One call likely would have prevented county’s $566,000 fraud loss, audit says

Sedgwick County’s new auditor says a lack of due diligence and internal checks led to the county losing $566,088 to a fraud scheme last fall.

An audit recommended the county could improve its internal procedures, communication between departments and employee training “especially for fraud detection (and) prevention.”

The audit says appropriate internal checks and balances would have required all changes to payment instructions “be verified by a phone call to the vendor.”

“It is highly likely that had this control been in place, this particular fraud would have been discovered before it could be perpetuated.”

The county has already begun some of the work of improving procedures, including new policies across the organization and changing what financial information is displayed on its website.

BKD LLC was hired late last year to do the audit as well as a separate review of internal financial policies and procedures.

“It was clearly time for a fresh look,” said Sedgwick County Commission Chairman Dave Unruh. “A fresh look found some ways to do better.”

County Manager Michael Scholes said it was important to have a new auditing firm that could bring fresh perspective and a more robust review of the county’s internal controls.

“In light of the fraud that occurred in 2016, status quo was not an option,” Scholes said.

Scholes said he was happy with the framework the audit could provide moving forward.

“It identified weaknesses that we need to work on,” he said. “It gives us an opportunity to use a road map to get better as an organization.”

‘No due diligence’

Sedgwick County lost $566,088.90 to an e-mail phishing scam last fall. A fraudster pretending to be a vendor sent a fake Automated Clearing House form and a voided check to the county. That changed the payment instructions for Cornejo & Sons, a Wichita construction company that’s a county vendor.

The transaction, meant to pay for a road project on 53rd Street North between Andale and Maize, was instead diverted to the fraudster’s bank account.

George S. James of Georgia pleaded guilty last week to being part of the scheme. But he said it wasn’t his idea and that he worked with someone else, identified only as “A.H.” in court records. It’s an ongoing investigation.

There were multiple factors that allowed the fraudster to pull off the scheme, according to the audit.

“The most significant factor was that the county lacked appropriate internal controls to safeguard against this type of fraud,” according to BKD. “There were no policies or procedures regarding verification activities related to … vendor payment instructions.

“The requested change was processed with no due diligence performed,” it added.

The county wasn’t insured for the fraud loss, which the insurance company blamed on an “employee’s mistake.”

‘Balance transparency with … security’

Chief financial officer Lindsay Poe Rousseau said the county now confirms payment updates on the phone with two designated people from each vendor.

“One of the steps that we take now is to make sure to contact those vendors before we make any changes,” she said.

Poe Rousseau said the county changed the way its collects and manages vendor information before the audit began. A group of county staff members recommended the county remove a variety of vendor forms and transparency tools, including the ACH form, from the website.

Poe Rousseau said they tried to “balance transparency with identified security risks.”

“We were already on notice that there were things that we needed to make sure our processes and procedures were as good as they could be to prevent similar activity from occurring,” she said.

Scholes said he ordered an internal review of policies and procedures shortly after the fraud loss.

“We kind of went a little far to the right immediately, probably to the extreme, to guarantee that we’re shutting things down, almost triple checking,” Scholes said. “Once we got that in place, we kind of backed that off to where now we believe is the right level of internal control.”

Scholes said some elements of the website have been restored with less compromising information “but with more internal control.”

“There were several areas that you could have deduced or any perpetrator could have deduced from what we had on the website,” Scholes said. “Whether that’s where he got it or not, we’ll never really know.”

Other weaknesses, deficiencies

Poe Rousseau said the auditor found the county’s financial checklist for the end of the year “wasn’t comprehensive enough.” She said the county would focus on adhering to strict deadlines.

BKD found the county doesn’t have adequate tracking of grant activities, such as state grants.

“We lack some consistency in how we do that,” Poe Rousseau said. “We want to make sure that information Finance is receiving is accurate and timely.”

Poe Rousseau said they’ve also worked to boost communication between the Finance Department and Public Works staff who manage capital projects.

“We have a lack of communication where we need it, between Finance and divisions,” she said. “We are working to improve that.”

Sedgwick County has 489 purchasing or travel cards throughout the organization. Poe Rousseau said a new policy to make sure the right people have access to the right type of card was “one of our highest priorities.”

BKD also recommended the county get more detailed data on how purchasing cards are used by employees. Poe Rousseau said the county is now reviewing that data routinely “to make sure that there are no irregular transactions and, if there are, to dig into that.”

The audit also said the county had not completed a recent fraud risk assessment and needs an anti-fraud culture or “tone at the top.”

‘A different perspective’

Allen, Gibbs and Houlik had been the county’s longtime auditor until late last year. A top AGH executive suggested in December that the process to choose an auditor had been manipulated against his firm, which county officials denied.

Scholes said Allen, Gibbs and Houlik had long been a good partner but that government organizations should be willing to change who audits them more frequently.

“We asked BKD to do a more thorough (audit),” Scholes told The Eagle. “They were purposefully coming in here with that in mind.

“It was just time to get somebody in here with a different perspective,” Scholes added. “Any time you do have a different auditor, they’re going to come in here with a different process than the previous one used.”

Sedgwick County commissioners also praised the work of the audit and switching to a new firm.

“This is not the best report, but this is why we did what we did when we changed auditors,” Commissioner Richard Ranzau said.

“You don’t know what you don’t know until you take a good hard look,” Commissioner Jim Howell added.

Commissioner David Dennis said the audit identified “some things that we can do better.”

“But, overall, our organization is strong and our financial situation is strong,” Dennis said. “Everyone can see exactly where we’re at. That was the whole purpose of this audit. That was the purpose of having BKD do this audit.”

This story was originally published July 11, 2017 at 3:16 PM with the headline "One call likely would have prevented county’s $566,000 fraud loss, audit says."