Mystery payments at Canadian construction company

This is interesting: An internal review at Canadian construction company SNC-Lavalin of certain payments approved by the CEO has resulted in that executive’s departure from the company.

The payments in question were approved directly by the CEO after the CFO rejected them. Documentation was apparently sketchy, as the review revealed that the projects they were attributed to were incorrect.

[The review] reveals payments to contracts that didn’t exist, mysterious agents whose identity “is without substance,” and staffers using emails and password-protected devices that the company couldn’t access.

They can’t be sure that the payments in question weren’t related to their controversial involvement with the former Gaddafi regime in Libya, since the recipients appear to be fictitious. They believe they weren’t, but there’s really no basis for that belief since the report is inconclusive.

SNC-Lavalin has operations in over 100 countries and earned over $7-billion in revenue last year.

The company said improper payments are a result of “management override, flawed design or ineffective enforcement of controls” in relation to hiring agents for two of its projects.

Design is one aspect of internal control, and operating effectiveness is the other. Add to that management’s ability to override them, and they’ve pretty much covered all their bases!

Some former employees have conducted company affairs using non-corporate email addresses or had password protected devices to which the company does not have access.

This is incredibly suspicious, as what good reason could there be for using non-corporate email to conduct company business? Always a red flag, but tough to uncover. The article doesn’t discuss how it was uncovered in this case, unfortunately.

The original investigation, which was reported at the end of February, was over $35-million in payments which were undocumented. The reporting of this information resulted in a 20% decline in the company’s stock, which has since recovered only about ⅓ of the drop. Clearly, controls at the company are not strong enough and the market believes the environment may be such that more of these types of situations exist.

Now, with these recent developments, it seems that the “tone at the top,” a critical component of a strong control environment (see COSO Internal Control Framework), was not one of uncompromising integrity.

Depending on the nature of the payments, if it is ever determined satisfactorily, this could have implications related to the Corruption of Foreign Public Officials Act, Canada’s version of the Foreign Corrupt Practices Act in the US.


IT audit training for me this week

This week I have a small reprieve from my duties as auditor, as I’m taking part in a training course put on by the firm at the Hilton. The training is related to the internal Information Systems specialization the firm offers, which will allow me to get more experience working with IS at clients and hopefully provide a jumping off point to the CISA designation next year.

I’m pretty excited about the opportunity, since training like this doesn’t come around too frequently. I had to pester a few key people at the office to get into the course, but it’ll be worth it. I think it will be perfect for someone with my interests and aptitude!

Not only that but the past couple weeks have been two of the busiest I’ll have all year. It’s no surprise then that blog post frequency has suffered as a result. But the end is in sight and things should ease up soon.


How to prevent the fake supplier fraud

Fraud. The very word strikes fear in the hearts of good men and women around the globe. Fraud can take down a company, fraud can destroy shareholder wealth, and fraud can make you very, very rich.

Just kidding about the last one. Eventually, if you are committing a fraud, you will get caught. Sooner or later, the paper trail will catch up to you, whether as a result of the auditors looking into suspicious activity or management conducting non-routine inquiries.

Fraud can be perpetrated in as many different ways as can be imagined, and fraudsters – I’ve always found that term mildly funny – have tried and will continue to try every trick in the book.

The method I want to talk about today is that of the ‘fake supplier’. This fraud is enabled when adequate control over the approved supplier list is not exercised. The fraudster sets up a fake supplier and has control over purchasing. The fake supplier sends fake invoices to the company and the fraudster simply pays them.

But the cheque cut to a fake supplier ends up in the fraudster’s bank account.

How does the owner or manager of a small or medium-sized business contain this type of fraud risk?

  • Keeping tight control over the approved supplier list.
  • Segregation of duties between who is responsible for adding/removing suppliers and who is responsible for paying invoices.
  • Limiting the number of employees who can approve suppliers.
  • Documenting and periodically testing the procedure for adding new suppliers.
  • Periodically scanning the list and randomly confirming the existence and legitimacy of suppliers.
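
As an added illustration (not part of the original post), the segregation-of-duties and periodic-scan controls above can be tested against exported supplier and payment records. The field names and sample records below are constructed assumptions, not taken from any real accounting system.

```python
from datetime import date

# Constructed sample data; field names are assumptions for illustration only.
SUPPLIERS = [
    {"id": "S001", "name": "Northside Lumber", "added_by": "alice",
     "approved_by": "carol", "last_confirmed": date(2024, 3, 1)},
    {"id": "S002", "name": "Apex Consulting", "added_by": "bob",
     "approved_by": "bob", "last_confirmed": None},
    {"id": "S003", "name": "Harbour Freight Co", "added_by": "alice",
     "approved_by": "carol", "last_confirmed": None},
]
PAYMENTS = [
    {"invoice": "INV-10", "supplier_id": "S001", "paid_by": "bob", "amount": 1200.00},
    {"invoice": "INV-11", "supplier_id": "S002", "paid_by": "bob", "amount": 8400.00},
    {"invoice": "INV-12", "supplier_id": "S003", "paid_by": "alice", "amount": 300.00},
    {"invoice": "INV-13", "supplier_id": "S999", "paid_by": "bob", "amount": 950.00},
]

def review_supplier_controls(suppliers, payments):
    """Return (record id, finding) pairs for breaks in the supplier controls."""
    by_id = {s["id"]: s for s in suppliers}
    findings = []
    for s in suppliers:
        # One person should not both add and approve a supplier.
        if s["added_by"] == s["approved_by"]:
            findings.append((s["id"], "supplier added and approved by same person"))
        # Periodic scan: supplier existence has never been confirmed.
        if s["last_confirmed"] is None:
            findings.append((s["id"], "existence never independently confirmed"))
    for p in payments:
        s = by_id.get(p["supplier_id"])
        if s is None:
            findings.append((p["invoice"], "paid to supplier not on approved list"))
        # Segregation of duties: the payer must not maintain the supplier record.
        elif p["paid_by"] in (s["added_by"], s["approved_by"]):
            findings.append((p["invoice"], "payer also maintained this supplier"))
    return findings

if __name__ == "__main__":
    for record, finding in review_supplier_controls(SUPPLIERS, PAYMENTS):
        print(f"{record}: {finding}")
```
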