The Taxing Season of Fraud<p>Two former SunTrust Bank employees have been convicted of attempting to defraud the U.S. Internal Revenue Service (IRS) of more than US$2.8 million, the <a href="" target="_blank"><em>Atlanta Journal-Constitution</em> reports</a>. Federal authorities say Jeoffrey Jenkins and Vaughn Chambers opened bank accounts using stolen personal information and listed those accounts in more than 2,000 tax filings between February 2013 and March 2014. The IRS paid about US$500,000 into those accounts until a SunTrust investigator noticed that one of the employees was involved in anomalous banking activity and contacted law enforcement. Jenkins received a six-year prison sentence, while Chambers will serve two years.</p><h2>Lessons Learned</h2><p>Identity theft and its use in false tax returns has become a problem of staggering proportions. In a 2015 American Institute of Chartered Public Accountants (AICPA) survey, 63 percent of CPAs said at least one of their clients was a victim of tax identity theft in the 2015 filing season. Sensitive taxpayer information is also being stolen at large retailers, insurers, and other entities across the U.S., and recently there have been significant breaches of the IRS's online filing systems. </p><p>On a personal note, I, like many thousands of taxpayers do at this time of year, just received an electronic notice from the Canada Revenue Agency (CRA) — my tax refund of CA$468.27 was ready for me to collect. All I needed to do was log into my tax return account by clicking on the link provided in the email. All of the logos, language, and apparent details looked authentic, except that I knew I was not entitled to such a refund this year and that the CRA does not issue tax refunds in this manner. 
But think about the many others who could be fooled by such authentic-looking messages and would click on the email link, rendering their electronic identities wide open to tax fraudsters.</p><p>In several of my columns, I've written about specific kinds of tax-related identity theft and offered advice and suggestions for preventing and detecting them (for example, tax preparers and bank employees who stole the identities of children, legitimate taxpayers, and investors to claim significant tax refunds). In the context of the current story, I'd like to add a few more suggestions that focus on the need for better controls from lawmakers and regulators. These measures are contained in a piece of legislation called the Taxpayers Protection Act of 2016, recently passed by the U.S. Senate Finance Committee. Among the measures that may help prevent and detect tax-related identity theft are:</p><ul style="list-style-type:disc;"><li>Providing a sole point of contact for identity theft victims to help them recover their stolen or unfairly suspended tax refunds. </li><li>Requiring the IRS to issue a report, in consultation with the U.S. Federal Communications Commission and the Federal Trade Commission, to protect consumers from phone scams in which criminals pretend to be IRS agents.</li><li>Reforming the IRS's communications with whistleblowers to allow the exchange of information with whistleblowers when doing so would be helpful in an investigation, as well as to require the IRS to notify whistleblowers of the status of their claims. </li></ul><p>That said, there should be no illusions that this legislation will solve the problem entirely. The AICPA, while supporting the legislation, wants to elevate the competency and ethical conduct of tax preparers. 
A provision in the legislation giving the IRS authority to regulate tax preparers has been blocked, in part because federal courts ruled the IRS lacks the statutory authority from Congress to mandate tax preparer testing and continuing education. The IRS has established a voluntary Annual Filing Season Program, but it doesn't allow for minimum standards to crack down on fraudulent return preparers.</p><p>Other control measures, including some identified by the AICPA, that should be front and center in battling tax-related identity fraud include: </p><ul style="list-style-type:disc;"><li>Making it a felony for a person to use a stolen identity to file a return. </li><li>Increased mandated electronic filing of returns by paid tax return preparers. </li><li>Required reports to Congress by the U.S. Government Accountability Office about identity theft and tax refund fraud. </li><li>Authorizing the IRS to revoke Preparer Tax Identification Numbers.</li></ul>Art Stewart
Proactive Fraud Analysis<p>Today’s digital world has created new growth opportunities for organizations — but also new fraud risks. Cyber breaches, insider threats, and corruption are among the risks forcing internal auditors to ask new fraud risk questions and seek appropriate technologies to address them. For internal audit departments, forensic data analytics can be a powerful tool for preventing, detecting, and investigating fraud, corruption, and other noncompliant behavior in their organizations.</p><p>Investments in such tools are paying off. According to the Association of Certified Fraud Examiners’ 2014 Report to the Nations on Occupational Fraud and Abuse, organizations that have proactive data analytics in place have a 60 percent lower median loss because of fraud — roughly US$100,000 lower per incident — than organizations that do not use such technology. Further, use of proactive data analytics cuts the median duration of fraud in half, from 24 months to 12 months. </p><p>Integrating more mature forensic data analytics capabilities into an organization’s audit and compliance monitoring program can improve risk assessment, detect potential misconduct earlier, and enhance audit planning or investigative field work. Moreover, forensic data analytics is a key component of effective fraud risk management as described in The Committee of Sponsoring Organizations of the Treadway Commission’s most recent Fraud Risk Management Guide, issued in 2016 — particularly around the areas of fraud risk assessment, prevention, and detection. </p><h2>A Big Data Approach to Fraud</h2><p>Fraud prevention and detection is an ideal big data-related organizational initiative. 
With the growing speed at which they generate data, specifically around the financial reporting and sales activity process, organizations — particularly the internal audit function — need ways to prioritize risks and better synthesize information using big data technologies, enhanced visualizations, and statistical approaches to supplement traditional rules-based tests performed in spreadsheet or database applications. </p><p>Before jumping into any specific technology or advanced analytics technique, it is crucial to first ask the right risk or control-related questions to ensure the analytics will produce meaningful output for the business objective or risk being addressed. When deciding which tests to evaluate, and the corresponding data that will need to be mapped, internal auditors should consider: </p><p> <strong>What</strong> business processes pose a high fraud risk? High-risk business processes include the sales (order-to-cash) cycle and payment (procure-to-pay) cycle, as well as payroll, accounting reserves, travel and entertainment, and inventory processes.</p><p> <strong>What </strong>high-risk accounts within the business process could identify unusual account pairings, such as debit to depreciation and an offsetting credit to a payable, or accounts with vague or open-ended “catch all” descriptions such as a “miscellaneous,” “administrate,” or blank account names?</p><p> <strong>Who </strong>recorded or authorized the transaction? Posting analysis or approver reports could help detect unauthorized postings or inappropriate segregation of duties by looking at the number of payments by name, minimum or maximum accounts, sum totals, or statistical outliers.</p><p> <strong>When</strong> did transactions take place? 
Analyzing transaction activities over time could identify spikes or dips in activity such as before and after period ends or weekend, holiday, or off-hours activities.</p><p> <strong>Where </strong>do internal auditors see geographic risks, based on previous events, the economic climate, cyberthreats, recent growth, or perceived corruption? Further segmentation can be broken down by business units within the regions and by the accounting systems on which the data resides.</p><h2>Success Factors</h2><p>The benefits of implementing a forensic data analytics program must be weighed against challenges such as obtaining the right tools or professional expertise, combining data (both internal and external) across multiple systems, and the overall quality of the analytics output. To mitigate these challenges and build a successful program, internal auditors should consider five success factors:</p><p> <strong><img class="ms-rteiaPosition-2" src="/2016/PublishingImages/Misra_Walden_chart.jpg" alt="" style="margin:5px;" />Focus on the Low-hanging Fruit</strong> The priority of the initial project matters. Because the first project often is used as a pilot for success, it is important that the project addresses meaningful business or audit risks that are tangible and visible to the business. Further, this initial project should be reasonably attainable, with minimal capital investment and actionable results. It is best to select a first project that has big demand, has data that resides in easily accessible sources, with a compelling, measurable return on investment. Areas such as insider threat, anti-fraud, anti-corruption, or third-party relationships make for good initial projects.</p><p> <strong>Go Beyond the Descriptive Analytics </strong>One of the key goals of forensic data analytics is to increase the detection rate of noncompliance, while reducing the risk of false positives. 
From a capabilities perspective, organizations need to embrace both structured and unstructured data sources that consider the use of data visualization, text mining, and statistical analysis tools, as shown in the maturity model.</p><p> <strong>Communication Is Key </strong>Internal audit should demonstrate the first success story, then leverage and communicate that success model widely throughout the organization. Results should be validated before successes are communicated to the broader organization. For best results and sustainability of the program, auditors should involve a multidisciplinary team that includes IT, business users, and functional specialists — such as data scientists — who are involved in the design of the analytics and day-to-day operations of the forensic data analytics program. It helps to communicate across multiple departments to update key stakeholders on the program’s progress under a defined governance regime. Auditors shouldn’t just report noncompliance; they should seek to improve the business by providing actionable results. </p><p> <strong>Involve End-users</strong> Leadership support can get forensic data analytics programs funded and set the tone, but the business users — particularly those doing internal audit field work or who are on the front lines of the business — need to adopt it in their daily operations to make the program successful and sustainable. The forensic data analytics functional specialists should not operate in a vacuum; every project needs one or more business champions who coordinate with IT and the business users. Keep the analytics simple and intuitive — don’t include too much information in one report so that it isn’t easy to understand. Finally, invest time in automation, not manual refreshes, to make the analytics process sustainable and repeatable. 
The best trends, patterns, or anomalies often come when multiple months of vendor, customer, or employee data are analyzed over time, not just in the aggregate.</p><p> <strong>Set a Realistic Timetable</strong> Enterprisewide deployment takes time. While quick-hit projects may take four to six weeks, integrating the program can take more than one or two years. Programs need to be refreshed as new risks and business activities change, and people need updates to training, collaboration, and new technologies. </p><h2>An Opportunity for Internal Audit</h2><p> As a framework for evaluating the maturity of an organization’s use of forensic data analytics, the “Forensic Data Analytics Maturity Model” (see above right) demonstrates the progression of an organization’s maturity journey, starting from rules-based, descriptive tests and reports, to statistical and predictive techniques. Organizations that have implemented forensic data analytics are making strides along the maturity path, according to EY’s 2016 Global Forensic Data Analytics Survey of 665 internal audit, legal/compliance, and financial professionals in 17 countries. Respondent organizations conducting forensic data analytics completely in-house increased from 45 percent in 2014 to 67 percent today. Moreover, many of these organizations are expanding their advanced capabilities, such as doubling their use of data visualization tools and incorporating social media and statistical analysis. </p><p> Such findings provide evidence of the benefits of integrating advanced forensic data analytics techniques into internal audits. 
By helping increase their organization’s maturity in this area, internal audit has the opportunity to deliver an audit program that is highly focused on preventing and detecting fraud risks.</p><p> <span class="ms-rteiaStyle-authorbio">Aditya Misra, CFE, CPA, is senior manager of corporate audit with Johnson & Johnson in New Brunswick, N.J. </span></p> <span style="line-height:1.42857;"> <em>Vincent Walden, CFE, CPA, CITP, is a partner in Ernst & Young LLP’s Fraud Investigation and Dispute Services group in Atlanta.</em></span><br>
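The what/who/when tests listed under "A Big Data Approach to Fraud" above, as an added, runnable example that is not part of the article or its authors' work. It screens a constructed journal-entry extract for the unusual debit/credit pairing and catch-all account names the article cites, self-approved postings, weekend, off-hours and period-end timing, and amount outliers, and builds the per-poster count/min/max/total view the "who" question asks for. The account names, working-hours window, period-end window and every sample entry are assumptions.

```python
"""Rules-plus-statistics screening of journal entries, mirroring the article's
what/who/when tests.  Standard library only."""
import calendar
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample journal-entry extract (not real data): eight postings with
# a few seeded anomalies of the kinds the article lists.
SAMPLE_JOURNAL = """\
je_id,posted_at,debit_account,credit_account,amount,posted_by,approved_by
1001,2016-03-01T09:15:00,Inventory,Accounts Payable,4200.00,jlee,mroth
1002,2016-03-01T10:40:00,Depreciation Expense,Accounts Payable,1500.00,jlee,mroth
1003,2016-03-05T23:50:00,Miscellaneous,Cash,9800.00,pkim,pkim
1004,2016-03-07T14:05:00,Travel Expense,Cash,320.00,pkim,mroth
1005,2016-03-08T11:20:00,,Cash,750.00,jlee,mroth
1006,2016-03-31T22:10:00,Accrued Reserve,Revenue,58000.00,pkim,pkim
1007,2016-03-14T10:00:00,Inventory,Accounts Payable,4100.00,jlee,mroth
1008,2016-03-15T10:30:00,Inventory,Accounts Payable,3900.00,jlee,mroth
"""

# "What": debit/credit pairings that rarely make business sense (the article's
# example is depreciation offset by a payable) and catch-all account names.
UNUSUAL_PAIRINGS = {("depreciation expense", "accounts payable")}
CATCH_ALL_NAMES = {"", "miscellaneous", "administrate"}

# "When": assumed normal working day 07:00-19:00 and a one-day window around month end.
WORK_HOURS = range(7, 19)
PERIOD_END_WINDOW_DAYS = 1


def parse_journal(text):
    """Parse the CSV extract into dicts with a float amount and a datetime."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["amount"] = float(r["amount"])
        r["posted_at"] = datetime.fromisoformat(r["posted_at"])
        rows.append(r)
    return rows


def near_period_end(ts):
    """True if the posting falls on the last or first day(s) of a month."""
    last_day = calendar.monthrange(ts.year, ts.month)[1]
    return ts.day > last_day - PERIOD_END_WINDOW_DAYS or ts.day <= PERIOD_END_WINDOW_DAYS


def robust_outliers(entries, threshold=3.5):
    """Return je_ids whose modified z-score (median/MAD based) exceeds threshold.
    MAD is used instead of the standard deviation so one huge entry cannot hide
    itself by inflating the dispersion estimate."""
    amounts = [e["amount"] for e in entries]
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts)
    if mad == 0:
        return set()
    return {e["je_id"] for e in entries if 0.6745 * abs(e["amount"] - med) / mad > threshold}


def screen_journal(text):
    """Run the what/who/when tests; return a list of (je_id, test, detail)."""
    entries = parse_journal(text)
    outliers = robust_outliers(entries)
    findings = []
    for e in entries:
        dr, cr = e["debit_account"].strip().lower(), e["credit_account"].strip().lower()
        ts = e["posted_at"]
        if (dr, cr) in UNUSUAL_PAIRINGS:
            findings.append((e["je_id"], "unusual_pairing", f"{e['debit_account']} / {e['credit_account']}"))
        if dr in CATCH_ALL_NAMES or cr in CATCH_ALL_NAMES:
            findings.append((e["je_id"], "catch_all_account", f"'{e['debit_account']}' / '{e['credit_account']}'"))
        if e["posted_by"] == e["approved_by"]:  # segregation-of-duties breach
            findings.append((e["je_id"], "self_approved", e["posted_by"]))
        if ts.weekday() >= 5:
            findings.append((e["je_id"], "weekend_posting", ts.strftime("%a %Y-%m-%d")))
        if ts.hour not in WORK_HOURS:
            findings.append((e["je_id"], "off_hours_posting", ts.strftime("%H:%M")))
        if near_period_end(ts):
            findings.append((e["je_id"], "period_end_posting", ts.date().isoformat()))
        if e["je_id"] in outliers:
            findings.append((e["je_id"], "amount_outlier", f"{e['amount']:.2f}"))
    return findings


def posting_summary(text):
    """"Who" view: count, min, max and total amount posted per user."""
    summary = defaultdict(lambda: {"count": 0, "min": None, "max": None, "total": 0.0})
    for e in parse_journal(text):
        s = summary[e["posted_by"]]
        s["count"] += 1
        s["total"] += e["amount"]
        s["min"] = e["amount"] if s["min"] is None else min(s["min"], e["amount"])
        s["max"] = e["amount"] if s["max"] is None else max(s["max"], e["amount"])
    return dict(summary)


if __name__ == "__main__":
    for je_id, test, detail in screen_journal(SAMPLE_JOURNAL):
        print(f"JE {je_id}: {test} ({detail})")
    for user, stats in posting_summary(SAMPLE_JOURNAL).items():
        print(f"{user}: {stats}")
```

On the sample extract, entries 1004, 1007 and 1008 pass every test, while 1003 and 1006 each trip several at once, which is the kind of stacking an auditor would prioritise over a single hit.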
The Sham Charities<p>The U.S. Federal Trade Commission (FTC) has announced that two Tennessee-based cancer charities have agreed to a US$75.8 million settlement of charges that they had spent donations on executive salaries and luxury vacations rather than on cancer patients, <a href="" target="_blank">CBS News reports</a>. Cancer Fund of America and Cancer Support Services allegedly spent only 3 percent of donor contributions on cash and services for cancer patients and nonprofits. The two charities, along with the Children's Cancer Fund of America and The Breast Cancer Society, were named in a federal lawsuit brought by the FTC and law enforcers from all 50 states. Altogether, those charities raised more than US$187 million between 2008 and 2012. </p><h2>Lessons Learned</h2><p>This is not the first time I've written about fraud committed by charities, nor do I think it will be the last. According to a 2013 CNN study, the problem has systemic roots in the way charities are often managed. For example, even without any evidence of fraud, collectively the 50 worst charities raised more than US$1.3 billion over the past decade and paid nearly US$1 billion of that directly to the companies that raise their donations. These same charities also devote less than 4 percent of donations raised to direct cash aid. More generally, hundreds of charities that run donation drives across the country regularly give their fundraisers at least two-thirds of the take. Experts say good charities should spend about half that much — no more than 35 cents to raise a dollar. </p><p>What can auditors learn from this story? How can they help?</p><ul><li> <strong style="line-height:1.6;">There is oversight and regulation of charities, both at the state and federal levels, but is it enough of the right kind? </strong> <span style="line-height:1.6;">There is no single, consistent regulatory framework for charities across the U.S. 
Each charity must annually submit a Form 990 PF to the U.S. Internal Revenue Service (IRS) covering its financial statements, activities, and assets, but the rules established at state levels vary as to the scope and depth of requirements of charities, mainly focusing on the life cycle "bookends" — registration of a charity, and mergers and dissolutions. Oversight of the ongoing activities of charitable organizations, particularly to scrutinize whether funds collected are actually being passed on to those intended to benefit from the charity's work, seems to be minimal, unless someone spots something wrong later on and calls for the U.S. Federal Bureau of Investigation to step in.<br><br>There simply may be too many charities nationwide to look at them all every year — particularly for the IRS — but individual states could do more by relying on auditors to take regular, targeted looks at what their charitable sectors are doing to ensure fraud is detected earlier and more effectively. The targeting should include examining what percentage of funds raised are given to fundraisers and what percentage of funds raised are actually passed on to the charity's intended beneficiaries. Of course, there will be instances where charities falsify these numbers in their reporting, so spot-checking audits of randomly selected charities also would be needed. There is a cost to doing this, but it would result in better fraud prevention and fewer dollar losses down the line.</span></li></ul> <ul><li> <strong style="line-height:1.6;">Continuing to increase the level of education, research, and due diligence performed by all those involved with charitable organizations is a must. 
</strong> <span style="line-height:1.6;">There are several excellent sources of relevant information and advice to help avoid fraud by charities, including tips to help make sure charitable contributions are being put to good use, such as </span> <a href="" target="_blank">the FTC's website</a><span style="line-height:1.6;">. The state of Tennessee has a useful guide on the duties and responsibilities of charitable organizations' board members, </span> <a href="" target="_blank">What Every Board Member and Officer Should Know: A Guidebook for Tennessee Nonprofits</a><span style="line-height:1.6;"> (PDF), and the National Association of State Charities Officials maintains a </span> <a href="" target="_blank">comprehensive website of resources</a><span style="line-height:1.6;"> relating to both national and state organizations involved with charities. In particular, all parties must do their own research about:</span><ul><li>Detailed information on the charity, including mandate, officers, and contribution methods and major contributors. They also should check whether the charity is trustworthy by contacting the <a href="" target="_blank">Better Business Bureau's Wise Giving Alliance</a>, <a href="" target="_blank">Charity Navigator</a>, <a href="" target="_blank">Charity Watch</a>, or <a href="" target="_blank">GuideStar</a>.</li><li>The percentage of a donation that will go to the charity.</li><li>How much will go to the actual cause to which someone is donating.</li><li> <span style="line-height:1.6;">How much will go to the fundraiser.</span></li></ul></li></ul>Art Stewart
Overpayments and Fake Ex-employers<p>Iowa's unemployment insurance program paid US$909,000 in inappropriate payments and uncollected penalties between 2013 and 2015, the <a href="" target="_blank"><em>Des Moines Register</em> reports</a>. Following an Iowa Senate Government Oversight Committee hearing and inquiry, a review by the state auditor found more than US$700,000 in overpayments resulting from a phone system malfunction. The Workforce Development agency that manages the unemployment program also paid nearly US$100,000 to people who made false claims, such as claiming to have been terminated by companies that were fictitious. The audit notes that Workforce Development did not independently verify information reported by employers or supposedly unemployed workers.</p><h2>Lessons Learned</h2><p>This story details several significant failures by Workforce Development to put in place anti-fraud measures that may have prevented or detected fraudulent behavior at an earlier stage. Let's take a look at the most important failures — those that auditors likely would observe using tools readily available to them, including fraud risk assessments, risk-based audit plans, and regular auditing and reporting.</p><ul><li> <span style="line-height:1.6;"><strong>Weak program design and controls.</strong> In this case, there was an imbalance between the state's desire to provide easy program accessibility and a need to establish effective controls over disbursement of public funds. The vast majority of public institutions that disburse public funds and benefits to qualified individuals, groups, or organizations do so by designing and implementing eligibility criteria and service delivery mechanisms that aim to exclude nonqualifiers effectively. 
Moreover, most public institutions delivering social benefits include some form of validated master list of program founders/contributors — in this case, Iowa employers, who would be readily identifiable as legitimate contributors — and an eligibility verification process/cross-checking system to independently verify information reported by employers or supposedly unemployed workers. It should have been easy for program officials/monitors to check whether a bogus employer name was being used. </span><br> </li><li> <span style="line-height:1.6;"><strong>Poor overpayment recovery.</strong> Social service agencies typically establish an overpayment recovery function to get back inappropriately or falsely issued payments. In the case of Workforce Development, little of this seems to have been put in place. Even when some illegal activities were identified, the agency failed to follow through to uncover the extent of the problem, according to auditors.</span><br><br></li><li> <span style="line-height:1.6;"><strong>Weak program delivery systems.</strong> Few modern public institutions rely on a single mode of program delivery such as the telephone. Most now use some form of online application system as well. Each service delivery mode needs specific attention to ensure the systems used to screen applicants are designed and maintained appropriately. In Iowa, better controls should have been in place to prevent such a major system breakdown and deal with the handling of questionable claims resulting from the telephone system breakdown.</span><br> </li><li> <span style="line-height:1.6;"><strong>Lapses in management oversight, delegation of authority, and monitoring.</strong> The only part of this element that seems to have worked is the role of the Iowa Senate Government Oversight Committee, which asked the tough questions and called senior Workforce Development officials to account for their behavior. 
Other levels of oversight and checks and balances were either weak or nonexistent. Program managers were able to act alone to attempt to hide the fraud. Workforce Development flouted requirements to report the problems to state auditors and did not keep adequate supporting documentation that would have enabled auditors to perform a more complete assessment of the extent of the problem. A weak accountability regime also needed attention. Many involved staff members have left the agency, and it's unclear whether they will face any consequences for their actions. Similarly, there should be clear policies and procedures in place to deal with fraudulent client behavior.</span></li></ul>Art Stewart
The Phantom Tickets<p>An internal audit and internal affairs investigation have revealed that some Ottawa police officers were issuing fake traffic warnings, <a href="" target="_blank"><em>Ottawa Citizen</em> reports</a>. According to the audit of all traffic warnings issued by district patrol and emergency operations officers, the officers from the traffic escort and enforcement unit allegedly issued the warnings after traffic stops, but didn't actually give them to the motorists. As a result, the infractions appeared in a police database along with the drivers' names, without their knowledge. Two officers have been suspended with pay and nine others have been assigned desk duty. The internal affairs investigation is still in progress.</p><h2>Lessons Learned</h2><p>The more typical kind of policing fraud relates to bribes, extortion, or more mundane transactions such as ticket fixing. This story illustrates a different kind of fraud: phantom ticketing. One might consider this trivial and administrative, but it is much more harmful than one might think because it undermines the public's trust in the integrity of law enforcement. The suspected Ottawa police officers allegedly were issuing fake tickets to pad their performance statistics, which in turn calls into question the validity of the city's human resources performance management system. Exaggerations to supposed levels of traffic enforcement actions increase the pressure on city politicians to sustain or increase police budgets. 
Just as bad, in some cases notations of false citations were added to police databases, even though the individuals were innocent.</p><p>While it's positive that the Ottawa police uncovered the fraudulent behavior as a consequence of an internal audit and are considering new quality control measures, here are some strategies auditors can proactively recommend to prevent and detect this kind of fraud early:</p><ul style="list-style-type:disc;"><li> <strong>Review and strengthen controls over police ticketing procedures. </strong>Beyond warnings, other types of enforcement transactions should be included. High volumes of transactions should be watched for regularly and should be subject to review and validation. Substantiation requirements also need to be reviewed to ensure they strike an effective balance between efficiency and sufficient detail, which also serves as a deterrent to falsification. This story also notes that mechanical issues with printers and a new e-ticketing system may have played a role in some warnings being printed inappropriately, so there should be a solid quality-assurance review process in place to regularly inspect existing and new equipment. Having duplicate copies of enforcement warnings immediately sent to a central review repository also might dissuade officers from faking transactions. In addition, there should be a strict control in place over where and when these documents are stored — officers should not be riding around in their patrol cars with a stack of them, as was the case in Ottawa.</li></ul> <ul style="list-style-type:disc;"><li> <strong>Increase the use of body cameras on police officers during patrols, </strong>with a particular focus on the periods where warnings and enforcement actions are taken. 
A risk-based sampling approach should be applied to regularly review digital recordings to ensure appropriate procedures are being followed.</li></ul><ul style="list-style-type:disc;"><li> <strong>Allow citizens to have easier access to police information that personally relates to them and to be able to seek changes where justified. </strong>Citizens who receive a warning, or any form of enforcement action, could be allowed to sign the warning or enforcement to acknowledge its receipt, thus reducing the chances of such a document being entirely faked. This should be implemented in tandem with a strong whistleblower program that allows citizens to report inappropriate or unauthorized police behavior anonymously and without fear of reprisal.</li></ul><ul style="list-style-type:disc;"><li> <strong>Review human resources performance management incentives and procedures </strong>to reduce reliance on performance measures that can readily be "gamed," such as the warnings in this story, in order to give officers unwarranted access to recognition and career advancement. If it is not already being done, greater weight should be given to the more serious enforcement actions taken by officers, rather than to warnings. Quotas should be avoided.</li></ul><ul style="list-style-type:disc;"><li> <strong>Regularly monitor, report, and encourage senior management discussion of data</strong> that relates to erroneous or false policing transactions.</li></ul>Art Stewart
The False Dependents<p>A U.S. District Court judge in New York sentenced a former tax preparer to nine years in prison for using stolen identities of children to file fraudulent tax returns, <em><a href="" target="_blank">Accounting Today</a></em> reports. Noel Cuello was convicted of using stolen Social Security numbers and other information to file federal tax returns that enabled his clients to falsely claim minor dependents. He obtained the information by bribing a former fraud investigator with the New York City Human Resources Administration, which runs 12 public assistance programs in the city.</p><h2>Lessons Learned</h2><p>While the vast majority of tax professionals provide honest, quality services, there are other dishonest preparers who set up shop each filing season with the intention of perpetrating refund fraud, identity theft, and other scams. These preparers may act on their own or in collusion with others. In some cases, taxpayers may deliberately seek out preparers who are ready to conspire to file false tax returns. Many taxpayers unwittingly fall for the promise of inflated refunds obtained by the shady preparer. Taxpayers should be wary of anyone who asks them to sign a blank return, promises a big refund before looking at their records, or charges fees based on a percentage of the refund. And everyone doing business with a tax preparer should exercise due diligence about that preparer's credentials and background.</p><p>Faking the existence of children as dependents is just one of many tactics dishonest tax preparers use. Falsely inflating deductions or expenses on tax returns to underpay what is owed or to receive larger refunds is one of the most common gambits. Others include frivolous schemes where taxpayers are encouraged to make unreasonable and outlandish claims even though they are wrong and have been repeatedly thrown out of court (there is a US$5,000 penalty for filing a "frivolous" return). 
Inventing income to erroneously qualify for tax credits, such as the Earned Income Tax Credit, is another fraudulent tactic. The research credit, for example, frequently is misused to file inappropriate claims where qualified research activities cannot be substantiated or do not satisfy the requirements related to qualified research expenses.</p><p>Tax season is a good opportunity to be reminded of the great variety of tax-related fraud tactics to guard against. I've written on several occasions about how to spot and avoid these kinds of fraud, so take a look at previous columns to learn more. </p><ul style="list-style-type:disc;"><li> <strong>Identity theft.</strong> In fiscal year 2015, the U.S. Internal Revenue Service (IRS) initiated 776 identity theft-related investigations, which resulted in 774 sentencings. While the fraudster in this case received a nine-year sentence, penalties can be even more severe. One thief was sentenced to more than 27 years, or roughly three years for each digit in a phony Social Security number.</li></ul><ul style="list-style-type:disc;"><li> <strong>Electronic tax scams. </strong>Telephone tax scams, typically involving criminals impersonating IRS officials, are a significant fraud threat to taxpayers. The elderly are particularly susceptible to threats and intimidation of police arrest, jail time, huge fines, deportation, and license revocation. Phishing scams, typically involving fake e-mails or websites looking to steal personal information, can be sophisticated-looking. The IRS never sends taxpayers an email about a bill or refund out of the blue, so taxpayers should never click on one.</li></ul><ul style="list-style-type:disc;"><li> <strong>Illegal tax shelters. </strong>Tax shelters that sound too good to be true often are — from those involving foreign banks or companies to dream-come-true beachfront property in some sunny, faraway land. 
Enforcement actions against offshore tax cheats — and the financial organizations that help them — are on the rise as well. ​</li></ul>Art Stewart0553
The "Anti-fraud" Moment<p>Cybercrime, wire transfer schemes, fake vendors, purchase card abuse, kickbacks, contractor overcharges, journal entries that manipulate financial results, and dozens of additional old and emerging fraud threats come to life every day. Just when one exposure is under control, another one pops up somewhere else in the organization. It feels like a never-ending process of putting out fires with little time or energy left to focus on meaningful prevention.</p><p>The most important element organizations must address to make a measurable difference in their anti-fraud efforts — regardless of the specific fraud scheme or exposure — is meaningful skills training of all employees. Many organizations provide awareness training — often a one-hour annual review of their anti-money laundering, code of conduct, or ethical behavior policies — but very few go deep enough into the red flags, symptoms, and indicators of fraud schemes employees and managers might actually see in their work. Awareness is the first step. Knowing exactly what to look for in documents is what enables employees to block fraud and wrongdoing before damage occurs.</p><p>The “anti-fraud moment” is the moment when a supervisor or control employee has a transaction document and a pen in hand. The task in that moment is to review the transaction for reasonableness, accuracy, completeness, and compliance with policy. It’s at this moment that fraud is prevented or allowed to occur. Effective anti-fraud skills training emphasizes the information needed at the moment of transaction review and approval. Fraud prevention theory is nice; lists of red flags from organization documents are critical.</p><p>Do the organization’s employees know what to look for to block fraud schemes? Do its executives? How about board members? If not, here are a few ideas to help prepare employees and plug this hole in the organization’s fraud defenses.</p><p><strong>Create simple articles to share with employees.</strong> Stick to topics that have a wide audience and are present throughout the organization, such as “Good Questions to Ask Before Approving Invoices,” “What Fraud Looks Like in Travel Expenses,” and “Eight Red Flags of Purchase Card Abuse.”</p><p><strong>Record five-minute training videos.</strong> There is no need for elaborate opening and closing graphics. Just jump right in with the content. For example, “Hi everyone, I’m John from the Corporate Audit Services Team. Have you ever wondered what questions you should ask yourself as you are approving invoices from your suppliers? In this short video, I’ll give you seven suggestions to get you started. Question No. 1…”</p><p><strong>Take advantage of live formal and informal skills training opportunities.</strong> These can include new employee orientation, new supervisor training, staff meetings, regional management conferences, and board meetings. Minimize the theoretical and cut right to the actual schemes and observable indicators that managers and employees will see in the documents they handle. That’s the information they need to act.</p><p>Knowing exactly what to look for at the moment of transaction approval is the critical difference in preventing fraud. Internal auditors often know more about fraud prevention than any department in the organization, so it is up to them to make sure that every employee is equipped with this information, as well.</p>John Hall
Shuttered by Audit Findings<p>Findings from independent audits have resulted in the closure of 15 New Mexico-based nonprofit agencies that provided behavioral health services in that state, according to <a href="" target="_blank"> <em>Nonprofit Quarterly</em></a>. In each case, the state cut off Medicare funding to those agencies after audits by outside consulting firm Public Consulting Group (PCG) found evidence of fraud. The firm estimates that the agencies mishandled US$36 million in state Medicaid funds. However, the New Mexico attorney general's office has disposed of most of the cases and announced that it did not find a pattern of fraud in 10 nonprofits that had been part of PCG's audits. Three agencies had overpayments but no fraud, the office found. Following the agency closures, New Mexico transferred its Medicaid funds for behavioral health to providers based in Arizona.</p><h2>Lessons Learned</h2><p>Readers of the fraud column will recognize, if not have memorized, the typical steps in the internal audit process (it's similar for an external audit as well):</p><ol><li>Notification.</li><li>Planning.</li><li>Opening meeting.</li><li>Fieldwork.</li><li>Communication.</li><li>Report drafting.</li><li>Management response.</li><li>Closing meeting.</li><li>Report distribution.</li><li>Follow-up.</li></ol><p>Although some of these steps may be combined or labeled differently, the 10 elements are addressed in some fashion. Yet if the audit process was followed correctly in this case, why is there such a discrepancy between the conclusions of PCG's audit work and those of the New Mexico state attorney general's office? I have reviewed both the PCG audit and the attorney general's office report, and note that at least two critical audit steps were not followed appropriately:</p><ul style="list-style-type:disc;"><li><strong>At the Fieldwork stage,</strong> the audit appears to have included mistakenly flagged claims, based on two main observations: that "unqualified staff" had performed services, and that documentation was missing for several claims, indicating a pattern of billing without supporting documentation. But the attorney general's report found that most of the credentials issues were resolved by reviewing the credentialing files and speaking with staff. For example, PCG flagged numerous claims because it thought one therapist wasn't credentialed to provide rehabilitation services. But the attorney general's office carefully reviewed that employee's credentialing file and found that the individual did have the necessary qualifications. With regard to the second issue, the attorney general's investigators noted they had located paperwork for most of the missing documentation, so there did not appear to be a pattern of billing without supporting documentation. Overall, the attorney general's office found that the costs associated with errors and discrepancies within the New Mexico nonprofits amounted to a small fraction of the amount asserted in the PCG audit.</li><li>Perhaps the biggest lapse in the audit process occurred at the <strong>Management Response stage</strong> and in the process the Human Services Department (HSD) and PCG used to ensure the audit was accurate before deciding to suspend Medicaid funds to the nonprofit organizations. PCG and HSD did not share the audit's findings with any of the 15 organizations whose Medicaid payments HSD froze. It also is unclear whether HSD did a systematic check itself to make sure claims that were flagged weren't mistakenly identified as inappropriate. It is critical that auditors present findings to staff of audited organizations to give them an opportunity to refute findings or address misunderstandings. The damage that can be caused by a failure to do so is evident in this story. HSD used the overbilling claim made in the PCG audit, in part, to find "credible allegations of fraud," a finding that led to the payment freeze that put the 15 organizations out of business and sparked criminal investigations by the attorney general and other state and federal agencies.</li></ul><p>Auditors should take heed of the perils of not fully understanding and following the audit process.</p>Art Stewart
The Bogus Boss<p>Etna Industrie is one of thousands of French companies that have fallen prey to a scheme in which perpetrators impersonate a company's CEO to defraud the organization, <a href="" target="_blank">the BBC reports</a>. Fraudsters impersonating Etna Industrie CEO Carole Gratzmuller emailed the company's accountant with instructions for a confidential transaction to purchase a company in Cyprus. After multiple emails and phone calls in less than one hour, the accountant authorized wire transfers of €500,000 (US$542,000) to foreign bank accounts. The company's banks held up three of the transfers, but a fourth for €100,000 went through. Authorities in France say French businesses have lost €465 million from such scams since 2010, which they say have been perpetrated mostly by French-Israeli gangs.</p><h2>Lessons Learned</h2><p>It is not surprising to hear about successful and harmful cases of CEO or executive impersonation fraud. It's all part of the broader category of phishing attacks. Here is how they work:</p><ul><li><em>Define your goal.</em> What do you want to gain? Money, information, and PIN and credit card numbers often are chosen goals.</li><li><em>Choose your target.</em> In the case of CEO fraud, the president usually is targeted, but the correct vice president, director, or executive can work just as well.</li><li><em>Do your research.</em> Fraudsters perform a background check, using social media and company websites, which can reveal the target's marital status, number of children, interest in playing golf, travels to Europe, favorite car, upcoming anniversary, and whether he or she has liked or on social media. Company websites can reveal examples of the target's style of communication.</li><li><em>Launch your attack.</em> It could be an urgent request to forward money to complete a supposed business deal, but it also can take on many other forms. For example, it might be a congratulatory email from including a link for a free anniversary gift. The idea is to gain the target's trust by using information with which he or she feels secure. A free gift with a malicious link often can result in a successful spear phishing attack. That link could then download a piece of malware for financial or espionage purposes, or it could trick the target into giving out sensitive information.</li></ul><p>Internal auditors can suggest that organizations and their executives be careful about what they post to social media and company websites, especially job duties/descriptions, hierarchical information, and out-of-office details. Moreover, they can advise employees to be suspicious of requests for secrecy or pressure to take action quickly, even if one knows the sender. But what else can auditors look for and recommend to protect organizations? Some strategies include:</p><p><strong>1. Use multifactor authentication and dual authorization techniques.</strong></p><ul style="list-style-type:disc;"><li>Many organizations unknowingly increase the fraud risk related to executive impersonation by assigning financial decision-making to a single individual, such as the comptroller. Regardless of size, employee tenure, and kind of business, organizations should always require dual authorization and separation of duties to keep outside risk from penetrating the organization.</li><li>In addition, any emails requesting the creation or change of wire payment instructions should be verified by phone or another means. Employees should use a dependable verification channel, such as a telephone number from an employee directory, to validate new wire payment instructions, because hacked emails could contain fraudulent contact information. If the email comes directly from an acquaintance or source that the employee would typically trust, he or she should forward the message to that same person directly to ensure that individual indeed was the correct sender. Employees should not simply reply to the email with whatever information was requested.</li><li>Take steps to protect the organization's corporate identity and information by acquiring domain names similar to the one used by the organization and taking them off the market. For example, the marketing or IT teams at might buy "," where the "o" has been replaced by a zero. Phishing emails are frequently sent from look-alike domains. Access to corporate directories and sensitive corporate information also should be strongly protected behind firewalls that are tested and updated regularly.</li><li>Establish additional IT and financial security procedures and two-step verification processes, including use of other communication channels such as telephone calls, to verify significant transactions. Implement this second-factor authentication early in the relationship and outside the email environment to avoid interception by a hacker. Use digital signatures where possible and automatically delete unsolicited e-mail (spam) from unknown parties. Also, beware of sudden changes in business practices. If a current business contact suddenly asks to be contacted via his or her personal e-mail address, when all previous official correspondence has been through a company e-mail address, the request could be fraudulent. Employees should always verify through other channels that they are still communicating with a legitimate business partner.</li></ul><p><strong>2. Take a look at corporate culture and focus on educating employees.</strong></p><ul style="list-style-type:disc;"><li>Companies with an authoritarian hierarchy run more risk of phishing attacks, because employees tend to cooperate with schemes that sound authoritative. This also is true in some organizational cultures where it's frowned on to ask for help, there's some degree of mutual distrust, or a less collaborative work model is used. Asking for IT help might create a backlash, so someone clicks on an email link — it only takes one vulnerable recipient to give a phishing expedition what it needs to succeed. Mitigating this fraud risk requires both cultural change in the organization and a standard of technical literacy for all employees and contractors with access to organizational resources.</li><li>Implementing security controls and enhanced authentication can help stop these attacks, but educating employees against these socially engineered schemes is one of the best ways to defend against this form of fraud. Fraudsters prey on organizations with a lack of fraud knowledge. Educating all employees about the latest fraud trends is key to preventing fraud before it occurs or recognizing it quickly to reduce an organization's potential for loss. That should include educating employees about the tactics of phishers, which continually evolve, and going beyond the email-related admonitions to include more subtle advice. One specific example is the need to read all URLs from right to left: the last address is the true domain. Secure URLs that don't employ https are fraudulent, as are sites that begin with IP addresses.</li><li>Part of education should include sending test phishing emails to employees to gather metrics about the effectiveness of the organization's anti-phishing training programs.</li></ul><p><strong>3. Establish a relationship with the right financial/audit partner.</strong></p><ul style="list-style-type:disc;"><li>It is key for organizations to partner with a financial/audit institution that keeps the organization informed about fraud developments and is invested in helping to protect that organization from fraud. The partner should inform the organization about relevant fraud industry data, provide help in identifying fraudulent activities early to reduce financial losses, and advise about fraud prevention best practices.</li></ul>Art Stewart
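<p>The column's advice on reading a URL's host from right to left to find the true domain, on distrusting links that do not use https or that begin with an IP address, and on look-alike domains in which a letter has been swapped for a digit can be turned into a simple screening check. The Python below is an added example, not code from the column or from any product it mentions; the trusted domain example.com, the confusable-character table, and the sample URLs are constructed for illustration, and the registrable-domain step is a deliberate simplification (last two labels).</p>

```python
# Added example (not from the column or its author): screen a link's host the
# way the column recommends. Trusted domain, confusable table and sample URLs
# are constructed for illustration.
import ipaddress
from urllib.parse import urlsplit

# Constructed trusted domain; an organization would substitute its own.
TRUSTED_DOMAIN = "example.com"

# Assumed table of character swaps commonly seen in look-alike domains
# (the "o" replaced by a zero, "rn" standing in for "m", and so on).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host name, read from the right.

    Simplification: multi-label public suffixes such as co.uk are not handled;
    a production check would consult the public suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def normalize_lookalike(domain: str) -> str:
    """Map confusable characters back to the letters they imitate."""
    out = domain.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def is_ip_literal(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def screen_url(url: str, trusted: str = TRUSTED_DOMAIN) -> dict:
    """Return the host, its registrable domain, and a list of findings.

    The link is "ok" only when it uses https and its registrable domain is
    exactly the trusted one; anything else is reported, never auto-fixed.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    if parts.scheme.lower() != "https":
        findings.append("not-https")

    if not host:
        findings.append("no-host")
        reg = ""
    elif is_ip_literal(host):
        findings.append("ip-address-host")
        reg = host
    else:
        reg = registrable_domain(host)
        if reg != trusted:
            if normalize_lookalike(reg) == trusted:
                # e.g. examp1e.com or exarnple.com: differs only by confusables
                findings.append("look-alike-domain")
            elif ("." + trusted + ".") in ("." + host + "."):
                # trusted name buried in a subdomain, e.g. example.com.evil.net
                findings.append("trusted-name-in-subdomain")
            else:
                findings.append("foreign-domain")

    return {"host": host, "registrable_domain": reg,
            "findings": findings, "ok": not findings}


if __name__ == "__main__":
    # Constructed sample links of the kinds the column describes.
    for sample in ("https://portal.example.com/login",
                   "https://www.examp1e.com/pay",
                   "https://example.com.evil.net/refund",
                   "http://192.0.2.10/login"):
        result = screen_url(sample)
        print(sample, "->", "OK" if result["ok"] else ", ".join(result["findings"]))
```

<p>The check reports rather than blocks, so it can sit in a mail-gateway rule or a training tool without making policy decisions on its own. Two gaps a production version would close: the registrable-domain step should use the public suffix list so that hosts under suffixes such as co.uk are split correctly, and the confusable table should be extended with Unicode homoglyphs, which the ASCII-only table here does not cover.</p>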
The Contracting Conspiracy<p>Two former Ottawa Hospital directors are accused of conspiring with contractors to defraud the hospital, <a href="" target="_blank">CBC News reports</a>. Frank Medwenitsch, the hospital's former director of planning and capital projects, and Brock Marshall, former director of engineering and operations, allegedly gave several contractors inappropriate advantages, such as advance copies of procurement documents and internal communications about projects and competing bids, according to the hospital. They also approved invoices for work that wasn't performed or completed, the hospital alleges. Moreover, the hospital claims Medwenitsch and two contractors "essentially" extorted Marshall to pay for inappropriate invoices. The hospital listed five contractors as defendants in its legal claim, which resulted from a 2015 external audit that noticed irregularities in its planning and facilities department. Marshall retired from the hospital in April 2015, while Medwenitsch resigned in October.</p><h2>Lessons Learned</h2><p>While this case of fraud allegedly committed by former Ottawa Hospital staff is still unfolding, its significance and impact are being revealed. Hospital administrators were initially tight-lipped about the case, but they now are focused on emphasizing that the fraud was relatively minor in dollar terms and that they have things under control by taking measures such as:</p><ul><li>Engaging an independent third-party forensic investigator.</li><li>Making appropriate changes to planning and facilities personnel.</li><li>Reviewing the prequalification list of vendors and related processes.</li><li>Putting additional layers of oversight and signing authority in place.</li><li>Initiating a best practices review to ensure the hospital is among the leaders in its processes and controls.</li></ul><p>Are these measures an adequate response on the part of management, or is there more it could do to prevent this kind of fraud? Here are some suggestions:</p><ul style="list-style-type:disc;"><li><strong>Hospitals should have a strong internal audit function.</strong> Most Ontario hospitals don't have an internal audit function to help them prevent and detect fraud sooner. The Ottawa Hospital has a CA$1.3 billion annual operating budget and close to 12,000 employees, equivalent to a large corporation, so it should have an internal audit function. The materiality of the alleged fraudulent activity has not yet been revealed, but just one of the contracts alleged to have been funneled to favored construction companies was worth over CA$125 million. Furthermore, any money lost through alleged fraud or embezzlement at The Ottawa Hospital is the responsibility of the hospital's board of governors and not the provincial government, because Ontario hospitals are independent corporations run by their boards of directors.</li><li><strong>The governance structure and processes of hospital boards of directors need to be regularly reviewed and strengthened, wherever needed.</strong> Such reviews should assess whether board composition is optimal from a skills perspective. Hospital boards naturally tend to emphasize a medical background and experience as prerequisites, but financial, business, and audit skills also should be sought. Where the board experiences a lapse due to fraud, and particularly where the hospital lacks an internal audit function, there can be calls for the removal of board directors for failing to adequately address such weaknesses. The problem is compounded where boards decide to stay silent and not communicate proactively with clients and stakeholders about a potential fraud, even where there are concerns about the legal implications of public statements. These can be addressed with appropriate legal and public relations advice. On a positive note, the Ottawa hospital's audit committee appears to have appropriately structured roles, with both the CEO and chief financial officer involved only on an "ex officio" basis.</li><li><strong>As publicly funded institutions, hospitals need to establish the most rigorous possible policies and standards regarding internal controls.</strong> That would include the procurement model, policies, and processes — which I have detailed in previous articles. Particularly relevant in this case is the need to establish strict conflict of interest policies to prevent employees from accepting any kind of gift or favor. For example, one of the accused Ottawa Hospital employees, Medwenitsch, went on a luxury fishing trip as a guest of PCL Constructors Canada Inc., a company that later won bids for two construction projects worth more than CA$100 million each. Similarly, robust conflict of interest rules must also clearly prohibit a person responsible for a public procurement from doing business with the people he or she is supervising and awarding contracts to. In this case, a senior hospital official was found to have hired — and paid for — personal services from a company that had also won a major construction contract with the hospital, creating the appearance of a conflict of interest.</li></ul>Art Stewart
