Checklist 10.3: Assessing Shell Company Risks
Yes | No | N/A | Risk Rating | Management Controls
ASSESSMENT OBJECTIVES
1. Learning how fraud schemes are carried out
2. Developing an audit plan to detect shell companies
3. Creating a profile of data needed to identify red flags
4. Creating a strategy to extract data from systems to use in the audit
process
5. Implementing audit verification procedures to identify shell companies
that pose a financial risk to the institution
IDENTIFYING FRAUD SCHEMES
Billing Schemes Overview
1. Shell companies are involved in billing schemes, a form of occupational fraud.
2. Occupational fraud is divided into three categories:
a. Corruption
b. Fraudulent statements
c. Asset misappropriations (billing schemes)
3. Two forms of billing schemes:
a. Shell company schemes
b. Pass-through schemes
4. Shell company scheme:
a. Employee, usually involved with purchasing, will create a false
vendor to submit fake invoices for payment to their employer.
b. Employer will pay invoice assuming it was for legitimate services.
c. Payment is then deposited into falsified business bank account
allowing money to be accessible to criminals.
5. Pass-through scheme:
a. Employee will create what seems to be legitimate business and use
it to purchase goods or services from their employer.
b. They mark the goods up and sell back to their employer, pocketing
the profit from the mark-up.
Shell Company Billing Schemes
1. False billing
2. Payment for goods or services not delivered or provided
3. Pass through scheme:
a. Payment for goods or services that are provided
b. Real vendor (front company) provides goods or services to a shell
company
c. Shell company provides goods or services with a markup on price
4. Pass through fraudster alternatives:
a. Internal employee
b. Internal employee in collusion with sales person from real supplier
c. Customer handling cost reimbursable contracts
5. Red flag indicators for billing schemes:
a. Invoices for unspecified services or “soft” billings such as consulting or advertising
b. Unfamiliar vendors
c. Vendors with P.O. Boxes only
d. Vendors with company names consisting of initials only
e. Rapidly increasing purchases from one vendor
f. Vendor billings more than once a month
g. Vendor addresses that match employee addresses
h. Large billings broken into multiple smaller invoices
i. Internal control deficiencies
j. Unfolded invoices which may indicate they weren’t mailed
Fictitious Service Schemes
1. Used by foreign individuals to conceal money movements
2. Fraudster will create a false company and then enter into a contract
with another business offering an intangible service, such as consulting.
3. When payments are received from legitimate business for alleged
consulting services, fraudster deposits money into their own accounts.
4. Fictitious service schemes are tough to take legal action against.
5. State agencies often do not collect enough information pertaining to
company formations.
6. Difficult for authorities to identify fraudsters for prosecution
Bankruptcy Fraud
7. Use shell companies in bankruptcy fraud to shield assets (money,
property, valuable items, etc.) from being taken by court when filing
for bankruptcy.
8. Fraudsters set up shell entity and hide their money and/or personal
assets under business name.
9. Fraudsters file for bankruptcy without having to surrender their personal assets.
Tax Evasion and Market Manipulation Scams
10. Tax evasion
11. Shell companies used to hide personal assets under false business
names in order to avoid tax liabilities
12. Similar to bankruptcy fraud
13. Market manipulation
14. Shell companies used to stage fake stock offerings to outside investors
15. When investors decide to invest in what seems like a legitimate
business, fraudsters steal invested dollars.
How Fraudsters Use Shell Entity for Fictitious Service Schemes
16. Search online for company formation agent located in Dover, Delaware (Agents for Delaware Corporations).
17. Go to location of business and request services in assisting formation
of a Corporation.
18. File all necessary paperwork with state and use one of their executive’s names as incorporator of corporation for anonymity
(http://www.agentsfordelaware.com/FormingACorporation.html).
19. Pay fee to agent with cash or money order that guarantees no link.
20. Obtain P.O. Box with post office for company address.
21. Open bank account at local bank in business name with state filed
documents.
22. Obtain pre-paid cell phone to use as business phone. (Cell phone
carriers do not check background information nor verify names for
pre-paid purchases and services.)
23. Have some inexpensive business cards made to suggest that business is
legitimate.
24. Use only name of business, P.O. Box, and phone number (no contact
name, logo, or e-mail address).
25. Submit invoices to corporate accounts payable function for professional services.
26. Receive payments for professional services invoices and deposit
funds into business bank account.
27. After checks clear or based on some external event, close business
bank account, discontinue pre-paid cell phone number from service,
and close P.O. Box that was originally set up for mailing purposes.
28. Destroy all paperwork associated with professional services company.
Using Scheme Structure to Create Audit Procedures
29. Shell company schemes always:
a. Set up an entity.
b. Commit one or more fraudulent actions.
30. General audit work steps:
a. Identify fraud scenarios.
b. Develop an audit response to each fraud scenario.
Scheme Structures
False Entity Structure
1. Fraud scenarios:
a. Involve shell company vendors, customers, and employees.
b. Use false entity structure to commit the fraudulent activities.
2. Vendors and customers:
a. Legally created (test incorporation date vs. first business date)
b. Exist in name only (entity verification procedures will detect false
entity)
c. Red flag — Incorporation date within 90 days of first business
transaction date
d. Fraudster assumes identity of real entity such as a vendor, customer, or employee.
e. Address or telephone number within company master file for entity
should not match address or telephone number of entity verification procedures.
f. Exception may be pass-through fraud scheme where fraudster is
employed at real source of goods or services resulting in record
match.
Real Entity Structure
3. Consider additional investigation even if verification indicates entity is
real.
4. Investigate nature of account relationship.
5. Review fraud scenarios.
6. Investigate evidence.
7. Look for fraudulent business or transactions.
8. If no fraud found, put on watch list.
Nominee Services Structure
9. Nominee EIN:
a. Shell companies may obtain an EIN without providing their EIN
on application.
b. Nominee officers and directors
c. Service providers may set up nominees for those offices in shell
company that appear on public record to eliminate client’s name
from secretary of state records.
10. Nominee stockholders:
a. Fraudster can retain ownership and operational control through
confidential stock ownership or appointing officers that do not
appear on public record.
b. Fraudster may use nominee stockholders to create additional layer
of privacy while maintaining control through an irrevocable
proxy agreement.
11. Nominee bank signatory
12. Nominee appointed as company accountant accepts instructions from
fraudster
Fraud Concealment Structure
13. Creating false:
a. Documents
b. Representations
c. Approvals
14. Restricting internal control effectiveness:
a. Blocking access to information
b. Avoiding or circumventing control levels
c. Geographic distance between documents and controls
d. Real and perceived pressure to carry out transaction
Identifying Concealment Complexity
Low Concealment Complexity
1. Direct matches of fraudulent entity structure to another entity structure
2. Entity identifying information links to fraudster’s known identifying
information (specific street address)
3. Fraudulent activity linked to one or a few entity structures
4. Data mining routine searches key on data matching
5. Overall sample size is determined by number of transactions that
match data profile
6. Sample size can range from zero to large number
Moderate Concealment Complexity
7. Direct matching routines less effective — data interpretation skills
necessary
8. Sample selection requires data interpretation skills and scenario-specific data mining routines.
9. Use judgment in selecting sample size.
10. Selecting all transactions meeting matching criteria may not work.
11. Use filtering techniques.
12. Drill-down analysis to reduce number of transactions fitting data
profile
13. Entity identifying information relates to some aspect of fraudster’s
known identifying information (zip code location vs. physical street
address).
High Concealment Complexity
14. Direct matches seldom occur.
15. Fraudulent activity might be linked to multiple entities or smaller-dollar transactions.
16. Entity identifying information has no relationship with fraudster’s
known identifying information
17. Entity identifying information might relate to mailbox service or
out-of-area address that has mail-back feature.
18. Sample selection relies on data interpretation skills.
19. Population for deriving a sample is larger because selection criterion
identifies all transactions in group versus specific transaction.
20. Sample size tends to be determined judgmentally versus the use of all
transactions meeting the matching criteria.
Assessment Procedures
Using Data Mining
1. Locate vendors:
a. Identify shell corporation profile.
b. Identify transactions indicative of a shell corporation.
2. Data mining audit strategy:
a. How complex is concealment strategy (larger number of transactions)?
b. Build data profile for fraud scenario.
c. Perform audit procedures consistent with concealment strategy and
data profile.
Data Mining Fraud Profiles
3. Names
a. Look for non-descriptive names.
b. Limited number of consonants (five in U.S.)
c. Strip out following before counting alpha string:
i. “Inc.”
ii. Spaces
iii. Vowels
iv. Special symbols
4. Mailing Addresses
a. Search for known mailbox services.
b. Strip out all alpha, spaces and special symbols.
c. Search for duplicate numeric strings in vendor database or between
payroll and vendor databases.
d. Link zip code field to street number to minimize false positives.
5. Country, City, State and Postal Codes
a. Audit assumption
b. Shell corporation is close to targets
c. Shell corporation is within the state to avoid crossing state or
country borders
d. Does not typically fit high concealment complexity frauds
6. Telephone Numbers
a. Often use mobile lines because no physical office exists
b. Pass through fraud schemes associated with existing supplier —
conduct duplicate telephone number search
7. Create Dates
a. Use creation date to filter out vendors less likely to be shell corporations.
b. Search for correlation between first invoice date and creation date.
8. Banking Transactions
a. Bank Routing Number:
i. Payments are transferred either by wire or address.
ii. Use routing number to correlate to possible fraudsters.
iii. Fraudster is smart enough not to use personal bank account,
but may use same bank for shell corporation bank account.
b. Bank Account Number — search for duplicate bank account
numbers in vendor master file or between payroll and vendor
master file
9. Vendor Invoice Numbers
a. Invoice number pattern is a critical data field for data mining:
i. Fraudster creates the number.
ii. Pattern and frequency analysis is critical in search for false
billing schemes.
iii. Low complexity scheme will often have sequential pattern of
invoice numbers.
b. Pass through scheme:
i. Invoice number pattern will depend on whether pass through
entity has one or a few customers.
ii. Vendor invoice date: search for unusual patterns within date
(weekends, same day of week, or same day number).
iii. Vendor invoice amount: correlates to management position of
fraudster (personal risk tolerance, control levels, and
whether scheme is false billing scheme or pass through
billing scheme).
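The data profile above (names, mailing addresses, create dates, bank account numbers, invoice number patterns) can be run as a low-concealment matching routine; the following is an added example, not part of the original checklist. All records and field names are constructed, and it assumes "five" means a consonant string of five or fewer characters and applies the 90-day red flag to the vendor create date.

```python
import re
from datetime import date

# Constructed sample data (illustrative only): vendor master, payroll, invoices.
VENDORS = [
    {"id": "V1", "name": "ABC Inc.", "street": "P.O. Box 4471", "zip": "19901",
     "bank_acct": "000111222", "created": date(2023, 1, 10)},
    {"id": "V2", "name": "Northwind Industrial Supply, Inc.", "street": "200 Harbor Rd",
     "zip": "19720", "bank_acct": "555000999", "created": date(2015, 6, 1)},
    {"id": "V3", "name": "JKL Consulting", "street": "1420 Elm Street Apt 3",
     "zip": "19904", "bank_acct": "777333111", "created": date(2023, 3, 1)},
]
EMPLOYEES = [{"id": "E7", "street": "1420 Elm St. #3", "zip": "19904",
              "bank_acct": "123123123"}]
INVOICES = [("V1", "1001", date(2023, 2, 1)), ("V1", "1002", date(2023, 2, 15)),
            ("V1", "1003", date(2023, 3, 1)), ("V2", "88214", date(2023, 2, 3)),
            ("V2", "90377", date(2023, 4, 9)), ("V3", "A-17", date(2023, 9, 1))]
MAX_CONSONANTS = 5  # assumption: reading of "five in U.S." as an upper bound

def name_key(name):
    """Strip 'Inc.', spaces, vowels and special symbols; return the consonant string."""
    name = re.sub(r"\binc\b\.?", "", name, flags=re.I)
    return re.sub(r"[^A-Za-z]|[aeiouAEIOU]", "", name).upper()

def address_key(street, zip_code):
    """Strip alpha, spaces and symbols; link the digits to the zip code."""
    return (re.sub(r"\D", "", street), zip_code)

def red_flags(vendor):
    """Return the profile tests this vendor matches, in checklist order."""
    flags = []
    if len(name_key(vendor["name"])) <= MAX_CONSONANTS:
        flags.append("non_descriptive_name")
    if re.search(r"\bP\.?\s*O\.?\s*BOX\b", vendor["street"], re.I):
        flags.append("po_box_only")
    key = address_key(vendor["street"], vendor["zip"])
    if key[0] and key in {address_key(e["street"], e["zip"]) for e in EMPLOYEES}:
        flags.append("address_matches_employee")
    if vendor["bank_acct"] in {e["bank_acct"] for e in EMPLOYEES}:
        flags.append("bank_acct_matches_employee")
    inv = sorted((d, n) for v, n, d in INVOICES if v == vendor["id"])
    # An invoice dated before the create date also lands here (negative gap).
    if inv and (inv[0][0] - vendor["created"]).days <= 90:
        flags.append("first_invoice_within_90_days_of_creation")
    nums = sorted(int(n) for _, n in inv if n.isdigit())
    if len(nums) >= 3 and all(b - a == 1 for a, b in zip(nums, nums[1:])):
        flags.append("sequential_invoice_numbers")
    return flags
```

Matches only select the sample; each flagged vendor still goes through the entity verification procedures that follow.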
Verification Procedures
10. Entity Verification Procedures
a. Were control procedures followed when setting up vendor?
b. Test legal existence.
c. Verify physical existence.
d. Test business capacity.
e. Conduct reference checking.
11. Verify Legal Existence: Registrations
a. All entities have some form of legal government registration:
i. Establish whether entity is legally created.
ii. Gather identifying information to link to other pertinent information.
A. Employee birth records
B. Corporation registration requirements with government
office
C. Names of registrars
D. Officers’ addresses
E. Dates related to entity creation, dissolutions, or changes
iii. Look for DBA certificate for unincorporated customers and
vendors.
A. Lack of DBA certificate can be a red flag.
B. DBA certificate can provide small business owner name.
12. Verify Legal Existence: Registrations
a. Small businesses might not be registered in state matching their
business address.
b. Should be foreign corporation doing business in state matching the
address.
c. Conduct national-level search for legal registrations.
d. Is entity a member of a trade association?
e. Use Internet search companies such as LexisNexis to search for
public records.
13. Verify Physical Existence: Telephone Verification
a. Call entity.
i. Is telephone disconnected?
ii. Does someone answer in name of different entity?
iii. Does someone answer in name of entity in question?
b. Need good interview skills
i. Use telephone in area code of company you are auditing —
area codes from out of area might create suspicion about why
you are calling.
ii. Be prepared to provide an explanation as to why you are
calling (updating records, resolving internal problems, trying
to find original documents that have been misplaced).
iii. Have documents readily available to ask questions or provide
answers.
iv. Avoid calling multiple times — second telephone call raises
suspicions.
v. Entity you are calling might have Caller ID — do not indicate
that you are someone other than the person associated with
the number identified.
vi. Determine if manner in which a call is answered is consistent
with anticipated business size.
14. Verify Physical Existence: Check on Business
a. Internet search engines
b. Determine what physical structure is located at known address.
c. Is address consistent with entity structure:
i. Consider visiting the site — use private detectives.
ii. Check public records to determine whether a government or
business recognizes entity as real and if address is recognized by other entities.
iii. Obtain legal documents filed by banks securing a loan.
iv. Does federal identification number or Social Security number
match name associated with ID number?
v. Confirm VAT number with government ministry.
15. Business Capacity Test
a. Proof of Insurance
i. Real companies tend to have insurance (workers’ compensation insurance).
ii. Request certificate of insurance — note date of coverage and
types of coverage.
b. Employees
i. Call company to see if they have an automated telephone directory.
ii. Company telephone directory provides evidence that company
has employees.
c. UCC Filings
i. Check public record for liens filed by bank or financing company.
ii. Indicates bank recognizes entity as real
d. Review shipping documents (bill of lading) to check source of
shipment.
e. If company has website, does site provide matching information
about businesses and services offered?
16. Reference Checking
a. Professional Associations:
i. Is entity recognized by trade association?
ii. Check with associations to learn about trade practices and
trends to corroborate representations.
b. Competitors:
i. Contact competitors to establish that entity conducts business
consistent with goods and services described on invoice.
ii. Competitors may also provide information regarding ownership and business conflicts.
c. Media searches:
i. Information published regarding entity might provide names,
services, and legal actions.
ii. Advertisements by entity would suggest existence of entity
and describe type of services provided.