Effective Fraud Prevention and Security Controls

1
Effective Fraud Prevention and Security Controls
DOD Managers Internal Control Program
(MICP) November 23, 2009 Cindy Brown Barnes,
Assistant Director, FSI
2
Discussion Agenda

• FSI Background
• Video FSI Work
• FSI Methodology
• Case Study Discussion
• Questions

3
FSI BackgroundWho We Are

• The Forensic Audits and Special Investigations
  (FSI) unit was formed in May 2005 to bring GAOs
  related anti-fraud and other investigative
  activities together in one organization.
• In addition to analysts, forensic auditors, and
  criminal investigators, FSI staffing includes
• data mining and systems integration experts,
• fraud hotline analysts, and
• quality control staff such as communications
  analysts.
• All permanent FSI staff are Certified Fraud
  Examiners (CFE).

4
FSI BackgroundWhat We Do

• FSI work addresses
• fiscal challenges facing our nation,
• organizational and individual ethics,
• stewardship over government resources,
• control environment at federal agencies, and
• issues related to homeland and national security.
• FSI work comes from a variety of sources
• congressional requests and proposals,
• internal research and development, and
• hotline tips.

5
FSI BackgroundWhat We Do

• FSI has governmentwide jurisdiction and has
  access to most government data including tax
  records, SSA data, and grants and disbursement
  data, including Medicare/Medicaid data.
• FSI has access to law enforcement tools such as
  the National Criminal Information Center (NCIC),
  Financial Crimes Enforcement Network (FINCEN),
  and Lexis-Nexis law enforcement.
• FSI also manages FraudNet, the governmentwide
  hotline to report fraud, waste, and abuse.
• FSI has offices in Washington, D.C., and Dallas,
  Texas.

6
Video FSI Work

• Video highlights of FSI work

7
Effective Fraud Prevention Controls

• Internal controls are intended to provide
  reasonable assurance, not absolute assurance.
• Tone at the top and supportive culture are
  critical to success.
• Effective internal control systems include
  elements of
• human capital,
• policies and processes, and
• automated and integrated systems.
• Management efforts should be focused on
  prevention
• controls in place before money is disbursed.
• Data mining is an effective tool for both
  auditors and management.

8
Fraud Prevention Program Model
9
Effective Security Controls

• Standards for security are different than the
  reasonable assurance for fraud prevention.
• Effective security controls combine elements of
• People who are properly trained
• Technology that is capable of countering the
  threat, and
• Processes that make best use of people and
  technology.
• Red team or covert tests are an effective tool
  for both investigators and management.
• Tone at the top is critical to success.

10
FSI MethodologyTechniques and Tools

• Audit steps
• Data matching
• Data mining
• Statistical sampling
• Internal controls evaluation

• Investigative steps
• Undercover tests
• Social engineering
• Coordination with IGs or other law enforcement
  agencies
• NCIC, FINCEN, Lexis Nexis law enforcement

Integration

• Combined forensic audit and investigation
• Concludes on broken controls
• Substantiates specific fraud cases and/or
  provides first-hand evidence of fraud
• Where possible identifies magnitude

11
FSI MethodologyUndercover Testing

• FSI also has the authority to perform undercover
  tests of programs or processes to identify
  vulnerabilities.
• Undercover tests are performed by criminal
  investigators as red team exercises (e.g. no
  agency notification).
• Tests allow FSI to gather first-hand knowledge of
  control breakdowns and vulnerabilities in a
  realistic setting, rather than rely on the
  representations of the tested entity.
• Analyst/auditors help interpret the results of
  the undercover tests in a broader context and
  provide planning input.

12
FSI MethodologyCase Studies

• Case studies help illustrate the details and
  impact of fraud in concrete terms to Congress and
  taxpayers.
• Criminal investigators are critical to developing
  cases
• Access to law enforcement databases and resources
• Professional interviewing skills
• Contacts in other federal agencies and IGs.
• FSI frequently refers case studies to the
  appropriate law enforcement agency or other
  entity for further investigation.

13
FSI Case Studies

• Fraud, Waste, and Abuse
• Governmentwide purchase cards
• Transit benefit fraud
• HUBZone program fraud

14
FSI Case Study 1Governmentwide Purchase Cards

• Federal employees committing fraud with their
  government purchase cards
• Statistical samples to test effectiveness of
  controls
• Investigative work for highly pilferable items
• Data mined using criteria such as prohibited
  goods or services or items likely to be for
  personal use (e.g, internet dating)
• Could not determine magnitude of fraud
  governmentwide

15
FSI Case Study 1Governmentwide Purchase Cards

• Findings
• Estimated that nearly 41 percent of all federal
  purchase card transactions from July 1, 2005,
  through June 30, 2006, failed basic internal
  control checks
• Agencies were unable to locate 458 of 1,058
  accountable and pilferable items totaling over
  2.7 million
• Case studies of fraudulent purchases included
• USDA employee embezzled 642,000 over 6 years for
  gambling, car and mortgage payments, and retail
  purchases
• U.S. Postal Service employee spent 1,100 on
  Internet dating services over a 15-month period
• Waste, abuse, and questionable purchases also
  identified

16
FSI Case Study 2Transit Benefit Fraud

• Federal employees fraudulently receiving and/or
  selling their subsidized transit benefits
• Undercover operation using both eBay and
  Craigslist to identify sellers and arrange
  purchases
• Data mined transit benefit records from selected
  federal agencies and performed additional
  investigation such as
• Comparing employee home and work addresses
• Obtaining agency records
• Interviewing employees

17
FSI Case Study 2Transit Benefit Fraud
Metrochek Warning
18
FSI Case Study 2Transit Benefit Fraud

• Findings
• Over 3 days, found at least 20 federal employees
  fraudulently selling benefits on eBay
• Data mining revealed additional fraud, including
• People who continued to obtain benefits even
  after leaving the federal government
• Numerous cases of federal employees inflating
  their commuting costs
• One Treasury employee drove to work, parked for
  free in agency parking, and collected the maximum
  105 per month in benefits (he sold them on eBay)

19
FSI Case Study 2Transit Benefit Fraud

• Findings (cont.)
• Estimated that potential fraud during 2006 in the
  National Capital Region was at least 17 million
  and likely more
• OMB tightened controls over the entire program
• One Department of State employee was fired
• Wages were garnished from a Commerce employee
• Transportation employees were suspended from duty
  without pay and suspended from the program
• A Treasury employee was forced to repay 3,020
• An IRS employee was convicted of theft of
  government computers and sentenced to jail time

20
FSI Case Study 2Transit Benefit Fraud
Undercover Buy
21
FSI Case Study 3HUBZone Fraud

• Findings
• Identified 29 case studies of firms that did not
  meet principal office requirements, employee
  residency requirements, or both
• Fraud in the D.C. metro area and beyond,
  including the states of Texas, Alabama, and
  California
• Some firms were located at known virtual office
  sites, a clear indication of fraud
• Undercover operation showed SBA lacked front-end
  controls over the program

22
FSI Case Study 3HUBZone Fraud Supposed
Principal Office
23
FSI Case Study 3HUBZone Fraud Actual
Principal Office
24
FSI Case Study 3HUBZone Fraud SBA Letter to
Bogus GAO Firm
25
FSI Case Study 3HUBZone Fraud Headquarters
for Bogus GAO Firm
26
Summary of Key Points

• There are significant benefits to establishing
  and maintaining an integrated team of auditors
  and investigators.
• Forensic audits are an effective tool for
  auditors, analysts, and investigators to
  proactively identify fraud, waste, and abuse.
• There are some cultural challenges to bringing
  together diverse staff, but a unified mission,
  clear goals, and common language (e.g., the CFE
  designation) helps to bridge the gap.

27
Question and Answer Period

• Questions?