fraud and internal controls linked in april 2011
DESCRIPTION
Fraud Awareness presentation applicable to managers, executives, employees, internal auditors and CPAs
TRANSCRIPT
1. Fraud and Internal Controls: Fraud Prevention, Detection and Incident Handling
- John J. Hall, CPA
- Hall Consulting, Inc.
- [email_address]
2. Are Business Entities Inherently Susceptible to Control Breakdowns?
- All controls break down over time
- Inadequate segregation
- Limited resources
- Thin control capability
- Skill levels may not match needs
- Service focus
- Politics and personalities
- High level override is fairly easy
3. Where Our Issues Overlap
4.
- Prevention/Deterrence
- Prompt Detection
- Effective Response
FRAUD RISK MANAGEMENT
5.
- Risk, When Managed, Creates Value
6. Risk Management
- Improve performance by acknowledging and controlling risks
- Solutions to protect and conserve the organization's resources
7. Example Risk Universe
- Financial
- Operations
- Strategic
- Knowledge
8. Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today's Largest Organizations
www.protiviti.com
9. Protiviti Preventing Fraud Report
- Organizations are at different maturity points in their capabilities to evaluate, mitigate and monitor fraud risk.
- Organizations are struggling to understand what Fraud Risk Management means in the context of their daily operations.
- Education and awareness are critical issues that need greater attention in order to successfully manage fraud risk.
10. Example Risk Universe
- Financial
- Operations
- Strategic
- Knowledge
- Fraud
11. Fraud Risk Management
- Improve performance by acknowledging and controlling fraud risks
- Solutions to protect and conserve the organization's resources from fraud exposures
12. Fraud Risk Management Includes:
- Theft
- Diversion
- Misconduct
- Deception
- Wrongdoing
- Misappropriation
- Irregularities
- Criminal Acts
- Other Similar Actions
Impact:
- Financial Loss
- Cost of Investigation
- Reputation
- Damaged Relationships
- Negative Publicity
- Loss of Employees
- Loss of Customers
- Litigation
- Damaged Employee Morale
13. What do we mean by Fraud?
14. Fraud Defined
Managing the Business Risk of Fraud: A Practical Guide
- Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.
15. Error versus Intent to Deceive
16. Key Elements
- Clandestine
- Violates the perpetrator's fiduciary duties to the victim organization
- Committed for the purpose of direct or indirect financial benefit
- Costs the organization assets, revenue or reserves
17. Three Categories
- Misappropriation
- Manipulated Results
- Corruption
18. Corruption
- Using influence in a transaction to obtain unauthorized benefit contrary to the person's duty to the employer
- Usually perpetrated by management, but often involves collusion among internal and external parties
SHADOW DEALS
19. Corruption Examples
- Accepting or paying a bribe
- Engaging in a business transaction where there is an undisclosed conflict of interest
- Extortion
20.
- MACRO
- micro
- systemic
How Big?
21. MACRO Fraud Risks
- Actions by leaders / abuse
- Misuse of restricted funds
- Lies in financial or program results
- Form 990 and other tax information
- Actions that damage reputation
22. MICRO Fraud Risks
- Embezzlement
- Receipts diversion/lapping
- Information technology
- Misuse of data
- Equipment
- Vendor schemes
23. SYSTEMIC Fraud Risks
- Expense reimbursement
- Fund raising assets
- Gift cards and travelers checks
- Payroll and benefits
- P-cards and debit cards
- Shared credit cards
24. Is it Wrong to Commit Fraud?
ATTITUDE
25. DISCUSSION
- What keeps honest people honest?
- Beliefs, perceptions, attitudes
- Culture
- Fear
- No need
- No opportunity
- Inadequate opportunity
26. Three Cases Four Attitudes
- The activity was within reasonable ethical and legal limits; that is, not really illegal or immoral.
- The activity is within the individual's or organization's best interest: that the individual would be expected to undertake the activity.
27. Three Cases Four Attitudes
- The activity is safe as it will never be found out or publicized: the classic crime and punishment issue of discovery.
- Because the activity helps the organization, the organization will condone it and even protect the person who engages in it.
28. Single Largest Deterrent
- Belief you will be caught and punished
29. DISCUSSION
- Therefore, why do some steal?
- CHANGE IN:
- Beliefs, perceptions, attitudes
- Culture
- Fear
- No need
- No opportunity
- Inadequate opportunity
30. Let's Agree
- Who commits fraud, and why?
- Situations Change / People Change
31. Let's Agree
- Who commits fraud, and why?
- And for some, it's just what they do!
- Don't let them in
- If they are already in, find them ASAP and get them out
32. Honesty Scale: Completely Dishonest to Completely Honest (Pressure, Attitude, Opportunity)
33. The Fraud Triangle: Opportunity, Pressure, Attitude
34.
- INCENTIVE OR PRESSURE: Inadequate compensation levels coupled with an attitude of indifference by management and/or members of governing bodies may create an incentive for employees to commit fraud
- ATTITUDE: When employees are continually over-worked or asked to work out of class without additional compensation they may rationalize fraudulent acts as compensation for these additional hours or efforts
- OPPORTUNITY: The lack of personnel or the lack of sufficiently qualified personnel is prevalent in administrative and/or accounting and finance functions in both government and not-for-profit organizations.
35. For Consideration
- Beating the System
Largest threat comes from inside the system
36. Management Override
Inherent Macro Risk ???
37.
- Pause and ask, "What if they are trying to fool me?"
38. Cold Hard Facts
- Most fraud is done by those we trust
- Most will do it under the right (or wrong) circumstances
- Limited resources available to manage risks effectively
- Knowledge level needed may not be available internally
39. 13 High Opportunity Areas
- Remote locations
- Overseas locations
- Areas not understood well by leaders
- Costs allocated to other cost centers
- New functions or systems
- New products or services
- Areas experiencing rapid growth
- New technology
40. 13 High Opportunity Areas
- Locations or functions about to be closed or sold
- Areas or locations with a history of problems or poor performance
- Joint ventures or other similar arrangements
- Records are kept by outsiders
- Areas that are politically protected
41. SAS 99: Consideration of Fraud in a Financial Statement Audit
- Auditor Responsibilities:
- The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by fraud or error (AU sec. 110.02)
42. SAS 99: Consideration of Fraud in a Financial Statement Audit
- Auditor Responsibilities:
- This statement [SAS 99] established standards and provides guidance to auditors in fulfilling that responsibility, as it related to fraud, in an audit of financial statements conducted in accordance with generally accepted auditing standards (GAAS).
43. SAS 99: Consideration of Fraud
- Required audit team brainstorming session
44. SAS 99: Consideration of Fraud
- Introduces Human Psychology into the audit process
45. Professional Skepticism
- Attitude involving two aspects
- Questioning mind
  - recognize possibility of fraud
  - set aside past experience and beliefs
  - despite beliefs re: integrity
- Critical assessment of evidence
  - not satisfied with less than persuasive evidence
46. Lessons from Psychology
- We self-correct for information that does not fit our assumptions
- Sources of assumptions
  - Past history
  - Personal experience
  - Training and culture
- Our perceptions about those we audit probably are incomplete
- Categories allow us to quickly analyze data, sometimes incorrectly
47. SAS 99: Consideration of Fraud
- Commission
- Conversion
- Concealment
48. SAS 99: Consideration of Fraud
Required Skills:
- Communication
- Technology
- Forensic Accounting
49.
- Comprehensive Fraud Risk Management Program
50. Fraud Risk Management Program
- Prevention and Deterrence
- Early Detection
- Effective Handling
ORGANIZATIONS MUST BE PREPARED AT ALL THREE LEVELS 51.
- Level 1: Deterrence and Prevention
52. 9 Suggestions
- Effective Governance and Oversight
- Strong Control Procedures and Behaviors
- Fraud Policy
- Require Reporting
- Fraud Skills Training
- Hotline in Place and Trusted
- Fraud Exposure Analysis
- Be Ready to Respond
- Culture of Doubting
53. Internal Controls
Controls may be:
- Preventive
- Detective
Effective internal control often includes a combination of preventive and detective controls to achieve a specific control objective
54. COSO Control Framework
55.
- BALANCE
Two Factors
56. HARD CONTROLS / SOFT CONTROLS (each on a LOW to HI scale)
57. Internal Controls
- HARD CONTROLS: Policies, Procedures, Systems
- Soft Controls: Simply: The competence, attention and integrity of the people
58. Internal Controls
A process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with laws and regulations
59. Business Controls
The processes designed to provide reasonable assurance regarding the achievement of business and operating objectives
Effectiveness and efficiency of operations
Measures HDWK
60. Managing the Business Risk of Fraud: A Practical Guide
July 7, 2008
61. Key Points
- Suitable fraud risk management oversight and expectations exist (governance) Principle 1
- Fraud exposures are identified and evaluated (risk assessment) Principle 2
- Appropriate processes and procedures are in place to manage these exposures (prevention and detection) Principles 3 & 4
- Fraud allegations are addressed, and appropriate corrective action is taken in a timely manner (investigation and corrective action) Principle 5
62. Fraud Risk Assessment: Key Elements
- How might a fraud perpetrator exploit weaknesses in the system of controls?
- How could a perpetrator override or circumvent controls?
- What could a perpetrator do to conceal the fraud?
63.
- Level 2: Early Detection
64. How Fraud is Detected
- Normal internal controls
- Managers and employees paying attention
- Internal auditors
- Whistle Blower
- Change of management
- Anonymous tip-off
- External audit
- Other
65. Fraud Detection Steps
- Think like a thief
- Use discovery techniques aggressively
  - Discovery testing
  - Interviews
  - Monitoring
- Determine the cause of all fraud indicators surfaced
66.
- PLAN with the PRESUMPTION That a Fraud Incident Has Occurred
67. Comprehensive Fraud Exposure Analysis
- By functional area
- By position
- By relationship
- End Result: Fraud Risk Inventory
68. Creation of a Fraud Risk Inventory
- What could go wrong?
- What has happened in the past?
- Can we prevent it?
- Can we catch it right away?
- Can we handle it?
69. FRAUD RISKS
- Cash Disbursements
70. FRAUD RISKS
- THINGS WE KNOW ABOUT
- Cash Disbursements -
- Fake Vendor
- Contractor Overcharges
- Inflate hours on time cards
- Travel expenses
- Others
- THINGS WE DON'T KNOW ABOUT
71. FRAUD RISKS
- Cash Disbursements
- Fake Vendor Scheme
72. Detection, Prevention, Indicator, Fraud Risk
Fraud Risk:
- Cash Disbursements, Fake Vendor:
- Fake documents are introduced into the payments system,
- The invoice is from a consultant for services rendered
- Approval signatures are forged
- Funds are disbursed by check,
- The check is deposited into the personal checking account of a volunteer
- The transaction is charged to Consulting Expenses in the accounting system
Indicator:
- Generic looking invoice
- Unknown vendor / contractor
- Address:
  - Same as employee or volunteer
  - PO Box
  - Mailboxes, Etc.
  - Prison
  - Hold check for pickup
- No phone number on invoice
- Unknown charges on cost center reports
- Check:
  - Clears too fast
  - Funny endorsements
  - Geography
Prevention:
- Independent verification of all first time payments
- Periodic verification of little known suppliers
- Focus on service providers
- Verify receipt of goods or services prior to payment
- Use purchase orders
- Segregate duties
- Build in duplication
- Limit access
Detection:
- Reconcile all bank accounts immediately upon receipt of the bank statement
- Examine all cancelled checks
- Periodically review all vendors and contractors for existence and legitimacy
- REVIEW ALL MONTH END TRANSACTION REPORTS 100%
- Positive Pay
- Use Computer Data Mining Techniques to Surface Fraud Indicators
73. Control to Detect, Control To Prevent, Indicator, Fraud Risk
Audit Program Steps:
- Look for indicators
- Test prevention control
- Test detection control
NATURE, TIMING and EXTENT of AUDIT PROCEDURES
Fraud Risk:
- Cash Disbursements, Fake Vendor:
- Fake documents are introduced into the payments system,
- The invoice is from a consultant for services rendered
- Approval signatures are forged
Indicator:
- Generic looking invoice
- Unknown vendor / contractor
- Address:
  - Same as employee or volunteer
  - PO Box
  - Mailboxes, Etc.
  - Prison
  - Hold check for pickup
- No phone number on invoice
Control To Prevent:
- Independent verification of all first time payments
- Periodic verification of little known suppliers
- Focus on service providers
- Verify receipt of goods or services prior to payment
- Use purchase orders
- Segregate duties
- Build in duplication
- Limit access
Control to Detect:
- Reconcile all bank accounts immediately upon receipt of the bank statement
- Examine all cancelled checks
- Periodically review all vendors and contractors for existence and legitimacy
- REVIEW ALL MONTH END TRANSACTION REPORTS 100%
- Positive Pay
74. Detection, Indicator, Fraud Risk: Cash Disbursements Fake Vendor Scheme
Detection:
- Reconcile all bank accounts immediately upon receipt of the bank statement
- Examine all cancelled checks
- Periodically review all vendors and contractors for existence and legitimacy
- REVIEW ALL MONTH END TRANSACTION REPORTS 100%
- Positive Pay
- Use Computer Data Mining Techniques to Surface Fraud Indicators
Indicator:
- Generic looking invoice
- Unknown vendor / contractor
- Address:
  - Same as employee or volunteer
  - PO Box
  - Mailboxes, Etc.
  - Prison
  - Hold check for pickup
- No phone number on invoice
- Unknown charges on cost center reports
- Check:
  - Clears too fast
  - Funny endorsements
  - Geography
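An added example (not part of the presentation) of the data-mining step for the fake vendor scheme: a vendor master file is screened against employee addresses and the other vendor-record indicators listed above. The record layout, field names and sample rows are constructed assumptions.

```python
import re

# Constructed sample records; field names are assumptions, not from the presentation.
EMPLOYEES = [
    {"name": "A. Rivera", "address": "412 Elm Street, Apt. 3, Springfield"},
    {"name": "B. Chen", "address": "77 Lake Rd, Springfield"},
]
VENDORS = [
    {"id": "V001", "name": "Acme Office Supply", "address": "1500 Industrial Pkwy, Springfield",
     "phone": "555-0100", "hold_check": False, "payments": 48},
    {"id": "V002", "name": "Summit Consulting", "address": "412 ELM ST APT 3 SPRINGFIELD",
     "phone": "", "hold_check": True, "payments": 1},
    {"id": "V003", "name": "Delta Services", "address": "P.O. Box 1187, Springfield",
     "phone": "555-0142", "hold_check": False, "payments": 6},
]

ABBREV = {"street": "st", "road": "rd", "avenue": "ave", "apartment": "apt",
          "parkway": "pkwy", "suite": "ste"}
PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.IGNORECASE)

def normalize(address):
    """Lower-case, drop punctuation and collapse common suffix spellings."""
    words = re.sub(r"[^a-z0-9 ]", " ", address.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def vendor_indicators(vendor, employee_addresses):
    """Return the slide's vendor-record indicators that this vendor trips."""
    flags = []
    if normalize(vendor["address"]) in employee_addresses:
        flags.append("address same as employee")
    if PO_BOX.search(vendor["address"]):
        flags.append("PO Box")
    if not vendor["phone"].strip():
        flags.append("no phone number")
    if vendor["hold_check"]:
        flags.append("hold check for pickup")
    if vendor["payments"] <= 1:  # candidates for independent first-payment verification
        flags.append("first-time payment")
    return flags

def screen_vendors(vendors, employees):
    """Map vendor id -> indicators, keeping only vendors with at least one."""
    emp = {normalize(e["address"]) for e in employees}
    hits = {v["id"]: vendor_indicators(v, emp) for v in vendors}
    return {vid: flags for vid, flags in hits.items() if flags}

if __name__ == "__main__":
    for vid, flags in screen_vendors(VENDORS, EMPLOYEES).items():
        print(vid, "->", ", ".join(flags))
```

Each hit is an indicator to follow up, in line with "Determine the cause of all fraud indicators surfaced"; a PO Box or a first payment on its own is common among legitimate vendors.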
75. Detection Controls, Prevention Controls, Indicator, Fraud Risk
HARD CONTROLS / Soft Controls
76. Fraud Controls
- HARD CONTROLS: Policies, Procedures, Systems
- Soft Controls: Simply: The competence, attention and integrity of the people
77.
- Monitoring
78.
- Level 3: Effective Handling
79. Effective Fraud Handling
- Response mechanism
- Investigation
- Loss recovery
- Control weaknesses
- External authorities
- Publicity
- Morale and HR concerns
80. Investigative Resources
- Experienced investigators
- Forensic accounting
- Computer forensics specialists
- Others
81. SPECIAL CHALLENGES
- Override / Collusion
- Shadow Deals
- Time
82.
- So, what should YOU do???
- Acknowledge Expectations
- Examine Skills
- Identify Gaps
- Act to Fill the Gaps
83. Last Thoughts
- Think like a thief
- Teach others what they need to know to be effective
- Look for fraud indicators. Design and perform discovery based steps
- When in doubt, doubt
- Follow up / formally refer all suspicions
84.
- BALANCE
85.
- John J. Hall, CPA
- PO Box 850
- Vail, CO 81658
- Cell: (312) 560-9931
- www.hallconsulting.biz
- jhall @ hallconsulting.biz
Further Questions or Comments??