Virginia Government Finance Officers’ Association Training Thursday, March 19, 2015
8:30 am - 9:00 am  Registration & Continental Breakfast
9:00 am - 9:05 am  Welcome – Tom McNeish, Government Practice Leader, Elliott Davis Decosimo
9:05 am - 10:05 am  Legal Update – Daniel M. Siegel, Shareholder, Sands Anderson
10:05 am - 11:05 am  IRS Compliance Issues – Denise Hill, Senior Manager, Elliott Davis Decosimo
11:05 am - 11:15 am  Break
11:15 am - 11:45 am  GASB 68 – Accounting & Reporting for Pensions – Tom McNeish, Government Practice Leader, Elliott Davis Decosimo
11:45 am - 12:15 pm  OMB Uniform Guidance – Tom McNeish, Government Practice Leader, Elliott Davis Decosimo
12:15 pm - 1:15 pm  Lunch
1:15 pm - 2:10 pm  Fraud: Current Trends & Case Studies – Lee Wagner, Senior Manager, Elliott Davis Decosimo
2:10 pm - 3:00 pm  Information Technology – Database Security and Threats – Richard Cook, Director, Elliott Davis Decosimo
IRS Compliance Issues: Spotlight on Fringe Benefits
Denise P. Hill Senior Tax Manager March 19, 2015
© 2014 Elliott Davis, PLLC © 2014 Elliott Davis, LLC
This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.
Why Discuss Fringe Benefits?
• Employment tax audits generate significant income for the IRS – they are considered an untapped source of revenue and made up 44% of all IRS collections in 2009
• 2010 project for small employers – the results will help the IRS identify potential audit targets. The IRS is examining 6,000 employment tax returns and has found that under-reporting of fringe benefits is a widespread problem
• Audits and IRS analysis were expected to be completed in the summer of 2014
• Benefits are no longer a minor part of compensation – they now represent close to 40% of the total cost of compensation
• The employer is "secondarily liable" for failing to withhold
• Fringe benefits are the most overlooked area for employers:
- Difficult to identify
- Difficult to value
- Uncertainty in reporting (i.e. taxable or not?)
- Lack of clear communication to employees: benefits are a wide variety of inducements offered to employees having little in common except that they are not "paid" to the person each payday. This makes terminology and categorization of benefits difficult.
- Finance/payroll not aware of the benefit
- Overall departmental differences
Topics of Discussion
• Define fringe benefits
• Discuss taxable versus nontaxable
• Components of an accountable plan
• Managing written guidelines and policies
• Employee versus nonemployee – does it matter?
What is a Fringe Benefit?
• A fringe benefit is a form of pay for the performance of services, whether given as:
- Property
- Services
- Cash or cash equivalent
All fringe benefits are taxable and must be included in the recipient's pay unless the law specifically excludes them.
Examples of Fringe Benefits
• Airline club memberships
• Automobile allowances
• Awards or prizes
• Back pay awards
• Bonuses (cash or noncash)
• Cafeteria plans
• Cell phones and other telecommunications devices
• Chauffeur service
• Club memberships
• Company aircraft
• Disability payments
• Discounts on property or service
• Discounted airline passes
• Educational reimbursements
• Executive dining rooms
• Estate planning
• Financial counseling
• Financial seminars
• Free or subsidized lodging (including campus lodging)
• Golden parachute payments
Examples of Fringe Benefits Continued
• Company cars
• Credit cards (employer-provided)
• Dependent care assistance programs
• Group-term life insurance over $50,000
• Holiday gifts
• Home security systems
• Income tax preparation
• Laptop computers
• Legal counseling
• Loans (low-interest or interest-free)
• Local transportation for commuting purposes
• Meal allowances/reimbursements (not away overnight)
• Meal money because of overtime
• Memberships in athletic facilities
• Military differential pay
• Moving expense reimbursements
• Nonqualified stock bonus plans
• Nonqualified stock option plans
• Outplacement services
• Parking
• Personal liability insurance
• Physical examinations
• Reimbursements of expenses on sale of personal residence
• Use of health/medical facilities
Examples of Fringe Benefits Continued
• Retirement gifts
• Safety or length of service awards
• Severance pay
• Scholarships or fellowships
• Sick pay
• Spousal travel
• Uniform allowances
• Use of recreation vehicles or boats
• Use of vacation homes
• Vacations (all expense paid or discounted)
Nontaxable Fringe Benefits
• Specifically excluded by law:
- IRC 79 – Group term life insurance
- IRC 105 & 106 – Employer health benefits
- IRC 119 – Meals or lodging for the employer's convenience
- IRC 125 – Cafeteria plans
- IRC 127 – Educational assistance programs
- IRC 129 – Dependent care assistance
IRC Section 132
• Fringe benefits excluded under certain conditions (the "workhorse" of statutory exclusions):
- No additional cost service
- Qualified employee discounts
- Working condition fringe
- De minimis fringe
- On-premises athletic facilities
- Qualified transportation fringe
- Qualified moving expense reimbursements
- Qualified retirement planning services
- Qualified military base realignment and closure fringe
Working Condition Fringe Benefits
The entire value of the property or service provided is excludable from the employee's income if the employee could have deducted it as a trade or business expense had he/she paid for it in the course of doing the employee's job.
- Examples:
• Professional dues and subscriptions
• Supplies
• Business meals
• Cash reimbursement for business travel
• Job training
• Uniforms that are not adaptable to general use
De Minimis Benefits
• Excluded from the employee's income when the employer-provided property or services have such a small value and frequency that accounting for them would be impractical
• De minimis benefits can be provided on a discriminatory basis
• De minimis rules do not apply to cash and cash equivalents (including gift cards) or to memberships in private country clubs or athletic facilities
- Examples:
• Employee cocktail parties
• Company picnics
• Coffee and doughnuts / bottled water and soft drinks
• Occasional use of the copy machine/fax machine/phones
Common Fringe Benefits
• Gifts and Awards
- Employers may give employees cash or noncash awards and prizes as a reward for achievements within the organization
- The fair market value of the reward is included in the gross income of the employee – IRC Section 74
Cash gifts and awards are always included in gross income, including gift cards, which are considered cash equivalents. No matter how small the amount, even $5, a gift card presented to an employee should be reported in their wages.
Common Fringe Benefits
• Gifts and awards may be excluded from income under certain exceptions:
- De minimis fringe benefits (turkey/pin/flowers/coffee mugs/plaques)
- Recognition awards given for charitable or other achievement, such as the Nobel Peace Prize
- Tangible noncash employee achievement awards given for length of service or safety:
• Must be presented as part of a meaningful presentation
• FMV of awards must be under $400 per year ($1,600 per year for awards under a qualified plan)
• A length-of-service award does not qualify if given during the employee's first five years of employment
- Traditional retirement awards presented upon completion of a lengthy term of service (e.g. a gold watch, regardless of value, because there is no expectation of future services, i.e. the award is not compensatory)
Common Fringe Benefits
• Meals on Business Premises – Nontaxable
- Meals provided after hours for employees working overtime
- Meals provided during the employer's training seminars / departmental meetings
- Free meals from the cafeteria to substantially all employees during each work day so that employees may be on call at all times
TAXABLE: The value of food provided on a regular, expected basis (not just occasionally) should be included in taxable wages.
Common Fringe Benefits
• Cell Phones / Tablets
- For tax years after 2009, cell phones and related devices are no longer considered listed property, so employers no longer need to meet the substantiation requirements to deduct the equipment (i.e. no contemporaneous detailed activity log is needed)
- Business use of cell phones (or similar telecommunications equipment) provided for non-compensatory business reasons is a working condition fringe benefit and is therefore not taxable
- Personal use is still taxable compensation, unless the device was provided for non-compensatory business reasons, in which case the personal use is excludable as a de minimis fringe benefit
Common Fringe Benefits
• Employer Provided Auto
- Use of an employer-provided auto by an employee while conducting the employer's business is an excludable working condition fringe benefit
- Personal use of the company auto is a taxable fringe benefit
- Personal use cannot be changed to business use by attaching display material that advertises the business while the employee is driving
- Business use must be properly substantiated with adequate records (i.e. using an accountable plan with documentation)
- All of an employee's use of a qualified non-personal-use vehicle (such as a police car, unmarked law enforcement vehicle or fire vehicle) is excluded from taxable income
Common Fringe Benefits
• Spousal Travel
- Employer-provided spouse or dependent travel is generally taxable income to the employee
- The expense qualifies as a working condition fringe benefit only if:
• the employer can adequately demonstrate that the spouse's presence on the business trip has a bona fide business purpose, and
• the employee substantiates the travel, and
• the companion is also an employee
Common Fringe Benefits
• Uniforms
- Must be related to the employer's business and be provided so the employee can perform his/her job – such as high-visibility shirts/reflective lettering for road crews or police officers, and protective clothing
- Embroidered logos and patches on polo shirts are almost always taxable (i.e. considered an informal work uniform). If the clothing/shoes are adaptable to normal wear, the value is taxable. However, most organizations treat the purchase of low-cost clothing items ($100 or less per employee per calendar year) as a de minimis fringe and nontaxable
- Safety equipment such as safety glasses, hardhats, work gloves and anti-glare screens for computers is excludable from wages
Common Fringe Benefits
• Employer Issued Credit Cards Many companies allow employees to use credit cards to buy items for the company. Some companies issue credit cards to executives and pay the bills without requiring the executive to show business purpose. Personal expenses paid through these credit cards to executives are considered taxable fringe benefits and they cannot be deducted as business expenses. If executives are not required to substantiate that the expenses charged to the corporate credit card were for business expenses, the reimbursement is considered to have been made under a non-accountable plan and the entire reimbursement is taxable to the executive, and wages for employment tax purposes.
Common Fringe Benefits
• Awards Funded by Third Party If funds or a noncash prize are provided by an outside party, the award is taxable in the same way as if provided directly by the employer. If the third party selects and distributes the award directly to the agency employee without any direction or decision making from agency personnel, then the award is income to the recipient and must be reported. The outside party would be required to furnish a Form 1099-MISC to the recipient if the amount is $600 or more in a calendar year.
Employee Business Expense Reimbursements
• Provided under an Accountable Plan
Must meet all three of the following to be nontaxable:
1. There must be a business connection
2. There must be adequate accounting by the recipient within a reasonable period of time – receipts are required for lodging and for any expense of $75 or more
3. Any excess reimbursement or advance must be returned within a reasonable period of time
The Accounts Payable function is essentially administering a body of payroll tax law – so communication and written policies are critical.
Business Connection
• The plan must provide reimbursements or advances only for business expenses that would otherwise qualify as a trade or business expense under IRC Section 162
• Section 162 allows deductions for all ordinary and necessary expenses paid or incurred during the taxable year in carrying on a trade or business
• When evaluating whether an expense is ordinary and necessary, the IRS looks to whether the expenditure secured a business benefit
Adequate Accounting
• Employees are required to provide sufficient information to establish the "business connection" of the expenditure – i.e. the 5 "W"s:
- What – amount
- When – time, date, etc.
- Where – business location, destination, etc.
- Why – business purpose
- Who – for entertainment purposes
Written contemporaneous records carry more weight than oral evidence.
Written Guidelines and Policies
• When is it time to update your policy handbook/procedures/guidelines?
- Given the recent publicity regarding fiscal mismanagement in state and county agencies (due to lack of coordination and information sharing), it may be time to re-write your policies in order to provide:
• Better audit measures to assess compliance within the agency's departments
• Clarification of the agency's position and specific guidance for employees on matters that may have resulted in confusion or non-compliance in the past
• Assurance that there are no gaps in the public's understanding
Written Guidelines and Policies- Best Practices
• Provide background on the purpose of the policy, including how personal use will be reported via the employer's payroll process.
• Give clear, concise guidance on the distinction between business and personal use. Accountability issues will arise when detailed standards for conduct are inaccurate or outdated.
• Review the requirements for business use of the "benefit" and how to record and report the business use. Policies that do not sufficiently document processes can create varying degrees of inconsistency within each department.
• Explain the fringe benefit that is received by the employee when the benefit is used/received for non-business (i.e. personal) reasons.
Consider a Fringe Benefit Plan Review
• Identifying all fringe benefits
• Confirming that each benefit is properly reported and that taxes are withheld and deposited in a timely manner
• Identifying and implementing statutory fringe benefit rules / reviewing and/or re-writing current guidelines and policies so that they will pass IRS scrutiny
• Identifying and implementing the special valuation rules that apply to fringe benefits
• Employment tax audits are expensive – in addition to any penalties imposed by the IRS, increased administrative and financial costs will be incurred during an audit
• Costs can be alleviated by conducting a comprehensive review before you are contacted by the IRS
Employee Versus Non-Employee Classification
Generally, directors of a corporation (i.e. members of the governing board) are defined by statute as non-employees. This is due to the fact that a board member's responsibility for the fulfillment of an organization's mission and legal accountability for its operations typically dictate that the board be comprised of individuals from outside of the organization. While it is possible for a board member to also be an employee of the organization, the services they perform in their role as board member will be reported separately from the services they perform as an employee.
Independent contractors should be paid through accounts payable (i.e. and receive a Form 1099-MISC) and employees are paid through payroll.
Employee Versus Non-Employee Classification
Current case law has made it clear that elected public officials are classified as employees since they are subject to a degree of control that is characteristic of an employer-employee relationship. Elected officials are responsible to the public, which has the power to vote them out of office. Appointed public officials, however, may be classified as either employees or independent contractors based on a determination of their "worker status" under common law standards. See attachment for Common Law Standards for Determining Worker Status
Handouts
• Employee or Independent Contractor Status
• Travel and Business Expense Policy with Exhibit A
• Vehicle Use Policy
• Fringe Benefit Memorandum
• 2014 IRS Quick Reference Guide for Public Employers
• 2014 IRS Fringe Benefit Guide: Office of Federal, State and Local Governments
Questions?
Denise P. Hill Email: [email protected] Phone: 803-255-1479 Website: www.elliottdavis.com
Elliott Davis Decosimo ranks among the top 50 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.
GASB 68 – Accounting and Reporting for Pensions
© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC
Tom McNeish Government Practice Leader & Shareholder March 19, 2015
Effective Date
• Effective for fiscal years beginning after June 15, 2014
• For employers with a December 31 fiscal year end, this means the December 31, 2015 financial statements
Under GASB 27 – Funding vs Accounting
• Accounting liabilities are about the same as funding liabilities
• Pension liability = the cumulative difference between the actuarially required contribution (ARC) and what the employer actually contributes
• For plans funded at the actuarially determined contribution, it is likely that little or no liability is reported
• One actuarial valuation is used for both accounting and funding purposes
Under New Standards
• Funded status moves from the footnotes to the balance sheet
• Additional footnote and RSI disclosures
• Shift in focus from the income statement to the balance sheet
- Before: "Are ARC contributions adequate?"
- Now: "How large is the Net Pension Liability?"
Other Changes
GASB 68 versus GASB 27:

Actuarial cost method
- GASB 68: Entry Age Normal cost method only
- GASB 27: Six (6) allowable actuarial cost methods

Discount rate
- GASB 68: May require use of a blended discount rate (between the long-term expected rate of return and the municipal bond rate)
- GASB 27: The long-term expected rate of return on assets is the discount rate

Amortization periods
- GASB 68: Shorter amortization periods (no longer up to 30 years) – five (5) years for investment gains/losses; average future working lifetime for other gains/losses or assumption changes
- GASB 27: Amortization of any kind (gains/losses, assumption changes, benefit changes, etc.) over a maximum of thirty (30) years

Contributions
- GASB 68: Plans administered through a trust or equivalent arrangement; contributions are irrevocable
- GASB 27: Trust not required
Potential Effects
• Accounting liabilities will likely be higher than funding liabilities
• Some employers may re-evaluate their defined benefit plan
• Credit ratings may be impacted
• Increased complexity in accounting and reporting
• Possible increased scrutiny of the plan
New Terms
• Total Pension Liability (TPL) – the actuarial present value of projected benefit payments attributed to past periods of employee service
• Net Pension Liability (NPL) – total pension liability minus the pension plan's fiduciary net position
• Fiduciary net position = market value of plan assets
• Pension Expense (PE) – the change in the NPL from the prior fiscal year to the current fiscal year, with some adjustments
Measurement date
Financial reporting period for the year ended June 30, 2015 (timeline: 12/31/2012, 6/30/2013, 6/30/2014, 6/30/2015):
- 12/31/2012 through 6/30/2014: if the valuation date falls in this period, it must be updated (rolled forward) to the measurement date. The valuation date may be no earlier than 30 months and 1 day before the fiscal year end, which is why the timeline starts at 12/31/2012.
- 6/30/2014 through 6/30/2015: any date in this period is an appropriate measurement date. If the valuation date and the measurement date are the same and fall in this period, no roll forward is required.
Discount rate
• The discount rate should be the single rate that reflects the following:
a. The long-term expected rate of return on pension plan investments that are expected to be used to finance the payment of benefits, to the extent that
1. the pension plan's fiduciary net position is projected to be sufficient to make projected benefit payments, and
2. pension plan assets are expected to be invested using a strategy to achieve that return
b. A yield or index rate for 20-year, tax-exempt general obligation municipal bonds with an average rating of AA/Aa or higher (or equivalent quality on another rating scale), to the extent that the conditions in (a) are not met
• The amount of the pension plan's projected fiduciary net position and the amount of projected benefit payments should be compared in each period of projected benefit payments
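The period-by-period comparison described above is the "crossover" test: each year's projected benefit payment is discounted at the long-term expected return while the plan's projected fiduciary net position covers it, at the municipal bond rate once it does not, and the single equivalent discount rate is the one rate that reproduces the same present value. The following is an added worked example written for this page; it is not part of the presentation or any Elliott Davis Decosimo material. It assumes annual periods, earnings on the opening balance at the long-term rate, contributions received at the start of each year and benefits paid at year end; the 7.0% long-term rate, the 3.5% municipal rate and the sample balances and cash flows are constructed for illustration only.

```python
from typing import List, Tuple

LONG_TERM_RATE = 0.07  # assumed long-term expected rate of return on plan investments
MUNI_RATE = 0.035      # assumed 20-year AA/Aa tax-exempt general obligation muni yield


def project_sufficiency(fnp0: float, contributions: List[float],
                        payments: List[float], rate: float) -> List[bool]:
    """For each projection year, report whether the projected fiduciary net
    position (opening balance grown at `rate`, plus that year's contribution)
    is sufficient to make the year's projected benefit payment.
    Simplifying assumptions: annual periods, earnings on the opening balance,
    contributions at the start of the year, benefit payments at year end."""
    fnp = fnp0
    sufficient = []
    for contrib, pay in zip(contributions, payments):
        available = fnp * (1 + rate) + contrib
        sufficient.append(available >= pay)
        fnp = max(available - pay, 0.0)  # assets cannot go negative; shortfall is unfunded
    return sufficient


def crossover_year(sufficient: List[bool]) -> int:
    """1-based first year in which assets are projected to be insufficient, 0 if never."""
    for year, ok in enumerate(sufficient, start=1):
        if not ok:
            return year
    return 0


def present_value(payments: List[float], rates: List[float]) -> float:
    """Discount each year-end payment at its own rate (year t discounted t periods)."""
    return sum(p / (1 + r) ** t for t, (p, r) in enumerate(zip(payments, rates), start=1))


def blended_present_value(payments: List[float], sufficient: List[bool],
                          long_rate: float, muni_rate: float) -> float:
    """Apply the GASB 68 rule: long-term rate for funded years, muni rate otherwise."""
    rates = [long_rate if ok else muni_rate for ok in sufficient]
    return present_value(payments, rates)


def single_equivalent_rate(payments: List[float], target_pv: float,
                           lo: float, hi: float, tol: float = 1e-13) -> float:
    """Bisection for the single rate whose flat-rate PV equals target_pv.
    PV is strictly decreasing in the rate, so when target_pv lies between
    PV(hi) and PV(lo) the root lies in [lo, hi]."""
    def flat_pv(r: float) -> float:
        return present_value(payments, [r] * len(payments))

    for _ in range(200):
        mid = (lo + hi) / 2
        if flat_pv(mid) > target_pv:
            lo = mid  # rate too low, PV too high
        else:
            hi = mid
        if hi - lo < tol:
            break
    return (lo + hi) / 2


def gasb68_discount_rate(fnp0: float, contributions: List[float], payments: List[float],
                         long_rate: float = LONG_TERM_RATE,
                         muni_rate: float = MUNI_RATE) -> Tuple[float, int]:
    """Return (single equivalent discount rate, crossover year)."""
    sufficient = project_sufficiency(fnp0, contributions, payments, long_rate)
    target = blended_present_value(payments, sufficient, long_rate, muni_rate)
    lo, hi = min(long_rate, muni_rate), max(long_rate, muni_rate)
    return single_equivalent_rate(payments, target, lo, hi), crossover_year(sufficient)


if __name__ == "__main__":
    # Constructed sample plan: $1,000 of assets, no further contributions,
    # $300 of benefits per year for 10 years. Assets run out in year 4.
    pay = [300.0] * 10
    rate, cross = gasb68_discount_rate(1000.0, [0.0] * 10, pay)
    print(f"crossover year: {cross}, single equivalent discount rate: {rate:.4%}")
```

With the constructed data the plan covers the first three years of payments at the 7.0% rate, the remaining seven are discounted at 3.5%, and the single equivalent rate lands between the two; a plan whose assets never run out reproduces the long-term rate exactly, and a plan with no assets reproduces the municipal rate.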
Discount rate
[Chart: "Adjust discount rate to incorporate 20-year muni yield" – projected fiduciary net position and projected benefit payments ($0 to $1,800,000) plotted over 30 years; the crossover point is where projected payments exceed the fiduciary net position]
Reporting of Expense and Deferred Inflows/Outflows
Event / Reporting method:

- Differences between expected and actual experience; changes of assumptions; net effect of the change in proportionate share of the net pension liability and deferred inflows/outflows; difference between employer contributions and proportionate share of contributions:
Recognized in pension expense beginning in the current reporting period. The portion not recognized in pension expense is reported as deferred outflows of resources or deferred inflows of resources. Use a systematic and rational method over a closed period equal to the average of the expected remaining service lives of all employees (active and inactive) determined as of the beginning of the measurement period.

- Difference between projected and actual earnings:
Use a systematic and rational method over a closed five-year period.

- Contributions made subsequent to the measurement date:
Reported as a deferred outflow of resources related to pensions because they fall outside the reporting period. Employer contributions to the pension plan are not recognized in pension expense.
Illustration – Year 1
Columns: NPL | Assets | Deferred inflows | Deferred outflows | Net position | Pension expense | Check (debits shown positive, credits in parentheses)

1. 12/31/13 valuation date: NPL (100,000)
2. Service costs: NPL (1,250)
3. Interest costs: NPL (2,500)
4. Benefit payments: NPL 2,000
5. 6/30/14 measurement date: NPL (101,750); Net position 101,750; Check –
6. Deferred outflows/inflows:
7. Employer contributions subsequent to measurement date: Assets (3,000); Deferred outflows 3,000; Check –
8. Actual earnings on plan assets of $10,000 vs projected earnings of $7,500: NPL 10,000; Deferred inflows (2,500); Pension expense (7,500); Check –
9–10. Increase in NPL arising from the effects of differences between expected and actual experience: NPL (1,000); Deferred outflows 1,000; Check –
11. Decrease in NPL arising from effects of changes of assumptions: NPL 750; Deferred inflows (750); Check –
12. Service costs: NPL (2,600); Pension expense 2,600; Check –
13. Interest on NPL: NPL (4,900); Pension expense 4,900; Check –
14. Administrative expense: NPL (200); Pension expense 200; Check –
15. 6/30/15 reporting date – journal entry: NPL (99,700); Assets (3,000); Deferred inflows (3,250); Deferred outflows 4,000; Net position 101,750; Pension expense 200; Check –
Illustration – Year 2
Columns: NPL | Assets | Deferred inflows | Deferred outflows | Net position | Pension expense | Check (debits shown positive, credits in parentheses)

1. 6/30/15 measurement date: NPL (99,700); Assets (3,000); Deferred inflows (3,250); Deferred outflows 4,000; Net position 101,950; Pension expense –; Check –
2. Contributions made in the prior measurement period: NPL 3,000; Deferred outflows (3,000); Check –
3–4. Pension expense recognized from previously recorded deferred inflows and outflows:
5. Actual earnings on plan assets: Deferred inflows 500; Pension expense (500); Check –
6. Differences between expected and actual experience: Deferred outflows (125); Pension expense 125; Check –
7. Changes of assumptions: Deferred inflows (95); Pension expense 95; Check –
8. Deferred outflows/inflows:
9. Employer contributions subsequent to measurement date: (2,200); Deferred outflows 2,200; Check –
10. Actual earnings on plan assets of $8,000 vs projected earnings of $9,500: NPL 8,000; Deferred outflows 1,500; Pension expense (9,500); Check –
11–12. Increase in NPL arising from the effects of differences between expected and actual experience: NPL (500); Deferred outflows 500; Check –
13. Decrease in NPL arising from effects of changes of assumptions: NPL 350; Deferred inflows (350); Check –
14. Service costs: –
15. Interest on NPL: NPL (4,500); Pension expense 4,500; Check –
16. Administrative expense: NPL (250); Pension expense 250; Check –
17. 6/30/16 reporting date: NPL (95,800); Assets (3,000); Deferred inflows (3,195); Deferred outflows 5,075; Net position 101,950; Pension expense (5,030); Check –
Recognition under modified accrual— single and agent employers
• The net pension liability should be recognized to the extent it is normally expected to be liquidated with expendable available financial resources
• Pension expenditures should be recognized equal to the total of (a) amounts paid by the employer to the pension plan and (b) the change between the beginning and ending balances of amounts normally expected to be liquidated with expendable available financial resources
• Net pension liabilities are normally expected to be liquidated to the extent that benefit payments have matured – that is, benefit payments are due and payable and the pension plan's fiduciary net position is not sufficient for payment of those benefits
Cost-Sharing Employers – Fund Financial Statements
• In governmental fund financial statements, the cost-sharing employer's proportionate share of the collective net pension liability is required to be recognized to the extent the liability is normally expected to be liquidated with expendable available financial resources
• Pension expenditures should be recognized equal to the total of (1) amounts paid by the employer to the pension plan and (2) the change between the beginning and ending balances of amounts normally expected to be liquidated with expendable available financial resources
Note disclosures – single and agent employers
• Descriptions of the plan and benefits provided
• Significant assumptions employed in the measurement of the net pension liability
• Descriptions of benefit changes and changes in assumptions
• Assumptions related to the discount rate, and the impact on the total pension liability of a 1 percentage point increase and decrease in the discount rate
• Net pension liability, deferred outflows of resources and deferred inflows of resources
• Beginning and ending balances of the NPL, and the effects of changes during the period, including service cost, benefit changes, and actual investment earnings
RSI Schedules
• Single and agent governments will be required to present RSI schedules with the following information for each of the past 10 years (generally on a prospective basis):
- Beginning and ending balances of the total pension liability
- The plan's net position
- The net pension liability
- The ratio of the plan's net position to the total pension liability
- The covered-employee payroll
- The net pension liability as a percentage of the covered-employee payroll
RSI Schedules
• If a single, agent, or cost-sharing government has an actuarially determined annual pension contribution, it is also required to present an RSI schedule with the following information for each of the past 10 years:
1. the actuarially determined annual pension contribution
2. the amount of employer contribution actually made
3. the difference between 1 and 2
4. the payroll of employees covered by the plan, and
5. the ratio of 2 divided by 4
• Governments are also now required to present notes to the RSI schedules regarding factors that significantly affect the trends in the schedules. For single and agent employers, significant assumptions should also be disclosed
Cost-Sharing Employers – Note Disclosures and RSI
• This Statement requires that notes to financial statements of cost-sharing employers include descriptive information about the pension plan.
• Cost-sharing employers should identify the discount rate and assumptions made in the measurement of their proportionate shares of net pension liabilities, similar to the disclosures about those items that should be made by single and agent employers.
• Cost-sharing employers, like single and agent employers, also should disclose information about how their contributions to the pension plan are determined.
• This Statement requires cost-sharing employers to present in required supplementary information 10-year schedules containing (1) the net pension liability and certain related ratios and (2) if applicable, information about statutorily or contractually required contributions, contributions to the pension plan, and related ratios.
Computing Proportionate Share: One Potential Method
Illustration 3—Note Disclosures and Required Supplementary Information for a Cost-Sharing Employer
(Amounts in 000's)
Total Plan (all participating employers):
  Pension liability                                                  $ 39,502,453
  Plan net position                                                    35,979,370
  Net pension liability                                                 3,523,083
Covered payroll for the individual employer                            $ 11,512
Covered payroll for the Plan (total of all participating employers)   5,615,736
Individual employer's pro-rata portion of net pension liability
  based on covered payroll (%)                                             0.20%
Individual employer:
  Pension liability                                                    $ 79,005
  Plan net position                                                      71,959
  Net pension liability                                                $  7,046
Tom McNeish Email: [email protected] Phone: 919.334.6180 Website: www.elliottdavis.com
Elliott Davis Decosimo ranks among the top 50 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.
OMB New Uniform Guidance
Tom McNeish Government Practice Leader & Shareholder March 19, 2015
OMB Super Circular
• December 26, 2013 - Office of Management and Budget (OMB) issued guidance that makes significant changes to federal grants management.
• Super Circular - Streamlines requirements and supersedes eight existing OMB Circulars
• Changes are in response to the administrative burden of the existing procurement standards
• Language revisions to require "oversight" rather than a "system" to ensure that contractors comply with contract terms.
• Effective for entities with fiscal years beginning on or after December 26, 2014.
Codification
This uniform guidance codifies the following circulars into the Code of Federal Regulations:
• Administrative Requirements
- A-102, Grants and Cooperative Agreements with State and Local Governments
- A-110, Uniform Administrative Requirements for Grants and Other Agreements with Institutions of Higher Education, Hospitals, and Other Non-Profit Organizations
- A-89, Catalog of Federal Domestic Assistance
• Cost Principles
- A-21, Cost Principles for Educational Institutions
- A-87, Cost Principles for State, Local, and Indian Tribal Governments
- A-122, Cost Principles for Non-Profit Organizations
• Audit Requirements
- A-133, Audits of States, Local Governments, and Non-Profit Organizations
- A-50, Audit Follow-up
Streamlining effects
• Definition of "supplies" - Computers will be considered supplies if the purchase price is the lesser of the institution’s capitalization policy or $5,000, regardless of useful life.
• Micro purchases - Supplies or services not exceeding $3,000 may be awarded without soliciting competitive quotes if the nonfederal entity considers the price reasonable.
• Direct Costs - Administrative costs may be charged directly when they are specifically allocated to one award, with prior approval from the awarding agency.
• Indirect costs - Approved indirect cost rates may be extended on a one-time basis without further negotiation, for up to four years.
• Provision to allow institutions to recover increased utility costs associated with research.
New Requirements for Recipients
• Review of Risk – Recipients to be evaluated for financial stability; the quality of management systems; performance history; reports and findings from audits; and ability to effectively implement statutory, regulatory, or other broad compliance requirements.
• Procurement standards – Emphasis on policies to prevent conflicts of interest and protect the integrity of procurements under federal awards
• Performance Measurement - Recipients will be required to provide financial information demonstrating cost-effective practices
• Internal Controls - Institutions must establish and maintain effective internal controls over federal awards.
• Personal info protection - Nonfederal entities must take reasonable measures to safeguard protected personally identifiable information.
New Requirements for Auditors
• Thresholds
- The single audit threshold will increase to $750,000 from $500,000.
- Audit oversight over 99.7 percent of federal award dollars and 81 percent of the entities subject to the requirement.
- Audit oversight will be eliminated for approximately 5,000 of the 37,500 entities that currently undergo a single audit.
• Findings
- The types of findings reported in the Schedule of Findings and Questioned Costs will remain substantially the same.
- The threshold for reporting questioned costs will increase from $10,000 to $25,000.
Major Program Determination
Total Federal Awards Expended            Type A/B Threshold
Equal to $750,000 but ≤ $25 million      $750,000
> $25 million but ≤ $100 million         .03 times total federal awards expended
> $100 million but ≤ $1 billion          $3 million
> $1 billion but ≤ $10 billion           .003 times total federal awards expended
> $10 billion but ≤ $20 billion          $30 million
> $20 billion                            .0015 times total federal awards expended
Major Program Determination
• High Risk Type A Programs - To be considered low-risk, the program must not have had:
- Internal control deficiencies identified as material weaknesses
- A modified opinion on compliance
- Known or likely questioned costs that exceed five percent of the total federal awards expended for the program.
• High Risk Type B Programs
- A material weakness finding will be the primary trigger for high risk
- The number of high-risk Type B’s to be audited will be reduced from ½ to ¼ the number of low-risk Type A’s
- The Type B threshold to be omitted for risk assessment will be a flat 25 percent of the Type A threshold
- Selection of different high-risk Type B’s each year will be encouraged.
Low-Risk Criteria
• Low-Risk Auditee - must meet the following conditions for the two prior audit periods to qualify as low-risk:
- Single audits were performed annually
- Audit opinions on the financial statements and the schedule of expenditures of awards were unmodified.
- No material weakness findings
- No substantial doubt about the auditee's ability to continue as a going concern.
- No material weaknesses, questioned costs that exceeded five percent, or a modified opinion on a major program
• Percentage of Coverage rule - The minimum percentage of total federal awards to be tested as major programs will decrease:
- 25% to 20% for low-risk auditees
- 50% to 40% for all others
Questions?
Tom McNeish Email: [email protected] Phone: 803.255.1488 Website: www.elliottdavis.com
Fraud: Current Trends and Case Studies
Lee A. Wagner, CPA, CFE Senior Manager March 19, 2015
Presentation Overview
• Overview and selections from the 2014 Report to the Nations on Occupational Fraud and Abuse*, published by the Association of Certified Fraud Examiners (ACFE)
• Example real-life fraud case studies and anecdotes
• Discussion of “take-aways” and lessons learned from the Report to the Nations and case studies
*Copyright 2014 by the Association of Certified Fraud Examiners, Inc.
Speaker Background
• Senior Manager, Raleigh office
• Over 8 years’ experience in public accounting
• CFE since 2011
• Experience with a variety of forensic accounting and fraud examination projects
• Financial statement audit experience in industries including manufacturing/distribution, state and local government, and not for profit
Part I: ACFE’s Report to the Nations
ACFE’s 2014 Report to the Nations
• ACFE surveys the population of all certified fraud examiners and compiles results
• 2014 report is based on 1,483 cases of occupational fraud as reported by CFEs
• Provide valuable information on how fraud is committed, how it is detected, and how organizations can reduce their vulnerability to the risk of fraud
• Entire report available for download: http://www.acfe.com/rttn-download-2014.aspx
ACFE’s 2014 Report to the Nations
“The cost of fraud is the equivalent of a financial iceberg; some of the direct losses are plainly visible, but there is a huge mass of hidden harm that we cannot see.” - Report to the Nations, ACFE
Size and type of frauds
(Chart slides from the ACFE’s 2014 Report to the Nations; the figures are not reproduced in this transcript)
Detection of frauds
(Chart slides from the ACFE’s 2014 Report to the Nations; the figures are not reproduced in this transcript)
Fraud victims
(Chart slides from the ACFE’s 2014 Report to the Nations; the figures are not reproduced in this transcript)
Fraud controls
(Chart slides from the ACFE’s 2014 Report to the Nations; the figures are not reproduced in this transcript)
The perps
(Chart slides from the ACFE’s 2014 Report to the Nations; the figures are not reproduced in this transcript)
The outcomes
(Chart slides from the ACFE’s 2014 Report to the Nations; the figures are not reproduced in this transcript)
Part II: Case Studies and Anecdotes
Case Studies and Anecdotes - 1
• Rita Crundwell – City Comptroller, Equine Enthusiast and Brazen Fraudster
Rita Crundwell – City Comptroller and Fraudster
• Background Info:
- Became comptroller of City of Dixon, Illinois, in 1983
- Dixon: working-class city of approx. 16,000, and the boyhood home of Ronald Reagan
- Dixon’s 2011 general fund operating budget was $6.9 million
- Rita’s salary in 2011 was approx. $80,000
- Between 1991 and April 2012, Rita embezzled $53.7 million from Dixon
Rita Crundwell – City Comptroller and Fraudster
• How did she do it?
- December 1990: Rita opens a bank account at an Ohio bank (bank subsequently acquired by Fifth Third Bank) in the name of City of Dixon and RSCDA, c/o Rita Crundwell (Reserve Sewer Capital Development Account)
- Rita repeatedly transferred funds from City of Dixon accounts to the RSCDA account
- Rita used funds deposited into the RSCDA account for personal expenses and for operations of her race horse breeding business
- Rita generated fake invoices (179 in total), mostly supposedly from the State of Illinois, as support for amounts deposited into/withdrawn from the RSCDA account
Rita Crundwell – City Comptroller and Fraudster
• How did she get away with it?
- Poor (or altogether nonexistent) segregation of duties allowed Rita complete control over Dixon’s finances
• Rita made bank deposits and transfers without second signature or authorization
• Rita reconciled all monthly bank accounts
• Rita prepared interim financial reports for the mayor and council
• Rita even received the mail each day
- Blamed Dixon’s weak financial position on lagging or late payments from the State of Illinois
Rita Crundwell – City Comptroller and Fraudster
• How was she caught?
- In 2011 Rita took unpaid leave for 12 weeks to focus on her horse breeding operation
- During this time a monthly statement for the RSCDA account was intercepted in the mail by another Dixon employee
- The mayor contacted the FBI – it all unraveled from there
Rita Crundwell – City Comptroller and Fraudster
• What was the fall-out?
- Rita’s purchases included the following:
• Two lavish homes in Dixon
• 80 acres of farmland
• A house in Florida
• Extensive updates and construction at her horse farm property
• A $2 million custom motor home
• Several hundred quarter horses (some at more than $100k)
• Several vehicles, tractors, horse trailers and trucks (including a 1967 Corvette Roadster)
• At least $500k in jewelry and furs
Rita Crundwell – City Comptroller and Fraudster
• What was the fall-out?
- Rita pleaded guilty to the $53 million scam in November 2012
- Sentenced to 19 years and 7 months in prison
- CliftonLarsonAllen, one of two accounting firms used by Dixon, settled with Dixon for $35.15 million in a gross negligence suit
- Janis Card Associates (other accounting firm) paid $1 million in settlement
- Fifth Third Bank paid $3.85 million in settlement with Dixon
Rita Crundwell – City Comptroller and Fraudster
Rita Crundwell began working for the City of Dixon while still in high school, was made treasurer in 1983, and by this time she was fully trusted with complete control of the City’s finances.
• What was it that Ronald Reagan used to say???
Case Studies and Anecdotes - 2
• Controller of a small business in Columbia, SC steals more than $1 million over course of 6-plus years
Case Studies and Anecdotes – 2
• Background info:
- No names included here as investigation and legal proceedings are ongoing
- Company is an industrial laundry / linens facility
- Former controller (“Suspect”) was employed by Company from 2005 through 2013
- During that time, Suspect made payments to herself via direct deposit from Company’s payroll bank account, at least in the amount of $978,311
- Additionally, Suspect altered two checks totaling $51,388 to be paid to a shell company owned by Suspect
Small Company Controller and Embezzler
• How did Controller do it?
- Two bank accounts: operating and payroll
- In addition to “normal” bi-monthly company-wide payroll disbursements, Controller initiated three smaller direct deposit transactions most months to Controller’s personal bank account
- In the GL, these three transactions were recorded as one transaction, most typically as an expense transaction to one of the Company’s most significant income statement line items
Small Company Controller and Embezzler
• How did Controller do it?
• Which one of these is not like the other??
Account  Account Description  Period  Date        Comments            Journal    Source  Debit  Credit
1000-00  Cash                 3       12/1/2011   A/P CHECK REGISTER  CD-000502  A/P     -      1,777.14
1000-00  Cash                 3       12/5/2011   A/P CHECK REGISTER  CD-000503  A/P     -      86.88
1000-00  Cash                 3       12/6/2011   A/P CHECK REGISTER  CD-000504  A/P     -      137,627.64
1000-00  Cash                 3       12/8/2011   A/P CHECK REGISTER  CD-000505  A/P     -      894.9
1000-00  Cash                 3       12/8/2011   A/P CHECK REGISTER  CD-000506  A/P     -      350
1000-00  Cash                 3       12/13/2011  A/P CHECK REGISTER  CD-000507  A/P     -      153,478.86
1000-00  Cash                 3       12/13/2011  A/P CHECK REGISTER  CD-000508  A/P     -      760
1000-00  Cash                 3       12/13/2011  A/P CHECK REGISTER  JE-002394  G/L     -      19,396.74
1000-00  Cash                 3       12/15/2011  A/P CHECK REGISTER  CD-000510  A/P     -      713.66
1000-00  Cash                 3       12/16/2011  A/P CHECK REGISTER  CD-000511  A/P     -      55.62
1000-00  Cash                 3       12/19/2011  A/P CHECK REGISTER  CD-000512  A/P     -      260
1000-00  Cash                 3       12/21/2011  A/P CHECK REGISTER  CD-000513  A/P     -      55,237.59
1000-00  Cash                 3       12/21/2011  A/P CHECK REGISTER  CD-000514  A/P     -      1,664.89
1000-00  Cash                 3       12/21/2011  A/P CHECK REGISTER  CD-000515  A/P     -      1,355.93
1000-00  Cash                 3       12/28/2011  A/P CHECK REGISTER  CD-000516  A/P     -      61,228.45
1000-00  Cash                 3       12/28/2011  A/P CHECK REGISTER  CD-000517  A/P     -      309.25
Small Company Controller and Embezzler
• How did Controller do it?
- From December 2011 bank statement, other debits section:
• 12-6 Company Payroll – XXXXX $ 6,249.76
• 12-13 Company Payroll – XXXXX $ 6,523.49
• 12-20 Company Payroll – XXXXX $ 6,623.49
Total $ 19,396.74
Small Company Controller and Embezzler
• How was Controller able to get away with it?
- Lack of segregation of duties: Controller had responsibilities over payroll, A/P disbursements, and bank reconciliations
- General manager of Company “reviewed” bank statements but clearly did not understand them or look very closely; evidence does not indicate that General Manager was ever even provided with the payroll account monthly statement
- Three-payment pattern per month consistently followed over several years, but never during month of September
- Company year end was September 30
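The two tells on the preceding slides (a manual G/L-sourced entry sitting in the A/P check register, and one GL posting that equals the sum of three separate bank debits) are exactly what an independent bank-to-GL reconciliation surfaces. The following is an added example, not code from the presentation: the GL rows are a subset of the December 2011 postings shown on the slide and the three payroll debits are the bank-statement lines shown on the slide, while the other bank debits are constructed so the example runs offline.

```python
"""Reconcile cash-account GL postings against bank-statement debits.

Added example, not from the presentation. GL rows are a subset of the slide's
December 2011 postings to 1000-00 Cash; the three payroll debits are the slide's
bank-statement lines; the check-clearing debits are constructed.
"""
from decimal import Decimal
from itertools import combinations
from typing import NamedTuple


class GLEntry(NamedTuple):
    date: str
    journal: str   # CD-... = cash disbursement batch, JE-... = manual journal entry
    source: str    # A/P = fed from the payables module, G/L = keyed directly
    credit: Decimal


class BankDebit(NamedTuple):
    date: str
    description: str
    amount: Decimal


D = Decimal
GL_CASH_DEC_2011 = [  # from the slide's "A/P CHECK REGISTER" postings
    GLEntry("12/1/2011", "CD-000502", "A/P", D("1777.14")),
    GLEntry("12/6/2011", "CD-000504", "A/P", D("137627.64")),
    GLEntry("12/13/2011", "CD-000507", "A/P", D("153478.86")),
    GLEntry("12/13/2011", "JE-002394", "G/L", D("19396.74")),
    GLEntry("12/15/2011", "CD-000510", "A/P", D("713.66")),
    GLEntry("12/21/2011", "CD-000513", "A/P", D("55237.59")),
    GLEntry("12/28/2011", "CD-000516", "A/P", D("61228.45")),
]
BANK_DEBITS_DEC_2011 = [  # check clearings constructed; payroll lines from the slide
    BankDebit("12/2/2011", "CHECK 502", D("1777.14")),
    BankDebit("12/6/2011", "Company Payroll - XXXXX", D("6249.76")),
    BankDebit("12/7/2011", "CHECK 504", D("137627.64")),
    BankDebit("12/13/2011", "Company Payroll - XXXXX", D("6523.49")),
    BankDebit("12/14/2011", "CHECK 507", D("153478.86")),
    BankDebit("12/16/2011", "CHECK 510", D("713.66")),
    BankDebit("12/20/2011", "Company Payroll - XXXXX", D("6623.49")),
    BankDebit("12/22/2011", "CHECK 513", D("55237.59")),
    BankDebit("12/29/2011", "CHECK 516", D("61228.45")),
]


def manual_cash_postings(entries):
    """Check-register postings that did not come from the payables module.

    A manual JE (G/L source) among A/P cash disbursements is the row the slide's
    'which one of these is not like the other' question points at."""
    return [e for e in entries if not e.journal.startswith("CD-") or e.source != "A/P"]


def match_gl_to_bank(entries, debits, max_split=4):
    """Explain each GL credit with bank debits.

    Pass 1 pairs entries with a single debit of the same amount. Pass 2 tries to
    explain what is left as a sum of up to max_split still-unmatched debits.
    Returns {journal: [matched debits]}; an empty list means unexplained."""
    unmatched = list(debits)
    matched = {}
    for e in entries:  # pass 1: one-to-one by amount
        hit = next((d for d in unmatched if d.amount == e.credit), None)
        if hit is not None:
            unmatched.remove(hit)
            matched[e.journal] = [hit]
    for e in entries:  # pass 2: one GL posting lumping several bank debits
        if e.journal in matched:
            continue
        matched[e.journal] = []
        for k in range(2, max_split + 1):
            combo = next((c for c in combinations(unmatched, k)
                          if sum(d.amount for d in c) == e.credit), None)
            if combo:
                for d in combo:
                    unmatched.remove(d)
                matched[e.journal] = list(combo)
                break
    return matched


def split_postings(matched):
    """GL postings that were only explainable by lumping several bank debits together."""
    return {j: ds for j, ds in matched.items() if len(ds) > 1}


def review(entries=GL_CASH_DEC_2011, debits=BANK_DEBITS_DEC_2011):
    """Findings a reviewer of the bank reconciliation should see."""
    findings = [f"manual posting in check register: {e.journal} {e.credit}"
                for e in manual_cash_postings(entries)]
    for journal, ds in split_postings(match_gl_to_bank(entries, debits)).items():
        parts = ", ".join(f"{d.date} {d.description} {d.amount}" for d in ds)
        findings.append(f"{journal} lumps {len(ds)} bank debits: {parts}")
    return findings


if __name__ == "__main__":
    for line in review():
        print(line)
```

Both checks only work if the reviewer receives the payroll account statement directly from the bank, which the slides note the General Manager never did.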
Small Company Controller and Embezzler
• How was Controller caught?
- Controller quit the company in early 2013
- Before leaving, Controller got greedy and careless
• Recorded illicit transactions in GL against inventory account rather than expense account (by accident?)
• Additionally, altered two checks recorded in GL to Company’s largest supplier and made payable to shell company of Controller
- Financial statement audit for FY2013: inventory sub-ledger was out of balance, which led to subsequent investigation
Small Company Controller and Embezzler
• What was the fall-out?
- Known amounts embezzled:
• 2007 – $ 90,000
• 2008 – $ 141,000
• 2009 – $ 190,000
• 2010 – $ 143,000
• 2011 – $ 141,000
• 2012 – $ 204,000
• 2013 – $ 121,000 (resigned 4 months into fiscal year)
• Total – $ 1,030,000
Case Studies and Anecdotes – 3
• Nathan J. Mueller – ING Accounting Manager and Convicted Fraudster
• Embezzled close to $8.5 million from ING over 4 year span
• See Journal of Accountancy article for detailed account in fraudster’s own words:
- “Lessons from an $8 million fraud”
- http://www.journalofaccountancy.com/Issues/2014/Aug/fraud-20149862.htm
Nathan Mueller – ING Embezzler
• Started his career in accounting at life insurance company ReliaStar (Minnesota), which was acquired by ING in 2000 for more than $6 billion
• Played a significant role in transitioning company to new ERP system upon acquisition by ING
• Glitch in system parameters allowed for fraud:
- “I was also, by mistake, along with a co-worker, given authority to approve checks up to $250,000. I discovered this permission quite by accident some two years after the takeover.”
Nathan Mueller – ING Embezzler
• How did he do it? “In our small accounting department, we knew everyone else’s system passwords. . . . One morning, while sitting at my desk, I realized that I could log in as someone else, request a check, and then log in as myself and approve my own request.” “I went to work every day for the next year tempted by the pot of gold that was there for the taking.”
Nathan Mueller – ING Embezzler
• How did he do it?
- Began by requesting checks made payable directly to his personal credit card
- After debt paid off, Nathan created shell company with Minnesota secretary of state: Ace Business Consulting
- Initially, recorded debits in GL in “accounts that had a lot of reconciliation activity”
- 2005 to 2007 – Nathan was in charge of accounting for Canadian investments in US dollars; would purposely weaken the Canadian dollar by a few basis points to understate the US dollar value of the income
Nathan Mueller – ING Embezzler
• Why did he do it?
- At first, pressures included pregnant wife and significant credit card debt
- As time went on, Nathan developed a taste for luxury cars, expensive watches, and high-roller trips to Las Vegas
- Developed serious substance abuse issues as well as gambling problem
Nathan Mueller – ING Embezzler
• How was he caught?
- He and his wife divorced in 2006
- His ex-wife remained friends with one of Nathan’s coworkers in the accounting department, and over lunch in August 2007 she voiced her concerns and suspicions related to Nathan’s exorbitant “gambling winnings”
- This prompted the coworker to do some digging and research all checks initiated by herself and then approved by Nathan – led to discovery of Ace Business Consulting checks
Nathan Mueller – ING Embezzler
• What was the fall-out?
- Nathan stole approx. $1 million in 2004, $2 million in 2005, $4 million in 2006, and $1 million in 2007
- Sentenced to 97 months in federal prison; term began February 2009
- Released September 2014 with time off for good behavior and completion of a residential alcohol abuse program
- Has paid back approx. $860 thousand to date
Part III: Takeaways and Lessons Learned
Takeaways and Lessons Learned
• Cressey’s Fraud Triangle
Takeaways and Lessons Learned
• Importance of anti-fraud controls at every organization!
- From ACFE’s Report to the Nations, how are most frauds discovered?
• Employee tips
• Management review
• Internal audit
• By accident
- What about external financial statement audits?
Takeaways and Lessons Learned
• Anti-fraud controls:
- Formal fraud policy and annual training for all employees
- Fraud risk assessment procedures, at least annually
- Tip or whistleblower hotline
- Ongoing monitoring and data analytics
- Mandatory vacations and surprise audits
- Regular review of segregation of duties and IT system access
Questions and open discussion
Lee Wagner, CPA, CFE Email: [email protected] Phone: 919.987.2762 Website: www.elliottdavis.com
Information Technology – Security
Richard Cook, CISA, CISM & CRISC Director: IT Audit & Security March 19, 2015
Agenda
• Cyber Terrorism - Overview - Common Data Breaches/Threats - Strategies to Mitigate Cyber Terrorism Risks
• Management Review of IT Controls - User Access Reviews - Privileged User Reviews - Vendor Management Reviews
• Password Security Guidance - Password Security Best Practices
Overview of Cyber Terrorism
• Cyber Terrorism defined: criminal acts using computers and networks as tools or targets
Overview of Cyber Terrorism
• Quotes from Verizon’s Data Breach Investigations Report:
- “Some organizations will be a target regardless of what they do, but most become a target because of what they do.”
- “87% of all breaches were avoidable through simple or intermediate controls.”
- 37% of all breaches affected financial institutions
- 66% of all breaches took months to discover
- 69% of all breaches were discovered by third parties
Overview of Cyber Terrorism
Cyber terrorism video 1 - “A Company Like Yours”
• http://www2.deloitte.com/br/en/pages/risk/articles/cybervideo-companies-like-yours.html
Common Data Breaches/Threats
The chart on this slide (not reproduced in this transcript) shows the percentage of tactics utilized across all data breaches.
Source: Verizon Data Breach Investigations Report (2013)
Common Data Breaches/Threats
Malware threats
- Malware is software designed to infiltrate, damage or obtain information from a computer system without the owner’s consent (as defined by ISACA)
- The biggest malware culprits:
• Spyware/Keylogger – 75% of cases
• Backdoor – 66%
• Export Data – 62%
• Captured Stored Data – 55%
Common Data Breaches/Threats
Use of physical attacks
- Physical threats encompass deliberate actions that involve proximity, possession, or force.
- Skimmers installed inside ATMs, POS devices, and gas pump terminals comprise almost all incidents in the physical category
Common Data Breaches/Threats
• Speaking of “Skimming”
- Been around for a while, but the skimmers keep getting more sophisticated
- Beginning to leverage 3D printing technology to improve efficiency and adapt to changes in card reader design
Pictures: from Krebs on Security
Common Data Breaches/Threats
• Nordstrom Case
- Found 6 skimmers attached to their point-of-sale computers back in the fall of 2013
- Team of 3 individuals used devices similar to this to collect/store/transmit credit card data
Picture: from Google Shopping
Common Data Breaches/Threats
Social Engineering
- Gaining sensitive information or unauthorized access privileges by building inappropriate trust relationships with insiders.
- Phishing is the most common threat
• Usually accomplished through email or phone call schemes
• Our employees are our weakest link
Strategies to Mitigate Cyber Terrorism Risks
There are so many risks…where to start?
Strategies to Mitigate Cyber Terrorism Risks
Cyber terrorism video 2 - “Cybersecurity Evolved”
• http://vimeo.com/60738040
Strategies to Mitigate Cyber Terrorism Risks
• How do we prevent cyber security attacks?
- Perform internal network vulnerability assessments (each device has an IP address, and each type of device has known vulnerabilities that are easily accessible on the internet).
• To prevent – all systems must be appropriately patched as vulnerabilities are identified (this applies at network, operating system, application and database layers). Patches are provided by the vendors.
- Perform external penetration test (this is an actual hack attempt).
• To prevent – updated patches, appropriate network security configuration – firewalls, routers, etc.
- University of Wisconsin has recently reported nearly 100,000 hacking attempts per day – mostly from China. As reported in The Wall Street Journal, July 2013.
- Perform social engineering test (physical or remote – email phishing is most popular).
• To prevent – training of employees, periodic updates.
• There are tools that can scan for these types of data/files in email and will automatically encrypt the files prior to sending.
Strategies to Mitigate Cyber Terrorism Risks
Other strategies to consider
• Create a response team to handle issues, often called a Computer Emergency Response Team (CERT)
- Much like a Business Continuity/Disaster Recovery Plan
• Network with local cyber experts to understand emerging threats
• Complete a cybersecurity risk assessment
User Access Reviews
• Obtain a system-generated list of all users and their system privileges (this supports the financial statement assertions of completeness and accuracy).
• Do not rely on spreadsheets for tracking user access
- Reviewing a spreadsheet only validates that the spreadsheet is correct; actual system access may differ
• The user review may be difficult to do if the system is not using either role- or group-based security for applying access rights.
User Access Reviews, continued
• During the review, check that:
- Every user is a current employee, contractor, 3rd party user or temp
- Application, database and operating system access rights are all covered
- Each user's access rights are appropriate for their job function
- Users do not have SoD (Segregation of Duties) conflicts
• If SoD conflicts exist, point to the mitigating control (e.g. reconciliations or another business process control)
• SoD conflicts do not exist across systems (e.g. credit approval management system vs. loan origination system)
• Maintain all User Access Review documents (the user access review detail completed by the reviewer is the most important piece of evidence that the review occurred)
User Access Reviews, continued
• Maintain a User Access Review Tracking sheet, which should note:
- Reviewer's name
- List of users to be reviewed
- Date sent to reviewer
- Date received from reviewer
- Whether changes were requested (Yes/No)
- When changes were applied
• Users should not review their own access rights (very risky)
• Note: the User Access Review Tracking sheet is often maintained by the IT group, but User Access Reviews should be performed by management.
Basic Security (layers of an onion)
• The most sensitive, most tightly secured assets should sit at the center of the onion, behind every outer layer
Privileged User Reviews
• Always review 100% of privileged users (Administrators, Super Users, DBAs, etc.); this is the highest-risk group of users
• Privileged users are any users that can perform the following functions: user provisioning (add, change or delete user access rights), administrator-level access, changing configuration settings, and back-end access to databases (making changes directly to the database, e.g. a DBA)
• Any 3rd party user that has access rights to your systems should be logged and monitored (we cannot outsource risk)
• 3rd party access should be limited and only granted when needed. It should not be open-ended 24x7 access
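The checks on the two access-review slides above (current users only, all three layers in scope, SoD conflicts within and across systems, 100% coverage of privileged users, time-boxed third-party access) can be run directly over a system-generated export instead of a spreadsheet. The following is an added example and not code from the presentation or the firm; the export rows, the HR roster, the system names (GL, CAMS, LOS), the role names and the SoD rules are all constructed for illustration.

```python
"""Added example, not from the presentation: a user access review driven by a
system-generated export of users and privileges (the slides' recommendation)
rather than a hand-maintained spreadsheet. All data here is constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    """One row of a system-generated export: who holds which role, where."""
    user: str
    system: str   # constructed: GL = general ledger, CAMS = credit approval, LOS = loan origination
    layer: str    # application, database or os: all three layers are in scope
    role: str


# Constructed export covering application, database and operating-system access.
EXPORT = [
    Grant("alice", "GL", "application", "AP_CLERK"),
    Grant("alice", "GL", "application", "AP_APPROVER"),     # SoD conflict within one system
    Grant("bob", "CAMS", "application", "CREDIT_APPROVER"),
    Grant("bob", "LOS", "application", "LOAN_ORIGINATOR"),  # SoD conflict across systems
    Grant("carol", "GL", "database", "sysadmin"),           # privileged: direct back-end access
    Grant("dave", "GL", "os", "Domain Admins"),             # privileged, and dave has left
    Grant("erin", "GL", "application", "AR_CLERK"),
    Grant("vendor-svc", "GL", "application", "SUPPORT"),    # third-party account
]

# Constructed HR roster of current employees, contractors and temps.
ACTIVE_USERS = {"alice", "bob", "carol", "erin"}

# Constructed third-party register: account -> approved access end date (None = open-ended).
THIRD_PARTY = {"vendor-svc": None}

# Roles the slides treat as privileged: provisioning, admin, configuration, back-end database.
PRIVILEGED_ROLES = {"sysadmin", "Domain Admins", "USER_ADMIN", "CONFIG_ADMIN"}

# Segregation-of-duties rules: (system, role) pairs one person may not hold together.
SOD_RULES = [
    (("GL", "AP_CLERK"), ("GL", "AP_APPROVER")),
    (("CAMS", "CREDIT_APPROVER"), ("LOS", "LOAN_ORIGINATOR")),
]

# Mitigating controls management has documented for accepted conflicts.
MITIGATIONS = {
    (("CAMS", "CREDIT_APPROVER"), ("LOS", "LOAN_ORIGINATOR")): "monthly loan file reconciliation",
}


def review_access(export, active_users, third_party, privileged_roles, sod_rules, mitigations, today):
    """Produce the findings a reviewer must sign off on, keyed by finding type."""
    grants_by_user = {}
    for g in export:
        grants_by_user.setdefault(g.user, set()).add((g.system, g.role))

    findings = {"not_current": [], "privileged": [], "sod": [], "third_party": []}
    for user, grants in sorted(grants_by_user.items()):
        # Accounts that belong to nobody on the roster or the third-party register.
        if user not in active_users and user not in third_party:
            findings["not_current"].append(user)
        # Every privileged grant is listed: 100% of privileged users are reviewed, no sampling.
        for system, role in sorted(grants):
            if role in privileged_roles:
                findings["privileged"].append((user, system, role))
        # SoD conflicts, including across systems, with the mitigating control if one is documented.
        for a, b in sod_rules:
            if a in grants and b in grants:
                findings["sod"].append((user, a, b, mitigations.get((a, b))))
    # Third-party access must be time-boxed: open-ended or expired entries are findings.
    for account, end in sorted(third_party.items()):
        if end is None:
            findings["third_party"].append((account, "open-ended access"))
        elif end < today:
            findings["third_party"].append((account, "access expired but still present"))
    return findings


def run_review(today=date(2015, 3, 19)):
    """Run the review over the constructed data above."""
    return review_access(EXPORT, ACTIVE_USERS, THIRD_PARTY, PRIVILEGED_ROLES,
                         SOD_RULES, MITIGATIONS, today)


if __name__ == "__main__":
    for kind, items in run_review().items():
        print(kind)
        for item in items:
            print("  ", item)
```

The reviewer still has to sign off on each finding; the script only guarantees that the list it reviews is the system's own view of access, that no privileged account was sampled out, and that a conflict without a documented mitigating control (alice's AP clerk plus AP approver roles here) cannot be closed silently.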
Privileged Users Review – Database Users
• Database user reviews are often overlooked
• Privileged database users are those users who can access the data directly via the back end
• The business owners are responsible for reviewing back-end access for database users
• SQL Server ships with a built-in system administrator login, “sa”, that has full sysadmin rights. Because it is a shared, non-personal account, any use of it means the password must be shared and changed periodically. The better practice is to disable (or at least rename) “sa” and give each DBA an individual login in the sysadmin role, so that back-end access is attributable to a person and can be reviewed like any other privileged account
Vendor Management Reviews
• Vendor Management Review
- What is the auditor's opinion in the SOC report?
- Does the SOC report have a carve-out? Are the carved-out processes significant to our environment? If yes, how do we get comfort around those processes? (e.g. obtain another SOC report covering the carved-out process)
- What is the reporting period? It needs to cover at least 6 months of the financial period under review.
- Are there any exceptions in the SOC report? Do they apply to our environment? If yes, how do we get comfort that the exceptions will not affect our financial reporting process?
- Do we have the proper User Control Considerations (UCCs) in place? Have we validated the key UCCs? Do we have evidence of the validation process?
Vendor Management Reviews/UCCs
• When reviewing UCCs, be sure to include these steps:
- List all UCCs from key SOC reports
- Review each UCC to determine whether it is key or not (no need to test non-key UCCs)
- For each key UCC in each key SOC report, provide evidence that the UCC is designed appropriately and operating effectively
- Maintain all documentation of the UCC reviews/testing
Did you know?
• The biggest violators of IT security are the senior members of the IT/IS team, the team that is responsible for securing the enterprise
- So I ask you: how do you know that your enterprise is secure, that only approved users have access to systems, and that their access is appropriate for their job function?
Password Security Best Practices – Short Reminder
• We would recommend that the following best practices be applied to password security and account lockout parameters:
• Minimum password length: 6 to 8 characters
• Maximum password age: 60 to 90 days
• Minimum password age: 1 day (or more)
• Password history: no password re-use for the trailing 12 months
• Password complexity: enabled (require at least one alphabetic and one numeric character)
• Unsuccessful logon attempts: 5 invalid attempts before user lockout
• Lockout duration: at least 15 minutes
• Reset lockout counter: after at least 15 minutes
• Domain inactivity timeout setting: 15 to 30 minutes
• Note that these thresholds are the common audit benchmarks of 2015. Current NIST guidance (SP 800-63B, 2017) favors longer passwords, screening new passwords against lists of known-breached ones, and multi-factor authentication over mandatory periodic expiry.
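The parameters above interact in ways an audit checklist does not show: the history window and the minimum age only make sense together, and the lockout counter must reset on its own schedule or a single stray failure a day locks nobody while five spread over a week lock everyone. The following added example (not code from the presentation) turns the slide's values into runnable checks; the `POLICY` numbers are the slide's, the stricter end of each range is used, and the account names, timestamps and sample passwords are constructed.

```python
"""Added example, not part of the presentation: the slide's password and
lockout parameters as checks a practitioner can run. POLICY holds the slide's
recommendations; the accounts, timestamps and passwords are constructed."""
import hashlib
import os
from datetime import datetime, timedelta

POLICY = {
    "min_length": 8,            # slide: 6 to 8 characters; the stricter end is used
    "max_age_days": 90,         # slide: 60 to 90 days
    "min_age_days": 1,
    "history_days": 365,        # no re-use within the trailing 12 months
    "lockout_threshold": 5,     # invalid attempts before lockout
    "lockout_minutes": 15,
    "reset_counter_minutes": 15,
}


def _hash(password, salt):
    # Per-entry salted PBKDF2, so old passwords are kept for the history check without
    # being stored in clear. A production system would use its own slow, salted hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_history_entry(password, set_at):
    """Constructed history entry: (salt, digest, time the password was set)."""
    salt = os.urandom(16)
    return (salt, _hash(password, salt), set_at)


def check_new_password(candidate, history, now, policy=POLICY):
    """history: the account's past entries, oldest first. Returns the list of
    policy violations; an empty list means the candidate is acceptable."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append("too short")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("needs at least one letter and one digit")
    # Only entries inside the trailing window count as re-use.
    window_start = now - timedelta(days=policy["history_days"])
    for salt, digest, set_at in history:
        if set_at >= window_start and _hash(candidate, salt) == digest:
            problems.append("re-used within the trailing 12 months")
            break
    # Minimum age stops a user cycling through the history to get the old password back.
    if history and now - history[-1][2] < timedelta(days=policy["min_age_days"]):
        problems.append("current password is younger than the minimum age")
    return problems


def password_expired(history, now, policy=POLICY):
    """True when the current password is older than the maximum age."""
    return not history or now - history[-1][2] > timedelta(days=policy["max_age_days"])


class LockoutTracker:
    """Account lockout with a threshold, a lockout duration and a counter-reset window."""

    def __init__(self, policy=POLICY):
        self.p = policy
        self.failures = {}      # user -> (consecutive failures, time of the last one)
        self.locked_until = {}  # user -> time the lockout ends

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def attempt(self, user, password_ok, now):
        """Record one logon attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(user, now):
            return "locked"          # even a correct password is refused while locked
        if password_ok:
            self.failures.pop(user, None)
            return "ok"
        count, last = self.failures.get(user, (0, now))
        # The counter resets once the last failure is older than the reset window.
        if now - last > timedelta(minutes=self.p["reset_counter_minutes"]):
            count = 0
        count += 1
        self.failures[user] = (count, now)
        if count >= self.p["lockout_threshold"]:
            self.locked_until[user] = now + timedelta(minutes=self.p["lockout_minutes"])
            self.failures.pop(user, None)
            return "locked"
        return "failed"


def demo_password_checks(now=datetime(2015, 3, 19, 9, 0)):
    """Constructed history: one password older than the window, one inside it."""
    hist = [make_history_entry("Spring2014", now - timedelta(days=400)),
            make_history_entry("Winter2015", now - timedelta(days=200))]
    return {
        "short": check_new_password("abc", hist, now),
        "reuse_recent": check_new_password("Winter2015", hist, now),
        "reuse_old": check_new_password("Spring2014", hist, now),
        "expired": password_expired(hist, now),
    }


def demo_lockout(start=datetime(2015, 3, 19, 9, 0)):
    """Constructed logon sequence for two accounts, times in minutes from start."""
    tr = LockoutTracker()

    def at(minutes):
        return start + timedelta(minutes=minutes)

    out = [tr.attempt("pat", False, at(k)) for k in range(5)]   # 5 bad attempts in a row
    out.append(tr.attempt("pat", True, at(5)))                   # right password, still locked
    out.append(tr.attempt("pat", True, at(20)))                  # lockout has expired
    out += [tr.attempt("sam", False, at(k)) for k in range(4)]   # 4 bad attempts
    out.append(tr.attempt("sam", False, at(30)))                 # counter reset, so 1 of 5
    return out


if __name__ == "__main__":
    print(demo_password_checks())
    print(demo_lockout())
```

Two details matter for an auditor reading domain settings: the 12-month history is enforced against hashed history entries, never against stored plaintext, and the reset-counter window has to be at least as long as the lockout duration or the threshold can be sidestepped by pacing the attempts.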
Questions
Richard Cook, CISA, CISM, CRISC Email: [email protected] Phone: 704.808.5243 Website: www.elliottdavis.com
Elliott Davis Decosimo ranks among the top 50 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.
© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC