Fuel for Fraud<p>A U.S. federal court has convicted a Pennsylvania biofuel entrepreneur of fraudulently receiving $5 million in government subsidies and claiming $9 million in environmental tax credits, <a href="" target="_blank"> <em>The Morning Call</em> reports</a>. Greenworks Holdings, owned by David Dunham Jr. and his business partner Ralph Tommaso, collected used cooking oil to produce fuel for vehicles and buildings. </p><p>Witnesses at Dunham's U.S. federal court trial testified that Dunham and Tommaso inflated the amount of fuel the company produced in reports to the Department of Agriculture, Environmental Protection Agency (EPA), and Internal Revenue Service. Moreover, witnesses alleged that the two men claimed environmental credits for wastewater from the refining process and claimed loads of fuel that Greenworks did not process. Tommaso, who pleaded guilty in 2017 to a conspiracy charge, testified against Dunham.</p><h2>Lessons Learned</h2><p>Whenever a new technology, process, or program emerges, fraudsters are never far behind in finding ways to illegally profit. In this case, government-funded biofuel subsidy programs already have a lengthy history of fraudulent activity. </p><p>One does not need to look much farther than the <a href="" target="_blank">Advanced Biofuels Association's website</a> to find more than 100 cases of fraud. There is even a case where a Canadian company used railway cars to ship biofuels multiple times back and forth across the U.S. border. Each time the company illegally claimed the biofuel subsidy for the same shipment.</p><p>The overall design and controls over the U.S. subsidy program are not working well. Recent news stories report that the EPA will reduce ambitious biofuel targets for oil refiners that were set in 2007. Part of the reasoning behind the revised targets is that the biofuel industry is lagging in meeting them. 
</p><p>However, the EPA also has recognized that there are insufficient program controls over the $9 billion market in biofuel compliance credits, particularly a lack of transparency and the potential for manipulation. Fixes involve imposing stricter limits on a key program eligibility control — who can trade renewable identification numbers (RINs). RINs are the credits refiners use to prove they have satisfied the U.S. biofuel mandate.</p><p>Increased reliance on audit work to verify biofuel subsidies also is needed. Commendably, the biofuel industry is now taking steps toward self-policing and regulation. Small biodiesel producers, who comprise a large proportion of producers, have brought in an outside audit firm to authenticate fuel production in hopes of reducing the amount of fraud occurring in the RIN market. </p><p>This RIN integrity program offers a subscription service to biodiesel producers and buyers to verify that RINs come from biofuel plants that actually produce the alternative fuel. Among the control measures, producers must sign up for independent verification of their RINs and consent to a site visit by an outside auditor to verify the producer is capable of generating the biofuel it reports. Voltage monitors and camera surveillance techniques also are used to verify biofuel production. These results are published to a website where buyers can access information on the producer of prospective RINs.</p><p>These measures may help turn around the fraud problem. It is worth noting that Canada's Natural Resources department cancelled a similar biofuel subsidy program in 2017, citing some of the same fraud issues the U.S. has experienced. The department's assessment of the program may yield lessons that could help the U.S. program prevent further fraud, including:</p><ul><li> <em>Risk:</em> Programs should strengthen risk identification and mitigation regularly to assess emerging risk areas. 
In managing grants and subsidies, they should ensure that project-level risk assessments reflect changes attributable to the performance of those being subsidized.<br><br></li><li> <em>Program design:</em> When designing a program in support of a nascent industry, where market determinants are difficult to predict and control, officials should build in and clearly communicate periodic checkpoints and opportunities to make corrections. Agreements to fund projects should be specific, precise, and supported by verifiable information. Program officials also should formally update performance frameworks.<br><br></li><li> <em>Program monitoring:</em> Programs should customize their monitoring to the nature and type of organization that is being subsidized. </li></ul>Art Stewart
The Social Engineering Fraud<p>Kai Tang was working late on Dec. 25. It was year-end, so activity in the company was picking up, keeping the controller of the thriving Singapore distributor of a large U.S. manufacturer busy. Because it was a holiday in the U.S., Tang knew he would not be interrupted by inquiries and requests from corporate headquarters. Although the corporate controller and the chief financial officer (CFO) rarely visited him in person, they frequently emailed him with questions, but only called on urgent matters due to the time difference. Additionally, his subsidiary was visited by internal auditors the month before — which didn't raise issues — and they were due for a visit from external auditors in January.</p><p>Tang suddenly received an email from the company CEO notifying him of a building purchase for a new office location in Asia. The email expressed urgency in wiring money to close the deal. Tang rarely communicated with the CEO directly, but he knew he had a bad temper and did not tolerate being questioned or challenged. </p><p>As Tang contemplated how to contact his general manager — who was on a plane — and how and whether to reach the company's CFO at home on Christmas, his phone rang. The man introduced himself as a senior manager at the company's external audit firm. He stated that he was working with the CEO on this urgent purchase and that Tang's delay of the wire would jeopardize the whole deal. Though his head was spinning, and he had lingering questions, Tang hurriedly prepared the $100,000 wire, confirmed the account information, and clicked "send." This turned out to be a scam and the funds were never recovered by the company.</p><p>The next month in the boardroom, as the multinational company tried to understand how it became the victim of such a trite, albeit somewhat sophisticated, scam, board members asked, "What questions did we not ask that could have prevented this?" 
Several reasons were named in creating this perfect storm of a failure, including national culture, which was brought up more than once.</p><p>Dutch social psychologist Geert Hofstede found that six cultural dimensions are at play in the global marketplace. One of them is the Power Distance Index (PDI) that measures the distribution of power — and wealth — between individuals in a business, culture, or nation. In a country like Singapore, where a stronger hierarchy of authority exists, it is common for subordinates to follow the whims of an authoritative figure. As a general rule, in higher PDI cultures, subordinates are less likely to question their superiors than in low PDI cultures and organizations where authority figures work more closely with subordinates and it is more acceptable to challenge authority.</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>​Lessons Learned</strong></p><ul><li>Following the letter of the control description is not enough. Ask questions regardless of whether the goal of the control is accomplished and revise the description, if necessary.</li><li>Company management should work with outside vendors, such as banks, to automate controls. </li><li>Employee training should be conducted by management or expert consultants to recognize and identify phishing schemes. The training should be comprehensive and frequent. </li><li>When working in a multinational environment, learn about national culture, identify traits that might facilitate fraud, design more robust controls, if needed, and provide additional coaching to employees.</li><li>Management should create a support structure and invest time to establish personal relationships with foreign employees to cultivate trust. 
</li></ul></td></tr></tbody></table><p>Dessalegn Getie Mihret of Deakin University in Australia conducted a study of 66 countries testing the association between national culture dimensions and exposure to fraud. His research suggests high fraud risk exposure in countries with high PDI. This was a case of external fraud but a fraud, nonetheless. In Tang's case, this cultural dimension had a double effect. Tang, being from Singapore, a high PDI culture, was uncomfortable challenging the request of the person he perceived to be the high authority. The CEO of the company was from Albania, another high PDI culture, and was infamous for not tolerating any challenge to his authority. This created a culture of fear within the company. Nobody wanted to be reprimanded by the CEO, who was known to yell and belittle his employees in public.</p><p>Another factor in this perfect storm of breakdowns was the absence of trusted advisors within the company with whom Tang could consult in the time of doubt. Because it was a holiday, Tang did not feel comfortable contacting any of his supervisors in the U.S. He did not have a close enough relationship with any of them and felt he'd be bothering them. Trust is paramount in relationships, especially in Asia, and it takes an investment of time to build it. None of the U.S. managers invested time in creating close connections with their Singaporean colleagues. </p><p>Whaling is a type of attack that uses email or website spoofing to trick the target into performing a specific action, which in this case was having the controller transfer money to an account. Cybercriminals pose as senior players within an organization targeting other important individuals at the organization with the goal of stealing money or sensitive information, or gaining access to the computer systems. 
Specifically, whaling targets key people with what appears to be communication from someone senior or influential — such as the CEO — with a request that staff are reluctant to refuse.</p><p>Internal controls help prevent such things from happening, but the existing system proved ineffective in overcoming such a strong cultural influence. In fact, the controls proved to be poorly designed for any kind of culture. The only control over bank wires was written as:</p><p><span class="ms-rteStyle-BQ">Wire transfers are submitted on the bank website. For wire payments, all the backup is given to an authorized signer, the controller/general manager/finance manager for electronic approval on the bank website.</span></p><p>Every time this control was tested during an internal audit, the controller was able to produce the documents of the secondary approval by the general manager. The letter of the control was followed. The internal auditors never asked, "Would it be theoretically possible for one person to approve and send the wire on the banking website?" Evidently, the bank website did not require a secondary approval, which allowed one person to send the wire out. </p><p>Additionally, there was a breakdown in IT security controls. The email was clear evidence of a successful phishing scheme where an attacker posed as a reputable person with the intent to defraud the organization. Adequate training to educate employees is critical to prevent these attacks and was obviously lacking in Tang's case. </p>Anna Howard
Books Bring Down the Mayor<p>Baltimore Mayor Catherine Pugh resigned last week amid an investigation into deals involving her self-published children's books, <a href="" target="_blank"> <em>The Baltimore Sun</em> reports</a>. The newspaper has published a series of articles detailing allegedly inappropriate deals. For example, Pugh sold tens of thousands of copies of books to the University of Maryland Medical System (UMMS) while she was a member of that organization's board. More recently, the paper found evidence that health insurer Kaiser Permanente had purchased Pugh's books at a time when the company was bidding for a $48 million city contract, which it eventually won. </p><p>Pugh is the second Baltimore mayor to resign from office following a scandal in this decade. In her rise to the office, Pugh was "once seen as a more ethical option in a city with a history of wrongdoing by politicians," <em>The Sun</em> noted.</p><h2>Lessons Learned</h2><p>In the wake of Mayor Pugh's resignation, Maryland's Office of the State Prosecutor has launched an investigation. In the meantime, the Baltimore City Council, UMMS, and those companies that bought copies of Pugh's books should review and strengthen policies and controls that may have contributed to the allegedly inappropriate sales. Internal auditors in those organizations can assist and advise by reviewing these areas:</p><ul><li> <strong>Organizations should review and strengthen conflict of interest/code of conduct rules, processes, and compliance testing. </strong>How was it possible that a board member was able to sell copies of her book to UMMS without raising any red flags? How was the mayor able to sell books to companies that had contractual relationships with the City of Baltimore and UMMS? 
<br> <br>If such questions were asked, those two organizations should have thoroughly reviewed these situations in accordance with a clear ethics office/code of conduct regime, supported by audit work as necessary. Perhaps an additional question for the Maryland State Prosecutor's Office to consider is whether there may be similar situations within other state and municipal institutions where conflict of interest/ethics rules need strengthening.<br> </li><li> <strong>UMMS and the state prosecutor should review grants and contracting regimes and practices. </strong> <a href="" target="_blank">An Associated Press article</a> reports that Pugh and UMMS did not have a contract in place for the $500,000 purchase of copies of her books. Also, some book purchases were classified as "grants" in filings to the federal government. <br> <br>Again, the question of whether other state institutions have similar control weaknesses is in need of review and investigation. Recognizing the systemic nature of the problem, the State of Maryland passed a new law in April that bars board members of state institutions from receiving contracts without a bidding process. That law also prohibits board members from leveraging their position on the board for personal gain.<br><br>Other companies reportedly purchased significant numbers of copies of Pugh's books. While no particular wrongdoing has been disclosed thus far, those companies should review their own ethics, conflict of interest, and contracting regimes for potentially inappropriate relationships, conduct, and "pay for play" schemes.<br></li> <br> <li> <strong>There need to be consequences for wrongdoing, including negligence and poor management, when and where it is found. </strong>Those consequences, where applied, also need public dissemination as a deterrent. Baltimore Mayor Pugh has already resigned and UMMS' CEO and President Robert Chrencik also has stepped down. 
Other individuals may face consequences as federal and state investigations are completed. These investigations may extend beyond the direct circumstances involving former Mayor Pugh. </li></ul>Art Stewart
Diagnosing Health-care Fraud<p>A U.S. federal court jury has convicted a Florida nursing home operator of carrying out the largest health-care fraud scheme prosecuted in the U.S., <a href="" target="_blank">Bloomberg reports</a>. Federal prosecutors charged Philip Esformes with 20 counts of bribing doctors to admit patients to facilities he operated, laundering money, and receiving kickbacks. Prosecutors say Esformes' facilities fraudulently billed Medicare and Medicaid more than $1.3 billion between 1998 and 2016, with Esformes receiving at least $37 million.</p><h2>Lessons Learned</h2><p>Another attempt to reform the U.S. health-care regime appears to be on the horizon. Whatever system is adopted, it needs a strong focus on continuously strengthening controls over fraudulent activity, whether from physicians, health-care professionals, operators of health-care facilities, or patients.</p><p>The U.S. Department of Health and Human Services (HHS) and its Office of the Inspector General are taking a disciplined, systematic approach to the department's fraud risk assessment and detection activities. Here are some suggestions to strengthen these efforts.</p><ul><li> <strong>Enhanced Data Analysis and Data Quality.</strong> Medicare and Medicaid are making billing and claims data available more quickly and efficiently, providing law enforcement increased access to data — including real-time data. This data also helps focus enforcement resources on high-risk geographic, organizational, and individual cluster groups. <br> <br>Authorities perform risk scoring of Medicare claims billing and payment, and test predictive models. This kind of data needs to be assessed carefully to identify cases where clusters of physicians refer patients to the same health-care provider. <br> <br>Moreover, investigators, data analysts, clinicians, and subject-matter experts work on cases in a multidisciplinary environment. 
There also needs to be a continuing emphasis on enterprisewide improvements of the accuracy and availability of data for Medicaid program integrity and oversight.<br> </li><li> <strong>Whistleblower programs. </strong>While the HHS clearly has whistleblower programs in place, it is not clear to what extent these programs are contributing to its overall fraud prevention and detection effectiveness. It also is not apparent how the programs might be reviewed for improvements. Results from a recent pilot program to estimate the overall probable level of program fraud have been delayed.<br> </li><li> <strong>Enrollment and Payment Controls.</strong> HHS should continue to implement stronger measures to screen providers and suppliers on the basis of fraud risk, with three risk levels for providers (limited, moderate, and high). The department should add the target population to this determination of risk level. For example, elderly and infirm individuals are typically more susceptible to fraudulent exploitation. <br> <br>One goal of such assessments is to identify ineligible providers or suppliers before they are enrolled or revalidated by conducting provider site visits. HHS can do this by increasing the scope and coverage of high-risk providers and suppliers such as nursing home and assisted-living facilities, independent diagnostic testing facilities, and outpatient rehabilitation providers. <br> <br>Matching billing data to payment data also is important. Increasing the frequency of surprise out-of-cycle site visits will enhance the effectiveness of this element in detecting potential fraud. And, more than just surprise visits need to happen. HHS should audit facilities and their records, particularly where the provider has been operating over a long time.<br> </li><li> <strong>Human Resources Management. 
</strong>Related to inspections, surprise or not, there should be policies and processes in place to review the placement and rotation of inspectors according to a risk-based assessment. In addition, HHS should regularly update background checks of inspectors to uncover suspicious lifestyle changes. </li></ul>Art Stewart
Whistleblower Shines Light on Fake Data<p>Duke University has settled a whistleblower lawsuit alleging that university researchers falsified data to win U.S. government research grants, <a href="" target="_blank">National Public Radio reports</a>. The lawsuit brought by researcher Joseph Thomas accused a Duke University Health Services clinical director of faking data from a lung function study between 2006 and 2018. That data enabled the university to win and retain grants from the Environmental Protection Agency and the National Institutes of Health (NIH). Further, the lawsuit alleged that university officials ignored signs of possible fraud. To settle the suit, Duke will pay the federal government $112.5 million, with Thomas receiving $33.75 million. </p><h2>Lessons Learned</h2><p>Whistleblower programs are among the most effective fraud-detection methods, but a $33 million payout to one individual is a steep price to discover research and data fraud. Here are some other measures that research organizations and grant providers could take to reduce fraud risk.</p><ul><li> <strong>Increasing understanding of how statistics and methodologies can be misused. </strong>Combining this understanding with random audits of research labs could be an affordable way to help deter data fraud and improve research quality. An October 2018 article, <a href="/2018/Pages/The-Fall-of-the-Food-Researcher.aspx">"The Fall of the Food Researcher,"</a> discussed how internal auditors can better equip themselves to detect the misuse of research data and methodology.<br><br>Further insight into this risk comes from a 2018 <a href="" target="_blank">study</a> by the Queensland University of Technology School of Public Health and Social Work, in Brisbane, Australia. The study discusses how the "publish or perish" incentive drives many researchers to increase the quantity of their papers at the cost of quality. 
That, in turn, increases the number of false positive errors that make it challenging for other researchers to reproduce those findings. The study, using simulation techniques, found that auditing just 1.35% of papers avoided the competitive spiral of false positives in 71% of cases. While fraud was not the primary focus of the research, this type of audit could be a worthwhile investment in fraud deterrence. <br> </li><li> <strong>Regulators, overseers, and professional organizations should continuously update their guidance, enforce laws, and promote awareness of the false research problem. </strong>In March 2018, the NIH began subjecting Duke's grants to stricter oversight, including requiring Duke researchers to obtain prior approval for any modifications to new and existing grants. Moreover, any application for a grant worth less than $250,000 per year must include detailed budgets justifying the costs. <br> <br>University organizations, themselves, could do more to highlight and take action against false research. For example, the Association of College & University Auditors' website currently does not have information about the research fraud issues of the Duke case.<br><br></li> <li><strong>The consolidation of research and knowledge-sharing capacity about academic fraud must be strengthened continually. </strong>One useful resource for internal auditors is the <a href="" target="_blank">Audit Research Summary<em> </em>(ARS) Database</a>, developed and maintained by the American Accounting Association. ARS contains executive summaries of approximately 700 academic audit research studies that have been published in peer-reviewed academic journals since 2005. The free database is intended to disseminate research findings to audit stakeholders timely and foster a productive dialogue about issues facing the academic and audit professions. 
Additionally, it can help identify new and persistent issues that need further investigation.<br><br> ARS is organized topically and can be searched using keywords. The summaries are written to facilitate quick and easy consumption, and avoid academic jargon and statistical analyses. The database is available via Facebook, LinkedIn, and Twitter. </li></ul>Art Stewart
Every "Where Was Internal Audit" Moment Presents an Opportunity<p><img src="/2019/PublishingImages/Open%20Door%20Clouds_445x300.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />One of the constant challenges for internal audit is to overcome being the unwelcome guest at the party. So, it is not a common occurrence when internal audit is actually invited. I bring this up in the context of the recent college admissions scandal in the United States. </p><p>In the wake of this shocking breach of admissions processes and controls, there is a growing chorus of voices saying that, based on the risks that are obviously present, it's time to include the admissions process at colleges and universities in internal audit plans. The profession should eagerly accept the invitation to step up and show the value of independent assurance. Indeed, we should see every "where was internal audit" moment as an opportunity. </p><p>Let's examine what lessons we can take from the recent scandal and how internal audit could have made a difference. But first, allow me to offer some important background.</p><p>Federal prosecutors have indicted more than 50 people — including high-profile celebrities — over a scheme to get applicants who lacked the qualifications accepted to highly competitive colleges. Authorities say the elaborate deception included bribes to coaches, cheating on college entrance examinations, and million-dollar "guarantees" of admission. </p><p>The fallout has been rapid and significant. Several coaches have been fired, admissions have been rescinded for some students, and the U.S. Department of Education has opened an investigation into the eight colleges named in the federal investigation, including Yale, Stanford, the University of Southern California, and Georgetown.</p><p>So what can we learn from the scandal?</p><p><strong>Managing admission to any group can be risky. 
</strong>Practices that involve weighing qualifications for inclusion must have controls and processes, and historically the desire to be admitted has led to people trying to get around those controls and processes. Indeed, there is an expression in English that describes this practice. "Gaming the system" is manipulating the rules and procedures to achieve a desired outcome. The admissions scandal is a perfect example of gaming the system. In a process that involves some level of subjectivity, manipulation can take on many forms, including bribery, fraud, and corruption.</p><p><strong>There are risks associated with relying on outside testing organizations. </strong>In the current scandal, several parents are accused of paying to have others take standardized college tests for their children or to have test answers provided to them. </p><p>Most colleges and universities in the United States rely on standardized test scores as part of their admissions criteria. The two most prominent are the Scholastic Aptitude Test (SAT) and the American College Test (ACT). Both measure high school graduates' ability to do college-level work, and about 4 million students take these tests annually. Both tests are run by independent, nonprofit companies.</p><p>From a control perspective, internal audit would likely question the reliance on a third party for entrance examinations without some level of oversight. Colleges and universities are not involved in the test creation, administration, or scoring, yet they rely heavily on the test scores in the admissions process.</p><p><strong>Formal exceptions to the rules create opportunities for abuse. </strong>Formal exceptions to admissions processes have been created to allow for members of any number of groups, including minorities and athletes, to gain access to higher education. 
The latter has created an entire subculture of risk associated with college sports.</p><p>In the current admissions scandal, authorities say college coaches were bribed to get candidates admitted. One high-profile example involves a celebrity couple allegedly paying $500,000 to have their daughters designated as recruits for the University of Southern California crew team, even though neither daughter had ever participated in the sport. </p><p>Internal audit can provide assurance on the effectiveness of controls and processes for any formal exception to the admissions process, including how applicants are designated as team recruits and verifying those who actually play the sport.</p><p><strong>Informal exceptions send mixed messages. </strong>The scandal reflects the extreme lengths to which some parents will go to ensure their children are accepted to elite universities and colleges. This effort to "get in through a side door" clearly crosses legal lines when bribery and fraud are employed. </p><p>However, there have long been two informal "back doors" to the admissions process. One involves special consideration for the children of donors to colleges and universities. These instances, known as "developmental cases," are an understood but generally unspoken part of most university admissions processes. Similarly, "legacy preference" or "legacy admission" is a widespread practice where admissions preference is given to applicants who have a familial relationship to alumni of the college or university.</p><p>Providing assurance over such practices would be awkward and contentious for internal audit in that the exceptions are not entirely based on objective criteria about the strengths or weaknesses of an applicant. 
But they do effectively support college and university endowments.</p><p>It is unclear whether the current admissions scandal will lead to substantive changes in admissions processes driven by a genuine desire for transparency and accountability. What is clear is that such transparency and accountability would require significant changes in admissions practices — some dating back centuries.</p><p>As always, I look forward to your comments.<br></p>Richard Chambers
Big Scam on Campus<p>Corporate executives and entertainment celebrities are among 50 individuals charged with bribing university administrators and coaches, and cheating on entrance exams to get their children admitted to elite U.S. universities, according to <a href="" target="_blank">news reports</a>. Admissions consultant William Singer <a href="" target="_blank">has pleaded guilty</a> to charges that he took in $25 million through a charitable foundation that was a front for guaranteeing acceptances. </p><p>One part of the scheme involved bribing college entrance exam administrators to facilitate cheating on those tests and paying other individuals to take the exams for their children, the U.S. Justice Department alleges. Other parents allegedly paid coaches to designate their children as athletic recruits to increase their chances of being admitted. Some of those "athletes" had not played the sports competitively. Several of the universities have fired or suspended coaches and administrators charged in the scheme.</p><h2>Lessons Learned</h2><p>Most of the attention on this story has focused on the perpetrators of admissions application fraud: wealthy parents, college coaches, and admissions consultants. Looking at what happened more systematically, however, it is the academic institutions that need to re-evaluate their admissions policies and procedures to ensure that all applicants are assessed adequately. Colleges should strive toward as transparent and purely merit-based an admissions system as possible. </p><p>This kind of review and re-assessment also should be an opportunity to both streamline the applications process and make it more likely that admissions fraud is spotted earlier. The application process in the U.S. is complicated, with varying requirements by school, program, and level of education for both domestic and international students. 
Universities require many documentation types such as letters of recommendation, SAT scores, personal essays and statements, and high school transcripts with grade point averages.</p><p>Here are some elements for review, with the help of internal auditors:</p><ul><li> <strong>Review how applicant documentation and testing is conducted to better authenticate who the applicants are. </strong>Admissions assessors need to gain as much insight into an applicant as possible, but admissions consultants can make that job nearly impossible. Universities should maximize the use of video or in-person interviews of applicants to detect impersonation, plagiarism, or other forms of fraud.<br><br>There are specialized types of software that add an interactive video and written component to the admissions application. A typical assessment comprises three to five video and written questions, presented in random order, that are randomly selected by assessors from a pool. Applicants only have one chance to answer each question. The interviews can be conveniently done via webcam or smartphone. <br> <br>Assessors can compare these timed responses with other materials applicants submitted earlier in the application process. A large discrepancy may indicate that the applicant used a consultant or other substitute for his or her admissions essay or other documentation. If group or individual testing is conducted, universities should cross-match required proof of identification to prevent substitutes. This should include checking whether documentation such as a driver's license has been tampered with.<br> </li><li> <strong>Scrutinize applications material carefully for signs of plagiarism. </strong>Universities and auditors can use software and other techniques to efficiently scan large quantities of information. Such techniques have been used in other types of organizations to detect fraudulent internet sellers and reviewers. 
<br> <br>Universities should scan all — not just suspicious looking — applicant résumés, personal statements, and written essays to identify similarities with other written work on the web. Such scans are particularly important now that it is easy to access this material online and admissions consultants have become prevalent. The software can assemble a report containing samples of different suspect types to aid assessors and supervisors in deciding what steps to take next.<br> </li><li> <strong>Set, monitor, and enforce clear standards for the role of admissions consultants and essay-writing services. </strong>There are many legitimate services that can be provided, such as proofreading and editing student essays, but having a third party write an admissions essay or recommendation letter is fraud. Writing students' entire admissions application for them or coaching them through the application from start to finish is unacceptable. For example, less scrupulous consultants will ask applicants where they are applying and help them develop a custom, often perfect-looking strategy to apply for that school.<br><br>Putting in place more rigorous requirements for these services could help reduce the problem. Examples of requirements are background checks on consultants, certification, and specific declarations in the applications process.<br> </li><li> <strong>Communicate anti-fraud and anti-plagiarism measures to the public, particularly at the start of the application process.</strong> Such communication could include an "admissions fraud" page on the university's website. This page could discuss admissions policies and procedures in relation to how the university defines fraud and plagiarism in an application. It also could detail the appropriate uses of admissions consultants and other advisors.<br> </li><li> <strong>Ensure that all academic staff members are aware of the code of ethics/conduct requirements relating to admissions fraud. 
</strong>The university should enforce these requirements with significant penalties for violations. Also, the requirements should be supported by regular background checks of staff.<br> </li></ul><p>One step in dealing with this kind of fraud is to consider whether a college credential is the only prerequisite to a productive life. Perhaps the problem is not that too few students are going to college, but that too many are. Placing greater value on vocational training and hands-on work experience could help alleviate the drive for admissions fraud and solve workforce skills shortages. </p>Art Stewart
The Phony Customer Fraud<p>Brightstar Corp. is a solar panel company with an annual revenue of $4.5 billion. It had recently acquired Solarstar Inc., a smaller competitor. Both companies employ commission-only sales representatives; however, commission plans vary between the companies. Brightstar pays sales representatives upon the installation of a solar panel system, while Solarstar’s commission plan pays half a commission upon the signing of a customer contract. The remaining commission is paid after installation of the system. If the customer cancels the installation, the commission already paid is clawed back against future commissions.</p><p>Robert Schull and Alysa Cayden, Brightstar’s forensic audit team, were conducting a training session with the recently hired director of compensation, Lisa Myers, on fraud schemes perpetrated by sales representatives. At the end of the presentation, Myers approached Schull and Cayden to discuss her concerns about Eddie Fogbottom, a sales representative in the Austin, Texas, market.</p><p>Fogbottom was a rising superstar at Solarstar. Before joining the company, he was an executive in loss prevention at several large publicly traded companies. He had incredible success as a sales representative and was recently promoted into a highly sought-after manager role within the company’s national sales team. Shortly after accepting his new position, 39 of Fogbottom’s sales were cancelled, representing $10,000 in commissions that would need to be clawed back. Because it was such a large amount, Myers contacted him to discuss a repayment plan.</p><p>Fogbottom told Myers that the company could not claw back the commissions. When he was promoted, he had a clause written into his offer letter allowing him to keep all commissions for prior sales, even if customers cancelled their accounts. Myers suspected fraud.</p><p>Solarstar uses electronic contracts, which are emailed to the customer when completed. 
The customer reviews the contract, and electronically signs and returns it. Contracts are not legally binding until the contract is returned and a down payment is received. An electronic time and date stamp is recorded on the contract as well as the customer’s computer internet protocol (IP) address.</p><p>Schull and Cayden began reviewing the cancelled contracts. The team identified several days where Fogbottom sold products to multiple customers in what appeared to be strip malls in the Austin market. What caught the attention of Schull and Cayden was the fact that the contracts were signed and returned within several minutes of each other. Even more perplexing, the contracts were returned from the same IP address. </p><p>The team began conducting customer service calls to the alleged customers to determine why they cancelled their purchases. Surprisingly, none of the phone numbers documented on the contracts were in service. In addition, an internet review of the customers revealed that not a single customer had an internet presence. </p><p>The investigation team turned their attention to the down payments received on the contracts. Solarstar required its sales representatives to collect a down payment when a customer signed a contract. The sales representative would document the collection in the company’s order system. If the down payment was paid with a check, the sales representative would bring the check into the local sales office to be compiled and sent to the company’s lockbox. A review of the order system revealed that Fogbottom documented that checks were obtained during the contracting process, but none of them had been received in the lockbox.</p><p>Cayden reviewed the customer sites using Google Earth. The review revealed that many of the customer locations did not appear to exist or had been constructed after Google’s last update. Schull enlisted the assistance of Brightstar’s area general manager, Michael Gonzalez. 
A 25-year Brightstar veteran and lifelong resident of Austin, Gonzalez accompanied Schull to the customer locations. It came as no surprise when Schull and Gonzalez found themselves standing in empty fields. Schull documented the visits with photos of the alleged customer sites.</p><p>Schull then reviewed Fogbottom’s employment history. An internet search revealed that Fogbottom had, in fact, worked for the organizations he had listed on his résumé. However, no references were listed in his employment file. Schull was suspicious about why a former loss prevention executive would accept an entry-level sales position.</p><p>Fogbottom was asked to come to the Austin office for an interview with Schull and Karol Vesey from human resources. Schull believed the interview would be challenging as Fogbottom had extensive interviewing experience in his loss prevention role. During the initial stages of the interview, Fogbottom presented himself as a professional loss prevention executive turned successful national sales manager. He bragged about his experience and connections to the community. </p><p>When presented with the photographs of the empty fields, Fogbottom’s demeanor changed. He alleged that a general contractor named Sal was constructing all three strip malls, and that the customers met him at a local coffee shop where they all completed their contracts in succession. Fogbottom could not remember Sal’s last name or produce a contact number for him or any of the alleged customers. Initially, Fogbottom refused to admit that he falsified the contracts in question. However, after an extensive interview, Fogbottom admitted that he was having personal problems and was fired from his former employer. He also admitted that he falsified the contracts for the commissions because he had taken a substantial pay cut from his previous role and was having trouble making ends meet. </p><p>Fogbottom was terminated, but no charges were brought, and the money was clawed back. 
Solarstar updated its commission plans to only pay sales representatives upon installation. Two weeks after Fogbottom’s termination, Schull received a call from Brightstar’s Fresno, Calif., office where the same fraud scheme was suspected and later validated.</p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong>Lessons Learned</strong><br><ul><li>A combination of fundamental internal control activities helps minimize fraud.</li><li>Conduct and update a fraud risk assessment regularly. In this case, a fraud risk assessment should have identified the control weakness in the backlog report, commission payment process, and revenue reconciliation process.</li><li>Conduct appropriate background checks on key employees to identify any red flags for possible unethical behavior.</li><li>Perform regular reviews of installation backlog reports to identify irregular activities. Detecting any potential exploitation is the best approach to minimizing negative unintended consequences. </li><li>Conduct monthly reconciliations of revenue collections. Discrepancies should be researched immediately and escalated if unresolved. </li></ul></td></tr></tbody></table>Grant Wahlstrom
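<p>The two red flags the audit team found in the case above (contracts returned minutes apart from one IP address, and down-payment checks logged in the order system that never reached the lockbox) can be tested for routinely. The following is an added example, not part of the original article; the record layout, thresholds, and sample data are assumptions constructed for illustration.</p>

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. The field layout is an assumption for illustration:
# (contract_id, sales_rep, signed_at, signer_ip, check_logged_in_order_system)
CONTRACTS = [
    ("C-1001", "rep_17", "2019-03-04 10:02", "203.0.113.25", True),
    ("C-1002", "rep_17", "2019-03-04 10:06", "203.0.113.25", True),
    ("C-1003", "rep_17", "2019-03-04 10:11", "203.0.113.25", True),
    ("C-1004", "rep_17", "2019-03-04 10:15", "203.0.113.25", True),
    ("C-2001", "rep_17", "2019-03-05 14:30", "198.51.100.7", True),
    ("C-3001", "rep_22", "2019-03-04 09:10", "192.0.2.40", True),
    ("C-3002", "rep_22", "2019-03-04 16:45", "192.0.2.40", True),
]
# Contract ids whose down-payment check actually arrived at the lockbox.
LOCKBOX_RECEIPTS = {"C-2001", "C-3001"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def signing_bursts(contracts, window=timedelta(minutes=15), min_size=3):
    """Group by (rep, signer IP) and return runs of at least `min_size`
    contracts in which each signature follows the previous within `window`."""
    groups = defaultdict(list)
    for cid, rep, signed_at, ip, _logged in contracts:
        groups[(rep, ip)].append((_parse(signed_at), cid))
    bursts = []
    for (rep, ip), items in groups.items():
        items.sort()
        run = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if cur[0] - prev[0] <= window:
                run.append(cur)
                continue
            if len(run) >= min_size:
                bursts.append((rep, ip, [c for _, c in run]))
            run = [cur]
        if len(run) >= min_size:
            bursts.append((rep, ip, [c for _, c in run]))
    return bursts


def missing_down_payments(contracts, lockbox_receipts):
    """Contracts where a check was logged but never reached the lockbox."""
    return sorted(cid for cid, _rep, _ts, _ip, logged in contracts
                  if logged and cid not in lockbox_receipts)


def review_queue(contracts, lockbox_receipts):
    """Contracts that hit both red flags, for manual follow-up."""
    in_burst = {cid for _rep, _ip, ids in signing_bursts(contracts) for cid in ids}
    return sorted(in_burst & set(missing_down_payments(contracts, lockbox_receipts)))


if __name__ == "__main__":
    for rep, ip, ids in signing_bursts(CONTRACTS):
        print(f"{rep}: {len(ids)} contracts signed in quick succession from {ip}")
    print("Escalate:", review_queue(CONTRACTS, LOCKBOX_RECEIPTS))
```

<p>A single unreconciled check (C-3002 in the sample) still belongs in the monthly revenue reconciliation; the combined queue only prioritizes contracts where both signals coincide.</p>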
When You Spot Fraud, Don't Break the Eggs<p><img src="/2019/PublishingImages/Foot%20Over%20Eggshells.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />The <em>International Standards for the Professional Practice of Internal Auditing </em>are clear: Internal auditors must possess the knowledge, skills, and competencies needed to carry out their responsibilities. Some internal auditors also have the knowledge and skills to carry out a fraud examination effectively, but <em>most do not</em>. And in an upcoming position paper, The IIA emphasizes that internal auditors should not be expected to have the expertise of those professionals whose primary responsibility is to investigate fraud. The IIA believes fraud investigations are best carried out by those experienced to undertake such assignments.<br></p><p>Hopefully, your organization has a fraud response plan that assigns specific duties and responsibilities. But if not, don't automatically assume that, as an internal auditor, you should undertake a fraud investigation single-handedly or that you should lead a fraud investigation team yourself.<br></p><p>We all need to be familiar with the indicators of fraud, and we need to be able to evaluate anti-fraud controls. But few internal auditors are fully equipped to be fraud investigators. An interrogation is very different from an audit interview, and there can be great risk between reviewing evidence and contaminating it. When fraud is suspected, a simple mistake can easily become a costly and career-limiting move.<br></p><p>I have seen too many instances during my career where well-intentioned internal auditors inadvertently damaged the chances of a successful fraud investigation because they were either careless or simply didn't understand the risks of their actions. I always cautioned my teams to be careful not to "break the eggs" when they came upon a potential fraud during the course of an internal audit. 
From my experience, the following are just a few types of mistakes that internal auditors can make when they encounter evidence of fraud.<br></p><ol><li><strong>Do not discuss the situation with anyone who does not have a need to know.</strong><strong> </strong>Even the existence of an investigation should be kept confidential. Keep in mind that the scope of an occupational fraud is often bigger than it first appears, and you may not yet have identified everyone who is involved in the crime. Our profession's Code of Ethics requires confidentiality, and it's not appropriate to chat about new or ongoing investigations even with other internal auditors. </li><li><strong>Do not make accusations or rush to judgment.</strong><strong> </strong>The evidence may appear to indicate that someone has committed a crime, but accusations can lead to charges of slander, libel, or wrongful termination. It should rarely be an internal auditor's job to accuse anyone of fraud, so contact your supervisor before saying something you might later regret.</li><li><strong>Do not disrupt operations.</strong><strong> </strong>If you do, you may tip off potential fraudsters that they are under suspicion. Your actions may cause them to destroy important evidence, to warn accomplices, or to take other actions that can undermine an investigation.</li><li><strong>Do not disturb a potential crime scene or do anything that might contaminate or destroy digital evidence.</strong><strong> </strong>Internal auditors are good at examining evidence, but special care must be taken during investigations. For example, it may seem appropriate to examine a suspect's computer records or to make a backup copy of his or her files. But computer forensics experts never perform analysis on original media. Simply by turning on a suspect's computer, opening a file, or making a backup, you are changing digital time stamps and hash values, potentially compromising important evidence. 
At times, action is unavoidable: It may be necessary to isolate a computer to prevent connections into and out of the system, for example. But preserving digital evidence is tricky. Unless you have specialized training in computer forensics, call for help before proceeding.</li><li><strong>Do not fail </strong><strong>to swiftly alert legal counsel and human resources professionals. </strong>It's likely your fraud response plan states that it's necessary to brief legal counsel and a human resources (HR) representative before a formal investigation is launched. HR input can be especially important if termination or other disciplinary actions might result from the investigation. Depending upon the circumstances, your organization may be required to make disclosures about criminal activities to regulators, law enforcement, clients, shareholders, or other parties. Legal counsel can help to ensure that regulatory requirements are not overlooked; and attorney-client privilege can help protect your organization from disclosure of details that it might not want to make public immediately. </li><li><strong>Do not assume you should perform interrogations.</strong><strong> </strong>When performed with expertise, interrogations can be an excellent source of information. Without that expertise, an investigation can be irreparably damaged. Internal audit interviews and discussions often employ collaborative approaches that are not necessarily appropriate during investigations; but an accusative approach can also be a big mistake. Nobody wants a hostile or defensive suspect.</li><li><strong>Do not neglect your files</strong><strong>. </strong>It's never a good idea to leave internal audit workpapers unsecured, but when fraud is involved, keeping documentation safe and confidential is particularly important. Having a copy of a document is not as good as having the original.</li></ol><p>Fraud investigations can be high-risk engagements. 
If you think there is a possibility of fraud, don't break the eggs. You should not take any action that might tip off potential fraudsters or compromise evidence so that it can't be investigated later. I don't mean to imply that internal audit should never be involved in fraud investigations, but if the internal auditors are not fully trained investigators, it's time to seek help from specialists. A wise internal auditor understands the limits of his or her own knowledge and knows when to ask for help.</p><p>I look forward to your thoughts on this important subject.<br></p>Richard Chambers
Glowing Reviews<p>In a first-ever case, the U.S. Federal Trade Commission (FTC) announced that a supplement company has agreed to settle charges of paying for false product reviews on Amazon, <a href="" target="_blank">The Verge reports</a>. Cure Encapsulations Inc. paid third-party website <span>amazonverifiedreviews</span><span>.</span><span>com</span> to write reviews for its garcinia cambogia weight-loss supplement. To settle with the FTC, the company agreed to stop making claims about the health benefits of its products unless they are supported by "competent and reliable" scientific evidence. The settlement bars Cure Encapsulations from misrepresenting endorsements, and it directs the company to inform Amazon and customers who purchased the product that it paid for reviews. </p><h2>Lessons Learned</h2><p>The ubiquity of e-commerce has attracted much fakery — both on the part of sellers and users. Faked reviews using techniques such as "opinion spamming," "shilling," and "astroturfing" represent part of a much larger and still growing worldwide trend. One example is how people have come to consider reviews of travel sites and experiences as often not real. Similarly, people should be skeptical of many seller claims, particularly where these involve promises of better health and wealth. </p><p>Previous fraud stories have covered faked user reviews, fraudulent scientific research, and the scamming of authors who pay to have their work published in fake scientific journals. Some of the relevant advice is worth restating here. Meanwhile, the FTC is making strides against this kind of fraud and sending an appropriate message to its perpetrators. But what more can be done?</p><p>E-commerce companies such as Amazon have established quality standards — particularly when health and wealth-making claims are made by sellers. In this case, Cure Encapsulations violated Amazon's rules about promotional content. 
E-commerce sites also may demand and review verifiable supporting evidence. But, where such evidence is not forthcoming or sufficiently definitive, sellers' advertisements and offerings should be required to include a clear and suitable disclaimer that the product or service has not been independently verified. </p><p>Setting a stricter bar to require this kind of disclaimer would further discourage fraudulent claims and reviews. Signed disclosure agreements should be mandatory and should include identifying relationships among vendors, reviewers, and entities such as products and stores. This is particularly necessary where there may be compensation, either in kind or financially. Companies should conduct regular spot checks and audits of both disclosure agreements and disclaimers.</p><p>To look for this type of fraud, companies that host sellers, and their internal auditors, need to use statistical and artificial intelligence-based fraud-detection methodologies. Quantitative, web-based data mining such as pattern discovery and relational modeling can be particularly effective at finding red flags, including: </p><ul><li> <strong>Reviewer behaviors that should be further scrutinized.</strong> Public data available from websites can be data-mined, including user profile/reviewer IDs, time of posting, frequency of posting, instances of first reviewers of products, and posting of the same or similar reviews at other locations of the same company. For example, a username that has more than three numbers at the end could indicate an automated program is at work. <br> <br>Also, search website private/internal data, such as internet protocol and media access control addresses, time taken to post a review, the number of reviewers who created accounts around the same time — including at the time a domain name was registered — and physical location of the reviewer. 
Follow up on any behavioral red flags detected.<br><br></li> <li><strong>The content of reviews.</strong> This includes obvious content and style similarities among reviews by different reviewers, and copying and pasting reviews by other reviewers. Patterns in the use of overly positive, and negative, language or marketing jargon normally not used by most people also can be signs of made-up reviews. Finally, look for unique phrasings such as word n-grams and part-of-speech n-grams — contiguous sequences of <em>n</em> items from a given sample of text or speech — which can be searched via data mining. </li></ul>Art Stewart
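<p>The reviewer-behavior and review-content red flags listed above can be combined into one screening pass; the same word n-gram comparison also applies to the application-essay similarity scans described under "Big Scam on Campus." This is an added example, not part of the original article. The sample reviews, the 0.5 similarity threshold, and the one-day account-creation window are assumptions constructed for illustration.</p>

```python
import re
from collections import defaultdict
from datetime import date, timedelta
from itertools import combinations

# Constructed sample data: usernames, dates and texts are invented for illustration.
REVIEWS = [
    {"user": "slimdown48213", "created": date(2019, 1, 5),
     "text": "This product changed my life, I lost twenty pounds in three weeks with no side effects"},
    {"user": "jenny_k", "created": date(2019, 1, 5),
     "text": "This product changed my life, I lost twenty pounds in three weeks with zero side effects"},
    {"user": "trailrunner_mo", "created": date(2017, 6, 12),
     "text": "Capsules are large and hard to swallow, and I saw no change after a month"},
    {"user": "fitmom90017", "created": date(2019, 1, 6),
     "text": "Arrived on time. Too early to tell whether it works."},
]


def word_ngrams(text, n=3):
    """Set of contiguous n-word sequences, lower-cased, punctuation dropped."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def has_numeric_suffix(username, min_digits=4):
    """True when the name ends in more than three digits."""
    match = re.search(r"\d+$", username)
    return match is not None and len(match.group()) >= min_digits


def similar_pairs(reviews, n=3, threshold=0.5):
    """Pairs of different reviewers whose n-gram sets have Jaccard >= threshold."""
    grams = [word_ngrams(r["text"], n) for r in reviews]
    pairs = []
    for i, j in combinations(range(len(reviews)), 2):
        union = grams[i] | grams[j]
        if reviews[i]["user"] == reviews[j]["user"] or not union:
            continue
        score = len(grams[i] & grams[j]) / len(union)
        if score >= threshold:
            pairs.append((reviews[i]["user"], reviews[j]["user"], round(score, 2)))
    return pairs


def creation_clusters(reviews, window=timedelta(days=1), min_size=3):
    """Runs of >= min_size accounts, each created within `window` of the previous."""
    accounts = sorted({(r["created"], r["user"]) for r in reviews})
    clusters, run = [], accounts[:1]
    for prev, cur in zip(accounts, accounts[1:]):
        if cur[0] - prev[0] <= window:
            run.append(cur)
            continue
        if len(run) >= min_size:
            clusters.append([u for _, u in run])
        run = [cur]
    if len(run) >= min_size:
        clusters.append([u for _, u in run])
    return clusters


def red_flags(reviews):
    """Map each flagged reviewer to the sorted list of signals that fired."""
    flags = defaultdict(set)
    for r in reviews:
        if has_numeric_suffix(r["user"]):
            flags[r["user"]].add("numeric_suffix")
    for a, b, _score in similar_pairs(reviews):
        flags[a].add("near_duplicate_text")
        flags[b].add("near_duplicate_text")
    for cluster in creation_clusters(reviews):
        for user in cluster:
            flags[user].add("created_in_cluster")
    return {user: sorted(f) for user, f in flags.items()}
```

<p>Each signal alone produces false positives (many legitimate usernames end in digits), so the output is a list for human follow-up rather than a verdict.</p>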
