Insider threats to an organization

Insider threats to an organization are a critical area for auditors to consider when reviewing fraud risks. Many past cases have shown that internal staff are frequently the perpetrators of fraud. Over time, trust in a single staff person can build to the point that the controls which would have prevented the fraud no longer exist. In other cases, certain fraud risks are never considered at all and are only discovered after the fact, sometimes by luck.

I’ll be providing an overview of two fraud cases involving insider threats. These cases are both very large. One involves the lottery and another involves a small Midwestern town.

When random isn’t truly random

The first case involves one of the most successful lottery frauds ever committed. If you wanted to commit fraud in a lottery, what would be the best way to get the most money? Rig the scratch off tickets? Too many people involved in the creation and distribution of those tickets — plus, the prizes aren’t that large to begin with.

How about rigging the mega jackpot drawing? You could walk away with tens of thousands to millions of dollars. But how? The drawing is random… right? What if you are one of the few people with access to the computer code? What if you made it so the numbers were not, in fact, random? Imagine you had the power to know what the numbers would be on a given drawing. I think we’ve all dreamed about knowing the winning numbers. Apparently, as this case illustrates, all it takes is a little fraud.

Eddie Tipton worked for the Multi-State Lottery Association. Reports indicate he was a likeable guy who hosted holiday parties at his large home. Eddie knew coding and worked as the information security director at the association. Part of his duties involved having access to the code that generated the random numbers for the lottery game. Eddie made it so the code was no longer random.

However, he had a dilemma: if he changed every drawing, the pattern might be discovered and the case could lead back to him. Instead, he made it so most days the drawing was random — but the drawings on Memorial Day, Thanksgiving, and Christmas were a whole other matter. He also couldn’t make the drawing be the same set of numbers each time, because that would also get him caught. Instead, he narrowed down the possible combinations so, rather than having odds of one in eleven million, the odds were one in a few hundred. Eddie started buying tickets for himself or sharing numbers with friends and family so they could win. For years, the scheme worked. But in 2014, something changed.

A young prosecutor named Rob Sand was given a case from his retiring boss. Someone had tried to cash in a $16.5 million lottery ticket under suspicious circumstances. So suspicious, in fact, that the claim was withdrawn just to protect the identity of the ticket purchaser. After all leads failed, a video of the individual purchasing the ticket was released to the public. That is when fellow lottery colleagues recognized Eddie Tipton. Rob Sand kept digging and discovered a string of fraudulent lottery winnings dating back years. In a bizarre twist, the case involved a Bigfoot hunting hobbyist organization known as the Bigfoot Field Researchers. You can read a thrilling and detailed account of The Man Who Cracked The Lottery from the New York Times.

So what happened to Rob Sand? He won his case and decided to give up prosecuting. Now, his focus is protecting taxpayer dollars as Iowa’s State Auditor.

Even a small town can have a massive fraud

The city of Dixon, Illinois, used to be known as the childhood home of Ronald Reagan. That changed in 2012, when Rita Crundwell was indicted for embezzlement and the town became famous for one of the worst frauds ever committed. Her take from the city of 15,000 residents? $53 million. That is about $3,500 per capita. Rita used that money to fund a quarter-horse breeding program and a lavish, luxury lifestyle.

Rita was the Dixon Municipal Comptroller and had worked for the city since she was 17 years old. She was a trusted employee. City councilor Roy Bridgeman once remarked: “[Rita] is a big asset to the city as she looks after every tax dollar as if it were her own.” But as it turns out, she only looked after those tax dollars so she could take millions for her own use. Rita was also well-liked and respected in the city. No one was ever suspicious of her actions.

How did she do it? Well, in 1990, Rita opened a bank account under her sole control and associated it with city accounts. Rita was authorized to endorse city checks as treasurer and she would write the check payable to her secret bank account — the Reserve Sewer Capital Development Account. As owner of the RSCDA account, she would then sign the back of the check and cash it into that account, where it would then be used to pay off credit cards or get transferred to other accounts under Rita’s control.

The fraud was discovered in 2012 when Rita took an extended vacation and another employee took over her duties. A bank statement for the RSCDA arrived during Rita’s time off. The new employee immediately recognized that it looked suspicious and didn’t match any other records. Before long, the FBI began investigating the case. You can read more about the Rita Crundwell case through reporting from the Chicago Tribune. In the end, the bank that issued Rita the account and the auditor who had “audited” Dixon’s financial statements were found partially culpable and ordered to pay restitution to the city totaling close to $40 million. There is also a great documentary on the fraud, currently available on Netflix if you subscribe to that service.

Lessons to learn from these two cases

These two cases highlight the potential risk that insiders can pose to an organization. In both instances, some simple controls could have prevented the frauds. First, segregation of duties was lacking in both cases. For Eddie Tipton, there wasn’t sufficient monitoring of his access to critical computer code and the changes he was making to that code. Eddie was able to insert a few lines of code completely undetected. Understanding code changes, especially to critical IT applications, is crucial to an organization. All changes should be appropriately controlled and monitored to ensure that unauthorized changes, like those Eddie made, do not occur.

Rita controlled almost everything in Dixon’s treasurer’s office. She was able to issue and approve payments, draft checks, record transactions, reconcile bank records, and control and monitor the city budget. Had the city required two signatories on all checks over $10,000, the fraud could never have reached the level it did, because the other signatory could easily have asked Rita what each check was for. Dixon now requires large checks to have two signatories to ensure this never happens again.

Another important lesson to take away is being diligent about your audit work, even if it seems mundane. Segregation of duties is important, so always keep an eye out for instances where a lack of segregation could lead to a control weakness. Furthermore, many invoices that Rita issued to support her fraudulent transactions contained errors and other red flags. Consider the two invoices below (images of invoices obtained from David Hancox’s blog). Notice any differences? Can you spot the fake?

Invoice #1

Invoice #2

If you compare and contrast the two invoices, several items should become apparent fairly quickly. The first invoice has formal letterhead with an agency logo; the second has no logo. The second invoice also has spelling errors resulting from converting a PDF to a Word document (“Secton” for “Section”). The first invoice is very specific and includes match rates and full calculations (e.g. $8,402.99 due), whereas the second is not specific and shows a large, even dollar amount (e.g. $1,250,000.00 due). The second invoice was also issued on a Saturday (11/15/2003), which is odd for a state agency. Lastly, the first invoice lists a contact person and phone number, which are suspiciously absent from the fraudulent invoice.
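The red flags walked through above can be turned into a simple automated screen that a reviewer could run over vendor invoice records before a second signatory approves payment. This is an added example, not code from the original post or from the Dixon investigation; the invoice records, the vendor name, the contact details, the genuine invoice’s date and the expected-vocabulary list are all constructed, and the $100,000 round-amount threshold is an assumed tuning value.

```python
from dataclasses import dataclass
from datetime import date
from difflib import get_close_matches
from typing import List, Optional, Tuple

# Constructed vocabulary an auditor would expect on this agency's invoices;
# near-misses against it (e.g. "secton") suggest a retyped or converted document.
EXPECTED_WORDS = {"section", "match", "rate", "capital", "project",
                  "reserve", "sewer", "development", "invoice", "total"}


@dataclass
class Invoice:
    vendor: str
    issued: date
    amount_due: float
    has_letterhead: bool                 # agency logo / formal letterhead present
    contact: Optional[str]               # contact person and phone, or None
    line_items: List[Tuple[str, float]]  # (description, amount) pairs


def likely_typos(text: str) -> List[str]:
    """Words absent from the expected vocabulary but one close edit away from it."""
    typos = []
    for word in text.lower().split():
        if not word.isalpha() or word in EXPECTED_WORDS:
            continue
        if get_close_matches(word, EXPECTED_WORDS, n=1, cutoff=0.8):
            typos.append(word)
    return typos


def red_flags(inv: Invoice, round_threshold: float = 100_000.0) -> List[str]:
    """Return the red flags the two invoices above illustrate, as labels."""
    flags = []
    if not inv.has_letterhead:
        flags.append("no_letterhead")
    if inv.issued.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        flags.append("weekend_issue_date")
    if inv.amount_due >= round_threshold and inv.amount_due % 1000 == 0:
        flags.append("large_round_amount")  # large, even dollar figure, no calculation
    if not inv.contact:
        flags.append("no_contact_person")
    for desc, _ in inv.line_items:
        flags.extend(f"typo:{w}" for w in likely_typos(desc))
    return flags


# Constructed records modelled on the two invoices discussed above.
GENUINE = Invoice(vendor="State agency (constructed)", issued=date(2003, 11, 12),
                  amount_due=8402.99, has_letterhead=True,
                  contact="J. Doe, 555-0100 (constructed)",
                  line_items=[("Section 4 match rate", 8402.99)])
SUSPECT = Invoice(vendor="State agency (constructed)", issued=date(2003, 11, 15),
                  amount_due=1_250_000.00, has_letterhead=False, contact=None,
                  line_items=[("Secton 4 capital project", 1_250_000.00)])
```

Flags are advisory: an invoice that trips several of them warrants a call to the agency and a look at the supporting calculation before the check is signed.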

Other resources

The Association of Certified Fraud Examiners is another great resource. Their annual Report to the Nations highlights a lot of important statistics on fraud and their Fraud Examiners Manual is a treasure trove of information on fraud detection and strong internal controls. See also this past blog post on Benford’s Law for a great tool for your fraud fighting toolkit.

Ian Green, M.Econ, CGAP, CFE, CISA
Principal Auditor at the Oregon Secretary of State Audits Division


Accountability and Media Featured Fraud Investigation

TEDx Repost: Don’t have 10,000 hours to learn something new? That’s fine — all you need is 20 hours

Wanting to learn something new comes from that best, most curious part of us. But then we have to put in the work. When it’s day three on the keyboard and the cat walking across the keys still sounds better than us, we can get discouraged — and often give up.

Writer Josh Kaufman, author of The First 20 Hours: How to Learn Anything … Fast and The Personal MBA: Master the Art of Business has figured out why so many of us get stopped in our tracks during this early learning period. “Feeling stupid doesn’t feel good, and the beginning of learning anything new is feeling stupid,” he says.

Through trial and error, he has come up with four steps that can help you scramble up the sharp slope of the learning curve in as little as 20 hours. Why 20? As he puts it, “20 hours is doable — that’s about 45 minutes a day for about a month, even skipping a couple of days here and there.”

The mastery of a new skill can be tough and humbling. This post provides practical tips for how to approach the task, or you can watch the video below.


GAO WatchBlog Reblog: A lot of government information is freely available

Open government data is government-produced information that anyone can freely use, modify, and share for any purpose. For example, the Treasury Department publishes open data on its new website, which provides detailed information to help track government spending.

Open data can foster accountability and public trust by giving citizens information about government activities and results. It can also promote private sector innovation and help industries generate revenue, such as by providing demographic, financial, or geographic information. For example, some real estate websites use Census data to provide information on the neighborhoods where homes for sale are located.

The GAO recently reported on ways that the U.S. Treasury may more transparently and effectively share government data through five key practices. While the report addresses federal data, the recommendations and insights may be relevant to a variety of state and local government functions.

You can read the report highlights and recommendations here, and check out the GAO WatchBlog here.


(ALGA Repost) Opportunities for Improvement: We Need to Talk

“The Yellow Book addresses communication of audit scope and objective at the beginning of the audit, and audit results at the end, but much communication happens, or should, during the audit.

8.23 Determining the form, content, and frequency of the communication with management or those charged with governance is a matter of professional judgment, although written communication is preferred. Auditors may use an engagement letter to communicate key information early in the engagement.

“Written communication is preferred”? Of course an engagement letter and discussion draft are written, and at the federal level, written is probably preferred, but the federal government is astronomically larger than any local audit office, like Jupiter is to Earth. Working under the general assumption that communications must be written, I think, will limit interaction that is critical to the ultimate success of an audit.

Because you all are auditing in a large variety of jurisdictions, I am cautious about recommending universal practices and just urge you to develop your briefing (and listening) procedures around the who, what, when, where, and why appropriate to your government.”

Gary Blackmer, former director of the Oregon Audits Division, discusses how auditors can communicate most effectively with agency heads and staff in his quarterly ALGA post, with practical suggestions for making introductions, engaging the agency in the audit process, finding context for problems, and making sure that your audit is on point. Read more here.


TEDx Reblog: How do you get from diversity to inclusion? Ask these 4 questions about your meetings

Many organizations and companies today track diversity in sex, gender, race, ethnicity, sexual orientation and religion, among other factors. For some of their leaders, numerical diversity is seen as the most important — and at times, the only — thing needed to create a varied and vibrant community. But by focusing on headcount, they are making the mistake of believing that diversity and inclusion are the same.

Dolly Chugh, a social psychologist at the NYU Stern School of Business, lays down some words of advice on how to tailor your meetings to create pathways to genuine inclusion. She recommends asking the following four questions, and explains why they should be asked:

Question #1: Who speaks at meetings?

Question #2: Who sits next to whom?

Question #3: Who is listened to?

Question #4: Who gets the credit?

While pathway moments may seem relatively small — those moments when we feel like we’re more or less part of the meeting, when we’re more or less listened to, when we’re more or less credited for our work — they are the ones that help determine whether we’re given greater chances for success and effectiveness, or held back. We can all cultivate the capacity to notice failures of inclusion if and when they happen, and then try to do better going forward.

Read more here, or watch the TED talk below.


Internal Auditor Reblog: The Conditions in Which You Think

The unwitting participants in the study were eight parole judges in Israel. They spend entire days reviewing applications for parole. The cases are presented in random order, and the judges spend little time on each one, an average of 6 minutes. (The default decision is denial of parole; only 35% of requests are approved. The exact time of each decision is recorded, and the times of the judges’ three food breaks — morning break, lunch, and afternoon break — during the day are recorded as well.) The authors of the study plotted the proportion of approved requests against the time since the last food break. The proportion spikes after each meal, when about 65% of requests are granted. During the two hours or so until the judges’ next feeding, the approval rate drops steadily, to about zero just before the meal. As you might expect, this is an unwelcome result and the authors carefully checked many alternative explanations. The best possible account of the data provides bad news: tired and hungry judges tend to fall back on the easier default position of denying requests for parole. Both fatigue and hunger probably play a role.

Mike Jacka writing for Internal Auditor explores the effect that our working conditions and environment have on our thinking, and the different roles that fast and slow thinking play in our work. He asks that the reader be aware of how the conditions in which they are thinking can affect (often unintentionally) the decisions they make.

As auditors (and as humans), honing a degree of self-awareness about how we are affected by the weather (or the bad traffic, or the argument we had last week with a family member, or the timing of lunch, whatever it may be) will help us look critically at our own thoughts. Are we actually making sound decisions? Or are we making rash and unfair decisions? What effect might this have on our work? And just as importantly, how can we counterbalance our fast thinking with slow thinking to make better decisions?

Read more here.


Association of Local Government Auditors ReBlog: Auditing in the dark corners

A police officer sees a drunken man closely searching the ground near a lamppost and asks if he can help. The man replies that he is looking for his keys. After a few minutes of looking the officer asks whether the man is certain he dropped his keys near the lamppost. “No,” he says, “I lost the keys somewhere across the street.” “Then why are we looking here?” asks the officer. “The light is much better,” the man responds.

That’s a very old joke, and it’s also a parable for auditors.

Do you audit where the light is better? Where you know the data is reliable? Where procedures are established? Where clear criteria exist? Where you’ve audited before? Do you choose your audit topics sitting at your desk without exploring around the agency?

Gary Blackmer (who needs no introduction in the auditing community, but for those not ‘in the know,’ he has a long and storied career in public auditing in Oregon and most recently served as the Director of the Secretary of State Oregon Audits Division) speaks to the need for auditors to peer into the darkest, most frustrating corners to identify the most serious problems that agencies and the communities they serve face. He encourages fellow auditors not to be lured and lulled by the prospect of a quick and easy audit. The smoothest path may not yield the biggest reward. After all, it’s been traveled many times before.

There is no doubt that groping around in the dark is difficult and unpleasant, but it often produces the biggest audit impacts. Conducting surprise inspections of adult care homes was emotionally difficult, but resulted in several negligent homes getting shut down. Tabulating deployment of 500 patrol officers for four months was pure drudgery, but it pointed out the mismatch with workload. It required patience and perseverance to interview a dozen agencies to learn why they were accomplishing more, but showed a pathway to success for the collections agency.

Read more here, and learn a bit about ALGA here!
