<h1>Foreign Bribery</h1><p>Canadian engineering firm SNC-Lavalin faces charges of paying CA$47.7 million (US$38 million) to Libyan officials to influence government decisions as well as defrauding organizations in that country through two of its subsidiaries, according to a <a href="" target="_blank">Canadian Press report</a>. It is the latest corruption allegation involving the company's operations in Libya. The Royal Canadian Mounted Police (RCMP) previously had charged two former SNC-Lavalin executives as part of a corruption investigation that began in 2011. Also, the company's former construction vice president has testified that he bribed the son of former Libyan dictator Moammar Gadhafi to help the company earn contracts. If convicted in this latest case, the company could face a 10-year ban from bidding on government contracts. </p><h2>Lessons Learned</h2><p>The prosecution of SNC-Lavalin is the third, and by far the most significant, fraud case the RCMP has pursued under Canada's foreign anti-bribery law, the Corruption of Foreign Public Officials Act (CFPOA). Most of Canada's key trading partners have similar anti-bribery legislation, including the United States (Foreign Corrupt Practices Act) and the United Kingdom (Bribery Act 2010). Nations have enacted such laws in response to a long-term trend toward a global economy and the need to cooperate and establish cross-national legal and regulatory frameworks to protect governments, companies, and their citizens against fraud and corruption.</p><p>The CFPOA makes it a serious criminal offense for Canadian companies and individuals to bribe foreign government officials. Moreover, it is one of the tougher anti-corruption laws because the prohibition against bribery is broadly worded. 
Under the law, the purpose of the person paying the bribe is defined as obtaining an advantage in the course of business; bribery includes both direct and indirect (third party) bribery activity as well as conspiracy to offer or give bribes; and a bribe is defined as "anything of value." Each offense is punishable by up to 14 years in prison, and companies are liable for fines set at the court's discretion. Thus far, the largest fine imposed on a company under the CFPOA was CA$10.3 million (US$8.2 million) — five times the amount of the bribery involved. Companies that breach the CFPOA also may be banned from bidding on public-sector contracts in Canada and potentially abroad.</p><p>Some of the specifics of Canadian legislation and enforcement actions may not be precisely applicable to U.S. or international circumstances. However, companies that operate abroad and their internal auditors, as well as foreign companies that employ citizens of countries that have such anti-corruption legislation, need to be aware of these laws and take steps to comply. Furthermore, businesses need to be aware of the precise requirements of the anti-corruption laws in all countries in which they operate. This is best done through a compliance program that is based on an assessment of the risks the company faces, supported and verified regularly by the company's leadership, and backed by audit work by internal audit or an equivalent function. </p><p>Particular compliance elements that need attention — and that are relevant to the SNC-Lavalin case — include:</p><ul style="list-style-type:disc;"><li> <span style="line-height:1.6;"><strong>Good policies are a necessary but insufficient protection against bribery and corruption and their consequences.</strong> It's not enough to establish and globally monitor policies on ethics, conflict of interest, financial management — including accounting and reporting — and other areas. Criminal charges are not the only troubles faced by SNC-Lavalin. 
Class action lawsuits allege that SNC-Lavalin misled investors by claiming that it conducted itself as a "socially responsible citizen," and in compliance with a code of ethics, when it was actually paying bribes to Libyan government officials.</span> <br> <br><span style="line-height:1.6;">Cooperation with authorities also will not absolve or exonerate a company from the consequences of fraud and bribery. Although SNC-Lavalin cooperated with the RCMP investigation and strengthened its ethics and compliance policies along the way, the company still has been criminally charged.</span> <br> <br><span style="line-height:1.6;">Specific and detailed examination of on-the-ground practices needs to be conducted regularly. One of SNC-Lavalin's most senior executives already has been found guilty of making illegal payments totaling more than CA$56 million (US$44.7 million) to third-party agents in Libya, which were never appropriately recorded. The CFPOA makes it a criminal offense to falsify books and records for the purpose of bribing a foreign government official or of hiding bribery.</span> <br> <br><span style="line-height:1.6;">Internal auditors also should be looking for signs of other specific prohibitions, including:</span></li><ul><li><span style="line-height:1.6;">Noncompliance with authorized signatories delegations and limits on fees.</span></li><li><span style="line-height:1.6;">Maintaining off-books accounts.</span></li><li><span style="line-height:1.6;">Not recording or inadequately recording transactions, especially those involving large amounts paid to third-party agents on the company's behalf.</span></li><li><span style="line-height:1.6;">Recording nonexistent expenditures.</span></li><li><span style="line-height:1.6;">Inaccurately identifying liabilities.</span></li><li><span style="line-height:1.6;">Knowingly using false documents.</span></li><li><span style="line-height:1.6;">Destroying accounting books and records. 
</span></li></ul></ul><ul style="list-style-type:disc;"><li> <span style="line-height:1.6;"><strong>Accountability — both intentions and actions count.</strong><strong> </strong>While the prosecutor must prove that the accused intentionally committed the acts constituting the offense, willful blindness also satisfies the intention element. This means companies, including their senior officers, that deal with agents cannot overlook suspicions that the agent might be paying bribes, and they need to perform due diligence on agents. Using the CFPOA as an example, a company would be guilty of an offense under the act if one of its senior officers, acting within the scope of his or her authority, commits the offense or, knowing that a representative of the company is about to commit the offense, fails to take all reasonable measures to stop the representative from doing so. The law defines <em>senior officer</em> as anyone who plays an important role in establishing the company's policies or who manages an important aspect of its activities. Performance/accountability contracts within companies need to be crystal clear on these elements.</span></li></ul><ul style="list-style-type:disc;"><li> <span style="line-height:1.6;"><strong>Only in Canada, you say? </strong>Increasingly, bribery and corruption charges are being pursued outside the country that enacts legislation, and an anti-bribery compliance regime must address each location where a company operates. In Canada, the CFPOA was strengthened to include a provision for "nationality jurisdiction," which allows the law to apply to bribery offenses by Canadian companies and individuals in any part of the world in which the bribe is paid. This provision effectively creates a "you bring it along in your baggage" scenario for employees working abroad.</span> <br> <br><span style="line-height:1.6;">The crimes allegedly committed by SNC-Lavalin occurred before these provisions were enacted. 
As such, readers might think prosecutors face the potentially significant hurdle of proving the company committed the offenses in Canada — but guess again. In the only case to date dealing with whether bribing a foreign public official outside of Canada is an offense in Canada, the court convicted an Ottawa businessman of agreeing to bribe officials in India. The judge in that case took a broad view of jurisdiction, ruling that there was a real and substantial connection between the offense, its related transactions, and Canada, even though none of the elements of the offense had been committed in that country.</span></li></ul>Art Stewart
<h1>When the Bill Doesn't Add Up</h1><p>Big Boy diner franchisee Frisch's Restaurants Inc. has filed suit against a former accounting executive for allegedly embezzling more than US$3.3 million from the company, the <a href="" target="_blank"> <em>Cincinnati Enquirer</em> reports</a>. An internal audit in December discovered cost discrepancies between the company's credit card transaction records and those of the company's assistant treasurer, Michael Hudson, who had worked at Frisch's for 32 years. Hudson then resigned a few minutes before a meeting to go over the discrepancies. Following an investigation in January, Hudson admitted to stealing the money. Although Hudson said he had lost all the money gambling, Frisch's investigation found that he had made large withdrawals from his personal accounts at a Cincinnati area casino and had purchased more than US$400,000 in land, vehicles, and jewelry. </p><h2>Lessons Learned</h2><p>It might be tempting to focus on the specific circumstances, severity of impact, and prospects for recovering losses from a multiyear fraud against a mid-sized local company. However, although I am not familiar with the corporate history of Frisch's, I suspect the bigger lessons may relate to those companies that start small then grow much bigger, but do not pay sufficient attention to implementing the internal controls and processes essential to protecting themselves from fraud. 
Such companies may be particularly susceptible to fraud by long-serving employees who have been granted unconditional trust.</p><p>Those controls, which frequently are referenced in the pages of <em>Internal Auditor</em>, include: </p><ul><li> <span style="line-height:1.6;">Ethics and financial management policies that state clear expectations for employee behavior.</span><br></li><li> <span style="line-height:1.6;">Appropriate segregation of authorities and duties, especially to limit senior officials from sole or unchecked control and access over large sums of money.</span><br></li><li> <span style="line-height:1.6;">Accounting systems that integrate monitoring and reporting routines to flag unusual, recurring, and large transactions for further scrutiny.</span><br></li></ul><p>Perhaps most importantly in the context of this story — and maybe unfortunately for what lies ahead for Frisch's board of directors, CEO, and chief financial officer — is the question of the strength of the company's governance and control regime. To be effective, that regime must include directors who regularly ask and get satisfactory answers to penetrating questions about the company's operations and financial health. It also requires a senior executive team that is rigorously focused on balancing business interests and profits with maintaining high standards of ethical corporate behavior. </p><p>One additional essential element of an effective corporate governance and control regime is a strong, independent internal audit function — or its equivalent — that systematically and objectively assesses and advises the board and management on what the organization's people and processes are doing against expectations. The IIA's practice guide, <a href="" target="_blank">Assessing Organizational Governance in the Private Sector</a>, provides examples of what internal audit needs to examine. 
Without such a review, it is doubtful that an organization of any size could realistically expect to avoid the kinds of problems illustrated in the Frisch's case.</p>Art Stewart
<h1>An “F” for Fraud</h1><p>The Chicago Public Schools (CPS) inspector general alleges that a former employee stole more than US$870,000 from the district through a fraudulent billing scheme, <a href="" target="_blank"><em>The Chicago Tribune</em></a> reports. According to the inspector general's annual report, an employee at Clark High School conspired with co-workers and vendors to submit fake reimbursements for purchases and file fake purchase orders between 2009 and 2013. The employee also allegedly received kickbacks from vendors for fraudulent purchases from companies. The employee has since resigned, and CPS is moving to bar the companies involved in the scheme from doing business with the district. A criminal investigation is underway.</p><h2>Lessons Learned</h2><p>As this story and the related 2014 Annual Report of the CPS inspector general observe, a wide range of fraudulent activities occur in school systems on a regular basis. The latter report reveals that the top complaints — from about 1,300 filed in 2014 — related to residency, inattention to duty, contractor violations, tuition fraud, and misappropriation of funds. I have not found any report that quantifies the total impact, but if the level of malfeasance found in the CPS case were replicated across all the school boards throughout the United States, it could total more than US$1 billion a year — a significant waste of taxpayer dollars and an affront to trust in public institutions.</p><p>Typically, boards of education in the United States have some kind of fraud prevention and detection policy in place that requires all employees, school board members, consultants, vendors, contractors, and other parties maintaining any business relationship with the district to act ethically, with due diligence and in accordance with all applicable laws. 
Boards assign a superintendent or equivalent leadership position responsibility for developing internal controls, policies, and procedures to prevent and detect fraud, financial impropriety, or fiscal irregularities within the district. They also expect every member of the district's administrative team to be alert to any indication of fraud, financial impropriety, or irregularity within his or her areas of responsibility. Further, school boards usually have an accountability requirement: District employees who suspect fraud, impropriety, or irregularity in relation to fiscal or other resources are expected to report their suspicions immediately to their supervisor or the superintendent, who then is responsible for initiating necessary investigations, and taking appropriate action, if warranted.</p><p>However, an inevitable complex patchwork of state and district regulations, combined with ongoing budgetary constraints and governance regimes that often rely on local and volunteer resources, among other factors, make it difficult to consistently implement an effective fraud prevention and detection regime. Here are some targeted suggestions to help make these regimes more effective based on a review I conducted of several different state and school district oversight and audit reports:​</p><ul><li> <strong>More thorough school board governance. </strong>Increasing dissatisfaction with the governance of school boards can be found in numerous news stories and state/district inspection/audit reports, particularly related to significant fraudulent activities uncovered in many school districts across the United States. Despite the important role that school boards play in governing schools across the country, virtually no empirical research exists that examines the governance structure — and its effectiveness — with respect to the board's responsibility to address fraud issues. 
Although several school board inspection reports I found pointed out that external audit programs were legally mandated, few districts had internal auditors and audit committees. School district governance is a partnership between the school board, the school organization, and the community in which it serves. Two specific measures that should be considered are 1) more comprehensive board education on responsibilities and strategies related to fraud and auditing; and 2) more consistent structuring of board audit committees and related internal audit activities, even if they are part of a larger finance committee and supported by volunteer resources. Once these measures are in place, the board then should actively oversee implementation to ensure they are working well. <br></li></ul><ul><li> <strong>Consistent, mandatory codes of conduct and ethics training. </strong>Statewide oversight reports I examined often noted that ethics training for teaching and administrative personnel existed but was not applied consistently across districts. The adoption of a code of ethics for all school system staff was rarer. School leaders also should be educated concerning appropriate actions in common fraud prevention areas. They need to understand the importance of internal auditing, know the language in local policy, and rigorously follow up. </li></ul><ul><li><strong>Strengthen internal controls, especially over the most fraud-susceptible risk areas. </strong> Another consequence of budget stresses and a reliance on external auditing, complaints, and whistleblower-driven processes to deal with fraud is that schools are often behind the curve in preventing and detecting fraudulent activities. Inspection reports frequently provided recommendations, but typically only related to the disciplining of employees or contractors, and much less frequently in relation to the systematic changes to controls or procedures that were needed. 
In addition to educational and accountability related measures, school districts should undertake regular assessment of risk-prioritized fraud activities and direct their targeted prevention and detection efforts to those areas. Given the kinds of fraud, such as employee theft, documented in the Chicago Public Schools case, some specific control measures to consider include: 1) increased segregation of financial approval authorities over more than two employees, and 2) increased monitoring and scrutiny of frequent bidders and contractors for school supplies and services. To help avoid the potential for "stringing" contract bids — falsely splitting an overall contract amount into smaller pieces to avoid limits on noncompetitive contracting — school boards should consider either lowering the dollar limit or eliminating it entirely.<br></li></ul>Art Stewart
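The "stringing" pattern described above (several purchases, each just under the noncompetitive limit, placed with one vendor in a short span) and the recommended scrutiny of frequent bidders can both be checked mechanically against a purchase-order export. The script below is an added example written for this page, not code from CPS, the inspector general, or the column's author. The purchase orders are constructed, and the field names, the US$10,000 bid threshold, the 30-day window, and the 90% "near-limit" cutoff are all assumptions that a district would replace with its own policy values.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed purchase-order export (not CPS data); field names are assumed.
PURCHASE_ORDERS = [
    {"po": "PO-1001", "vendor": "Acme Supply",    "requester": "emp17", "date": date(2013, 3, 1),  "amount": 9_800.00},
    {"po": "PO-1002", "vendor": "Acme Supply",    "requester": "emp17", "date": date(2013, 3, 4),  "amount": 9_750.00},
    {"po": "PO-1003", "vendor": "Acme Supply",    "requester": "emp17", "date": date(2013, 3, 9),  "amount": 9_900.00},
    {"po": "PO-1004", "vendor": "Lakeside Paper", "requester": "emp03", "date": date(2013, 3, 2),  "amount": 1_200.00},
    {"po": "PO-1005", "vendor": "Lakeside Paper", "requester": "emp03", "date": date(2013, 6, 15), "amount": 11_500.00},
    {"po": "PO-1006", "vendor": "Acme Supply",    "requester": "emp17", "date": date(2013, 8, 20), "amount": 4_000.00},
]

NONCOMPETITIVE_LIMIT = 10_000.00  # assumed: purchases at or above this need competitive bids
WINDOW = timedelta(days=30)       # assumed: orders this close together are treated as one purchase
NEAR_LIMIT_FRACTION = 0.90        # assumed: "just under the limit" means >= 90% of it


def find_split_purchases(orders, limit=NONCOMPETITIVE_LIMIT, window=WINDOW):
    """Flag vendor/requester pairs whose individually-under-limit orders add up
    to the limit or more within `window`. Orders already at or above the limit
    are excluded: those went (or should have gone) through the bid process."""
    groups = defaultdict(list)
    for o in orders:
        if o["amount"] < limit:
            groups[(o["vendor"], o["requester"])].append(o)

    findings = []
    for (vendor, requester), group in groups.items():
        group.sort(key=lambda o: o["date"])
        flagged = {}
        start = 0
        for end in range(len(group)):
            # Slide the window start forward until the cluster fits in `window`.
            while group[end]["date"] - group[start]["date"] > window:
                start += 1
            cluster = group[start:end + 1]
            if len(cluster) > 1 and sum(o["amount"] for o in cluster) >= limit:
                for o in cluster:
                    flagged[o["po"]] = o["amount"]
        if flagged:
            findings.append({
                "vendor": vendor,
                "requester": requester,
                "pos": sorted(flagged),
                "total": round(sum(flagged.values()), 2),
            })
    return findings


def near_limit_orders(orders, limit=NONCOMPETITIVE_LIMIT, fraction=NEAR_LIMIT_FRACTION):
    """Orders priced just under the bid threshold; a run of these from one
    requester to one vendor is the classic signature of a strung contract."""
    return [o for o in orders if fraction * limit <= o["amount"] < limit]


def vendor_concentration(orders):
    """Share of each requester's order count that goes to their top vendor,
    for the 'frequent bidders and contractors' scrutiny the column recommends."""
    counts = defaultdict(lambda: defaultdict(int))
    for o in orders:
        counts[o["requester"]][o["vendor"]] += 1
    result = {}
    for requester, per_vendor in counts.items():
        top_vendor, top = max(per_vendor.items(), key=lambda kv: kv[1])
        result[requester] = (top_vendor, round(top / sum(per_vendor.values()), 2))
    return result


if __name__ == "__main__":
    for f in find_split_purchases(PURCHASE_ORDERS):
        print(f"possible split purchase: {f['vendor']} via {f['requester']} "
              f"{f['pos']} totals {f['total']:,.2f}")
    print("near-limit POs:", [o["po"] for o in near_limit_orders(PURCHASE_ORDERS)])
    print("vendor concentration:", vendor_concentration(PURCHASE_ORDERS))
```

On the constructed data the three March orders to Acme Supply are each under the limit but total US$29,450 inside one 30-day window, so they are reported together; the August order to the same vendor falls outside the window and is not. Lowering or removing the dollar limit, as the column suggests, shrinks what this check has to find, but while a limit exists the window and near-limit thresholds are the two knobs an auditor should tune to the district's actual purchasing cadence.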
<h1>Too Good to Be True</h1><p>Investment fund company F-Squared has admitted to defrauding its investors and will pay a US$35 million fine to the U.S. Securities and Exchange Commission (SEC), <a href="" target="_blank"> <em>Fortune</em> reports</a>. F-Squared is the largest exchange-traded fund (ETF) strategy firm, one of a class of fund managers that use computer models to forecast when their clients should buy and sell ETFs. The SEC says F-Squared had advertised its investment strategy as being based on historical returns, but those returns were actually based on a computer model devised in 2008. Moreover, the SEC says the company's founder, Howard Present, was aware that the computer model had an error that caused it to overinflate its performance, but he never investigated the error. Present stepped down as F-Squared's CEO in November.</p><h2>Lessons Learned</h2><p>Fraud has been an issue since the inception of online performance marketing, once labeled as "innovative business practices." In the past few years, as the ETF and performance marketing industry has grown by leaps and bounds, it has become the target of increasingly sophisticated fraudsters, both from within and outside of its firms. Fraud committed against investment companies, investors, and consumers arguably undermines the industry due to increased regulatory scrutiny and enforcement that ultimately chases off investment dollars and forces firms to redress financial losses.</p><p>There have been continuous calls for organizations and investors to implement a fraud protection system, greater regulations — including some who call for an outright ban on investment performance marketing — and auditor scrutiny. Beyond these demands, what can be done to prevent and mitigate this kind of fraud? Auditors should reinforce an overall need for a proactive, self-regulatory culture, covering both the investment industry and investors, that implements best practices and aggressive fraud-prevention solutions. 
There are three key elements to such a culture:</p><ul><li> <strong>A continuous improvement approach to the educational and professional requirements of and compliance by those working in the investment industry. </strong>There are many different standards in the advisory world, and some differentiation is needed. However, primary focus needs to be placed on the investors and their changing situation and requirements. The importance of asset mix and what is and what is not appropriate for any investor — including the need to address changing risk levels — is a dynamic process. Most small investors do not have regular reviews of their portfolios and their advisers often are not qualified to address this issue. Instead, advisers recommend funds on past performance — as in the F-Squared case — which statistics show is the worst thing one can do. Education and certification standards should include explicit requirements for investment disclosure and reporting. Auditors should have a role in examining whether standards are robust and being complied with across the industry.<br><br></li><li> <strong>Investor responsibility, supported by the investment industry.</strong> Investors should be responsible for ensuring they are dealing with a reputable financial adviser, just as they would ensure they are seeing a good dentist, doctor, or attorney. Education can help investors protect themselves from marketing abuses. This could include requiring investment institutions to provide essential investor training. Before being accepted as investors, individuals should sign off that they clearly understand the risk of absolute loss they are taking, or alternatively they should be encouraged to invest in products that are conservative and balanced. 
Investors also must understand investment returns and how they are measured, rather than equating annual returns with annualized returns, or subscribing to similar metrics used to market funds.<br><br> </li><li> <strong>Adequate and meaningful disclosure of investment risks and results.</strong> Certain key information regarding investment decisions, risks, and expected results should be available to investors in clear and concise language, rather than in fine print, footnotes, and thick, legal jargon-filled documents that aren't read, understood, or complied with. In the context of the F-Squared case, it is worthwhile to consider the Chartered Financial Analyst (CFA) Institute's <a href="" target="_blank">Principles for Investment Reporting</a>.<br></li></ul><p>In particular, the CFA's principle 4 — clear and transparent presentation of investment risks and results — states that effective investment reporting reflects these qualities:</p><ol><li>Historical information presented in the investment report is not changed without disclosure to the user. </li><li>The investment report is a fair representation of the investments made, results achieved, risks taken, and costs incurred. </li><li>The investment report is relevant and appropriate for the purpose stated and the assets and investment strategies being presented. </li><li>The investment report provides appropriate comparative data — such as index data, a customized benchmark, peer group data, or a Global Investment Performance Standards composite — to allow the report user to assess the relative performance of the investments. </li><li>The investment report provides information on investment risks that have been experienced and are expected, including changes to assumptions previously adopted. </li><li>The investment report reflects the impact of taxes in general and the impact of taxes on performance, where germane.</li></ol><p>Before an investment is made, a joint sign-off by the investment company representative and the investor that both investments and investment reporting will reflect these clear principles could contribute to preventing and mitigating related fraud activity.</p>Art Stewart
<h1>Plot to Defraud</h1><p>Sam Associates, a real estate development company located in Pakistan, hired Shamool Khan as a receptionist/office assistant when the company was first established. He was hard working, educated, and had excellent communication skills. After successfully completing several assignments ahead of schedule, he came to earn the trust of the business owners and was eventually promoted to general manager. This gave him the opportunity to learn exactly where internal control weaknesses lay.<br></p><p>In winter 2011, Sam Associates' owners discovered, through an employee complaint, that Khan was abusing his power and embezzling funds from the firm with help from his co-workers. During his two years with the company, he had issued bogus cash installment receipts to customers and misappropriated firm funds to the amount of Rs4 million (the equivalent of US$47,000).<br></p><p>After climbing the company ranks, Khan’s first major project was a low-cost housing development that met strict quality standards and the needs of low-income households. Sam Associates acquired 1,500 kanals (approximately 188 acres) of land and planned to develop approximately 1,200 kanals (150 acres) of it. Several firm partners had made personal investments contributing to the project.<br></p><p>As a trusted employee, Khan was uniquely positioned to run an embezzlement scheme. Traditional business controls, such as separation of accounting duties, delegation of authority, system access, and administrative approvals, were not prescribed in the early phase of the business. 
Khan also wasn’t monitored by the firm owners, which enabled him to undertake enormous fraudulent activities by taking advantage of several internal control weaknesses:<br></p><ul><li>Lack of appropriate authorization for commission disbursements.</li><li>No clearly defined lines of authority, roles, or responsibilities.</li><li>No independent checks on performance.<br></li><li>Inadequate documentation policies.<br></li><li>Management override of internal controls.<br></li><li>A willingness among employees and third parties, and lower level employees and management, to collude to circumvent controls.<br></li><li>Insufficient written policies and procedures to direct department processing.<br></li></ul><p>To help sell the plots of land, Sam Associates used dealerships — loosely defined principal-agent relationships — which are an integral part of commercial real estate activity in Pakistan. Sam Associates did not follow consistent policies concerning commission, returned plots, and recovery of commission. The commission to dealers was supposed to be paid to the dealers in three stages: after initial deposits, after each monthly installment, and after the final lump-sum payment. But instead of commissions being paid in stages, they were paid in full upon the initial deposit.<br></p><p>Dealers were allowed to charge varying commission under each plot sale arrangement. This provided opportunity for dealers to defraud the firm by collusion with Khan. The records were made to appear as if the first dealer — who received a lower commission percentage — returned the plot to the firm. The plot was then sold by a second dealer, who usually charged a higher commission. In the process, accounting department employees colluded with dealers and received a percentage on the second sale. Because there was no policy to recover commissions already paid to dealers, the firm sustained significant commission loss on returned plots. 
As a part of the sale agreement, the dealers also took responsibility for helping collect payment from customers. But practically all monthly installment payments were collected late and, in many instances, initial deposits were not fully paid. Land plots were sometimes booked on partial deposits and commissions were then paid in full.<br></p><p>Accounting department employees also colluded with Khan to create fake dealer identities in the accounting system. Khan himself was selling plots to customers, channeling dealer commissions through these fake dealers, and keeping 100 percent of the commissions. A junior accountant was responsible for collecting, recording, communicating, and depositing funds for cash and credit collections. The application-level controls in place gave the accountant access rights that permitted him to enter, approve, and review transactions.<br></p><p>When a newly appointed accounting employee tipped off management to Khan’s scheme, an investigation determined that Khan abused his authority, organizational powers, and managerial control. He spent lavishly and lent company money to his co-workers. During his employment, two more obvious warning signs were overlooked within the company: unexplained margin erosion and cash flow problems. He extracted cash from the firm’s coffers by issuing phony receipts and counterfeiting documents, and then pocketed the money. The embezzlement and asset misappropriation schemes continued for almost two years, with the help of two of his colleagues. The owners were shocked and devastated to discover just how extensively their trust was violated by one of their key employees. By the time Khan’s scheme was exposed, it was too late. He and his accomplices had disappeared.<br></p><p>Sam Associates management took the matter to the authorities. During the civil and criminal proceedings against him in absentia, Khan and his accomplices were found guilty. 
Police are still looking for him.<br></p><h2>Lessons Learned</h2><ul><li>When an employee exhibits lifestyle changes, it should be a red flag. Going from a modest lifestyle to a lavish one can be an indication that the individual is stealing from the organization.</li><li>Absent or weak internal controls are an invitation for fraud. A set of internal control procedures can help safeguard company assets, ensure adherence to company policies, and promote efficiency and disclosure of reliable financial information. Many internal controls are neither time-consuming nor expensive to put in place, and their benefits can be significant. </li><li>Segregation of duties is an integral part of operational control and can deter collusion among employees. Because frauds with collusion are more difficult to detect, companies should have whistleblower hotlines for reporting indiscretions when employees see them. </li><li>Lack of management review weakens detection of employee misconduct. Management should maintain documentary evidence of its review and approval of all financial information to demonstrate that it has retained effective control over its financial information.</li><li>Regular disbursements, such as commissions, should not be allowed without applying regular authorization processes and closely watching all exception cases.<br></li><li>Customer control accounts should be regularly monitored and reconciled at least monthly. Any discrepancies should be investigated adequately.</li><li>A fraud policy gives the perception among employees that management is serious about deterring fraudulent behavior. It should make clear that violators will be terminated and prosecuted. <br></li></ul>Syed Zubair Ahmed
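The three commission abuses the case describes (commission paid in full on a partial or missing deposit, fake dealer identities in the accounting system, and a plot "returned" by a low-commission dealer and resold by a high-commission one with nothing recovered) each leave a trace that a monthly reconciliation of the customer control accounts against commission disbursements can catch. The script below is an added example for this page, not code from Sam Associates or the case author. The dealer registry, sale agreements, and disbursements are constructed, and the field names and the 2% and 5% commission rates are assumed; the rule it enforces is the one the article states, that commission is earned stage by stage on cash actually received from the customer.

```python
from collections import defaultdict

# Constructed records (not Sam Associates' books); field names and rates are assumed.
APPROVED_DEALERS = {"D01": "Khalid Traders", "D02": "City Estates"}

# One row per (plot, dealer) sale agreement. `collected` is cash actually received
# from the customer so far; `status` is "active" or "returned".
SALES = [
    {"plot": "P-101", "dealer": "D01", "price": 1_000_000, "collected": 100_000, "rate": 0.02, "status": "active"},
    {"plot": "P-102", "dealer": "D01", "price": 800_000,   "collected": 80_000,  "rate": 0.02, "status": "returned"},
    {"plot": "P-102", "dealer": "D02", "price": 800_000,   "collected": 80_000,  "rate": 0.05, "status": "active"},
    {"plot": "P-103", "dealer": "D99", "price": 500_000,   "collected": 50_000,  "rate": 0.02, "status": "active"},
    {"plot": "P-104", "dealer": "D02", "price": 600_000,   "collected": 0,       "rate": 0.02, "status": "active"},
    {"plot": "P-105", "dealer": "D01", "price": 900_000,   "collected": 900_000, "rate": 0.02, "status": "active"},
]

# Commission disbursements as recorded by the accounting department.
COMMISSIONS = [
    {"dealer": "D01", "plot": "P-101", "paid": 20_000},  # full 2% of price; only 10% of price collected
    {"dealer": "D01", "plot": "P-102", "paid": 16_000},  # paid, never recovered after the plot came back
    {"dealer": "D02", "plot": "P-102", "paid": 40_000},  # second dealer, higher rate, paid in full up front
    {"dealer": "D99", "plot": "P-103", "paid": 10_000},  # dealer id that is not in the registry
    {"dealer": "D02", "plot": "P-104", "paid": 12_000},  # plot booked with no deposit at all
    {"dealer": "D01", "plot": "P-105", "paid": 18_000},  # clean: fully paid plot, 2% of cash received
]


def paid_by_agreement(commissions):
    """Total commission paid per (plot, dealer) agreement."""
    totals = defaultdict(float)
    for c in commissions:
        totals[(c["plot"], c["dealer"])] += c["paid"]
    return totals


def unapproved_dealers(commissions, registry=APPROVED_DEALERS):
    """Dealer ids that received commission but were never set up in the registry."""
    return sorted({c["dealer"] for c in commissions if c["dealer"] not in registry})


def commission_overpayments(sales, commissions):
    """Stage-based entitlement: a dealer is owed `rate` on cash actually collected,
    nothing on what the customer still owes. Anything paid above that is flagged."""
    paid = paid_by_agreement(commissions)
    findings = []
    for s in sales:
        entitled = s["rate"] * s["collected"]
        got = paid.get((s["plot"], s["dealer"]), 0.0)
        if got > entitled + 0.005:  # tolerance for float rounding on the rate
            findings.append({"plot": s["plot"], "dealer": s["dealer"],
                             "entitled": round(entitled, 2), "paid": got,
                             "excess": round(got - entitled, 2),
                             "no_deposit": s["collected"] == 0})
    return findings


def returned_and_resold(sales, commissions):
    """Plot returned by one dealer and resold by another at a higher rate while
    the first dealer's commission was never clawed back."""
    paid = paid_by_agreement(commissions)
    by_plot = defaultdict(list)
    for s in sales:
        by_plot[s["plot"]].append(s)
    findings = []
    for plot, rows in by_plot.items():
        for first in (r for r in rows if r["status"] == "returned"):
            for second in (r for r in rows if r["status"] == "active"):
                unrecovered = paid.get((plot, first["dealer"]), 0.0)
                if second["rate"] > first["rate"] and unrecovered > 0:
                    findings.append({"plot": plot, "first": first["dealer"], "second": second["dealer"],
                                     "unrecovered": unrecovered,
                                     "rate_increase": round(second["rate"] - first["rate"], 4)})
    return findings


if __name__ == "__main__":
    print("unregistered dealers paid:", unapproved_dealers(COMMISSIONS))
    for f in commission_overpayments(SALES, COMMISSIONS):
        print(f"{f['plot']} {f['dealer']}: paid {f['paid']:,.0f}, entitled {f['entitled']:,.0f}"
              + (" (no deposit received)" if f["no_deposit"] else ""))
    for f in returned_and_resold(SALES, COMMISSIONS):
        print(f"{f['plot']}: returned by {f['first']}, resold by {f['second']}, "
              f"{f['unrecovered']:,.0f} never recovered")
```

The only agreement that passes all three checks is P-105, where the customer has paid in full and the dealer received exactly 2% of the cash collected. Every other disbursement in the constructed ledger trips at least one rule, which is the point: once the entitlement is defined in terms of cash received rather than plot price, the scheme cannot hide in the ordinary commission run, and the report is something the owners could review monthly without having to trust the general manager's word.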
<h1>What Segregation of Duties?</h1><p>The former chief financial officer (CFO) of an Indiana township took advantage of his position to embezzle more than US$300,000, fueling a spending spree that included a new house, a pickup truck, Caribbean vacations, and jewelry, the <a href="" target="_blank"> <em>Indianapolis Star</em> reports</a>. Alan Mizen was the township's CFO from 2001 to 2011. According to an audit by Indiana's State Board of Accounts, Mizen had authority to write and sign checks, and also balanced the township's books and wrote its annual report. This enabled him to cut a check for US$343,541 to a fictitious attorney general's account, fake an invoice in the accounting system, and then deposit the check into a bank account he had created. Mizen has pleaded guilty to federal corruption charges.</p><h2>Lessons Learned</h2><p>The amount of money embezzled in this case (less than US$500,000) may seem relatively small compared to many other fraud incidents I have written about in previous columns, but the potential impact of fraud committed by local government public officials is enormous. U.S. census statistics indicate that there are more than 16,000 different civil townships, each with its own governance, authority, and accountability structure. At the heart of this case is an almost complete lack of controls over the activities of the Center Township government's CFO during a period of several years, as noted by an Indiana State Board of Accounts audit.</p><p>In numerous other articles, I have shed light on some of the main types of controls and measures that internal auditors should be aware of and use in their work to combat this kind of fraud, including those intended to address gaps in internal controls over financial management, a lack of segregation of duties, and inconsistent background checks on employees. 
Auditors also need to be vigilant about fraud "red flags" such as changes in an employee's lifestyle that involve significant increases in personal spending on luxury items. For cases involving local governments, it is important for auditors to periodically review the adequacy of the basic governance and authority regime intended to direct the behavior and activities of officials and employees, as well as how well they are being followed, particularly by the lead trustee and the treasurer. </p><ul style="list-style-type:disc;"><li> <strong>The Trustee</strong>: The duties and obligations of county/township officials vary widely from state to state and from one local government to another. For example, in some places, the county trustee has additional duties such as maintaining cemeteries and administering insulin to the sick. In many instances the most senior official, the trustee, has five major functions:</li><ul><ol><li>Collect all state and county taxes on property.</li><li>Keep a fair and regular account of all the money received.</li><li>Receive the county's bills and maintain a record of all bills received and related details.</li><li>Keep regular accounts of all payments made in relation to bills received.</li><li>On leaving office, deliver all books and papers of the office to his or her successor.</li></ol></ul></ul><ul><li> <strong>The Treasurer/CFO:</strong> Duties include the receipt and payment of county/township funds. Typical state legislation governing township/county governments specify at least three major treasurer duties/obligations that are central to this case: </li><ol><li>Monies that the treasurer receives must be allocated to one of the township's approved funds. Other special purpose funds may be established, but they must be authorized by the entire township/county government. </li><li>The treasurer must file a sworn, itemized financial accounting statement, typically monthly, with the county executive. 
</li><li>All officials, including the treasurer, are prohibited from requiring or allowing checks or other forms of payment to be payable to the official in his or her own name, rather than the name of the governmental entity, the office, or the official's name and title.  </li></ol></ul><p>It is apparent that the Center Township CFO was defrauding its government and citizens with regard to the above obligations. However, the problem may not have been limited to this. Auditors looking into similar cases should consider whether the trustee played a role in the fraud, and whether his or her activities were reviewed.</p>Art Stewart03114
Fraud Behind Bars<p>Fraudulent tax refund claims by U.S. prison inmates topped US$1 billion in 2012, a six-fold increase since 2007, according to a report by the Treasury Inspector General for Tax Administration (TIGTA). There were more than 137,000 fraudulent claims in 2012, up from 37,000 in 2007. The report faults the U.S. Internal Revenue Service (IRS) for failing to take necessary steps to curb fraudulent claims. The IRS blocked US$936 million of fraudulent claims, but paid out more than US$64 million. One North Carolina inmate says he has defrauded the federal government of nearly US$4 million by using real names and Social Security numbers, the <a href="" target="_blank"><i>Fiscal Times</i> reports</a>.</p><h2>Lessons Learned</h2><p>The scope of the prisoner tax fraud problem is surprisingly large. According to the U.S. Bureau of Justice Statistics, in 2011, 2.26 million adults were incarcerated in federal prisons, state prisons, and county jails — nearly 1 percent of U.S. adults. Combined with an additional 4.81 million adults who were on probation or on parole, that totals more than 7 million adults, or about 2.9 percent of the U.S. population.</p><p>In its 2014 audit of IRS activities, the TIGTA observes that refund fraud associated with prisoner Social Security numbers is a growing problem for tax administration. Although the IRS is making some progress in implementing anti-fraud measures to counter the threat of crimes perpetrated by prisoners, the inspector general says more can be done. The IRS continues to insist it is doing all it can. Based on my review of the TIGTA's audit and the IRS management's response, of the six recommendations the inspector general makes, there are three that the IRS should address more proactively. All three are issues that auditors will see arise in assessing audit issues generally found in diverse organizations.</p><ul><li><p><strong>Required annual prisoner fraud reports to Congress are not timely.</strong> Congress (as legislators and overseers) and the public (as taxpayers) should be informed as soon as possible about the state of play of this fraud issue, and delays in reporting may be affecting the identification and implementation of improvements to fraud detection, including additional legislative initiatives.</p></li><li><p><strong>IRS annual reports do not adequately address the full extent of fraudulent tax return filings by prisoners.</strong> The IRS' annual report to Congress only includes false and fraudulent tax returns filed using a prisoner's Social Security number. The TIGTA's audit report includes clear examples the IRS could use to better determine the possible extent of the filing of false or fraudulent returns by federal and state prisoners that is not included in its annual reports. For example, the IRS apparently is not able to prevent the issuance of a refund for fraudulent returns that used a direct deposit account. The inspector general found that there were 16,342 unique direct deposit accounts used on 16,449 tax returns. Using these account numbers, the inspector general identified 1,777 accounts that also were used on another 47,321 tax returns, and the tax refunds claimed on these tax returns totaled more than US$102 million.</p><p>While one cannot conclude this entire sum is based on fraudulent activity, it may indicate that one or more prisoners may be perpetrating an identity-theft fraud scheme — hence its relevance to include in statutory reporting. The kind of profiling and matching process the inspector general is advocating is already in place to deal with many categories of noncompliant taxpayers, both in the United States and internationally. Examples include nonfilers, industries and businesses that are high risk for under-reporting income, and those operating within the "underground economy."</p></li><li><p><strong>The IRS does not consistently and thoroughly assign a prisoner indicator (or unique identifier) for all prisoners.</strong> If this unique identifier is not assigned, it means that the tax return will not be subjected to the IRS' specialized prisoner fraud checks, according to the TIGTA's audit. But this is the kind of measure that is regularly adopted by governments to enable them to identify and interact with clients of a wide range of programs and services, including for child benefits and others. It is not about presuming that the identified population is automatically engaging in illegal behavior; it is about ensuring that the right clients are provided with the services and benefits they deserve while preserving the integrity of compliance with the program/service requirements.</p><p>The IRS management response essentially defended its limited scope of prisoner indicators based on "systemic limitations," "programming issues," or the argument that an indicator is unnecessary in cases where no refund is being sought — which does not mean that the right amount of tax is being paid. That response does not seem entirely defensible in light of the IRS' mandates and resources. Further, the IRS response does not seem to identify privacy or personal information protection as a constraint to taking further actions in this area.</p></li></ul>Art Stewart
Fraud at the Top<h3>What are some of the top red flags indicative of fraud or unethical behavior at the executive level?</h3><p><strong>Ratley</strong> Statistically, the most common warning sign displayed by fraudsters at the executive level is living beyond their means. Even those at the top can outspend their incomes, leading some to pad their bank accounts dishonestly. Other red flags that can be troubling and serve as warning signs of potential fraud or other unethical conduct include a willingness to use questionable or overly aggressive tactics to achieve business or personal objectives, a lack of transparency in decision-making and operations, and an attitude that the rules don’t apply to those at the top.</p><p><strong>Snell</strong> You can look at the expense reports of some leaders and tell whether there is a problem with the tone at the top. These reports can tell you a lot about a person’s respect for the rules, character, and ethical disposition — and the reports are easy to examine. Also, look for evidence of executive leadership’s support of the compliance and ethics program.</p><h3>What are the most common executive-level frauds and ethical lapses seen in corporations today?</h3><p><strong>Snell</strong> Executive-level fraud often is related to anti-bribery laws and accounting. Leaders should get to know their industry’s specific high-risk regulations and ensure the compliance officer is constantly working on them. The most common ethical lapses seem to be related to human resource issues associated with personal relationships.</p><p><strong>Ratley</strong> Research from the Association of Certified Fraud Examiners (ACFE) shows the most common fraud schemes perpetrated by executives and upper management involve corruption, a category of fraud that includes bribes and kickbacks, extortion, and conflicts of interest. Anecdotal evidence bears this out, as stories of high-profile bribery cases, growing regulatory scrutiny, and large Foreign Corrupt Practices Act (FCPA) settlements fill the news headlines.</p><p>Other types of schemes that we commonly see perpetrated by those at the top include billing schemes — those that involve manipulation of purchasing and payment functions in an organization — and fraudulent expense reimbursements.</p><h3>What steps can organizations take to ensure an ethical tone at the top?</h3><p><strong>Ratley</strong> Effective governance by the board of directors sets the foundation for the organization’s ethical tone. The board is charged with overseeing management, and it must expect executives not only to behave ethically, but also to incorporate ethical considerations into company strategy and operations. The directors should make it clear that they will not tolerate dishonest practices by management.</p><p>Setting realistic performance targets and incorporating measures of ethical performance into executive evaluation and compensation also incentivize ethical behavior. Additionally, executives should be bound by a published ethics policy and required to attend periodic, targeted ethics training. These requirements help remind executives of their ethical duties and the consequences of honest — and dishonest — conduct.</p><p><strong>Snell</strong> The quickest way to get complete and demonstrable buy-in from leadership is for the organization to suffer an ethical or compliance lapse, get investigated, pay a huge fine, and suffer ridicule in the media for several months. Or, the organization can choose to hire a compliance officer and implement a compliance and ethics program. The board can help drive the ethical tone. Also, setting up compliance bonus incentives for leadership is simple and very effective.</p><h3>What tactics seem to work best to stop fraud or unethical behavior at the top?</h3><p><strong>Snell</strong> The organization should hire a compliance officer and implement an effective compliance program. The compliance program must be set up correctly with adequate independence and authority to prevent, find, and fix ethical and regulatory issues.</p><p>Additionally, one person from the top level of management and a board member should attend compliance training with their compliance and ethics officer. Also, consider putting an experienced compliance officer from another company on your board.</p><p><strong>Ratley</strong> We know most frauds are detected by tips; ACFE research shows that 44 percent of the schemes involving executives are revealed by whistleblowers. So perhaps the best tactic is providing employees at all levels with the means to report unethical or dishonest behavior — even when it is displayed by those at the top — and empowering and encouraging individuals to do so without fear of retaliation.</p><p>Additionally, we need to remember that executives are human, and they face many of the same personal challenges as everyone else. Offering support mechanisms to all employees — including top management — to help them deal with personal and financial pressures (such as debts, family problems, or addiction) can greatly reduce the temptation to commit fraud.</p><h3>What is internal audit’s role in fighting fraud at the executive level?</h3><p><strong>Ratley</strong> Internal auditors have the unique perspective that comes from a close-up and continuous view into the organization’s culture, risks, and controls. This intimate understanding of the organization’s strengths and weaknesses is a huge benefit in assessing and combatting the risk of fraud at the executive level. However, only about 10 percent of frauds committed by executives are uncovered by internal audit, which shows that many warning signs of fraud are being missed.</p><p>Internal auditors should make sure they are asking the tough questions, examining the answers through the context of the tone at the top, and proactively watching for signs that point to potential wrongdoing at the executive level of the organization.</p><p><strong>Snell</strong> Enron, HealthSouth, and Tyco had problems that were known by several people but not fixed. Compliance professionals should work with other departments, including internal audit, to ensure tasks related to compliance are effective and timely, and that problems are corrected quickly. The compliance department should ensure that a comprehensive process is put in place to prevent the problem from happening again.</p><h3>Are companies saying one thing about fighting fraud at the executive level and doing another?</h3><p><strong>Snell</strong> I was skeptical; however, recent surveys from the Society of Corporate Compliance and Ethics reveal compliance professionals are predominantly satisfied, if not effusive, about their leadership’s support of compliance. Most leaders are trying to do the right thing. There are a few executives hitting the headlines who are making all business leaders look bad. It’s not fair, nor is it representative of executive leadership’s support for compliance and ethics.</p><p><strong>Ratley</strong> Unfortunately, there are still some organizations — more than there should be — that don’t proactively address fraud at the executive level. Many organizations wait until they have been censured by regulators for breaking the law before taking the risk of fraud seriously. However, I have seen an encouraging number of organizations realize the importance of applying anti-fraud programs consistently across the board, setting the same — or even more stringent — ethical expectations and requirements for senior executives as those that are in place for the rest of the staff. In doing so, these organizations not only fight fraud at the executive level, but also strengthen the overall anti-fraud program and ethical tone of the organization.</p><table width="100%" cellspacing="0" class="ms-rteiaTable-7"><tbody><tr class="ms-rteiaTableEvenRow-7"><td class="ms-rteiaTableEvenCol-7" style="width:50%;"><img src="/2014/PublishingImages/James-Ratley.jpg" class="ms-rteiaPosition-1" alt="James Ratley" style="margin:5px;" /></td><td class="ms-rteiaTableOddCol-7" style="width:50%;">James Ratley is the president and CEO of the Association of Certified Fraud Examiners.</td></tr><tr class="ms-rteiaTableOddRow-7"><td class="ms-rteiaTableEvenCol-7"><img src="/2014/PublishingImages/Roy-Snell.jpg" class="ms-rteiaPosition-1" alt="Roy Snell" style="margin:5px;" /></td><td class="ms-rteiaTableOddCol-7">Roy Snell is CEO of the Society of Corporate Compliance and Ethics.</td></tr></tbody></table>Staff
Bid-rigging Scheme Grounded<p>A U.S. Marine Corps chief warrant officer and two executives of a defense contractor have been indicted for allegedly conspiring on a bid to perform maintenance on the Marine Helicopter Squadron helicopters used to transport the U.S. president and vice president, <a href="">Reuters reports</a>. Prosecutors say the Marine Corps officer leaked confidential information on the cost of the proposed bid contract to the CEO and president of Louisiana-based Valour LLC. The officer then participated on a selection board in which he rated Valour higher than other bidders, despite the Marine Corps having concerns about the company's past performance.</p><h2>Lessons Learned</h2><p>Although it is difficult to quantify precisely how big a problem bid-rigging in procurement processes is, numerous independent sources provide some parameters for this fraud threat. The 2014 Association of Certified Fraud Examiners (ACFE) <a href="">Report To The Nations on Occupational Fraud</a> (PDF) cites corruption — within which bid-rigging is conceptually situated — as the single biggest category of fraud observed within the government and public administration sector (36 percent), with a median loss of US$200,000 per incident (see Figure 24 of the report). Furthermore, corruption is consistently the largest fraud type observed across most industries.</p><p>While not as recent, a 2007 Organisation for Economic Co-operation and Development (OECD) document, <a href="">Guidelines for Fighting Bid-rigging in Public Procurement</a> (PDF), states that "In OECD countries, public procurement accounts for approximately 15 percent of gross domestic product. In many non-OECD countries that figure is even higher." And finally, a 2007 evaluation by the Canadian government's Competition Bureau of its anti-bid-rigging activities cites comparative data for the United States: "As of December 2007, the (U.S. Justice Department) Antitrust Division was dealing with 139 grand jury investigations, of which 40 percent were potential cases of bid-rigging and 60 percent were investigations of price fixing or frauds."</p><p>Much has been written on this subject, and both the ACFE Report To The Nations and the OECD anti-bid-rigging guidelines contain excellent information and advice on the red flags and methods internal auditors should be aware of in fighting bid-rigging fraud. Both a systematic approach to identifying and mitigating contract fraud risk and a balanced, accountable, and transparent approach to identifying contract requirements are fundamentally important in reducing this kind of threat to organizations. There are two areas that bear highlighting.</p><p><strong>Perform a thorough fraud risk assessment of the planned procurement and process.</strong> The first, and probably most important, step in tackling bid-rigging fraud is identifying the risk of fraud. How the procurement is defined is important because this in turn can be linked to the different areas of the procurement cycle that may be exposed to the risk of collusion or manipulation, and to what extent.</p><p>Procurement officers and their collective knowledge are essential to conducting this risk assessment work. They should understand the dynamics of the markets in which major purchases are made and should be able to correctly assess the degree of collusion risk from market behavior that may not arouse suspicions from a less-informed buyer.</p><p>Risk and control considerations include:</p><ul><li><p>With regard to the identification of needs, there should be a clear requirement for the product or service that has been approved by an independent person or board. Individuals inside the fraud victim organization can have hidden relationships with potential suppliers and bidders that they can use to influence or bias the decision-making process around the identification of needs for a procurement.</p></li><li><p>Similarly, any material goods, results, or savings promised to be delivered should be clear, transparent, and auditable.</p></li><li><p>As a key control mechanism, bid packages should require bidders to sign and submit a noncollusion affidavit stating that the bidder has not colluded and informing bidders of penalties should they violate laws or regulations.</p><p>A thorough risk assessment also will identify areas where training is needed to strengthen the awareness of purchasing department employees of indicators of bid-rigging, price-fixing, and other types of collusion.</p></li></ul><p><strong>Contract specification and design is a key area where bid-rigging fraud can be engineered or biased.</strong> Is the specification understood and agreed on by the relevant participants of the organization, or is this understanding and agreement only held narrowly, such as by one individual? This is a scenario in which organizations not only find themselves at risk from bid-rigging fraud, but also from unknowingly (or knowingly) tailoring contract specifications to obtain a predetermined procurement outcome. Specific questions include:</p><ul><li><p><em>Is the specification narrow to favor a particular individual or company?</em> This can happen frequently when the organization and its representatives have had a satisfactory ongoing relationship with the same supplier or bidder, giving rise to a sense that the existing supplier is "best suited" to continue providing the service or goods. As a result, organizations may exclude legitimate bids and could be confronted by legal complaints and challenges.</p></li><li><p><em>Does the organization adhere to clear rules regarding contract scope changes?</em> Bidders often submit price quotes based on detailed descriptions of services or products the customer wants. Particularly in government operating environments, work often is added to the contract after it has been awarded, including work that was totally unrelated to what was originally proposed. That might make the winning bidder happy to make more money, but other bidders can rightfully complain that they never got a chance to bid on the new work. Changing the scope of the contract requirements after the contract is awarded typically is considered a violation of internal contract rules. Moreover, insiders to the organization awarding the contract may have conspired to make contract changes even before the contract was awarded. Organizations should require changes to contracts to be documented in the form of contract modifications or amendments.</p></li><li><p><em>Does the organization award contracts without competition when there's an urgent need for critical items without delay?</em> If so, does the urgency really exist or is it the result of poor planning or because of collusion between the vendor and those within the organization to avoid competition? Procurement officers, auditors, and others with oversight roles in the contracting process should be vigilant and closely scrutinize such arrangements to determine how the organization designated the sole source supplier and verify whether that supplier really is a sole source of expertise or supply of goods and services.</p></li></ul><p>Other issues to watch for in the contract specification stage include deliberately writing vague specifications to allow favored but not necessarily best-qualified bidders to succeed, designing specifications to result in eventual bid-splitting, and allowing a potential bidder to view the specifications earlier than its competitors, especially when this influences the final contract specifications.</p>Art Stewart
Safeguarding Customer Data<p>Individuals who have discovered unauthorized charges on their credit cards or learned that someone has used their name to take out a loan are not alone. A recent CNN/<em>Money</em> magazine article reports that more than 13 million people were identity fraud victims last year, up from 12.6 million in 2012, based on a recent study by San Francisco-based Javelin Strategy & Research. It was the second-highest number of victims in the 10 years Javelin has conducted its study.</p><p>With fraud on the rise, consumer data is at risk. Just this year, thieves have targeted customer data at eBay, Home Depot, Neiman Marcus, and Target. For years, retail organizations and financial institutions have known that having payment card numbers in their company databases required some level of protection. Now hackers, fraudsters, and thieves are going beyond the card numbers to obtain customers' personally identifiable information (PII). They use this stolen data to make purchases, develop fake IDs, take out fraudulent loans, and perpetrate other illegal activities. Internal auditors need to add protecting credit and debit card information to their long list of fraud threats.</p><h2>Three States of Data</h2><p><em>PII</em> is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. This includes information such as credit card, checking account, Social Security, and driver's license numbers that uniquely identify an individual. Businesses collect such information whenever someone makes a purchase. This enables companies to verify that the person using the payment method is authorized to do so and is who he or she claims to be.</p><p>Although collecting customer data is a good business practice to prevent fraudulent activity, the moment organizations bring PII into their databases, they become custodians of it. As custodians, they are obligated to protect that information. Additionally, auditors have a duty to point out instances where customer PII may need to be protected, and they should look critically at internal systems where customers' data is available for all to see or access.</p><p>To protect PII, auditors need to know where it exists in their organization. Data security experts consider data that needs to be protected to be in three distinct states:</p><ul><li><strong>Data in use.</strong> Data on terminals, displays, hand-held devices, paper reports, or other devices that employees use to do their jobs.</li><li><strong>Data at rest.</strong> Information stored on file servers, computers, tablets, or information repositories such as email and Web servers.</li><li><strong>Data in motion.</strong> Data sent over networks.</li></ul><p>Knowing the state of the data goes a long way toward understanding how to protect and audit it. In most cases, data at rest needs to be safeguarded, usually through encryption. However, in some cases data is not encrypted because management believes it resides on a protected device or network. Another reason data is left unencrypted is performance, such as the time needed to encrypt and decrypt it. In either case, if the supposedly protected device is compromised, the data is in plain sight and at risk.</p><p>Encryption also is the preferred method of protecting data in motion. However, depending on the networks in use, it may not be possible to encrypt data if the receiver of the information does not have a way to decrypt it. In such cases, the organization should consider implementing other data security measures such as password protection, security keys, and biometric identification.</p><p>Above all, internal auditors need to be aware of the exact information the organization is trying to protect and the cost associated with protecting it. Additionally, as this is primarily a data security issue, the information security group should assist in any projects in this area.</p><h2>Audit Focus</h2><p>Once internal auditors know which information needs to be protected and how to do so, they need to perform a simple inventory to find out where it exists in their organization. For example, auditors can use a spreadsheet to perform the inventory analysis. Down one side, the auditor lists each application system, hardware device, report, and item that may contain PII. Across the top, the auditor lists the three data states — data in use, data at rest, and data in motion — and uses a simple check mark to identify whether PII exists in that state. Next to the cells where PII exists, the auditor can add a column indicating how that PII item is protected, or noting where the data is in plain sight and may need additional protection. This spreadsheet can function as a road map to locate all the organization's PII and identify the method used to protect it. Moreover, it can demonstrate the organization's due diligence in protecting this information.</p><p>Now that auditors know where all the data resides, they can scope and plan an assessment of the organization's risks. In addition to testing the encryption in place, auditors should focus on controls over how data is used as well as appropriate data security policies and procedures. Based on the inventory analysis, auditors can decide whether the data is at risk of compromise and then decide on an appropriate protection method. Some examples include:</p><ul><li>If PII is in clear text on a report, procedures need to be in place for those reports to be protected, secured when being used, locked away when not in use, and disposed of appropriately (i.e., shredded) when they are no longer being used.</li><li>If PII is in clear text on a screen from an application that many people can access, the auditor should recommend that the fields on the screen be masked with asterisks or encrypted so only certain individuals in the organization who need to identify customers can see the full information.</li><li>If the organization collects and uses PII regularly, the auditor should recommend that the organization adopt a customer privacy policy and notify customers that it is committed to protecting their information. Additionally, a "protecting customer information" training session should be required for all employees who deal with PII.</li></ul><p>In addition to these areas, auditors should check that backup storage devices that contain PII are protected, as these often are overlooked.</p><h2>Staying Out of the Headlines</h2><p>As attackers increasingly target customer PII, internal auditors need to discard their old assumption that outside forces are primarily after internal information such as company secrets, business strategies, and financial data. With customers' data increasingly threatened, internal auditors have an obligation to help protect this information from prying thieves — or run the risk that their organization will be the next business in the news.</p>Kenneth Pyzik
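As an added example that is not part of the article, the following Python models the PII inventory road map from the Audit Focus section (one row per system, device or report, its data state, and how it is protected) and the on-screen masking the article recommends for clear-text PII; the inventory rows, system names and controls are constructed sample data.

```python
"""PII inventory road map and screen masking (added example, not the article's).

The inventory mirrors the auditor's spreadsheet: one row per application,
device or report, the data state it holds PII in, and how that PII is
protected ("" means plain sight). Rows with unprotected PII become findings
carrying the control the article recommends for that state. mask_pii shows
the screen-masking recommendation: only the last digits are visible unless
the viewer is one of the individuals who needs the full value.
"""
from dataclasses import dataclass
from enum import Enum


class DataState(Enum):
    IN_USE = "data in use"
    AT_REST = "data at rest"
    IN_MOTION = "data in motion"


# Control the article recommends when PII in a given state is unprotected.
RECOMMENDED_CONTROL = {
    DataState.IN_USE: "mask on-screen fields; secure, lock away and shred reports",
    DataState.AT_REST: "encrypt stored data, including backup media",
    DataState.IN_MOTION: "encrypt in transit; if the receiver cannot decrypt, "
                         "use password protection, security keys or biometrics",
}


@dataclass(frozen=True)
class InventoryItem:
    name: str           # application system, hardware device, report, etc.
    state: DataState
    contains_pii: bool
    protection: str     # "" when the PII is in plain sight


@dataclass(frozen=True)
class Finding:
    item: str
    state: DataState
    recommendation: str


def find_unprotected_pii(inventory):
    """Return one Finding per item that holds PII with no protection noted."""
    return [
        Finding(item.name, item.state, RECOMMENDED_CONTROL[item.state])
        for item in inventory
        if item.contains_pii and not item.protection.strip()
    ]


def coverage_by_state(inventory):
    """Map each data state to (protected, total) counts of PII-bearing items."""
    counts = {state: [0, 0] for state in DataState}
    for item in inventory:
        if not item.contains_pii:
            continue
        counts[item.state][1] += 1
        if item.protection.strip():
            counts[item.state][0] += 1
    return {state: tuple(pair) for state, pair in counts.items()}


def mask_pii(value, full_access=False, keep_last=4):
    """Mask every digit except the last keep_last for display.

    Separators such as dashes and spaces are kept so the field still reads
    like a card or Social Security number. full_access=True returns the value
    unchanged for the few staff who need to identify the customer.
    """
    if full_access or not value:
        return value
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    visible = set(digit_positions[-keep_last:]) if keep_last > 0 else set()
    return "".join(
        "*" if ch.isdigit() and i not in visible else ch
        for i, ch in enumerate(value)
    )


# Constructed sample inventory; system names and controls are illustrative only.
SAMPLE_INVENTORY = [
    InventoryItem("Order entry screen", DataState.IN_USE, True, "fields masked"),
    InventoryItem("Daily sales report (paper)", DataState.IN_USE, True, ""),
    InventoryItem("Customer database", DataState.AT_REST, True, "column encryption"),
    InventoryItem("Nightly backup tapes", DataState.AT_REST, True, ""),
    InventoryItem("Payment processor link", DataState.IN_MOTION, True, "TLS"),
    InventoryItem("Partner file transfer", DataState.IN_MOTION, True, ""),
    InventoryItem("Stock level database", DataState.AT_REST, False, ""),
]


if __name__ == "__main__":
    for finding in find_unprotected_pii(SAMPLE_INVENTORY):
        print(f"{finding.item} ({finding.state.value}): {finding.recommendation}")
    for state, (protected, total) in coverage_by_state(SAMPLE_INVENTORY).items():
        print(f"{state.value}: {protected}/{total} PII items protected")
    print(mask_pii("4111-1111-1111-1234"))   # ****-****-****-1234
    print(mask_pii("123-45-6789"))           # ***-**-6789
```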