Insider threats to an organization

Insider threats to an organization are a critical area for auditors to consider when reviewing fraud risks. Many instances in the past have shown that internal staff are frequently the perpetrators of fraud. Over time within an organization, trust in a single staff member can build to such a point that the controls which would have prevented the fraud no longer exist. Other times, certain fraud risks are not even considered and are only discovered after the fact, sometimes by luck.

I’ll be providing an overview of two fraud cases involving insider threats. These cases are both very large. One involves the lottery and another involves a small Midwestern town.

When random isn’t truly random

The first case involves one of the most successful lottery frauds ever committed. If you wanted to commit fraud in a lottery, what would be the best way to get the most money? Rig the scratch off tickets? Too many people involved in the creation and distribution of those tickets — plus, the prizes aren’t that large to begin with.

How about rigging the mega jackpot drawing? You could walk away with tens of thousands to millions of dollars. But how? The drawing is random… right? What if you are one of the few people with access to the computer code? What if you made it so the numbers were not, in fact, random? Imagine you had the power to know what the numbers would be on a given drawing. I think we’ve all dreamed about knowing the winning numbers. Apparently, as this case illustrates, all it takes is a little fraud.

Eddie Tipton worked for the Multi-State Lottery Association. Reports indicate he was a likeable guy who hosted holiday parties at his large home. Eddie knew coding and worked as the information security director at the association. Part of his duties involved having access to the code that generated the random numbers for the lottery game. Eddie made it so the code was no longer random.

However, he had a dilemma: if he changed every drawing, the pattern might be discovered and the case could lead back to him. Instead, he made it so most days the drawing was random — but the drawings on Memorial Day, Thanksgiving, and Christmas were a whole other matter. He also couldn’t make the drawing be the same set of numbers each time, because that would also get him caught. Instead, he narrowed down the possible combinations so, rather than having odds of one in eleven million, the odds were one in a few hundred. Eddie started buying tickets for himself or sharing numbers with friends and family so they could win. For years, the scheme worked. But in 2014, something changed.

A young prosecutor named Rob Sand was given a case from his retiring boss. Someone had tried to cash in a $16.5 million lottery ticket under suspicious circumstances. So suspicious, in fact, that the claim was withdrawn just to protect the identity of the ticket purchaser. After all leads failed, a video of the individual purchasing the ticket was released to the public. That is when fellow lottery colleagues recognized Eddie Tipton. Rob Sand kept digging and discovered a string of fraudulent lottery winnings dating back years. In a bizarre twist, the case involved a Bigfoot hunting hobbyist organization known as the Bigfoot Field Researchers. You can read a thrilling and detailed account of The Man Who Cracked The Lottery from the New York Times.

So what happened to Rob Sand? He won his case and decided to give up prosecuting. Now, his focus is protecting taxpayer dollars as Iowa’s State Auditor.

Even a small town can have a massive fraud

The city of Dixon, Illinois, used to be known as the childhood home of Ronald Reagan. That changed in 2012, when Rita Crundwell was indicted for embezzlement and the town became famous for one of the worst frauds ever committed. Her take from the city of 15,000 residents? $53 million. That is about $3,500 per capita. Rita used that money to fund a quarter-horse breeding program and a lavish, luxury lifestyle.

Rita was the Dixon Municipal Comptroller and had worked for the city since she was 17 years old. She was a trusted employee. City councilor Roy Bridgeman once remarked: “[Rita] is a big asset to the city as she looks after every tax dollar as if it were her own.” But as it turns out, she only looked after those tax dollars so she could take millions for her own use. Rita also was well-liked and respected in the city. No one was ever suspicious about her actions.

How did she do it? Well, in 1990, Rita opened a bank account under her sole control and associated it with city accounts. Rita was authorized to endorse city checks as treasurer and she would write the check payable to her secret bank account — the Reserve Sewer Capital Development Account. As owner of the RSCDA account, she would then sign the back of the check and cash it into that account, where it would then be used to pay off credit cards or get transferred to other accounts under Rita’s control.

The fraud was discovered in 2012 when Rita took an extended vacation and another employee took over her duties. A bank statement came in for the RSCDA during Rita’s time off. The new employee immediately recognized that it looked suspicious and didn’t match any other records. Before too long, the FBI began investigating the case. You can read more about the Rita Crundwell case through reporting from the Chicago Tribune. In the end, the bank that issued Rita the account and the auditor who had “audited” Dixon’s financial statements were found partially culpable and ordered to pay restitution to the city totaling close to $40 million. There is also a great documentary on the fraud: https://www.allthequeenshorsesfilm.com/. It is currently available on Netflix if you subscribe to that service.

Lessons to learn from these two cases

These two cases highlight the potential risk that insiders can pose to an organization. In both instances, some simple controls could have prevented the frauds. First, segregation of duties was lacking in both cases. For Eddie Tipton, there wasn’t sufficient monitoring of his access to critical computer code and the changes he was making to that code. Eddie was able to insert a few lines of code completely undetected. Understanding code changes, especially to critical IT applications, is crucial to an organization. All changes should be appropriately controlled and monitored to ensure that unauthorized changes, like those Eddie made, do not occur.

As for Rita, she controlled almost everything in the Dixon treasurer’s office. Rita was able to issue and approve payments, draft checks, record transactions, reconcile bank records, and control and monitor the city budget. Assume the city had required two signatories on all checks over $10,000. The fraud would never have occurred at the level it did, as the other signatory could easily have asked Rita what the check was for. Dixon now requires large checks to have two signatories to ensure this never happens again.

Another important lesson to take away is being diligent about your audit work, even if it seems mundane. Segregation of duties is important, so always keep an eye out for instances where a lack of segregation could lead to a control weakness. Furthermore, many invoices that Rita issued to support her fraudulent transactions contained errors and other red flags. Consider the two invoices below (images of invoices obtained from David Hancox’s blog). Notice any differences? Can you spot the fake?

Invoice #1

Invoice #2

If you compare and contrast the two invoices, several items should become apparent fairly quickly. The first invoice has formal letterhead with an agency logo; the second has no logo. The second invoice also has spelling errors that resulted from converting a PDF to a Word document (see “Section” vs. “Secton”). The first invoice is very specific and shows match rates and full calculations (e.g. $8,402.99 due), whereas the second invoice is not specific and shows a large, even dollar amount (e.g. $1,250,000.00 due). The second invoice was also issued on a Saturday (11/15/2003), which is odd for a state agency. Lastly, the first invoice lists a contact person and phone number, both of which are suspiciously absent from the fraudulent invoice.
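The red flags walked through above can be turned into a repeatable screening step. The following is an added example, not code from the original post or from the Audits Division; the two sample invoices, the genuine invoice’s date and the “known words” vocabulary are constructed for illustration (only the $8,402.99 and $1,250,000.00 amounts, the Saturday date and the “Secton” misspelling come from the post).

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Invoice:
    issued: date
    amount: float
    has_letterhead: bool
    contact_name: Optional[str]
    contact_phone: Optional[str]
    description: str

# Constructed vocabulary of words seen on the agency's genuine invoices; a real
# review would build this list from a sample of known-good documents.
KNOWN_WORDS = {"section", "match", "rate", "state", "share", "due", "services",
               "reimbursement", "capital", "development", "total", "for"}

def is_large_round_amount(amount: float, floor: float = 10_000.0) -> bool:
    """Flag big, suspiciously even totals: no cents and a multiple of $1,000."""
    cents = round(amount * 100) % 100
    return amount >= floor and cents == 0 and round(amount) % 1000 == 0

def misspelled_words(text: str) -> List[str]:
    """Alphabetic words not in the known vocabulary, e.g. 'Secton' for 'Section'."""
    words = [w.strip(".,:;()$").lower() for w in text.split()]
    return [w for w in words if w.isalpha() and w not in KNOWN_WORDS]

def invoice_red_flags(inv: Invoice) -> List[str]:
    """Return every red flag from the post's checklist that the invoice trips."""
    flags = []
    if inv.issued.weekday() >= 5:          # Monday=0 ... Saturday=5, Sunday=6
        flags.append("issued on a weekend")
    if is_large_round_amount(inv.amount):
        flags.append("large round-dollar amount")
    if not inv.has_letterhead:
        flags.append("no agency letterhead or logo")
    if not (inv.contact_name and inv.contact_phone):
        flags.append("no contact person or phone number")
    bad = misspelled_words(inv.description)
    if bad:
        flags.append("possible spelling errors: " + ", ".join(bad))
    return flags

# Constructed samples modelled on the two invoices discussed in the post.
GENUINE = Invoice(date(2003, 11, 14), 8402.99, True, "J. Doe", "555-0100",
                  "Section 8 match rate reimbursement, state share due")
FAKE = Invoice(date(2003, 11, 15), 1_250_000.00, False, None, None,
               "Secton 8 capital development services")
```

Running `invoice_red_flags(FAKE)` returns all five flags, while the genuine sample returns an empty list; in practice the flags are a prompt for follow-up, not a verdict.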

Other resources

The Association of Certified Fraud Examiners is another great resource. Their annual Report to the Nations highlights a lot of important statistics on fraud and their Fraud Examiners Manual is a treasure trove of information on fraud detection and strong internal controls. See also this past blog post on Benford’s Law for a great tool for your fraud fighting toolkit.

Ian Green, M.Econ, CGAP, CFE, CISA
Principal Auditor at the Oregon Secretary of State Audits Division


Oregon State Lottery: Unclear Laws May Let Prohibited Casinos Operate in Oregon

Executive Summary
The Oregon Constitution prohibits casinos, but enforcement is difficult because “casino” has not been clearly defined. The Oregon State Lottery’s current rules and practices may not be detecting retailers that receive most of their income from video gambling machines. We recommend Lottery seek legislation to define “casino” and take several steps to improve compliance.


The Oregon State Lottery offers a variety of gambling options including Powerball, Mega Millions, and Oregon games: Megabucks, Raffle, Keno, Lucky Lines, Win for Life, Pick 4, Scratch Its, and video gambling machines.

Machines are the largest annual revenue source with average net receipts of $727 million over the last five state fiscal years. Net receipts as used in this report are dollars deposited in machines minus dollars won. During fiscal year 2014, machines generated net receipts of $743 million, of which $178 million was paid in commissions to retailers and the remaining $565 million was used for state purposes. As of December 2014, there were about 2,300 retailers operating nearly 12,000 machines.

The Oregon Constitution prohibits the operation of casinos in the State of Oregon, but does not provide a definition for a casino. In 1994, the Oregon Supreme Court concluded that “voters intended to prohibit the operation of establishments whose dominant use or dominant purpose, or both, is for gambling.” Neither the court nor the legislature has defined the terms “casino,” “dominant use,” or “dominant purpose.”

Lottery has established administrative rules to enforce casino prohibition. Under its current rule, retailers are not casinos if their non-lottery sales are at least 50% of their total income. For retailers whose non-lottery income may be less than 50%, the rule allows the Lottery to consider additional factors such as a visual inspection to determine if a retailer is operating as a casino.

In practice, Lottery is satisfied if a retailer’s facility does not look like a casino, so they perform no review of retailer income.

Lottery has identified Limited Menu Retailers as posing a higher risk of operating as a casino because they tend to have limited sales of non-lottery products and thus rely more on Lottery income for their business. In 2014, 234 Limited Menu Retailers operated 1,305 (11%) of the nearly 12,000 machines in use and generated about 21%, or $158 million, of machine net receipts.

We focused our procedures on the higher risk Limited Menu Retailers and found that Lottery’s enforcement practices may not adequately address the Oregon Constitution’s casino prohibition. We followed the procedures prescribed by Lottery’s current enforcement program and found the program does not detect all retailers whose dominant income is gambling.
While most of the Limited Menu Retailers we reviewed did not have the appearance of a casino, over half of these retailers derived more than 50% of their income from machine commissions. Many of these Limited Menu Retailers had difficulty generating non-lottery sales sufficient to comply with the income threshold.

Recommendations

To help Lottery strengthen existing controls and to facilitate compliance with the casino prohibition, we recommend Lottery management work with the legislature and other stakeholders to develop a clear and enforceable definition of a casino that aligns with the 1994 Supreme Court ruling on dominant use/dominant purpose. Lottery should verify gross sales reports when using them to perform an income analysis. For retailers challenged with meeting the 50% non-lottery income threshold, Lottery should evaluate whether removing a machine would enable the retailer to comply with the dominant use/dominant purpose court ruling.

Agency Response

The agency response is attached at the end of the report.

Read the full report