Mary Breslin, CFE, CIA
President, Empower Audit
I recently returned from Jordan where I conducted a data analytics training for an internal audit banking group. As is often the case when learning to use data analytics within internal audit, people wanted to skip right to finding fraud. I wish it were that easy. While I sometimes feel like I could never conduct a fraud investigation without my data analytics tools, I've learned that I can never rely solely on analytics. We must continue to be students of the business and hone traditional methods while enhancing them with analytics.
Many of my cases have been discovered and initiated by simply walking around and talking to people. One example is a recently settled federal case. Several years ago I was in Belgium at a factory location of an American company I worked for. I asked for a tour of the facility even though I knew most of my time would be spent with accounting records and documents. I wanted to understand the business. During my tour I spotted a large crate ready to be shipped. The core product was made in the U.S. and finished in Belgium before delivery to the customer. The crate was stamped “Made in the USA” in six-inch letters. Directly beneath that stamp was another that read “Ship to the Islamic Republic of Iran.” I did a double take. Iran was (and is) an embargoed nation — it was illegal to sell goods of any kind to Iran.
I assumed this was a lack of training, and the Belgian team wasn’t aware of the restrictions, and I proceeded as such. My team requested all sales to that customer, as well as to any other countries that were embargoed at the time for the prior 18 months. Much to my dismay, it was a long list of sales.
In conversations with the general manager I reviewed the Code of Conduct and Handbook, where it explicitly forbade sales to those countries. I then reported the issue to the executive team and went about preparing the information that would be needed for counsel to self-report the issues to the necessary regulatory agencies. The situation was under control, right? But of course before my team and I went home, I added the location to our follow-up action plan for internal audit.
Three months later I returned to Belgium for an unannounced visit to the factory. Who stops by to see me? The general manager. She hands me a manila folder stuffed with evidence of the many sales to embargoed countries that had occurred since my departure just 90 days earlier, when it had seemed the executive team was clear on the problem and ready to make things right. As I flipped through the folder's contents I saw document after document that contained the written approval via email of every one of those sales by the COO himself. I was shocked. I immediately reported back to the executive team and was surprisingly met with the response, “We need those sales.” In their quest for revenue, executive management chose to break the law and go against legal counsel and internal audit’s recommendations.
In the following week, our inability to agree on the handling of the issue resulted in my termination — as well as the termination of my entire team. The issue was then reported to the Securities and Exchange Commission (SEC) and appropriate regulatory agencies and a federal investigation ensued. In October of this year the case finally settled in court. The company pleaded guilty and paid a large fine. The executive management team has since been replaced.
If I had not walked the facility that day, the issue may have never been identified. The likelihood of finding those illegal sales buried in all the sales for the year was minimal using normal audit techniques unless I knew to look specifically for that issue. While analytical tools can be invaluable, they should not replace understanding the business and the traditional methods — especially simply talking to people and touring a facility.