Real World Perspective: How to Be an Effective … Studies in Fraud Company Year Events Zzzz Best...
Transcript of Real World Perspective: How to Be an Effective … Studies in Fraud Company Year Events Zzzz Best...
© 2015 Association of Certified Fraud Examiners, Inc.
Real-World Perspective:
How to Be an Effective Gatekeeper
Lisa Duke, CFE, CPA, MAFF
Real World Perspective: How to Be an Effective
Gatekeeper
Lisa Duke, CFE, CPA, MAFF
New York State Comptroller’s Office
Email: [email protected]
Objective
Overview of auditors’ failure to detect fraud
Examples of auditors' failure to detect fraud (case studies)
Consequences of auditors failing to detect fraud
Deploying an effective fraud-detection model
Forensically accepted best practices of effective gatekeepers
Audit Failures
Definition of audit failure:
• A U.S. Government Accountability Office
study defined the term “audit failure,” in part,
as “audits for which audited financial
statements filed with the SEC contained
material misstatements whether due to errors
or fraud.”
Audit Failures
Definition of audit failure:
• An audit failure is a situation in which an audit
wrongly states that a company’s accounts are
correct when they contain mistakes or false
statements.
• When an audit of a company’s financial records
does not find things it should, there could be fraud.
• Basically, it is when the auditor “missed the boat.”
Arthur Levitt Jr., chairman of the
Securities and Exchange Commission
under President Bill Clinton, said in a
speech at New York University in 1998
that corporate managers, auditors, and
analysts were taking part in a “game of
nods and winks.”
In a recent article, the Public Company
Accounting Oversight Board’s chief
auditor is quoted by The Wall Street
Journal as saying, “When we look at an
audit, the rate of failure has been in a
range of around 35 to 40%.”
February 27, 2014 | CFO.com
www.company.com
Expectation Gap
Public Perception
Accounting standards should prevent fraud from going undetected.
Public is surprised that presumably the auditors followed the standards and still missed the fraud.
Case Studies in Fraud
Company Year Events
Zzzz Best 1986 Barry Minkow ran a Ponzi scheme.
Phar-Mor 1992 Factictious inventory on the books to cover operating losses. Mail
fraud, wire fraud, bank fraud.
Sybase 1997 Inconsistencies in profit reporting from overseas division.
Cendant 1998 SEC charge: Company deliberately and fictitiously manufactured
about $500 million in fake revenues over a three-year period.
Waste Management,
Inc.
1999 Inflated earnings
MicroStrategy 2000 Earnings manipulation
Unify Corporation 2000 Overstated sales and revenue
Computer Associates 2000 Inflated sales
Case Studies in Fraud 2001‒2002
Xerox K-Mart Enron Adelphia
Bristol- Myers Squibb
Mirant AOL CMS
Halliburton
Merrill Lynch
Dynegy El Paso Corp.
Freddie Mac
Nicor Homestore
s.com ImClone systems
Case Studies in Fraud
Company Year Events
Peregrine Systems 2002 Overstated sales
Qwest Communications 2002 Inflated revenues
Reliant Energy 2002 Round-trip trades
Sunbeam 2002 Overstated sales and revenues
Symbol Technologies 2002 Overstated sales and revenue
Tyco International 2002 Improper accounting
WorldCom 2002 Overstated cash flows
Royal Ahold 2003 Inflating promotional allowances
Parmalat 2003 Falsified accounting documents
Chiquita Brands International 2004 Illegal payments
AIG 2004 Accounting of structured financial deals
Bernard L Madoff 2008 Massive Ponzi scheme
Lehman Brothers 2010 Failure to disclose Repo 105 transactions to investors
Roslyn School District—OSC
Over $11 M of district funds were used for personal expenses.
Top-level managers—district superintendent, assistant superintendent
(Gluckin) and account clerk (Gluckin’s niece)—overrode the system and
processed payments outside the normal flow of transactions.
“The external auditors, the CPA firm that audited the district once a year,
had conflicts of interest and performed an audit that was so flawed and so
far below professional standards that it failed to identify the millions that
were apparently misappropriated.” NYS Comptroller, 2005
A Clean Bill of Health from Auditors
How did the auditors miss detecting the fraud?
Are the auditors at fault for missing these massive
frauds?
Did they look but didn’t look deep enough?
Are auditors in on the fraud, either looking the
other way or actively helping clients hide the
deception?
Reasons Why Audits Fail
Reliance on control system when controls are weak
Improper planning, including not revising audit plan after the initial assessment of fraud
Inappropriate methodology for selecting sample size
Lack of training and appropriate supervision
Audit team lacking in skill
Reasons Why Audits Fail
Not designing test to look for the fraud
Audit team not gathering sufficient appropriate evidence to support the basis of their conclusion
Lack of effective quality assurance at the audit shop
Audit staff failure to exercise due professional care
Relying on management information and lack of professional skepticism
Auditee-Related Reasons
Misapplying accounting policies
Collusion involving high-level officials who
circumvent controls
Scope limitations
Audit impairments
Management not cooperative with the audit
Occupational Frauds
Occupational frauds can be classified into three primary
categories:
1. Asset misappropriations
2. Corruption
3. Financial statement fraud
Consequences of Audit Failures
Negative impact on investors’ confidence
Impact on our financial structure
Impact on government programs and service delivery—OSC
case study of MTA. Fraud comes in all sizes and shapes.
Reputational harm to the audit firm
Legal and regulatory consequences
Expense associated with attempted recovery of stolen assets
Expense associated with investigation
New York State Comptroller Audit Report
Report on Preschool Audits Finds Fraud and
Inappropriate Billing of $20 Million in Questionable
Costs in 2014
About 81,000 preschool students with disabilities
receive Special Education Itinerant Teacher (SEIT)
services in New York, at an annual cost of $1.4 billion.
Services in New York are predominantly provided by
for-profit and not-for-profit private contractors.
New York State Comptroller Audit Report
Eleven new audits identified:
More than $6.7 million in public funds that
special education providers misspent or
misused
Including cases of possible fraud that
have been referred to law enforcement
The auditor’s responsibility is to provide
reasonable assurance.
This is accomplished by reducing audit risk
to appropriate levels. The auditor needs to
keep detection risk low so that he or she
can provide reasonable assurance.
The auditor may fail to detect material
misstatements caused by fraud but that
does not preclude auditors from detecting
fraud.
Effective Auditing
SAS 99, as Amended— AU Section 316
• Requires brainstorming sessions to discuss how
and where the entity’s financial statements might
be susceptible to material misstatement due to
fraud
• Have the discussions of fraud at every stage of the
audit.
• During the brainstorming sessions, auditors must
exercise professional skepticism.
SAS 99, as Amended— AU Section 316
The standards require the following:
Obtain information from management and others
within the organization.
Analytic procedures
Consideration of fraud risk factors
Other sources
Other High-Risk Areas
Consider the human dimension to fraud.
Remain objective with long-time clients.
Follow up on the gray area between legitimacy
and outright fraud.
“Ask the final question and turn over the last rock,”
–Frank Patone, OSC
Audit Example #1— Special Education Associates
Special Education Associates (SEA) is a for-profit
provider based in Brooklyn.
For FY 2007‒08 and FY 2008‒09, SEA received
$12.5 million in state money.
What the Auditors Missed
• Executive director essentially created a $150k/year
no-show job for his wife, the assistant executive
director.
• The assistant executive director had a full-time job
at City University of New York.
What the Auditors Missed
DeptID Pay Period
End Name ID Earn Code Descr Hours Earnings Earns Begin Earns End
70 1/2/2008 Name # RGS Regular Pay Salary Employee 80 3671.98 12/20/2007 1/2/2008
70 1/16/2008 Name # RGS Regular Pay Salary Employee 80 3671.98 1/3/2008 1/16/2008
70 1/30/2008 Name # RGS Regular Pay Salary Employee 80 3671.98 1/17/2008 1/30/2008
70 2/13/2008 Name # RGS Regular Pay Salary Employee 80 3671.98 1/31/2008 2/13/2008
70 2/27/2008 Name # RGS Regular Pay Salary Employee 80 3671.98 2/14/2008 2/27/2008
70 3/12/2008 Name # RGS Regular Pay Salary Employee 80 3671.98 2/28/2008 3/12/2008
70 3/26/2008 Name # RGS Regular Pay Salary Employee 80 3671.98 3/13/2008 3/26/2008
70 4/9/2008 Name # RGS Regular Pay Salary Employee 80 3682.06 3/27/2008 4/9/2008
70 4/23/2008 Name # RGS Regular Pay Salary Employee 80 3682.06 4/10/2008 4/23/2008
70 5/7/2008 Name # RGS Regular Pay Salary Employee 80 3786.73 4/24/2008 5/7/2008
70 5/7/2008 Name # RRS Retro Regular Pay Salaried 0 856.55 12/20/2007 4/23/2008
70 5/21/2008 Name # RGS Regular Pay Salary Employee 80 3786.73 5/8/2008 5/21/2008
70 6/4/2008 Name # RGS Regular Pay Salary Employee 80 3786.73 5/22/2008 6/4/2008
70070 6/18/2008 Name # RGS Regular Pay Salary Employee 80 3786.73 6/5/2008 6/18/2008
What the Auditors Missed
Other Findings:
• Food and holiday gifts claimed as office supplies and postage
• Leased car for the assistant executive director, who was
working elsewhere
• Paid 12-year-old granddaughter for clerical work and claimed
her as an independent contractor instead of an employee, and
therefore didn’t pay employment taxes.
Results
OSC audit team disallowed $324,881 for the assistant executive director’s salary
for the two years, which we reported was fraudulently claimed.
There was another $225K since this fraud started. Executive director paid
restitution.
Executive Director
• Pled guilty to one count of defrauding the government (felony)
• Sentenced to probation
Assistant Executive Director
• Pled guilty to offering a false instrument (misdemeanor)
Both are also barred from ever participating in an SED-funded program … for life.
Incorporate Emerging Technology
• Consider the cost/benefit trade-off in
investing in fraud detection technology.
• Data analysis identifying anomalies and
patterns may point to areas that are high-
risk and may require closer attention.
• Team should have data analytics and
computer forensic skills.
Audit Example #2— Lawrence Bruckner and Other Brooklyn Dentists
Result of Data Analysis
Audit of dental services provided to Medicaid patients
Should be for essential services only
Billings for services provided at two locations by six dentists
Received $6.9 million from Medicaid between January 2007
and June 2011
Fraud Detection with Data Analysis
Billed for duplicate procedures by different dentists
For one patient, two dentists did the same work on different
days.
For another, two dentists provided services on the same day.
Poor-quality work
Unreadable or incorrect x-rays
Filled cavities rather than pulling teeth
Fraud Detection with Data Analysis
Of the $6.9 million paid to the six dentists, $2.3 million was
considered possibly fraudulent.
One dentist pleaded guilty to numerous felonies.
Required to pay restitution
Attorney General may also pursue jail time.
Second dentist agreed to a civil settlement.
Establish an Ethical Culture
Areas to review:
Does the organization have a formal ethics and values
policy?
Does the organization have an ethics officer?
Are employees continuously trained on ethics policies?
Does the internal audit plan include a review of the
organization’s culture and ethical risks?
Establish an Ethical Culture
• Internal audit should work with senior management to
make ethical behavior and tone at the top a priority.
• Ensure that members are held to the highest ethical
standard as required by their organization’s Code of
Professional Conduct (Code).
• The public must be confident that the profession can
regulate itself.
Establish an Ethical Culture
• Have clearly defined expectations.
• Internal audit should make recommendations on the development of
the governance framework.
• Establish a whistleblower hotline and periodically assess it.
• Gather information from all levels of the organization.
• This includes the tone in the middle and the tone at the top.
Effective Gatekeeping
Understand the complex organizations being audited:
• Know your client and the environment your client
works in.
• What is your audit universe?
• What data can you capture from your universe
that can be used for your analysis?
Effective Gatekeeping
• Schemes based on department
Different kinds of fraud risks might exist within the various
departments of an organization.
By analyzing the types of schemes that occur in various
departments, management and the audit department can
develop controls to specifically address the highest fraud
risks in any given area.
Tap into your valuable tool: experience gained through
working in different areas of the business (and regions
around the globe).
Identify High-Risk Areas
• Perform an annual update of the high-risk areas and develop an audit plan.
• Look beyond control weakness.
• Don’t look for process; instead look for outcomes.
• Look for the red flags. This may require a little digging.
• Look at areas where there are yearly repeats of deficient internal control.
Develop Fraud-Detection Audit Steps
• Design an environment hostile to fraud by implementing fraud-detection
processes.
• Deploy an element of surprise in your audit program:
– For payroll fraud—Conduct analysis of highest overtime employees.
– Conduct site visits/observations at locations where employees are
reporting high overtime to determine whether they are performing work
during the time they are paid.
– For inventory checks—Do not share with the auditee the location for the
inventory check.
– Look for transactions that are on the organization’s bank statement but
should not be on the statement.
• Look for supporting transactions that should be there but are not.
Effective Audit Supervision
Have a subject matter expert on the audit team.
Train new auditors to review last year’s work papers and direct them to
perform additional audit steps on the next audit.
Continuously train employees on potential fraud risk factors.
Have adequate staffing mix.
Conduct talent development, recruitment, and succession planning.
Maintain strong external relationships with other audit shops/organizations.
Other Areas for Effective Oversight
• Increasing the sample size may assist in detecting
the fraud.
• Consider the impact time constraints can have on
audit failure.
• Design the audit program to cover the established
objectives.
Other Areas for Effective Oversight
Be mindful of the following:
• Creative or aggressive accounting techniques
• Income and expenses are free from manipulations.
• Manipulation or mismanagement of an organization’s earnings
• Financial statements and records are free of misstatement or omission.
• Make inquiries of management and others within the organization.
“It is true that you may fool all the people
some of the time; you can even fool some
of the people all the time; but you can’t
fool all of the people all the time.”
‒Abraham Lincoln
Real World Perspective: How to Be an Effective
Gatekeeper
? ? ?
Lisa Duke, CFE, CPA, MAFF
Email: [email protected]