Governmental Fraud, Waste and Abuse

November 12, 2019

Curtis A Binney, CPA CFE

Binney Accounting and Assurance Services, PLLC

WasteOver utilization of services (not caused by criminally

negligent actions) and the misuse of resources

AbuseExcess or improper use of services or actions that are

inconsistent with acceptable business or medical practice

What is Fraud ?

… all multifarious means which human ingenuity can devise, and which are sorted to by one individual to get an advantage over another by false suggestions or suppression of the truth.

Blacks Law Dictionary

3

What must be present for a fraud to have occurred

• A false statement, representation or disclosure

• A material act, which induces someone to act

• An intent to deceive

• A justifiable reliance

• An injury or loss by the victim

4

ACFE Comprehensive Fraud Study

• Typical organization loses 5% of it’s revenue to fraud

• Potentially a global fraud loss of $3.7 trillion year

• Median occupational fraud lasts 18 months & $150,000

• High level perpetrators most costly• Owners 4x more costly than managers

• Owners 11x more costly than employee

• 23% of frauds are greater than $1,000,000

• 70% were accounting, operations, sales, management, purchasing or finance

• 92% of perpetrators had no prior record

5

Other Statistics

• Health Care fraud is tens of billions, annually

• Tax gap - $406 billion, annually

• Fraud losses – credit and debit cards 21.8 billion, globally

• 80% of frauds by outsiders

• 30% of business failures are due to fraud

• Estimated that 76% of companies have at least one fraud

• 84% are perpetrated by employees

• 20% of employees are aware of fraud

• 44% of restaurant employees steal cash or food

6

What have victimized companies done?

• Code of professional conduct

• Independent audit committee

• Internal audit or fraud examination department

• Independent audit of internal controls

• Management certification of financial statements

• External audit

7

Warning Signs• Living beyond their means (44%)

• Experiencing financial difficulties (33%)

• Exhibiting control issues or an unwillingness

to share data (22%)

• Unusually close association with vendors

or customers (22%)

• Wheeler-dealer attitude (18%)

• Divorce or other family problems (17%)

8

Warning Signs (continued)

• Irritability, suspiciousness or defensiveness (15%)

• Addiction problems (12%)

• Inadequate pay complaints ( 9%)

• Past employment – related problems ( 9%)

• Refusal to take vacations ( 9%)

9

Other statistical data

• Health Care Fraud = tens of billions $/yr (NHCFA)

• Gross tax gap = $450 billion a year

• In one year fraudulent tax returns increased 181%

• Credit card fraud > $16 billion a year (Mercator Advisors)

• 80% of frauds were by insiders

• 30% of business failures were from employee theft

• 45% of the hundred largest military suppliers were under investigation

• 76% of companies have one or more frauds/ yr (KPMG)• 84% by employees• 21% of employees know that there is a fraud

10

The Fraud Triangle

Motive

Opportunity Rationalization

11

Fraud Risk Factors

• Motive/Incentive/Pressure (the reason to commit fraud)

• Opportunity (the ability to commit fraud)

• Rationalization (the justification to commit fraud)

12

Hurricane Maria FEMA Fraud

13

FEMA Fraud - con’t

• FBI Arrested:

• FEMA Region II, Deputy Administrator

• FEMA Deputy Chief of Staff – San Juan

• President, Cobra Acquisitions

• $1.8 billion in contracts was paid to Cobra through the Puerto Rico Electric Power Authority using FEMA funds

• “personal helicopter use, hotel accommodations, airfare, personal security services, and the use of a credit card.”

FEMA Fraud - con’t

• Tribble performed official acts, including influence,advising, and exerting pressure on PREPA andFEMA officials, in order to award restoration workto COBRA and accelerate payments to COBRA.

• All three could face 30-year sentences

Computer Information System Risks

• Natural and political disasters

• Software errors and equipment malfunctions

• Unintentional acts (Human carelessness)

• Intentional acts

16

Computer Fraud

Steal More in Less Time

17

Computer Fraud Statistics

• 1% of computer crime is detected (FBI)

• 80% to 90% of uncovered crimes go unreported

• Increased 15x in one year ($181,400 to $2.81 million per incident)

• Networks have a low level of security (3 out of 2,200)

• How to commit fraud all over internet

• Law enforcement unable to meet demand (FBI 1-15)

• Total dollar difficult to calculate

18

Percentages By Type of Computer Fraud

• Theft of money 44%

• Illegal trespasses, theft of service , other 18%

• Damage to software 16%

• Alterations to data 12%

• Theft of information 10%

19

Computer Fraud Classifications

• Input Fraud

• Processor Fraud

• Computer Instructions Fraud

• Data Fraud

• Output Fraud

20

Input Fraud

• Alteration of computer input

• Use of bogus checks or deposit slips

• Inventory fraud

• Payroll fraud

21

Processor Fraud

• Unauthorized system use

• Theft of company time and services

22

Computer Instructions Fraud

• Tampering with the software that processes company data

• Includes modifying, making illegal copies or using it in an unauthorized manner.

• Developing a program to carry out unauthorized activity

23

Data Fraud

• Altering, copying, damaging, using or searching data files

• Estimated to cost a company $6.6 million per breach

• Employees are most likely to be the perpetrators

24

Output Fraud

• Use of computers to make authentic looking outputs

• Check fraud > $20 billion a year

25

Prevention and Detection

• Make fraud less likely to occur

• Increase the difficulty to commit fraud

• Improve detection methods

• Reduce fraud losses

26

Make Fraud Less Likely To Occur

• Create a ethical organization culture

• Active, involved and independent audit committee

• Assign authority and responsibility to departments and individuals

• Identify events that lead to increased fraud risk and take steps to minimize them.

• Develop comprehensive security policies and controls

• Develop comprehensive set of anti-fraud policies

27

Make Fraud Less Likely To Occur (continued)

• Maintain open communication with employees

• Effectively supervise employees

• Require annual vacations/rotate employees

• Implement project development and acquisition controls

• Train employees in integrity and ethical considerations

• Prosecute perpetrators

28

Increase The Difficulty to Commit Fraud

• Develop and implement strong internal controls

• Segregate accounting functions

• Restrict physical and remote access to system resources

• Require proper authorization of transactions and activities

• Require independent checks on performance

• Implement computer based controls over classifications

29

Increase Difficulty To Commit Fraud (continued)

• Destroy retired hard drives

• Encrypted stored and transmitted data

• Find and fix software vulnerabilities

• Safeguard all assets, records and data

• Use properly designed documents and records

30

Improve Detection Methods

• Develop a fraud risk assessment program

• Create an audit trail for individual transactions

• Periodic external and internal audits

• Install fraud detection software

• Implement a fraud hotline

• Motivate employees to report fraud through whistleblower rewards and protections

• Employ a computer security officer or specialists

• Monitor system activities

31

Reduce Fraud Losses

• Maintain Insurance

• Develop comprehensive fraud contingency, disaster recovery, and business continuity plans

• Store backup copies of program and data files in an off-site location

• Use software to monitor system activity

32

Attacking Computer Systems

• Hacking – the unauthorized access, modification, or use ofan electronic devise or element of a computer system.Most use know flaws in the software

• Denial of Service Attack - making a resource unavailableto it’s users.

• Zero Day Attack – an attack that exploits the time betweenwhen a software vulnerability is discovered and when apatch is available to correct it

• Cross-site Scripting Attack – web page vulnerability thatallows the attacker to bypass browser security and instructthe browser to execute code, thinking it came from website

33

Attacking Computer Systems (continued)

• Buffer Overflow Attack – the amount of data enteredinto a program exceeds the amount of memory (inputbuffer), resulting in the system crashing

• SQL Injection Attack – malicious code in the form ofan SQL query inserted into input so that it can beexecuted.

• Man In The Middle Attack – a hacker is able to beplaced between a client and a host and interceptnetwork traffic between them.

34

Attacking Computer Systems (continued)

• Dictionary Attack - the use of software by spammersto guess valid email addresses. 50% of email traffic

• Phreaking Attack – attacks on a phone system that toaccess, steal, and destroy data.

• Bluetooth Attack – flaws in Bluetooth technologyopen cell phones and PDAs to viruses and worms

• Internet Terrorism – use of the internet to disruptelectronic commerce and destroy corporate andindividual communications

35

Computer Fraud

• Internet Auction Fraud - using an internet auction siteto defraud another person

• Internet Pump and Dump Fraud – using the internet topump up the price of a stock and then sell it

• Internet Click Fraud – manipulating click numbers toinflate advertising revenue

• Internet Misinformation – using the internet to spreadfalse or misleading information about people orcompanies

36

Computer Fraud (continued)• Economic Espionage – theft of information, trade

secrets, intellectual property

• Cyber Extortion and Bullying – threatening to harm aperson or company unless a specified amount ofmoney is paid

• Spamming – simultaneously sending the sameunsolicited email to many people (not fraud)

• Splogs – a combination of a spam and blog thatartificially inflates paid-ad impressions

37

Computer Fraud (continued)• Web Cramming – offering a free website for a month,

developing a worthless website charging the phone billeven if they opt out

• Salami Technique – embezzle money a “slice” at a timefrom many different accounts

• Round Down Technique – round down interestcalculations and put the remainder in the hackers act

• Data diddling/leakage – changing data before, during orafter it enters the system

• Software Piracy – unauthorized copying or distribution ofcopyrighted material

38

Unauthorized Access

• Hijacking – gaining control of someone else’scomputer to carry out illicit activities, without theuser’s knowledge.

• Spoofing – making an electronic communication lookas if someone else sent it to gain the recipients trust

• Key Logger – records computer activity, such askeystrokes, emails sent and received, websites visited,and chat session participation

• Trapdoor – a set of computer instructions that allowsthe user to bypass the system’s normal controls

39

Unauthorized Access (continued)

• Password Cracking – hacker penetrates the computersystem and steals the password file, decrypts them,and uses them to gain access to the system

• Podslurping – the use of a small devise, such as a flashdrive to download unauthorized data

• War driving/dialing – searching for an idle modem byprogramming their computers to dial thousands ofphone lines

• Packett Sniffers – programs that capture data frominformation packets as they travel over the internet orcompany networks

40

Unauthorized Access (continued)

• Superzapping – the unauthorized use of specialprogram to bypass regular system controls andperform illegal acts, without leaving an audit trail

• Identity Theft – assuming someone’s identity, almostalways for economic gain, by illegally obtaining andusing confidential information.

41

Malware

• Spyware – secretly monitors and collects personalinformation about users and sends it to someone else

• Adware – “advertising-supported software”, causesadvertisements to appear on your screen as you surfthe internet

• Scareware – software that is sold using scare tactics.

• Ransomeware – locks you out of your programs anddata by encrypting them.

• Trojan Horse – set of malicious computer instructionshidden in an authorized and otherwise functioningprogram.

42

Malware (continued)

• Logic/Time Bomb – a type of Trojan Horse that sitsidle until a specific time or a specific event. Destroysprogram, data, or both

• Steganography – writing hidden messages in such away that no one other than the sender and receiversuspects it’s existence

• Rootkit – conceals processes, files, networkconnections, memory addresses, systems utilityprograms, and system data from the operating systemand other programs

43

Questions And Discussion?

Special Thanks To:

The Association of Certified Fraud Examiners

www.ACFE.com

For More Information:

Curt Binney

curt@Binneyaccounting.com

44