Weakest Link in the Chain
ANGELA BISASOR
Tom Harrison was a young man from a humble family background. He lived with his mother and his two younger siblings in a two-bedroom apartment in the inner city. His mother was a fruit vendor in the nearby market. She did her best to care for her children, but it was difficult, even more so since her husband had died. Tom carried a greater burden as the oldest son, and he wanted to help his mother and his siblings afford a better standard of life. Tom graduated from high school but found it difficult to get a job. After months of sending out applications and not getting positive responses, he finally got a small break when a friend managed to get him a temporary job working in the Registry Department of Mutual General Insurance Company Limited sorting mail and registering incoming packages. It was not his dream job, but it was a paycheck for the time being. Tom worked enthusiastically and was always eager to help others, going the extra mile wherever he could. He tried to excel, and his supervisor was impressed at his eagerness to learn the system; she encouraged him as a young man trying to improve his prospects. His coworkers liked him, and he was fortunate to have his former school friend, Jane Burns, there to guide him.
Jane secretly had a crush on Tom throughout high school and was always there to help him in whatever way she could. An apparently tough character on the outside, she had a soft spot for him. Tom knew that she cared for him and was happy to be around her. She often asked about his family and offered advice on different things that he talked to her about. At work, she kept him in the loop of the happenings in the department and the company as a whole, which he appreciated very much.
Mutual General Insurance Company Limited was a medium-size company with more than 200 employees, offering insurance coverage for property and automobiles. It had grown from a small brokerage firm to a network of ten branches. Its head office was located in the city and housed the functional departments of registry, underwriting, claims, human resources, marketing, information technology (IT) and internal audit and compliance. Each department had a policy and procedures manual to guide its operations. These manuals were approved by the audit committee and placed on the intranet for employees to access.
Audit and compliance reviews were done routinely in accordance with the approved work plans for the year. The work plans were designed to ensure that high-risk areas were reviewed over a two-year cycle and other areas over three-years. IT audits were done throughout the year. Based on the findings of the different reviews, recommendations made for improvements were generally brushed aside. The control environment in theory was strong, but, in reality, the checks and balances were not working efficiently, resulting in a somewhat laissez-faire way of doing business. The Registry Department had recently been reviewed, and there were no significant exceptions noted. However, a concern was raised during the audit of individuals' access rights to certain areas in the system where they had no need based on their current job function. Some adjustments were made to user privileges, but it was highlighted that read-only access was not considered a problem and it was required from time to time to know where to direct correspondences and queries. In any case, it was considered an issue for IT to manage.
Despite the weaknesses in the control environment, the company was profitable and a leader in the industry. The incidents of increasing insurance frauds were an industry-wide concern, and Mutual General Insurance was no exception. Management had tightened operations with its intermediaries by implementing systems to facilitate timelier reporting and settlement of outstanding claims. Often it appears that when one loophole closes, many more open, so it was a case of always trying to keep up. There were some good employees who did their best to protect the company's assets, but there were others who were just doing enough to get by and no more. All in all, the company was meeting its objectives and financial targets.
The Unexpected Meeting
I was the sole auditor at Mutual General, and we had a cosourcing arrangement with an accounting firm. Basically, we split the audit assignments, worked together and contributed to the audit report. I had just finished a branch review and was in the process of compiling my report when I got a call from Janice Henderson, the chief compliance officer, asking me to come to her office. I put aside the report, wondering what was happening now. These calls usually meant a special assignment. “If only people would do what they are supposed to do.” I sighed under my breath. “If only they would stop strangling the goose that lays the golden egg.” That was where my thoughts almost always ended up when I heard about a new case of someone defrauding Mutual General. I had learned to appreciate the source of my income and to defend it, which made my job that much easier in trying to identify weaknesses and strengthen controls to improve the efficiency, effectiveness and economy of operations. I believed that if others could see things the way I did, we would all be heading in the same direction, but the challenge was that not everyone was on the same path . . . and I guess that made my job function so critical to a healthy organization: at least I acted as a deterrent to the weak.
When I entered Janice Henderson's office, there were two police officers sitting in front of her desk. She introduced me to Sergeant Thompson and Corporal Jones from the local police station. After the formalities, they briefed me on what was transpiring. The officers had been summoned to a local bank where a claims check drawn on our company was being presented for encashment under apparently fraudulent circumstances. The officers confiscated a cell phone from the young woman who was trying to cash the check and found a text message that said “The check is ready for collection” sent from an employee at Mutual General. I asked who sent the text, and Sergeant Thompson told it came from Jane Burns, who worked in the Registry Department.
“Was the check genuine or was it fraudulently drawn?” I asked.
“It was a genuine check,” replied Janice. “The issue is that the check was collected by a fraudster posing to be the insured.”
“I don't understand, because based on my review of the Registry Department just a few months ago, our processes there appeared tight in terms of identifying the collector and ensuring that we are actually giving the right person the right check,” I interjected. General Mutual usually mailed claims checks to our customers, but some people preferred to pick up their checks in person at the office. When that occurs, we check their identification and verify that it matches our records for the individual.
Janice explained that the young woman who picked up the claims check had presented what appeared to be a valid ID that matched the information in our system.
“What went wrong then?” I asked. It turns out the woman had presented a fraudulent ID. The picture was that of the person collecting the check — a young woman whose name was Jenny Ginal — but the details matched those of the insured — an older woman named Dorothy Trimble. Very interesting, I thought. “So have we uncovered a case of identification theft?” I inquired.
“It certainly looks that way,” replied Sergeant Thompson. “And rarely are these isolated incidents. We are hoping to identify the mastermind behind the operation and take him down. Identification theft is spiraling out of control.”
The Interview
Janice summoned Jane Burns to her office. She arrived a few minutes later, looking quite disturbed at this unexpected meeting. I knew Jane from my recent audit of the Registry Department. She had been with Mutual General for more than five years and was well liked by her colleagues. Her supervisor spoke highly of Jane as well, when I asked her to discuss her staff with me. Jane was a young, pretty woman who had a deferential, sweet air about her. I had a hard time imagining her working as part of an identity-theft ring, but I pushed aside my preconceived ideas of her and tried to listen to the interview without bias.
Janice greeted Jane warmly and introduced her to the police officers, and then went on to explain why Jane was there. She informed Jane that a situation arose involving a client who seemed to be connected to her. Janice then handed over the discussion to Sergeant Thompson. He began by asking her not to be alarmed but to cooperate as they tried to ascertain what connections she had with the customer at the bank. Jane was at a total loss and blankly denied knowing who Jenny Ginal was or what they were talking about. She looked genuinely confused.
“So you are stating quite explicitly that you do not know who Jenny Ginal is and that you have never had any reason to contact any one with that name?” asked Sergeant Thompson in a strict tone of voice.
“That is exactly what I am saying,” retorted Jane adamantly. She was seemingly less and less like the meek woman I knew.
“Very well then, if that is your statement,” said Sergeant Thompson. “Do you by any chance have your cell phone on you?”
“I do not see how that is relevant to this conversation,” Jane responded in a feisty voice. She seemed to be getting angrier with every question Sergeant Thompson asked her.
“Your cell phone is what actually linked you to Jenny Ginal,” said Sergeant Thompson, watching Jane closely. He seemed to be monitoring her mood changes even more than I was. While Thompson was talking to Jane, I noticed that Corporal Jones was inconspicuously taking notes.
“I do not see how that is possible,” replied Jane.
“Perhaps if you let me have a look at your phone, it could solve some of the mystery for us all,” said Sergeant Thompson, reaching out his hand in a motion to collect something.
“Why do you want my phone? It is my private phone; it is not a company phone, and it sure was not stolen,” she exclaimed.
“You can do this the easy way or the hard way . . . it is your choice,” said Sergeant Thompson, evidently starting to get annoyed with Jane's defiance.
“I do not have the phone on me,” replied Jane. “I will have to go and get it.”
As she turned to go, Sergeant Thompson asked her to hold on just a moment. “Let us just do a quick check.”
He nodded to Corporal Jones, who dialed Jane's phone number on Janice's office line. We waited with bated breath and then heard the phone beeping from her pocket. Jane's jaw dropped and it was clear that she was embarrassed. However, more important, it was proof that the text to Jenny Ginal had come from Jane's cell phone.
“I did not remember that I had picked it up off the desk and put it in my pocket,” she said in what sounded like an apologetic tone.
Corporal Jones asked Jane for her phone, and she handed it over reluctantly. He clicked through her text messages but said there was no trace of the message to Jenny. Jane was reluctant to provide any further information, so the officers escorted her to the police station, where she was detained for further questioning.
The Interrogation
Both Janice and I decided to accompany Jane to the police station. We were hoping the whole time that Jane would recognize the severity of the situation and tell the police officers whatever she knew about Jenny and the identity theft so they could get on with their investigation. What was she covering up and why? Janice and I speculated in the waiting area, but we did not have much to go on. Sergeant Thompson came out shortly after we all arrived at the station and told us they were going to begin questioning Jane again. He allowed us in the room because any information that Jane provided would likely affect business operations.
Part of me was expecting the Hollywood interrogation scene: a cold, dark room with a small table in the middle; Jane sitting at the table with a spotlight on her; Sergeant Thompson circling her and chain-smoking while grilling her. But no, it was just your run-of-the-mill conference room. Sergeant Thompson and Corporal Jones were sitting across from Jane at the table. Janice and I sat down toward the end so as not to be in the way.
This time Corporal Jones started talking and Sergeant Thompson took notes. Jones began by explaining the implications of the situation to Jane. He made sure she understood that she was being investigated for her involvement in an identity-theft ring and for defrauding Mutual General. The evidence was on her cell phone, which was with a police forensic investigator at the moment. Corporal Jones told Jane that even though she had deleted the text to Jenny, his forensic expert would have no trouble recovering it. He continued this way for a while, thoroughly explaining the case as he understood it, and then offered Jane the opportunity to explain things from her side.
After Corporal Jones' persuasive approach, Jane eventually confessed to having loaned her cell phone to her friend Tom Harrison recently. He told her his phone's battery had died and he needed to send a message urgently. I made a mental note of Tom, and I remembered him from my audit of the Registry Department. He filled an administrative role in the department and mostly handled the mail. He seemed to be an unlikely suspect to orchestrate a fraud ring.
“Who erased the text message from the phone?” asked Corporal Jones.
“It must have been Tom. I did not see the message and I have no idea what it was all about,” declared Jane in a defensive tone. She seemed to be indicating that she would cooperate, but she was not happy about it.
“So, who is this Tom, and what is your relationship with him?” asked Corporal Jones after a moment's thought.
“Why is that important? I told you he is my friend!” exclaimed Jane.
“Young lady, listen to me very carefully. A crime has been committed and you are implicated. It is best if you just try to calm yourself and help us through this investigation as quickly as possible. Both your internal auditor and compliance manager are tired, and I am sure they want to leave in the shortest time possible. I am asking you for your full cooperation,” said Corporal Jones in a controlled tone. “Where do you know Tom from?”
“We went to school together,” said Jane in a low, hushed voice.
“Are you aware of his involvement in any sort of criminal activity?” asked Corporal Jones.
“No, I am not,” retorted Jane, “and I am sure this is all a mistake. I don't know Tom to be a thief and I am sure he is not mixed up with bad company!” By now tears were in her eyes.
“Well, right now, we are following the clues, and at this moment they are all pointing at you.”
“I have nothing more to say. I have told you all I know,” declared Jane. “I want to leave.”
Corporal Jones ended the interrogation session but Jane was remanded to custody.
The Second Interview and Interrogation
The next day, the police came by the office again, and I was summoned to Janice's office, where both Corporal Jones and Sergeant Thompson greeted me warmly. They informed Janice and me that they would like to ask Tom some questions. Janice called Tom and we waited a few minutes before he appeared at the door. The police officers went through the same routine they had done with Jane and asked if Tom knew Jenny Ginal; he said he did not. They went on to ask if he had sent a text message from Jane's phone the previous day, to which he also responded negatively.
“Why, what is this all about?” asked Tom with a questioning look, tilting his head to the right side and gesticulating with his hands.
“Jane said you borrowed her phone and we would like to corroborate this with you,” replied Corporal Jones. “So, did you or did you not?”
Tom thought about it a bit then, shrugging his shoulders, said, “If Jane said so I may have. I don't know why she would lie.”
“So what number did you text?” quizzed Sergeant Thompson.
“Like I said, I don't remember using her phone to send a message, but if Jane said she lent me her phone, I guess she did.”
“We are going to have to take you into the station for questioning. A text was sent to Jenny Ginal's number from Jane's phone and there are implications of wrongdoing on your part,” said Corporal Jones. After some formalities, the officers left with Tom for the police station. Janice and I decided not to attend Tom's interrogation.
Jane was released that day but her phone was held as evidence.
Tom, we found out later, was questioned over and over again but did not change his argument that he did not know Jenny Ginal and he did not remember borrowing the phone.
The police asked Jenny Ginal to identify Tom as the person who had communicated with her on Jane's phone, but she could not because they had never met. Jenny was kept in custody but Tom was released because there was no evidence to hold him responsible — it was Jane's word against his.
The Crime Ring Breaks
The police investigation continued over the following two weeks, during which time the officers made several trips to Mutual General's headquarters and in particular the Registry Department to question employees. They were finally able to piece together the full story. Tom was part of an identity-theft ring that had an extensive operation in the area. Tom's role was to collect information on individuals who were owed claims checks from Mutual General. He conveyed their identifying information to someone up the chain, and that person prepared a fake ID, usually a driver's license, with the insured person's information. However, the photograph would be of another fraudster, like Jenny Ginal, who was going to pick up the claims check. Tom would then text when the claims check was ready to be collected.
In this instance, Tom had accessed the payment system to ascertain the details of a payee who was in the queue for checks to be printed that day. He obtained a copy of the payee's driver's license from her records, which he copied and passed on to the mastermind to print the fake license for Jenny. As soon as the check was prepared and received at the registry for distribution, Tom texted Jenny, whose number he was given by the ringleader, that she could pick up the check from Mutual General's office.
Jenny came into the office, presented what appeared to be a valid ID in the name of the payee and had no difficulty collecting the check. The ploy unraveled when the bank teller spotted an anomaly in the age on the ID and the age of the person presenting it. Jenny Ginal appeared to be in her 20s but the age on the ID was 41. The teller excused herself for a moment and went to speak to her supervisor. She returned to the cage quite calmly and tried to keep Jenny engaged in conversation, buying time for her supervisor to alert security and call the police. In a short time, the police arrived and made their way to the cashier window where Jenny was impatiently waiting for the check to be processed. The officers asked her to go with them to an office where they detained her for questioning. Her phone rang while she was with them, and they asked to see the phone. On searching it they found the text from Jane's phone . . . the rest we know.
Based on the outcome of the investigation, Mutual General fired Tom Harrison, and shortly after Jane Burns put in her two weeks' notice. We were lucky that the bank teller had noticed the discrepancy on Jenny's fake ID and stopped the transaction, but I suspected this was not the first time Tom had directed customer payments to members of the crime ring. When we met with Tom before he was fired, our general counsel suggested that if Tom provided the details of his other thefts, we would not file criminal charges. He agreed and wrote down a dozen other names, which I then investigated. I uncovered a total of $18,000 in stolen insurance payments, and asked a customer service representative to follow up with the individuals who were still waiting for the checks to let them know they were being processed.
Lessons Learned
We had conducted reviews of system privileges in the past and recommended that steps be taken to ensure staff members are given access to proprietary systems on a need-to-know basis only. Unfortunately, that had not happened in this case, as Tom was able to access sensitive customer information that he did not need to know to perform his administrative tasks. This case taught me the importance of following up on my recommendations to make sure they have been implemented. It does no good for an auditor to suggest process improvements if no one is responsible for implementing the changes.
Recommendation to Prevent Future Occurrences
I met with Mutual General's IT team to discuss the case and reiterate the importance of limiting system access. We worked together to redefine access to sensitive information, and I feel confident in our ability to reduce the chances of future occurrence. Of course, nothing can guarantee that company information will not be misused in the future, but the process now in place reduces the risk significantly.
About the Author
Angela Marie Bisasor is a fellow of the Institute of Chartered Accountants (FCA), Certified Internal Auditor (CIA) and a Certified Information Systems Auditor (CISA). She is an auditor, chartered accountant, writer and educator.
Ms. Bisasor graduated from the University of the West Indies with a B.S. (Hons) in accounting (1989) and an M.S. degree in computer-based management information systems (2007). Her professional career began at KPMG, where she developed her skills in auditing and accountancy while pursuing ACCA examinations. She has a wide range of experience spanning different industries. Ms. Bisasor upholds integrity and accountability as key values to business success.