The Importance of a Fraud

1
The Importance of a Fraud Misconduct Strategy

• NYSICA
• March 25, 2004
• Presented by
• Christopher J. Rosetti, Partner
• BST Advisors, LLC
• Forensic Accounting and Investigative Services

2
AGENDA

• Introduction
• Tone at the Top
• Code of Conduct
• Effective Fraud and Misconduct Strategy
• Best Practices
• Grant Administration

3
Unknown

• Confidence and trust are like a mortals need
  for air. When the required good is present, its
  never noticed. When its missing, its all
  thats noticed

4
Public Misconduct
5
Audit Risks for the Public Sector
6
The Principal Types of Fraud

• Bribery
• Conflicts of Interest
• Theft of Money or Property
• Breach of Fiduciary Duty

7
Bribery

• Giving or receiving a thing of value to influence
  a business decision without the consent or
  knowledge of the principal.

8
Conflicts of Interest

• An agent taking an interest in a transaction that
  is actually or potentially adverse to the
  principal without full and timely disclosure to
  the principal

9
Theft of Money or Property

• Embezzlement
• The defendant took or converted, without the
  knowledge or consent of the organization, money
  or property of another that was properly
  entrusted to the defendant.
• Larceny
• Taking and carrying away money or property of
  another, without the consent of the owner, with
  the intent to permanently deprive the owner of
  its use or possession.

10
Breach of Fiduciary Duty

• The principal fiduciary duties are loyalty and
  care.
• Duty of Loyalty requires that the employee act
  solely in the best interest of the employer, free
  of any self dealing, conflicts of interest, or
  other abuse for personal advantage.
• Duty of Care requires that persons in a fiduciary
  relationship must conduct business affairs
  prudently with the skill and attention normally
  exercised by a person in similar positions.

11
Many technological advances reduce the audit
trail and facilitate perpetration of
sophisticated computer crimes which siphon funds
to fictitious or unauthorized accounts.
12
Internal Control Facts

• Internal control starts with a strong control
  environment
• Management has the proper attitude and operating
  style
• Management is the owner of internal control
• Internal controls are built into the business
  process
• Adapted from the 12/03 issue of Financial Audit
  Solutions

13
Tone at the Top

• Is there an ethics/compliance program in place?
• Has it been designed to satisfy leading
  governmental models (e.g., federal sentencing
  guidelines)?
• Has it been implemented throughout the
  organization, are there indicators that it is
  operating as intended (e.g., frequency of
  training, volume of hotline calls, consistency of
  discipline)?
• Has it been effective in achieving compliance
  with the organizations ethical and legal
  obligations?

14
An Effective Fraud and Misconduct Strategy
Strong corporate culture, values ethics
Effective personnel policies

Fraud\misconduct awareness
Fraud and misconduct reporting and response
Effective Compliance Program
15
An Effective Fraud and Misconduct Strategy
(continued)

• Strong Corporate Culture with supporting Ethics
  and Values
• Credible leadership commitment
• Corporate Values Statement
• Clear and specific Code of Conduct
• Define acceptable and unacceptable behavior
• Address potential ethical dilemmas

16
Effective Ethics/Code of Conduct

• Helps prevent misconduct
• Detects violations and provides and early warning
  system
• Timely and responsible actions help avert
  prosecution

17
Code of Conduct Checklist

• Use of equipment (telephone, vehicle,
  photocopiers, scanner, supplies, credit cards)
• Use of the internet during work hours and/or for
  non-work related reasons.
• Acceptance of gifts from vendors, suppliers and
  contractors

18
Code of Conduct Checklist (continued)

• Conflicts of interest (sign form annually)
  Having direct or indirect, financial or
  otherwise, in any transaction or activity that
  conflicts with the proper discharge of the
  employees duties.
• Outside employment or dual employment
• Confidential information
• Intellectual property

19
Code of Conduct Checklist (continued)

• Use of official position to secure unwarranted
  privileges or exemptions
• On-site weapons
• Restricting competition
• Computer security
• Time and attendance

20
Code of Conduct Checklist (continued)

• Exercising common sense
• Expense reimbursements
• Disparaging contractors
• Illegal betting or gambling
• Destruction of organizational records

21
Reasons for Failure

• The message is not supported by senior management
  
• The ethics policy/code of conduct does not
  provide practical guidance or example
• Regular training is not provided
• Compliance officer is overburden with other
  matters

22
Reasons for Failure (continued)

• People are not aware of the hotline nor is it
  used
• Corrective actions are not initiated
• Compliance is not monitored and an annual report
  is not issued

23
Periodically Reinforce Values

• Annual training
• Annual conflicts of interest affidavit
• Posted flyers
• Reminders with W-2s

24
Periodically Reinforce Values (continued)

• Weekly or monthly email reminders about policies
• Code of conduct and ethics policy posted on
  intranet
• Posters advertising anonymous reporting mechanism

25
An Effective Fraud and Misconduct Strategy
(continued)

• Effective Personnel Policies
• Recruitment screening
• Vacation policies
• Appraisal system and counseling policies
• Employee attitude surveys

26
Effective Personnel Policies

• Recruitment screening
• Verify identity
• Check qualifications, names of schools
• Probe employment gaps
• Obtain references
• Vacation policies and work patterns
• Enforce vacations
• Appraisal and counseling
• Employee attitude surveys

27
Effective Personnel Policies (continued)

• Background checks
• Social security number verification
• OFAC check
• Media checks

28
An Effective Fraud and Misconduct Strategy

• Fraud\misconduct awareness
• Typical fraud risks
• Common indicators
• Behavioral issues
• Control benchmarking
• Reporting fraud suspicions

29
Quality of Your Fraud and Misconduct Strategy

• Score each of these on a 1 to 10 scale.
• What is the quality of your anti-fraud and
  misconduct strategy?
• Is responsibility for managing fraud and
  misconduct risk well defined?
• How clear are reporting channels for reporting
  suspicions of fraud or misconduct?
• Are there clear protections for those reporting
  fraud or misconduct?
• How effective is your fraud and misconduct
  awareness program?

30
Quality of Your Fraud and Misconduct Strategy

• Score each of these on a 1 to 10 scale.
• How effective is your recruitment screening
  process?
• How developed is the understanding of fraud and
  misconduct risks facing your organization?
• How have you matched these risks to controls to
  see how they are managed?
• How effectively does your organization learn from
  fraud and misconduct incidents?
• How aware of fraud and misconduct are head office
  and regional personnel?
• What is the total score?

31
Quality of Your Fraud and Misconduct Strategy
(continued)

• How did your organization rate?
• 90 to 100 points Strong
• 80 to 89 points Effective
• 70 to 79 points Needs Improvement
• 60 to 69 points High Risk
• Below 60 points Very High Risk

32
Indications of Low Fraud and Misconduct Awareness
No forum where the subject of the meeting is
fraud and misconduct risk.
Do not believe there is a structured way of
assessing risk.
No systems on fraud or misconduct, it is not a
regular agenda item.
The organization has not considered fraud risks.
It trusts its employees.
The risk section is considered a cost driver.
People in the business do review fraud and
misconduct, but only in a passive way.
I see the potential fraud risks as nil to small.
33
An Effective Fraud and Misconduct Strategy
(continued)

• Effective Fraud and Misconduct Reporting and
  Response Program
• Fraud and misconduct reporting channels
• Whistler blower protection and non-retaliation
  policy
• Fraud and misconduct response plans

34
Effective Fraud and Misconduct Reporting and
Response

• Questions
• Why investigate?
• When to investigate?
• What to investigate?
• Who should investigate?
• How to conduct investigation?

35
Effective Fraud and Misconduct Reporting and
Response (continued)

• Importance of fraud risk management
• Every organization should have a documented
  anti-fraud strategy and corporate integrity
  program. At a minimum it should include
• Agencys stance on fraud and other breaches of
  companys policies and ethical code
• To whom and how should suspicions of fraud or
  misconduct be reported
• What will be done and by whom in the case that
  fraud or other breaches are suspected
• Employee rights - including limitations on
  expectations of privacy and companys rights to
  gain access and search all work areas

36
Effective Fraud and Misconduct Reporting and
Response (continued)

• Why investigate?
• Its your duty
• Its the right thing

37
Effective Fraud and Misconduct Reporting and
Response (continued)

• Why its your duty
• Organizations have no choice
• 1991 Sentencing Guidelines
• Prevalence of government voluntary disclosure
  programs
• Administrative and court rulings

38
Effective Fraud and Misconduct Reporting and
Response (continued)

• Why its the right thing
• Best practice
• Conducting internal investigations is the norm
  rather than the exception
• 94 of companies responding to 1998 Fraud Survey
  said that conducting an investigation was the
  leading response to the discovery of fraud
• Assists organizations in determining the extent
  of potential civil or criminal liability
• Assists in determining facts, available defenses,
  and appropriate response
• Assist in negotiating a favorable resolution or
  avoiding an intrusive government investigation

39
Effective Fraud and Misconduct Reporting and
Response (continued)

• Why its the right thing
• Bottom Line protection
• Deterrence
• Given the cost of fraud, a fraud response is
  essential
• Recovery
• Asset tracing and recovery
• Insurance coverage
• Public relations
• Permits affirmative, proactive communications
  strategy
• Avoids charge of cover up

40
Effective Fraud and Misconduct Reporting and
Response (continued)

• When to investigate
• Knowledge of information suggesting reasonable
  possibility that a third party and/or an employee
  might have engaged in wrongful conduct exposing
  the organization to risk of criminal liability,
  substantial monetary loss or damage, injury to
  its reputation, or other type of significant harm

41
Effective Fraud and Misconduct Reporting and
Response (continued)

• When to investigate
• Timing
• Decision should be made as soon as possible
• Advantages of early start
• Greater ability to develop appropriate response
  and defense
• Increases likelihood that corporations can gather
  information and interview employees before
  government
• Enables corporations to qualify for credit for
  full cooperation under Sentencing Guidelines
• Importance of Fraud and Misconduct Response Plan
  as part of a compliance program
• Corporation needs to be prepared in advance to
  insure prompt and appropriate response

42
Effective Fraud and Misconduct Reporting and
Response (continued)

• What to investigate
• Fraud Internal or external
• Falsification of financial data
• Misappropriation of assets
• Theft or embezzlement

43
Effective Fraud and Misconduct Reporting and
Response (continued)

• What to investigate
• Violations of organization policy
• Examples
• Conflicts of interest
• Policies regarding giving or receiving gifts
• Waste/Mismanagement
• Mishandling of confidential or proprietary
  information

44
Effective Fraud and Misconduct Reporting and
Response (continued)

• Who should investigate
• Chief of internal compliance (Integrity Officer)
• An individual should be designated by each
  organization to whom all information regarding
  potential misconduct should be reported
• Responsibility
• To receive reports of fraud or misconduct
• To conduct initial evaluation (refer to either HR
  or GC)
• General Counsel
• Responsibility
• To determine seriousness of allegation
• To determine scope and direction of investigation
• To consult and advise other relevant executives
• To determine the need for retention of outside
  counsel

45
Effective Fraud and Misconduct Reporting and
Response (continued)

• Who should investigate
• All internal investigations should always be
  directed by counsel
• Principal reason
• Permits invocation of privilege to protect the
  confidentiality of internal investigative results

46
!!!Assume all Cases Will End in Litigation!!!
47
Findings Could Result in

• Civil Litigation
• Criminal Litigation
• No Action

48
False Imprisonment Occurs When There Is

• An intent to confine
• An act resulting in confinement
• Consciousness of confinement or resulting harm.

49
Effective Fraud and Misconduct Reporting and
Response (continued)

• How to investigate
• Develop Investigative Hypothesis
• Theory of fraud or misconduct - Extent and
  elements
• Who may be involved
• Where is the evidence likely to be found
• Documents
• Witnesses
• Individual computers
• Transportable media
• Network servers
• Constantly refine and re-examine

50
Effective Fraud and Misconduct Reporting and
Response (continued)

• How to investigate
• Develop Work Plan
• Consistent with theory of fraud or misconduct
• Identify documents to be examined
• Procedures to be followed
• Examples
• Document examination and verification
• Types of analysis
• Manual review
• Gap, variance
• Reconciliation
• Sorting and comparisons
• Trend

51
Effective Fraud and Misconduct Reporting and
Response (continued)

• How to investigate
• Identify potential sources of electronic or voice
  information and data
• Examples
• PCs
• Laptops
• Transportable media
• Network servers
• Voice-mails
• Emails
• Recorded conversations e.g. securities trading
• Video tapes
• Procedures and tools to be used to retrieve
  electronic and voice data

52
Effective Fraud and Misconduct Reporting and
Response (continued)

• How to investigate
• Identify individuals to be interviewed
• Inside organization
• Outside organization e.g. vendors
• Develop interview menus
• Order of interviews
• Questions to be asked
• Identify other investigative procedures
• Public database searches
• Data analysis

53
Effective Fraud and Misconduct Reporting and
Response (continued)

• Respecting employee rights
• Employees Duty to Cooperate
• Duty to cooperate exists in every internal
  investigation, unless compliance is
• impossible
• unlawful
• unreasonable

54
Effective Fraud and Misconduct Reporting and
Response (continued)

• Respecting employee rights
• Employee Rights include
• Contractual Right
• Example
• If employee is a member of a union, union
  contract or collective bargaining agreement may
  contain restrictions on investigation procedures
• Whistleblower laws
• Protect employees who report misconduct to
  government from retaliatory action

55
An Effective Fraud and Misconduct Strategy
(continued)

• Effective Compliance Program
• Standards and procedures that are reasonably
  capable of preventing fraud and misconduct
• High-level oversight
• Due care in delegating discretionary authority
• Effective communication of standards and
  procedures (Training)
• Monitoring and auditing of compliance program
• Enforcement of program through discipline
• Appropriate response upon notification of
  wrongdoing

56
Federal Sentencing Guidelines for an Effective
Compliance Program

• High level oversight
• Standards of conduct
• Communications and training
• Compliance auditing and monitoring
• Pre-employment screening
• Enforcement of standards and disciplinary actions
• Corrective actions taken

57
An Effective Fraud and Misconduct Strategy
(continued)
Culture, values ethics
Effective personnel policies

• Values statement
• Code of Conduct
• Defining acceptable and unacceptable
• Addressing ethical dilemmas

• Recruitment screening
• Vacation policies
• Appraisal and counseling
• Employee attitude surveys

Fraud\ misconduct awareness

• Typical fraud risks
• Common indicators
• Behavioral issues
• Control benchmarking
• Reporting fraud suspicions

Effective Compliance Program

• Standards and procedures
• High-level oversight
• Delegation due care
• Training
• Monitoring and Auditing
• Discipline
• Appropriate response

Fraud and misconduct Reporting and response

• Reporting channels
• Whistle blower protections
• Response plans

58
Objectives of a Fraud Response Plan

• Provide a conduit for whistleblowers
• Identify internal affairs personnel
• Outline the manner in which all reviews should
  proceed
• Prevent further loss
• Identify high risk areas

59
Objectives of a Fraud Response Plan

• Respond quickly
• Secure evidence
• Identify parties involved
• Identify loss remedies
• Identify specialists

60
Best Practices (continued)

• Collecting payments with credit cards Reduces
  exposure to cash and transfers risk to credit
  card issuer.
• Typical payments Water rents, sewer rents,
  taxes.

61
Best Practices (continued)

• Third party receives complaints about billing,
  collections and payments.
• Clerk who issued bills, collected cash and
  received complaints misappropriated 357,000 via
  a lapping scheme involving 4,000 water utility
  customers.

62
Best Practices (continued)

• Bonding employees
• Estimate the amount and add a cushion (Nobody
  steals small amounts)

63
Best Practices (continued)

• Telephone Audits www.google.com. Type in
  telephone number and hit google search.
• 900 calls by mailman during lunch
• Go out an let people know what your doing. They
  dont know who youre looking at.

64
Best Practices (continued)

• Checking inventory annually to identify excess
  inventory

65
Right to Audit

• Obtaining the right
• Right to Audit Agreement - on the back of
  purchase order or procurement form
• Right to Audit Clause in a Contract - include
  language in the body of the contract

66
Best Practices (continued)

• Compliance audits of purchasing policies
  (kickbacks and embezzlements)
• Written policies and procedures

67
The Value of Nothing

• No telephone number is master vendor file
• Telephone number is the same digit, i.e. all 9s
• No address
• No contact person of fed ID

P
68
Grant Administration

• Right to audit
• Purchasing vs. leasing
• Tel Calls
• Travel
• Food Vendors
• Subcontracts
• Employees

P
69
Questions?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
1
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?

• Chris Rosetti
• crosetti_at_bstadvisors.com
• BST Advisors, LLC
• 26 Computer Drive West
• Albany, New York 12205
• Tel 518-459-6700 / 800-724-6700 ? Fax
  518-459-8492
• www.bstadvisors.com

?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?