The anonymous tip had been right on target. Police and the security chief of the Capital Metropolitan Transportation Authority in Austin, Texas, saw the theft unfold one evening in 2005.
From a vantage point overlooking Capital Metro’s garage, they witnessed two maintenance workers emptying bus fare boxes into sacks, which they stowed in their cars. When the authorities swooped down on the pair and tore open the bags, nearly $3,500 in small change shined up at them.
A subsequent investigation found that actual receipts were short by almost exactly the amount they found in the sacks. However, the two crooks and their small one-night haul were minor symptoms of a malignant disease — Capital Metro’s then-myopic anti-fraud program.
Glaring weaknesses in internal controls had prevented detection of the thefts. Since the beginning of FY 2005, more than $100,000 had disappeared from Capital Metro fare boxes before anyone noticed. And no one could say how much longer the thefts would have continued had the anonymous tipster not alerted investigators. The internal control deficiencies had prevented anyone from noticing the losses.
“This really put a spotlight on the organization's fraud recognition and reporting program,” said Marcus Horton, CFE, CIA. Horton joined Capital Metro as a senior internal auditor less than a year subsequent to the theft, but he knows the case and its lessons well. In addition to Horton, Capital Metro’s internal audit team consists of a vice-president and a second internal auditor.
“Internal controls and safeguards are as strong as their weakest link,” Horton said. At the time, some of the organization’s controls were robust, but there were material weaknesses. Among them was easy access to a supposedly secure key to Capital Metro’s fare boxes.
“Capital Metro just didn't recognize the potential for such an exposure and the need for controls that would prevent or detect it,” Horton added.
Following the fraud, Capital Metro significantly revamped its security. First, it implemented procedures to safeguard and track keys and other critical items that could make it easy to access fare box receipts undetected. And it increased its ability to detect potential threats to the security of fare receipts before they are vaulted, or recorded and safely deposited.
Capital Metro had a tight process for reconciling its actual cash inflows with the amounts that fare box computers recorded, Horton said. But the breach in security occurred before vaulting, which allowed fraudsters to skim funds Capital Metro had received but not yet recorded.
Earlier, when Capital Metro had selected and installed the soon-to-be plundered fare boxes, its internal audit function had only recently begun operations.
“To my knowledge, internal audit wasn’t consulted before new boxes were put in,” Horton said. “So it’s possible there wasn’t a thorough assessment of the risk of tampering and theft. Since then, the scoping procedures for any audit engagement include a fraud risk assessment to identify potential exposures. We include our audit clients in this process so that we can draw upon their knowledge and experience.”
That sort of multidisciplinary approach is central to the latest thinking in anti-fraud program design and implementation, discussed at length in “Who Owns Fraud?,” in the January/February 2011 issue of Fraud Magazine.
DOUBLE DUTY: BEFORE AND AFTER FRAUD STRIKES
An effective fraud risk assessment must identify and evaluate an organization’s exposures to its most likely specific types of fraud. Internal auditors easily possess the greatest overall familiarity with each operating unit’s business processes, internal and external relations, and fraud exposures. This knowledge qualifies them to proactively target fraud risks; weigh the threat they pose; and design, prioritize and execute audit procedures to resolve them.
CFEs, as anti-fraud specialists, are particularly knowledgeable about various techniques and devices fraudsters employ to spread corruption, misappropriate assets or falsify financial statements. That specialized insight allows them to discern where fraudsters will most likely attempt to evade controls and how much and what kinds of damage they could inflict.
“Typically, internal audit is the keeper of the risk assessment process, for overall operational risk and fraud risk in particular,” Horton said. But in many organizations, including Capital Metro, that process is not as holistic as a full-scale enterprise risk management (ERM) system would be.
Like other risk management approaches, including Capital Metro’s, ERM looks at the entire entity’s exposures. But ERM adds value, as well as complexity, by continually and simultaneously assessing risk in all business operations.
“ERM is still a relatively new concept,” Horton said. “To be effective, it requires buy-in from the president/CEO, executive leadership and the board.”
As a public entity charged with providing public transportation in Central Texas, Capital Metro is subject to new government requirements that a certain proportion of its management and board of directors possess financial and executive-level management skills. Specifically, Texas Senate bill 1263, passed by the state legislature in 2010, added accounting and management requirements for two board positions. Consequently, a recent shakeup has brought in a new president/CEO and board.
“At this point, they’re not ready for a major implementation, such as ERM,” Horton said.
“ERM does not have to be prohibitively costly and time-intensive,” he continued. “Some managers misconstrue ERM’s methods and goals, which scares them. But I don’t think that’s a problem here. In fact, Capital Metro is considering the eventual implementation of an ERM program.”
Meanwhile, as the only CFE among Capital Metro’s roughly 400 administrative employees and 1,100 drivers, mechanics and other workers, Horton combines his internal auditing and fraud examination knowledge and skills to anticipate and respond to fraud risks and occurrences quickly and effectively. Horton became a CFE in 2006 after passing each part of the CFE exam on the first attempt. He joined Capital Metro while preparing for the exam.
“In place of ERM, we prioritize the demands on our auditing capacity. Each year we selectively schedule the audits, based on criteria, including how frequently and when last a function has been audited,” Horton said.
Then, Horton and his colleagues, when planning the scope of an audit, prepare a risk assessment in collaboration with members of the business unit that they will audit.
“That’s where you identify the possibility of individual risks, including that of fraud. At this point, we assess each exposure’s probability and potential impact,” he said.
Wearing two hats — Certified Fraud Examiner and Certified Internal Auditor — gives Horton an advantage in any fraud cases, however they are initially uncovered.
MAKING A CASE
Although Horton is fully occupied as an internal auditor, his CFE training qualifies him to perform fraud examinations.
Even when a CFE’s employer calls in an external CFE to conduct an examination, the staff CFE can perform several investigative functions, such as:
- Planning the fraud examination.
- Gathering and documenting evidence.
- Analyzing data to prove fraud.
- Interviewing witnesses and suspects.
- Writing fraud examination reports.
- Testifying as a fact witness.
All of these functions make the staff CFE an important participant in the fraud response.(CFEs who wish to refresh their skills in these areas can attend ACFE seminars, including Conducting Internal Investigations, to be held in New York, March 3-4.)
PUTTING THE SYNERGY TO GOOD USE
Luise Odenheimer, CFE, CICA, a gaming industry internal auditor for the Seminole Tribe of Florida, summed up the synergy nicely in a recent ACFE Insights blog post.“When I audit, I feel that I see more than what an average internal auditor may see,” she said. “With my CFE training and strong fraud knowledge, I look at a control weakness as an opportunity for fraud to occur.”
Robert Tie is a New York business writer.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.fraud-magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com.