The Sun Chronicle (Attleboro, Mass.) reports that a former employee of a Massachusetts Bay Transportation Authority (MBTA) subcontractor — which manufactured MBTA passes — was sentenced to three years in prison for selling millions of dollars worth of illegal monthly passes. Prosecutors say the man made more than 20,000 passes worth about US $4 million, which he and two accomplices sold through Craigslist. The scheme unraveled after a commuter rail conductor reported an unusual-looking pass.
This case highlights several fraud-related issues and potential mitigation strategies that internal auditors should consider in their day-to-day work. Public transit is an important public service, frequently subsidized by taxpayers, and this type of fraudulent activity can undermine taxpayer confidence in the efficiency and effectiveness of services provided to the public.
While it is commendable that a commuter rail conductor spotted an illegal transit pass, the problem likely could have been identified and addressed sooner. MBTA or its subcontractor may not have established effective controls to prevent or detect fraudulent activities by employees.
Internal auditors are well-positioned to ask and act upon the answers to key questions that could prevent similar crimes from occurring, including:
Does the transit authority have an overall fraud risk assessment and audit plan in place that addresses the adequacy of controls over manufacturing or inventory, distribution, and use of transit passes?
Does on-site monitoring or auditing of subcontractor manufacturing and inventory control processes include matching planned versus actual volumes of transit passes manufactured, security screening of employees, supervisory monitoring, appropriate use of security cameras in sensitive work areas, or procedures to prevent employees from removing stolen property from the workplace?
Has there been sufficient consideration and adoption of cost-effective security mechanisms built into the manufacturing process of valuable items such as transit passes? Many public transit authorities are using holograms, owner photographs on passes, and other security features to reduce the risk of illegal reproduction. Other transit authorities are bypassing the use of physical passes entirely through the use of credit card-based payment systems.
Are auditors staying current on new technologies, their uses and abuses, and relevant ways to help employers better detect and prevent new ways of conducting fraud (e.g., scanning typical Internet sources where fraudsters attempt to sell their illegal wares)?
Are clear rules about transit passes in place that prohibit replication by anyone other than the transit authority, along with sufficient penalties enforced in cases of abuse?
No doubt, internal auditors could think of other equally useful ways to prevent and address this kind of fraudulent activity.