Campus fraud firewalls
Embezzlement originating from any corner of campus can threaten any college and university. As for the losses, they can be big. Take, for example:
- Emory University in Atlanta. In July, a former employee received an 18-month prison term for stealing over $300,000. As an administrative assistant in the school of nursing, she misled students into paying tuition into a PayPal account not controlled by the institution.
- Spring Hill College in Alabama. The student accounts director transferred over $186,000 into her personal bank account over a four-year period. She pled guilty to the scheme in December 2014.
- Lander University in South Carolina. In August 2014, a former IT specialist admitted to selling university-owned computer equipment and software online and then pocketing the proceeds. The thefts totaled more than $400,000.
It’s vital for the executive team and academic leaders—not just financial administrators—to understand the prevalence of the employee fraud problem.
Of the 23 types of organizations studied by the Association of Certified Fraud Examiners (ACFE) in 2014, education—including higher ed—had the fifth highest frequency of fraud. Banking and financial services led the list, followed by public administration, manufacturing and healthcare. Education had more reports of fraud than retail, construction, transportation and a variety of other industries.
On college campuses, there’s a tendency to think, “We have a great collegial organization and trust our people,” says John Morrissey, senior vice president with the financial services group of Aon, a risk management, insurance and HR firm with North American headquarters in Chicago.
The vast majority of universities don’t deploy very sophisticated defenses against fraud—but use only the basic audit controls that any organization would have, says Greg Henderson, director of the SAS Fraud and Security Intelligence Global Practice based in Cary, North Carolina.
Learn more about employee embezzlement and other fraud
- “Fraud Red Flags,” Wayne State University, Office of Internal Audit
- “The Fraud Curve: White-Collar Crime In Higher Education” (article from the Association of Certified Fraud Examiners)
- JPMorgan & Chase infographic on employee fraud
- “Report to the Nations on Occupational Fraud and Abuse (Association ofCertified Fraud Examiners, 2014)
- The University of Texas at Austin fraud hotline
A top-down focus on the prevention of financial improprieties can set the tone for the entire organization. “It’s important for leadership to develop and communicate a policy of highly ethical practices in which there is zero tolerance for any form of fraud,” Morrissey says.
Given the less attractive side of human nature, there will never be a fool-proof fraud firewall. But the use of technology and other proactive measures can reduce the threat. Here are four keys to using technology—and fraud smarts—to prevent and detect embezzlement or other financial misdoings.
1. Transactional analysis software
This form of data analysis software—which is employed with increasing frequency in the corporate world—detects unusual patterns in transactional information. Some vendors, such as ACL, LogRhythm and SciQuest, now market these products specifically to colleges and universities.
The systems can alert staff to possibly fraudulent activity by identifying anomalies in records of financial transactions.
There is always potential for hidden problems because of the tremendous amount of data institutions produce, points out Allan Bachman, education manager at ACFE. “Data analytics will help you find patterns in the data, as well as outliers,” he says.
After these systems identify that something may be amiss, follow-up is needed to determine if something unethical is going on or if it’s just a deviation such as a missing approval for an otherwise routine transaction.
Fraud experts were asked:
How do you advise college and university clients to use the information gleaned from fraud detection and prevention solutions?
“The most obvious use is to investigate possible indicators of fraudulent activity to determine if any type of malfeasance has occurred. Perhaps just as important is to provide some insight into any weaknesses in internal controls, or whether controls that appeared to be adequate can be easily circumvented. A well-designed fraud detection (or risk assessment) program should not only identify any current problems, but also assist in fortifying the organization’s policies and procedures to help prevent future fraud.”
—John A. Slavek, managing director, Kroll
“Err on the side of over-investigating. Even though a protective measure could create some false positives, investigate them thoroughly because that incident may actually be a fraud, and because you make it clear there is a strong chance that the perpetrator could get caught and that alone may deter them from trying.”
—Pete Miller, shareholder, audit and assurance, Clark-Nuber
“Fraud prevention solutions should consider as many variables as possible. But these types of solutions, and particularly analytics, can only take you so far. Detection and prevention of fraud is often both an art and a science. Skilled individuals who have knowledge of the college and universities’ process and procedures should analyze the data and information and make educated decisions on how to approach the next step of the investigation.”
—H. David Kotz , managing director, Berkeley Research Group
“If ‘false positives’ are a concern, results from fraud detection and prevention tools should be subjected to further investigation and qualification before being escalated or confronting the suspected embezzler. Similar processes are common in the world of IT security, where alerts generated by intrusion prevention systems and other security tools are sent to the incident response team for further investigation before deciding on the appropriate response.”
—Mike Paquette, vice president of security products, Prelert
The technology helps detect fraudulent schemes in their early stages. And, once the system is employed, the efforts can lead to improved controls that may reduce the likelihood of fraud in the future.
According to Aon’s Morrissey, most fraud is related to purchases, payments, expenses, payroll or billing. For example, an employee may set up bogus vendors and then submit false invoices, with payments going to the employee directly or indirectly. Or salaries may be paid to fictitious personnel whose employment has been terminated.
Other schemes range from use of institutional credit cards for personal purchases to providing tuition discounts or write-offs for friends or relatives.
Transactional analysis software can identify specific indicators of these types of fraud. “These tests work by monitoring all transactions and analyzing them to identify suspicious anomalies, as well as detecting instances where controls that are meant to be in place aren’t working,” Morrissey says.
2. Internal financial controls
Strong internal controls remain a basic part of the anti-fraud toolbox. “While secure software is an essential tool to prevent fraud, it’s not the silver bullet,” says Mary O’Connor, partner in the valuation and dispute advisory services practice at Sikich, a Chicago-area firm specializing in accounting, technology and investment banking services.
Strong internal controls, the other key piece, should include adequate separation of duties, as well as effective internal audit procedures such as surprise internal audits.
The controls every institution has in place to protect financial integrity may not be sufficient defense against crafty employees who know enough about internal systems to circumvent them.
“Colleges tend not to have tight controls like, say, General Motors,” Morrissey says. “It’s just not part of the culture. Controls are not as good or controls are not followed.”
Analyzing the effectiveness of such controls, followed by proactive efforts to strengthen them where needed, can help substantially in any fraud protection program. Staff training and consistently applying existing controls can also pay off.
“A lot of it is simply blocking and tackling,” says Andrew Sall, a vice president with Marsh USA, a risk management and insurance company based in New York. “It’s making sure the right people are following the right rules.”
This includes some of the most basic functions—such as ensuring staff always adhere to approval protocols and that the people who deposit money are not also responsible for reconciling the account. And there should be a well-defined—and rigidly followed—practice for processing wire transfers.
3. Investigation of potential fraud
Despite the best prevention efforts, someone is always willing to challenge the system. Insiders, from support staff to senior administrators, often know enough to convince themselves that even the best security procedures can be defeated.
Investigation becomes necessary once such an incident has been detected, or simply suspected. One common response is supplementing analytics with consulting or other services.
A service offered by Marsh, for example, includes investigative action as well as forensics accounting analysis. In some cases, this means sending in a team of CPAs and certified fraud examiners to review the areas where fraudulent schemes—or where exploitable weaknesses—are suspected by campus administrators. Typically, this includes an unannounced on-site review that takes about three days.
If fraud is detected, the forensics team helps provide the necessary proof for calling in law enforcement or taking steps to recoup losses. Even if no crimes have occurred, the institution receives a report that identifies future risk points and provides recommendations for tightening security.
A high level of visibility can also work against fraud. Anti-fraud efforts can be promoted across campus via memos from top-level administrators or web page announcements on the subject.
“When fraud comes to light, all of a sudden organizations take it seriously,” says John Verver, strategic advisor to ACL, a Vancouver, Canada-based provider of audit and risk management software. “But of course this is too late.”
Up-front measures can include a fraud hotline. “Hotlines provide a very valuable resource,” says Bachman of ACFE. “Not only do they provide a means for people to report suspected fraud, but they send the signal to everyone that fraud prevention is being taken seriously.”
The University of Texas at Austin maintains a fraud hotline through its office of internal audits. Anyone who suspects fraudulent activity may report it via a toll-free phone number. Alternative reporting avenues include a web-based form, standard mail, e-mail and office phone. Anonymity is also an option.
Others institutions offering similar hotlines include the University System of Georgia, Alcorn State University in Mississippi and the North Dakota State University System.
Having top-level administrators write articles about fraud prevention for internal campus publications or posting web announcements about it can both encourage others to report suspicious activity and to ward off potential embezzlers.
“The widespread knowledge that precautionary systems are in place can itself have a preventive effect,” Verver notes. “It signals employees that this is being taken seriously and if nothing else, some opportunists might be scared off.”
And every incident that is prevented represents one less costly, and perhaps embarrassing, problem that would otherwise take administrators off-mission.
“You’re never going to stop fraud completely,” Verver says. “But solid preventive systems can have a huge impact on reducing this too-common problem.”
Mark Rowh is a Virginia-based writer.