John's regular blogposts focus on fraud and security issues and highlight emerging risks for bizlearn members.
For more fascinating reading you can visit John's fund of good and sometimes chilling stories at Dierckx & Associates. Besides that John blogs from The Desk of the Renaissance Man.
Billing Fraud: do you know where your money goes?
Written by John Dierckx
Friday, 23 October 2009 00:57
Earlier this year two fraudsters were convicted for defrauding the Otago District Health Board. The case has been covered at length in the media. The fraudsters were found guilty of fraud, which they both denied, in December last year. During the trial, the Crown said they had used 198 invoices from a company formed by one of the two fraudsters, to charge the board $16.9 million for IT-related services that were never provided. The two fraudsters had been billing the Otago Health Board for maintenance and program upgrades and had cashed in around 16.9 million, 10% of which was kept while the other 90% was paid to related companies. One could ask oneself: how could it be that these things happen right under the noses of everyone? The case raises some serious questions about the governance structures in place and probably more about how they are actually working in day-to-day business.
WAS THERE AN INTERNAL AUDIT FUNCTION? External audits generally do not detect fraud (so don't blame the auditor straight away). A large organisation like the ODHB should have an internal audit function.
WAS THERE AN INDEPENDENT IT-SECURITY AUDIT? This would have identified vulnerabilities due to outdated/not updated software. The fake invoices were for software updates that never eventuated.
WAS THE CONTRACT FOR SERVICES TENDERED COMPETITIVELY? AND IF NOT WHY NOT? A $17 million contract running over several years should be decided at Board of Directors level or at least CEO level. Where larger contracts like that are to be arranged it should at all times be a competitive tender.
IS THIS A CASE OF WRONGLY DELEGATED AUTHORITY (in this case to the CIO)? From the media it appears that use was made of delegated authority with no checks or balances in place! It seems the CIO had the delegated authority to decide all by himself. A competitive tender including proper due diligence would most likely have exposed that the company was a sham, or even prevented this fraud from happening in the first place (unless the fraudsters had used an accomplice company to pull off the same trick).
HAS ANYONE EVER WONDERED WHETHER THE COMPANY WAS REPUTABLE AND/OR WELL KNOWN? With such expenditure levels one would expect that the company had some presence in the region (Dunedin), you could perhaps have dealt with it before, or know of others that used the same company. WAS THE COMPANY LISTED IN THE YELLOW PAGES AND OTHER BUSINESS LISTINGS? WAS IT A MEMBER OF INDUSTRY ASSOCIATIONS? DOES THE COMPANY HAVE A WEBSITE, A PHYSICAL ADDRESS THAT CAN BE VISITED?
WHY WERE THE CEO OR CFO NEVER SUSPICIOUS? WHY WERE NO QUESTIONS ASKED? They had never met staff from this supplier even though they handed over $17 million to it. It would have made sense that with such large contracts there would have been at least some sort of relationship on a broader executive level.
WERE THE INVOICES AND AUTHORIZATIONS FOR PAYMENT EVER QUESTIONED? As a signatory you should ensure you know what you are signing for. It does not need to be in an unfriendly way, but make sure you know what approved activities you are signing for to be paid.
WERE IT SUPPORT SERVICES EVER QUESTIONED? Even if the services this firm was providing were real, it seems to me that this was a massive amount, I mean $17 million. What value for money would that bring?
WERE INCREASES IN IT BUDGET EVER QUESTIONED? WAS TENDERING OUT EVER CONSIDERED AS AN OPTION TO REDUCE THESE MASSIVE COSTS?
WAS A SUPPLIER/MAJOR CONTRACTS REVIEW POLICY IN PLACE? Whilst the Board may not have to do the nitty gritty of such a review, it is responsible for ensuring that such a policy is adopted and implemented. WERE THE CEO AND/OR CFO EVER ADVISED THAT SUCH A POLICY AND EXECUTION THEREOF WAS HIGHLY RECOMMENDED?
WHAT WAS THE NATURE OF THE FINANCIAL DELEGATION POLICY, IF ANY? There should be a clear guideline for which expenses can be made autonomously and which require approval of the board. IF THERE WAS SUCH A POLICY, DID REVIEW EVER TAKE PLACE?
While I am not privy to the details of the case, the fact that such a big service provider is being run by an employee should typically be something to raise alarm bells. From the Companies Office details it transpires that the fraudsters were the director; a two-minute check would have shown that there was a significant shareholding. I would imagine that at least some due diligence should have been part of the tendering process. But it appears that there never was a tendering process. I can't help but feel that this is typically a case of a sleeping board and executive management and a pair of crooks making good use of that.
At the same time, billing schemes are known to be a favorite of corporate fraudsters. The gist of such schemes involves a perpetrator who causes the victim organization to order and pay for something that is either never delivered, is not needed, or is obtained at a highly inflated price. A simple setup can be used. The fraudster sets up a shell company and uses that company to invoice the employer. Sometimes, or preferably, the same fraudster may also be able to authorize payment of the bills sent through the shell company. In the case above it was identified that the services billed out were never rendered. In other instances the shell company may be offering completely legitimate services but for a ridiculous price. Very often the person running the scheme is also the one who authorizes the payment of the invoices of the shell company.
Obviously, proper control mechanisms should prevent anyone from approving his or her own invoices. Part of staying under the radar is making sure that this is kept quiet. Reality shows on a regular basis that proper controls are not in place. Similar schemes are known to be used to invoice the employer company for personal expenses. In several of the cases I was involved in over the past years, a manager authorizing payments had been submitting completely bogus invoices from non-existent entities that supposedly had provided all kinds of consulting services. Strangely enough, the bank account number of the consultant company was the same as his own.
I recall one case a few years ago where the fraudulent billing involved non-existent taxes: the fraudster, also the tax expert of the company, had invented a local tax that did not exist and had used invoices of the local council, a pair of scissors and the company’s professional printing facilities to create a ream of blank tax invoices supposedly issued by the local council. This man was discovered after a thorough investigation in which I identified that the bank account numbers on the council’s invoices for taxes were different, together with tips about the fraudster's lifestyle.
Not all fraudsters are in a position to authorize their own invoices for payment. Methods known to have been used are false purchase orders, using fictitious invoice numbers, altering existing purchase orders or misrepresenting the nature of the purchase, and the list goes on. Are you completely sure what all your bills are for and whether they are fair and reasonable? Perhaps it is time to review or audit your accounts payable.
Better yet: let an independent third party like DIERCKX & ASSOCIATES do it for you. We'll identify gaps in your controls, we can assist in identifying suspect transactions or even frauds:
Are policies in place adequate? Are they being adhered to? ("reality check")
Are there control overrides and are they being recorded?
Are there reasons to question certain transactions or suppliers?
Actual versus supposed receipt of goods and services?
Now it may not sound nice, but there is some truth in it: "you hired the fraudster yourself." Things may have changed somewhat in recent times but not so long ago when I looked over some of the files I had been working on in recent years I found the following:
None of the clients that experienced a problem with either a staff member or management team member had bothered to check the backgrounds of the staff members involved before they were employed.
All of the cases could be brought back to:
Inadequate security;
Poor internal controls and separation of duties;
Overrides of the existing controls;
Most of the companies did not (try to) recover the losses and where losses were recovered they were usually only partial;
None of the companies involved tried to recover the investigative costs as part of the losses incurred by the misconduct;
Only a very limited part of the companies involved reported the incident to the police;
In this post I will stick to the first bullet point, the process of what I refer to as "safe hiring."
When recruiters/head hunters, managers or HR professionals need to fill a position, they should look for more than just a proper skill set, experience or a good fit for team or company. They should also consider whether or not there are or may be reasons for NOT employing a specific applicant. It is estimated that around 10% (US) of applicants have criminal convictions. A considerable amount of resumes contain serious falsehoods or omissions. Diplomas and certificates can be bought at a reasonable price by those that want to beef up their academic achievements. It is therefore important to avoid costly mistakes and that appropriate measures are taken to reduce the risk associated with recruitment/hiring new employees.
It is a well-known idea that even the best fraud controls will not do their job if you hire dishonest employees. While it may not always be possible to predict the future and while it is believed that everyone deserves a fair chance, I am of the opinion that you can only make a good decision in these matters if you are well informed. I speak from experience when I say that I have often ended up being involved in cases where the signs were all over the wall, if someone had only taken the trouble of a proper evaluation of the information provided by candidates. I further promote a systematic or, if you wish, programmatic approach to recruitment and hiring, but at the same time understand that this may not always be the best or most cost-effective approach in a small business environment. So instead I will offer some tips that may assist you. After all, your employees are your most valuable asset.
Ok, enough now, here they are.
Some Safe Hiring Tips
First determine what the actual needs of the organization are and whether or not these needs may be addressed internally. Consider recruiting internally first.
If at all possible use pre-formatted application forms and include any documents or authorisation forms that you may require. This ensures that you stay in control of the information you require from each applicant and forces you to sit down and document your requirements.
Have each job applicant sign a consent form for a background check, including a check for criminal records, past employment, financial information and education. Announcing upfront that your firm checks applicants’ backgrounds may discourage applicants with something to hide, and encourage applicants to be truthful and honest about mistakes they have made in the past.
In addition to an actual check, ask whether or not an applicant has been convicted of criminal offenses in the broadest possible terms allowed by law. Laws may differ considerably, so ask your lawyer or HR professional where the boundaries are. The Clean Slate Act in New Zealand means that some older, relatively minor convictions may stay undisclosed. Furthermore, driving convictions may not necessarily be relevant to the proper execution of the role you are trying to fill.
Towards the end of an interview, advise applicants that the business performs a criminal background and reference check as a standard business practice.
Ask the applicant if he or she has any concerns to share. Good applicants will usually pay no heed to the question. Applicants with a problematic background may either reveal relevant background information or withdraw their application.
You could ask applicants during an interview what they think a former employer might say about them. For example, “If we were to contact past employers, how would they describe your performance, work style?” Since the applicant has signed an authorisation and has been advised that such checks may occur, the applicant may be more motivated to reveal information about past jobs.
Make sure that the applicants are advised in clear terms that any false or misleading statements or material omissions are grounds to terminate the hiring process or employment, regardless of when discovered.
Should employment commence before the completion of a background check: make sure that any agreement states in writing that continued employment is conditional upon a background report that is satisfactory to the employer.
Verifying past employment is often a neglected but very important tool for an employer. Generally speaking, past job performance is no guarantee but can be a predictor of future success. Furthermore it offers you an opportunity to test whether or not there may be issues as to how the applicant may fit in.
Verification of dates of employment and job title is critical for an employer: there may be hidden and unexplained gaps in the employment history that should be discussed or may raise concern. There may be many reasons for a gap in employment, good or bad.
When you are provided with contact details of referees from past employers or otherwise, always use the general number of the organization as opposed to any private number or DDI provided. Ill-willed applicants may have made arrangements with friends or family. There are even agencies that offer services to be a (false) reference.
Gaps in employment histories should at all times be discussed. There may be a thousand very valid reasons for these gaps, however if an applicant cannot account for them that could be a red flag. Where in doubt, consider ways to corroborate the explanations provided by the applicant.
Ask for previous addresses, and likewise, if an applicant cannot account for them that may be another red flag. In some jurisdictions (for instance US) previous addresses are paramount to efficiently and effectively perform adequate criminal background checks due to the way the system is set up.
Obtain a listing of all past addresses or at least the suburbs for five to ten years.
Advise applicants that besides pre-employment screenings, employment screenings may be performed for specific reasons for instance if a future investigation is required. Ensure that this is part of your house rules.
Since you already obtained the authorisation, do actually check for criminal records of serious candidates. There are service providers that can assist in this, as well as obtain financial and other background information.
Finally, documenting an attempt to obtain references can demonstrate due diligence and may be seen as an expression of how seriously you take your company and its employees, the applicant included. They are after all your most important asset.
While these short tips may address some of the most pressing issues regularly overlooked, Dierckx & Associates Ltd recommends having a program or system in place. It does not need to be expensive and it does not necessarily mean going overboard. Your employees are one of the most important assets of your organisation: treat them like that. Expressing this appreciation starts with due care in hiring decisions.
Last Updated on Thursday, 15 October 2009 22:32
Fraud Awareness Week: Are We Ready for More Fraud?
Written by John Dierckx
Wednesday, 04 March 2009 11:54
More than once I have wondered how it can be that the chances of conviction and imprisonment are higher when you are caught stealing a car than when you defraud investors or creditors of $15 million. It is not that hard to guess, I think: in the first instance there is a clear-cut criminal offense and, if indeed caught for it, a good chance of a guilty plea or at least a confession. Therefore such a case is a relatively easy addition to the stats. With frauds and scams it is not always that easy, and as a result the cases are often more complex and difficult to investigate and prosecute, even more so in those large-scale frauds that are at the moment discovered on a very regular basis.
In a recent Law in Action on the BBC: Fear of Fraud episode the expected rising figures of fraud are discussed against the background of how fraud is being dealt with in the UK. The question was whether they (the UK) are putting enough resources into tackling fraud. Ex-Public Prosecutions Director Sir Ken MacDonald sketches a grim picture. His claims are supported by Monty Raphael, head of fraud and regulatory law at Peters and Peters.
I would have to agree with Monty Raphael that in order to actually tackle the issue of fraud, more investigators are needed. There is a requirement to gain a critical mass which is currently not available in most jurisdictions. Looking at current media reports, I could envisage this to be not just a matter of justice, but also a way to restore confidence in the system. The public is receiving very mixed messages and not just in the UK.
I can speak from experience when I say that the investigation and prosecution of fraud, and especially the larger and institutional frauds, are highly complex and with that costly. In addition to that, there is not always a fair chance of success when it comes to prosecuting fraud due to complex regulations and evidential burdens. As a result, more often than not governments seem on the lookout for alternative ways to sanction otherwise criminal behavior. In many European jurisdictions as well as on an EU level I have seen the introduction of so-called “Administrative sanctions” even in cases of blatant fraud. Other alternatives could be plea bargains, expulsion or debarment and/or disqualifications to serve as for instance a director or senior manager. At the same time however we see our prisons filled with “criminals” that have been convicted for crimes that had far less severe consequences than what those big fraudsters may have been pulling off.
You could wonder of course what the message is that you are actually sending out to the public. On a regular basis we see how true white collar crimes are being dealt with on an almost consensual basis as opposed to an adversarial basis. Systems and structures actually support such an approach and as a result: the “blue collar” scam artist that changed his baseball bat or even shotgun for a laptop and a telephone gets a conviction and prison sentence on the basis of a relatively small fraud, while the mega fraudsters walk away with fines and plea bargains and, very importantly, NO STIGMA. Most of all, where the small time scam artist gets a conviction and a criminal stigma that may last for years, high profile fraudsters end up not getting these stigmas and disqualifications. Does that not convey a message to the public that we are relatively lenient when it comes to dealing with serious financial crimes?
When the Police Commissioner is making his/her annual speech each year so as to commend and applaud the efforts and results of the Police, I doubt that any victim of a fraud will be equally enthusiastic after having seen their file classified as something like “more of a civil case” or “no resources available” or citing the “public interest” as a reason to not investigate and prosecute. Similar results can easily be expected from any of the other under-resourced and under-funded enforcement agencies. All up, six agencies in New Zealand are responsible for enforcing the laws against white collar crime: the Serious Fraud Office, the IRD, the Police, the National Enforcement Unit of the Ministry of Economic Development, the Official Assignee’s office, and the Securities Commission. Ultimately only a fraction of the fraud complaints pouring into their offices every week is investigated, let alone make it to a prosecution.
There is a perception that only soft targets make it to prosecution. More than once I have been involved in cases whereby an initial “no thank you” could only be turned around when a ready to go ABC prosecution file was made available: and even then there are no guarantees. I used to get upset to find out that another case was not being picked up, until I realized that some of the national enforcement agencies in New Zealand have less investigative capacity available than the local fraud squad I used to work for in the Netherlands. So can you blame these people and their agencies for setting high thresholds and priorities?
I would say well yes and no.
Yes, because I cannot help but note that especially the small time losers/victims are the ones that seem to be served the worst, even though they are the largest in number and most often the impact is equally severe on a relative scale. And even if cases are pursued through the criminal courts, most legal systems are aimed at confiscation of criminal proceeds rather than reparation of the damages for the victims. So where does that leave the guy that invested his nest egg into a scam, or the elderly being ripped off by unscrupulous scam artists, or the next victim of a pyramid scheme disguised as MLM? I cannot help but think how especially those that need the help the most, the most vulnerable, are time and time again hung out to dry because of the way the system operates.
No, because the harsh and simple reality is that these agencies that are supposed to tackle frauds and scams are faced with tight budgets, limited resources and a caseload that is well above their resource capacities.
About a year ago the Sunday Star Times reported how defrauded commercial entities are prepared to pay big money for investigative leg work to put together a ready to prosecute file. I can vouch for the accuracy of that and also that even when a ready to go file is being presented to the Police or other enforcement agency, there is in no way a guarantee that the file will be picked up and taken through the courts.
I guess one of my first files in New Zealand, R v Samantha Stevens is a good example of that and likewise R v Michael Devine. Both victims in these cases had to spend considerable resources to get their case ready to be prosecuted and THAT AS A REQUIREMENT FROM THE AUTHORITIES. Not every victim has those resources available to have the inquiries and case file building and where required additional (legal) advice organized by a private party.
I would have to say that more than once dealing with the perpetrator directly may open up to alternative resolution if only in terms of recovery. At the same time however, many fraudsters do not commit fraud as a means of building up savings, they spend the money and more than once there is simply nothing or virtually nothing to recover. And where your damages are relatively small, you could wonder whether the costs outweigh the benefits.
It is these same small time victims that are faced with another barrier in terms of access to justice: they are not poor enough to get legal aid and not wealthy enough to simply fund a criminal or civil case to see justice done or in order to seek recovery of damages: that is, if there is something left to recover.
This brings me back to the reason why the FDEC was established: to serve as well as possible those small time losers, the mum-and-pop investors, the home based business scam victims, the investment scam victims, the elderly, SMEs and all these other parties that have suffered relatively minor damages per party but when aggregated represent considerable damages. Pooling your complaints helps in getting priority and could open up for pooling of costs in class type actions.
Besides that, exposure is at all times to be considered as a way to at least prevent others from falling into the same trap, so also consider options such as "the complaints board" or the "rip off report".
I will be opening our “Report a Scam or Fraud” form soon and I suggest you keep coming back here to read the latest news on that. For the time being, contact me by e-mail if you have a complaint and I will get back to you as soon as I can. To ensure priority handling, make sure you put “Complaint” in the subject line.
Last Updated on Monday, 09 March 2009 08:13
A Pro-active Approach to Occupational Fraud and Abuse
Written by John Dierckx
Saturday, 21 February 2009 23:22
Time and time again reports show that when it comes to fraud, the greatest threat is not from outsiders but from insiders. Organizations can be proactive in detecting and preventing employee theft and fraud. Below are some recommendations that could form part of a fraud prevention program.
IT IS AT ALL TIMES RECOMMENDED THAT YOU ALSO CONTACT A PROFESSIONAL: FRAUD PREVENTION AND DETECTION IS NOT AN END IN ITSELF AND SHOULD BE EMBEDDED IN THE OVERALL STRATEGY AND BUSINESS OPERATIONS.
And to get a feel for your fraud risk: take the Fraud Risk Assessment FOR FREE. I am advised that doing the assessment in itself, regardless of whether you opt in for a preliminary advice or not, is an eye-opening experience.
LEAD BY EXAMPLE
Senior management and business owners set the example for the organization's employees. An inconsistent attitude toward rules and regulations by management will more than once be reflected in the attitude of employees. Every employee, regardless of their position, should be held accountable for their actions, so yes, that includes top management.
And in all honesty, more than once we have found our initial client contact to be the involved party. It is often management that has the greatest access to fraudulent opportunities and it is more than once that same management that can get away with control overrides.
CREATE A POSITIVE WORK ENVIRONMENT
Create a positive work environment that encourages employees to follow established policies and procedures and act in the best interests of the organization.
Fair employment practices, written position descriptions, clear organizational structures, comprehensive policies and procedures, open lines of communication between management and employees, and positive employee recognition will all work to reduce the likelihood of internal fraud and theft.
I see the importance in my daily practice. Once fraud and/or theft is established and a perpetrator has been identified, more than once the issue of feeling not recognized is at least part of the motive for stepping across the line.
INTERNAL CONTROLS
Internal controls are designed to ensure the effectiveness and efficiencies of operations, compliance with laws and regulations, safeguarding of assets, and accurate financial reporting (See for instance the COSO model).
The internal controls for safeguarding assets and financial reporting require policies and procedures that address, amongst others:
Separation of Duties
No employee should be responsible for both recording and processing a transaction. I am aware that in New Zealand, with a substantial percentage of very small businesses, this is sometimes hard. However there are always options, and more than once overriding this basic procedure for the sake of practicability has been disastrous.
Access Controls
Access to physical and financial assets and information and accounting systems should be restricted to authorized employees and its use should be monitored on a regular basis. Start off with simple checks: just ask your employees out of the blue, "I need the password of so and so who's not here today, can anyone help me?" You'll be surprised. Or check for the yellow post-its on the bottom of the screen or the back of the computer.
And where it comes to physical access: more than once, actually today, I could have nicked all the confidential assets of my client. The person I was supposed to meet was tucked away in the back of the building, the rest of the crew was at a seminar, and I walked around and saw computers standing open, no one to receive me at the door and access to all offices. Not good.
Authorization Controls
Policies and procedures addressing the controls to initiate, authorize, record, and review financial transactions.
Internal controls will reduce the opportunity for fraud as a deterrent factor and will enhance the efficiency and effectiveness of your operations.
EMPLOYEE SELECTION
If you hire dishonest employees you run a risk. Honest employees are an asset to any organisation, even one with poor internal controls. However, a dishonest employee will ignore management’s attempts to provide a positive work environment and search for ways to defeat even the most comprehensive internal controls to commit fraud.
It is good to realize upfront that no internal control system is 100% fail safe.
Therefore it is very important to keep dishonest applicants from becoming an employee. A thorough pre-employment background check should include:
Criminal history for crimes involving violence, theft, fraud, etc
Civil history for lawsuits involving collections, restraining orders, fraud, etc
A financial background check (Baynet)
Driver license for numerous or serious violations especially where driving is part of the job
Education verification to verify degrees from accredited institutions. By now I receive approximately 20 emails a day offering me different buyable degrees and certifications. You can no longer afford to be just impressed with what you see. A check is a requirement.
Employment verification to verify positions, length of employment, reason for leaving
EMPLOYEE EDUCATION
Employees should receive information on the policies and procedures related to fraud, the internal controls in place to prevent fraud, the organization's code of conduct and ethics policies, and how violations of these policies will be disciplined.
Every employee should sign a form to verify the receipt of this material. On a periodical basis it is recommended that employees receive training on these subject matters.
And before I forget: referring new employees to the company's intranet for further advice without providing them a full package is not a good option to keep them updated. They are an important asset, make education something personal.
REPORTING SYSTEM
If anything, more than once I encounter witnesses saying that they "had this feeling all along that something was not ok. But I didn't know where to go to express my concerns and I didn't want that colleague to become a suspect for nothing."
Every organization should provide a confidential reporting system for employees, vendors, and customers to anonymously report any violations of policies and procedures and even concerns.
Employers should promote and encourage the use of the reporting system. Not just from a reactive point of view but also pro-actively. More than once vices are involved or signs are visible at an early stage; bosses don't see them, colleagues do: make sure they can communicate those concerns.
AUDITS/ASSESSMENTS
Random, unannounced financial audits and fraud assessments are important to identify new vulnerabilities and measure the effectiveness of the controls in place.
In addition to gathering important business intelligence through audits and assessments, it will deliver a strong message to employees that a pro-active stance in respect of fraud is a priority.
INCIDENT INVESTIGATION
A thorough and prompt investigation of policy and procedure violations, allegations of fraud, or the warning signs of fraud will provide management with the facts necessary to make informed decisions and reduce losses. And again it sends a strong message to the internal organization that these things are taken seriously.
APPROPRIATE PUNISHMENT
Employees who are identified as committing fraud and theft should receive appropriate punishment for their misdeeds. A failure to do so leaves an impression that the only risk for this conduct is termination. At all times it is recommended that recovery of damages including the costs of investigation, litigation or prosecution is sought.