Rent a Vet a Vet<p>​A Kansas City-area construction company made false claims to obtain $13.8 million in government contracts through a program aimed at assisting businesses owned and operated by U.S. military veterans, the <a href="" target="_blank" style="background-color:#ffffff;"> <em>Kansas City Star</em> reports</a>. Patriot Construction Co. won 20 government contracts by claiming that it was partially owned by a veteran. However, although co-owner Paul Salavitch was a service-disabled veteran, he actually was not involved in its day-to-day operations, as required by the U.S. Veterans Administration's Service-Disabled Veteran-Owned Small Business (SDVOSB) program. Instead, he was a full-time U.S. Department of Defense employee. Jeffrey Wilson, the co-owner who ran the business, was not a veteran. Federal prosecutors say the scheme prevented legitimate veteran-owned businesses from winning those contracts. Wilson has pleaded guilty to government program fraud, while Salavitch pleaded guilty to making a false writing.</p><h2>Lessons Learned</h2><p>Front and center among the lessons learned from this news story is that both the design and controls over well-intended government programs for special groups must be robust, adapt to changing environments and threats, and verified regularly for effectiveness. The consequences of failing to assess the design and controls are substantial. According to a 2011 VA Office of the Inspector General (OIG) <a href="" target="_blank">report on the program</a> (PDF) — the most recent report I have found — "76 percent of businesses reviewed were ineligible for either the program and/or the specific [Veteran-Owned Small Business (VOSB)] or SDVOSB contract award, potentially resulting in $2.5 billion awarded to ineligible businesses over the next five years." </p><p>Here are the major kinds of issues and recommendations internal auditors should be thinking about when auditing these kinds of programs:</p><ul><li> <strong>Eligibility.</strong><strong> </strong>To be eligible to pursue contracts under the SDVOSB program, a service-disabled person has to own at least 51 percent of the business, control its management and daily operation, and hold its highest officer position. The application process and eligibility requirements for this VA program <a href="" target="_blank" style="background-color:#ffffff;">are available online</a>. However, verification of program eligibility relies heavily on the documentation applicants submit. According to the VA, this includes the resumes of all owners, directors, partners, officers, and other key personnel. The one- to two-page chronological resume should list the person's current and previous occupation, job description and duties, education, personally identifying information, dates, skills, and abilities. <br><br></li><li> <strong>Program Controls.</strong> Unfortunately, it does not appear that these documents are fully scrutinized and verified. The VA's OIG report found that the program's oversight and verification controls were inadequate. Relevant to this news story, the report noted that businesses were ineligible because the veteran owners subcontracted more work to nonveteran-owned businesses than allowed under regulations. In other cases, veterans did not really control or own the businesses. These program control problems have been longstanding issues for the VA. Tighter controls over verification of the status of subcontractors involved in SDVOSB applications is needed, along with better oversight and staff training, as noted by the VA's OIG.​<br><br></li><li> <strong>Remedies.</strong> The VA has taken steps to redress the program's control weaknesses, including making several changes to program controls, policies, and human resources competencies. It also conducts unannounced site visits to companies that have been awarded contracts to catch fraud. This is how Salavitch was found to be working 40 miles away at his full-time job as a federal employee. More recently, the VA announced it will launch the "Seek to Prevent Fraud, Waste, and Abuse (STOP FWA)" initiative, which will leverage departmental activities that prevent or identify FWA and ensure a consistent approach to FWA risk management. More relevant to this story, the VA's Office of Small and Disadvantaged Business Utilization will roll out a new system to more effectively manage all aspects of verification as well as provide a single entry point for information, resources, and online applications.<br><br>Given all these changes, it will be interesting to see what the next full audit of the SDVOSB program looks like compared to the 2011 report.​</li></ul><p> <br> </p>Art Stewart0
The Beef With the Accountant Beef With the Accountant<p>​A federal court has sentenced a former Oklahoma Beef Council (OBC) accountant who was found guilty of embezzling $2.68 million from the O​klahoma Beef Council to 57 months in prison, <a href="" target="_blank" style="background-color:#ffffff;"> <em>The Oklahoman</em> reports</a>. Prosecutors say Melissa Day Morton forged organization checks to steal from the nonprofit trade association from 2009 to 2016. The OBC has filed suit against a local accounting firm that had performed external audits of its finances. The organization alleges the firm's audit opinions were "incorrect and misleading" and did not comply with applicable audit standards.</p><h2>Lessons Learned</h2><p>The twin sides to this​ story illustrate that management and the auditor could have done more to prevent the theft of $2.68 million by a trusted employee.</p><p>For the OBC's management, it is telling that it now has taken steps to prevent this kind of fraud, including contracting with a third-party accounting firm, implementing a five-step financial review process, and instituting an audit/risk committee with an independent audit advisor to the committee. To that list, there are additional measures that the OBC could take, including:</p><ul><li>Human resource management policy and systems changes, including a clear conflict of interest code and anti-fraud policies that clearly communicate expectations of employees and consequences of noncompliance. Another change is stronger emphasis on rotation of staff members in sensitive or responsible positions. In this case, the fraudster had done the same job for at least seven years while she stole the OBC's money.<br></li><li>Rigorous background/security checks, at least for those in sensitive jobs, not only before hiring but also throughout their employment. These checks should ascertain whether significant unexplained employee lifestyle changes are occurring.<br></li><li>A tips/whistleblower program that encourages employees to come forward to identify suspicious and potentially fraudulent behaviors without fear of reprisal.<br></li></ul><p> ​<br> </p><p>For the auditor, we don't have all of the facts to judge whether the OBC's accounting firm failed to perform its audit work in compliance with audit standards. Moreover, it is debatable whether the OBC demonstrated "management's responsibility to design and implement programs and controls to prevent, deter, and detect fraud," as stated in the U.S. Public Company Accounting Oversight Board's (PCAOB's) Accounting Standard (AS) 2401: Consideration of Fraud in a Financial Statement Audit.</p><p>An interesting aspect of this issue, which is increasingly becoming part of large financial fraud cases following the 2008 financial crisis, is the role of the external auditor in finding fraud. PCAOB guidance, Responsibilities and Functions of the Independent Auditor, states in paragraph 2 that: "The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud." </p><p>Much good advice for auditors can be found in the PCAOB's guidance. In particular, two key and balancing points from AS 2401 may be relevant for determining whether the OBC's auditor failed to perform its work within acceptable standards:</p><ul><li>"However, absolute assurance is not attainable and thus even a properly planned and performed audit may not detect a material misstatement resulting from fraud. A material misstatement may not be detected because of the nature of audit evidence or because the characteristics of fraud as discussed above may cause the auditor to rely unknowingly on audit evidence that appears to be valid, but is, in fact, false and fraudulent. Furthermore, audit procedures that are effective for detecting an error may be ineffective for detecting fraud." (paragraph 12)<br> </li><li>"Due professional care requires the auditor to exercise professional skepticism. <em>See</em> AS 1015.07 through .09. Because of the characteristics of fraud, the auditor's exercise of professional skepticism is important when considering the fraud risks. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence. The auditor should conduct the engagement with a mindset that recognizes the possibility that a material misstatement due to fraud could be present, regardless of any past experience with the entity and regardless of the auditor's belief about management's honesty and integrity. Furthermore, professional skepticism requires an ongoing questioning of whether the information and evidence obtained suggests that a material misstatement due to fraud has occurred. In exercising professional skepticism in gathering and evaluating evidence, the auditor should not be satisfied with less-than-persuasive evidence because of a belief that management is honest." (paragraph 13)</li></ul><p></p> <p>This second issue is a discussion for another article. What do readers think? ​​</p>Art Stewart0
When Good Accountants Go Bad, More Questions Are Raised Than Answered Good Accountants Go Bad, More Questions Are Raised Than Answered<p>​</p><p>I'm sure I visibly cringed when I read news accounts of criminal charges being brought against former U.S. Public Company Accounting Oversight Board (PCAOB) and KPMG employees, who are accused of using leaked PCAOB information to help the Big Four firm improve its audit results.</p><p>These charges are unproven in a court of law and all of those charged deserve the presumption of innocence at this point. However, the mere allegation that such a betrayal of ethics took place is painful, and it delivers a black eye on the accounting/auditing professions. Yet, it certainly is not without precedent. I've written many times that good people do bad things, and smart people do stupid things. It is part of the human condition — that imperfection that makes us who we are. However, what is alleged in this instance takes us a step beyond simple human error or irresponsibility. It actually raises more questions than it answers.</p><p>Details of the scandal came to light through federal criminal charges brought against three former PCAOB employees and three former KPMG employees. On his final day at work, one PCAOB employee is alleged to have copied a list of accounting firm audits scheduled to be inspected by the regulator in 2015. He then shared the list with employees of his new employer, KPMG. The two other PCAOB employees are accused of leaking PCAOB inspection plans through February 2017. KPMG hired the second PCAOB employee while the third allegedly courted the company by offering additional insider information.</p><p>If what is described is accurate, the extent of the ethical lapses exhibited by the accused is appalling. The KPMG employees, who include a national managing partner for audit quality, a partner-in-charge for inspections, and a banking and capital markets group co-leader, were allegedly willing to accept and use highly confidential information to avoid detection of audit deficiencies and the internal fallout (and public scrutiny) that comes with them. The alleged ethics violations by their PCAOB accomplices were, in my view, even more disturbing. One expects that regulatory employees have some personal commitment — if not genuine zeal — to make sure the rules they oversee are being followed. To actively work against the organization you represent for personal gain is despicable.</p><p>Despite the reputational damage to both organizations created by this evolving scandal, based on information disclosed thus far, there may be some encouraging lessons to be taken from it. KPMG's U.S. entity appears to have acted swiftly in notifying authorities when it discovered the issue last year. It hired outside legal counsel to investigate the incident and fired the employees involved. Having worked for and with Big Four firms for many years, this does not surprise me. I have personally seen their commitment at the most senior levels to promoting and supporting legal and ethical behavior. By the same token, the U.S. Securities and Exchange Commission has also brought charges against employees of the PCAOB, which resides under its jurisdiction. In other words, neither organization seems to be shrinking from responsibility at this point. </p><p>Overshadowing the encouraging lessons, however, the burgeoning scandal raises a number of troubling questions:</p><ul><li>Why would obviously gifted accountants who have risen to the pinnacle of their profession willingly risk it all to traffic in illicit information?</li><li>Has the PCAOB inspection process become so onerous and unforgiving that the schedule of upcoming inspections would be worth such risks on the part of accounting professionals?</li><li>Have the consequences of failed inspections become so dire that even national partners are willing to risk unthinkable consequences in order to mitigate the risks of failed inspections?</li><li>Why would the value of an upcoming PCAOB inspection schedule be worth a potential job in a Big Four firm?</li><li>Are the revolving doors between the PCAOB (and other federal regulators) too lax? </li><li>Should there be an extended cooling off period between assignments at the regulators and the regulated?</li><li>How does the accounting/auditing profession sustain public trust in the face of such serious allegations?</li></ul><p>I would encourage officials at the firms and the regulators to address these questions even as the wheels of justice turn on the charges.</p><p>One of the reasons I cringed upon hearing about this scandal is that I know many extraordinary professionals at both KPMG and the PCAOB. I do not for one minute believe that their reputations should be tarnished by the alleged behavior of these six individuals. One of the lessons to be taken from this scandal is that professional ethics live and die at the personal level. In other words, the moral compass is ultimately steered by the individual. Just as the medical profession should not be judged by the unspeakable behavior of the recently sentenced U.S. gymnastics doctor, neither should the accounting/auditing profession be judged overall by the alleged behavior of a few.</p><p>As always, I look forward to your comments.</p>Richard Chambers0
Internal Audit’s Role in Anti-money Laundering’s-Role-in-Anti-money-Laundering.aspxInternal Audit’s Role in Anti-money Laundering<p>​The cost of running a compliance function for anti-money laundering and countering<em> </em>the financing of terrorism (AML/CFT) in an organization is far less than the price it may pay for noncompliance. Because of increased regulatory focus, penalties levied affect the bottom line and become a going-concern issue with license suspensions or cancellations. Given the social, economic, and political ramifications of money laundering and terrorism financing, it is becoming more difficult for organizations to consciously ignore AML/CFT compliance. The next 10 years could witness enhanced regulatory compliance across jurisdictions, so internal audit's role in ensuring strict AML/CFT compliance assumes greater importance.</p><p>Money laundering is about channeling illegal, "dirty" money through a legitimate means to make it appear as "clean" money within the system. This can be explained in three phases: placement, layering, and integration. In the placement phase, illegal money physically enters into the financial system, such as huge bank account deposits via bank tellers or ATMs. The layering phase involves executing complex transactions with the sole intention of concealing the origin of the funds and diluting the audit trail for further investigations. In the integration phase, the proceeds re-enter the financial system as apparent legitimate funds. Money laundering is a derivative crime; in other words, it is a crime that derives out of another crime. Its nature as a crime depends on the genesis of the funds. </p><h2>Internal Audit's Role</h2><p>The money launderer's objective is to convert illegally obtained money into legal tender through inappropriate methods, and in the process avoid the attention of prosecutors or auditors. A clear understanding of AML/CFT helps internal auditors conduct reviews more effectively. At a minimum, internal audit should focus on these areas:</p><p><strong>Top management intent. </strong>Conduct interviews with key top management individuals. Internal control questionnaires, checklists, and management letters are commonly used in these interviews. However, also assess the willingness and commitment of top management to protect the organization from the threat of money laundering and terrorism financing. This critical exercise should become the basis for review and the depth of sample coverage.​</p><p><strong>Business operations. </strong>Understand the business operations of the organization in detail. Without a thorough understanding, auditors will not be able to identify a transaction that is abnormal to the course of business. </p><p><strong>Customers. </strong>In financial institutions, ensure that the organization is complying with know-your-customer procedures both in form and spirit. Policies and procedures should provide measures for updating know-your-customer forms annually, which establish the identity of the customer, the nature of the customer's activities, and money laundering risks, if any, associated with that customer. Check whether the declarations made by customers in their undertakings are being followed in reality. For example, a customer might declare that he may invest up to $25,000 per year in portfolio management. However, during the year he invests almost $50,000 from undisclosed income. The organization may not raise it as a red flag because of commissions on those transactions. </p><p><strong>Risk assessments.</strong> Ensure the organization has conducted a risk assessment of customers, geographic affiliations, company products, channels of product routing, etc. Review the nature and volume of transactions and types of products the organization deals with. </p><p><strong>Suspicious transactions. </strong>By nature, suspicious transactions are more complex and obscure. Internal auditors should get to the bottom of these transactions to ensure they are genuine and should not check them off their list unless they are completely convinced about their purpose. Enhanced due diligence measures should be taken for non-face-to-face business transactions when the customer has not been seen or the business site has not been visited.</p><p><strong>Reporting culture.</strong> Review the number of suspicious transaction reports raised by the compliance officer during the review period and assess which ones were not reported to the financial intelligent units in the respective countries. These could be false alarms, but scrutinizing those unreported suspicious transactions that could potentially be money laundering transactions may reveal suppression by management and whistleblower silencing.</p><p><strong>From and to.</strong> All transactions should have the required documentation, including originator and beneficiary details. Missing information in cross-border transactions has caused some of the largest money laundering cases to take a decade or more to resolve, so review all cross-border wire transfers in detail. AML systems also should be reviewed to ensure that the application does not have options to suppress data. </p><p><strong>Blacklisted names.</strong> Review the AML system and test its capability of capturing data on time, and identifying and red flagging the blacklisted and Specially Designated Persons lists provided by the United Nations and the U.S. Office of Foreign Assets Control, respectively. Determine whether the system is capable of correctly identifying blacklisted names in English and local languages.</p><p><strong>Politically exposed persons.</strong> People with diplomatic immunity, defined under the politically exposed persons category, are entrusted with a prominent public function and are at higher risk of getting involved in money laundering and terrorism financing transactions. Ensure the organization has mechanisms to identify customers of this category and conducts enhanced due diligence.</p><p><strong>Nonprofit organizations.</strong> In many countries, organizations with an exempt status become the front-end and most misused vehicles to launder money. Review the grants received, nature and origin of receipts, and ultimate beneficiaries of grants, if it is a recipient organization.<strong> </strong>In donor organizations, determine whether the donations are made to genuine and reliable nonprofits for a purpose and that those monies are not routed to terrorist networks.</p><p><strong>High-risk countries.</strong> Engaging with AML/CFT noncompliant countries (assigned as such by the intergovernmental Financial Action Task Force) poses a greater threat for noncompliance. Review how the organization is complying with procedures while dealing with subsidiaries or associates situated in such countries.​</p><p><strong>Employee protection.</strong> Review the whistleblower protection policy and protection to employees raising red flags. Internal sources are many times the strongest lead for an internal auditor in helping detect malpractices in money laundering.</p><h2>Think Outside the Box</h2><p>Detecting money laundering and terrorism financing transactions is a challenge for internal auditors because perpetrators bringing ill-gotten money into the system actively conceal the audit trail to avoid prosecution. Because of this, internal auditors conducting AML/CFT reviews should be more vigilant, attentive, and creative to find wrongdoing and ensure compliance. ​</p>K.V. Hari Prasad1
Profiting From Auctions From Auctions<p>​Sheriff's deputies in Broward County, Fla. have arrested individuals who allegedly used the county's tax office to defraud property owners, the <a href="" target="_blank" style="background-color:#ffffff;"> <em>Sun Sentinel </em>reports</a>. According to detectives, tax office employee Roberto Martinez used forged power-of-attorney documents to collect proceeds from the tax deed auctions of homes belonging to people who had failed to pay property taxes. In such auctions, the property owner receives the remaining funds, after the unpaid taxes and accrued interest have been subtracted, unless the owner signs over the right to collect those funds. Detectives say Martinez and associates outside the tax office — including the president of a local funding company — used forged documents in 28 sales between 2014 and 2016, and a recent audit has uncovered 22 additional fraudulent sales, bringing the total of allegedly stolen funds to $2.4 million.</p><h2>Lessons Learned</h2><p>Municipal tax collection agencies and their internal auditors should review and strengthen four areas, based on the events in this news story:</p><ul><li> <strong>Ensure that legal notifications requirements and processes are followed. </strong>Agencies should notify the legal titleholder of record and all lien holders, including mortgage companies, of a tax deed sale. Failure to strictly comply with the mandatory notice requirements is a violation of due process and may void the tax deed sale. In this case, following this procedure could have helped identify deceased or falsified property owners. The procedure would have been particularly helpful if the agency required a response from the property owner before the property auction and if this part of the process was conducted by a different tax office official, which may have prevented the fraudster from hiding this information. Another effective measure is requiring that copies of all power of attorney documents be sent to property owners, which would be an obvious tip-off of fraudulent activity, including forgery. Furthermore, requiring that a third party, such as an official in the Sheriff's office or the municipal finance department, review documentation of tax deed sales would be an effective deterrent and detection measure.</li></ul> <br> <ul><li> <strong>Tighten controls over power of attorney agreements in tax deed sales. </strong>Measures could include requiring a lawyer to be involved in developing these agreements, as well as certifying the qualifications of companies involved in tax deed sales and their employees.<br> ​</li><li> <strong>Encourage property owners to be vigilant and proactive in protecting themselves. </strong>Many municipalities have notification programs, including online, that notify property owners any time a document is recorded related to their property. Property owners also should check the municipal register's records often to ensure that there are no liens, deeds, or mortgages they are not aware of recorded on their property. With regard to ensuring legal notification processes are followed, property owners should keep all relevant offices informed, in writing, of any change of address. Property owners also need to learn about their legal rights and obligations in these situations, and governments at all levels must help them stay educated. Parenthetically, investors in the related area of tax lien speculation also should learn about the fraud risks to their investments. <br> </li><li> <strong>Consider changing the rules. </strong>Local governments in every U.S. state assess taxes against all types of real property. Some states allow local county tax collectors to sell tax lien certificates, while other states sell the tax deeds and allow investors to own the properties after purchasing the tax deeds. However, real estate investors who purchase tax lien certificates only purchase the liens against the properties and the authority to enforce the liens against the property owners. Unlike purchasers of tax deeds in tax deed states, tax lien certificate purchasers do not immediately own the properties upon purchasing tax lien certificates. They may not acquire possession of the properties or evict property owners. The homeowners may remain in the properties during the redemption period set by state statutes. They also have the opportunity to pay the back taxes plus interest paid by the tax lien investors. The time frame for the redemption period varies from state to state — from six months to four years. That adds an extra measure to help prevent the kind of fraud in this story.​<br></li></ul><p></p>​Art Stewart0
Factoring on Fraud on Fraud<p>​​U.S. federal prosecutors have charged two top executives of a South Florida-based company with orchestrating a fraudulent investment scheme that allegedly raised more than $150 million, <a href="" target="_blank" style="background-color:#ffffff;">the <em>Miami Herald</em> reports</a>. Antonio Carlos de Godoy Buzaneli and Jose Manuel Ordoñez Jr. offered a factoring investment that would generate a high rate of return through their firm, Providence Holdings International, according to the indictment. The company advertised that it would purchase accounts receivables at a discount from Brazilian retailers, paying $820 to retailers for $1,000 in post-dated receivables from each customer and retaining $180 in returns once the checks matured. Using unlicensed brokers in the U.S., the company sold investors $64 million in promissory notes at between 12 percent and 24 percent annual interest rates. Prosecutors allege that Buzaneli and Ordoñez diverted investor funds to a series of other companies they owned. A third principal of the company pleaded guilty to one count of mail fraud in November.</p><h2>Lessons Learned</h2><p>Knowledge and inquisitiveness are the main keys to better prevention and detection of the type of fraud in this case — certainly sooner than the seven years and large financial losses incurred before the scheme ended in 2016. While accounts receivable, or debt, factoring has existed since the early 1400s as a way for businesses to manage uneven revenue cycles, few people outside of the factoring industry are familiar with the associated processes and fraud risks. <a href="">A blog post</a> by investment firm United Capital Funding estimates factoring is a more than $130 billion industry in the U.S., and the size of related fraud activity totals more than $230 million. To learn more about factoring, internal auditors and investors should focus on two aspects.</p><p> <strong>Learn about factoring industry markets, sources of expected profits, and their associated risks. </strong>On the surface, the highly concentrated Brazilian banking system would appear to be promising. As credit expanded in Brazil over the past 20 years, real interest rates and lending spreads have stayed among the highest in the world. Historically, small and medium-sized companies paid 10 percent monthly for their financing. </p><p>However, factoring firms offer varying discounts depending on the duration, chosen industry segment, level of direct retail exposure, credit quality, payment history, and many other considerations. That brings the cost for the better prospective debtors down to 2 percent to 3 percent. That's just one risk factor among many for a country such as Brazil, with less stable political and economic systems compared to some other countries. In this case, investors should have been skeptical about Providence's promised 48 percent annual rate of return.</p><p> <strong>Understand the gaps and inconsistencies in the factoring industry's legal, regulatory, and structural framework.</strong> As one recent industry report notes (currently available in English and Portuguese at <a href="" target="_blank"></a> and <a href="" target="_blank"></a>), "It is evident in transactions that inadequate checks and balances, with over reliance on a single, low-rated party to perform credit origination, collection, and special servicing exists. ... Proper segregation and transparency among originator and servicing responsibilities are paramount in a moment where many small-sized factoring companies have employed aggressive growth strategies, levering up their operations via securitization." </p><p>As with many industries, there are significant legal, compliance, and tax risks accentuated by the large number of widely varying applicable laws and regulations in different countries. In some cases, governments have intervened to regulate the factoring industry. In addition, the industry's International Factoring Association has addressed the need to mitigate risks related to smaller or higher risk factoring companies, such as by applying rating caps to some or all of their receivables transactions. These parties could always do more to cooperate, share knowledge and intelligence, and provide greater legal and regulatory consistency across borders to help prevent these crimes.</p><p>Equipped with more knowledge about the factoring industry, auditors should look out for two red flags:</p><ul><li> <strong>The factoring company is reluctant to provide essential identifying information about the debtors and clients with whom it is dealing.</strong> Ask to see examples of the invoices or debt notices upon which the factoring company is basing its expected investment profits. One commonly used fraud tactic is for the factoring company and the client to create a false or inflated invoice. This is easy to do with inexpensive digital printers. Invoices appear as if they have been issued by a legitimate debtor similar to others already factored in the past by the client or the factoring company. The fake invoices are added to the pile of valid accounts receivables to be factored by the client in the hope that no one is paying attention or  verifying each unique invoice. If the factoring company cannot demonstrate that it is verifying each individual invoice, this is also a red flag. Collusion between the debtor and the client providing fraudulent verification to the factoring company may also be going on at the same time.<br>​</li><li> <strong>The factoring company is unable to provide key business documents such as financial statements.</strong> These include:</li><ul><li>​​Articles of incorporation.<br></li><li>​​Previous years' tax returns.<br></li><li>​Balance/profit/loss sheet.<br></li><li>​Previous audits of company operations and financial statements.<br></li><li>​Signed contracts between the debtor and client. Also, disclosure of any contractual disputes with debtors and clients.<br></li><li>​Proof that the factoring company deals only with licensed brokers.<br></li><li>​Evidence the company has a fraud insurance policy that covers investors, and potentially debtors and their clients.<br></li><li>​​Disclosure of any Internal Revenue Service liens associated with payroll taxes.<br></li></ul></ul>Art Stewart0
Stealing Wellness Wellness<p>​While attending a conference, Angus Munro, the CEO of a large academic medical center, heard from colleagues about their experiences with drug diversion, something he was increasingly concerned about within his hospital. Drugs represented almost 20 percent of his costs and were increasing annually. Conversations with his director of pharmacy left him unsatisfied with the rigor of controls in place for these multimillion-dollar inventory stores. While his primary concern was centered on the e​xceptionally expensive noncontrolled drugs, he also was aware of the growing opioid abuse problem in the community. If a newspaper story implicated the hospital in contributing to the crisis through poor internal controls, it would be devastating. He immediately contacted Mary Nicholls, the chief audit executive (CAE), to test internal controls. </p><p>After some research, Nicholls learned that pharmaceutical diversion was on the rise nationally, and the methods had become more sophisticated. Recent diversion rings involved multiple hospitals and several actors actively collaborating at numerous levels of the organization. Historically, prescription drug diversion from pharmacies almost exclusively involved controlled substances (narcotics and other commonly abused drugs), primarily schedule II narcotics and other opioids that have a high potential for abuse and dependence. These medications were sold on the street directly to addicted individuals. </p><p>Also contributing to diversion was the emergence of "pill parties" and "rave parties." These were common among middle and high school students who raided their parents' medicine cabinets or worked in areas to obtain access to random medications for party guests. </p><p>Even more troubling to Nicholls were reports of amateur chemists making illegal drugs using noncontrolled prescription drugs and over-the-counter (OTC) drugs. For example, the commonly used OTC cold medication pseudoephedrine can be used to make methamphetamine or crystal meth. Because of this, some OTC medications became available only via prescription, and some prescription drugs were made controlled. Nicholls concluded that there was sufficient risk to perform a rigorous audit of controls around medication use. </p><p>While Nicholls knew she may not detect any active diversion, she also knew that people often compromise their ethics out of necessity during times of distress, uncertainty, and economic hardship. Many healthcare insurance plans do not cover new, high-cost biologic, HIV, and chemotherapy medications. This, combined with loss of employment, has resulted in the emergence of a black market for high-cost, noncontrolled pharmaceuticals. In these cases, the patrons are not addicted individuals, but rather sick patients or family members who are unable to afford their medications. </p><p>The largest diversion ring discovered in the U.S. began with a pharmacy inventory employee stealing a noncontrolled bone marrow drug for a relative with cancer who was unable to pay for it. The employee soon discovered a black market for patients in need and recruited other employees within his hospital and surrounding hospitals. </p><p>Ironically, the discovery was made when the truck carrying the diverted drugs was hijacked by thieves expecting to steal pharmaceutical-grade narcotics. The hijackers deserted the truck when they discovered it was filled with HIV, cancer, and biologic medications. The hijackers were caught, which led police to the diversion ring. Eventually, it was discovered that some of the stolen medications were being sold back to the wholesalers for redistribution to the same hospitals. </p><p>Within her hospital, Nicholls found that controlled substances had stronger controls (automation, double counts and checks, and segregations of duties) than noncontrolled substances, which can cost tens of thousands of dollars per dose. In the pharmacy, she found that there was one person assigned to create purchase orders (POs), place orders, receive medications, and reconcile orders to POs. The lack of segregation of duties demonstrated a significant opportunity for diversion. Nicholls also learned that due to the unique nature of medication-use oversight, the pharmacy was exempt from the safeguards that were in place within the materials management department and other areas of supply chain oversight. </p><p>An audit of the purchasing records found high-cost chemotherapy medications and other drugs that were no longer in inventory and for which dispensing records did not support their use in patient care. A select audit of the two highest-cost drugs against their recorded use showed significant discrepancies, suggesting a material and pervasive problem that approximated 20 percent of purchases. </p><p>Within the pharmacy, noncontrolled<strong><em> </em></strong>medications are generally stored on open shelves and in unlocked refrigerators because of the mindset that only drugs of abuse would be targeted for theft. Inventories were only taken annually, but not reconciled against purchases, usage, or waste. As a result, it was not possible to determine shrinkage by theft or other causes. In addition, hospital computer systems are not designed to reconcile medications administered with hospital purchases, as one might reconcile sales to purchases in a retail operation. </p><p>Nicholls quickly concluded that insufficient levels of controls for pharmacy and medication-use systems, combined with the high street value of these medications, provided a significant opportunity for a diversion ring within the hospital. She recommended a comprehensive audit to scope the material impact on the hospital's financial statements. </p><p>Furthermore, any diverted medications could create a potential source of litigation for the hospital. Background research revealed several high-profile medication diversion rings around the country at medical institutions such as the University of Colorado, the University of Maryland, and Georgetown University, which resulted in fines, jail time, and public embarrassment. The settlement in the case at Georgetown University Hospital resulted in the sale of the hospital by the university to settle the claims. Here, the diverters replaced unused medications with used vials, exposing patients to infectious diseases. The judgment in the class-action lawsuit exceeded the ability of the hospital to pay the claim.</p><table class="ms-rteTable-4" width="880" height="209" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p>​<strong>Lessons Learned</strong><br></p><ul><li>While professional practices in health care may not traditionally control medications that have low abuse potential, the risk and inventory controls still need to be placed on high-cost items.<br></li><li>CAEs and risk managers play a key role in assuring that hospitals and health systems comply with audit and control standards, regardless of traditional professional practices.<br></li><li>Health-care professional practices need to be rigorously tested against audit and compliance standards to evaluate risk and vulnerabilities.<br></li><li>Health-care professionals rarely review operational practices through an audit, compliance, and accounting lens, and benefit greatly from the expertise of a CAE.   <br></li><li>Pharmaceutical drugs represent an average of 20 percent of hospital costs, and failure to control their diversion can have a material impact on financial statements.<br></li><li>Poor medication control can lead to medication diversion and represents a significant risk to hospital reputations when reported in the media. ​</li></ul><p></p></td></tr></tbody></table>Scott Mark1
The E-Pirates E-Pirates<p>​The Royal Canadian Mounted Po​lice (RCMP) have seized more than CAN$9 million as part of a multinational money-laundering investigation dubbed E-Pirate, <a href="" target="_blank" style="background-color:#ffffff;">the <em>Vancouver Sun</em> reports</a>. Government documents allege that Paul King Jin, who owns a British Columbia spa, orchestrated a CAN$500 million money laundering service involving casinos and underground banks in Canada, China, and Macau. Investigators say Jin helped wealthy Chinese individuals gamble in British Columbia casinos using suspected drug cash he supplied through underground banks linked to Chinese organized crime groups. The RCMP seized more than CAN$2 million during a raid of Silver International Investment, an unlicensed British Columbia-based bank that allegedly funneled money to gamblers, and another CAN$1 million in suspected drug money when it stopped two individuals seen entering Silver's offices. According to ledgers uncovered during its raids, Silver laundered CAN$220 million in cash and sent more than CAN$300 million offshore in a single year.​</p><h2>Lessons Learned</h2><p>Money laundering doesn't necessarily involve fraud, but the two are linked because the proceeds from fraud often need to be laundered in order to be kept or spent. The amounts of money involved can be enormous, and the laundering schemes are complex, making their deterrence and detection challenging. The RCMP's E-Pirate investigation illustrates how money laundering works. In this case, investigators say drug dealers laundered their profits — $1 million, for example — through underground banks in Canada and then in China. In turn, the Chinese bank lent the $1 million to a gambler who went to a legitimate casino and converted the money into chips. The gambler then cashed in the chips for $1 million, now "laundered," which was available for investment or other uses.</p><p>To combat such money laundering schemes, regulators and gambling institutions must establish rigorous anti-money laundering (AML) programs and thoroughly monitor them to keep them up to date. In <a href="" target="_blank">a similar case in Australia</a> involving wagering company Tabcorp, a federal court judge cited the "insufficient resourcing together with insufficient processes for consistent management oversight, assurance, and operational execution" in approving a AUS$45 million fine against the company for violations of Australia's Anti-Money Laundering and Counter-Terrorism Financing Act between 2010 and 2014, according to <em>The Sydney Morning ​Herald</em>. Casinos and other gambling-related businesses can address such concerns by making these improvements:</p><ul><li>Undertake a risk-based approach and assessment. Many countries have laws requiring companies to have a policy and procedure in relation to assessing and managing money laundering risks. This involves discrete steps for assessing the most proportionate way to manage and mitigate the specific money laundering and terrorist financing risks the organization faces. These methods include policies, procedures, controls, monitoring, and review. <br> </li><li>Conduct customer due diligence inquiries. These inquiries should confirm the identity of customers engaged in large or frequent transactions by examining valid, government-issued photo identification documents. Casinos also should look into a player's source of wealth and funds to measure risk. For customers who are assessed as higher risk, casinos should limit the types of permitted transactions.<br> </li><li>Monitor and report large cash transactions and payments to customers. Canada requires reporting of transactions of CAN$10,000 or more as well as of suspicious transactions of any amount. Unlike banks, casinos don't refuse many money transactions because of revenue considerations. However, they should stop suspicious transactions to help prevent money laundering. Moreover, political will is needed to require casinos to report large transactions. <br> </li><li>Report suspicious activity. Casino employees should be required to report information that comes to them within the course of business where they know or where they have reasonable grounds for suspecting that a person is engaged in money laundering or terrorist financing. Employees should report these activities to the nominated officer — a member of senior management responsible for dealing with anti-money laundering issues. If the nominated officer determines that a report provides grounds for knowledge or suspicion, he or she should report the matter to regulators. Additionally, lawmakers and regulators should review and strengthen penalties where they find this reporting is deficient.<br> </li><li>Clearly mark all checks as a return of gaming funds or as a payout of a verified win to make clear whether funds actually are from gambling wins versus chip-to-cash conversion.<br> </li><li>Control the exchange of currencies. Where there is minimal play, casino policy should result in a refusal to issue a check or even a ban on future play for the individual involved if money laundering is suspected.<br> </li><li>Promote or require the use of cash alternatives such as debit cards and customer accounts through which bank drafts and electronic funds transfers may be used, especially for large money transactions. These alternatives are somewhat easier to implement with online gambling, where transaction limits are more common.<br> </li><li>Provide mandatory AML training for casino staff that is updated regularly.<br> </li><li>Establish a dedicated unit consisting of members who are Certified Anti-Money Laundering Specialists and have expertise in AML investigations, programs, and intelligence. This unit should work with police and regulatory agencies, and share information regarding individuals it believes may be engaged in criminal activity, including money laundering and terrorist financing-related offenses.<br> </li></ul><p>Governments can help address money laundering by making it easier to prosecute cases. It also would help if authorities could seize assets believed to be directly connected to money laundering.</p>Art Stewart0
Card Abuse Runs Rampant Abuse Runs Rampant<p>​S​​ome of Australia's largest government agencies are plagued by credit card fraud and abuse, <a href="" target="_blank" style="background-color:#ffffff;"> <em>The Sydney Morning Herald</em></a> reports. According to analysis by Fairfax Media, the Australian Bureau of Statistics, Health Department, and Bureau of Meteorology had the highest rates of misspending with government-issued credit cards last year — each topped 20 percent of charges. Fairfax found staff members had used credit cards to pay for accounting courses, personal bills, and private travel.</p><h2>Lessons Learned</h2><p>The Association of Certified Fraud Examiners' (ACFE's) 2016 <a href="" target="_blank">Report to the Nations on Occupational Fraud and Abuse</a> estimates organizations around the world lose 5 percent of revenues to occupational fraud. Employee credit card fraud is one part of this problem. <em>Internal Auditor</em> magazine and have featured numerous articles on this subject, most recently <a href="/2017/Pages/On-the-Hook-for-Fraud.aspx">"On the Hook for Fraud"</a> and <a href="/2016/Pages/The-Tech-Know-how-for-Fraud.aspx">"The Tech Know-how for Fraud."</a> These stories, the persistence of employee credit card fraud activity, and recent trends in online credit use are reminders to auditors of what comprises an effective approach to preventing employee credit card fraud. Recommendations auditors can make to address gaps they find during their audit work include:​</p><ul><li> <strong>Establish an employee credit card use policy. </strong>The policy should spell out appropriate and inappropriate card uses, how uses will be monitored, and consequences of policy noncompliance, including fraud. Policies should hold employees responsible for the activity on their card and for reviewing the statement for activity during each period. Those who violate the policy — especially fraudsters — should face zero tolerance consequences such as termination and prosecution. Moreover, there must be regular monitoring and auditing of policy compliance and uses, including surprise audits.<br><strong> </strong></li><li> <strong>Encourage a culture of trust, honesty, and awareness among employees</strong><strong>.</strong> This should include "open door" measures that facilitate employees coming forward with their concerns about suspicious behaviors. The most recent ACFE report notes that organizations most often detect fraud through tips (43.5 percent in large organizations). Internal audits (18.6 percent in large organizations) are a distant second. <br>Employees should know the organization's fraud prevention procedures. One of the biggest deterrents to employee credit card fraud is simply knowing that people are watching, are aware, and will report fraudulent activity, if necessary. <br>Organizations also should train employees on how to recognize signs of credit card fraud, such as how to tell whether a credit card terminal, ATM, or gas pump has been tampered with. Employees should know how to recognize a stolen card. The major credit card companies all have procedures for handling such situations, and these should be learned. Similarly, organizations should work with their suppliers and customers to ensure they are familiar with both legitimate and illegitimate kinds of purchases made by employees. Subscribe to credit card company alerts of significant or unusual transactions and investigate them immediately.<br> </li><li> <strong>Establish multiple controls over credit card use and authorizations.</strong> That includes obvious controls such as a limit to the number of credit cards and authorized card users, as well as using as few providers and cards as possible. Establish credit limits to reduce the organization's risk exposure. Establish low or no ability to obtain cash advances. All authorized users should have their own unique cards that they are responsible for, and cards should not be loaned or be available to others. Establish procedures for reimbursements, including to prevent double dipping — employees can submit expense receipts for reimbursement, or they can use the company card, but not both. Collect and cancel cards when employees leave the organization. Also, have the capacity to quickly report loss, theft, or unauthorized use. Maintain in a secure area a list of credit cards by issuers, account numbers, authorized users, and issuer phone numbers so that contact can be made quickly. Prompt notification can reduce or eliminate responsibility for fraudulent charges.<br><strong> </strong></li><li> <strong>Monitor credit card activity closely — and let employees know the organization is watching.</strong> Receive and review credit card statements intact because these can be altered, revised, or edited. Establish a credit card statement cut-off date for all cards that facilitates the organization's ability to obtain, review, and post credit card activity once a month and before month-end to facilitate accounting. Review credit card activity for the type of expenditure, the vendor, and the reasonableness of the amount. As the credit card is used, insist that original receipts be obtained as part of the documentation for the expenditure. Do not let the invoice, the credit card receipt, or the credit card statement be the only supporting piece of documentation. Review expense reimbursement claims and compare the expense report activity to the organization's credit card statement, scrutinizing for the same vendor and amounts. Be alert to altered amounts and claims, as well as expense report claims made months after the original charge was made. Analyze expenses, compare them to budget, and investigate variances.<br> </li><li> <strong>Keep up to date with technological advances, such as online payments, and the fraudulent activity that is occurring with them.</strong> There has been a massive increase in online credit card fraud, with transactions made using stolen card details estimated to have more than doubled since 2011. Card skimming, including via ghost terminals, is a particular example. Many organizations are now using chip technology that protects from incurring liability resulting from counterfeit fraud that occurs at their point of sale. Also, password protection (including regular changes to passwords) of accounting and point of sale software, and administrative controls to assign specific functions to only the employees who need them are common. Biometrics (Apple's iPhone X Face ID is a recent example), geolocation, and social media all are either being used or researched in the roll-out of risk-based customer authentication. Organizations need to learn and implement these technologies as they evolve.​<br></li></ul>Art Stewart0
The Script-boosting Bribery Scheme Script-boosting Bribery Scheme<p>​John Kapoor, the majority shareholder at pharmaceutical company Insys Theraputics who stepped down as chief executive in January, was arrested and charged with engaging in conspiracies to commit racketeering, mail fraud, and wire fraud. Kapoor and six other chief executives who have been charged participated in a scheme to bribe doctors to prescribe Subsys, an under-the-tongue spray cancer pain drug that contains fentanyl, an addictive synthetic opioid. The defendants also tried to defraud insurers who were reluctant to pay for Subsys when it was prescribed to patients who did not have cancer.</p><p><strong>Lessons Learned</strong></p><p><strong></strong>For fraudsters, the worldwide crisis related to opioid drugs is another opportunity to profit. Not only do we need to worry about drug cartels and dealers, but also drug companies, "bad apple" doctors, and even some hospitals. What can auditors learn from this story?</p><p>Regulators, enforcement agencies, and auditors need to keep the pressure on detecting and uncovering these kinds of fraud schemes, and shed light on the practices that support them. That includes:</p><ul><li><strong>Requiring and enforcing better monitoring and reporting from companies involved in the sale of higher risk drugs, such as fentanyl. </strong>Recent U.S. Department of Justice cases show that these companies knowingly and/or negligently supplied opioid drugs such as OxyContin to obviously suspicious physicians and pharmacies and enabled the illegal diversion of them into the black market, including to drug rings, pill mills, and other dealers. These companies are supposed to set up monitoring programs to make sure that opioid drugs do not get into the wrong hands, and to watch out for shady physicians and pharmacies, unusually large orders, or suspiciously frequent orders. Better scrutiny of these monitoring programs on a regular basis could help deter fraudulent practices. And bigger penalties for gaps in these programs could help prevent larger fraud schemes and a deeper crisis. </li><li><strong>Insurers need to take a tougher stand in questioning and rejecting payments to companies where prescriptions do not clearly meet established criteria.</strong> In our story, Insys executives pushed for approval of payment for Subsys when it was prescribed to patients who did not have cancer. </li><li><strong>By writing factual audit reports with balanced recommendations, auditors can help the medical profession improve its self-regulation against bribery. </strong>There are several key areas for improvement. Doctors often decide which medications to prescribe based on which drug is the most popular choice of their colleagues, and, in turn, the effectiveness of drug company's marketing and advertising efforts. Those efforts frequently constitute bribery, such as when pharmaceutical companies offer financial kickbacks for prescribing medicines and drugs (as in our story). The form of the bribe can be subtler though, such as schemes to pay doctors in the form of speaker fees and food and entertainment to medical practitioners. Or physicians will be sent on exotic vacations in exchange for listening to lectures about the companies' drugs for a few hours of the day. Also, hospitals can be involved — some entice physicians by offering special incentive deals that give doctors valuable gifts if they schedule surgeries when the hospitals are looking for business. All of these practices deserve better scrutiny and perhaps tighter regulation within the medical profession.</li></ul>Art Stewart0

  • MNP_Feb2018 IAO_Premium 1
  • IIA Training_Feb2018_Premium 2
  • IIA CIA_Feb2018_Premium 3