Post on 26-Mar-2015
FLORIDA COURT CLERKS AND COMPTROLLERS
ANNUAL CONFERENCEJUNE 12, 2013
SAM M. MCCALL, PHD, CPA, CGFM, CIA, CGAP,CHIEF AUDIT OFFICER
FLORIDA STATE UNIVERSITY
Fraud - A Risk for Your Organization
1
2
Session Outline
Public Expectations for Public OfficialsInternal Control and RiskThe Elements of Internal ControlWeaknesses in Internal Control can Result in
Fraud and Illegal ActsCase StudiesReviewing Internal Control and Identifying
Fraud, Illegal Acts, and AbuseSummary and Wrap Up
3
Public Expectations for Public Officials
High ethical and moral behaviors Public employees will conduct business within policy
and proceduresPublic resources will not be wasted, abused, lost or
stolenYellow Book – management should conduct
operations Economically Efficiently Effectively Ethically Equitably
4
Terms of Importance
MisfeasanceMalfeasanceNonfeasanceAbuseFraudInternal controls
5
What Is Misfeasance?
A misdeed or trespassThe improper or wrongful performance
of some act that a person may lawfully do
6
What Is Malfeasance?
Ill conduct, evil doingThe commission of an act that is unlawful Comprehensive term including any wrongful
conduct that interferes with the performance of official duties
The doing of an act that a person should not do at all
7What is Nonfeasance?
Nonperformance of an act that a person is obligated or has a responsibility to perform
Not doing what you should doTotal neglect of duty
8
What Is Abuse?
Improper or inappropriate program management
Misuse of authority or positionEverything that is contrary to good order Can be intentional or unintentionalDoes not have to violate a law, regulation, or
contract provision
9
What Is Fraud?
A false representation of a matter of factConcealing that which should be disclosed –
deceiving to cause legal injuryIntentional perversion of the truthTo deceive another such that they rely
on the false representation and surrender a valuable thing or a legal right
10
Components of Internal Control
Control EnvironmentRisk AssessmentControl ActivitiesInformation & CommunicationMonitoring
11
12
Who is Responsible for Internal Control?
Management!!Not the
Auditor!!
13
14
Components of Internal Control – Control Environment
The building block for all other components: Integrity & ethical values Commitment to competence Independent audit committee Management philosophy & operating style Organizational structure Assignment of authority & responsibility Human resource policy & practices
15
Components of Internal Control – Risk Assessment
Segmenting department into organizational components
Analyze general control environmentAnalyze inherent riskDevelop appropriate control activities
16
Annual Audit Plan Risk Assessment Criteria
Program Fiscal Impact 20Strength of Management 20Sensitivity and Public Relations 15Risk of Loss, Noncompliance,
Corruption or Fraud 10Complexity of Activity 20 Risk to Public Welfare 15
100
17
Risk
Risk are essentially the opposite of control objectives
If the objective is to safeguard assets, the risk is that assets will be lost or stolen.
Therefore, without knowing the risk, one cannot decide on the appropriate control activities
Conduct brainstorming sessions to identify risk and potential areas for fraud
18
Risk – Questions to Consider
Chance of Occurrence - How likely is it to go wrong? (High, Medium, Low)
Impact of Occurrence - What will happen if it goes wrong (assets lost, clients not served, noncompliance with law, damage to the reputation of the government, etc.) (High, Medium, Low)
Assessment of Risk (High, Medium, Low)
19
Components of Internal Control – Control Activities
Link to objectivesAccountability for resourcesDirect activity managementTop level reviewsSegregation of dutiesPhysical controlsExecution & recording of transactions &
events
20
Components of Internal Control – Information and Communication
Information – ReportsCommunication – Dissemination of Reports
21
Components of Internal Control - Monitoring
Ongoing monitoringSeparate evaluationsReporting deficiencies
Internal control
The plan of organization and policies and procedures established by management to accomplish organization goals and objectives
No individual person should have access to assets and also maintain summary accounting records relating to those assets – no one should control all phases of a transaction
There should be periodic comparison of assets of record (recorded accountability) to physical existence
In instances where cost of control exceeds resources, there should be mitigating controls
22
23
Who Commits Fraud?
MarriedBetween 18 and 36Has 2 childrenOwns a homeDoes not have a drug or alcohol problemDoes not recognize harm to victimsBrightStrong sense of challenge and game playingVersed in technology and skillfulHas a position of trust
24
Reporting Fraud – Employees Do It Best
1.7%
5.1%
6.2%
8.6%
11.5%
15.4%
18.6%
18.8%
26.3%Tip from employee
Accidental discovery
Internal Audit
Internal controls
External audit
Tip from customer
Anonymous tip
Tip from Vendor
Notification from law enforcement
25
Who Has the Responsibility for Detecting/Reporting Fraud?
ManagementEmployeesExternal AuditorsInternal AuditorsGovernment VendorsPublic
26
ManagementResponsibilities
Adopt and implement internal control policies
Establish a control environmentAssess and analyze risksEstablish control activities to address risksDevelop information and reporting systemsMonitoring activitiesUnderstand and communicate your
organizations ethics policies
27
Management Responsibilities Relating to Audits
Help in the identification of areas susceptible to fraud and abuse
Address audit findings & recommendations and maintain a process to track their status
Follow sound procurement processes when contracting for audits or attestation engagements
28
EmployeeResponsibilities
Be aware of where fraud can occurLook for irregularitiesReport suspicious activities (don’t assume
others know)Conduct work in an ethical manner and
perform work in accordance with policies and procedures
29
External Auditors - Responsibilities
Examine the government’s financial statements and express an overall opinion
Design the audit to detect fraud that is material to the financial statements
Conduct fraud brainstorming sessions and be alert to possible fraud as it relates to the financial statements
Review internal controls over financial reporting
30
Government Internal AuditorResponsibilities
Review department, division, unit and/or program internal controls
Review transactions for possible waste, fraud and abuse
Design the audit such that fraud significant to the audit objectives will be detected
If abuse come to the auditors attention, follow up on that abuse to determine if its presence is significant to the audit objectives
31
Vendors Responsibilities
Be aware of how and where fraud can occur in their operations
Look for irregularitiesReport suspicious activities (don’t assume
others know)
32
Public Responsibilities
Report suspicious transactions or behaviors
33
Approach to Detecting Fraud
Exercise professional judgmentExercise professional skepticism
Balance between a questioning mind and doubting everyone
Critical assessment of evidence
34
Management Red Flags
Reluctance to provide information when requested
High employee turnover in high risk areasLack of segregation of duties in a high risk
areaExcessive number of checking accounts Increase in purchase of inventory but no
increase in productivityAbnormal inventory shrinkageLack of physical security over assetsPayments to vendors not on approved vendor
list
35
Employee Red Flags
Employee lifestyle changes (expensive cars, jewelry, homes, etc.)
Behavior changes (drug, alcohol, gambling)
Reluctance to provide information when requested
Refusal to take vacation or sick leaveExcessive purchasing of suppliesInappropriate overtime hours
36
How to Improve Your Chance of Detecting Fraud?
Assume anyone can commit fraudGood documentation does not mean
something happened – only that someone said it happened
Pay attention to detail (numbers, dates, amounts, alterations, reasonableness, etc.)
Pay attention to hints or rumors of wrong doing
Look for patterns or unusual transactions
37
Potential Red Flags
Erased or crossed out figuresInconsistent inks and typefacesUnusual dates, amounts, notes, phone
numbers and calculationsConsecutively numbered invoicesExcessive voids or refundsInvoices in large even sumsMultiple invoices to the same vendor
just under $10,000
38
Potential Red Flags(Continued)
Invoices printed on other than prepared forms
Vendor address changeUnusual number of payments to one payeeInadequate description of item purchasedDelay in responding to request for
documentationStale invoice dates
39
What Conditions Make Fraud Easier
Weaknesses in Internal Controls relating to: Control Environment Risk Assessment Control Activities Information and
Communication Monitoring
The Fraud Triangle Incentive (Pressure) Opportunity Rationalization
40
41
Fraud TrianglePressure such as a financial need, is the “motive” for committing the fraud. Pressure includes living beyond ones means or family and relationship situations.
Rationalization The person committing the fraud frequently rationalizes the fraud. Rationalizations may include, “I’ll pay the money back”, “They will never miss the funds”, or, “I will just do this just one time” or “They don’t pay me enough.”
Opportunity The person committing the fraud sees an internal control weakness and, believing no one will notice if funds are taken, begins the fraud with a small amount of money. If no one notices, the amount will usually grow larger.In any organization, the risk of fraud can be reduced. Internal control procedures can particularly diminish the “opportunity” point of the Fraud Triangle.* Of the above three, the one that management can control is “_________”
OKALOOSA COUNTY BOARD OF COUNTY COMMISSION OVERSIGHT OF THE TOURIST DEVELOPMENT COUNCIL AND THE USE OF
TOURIST DEVELOPMENT TAXES AND FUNDS RECEIVED FROM BRITISH PETROLEUM
REPORT NO. 2013-085JANUARY 2013
Case Study OneAuditor General Report on
42
Weaknesses in Internal Controls
Organizational OversightFraud Controls and Control Risk AssessmentsProcurement of Goods and ServicesTravelSpecial Events Grants and SponsorshipsAllowable Use of Restricted ResourcesMotor VehiclesAccounting ControlsElectronic Funds TransfersInformation Technology ControlsPublic Records
43
Background
In May 2012, the Auditor General received a request to conduct and audit of the Tourist Development Council and the Board of County Commissioners use of tourist development taxes and funds received from BP.
For the two year period 5-31-10 to 5-31-2012, revenues totaled $36.4 million.
44
Organizational Oversight and Budget Monitoring
The BCC, TDC, and CCC did not exercise sufficient control over funds received and invoices processed did not demonstrate or document the public purpose served
Budgets were not adopted at the level of their restriction
Spreadsheets prepared were not used to reject invoices when sufficient funds were not available at the ordinance restricted level.
45
Monitoring
The TDC acted in an action oriented manner rather than in an advisory role. As a result they authorized expenditures without BCC approval.
The TDC did not continuously review expenditures or regularly receive summary or detailed reports of expenditures.
Conflicts of interest were present as purchases were made with companies that had ties with BCC members, a TDC member, and a TDC subcommittee member.
Risk assessments were not performed by the BCC to identify the potential for fraud
46
Support for Invoices
Purchases were made without obtaining written quotations
There was failure to document the selection process for two advertising and marketing firms
Contracts with marketing firms did not required them to competitively procure goods and services.
Contracted marketing firms were not required to submit invoices, including invoices from third parties in sufficient detail to allow for adequate preaudit to ensure goods were actually received and the correct amounts charged. The firms were paid $12.1 million without adequate review or oversight
47
Support for Invoices
A payment for promotion and advertising services had been misappropriated for the purchase of a house by the TDC Executive director.
The county paid $747,000 from the BP grant on an advertising and marketing invoice as “Boast the Coast National Television Campaign and Promotion.”
After payment was made to the firm, the TDC Director instructed the firm to wire the monies to a designated bank account. The monies were then used to by the ED for the purchase of the house titled to a revocable trust for him and his wife.
48
Example Purchases$155,400 paid to vendors and invoices inadequately
described the goods or services purchased $48,000 described as “prize for 2010-2011 Internet/viral video
contest.” Actually purchased a Porsche titled to the former TDC Executive Director
$47,000 described as “convention center marketing expenses” included $19,620 for a County Christmas Party, A TDC holiday party, and a harbor cruise for employees and $5000 donated to a charity.
$31,400 identified as “Harbor Walk/Destin Advertising” was actually for furniture for the TDC office including $6,250 in furniture located at the former TDC Executive Director’s home
Had the BCC or CCC required adequate documentation, the payments may have been denied.
49
Competitive Procurement
The County purchased a yacht for $710,000 without evidence of formal bids.
Three vehicles were purchased for a total amount of $129,808 without evidence of written quotes
508 beach towels purchased for $8,832 without written quotes
Over $12 million was expended through outside firms and those firms were not required to competitively procure goods and services or follow County purchasing policies and procedures. Results in limited assurance that costs were reasonable.
50
Advance Payments
Payments were made in advance and there was evidence that in many instances services paid for were not received. 187 days of drivers services paid for and 43 days
provided 32 day of spokesman services paid for and 23 days
provided $25,000 paid for a musical group and no concerts
were performed
Advance payments increase the risk that goods and services may not be provided
51
P-Card and Travel Expenditures
There was no evidence that the former TDC Executive Director’s p-card expenditures were approved by another employee.
$14,680, 20 of 60 purchases tested, did not document the public purpose of expenditures made.
$41,225 in travel-related expenditures were not supported by travel vouchers
The TDC Director directed travel be paid for a candidate for a position and was denied. The TDC Director then had an advertising firm pay the travel and the cost was then billed back to the TDC
52
Special Events and Sponsorships
Special events and sponsorships totaled over $800,000
Policies and procedures had not been developed for these type services
Written agreements were not entered into to guide the terms and conditions and provision of services
53
Compliance
$1,912,095 in TD taxes were used to fund lifeguarding and beach patrol and were not allowable from this source
$564,000 in TD taxes were used to fund beach shuttle services and these expenditures are not expressly authorized from this source
County records supporting funds paid to two advertising and marketing firms were inadequate and a portion resulted in questioned cost
$207,304 in debit card purchases and use were questioned
54
Accounting Controls and Minutes
Transactions were recorded to the wrong accounts $97,766 in vehicles were recorded as contracted services –
public relations rather than as capital outlay – machinery and equipment
$81,237 for a marquee was recorded as contracted services – advertising rather than as capital outlay – infrastructure
$2,208 for televisions were recorded as motor vehicles rather than as machinery and equipment.
Inaccurate records can lead to incorrect management conclusions
Minutes were not recorded for TDC and TDC Subcommittee meetings
55
Summary
In general, the BCC and CCC agreed with the findings and recommendations
New policies were written and implemented
There was significant “reputational risk” for this type operation and as a result of the above, there has been significant reputational damage. It is up to the governing body to address these issues in an accountable and transparent manner in order to restore the public trust.
56
Case Study One
Any weaknesses in: Control environment Control risk Control activities Information and communication Monitoring
57
58
Case Study TwoCity of Tallahassee Fleet
Department
Parts supervisor could order, receive, and issue parts. Could also open closed work orders and adjust the inventory
Suspicious transactions with three vendors identified
Collusion with one vendorLosses totaled almost $3 million over five
years.City employees and vendors prosecutedTheft was not material to each years
internal service fund financial statements
59
See Page 2 for
Invoices
60
Number of large dollar invoices all for the same amount
61
Notice instructions Valid Invoice
62
Notice instructions Improper
63
Same Amounts and Consecutive
Invoice #
64
Same Amounts
No Description
Consecutive #
65
High Dollar Items
66
Invoice Altered
with Whiteout
67
68
ZZ4 / 350 Engine
355 horsepower out of a small block aluminum head engine! The evolution of the ZZ series, this engine powers thousands of street rods, drag racers, and show cars. With 405 ft/lbs of torque, the ZZ4 is the best way to put a high performance small block engine under your hood!
69
70
71
72
73
74
75
76
77
Summary for Case Study Two
Any weaknesses in: Control environment Control Risk Control Activities Information and Communication Monitoring
78
Where do you Place Responsibility
With the City?With the vendors?With Both?
79
Case Study Three - Leon County Research and Development Authority
Organizational Background Board Composition – Nine MembersStaff – An Executive Director and an Office
ManagerExternal Auditors – Same for several yearsFinancial Statements – Clean opinionsMonthly budget to actual statements -
prepared by the office managerTreasurer reports – prepared by the office
managerAudit Committee – well-intentioned but
absent strong financial members
80
Discovery of a $650,000 Fraud
A change in auditors in 2010 led to the discovery of a $650,000 fraud that spanned 5 years
The previous auditors focused on the revenue side of the audit believing the expenditure side was not a significant risk and therefore doing minimal testing of expenditures.
81
Fiscal Year Number of Fraudulent Checks Written
Total Amount of Checks
Total Operating Expenses – Salaries, Depreciation& Other
Percent Fraud of Total Operating Expenses
Total Other Expenses
Percent of Fraud of Other Expenses (Not Including Salaries and Depreciation
2005 – 2006
11 $41,075 $1,014,203 4.04% $402,495 10.2%
2006 – 2007
13 $80,947 $1,159,355 6.98% $468,114 17.3%
2007 – 2008
30 $172,948 $1,387,237 (1) Note: Salaries and Depr. Were $758,000
12.47% $628,398 27.5%
2008 – 2009
39 $239,684 Approximately 25%
$481,410 49.78%
2009 -2010
19 $112,797 Audit year in progress
Total 113 $647451
82
Internal Controls - The Office ManagerReceived and opened the mail to include receiving tenant
rental payments, vendor invoices for services provided, and monthly bank statements to include cancelled checks
Had custody of check stockHad signature stampsPrepared invoices for payment to include preparing checks
for dual signature by someone other than herselfMaintained the accounting records and prepared and
presented monthly financial and budget reports for Board meetings
Reconciled the check book to the bank statement for review by the Executive Director. Cancelled checks were not provided to the Executive Director
83
What Was Not Known by the Previous Auditors or the Board
The Office Manager was fired by her former employer and found guilty of a felony for embezzlement of over $100,000
During the time the Office Manager worked for the Board (during the day), she also performed community service at night at the County jail as part of her previous sentence
No background check was performed by the Board upon employment of the Office Manager – the previous auditors were aware of no background check through inquiry, noted this in the working papers, but took no further action
84
The Office Manager
Drove an expensive vehicleLived in an expensive homeWas married with children and was a
devoted parent Was well liked Was praised by the previous auditors
in their audit report for being helpful to them
85
Discovery of the Fraud by the New Auditors
The Office Manager failed to timely respond to records request
The new auditors observed the Manager’s lifestyleThe auditors checked and verified through the
county records a criminal historyThe auditors noticed a check that appeared unusual The auditors made a direct request to the bank
for copies of cancelled checks The auditors notified the Audit Committee Chair of
their concern as well as the Board Chair
86
The Office Manager Asked to Explain Herself at a Board Meeting
The Office Manager admitted that she did not tell the Board when she was hired that she was previously fired by her former employer for embezzlement – she said she was not asked
The Office Manager denied any wrongdoing while with the Board
The Office Manager accused one of the Board Members of sexual harassment
The Office Manager was subsequently convicted and sentenced to prison
To date the Board has received little monies back from the former employee. It recovered $100,000 from its insurance company and additional monies from the external auditors
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
The City Auditor was Appointed by the Mayor to Represent the City on the
BoardOfficially joined the
Board October 1The Board had a new
Chairperson and several new Board members
Named to the Audit Committee upon joining the Board
Worked on and received Board approval of an Audit Committee Charter
Was elected to become Treasurer in mid-November to replace the current Treasurer
Asked the question - Is there any liability of the previous auditors for not detecting the fraud?
Was requested to pursue the issue with the Board Attorney and to represent the Board
103
What Was the Board’s (and /or Audit Committee)Responsibility
To establish an adequate system of internal control The control
environment Control risk Control activities Information and
communication Monitoring
Other specific responsibilities Have policies and
procedures Meet with the auditors to
discuss the planned audit, and any concerns about risk and the system of internal control
To follow up on audit findings and recommendation and to take corrective actions
104
What was the Auditor’s Responsibility
To conduct the financial statement audit in accordance with Generally Accepted Government Auditing Standards.
To plan the audit to obtain reasonable assurance
To use professional judgment To consider fraud in a financial
statement audit and to provide reasonable assurance on whether the f/s are free of material misstatement, whether caused by error or fraud
To brainstorm about fraud risk
Specific GAGAS Follow up on previous
significant findings Exercise professional
skepticism Use professional judgment Consider lower materiality
levels for government entities
Report on significant deficiencies and material weaknesses in internal control over financial reporting
105
Opportunities to Detect Fraud
Confirm vendor payments or year-end payables Obtain copies of cancelled checks directly from the bank or
review checks on-line. Instead, cancelled checks on hand were traced to vendor invoices and accounting records
Review the organization process for performing background checks
Request were made to the accountant to review specific checks. Bank statements were not reviewed (when I reviewed bank statements, all fraudulent checks had been removed - the review took approximately one hour). The auditors stated in the W/P’s there was no need to review bank statements
W/P’s indicate no conditions susceptible to fraud in amounts material to the financial statements
Audit procedures did not vary from year to yearThis was not a complicated fraud
106
The Subsequent Auditors Report for 2009 (Two audits have subsequently
been issued)
5 material weaknesses6 significant deficiencies 4 additional weaknesses in internal control
Weaknesses reported were not new
107
Reputational Risk
This fraud made the front page of the local paper on numerous occasions
Previous Board members were embarrassedThe name of the Board (Park) was linked to the
fraud as opposed to its mission for many monthsSubsequent clean audits - for the last two years –
have helped For the most recent audit, there were no material
weaknesses, significant deficiencies, or management comments. This was also reported in the newspaper
108
Comment from Office Manager to previous auditor’s inquiry about any knowledge of
fraud:
“I can honestly say that I know of none, nor do I know of any allegations of fraud.”
109
Where Do you Place Responsibility?
With the Board?With the Auditors?With both?
110
Case Study Three
Was there a weakness in Control environment Control risk Control activities Information and communication Monitoring
111
What are Some Suggestions
Be aware that fraud and abuse can exist
Exercise professional judgment and professional skepticism
Ask about background checks
Discuss risk and fraud with organizations management and determine whether there are mitigating controls
Brainstorm with staff and supervisor on risk, controls, and testing to be done. Document discussions
Look for persuasive fact-based evidence
Document adequacy of responses to questions
112
113
High Risk Areas Susceptible to Fraud
Travel reimbursementsTime & attendance OvertimeCash collectionsPetty cash purchasesUse of vehicles and equipmentP-card transactions
114
What to Do When You Suspect or Discover Fraud?
Do not pursue so as not to interfere with potential future investigations or legal proceedings
Secure documentationNotify your supervisor Notify upper management (department
directors) if you do not feel that your concerns have been investigated satisfactorily, or
Call the Auditor
Potential Red Flags
One person opening the mail that contains moneyIndividuals collecting money in the fieldUsing only certain vendors when quotes would
be more logicalLack of dual check signatures over a certain
amountThe person having check stock and check writing
authority also reconciling the bank statementReceipt of bank statements by the check writer
115
116
10 Tips on How to Deter Fraud in Your Organization
1. Integrity at the Top2. Positive Reputation3. New-hire Screening Process4. Ethics Programs5. Written Fraud Program with
Expectation of Consequences
117
10 Tips on How to Deter Fraud in Your Organization
(Continued)
6. Communicate Policies to Vendors7. Proper Handling of Investigations8. Independent Internal Audit Function9. Effective Internal Controls and Auditing10. Open Internal Reporting
118
Questions?
Comments/Questions
Thank you!!!
Sam McCall850 6440651
smmccall@fsu.edu
119