September 7, 2010

SMALL FRAUDS EQUAL BIG LOSSES

The Boston Herald reports that a former Massachusetts bookkeeper has been convicted of embezzling US $140,000 from her former employer of 22 years, the Woods Hole, Martha’s Vineyard, and Nantucket Steamship Authority. The woman created fictitious Steamship Authority customer names and assigned credit card refunds to them but then sent the money to credit or debit card accounts she controlled. The scheme involved about 308 fraudulent refund transactions during an eight-year period.

Lessons Learned

One of the interesting things about this fraud is that the perpetrator did not get overly greedy, as evidenced by her average of about three fraudulent transactions per month (for eight years) at approximately US $471 per transaction. Although this small amount made the frauds difficult to detect, the internal auditors should have noticed the red flags: refunds were being issued to customers who had never made a purchase, and separation of duties were insufficient. For example, the bookkeeper was authorized to create customers and assign credit card refunds without additional approvals, and she was able to redirect refunds to other accounts, which she controlled.

The IIA’s International Standards for the Professional Practice of Internal Auditing require that auditors consider the risk of fraud at the start of every audit, which should include assessing the business process for possible separation of duties issues. When there are a large number of transactions and only a small percentage is fraudulent, a carefully planned fraud risk assessment can identify key controls and symptoms of potential fraud (e.g., refunds with no prior purchase) and help focus the auditors on the “needle in the haystack.”

CRIME AGAINST THE ENVIRONMENT

A Miami-Dade County inspector general (IG) draft audit has found the county’s police force misrepresented the need for public dollars and spent nearly US $6 million of funds earmarked for combating environmental crime, according to a recent article published in The Miami Herald. The money was taken from the South Florida Environmental Task Force Trust Fund and Florida Environmental Task Force Trust Fund — both of which were led by the police force’s division chief, the report says. A separate Herald investigation detailed how spending in these funds skyrocketed while county budget problems deepened.

The IG report also shows that over a nine-year period, suspect expenditures included US $35,000 for 30 rifles and scopes (only one was issued to an environmental crimes officer); US $1.1 million in cell phone and data charges (some by staff members not assigned to environmental crimes); US $70,000 worth of cameras and GPS devices (still unrecovered); and six SUVs totaling US $293,000 (assigned to command staff who rarely visit crime scenes).

Lessons Learned

Where were the auditors? There were several red flags of potential fraud, waste, and abuse, but presumably no one was examining the expenses charged against the two funds. If the auditors had been looking, in all likelihood they would have noticed:

• An increase in expenses while other county projects were cutting back because of budget woes.
• Purchased items being delivered to nonwork addresses.
• A lack of a clear definition of eligible expenses.
• No challenge over what was being purchased.
• Purchases unrelated to the activity.

August 9, 2010

THE UNSUPERVISED LOAN SUPERVISOR

A recent article published by LoanSafe reports that a U.S. district judge has sentenced a former loan supervisor at a Maryland credit union to prison for bank fraud and aggravated identity theft.

In her plea agreement, the woman stated that she created fraudulent checking and share accounts, loans, lines of credit, and credit card accounts in the names of at least five customers, one of whom was deceased. She also manipulated these customers’ existing lines of credit and credit cards to increase limits without their knowledge. For four years, the woman concealed the fraud — which totaled more than US $219,000 — by using a portion of the funds to repay some of the accounts, backdating transactions and changing terms, and altering the accounts’ mailing instructions to prevent statements and notifications from being sent to the customers.

Lessons Learned

This bank fraud illustrates the importance for internal auditors to recognize red flags that can indicate segregation of duties issues as well as bypassing key preventive controls. In this case, the red flags included the ability of the loan supervisor — without additional signatures or approvals — to:

• Create and approve lines of credit, credit cards, and checking and savings accounts.
• Alter the terms and conditions associated with customer accounts.
• Backdate transactions.
• Bypass or remove controls around the financial statement requirements and mailing process.
• Be the only person involved with customer accounts (e.g., creating, modifying, or processing transactions).

BANKING ON POOR SEGREGATION OF DUTIES

A Colorado woman has been sentenced to 40 months in prison for defrauding the Bank of Colorado’s Craig branch of US $565,000 during her employment as head bookkeeper and later as the operations officer, according to a Craig Daily Press article.

Court records show that over a four-year period, the operations officer made unauthorized electronic transfers by means of block entries from customer accounts into her own accounts as well as accounts of family members and other customers. The woman avoided detection by developing elaborate means of re-crediting those accounts before the end of their statement cycles, concealing the unauthorized transfers, and creating and distributing false monthly statements.

Moreover, she was in charge of customer inquiries, and bank employees were instructed to direct complaints to her. She also included false descriptions of transfers and backdated electronic entries.

Lessons Learned

Control frameworks for organizations that rely on electronic transactions are built on automated controls. In this case, the head bookkeeper, who later became the operations officer, was not deterred from committing fraud by any preventive control. Without an adequate segregation of duties policy, the operations officer was authorized to process transfers, create and distribute monthly statements, and handle customer complaints. Weaknesses also existed in the preventive controls around transfers, which allowed her to have unsupervised access to customer accounts and make:

• Transfers from customer accounts to her personal account.
• Transfers just before the end of statement cycles.
• Unauthorized transfers.

JULY 12, 2010

AMMUNITION FOR FRAUD

A recent article published in The Enterprise reports that a Massachusetts Department of Correction (DOC) lieutenant was indicted on charges of financial conflict of interest, two counts of procurement fraud, and three counts of larceny. These charges are in addition to those brought against the lieutenant in 2008 for stealing more than US $100,000 in state money to buy firearms and other law enforcement equipment for personal use.

The new charges stem from the lieutenant’s relationship with a firearms vendor — selected with the lieutenant’s help — who won a contract to provide the DOC with firearms, ammunition, and accessories. The lieutenant allegedly bought sporting goods and other items using a personal line of vendor credit without a DOC purchase order with the understanding that the cost would be deducted from the DOC’s line of credit. Prosecutors also allege that the lieutenant stole and sold ammunition in exchange for credit at major retailers as well as checks made payable to him.

Lessons Learned

• Prohibit members of the contract review committee from having personal dealings with potential vendors.
• Require controls over the purchasing process to include a three-way matching of the contract or purchase order (i.e., quantity and price) to the receipt and invoice (i.e., quantities and prices).
• Use the merchant category code to search for personal purchases made with corporate credit cards.

Archive . . .