Following the Money the Money<p>Money laundering accusations have led Canadian payment processor PacNet to be branded a "significant transaction criminal organization" by the U.S. Treasury Department, <a href="" target="_blank">CBC News reports</a>. Treasury officials say PacNet has acted as a middleman between fraudsters and their victims in a large number of mail fraud schemes. They allege the victims would send money through a partner company to PacNet's processing operation, which would transfer it to criminals through a holding account. The Treasury designation names 12 individuals and 24 entities connected to the payment processor. PacNet claims it was misled by clients.</p><h2>Lessons Learned</h2><p>This story clearly demonstrates that individuals, companies, and institutions are at risk of mail fraud and must take steps to protect themselves as best they can. While the charges involving PacNet have yet to be heard in court, innocent or not, third-party organizations are facilitating a worldwide explosion in mail fraud. </p><p>Here's how these crimes are carried out: To shield their operations from authorities, fraudsters need a way to process payments that won't easily link them to their scheme or raise red flags. Many banks and financial institutions will shut down an account or report it to authorities if they detect suspicious activity such as a high number of small deposits, complaints, or refunds. Instead, con artists and other fraudsters turn to payment processors, most of which have a heavy online presence. </p><p>Payment processors have relationships with banks around the world, and can set up accounts for clients in the countries in which they do business, processing payments in currencies ranging from the British pound to the Indonesian rupiah. This gives fraudsters the ability to access victims and bank accounts in countries far from their home base. These criminals use a wide range of fraud schemes — from lottery prizes to charitable causes to goods and services purchased by companies and institutions — to illegally collect payments that will disappear forever, payments that frequently end up with a payment processor. The processor then deposits the money into an account under its own name and takes a cut as a commission. It holds on to the rest of the funds until they are sent to the fraudster's own bank account, typically through a wire transfer. There are so many layers that victims usually have no idea that a payment processor was involved. </p><p>U.S. regulators and enforcement agencies are on the right track in investigating and taking action against payment processing companies that are implicated in facilitating mail fraud schemes, even where that company is not a U.S. firm. Greater scrutiny and increased penalties would help further.</p><p>But the payment processing industry itself should not step back and take an "it's between the buyer and seller," hands-off approach. The industry appears to be much more focused on potential fraud by customers than that perpetrated by sellers and providers. Processors should take further strides to increase consumer and business education about the risks of mail fraud committed by sellers and to strengthen their knowledge and controls over potential seller fraud, such as by:</p><ul><li><p>Reviewing whether prevailing account-opening procedures are adequate to prevent fraudulent receiving accounts. Some countries, such as South Africa, require that a national fingerprint database be accessed to verify the identity of account holders. Denmark offers a more practical model to follow, in which payment processors and banks have built-in delays that prevent both users and providers from making or receiving payments for several days after opening an account.</p></li><li><p>Using analytics, such as velocity checks and pattern recognition checks, to detect fraud that processors otherwise would not notice. This would include factors such as providers and sellers with connections to high-risk countries, high-risk types of products and services such as lottery sales and solicitations of money for causes, and volumes of complaints. Analytics can be used to flag suspicious recipient account holders, and then place a hold on payments to the account, review transactions, inform customers and regulators, or reject the transactions outright. The use of analytics provides an extra barrier when fraudulent transactions are initiated.</p></li><li><p>Particularly in a real-time environment, an anti-fraud best practice for a payment processor is to calculate the probability of a transaction being fraudulent (also known as scoring transactions) and refer suspicious transactions to the organization's anti-fraud unit or a manager with experience in reviewing such transactions for decision-making instead of blocking the transaction outright. This allows processing operators to capitalize on the fact that they can sometimes detect patterns that customers and businesses might miss, such as a suspicious set of transactions originating from one source and headed for multiple receivers. Few payment processors actually employ such techniques. Many state that they do not have the financial strength to accept liability for fraud cases that may slip through, and some operators have expressed concerns that establishing fraud checks could reduce the incentive of banks to establish effective prevention mechanisms. Nevertheless, and particularly for the largest and most profitable payment processors, these kinds of measures should be included in any set of best practices.</p></li></ul><p></p>Art Stewart0298
Doing a Number on REITs a Number on REITs<p>​The U.S. Securities and Exchange Commission (SEC) has charged two former financial executives of a Phoenix-based real estate investment trust (REIT) with overstating the company's financial performance, <a href="" target="_blank"><em>The Arizona Republic</em> reports</a>. According to the SEC, Brian Block, former chief financial officer (CFO) at American Realty Capital Properties, conspired with the then-chief accounting officer, Lisa McAlister, to manipulate a key cash-flow measure that investors use to evaluate REITs. When the company's accounting department warned that the first quarter results were based on an incorrect accounting method, Block allegedly falsified the company's presentation of its second quarter results to conceal the previous quarter's overstatement and make it appear that the company had met its second quarter estimates. In addition to the SEC charges, the U.S. Justice Department has filed criminal charges against Block and McAlister.</p><h2>Lessons Learned</h2><p>REITs have been an option for investors since the 1980s. Although they potentially are a risk-laden choice — nontraded REITs are even higher risk — many investors have profited significantly from the generally higher movements in the value of properties. But there also has been a rise of fraud by unscrupulous owners, managers, and others, as in this story. To better understand this kind in fraud, and how to prevent and detect it, a little background is needed on how financial and accounting methods are applied to them, including the particular measure called adjusted funds from operations (AFFO). </p><p>Before new accounting rules were adopted in June, it was common for REITs to pay out more than they reported in profit. That is because they were required, under U.S. generally accepted accounting principles (GAAP), to gradually depreciate their property much as a manufacturer depreciates machinery and equipment. The purpose of depreciating an asset under GAAP was to spread the cost over the item's useful life instead of taking the full hit all at once. In the case of REITs, it ended up distorting their bottom lines, making it appear as if they earned less money than they actually did. </p><p>But real estate doesn't depreciate that way. The land doesn't depreciate at all; in fact, if it's well-located, it usually goes up. And the building doesn't really depreciate in the manner that GAAP came up with, predictably over a certain period of time.</p><p>To get around this problem, REITs have used alternative, non-GAAP measures — namely, funds from operations (FFO) and AFFO — to assess their financial performance in a REIT's financial statements. The actual definitions are complex, but FFO is essentially operating profit excluding GAAP-style depreciation and any gains or losses on disposals of properties. AFFO is generally equivalent to FFO less an allowance for maintenance capital expenditures and leasing costs, to reflect the cash a REIT spends to maintain its buildings. In other words, AFFO is the real estate equivalent of profit, and it is a key metric for assessing a REIT's payout ratio.</p><p>There are two ways to deter REIT accounting fraud:</p><ul><li><p> <strong>Tightened regulatory and enforcement framework for REITs.</strong> The two executives in this case allegedly committed accounting fraud when they used a metric that did not comply with GAAP and deliberately inflated the company's results. The SEC asserts that the executives added 3 cents per share to the company's AFFO number and misled investors into believing the company was on track to meet its full-year guidance. As a potentially key deterrent to REIT accounting fraud, the SEC recently has cracked down on made-up numbers and vague language in U.S. publicly listed companies' earnings filings. The SEC has <a href="">updated guidance</a> on the use of metrics that don't conform with GAAP, and companies should expect deeper scrutiny if they fail to comply. The updated rules allow companies to supplement their GAAP numbers with non-GAAP numbers to provide more detail, but they must provide the GAAP numbers first, give both sets of numbers equal prominence, and show how they reconcile.</p></li><li><p> <strong>Good governance by investors, boards, and audit committees</strong><strong>.</strong> Despite his knowledge of a material error in previous SEC filings, American Realty Capital Properties' CFO took no steps to advise the audit committee, board, and outside auditors of the error, which went undetected for some time. All of these parties need to exercise careful, active vigilance and scrutiny of these kinds of numbers, especially because there are relatively few reliable measures of REIT financial performance. They should ask lots of questions when reviewing financial and performance statements, including from a long-term performance trend perspective. </p></li></ul><p></p>Art Stewart0803
Fraud, Abuse, and Corruption,-Abuse,-and-Corruption.aspxFraud, Abuse, and Corruption<p>​I hope the Wells Fargo scam is causing boards, executives, and practitioners everywhere to pause and reflect: Could something like this happen to us?</p><p>If it can happen at a great institution like Wells Fargo, it can probably happen anywhere.</p><p>I have shared questions that boards and others should be asking <a href="" target="_blank">in a couple of posts</a>. They cover issues such as management setting incentive goals that don't appear to be aligned with driving revenue or earnings, why the controls to ensure customers approved the opening of accounts in their name failed, why customer complaints did not lead to identification of the problem, why this was allowed to continue for at least five years, whether management had any idea that the culture of the organization would permit such a pervasive scheme, the role of internal audit, the role of the compliance officer, the effectiveness of whistleblower provisions, and the role of risk management.</p><p>In <a href="" target="_blank">a podcast with MIS Training Institute</a> (which I recommend), I made another point. I think this is critical for everybody to understand.</p><p>I said that when people feel they are able to get away with a minor fraud, they will do something else. The level of fraud may start small but it almost always increases.</p><p>I asked what else has been happening at Wells Fargo.</p><p style="text-align:center;">**********</p><p>The public reaction by the Wells Fargo CEO, John Stumpf, included an observation that the scam only involved at any time about 1,000 people of the 100,000 in the branch network.</p><p>Let's set aside the fact that 5,300 people were fired over a period of five years and this number does not include anybody who was less severely disciplined or not caught.</p><p>Let's set aside the fact that 1,000 people fired in each of the last five years reflects a <em>continuing</em> failure and, to me, indicates a breakdown rather than a one-time failure in controls.</p><p>The point is that he seems to believe that this is a small level of incidence, almost (in my words) an <em>acceptable level of risk</em>.</p><p>I am drawn to agree that this is a low level of failure. I'm not sure it is so low that it would be acceptable.</p><p>Let's talk reality.</p><p>While it looks and sounds good to say that an organization has zero tolerance for fraud, corruption, and a failure to comply with laws and regulations, that zero level is just about impossible to achieve.</p><p>You would need somebody looking over everybody's shoulder all the time to ensure no inappropriate activity was happening, and somebody looking over <em>that</em> person's shoulder to make sure they were watching properly.</p><p>All you can do is have what a prudent person would believe is a reasonable level of control, given the level of risk to the organization of fraud.</p><p>According to studies by the Association of Certified Fraud Examiners, the typical company loses about 6 percent of its annual revenue to fraud. That number includes theft of time, personal use of the company's laptop, and so on.</p><p>Is that an acceptable level? Maybe it is; maybe it isn't. You decide for your company — and consider the cost of reducing the level of fraud risk. Is the cost greater than any reduction in fraud risk?</p><p>The same goes for compliance issues or the activity reported at Wells Fargo. Was a reasonable level of control in place? Could controls have been improved to reduce the risk without incurring substantial cost? I suspect the answer is yes, but we don't know enough of the facts yet.</p><p style="text-align:center;">**********</p><p>But let's also consider other forms of fraud, abuse, and corruption.</p><p>Are these acceptable practices, or are they another form of fraud?</p><ul><li>The CEO of a multi-billion-dollar company approves the funding of a charity of which his wife is the chair. There is no clear benefit to the company, no link to its operations.</li><li>In response to falling revenue and profits, the CEO of another company lays off about 10 percent of the workforce. The board awards him a US$1 million dollar bonus for completing the reduction in force. At the same time, the CEO spends US$1 million dollars to renovate the executive suite of offices.</li><li>A senior manager in IT refuses to provide support for the implementation of a disaster recovery plan because it is not included in his personal objectives.</li><li>The vice president of procurement for Malaysia refuses to follow instructions from the executive vice president (EVP) of procurement (to whom she does not report) and adhere to global contracts with major vendors negotiated by that EVP. Instead, she negotiates successfully with the local subsidiaries of those vendors. While she obtains better prices for Malaysia (for which she and her boss, the president of that region, are rewarded) she puts the corporate contract in serious jeopardy.</li><li>A senior executive decides to hire a friend.</li><li>The chairman of the board puts pressure on the company to select as a director an individual whom he knows will vote his way rather than searching for a director who will add critical expertise.</li></ul><p>All of these are situations where, in my view, individuals put their personal interests ahead of those of the enterprise as a whole.</p><p>They act in a way that brings them rewards but that negatively affects the company as a whole.</p><p>While technically they have not stolen and have not broken any laws, they have acted inappropriately. I will let you decide what to call their behavior.</p><p>But let's be honest: Self-dealing is ripe around the world. Very few are selfless, putting the interests of others ahead of their own.</p><p style="text-align:center;">**********</p><p>So what does this all mean? Where am I going?</p><ol><li>What we have seen at Wells Fargo (based on the few facts we know) is, in some ways, normal human behavior. When people believe that the behavior is encouraged or at least not discouraged and that they will not be caught, they will "game" the system. </li><li>While we focus on fraud, we might be better off focusing on behavior and actions. There are many forms of behavior that will negatively affect the organization.</li><li>We cannot prevent or even detect all actions that result in a loss to the organization. We need to understand all of its forms, the impact and likelihood of each, and ensure that we have the controls in place that provide a reasonable level of assurance that risk is at acceptable levels.</li><li>Management must take ownership of the design and operation of those controls.</li><li>Internal audit should provide assurance on the management of the more significant risks.</li><li>When the level of risk that the controls are failing rises, the root causes must be investigated.</li><li>A low level of fraud, if left alone, will normally grow until it is unacceptable.</li></ol><p>I welcome your views. </p><p> <br> </p>Norman Marks02682
Building on a Foundation of Fraud on a Foundation of Fraud<p>​A U.S. federal court jury in Manhattan has convicted a construction firm executive of fraud connected to the reconstruction of the World Trade Center in New York, <a target="_blank" href="">the Associated Press reports</a>. Prosecutors say Larry Davis and his company DCM Erectors Inc. filed false records attesting that the company complied with rules requiring contractors to hire subcontractors owned by women and minorities. According to prosecutors, the individuals listed as owners of the subcontracting companies were not the legitimate owners of those firms. DCM was awarded more than US$500 million in contracts in 2007 and 2009 to help construct the World Trade Center — which was destroyed in the Sept. 11, 2001, terrorist attacks — as well as an neighboring transportation center.</p><h2> Lessons Learned</h2><p>What is it about minority contracting programs that makes them such persistent sources of fraud and corruption? In New York City alone, investigations into fraudulent hiring of minority- and women-owned subcontractors are so common that they have become something of a specialty for local prosecutors. Overall, it's the rare city or state that hasn't endured a scandal tied to well-intentioned minority contracting regulations. So what can be done from an internal auditor's perspective to improve these kinds of programs and reduce the incidence of fraud?</p><ul><li><p><strong>Conduct regular audits of business development programs and follow up on their results. </strong>The U.S. federal government's program, the <a target="_blank" href="">8(a) Business Development Program</a>, is designed to help minority-owned businesses "build their competitive and institutional know-how." But the Office of the Inspector General's (OIG's) most recent April 2016 audit report, focused on program eligibility, found that 30 of the 48 8(a) Program applicants evaluated did not meet one or more areas of eligibility, based on information in the Business Development Management Information System (BDMIS). For 18 of the 48 applicants, additional information was gathered, and, these firms were approved into the program. However, the remaining 30 firms were approved without fully documenting in BDMIS how all areas of concern regarding eligibility raised by lower-level reviewers were resolved. As a result, the 8(a) Program is experiencing a change in leadership, has begun testing a revised application process, and has shifted responsibilities for continuing eligibility reviews.</p></li><li><p><strong>Tighten program controls, monitoring, and penalties for noncompliance. </strong>This is how these programs are supposed to work: Minority-owned companies register with local agencies that certify both their capability and the makeup of their ownership. In some cases, contracts are set aside for minority-owned businesses. In others, companies with large contracts are expected to subcontract out some percentage of the work to minority-owned subcontractors. But specific monitoring needs to be done to detect the most commonly found illicit behavior, such as:</p></li><ul><p></p><li>Using sham minority subcontractors — shell companies "owned" by minorities that don't have the actual capacity to perform the specified work. These faux contracting operations can make it look as though real work and real cash is flowing to minority-owned businesses, when the money is really being passed through to a nonminority-owned company that may or may not do the work.<p></p></li><p></p><li>Identifying minority-owned companies that allow their names to be used in documents as the source of supplies when the goods actually come from another, nonminority-owned company.<p></p></li></ul><p>Fines and prison sentences also should be increased. In addition, government agencies should require prime contractors to "certify under penalty of perjury" that subcontractors are genuinely minority-owned and are performing work at construction sites, not just "renting" their names to other companies.</p> </ul><p>Some people might point to broader social factors as the root of this fraud problem, such as a lack of capable minority-owned firms in their industry or city — a state of affairs that can lead contractors to look for shortcuts to satisfy municipal requirements — or argue that affirmative action in contracting is vulnerable to fraud because all parties are eager to welcome good news. But effective policing — including audits of program eligibility, monitoring, and sanctions for noncompliance — can improve the situation significantly. </p><p><br></p>Art Stewart0751
Tough Consequences Consequences<p>​Hillside Acres had a thriving parks and recreation department that offered a variety of services to its citizens. Included in these services was a community center that contained an ice rink, fitness center, and gymnasium. The city never tracked the profitability of the center, but the department typically recognized a yearly loss of US$400,000. Eventually, Hillside Acres decided to turn over day-to-day operations of the community center to ABC Co., <br>a local, for-profit entity.  <br></p><p>A rigorous contract was drafted that included a profit-sharing agreement; a right-to-audit clause; and clearly defined expectations of ABC when it came to accounting records, budgets, employing staff, payment of utilities, and assigning the agreement to another party with the city’s consent. <br></p><p>Six months after the contract was issued, the local newspaper published an article about the successful public-private partnership, indicating that ABC achieved its operating goals, installed new ice at the rink, reinstated recreation programs, and enhanced senior citizen programs. Just four months later, ABC assigned its contract with Hillside Acres to CBA Co. without the city’s knowledge or consent. Hillside Acres was never able to definitively identify all of ABC’s owners, but it appeared that some of them also were owners of CBA.<br></p><p>The contract was in effect for a year before Hillside Acres realized it had not received a proposed fiscal budget from CBA. This discovery prompted an internal investigation into CBA and its operation of the community center. Complaints from vendors and employees about unpaid bills began to trickle in. The city then realized that it had been a year since ABC or CBA had provided financial statements. The city demanded those documents, along with payment of overdue bills to vendors and employees. <br></p><p>When some financial information was finally provided to Hillside Acres, it was not in accordance with U.S. generally accepted accounting principles (GAAP), the format agreed on in the contract. Hillside Acres brought in an independent accountant to meet with the vendor and gather the contractual information. <br></p><p>When the accountants requested a copy of the financial statements, CBA indicated it was unfamiliar with GAAP. Its accounting records were maintained by a bartender with no accounting training. CBA was completely unfamiliar with the concept of accrual-basis accounting and had limited accounting records for the months it was operating the community center. <br></p><p>The city’s accountants requested a copy of the bank statements and the bookkeeping records from ABC and CBA for the community center. During the review, the accountants determined that a significant number of transactions had been omitted from the accounting records; other transactions that were included appeared to be grossly inappropriate. This included bank withdrawals that were omitted from the financial records, operating expenses from other venues managed by some of ABC’s and CBA’s owners, ATM withdrawals and retail purchases without a business purpose, and numerous overdraft fees, just to name a few. The accountants hired by Hillside Acres noted that many of these purchases appeared to be Christmas gifts for families of the CBA partners. There also were numerous purchases of cigars and alcohol, as well as payments to an attorney and traffic safety school. <br></p><p>CBA estimated revenue of US$500,000 during a five-month time period. However, only US$130,000 was included in the financial statements. ABC and CBA did not maintain any calendars or records that would indicate what events were held at the community center or the number of participants. As a result, it was impossible to corroborate the estimates. <br></p><p>ABC/CBA management was also unfamiliar with the basics of employment law, particularly with regard to the classification of employees and independent contractors. They had failed to withhold or remit payroll taxes from any of their employees working at the community center during the previous 17 months. The accountants estimated the outstanding payroll tax liability on wages paid by ABC/CBA to be at least US$50,000 before penalties and interest. <br></p><p>CBA management identified at least US$235,000 in overdue bills payable to various vendors including their utility provider; the accountant hired by Hillside Acres determined that the actual amount due was at least US$311,000. The city worked with CBA and its utility provider to agree on a payment schedule, but CBA never made the first payment due. <br></p><p>The city hired a consultant with extensive parks and recreation experience to conduct an operational review of the community center. He determined that the ice at the rink was overdue for replacement and that Hillside Acres was risking significant damage to the floor and piping at the rink. He also indicated that the building needed to be thoroughly cleaned, and he determined that the insurance purchased by ABC and CBA did not meet the requirements specified in the contract. He presented his findings at a city council meeting as the accountants were concluding their review. Shortly thereafter, Hillside Acres canceled its contract with CBA. <br></p><h2>Lessons Learned </h2><p></p><ul><li>Organizations should have procedures in place to monitor vendor contracts. A specific employee should be designated the contract administrator, should be provided with a copy of the contract, and should be responsible for acting as a liaison between the contracting parties. Noncompliance with contract terms should be immediately brought to the attention of both contracting parties for corrective action. </li><li>Because of poor accounting practices, no one at ABC, CBA, or Hillside Acres was able to determine how much revenue was earned and the amount of cash collected by the community center. These missing records permitted CBA and ABC to obscure the profitability of the center, thereby denying Hillside Acres its due portion of the net profits. It is important that both contracting parties work together to design and understand the internal controls in place, particularly over the cash receipts and revenue cycles.  </li><li>ABC and CBA maintained complete control over the financial records of the community center. As a result, they were able to easily disguise inappropriate expenditures that were paid using community center funds. Fraudulent payments would have been rapidly detected if a contract administrator or other appropriate professional was responsible for reviewing original financial records, such as bank statements. </li><li>Vendor contracts need to include an audit clause that clearly states who is responsible for paying the cost of the outside auditor and if this responsibility can change depending on the results of the audit (i.e., if there are audit findings, make the vendor pay for the cost of the audit). Sadly, the city was responsible for the external audit fees.   </li></ul>Jenell West1706
Is Houston Another Place Where Oversight Goes to Die? Houston Another Place Where Oversight Goes to Die?<p>​In a disappointing, but not surprising move, the Houston Independent School District failed to renew the contract of its chief auditor last week. Richard Patton, whose two-year tenure at the school district was marked by success in turning around a struggling internal audit function, fell victim to an all-too-common danger for conscientious practitioners.</p><p>Simply put, Patton was let go for doing his job.</p><p>Patton was suspended by the district in March for unspecified allegations of misconduct and was allowed to return to work in a diminished capacity in August. Despite requests by Patton's attorney, the district has refused to make public the investigation, which cost the district a reported $17,000, so the reasons for his suspension remain unclear.</p><p>What is clear is that Patton found problems with the district's oversight of its massive US$1.9 billion construction bond program. An audit of the program pointed to poor oversight and lack of controls as the cause for US$211 million in cost overruns, not inflation as the district's manager's claimed. An outside audit has verified the oversight problems identified by Patton and his team but also found inflation contributed to the overruns.</p><p>What is more troubling are additional details that came out as part of a lawsuit Patton filed within days of his return to work. Patton and his attorneys have said he was suspended after notifying the Federal Bureau of Investigation, the Houston Independent School District (HISD) police chief, and the Harris County District Attorney's Office about possible illegalities in the district's construction contracts, according to published reports. </p><p>If Patton's concerns about illegalities in construction contracts are accurate, the folly of the district's actions raise a troubling concern that someone is trying to cover up illegal acts.</p><p>The reprehensible treatment of an accomplished internal auditor doing his job should be troubling to any practitioner. It should be equally appalling to the taxpayers of Harris County, where Houston is the county seat.</p><p>The watchdog role of internal audit in government is well-established, and history is replete with examples of its work serving the public interest. Internal auditors often shine the light on fraud, waste, and abuse in government. It has been said that light is the best disinfectant. But from a distance, it appears the Houston school district is allergic to disinfectants.</p><p>The district's board of trustees have exhibited highly disturbing behavior on multiple levels. Aside from the prima facie case of retaliation against Patton, they likely wasted US$17,000 on a suspicious investigation, then they doubled down on that debacle by refusing to say what the investigation found. It is time to make its findings public. If there is no basis in the investigation for the actions that have been taken against Patton, then those who ordered the taxpayer-funded witch hunt should be held accountable.</p><p>I fear that the board of trustees will continue on their misguided journey when it comes time to hire a new chief auditor. Over my four decades in internal auditing, I have seen how this scenario plays out. The board will seek to hire someone who will fill the role in name only, not in function. They showed they have little interest in learning the objective truth about the district's operations when they "shot the last messenger." Does the school district want to be saddled with the reputation of being the place where oversight goes to die?</p><p>Even if by some quirk of circumstance or conscience the board sees the errors of its ways and genuinely seeks to find a suitable replacement, the school district's reputation will precede it, making it harder to find a qualified and independent professional to take on the role of HISD chief auditor.</p><p>I must also speak up for Patton, whose reputation has been sullied by the worst kind of political retribution. By all accounts Patton is a highly qualified and respected internal audit professional. I do not question for a moment his exercising his right to seek legal recourse in this case. As I've previously written, some government CAEs who have taken their complaints to the courts have told me that it was crucial that they do so in order to clear their name and professional reputation after public officials had besmirched them.</p><p>The first step in clearing Patton's name should be for the school district to make public its investigation and allow Harris County taxpayers to decide for themselves who truly was acting in their best interest. I'm certain when all is said and done, Richard Patton will be able to hold his head high.</p><p>As always, I welcome your comments. </p>Richard Chambers05389
Conflicts of Interest Can Be Hazardous of Interest Can Be Hazardous<p>U.S. federal prosecutors say a Tennessee state representative profited from a cigarette tax increase he had championed, then failed to pay taxes on his windfall, according to <a href="" target="_blank">an Associated Press report</a>. At his trial in Knoxville, Tenn., prosecutors said Rep. Joe Armstrong bought more than US$250,000 worth of tax stamps at the old 20 cent a pack rate and sold them at a profit when the tax rate increased to 62 cents a pack in 2007. According to prosecutors, Armst​rong sought to withhold paying taxes on more than US$300,000 in profits so he would not appear to be benefiting from tobacco sales at a time when he was chairman of the Tennessee House Health Committee. Armstrong's attorney argued that buying and selling tax stamps is not illegal, and he claimed that Armstrong's tax accountant didn't turn over the tax owed to the U.S. Internal Revenue Service.</p><h2>Lessons Learned</h2><p>This story raises important issues regarding the need for strongly designed and rigorously monitored conflict of interest/ethics rules and processes. Internal auditors should be mindful of such regimes when assessing their adequacy. Although a Tennessee lawmaker is in legal trouble for not paying taxes on profits he made from a cigarette tax hike he had a hand in designing and supporting, some people would argue that his alleged crimes go much further than tax evasion. Indeed, his actions amounted to a form of insider trading — profiting from inside knowledge of the scope, materiality, and timing of the tax hikes he possessed as a member of the legislature.</p><p>So what might be done to create a strong ethics regime and better detect and prevent this kind of fraud? Here are four essential measures in the context of the U.S. states and this story:</p><ul><li><p><strong style="line-height:1.6;">Clearly define what a conflict of interest is. </strong> <span style="line-height:1.6;">Whether it be in a state constitution, statute, or rule, all 50 states address the potential of conflicts of interests for legislators. Definitions of </span> <em style="line-height:1.6;">conflict of interest</em><span style="line-height:1.6;"> usually specify that a legislator may not obtain a personal or private interest or gain financially from votes or their legislative duties. This is where the Tennessee legislator allegedly let his constituents down.</span></p></li><li><p><strong style="line-height:1.6;">Disclosure, especially regarding financial interests, is a fundamental element of addressing conflict of interest. </strong> <span style="line-height:1.6;">All but three states require legislators to disclose information about their outside income. Actual amounts need not be reported, but many states have a monetary threshold or list amount categories, which typically include legislators' income, occupations, business relationships, and property. Notably, Tennessee does not require disclosure of property interests, a gap the state should consider correcting. Most states also require lawmakers to state their occupation, the sources of their income, the names of corporations in which they hold a position such as director or officer, the addresses of their property, the names of creditors and debtors, and the names of businesses in which they hold a financial interest.<br><br> Many states also require disclosure to meet client identification requirements, including the names of accountants used by legislators. However, Tennessee is one of the states that does not require this information to be disclosed. Other measures implemented by states include creditor and debtor requirements, criminal penalties for public corruption or violation of ethics laws, gift and honorarium requirements and restrictions, household member requirements, and disclosure of lobbyist connections and state government connections.</span></p></li><li> <strong style="line-height:1.6;">Establish clear, comprehensive regulations and procedures for legislators to follow when faced with a potential conflict of interest.</strong><span style="line-height:1.6;"> In most states, legislators can turn to specific regulations and procedures on when and how to handle the conflict, including when legislators must recuse themselves from voting. In Tennessee — and this is typical of most states — conflict of interest rules for state senators say that, "When a member of this body arises to address himself to a bill, section thereof, or amendment in which he has a personal interest, he shall state to the Speaker and members of the body 'that it may be considered that I have a degree of personal interest in the subject matter of this bill, but I declare that my argument and my ultimate vote answer only to my conscience and to my obligation to my constituents and the citizens of the State of Tennessee.'" That rule does not apply to Tennessee state representatives such as the one in this case.</span><p></p></li><li><p><strong style="line-height:1.6;">Put in place a state ethics commission, along with standing Senate and House committees, with the authority to fully address conflict of interest issues. </strong> <span style="line-height:1.6;">The powers and duties of state ethics commissions include the authority to develop forms and manuals, examine reports and monitor compliance, subpoena witnesses, issue advisory opinions and orders enforceable in court, conduct ethics training, and issue annual reports. Most states (including Tennessee) have a standing legislative ethics committee in both the House and Senate. These committees can hear complaints of ethics violations by legislators, investigate the complaint, and impose a penalty.</span></p></li></ul><div><span style="line-height:19.2px;">​<br></span></div>Art Stewart01426
Fraud Detection Failure Detection Failure<p>​A report from Utah's legislative auditor general criticizes the Office of the State Auditor for failing to detect a US$1 million embezzlement fraud that took place over 10 years,​ <a href="" target="_blank"><em>The Salt Lake Tribune</em> reports</a>. In April, the state auditor's office reported that a former administrative assistant at the Utah Communications Authority (UCA) and her daughter had charged personal expenses on the agency's credit cards and covered it up by creating fake documentation. A separate performance audit of the agency by a private contractor found significant lapses in the UCA's financial oversight and recommended a state legislative review. Although the legislative auditor report holds the UCA ultimately responsible for failing to detect the fraud, it points out that​ a 2010 state audit had raised red flags about credit-card transactions that could not be verified due to missing receipts. The report faults the state auditor's office for failing to perform a more in-depth review that could have enabled auditors to detect the fraud sooner.</p><h2>Lessons Learned</h2><p>This story provides a good opportunity for internal auditors to consider not only what constitutes "a thorough review of financial statements," but more broadly what distinguishes fraud from negligence versus "following the rules as prescribed." Numerous news stories and reports continue to appear regarding both fraud and negligence cases involving professional advisers — from property and asset valuers, to fund and asset managers, to IT professionals — and also auditors themselves. For example, there is an ongoing US$1 billion lawsuit against PricewaterhouseCoopers over the thoroughness of its audits of the bankrupt investment firm MF Global. Napoleon is often credited with the adage, "one should never attribute to malice that which can be adequately explained by incompetence." But what would he say when we potentially find both, as in this story?</p><ul><li><p> <span style="line-height:1.6;">Generally, to establish negligence it must be shown that no member of the alleged negligent profession acting with reasonable skill and care would have acted as the negligent party did. Here, a significant fact in the story is that "The state auditor's 2010 annual financial audit reported that 13 of 36 credit card purchases — 36 percent — on a randomly sampled monthly statement lacked receipts. Without receipts or greater probing, the new report said, the state auditors could not validate the purchases." What do the governing audit and accounting standards say? Acc​ording to U.S. Generally Accepted Accounting Principles, an unqualified audit opinion should only be issued where "There is adequate disclosure of all material matters relevant to the proper presentation of the financial information subject to statutory requirements, where applicable" (one of four criteria). Whereas, a qualified audit opinion should be issued "when the auditor is unable to obtain audit evidence regarding particular account balance, class of transaction, or disclosure that does not have pervasive effect on the financial statements."</span></p></li><li><p> <span style="line-height:1.6;">I have reviewed several of the related financial audits of the UCA conducted by the state auditor's office, and none contained qualified opinions. It does appear that some form of "management letter" communication of the problem of missing receipts took place after the 2010 financial audit. Perhaps the overall materiality of the missing credit card receipts fell below a judged minimum, but for one-third of a required documentation to be missing is undoubtedly a fraud red flag, and a stolen amount of more than US$1 million is certainly material. Also, a private contractor's review of internal control over the UCA's financial statements disclaims any provision of an opinion of the effectiveness of the UCA's internal controls (as can be standard practice).</span></p></li><li><p> <span style="line-height:1.6;">I agree with the Utah legislative auditor general's observation that had the state auditor exercised "greater professional skepticism by recognizing its broader responsibility, accepting only original documentation, recognizing aggravating risk factors, and conducting a more thorough follow-up of the issue in 2011," the fraud might have been detected much earlier than after 10 years. Recognizing that all organizations have limits with respect to priorities, time, and money, where I have difficulty in this case is how auditors fell short in detecting a long-term fraud. Perhaps "negligence" is too strong a term, but this may be an opportunity for both strengthening audit guidance in the context of fraud detection, and for the audit profession to pursue leading practices.</span></p></li></ul><p>What do you think?​</p>​Art Stewart01301
Yellow Card for Youth Sports Card for Youth Sports<p>​A recent <a href="" target="_blank"> <em>New York Times</em> article reports</a> on the hundreds of fraud cases involving youth sports officials in the U.S. Nationwide, local youth sports officials have been arrested and convicted of embezzlement and other corruption. The National Center for Charitable Statistics notes that the 14,000 U.S. youth sports organizations have revenues of US$9 billion, while the <em>New York Times</em> report finds that local leagues have become "quasi-professional enterprises" with budgets that can exceed US$250,000 annually. Despite the amounts of money involved, the organizations typically lack oversight and regulation, the article points out.</p><h2>Lessons Learned</h2><p>It should not be surprising to hear about this sad story involving fraud in youth sports organizations. Nonprofits are at a greater risk of fraudulent activity than many other types of organizations, and every variety of nonprofit organization is at risk. Bearing in mind the major constraints faced by nonprofits — limited funds, volunteer staff and turnover, a lack of business and financial expertise, and individuals having wide access to financial and other assets — here are some practical suggestions for addressing fraud:</p> <span style="line-height:1.6;"> <ul><li><p><strong>Become fraud-savvy.</strong> Nonprofits are trust-based organizations designed to bring out the best in staff and volunteers. Moreover, many nonprofits used to handle instances of fraud or embezzlement quietly in order to avoid unwanted attention and embarrassment. This is no longer an option, and not only because fraud is on the rise. In 2008, the U.S. Internal Revenue Service (IRS) implemented regulations designed to enable the public to more easily evaluate how effectively larger nonprofits manage their money. Tax-exempt organizations whose gross receipts are greater than or equal to US$200,000, or whose assets are greater than or equal to US$500,000, are subject to additional disclosure requirements on their IRS Form 990 concerning embezzlement or theft. Specifically, these organizations are now required to publicly disclose any embezzlement or theft that exceeds US$250,000, five percent of the organization's gross receipts, or five percent of its total assets. Nonprofits may not want to go too far into an atmosphere of mistrust by introducing too many rules and controls, but they do need effective measures that both reward ethical behavior and reduce temptation. They should also cultivate transparency. This means that financial data and organizational policy and direction are maintained and communicated regularly, such as on the organization's website, so that stakeholders can, at any time, get a clear picture of the organization's operations. At the same time, this conveys a positive yet watchful message to employees and volunteers. Nonprofits also need to establish fraud and code of conduct policies as part of their fraud-savvy culture. When fraud does occur, offenders must be prosecuted, rather than sweeping cases under the rug.</p></li><li><p><strong>Establish a minimum of internal controls, especially over financial and other assets.</strong> Some form of segregation of duties is key. We are all familiar with the need to require multiple layers of approval to make it more difficult for embezzlers to steal from the organization, as well as requiring two signatories on every check and two different signatories on every authorization or payment over a certain amount. Where a nonprofit is too small to effectively implement a double signatory/authorization policy, it should designate two volunteer officers or directors for the double sign-offs. Even for small nonprofits, all check, credit card, and cash disbursement requests should be accompanied by an invoice or other document showing that the payment or disbursement is appropriate. Again, the person making the payment should not be the same person authorizing its use. Similarly, a different volunteer should be responsible for reconciling bank statements and reviewing credit card statements, as well as receiving, depositing, recording, and reconciling the receipt of funds. Wherever possible, all contracts should be approved by someone uninvolved and personally uninterested in the transaction and, larger contracts should be the product of competitive and transparent bidding. At least annually, the organization should perform a fixed-asset inventory to ensure that no equipment or other goods are missing.</p></li><li><p><strong>Recruit and manage human resources well.</strong> A balanced representation within the ranks of volunteers and leaders, such as recruiting individuals with financial, audit, or business expertise in the subject matter of the nonprofit, can help prevent fraud. At a minimum, when recruiting new volunteers and leaders, organizations should ask for and review their resumes as well as conduct background checks. This can unearth things such as undisclosed criminal records, prior instances of fraud, and heavy debt loads that can make it more likely that a volunteer or leader might succumb to fraud. The Association of Certified Fraud Examiners reports that six percent of embezzlers have been convicted of a previous fraud-related offense.</p></li><li><p><strong>Provide proper supervision.</strong> Fraud happens as a result of need and opportunity. Organizations shouldn't put staff or volunteers in tempting positions, such as where excess cash is on hand, or one person is solely responsible for balancing cash. Someone who refuses to take vacation can appear to be dedicated but actually may be hiding a pattern of fraud, so a mandatory vacation policy is a good idea. Organizations also should watch out for volunteers or employees who are disgruntled, especially about pay, roles and responsibilities, or recognition. Those who feel undervalued can rationalize taking from their organization.</p></li><li><p><strong>Embrace the audit concept.</strong> Nonprofits often resist external audits because of the associated costs, and media and donor attention on costs often reinforce this reluctance. But fraud prevention — whether through audits, supervision, or internal controls — can actually save money that otherwise would be lost. If feasible, nonprofits should undertake regular external audits to ensure that their management oversight and controls are effective. If conducting a full assurance engagement is not feasible, nonprofits could request a review of their financial information. Such a review engagement typically costs less than a full audit, and it can still help determine whether the nonprofit's financial information is plausible or has discrepancies that bear a closer look. Organizations also should establish an audit committee on their boards of directors, containing at least one person familiar with finance and accounting, to serve as the primary monitor of anti-fraud measures. In lieu of an audit committee, small nonprofits should consider putting a financially knowledgeable person on the board to serve a similar function. Another alternative is to bring in outside expertise, such as public accountants experienced in conducting fraud audits and attorneys experienced in evaluating and enhancing internal controls as well as training staff on best practices. Such individuals may be willing to volunteer their time.</p></li><li><p><strong>Establish a whistleblower system.</strong> Nonprofits should encourage the reporting of suspected wrongdoing to a designated trusted board member. This is a low-cost but potentially effective method of uncovering fraudulent activity, especially where nonprofits must rely on volunteers of varied backgrounds and participation.</p></li></ul></span> <p><span style="font-size:12px;line-height:1.42857;">​</span><br></p>Art Stewart0653
Fraud and Related-party Transactions and Related-party Transactions<p>​Individuals who use their positions to secretly benefit themselves at the expense of their employers betray the trust of the organizations that employ them. Often, these transgressions take the form of undisclosed related-party transactions, where the individuals who approve the transactions for their organizations also benefit personally from them.  <br></p><p>Internal auditors need to identify the red flags of related-party loans, sales, and purchase transactions that indicate fraud (see “Red Flags of Related-party Transactions” at the end of this article). The case studies herein illustrate common methods used to commit various frauds. By identifying the red flags in these cases, internal auditors can improve their ability to recognize related-party fraud risks. <br></p><h2>Loans<br></h2><p>The vice president of finance at a service company borrowed US$50,000 from the organization. The note states that it is a zero-interest loan with no collateral or due date. Accounting records and financial statements present the loan as a regular note receivable without disclosing the related-party nature of the note. The vice president also used her position to make the company a guarantor on one of her other personal loans.<br></p><p>Key risks in related-party loan transactions include: <br></p><ul><li>Providing loans to senior management, other employees, or board members at below-market interest rates or under terms they could not get in the marketplace.</li><li>Failing to disclose the related-party nature of the loan. </li><li>The organization providing guarantees for private loans made by employees or board members.</li></ul><p></p><p>In all of these risk areas, the favorable terms benefit the employee at the expense of the organization. </p><p><strong>Internal Audit Procedures</strong> To identify undisclosed loans to senior management, board members, and employees, the internal auditor could search for related-party loans using data analysis to compare the names on all notes receivables and accounts receivables with employee names from payroll records and board member names from board minutes. If a match occurs, the auditor should assess whether the related-party transaction was appropriately authorized and <br>disclosed in the accounting records and financial statements.<br></p><p>Auditors also could search for undisclosed related-party loans by examining the interest rate, due dates, and collateral terms for notes receivables. Notes receivable containing zero or unusually low interest rates, or requiring no due dates or insufficient collateral, may indicate related-party transactions. The internal auditor also should examine advances made to customers or others who owe money to the organization. Organizations generally do not advance money to others who owe them money unless a related-party relationship exists.  <br></p><h2>Sales<br></h2><p>A sales agent for a manufacturing company sold a significant amount of goods at a substantial discount to XYZ Supply, a company he owns but has not disclosed the conflict of interest. XYZ Supply, in turn, sold the goods at market rates, thereby providing him with a profit. XYZ returned goods it was unable to sell months later for reimbursement. XYZ did not pay accounts receivable for several purchases, and the sales agent persuaded the credit department manager to write off the related receivables. <br></p><p>Key risks for related-party sales include employees: <br></p><ul><li>Selling products or services significantly below market price or providing beneficial sales terms that ordinarily would not be granted to arms-length customers. </li><li>Inflating sales for bonuses or stock options using related parties to perpetrate the scheme. Either a sale really has not taken place because the goods were not shipped or there was an obligation to repurchase the goods sold so the sale was incomplete.  </li><li>Approving excessive sales allowances or returns as well as accounts receivable adjustments or write-offs for related parties. </li></ul><p><br>In an effort to cover up the related-party transaction, employees may deny auditors access to customers to impede them from acquiring audit evidence concerning the related-party relationship. <br><br><strong>Internal Audit Procedures</strong> Internal auditors should perform analytical procedures to compare price variations among customers to identify those who pay significantly below the average sales price. Auditors also should identify any customer who pays prices that differ from the approved price sheet. Customer contracts should be analyzed for unusual rights of return, obligations to repurchase goods sold, and unusual extended repayment terms. Analytical procedures to identify customers with excessive returns, sales allowances, account receivable adjustments, or write-offs also should be performed. Any variances in these areas could indicate undisclosed related-party transactions.<br></p><p>Data analysis can be used to compare employee addresses, telephone numbers, tax identification numbers, and birthdays with customer addresses, telephone numbers, tax identification numbers, and company organization dates. When creating a shell company, many individuals use their own contact information for convenience and their own birth date as the organization date because it is easy to remember. Any matches could indicate a related-party association and should be investigated.<br></p><h2>Purchases</h2><p>A purchasing agent for a manufacturing company buys goods for his employer from a company he secretly owns, ABC Supply. For many of the purchases, the prices significantly exceed normal market prices, allowing the purchasing agent to make a personal profit on the difference between what his company pays for the items and what he charges his employer. For other purchases, the product quality is inferior for the price paid because he purchases poor quality goods at a low price, then sells them to his employer at market rates, allowing his company to profit from the transaction.<br></p><p>Key risks for related-party purchases are: <br></p><ul><li>Paying prices significantly above market for goods or services. </li><li>Receiving significantly below average quality goods or services that are purchased at market prices for high-quality goods or services. </li><li>Never actually receiving the purchased goods or services. </li></ul><p><br><strong>Internal Audit Procedures</strong> Auditors should compare cost variations among vendors to identify those whose costs significantly exceed the average cost. For identified variances, auditors should discover why the cost variations occurred to assess whether a related-party relationship exists.    <br></p><p>Similar to the audit of customers, auditors should compare the employee’s address, telephone number, tax identification number, and birth date to vendors’ information to see if a relationship exists. Auditors also should assess the use of sales intermediaries for products they can purchase directly from the manufacturer at lower costs.  <br></p><h2>Finding Process failures</h2><p>In reviewing their organization’s documentation, internal auditors may find that the organization does not have in place any policies or procedures prohibiting related-party relationships or transactions without prior approval. The organization also may not provide training to employees around related-party relationships and transactions, or require employees to certify whether they are involved in any conflicts of interest with the organization.   <br></p><p>Organizations should maintain written policies and procedures defining the process for obtaining approval for related-party relationships and transactions. Key risks exist if: <br></p><ul><li>Written related-party policy and procedures are nonexistent or insufficient. </li><li>Employees are not required to certify regularly whether they have a conflict of interest. </li><li>Related-party transactions are not approved in accordance with established organizational policies and procedures. </li><li>Related-party transactions are approved with exceptions to organizational policies and procedures.  </li></ul><p><br><strong>Internal Audit Procedures </strong>The internal auditor should review approved related-party policies and procedures documentation. If related-party policies or procedures don’t exist or if they don’t sufficiently mitigate the risk of unauthorized or inappropriate related-party relationships or transactions, the auditor should consult with senior management and the board, if necessary, to develop appropriate policies and procedures.    <br></p><p>Auditors also should review conflict of interest statements. If an employee documents a conflict of interest in his or her statement, the internal auditor should assess whether the conflict of interest was appropriately authorized and whether the process recognizes and discloses conflicts of interest.<br></p><p>Board minutes should be reviewed for authorization of related-party relationships or transactions conducted by or on behalf of senior management and board members. Auditors also should review documentation of senior management approval for related-party relationships or transactions of non-senior management employees. While reviewing this documentation, internal auditors should assess whether the organization made exceptions to its written policies or procedures during the authorization process. If exceptions were made, the auditor should assess the business purpose and reasonableness of the exception.<br></p><h2>Coordination</h2><p>To minimize duplication of effort and to ensure appropriate coverage of related-party risks, the CAE should coordinate activities and share information about those risks with external and internal service providers (see IIA Standard 2050: Coordination). Independent auditors generally are required to consider related-party risks when conducting audits. For example, the International Federation of Accountants’ International Standard on Auditing 550 states the independent auditors’ responsibilities to specifically address related-party transactions and relationships. <br></p><p>In the United States, the Public Company Accounting Oversight Board’s Auditing Standard (AS) 18 requires independent auditors to evaluate related-party relationships and transactions (AS 18 will be renumbered as AS 2410 effective Dec. 31, 2016). By working with the independent auditors, internal auditors could help identify related-party risks that may have a material effect on the financial statements and related required disclosures, while at the same time identifying related-party risks that may fall below the threshold but are still significant to the organization.<br></p><p>The CAE also should consider government regulatory or contractual requirements that may prohibit certain types of related-party transactions or relationships. Internal auditors should work closely with their organization’s compliance, risk management, and legal departments to identify related-party risks and assure that these risks are being monitored and mitigated appropriately.<br></p><h2>Reducing Risk</h2><p>Internal auditors can uncover undisclosed conflicts of interest by recognizing red flags associated with related-party relationships and transactions. Where red flags exist, internal auditors should assess the nature of the transactions and ascertain whether the related-party transactions were authorized appropriately. By discovering unauthorized related-party transactions and assessing related-party policies and processes, internal auditors can identify deficiencies and recommend policy and process improvements to reduce the risk of future unauthorized related-party transactions and relationships.       </p><table width="100%" cellspacing="0" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<strong>Red Flags of Related-party Transactions</strong><br><br>When reviewing related-party transactions, auditors should be aware of the red flags that may indicate fraud is taking place.<br><br><strong>Loan Frauds</strong><br><ul><li>Loans to officers, board members, or employees.</li><li>Interest-free loans.</li><li>Insufficient collateral for loans.</li><li>Loans without fixed repayment terms.</li><li>Loans to parties who cannot repay.</li><li>Providing funds to pay uncollectable loans or receivables.</li><li>Inappropriate guarantees of personal loans.</li><li>Accounting records and financial statement receivables and financial statement disclosures that fail to disclose the related-party nature of the loans.</li><li>Denied access to borrower to acquire audit evidence.</li></ul> <br><strong>Sales Frauds</strong><br><ul><li>Sales prices significantly below market prices.</li><li>Sales prices below market to sales intermediary with no apparent business purposes.</li><li>Unusual rights of return.</li><li>Obligation to repurchase goods sold.</li><li>Unusual extended repayment terms.</li><li>Excessive sales allowances or returns for a customer.</li><li>Bill and hold sales.</li><li>Unapproved or undocumented accounts receivable adjustments and write-offs for a customer.</li><li>Denied access to customers to acquire audit evidence.</li></ul><br><strong>Purchasing Frauds</strong><br><ul><li>Costs significantly above market prices. </li><li>Paying premium prices for generic products.</li><li>Costs above market from a sales intermediary with no apparent business purpose.</li><li>Unusually large amounts of usage and scrap in production due to faulty materials.</li><li>Denied access to vendor to acquire audit evidence.</li></ul></td></tr></tbody></table><p></p>James A. Bailey13704

  • TeamMate_Oct2016_Prem1
  • IIA BookstoreRiskyBusiness_Oct2016_Prem 2
  • IIA LearningOnDemadd_Oct2016_Prem 3



Six Steps to an Effective Continuous Audit Process Steps to an Effective Continuous Audit Process2008-02-01T05:00:00Z2008-02-01T05:00:00Z
Focusing on the Wrong Line of Defense on the Wrong Line of Defense2016-10-14T04:00:00Z2016-10-14T04:00:00Z
Understanding the Risk Management Process the Risk Management Process2007-05-01T04:00:00Z2007-05-01T04:00:00Z
Internal Audit and the Internet of Things Audit and the Internet of Things2016-10-06T04:00:00Z2016-10-06T04:00:00Z