AA is Looking Backward Not Forward |
This is the second of two posts on this topic. First post here.
Point
Two: Enhanced Audit Work
The
following outlines some possible enhanced steps auditors could
have
taken.
I
don’t know what steps the auditors took.
That
WC was able to perpetrate its fraud for so long perhaps suggests the
auditors
were not employing any of these enhanced steps or had not completed
them.
Confirmation
of the Euros 1.9 Billion Accounts
Audit
Confirmations
Given
the unusual arrangements with the escrow accounts and their Euros 1.9
billion balance, WC’s auditor should have not relied on a single
step verification – the typical bank confirmation--and probably used more than one method.
What
additional steps could WC’s auditors have taken?
First,
in view of the amounts, they could have requested two bank officer
signatures on the confirm, and specified an official title, e.g.,
“one of whom must be a Vice President in the xxx
Department”.
Second,
once the audit confirmation was returned, the auditors could have
attempted to determine that the signer(s) on the confirmation were
employees of the bank and worked in a department that would be
responsible for replying.
This
could be done by referring to the bank’s “book” of authorized
signers. This document lists officers authorized to sign, any limits
on their authority, and the departments in which they work. Often
the officers are assigned a unique identifier number in case their
penmanship rivals AA’s.
Or
by phoning the bank and telling the receptionist that they had
something important to send the signer and wanted to confirm the
appropriate department to send their letter. In this case they would
not mention that audit confirm.
If
the receptionist couldn’t find the employee’s name in the bank’s
records or responded that the individual worked in “Marketing”,
alarm bells should go off.
The
auditors could send a copy of the confirmation back to the bank
requesting that in light of the amount involved the bank reconfirm
both the information in the confirm and the authority of the
signer(s).
The
reconfirmation request should not be sent to the party or parties
signing the confirmation as received, but rather to another
department.
For
example, if the auditors received the confirm from someone in the
Trust Department, they could send the reconfirmation request to the
Trust Department Internal Audit Department. Or the bank’s Internal
Audit Department. Or to the Head of the Trust Division. And when a
billion or so Euros are involved, perhaps even the President of the
bank.
The auditing firm could have asked a senior officer of its affiliate in the ROP to assist by contacting a senior officer at the bank for a reconfirmation.
Alternative Measures
The auditors could ask the bank to send duplicates of account statements directly to them. If the bank doesn’t have an account for that customer, then it would so advise.
If it sends a statement with much lower balances, then questions would arise over the amount claimed in the account.
“So what you’re saying is that between 1 and 31 December, these accounts received Euros 1.8 billion in net credits.”
The idea with this step is that requests for duplicate statements would not reach the person within the Bank conspiring to provide false information on confirmations. One department replies to audit confirms. Another department handles “routine” requests for duplicate statements.
If the auditors were engaged in reviewing the use of WC’s accounts by the third parties to determine the amounts those parties needed access to, as my proposal suggests, they should have then they should already have requested account statements.
Transactions shown in the statements should match entries in WC’s accounts. The auditors could take a statistical sample to trace/match transactions between the two.
There are other methods.
The ones outlined here are designed to prove the existence of the account, not necessarily the balance.
If there was doubt about the veracity of the account statements, the auditors could use statistical analysis of transaction amounts and patterns to identify those that likely have been “faked”. Benford’s “Law” is one such technique but there are others.
I met a chap at a financial crimes conference (anti not pro, if you’re wondering) who claimed that using Benford’s Law he quite easily “proved” that financial statements provided for an investigation had been “cooked”.
WC’s establishment of the escrow accounts probably ostensibly to mitigate the credit risk of the two Philippine banks should have resulted in a file documenting management and board discussions, engagement of ROP counsel, correspondence on legal points, review by the board, and a legal document signed by both WC and the two banks in question.
If such a file did not exist, that should raise questions. Often those perpetrating fraud do not create the full set of “backstory” documentation to support the fraud. Or miss critical details in their backstory.
If it did, it should provide another opportunity to verify the existence of the account. Contact the bank and ask to speak to its lawyer named in the correspondence. Check to see if the person signing the agreement on behalf of the bank was in the “right” department and had the authority.
Auditors could also send a request to the bank to confirm that there had been no changes to the escrow agreement. Again if the bank replied that there was no such agreement then alarm bells would go off.
Send a small payment to the bank favour the escrow account prior to fiscal year end. If it’s returned with the notation “no account”, then alarm bells go off. If it’s not returned, it should show up in statements. If not, the bells ring again.
Look for evidence of use of the escrow accounts by WC.
A transfer funds to its main operating account would confirm the existence of the accounts, but, of course, not the balance.
The bank holding the operating account should be able to provide details of any transfer – by order party (the escrow account), originating bank (one of the two Philippine banks), and date of credit to WC’s operating account. So the auditor should not simply match amounts, but look to the transaction details. Again on a sample basis.
If WC never used any funds from the escrow accounts, that should raise questions, particularly if WC is borrowing funds to pay dividends or expenses.
Review of Third Party Companies
WC gave access to its accounts to these companies, As noted, WC therefore had a credit risk exposure to them.
The auditors should understand WC’s rationale for taking this risk and ask to see the “file”. That would include among other things WC’s credit approval policy and process, documentation of WC’s review, determination of appropriate amount of access, official approval by WC authorized officers/board, supporting documents, e.g., these companies’ audited financial statements, DNB checkings, bank references, etc..
[Side Comment: AA’s smarter, elder brother expert in many things Asian once discovered a massive fraud by reviewing DNB’s for some Asian companies that were used to execute the fraud. If we believe his account, and I can think of no reason why not to, he took all of 20 minutes to do so. For this purpose, I am ignoring his much earlier persuasion of AA that our paternal grandfather was 2,000 years old and had attended grade school with Jesus.]
If WC doesn’t have this information—specifically financials and other credit information—already, the auditors should question why WC are letting these parties have access to their accounts.PPThe auditors could also check ancillary sources of information.
As indicated by the its article referenced above and this one, the FT found some rather strange things about the companies.
Now one might respond that the FT benefited from disclosures by a whistleblower and the auditors had no such help.
But if the auditors were examining the rationale and reasonableness of these companies’ access to WC escrow accounts, then they would have come across the same opaqueness and unsettling information that the FT did.
If they had details of these companies supposed contribution to revenues and net income, they would also have had reason to dig deeper.
In “simple” 30 minute Google search on Alalam I did not turn up the sort of information one would expect for tech company on the “bleeding edge” of the “PSP space”.
What's the point with the 30 minutes here and the even shorter 20 minutes ascribed to AA's wiser, elder brother?
Simply that additional audit measures do not require massive investments in time or energy if done properly.
Nothing in Crunchbase. A rather incomplete profile at Owler, where AlAlam has but one follower.
Not much in the way of third party reporting other than regurgitation of press releases. No interviews with key persons sharing their vision or thought leadership. Sad.
AlAlam has an English language website. But it doesn’t appear to have an Arabic one. Rather strange for a company in the UAE which presumably is pitching customers in the region. Perhaps, they are on the “bleeding edge” of the marketing “space” as well and have moved beyond traditional methods of marketing.
No information on officers, directors, etc.
A laughably short company profile.
The auditing firm could have asked a senior officer of its affiliate in the ROP to assist by contacting a senior officer at the bank for a reconfirmation.
Alternative Measures
The auditors could ask the bank to send duplicates of account statements directly to them. If the bank doesn’t have an account for that customer, then it would so advise.
If it sends a statement with much lower balances, then questions would arise over the amount claimed in the account.
“So what you’re saying is that between 1 and 31 December, these accounts received Euros 1.8 billion in net credits.”
The idea with this step is that requests for duplicate statements would not reach the person within the Bank conspiring to provide false information on confirmations. One department replies to audit confirms. Another department handles “routine” requests for duplicate statements.
If the auditors were engaged in reviewing the use of WC’s accounts by the third parties to determine the amounts those parties needed access to, as my proposal suggests, they should have then they should already have requested account statements.
Transactions shown in the statements should match entries in WC’s accounts. The auditors could take a statistical sample to trace/match transactions between the two.
There are other methods.
The ones outlined here are designed to prove the existence of the account, not necessarily the balance.
If there was doubt about the veracity of the account statements, the auditors could use statistical analysis of transaction amounts and patterns to identify those that likely have been “faked”. Benford’s “Law” is one such technique but there are others.
I met a chap at a financial crimes conference (anti not pro, if you’re wondering) who claimed that using Benford’s Law he quite easily “proved” that financial statements provided for an investigation had been “cooked”.
WC’s establishment of the escrow accounts probably ostensibly to mitigate the credit risk of the two Philippine banks should have resulted in a file documenting management and board discussions, engagement of ROP counsel, correspondence on legal points, review by the board, and a legal document signed by both WC and the two banks in question.
If such a file did not exist, that should raise questions. Often those perpetrating fraud do not create the full set of “backstory” documentation to support the fraud. Or miss critical details in their backstory.
If it did, it should provide another opportunity to verify the existence of the account. Contact the bank and ask to speak to its lawyer named in the correspondence. Check to see if the person signing the agreement on behalf of the bank was in the “right” department and had the authority.
Auditors could also send a request to the bank to confirm that there had been no changes to the escrow agreement. Again if the bank replied that there was no such agreement then alarm bells would go off.
Send a small payment to the bank favour the escrow account prior to fiscal year end. If it’s returned with the notation “no account”, then alarm bells go off. If it’s not returned, it should show up in statements. If not, the bells ring again.
Look for evidence of use of the escrow accounts by WC.
A transfer funds to its main operating account would confirm the existence of the accounts, but, of course, not the balance.
The bank holding the operating account should be able to provide details of any transfer – by order party (the escrow account), originating bank (one of the two Philippine banks), and date of credit to WC’s operating account. So the auditor should not simply match amounts, but look to the transaction details. Again on a sample basis.
If WC never used any funds from the escrow accounts, that should raise questions, particularly if WC is borrowing funds to pay dividends or expenses.
Review of Third Party Companies
WC gave access to its accounts to these companies, As noted, WC therefore had a credit risk exposure to them.
The auditors should understand WC’s rationale for taking this risk and ask to see the “file”. That would include among other things WC’s credit approval policy and process, documentation of WC’s review, determination of appropriate amount of access, official approval by WC authorized officers/board, supporting documents, e.g., these companies’ audited financial statements, DNB checkings, bank references, etc..
[Side Comment: AA’s smarter, elder brother expert in many things Asian once discovered a massive fraud by reviewing DNB’s for some Asian companies that were used to execute the fraud. If we believe his account, and I can think of no reason why not to, he took all of 20 minutes to do so. For this purpose, I am ignoring his much earlier persuasion of AA that our paternal grandfather was 2,000 years old and had attended grade school with Jesus.]
If WC doesn’t have this information—specifically financials and other credit information—already, the auditors should question why WC are letting these parties have access to their accounts.PPThe auditors could also check ancillary sources of information.
As indicated by the its article referenced above and this one, the FT found some rather strange things about the companies.
Now one might respond that the FT benefited from disclosures by a whistleblower and the auditors had no such help.
But if the auditors were examining the rationale and reasonableness of these companies’ access to WC escrow accounts, then they would have come across the same opaqueness and unsettling information that the FT did.
If they had details of these companies supposed contribution to revenues and net income, they would also have had reason to dig deeper.
In “simple” 30 minute Google search on Alalam I did not turn up the sort of information one would expect for tech company on the “bleeding edge” of the “PSP space”.
What's the point with the 30 minutes here and the even shorter 20 minutes ascribed to AA's wiser, elder brother?
Simply that additional audit measures do not require massive investments in time or energy if done properly.
Nothing in Crunchbase. A rather incomplete profile at Owler, where AlAlam has but one follower.
Not much in the way of third party reporting other than regurgitation of press releases. No interviews with key persons sharing their vision or thought leadership. Sad.
AlAlam has an English language website. But it doesn’t appear to have an Arabic one. Rather strange for a company in the UAE which presumably is pitching customers in the region. Perhaps, they are on the “bleeding edge” of the marketing “space” as well and have moved beyond traditional methods of marketing.
No information on officers, directors, etc.
A laughably short company profile.