What Would You Do?
The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.
By Carl Gabrini
January 21, 2019
One of my favorite books on bureaucracy is “Inside Bureaucracy” by Anthony Downs, published in 1967. In it he wrote about the complexity of controls within large bureaucracies. The implication I took away from reading it is that the more complex control systems become, the more challenging managing them becomes. However, I was recently reminded that one unintended consequence of all the focus on elaborate control systems is that a window is often left unlocked somewhere. In today’s cyber-world that window is frequently people’s behavior. Writing from personal experience, we took great pains at the state auditor’s office where I worked to ensure our communications, data and working papers were secured. But the key control always came down to individual behavior and decision-making. When I began my teaching career, I was shocked by how often our email system was compromised by malicious outsiders who gained access through fraudulent emails to staff or faculty. I can recall chuckling with my colleagues, wondering who it was that fell victim to the same email most of us had received and deleted, realizing it was a scam. The saying goes that beauty is in the eye of the beholder; I suppose that is true of common sense as well. The most effective methods for combating fraud do not always rely on complex, overlapping and expensive control processes and systems. It might be that combating some fraud requires only simple and inexpensive common sense.
My wife and I were sitting and reading together when she asked if I had heard about a scam that had just taken place at one of our local healthcare systems. I responded no and asked her to read it to me. After listening I thought to myself, I was a controller once; what would I have done in similar circumstances? I requested a copy of the police report from the city police records office to learn more. The scam was initiated when the chief financial officer (CFO) received an email they believed to be from their contractor asking to change the payment instructions stipulated in their contract. The CFO, believing the email to be legitimate, requested and received the information necessary to change payment methods. Instead of remitting payment by check, they would pay electronically. The email exchange provided all that was needed to facilitate the electronic payments to a legitimate bank account at a legitimate bank. Life went on as usual for about two weeks. Two payments totaling about $1.25 million were transferred to the bank account provided in the email.
The police report indicates that the CFO was sitting in a fraud training when a bad feeling came over them. They called the contractor directly and learned that no payments had been received and that no email requesting a change to the payment method had been sent. Hence the police report and the subsequent, ongoing investigation. Who knows what the fallout from this incident will be for this organization and the individuals involved? But it got me thinking: what would I have done in the same situation? It is not totally out of the realm of reality to consider it. I recalled one time when a bank vice president offered to wire transfer several million dollars on my authority to a bank of my choosing without any other approvals. I was floored and refused. I explained that I follow procedure no matter how inconvenient that might be. I exercised my common sense. The situation did not feel right, so I went with my professional experience, which told me to follow accepted procedures.
That brings me to the point of my first column of 2019: common sense and professional judgment are often our most important defense against fraud. Upon receiving the email requesting the change in payment instructions, I would have called my counterpart at the contractor to confirm the request and asked for a change order to the contract documenting it, since payment terms are typically part of the language in a contract. That action would have occurred before any payments were made, and even before a reply was sent to the original email. I recognize that people have busy schedules and that sometimes what we initially view as a minor detail turns out to be a big problem. My guess is that it happens every day. This incident reminded me how important our own diligence is when combating fraud in the cyber age. Fraud knows no boundaries and does not discriminate based on business sector. Fraud prevention is everyone’s job. In this present case a simple phone call would have saved $1.25 million and a major organizational headache.
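The control the column recommends, a callback to the contractor before acting on the email plus a change order, can be written down as a release gate that accounts payable must clear before a vendor's bank details are touched. The example below is added here and is not code from the column or from the organization involved. It assumes a vendor master record that holds the contractor's phone number and email domain as captured at onboarding (so that the number dialled never comes from the email itself), and it adds a second approver and a few header checks as extra assumptions of good practice; the vendor names, domains, phone numbers and account digits are constructed, not taken from the police report.

```python
"""Payment-instruction change gate: the 'phone call first' control as code.

Assumptions (added example, not from the column): a vendor master record
captured at onboarding; parsed fields from the inbound e-mail; and a record
of what accounts payable actually did before changing anything.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VendorRecord:
    """Vendor master data set at onboarding (assumed structure)."""
    name: str
    email_domain: str      # domain the contractor normally writes from
    verified_phone: str    # confirmed at onboarding, never taken from a later e-mail


@dataclass(frozen=True)
class ChangeRequest:
    """The inbound 'please update our payment instructions' e-mail, parsed."""
    vendor: str
    from_addr: str
    reply_to: Optional[str]
    new_account_last4: str
    phone_in_email: Optional[str] = None  # number the sender asks to be called on


@dataclass(frozen=True)
class Verification:
    """What accounts payable did before touching the vendor record."""
    called_number: Optional[str] = None  # number actually dialled, if any
    vendor_confirmed: bool = False       # contractor confirmed the change on that call
    change_order_id: Optional[str] = None
    second_approver: Optional[str] = None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def red_flags(req: ChangeRequest, vendor: VendorRecord) -> list[str]:
    """Cheap header checks. A hit is a reason to hold; a clean pass is never a reason to release."""
    flags = []
    if _domain(req.from_addr) != vendor.email_domain:
        flags.append("From domain does not match the domain on file")
    if req.reply_to and _domain(req.reply_to) != _domain(req.from_addr):
        flags.append("Reply-To domain differs from From domain")
    if req.phone_in_email and req.phone_in_email != vendor.verified_phone:
        flags.append("e-mail supplies a callback number that is not the one on file")
    return flags


def decide(req: ChangeRequest, vendor: VendorRecord, ver: Verification) -> tuple[str, list[str]]:
    """Return ('RELEASE', []) only when every control is satisfied; otherwise ('HOLD', reasons)."""
    reasons = red_flags(req, vendor)
    if ver.called_number is None:
        reasons.append("no callback made before acting on the e-mail")
    elif ver.called_number != vendor.verified_phone:
        reasons.append("callback went to a number not taken from the vendor master")
    elif not ver.vendor_confirmed:
        reasons.append("contractor did not confirm the change on callback")
    if not ver.change_order_id:
        reasons.append("no change order amending the contract's payment terms")
    if not ver.second_approver:
        reasons.append("no second approver on the vendor record change")
    return ("RELEASE" if not reasons else "HOLD"), reasons


# Constructed sample data; nothing here comes from the police report.
CONTRACTOR = VendorRecord("Example Contractor LLC", "contractor.example", "+1-555-0100")
GENUINE_LOOKING = ChangeRequest("Example Contractor LLC", "ap@contractor.example", None, "4417")


def scenario_as_reported():
    """E-mail looked right and nobody called: the gate still holds."""
    return decide(GENUINE_LOOKING, CONTRACTOR, Verification())


def scenario_called_number_in_email():
    """Callback made, but to the number the e-mail supplied, with a lookalike Reply-To."""
    req = ChangeRequest("Example Contractor LLC", "ap@contractor.example",
                        "ap@contractor-example.com", "4417", phone_in_email="+1-555-0199")
    ver = Verification("+1-555-0199", True, "CO-2019-07", "controller")
    return decide(req, CONTRACTOR, ver)


def scenario_callback_exposes_fraud():
    """Callback to the number on file; contractor says it sent no such request."""
    return decide(GENUINE_LOOKING, CONTRACTOR, Verification("+1-555-0100", False))


def scenario_legitimate_verified():
    """A real request: callback confirmed, change order raised, second approval given."""
    return decide(GENUINE_LOOKING, CONTRACTOR,
                  Verification("+1-555-0100", True, "CO-2019-07", "controller"))


if __name__ == "__main__":
    for fn in (scenario_as_reported, scenario_called_number_in_email,
               scenario_callback_exposes_fraud, scenario_legitimate_verified):
        print(fn.__name__, *fn())
```

The point the scenarios make is that header checks are a supplement, not the control: an email from the genuine domain with no lookalike anywhere still holds until someone has dialled the number on file and heard the contractor confirm, and a callback to a number supplied in the email itself counts for nothing.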
Author: Carl J. Gabrini is Assistant Professor of Accounting at the Wright School of Business, Dalton State College and earned a PhD in Public Administration at Florida State University. Email address [email protected].