<h1>Fraud Detection Failure</h1>
<p>A report from Utah's legislative auditor general criticizes the Office of the State Auditor for failing to detect a US$1 million embezzlement fraud that took place over 10 years, <em>The Salt Lake Tribune</em> reports. In April, the state auditor's office reported that a former administrative assistant at the Utah Communications Authority (UCA) and her daughter had charged personal expenses to the agency's credit cards and covered it up by creating fake documentation. A separate performance audit of the agency by a private contractor found significant lapses in the UCA's financial oversight and recommended a state legislative review. Although the legislative auditor's report holds the UCA ultimately responsible for failing to detect the fraud, it points out that a 2010 state audit had raised red flags about credit-card transactions that could not be verified because receipts were missing. The report faults the state auditor's office for failing to perform a more in-depth review that could have enabled auditors to detect the fraud sooner.</p>
<h2>Lessons Learned</h2>
<p>This story provides a good opportunity for internal auditors to consider not only what constitutes "a thorough review of financial statements," but more broadly what distinguishes fraud from negligence versus "following the rules as prescribed." Numerous news stories and reports continue to appear regarding both fraud and negligence cases involving professional advisers — from property and asset valuers, to fund and asset managers, to IT professionals — and also auditors themselves. For example, there is an ongoing US$1 billion lawsuit against PricewaterhouseCoopers over the thoroughness of its audits of the bankrupt investment firm MF Global. Napoleon is often credited with the adage, "one should never attribute to malice that which can be adequately explained by incompetence." But what would he say when we potentially find both, as in this story?</p>
<ul>
<li><p>Generally, to establish negligence it must be shown that no member of the profession in question, acting with reasonable skill and care, would have acted as the allegedly negligent party did. Here, a significant fact in the story is that "The state auditor's 2010 annual financial audit reported that 13 of 36 credit card purchases — 36 percent — on a randomly sampled monthly statement lacked receipts. Without receipts or greater probing, the new report said, the state auditors could not validate the purchases." What do the governing audit and accounting standards say? According to U.S. Generally Accepted Accounting Principles, an unqualified audit opinion should only be issued where "There is adequate disclosure of all material matters relevant to the proper presentation of the financial information subject to statutory requirements, where applicable" (one of four criteria). A qualified audit opinion, by contrast, should be issued "when the auditor is unable to obtain audit evidence regarding particular account balance, class of transaction, or disclosure that does not have pervasive effect on the financial statements."</p></li>
<li><p>I have reviewed several of the related financial audits of the UCA conducted by the state auditor's office, and none contained qualified opinions. It does appear that some form of "management letter" communication of the problem of missing receipts took place after the 2010 financial audit. Perhaps the overall materiality of the missing credit card receipts fell below a judged minimum, but for one-third of the required documentation to be missing is undoubtedly a fraud red flag, and a stolen amount of more than US$1 million is certainly material. Also, a private contractor's review of internal control over the UCA's financial statements disclaims any opinion on the effectiveness of the UCA's internal controls (as can be standard practice).</p></li>
<li><p>I agree with the Utah legislative auditor general's observation that had the state auditor exercised "greater professional skepticism by recognizing its broader responsibility, accepting only original documentation, recognizing aggravating risk factors, and conducting a more thorough follow-up of the issue in 2011," the fraud might have been detected much earlier than after 10 years. Recognizing that all organizations have limits with respect to priorities, time, and money, where I have difficulty in this case is in how the auditors fell short in detecting a long-term fraud. Perhaps "negligence" is too strong a term, but this may be an opportunity both for strengthening audit guidance in the context of fraud detection and for the audit profession to pursue leading practices.</p></li>
</ul>
<p>What do you think?</p>
<p>Art Stewart</p>
<h1>Yellow Card for Youth Sports</h1>
<p>A recent <em>New York Times</em> article reports on the hundreds of fraud cases involving youth sports officials in the U.S. Nationwide, local youth sports officials have been arrested and convicted of embezzlement and other corruption. The National Center for Charitable Statistics notes that the 14,000 U.S. youth sports organizations have revenues of US$9 billion, while the <em>New York Times</em> report finds that local leagues have become "quasi-professional enterprises" with budgets that can exceed US$250,000 annually. Despite the amounts of money involved, the organizations typically lack oversight and regulation, the article points out.</p>
<h2>Lessons Learned</h2>
<p>It should not be surprising to hear about this sad story involving fraud in youth sports organizations. Nonprofits are at a greater risk of fraudulent activity than many other types of organizations, and every variety of nonprofit organization is at risk. Bearing in mind the major constraints faced by nonprofits — limited funds, volunteer staff and turnover, a lack of business and financial expertise, and individuals having wide access to financial and other assets — here are some practical suggestions for addressing fraud:</p>
<ul>
<li><p><strong>Become fraud-savvy.</strong> Nonprofits are trust-based organizations designed to bring out the best in staff and volunteers. Moreover, many nonprofits used to handle instances of fraud or embezzlement quietly in order to avoid unwanted attention and embarrassment. This is no longer an option, and not only because fraud is on the rise. In 2008, the U.S. Internal Revenue Service (IRS) implemented regulations designed to enable the public to more easily evaluate how effectively larger nonprofits manage their money. Tax-exempt organizations whose gross receipts are greater than or equal to US$200,000, or whose assets are greater than or equal to US$500,000, are subject to additional disclosure requirements on their IRS Form 990 concerning embezzlement or theft. Specifically, these organizations are now required to publicly disclose any embezzlement or theft that exceeds US$250,000, five percent of the organization's gross receipts, or five percent of its total assets. Nonprofits may not want to create an atmosphere of mistrust by introducing too many rules and controls, but they do need effective measures that both reward ethical behavior and reduce temptation. They should also cultivate transparency. This means that financial data and organizational policy and direction are maintained and communicated regularly, such as on the organization's website, so that stakeholders can, at any time, get a clear picture of the organization's operations. At the same time, this conveys a positive yet watchful message to employees and volunteers. Nonprofits also need to establish fraud and code of conduct policies as part of their fraud-savvy culture. When fraud does occur, offenders must be prosecuted rather than cases being swept under the rug.</p></li>
<li><p><strong>Establish a minimum of internal controls, especially over financial and other assets.</strong> Some form of segregation of duties is key. We are all familiar with the need for multiple layers of approval to make it more difficult for embezzlers to steal from the organization, for two signatories on every check, and for two different signatories on every authorization or payment over a certain amount. Where a nonprofit is too small to effectively implement a double signatory/authorization policy, it should designate two volunteer officers or directors for the double sign-offs. Even for small nonprofits, all check, credit card, and cash disbursement requests should be accompanied by an invoice or other document showing that the payment or disbursement is appropriate. Again, the person making the payment should not be the same person who authorized it. Similarly, a different volunteer should be responsible for reconciling bank statements and reviewing credit card statements, as well as for receiving, depositing, recording, and reconciling the receipt of funds. Wherever possible, all contracts should be approved by someone uninvolved in and personally uninterested in the transaction, and larger contracts should be the product of competitive and transparent bidding. At least annually, the organization should perform a fixed-asset inventory to ensure that no equipment or other goods are missing.</p></li>
<li><p><strong>Recruit and manage human resources well.</strong> A balanced representation within the ranks of volunteers and leaders, such as recruiting individuals with financial, audit, or business expertise in the subject matter of the nonprofit, can help prevent fraud. At a minimum, when recruiting new volunteers and leaders, organizations should ask for and review their resumes as well as conduct background checks. This can unearth things such as undisclosed criminal records, prior instances of fraud, and heavy debt loads that can make it more likely that a volunteer or leader might succumb to fraud. The Association of Certified Fraud Examiners reports that six percent of embezzlers have been convicted of a previous fraud-related offense.</p></li>
<li><p><strong>Provide proper supervision.</strong> Fraud happens as a result of need and opportunity. Organizations shouldn't put staff or volunteers in tempting positions, such as where excess cash is on hand or one person is solely responsible for balancing cash. Someone who refuses to take vacation can appear to be dedicated but actually may be hiding a pattern of fraud, so a mandatory vacation policy is a good idea. Organizations also should watch out for volunteers or employees who are disgruntled, especially about pay, roles and responsibilities, or recognition. Those who feel undervalued can rationalize taking from their organization.</p></li>
<li><p><strong>Embrace the audit concept.</strong> Nonprofits often resist external audits because of the associated costs, and media and donor attention on costs often reinforces this reluctance. But fraud prevention — whether through audits, supervision, or internal controls — can actually save money that otherwise would be lost. If feasible, nonprofits should undertake regular external audits to ensure that their management oversight and controls are effective. If conducting a full assurance engagement is not feasible, nonprofits could request a review of their financial information. Such a review engagement typically costs less than a full audit, and it can still help determine whether the nonprofit's financial information is plausible or has discrepancies that bear a closer look. Organizations also should establish an audit committee on their boards of directors, containing at least one person familiar with finance and accounting, to serve as the primary monitor of anti-fraud measures. In lieu of an audit committee, small nonprofits should consider putting a financially knowledgeable person on the board to serve a similar function. Another alternative is to bring in outside expertise, such as public accountants experienced in conducting fraud audits and attorneys experienced in evaluating and enhancing internal controls as well as training staff on best practices. Such individuals may be willing to volunteer their time.</p></li>
<li><p><strong>Establish a whistleblower system.</strong> Nonprofits should encourage the reporting of suspected wrongdoing to a designated trusted board member. This is a low-cost but potentially effective method of uncovering fraudulent activity, especially where nonprofits must rely on volunteers of varied backgrounds and participation.</p></li>
</ul>
<p>Art Stewart</p>
<h1>Fraud and Related-party Transactions</h1>
<p>Individuals who use their positions to secretly benefit themselves at the expense of their employers betray the trust of the organizations that employ them. Often, these transgressions take the form of undisclosed related-party transactions, where the individuals who approve the transactions for their organizations also benefit personally from them.</p>
<p>Internal auditors need to identify the red flags of related-party loans, sales, and purchase transactions that indicate fraud (see "Red Flags of Related-party Transactions" at the end of this article). The case studies herein illustrate common methods used to commit various frauds. By identifying the red flags in these cases, internal auditors can improve their ability to recognize related-party fraud risks.</p>
<h2>Loans</h2>
<p>The vice president of finance at a service company borrowed US$50,000 from the organization. The note states that it is a zero-interest loan with no collateral or due date. Accounting records and financial statements present the loan as a regular note receivable without disclosing the related-party nature of the note. The vice president also used her position to make the company a guarantor on one of her other personal loans.</p>
<p>Key risks in related-party loan transactions include:</p>
<ul>
<li>Providing loans to senior management, other employees, or board members at below-market interest rates or under terms they could not get in the marketplace.</li>
<li>Failing to disclose the related-party nature of the loan.</li>
<li>The organization providing guarantees for personal loans taken out by employees or board members.</li>
</ul>
<p>In all of these risk areas, the favorable terms benefit the employee at the expense of the organization.</p>
<p><strong>Internal Audit Procedures</strong> To identify undisclosed loans to senior management, board members, and employees, the internal auditor could search for related-party loans using data analysis to compare the names on all notes receivable and accounts receivable with employee names from payroll records and board member names from board minutes. If a match occurs, the auditor should assess whether the related-party transaction was appropriately authorized and disclosed in the accounting records and financial statements.</p>
<p>Auditors also could search for undisclosed related-party loans by examining the interest rate, due dates, and collateral terms for notes receivable. Notes receivable with zero or unusually low interest rates, no due dates, or insufficient collateral may indicate related-party transactions. The internal auditor also should examine advances made to customers or others who owe money to the organization. Organizations generally do not advance money to others who owe them money unless a related-party relationship exists.</p>
<h2>Sales</h2>
<p>A sales agent for a manufacturing company sold a significant amount of goods at a substantial discount to XYZ Supply, a company he owns without having disclosed the conflict of interest. XYZ Supply, in turn, sold the goods at market rates, providing him with a profit. Months later, XYZ returned goods it was unable to sell for reimbursement. XYZ also did not pay the accounts receivable for several purchases, and the sales agent persuaded the credit department manager to write off the related receivables.</p>
<p>Key risks for related-party sales include employees:</p>
<ul>
<li>Selling products or services significantly below market price or providing beneficial sales terms that ordinarily would not be granted to arm's-length customers.</li>
<li>Inflating sales for bonuses or stock options using related parties to perpetrate the scheme. Either a sale really has not taken place because the goods were not shipped, or there was an obligation to repurchase the goods sold, so the sale was incomplete.</li>
<li>Approving excessive sales allowances or returns, as well as accounts receivable adjustments or write-offs, for related parties.</li>
</ul>
<p>In an effort to cover up the related-party transaction, employees may deny auditors access to customers to impede them from acquiring audit evidence concerning the related-party relationship.</p>
<p><strong>Internal Audit Procedures</strong> Internal auditors should perform analytical procedures to compare price variations among customers to identify those who pay significantly below the average sales price. Auditors also should identify any customer who pays prices that differ from the approved price sheet. Customer contracts should be analyzed for unusual rights of return, obligations to repurchase goods sold, and unusually extended repayment terms. Analytical procedures to identify customers with excessive returns, sales allowances, accounts receivable adjustments, or write-offs also should be performed. Any variances in these areas could indicate undisclosed related-party transactions.</p>
<p>Data analysis can be used to compare employee addresses, telephone numbers, tax identification numbers, and birthdays with customer addresses, telephone numbers, tax identification numbers, and company organization dates. When creating a shell company, many individuals use their own contact information for convenience and their own birth date as the organization date because it is easy to remember. Any matches could indicate a related-party association and should be investigated.</p>
<h2>Purchases</h2>
<p>A purchasing agent for a manufacturing company buys goods for his employer from a company he secretly owns, ABC Supply. For many of the purchases, the prices significantly exceed normal market prices, allowing the purchasing agent to make a personal profit on the difference between what his company pays for the items and what he charges his employer. For other purchases, the product quality is inferior for the price paid: he purchases poor-quality goods at a low price, then sells them to his employer at market rates, allowing his company to profit from the transaction.</p>
<p>Key risks for related-party purchases are:</p>
<ul>
<li>Paying prices significantly above market for goods or services.</li>
<li>Receiving goods or services of significantly below-average quality that are purchased at market prices for high-quality goods or services.</li>
<li>Never actually receiving the purchased goods or services.</li>
</ul>
<p><strong>Internal Audit Procedures</strong> Auditors should compare cost variations among vendors to identify those whose costs significantly exceed the average cost. For identified variances, auditors should determine why the cost variations occurred to assess whether a related-party relationship exists.</p>
<p>Similar to the audit of customers, auditors should compare the employee's address, telephone number, tax identification number, and birth date to vendors' information to see if a relationship exists. Auditors also should assess the use of sales intermediaries for products the organization could purchase directly from the manufacturer at lower cost.</p>
<h2>Finding Process Failures</h2>
<p>In reviewing their organization's documentation, internal auditors may find that the organization does not have in place any policies or procedures prohibiting related-party relationships or transactions without prior approval. The organization also may not provide training to employees on related-party relationships and transactions, or require employees to certify whether they are involved in any conflicts of interest with the organization.</p>
<p>Organizations should maintain written policies and procedures defining the process for obtaining approval for related-party relationships and transactions. Key risks exist if:</p>
<ul>
<li>Written related-party policies and procedures are nonexistent or insufficient.</li>
<li>Employees are not required to certify regularly whether they have a conflict of interest.</li>
<li>Related-party transactions are not approved in accordance with established organizational policies and procedures.</li>
<li>Related-party transactions are approved with exceptions to organizational policies and procedures.</li>
</ul>
<p><strong>Internal Audit Procedures</strong> The internal auditor should review the approved related-party policies and procedures documentation. If related-party policies or procedures don't exist, or if they don't sufficiently mitigate the risk of unauthorized or inappropriate related-party relationships or transactions, the auditor should consult with senior management and, if necessary, the board to develop appropriate policies and procedures.</p>
<p>Auditors also should review conflict of interest statements. If an employee documents a conflict of interest in his or her statement, the internal auditor should assess whether the conflict of interest was appropriately authorized and whether the process recognizes and discloses conflicts of interest.</p>
<p>Board minutes should be reviewed for authorization of related-party relationships or transactions conducted by or on behalf of senior management and board members. Auditors also should review documentation of senior management approval for related-party relationships or transactions of non-senior management employees. While reviewing this documentation, internal auditors should assess whether the organization made exceptions to its written policies or procedures during the authorization process. If exceptions were made, the auditor should assess the business purpose and reasonableness of the exception.</p>
<h2>Coordination</h2>
<p>To minimize duplication of effort and to ensure appropriate coverage of related-party risks, the CAE should coordinate activities and share information about those risks with external and internal service providers (see IIA Standard 2050: Coordination). Independent auditors generally are required to consider related-party risks when conducting audits. For example, the International Federation of Accountants' International Standard on Auditing 550 states the independent auditors' responsibilities to specifically address related-party transactions and relationships.</p>
<p>In the United States, the Public Company Accounting Oversight Board's Auditing Standard (AS) 18 requires independent auditors to evaluate related-party relationships and transactions (AS 18 will be renumbered as AS 2410 effective Dec. 31, 2016). By working with the independent auditors, internal auditors could help identify related-party risks that may have a material effect on the financial statements and related required disclosures, while at the same time identifying related-party risks that may fall below the materiality threshold but are still significant to the organization.</p>
<p>The CAE also should consider government regulatory or contractual requirements that may prohibit certain types of related-party transactions or relationships. Internal auditors should work closely with their organization's compliance, risk management, and legal departments to identify related-party risks and assure that these risks are being monitored and mitigated appropriately.</p>
<h2>Reducing Risk</h2>
<p>Internal auditors can uncover undisclosed conflicts of interest by recognizing red flags associated with related-party relationships and transactions. Where red flags exist, internal auditors should assess the nature of the transactions and ascertain whether the related-party transactions were authorized appropriately. By discovering unauthorized related-party transactions and assessing related-party policies and processes, internal auditors can identify deficiencies and recommend policy and process improvements to reduce the risk of future unauthorized related-party transactions and relationships.</p>
<table width="100%"><tbody><tr><td>
<strong>Red Flags of Related-party Transactions</strong>
<p>When reviewing related-party transactions, auditors should be aware of the red flags that may indicate fraud is taking place.</p>
<strong>Loan Frauds</strong>
<ul>
<li>Loans to officers, board members, or employees.</li>
<li>Interest-free loans.</li>
<li>Insufficient collateral for loans.</li>
<li>Loans without fixed repayment terms.</li>
<li>Loans to parties who cannot repay.</li>
<li>Providing funds to pay uncollectable loans or receivables.</li>
<li>Inappropriate guarantees of personal loans.</li>
<li>Accounting records, receivables, and financial statement disclosures that fail to disclose the related-party nature of the loans.</li>
<li>Denied access to the borrower to acquire audit evidence.</li>
</ul>
<strong>Sales Frauds</strong>
<ul>
<li>Sales prices significantly below market prices.</li>
<li>Sales prices below market to a sales intermediary with no apparent business purpose.</li>
<li>Unusual rights of return.</li>
<li>Obligation to repurchase goods sold.</li>
<li>Unusually extended repayment terms.</li>
<li>Excessive sales allowances or returns for a customer.</li>
<li>Bill-and-hold sales.</li>
<li>Unapproved or undocumented accounts receivable adjustments and write-offs for a customer.</li>
<li>Denied access to customers to acquire audit evidence.</li>
</ul>
<strong>Purchasing Frauds</strong>
<ul>
<li>Costs significantly above market prices.</li>
<li>Paying premium prices for generic products.</li>
<li>Costs above market from a sales intermediary with no apparent business purpose.</li>
<li>Unusually large amounts of usage and scrap in production due to faulty materials.</li>
<li>Denied access to the vendor to acquire audit evidence.</li>
</ul>
</td></tr></tbody></table>
<p>James A. Bailey</p>
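The loan, sales, and purchasing audit procedures in the article above all come down to matching and comparison over the organization's own records: note-holder names against payroll and board minutes, loan terms against what an arm's-length borrower would get, vendor contact details and organization dates against employee records, and each vendor's unit cost against its peers. The following Python script is an added example written for this page, not code from the article or its author. All records in it are constructed and hypothetical; the thresholds LOW_RATE_FLOOR and COST_RATIO_LIMIT are assumed values an auditor would set from the organization's own history. The vendor-matching routine is the same comparison the article prescribes for customers, so the generalization to a customer file is direct.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample records (hypothetical; not from any real organization).
EMPLOYEES = [  # from payroll: name, address, phone, tax ID, birth date
    {"name": "Pat Agent", "address": "12 Elm St, Springfield", "phone": "555-0101",
     "tin": "123-45-6789", "birthdate": "1975-03-14"},
    {"name": "Dana Clerk", "address": "9 Oak Ave, Springfield", "phone": "555-0102",
     "tin": "987-65-4321", "birthdate": "1982-07-01"},
]
BOARD_MEMBERS = ["Chris Director"]  # names taken from board minutes
NOTES_RECEIVABLE = [
    {"borrower": "Acme Holdings", "rate": 0.06, "due_date": "2026-12-31", "collateral": "Equipment"},
    {"borrower": "dana clerk", "rate": 0.0, "due_date": None, "collateral": None},
    {"borrower": "Chris Director", "rate": 0.01, "due_date": "2027-06-30", "collateral": "Vehicle"},
]
VENDORS = [  # from the vendor master file
    {"name": "ABC Supply", "address": "12 ELM ST., SPRINGFIELD", "phone": "(555) 0101",
     "tin": "22-3344556", "org_date": "1975-03-14"},
    {"name": "Reliable Parts Co", "address": "400 Industrial Rd, Shelbyville",
     "phone": "555-0200", "tin": "33-4455667", "org_date": "2003-05-20"},
]
PURCHASES = [  # (vendor, item, unit cost paid)
    ("ABC Supply", "bearing-6205", 14.50), ("Reliable Parts Co", "bearing-6205", 9.80),
    ("ABC Supply", "gasket-a1", 2.10), ("Reliable Parts Co", "gasket-a1", 2.00),
]
LOW_RATE_FLOOR = 0.02    # assumed: rates at or below this are "unusually low"
COST_RATIO_LIMIT = 1.25  # assumed: >25% above peer vendors is "significantly above"


def normalize(value):
    """Lower-case and drop punctuation/whitespace so '(555) 0101' equals '555-0101'."""
    return re.sub(r"[^a-z0-9]", "", str(value).lower())


def flag_related_party_loans(notes, employees, board_members):
    """Loan red flags: borrower is an employee or board member, zero or low
    interest, no due date, or no collateral. Returns the notes that raise any."""
    insiders = {normalize(e["name"]) for e in employees} | {normalize(n) for n in board_members}
    flagged = []
    for note in notes:
        reasons = []
        if normalize(note["borrower"]) in insiders:
            reasons.append("borrower matches an employee or board member")
        if note["rate"] <= LOW_RATE_FLOOR:
            reasons.append(f"interest rate {note['rate']:.1%} at or below floor")
        if not note["due_date"]:
            reasons.append("no due date")
        if not note["collateral"]:
            reasons.append("no collateral")
        if reasons:
            flagged.append({"borrower": note["borrower"], "reasons": reasons})
    return flagged


def match_vendor_contacts(vendors, employees):
    """Shell-company red flags: a vendor's address, phone or tax ID equals an
    employee's, or its organization date equals an employee's birth date."""
    matches = []
    for v in vendors:
        for e in employees:
            fields = [f for f in ("address", "phone", "tin") if normalize(v[f]) == normalize(e[f])]
            if v["org_date"] == e["birthdate"]:
                fields.append("org_date=birthdate")
            if fields:
                matches.append({"vendor": v["name"], "employee": e["name"], "fields": fields})
    return matches


def cost_outliers(purchases, ratio_limit=COST_RATIO_LIMIT):
    """Purchasing red flag: a vendor's unit cost for an item exceeds the average
    paid to the other vendors for the same item by more than ratio_limit."""
    by_item = defaultdict(list)
    for vendor, item, cost in purchases:
        by_item[item].append((vendor, cost))
    outliers = []
    for item, rows in by_item.items():
        for vendor, cost in rows:
            peers = [c for v, c in rows if v != vendor]
            if not peers:  # single-source item: nothing to compare against
                continue
            peer_avg = mean(peers)
            if cost > ratio_limit * peer_avg:
                outliers.append({"vendor": vendor, "item": item, "cost": cost,
                                 "peer_avg": peer_avg, "ratio": cost / peer_avg})
    return outliers


if __name__ == "__main__":
    print("Loans:", flag_related_party_loans(NOTES_RECEIVABLE, EMPLOYEES, BOARD_MEMBERS))
    print("Vendor/employee matches:", match_vendor_contacts(VENDORS, EMPLOYEES))
    print("Cost outliers:", cost_outliers(PURCHASES))
```

On this data the loan check flags the zero-interest, uncollateralized note to "dana clerk" (four reasons) and the low-rate note to the board member; the vendor check ties ABC Supply to Pat Agent on address, phone, and an organization date equal to the employee's birth date; and the cost check flags ABC Supply's bearing price at roughly 1.48 times the peer price while its gasket price, only 5% above, passes. Each hit is a lead to authorize-and-disclose review, not a finding in itself: the normalization deliberately ignores case and punctuation so CMS re-keying does not hide a match, which also means every match needs a human look before it goes in a report.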
<h1>The Tech Know-how for Fraud</h1>
<p>The former vice president of accounting and IT for the Houston Police Federal Credit Union was sentenced to more than three years in a U.S. federal prison for embezzling more than US$1.2 million from the organization, <em>Credit Union Times</em> reports. Beginning in 1997, Cheryl Vickers used her knowledge of the credit union's accounting and data processing systems to reissue unclaimed checks, skim credit card rebate fees, and steal from an account that was intended to pay the business' real estate taxes. Moreover, Vickers had helped set up the credit union's internal controls, so she knew how to avoid detection. She retired from the organization and might have gotten away with her fraud if a customer hadn't come into the credit union to cash an old check that the records showed had already been reissued by Vickers, which prompted an investigation.</p>
<h2>Lessons Learned</h2>
<p>If one tried to identify the single most significant control weakness within the Houston Police Federal Credit Union in this case, arguably it would be the absence of appropriate segregation of duties among authorization, custody, and record-keeping roles. But there are likely more fundamental control gaps that would have been uncovered by a regular review of the credit union's internal controls, as the investigator quoted in this story points out.</p>
<p>This is a good opportunity to review four of the most important components of conducting a leading-practice internal control review, as well as how some of the thinking and emphasis in such reviews has changed, particularly regarding the role of risk and risk management. How does your organization measure up?</p>
<ul>
<li><p><strong>The Control Environment.</strong> Risk identification and control are considered fundamental to managing the business. Overall business performance is improved by linking risk management to the fulfilment of business objectives. The board of directors and its audit committee take an active interest in internal control, aiming to create an environment that promotes learning on risk and control issues throughout the organization. Risks identified at all levels of the organization are discussed and not ignored. The internal control review process is ongoing and embedded within the organization, prompting it to meet expectations consistent with the "spirit" of the guidance. Not long ago, the primary objective of an internal control review was to demonstrate compliance at minimum cost, with identifying risks and control improvements a secondary concern. The process was thought of as an annual initiative or just another disclosure issue.</p></li>
<li><p><strong>Identification and Evaluation of Risks and Control Objectives.</strong> The review is an embedded process to identify and evaluate risks that significantly threaten business objectives. Facilitated risk reviews are used to identify business risk and drive control evaluation. In conjunction with a central control framework, business units use self-assessment to identify and evaluate their own controls. Identification of business objectives leads to the assessment of associated risks and exposures, thereby defining risk in the broadest sense. A traditional approach included a top-down, senior management-driven identification of risk on a fire-fighting basis and reliance on a centralized control manual to dictate the internal controls. Risks ended up being defined too narrowly and were focused on known or "comfortable" areas.</p></li>
<li><p><strong>Control Procedures.</strong> Management actively challenges the operation of controls as part of the self-assessment process, while internal audit facilitates and challenges local management reporting and conclusions. Under the old way, management confirmed control procedures in an annual letter of assurance under a self-assessment process, while internal audit coordinated or administered the review process.</p></li>
<li><p><strong>Monitoring and Corrective Action.</strong> The organization formally establishes and performs follow-up procedures to ensure fieldwork leads to appropriate change or action. An ongoing monitoring process is developed and embedded within the organization's overall business operations, which provides directors and senior managers with regular reports on the state of the system of internal control. The board actively sponsors internal control initiatives, while internal audit provides assurance on the robustness of the ongoing monitoring process. In contrast, a traditional approach would emphasize "fieldwork" and the initial phases of the risk management process, paying little attention to follow-up activities. The finance function was responsible for the system of internal control and reported by exception to the board and audit committee. Internal audit did routine checks.</p></li>
</ul>
<p>Art Stewart</p>
On the Wrong Side of the Law the Wrong Side of the Law<p>​Former top executives of the Ontario Provincial Police Association have been charged with fraud, money laundering, and misuse of funds, according to Canada's <a href="" target="_blank"> <em>National Post</em></a> newspaper. A 19-month Royal Canadian Mounted Police investigation alleges that the union's former president, vice president, and chief administrative officer used their "positions of influence" to steer business to a travel agency and a consulting company in which they had a financial interest. Also charged were the union's attorney and a New Jersey-based man, who allegedly set up the two businesses. The three former union leaders, who also are Ontario Provincial Police officers, have been suspended with pay, police officials say.</p><h2>Lessons Learned</h2><p>​Although this case has not yet been proven in court, it would appear that some of those charged with a duty to uphold the law may not have been averse to breaking it at the same time. While it may be unusual that this story involves senior Ontario police union officials, similar cases involving public- and private-sector organizations often reveal significant gaps in controls that could have prevented or detected this fraud. Such cases have had a wide range of victims such as taxpayers, union members, and investors. In the Ontario case, the police association has declared that it has made changes to improve accountability and protect its finances, and has "turned the page on a dark chapter in our history."</p><p>What are these significant control gaps that need to be addressed through changes? Here are five of the most relevant to this story:</p><ul><li><p style="line-height:1.6;"> <strong>Vigilant oversight of </strong><strong></strong><strong>management.</strong>Even public-sector union heads and executives must be accountable to a higher oversight body. 
The Ontario government has such a body in place, the Police Services Board of Directors. That board needs to exercise its accountability and oversight functions rigorously. The Ontario government also should review other policing bodies within its jurisdiction to determine whether similar kinds of fraud may be occurring.</p></li><li><p style="line-height:1.6;"><strong>A strict conflict of interest and disclosure policy regime.</strong> Senior officials should be required to attest to and declare all potential conflicts of interest. This process also needs to be updated regularly. This requirement is particularly important in organizations such as police services that have a public trust role.</p></li><li><p style="line-height:1.6;"><strong>Regular background checks.</strong> Senior officials of public institutions should be expected to adhere to high standards of transparency and ethics. Compliance needs to be assessed regularly. Lifestyle changes and perhaps even signs of collusion among the three top police union officials may have been detected through such processes.</p></li><li><p style="line-height:1.6;"><strong>Strong controls over contracting and administrative services.</strong> More specifically, controls should include a comprehensive contracting regime and policy, requirements for competitive bidding — a particular problem in this story as employees were simply told to direct all business to one service vendor — and a strict segregation of duties/authorities in contract sign-offs.
Requiring prospective bidders to disclose all the names of material investors and company officials may have revealed the identities of the alleged fraudsters, as well.</p></li><li><p style="line-height:1.6;"><strong>An independent, reprisal-free whistleblowing program.</strong> Command-and-control oriented institutions such as police forces need to take extra steps to ensure there are safe, effective ways for their employees and members to come forward with concerns about potentially fraudulent situations without fear that their colleagues and superiors will censor or punish them for doing so.</p></li></ul><p>For readers who are interested in obtaining a deeper understanding of these five control areas, or who want to have concrete examples of relevant policies and measures, there is a wealth of information available on <a href="" target="_blank">The IIA's website</a>.</p>Art Stewart
A Reversal on Mortgage Fraud<p>The U.S. Court of Appeals in Manhattan has overturned a fraud verdict against Bank of America's Countrywide mortgage business stemming from poor quality mortgages the company sold Fannie Mae and Freddie Mac in 2007 and 2008. According to a <a href="" target="_blank"><em>New York Times</em> analysis</a>, the earlier District Court ruling had imposed a civil penalty of US$1.27 billion against the bank and a US$1 million penalty against the former executive who had overseen the mortgage program. This is the only case to go to trial invoking a provision of the U.S. Financial Institutions Reform, Recovery, and Enforcement Act that authorizes civil penalties for fraud violations affecting a financial institution. The Appeals Court ruled that the Justice Department didn't prove "fraudulent intent at the time of contract execution; evidence of subsequent, willful breach cannot sustain the claim."</p><h2>Lessons Learned</h2><p>In the wake of the 2008 subprime mortgage crisis, many billions of dollars in fines and settlements have been paid by financial institutions for fraudulent activity and wrongdoing. But, as this story indicates, Bank of America won't have to pay a US$1.27 billion penalty as a result of a potentially significant Court of Appeals ruling — one that seems to redefine or at least reinterpret what legally constitutes fraud. And the court's decision cannot be appealed further. For auditors, this is a good opportunity to revisit the elements of how <em>fraud</em> is defined.</p><ul><li><p>Legal definitions of fraud, particularly those relating to criminal forms, vary somewhat from jurisdiction to jurisdiction. Countries such as the U.K. have adopted definitions that are more explicit than in the U.S., where fraud is based on a failure to disclose information within a legally defined relationship, including contractual ones. Perhaps this is something for U.S.
lawmakers and regulators to study.</p></li><li> <span style="line-height:1.6;">Most U.S. legal discussions of proving fraud in court converge around the need to show that a defendant's actions involve five elements:</span></li></ul><ol><li><strong>A false statement of a material fact.</strong></li><li><strong>Knowledge on the part of the defendant that the statement is untrue.</strong> To be fraudulent, a false statement must be made with intent to deceive the alleged victim. This may be the easiest element to prove, once falsity and materiality are proved, because most materially false statements are designed to mislead.</li><li><strong>Intent on the part of the defendant to deceive the alleged victim,</strong> such as depriving the individual of his or her legal rights.</li><li><strong>Justifiable reliance by the alleged victim on the statement.</strong> While relying on a patently absurd false statement generally may not give rise to fraud, people who are especially gullible, superstitious, or ignorant — or who are illiterate — may recover damages for fraud if the defendant knew and took advantage of their condition.</li><li><strong>Injury to the alleged victim</strong>, leaving him or her in a worse position as a result.</li></ol><ul><li><p style="line-height:1.6;">As this story underscores, these elements contain nuances that cannot be easily proved. Two aspects are particularly significant. First, the Appeals Court has interpreted that for fraud to have occurred, there must be a "concurrence of the elements."
The misstatement and the intent to defraud must be present <em>at the same time</em>, so that a subsequent decision to intentionally violate an agreement by supplying an inferior or defective product does not establish that a misstatement took place with the requisite intent at the time the contract was signed. This is a troublingly narrow interpretation. Many fraud cases are of a significant duration, and the intent and actions to commit fraud are not necessarily present at the outset of a given situation, but develop subsequently.</p><p style="line-height:1.6;">Secondly, although it is true that not all false statements are fraudulent, if a false statement substantially affects a decision to enter into a contract or pursue a certain course of action, there is greater cause for concern about fraud. Would Fannie Mae and Freddie Mac have entered into a contract with Bank of America's Countrywide unit if they knew that the bank would later substitute an inferior, higher risk product? There also is the aspect of the obligation of one of the contracted parties to inform the other of a significant change in the quality of the product that has been contracted for. I have not reviewed the contracts involved in this case, but such requirements are very standard.</p></li></ul><ul><li> <span style="line-height:1.6;">Finally, the views of U.S. District Court Judge Jed Rakoff, the presiding judge in the lower court case against Bank of America, are of interest. At a recent Association of Certified Fraud Examiners conference, he told attendees that prosecutors are falling short in pursuing fraud cases. "I am regretfully increasingly convinced that the federal government and the federal system of justice has somewhat retrogressed over the past couple of decades in its prosecution of fraud," Rakoff said, "or at least in its prosecution of fraud when it's perpetrated by people at the highest levels of the financial establishment."
Rakoff also noted that the courts have made it more difficult to prosecute fraud cases, "imposing impediments to actions against fraud that are nowhere to be found in the language of the anti-fraud statutes themselves."</span></li></ul><p>What do you think? Please give your views in the Comments section.</p>Art Stewart
An Anti-corruption Checkup<p>Revelations from the Panama Papers investigation paint a picture of public officials and business leaders allegedly moving money to secret offshore companies. The investigation by the International Consortium of Investigative Journalists is based on more than 11 million emails, documents, and client records leaked from Panama-based law firm Mossack Fonseca. Although much of the business operations highlighted in the papers are legal, some of the dealings allegedly include money laundering and other illegal activities, and the lack of transparency involved often is a red flag of potential corruption.<br></p><p>With the spotlight now shining brightly on potential corruption, it’s more important than ever that organizations have comprehensive anti-corruption compliance programs in place. One way internal auditors can help management gauge the effectiveness and completeness of their organization’s program is by using an anti-corruption maturity model. The maturity model depicted in this article is a variation of the capability maturity model integration approach developed at Carnegie Mellon University that has been customized to measure the proficiency of an anti-corruption compliance program. The model measures an organization’s proficiency in complying with laws, such as the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act, by comparing its compliance program against anti-corruption standards. <br></p><p>Moreover, internal auditors can use the anti-corruption maturity model to measure the degree to which the organization has implemented governance controls and identify expectation gaps that may exist between the organization’s perceived efforts and actual efforts. The model can enable auditors to identify areas of strengths and weaknesses, and it can serve as the basis for allocating resources to most effectively reduce corruption risk.
In addition, auditors can use the model to measure the degree to which their organization has adopted regulatory guidelines in its anti-corruption efforts.  <br></p><h2>Designing the Maturity Model</h2><p> <img src="/2016/PublishingImages/Morrison-Maturity-Model-Scale.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />The anti-corruption maturity model measures control strengths on a scale (see “Maturity Model Scale” at right). Each of the scale’s four levels describes a different strategy for combating corruption. The model’s scale should be commensurate with the organization’s complexity, geographic dispersion, and capital resources. For simplicity, this model is designed for a mid-sized company that has multiple product lines and sells in a global market. A large company that has many subsidiaries operating across diverse industries might be better suited with a larger scale, perhaps with five or six levels. The size of the scale is not as important as having a scale that is aligned with the organization’s risk profile.<br></p><p>After an appropriate scale is established, internal auditors should establish the criteria on which the compliance program will be measured. Corruption-related controls should be grouped into components based on the risk drivers they are designed to mitigate. A Resource Guide to the U.S. Foreign Corrupt Practices Act, Hallmarks of Effective Compliance Programs, developed by the U.S. Department of Justice and the Securities and Exchange Commission, is an excellent resource for identifying the types of components that make up the foundation on which an effective compliance program should be built. This guidance identifies seven components that form the basis for the anti-corruption maturity model: oversight, resources, risk assessment, policy statements, due diligence, controls and monitoring, and training. 
<br></p><h2>Components</h2><p>“Anti-corruption Maturity Model Components” (below) describes some controls that are typical of each component. Internal auditors should consider the organization’s size, complexity, and risk profile in identifying which components to include in the model. For example, an organization that plans to grow through acquisition might add a separate component dedicated to the merger and acquisition process, while a company that does not rely heavily on third-party consultants or agents might place due diligence under risk assessment.<br></p><p>After identifying the controls relevant to the organization, the internal auditor should assign them to the respective component of the maturity model. Basic controls that by themselves are not effective in preventing or detecting corruption should be assigned to lower levels. As controls become more sophisticated and effective, they should be assigned to the appropriate higher levels. It is necessary to achieve the activities on the lower levels of the scale to attain those on the higher levels. Depending on the number of controls identified for each component, it may be more practical to summarize the objectives of the controls in the model itself. The individual controls and their objectives will be detailed in the assessment test schedule. </p><center> <img class="ms-rtePosition-4" src="/2016/PublishingImages/Morrison-anti-corruption-maturity-model-components.jpg" alt="" style="margin:5px;" /> </center> <br> <h2>Assessing Compliance Program Controls</h2><p>Assessing an organizational-level compliance program goes beyond identifying risks and controls, and evaluating their likelihood and impact. The maturity model measures strength based on the degree to which the documented evidence supports that controls were designed effectively and are functioning accordingly.
This is accomplished when the internal auditor reviews supporting documentation and draws reasonable conclusions about their effectiveness. Auditors rate each control on the scale (see “Degree of Evidence Rating” below).<br></p><p>To illustrate how the degree of evidence is measured, assume an internal auditor is reviewing a control that requires anti-corruption training to be provided to all employees in a format consistent with the local languages in all business units. The business operates in Germany, Greece, Spain, and the U.S. To facilitate training, management provides PowerPoint slides in English, German, and Spanish, but it was not able to translate the slide decks into Greek. The auditor rates this control “3” and recommends that the organization translate the training slides into Greek and include them in the online training software. <br></p><p>The process continues until all controls have been assessed. If there is not a control for a significant risk, that attribute receives a zero score. <br></p><p>This methodology gives the internal auditor a deliverable that can provide management with a better picture of the strengths and weaknesses of its anti-corruption controls than it would have using a pass/fail method. That method would have failed the training control in the PowerPoint example because not all employees received instruction in their local languages. Using Excel to document and rate controls enables the auditor to easily tally ratings by component into an assessment scorecard.  <br></p><h2>Tallying the Scorecard</h2><p>After internal audit has assessed all of the controls in the respective components and established the degree of evidence, it should determine the effectiveness of the individual components and the overall compliance program by tallying the degree of evidence scores by component. The company for which this model was designed identified 107 compliance controls. 
The maximum score that can be attained for each component is the number of controls that were assessed multiplied by four, the highest degree of evidence rating. The actual score achieved in each component is divided by the maximum attainable score to arrive at the percentage score. This percentage score will be used to establish the level on which each component will be rated in the model. For example, the oversight component contains 17 controls for a maximum score of 68. If the component’s actual score is 47, then its rating is 69 percent. <br></p><h2>Evidence of Effectiveness</h2><p>A capability maturity model can be an effective tool for assessing the strength of an anti-corruption compliance program. The evidence-based methodology provides internal auditors who are assessing these programs unambiguous results based on empirical evidence rather than results based on subjective perception. It also provides management an easy-to-read summary that executives can use to identify improvement opportunities for the anti-corruption program as well as a methodology that can be easily repeated in future years. </p><center><img class="ms-rtePosition-4" src="/2016/PublishingImages/Morrison-degree-of-evidence-rating.jpg" alt="" style="margin:5px;width:500px;height:304px;" /></center> <br>See samples below for anti-corruption maturity models:<br><br><ol><li><a href="/2016/Documents/Assessment%20Scorecard.pdf"><img class="ms-asset-icon ms-rtePosition-4" src="/_layouts/15/images/icpdf.png" alt="" />Assessment Scorecard.pdf</a></li><li><a href="/2016/Documents/Sample%20Assessment%20Ratings.pdf"><img class="ms-asset-icon ms-rtePosition-4" src="/_layouts/15/images/icpdf.png" alt="" />Sample Assessment Ratings.pdf</a></li><li><a href="/2016/Documents/Anti-corruption%20Maturity%20Model%20Post-assessment.pdf"><img class="ms-asset-icon ms-rtePosition-4" src="/_layouts/15/images/icpdf.png" alt="" />Anti-corruption Maturity Model Post-assessment.pdf</a></li></ol>Paul J. Morrison
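The tally described under "Tallying the Scorecard" above, worked through as an added example that is not part of the article: it scores each component from its degree-of-evidence ratings, treats a significant risk with no control as a zero, and rolls the components up into a program score. The component names are the article's; the sample ratings and the percentage-to-level cut-offs are assumptions.

```python
"""
Added example, not from the article: tallying an anti-corruption maturity
model scorecard from degree-of-evidence ratings (scale 0..4). The seven
component names are the article's; the sample ratings and the level
cut-offs below are constructed assumptions.
"""
from typing import Dict, List, Optional

MAX_RATING = 4  # highest degree-of-evidence rating on the 0..4 scale

COMPONENTS = ("oversight", "resources", "risk assessment", "policy statements",
              "due diligence", "controls and monitoring", "training")

# Assumed cut-offs mapping a percentage score onto the model's four levels:
# below 25% is level 1, below 50% level 2, below 75% level 3, otherwise 4.
# The article's real cut-offs live in its "Maturity Model Scale" figure.
LEVEL_CUTOFFS = (25, 50, 75)


def level_for(percent: int) -> int:
    """Map a percentage score to a maturity level (1..4) using LEVEL_CUTOFFS."""
    for level, cutoff in enumerate(LEVEL_CUTOFFS, start=1):
        if percent < cutoff:
            return level
    return len(LEVEL_CUTOFFS) + 1


def component_score(ratings: List[Optional[int]]) -> Dict[str, int]:
    """Score one component from its per-control ratings.

    Each entry is the degree-of-evidence rating (0..4) for one assessed
    control. None records a significant risk that has no control at all;
    the article scores that attribute as zero, and it still counts toward
    the maximum attainable score.
    """
    if not ratings:
        raise ValueError("a component needs at least one assessed control")
    scored = []
    for r in ratings:
        r = 0 if r is None else r
        if not 0 <= r <= MAX_RATING:
            raise ValueError(f"rating {r!r} outside 0..{MAX_RATING}")
        scored.append(r)
    actual = sum(scored)
    maximum = len(scored) * MAX_RATING        # e.g. 17 controls -> 68
    percent = round(100 * actual / maximum)   # e.g. 47 / 68 -> 69
    return {"controls": len(scored), "actual": actual, "maximum": maximum,
            "percent": percent, "level": level_for(percent)}


def tally_scorecard(program: Dict[str, List[Optional[int]]]) -> Dict[str, Dict[str, int]]:
    """Score every component and add an "overall" row for the whole program."""
    unknown = set(program) - set(COMPONENTS)
    if unknown:
        raise ValueError(f"unknown component(s): {sorted(unknown)}")
    card = {name: component_score(r) for name, r in program.items()}
    actual = sum(c["actual"] for c in card.values())
    maximum = sum(c["maximum"] for c in card.values())
    percent = round(100 * actual / maximum)
    card["overall"] = {"controls": sum(c["controls"] for c in card.values()),
                       "actual": actual, "maximum": maximum,
                       "percent": percent, "level": level_for(percent)}
    return card


# Constructed ratings. The oversight row reproduces the article's worked
# figures (17 controls, actual 47 of a maximum 68, i.e. 69 percent).
SAMPLE_PROGRAM = {
    "oversight": [4, 4, 4, 3, 3, 3, 3, 3, 3, 3, 3, 2, 2, 2, 2, 2, 1],
    "training": [4, 3, 3, None, 2],   # one significant risk has no control
}

if __name__ == "__main__":
    for name, row in tally_scorecard(SAMPLE_PROGRAM).items():
        print(f"{name:<10} {row['actual']:>3}/{row['maximum']:<3} "
              f"{row['percent']:>3}%  level {row['level']}")
```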
A Tutorial of Fraud<p>Federal prosecutors have charged a former Detroit Public Schools (DPS) grant development director with billing the school district US$1.275 million for tutoring services that were never delivered, the <a href="" target="_blank"> <em>Detroit Free Press</em> reports</a>. According to court documents, after-school tutoring companies created by Carolyn Starkey-Darden submitted fake documents that included false test scores and forged attendance records and parental signatures between 2005 and 2012. During that time, three of those companies received US$6.1 million in federal grant money to improve tutoring at schools deemed in need of improvement, but the U.S. Attorney alleges that at least US$1.2 million was obtained illegally.</p><h2>Lessons Learned</h2><p>This story describes a fraud prosecution based on a federal investigation concerning the DPS. Readers cannot be completely satisfied with the outcome, given how long the fraud went undetected, and an apparent lack of attention to addressing its most likely root causes — insufficient oversight, the absence of a rigorously constructed and enforced conflict of interest system, and weaknesses in internal controls, especially over financial and contract management.</p><ul><li> <strong style="line-height:1.6;">Oversight weaknesses.</strong> <span style="line-height:1.6;">The U.S. educational system is supported by a patchwork of widely varying requirements for the structuring of school district boards, including for roles and responsibilities and the existence of internal audit functions. School districts are more likely to detect fraud at an early stage when they have vigilant, active boards and committees, supported by a robust internal audit function that regularly conducts risk-based audits of the duties of grants administrators — and principals, too — as well as financial and contract management controls.
Furthermore, the school board needs to exercise oversight over the organization's operations, and committee meetings should reflect regular discussions of financial operations, contracting, and personnel policies, including the results of monitoring, review, and audit. An absence or lapse of such oversight should raise the question of consequences for those who did not discharge their responsibilities appropriately.</span><br> </li><li> <strong style="line-height:1.6;">Poor financial management/contracting controls. </strong> <span style="line-height:1.6;">The fact that doctored test scores, forged attendance records and parental signatures, and fake individual learning plans were submitted repeatedly on forms required by the DPS, yet went undetected, represents a gaping hole in the school district's controls. Was anyone cross-checking any of this data before approvals and money were handed over? In fact, shouldn't the school board and involved parents be providing this information primarily, rather than private companies seeking grants and profits? I also suspect that grants and financial management review duties were not segregated adequately, and there may have been gaps in the board's financial/contract management policy framework.</span><br> </li><li> <strong style="line-height:1.6;">A rigorously constructed/enforced conflict of interest system. </strong> <span style="line-height:1.6;">One can debate the appropriate level of rigor needed to protect the interests of young students, but I submit that a high standard needs to be established and enforced. In this story, a relatively senior school official was able to set up multiple private companies — some even before she retired — with the alleged aim of taking advantage of her experience and contacts to obtain significant dollar value contracts with her former employer. 
Numerous countries, including Canada, have conflict of interest policies for public officials that include bans and cooling-off periods ranging from one to five years before a former senior employee can engage in a for-profit arrangement with his or her former employer. Such measures may be controversial, but in the context of this story, they might have been the most effective in preventing a serious fraud. At a minimum, a high standard of scrutiny of such arrangements needs to be applied before they are approved.</span></li></ul>Art Stewart
The Fraud Offshore<p><span style="line-height:1.6;">A U.S. bankruptcy judge has ordered Texas tycoon Sam Wyly to pay as much as US$1.4 billion in back taxes and penalties, ruling that he had taken fraudulent actions to shield assets from taxation, Reuters </span> <a target="_blank" href="" style="line-height:1.6;background-color:#ffffff;">reports</a><span style="line-height:1.6;">. The U.S. Internal Revenue Service (IRS) claimed that Wyly, along with his wife and brother, had used offshore trusts to avoid taxes on more than US$1.1 billion and had exercised stock options on four companies on which they were board members. Wyly and his wife filed for bankruptcy in 2014 after a jury in New York ordered him and his brother's estate to pay US$299.4 million for using those same trusts to engage in securities fraud.</span></p><h2>Lessons Learned</h2><p>Tax evasion via offshore trusts is a significant worldwide problem that should command continuous attention from governments, regulators, and auditors. The so-called Panama Papers give a glimpse into the scale of this type of fraud. The papers include 11.5 million leaked documents that detail financial and attorney-client information for more than 214,000 offshore entities, some dating back to the 1970s. The documents illustrate how wealthy individuals, including public officials, are able to keep personal financial information private. While offshore business entities often are legal, reporters found that many of the shell corporations listed were used for illegal purposes, including fraud and tax evasion.</p><p>A trust is a form of ownership in which a grantor (also called a settlor) transfers an asset to a third-party trustee who manages that asset on behalf of beneficiaries. It is a common practice in estate management, and perfectly legal in the U.S., so long as the trust documents are drafted in compliance with the Internal Revenue Code (§§ 641-683).
Trusts are typically used in estate planning as a way to transfer or protect assets, for the benefit of minors or others who cannot manage their own affairs responsibly. The important part to note, as illustrated in this story, is that a trust can't be used to evade taxes. Unless the grantor genuinely gives up all claim to the assets, the trustee holds full legal title to them, and the trustee exercises completely independent control, the IRS regards the arrangement as an abusive trust.</p><p>Here are some useful tips for internal auditors who might be looking to uncover such schemes: </p><ul><li><p><span style="line-height:1.6;">The quickest way to spot an offshore asset protection scheme is to look for those that focus on secrecy or privacy. These can be uncovered by looking at their advertising (guaranteed confidentiality, for example). Companies and people with impressive credentials can be involved. Just because the promoter is a certified public accountant, attorney, or household name does not mean he or she is honest. Look over these advertisements carefully for a reference to the fact that a U.S. citizen cannot just send his or her money offshore. U.S. citizens who create certain foreign trusts — or transfer property to them — must file an Annual Return to Report Transactions With Foreign Trusts and Receipt of Certain Foreign Gifts, IRS Form 3520. Offshore asset protection plans offered by a firm that provides U.S. tax compliance and is capable of answering U.S. questions are more likely to be legitimate.</span></p></li><li><p><span style="line-height:1.6;">Look for what is <em>not</em> there. The IRS' annual reporting requirement is just one kind of document that must be filed by grantors and their representatives. For example, every entity must file its own tax return with the IRS, something that the typical offshore incorporator involved in tax evasion schemes probably fails to mention when a grantor signs up.
There also may be a need to file IRS forms 3520 and 3520-A; each corporation must file IRS Form 5471, as well. Finally, a report must be filed with the U.S. Treasury Department for each bank account held outside of the U.S. where the cumulative balance during the year is more than US$10,000. Many offshore trust fraud schemes avoid filing reports despite steep penalties for a failure to file these documents (the annual penalty for failing to file these various corporate returns is US$50,000 to US$70,000 plus a reduction in the foreign tax credit).</span></p></li><li><p><span style="line-height:1.6;">The IRS is an excellent source of trends, tips, and specific case examples. The IRS Criminal Investigations Division is aggressively targeting abusive trust schemes. The IRS undertakes many initiatives, such as serving "John Doe Subpoenas" on credit card companies, demanding the records of all accounts where the issuing bank is located in a known tax haven and the transactions are in the U.S. Similarly, the IRS is tracking debit cards — despite the fact that offshore companies aiding and abetting the tax evasion claim that use of such cards to withdraw trust funds is legal. The IRS also has been pursuing undercover operations targeting promoters, spending years and "laundering" hundreds of thousands of dollars to develop their cases against the practitioners.</span></p></li></ul>Art Stewart
On the Hunt for Payroll Fraud<p>Payroll can amount to 40 percent or more of an organization’s total annual expenditures. Payroll taxes, Social Security, Medicare, pensions, and health insurance can add several percentage points in variable costs on top of wages. So for every payroll dollar saved through audit identification, bonus savings arise automatically from the on-top costs calculated on base wages.</p><p>Different industries will exhibit different payroll risk profiles. For example, firms whose culture involves salaried employees who work longer hours may have a lower risk of payroll fraud and may not warrant a full forensic approach. Organizations may present greater opportunity for payroll fraud if their workforce patterns entail night shift work, variable shifts or hours, 24/7 on-call coverage, and employees who are mobile, unsupervised, or work across multiple locations. Payroll-related risks include over-claimed allowances, overused extra pay for weekend or public holiday work, fictitious overtime, vacation and sick leave taken but not deducted from leave balances, continued payment of employees who have left the organization, ghost employees arising from poor segregation of duties, the vulnerability of payment data output to the bank for electronic payment, and roster dysfunction. </p><p>Yet the personnel assigned to administer the complexities of payroll are often qualified by experience more so than by formal finance, legal, or systems training, thereby creating a competency bias over how payroll is managed. On top of that, payroll is normally shrouded in secrecy because of the inherently private nature of employee and executive pay. Underpayment errors are less likely to persist than overpayment errors: underpaid employees tend to complain, so the error is corrected, whereas overpaid employees rarely do, so the error goes undiscovered. These systemic biases further increase the risk of unnoticed payroll error and fraud.
</p><p>All these factors mean that assuring payroll controls entails a great deal of audit work, which can easily leave auditors disoriented in the details. Payroll risk’s silver lining is that it can provide opportunities for auditors to uncover actual cost savings and labor productivity gains.  </p><h2>Helicopter Analysis</h2><p>It is tempting to start a payroll review by auditing payroll compliance, such as checking that salary rates are in accordance with appropriately authorized contracts or checking that time sheets agree with clock in/out times. However, internal auditors may add greater value by launching the audit with a top-down analysis of total payroll cost and using that perspective to inform the detailed tests needed to provide assurance about the effectiveness of controls around the most crucial risks. If auditors omit a helicopter overview of payroll data and the payroll process, they risk performing detailed work where it is less needed while missing out on significant discoveries.</p><p> <img class="ms-rteiaPosition-2" src="/2016/PublishingImages/Distribution-of-total-payroll-costs.jpg" alt="" style="margin:5px;" />One way to analyze payroll cost is through a distribution analysis of aggregate salary data. This can be obtained by stratifying 12 months of earnings by individual employees in a distribution chart, to show the composition of salaries across the entire workforce, from the small number of highly paid executives to lower-paid, unskilled labor (see “Distribution of Total Payroll Costs,” right). Typically the distribution will skew to the left because not all employees will have worked a full 12 months. Some employees may have joined or departed the organization during the year, and not all employees will be employed full-time. What this chart shows is how the mean salary level compares to the industry and whether or not the shape of the distribution is what management would expect.
</p><p>An insightful audit test can be to ask management how it expects salaries to be distributed above and below the average. For instance, the two peaks shown in the chart reveal that many employees were paid close to the average (the left peak), while a significant number were paid well above average (the right peak). Further analysis will reveal how this is attributed to additional earnings such as overtime, late night or weekend pay, and allowances. </p><p>Using the same source, departmental data concentrations can be graphed in a bubble chart where each bubble represents a department or cost center (see “Average Total Payroll Cost by Department,” below right). These charts highlight areas for audit questioning, such as where weaknesses in internal control may have permitted some employees to be overpaid.  </p><p> <strong>Remuneration </strong>Payroll data analysis can reveal individuals or entire teams who are unusually well-remunerated because team supervisors turn a blind eye to payroll malpractice, as well as low-remunerated personnel who represent excellent value to the organization. For example, it can identify the night shift worker who is paid extra for weekend or holiday work plus overtime while actually working only half the contracted hours, or workers who claim higher duty or tool allowances to which they are not entitled. In addition to providing management with new insights into payroll behaviors, which may in turn become part of ongoing management reporting, the total payroll cost distribution analysis can point auditors toward urgent payroll control improvements.  </p><p> <strong>Rosters</strong> Process analysis also can help steer the detailed audit test program.
A payroll process overview can encompass how staff duty rosters, or schedules, are kept updated with operational needs, daily time and attendance controls, overtime approval, time sheet data entry, employee sick leave, leave approval, and how internal controls can potentially be overridden. The data on which pay is calculated originates in these often manual subprocesses, which rely on employee honesty and are vulnerable to error and fraud that translate into real payroll dollars.  </p><p>Rosters should be designed to optimize the allocation of employees to operational needs. If done well, rosters should eliminate, or at least minimize, the need for overtime and weekend work. Therefore, if the analysis of earnings across the workforce shows departments where overtime, holiday, or weekend bonus pay is higher than expected, this might indicate roster dysfunction, neglect of internal controls, or under-staffing. The helicopter overview may identify business units that require special audit examination.</p><p> <strong>Process Efficiency </strong>Similarly, the efficiency of the payroll process can be considered. Organizations sometimes run multiple payroll processes across different sites, such as between white-collar and blue-collar workforces or arising from historic business mergers. Efficiency savings may be achievable through collapsing multiple payrolls into a single cycle. At one organization, auditors found that the monthly executive mid-month payroll cycle was easily collapsed into the biweekly cycle, which eliminated 12 pay cycles per annum and removed the risks around paying executive employees half a month’s wages in advance. The changeover also increased the accuracy of attendance and leave recording, because all employees went onto the same fortnightly pay cycle. Permanent efficiency savings like this are a tangible way for internal audit to add value.  
</p><h2>Discovering Diamonds in the Detail</h2><p>Using the helicopter overview to generate insights into the payroll subprocesses most vulnerable to fraud and error can position internal audit to mine the rich payroll data to either assure the board that all is well or otherwise expose potential wrongdoing. Available data likely includes each employee’s start time, finish time, hours worked, location worked, vacation dates, sick time, standard pay rates, night-shift pay rates, overtime pay rates, and allowances. To accommodate the volume of data, payroll systems typically contain a job position master file, employee master file, and time sheet transaction history holding all hours worked as well as leave, which in turn update balances across all leave types. Additionally, the organization’s human resource systems may hold data on performance appraisals, competencies, and disciplinary history that frequently is linked to the employee number used for payroll purposes.  </p><p> <img class="ms-rteiaPosition-2" src="/2016/PublishingImages/Kelly-chart2.jpg" alt="" style="margin:5px;" />The detail inside these databases can reveal hidden information. Who are the highest earners of overtime pay and why? Which employees gained the most from weekend and public holiday pay? Who consistently starts late? Finishes early? Who has the most sick leave? Although most employees may perform a fair day’s work, the audit analysis may point to those who work less — sometimes considerably less — than the time for which they are paid.  </p><p>Joined-up query combinations to search payroll and human resources data can generate powerful insights into the organization’s worst and best outliers, which may be overlooked by the data custodians. An example of a query combination would be: employees with high sick leave + high overtime + low performance appraisal scores + negative disciplinary records. Or, auditors could invert those factors to find the unrecognized exemplary performers. 
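The joined-up query combination described above, as an added example that is not the article's own code: two constructed extracts (payroll and HR) keyed on employee number are loaded into an in-memory SQLite database, and the four factors are applied both ways, for the worst outliers and, inverted, for the unrecognized exemplary performers. Thresholds, column names and all rows are assumptions.

```python
"""Joined-up outlier query across payroll and HR extracts (added example, not
from the article). Both extracts are keyed by employee number and loaded into
an in-memory SQLite database; all rows are constructed sample data."""
import sqlite3

# Constructed payroll extract: (emp_no, sick_hours, overtime_hours) over 12 months.
PAYROLL = [("E001", 96, 240), ("E002", 8, 12), ("E003", 88, 210), ("E004", 4, 0)]
# Constructed HR extract: (emp_no, appraisal_score 1-5, disciplinary_count).
HR = [("E001", 2, 2), ("E002", 5, 0), ("E003", 3, 0), ("E004", 5, 0)]

# Worst outliers: high sick leave + high overtime + low appraisal + negative record.
WORST_SQL = """
SELECT p.emp_no FROM payroll p JOIN hr h ON h.emp_no = p.emp_no
WHERE p.sick_hours >= ? AND p.overtime_hours >= ?
  AND h.appraisal_score <= ? AND h.disciplinary_count >= 1
ORDER BY p.overtime_hours DESC"""

# The same factors inverted: the unrecognised exemplary performers.
BEST_SQL = """
SELECT p.emp_no FROM payroll p JOIN hr h ON h.emp_no = p.emp_no
WHERE p.sick_hours <= ? AND p.overtime_hours <= ?
  AND h.appraisal_score >= ? AND h.disciplinary_count = 0
ORDER BY p.emp_no"""


def build_db() -> sqlite3.Connection:
    """Load the two extracts into tables that join on emp_no."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE payroll(emp_no TEXT PRIMARY KEY, sick_hours REAL, overtime_hours REAL);
        CREATE TABLE hr(emp_no TEXT PRIMARY KEY, appraisal_score INTEGER, disciplinary_count INTEGER);
    """)
    conn.executemany("INSERT INTO payroll VALUES (?, ?, ?)", PAYROLL)
    conn.executemany("INSERT INTO hr VALUES (?, ?, ?)", HR)
    return conn


def worst_outliers(sick=80, overtime=200, appraisal=2):
    """Employee numbers meeting all four adverse factors (thresholds are assumptions)."""
    with build_db() as conn:
        return [row[0] for row in conn.execute(WORST_SQL, (sick, overtime, appraisal))]


def best_outliers(sick=10, overtime=20, appraisal=5):
    """Employee numbers meeting the inverted factors."""
    with build_db() as conn:
        return [row[0] for row in conn.execute(BEST_SQL, (sick, overtime, appraisal))]


if __name__ == "__main__":
    print("worst:", worst_outliers())  # ['E001']
    print("best:", best_outliers())    # ['E002', 'E004']
```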
</p><p>Where audit findings suggest fraud concerns about identified employees, internal audit can add value by triangulating time sheet claims against external data sources such as site access biometric data, company cell phone logs, phone number caller identification, GPS data, company email, Internet usage, company motor fleet vehicle tolls, and vehicle refueling data — most of which contain useful date and time-of-day parameters (see “Data Mining Tips,” below). Before taking this approach, CAEs should consider the audit committee’s risk appetite, internal audit’s data access rights, and local privacy laws.  </p><p>The data buried within these databases can reveal employee behavior, including what they were doing, where they were, and who they were interacting with throughout the work day. Common findings include:</p><ul class="p5"><li>Employees who leave work wrongfully during their shift.</li><li>Employees who work fewer hours and take sick time during the week to shift the workload to weekends and public holidays to maximize pay.</li><li>Employees who use company property excessively for personal purposes during working hours.</li><li>Employees who visit vacation destinations while on sick leave.</li><li>Employees who take leave but whose managers do not log the paperwork, thereby not deducting leave taken and overstating leave balances.</li><li>Employees who moonlight in businesses on the side during normal working hours, sometimes using the organization’s equipment to do so.</li></ul><p>The problems are magnified where supervisors collude with their employees by approving exaggerated time sheets and perpetuate the culture by inducing others to engage in what auditors may see referred to as “custom and practice.” When analyzed systematically and corroborated with other intelligence such as whistleblower information, these disparate data sources can reveal systemic fraud.</p><h2>Making a Difference</h2><p>Often management welcomes audit findings that reveal specific wrongdoing because they provide hard-to-dispute evidence with which to remedy low-performing teams, discipline or terminate unproductive personnel, and sharpen finance and management focus on cost control. These are audits that make an impact.  </p><p>Well-researched and documented audit fieldwork can support management action against those who may have defrauded the organization or work teams that may be taking inappropriate advantage of the payroll system. Simultaneously, internal auditors can partner with management to recover historic costs, quantify future savings, reduce reputational and political risk, improve the organization’s policies, and boost the productivity and morale of employees who knew of the wrongdoing but felt powerless to stop it.</p><table width="100%" cellspacing="0" class="ms-rteiaTable-6" style="height:57px;"><tbody><tr class="ms-rteiaTableEvenRow-6"><td class="ms-rteiaTableEvenCol-6" style="width:100%;"> <p> <span class="s1"> <strong>Data Mining Tips</strong></span></p><p>Downloading and analyzing data across multiple sources is not easy, but doing so can be a worthwhile investment in enhancing audit effectiveness. Depending on internal audit’s organizational status, access to data may need to be negotiated with the relevant custodians, subject to local privacy restrictions and audit right of access.  
</p><p>Once obtained, downloaded data usually arrives in disparate formats, most commonly text (TXT, RTF) or comma-separated values (CSV), which in turn may be imported into Microsoft Excel or other spreadsheet software in ways that impede audit analysis. For example, data containing numbers with slashes or hyphens may be converted into dates, and numbers with colons may be converted into time values. </p><p>Data containing characters that Excel treats as wildcards, such as “*” and “?”, may need to be escaped (by prefixing them with “~”) so that Excel does not treat the character as a wildcard. Numbers with leading zeros, such as telephone numbers, may be imported as integers with the leading zeros truncated, making them difficult to cross-match with a telephone directory.  </p><p> <strong>Time</strong> The data mining envisaged here often involves the analysis of time, which can be complicated in Excel. For analyzing time sheets and clock in/out data, Excel’s DATEVALUE() and TIMEVALUE() functions can assist with converting cells containing a mix of date and time into date-only or time-only values, in either AM/PM or 24-hour clock format, which can then be sorted and analyzed. Excel represents time by treating each second as one 86,400th of a day — that is, 60 seconds x 60 minutes x 24 hours. So 1/86,400 is one second after midnight, 86,399/86,400 is one second before midnight, and 0.5 is midday. Complementary to that, dates in Excel are numbered in positive integer sequence from 1 (Jan. 1, 1900). So logically, the date value is the positive integer and the time value is the decimal component. Both dates and times can then be sorted and used in calculations and pattern-seeking, the results of which can be presented back to management as a candlestick chart showing actual hours worked compared to the day-by-day rostered shift over a period of several weeks or months.  
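The serial-number arithmetic just described, worked through in Python as an added example (not the article's own code): the integer part is the Excel day count from Jan. 1, 1900, the decimal part is the time of day in 86,400ths, and the same arithmetic yields hours worked against rostered hours for a few constructed clock in/out rows. The sample shifts and the 8-hour roster are assumptions.

```python
"""Excel serial date/time handling for clock in/out data (added example, not
from the article). Integer part = days from 1 Jan 1900 (serial 1); fraction =
time of day in 86,400ths. The shift rows at the bottom are constructed."""
from datetime import datetime, timedelta

SECONDS_PER_DAY = 86_400  # 60 seconds x 60 minutes x 24 hours


def serial_to_datetime(serial: float) -> datetime:
    """Convert an Excel (1900 date system) serial number to a datetime."""
    day = int(serial)
    if day == 60:
        raise ValueError("serial 60 is 29 Feb 1900, which Excel counts but never existed")
    # Because Excel counts that phantom day, the epoch shifts by one day after it.
    epoch = datetime(1899, 12, 31) if day < 60 else datetime(1899, 12, 30)
    seconds = round((serial - day) * SECONDS_PER_DAY)
    return epoch + timedelta(days=day, seconds=seconds)


def datetime_to_serial(dt: datetime) -> float:
    """Inverse of serial_to_datetime: integer date part plus decimal time part."""
    epoch = datetime(1899, 12, 30) if dt >= datetime(1900, 3, 1) else datetime(1899, 12, 31)
    delta = dt - epoch
    return delta.days + delta.seconds / SECONDS_PER_DAY


def hours_worked(clock_in: float, clock_out: float) -> float:
    """Hours between two serial timestamps; a finish after midnight still works
    because the date is carried in the integer part."""
    return (clock_out - clock_in) * 24


def variance_vs_roster(rows):
    """rows: (emp_no, clock_in_serial, clock_out_serial, rostered_hours)
    -> {emp_no: actual hours minus rostered hours}; positive means worked longer."""
    return {emp: hours_worked(cin, cout) - rostered for emp, cin, cout, rostered in rows}


# Constructed sample: shifts on 1 Jan 2020 (serial 43831), each rostered for 8 hours.
SAMPLE_ROWS = [
    ("E001", 43831.375, 43831.71875, 8.0),    # 09:00 to 17:15
    ("E002", 43831.375, 43831.625, 8.0),      # 09:00 to 15:00
    ("E003", 43831.91666667, 43832.25, 8.0),  # 22:00 to 06:00 the next day
]

if __name__ == "__main__":
    print(serial_to_datetime(43831.5))      # 2020-01-01 12:00:00
    print(variance_vs_roster(SAMPLE_ROWS))  # E001 +0.25 h, E002 -2.0 h, E003 ~0 h
```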
</p><p> <strong>Telephone numbers </strong>Telephone numbers can present another challenge because Excel automatically imports numeric strings as numbers, whereas auditors may prefer to use telephone numbers as text strings for sorting and lookup. When importing, Excel can also misinterpret the international telephone dialing symbol “+” as a mathematical operator. If telephone call logs are being matched against an electronic telephone directory, the auditor may need to convert all telephone log data into text format to preserve leading zeros; otherwise they will be truncated and mismatched if the imported telephone data is converted to numeric format. To avoid Excel stripping the leading zeros, telephone numbers can be preceded by an apostrophe (‘), using the CONCATENATE() formula, or by using Excel’s TEXT(cell_ref, “#”) formula, where “#” can be substituted with a variety of format syntaxes. Parsing is another technique if data fields contain consistent patterns of numeric and alphabetic data. If all else fails, it may be easier to trim all leading zeros in both the telephone log data and the lookup table by treating both as numeric fields rather than text. Once telephone call data is obtained, it can be traced to available phone number lists. Even Google yields a surprising amount of information if auditors type in a telephone number.  </p><p> <strong>Email</strong> Data associated with email can provide both date and time-of-day transactional information and the content of the written messages themselves. Email software such as Microsoft Outlook often enables users to export entire mailboxes as plain text, comma-separated files, Excel-readable files, and other formats for advanced searching.  </p><p>The above are just some of the ways to scrub data before audit analysis. 
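The telephone-number scrubbing described above, as an added example that is not the article's own code: the CSV extracts are read with every field kept as text (so leading zeros and “+” survive the import), and both the call log and the directory are reduced to a comparable digit string using the fallback the tips suggest, trimming leading zeros on both sides. The directory rows, call-log rows and the country code are constructed assumptions.

```python
"""Matching call-log numbers against a telephone directory (added example, not
from the article). Fields are read as text so leading zeros and '+' survive;
both sides are normalised to digits with leading zeros trimmed. All records and
the country code are constructed."""
import csv
import io
import re

COUNTRY_CODE = "61"  # constructed assumption: every number is domestic to +61

# Constructed directory extract, exactly as a clean CSV export would carry it.
DIRECTORY_CSV = """name,number
Alice Smith,03 9999 0001
Bob Jones,+61 3 9999 0002
"""
# Constructed call log: one number already lost its leading zero to a numeric
# import, one is in 00-prefixed international form, one has punctuation.
CALL_LOG_CSV = """called,started,seconds
399990001,2016-08-01 09:12:00,95
0061399990002,2016-08-01 09:40:00,30
(03) 9999-0003,2016-08-01 10:05:00,12
"""


def normalise(raw: str) -> str:
    """Reduce a number to comparable digits: strip punctuation and spaces, drop an
    international prefix ('+' or '00' plus the country code), trim leading zeros."""
    raw = raw.strip()
    digits = re.sub(r"\D", "", raw)
    if raw.startswith("+") or digits.startswith("00"):
        digits = digits.lstrip("0")
        if digits.startswith(COUNTRY_CODE):
            digits = digits[len(COUNTRY_CODE):]
    return digits.lstrip("0")


def load_directory(text: str) -> dict:
    """normalised number -> name; DictReader keeps every field as str."""
    return {normalise(r["number"]): r["name"] for r in csv.DictReader(io.StringIO(text))}


def match_calls(log_text: str, directory: dict) -> list:
    """[(called, started, name-or-'UNMATCHED')] for each call-log row."""
    return [(r["called"], r["started"], directory.get(normalise(r["called"]), "UNMATCHED"))
            for r in csv.DictReader(io.StringIO(log_text))]


if __name__ == "__main__":
    for row in match_calls(CALL_LOG_CSV, load_directory(DIRECTORY_CSV)):
        print(row)
```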
In the event the data needs to be recreated at a later date — for example, if a legal situation arises — it is helpful to ensure the data-scrubbing methodology is documented in the internal audit workpapers. Over time, this array of cleansed data can become a valuable research lab kept up to date to support future audits. </p><p>Compiling and analyzing data is worth the effort. Findings informed by the organization’s own data become harder to refute. Sometimes findings can be sufficiently startling that management will implement audit’s recommendations quickly and decisively to show they have corrected the problems.  </p></td></tr></tbody></table> <span class="ms-rteiaStyle-authorbio">Christopher Kelly, DProf, FCA, is partner with Kelly & Yang based in Melbourne, Australia. </span><br><span style="line-height:1.6;"><em>Frans Deklepper is senior software engineer at Callista Software Services in Melbourne.</em></span>