A PUBLICLY TRADED AUTO finance company was one of the lucky organizations led by a visionary chief executive officer (CEO). Senior management had always set a textbook "tone at the top" with a clear mission supported by a strong set of core values. Doing business the right way was promoted throughout the entire decentralized operation.
However, lately delinquencies and charge-offs had begun to trend upward. Then, for one month-end, there was an unexplainable drop in the number of past-due accounts. No one seemed to understand how or why the reduction occurred, just that "something" had happened. Standard audit testing revealed some unusual transactions used to adjust the accounts. When the auditor questioned the chief financial officer (CFO), he justified the transactions as a special program approved by senior management. But, rumors in the field suggested otherwise.
The grapevine story indicated that there was a team of "trusted" employees assembled by senior management to offer customers "goodwill deferments" that would bring those customers' delinquent accounts current at no cost. It appeared that senior management had directed a delinquency manipulation that went against its aboveboard operational philosophy. In addition, the CEO began making changes in senior management. The vice president of collections was released. The CFO in charge of the internal audit department was informed that he was going to be replaced and was eventually reassigned as the chief information officer. A new chief operating officer was hired to preside over the vice president of operations. Suddenly, there was a fear throughout the company that all positions were at risk if they crossed the CEO.
The auditors continued testing and uncovered some account transactions that indicated charge-offs might have also been manipulated. The materiality of the transactions was not known at that time, but the chief audit executive (CAE) had deep concerns about the change in the tone at the top.
Aware that an audit committee meeting had been scheduled, and knowing that the audit committee had never asked to meet with internal auditing directly, the CAE requested a meeting with the new CFO to express his concerns. There was no response to his requests, so the CAE went into the CFO's office just as the audit committee meeting was beginning with documentation of his concerns in hand. Once the CAE shared his concerns with the audit committee, the committee immediately authorized an investigation.
The investigation revealed that the CEO, along with the vice president of strategic planning, had directed manipulations of both delinquencies and charge-offs, using various types of transactions. This resulted in a material misstatement of the financial statements. Allowance for credit losses was understated by $43.4 million, or 252 percent, and net income was overstated by $76.7 million, or 729 percent.
The aftermath was devastating. The company's stock was delisted, and a bankruptcy petition was filed. The U.S. Securities and Exchange Commission field a complaint against the CEO, vice president, and former CFO for rules violations. The CEO pled guilty to federal charges of investor fraud and a bank consortium of more than $9 million. The CEO agreed to testify against the vice president, who was found guilty of wire fraud and providing false information. Six years after the CAE went into the CFO's office, sentencing had not yet been issued to the CEO or vice president.
SAN ANTONIO CHAPTER
TAKE TWO AUDITS
A pharmacy benefit manager (PBM) is a company that administers drug benefit programs for employers. In the United States, PBMs handle pharmacy benefits for nearly 200 million people. In 2001 and 2002, they paid out about $121 billion, constituting approximately 80 percent of the total U.S. spending on prescription drugs.
In New York, the state contracts with both an insurer and a PBM to manage its annual $1 billion prescription drug benefits for the 1 million members of its primary health benefit plan. Recognizing that this is a significant outlay, the state auditors began an audit of the PBM. Among many other tests, they reviewed correspondence between the state and the PBM, which revealed apparent violations of a key drug pricing assertion made during the contract negotiation process. The auditors also recognized that the PBM might be retaining some rebates that rightfully belonged to the state and conducted additional tests to determine how much money the PBM might owe the state.
The first discrepancy the auditors found was that the PBM had charged the state inappropriately high prices for generic drugs dispensed at out-of-state pharmacies. It didn't take long for the attorney general to become interested. Auditing discussed its results with him, including an in-progress audit that focused on the PBM's inappropriate generic drug pricing of state pharmacy claims.
When the auditors described the next audit regarding unremitted rebates, the attorney general decided that these two areas would become the leading issues in a lawsuit against the state's PBMs. At that point, audit activity became focused on supporting the attorney general's efforts--including sharing knowledge of the PBM's business operations and practices, and the essential data analysis.
During this collaboration, the auditors developed a greater appreciation for the importance of documentation. They recognized that, although the process can be dull and tedious, documenting sources, methodologies, and conclusions is valuable because such records are sometimes used to support a major legal action. In addition, because the auditors were working so closely with the attorney general's office, it gave them a unique opportunity to review documentation they would not have seen during the normal audit process--in particular, internal correspondence and comments from the PBM related to the audits. It was clear from that documentation that the auditors had the attention of the PBM's management--certainly much more than their official responses indicated--and that they were concerned about the over-all review and how to control its impact. The auditors were reminded that, while official responses often downplay the significance of audit findings, sometimes even criticizing audit methodologies and conclusions, audit clients usually take audit results very seriously.
The attorney general formally filed a lawsuit against the PBM and, in a press release, credited the internal audit department for sparking the investigation and acknowledged its role in the process. The auditors had the rare opportunity to collaborate on an important lawsuit that promises to save the state millions of dollars as well as alter many PBM industry business practices.
ALBANY [N.Y.] CHAPTER
REIMBURSEMENT JACKPOT
A well-frequented casino resort requested advance payments from guests for hotel reservations. When an advance deposit was not fully used, the hotel bill was subsequently closed with a balance due to the guest. Hotel management initiated reimbursement of the amount, and refund request forms had to be signed by the hotel manager. A copy of the guest's folio was attached, and the form was forwarded to the accounts receivable clerk to process the refund to the credit card number on file.
On one typical afternoon, the hotel manager was in the controller's office and noticed a stack of refund requests with an approval signature that was not his. He immediately contacted internal auditing and security about the irregularities, prompting a discreet investigation.
After gathering sufficient documentation, including credit card company documents, the investigation revealed that approximately $45,000 in guest refunds was processed without approval by the hotel manager. Through further investigation, management concluded that the accounts receivable clerk, who was recently passed over for promotion to supervisor, decided to take out her frustration against the company and make up for what she felt was lost compensation. The auditors found evidence of guest refunds processed to the receivable clerk's credit card account. The clerk would then use the automated teller machine in the hotel lobby to withdraw cash against the mounting credit balance.
Not only did the internal auditor find conclusive evidence against the accounts receivable clerk, he also discovered that:
* The refund process allowed refunds to be processed to credit card numbers that were different from the account used by the guest.
* The controller did not review the refund requests prior to payment, as required by the internal controls.
* The hotel manager did not review the listing of guest refunds paid, as required by the internal controls.
* Hotel management did not ask the credit card company to notify them of large numbers of credit transactions against a single credit card.
Continued from page 1.
These control weaknesses all contributed to the clerk's ability to build her own personal jackpot.
LAS VEGAS CHAPTER
POSSIBILITY FOR PROBLEMS
Regular audits of a major credit union's service center branch had not been completed because of its remote location and scheduling conflicts between the auditors and the branch managers. When an unannounced audit was finally conducted, the auditors learned why periodic reviews are necessary.
The first problem the auditors discovered was that the service center had exceeded its established cash limits and the cash counting machine was not working correctly. All the cash had to be counted manually--including the vault, all cash drawers, three automated teller machines, and a cash dispensing machine.
As the audit progressed, more discrepancies surfaced: While reviewing documentation, the auditors suspected one of the service center's tellers was processing fraudulent activities to cover her tracks. Once the auditors compared the balances to the computerized drawer records, they discovered the fraudulent transactions minutes after the teller had completed them.
The next item on the audit plan dealt with general office security. The auditors noted that the branch office building was one of the nicest they had ever seen, with video cameras in every corner covering the entrance and every other angle of the building. But, when the auditors asked the service center manager how often the cameras were monitored, he replied that they had not been monitored for more than a year. Additional research revealed that a major cable had been disconnected and that the cameras were not even operable. Effectively, there was no video surveillance.
As the day closed, the auditors began a series of questions on segregation of duties regarding access to cash as well as access to the building. They learned that every employee had full, unfettered access to the building, to the alarm system (to arm and disarm), to the room housing the safe, and to their own individual cash drawers (some with balances of more than $15,000.)
The auditors left that day shaking their heads, realizing that although it's easier to ignore remote locations--out of sight, out of mind--it's those remote locations that often need the most scrutiny.
DENVER CHAPTER
CONGRATULATIONS TO THE CENTRAL FLORIDA CHAPTER for submitting the August 2004 winning "Roundtable" story. In "Unused Credit," the auditor on a routine store audit was approached by a customer looking for the manager. Because the manager was otherwise occupied, the customer told the auditor that her statement did not reflect her last payment. When the auditor went to investigate, he was told by the credit manager that it was simply a misposting. Further investigation, however, revealed $20,000 of questionable items. The credit manager confessed to the misappropriations, citing money problems in her family--a fabricated cover story.
Internal Auditor awards a gift certificate to the affiliate, chapter, or individual submitting the best "Roundtable" story in each issue. Individuals interested in claiming the certificate should contact their affiliate president. Each submission is worth five chapter achievement program (CAP) points and furthers The IIA's motto of "Progress Through Sharing."
"Roundtable" has always been a favorite among our readers--a forum for sharing audit information and findings and learning from others' experiences. But just as the profession is evolving, so too are the types of stories readers enjoy and value. As a result, Internal Auditor is encouraging the submission of audit stories that reflect the new age of internal auditing--those that emphasize best practices, use of technology, and value-added results.
Please send your stories to: J. MIKE JACKA, Farmers Insurance Group 18444 N. 25th Ave.
Phoenix, AZ 85023-1296 USA
Fax: +1-602-863-8588
E-mail: mike_jacka@farmersinsurance.com
EDITED BY J. MIKE JACKA
COPYRIGHT 2004 Institute of Internal Auditors, Inc.
COPYRIGHT 2004 Gale Group
