The Light Paychecks<p><a href="" target="_blank">An investigation</a> by the Australian Broadcasting Corp.'s <em>Four Corners</em> program has found that 7-Eleven Australia franchisees have systematically underpaid their store employees by submitting false time sheets that underreported the number of hours they actually had worked, among other methods. According to the <em><a href="" target="_blank">Herald Sun</a></em>, the company, which owns the Australian license for the convenience store chain, conducted its own review of 225 franchises and found 69 percent of stores had payroll compliance issues, including falsified records. Franchisees withheld holiday pay, paid employees as little as AU$10 an hour (US$7.02) — the employee wage was AU$24 an hour (US$16.86) — and confiscated an employee's passport and driver's license. 7-Eleven Australia Chairman Russ Withers has vowed to reimburse all shortchanged employees.</p><h2>Lessons Learned</h2><p>I wrote about time theft by employees in an <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=3da8278f-5ca0-4c59-810a-c3113aec7149&TermSetId=bb519a46-9cdb-4e10-8446-505034f60087&TermId=93860d42-cf0b-4a3d-a7b1-048b31107c22">earlier column</a>, so it is fitting that we now have an opportunity to see how time theft fraud can be perpetrated by the employer. Here are some audit recommendations that could help to deter and prevent the kind of fraudulent activity found at 7-Eleven Australia. 
A key theme in these recommendations is to ensure that the head office has the means to know what is going on in a franchise environment and is held accountable for how it deals with balancing profitability, efficiency, and fraudulent activity.</p><ul style="list-style-type:disc;"><li> <strong>Implement a modern, efficient, and readily monitored time management system.</strong> Closed-circuit TV as a basis for time management appears to be quite a 1990s solution, yet that is how 7-Eleven Australia monitored payroll activities at its stores. In 2015, there are numerous cost-effective, software-based solutions that enable employees to clock in and out from traditional time clocks, any computer with Internet access, mobile devices, or telephones. Time clocks are cloud-based and can be configured to record information in a variety of ways, including through fingerprints, magnetic strips, bar codes, proximity badges, and touch screens. All of the data is automatically and immediately transferred as soon as employees clock in or out, which saves the employer the work of getting the times in and out of video. More importantly, these solutions easily can be networked so that the head office has fast and accurate access to the data.</li></ul><ul style="list-style-type:disc;"><li> <strong>Establish and monitor an effective whistleblower program, along with a "no reprisals" policy.</strong> The various news stories about this fraud show that a local citizen became concerned about the potential payroll abuse of foreign worker employees on visas and became an advocate and an important factor in uncovering the 7-Eleven Australia fraud. But a large number of these employees expressed deep concern that if they came forward, they would face reprisals including firing and deportation. 
A corporate whistleblower program, established and enforced by head office, that includes mechanisms for local franchise employees to report abuses to a neutral central office would help to counteract employee concerns about reprisals and catch fraudulent activity earlier.</li></ul><ul style="list-style-type:disc;"><li> <strong>Raise the stakes with regard to deterring fraud and increase the consequences of getting caught. </strong>It is clear in this case that there is a long-term systemic problem that needs to be addressed. Australian Fair Work Ombudsman investigations going back as far as 2009 have found numerous violations. With regard to materiality, one franchisee was found to have underpaid four workers almost AU$90,000 (US$62,915) over four years. The Melbourne Magistrates Court penalized that franchisee AU$150,000 (US$104,858) in 2011, but even that is a relatively small amount compared to the kinds of revenues and profits 7-Eleven Australia creates regularly. And, certainly fines and penalties should strike an effective balance between franchise profitability/survival and consequences for violations. However, given that 7-Eleven Australia operates within a corporate franchise business model that relies on an overall franchise agreement — which it claims cannot be altered once signed — perhaps bigger fines and penalties should be assigned to head office as an incentive for positive change. Certainly, 7-Eleven Australia at least should be encouraged to change its franchise agreements going forward so that franchisees who systematically commit fraud lose their license. The company has claimed it did not have the necessary information to either report or deal with franchisee violations, so an appropriate remedial measure would be to require head office reporting to regulators of all franchise violations, at least until the systemic problems are addressed. 
</li></ul><ul style="list-style-type:disc;"><li> <strong>Finally, governments need to regularly review labor laws, along with the roles, powers, and enforcement mechanisms available to regulators. </strong>That seems to be happening in Australia now. To that I would add that this kind of fraud is a problem requiring international cooperation and alignment, given how many countries 7-Eleven operates in. 7-Eleven itself, or governments if necessary, should review and act upon knowledge of the state of franchise theft from employees in all of the countries in which it operates.</li></ul>Art Stewart
Volkswagen Scandal: The Undoing of a Corporate Icon<p><span style="line-height:1.6;">My first car was a used 1967 Volkswagen Beetle. It was a great little "starter" car, but only a couple of months after I bought it, the car was stolen. Last week, I relived that loss when Volkswagen was stolen from all of us.</span></p><p>The venerable automaker's shocking admission that it developed and installed software designed to circumvent U.S. emissions rules will forever change how the company is perceived by the public. The phrase "German engineering," once synonymous with quality, will now be the butt of jokes on late-night talk shows.</p><p>What's more, the scandal once again raises serious questions about the inner workings, and possibly ethical practices, of a respected corporation. As with FIFA, Hertz, and Toshiba, we can expect details of this debacle to trickle out in a painful and public unveiling of failure in corporate culture.</p><p>It remains to be seen how pervasive the scheme was to make Volkswagen's diesel vehicles appear to run cleaner in emissions tests than they do on the road. But one thing is perfectly and immediately clear: This is an extraordinary example of how a company's reputation, particularly one built over many decades, can be severely damaged — if not decimated — in mere days.</p><p>Already, Volkswagen has seen the resignation of its CEO against the backdrop of criminal and U.S. Environmental Protection Agency investigations, which could lead conservatively to fines of as much as US $18 billion. The company already announced it would take a charge to earnings topping US $7 billion. Not surprisingly, Volkswagen's stock price has plummeted.</p><p>On the horizon, one can expect to see lawsuits from car owners, shareholders, and others directly and indirectly affected by Volkswagen's actions. And one thing is certain: the impact won't be limited to Volkswagen. 
Like a devastating tsunami after an earthquake, the scandal's ripple effect already is striking stock prices of other automakers and parts suppliers.</p><p>The fallout conceivably could spread to other consumer sectors, where claims about product performance or quality will understandably be viewed more cynically. Is gluten-free really free of glutens? </p><p>Ultimately, the consequences of this misdeed might topple the world's second largest car company, according to some analysts. Whether Volkswagen can survive the storm, from an internal audit perspective, the scandal must be placed at the catastrophic end of the risk spectrum.</p><p>It remains to be seen if Volkswagen's top managers knew about the scheme or contemplated the risk of its discovery. But the lesson for internal audit is that virtually all risk carries a component of potential reputational damage to the organization. In the case of Volkswagen and many other failures of iconic companies, it would seem unimaginable that management or the internal audit function would condone potentially criminal behavior in support of boosting the company's value. The risks associated with such behavior — reputational, share value, corruption, fraud, corporate culture — are unacceptable to me, and presumably unacceptable to most shareholders and consumers. </p><p>This brings up another lesson to be drawn from the Volkswagen episode: Internal auditors must be keenly aware of the pressures associated with performance within their organizations. In a nutshell, they must understand that what gets measured/rewarded also can get manipulated.</p><p>Whether it's about profits, bonuses, or reducing the emission of nitrogen dioxide, internal audit must be attuned to pressures that management, regulators, or stakeholders place on measurable metrics. 
Typically, this is where an organization is most vulnerable to bending or breaking the rules.</p><p>I am encouraged by the comments of new Volkswagen CEO Matthias Müller upon his being named to the top post. Müller, who worked his way up the corporate ladder over a 38-year career that began with Audi, a unit of Volkswagen, said winning back trust is his most urgent task. He promised to accomplish this, "by leaving no stone unturned and with maximum transparency, as well as drawing the right conclusions from the current situation."</p><p>It will be a good first test for Müller to see if he can truly determine whether creation of the emissions "defeat device" was an isolated instance of overzealous engineers succumbing to compliance pressures — or a product of a broader corporate culture willing to do anything to achieve results. </p>Richard Chambers
Ignoring Red Flags<p>The U.S. Securities and Exchange Commission (SEC) announced fraud charges against the former chairman and two former CEOs of staffing firm General Employment Enterprises, as well as audit firm BDO. According to the <a href="" target="_blank">FCPA Blog</a>, General Employment told BDO during a 2009 audit that its bank had not repaid the company when a US$2.3 million nonrenewable certificate of deposit (CD) matured — the amount represented about half of the company's assets at the time. Despite an investigation that received conflicting reports from management and board members about the CD's status, BDO issued unqualified opinions on the company's financial statements for 2009 and 2010. The SEC alleges that during this time General Employment's board chairman, Mike Pence, acted as an agent of Wilber Huff, who had funded Pence's acquisition of a controlling stake in the company, in exchange for US$500,000. Huff was sentenced in June to 12 years in prison for bribery and fraud, including receiving the money purportedly used to purchase the CD. The SEC charged BDO with ignoring red flags and issuing false and misleading audit opinions. BDO has admitted to wrongdoing and settled with the SEC. The case against Pence is ongoing.</p><h2>Lessons Learned</h2><p>This story offers many lessons for auditors, audit firms, businesses, and banks. The most interesting aspect of this story is the role of the audit firm, BDO, in enabling fraud by ignoring the standards for audit opinions established by the U.S. Public Company Accounting Oversight Board (PCAOB), as well as the breadth and depth of sanctions imposed by the SEC as a consequence.</p><p>The SEC's <a href="" target="_blank">administrative cease and desist order</a> (PDF) contains numerous constructive "dos and don'ts" to which I add a few of my own. 
The SEC's judgment can be summarized as follows: "BDO's conduct in the 2009 and 2010 audits of [General Employment] involved repeated instances of unreasonable conduct, each resulting in violations of PCAOB standards and indicating a lack of competence, and also satisfies the standard of highly unreasonable conduct resulting in violations of PCAOB standards in circumstances in which heightened scrutiny was warranted." </p><p>What should have happened, but didn't, is instructive to auditors in similar situations before issuing unqualified audit opinions on financial statements. These include: </p><ul><li>Full disclosure of source documents such as bank statements showing the flow of funds from the closing of special or unusual transactions through the date the funds were fully transferred, including for any related third-party situations. Although General Employment told BDO that the amount in the CD wasn't repaid by the bank upon the maturity date, the company eventually received a series of deposits totaling US$2.3 million from three entities unaffiliated with the bank. BDO never received "reasonable and coherent explanations" about why the US$2.3 million went missing and why an equivalent amount was later wired to the company under suspicious circumstances.</li><li>Explanation of why the funds in the above situation were being transferred from entities other than those expected or defined in financial relationships with the company. 
</li><li>Agreement that a meeting with officials at these other entities may be requested to corroborate this documentation, and to understand the nature of the transaction.</li><li>A written report by management or others to fully explain the circumstances surrounding what steps management took to gain its understanding of what transpired.</li></ul><p>What should not have happened, and are definite "red flags," include:</p><ul style="list-style-type:disc;"><li>The company CEO signing off on financial statements, rather than the treasurer, and indications that the treasurer was either unaware or not in agreement.</li><li>Allowing the company to hold an audit committee meeting where BDO was prevented from being present for the discussion of the irregular financial transaction, on the recommendation of the company's general counsel and one audit committee member.</li><li>The external auditor wavering on its responsibility to clearly interpret and adhere to audit standards. Despite the existence of multiple, unanswered questions, BDO ultimately agreed to drop its demand for an independent investigation, based on the rationale that the audit committee chair, who had initially supported the independent investigation, no longer believed that it was required. Moreover, the firm reasoned that a new CEO — in whom BDO apparently had confidence — had replaced the former one who had been involved in several dubious actions. As cited in the <a href="" target="_blank">SEC judgment</a> (PDF, Paragraph 86), "PCAOB standards require auditors to exercise due professional care in the planning and performance of the audit and the preparation of the report. Auditors must maintain an attitude of professional skepticism, which includes 'a questioning mind and a critical assessment of audit evidence.' In addition, the auditor should 'consider the competency and sufficiency of the evidence.' 
Since evidence is gathered and evaluated throughout the audit, professional skepticism should be exercised throughout the audit process. The commission and courts have held that related-party transactions require heightened scrutiny."</li></ul><p>Finally, the question of effective deterrence measures in cases where the auditor has failed to meet standards and expectations is particularly important. It's noteworthy that the SEC, in addition to imposing suspensions and fines of more than US$2 million, has ordered BDO to complete several actions, such as: </p><ul><li>Completing a review of the sufficiency and adequacy of BDO's quality controls set forth in its audit manual, including its policies and procedures for audit and interim reviews. </li><li>Submitting a report to the SEC, signed by its CEO, on changes resulting from that review.</li><li>Hiring an independent consultant to review whether BDO's policies are adequate and sufficient to provide reasonable assurance of compliance with all relevant SEC regulations and PCAOB standards and rules. </li><li>Providing audit training to all BDO audit professionals who serve on public company audits that covers potential illegal acts and Section 10A of the Exchange Act, identification and disclosure of related-party transactions, and fraud detection.</li><li>Annually certifying that BDO has assessed whether the firm's policies are adequate and sufficient to provide reasonable assurance of compliance with all relevant SEC regulations and PCAOB standards and rules by testing the firm's implementation of BDO's policies, among other things.</li></ul><p>Are these enough to deter BDO and other audit firms from engaging in similar behavior in the future? Perhaps. For example, Canadian courts currently are looking at imposing a penalty on SNC Lavalin for bribery and corruption infractions that would see the company banned from bidding on public contracts for 10 years. 
Also, although the General Employment case involves an external auditor, I wonder what might happen if an internal auditor or organization were facing revocation of its certification in comparable circumstances or what other sanctions might be involved. What do you think?</p>Art Stewart
Bribes for Tech<p>The <a href="" target="_blank">IT Pro Portal website</a> reports that a former SAP executive has pleaded guilty to bribing government officials in Panama to win technology contracts for the German software company. According to the U.S. Department of Justice, Vicente Eduardo Garcia, former vice president of global and strategic accounts, paid US$145,000 in bribes to one Panamanian official and promised bribes to two other officials to influence the country's social security agency to purchase US$14.5 million in technology from an SAP reseller based in Panama. Moreover, Garcia admitted to setting up a slush fund that enabled the reseller to purchase software from SAP at a steep discount and then sell the software for a higher profit. In addition to the DOJ charges, Garcia has agreed to a settlement with the U.S. Securities and Exchange Commission in which he will pay back US$85,965 in profits that he gained from the scheme.</p><h2>Lessons Learned</h2><p>Most large international organizations, in an effort to prevent bribery, corruption, and the contravention of the growing number of anti-corruption laws such as the U.S. Foreign Corrupt Practices Act (FCPA), have made significant investments to establish ethics and compliance programs. 
These programs typically include:</p><ul><li>Creating the position of chief compliance officer, who reports to the board of directors.</li><li>Appointing compliance officers in all of the organization's business units and regional offices worldwide.</li><li>Establishing a dedicated ethics and compliance team.</li><li>Strengthening internal controls and procedures, especially in areas susceptible to manipulation in a bribery or corruption scheme.</li><li>Implementing a code of ethics and an ethics and compliance hotline.</li><li>Producing a dedicated anti-corruption manual.</li><li>Conducting annual compliance training for all employees, along with a special focus on those working in strategic roles.</li><li>Performing periodic audits of compliance and assessments of the adequacy of controls in key areas. </li></ul><p>The DOJ and SEC websites show an ever-growing list of large international companies and executives that have been charged with FCPA violations. The Garcia case raises several concerns for organizations:</p><ul><li>A senior SAP vice president, in a 2013 <a href="" target="_blank">article</a>, declared, "Compliance programs like the SAP Governance, Risk, and Compliance solution should be a company's first line of defense, especially considering that many employees aren't even aware they are breaking the law. Nevertheless, when it comes to FCPA compliance, the buck stops with you: your organization, your employees, your compliance program." That's well stated, if a little ironic given this case. It also highlights the fact that companies that sell computer hardware, software, or other technology solutions are just as likely to receive scrutiny for FCPA violations as any other type of company, and they should be prepared to demonstrate they have a good grasp on this fraud problem. <br></li></ul><ul><li>More generally, boards of directors and executive suites should be particularly attentive. 
Most FCPA cases involve charges against companies, not individuals. While it appears that the DOJ organized its case against Garcia on the premise that he deliberately circumvented SAP's internal controls, the DOJ and SEC have not declared whether they will pursue charges against the company. Corporate culture and standards of business practices are critical factors in setting expectations for ethical behavior, and when a high-level official commits a fraudulent act, it would be fair to assess whether those factors were a systemic influence.<br></li></ul><ul><li>At a minimum, bribery and corruption is a high-risk category for companies doing business in foreign countries, and a continuous review of internal controls, effective monitoring, and regular audit work should be a priority focus. The role of third parties, such as consultants, agents, channel partners, and distributors, in the conduct of sales and financial transactions is a particularly high risk deserving attention. Indeed, the DOJ and SEC have identified the use of third parties as a significant factor in most of their cases.<br></li></ul><ul><li>In the Garcia case, it's hard to accept that for more than four years sham contracts and false invoices were used to disguise bribes and that a slush fund was used to sell software to a reseller at an 82 percent discount without raising a red flag. The standard for robust third-party due diligence needs to keep evolving as part of an organization's compliance program. That should include strengthened controls over executive delegations of financial authority, financial funding structures, onboarding, third-party background checks, and monitoring processes, as well as attention from the organization's CAE when the topics of fraud and risk assessments are discussed.</li></ul>Art Stewart
A Matter of Life and Death<p>Tina Graham had worked as a records clerk in the county clerk’s office for two years. She was primarily responsible for processing applications for birth and death certificates. When the office’s senior clerk left for another job, Graham’s subsequent promotion to the position provided the opportunity that she needed to embezzle nearly US$10,000 in fees paid for copies of birth and death certificates.<br></p><p>To obtain a copy of either a birth or a death certificate, individuals would complete and submit an application and a processing and copy fee. The payment was supposed to be receipted at the time the application was processed. The receipts were written in duplicate form, with the original going to the person submitting the application and the duplicate left in the receipt book as support for the payment received. Receipts were summarized weekly or more often if a large number of payments had been collected. A summary sheet of the payments was prepared and taken to the Treasurer’s Office, along with the cash and checks to be deposited in the bank. The Treasurer’s Office did not normally verify receipt numbers when accepting the deposits.<br></p><p>The county clerk’s office was small, had little or no segregation of duties, and had lax internal controls. This combination allowed Graham to easily void receipts and keep cash fees paid by customers. In some cases, Graham would write receipts for customers, give them a copy for their records, void the receipt copy — leaving it intact in the receipt book — and pocket the money. In other instances, she would write receipts for customers, give them a copy for their records, and then shred or otherwise destroy the original and keep the money. Sometimes she pocketed the money without preparing a receipt at all. 
In these cases, she also destroyed the birth or death certificate application so it wouldn’t be as obvious that the money was missing.<br></p><p>Because of poor performance on the job unrelated to the then-unknown embezzlement, Graham was eventually demoted to receptionist after having served as the senior clerk for only six months. While she no longer had primary responsibility for processing applications and receipting payments, she did occasionally do so while the new senior clerk, Molly Roper, was on lunch break or out sick. Again, this opportunity gave her access to cash. One day, upon returning from lunch, Roper noticed a birth certificate application on Graham’s desk. When she returned to her office, Roper expected to see a receipt for the money that would have been paid when the application was accepted. The receipt book was on her desk, but there was not a new receipt written in it. Roper then checked the cash drawer but found no additional money in it. Thinking Graham had not had time to write the receipt, she took the receipt book to her to complete the process. Receipts were supposed to be written while applicants were still in the office, and a copy was supposed to be given to them. Graham explained that the woman completing the application said her husband had cancer and could not work and they were barely getting by, so she let the woman submit the application without a payment. While Roper sympathized with the situation, she knew it was not their right to accept applications without payment. She returned to her office and called Barbara Jameson, the county clerk and her boss, who was at a training event.  <br></p><p>When Jameson returned to the office the next day she discussed the situation with Roper and then asked Graham about it. Jameson and Roper then played the tape from the office surveillance camera. Fortunately, the tape included both video and audio. 
In reviewing the tape, they noticed that the woman who Graham claimed she had not charged actually did hand her cash with her application. In addition, it was clear from the audio that she never mentioned anyone having cancer and not being able to pay. In addition to the suspicions generated from the missing payment, the review of the video made Jameson consider the possibility that this might not be a one-time situation. Graham was again called into Jameson’s office where she denied any wrongdoing. When Jameson told her that they had the tape, Graham refused to discuss the issue further. She was immediately put on suspension without pay while the county auditor and Jameson investigated. The investigation revealed the multiple ways Graham embezzled from the office and how she altered or destroyed the source documents:<br></p><ol><li>Receipts were never written for some cash payments although applications were processed, which was verified by checking all the applications and reviewing the receipt book for the applicant’s related payment.</li><li>Receipts were written for cash payments and then later voided even though the applications were processed, which also was verified by checking the applications and comparing them to the receipt book. Most of the receipts that had been marked “void” had related applications that had, in fact, been processed.</li><li>Receipts were written for cash payments but then later destroyed or removed from the receipt book. The timing of previous and subsequent receipts as reconciled to applications supported this finding.</li></ol><p></p><p>During the investigation, Graham resigned from her position. She was later indicted and ordered to pay restitution in lieu of jail time.<br></p><p>Following the investigation, Jameson put new procedures in place to provide better control over funds related to birth and death certificate applications and payments. The first change involved switching from a duplicate to triplicate receipt book. 
As before, the original was to be given to the applicant, the second copy was to stay intact in the receipt book, and the third copy was to be taken with the deposit to the treasurer’s office. The treasurer’s office was required to check the beginning number to the previous day’s ending number and verify that all receipts were received in sequence and that none were missing. The deposits were required to be made daily so that no cash was on hand in the county clerk’s office for more than a day. Also, Jameson modified the birth and death certificate applications to include a place to write the related receipt number, which would reduce the chance of an application being processed without a receipt. In addition, a second clerk was made responsible for reconciling the receipts and applications that the other clerk processed, and then preparing the deposit to be taken to the treasurer’s office. On an intermittent basis, Jameson would reconcile the applications to the receipt book and then to the deposits. In addition, she reviewed the receipt book weekly to ensure there were no missing receipts and that all voids were substantiated. Finally, Jameson rotated the duties of the two clerks on occasion.<br></p><h3>Lessons Learned <br></h3><ul><li>The use of prenumbered applications and receipts, and procedures to check for missing numbers, will make it more obvious when receipts have been destroyed. Any missing numbers should be investigated immediately as they may indicate fraud.</li><li>Staff duties should be rotated on occasion to ensure fraud is more difficult to carry out and conceal. </li><li>Accounting documents should be linked to source documents so that it is more obvious when items are missing.</li><li>Deposits should be made daily to decrease the likelihood of money being lost or stolen.</li><li>Cash handling procedures such as receipting and deposits should be segregated and reconciled to each other daily. 
Segregation of duties would require collusion for fraud to occur. Daily reconciliations make it more obvious if receipts are not being deposited or are being deposited for less than intended. </li></ul><p> <span class="ms-rteiaStyle-authorbio">Linda Kapp, EdD, CPA, is a manager at McClanahan & Holmes LLP in Paris, Texas. <br> Gordon Heslop, DBA, LLB(Hons), CIA, CMA, is an associate professor, professional track, in the department of accounting at Texas A&M University–Commerce. </span> <br></p>Linda Kapp11012
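<p>The controls Jameson introduced in the case above (prenumbered receipts checked in sequence by the treasurer's office, a receipt number recorded on every application, and reconciliation of applications to the receipt book and then to deposits) can be expressed as a small reconciliation routine. The following is an added example, not part of the original article: the record layouts, finding names, and sample data are constructed for illustration, and it assumes that the copies of voided receipts are still handed to the treasurer so the number sequence stays complete.</p>

```python
"""Added example: reconcile applications, the receipt book and deposits.
Record layouts, finding names and sample data are all constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Receipt:
    number: int            # preprinted receipt number
    amount_cents: int      # fee collected, in cents
    void: bool = False


@dataclass(frozen=True)
class Application:
    app_id: str
    receipt_number: Optional[int]   # receipt number written on the form


@dataclass(frozen=True)
class Deposit:
    day: str                        # ISO date of the deposit
    receipt_numbers: tuple          # receipt copies handed over with it
    total_cents: int


def sequence_gaps(deposits, last_seen):
    """Treasurer's check: each day's first number must follow the previous
    day's last number, and no number in between may be missing."""
    gaps, expected = [], last_seen + 1
    for dep in sorted(deposits, key=lambda d: d.day):
        for number in sorted(dep.receipt_numbers):
            if number > expected:
                gaps.extend(range(expected, number))
            expected = max(expected, number + 1)
    return gaps


def reconcile(applications, receipts, deposits, last_seen):
    """Return (finding, reference) tuples for every exception found."""
    book = {r.number: r for r in receipts}
    findings = [("MISSING_RECEIPT", n)
                for n in sequence_gaps(deposits, last_seen)]

    # Applications to receipt book: every processed application needs a
    # receipt that exists in the book and has not been voided.
    for app in applications:
        if app.receipt_number is None:
            findings.append(("APPLICATION_WITHOUT_RECEIPT", app.app_id))
        elif app.receipt_number not in book:
            findings.append(("RECEIPT_NOT_IN_BOOK", app.app_id))
        elif book[app.receipt_number].void:
            findings.append(("VOID_BUT_PROCESSED", app.receipt_number))

    # Receipt book to deposits: money banked must equal non-void receipts.
    for dep in sorted(deposits, key=lambda d: d.day):
        expected = sum(book[n].amount_cents for n in dep.receipt_numbers
                       if n in book and not book[n].void)
        if expected != dep.total_cents:
            findings.append(("DEPOSIT_MISMATCH", dep.day))
    return findings


# Constructed sample: receipt 104 was removed from the book, 102 was voided
# although its application was processed, A4 has no receipt at all, and the
# second day's deposit is short by one fee.
SAMPLE_RECEIPTS = [
    Receipt(101, 2000), Receipt(102, 2000, void=True), Receipt(103, 2000),
    Receipt(105, 2000), Receipt(106, 2000),
]
SAMPLE_APPLICATIONS = [
    Application("A1", 101), Application("A2", 102), Application("A3", 103),
    Application("A4", None), Application("A5", 105), Application("A6", 106),
]
SAMPLE_DEPOSITS = [
    Deposit("2015-01-05", (101, 102, 103), 4000),
    Deposit("2015-01-06", (105, 106), 2000),
]


def run_sample():
    return reconcile(SAMPLE_APPLICATIONS, SAMPLE_RECEIPTS,
                     SAMPLE_DEPOSITS, last_seen=100)


if __name__ == "__main__":
    for finding, reference in run_sample():
        print(f"{finding}: {reference}")
```

<p>An application that was destroyed along with its payment leaves no record for this routine to compare, so prenumbered application forms would need the same sequence check.</p>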
Profiting off HOAs off HOAs<p>​<span style="line-height:1.6;">A Las Vegas construction firm owner faces sentencing after pleading guilty for his part in a scheme to defraud area home owner associations (HOAs), the </span><em style="line-height:1.6;">Las Vegas Review-Journal</em><span style="line-height:1.6;"> reports. U.S. Justice Department prosecutors say Leon Benzer and attorney Nancy Quon conspired to rig elections in order to take over HOA boards of directors, obtain construction defect contracts for Quon, and secure repair work for Benzer's company. At one HOA, Quon's firm obtained more than US$5.2 million in fees from a construction defect settlement, while Benzer's company was awarded US$7 million to perform repairs. After an FBI raid in 2008, Benzer was charged; Quon, who was never charged, killed herself in 2012. Prosecutors are seeking nearly 20 years in prison for Benzer and US$13.4 million in restitution.</span></p><h3>Lessons Learned</h3><p>Unfortunately, the HOA fraud seen in this story is substantial, but not unique. HOAs are common in the U.S. and typically are formed as corporations by a real estate developer to market, manage, and sell homes and lots in a residential subdivision. Later, they transition to homeowner control after a predetermined number of lots have been sold. In 2010, the Community Associations Institute trade association estimated that HOAs governed 24.8 million U.S. homes and 62 million residents. In Nevada, there are more than 3,000 HOAs. Most HOAs are incorporated and are subject to state statutes that govern nonprofit corporations and homeowner associations. However, state oversight of HOAs is minimal and varies from state to state. 
</p><p>Here are some strategies that HOAs and their regulators should consider to help reduce the risk of the kind of fraud committed by the Las Vegas fraudsters.</p><ul><li><strong>State and local governments.</strong> Governments benefit from the existence of HOAs because they handle some traditional functions such as road maintenance, streetlights, and parks, helping to contain rising government costs as growth continues. They should support strong HOA organizations and exercise greater scrutiny to ensure that HOA boards adhere to minimum standards. Board directors have a legal, fiduciary duty to HOA members and violation of that duty may result in liability for individual directors. </li><li><strong style="line-height:1.428571429;">Regulation.</strong><span style="line-height:1.428571429;"> One matter local and state regulators should oversee is whether directors actually own and reside in a unit within the specific HOA, which has been required in Nevada since 2009. The lack of such a law before that time enabled the perpetrators of the Las Vegas fraud to secure a seat on HOA boards and direct money and work to their own companies. </span><span style="line-height:1.428571429;">I</span><span style="line-height:1.428571429;">n most cases, day-to-day operations of HOAs are in the hands of management companies hired by their boards. Education requirements for these managers vary from state to state, with some requiring certification under all circumstances and others less. Greater consistency in these requirements would increase the probability of competent, fraud-free management. Many states, including Nevada, have established processes to handle HOA complaints such as violations of law, or set up an alternative dispute resolution process to deal with administrative violations. 
But given the apparent volume and impact of HOA fraud, a whistleblower system would be a useful anti-fraud addition.</span><span style="line-height:1.428571429;"> </span></li><li><strong>HOAs, directors, and managers.</strong> Robust governance by board directors is fundamental in preventing fraud. The association should adopt an ethics code for board members to ensure they act ethically and in accordance with their responsibilities. All board members and employees should be thoroughly vetted and any election or hiring process should be transparent, not secretive. The board should exercise vigilance to ensure its directors are not being paid and do not have any kind of employment contract with the HOA. Even if part time and volunteer, directors need to be engaged in monitoring HOA activities, including questioning any delays in circulating financial statements and other organizational documents.<br></li><li><strong>Internal control.</strong> Putting an effective system of controls in place is critical, even in a volunteer-based, not-for-profit organization. That should include appropriate segregation of responsibilities, authority delegation limits, regular spot checks of financial transactions and invoices, and having HOA accounts independently and professionally audited at least once a year, preferably more often. Finally, becoming better educated about the nature, sources, and tactics of fraudulent behavior, in the context of how this impacts not-for-profit organizations, is essential. There is a wealth of resources, often free, available to boards. For example, Preventing Fraud: How to Safeguard Your Organization is a guide aimed specifically at not-for-profits, produced by BoardSource, formerly the National Center for Nonprofit Boards.</li></ul>Art Stewart
Gold Business Turns to Empty Shell for Investors<p></p><p>A Calgary judge recently sentenced two men to 12 years in prison for one of the largest Ponzi schemes in Canadian history, the <a href="">Calgary Herald</a> reports. The pair left thousands of victims in their wake, with total losses estimated up to CA$400 million. Investors were promised an annual return of 34 percent, with low risk, that would grow their initial CA$99,000 investment to more than CA$1 million in eight years. They were told the business involved selling gold for refining. The judge said that some of the victims were left homeless, became suicidal, and suffered rejection by friends and family. </p><h2>Lessons Learned<br></h2><p>This is not a typical Ponzi scheme — it's worse. Typically, the fraudsters take money from investors and form shell companies, moving the money offshore to an account that feeds those companies before moving it again. A portion of that money will go to an actual operation or toward building something that looks real. In this case, it was all shell companies and nothing was produced. It is also not unlike another famous Canadian gold mining scandal, Bre-X Minerals, where there appeared to be a viable mining opportunity but no production. At no time did Bre-X officials say they would be producing gold.</p><p>Vigilance on the part of regulators, as well as a highly proactive whistleblower, were critical elements in detecting this fraud. A red flag was raised when one of the Alberta Security Commission's own staff members spotted a newspaper ad promising investors a fantastic rate of return from the fraudsters' company. The son of an elderly investor couple, also an accountant, detected the fraud and launched a campaign to expose the ringleaders Milowe Brost and Gary Sorenson.</p><p>Much has been written about strategies that individuals, organizations, and auditors can use to prevent Ponzi schemes. 
Here are a few more that come to mind, related to this case:</p><ul><li><strong style="line-height:1.428571429;">Be skeptical of</strong><span style="line-height:1.428571429;"> </span><strong style="line-height:1.428571429;">pitches to get financially involved in exotic, obscure, or "too good to be true" investments</strong><span style="line-height:1.428571429;">. If you get a pitch for an asset class you're not familiar with, make sure you understand the process by which it achieves returns. If you don't understand it or your advisor can't explain it clearly, you probably shouldn't get involved. Also beware of unusual and/or secretive conditions for getting involved. For example, those promoting the Merendon investments encouraged people to mortgage their own homes. Another example: the two fraudsters in our story used fear to build their empire, demanding that investors sign privacy agreements that later made them nervous about talking to police. Also, be especially wary if your adviser downplays or denies risk. Don't be fooled by "salting" techniques regarding the rewards of investing. Brost and Sorenson, for example, were known for showing off enticing evidence of their success: little plastic bags containing silver and gold. Finally, a key question not asked often enough in these situations and before investing is, "How and when can I get my money out?"</span><br></li><li><strong style="line-height:1.428571429;">Be prepared to commit some time and effort to deeper research before you invest.</strong><span style="line-height:1.428571429;"> Put on your gumshoes and find out how long the company has been in the business, as well as the career histories of key senior company officials. The other investors you may learn are also involved aren't necessarily a good indication of whether you should be confident. One Merendon investor was finally convinced after his accountant said he, too, had put money into the company. 
Check the logic of what is being claimed as the basis for good returns on an investment. In our story, Stone Mountain Resources was spending hundreds of thousands of dollars putting infrastructure into a location in which no precious metals/minerals had been located. There was no indication that the area was economically viable, yet roads, a bridge, and several buildings were put in. A site visit could be very helpful (but not necessarily welcomed by fraudsters – they frequently also place sites in far-off locations). Some of those defrauded in our story were offered trips — at their cost — to see the mine and refinery in Belize, but they declined.</span><br></li><li><strong style="line-height:1.428571429;">Those nearing or in retirement are especially at risk and need to protect themselves</strong><span style="line-height:1.428571429;">. A large portion of the investors in our story were retirees. According to a recent study by the North American Securities Administrators Association, nearly half of all investor complaints submitted to state securities agencies came from seniors. It's always tempting to seek higher returns, but seniors are likely best advised to stick to well-known investments, investment companies, and financial advisors. Wide circulation of the results of this story and others like it perhaps will help awareness.</span><br></li></ul>Art Stewart
The Phantom Employee<p>A senior official with the U.S. Bureau of Land Management (BLM) has been convicted of covering up that a former subordinate was still being paid by the agency, <a href="" target="_blank">the Associated Press reports</a>. Federal investigators say John Grimson Lyon, the BLM's Eastern States Region director, aided his former deputy Larry Denny in receiving US$112,000 in wages and benefits after Denny left the agency for a job in Montana in July 2012. They say Lyon certified Denny's work hours and sick leave until March 2013 and pressured BLM employees who raised questions about Denny. A federal judge in Montana sentenced Lyon to six months in prison and ordered him to pay US$74,000 in restitution. Denny has pleaded guilty to theft and fraud, and awaits sentencing. </p><h2>Lessons Learned</h2><p>This story involves a form of payroll fraud, albeit a very sizable single example. Making the story that much worse is the deliberate, sustained collusion between the former employee and his supervisor that enabled this fraud to go undetected for many months. When employees are paid for time they have not actually worked, it's a form of fraud and theft. It is estimated that the average employee "steals" between four and five hours a month from his or her employer — committing time sheet fraud, break abuse, or conducting personal business on company time — which adds up to one full work week every year, costing businesses hundreds of billions of dollars a year worldwide. According to the Association of Certified Fraud Examiners, payroll fraud is the No. 
1 source of accounting fraud and employee theft:</p><ul style="list-style-type:disc;"><li>Payroll fraud happens in 27 percent of businesses.</li><li>Payroll fraud occurs nearly twice as often (14.2 percent) in small organizations with fewer than 100 employees than in large ones (7.6 percent).</li><li>The average instance of payroll fraud lasts about 36 months.</li></ul><p>Internal auditors should check that their organization has taken steps to address payroll fraud and time theft:</p><ul style="list-style-type:disc;"><li>Internal controls are the first line of defense against payroll fraud. In the case of the BLM, clearly the soundness of those controls should be questioned. In writing this article, I checked the BLM's website for audits conducted, going back several years, but I didn't find any related to payroll and employee time theft issues. Payroll audits should be conducted regularly in all areas of the organization and cover all types of employment situations. Using computers, it is relatively easy to flag anyone who receives certain categories of pay such as sick leave, temporary employment with another organization, overtime, and standby time. An identified subpopulation of employees can then be stratified based on materiality and risk for further investigation.</li></ul><ul style="list-style-type:disc;"><li>Senior management and its related human resources and financial management oversight function also need to be engaged in the review of salary expenditure and employee performance reports, including talking to employees from time to time. An effective human resources function should be able to scrutinize employee time and leave reporting for unusual patterns and to report these incidents to senior management. </li></ul><ul style="list-style-type:disc;"><li>Another check and balance on potential long-term time theft fraud is to periodically conduct "desk audits" of employee work functions as detailed in job descriptions vs. 
how the employee actually performs the work. This practice is useful both in periods of organizational change and relative stability where productivity improvements may be desirable. </li></ul><ul style="list-style-type:disc;"><li>Rigorous background and security checking before recruitment takes place is always a good practice, but given the evidence of ever-increasing fraud committed by long-term employees and managers, it also is important to periodically re-check employee backgrounds to establish whether their personal circumstances and predilections for fraudulent behavior may have changed. In an environment where younger employees change jobs more frequently, employers need to be able to share relevant background information more readily. </li></ul><ul style="list-style-type:disc;"><li>Essential controls should be in place regarding time reporting, including that line managers must send time reports directly to the payroll function, rather than to the employee, who could gain an opportunity to falsify them. </li></ul><ul style="list-style-type:disc;"><li>As in this story, managers and employees may conspire to commit fraud. With today's tight corporate budgets, raises may be small or nonexistent, so even a well-meaning manager who has staff retention in mind may give an employee a raise by allowing questionable overtime charges or leave requests. With this in mind, some potential red flags to look out for in the behavior of managers include:</li></ul><ul><ul><li>Being overly protective or exclusive about their organizations, employees, and workspaces.</li><li>Preferring to work on sensitive matters such as human resource issues after hours or take work home.</li><li>Gaps in financial records or missing records.</li><li>Unexplained debt or wealth gains in the individual's personal life.</li></ul></ul>Art Stewart
Charity Begins in the Home<p>It was a hot Friday afternoon in the Atlanta airport. John Rigby’s flight was delayed four hours, and he wanted to fill that time productively. He remembered he still had an unresolved audit exception on a routine match of vendor and employee addresses. The match was for the supervisor, Marilyn Bell, at his client’s graphics department only a few miles away from the airport.<br></p><p>After a 15-minute taxi ride, Rigby opened the door to the small office and announced himself.<br></p><p>“I’m an outside contractor for the audit team at headquarters,” Rigby explained to Bell. “I just need to follow up on an exception we had on some routine audit testing of vendor files last month. Tell me a little about your supplier, Charity Smith.”<br></p><p>The blood drained from Bell’s face as her eyes started watering. Rigby knew he was on to something.<br></p><p>“Tell me what happened,” Rigby instructed.<br></p><p>“Charity is a longtime friend of mine since high school,” Bell began to explain. “She’s a single mom with two young children, and she helps me out from time to time when we have excess work and tight deadlines.”<br></p><p>During the course of his conversation with Bell, Rigby learned a lot about Smith. During the last three years, when the need arose for new print materials — from training manuals to quarterly product catalogues to promotional posters and banners — Smith was often called on to handle the design work. <br></p><p>Smith worked from her home office, often clocking late night hours so she could better juggle the demands of client work and caring for her children. 
She sent her finished work and weekly time sheet by email, which were reviewed by Bell, approved by Bell’s manager, and sent to accounts payable for payment.<br></p><p>After listening silently for almost 10 minutes, Rigby thanked Bell and asked one follow-up question: “Why are Smith’s payments mailed to your home address and deposited into your checking account?”<br></p><p>Bell replied without any hesitation, “Charity lives out in the country, and with taking care of the kids all day she has a hard time getting to the bank in the nearest town to make her deposits. It’s an hour of driving round trip to get to the bank and back, so once a month I deposit her checks into my account, withdraw the cash, and meet her half way for coffee and to give her the money.”<br></p><p>Bell said she had always intended to speak to her boss about the arrangement, just to make sure he was aware of the situation, but she never got around to it. Rigby asked her to write down everything she told him. He explained that he needed something for his audit files to explain the exception, and that her write-up would take care of that.<br></p><p>As Bell wrote, Rigby called a manager in charge of the office from the next room and asked for permission to send Bell home. They agreed and called a manager from another office in Atlanta to come immediately to assist Rigby.<br></p><p>Bell wrote a 12-page report and confirmed verbally and in writing that it was all true. Before sending Bell home, Rigby asked her to get Smith on speakerphone so she could corroborate the report. Again, the blood drained from Bell’s face and her eyes teared up. She froze at the request.<br></p><p>Bell said she did not have the phone number with her in the office, so Rigby suggested she quickly drive home and get it so they could call Smith together in the office. 
Bell didn’t move.<br></p><p>Rigby realized that during the car ride, Bell could call someone to help her by pretending to be Smith, but it was a calculated risk that paid off. Bell continued to sit still and stare at the desk.<br></p><p>“It’s not true, is it?” Rigby inquired, while holding up Bell’s written statement.<br></p><p>“No,” she answered. “I made it all up to cover the amount I’ve taken from the company.”<br></p><p>Rigby then called the office manager back and asked him to pull Bell’s personnel file and look for any other addresses she had provided, regardless of how old they were or why they might be in the file. Two more matches with vendors were found — her parents’ address and her boyfriend’s business address (he was her emergency contact). The total paid to the three fake vendors over three years was almost US$600,000.<br></p><p>Bell’s boyfriend’s address was a retail store. Further investigation revealed that he was taking the checks mailed to his business and to Bell’s parents’ address and including them in the store receipts for the day. An identical amount of cash was removed from the deposits. He was later charged and found guilty of money laundering.<br></p><p>Bell began her scheme to recover from extreme pressures at home after a messy divorce. She fell months behind in her mortgage payments, and she and her children were going to lose their home. Once she put her ethics aside to get up-to-date on her mortgage, she found it much easier to do it again to meet other needs that came up in her life. These included a new car, paying off credit cards and a US$25,000 line of credit, new clothes, vacations, and a custom home with expensive high-end finishes and a custom spa room.<br></p><p>Bell’s manager was held responsible for signing dozens of fabricated time sheets and invoices from the three fake vendors. He trusted Bell and never checked the details.<br></p><p>Bell agreed to cooperate with the investigation and to make restitution. 
Her parents mortgaged their paid-off house to help, and her church took up a special collection as well. Just before her trial, Bell agreed to a plea arrangement that kept her out of jail.</p><h3>Lessons Learned</h3><p></p><ul><li>Fake vendor schemes are common. Procurement teams will assure they have adequate controls over new vendors, but fraudsters will tell you exactly how — and how easy it is — to circumvent those controls.</li><li>Address matches are a standard audit test. Unfortunately, they often lead to false positives and inefficient follow-up work. But auditors shouldn’t let down their guard. There’s a reason why procedures like this are so standard — they produce that needle in a haystack that deserves immediate attention. Auditors should always check every address they can find related to that person to see if they have been busier than first suspected.</li><li>Even well-liked, trusted employees can perpetrate fraud. Bell’s work was excellent — she was reliable and she always went the extra mile to serve her many in-house graphics clients. But financial pressures at home caused her to come up with a scheme to help her pay the mortgage and, eventually, finance a lavish lifestyle.</li><li>Nonverbal reactions can often indicate that a fraud is likely occurring. Bell’s surprise at Rigby’s visit and her attempt to cover her tracks with a complicated story about her fictitious friend were clumsy and full of obvious holes. Auditors should make a point to follow up on audit exceptions in a way that they can see the face of the person as they ask. Get trained in what to look for at this critical moment.</li><li>The command, “Tell me what happened,” can be used to pivot from an audit query to a fraud-based interview. Don’t set limits on the subject matter or time frame. Let the interviewee decide where to begin the story and what details to include. </li></ul>John Hall
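<p>The vendor-to-employee address match described in this column, as an added Python example (not code from the article or from the audit team it describes): it compares each vendor's remit-to address against every address held in the personnel file, including prior and emergency-contact addresses, and ranks the exceptions by amount paid. The record layouts, field names, and sample data are constructed assumptions.</p>

```python
import re
from collections import defaultdict

# Street-word abbreviations so "Lane" and "LN" produce the same key.
ABBREV = {
    "street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
    "lane": "ln", "boulevard": "blvd", "court": "ct", "highway": "hwy",
    "apartment": "apt", "unit": "apt", "suite": "ste",
}


def normalize_address(raw):
    """Lowercase, drop punctuation, abbreviate street words, collapse spaces."""
    text = raw.lower().replace("#", " apt ")
    text = re.sub(r"[^a-z0-9\s]", " ", text)
    return " ".join(ABBREV.get(tok, tok) for tok in text.split())


def index_employee_addresses(employees):
    """Map every address in each personnel file (not only the current home
    address) to the (employee_id, address_type) pairs that list it."""
    index = defaultdict(set)
    for emp in employees:
        for addr_type, address in emp["addresses"].items():
            if address:
                index[normalize_address(address)].add((emp["id"], addr_type))
    return index


def match_vendor_addresses(vendors, employees, payments):
    """Return one exception per vendor/employee address match, ordered by
    total paid to the vendor so the most material items are reviewed first."""
    index = index_employee_addresses(employees)
    paid = defaultdict(int)
    for p in payments:
        paid[p["vendor_id"]] += p["amount"]
    exceptions = []
    for v in vendors:
        key = normalize_address(v["remit_to"])
        for emp_id, addr_type in sorted(index.get(key, ())):
            exceptions.append({
                "vendor_id": v["id"],
                "employee_id": emp_id,
                "matched_on": addr_type,
                "total_paid": paid[v["id"]],
            })
    exceptions.sort(key=lambda e: e["total_paid"], reverse=True)
    return exceptions


# --- Constructed sample data (hypothetical; not taken from the article) ---
EMPLOYEES = [
    {"id": "E100", "addresses": {
        "home": "1420 Peachtree Lane, Apt. 3",
        "prior": "77 Old Mill Road",
        "emergency_contact": "9 Market Street, Suite 2",
    }},
    {"id": "E200", "addresses": {"home": "55 Oak Drive", "prior": None}},
]
VENDORS = [
    {"id": "V1", "remit_to": "1420 PEACHTREE LN #3"},
    {"id": "V2", "remit_to": "77 Old Mill Rd."},
    {"id": "V3", "remit_to": "9 Market St Ste 2"},
    {"id": "V4", "remit_to": "800 Industrial Blvd"},
]
PAYMENTS = [  # amounts in whole dollars
    {"vendor_id": "V1", "amount": 1200}, {"vendor_id": "V1", "amount": 800},
    {"vendor_id": "V2", "amount": 500},
    {"vendor_id": "V3", "amount": 3000}, {"vendor_id": "V3", "amount": 1500},
    {"vendor_id": "V4", "amount": 10000},
]


def run_sample():
    """Run the match over the constructed records above."""
    return match_vendor_addresses(VENDORS, EMPLOYEES, PAYMENTS)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

<p>Each exception is a lead for follow-up, not a finding: shared buildings and family-owned suppliers produce legitimate matches.</p>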
Caught in the Medicare Fraud Sweep<p>In what it calls its largest criminal health-care fraud sweep, the U.S. Department of Justice (DOJ) has charged 243 people — including 43 doctors, nurses, and other medical professionals — with submitting false bills to the U.S. Medicare program totaling US$712 million. The charges involve schemes such as false claims for treatments that were medically unnecessary or never provided, <a href="" target="_blank">Reuters reports</a>. In one case, a Miami mental health facility billed nearly US$64 million for psychotherapy sessions, when it actually just moved patients to a different location, the DOJ said. With these arrests, the DOJ has charged more than 2,300 people with Medicare billing fraud totaling more than US$7 billion since 2007.</p><h2>Lessons Learned</h2><p>According to numerous sources, the U.S. spends about 17 percent of its gross domestic product on health care annually. In 2012, this amounted to approximately US$3.8 trillion. The sizable US$712 million lost to fraudulent activity in this story is part of an overall total of US$3.3 billion in fraud uncovered in 2014. While losses in this case represent less than 0.1 percent of that total, it appears that the DOJ may have only uncovered the tip of the iceberg of health-care fraud. In 2014 alone, the U.S. Department of Health and Human Services' (HHS') Office of the Inspector General (OIG) undertook 867 criminal and 529 civil actions against individuals and organizations for false claims, penalty recoveries, and other related matters, according to the <a href="" target="_blank">2014 DOJ/HHS annual report</a> (PDF) on the Health Care Fraud and Abuse Control Program.</p><p>It seems evident that HHS and its OIG are taking a disciplined, systematic approach to its fraud risk assessment and detection activities. 
Let's take a closer look at the key elements of that approach, along with some suggestions on how it might be even further strengthened in light of ongoing implementation of the U.S. Patient Protection and Affordable Care Act (ACA).</p><ul style="list-style-type:disc;"><li> <strong>Data Analysis and Data Quality.</strong> Enhanced data analysis made possible the impressive enforcement results in this story. Claims data is being made available more quickly and efficiently, providing law enforcement increased access to data — including real-time data — and helping focus enforcement resources on high-risk geographic, organizational, and individual cluster groups. Risk scoring of Medicare claims prepayment is performed and predictive models are being tested. Moreover, investigators, data analysts, clinicians, and subject-matter experts work on cases in a multidisciplinary environment. There also is an emphasis on enterprisewide improvements in the accuracy and availability of data for Medicaid program integrity and oversight.<br><br>An area for further attention by the OIG and HHS is to ensure that it is capable of handling the changing pattern and volume of new fraud referrals that can be expected from ongoing implementation of the ACA. Also, while the HHS clearly has whistleblower programs in place, it is not clear to what extent these programs are contributing to its overall fraud prevention and detection effectiveness. Results from a new pilot program to estimate the overall probable level of program fraud are expected beginning in 2016, which may provide a clearer indication of the overall size of the health-care fraud "iceberg." ​</li></ul><ul style="list-style-type:disc;"><li> <strong>Enrollment and Payment.</strong> Since the adoption of the ACA, stronger provisions concerning screening of providers and suppliers on the basis of fraud risk have been implemented, with three risk levels for providers (limited, moderate, and high). 
A goal is to identify ineligible providers or suppliers before their enrollment or revalidation through provider site visits by increasing the scope and coverage of high-risk providers and suppliers such as home health providers, independent diagnostic testing facilities, and outpatient rehabilitation providers. Increasing the frequency of surprise out-of-cycle site visits could enhance the effectiveness of this element in detecting potential fraud. A temporary new enrollment moratorium for certain types of providers in high-risk geographic areas such as Florida and Texas, has been instituted but may need expansion. </li></ul><ul style="list-style-type:disc;"><li> <strong>Monitoring Benefits Delivered by Third Parties.</strong> Third-party sponsors and state governments comprise a large part of the risk landscape for delivery of health-care benefits and services. Greater oversight has resulted from auditing sponsors' compliance plans and strengthening their program integrity training responsibilities. More recent assessments have reviewed the states' performance in meeting regulatory requirements and ensuring that managed care systems deliver accessible, available, and appropriate services to Medicaid beneficiaries. Federal health-care agencies are issuing clear regulations and guidance for mandatory provider compliance plans under the ACA, but these have not been completed. Another gap to be filled is requiring state contracts with managed care entities to include a method to verify with beneficiaries whether services billed by providers were actually received.</li></ul><ul style="list-style-type:disc;"><li> <strong>Accountability.</strong> Payment suspensions are one example of an increased focus on using administrative tools to ensure accountability. 
Each year, HHS' OIG excludes thousands of individuals and entities from participating in federal health-care programs for a variety of reasons ranging from health-care fraud convictions to loss of medical license for professional incompetence. Since the adoption of the ACA, some 1.5 million providers have been asked to resubmit for validation of their eligibility, some 470,000 enrollments have been deactivated, and nearly 28,000 enrollments have been revoked to prevent these providers from billing the Medicare program. The HHS' OIG and its law enforcement partners also investigate suspected fraud and refer cases to the DOJ for criminal and civil adjudication. The HHS should continue to focus on accountability for fraud. In addition, its OIG should continue to use its exclusion authority to protect the department's programs and beneficiaries, including considering cases in which excluding responsible corporate officers of sanctioned providers and suppliers is appropriate and monitoring the effect of such exclusions on recidivism.</li></ul>Art Stewart
