DIERCKX & ASSOCIATES LTD

Earlier this year two fraudsters were convicted for defrauding the Otago District Health Board. The case has been covered at length in the media. The fraudsters were found guilty of fraud, which they both denied, in December last year. During the trial, the Crown said they had used 198 invoices from a company formed by one of the two fraudsters, to charge the board $16.9 million for IT-related services that were never provided. The two fraudsters had been billing the Otago Health Board for maintenance and program upgrades and had cashed in around 16.9 million, 10% of which was kept while the other 90% was paid to related companies. One could ask oneself: how could it be that these things happen right under the noses of everyone?  The case raises some serious questions about he governance structures in place and probably more about how they are actually working in day to day business.

• WAS THERE AN INTERNAL AUDIT FUNCTION? External audits generally do not detect fraud ( so don’t blame the auditor straight away).
  A large organisation like the ODHB should have an internal audit function.
• WAS INDEPENDENT IT-SECURITY AUDIT? This would have identified vulnerabilities due to outdated/not updated software. The fake invoices were for software updates that never eventuated.
• WAS THE CONTRACT FOR SERVICES TENDERED COMPETITIVELY? AND IF NOT WHY NOT?  A $17 million contract running over several years should be decided at Board of Directors level or at least  CEO level. Where larger contracts like that are to be arranged it should at all times be a competitive tender.
• IS THIS A CASE OF WRONGLY DELEGATED AUTHORITY? (In this case to the CIO)?  From the media it appears to transpire that use was made of delegated authority with no checks or balances in place! It seems the CIO had the delegated the authority to decide all by himself. A competitive tender including proper due diligence would have most likely have exposed that  company was a sham or even prevented this fraud from happening in the first place. (Unless the fraudsters would have use an accomplice company to pull off the same trick).
• HAS ANYONE EVER WONDERED WHETHER THE COMPANY WAS REPUTABLE AND/OR WELL KNOWN? With such expenditure levels one would expect that the company had some presence in the region (Dunedin), you could perhaps have dealt with it before, or know of others that used the same company. WAS THE COMPANY LISTED IN THE YELLOW PAGES AND OTHER BUSINESS LISTINGS? WAS IT A MEMBER OF INDUSTRY ASSOCIATIONS? DOES THE COMPANY HAVE A WEBSITE, A PHYSICAL ADDRESS THAT CAN BE VISITED?
• WHY WERE THE CEO OR CFO NEVER SUSPICIOUS? WHY WERE NO QUESTIONS ASKED? They had never met staff from this supplier even though the handed over $17 million to it.  It would have made sense that with such large contracts there would have bee at least some sort of relationship on a broader executive level.
• WERE THE INVOICES AND AUTHORIZATIONS FOR PAYMENT EVER QUESTIONED? As a signatory one should ensure you know what you are signing for.  It does not need to be in an unfriendly way but make sure you know what approved activities your are signing for to be paid.
• WERE IT SUPPORT SERVICES EVER QUESTIONED? Even if the services this firm was providing were real, it seems to me that this was a massive amount, I mean $17 million. What value for money would that bring?
• WERE INCREASES IN IT BUDGET EVER QUESTIONED? WAS TENDERING OUT EVER CONSIDERED AS AN OPTION TO REDUCE THESE MASSIVE COSTS?
• WAS A SUPPLIER/MAJOR CONTRACTS REVIEW POLICY IN PLACE?  Whilst the Board may not have to do the nitty gritty of such review, it is responsible for ensuring that such a policy is adopted an implemented.  WERE THE CEO AND/OR CFO EVER RECOMMENDED THAT SUCH A POLICY AND EXECUTION THEREOF WA HIGHLY RECOMMENDED?
• WHAT WAS THE NATURE OF THE FINANCIAL DELEGATION POLICY, IF ANY?  There should be a clear guideline for which expenses can be made autonomously and which require approval of the board? IF THERE WAS SUCH A POLICY, DID REVIEW EVER TAKE PLACE?

While I am not privy to the details of the case: typically the fact that such a big service provider is being run by an employee should be something to raise alarm bells. From the companies office details it transpires that the fraudsters were the director a two minute check would have shown that there was a significant shareholding. I would imagine that at least some due diligence should have been part of the tendering process . But it appears that there never was a tendering process. I can’t help but feeling that this is typically a case of a sleeping board and executive management and a pair of crooks making good use of that.
At the same time; billing schemes are known to be a favorite of corporate fraudsters. The gist of such schemes involve a perpetrator that causes the victim organization to order and pay for something that is either never delivered, it does not need,  or is obtained against a highly inflated price.  A simple set up can be used.  The fraudster sets up a shell company and uses that company to invoice the employer. Sometimes or preferably the same fraudster may also be able to authorize payment of the bills sent through the shell company. In the case above it was identified that the services billed out were never rendered. In other instances the shell company may be offering completely legitimate services but for a ridiculous price. Very often the person running the scheme is also the one that authorizes the payment of the invoices of the shell company.

Obviously, proper control mechanisms should prevent anyone from approving his or her own invoices. Part of staying under the radar is making sure that this is  kept quiet. The reality shows on a regular basis that proper controls are not in place. Similar schemes are known to be used to invoice the employer company for personal expenses. In several of the cases I was involved in over the past years a manager authorizing payments had been submitting completely bogus invoices from non-existent entities that supposedly had provided all kinds of consulting services strangely enough the bank account number of the consultant company was the same as his own.

I recall one case a few years ago where the fraudulent billing involved non-existent taxes: the fraudster, also the tax expert of the company, had invented a local tax that id not exist and had used invoices of the local council, a pair of scissors and the company’s professional printing facilities to create a a rim of blanco tax invoices supposedly by the local council. This man was discovered after a thorough investigation in which I identified that the bank account numbers on the council’s invoices for taxes were different and tips about the fraudster’s lifestyle.

Not all fraudsters are in a position to authorize their own invoices for payment. Methods know to have been used are false purchase orders, using fictitious invoice numbers, altering existing purchase orders or by misrepresenting the nature of the purchase and the list goes on. Are you completely sure what all your bills are for and whether they are fair and reasonable? Perhaps it is time to review or audit your accounts payable.

Better yet: let an independent third party like DIERCKX & ASSOCIATES do it for you. We’ll identify gaps in your controls, we can assist in identifying suspect transactions or even frauds:

• Are policies in place adequate? Are they being adhered to? (”reality check”)
• Are there control overrides an are they being recorded?
• Are there reasons to question certain transactions or suppliers?
• Actual versus supposed receipt of goods and services?
• And  more.

We’ll leave no stone unturned, identify the suspect or potentially fraudulent  transactions and perpetrator and will help you close the gaps for the future? No system is 100% fraud proof, but that does not mean you may as well leave the door wide open. Or perhaps you would like to consider talking about an overall fraud risk assessment. Would you recognise the signs of a fraud if there was one in your company? And would your employees recognise it? Contact us, we would love to hear what we may be able to assist you with.

Filed under: OCCUPATIONAL FRAUD AND ABUSE, RISK MANAGEMENT