Hush Money Fraud Money Fraud<p>​In early 2020, Lauren George was promoted to director of internal audit at the Pier Ten Group, a management company for a hotel chain in Southern California. George was interested in innovation and had training in robotic process automation, which she was eager to bring to her new role to increase productivity and expand risk coverage.</p><p>Before her promotion, Pier Ten’s internal audit department typically performed smaller audits using manual processes. George’s first goal as director was to improve coverage without increasing staffing. She started by adapting a pre-built reconciliation bot to compare expenses to receipts and reperform all bank reconciliations starting with the company’s San Diego property.</p><p>The expense reimbursement bot was simple. Receipts were already stored in a shared folder by date and titled by date and dollar amount. The bot downloaded expenses for the year into one Excel file. It then went into the receipts folder and copied the date, description, and amount for the expense into the same file. Finally, the bot sorted the expenses by date and amount and flagged any unsupported expenses and receipts not matching an expense. </p><p>Before she reviewed the flagged items, George manually checked a sample of matched items to confirm the bot was working correctly. In the first pass, it identified 22 mismatches where expenses matched but the date on the receipt was off by a day. To be certain, she reviewed some of the receipts to make sure they matched the descriptions. The bot also flagged 12 expenses for $500 without receipts totaling $6,000. George thought the bot wasn’t picking up the receipts until she saw there were no receipts in the folders, just a blank sheet titled by day and dollar amount. </p><p>When George pulled the expense reports filed for each of these, she identified three commonalities: The receipts were missing, the description on the expense report was labeled “business expense reimbursement,” and the reimbursements were made to Skip Townes, the hotel controller.</p><p>The reconciliation bot was deployed next. It was pre-built, but required some modifications to make certain it was accessing the bank systems to retrieve bank account and credit card information. It also downloaded information into Excel and compared dates and amounts and flagged items that did not match. The results were messier than the expense reimbursement bot. Although many items matched, several items remained unreconciled. </p><p>George pulled the monthly reconciliations and started comparing line items with the bot’s reconciliation. She identified better rules that would help the bot perform more effectively next time, including pulling different reports to help reconcile some items. After her review, she was left with 12 credit card overpayments totaling $87,321.53. </p><p>Satisfied with a successful first pass, George documented her results and met with Walter Banning, the property manager, and Townes. To her surprise, Banning and Townes did not share her enthusiasm about the bot’s performance. George’s questions about the undocumented receipts and credit card payments were met with challenges about the technology. When she showed the source documents supporting the outstanding questions, both men expressed concern and insisted they would investigate and get back to her. </p><p>George suspected she was being stalled after weeks passed with no answers. The questions she asked could easily be answered with a little digging, so she contacted Wilson Kon, the audit committee chair, for guidance. George explained to Kon how the bots reperformed manual repetitive tasks, just like having an audit staff member who did exactly what he or she was told over and over. The work still needs to be reviewed and source documents pulled to investigate, but the observations are validated just like any other audit. Convinced by George’s explanation, Kon encouraged her to expand her review of the property’s financial processes, and assured her that Banning and Townes would provide her answers. </p><p>The next day, George met with Banning and Townes to discuss the observations. Both men were on edge and kept changing their answers. According to Banning, it was an IT issue that they were exploring. When George asked them to explain, they could not. Townes suggested it was a performance issue with the employee performing the reimbursements and reconciliation. George pointed out that Townes approved the reconciliation and Banning approved the expense reimbursement. She followed by asking why they did not flag these issues in their review. Banning went back to blaming the issues on the bot. George again left the meeting with no answers. </p><p>George first called Kon with an update and then the district manager and human resources (HR). With their support, she expanded her review to all financials for a month and went directly to the staff member performing the reconciliations. Several flagged items appeared, which were validated. The hotel accountant quickly identified the flagged items as bonus checks, reimbursements for Banning’s credit card, and car allowances for Townes. Surprised and curious, George dug in deeper.</p><p>She discovered that shortly after Banning was promoted to property manager, the corporate office cut the bonus program. He felt this was unfair and that he should be compensated for the success of his property, so he instituted his own bonus program. With the help of Townes, Banning found various ways to issue the bonuses, including a $500 monthly reimbursement to the controller to keep quiet about the bonuses. An expanded review found that the expenses for $87,321.53 were payments to Banning’s personal credit card company, and that extra manual payroll checks were issued to the controller, front desk manager, and housekeeping manager. In total, George identified nearly $485,000 in unsupported and suspicious payments, payroll checks, and reimbursements spanning three years. </p><p>George turned over her results to HR and local authorities. Pier Ten terminated Banning and Townes and brought charges against them. They claimed that the bonus program was sanctioned by the corporate office through a handshake deal.  <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4" style="height:30px;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<strong>Lessons Learned</strong><ul><li>Robotic process automation (RPA) is a useful tool for enhancing internal audit capabilities. Simple and quick bots can immediately enhance department productivity when applied to repetitive processes relying on digitized data and tasks. </li><li>Fraud risk always exists, but internal audit must balance risk and resources. Deploying RPA can significantly lower the cost of certain fraud detection procedures. These procedures would mitigate many difficult-to-close internal control gaps in small- and medium-size companies. Initially, this could lead to fraud detection, but over time, these inexpensive procedures would become preventative. </li><li>When developing bots for audit work, internal audit should consider passing them off to the business units. Reconciliation bots make useful audit tools, but once hardened, they are capable of performing the regular control function, providing additional value and capacity to the business departments. Just like analytics, later reviews can include regularly testing the bot’s performance and, when convinced, relying on the bot’s results. <br></li></ul></td></tr></tbody></table><p></p>Bryant Richards1
Billed Around the Clock Around the Clock<p>​Two years ago, Future Energy Corp. (FEC), based in Finland, decided there was a need for flexibility and cost-cutting, so it changed its payment for services from a fixed fee to an hourly fee and implemented an IT system to track hours. Future Power, a subsidiary of FEC, relied heavily on BX Solutions OY, a subsidiary of BX Ltd., to maintain and repair its production equipment. After FEC conducted an annual risk assessment of its subsidiaries, internal audit decided to schedule a review of the equipment maintenance and repair process. </p><p>The audit revealed Future Power’s high dependency on BX Solutions OY and a lack of competition in the region. The audit report also outlined the potential risk for overbilling fraud because of insufficient verification of hours reported by BX Solutions OY personnel. The subsidiary was renting office space for its personnel on the premises of Future Power, so logs from entrance systems did not provide any insight on whether its employees were working on Future Power equipment or doing other tasks. The audit team concluded that the risk of overbilling existed, but no proof could be provided. Future Power management chose to accept the risk and stated additional controls were not needed. Internal auditors insisted they were and escalated the issue to FEC’s board of directors. Finally, as a compromise, Future Power management allocated one employee to conduct independent checks of hours reported by BX Solutions OY.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>LESSONS LEARNED</strong><br>​<ul><li>When it comes to the purchasing of services per hour — lawyers, IT developers, consultants — how often are organizations overbilled? How can an organization find the right balance of trust and control? Organizations risk playing a “catch me if you can game” with contractors unless the environment encourages fair reporting of spent hours. Internal audit’s role is to review the process of hour validation and determine whether hours can be verified, at least to a reasonable extent. </li><li>Operational-level management is usually overwhelmed with important daily issues, so it is difficult to get managers to take an interest in a potential fraud risk. When they read an internal audit report that raises a red flag about something that has not happened — but might — they might not care nor understand the seriousness of the risk. Rather than point out lack of caring, internal auditors should suggest additional controls or work toward reaching a compromise that satisfies both parties.</li><li>Collaboration with a contractor that acknowledges fraud is unlikely to happen often — if at all. If the contractor has already made up its mind about how much it is going to reimburse, any collaboration promises are likely to be empty declarations. Also, internal audit should keep in mind that there is likely a specific reason why a contractor wants to acknowledge fraud. The best-case scenario is that the contractor is embarrassed of its findings and wants to avoid bad publicity. The worst case is that it is trying to cover up something much bigger and wants to voluntarily return a small part of what was stolen from the company to avoid litigation and prosecution.</li><li>When circumstances require internal audit to collaborate with outside parties where conditions or other information is exchanged, it should include legal counsel to avoid any unwanted damage to the company, such as disclosure of confidential information. It’s important for internal audit to know when to step back as a trusted partner.</li></ul><br></td></tr></tbody></table><p>One year later, Future Power’s CEO emailed FEC’s audit manager, Alicia Cohen, after he received a letter from BX Ltd.: “I am forwarding to you a weird letter from our main maintenance and repair partner, BX Ltd. I told them you will handle it from here.” </p><p>Cohen could barely believe what she read in the forwarded letter. BX Ltd. reported that its local subsidiary was defrauding FEC: “Due to a mistake and misbehavior, working hours have been overbilled since our last contract renewal. Corrective action has been taken and a credit for €2.3 million ($2.7 million) will be issued to you immediately. We suggest a regular review to ensure a robust hourly recording process moving forward.” </p><p>The audit team felt vindicated. The potential fraud risk scheme they described to management a year before was realized. The team set out to investigate how the overbilling happened. </p><p>Initially, BX Ltd. willingly cooperated. Via web-based meetings, BX Ltd.’s compliance representative, Pierre Brodeur, explained that its investigation was triggered by an anonymous whistleblower complaint from BX Solutions OY. The investigation revealed that remuneration for BX Solutions OY management depended on the profitability of Future Power’s maintenance and repair contract, as it was its biggest and most important client in the region. The change from fixed pricing to an hourly based system caused BX Solutions OY management to become concerned about profitability levels, so employees were instructed to bill Future Power for as many hours as possible. After the conclusion of the internal investigation, BX Solutions OY management and the employees who participated in the scheme were fired. </p><p>Brodeur handed over internal time sheets of BX Solutions OY employees involved in maintenance and repair activities. FEC’s internal auditors compared the time sheets against billed hours, determined the number of overbilled hours, and multiplied the difference by the hourly rate to calculate the value of the hours. When FEC’s investigative team reported an amount two times higher than the €2.3 million, cooperation between the parties ended. BX Solutions OY misled BX Ltd.’s compliance team, claiming repairs were still priced at a fixed rate, so BX Ltd.’s compliance department calculated overbilled hours for maintenance services and disregarded hours spent on repairs. FEC’s internal auditors, however, reviewed repair contract terms with legal counsel and concluded that repairs had to be billed on an hourly basis, as well. </p><p>The internal controls assessment did not take long. Internal audit tried to reconcile time sheets of BX Solutions OY personnel with hours recorded in the system, but there were no names or employee identification numbers. Moreover, BX Solutions OY personnel could record their hours monthly rather than on an ongoing basis. As a result, Future Power supervisors issued and accepted work orders without knowing how many people were on site on any specific day. </p><p>An analysis of work orders for the previous two years found that more than 40% of annual maintenance expenses were for regularly conducted visual inspections of equipment. It was impossible to determine whether inspections were actually carried out because there was no paper trail. </p><p>Though Future Power appointed an employee to conduct independent checks of hours reported by BX Solutions OY the year before, management never touched base with the employee to determine whether he had suitable tools to conduct those checks. The employee was overloaded with other duties and preferred to keep a low profile without interfering, controlling, or suggesting improvements. </p><p>Future Power eventually received €2.3 million from BX Ltd. and filed a legal dispute for additional amounts owed. <br></p>Anna Kon1
The Seducer's Game Seducer's Game<p>​Intelligent, innovative, witty, charming, persistent, optimistic, bold, adaptable, and business savvy — these often are the key traits of a leader. But what if those traits mask other, less exemplary characteristics, such as being manipulative, deceptive, fearless, and thinking he or she is untouchable, while also lacking any sense of integrity, honesty, and empathy? Unfortunately, these traits can coincide within the same person. </p><div><p>The unique combination of these personality traits defines a seducer, which can be seen in modern-day fraudsters such as Theranos’ Elizabeth Holmes and Fyre Festival’s Billy McFarland. Within the Seduction of Fraud methodology, seduction refers to a psychological process that often plays a significant role in contemporary frauds. Therefore, it is important for internal auditors to understand the seduction of fraud and how it relates to fraud prevention, detection, and investigation within their own organizations.</p><h2>The Seduction of Fraud Diamond</h2><p> For decades, internal auditors have relied on the elements of the Fraud Triangle — pressure, opportunity, and rationalization — to understand fraud and develop internal controls that limit the risk of fraud to their organizations. While experts have provided alternatives to the Fraud Triangle, a new approach can be used to understand and prevent the latest variations of fraud, what we call Big Frauds, from occurring. These Big Frauds — such as Fyre Festival, Theranos, Volkswagen, and Wells Fargo — are similar to their traditional counterparts, yet stark differences become apparent under evaluation. It was through this evaluation that we realized the limitations of the Fraud Triangle and developed a tool to replace it — The Seduction of Fraud Diamond (See “The Seduction of Fraud Diamond” below).</p><p><img src="/2020/PublishingImages/Seduction-of-Fraud-diamond.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:500px;height:273px;" />There are differences between the Fraud Triangle approach and the Seduction of Fraud methodology. First, it is important to understand the original intent of Donald Cressey, who is attributed as the creator of the Fraud Triangle. As a criminologist, Cressey wanted to understand why trusted employees without a history of unethical or illegal behavior would decide to betray their employers. So, after excluding from his study anyone with a criminal record or a history of unethical behaviors, Cressey interviewed inmates who were first-time embezzlers to determine any similarities among them and try to understand their motivations. His observations and key takeaways resulted in the well-known attributes of the Fraud Triangle. But the study’s objectives and parameters point out obvious limitations in applying the Fraud Triangle to a wide array of modern white-collar schemes and perpetrators. </p><p>The Fraud Triangle’s primary weakness is its basis of starting with an honest person — a person who needs a combination of specific motivations and circumstances to commit fraud. The Fraud Triangle fails to explain why most people involved in the Big Frauds had no history of criminal activity or unethical behaviors, yet committed fraud even though there were no circumstances that justified their behavior. </p><h2>The Psychology of Fraud</h2><p>The Seduction of Fraud methodology examines human behavior and ethical decision-making related to fraud. Using this methodology, auditors not only rely on traditional understanding within the anti-fraud and audit community, but they also reach into the fields of analytical psychology, psychiatry, literature, philosophy, and religious studies. Combining these divergent areas of study can bridge the gap between fraud prevention, ethics, and human behavior. </p><p>As a psychological process, seduction has existed since the beginning of time. It is described in religious scripture in the Garden of Eden; historical chronicles of Cleopatra’s power and control; and 18th century Giacomo Casanova’s detailed use of seduction as a tool to commit frauds, cons, and social engineering. From an early age, Casanova understood the importance of reading the emotions of others, which allowed him to manipulate and deceive, and become one of the most infamous con artists in history. </p><p>Understanding the true meaning of the Seduction of Fraud requires removing the veil of normal human behavior to look earnestly at the inner core of humans to realize their true motivations. The Seduction of Fraud Diamond starts with a temptation, which might involve some sort of pressure, but does not require it. Once the temptation is set, the next part of the psychological process begins: deception. The goal of seduction is to gain power and control over the person being defrauded — not through force, but by subtle coercion. The seducer’s aim is to make victims feel as if they are in control and making decisions on their own, for their own benefit. It is only after the fraud is exposed that the illusion becomes apparent. Therefore, seducers can either use the Seduction of Fraud to commit fraud themselves, or they can use it to convince other people to commit fraud or perform unethical actions without their full knowledge or understanding. </p><h2>Attributes of the Seducer<br></h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Common Seducer Personality Traits</strong> <p>The personality traits that historical seducers and modern-day fraudsters share include being:<br></p><ul><li>Improvisational</li><li>Flexible</li><li>Innovative</li><li>A risk taker</li><li>Intelligent</li><li>Charming</li><li>Bold</li><li>Assertive</li><li>Discerning</li><li>Persistent</li><li>Witty<br></li><li>Reinventive</li><li>Business savvy</li><li>Adaptable</li><li>Manipulative</li><li>Deceptive</li><li>Fearless</li></ul></td></tr></tbody></table><p>Understanding the attributes of the Seduction of Fraud Diamond and their application through audit procedures can help in the design of effective internal controls. While simple frauds still exist — such as the trusted bookkeeper who steals to pay for her husband’s gambling addiction — they are no longer the largest risks to the organization. It is the modern-day seductive fraudsters who will more likely cause turmoil in an organization at a multitude of levels — financial, reputational, legal, compliance, etc. </p><p>While many of the seducer’s personality traits are positive attributes, it’s the traits that are missing that cause problems (See “Common Seducer Personality Traits” at right). For example, integrity, loyalty, and empathy are all missing, which should be a huge red flag for an auditor. Boldness without integrity can easily turn villainous. Additionally, when boldness is combined with any other negative personality attribute or personality disorder, such as narcissism or psychopathy, it can be a considerable threat to an organization. While opportunity is the most self-explanatory attribute of the Seduction of Fraud Diamond and the Fraud Triangle, the main difference is that in the Fraud Diamond, opportunity can be created, whereas the Fraud Triangle implies that opportunity must already exist. It is unchecked boldness that allows a potential fraudster to exploit existing opportunities or, if needed, create new opportunities. Furthermore, in many of today’s social engineering schemes, fraudsters use psychological manipulation to reach their goals. </p><h2>Investigation and Analysis</h2><p>Another weakness inherent to the Fraud Triangle is that it relies on a functioning conscience. The conscience is meant to warn a person when making questionable decisions before violating an internal boundary. Even when a person has a conscience, his or her moral compass might be faulty. For example, when during a research study we asked fraudsters to explain whether their conscience bothered them when they were planning the fraud, there were recurring responses: “Yes, but only for a few minutes.” Therefore, internal auditors must consider the possibility that a perpetrator’s conscience may prohibit his or her moral compass from functioning correctly. </p><p>A faulty conscience may be a sign of narcissism, but not every person who is narcissistic or has narcissistic personality traits is a fraudster, and vice versa. Therefore, it is crucial to be conscientious about conclusions that are not substantiated through factual evidence. This is where an auditor’s investigative skills can affirm or dispel any initial concerns. </p><p>Alongside narcissism, a faulty moral compass explains an increase in entitlement, a key attribute of the Seduction of Fraud Diamond. Self-aggrandizing behavior, which recent studies show is increasingly more common in today’s society, often leads to entitlement — a criterion used to diagnose a person with narcissistic personality disorder. </p><p>The Fraud Triangle’s final weakness is that an employee’s privacy makes it impossible for internal auditors and management to understand or analyze external pressures on that employee. This does not mean organizations need to or should conduct psychological profiles on every employee within the organization, but, at the very least, internal auditors should sharpen their skills of discernment using the Seduction of Fraud approach. Using the Seduction of Fraud Diamond will enable auditors to be attentive to potential behavioral red flags. If a person is under careful observation, and the number of red flags begins to accumulate, auditors can then consider what actions, if any, should be taken. </p><h2>Update Your Toolbox</h2><p>Internal auditors need to understand that individuals do not necessarily fit into the framework as defined by the Fraud Triangle. By updating their professional toolbox to improve their analysis, internal auditors can better understand human behavior and detect potential behavioral red flags that could be indicators of the next Big Fraud. Internal auditors can use the insights provided by the Seduction of Fraud Diamond to prevent similar scandals at their own organizations.  <br></p></div>Sanya Morang1
Schoolhouse Fraud Fraud<p>When the Wellington School District budget crisis hit the local newspaper, citizens were shocked. The superintendent, Tina Franken, and business manager, William McKenzie, implemented innovative programs that improved employee morale and productivity — not only for the central office, but also for the eight schools within the district. Before Franken’s arrival, the school district was often an embarrassment to the town, as employee issues led to frequent firings or resignations and the airing of dirty laundry in the local news. When the longtime district accountant resigned and filed a legal complaint against McKenzie, which consisted of fraud, abuse of town policies, and violations of state laws, gossip among district employees and citizens implied there were ties between the legal complaint and the budget crisis.</p><p> With a school budget shortfall of $2 million at fiscal year-end and a legal complaint, the select board for the town had no choice but to act. It asked the town’s internal auditor, Denise Silva, to review the school district’s budget process. </p><p> Silva knew town government issues could get messy and complicated. So she prepared a high-level audit program and planned to spend a lot of time exploring. First, she reviewed the district’s budget policies and procedures and requested the previous year’s approved budget with all planning comments and 12 months of results by month and account. She planned to interview employees involved in the process and take deeper dives into any areas with significant overruns. After receiving the budget documents, she realized that she needed to clear her calendar. </p><div style="width:300px;float:right;padding-left:10px;padding-right:10px;margin-left:10px;background-color:#6eabba;color:#000000;"><h3>Lessons Learned</h3><ul><li>The budget process should be included in the risk assessment and reviewed regularly, especially in regulated environments like municipalities. A quick review would have caught many of these issues in the first year. </li><li>Removing key controls from important processes should raise red flags. If the controls had been reviewed regularly, the budget crisis and fraud could have been avoided. </li><li>Small internal audit departments should consider rotational reviews that provide greater coverage across the organization. In this example, reviews of petty cash, budget, vendors, payroll, or accounting would have identified smaller issues that would have raised red flags and the need for additional reviews.</li><li>Messy situations may require internal audit to shut down the audit schedule for the rest of the year. Not only is it important to focus internal audit resources on high-risk areas, but it is critical to those responsible for oversight that they receive the clearest picture possible to make the most informed decisions about how to move forward.<br><br></li></ul></div><p>Silva detected several red flags in her initial review of the budget documents. First, McKenzie put the budget together under four large categories — instructional supplies, curriculum, payroll, and equipment — with lump sum amounts under each. Once the town approved it, the business manager arbitrarily assigned amounts to line item accounts in each category. Silva could not discern any reason for the assignment of funds. The second thing that stood out to her were hundreds of transfers throughout the line item accounts each month that were not approved by the school committee or board. Lastly, there were no budgets in place for revenue accounts, even though large amounts of money were collected for sports fees, bus fees, and student activities. These collections were recorded as petty cash for the school district to use on purchases. </p><p> Silva first interviewed McKenzie about his budget process. He explained that the budget process was cumbersome and a source of significant productivity issues, so he streamlined the two-month planning cycle to one week. Instead of providing a detailed number for each line item, McKenzie broke the accounts down into four categories based on prior years and departmental needs, and assigned each category a lump number. The school committee and board voted on and approved the categories. The town approved this process because it trusted Franken and McKenzie. </p><p> When Silva asked about missing revenue accounts in the process, McKenzie insisted that the district accountant required that all cash collections be received into petty cash, so budget figures weren’t necessary. Adjustments were made at the end of the year to reflect the accounting. McKenzie blamed the district accountant for many of the budget challenges. </p><p> Silva’s findings list was filled with broken policies, regulations, and accounting rules, but she knew more data was needed. Some basic analytical testing found that administrators in the central office were using funds to purchase large flat screen televisions, office equipment, and laptops. However, these items could not be located anywhere in the district, so Silva assumed that administrators were taking them home. She began testing invoices, which showed that the district often reimbursed administrators for conferences and travel more than once. On several of the travel reimbursements, spouses were included and paid for by the district. The amounts submitted for reimbursement exceeded the threshold specified in the district’s policy. </p><p> When Silva conducted interviews with staff in the central office, she found there were relatives of administrators on the payroll who never showed up for work. And though the office was open until 5 p.m., many administrators left at 2 p.m. Lastly, an employee who worked in disbursements revealed that administrators received kickbacks from vendors for large purchases and the awarding of contracts. </p><p> Silva identified $2 million of fraud and abuse while reviewing five years of data. But she was unable to quantify much of the activity, such as the vendor kickbacks. A reasonable comparison of the actual costs of big-ticket items and what was paid by the school district added another $2 million to the total. </p><p> As a result of Silva’s investigation, Franken and McKenzie were forced to resign and are currently serving jail time for their part in the fraud schemes. Silva quantified the known abuses — like the technology gifts, no-show jobs, time theft, and travel and expense violations — per administrator, and found that nearly every one of them received, on average, an additional $10,000 per year on top of their salary. Those in higher levels of administration received more. The district accountant received none and acted as a whistleblower by filing a legal complaint. Franken and McKenzie were making significant money with kickback and petty cash schemes, using gifts, no-show jobs, and abridged schedules to keep staff from complaining or noticing, and covering their tracks with a convoluted budget process.<br></p>Deanna Polli Foster1
Officials Call Penalty on Ex-NFL Player Fraud Call Penalty on Ex-NFL Player Fraud<p>​The U.S. Department of Justice has charged six former National Football League (NFL) players with filing $3.9 million in fraudulent health-care claims, according to <a href="" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;"> <em>Infosecurity Magazine</em></a>. Prosecutors say the retired players submitted out-of-pocket medical expense claims for expensive medical equipment they never purchased.</p><p>The alleged fraudulent claims — some using forged prescriptions, invoices, and medical orders — were filed between June 2017 and December 2018. Moreover, some of the former players allegedly received kickbacks for recruiting other players into the scheme. Seven other retired players, who were indicted in December as part of the same alleged conspiracy, have pleaded guilty to making fraudulent claims.</p><h2>Lessons Learned</h2><p>There are both lessons to learn and actions to take from this fraud case — not only by all professional sports organizations, but also health insurance providers. These lessons are all the more important in the context of the COVID-19 pandemic and its consequences for the economy and public health.</p><p>The NFL alone has more than 20,000 retired players. Many of them, but not all, qualify for the Gene Upshaw NFL Player Health Reimbursement Plan. The league's plan provides up to $350,000 in benefits, and many retired players covered by it have medical conditions. Most former players lawfully rely on the plan's benefits; they are the real victims of this alleged fraud.</p><p>At its root, this case involves allegations of conspiracy, wire and health-care fraud, and a dose of a pyramid scheme. So what can internal auditors and health insurance providers learn from this case that can help prevent and detect future reimbursement frauds?</p><p>The main message is that health insurance providers<strong> </strong>need to continuously expand and improve their ability to detect potential fraud, including through the use of technology and data analytics, backed by monitoring and audits. Beyond that, here are three specific strategies:<br></p><ul><li> <strong>Monitor for suspicious transactions. </strong>The retired NFL players in this case allegedly used methods similar to those in other health-care fraud cases to deceive the insurance provider. These methods included submitting fabricated supporting documents such as false signatures on faked official letterhead with the names of real doctors.<br><br>The alleged claims frequently involved medical equipment such as hyperbaric oxygen chambers, cryotherapy machines, ultrasound machines, and electromagnetic therapy devices (designed for use on horses), costing as much as $50,000. These kinds of transactions should automatically receive additional scrutiny, including by using data analytics to detect repeating and irregular activity patterns from the same individuals. Internal auditors also should perform spot checks with equipment providers and physicians to verify the authenticity of purchases.</li> <br> <li> <strong>Verify providers.</strong> Health insurers should digitally store verified original signatures of equipment providers' staff physicians and compare them electronically for anomalies when especially large dollar reimbursement amounts are requested.<br><br></li><li> <strong>Implement electronic account controls.</strong> Insurers should use account-control mechanisms, including two-step verification and voice recognition-based account access. The individuals in this case allegedly dialed the telephone number provided on the reimbursement form and impersonated conspiring players to check the status of fraudulent claims and encourage payment as soon as possible. Phone calls to health-care companies should be recorded and monitored, as well.</li></ul><br>Art Stewart0
Where Did All the Payments Go? Did All the Payments Go?<p>​More than $2 billion in missing funds led to the resignation and arrest of Wirecard's CEO last month, <a href="" data-feathr-click-track="true" target="_blank" style="background-color:#ffffff;">CNN reports</a>. The scandal broke when the company's external auditors couldn't find the money in trust accounts and refused to sign off on the digital payment company's financial statements. The missing amount equates to one-fourth of Wirecard's assets and set off a global search for the funds.</p><p>German authorities suspect that former CEO Markus Braun used fake transactions to inflate Wirecard's revenues and balance sheet. The company says the missing money may never have existed and has withdrawn preliminary results for 2019 and the first quarter of 2020. At the time of Braun's resignation, he said the company had been the victim of a massive fraud. Wirecard has since fired its chief operating officer.</p><h2>Lessons Learned</h2><p>This story about Wirecard's financial scandal may bring make memories for internal auditors. The infamous 2001 case of Enron and its CEO, found guilty of accounting fraud, became a major driver of the U.S. Sarbanes-Oxley Act of 2002 financial regulatory reform.</p><p>Germany's finance minister summed up the essence of the Wirecard scandal, saying, "Critical questions arise over the supervision of the company, especially with regards to accounting and balance sheet control. Auditors and supervisory bodies do not seem to have been effective here." So what can internal auditors learn from this case?</p><p>The Association of Certified Fraud Examiners defines <em>accounting fraud</em> as "deception or misrepresentation that an individual or entity makes knowing that the misrepresentation could result in some unauthorized benefit to the individual or to the entity or some other party." Financial statement fraud can take multiple forms, including:</p><ul><li>Overstating revenues through outright falsifications, manipulations such as recording future expected sales, or irregular accounting practices. An example is when a company understates revenues in one accounting period and maintains them as a reserve for future periods with worse performances to reduce the appearance of volatility.</li><li>Inflating an asset's net worth by knowingly failing to apply an appropriate depreciation schedule.</li><li>Hiding obligations and liabilities from a company's balance sheet.</li><li>Incorrectly disclosing related-party transactions and structured finance deals.</li></ul><p> </p><p>Several actions are key to reducing the threat of financial statement fraud.</p><p><strong>Strengthen </strong><strong>and rigorously implement internal controls over balance sheet account reconciliation</strong><strong>.</strong> Efforts to sustain a timely and accurate account reconciliation process should include:</p><ul><li>A strong management focus.</li><li>Sufficient understanding of the process.</li><li>Written policies and procedures.</li><li>Adequate employee training.</li></ul><p> </p><p>Identifying and addressing any weaknesses in this process can help auditors and companies detect and correct errors before they file their reports. Organizations need to reconcile all high- and medium-risk accounts that could contain a significant or material misstatement and make all necessary adjustments to the general ledger timely. Because account reconciliations are so important, organizations also should adopt a continuous improvement process aimed at reconciling all accounts before the post-closing adjustment review process.</p><p><strong>Pay</strong><strong> close attention to the work of external auditors. </strong>That scrutiny should include the audit committee asking questions of the external auditor and regularly reviewing the renewal process for selecting the auditor.<strong> </strong>The company also should be listening to its investors' concerns and complaints.</p><p>The focus in the Wirecard case has turned to its external auditors, who reportedly failed to report the company's unorthodox financial arrangements in the past. Wirecard's missing $2 billion allegedly involved an unconventional measure in which the company used third-party partners to process payments in countries where it wasn't licensed. Those businesses deposited revenue in trust accounts rather than pay it straight to the company. Wirecard explained that the money was kept that way to manage risk, saying it could be saved to provide refunds or chargebacks if needed.</p><p><strong>External auditors need to be vigilant in self-regulating the quality of their work. </strong>The external auditors allegedly did not confirm that Singapore's Banking Corp. held large amounts of cash on Wirecard's behalf. Instead, they relied on documents and screenshots provided by a third-party trustee and Wirecard, itself.<br></p>Art Stewart0
The Fraudulent Finance Officer Fraudulent Finance Officer<p>Fabrina Carr joined CA Clubs, athletic and social clubs scattered throughout the Northeast, in 2012 as a secretary. Soon after, she was promoted to chief financial officer. As the financial director, she had overall control of the company's finances with little oversight, and she managed a small group of employees. </p><p>In late 2017, Carr phoned her work colleague from Bermuda to announce her resignation. This event, like any other unexpected executive departure, triggered an internal audit. The CEO of the company called Gina Cupler, the director of internal audit, whose team quickly started assessing the situation.</p><p>Internal audit requested emails and reports for corporate credit cards, travel expenses, and department expenses for the previous two years. Review of travel found significant and unusual spending activity, an excessive amount of expensive business trips, and a suspicious expense of $7,213. Cupler reviewed Carr's credit card statements and saw that the expense was paid to a funeral home. Public burial records revealed that Carr's sister had passed away and that the burial service was conducted by the funeral home noted in the credit card statement. A keyword search in Carr's email account captured correspondence with the funeral home, as well as an itemized invoice. </p><p>Cupler decided to dig deeper into CA Clubs' banking activity. Records indicated that Carr wrote checks to various people and vendors, yet the vendor master file did list those check recipients. When Cupler asked Carr's employees about the vendor master file, they told her that Carr maintained administrative control of the accounting system. This gave her unrestricted access to manipulate vendor records and transactions without detection. In addition, bank statements revealed five $100,000 wire transfers to an offshore account just before Carr resigned, which she approved herself. </p><p>Cupler notified the CEO of internal audit's findings and asked her team to expand the investigation to all five years of Carr's employment. Internal audit identified 1,464 personal transactions that started one month after Carr joined the company and carried forward for almost five years. Details of her unbelievable spending spree included 51 flights, 56 hotel stays, and 270 shopping transactions. </p><p>Cupler also inquired with the external auditors about their work over the past few years. Because the current external auditors had recently taken over the account, internal audit had to request copies of the audit reports from the previous auditors. The reports included findings about poor record keeping and insufficient evidence to support expenses and vendor payments. However, all interactions with the external auditors were through Carr, who never shared audit reports with the board. And the board never requested to see them. </p><p>Cupler was perplexed at how this could happen, so she instructed her team to perform more research into Carr's background. Her human resources (HR) file included a black and white copy of an accounting degree from Whatsworth College. An inquiry with the college found no record of Carr's attendance. The degree was forged, and HR never reviewed Carr's education or accounting certifications. The team then looked into Carr's criminal and past employment records, which revealed a history of theft and writing of fraudulent checks. </p><p>At the first evidence of fraud, Cupler notified the authorities and kept them abreast of developments. Carr was arrested at the airport upon her return from Bermuda and was questioned by authorities about the money that was missing. Carr claimed she loaned $500,000 to her boyfriend, a Nigerian man who she met online. A subordinate of Carr testified at the court hearing that Carr texted her outside of business hours instructing her to make payments to the man. Despite being suspicious about the payments, she felt bullied and did not want to question her supervisor. The prosecutor argued that these transactions were the reason Carr eventually resigned from CA Clubs — she had taken $500,000 to help her boyfriend leave Nigeria, but he never repaid her. The judge sentenced Carr to six years in jail, but she was not ordered to repay any costs because she declared bankruptcy.</p><p>CA Clubs sent an announcement to its 7,000 members sharing information about Carr's conviction and explaining that a new management structure was put in place with more rigorous financial processes to better protect the company. The incident was a painful reminder of what can go wrong without adequate checks and balances in place.  <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<strong>Lessons Learned<br><br></strong><ul><li>A pre-employment background check is a key preventive control. Verification that a person is who he or she claims to be is important, especially when it comes to meeting the compliance requirements with hiring legally authorized citizens. The background check also provides an opportunity to check a person's criminal record, education, employment history, and other information to confirm its validity.</li><li>Validation checks also should be performed when internal employees are promoted or move into new roles. Just because they have the skills, experience, and qualifications for the roles they were initially hired for does not mean they are immediately qualified for other roles in the company. HR should verify that their education, certifications, and any other skill sets are legitimate to meet the requirements of the new role. </li><li>Reliance on a single person to control all aspects of financial transactions is never a good idea because it creates opportunities to commit fraud. Small organizations may need to get creative when it comes to segregation of duties. Board members for small not-for-profit organizations can take on an active financial governance role by reviewing financial information monthly. </li><li>Thresholds should be in place around bank and credit card transactions with any override of these controls placed with the board. Companies also should work with their bank and credit card vendors to put automatic controls in place to prevent overspending.</li><li>Small companies may not have the resources to look at the cultural aspects of their work environment. However, board leadership can have an active presence and provide employees with an outlet outside of their normal chain of command, such as a whistleblower hotline, to report suspicious or unethical activity.<br><br></li></ul></td></tr></tbody></table>William Byrne1
Exploiting the Crisis the Crisis<p>​Throughout the coronavirus pandemic, the state of Washington has paid out hundreds of millions of dollars in fraudulent unemployment claims, the <a href="" target="_blank" style="background-color:#ffffff;">Associated Press reports</a>. State and U.S. government officials allege that a West African fraud ring is filing false claims using stolen identities. Many of those people still were employed, so they weren't likely to notice that someone had filed an unemployment claim in their name unless their employer contacted them about it.<br></p><p>Like many states, Washington has faced a massive spike in unemployment claims. Since March, 2 million unemployment claims have been filed in the state, with weekly initial claims topping 180,000 compared to the usual amount of 6,000.</p><p>Authorities have tried to recover some of the money paid to false applicants and have blocked some other payments. Since Washington first discovered the fraudulent claims, eight other states have reported similar schemes to defraud their unemployment systems.</p><h2>Lessons Learned</h2><p>Around the world, governments have paid out huge amounts to assist individuals and businesses adversely affected by the COVID-19 pandemic. These payments have supported millions of people who have been laid off or furloughed, as well as assisted businesses of all sizes.</p><p>But in responding to the unpredictability and urgency of the crisis, governments emphasized speed over controls to get money to those in need as quickly as possible. That has created opportunities for fraud.</p><p>The unemployment fraud in this story is one of many schemes seeking to take advantage of growing demand for financial relief. There are several audit-related strategies governments can adopt to help clean up this fraud now and be better prepared to provide aid during a second wave of the pandemic.</p><p><strong>Audits</strong> Internal auditors need to audit the performance of temporary relief programs. These reviews should include looking for ways to achieve a more optimal balance between delivering benefits quickly and accurately.</p><p>Throughout the crisis, government officials in areas such as employment and taxation may have approved payments and not referred suspected abuse to their quality control, integrity, or enforcement functions. For example, Canada Emergency Relief Program staff members were instructed that applicants should still receive benefits even if records indicated they quit voluntarily or were fired for possible misconduct. However, the program's legislation excludes these factors from eligibility for benefits.</p><p>Not only should the departments directly involved in assistance programs perform audits, so should national audit functions, such as the U.S. Government Accountability Office, given the widespread nature of the government's response. Additional funding may be needed to undertake this work.</p><p><strong>Controls</strong> Program controls over emergency financial relief programs should be designed and operate in relation to other existing employment and social support programs such as unemployment insurance. Government agencies need to conduct pre-payment verifications and post-payment reviews to some degree, even during an emergency situation.</p><p>For example, government agencies have discovered a significant number of individuals who were receiving duplicate payments. Some people received this money by mistake, but others were intentionally trying to collect both emergency and unemployment payments at the same time. Uncovering these "double dippers" should be simple because applicants must provide basic identifying information to apply for either program. What is necessary is taking faster action to verify the problem and recover the money.</p><p><strong>Deterrence</strong> Effective fraud deterrence measures include clear warnings to benefit recipients about the consequences of cheating. In the example of a business that falsifies documents to claim a wage subsidy benefit, a deterrent would be penalties that are larger than the amount received through the program.</p><p>Whistleblower mechanisms also are needed. They should be tailored to the design of emergency programs and their eligibility criteria, and should operate via existing taxation agencies. These agencies typically collect reports of tax cheating such as not declaring all income, accepting "under the table" cash payments, or setting up a fake business to claim losses and reduce taxes.</p><p>Adding emergency financial relief programs to the existing whistleblower system may require someone who wants to report a potential fraudster to provide key information about the suspect. These details may include the individual's work or education situation, or his or her employer's number of employees and total payroll.</p><p><strong>Ongoing Assistance</strong> Governments should implement "exit strategies" for assistance programs that balance the ongoing needs of those who still are affected by the COVID-19 crisis with the necessity to reopen economies. Fewer people will require help as businesses reopen and workers are rehired. However, those who still don't have a job, or those who cannot qualify for unemployment insurance, may still need some form of assistance.</p><p>Moving forward, the lessons that governments learn from this crisis about audits, controls, and fraud deterrence could help them design a more effective, less fraud-susceptible relief program.<br></p>Art Stewart0
Police Entangled in Tow-truck Kickbacks Entangled in Tow-truck Kickbacks<p>​A 10-month investigation has uncovered an alleged kickback scheme involving Ottawa police officers and a tow-truck operator. According to the police investigation and reporting by the <a href="" target="_blank"> <em>Ottawa Citizen</em></a>, three officers solicited bribes from a towing service in exchange for information about the locations of vehicle crashes. </p><p>Other towing services had complained to the police about the alleged arrangement since 2018. Moreover, drivers involved in crashes said they had observed money changing hands between police officers and tow-truck drivers. The Royal Canadian Mounted Police (RCMP) has filed criminal charges against the officers, the owner of a tow-truck company, and two other individuals. </p><h2>Lessons Learned</h2><p>This news story and a <a href="" target="_blank">similar investigation involving sheriff's deputies in California</a> highlight two issues that internal auditors can help law enforcement agencies address: 1) establishing and enforcing a strong ethics and conflict-of-interest regime, and 2) implementing better controls over tow-truck operations involving police officers. </p><p>The City of Ottawa's police chief has expressed that the Ottawa Police Service's (OPS') code of conduct and ethics regime must be reviewed and strengthened. That exercise should be informed by the breadth and depth of the allegations against the three officers charged with several crimes by the RCMP, including:</p><ul><li>Giving out police information about vehicle collisions to one towing service and getting a financial kickback. Further, the officers allegedly gave that operator access to confidential OPS databases. Additionally, the RCMP has charged a family member of the towing operator with secret commissions.</li><li>Obstruction of justice and breach of trust.</li><li>Causing a false insurance claim to be made about a collision.</li><li>Using the position of a police officer for personal gain on a dating website.</li><li>Conspiring to break and enter to commit theft.</li></ul><p><br></p><p>From the standpoint of strengthening the OPS code of conduct and ethics regime, one step the department has undertaken is establishing a unit responsible for ethics and code of conduct issues, headed by a senior officer at the superintendent (executive equivalent) level. Other measures that should be in place include:</p><ul><li>A code of conduct and ethics compliance regime, policies, and processes that specifically prohibit the kinds of behaviors listed above, along with disciplinary consequences for noncompliance. The regime should include a "zero tolerance" policy as appropriate for law enforcement officials.</li><br> <li>Regular reporting of cases involving disciplinary, ethics, and conduct issues, such as in the OPS Annual Report. The OPS reports on some professional conduct issues, but this mainly is statistical information. As a deterrent, the OPS should publicize cases where officers are found guilty of inappropriate or fraudulent actions.</li></ul><p><br></p><p>Regarding the issue of controls over police forces and their interactions with towing services, the OPS and city officials should review the department's operations and policies, in part, to determine whether its processes need to change. That should include whether officers should have discretion about which towing service to call.</p> <p>Perhaps a "blind" dispatch system is needed to ensure a better distribution of work among the various tow-truck operators in Ottawa. Making such changes may be complex in cases in which vehicles are involved in possible criminal activities, or where drivers in an accident have their own towing service, such as through the Canadian Automobile Association or a credit card company. </p>Art Stewart0
Breaking Down the Fraud Policy Down the Fraud Policy<p>​Nearly half of all global organizations in PwC's 2018 Global Economic Crime and Fraud Survey admit to having been the victim of fraud and economic crime in the past two years, resulting in more than $7 billion in total losses and a median loss of $130,000 per case. Nearly half of those frauds were because of internal control weaknesses.</p><p>Internal audit plays several key roles in the prevention, detection, and monitoring of fraud risks. First, as internal audit has broad visibility into the different areas of the enterprise, it should be aware of potential red flags of fraud in all audit engagements and identify ones that may warrant further investigation. Also, internal audit should assess the effectiveness of controls designed to mitigate fraud risk. Finally, internal audit can lend valuable expertise in an advisory role to the development of the fraud policy. To do this, internal auditors need to understand the key elements of a strong policy, and who it should involve.</p><h2> The Building Blocks<br></h2><p>Any organization can be a victim of fraud, regardless of its size, industry, or location. The most effective recourse is to develop a strong and implementable fraud policy that defines unacceptable behavior and how the organization will respond to it. While policies can vary depending on the organization's number of employees, industry complexity, and operating environment, the fundamental elements remain the same:</p><ul><li>The policy has top-down support.</li><li>It includes clear, specific language and examples.</li><li>It accurately and effectively defines fraud.</li><li>There is policy ownership, so a specific person or group of people are charged with overseeing the development and implementation of the fraud policy.</li><li>It clearly spells out personnel roles and responsibilities.</li><li>It explains the disciplinary and legal actions the organization will take.</li><li>It makes anonymous hotlines and reporting options available.</li><li><p>There is an effective communication plan around the policy.<br></p></li></ul> <p>While no fraud policy can define every fraudulent action, a well-written policy uses clear language and relatable examples to help reduce uncertainty of what the organization considers illegal activity. It also provides clear instructions regarding the responsibilities and procedures to be followed by all involved when illegal activity is suspected or uncovered. </p><p>However, it doesn't matter how well the fraud policy is written if it sits in a three-ring binder gathering dust. The organization must ensure that the fraud policy is not only created, but also read and understood by all internal personnel and external parties with which it engages. The greater the importance the organization places on this document, the greater the likelihood employees will place an equal amount of importance to it. From regular manager/employee policy reviews to live training to role playing, the same message, stance, and emphasis on eliminating fraud can be reinforced. Regular communication not only promotes understanding, but also can deter potential fraudsters.<br></p><p>Occupational fraud is most efficiently organized into three categories, each of which companies must identify and communicate with personnel. </p><ul><li> <em>Asset misappropriation</em> is the stealing or misuse of enterprise resources by personnel. This occurred in more than 89% of all reported cases and resulted in a median loss of $114,000, according to the Association of Certified Fraud Examiner's (ACFE's) Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse.</li><li> <em>Corruption schemes</em> occur when personnel misuse their influence during business transactions to obtain benefit and violate their duties to the employer. According to the ACFE study, this results in 38% of occupational fraud cases with a median loss of $250,000.</li><li><p> Financial statement fraud occurs when personnel intentionally cause misstatements or omit information in enterprise financial reports. It is the least common but most costly, averaging $800,000 per incident.</p></li></ul><h2> Prosecuting Fraud<br></h2><p>While fraud detection and prevention is an organizationwide effort, clearly defined roles must be instituted to promote responsibility and reduce confusion. For example, the board of directors is responsible for corporate fraud governance, and management must be engaged in executing these policies. Internal audit's role should be clearly defined, as well. Auditors must have the authority to ensure fraud controls are appropriate and effective, to investigate instances of possible fraud, and to support management in executing the fraud risk assessment.</p><p>Without the threat of prosecution, a fraud policy is little more than a toothless tiger. Therefore, it's critical that the policy conveys a plan of disciplinary action to all personnel. The fraud policy must include a statement that all appropriate measures to deter fraud will be taken and all instances of suspected fraud will be investigated and reported to the appropriate authorities. </p><p>Generally, organizations have four options when fraud is uncovered: criminal prosecution, civil fraud lawsuit, a mutually agreed upon termination of the perpetrator, or no action. There are varying schools of thought as to which of these actions should apply to different fraud situations. For example, it can be argued that taking no action is one of the surest ways to promote an organization's susceptibility to future fraud because of the perception of impunity. On the other hand, there also are cases when the cost of prosecution exceeds the cost of the fraud and other disciplinary actions may be preferred. Some organizations will prosecute all fraud regardless of monetary value. From the internal auditor's perspective, however, the key question is whether the organization has considered the risks of its disciplinary policy (reputational risk, cost, future fraud risk, etc.) and is comfortable with them.</p><p>The fraud policy must provide personnel with instructions regarding the steps to take when suspecting fraud. The policy should remind personnel that they are not prosecutors of the law and that their job is to report their findings to the organization's appropriate party. The fraud policy should provide anonymous avenues to give employees confidence that they can safely report potential fraud, such as a fraud hotline number. In addition to verifying the existence of a hotline, internal audit also may want to understand whether it is being used and how effectively the company has responded to these tips.</p><h2>A Preventive Measure</h2><p>In the end, a fraud policy is an inexpensive and effective method for reducing the threat of potentially crippling financial losses. Furthermore, all departments, including internal audit, can play major roles in its development. This stand-alone document should be seen by all personnel as playing an integral role in the organization's health and longevity.  <br></p>Chris Errington1

  • CAE-OnRisk-January-2021-Premium-1
  • CIALS-January-2021-Premium-2