
Monthly Newsletter

November 2018

Welcome to the November Exactech Anti-Fraud Newsletter!

When presenting a SAICA fraud risk management Espresso Shot (CPD session) in Nelspruit, one of the attendees asked me, “How could directors and external auditors have known that something was wrong at Steinhoff as everything seemed fine?”

I didn’t know the facts of the case but after doing a bit of research I found there were many red flags that seemed to have been ignored. According to this article, “investors were misled by a charismatic leader and everyone listened to him. Those that saw red flags were at the trough and didn’t want to upset the apple cart”.

This seems no different to the 1987 ZZZZ Best fraud where Joe Domanick, who wrote a book about Barry Minkow called ‘Faking it in America’, says, “Everybody was making money, the lawyers, accountants and underwriters, so nobody wanted to look too hard”.

I don’t think anything has changed in 30 years, do you? Money still seems to be the primary goal with the end justifying the means, and where the CEO can simply say, “It wasn’t me”!

QUOTE OF THE MONTH

"It's not a matter of if fraud will happen, but how it will happen,"
- Michael Marks, moderator on the All the Queen’s Horses: Why Fraud Happens webinar

TIP OF THE MONTH

Ensure that all employees go on vacation for at least two consecutive weeks and that their job is performed by another person during that time. That’s how Rita ‘the Queen’ Crundwell eventually got caught!

What were the Red Flags in the Rita Crundwell $53 000 000,00 Fraud?
Some people commented that because the fraud was so big, maybe there were no red flags. Well, we are yet to find a
fraud, big or small, where there were no symptoms of the fraud! Let’s look at the red flags that were visible and that should
have been noticed and acted upon by council members, colleagues, the bank and the auditors.
1. Rita Crundwell, the fraudster, was both the financial comptroller and the treasurer.
2. Rita opened a secret bank account called “R.S.C.D.A., C/O Rita Crundwell.”
3. Cheque payments were made out to the “Treasurer” instead of the City of Dixon.
4. The cheques were round amounts.
5. Rita’s lavish lifestyle - she owned a horse ranch with over 400 horses. She bought a motor home for $2 million, boats, cars, jewelry etc. while earning just $80 000 per year.
6. Rita would walk to the bank and post office each day to collect mail and statements!
7. If Rita went on leave her family members would collect the mail and bank statements and keep them until she returned from leave!!
8. Rita played on the auditing firm’s softball team, socialized with certain staff at the auditing firm, and the firm was not only the city’s accountant, but Rita’s personal accountant as well!

I’m sure you’ll agree, there were more than enough warning signs, for over 20 years, that something was not right!

Editor: Mario Fazekas Mobile: +27 (0)83 611 0161 Office: +27 (0)11 475 2525
www.exactech.co Email: mario.fazekas@exactech.co
Cyber Risks

Okay, so you checked on HaveIbeenPwned and you found that your personal data has not been compromised by data breaches and you never reuse passwords on multiple sites, but it’s too soon to celebrate yet!

You now need to ask yourself what type of passwords you use. We have found that many employees use simple passwords such as pet names and event dates. IT administrators will tell users that their passwords must contain characters from the following categories:
• Upper case characters (A..Z)
• Lower case characters (a..z)
• Base 10 digits (0..9)
• Non-alphanumeric (!,$,#,%,-,@)

How’s this password: “November-2018”? Using the above criteria, it complies 100%, yet it is not a good password! An effective password should not contain dictionary words, so a much better password is MgR3-J+2b. But how do you remember such a password?! Easy, “My grandchildren are three-Jennifer plus two boys”. Make an acronym out of a sentence!

Another option would be to use “PassPhrases” such as MyGrandchildrenAreThreeJenniferPlusTwoBoys. Even though it only contains letters, it’s hard to guess and, due to its length, harder to crack.

If you would like a reality check of what simple passwords people use and how easily they will tell you, check out this video-clip.

In the last issue we discussed websites that were breached where user data like usernames & passwords were stolen, so one subscriber asked us if any of these websites were South African?

Yes, four of the largest SA breaches were the eThekwini Municipality, Master Deeds, Ster-Kinekor and ViewFines. You can see what data was obtained here.

Keep in mind that many South Africans use global sites like Yahoo, Dropbox, LinkedIn, Adobe, and Ashley Madison. Ashley Madison is an adultery website where over 30 million members’ data was stolen and one of our clients, in the financial services industry, obtained the list and searched for employee names and emails. They found four employees who had signed up using their work emails!

You may be thinking so what? Well, the hackers were blackmailing these members – “pay us $2000,00 or we tell your family and friends what you have been doing!”

If they don’t have money, then the next step would be “give us your log-in details and we’ll call it quits!”

November & December – the fraudsters’ Busy Time!

Here are 5 email security warning signs that you should be on the alert for in the lead-up to the Christmas holidays:

1. The email is from someone outside my organization and it’s not related to my job responsibilities.
2. I was cc’d on an email sent to one or more people, but I don’t personally know the other people it was sent to.
3. Is the email message a reply to something I never sent or requested?
4. Do I have an uncomfortable gut feeling about the sender’s request to open an attachment or click a link?
5. I hover my mouse over a hyperlink that’s displayed in the email message, but the link-to address is for a different website.
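The password point made under Cyber Risks, that “November-2018” satisfies the four-category rule yet is a poor choice, can be shown by running the page's three passwords through a policy check and a predictability check side by side. This is an added example, not part of the original newsletter; the word list, the 50-bit threshold and the function names are assumptions made for the illustration.

```python
import math
import re

# Constructed mini word list for the demo; a real check would use a full
# dictionary plus a breached-password list.
COMMON_WORDS = {"november", "december", "password", "welcome", "summer"}
MIN_BITS = 50  # assumed threshold for this example, not a standard


def meets_complexity(pw):
    """The four-category rule quoted above: upper, lower, digit, symbol."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def predictable_parts(pw):
    """Guessable components: whole dictionary words and year-like numbers."""
    words = [t for t in re.findall(r"[A-Za-z]+", pw)
             if t.lower() in COMMON_WORDS]
    return words + re.findall(r"(?:19|20)\d{2}", pw)


def brute_force_bits(pw):
    """Upper bound on guessing work: length * log2(character set size).
    It overstates strength when the password is built from known words."""
    size = 0
    size += 26 if any(c.islower() for c in pw) else 0
    size += 26 if any(c.isupper() for c in pw) else 0
    size += 10 if any(c.isdigit() for c in pw) else 0
    size += 32 if any(not c.isalnum() for c in pw) else 0
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw):
    """Return (passes_policy, predictable_parts, bits, verdict)."""
    parts = predictable_parts(pw)
    bits = brute_force_bits(pw)
    verdict = "weak" if parts or bits < MIN_BITS else "acceptable"
    return meets_complexity(pw), parts, round(bits), verdict


if __name__ == "__main__":
    for pw in ("November-2018", "MgR3-J+2b",
               "MyGrandchildrenAreThreeJenniferPlusTwoBoys"):
        print(pw, assess(pw))
```

The passphrase fails the four-category rule while scoring far higher on length than either short password, which is why a policy that only counts character classes rejects the wrong candidates.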

Ethics & the Internal Auditor: 15-16 Nov 2018 (JHB)
Interviewing to Detect Deception: 22-23 Nov 2018 (JHB)
King IV on Fraud & Ethics: 03 Dec 2018 (JHB)
Fraud Investigations: 05-07 Dec 2018 (JHB)
Fraud Prevention & Detection: 10-13 Dec 2018 (JHB)

EXACTECH FORENSICS Phone: (555) 555-5555 Fax: (555) 555-0000
123 Fake Street, City, ST 12345
