How to reduce the risk of purchasing fraud

Crissy R. Fiscus (cfiscus@deandorton.com)Lance R. Mann (lmann@deandorton.com)

September 29, 2014

Agenda• Key risks of fraud within procurement function• Specific areas of focus for today• Real world examples• Internal controls

- Preventative- Detective

• Other higher education risks

What is Occupational Fraud?

The use of one’s occupation for personal enrichment through the

deliberate misuse or misapplication of the employing organization’s

resources or assets.

Fraud Triangle

For a fraud perpetrator to commit a fraud, he has to feel some type of pressure to do so. The pressure may be financial, such as having to pay medical bills or living beyond his means. Alternatively, the pressure may be non-financial, such as desiring to report better-than-actual performance or self-imposing a challenge to “beat the system.”

Pressure

Opportunity may be real or perceived. It is the circumstances that allow the perpetrator to find a way to commit the fraud. The perpetrator may take advantage of weak internal control or his position in the organization. For example, a claims examiner in an insurance company may write claims checks to himself because of his ability to generate claims payments as a normal duty.

Opportunity

The perpetrator finds a way to make her improper actions consistent with her personal code of conduct. To the fraud perpetrator, she can rationalize that a crime has not actually been committed. Typical rationalizations include borrowing money on a “temporary” basis, justifying the theft from a sense of being underpaid, or depersonalizing the victim of the theft (“I wasn’t stealing from my boss, I was stealing from the company”).

Rationalization

How is Fraud Committed?• Asset misappropriation schemes

employee steals or misuses organization’s resources (e.g., theft of company cash, false billing schemes or inflated expense reports)

• Corruption schemesemployee misuses influence in a business transaction in a way that violates duty to employer, to gain direct or indirect benefit (e.g., schemes involving bribery or conflicts of interest)

• Financial statement fraud schemesemployee intentionally causes misstatement or omission of material information in organization’s financial reports (e.g., recording fictitious revenues, understating reported expenses or artificially inflating reported assets)

Occupational Fraud and Abuse Classification System

Today we are here to focus on corruption related fraud – Conflicts of Interest, Kickbacks, and Bribery

State University of New YorkDownstate Medical Center

Allegations of Procurement Fraud, Waste and Abuse

• Office of the New York State Comptroller received 3 anonymous letters alleging waste, fraud and abuse involving procurement practices at the Center.

• These letters were received over the course of several months.

State University of New YorkDownstate Medical Center

Allegations of Procurement Fraud, Waste and Abuse

Key Findings in the Audit:• A vendor, Eagle Two Construction (Eagle Two),

was able to circumvent the Center’s bidding processes.

• In six cases fake bids or bids from companies affiliated with Eagle Two were submitted against Eagle Two’s bids.

• In all six cases Eagle Two was awarded the contract.

• Eagle Two or its affiliates were paid additional amounts for work that should have been covered under contract already in place.

State University of New YorkDownstate Medical Center

Allegations of Procurement Fraud, Waste and Abuse

The audit revealed that one company, Eagle Two, owned by Roxanne T., was connected to several other companies that submitted supposed competing bids in procurements. The relationships are as follows:• Ms. T is the president and owner of Eagle Two, which is

located at 294 20th Street, Brooklyn• Ms. T is the president and owner of RJS Construction (RJS)

and JIT Enterprises LLC (JIT), both of which were located at 294 20th Street, Brooklyn

• Workshop Group, Inc. (Workshop Group), also located at 294 20th Street, Brooklyn was disclosed as a subcontractor of Eagle Two

State University of New YorkDownstate Medical Center

Allegations of Procurement Fraud, Waste and Abuse

While Eagle Two, RJS, JIT, and Workshop Group all submitted bids for work at the Center, at some point, only Eagle Two, RJS and JIT were paid by the Center. In all cases, we found if one of these affiliated companies bid against Eagle Two, Eagle Two won the project.

State University of New YorkDownstate Medical Center

Allegations of Procurement Fraud, Waste and AbuseControls that failed:

• The Facilities Coordinator was unable to contact the “fake” bidders, and therefore took the supposed competing bids directly from Ms. T and never questioned the validity of the bids.

• All the appropriate people signed off on the bid documents. However, these people all said they merely signed off and they took no responsibility for receiving or reviewing the bids or for ensuring a thorough review of the bid process• Director of Contracts and Procurement• Director of Procurement Facilities Operations• Director of Procurement Design and Construction

• All of the bid packages looked identical – even had the same mistakes and nobody noticed.

Kennesaw State UniversityAlleged Fraudulent Purchasing

Practices• Identified by a tip• False vendor profiles and payments to

fictitious vendors• $1 million over several years• The accused was responsible for approving

contracts and verifying that work was completed as specified

Kennesaw State UniversityAlleged Fraudulent Purchasing

PracticesKSU officials have taken the following actions in direct response to the loopholes that were identified in the University’s – and the state’s – procurement procedures:• Hiring of a new high-level administrator, the associate vice president

for operations, to whom the business operation team now reports;• Initiation of an internal monitoring process of all contracts greater

than $2,500, and requiring them to have two signatures (the previous one-signature limit was $5,000);

• Rigorous post-award reviews of all contracts from the past two years – nearly 5,000 – that exceeded $5,000; and more than 70 contracts that exceeded $1 million;

• Establishment of a low threshold for repetitive contracts with single-signature authorization;

Kennesaw State UniversityAlleged Fraudulent Purchasing

Practices (Continued)• Quarterly aggregation of all contracts under a single person’s

signature for supervisory review;• Increased scrutiny of vendors and implementation of a more

rigorous vendor-approval process;• Implementation of additional controls that separate purchasing

activities among more contract and billing reviewers; and• Utilization of fraud prevention software. 

In all instances, these implementations exceed current state-level requirements. Campus-wide reviews of potential risk areas also are continuing to develop additional procedures that can help mitigate future loss.

Multiple UniversitiesStudent Loan Kickbacks

Student financial aid officials all over the country accepted cash, gifts, trips to exotic locations, sponsorships of award dinners and association conferences, from lenders they recommended to students.

Some lenders made payments directly to universities.

Multiple UniversitiesStudent Loan Kickbacks

• Dean of Financial Aid at Widener University received $80,000.

• Student financial aid officials at Columbia University, University of Southern California, and University of Texas at Austin, each owned at least 1,500 shares of stock of Student Loan Xpress, which they listed as the preferred lender at their respective institutions.

• Drexel University in Philadelphia received $124,000 from Education Finance Partners for making them the sole preferred source for private student loans.

• The student financial services director at Johns Hopkins University received $63,000 over several years from Student Loan Xpress in addition to the payment of her tuition in a doctoral program.

 

Multiple UniversitiesStudent Loan Kickbacks

University of Pennsylvania will pay $1.6 million back to students.

New York University will pay $1.4 million back to students.

The American Association of Universities has drafted a “statement of principles” for relationships between universities and student-loan providers. The policy is to help guide campus leaders as they review these agreements.

We have discussed the how and why of how fraud occurs, along with examples

of how fraud can occur at your institution –let’s now discuss ways to

prevent corruption fraud.

Internal Controls – It starts at the top

Governance Related Controls• Active Board of Directors• Management Oversight• Employee Code of Conduct (require annual

certification)• Code of Ethics• Conflict of Interest Policies and Annual Disclosure

Statement• Vendor Code of Conduct• Gift and Gratuities Policies• Whistleblower Hotline• Fraud Awareness Training for Employee

Fraud Awareness Training

Don’t be afraid to talk about fraud

Discuss with employees what fraud looks like and what to do if they have suspicions (If you see something, say something!!)

Get your auditor to perform the training

Don’t just train once

Small groups work great for this training, as it encourages more questions

Hotlines

Detection of Fraud Schemes

Initial Detection of Occupational Frauds

©2012 Association of Certified Fraud Examiners, Inc.

Detection of Fraud Schemes

Source of Tips

©2012 Association of Certified Fraud Examiners, Inc.

Detection of Fraud Schemes

Impact of HotlinesOrganizations with some form of hotline saw a much higher likelihood that a fraud would be detected by a tip (51%) than organizations without such a hotline (35%).

©2012 Association of Certified Fraud Examiners, Inc.

Detection of Fraud Schemes

©2012 Association of Certified Fraud Examiners, Inc.

Impact of Hotlines

Implementing an Effective Hotline

• Anonymity is key • Train employees• Communicate often• Consider outsourcing• Make it easy• Follow-up on every report

©2012 Association of Certified Fraud Examiners, Inc.

Preventative Controls

Preventative Controls

• Vendor research• Segregation of duties• Detailed review and approval process• Central purchasing offices (i.e. departments do not

have independent purchasing authority)• Job rotation/mandatory vacation• Effective human resource practices – hiring and

employee support practices• Approval committees for purchases over certain

thresholds

Vendor Management

• Multiple reviews required for any new vendor• Determine if any conflicts of interest exist– Check vendor ownership records– Compare vendor address to employee

addresses• Constant review of vendor database• Vendor Code of Conduct

Preventative Controls

You have designed a great set of preventative controls – how often are you making sure the controls are operating as designed?

Are you performing an annual policy and procedures review?

Detective Controls

Detective Controls

• Internal Audit• Budget to Actual Analysis• Analyzing purchasing trends• Effective management review– Review of purchase records– Sign off on contract completion and/or quality of

products received• Engaged leadership team

Internal Audit

• Surprise audits• Price comparisons• Continuous monitoring techniques• Search for excess or unnecessary purchases• Fraud Risk Assessment (annually)

Other Higher Education Risks

Every purchasing officers nightmare…

Institutional Purchasing Cards• Most institutions have effective controls for

lower level employees (i.e. supervisor approval of all charges, controls provided by card issuer, etc…).

• Higher level employees (i.e. presidents cabinet members, vice presidents, etc…) sometimes have less oversight in their purchasing habits.

Institutional Purchasing Cards

Effective Controls• Purchasing limits• Detailed review by superior (subordinate

should never be in a position to review supervisors expenses)

• Policies regarding allowable expenses• Surprise audits

Institutional Purchasing Cards

Effective Controls• Continuous monitoring techniques• Evaluate the number of cards annually (at

some institutions – the number of issued cards has gotten excessive)

• Eliminate cards used by more than one individual (e.g. checking out a department card)

• Have a policy for revoking privileges and FOLLOW IT! No matter the level of the individual.

Affiliated Companies or Employee-Owned Companies

Institutions should limit the amount of exchange with employee owned companies.

All employees and board members should be required to submit an annual conflict of interest disclosure.

Have a strict policy about employees or student organizations opening an account with the word “University” in it.

Student Organizations

Student organizations pose a great risk for institutions to wind up on the front page of the local paper.

Institutions need to implement procedures to ensure the organizations have proper oversight over their activities and over safeguarding their funds.

Consider engaging your internal auditor to assist in developing these controls.

Let’s discuss

• What is working?• What is not working?• What keeps you up at night?• What barriers are there at your institution for

implementing effective internal controls?

Questions?Contact Us Here:

Crissy R. Fiscus, CPAcfiscus@deandorton.com

Lance Mann, CPA, CFE, CGMAlmann@deandorton.com

Visit the Dean Dorton website at deandorton.com