Friday, June 12, 2009

Stimulus Fraud Could hit $50 Billion. How could CCM-T help?

A MarketWatch article quotes FBI Director Robert Mueller on the fraud risks that come with stimulus money. "These funds are inherently vulnerable to bribery, fraud, conflicts of interest and collusion. There is an old adage, that where there is money to be made, fraud is not far behind, like bees to honey," Mueller told an afternoon gathering of business executives.

In reviews of duplicate payments / overpayments, using CCM-T technology from Oversight, Apex Analytix, and/or ACL, we typically find an error rate of 0.1 to 0.5%, or approximately $1,000 to $5,000 for every million in spending.

Fraud statistics from the FBI and the ACFE suggest higher losses, often much higher. Our experience is that fraud losses are harder to detect, especially without the more sophisticated automation that CCM-T provides. But the risk is clearly there, and the reputation risk may be greater than the financial loss.

Ask your internal audit or general counsel what your firm is doing to proactively find fraud, waste, and errors in your Accounts Payable and P-Card spend. If you don't like the answers - call us. We can help.

Thursday, June 11, 2009

The Red Flags Rule: What Utility Companies Need to Know About Complying with New Requirements for Fighting Identity Theft (source:

Visual Risk IQ is currently working on a continuous controls monitoring for transactions (CCM-T) project for a Utility Company, specifically focused on FACTA and the Red Flags requirement. Through a series of customized risk and performance checks, we will be assisting the Utility to monitor its new and existing customers for Red Flags related to fraud and identity theft. While the CCM-T component is only one part of a comprehensive set of policies, procedures, and new work processes, it is an integral component that will enable the Utility to achieve compliance and reduce the potential fraud often associated with theft of service and bad debt.

For more information on FACTA requirements, specific to Utilities, see the article below, from the FTC's web site on the Red Flag Rules and FACTA.

The article below was originally published by Tiffany George and Pavneet Singh, from

As many as nine million Americans have their identities stolen each year. The crime takes many forms. Thieves may buy a car, get a credit card, or establish gas, water, or electric service using someone else’s identity. The cost to business can be staggering as well, with charges racked up by identity thieves unpaid and uncollectible. In addition, crooks may use proof of utility service to get driver’s licenses illegally or to apply for government benefits using a bogus address.

Utility companies may be the first to spot the “red flags” of identity theft, including suspicious activity suggesting that thieves may be using stolen information to establish service. That’s why you need to know about a new law – called the Red Flags Rule – that requires many businesses, including most companies that provide utility services to consumers, to spot the red flags that can be the telltale signs of identity theft. Under the Red Flags Rule, which the Federal Trade Commission (FTC) will begin enforcing on August 1, 2009, companies covered by the law must develop a written Identity Theft Prevention Program. Is your utility required to comply with the Red Flags Rule? If so, have you developed your program to detect, prevent, and minimize the damage that could result from identity theft?


Companies that provide utility services are covered by the Rule if they are “creditors” with “covered accounts.” A creditor is a business or organization that regularly defers payments for goods or services. The Rule defines a “covered account” as a consumer account that allows multiple payments or transactions – for example, a standard household utility account – or any other account with a reasonably foreseeable risk of identity theft. Even government agencies and publicly-owned utilities may be “creditors” covered by the Rule.

Because the Rule is geared to the types of accounts that are targeted by identity thieves, the determination of whether the law applies to your business or organization isn’t based on your status. Rather, it’s based on whether your organization’s activities fall within the relevant definitions. It boils down to this: If your utility regularly bills customers after services are provided, you are a creditor under the new law and will have to develop a written program to identify and address the red flags that could indicate identity theft in your covered accounts.


The Red Flags Rule gives utilities the flexibility to implement an identity theft prevention program that best suits the operations of their business, as long as it conforms to the Rule’s requirements. You may already have a fraud prevention or security program in place that you can use as a starting point.

If you’re covered by the Rule, your program must:

  1. Identify the kinds of red flags that are relevant to your business;
  2. Explain your process for detecting them;
  3. Describe how you’ll respond to red flags to prevent and mitigate identity theft; and
  4. Spell out how you’ll keep your program current.

What red flags signal identity theft? There’s no standard checklist. Supplement A to the Red Flags Rule – available at – sets out some examples, but here are a few warning signs that may be relevant to utilities:

  • Suspicious documents. Has a new customer given you identification documents that look altered or forged? Is the physical description on the identification inconsistent with what the customer looks like? Is other information on the identification inconsistent with what the customer has told you? Under the Red Flags Rule, you may need to ask for additional information.
  • Suspicious personally identifying information. Personal information that doesn’t match what you’ve learned from other sources also may be a red flag of identity theft. For example, if you pull a credit report based on the prospective customer’s Social Security number and the report comes back under someone else’s name, fraud could be afoot. A billing address that appears to be fictitious also could signal a problem.
  • Suspicious activities. Did a new customer fail to make the first payment or make an initial payment but no others? Did payments abruptly stop on an otherwise up-to-date account? Did a customer’s use pattern suddenly change? For example, are you detecting unusual activity on what’s always been a “snowbird” account? Is mail returned repeatedly as undeliverable even though transactions still are being conducted on the account? Are utilities still being used after a known move-out? Trust your gut when something seems questionable. These questionable activities may be red flags of identity theft.
  • Notices from victims of identity theft, law enforcement authorities, or others suggesting possible identity theft. Have you received word about identity theft from another source? Cooperation is key. Heed warnings from others that identity theft may be ongoing.


Once you’ve identified the red flags that are relevant to your utility, your program should include the procedures you’ve put in place to detect them in your day-to-day operations. Your program also should describe how you plan to prevent and mitigate identity theft. How will you respond when you spot the red flags of identity theft? Will you close questionable accounts or monitor them more closely? Will you contact the customer directly? When automated systems detect red flags, will you manually review the file? If you’re notified that an identity thief has run up bills using another person’s information, how will you ensure that the debt is not charged to the victim? Your response will vary depending on the circumstances and the need to accommodate other legal obligations – for example, laws regarding the provision and termination of utility service. Finally, your program must consider how you’ll keep it current to address new risks and trends.

No matter how good your program looks on paper, the true test is how it works. According to the Red Flags Rule, your program must be approved by your Board of Directors, or if you don’t have a Board, by a senior employee. The Board may oversee the administration of the program, including approving any important changes, or designate a senior employee to take on these duties. Your program should include information about training your staff and provide a way for you to monitor the work of your service providers – for example, those who manage your debt collection operations. The key is to make sure that all members of your staff are familiar with the Rule and your new compliance procedures.


Although there are no criminal penalties for failing to comply with the Rule, violators may be subject to financial penalties. But even more important, compliance with the Red Flags Rule assures your customers that you’re doing your part to fight identity theft.

Looking for more information about the Red Flags Rule? The FTC has published Fighting Fraud with the Red Flags Rule: A How-To Guide for Business, a plain-language handbook on developing an Identity Theft Prevention Program. For a free copy of the Guide and for more information about compliance, visit In addition, the FTC has released a fill-in-the-blank form for businesses and organizations at low risk for identity theft. The online form offers step-by-step instructions for creating your own written Identity Theft Prevention Program. You can fill it out online and print it. The do-it-yourself form is available at

Questions about the Rule? Email

Tiffany George and Pavneet Singh are attorneys with the Federal Trade Commission’s Division of Privacy and Identity Protection.
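The red-flag categories in the FTC article above (a credit pull that comes back under another name, a missed first payment, payments stopping on a current account, mail returned while usage continues, usage after a known move-out) are the kind of checks a CCM-T screening of customer accounts can run automatically. The following is an added example written for this page; it is not code from Visual Risk IQ, the FTC or any CCM-T vendor. The account record shape, the thresholds (30-day lookback, two returned-mail pieces, three paid bills before a stop, two unpaid bills to count as a stop) and the sample customers are all constructed for illustration.

```python
"""Automated Red Flags checks over utility customer accounts (added illustration)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    """One customer account. The shape is constructed for this example, not a real billing schema."""
    account_id: str
    applicant_name: str
    credit_report_name: Optional[str]      # name returned on the credit pull; None if no pull
    bills: List[Tuple[date, bool]]         # (due date, paid?) in chronological order
    returned_mail_count: int               # pieces of mail returned as undeliverable
    usage_dates: List[date]                # dates of metered usage or other transactions
    move_out_date: Optional[date] = None   # known move-out date, if any
    as_of: date = date(2009, 6, 11)        # date the screening is run


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive name comparison."""
    return " ".join(name.lower().split())


def red_flags(acct: Account) -> List[str]:
    """Return the names of the Red Flags that fire for this account (assumed thresholds)."""
    flags: List[str] = []
    # paid/unpaid status of the bills that are already past due as of the screening date
    past_due = [paid for due, paid in acct.bills if due < acct.as_of]

    # Suspicious PII: the credit report came back under someone else's name
    if acct.credit_report_name and _norm(acct.credit_report_name) != _norm(acct.applicant_name):
        flags.append("credit_report_name_mismatch")

    # Suspicious activity: the first bill is past due and was never paid
    if past_due and not past_due[0]:
        flags.append("first_payment_missed")

    # Suspicious activity: initial payment made, nothing on the later bills
    if len(past_due) >= 3 and past_due[0] and not any(past_due[1:]):
        flags.append("only_initial_payment")

    # Suspicious activity: payments abruptly stopped on an otherwise up-to-date account
    # (three or more consecutive paid bills, then two consecutive unpaid past-due bills)
    for i in range(3, len(past_due) - 1):
        if all(past_due[:i]) and not any(past_due[i:i + 2]):
            flags.append("payments_stopped")
            break

    # Suspicious activity: mail repeatedly returned while the account is still in use
    recent = acct.as_of - timedelta(days=30)
    if acct.returned_mail_count >= 2 and any(d >= recent for d in acct.usage_dates):
        flags.append("returned_mail_with_activity")

    # Suspicious activity: service still being used after a known move-out
    if acct.move_out_date and any(d > acct.move_out_date for d in acct.usage_dates):
        flags.append("usage_after_move_out")

    return flags


def screen(accounts: List[Account]) -> Dict[str, List[str]]:
    """Map account id -> flags, for the accounts that raised at least one flag."""
    result: Dict[str, List[str]] = {}
    for a in accounts:
        flags = red_flags(a)
        if flags:
            result[a.account_id] = flags
    return result


def _monthly(start: date, n: int) -> List[date]:
    """n dates roughly a billing cycle apart, starting at start."""
    return [start + timedelta(days=30 * i) for i in range(n)]


def sample_accounts() -> List[Account]:
    """Constructed sample customers for the demo; none are real."""
    return [
        # current account, all bills paid, no anomalies
        Account("A-1001", "Jane Doe", "Jane Doe",
                [(d, True) for d in _monthly(date(2008, 12, 1), 6)], 0,
                _monthly(date(2008, 11, 20), 7)),
        # credit pull under another name, never paid, mail bouncing while usage continues
        Account("A-1002", "John Roe", "Michael Smith",
                [(date(2009, 3, 1), False), (date(2009, 4, 1), False), (date(2009, 5, 1), False)], 3,
                [date(2009, 6, 1), date(2009, 6, 8)]),
        # long-standing customer moved out 15 May, but the meter keeps turning
        Account("A-1003", "Mary Major", "Mary Major",
                [(d, True) for d in _monthly(date(2008, 6, 1), 12)], 0,
                [date(2009, 5, 20), date(2009, 6, 5)], move_out_date=date(2009, 5, 15)),
        # four bills paid on time, then two in a row unpaid
        Account("A-1004", "Sam Snow", "Sam Snow",
                [(d, i < 4) for i, d in enumerate(_monthly(date(2008, 11, 1), 6))], 0,
                _monthly(date(2008, 10, 25), 8)),
    ]


if __name__ == "__main__":
    for acct_id, flags in screen(sample_accounts()).items():
        print(acct_id, "->", ", ".join(flags))
```

Each flag is a candidate for the manual review the article calls for, not a verdict; the thresholds are deliberately simple so a utility can tune them to its own billing cycle and customer base.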

Tuesday, June 2, 2009

CFO Magazine profiles Continuous Auditing / Continuous Controls Monitoring

CFO Magazine's June issue has a feature story on a 24 x 7 continuous auditing approach that has been implemented at several organizations, including Harrah's, Siemens Financial Services, and British Columbia's Ministry of Finance. Interestingly, the article is filed in CFO's "Technology" section and emphasizes the IT component of the respective initiatives.

Those of you who have met my partner Kim Jones or me know that we believe that technology is only part of any continuous auditing or continuous controls monitoring for transactions (CCM-T) initiative. I found that point reinforced by the first comment on the article, which notes that monitoring is still a detective control and not a preventive one. At Visual Risk IQ, we believe that process is key. By designing the process (e.g. the review of P-Card or Accounts Payable transactions) so that CCM-T exceptions are resolved PRIOR TO PAYMENT, with sufficient time lag built in, the monitoring activity actually becomes a preventive control.

Interesting too that all the companies profiled are ACL CCM customers, and that customers of Apex Analytix, Approva, Oversight Systems, and industry-vertical CCM solutions like Actimize (banking) or XBR (retail) were not included in the article. I would have been even more interested to see any trends or patterns across customers of several different vendors.

Despite improvement opportunities if we were contacted for quotes (smile), it's a pleasure to see the topics of continuous auditing and continuous controls monitoring receiving such great publicity. As I write this, the article is both the most viewed and most emailed article of the day on Check back and see what kind of staying power the subject can achieve.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA
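Two of the posts above describe the same control from different angles: the June 12 post describes duplicate-payment / overpayment reviews of Accounts Payable spend, and the June 2 post argues that monitoring becomes preventive when exceptions are resolved before payment is released. The following is an added example written for this page, not code from Visual Risk IQ, Oversight, Apex Analytix, ACL or any other vendor; it shows a duplicate-payment check run as a pre-payment gate that holds suspect payments for review instead of reporting on them after the fact. The payment record shape, the invoice-number normalization, the 10-day matching window, and the vendor ids, invoice numbers and amounts are all constructed for illustration.

```python
"""Duplicate-payment detection run as a pre-payment control (added illustration)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Payment:
    """One AP payment request. Constructed shape, not a real ERP record."""
    payment_id: str
    vendor_id: str
    invoice_no: str
    amount_cents: int      # integer cents avoid floating-point comparison errors
    invoice_date: date


def norm_invoice(inv: str) -> str:
    """Normalize an invoice number so re-keyed copies compare equal:
    lower-case, drop punctuation and spaces, strip leading zeros from digit runs."""
    s = re.sub(r"[^0-9a-z]", "", inv.lower())
    return re.sub(r"(?<!\d)0+(?=\d)", "", s)


def find_match(p: Payment, candidates: List[Payment],
               window_days: int = 10) -> Optional[Tuple[Payment, str]]:
    """First candidate that looks like a duplicate of p, with the reason; None if no match."""
    for c in candidates:
        if c.payment_id == p.payment_id or c.vendor_id != p.vendor_id or c.amount_cents != p.amount_cents:
            continue
        if norm_invoice(c.invoice_no) == norm_invoice(p.invoice_no):
            return c, "exact: same vendor, invoice number and amount"
        if abs((c.invoice_date - p.invoice_date).days) <= window_days:
            return c, "probable: same vendor and amount within %d days" % window_days
    return None


Hold = Tuple[Payment, Payment, str]   # (pending payment, matched payment, reason)


def prepayment_gate(pending: List[Payment], history: List[Payment],
                    window_days: int = 10) -> Tuple[List[Payment], List[Hold]]:
    """Split a payment run into payments to release and payments to hold for review.
    Each pending item is compared with paid history and with earlier items of the same run."""
    release: List[Payment] = []
    held: List[Hold] = []
    seen = list(history)
    for p in pending:
        m = find_match(p, seen, window_days)
        if m is None:
            release.append(p)
        else:
            held.append((p, m[0], m[1]))
        seen.append(p)
    return release, held


def held_rate(pending: List[Payment], held: List[Hold]) -> float:
    """Share of the run's dollars put on hold. The post quotes 0.1 to 0.5% as a typical
    error rate in real AP populations; the constructed batch below is deliberately dense."""
    total = sum(p.amount_cents for p in pending)
    return sum(p.amount_cents for p, _, _ in held) / total if total else 0.0


def sample_run() -> Tuple[List[Payment], List[Payment]]:
    """Constructed paid history and pending batch; every value is made up."""
    history = [
        Payment("P-1", "V100", "INV-00123", 125000, date(2009, 5, 4)),
        Payment("P-2", "V200", "A-77", 48050, date(2009, 5, 12)),
        Payment("P-3", "V100", "INV-00124", 99000, date(2009, 5, 20)),
    ]
    pending = [
        Payment("P-4", "V100", "inv 123", 125000, date(2009, 5, 4)),    # re-keyed copy of P-1
        Payment("P-5", "V200", "A-78", 48050, date(2009, 5, 15)),       # same amount three days after P-2
        Payment("P-6", "V300", "7781", 300000, date(2009, 6, 1)),       # nothing like it in history
        Payment("P-7", "V100", "INV-00125", 99000, date(2009, 6, 30)),  # same amount as P-3, 41 days apart
    ]
    return history, pending


if __name__ == "__main__":
    history, pending = sample_run()
    release, held = prepayment_gate(pending, history)
    for p, m, why in held:
        print("HOLD %s (matches %s): %s" % (p.payment_id, m.payment_id, why))
    print("release:", [p.payment_id for p in release])
    print("held rate: %.1f%%" % (100 * held_rate(pending, held)))
```

The point of the design is where the gate sits: it runs on the proposed payment run, so a held item is a payment that never went out, which is what turns the same duplicate test from a detective control into a preventive one. "Probable" matches are expected to include legitimate recurring charges, so they go to a reviewer rather than being rejected outright.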