Fraud

 

 

Reuse Abusehttps://iaonline.theiia.org/2018/Pages/Reuse-Abuse.aspxReuse Abuse<p>​The U.K.'s national recycling system is prone to fraud and error, the National Audit Office (NAO) reports. Although the U.K. government previously estimated the nation had exceeded its overall packaging target each year since 1997, businesses may be overstating how much paper, plastic, and other materials they recycle, <a href="https://www.telegraph.co.uk/news/2018/07/22/uk-recycling-system-open-fraud-error-watchdog-warns/" target="_blank">according to <em>The Telegraph</em></a>.</p><p>The NAO estimates that 10 percent of packaging sent to recycling plants cannot be recycled because of contamination. Meanwhile, some materials are shipped to other countries where it is likely they will not be recycled, and worse, may be thrown into the sea. </p><p>Plastic recycling is particularly susceptible to fraud because of financial incentives. In addition, the NAO report found some of the U.K.'s largest companies have not paid into the recycling system — some for more than a decade.</p><h2>Lessons Learned</h2><p>There is at least one striking comment made within the NAO's review of the U.K.'s plastics recycling programs: "The government should have a much better understanding of the difference this system makes and a better handle on the risks associated with so much packaging waste being recycled." </p><p>Based on reviewing the limited number of audits conducted of recycling programs in Canada, Europe, the U.K., and the U.S., not only are there issues with potential overstatement of recycling levels, but also the measured achievement of program goals are declining over time. This observation extrapolates to recycling programs more generally. </p><p>While recycling programs are not new, the scope and scale of modern approaches to this societal issue certainly is. Moreover, auditors' involvement and experience in helping governments identify risks such as fraud and recommending improvements to these programs appears to still be emerging. Here are some key elements of an effective recycling audit program, with a particular eye to the issues the NAO identified.</p><ul><li> <strong>Define the scope of recycling programs. </strong>Even the basic definition of <em>recycling</em> is important to clarify. A Canadian Standards Association (CSA) definition is among the clearest and most comprehensive:<br> <br>"The amount of material recycled as a percentage of the amount of targeted material collected (inbound) minus reuse and shrinkage. The recycling efficiency rate must reflect the net mass balance of all processing of that material, not simply one service provider's gate-to-gate efficiency rate."<br> <br>The current reality is that these definitions vary, at times considerably, from country to country and within particular country jurisdictions. Adding to this is the need to clearly identify the policy goals and expected outcomes of recycling programs. Prevention and reuse are commonly articulated policy goals, but they are not necessarily consistently defined or scoped among jurisdictions. Program components such as composting, separating, processing, and disposal services need clear definition and alignment with other relevant jurisdictions to permit useful comparisons.<br> </li><li> <strong>Establish, monitor, and report on a recycling program performance measurement framework. </strong>This work needs to address performance measures adequately enough to provide sufficient and reliable information to conclude on the effectiveness and efficiency of the program. It should cover the completeness, measurability, and consistency across the entire recycling program. <br> <br>Public transparency in communicating and reporting results also is critical. For example, many recycling programs identify and measure both gross and net recycling targets. But as this story notes, a considerable percentage of recycled materials cannot be used as intended. <br> <br>There are even better measures of recycling system performance that also support improvement of program and policy objectives. Rather than setting percentage recycling targets based on weight measures, a kilogram/capita disposal target may be better. According to the recycling policy literature, reduction is more important than recycling. Therefore, reducing waste should decrease total quantities for disposal, even if there is no increase in recycling rates. <br>Auditors also need to review performance measure calculation methodologies to ensure they provide reliable, comparable, and consistent information to demonstrate achievement of program goals and support management decision-making.<br> </li><li> <strong>Monitor the cost-effectiveness of recycling program operations</strong><strong>.</strong> Formal and regularly conducted operational performance monitoring and reporting processes must be in place that allow management to ensure recycling operations are meeting cost performance expectations. Rather than adopting a simple cost–benefit analysis perspective, organizations also must consider policies such as the need to influence behavior toward conservation and reduced use/disposal. <br> </li><li> <strong>Recommend an effective process to plan for and manage the recycling program and its projects. </strong>This process should include business cases for new strategies and projects. Business cases must provide assurance that information presented is complete, accurate, and supported. <br> <br>The process should include project management practices such as regular inspections of all facilities (whether contracted or owned) to ensure standards are being met. Project management considerations should incorporate strategies to manage and maintain the recycling facilities (including equipment), on-site mobile equipment, and asset management processes. Such assets include any equipment used to classify, sort, construct, and demolish recycled materials. <br> <br>A further component is research and development to support future strategies and ensure capacity remains sufficient to meet evolving requirements.</li></ul>Art Stewart0
Unsafe Inspectionshttps://iaonline.theiia.org/2018/Pages/Unsafe-Inspections.aspxUnsafe Inspections<p>​Toronto's auditor general (AG) says poor record keeping by city officials may have enabled three vendors to commit multiple frauds related to fire safety inspections, according to a <a href="https://toronto.citynews.ca/video/2018/07/06/fraud-probe-exposes-city-hall-incompetence/" target="_blank">Toronto City News report</a>. AG Beverly Romeo-Beehler alleges three companies controlled by the same individual — Advance Fire Control, Advanced Detection Technologies Corp., and York Fire Protection — engaged in double billing, overcharged for work, double bid for city contracts, and used multiple false identities in their business with the city over a decade, the <a href="https://nationalpost.com/opinion/christie-blatchford-toronto-fire-inspection-paper-trail-so-bad-police-cant-start-fraud-probe" target="_blank"><em>National Post</em></a> reports. The AG's report notes a missing audit trail, and only about half of invoices were documented by the city's Facilities Management division. A lack of a documented inspection trail may mean fire alarm inspections were not carried out and those buildings are not safe. </p><h2>Lessons Learned</h2><p>Because of poor or nonexistent record keeping and management controls at the city of Toronto's Facilities Management division, it is not clear whether this case will result in criminal charges. Nevertheless, auditors should take note of the many measures the city could have taken to help prevent what happened.</p><p>First among other measures, the city should pay for a comprehensive new audit of fire and safety at city facilities, as noted in the <em>National Post</em> story. That is likely to reveal a great deal about what went wrong and why, even if the audit trails are weak. This should have been done a long time ago. </p><p>According to public records relating to audits of city services and administration conducted over the past several years, Toronto Fire Services was last audited in September 2013, with a focus on "improving the administration and effectiveness of firefighter training and recruitment." However, under these circumstances of apparent poor management controls, the proposed new audit and its results should be managed and received by Toronto's city manager — or, even better, by the mayor and council, themselves. And the city and its AG should take a good look at its fraud risk assessments and priorities. Seemingly lower value, repeating activities that are contracted out often are overlooked as higher risk for fraud.</p><p>Secondly, it appears managers within the city's facilities management department needed much better training in the awarding and management of contracts, documentation and related controls, and fraud awareness and fraud risk assessment techniques. The long list of specific improvements needed includes:</p><ul><li>Probing the backgrounds of companies bidding on contracts to verify ownership and qualifications, including of key employees. For the city of Toronto, this measure might need to include face-to-face meetings with vendor company officials to ensure they are distinct and have real employees. In fairness, this also is somewhat of a Province of Ontario matter, as the certification of fire safety inspection technicians falls under its jurisdiction.<br><br></li><li>Reviewing contract-bidding policies and procedures to avoid, restrict, and scrutinize situations where the same companies successfully obtain the same contracts year after year. <br><br></li><li>Regular review and updating of contract performance standards for the quality, completeness, and timeliness of expected work and its documentation. The city also should more rigorously monitor the inspection work as it is being performed and require interim progress reporting by the successful bidding companies.<br><br> </li><li>Enforced requirements for full and accurate invoicing of work performed. The city needs verification routines and other internal controls to help avoid and detect fake, duplicate, overbilled, and other illegal practices. Partial information is not sufficient, and cut-and-paste sign-offs for the work are unacceptable.<br><br></li><li>Where performance or other standards, such as for work documentation, are not being met, clear and timely sanctions are needed, along with documentation of these events.<br></li></ul><p> <br> </p><p>Third, the city's oversight, accountability, and management culture seem overdue for improvement. Management of the city's Facilities Management division appears to have been aware of many issues in this case, but it continued to award the contracts to the vendors in the same way. Inspection reports and related documentation were not reviewed closely enough. This would have enabled the division to uncover faked signatures by nonexistent inspectors, inspections of facilities where sprinklers supposedly existed (but didn't), and other fraudulent activity much earlier. Expectations for accountability and consequences where these expectations are not met seem badly needed.</p>Art Stewart0
The CFO Check Scamhttps://iaonline.theiia.org/2018/Pages/The-CFO-Check-Scam.aspxThe CFO Check Scam<p>​Assigned to what appeared to be a routine audit, internal auditors Juan Morales and Jim Burton were sent to the Ottawa office of Smith Construction Inc. (SCI), an engineering and construction subsidiary whose parent company, U.S. Constructors Inc. (USCI), was headquartered in New Jersey. SCI made most of its profits from manufacturing boilers and associated products for electric power generation plants and oil and gas refineries. </p><p>Generating approximately $200 million in annual sales, SCI was in good standing with USCI. However, it began to struggle when senior management at USCI started implementing highly aggressive sales targets. Once sales numbers could not keep up with anticipated goals, SCI began to spiral toward disaster. </p><p>SCI was faced with significant charges against earnings based on poor business decisions that led to several cutbacks and layoffs at the Canadian operations. Employees responsible for managing the vendor master file — a list of all the company's suppliers — were laid off as a cost-cutting measure and the accounting department was reduced from seven to four people. The aggressive layoffs inevitably led to a potential lack of segregation of duties. A task or process previously performed and reviewed by several people became the responsibility of one individual. In many cases, the responsibility fell to the company's chief financial officer (CFO), Paul Fournier. </p><p>After a few more significant charges against earnings, senior management terminated Fournier and the business unit CEO. Per company policy, every time a high-level employee left the company, internal auditors were assigned to check the critical general ledger accounts, including cash. Burton's position was his first audit job after working in the accounting field for just under one year. Du​e to his lack of experience, Morales, his supervisor, assigned him to look over the company's liability accounts, which included accounts payable and accruals, as it was considered the most routine part of internal auditing.</p><p>Reviewing the details of the company's liabilities requires a simple, step-by-step process that even an inexperienced auditor could perform. By following each step of standard internal audit procedures, Burton was able to uncover an enormous fluctuation in liabilities. He noticed that around $30,000 was being made payable every month to a law firm in Boston. He mentioned this to Morales and the two decided to look into it further. An engineering and construction company making regular payments in significant amounts to a law firm outside of the country was suspicious. </p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>​<strong>Lessons Learned</strong></p><ul><li>Segregation of duties is crucial for every company and is the easiest way to prevent fraud from occurring. Even when faced with major cutbacks, it is important to make sure duties within the accounting department are performed and reviewed by different personnel. This internal control separates key processes to make fraud more difficult to attempt.</li><li>Companies should always keep an updated vendor master file. The process of updating it should go through several employees to ensure accuracy and prevent fraudulent payments to fictitious vendors. Employees responsible for issuing payments should never be able to modify the vendor master file. </li><li>Employing internal audit after a high-level employee leaves the company is a good practice and should be the case for all companies. A post-departure audit review helps companies catch fraud that may have otherwise gone completely undetected and prevent new hires from getting involved in the actions of the previous employee in their position. </li><li>A strong and trusted audit program with clearly documented procedures can help even a rookie auditor discover fraud. Though this will not guarantee that a fraud will be detected, even if procedures are followed with due care, internal auditors can be a deterrent for employees looking to commit fraud. </li></ul></td></tr></tbody></table><p>They discovered that the law firm specialized in international trade issues related to the North American Free Trade Agreement (NAFTA), but it had been several years since the company required legal expertise related to NAFTA issues. This fact prompted them to look into the situation even further. Morales contacted the law firm and asked to speak to the accounting manager, who revealed that SCI had not been an active client for four years and there was no record of the company in their accounts receivables records. Burton also found a check made out for $12,000 to the law firm that had not been cashed for two months, which created more suspicion. </p><p>Because the review had occurred before any sort of electronic records existed, Burton and Morales had to retrieve physical canceled checks from boxes in the record storage area of the basement to see who had endorsed them. They found most checks were signed "for deposit only" and written by hand instead of stamped with the company's name. After hours of going through boxes, they found a check endorsed with Fournier's signature. When they pulled the vendor master file, they realized that check payments to the law firm were being sent to an address in Canada, not the U.S. </p><p>After the layoffs, Fournier became the only one in charge of the vendor master file and was able to change data with no other type of review. This allowed Fournier to manipulate the information on the vendor master file on his own, without co-workers noticing. He changed the firm's address to one in Canada so he would be able to cash the checks on his own behalf. He copied and pasted data from legitimate invoices from the law firm, presented them for payment, noted them in the accounting records, and filed them.</p><p>Realizing this case could require third-party expertise, Morales and Burton called the CAE and controller at USCI to recommend a forensic investigation. The forensic investigators recreated all of the accounting books to reveal what they should look like and exactly how much was missing. Ultimately, this effort revealed a total of $1.1 million in checks from the U.S. cashed in Canada over three years. Morales and Burton remained on site assisting with procedures such as cash reconciliation and overhead analysis. </p><p>Based on recommendations from USCI's general counsel and outside counsel, Fournier was issued a Form 1099 that recorded the $1.1 million he had stolen from the Canadian subsidiary and notified the U.S. Internal Revenue Service of his compensation received through the fraud. Fournier was eventually convicted of the fraud and sentenced to a U.S. federal prison for 18 months.</p>John Ney1
Targeting Health-care Fraudhttps://iaonline.theiia.org/2018/Pages/Targeting-Health-care-Fraud.aspxTargeting Health-care Fraud<p>​The U.S. Justice Department (DOJ) has charged 601 people with health-care fraud, as part of the department's annual takedown of fraudulent health-care activities, <a href="https://www.reuters.com/article/us-usa-justice-healthcare/u-s-charges-hundreds-in-healthcare-fraud-opioid-crackdown-idUSKBN1JO26B" target="_blank"> <em>Reuters</em> reports</a>. Officials estimate the frauds amounted to more than $2 billion in losses. This year's takedown announcement focused on the opioid crisis, with more than 160 doctors and other suspects charged with prescribing and distributing addictive painkillers. </p><h2>Lessons Learned</h2><p>This story represents both good and bad news. The good: An impressive series of successful fraud investigations — the largest single medical fraud enforcement action in DOJ history — resulted in hundreds of charges across the U.S. The bad: The announcement illustrates how health-care fraud remains a persistent and costly problem for governments, the private sector, and taxpayers. </p><p>To address health-care fraud, the U.S. Congress and the Center for Medicare & Medicaid Services (CMS) have developed a variety of approaches in recent years to audit Medicare and Medicaid claims and detect fraud. Two of these programs, the Fraud Prevention System (FPS) and Comprehensive Error Rate Testing (CERT), appear to have been instrumental in the government's latest efforts to uncover fraudulent activities. Here is a closer look at how they work.</p><p> <strong>FPS.</strong> CMS' advanced analytics system, FPS, uses predictive analytics to identify troublesome billing patterns and outlier claims for action, similar to systems used by credit card companies. Predictive analytics is a branch of advanced statistics that uses historical data to make predictions about future events. FPS uses predictive analytics based on detection methods such as coding rules, anomaly detection, and link analytics involving specific algorithms (based on regression routines, nearest neighbor and neural networks, and similar algorithms) to associate scores to likely matches that indicate fraud issues.</p><p>Reviews may be fully automated, such as analyzing 100 percent of Medicare fee-for-service claims. Alternatively, they may be semi-automated. For example, for high-scoring claims, FPS may link the National Provider Identifier to Tax Identification Number codes to identify a specific entity and associated billing and taxation activity, and detect anomalies.</p><p> <strong>CERT.</strong> This program randomly selects a sample of claims submitted to insurance carriers and Medicare Administrative Contractors (MACs) during each reporting period. CERT then requests medical records from the health-care providers that submitted those claims. By reviewing claims in the sample and the associated medical records, CERT can see whether these claims complied with Medicare coverage, coding, and billing rules. If they did not, it assigns errors to the claims. </p><p>Although there are a substantial number of types of claims, globally error rates are in the 10 percent to 12 percent range, amounting to billions of dollars each year. This does not necessarily mean there is fraud involved. Where the provider did not submit medical records, CERT classifies the case as a no-documentation claim and counts it as an error. It then sends providers overpayment letters or makes adjustments for claims that were overpaid or underpaid. In some cases, CERT may notify providers that further investigation — including for fraud — may be underway. Some of the key red flags include:</p><ul><li>An invoice with a modified date.</li><li>An entire family claiming similar supplies or services.</li><li>A history of frequent or high-value claims.</li><li>Many plan members in one group using the same health-care provider or trends.</li><li>A plan member consulting many health-care providers or buying drugs at numerous pharmacies.</li><li>Vague or evasive answers to questions by plan members or health-care providers. <br></li> </ul><p><br></p><p>Beyond the FPS and CERT programs, the medical and pharmaceutical industries, associations, professionals, and patients, as well as potential fraudsters should take note of the DOJ's recent enforcement action. They should continue to improve their fraud awareness and compliance behavior — or risk getting caught. </p>Art Stewart0
Stealing From Authorshttps://iaonline.theiia.org/2018/Pages/Stealing-From-Authors.aspxStealing From Authors<p>​Perhaps the first rule of fight club should be "make sure you get paid," after a bookkeeper at the literary agency that represents <em>Fight Club</em> novelist Chuck Palahniuk and other famous authors was arrested for allegedly stealing authors' royalties. <a href="https://www.theguardian.com/books/2018/may/30/chuck-palahniuk-agent-accountant-faces-charges-fight-club" target="_blank"> <em>The Guardian</em> reports</a> that Darin Webb, an accountant at Donadio and Olson in New York, allegedly took more than $3.4 million from the firm's clients over a two-year period. </p><p>According to the charges, Webb made false and fraudulent representations in monthly financial reports and emails to clients. The alleged fraud came to light after another client of the firm complained about not receiving an expected $200,000 payment and Webb responded to the author with false explanations. Instead, the charges claim Webb converted the funds to his own use. Webb allegedly confessed to the charges during a video interview.</p><h2>Lessons Learned</h2><p>Many people aspire to or have become authors and artists. These individuals need to protect themselves from the particular fraudulent activity represented in this story and other publishing-related frauds. Additionally, literary agents and publishers need to implement controls to prevent and detect fraud to better safeguard their authors' interests.</p><p>The accused fraudster in this story is an example of a classic deadbeat thief<strong> </strong>— a person or company that hires an author and never pays that individual for his or her work or pays the author erratically. In some cases, the firm grudgingly pays a far lower amount than was originally promised. Demanding full payment up front is an arrangement to which few publishers or agents will ever agree. Making matters worse in this case, Webb was using his position at a well-known agency to steal from its clients, illustrating that this type of fraud happens at reputable firms.  </p><p>Here are two areas of concern for agents, publishers, and the authors they represent:</p><ul><li> <strong>Legitimacy of the business.</strong> Literary agents and publishers are represented by organizations such as the <a href="http://aaronline.org/" target="_blank">Association of Authors' Representatives</a> (AAR) in the U.S. or similar associations operating in other countries. Membership in these organizations is one indication of reputability, because agents must meet competency requirements to join and must abide by a code of practice that excludes some common abuses such as referral kickback schemes. <br> <br>Organizations such as AAR and the <a href="https://asja.org/" target="_blank">American Society of Journalists and Authors</a> (ASJA) also report on complaints against association members. ASJA offers advice on dealing with unfair provisions in book, periodical, and online publishing agreements, as well as strategies for dealing with late payers and nonpayers. <br> <br>However, membership in one of these associations is not an infallible guarantee against fraud. Like any company, literary agents and publishers may have employees who commit fraud. As such, authors and artists cannot focus only on their content. Instead, they should take control as much as possible. Many authors and artists manage the business aspects of their careers and intellectual property, including copyright, publishing, distribution, and royalty/fee management. <br> <br></li><li> <strong>Business operations.</strong> Authors typically inquire about how publishers or literary agencies will distribute and publicize their work, rather than how they will be protected. These firms should have financial controls in place. For example, the firm should regularly scrutinize its accountants' management of client and accounts activities — including requiring dual authorizations of checks and payments. Who provides this oversight and how, including audits? <br> <br>One way to protect authors from fraud is to establish a clear contract that specifies the financial arrangements of the author's agreement in writing. This contract should include measures such as regular or interim installment payments and schedules, and consequences when deadlines are not met.</li></ul><p><br></p><p>Going beyond this story, here are other publishing fraud schemes:</p><ul><li> <strong>Pay-to-publish companies.</strong> Such companies charge excessive fees to print a book, produce a shoddy product or no product at all, or make misleading claims about their capabilities to market the book, distribute it to bookstores, and have it reviewed. Few authors make decent money by publishing their own books, and most never come close to earning back their investment in such arrangements. Most authors are well-advised to focus their efforts on honing their craft and finding a reputable agent.<br> </li><li> <strong>Agents who charge up-front fees. </strong>Some disreputable literary agents charge fees for "reading," "representation," "evaluation," "retainers," or "marketing." Whatever they are called, agents should make their money by selling an author's work, not by charging him or her to do other things.<br><strong> </strong></li><li> <strong>Pay-to-play writing and anthology </strong> <strong>contests. </strong>There are many writing contests where the sponsor is trying to make a profit on entry fees. Some of these contests require authors to assign to the contest operator any publishing rights in their work — sometimes exclusive rights — even if the work is not the winner. <br> <br>Anthology contests pose similar problems. Authors submit a poem or short story, then they are notified that their work has been selected for inclusion. At that point, contest organizers pressure them to buy several copies of the (expensive) book in which their piece is presumably going to appear.  </li></ul>Art Stewart0
The Priest's New Househttps://iaonline.theiia.org/2018/Pages/The-Priest's-New-House.aspxThe Priest's New House<p>​An audit alleges that an Okemos, Mich. priest embezzled $5.4 million from his church over 26 years, <a href="https://www.detroitnews.com/story/news/local/michigan/2018/04/30/audit-okemo-priest-embezzlement-grows/34424783/" target="_blank">the <em>Detroit News</em> reports</a>. Rev. Jon Wehrle will go on trial next week to face six embezzlement charges. Prosecutors accuse him of stealing from St. Martha's Church to pay for the construction of a $3 million mansion in 2007. The audit further alleges that Wehrle spent church funds on a previous house, tuition and medical bills for his adopted children, and to pay bills, taxes, and insurance expenses. </p><h2>Lessons Learned</h2><p>The case against the clergyman in this story is only now going to trial, but one can discern that so much money going missing is primarily attributable to a toxic combination of a highly manipulative fraudster and ineffective oversight. Few controls existed over the way in which Wehrle handled church money. He was able to write checks to himself without receipts and regularly take entire Sunday collections, while the Catholic Diocese of Lansing, Mich. failed to ask any serious questions for many years. </p><p>So, how can churches reduce fraud risk? Fundamentally, operating a church needs to be thought of as running a business. Churches need effective oversight and financial controls, qualified accounting and financial personnel, and regular reviews to ensure things are working as intended. More specifically, here are four areas for attention:</p><ol><li> <strong>Ensure that </strong> <strong>appropriate </strong> <strong>oversight and supervision is in place. </strong>Church leaders are responsible for managing operations and practices. Whether that oversight is of employees or volunteers, it is critical to have good supervision of those who deal with church funds. The natural leadership tendency is to empower people with the freedom to work independently, but there always should be some form of accountability, or check and balance, for that freedom. <br> <br>A finance committee also should review financial documents and transactions regularly, as well as ask questions of all clergy, employees, and volunteers. If it is difficult to get a financial summary from a person who handles money, it is likely a red flag. Allowing a church official to use significant amounts of money for personal purposes is another warning sign. <br> </li><li> <strong>Actively manage the church governance and workforce to protect the institution from fraud risks</strong><strong>.</strong> It is sensible to perform background checks periodically on all church staff and employees. Such checks should not be limited to just when individuals are first hired, because circumstances can change.<br> <br>In addition, people who have access to church funds should be subjected to particular scrutiny, including lifestyle changes. While this practice may seem invasive, it can provide information that ultimately protects the church. Wehrle had a construction industry background, which reasonably would make him an attractive person to help the diocese with its building projects. However, that should not have prevented scrutiny of his activities. <br> <br>The diocese should regularly rotate church officials and employees in their roles — particularly those who approve transactions and handle money. No one should stay in the role indefinitely, and the use of multiple, unrelated people will make it more difficult to steal. <br> <br>Given the apparent absence of effective oversight by the diocese, both the diocese and St. Martha's Church should renew the leaders who are responsible for that oversight. Even in a church environment of faith and trust, it would be wise to encourage everyone to pay attention to fraud red flags and report suspected behavior. For example, the one church secretary employee who appears to have known about Wehrle's allegedly inappropriate use of church checks for personal use should have shared her concerns.<br> </li><li> <strong>Establish and monitor basic accounting, payroll, and finance functions, including controls over delegations of authority for financial transactions</strong><strong>.</strong> Of particular importance is a requirement that there be dual signatures on checks for larger dollar amounts. For example, the diocese could require that any check for more than $500 be signed by two people, and that the two authorized signors of large checks should be the individual in charge of finance and accounting and a diocese or board member. Furthermore, the member chosen to co-sign large checks should not be the same board member selected to review bank statements. The diocese should never have allowed Wehrle such latitude in handling church funds.<br> <br>Moreover, the broader church hierarchy failed to follow up on several unusual financial arrangements, including Wehrle's claim that the diocese had agreed to allow him to live in private homes, rather than a rectory. Also, the diocese did not independently verify the church's financial statements, which may have revealed the fraud at an earlier stage. Regular audits — more often than just when there is a change in parish leadership — are needed. <br> </li> <li> <strong>Control access to bank statements and other financial information. </strong>Wehrle had direct and sole access to bank accounts — such as access to blank check stock, check-signing authorization, and reconciling the bank statement — to initially receive and open the monthly bank statements, and he successfully prevented anyone else from having access. This is one of the easiest ways for fraud to go undiscovered. The diocese should change the mailing address on all bank statements to the address of a trusted individual such as a senior financial officer or member of the oversight body. </li></ol>Art Stewart0
The Lottery Loserhttps://iaonline.theiia.org/2018/Pages/The-Lottery-Loser.aspxThe Lottery Loser<p>​U.S. federal prosecutors have charged the CEO of New York state's oldest credit union with swindling the institution out of $6 million since 2013, <a href="https://www.cnbc.com/2018/05/08/kam-wong-credit-union-ceo-charged-with-fraud-spent-cash-on-lottery.html" target="_blank">CNBC reports</a>. According to the U.S. Attorney for the Southern District of New York, Municipal Credit Union CEO Kam Wong deposited hand-written checks from the credit union into his personal account. He also allegedly obtained reimbursements for fake dental work and a long-term disability insurance policy. Prosecutors say Wong spent most of the money on lottery tickets by writing checks to local convenience stores. Moreover, he sought money from other sources to feed his lottery habit, prosecutors claim.</p><h2>Lessons Learned</h2><p>Previous articles have discussed the specific risks, types of employee fraud, and ways to detect and prevent fraud in the not-for-profit sector (see box at right). Given the significant amounts of money involved in this story, it is a good opportunity to review some of the most relevant lessons for internal auditors.</p><p>Laws and regulations for credit unions vary from state to state. Generally, they are required to have appropriate internal financial controls in place and regularly audit their financial statements and reporting. It appears that was not enough in the case of Municipal Credit Union.</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> <p> <strong>Sidebar: Not-for-Profit Fraud</strong></p><p>Here are additional stories about preventing and detecting fraud in not-for-profit organizations.</p><ul><li> <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=89a3c70c-d0eb-498c-a994-0d1b66ab020a"><span class="ms-rteForeColor-8">"Governing Nonprofit Fraud"</span></a></li><li> <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=f7d71715-7be9-474c-af5d-95df5b66e2f6"><span class="ms-rteForeColor-8">"Pinching the PTA for Thousands of Dollars"</span></a></li><li> <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=b6f823f3-5a9f-45d3-8e18-3daf045c8750"><span class="ms-rteForeColor-8">"Embezzlement in the Tribe"</span></a></li><li> <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=153e93a3-7bd1-46ee-9a9a-a0a6d686a4df"><span class="ms-rteForeColor-8">"The Gambling Priest"</span></a></li><li> <a href="/2017/Pages/Powered-Down-by-Fraud.aspx"><span class="ms-rteForeColor-8">"Powered Down by Fraud"</span></a></li></ul></td></tr></tbody></table><p>In the many cases and research about fraud in the not-for-profit sector, the most often cited critical control measures to help prevent fraud are regular and active board oversight and clear roles and responsibilities regarding financial controls. These include:</p><ul><li> <strong>Oversight. </strong>In this story, it does not appear that the credit union's board exercised sufficient oversight. Boards should monitor financial assets, budgets, and expenditures, and question any large amounts, patterns, and irregularities in financial accounting activities. In particular, boards of not-for-profit and similar organizations should demand that the structure of financial controls and reporting be appropriate for the organization's mandate and business focus.<br> <br>The scope of these controls should include the financial activities of the organization's executives. Boards should require fraud risk assessments, or similar external assessments of the organization's financial situation and risk, to identify irregularities and unclear policies, procedures, or practices. Then, the organization should conduct regular audits that go well beyond the standard assessment of the reliability of information used in financial statements and reporting. <br> </li><li> <strong>F</strong><strong>inancial controls</strong><strong>.</strong> It seems that few controls existed or were followed governing the way in which money was handled by the credit union's CEO, nor did the organization have sufficient controls over invoices and receipts submitted. In addition to allegedly receiving and depositing $6 million in hand-written checks over five years, Wong was able to write checks to himself without sufficient documentation or receipts.<br><br> Organizations should establish rigorous controls to govern access to bank accounts and to scrutinize withdrawals, including by executives. Measures should be in place such as requiring dual signatures for checks involving large dollar amounts. Such controls could have enabled the credit union to flag the $6 million involved in this case for further scrutiny, even if it was stolen over many years.<br> </li></ul><ul><li> <strong>HR </strong> <strong>management </strong> <strong>policies and whistleblower mechanisms. </strong>It's nice to think that all long-term and senior employees doing the same job can always be trusted. However, for critical jobs where material assets are under their control, safeguards are needed such as regular background checks and updates to determine lifestyle changes that could have been driven by employee theft. <br> <br>In this story, Wong allegedly wrote close to 300 checks amounting to more than $3.5 million — an average of over $12,000 per check — to cover his lottery ticket purchases. This should have raised a red flag. <br> <br>Where fraudulent activity is discovered, circumstances might warrant a negotiated settlement, but it is better to act decisively to discipline, terminate, and prosecute the employees found responsible. This sends a message of deterrence and zero fraud tolerance to employees, clients, and stakeholders. </li></ul>Art Stewart0
Health-care Fraud Is No Accidenthttps://iaonline.theiia.org/2018/Pages/Health-care-Fraud-Is-No-Accident.aspxHealth-care Fraud Is No Accident<p>​A South Florida man has pleaded guilty to racketeering charges stemming from a $23 million personal injury claim scheme, <a href="http://www.sun-sentinel.com/news/crime/fl-reg-insurance-fraud-chiropractors-felix-filenger-20180419-story.html" target="_blank">the <em>Sun Sentinel</em> reports</a>. U.S. federal prosecutors say between 2010 and 2018 Felix Filenger paid kickbacks to body shop workers and tow truck drivers who referred accident victims to chiropractic clinics he secretly owned. The clinics then billed auto insurance companies for 15 or more required visits. Additionally, clinic staff exaggerated pain levels to obtain the maximum benefit for emergency treatment allowed under Florida law. After raiding Filenger's offices in 2015, the Federal Bureau of Investigation used a wiretap to record him issuing orders to his co-conspirators. Filenger received a 6-and-a-half-year sentence in federal prison.</p><h2>Lessons Learned</h2><p>Health-care fraud and abuse cases cost the industry and taxpayers billions of dollars annually. More specifically, the U.S. Department of Health and Human Services' (HHS') Office of Inspector General (OIG) <a href="https://oig.hhs.gov/oas/reports/region9/91602042.pdf" target="_blank">reported in February</a> (PDF) that the chiropractic services sector showed significantly high levels of problems. The report is based on a review of program vulnerabilities identified in previous OIG audits, evaluations, investigations, and legal actions related to chiropractic services in the Medicare program. The report notes that the Centers for Medicare & Medicaid Services' (CMS') Comprehensive Error Rate Testing program, which measures inappropriate Medicare fee-for-service payments annually, identified chiropractic services as having the highest improper payment rates among Medicare Part B services from 2010 to 2015. Improper payment rates ranged from 43.9 percent to 54.1 percent, and the estimated overpayments per year ranged from $257 million to $304 million. </p><p>Providers face multiple challenges in preventing and detecting health-care fraud and abuse laws at the local, state, and federal levels. Complying with the myriad regulations can be difficult for providers who already focus on a range of priorities, including care delivery, payer compliance, medical billing, and revenue cycle management. So what more can be done?</p><p>First and foremost, the OIG report recommends: </p><blockquote><p>"... that CMS implement our prior recommendations that remain unimplemented or have been implemented ineffectively. In addition, to further strengthen program integrity and facilitate the full implementation of our prior recommendations, CMS should:</p><ul><li>Work with its contractors to educate chiropractors on the training materials that are available to them;</li><li>Educate beneficiaries on the types of chiropractic services that are covered by Medicare, inform them that massage and acupuncture services are not covered by Medicare, and encourage them to report to CMS chiropractors who are providing non-Medicare-covered services; </li><li>Identify chiropractors with aberrant billing patterns or high service-denial rates, select a statistically valid random sample of services provided by each chiropractor identified, review the medical records for the sampled services, estimate the amount overpaid to each chiropractor, and request that the chiropractors refund the amounts overpaid by Medicare; and</li><li>Establish a threshold for the number of chiropractic services beyond which medical review would be required for additional services."</li> <br> </ul></blockquote><p>This entire report is worth reading. To the measures it suggests, here are a few more targeted to Filenger's activities in this case: </p><ul><li> <strong>Measures related to the education of chiropractors and </strong><strong>beneficiaries</strong><strong>also should include the legislative requirements that must be followed. </strong>The U.S. False Claims Act provides incentives and protection for witnesses who report fraudulent activity. These measures should be better publicized.<br> </li><li> <strong>Be aware of potentially increased fraud risks from "value-based" purchasing of health services.</strong> HHS has repeatedly reiterated its commitment to preventing health-care fraud and abuse. In 2017, the department stated that CMS implemented a proactive approach to fraud protection, eliminating its previous "pay-and-chase" method, which Filenger was able to exploit in this case. However, as value-based purchasing takes hold of the health-care industry, providers also are seeing claims reimbursement rates drop in favor of incentive payments. Efforts to maximize revenue may push some providers to engage in health-care fraud and abuse activities without necessarily intending to do so. Examples include failing to correct a billing clerk who assumes a provider performed specific services, billing for medications that the patient never picked up, and coordinating with other provider organizations under value-based agreements.<br> </li><li> <strong>Work to prevent false medical bills.</strong> HHS, the CMS, and providers should use targeted risk assessments and predictive analytics to prevent false medical bills before providers receive payments. Also, they should continue increased efforts to screen providers for enrollment in federal health-care programs.<br> </li><li> <strong>Target kickbacks and conflicts of interest.</strong> The U.S. Anti-Kickback Statute and Stark Law expose care providers who invest in other practices to increased risk of scrutiny. Authorities also should probe and question provider business relationships, such as the chiropractic clinics' relationships with the tow truck and body shop companies in this story. Settlements with pharmaceutical companies under the U.S. Affordable Care Act regulations have resulted in physician-industry transparency requirements, where medical drug, equipment, and biological companies must disclose all gifts to care providers. The Pharmaceutical Research and Manufacturers Association and the Advanced Medical Technology Association have created codes to guide care provider and manufacturer ethics. Still, more pressure and scrutiny of disclosure of conflicts of interest is needed. </li></ul>Art Stewart0
The Holiday Bonushttps://iaonline.theiia.org/2018/Pages/The-Holiday-Bonus.aspxThe Holiday Bonus<p>​Grant Gabriel was hired by a small regional gift store chain to start an internal audit function for the growing company. His first task was to perform a risk assessment. As part of the assessment, Gabriel looked a​t store-by-store comparative financials. In doing so, he noticed that monthly sales and margins for each store seemed consistent, except in one case. The Springfield store had lower margins and sales growth during the holiday season for the previous three years. Gabriel decided to visit the Springfield store and meet with the manager, Mark Adams. </p><p>Adams had been the Springfield store manager for seven years. He was a valued employee who led by example with his work ethic and dependability. Often operating without an assistant manager, Adams was known for handling the store on his own. </p><p>Upon arrival, Gabriel asked Adams about the lower seasonal margins and revenues. Adams indicated that it was tough to find good help during the holiday season and new, seasonal people make mistakes. He also noted that margins might be a little lower during the holidays because Springfield has many frugal shoppers and the redemption rate of seasonal coupons is high. Adams boasted, "Our redemption rate has been the highest in the company for the last four years." </p><p>Adams then explained, "We have a group of five retired women who work the holiday season for us each year. They are great because they are trained, dependable, can handle the customers, and do not need supervision every second." The women had become friends over the years and referred to this job as their "holiday bonus." So, each year before the holidays, Adams would call and ask them if they wanted their holiday bonus. He also said he paid them 75 cents more an hour than other seasonal employees because they were so good. </p><p>Adams went on to explain that since the women started working for him, their shrinkage in gum and candy always dropped during the holidays. Oddly enough, they even had a small overage this year. He attributed it to the seasonal employees deterring kids from stealing gum and candy. "The ladies are shrewd and probably do a good job of keeping watch."</p><p>Gabriel asked Adams if he noticed any unusual transactions in the point-of-sale (POS) system. Adams indicated that he was too busy to dig deep into the reports, but didn't notice any major trends in his monthly scan. He mostly checked for a high number of "no rings" — when the cash register is opened but a transaction is not entered — to see if cash was being pocketed instead of deposited in the cash register. He did notice more no rings during the holiday season, but that was likely due to higher volume and the inexperienced seasonal employees. </p><p>After his interview with Adams, Gabriel performed his own detailed analysis. He looked at three years of data and found two irregularities worthy of follow-up:</p><ul><li>No rings occurred, but were consistently two to three times per day with the seasonal help and less than one per day with full-time employees. <br></li><li>Store coupon redemption was 5 percent higher, but 20 percent higher on cash transactions and normal for credit card transactions, when compared to other stores. <br>​</li></ul><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​ <p> <strong>Lessons Learned</strong></p><ul><li>Using detailed analysis within the risk assessment process can help quickly direct internal audit toward fraud risk areas. <br></li><li>Data analytics cannot solve all problems by itself. Analytics and fieldwork are a powerful combination. Consistent irregularities can always be explained. Whether the answer is fraud or something else, internal audit should never be satisfied without an explanation. <br></li><li>Never underestimate the value of objectivity. Many frauds go undetected because management would never believe a certain person would steal. Being open to the possibility and following the data to its conclusion is the job of internal audit. <br></li><li>Detecting fraud early prevents significant future losses as they often continue over time and grow in scale. In addition, it is often difficult to identify the extent of the fraud. Assuming what has been identified is the minimum amount of the fraud keeps the value of fraud detection in perspective. <br></li><li>It is always useful to an organization to detect frauds of any size as it allows management to adapt the internal control environment based on the discovered weaknesses.<br></li></ul></td></tr></tbody></table> <p>Gabriel returned to the store to observe and ask questions of the employees. Unfortunately, the holiday season was over and the seasonal employees left, so Gabriel didn't expect to uncover much during his observations and discussions with full-time employees. Luckily, one of the seasonal employees, Michele Webster, accepted a part-time position and was working during Gabriel's observation. </p><p>​"Is this about the cash register scanning problem?" she asked. Gabriel requested an explanation of what she meant. Webster said she saw Caren, one of the holiday employees, scanning gum one day while she was ringing up Tina, another woman from the group of five, and asked her about it. Caren told her the scanner acts up sometimes and could be reset by scanning something, like gum or candy. She also told Webster she could prevent the scanning problem by pressing the no ring button a few times during her shift. </p><p>Remembering the inventory variances in gum and candy, Gabriel began to realize why the holiday bonus comment was funny. After interviewing Adams, the loss prevention director, and numerous employees, a significant and coordinated fraud effort was uncovered. The group of "holiday bonus" employees was running a series of small and difficult-to-detect fraud sche​mes. </p><p>The women would help each other with holiday shopping by ringing up gum or candy for other higher dollar items. The false sales of gum and candy did not create a flag until there was an inventory overage. Holiday shrinkage, or theft, explained the other items. </p><p>To avoid detection, they would hit the no ring button on cash transactions and then pocket the cash, but no more than twice a day. If the customer asked for the receipt, they would apologize and claim it was a system error. The transactions were masked by telling other seasonal employees — who they called "kids" — to hit the no ring button twice a day to prevent scanner problems.</p><p>Items were then returned at higher values than paid. Appare​​​ntly, the women would identify an unsuspecting new employee who did not know how to process a return. One would step in to help the new employee by handling the return for him or her on the register. The item was purchased at a significant discount, sometimes fraudulently, and then returned at full price. </p><p>Given how carefully the scams were concealed, it was difficult to quantify the total amount. Based on some estimates, though, it appeared that $18,000 was stolen each year during the holiday season. </p>Bryant Richards1
Internal Audit's Role in Fighting Bribery and Corruptionhttps://iaonline.theiia.org/blogs/chambers/2018/Pages/Internal-Audits-Role-in-Fighting-Bribery-and-Corruption.aspxInternal Audit's Role in Fighting Bribery and Corruption<p>​I recently spent two days in Paris participating and speaking at the Organisation for Economic Co-operation and Development's (OECD's) annual Global Anti-Corruption and Integrity Forum. Surrounded by world leaders, anti-corruption experts, and transparency activists, one couldn't help but become invigorated by the participants' passion and drive for battling corruption. I was especially proud of the recognition and respect shown for internal audit's role in this worthy battle.</p><p>There is little argument that dedicating resources to fighting corruption is necessary to sound risk management, but it's still shocking to consider how much is lost to it annually. The World Economic Forum estimates corruption adds 10 percent to the cost of doing business. The World Bank estimates that 20 percent to 40 percent of official development assistance is stolen through high-level corruption.</p><p>The cost of corruption isn't just about money. Corruption correlates to higher child and infant mortality rates, the latter being doubled in nations that rate highest on corruption indices, according to the study, <a href="https://www.imf.org/external/pubs/ft/wp/2000/wp00116.pdf"><em>Corruption and the Provision of Health Care and Education Services</em></a>.</p><p>Battling dishonesty in business and government is a constant struggle, but in today's hyper-competitive atmosphere, having anti-corruption and anti-bribery programs in place is no longer optional. When well-designed and well-run, such programs benefit organizations no matter the organization's size, sector, industry, or location. Internal audit can play a vital role in providing assurance, not just on the effectiveness of such programs, but also in helping organizations understand the potential for serious financial and reputational harm from failing to address corruption.</p><div>However, fighting corruption effectively is more than simply creating programs and hoping for the best. Indeed, success is rooted in organizational behaviors and practices that support sound governance. This is where internal audit can play a vital role. First, internal audit should assess the effectiveness of anti-bribery and anti-corruption programs to help, 1) anticipate the risk, and 2) identify the existence of potential and actual incidents. The IIA recommends that internal auditors take two different but complementary approaches:</div><div><br></div><div><ul><li><span style="font-size:12px;">    Incorporate an assessment of anti-bribery and anti-corruption measures in all audits, as appropriate.</span><br></li><li><span style="font-size:12px;">    Audit each component of the anti-bribery and anti-corruption program.</span><br></li></ul></div><div><br></div><div>In undertaking the second approach, it is vital for internal auditors to recognize the foundational elements of effective anti-bribery and anti-corruption programs. Hallmark components of such programs begin​ with tone at the top, thriving when organizations set high ethical standards and are consistent in their application. Other components internal auditors should assess include:</div><div><br></div><ul><li>Governance structure.</li><li>Risk assessment</li><li>Policies and procedures.</li><li>Training and communications.</li><li>Enforcement and sanctions.</li><li>Reviews and updates.</li></ul><div><br></div><p>The IIA recognizes the extraordinary challenges public sector auditors and internal auditors in companies around the world face when rooting out bribery and corruption. It continuously seeks ways to provide encouragement and tools for those facing this daunting task. The IIA's Practice Guide, <a href="https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Auditing-Anti-bribery-and-Anti-corruption-Programs-Practice-Guide.aspx">Auditing Anti-Bribery and Anti-Corruption Programs,​</a> provides a thorough analysis on the subject and includes sample audit procedures.​</p><p>I'll close by mentioning that the recent OECD event included the launch of a new group, the Auditors Alliance. This is a forum for public-sector internal and external auditors whose aim is to facilitate the sharing of insights and expertise in audit practices. I was honored to be included among a number of accomplished professionals invited to speak at the launch.</p><div><p>Collaboration and cooperation fostered by the OECD Integrity Forum and the new Auditors Alliance will go a long way in waging war on corruption.</p></div><p>As always, I look forward to your comments. </p>Richard Chambers0

  • SCCE2018_August2018_Premium 1
  • IIA FSACACGABookstore_August2018_Premium 2
  • IIA EHS2018_August 2018_Premium 3