The Oregon Secretary of State Audits Division

Friends and colleagues,

The Oregon Audits blog has been discontinued, but our work continues on!

Please visit the links in the bar above (or click on the links below) to learn more about what we do, our past audits, our vital ongoing work to improve Oregon government, and to report on fraud, waste, or abuse of public funds.

Who we are

Released Audits

Audit Summaries

Fraud, Waste, and Abuse Hotline

We look forward to continuing to promote accountability and good governance for the people of Oregon.


Insider threats to an organization

Insider threats to an organization are a critical area for auditors to consider when reviewing fraud risks. Many past cases have shown that internal staff are frequently the perpetrators of fraud. Over time, trust in a single staff person can build to the point that the controls which would have prevented the fraud are quietly dropped. In other cases, certain fraud risks are never considered at all, and the fraud is only discovered after the fact, sometimes by luck.

I’ll be providing an overview of two fraud cases involving insider threats. Both cases are very large: one involves a multi-state lottery and the other a small Midwestern town.

When random isn’t truly random

The first case involves one of the most successful lottery frauds ever committed. If you wanted to commit fraud in a lottery, what would be the best way to get the most money? Rig the scratch-off tickets? Too many people are involved in creating and distributing those tickets, and the prizes aren’t that large to begin with.

How about rigging the mega jackpot drawing? You could walk away with tens of thousands to millions of dollars. But how? The drawing is random… right? What if you are one of the few people with access to the computer code? What if you made it so the numbers were not, in fact, random? Imagine you had the power to know what the numbers would be on a given drawing. I think we’ve all dreamed about knowing the winning numbers. Apparently, as this case illustrates, all it takes is a little fraud.

Eddie Tipton worked for the Multi-State Lottery Association. Reports indicate he was a likeable guy who hosted holiday parties at his large home. Eddie knew how to code and worked as the information security director at the association. His duties gave him access to the code that generated the random numbers for the lottery drawings. Eddie changed that code so the numbers were no longer random.

However, he had a dilemma: if he altered every drawing, the pattern might be discovered and traced back to him. Instead, he left most drawings random, but the drawings on Memorial Day, Thanksgiving, and Christmas were another matter. He also couldn’t make the drawing produce the same set of numbers every time, because that would get him caught too. Instead, he narrowed the possible combinations so that, rather than odds of one in eleven million, the odds were one in a few hundred. Eddie started buying tickets for himself or sharing numbers with friends and family so they could win. For years, the scheme worked. But in 2014, something changed.

A young prosecutor named Rob Sand inherited a case from his retiring boss. Someone had tried to cash a $16.5 million lottery ticket under suspicious circumstances. So suspicious, in fact, that the claim was withdrawn rather than reveal the identity of the ticket purchaser. After all other leads failed, a video of the person buying the ticket was released to the public. That is when lottery colleagues recognized Eddie Tipton. Rob Sand kept digging and uncovered a string of fraudulent lottery winnings dating back years. In a bizarre twist, the case involved a Bigfoot hunting hobbyist organization known as the Bigfoot Field Researchers. You can read a thrilling and detailed account, The Man Who Cracked The Lottery, in the New York Times.

So what happened to Rob Sand? He won his case and then gave up prosecuting. His focus now is protecting taxpayer dollars as Iowa’s State Auditor.

Even a small town can have a massive fraud

The city of Dixon, Illinois, used to be known as the childhood home of Ronald Reagan. That changed in 2012, when Rita Crundwell was indicted for embezzlement and the town became famous for one of the worst frauds ever committed. Her take from a city of 15,000 residents? $53 million, or about $3,500 per resident. Rita used that money to fund a quarter horse breeding operation and a lavish, luxury lifestyle.

Rita was the Dixon Municipal Comptroller and had worked for the city since she was 17 years old. She was a trusted employee. City councilor Roy Bridgeman once remarked: “[Rita] is a big asset to the city as she looks after every tax dollar as if it were her own.” As it turned out, she looked after those tax dollars so that she could take millions of them for her own use. Rita was also well-liked and respected in the city. No one was ever suspicious of her actions.

How did she do it? In 1990, Rita opened a bank account under her sole control and associated it with the city’s accounts. As treasurer, Rita was authorized to endorse city checks, so she would write a check payable to her secret account, the Reserve Sewer Capital Development Account (RSCDA). As the owner of the RSCDA account, she would then sign the back of the check and deposit it into that account, from which the money was used to pay off credit cards or transferred to other accounts under Rita’s control.

The fraud was discovered in 2012 when Rita took an extended vacation and another employee took over her duties. A bank statement for the RSCDA arrived during Rita’s time off. The stand-in employee immediately recognized that it looked suspicious and did not match any other records. Before long, the FBI began investigating. You can read more about the Rita Crundwell case in the Chicago Tribune’s reporting. In the end, the bank that had opened the account for Rita and the auditor who had “audited” Dixon’s financial statements were found partially culpable and ordered to pay restitution to the city totaling close to $40 million. There is also a great documentary on the fraud: https://www.allthequeenshorsesfilm.com/. It is currently available on Netflix if you subscribe to that service.

Lessons to learn from these two cases

These two cases highlight the risk that insiders can pose to an organization. In both instances, simple controls could have prevented the fraud. First, segregation of duties was lacking in both cases. For Eddie Tipton, there was not sufficient monitoring of his access to critical computer code or of the changes he made to it. Eddie was able to insert a few lines of code completely undetected. Understanding code changes, especially to critical IT applications, is crucial for an organization. Every change should be controlled and monitored, reviewed by someone other than the person who made it and compared against an approved version, so that unauthorized changes like Eddie’s cannot slip through.
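The simplest technical form of that monitoring is an integrity baseline: hash every file in an approved release, and on a schedule (or before every drawing) compare the deployed files against that baseline so that any file added, removed or modified since approval is reported to someone other than the developer. The script below is an added example written for this post; it is not the lottery association’s tooling, and the directory layout, file names and file contents it builds in a temporary folder are constructed solely to show a modified and an added file being caught.

```python
"""Integrity baseline for deployed code (added example, not the association's code).

build_manifest() records a SHA-256 digest for every file under a release
directory; diff_manifest() reports what changed relative to the approved
baseline. demo() constructs a throwaway release in a temporary directory,
approves it, then alters one file and adds another to show the check firing.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Set


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, with '/' separators) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Return the files added, removed and modified since the baseline was approved."""
    return {
        "added": set(current) - set(baseline),
        "removed": set(baseline) - set(current),
        "modified": {p for p in baseline.keys() & current.keys() if baseline[p] != current[p]},
    }


def demo() -> Dict[str, Set[str]]:
    """Constructed scenario: approve a release, then make two unreviewed changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "rng").mkdir()
        # Hypothetical file names and contents; nothing here is the real system.
        (root / "rng" / "draw.py").write_text("def draw():\n    return os.urandom(8)\n")
        (root / "README").write_text("approved release 1.0\n")
        baseline = build_manifest(root)  # stored by the change-control function

        # Changes made after approval without going through review
        (root / "rng" / "draw.py").write_text("def draw():\n    return 4  # not random\n")
        (root / "rng" / "extra.py").write_text("# unreviewed helper\n")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {sorted(paths) or '-'}")
```

The baseline manifest has to be stored and compared by someone who cannot also edit the code, otherwise the person being monitored can simply re-baseline after making a change; that separation is the segregation-of-duties point above applied to software.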

Rita controlled almost everything in Dixon’s treasurer’s office: she could issue and approve payments, draft checks, record transactions, reconcile bank records, and control and monitor the city budget. Had the city required two signatories on all checks over $10,000, the fraud could never have occurred at the level it did, because the second signatory could easily have asked Rita what each check was for. Dixon now requires two signatories on large checks to ensure this never happens again.

Another important lesson is to be diligent about your audit work, even when it seems mundane. Segregation of duties is important, so always keep an eye out for instances where a lack of segregation could lead to a control weakness. Furthermore, many of the invoices Rita produced to support her fraudulent transactions contained errors and other red flags. Consider the two invoices below (images of the invoices obtained from David Hancox’s blog). Notice any differences? Can you spot the fake?

Invoice #1

Invoice #2

If you compare the two invoices, several differences should become apparent fairly quickly. The first invoice has formal letterhead with an agency logo; the second has no logo. The second invoice also has spelling errors, apparently the result of converting a PDF to a Word document (note “Secton” for “Section”). The first invoice is very specific, with match rates and full calculations (e.g. $8,402.99 due), whereas the second is vague and shows a large, round dollar amount ($1,250,000.00 due). The second invoice was also issued on a Saturday (11/15/2003), which is odd for a state agency. Lastly, the first invoice lists a contact person and phone number, which are conspicuously absent from the fraudulent one.
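Those cues can be turned into a screening script that runs over a batch of invoices before an auditor looks at any of them. The code below is an added example for this post, not something from the Dixon investigation: the two invoice records it checks are constructed to mirror the features described above (a Friday, itemized $8,402.99 bill with a contact, and a Saturday, unitemized $1,250,000.00 bill with a misspelling and no letterhead), and the field names, the $100,000 “large amount” threshold and the small expected-word list are assumptions chosen for illustration.

```python
"""Invoice red-flag screening (added example, not from the original post).

Encodes the cues discussed above: missing letterhead, missing contact details,
weekend issue dates, large round totals, no supporting calculation, and
misspellings of words an official document is expected to get right.
"""
import re
from datetime import date
from typing import Dict, List

# Words a genuine agency invoice would spell correctly (assumed list).
EXPECTED_WORDS = {"section", "department", "invoice", "amount", "total"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch near-misses such as 'Secton' for 'section'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def misspelled_words(text: str) -> List[str]:
    """Words one edit away from an expected word (heuristic, case-insensitive)."""
    hits = []
    for word in re.findall(r"[A-Za-z]+", text):
        w = word.lower()
        if w not in EXPECTED_WORDS and any(levenshtein(w, e) == 1 for e in EXPECTED_WORDS):
            hits.append(word)
    return hits


def is_round_amount(amount: float, threshold: float = 100_000) -> bool:
    """Large totals that are an exact multiple of $1,000 deserve a second look."""
    cents = round(amount * 100)
    return amount >= threshold and cents % 100_000 == 0


def is_weekend(d: date) -> bool:
    return d.weekday() >= 5  # Saturday = 5, Sunday = 6


def screen_invoice(inv: Dict) -> List[str]:
    """Return the list of red flags raised by one invoice record."""
    flags = []
    if not inv.get("letterhead"):
        flags.append("no letterhead or agency logo")
    if not inv.get("contact_name") or not inv.get("contact_phone"):
        flags.append("no contact person or phone number")
    if is_weekend(inv["date"]):
        flags.append(f"issued on a weekend ({inv['date'].strftime('%A')})")
    if is_round_amount(inv["amount"]):
        flags.append(f"large round amount ({inv['amount']:,.2f})")
    if not inv.get("line_items"):
        flags.append("no itemized calculation supporting the total")
    typos = misspelled_words(inv.get("body", ""))
    if typos:
        flags.append("possible misspellings: " + ", ".join(typos))
    return flags


def screen_all(invoices: List[Dict]) -> Dict[str, List[str]]:
    return {inv["id"]: screen_invoice(inv) for inv in invoices}


# Constructed sample records mirroring the two invoices discussed above.
SAMPLE_INVOICES = [
    {
        "id": "INV-1", "letterhead": True,
        "contact_name": "J. Example", "contact_phone": "555-0100",
        "date": date(2003, 11, 14),  # a Friday
        "amount": 8402.99,
        "line_items": [("match rate applied to program costs", 8402.99)],
        "body": "Department Section 4 invoice total due",
    },
    {
        "id": "INV-2", "letterhead": False,
        "contact_name": "", "contact_phone": "",
        "date": date(2003, 11, 15),  # a Saturday
        "amount": 1_250_000.00,
        "line_items": [],
        "body": "Secton 4 total due",
    },
]


if __name__ == "__main__":
    for inv_id, flags in screen_all(SAMPLE_INVOICES).items():
        print(inv_id, "->", flags or "no flags")
```

None of these flags proves fraud on its own; a genuine invoice can be dated on a weekend or lack a logo. The value is in ranking a large batch so that the ones with several flags, like INV-2, are pulled for the comparison you just did by eye.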

Other resources

The Association of Certified Fraud Examiners is another great resource. Their annual Report to the Nations highlights a lot of important statistics on fraud and their Fraud Examiners Manual is a treasure trove of information on fraud detection and strong internal controls. See also this past blog post on Benford’s Law for a great tool for your fraud fighting toolkit.

Ian Green, M.Econ, CGAP, CFE, CISA
Principal Auditor at the Oregon Secretary of State Audits Division


Audit Release: Oregon’s Framework for Regulating Marijuana Should Be Strengthened to Better Mitigate Diversion Risk and Improve Laboratory Testing


Report Highlights

Gaps in Oregon’s developing marijuana regulatory framework increase the risk of legal marijuana diverting to the black market, especially in the medical marijuana program. To improve marijuana laboratory testing and protect public health, the state should consider requiring testing for heavy metals and microbiological contaminants, enhance test oversight, and ensure labs meet accreditation standards.

Background

Voters approved Measure 91 in 2014, legalizing the production and sale of recreational marijuana in Oregon. However, marijuana remains illegal federally, and federal officials have expressed serious concerns about marijuana from Oregon crossing into other states. The Oregon Liquor Control Commission (OLCC) regulates the recreational marijuana market, while the Oregon Health Authority (OHA) oversees medical marijuana and marijuana lab testing rules. As of November 2018, retail sales had generated $207 million in tax revenue.

Purpose

This audit’s purpose was to determine whether Oregon has adequate controls to deter the diversion of legal marijuana to the black market and to oversee marijuana laboratory testing to ensure test results are accurate.

Key Findings

  1. OLCC is still establishing a regulatory framework for recreational marijuana and has put many controls in place, such as requiring seed-to-sale product tracking and surveillance cameras. However, with no cap on the number of licenses and more applications than expected, staffing and inspections have not kept pace. As a result, only 3% of retailers and 32% of growers have had a compliance inspection.
  2. Structural weaknesses in the medical marijuana program greatly increase the risk of diversion. In contrast to OLCC, OHA lacks the authority to put important controls in place, such as requiring medical growers to have surveillance cameras. The agency has only four permanent staff to inspect roughly 14,000 grow sites and has struggled with decreasing revenues, turnover, and performance management.
  3. All recreational marijuana in Oregon must be tested for pesticides and solvents, but most medical marijuana is not required to be tested. Also, OHA does not require heavy metal and microbiological testing, in contrast to some other states. These contaminants could pose a risk to consumers.
  4. Without a mechanism for verifying test results, Oregon’s marijuana testing program cannot ensure that test results are reliable and products are safe. Limited authority, inadequate staffing, and inefficient processes reduce OHA’s ability to ensure that Oregon marijuana labs consistently operate under accreditation standards, and industry pressures may affect lab practices and the accuracy of results.

Recommendations

OLCC and OHA agreed with all 23 of our recommendations; for three of them, OHA indicated it would be unable to take action without further statutory authority. The agencies’ responses are included at the end of the report.

Read full report here.


Audit Release: Oregon Department of Revenue Cybersecurity Controls Assessment


Report Highlights

This audit was conducted to assess critical security controls and the Department of Revenue’s (DOR) information technology (IT) security management program. We concluded the agency should update its security management program to reflect recent statewide changes to IT security governance structures, as well as correct weaknesses in inventory management, vulnerability management, control of administrative accounts, configuration change management, and audit logging processes.

Background

DOR handles sensitive information, including taxpayer personal information and tax data. The agency, in collaboration with the Enterprise Security Office at the Office of the State Chief Information Officer (OSCIO), is responsible for implementing a security management program to ensure the confidentiality, availability, and integrity of the information with which it is entrusted.

Purpose

The purpose of this audit was to determine whether DOR has implemented an appropriate IT security management program and the basic cyber security controls necessary to ensure cyber defense readiness.

Key Findings

  1. DOR had implemented a security management program, but associated plans and procedures have not been updated to reflect current staffing levels and reorganization of statewide security by the OSCIO.
  2. DOR lacks specific policies and fully automated controls for many elements of the basic security controls identified by the Center for Internet Security. These basic controls should be implemented in every organization to reduce the risk that attackers could compromise systems and data.

Recommendations

We recommend DOR improve its security management program and remedy weaknesses we identified in the basic controls defined by the Center for Internet Security.

DOR agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.


Audit Release, Oregon Department of Revenue: Enhancing Organizational Culture and Addressing Customer Service Challenges Will Optimize Agency Performance


Report Highlights

Organizational culture is key to shaping how members interact with each other and how they achieve their mission and objectives. However, organizational culture in an organization, such as the Department of Revenue (DOR), can be difficult to assess or change. Both DOR staff and management have identified a desire to shift towards a more collaborative agency culture and share perspectives on how culture can be enhanced to meet employees’ needs. DOR leadership makes decisions regarding agency operations; this report provides information that can help inform some of those decisions. DOR leadership has been engaged with the audit and acknowledged that enhancing the culture is a good opportunity within the agency.

Background

DOR has undergone tremendous change in the last five years. These include several changes in leadership positions, including the Director, and implementation of a critical and expansive information technology system. These significant governance and operational changes affected both internal and external stakeholders. For example, DOR’s customer service rating decreased dramatically, drawing the attention of the Legislature in 2017. We utilized a specialized methodology to assess how enhancing culture could help optimize the agency’s performance. The DOR Director has been supportive of our methodology and appears committed to enhancing the agency’s culture.

Purpose

The purpose of this audit was to determine how changes to DOR’s culture could improve agency performance and to identify factors for the decline in customer service satisfaction from 2013 through 2016 that can be addressed to enhance customer service moving forward.

Key Findings

  1. Opportunities exist to enhance DOR’s operating culture and employee morale. Specifically, DOR management should develop a formal strategy and take action to better incorporate collaborative values within the agency. The strategy should include robust internal communications, an effective accountability framework, a collaborative feedback process, and improved workplace interactions.
  2. The agency’s customer satisfaction declined between 2013 and 2016. A portion of this decrease was due to implementation of a critical and complex IT system known as GenTax. DOR has already identified and addressed a number of customer service deficiencies; as a result, customer service ratings increased in 2017 and 2018. DOR should complete efforts underway to address these challenges.

Recommendations

We made five recommendations to DOR for actions needed to improve its organizational culture and customer satisfaction. DOR agreed with all of our recommendations. The agency’s response can be found at the end of the report.

Read the full report here.


TEDx Repost: Don’t have 10,000 hours to learn something new? That’s fine — all you need is 20 hours

Wanting to learn something new comes from that best, most curious part of us. But then we have to put in the work. When it’s day three on the keyboard and the cat walking across the keys still sounds better than us, we can get discouraged — and often give up.

Writer Josh Kaufman, author of The First 20 Hours: How to Learn Anything … Fast and The Personal MBA: Master the Art of Business has figured out why so many of us get stopped in our tracks during this early learning period. “Feeling stupid doesn’t feel good, and the beginning of learning anything new is feeling stupid,” he says.

Through trial and error, he has come up with four steps that can help you scramble up the sharp slope of the learning curve in as little as 20 hours. Why 20? As he puts it, “20 hours is doable — that’s about 45 minutes a day for about a month, even skipping a couple of days here and there.”

The mastery of a new skill can be tough and humbling. This post provides practical tips for how to approach the task, or you can watch the video below.


GAO WatchBlog Reblog: A lot of government information is freely available

Open government data is government-produced information that anyone can freely use, modify, and share for any purpose. For example, the Treasury Department publishes open data on its new USAspending.gov website, which provides detailed information to help track government spending.

Open data can foster accountability and public trust by giving citizens information about government activities and results. It can also promote private sector innovation and help industries generate revenue, such as by providing demographic, financial, or geographic information. For example, some real estate websites use Census data to provide information on the neighborhoods where homes for sale are located.

The GAO recently reported on ways that the U.S. Treasury may more transparently and effectively share government data through five key practices. While the report addresses federal data, the recommendations and insights may be relevant to a variety of state and local government functions.

You can read the report highlights and recommendations here, and check out the GAO WatchBlog here.
