Fraud Awareness at Emory University

1. Rev. January 24, 2007 1 Fraud Awareness at Emory University William Mulcahy, CPA, CIA Chief Audit Officer Emory University Good Morning, As Emory�s Chief Audit Officer, my office leads various audits across Emory University and Emory Healthcare to ensure business operations are performed with the appropriate internal controls. Our office also performs formal investigations based upon tips received from management, Emory Trust Line, faxes, and internal audit procedures. Our most frequent mechanism of fraud detection is tips which corresponds to a recent publication. According to the 2006 Report to the Nation on Occupational Fraud issued by the Association of Certified Fraud Examiners the number one method of fraud detection is through tips received by employees, followed by accidental findings and internal audit procedures. From these investigations � all of which are conducted under attorney-client privilege � we are able to see trends, patterns, and best practices management should be aware of, and we recommend applying these practices to your operating environment. Good Morning, As Emory�s Chief Audit Officer, my office leads various audits across Emory University and Emory Healthcare to ensure business operations are performed with the appropriate internal controls. Our office also performs formal investigations based upon tips received from management, Emory Trust Line, faxes, and internal audit procedures. Our most frequent mechanism of fraud detection is tips which corresponds to a recent publication. According to the 2006 Report to the Nation on Occupational Fraud issued by the Association of Certified Fraud Examiners the number one method of fraud detection is through tips received by employees, followed by accidental findings and internal audit procedures. From these investigations � all of which are conducted under attorney-client privilege � we are able to see trends, patterns, and best practices management should be aware of, and we recommend applying these practices to your operating environment.

2. Fraud Awareness at Emory University 2 Agenda Introduction Fraud Triangle Red Flags Five Key Control Activities Closing Read this slide as is . . .Read this slide as is . . .

3. Fraud Awareness at Emory University 3 Occupational Fraud and �Beating the System� All businesses and organizations trust employees to handle various operations. Employee fraud, happens because dishonest employees are aware of this trust and know how �to beat the system� Management should learn how to control their own environment and recognize red flags. Occupational Fraud is a significant financial drain on businesses and institutions throughout the world. It�s one thing to have fraud committed by external entities over whom we may have little control; however, internal employee fraud is something that every organization � including Emory University - must work to prevent and deter. To prevent and deter fraud, management should learn how to control their own environment and recognize red flags. In addition, management should trust their employees but verify their activities. Occupational Fraud is a significant financial drain on businesses and institutions throughout the world. It�s one thing to have fraud committed by external entities over whom we may have little control; however, internal employee fraud is something that every organization � including Emory University - must work to prevent and deter. To prevent and deter fraud, management should learn how to control their own environment and recognize red flags. In addition, management should trust their employees but verify their activities.

4. Fraud Awareness at Emory University 4 Prevalent Schemes We have seen various fraud schemes here at Emory � involving fraudulent disbursements, inventory, and cash. Employee�s lives have been radically changed by terminations, retribution, and felony indictments by the DeKalb County District Attorney for their participation in fraudulent activities. I would like to share three specific stories with you. These three stories illustrate how employees� ethics strayed and resulted in their committing fraud. Payroll Schemes For example, we received a tip regarding an employee perpetrating payroll fraud. In fact, the investigation revealed that she had her brother, boyfriend, and his sister on the payroll. In addition, her brother was the highest overtime person for several years in a row. Why was this person able to do this? Ask yourself, do you have employees who create their own version of a system report for your review? Perhaps � you think it is easier for you to read. Lessons Learned: Our computer assisted audit techniques were able to match the fact that this person would have this money deposited into her mother�s account and then made available to her ghost employee brother. Review source system reports when possible. Be sure to monitor payroll and overtime for your department on a recurring basis for reasonableness. P-Card and Employee Reimbursements Another possible fraud we were alerted to thanks to our colleagues in the Finance Division � the P-Card compliance and audit team � pertained to a department administrator. This individual was at the top of the �totem pole� administratively for this unit. Her P-Card transactions were for personal meals, her home furniture purchases, and her family�s car repairs and upgrades. Why was this person able to do this? Ask yourself, do you have one or two individuals in your department assigned with �doing everything�? Even if that means that they monitor everyone�s payroll, P-Card transactions, and reimbursements --- but in turn, NO ONE reviews theirs? Lessons Learned: Review P-Card and employee reimbursements. Don�t just sign reimbursement requests or approvals for P-Card statements without reviewing what you are signing. As we have seen in many cases, management has signed-off on documents � indicating their approval � when in fact, they may have been signing off for a new desk from Pottery Barn for their well-respected or hardworking employee�s lake house. Also, learn to recognize and follow-up on red flags. This employee, given her Emory salary , was living beyond her means (talking about her primary residence, her lake house, her new boat dock, her children�s expensive cars, the hundreds of gifts she bought her family). Fictitious Vendor Continuing on with this story of the employee living beyond her means � was her ability to place fictitious vendors on our Accounts Payable. When was the last time you looked at the vendors your department makes payments to? In fact, this person was able to place her sick brother and good friend as two separate Emory vendors delivering a service � when in fact neither had they delivered any goods or performed any service for Emory! Lessons Learned: Check payments made to vendors from your department. Monitor vendor payments for reasonableness and business need. Make sure the employees you trust do not have the opportunity to pay even small, but consistent amounts of money to their family, good friends, or others. If you let this go off your radar screen, over time Emory can lose millions of dollars. We have seen various fraud schemes here at Emory � involving fraudulent disbursements, inventory, and cash. Employee�s lives have been radically changed by terminations, retribution, and felony indictments by the DeKalb County District Attorney for their participation in fraudulent activities. I would like to share three specific stories with you. These three stories illustrate how employees� ethics strayed and resulted in their committing fraud. Payroll Schemes For example, we received a tip regarding an employee perpetrating payroll fraud. In fact, the investigation revealed that she had her brother, boyfriend, and his sister on the payroll. In addition, her brother was the highest overtime person for several years in a row. Why was this person able to do this? Ask yourself, do you have employees who create their own version of a system report for your review? Perhaps � you think it is easier for you to read. Lessons Learned: Our computer assisted audit techniques were able to match the fact that this person would have this money deposited into her mother�s account and then made available to her ghost employee brother. Review source system reports when possible. Be sure to monitor payroll and overtime for your department on a recurring basis for reasonableness. P-Card and Employee Reimbursements Another possible fraud we were alerted to thanks to our colleagues in the Finance Division � the P-Card compliance and audit team � pertained to a department administrator. This individual was at the top of the �totem pole� administratively for this unit. Her P-Card transactions were for personal meals, her home furniture purchases, and her family�s car repairs and upgrades. Why was this person able to do this? Ask yourself, do you have one or two individuals in your department assigned with �doing everything�? Even if that means that they monitor everyone�s payroll, P-Card transactions, and reimbursements --- but in turn, NO ONE reviews theirs? Lessons Learned: Review P-Card and employee reimbursements. Don�t just sign reimbursement requests or approvals for P-Card statements without reviewing what you are signing. As we have seen in many cases, management has signed-off on documents � indicating their approval � when in fact, they may have been signing off for a new desk from Pottery Barn for their well-respected or hardworking employee�s lake house. Also, learn to recognize and follow-up on red flags. This employee, given her Emory salary , was living beyond her means (talking about her primary residence, her lake house, her new boat dock, her children�s expensive cars, the hundreds of gifts she bought her family). Fictitious Vendor Continuing on with this story of the employee living beyond her means � was her ability to place fictitious vendors on our Accounts Payable. When was the last time you looked at the vendors your department makes payments to? In fact, this person was able to place her sick brother and good friend as two separate Emory vendors delivering a service � when in fact neither had they delivered any goods or performed any service for Emory! Lessons Learned: Check payments made to vendors from your department. Monitor vendor payments for reasonableness and business need. Make sure the employees you trust do not have the opportunity to pay even small, but consistent amounts of money to their family, good friends, or others. If you let this go off your radar screen, over time Emory can lose millions of dollars.

5. Fraud Awareness at Emory University 5 Fraud Triangle Opportunity The first point on the triangle is Opportunity. Management has primary control over this element � they sometimes facilitate fraud by maintaining an environment with weak internal controls. Decreasing the opportunity for fraudulent activity is crucial for prevention. In one Emory department, the department administrator performed all the duties from hiring and firing of personnel to P-Card transaction review and approval, budget preparation and review, expense approvals, and etc.; this department administrator performed multiple fraudulent transactions ranging from accounts payable to payroll to P-Card to human resources because the opportunity was available. Management should ensure that, although tasks can be delegated, accountability for your area or unit cannot be delegated. Management must provide oversight and monitoring. At Emory, an Administrative Assistant who had access to add/delete employees from payroll reformatted the labor distribution reports and provided them to the human resources manager. Unbeknownst to the manager was that the employee was omitting the ghost employees documented on the labor reports. The review of system generated reports would have identified the ghost employees. Not all employees will exploit opportunity. Typically, these individuals also experience �Pressure� or �Incentive� to do so. This brings me to the second point on the fraud triangle. Pressure/Incentive Typically, pressure stems from lifestyle habits, personal debts, and other non-sharable problems. These non-sharable problems may be problems the individual experiences him or herself OR extends out to close family members and friends. In an attempt to lessen the problem, the fraudster is pressured to carry his/her plan out. Rationalization Once the individual has opportunity and personal pressure, the fraud is executed with a rationalization: �I deserve to get paid more. The company makes so much money.� �I am only borrowing it for now. I�ll pay it back when I can.� ****The ability to rationalize is influenced by the �tone at the top� and perceptions the employee has regarding management�s commitment to the �rules.� **** Opportunity The first point on the triangle is Opportunity. Management has primary control over this element � they sometimes facilitate fraud by maintaining an environment with weak internal controls. Decreasing the opportunity for fraudulent activity is crucial for prevention. In one Emory department, the department administrator performed all the duties from hiring and firing of personnel to P-Card transaction review and approval, budget preparation and review, expense approvals, and etc.; this department administrator performed multiple fraudulent transactions ranging from accounts payable to payroll to P-Card to human resources because the opportunity was available. Management should ensure that, although tasks can be delegated, accountability for your area or unit cannot be delegated. Management must provide oversight and monitoring. At Emory, an Administrative Assistant who had access to add/delete employees from payroll reformatted the labor distribution reports and provided them to the human resources manager. Unbeknownst to the manager was that the employee was omitting the ghost employees documented on the labor reports. The review of system generated reports would have identified the ghost employees. Not all employees will exploit opportunity. Typically, these individuals also experience �Pressure� or �Incentive� to do so. This brings me to the second point on the fraud triangle. Pressure/Incentive Typically, pressure stems from lifestyle habits, personal debts, and other non-sharable problems. These non-sharable problems may be problems the individual experiences him or herself OR extends out to close family members and friends. In an attempt to lessen the problem, the fraudster is pressured to carry his/her plan out. Rationalization Once the individual has opportunity and personal pressure, the fraud is executed with a rationalization: �I deserve to get paid more. The company makes so much money.� �I am only borrowing it for now. I�ll pay it back when I can.� ****The ability to rationalize is influenced by the �tone at the top� and perceptions the employee has regarding management�s commitment to the �rules.� ****

6. Fraud Awareness at Emory University 6 Opportunity? Opportunity? As mentioned earlier, opportunity is something we as management could provide with a weak internal control environment. For example, think of this situation to illustrate what I mean by opportunity. A manager has access to use an Emory-owned vehicle across campus and to drive to Oxford College. Apparently his personal vehicle breaks down about one year ago, and now the Emory vehicle becomes his on-campus AND personal vehicle as well. Although management maintains fuel reports for the car, they did not perform regular reviews of their own valuable reports. If they had, they would have realized that the car was being fueled on-campus infrequently � since � according to the report -- the vehicle was averaging 50 mpg (being a 10 year old vehicle)! This incident is not unique to Emory, and in fact there are similar frauds that have occurred such as the recent fraud indictment against the New York State Comptroller. Apparently, he was engaging the use of state employees to chauffer his wife as well as providing personal aides to his wife. So, what can management across Emory do to limit such opportunity? -- You should empower yourself by regularly using and monitoring � 1.) The AMO 90 and 91 Report � to monitor any variances in your budget to actual 2.) The Labor Distribution Report � to monitor for active employees and against any �Ghost employees� placed on the payroll. 3.) FAS � to monitor for unusual transactions and reasonableness 4.) P-Card Statements � to monitor for inappropriate purchases 5.) Employee Reimbursements � to monitor for inappropriate purchases as well as employees purchasing items on the P-Card and then submitting a request for reimbursement also called �double dipping� ** HRAFS also can be monitored by management to ensure HRAFS submitted on behalf of the department are substantiated.Opportunity? As mentioned earlier, opportunity is something we as management could provide with a weak internal control environment. For example, think of this situation to illustrate what I mean by opportunity. A manager has access to use an Emory-owned vehicle across campus and to drive to Oxford College. Apparently his personal vehicle breaks down about one year ago, and now the Emory vehicle becomes his on-campus AND personal vehicle as well. Although management maintains fuel reports for the car, they did not perform regular reviews of their own valuable reports. If they had, they would have realized that the car was being fueled on-campus infrequently � since � according to the report -- the vehicle was averaging 50 mpg (being a 10 year old vehicle)! This incident is not unique to Emory, and in fact there are similar frauds that have occurred such as the recent fraud indictment against the New York State Comptroller. Apparently, he was engaging the use of state employees to chauffer his wife as well as providing personal aides to his wife. So, what can management across Emory do to limit such opportunity? -- You should empower yourself by regularly using and monitoring � 1.) The AMO 90 and 91 Report � to monitor any variances in your budget to actual 2.) The Labor Distribution Report � to monitor for active employees and against any �Ghost employees� placed on the payroll. 3.) FAS � to monitor for unusual transactions and reasonableness 4.) P-Card Statements � to monitor for inappropriate purchases 5.) Employee Reimbursements � to monitor for inappropriate purchases as well as employees purchasing items on the P-Card and then submitting a request for reimbursement also called �double dipping� ** HRAFS also can be monitored by management to ensure HRAFS submitted on behalf of the department are substantiated.

7. Fraud Awareness at Emory University 7 Pressure/Incentive? Pressure/Incentive? Next, for pressure and incentive, a very special incident comes to mind. Again, remember � pressure often stems from lifestyle habits, personal debts, and other non-sharable problems. Several relatives of an Emory University employee were experiencing financial difficulties, and so the Emory employee established their relatives on the payroll as students and temporary employees. This fraud could have been prevented if system generated labor distribution reports were reviewed by management. As management, be cognizant of recent abrupt changes in lifestyle such as financial difficulties, sick children or relatives, living beyond ones means including extravagant homes, clothing attire, and vehicles as these are typically red flags of possible pressures and incentives which may lead to fraudulent behavior. Pressure/Incentive? Next, for pressure and incentive, a very special incident comes to mind. Again, remember � pressure often stems from lifestyle habits, personal debts, and other non-sharable problems. Several relatives of an Emory University employee were experiencing financial difficulties, and so the Emory employee established their relatives on the payroll as students and temporary employees. This fraud could have been prevented if system generated labor distribution reports were reviewed by management. As management, be cognizant of recent abrupt changes in lifestyle such as financial difficulties, sick children or relatives, living beyond ones means including extravagant homes, clothing attire, and vehicles as these are typically red flags of possible pressures and incentives which may lead to fraudulent behavior.

8. Fraud Awareness at Emory University 8 Rationalization? Rationalization? The rationale a fraud perpetrator utilizes is typically the one triangle point that can not be determined. However, once the opportunity arises and there is pressure and incentive, then typically the perpetrator will rationalize their behavior. Although we do not know the rationalization behind one Emory employee�s inappropriate P-Card transactions, when we interviewed the suspect, he stated that his smoking habit caused conflict amongst co-workers and therefore purchased toiletries such as deodorant, toothpaste, and shaving cream/razors �freshen-up� before meetings. This fraud could have been prevented by reviewing the P-Card statements and detailed receipts. Employees at all levels of the organization can commit fraud. For example, Thomas Coughlin was the Wal-Mart former vice chairman and number two in the organization. He recently plead guilty to misappropriating as much as $500,000 from Wal-Mart in the form of fraudulent reimbursements and improper use of gift cards (although his salary was over $1 million per year, with 3 million in bonuses and other income, and $20 million in Wal-Mart stock)! Why this executive, second in command, committed such frauds I will never know, but it astonishing that with all of his wealth he would still commit fraud. Rationalization? The rationale a fraud perpetrator utilizes is typically the one triangle point that can not be determined. However, once the opportunity arises and there is pressure and incentive, then typically the perpetrator will rationalize their behavior. Although we do not know the rationalization behind one Emory employee�s inappropriate P-Card transactions, when we interviewed the suspect, he stated that his smoking habit caused conflict amongst co-workers and therefore purchased toiletries such as deodorant, toothpaste, and shaving cream/razors �freshen-up� before meetings. This fraud could have been prevented by reviewing the P-Card statements and detailed receipts. Employees at all levels of the organization can commit fraud. For example, Thomas Coughlin was the Wal-Mart former vice chairman and number two in the organization. He recently plead guilty to misappropriating as much as $500,000 from Wal-Mart in the form of fraudulent reimbursements and improper use of gift cards (although his salary was over $1 million per year, with 3 million in bonuses and other income, and $20 million in Wal-Mart stock)! Why this executive, second in command, committed such frauds I will never know, but it astonishing that with all of his wealth he would still commit fraud.

9. Fraud Awareness at Emory University 9 Red Flags Never takes vacation or sick leave �Does it all� (i.e., handles an entire transaction or business process from initiation to completion). Comes early, leaves late, works weekends Submits many �rush requests� for approval Unexplained variances Provides copies (not originals) No reconciliations Unfortunately, many of the red flags listed are also indicative/or characteristics of what you would consider hard-working or good employees to be. In fact, the first three bullets are descriptive of what you would may think a dedicated and loyal employee is. Nonetheless, a combination of these characteristics may be indicative of some underlying issues or of circumstances that may provide opportunities for fraudulent activities. Of course, this list is not necessarily comprehensive of all red flags. During a recent investigation, the alleged fraud perpetrator exhibited many of the red flags including being a hard worker, working long hours and weekends, and never taking a vacation. However, through our detailed investigation, we determined that the perpetrator was not committing fraudulent acts, but was in fact, was a hard-working employee. The main difference was that her behavior and work history did not include the last four bullets listed on this slide. Unfortunately, many of the red flags listed are also indicative/or characteristics of what you would consider hard-working or good employees to be. In fact, the first three bullets are descriptive of what you would may think a dedicated and loyal employee is. Nonetheless, a combination of these characteristics may be indicative of some underlying issues or of circumstances that may provide opportunities for fraudulent activities. Of course, this list is not necessarily comprehensive of all red flags. During a recent investigation, the alleged fraud perpetrator exhibited many of the red flags including being a hard worker, working long hours and weekends, and never taking a vacation. However, through our detailed investigation, we determined that the perpetrator was not committing fraudulent acts, but was in fact, was a hard-working employee. The main difference was that her behavior and work history did not include the last four bullets listed on this slide.

10. Fraud Awareness at Emory University 10 Five Key Control Activities Control Awareness Segregation of Duties Authorizations and Verifications Asset Control Continuous Monitoring Control Awareness Management should work towards educating themselves of existing controls and what control gaps may exist. These gaps should be remedied to provide an acceptable level of risk. In addition, management�s awareness of controls and their importance should be communicated to staff. Segregation of Duties If a single person can carry out and conceal errors and/or irregularities in the course of performing day-to-day activities � they have been assigned conflicting duties. Authorizations and Verifications Again, you can delegate tasks to your trusted staff, but keep the control of final authorization and verification. E.g., Timekeepers may have the opportunity to approve time cards and submitting approval for own timecards. Asset Control Establish systems or inventories that provide up-to-date snapshots of your department�s assets � these assets can span equipment, software, and other items that your department is responsible for housing. Continuous Monitoring Continuous monitoring is an indispensable activity, that when applied in a �continuous� and periodic manner, can provide significant value. Control Awareness Management should work towards educating themselves of existing controls and what control gaps may exist. These gaps should be remedied to provide an acceptable level of risk. In addition, management�s awareness of controls and their importance should be communicated to staff. Segregation of Duties If a single person can carry out and conceal errors and/or irregularities in the course of performing day-to-day activities � they have been assigned conflicting duties. Authorizations and Verifications Again, you can delegate tasks to your trusted staff, but keep the control of final authorization and verification. E.g., Timekeepers may have the opportunity to approve time cards and submitting approval for own timecards. Asset Control Establish systems or inventories that provide up-to-date snapshots of your department�s assets � these assets can span equipment, software, and other items that your department is responsible for housing. Continuous Monitoring Continuous monitoring is an indispensable activity, that when applied in a �continuous� and periodic manner, can provide significant value.

11. Fraud Awareness at Emory University 11 Emory Trust Line As mentioned at the beginning of the presentation, our Division receives tips from the Emory Trust Line. The Trust Line is operated by a third party, available 24 hours a day � 7 days a week, and callers may remain anonymous. We encourage you to report suspected misconduct to our Trust Line. The toll-free number is 1-888-550-8850. The Financial Attestation Process is an annual certification by senior leadership of the fairness of their financial data. This process assigns fiscal accountability to Divisions and Schools. Both the Trust Line and the Financial Attestation Process are part of our voluntary response to the Sarbanes-Oxley Act of 2002. As mentioned at the beginning of the presentation, our Division receives tips from the Emory Trust Line. The Trust Line is operated by a third party, available 24 hours a day � 7 days a week, and callers may remain anonymous. We encourage you to report suspected misconduct to our Trust Line. The toll-free number is 1-888-550-8850. The Financial Attestation Process is an annual certification by senior leadership of the fairness of their financial data. This process assigns fiscal accountability to Divisions and Schools. Both the Trust Line and the Financial Attestation Process are part of our voluntary response to the Sarbanes-Oxley Act of 2002.

12. Fraud Awareness at Emory University 12 Questions? Any questions from the group? Any questions from the group?