Sunday, July 15, 2012

Peregrine – Auditors Fail to Find $200 Million Fraud


The Peregrine Financial Group Inc. fraud is still emerging, but once again, we see auditors being duped because they failed to follow the basic procedures of the auditing profession and exercise an appropriate level of professional skepticism.

The CEO and sole owner of Peregrine Financial Group, Russell Wasendorf, Sr., attempted to commit suicide and left a note detailing the fraud that was committed over a 20 year period of time. It’s alleged that more than $200 million in customer funds are missing.

The Note Confirming the Fraud

 Here is part of the suicide note (I’ve highlighted important concepts in red):
“I have committed fraud. For this I feel constant and intense guilt. I am very remorseful that my greatest transgressions have been to my fellow man. Through a scheme of using false bank statements I have been able to embezzle millions of dollars from customer accounts at Peregrine Financial Group, Inc.
“The forgeries started nearly twenty years ago and have gone undetected until now. I was able to conceal my crime of forgery by being the sole individual with access to the US Bank accounts held by PFG. No one else in the company ever saw an actual US Bank statement. The bank statements were always delivered directly to me when they arrived in the mail. I made counterfeit statements within a few hours of receiving the actual statement and gave the forgeries to the accounting department.
“... I had no access to additional capital and I was forced into a difficult decision: Should I go out of business or cheat? I guess my ego was too big to admit failure. So I cheated, I falsified the very core of the financial documents of PFG, the Bank Statements.
“At first I had to make forgeries of both the Firstar Bank Statement and the Harris Bank Statements. When I choose [sic] to close the Harris Account I only had to falsify the Firstar statement. I also made forgeries of official letters and correspondence from the bank, as well as transaction confirmation statements.
“Using a combination of Photo Shop, Excel, scanners, and both laser and ink jet printers I was able to make very convincing forgeries of nearing every document that came from the Bank. I could create forgeries very quickly so no one suspected that my forgeries were not the real thing that had just arrived in the mail.
“With careful concealment and blunt authority I was able to hide my fraud from others at PFG. PFG grew out of a one man shop, a business I started in the basement of my home. As I added people to my company everyone knew I was the guy in charge. If anyone questioned my authority I would simply point out that I was the sole shareholder.
“I established rules and procedures as each new situation arose. I ordered that US Bank statement were to be delivered directly to me unopened, to make sure no one was able to examine an actual US Bank Statement. I was also the only person with online access to PFG’s account using US Bank’s online portal. On US Bank side, I told representatives at the bank that I was the only person they should interface with at PFG.
“When it became a common practice for Certified Auditors and the Field Auditors of the Regulators to mail Balance Confirmation Forms to Banks and other entities holding customer funds I opened a post office box. The box was originally in the name of Firstar Bank but was eventually changed to US Bank....
“When online banking became prevalent I learned how to falsify online Bank Statements and the Regulators accepted them without questions.”[1]

Improper Bank Confirmation

During a financial audit, auditors verify bank balances by sending confirmation forms directly to the banks. In this case, the auditors made a fundamental mistake. They allowed Mr. Wasendorf to give them the bank address to send the confirmation form. This was a false address. It was P.O. Box which Mr. Wasendorf controlled, he said in his statement.[2]

As we’ve learned from many frauds in the past, auditors must be sure they do not allow management to control any part of the audit process. Time and again, we have seen management, in the interest of helping the auditors, work to deceive them.

Lack of Professional Skepticism

 According to the Wall Street Journal:

In early 2011, NFA [National Futures Association - the regulator] officials reached out to U.S. Bank, a unit of U.S. Bancorp, seeking to confirm that Peregrine's customer account figures matched the bank's own account, according to a person familiar with the investigation. The regulator received a response from the bank showing that the client-fund account held less than $10 million—far below what it was supposed to contain.
A few days later, the NFA received a fax purporting to be from U.S. Bank that showed that the account was whole, with more than $200 million, the person says. In fact, this person says, investigators now believe the fax came from a number controlled by Mr. Wasendorf.[3]
Now many people might think that the second document was sufficient to support the $200 million account. But, there are two problems, first, auditors have a professional obligation to be skeptical about all transactions. Second, they have a professional obligation to follow-up on any potential “red flags” they observe.
In fairness to the regulators, the alleged fraud was exposed:
“…after the National Futures Association, Peregrine's front-line regulator, dispatched an audit team in recent weeks to Cedar Falls to review the firm's books and pressure the executive to sign on to a new, online system for verifying accounts. The system, called Confirmation.com, likely would have rendered the fraud unsustainable.
Mr. Wasendorf resisted signing the necessary form for several days, prompting the NFA to threaten stronger action against Peregrine, according to a person familiar with regulators' investigation. Mr. Wasendorf relented and signed on Sunday, the person said.[4]

The Lessons for the Auditors

 Finding fraud requires a level of skill that calls for the auditor to understand how frauds have occurred in the past and to be willing to challenge management. Too often, auditors do not spend the time learning about past frauds. I’ve even heard auditors say, “I doubt it is happening here.”

Here are some lessons from this fraud. Recognize:
1.    Any document can be altered with the technology available to us today.
2.    Management has an incentive to get a “good” audit result. A “bad” audit result can create future difficulties for the management team.
3.    Auditors should independently obtain confirmation from third parties. Do not use the audited organization’s mail stream and do not let management assist in any part of the process.
4.    If third party documents are available (such as bank statements) get them directly from the source.
5.    Many people depend on the auditor or regulator to find the fraud that may be occurring and to stop it before significant harm occurs to innocent parties.
Fraud happens. Auditors have got to get better at finding it. Keep in mind Mr. Wasendorf’s statement: Using a combination of Photo Shop, Excel, scanners, and both laser and ink jet printers I was able to make very convincing forgeries of nearing every document that came from the Bank. I could create forgeries very quickly so no one suspected that my forgeries were not the real thing that had just arrived in the mail.
 Here are two of the documents Mr. Wasendorf altered:

The Phony Bank Statement:


The Phony Bank Confirmation:



1 comment:

  1. > Fraud happens. Auditors have got to get better at finding it.

    If the forgeries remain in an electronic format (aka not paper) then a way to detect them is to focus on what traces the technology leaves behind within the documents. Most electronic documents contain information about how they were created, when they were created, and who created them which is known as metadata. The metadata can be used to determine if they are real or forgeries. One example is a technique I have been working on to find fake documents for two specific types of frauds. It works by identifying red flags in a document's metadata; the technique should empower people to find forgeries sooner rather than later. Unfortunately, the technique may not have been useful in this specific fraud since based on your post it appears like the forgeries were in paper format. However, if any of the documents remained in an electronic format then the metadata would have been a dead giveaway. Auditors just need to start analyzing it.

    If interested, you can read about my technique in my slides from a recent presentation. The target audience was digital forensic practitioners but I'm working on a paper for a more general audience such as auditors and investigators. Here is the link to my blog post showing where to grab the slides.

    http://journeyintoir.blogspot.com/2012/06/detect-fraud-documents-360-slides.html

    ReplyDelete