The Phony Customer Fraud<p>Brightstar Corp. is a solar panel company with an annual revenue of $4.5 billion. It had recently acquired Solarstar Inc., a smaller competitor. Both companies employ commission-only sales representatives; however, commission plans vary between the companies. Brightstar pays sales representatives upon the installation of a solar panel system, while Solarstar’s commission plan pays half a commission upon the signing of a customer contract. The remaining commission is paid after installation of the system. If the customer cancels the installation, the commission already paid is clawed back against future commissions.</p><p>Robert Schull and Alysa Cayden, Brightstar’s forensic audit team, were conducting a training session with the recently hired director of compensation, Lisa Myers, on fraud schemes perpetrated by sales representatives. At the end of the presentation, Myers approached Schull and Cayden to discuss her concerns about Eddie Fogbottom, a sales representative in the Austin, Texas, market.</p><p>Fogbottom was a rising superstar at Solarstar. Before joining the company, he was an executive in loss prevention at several large publicly traded companies. He had incredible success as a sales representative and was recently promoted into a highly sought-after manager role within the company’s national sales team. Shortly after accepting his new position, 39 of Fogbottom’s sales were cancelled, representing $10,000 in commissions that would need to be clawed back. Because it was such a large amount, Myers contacted him to discuss a repayment plan.</p><p>Fogbottom told Myers that the company could not claw back the commissions. When he was promoted, he had a clause written into his offer letter allowing him to keep all commissions for prior sales, even if customers cancelled their accounts. Myers suspected fraud.</p><p>Solarstar uses electronic contracts, which are emailed to the customer when completed. 
The customer reviews the contract, and electronically signs and returns it. Contracts are not legally binding until the contract is returned and a down payment is received. An electronic time and date stamp is recorded on the contract as well as the customer’s computer internet protocol (IP) address.</p><p>Schull and Cayden began reviewing the cancelled contracts. The team identified several days where Fogbottom sold products to multiple customers in what appeared to be strip malls in the Austin market. What caught the attention of Schull and Cayden was the fact that the contracts were signed and returned within several minutes of each other. Even more perplexing, the contracts were returned from the same IP address. </p><p>The team began conducting customer service calls to the alleged customers to determine why they cancelled their purchases. Surprisingly, none of the phone numbers documented on the contracts were in service. In addition, an internet review of the customers revealed that not a single customer had an internet presence. </p><p>The investigation team turned their attention to the down payments received on the contracts. Solarstar required its sales representatives to collect a down payment when a customer signed a contract. The sales representative would document the collection in the company’s order system. If the down payment was paid with a check, the sales representative would bring the check into the local sales office to be compiled and sent to the company’s lockbox. A review of the order system revealed that Fogbottom documented that checks were obtained during the contracting process, but none of them had been received in the lockbox.</p><p>Cayden reviewed the customer sites using Google Earth. The review revealed that many of the customer locations did not appear to exist or had been constructed after Google’s last update. Schull enlisted the assistance of Brightstar’s area general manager, Michael Gonzalez. 
A 25-year Brightstar veteran and lifelong resident of Austin, Gonzalez accompanied Schull to the customer locations. It came as no surprise when Schull and Gonzalez found themselves standing in empty fields. Schull documented the visits with photos of the alleged customer sites.</p><p>Schull then reviewed Fogbottom’s employment history. An internet search revealed that Fogbottom had, in fact, worked for the organizations he had listed on his résumé. However, no references were listed in his employment file. Schull was suspicious about why a former loss prevention executive would accept an entry-level sales position.</p><p>Fogbottom was asked to come to the Austin office for an interview with Schull and Karol Vesey from human resources. Schull believed the interview would be challenging as Fogbottom had extensive interviewing experience in his loss prevention role. During the initial stages of the interview, Fogbottom presented himself as a professional loss prevention executive turned successful national sales manager. He bragged about his experience and connections to the community. </p><p>When presented with the photographs of the empty fields, Fogbottom’s demeanor changed. He alleged that a general contractor named Sal was constructing all three strip malls, and that the customers met him at a local coffee shop where they all completed their contracts in succession. Fogbottom could not remember Sal’s last name or produce a contact number for him or any of the alleged customers. Initially, Fogbottom refused to admit that he falsified the contracts in question. However, after an extensive interview, Fogbottom admitted that he was having personal problems and was fired from his former employer. He also admitted that he falsified the contracts for the commissions because he had taken a substantial pay cut from his previous role and was having trouble making ends meet. </p><p>Fogbottom was terminated, but no charges were brought, and the money was clawed back. 
Solarstar updated its commission plans to only pay sales representatives upon installation. Two weeks after Fogbottom’s termination, Schull received a call from Brightstar’s Fresno, Calif., office where the same fraud scheme was suspected and later validated.</p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>Lessons Learned</strong><br><ul><li>A combination of fundamental internal control activities helps minimize fraud.</li><li>Conduct and update a fraud risk assessment regularly. In this case, a fraud risk assessment should have identified the control weakness in the backlog report, commission payment process, and revenue reconciliation process.</li><li>Conduct appropriate background checks on key employees to identify any red flags for possible unethical behavior.</li><li>Perform regular reviews of installation backlog reports to identify irregular activities. Detecting any potential exploitation is the best approach to minimizing negative unintended consequences. </li><li>Conduct monthly reconciliations of revenue collections. Discrepancies should be researched immediately and escalated if unresolved. </li></ul></td></tr></tbody></table>Grant Wahlstrom
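<p>The two checks the investigators ran by hand, as an added Python example that is not part of the original article: group e-signed contracts by signing IP address and flag bursts returned within minutes of each other, then reconcile down-payment checks logged in the order system against what reached the lockbox. The field names, the 10-minute window, and every sample record are constructed assumptions, not Solarstar's data or schema.</p>

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions, not a real schema.
# The IP addresses come from the reserved documentation ranges.
CONTRACTS = [
    {"id": "C-101", "rep": "rep-17", "signed_at": "2018-03-02T14:01:10",
     "ip": "203.0.113.25", "check_no": "5001"},
    {"id": "C-102", "rep": "rep-17", "signed_at": "2018-03-02T14:04:42",
     "ip": "203.0.113.25", "check_no": "5002"},
    {"id": "C-103", "rep": "rep-17", "signed_at": "2018-03-02T14:09:05",
     "ip": "203.0.113.25", "check_no": "5003"},
    {"id": "C-104", "rep": "rep-22", "signed_at": "2018-03-02T16:30:00",
     "ip": "198.51.100.7", "check_no": "7710"},
    {"id": "C-105", "rep": "rep-17", "signed_at": "2018-03-05T09:15:00",
     "ip": "203.0.113.25", "check_no": "5004"},
]
LOCKBOX_CHECKS = {"7710"}  # check numbers actually received at the lockbox


def _summarize(ip, cluster):
    """Describe one burst: who signed what, and how tightly packed it was."""
    times = [signed for signed, _ in cluster]
    return {
        "ip": ip,
        "contracts": [c["id"] for _, c in cluster],
        "reps": sorted({c["rep"] for _, c in cluster}),
        "span_seconds": int((times[-1] - times[0]).total_seconds()),
    }


def signing_bursts(contracts, window=timedelta(minutes=10), min_size=2):
    """Clusters of contracts e-signed from one IP, each within `window` of the last."""
    by_ip = defaultdict(list)
    for c in contracts:
        by_ip[c["ip"]].append((datetime.fromisoformat(c["signed_at"]), c))
    bursts = []
    for ip, rows in by_ip.items():
        rows.sort(key=lambda row: row[0])
        cluster = [rows[0]]
        for row in rows[1:]:
            if row[0] - cluster[-1][0] <= window:
                cluster.append(row)
                continue
            if len(cluster) >= min_size:
                bursts.append(_summarize(ip, cluster))
            cluster = [row]
        if len(cluster) >= min_size:
            bursts.append(_summarize(ip, cluster))
    return bursts


def missing_down_payments(contracts, lockbox_checks):
    """Contracts whose logged down-payment check never reached the lockbox."""
    return [c["id"] for c in contracts if c["check_no"] not in lockbox_checks]


def review_queue(contracts, lockbox_checks):
    """Contracts that fail both tests, grouped by sales representative."""
    unpaid = set(missing_down_payments(contracts, lockbox_checks))
    rep_of = {c["id"]: c["rep"] for c in contracts}
    queue = defaultdict(list)
    for burst in signing_bursts(contracts):
        for contract_id in burst["contracts"]:
            if contract_id in unpaid:
                queue[rep_of[contract_id]].append(contract_id)
    return dict(queue)


if __name__ == "__main__":
    for burst in signing_bursts(CONTRACTS):
        print(burst)
    print("no lockbox receipt:", missing_down_payments(CONTRACTS, LOCKBOX_CHECKS))
    print("review first:", review_queue(CONTRACTS, LOCKBOX_CHECKS))
```

<p>Run monthly against the order system, the reconciliation half of this check would surface a missing down payment before the signing commission is paid rather than after the cancellations arrive.</p>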
When You Spot Fraud, Don't Break the Eggs<p><img src="/2019/PublishingImages/Foot%20Over%20Eggshells.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />The <em>International Standards for the Professional Practice of Internal Auditing </em>are clear: Internal auditors must possess the knowledge, skills, and competencies needed to carry out their responsibilities. Some internal auditors also have the knowledge and skills to carry out a fraud examination effectively, but <em>most do not</em>. And in an upcoming position paper, The IIA emphasizes that internal auditors should not be expected to have the expertise of those professionals whose primary responsibility is to investigate fraud. The IIA believes fraud investigations are best carried out by those experienced to undertake such assignments.<br></p><p>Hopefully, your organization has a fraud response plan that assigns specific duties and responsibilities. But if not, don't automatically assume that, as an internal auditor, you should undertake a fraud investigation single-handedly or that you should lead a fraud investigation team yourself.  <br></p><p>We all need to be familiar with the indicators of fraud, and we need to be able to evaluate anti-fraud controls. But few internal auditors are fully equipped to be fraud investigators. An interrogation is very different from an audit interview, and there can be great risk between reviewing evidence and contaminating it. When fraud is suspected, a simple mistake can easily become a costly and career-limiting move.<br></p><p>I have seen too many instances during my career where well-intentioned internal auditors inadvertently damaged the chances of a successful fraud investigation because they were either careless or simply didn't understand the risks of their actions. I always cautioned my teams to be careful not to "break the eggs" when they came upon a potential fraud during the course of an internal audit. 
From my experience, the following are just a few types of mistakes that internal auditors can make when they encounter evidence of fraud.<br></p><ol><li><strong>Do not discuss the situation with anyone who does not have a need to know.</strong><strong> </strong>Even the existence of an investigation should be kept confidential. Keep in mind that the scope of an occupational fraud is often bigger than it first appears, and you may not yet have identified everyone who is involved in the crime. Our profession's Code of Ethics requires confidentiality, and it's not appropriate to chat about new or ongoing investigations even with other internal auditors. </li><li><strong>Do not make accusations or rush to judgment.</strong><strong> </strong>The evidence may appear to indicate that someone has committed a crime, but accusations can lead to charges of slander, libel, or wrongful termination. It should rarely be an internal auditor's job to accuse anyone of fraud, so contact your supervisor before saying something you might later regret.</li><li><strong>Do not disrupt operations.</strong><strong> </strong>If you do, you may tip off potential fraudsters that they are under suspicion. Your actions may cause them to destroy important evidence, to warn accomplices, or to take other actions that can undermine an investigation.</li><li><strong>Do not disturb a potential crime scene or do anything that might contaminate or destroy digital evidence.</strong><strong> </strong>Internal auditors are good at examining evidence, but special care must be taken during investigations. For example, it may seem appropriate to examine a suspect's computer records or to make a backup copy of his or her files. But computer forensics experts never perform analysis on original media. Simply by turning on a suspect's computer, opening a file, or making a backup, you are changing digital time stamps and hash values, potentially compromising important evidence. 
At times, action is unavoidable: It may be necessary to isolate a computer to prevent connections into and out of the system, for example. But preserving digital evidence is tricky. Unless you have specialized training in computer forensics, call for help before proceeding.</li><li><strong>Do not fail </strong><strong>to swiftly alert legal counsel and human resources professionals. </strong>It's likely your fraud response plan states that it's necessary to brief legal counsel and a human resources (HR) representative before a formal investigation is launched. HR input can be especially important if termination or other disciplinary actions might result from the investigation. Depending upon the circumstances, your organization may be required to make disclosures about criminal activities to regulators, law enforcement, clients, shareholders, or other parties. Legal counsel can help to ensure that regulatory requirements are not overlooked; and attorney-client privilege can help protect your organization from disclosure of details that it might not want to make public immediately. </li><li><strong>Do not assume you should perform interrogations.</strong><strong> </strong>When performed with expertise, interrogations can be an excellent source of information. Without that expertise, an investigation can be irreparably damaged. Internal audit interviews and discussions often employ collaborative approaches that are not necessarily appropriate during investigations; but an accusative approach can also be a big mistake. Nobody wants a hostile or defensive suspect.</li><li><strong>Do not neglect your files</strong><strong>. </strong>It's never a good idea to leave internal audit workpapers unsecured, but when fraud is involved, keeping documentation safe and confidential is particularly important. Having a copy of a document is not as good as having the original.</li></ol><p>Fraud investigations can be high-risk engagements. 
If you think there is a possibility of fraud, don't break the eggs. You should not take any action that might tip off potential fraudsters or compromise evidence so that it can't be investigated later. I don't mean to imply that internal audit should never be involved in fraud investigations, but if the internal auditors are not fully trained investigators, it's time to seek help from specialists. A wise internal auditor understands the limits of his or her own knowledge and knows when to ask for help.</p><p>I look forward to your thoughts on this important subject.<br></p>Richard Chambers
Glowing Reviews<p>In a first-ever case, the U.S. Federal Trade Commission (FTC) announced that a supplement company has agreed to settle charges of paying for false product reviews on Amazon, <a href="" target="_blank">The Verge reports</a>. Cure Encapsulations Inc. paid third-party website amazonverifiedreviews.com to write reviews for its garcinia cambogia weight-loss supplement. To settle with the FTC, the company agreed to stop making claims about the health benefits of its products unless they are supported by "competent and reliable" scientific evidence. The settlement bars Cure Encapsulations from misrepresenting endorsements, and it directs the company to inform Amazon and customers who purchased the product that it paid for reviews. </p><h2>Lessons Learned</h2><p>The ubiquity of e-commerce has attracted much fakery — both on the part of sellers and users. Faked reviews using techniques such as "opinion spamming," "shilling," and "astroturfing" represent part of a much larger and still growing worldwide trend. One example is how people have come to consider reviews of travel sites and experiences as often not real. Similarly, people should be skeptical of many seller claims, particularly where these involve promises of better health and wealth. </p><p>Previous fraud stories have covered faked user reviews, fraudulent scientific research, and the scamming of authors who pay to have their work published in fake scientific journals. Some of the relevant advice is worth restating here. Meanwhile, the FTC is making strides against this kind of fraud and sending an appropriate message to its perpetrators. But what more can be done?</p><p>E-commerce companies such as Amazon have established quality standards — particularly when health and wealth-making claims are made by sellers. In this case, Cure Encapsulations violated Amazon's rules about promotional content. 
E-commerce sites also may demand and review verifiable supporting evidence. But, where such evidence is not forthcoming or sufficiently definitive, sellers' advertisements and offerings should be required to include a clear and suitable disclaimer that the product or service has not been independently verified. </p><p>Setting a stricter bar to require this kind of disclaimer would further discourage fraudulent claims and reviews. Signed disclosure agreements should be mandatory and should include identifying relationships among vendors, reviewers, and entities such as products and stores. This is particularly necessary where there may be compensation, either in kind or financially. Companies should conduct regular spot checks and audits of both disclosure agreements and disclaimers.</p><p>To look for this type of fraud, companies that host sellers, and their internal auditors, need to use statistical and artificial intelligence-based fraud-detection methodologies. Quantitative, web-based data mining such as pattern discovery and relational modeling can be particularly effective at finding red flags, including: </p><ul><li> <strong>Reviewer behaviors that should be further scrutinized.</strong> Public data available from websites can be data-mined, including user profile/reviewer IDs, time of posting, frequency of posting, instances of first reviewers of products, and posting of the same or similar reviews at other locations of the same company. For example, a username that has more than three numbers at the end could indicate an automated program is at work. <br> <br>Also, search website private/internal data, such as internet protocol and media access control addresses, time taken to post a review, the number of reviewers who created accounts around the same time — including at the time a domain name was registered — and physical location of the reviewer. 
Follow up on any behavioral red flags detected.<br><br></li> <li><strong>The content of reviews.</strong> This includes obvious content and style similarities among reviews by different reviewers, and copying and pasting reviews by other reviewers. Patterns in the use of overly positive, and negative, language or marketing jargon normally not used by most people also can be signs of made-up reviews. Finally, look for unique phrasings such as word n-grams and part-of-speech n-grams — contiguous sequences of <em>n</em> items from a given sample of text or speech — which can be searched via data mining. </li></ul>Art Stewart
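<p>The behavioral and content red flags listed above, as an added Python example that is not part of the original article: it flags usernames ending in more than three digits, accounts created within minutes of each other, accounts sharing an IP address, and review pairs whose word 3-grams overlap heavily (Jaccard similarity). The record layout, the 10-minute window, the 0.5 threshold, and the sample reviews are constructed assumptions; part-of-speech n-grams need a tagger and are not shown.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample reviews; field names are assumptions, not a platform's schema.
REVIEWS = [
    {"user": "healthfan20187", "created": "2019-01-10T08:00:00", "ip": "203.0.113.9",
     "text": "This supplement literally melted the fat away, best product I have ever used!"},
    {"user": "slimnow55521", "created": "2019-01-10T08:03:00", "ip": "203.0.113.9",
     "text": "This supplement literally melted the fat away, best thing I have ever used!"},
    {"user": "maria_k", "created": "2017-06-02T19:20:00", "ip": "198.51.100.40",
     "text": "Capsules are large and I did not notice much change after a month."},
    {"user": "dave82", "created": "2018-11-23T12:00:00", "ip": "192.0.2.77",
     "text": "Arrived on time. Mild effect on appetite, nothing dramatic."},
]


def numeric_suffix_len(username):
    """Number of digits at the very end of a username."""
    return len(re.search(r"\d*$", username).group())


def word_ngrams(text, n=3):
    """Set of contiguous n-word sequences, case and punctuation ignored."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def text_similarity(text_a, text_b, n=3):
    """Jaccard overlap of the two texts' word n-gram sets (0.0 to 1.0)."""
    a, b = word_ngrams(text_a, n), word_ngrams(text_b, n)
    return len(a & b) / len(a | b) if a | b else 0.0


def flag_reviews(reviews, max_digits=3, window=timedelta(minutes=10), threshold=0.5):
    """Map each reviewer to the sorted list of red flags raised against them."""
    flags = {r["user"]: set() for r in reviews}
    users_by_ip = defaultdict(set)
    for r in reviews:
        # "More than three numbers at the end" of the username.
        if numeric_suffix_len(r["user"]) > max_digits:
            flags[r["user"]].add("numeric_suffix")
        users_by_ip[r["ip"]].add(r["user"])
    for users in users_by_ip.values():
        if len(users) > 1:
            for user in users:
                flags[user].add("shared_ip")
    # Pairwise checks: accounts created close together, and near-identical text.
    for a, b in combinations(reviews, 2):
        hits = []
        gap = abs(datetime.fromisoformat(a["created"]) - datetime.fromisoformat(b["created"]))
        if gap <= window:
            hits.append("account_burst")
        if text_similarity(a["text"], b["text"]) >= threshold:
            hits.append("near_duplicate_text")
        for user in (a["user"], b["user"]):
            flags[user].update(hits)
    return {user: sorted(found) for user, found in flags.items()}


if __name__ == "__main__":
    for user, found in flag_reviews(REVIEWS).items():
        print(f"{user:16} {', '.join(found) or 'no flags'}")
```

<p>No single flag proves a review is paid for; reviewers who collect several at once are the ones to follow up, as the list above advises.</p>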
The Politics of Corporate Corruption<p>The ongoing SNC-Lavalin scandal has reached Canada's government with the recent resignation of Veterans Affairs Minister Jody Wilson-Raybould, <a href="" target="_blank">according to Global News</a>. The engineering and construction company faces charges of attempting to bribe government officials in Libya and defrauding Libyan companies. </p><p>Last year, when Wilson-Raybould was justice minister, federal prosecutors refused SNC-Lavalin's request to avoid a criminal trial by making a financial payment under a new remediation agreement law. A <em>Globe and Mail</em> report alleges that SNC-Lavalin lobbied the prime minister's office to pressure Wilson-Raybould to convince prosecutors to change their decision, but she refused.</p><p>In January, Wilson-Raybould was named Veterans Affairs minister, but she later resigned. Prime Minister Justin Trudeau has called the <em>Globe and Mail</em> allegations "false."</p><h2>Lessons Learned</h2><p>Two previous articles on have covered this long-running fraud case (see <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=aa811411-b59e-4e6f-91ed-e7f6c9d522df">"Constructing Fraud"</a> and <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=3da8278f-5ca0-4c59-810a-c3113aec7149&TermSetId=bb519a46-9cdb-4e10-8446-505034f60087&TermId=f8ac1edc-76e5-4883-855f-d6e0734fd33e">"Foreign Bribery"</a>). With no resolution in sight, events have taken an unexpected and politically charged turn. </p><p>These events underscore the need for companies and governments to establish and maintain strong legislative, regulatory, and business controls against the threat of corruption and bribery activities abroad. That said, governments also should consider whether only those found guilty of such crimes, or also their companies, should face tough penalties. 
A particular concern is whether those penalties would cause the business to shut down, harming innocent lives. In a country such as Canada, with a small number of very large companies employing thousands of people, that is an important balancing act.</p><p>That is partly why the Canadian federal government recently changed the Criminal Code to establish a remediation agreement regime that allows companies that face being barred from bidding on government contracts — upon which SNC-Lavalin heavily relies — to pay financial penalties instead. Whether there was political pressure applied to Department of Justice officials and their minister to agree to a deal remains unclear. However, it appears that prosecutors were not convinced that the facts of SNC-Lavalin's case merited approval of such an agreement. This may be because of the repeated and widespread nature of the alleged bribes and corruption, especially in Libya. There are a few lessons internal auditors, government officials, and regulators can learn:</p><ul><li>The prosecutors' decision supports an important principle — applicable to internal auditors — that there must be independence of advice and decision-making in dealing with fraud cases. Moreover, auditors need to be confident that their advice and recommendations will be taken seriously by decision-makers and not compromised.<br><br></li><li>SNC-Lavalin needs to demonstrate accountability and publicly show it has made a major shift in its culture and business practices. On its website, the company states it "has developed and built a world-class ethics and compliance framework" and changed some board and management leaders. The company should back up those statements by cooperating fully with enforcement authorities to bring to justice individuals with significant involvement in bribery and corruption activities. 
<br> <br></li><li>To demonstrate a permanent, systemic change in its culture and business practices, SNC-Lavalin should plan and implement regular anti-fraud, corruption, and bribery-related audits. These audits should be part of a top-down, bottom-up approach to a balanced compliance program. <br> <br></li><li>Better yet, SNC-Lavalin should make the results of these audits publicly available, along with management's response. The audits should address the related controls, as well as their strengths and weaknesses. These include controls over funds, unauthorized use of bank accounts, high-risk procurement and payment mechanisms, inappropriate use of intermediaries and payments, and the adequacy of cost accounting and accounting records. </li></ul>Art Stewart
Fraud Fliers<p>Multiple employee fraud cases may cost Chinese drone manufacturer SZ DJI Technology Co. $150 million in losses, <a href="" target="_blank">Bloomberg reports</a>. An internal probe discovered extensive corruption and a lapse in internal controls at the company, which is the world's largest consumer drone maker. DJI says it has fired multiple employees as a result of the ongoing investigation by the company and Chinese authorities. Among its remedies, DJI says it has established channels for employees to confidentially report workplace conduct violations.  </p><h2>Lessons Learned</h2><p>A statement from DJI's management sums up the essential reason why this fraud may have occurred: "While mature companies have established the training, controls, and management protocols to limit these issues, DJI has in the past emphasized corporate growth over new internal processes." If so, this is a critical lesson for startup companies in rapidly developing business environments: balance speed with control.</p><p>DJI has acknowledged it needs to strengthen its internal controls, establish clear policies governing employee ethical behavior, and implement effective whistleblower programming. However, at the heart of the corrective measures needed may be those aimed at detecting and deterring purchasing price manipulations and outright theft. While DJI has not reported the specifics of the frauds committed, the company may need to address these apparent types of asset misappropriation and vendor fraud. 
Measures DJI should implement include:</p><ul><li>Train all employees on bribery and corruption prevention.</li><li>Reward employees for ethical behavior and discipline employees — including senior managers — who breach the company's code of ethics.</li><li>Conduct thorough background checks on new employees and renew those checks periodically.</li><li>Conduct a risk assessment, including fraud risk, to identify areas to watch more closely.</li><li>Implement checks and balances and use data mining to uncover anomalies and patterns in product purchasing and pricing. These areas should have strict financial and systems controls that specify purchase pricing and contract limits, and raise flags about pricing anomalies. For example, if invoices reflect significantly higher prices over negotiated contract prices, previous contracts, or industry standards, the invoices may not be legitimate. Running spending analysis reports also can help identify unusual or excessive spending.</li><li>Separate the functions of the company's purchasers and check signers, and rotate the duties of employees in these areas.</li><li>Conduct random audits of company purchasing accounts and vendor files.</li><li>Implement checks and balances on purchasers and payments to vendors. This includes not paying invoices unless goods or services have been delivered, and verifying invoices, including pricing — preferably using three-way matching and periodic audits. Look out for fake orders. While it may seem impossible for this type of fraud scheme to work, it can be accomplished easily in organizations with decentralized purchasing and a disorganized process. 
This is especially the case where there is no procurement software to verify orders from purchase order through delivery, invoice, and payment.</li><li>Conduct due diligence on vendors by verifying information such as business name, tax identification number, phone number, post office box and street address, and bank account.</li><li>Look for signs of vendor/employee conflicts of interest or collusion, including bid rigging, preferred supplier schemes, kickbacks, and bribes. Scrutinize unusual bid patterns and business relationships by comparing vendor addresses with employee addresses.</li><li>Implement a dual-review process for master vendor file management. Also review the master vendor file to check that the volume and pricing of billing is reasonable and consistent.</li></ul>Art Stewart
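<p>Three of the purchasing controls listed above, as an added Python example that is not part of the original article: a three-way match of invoice against purchase order and goods receipt, a comparison of invoiced price with the negotiated contract price, and a comparison of vendor addresses with employee addresses. The record layout, the 5 percent price tolerance, the abbreviation table, and all sample data are constructed assumptions.</p>

```python
import re

# Constructed sample records; field names and values are assumptions.
CONTRACT_PRICES = {("V-100", "motor-2212"): 12.50, ("V-200", "battery-4s"): 41.00}
PURCHASE_ORDERS = {
    "PO-1": {"vendor": "V-100", "item": "motor-2212", "qty": 1000},
    "PO-2": {"vendor": "V-200", "item": "battery-4s", "qty": 500},
}
GOODS_RECEIPTS = {"PO-1": 1000, "PO-2": 300}  # quantity actually delivered per PO
INVOICES = [
    {"id": "INV-1", "po": "PO-1", "vendor": "V-100", "item": "motor-2212",
     "qty": 1000, "unit_price": 15.75},
    {"id": "INV-2", "po": "PO-2", "vendor": "V-200", "item": "battery-4s",
     "qty": 500, "unit_price": 41.00},
    {"id": "INV-3", "po": "PO-9", "vendor": "V-300", "item": "gimbal-x",
     "qty": 50, "unit_price": 80.00},
]
VENDOR_ADDRESSES = {"V-100": "12 Harbor Rd., Suite 4", "V-300": "88 Elm Street Apt 2"}
EMPLOYEE_ADDRESSES = {"E-7": "88 elm st. apt 2", "E-9": "5 Oak Avenue"}

ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd",
                 "suite": "ste", "apartment": "apt"}


def match_invoice(invoice, tolerance=0.05):
    """Three-way match plus price check; returns the list of exceptions found."""
    po = PURCHASE_ORDERS.get(invoice["po"])
    if po is None:
        return ["no_purchase_order"]  # possible fake order
    issues = []
    if (po["vendor"], po["item"]) != (invoice["vendor"], invoice["item"]):
        issues.append("po_mismatch")
    if invoice["qty"] > po["qty"]:
        issues.append("qty_exceeds_ordered")
    if invoice["qty"] > GOODS_RECEIPTS.get(invoice["po"], 0):
        issues.append("qty_exceeds_received")  # billed for undelivered goods
    agreed = CONTRACT_PRICES.get((invoice["vendor"], invoice["item"]))
    if agreed is None:
        issues.append("no_contract_price")
    elif invoice["unit_price"] > agreed * (1 + tolerance):
        issues.append("price_above_contract")
    return issues


def invoice_exceptions(invoices):
    """Invoices that should not be paid until someone has looked at them."""
    report = {inv["id"]: match_invoice(inv) for inv in invoices}
    return {inv_id: issues for inv_id, issues in report.items() if issues}


def normalize_address(address):
    """Lowercase, drop punctuation, and collapse common street-type spellings."""
    tokens = re.findall(r"[a-z0-9]+", address.lower())
    return " ".join(ABBREVIATIONS.get(token, token) for token in tokens)


def shared_addresses(vendors, employees):
    """(vendor, employee) pairs registered at the same normalized address."""
    by_address = {}
    for employee, address in employees.items():
        by_address.setdefault(normalize_address(address), []).append(employee)
    return [(vendor, employee)
            for vendor, address in vendors.items()
            for employee in by_address.get(normalize_address(address), [])]


if __name__ == "__main__":
    print(invoice_exceptions(INVOICES))
    print(shared_addresses(VENDOR_ADDRESSES, EMPLOYEE_ADDRESSES))
```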
Fleecing the Crowd<p>What started as a feel-good story has turned into accusations of fraud. An October 2017 story about a homeless veteran who gave his last $20 to a couple whose car had run out of gas prompted the couple to launch a crowdfunding campaign that raised $400,000 to help the man. The problem is he didn't receive the money. </p><p>In November 2018, prosecutors in Burlington County, N.J., charged the couple, Katelyn McClure and Mark D'Amico, and the homeless man, Johnny Bobbitt Jr., with fraud, <a href="" target="_blank"> <em>USA Today</em> reports</a>. Prosecutors say the couple made up the story and had actually met Bobbitt at a casino the month before they launched the campaign. McClure and D'Amico allegedly used the money raised from about 14,000 donations to buy luxury items and for casino trips. Although Bobbitt did not receive the money, prosecutors say he willingly participated in the alleged scheme. GoFundMe has refunded donations to everyone who contributed to the fund.</p><h2>Lessons Learned</h2><p>GoFundMe is one of several crowdfunding platforms that have emerged in recent years, alongside Indiegogo, Kickstarter, and Patreon. The crowdfunding industry is growing rapidly. Statistics research portal Statista estimates that more than 5 million crowdfunding campaigns raised close to $4 billion in donations worldwide in 2017. </p><p>GoFundMe has raised about $5 billion since 2005, with more than 2 million campaigns and 50 million donors. The platform primarily serves personal projects and donation pages, or other campaigns that otherwise don't fit the more common commercial model of companies such as Kickstarter. Funding requests cover a wide range of needs, from community sports groups to disaster relief to education and medical care. </p><p>With so many campaigns, fraudulent activity is not surprising, although GoFundMe's website claims that fraud occurs in less than one-tenth of one percent of its campaigns. 
Indeed, although crowdsourced funding opportunities have removed many structural roadblocks for people to access capital quickly and conveniently, they also have lowered the barrier to entry for many old scams.</p><p>What can crowdfunding companies do to reduce the threat of fraud? One solution is establishing and consistently applying standards for evaluating funding campaigns for fraud before they are allowed to collect donations.<strong> </strong></p><p>GoFundMe's website has some warnings about fraudulent activity and lists several categories that it won't allow, such as hate speech. However, the company's terms of service effectively disclaim any responsibility for control over the conduct or information provided by a campaign organizer. Moreover, GoFundMe does not appear to significantly vet campaigns, which is the most obvious and potentially effective method of deterring the kind of fraud in this story. Even some form of random spot-checking would help. By comparison, Kickstarter has a vetting process before allowing campaigns to go live on its website. </p><p>Several types and sources of information about a campaign and its creators may raise red flags for both crowdfunding companies and potential donors. Internal auditors should consider several measures aimed at identifying fraudulent activity:</p><ul><li>Search the web and social media platforms for information about the campaign creators and the project to assess the creators' background and track record. Red flags include a new page, many recent followers, and pages with only a few posts or comments, especially by the same few people.</li><li>Find out how long the group's website has existed and learn the history of the group's accomplishments. If the campaign is similar to past campaigns, or is posted on several crowdfunding platforms, this is another red flag.</li><li>Beware of campaigns posted just after a tragedy, seemingly heroic events, or natural disasters. 
The classic example of this is the large number of people who have been prosecuted for raising money for illnesses such as cancer treatments when they were not ill. Examine how the organizer will distribute and account for the money donated. If the campaign is ongoing, the creators should be giving regular updates to donors. The fact that the campaign may have links to broader regional, national, or global campaigns — such as those that appear after tornadoes, floods, hurricanes, and earthquakes — does not necessarily protect against fraud. Actually, such campaigns can be hotbeds for fraud.</li><li>Always be skeptical. Visit websites devoted to crowdsourcing fraud, such as <a href="" target="_blank"></a> and <a href="" target="_blank"></a>. Be especially diligent in researching a campaign about an individual supporting a "worthy cause." </li></ul>Art Stewart
Penalizing Corruption<p>Since its inception, the U.S. Securities and Exchange Commission (SEC) Whistleblower Program has fined wrongdoers more than $1.7 billion. “Whistleblowers have played a crucial role in the progression of many investigations and the success of enforcement actions,” said Jane Norberg, SEC chief of the Whistleblower Program, following the $16 million payout to two whistleblowers in November 2017.<br></p><p>The SEC’s 2017 Annual Report to Congress on the Whistleblower Program provides insights for internal auditors and audit committees into the program’s scope, focus, and results. In 2017, the SEC awarded approximately $50 million to 12 individuals for various whistleblower actions. These reports included providing information about a fraud arrangement that was difficult to detect, disrupting investment schemes that targeted unsophisticated investors, and supplying industry-specific information. Norberg stressed the three key features of the program are monetary rewards for information that leads to successful enforced actions, anti-retaliation protections, and confidentiality safeguards. </p><p>Given the growing impact of the SEC Whistleblower Program, internal auditors should encourage executives and directors who oversee governance to understand the key elements of the program. Moreover, auditors should ensure internal processes and controls are in place to effectively resolve whistleblower concerns and build employee trust.</p><h2>Whistleblower Incentives</h2><p>The SEC Whistleblower Program was created in 2011, as directed by Section 922 of the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act, to provide incentives to whistleblowers to report federal securities law violations. Section 21F allows rewards for individuals who provide information that leads to a successful SEC enforcement action resulting in sanctions greater than $1 million. 
Whistleblowers may be an employee, an insider such as a consultant, or an outsider of the company. </p><p>Whistleblowers are eligible for payments of 10 percent to 30 percent of the monetary sanctions collected. To receive payment, the whistleblower must complete the award application within 90 days of when the SEC Notice of Covered Action is posted. Factors that could increase the payment amount include how vital the information is to the SEC action, higher level of cooperation, and evidence the violation was first reported through the company’s internal network. Inversely, factors that could decrease payment include the whistleblower’s involvement in the violation and significant delay in reporting the violation.</p><h2>Program Growth</h2><p><img src="/2018/PublishingImages/Gaydon-whistleblower-tips.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:400px;height:320px;" />Since the whistleblower rules took effect in 2011, the SEC has received more than 22,000 tips, complaints, and referrals (TCRs). “Whistleblower Tips,” at right, shows that TCRs have risen 49 percent since 2012, reaching an all-time high in 2017. The categories that have remained the highest over the life of the program include corporate disclosure, offering fraud, and manipulation (see “Whistleblower Allegation Types” below). </p><p>Approximately 68 percent of TCRs submitted in 2017 came from the U.S., 20 percent from international locations, and 12 percent from a location not disclosed. The annual number of TCRs submitted internationally has grown 75 percent since 2012.</p><p>Although the Dodd-Frank Act prohibits the SEC from disclosing the identity of the whistleblower, the commission does publish the roles in which the whistleblowers served in aggregate. In 2017, most award recipients were current (30 percent) or former employees (25 percent). 
The remaining recipients included harmed investors (19 percent), outsiders (15 percent), other insiders (7 percent), and industry professionals (4 percent). </p><p>Not only are the TCRs up, the amount paid to whistleblowers from the Investor Protection Fund also has been increasing. The SEC has awarded more than $60 million to whistleblowers since 2012 (see “The Top Whistleblower Awards” at the end of this article). </p><h2>Protecting Whistleblowers<br></h2><p>With the monetary awards and payouts growing each year, the SEC has emphasized whistleblower protection since 2017. In separate instances, the SEC levied $2.4 million in penalties against publicly listed companies that retaliated against or hindered employees’ ability to report potential violations to the commission.</p><p><img src="/2018/PublishingImages/Gaydon-whistleblower-tips.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:400px;height:320px;" />Specifically, Section 21F(h)(1) of the Dodd-Frank Act provides whistleblowers with protection against retaliation. In addition, Exchange Act Rule 21F-17(a) forbids employers from preventing employees from reporting securities violations to the SEC. The act states that “no person may take any action to impede an individual from communicating directly with the commission staff about a possible securities violation, including enforcing, or threatening to enforce, a confidentiality agreement … with respect to such communications.” The SEC can take legal action against employers that retaliate against employees for reporting federal securities law violations. </p><p>In 2017, the SEC found numerous violations of Rule 21F-17(a). For example, Washington, D.C.-based financial service firm Homestreet Inc. agreed to pay a $500,000 penalty for attempting to identify a whistleblower following an SEC inquiry into accounting violations. 
Moreover, the SEC found that Homestreet employees were only eligible for severance benefits if they signed an agreement waiving potential whistleblower rewards. </p><p>The SEC also brought actions against companies for implementing restrictive covenants in their severance and termination agreements. In January 2017, BlackRock Inc. agreed to pay a $340,000 penalty for including inappropriate language in its separation contracts. In exchange for monetary payments, more than 1,000 former employees signed agreements waiving “any right to recovery of incentives for reporting misconduct, including, without limitation, under the Dodd-Frank Wall Street Reform and Consumer Protection Act.” <br></p><p>In another example, the SEC found Oklahoma energy company SandRidge Energy Inc. had violated both Rule 21F-17(a) and the whistleblower anti-retaliation provisions of Section 21F(h). SandRidge terminated an employee after the whistleblower expressed concerns regarding a reserve calculation. In addition, more than 500 former SandRidge employees signed separation agreements from August 2011 to April 2015 that prevented them from disclosing information to any governmental agency regarding company investigations. SandRidge agreed to pay $1.4 million in penalties. </p><p>Internal auditors may help the organization define, monitor, and manage elements of the whistleblower process to ensure an effective and appropriate avenue is provided to report claims. Auditors also can review whether claims were resolved appropriately. </p><h2>Internal Audit Implications </h2><p>With more than $1 billion in penalties levied so far against companies, the SEC Whistleblower Program is having a significant impact in monetary terms. Moreover, these penalties could result in a scandal that causes reputational damage to the companies involved. In an August 2014 press release, former SEC Whistleblower Office Chief Sean McKessy stressed the importance of internal auditors. 
“Individuals who perform internal audit, compliance, and legal functions for companies are on the front lines in the battle against fraud and corruption,” he said. “They often are privy to the very kinds of specific, timely, and credible information that can prevent an imminent fraud or stop an ongoing one.” </p><p>In some cases, internal auditors, themselves, may be whistleblowers. In 2014 and 2015, the SEC awarded whistleblower rewards to employees within compliance and internal audit functions. According to Section 21F-4, if internal auditors come across a violation, they should first report it internally to the appropriate officer or board member. If action is not taken within 120 days, the internal auditor becomes eligible for an award and may begin the whistleblower process by reporting either through the SEC’s online questionnaire or by completing a hard copy Form-TCR.</p><p>Because more than half of whistleblower reports come from company insiders, chief audit executives (CAEs) should work closely with the audit committee to ensure the appropriate tone, policies, and diligence are in place to support a whistleblower who first reports internally. 
In “Whistleblowers: What the Board Needs to Know,” The IIA’s Tone at the Top newsletter lists six steps that boards and CAEs should take to oversee a whistleblower program:</p><ul><li>Build employee trust of internal policies.<br></li><li>Consider all sources, including hotlines, anonymous email, lawsuits, exit interviews, and social media.<br></li><li>Ensure adequate triage of the report based on understanding the legal and accounting implications.<br></li><li>Enlist internal audit in managing the whistleblower process, managing the investigative process, or reviewing whistleblower activities.<br></li><li>Understand the entire whistleblower program process.<br></li><li>Remain vigilant by continually reviewing and updating whistleblower policies.<br></li></ul><p><br>The SEC Whistleblower Program has resulted in increased tips, fines, awards, and whistleblower protections. With the monetary rewards increasing, reports to the SEC’s Whistleblower Program are likely to grow. Against this backdrop, internal auditors can help their organization’s whistleblower program through education, communication, and monitoring. Given their knowledge of the organization’s governance, policies, and procedures, internal audit’s involvement can add credibility to the whistleblower program. However, auditors should remain objective and leave decision-making responsibility about specific whistleblower cases to management. </p><p><img src="/2018/PublishingImages/Gaydon-top-whistleblower-awards.jpg" alt="" style="margin:5px;width:750px;height:935px;" /> <br></p>Daniel Gaydon
A Case of Misplaced Trust<p>Jane Dosh was the comptroller and a trusted employee at Smith Interior Design Co. (SID), a small and close-knit professional services firm catering to high net-worth families and individuals, for almost 15 years. As comptroller, she managed many aspects of SID’s financials — such as paying bills, managing payroll, and purchasing supplies for the company and clients — with oversight from Robert Smith, the company’s co-founder. Smith was responsible for monitoring the company’s finances. When he passed away in 2011, his financial responsibilities were added to Dosh’s workload, which meant she handled every aspect of the company’s finances with no oversight. She continued in that role for the next few years until she unexpectedly resigned on Dec. 31, 2016. </p><p>Internal Audit Manager Heather Dittman was the sole internal auditor at SID and did not have the resources to provide a routine set of reviews aligned with a regular risk assessment. As part of her annual plan, Dittman performed a standard review of the accounts payable process. The audit program included sampling transactions, checking support, and ensuring appropriate authorizations. During her review in early 2017, she documented several unsupported and unexplained transactions. </p><p>During the validation process, Dittman interviewed several employees for supporting explanations and documents, but they were unaware of the expenses and could not retrieve the records. Having exceptions in the validation process was a typical event for Dittman, but a large number of unexplained exceptions was unusual — plus there was no supporting documentation. </p><p>Dittman reached out to Dosh, who insisted that the records must be misplaced and that she would find them and send them to Dittman. However, as days turned into weeks, Dosh did not send the records. Dittman sent numerous follow-up emails and voicemails, which went unanswered. 
After weeks of no response, Dittman went to the file room to search for the records, herself, but the room was empty. </p><p>Unable to obtain answers from Dosh and concerned about missing records, Dittman escalated her concerns to the CEO and chief financial officer and recommended a forensic review. Given Dosh’s control of the financial processes, it appeared possible that she had defrauded the company and was now covering it up. Management was concerned about the extent of the fraud and the company’s ability to recoup the money. As a result, management agreed to a forensic review. </p><p>The forensic review began with traditional surveillance of Dosh to uncover the facts necessary to figure out the fraud. During lunch on the second day of surveillance, Dosh went to a local boutique. This piece let the investigators assemble the rest of the puzzle. </p><p>Dosh wanted to be an entrepreneur, but she lacked funding. When Smith died, another employee, Helen Brown, was granted a company credit card, and Dosh saw her chance. She had access to the new card’s information and knew nobody would be monitoring the credit card activity but her. Dosh then contacted Alexandra Johnson, an acquaintance who worked at a luxury clothing store nearby, and the two began a joint business venture. Dosh went to the store where Johnson worked, and they set up a store account using Brown’s company credit card. Johnson later quit her job at the boutique and got a job at another clothing store. There, she set up another account with Dosh using Brown’s credit card. Dosh also bought expensive jewelry and clothing from other boutiques on the card. She would pay off her purchases on the company card every month from SID’s checking accounts. </p><p>When forensic investigators recovered the contents of Dosh’s company computer hard drive, they found detailed plans for a boutique clothing and accessory business owned by Dosh and Johnson. 
Private investigators followed Dosh for weeks to locate where she was storing the fraudulent purchases. She also forged the signature of the second company co-founder on multiple fraudulent checks to purchase personal goods and services, including payments to family-owned businesses. Investigators went through years of company financial documents to find that she had embezzled more than $4 million from the company in just five years. </p><p>SID and the investigators turned the case over to federal law enforcement. Dosh pleaded guilty and is awaiting sentencing for charges related to identity theft and fraud. SID implemented several policies and procedures to prevent the company from getting defrauded again, including: </p><ul><li>Dispersing cash only after appropriate management authorization and only with dual approvals over certain threshold amounts to ensure company funds were being spent for approved business purposes. <br></li><li>Reviewing all cash receipts and disbursements as part of a monthly bank reconciliation.<br></li><li>Separating financial duties so no one person would handle all of the responsibilities. <br></li><li>Backing up all financial transaction source documents to multiple locations so the documents would not be lost if any one location was compromised. <br></li><li>Developing a risk assessment program to allow internal audit to review, assess, and identify weaknesses in the internal controls and point out areas of high risk concerning fraud. <br></li></ul><p>SID realized that internal controls do not have to be an impediment that slows down work processes. While there is no such thing as a one-size-fits-all system of internal controls, getting the focus of their internal controls right helped safeguard and develop their business. 
</p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"> <p><strong>Lessons Learned</strong></p><ul><li>No company is immune to fraud. Internal audit needs to help the organization prevent and minimize fraud risks. Small companies that are reluctant to invest the money to provide more internal audit coverage should consider the return on investment in comparison to a $4 million embezzlement. It is imperative for companies to set up internal policies and procedures that separate duties, promote accurate documentation, and systematically evaluate and counter all potential risk.<br></li><li>Internal audit should perform a fraud risk assessment to help leadership in small companies understand the extent of their vulnerability to fraud. Significant procedural or segregation of duties gaps can be identified during the process without requiring substantial investment in audit resources. Many of the control weaknesses in this case would have been uncovered during the assessment process. <br></li><li>Internal auditors should include a fraud risk assessment as a standard for their work plans. It applies to every company and is the most compelling method of educating management about fraud vulnerabilities. The act of communicating this tool throughout management is sometimes enough to prevent fraud. <br></li><li>Internal audit needs to know when to involve a forensic investigator. Forensic experts can provide different tools, such as recovering erased hard drives and surveillance, and will preserve the chain of evidence in a fraud case. <br><br></li></ul></td></tr></tbody></table>Frank Rudewicz
The Case for Due Diligence<p>Two former executives of U.K.-based Autonomy have been indicted on criminal fraud charges stemming from the software company's 2011 acquisition by Hewlett Packard (HP), <a href="" target="_blank"><em></em></a> reports. U.S. prosecutors allege former CEO Mike Lynch and Stephen Chamberlain, former vice president of finance, used fraudulent accounting practices to inflate Autonomy's value. A year after completing the purchase, HP took an $8.8 billion write-down of Autonomy's assets and later sold those assets to Micro Focus. Last April, a U.S. federal court jury found former Autonomy CFO Sushovan Hussain guilty of wire and securities fraud. Also, Hewlett Packard Enterprise, which spun off from HP in 2015, has sued Lynch and Hussain in the U.K. Lynch's attorneys claim HP made mistakes in integrating Autonomy's assets that reduced their value. </p><h2>Lessons Learned</h2><p>This story illustrates the need for a thorough due diligence process for a major acquisition. Internal auditors can view advice and resources about the due diligence process provided by organizations such as The IIA, the U.S. Securities and Exchange Commission (SEC), and the Association of Certified Fraud Examiners. Two key aspects of the process may have helped reveal the core issues in dispute in this alleged fraud: due diligence risk assessment and the potential impact of differing international accounting standards.</p><p> <strong>Due Diligence Risk Assessment</strong> A thorough risk assessment of the company targeted for acquisition is essential. Furthermore, the SEC and U.S. Department of Justice (DOJ) have issued A Resource Guide to the U.S. Foreign Corrupt Practices Act (the FCPA Guide), which recommends companies conduct pre-acquisition due diligence on merger and acquisition deals. Uncovering fraud after the deal is completed can have damaging consequences for an acquirer. 
Two key parts of this due diligence are:</p><ul><li> <em>Assessing the validity, accuracy, and integrity of the financial statements.</em> This assessment should include related internal and external financial reporting, significant estimates and accounting policies, regulatory changes and their impact on financial statements, past and recent findings of internal and external auditors, and staff competency and training.<br><br></li><li> <em>Examining the organization's internal controls, using a risk-based approach.</em> This examination should review internal control procedures and documentation, and analyze gaps in internal control structures and the adequacy of management's corrective action plans. Moreover, it should review related internal and external audit reports and findings on internal control deficiencies, along with remediation strategies. Depending on the results of these reviews in terms of risk, a further internal audit or external audit of internal controls may be warranted. <br><br>According to the DOJ/SEC FCPA Guide, companies do not examine the target company's internal control environment in detail before completing an acquisition. Consequently, internal control weaknesses that may exist are left to be identified during the post-acquisition integration process. These weaknesses may lead to an increase in the risk of fraud. <br><br></li><li> <em>Applying data mining techniques to uncover potential fraud.</em> At a minimum, the acquiring company should obtain as much transactional data as possible from the target company's accounting system. 
Analyzing this data using a data mining tool can identify potential anomalies in the operation of internal controls and unusual transactions that may be evidence of fraudulent activity.<br>  </li></ul><p>Other aspects of a risk assessment include a review of the target company's compliance and ethics program, its ethical culture, and background checks on key executives and employees.</p><p> <strong>Financial Accounting Standards</strong> In the Autonomy case, there is a potential issue around the differences among financial accounting standards that exist internationally. Lynch has stated that the claims of fraud come down to a dispute over the application of U.K. accounting standards. The U.K. and many other countries use International Financial Reporting Standards (IFRS) as their accounting method. IFRS has some key differences from the Generally Accepted Accounting Principles (GAAP) approach used in the U.S. Lynch and his attorneys argue that differences in interpretation between them could have contributed to the view that Autonomy inflated its value before its acquisition.</p><p></p><p>A major difference between IFRS and GAAP is the methodology used to assess the accounting process. GAAP focuses on research and is rules-based, whereas IFRS looks at the overall patterns and is based on principles. With an IFRS-based accounting method, potentially different interpretations could result in higher values being included in financial statements in five areas: </p><ul><li> <em>Inventory reversal</em><em>.</em> GAAP specifies that if the market value of the asset increases, the amount of the write down cannot be reversed. Under IFRS, however, the amount of the write down can be reversed. In other words, GAAP is cautious of inventory reversal and does not reflect any positive changes in the marketplace.<br> </li><li> <em>Development costs</em><em>.</em> A company can capitalize its development costs under IFRS, as long as certain criteria are met. 
This allows a business to leverage depreciation on fixed assets. Under GAAP, development costs must be expensed in the year they occur and are not allowed to be capitalized.<br> </li><li> <em>Intangible assets such as research and development or advertising costs.</em><strong> </strong>IFRS accounting takes into account whether an asset will have a future economic benefit as a way of assessing the value. Intangible assets measured under GAAP are recognized at the fair market value only.<br> </li><li> <em>Income statements</em><em>.</em><strong> </strong>Under IFRS, extraordinary or unusual items are included in the income statement and not segregated. Under GAAP, they are separated and shown below the net income portion of the income statement.<br> </li><li> <em>Fixed assets</em><em> </em><em>such as property, furniture, and equipment.</em><strong> </strong>Companies using GAAP accounting must value these assets using a cost model. This takes into account the historical value of an asset minus any accumulated depreciation. IFRS uses a different model, called the revaluation model, based on the fair value at the current date minus any accumulated depreciation and impairment losses. </li></ul>Art Stewart
The Unscrupulous Advisor<p>A federal grand jury has indicted the CEO of an investment management firm on 23 counts of fraud, <a href="" target="_blank">the <em>Idaho State Journal</em> reports</a>. Federal prosecutors say David Hansen, majority owner of Yellowstone Partners LLC, headquartered in Idaho Falls, Idaho, overbilled client accounts by submitting false billing requests to a brokerage firm. Last year, former Yellowstone Partners employees told the <em>Post Register</em> newspaper they had found "significant irregularities" in some customer accounts in 2016. Prosecutors estimate Hansen's alleged scheme defrauded clients of more than $9 million. The indictment also charges Hansen with aiding in preparing false corporate and personal income tax returns that underreported the company's revenue and his own income in 2012 and 2013.</p><h2>Lessons Learned</h2><p>The CEO of the investment management firm in this story allegedly has run afoul of the U.S. Securities and Exchange Commission (SEC) and more particularly Section 206 of the Investment Advisers Act of 1940 (the "Advisers Act"). In part, Section 206: </p><p> <span class="ms-rteStyle-BQ">"prohibits misstatements or misleading omissions of material facts and other fraudulent acts and practices in connection with the conduct of an investment advisory business. As a fiduciary, an investment adviser owes its clients undivided loyalty, and may not engage in activity that conflicts with a client's interest without the client's consent."</span> </p><p>In addition to the general anti-fraud prohibition of Section 206, other sections of the act regulate several practices relevant to the alleged fraud in this story. These include disclosure of fees, investment advisor advertising, custody or possession of client funds or securities, and disclosure of investment advisors' financial and disciplinary backgrounds. All of these rules were allegedly broken in one way or another in this case. 
</p><p>Internal auditors should consider measures to help their organization prevent and detect the kind of fraud represented in this story. Two main areas of concern surround disclosure obligations:</p><ul><li>"The Brochure Rule" (Advisers Act Rule 204-3), requires every SEC-registered investment advisor to deliver to each client or prospective client a Form ADV Part 2A (brochure) and Part 2B (brochure supplement) describing the advisor's business practices, conflicts of interest, background, and its advisory personnel. Advisors must deliver these documents to a client before or at the time the advisor enters into an investment advisory contract with a client. In addition, advisors must provide them whenever there is a material change to the advisor's profile. <br> <br>Both investors and auditors need to be aware of how business practices and conflicts of interests can be hidden or manipulated. Hansen is a partner at Elite Advisor Institute, a company that trains and coaches investment advisors. Was this partnership disclosed, and were some of the people involved in the overbilling scheme at Yellowstone Partners trained there? <br> <br>A further step that needs to be taken is to cross-check an investment advisor's background with those who regulate and accredit them such as the SEC (registration information is available on <a href="" target="_blank">the SEC's website</a>). The Financial Industry Regulatory Authority also offers information about the professional designations used by advisors as well as measures that investors can take to avoid investment fraud. </li> <br> <li>The SEC mandates that an investment advisor disclose to clients all material information regarding its compensation such as whether the advisor's fee is higher than the fee typically charged by other advisors for similar services. In most cases, this disclosure is necessary if the annual fee is three percent of assets or higher. 
<br> <br>Investors and auditors should be proactive in regularly reviewing investment transactions to determine what fees are being incurred, as an early way to detect overbilling. The investment industry should continue to be obligated to regularly and transparently disclose fees to clients. A good practice would be to disclose such fees monthly, although often this is only done annually. <br> <br>A further part of this transparency is to carefully monitor the use of other mechanisms that incur fees such as performance fees and referral to third-party fees. Another mechanism susceptible to overbilling is a "wrap fee program" where advisory and brokerage services are provided for a single fee that is not based on the client's account transactions. </li></ul>Art Stewart
