NFL Players Tackled by Fraud<p>An investment adviser who provided services to professional athletes, including members of the National Football League (NFL), has pleaded guilty to wire fraud and filing a false tax return, according to <em><a href="">Forbes</a></em>. Between 2008 and 2013, the adviser converted and misappropriated US$2.9 million from clients and failed to report the misappropriated funds to the Internal Revenue Service. According to court documents, the investment adviser directed his clients to sign an agreement that gave him access to their accounts. He then used that access to divert funds for his own personal benefit. The adviser is scheduled for sentencing in January.</p><h2>Lessons Learned</h2><p>Identity theft, tax fraud, and wire fraud in professional sports, not just the NFL, may be more prevalent than one might think. In the last year alone, there have been several high-profile, large-dollar fraud cases involving players in the NFL, Major League Baseball, National Hockey League, and other professional sports organizations. Professional athletes may be one of the more vulnerable target groups for fraud, given their overarching dedication and time devoted to their chosen sport, as well as a strong desire to accumulate and maintain their wealth for a less certain future once their professional careers are over.</p><div>The <em>Forbes</em> news story includes several helpful tips to guide individuals toward enhanced basic protection against identity fraud. But alone, these are not enough to ward off the kind of exploitation seen in the NFL case. Here are suggestions for additional measures to help detect and deter professional sports industry fraud.</div><div><br></div><div><ul><li>Take a closer look at strengthening codes of ethics for professional sports. 
These codes tend to predominate in areas where government is involved, such as the Olympics, but are less consistently in place across the spectrum of professional sports. Where they do exist, codes of ethics tend to focus on issues of cheating, as well as the health and physical safety of athletes. Protection of the financial security of professional sports players should be an additional consideration. Moreover, owners, sports associations, and others in the sports industry could consider measures aimed at better self-regulation, addressing appropriate expectations of behavior for sports agents/financial advisors. Such groups, for example, could establish a registry of accredited individuals and companies whose track record has been validated against established standards and competencies.<br></li><li>Government needs to keep increasing the pressure on those intent on committing identity theft, tax fraud, and mail fraud, through public awareness campaigns, changes in the design of tax administration security and processes, and further efforts at targeted enforcement. Many countries use a combination of intelligence gathering, risk analysis, risk profiling, and data matching to detect cases of tax fraud and/or money laundering that involve identity theft and identity fraud. Data matching and other information sharing activities between tax authorities and other government agencies are also used to detect and investigate this type of suspected activity. In the U.S., the Department of Justice, Securities and Exchange Commission, and Internal Revenue Service (IRS) all have recently either introduced new measures and/or prosecuted and publicized related fraud cases. In particular, the IRS Criminal Investigation division’s Questionable Refund Program and Return Preparer Program focus on identifying and stopping fraudulent tax refund claims schemes. 
These schemes often involve hundreds of returns, with refunds totaling hundreds of thousands or even millions of dollars of revenue. Investigating and prosecuting those responsible for these ambitious schemes ranks among the programs’ highest priorities. Incorporating the professional sports industry within the scope of that priority could help uncover wrongdoing like the income tax and wire fraud scheme, as well as serve to further deter other would-be fraudsters.<br></li></ul></div>Art Stewart
The Hedge Fund Analyst<p>Artis Capital Management and one of its senior research analysts have agreed to settle charges of failing to detect insider trading by one of the hedge firm's employees, according to <a href="" target="_blank">Bloomberg BNA</a>. The U.S. Securities and Exchange Commission (SEC) had earlier charged Matthew Teeple, an Artis research analyst covering networking technology, with using his industry connections to trade on material information not available to the public. According to the new charges, Artis should have recognized the substantial risk that Teeple's interactions with technology sources created and should have established procedures to prevent the specific misuse of information in this case. Moreover, the SEC found that Teeple's supervisor, Michael Harden, did not question Teeple about the source of his information or request that the company's chief compliance officer investigate the issue. Teeple is serving a five-year prison term.</p><h2>Lessons Learned</h2><p>Many readers know that U.S. law requires, and regulators expect, firms to have robust compliance, supervisory, surveillance, and control measures in place to prevent and detect insider trading — which appear to be almost entirely absent in the case of Artis Capital Management. Readers may not know that regulators can bring enforcement action for the failure to have an adequate insider trading prevention program — even if no insider trading has occurred. This story references many of the gaps in Artis' controls over insider trading, such as a lack of policies and measures to track interactions between its employees and their contacts, and lacking requirements for filing research or other reports on such interactions. But what is an appropriate approach to guide companies, employees, and auditors toward an adequate insider trading prevention program?</p><p><strong>1. 
Establish clear expectations throughout the organization regarding appropriate behavior around insider trading, including through a robust policy.</strong> This includes:</p><ul><li>Senior management demonstrating that it is committed, knowledgeable, and conversant in the steps the firm is taking to combat insider trading. This should include board- and executive-level restrictions such as prohibiting executives from pledging, hedging, short sales, and similar activities. </li><li>The deployment of appropriate personnel, IT, and other resources to focus on prevention, detection, and compliance. </li><li>Policy restrictions, requirements, and responsibilities for employees based on role and level. For example, employees may trade only after being given pre-clearance to trade, and blackout or holding periods may apply. The policy also should provide company-specific examples as to what could be deemed "material nonpublic information" — both positive and negative — and guidance related to gray areas such as communicating with relatives and friends, and information shared with third parties, including potential merger/acquisition targets. </li><li>Whistleblower mechanisms and appropriate training of all employees as part of the policy.</li></ul><p><br></p><p><strong>2. Undertake and evaluate a thorough inventory of sources of material nonpublic information to fully understand the inflow and outflow of information to and from the company.</strong> Part of the evaluation of this inventory should include a risk assessment and ranking of the highest types of sources of potential insider trading. Review the inventory periodically to make sure important developments have been identified and incorporated. Primary sources include:</p><ul><li>Research consultants.</li><li>Vendors, third-party providers, companies that are potential merger/acquisition targets, and corporate executives with whom the firm conducts meetings. 
</li><li>Investment advisers and portfolio companies to which the firm or its employees or principals are economically connected through a firm investment, personal investment, etc. Also, brokers with whom employees have significant gift and entertainment activity.</li><li>Employee-disclosed personal relationships, employees with board seats on outside entities, former employers of current employees, and current employers of former employees. </li><li>Fund investors.</li><li>Securities transacted around the time of a corporate announcement or that recently had a significant price change around the time of a firm transaction in such an issuer's securities.</li><li>Issuers identified through post-trade surveillance reviews. </li><li>Portfolio companies, other advisers, or other third parties that use the firm's physical premises or network.</li></ul><p><br></p><p><strong>3. Implement an enterprisewide control structure to monitor and promote compliance.</strong> Rank the possible sources of material nonpublic information according to the risk that each creates for the company, and tailor the controls over the source based on the risk. Higher risks may likely require more surveillance and monitoring, while lower risks may rely on training and certification.</p><ul><li>Implement controls covering the use of restricted lists, blackout periods, and pre-clearing requirements/procedures for employees based on their role and level within the organization; controls on blackout/no-trading periods tailored to the type of event, and requiring employees to pre-clear trades by leveraging technology solutions; establishing minimum holding periods and having information barriers in place. For example, debt restructurings should be referred to appropriate walled-off individuals for evaluation. </li><li>Put in place specific controls for high-risk areas, such as the use of "experienced consultants" or "expert panels." 
Examples include indicating the company's intention not to receive material nonpublic information from an expert, documenting and supervising the use of expert consultants and resulting trading, and reviewing the use of expert consultants and trading. </li><li>Similarly, tailor surveillance based on risks specific to the firm and to managers and traders. Design procedures to effectively detect potential incoming or outgoing material nonpublic information, high-risk relationships, compensation provided or received for such information, and related trading activity. Review firm trading, client trading, and personal trading activity of employees as part of surveillance activities. Some key activities that should be included are post-trade surveillance for specific events such as public announcements, price spikes, and profits; scrutiny of email and other communications about particular stocks for particular employees; and phone log surveillance to determine with whom employees are speaking. </li><li>Once surveillance measures are in place, investigate any indications of aberrant trading to identify whether the trade was made while in possession of material nonpublic information. Take action if the investigation reveals a violation of the firm's compliance policy. Look for patterns by individuals or in particular units. Follow up rapidly and consider the root cause of problems.</li></ul><p><br></p><p><strong>4. Adopt technology to help leverage controls, monitoring, and surveillance coverage both by restricting the transmission of material nonpublic information and by automating trade review.</strong></p><ul><li>Use information barriers and data security to create a barrier between material nonpublic information and those who should not have access to it. 
</li><li>Electronic communication surveillance should include testing to identify incoming or outgoing material nonpublic information and patterns and relationships of interest, whether via e-mail, telephone logs, calendar entries, messenger software, business information sources, Bloomberg terminals, or social networking sites used on company networks. </li><li>Restrict trading activities through pre-trade review and approval technologies such as order management configuration rules. For example, require additional approvals for trading watch-list securities. Control employees' personal trading by using pre-clearance software that scans potential trades against the firm's restricted list, fund trading activity, holding periods, blackout windows, and minimum thresholds. </li><li>Test trading activity through automated electronic feeds from brokerage firms and use post-trade surveillance technologies to identify trading in securities where material nonpublic information may be known. Use automated rules or statistical algorithms to identify trading activity patterns that may indicate the use of material nonpublic information based on multiple risk factors, including timing, capital at risk, and performance. </li></ul><p><br></p>Art Stewart
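<p>The pre-clearance scan described in point 4, written out as an added Python example (not from the article or from any vendor's product). The rule values, the reading of "minimum thresholds" as a de minimis notional that waives the fund-conflict rule, and all tickers and employee IDs are assumptions constructed for illustration.</p>

```python
from dataclasses import dataclass, field
from datetime import date

# Policy values below are illustrative assumptions, not from the article.
MIN_HOLD_DAYS = 30        # minimum holding period before a sale
FUND_CONFLICT_DAYS = 7    # days either side of a fund trade in the same security
DE_MINIMIS = 10_000.0     # notional under which the fund-conflict rule is waived


@dataclass(frozen=True)
class Request:
    employee: str
    ticker: str
    side: str             # "buy" or "sell"
    quantity: int
    price: float
    on: date              # intended trade date


@dataclass
class Policy:
    restricted: set = field(default_factory=set)     # never tradable
    watch: set = field(default_factory=set)          # tradable with extra approval
    blackouts: dict = field(default_factory=dict)    # ticker or "*" -> [(start, end)]
    fund_trades: dict = field(default_factory=dict)  # ticker -> [dates of fund trades]
    last_buy: dict = field(default_factory=dict)     # (employee, ticker) -> date


def preclear(req, pol):
    """Return (decision, reasons); decision is approve, escalate or deny."""
    deny, escalate = [], []

    if req.ticker in pol.restricted:
        deny.append("restricted_list")

    # A blackout can be set per security or firm-wide under the "*" key.
    windows = pol.blackouts.get(req.ticker, []) + pol.blackouts.get("*", [])
    if any(start <= req.on <= end for start, end in windows):
        deny.append("blackout_window")

    if req.side == "sell":
        bought = pol.last_buy.get((req.employee, req.ticker))
        if bought is not None and (req.on - bought).days < MIN_HOLD_DAYS:
            deny.append("holding_period")

    # Personal trade close to the firm's own trading in the same security.
    near_fund_trade = any(abs((req.on - d).days) <= FUND_CONFLICT_DAYS
                          for d in pol.fund_trades.get(req.ticker, []))
    if near_fund_trade and req.quantity * req.price >= DE_MINIMIS:
        deny.append("fund_trading_conflict")

    if req.ticker in pol.watch:
        escalate.append("watch_list")

    if deny:
        return "deny", deny
    if escalate:
        return "escalate", escalate   # route to compliance for a second approval
    return "approve", []


# Constructed policy and requests; tickers and employee IDs are made up.
POLICY = Policy(
    restricted={"XRES"},
    watch={"XWAT"},
    blackouts={"*": [(date(2024, 1, 15), date(2024, 2, 1))]},
    fund_trades={"XFND": [date(2024, 3, 4)]},
    last_buy={("emp-1", "XHLD"): date(2024, 3, 1)},
)
REQUESTS = [
    Request("emp-1", "XRES", "buy", 100, 20.0, date(2024, 3, 10)),
    Request("emp-1", "XWAT", "buy", 100, 20.0, date(2024, 3, 10)),
    Request("emp-1", "XFND", "buy", 1000, 50.0, date(2024, 3, 6)),
    Request("emp-1", "XFND", "buy", 10, 50.0, date(2024, 3, 6)),
    Request("emp-1", "XHLD", "sell", 50, 30.0, date(2024, 3, 20)),
    Request("emp-1", "XHLD", "sell", 50, 30.0, date(2024, 4, 5)),
    Request("emp-2", "XOTH", "buy", 10, 15.0, date(2024, 1, 20)),
]


def decisions(requests=REQUESTS, policy=POLICY):
    return [preclear(r, policy) for r in requests]


if __name__ == "__main__":
    for r, (decision, reasons) in zip(REQUESTS, decisions()):
        print(r.on, r.employee, r.side, r.ticker, decision, reasons)
```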
Blurred Lines<p>Peter Singer, the head of a marketing department at an event company, was retiring but agreed to stay on for six months to transition the new department head. On day two of the transition, the incoming department head called the CAE and left a voicemail message saying something odd was going on and urged him to take a look. </p><p>During the investigation, the CAE found that Singer purchased marketing services from a vendor to support revenue targets for a specific product. Although that seemed reasonable, the audit also revealed that Singer was holding US$500,000 in late invoices from the vendor, a significant amount to the company. Some invoices were overdue by 18 months, well past the typical 45-day average pay cycle. The vendor representative sent numerous emails to Singer complaining about the invoices. </p><p>The invoices were being paid increasingly late beginning several years earlier, when the budget for this marketing service was reduced by US$400,000. This was due to the belief that the vendor’s services were less useful as the product became more established in the marketplace. If the invoices had been paid timely, Singer would have been over budget. The invoices were never sent to accounts payable, as Singer asked the vendor to send the invoices directly to him. In addition, Singer never disclosed these commitments during the monthly financial close process. </p><p>Singer sent emails requesting that the vendor reduce the amounts of the invoices so that he could avoid additional approvals. The vendor complied by splitting invoices. Singer also developed a close personal friendship with the vendor representative — they would often go on trips together with their spouses. They were so close that, when Singer’s wife lost her job two years earlier, the vendor representative offered her a position at his firm. 
</p><p>As seemingly fraudulent events like this are investigated, internal auditors are often quick to look for the motivations and benefits to the perpetrators. Although the situation unraveled with a lot of juicy, and often irrelevant, tidbits of information along the way, management wanted internal audit to focus on one question: Why did Singer do it? </p><p>After hundreds of hours of research and several hours of interviews, internal audit was left with a troubling assessment of Singer’s behavior. He had committed fraud. He lied to the company about spending money with the vendor by making it appear that he was on budget, evidenced by the outstanding invoices. He was aware of these outstanding invoices, as they were piled up on his desk. He worked hard to circumvent internal controls for authorizing and recording the invoices, and the vendor representative conspired with him to circumvent company authorization limits. Because of this activity, the company had a US$500,000 debt for services it did not authorize, value, or want. </p><p>In the end, there was no direct and convincing way to prove that Singer received any benefit from the vendor. In the eyes of management, this made the behavior much less grievous and “not quite fraud.” Internal audit was able to convince management that Singer intentionally circumvented internal controls to conceal the budget overrun, so he was asked to leave a few months earlier than planned. Consequently, management changed the policy to have all invoices sent directly to accounts payable to avoid future errors. However, management paid the outstanding invoices without confronting the vendor about its part in knowingly evading internal controls. </p><p>The absence of a clear-cut villain stealing from the company left management wondering what the concern was about. As a result, management sent a muddled message about what is acceptable and missed an opportunity to strengthen the company’s defenses against future fraud. 
</p><p>Fraud investigations are often the most intriguing part of an internal auditor’s job. You have villains, who break rules and selfishly benefit to the detriment of the organization. Until someone catches on, that is.  </p><p>However, the reality is not always so clear cut. In fact, it could be argued that the villain situation is rare. In many cases, a confused individual takes a few small steps across the line of good judgment and winds up entangled in rationalizations and good intentions. As things progress, this person hears the chirping of his or her conscience that something isn’t right, but the warning is distant and the words are muffled. In the end, the employee is baffled as to how his or her actions were perceived so negatively. The individual knows he or she could have done things better, but can’t believe the situation is being taken so seriously. Termination? Fraud? The employee is shocked by the possibility, and many times will utter the words, “But I didn’t steal.” </p><p>It is always difficult to see ordinary people fumble into bad situations. And organizations are not always prepared to handle these situations, which leads them down a messy road of uncomfortable conversations, half measures, and lackluster support.</p><h2>Lessons Learned</h2><ul><li>Organizations need to establish a clear perspective on how they want to approach fraud and its many faces. A strong fraud policy describes what the company perceives as fraud and lays out the expectations for investigation and resolution. Without a policy, fraudulent activity is often addressed by management based on the biases and perspectives associated with each unique instance.  <br></li><li>Internal audit should use these situations to improve the organization’s fraud perspective. Fraud is often interpreted and managed differently across organizations based on corporate culture and understanding of internal control. 
Although frustrating for those involved, management’s lukewarm support may be the most valuable observation from this scenario. It is an indication that there is significant work to be done to improve internal control awareness at the top of the organization.<br></li><li>Internal audit has the expertise, perspective, skills, and independence to lead in these situations. Expecting others to share a clear vision of murky fraud cases is not always realistic.<br></li></ul>Bryant Richards
Bribes for Mines<p>Hedge fund Och-Ziff has pleaded guilty and agreed to pay US$412 million to the U.S. Securities and Exchange Commission (SEC) and Department of Justice (DOJ) to settle foreign bribery charges, <a href="" target="_blank"> <em>Vanity Fair</em> reports</a>. According to the SEC, the firm paid around US$200 million in bribes to politicians, officials, and judges to obtain mining rights in Africa between 2007 and 2011. <em>The Wall Street Journal</em> found an example in the Democratic Republic of Congo where Och-Ziff partnered with Israeli billionaire Dan Gertler, who allegedly sent bags of money to high-ranking government officials. A week later, mining firm Africo sold its mining interests in that country to a Gertler-controlled company. </p><h2>Lessons Learned</h2><p>This story provides a good opportunity to revisit what management and internal auditors should be aware of to help their organizations stay compliant with the U.S. Foreign Corrupt Practices Act (FCPA). Here are six relevant suggestions:</p><p> <strong>1. Deterrence can work — investigation, prosecution, and punishment under the FCPA are becoming more common.</strong></p><p>This story outlines a significant case and large penalties. Ten years ago, FCPA prosecutions were rare, but since 2008, the U.S. government has had about 150 FCPA investigations in progress at any one time and has brought about 40 cases each year. In 2014 alone, 10 corporations were indicted, sentenced, or convicted, with assessed penalties of more than US$1.25 billion. About half of the cases have been against companies and half against individual company managers and employees. The DOJ has stated that individuals will not believe the FCPA has any teeth until they see business people going to jail, and increasingly this is what is happening.</p><p> <strong>2. 
Perform a corruption risk assessment to understand the organization's risk of being involved in international bribery.</strong></p><p>Companies must assess the risk of FCPA violations in their international business. The FCPA's definition of "government official" is extremely broad and includes even low-level employees of government-owned companies. Auditors need to understand in which countries their organization is placed under high-risk circumstances. <a href="" target="_blank">Transparency International</a> publishes an annual Corruption Perceptions Index for most countries in the world. Internal auditors also need to understand all the ways in which the business has contact with government customers or employees. If a company doesn't understand its specific risk, the company may fail to spend its compliance resources cost-effectively. For most companies, 80 percent of FCPA risk will come from less than 20 percent of their business. Some questions to consider are:</p><ul><li>What kind of business does the company do outside the U.S.?</li><li>Does it conduct foreign business through its own employees; agents, distributors and intermediaries; joint ventures; or all of the above?</li><li>Does the company need to get permits or qualify products for sale in foreign countries?</li><li>Does the company ship through freight forwarders and use customs agents? </li><li>Does the organization know all the third parties it uses in business outside the U.S., and has it conducted due diligence on them? Sales agents, lobbyists, and joint ventures are at the top of the risk list, along with distributors or resellers who receive variable pricing or discounts. It is important to understand who the company's intermediaries are, how many it has, why it is using them, and who in the company has authority to enter into a contract with them. These third parties create liability, accounting for 90 percent of FCPA cases brought by the U.S. 
government.</li><li>Does the company deal with universities, use professors in an advisory capacity, or deal with doctors or hospitals? In many countries, education and health care are government-run and all employees, including doctors and professors, are government officials who fall under the FCPA.</li><li>Is the company involved in litigation? In some countries, lawyers routinely bribe court officials and judges.</li></ul><p> <strong><br></strong></p><p> <strong>3. Establish a stand-alone international anti-corruption compliance program and policy</strong><strong>.</strong></p><p>A few paragraphs about international corruption buried in the company's general standards of business conduct are not sufficient. A member of the company's senior management team must be designated as responsible for FCPA compliance. And, in light of this story, it probably should be someone other than the president or general counsel. There also needs to be specific language placed into employment and performance contracts for <em>all</em> employees regarding compliance with the organization's anti-corruption compliance program. The company's board needs to reinforce the value of FCPA compliance to the management team, and the CEO, chief financial officer, and other responsible executives must do the same with employees about the company's commitment to FCPA compliance.<br><br>Clear FCPA terms should also be included in every international contract, and should specifically mention the importance of FCPA compliance and require the company's partners to represent that they know the elements of the law and will comply with it. The company should have a clearly worded audit clause that requires the partner to provide documents and assistance in an investigation. Finally, the company must have the ability to terminate the contract if its partner violates the FCPA.</p><p> <strong>4. 
Train the company's board, management, employees, and third parties who distribute its products.</strong></p><p>These individuals may or may not have had experience with "on the ground" international business, but those who have international experience will probably be out of date with FCPA compliance. Familiarize them with the actual corruption risks in the company's industry, the countries where it does business, and the business model the company is using. Employees should be able to recognize the red flags of corruption that are most likely in the business and know what to do when they see them.</p><p>Many U.S. companies do not train the third parties who facilitate their international distribution, even though these third parties represent their highest FCPA risk. Small companies may think they are safer if they use third parties that also represent major U.S. and multinational companies. They assume those companies have done appropriate vetting and provided training, but that may not be true. Major U.S. and multinational companies often have weak FCPA compliance programs and do not vet or train their third parties.<br><strong></strong></p><p> <strong>5. Establish internal controls over company expenditures and assets.</strong></p><p>The FCPA has no threshold of materiality. Companies have been prosecuted for very small bribes, inaccurate books and records, and failure to set up systems of controls, which arguably have no monetary value. A company can comply with generally accepted accounting principles and still fail to detect bribery or false or inaccurate records. The employees who are involved in corruption, kickbacks, and creating false transactions are likely to be quite smart. 
Finance department employees may be involved in corrupt schemes, as well — they know how the company makes and keeps records and how it audits, so they know how to keep the books looking clean and hide evidence of corruption.</p><p>Making sure the company is keeping books and records that accurately document all transactions can help prevent and detect corrupt payments. If the company has good control over its books and records, it should be much easier to accurately control and account for gifts, meals, entertainment, and travel for government officials.<br></p><p> <strong>6. Plan for the likelihood that a high-quality, international internal investigation will have to be conducted.</strong></p><p>In an FCPA investigation, a company is looking for evidence of criminal behavior and serious fraud among its employees and business associates. In many cases, internal audit may find the company's own employees working in concert with third parties and government officials. Perhaps its employees are personally receiving kickbacks. If auditors are lucky, they will "only" find private corruption — payments between commercial companies with no government officials involved. Private corruption still costs companies, and they have to deal with the FCPA issue of intentionally falsified corporate records made by employees to cover up the private corruption.</p><p>It is likely internal auditors will not be comfortable trusting anyone in the company's local country management, and auditors will not want to let local management know they have suspicions before auditors actually start their investigation. Even if they are not involved, local managers may not appreciate the danger to the parent company. They may try to conduct their own amateur investigation, or simply call a meeting of their managers and ask them what happened. 
In either case, they will alert the perpetrators and evidence will be destroyed, documents fabricated, or stories aligned so that an actual professional investigation will be much longer, more difficult, and expensive. </p><p> <br> </p>Art Stewart
Following the Money<p>Money laundering accusations have led Canadian payment processor PacNet to be branded a "significant transaction criminal organization" by the U.S. Treasury Department, <a href="" target="_blank">CBC News reports</a>. Treasury officials say PacNet has acted as a middleman between fraudsters and their victims in a large number of mail fraud schemes. They allege the victims would send money through a partner company to PacNet's processing operation, which would transfer it to criminals through a holding account. The Treasury designation names 12 individuals and 24 entities connected to the payment processor. PacNet claims it was misled by clients.</p><h2>Lessons Learned</h2><p>This story clearly demonstrates that individuals, companies, and institutions are at risk of mail fraud and must take steps to protect themselves as best they can. While the charges involving PacNet have yet to be heard in court, innocent or not, third-party organizations are facilitating a worldwide explosion in mail fraud. </p><p>Here's how these crimes are carried out: To shield their operations from authorities, fraudsters need a way to process payments that won't easily link them to their scheme or raise red flags. Many banks and financial institutions will shut down an account or report it to authorities if they detect suspicious activity such as a high number of small deposits, complaints, or refunds. Instead, con artists and other fraudsters turn to payment processors, most of which have a heavy online presence. </p><p>Payment processors have relationships with banks around the world, and can set up accounts for clients in the countries in which they do business, processing payments in currencies ranging from the British pound to the Indonesian rupiah. This gives fraudsters the ability to access victims and bank accounts in countries far from their home base. 
These criminals use a wide range of fraud schemes — from lottery prizes to charitable causes to goods and services purchased by companies and institutions — to illegally collect payments that will disappear forever, payments that frequently end up with a payment processor. The processor then deposits the money into an account under its own name and takes a cut as a commission. It holds on to the rest of the funds until they are sent to the fraudster's own bank account, typically through a wire transfer. There are so many layers that victims usually have no idea that a payment processor was involved. </p><p>U.S. regulators and enforcement agencies are on the right track in investigating and taking action against payment processing companies that are implicated in facilitating mail fraud schemes, even where that company is not a U.S. firm. Greater scrutiny and increased penalties would help further.</p><p>But the payment processing industry itself should not step back and take an "it's between the buyer and seller," hands-off approach. The industry appears to be much more focused on potential fraud by customers than that perpetrated by sellers and providers. Processors should take further strides to increase consumer and business education about the risks of mail fraud committed by sellers and to strengthen their knowledge and controls over potential seller fraud, such as by:</p><ul><li><p>Reviewing whether prevailing account-opening procedures are adequate to prevent fraudulent receiving accounts. Some countries, such as South Africa, require that a national fingerprint database be accessed to verify the identity of account holders. 
Denmark offers a more practical model to follow, in which payment processors and banks have built-in delays that prevent both users and providers from making or receiving payments for several days after opening an account.</p></li><li><p>Using analytics, such as velocity checks and pattern recognition checks, to detect fraud that processors otherwise would not notice. This would include factors such as providers and sellers with connections to high-risk countries, high-risk types of products and services such as lottery sales and solicitations of money for causes, and volumes of complaints. Analytics can be used to flag suspicious recipient account holders, and then place a hold on payments to the account, review transactions, inform customers and regulators, or reject the transactions outright. The use of analytics provides an extra barrier when fraudulent transactions are initiated.</p></li><li><p>Particularly in a real-time environment, an anti-fraud best practice for a payment processor is to calculate the probability of a transaction being fraudulent (also known as scoring transactions) and refer suspicious transactions to the organization's anti-fraud unit or a manager with experience in reviewing such transactions for decision-making instead of blocking the transaction outright. This allows processing operators to capitalize on the fact that they can sometimes detect patterns that customers and businesses might miss, such as a suspicious set of transactions originating from one source and headed for multiple receivers. Few payment processors actually employ such techniques. Many state that they do not have the financial strength to accept liability for fraud cases that may slip through, and some operators have expressed concerns that establishing fraud checks could reduce the incentive of banks to establish effective prevention mechanisms. 
Nevertheless, and particularly for the largest and most profitable payment processors, these kinds of measures should be included in any set of best practices.</p></li></ul><p></p>Art Stewart
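<p>The controls listed above (a post-opening delay, velocity and pattern checks on the receiving account, and scoring with referral instead of outright blocking) can be combined in one seller-side scorer. The sketch below is an added example, not code from the article or from any payment processor; every weight, limit, category name, and identifier in it is an assumption chosen for illustration.</p>

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Weights, limits and category names are assumptions for illustration only;
# a processor would calibrate them against its own confirmed-fraud data.
HIGH_RISK_CATEGORIES = {"lottery", "cause_solicitation"}
HIGH_RISK_COUNTRIES = {"ZZ"}       # placeholder code, not a real country
WINDOW = timedelta(hours=24)       # look-back window for velocity and fan-out
SMALL_DEPOSIT = 50.0               # ceiling for a "small deposit"
VELOCITY_LIMIT = 20                # small deposits per seller per window
FANOUT_LIMIT = 5                   # distinct receivers per payer per window
COMPLAINT_LIMIT = 10               # complaints on file against the seller
COOLING_OFF = timedelta(days=3)    # delay after account opening
REFER_AT = 50                      # score (0-100) that triggers human review


@dataclass
class Seller:
    seller_id: str
    opened: datetime
    country: str
    category: str
    complaints: int = 0


@dataclass
class Payment:
    payer_id: str
    seller_id: str
    amount: float
    when: datetime


class SellerFraudScorer:
    """Scores each incoming payment against the receiving (seller) account."""

    def __init__(self, sellers):
        self.sellers = {s.seller_id: s for s in sellers}
        self.seller_history = defaultdict(list)  # seller_id -> [(when, amount)]
        self.payer_history = defaultdict(list)   # payer_id -> [(when, seller_id)]

    def score(self, p):
        """Return (score, decision, reasons); decision is 'release' or 'refer'."""
        seller = self.sellers[p.seller_id]
        self.seller_history[p.seller_id].append((p.when, p.amount))
        self.payer_history[p.payer_id].append((p.when, p.seller_id))
        start = p.when - WINDOW
        hits = []

        # Built-in delay: a newly opened receiving account is not paid out yet.
        if p.when - seller.opened < COOLING_OFF:
            hits.append(("cooling_off", 50))
        # Velocity check: a high number of small deposits into one account.
        small = sum(1 for t, amt in self.seller_history[p.seller_id]
                    if start < t <= p.when and amt <= SMALL_DEPOSIT)
        if small > VELOCITY_LIMIT:
            hits.append(("velocity", 30))
        # Pattern check: one source paying many different receivers.
        receivers = {sid for t, sid in self.payer_history[p.payer_id]
                     if start < t <= p.when}
        if len(receivers) > FANOUT_LIMIT:
            hits.append(("fan_out", 50))
        # Static risk factors attached to the seller account.
        if seller.category in HIGH_RISK_CATEGORIES:
            hits.append(("high_risk_category", 20))
        if seller.country in HIGH_RISK_COUNTRIES:
            hits.append(("high_risk_country", 20))
        if seller.complaints > COMPLAINT_LIMIT:
            hits.append(("complaints", 20))

        total = min(100, sum(weight for _, weight in hits))
        # Refer to the anti-fraud unit and hold the payment; never auto-block.
        decision = "refer" if total >= REFER_AT else "release"
        return total, decision, [name for name, _ in hits]


def demo():
    """Run constructed sample traffic through the scorer."""
    now = datetime(2016, 11, 1, 9, 0)  # constructed timestamp
    scorer = SellerFraudScorer([
        Seller("S-SHOP", now - timedelta(days=700), "CA", "retail"),
        Seller("S-LOTTO", now - timedelta(days=30), "CA", "lottery", complaints=12),
        Seller("S-NEW", now - timedelta(days=1), "CA", "retail"),
    ])
    results = {"shop": scorer.score(Payment("P-0", "S-SHOP", 120.0, now))}
    lotto = [scorer.score(Payment(f"P-{i}", "S-LOTTO", 25.0,
                                  now + timedelta(minutes=i)))
             for i in range(1, 22)]
    results["lotto_first"], results["lotto_21st"] = lotto[0], lotto[20]
    results["new"] = scorer.score(Payment("P-50", "S-NEW", 300.0, now))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

<p>In the constructed traffic, the lottery seller's static risk factors alone stay below the review threshold; the 21st small deposit inside the window is what tips the payment into referral.</p>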
Doing a Number on REITs<p>The U.S. Securities and Exchange Commission (SEC) has charged two former financial executives of a Phoenix-based real estate investment trust (REIT) with overstating the company's financial performance, <a href="" target="_blank"><em>The Arizona Republic</em> reports</a>. According to the SEC, Brian Block, former chief financial officer (CFO) at American Realty Capital Properties, conspired with the then-chief accounting officer, Lisa McAlister, to manipulate a key cash-flow measure that investors use to evaluate REITs. When the company's accounting department warned that the first quarter results were based on an incorrect accounting method, Block allegedly falsified the company's presentation of its second quarter results to conceal the previous quarter's overstatement and make it appear that the company had met its second quarter estimates. In addition to the SEC charges, the U.S. Justice Department has filed criminal charges against Block and McAlister.</p><h2>Lessons Learned</h2><p>REITs have been an option for investors since the 1980s. Although they potentially are a risk-laden choice — nontraded REITs are even higher risk — many investors have profited significantly from the generally higher movements in the value of properties. But there also has been a rise of fraud by unscrupulous owners, managers, and others, as in this story. To better understand this kind of fraud, and how to prevent and detect it, a little background is needed on how financial and accounting methods are applied to them, including the particular measure called adjusted funds from operations (AFFO). </p><p>Before new accounting rules were adopted in June, it was common for REITs to pay out more than they reported in profit. That is because they were required, under U.S. generally accepted accounting principles (GAAP), to gradually depreciate their property much as a manufacturer depreciates machinery and equipment. 
The purpose of depreciating an asset under GAAP was to spread the cost over the item's useful life instead of taking the full hit all at once. In the case of REITs, it ended up distorting their bottom lines, making it appear as if they earned less money than they actually did. </p><p>But real estate doesn't depreciate that way. The land doesn't depreciate at all; in fact, if it's well-located, it usually goes up. And the building doesn't really depreciate in the manner that GAAP came up with, predictably over a certain period of time.</p><p>To get around this problem, REITs have used alternative, non-GAAP measures — namely, funds from operations (FFO) and AFFO — to assess their financial performance in a REIT's financial statements. The actual definitions are complex, but FFO is essentially operating profit excluding GAAP-style depreciation and any gains or losses on disposals of properties. AFFO is generally equivalent to FFO less an allowance for maintenance capital expenditures and leasing costs, to reflect the cash a REIT spends to maintain its buildings. In other words, AFFO is the real estate equivalent of profit, and it is a key metric for assessing a REIT's payout ratio.</p><p>There are two ways to deter REIT accounting fraud:</p><ul><li><p> <strong>Tightened regulatory and enforcement framework for REITs.</strong> The two executives in this case allegedly committed accounting fraud when they used a metric that did not comply with GAAP and deliberately inflated the company's results. The SEC asserts that the executives added 3 cents per share to the company's AFFO number and misled investors into believing the company was on track to meet its full-year guidance. As a potentially key deterrent to REIT accounting fraud, the SEC recently has cracked down on made-up numbers and vague language in U.S. publicly listed companies' earnings filings. 
The SEC has <a href="">updated guidance</a> on the use of metrics that don't conform with GAAP, and companies should expect deeper scrutiny if they fail to comply. The updated rules allow companies to supplement their GAAP numbers with non-GAAP numbers to provide more detail, but they must provide the GAAP numbers first, give both sets of numbers equal prominence, and show how they reconcile.</p></li><li><p> <strong>Good governance by investors, boards, and audit committees.</strong> Despite his knowledge of a material error in previous SEC filings, American Realty Capital Properties' CFO took no steps to advise the audit committee, board, and outside auditors of the error, which went undetected for some time. All of these parties need to exercise careful, active vigilance and scrutiny of these kinds of numbers, especially because there are relatively few reliable measures of REIT financial performance. They should ask lots of questions when reviewing financial and performance statements, including from a long-term performance trend perspective. </p></li></ul><p></p>Art Stewart
Fraud, Abuse, and Corruption<p>I hope the Wells Fargo scam is causing boards, executives, and practitioners everywhere to pause and reflect: Could something like this happen to us?</p><p>If it can happen at a great institution like Wells Fargo, it can probably happen anywhere.</p><p>I have shared questions that boards and others should be asking <a href="" target="_blank">in a couple of posts</a>. They cover issues such as management setting incentive goals that don't appear to be aligned with driving revenue or earnings, why the controls to ensure customers approved the opening of accounts in their name failed, why customer complaints did not lead to identification of the problem, why this was allowed to continue for at least five years, whether management had any idea that the culture of the organization would permit such a pervasive scheme, the role of internal audit, the role of the compliance officer, the effectiveness of whistleblower provisions, and the role of risk management.</p><p>In <a href="" target="_blank">a podcast with MIS Training Institute</a> (which I recommend), I made another point. I think this is critical for everybody to understand.</p><p>I said that when people feel they are able to get away with a minor fraud, they will do something else. 
The level of fraud may start small but it almost always increases.</p><p>I asked what else has been happening at Wells Fargo.</p><p style="text-align:center;">**********</p><p>The public reaction by the Wells Fargo CEO, John Stumpf, included an observation that the scam only involved at any time about 1,000 people of the 100,000 in the branch network.</p><p>Let's set aside the fact that 5,300 people were fired over a period of five years and this number does not include anybody who was less severely disciplined or not caught.</p><p>Let's set aside the fact that 1,000 people fired in each of the last five years reflects a <em>continuing</em> failure and, to me, indicates a breakdown rather than a one-time failure in controls.</p><p>The point is that he seems to believe that this is a small level of incidence, almost (in my words) an <em>acceptable level of risk</em>.</p><p>I am drawn to agree that this is a low level of failure. I'm not sure it is so low that it would be acceptable.</p><p>Let's talk reality.</p><p>While it looks and sounds good to say that an organization has zero tolerance for fraud, corruption, and a failure to comply with laws and regulations, that zero level is just about impossible to achieve.</p><p>You would need somebody looking over everybody's shoulder all the time to ensure no inappropriate activity was happening, and somebody looking over <em>that</em> person's shoulder to make sure they were watching properly.</p><p>All you can do is have what a prudent person would believe is a reasonable level of control, given the level of risk to the organization of fraud.</p><p>According to studies by the Association of Certified Fraud Examiners, the typical company loses about 6 percent of its annual revenue to fraud. That number includes theft of time, personal use of the company's laptop, and so on.</p><p>Is that an acceptable level? Maybe it is; maybe it isn't. 
You decide for your company — and consider the cost of reducing the level of fraud risk. Is the cost greater than any reduction in fraud risk?</p><p>The same goes for compliance issues or the activity reported at Wells Fargo. Was a reasonable level of control in place? Could controls have been improved to reduce the risk without incurring substantial cost? I suspect the answer is yes, but we don't know enough of the facts yet.</p><p style="text-align:center;">**********</p><p>But let's also consider other forms of fraud, abuse, and corruption.</p><p>Are these acceptable practices, or are they another form of fraud?</p><ul><li>The CEO of a multi-billion-dollar company approves the funding of a charity of which his wife is the chair. There is no clear benefit to the company, no link to its operations.</li><li>In response to falling revenue and profits, the CEO of another company lays off about 10 percent of the workforce. The board awards him a US$1 million bonus for completing the reduction in force. At the same time, the CEO spends US$1 million to renovate the executive suite of offices.</li><li>A senior manager in IT refuses to provide support for the implementation of a disaster recovery plan because it is not included in his personal objectives.</li><li>The vice president of procurement for Malaysia refuses to follow instructions from the executive vice president (EVP) of procurement (to whom she does not report) and adhere to global contracts with major vendors negotiated by that EVP. Instead, she negotiates successfully with the local subsidiaries of those vendors. 
While she obtains better prices for Malaysia (for which she and her boss, the president of that region, are rewarded) she puts the corporate contract in serious jeopardy.</li><li>A senior executive decides to hire a friend.</li><li>The chairman of the board puts pressure on the company to select as a director an individual whom he knows will vote his way rather than searching for a director who will add critical expertise.</li></ul><p>All of these are situations where, in my view, individuals put their personal interests ahead of those of the enterprise as a whole.</p><p>They act in a way that brings them rewards but that negatively affects the company as a whole.</p><p>While technically they have not stolen and have not broken any laws, they have acted inappropriately. I will let you decide what to call their behavior.</p><p>But let's be honest: Self-dealing is rife around the world. Very few are selfless, putting the interests of others ahead of their own.</p><p style="text-align:center;">**********</p><p>So what does this all mean? Where am I going?</p><ol><li>What we have seen at Wells Fargo (based on the few facts we know) is, in some ways, normal human behavior. When people believe that the behavior is encouraged or at least not discouraged and that they will not be caught, they will "game" the system. </li><li>While we focus on fraud, we might be better off focusing on behavior and actions. There are many forms of behavior that will negatively affect the organization.</li><li>We cannot prevent or even detect all actions that result in a loss to the organization. 
We need to understand all of its forms, the impact and likelihood of each, and ensure that we have the controls in place that provide a reasonable level of assurance that risk is at acceptable levels.</li><li>Management must take ownership of the design and operation of those controls.</li><li>Internal audit should provide assurance on the management of the more significant risks.</li><li>When the level of risk that the controls are failing rises, the root causes must be investigated.</li><li>A low level of fraud, if left alone, will normally grow until it is unacceptable.</li></ol><p>I welcome your views. </p>Norman Marks
Building on a Foundation of Fraud<p>A U.S. federal court jury in Manhattan has convicted a construction firm executive of fraud connected to the reconstruction of the World Trade Center in New York, <a target="_blank" href="">the Associated Press reports</a>. Prosecutors say Larry Davis and his company DCM Erectors Inc. filed false records attesting that the company complied with rules requiring contractors to hire subcontractors owned by women and minorities. According to prosecutors, the individuals listed as owners of the subcontracting companies were not the legitimate owners of those firms. DCM was awarded more than US$500 million in contracts in 2007 and 2009 to help construct the World Trade Center — which was destroyed in the Sept. 11, 2001, terrorist attacks — as well as a neighboring transportation center.</p><h2>Lessons Learned</h2><p>What is it about minority contracting programs that makes them such persistent sources of fraud and corruption? In New York City alone, investigations into fraudulent hiring of minority- and women-owned subcontractors are so common that they have become something of a specialty for local prosecutors. Overall, it's the rare city or state that hasn't endured a scandal tied to well-intentioned minority contracting regulations. So what can be done from an internal auditor's perspective to improve these kinds of programs and reduce the incidence of fraud?</p><ul><li><p><strong>Conduct regular audits of business development programs and follow up on their results. </strong>The U.S. federal government's program, the <a target="_blank" href="">8(a) Business Development Program</a>, is designed to help minority-owned businesses "build their competitive and institutional know-how." 
But the Office of the Inspector General's (OIG's) most recent April 2016 audit report, focused on program eligibility, found that 30 of the 48 8(a) Program applicants evaluated did not meet one or more areas of eligibility, based on information in the Business Development Management Information System (BDMIS). For 18 of the 48 applicants, additional information was gathered, and these firms were approved into the program. However, the remaining 30 firms were approved without fully documenting in BDMIS how all areas of concern regarding eligibility raised by lower-level reviewers were resolved. As a result, the 8(a) Program is experiencing a change in leadership, has begun testing a revised application process, and has shifted responsibilities for continuing eligibility reviews.</p></li><li><p><strong>Tighten program controls, monitoring, and penalties for noncompliance. </strong>This is how these programs are supposed to work: Minority-owned companies register with local agencies that certify both their capability and the makeup of their ownership. In some cases, contracts are set aside for minority-owned businesses. In others, companies with large contracts are expected to subcontract out some percentage of the work to minority-owned subcontractors. But specific monitoring needs to be done to detect the most commonly found illicit behavior, such as:</p></li><ul><p></p><li>Using sham minority subcontractors — shell companies "owned" by minorities that don't have the actual capacity to perform the specified work. 
These faux contracting operations can make it look as though real work and real cash are flowing to minority-owned businesses, when the money is really being passed through to a nonminority-owned company that may or may not do the work.<p></p></li><p></p><li>Identifying minority-owned companies that allow their names to be used in documents as the source of supplies when the goods actually come from another, nonminority-owned company.<p></p></li></ul><p>Fines and prison sentences also should be increased. In addition, government agencies should require prime contractors to "certify under penalty of perjury" that subcontractors are genuinely minority-owned and are performing work at construction sites, not just "renting" their names to other companies.</p> </ul><p>Some people might point to broader social factors as the root of this fraud problem, such as a lack of capable minority-owned firms in their industry or city — a state of affairs that can lead contractors to look for shortcuts to satisfy municipal requirements — or argue that affirmative action in contracting is vulnerable to fraud because all parties are eager to welcome good news. But effective policing — including audits of program eligibility, monitoring, and sanctions for noncompliance — can improve the situation significantly. </p>Art Stewart
Tough Consequences<p>Hillside Acres had a thriving parks and recreation department that offered a variety of services to its citizens. Included in these services was a community center that contained an ice rink, fitness center, and gymnasium. The city never tracked the profitability of the center, but the department typically recognized a yearly loss of US$400,000. Eventually, Hillside Acres decided to turn over day-to-day operations of the community center to ABC Co., a local, for-profit entity. <br></p><p>A rigorous contract was drafted that included a profit-sharing agreement; a right-to-audit clause; and clearly defined expectations of ABC when it came to accounting records, budgets, employing staff, payment of utilities, and assigning the agreement to another party with the city’s consent. <br></p><p>Six months after the contract was issued, the local newspaper published an article about the successful public-private partnership, indicating that ABC achieved its operating goals, installed new ice at the rink, reinstated recreation programs, and enhanced senior citizen programs. Just four months later, ABC assigned its contract with Hillside Acres to CBA Co. without the city’s knowledge or consent. Hillside Acres was never able to definitively identify all of ABC’s owners, but it appeared that some of them also were owners of CBA.<br></p><p>The contract was in effect for a year before Hillside Acres realized it had not received a proposed fiscal budget from CBA. This discovery prompted an internal investigation into CBA and its operation of the community center. Complaints from vendors and employees about unpaid bills began to trickle in. The city then realized that it had been a year since ABC or CBA had provided financial statements. The city demanded those documents, along with payment of overdue bills to vendors and employees. 
<br></p><p>When some financial information was finally provided to Hillside Acres, it was not in accordance with U.S. generally accepted accounting principles (GAAP), the format agreed on in the contract. Hillside Acres brought in an independent accountant to meet with the vendor and gather the contractual information. <br></p><p>When the accountants requested a copy of the financial statements, CBA indicated it was unfamiliar with GAAP. Its accounting records were maintained by a bartender with no accounting training. CBA was completely unfamiliar with the concept of accrual-basis accounting and had limited accounting records for the months it was operating the community center. <br></p><p>The city’s accountants requested a copy of the bank statements and the bookkeeping records from ABC and CBA for the community center. During the review, the accountants determined that a significant number of transactions had been omitted from the accounting records; other transactions that were included appeared to be grossly inappropriate. This included bank withdrawals that were omitted from the financial records, operating expenses from other venues managed by some of ABC’s and CBA’s owners, ATM withdrawals and retail purchases without a business purpose, and numerous overdraft fees, just to name a few. The accountants hired by Hillside Acres noted that many of these purchases appeared to be Christmas gifts for families of the CBA partners. There also were numerous purchases of cigars and alcohol, as well as payments to an attorney and traffic safety school. <br></p><p>CBA estimated revenue of US$500,000 during a five-month time period. However, only US$130,000 was included in the financial statements. ABC and CBA did not maintain any calendars or records that would indicate what events were held at the community center or the number of participants. As a result, it was impossible to corroborate the estimates. 
<br></p><p>ABC/CBA management was also unfamiliar with the basics of employment law, particularly with regard to the classification of employees and independent contractors. They had failed to withhold or remit payroll taxes from any of their employees working at the community center during the previous 17 months. The accountants estimated the outstanding payroll tax liability on wages paid by ABC/CBA to be at least US$50,000 before penalties and interest. <br></p><p>CBA management identified at least US$235,000 in overdue bills payable to various vendors including their utility provider; the accountant hired by Hillside Acres determined that the actual amount due was at least US$311,000. The city worked with CBA and its utility provider to agree on a payment schedule, but CBA never made the first payment due. <br></p><p>The city hired a consultant with extensive parks and recreation experience to conduct an operational review of the community center. He determined that the ice at the rink was overdue for replacement and that Hillside Acres was risking significant damage to the floor and piping at the rink. He also indicated that the building needed to be thoroughly cleaned, and he determined that the insurance purchased by ABC and CBA did not meet the requirements specified in the contract. He presented his findings at a city council meeting as the accountants were concluding their review. Shortly thereafter, Hillside Acres canceled its contract with CBA. <br></p><h2>Lessons Learned </h2><p></p><ul><li>Organizations should have procedures in place to monitor vendor contracts. A specific employee should be designated the contract administrator, should be provided with a copy of the contract, and should be responsible for acting as a liaison between the contracting parties. Noncompliance with contract terms should be immediately brought to the attention of both contracting parties for corrective action. 
</li><li>Because of poor accounting practices, no one at ABC, CBA, or Hillside Acres was able to determine how much revenue was earned and the amount of cash collected by the community center. These missing records permitted CBA and ABC to obscure the profitability of the center, thereby denying Hillside Acres its due portion of the net profits. It is important that both contracting parties work together to design and understand the internal controls in place, particularly over the cash receipts and revenue cycles. </li><li>ABC and CBA maintained complete control over the financial records of the community center. As a result, they were able to easily disguise inappropriate expenditures that were paid using community center funds. Fraudulent payments would have been rapidly detected if a contract administrator or other appropriate professional was responsible for reviewing original financial records, such as bank statements. </li><li>Vendor contracts need to include an audit clause that clearly states who is responsible for paying the cost of the outside auditor and if this responsibility can change depending on the results of the audit (i.e., if there are audit findings, make the vendor pay for the cost of the audit). Sadly, the city was responsible for the external audit fees. </li></ul>Jenell West
Is Houston Another Place Where Oversight Goes to Die?<p>In a disappointing, but not surprising move, the Houston Independent School District failed to renew the contract of its chief auditor last week. Richard Patton, whose two-year tenure at the school district was marked by success in turning around a struggling internal audit function, fell victim to an all-too-common danger for conscientious practitioners.</p><p>Simply put, Patton was let go for doing his job.</p><p>Patton was suspended by the district in March for unspecified allegations of misconduct and was allowed to return to work in a diminished capacity in August. Despite requests by Patton's attorney, the district has refused to make public the investigation, which cost the district a reported $17,000, so the reasons for his suspension remain unclear.</p><p>What is clear is that Patton found problems with the district's oversight of its massive US$1.9 billion construction bond program. An audit of the program pointed to poor oversight and lack of controls as the cause for US$211 million in cost overruns, not inflation as the district's managers claimed. An outside audit has verified the oversight problems identified by Patton and his team but also found inflation contributed to the overruns.</p><p>What is more troubling are additional details that came out as part of a lawsuit Patton filed within days of his return to work. Patton and his attorneys have said he was suspended after notifying the Federal Bureau of Investigation, the Houston Independent School District (HISD) police chief, and the Harris County District Attorney's Office about possible illegalities in the district's construction contracts, according to published reports. 
</p><p>If Patton's concerns about illegalities in construction contracts are accurate, the folly of the district's actions raises a troubling concern that someone is trying to cover up illegal acts.</p><p>The reprehensible treatment of an accomplished internal auditor doing his job should be troubling to any practitioner. It should be equally appalling to the taxpayers of Harris County, where Houston is the county seat.</p><p>The watchdog role of internal audit in government is well-established, and history is replete with examples of its work serving the public interest. Internal auditors often shine the light on fraud, waste, and abuse in government. It has been said that light is the best disinfectant. But from a distance, it appears the Houston school district is allergic to disinfectants.</p><p>The district's board of trustees has exhibited highly disturbing behavior on multiple levels. Aside from the prima facie case of retaliation against Patton, they likely wasted US$17,000 on a suspicious investigation, then they doubled down on that debacle by refusing to say what the investigation found. It is time to make its findings public. If there is no basis in the investigation for the actions that have been taken against Patton, then those who ordered the taxpayer-funded witch hunt should be held accountable.</p><p>I fear that the board of trustees will continue on their misguided journey when it comes time to hire a new chief auditor. Over my four decades in internal auditing, I have seen how this scenario plays out. The board will seek to hire someone who will fill the role in name only, not in function. They showed they have little interest in learning the objective truth about the district's operations when they "shot the last messenger." 
Does the school district want to be saddled with the reputation of being the place where oversight goes to die?</p><p>Even if by some quirk of circumstance or conscience the board sees the errors of its ways and genuinely seeks to find a suitable replacement, the school district's reputation will precede it, making it harder to find a qualified and independent professional to take on the role of HISD chief auditor.</p><p>I must also speak up for Patton, whose reputation has been sullied by the worst kind of political retribution. By all accounts Patton is a highly qualified and respected internal audit professional. I do not question for a moment his exercising his right to seek legal recourse in this case. As I've previously written, some government CAEs who have taken their complaints to the courts have told me that it was crucial that they do so in order to clear their name and professional reputation after public officials had besmirched them.</p><p>The first step in clearing Patton's name should be for the school district to make public its investigation and allow Harris County taxpayers to decide for themselves who truly was acting in their best interest. I'm certain when all is said and done, Richard Patton will be able to hold his head high.</p><p>As always, I welcome your comments. </p>Richard Chambers
