Insider threats to an organization

Insider threats to an organization are a critical area for auditors to consider when reviewing fraud risks. Many instances in the past have shown that internal staff are frequently the perpetrators of fraud. Over time within an organization, trust in a single staff person can build to such a point that the controls which would have prevented the fraud no longer exist. Other times, certain fraud risks are not even considered and are only discovered after the fact, sometimes by luck.

I’ll be providing an overview of two fraud cases involving insider threats. These cases are both very large. One involves the lottery and another involves a small Midwestern town.

When random isn’t truly random

The first case involves one of the most successful lottery frauds ever committed. If you wanted to commit fraud in a lottery, what would be the best way to get the most money? Rig the scratch off tickets? Too many people involved in the creation and distribution of those tickets — plus, the prizes aren’t that large to begin with.

How about rigging the mega jackpot drawing? You could walk away with tens of thousands to millions of dollars. But how? The drawing is random… right? What if you are one of the few people with access to the computer code? What if you made it so the numbers were not, in fact, random? Imagine you had the power to know what the numbers would be on a given drawing. I think we’ve all dreamed about knowing the winning numbers. Apparently, as this case illustrates, all it takes is a little fraud.

Eddie Tipton worked for the Multi-State Lottery Association. Reports indicate he was a likeable guy who hosted holiday parties at his large home. Eddie knew coding and worked as the information security director at the association. Part of his duties involved having access to the code that generated the random numbers for the lottery game. Eddie made it so the code was no longer random.

However, he had a dilemma: if he changed every drawing, the pattern might be discovered and the case could lead back to him. Instead, he made it so most days the drawing was random — but the drawings on Memorial Day, Thanksgiving, and Christmas were a whole other matter. He also couldn’t make the drawing be the same set of numbers each time, because that would also get him caught. Instead, he narrowed down the possible combinations so, rather than having odds of one in eleven million, the odds were one in a few hundred. Eddie started buying tickets for himself or sharing numbers with friends and family so they could win. For years, the scheme worked. But in 2014, something changed.

A young prosecutor named Rob Sand was given a case from his retiring boss. Someone had tried to cash in a $16.5 million lottery ticket under suspicious circumstances. So suspicious, in fact, that the claim was withdrawn just to protect the identity of the ticket purchaser. After all leads failed, a video of the individual purchasing the ticket was released to the public. That is when fellow lottery colleagues recognized Eddie Tipton. Rob Sand kept digging and discovered a string of fraudulent lottery winnings dating back years. In a bizarre twist, the case involved a Bigfoot hunting hobbyist organization known as the Bigfoot Field Researchers. You can read a thrilling and detailed account of The Man Who Cracked The Lottery from the New York Times.

So what happened to Rob Sand? He won his case and decided to give up prosecuting. Now, his focus is protecting taxpayer dollars as Iowa’s State Auditor.

Even a small town can have a massive fraud

The city of Dixon, Illinois, used to be known as the childhood home of Ronald Reagan. That changed in 2012, when Rita Crundwell was indicted for embezzlement and the town became famous for one of the worst frauds ever committed. Her take from the city of 15,000 residents? $53 million. That is about $3,500 per capita. Rita used that money to fund a quarter-horse breeding program and a lavish, luxury lifestyle.

Rita was the Dixon Municipal Comptroller and had worked for the city since she was 17 years old. She was a trusted employee. City councilor Roy Bridgeman once remarked: “[Rita] is a big asset to the city as she looks after every tax dollar as if it were her own.” But as it turns out, she only looked after those tax dollars so she could take millions for her own use. Rita also was well-liked and respected in the city. No one was ever suspicious about her actions.

How did she do it? Well, in 1990, Rita opened a bank account under her sole control and associated it with city accounts. Rita was authorized to endorse city checks as treasurer and she would write the check payable to her secret bank account — the Reserve Sewer Capital Development Account. As owner of the RSCDA account, she would then sign the back of the check and cash it into that account, where it would then be used to pay off credit cards or get transferred to other accounts under Rita’s control.

The fraud was discovered in 2012 when Rita took an extended vacation and another employee took over her duties. A bank statement came in for the RSCDA during Rita’s time off. The new employee immediately recognized that it looked suspicious and didn’t match any other records. Before too long, the FBI began investigating the case. You can read more about the Rita Crundwell case through reporting from the Chicago Tribune. In the end, the bank that issued Rita the account and the auditor who had “audited” Dixon’s financial statements were found partially culpable and ordered to pay restitution to the city totaling close to $40 million. There is also a great documentary on the fraud: https://www.allthequeenshorsesfilm.com/. It is currently available on Netflix if you subscribe to that service.

Lessons to learn from these two cases

These two cases highlight the potential risk that insiders can pose to an organization. In both instances, some simple controls could have prevented the frauds. First, segregation of duties was lacking in both cases. For Eddie Tipton, there wasn’t sufficient monitoring of his access to critical computer code and the changes he was making to that code. Eddie was able to insert a few lines of code completely undetected. Understanding code changes, especially to critical IT applications, is crucial to an organization. All changes should be appropriately controlled and monitored to ensure that unauthorized changes, like those Eddie made, do not occur.

With Rita, she controlled almost everything in Dixon’s treasurer’s office. Rita was able to issue and approve payments, draft checks, record transactions, reconcile bank records, and control and monitor the city budget. Assume the city had required two signatories on all checks over $10,000. The fraud would never have occurred at the level it did, as the other signatory could easily have asked Rita what the check was for. Dixon now requires large checks to have two signatories to ensure this never happens again.

Another important lesson to take away is being diligent about your audit work, even if it seems mundane. Segregation of duties is important, so always keep an eye out for instances where a lack of segregation could lead to a control weakness. Furthermore, many invoices that Rita issued to support her fraudulent transactions contained errors and other red flags. Consider the two invoices below (images of invoices obtained from David Hancox’s blog). Notice any differences? Can you spot the fake?

Invoice #1

Invoice #2

If you compare and contrast the two invoices, several items should become apparent fairly quickly. In the first statement there is formal letterhead with an agency logo. In the second there is no logo. The second invoice also has spelling errors as a result of converting a PDF to a Word document. See Section vs. Secton. The first invoice is very specific and involves match rates and full calculations (e.g. $8,402.99 due), whereas the second invoice is not specific and includes a large, even dollar amount (e.g. $1,250,000.00 due). The second invoice also was issued on a Saturday (11/15/2003), which is odd for a state agency. Lastly, the first invoice has a contact person and phone number, which is suspiciously absent from the fraudulent invoice.
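The red flags walked through above, turned into a small checklist that can be run over invoice records. This is an added example, not code from the original post or from David Hancox’s blog; the two invoice records are constructed from the description in the text, and the genuine invoice’s issue date, description and contact details are assumed because the page does not give them.

```python
from dataclasses import dataclass
from datetime import date
from difflib import get_close_matches
from typing import List, Optional

# Small vocabulary of terms expected on this kind of agency invoice. A word that is
# not in it but is very close to one of its entries is a probable typo of the kind
# the post points out ("Secton" for "Section").
VOCAB = ["section", "invoice", "match", "rate", "reimbursement", "amount", "due", "total"]


@dataclass
class Invoice:
    issuer: str
    issue_date: date
    amount_due: float
    has_letterhead_logo: bool
    contact_name: Optional[str]
    contact_phone: Optional[str]
    description: str


def probable_typos(text: str) -> List[str]:
    """Words that are near-misses of a vocabulary term (e.g. 'Secton' ~ 'section')."""
    found = []
    for raw in text.split():
        word = raw.strip(".,:;()$").lower()
        if not word.isalpha() or word in VOCAB:
            continue
        if get_close_matches(word, VOCAB, n=1, cutoff=0.8):
            found.append(raw)
    return found


def is_large_round_amount(amount: float, threshold: float = 100_000.0) -> bool:
    """A large amount in whole thousands with no cents is unusual for a calculated
    reimbursement; the fake invoice on the page shows $1,250,000.00."""
    return amount >= threshold and amount % 1000 == 0


def red_flags(inv: Invoice) -> List[str]:
    """Return the red flags from the post that apply to this invoice."""
    flags = []
    if not inv.has_letterhead_logo:
        flags.append("no letterhead logo")
    if inv.issue_date.weekday() >= 5:  # Monday is 0, so 5 and 6 are the weekend
        flags.append(f"issued on a weekend ({inv.issue_date:%A %m/%d/%Y})")
    if is_large_round_amount(inv.amount_due):
        flags.append(f"large round amount (${inv.amount_due:,.2f})")
    if not inv.contact_name or not inv.contact_phone:
        flags.append("no contact person or phone number")
    typos = probable_typos(inv.description)
    if typos:
        flags.append("probable typos: " + ", ".join(typos))
    return flags


# Constructed records. GENUINE's date, description and contact are assumed; SUSPECT
# uses the amount, Saturday date and "Secton" typo the post describes.
GENUINE = Invoice("State agency (constructed)", date(2003, 11, 10), 8402.99, True,
                  "J. Doe (constructed)", "555-0100 (constructed)",
                  "Section 3 match rate calculation, $8,402.99 due")
SUSPECT = Invoice("State agency (constructed)", date(2003, 11, 15), 1_250_000.00, False,
                  None, None, "Secton 3 reimbursement due")

if __name__ == "__main__":
    for name, inv in (("Invoice #1", GENUINE), ("Invoice #2", SUSPECT)):
        print(name, red_flags(inv) or ["no red flags"])
```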

Other resources

The Association of Certified Fraud Examiners is another great resource. Their annual Report to the Nations highlights a lot of important statistics on fraud and their Fraud Examiners Manual is a treasure trove of information on fraud detection and strong internal controls. See also this past blog post on Benford’s Law for a great tool for your fraud fighting toolkit.

Ian Green, M.Econ, CGAP, CFE, CISA
Principal Auditor at the Oregon Secretary of State Audits Division


How becoming an amateur baker taught me to be a better auditor

This past spring I took on a new hobby: baking homemade bread. I have long been a home cook, but I had never baked a loaf of bread. One of the key differences between cooking and baking is the balance between art and science. Cooking is much more art than science. In cooking, there are underlying techniques and key steps that must take place, but a cook has tremendous flexibility in how they make a dish, just as an artist has tremendous flexibility in how they paint a picture (think Van Gogh vs. Picasso vs. Manet). As a cook, you can deviate quite significantly from a standard recipe and get a great result. In baking, the key to success is being precise and scientific. Deviation can bring failure.

Where a cook might take a pinch of salt, a baker measures out an exact ratio of salt to flour. This is known as a baker’s percentage (it really should be called a baker’s ratio IMO, but we will leave that for another blog post). Deviating from a recipe will have tremendous consequences in bread making that are not typically seen in cooking. Add a percent too much salt or too little yeast and your bread will not rise. A bit too much water and the bread will lose structure and be flat (and the dough will be super sticky). Too little water and it will be dense like a bagel. Bake it until it reaches 150 degrees and it will be gummy and undercooked inside despite looking golden brown and delicious on the outside. However, bake it past 160 degrees and it will have that beautiful crumb inside we all know. The reason behind this? Chemistry. Gluten gelatinizes around 160 degrees.

The crumb structure inside bread is due to fermentation and gelatinized gluten

I am not trying to say there is not an art to bread making, there certainly is, but in general, it is a more scientific pursuit than cooking. Auditing, likewise, is more science than art in my opinion.

So what does this have to do with being a better auditor? Well, actually, a lot when you start thinking about it. Results in both bread making and auditing come from good planning and implementation of your plan. If we invest the right time into planning and implementing our plan, we will get a good audit.

What else has it taught me? Patience. Bread making is a long ordeal (well, not as long as auditing, but do not expect to get something on the table in 10 minutes). Most artisan breads require a long fermentation. From start to finish, a nice flavorful loaf takes 3 to 4 days to make. Over time, the dough develops and builds flavor if the right ingredients are mixed together. Just like our findings are slowly developed over time using the right mix of condition, criteria, cause, and effect. In the end, we strive for ‘flavorful’ findings. One of the important stages of bread making is “proofing” or proving the bread is alive and rising. Proofing is the last step before baking. With proofing I see some similarities to our quality assurance processes. QA is the stage of an audit where the findings are proved out.

This ciabatta was well proved, with a nice rise and airy texture

Lastly, control is critical. Bread making is all about controlling ingredients, temperature, and time. With good controls in place, you can achieve the same results every time. Every professional baker knows this and that is how they churn out delicious bread every day. Bakers control ingredients by precisely weighing them. Good bread makers never measure by volume, as no two cups of flour are the same and can vary by weight by 25% or more. Auditors should do the same and measure using precise tools. Bakers also control for time and do not try to rush or delay. A baker aims to get the dough into the oven at the right moment. If it is put in the oven too early, flavor development through fermentation and rising has not occurred. If it is put in too late, after fermentation has ended, the bread will lose all the air that was made and will be flat and dense.

This ciabatta did not go into the oven at the right time and came out flat because it was overproved

We should strive to do the same thing and get our reports into the ‘oven’ at the right time by auditing what is relevant now and issuing our reports timely. Lastly, bakers control for temperature to produce a bread with the right characteristics (baguettes only get crispy and crunchy in a hot and steam-filled oven). We should consider the tone (e.g. temperature) that we use when ‘baking’ our reports. Sometimes we need a hotter oven and other times we can cool it down.

Peter Reinhart has been a valuable resource for me as I learn about bread making. You can listen to his TED talk or get any of his great books on baking if you are interested. He likes to give what he calls his baker’s blessing: “May your crust be crisp and your bread always rise”. In his honor, I am ending with an auditor’s blessing: May your findings be impactful and your recommendations always implemented.

First attempt at a Miche, a whole-wheat sourdough loaf


Ian Green, CGAP and OAD Principal Auditor


The Scales of Time

This post is in honor of May being National Historic Preservation Month

Two years ago, our former director Gary Blackmer wrote about Oregon’s long history of auditing. He outlined how Oregon’s territorial statutes of 1854 called for an auditor to report recommendations “for lessening the public expenses; for using public money to the best advantage; for promoting frugality and economy in public offices; and generally, for the better management and more perfect understanding of the fiscal affairs of the state”.

One of those recommendations was to provide sufficient resources to the state penitentiary. Territorial auditor B.F. Bonham noted in 1857 that “The amount appropriated by the Legislative Assembly ($2,500) annually for the support of the penitentiary department, is wholly inadequate for that purpose, and must be increased unless a reorganization can be effected”. In 2017 dollars, the amount allocated would be approximately $70,000 per year, which I think we can all agree would have been wholly inadequate to operate a state prison.

Oregon’s founding fathers designed our constitution with accountability and independence in mind based on our territorial experience. Drafted in 1857, Oregon’s constitution calls for the Secretary of State to be the “auditor of public accounts”.

In 1897, Secretary H.R. Kincaid reported on what could now be termed a performance audit and certainly the earliest known audit from our office. The Secretary was concerned the state was purchasing paper without verifying the quantity of paper received. Secretary Kincaid reported “Soon after taking charge of this office I bought a pair of scales for the purpose of weighing paper which is purchased by weight for the public printing. The first lot of paper received for the state printer after the scales were obtained fell short of the weight charged in the bill several hundred pounds, amounting to about nineteen dollars, which sum was deducted from the bill. Since then full weight has been required. This has no doubt saved to the state many times the cost of the scales. Previous to the time mentioned thousands of dollars worth of paper had been received and paid for every year on bills of shippers without being weighed here to verify the correctness of the weight charges in the bills”.

Recently, I was at the Oregon office of Publishing and Distribution. While there I saw a small historic exhibit with some old printing equipment and some very old scales.

And wouldn’t you know it, one of the scales had a serial number dated 1890.

From a report from the State Treasurer in 1897, the state made several disbursements to the Howe Scale Company (thank you Google for digitizing the book and making it text searchable, and thank you Treasurer Phil Metschan for the excellent transparency of Oregon’s expenditures). The largest disbursement to the Howe Scale Company was for $71.50, which matches the report by Secretary Kincaid, since the scales cost more than what was saved on the first weighing ($19.00).

Given all of the evidence, from the Secretary’s report on purchasing two scales, to the corresponding serial number date (these scales were made in Vermont and would have taken a long time to cross the country or sail to the west coast), to the Treasurer’s report showing a payment to Howe Scales that matches the Secretary’s report, it seems more likely than not that this scale is one of the pair H.R. Kincaid used more than 120 years ago to do some innovative performance audit work.

The scale shown above cost roughly $22.50 according to this 1900 catalog. The scale’s current value – priceless.

Ian Green, CGAP and OAD Principal Auditor


How To: Set Outlook to text calendar notifications

Life is busy. Luckily, there are some tools we can use to help keep track of everything. Take advantage of notification tools built into Outlook to help manage your calendar. My new personal favorite is text alerts sent right to my phone.

Step 1: Log into Outlook Web Portal (Many State of Oregon Employees use https://owa.portal.oregon.gov/owa/, although it may vary by agency)

Step 2: Open “Options” in the top right and click on “Show all Options”


Step 3: Click on the “Phone” tab and select “Text Messaging”


Step 4: Select “Set up Calendar Notifications”


Now you have a dialog box with several options to select. My preference is to get text messages whenever my calendar is changed within the next two days. I also like to receive a daily agenda each morning at 5:30.

With these tools you can help stay in front of your busy life.

Ian Green, CGAP and OAD Senior Auditor



How to: Be a quiet leader

Ian Green examines the difference between being a boss and being a leader, and how choosing to be a leader changes how we interact with those we work with and can lead to more employee engagement and improved workplace performance.

Today’s topic is leadership. More specifically, what you can do to become a better leader. I was inspired to write this post after reading Quiet Leadership: Six Steps to Transforming Performance at Work by David Rock.

What makes a good leader? In my opinion, they inspire you to achieve more. Bosses tell you what to do, but as David Rock explains, leaders help you learn how to think. They are someone you go to when you need an insight. Someone you want to follow. Not someone who micromanages your every move. Below is a great illustration of this concept.

[Image: leadership vs management]

Source: https://www.flickr.com/photos/84593672@N05/10141810486

To become a better leader, you need to make sure you are focused in the right areas. An age-old proverb tells us that if we give someone a fish, they will eat for a day. But if we teach someone to fish, they will eat for a lifetime. Leaders need to adopt this perspective.

Telling someone what to do is just like giving someone a fish. It may help them in the short term, but it does not advance their skills. It is also time-consuming for the leader. To be a great leader you must teach people how to think and come to their own conclusions. In other words, teach them how to fish.

David Rock illustrates this point in his book Quiet Leadership: “Quiet Leaders are masters at bringing out the best performance in others.  They improve their employees’ thinking—literally improving the way their brains process information—without telling anyone what to do.  Given how many people in today’s companies are being paid to think, improving thinking is one of the fastest ways to improve performance.”

The argument is rather simple: to improve performance we need to improve how people think and process information. Leaders ask probing questions more often than giving detailed instructions. They help guide people to conclusions rather than telling them.

David uses a number of academic studies to make his point that people who develop their own conclusions are more likely to retain that information (and high performance) than those who were told what the conclusions were. Leaders can help guide their staff to these conclusions by using a number of techniques. One of the primary techniques is listening.

Really listen during the next conversation you have with a colleague. Think about what they are asking you and why they are facing a roadblock. Ask yourself what struggles they are facing and how you can help guide them past the issue to a solution. Many times the individual needs to process the information verbally, and a few questions will help them resolve the issue they are facing. Ask questions rather than give direction. That will help them discover the answer themselves.

Another great point that David brings up is how to improve the performance of people who are struggling. When facing a colleague with performance problems, rather than focusing on the problem, try something new. Try to develop a new habit for the individual that will help them succeed. Studies have proven that it is easier to develop new habits than to change bad habits. By changing their focus away from what was done wrong to what they need to do right, you are more likely to see lasting changes and better performance.

I encourage you to go to your library or favorite book store to read more about Quiet Leadership. There are many great concepts and ideas you can adopt to become a better leader.

If you are a State of Oregon employee, you can access this book, free of charge, from safaribooks. Read more about this service and how to register on the Oregon State Library website: http://libguides.osl.state.or.us/safaribooks

Ian Green, CGAP and OAD Senior Auditor


*Author attempted to contact David Rock for approval to use materials from his book, but received no response. Author’s limited noncommercial use of copyrighted material from Quiet Leadership was done under the fair use exemption: http://www.copyright.gov/fair-use/more-info.html.

How To: Use Excel’s Named Cell Range Feature

Developing formulas can be tricky at times when you are dealing with Excel’s built-in cell references (e.g. tabname!$J$5:$J$356). You may know where in the spreadsheet this information is and what it describes, but you always need to spend time going back and forth between different tabs to pull the reference in, or copying it from another cell. That can take a lot of valuable time.

Wouldn’t it be great if you could just call data by its own name? Such as “PayrollHours” or “AR” for accounts receivable. Well you can. Formulas don’t need to look like this:

The first step is accessing Excel’s named range feature. As with everything, there are a couple of ways to do this. The easiest is to highlight the cell or range you want to name. Then look to the top left of the spreadsheet and you should see a little box with a cell reference in it. It is just to the left of your formula bar and looks like this:


Click in the box (shown as V8 above) and rename that to anything you want. For example, I renamed this reference “Apple”. Now in the formula bar you can type “Apple” anywhere you would normally put a cell reference and Excel will know exactly what data to pull in there.

Say you are a financial auditor and want to conduct a ratio analysis. You can go through the balance sheets and various financial documents and rename all the important cells to the terms you are used to. For example, call the cell that contains current assets “Assets” and current liabilities “Liabilities”. Now in Excel you can type in the current ratio by just entering “=assets/liabilities”.

The other way of naming references is to use the name manager on the Formula tab of the ribbon.


Click on new to create a new name. Enter the name and whether it applies to the whole workbook or just that single tab. You can also add a comment to document what it is you are defining.


At the bottom, you can adjust which individual cells or ranges you are referencing. Click the little box with the arrow to select them manually.

Now you have the tools available to change your formulas to look like this:

The formula is now much easier to understand. It is summing (adding) all payroll hours. The formula breaks out the totals by location, classification, and pay code. To learn more check out this website.

Ian Green, CGAP and OAD Senior Auditor

