internal control and fraud 11-19-10
DESCRIPTION
Presented to FGFOA by Steve Hooper and me. Discusses internal control and fraud detection/prevention.
TRANSCRIPT
Internal Control and Fraud
Presented by
Steve Hooper, CIA, CFE, CGAP, CCSA
Senior Internal Auditor
Clerk of the Circuit Court, Hillsborough County, Florida
Ed Tobias, CISA, CIA
IT Audit Manager
Clerk of the Circuit Court, Hillsborough County, Florida
FLORIDA GOVERNMENT FINANCE OFFICERS ASSOCIATION
Tampa Bay Chapter
November 19, 2010
Internal Controls and Fraud
What is Fraud?
“… any illegal act characterized by deceit, concealment, or violation of trust.... Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”
Source: International Professional Practices Framework (IPPF) Glossary
How Does Fraud Occur?
• Poor internal controls
–Lack of proper authorization
–No separation of authorization, custody, record keeping
–No independent checks on performance
–Lack of clear lines of authority
–Inadequate documentation
• Management override of internal control
• Collusion between employees and 3rd parties
• Collusion between employees and management
• Poor, or non-existent ethics policy
• Limited, unclear, or no policies and procedures to direct department/division processes
IIA IPPF Standards
•“….evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.” (IPPF 2120.A2)
•“….consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.” (IPPF 2210.A2)
IIA IPPF Standards
•“….have sufficient knowledge to evaluate the risk of fraud….” (IPPF 1210.A2)
•“….exercise due professional care by considering the…probability of…fraud...” (IPPF 1220.A1)
•“CAE must report periodically to senior management and the board ….. including fraud risks….” (IPPF 2060)
Leading Fraud Management Practices
•Implement a well-publicized fraud management program
•Ensure effectiveness of established controls
•Ensure audit plans encompass IT audit activities
–Fraud detection software
–Data mining
–Etc.
Elements of a Fraud Risk Management Program
•Control environment and structure
•Fraud risk assessment
•Control activities
•Detection and monitoring
•Incident response and remediation
Elements of a Fraud Risk Management Program
Control Environment & Structure
•High Integrity Culture
•Audit Committee Oversight
•Roles and Responsibility for Fraud Risk Management
•Information and Communication
•Codes of Ethics and Compliance
•Ethics Hotline/Whistleblower Program
•Hiring and Promotion Procedures
•Significant Third Party Relationships
Elements of a Fraud Risk Management Program
Fraud Risk Assessment
Risk Assessment Process
–Management Participation
–Likelihood and Significance
• Subsidiaries, Segments, Divisions, Regions, Units and Functions
• Areas of Vulnerability and Specific Presumed Fraud Risks (e.g., IT)
Control Activities
• Risk and Control Activities Linkage
• Controls Design and Operating Effectiveness
Elements of a Fraud Risk Management Program
Detection and Monitoring
•Identifying Risk Factors
•Identifying Risk Indicators
•Contemporaneous Monitoring
Incident Response and Remediation
•Investigation
•Remediation
Assessing the Adequacy of a Fraud Risk Management Program
For each element:
•Define what it is
•What is appropriate practice based on risk
•Assess whether the organization meets that practice
Methods of collecting information
•Targeted audit as groups of elements
•Detailed testing of isolated elements
For each department/division’s objective, ask:
•What could go wrong? How could we fail?
•What must go right to succeed?
•What decisions require the most judgment?
•What activities are most complex?
•What activities are regulated?
•On what do we spend the most money?
•How do you bill/collect related revenue?
•On what information do we most rely?
•What assets do we need to protect?
•How could someone or something disrupt our operations?
HOW TO IDENTIFY RISK
Conditions that increase risk
•Lack of segregation of duties
•Too much trust
–Approval of documents without review
–Lack of verification of transactions after they have been entered in the system
–Lack of reconciliations
•No follow up when things appear “questionable” or “not reasonable”
•Lack of control over cash/petty cash
•Lack of control over purchasing of materials/supplies
•Lack of knowledge of policies and procedures
Activities for the Controlling Mind
Joe, the hard working staff assistant, is asked to process a requisition to purchase a new $5,000 camera to be used by a project manager who is working on a federal grant project.
Later, when Joe conducts the annual physical inventory for the department, as requested by the Accounting Department, he is not able to locate the camera in the department. Joe learns the project manager was given permission by the department manager to take the camera home so that he could take photos at his sister’s wedding (that was 2 months ago).
When Joe talks to the department director about it, he is told not to worry – since the camera wasn’t purchased with organizational funds (i.e., the grant paid for it), it would be okay to check it off on the inventory report even though it had been removed from the premises.
PROBLEM………?
Activities for the Controlling Mind
Jill, a senior staff assistant, is a department procurement card holder. Her department manager, Anna, travels extensively so Jill occasionally uses a signature stamp to approve her procurement card statements. Jill went shopping for a new TV one weekend. While checking out, Jill mistakenly used her County’s procurement card. On Monday she received an email from Accounting confirming the purchase; at that time she realized her mistake.
Jill decided to wait until Anna returned from out of town to ask her advice. Jill was certain Anna would understand and help her straighten things out. The statement arrived a week later and Jill had Jack, the office assistant, approve the statement since Anna wasn’t due back for another two weeks.
Upon Anna’s return, Jill had not saved enough money to repay the Organization for the TV. Since Anna had not seen the statement and it had already been processed by Accounting, Jill decided not to bring it up. She had been an exceptional employee for years and had seen many of her coworkers receive bonuses. She decided it was her turn. This would be her bonus. She had earned it!
IT Fraud Risk Assessment Key Elements
•Types of fraud
•Inherent risk of fraud
•Existing controls
•Control gaps
•Likelihood
•Business Impact
IT Fraud Risks
•Access to systems or data for personal gain
•Changes to system programs or data for personal gain
•Fraudulent activity by an independent contractor or off-shore programmer
•Conflicts of interest with suppliers or third parties
•Copyright infringement
Computer Crime Resource
SOURCE: WWW.USDOJ.GOV/CRIMINAL/CYBERCRIME/CC/HTML
Computer Crime and Intellectual Property Section
United States Department of Justice
Examples:
Independent Contractor Fraud
SCENARIO
An IT consultant under contract illegally accesses the company’s computer systems.
Source: U.S. Department of Justice, Computer Crime and Intellectual Property Section
FRAUD
After the company declined to offer an IT contractor permanent employment, he illegally accessed the company’s computer systems and caused damage by impairing the integrity and availability of data. He was indicted on federal charges, a charge that carries a maximum statutory penalty of 10 years in federal prison.
Access to Systems or Data for Personal Gain
SCENARIO
A database analyst for a major check authorization and credit card processing company exceeds his authorized computer access.
Source: U.S. Department of Justice, Computer Crime and Intellectual Property Section
FRAUD
The employee uses his computer access to unlawfully steal consumer information of 8.4 million individuals. The information stolen included names and addresses, bank account information, and credit and debit card information. He sold the data to telemarketers over a five-year period. A U.S. District judge sentenced him to 57 months’ imprisonment and $3.2 million in restitution for conspiracy and computer fraud.
Access to Systems or Data for Personal Gain
Scenario
An employee in the Payroll department moved to a new position. Upon switching positions, the employee’s access rights were left unchanged.
Source: 2008 Insider Threat Study, US Secret Service and CERT/SEI
Fraud
Using the retained privileged access rights, the employee provided an associate with confidential information for 1,500 of the firm’s employees, including 401k account numbers, credit card account numbers, and Social Security numbers, which was then used to commit over 100 cases of identity theft. The insider’s actions caused over $1 million in damage to the company and its employees.
Why Data Analysis?
•Examine 100% of transactions
•Compare data from different applications
•Perform tests to detect fraud & verify controls
•Automate tests in high-risk areas
•Maintain logs of analytics performed
Fraud Self Audit Program Components
•Profile of potential fraud
•Test transactional data
•Automate tests for high risk areas
•Review results of testing
•Respond with recommendations
Analytical Techniques
• Calculate statistical parameters
• Classify to find patterns
• Stratify to identify unusual values
• Digital analysis, to identify unlikely occurrences
• Joining or matching data between systems
• Duplicates testing
• Gaps testing to identify missing data
• Summing and totaling to check control totals that may be falsified
• Graphing to provide visual identification of anomalous transactions
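The following block is an added example and is not part of the presentation or the presenters' own tooling. It implements four of the techniques listed above (statistical parameters, stratification, digital analysis against the Benford first-digit expectation, and gaps testing) over a small set of constructed disbursement records; the record layout, the vendor ids, the amounts and the $5,000 band boundary are all assumptions made for illustration.

```python
"""Added example (not part of the presentation): a few of the analytical
techniques listed above, run over a small set of constructed disbursement
records. Every record below is made up for illustration."""
import math
from collections import Counter
from statistics import mean, stdev

# Constructed sample: (check_number, vendor_id, amount). Check 1005 is
# deliberately absent and several amounts sit just under a $5,000 threshold.
DISBURSEMENTS = [
    (1001, "V100", 1249.50), (1002, "V101", 318.00), (1003, "V102", 2987.25),
    (1004, "V100", 1249.50), (1006, "V103", 4999.00), (1007, "V104", 4998.50),
    (1008, "V101", 112.40), (1009, "V105", 4975.00), (1010, "V102", 64.99),
    (1011, "V106", 4990.00), (1012, "V107", 4985.00), (1013, "V108", 23.10),
]


def statistical_parameters(records):
    """Calculate statistical parameters for the amount field."""
    amounts = [r[2] for r in records]
    return {
        "count": len(amounts),
        "total": round(sum(amounts), 2),
        "mean": round(mean(amounts), 2),
        "stdev": round(stdev(amounts), 2),
        "min": min(amounts),
        "max": max(amounts),
    }


def stratify(records, bands):
    """Stratify amounts into bands [lower, upper) so that a cluster just under
    an approval threshold stands out. Returns {"lower-upper": count}."""
    counts = Counter()
    for _, _, amount in records:
        for lower, upper in bands:
            if lower <= amount < upper:
                counts[f"{lower}-{upper}"] += 1
                break
    return dict(counts)


def first_digit_analysis(records):
    """Digital analysis: observed first-digit frequency of the amounts next to
    the Benford expectation log10(1 + 1/d). Returns {digit: (observed, expected)}."""
    firsts = Counter(str(r[2]).lstrip("0.")[0] for r in records if r[2] > 0)
    n = sum(firsts.values())
    return {
        d: (round(firsts.get(str(d), 0) / n, 3), round(math.log10(1 + 1 / d), 3))
        for d in range(1, 10)
    }


def gaps_in_sequence(records):
    """Gaps testing: check numbers missing from an otherwise unbroken sequence."""
    numbers = sorted(r[0] for r in records)
    return sorted(set(range(numbers[0], numbers[-1] + 1)) - set(numbers))


if __name__ == "__main__":
    print(statistical_parameters(DISBURSEMENTS))
    print(stratify(DISBURSEMENTS, [(0, 1000), (1000, 4000), (4000, 5000)]))
    for digit, (observed, expected) in first_digit_analysis(DISBURSEMENTS).items():
        print(digit, observed, expected)
    print(gaps_in_sequence(DISBURSEMENTS))
```

On this constructed sample the stratification shows five of twelve payments in the $4,000 to $5,000 band, the first-digit test shows the digit 4 at about 42% against a Benford expectation of under 10%, and the gaps test reports check 1005 as missing. On a real population of a few thousand records the same functions run unchanged; the point of each result is not proof of fraud but a pointer to where to drill down.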
Application of Data Analytics in Fraud Detection
• Accounts Payable
• Accounts Receivable
• Cash Disbursements
• Conflict of Interest
• Credit Card Management
• Deposits
• General Ledger
• Kickbacks
• Insurance claims
• Loans
• Materials Management
• Inventory Control
• Purchase Order Management
• Salaries and Payroll
• Claims
• Vendor Management
Types of Fraud Tests - Examples
Type | Tests used
Fictitious vendors | Run checks to uncover post office boxes used as addresses and to find any matches between vendor and employee addresses and/or phone numbers.
Altered invoices | Check for invoice amounts not matching contracts or purchase order amounts.
Types of Fraud Tests -Examples
Type | Tests used
Duplicate invoices | Review for duplicate invoice numbers, duplicate dates, and duplicate invoice amounts.
Duplicate payments | Search for identical invoice numbers and payment amounts.
Payroll fraud | Check whether a terminated employee is still on payroll by comparing termination date with the period covered by the paycheck.
Key Considerations
1. Build a profile of potential frauds to be tested
2. Analyze data for possible indicators of fraud
3. Automate the detection process through continuous auditing/monitoring of high-risk business functions to improve controls
4. Investigate and drill down into emerging patterns
5. Expand scope and repeat as necessary
Benefits
•Close control loopholes before fraud escalates
•Quantifies the impact of fraud
•Cost-effective
•Acts as a deterrent
•Can be automated for continuous analysis
•Provides focus based on risk and probability of fraud
•Direct pointers to critical evidence
•Support for regulatory compliance