​Big Scam on Campus

The subsidiary was renting office space for its personnel on the premises of Future Power, so logs from entrance systems did not provide any insight on whether its employees were working on Future Power equipment or doing other tasks. The audit team concluded that the risk of overbilling existed, but no proof could be provided. Future Power management chose to accept the risk and stated additional controls were not needed. Internal auditors insisted they were and escalated the issue to FEC’s board of directors. Finally, as a compromise, Future Power management allocated one employee to conduct independent checks of hours reported by BX Solutions OY.

One year later, Future Power’s CEO emailed FEC’s audit manager, Alicia Cohen, after he received a letter from BX Ltd.: “I am forwarding to you a weird letter from our main maintenance and repair partner, BX Ltd. I told them you will handle it from here.” 

Cohen could barely believe what she read in the forwarded letter. BX Ltd. reported that its local subsidiary was defrauding FEC: “Due to a mistake and misbehavior, working hours have been overbilled since our last contract renewal. Corrective action has been taken and a credit for €2.3 million ($2.7 million) will be issued to you immediately. We suggest a regular review to ensure a robust hourly recording process moving forward.” 

The audit team felt vindicated. The potential fraud risk scheme they described to management a year before was realized. The team set out to investigate how the overbilling happened. 

Initially, BX Ltd. willingly cooperated. Via web-based meetings, BX Ltd.’s compliance representative, Pierre Brodeur, explained that its investigation was triggered by an anonymous whistleblower complaint from BX Solutions OY. The investigation revealed that remuneration for BX Solutions OY management depended on the profitability of Future Power’s maintenance and repair contract, as it was its biggest and most important client in the region. The change from fixed pricing to an hourly based system caused BX Solutions OY management to become concerned about profitability levels, so employees were instructed to bill Future Power for as many hours as possible. After the conclusion of the internal investigation, BX Solutions OY management and the employees who participated in the scheme were fired. 

Brodeur handed over internal time sheets of BX Solutions OY employees involved in maintenance and repair activities. FEC’s internal auditors compared the time sheets against billed hours, determined the number of overbilled hours, and multiplied the difference by the hourly rate to calculate the value of the hours. When FEC’s investigative team reported an amount two times higher than the €2.3 million, cooperation between the parties ended. BX Solutions OY misled BX Ltd.’s compliance team, claiming repairs were still priced at a fixed rate, so BX Ltd.’s compliance department calculated overbilled hours for maintenance services and disregarded hours spent on repairs. FEC’s internal auditors, however, reviewed repair contract terms with legal counsel and concluded that repairs had to be billed on an hourly basis, as well. 

The internal controls assessment did not take long. Internal audit tried to reconcile time sheets of BX Solutions OY personnel with hours recorded in the system, but there were no names or employee identification numbers. Moreover, BX Solutions OY personnel could record their hours monthly rather than on an ongoing basis. As a result, Future Power supervisors issued and accepted work orders without knowing how many people were on site on any specific day. 

An analysis of work orders for the previous two years found that more than 40% of annual maintenance expenses were for regularly conducted visual inspections of equipment. It was impossible to determine whether inspections were actually carried out because there was no paper trail. 

Though Future Power appointed an employee to conduct independent checks of hours reported by BX Solutions OY the year before, management never touched base with the employee to determine whether he had suitable tools to conduct those checks. The employee was overloaded with other duties and preferred to keep a low profile without interfering, controlling, or suggesting improvements. 

Future Power eventually received €2.3 million from BX Ltd. and filed a legal dispute for additional amounts owed

LESSONS LEARNED
​

• When it comes to the purchasing of services per hour — lawyers, IT developers, consultants — how often are organizations overbilled? How can an organization find the right balance of trust and control? Organizations risk playing a “catch me if you can game” with contractors unless the environment encourages fair reporting of spent hours. Internal audit’s role is to review the process of hour validation and determine whether hours can be verified, at least to a reasonable extent. 
• Operational-level management is usually overwhelmed with important daily issues, so it is difficult to get managers to take an interest in a potential fraud risk. When they read an internal audit report that raises a red flag about something that has not happened — but might — they might not care nor understand the seriousness of the risk. Rather than point out lack of caring, internal auditors should suggest additional controls or work toward reaching a compromise that satisfies both parties.
• Collaboration with a contractor that acknowledges fraud is unlikely to happen often — if at all. If the contractor has already made up its mind about how much it is going to reimburse, any collaboration promises are likely to be empty declarations. Also, internal audit should keep in mind that there is likely a specific reason why a contractor wants to acknowledge fraud. The best-case scenario is that the contractor is embarrassed of its findings and wants to avoid bad publicity. The worst case is that it is trying to cover up something much bigger and wants to voluntarily return a small part of what was stolen from the company to avoid litigation and prosecution.
• When circumstances require internal audit to collaborate with outside parties where conditions or other information is exchanged, it should include legal counsel to avoid any unwanted damage to the company, such as disclosure of confidential information. It’s important for internal audit to know when to step back as a trusted partner.