Insider threats to an organization

Insider threats to an organization are a critical area for auditors to consider when reviewing fraud risks. Many past cases have shown that internal staff are frequently the perpetrators of fraud. Over time within an organization, trust in a single staff person can build to the point that the controls which would have prevented the fraud no longer exist. In other cases, certain fraud risks are never considered at all and are only discovered after the fact, sometimes by luck.

I’ll be providing an overview of two fraud cases involving insider threats. These cases are both very large. One involves the lottery and another involves a small Midwestern town.

When random isn’t truly random

The first case involves one of the most successful lottery frauds ever committed. If you wanted to commit fraud in a lottery, what would be the best way to get the most money? Rig the scratch off tickets? Too many people involved in the creation and distribution of those tickets — plus, the prizes aren’t that large to begin with.

How about rigging the mega jackpot drawing? You could walk away with tens of thousands to millions of dollars. But how? The drawing is random… right? What if you are one of the few people with access to the computer code? What if you made it so the numbers were not, in fact, random? Imagine you had the power to know what the numbers would be on a given drawing. I think we’ve all dreamed about knowing the winning numbers. Apparently, as this case illustrates, all it takes is a little fraud.

Eddie Tipton worked for the Multi-State Lottery Association. Reports indicate he was a likeable guy who hosted holiday parties at his large home. Eddie knew coding and worked as the information security director at the association. Part of his duties involved having access to the code that generated the random numbers for the lottery game. Eddie made it so the code was no longer random.

However, he had a dilemma: if he changed every drawing, the pattern might be discovered and the case could lead back to him. Instead, he made it so most days the drawing was random — but the drawings on Memorial Day, Thanksgiving, and Christmas were a whole other matter. He also couldn’t make the drawing be the same set of numbers each time, because that would also get him caught. Instead, he narrowed down the possible combinations so, rather than having odds of one in eleven million, the odds were one in a few hundred. Eddie started buying tickets for himself or sharing numbers with friends and family so they could win. For years, the scheme worked. But in 2014, something changed.

A young prosecutor named Rob Sand was given a case from his retiring boss. Someone had tried to cash in a $16.5 million lottery ticket under suspicious circumstances. So suspicious, in fact, that the claim was withdrawn just to protect the identity of the ticket purchaser. After all leads failed, a video of the individual purchasing the ticket was released to the public. That is when fellow lottery colleagues recognized Eddie Tipton. Rob Sand kept digging and discovered a string of fraudulent lottery winnings dating back years. In a bizarre twist, the case involved a Bigfoot hunting hobbyist organization known as the Bigfoot Field Researchers. You can read a thrilling and detailed account of The Man Who Cracked The Lottery from the New York Times.

So what happened to Rob Sand? He won his case and decided to give up prosecuting. Now, his focus is protecting taxpayer dollars as Iowa’s State Auditor.

Even a small town can have a massive fraud

The city of Dixon, Illinois, used to be known as the childhood home of Ronald Reagan. That changed in 2012, when Rita Crundwell was indicted for embezzlement and the town became famous for one of the worst frauds ever committed. Her take from the city of 15,000 residents? $53 million. That is about $3,500 per capita. Rita used that money to fund a quarter-horse breeding program and a lavish, luxury lifestyle.

Rita was the Dixon Municipal Comptroller and had worked for the city since she was 17 years old. She was a trusted employee. City councilor Roy Bridgeman once remarked: “[Rita] is a big asset to the city as she looks after every tax dollar as if it were her own.” But as it turns out, she only looked after those tax dollars so she could take millions for her own use. Rita also was well-liked and respected in the city. No one was ever suspicious about her actions.

How did she do it? Well, in 1990, Rita opened a bank account under her sole control and associated it with city accounts. Rita was authorized to endorse city checks as treasurer and she would write the check payable to her secret bank account — the Reserve Sewer Capital Development Account. As owner of the RSCDA account, she would then sign the back of the check and cash it into that account, where it would then be used to pay off credit cards or get transferred to other accounts under Rita’s control.

The fraud was discovered in 2012 when Rita took an extended vacation and another employee took over her duties. A bank statement came in for the RSCDA during Rita’s time off. The new employee immediately recognized that it looked suspicious and didn’t match any other records. Before too long, the FBI began investigating the case. You can read more about the Rita Crundwell case through reporting from the Chicago Tribune. In the end, the bank that issued Rita the account and the auditor who had “audited” Dixon’s financial statements were found partially culpable and ordered to pay restitution to the city totaling close to $40 million. There is also a great documentary on the fraud; it is currently available on Netflix if you subscribe to that service.

Lessons to learn from these two cases

These two cases highlight the potential risk that insiders can pose to an organization. In both instances, some simple controls could have prevented the frauds. First, segregation of duties was lacking in both cases. For Eddie Tipton, there wasn’t sufficient monitoring of his access to critical computer code and the changes he was making to that code. Eddie was able to insert a few lines of code completely undetected. Understanding code changes, especially to critical IT applications, is crucial to an organization. All changes should be appropriately controlled and monitored to ensure that unauthorized changes, like those Eddie made, do not occur.

Rita controlled almost everything in the Dixon treasurer’s office. She was able to issue and approve payments, draft checks, record transactions, reconcile bank records, and control and monitor the city budget. Suppose the city had required two signatories on all checks over $10,000. The fraud would never have reached the level it did, because the other signatory could easily have asked Rita what the check was for. Dixon now requires large checks to have two signatories to ensure this never happens again.

Another important lesson to take away is being diligent about your audit work, even if it seems mundane. Segregation of duties is important, so always keep an eye out for instances where a lack of segregation could lead to a control weakness. Furthermore, many invoices that Rita issued to support her fraudulent transactions contained errors and other red flags. Consider the two invoices below (images of invoices obtained from David Hancox’s blog). Notice any differences? Can you spot the fake?

Invoice #1

Invoice #2

If you compare and contrast the two invoices, several items should become apparent fairly quickly. The first invoice has formal letterhead with an agency logo; the second has no logo. The 2nd invoice also has spelling errors as a result of converting a PDF to a Word document (see Section vs. Secton). The first invoice is very specific and involves match rates and full calculations (e.g. $8,402.99 due), whereas the 2nd invoice is not specific and includes a large, even dollar amount (e.g. $1,250,000.00 due). The 2nd invoice was also issued on a Saturday (11/15/2003), which is odd for a state agency. Lastly, the first invoice has a contact person and phone number, which is suspiciously absent from the fraudulent invoice.

Other resources

The Association of Certified Fraud Examiners is another great resource. Their annual Report to the Nations highlights a lot of important statistics on fraud and their Fraud Examiners Manual is a treasure trove of information on fraud detection and strong internal controls. See also this past blog post on Benford’s Law for a great tool for your fraud fighting toolkit.

Ian Green, M.Econ, CGAP, CFE, CISA
Principal Auditor at the Oregon Secretary of State Audits Division



How to: Apply Benford’s Law in Excel to Detect Fraudulent Activity

We apply Benford’s Law here at the Oregon Audits Division as part of our fraud investigations.

For those who haven’t heard of it yet, Benford’s Law is a natural phenomenon that occurs in certain data sets. Just as the bell curve predicts a certain distribution of values, so does Benford’s. You can use Benford’s to detect fraudulent transactions by looking for outliers.

Benford’s Law predicts that the number 1 will occur more often as the first digit than any other number. In fact, the number 1 is about 6 times more likely to occur than the number 9 (30.1% vs. 4.6%). The law can also be applied to the first two digits and other applications, but we won’t get into that now.

So what data sets conform to Benford’s? Well, there are some, like the drainage of rivers, that do not apply to auditing, but there are also plenty of financial transactions that do. First off, you want a dataset with a large sample size, ideally over 1,000 records. This is one case where a sample of 30 is very inappropriate.

Second, you want data that is not limited. ATM transactions, for example, are limited because there are minimum and maximum withdrawals, and they generally require increments of $20. Limited data also includes assigned values like invoice numbers. All of the digits (1 through 9) should be possible as a first digit.

The data should also ideally cross multiple orders of magnitude (e.g. 1 to 10, 10 to 100, 100 to 1,000).

Here’s a list of data that should generally conform:

  • Home addresses
  • Bank account balances
  • Census data
  • Accounting related data such as Accounts Receivables
  • Transaction level data

Now that I know what data to use, how can I analyze it? With Excel of course!


1 – Load Data in Excel

2 – Calculate first digit

3 – Run Benford’s using Countif

4 – Graph

The following uses real world data that helped to convict several fraudsters in Oregon.

Screenshot of Steps 1 & 2


Using the left function, you can calculate the first digit of a number.

Screenshot of Step 3


Using the countif function, you can count how many records in your data begin with each first digit. You will need to calculate the percentage too. The log formula on the right is Benford’s Law in numerical form.

Screenshot of Step 4


Looking at the graph, you can see that the digit 1 is overrepresented. The next step is to drill down on the records that do not match Benford’s. A closer examination of the records with a first digit of 1 yields a large number of $100 transactions. Those $100 transactions were largely, if not all, fraudulent. By using Benford’s you can quickly identify suspicious patterns to help detect fraud.

Benford’s will lead to false positives, so do not assume that an outlier has to be fraud. Next time: how to do Benford’s in ACL, and why you should use the 2-digit Benford’s test.
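The four steps above (extract the first digit, count per digit, compare with the log formula, drill down on the outlier) carried through in Python as an added example; this is not the division’s workbook or its Oregon data. The amounts are a constructed sample: 150 legitimate-looking payments plus a cluster of $100.00 payments standing in for the pattern the post describes, and the 0.05 tolerance for flagging a digit is an assumed threshold.

```python
import math
from collections import Counter

# Benford's Law in numerical form: expected share of leading digit d is log10(1 + 1/d)
BENFORD_EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

def first_digit(amount):
    """Leading non-zero digit (the Excel LEFT() step); None for zero, which has none."""
    for ch in f"{abs(amount):.12g}":
        if ch in "123456789":
            return int(ch)
    return None

def benford_analysis(amounts):
    """Per digit: count, observed share, expected share and the gap (the COUNTIF step)."""
    counts = Counter(d for d in map(first_digit, amounts) if d is not None)
    total = sum(counts.values())
    result = {}
    for d in range(1, 10):
        observed = counts[d] / total if total else 0.0
        result[d] = {"count": counts[d], "observed": observed,
                     "expected": BENFORD_EXPECTED[d], "diff": observed - BENFORD_EXPECTED[d]}
    return result

def overrepresented_digits(analysis, tolerance=0.05):
    """Digits whose observed share beats Benford's expectation by more than `tolerance` (assumed cutoff)."""
    return [d for d, row in analysis.items() if row["diff"] > tolerance]

def drill_down(amounts, digit):
    """The drill-down step: amounts starting with `digit`, most frequent first."""
    return Counter(a for a in amounts if first_digit(a) == digit).most_common()

# Constructed sample (not the Oregon data): 150 payments spread log-uniformly over three
# orders of magnitude, which conforms to Benford, plus 40 round $100.00 payments
# standing in for the cluster the post describes.
LEGIT = [round(10 ** ((i + 0.5) / 50), 2) for i in range(150)]
SUSPECT = [100.00] * 40
SAMPLE = LEGIT + SUSPECT

if __name__ == "__main__":
    analysis = benford_analysis(SAMPLE)
    for d, row in analysis.items():
        print(f"{d}: n={row['count']:3d}  observed={row['observed']:.3f}  "
              f"expected={row['expected']:.3f}  diff={row['diff']:+.3f}")
    for digit in overrepresented_digits(analysis):
        print(f"digit {digit} overrepresented; top amounts: {drill_down(SAMPLE, digit)[:3]}")
```

Running it flags only digit 1, and the drill-down shows the $100.00 cluster at the top of that digit’s list, which is the point at which an auditor would start pulling supporting documents rather than treating the outlier itself as proof of fraud.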


Audits in the News: Week of Dec. 7

Audits in the News: The division’s fraud hotline is featured in The Daily Astorian.

We here in the audits division are proud that the work we do makes a difference. Our work attracts the attention of the legislature, statewide news sources, and even local media outlets. Local media coverage of our audits is just another way we communicate with the people of Oregon about the work that we’re doing on their behalf to make government better. This is part of an ongoing series of posts rounding up recent instances in which the Oregon Audits Division makes a cameo in the local news.

In addition to our audits, the division is responsible for the Secretary of State’s government waste, fraud and abuse hotline. The hotline accepts anonymous calls and complaints from citizens and investigates instances in which waste or abuse of resources — or downright fraud — may be occurring within state government. Recently, our hotline received a little media coverage of its own.

The Daily Astorian – Calls to government waste hotline at a five-year high

Read the story here.

“As of Nov. 10, the agency had received 235 complaints, according to audit manager V. Dale Bond at the Secretary of State’s Audits Division. Employees still have to go back to remove any duplicate complaints, but the highest number of complaints in the last five years was 184 complaints in 2010, according to an email from Bond. The lowest number of complaints during that period was 145 complaints in 2012.”


2014 Secretary of State Hotline Report

2014 Secretary of State Audits Division Hotline Report

  • The Audits Division Hotline received 180 reports in calendar year 2014.
  • We resolved all but four of the reports at year’s end by performing reviews, referring reports to contacts at other public bodies for their consideration and review, referring callers to appropriate contacts, and providing requested information.
  • We invite anyone with concerns about fraud, waste, or abuse to contact the Hotline at 1-800-336-8218. We can also be reached online here.