The Phony Vendor Fraud<p>Hunter Miller and Thomas Wynne had been friends since high school. They met up at a local bar to reminisce about their high school days and, eventually, their conversation took on a more serious tone.<br></p><p>"Once you send me the drilling pipe inspection information, I'll copy and paste it into an email using my Clean Pipe account to throw anyone off our trail," Miller said after sipping his beer. Wynne nodded in agreement.<br></p><p>The next morning, Miller reported to his job as a policeman and logged into his Clean Pipe email. He found Wynne's email waiting, copied its contents into a new message with his signature and Clean Pipe logo, and hit "send." He knew that, if caught, he could be charged with wire fraud.<br></p><p>That same morning, Wynne entered the headquarters of True Resources, one of Calgary's largest oil exploration and production operators, and sat at his desk. He had advanced rapidly within the company and was making good money, but felt he had stalled and deserved more. He logged into the intranet and initiated the process to request that Clean Pipe be added as a new vendor. It was simple: Enter the vendor name, address, point of contact, and business case.<br></p><p>Wynne then forwarded Miller's email to the drilling superintendent with a note at the top: "This company came highly recommended." Two days later, Wynne received an automated email from the procurement department letting him know Clean Pipe was approved as a vendor. He called Miller and told him that he could submit an invoice in a few weeks.<br></p><p>Wynne also convinced his father-in-law to use JX Oilfield Services, a now-defunct business that he kept for tax purposes, as a vendor in the scheme. 
He was given access to JX Oilfield Services' email account, where he carefully crafted a message that he again forwarded to the drilling superintendent after he completed the process to add a new vendor.<br></p><p>For the next few months, Clean Pipe and JX Oilfield Services submitted invoices through the online invoicing system and Wynne approved them for payment. After they were paid, Wynne's portion was sent to him via Venmo. He and his accomplices couldn't believe how easy it was.<br></p><p>While celebrating at an expensive restaurant, Wynne, Miller, and their wives decided to include additional materials on Clean Pipe's invoices to increase the amount of money they'd be paid. Wynne planned to tell the drilling superintendent that Clean Pipe was giving them a discount on pipe, knowing that the company was stocking most of the pipe on location and the superintendent wouldn't be able to check inventory.<br></p><p>On the test run, Clean Pipe sent an invoice that included line items for inspection services and 25 pieces of pipe measuring 32' by 2 7/8". The invoice also indicated that the pipe was being shipped to a pipe-coating company to be treated before arriving on location. This was normal practice for True Resources, so anyone scrutinizing the invoices wouldn't see it as an issue unless someone called to confirm the pipe's whereabouts. Wynne approved the invoice, and the payment came a week later.<br></p><p>While the couples were on a lavish vacation over the holidays, True Resources' auditor, Kristin Jones, found herself reviewing notes from a third-party audit firm assigned to audit the company's vendors. Jones couldn't believe what she read. She called Matthew Downs, the auditor in charge. She apologized for disturbing him during the holidays but explained that she needed to review his notes.<br></p><p>"I didn't think anyone would get back to us until January," he said, before launching into his laundry list of findings. 
"We don't normally review invoices from recently-approved vendors, but Clean Pipe and JX Oilfield Services hit our radar." While performing a risk assessment of vendors appearing in certain general ledger accounts, they'd noticed that Clean Pipe seemed like an outlier, so they did a bit of due diligence. First, its website only listed residential work and nothing about oil was mentioned. Second, using background investigation software, they traced the listed principal, Miller, to the Calgary Police Service (CPS). This furthered their hunch that Clean Pipe was not<em> </em>an oilfield services company, so they started reviewing their invoices.<br></p><p>The audit team called Namkoong Pipe, the original supplier of the 32' by 2 7/8" pipe listed on Clean Pipe's invoices, and discovered that it didn't manufacture that size. Also, each invoice included shipping instructions to Shepherd Pipe Coating, so the auditors called the company's owner and inventory manager to verify. Both men stated that they had not conducted business with True Resources in some time, and they never received pipe from a company called Clean Pipe.<br></p><p>Downs then explained that they ran a duplicate invoice check of Clean Pipe field tickets against other vendors, and noted that the invoice numbers were almost identical to those from JX Oilfield Services. Moreover, the look and feel of the invoices from both companies was almost identical, as if the same person created both.<br></p><p>Downs continued, "When we ran JX Oilfield Services in our investigation software, we were able to connect the principal of that company to your company's vice president of Drilling, Mike Wynne."<br></p><p>After the call, Jones called the vice president of Internal Audit, which set off a rapid chain of events with True Resources' executive team, the CPS, and the Royal Canadian Mounted Police (RCMP).<br></p><p>Within six months, the couples raked in almost $1.5 million, which they split 50/50. 
After multiple interviews with the RCMP, Wynne, Miller, and their wives, and a forensic audit of Clean Pipe's and JX Oilfield Services' invoices and backup, multiple charges were brought against the two men and their wives, including wire fraud, embezzlement, and racketeering. Wynne and Miller were sentenced to four years in prison and ordered to pay restitution in the amount of $250,000 each. Their wives were each sentenced to two years in prison.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>Lessons Learned<br></strong><br><ul><li>Before onboarding a new vendor, perform a thorough due diligence review of its financial and operational background. Due diligence includes reviewing the vendor's website, blogs, YouTube channel, and LinkedIn posts to confirm the business case for onboarding reflects the online sources.</li><li>Vendor audits should be conducted as part of every organization's vendor management program. A vendor audit is performed to validate billing and contract compliance, and it can be enhanced with a visit to the vendor's work site and headquarters.</li><li>Vendor monitoring is a must. Consider using analytics to keep an eye on vendor spending trends, regulatory compliance, and adherence to company policies. Anomalies or red flags should be shared with internal audit, supply chain management, or the company's vendor representative.</li><li>Three-way matching is a critical procedure that helps prevent overspending or paying for an item never received. Many companies ensure there is a two-way match (a purchase order matched up against an invoice), but fraudsters can avoid detection if they both create the purchase order and approve the invoice. The important piece of the puzzle is the independent person who inspects and receives the goods. 
Segregation of duties is a key element in this process.<br></li></ul></td></tr></tbody></table><p></p>Rick Roybal
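<p>The three-way match from the lessons above, together with the cross-vendor invoice-number check the audit team ran, as an added example that is not part of the original article. All classes, function names, user ids, document numbers, and the vendor "Northfield Supply" are assumptions, and the sample records are constructed.</p>

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor: str
    qty: int
    created_by: str


@dataclass(frozen=True)
class GoodsReceipt:
    po_id: str
    qty: int
    received_by: str


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    po_id: str
    vendor: str
    qty: int
    approved_by: str


def three_way_match(pos, receipts, invoices):
    """Return {invoice_no: [reasons]} for invoices that must not be paid yet."""
    po_by_id = {po.po_id: po for po in pos}
    receipts_by_po = defaultdict(list)
    for rec in receipts:
        receipts_by_po[rec.po_id].append(rec)

    exceptions = {}
    for inv in invoices:
        reasons = []
        po = po_by_id.get(inv.po_id)
        recs = receipts_by_po.get(inv.po_id, [])
        if po is None:
            reasons.append("no purchase order")
        else:
            if po.vendor != inv.vendor:
                reasons.append("vendor differs from purchase order")
            if inv.qty > po.qty:
                reasons.append("invoiced more than ordered")
            if po.created_by == inv.approved_by:
                reasons.append("PO creator approved the invoice")
        if not recs:
            reasons.append("no goods receipt")
        else:
            if inv.qty > sum(r.qty for r in recs):
                reasons.append("invoiced more than received")
            # Segregation of duties: the person who received the goods must be
            # neither the invoice approver nor the purchase order creator.
            insiders = {inv.approved_by}
            if po is not None:
                insiders.add(po.created_by)
            if any(r.received_by in insiders for r in recs):
                reasons.append("receiver is not independent")
        if reasons:
            exceptions[inv.invoice_no] = reasons
    return exceptions


def near_identical_numbers(invoices, max_gap=1):
    """Pairs of invoices from different vendors whose numeric parts almost coincide."""
    numbered = []
    for inv in invoices:
        digits = re.sub(r"\D", "", inv.invoice_no)
        if digits:
            numbered.append((int(digits), inv))
    numbered.sort(key=lambda pair: pair[0])
    hits = []
    for i, (n1, a) in enumerate(numbered):
        for n2, b in numbered[i + 1:]:
            if n2 - n1 > max_gap:
                break
            if a.vendor != b.vendor:
                hits.append((a.invoice_no, b.invoice_no))
    return hits


# Constructed sample data; user ids and document numbers are invented.
POS = [
    PurchaseOrder("PO-501", "Clean Pipe", 25, "twynne"),
    PurchaseOrder("PO-502", "JX Oilfield Services", 10, "twynne"),
    PurchaseOrder("PO-610", "Northfield Supply", 40, "buyer1"),
]
RECEIPTS = [GoodsReceipt("PO-610", 40, "yard_clerk")]
INVOICES = [
    Invoice("CP-2041", "PO-501", "Clean Pipe", 25, "twynne"),
    Invoice("JX-2042", "PO-502", "JX Oilfield Services", 10, "twynne"),
    Invoice("NS-77310", "PO-610", "Northfield Supply", 40, "ap_manager"),
]
```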
The Diesel Fuel Heist<p>Veronica Vanatamm was the internal auditor for East Mining Co. (EMC), an underground mining company that relied on heavy machinery powered by diesel fuel it purchased from Best Fuel Plc. Vanatamm was assigned to audit whether the diesel fuel consumed by EMC’s machinery was accounted for correctly and whether fraud risks were mitigated. </p><p>When Vanatamm began the audit, she learned that the main refueling facility was located at EMC’s mine site, but the equipment and diesel fuel in the tanks were owned by Best Fuel. EMC drivers purchased diesel fuel in the same way as at an ordinary gasoline station. After refueling, EMC drivers received receipts that they would submit to EMC accounting. Best Fuel transferred information about refueling electronically to EMC at the end of each month. <br></p><p>EMC vehicles had the capacity to carry 5,000 liters of diesel. After refueling, they transported diesel fuel to the underground mine and dispatched it to 12 underground tanks for trucks, loaders, and stationary mining machinery. Carrying vehicles had fuel pistols with meters and underground tanks had fuel counters. </p><p>EMC became the owner of the diesel fuel when the vehicle used to transport diesel underground tanked at Best Fuel’s main on-land facility. So, Vanatamm had to trace diesel from the time it was purchased until its usage was recorded and reported. She decided to test whether the balancing equation worked: namely, whether the monthly end balance equaled the balance at the beginning of the month plus the purchased amount, minus the amount consumed by the machines. </p><p>EMC performed a physical inventory of the underground fuel tanks every Sunday and on the first day of the month, and compared actual measurements to expected calculated results. The calculated results were based on sales receipts from Best Fuel and meter readings from the underground tanks. 
Vanatamm extracted data for three months and discovered the physically measured balance of diesel fuel was always precisely the same as the calculated end balance. There never was a single liter difference. She became suspicious and extracted a new data set looking at two years’ worth of data. Still, there was always an exact match.</p><p>Vanatamm discussed her concern with Peter Kirs, the mine’s main engineer. He told her that EMC reconciled the physical inventory balance with the calculated inventory balance. However, the reconciliation required an additional adjustment. During this step, any differences between the measured physical end balance and calculated end balance were solved. Kirs explained that diesel fuel contracts and expands depending on the temperature of the environment. The mine maintains a temperature of 8 degrees Celsius, so, during winter months when it is colder outside, the diesel expands in the underground tanks. However, during summer months, when it is warmer outside, the diesel contracts in the underground tanks. As a result, Kirs explained to Vanatamm, it was not possible to conduct precise verifications without automated corrections that took into account those peculiarities. </p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>​<strong>Lessons Learned</strong></p><ul><li>When conducting an operational audit, technical nuances and peculiarities of business processes must be investigated so that auditors fully understand what the purpose of each procedure is. It could indicate that a claimed control is an actual control or a smart workaround to conceal process deficiencies.</li><li>Understand the data. Data that is perfect or close to perfect may have another story to tell. Internal auditors should pay attention and try to comprehend the story behind it. 
</li><li>Sometimes it is more convenient for managers not to see fraud, even if it takes place on their watch. Management might be content with explanations of anomalies as long as the reasoning is plausible. The role of any diligent auditor is to work closely with management, and advise and train them on fraud risks and anomalies.<br></li></ul></td></tr></tbody></table><p>Vanatamm decided to verify Kirs’ statements. She inquired with the IT department on exactly how the automatic algorithm worked and obtained data before corrections. From data and algorithm analysis, she found that Kirs’ statement regarding contraction and expansion of diesel due to changes in temperature was not the main reason automatic corrections were introduced into the process. </p><p>Vanatamm discovered that almost every month, the physical inventory of diesel fuel measured considerably less than it was supposed to, according to expected, receipts-based calculations. In addition, the variances existed in both winter and summer months. The algorithm always neatly enlarged the amount of diesel issued from underground tanks so that figures would equal the calculated ones. </p><p>Vanatamm observed that there were substantial differences between purchased amounts and the diesel month-end balance that could not be fully explained either by temperature changes or by imprecise counters. Her recommendation was to inspect all tanks and vehicles and calibrate all meters that belonged to EMC. </p><p>Three months later, Anton Pavlovski was appointed as the new main mining engineer. He implemented Vanatamm’s audit recommendations and spoke to her about their shared feelings that diesel fuel was possibly being stolen. Vanatamm pointed out that because there was video surveillance near the underground tanks, she did not think fuel was being stolen there. She believed that the weakest point in the process was in the transportation of fuel from the ground facility to the underground tanks. 
Pavlovski placed the refueling facility under video surveillance, which captured one of the drivers making a strange gesture near the diesel pistol. He conducted a site visit of the refueling facility with representatives of Best Fuel, where they discovered a backflow pipe with a tap. </p><p>The team found that EMC drivers would open the backflow tap during the fueling process, allowing diesel fuel to flow back into Best Fuel’s tank. The backflow was not recorded. For example, while fueling a 5,000-liter tank, a driver would open the backflow tap, allowing 300 liters of diesel fuel to flow back into Best Fuel’s tank. The driver would then close the tap, collect the receipt for 5,000 liters, and transport 4,700 liters underground.</p><p>The investigation found that the backflow scam had been in place for more than 10 years and every EMC vehicle driver was involved. Each driver would report how many liters were pumped back to a “cashier” at Best Fuel and would be paid for each liter. Shortages were concealed with the help of the work-around algorithm, shrinkage and expansion explanations, and imprecise underground meters. </p><p>The investigation results were submitted to the authorities, and a criminal investigation was initiated. Management at Best Fuel claimed to have no knowledge of any diesel surplus and said that there was never any intention to defraud EMC. EMC drivers involved in the scam were fired and investigated by police. Financial loss was estimated to be in the hundreds of thousands of dollars; however, it was not possible to prove all of it.<br></p>Anna Kon
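<p>The balancing-equation test from The Diesel Fuel Heist above, run on both the posted figures and the pre-correction figures, as an added example that is not part of the original article. The record layout, function names, and the 50-liter meter tolerance are assumptions, and the monthly figures are constructed so that the shortfall equals the article's 300-in-5,000 ratio.</p>

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Month:
    label: str
    season: str          # "winter" or "summer"
    begin_l: int         # measured opening balance, liters
    purchased_l: int     # liters per the supplier's receipts
    metered_out_l: int   # liters issued per tank counters, before correction
    posted_out_l: int    # liters issued as posted after the automatic correction
    measured_end_l: int  # physical inventory at month end


def variance(m, issued_l):
    """Measured end balance minus the end balance the equation predicts."""
    return m.measured_end_l - (m.begin_l + m.purchased_l - issued_l)


def analyse(months, meter_tolerance_l=50):
    posted = {m.label: variance(m, m.posted_out_l) for m in months}
    raw = {m.label: variance(m, m.metered_out_l) for m in months}

    by_season = {"winter": [], "summer": []}
    for m in months:
        by_season[m.season].append(raw[m.label])
    if not by_season["winter"] or not by_season["summer"]:
        raise ValueError("need at least one winter and one summer month")
    winter = sum(by_season["winter"]) / len(by_season["winter"])
    summer = sum(by_season["summer"]) / len(by_season["summer"])

    return {
        # Physical counts with imprecise meters never agree to the liter;
        # an unbroken run of exact matches means the figures were forced.
        "too_perfect": len(months) >= 3 and all(v == 0 for v in posted.values()),
        "raw_variance_l": raw,
        "shortfall_months": [m.label for m in months
                             if raw[m.label] < -meter_tolerance_l],
        # A temperature effect reverses between winter and summer, so the
        # seasonal averages would have opposite signs if it were the cause.
        "thermal_explains": winter * summer < 0,
        "loss_ratio": -sum(raw.values()) / sum(m.purchased_l for m in months),
    }


# Constructed sample: every month is short by 6% of purchases, and the
# correction inflates issued liters by exactly the missing amount.
MONTHS = [
    Month("Jan", "winter", 20000, 100000, 95000, 101000, 19000),
    Month("Feb", "winter", 19000, 90000, 88000, 93400, 15600),
    Month("Jul", "summer", 18000, 100000, 97000, 103000, 15000),
    Month("Aug", "summer", 15000, 80000, 76000, 80800, 14200),
]
```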
A Jackpot Win<p>When Jenny Smith, a store manager for Australian retail chain Kangaroo Konvenience, realized she could easily defraud her employer by exploiting its point-of-sale (POS) system, she seized the opportunity. Her unsegregated sale and reconciliation duties allowed her to validate lottery tickets for herself without logging the sale in the system, leading to sizeable losses for the chain.</p><p>As in many countries, lotteries in Australia are state-run as a way of raising state revenues. Typically, about half of ticket sales are spent on marketing, administration, and gaming taxes, while the remainder is returned to the prize pool. While low-value prizes are mathematically frequent, the possibility of winning millions, despite its low probability, engenders player loyalty. On average, players win 30% to 40% of their ticket spend, leading players to believe that a jackpot win is imminent. Acting as a lottery agent can be profitable for retailers that benefit from lottery customer foot traffic, as well as earning a commission of about 10% on each ticket sold. </p><p>Lottery tickets have several controls to prevent cheating the state, including electronic codes that guard against counterfeiting, alteration, or duplication. In Australia, each ticket sold by the retailer must be validated and time stamped in the state government's independent POS system to participate in the game. After game validation, the retailer must enter the sale into its own POS system and collect payment. </p><p>Although the two systems should record identical lottery transactions, the risk falls to the retailer if they do not. The retailer sells the ticket at 100% of its face value, retains approximately 10% as commission income, and remits the remaining 90% of the ticket price back to the state. So, the theft of a single lottery ticket costs the retailer nine times the amount of the earned commission. 
Under The IIA's Three Lines Model, Kangaroo's first-line function includes a daily reconciliation of all lottery transactions between the two systems to ensure that every ticket activated in the state's POS system is also paid for in full in Kangaroo's POS system. </p><p>Second-line head office monitoring controls provide additional assurance that in-store controls log all ticket sales. Monitoring by the head office was slightly complicated by the different lottery games across Kangaroo's store portfolio, occasional keying errors by staff when entering transactions, low-value cash payouts to in-store customers, and the sale of syndicated tickets to groups of customers that required unsold portions to be charged back to the retailer by the state. Second-line controls were difficult for new head office staff to grasp unless they had in-store experience or were adequately briefed during induction. </p><p>By not logging the sale in Kangaroo's POS system, Smith knew the absent ticket sales would not appear on Kangaroo's end-of-day cash till, so an end-of-day cash variance would not arise. This first-line failure meant Kangaroo was charged by the state for the validated tickets even though the tickets had not been paid for. </p><p>It was second-line control lapses at Kangaroo's head office during a finance supervisor's maternity leave that enabled Smith's fraud to go unnoticed. A replacement staff member spotted the control failure, but she also went on leave before it could be remedied. Against earlier advice from Kangaroo's internal auditors, job handover during staff changeovers remained poor and controls undocumented, so new staff members did not understand the in-store risk or the absence of second-line controls.</p><p>Even worse, Smith figured she could outsmart the head office by entering fake lottery winnings into Kangaroo's POS system to steal cash from the till, which she fraudulently logged as genuine prize payouts. 
Her stolen lottery tickets and the 30% to 40% average winnings per fake player were further supplemented by direct cash thefts from the till masked as genuine prize payouts, which allowed her to pocket more than AU$100,000 (US$77,000) over a two-year period. </p><p>The declining lottery commission margin was finally noticed after another staff change at Kangaroo's head office, which led to the discovery that the lottery control account was not oscillating around zero as expected. An after-hours visit to the store by management revealed the first-line store controls had lapsed under Smith. When interviewed, she confessed to what she was doing. <br></p><p>Smith first realized the opportunity when she erroneously processed a ticket sale that was never investigated by the head office. A gambling addiction and the intent to repay the money after she won the jackpot was how she rationalized her actions, which grew in intensity when she realized she could win 30% to 40% of the payouts built into the lottery system on tickets she obtained free of charge. </p><p>Management engaged internal audit to research and explain the control failures to it and the audit committee. The auditors used data mining to identify specific theft occurrences by matching state government lottery transactions to the retailer's sales and payouts. They also used the technology to cross match staff time sheets to check whether other store staff may have been involved and determine if similar frauds occurred at other stores. This enabled internal audit to piece together the make-believe lottery cash payouts and ticket theft fraud.</p><p>Smith was immediately fired and forfeited all accrued employment benefits, but she was not prosecuted as police and lawyers determined Kangaroo was at fault through failing to exercise first-line and second-line controls. 
</p><p>Matt Knight, the financial controller, was fired because he failed to spot second-line control lapses by the finance supervisors in his charge. Plus, Knight had several actions from unrelated internal audits that were overdue. The area manager also was dismissed for failing to oversee in-store reconciliations, along with the dubiously titled loss prevention manager.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>​Lessons Learned</strong></p><ul><li>As Kangaroo Konvenience's smallest out-of-town store, duties were not segregated and visits by management and internal audit were infrequent. Staff members were reminded of the importance of segregating duties and carrying out supervisory visits, or otherwise repurposing small stores if their risks cannot be controlled. <br><br></li><li>Control accounts are designed to oscillate around zero as reversing transactions self-cancel, or otherwise show a growing imbalance. In this case, the financial controller's team had ignored the control account imbalance warning.<br><br></li><li>Staff turnover in head office second-line oversight, combined with undocumented controls, was a red flag. Updated controls should be recorded in process playbooks that can help sustain control continuity when someone is filling in for another employee on leave or when training new staff members. <br><br></li><li>Head office staff members with no in-store experience should be required to visit stores at least twice per year to participate in, and better understand, first-line controls.<br><br></li><li>The fraud prompted management to improve controls and make staff changes resulting in reduced salary costs and promotion of capable juniors into the newly vacant roles. 
These enhancements recouped Kangaroo's losses by refreshing and strengthening the head office finance and loss prevention teams.</li></ul></td></tr></tbody></table><p></p>Christopher Kelly
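<p>The matching that internal audit performed in A Jackpot Win above (state lottery transactions against the retailer's sales and payouts, the control account balance, and staff time sheets), as an added example that is not part of the original article. The record fields, function names, staff ids, and the simplified control account formula are assumptions, and all transactions are constructed.</p>

```python
from collections import Counter
from datetime import datetime

COMMISSION_PCT = 10  # the article: the retailer keeps about 10% of face value


def reconcile(state_validations, state_prizes, retail_sales, retail_payouts):
    """Return (unpaid_tickets, unsupported_payouts)."""
    sold_ids = {s["ticket_id"] for s in retail_sales}
    prize_by_ticket = {p["ticket_id"]: p["cents"] for p in state_prizes}
    # Validated in the state system but never rung up in the retailer's POS.
    unpaid = [v for v in state_validations if v["ticket_id"] not in sold_ids]
    # Paid out of the till with no matching prize in the state system.
    unsupported = [p for p in retail_payouts
                   if prize_by_ticket.get(p["ticket_id"]) != p["cents"]]
    return unpaid, unsupported


def retailer_loss_cents(unpaid, unsupported):
    """State still charges face value less commission for every unpaid ticket."""
    remitted = sum(v["cents"] * (100 - COMMISSION_PCT) // 100 for v in unpaid)
    return remitted + sum(p["cents"] for p in unsupported)


def control_account(days):
    """Running balance of retailer-recorded minus state-recorded amounts.

    Simplified assumption: sales shortfalls and excess payouts both push the
    balance negative; timing differences alone would net back to zero.
    """
    balance, balances = 0, []
    for d in days:
        balance += (d["retail_sales"] - d["state_validated"]) \
            - (d["retail_payouts"] - d["state_prizes"])
        balances.append(balance)
    return balances


def is_drifting(balances, run=3):
    """True when the balance moved further from zero on `run` consecutive days."""
    streak = 0
    for prev, cur in zip([0] + balances, balances):
        streak = streak + 1 if abs(cur) > abs(prev) and cur * prev >= 0 else 0
        if streak >= run:
            return True
    return False


def staff_present(unpaid, roster):
    """Count, per staff member, the unpaid validations inside their shifts."""
    counts = Counter()
    for v in unpaid:
        ts = datetime.fromisoformat(v["ts"])
        for staff, start, end in roster:
            if datetime.fromisoformat(start) <= ts < datetime.fromisoformat(end):
                counts[staff] += 1
    return counts


# Constructed sample data (amounts in cents).
STATE_VALIDATIONS = [
    {"ticket_id": "T1", "ts": "2021-03-01T09:10", "cents": 1000},
    {"ticket_id": "T2", "ts": "2021-03-01T17:45", "cents": 2000},
    {"ticket_id": "T3", "ts": "2021-03-02T17:50", "cents": 1000},
    {"ticket_id": "T4", "ts": "2021-03-02T10:00", "cents": 500},
]
STATE_PRIZES = [{"ticket_id": "T1", "cents": 400}]
RETAIL_SALES = [{"ticket_id": "T1"}, {"ticket_id": "T4"}]
RETAIL_PAYOUTS = [{"ticket_id": "T1", "cents": 400},
                  {"ticket_id": "T9", "cents": 5000}]
ROSTER = [
    ("manager", "2021-03-01T08:00", "2021-03-01T18:00"),
    ("clerk_a", "2021-03-01T08:00", "2021-03-01T16:00"),
    ("manager", "2021-03-02T08:00", "2021-03-02T18:00"),
    ("clerk_b", "2021-03-02T12:00", "2021-03-02T18:00"),
]
DAYS = [  # daily totals; the third day is an extra constructed day
    {"retail_sales": 1000, "state_validated": 3000, "retail_payouts": 400, "state_prizes": 400},
    {"retail_sales": 500, "state_validated": 1500, "retail_payouts": 5000, "state_prizes": 0},
    {"retail_sales": 2000, "state_validated": 3000, "retail_payouts": 0, "state_prizes": 0},
]
```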
Where Were the Internal Auditors?<p>Most internal auditors dread hearing management ask, “Where were the auditors?” — particularly when it relates to fraud. The moment fraudulent activity is uncovered, organizational stakeholders often blame the auditors even before holding perpetrators accountable. As a result, auditors can find themselves on the defensive and fail to engage in valuable activities such as consulting — they lack trust and fear reprisal in the event of any unforeseen fraud or operational errors in the areas for which they provided services. So rather than covering their organizations against fraud, internal auditors frequently seek to cover their backs. It is time for that to change.</p><p>Clinging to a fear-based approach represents a disservice to the organization and its stakeholders, depriving them of internal audit’s expertise and assurance. Auditors need to help ensure systems are established throughout the organization to manage fraud risks effectively. They can accomplish that by addressing several areas.</p><p>First, internal auditors need to partner with the board and management to fraud-proof their organizations. Developing relationships with these stakeholders is critical to identifying potential risks, as they possess key information regarding where those risks may lie. Additionally, practitioners need to share their knowledge and ensure stakeholders have the benefit of internal audit’s unique purview of the organization. </p><p>They also must help ensure anti-fraud controls are strong and robust. Auditors play an important role in assessing the effectiveness of key anti-fraud controls, such as the presence of an effective code of conduct, whistleblowing system, and external audit selection and oversight process. Auditors should proactively diagnose process weaknesses; they should also push for the implementation of preventive automated controls. 
</p><p>Furthermore, auditors must take governance considerations into account. They should conduct a governance audit with a specific focus on conflicts of interest, segregation of duties, and related-party transactions. They also should audit culture and provide recommendations that can help align the organization’s value system with the behaviors of all stakeholders. Moreover, conducting a thorough assessment of nomination and remuneration policies can enhance the organization’s ability to hire qualified, ethical board members and executives and help ensure remuneration policies do not incentivize fraud.</p><p>Although internal auditors are not responsible for identifying a specific fraud, they may be held accountable for not addressing foundational weaknesses that can enable and promote fraud within the organization. Helping to fortify anti-fraud controls and ensure the organization constructs processes with the potential for fraud in mind is essential to organizational health. Once auditors address fraud risk effectively, they can answer the question “Where were the auditors?” with a simple reply: “We were here all along.”<br></p>Mohamad Kaissi
The Lucrative Library Fraud<p>“This is a very surprising allegation,” said the library manager during an interview with auditors. When the Office of the City Auditor in Austin, Texas, initially looked into an accusation that a staff member of the Austin Public Library was buying printer toner with the library’s credit card and reselling it out of his garage, library staff reported that nothing appeared to be particularly out of place. The auditors were repeatedly told that Randall Whited, the accounting associate who, according to auditors, allegedly stole at least $1.3 million in printer toner while employed with the library, was very well liked. </p><p>The Office of the City Auditor received an anonymous tip in March 2019 with few details. The City Auditor’s Integrity Unit had a name, a job title, and knowledge that Whited had access to a city credit card. The investigation began by sifting through purchase records, which allegedly revealed that Whited spent hundreds of thousands of dollars on one particular brand of printer toner. The auditors wondered if this was too much toner or an appropriate amount for a library with more than 20 locations, so they set out to learn more about the library’s purchasing system and the amount of toner used by staff. </p><p>Library employees told the auditors their branches used just a few cartridges a year. However, the public-facing printers, which received the bulk of use, used a different brand of toner than Whited’s purchases. Auditors took the usage history from each printer’s memory and combined it with manufacturer printer cartridge capacity data to estimate how much toner was needed. It appeared that Whited was overbuying hundreds of boxes of toner every year. So where were the extra boxes going? </p><p>Despite his 8 a.m. 
start time and instructions from his supervisor to arrive no more than 30 minutes early, camera footage allegedly revealed that Whited often came in as early as 6:30 a.m. and would take boxes of toner from the library and hide them in his vehicle. </p><p>Once the auditors had evidence that Whited was stealing toner, the focus shifted to determining how much he may have stolen during his employment. The initial review of purchase transactions was expanded to encompass Whited’s entire tenure with the library starting in 2007. The analysis uncovered more than $1.5 million in printer toner purchases dating back to 2010. Through printer usage data, auditors estimated that the library would have needed about 15% — roughly $200,000 — of that amount, at most. </p><p>The expanded review also found other ways that Whited allegedly was defrauding the city, including dozens of purchases totaling at least $18,000 that were reportedly shipped to Whited’s home address or to Amazon lockers located outside of Austin. The auditors were able to find backup documentation for these purchases — ranging from video games to drones to robotic vacuums — which clearly indicated some of the items were never sent to the library. Additionally, some of the documents lacked detail, only including descriptions such as “supplies,” which made it nearly impossible for the people responsible for approving Whited’s purchases to know what they were signing off on. Library managers trusted him, so they never questioned him on the purchases or why they were being shipped to his home. To make matters worse, the approvers had no idea how much toner was appropriate to buy, so Whited’s daily purchases of toner did not raise any concerns. Nor did the fact that the library overspent its budget for office supplies by roughly 400% for several years in a row. 
As long as the library was under its total allocated budget, management did not look into details.</p><p>According to auditors, a lack of segregation of duties also contributed to Whited’s alleged fraud. He reportedly received most of the items he ordered, so he controlled both ends of the process for the library. He also was assigned multiple roles in the purchase tracking system, so he could more easily redirect questions about the purchasing process or his purchases.</p><p>After evidence allegedly confirmed the audit findings, auditors wanted to know what Whited was doing with the goods he appeared to be purchasing using city credit cards. The answers started trickling in through social media. Auditors found Whited allegedly was using online marketplaces to sell some of the items he stole from the library. Auditors also found evidence that suggested Whited was selling toner to online grey market websites that specialized in selling pre-owned toner. </p><p>Ultimately, the City Auditor’s report in October 2020 detailed Whited’s alleged enormous fraud, as well as the waste that the City of Austin incurred as a result of the purchases and management’s failure to catch on sooner. Whited resigned in August 2019, before the conclusion of the investigation. He was arrested in September 2020 and is awaiting trial. <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4" style="height:30px;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>LESSONS LEARNED</strong><ul><li>Segregation of duties works for a reason. The same person should not be allowed to order and receive items. Just as importantly, employees should not be able to approve their own purchases. When investigating, auditors should look for individuals who hold dual roles like these that could be exploited.</li><li>Empower reviewers. Purchase approvers or reviewers in an organization should know they are more than just a rubber stamp. 
They should be trained on the importance of their role and their ability to say “yes” or “no” in the purchase approval process. Additionally, auditors should make sure these individuals have appropriate operational knowledge about the area of the organization for which they approve purchases so they understand what needs are real. When investigating, auditors should listen for witnesses who say they “just trust” someone to take care of things.</li><li>Don’t rely solely on witness testimony. In this investigation, like many, witnesses were interviewed to learn more about library operations before auditors knew what records or other evidence might be useful. The initial witnesses shot down the idea that Whited might be defrauding the City. He was a “great employee” who had been in the job for years and knew what the library needed. Had auditors stopped the investigation after witnesses contradicted the allegation, the fraud might still be occurring today.</li><li>Keep an open mind about evidence. Auditors never know what they are going to find during an investigation or where evidence will come from. When this investigation started, no one on the audit team knew much about printers or printer usage. They worked with IT staff to review printer manufacturer information and learned that most printers have enough memory to keep a record of everything they ever printed. By combining the printed page records with manufacturer toner data, they were able to calculate how much toner the library needed over a given time period. That was a huge step in the investigation and allowed auditors to determine how much excess toner Whited allegedly was buying and stealing.<br></li></ul></td></tr></tbody></table><p></p>Michael Yamma
Procurement Fraud: 12 Common Pitfalls<p><span style="text-align:justify;">Fraud can occur during any stage within the procurement life cycle, resulting in recurring and significant losses. Organizations may be at risk of fraudulent activities conducted by internal staff, collusion between internal staff and external service providers, or collusion among suppliers. Procurement fraud can be perpetrated in many ways, and it can be difficult to detect. </span></p><p style="text-align:justify;">Twelve common pitfalls, in particular, can increase the risk of fraud in the procurement process. By remaining alert to these areas, internal auditors can help protect their organizations from procurement-related losses. </p><p style="text-align:justify;"><strong>1.</strong> <strong>Weak control environment.</strong> When formalized policies are inadequate or ineffective, and staff training to help the organization prevent and detect procurement fraud is insufficient, employees may write off fraudulent or unethical activities as cultural norms. They might assume, for example, that receiving gifts and entertainment from vendors — regardless of value — is always acceptable. These perceptions can result in widespread control weaknesses and increased potential for fraud.</p><p style="text-align:justify;">Procurement policies and procedures that lack comprehensive review, approval, and monitoring of scenarios will also increase the risk of procurement fraud. For instance, in the absence of well-defined guidelines and controls, purchases can be designated as "urgent" or "emergencies" to bypass the need to compare competitive quotes.  </p><p style="text-align:justify;"><strong>2.</strong> <strong>Incompetent purchase budget review or approval.</strong> Reviewers and approvers may not have been equipped with relevant antifraud skills to ask the right questions before requested items are approved in the purchase budget. 
After budget approval, users or requestors can make purchases much more easily. Effective budget reviews are therefore especially critical to fraud prevention. </p><p style="text-align:justify;"><strong>3.</strong> <strong>Inadequate purchase request scrutiny.</strong> In the absence of proper scrutiny, staff members might be able to request and make excessive or unnecessary purchases. It is therefore essential for those charged with evaluating the validity of purchase requests to carefully review and assess the justifications for items to be purchased. </p><p style="text-align:justify;"><strong>4.</strong> <strong>Inadequate review of purchase specifications</strong>. Organizations require specific expertise to evaluate the validity and appropriateness of purchase specifications indicated for sourcing.  Without this resource, purchase specifications can be customized to favor certain vendors and cause unnecessary financial losses to the organization. </p><p style="text-align:justify;"><strong>5.</strong> <strong>Ineffective quote reviews.</strong> Without effective assessment of quotes or bids before contract award, intentional favoritism of a particular vendor might not be easily detected. It is easy to enable a particular vendor to be selected when limited criteria are used to assess competing vendors. Management should carefully review and decide on vendor assessment criteria and then evaluate the competing quotes or bids received accordingly.  </p><p style="text-align:justify;"><strong>6.</strong> <strong>Insufficient background checks.</strong> The organization may fail to conduct effective background checks on new vendors. It may approve vendors without requiring them to provide appropriate documentation, such as business registration details. 
This deficiency creates, for example, the potential for staff members or their relatives to set up a shell company to make excessive or fictitious purchases that benefit themselves or their relatives at the expense of the organization. </p><p style="text-align:justify;"><strong>7.</strong> <strong>Ineffective conflict-of-interest declaration procedures.</strong> Periodic conflict-of-interest declaration procedures may become a check-the-box exercise instead of a meaningful control activity to prevent and detect inappropriate transactions. For example, the procedures may lack adequate vendor details to help staff identify the companies with which their organization is transacting. Without well-designed procedures, employees may perceive the conflict-of-interest declaration as routine and fail to recognize its importance. </p><p style="text-align:justify;"><strong>8.</strong> <strong>Ineffective inspection of goods and services received.</strong> If goods and services are delivered to the organization without being checked and acknowledged by independent, competent parties, intentional underdelivery, damaged goods, or inferior goods could go undetected. </p><p style="text-align:justify;"><strong>9.</strong> <strong>Ineffective project monitoring.</strong> Without robust controls in place to monitor ongoing projects — including periodic reviews of percentage-of-completion, estimated costs-to-complete, etc. — the organization may not detect warning signs of fraud such as excessive change orders and cost mischarging. </p><p style="text-align:justify;"><strong>10.</strong> <strong>Ineffective three-way matching.</strong> Those responsible for reviewing invoices submitted for payment may lack the expertise to recognize potentially fraudulent items, such as personal purchases, inflated invoices, and fictitious purchases. Moreover, they may neglect to perform a three-way match among the purchase order, receipt of goods, and supplier invoice. 
As a result, procurement fraud schemes may go undetected prior to vendor payment. </p><p style="text-align:justify;"><strong>11.</strong> <strong>Absence of robust procurement analytics.</strong> Highly irregular one-time payments may be relatively easy to spot with periodic checking and basic review procedures. But when irregularities occur more frequently, with lower dollar amounts that seem insignificant in isolation, they might easily go unnoticed without more sophisticated analytics. The organization can perform analytics with indicators that reflect repeated purchase orders with amounts just below the approval threshold limits, excessive purchases made from particular vendors, etc., to facilitate the identification of irregular activity. </p><p style="text-align:justify;"><strong>12.</strong> <strong>Inadequate criteria for evaluating vendors.</strong> Once a vendor is hired, the organization may neglect to monitor its performance on an ongoing basis. Robust criteria, such as applicable quantitative and qualitative performance criteria and indicators (e.g., price competitiveness, timeliness of delivery, product or service quality, and customer service responsiveness), should be evaluated periodically to ensure staff make value-for-money purchases, instead of excessive or fraudulent purchases, on the organization's behalf. <br></p><h2>Avoiding the Pitfalls</h2><p>Opportunities for procurement fraud abound in nearly every organizational setting. With awareness of the potential pitfalls, internal auditors can take steps to equip themselves with crucial knowledge to review and provide advice on control procedures that can prevent unnecessary procurement fraud losses. <br></p>Sylvia Lim
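<p>The indicators named under pitfall 11 (repeated purchase orders just below the approval threshold, excessive purchases from one vendor) can be computed directly from a purchase order export. The following is an added example, not code from the article or its author; it also goes one step further and flags split purchases that together reach the limit. The approval limit, tolerance band, window length, and all sample records are constructed assumptions.</p>

```python
from collections import defaultdict
from datetime import date

# Assumed policy value: orders at or above this amount need a second approver.
APPROVAL_LIMIT = 5000.00

# Constructed sample export: (po_id, requester, vendor, amount, order_date).
PURCHASE_ORDERS = [
    ("PO-001", "alice", "Vendor A", 4950.00, date(2021, 3, 1)),
    ("PO-002", "alice", "Vendor A", 4980.00, date(2021, 3, 3)),
    ("PO-003", "alice", "Vendor A", 4900.00, date(2021, 3, 4)),
    ("PO-004", "bob", "Vendor B", 1200.00, date(2021, 3, 2)),
    ("PO-005", "bob", "Vendor C", 4990.00, date(2021, 3, 9)),
    ("PO-006", "carol", "Vendor B", 2600.00, date(2021, 3, 10)),
    ("PO-007", "carol", "Vendor B", 2700.00, date(2021, 3, 12)),
    ("PO-008", "dave", "Vendor D", 800.00, date(2021, 3, 15)),
]


def near_limit_clusters(orders, limit=APPROVAL_LIMIT, band=0.05, min_count=3):
    """Requester/vendor pairs with repeated orders just below the approval limit.

    An order counts when limit * (1 - band) <= amount < limit. A single such
    order is normal; min_count or more from the same pair is the indicator.
    """
    floor = limit * (1 - band)
    hits = defaultdict(list)
    for po_id, requester, vendor, amount, _ in orders:
        if floor <= amount < limit:
            hits[(requester, vendor)].append(po_id)
    return {pair: ids for pair, ids in hits.items() if len(ids) >= min_count}


def split_purchases(orders, limit=APPROVAL_LIMIT, window_days=7):
    """Sub-limit orders from one requester to one vendor that together reach the
    limit inside a sliding window, i.e. one purchase split to avoid approval.

    Returns {pair: (po_ids, total)} for the largest qualifying window per pair.
    """
    by_pair = defaultdict(list)
    for po_id, requester, vendor, amount, day in orders:
        if amount < limit:
            by_pair[(requester, vendor)].append((day, amount, po_id))

    best = {}
    for pair, rows in by_pair.items():
        rows.sort()
        start, total = 0, 0.0
        for end, (day, amount, _) in enumerate(rows):
            total += amount
            # Drop orders from the left until the window spans <= window_days.
            while (day - rows[start][0]).days > window_days:
                total -= rows[start][1]
                start += 1
            if end > start and total >= limit:
                if pair not in best or total > best[pair][1]:
                    ids = [row[2] for row in rows[start:end + 1]]
                    best[pair] = (ids, round(total, 2))
    return best


def vendor_concentration(orders, max_share=0.40):
    """Vendors whose share of total spend exceeds max_share."""
    spend = defaultdict(float)
    for _, _, vendor, amount, _ in orders:
        spend[vendor] += amount
    total = sum(spend.values())
    return {v: round(s / total, 3) for v, s in spend.items() if s / total > max_share}


if __name__ == "__main__":
    print("near-limit clusters:", near_limit_clusters(PURCHASE_ORDERS))
    print("split purchases:", split_purchases(PURCHASE_ORDERS))
    print("vendor concentration:", vendor_concentration(PURCHASE_ORDERS))
```

<p>Each hit is a lead for review of the underlying requests and approvals, not a finding on its own; the thresholds should be set from the organization's actual approval matrix.</p>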
Hush Money Fraud<p>In early 2020, Lauren George was promoted to director of internal audit at the Pier Ten Group, a management company for a hotel chain in Southern California. George was interested in innovation and had training in robotic process automation, which she was eager to bring to her new role to increase productivity and expand risk coverage.</p><p>Before her promotion, Pier Ten’s internal audit department typically performed smaller audits using manual processes. George’s first goal as director was to improve coverage without increasing staffing. She started by adapting a pre-built reconciliation bot to compare expenses to receipts and reperform all bank reconciliations starting with the company’s San Diego property.</p><p>The expense reimbursement bot was simple. Receipts were already stored in a shared folder by date and titled by date and dollar amount. The bot downloaded expenses for the year into one Excel file. It then went into the receipts folder and copied the date, description, and amount for the expense into the same file. Finally, the bot sorted the expenses by date and amount and flagged any unsupported expenses and receipts not matching an expense. </p><p>Before she reviewed the flagged items, George manually checked a sample of matched items to confirm the bot was working correctly. In the first pass, it identified 22 mismatches where expenses matched but the date on the receipt was off by a day. To be certain, she reviewed some of the receipts to make sure they matched the descriptions. The bot also flagged 12 expenses for $500 each without receipts, totaling $6,000. George thought the bot wasn’t picking up the receipts until she saw there were no receipts in the folders, just a blank sheet titled by day and dollar amount. 
</p><p>When George pulled the expense reports filed for each of these, she identified three commonalities: The receipts were missing, the description on the expense report was labeled “business expense reimbursement,” and the reimbursements were made to Skip Townes, the hotel controller.</p><p>The reconciliation bot was deployed next. It was pre-built, but required some modifications to make certain it was accessing the bank systems to retrieve bank account and credit card information. It also downloaded information into Excel and compared dates and amounts and flagged items that did not match. The results were messier than the expense reimbursement bot. Although many items matched, several items remained unreconciled. </p><p>George pulled the monthly reconciliations and started comparing line items with the bot’s reconciliation. She identified better rules that would help the bot perform more effectively next time, including pulling different reports to help reconcile some items. After her review, she was left with 12 credit card overpayments totaling $87,321.53. </p><p>Satisfied with a successful first pass, George documented her results and met with Walter Banning, the property manager, and Townes. To her surprise, Banning and Townes did not share her enthusiasm about the bot’s performance. George’s questions about the undocumented receipts and credit card payments were met with challenges about the technology. When she showed the source documents supporting the outstanding questions, both men expressed concern and insisted they would investigate and get back to her. </p><p>George suspected she was being stalled after weeks passed with no answers. The questions she asked could easily be answered with a little digging, so she contacted Wilson Kon, the audit committee chair, for guidance. George explained to Kon how the bots reperformed manual repetitive tasks, just like having an audit staff member who did exactly what he or she was told over and over. 
The work still needs to be reviewed and source documents pulled to investigate, but the observations are validated just like any other audit. Convinced by George’s explanation, Kon encouraged her to expand her review of the property’s financial processes, and assured her that Banning and Townes would provide her answers. </p><p>The next day, George met with Banning and Townes to discuss the observations. Both men were on edge and kept changing their answers. According to Banning, it was an IT issue that they were exploring. When George asked them to explain, they could not. Townes suggested it was a performance issue with the employee performing the reimbursements and reconciliation. George pointed out that Townes approved the reconciliation and Banning approved the expense reimbursement. She followed by asking why they did not flag these issues in their review. Banning went back to blaming the issues on the bot. George again left the meeting with no answers. </p><p>George first called Kon with an update and then the district manager and human resources (HR). With their support, she expanded her review to all financials for a month and went directly to the staff member performing the reconciliations. Several flagged items appeared, which were validated. The hotel accountant quickly identified the flagged items as bonus checks, reimbursements for Banning’s credit card, and car allowances for Townes. Surprised and curious, George dug in deeper.</p><p>She discovered that shortly after Banning was promoted to property manager, the corporate office cut the bonus program. He felt this was unfair and that he should be compensated for the success of his property, so he instituted his own bonus program. With the help of Townes, Banning found various ways to issue the bonuses, including a $500 monthly reimbursement to the controller to keep quiet about the bonuses. 
An expanded review found that the expenses for $87,321.53 were payments to Banning’s personal credit card company, and that extra manual payroll checks were issued to the controller, front desk manager, and housekeeping manager. In total, George identified nearly $485,000 in unsupported and suspicious payments, payroll checks, and reimbursements spanning three years. </p><p>George turned over her results to HR and local authorities. Pier Ten terminated Banning and Townes and brought charges against them. They claimed that the bonus program was sanctioned by the corporate office through a handshake deal.  <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4" style="height:30px;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>Lessons Learned</strong><ul><li>Robotic process automation (RPA) is a useful tool for enhancing internal audit capabilities. Simple and quick bots can immediately enhance department productivity when applied to repetitive processes relying on digitized data and tasks. </li><li>Fraud risk always exists, but internal audit must balance risk and resources. Deploying RPA can significantly lower the cost of certain fraud detection procedures. These procedures would mitigate many difficult-to-close internal control gaps in small- and medium-size companies. Initially, this could lead to fraud detection, but over time, these inexpensive procedures would become preventative. </li><li>When developing bots for audit work, internal audit should consider passing them off to the business units. Reconciliation bots make useful audit tools, but once hardened, they are capable of performing the regular control function, providing additional value and capacity to the business departments. Just like analytics, later reviews can include regularly testing the bot’s performance and, when convinced, relying on the bot’s results. <br></li></ul></td></tr></tbody></table><p></p>Bryant Richards
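<p>The expense-to-receipt matching that the article's expense reimbursement bot performed can be sketched in a few functions. This is an added example, not Pier Ten's bot or code from the article: it matches on amount with a one-day date tolerance, separates blank "receipts" from real ones, and groups the flagged items to surface recurring patterns. The file-name pattern, payee labels, and all sample records are constructed assumptions.</p>

```python
import re
from collections import Counter
from datetime import date
from decimal import Decimal

# Constructed sample data: (expense_id, payee, description, amount, expense_date).
EXPENSES = [
    ("E1", "sales.mgr", "client dinner", "182.40", date(2020, 1, 14)),
    ("E2", "sales.mgr", "airfare", "412.00", date(2020, 1, 20)),
    ("E3", "controller", "business expense reimbursement", "500.00", date(2020, 1, 31)),
    ("E4", "controller", "business expense reimbursement", "500.00", date(2020, 2, 28)),
    ("E5", "front.desk", "office supplies", "64.10", date(2020, 2, 3)),
]
# File name -> text extracted from the scanned page ("" means a blank sheet).
# The "YYYY-MM-DD_<amount>.pdf" naming is an assumption; the article only says
# receipts were titled by date and dollar amount.
RECEIPTS = {
    "2020-01-14_182.40.pdf": "Harbor Grill  total 182.40",
    "2020-01-21_412.00.pdf": "Airline e-ticket  total 412.00",
    "2020-01-31_500.00.pdf": "",
    "2020-02-28_500.00.pdf": "",
    "2020-02-10_39.99.pdf": "Hardware store  total 39.99",
}
NAME_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})_(\d+\.\d{2})\.pdf$")


def parse_receipt(name, text):
    """Turn a receipt file name and its extracted text into a record, or None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    year, month, day, amount = m.groups()
    return {
        "file": name,
        "date": date(int(year), int(month), int(day)),
        "amount": Decimal(amount),
        "blank": not text.strip(),
    }


def reconcile(expenses, receipts, tolerance_days=1):
    """Match each expense to at most one receipt by amount and date."""
    unused, unparsed = [], []
    for name, text in receipts.items():
        record = parse_receipt(name, text)
        if record is None:
            unparsed.append(name)
        else:
            unused.append(record)

    result = {"matched": [], "date_off": [], "blank_receipt": [],
              "unsupported": [], "orphan_receipts": [], "unparsed_files": unparsed}
    # Sort by date, then amount, as the bot in the article did.
    for exp_id, _, _, amount, day in sorted(expenses, key=lambda e: (e[4], Decimal(e[3]))):
        candidates = [r for r in unused
                      if r["amount"] == Decimal(amount)
                      and abs((r["date"] - day).days) <= tolerance_days]
        if not candidates:
            result["unsupported"].append(exp_id)
            continue
        best = min(candidates, key=lambda r: abs((r["date"] - day).days))
        unused.remove(best)  # a receipt may support only one expense
        if best["blank"]:
            result["blank_receipt"].append(exp_id)  # file exists, content does not
        elif best["date"] != day:
            result["date_off"].append(exp_id)
        else:
            result["matched"].append(exp_id)
    result["orphan_receipts"] = [r["file"] for r in unused]
    return result


def recurring_flags(expenses, result, min_count=2):
    """Group flagged expenses by (payee, description, amount) to expose patterns."""
    flagged = set(result["blank_receipt"]) | set(result["unsupported"])
    counts = Counter((payee, desc, amount)
                     for exp_id, payee, desc, amount, _ in expenses if exp_id in flagged)
    return {key: n for key, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    outcome = reconcile(EXPENSES, RECEIPTS)
    print(outcome)
    print(recurring_flags(EXPENSES, outcome))
```

<p>Checking receipt content rather than file presence is what distinguishes the blank sheets from genuine support; a match on file name alone would have passed them.</p>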
Billed Around the Clock<p>Two years ago, Future Energy Corp. (FEC), based in Finland, decided there was a need for flexibility and cost-cutting, so it changed its payment for services from a fixed fee to an hourly fee and implemented an IT system to track hours. Future Power, a subsidiary of FEC, relied heavily on BX Solutions OY, a subsidiary of BX Ltd., to maintain and repair its production equipment. After FEC conducted an annual risk assessment of its subsidiaries, internal audit decided to schedule a review of the equipment maintenance and repair process. </p><p>The audit revealed Future Power’s high dependency on BX Solutions OY and a lack of competition in the region. The audit report also outlined the potential risk for overbilling fraud because of insufficient verification of hours reported by BX Solutions OY personnel. The subsidiary was renting office space for its personnel on the premises of Future Power, so logs from entrance systems did not provide any insight on whether its employees were working on Future Power equipment or doing other tasks. The audit team concluded that the risk of overbilling existed, but no proof could be provided. Future Power management chose to accept the risk and stated additional controls were not needed. Internal auditors insisted they were and escalated the issue to FEC’s board of directors. Finally, as a compromise, Future Power management allocated one employee to conduct independent checks of hours reported by BX Solutions OY.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>LESSONS LEARNED</strong><br><ul><li>When it comes to the purchasing of services per hour — lawyers, IT developers, consultants — how often are organizations overbilled? How can an organization find the right balance of trust and control? 
Organizations risk playing a “catch me if you can” game with contractors unless the environment encourages fair reporting of spent hours. Internal audit’s role is to review the process of hour validation and determine whether hours can be verified, at least to a reasonable extent. </li><li>Operational-level management is usually overwhelmed with important daily issues, so it is difficult to get managers to take an interest in a potential fraud risk. When they read an internal audit report that raises a red flag about something that has not happened — but might — they might not care about or understand the seriousness of the risk. Rather than point out a lack of caring, internal auditors should suggest additional controls or work toward reaching a compromise that satisfies both parties.</li><li>Collaboration with a contractor that acknowledges fraud is unlikely to happen often — if at all. If the contractor has already made up its mind about how much it is going to reimburse, any collaboration promises are likely to be empty declarations. Also, internal audit should keep in mind that there is likely a specific reason why a contractor wants to acknowledge fraud. The best-case scenario is that the contractor is embarrassed by its findings and wants to avoid bad publicity. The worst case is that it is trying to cover up something much bigger and wants to voluntarily return a small part of what was stolen from the company to avoid litigation and prosecution.</li><li>When circumstances require internal audit to collaborate with outside parties where conditions or other information is exchanged, it should include legal counsel to avoid any unwanted damage to the company, such as disclosure of confidential information. 
It’s important for internal audit to know when to step back as a trusted partner.</li></ul><br></td></tr></tbody></table><p>One year later, Future Power’s CEO emailed FEC’s audit manager, Alicia Cohen, after he received a letter from BX Ltd.: “I am forwarding to you a weird letter from our main maintenance and repair partner, BX Ltd. I told them you will handle it from here.” </p><p>Cohen could barely believe what she read in the forwarded letter. BX Ltd. reported that its local subsidiary was defrauding FEC: “Due to a mistake and misbehavior, working hours have been overbilled since our last contract renewal. Corrective action has been taken and a credit for €2.3 million ($2.7 million) will be issued to you immediately. We suggest a regular review to ensure a robust hourly recording process moving forward.” </p><p>The audit team felt vindicated. The potential fraud risk scheme they described to management a year before was realized. The team set out to investigate how the overbilling happened. </p><p>Initially, BX Ltd. willingly cooperated. Via web-based meetings, BX Ltd.’s compliance representative, Pierre Brodeur, explained that its investigation was triggered by an anonymous whistleblower complaint from BX Solutions OY. The investigation revealed that remuneration for BX Solutions OY management depended on the profitability of Future Power’s maintenance and repair contract, as it was its biggest and most important client in the region. The change from fixed pricing to an hourly based system caused BX Solutions OY management to become concerned about profitability levels, so employees were instructed to bill Future Power for as many hours as possible. After the conclusion of the internal investigation, BX Solutions OY management and the employees who participated in the scheme were fired. </p><p>Brodeur handed over internal time sheets of BX Solutions OY employees involved in maintenance and repair activities. 
FEC’s internal auditors compared the time sheets against billed hours, determined the number of overbilled hours, and multiplied the difference by the hourly rate to calculate the value of the hours. When FEC’s investigative team reported an amount two times higher than the €2.3 million, cooperation between the parties ended. BX Solutions OY misled BX Ltd.’s compliance team, claiming repairs were still priced at a fixed rate, so BX Ltd.’s compliance department calculated overbilled hours for maintenance services and disregarded hours spent on repairs. FEC’s internal auditors, however, reviewed repair contract terms with legal counsel and concluded that repairs had to be billed on an hourly basis, as well. </p><p>The internal controls assessment did not take long. Internal audit tried to reconcile time sheets of BX Solutions OY personnel with hours recorded in the system, but there were no names or employee identification numbers. Moreover, BX Solutions OY personnel could record their hours monthly rather than on an ongoing basis. As a result, Future Power supervisors issued and accepted work orders without knowing how many people were on site on any specific day. </p><p>An analysis of work orders for the previous two years found that more than 40% of annual maintenance expenses were for regularly conducted visual inspections of equipment. It was impossible to determine whether inspections were actually carried out because there was no paper trail. </p><p>Though Future Power appointed an employee to conduct independent checks of hours reported by BX Solutions OY the year before, management never touched base with the employee to determine whether he had suitable tools to conduct those checks. The employee was overloaded with other duties and preferred to keep a low profile without interfering, controlling, or suggesting improvements. </p><p>Future Power eventually received €2.3 million from BX Ltd. and filed a legal dispute for additional amounts owed. 
<br></p>Anna Kon
The Seducer's Game<p>Intelligent, innovative, witty, charming, persistent, optimistic, bold, adaptable, and business savvy — these often are the key traits of a leader. But what if those traits mask other, less exemplary characteristics, such as being manipulative, deceptive, fearless, and thinking he or she is untouchable, while also lacking any sense of integrity, honesty, and empathy? Unfortunately, these traits can coincide within the same person. </p><div><p>The unique combination of these personality traits defines a seducer, which can be seen in modern-day fraudsters such as Theranos’ Elizabeth Holmes and Fyre Festival’s Billy McFarland. Within the Seduction of Fraud methodology, seduction refers to a psychological process that often plays a significant role in contemporary frauds. Therefore, it is important for internal auditors to understand the seduction of fraud and how it relates to fraud prevention, detection, and investigation within their own organizations.</p><h2>The Seduction of Fraud Diamond</h2><p> For decades, internal auditors have relied on the elements of the Fraud Triangle — pressure, opportunity, and rationalization — to understand fraud and develop internal controls that limit the risk of fraud to their organizations. While experts have provided alternatives to the Fraud Triangle, a new approach can be used to understand and prevent the latest variations of fraud, what we call Big Frauds, from occurring. These Big Frauds — such as Fyre Festival, Theranos, Volkswagen, and Wells Fargo — are similar to their traditional counterparts, yet stark differences become apparent under evaluation. 
It was through this evaluation that we realized the limitations of the Fraud Triangle and developed a tool to replace it — The Seduction of Fraud Diamond (See “The Seduction of Fraud Diamond” below).</p><p><img src="/2020/PublishingImages/Seduction-of-Fraud-diamond.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:500px;height:273px;" />There are differences between the Fraud Triangle approach and the Seduction of Fraud methodology. First, it is important to understand the original intent of Donald Cressey, who is attributed as the creator of the Fraud Triangle. As a criminologist, Cressey wanted to understand why trusted employees without a history of unethical or illegal behavior would decide to betray their employers. So, after excluding from his study anyone with a criminal record or a history of unethical behaviors, Cressey interviewed inmates who were first-time embezzlers to determine any similarities among them and try to understand their motivations. His observations and key takeaways resulted in the well-known attributes of the Fraud Triangle. But the study’s objectives and parameters point out obvious limitations in applying the Fraud Triangle to a wide array of modern white-collar schemes and perpetrators. </p><p>The Fraud Triangle’s primary weakness is its basis of starting with an honest person — a person who needs a combination of specific motivations and circumstances to commit fraud. The Fraud Triangle fails to explain why most people involved in the Big Frauds had no history of criminal activity or unethical behaviors, yet committed fraud even though there were no circumstances that justified their behavior. </p><h2>The Psychology of Fraud</h2><p>The Seduction of Fraud methodology examines human behavior and ethical decision-making related to fraud. 
Using this methodology, auditors not only rely on traditional understanding within the anti-fraud and audit community, but they also reach into the fields of analytical psychology, psychiatry, literature, philosophy, and religious studies. Combining these divergent areas of study can bridge the gap between fraud prevention, ethics, and human behavior. </p><p>As a psychological process, seduction has existed since the beginning of time. It is described in religious scripture in the Garden of Eden; historical chronicles of Cleopatra’s power and control; and 18th century Giacomo Casanova’s detailed use of seduction as a tool to commit frauds, cons, and social engineering. From an early age, Casanova understood the importance of reading the emotions of others, which allowed him to manipulate and deceive, and become one of the most infamous con artists in history. </p><p>Understanding the true meaning of the Seduction of Fraud requires removing the veil of normal human behavior to look earnestly at the inner core of humans to realize their true motivations. The Seduction of Fraud Diamond starts with a temptation, which might involve some sort of pressure, but does not require it. Once the temptation is set, the next part of the psychological process begins: deception. The goal of seduction is to gain power and control over the person being defrauded — not through force, but by subtle coercion. The seducer’s aim is to make victims feel as if they are in control and making decisions on their own, for their own benefit. It is only after the fraud is exposed that the illusion becomes apparent. Therefore, seducers can either use the Seduction of Fraud to commit fraud themselves, or they can use it to convince other people to commit fraud or perform unethical actions without their full knowledge or understanding. 
</p><h2>Attributes of the Seducer<br></h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Common Seducer Personality Traits</strong> <p>The personality traits that historical seducers and modern-day fraudsters share include being:<br></p><ul><li>Improvisational</li><li>Flexible</li><li>Innovative</li><li>A risk taker</li><li>Intelligent</li><li>Charming</li><li>Bold</li><li>Assertive</li><li>Discerning</li><li>Persistent</li><li>Witty<br></li><li>Reinventive</li><li>Business savvy</li><li>Adaptable</li><li>Manipulative</li><li>Deceptive</li><li>Fearless</li></ul></td></tr></tbody></table><p>Understanding the attributes of the Seduction of Fraud Diamond and their application through audit procedures can help in the design of effective internal controls. While simple frauds still exist — such as the trusted bookkeeper who steals to pay for her husband’s gambling addiction — they are no longer the largest risks to the organization. It is the modern-day seductive fraudsters who will more likely cause turmoil in an organization at a multitude of levels — financial, reputational, legal, compliance, etc. </p><p>While many of the seducer’s personality traits are positive attributes, it’s the traits that are missing that cause problems (See “Common Seducer Personality Traits” at right). For example, integrity, loyalty, and empathy are all missing, which should be a huge red flag for an auditor. Boldness without integrity can easily turn villainous. Additionally, when boldness is combined with any other negative personality attribute or personality disorder, such as narcissism or psychopathy, it can be a considerable threat to an organization. 
While opportunity is the most self-explanatory attribute of the Seduction of Fraud Diamond and the Fraud Triangle, the main difference is that in the Fraud Diamond, opportunity can be created, whereas the Fraud Triangle implies that opportunity must already exist. It is unchecked boldness that allows a potential fraudster to exploit existing opportunities or, if needed, create new opportunities. Furthermore, in many of today’s social engineering schemes, fraudsters use psychological manipulation to reach their goals. </p><h2>Investigation and Analysis</h2><p>Another weakness inherent to the Fraud Triangle is that it relies on a functioning conscience. The conscience is meant to warn a person when making questionable decisions before violating an internal boundary. Even when a person has a conscience, his or her moral compass might be faulty. For example, when during a research study we asked fraudsters to explain whether their conscience bothered them when they were planning the fraud, there were recurring responses: “Yes, but only for a few minutes.” Therefore, internal auditors must consider the possibility that a perpetrator’s conscience may prohibit his or her moral compass from functioning correctly. </p><p>A faulty conscience may be a sign of narcissism, but not every person who is narcissistic or has narcissistic personality traits is a fraudster, and vice versa. Therefore, it is crucial to be conscientious about conclusions that are not substantiated through factual evidence. This is where an auditor’s investigative skills can affirm or dispel any initial concerns. </p><p>Alongside narcissism, a faulty moral compass explains an increase in entitlement, a key attribute of the Seduction of Fraud Diamond. Self-aggrandizing behavior, which recent studies show is increasingly more common in today’s society, often leads to entitlement — a criterion used to diagnose a person with narcissistic personality disorder. 
</p><p>The Fraud Triangle’s final weakness is that an employee’s privacy makes it impossible for internal auditors and management to understand or analyze external pressures on that employee. This does not mean organizations need to or should conduct psychological profiles on every employee within the organization, but, at the very least, internal auditors should sharpen their skills of discernment using the Seduction of Fraud approach. Using the Seduction of Fraud Diamond will enable auditors to be attentive to potential behavioral red flags. If a person is under careful observation, and the number of red flags begins to accumulate, auditors can then consider what actions, if any, should be taken. </p><h2>Update Your Toolbox</h2><p>Internal auditors need to understand that individuals do not necessarily fit into the framework as defined by the Fraud Triangle. By updating their professional toolbox to improve their analysis, internal auditors can better understand human behavior and detect potential behavioral red flags that could be indicators of the next Big Fraud. Internal auditors can use the insights provided by the Seduction of Fraud Diamond to prevent similar scandals at their own organizations.  <br></p></div>Sanya Morang
Schoolhouse Fraud<p>When the Wellington School District budget crisis hit the local newspaper, citizens were shocked. The superintendent, Tina Franken, and business manager, William McKenzie, implemented innovative programs that improved employee morale and productivity — not only for the central office, but also for the eight schools within the district. Before Franken’s arrival, the school district was often an embarrassment to the town, as employee issues led to frequent firings or resignations and the airing of dirty laundry in the local news. When the longtime district accountant resigned and filed a legal complaint against McKenzie alleging fraud, abuse of town policies, and violations of state laws, gossip among district employees and citizens implied there were ties between the legal complaint and the budget crisis.</p><p> With a school budget shortfall of $2 million at fiscal year-end and a legal complaint, the select board for the town had no choice but to act. It asked the town’s internal auditor, Denise Silva, to review the school district’s budget process. </p><p> Silva knew town government issues could get messy and complicated. So she prepared a high-level audit program and planned to spend a lot of time exploring. First, she reviewed the district’s budget policies and procedures and requested the previous year’s approved budget with all planning comments and 12 months of results by month and account. She planned to interview employees involved in the process and take deeper dives into any areas with significant overruns. After receiving the budget documents, she realized that she needed to clear her calendar. </p><div style="width:300px;float:right;padding-left:10px;padding-right:10px;margin-left:10px;background-color:#6eabba;color:#000000;"><h3>Lessons Learned</h3><ul><li>The budget process should be included in the risk assessment and reviewed regularly, especially in regulated environments like municipalities. 
A quick review would have caught many of these issues in the first year. </li><li>Removing key controls from important processes should raise red flags. If the controls had been reviewed regularly, the budget crisis and fraud could have been avoided. </li><li>Small internal audit departments should consider rotational reviews that provide greater coverage across the organization. In this example, reviews of petty cash, budget, vendors, payroll, or accounting would have identified smaller issues that would have raised red flags and the need for additional reviews.</li><li>Messy situations may require internal audit to shut down the audit schedule for the rest of the year. Not only is it important to focus internal audit resources on high-risk areas, but it is critical to those responsible for oversight that they receive the clearest picture possible to make the most informed decisions about how to move forward.</li></ul></div><p>Silva detected several red flags in her initial review of the budget documents. First, McKenzie put the budget together under four large categories — instructional supplies, curriculum, payroll, and equipment — with lump sum amounts under each. Once the town approved it, the business manager arbitrarily assigned amounts to line item accounts in each category. Silva could not discern any reason for the assignment of funds. The second thing that stood out to her was the hundreds of transfers throughout the line item accounts each month that were not approved by the school committee or board. Lastly, there were no budgets in place for revenue accounts, even though large amounts of money were collected for sports fees, bus fees, and student activities. These collections were recorded as petty cash for the school district to use on purchases. </p><p> Silva first interviewed McKenzie about his budget process. 
He explained that the budget process was cumbersome and a source of significant productivity issues, so he streamlined the two-month planning cycle to one week. Instead of providing a detailed number for each line item, McKenzie broke the accounts down into four categories based on prior years and departmental needs, and assigned each category a lump number. The school committee and board voted on and approved the categories. The town approved this process because it trusted Franken and McKenzie. </p><p> When Silva asked about missing revenue accounts in the process, McKenzie insisted that the district accountant required that all cash collections be received into petty cash, so budget figures weren’t necessary. Adjustments were made at the end of the year to reflect the accounting. McKenzie blamed the district accountant for many of the budget challenges. </p><p> Silva’s findings list was filled with broken policies, regulations, and accounting rules, but she knew more data was needed. Some basic analytical testing found that administrators in the central office were using funds to purchase large flat screen televisions, office equipment, and laptops. However, these items could not be located anywhere in the district, so Silva assumed that administrators were taking them home. She began testing invoices, which showed that the district often reimbursed administrators for conferences and travel more than once. On several of the travel reimbursements, spouses were included and paid for by the district. The amounts submitted for reimbursement exceeded the threshold specified in the district’s policy. </p><p> When Silva conducted interviews with staff in the central office, she found there were relatives of administrators on the payroll who never showed up for work. And though the office was open until 5 p.m., many administrators left at 2 p.m. 
Lastly, an employee who worked in disbursements revealed that administrators received kickbacks from vendors for large purchases and the awarding of contracts. </p><p> Silva identified $2 million of fraud and abuse while reviewing five years of data. But she was unable to quantify much of the activity, such as the vendor kickbacks. A reasonable comparison of the actual costs of big-ticket items and what was paid by the school district added another $2 million to the total. </p><p> As a result of Silva’s investigation, Franken and McKenzie were forced to resign and are currently serving jail time for their part in the fraud schemes. Silva quantified the known abuses — like the technology gifts, no-show jobs, time theft, and travel and expense violations — per administrator, and found that nearly every one of them received, on average, an additional $10,000 per year on top of their salary. Those in higher levels of administration received more. The district accountant received none and acted as a whistleblower by filing a legal complaint. Franken and McKenzie were making significant money with kickback and petty cash schemes, using gifts, no-show jobs, and abridged schedules to keep staff from complaining or noticing, and covering their tracks with a convoluted budget process.<br></p>Deanna Polli Foster
