The Audit Connection Collaborating for Enterprise Excellence
Summer 2014, Issue No. 8
Inside this issue:
- Could it happen here? Supporting a culture of compliance
- Increase your fraud awareness: Behavioral red flags displayed by fraud perpetrators
- Safeguard your medical ID
- Are you P-Card proficient?

Internal Audit Staff
- Clay Sprouse, CAO
- Kathleen Boyd, Assoc. Director
- Crystal Corey, Audit Manager
- Vernon Walters, Senior Auditor
- Will Barnes, Senior Auditor
- Sheryl Brown, I.T. Auditor
- Rufus Copeland, Auditor
- Lisa Kedigh, Admin. Asst. III
- Alex Padgett, Audit Intern

The Office of Internal Audit's purpose is to support the mission and vision of the Georgia Regents Enterprise by: providing independent and objective management evaluations; identifying actual and potential problems; providing corrective guidance; developing management recommendations; and providing consultative services in accordance with professional internal auditing standards and compliance review guidelines.

We are here to help you! 706-721-2661 gru.edu/audits

Could it happen here? Supporting a culture of compliance
Clay Sprouse, Chief Audit Officer

A Rash of Recalls
Everyone has heard the old adage, “the cover-up is worse than the crime.” So why do we continue to read news stories about organizations that knew — or should have known — about problems that could endanger public safety and ultimately damage their company’s reputation?
A rash of recent recalls among automakers has brought this issue to the forefront once again. Over the past few months, several manufacturers have been forced to recall thousands of vehicles, pay millions in fines, and admit they have endangered the lives of their customers. In one of the cases, it is documented that the issue was discovered numerous times and either ignored or buried. As with most organizations in this situation, the company is already facing serious reputational damage and heightened legal risk due to an issue that was known and left unaddressed.

Could it Happen Here?

Research shows there are two reasons people don’t speak up or report issues: the belief that nothing will be done and fear of retaliation. If employees at our company have these concerns, then some version of the scenario described above could happen here.

So how do we prevent this and protect our good name and reputation? Don’t ignore or cover up a problem. As this case demonstrates, it rarely turns out well. If you become aware of a problem or concern that is not addressed or appropriately resolved, it is important that you speak up. And, as a manager in our organization, you have a responsibility to take action to ensure the right people are involved to properly investigate the situation.

Doing Your Part

To help protect our organization, our employees, and our reputation, let’s all help each other to be sure to:
- Work issues to a satisfactory outcome
- Recognize inappropriate pressure and be aware of the messages you send
- Provide clear direction and make good and timely decisions
- Watch for red flags
- Hold others accountable to the same high standards, while showing respect
- Cultivate and practice good communication skills and establish an open environment where retaliation is not tolerated
- Use another of the multiple available resources to report your concern, including the ethics hotline/helpline, if you don’t believe the issue has been satisfactorily resolved
- Be a great role model — do what’s right, even when it is difficult

Ask the Auditor! We invite you to send your questions to internal_audit@gru.edu, and we may feature them in future issues. 1120 15th Street, Augusta, GA 30912 | Phone: 706-721-2661 | Fax: 706-721-9094

Increase your fraud awareness: Behavioral red flags displayed by fraud perpetrators
Kathleen Boyd, Associate Director

Did you know that “living beyond one’s means” is the number one behavioral characteristic of a fraud perpetrator? It is not really a stretch to imagine that people who are living beyond their means, or have financial difficulties, might be the most likely to commit fraud. However, there are other shared characteristics of fraud perpetrators of which managers should also be aware … ones that are less likely to be immediately considered. Read on…

The Report to the Nations on Occupational Fraud and Abuse is a biennial publication of the Association of Certified Fraud Examiners. The 2014 edition of the Report to the Nations is based on 1,483 cases of occupational fraud as reported by the Certified Fraud Examiners who investigated them. Although the types of fraud that affect organizations vary widely, the research contained in the Report to the Nations focuses on a particularly pervasive form: occupational fraud, defined as: “The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.”

Fraud Examiners were asked to identify which, if any, common behavioral indicators were exhibited by the perpetrators before their frauds were detected.
Overall, at least one red flag was identified in 92 percent of cases, and in 64 percent of cases, the fraudster displayed two or more behavioral red flags. Figure 71 shows the distribution of those red flags. Approximately 44 percent of fraud perpetrators were living beyond their means while the fraud was ongoing, and 33 percent were experiencing known financial difficulties. Other common red flags were an unusually close association with a vendor or customer (22 percent), displaying control issues or an unwillingness to share duties (21 percent), a general “wheeler-dealer” attitude involving shrewd or unscrupulous behavior (18 percent), and recent divorce or family problems (17 percent).

These six red flags were also the most common behavioral indicators in each of the last three studies conducted by the ACFE. In general, the distribution of behavioral red flags from year to year has followed a remarkably consistent curve despite the fact that each of the studies contains entirely distinct cases of fraud and perpetrators.
“Fraud is ubiquitous; it does not discriminate in its occurrence.”

Excerpted with permission from The 2014 Report to the Nations on Occupational Fraud and Abuse. Copyright 2014 by the Association of Certified Fraud Examiners, Inc.

Hotline: 877-516-3419
To anonymously report fraud, waste, or abuse, call the Georgia Regents University and Health System hotline.

Kathleen Boyd is a Certified Internal Auditor and a Certified Fraud Examiner.

Safeguard your medical ID
Danny Walters, Senior Auditor

Financial identity theft has been all over the news lately, and steps to protect your personal ID have been prominently featured in our newsletter. However, have you ever thought about protecting your medical ID from theft? Medical identity theft can destroy your credit rating, your access to medical treatment, and your life. According to the Ponemon Institute’s 2013 Survey on Medical Identity Theft, there were 1.84 million victims of medical identity theft in 2013, an increase of about 20 percent from the previous year.

Consider these real-world examples of medical identity theft:
- A 3-week-old baby’s family suddenly receives a collection notice for unpaid medical bills on his work-related back injuries.
- A woman is denied insurance coverage because her medical record shows she is an HIV-positive 28-year-old man.
- A man finds that an imposter has used his identity at five different hospitals in order to receive more than $100,000 in treatment. At each hospital, the imposter has left behind a medical history in his victim’s name.
- A childless woman is arrested for abandoning her baby at the hospital soon after birth.

The World Privacy Forum says “Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity — such as insurance information — without the person’s knowledge or consent to obtain medical services or goods or uses the person’s identity information to make false claims for medical services or goods.”

Unlike credit card fraud — where card issuers assume responsibility for most or all of the bogus charges — there are no such protections for medical identity theft. Victims often have to pay — about 36 percent of victims in 2013 incurred an average of $18,660 in out-of-pocket costs according to the Ponemon Institute. Other victims lost their health insurance coverage or had to pay higher premiums to restore it.

Stolen medical identity data such as health insurance numbers and medical records can fetch about $2,000 on the black market as compared to $25 for Social Security and financial account numbers used to commit financial identity theft. The bigger financial payoff — like a $20,000 surgery — justifies the higher price charged.

You can’t prevent data breaches or employee theft of medical identity data, but you can take the following steps to detect problems and safeguard your medical ID:
- Guard your health insurance card and number as carefully as you would a credit card or bank account number. If you lose your card, immediately notify your insurance provider.
- Carefully check the Explanation of Benefits statements sent by your health insurance provider to be sure that all services listed were actually provided to you on the dates shown.
- Check your credit report regularly, as unpaid medical bills will show up there.
- Keep paper and electronic copies of your medical and health insurance records in a safe place.
- Shred outdated health insurance forms, prescription and physician statements, and the labels from prescription bottles before you throw them out.
- Avoid unfamiliar health fairs or storefronts offering free screenings that require your insurance information.
- Medical identity thieves may pretend to work for an insurance company, doctor’s office, clinic, or pharmacy to try to trick you into revealing your sensitive information. Don’t share medical or insurance information by phone, email, or on a website unless you initiated the contact and know who you are dealing with.
- Hang up on phone calls promising free supplies or from “officials” asking for your sensitive medical information.
- Ask all of your providers to make copies of everything in your file so you’ll have a “paper trail” to protect against future ID theft.
For more information on medical identity theft and what to do if you become a victim, you can visit the Federal Trade Commission’s website at consumer.gov/idtheft or call the FTC at 877-438-4338.
Information provided by: U.S. Federal Trade Commission, Ponemon Institute, The World Privacy Forum, keepmyID.org, and AARP Bulletin, June 2014.
Are you P-Card proficient?
Will Barnes, Senior Auditor

Purchasing cards are used at GRU for a multitude of purchases. If you are a cardholder, approver, or proxy/reconciler, you should be well aware of what is and isn’t allowed to be purchased on the P-Card. Take this short quiz to test your knowledge of GRU and State of Georgia P-Card regulations. How do you rate?

Are the following statements True or False (answers are provided later — no peeking!):
1. Georgia Sales and Use Tax is not allowable on the P-Card.
2. Memberships at wholesale warehouses and shopping clubs (e.g., Sam’s, Costco, Amazon Prime) are allowable on the P-Card.
3. Alcoholic beverages may be purchased on the P-Card.
4. You can make purchases at the GRU Bookstore using the GRU P-Card.
5. Memberships and Dues are allowable on the P-Card.
6. P-Card transactions should be approved in Works at least monthly by the Cardholder or the Approver, or by one or the other signing the Bank of America statement.
7. Transaction logs must be completed monthly and retained with the other supporting documentation (invoices/receipts, etc.).
8. If you lose your receipt or invoice, a Lost Receipt/Invoice Affidavit must be filled out, signed by the Cardholder and Supervisor, and retained with the other supporting documentation.
9. It is OK to make a personal purchase with the GRU P-Card; just pay it back later.
10. P-Card office personnel are available to answer all of your P-Card questions.
Did you breeze through, or was it tougher than you thought? See following page for the answers and your P-Card proficiency rating.
Answers:
1. True (see GRU P-Card Purchasing Dos and Don’ts).
2. False (see Statewide Purchasing Card Policy, Revised March 2014).
3. True, but is restricted to alcoholic beverages such as cooking wine for instructional or classroom use only (see Statewide Purchasing Card Policy for required steps).
4. False (see GRU P-Card Purchasing Dos and Don’ts).
5. True, but the Accounts Payable Memorandum Form must be included (see GRU P-Card Purchasing Dos and Don’ts).
6. False – The P-Card transactions must be approved in Works each month by both the Cardholder and Approver. Also, the transactions must be reconciled to the Bank of America statement, and the statement must be signed by both the Cardholder and Approver. (Note: if the department uses a Proxy/Reconciler, it is recommended that this individual also sign the BOA statement in addition to the Cardholder and Approver).
7. True (Note: if your department allows, transaction information can be downloaded in a report from Works).
8. True – the form is available on the GRU P-Card website.
9. False – Big Time False, the P-Card is not to be used for personal purchases (period)!
10. True – You can contact Amber Armour, P-Card Program Administrator, at aamour@gru.edu. Also, you can obtain forms, guidelines, view training, FAQs, and other helpful information on the P-Card website at gru.edu/supply/pcard/.

Ratings: How do you rate? See below based on how many you answered correctly:
- 0 – 6: STOP, put your P-Card down; do not use it until you have passed P-Card training!
- 7 – 8: Not bad; however, you, your department, and the institution would benefit if you take the P-Card refresher and/or orientation training (both are available online).
- 9 – 10: Excellent, you are P-Card Proficient!

P.S. Look for Mandatory P-Card Refresher Training – Coming this Fall to a computer near you!