Understanding the Dynamic Relationshipo Between Internal Controls and Fraud Prevention

7/30/2019 Understanding the Dynamic Relationshipo Between Internal Controls and Fraud Prevention

1/41

Annual OAPT Conference -Understanding Internal Control &

Fraud PreventionOctober 4, 2012

Presented by: Chad Welty, CPA

Principal, Government Services


2/41

Today.

Five Components of Internal Control

Fraud Triangle

Fraud Risk Assessment

Fraud Statistics

Fraud Prevention Tips


3/41

What is the definition of Internal Control?

Internal Control can be defined as the sum of:

An accounting procedure or system designed to promote :

Efficiency and effectiveness

Assure the implementation of a policy

Safeguard of assets

Avoid fraud

Avoid errors


4/41

Five components of Internal Control

Control Environment

Risk Assessment

Information and Communication

Control Activities

Monitoring


5/41

Internal Control - Environment

DefinitionManagements attitudes, awareness, andactions concerning the importance of a control.

The Environment sets the tone of the entity

Influences the control consciousness of its people Serves as the foundation for all internal control components,

providing components, discipline, and structure.

The best designedpolicies and procedures have little

hope of being effective without the proper tone at thetop.

Management must lead by example. Controls are not limited to

staff.


6/41

Internal Control Risk Assessment

DefinitionThe entitys identification and analysis of relevant risksto the achievement of its objectives, forming a basis for determininghow the risk should be managed.

This is an ongoingprocess. The risks of yesterday, may not be the risksof today or tomorrow.

Risks must not only be identified, but must be anticipatedso they canbe avoided or mitigated. (analogy installation of lights at a railwaycrossing beforean accident occurs).

Managements focus on identifying riskshould start with change:

Change in operating environment

Change in personnel

Change in information systems and technology

New programs or services provided

Change in structure


7/41

Internal Control Risk Assessment cont

Management should also focus on the inherent risks

Complexity

Cash receipts

Third-party beneficiaries

Prior problems

Prior unresponsiveness to identified control weaknesses

Payroll withholdings

Fake vendors

Credit/purchase cards

Central garage/storage locations

Proper training, ongoing efforts, responsiveness and commitment toongoing assessment will strengthen internal controls to ensure a strongframework.


8/41

Internal Control Information &Communication

DefinitionThe identification, capturing, and exchange of information in a form and on atimely basis to enable employees to carry out their responsibilities.

Management must be able to obtain reliable information to determine and assess riskand communicate polices and other information to those who need it.

Potential issues effected by information:

The entitys performance evaluation vs strategy or goal

Impact on efficiency and effectiveness

Management decisions on use of resources (financial or human)

Management can develop the best internal control environment, policies andprocedures, etc., however if not properly communicatedthey may as well not exist.

Written policies and procedures distributed

Training programs established

New hire orientations

Polices posted on websites for easy access


9/41

Internal Control Information &Communication cont

Potential issues facing communicationof information:

Effectiveness and efficiency in the performance of the duties of employees

Lack of communication channels available to employees to report suspected

improprieties

Untimely information reporting causing reduction in usefulness to makedecisions


10/41

Control Activities

Definition The policies and procedures that help ensuremanagement directives are carried out.

As a result of ongoing risk assessmentand the strategies tocommunicate information, management must develop policies andprocedures to carry out and meet the goals and strategies of the entity.

Traditionally, control-related policies and procedures related to financeare classified into one of the following categories:

Authorization

Properly designed records

Security/safeguarding of assets and records Segregation of duties

Periodic reconciliations

Analytical review


11/41

Internal Controls - Monitoring

Definition The process used by those charged with governance(management AND the elected taxing authority) to assess the

quality of internal control over time.

The best developed control policies and procedures require changes

over time as the environment changes. Not only are controls implemented to reduce/eliminate problems, they

should be designed to alert management of a potential problem.

Without proper monitoring, these problems could go undetected.


12/41

Internal ControlsMonitoring cont

The Roles in monitoringinternal controls

Who is ultimately responsible for internal control?

THE GOVERNING BODY!!

Its the job of the governing board to ensure that management meets all of itsresponsibilities.

How can this be achieved? Establish an audit committee

Audit Committee responsibilities may include independent reviews and oversight of:

Reporting processes

Internal controls

Independent auditors

Who is primarily responsible for internal control?

MANAGEMENT!!

Fundamentally a management concern since it uses the tools and techniques in orderto achieve managements objectives

Whos role is it to validate the success of designed controls and determine operatingeffectiveness.

YOUR AUDITORS!!


13/41

Internal Controls Inherent Limitations

No internal control framework can be perfect.

Inherent limitations include:

Management over-ride of controls (policies and procedures)

Collusion Cost of the control (policy or procedure) should not cost more than the

benefit it was expected to achieve

Human judgment can be faulty, human errors and mistakes

Limitation on segregation of duties based on number of employees


14/41

Cresseys Fraud Triangle Concept that datesback over half a century. Generally for fraud to occur,three things must be present:

Opportunity

RationalizationPressure/Incentive

Source: ACFE 2012 Report to the Nations on Occupational Fraud and Abuse


15/41

Fraud Triangle

Pressure Financial need that is often unwilling to beshared (addictions, debt, etc.) or that emotions haveimpacted the person (sick child or keeping up with theJoneses)

OpportunityThe ability to commit a fraudulent activitymust exist (weaknesses in internal control or the abilityto override them)

RationalizationWhen a person has the ability to

justify their actions (Im underpaid, Ill pay it back, or thehealth of my child is more important)


16/41

It Could Happen to You

Embezzlement of Utility Payments

Missing Evidence

IT Equipment and Purchases

Off-the Books Bank Accounts

See the AOS website for numerous stories and findings


17/41

What is Fraud Risk Assessment?

Proactive approach to mitigating fraud in your

organization

Analyzing where fraud can occur in your organization

Fraud Prevention vs. Fraud Detection

Prevention = Proactive

Detection = Reactive


18/41

Who is Responsible for Risk Assessment

Governing Body

Audit or Finance Committee

Mayor/Administrator

Finance Director/Treasurer

Executive Staff

Everyone throughout the Organization informal lines

of communication


19/41

Definition of Fraud

Intentional perversion of truth in order to induce anotherto part with something of value or to surrender legalright. (Mirriam-Websters online dictionary)

Association of Certified Fraud Examiners (ACFE)

Misrepresentation of material facts

Concealment of material facts

Bribery

Conflicts of Interest Theft of money and property

Breach of Fiduciary Duty


20/41

Risk Assessment Includes:

Risk Identification

Risk Likelihood

Significance Assessment

Risk Response


21/41

Risk Identification

Risk Identification

Gathering information from both internal and external sources

Brainstorming

Interviews

Analytical Procedures

Trend analysis: vendor example

Where are the inherent risks?

Cash collection points

Lack of oversight


22/41

Risk Identification cont.

Risk Identification

Incentives/Pressures

Budget constraints

Performance Bonuses

Opportunities

Cash collection points

Segregated accounts

Access to create vendors


23/41

Risk Likelihood

Risk Likelihood

More interviews

Historical information

Analyze vendor listing


24/41

Risk Response

Consider cost-benefit

How will council/management respond

Increased Training

Surprise Audits

Change in Policy and Procedure


25/41

Types of cases at risk

4

9

18

12

25

15

10

27

19

33

50

0 10 20 30 40 50 60

Register Disbursements

Financial Statement Fraud

Payroll

Cash on Hand

Skimming

Check Tampering

Larceny

Non-Cash

Expense Reimbursements

Billing

Corruption

Government & Public Administration-141 Cases



26/41

Who are the perpetrators?

17.6%

37.5%

41.6%

16.9%

41.0%

42.1%

0.0% 5.0% 10.0% 15.0% 20.0% 25.0% 30.0% 35.0% 40.0% 45.0%

Owner/Executive

Manager

Employee

2010

2012

Position of Perpetrator-Frequency



27/41

Tenure of Perpetrator

0.0%

5.0%

10.0%

15.0%

20.0%

25.0%

30.0%

35.0%

40.0%

45.0%

50.0%

< 1 Year 1-5 Years 6-10 Years >10 Years

5.7%

45.7%

23.2%25.4%

5.9%

41.5%

27.2%25.3%

2010

2012



28/41

Schemes from Perpetrators working in

Accounting Department

5.1%

9.2%

5.5%

17.1%

13.3%

17.1%

18.4%

17.1%

22.9%

31.1%

29.7%

3.1%

7.2%

15.4%

25.1%

16.6%

11.4%

11.6%

11.2%

15.7%

26.1%

14.9%

0.0% 5.0% 10.0% 15.0% 20.0% 25.0% 30.0% 35.0%



Non-Cash

Corruption

Expense Reimbursement

Cash on Hand

Payroll

Cash Larceny

Skimming

Billing

Check Tampering

All Cases

Accounting



29/41

Schemes from Perpetrators in Executive orUpper Management

1.3%

11.6%

12.5%

13.8%

13.8%

14.3%

16.1%

18.3%

29.9%

40.6%

48.7%

2.5%

11.9%

13.8%

15.1%

20.8%

8.2%

12.6%

15.7%

21.4%

32.7%

53.5%

0.0% 10.0% 20.0% 30.0% 40.0% 50.0% 60.0%


Cash Larceny

Cash on Hand

Skimming


Check Tampering

Payroll

Non-Cash

Expense Reimbursement

Billing

Corruption

2012

2010



30/41

Behavioral Red Flags Based on Perpetrators

Position

8.3%

11.2%

11.9%

30.5%

32.7%

16.8%

23.4%

27.2%

25.0%

37.2%

26.0%

24.3%

21.7%

23.0%

39.6%

0.0% 5.0% 10.0%15.0%20.0%25.0%30.0%35.0%40.0%45.0%

Wheeler-dealer attitude

Control issues, unwillingness to share duties

Unusually close association with vendor

Financial difficulties

Living beyond means

Owner/Executive

Manager

Employee



31/41

Behavioral Red Flags

Behavioral Red Flag Percent of Cases

Living beyond means 35.6%

Financial Difficulties 27.1%

Unusually close associationwith vendor

19.2%

Control Issues,

Unwillingness to Share

Duties

18.2%

Divorce/Family Problems 14.8%

Wheeler-Dealer Attitude 14.8%

Irritability, Suspiciousness or

Defensiveness

12.6%



32/41

Behavioral Red Flags

Behavioral Red Flag Percent of Cases

Addiction problems 8.4%

Past-employment-relatedproblems 8.1%

Complained about

inadequate pay

7.9%

Refusal to Take Vacations 6.5%

Excessive Pressure fromWithin Organization

6.5%

Past Legal Problems 5.3%



33/41

Billing Schemes

False invoicing through a shell company

Personal purchases with government funds

False invoicing through an established vendor


34/41

False Invoicing

Fake invoice no service or product exchange

www.customreceipt.com
http://www.customreceipt.com/http://www.customreceipt.com/


35/41

Fake invoices many times lack information

Street address PO box only

Phone number

Good description

Logo

Packing slip for products purchased

Shipping destination for products

Invoice numbers are sequential


36/41

Vendor Files

What needs done to vendors files

Clean vendor file annually

Vendor approval process

Training

Google new vendor requests

IT controls limiting access


37/41

Employee Expense Reimbursements Whatto look for:

Lack of invoice

Fake invoices

Lack of detail on invoices

Wrong mileage

False mileage

Personal expenses

Alcohol

Per diems with no detailed receipts required


38/41

Effective Fraud Deterrents

Written Fraud Policy

Policy sets expectations

Zero Tolerance

Review and sign-off by each employee for personnel file

Include Reporting Process

Whistleblower Protection

Issues addressed consistently and timely

Ethics Policy, Conflict of Interest PolicyTraining

Continuous Risk Assessment


39/41

Steps to Reduce Fraud Risk

Fraud risk analysis performed

Educate

Tone at the Top

Conflict Disclosures (Council and Management)

Establish whistle-blower hotlines

Rotation of job duties

Zero tolerance

Background checks for new hiresdont hire crooks

Keep eyes and ears open regarding employee behavior

Discuss concerns with auditors

Establish effective Internal Audit division

Use of Data Mining Software

Surprise audits


40/41

Highlights

Understand the Five Components of Internal Control

Everyone is responsible for effective and efficient control

development and/or application

Train your Team(s)Ongoing evaluation of controls and fraud risk

assessment

Fraud Statistics

Fraud Prevention tips

Trust is never a control!


41/41

Annual OAPT Conference -Understanding Internal Controls & Fraud

PreventionOctober 4, 2012

QUESTIONS???

Understanding the Dynamic Relationshipo Between Internal Controls and Fraud Prevention

Documents

Transcript of Understanding the Dynamic Relationshipo Between Internal Controls and Fraud Prevention