Fraud

 

 

The Unscrupulous Advisor
https://iaonline.theiia.org/2018/Pages/The-Unscrupulous-Advisor.aspx
<p>A federal grand jury has indicted the CEO of an investment management firm on 23 counts of fraud, <a href="https://www.idahostatejournal.com/news/local/former-owner-and-ceo-of-yellowstone-partners-investment-firm-indicted/article_bedc9214-f7eb-5fd0-a5fc-aa743fde6362.html" target="_blank">the <em>Idaho State Journal</em> reports</a>. Federal prosecutors say David Hansen, majority owner of Yellowstone Partners LLC, headquartered in Idaho Falls, Idaho, overbilled client accounts by submitting false billing requests to a brokerage firm. Last year, former Yellowstone Partners employees told the <em>Post Register</em> newspaper they had found "significant irregularities" in some customer accounts in 2016. Prosecutors estimate Hansen's alleged scheme defrauded clients of more than $9 million. The indictment also charges Hansen with aiding in preparing false corporate and personal income tax returns that underreported the company's revenue and his own income in 2012 and 2013.</p><h2>Lessons Learned</h2><p>The CEO of the investment management firm in this story allegedly has run afoul of the U.S. Securities and Exchange Commission (SEC) and more particularly Section 206 of the Investment Advisers Act of 1940 (the "Advisers Act"). In part, Section 206: </p><p> <span class="ms-rteStyle-BQ">"prohibits misstatements or misleading omissions of material facts and other fraudulent acts and practices in connection with the conduct of an investment advisory business. As a fiduciary, an investment adviser owes its clients undivided loyalty, and may not engage in activity that conflicts with a client's interest without the client's consent."</span> </p><p>In addition to the general anti-fraud prohibition of Section 206, other sections of the act regulate several practices relevant to the alleged fraud in this story. 
These include disclosure of fees, investment advisor advertising, custody or possession of client funds or securities, and disclosure of investment advisors' financial and disciplinary backgrounds. All of these rules were allegedly broken in one way or another in this case. </p><p>Internal auditors should consider measures to help their organization prevent and detect the kind of fraud represented in this story. Two main areas of concern surround disclosure obligations:</p><ul><li>"The Brochure Rule" (Advisers Act Rule 204-3) requires every SEC-registered investment advisor to deliver to each client or prospective client a Form ADV Part 2A (brochure) and Part 2B (brochure supplement) describing the advisor's business practices, conflicts of interest, background, and its advisory personnel. Advisors must deliver these documents to a client before or at the time the advisor enters into an investment advisory contract with a client. In addition, advisors must provide them whenever there is a material change to the advisor's profile. <br> <br>Both investors and auditors need to be aware of how business practices and conflicts of interest can be hidden or manipulated. Hansen is a partner at Elite Advisor Institute, a company that trains and coaches investment advisors. Was this partnership disclosed, and were some of the people involved in the overbilling scheme at Yellowstone Partners trained there? <br> <br>A further step that needs to be taken is to cross-check an investment advisor's background with those who regulate and accredit them such as the SEC (registration information is available on <a href="http://www.sec.gov/" target="_blank">the SEC's website</a>). The Financial Industry Regulatory Authority also offers information about the professional designations used by advisors as well as measures that investors can take to avoid investment fraud. 
</li> <br> <li>The SEC mandates that an investment advisor disclose to clients all material information regarding its compensation such as whether the advisor's fee is higher than the fee typically charged by other advisors for similar services. In most cases, this disclosure is necessary if the annual fee is three percent of assets or higher. <br> <br>Investors and auditors should be proactive in regularly reviewing investment transactions to determine what fees are being incurred, as an early way to detect overbilling. The investment industry should continue to be obligated to regularly and transparently disclose fees to clients. A good practice would be to disclose such fees monthly, although often this is only done annually. <br> <br>A further part of this transparency is to carefully monitor the use of other mechanisms that incur fees such as performance fees and referral to third-party fees. Another mechanism susceptible to overbilling is a "wrap fee program" where advisory and brokerage services are provided for a single fee that is not based on the client's account transactions. </li></ul>
Art Stewart
Crimes of the Century
https://iaonline.theiia.org/2018/Pages/Crimes-of-the-Century.aspx
<p>Fraud will flourish until human beings and money are removed from the mechanics of the international economy. In fact, all that separates a determined criminal and a company's cash flow is a control regime developed by imperfect human beings, often operating with insufficient manpower and limited technological assistance. So there's a decent chance that somebody will come up with a way to scam any new system. Indeed, most of the worst frauds ever have played out in the last 20 years, because the prize money is growing and the playing field is expanding. <br></p><p>"The fraud climate has greatly improved over the past few decades," says financial analyst Harry Markopolos, who battled unconvinced U.S. Securities and Exchange Commission (SEC) staffers in Boston and New York when he tried to disclose one of the biggest schemes in recent years. "Unfortunately, it's improved for the fraudsters, not the victims." Internal audit functions are doing their best — and they're sometimes the heroes when crimes are uncovered. But a look back at some of the biggest headline-grabbing scandals of the 21<sup>st</sup> century confirms his contention that fraud fighting is, increasingly, a 24/7 responsibility. <br></p><h2>Enron</h2><p>In 2001, former vice president of corporate development Sherron Watkins blew the whistle on executives at once-giant energy company Enron Corp. for "inventing revenue and hiding losses via elaborate partnerships with dummy companies," as CBS News reported at the time. Enron went bankrupt, taking down Arthur Andersen, its main audit firm, with it. In all, 21 people pleaded or were found guilty in the $74 billion fraud; charges included insider trading, conspiracy, bank fraud, making false statements to auditors, and securities and wire fraud. 
Former chair and CEO Kenneth Lay, former CEO and chief operating officer Jeffrey Skilling, and former chief financial officer (CFO) Andy Fastow were among the convicted, but Lay died before serving any time. <br></p><p>Watkins played a key role in exposing the fraud, though it proved an uphill battle and took significant time for the scandal to fully come to light. That fighting fraud is an increasingly titanic endeavor is evident in the numbers, Markopolos says — the dollar amounts of the damage the criminals do keep going up. "You can see the growing problem by the size of the frauds," he says. "They're becoming increasingly larger decade by decade."<br></p><h2>WorldCom</h2><p>Early in the last decade, former CEO Bernie Ebbers' $180 billion WorldCom fraud included underreporting line costs by capitalizing rather than expensing them and inflating revenues with fake accounting entries. The monumental scheme was discovered by the company's then vice president of internal audit, Cynthia Cooper, who along with Watkins was named one of <em>Time</em> magazine's 2002 Persons of the Year for her efforts. WorldCom went bankrupt and is now part of Verizon Communications.<br></p><p>WorldCom's CFO was fired and the controller resigned. Ebbers was sentenced to 25 years in prison for fraud, conspiracy, and filing false documents with regulators; he's still in jail, despite his widely reported "begging" for a presidential pardon. U.S. Congress passed the Sarbanes-Oxley Act of 2002 just weeks after news of the WorldCom scandal broke. <br></p><h2>Bernie Madoff<br></h2><p>A few years after Sarbanes-Oxley went into effect, the fraud case Markopolos tried to expose — involving now-80-year-old Bernie Madoff, the former Nasdaq chair who pleaded guilty in 2009 to federal felonies — racked up an estimated $65 billion price tag in the 10 years Markopolos attempted to convince the SEC that something didn't add up. 
Madoff's charges included securities, investment advisor, mail, and wire fraud; money laundering; perjury; making false filings with the SEC; and theft from an employee benefit plan. <br></p><p>He's still in prison, with an expected release date of 2139. The former head of Bernard L. Madoff Investment Securities LLC forfeited $17 billion before starting the 150-year sentence for running the largest Ponzi scheme in history — basically, investors' returns came from their own money, not from profits. The case, Markopolos points out, is a sad example of the outcome of most financial fraud scandals. "Unfortunately, when it comes to economic crimes," he explains, "usually only the top tier of planners and architects of the scheme end up serving significant prison sentences." In this instance, "no one at Madoff's hundreds of feeder funds was ever prosecuted, just like no bank executives went to jail for the global financial crises from 2007 to 2009." <br></p><h2>Olympus</h2><p>In 2011, a low-level Olympus Corp. employee blew the whistle on executives concealing $1.5 billion in investment losses. The brand new CEO, Michael Woodford, exposed the scandal; he got fired and Olympus denied everything.<br></p><p>Ultimately, 11 executives were arrested, much of the board resigned, and the company lost 80 percent of its value. But just three got suspended sentences — two for three years, the other for 30 months. Within a couple of years the company returned to profit, and its shares recovered most of their losses.<br></p><h2>FIFA</h2><p>Just three years ago, U.S. 
officials charged nine executives at the Fédération Internationale de Football Association (FIFA), four sports marketers, and an accused intermediary with racketeering, wire fraud, and money laundering, saying they conspired to solicit and receive $150 million in bribes and kickbacks for rights to televise the quadrennial World Cup and to sway FIFA's decisions on who hosts it. Charles Blazer, former executive committee member, pleaded guilty and forfeited $2 million; he faces a maximum of 10 years in prison. José Hawilla, head of the Traffic Group, a sports marketing conglomerate, and two of his companies, Traffic Sports International Inc. and Traffic Sports USA Inc., also pleaded guilty; he forfeited $151 million. The individuals face maximum terms of 20 years in prison; the corporate defendants face fines of $500,000 and one year of probation.<br></p><p>Since then, the organization has struggled to implement internal reforms — but reminders of the scandal keep surfacing. In 2017, former member Richard Lai pleaded guilty to FIFA-related charges, and this summer, a corporate defendant pleaded guilty to fraud in the case — and paid $25 million in fines and forfeitures.<br></p><h2>Little Restitution for Victims</h2><p>Those fines and forfeitures, unfortunately, rarely make victims whole. For example, in most Ponzi schemes, Markopolos points out, "recoveries range from 20 cents to 50 cents of every initial dollar invested, varying by geographical location, size and type of the scheme, and too many other variables that affect just how much investors will eventually get back." He also notes that it takes a long time to unwind such complex schemes — so when victims finally do receive partial restitution, it's often as much as five to 10 years after the scheme has collapsed. <br></p><p>Indeed, <em>The</em> <em>New York Times</em> reported in April that victims would receive another $504 million from Madoff assets the government seized a decade ago. 
"With that distribution," the <em>Times</em> reported, "21,000 victims have received more than $1.2 billion." But the theft tally ranged from a conservative $15 billion or so to the widely reported $65 billion; in the better case scenario, in other words, victims haven't yet gotten back 10 percent of their losses. Says Markopolos: "The one constant truth is there are no happy endings for victims."<br></p><p>He blames a regulatory and corporate culture that has its head in the sand, that struggles to take the threat of another shocking scandal seriously, and that gives finance industry titans too much credit for good behavior. Indeed, he famously complained to the SEC for a decade that the Madoff firm's returns weren't mathematically possible, but he was turned away more than once; two SEC executives ultimately resigned, but no one was fired and few were sanctioned. "Investor due diligence on Wall Street is very lax," Markopolos says, and "doesn't come close to The IIA's standards of what a real audit would entail. If financial due diligence professionals would join The IIA and attend chapter meetings, they'd learn enough to be much harder to fool." <br></p>Russell A. Jackson1
Cash-transfer Schemes
https://iaonline.theiia.org/2018/Pages/Cash-transfer-Schemes.aspx
<p>Cash-transfer company MoneyGram International has agreed to pay $125 million to settle charges that it covered up weaknesses in its anti-fraud program, <a href="https://www.ocregister.com/2018/11/08/moneygram-to-pay-125-million-in-penalties-tied-to-fraud-case/" target="_blank"><em>The Orange County Register</em> reports</a>. Those weaknesses resulted in $125 million in fraudulent transactions between April 2015 and October 2016. Moreover, MoneyGram violated a 2012 settlement with the U.S. Justice Department. It also violated a 2009 U.S. Federal Trade Commission (FTC) order that required the company to put anti-fraud measures in place. Both of those actions stemmed from a six-year investigation that found the company had been aware that its agents had tricked customers into sending money to fake accounts. </p><h2>Lessons Learned</h2><p>MoneyGram's website compiles advice on how consumers can avoid being defrauded when sending money (see <a href="https://bit.ly/1jR6xLu" target="_blank">https://bit.ly/1jR6xLu</a>). Although MoneyGram may provide this advice to meet regulatory compliance requirements, it also may offer the information because the company has been implicated in such fraud. However, none of these examples warn that the culprit of the attempted fraud could be a MoneyGram employee or agent.</p><p>What measures should MoneyGram and other cash-transfer companies consider to prevent and detect employees who try to perpetrate fraud on their clients? MoneyGram has more than 150,000 employees and agents around the world, so a comprehensive internal anti-fraud regime is essential. 
Here are three measures that could help:</p><ul><li> <strong>Increase the frequency and thoroughness of employee background checks before and after hiring. </strong>MoneyGram allegedly ignored thousands of complaints about a group of agents in the U.S. and Canada who handled hundreds of millions of dollars in transfers annually. Also, court findings in other fraud cases have alleged that many of MoneyGram's agents previously had been fired or suspended by competitor Western Union over fraud allegations. Yet, MoneyGram performed few background checks on those individuals.<br><br></li><li> <strong>Implement, monitor, and publicly report on the results of a complete whistleblower program for employees. </strong>In documenting its cases against MoneyGram going back many years, the FTC found that company managers often told employees to be quiet if they raised concerns about potential fraud by outsiders or employees. In some cases, employees who expressed concerns were disciplined or fired. <br><br>The FTC has alleged that MoneyGram "typically rejected or ignored employee concerns, claiming that they were too costly or that consumer fraud prevention was not the [company's] responsibility." The company operates a hotline through which employees and agents can report violations of its anti-fraud policies. MoneyGram should audit the program regularly to determine its effectiveness.<br><br></li><li> <strong>Institute a meaningful culture and practice of accountability.</strong> The FTC has repeatedly fined MoneyGram, saying the company knew its system was being used to defraud people but did nothing to stop it. As far back as 2009, U.S. investigators found that 131 of its 1,200 agents in Canada and the U.S. had solicited consumers to send them deposits via MoneyGram for lottery entries, guaranteed loans, and other schemes. These deposits accounted for more than 95 percent of fraud complaints MoneyGram received in 2008 regarding money transfers to Canada. 
The FTC further alleged that the employees responsible were never terminated.<br><br>Real accountability calls for moving beyond financial fines to discipline and potentially termination of individuals who perpetrate this kind of fraud. These individuals could include employees, supervisors, managers, senior executives, or board directors. MoneyGram has instituted anti-fraud accountability measures such as creating an ethics and compliance committee reporting to its board, as well as establishing two related executive positions. However, these actions have not generated enough results. <br></li></ul>
Art Stewart
An Injection of Fraud
https://iaonline.theiia.org/2018/Pages/An-Injection-of-Fraud.aspx
<p>The CEO of a Michigan-based health-care group has pleaded guilty to charges of paying doctors to administer medically unnecessary injections "that resulted in patient harm," according to <a href="https://www.wxyz.com/news/west-bloomfield-health-care-ceo-pleads-guilty-to-fraud-involving-harmful-injections" target="_blank">WXYZ</a> in Detroit. In the $300 million scheme, Mashiyat Rashid, CEO of pain clinic operator Tri-County Wellness Group, rewarded doctors based on the number of back pain injections Medicare paid for. Many of the patients were addicted to opioids and agreed to receive the shots to obtain pills. As part of his plea, Rashid will forfeit more than $51 million as well as commercial and residential property he owns.</p><h2>Lessons Learned</h2><p>Medicare fraud continues to grow in size and scope, and now encompasses the widespread opioid crisis. Since 2007, the U.S. Medicare Fraud Strike Force has charged more than 4,000 defendants with billing the Medicare program for more than $14 billion collectively. </p><p>Fraudsters such as Rashid aim to profit illegally from schemes that harm taxpayers and expose patients to the dangers of opioid drugs. Internal auditors and regulators can help prevent these abuses by focusing on controls in several areas.</p><ul><li> <strong>Always look out for the "shell game." </strong>Fraudsters often cover up fraud by operating a seemingly innocent activity. Rashid owned, controlled, and operated numerous pain clinics, laboratories, and other providers in Michigan and Ohio. For nine years until his arrest in 2017, Rashid conspired with physicians to require Medicare beneficiaries who wished to obtain controlled substances to submit to expensive, medically unnecessary, and painful back injections. <br> <br>While it isn't known how many of these injections were forced on patients, U.S. 
Justice Department officials say Rashid and the doctors associated with his clinics distributed more than 6 million doses. Medicare eventually determined that 100 percent of the injection claims were not eligible for reimbursement. Auditors could have detected these red flags earlier using data mining techniques.<br> </li><li> <strong>Establish robust controls over Medicare enrollment by fake companies.</strong> Shifting and multiple corporate registrations that trace back to the same owners is another red flag that might have been detected and investigated earlier in this case. The fraudsters created new shell companies that they enrolled in Medicare to keep the fraudulent billing going. Often, they only changed the name of the company on the door and invented new suite numbers to conceal themselves. <br> </li><li> <strong>Enhance whistleblower programs and incentives. </strong>Many patients implicated in Rashid's scheme were motivated by gaining access to opioid drugs. Publicizing these Medicare frauds and providing ways for patients to report their concerns to authorities without fear of reprisal can help uncover these crimes. Financial incentives can motivate whistleblowers to come forward. But the fraudsters offer incentives, too. Rashid paid kickbacks to obtain patients and bribed physicians to refer Medicare beneficiaries to specific third-party home health agencies.<br> </li> <li> <strong>Pay attention to significant lifestyle changes of senior executives.</strong> Even in the medical industry, where many people are highly compensated, there are lifestyle clues that can lead the U.S. Internal Revenue Service and financial fraud trackers to illegal activities. Rashid pleaded guilty to money laundering in connection with a $6.6 million wire transfer. He used the money to live extravagantly, purchasing a mansion and other real estate, as well as luxury clothes, rare watches, and exotic automobiles.</li></ul>
Art Stewart
The Fall of the Food Researcher
https://iaonline.theiia.org/2018/Pages/The-Fall-of-the-Food-Researcher.aspx
<p>A well-known food researcher has stepped down from his university teaching and research posts following the retraction of six of his papers, the <a href="https://nationalpost.com/news/world/cornell-review-finds-academic-misconduct-by-food-researcher" target="_blank"><em>National Post</em> reports</a>. The JAMA medical journals retracted the papers published by Cornell University professor Brian Wansink, after the university could not produce original data to verify the results of his research on consumer behavior. Reviews of Wansink's previous work allege that he had cherry-picked data points in his research to make the findings more likely to be published. Those reviews resulted in seven other papers being retracted. </p><h2>Lessons Learned</h2><p>According to Cornell, Wansink's academic misconduct also included misreporting data, problematic statistical techniques, failure to appropriately document and preserve research results, and inappropriate authorship. Researchers are not the only ones who engage in such practices. This kind of deception can arise from any sector of society, including corporations, governments, journalists, and educators. </p><p>Internal auditors need to know about the various inappropriate ways data can be collected and used. They should maintain a skeptical stance regarding what they see in their audit work, including financial statements, management reporting of results, assessments of program effectiveness/efficiency, and compliance with standards. 
Here are some observations about three of the most relevant issues to this story — misreporting data, methodology, and data quality and integrity — along with a few suggestions about how to fix the problems.</p><ul><li> <strong>Misreporting data.</strong> The practice of <a href="https://www.theatlantic.com/science/archive/2015/08/psychology-studies-reliability-reproducability-nosek/402466/" target="_blank">"p-hacking,"</a> in which researchers slice and dice a data set until an impressive-looking pattern emerges, has become prevalent. Also common is publication bias, which is the tendency to favor publication of studies with positive results. The increased presence of the internet and social media has further accentuated the problem. <br><br>Misreporting data can take various forms, from tweaking variables to show a desired result, to pretending that a finding proves an original hypothesis — in other words, uncovering an answer to a question that was only asked after the fact. For example, in psychology research, a result usually is considered statistically significant when a calculation called a p-value is less than or equal to 0.05. But excessive data massaging can produce a p-value lower than 0.05 just by random chance, making a hypothesis seem valid when it's actually a chance result. An insightful paper on this topic can be found <a href="http://journals.sagepub.com/doi/abs/10.1177/0956797611417632" target="_blank">here</a>. <br><br>Sample sizes also matter in survey data analysis. They always should be reported — or at least made available — along with confidence levels and the methodologies applied to the data. Additionally, sample design and the avoidance of sample bias are important considerations in judging the validity of survey sample results.<br></li> <br> <li> <strong>Weak statistical methods. </strong>A related issue is the choice of statistics to represent the findings, and the importance of having a baseline/benchmark for expected results. 
A basic but prime example of the former is the bell curve. If you read that "the average of a group's score was five out of 10," that does not necessarily mean most scored a 5 — an "upright" bell curve. But the actual range of scores may be quite different. For example, half the group may have scored zero or one out of 10, and the other half nine out of 10 — which means that an "inverted" bell best represents the result. On the latter, understanding the differences between correlation and causation, and the use of a relevant baseline are important. <br><br>Here is a famous example: There is a strong positive correlation between the number of Nobel prizes the people of a country have earned and the quantity of chocolate eaten annually in that country. But this does not show that eating more chocolate will earn you a Nobel prize. Correlation does not imply causation. The countries that eat the most chocolate are the wealthier ones where chocolate is inexpensive and that tend to have more money to invest in education and research — resulting in more Nobel prizes.<br></li> <br> <li> <strong>Poor data quality and documentation.</strong> In many instances, researchers do not do enough to appropriately identify and categorize the quality of data used. This is particularly true where data sets originate from disparate systems or sources, historical data is used, and data definitions have not been validated for comparability. A systematic measurement of data quality and a disclosure against a standard (even a scorecard green, red, yellow type) alongside the published results would help alleviate problems of misinterpretation. And as data increasingly is captured electronically, it should be retained, along with its documentation, coding, and methodological routines.<br> </li></ul><p>Overall, pre-approval and pre-registration, including publicly, of research plans can help to address these three problems. 
That is especially the case when the specifics are addressed by stating exactly what the hypothesis is and what plans there are to test it and how. When these requirements are in place, there is less room for cherry-picking the most eye-catching results after the study is completed.</p><p>Wherever possible, more efforts should be made to run larger studies or replications, which are less likely to produce spurious results that get published. Researchers should describe their methods in more detail, and upload any materials or code to open databases, making it easier to review the basis of their work. Declaring the quality of the data used against a standard or benchmark also would help. And, journal editors should collaborate to establish and enforce consistently high standards for accepting and publishing research results.</p>
Art Stewart
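<p>The multiple-testing effect behind the p-hacking discussion in "The Fall of the Food Researcher" above, as an added example that is not part of the original article. It simulates studies in which no real effect exists and measures how often at least one outcome still reaches p &lt;= 0.05; the group size, the number of outcomes, and the use of a z-test with known variance are assumptions chosen for illustration.</p>

```python
import math
import random

ALPHA = 0.05  # significance threshold quoted in the article


def two_sided_p(group_a, group_b, sigma=1.0):
    """Two-sided z-test p-value for a difference in means (sigma known)."""
    n_a, n_b = len(group_a), len(group_b)
    diff = sum(group_a) / n_a - sum(group_b) / n_b
    z = diff / (sigma * math.sqrt(1.0 / n_a + 1.0 / n_b))
    # 2 * (1 - Phi(|z|)) written with the complementary error function
    return math.erfc(abs(z) / math.sqrt(2.0))


def smallest_p(rng, outcomes, n_per_group):
    """Simulate one study with no real effect and return its best p-value.

    Both groups are drawn from the same N(0, 1) distribution, so every
    "significant" result is a false positive by construction. Testing
    several outcomes and keeping the best one is the slicing and dicing
    the article describes.
    """
    best = 1.0
    for _ in range(outcomes):
        a = [rng.gauss(0.0, 1.0) for _ in range(n_per_group)]
        b = [rng.gauss(0.0, 1.0) for _ in range(n_per_group)]
        best = min(best, two_sided_p(a, b))
    return best


def false_positive_rate(outcomes, studies=2000, n_per_group=20, seed=2018):
    """Share of null studies that can report at least one p <= ALPHA."""
    rng = random.Random(seed)
    hits = sum(
        smallest_p(rng, outcomes, n_per_group) <= ALPHA for _ in range(studies)
    )
    return hits / studies


def expected_rate(outcomes):
    """Theoretical rate for independent tests: 1 - (1 - ALPHA) ** outcomes."""
    return 1.0 - (1.0 - ALPHA) ** outcomes


if __name__ == "__main__":
    for k in (1, 5, 20):
        print(
            f"{k:>2} outcomes tested: simulated {false_positive_rate(k):.3f}, "
            f"expected {expected_rate(k):.3f}"
        )
```

<p>A reviewer who knows how many outcomes, subgroups, or model variants were tried can apply <code>expected_rate</code> directly, which is why the article's call for pre-registered hypotheses matters.</p>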
The Creative Card Fraud
https://iaonline.theiia.org/2018/Pages/The-Creative-Card-Fraud.aspx
<p>The finance department at a Midwest university issued 28 purchasing cards (P-cards) to the university’s IT department so it could more easily purchase electronics and technology items and deliver them to the departments IT supported. P-card use at the university was decentralized, and all supporting purchase documents were maintained in each department. Every month, the university required the cardholder to provide supporting invoices and receipts for purchases, as well as the P-card statement, to his or her direct supervisor for review and approval before submitting. </p><p>Within IT, Lisa Moore recently was promoted from supply technician to operations support manager. Soon after her promotion, Michael Graham was hired as a supply technician within the department, reporting directly to Moore. The two were friends before they became co-workers in the same office.</p><p>Campus internal audit conducted regular reviews of departmental P-card transactions, which looked for risk factors such as high-dollar and high-volume purchases. In one such audit, the auditor in charge, Heath Crocker, noted that departmental cards’ activity as stated in the monthly bill did not match the supporting receipts in several instances. When Crocker questioned the IT department about the discrepancy, it insisted that the information on the bill was not accurate. Crocker then queried the university’s P-card coordinator, who confirmed that the information on the monthly bill is sometimes not accurate. The auditor accepted this explanation and did not take additional action — nor was this information provided to the auditor’s supervisor. As a result, internal audit missed the opportunity to uncover a fraud that lasted 15 months and cost the university $292,371. 
</p><p>Six months after the audit, an employee noticed a transaction on his P-card that he did not make and notified his manager of the discrepancy. Management conducted an internal review, and the university hired an accounting firm to review the P-card program and evaluate the internal control environment. Information about the theft was then handed over to the State Attorney General’s Office for further investigation and action. </p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​</strong><strong>Lessons Learned</strong></p><ul><li>Internal audit risks losing credibility when fraud activities go unnoticed. As a result, management will look to cosourced and outsourced relationships to ensure it has the resources necessary to protect the organization from fraud. <br> <br></li><li>Simply accepting that the monthly P-card statements may contain merchant errors on an ongoing basis led to a lack of detailed review and a breakdown of the approval process. Control improvements could have minimized or prevented the fraud.<br><br></li><li>Functional oversight can identify suspicious activities. Without additional reviews from individuals not directly connected to employees, red flags may not be identified and the fraud may be allowed to continue in plain sight. In this case, the director’s “review” was not an effective internal control in detecting discrepancies. <br> <br></li><li>Standardized budget analyses of purchases coded to categories of consumable inventories can identify increases in purchases that do not have an apparent business need. This type of review was not conducted in this case. 
<br> <br></li><li>The use of electronic software and appropriate system access set-up could have ensured effective segregation of duties — in this case, for the initiation, approval, and reconciliation of purchases.</li></ul></td></tr></tbody></table> <p>The investigation found that Moore and Graham were colluding to manipulate the system. They created fictitious purchase requests for merchandise in the office’s electronic purchasing tracking system. The items were generally office consumables that would not be tracked by the department’s inventory control system. Moore and Graham created false documents, including receipts and invoices for monthly P-card statement approval. They manipulated the receipts to retain the vendor’s main information while adjusting the merchandise itemizations. In addition, they created false receiving documents and logged into the software to update the false purchases as received in the tracking system. </p><p>Actual items purchased consisted of electronic/IT merchandise sourced from various vendors. Moore and Graham collected the items and resold them online. The falsified receipts sometimes listed items that were no longer available from the vendor listed on the P-card statement. </p><p>Moore’s P-card statements were reviewed by a director who provided oversight for several university departments. The director, Emily Darrough, noticed that the merchant information on the monthly P-card statements often did not reconcile with the receipts provided for support. However, Darrough was under the impression that the statements’ vendor information was often inaccurate and did not further question those discrepancies. Because Moore reviewed and approved Graham’s P-card statements, they went unquestioned. </p><p>By circumventing multiple internal controls, the employees were able to conceal the fraud for many months. 
Because the university had single transaction limits and monthly purchasing limits on P-cards in place, the fraudsters had to get creative. Once the monthly purchase amount on Moore and Graham’s cards had been reached, Moore used her influence to coerce her subordinates into giving her their P-cards to make additional, supposedly legitimate, purchases for the university. Moore also had access to the P-card numbers issued to all employees within the department. She and Graham used these numbers, without the physical P-card, to make additional purchases in their scam. </p><p>A combination of the decentralized nature of the business culture and the manual nature of the purchase review process led to the standard practice of reviewing the monthly card statements and supporting receipts/invoices just once, with document retention left to the cardholder. This placed responsibility on the single supervisory review of the card’s monthly statements. In addition, random undisclosed reviews by internal audit and other oversight functions cannot occur with this type of document retention methodology, as the documents cannot be viewed without the cardholder’s knowledge.</p><p>After an investigation that lasted almost two years, Moore was sentenced to 24 months to 60 months in state prison. A separate case was filed for Graham for a lesser dollar value of fraud, but, to date, he has not been sentenced. In addition, Moore was ordered to pay $292,371 in restitution to the university.<br></p>
Emily E. Kidd
The CEO and Social Media
https://iaonline.theiia.org/2018/Pages/The-CEO-and-Social-Media.aspx
<p>In the U.S. Securities and Exchange Commission (SEC) fraud suit against Tesla Inc. CEO Elon Musk, the SEC alleged Musk issued "false and misleading" statements and failed to notify regulators of "material company events." <a href="https://www.cnbc.com/2018/10/11/reuters-america-update-6-ft-says-james-murdoch-in-line-for-tesla-chair-musk-reply-incorrect.html?&qsearchterm=Tesla" target="_blank">CNBC reports</a> that in August, Musk tweeted, "Am considering taking Tesla private at $420. Funding secured." The tweet sent Tesla stock spiraling for weeks. Among other remedies, the SEC wanted Musk barred from serving as an officer or director of a publicly traded company. On Oct. 10, the SEC, Tesla, and Musk submitted a joint filing with the U.S. District Court, Southern District of New York, in support of a settlement, claiming the terms were in the best interest of investors. According to the settlement, Musk must pay a $20 million fine, and step down as Tesla's chairman for three years. Although not charged with fraud, Tesla agreed to accept a $20 million fine.</p><h2>Lessons Learned</h2><p>Since early 2014, the SEC enforcement division has increased its focus on internal control-related cases. The charges brought against Musk clearly illustrate how the scope of the SEC's focus on internal control rules is much broader than the typical questions that surround the completeness and accuracy of financial reports. It also brings up new questions about the appropriate use of social media by corporate leaders.</p><p>Board chairmen, CEOs, and chief financial officers, along with other senior company officials, are considered "control persons" for purposes of liability under various securities laws and SEC rules enforcing those laws. As such, they possess certain responsibilities regarding internal controls, which the SEC takes very seriously. 
As in this article, the consequences for failure to meet these responsibilities can be severe. However, auditors and management can help put in place precautions to help prevent running afoul of SEC rules.  </p><ul><li>Developing, implementing, maintaining, and auditing/testing the effectiveness of a comprehensive set of internal controls is a fundamental requirement. There is considerable guidance available on this, including that which has been explicitly developed to reflect SEC requirements. One good example is The IIA's Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners. Internal controls clearly must address corporate governance, including communications — encompassing social media — regarding not only financial records and reports, but also business and investment related matters, past, current, and future.<br> </li><li>With particular regard to the circumstances surrounding Musk's use of social media, it is a little less clear what types of internal controls are required. In 2013, the SEC made clear that companies can use social media outlets like Facebook and Twitter to announce key information in compliance with Regulation Fair Disclosure so long as investors have been alerted about which social media will be used to disseminate such information. Netflix's CEO was investigated for a potentially improper release of a statement related to subscription sales, which in turn had an impact on the company's stock price, but the SEC did not pursue the matter. Presumably, Tesla has done its homework on this aspect. However, internal controls typically presume segregation of duties, but that can be quite powerless against a management override. It seems clear Musk did not consult anyone before musing on the possibility of taking Tesla private. </li></ul><p> </p><p>Short form social media vehicles such as Twitter and Facebook represent a convenient means of communications available to all. 
They also represent a modern fraud risk to be assessed and mitigated, including through social media policies, board director training, and performance monitoring. </p>
Art Stewart
Taking the City for a Ride
https://iaonline.theiia.org/2018/Pages/Taking-the-City-for-a-Ride.aspx
<p>The former head of the Phoenix area's transit service has pleaded guilty to fraud charges of misusing public funds for personal purposes, <a href="https://www.azcentral.com/story/news/local/phoenix/2018/09/10/ex-valley-metro-ceo-stephen-banta-pleads-guilty-fraud-after-republic-inquiry/1249374002/"><em>The Arizona Republic</em> reports</a>. The plea comes three years after <em>The Republic</em>'s 2015 investigation alleged that then-Valley Metro CEO Stephen Banta spent public funds for first-class air travel and dinners. The state auditor general and attorney general allege that the amount of funds was more than $32,000. Moreover, a 2015 city of Phoenix audit found $315,000 in "questionable expenses" by Banta and the Valley Metro staff. The plea deal calls for Banta to serve one year of probation, but he could be sentenced to up to one year in prison and ordered to pay a $150,000 fine.</p><p><strong>Lessons Learned</strong></p><p>An effective combination of investigative journalism and internal auditing by the Phoenix city auditor has uncovered flagrant abuse and fraud involving several hundreds of thousands of dollars in travel, business and relocation expenses, and other benefits received by former CEO Stephen Banta. <a href="https://drive.google.com/viewerng/viewer?url=http://archive.azcentral.com/persistent/icimages/watchdog/valleymetroaudit04282016.pdf">The auditors' report</a> (PDF) contains several appropriate recommendations concerning major control weaknesses in Valley Metro's management of travel and business expenses that should help address and prevent future such occurrences. 
Here are the most important ones, along with some additional suggestions.</p><p><strong>Governance review.</strong> There should be a thorough review and adjustment, where necessary, of  Valley Metro's board governance and accountability regime along with its control framework and policies. This is particularly necessary as it relates to ethics, the performance of board directors and executives, executive compensation, and controls over executive travel and benefits activities. Note that the internal auditors found that Banta and several other employees were in violation of several policies. This would be an opportunity to remedy several gaps found by internal auditors, including:</p><ul><li><span style="font-size:12px;">Specific language and compliance monitoring to ensure coverage of all executives by ethics and travel/business expense policies. For example, the agency had an ethics policy, but no one ensured that the CEO signed it.</span><br></li><li><span style="font-size:12px;">Increasing rigor in segregation of duties over approvals of travel and business expenses to prevent cronyism. Two senior staff members working directly for Banta authorized $115,000 in additional pay so he could avoid paying taxes on relocation travel expenses.</span><br></li><li><span style="font-size:12px;">Enforcement of requirements to provide documentation before and after approvals. The organization also should ensure that compliance with allowable persons and maximums of travel, relocation, and business expenses are enforced. One particular example of the former is that Banta and staff did not comply with policy requirements to submit itemized receipts for meals, including those they had together. This resulted in questionable dining expenses, which were wasteful and represented preferential treatment or a conflict of interest. An example of the latter is that Banta flew first class and paid higher hotel room rates than allowed. 
He also misused travel expenses by registering his wife and unidentified guests at conferences, traveling for no business purpose, or having no documentation. Furthermore, Banta and his wife took more than 50 relocation-related trips between Phoenix and Portland, Ore., where they had another home.</span><br></li><li><span style="font-size:12px;">Written policies and procedures regarding the process of awarding bonus pay. This gap resulted in overpayments to </span><span style="font-size:12px;">Banta.</span><br></li></ul><p><span style="font-size:12px;"><strong>Vacation and leave policy. </strong>Vacation and other types of leave policies must be consistently enforced for all employees, including executives. Banta took at least 50 days off and did not count it as vacation time, but no one challenged this. Similarly, all employees should account for all absences from the office. Banta went golfing many times during the workday, and most of the outings were found to not have a business purpose. <br></span></p><p><span style="font-size:12px;"></span><strong style="font-size:12px;">Board performance reviews.</strong><span style="font-size:12px;"> Regular and transparent reviews of board and executive performance are also essential. In this story, it appears that the performance of the chief financial officer, who approved many of Banta's questionable expenses, went unnoticed for too long.</span></p>
Art Stewart
AML Negligence Proves Costly
https://iaonline.theiia.org/2018/Pages/AML-Negligence-Proves-Costly.aspx
<p>Netherlands-based bank ING is paying for lax anti-fraud measures, <a href="https://www.bbc.com/news/business-45406007" target="_blank"> <span style="text-decoration:underline;">the BBC reports</span></a>. The bank agreed to pay €775 million in fines after Dutch investigators found that errors in its policies failed to stop financial crimes. Investigators said "collective shortcomings" by management enabled customers to use their accounts for money laundering and other frauds between 2010 and 2016. </p><h2>Lessons Learned</h2><p>This story involving ING illustrates that it is vigilance and diligence that are needed to fight criminal activity, not negligence. It also is important to remember the dire consequences of such negligence: the link between money laundering and terrorist financing of terrible events such as the 9/11 attacks.</p><p>So much has been written about money laundering and how to detect and avoid it. Internal auditors should consider some recent leading practices in anti-money laundering (AML) when providing assurance on the adequacy and reliability of AML regimes.</p><p>First, most large multinational financial institutions, including ING, are covered by tough AML legislative and regulatory requirements. For example, the Dutch government has kept pace with European Union directives by adopting requirements for banks to conduct an AML risk analysis. It also has established detailed rules and authorities for banks to require specific ownership information about accounts and money. These rules carry the threat of sizeable financial penalties or even withdrawal of licensing to operate.</p><p>Most large banks face significant challenges in succeeding in the fight against money laundering. Most rely on legacy compliance processes to fight financial crimes that have grown so complex as to be barely manageable. 
Multiple iterations, multiple handovers, and too many manually controlled processes prevent banks from maintaining effective compliance systems. </p><p>This complexity has led to greater operational risks. Ironically, several large fines have resulted in part from the need for banks to spend time investigating what turned out to be false alarms or to escalate a decision about a potential problem to higher levels of management.</p><p>Four areas of leading practice for auditors to pay attention to are:<strong><br></strong></p><ul><li> <strong>An experienced, well-trained financial intelligence unit to analyze AML reports and data.</strong> If banks staff transaction-monitoring processes with inexperienced employees — especially when dealing with foreign or multi-country transactions — the amount of investigative effort will continue to increase. This could lead the bank to either emphasize risk reduction over efficiency, or the reverse — miss risks and the root causes of problems in more complex cases.<br><br>The financial intelligence unit also needs the authority and capacity to communicate frequently among other teams, such as due diligence analysts and transaction-monitoring teams. Moreover, the unit should release information to intelligence and law enforcement agencies when appropriate.<br><br> </li><li> <strong>A</strong><strong> streamlined, end-to-end AML compliance </strong> <strong>process.</strong> Banks have better AML results when they review their processes to define the desired future state of compliance, identify the gap between the future and current states, and mobilize the organization to redesign processes. To do this, some banks use a start-from-scratch view to set the baseline for compliance activities and roles, rather than starting from existing activities. <br> <br>An integrated AML compliance process can help address other dilemmas, such as when compliance questions are not aligned with regulatory objectives. 
Banks also can link the process to a system that would provide a better understanding of clients.<br> </li><li> <strong>A single source for all compliance processes.</strong> This source should consist of internal structured data that goes through a rules-based cleanup and is integrated into a database. That data should be enhanced with unstructured and external data such as text, voice, and pictures, some of which may come from web pages and search-engine results. Predefined algorithms then would process and score the data for relevance. <br> <br>This approach contrasts with the fragmented, siloed nature of many current compliance processes that require frequent manual interventions and delays. Low-quality and unstructured data resides within most banks without being fully integrated. This situation creates difficulties with client reference data and documentation sharing, as well as data extraction or aggregation from flawed databases. <br> <br>When data quality suffers, so does the quality of the compliance process. The rigidity of hard-coded monitoring algorithms makes it difficult to adjust for policy changes or client behaviors that drive up the volume of investigations, resulting in high false-positive rates.<br> </li><li> <strong>Advanced analytics and algorithms. </strong>Artificial intelligence increasingly uses enhanced databases to support a proactive compliance model. Human intervention remains valuable where machines cannot make better decisions. However, a growing number of tasks blend machines and people — data collection and analysis by the former; assessment of unclear data points by the latter. <br> <br>Regulatory technology companies may provide expertise to assist banks, ranging from know-your-customer or AML specialists, to customer on-boarding and workflow process services. These partnerships have their own risks, including knowledge transfer complexities and business/customer data privacy considerations. </li></ul>
Art Stewart
The Slice and Dice Fraud
https://iaonline.theiia.org/2018/Pages/The-Slice-and-Dice-Fraud.aspx
<p>Hanzo Enterprises was a global operation that produced fine cutlery for sophisticated consumers. While assisting government authorities during a routine tax audit, the Asia-Pacific controller, Jane O'Ren, discovered that company policies on the retention of support documentation for invoices were not being followed and details behind these invoices were raising red flags. O'Ren soon determined that the exceptions were related to invoices processed by the Okinawa location controller, Bill Tripp. However, Tripp had left the company during a downsizing process more than a year earlier.</p><p>O'Ren reached out to Tripp via email to ask about the invoices in question. Tripp responded almost immediately, apologized, and indicated he would take care of it. He later sent a payment of $10,000. During the intervening time, O'Ren felt a knot forming in the pit of her stomach and reached out to Hanzo's chief financial officer, Brad Gates, about what she'd found. Gates listened and determined legal and internal audit needed to be contacted. Beatrix Hales, Hanzo's new chief audit executive (CAE), was subsequently asked to meet with corporate counsel to discuss the situation. </p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> <strong>Lessons Learned</strong><br> <ul><li>Hanzo Enterprises didn’t perform a fraud risk assessment, relying instead on its enterprise risk assessment, which allowed potential red-flag situations to go unaddressed.</li><li>Internal audit was structured to focus on Sarbanes-Oxley compliance, allowing attention to nonmaterial operations to slip. 
In essence, the third line of defense had governance failures.</li><li>Budget analyses were not performed at an appropriate level of detail to note excessive spending around renovations that were taking place at the subsidiary during Tripp’s tenure, and to question such.</li><li>Tripp’s fraudulent activity could have been detected earlier, or even prevented, if the review controls, such as invoice reviews, in place were executed appropriately.</li><li>Controls that were missing at the Okinawa location, including secondary review, segregation of duties, and exception reporting, were validated or implemented at all locations that were previously included within the scope of Sarbanes-Oxley controls testing.</li><li>Hanzo’s detective controls over third-party service providers, such as its third-party payroll provider, did not include validation of transmitted files by an individual independent of the process, so Tripp was able to easily manipulate the system. </li><li>Detective controls also were not in place to ensure the approved payment register tied — in vendor name and payment amount — to the actual bank payment register, allowing Tripp to alter payment amounts and create vendors.</li><li>Due diligence efforts during the hiring process were insufficient given the importance of the controller position and its breadth of responsibility. Because Hanzo Enterprises did not conduct due diligence during the new-hire process, it didn’t know that Tripp was a career criminal. Japan had strict privacy guidelines, but there were ways to ask the right questions to validate a candidate’s responses with governing agencies and that was not done. Had Hanzo followed through and confirmed the candidate’s background, it would have learned of Tripp’s past.</li></ul></td></tr></tbody></table> <p>After the meeting, a course of action was determined. The invoices at the Okinawa office needed to be reviewed for anomalies, discrepancies, support, and payment trails. 
Okinawa was a small operation and had not been included within the scope of U.S. Sarbanes-Oxley Act of 2002 controls testing. In fact, internal audit's focus had been primarily Sarbanes-Oxley testing at larger, in-scope locations, so it had not covered small operations globally. </p><p>The chief financial officer, internal audit, and corporate counsel selected a third-party firm based on language skills necessary to review and translate documents. Hales made sure the external auditors were kept informed of the progress of the review as the discovery was close to the completion of the company's quarterly financials. </p><p>The review started with invoices from the Okinawa operation to ensure issues weren't prevalent in other locations. The invoice review soon spread to human resources (HR) and payroll once it revealed that Tripp had wide control on that side of the operation, as well. The scope of the issues grew exponentially as the review proceeded, but internal audit and the third-party team were able to determine the issues were confined to the Okinawa operation.</p><p>The fraud review identified numerous control deficiencies that allowed Tripp to carry out different methods of theft. In the small operation, Tripp was the only person in charge of financial operations and HR. As such, he took advantage of his position in several ways.</p><p>As the Okinawa controller, Tripp was the only approver of invoices. The biweekly check run was sent as a file with supporting invoices to O'Ren for approval. Invoice review was not done at a level of precision to detect anomalies or even glaring fraudulent activity. Some paid invoices were for items Tripp purchased for his personal property or services provided.</p><p>Once the check run was approved, Tripp would log into the online bank account and change payment recipients. In many cases, payments were being sent to Tripp's credit card companies. He also easily created false vendors by editing the vendor master list. 
He was able to do both of these things without a requirement of secondary review.</p><p>Tripp also was in charge of the third-party payroll service interface and added extra funding to the file to get additional pay or expenses reimbursed without the requirement of secondary review. Lastly, he manipulated the funds sent to the company's pension administrator by convincing her to not only return erroneous overpayments, but to return them to an account different than the source — his own personal account. </p><p>The fraud review determined that over two years, Tripp stole more than $1 million. The efforts made by Hales to keep the audit committee and external auditors informed via status calls and check-ins kept worries at a minimum during the six-week investigation, and the interaction between legal and external audit helped build cooperation and coordination. Legal found that Hanzo's insurance policy had provisions for loss due to fraud, so the company was able to file a claim for most of the losses.</p><p>Oddly, Tripp cooperated during the fraud review, answering questions and admitting guilt whenever presented with proof. Authorities arrested Tripp and his wife, who also had a criminal past, and confiscated cash, property, and vehicles. <br></p>
Michael McShea
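<p>The detective control named in the lessons above, tying the approved payment register to the bank's payment register by vendor name and payment amount, sketched here as an added example that is not part of the original article or of any Hanzo system. The CSV layout, the payment_id key, and every vendor name and amount are constructed assumptions.</p>

```python
"""Tie an approved payment register to the bank's payment register.

All data below is constructed for illustration; the column names and the
payment_id key are assumptions, not taken from any real system.
"""
import csv
import io
import re
from decimal import Decimal

# Constructed sample: the check run as approved by the regional controller.
APPROVED_CSV = """payment_id,vendor,amount
P-1001,Acme Steel Supply K.K.,12500.00
P-1002,Example Logistics,4310.50
P-1003,Sample Packaging Co.,980.00
P-1004,Demo Facilities Ltd,2200.00
"""

# Constructed sample: what the bank reports as actually paid.
BANK_CSV = """payment_id,payee,amount
P-1001,ACME STEEL SUPPLY K.K.,12500.00
P-1002,Card Issuer Payments,4310.50
P-1003,Sample Packaging Co.,1980.00
P-1005,Unlisted Renovations,7600.00
"""

# Constructed sample: vendor master as last signed off by someone
# independent of the person who edits it.
VENDOR_MASTER = {"Acme Steel Supply K.K.", "Example Logistics",
                 "Sample Packaging Co.", "Demo Facilities Ltd"}


def normalise(name):
    """Case-fold and collapse punctuation/spacing so cosmetic differences
    between the two systems do not raise false alarms."""
    return re.sub(r"[^a-z0-9]+", " ", name.casefold()).strip()


def load(text, name_field):
    """Parse a register into {payment_id: (name, Decimal amount)}."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        rows[row["payment_id"].strip()] = (row[name_field].strip(),
                                           Decimal(row["amount"]))
    return rows


def reconcile(approved, bank, vendor_master):
    """Return a sorted list of (payment_id, issue, detail) exceptions."""
    known = {normalise(v) for v in vendor_master}
    exceptions = []
    for pid, (payee, paid) in bank.items():
        if normalise(payee) not in known:
            exceptions.append((pid, "PAYEE_NOT_IN_VENDOR_MASTER", payee))
        if pid not in approved:
            exceptions.append((pid, "PAID_WITHOUT_APPROVAL", f"{payee} {paid}"))
            continue
        vendor, amount = approved[pid]
        if normalise(vendor) != normalise(payee):
            exceptions.append((pid, "PAYEE_CHANGED", f"{vendor} -> {payee}"))
        if amount != paid:
            exceptions.append((pid, "AMOUNT_CHANGED", f"{amount} -> {paid}"))
    # Approved items the bank never paid are worth a look as well.
    for pid in approved.keys() - bank.keys():
        exceptions.append((pid, "APPROVED_NOT_PAID", approved[pid][0]))
    return sorted(exceptions)


def run_sample():
    """Reconcile the constructed registers above."""
    return reconcile(load(APPROVED_CSV, "vendor"),
                     load(BANK_CSV, "payee"), VENDOR_MASTER)


if __name__ == "__main__":
    for pid, issue, detail in run_sample():
        print(f"{pid}  {issue:<28} {detail}")
```

<p>The check only has value if the bank register is pulled directly from the bank by someone other than the person who releases payments.</p>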
