Wednesday, July 22, 2009

Conflict of Interest - the Power of External Databases

As my last post on DoD indicated, there are some real gems waiting to be mined when comparing internal data to external data for fraud and abuse. Today's Chronicle of Higher Education reports a two-month old WSJ and UPI Story about a UCLA Surgeon who received more than $450,000 in payments from Medical Device companies, but repeatedly failed to disclose that outside income on conflict of interest forms required by the University.

Representative Charles Grassley is regularly in the news for advocating a national law (i.e. Physician Payments Sunshine Act) that would require disclosure of speaking fees. Currently, state laws and specific academic institution each set their own policies and monitoring requirements.

The Chronicle opined that "Universities also need to pay more attention to whether they review research activities by their own staff that may damage their institutional reputations even though the work involves outside facilities, Ms. Chimonas said. The case of Dr. Wang may prove a strong incentive for UCLA to do so. Even within the same statewide system, she said, there are campuses such as the University of California at Davis that have taken a much more aggressive definition of how they monitor outside research by university faculty members.

Institutions such as UCLA could be realizing the danger of ignoring outside research work, Ms. Chimonas said. "This may be a wake-up call for a lot of institutions who have been thinking, 'Well, this has nothing to do with us,'" she said."

Taking information from external databases like Excluded Parties List System (the list of Federally debarred vendors), or the OFAC Watch List is a high-value audit test, especially as frequency is increased from annual to quarterly or more frequently. UCLA's situation with Dr. Wang, especially because of reputation risk, calls for better monitoring of external databases.

What external databases are your organizations monitoring? How often? What are the more interesting findings? Please comment - all input is welcomed!

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Monday, July 20, 2009

The Value of Frequency - how the Defense Department paid millions in wages to invalid accounts

Last week, the Office of Inspector General for the Department of Defense (DOD) issued Report 2009-092 titled "Validity of DOD Civilian Employee Accounts." As widely reported on CNN and elsewhere, the DOD "Specifically, the DOD's Payroll System included invalid Social Security numbers, employees under the legal employment age, and multiple employee accounts that shared the same bank account. As a result, DFAS [the Finance arm of DOD) may have paid approximately $15.4 million to more than 2,300 invalid DoD civilian employee accounts from January 2002 through April 2008 (excluding 2007).

These payments represent fraud and misuse of tax dollars, but because the audit approach was a point in time audit, looking backward over a very long time period (six years!), it is highly likely that the money will never be recovered.

Had the DOD used leading edge technology like Continuous Controls Monitoring for Transactions (CCM-T), which can compare all SSN's from master files, from payment files, to the suspicious SSN lists like those at Social Security Death Index database, they could have known of the errors PRIOR to payment. The more frequently the data is compared, the more valuable the analysis becomes.

And implementation is a tiny fraction of the $15 million spent for erroneous payments. Factor in the time value of money (errors go back to 2002!) and the reputation risk associated with such errors, and CCM-T looks better and better.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Tuesday, July 14, 2009

University Business - 101 Ways to Raise Revenue or Decrease Costs

In addition to being a regular reader of the Chronicle of Higher Education I've also become a reader and subscriber of University Business (UB). Unlike the Chronicle, UB is free to qualified subscribers, and they have an outstanding digital archive of previously published articles.

One that grabbed my attention this week is an archived (pre-recesssion!) article titled 101 Smart Revenue Generators and Money Saving Ideas. After all, who wouldn't like a little more on the top line, and on the bottom line. Regardless of whether you're for-profit or non-profit.

What strikes me as noteworthy about the article is that most (and the first few!) Revenue Generating ideas are actually all related to expense control and expense reduction. Some are traditional vendor negotiation strategies, like Visual Risk IQ does together with its partner Third Law Sourcing, while others are P-Card. Many can benefit from CCM-T, and many are worth a fresh read / re-read, given the current state of the economy.

Feel free to add Comments on your strategies for trimming costs or raising revenue in today's challenging times. Success stories are always welcome!

Joe Oringel
Visual Risk IQ, LLC
Charlotte NC, USA

Wednesday, July 8, 2009

Observations from Recent, Local Frauds in Charlotte NC

Several folks commented on recent tweets of local fraud and embezzlement, first at UNC-Charlotte and again at Charlotte's Mecklenburg County, specifically within the Department of Social Services. The Fraud Triangle teaches us that as long as there is Pressure / Incentive (I really need the money), Rationalization (e.g. other people do it, I'll pay it back...etc.) and Opportunity (I won't get caught because...) fraud can and will occur and recur.

My own experience is these three elements of the fraud triangle are closely related, and that Opportunity needs to be re-evaluated, especially as Incentive increases. Today's economic times are proving this need most everywhere we look, yet we still see only a few companies who are actively changing and increasing how they monitor for potential fraud, despite the availability of very effective, modern tools for fraud detection. Like CCM-T tools from Oversight and Approva.

A specific example: During my Big 4 Accounting Firm days, I led a team that audited the procedures used to produce scratch-off lottery tickets. When we started, the largest prize awarded was $5,000 or $10,000. While internal controls were always very good (i.e. Opportunity = Low), there were still a number of people at the Ticket Printer and at the Big 4 Firm who had access to information that might help locate a batch of 250 tickets that would likely contain a $5,000 or $10,000 winner.

The likelihood that a person would risk their career to steal $5,000 or $10,000 (two to six months net pay) was pretty low. But when the Ticket Printer and State Lotteries began printing tickets with $100,000 and eventually $1,000,000 tickets. That represented at least a year or even 20 years or more in net pay. What a powerful Incentive!

This change in Incentive was a trigger that we saw to re-evaluate internal controls, because now the temptation needed a corresponding decrease in opportunity. In addition to our agreed-upon procedures to evaluate controls over ticket production, we began a continual security review which included review of other controls that would identify who may be accessing information that might allow a large ticket winner to be located. We publicized the continual security review within the company (and the Big 4 team!), so that the decreased Opportunity was understood by anyone who may have been tempted.

As staffs are cut and monitoring controls become less frequent, what is your organization doing to reduce the Opportunity for Fraud. For a couple of high-profile cases in Charlotte, it's clear that more needs to be done.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA