All types of fraud schemes and scenarios.</li><li>The incentives (such as compensation programs), pressures (such as a chief financial officer who needs to hit an earnings estimate), and opportunities (such as a senior executive with override ability) to commit fraud.<br></li><li>The IT fraud risks specific to the organization, which may become pervasive without appropriate controls. </li></ul><p>Additionally, the fraud risk assessment needs to consider the potential bypass of controls, as well as areas where controls are weak or there is a lack of segregation of duties.<br><br><strong>Assess Likelihood and Significance of Fraud Risk</strong> This review of identified fraud risks should be based on staff interviews — including business process owners — known fraud schemes, and historical information, both internal and external to the organization. 
In assessing fraud risk significance, organizations should consider not only exposures to assets and financial statements, but also risk to their operations, brand value, and reputation, as well as criminal, civil, and regulatory liability.<br></p><h3>Fraud Prevention and Detection</h3><p>Fraud prevention requires both preventive and detective controls, but the Managing the Business Risk of Fraud guide points out these are not mutually exclusive: “If effective preventive controls are in place, working, and well-known to potential fraud perpetrators, they serve as strong deterrents to those who might otherwise be tempted to commit fraud. Fear of getting caught due to a company’s known commitment to punishment is always a strong deterrent. Effective preventive controls are, therefore, also strong deterrence controls.”<br></p><p>Segregation of duties in small organizations can be difficult because of limited resources and personnel. These organizations need compensating controls such as periodic budget-to-actual analysis at a precise-enough level to flag and investigate unusual activity. <br></p><h3>Fraud Investigation and Corrective Action</h3><p>The fraud investigation and response system should include a process for categorizing issues, communicating within the organization — including with the audit committee or those charged with governance — conducting the investigation and fact-finding, monitoring the status of fraud cases, and resolving the investigation with a recommendation for prosecution. Standards, regulations, or laws may require parties such as legal counsel, the board, the audit committee, and external auditors to be notified if the allegation involves senior management or affects the financial statements.<br></p><h3>An Opportunity for Improvement</h3><p>Organizations that already have adopted COSO 2013 can continue to build on that foundation to prepare for the fraud challenges ahead. 
For those organizations that haven’t yet implemented the framework, the opportunity to improve their fraud risk assessment should motivate them to adopt it soon. In either case, internal auditors who are well-versed in COSO 2013 can help the organization’s fraud risk assessment initiative by facilitating the assessment itself or helping align policies and fraud mitigation activities. <span class="ms-rteiaStyle-authorbio">Michael Rose, CIA, CPA, CISA, CISM, is a Business Advisory Services partner at Grant Thornton LLP in New York.<br>Priya Sarjoo, CIA, is a Governance, Risk, and Compliance practice leader at Grant Thornton in Dallas. <br> Kevin Bennett, CFE, CICA, is managing director of Forensic and Valuation Services at Grant Thornton in Minneapolis.</span></p>Michael Rose
Bankers Caught in Currency Scheme<p>A routine audit last year uncovered a US$40 million currency fraud scheme in Nigeria, according to <a href="" target="_blank"> <em>The Guardian</em></a>. Nigeria's Economic and Financial Crimes Commission has charged six central bank officials and 16 commercial bank employees with stealing Nigerian naira notes intended for destruction. According to the report, Nigeria's central bank withdraws old or torn notes from circulation regularly and replaces them with new notes. The audit last September discovered irregularities with this process at a bank branch in Ibadan, a city in the southwest of Nigeria. Further investigation revealed that mutilated notes of higher denominations were swapped with lower denomination currencies, with box labels indicating they contained a higher value than their true content. </p> <h2> Lessons Learned</h2><p>Many banks around the world carry out the function of currency management, including the disposal of old or worn-out currencies, typically through a network of offices and some form of secure storage. A huge amount of money is involved: In 2012, the U.S. Federal Reserve ordered nearly 8.4 billion individual notes with a face value of more than US$358 billion to replace old currencies on a one-to-one basis. Typically this disposal work takes place under a statutory framework and a tight security regime. Bank notes and coins that are unfit, cannot be issued for further circulation, or are not needed immediately by the branches are deposited into a designated secure storage area. When sufficient quantities of these currencies have accumulated, they are remitted to a central bank office for inventory, scanning for counterfeits, and disposal.
The local–central secure storage system combination is intended to remove the necessity for frequent physical movement of currency and enable banks and treasuries to work with a minimum cash balance of their own.</p><p>At least that is how it is supposed to work. Bearing in mind the potentially limited resources available in many countries, what can be done to enhance the controls and protect the security of these funds?</p><ul style="list-style-type:disc;"><li><strong>Continually work to improve the efficiency of currency management</strong> and closely monitor the printing capacity of bank note presses with a view to closing the demand–supply gap in currency and lessening the risk materiality.</li></ul><ul style="list-style-type:disc;"><li><strong>Automate the currency-processing operations</strong> in the local offices as much as possible. Many countries have installed currency verification and processing (CVP) systems for bank notes received for examination. These systems are capable of sorting the notes on the basis of denomination, design, and condition. Generally, the system sorts the notes into Fit, Unfit, Reject, and Suspect categories. Notes in the Suspect category are received in separate stacks and must be inspected manually for the presence of counterfeit notes. CVP systems also have security measures that enable the bank to provide graduated access rights, capture and store data, and produce security reports. </li></ul><ul style="list-style-type:disc;"><li><strong>Enhance physical security measures</strong> in areas where these currencies are being held. For example, install closed-circuit television (CCTV) cameras at all such facilities and retain recordings up to 90 days for appropriate monitoring by security staff. This can be enhanced by networking CCTVs from local to central offices. 
While there would be upfront investment costs, installing suitable biometric access systems at all currency storage locations can ensure only authorized staff members are able to enter. Banks also should consider requiring officials to present a pre-validated photograph to enter the storage area. Electronic locking of all storage bins/vaults also should be explored, along with linking them to a central server to ensure easy monitoring of transactions.</li></ul><ul style="list-style-type:disc;"><li><strong>Use tamper-proof shrink-wrapping</strong> — or similar materials — of bank notes to be disposed of, with the details of the source branch bar-coded on the bundles. This can facilitate easy identification of the branch from which the notes were received so that accountability for shortages, defects, counterfeits, theft, and fraud can be attributed precisely, which can reduce the possibility of such incidents.</li></ul><ul style="list-style-type:disc;"><li><strong>Conduct periodic security audits of secure storage areas</strong> at bank branches on a risk-based frequency, at least more often than annually. Comprehensive guidelines for such audits should be developed and well-communicated to branches. A system of surprise inspections also would be useful.</li></ul><p>Human resource measures should include rotation of staff employed at currency disposal locations and heightened background checks before hiring staff.</p>Art Stewart
Hedge Fund Executives Sentenced<p>The chief financial officer and two managing partners of a U.S. hedge fund firm have been sentenced to prison for defrauding investors of more than US$46 million, WTNH-TV in New Haven, Conn. <a href="" target="_blank">reports</a>. Their firm, New Stream Capital LLC, launched two feeder funds in November 2007, based in the U.S. and the Cayman Islands, and announced that its Bermuda Fund would close and its investments would move to the Cayman Fund, according to court documents and testimony. When the Bermuda Fund's largest investor decided to redeem its investment in March 2008, prosecutors say the defendants secretly kept the Bermuda Fund open and prioritized investors who stayed in the fund. The firm did not inform other existing and prospective investors that the Bermuda Fund was still open and would be a priority. Each of the defendants pleaded guilty to conspiracy to commit wire fraud in 2014.</p><p> <strong>Lessons Learned</strong></p><p>When it comes to offshore hedge funds, the Cayman Islands is the world leader, with estimates ranging from 45 percent to 85 percent of global market share and as much as US$1.4 trillion in assets and liabilities. Included in these funds are institutional investments, such as pension funds.</p><p>To tackle criminal and fraudulent behavior, such as in this story, we need to look beyond the individual circumstances of the case and address systemic problems from two different directions: governance/regulatory and investor awareness. Internal auditors can help with both.</p><ul style="list-style-type:disc;"><li> <strong>Governance/regulatory. </strong>Some economists consider the relative lack of oversight of the hedge fund industry by Cayman Islands authorities to be a significant threat to the global economy. The Cayman Islands Monetary Authority (CIMA) is responsible for regulating and supervising financial services. 
It says officials on its board of directors can have contractual relationships with entities they are charged with regulating, creating inevitable conflict of interest possibilities. More independence between these two roles would help protect investors.<br><br>Cayman Islands-based hedge funds are not directly subject to U.S. Securities and Exchange Commission (SEC) regulation. However, in 2012, the SEC established a cooperation arrangement with CIMA as part of the commission's long-term plan to improve oversight of regulated entities that operate internationally. This type of cooperation arrangement "generally establishes mechanisms for continuous and ongoing consultation, cooperation, and the exchange of supervisory information … to monitor risk concentrations, identify emerging systemic risks, and better understand a globally active regulated entity's compliance culture," according to an SEC press release. In addition, such memorandums of understanding enable the SEC and regulators in other nations to conduct on-site examinations of registered entities located abroad. Results of these on-site examinations should be reviewed closely for further governance improvements.<br><br><a href="" target="_blank">A 2012 analysis</a> of thousands of U.S. securities filings by <em>The New York Times</em> also showed that many directors sit on the boards of 24 or more funds based in the Caymans, which "individually are supposed to be overseeing tens of billions of dollars in assets." Some of these individuals hold more than 100 directorships, and one director sits on the boards of about 260 hedge funds. Notably, this data does not include boards of hedge funds with non-U.S. ownership. Greater disclosure of how many boards directors serve on is obviously needed. And, allowing for some flexibility, limits should be placed on the number of board positions that one director can take on in the interests of investors, fiduciary responsibility, due diligence, and professionalism. 
A <a href="" target="_blank">2013 CIMA survey</a> (PDF) of hedge fund corporate governance stakeholders points to these same needed changes.</li></ul><ul><li> <strong>Investor awareness. </strong>As a general rule, investors must take responsibility for the oversight of funds in which they invest. That includes educating themselves on the nature and risks of hedge funds and offshore banking and investing. They also should apply scrutiny to drive up standards by careful and informed selection of service providers and directors, either directly or through the use of due diligence professionals, including auditors. Where red flags are noticed with regard to lapses in due diligence, class action and other forms of legal redress are likely to be pursued.</li></ul>Art Stewart
The FIFA Scandal: Five Lessons for Internal Audit<p>The global soccer community was rocked this past week when the U.S. Department of Justice (DOJ) announced charges and arrests for "rampant, systemic, and deep-rooted" corruption by high-ranking members of FIFA, the sport's global governing body. Using the U.S. Foreign Corrupt Practices Act (FCPA) as its legal hammer, the DOJ outlined in its 47-count indictment a disturbing history of alleged bribes and racketeering by top FIFA officials dating back as far as two decades. It is evident that more troubles lie ahead for the global soccer body, as Swiss officials have announced that they are also investigating potential improprieties.</p><p>The relevance of the events of the past week is obvious to our profession, but it goes well beyond an acknowledgement of internal audit's role in providing assurance on anti-bribery and anti-corruption programs and its role in detecting and deterring fraud and corruption. </p><p>Indeed, this unfolding spectacle touches on no less than five significant aspects of the internal audit function, and we can draw a number of lessons from this sad affair.</p><p>1.     <strong>Internal audit must raise a yellow card when corporate culture creates susceptibility to corruption</strong>. It did not take long for fallout from the indictments to reach the top of the FIFA hierarchy with almost immediate calls for the ouster of FIFA President Sepp Blatter. Blatter was reaffirmed as the organization's president in a Friday vote, and he has said he knew nothing of the alleged corruption.</p><p>But allegations of corruption within FIFA were not unheard of before the DOJ indictments, and I have to wonder if they were ever brought to Blatter's attention. 
The bottom line is that no organization can afford to practice "willful ignorance" about serious challenges for long without paying a high price.</p><p><em>The lesson for internal audit:</em> A frank and honest analysis of corporate culture must be part of internal audit's purview, and it must raise its voice when erosion of the culture becomes an organizational risk.</p><p>2.     <strong>Internal audit must act quickly to address reputational risk. </strong>A number of media accounts of the evolving scandal have described long-held concerns about corruption at FIFA. I have no insight into the efforts of FIFA's internal audit function, but the potential for significant reputational harm should have been identified and brought to management and the board of directors by those charged with providing assurance to management and governance officials.</p><p><em>The lesson for internal audit:</em> The internal audit function cannot afford to allow risks to organizational reputation to go unchallenged.</p><p>A secondary lesson is one that FIFA's sponsors are learning. Reputational risk is not just about your organization. The behavior of the organizations you partner with can impact your reputation, as well.</p><p>3.     <strong>Internal audit must play a significant role in crisis planning and execution.</strong> Internal audit's role in crises cannot be one of simply grading after the fact how a crisis plan was carried out. Internal audit can and must provide insight into the development of such plans and be consulted even as a crisis is unfolding. Having good communications protocols in place can help an organization mitigate reputational and other potential risks in a crisis. But proper execution of the plan also plays a vital role in its success.</p><p><em>Lesson for internal audit: </em>Internal audit must assess all risks — including the risks of not addressing adversity swiftly and effectively.</p><p>4.     
<strong>Internal audit must stay current with anti-corruption legislation</strong>. While the FIFA crackdown was facilitated by the strength of the FCPA, internal audit functions must be cognizant of growing anti-corruption efforts worldwide. This is especially important for businesses that operate globally. The June issue of <em>Internal Auditor </em>magazine offers an excellent article, <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=3da8278f-5ca0-4c59-810a-c3113aec7149&TermSetId=bb519a46-9cdb-4e10-8446-505034f60087&TermId=70e4bb0b-d8ac-4aa3-a4ba-0eb49775025d">"Beyond the FCPA"</a>, on the topic.</p><p>According to the article, Canada and Brazil each passed anti-bribery legislation in 2013 that aligns more closely to the FCPA and the United Kingdom's 2010 Bribery Act is even broader in scope. The latter not only penalized the bribe payer, but the bribe receiver, as well.</p><p><em>Lesson for internal audit: </em>Changing legal landscapes in the countries where we do business can develop into risks if the organization does not keep abreast of those changes. </p><p>5.     <strong>Internal audit must be courageous.</strong> It is not hard to imagine that anyone within FIFA charged with assurance on the effectiveness of compliance and controls must have been under great pressure. The issue of courage for heads of audit has been a recurring theme in a number of my blogs.<em><br></em></p><p><em>Lesson for internal audit: </em>Those aspiring to be heads of audit must have the courage to do what needs to be done or say what needs to be said no matter the consequences.</p><p><span style="line-height:1.6;">A final thought about the FIFA issue. A quote from FBI Director James Comey widely reported by media struck a chord with me. 
Comey said, "If you touch our shores with your corrupt enterprise, whether that is through meetings or through using our world-class financial system, you will be held accountable for that corruption."</span><br></p><p><span style="line-height:1.6;">FIFA officials deserve the presumption of innocence until proven guilty in a court of law, but Comey's message is loud and clear. No corruption is acceptable, and nothing is off limits. This may be the most important lesson from the FIFA scandal, and one internal audit must embrace.</span><br></p><p>As always, I welcome your thoughts.</p>Richard Chambers
Beyond the FCPA<p>Recent aggressive, anti-bribery actions by various governments are indicative of new challenges that businesses with global operations or supply chains are encountering. Although the U.S. Foreign Corrupt Practices Act (FCPA) has been the preeminent anti-corruption law for most companies with international operations or financial ties, in recent years other countries have become assertive in enforcing their own regulations, further complicating an organization’s governance, risk management, and compliance efforts (see “Sharper Focus on Foreign Bribery” below).</p><p>This growing complexity reinforces the importance of a system of strong internal controls backed by an effective, independent internal audit function. An internal auditor supplies to an organization’s governing body and senior management comprehensive assurance that anti-bribery controls are in place, designed appropriately, and operating as prescribed.<br></p><p>The <em>International Standards for the Professional Practice of Internal Auditing</em> (<em>Standards</em>) points out that although internal auditors are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud, they must possess the requisite knowledge to evaluate the potential for fraud — including corruption — to occur, along with the methods the organization uses to manage fraud risk. Enforcement actions by authorities in several nations provide valuable insight into the tools, processes, and procedures regulators expect organizations to follow to manage fraud risk. By reviewing such actions in the context of recent global anti-corruption trends, internal auditors can build the knowledge needed to meet their professional responsibilities.<br></p><h3>Growing Roster of Enforcers</h3><p>The U.S. has pursued foreign bribery cases more actively than other countries in recent years. U.S. 
authorities imposed sanctions against individuals and companies in 128 foreign bribery cases during the 15-year period covered by the Organisation for Economic Co-operation and Development’s (OECD’s) 2014 Foreign Bribery Report. Germany sanctioned individuals and companies in 26 cases, South Korea imposed sanctions in 11 cases, and Italy, Switzerland, and the U.K. each imposed sanctions in six cases. Four anti-bribery laws are notable. <br> ​<br><strong>U.S.</strong> The authority for most U.S. anti-corruption cases is the FCPA, which applies to all U.S.-based businesses, citizens, and residents. Moreover, the FCPA also governs any “U.S. issuer,” a broad term that encompasses all foreign companies trading on U.S. exchanges as well as any other company that is required to file periodic reports with the U.S. Securities and Exchange Commission (SEC). It also applies to foreign subsidiaries of U.S. companies and U.S. subsidiaries of foreign companies.<br></p><table width="100%" cellspacing="0" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;">​<strong>Sharper Focus on Foreign Bribery</strong><br><br>In its 2014 Foreign Bribery Report, the OECD observed that “enforcement of anti-bribery laws has drastically increased” since the organization’s Convention on Combating Bribery of Foreign Public Officials in International Business Transactions took effect in 1999. The report examined 427 cases of bribery involving foreign officials over the past 15 years. Prison sentences were handed down to 80 individuals in connection with those schemes, and another 38 individuals received suspended sentences. Sixty-nine percent of the cases in the report were settled by sanctions imposed through plea agreements, nonprosecution agreements, corporate probation, or similar settlement arrangements.<br>Altogether, 261 individuals and companies were fined, the report notes. 
The highest combined fine against a single company totaled US$1.95 billion, while the highest monetary sanction against an individual amounted to US$149 million.<br><br>Clearly, the stakes are high, but as OECD Secretary-General Angel Gurría notes in the report’s preface, “With bribes averaging 10.9 percent of the total transaction value, and combined monetary sanctions ranging from 100 percent to 200 percent of the proceeds of the corrupt transaction in 41 percent of cases, the business case against corruption is clear.”<br><br>Another factor behind today’s greater focus on corruption is the updated <em>Internal Control–Integrated Framework</em> released in 2013 by The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Among the 17 principles spelled out in the revised COSO framework is the requirement that an organization consider the potential for fraud when it is assessing risks associated with the achievement of its objectives. These include possible acts of corruption by the organization’s personnel, outsourced service providers, and other third parties.</td></tr></tbody></table><p>In addition to the anti-bribery requirement, publicly traded companies are subject to FCPA accounting provisions that mandate that the books and records accurately reflect all transactions and internal control provisions that require companies to have appropriate internal controls to prevent, detect, and remedy FCPA violations. Internal audit has a separate role in testing the books and records, as well as in assisting with designing and implementing internal controls and then testing them.<br></p><p>German-based Siemens AG and Daimler AG, U.K.-based BAE Systems, France’s Total S.A., and Japan’s JGC Corp. are among the prominent companies that have been required to pay steep FCPA-related fines in recent years. As of the end of 2014, eight of the 10 largest penalties imposed by the U.S. 
government in FCPA cases were assessed on companies headquartered outside the U.S. Moreover, the <em>Latin American Law & Business Report </em>newsletter notes that, “foreign individuals and foreign companies that do not trade on U.S. exchanges can also violate the FCPA if they cause an act in furtherance of a corrupt payment within the U.S.”<br><br><strong>U.K.</strong> Several other countries’ laws are even broader in scope. For example, the U.K.’s Bribery Act of 2010 applies to a wider range of companies and makes a greater array of conduct illegal than the FCPA does. It has authority over any company that engages in any business or part of a business in the U.K. In addition to prohibiting the bribery of both government officials and nongovernment individuals, the Bribery Act penalizes the bribe receiver, not just the bribe payer, as the FCPA does.<br></p><p>The U.K. act also prohibits <em>de minimis</em> “facilitation payments” for certain routine government actions that do not provide the payer with an unfair competitive advantage. A common example is the payment of a fee to speed up installation of telephone service by a state-owned telephone company. Practices such as this, regarded as a routine cost of doing business in some countries, are afforded an exemption under the FCPA but not under the Bribery Act.<br><br><strong>Canada</strong> In 2013, changes Canada made to its Corruption of Foreign Public Officials Act aligned it more closely with the FCPA. However, in some respects, such as the prohibition of facilitation payments, the Canadian law is more similar to the U.K. Bribery Act.<br><br><strong>Brazil</strong> Also in 2013, Brazil’s congress passed the Clean Company Act, which went into effect in January 2014. It is similar to the FCPA in that it targets only public corruption and not commercial bribery. But other aspects, such as those covering defendants’ state of mind and knowledge, are more similar to the U.K. 
Bribery Act.<br></p><p>The Brazilian law is particularly significant in that companies — not just individuals — are now subject to prosecution for bribery. Companies found guilty could face fines of up to 20 percent of their gross annual revenue, along with possible suspension of operations, confiscation of assets, and even dissolution. The law covers both bribery of foreign officials by Brazilian companies and bribery of local officials by any company. <br></p><p>The Clean Company Act also spells out a particularly strong oversight role by a company’s internal audit function. Under the law, having strong compliance programs in effect is not an affirmative defense against corruption charges, but authorities can consider compliance efforts to reduce penalties. These compliance efforts can be evaluated on three factors: 1) the structure of the program, including reporting mechanisms, training, policies and procedures, and periodic risk assessments; 2) specifics about the legal entity, including specific compliance risks; and 3) an evaluation of the program’s efficiency, including a case-by-case verification of the program’s effectiveness by internal audit.<br></p><h3>High-profile Enforcement Actions</h3><p>In addition to expanding their statutory authority, governments are undertaking more vigorous anti-corruption enforcement actions. Several recent cases provide useful insights into the internal controls that must be in place and internal auditors’ responsibilities for helping their organizations maintain compliance.<br><br><strong>GlaxoSmithKline PLC (GSK)</strong> One of the highest-profile actions in recent years has been an ongoing corruption investigation in China. The case culminated in September 2014 in the conviction of U.K.-based GSK for paying bribes to boost its business. 
China fined GSK a record US$491 million — the amount of the alleged bribery — and the former top GSK executive in China, four other company managers, and two ancillary GSK-hired investigators received criminal convictions.<br></p><p>The Chinese government’s entry into the international fight against corruption and bribery is a game changer. Foreign companies are now on notice: Doing business the old way will no longer be tolerated, and companies operating in China have a new risk to consider — possible prosecution under domestic Chinese law.<br></p><p>The Chinese example also could encourage additional anti-corruption enforcement around the globe. When other countries with endemic corruption issues see that they can attack their domestic corruption issues by prosecuting international businesses operating within their borders, there may be an appetite for additional prosecutions.<br></p><p>The GSK case also offers lessons about the potential cost of internal audit failures. Ironically, as various news sources have noted, GSK had more compliance officers in China than in any country except the U.S. and has conducted up to 20 internal audits a year in China. Nevertheless, the company was unprepared when Chinese officials accused it of using travel agencies to funnel bribes to doctors and officials under the guise of medical conferences and other events.<br></p><p>Although the cost of monitoring such payments would be high and would involve the tedious work of verifying numerous receipts and scrutinizing countless transactions for signs of fraud, the use of practices such as GSK’s to hide payments to doctors was a well-recognized risk. One lesson internal auditors can draw from the case is clear: If the risks for a certain pattern of corruption are well-known, a company must devote whatever resources are necessary to verify its compliance with relevant laws.<br><br><strong>Avon</strong> Another case of bribery allegations involved cosmetic maker Avon Products Inc. 
According to settlement agreements with the SEC and the U.S. Department of Justice, the company’s Chinese subsidiary paid US$8 million in bribes to Chinese officials in 2004 in the form of cash, gifts, travel, and entertainment. The purpose was to gain access to officials who were drafting and implementing new direct-selling regulations in China.<br></p><p>The Avon case demonstrates the high cost of a failure by the internal audit function — in this case fines and investigative costs of more than US$500 million. The bribes reportedly were detected by Avon’s internal audit function in 2005 and 2006, but the company’s CAE at the time was persuaded to withdraw the internal audit report and destroy all evidence. This information was never presented to Avon’s board, which learned of the corruption only because of an internal whistleblower.<br><br><strong>Petrobras</strong> The GSK case in China might be a harbinger of international anti-corruption enforcement actions based on domestic anti-bribery laws, but a case now underway in Brazil could turn out to be even larger. In fact, the investigation into Brazil’s state-owned energy company Petrobras eventually could become the world’s largest corruption investigation.<br></p><p>Petrobras CEO Maria das Gracas Foster and five board members have been forced to resign, and Brazilian President Dilma Rousseff has come under pressure because of her former role as minister of energy and president of the Petrobras board. The company’s former head of refining operations has told prosecutors that construction budgets for new projects were routinely inflated by 3 percent of their value to cover bribes and kickbacks, some of which were then routed to major Brazilian political parties. Another defendant has testified that more than a dozen of Brazil’s largest construction companies paid bribes to obtain contracts.<br></p><p>The case also has significant global implications. 
In addition to banks in Switzerland and the Cayman Islands, where funds allegedly were deposited, companies ranging from shipyards in Singapore to U.K.-based Rolls-Royce plc also have been accused of paying bribes.<br></p><p>Although the allegations in the Petrobras case occurred before the passage of Brazil’s Clean Company Act, the prosecution of the case is being watched closely for any precedents that could affect the new law’s implementation.<br></p><h3>Internal Audit’s Approach</h3><p>Examples such as Avon, GSK, and Petrobras can provide useful lessons for internal audit functions to help their organizations fight bribery and corruption. The IIA practice guide, Auditing Anti-bribery and Anti-corruption Programs, recommends internal audit assess the effectiveness of anti-bribery and corruption programs to help anticipate the risk and identify the existence of potential and actual incidents.<br></p><p>Two different, but complementary, approaches may be used, either separately or together: 1) auditing each component of the anti-bribery and corruption program, and 2) incorporating an assessment of anti-bribery and corruption measures in all audits, as appropriate. With the latter approach, bribery and corruption risks are incorporated into the risk assessment and scoping process of each audit. This process may:<br></p><ul><li>Include procedures to assess bribery and corruption risks.</li><li>Evaluate potential bribery and corruption scenarios.</li><li>Evaluate the control environment and anti-bribery and corruption programs in that audit area.</li><li>Link the scope of an audit area’s procedures to its assessed risks.</li></ul><p></p><p>In some situations, management may not want internal audit’s findings about potential corruption brought to the board’s attention. 
This is why any compliance program must include structural protection that allows internal audit to share its concerns with the board or, at a minimum, the audit committee.<br></p><p>Moreover, it is a best practice in compliance programs for the board or audit committee to seek out and ask the tough questions about whether internal audit has uncovered any evidence of FCPA violations. There must be internal audit independence, an independent reporting channel to the board, and board fulfillment of its role in a compliance regime.<br></p><h3>Corruption Fighters</h3><p>Internal audit’s role in anti-bribery and corruption programs depends on an organization’s governance structure. In addition, internal audit’s level of involvement should be recommended by the CAE and approved by the board. In all cases, however, it is critical that the function has the independence from senior management necessary to report directly to the board when violations of law are uncovered. By adhering to the <em>Standards</em> — and by understanding and applying the lessons from recent enforcement actions — internal auditors can be better prepared to provide the crucial third line of defense against fraud and corruption. <br> <span class="ms-rteiaStyle-authorbio">Jonathan T. Marks, CPA, CFE, is a partner with Crowe Horwath LLP in New York, where he leads fraud, ethics, and anti-corruption services.<br>Thomas R. Fox, JD, has practiced law in Houston for 32 years and recently launched Advanced Compliance Solutions LLC.</span></p>Jonathan T. Marks
Robbing the Poor<p>The founder and former president of Native Relief Charities was sentenced to three years in prison for stealing US$4 million from the organization, which provides college scholarships for poor Native American students, <a href="" target="_blank"> <em>The Oregonian</em> reports</a>. A U.S. District Court judge in Portland, Ore. found Brian J. Brown guilty last year of conspiring with one of the charity's board members to commit mail and wire fraud and money laundering. According to prosecutors, board member William Peters set up a US$4 million endowment at Native Relief Charities between 2006 and 2009, from which Brown took US$3 million and Peters received nearly US$1 million. Brown produced tax statements showing that Native American students were receiving the money. Brown was arrested after federal agents received a tip about the fraud, which prevented 650 students from attending college, prosecutors say. </p><h2>Lessons Learned</h2><p>The size of the nonprofit sector and the fraud activity related to it are substantial. According to the <a href="" target="_blank">National Center for Charitable Statistics (NCCS)</a>, there are more than 1.5 million nonprofit organizations in the United States, including more than 1 million public charities, 101,558 private foundations, and 369,176 other nonprofits such as chambers of commerce, fraternal organizations, and civic leagues. These organizations reported more than US$1.65 trillion in total revenues and US$1.57 trillion in total expenses in 2012, the last year when figures were available. </p><p>The 2014 Association of Certified Fraud Examiners (ACFE) <a href="" target="_blank">Report To The Nations On Occupational Fraud And Abuse</a> (PDF) reports that fraud in nonprofit organizations has been growing steadily since 2010 and represented 10.8 percent of the cases reported in 2014. Median losses for nonprofits have grown from US$90,000 in 2010 to US$108,000 in 2014. 
</p><p>The reputational damage may be far worse. According to a recent report by the London-based Centre For Investigative Journalism, the 50 worst charities collectively raised more than US$1.3 billion over the past decade and paid nearly US$1 billion of that directly to the companies that raise their donations. This story of insider fraud and theft committed against Native American students adds to this grim picture. </p><p>Nonprofit organizations and their directors can consult a vast amount of guidance to better equip themselves to detect and prevent fraud, including from sources such as the ACFE, The IIA, and the National Council of Nonprofits. But what else can internal auditors learn from this situation?</p><ul><li> <strong>Get up to speed regarding new "single audit" requirements for nonprofit organizations. </strong>U.S. regulations (albeit complicated regulations) require nonprofits to conduct an independent financial audit if the organization receives federal funds above a specified amount in a single fiscal year. The U.S. government passed the Single Audit Act in 1984 to ensure that those organizations receiving substantial federal funds use the funds in compliance with the federal government's funding requirements. "Single audit" refers to one of the objectives of that law: to replace the need for the federal government to audit the same nongovernmental organization multiple times. <br> <br>In December 2013, the U.S. Office of Management and Budget issued new guidance, called <a href="" target="_blank">"Uniform Guidance,"</a> that applies to audits of nonprofit organizations that receive federal grants, effective for Dec. 31, 2015 year-end audits. All non-federal government agencies and nonprofit organizations that expend US$750,000 or more in federal awards in a fiscal year are required to conduct a single audit (the previous threshold was US$500,000). 
The overall single audit scope may focus on ensuring that the organization's financial statements are presented fairly, have an adequate internal control structure, and comply with any special government regulations and laws that apply to the specific type of federal funding. However, a single audit is significantly more detailed than a regular independent audit. Auditors performing single audits are required to receive an enhanced level of certification, and they must conduct higher levels of testing on expenses to ensure that federal funds have been used appropriately and are documented and reported correctly in the nonprofit's financial statements. <br></li></ul><ul style="list-style-type:disc;"><li> <strong>Advise on governance and regulatory oversight. </strong>Auditors can go beyond compliance issues by making observations and providing recommendations to help improve the governance and regulatory framework surrounding nonprofit organizations.<strong> </strong>This framework is so fractured it is difficult to know who is in charge and who is watching whom. In the Native Relief Charities case, the U.S. Internal Revenue Service (IRS) was able to catch the fraudster. But the regulatory approach taken is either "front-end loaded" (e.g., to grant tax-exempt status) or focused on catching up to the thief after the crime has been committed. Setting up a subsidiary or parallel nonprofit structure to hide fraudulent activity, as in this story, does not seem to receive particular scrutiny. Once nonprofits start raising money or spending grants, oversight is largely left to state governments. In a December 2014 <a href="" target="_blank">report</a> (PDF), the U.S. Government Accountability Office (GAO) critiqued the IRS for failing to track how well its regulators are doing their jobs in this area. 
The GAO also observed that the IRS doesn't have the manpower to go after charities that flout the law and could do more to help state regulators target the crooks operating within them.<br> <br> The situation at the state level also needs improvement. The authorities in charge vary significantly. For example, in Pennsylvania the Department of State is responsible; in California it is the Attorney General; and in Florida the Department of Agriculture and Consumer Services has this authority. Moreover, the rules from state to state are even harder to follow. Various state and local laws may also require an independent financial audit for charitable nonprofits that receive funds from state and local governments, but only 23 states require charities to undergo an annual audit. Regulatory offices nationwide are overflowing with information on charities, but they may not be able to analyze it deeply for signs of fraud. Penalties, including for multiple violations, also vary enormously and often are small compared to the impact of the fraud. Regulators have yet to create a national list to track violators or a formal system to share information, and a fraudster forced out of one state can readily move to another state. </li></ul>Art Stewart
Fraud Sewed Up<p>California authorities have charged two jeans company subcontractors and their accountant with workers' compensation insurance fraud, <a target="_blank" href="">the Associated Press reports</a>. Sisters Sung Hyun Kim and Caroline Choi, who owned separate sewing companies, allegedly conspired to underreport US$78 million in payroll, which caused the loss of more than US$1 million in premiums to insurers. California insurance officials began their investigation after discovering a significant gap between the payroll amount the sisters reported to them and the amount they reported to the California Employment Development Department. Officials say the sisters also paid some employees under the table.</p><h2>Lessons Learned</h2><p>Workers' compensation insurance premium fraud has a significant dollar impact on the operations of insurance companies and workers themselves. Yet this amount pales in comparison to the staggering size and growth of the overall "underground economy" in the U.S. Although difficult to measure, economists estimate that as much as US$2 trillion in unreported economic activity takes place annually — double what it was in 2009. That amounted to an estimated US$500 billion in revenue losses for the U.S. government in 2013, up from US$385 billion in 2006, according to a U.S. Internal Revenue Service study.</p><p>What's behind this trend? Answers include the severity of the 2008 recession and the weakness of the recovery from it, general distrust of governments and taxation, the growth of casual work arrangements and cash wage payments in many types of jobs, immigration growth and illegal workers, and U.S. Affordable Care Act mandates to provide health insurance to employees. 
And, as illustrated in this story, some businesses and people commit fraud to keep more money for themselves.</p><p>Employers commit three basic types of premium fraud: </p><ul style="list-style-type:disc;"><li> <strong>Underreporting of payroll</strong> occurs when a policyholder fails to accurately report its entire work staff to the insurance company, often by paying employees off the books or presenting employees as subcontractors or independent contractors rather than as actual employees.</li><li> <strong>Misclassification of employees</strong> occurs when a high-risk employee, such as a construction worker, is classified as a person with low-risk clerical duties, enabling the company to pay lower workers' compensation premiums.</li><li> <strong>Experience modification evasion</strong> occurs when a company closes, then attempts to re-emerge as a new company on paper to obtain a lower experience-modification factor — and lower premiums — but the new business is actually unchanged from the original business.</li></ul><p>Regulators, organizations, and internal auditors can take several steps to deter or detect payroll and workers' compensation fraud:</p><ul style="list-style-type:disc;"><li> <strong>Strengthen and make more consistent use of regulatory tools. </strong>Many states have insurance funds and laws that prohibit workers' compensation insurance fraud schemes and grant the states audit and punitive powers including financial restitution, penalties, and criminal prosecutions. 
States like California go a step further by publishing all of the pertinent information associated with the crime committed by an employer convicted of premium fraud to the state's Department of Insurance website.</li></ul><ul style="list-style-type:disc;"><li> <strong>Educate employers regarding the need for diligence, compliance, and accurate reporting.</strong> Employers must understand the implications of good reporting, such as for the classification of jobs, as well as the fact that reporting statements could be used in fraud investigations.</li></ul><ul style="list-style-type:disc;"><li> <strong>Regularly exercise the audit provisions of workers' compensation insurance policies.</strong> The standard workers' compensation insurance policy will contain a provision allowing the insurance company to audit the insured's records at its discretion. Auditors can use certain industries, geographical locations, economic circumstances, and other factors to better target potential employer fraud abuse before it takes hold. If the auditor finds potential irregularities at an early stage, with the employer's cooperation, the typical result may be a simple reassessment and correction of the premium actually owed.</li></ul>Art Stewart
