Slick Dealings<p>The CEO of Indonesian energy company Pertamina announced that an outside forensic audit has discovered fraud in its former trading unit, <a href="" target="_blank">Reuters reports</a>. Indonesia's energy minister says auditors found that third parties had rigged tenders and leaked the Petral unit's price calculations, leading Pertamina to pay higher prices to import fuel and crude oil. Auditors also reported that Petral had prearranged traded volumes to limit competition and given preference to national oil companies. State-owned Pertamina is dismantling Petral, which had been suspected of corruption, and is replacing it with a new group that has yielded US$103 million in cost savings in the third quarter.</p><h2>Lessons Learned</h2><p>This case is a good reminder about the risks, control failures, and the need to prevent and detect price-fixing, bid rigging, and corruption in market allocations. Although many developed countries such as the U.S. have extensive and rigorous laws, regulations, and oversight bodies for this purpose — the U.S. Sherman Antitrust Act is a good example — others including Indonesia do not have such safeguards in place. Consumers, no matter where they live in the world, should have the right to expect the benefits of free and open competition. Public and private organizations often rely on a competitive bidding process to achieve that end. The competitive process works, however, only when competitors set prices honestly and independently. When competitors collude, prices are inflated and the customer is cheated. Collusion and related fraudulent activities also are more likely to occur in industries such as the energy sector if there is a monopoly or few sellers.</p><p>In several previous columns I have advised on the types of controls that both auditors and key guardians such as procurement agents can use to decrease the chances of fraud. 
This column looks at the major types of fraud schemes and the red flags auditors should focus on to detect them:</p><ul><li> <strong>Bid Rigging. </strong>The most common fraud schemes involve bid suppression, complementary bidding, bid rotation, or market allocation. Bid suppression occurs when one or more competitors agree not to bid, or withdraw a previously submitted bid, so that a designated bidder will win and in return, the nonbidder may receive a subcontract or payoff. In complementary bidding, co-conspirators submit token bids that are intentionally high or fail to meet all of the bid requirements in order to lose a contract. Bid rotation happens when all co-conspirators submit bids, but by agreement, take turns being the low bidder on a series of contracts. Market allocation occurs when co-conspirators agree to divide up customers or geographic market areas and will only submit bids when a solicitation for bids is made by a customer or in a market not assigned to them. A top 10 "red flag" list for these schemes should include:</li><ul><li>Identical bids from different companies either as individual line items or lump sum bids.</li><li>Bids that come in above the estimate for the value of the contract or comparable bids by the same companies in other areas.</li><li>The winning bidder subcontracts part of the business to one or more losing bidders.</li><li>Indications that a physical alteration of bids has occurred, particularly at the last minute.</li><li>Particular line items for some bidders are much higher than for others and seem out of sync with costs.</li><li>Bids of companies are very close, indicating that bidders knew each other's prices.</li><li>Physical evidence of collusion such as different companies submitting bids with the same handwriting, or in the same envelopes, with the same mathematical or spelling errors, or the same fax number.</li><li>Significant increases by bidders over previous prices when there have been no substantial cost 
increases.</li><li>Prices drop when a new bidder appears on the scene.</li><li>Competitors meet shortly before or after the bids are submitted.<br> </li></ul><li> <strong>Price Fixing. </strong>This occurs when competitors agree to raise or fix prices they will charge for their goods or services, set a minimum price that they will not sell below, or reduce or eliminate discounts. Major red flags include:</li><ul><li> Circumstances where competitors announce their price increases at the same time for the same amount or have staggered price increases with a pattern, such as appearing to take turns going first.<br></li><li> When competitors reduce or eliminate discounts at the same time.</li><li> Situations in which prices seem to be uniform and suppliers refuse to negotiate those prices.<br></li></ul><li> <strong>Market Allocation. </strong>Such schemes involve bidding or quoting prices for services or goods after there has been a behind-the-scenes agreement as to who will bid for what part of the market. Major red flags include:</li><ul><li>The same company seems to get the organization's business over and over, and its competitors never bid for it or they may refuse to offer a quote. And, if they do, the quote may be ridiculously high to discourage the organization from changing suppliers.</li><li>Conversely, circumstances where companies that should want the organization's business are not interested.</li></ul></ul> <p>The above red flag list cannot be considered exhaustive nor definitive evidence of fraud. Instead, it provides indicators that can be used for further investigation and potential reporting to management, oversight, and regulatory bodies.</p>Art Stewart
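<p>Several of the bid-rigging red flags listed in the column above (identical bids, very close bids, bids above the estimate, a winner subcontracting to a losing bidder, bid rotation, and prices dropping when a new bidder appears) can be screened for in tender records. The Python sketch below is an added example, not part of the original column; the record layout, thresholds, and company names are constructed assumptions, and a flag is a prompt for further investigation, not evidence of fraud.</p>

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Assumed thresholds (tune to the organization's own bid history).
CLOSE_CV = 0.01        # bids "very close": std deviation under 1% of the mean bid
ABOVE_ESTIMATE = 1.10  # lowest bid more than 10% over the contract estimate
PRICE_DROP = 0.10      # lowest bid/estimate ratio falls 10% below the earlier average

# Constructed sample tenders in chronological order (names and amounts are invented).
TENDERS = [
    {"id": "T1", "estimate": 100_000, "subcontractors": ["Bravo"],
     "bids": {"Alpha": 118_000, "Bravo": 124_500, "Cedar": 126_000}},
    {"id": "T2", "estimate": 80_000, "subcontractors": [],
     "bids": {"Alpha": 99_000, "Bravo": 93_000, "Cedar": 99_000}},
    {"id": "T3", "estimate": 120_000, "subcontractors": [],
     "bids": {"Alpha": 146_500, "Bravo": 147_000, "Cedar": 146_000}},
    {"id": "T4", "estimate": 100_000, "subcontractors": [],
     "bids": {"Alpha": 104_000, "Bravo": 109_000, "Cedar": 111_000, "Delta": 97_000}},
]


def winner(tender):
    """Lowest bidder wins; a tie resolves to the first listed bidder."""
    return min(tender["bids"], key=tender["bids"].get)


def screen(tenders):
    """Return {tender_id: sorted list of red flags} for chronologically ordered tenders."""
    flags = defaultdict(set)
    seen_bidders, earlier_ratios = set(), []
    by_bidder_set = defaultdict(list)

    for t in tenders:
        bids, amounts = t["bids"], list(t["bids"].values())
        low_ratio = min(amounts) / t["estimate"]

        # Identical bids from different companies.
        if any(count > 1 for count in Counter(amounts).values()):
            flags[t["id"]].add("IDENTICAL_BIDS")
        # Bids very close together, suggesting bidders knew each other's prices.
        if len(amounts) > 1 and pstdev(amounts) / mean(amounts) < CLOSE_CV:
            flags[t["id"]].add("CLOSE_BIDS")
        # Even the lowest bid sits well above the contract estimate.
        if low_ratio > ABOVE_ESTIMATE:
            flags[t["id"]].add("ABOVE_ESTIMATE")
        # Winner subcontracts part of the work to a losing bidder.
        if (set(bids) - {winner(t)}) & set(t["subcontractors"]):
            flags[t["id"]].add("WINNER_SUBCONTRACTS_LOSER")
        # Prices drop when a bidder not seen in earlier tenders appears.
        newcomers = set(bids) - seen_bidders
        if earlier_ratios and newcomers and low_ratio < mean(earlier_ratios) * (1 - PRICE_DROP):
            flags[t["id"]].add("PRICE_DROP_NEW_BIDDER")

        seen_bidders |= set(bids)
        earlier_ratios.append(low_ratio)
        by_bidder_set[frozenset(bids)].append(t)

    # Bid rotation: the same group of bidders takes turns being the low bidder.
    for bidders, group in by_bidder_set.items():
        wins = Counter(winner(t) for t in group)
        evenly_shared = max(wins.values()) - min(wins.values()) <= 1
        if len(bidders) > 1 and len(group) >= len(bidders) and set(wins) == bidders and evenly_shared:
            for t in group:
                flags[t["id"]].add("BID_ROTATION")

    return {t["id"]: sorted(flags[t["id"]]) for t in tenders}


if __name__ == "__main__":
    for tender_id, found in screen(TENDERS).items():
        print(tender_id, ", ".join(found) or "no flags")
```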
The Abuse of Executive Power<p>It was 9:35 on a Wednesday morning in New York at the board meeting of a multi-billion-dollar, publicly traded company. The CEO, Richard Tompkins, was in a rage. The chairman of the board had just told him to resign or he would be fired. Tompkins’ reaction was classic, immediate, and violent. He was the shareholders’ greatest nightmare. <br></p><p>Tompkins was brought in to execute the turnaround of the company and initially had done a reasonable job. He claimed he needed a team he could trust and did not have time to evaluate the existing group, so he brought in a new chief operating officer, chief financial officer (CFO)/controller, chief information officer, human resources (HR) director, general counsel, purchasing agent, CAE, and external auditor — all friends and former colleagues. The board, anxious for the company to be saved, voted in favor of every organizational change Tompkins steamrolled through. But over the next several years, rumors of executive abuse began, including insider land deals and related-party transactions, excessive equipment and service purchases from related parties, unusual consulting contracts, inappropriate personal expenses, personal use of the company airplane, extravagant golf outings and parties, unnecessary foreign travel, and company vehicle abuse.<br></p><p>During this period, even the chairman, who was busy with other ventures, took little time to fully understand what was going on inside the company. Meanwhile, the internal auditors, while formally reporting to the audit committee, were under the day-to-day control of the CFO, Tompkins’ close friend. As long as the earnings looked good, the board was happy to show up and vote “present.” <br></p><p>When the recession took hold and revenues dried up, multiple frauds began to surface, rounds of layoffs commenced, and whistleblower calls started pouring in to the HR director, with no effective or independent follow-up. 
The calls then were diverted to corporate counsel, who wrote them off as disgruntled former employees, assuring the chairman that there was no basis to these unfounded allegations. The audit committee chairman, an outside member of the board brought in by Tompkins, put his faith in the audit system and did not give the disgruntled former employees adequate consideration. <br></p><p>All these activities finally came to light because of Harriet Stevens, a quiet and humble accounts payable employee who identified a US$2.5 million bridge construction project over the company’s pond that was awarded to the CEO’s son, a building contractor. Stevens first called the company’s ethics hotline. When nothing happened after her report, she called the chairman of the board. <br></p><p>The chairman was independent of management and the largest shareholder in the company. His interests were well aligned with the shareholders. He called in independent investigators, which he initially paid for out of his own pocket. As the inside business process consultants reviewed company operations, they fed the outside team with various leads, which allowed the investigators to identify and target various companies and individuals for investigation and approach. This effort, combined with the numbers coming from the inside team, allowed the investigators to identify and document numerous serious irregularities and outright frauds perpetrated by Tompkins and his cohorts. <br></p><p>Tompkins’ multiple frauds were successful — at least for a time — because he had complete and unquestioned control over the day-to-day operations of the business, including the ability to circumvent existing weak controls. Tompkins was able to pack the company with yes-men and friends — some of whom actively participated, enabled, or otherwise conspired with him in several frauds. The external auditors were completely ineffective in probing deeply enough to ferret out the misdeeds. 
They were eager to maintain their new Fortune 100 client and did not want to rock the boat. Consequently, they failed to recommend a stronger and tighter business control structure to prevent some of the shenanigans. While the outside auditors were aware of the internal control weaknesses surrounding Tompkins’ inappropriate activities, they failed repeatedly to directly confront these issues. <br></p><p>The board was little more than a rubber stamp for Tompkins. Whatever he did in the name of saving and running the company was always approved. All of the independent directors sat on multiple boards, leaving them insufficient time to direct and monitor the company’s executives. Several lacked the depth of skill to understand the company’s operations and competitive position. In particular, the audit committee chairman placed far too much reliance on the work and opinions of the outside auditors and the CFO. <br></p><p>During the early phases of the CEO’s irregular activities, the magnitude of the transactions fell far below the “materiality levels” of the outside auditors. This fact, combined with the CFO’s willingness to hide questionable spending within the forest of the company’s transactions, effectively camouflaged the CEO’s activities.<br>The board was faced with a vexing dilemma. It needed to decide whether to pursue criminal or civil action against the CEO or let him go quietly to avoid a scandal, which would negatively affect the shareholders. In the end, it chose the quiet path.<br></p><h2>Lessons Learned</h2><p></p><ul><li>The chairman is, or should be, the chief advocate for the shareholders, and completely independent of management. It is the chairman’s primary job to direct the company’s executives and drive oversight of their activities in the name of the shareholders. </li><li>An independent and highly skilled audit committee chairman is essential to maintain a robust system of checks and balances over all operations. 
To be truly effective, the chairman must be independent of those he or she is charged with watching. </li><li>The CAE must report to the audit committee and have his or her budget, compensation, mission, career path, and hiring/firing authority fully insulated from executive management.   </li><li>The chairmen of the board and the audit committee must devote material time to their duties. While the board can use the company’s oversight functions to maintain a checks and balances process, there is no substitute for personal, direct involvement.</li><li>The board must be willing to direct inquiries into allegations of misconduct, and have unquestioned confidential spending authority to conduct reviews and investigations as it deems necessary.</li><li>One of the most effective compliance tools available to the board is the day-to-day vigilance of the company’s employees. When an individual employee detects wrongdoing, he or she must have an effective and safe method to report observations, such as a third-party ethics hotline that reports to the chairman of the board and audit committee. All employees must be protected from retribution to avoid any possibility of corrupting the process. </li><li>A zero-based budgeting process — requiring that the individual elements of the company’s budget be built from the bottom up, reviewed in detail, and justified — would have facilitated the identification of unusual spending in numerous corporate and operating units. This provides an in-depth view of spending as opposed to basing the current year’s spending, in aggregate, on last year’s spending, where irregularities may be buried and overlooked.  <br></li></ul><p><span class="ms-rteiaStyle-authorbio">John L. Verna, CBA, CPA, CFE, is founder and executive director of the Center for Strategic Business Integrity in Washington, D.C.  <br>Christopher T. 
Marquet, CBA, is managing director and head of research for the Center for Strategic Business Integrity and the CEO and founder of Marquet International Ltd. in Wellesley, Mass.</span></p>John L. Verna
Fleecing the Crowd<p>Las Vegas-based Ascenergy LLC and its CEO Joseph Gabaldon are facing charges of running a deceptive crowdfunding scheme that allegedly defrauded investors of US$5 million, <a href="" target="_blank"><em>Petro Global News</em> reports</a>. The U.S. Securities and Exchange Commission (SEC) says Ascenergy used crowdfunding websites to raise investments in underdeveloped oil and gas wells, but it alleges that Ascenergy misrepresented the company and the nature of the investment. Moreover, the SEC says Ascenergy has only spent a few thousand dollars on oil and gas-related expenses out of the US$1.2 million the company has spent so far from the money it raised. Instead, most of the money has gone to Gabaldon and companies he controls, the SEC says. The U.S. District Court for Nevada has issued a temporary restraining order to halt the offering as well as an order freezing Ascenergy and Gabaldon's assets.</p><h2>Lessons Learned</h2><p>Crowdfunding has exploded as a new way of attracting funding and financing for individuals, small businesses, and entrepreneurs around the world. In 2013, the global crowdfunding industry was responsible for between US$3 billion and US$5 billion in funding, according to a January 2014 report from TD Bank Economics, Crowdfunding: A Kick Starter for Startups. A 2013 World Bank report, Crowdfunding's Potential for the Developing World, states that there is a significant number of crowdfunding investment platforms in developed countries — for example, the U.S. has 344 different platforms, the U.K. has 87, and France has 53 — and developing countries won't be far behind in establishing their own versions. The report also cites the 2008 financial crisis as one of the main catalysts to interest in crowdfunding and specifically equity crowdfunding in the U.S. 
Another catalyst is the growth in the availability of lower cost broadband Internet to a much greater number of individuals.</p><p>Crowdfunding is truly one of those game-changing concepts that disrupts the traditional industries and players, but because it is built on trust, it's ripe for fraud. The fraud can manifest itself in many different ways. Misappropriation can be easy to pull off through false websites. As with any online financial transaction, phishing schemes can be used to illegally gain access to personal and financial information such as credit card and banking information. The funds raised can be used for purposes other than what was initially disclosed. The creator also may claim that he or she owns the idea, but this may or may not be true. </p><p>Not surprisingly, many of the anti-fraud measures for preventing crowdfunding fraud are similar to those that should be adopted to counter most kinds of financial fraud. These include:</p><ul style="list-style-type:disc;"><li> <strong>Potential investors need to dig into the creator's business background.</strong> Has he or she launched other projects successfully or supported such projects? Is there a professional online profile that demonstrates expertise in this area? Is the person trying to fund the same project on multiple crowdsourcing sites? That could show an attempt to raise as much money from as many people as possible — not necessarily a fraud red flag per se but potentially an indicator of increased risk. Also, check the creator's credentials. Many crowdfunding sites state that the person has a Facebook or similar social media page, but anyone can make a Facebook page. Analyze the page: Are the friends real or just "filler?" Are there real-time comments? Does the person have just one social media site, or is he or she listed on other sites? A short time line might indicate the page was created just before asking for funding. 
</li></ul><ul style="list-style-type:disc;"><li> <strong>Crowdfunding platforms need to adopt basic anti-fraud strategies and techniques, </strong>both in their own interests and to protect consumers and investors. Many crowdfunding platforms assert a commitment to integrity and ethics. For example, Kickstarter deploys an "integrity team" that uses complex algorithms and automated tools to identify and investigate suspicious activity on projects. However, Kickstarter doesn't make public data on the actions it has taken to report or file a complaint about such suspicious activity with the U.S. Federal Trade Commission (FTC) or a state attorney general. The community of "backers" are more of a de facto protector against fraud, because they report on what project creators are pitching and whether they are following through.</li></ul><ul style="list-style-type:disc;"><li> <strong>Expect more regulatory scrutiny of crowdfunding as the crowdfunding industry grows and grapples with fraud</strong>. To the crowdfunding community, external regulatory oversight may be an anathema to be resisted, but the reality is that fraud such as that described in this story must be addressed. Measures do not necessarily have to impinge harmfully on the flexibility and speed desired by the crowdfunding community. For example, the FTC has launched a program called FinTech, aimed at protecting consumers in the rapidly expanding and evolving high-tech markets. Additionally, the SEC recently issued regulations to enable companies to offer and sell securities through crowdfunding, as well as to make it easier — within financial transaction size limits — for startup companies to attract financing in accordance with the Jumpstart Our Business Startups Act of 2012 (JOBS Act). The crowdfunding world appears happy about these changes. 
<br> <br>The rules also include numerous requirements that should be of particular interest to auditors who might advise on ways the crowdfunding industry could protect itself more generally from fraud activity. Companies that want to conduct a crowdfunding offering need to file certain information with the SEC and provide this information to investors and the intermediary facilitating the offering, including:</li></ul><ul> <ul style="list-style-type:disc;"> <li>The price to the public of the securities or the method for determining the price, the target offering amount, the deadline to reach the target offering amount, and whether the company will accept investments in excess of the target offering amount.</li><li>A discussion of the company's financial condition.</li><li>Financial statements of the company that, depending on the amount offered and sold during a 12-month period, are accompanied by information from the company's tax returns, reviewed by an independent public accountant, or audited by an independent auditor. A company offering more than US$500,000 but not more than US$1 million of securities relying on these rules for the first time would be permitted to provide reviewed rather than audited financial statements, unless financial statements of the company are available that have been audited by an independent auditor.</li><li>A description of the business and the use of proceeds from the offering.</li><li>Information about officers and directors as well as owners of 20 percent or more of the company.</li><li>Certain related-party transactions.</li></ul></ul>Art Stewart
Swipe Once for Fraud<p>A single seller defrauded online payments company Square out of US$5.7 million, <a href="" target="_blank"> <em>Business Insider</em> reports</a>. Omaha, Neb.-based event planner, Creative Creations, allegedly used its Square card reader to sell worthless travel vouchers, according to the <a href="" target="_blank"> <em>Omaha World-Herald</em></a>. Square revealed that such fraud is a big risk in an initial public offering filing with the U.S. Securities and Exchange Commission (SEC). The company notes that the automated nature of its payment services makes it an attractive target for fraudulent and illegal activities. Moreover, Square acknowledged that it could be liable for losses associated with chargebacks and refunds connected to illegitimate transactions. Chargebacks occur when a person notices a charge for something he or she didn't purchase and the credit card company refunds the amount to the cardholder. Square, as the processor, may be liable for reimbursing the credit card company if the seller is unwilling or unable to do so.</p><h2>Lessons Learned</h2><p>As various forms of businesses targeting lower-cost electronic financial transactions proliferate, so too do the associated risks of fraud. In Square's business model, the company charges a fee of 2.75 percent on every credit card transaction but does not charge sellers monthly fees or set-up costs. Square claims its costs are, on average, lower than the costs charged by conventional credit card processors. Square is regarded as a useful application for entrepreneurs, such as consultants, food truck operators, and other small retailers. Swiped payments are deposited directly into a user's bank account within one or two business days. </p><p>By its own admission, Square's business model puts it at a high level of risk for fraud. 
Its SEC filing notes, "The highly automated nature of, and liquidity offered by, our payments services make us a target for illegal or improper uses, including fraudulent or illegal sales of goods or services, money laundering, and terrorist financing. Identity thieves and those committing fraud using stolen or fabricated credit card or bank account numbers, or other deceptive or malicious practices, potentially can steal significant amounts of money from businesses like ours." </p><p>So what might Square do to balance its flexible payment services model while combatting fraudulent activity such as with chargebacks?</p><ul style="list-style-type:disc;"><li> <strong>Implement a robust anti-fraud regime, tailored to its business model and customers.</strong> That would include a fraud risk assessment of high-risk customers (for example, those with little or no credit history, sellers who only provide future delivery of goods/services, and sellers with links to foreign or unknown origins), and transactions (for example, a higher dollar/higher volume value). As it did with an outright ban on firearms-related transactions, Square could set out other kinds of transactions and customers it will give closer scrutiny to or simply not accept, based on that fraud risk assessment. Certainly, testing the legitimacy of potentially high-risk or suspicious transactions and customers periodically is a good practice. This should be done in combination with various electronic testing, such as verifying the IP address of the customer/seller, checking whether sellers have a legitimate presence on Facebook or other social media, and verifying whether the billing and selling addresses match.</li></ul><ul style="list-style-type:disc;"><li> <strong>Consider introducing stronger controls over transactions that do not compromise either its business model or financial viability. 
</strong>These could include: </li><ul><ul><li>Establishing a reasonable waiting period before a customer or seller is reimbursed in a chargeback situation to allow time to confirm the validity of the transaction.</li><li>Investing in EMV chip card technology for all of its card readers to increase overall security over transactions.</li><li>Requiring high-risk sellers, identified in the fraud risk assessment, to maintain a financial reserve to cover losses such as from chargebacks.</li><li>Avoiding higher-risk transactions, such as what can happen when a purchase is sent to a freight company. For example, such companies can send goods overseas and still do a chargeback.</li></ul></ul></ul>Art Stewart
The School Embezzler<p>A Circuit Court judge in Blount County, Tenn., has approved a US$5.3 million civil judgment against a former Alcoa City Schools administrative assistant who confessed to stealing from the school system from 2007 to 2013, the <a href="" target="_blank"> <em>Knoxville News-Sentinel</em> reports</a>. A Tennessee State Comptroller's audit uncovered the theft in 2012, spawning a one-year criminal probe that discovered that Kathy Ann Winters had diverted money from a fund she oversaw for special education, special needs, and low-income students to her personal bank account and had used a school system credit card for personal purchases. Winters, who is currently serving a 40-month sentence, created false invoices for services and expenses and forged her supervisor's signature on them. An attorney for the Alcoa Schools said Winters took advantage of a loophole in the accounting system. Since her conviction, the school system has implemented additional layers of accountability for the system, the attorney said.</p><h1>Lessons Learned</h1><p>Although this story describes a successful fraud prosecution based on a Tennessee State Comptroller's investigation, we cannot be completely satisfied with the outcome, given both the amount of time it took to detect the fraudulent behavior and the lack of attention to addressing the most likely root causes that allowed Winters to perpetrate her crimes. I'm referring to a lack of oversight, including a robust audit regime, and weak internal controls, especially over financial management. These are two of the most fundamental elements that need to be strong in combating fraud.</p><p> <strong>Oversight. </strong>The U.S. does not have a consistent national framework or requirements for establishing or contracting an audit function on a regular basis. Such a requirement also may be lacking in many other developed nations. Most U.S. 
states do have a state comptroller with audit and investigative powers, but requirements for school boards and districts to have internal audit functions vary widely. Where such requirements exist, exemptions to those requirements are set quite differently. For example, the state of Tennessee uses a centralized model, with a state Department of Education internal audit function. By contrast, Texas requires any state agency with an annual operating budget exceeding US$10 million, or more than 100 full-time equivalent positions, to have an internal auditor. However, that law does not apply to independent school districts and charter schools, which may do so voluntarily. In New York, almost all school districts are required to establish audit functions, along with audit committees. New York school districts with less than eight teachers, expenditures of less than US$5 million in the previous year, or an enrollment of fewer than 1,500 students are exempt. </p><p>School districts with an active internal audit function that regularly conducts risk-based audits of treasurer duties and financial management controls would be more likely to detect fraud at an earlier stage than occurred in this story. </p><p>A second aspect of the need for better oversight is stated directly in the Tennessee State Comptroller's investigative report: "The supervisors association (the school body that was supposed to oversee the Treasurer's activities) did not assume oversight responsibility over the organization's operations. The minutes of committee meetings infrequently reflected discussions of the financial operations, purchases or acquisitions, and personnel policies. Management should, to the extent possible, exercise greater oversight of the organization's operations. Such association oversight should include a review of monthly bank statements, a listing and description of monthly expenditures, and bank reconciliations." 
That not only states the problem clearly, but also raises the question of consequences for those who did not discharge their responsibilities appropriately. </p><p> <strong>Internal Controls. </strong>With regard to the role of weak internal controls, this story simply refers to an accounting "loophole" that has since been closed, but the state Comptroller's investigation report provides a more complete picture of the kinds of internal control lapses that create ideal conditions for fraud:</p><ul><li> <span style="line-height:1.6;">Duties were not segregated adequately within the school association steering committee. The person responsible for maintaining accounting records also was involved in disbursements, receipting, and bank deposits. The school district also had gaps in its financial management policy framework. For example, it did not have a credit card usage policy.</span><br></li><li> <span style="line-height:1.6;">Appropriate documentation for all purchases for goods and services received was not required or provided in many cases. The system did not require a minimum of two signatures on all checks issued. The director of Alcoa Schools also did not follow the schools' policy that requires the director to approve all purchase orders and travel reimbursements.</span><br></li><li> <span style="line-height:1.6;">The former treasurer was allowed to serve a term of eight years on the school board steering committee, but its bylaws clearly state that each representative may serve for a maximum of six years over any nine-year period. </span><br></li></ul>Art Stewart
The Light Paychecks<p><a href="" target="_blank">An investigation</a> by the Australian Broadcasting Corp.'s <em>Four Corners</em> program has found that 7-Eleven Australia franchisees have systematically underpaid their store employees by submitting false time sheets that underreported the number of hours they actually had worked, among other methods. According to the <em><a href="" target="_blank">Herald Sun</a></em>, the company, which owns the Australian license for the convenience store chain, conducted its own review of 225 franchises and found 69 percent of stores had payroll compliance issues, including falsified records. Franchisees withheld holiday pay, paid employees as little as AU$10 an hour (US$7.02) — the employee wage was AU$24 an hour (US$16.86) — and confiscated an employee's passport and driver's license. 7-Eleven Australia Chairman Russ Withers has vowed to reimburse all shortchanged employees.</p><h2>Lessons Learned</h2><p>I wrote about time theft by employees in an <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=3da8278f-5ca0-4c59-810a-c3113aec7149&TermSetId=bb519a46-9cdb-4e10-8446-505034f60087&TermId=93860d42-cf0b-4a3d-a7b1-048b31107c22">earlier column</a>, so it is fitting that we now have an opportunity to see how time theft fraud can be perpetrated by the employer. Here are some audit recommendations that could help to deter and prevent the kind of fraudulent activity found at 7-Eleven Australia. 
A key theme in these recommendations is to ensure that the head office has the means to know what is going on in a franchise environment and is held accountable for how it deals with balancing profitability, efficiency, and fraudulent activity.</p><ul style="list-style-type:disc;"><li> <strong>Implement a modern, efficient, and readily monitored time management system.</strong> Closed-circuit TV as a basis for time management appears to be quite a 1990s solution, yet that is how 7-Eleven Australia monitored payroll activities at its stores. In 2015, there are numerous cost-effective, software-based solutions that enable employees to clock in and out from traditional time clocks, any computer with Internet access, mobile devices, or telephones. Time clocks are cloud-based and can be configured to record information in a variety of ways, including through fingerprints, magnetic strips, bar codes, proximity badges, and touch screens. All of the data is automatically and immediately transferred as soon as employees clock in or out, which saves the employer the work of getting the times in and out of video. More importantly, these solutions easily can be networked so that the head office has fast and accurate access to the data.</li></ul><ul style="list-style-type:disc;"><li> <strong>Establish and monitor an effective whistleblower program, along with a "no reprisals" policy.</strong> The various news stories about this fraud show that a local citizen became concerned about the potential payroll abuse of foreign worker employees on visas and became an advocate and an important factor in uncovering the 7-Eleven Australia fraud. But a large number of these employees expressed deep concern that if they came forward, they would face reprisals including firing and deportation. 
A corporate whistleblower program, established and enforced by head office, that includes mechanisms for local franchise employees to report abuses to a neutral central office would help to counteract employee concerns about reprisals and catch fraudulent activity earlier.</li></ul><ul style="list-style-type:disc;"><li> <strong>Raise the stakes with regard to deterring fraud and increase the consequences of getting caught. </strong>It is clear in this case that there is a long-term systemic problem that needs to be addressed. Australian Fair Work Ombudsman investigations going back as far as 2009 have found numerous violations. With regard to materiality, one franchisee was found to have underpaid four workers almost AU$90,000 (US$62,915) over four years. The Melbourne Magistrates Court penalized that franchisee AU$150,000 (US$104,858) in 2011, but even that is a relatively small amount compared to the kinds of revenues and profits 7-Eleven Australia creates regularly. And, certainly fines and penalties should strike an effective balance between franchise profitability/survival and consequences for violations. However, given that 7-Eleven Australia operates within a corporate franchise business model that relies on an overall franchise agreement — which it claims cannot be altered once signed — perhaps bigger fines and penalties should be assigned to head office as an incentive for positive change. Certainly, 7-Eleven Australia at least should be encouraged to change its franchise agreements going forward so that franchisees who systematically commit fraud lose their license. The company has claimed it did not have the necessary information to either report or deal with franchisee violations, so an appropriate remedial measure would be to require head office reporting to regulators of all franchise violations, at least until the systemic problems are addressed. 
</li></ul><ul style="list-style-type:disc;"><li> <strong>Finally, governments need to regularly review labor laws, along with the roles, powers, and enforcement mechanisms available to regulators. </strong>That seems to be happening in Australia now. To that I would add that this kind of fraud is a problem requiring international cooperation and alignment, given how many countries 7-Eleven operates in. 7-Eleven itself, or governments if necessary, should review and act upon knowledge of the state of franchise theft from employees in all of the countries in which it operates.</li></ul>Art Stewart
Volkswagen Scandal: The Undoing of a Corporate Icon<p><span style="line-height:1.6;">My first car was a used 1967 Volkswagen Beetle. It was a great little "starter" car, but only a couple of months after I bought it, the car was stolen. Last week, I relived that loss when Volkswagen was stolen from all of us.</span></p><p>The venerable automaker's shocking admission that it developed and installed software designed to circumvent U.S. emissions rules will forever change how the company is perceived by the public. The phrase "German engineering," once synonymous with quality, will now be the butt of jokes on late-night talk shows.</p><p>What's more, the scandal once again raises serious questions about the inner workings, and possibly ethical practices, of a respected corporation. As with FIFA, Hertz, and Toshiba, we can expect details of this debacle to trickle out in a painful and public unveiling of failure in corporate culture.</p><p>It remains to be seen how pervasive the scheme was to make Volkswagen's diesel vehicles appear to run cleaner in emissions tests than they do on the road. But one thing is perfectly and immediately clear: This is an extraordinary example of how a company's reputation, particularly one built over many decades, can be severely damaged — if not decimated — in mere days.</p><p>Already, Volkswagen has seen the resignation of its CEO against the backdrop of criminal and U.S. Environmental Protection Agency investigations, which could lead conservatively to fines of as much as US $18 billion. The company already announced it would take a charge to earnings topping US $7 billion. Not surprisingly, Volkswagen's stock price has plummeted.</p><p>On the horizon, one can expect to see lawsuits from car owners, shareholders, and others directly and indirectly affected by Volkswagen's actions. And one thing is certain, the impact won't be limited to Volkswagen. 
Like a devastating tsunami after an earthquake, the scandal's ripple effect already is striking stock prices of other automakers and parts suppliers.</p><p>The fallout conceivably could spread to other consumer sectors, where claims about product performance or quality will understandably be viewed more cynically. Is gluten-free really free of glutens? </p><p>Ultimately, the consequences of this misdeed might topple the world's second largest car company, according to some analysts. Whether Volkswagen can survive the storm, from an internal audit perspective, the scandal must be placed at the catastrophic end of the risk spectrum.</p><p>It remains to be seen if Volkswagen's top managers knew about the scheme or contemplated the risk of its discovery. But the lesson for internal audit is that virtually all risk carries a component of potential reputational damage to the organization. In the case of Volkswagen and many other failures of iconic companies, it would seem unimaginable that management or the internal audit function would condone potentially criminal behavior in support of boosting the company's value. The risks associated with such behavior — reputational, share value, corruption, fraud, corporate culture — are unacceptable to me, and presumably unacceptable to most shareholders and consumers. </p><p>This brings up another lesson to be drawn from the Volkswagen episode: Internal auditors must be keenly aware of the pressures associated with performance within their organizations. In a nutshell, they must understand that what gets measured/rewarded also can get manipulated.</p><p>Whether it's about profits, bonuses, or reducing the emission of nitrogen dioxide, internal audit must be attuned to pressures that management, regulators, or stakeholders place on measurable metrics. 
Typically, this is where an organization is most vulnerable to bending or breaking the rules.</p><p>I am encouraged by the comments of new Volkswagen CEO Matthias Müller upon his being named to the top post. Müller, who worked his way up the corporate ladder over a 38-year career that began with Audi, a unit of Volkswagen, said winning back trust is his most urgent task. He promised to accomplish this, "by leaving no stone unturned and with maximum transparency, as well as drawing the right conclusions from the current situation."</p><p>It will be a good first test for Müller to see if he can truly determine whether creation of the emissions "defeat device" was an isolated instance of overzealous engineers succumbing to compliance pressures — or a product of a broader corporate culture willing to do anything to achieve results. </p>Richard Chambers
Ignoring Red Flags<p>The U.S. Securities and Exchange Commission (SEC) announced fraud charges against the former chairman and two former CEOs of staffing firm General Employment Enterprises, as well as audit firm BDO. According to the <a href="" target="_blank">FCPA Blog</a>, General Employment told BDO during a 2009 audit that its bank had not repaid the company when a US$2.3 million nonrenewable certificate of deposit (CD) matured — the amount represented about half of the company's assets at the time. Despite an investigation that received conflicting reports from management and board members about the CD's status, BDO issued unqualified opinions on the company's financial statements for 2009 and 2010. The SEC alleges that during this time General Employment's board chairman, Mike Pence, acted as an agent of Wilber Huff, who had funded Pence's acquisition of a controlling stake in the company, in exchange for US$500,000. Huff was sentenced in June to 12 years in prison for bribery and fraud, including receiving the money purportedly used to purchase the CD. The SEC charged BDO with ignoring red flags and issuing false and misleading audit opinions. BDO has admitted to wrongdoing and settled with the SEC. The case against Pence is ongoing.</p><h2>Lessons Learned</h2><p>This story offers many lessons for auditors, audit firms, businesses, and banks. The most interesting aspect of this story is the role of the audit firm, BDO, in enabling fraud by ignoring the standards for audit opinions established by the U.S. Public Company Accounting Oversight Board (PCAOB), as well as the breadth and depth of sanctions imposed by the SEC as a consequence.</p><p>The SEC's <a href="" target="_blank">administrative cease and desist order</a> (PDF) contains numerous constructive "dos and don'ts" to which I add a few of my own. 
The SEC's judgment can be summarized as follows: "BDO's conduct in the 2009 and 2010 audits of [General Employment] involved repeated instances of unreasonable conduct, each resulting in violations of PCAOB standards and indicating a lack of competence, and also satisfies the standard of highly unreasonable conduct resulting in violations of PCAOB standards in circumstances in which heightened scrutiny was warranted." </p><p>What should have happened, but didn't, is instructive to auditors in similar situations before issuing unqualified audit opinions on financial statements. These include: </p><ul><li>Full disclosure of source documents such as bank statements showing the flow of funds from the closing of special or unusual transactions through the date the funds were fully transferred, including for any related third-party situations. Although General Employment told BDO that the amount in the CD wasn't repaid by the bank upon the maturity date, the company eventually received a series of deposits totaling US$2.3 million from three entities unaffiliated with the bank. BDO never received "reasonable and coherent explanations" about why the US$2.3 million went missing and why an equivalent amount was later wired to the company under suspicious circumstances.</li><li>Explanation of why the funds in the above situation were being transferred from entities other than those expected or defined in financial relationships with the company. 
</li><li>Agreement that a meeting with officials at these other entities may be requested to corroborate this documentation, and to understand the nature of the transaction.</li><li>A written report by management or others to fully explain the circumstances surrounding what steps management took to gain its understanding of what transpired.</li></ul><p>What should not have happened, and are definite "red flags," include:</p><ul style="list-style-type:disc;"><li>The company CEO signing off on financial statements, rather than the treasurer, and indications that the treasurer was either unaware or not in agreement.</li><li>Allowing the company to hold an audit committee meeting where BDO was prevented from being present for the discussion of the irregular financial transaction, on the recommendation of the company's general counsel and one audit committee member.</li><li>The external auditor wavering on its responsibility to clearly interpret and adhere to audit standards. Despite the existence of multiple, unanswered questions, BDO ultimately agreed to drop its demand for an independent investigation, based on the rationale that the audit committee chair, who had initially supported the independent investigation, no longer believed that it was required. Moreover, the firm reasoned that a new CEO — in whom BDO apparently had confidence — had replaced the former one who had been involved in several dubious actions. As cited in the <a href="" target="_blank">SEC judgment</a> (PDF, Paragraph 86), "PCAOB standards require auditors to exercise due professional care in the planning and performance of the audit and the preparation of the report. Auditors must maintain an attitude of professional skepticism, which includes 'a questioning mind and a critical assessment of audit evidence.' In addition, the auditor should 'consider the competency and sufficiency of the evidence.' 
Since evidence is gathered and evaluated throughout the audit, professional skepticism should be exercised throughout the audit process. The commission and courts have held that related-party transactions require heightened scrutiny."</li></ul><p>Finally, the question of effective deterrence measures in cases where the auditor has failed to meet standards and expectations is particularly important. It's noteworthy that the SEC, in addition to imposing suspensions and fines of more than US$2 million, has ordered BDO to complete several actions, such as: </p><ul><li>Completing a review of the sufficiency and adequacy of BDO's quality controls set forth in its audit manual, including its policies and procedures for audit and interim reviews. </li><li>Submitting a report to the SEC, signed by its CEO, on changes resulting from that review.</li><li>Hiring an independent consultant to review whether BDO's policies are adequate and sufficient to provide reasonable assurance of compliance with all relevant SEC regulations and PCAOB standards and rules. </li><li>Providing audit training to all BDO audit professionals who serve on public company audits that covers potential illegal acts and Section 10A of the Exchange Act, identification and disclosure of related-party transactions, and fraud detection.</li><li>Annually certifying that BDO has assessed whether the firm's policies are adequate and sufficient to provide reasonable assurance of compliance with all relevant SEC regulations and PCAOB standards and rules by testing the firm's implementation of BDO's policies, among other things.</li></ul><p>Are these enough to deter BDO and other audit firms from engaging in similar behavior in the future? Perhaps. For example, Canadian courts currently are looking at imposing a penalty on SNC Lavalin for bribery and corruption infractions that would see the company banned from bidding on public contracts for 10 years. 
Also, although the General Employment case involves an external auditor, I wonder what might happen if an internal auditor or organization were facing revocation of its certification in comparable circumstances or what other sanctions might be involved. What do you think?</p>Art Stewart
Bribes for Tech<p>The <a href="" target="_blank">IT Pro Portal website</a> reports that a former SAP executive has pleaded guilty to bribing government officials in Panama to win technology contracts for the German software company. According to the U.S. Department of Justice, Vicente Eduardo Garcia, former vice president of global and strategic accounts, paid US$145,000 in bribes to one Panamanian official and promised bribes to two other officials to influence the country's social security agency to purchase US$14.5 million in technology from an SAP reseller based in Panama. Moreover, Garcia admitted to setting up a slush fund that enabled the reseller to purchase software from SAP at a steep discount and then sell the software for a higher profit. In addition to the DOJ charges, Garcia has agreed to a settlement with the U.S. Securities and Exchange Commission in which he will pay back US$85,965 in profits that he gained from the scheme.</p><h2>Lessons Learned</h2><p>Most large international organizations, in an effort to prevent bribery, corruption, and the contravention of the growing number of anti-corruption laws such as the U.S. Foreign Corrupt Practices Act (FCPA), have made significant investments to establish ethics and compliance programs. 
These programs typically include:</p><ul><li>Creating the position of chief compliance officer, who reports to the board of directors.</li><li>Appointing compliance officers in all of the organization's business units and regional offices worldwide.</li><li>Establishing a dedicated ethics and compliance team.</li><li>Strengthening internal controls and procedures, especially in areas susceptible to manipulation in a bribery or corruption scheme.</li><li>Implementing a code of ethics and an ethics and compliance hotline.</li><li>Producing a dedicated anti-corruption manual.</li><li>Conducting annual compliance training for all employees, along with a special focus on those working in strategic roles.</li><li>Performing periodic audits of compliance and assessments of the adequacy of controls in key areas. </li></ul><p>The DOJ and SEC websites show an ever-growing list of large international companies and executives that have been charged with FCPA violations. The Garcia case raises several concerns for organizations:</p><ul><li>A senior SAP vice president, in a 2013 <a href="" target="_blank">article</a> declared, "Compliance programs like the SAP Governance, Risk, and Compliance solution should be a company's first line of defense, especially considering that many employees aren't even aware they are breaking the law. Nevertheless, when it comes to FCPA compliance, the buck stops with you: your organization, your employees, your compliance program." That's well stated, if a little ironic given this case. It also highlights the fact that companies that sell computer hardware, software, or other technology solutions are just as likely to receive scrutiny for FCPA violations as any other type of company, and they should be prepared to demonstrate they have a good grasp on this fraud problem. <br></li></ul><ul><li>More generally, boards of directors and executive suites should be particularly attentive. 
Most FCPA cases involve charges against companies, not individuals. While it appears that the DOJ organized its case against Garcia on the premise that he deliberately circumvented SAP's internal controls, the DOJ and SEC have not declared whether they will pursue charges against the company. Corporate culture and standards of business practices are critical factors in setting expectations for ethical behavior, and when a high-level official commits a fraudulent act, it would be fair to assess whether those factors were a systemic influence.<br></li></ul><ul><li>At a minimum, bribery and corruption is a high-risk category for companies doing business in foreign countries, and a continuous review of internal controls, effective monitoring, and regular audit work should be a priority focus. The role of third parties, such as consultants, agents, channel partners, and distributors, in the conduct of sales and financial transactions is a particularly high risk deserving attention. Indeed, the DOJ and SEC have identified the use of third parties as a significant factor in most of their cases.<br></li></ul><ul><li>In the Garcia case, it's hard to accept that for more than four years sham contracts and false invoices were used to disguise bribes and that a slush fund was used to sell software to a reseller at an 82 percent discount without raising a red flag. The standard for robust third-party due diligence needs to keep evolving as part of an organization's compliance program. That should include strengthened controls over executive delegations of financial authority, financial funding structures, onboarding, third-party background checks, and monitoring processes, as well as attention from the organization's CAE when the topics of fraud and risk assessments are discussed.</li></ul>Art Stewart
A Matter of Life and Death<p>Tina Graham had worked as a records clerk in the county clerk’s office for two years. She was primarily responsible for processing applications for birth and death certificates. When the office’s senior clerk left for another job, Graham’s subsequent promotion to the position provided the opportunity that she needed to embezzle nearly US$10,000 in fees paid for copies of birth and death certificates.<br></p><p>To obtain a copy of either a birth or a death certificate, individuals would complete and submit an application and a processing and copy fee. The payment was supposed to be receipted at the time the application was processed. The receipts were written in duplicate form, with the original going to the person submitting the application and the duplicate left in the receipt book as support for the payment received. Receipts were summarized weekly or more often if a large number of payments had been collected. A summary sheet of the payments was prepared and taken to the Treasurer’s Office, along with the cash and checks to be deposited in the bank. The Treasurer’s Office did not normally verify receipt numbers when accepting the deposits.<br></p><p>The county clerk’s office was small, had little or no segregation of duties, and had lax internal controls. This combination allowed Graham to easily void receipts and keep cash fees paid by customers. In some cases, Graham would write receipts for customers, give them a copy for their records, void the receipt copy — leaving it intact in the receipt book — and pocket the money. In other instances, she would write receipts for customers, give them a copy for their records, and then shred or otherwise destroy the original and keep the money. Sometimes she pocketed the money without preparing a receipt at all. 
In these cases, she also destroyed the birth or death certificate application so it wouldn’t be as obvious that the money was missing.<br></p><p>Because of poor performance on the job unrelated to the then-unknown embezzlement, Graham was eventually demoted to receptionist after having served as the senior clerk for only six months. While she no longer had primary responsibility for processing applications and receipting payments, she did occasionally do so while the new senior clerk, Molly Roper, was on lunch break or out sick. Again, this opportunity gave her access to cash. One day, upon returning from lunch, Roper noticed a birth certificate application on Graham’s desk. When she returned to her office, Roper expected to see a receipt for the money that would have been paid when the application was accepted. The receipt book was on her desk, but there was not a new receipt written in it. Roper then checked the cash drawer but found no additional money in it. Thinking Graham had not had time to write the receipt, she took the receipt book to her to complete the process. Receipts were supposed to be written while applicants were still in the office, and a copy was supposed to be given to them. Graham explained that the woman completing the application said her husband had cancer and could not work and they were barely getting by, so she let the woman submit the application without a payment. While Roper sympathized with the situation, she knew it was not their right to accept applications without payment. She returned to her office and called Barbara Jameson, the county clerk and her boss, who was at a training event.  <br></p><p>When Jameson returned to the office the next day she discussed the situation with Roper and then asked Graham about it. Jameson and Roper then played the tape from the office surveillance camera. Fortunately, the tape included both video and audio. 
In reviewing the tape, they noticed that the woman who Graham claimed she had not charged actually did hand her cash with her application. In addition, it was clear from the audio that she never mentioned anyone having cancer and not being able to pay. In addition to the suspicions generated from the missing payment, the review of the video made Jameson consider the possibility that this might not be a one-time situation. Graham was again called into Jameson’s office where she denied any wrongdoing. When Jameson told her that they had the tape, Graham refused to discuss the issue further. She was immediately put on suspension without pay while the county auditor and Jameson investigated. The investigation revealed the multiple ways Graham embezzled from the office and how she altered or destroyed the source documents:<br></p><ol><li>Receipts were never written for some cash payments although applications were processed, which was verified by checking all the applications and reviewing the receipt book for the applicant’s related payment.</li><li>Receipts were written for cash payments and then later voided even though the applications were processed, which also was verified by checking the applications and comparing them to the receipt book. Most of the receipts that had been marked “void” had related applications that had, in fact, been processed.</li><li>Receipts were written for cash payments but then later destroyed or removed from the receipt book. The timing of previous and subsequent receipts as reconciled to applications supported this finding.</li></ol><p></p><p>During the investigation, Graham resigned from her position. She was later indicted and ordered to pay restitution in lieu of jail time.<br></p><p>Following the investigation, Jameson put new procedures in place to provide better control over funds related to birth and death certificate applications and payments. The first change involved switching from a duplicate to triplicate receipt book. 
As before, the original was to be given to the applicant, the second copy was to stay intact in the receipt book, and the third copy was to be taken with the deposit to the treasurer’s office. The treasurer’s office was required to check the beginning number to the previous day’s ending number and verify that all receipts were received in sequence and that none were missing. The deposits were required to be made daily so that no cash was on hand in the county clerk’s office for more than a day. Also, Jameson modified the birth and death certificate applications to include a place to write the related receipt number, which would reduce the chance of an application being processed without a receipt. In addition, a second clerk was made responsible for reconciling the receipts and applications that the other clerk processed, and then preparing the deposit to be taken to the treasurer’s office. On an intermittent basis, Jameson would reconcile the applications to the receipt book and then to the deposits. In addition, she reviewed the receipt book weekly to ensure there were no missing receipts and that all voids were substantiated. Finally, Jameson rotated the duties of the two clerks on occasion.<br></p><h3>Lessons Learned <br></h3><ul><li>The use of prenumbered applications and receipts, and procedures to check for missing numbers, will make it more obvious when receipts have been destroyed. Any missing numbers should be investigated immediately as they may indicate fraud.</li><li>Staff duties should be rotated on occasion to ensure fraud is more difficult to carry out and conceal. </li><li>Accounting documents should be linked to source documents so that it is more obvious when items are missing.</li><li>Deposits should be made daily to decrease the likelihood of money being lost or stolen.</li><li>Cash handling procedures such as receipting and deposits should be segregated and reconciled to each other daily. 
Segregation of duties would require collusion for fraud to occur. Daily reconciliations make it more obvious if receipts are not being deposited or are being deposited for less than intended. </li></ul><p> <span class="ms-rteiaStyle-authorbio">Linda Kapp, EdD, CPA, is a manager at McClanahan & Holmes LLP in Paris, Texas. <br> Gordon Heslop, DBA, LLB(Hons), CIA, CMA, is an associate professor, professional track, in the department of accounting at Texas A&M University–Commerce. </span> <br></p>Linda Kapp
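<p>The daily reconciliation described in the case above (receipt numbers checked in sequence from the previous day's ending number, each processed application tied to a receipt number, voids substantiated, deposit compared with source documents), as an added example that is not part of the original article. The record layout, field names, fee amounts, and sample data are assumptions constructed for illustration.</p>

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Receipt:
    number: int                     # preprinted receipt number
    amount_cents: int
    void: bool
    application_id: Optional[str]   # None for a spoiled blank that was voided


@dataclass(frozen=True)
class Application:
    app_id: str
    fee_cents: int
    processed: bool                 # the certificate copy was actually issued
    receipt_number: Optional[int]   # receipt number written on the application


def reconcile(applications, receipts, prev_day_last_number, deposit_cents):
    """Tie applications to receipts to the deposit and return the exceptions."""
    by_number = {r.number: r for r in receipts}
    findings = {
        "missing_numbers": [],       # gaps in the prenumbered sequence
        "no_receipt": [],            # processed, no receipt number recorded
        "receipt_not_in_book": [],   # receipt number cited, copy not in the book
        "void_but_processed": [],    # receipt voided, application still processed
    }

    # Sequence check: today's first receipt must follow yesterday's last one,
    # and every number up to today's highest must be present in the book.
    last = max(by_number, default=prev_day_last_number)
    findings["missing_numbers"] = [
        n for n in range(prev_day_last_number + 1, last + 1) if n not in by_number
    ]

    # Source-document check: every processed application needs a live receipt.
    for app in applications:
        if not app.processed:
            continue
        if app.receipt_number is None:
            findings["no_receipt"].append(app.app_id)
            continue
        receipt = by_number.get(app.receipt_number)
        if receipt is None:
            findings["receipt_not_in_book"].append((app.app_id, app.receipt_number))
        elif receipt.void:
            findings["void_but_processed"].append((app.app_id, receipt.number))

    # Deposit check, two ways: against the receipt book and against the fees
    # that the processed applications say should have been collected.
    receipted = sum(r.amount_cents for r in receipts if not r.void)
    expected = sum(a.fee_cents for a in applications if a.processed)
    findings["receipts_minus_deposit_cents"] = receipted - deposit_cents
    findings["applications_minus_deposit_cents"] = expected - deposit_cents
    return findings


# Constructed sample day. Previous day's last receipt number was 1040.
SAMPLE_RECEIPTS = [
    Receipt(1041, 1500, False, "A-101"),
    Receipt(1042, 1500, True, "A-102"),   # voided after the customer paid
    # 1043 is absent: the book copy was removed
    Receipt(1044, 1500, False, "A-104"),
    Receipt(1045, 0, True, None),         # spoiled blank, legitimately voided
]
SAMPLE_APPLICATIONS = [
    Application("A-101", 1500, True, 1041),
    Application("A-102", 1500, True, 1042),
    Application("A-103", 1500, True, 1043),
    Application("A-104", 1500, True, 1044),
    Application("A-105", 1500, True, None),  # processed with no receipt written
]

if __name__ == "__main__":
    result = reconcile(SAMPLE_APPLICATIONS, SAMPLE_RECEIPTS,
                       prev_day_last_number=1040, deposit_cents=3000)
    for name, value in result.items():
        print(f"{name}: {value}")
```

In the sample day the deposit agrees with the receipt book exactly, and the shortage appears only when the deposit is compared with the processed applications.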
