Aboard the Bribery Train
<p>Prosecutors in Sweden have charged a Bombardier employee with aggravated bribery, <a href="" target="_blank"><em>The Toronto Star</em> reports</a>. According to the charges, Evgeny Pavlov, a Russian national working for the Canadian plane and train manufacturer's Swedish branch, bribed a government official in Azerbaijan to help the company obtain a $340 million contract for a new railroad signaling system. Prosecutors are investigating other Bombardier employees in relation to the case.</p>
<h2>Lessons Learned</h2>
<p>Despite significant efforts by governments, regulators, and enforcement agencies in many countries around the world, corruption and bribery continue to be perpetrated by some of the world's largest companies and their employees. In addition to the allegations in this story, Bombardier is being investigated in Brazil, South Africa, and South Korea for various alleged bribery, corruption, and price-fixing activities. The amounts of money and the potential reputational damage are staggering. What can internal auditors do to help?</p>
<p><strong>Be prepared to follow the money, people, and goods wherever they lead.</strong> According to news reports, Swedish authorities were investigating a business structure in which equipment built by Bombardier's Swedish affiliate for the project allegedly was sold to a U.K.-based shell company called Multiserv Overseas. Multiserv is owned by a company based in Belize and has business interests in other tax havens and links to Russian businessmen. Multiserv then sold the same equipment to Bombardier's Russian affiliate at a steep markup; costs were inflated by 400 percent in some cases.</p>
<p>In one example, Multiserv purchased signaling equipment for around $19 million and then sold the same equipment to Bombardier's Russian affiliate for $104 million, a markup of $85 million. Multiserv allegedly kept some of the profits and passed the balance along to officials in Azerbaijan as bribes in exchange for favoring the Bombardier contract, even though that bid was ranked fifth.</p>
<p>These kinds of multistep transactions spanning several companies and countries may be somewhat complex, but they are common for multinational corporations. Auditors need to ask questions and carefully examine all available documentation to obtain a clear picture of these transactions.</p>
<p><strong>An anti-corruption policy and compliance regime is a necessary, but not always sufficient, preventive measure.</strong> Bombardier officials said Multiserv had been verified and checked out according to its internal compliance policies. They also said, "As always, we are committed to operating in full compliance with all legal rules and requirements and our own high ethical standards." What is missing is any evidence that the company had asked auditors to systematically assess and report on the effectiveness of its anti-corruption and compliance policies and processes.</p>
<p>Numerous companies have well-thought-out and articulate anti-corruption regimes (for one example, see <a href="" target="_blank"></a>). These regimes need to be regularly and systematically tested. Potential areas of weakness include:</p>
<ul>
<li>The role of the chief compliance officer and how well he or she executes, or is allowed to execute, his or her responsibilities.</li>
<li>The adequacy of records and controls over anti-corruption and compliance regimes. These must capture the movement of money and goods.</li>
<li>The scope and strength of sanctions. Sanctions frequently are disproportionately small in relation to the potential gains resulting from bribes and corruption.</li>
</ul>
<p>On this latter point, governments themselves need to examine their own resolve to deal with the problem. The Canadian government recently pledged to lend Bombardier CAN$372 million and stated it did its due diligence in advance. Canada also said Bombardier is a significant contributor to the Canadian economy, and it would be premature for the government to consider suspending its agreement with the company. The balance between economic contribution and ethical behavior also is an important consideration when aiming to prevent fraud and corruption.</p>
Art Stewart
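The "follow the goods" check described in the column above, as an added example that is not part of the original column: it traces each item through the ledger, finds every party that bought and resold it, and flags the intermediary when its markup is outsized or its owner sits in a jurisdiction on the organization's review list. The ledger, the counterparty data, and the thresholds are constructed assumptions; only the $19 million and $104 million figures come from the column.

```python
"""Follow the goods through intermediaries and flag outsized markups.

Added example, not part of the column: it models the "follow the money,
people, and goods" check for the transaction structure the column describes,
in which equipment passes from one affiliate through an intermediary to
another affiliate. Ledger, counterparty data, and thresholds are constructed.
"""
from collections import defaultdict

# Constructed ledger rows: (item_id, seller, buyer, price_usd).
TRANSACTIONS = [
    ("SIG-001", "Bombardier Sweden", "Multiserv Overseas", 19_000_000),
    ("SIG-001", "Multiserv Overseas", "Bombardier Russia", 104_000_000),
    ("SIG-002", "Bombardier Sweden", "Bombardier Russia", 12_000_000),
    ("SIG-003", "Bombardier Sweden", "Multiserv Overseas", 5_000_000),
    ("SIG-003", "Multiserv Overseas", "Bombardier Russia", 5_500_000),
]

# Assumed vendor-master data: where each counterparty's owner is based, and
# the organization's own list of jurisdictions that warrant extra review.
OWNER_COUNTRY = {
    "Bombardier Sweden": "Sweden",
    "Multiserv Overseas": "Belize",
    "Bombardier Russia": "Russia",
}
REVIEW_JURISDICTIONS = {"Belize"}


def order_legs(legs):
    """Arrange (seller, buyer, price) legs for one item into a single path."""
    next_leg = {seller: (buyer, price) for seller, buyer, price in legs}
    buyers = {buyer for _, buyer, _ in legs}
    origins = [seller for seller in next_leg if seller not in buyers]
    if len(origins) != 1 or len(next_leg) != len(legs):
        raise ValueError("legs do not form a simple seller->buyer path")
    path, current = [], origins[0]
    while current in next_leg:
        buyer, price = next_leg[current]
        path.append((current, buyer, price))
        current = buyer
    return path


def intermediary_findings(transactions, max_markup=0.5):
    """Report every party that bought and resold an item, with its markup.

    A finding is raised when the markup exceeds max_markup (a fraction, so
    0.5 means 50 percent) or when the intermediary's owner is based in a
    review jurisdiction. Findings are leads for document review, not proof.
    """
    by_item = defaultdict(list)
    for item, seller, buyer, price in transactions:
        by_item[item].append((seller, buyer, price))

    findings = []
    for item, legs in sorted(by_item.items()):
        path = order_legs(legs)
        # Each inner party is the buyer on one leg and the seller on the next.
        for (_, mid, paid), (_, _, received) in zip(path, path[1:]):
            markup = (received - paid) / paid
            reasons = []
            if markup > max_markup:
                reasons.append("markup")
            if OWNER_COUNTRY.get(mid) in REVIEW_JURISDICTIONS:
                reasons.append("jurisdiction")
            if reasons:
                findings.append({
                    "item": item,
                    "intermediary": mid,
                    "paid": paid,
                    "received": received,
                    "markup_pct": round(markup * 100, 1),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in intermediary_findings(TRANSACTIONS):
        print(finding)
```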
Overstating Profits
<p>Software company Globalscape announced it would be restating its fourth quarter earnings after an internal forensic audit discovered transactions that "circumvented the company's internal controls," according to the <a href="" target="_blank"><em>San Antonio Express-News</em></a>. The audit found "improper arrangements" with customers that led the San Antonio-based company to overstate its year-end accounts receivable by $403,000 and its fourth-quarter license revenue by $396,000. Globalscape shares fell 23 percent on the day of the announcement.</p>
<h2>Lessons Learned</h2>
<p>Whether deliberate or not, misstatements of revenues and earnings by companies are a major concern for financial regulators and auditors. Within the last year, the U.S. Securities and Exchange Commission (SEC) alone has levied tens of millions of dollars in fines against large, diverse companies such as Ener1 Battery, Logitech, and Monsanto. This story is a good opportunity for internal auditors to refamiliarize themselves with why companies and their employees misrepresent earnings, and what auditors should be on the lookout for when auditing financial information.</p>
<p>The motivations for manipulating revenues and earnings statements generally fall into four categories:</p>
<ol>
<li><em>Bonuses (and jobs) depend on it.</em> Performance-based bonuses have now been around for a few decades, and an increasingly large portion of executive compensation is tied to hitting certain performance targets. In many cases, these are adjusted, non-GAAP (generally accepted accounting principles) metrics that are designed to enable CEOs to always hit those incentive targets. Stock prices and shareholder interests also are involved.</li>
<li><em>A desire to "lower the bar."</em> Many cases of earnings misrepresentation actually involve companies <em>decreasing</em> their earnings. While counterintuitive at first, hitting their objectives often is more important to executives than the amount by which they do so.</li>
<li><em>Everyone else does it.</em> As soon as one company in an industry starts manipulating its numbers, other companies in the same region or industry are pressured to follow suit or get left behind.</li>
<li><em>There still is too little real accountability.</em> Despite efforts by the SEC, companies and executives — and sometimes auditors themselves — continue to manipulate financial information.</li>
</ol>
<p><strong>Auditors can never rely solely on the past when assessing whether misstatements or fraud may be involved.</strong> For example, an external audit firm may have had the same audit client for many years with no concerns about revenue misstatement in previous audits. But both internal and external auditors must always be aware of what is happening and changing, both in the broader environment and for the company being audited. In this story, Globalscape had recently introduced a new product line. A common sales technique is to provide special offers that allow potential buyers to pay later and even return goods, while revenues and earnings are counted up front. If such special offers exist, the auditor must complete different procedures than simply inspecting documents.</p>
<p><strong>Revenue and earnings manipulations can be hard to spot, even when manipulation turns to fraud.</strong> The financial operations and associated financial statements also may be complex. For some time, regulators and auditors have been turning to big data and analytical routines to examine patterns in financial information that may reveal misstatement or fraud. The SEC uses an econometric-based quantitative analytic model called the Accounting Quality Model (AQM). AQM is designed to identify earnings management by, among other things, determining whether a registrant's financial statements stand out from those of other filers in its industry. Examples of the more specific indicators of risk that it examines and scores include total accruals versus discretionary accruals — the model classifies the estimated discretionary accruals as risk indicators that could be manipulated — and an accounting policy in which a high proportion of transactions are structured off-balance sheet. Of course, results of this kind of analytical work form the basis for further investigation, rather than "prima facie" evidence of wrongdoing.</p>
<p><strong>More generally, auditors must appreciate why it is important to understand the entity, its environment, and the assertions — along with the associated fraud risks.</strong> That includes how it earns and records revenue, and the types of revenue and revenue transactions. Auditors should analyze more qualitative elements such as the experience and credibility of the management team, because they set the tone or culture under which the company's internal accounting function will operate. Moreover, they should bear in mind the four main motivations for financial manipulation. Professional skepticism and critical thinking are essential tools to apply. Once auditors have identified the risks, they must design audit procedures to respond specifically to those risks. These procedures may differ for each type of revenue or revenue transaction. For a helpful example of a specific methodology and guidance, as well as the auditor's responsibility related to fraud in financial statements, see Canadian Auditing Standard 240 and CPA Canada's Implementation Tool for Auditors at <a href="" target="_blank"></a>.</p>
Art Stewart
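A peer-relative accruals screen in the spirit of the AQM idea described above, as an added example that is neither the SEC's model (which is not published) nor code from the column: it scales total accruals (net income minus operating cash flow) by assets and scores each filer against the other filers in its industry. The filings, the names, and the 2.0 standard-deviation threshold are constructed assumptions.

```python
"""Peer-relative accruals screen, loosely modelled on the AQM idea.

Added example, not the SEC's model: it scores how far a filer's accruals stand
out from other filers in its industry. Total accruals are taken as net income
minus cash from operations, scaled by total assets. Filings are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed filings (figures in millions). The last software filer books far
# more income than it collects in cash, which is the pattern a screen targets.
FILINGS = [
    {"filer": "Alder Software", "industry": "Software", "net_income": 60, "cfo": 40, "assets": 1000},
    {"filer": "Birch Systems", "industry": "Software", "net_income": 55, "cfo": 45, "assets": 1000},
    {"filer": "Cedar Apps", "industry": "Software", "net_income": 70, "cfo": 40, "assets": 1000},
    {"filer": "Dogwood Data", "industry": "Software", "net_income": 50, "cfo": 50, "assets": 1000},
    {"filer": "Elm Cloud", "industry": "Software", "net_income": 65, "cfo": 45, "assets": 1000},
    {"filer": "Outlier Co", "industry": "Software", "net_income": 260, "cfo": 60, "assets": 1000},
    {"filer": "Fir Retail", "industry": "Retail", "net_income": 30, "cfo": 20, "assets": 1000},
    {"filer": "Gum Stores", "industry": "Retail", "net_income": 40, "cfo": 20, "assets": 1000},
    {"filer": "Holly Mart", "industry": "Retail", "net_income": 35, "cfo": 20, "assets": 1000},
]


def accrual_ratio(filing):
    """Total accruals scaled by assets: (net income - cash from operations) / assets."""
    return (filing["net_income"] - filing["cfo"]) / filing["assets"]


def peer_scores(filings):
    """z-score of each filer's accrual ratio against the others in its industry."""
    by_industry = defaultdict(list)
    for filing in filings:
        by_industry[filing["industry"]].append(filing)
    scores = {}
    for group in by_industry.values():
        ratios = [accrual_ratio(f) for f in group]
        mu, sd = mean(ratios), pstdev(ratios)
        for filing, ratio in zip(group, ratios):
            # With no dispersion nothing stands out; avoid dividing by zero.
            scores[filing["filer"]] = 0.0 if sd == 0 else (ratio - mu) / sd
    return scores


def flagged_filers(filings, threshold=2.0):
    """Filers whose accruals sit at least `threshold` standard deviations from peers.

    These are leads for further audit procedures, not evidence of wrongdoing.
    """
    return sorted(name for name, z in peer_scores(filings).items() if abs(z) >= threshold)


if __name__ == "__main__":
    for name, z in sorted(peer_scores(FILINGS).items(), key=lambda kv: -abs(kv[1])):
        print(f"{name:16s} z={z:+.2f}")
    print("flagged:", flagged_filers(FILINGS))
```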
The Wrong Way to Battle Bad Press
<p>A convicted fraudster was arrested by the FBI and charged with hacking into websites and threatening news outlets that had published news stories about crimes he committed in Canada, the <a href="" target="_blank"><em>National Post</em> reports</a>. The FBI says Andrew Rakhshan contacted employees of news sites such as Canada's CBC network and offered them money to take down stories related to his 2014 fraud conviction and deportation from that country. When that didn't work, he allegedly threatened to carry out distributed denial of service (DDoS) attacks on those websites. In one case, he allegedly carried out a DDoS attack on a legal documents website. The news stories covered a case in which Rakhshan was convicted of using counterfeit credit cards tied to banks in Australia, Brazil, France, the U.K., and other countries to purchase a yacht and several automobiles valued at CAN$500,000.</p>
<h2>Lessons Learned</h2>
<p>Not surprisingly, individuals, companies, and institutions must not only prepare for, detect, investigate, and prosecute fraudsters; they also must be ready to defend themselves against threats and reprisals (including DDoS attacks) when those same fraudsters want to make the trail of their crimes disappear afterwards. DDoS attacks are used more and more as a tool for all kinds of exploit activity, including fraud and reprisals, and their sophistication and dynamic nature are increasing such that last year's solution may no longer work. Internal auditors therefore need to continuously update their knowledge and advice to help reduce the risks and impacts of these attacks.</p>
<p>To better fight DDoS attacks, auditors first must understand how they work. Simply put, a DDoS attack attempts to push a website off the internet by flooding it with data. Increasingly powerful tools that anyone can download make such attacks easy to trigger: the attacker types in the target's URL, and the software directs overwhelming amounts of dummy traffic, created by custom scripts, at the site, generating fake user after fake user in an effort to overload the site's servers and bring it down.</p>
<p>Attacks on larger, more sophisticated networks are accomplished via a combination of DDoS tools that include botnets — collections of computers designed to connect and perform a unified action. Their job is often made easier by the numerous Domain Name System (DNS) servers that exist to translate domain names into IP addresses. Freeware tools are available that contain a database of known vulnerable DNS servers on the internet. A very small request packet to a vulnerable DNS server can elicit tens of thousands of bytes in reply, and the server sends that reply to whatever address the request claims to come from, as if it were answering a legitimate site. These requests can be efficiently generated and multiplied to overwhelm a large system. It also does not take much bandwidth to attack a login server and prevent access to services. And anyone can rent a botnet, even though doing so is illegal. (Just about everyone is vulnerable: To get a small idea of this, visit <a href="" target="_blank"></a> to see what other people can view from your connection.)</p>
<p>What can auditors assess and recommend to help their organization plan against and mitigate DDoS attacks?</p>
<ul>
<li><strong>Organizations must not give in to fraudsters' demands</strong> that evidence of their crimes be taken down from websites. They should involve police and regulatory authorities immediately and implement attack readiness measures, which presupposes having already kept their DDoS risk mitigation up to date.</li>
<li><strong>Use cloud services or outsourcing.</strong> Organizations can use cloud services that offload excessive traffic while DDoS attacks are happening, preventing those organizations' networks from having to deal with the overload. Some large providers specialize in scaling infrastructure to respond to attacks and can implement cloud scrubbing services that remove most of the problematic traffic before it ever hits a target's network. DDoS mitigation providers can, during an attack, reroute traffic destined for the target's network to a mitigation center, where it is scrubbed and legitimate traffic is then forwarded on. These services are priced at scale, so they are not just for large organizations.</li>
<li><strong>Fortify network architecture.</strong> Disperse organizational assets to avoid presenting a single rich target to an attacker. Locate servers in different data centers. Also ensure that data centers are located on different networks, with more than one pipe to the internet. Data centers also should have diverse paths. And data centers, or the networks they are connected to, should have no notable bottlenecks or single points of failure.</li>
<li><strong>Scale up network bandwidth.</strong> For high-volume attacks, many large organizations scale bandwidth up to be able to absorb a large volume of traffic. However, other organizations may not be able or willing to pay for the network bandwidth needed to handle some of the largest attacks.</li>
<li><strong>Deploy and keep updating hardware</strong> that can handle known attack types, and use the options in that hardware that protect network resources. This will lessen, but not eliminate, the impact of an attack. There are many useful resources about these measures. A good starting point is the U.S. Department of Homeland Security's <a href="" target="_blank">DDoS Quick Guide</a> (PDF).</li>
</ul>
Art Stewart
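Because the column explains that reflected DNS traffic consists of large replies arriving from many resolvers at an address that never queried them, the pattern is visible in ordinary flow records. The detection below is an added example from a defender's side, not code from the column: it reads constructed flow lines, pairs DNS replies with the queries the receiving host actually sent, and flags a host when many resolvers deliver large replies it did not ask for. The flow format, addresses, and thresholds are assumptions.

```python
"""Spot DNS amplification traffic in flow records.

Added example, not from the column: tiny queries to open resolvers draw
replies of tens of thousands of bytes, so reflected traffic shows up as many
large UDP/53 replies converging on one address from many resolvers, with no
matching queries from that address. Flow lines below are constructed.
"""
from collections import defaultdict

# Constructed flow export, one flow per line:
#   ts src dst proto sport dport bytes packets
# 198.51.100.5 receives large replies from four resolvers it never queried;
# 198.51.100.7 performs an ordinary lookup and gets an ordinary-sized reply.
FLOWS = """\
1 203.0.113.10 198.51.100.5 udp 53 4433 3800 3
1 203.0.113.11 198.51.100.5 udp 53 4433 4100 3
2 203.0.113.12 198.51.100.5 udp 53 4433 3900 3
2 203.0.113.13 198.51.100.5 udp 53 4433 4200 3
2 198.51.100.7 203.0.113.10 udp 51222 53 80 1
2 203.0.113.10 198.51.100.7 udp 53 51222 210 1
3 198.51.100.9 203.0.113.20 tcp 40000 443 6000 8
"""


def parse_flows(text):
    """Turn the whitespace-separated export into a list of flow dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, sport, dport, nbytes, pkts = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                      "sport": int(sport), "dport": int(dport),
                      "bytes": int(nbytes), "packets": int(pkts)})
    return flows


def dns_amplification_findings(flows, min_resolvers=3,
                               min_bytes_per_packet=1000, min_ratio=50):
    """Flag hosts receiving large DNS replies from many resolvers.

    A host is flagged when at least min_resolvers distinct sources send it
    UDP replies from port 53, the replies average min_bytes_per_packet or
    more, and reply bytes exceed the host's own query bytes by min_ratio
    (infinite when the host sent no queries at all).
    """
    replies = defaultdict(list)   # receiving host -> reply flows
    query_bytes = defaultdict(int)  # host -> bytes it sent to port 53
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] == 53:
            replies[f["dst"]].append(f)
        elif f["dport"] == 53:
            query_bytes[f["src"]] += f["bytes"]

    findings = []
    for host, rs in replies.items():
        total = sum(f["bytes"] for f in rs)
        packets = sum(f["packets"] for f in rs)
        sources = {f["src"] for f in rs}
        sent = query_bytes.get(host, 0)
        ratio = total / sent if sent else float("inf")
        if (len(sources) >= min_resolvers
                and total / packets >= min_bytes_per_packet
                and ratio >= min_ratio):
            findings.append({"target": host, "resolvers": len(sources),
                             "reply_bytes": total, "amplification": ratio})
    return findings


if __name__ == "__main__":
    for finding in dns_amplification_findings(parse_flows(FLOWS)):
        print(finding)
```

In production the same logic would run over a sliding time window and feed the upstream scrubbing or rate-limiting controls the column lists, rather than a one-off report.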
The Costly Parking Lot
<p>A 10-month audit investigation has questioned the CAN$12 million price tag for a proposed land purchase by the Toronto Parking Authority (TPA), as well as the process the authority used to put the deal together, the <a href=""><em>Toronto Star</em> reports</a>. The Auditor General's report to the city's audit committee noted that parking authority executives discussed the deal in secret, and there were possible conflicts of interest involving lobbyists and consultants with previous connections to the owner of the five-acre plot. An independent appraisal ordered by the TPA valued the land at CAN$7.5 million, but the audit report points out that one of the consultants who had helped determine the value of a digital sign located on the land had put together the original deal for that sign for the landowner. The Auditor General concluded that the TPA's actions created "unnecessary risk" of overpaying for the land, but that there was no evidence that TPA staff members or the sign consultant would directly benefit from the deal. The deal is currently on hold.</p>
<h2>Lessons Learned</h2>
<p>Since this story was written, an interim board overseeing the TPA has appointed an interim president, and Toronto's city council has voted to suspend TPA board members over the questionable land deal. An independent investigation is also underway, which could result in authorities filing fraud charges.</p>
<p>In any event, several systemic issues arising from this complex case need to be addressed — all of which fall under the broad subject of preventing fraud, bribery, and corruption in local governments. In outlining some of the key issues illustrated by this story, I've drawn upon a few resources. Although it is focused on Canadian examples, internal auditors may find one resource particularly useful, <a href="">Municipal Best Practices — Preventing Fraud, Bribery, and Corruption</a> (PDF), which was published by the International Centre for Criminal Law Reform and Criminal Justice Policy.</p>
<p>Organizations need to identify, assess, and implement measures, such as policies, system controls, monitoring, and disciplinary measures, to mitigate key risk issues. These measures include:</p>
<ul>
<li><strong>Review all procurement and contracting policies and processes for municipal services and infrastructure projects.</strong> Misconduct can take the form of kickback brokers, bid rigging, and the use of front or shell companies. Corrupt tendering practices, kickbacks from suppliers, unfair procurement (intervention within the municipality to ensure an outcome), irregular municipal purchasing procedures, side payments to municipal purchasers, and procurement dealings based on insider links and arranged tenders are all variants of the kind of misconduct noted in this story.</li>
<li><strong>Look for potential conflicts of interest.</strong> Several forms of nepotism or cronyism may have been at play in this story, such as favoring family members, friends, and business contacts in municipal land deals. Hiring decisions and zoning regulation changes based on friendships among colleagues rather than disinterested analysis are additional risks. Where large sums of money are involved, strong conflict-of-interest policies need to be in place and followed strictly. The Toronto case is full of conflicts of interest — several people who had a personal interest in the land deal might reasonably be expected to have influence over an elected official's performance of his or her duties. There were obvious close links between developers and city officials. Objective processes for establishing the fair value of property must be backed by requirements for detailed assessments, rather than informal estimates written on the backs of envelopes.</li>
<li><strong>Assess governance and accountability processes.</strong> There are numerous lapses in governance and accountability processes that need to be fixed. Local government officials appeared willing to ignore basic principles, if not legislation, that require land deals to be priced at fair market value through objective and independent decision making. There also are indications of misuse of authority and a lack of transparency, such as inappropriate use of in-camera meetings by TPA officials. A governance review of the city's decision-making bodies and authorities, with a view to identifying gaps, may be necessary.</li>
</ul>
Art Stewart
The Secret Fund
<p>An internal audit has revealed that senior staff members of the Brampton city government set up a secret fund that paid nonunion employees CAN$1.25 million between 2009 and 2015, <a href="" target="_blank">the <em>Brampton Guardian</em> reports</a>. The audit report noted that these payments were difficult to monitor because they were not appropriately coded under the suburban Toronto city's transactions procedure and were made without consent from the city council. The council voted in June to request a criminal investigation to uncover who authorized the payments and whether they broke any rules. The internal audit itself was notable because it took place over a two-year period, during which the head auditor who had launched the investigation left her position.</p>
<h2>Lessons Learned</h2>
<p>This is not the typical fraud story. Indeed, fraudulent activity has neither been alleged nor proven yet. The essence of the case is that the City of Brampton council has requested a police investigation into a secretive, unapproved bonus program. Based on additional reporting I've reviewed, an audit report notes that the bonus scheme was devised by senior staff members, who allegedly kept elected officials in the dark for years. These senior employees used an obscure mechanism called an "outside policy request" (OPR) to make "discretionary salary increases determined by the operating department heads" that were "outside of council-approved policies and documented procedures." But these reports note that the stated objective of the OPR was to "align the salaries within the respective grades to achieve fairness and equity."</p>
<p>The facts of this case are not all clear yet. Whether or not Brampton Council has made the best choice in calling in the police — it had considered conducting an internal forensic investigation instead — a formal investigation to uncover everything behind the bonus payment scheme will be needed to determine whether fraud and criminal activity took place. That investigation should establish who approved the program, when it was approved, who received payments, and whether any of these activities contravened policies or laws. And if ultimately fraud has been committed, those found guilty should be held responsible, whether they are employees or politicians.</p>
<p>In the meantime, there are several actions internal auditors can and should recommend to address the many gaps in management and controls revealed by this story. At the heart of these are:</p>
<ul>
<li><strong>Make key governance and accountability changes,</strong> such as appointing an independent auditor general at city hall with powers to investigate and report on a wide range of financial and management issues. Some Brampton councillors are already calling for this measure. Many cities have an auditor general already. Officials should review and revise delegations of authority to senior and other managers to prevent unnecessary discretion in approving financial payments — including to employees in unusual or special circumstances — unless there is full council approval. Council and its committees, especially for budgeting and audit, should review their mandates and how they operate to ensure more thorough scrutiny to detect unusual practices — this would be helped by a city audit department and auditor general.</li>
<li><strong>Address gaps in compensation policies and financial controls.</strong> Brampton's council has dropped the OPR mechanism, but it also needs to address the underlying weaknesses in its compensation policies and systems that gave rise to the use of such a mechanism. (I've learned that the city will conduct a separate audit of its compensation structure.) That should include how compensation policies and systems deal with both union and nonunion employees, and a more general examination of how current and relevant those policies are today.<br><br>Brampton's auditors said the bonuses were not authorized under the relevant rules and that over time OPR "requests were approved for reasons beyond its initial intention." "Scope creep" in policy interpretations can occur over time when original policies become out of date in relation to current practices. Often, those in charge simply ignore the rules because it is difficult and time consuming to formally change them.<br><br>In addition, OPR payments to nonunion staff could not be tracked because there was a "lack of coding" that would have allowed internal controls to monitor this activity. This is a common internal control gap organizations create for themselves when deciding how far to extend formal controls over "special" transactions — such transactions should be included in the scope of tracking, reporting, and monitoring systems.</li>
</ul>
Art Stewart
Motivated to Steal
<p>An Indiana bookkeeper has agreed to plead guilty to charges of stealing $1.8 million from her employer over more than four years, <a href="" target="_blank">according to <em>Inc.</em> magazine</a>. The U.S. Department of Justice says Julie Ann Ashman wrote more than 400 checks to herself, in amounts between $3,000 and $5,000, from the accounts of her employer, a small medical equipment repair company. Ashman then covered up the theft by understating the company's revenues in reports to its management and outside accountant. Moreover, she did not report the money as income on her federal income tax forms, leading her to face prosecution for tax evasion in addition to fraud charges.</p>
<h2>Lessons Learned</h2>
<p>This column has covered several frauds committed by apparently trusted, long-term employees (see <a href="/2017/Pages/Powered-Down-by-Fraud.aspx">"Powered Down by Fraud"</a> and <a href="/2016/Pages/The-Tech-Know-how-for-Fraud.aspx">"The Tech Know-how for Fraud"</a>). Particularly for smaller businesses, resource constraints can be an enormous challenge in establishing comprehensive controls, such as segregation of duties and management vigilance in monitoring cash flows, inventory, and check writing. The absence of these controls can provide opportunities for employees to commit fraud.</p>
<p>This time, though, let's discuss one of the root causes, or a major contributing factor, of employee theft: motivation. Specifically, internal auditors should consider whether the organization has a toxic work environment that could motivate an employee to commit fraud.</p>
<p><strong>Look for signs of a toxic work environment.</strong> Instances of employees stealing money, stealing or destroying assets, and taking information for personal gain are on the rise. As this story suggests, a common fraud scenario may involve employees who appear to be highly dedicated to their job by working continuously, with little or no holiday or sick days. Such "dedication" can be a sign of a cover-up by a disaffected or disgruntled employee.</p>
<p>Although it is difficult to quantify, within a typical organization there is likely to be a small minority of employees who wouldn't steal from their employer regardless of the circumstances, another small minority who will steal at any opportunity, and a majority who may go either way. Employees in this last group may be waiting to see how serious the employer is about theft and its risks, or they may be influenced to steal by a toxic work environment.</p>
<p>Examples of toxic behaviors by either management or employees include:</p>
<ul>
<li>Arbitrary management decision making, including disciplinary actions and being overly critical of others. Employees who perceive they have been wronged may use theft to get back at the business.</li>
<li>Business processes and procedures that are perceived as overly burdensome, arbitrary, and not well understood by employees.</li>
<li>Harassment, bullying, and racism in all its forms.</li>
<li>Excessive, hostile, and obsessive behaviors, such as employees who appear to live beyond their means. This could have been a way to uncover the fraud in this story.</li>
<li>Failure to address immature or troubled employees. In addition to those mentioned previously, this might include employees with other problematic behaviors such as signs of substance abuse and chronic lying. Theft may be an emotional release for anti-social behavior.</li>
<li>Differential treatment, including pay and benefits for the same work. This may involve employee perception that management is receiving a disproportionate share of profits and benefits.</li>
<li>The presence of "in favor" and "out of favor" employees and groups.</li>
</ul>
<p><strong>Don't take employee honesty for granted.</strong> Employers — and auditors through their findings and recommendations — must demonstrate to employees that fraud prevention is important by setting an example. This can involve establishing a code of conduct for all staff members, encouraging communication, and promoting trust and fair treatment. Employers should reinforce these measures by implementing appropriate procedures and policies to ensure compliance. And, where they have uncovered fraud, organizations should take firm action to address the crime as a deterrent to future incidents.</p>
Art Stewart
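The check-writing control the column says small businesses often lack can be backed by a simple register screen. The example below is added here and is not code from the column: it matches payees against the employee roster (allowing an initial in place of a first name), skips payroll checks where employee payees are expected, and reports any employee who receives a run of checks in a narrow dollar band or signs checks payable to themselves. The roster, register, and thresholds are constructed assumptions.

```python
"""Screen a check register for checks written to employees.

Added example, not part of the column: it looks for the pattern described
above, a long run of checks in a narrow dollar band payable to an employee
and signed by that same employee, drawn on an operating rather than payroll
account. Roster, register, and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed roster and register. Payroll checks are expected to name
# employees, so only other accounts are screened.
EMPLOYEES = ["Jane Roe", "Dana Ortiz", "Sam Lee"]

REGISTER = [
    # (check_no, account, payee, amount, signer)
    (1001, "operating", "J. Roe", 3200, "Jane Roe"),
    (1002, "operating", "Jane Roe", 4100, "Jane Roe"),
    (1003, "payroll", "Dana Ortiz", 2900, "Jane Roe"),
    (1004, "operating", "J Roe", 3875, "Jane Roe"),
    (1005, "operating", "Jane Roe", 4950, "Jane Roe"),
    (1006, "operating", "Sam Lee", 250, "Jane Roe"),
    (1007, "operating", "J. Roe", 3050, "Jane Roe"),
    (1008, "operating", "Jane Roe", 4400, "Jane Roe"),
    (1009, "payroll", "Sam Lee", 3100, "Jane Roe"),
    (1010, "operating", "Jane Roe", 3600, "Jane Roe"),
    (1011, "operating", "J. Roe", 4700, "Jane Roe"),
    (1012, "operating", "Acme Parts Inc", 4300, "Jane Roe"),
]


def name_key(name):
    """Reduce a name to (first token, last token) in lowercase letters."""
    tokens = re.findall(r"[a-z]+", name.lower())
    return (tokens[0], tokens[-1]) if tokens else None


def match_employee(payee, employees):
    """Return the roster name a payee matches; an initial may stand in for a first name."""
    key = name_key(payee)
    if not key:
        return None
    for emp in employees:
        first, last = name_key(emp)
        if key[1] == last and (first.startswith(key[0]) or key[0].startswith(first)):
            return emp
    return None


def screen_register(register, employees, min_checks=5, band=(3000, 5000),
                    skip_accounts=("payroll",)):
    """Group non-payroll checks by employee payee and report suspicious runs."""
    per_employee = defaultdict(list)
    for check_no, account, payee, amount, signer in register:
        if account in skip_accounts:
            continue
        emp = match_employee(payee, employees)
        if emp:
            per_employee[emp].append((check_no, amount, signer))

    findings = []
    for emp, checks in per_employee.items():
        amounts = [amount for _, amount, _ in checks]
        in_band = sum(1 for a in amounts if band[0] <= a <= band[1])
        # Checks the employee signed for themselves defeat segregation of duties.
        self_signed = sum(1 for _, _, signer in checks if match_employee(signer, [emp]))
        if len(checks) >= min_checks or self_signed:
            findings.append({
                "employee": emp,
                "checks": len(checks),
                "total": sum(amounts),
                "in_band": in_band,
                "self_signed": self_signed,
                "check_numbers": [no for no, _, _ in checks],
            })
    return findings


if __name__ == "__main__":
    for finding in screen_register(REGISTER, EMPLOYEES):
        print(finding)
```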
Cheap Cars Court Trouble
<p>Kentucky's state auditor is reviewing how the state's court system manages its finances in the wake of an attorney general's investigation into the system's "employees only" sale of surplus vehicles, <a href="" target="_blank">the <em>Herald-Leader</em> reports</a>. According to news reports, the Administrative Office of the Courts (AOC) sold four vehicles during the 2014 sale for prices that were 70 percent below their value. One vehicle was later resold for more than three times the price the employee had paid for it. The AOC has not released information on its employees only sales, which began in 2013, and the courts are not covered by the Kentucky Open Records Act.</p>
<h2>Lessons Learned</h2>
<p>That Kentucky's AOC has requested an audit of its financial operations is to be commended. A narrower audit of its disposal of surplus assets might not have been sufficient to identify all of the root issues and recommendations needed to fully address the abuses identified in this story. However, I will focus more specifically on some of the main failings that fraudsters can exploit in the disposal of surplus assets and what can be done about them.</p>
<p><strong>An asset disposals policy and related processes are a must.</strong> These should cover several internal control best practices that can help prevent frauds in the assets area:</p>
<ul>
<li>Physical counts performed at least yearly.</li>
<li>Analysis of unusual patterns in the value of fixed assets. For example, the depreciation schedule should be checked to identify any unusual pattern in the depreciation amounts. The disposals schedule is used to analyze write-offs and scrap sales transactions, which might hide fraudulent activity. Reviewing the acquisition schedule can assess whether newly acquired assets are legitimate and meet the requirements to be capitalized.</li>
<li>Fixed assets procedures. This review should at least cover accounting and reconciliations, additions and disposals, and physical counts.</li>
<li>Approval of additions, disposals, and related documentation. This should include details of the approval steps required for new and obsolete fixed assets, and an approval chain with at least two levels of approval. Additional approvals should be considered for fixed assets with higher value.</li>
<li>Reviews and random spot checks. A senior finance person and auditors should periodically review the additions and disposals, and spot-check the supporting documentation to assess its completeness and accuracy.</li>
<li>Asset tags. Each fixed asset should be tagged and recorded in a fixed asset register to ensure traceability. Typically, companies with large numbers of fixed assets use barcode systems for this.</li>
<li>An up-to-date fixed assets register, including descriptions and cost and location details of each asset, updated regularly.</li>
<li>Reconciliations with the general ledger to ensure accuracy of the financial statements. This should be performed monthly and be accompanied by a review by supervisory or management staff.</li>
<li>Periodic evaluation of assets' condition, including adjustment to the value of damaged or deteriorated assets.</li>
<li>Physical controls such as closed-circuit television systems.</li>
</ul>
<p>A good example of an asset disposal policy that integrates fraud prevention, but does not address roles and responsibilities, is maintained by the <a href="" target="_blank">University of Wollongong Australia</a>.</p>
<p><strong>Halt "employees only" asset sales.</strong> More specifically related to this story, the AOC's management should reconsider the use of "employees only" auctions to dispose of assets such as automobiles. Not only is this practice inherently more susceptible to employee fraud, but if the AOC made certain improvements in its practices, it could increase the revenue it earns from the sale and disposal of surplus assets and better ensure that assets are valued appropriately when they are disposed of. For example, the AOC could generate additional revenue if it sold surplus assets on the internet, as many states and municipalities do. The AOC may be prohibited by state law from using the internet to sell surplus assets, but permission could be sought.</p>
<p>Minimum bids based on an assessment of the current value of the assets being disposed of also should be implemented. A further related consideration is the decision to sell at a minimal price versus selling for scrap. Frequently, the latter choice will yield better revenue than selling at a low price. Of course, documentation of assessments is needed to support decision making and to avoid the fraudulent territory of deliberate overstatement, understatement, or misrepresentation of value.</p>
Art Stewart
The “Free Trial” Scam<p>“I specialize in high-crime, low-income areas, where the average household is on government assistance.” These were the exact words of Erin Turner, one of the top sales representatives at a home security company, who was now under investigation for fraud. Bruce Dwyer, the company’s forensic auditor, sat baffled by the comment, wondering how so many people living on government assistance could afford a home security and automation system with a $50 monthly monitoring fee. During the interview, Turner produced a purse full of prepaid credit cards and explained to Dwyer how she obtained them, what they were used for, and how she provided the numbers to some of her customers to facilitate installation of a security system. </p><p>Dwyer’s investigation was the result of an analysis of a national summer promotion. The premise of the offer was a limited-time, deeply discounted installation with a three-year monitoring agreement. The marketing analysis had produced mixed results. The company had made a lot of deeply discounted sales, but many of the units were already being disconnected for nonpayment. Some of the sales representatives had disproportionate disconnect rates. Management suspected fraud. Dwyer was tasked with conducting the investigation. He decided to start with what appeared to be the largest offender, Turner, who also happened to be one of the top sales representatives. </p><p>Turner built her book of business using the company’s promoter program, in which sales representatives are encouraged to develop a network of professionals and small businesses, the promoters, who refer potential customers to them. If a referral turned into a sale, the sales representative earned a commission and the promoter earned a referral fee. Turner was working with one primary promoter in a handful of large apartment complexes. 
A quick review of her personnel file revealed the promoter to be Turner’s sister. </p><p>During the interview, Turner told Dwyer that her sister was going door to door and convincing the neighbors to install a security system. Her sales pitch was that the system was free to install, they could try it for six months without making a payment, and if they were not satisfied with the service they could simply stop making payments. There were no strings attached. Turner’s sister provided customers with a prepaid credit card to get the installation completed. </p><p>On his flight home, Dwyer made a list of all the sales representatives and wondered whether they also were abusing prepaid credit cards. A prepaid credit card is activated when the cardholder pays a small fee and “loads” the card by putting a set amount of money on it. Once a prepaid credit card is activated, the number is live until the card’s expiration date or until the holder cancels the card. When a transaction occurs, the balance on the card is reduced. Dwyer discovered that the company’s billing and collection system could only validate that a card presented was “live.” In other words, the system could not determine whether the card presented for installation charges and recurring payments was a credit card, gift card, or prepaid credit card. Furthermore, if it was a prepaid card, the system could not validate that enough funds were available for the installation charges, let alone the recurring monthly monitoring fees.</p><p>As luck would have it, Thomas Border, the IT specialist responsible for credit card transactions, had noticed a pattern of abuse with prepaid credit cards. Together, Dwyer and Border analyzed all credit card transactions for a six-month period to identify and quantify the pattern of abuse. To conduct the investigation, credit card transactions had to be matched to a bank identification number (BIN) database to identify prepaid credit card usage. 
A card number is structured rather than random: the first six digits are the BIN, the digits that follow identify the individual account, and the final digit is a check digit computed with the Luhn algorithm, which catches transcription errors but says nothing about how the card is funded. The BIN identifies the institution that issued the card and the type of card it is. (Card networks have since extended issuer identifiers to eight digits, so a BIN lookup should match on the longest prefix present in the table.) Dwyer and Border obtained the customer account numbers associated with the cards and the names of the sales representatives who made the sales to identify who had either provided or accepted prepaid credit cards.</p><p>Based on the findings, Dwyer then investigated the other sales representatives and discovered a similar pattern of abuse. In some cases, Dwyer identified sales representatives who had signed up 25 to 30 customers on a single prepaid credit card. Most of these accounts would immediately default on their payments, but the sales representatives collected commissions on each sale regardless. Dwyer estimated that the scheme had cost the company almost $5 million annually over the course of two years. The sales representatives involved in the scheme were immediately terminated. </p><h2>Lessons Learned</h2><ul><li>Prepaid credit card usage is a common fraud scheme among commissioned sales forces, so internal auditors should compare all credit card transactions against a BIN database to identify prepaid credit card transactions, find out which customer accounts used a prepaid credit card as payment, look at the payment history while focusing on customers who have made zero or a single payment, and identify the sales representatives on those accounts to uncover any wrongdoing.  </li><li>The many-to-one test identifies how many customer accounts are associated with a single credit card number. After identifying a target list, internal auditors should look at the customer details (name, address, and location) to see whether they are family members or small businesses that might legitimately share a credit card. If no commonality can be identified, internal auditors should investigate. 
Incidentally, this procedure also works for checking accounts. </li><li>The scheme could have been caught sooner if the finance department had been working more closely with the company’s credit card processor. Processors can assist with identifying prepaid credit cards in their transaction database.</li><li>Companies can decide not to accept prepaid credit cards for recurring monthly payments, but they must first check their agreements with their credit card processors, as those agreements may require them to accept prepaid credit cards as a form of payment.</li><li>Exception reports identifying sales representatives who accept prepaid credit cards should be produced monthly and distributed to area general managers to review for fraudulent activity. Internal audit should be notified of any apparent fraudulent activity and engaged to conduct an investigation.</li><li>As a result of this investigation, and several other observations, the company began conducting enhanced customer screenings in the form of credit checks on all prospective customers. Customers who have low credit scores are now required to make several months of recurring payments before system installation can occur. Requiring several months of recurring payments up front helps reduce fraudulent use of prepaid credit cards.  </li></ul>Grant Wahlstrom
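<p>The BIN match, the many-to-one test, and the monthly exception report described in the lessons above, as an added example that is not code from the original article or from the company it describes. The BIN table, the 9999xx card prefixes, the customer names, and the sales representative IDs are constructed for illustration and are not real issuer ranges or real data; the Luhn check-digit routine is included to generate valid sample numbers and to show that a number passing the check is merely well-formed, which is all a "live" check proves about how the card is funded.</p>

```python
"""Prepaid-card (BIN) and many-to-one tests over card-on-file accounts.

Added example, not code from the original article. BIN_TABLE and SAMPLE
are constructed: the 9999xx prefixes are hypothetical, not real issuer BINs.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical BIN table: first six digits -> (issuer, funding type).
# A real table comes from the card processor or a licensed BIN provider.
BIN_TABLE = {
    "999901": ("Example Prepaid Co", "prepaid"),
    "999902": ("Example Bank", "credit"),
    "999903": ("Example Bank", "debit"),
}


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string: the last digit of a card number.
    It catches typos; it says nothing about whether the card is funded."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and number[-1] == luhn_check_digit(number[:-1])


def make_card(bin_prefix: str, account_digits: str) -> str:
    """Build a Luhn-valid sample number: BIN + account digits + check digit."""
    body = bin_prefix + account_digits
    return body + luhn_check_digit(body)


def card_type(number: str) -> str:
    """BIN lookup; an unknown BIN is reported as such rather than guessed."""
    return BIN_TABLE.get(number[:6], ("unknown", "unknown"))[1]


@dataclass(frozen=True)
class Account:
    account_id: str
    customer: str
    card: str        # card number on file for recurring billing
    sales_rep: str   # representative who booked the sale
    payments_made: int


PREPAID = make_card("999901", "000000001")
CREDIT = make_card("999902", "000000002")
DEBIT = make_card("999903", "000000003")

# Constructed sample: one prepaid card shared by three unrelated customers
# booked by the same rep, a family sharing a credit card, one debit payer.
SAMPLE = [
    Account("A1", "J. Smith", PREPAID, "rep-17", 0),
    Account("A2", "R. Lopez", PREPAID, "rep-17", 0),
    Account("A3", "K. Nguyen", PREPAID, "rep-17", 1),
    Account("A4", "Pat Jones", CREDIT, "rep-04", 12),
    Account("A5", "Sam Jones", CREDIT, "rep-04", 12),
    Account("A6", "M. Chen", DEBIT, "rep-09", 6),
]


def prepaid_accounts(accounts, max_payments=1):
    """Accounts paid with a prepaid card that made at most max_payments payments."""
    return [a for a in accounts
            if card_type(a.card) == "prepaid" and a.payments_made <= max_payments]


def many_to_one(accounts, threshold=2):
    """Cards on file for at least `threshold` accounts -> {card: [accounts]}."""
    by_card = defaultdict(list)
    for a in accounts:
        by_card[a.card].append(a)
    return {c: accs for c, accs in by_card.items() if len(accs) >= threshold}


def shares_surname(accounts) -> bool:
    """Crude commonality check: every customer name ends in the same surname."""
    return len({a.customer.split()[-1].lower() for a in accounts}) == 1


def many_to_one_suspects(accounts, threshold=2):
    """Shared cards with no obvious family link: the ones to investigate."""
    return {c: accs for c, accs in many_to_one(accounts, threshold).items()
            if not shares_surname(accs)}


def rep_exception_report(accounts):
    """Per-rep prepaid sales and how many of them never paid (monthly report)."""
    report = defaultdict(lambda: {"prepaid_sales": 0, "prepaid_zero_pay": 0})
    for a in accounts:
        if card_type(a.card) == "prepaid":
            report[a.sales_rep]["prepaid_sales"] += 1
            if a.payments_made == 0:
                report[a.sales_rep]["prepaid_zero_pay"] += 1
    return dict(report)


if __name__ == "__main__":
    for card, accs in many_to_one_suspects(SAMPLE).items():
        print(card_type(card), card, [a.account_id for a in accs])
    print(rep_exception_report(SAMPLE))
```

<p>On the constructed sample the prepaid card shared by three unrelated customers is the only many-to-one suspect (the Jones family card is excluded by the surname check), and the exception report attributes all three prepaid sales, two of them never paid, to the same representative. Against real data the surname heuristic should be replaced by the address and location comparison the article recommends, and the BIN table should be refreshed from the processor on each run.</p>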
Cleaning Up Financial Crime<p>Citigroup will pay $97 million to settle U.S. Justice Department charges against its Banamex subsidiary, the <a href="" target="_blank"> <em>Los Angeles Times</em> reports</a>. According to the Justice Department, a lack of internal controls at Banamex USA may have enabled customers to launder money through payments sent to Mexico. The Justice Department says the bank's two-person compliance staff conducted only a small number of investigations of the 18,000 suspicious transaction alerts involving money sent to Mexico between 2007 and 2012. As part of the settlement, the Justice Department will not prosecute the bank. However, the bank has agreed to shut down Banamex USA to comply with an earlier deal with the U.S. Federal Deposit Insurance Corp. and the California Department of Business Oversight to settle a separate investigation of the suspicious payments.</p><h2>Lessons Learned</h2><p>Over the last three decades, <a href="" target="_blank">U.S. Bank Secrecy Act (BSA) Anti Money Laundering (AML)</a> regulations have been expanded to cover not only banks and credit unions, but also a wide array of financial institutions. The Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Treasury Department, maintains web pages for <a href="" target="_blank">money services businesses</a> (MSBs), <a href="" target="_blank">depository institutions</a>, <a href="" target="_blank">the insurance industry</a>, <a href="" target="_blank">securities and futures</a>, and <a href="" target="_blank">casinos</a>. These institutions are required to have a BSA/AML compliance program in place that is commensurate with their respective BSA/AML risk profiles. The program must include four components: a solid risk profile foundation, a thorough internal controls review, independent testing/audits, and a BSA/AML compliance officer. To these components, I will add a fifth: BSA/AML compliance training. 
</p><p>A 2016 Grant Thornton benchmarking report, <a href="" target="_blank">Anti-money Laundering Compliance in the Money Services Business Industry</a> (PDF), also provides some interesting trends regarding the issues and challenges faced in meeting compliance obligations, which are relevant to this story. These two sources help highlight some lessons that should be learned from the Citigroup case, with a particular emphasis on the importance of the first three of these BSA/AML program components.</p><p><strong>1. A solid risk profile foundation.</strong> Banks and other kinds of financial institutions frequently do not approach the development of their risk profile with sufficient discipline. A thorough risk assessment is the crucial first step in developing a compliance program, and careful identification of risks inherent in their business is needed, distinguishing between products and services, customers, and geographic locations. A risk profile must not only be operationally implemented, it also must be updated as changes occur for the institution. The MSB benchmarking report notes, "While all of the MSBs in the benchmarking population had a documented risk assessment, the majority (61 percent) were still in the process of making the risk assessment a practical reality of their business operations."</p><p>As this story notes, Citigroup set up Banamex USA, the former California Commerce Bank, as an arm of its Banco Nacional de Mexico subsidiary to make it easier for businesses and individuals to transfer funds across the border. That is a significant business change, and one wonders whether Citigroup updated its risk profile, at least for its Banco Nacional de Mexico subsidiary.</p><p> <strong>2. 
A thorough internal controls review.</strong> Particular aspects of FinCEN's guidance regarding what is needed for an internal controls review seem relevant to Citigroup's acknowledged weaknesses, including:</p><ul><li>Whether the board of directors, or a committee thereof, and senior management were adequately informed of BSA/AML compliance initiatives and identified compliance deficiencies, and took corrective action. That would include notifying directors and senior management of suspicious activity reports filed with regulators.</li><li>Compliance with requirements for establishing a person or office responsible for BSA/AML compliance, including providing for program continuity despite changes in management, employee composition, or structure. According to the news report, Banamex USA "conducted fewer than 10 investigations and filed only nine suspicious activity reports stemming from the alerts because its compliance unit was seriously understaffed with only two employees."</li><li>Providing for dual controls and segregation of duties. For example, employees who complete the reporting forms, such as suspicious activity reports, should not also be responsible for the decision to file the reports or grant exemptions.</li><li>Providing sufficient controls and monitoring systems for timely detection and reporting of suspicious activity.</li><li>Ensuring there is sufficient document and record keeping regarding transactions, particularly those with higher risks. </li></ul><p>The MSB benchmarking report notes several observations relating to deficiencies found in several of these areas, including transaction processing, record keeping, and the handling of suspicious transactions.</p><p> <strong>3. Independent Testing (Audit).</strong> According to FinCEN's guidance, independent, third-party audits of BSA/AML compliance should be conducted at least every 12 to 18 months — and more frequently for higher-risk financial institutions. 
These audits should include:</p><ul><li>An evaluation of the overall adequacy and effectiveness of the BSA/AML compliance program, including policies, procedures, and processes. Typically, this evaluation will include an explicit statement about the BSA/AML compliance program's overall adequacy, effectiveness, and compliance with applicable regulatory requirements. The audit should at least contain sufficient information for the reviewer, such as an examiner, review auditor, or BSA officer, to reach a conclusion about the overall quality of the BSA/AML compliance program.</li><li>A review of the bank's risk assessment for reasonableness given its risk profile (products, services, customers, entities, and geographic locations).</li><li>Appropriate risk-based transaction testing to verify the bank's adherence to the BSA record-keeping and reporting requirements.</li><li>An evaluation of management's efforts to resolve violations and deficiencies noted in previous audits and regulatory examinations, including progress in addressing outstanding supervisory actions, if applicable.</li><li>A review of the effectiveness of the suspicious activity monitoring systems (manual, automated, or a combination) used for BSA/AML compliance. Related reports may include suspicious activity monitoring reports, large currency aggregation reports, monetary instrument records, funds transfer records, non-sufficient funds reports, large balance fluctuation reports, and account relationship reports. </li></ul><p>Additionally, Grant Thornton's benchmarking study found that while deficiencies in AML compliance programs continue to be prevalent (incidences of around 60 percent of MSBs overall), "for those MSBs that had more than one review of their program completed, there was a decrease in documentation deficiencies such as risk assessments, policy, and procedures (66 percent deficient in 2012 and 57 percent in 2016)." 
We do not know whether regular audit work had been conducted on Banamex's BSA/AML compliance program. However, if such audits took place and included the above scope, it would be surprising if senior management and regulators had not known about the program's serious deficiencies sooner.</p><p><strong>4. BSA/AML Compliance Officer. </strong>Every institution's board should designate a BSA/AML compliance officer. While this person may not be part of the executive team, he or she should be expert in BSA/AML regulations, have the ability and resources to design and implement a program, and ensure that both the board and senior management are aware of the organization's compliance status. While one needs to exercise caution in comparing MSBs to banks in this regard, the Grant Thornton benchmarking study found that of the MSBs studied, only "18 percent (down from 23 percent in 2012) had a compliance officer that was supported by a team providing assistance to oversee and meet the compliance program requirements."</p><p> <strong>5. BSA/AML Compliance Training.</strong> Institutions should train employees in the appropriate parts of the BSA/AML program and communicate the organization's anti-money laundering responsibilities to them. Employees whose jobs place them in a specific risk category should be aware of how mandated reporting and responsibilities apply to them. This training should be reviewed periodically, especially when people change jobs. BSA compliance also should be incorporated into the job descriptions and performance evaluations of personnel, as appropriate.</p>Art Stewart
Red Card for Corruption<p>Global soccer governing body FIFA has suspended a member of its audit and compliance committee for 90 days following his guilty plea to U.S. charges of bribery, <a href="" target="_blank">Reuters reports</a>. Richard Lai, a U.S. citizen who is president of the Guam Football Association, admitted to taking almost $1 million in bribes in exchange for his influence within FIFA. Prosecutors noted that FIFA's audit and compliance committee should play an important role in combatting the corruption that has come to light since 2015. In a separate case, FIFA's ethics committee has launched an investigation into alleged conflict of interest and financial mismanagement by the president of the Caribbean Football Union. </p><h2>Lessons Learned</h2><p>Behind the immediate headlines of this story are revelations of two decades of corruption in which FIFA officials rigged World Cup bids and steered marketing and broadcast contracts in exchange for bribes paid out through convoluted financial deals or briefcases full of cash. Globally, football officials have been accused of match-fixing and money laundering as well.</p><p>In response to stakeholder pressure and corruption charges brought against many senior FIFA officials, the organization announced a series of reforms to its governance and decision-making processes. <a href="" target="_blank">The proposed reforms</a> (PDF) include limiting top officials to three four-year terms, a defined division of powers between FIFA's day-to-day operational division and its strategic leaders, and increased gender diversity rules to promote women in the game, such as a requirement that each of FIFA's confederations elect at least one woman to the confederation's governing board. 
Although there will be independent members on selected advisory committees, the reforms do not include adding independent members to a new executive committee.</p><p>Here are a few suggestions FIFA could follow to address corruption:</p><ul><li><strong>Eliminate governance gaps.</strong> First and foremost, in an organization that has been subject to widespread corruption, there should be independent members on every committee, including the executive committee. Individuals from government, regulatory/oversight bodies, academia, and professional organizations are among the potential independent members. Criteria for independence should include background checks to ensure members or their families do not have connections (paid or not) to particular soccer or media organizations. Audit, ethics, and financial oversight committees must have the powers and resources to independently investigate and report on suspicious matters of any kind, and to turn over their results to regulators and lawmakers. The executive committee also must set a tone of "zero tolerance" of corruption through its words, actions, and policies. The executive committee should not have control over the release of investigative reports.</li><li><strong>Implement measures to prevent bid rigging and vote buying. </strong>Expand the list of bidders and voters to make it more difficult for collusion to be effective. Buyers should solicit bids from as many suppliers as economically possible. Having more voters reduces the chance that one party can control the outcome of the vote as easily as was done in the past. Both bid and voting packages should require bidders and voters to sign and submit a noncollusion affidavit. The packages also should inform bidders and voters of the penalties both for violating laws such as the U.S. Sherman Antitrust Act and for signing a false noncollusion affidavit. 
These statements should be verified routinely through audit and review processes. FIFA also should ensure that all purchasing department and voting oversight employees are familiar with the indicators of bid and vote rigging, price fixing, and other types of collusion. Employees also should be empowered to ask questions and raise flags when collusion is suspected. Voting and bidding processes should be well documented, and records should be maintained in case they are needed for review when collusion is suspected.</li><li><strong>Leverage the deterrence and detection effects of whistleblower mechanisms and tough sanctions for corrupt behavior. </strong>The corruption in this story was in significant part uncovered by a whistleblower. FIFA should do more to support and protect whistleblowers. Moreover, its sanctions of proven perpetrators of corruption probably could be much stronger: a 90-day suspension from soccer sends a far less decisive message of deterrence than a ban of several years or a lifetime. </li></ul>Art Stewart
