Coming Soon: New Report on Measuring In-House Fraud Investigation Teams

FROM THE RESOURCE GUIDE

Andi McNeal, CFE, CPA
ACFE Director of Research

Proving ROI on anti-fraud initiatives can be incredibly difficult. Measuring the amount of fraud that’s been prevented, determining whether investigations are being performed as efficiently and cost-effectively as possible, evaluating whether frauds are being detected and responded to quickly and thoroughly enough — we frequently hear our members express how challenging these types of assessments are to perform. And the effort of explaining these issues to management, who is pressing for formal metrics, can make this area even more challenging in many organizations.

But anti-fraud teams need to be held accountable, just like every other team within the organization. One of the best ways for any team to measure and report its effectiveness is to benchmark its structure and performance against industry norms. Organizations often have historical data about their own investigation teams, but lack access to similar data from other organizations that can be used for benchmarking purposes. In 2015, we released our first benchmarking report for fraud investigation teams, and the response was incredibly positive. We knew there was a need for this type of data, but we heard from so many people — both members and non-members, from all over the world, from numerous industries, from all over the organizational chart — that this was the information they had been waiting for. Two years later, we are excited to release our next edition of this members-only resource, which has been expanded from the first to include additional benchmarking angles. 

Some insights from the upcoming In-House Fraud Investigation Teams: 2017 Benchmarking Report include:

If you want to learn more about how other fraud investigation teams are structured and how your investigation team measures up, you can see the full benchmarking report next month on ACFE.com. We hope this report helps support your team’s effectiveness and highlights its success to your organization’s decision-makers. And if there are benchmarking metrics or questions you’d like to see covered in future ACFE benchmarking research, send your ideas to Research@ACFE.com.

Find out more about the ACFE's latest resources, products and events in the most recent Resource Guide.

Fraud, Bad Business Decisions, and Waste and Abuse

GUEST BLOGGER

Mary Breslin, CFE, CIA
President, Empower Audit

In light of International Fraud Awareness Week, I wanted to take a look at why fraud awareness in every organization needs to specifically define what fraud is for your organization.

Six weeks after the U.S. government bailed out AIG, the AIG executives held a weeklong retreat at a five-star hotel – The St. Regis Monarch in California – and spent half a million dollars. Congress consequently held hearings questioning why a seemingly exorbitant amount of money was spent on an executive retreat immediately after receiving more than $80 billion from the American people to be bailed out. The half a million spent at St. Regis included expenses for rooms up to $1,200 per night, large bar tabs, spa treatments including massages, manicures, pedicures, facials and hair treatments, and more than $150,000 on banquet fees.

When I teach my internal audit fraud course, I like to begin by playing a clip from the congressional hearings that details the expenses, and questions why and how this money was spent. The video does not show any conclusion; it shows the frustration of the congressmen and women trying to understand how after needing to be bailed out by the government, AIG could rationalize those expenditures. One could argue they needed to gather for strategy meetings after the bailout. Sure, but did they need to do it at a five-star resort? And were the spa treatments and bar tabs necessary?

I then poll my class participants and ask them if it is fraud. Most say “no.” The vast majority of people feel it is either waste and abuse, or simply a bad business decision. Most also feel that once the money was given to AIG it was their money to spend as they saw fit. I like to use the AIG example because AIG recovered and was able to pay the money back, which I believe impacts our perception. If AIG had failed, would everyone shake their heads at the company spending a half a million dollars on a retreat and readily call it fraud? But was it fraud? Were the executives acting with appropriate fiscal responsibility and integrity? If not, is that fraud? Or is it waste or abuse? Or maybe it’s simply a bad business decision?  We very rarely have trouble labeling actions as fraudulent in hindsight, especially when the company failed or became embroiled in a scandal. But do we see as clearly while it is happening? I think not.

Finally, we also have a much easier time labeling fraud in theoretical situations. This is why organizations need to define what fraud is to them before facing potential fraud risks. If organizations do not clearly define what they consider to be fraud, and the difference between fraud, waste and abuse, and bad business decisions, then as questionable situations arise they may not be seen as a real threat. Just ask Wells Fargo.

Who is Responsible for Vendor Fraud?

GUEST BLOGGER

Emma Zhang, CFE, CPA

When I was working as an internal auditor at an oil and gas company (the Company) in California, one of my colleagues and I conducted a routine vendor audit. The vendor provided services to one of the oil rigs of the Company and the Company had used the vendor for two years. Basically, the audit was to ensure that the vendor performed jobs as contracted.

In this audit, I was responsible for the vendor payment review. The vendor assigned 35 employees to perform jobs at the rig during the two-year period. Five employees covered 24-hour shifts daily. The working-hour review and billing process was that the employees submitted their timesheets to their supervisor for review and authorization. Then, the supervisor submitted the timesheets to the project manager for review and approval. The project manager was the Company’s employee and oversaw the vendor services and the project progress. The vendor presented the invoice each month to the project manager for review and approval before billing the Company. The project manager should ensure that the invoice was correct and accurate before approving it.

I requested all approved timesheets and pulled all vendor invoices from the Company’s accounting system to ensure that they were properly authorized. No exception was noted. Then, I created a spreadsheet to include the 35 employees’ names and their working dates and hours. Once the spreadsheet was built and all data were input, I found some employees’ working hours were suspect. For example, some employees were consistently working 15 hours a day; or some employees worked a night shift and continued to work another 8-hour shift in the following day; or some employees never took any days off and worked on holidays.

To confirm whether the timesheets were fraudulent, I requested all payrolls of the two years. The vendor denied my request, claiming that the payrolls included confidential information and it would not be secure to send them. I then requested an on-site review of payrolls. The vendor found excuses to reject the visit but eventually agreed to a two-day visit. Soon my colleague and I flew to California to visit the vendor’s office. Unsurprisingly, we experienced a cold welcome and we were arranged to sit just outside of the restroom. No one in the vendor office hid their unpleasant feeling towards us. In the two days, my colleague and I input payroll information into the spreadsheet and then compared the payroll hours with the working hours from the timesheets. Through the comparison, we found that the working hours on the timesheets did not match the paid hours on payrolls. We even noted that two employees were not on the payroll. This was a fraud scheme to alter employee timesheets and create ghost employees to obtain payments. Consequently, the fraud cost the Company around $250,000 overpay.

So, you may be wondering, “Who is responsible for the fraud?” After coming back from California, I completed a report that was distributed to my manager and the California office management. Soon, my manager and I had a phone meeting with the CFO and his team, including the project manager in California office, to discuss the fraud. During the meeting, the CFO and his team were laughing about the fraud and took this as a joke until we mentioned the ownership of the fraud. Who should be responsible for this fraud and loss? Quickly, we felt the intense silence from the other side of the phone.

The project manager could hardly absolve himself of the blame. The CFO and the accounting team in the California office, as the payment gatekeeper, held responsibility as well. Two weeks later, we had another meeting with the CFO and his team. This time, we had a serious discussion about responsibilities and actions to recover the loss. Several months later, the Company requested the full amount of overpay from the vendor and stopped working with the vendor when the contract expired. The project manager was demoted to a project supervisor. Also, the corporate management made a decision to let the internal audit department review the billing process and vendor bidding process across the organization to determine if any gaps or poor controls existed and required improvement or redesign.

Emma Zhang is an experienced audit professional at Carrtegra, with more than seven years of internal audit and Sarbanes Oxley (SOX) compliance focusing on operations, accounting, internal controls and process improvement. 

Detecting Fraud the Old-School Way: How a Facility Tour Led to a Break in a Routine Audit

GUEST BLOGGER

Mary Breslin, CFE, CIA
President, Empower Audit

I recently returned from Jordan where I conducted a data analytics training for an internal audit banking group. As is often the case when learning to use data analytics within internal audit, people wanted to skip right to finding fraud. I wish it were that easy. While I sometimes feel like I could never conduct a fraud investigation without my data analytics tools, I've learned that I can never rely solely on analytics. We must continue to be students of the business and hone traditional methods while enhancing them with analytics. 

Many of my cases have been discovered and initiated by simply walking around and talking to people. One example is a recently settled federal case. Several years ago I was in Belgium at a factory location of an American company I worked for. I asked for a tour of the facility even though I knew most of my time would be spent with accounting records and documents. I wanted to understand the business. During my tour I spotted a large crate ready to be shipped. The core product was made in the U.S. and finished in Belgium before delivery to the customer. The crate was stamped “Made in the USA” in six-inch letters. Directly beneath that stamp was another that read “Ship to the Islamic Republic of Iran.” I did a double take. Iran was (and is) an embargoed nation — it was illegal to sell goods of any kind to Iran.

I assumed this was a lack of training, and the Belgian team wasn’t aware of the restrictions, and I proceeded as such. My team requested all sales to that customer, as well as to any other countries that were embargoed at the time for the prior 18 months. Much to my dismay, it was a long list of sales. 

In conversations with the general manager I reviewed the Code of Conduct and Handbook, where it explicitly forbade sales to those countries. I then reported the issue to the executive team and went about preparing the information that would be needed for counsel to self-report the issues to the necessary regulatory agencies. The situation was under control, right? But of course before my team and I went home, I added the location to our follow-up action plan for internal audit.

Three months later I returned to Belgium for an unannounced visit to the factory. Who stops by to see me? The general manager. She hands me a manila folder stuffed with evidence of the many sales to embargoed countries that had occurred since my departure just 90 days earlier, when it had seemed the executive team was clear on the problem and ready to make things right. As I flipped through the folder's contents I saw document after document that contained the written approval via email of every one of those sales by the COO himself. I was shocked. I immediately reported back to the executive team and was surprisingly met with the response, “We need those sales.” In their quest for revenue, executive management chose to break the law and go against legal counsel and internal audit’s recommendations. 

In the following week, our inability to agree on the handling of the issue resulted in my termination — as well as the termination of my entire team. The issue was then reported to the Securities and Exchange Commission (SEC) and appropriate regulatory agencies and a federal investigation ensued. In October of this year the case finally settled in court. The company pleaded guilty and paid a large fine. The executive management team has since been replaced.

If I had not walked the facility that day, the issue may have never been identified.  The likelihood of finding those illegal sales buried in all the sales for the year was minimal using normal audit techniques unless I knew to look specifically for that issue. While analytical tools can be invaluable, they should not replace understanding the business and the traditional methods — especially simply talking to people and touring a facility.

Maintaining Strong Ethical Culture is All in a Day's Work

MEMBER PROFILE

Dora Gomez, CFE, Global Fraud Officer, AXA Tech 
Jersey City, N.J.

Dora Gomez, CFE, a native New Yorker, began an early passion for travel, thanks to her parents, and was even a DJ for four years during college. But it was Gomez's passion for fighting fraud that led her to her current position as Global Fraud Officer at AXA Tech.

Where were you born and raised?

I was born in Brooklyn, New York, a first-generation American to Ecuadorian parents. I grew up in a multi-cultural neighborhood, which taught me to build friendships with people of other ethnicities. I also learned to love an array of international foods, which I appreciate to this day. At heart, I am still a true New Yorker.   

How did you become passionate about fighting fraud?

I think I always had the "bug" inside of me to fight fraud. When I worked in public accounting and internal audit I was exposed some cases of fraud and learned how to spot the signs of fraud. It’s vital for the company to have strong ethical principles where employees feel empowered to speak up when something seems wrong. It’s not just about the company’s reputation, it also about working for a company we feel proud to be a part of.

What is your personal motto?

Take risks in life, be confident, and don’t underestimate yourself. I learned that during an expat assignment in Paris. Not only was it an eye opener to learn how the company functioned at the headquarter level, but I also learned about the French culture and those of other European countries. I overcame obstacles (not speaking French, making new friends, working with new colleagues, etc.) but tackled them and learned from that experience. The only constants that I brought with me were my two small dogs … that also learned to bark in French!

What do you consider your greatest achievement to date?

I don’t know if I can actually name one great achievement. I think I did pretty well in my career and personal life for a middle class ‘kid’ from Brooklyn, NY. Let’s face it, being a minority and a woman has its challenges and tackling them requires persistence and determination. I have overcome many obstacles in life (both personal and work related), and I am proud and happy with the person I am today.

Read Gomez's full profile on ACFE.com in the Career Center.