Technical Articles

International Journal of Government Auditing – July 2010

Alleged Fraud Involving Millions of Euros: Why Didn’t We Notice?

by Freddy Dezeure and Gregory Van Caenegem (DG INFSO, European Commission) and Dominique Bernadaux, Mattia Ferrara, and Kjell Larsson (OLAF, European Anti-Fraud Office)

Editor's note: This article expresses the personal views of the authors and in no way constitutes a formal/official position of the European Commission.

Toward the end of 2007, allegations of fraud[1] were made involving millions of euros spent to carry out research projects funded by the European Union (EU). This alleged fraud had apparently gone on for a number of years and had been previously undetected.

This article describes the factors that may have allowed this alleged fraud to occur and the actions that have been taken to address it and prevent its future recurrence. While the alleged fraud in this case occurred in the context of audits of research grants—a rather common public sector role—we believe that the lessons learned can be applied in many other areas in the public sector, such as grants and subsidies or the procurement of infrastructure, goods, or services.

Background

The European Commission is the executive arm of the EU. DG INFSO, one of the Commission’s departments, provides EU grants to information technology research projects by cofunding the costs incurred. DG INFSO manages 5,000 projects, and its 15,000 beneficiaries invest more than 1 billion euros per year. DG INFSO carries out 200 annual financial audits on these projects, and the audit results contribute to the annual assurance process.

OLAF, the European Anti-Fraud Office, conducts administrative antifraud investigations to protect the EU budget. Although statutorily part of the European Commission, OLAF is operationally independent as far as its investigations are concerned. It can carry out controls with the help of Member State authorities and, in some cases, with powers similar to national administrative authorities. In its investigations, OLAF cooperates with European Commission departments and national authorities and helps the Commission prevent fraud.

How Did It Start?

At the end of 2007, OLAF contacted DG INFSO to discuss allegations that several entities had claimed substantial but fictitious costs in EU-funded research projects. A highly disturbing detail was that some of these entities had received clean audit reports in the recent past.

As DG INFSO and OLAF analyzed the projects and entities in question, we determined that to confirm or dismiss these allegations we needed radically new cooperation mechanisms between our two departments to synchronize audits and investigations.

A first step was to ensure that we were using the most modern auditing methods, drawing on the new standards issued by the International Auditing and Assurance Standards Board adapted to the public sector context by INTOSAI, and carefully tailoring them to the particular situation.

We also realized that we needed to get insight and drill into vast amounts of data (thousands of legal entities, contracts, transactions, people, addresses, and e-mails). To do that, the advanced data-mining tools that OLAF used were adapted to DG INFSO’s audit environment. This resulted in excellent synergies between audits and investigations, though we were always careful to bear in mind and respect the different roles and mandates of audit and investigation.

The information gathered seemed to confirm that a complex fraud scheme had been discovered that might have gone unnoticed over many years. The alleged fraud was conservatively estimated at millions of euros. The alleged fraud scheme we identified gave both auditors and investigators new insights about the strengths and weaknesses of their respective methods and the importance of an effective cooperation between the two professions.

Let us share some of these lessons learned from an auditor’s point of view.

How Could This Go Unnoticed?

We are convinced that the alleged perpetrators of the fraud had in-depth knowledge of the EU’s control systems and were constantly adapting their behavior as the controls evolved. Loopholes or weaknesses in the regulations were exploited, and misrepresentations were used to an extent that none of us had seen before. The modus operandi included the following:

  • Fictitious documents that look formally correct but were completely fabricated were produced to comply with controls.

  • Shell companies were set up in remote and uncooperative (tax-haven) places, using fake Web sites, hypothetical activities, and clients involved in other offshore entities.

  • Fictitious staff with fabricated curricula vitae were listed. E-mails between these fictitious staff were generated to make it appear that they had worked on the projects.

  • Names of real companies and real people were used without their consent to unduly benefit from their established reputations.

  • Contracts, invoices, and accounting transactions were massively falsified or coded using fake descriptions.

  • Intercompany subcontracting, cross-payments, and back-payments were used to circumvent controls.

EU services were not prepared for the complexity of this fraud scheme and its massive use of misrepresentation. Also, the auditors used traditional audit approaches with standard audit programs that were simply bound to fail in this case. Furthermore, audits were conducted as separate assignments, without links between them.

A key weakness of the existing control processes was undoubtedly the lack of healthy professional skepticism in planning and carrying out audits. Fraud was considered as a scope exception in the auditors’ opinion rather than an integral part of the scope, as specified in International Standard on Auditing (ISA) 240 “The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements,” and International Standard of Supreme Audit Institutions (ISSAI) 1240.

Why Could This Fraud Be Addressed Now?

The shock of large-scale fraud in entities with a clean audit opinion provoked a radical rethinking of our tools and methods, resulting in the following:

  • A continuous and proactive cooperation between OLAF and DG INFSO was set up.

  • Audit methods were brought in line with current standards. Entities were assessed as a whole, gathering as much information as possible before the fieldwork (ISA 315). For every entity, specific risks were identified and the audit program adapted accordingly (ISA 240).

  • An innovative data-mining and risk-assessment approach for audit preparations was designed.

  • A new intelligence tool (PLUTO, see box) was developed to analyze anomalies in large volumes of structured data.
    PLUTO is an intelligence database storing all information about the 15,000 beneficiaries and 5,000 research projects funded by DG INFSO. PLUTO allows the relationships between the various entities it contains (beneficiaries, projects, persons, telephones, and addresses) to be analyzed visually. This analysis identifies risky areas in the contractual environment, facilitating auditing and investigative work. While auditors and investigators still need to demonstrate the fraud, PLUTO makes their task easier by locating the possible areas to look for fraud. PLUTO is based on the commercially available software iBase from i2 Inc.

  • Operational data from DG INFSO’s contractual and financial systems, dating back 10 years and comprising 500 gigabytes of information, were downloaded and indexed, allowing keyword search (names, amounts, and dates). This information was used in audit preparation and during the fieldwork.

  • All past audit reports and documentation on the suspicious companies and projects were retrieved and analyzed.

  • A complete inventory of people, companies, and projects under suspicion was drawn up.

Building on this information, a large number of targeted audits were launched, incrementally building on available information.

Audits were conducted with the level of secrecy required by investigations, limiting the information to a core group of staff. Information was shared on a “need to know” basis. Data and documents were protected using encryption techniques; they were also protected physically.

Lessons Learned for Ongoing Audits and Investigations

While this approach was applied for the first time in a specific fraud case, the lessons learned have now been integrated into our respective daily activities. The following sections describe some of the key elements that have been adopted.

Preparation for Fieldwork

The preparation is designed to

  • obtain an accurate risk assessment of the entity,

  • devise a proprietary audit program based on identified risks, and

  • limit the likelihood that audit evidence will be altered.

The aim is to assess the risk of intentional material misstatements in the entity’s cost claims. Two main factors influence this risk:

  • the entity’s inherent dependency on EU funds and

  • evidence of misrepresentation in documents submitted to obtain funding.

For this risk assessment, we analyze the entity as a whole, using all accessible information sources—internal, open, and commercial.

Information is extracted from DG INFSO’s contract management systems, and EU project officers are interviewed about the entity’s performance. Unexpected changes in the project’s objectives are highlighted. Documents submitted by the entity are assessed for indications of misrepresentation or anomalies (in names, signatures, authenticity, authors, or dates). Previous and related audit reports on the entity are analyzed.

Information is collected from company registries: shareholders, directors, related entities, contact references, and accounting data. Information is cross-checked with open sources (such as Google, company Web sites, Wayback Machine, phonebooks, and Google Maps) and internal sources.

Information about the entity’s key staff is collected from open sources (such as LinkedIn, PIPL, 123People, and Yasni) and cross-checked with the data provided by the entity.

Information about other fund sources is collected. Income from grants is compared with the entity’s annual income statements to assess potential overdependency on grants, which could be an incentive to invent and claim costs not incurred.

All the gathered information is structured and discussed in a brainstorming session with the audit team to determine the key risks and the appropriate audit program.

In most cases, we grant a very short lead-time between the time the audit is announced and the fieldwork (2 weeks instead of months) in order to find the situation as unaltered as possible. In cases where there are clear indications of fraud, OLAF carries out on-the-spot checks without any advance warning, involving DG INFSO auditors as technical experts.

During Fieldwork

Our aim during fieldwork is to

  • gain access to essential information,

  • obtain an accurate assessment of the entity, and

  • safeguard important evidence.

We implement an audit program that is tailored to the entity, applying professional skepticism at every stage. If new elements or new risks emerge during the fieldwork, the audit program is quickly fine-tuned to address them. We ensure that we incorporate unpredictable or unusual components in the program. For example, we

  • interview employees that worked on EU-funded projects, including previous employees;

  • interview the auditors that have signed assurance statements;

  • request that the project’s tangible outputs are demonstrated to us;

  • consult documents other than traditional ones (such as general ledgers, bank accounts, employment registers, and tax declarations);

  • visit the operational premises of the entity; and

  • use scientific experts to control the substance and quality of work completed.

We pay additional attention to any scope limitations imposed by the entity.

Essential documents—authenticated by the entity where relevant—are safeguarded as part of the audit documentation. In doing so, we also bear in mind the need for OLAF investigators to substantiate their case and allow documents to be swiftly transmitted to national judicial authorities.

Feedback to the audited entity may be limited to protect subsequent audits or investigations.

After the Fieldwork

After the fieldwork, our main goal is to

  • carefully consider whether we have grasped the complete picture, seeing the forest and not only the trees, and

  • document the audit findings accurately and in a self-explanatory way.

We analyze the collected information for coherence and plausibility. In some cases, we organize audits in related entities to obtain a complete overview. Communication of conclusions to the audited entity may be deferred until all the linked audits have been completed.

All comments that the audited entity makes when reviewing the audit findings are carefully analyzed, and the audit conclusions are worded carefully.

We feed lessons we have learned concerning potential weaknesses of operational controls into DG INFSO operational services to allow them to improve the controls of the payment and other processes (information technology systems, changing procedures, training staff).

We actively encourage that audit conclusions be implemented as swiftly and efficiently as possible in order to achieve a rapid recovery of improper payments and to dissuade other beneficiaries from similar fraudulent activities.

Challenges

Our new approach is not only resulting in more effective audits and investigations, but also preventing problems. However, it also brings new challenges:

  • Success in detecting irregularities results in increased risk of litigation, with additional burden and cost to the European Commission.

  • More effective audits increase the reported error rate, which, paradoxically, could result in the perception that the system is more vulnerable to fraud than before.

Both these points underline the importance of active communication with internal and external stakeholders to avoid serious misunderstandings. The underlying reasoning should be that detecting fraud is a positive result that demonstrates an improved control system and, first and foremost, helps ensure that money is used for its intended and rightful purpose.

Therefore, higher error rates that result from better detection mechanisms are, at least in the short term, good news and a promise of better public services in the future.

Conclusions

This article demonstrates how EC services implemented INTOSAI’s motto, “Experientia mutua omnibus prodest.” In this case, mutual experience did benefit all and resulted in a new combined audit and investigation approach that helped to successfully untangle a very complex and costly example of fraud.

The lessons learned have already led to improved financial and other controls in INFSO. The new approach and tools will also be used by other EC bodies to implement their risk analysis and organize their controls.

We are sure the improved detection of irregularities and the subsequent administrative, financial, and judicial follow-up will also prevent future problems.

However, we also expect that perpetrators of fraud will apply their own lessons learned, which means that our methods will need continuous updating to keep abreast of a changing reality. This case has given us new perspectives and a salutary electroshock, preparing us also for new challenges. We have identified misrepresentation as a key risk factor in our audit work and developed appropriate methods to cover this risk. Things will never be the same again.

For additional information, please contact the authors at:

kjell.larsson@ec.europa.eu or
freddy.dezeure@ec.europa.eu

[1] To improve readability, the term “fraud” is used here to refer to irregularities and suspected fraud, even though the allegations have not been substantiated in a court of law.