Audit, Fraud, and Misuse – Oh My! Stephanie Bussenger, DOA Jennifer Vaughn, DOA


Page 1: Audit, Fraud, and Misuse – Oh My!

Audit, Fraud, and Misuse – Oh My!

Stephanie Bussenger, DOA

Jennifer Vaughn, DOA

Page 2: Audit, Fraud, and Misuse – Oh My!

Disclaimer

“Bank of America” and “BofA Securities” are the marketing names used by the Global Banking and Global Markets divisions of Bank of America Corporation. Lending, other commercial banking activities, and trading in certain financial instruments are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., Member FDIC. Trading in securities and financial instruments, and strategic advisory, and other investment banking activities, are performed globally by investment banking affiliates of Bank of America Corporation (“Investment Banking Affiliates”), including, in the United States, BofA Securities, Inc. and Merrill Lynch Professional Clearing Corp., both of which are registered broker-dealers and Members of SIPC, and, in other jurisdictions, by locally registered entities. BofA Securities, Inc. and Merrill Lynch Professional Clearing Corp. are registered as futures commission merchants with the CFTC and are members of the NFA.

Investment products offered by Investment Banking Affiliates:

Are Not FDIC Insured * May Lose Value * Are Not Bank Guaranteed.

This document is intended for information purposes only and does not constitute a binding commitment to enter into any type of transaction or business relationship as a consequence of any information contained herein.

These materials have been prepared by one or more subsidiaries of Bank of America Corporation solely for the client or potential client to whom such materials are directly addressed and delivered (the “Company”) in connection with an actual or potential business relationship and may not be used or relied upon for any purpose other than as specifically contemplated by a written agreement with us. We assume no obligation to update or otherwise revise these materials, which speak as of the date of this presentation (or another date, if so noted) and are subject to change without notice. Under no circumstances may a copy of this presentation be shown, copied, transmitted or otherwise given to any person other than your authorized representatives. Products and services that may be referenced in the accompanying materials may be provided through one or more affiliates of Bank of America, N.A.

We are required to obtain, verify and record certain information that identifies our clients, which information includes the name and address of the client and other information that will allow us to identify the client in accordance with the USA Patriot Act (Title III of Pub. L. 107-56, as amended (signed into law October 26, 2001)) and such other laws, rules and regulations.

We do not provide legal, compliance, tax or accounting advice.

For more information, including terms and conditions that apply to the service(s), please contact your Bank of America representative.

Investment Banking Affiliates are not banks. The securities and financial instruments sold, offered or recommended by Investment Banking Affiliates, including without limitation money market mutual funds, are not bank deposits, are not guaranteed by, and are not otherwise obligations of, any bank, thrift or other subsidiary of Bank of America Corporation (unless explicitly stated otherwise), and are not insured by the Federal Deposit Insurance Corporation (“FDIC”) or any other governmental agency (unless explicitly stated otherwise).

This document does not constitute investment advice or a recommendation or an offer or solicitation, and is not the basis for any contract to purchase or sell any security or other instrument, or for Investment Banking Affiliates or banking affiliates to enter into or arrange any type of transaction as a consequence of any information contained herein.

With respect to investments in money market mutual funds, you should carefully consider a fund’s investment objectives, risks, charges, and expenses before investing. Although money market mutual funds seek to preserve the value of your investment at $1.00 per share, it is possible to lose money by investing in money market mutual funds. The value of investments and the income derived from them may go down as well as up and you may not get back your original investment. The level of yield may be subject to fluctuation and is not guaranteed. Changes in rates of exchange between currencies may cause the value of investments to decrease or increase.

We have adopted policies and guidelines designed to preserve the independence of our research analysts. These policies prohibit employees from offering research coverage, a favorable research rating or a specific price target or offering to change a research rating or price target as consideration for or an inducement to obtain business or other compensation.

© 2020 Bank of America Corporation. All rights reserved.

Page 3: Audit, Fraud, and Misuse – Oh My!

AGENDA

• DOA Audit Process

• PA Responsibilities

• Audit Types & Resources

• Define: What is Misuse and Fraud? What’s the difference?

• Identifying signs of Misuse

• Types and Trends of Fraud

• How to Prevent Fraud

• Questions

Page 4: Audit, Fraud, and Misuse – Oh My!

DOA Audit Process

• DOA runs various audit reports for Purchase Cards and IL Travel Cards on a weekly, monthly, and as needed basis

• Reports are reviewed and transactions that are questionable and/or disallowed are noted

• Audit emails are sent to the Agency PA’s with audit type, transaction details, and response deadline

• PA contacts Cardholder and/or Cardholder’s Supervisor for justification and clarification of the transaction

• PA responds to audit by deadline provided and attaches all pertinent backup documentation

• DOA reviews response and will request more information/justification if needed. The audit will then be noted as a Violation or Non Violation.

Page 5: Audit, Fraud, and Misuse – Oh My!

PA Responsibilities

• Ensuring agency and cardholder compliance with all CAPP policies and procedures including CAPP 20355 – Purchase Card and CAPP 20360 – Travel Card

• Monitoring on a regular basis, at least monthly, the transactional data to ensure compliance to policy.

• Promptly notify DOA of any “Internal Investigations” in relation to suspected or confirmed cardholder misuse.

Page 6: Audit, Fraud, and Misuse – Oh My!

Purchase Card Audit Types

Approved Exceptions - Is there an approved Exception on file for these restrictions?

Accommodations, Car Rental, Restaurant, EZ Pass

Unusual and/or Prohibited Purchases - Are these personal purchases or disallowed?

Amazon, Best Buy, Insurance, iTunes, Weekend Spend

Page 7: Audit, Fraud, and Misuse – Oh My!

Audit Types – Approved Exceptions

MCC Restriction Tables

https://www.doa.virginia.gov/reference/chargeCardAdmin/Charge_Card/COV_PCard_Restriction_Table.pdf

Page 8: Audit, Fraud, and Misuse – Oh My!

Audit Types – Unusual or Prohibited Purchases

Employee personal expenses and Agency sponsored event expenses which do not clearly support the agency mission, such as non-uniform clothing, traffic fines, personal items that are lost or stolen, holiday decorations, charitable contributions, gifts and flowers, etc.

CAPP 20335 – STATE TRAVEL REGULATIONS / Disallowed Expenses

Disallowed expenses include items such as alcoholic beverages, personal vehicle damage, travel insurance, etc.

See CAPP Topics for full list of Improper/Disallowed Expenses

CAPP 20310 – EXPENDITURES / Improper Expenditure Examples

Page 9: Audit, Fraud, and Misuse – Oh My!

Audit Examples

Do you see what I see???

Are these legitimate business expenses or Violations?

Page 10: Audit, Fraud, and Misuse – Oh My!

WORKS® Reports

SPEND reports by Vendor Name, MCC, MCC Description

• Contains Vendor Name: AMAZON or AMZN

• Contains MCC: 5812-5814 (Rest/Bar)

• Contains MCC Description: Spa
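The WORKS report filters listed above (vendor name, MCC range, MCC description), applied in Python to a constructed transaction export; this is an added example, not DOA or WORKS code. The weekend-spend check comes from the Purchase Card audit types listed earlier, and the Level 3 keyword list, CSV layout and sample rows are assumptions.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample export (not real cardholder data). Column names follow
# the report header shown on the slides.
SAMPLE_CSV = """Purchase Date,Vendor Name,MCC,MCC Description,Amount,Detail Description
1/18/2020,AMZN MKTP US,5942,BOOK STORES,119.00,SODA SOFT DRINK
1/21/2020,CITY DINER,5812,EATING PLACES AND RESTAURANTS,42.10,LUNCH
1/22/2020,SERENITY DAY SPA,7298,HEALTH AND BEAUTY SPAS,90.00,
1/23/2020,AERO PARTS SUPPLY,5599,AEROSPACE AND SPARE PARTS DEALERS,300.00,GASKET
1/27/2020,QUICK STOP 0001,5541,SERVICE STATIONS,40.28,IMPORT BEER
1/28/2020,OFFICE SUPPLY CO,5943,STATIONERY STORES,25.00,HIGHLIGHTER PK
"""

VENDOR_RE = re.compile(r"AMAZON|AMZN", re.I)  # "Contains Vendor Name"
# Whole-word match, so SPARE or AEROSPACE in a description is not flagged.
SPA_RE = re.compile(r"\bSPAS?\b", re.I)
# Assumed keyword list for Level 3 line items; tune it to agency policy.
DETAIL_RE = re.compile(
    r"\b(BEER|WINE|PROSECCO|TOBACCO|CIGARETTES?|GIFT ?CARDS?)\b", re.I)


def flag_transaction(row):
    """Return the list of audit reasons that apply to one report row."""
    reasons = []
    if VENDOR_RE.search(row["Vendor Name"]):
        reasons.append("vendor: AMAZON/AMZN")
    mcc = row["MCC"].strip()
    if mcc.isdigit() and 5812 <= int(mcc) <= 5814:
        reasons.append("mcc: 5812-5814 (Rest/Bar)")
    if SPA_RE.search(row["MCC Description"]):
        reasons.append("mcc description: Spa")
    # weekday() is 5 for Saturday and 6 for Sunday
    if datetime.strptime(row["Purchase Date"], "%m/%d/%Y").weekday() >= 5:
        reasons.append("weekend spend")
    if DETAIL_RE.search(row["Detail Description"] or ""):
        reasons.append("level 3 detail: alcohol/tobacco/gift card")
    return reasons


def audit(csv_text):
    """Map vendor name -> reasons for every row that needs PA follow-up."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = flag_transaction(row)
        if reasons:
            flagged[row["Vendor Name"]] = reasons
    return flagged


if __name__ == "__main__":
    for vendor, reasons in audit(SAMPLE_CSV).items():
        print(f"{vendor}: {'; '.join(reasons)}")
```

A flag here only marks a row for justification and backup documentation; it does not decide whether the transaction is a Violation.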

Page 11: Audit, Fraud, and Misuse – Oh My!

IL Audit Types

• Grocery Stores and Service Stations – Alcohol, Tobacco, Gift Cards, High $ Transactions

• Retail Cycle Limits over $100 – Not Higher Ed (HE)

• Premium Class Airfare

Page 12: Audit, Fraud, and Misuse – Oh My!


Poll Question

Premium class airfare is a DOA audit specific to what card type?

1. Small Purchase Charge Card

2. Small Purchase Charge Card and Individual Liability Travel Card

3. Small Purchase Charge Card, Individual Liability Travel Card, and Airline Travel Card.

Page 13: Audit, Fraud, and Misuse – Oh My!

Tools/Resources

• WORKS

Reports

Training Guides, Training Videos, Live Training

Help Desk

• Intellilink

Page 14: Audit, Fraud, and Misuse – Oh My!


Poll Question

How often do you review cardholder transactions for compliance, fraud and/or misuse?

1. Daily

2. Weekly

3. Monthly

4. Annually

5. Never

Page 15: Audit, Fraud, and Misuse – Oh My!

So how does auditing help me with detecting Fraud and/or Misuse?

Auditing is the tool to help detect Fraud and/or Misuse by reviewing card transactions for purchase compliance.

Reports can indicate transactions that require additional information.

Level 3 Data can show EXACTLY what’s been purchased.

Page 16: Audit, Fraud, and Misuse – Oh My!

Fraud vs Misuse

Misuse

Misuse is defined as unauthorized use of the PCard by the cardholder.

So….What exactly does misuse look like?

• Ordering in greater amounts than authorized/approved

• Purchases for personal gain (intentional/unintentional)

• Purchasing from an unauthorized supplier

• Purchasing in violation of Procurement policies and procedures

Fraud

Fraud is defined as unauthorized use of the PCard, or similar payment tool (ACH, EFT, recurring charge, etc.), by someone other than the cardholder to fraudulently obtain money or property.

So….What exactly does fraud look like?

• Account takeovers

• Skimming

• Social Engineering Fraud

Page 17: Audit, Fraud, and Misuse – Oh My!

When it comes to misuse, it’s a lot easier than you think…

Real or Fake?

Page 18: Audit, Fraud, and Misuse – Oh My!

Misuse: More than meets the eye

[Images: Legitimate Statement; Forged Document]

Page 19: Audit, Fraud, and Misuse – Oh My!

It’s the little things

• No “$” signs

• Characters are off center/Too close together

• Charges don’t equal Total Activity amount

• No commas

*This is a staged example*

Page 20: Audit, Fraud, and Misuse – Oh My!

FRAUD TRENDS & TYPES

• Shimming - A paper-thin device embedded with a micro-chip and flash storage.

• Phishing - A fraudulent attempt to obtain sensitive data.

• Card Not Present - Transactions where a cardholder does not present the card to the merchant (i.e. internet, phone orders)

• Spoofing - The practice of concealing your true online identity by impersonating that of another.

• E.g., a fraudster (let’s call her Maude the Fraud) can use a spoofing application that makes it look like she’s calling from Safe Sally’s phone number. This method allows the fraudster to disguise her online identity and masquerade as a good customer, sailing through the first eCommerce customer touchpoint.

Page 21: Audit, Fraud, and Misuse – Oh My!

I thought EMV Chip and Pin cards would eliminate fraud?

• EMV chip cards enabled with contactless technology could also be at risk of NFC skimming. A contactless card uses NFC (Near Field Communication), a secure wireless technology that allows data to transfer from a mobile device to a card reader at a short distance.

• Vendors who have not upgraded to a chip card reader

• EMV Liability Shift:

October 1st, 2015: Liability for fraud for most card present transactions switched to the least-EMV compliant party (excludes automated fuel dispensers at gas stations).

October 1st, 2016: ATMs were included in the new liability rules, with the least-compliant party being held liable.

October 1st, 2017: Automated fuel dispensers at gas stations were set to be included in the liability shift, but in 2016 this date was moved three years back.

October 1st, 2020: Automated fuel dispensers at gas stations will be included in the new liability rules.

• October 2020 is the new date at which all card present transactions in the U.S. will be held to these standards, including automated fuel dispensers.

Page 22: Audit, Fraud, and Misuse – Oh My!


Poll Question

EMV Chip and PIN cards can eliminate fraud completely?

1. Yes

2. No

3. No, with exception

Page 23: Audit, Fraud, and Misuse – Oh My!

Example of Phishing Email

Page 24: Audit, Fraud, and Misuse – Oh My!

| Vendor Name | MCC | MCC Description | Purchase Date | Post Date | Amount | Detail Description |
|---|---|---|---|---|---|---|
| IN GONE 4 GOOD SHRED LLC | 8999 | PROFESSIONAL SERVICES NOT ELSEWHERE CLAS | 1/15/2020 | 1/16/2020 | $80.00 | " : 2 96 GAL BIN T NMB |
| IN ATLANTIC COMMUNICATIO | 5065 | ELECTRICAL PARTS AND EQUIPMENT | 1/27/2020 | 1/28/2020 | $2,296.98 | "CREDIT CARD FEE - PLEASE NMB |
| IN ATLANTIC COMMUNICATIO | 5065 | ELECTRICAL PARTS AND EQUIPMENT | 1/27/2020 | 1/28/2020 | $2,296.98 | "EVA TRANSACTION FEE" NMB |
| IN SEVEN HILLS FOOD | 5422 | FREEZER AND LOCKER MEAT PROVISIONERS | 1/29/2020 | 1/30/2020 | $1,047.42 | "FLANK STEAK (BEEF) 21.100 NMB |
| IN SEVEN HILLS FOOD | 5422 | FREEZER AND LOCKER MEAT PROVISIONERS | 1/29/2020 | 1/30/2020 | $1,047.42 | "INNER SKIRT STEAK (BEEF) NMB |
| IN DISCOVERIES INC | 5085 | INDUSTRIAL SUPPLIES NOT ESLEWHERE CLASSI | 1/15/2020 | 1/16/2020 | $189.00 | "OUT-OF-STATE SALE, EXEMPT NMB |
| CDW GOVT #WRC8286 | 5045 | COMPUTERS,COMPUTER PERIPHERAL EQUIPMENT, | 2/3/2020 | 2/4/2020 | $328.15 | +OTTERBOX DEFNDR IPAD 5T EAC |
| VIRGINIA INDUSTRIES FOR | 7399 | BUSINESS SERVICES NOT ELSEWHERE CLASSIFI | 1/21/2020 | 1/22/2020 | $1,125.56 | 1276 HIGHLIGHTER PK |
| IN ADVANTAGE SUPPLY CENT | 5399 | MISCELLANEOUS GENERAL MERCHANDISE STORES | 1/30/2020 | 1/31/2020 | $113.19 | 8542016310BOXLEGEND SHIRT NMB |
| Amazon.com Z37V31KK3 | 5942 | BOOK STORES | 1/18/2020 | 1/20/2020 | $119.00 | Coca-Cola Soda Soft Drink, PCE |
| IN ONE TOUCH SOLUTIONS, | 7399 | BUSINESS SERVICES NOT ELSEWHERE CLASSIFI | 2/3/2020 | 2/4/2020 | $825.14 | VALENTINE'S DAY HEARTS PLA NMB |
| IN ONE TOUCH SOLUTIONS, | 7399 | BUSINESS SERVICES NOT ELSEWHERE CLASSIFI | 2/3/2020 | 2/4/2020 | $825.14 | VALENTINE'S GUSHERS, FRUIT NMB |

What would you investigate?

Page 25: Audit, Fraud, and Misuse – Oh My!

| Purchase Date | Post Date | Credit | Amount | Vendor Name | MCC | MCC Description | Detail Description |
|---|---|---|---|---|---|---|---|
| 5/8/2019 | 5/10/2019 | $0.00 | $10.82 | SAFEWAY #3257 | 5411 | GROCERY STORES, SUPERMARKETS | ADULT COLD COUGH FLU SOLID EA |
| 8/6/2019 | 8/7/2019 | $0.00 | $3.36 | SHEETZ 00005884 | 5541 | SERVICE STATIONS | ARIZONA 34OZ HLF HLF Singl EAC |
| 3/17/2019 | 3/18/2019 | $0.00 | $5.18 | SHEETZ 00002253 | 5541 | SERVICE STATIONS | BLUE MOON BELGIAN WHITE 24 EAC |
| 7/1/2019 | 7/2/2019 | $0.00 | $5.55 | SHEETZ 00003640 | 5541 | SERVICE STATIONS | Breakfast Croissant EAC |
| 2/7/2019 | 2/8/2019 | $0.00 | $9.35 | SHEETZ 00002618 | 5541 | SERVICE STATIONS | CADBURY CREME Single EAC |
| 3/2/2019 | 3/4/2019 | $0.00 | $9.03 | PUBLIX #664 | 5411 | GROCERY STORES, SUPERMARKETS | CONDOMS M/BARESKIN NMB |
| 8/4/2019 | 8/6/2019 | $0.00 | $858.00 | EXPEDIA LOCAL EXPERT HOS | 7399 | BUSINESS SERVICES NOT ELSEWHERE CLASSIFI | Expedia Local Expert Hoste EACH |
| 12/13/2019 | 12/16/2019 | $0.00 | $20.00 | IN WALSH JESUIT HIGH SCH | 8299 | SCHOOLS AND EDUCATIONAL SERVICES NOT ELS | FRIDAY TICKET IRON MAN WRE NMB |
| 6/15/2019 | 6/17/2019 | $0.00 | $12.24 | SQ DAJEN EATS | 5499 | MISC FOOD STORES-SPECIALITY,CONVENIENCE, | IDENTITY CRISIS NMB |
| 1/28/2019 | 1/30/2019 | $0.00 | $40.28 | SAFEWAY #1689 | 5411 | GROCERY STORES, SUPERMARKETS | IMPORT BEER EA |
| 1/29/2019 | 1/31/2019 | $0.00 | $29.73 | SAFEWAY #1689 | 5411 | GROCERY STORES, SUPERMARKETS | IMPORT BEER EA |
| 8/26/2019 | 8/27/2019 | $0.00 | $14.53 | SHEETZ 00004077 | 5541 | SERVICE STATIONS | MARL KG GOLD BOX Single EAC |
| 9/21/2019 | 9/23/2019 | $0.00 | $9.35 | SQ PROSECCO BAR | 5814 | FAST FOOD RESTAURANTS | Prosecco NMB |
| 5/12/2019 | 5/13/2019 | $0.00 | $15.00 | PUBLIX #1643 | 5411 | GROCERY STORES, SUPERMARKETS | RX CASH/COPAY NMB |

Page 26: Audit, Fraud, and Misuse – Oh My!

Preventing Card Fraud and Misuse

• Keep your credit cards secure

• Report lost/stolen cards immediately

• Review authorization logs/statements weekly/bi-weekly

• Utilize retailers that use a chip reader

• Don’t store credit card information online

• Set up Fraud alerts

• Review card authorization log/statements weekly/bi-weekly

• Compare receipts to PCard Log/OLR Log

• Review Employee Reimbursement requests

• Look for Level III data

• QUESTION, QUESTION, QUESTION!!!

Page 27: Audit, Fraud, and Misuse – Oh My!


Poll Question

Level 3 Data can show exactly what has been purchased?

1. Yes

2. No

3. Yes, with exception

Page 28: Audit, Fraud, and Misuse – Oh My!

Thanks for listening.

Any Questions?

Page 29: Audit, Fraud, and Misuse – Oh My!


CPE Evaluation Form

1. Were the learning objectives met?

2. Were prerequisite requirements appropriate and sufficient?

3. Were the materials relevant?

4. Did the program increase your professional competence?

5. Was the time allotted appropriate to learning?

6. Was the presentation of the material effective?

7. Was the instructor effective?

8. Comments

Page 30: Audit, Fraud, and Misuse – Oh My!

Kristen Bolden, Assistant Director

Jamie Spears, Lead Analyst

Jennifer Vaughn, Charge Card Analyst

Stephanie Bussenger, Charge Card Analyst

Amy Butler, vPayables Analyst

Janet Yu, vPayables Analyst

CCA Contact Information


804.786.0874

https://www.doa.virginia.gov/onlineservices.shtml#chargecard