Internal Audit And Control

Home Assignment

Internal audit and control

Important Notice : This first home assignment evaluates the understanding of the student of the basics of internal audit and control. The student should be able to identify the stakeholders of an organization, and explain the impact of fraud on those stakeholders. The student should be also able to identify a risk, and to explain how the COSO framework could limit the risk.

Here are below 4 cases of fraud described by the Fraud-magazine as the worst of the year 2019.

For each of the 4 cases, answer in your own words and in maximum 5 lines per question and per case,

the following questions:

1) Name 3 stakeholders, and describe the impacts of the fraud on each of them.

2) Identify the highest risk that the organisation is facing. Tell if the risk named is from external factor

or internal factor. Why?

3) Tell how, according to you, internal control (the COSO framework) applied to the organization could

have prevented the fraud.

By Emily Primeaux, CFE Source : https://www.fraud-magazine.com January/February 2020

Case 1:

March 2019 Thirty-three parents of college applicants are accused of bribery to influence undergraduate admissions decisions

Parties charged: 50

The ringleader: William Singer

They’re rich. Some of them are famous. Not all of them are ethical. In March 2019, U.S. federal prosecutors charged at least 50 people for schemes involving wealthy parents who bought spots for their children in freshman classes at Yale, Stanford, the University of Southern California and other big-name schools.

Nicknamed “Operation Varsity Blues,” by the U.S. federal government, the 2019 college admissions bribery scandal arose over a criminal conspiracy to influence undergraduate admissions decisions at several top American universities. Hollywood celebrities, like Felicity Huffman and Lori Loughlin, and prominent business leaders, like William E. McGlashan Jr., a partner at the private equity firm TPG, were among the parents charged. Also implicated were top college athletic coaches, who were accused of accepting millions of dollars to help admit undeserving students to a wide variety of colleges by suggesting they were top athletes.

According to prosecutors, many of the students were unaware that their parents were doctoring their test scores and lying to get them into school. Federal prosecutors haven’t charged any students or universities with wrongdoing.

“‘Bounded ethicality’ describes the systematic and predictable ways in which people engage in unethical acts without realizing they are doing anything wrong,” says Bret Hood, CFE, ACFE Faculty member and director, 21st Century Learning & Consulting. “In the school admissions case, parents were focused on doing what they felt was best for their children. Bounded ethicality likely led the parents to never give thought to the possibility that their actions would adversely impact others, yet for someone completely detached, the damage to others would be obvious.”

And the damage to others in the college admissions scandal is obvious, according to Andrew E. Lelling, the U.S. attorney for the District of Massachusetts. “The parents are the prime movers of this fraud,” Lelling said in The New York Times article. “The real victims in this case are the hardworking students.” They were displaced in the admissions process by “far less qualified students and their families who simply bought their way in,” he said.

Of the schemes, some of the most noteworthy included:

Parents of a teenage girl who’d never played soccer paid $1.2 million to magically make her a star soccer recruit.

A student with no rowing experience won a spot on the University of Southern California crew team after a photograph of another person in a boat was submitted as evidence of her ability. Her parents paid $200,000.

Actress Felicity Huffman paid thousands of dollars to have one of her daughter’s SAT scores inflated. She was later sentenced to 14 days in prison. (See Actress Felicity Huffman Sentenced To 14 Days In College Admissions Scandal, by Vanessa Romo, NPR, Sept. 13, 2019.)

According to The New York Times article, the puppeteer of the financial crime and fraud case was William Singer, the founder of a college preparatory business called the Edge College & Career Network, also known as The Key. Authorities said The Key and its nonprofit arm helped students cheat on their standardized tests, and paid bribes to the coaches who could get them into college with fake athletic credentials. This was the Justice Department’s largest-ever college admissions prosecution.

Case 2:

July 2019 More than 100 million Capital One credit card applications and accounts compromised

Accounts hacked: More than 100 million

The hacker: Paige Thompson

We’ve seen a surge of data breaches in the last decade: Target in 2013, Home Depot in 2014, Anthem in 2015, Marriott International in 2018 and more. But 2019 saw one of the biggest data breaches ever when a hacker gained access to more than 100 million Capital One customers’ accounts and credit card applications.

In July 2019, Paige Thompson, 33, was accused of breaking into a Capital One server and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, plus an undisclosed number of people’s names, addresses, credit scores, credit limits, balances and other information, according to the bank and the U.S. Department of Justice (DOJ).

According to the CNN Business article, a criminal complaint said Thompson tried to share information with others online. She’d previously worked with Amazon Web Services, the cloud hosting company that Capital One was using. Capital One said the hack occurred in March, and the company had fixed the vulnerability.

“It was obviously application data that was released,” says Tom Shaw, CFE, financial services consultant and former vice president of Enterprise Financial Crimes Management at USAA. “So, once we heard about the Capital One breach, the major players in the space of providing products such as credit cards, deposit accounts and loans asked, ‘What do we need to mitigate that fraud that is going to emanate once that information gets out on the dark web and starts to get sold?’ That was our No. 1 priority in the industry. When a sizable breach happens it can expose financial institutions to an uptick in application fraud, which results in identity theft for many consumers that were part of the breach.”

Shaw says that without knowing all of the types of individual records released, they had to relook at the financial services preventive and detective measures to verify who people say they are, and they had to make sure they were doing the best job of validating people applying for accounts.

“It had a big impact on digital banks that open accounts online,” he says. “We had to verify in nondocumentary means using third-party data sources. We had to look at our defenses without knowing what information had been breached.”

According to a source with direct knowledge of the breach investigation, the problem in the hack stemmed in part from a misconfigured open-source web application firewall that Capital One was using as part of its operations hosted in the cloud with Amazon Web Services. A misconfiguration allowed Thompson to trick the firewall into relaying requests to key back-end resources on the platform.

“Financial institutions need to have defense of depth to protect their data and to be able to detect cyber intrusions,” says Shaw. “Fraud examiners should collaborate with their front-line defense teams in cybersecurity and fraud prevention and detection. When you see patterns that look out of the ordinary, make sure you’re working closely with the front-line fraud preventative and detective teams to report back your investigative findings.”

Case 3:

March 2019 PwC investigation finds $7.4 billion accounting fraud at Steinhoff

Money lost: $7.4 billion

Duration of fraud: 8 years

Steinhoff International is a South African international retail holding company that deals mainly in furniture and household goods. It operates in Europe, Africa, Asia, the U.S., Australia and New Zealand. It also overstated profits for several years to the tune of a $7.4 billion accounting fraud involving a small group of top executives and outsiders, according to an independent report by PwC.

According to the Reuters article, Steinhoff first disclosed irregularities in its books in December 2017, but it wasn’t until PwC conducted and completed its investigation that the accounting fraud was revealed. PwC found the firm recorded fictitious or irregular transactions totaling 6.5 billion euros ($7.4 billion) from 2009 to 2017. Investigators found that a small group of former Steinhoff executives and individuals from outside the company implemented the deals, which substantially inflated the group’s profit and asset values. It’s the country’s biggest corporate scandal to date.

Chief Executive Markus Jooste has resigned, but denied any wrongdoing, while other high-level executives at Steinhoff have also exited the company. Shareholder value plummeted in the wake of the news, and reports have said the company posted a $12 billion valuation write-down after PwC provided its findings to the firm.

Case 4:

April 2019 Feds take down $1 billion Medicare fraud

Money lost: $1 billion

Parties charged: 24 doctors and owners of medical equipment companies

The U.S. Senate Committee on Aging recently presented its annual report on staggering elder financial abuse. Scammers continue to target this vulnerable population, according to a Jan. 16, 2019, Forbes article by Ted Knutson.

It appears that elder fraud continues to keep a target on its back — in April 2019, an international telemarketing network lured hundreds of thousands of elderly or disabled patients into a criminal scheme, according to U.S. prosecutors.

According to the article, two dozen people, including doctors and owners of medical equipment companies, were charged in a more than $1 billion Medicare scam. Investigators uncovered a plot that targeted elderly and disabled people by setting them up with back, neck and knee braces they didn’t need. The scheme has been dubbed Operation Brace Yourself.

Prosecutors said the fraudsters laundered the ill-gotten gains through international shell companies and used them to buy exotic cars, yachts and luxury real estate in the U.S. and overseas. As part of the scheme, doctors were paid to prescribe braces to patients they had little-to-no relationships with. Doctors had brief conversations via phone calls or video conferences with patients they never met using call centers in the Philippines and throughout Latin America. As a result, personal information of hundreds of thousands of Medicare beneficiaries was compromised and could be used in future schemes, according to prosecutors in the NBC News article.