Bribes for Tech<p>The <a href="" target="_blank">IT Pro Portal website</a> reports that a former SAP executive has pleaded guilty to bribing government officials in Panama to win technology contracts for the German software company. According to the U.S. Department of Justice, Vicente Eduardo Garcia, former vice president of global and strategic accounts, paid US$145,000 in bribes to one Panamanian official and promised bribes to two other officials to influence the country's social security agency to purchase US$14.5 million in technology from an SAP reseller based in Panama. Moreover, Garcia admitted to setting up a slush fund that enabled the reseller to purchase software from SAP at a steep discount and then sell the software for a higher profit. In addition to the DOJ charges, Garcia has agreed to a settlement with the U.S. Securities and Exchange Commission in which he will pay back US$85,965 in profits that he gained from the scheme.</p><h2>Lessons Learned</h2><p>Most large international organizations, in an effort to prevent bribery, corruption, and the contravention of the growing number of anti-corruption laws such as the U.S. Foreign Corrupt Practices Act (FCPA), have made significant investments to establish ethics and compliance programs. 
These programs typically include:</p><ul><li>Creating the position of chief compliance officer, who reports to the board of directors.</li><li>Appointing compliance officers in all of the organization's business units and regional offices worldwide.</li><li>Establishing a dedicated ethics and compliance team.</li><li>Strengthening internal controls and procedures, especially in areas susceptible to manipulation in a bribery or corruption scheme.</li><li>Implementing a code of ethics and an ethics and compliance hotline.</li><li>Producing a dedicated anti-corruption manual.</li><li>Conducting annual compliance training for all employees, along with a special focus on those working in strategic roles.</li><li>Performing periodic audits of compliance and assessments of the adequacy of controls in key areas.</li></ul><p>The DOJ and SEC websites show an ever-growing list of large international companies and executives that have been charged with FCPA violations. The Garcia case raises several concerns for organizations:</p><ul><li>A senior SAP vice president, in a 2013 <a href="" target="_blank">article</a>, declared, "Compliance programs like the SAP Governance, Risk, and Compliance solution should be a company's first line of defense, especially considering that many employees aren't even aware they are breaking the law. Nevertheless, when it comes to FCPA compliance, the buck stops with you: your organization, your employees, your compliance program." That's well stated, if a little ironic given this case. It also highlights the fact that companies that sell computer hardware, software, or other technology solutions are just as likely to receive scrutiny for FCPA violations as any other type of company, and they should be prepared to demonstrate they have a good grasp on this fraud problem. <br></li></ul><ul><li>More generally, boards of directors and executive suites should be particularly attentive. 
Most FCPA cases involve charges against companies, not individuals. While it appears that the DOJ organized its case against Garcia on the premise that he deliberately circumvented SAP's internal controls, the DOJ and SEC have not declared whether they will pursue charges against the company. Corporate culture and standards of business practices are critical factors in setting expectations for ethical behavior, and when a high-level official commits a fraudulent act, it would be fair to assess whether those factors were a systemic influence.<br></li></ul><ul><li>At a minimum, bribery and corruption is a high-risk category for companies doing business in foreign countries, and a continuous review of internal controls, effective monitoring, and regular audit work should be a priority focus. The role of third parties, such as consultants, agents, channel partners, and distributors, in the conduct of sales and financial transactions is a particularly high risk deserving attention. Indeed, the DOJ and SEC have identified the use of third parties as a significant factor in most of their cases.<br></li></ul><ul><li>In the Garcia case, it's hard to accept that for more than four years sham contracts and false invoices were used to disguise bribes and that a slush fund was used to sell software to a reseller at an 82 percent discount without raising a red flag. The standard for robust third-party due diligence needs to keep evolving as part of an organization's compliance program. That should include strengthened controls over executive delegations of financial authority, financial funding structures, onboarding, third-party background checks, and monitoring processes, as well as attention from the organization's CAE when the topics of fraud and risk assessments are discussed.</li></ul>Art Stewart
A Matter of Life and Death<p>Tina Graham had worked as a records clerk in the county clerk’s office for two years. She was primarily responsible for processing applications for birth and death certificates. When the office’s senior clerk left for another job, Graham’s subsequent promotion to the position provided the opportunity that she needed to embezzle nearly US$10,000 in fees paid for copies of birth and death certificates.<br></p><p>To obtain a copy of either a birth or a death certificate, individuals would complete and submit an application and a processing and copy fee. The payment was supposed to be receipted at the time the application was processed. The receipts were written in duplicate form, with the original going to the person submitting the application and the duplicate left in the receipt book as support for the payment received. Receipts were summarized weekly or more often if a large number of payments had been collected. A summary sheet of the payments was prepared and taken to the Treasurer’s Office, along with the cash and checks to be deposited in the bank. The Treasurer’s Office did not normally verify receipt numbers when accepting the deposits.<br></p><p>The county clerk’s office was small, had little or no segregation of duties, and had lax internal controls. This combination allowed Graham to easily void receipts and keep cash fees paid by customers. In some cases, Graham would write receipts for customers, give them a copy for their records, void the receipt copy — leaving it intact in the receipt book — and pocket the money. In other instances, she would write receipts for customers, give them a copy for their records, and then shred or otherwise destroy the original and keep the money. Sometimes she pocketed the money without preparing a receipt at all. 
In these cases, she also destroyed the birth or death certificate application so it wouldn’t be as obvious that the money was missing.<br></p><p>Because of poor performance on the job unrelated to the then-unknown embezzlement, Graham was eventually demoted to receptionist after having served as the senior clerk for only six months. While she no longer had primary responsibility for processing applications and receipting payments, she did occasionally do so while the new senior clerk, Molly Roper, was on lunch break or out sick. Again, this opportunity gave her access to cash. One day, upon returning from lunch, Roper noticed a birth certificate application on Graham’s desk. When she returned to her office, Roper expected to see a receipt for the money that would have been paid when the application was accepted. The receipt book was on her desk, but there was not a new receipt written in it. Roper then checked the cash drawer but found no additional money in it. Thinking Graham had not had time to write the receipt, she took the receipt book to her to complete the process. Receipts were supposed to be written while applicants were still in the office, and a copy was supposed to be given to them. Graham explained that the woman completing the application said her husband had cancer and could not work and they were barely getting by, so she let the woman submit the application without a payment. While Roper sympathized with the situation, she knew it was not their right to accept applications without payment. She returned to her office and called Barbara Jameson, the county clerk and her boss, who was at a training event.  <br></p><p>When Jameson returned to the office the next day she discussed the situation with Roper and then asked Graham about it. Jameson and Roper then played the tape from the office surveillance camera. Fortunately, the tape included both video and audio. 
In reviewing the tape, they noticed that the woman who Graham claimed she had not charged actually did hand her cash with her application. In addition, it was clear from the audio that she never mentioned anyone having cancer and not being able to pay. In addition to the suspicions generated from the missing payment, the review of the video made Jameson consider the possibility that this might not be a one-time situation. Graham was again called into Jameson’s office where she denied any wrongdoing. When Jameson told her that they had the tape, Graham refused to discuss the issue further. She was immediately put on suspension without pay while the county auditor and Jameson investigated. The investigation revealed the multiple ways Graham embezzled from the office and how she altered or destroyed the source documents:<br></p><ol><li>Receipts were never written for some cash payments although applications were processed, which was verified by checking all the applications and reviewing the receipt book for the applicant’s related payment.</li><li>Receipts were written for cash payments and then later voided even though the applications were processed, which also was verified by checking the applications and comparing them to the receipt book. Most of the receipts that had been marked “void” had related applications that had, in fact, been processed.</li><li>Receipts were written for cash payments but then later destroyed or removed from the receipt book. The timing of previous and subsequent receipts as reconciled to applications supported this finding.</li></ol><p></p><p>During the investigation, Graham resigned from her position. She was later indicted and ordered to pay restitution in lieu of jail time.<br></p><p>Following the investigation, Jameson put new procedures in place to provide better control over funds related to birth and death certificate applications and payments. The first change involved switching from a duplicate to triplicate receipt book. 
As before, the original was to be given to the applicant, the second copy was to stay intact in the receipt book, and the third copy was to be taken with the deposit to the treasurer’s office. The treasurer’s office was required to check the beginning number to the previous day’s ending number and verify that all receipts were received in sequence and that none were missing. The deposits were required to be made daily so that no cash was on hand in the county clerk’s office for more than a day. Also, Jameson modified the birth and death certificate applications to include a place to write the related receipt number, which would reduce the chance of an application being processed without a receipt. In addition, a second clerk was made responsible for reconciling the receipts and applications that the other clerk processed, and then preparing the deposit to be taken to the treasurer’s office. On an intermittent basis, Jameson would reconcile the applications to the receipt book and then to the deposits. In addition, she reviewed the receipt book weekly to ensure there were no missing receipts and that all voids were substantiated. Finally, Jameson rotated the duties of the two clerks on occasion.<br></p><h3>Lessons Learned <br></h3><ul><li>The use of prenumbered applications and receipts, and procedures to check for missing numbers, will make it more obvious when receipts have been destroyed. Any missing numbers should be investigated immediately as they may indicate fraud.</li><li>Staff duties should be rotated on occasion to ensure fraud is more difficult to carry out and conceal. </li><li>Accounting documents should be linked to source documents so that it is more obvious when items are missing.</li><li>Deposits should be made daily to decrease the likelihood of money being lost or stolen.</li><li>Cash handling procedures such as receipting and deposits should be segregated and reconciled to each other daily. 
Segregation of duties would require collusion for fraud to occur. Daily reconciliations make it more obvious if receipts are not being deposited or are being deposited for less than intended. </li></ul><p> <span class="ms-rteiaStyle-authorbio">Linda Kapp, EdD, CPA, is a manager at McClanahan & Holmes LLP in Paris, Texas. <br> Gordon Heslop, DBA, LLB(Hons), CIA, CMA, is an associate professor, professional track, in the department of accounting at Texas A&M University–Commerce. </span> <br></p>Linda Kapp
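<p>The reconciliation the investigators performed, and the sequence check the treasurer’s office was later required to run, can be expressed as a short script. This is an added example, not part of the original article: the record layout, field names, and sample data are constructed, and it assumes the receipt number is written on each application, as the revised form requires.</p>

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Receipt:
    number: int          # prenumbered receipt-book number
    cents: int           # fee collected, in cents
    void: bool = False   # copy marked "void" but still in the book


@dataclass(frozen=True)
class Application:
    app_id: str
    receipt_number: Optional[int]  # number written on the form; None if blank


def reconcile(applications, receipts, prev_end_number, deposited_cents):
    """Reconcile processed applications to the receipt book and the deposit.

    applications     -- processed applications only
    receipts         -- copies still present in the receipt book
    prev_end_number  -- last receipt number accepted with the previous deposit
    deposited_cents  -- amount actually handed to the treasurer's office
    """
    book = {r.number: r for r in receipts}
    last = max(book) if book else prev_end_number

    # Sequence check: every number after the previous ending number must exist.
    missing = [n for n in range(prev_end_number + 1, last + 1) if n not in book]

    unreceipted, voided_but_processed, cites_missing = [], [], []
    for app in applications:
        if app.receipt_number is None:
            # Scheme 1: application processed, no receipt ever written.
            unreceipted.append(app.app_id)
        elif app.receipt_number not in book:
            # Scheme 3: receipt written, then removed from the book.
            cites_missing.append((app.app_id, app.receipt_number))
        elif book[app.receipt_number].void:
            # Scheme 2: receipt voided although the application went through.
            voided_but_processed.append((app.app_id, app.receipt_number))

    # Book-to-deposit check: only non-void receipts are expected as cash.
    expected = sum(r.cents for r in receipts if not r.void)
    return {
        "missing_numbers": missing,
        "unreceipted": unreceipted,
        "voided_but_processed": voided_but_processed,
        "cites_missing_receipt": cites_missing,
        "deposit_shortfall_cents": expected - deposited_cents,
    }


# Constructed sample: previous deposit ended at receipt 1040.
SAMPLE_RECEIPTS = [
    Receipt(1041, 1500),
    Receipt(1042, 1500, void=True),   # voided, yet application A-2 was processed
    Receipt(1043, 1500),
    # 1044 is absent from the book
    Receipt(1045, 1500),
    Receipt(1046, 1500, void=True),   # void with no application: not flagged here
]
SAMPLE_APPLICATIONS = [
    Application("A-1", 1041),
    Application("A-2", 1042),
    Application("A-3", 1043),
    Application("A-4", 1044),
    Application("A-5", None),
    Application("A-6", 1045),
]

if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_APPLICATIONS, SAMPLE_RECEIPTS,
                                prev_end_number=1040,
                                deposited_cents=4500).items():
        print(f"{key}: {value}")
```

<p>In the sample the deposit agrees with the receipt book, so a book-to-deposit check alone reports no shortfall; the three schemes only surface when applications are tied back to receipt numbers.</p>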
Profiting off HOAs<p><span style="line-height:1.6;">A Las Vegas construction firm owner faces sentencing after pleading guilty for his part in a scheme to defraud area home owner associations (HOAs), the </span><em style="line-height:1.6;">Las Vegas Review-Journal</em><span style="line-height:1.6;"> reports. U.S. Justice Department prosecutors say Leon Benzer and attorney Nancy Quon conspired to rig elections in order to take over HOA boards of directors, obtain construction defect contracts for Quon, and secure repair work for Benzer's company. At one HOA, Quon's firm obtained more than US$5.2 million in fees from a construction defect settlement, while Benzer's company was awarded US$7 million to perform repairs. After an FBI raid in 2008, Benzer was charged; Quon, who was never charged, killed herself in 2012. Prosecutors are seeking nearly 20 years in prison for Benzer and US$13.4 million in restitution.</span></p><h3>Lessons Learned</h3><p>Unfortunately, the HOA fraud seen in this story is substantial, but not unique. HOAs are common in the U.S. and typically are formed as corporations by a real estate developer to market, manage, and sell homes and lots in a residential subdivision. Later, they transition to homeowner control after a predetermined number of lots have been sold. In 2010, the Community Associations Institute trade association estimated that HOAs governed 24.8 million U.S. homes and 62 million residents. In Nevada, there are more than 3,000 HOAs. Most HOAs are incorporated and are subject to state statutes that govern nonprofit corporations and homeowner associations. However, state oversight of HOAs is minimal and varies from state to state. 
</p><p>Here are some strategies that HOAs and their regulators should consider to help reduce the risk of the kind of fraud committed by the Las Vegas fraudsters.</p><ul><li><strong>State and local governments.</strong> Governments benefit from the existence of HOAs because they handle some traditional functions such as road maintenance, streetlights, and parks, helping to contain rising government costs as growth continues. They should support strong HOA organizations and exercise greater scrutiny to ensure that HOA boards adhere to minimum standards. Board directors have a legal, fiduciary duty to HOA members and violation of that duty may result in liability for individual directors. </li><li><strong style="line-height:1.428571429;">Regulation.</strong><span style="line-height:1.428571429;"> One matter local and state regulators should oversee is whether directors actually own and reside in a unit within the specific HOA, which has been required in Nevada since 2009. The lack of such a law before that time enabled the perpetrators of the Las Vegas fraud to secure a seat on HOA boards and direct money and work to their own companies. </span><span style="line-height:1.428571429;">I</span><span style="line-height:1.428571429;">n most cases, day-to-day operations of HOAs are in the hands of management companies hired by their boards. Education requirements for these managers vary from state to state, with some requiring certification under all circumstances and others less. Greater consistency in these requirements would increase the probability of competent, fraud-free management. Many states, including Nevada, have established processes to handle HOA complaints such as violations of law, or set up an alternative dispute resolution process to deal with administrative violations. 
But given the apparent volume and impact of HOA fraud, a whistleblower system would be a useful anti-fraud addition.</span><span style="line-height:1.428571429;"> </span></li><li><strong>HOAs, directors, and managers.</strong> Robust governance by board directors is fundamental in preventing fraud. The association should adopt an ethics code for board members to ensure they act ethically and in accordance with their responsibilities. All board members and employees should be thoroughly vetted and any election or hiring process should be transparent, not secretive. The board should exercise vigilance to ensure its directors are not being paid and do not have any kind of employment contract with the HOA. Even if part time and volunteer, directors need to be engaged in monitoring HOA activities, including questioning any delays in circulating financial statements and other organizational documents.<br></li><li><strong>Internal control.</strong> Putting an effective system of controls in place is critical, even in a volunteer-based, not-for-profit organization. That should include appropriate segregation of responsibilities, authority delegation limits, regular spot checks of financial transactions and invoices, and having HOA accounts independently and professionally audited at least once a year, preferably more often. Finally, becoming better educated about the nature, sources, and tactics of fraudulent behavior, in the context of how this impacts not-for-profit organizations, is essential. There is a wealth of resources, often free, available to boards. For example, Preventing Fraud: How to Safeguard Your Organization is a guide aimed specifically at not-for-profits, produced by BoardSource, formerly the National Center for Nonprofit Boards.</li></ul>Art Stewart
Gold Business Turns to Empty Shell for Investors<p></p><p>A Calgary judge recently sentenced two men to 12 years in prison for one of the largest Ponzi schemes in Canadian history, the <a href="">Calgary Herald</a> reports. The pair left thousands of victims in their wake, with total losses estimated at up to CA$400 million. Investors were promised an annual return of 34 percent, with low risk, that would grow their initial CA$99,000 investment to more than CA$1 million in eight years. They were told the business involved selling gold for refining. The judge said that some of the victims were left homeless, became suicidal, and suffered rejection by friends and family.  </p><h2>Lessons Learned<br></h2><p>This is not a typical Ponzi scheme — it's worse. Typically, the fraudsters take money from investors and form shell companies, moving the money offshore to an account that feeds those companies before moving it again. A portion of that money will go to an actual operation or toward building something that looks real. In this case, it was all shell companies and nothing was produced. It is also not unlike another famous Canadian gold mining scandal, Bre-X Minerals, where there appeared to be a viable mining opportunity but no production. At no time did Bre-X officials say they would be producing gold.</p><p>Vigilance on the part of regulators, as well as a highly proactive whistleblower, were critical elements in detecting this fraud. A red flag was raised when one of the Alberta Security Commission's own staff members spotted a newspaper ad promising investors a fantastic rate of return from the fraudsters' company. The son of an elderly investor couple, also an accountant, detected the fraud and launched a campaign to expose the ringleaders Milowe Brost and Gary Sorenson.</p><p>Much has been written about strategies that individuals, organizations, and auditors can use to prevent Ponzi schemes. 
Here are a few more that come to mind, related to this case:</p><ul><li><strong style="line-height:1.428571429;">Be skeptical of</strong><span style="line-height:1.428571429;"> </span><strong style="line-height:1.428571429;">pitches to get financially involved in exotic, obscure, or "too good to be true" investments</strong><span style="line-height:1.428571429;">. If you get a pitch for an asset class you're not familiar with, make sure you understand the process by which it achieves returns. If you don't understand it or your advisor can't explain it clearly, you probably shouldn't get involved. Also beware of unusual and/or secretive conditions for getting involved. For example, those promoting the Merendon investments encouraged people to mortgage their own homes. Another example: the two fraudsters in our story used fear to build their empire, demanding that investors sign privacy agreements that later made them nervous about talking to police. Also, be especially wary if your adviser downplays or denies risk. Don't be fooled by "salting" techniques regarding the rewards of investing. Brost and Sorenson, for example, were known for showing off enticing evidence of their success: little plastic bags containing silver and gold. Finally, a key question not asked often enough in these situations and before investing is, "How and when can I get my money out?"</span><br></li><li><strong style="line-height:1.428571429;">Be prepared to commit some time and effort to deeper research before you invest.</strong><span style="line-height:1.428571429;"> Put on your gumshoes and find out how long the company has been in the business, as well as the career histories of key senior company officials. The other investors you may learn are also involved aren't necessarily a good indication of whether you should be confident. One Merendon investor was finally convinced after his accountant said he, too, had put money into the company. 
Check the logic of what is being claimed as the basis for good returns on an investment. In our story, Stone Mountain Resources was spending hundreds of thousands of dollars putting infrastructure into a location in which no precious metals/minerals had been located. There was no indication that the area was economically viable, yet roads, a bridge, and several buildings were put in. A site visit could be very helpful (but not necessarily welcomed by fraudsters – they frequently also place sites in far-off locations). Some of those defrauded in our story were offered trips — at their cost — to see the mine and refinery in Belize, but they declined.</span><br></li><li><strong style="line-height:1.428571429;">Those nearing or in retirement are especially at risk and need to protect themselves</strong><span style="line-height:1.428571429;">. A large portion of the investors in our story were retirees. According to a recent study by the North American Securities Administrators Association, nearly half of all investor complaints submitted to state securities agencies came from seniors. It's always tempting to seek higher returns, but seniors are likely best advised to stick to well-known investments, investment companies, and financial advisors. Wide circulation of the results of this story and others like it perhaps will help awareness.</span><br></li></ul>Art Stewart
The Phantom Employee<p>A senior official with the U.S. Bureau of Land Management (BLM) has been convicted of covering up that a former subordinate was still being paid by the agency, <a href="" target="_blank">the Associated Press reports</a>. Federal investigators say John Grimson Lyon, the BLM's Eastern States Region director, aided his former deputy Larry Denny in receiving US$112,000 in wages and benefits after Denny left the agency for a job in Montana in July 2012. They say Lyon certified Denny's work hours and sick leave until March 2013 and pressured BLM employees who raised questions about Denny. A federal judge in Montana sentenced Lyon to six months in prison and ordered him to pay US$74,000 in restitution. Denny has pleaded guilty to theft and fraud, and awaits sentencing. </p><h2>Lessons Learned</h2><p>This story involves a form of payroll fraud, albeit a very sizable single example. Making the story that much worse is the deliberate, sustained collusion between the former employee and his supervisor that enabled this fraud to go undetected for many months. When employees are paid for time they have not actually worked, it's a form of fraud and theft. It is estimated that the average employee "steals" between four and five hours a month from his or her employer — committing time sheet fraud, break abuse, or conducting personal business on company time — which adds up to one full work week every year, costing businesses hundreds of billions of dollars a year worldwide. According to the Association of Certified Fraud Examiners, payroll fraud is the No. 
1 source of accounting fraud and employee theft:</p><ul style="list-style-type:disc;"><li>Payroll fraud happens in 27 percent of businesses.</li><li>Payroll fraud occurs nearly twice as often (14.2 percent) in small organizations with fewer than 100 employees than in large ones (7.6 percent).</li><li>The average instance of payroll fraud lasts about 36 months.</li></ul><p>Internal auditors should check that their organization has taken steps to address payroll fraud and time theft:</p><ul style="list-style-type:disc;"><li>Internal controls are the first line of defense against payroll fraud. In the case of the BLM, clearly the soundness of those controls should be questioned. In writing this article, I checked the BLM's website for audits conducted, going back several years, but I didn't find any related to payroll and employee time theft issues. Payroll audits should be conducted regularly in all areas of the organization and cover all types of employment situations. Using computers, it is relatively easy to flag anyone who receives certain categories of pay such as sick leave, temporary employment with another organization, overtime, and standby time. An identified subpopulation of employees can then be stratified based on materiality and risk for further investigation.</li></ul><ul style="list-style-type:disc;"><li>Senior management and its related human resources and financial management oversight function also need to be engaged in the review of salary expenditure and employee performance reports, including talking to employees from time to time. An effective human resources function should be able to scrutinize employee time and leave reporting for unusual patterns and to report these incidents to senior management. </li></ul><ul style="list-style-type:disc;"><li>Another check and balance on potential long-term time theft fraud is to periodically conduct "desk audits" of employee work functions as detailed in job descriptions vs. 
how the employee actually performs the work. This practice is useful both in periods of organizational change and relative stability where productivity improvements may be desirable. </li></ul><ul style="list-style-type:disc;"><li>Rigorous background and security checking before recruitment takes place is always a good practice, but given the evidence of ever-increasing fraud committed by long-term employees and managers, it also is important to periodically re-check employee backgrounds to establish whether their personal circumstances and predilections for fraudulent behavior may have changed. In an environment where younger employees change jobs more frequently, employers need to be able to share relevant background information more readily. </li></ul><ul style="list-style-type:disc;"><li>Essential controls should be in place regarding time reporting, including that line managers must send time reports directly to the payroll function, rather than to the employee, who could gain an opportunity to falsify them. </li></ul><ul style="list-style-type:disc;"><li>As in this story, managers and employees may conspire to commit fraud. With today's tight corporate budgets, raises may be small or nonexistent, so even a well-meaning manager who has staff retention in mind may give an employee a raise by allowing questionable overtime charges or leave requests. With this in mind, some potential red flags to look out for in the behavior of managers include:</li></ul><ul><ul><li>Being overly protective or exclusive about their organizations, employees, and workspaces.</li><li>Preferring to work on sensitive matters such as human resource issues after hours or take work home.</li><li>Gaps in financial records or missing records.</li><li>Unexplained debt or wealth gains in the individual's personal life.</li></ul></ul>Art Stewart
Charity Begins in the Home<p>It was a hot Friday afternoon in the Atlanta airport. John Rigby’s flight was delayed four hours, and he wanted to fill that time productively. He remembered he still had an unresolved audit exception on a routine match of vendor and employee addresses. The match was for the supervisor, Marilyn Bell, at his client’s graphics department only a few miles away from the airport.<br></p><p>After a 15-minute taxi ride, Rigby opened the door to the small office and announced himself.<br></p><p>“I’m an outside contractor for the audit team at headquarters,” Rigby explained to Bell. “I just need to follow up on an exception we had on some routine audit testing of vendor files last month. Tell me a little about your supplier, Charity Smith.”<br></p><p>The blood drained from Bell’s face as her eyes started watering. Rigby knew he was on to something.<br></p><p>“Tell me what happened,” Rigby instructed.<br></p><p>“Charity is a longtime friend of mine since high school,” Bell began to explain. “She’s a single mom with two young children, and she helps me out from time to time when we have excess work and tight deadlines.”<br></p><p>During the course of his conversation with Bell, Rigby learned a lot about Smith. During the last three years, when the need arose for new print materials — from training manuals to quarterly product catalogues to promotional posters and banners — Smith was often called on to handle the design work. <br></p><p>Smith worked from her home office, often clocking late night hours so she could better juggle the demands of client work and caring for her children. 
She sent her finished work and weekly time sheet by email, which were reviewed by Bell, approved by Bell’s manager, and sent to accounts payable for payment.<br></p><p>After listening silently for almost 10 minutes, Rigby thanked Bell and asked one follow-up question: “Why are Smith’s payments mailed to your home address and deposited into your checking account?”<br></p><p>Bell replied without any hesitation, “Charity lives out in the country, and with taking care of the kids all day she has a hard time getting to the bank in the nearest town to make her deposits. It’s an hour of driving round trip to get to the bank and back, so once a month I deposit her checks into my account, withdraw the cash, and meet her half way for coffee and to give her the money.”<br></p><p>Bell said she had always intended to speak to her boss about the arrangement, just to make sure he was aware of the situation, but she never got around to it. Rigby asked her to write down everything she told him. He explained that he needed something for his audit files to explain the exception, and that her write-up would take care of that.<br></p><p>As Bell wrote, Rigby called a manager in charge of the office from the next room and asked for permission to send Bell home. They agreed and called a manager from another office in Atlanta to come immediately to assist Rigby.<br></p><p>Bell wrote a 12-page report and confirmed verbally and in writing that it was all true. Before sending Bell home, Rigby asked her to get Smith on speakerphone so she could corroborate the report. Again, the blood drained from Bell’s face and her eyes teared up. She froze at the request.<br></p><p>Bell said she did not have the phone number with her in the office, so Rigby suggested she quickly drive home and get it so they could call Smith together in the office. 
Bell didn’t move.<br></p><p>Rigby realized that during the car ride, Bell could call someone to help her by pretending to be Smith, but it was a calculated risk that paid off. Bell continued to sit still and stare at the desk.<br></p><p>“It’s not true, is it?” Rigby inquired, while holding up Bell’s written statement.<br></p><p>“No,” she answered. “I made it all up to cover the amount I’ve taken from the company.”<br></p><p>Rigby then called the office manager back and asked him to pull Bell’s personnel file and look for any other addresses she had provided, regardless of how old they were or why they might be in the file. Two more matches with vendors were found — her parents’ address and her boyfriend’s business address (he was her emergency contact). The total paid to the three fake vendors over three years was almost US$600,000.<br></p><p>Bell’s boyfriend’s address was a retail store. Further investigation revealed that he was taking the checks mailed to his business and to Bell’s parents’ address and including them in the store receipts for the day. An identical amount of cash was removed from the deposits. He was later charged and found guilty of money laundering.<br></p><p>Bell began her scheme to recover from extreme pressures at home after a messy divorce. She fell months behind in her mortgage payments, and she and her children were going to lose their home. Once she put her ethics aside to get up-to-date on her mortgage, she found it much easier to do it again to meet other needs that came up in her life. These included a new car, paying off credit cards and a US$25,000 line of credit, new clothes, vacations, and a custom home with expensive high-end finishes and a custom spa room.<br></p><p>Bell’s manager was held responsible for signing dozens of fabricated time sheets and invoices from the three fake vendors. He trusted Bell and never checked the details.<br></p><p>Bell agreed to cooperate with the investigation and to make restitution. 
Her parents mortgaged their paid-off house to help, and her church took up a special collection as well. Just before her trial, Bell agreed to a plea arrangement that kept her out of jail.</p><h3>Lessons Learned</h3><ul><li>Fake vendor schemes are common. Procurement teams will assure you they have adequate controls over new vendors, but fraudsters will tell you exactly how — and how easy it is — to circumvent those controls.</li><li>Address matches are a standard audit test. Unfortunately, they often lead to false positives and inefficient follow-up work. But auditors shouldn’t let down their guard. There’s a reason why procedures like this are so standard — they produce that needle in a haystack that deserves immediate attention. Auditors should always check every address they can find related to that person to see if they have been busier than first suspected.</li><li>Even well-liked, trusted employees can perpetrate fraud. Bell’s work was excellent — she was reliable and she always went the extra mile to serve her many in-house graphics clients. But financial pressures at home caused her to come up with a scheme to help her pay the mortgage and, eventually, finance a lavish lifestyle.</li><li>Nonverbal reactions can often indicate that a fraud is likely occurring. Bell’s surprise at Rigby’s visit was obvious, and her attempt to cover her tracks with a complicated story about her fictitious friend was clumsy and full of obvious holes. Auditors should make a point to follow up on audit exceptions in a way that lets them see the person’s face as they ask. Get trained in what to look for at this critical moment.</li><li>The command, “Tell me what happened,” can be used to pivot from an audit query to a fraud-based interview. Don’t set limits on the subject matter or time frame. Let the interviewee decide where to begin the story and what details to include. </li></ul>John Hall
Caught in the Medicare Fraud Sweep<p>In what it calls its largest criminal health-care fraud sweep, the U.S. Department of Justice (DOJ) has charged 243 people — including 43 doctors, nurses, and other medical professionals — with submitting false bills to the U.S. Medicare program totaling US$712 million. The charges involve schemes such as false claims for treatments that were medically unnecessary or never provided, <a href="" target="_blank">Reuters reports</a>. In one case, a Miami mental health facility billed nearly US$64 million for psychotherapy sessions, when it actually just moved patients to a different location, the DOJ said. With these arrests, the DOJ has charged more than 2,300 people with Medicare billing fraud totaling more than US$7 billion since 2007.</p><h2>Lessons Learned</h2><p>According to numerous sources, the U.S. spends about 17 percent of its gross domestic product on health care annually. In 2012, this amounted to approximately US$3.8 trillion. The sizable US$712 million lost to fraudulent activity in this story is part of an overall total of US$3.3 billion in fraud uncovered in 2014. While losses in this case represent less than 0.1 percent of that total, it appears that the DOJ may have only uncovered the tip of the iceberg of health-care fraud. In 2014 alone, the U.S. Department of Health and Human Services' (HHS') Office of the Inspector General (OIG) undertook 867 criminal and 529 civil actions against individuals and organizations for false claims, penalty recoveries, and other related matters, according to the <a href="" target="_blank">2014 DOJ/HHS annual report</a> (PDF) on the Health Care Fraud and Abuse Control Program.</p><p>It seems evident that HHS and its OIG are taking a disciplined, systematic approach to their fraud risk assessment and detection activities. 
Let's take a closer look at the key elements of that approach, along with some suggestions on how it might be even further strengthened in light of ongoing implementation of the U.S. Patient Protection and Affordable Care Act (ACA).</p><ul style="list-style-type:disc;"><li> <strong>Data Analysis and Data Quality.</strong> Enhanced data analysis made possible the impressive enforcement results in this story. Claims data is being made available more quickly and efficiently, providing law enforcement increased access to data — including real-time data — and helping focus enforcement resources on high-risk geographic, organizational, and individual cluster groups. Risk scoring of Medicare claims prepayment is performed and predictive models are being tested. Moreover, investigators, data analysts, clinicians, and subject-matter experts work on cases in a multidisciplinary environment. There also is an emphasis on enterprisewide improvements in the accuracy and availability of data for Medicaid program integrity and oversight.<br><br>An area for further attention by the OIG and HHS is to ensure that they are capable of handling the changing pattern and volume of new fraud referrals that can be expected from ongoing implementation of the ACA. Also, while the HHS clearly has whistleblower programs in place, it is not clear to what extent these programs are contributing to its overall fraud prevention and detection effectiveness. Results from a new pilot program to estimate the overall probable level of program fraud are expected beginning in 2016, which may provide a clearer indication of the overall size of the health-care fraud "iceberg."</li></ul><ul style="list-style-type:disc;"><li> <strong>Enrollment and Payment.</strong> Since the adoption of the ACA, stronger provisions concerning screening of providers and suppliers on the basis of fraud risk have been implemented, with three risk levels for providers (limited, moderate, and high). 
A goal is to identify ineligible providers or suppliers before their enrollment or revalidation through provider site visits by increasing the scope and coverage of high-risk providers and suppliers such as home health providers, independent diagnostic testing facilities, and outpatient rehabilitation providers. Increasing the frequency of surprise out-of-cycle site visits could enhance the effectiveness of this element in detecting potential fraud. A temporary new enrollment moratorium for certain types of providers in high-risk geographic areas such as Florida and Texas, has been instituted but may need expansion. </li></ul><ul style="list-style-type:disc;"><li> <strong>Monitoring Benefits Delivered by Third Parties.</strong> Third-party sponsors and state governments comprise a large part of the risk landscape for delivery of health-care benefits and services. Greater oversight has resulted from auditing sponsors' compliance plans and strengthening their program integrity training responsibilities. More recent assessments have reviewed the states' performance in meeting regulatory requirements and ensuring that managed care systems deliver accessible, available, and appropriate services to Medicaid beneficiaries. Federal health-care agencies are issuing clear regulations and guidance for mandatory provider compliance plans under the ACA, but these have not been completed. Another gap to be filled is requiring state contracts with managed care entities to include a method to verify with beneficiaries whether services billed by providers were actually received.</li></ul><ul style="list-style-type:disc;"><li> <strong>Accountability.</strong> Payment suspensions are one example of an increased focus on using administrative tools to ensure accountability. 
Each year, HHS' OIG excludes thousands of individuals and entities from participating in federal health-care programs for a variety of reasons ranging from health-care fraud convictions to loss of medical license for professional incompetence. Since the adoption of the ACA, some 1.5 million providers have been asked to resubmit for validation of their eligibility, some 470,000 enrollments have been deactivated, and nearly 28,000 enrollments have been revoked to prevent these providers from billing the Medicare program. The HHS' OIG and its law enforcement partners also investigate suspected fraud and refer cases to the DOJ for criminal and civil adjudication. The HHS should continue to focus on accountability for fraud. In addition, its OIG should continue to use its exclusion authority to protect the department's programs and beneficiaries, including considering cases in which excluding responsible corporate officers of sanctioned providers and suppliers is appropriate and monitoring the effect of such exclusions on recidivism.</li></ul>Art Stewart
A Boost to Fraud Risk Assessments<p>Daily headlines of pilfered passwords and stolen credit card data have put fraud at the top of management’s risk management agenda. This concern coincides with new guidance in The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 update of the <em>Internal Control–Integrated Framework</em> that directs organizations to conduct a fraud risk assessment as part of their overall risk assessment. <br></p><p>Now is an opportune time for internal auditors to help their organization re-examine its approach to fraud risk. For organizations that have not formally documented processes and controls to address fraud risk, adopting COSO 2013 can jump-start a fraud risk prevention program. Organizations that have a more mature fraud risk assessment can use it to strengthen their fraud prevention processes and procedures. <br></p><h3>COSO’s Guidance</h3><p>The discussion of fraud in COSO 2013 centers on Principle 8: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” Under the 1992 COSO framework, most organizations viewed fraud risk primarily in terms of satisfying U.S. Sarbanes-Oxley Act of 2002 requirements to identify fraud controls to prevent or detect fraud risk at the transaction level. <br></p><p>In COSO 2013, fraud risk becomes a specific component of the overall risk assessment that focuses on fraud at the entity and transaction levels. COSO now requires a strong internal control foundation that addresses fraud broadly to encompass company objectives as part of its strategy, operations, compliance, and reporting. <br>Principle 8 describes four specific areas: fraudulent financial reporting, fraudulent nonfinancial reporting, misappropriation of assets, and illegal acts. 
The inclusion of nonfinancial reporting is a significant change that covers sustainability, health and safety, employment activity, and similar reports. Because internal auditors frequently provide assurance in this area, they can provide insights into fraudulent nonfinancial reporting.<br></p><p>One useful document for performing a fraud risk assessment is Managing the Business Risk of Fraud: A Practical Guide, produced by the American Institute of Certified Public Accountants, the Association of Certified Fraud Examiners, and The IIA. This guide to establishing a fraud risk management program includes a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls.<br></p><h3>Fraud Risk Governance </h3><p>Managing the Business Risk of Fraud advises organizations to view fraud risk assessment as part of their corporate governance effort. This commitment requires a tone at the top that embraces strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk. <br></p><p>But even organizations with committed senior leadership may have inadequate fraud risk assessment programs. Most organizations have some written policies to manage individual fraud components, but many don’t concisely summarize these documents and activities so they can communicate and evaluate the completeness of their fraud management processes. Internal audit can help with this evaluation and address the areas of fraud described in Principle 8.<br></p><h3>The Assessment Process</h3><p>Although a fraud risk assessment should ordinarily be conducted as part of a broader evaluation of organizational risk in an enterprise risk management program, it may initially be done on a stand-alone basis. Regulatory and legal misconduct, such as U.S. Foreign Corrupt Practices Act violations, as well as reputation risk, also should be considered. 
Internal auditors can help ensure the fraud risk assessment is sufficiently robust.<br><br><strong>Assess and Identify Inherent Risk</strong> The fraud risk assessment starts with a brainstorming session to uncover the organization’s potential fraud risks, without consideration of mitigating controls. The review should be shaped by the organization’s operating environment, including industry practices, business culture, the state of the economy, applicable regulatory regimes, business practices, and business conditions. <br></p><p>Each risk area should be examined, including fraudulent reporting, possible loss of assets, and corruption. The assessment should consider:<br></p><ul><li>All types of fraud schemes and scenarios.</li><li>The incentives (such as compensation programs), pressures (such as a chief financial officer who needs to hit an earnings estimate), and opportunities (such as a senior executive with override ability) to commit fraud.<br></li><li>The IT fraud risks specific to the organization, which may become pervasive without appropriate controls. </li></ul><p>Additionally, the fraud risk assessment needs to consider the potential bypass of controls, as well as areas where controls are weak or there is a lack of segregation of duties.<br><br><strong>Assess Likelihood and Significance of Fraud Risk</strong> This review of identified fraud risks should be based on staff interviews — including business process owners — known fraud schemes, and historical information, both internal and external to the organization. 
In assessing fraud risk significance, organizations should consider not only exposures to assets and financial statements, but also risk to their operations, brand value, and reputation, as well as criminal, civil, and regulatory liability.<br></p><h3>Fraud Prevention and Detection</h3><p>Fraud prevention requires both preventive and detective controls, but the Managing the Business Risk of Fraud guide points out these are not mutually exclusive: “If effective preventive controls are in place, working, and well-known to potential fraud perpetrators, they serve as strong deterrents to those who might otherwise be tempted to commit fraud. Fear of getting caught due to a company’s known commitment to punishment is always a strong deterrent. Effective preventive controls are, therefore, also strong deterrence controls.”<br></p><p>Segregation of duties in small organizations can be difficult because of limited resources and personnel. These organizations need compensating controls such as periodic budget-to-actual analysis at a precise-enough level to flag and investigate unusual activity. <br></p><h3>Fraud Investigation and Corrective Action</h3><p>The fraud investigation and response system should include a process for categorizing issues, communicating within the organization — including with the audit committee or those charged with governance — conducting the investigation and fact-finding, monitoring the status of fraud cases, and resolving the investigation with a recommendation for prosecution. Standards, regulations, or laws may require parties such as legal counsel, the board, the audit committee, and external auditors to be notified if the allegation involves senior management or affects the financial statements.<br></p><h3>An Opportunity for Improvement</h3><p>Organizations that already have adopted COSO 2013 can continue to build on that foundation to prepare for the fraud challenges ahead. 
For those organizations that haven’t yet implemented the framework, the opportunity to improve their fraud risk assessment should motivate them to adopt it soon. In either case, internal auditors who are well-versed in COSO 2013 can help the organization’s fraud risk assessment initiative by facilitating the assessment itself or helping align policies and fraud mitigation activities. <span class="ms-rteiaStyle-authorbio">Michael Rose, CIA, CPA, CISA, CISM, is a Business Advisory Services partner at Grant Thornton LLP in New York.<br>Priya Sarjoo, CIA, is a Governance, Risk, and Compliance practice leader at Grant Thornton in Dallas. <br> Kevin Bennett, CFE, CICA, is managing director of Forensic and Valuation Services at Grant Thornton in Minneapolis.</span></p>Michael Rose
Bankers Caught in Currency Scheme<p>A routine audit last year uncovered a US$40 million currency fraud scheme in Nigeria, according to <a href="" target="_blank"> <em>The Guardian</em></a>. Nigeria's Economic and Financial Crimes Commission has charged six central bank officials and 16 commercial bank employees with stealing Nigerian naira notes intended for destruction. According to the report, Nigeria's central bank withdraws old or torn notes from circulation regularly and replaces them with new notes. The audit last September discovered irregularities with this process at a bank branch in Ibadan, a city in the southwest of Nigeria. Further investigation revealed that mutilated notes of higher denominations were swapped with lower denomination currencies, with box labels indicating they contained a higher value than their true content. </p> <h2> Lessons Learned</h2><p>Many banks around the world carry out the function of currency management, including the disposal of old or worn-out currencies, typically through a network of offices and some form of secure storage. A huge amount of money is involved: In 2012, the U.S. Federal Reserve ordered nearly 8.4 billion individual notes with a face value of more than US$358 billion to replace old currencies on a one-to-one basis. Typically this disposal work takes place under a statutory framework and a tight security regime. Bank notes and coins that are unfit, cannot be issued for further circulation, or are not needed immediately by the branches are deposited into a designated secure storage area. When sufficient quantities of these currencies have accumulated, they are remitted to a central bank office for inventory, scanning for counterfeits, and disposal. 
The local–central secure storage system combination is intended to remove the necessity for frequent physical movement of currency and enable banks and treasuries to work with a minimum cash balance of their own.</p><p>At least that is how it is supposed to work. Bearing in mind the potentially limited resources available in many countries, what can be done to enhance the controls and protect the security of these funds?</p><ul style="list-style-type:disc;"><li><strong>Continually work to improve the efficiency of currency management</strong> and closely monitor the printing capacity of bank note presses with a view to closing the demand–supply gap in currency and lessening the risk materiality.</li></ul><ul style="list-style-type:disc;"><li><strong>Automate the currency-processing operations</strong> in the local offices as much as possible. Many countries have installed currency verification and processing (CVP) systems for bank notes received for examination. These systems are capable of sorting the notes on the basis of denomination, design, and condition. Generally, the system sorts the notes into Fit, Unfit, Reject, and Suspect categories. Notes in the Suspect category are received in separate stacks and must be inspected manually for the presence of counterfeit notes. CVP systems also have security measures that enable the bank to provide graduated access rights, capture and store data, and produce security reports. </li></ul><ul style="list-style-type:disc;"><li><strong>Enhance physical security measures</strong> in areas where these currencies are being held. For example, install closed-circuit television (CCTV) cameras at all such facilities and retain recordings up to 90 days for appropriate monitoring by security staff. This can be enhanced by networking CCTVs from local to central offices. 
While there would be upfront investment costs, installing suitable biometric access systems at all currency storage locations can ensure only authorized staff members are able to enter. Banks also should consider requiring officials to present a pre-validated photograph to enter the storage area. Electronic locking of all storage bins/vaults also should be explored, along with linking them to a central server to ensure easy monitoring of transactions.</li></ul><ul style="list-style-type:disc;"><li><strong>Use tamper-proof shrink-wrapping</strong> — or similar materials — of bank notes to be disposed of, with the details of the source branch bar-coded on the bundles. This can facilitate easy identification of the branch from which the notes were received so that accountability for shortages, defects, counterfeits, theft, and fraud can be attributed precisely, which can reduce the possibility of such incidents.</li></ul><ul style="list-style-type:disc;"><li><strong>Conduct periodic security audits of secure storage areas</strong> at bank branches on a risk-based frequency, at least more often than annually. Comprehensive guidelines for such audits should be developed and well-communicated to branches. A system of surprise inspections also would be useful.</li></ul><p>Human resource measures should include rotation of staff employed at currency disposal locations and heightened background checks before hiring staff.</p>Art Stewart
Hedge Fund Executives Sentenced<p>The chief financial officer and two managing partners of a U.S. hedge fund firm have been sentenced to prison for defrauding investors of more than US$46 million, WTNH-TV in New Haven, Conn. <a href="" target="_blank">reports</a>. Their firm, New Stream Capital LLC, launched two feeder funds in November 2007, based in the U.S. and the Cayman Islands, and announced that its Bermuda Fund would close and its investments would move to the Cayman Fund, according to court documents and testimony. When the Bermuda Fund's largest investor decided to redeem its investment in March 2008, prosecutors say the defendants secretly kept the Bermuda Fund open and prioritized investors who stayed in the fund. The firm did not inform other existing and prospective investors that the Bermuda Fund was still open and would be a priority. Each of the defendants pleaded guilty to conspiracy to commit wire fraud in 2014.</p><p> <strong>Lessons Learned</strong></p><p>When it comes to offshore hedge funds, the Cayman Islands is the world leader, with estimates ranging from 45 percent to 85 percent of global market share and as much as US$1.4 trillion in assets and liabilities. Included in these funds are institutional investments, such as pension funds.</p><p>To tackle criminal and fraudulent behavior, such as in this story, we need to look beyond the individual circumstances of the case and address systemic problems from two different directions: governance/regulatory and investor awareness. Internal auditors can help with both.</p><ul style="list-style-type:disc;"><li> <strong>Governance/regulatory. </strong>Some economists consider the relative lack of oversight of the hedge fund industry by Cayman Islands authorities to be a significant threat to the global economy. The Cayman Islands Monetary Authority (CIMA) is responsible for regulating and supervising financial services. 
It says officials on its board of directors can have contractual relationships with entities they are charged with regulating, creating inevitable conflict of interest possibilities. More independence between these two roles would help protect investors.<br><br>Cayman Islands-based hedge funds are not directly subject to U.S. Securities and Exchange Commission (SEC) regulation. However, in 2012, the SEC established a cooperation arrangement with CIMA as part of the commission's long-term plan to improve oversight of regulated entities that operate internationally. This type of cooperation arrangement "generally establishes mechanisms for continuous and ongoing consultation, cooperation, and the exchange of supervisory information … to monitor risk concentrations, identify emerging systemic risks, and better understand a globally active regulated entity's compliance culture," according to an SEC press release. In addition, such memorandums of understanding enable the SEC and regulators in other nations to conduct on-site examinations of registered entities located abroad. Results of these on-site examinations should be reviewed closely for further governance improvements.<br><br><a href="" target="_blank">A 2012 analysis</a> of thousands of U.S. securities filings by <em>The New York Times</em> also showed that many directors sit on the boards of 24 or more funds based in the Caymans, which "individually are supposed to be overseeing tens of billions of dollars in assets." Some of these individuals hold more than 100 directorships, and one director sits on the boards of about 260 hedge funds. Notably, this data does not include boards of hedge funds with non-U.S. ownership. Greater disclosure of how many boards directors serve on is obviously needed. And, allowing for some flexibility, limits should be placed on the number of board positions that one director can take on in the interests of investors, fiduciary responsibility, due diligence, and professionalism. 
A <a href="" target="_blank">2013 CIMA survey</a> (PDF) of hedge fund corporate governance stakeholders points to these same needed changes.</li></ul> <ul><li> <strong>Investor awareness. </strong>As a general rule, investors must take responsibility for the oversight of funds in which they invest. That includes educating themselves on the nature and risks of hedge funds and offshore banking and investing. They also should apply scrutiny to drive up standards by careful and informed selection of service providers and directors, either directly or through the use of due diligence professionals, including auditors. Where red flags are noticed with regard to lapses in due diligence, class action and other forms of legal redress are likely to be pursued.</li></ul>Art Stewart
