government risk briefings internal controls & fraud prevention in local government november 16,...

Government Risk BriefingsInternal Controls & Fraud Prevention in

Local Government

November 16, 2012

1050 N. Lindbergh Blvd. │ St. Louis, Missouri 63132 │ 314.983.1200 1520 S. Fifth St., Suite 309 │ St. Charles, Missouri 63303 │ 636.255.3000

2220 S. State Route 157, Ste. 300 │ Glen Carbon, Illinois 62034 │ 618.654.3100 1.888.279.2792 │ www.bswllc.com

Ron Steinkamp, CPA, CIA, CFE, CRMA314.983.1238 | [email protected]

© 2011-2012 All Rights Reserved Brown Smith Wallace LLC 2

Agenda

•Internal Control Defined

•Key Controls

•Control Examples

•Fraud Defined

•Fraud Survey Results

•Common Areas of Control Abuse

•Fraud Prevention

•Fraud Protection Tools

INTERNAL CONTROL DEFINED


The Committee of Sponsoring Organizations of the Treadway Commission (COSO) - Internal Control Integrated Framework

The Report:• Established a common definition of internal control • Provided a standard (criteria) to assess the effectiveness of

internal controls• Became the standard for internal control recognized by the U.S.

accounting profession


COSO

COSO defines internal control “as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations

• Reliability of financial reporting

• Compliance with applicable laws and regulations

Internal Controls can help…

• An organization ensure the quality of financial reporting

• An organization achieve its performance and profitability targets and prevent a loss of resources

• An organization comply with laws and regulations, avoiding damage to its reputation and other consequences

• An organization prevent the theft or inappropriate use of assets


Definition of Internal Control

COSO defines five categories of Internal Control:

1. Control Environment

2. Risk Assessment

3. Control Activities

4. Information and Communication

5. Monitoring


COSO Control Categories

1. Control Environment - Sets the tone of an organization and influences the control consciousness of its people.

• Is the foundation for all other components of internal control, and

• Provides discipline and structure

• Factors include… Integrity, ethical values and competence of the entity’s people Management’s philosophy and operating style The way management assigns authority and responsibility, and organizes and

develops its people, and The attention and direction provided by the board of directors



2. Risk Assessment - Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level

• The identification and analysis of relevant risks to the achievement of objectives• Forming a basis for determining how the risks should be managed



3. Control Activities - Are the policies and procedures that help ensure management directives are carried out

• Help ensure that necessary actions are taken to address risks to the achievement of the entity’s objectives

• Occur throughout the organization, at all levels and in all functions

• Include activities such as approvals, authorizations, verifications, reconciliations



4. Information and Communication – Pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components

• Produces reports containing operational, financial and compliance related information

• Also deals with information concerning external events, activities and conditions necessary to enable informed business decision-making and external reporting



5. Monitoring - Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time

• Occurs in the course of operations

• Includes reviews of operating performance, security of assets and segregation of duties

• Internal control deficiencies should be reported upstream, with significant deficiencies and material weaknesses reported to top management, the audit committee, and the external auditor



• Management

• Board of Directors

• Internal Audit

• Other Personnel


Control Roles and Responsibilities


KEY CONTROLS

• Preventative controls

• Detective controls

• Manual controls

• Computer controls

• Management controls


Types of Controls

• Code of conduct• Policies and procedures manual• Segregation of duties• Records retention• Documentation of transactions• Budgetary• Fraud Policy and reporting• Access to systems

© 2012 All Rights Reserved Brown Smith Wallace LLC 15

General Controls

• Policies and procedures.• All bank accounts opened and maintained in organizations

name with proper approval.• Segregate access to cash from accounting for cash.• Monthly reconciliation of recorded balances to bank

account detail by employees not involved in cash activities.• Control credit cards and reconcile to receipts on a timely

basis.


Cash Management Controls

• Policies and procedures.• All orders received are processed and recorded.• All orders processed are invoiced.• All invoices are posted to customer accounts.• Billings are accurate.

Revenue Cycle Common Controls

• Policies and procedures.• All purchase orders are authorized.• All vendors are authorized.• Individuals have authorization limits.• Check stock is controlled.• EDI/ACH transactions require authorization.• Credit card purchases are controlled and statements are

reconciled to detailed receipts.

Procurement Cycle Common Controls

• Procedures for adding, changing, removing employees and related pay and benefits.

• Payroll personnel can not add/change/delete employees and related pay and benefits.

• All changes are authorized by management.• Payroll preparation segregated from payroll authorization,

check signing and distribution.• Access to payroll is restricted.• Safeguard checks.• Reconciliations.


Payroll Common Controls

• Procedures for adding and removing fixed assets.• Detailed records of all fixed assets.• Tracking of fixed assets.• Inventory fixed assets and reconcile to records periodically.


Fixed Assets Common Controls

• Accurate, Timely, and Consistent Reporting.• Recorded balances should be periodically substantiated and

evaluated.


Management Reporting Common Controls

• Exception reporting• Shipping/Receiving• Physical Inventory Monitoring• Perpetual Records• Controlling slow-moving and obsolete inventories• Scrap• Adjustments are controlled• Cycle counting• Disposal


Inventory Monitoring Common Controls

• Back-ups• Disaster Recovery• Security (Physical & logical)• Virus Protection• Administrative

- Change control- Trouble reporting- Helpdesk- Systems Development Life Cycle


IT Common Controls

CONTROL EXAMPLES


Authorization – Authorization controls require that a transaction be “authorized” or approved prior to executing the transaction.

Examples:

• Legal department approves a contract prior to execution.

• Controller signs Accounts Payable checks greater than a set amount.

• Accounting Supervisor approves journal entries prepared by the Clerk prior to entry into the system.


Authorization Controls

25

Segregation of Duties – These controls split responsibilities for a process so that it requires more than one person to execute a transaction or complete a process.

Examples:

• Personnel accepting/processing cash receipts do not deposit, record or reconcile receipts.

• Personnel that edit the vendor master files do not process invoices.

• A person separate from the approval process sets up users on the system.

© 2012 All Rights Reserved Brown Smith Wallace LLC

Segregation of Duties

Reconciliations – This involves comparing to items, from different sources, to determine if transactions were executed accurately and completely.

Examples:

• Reconciling the accounts receivable sub-ledger to the general ledger.

• Reconciling the bank statements to the general ledger.

• Reconciling credit card statements to the related detail.

• Physically inventorying fixed assets and comparing them to the fixed asset system.

Reconciliations

Management Review – This involves a review, by a manager/supervisor, of executed transactions/activities for appropriateness.

Examples:

• The Finance Director review the bank and credit card reconciliations for reasonableness.

• The Payroll Manager reviews a report of the payroll run to ensure that the total run is consistent with past periods.

• The owner of a process reviews a listing of personnel that have access to the system that supports the process.

Management Review

System Access – System Access controls prevent a person from executing a transaction because they cannot log on to the system or have not been granted the specific transaction authority.

Examples:

• AP personnel are not given user accounts on the payroll system.

• Only accounting personnel can post journal entries in the system.

• Only the Finance Director and/or City Administrator can authorize payments out of the system.


System Access Controls

Configuration/Account Mapping – This is a control that is performed by the system/application and prevents the execution of a transaction unless certain parameters are met.

Examples:

• The AP system automatically populates the payee field of a check from the vendor master file.

• The Revenue system automatically calculates the invoice amount based on contract data and payroll data.

• System functionality prevents the posting of journal entries to a prior period.


Configuration/Account Mapping

30

Exception/Edit Reports – These controls alert you to changes/issues in the system via an online or paper report.

Examples:

• An edit report that lists all changes to the vendor master file.

• An exception report that identifies all AP checks over a certain amount.

• A report that identifies payroll exceptions/adjustments.

© 2012 All Rights Reserved Brown Smith Wallace LLC

Exception/Edit Reports

Key Performance Indicators – These are analytical indicators of performance metrics that help to identify incorrect transactions or breakdowns in the control system.

Examples:

• Variance Reports (Budget to Actual, Prior to Current Period, Etc.)

• Production Reports (Rate per Hour, Utilization, Etc.)

Key Performance Indicators

FRAUD DEFINED


The use of one’s occupation for personal enrichment through the deliberate misuse or application of the employing organization’s resources or assets.

Three general categories:

Asset misappropriation

Corruption

Financial statement fraud


What is Fraud?

Perpetrator steals or misuses an organizations resources.

- Examples:• Clerk stealing cash receipts.• Payroll Clerk creating a ghost employee.• Purchasing Clerk creating a fictitious vendor and false invoice.• Street Department personnel “borrowing” equipment.• City Manager purchasing personal items on the City credit card.


Asset Misappropriation

Employee’s use of his/her influence in business transactions in a way that violates his/her duty to the employer for the purpose of obtaining benefit for him/herself or someone else.

- Examples:• City Council member trading votes for personal favors.• Purchasing Department Manager awarding a City contract to a

vendor for a kickback.• Human Resources Director hiring unqualified “friends” to fill

positions.


Corruption

Intentional misstatement or omission of material information in the organization’s financial reports.

- Examples:• Inflating City revenues on the Consolidated Annual Financial

Report.• Forcing actual expenditures to match budget by moving

expenses between accounts.• Improperly accounting for grant receipts and expenditures.


Financial Statement Fraud

FRAUD SURVEY RESULTS


2012 Report to the Nations on Occupational Fraud and Abuse


2012 ACFE Global Fraud Study


Summary of Findings

1. Typical fraud losses equal 5% of revenue

2. Asset misappropriation - the most common

3. Financial statement fraud - the least common

4. Frauds are most likely to be detected by tips

5. Small organizations are disproportionately victimized by occupational fraud

6. Fraud perpetrators often display warning signs

7. Government/public administration is one of the most victimized industries

8. Anti-fraud controls help reduce the cost and duration of occupational fraud

9. High-level perpetrators cause the greatest damage to their organizations

10. Nearly 50% of all victim organizations do not recover any losses

• Implement hotlines to receive tips from internal/external sources

• Organizations over-rely on audits

• Most frauds are detected by tips

• Anti-fraud training among employees and managers result in fewer fraud losses

• Surprise audits are an effective fraud prevention tool


Conclusions & Recommendations

• Using internal controls as your sole fraud prevention strategy is insufficient

• Employees exhibit behavior warning signs

• Employees should be trained to recognize common signs of fraud

• Effective fraud prevention measures are critical


Conclusions & Recommendations

Pressure or Incentive (NEED)

High personal debtsSubstance or gambling abuseJob frustrationResentment of superiors


Common Characteristic/Red Flags

Opportunity

• Inadequate internal controls• Weak management• Excessive turnover• Large amounts of cash on hand or processed

Rationalization

• Unfairly compensated• Everyone else does it• Intension of repayment• Financial need

COMMON AREAS OF CONTROL ABUSE


Failure to establish:• Policies & procedures• Segregation of duties• Third-party oversight (boards)

Failure to oversee/supervise/review Overworking/underpaying staff to make budget Inappropriate use of cell phone, company credit cards, autos,

and expense reports Inadequate IT Access Controls Not allowing Internal Audit to look at a department Non-responsive to management inquiries


Internal Control Abuse by Management

Three major reasons these events occur:1. It pays to do it2. It is easy to do3. It is unlikely you will get caught

Indicators of possible management fraud1. A week control environment2. Management facing extreme competitive pressure3. Management known or suspected of having questionable

character


Why Management?


Internal Control Abuses by Employees

• Accounts payable fabrication• Accounts receivable manipulation• Bank fraud• Bid rigging• Check forgery and counterfeiting• Credit card fraud• Embezzlement• Expense account abuse

• Fictitious vendors, customers, employees

• Kickbacks• Material misstatement• Medical/insurance claims

overstatement• Unnecessary purchases or

purchases for own use

Check tampering occurs when an employee:• Prepares a fraudulent check for his/her own benefit• Intercepts a check intended for a third party and converts

the check to benefit his/herself.


Example – Check Tampering

How can check tampering be prevented?• Check stock should be locked in a secure location to ensure

blank checks are not accessible to potential fraudsters.• Checks should be mailed immediately after signing to

reduce the risk of legitimate checks being stolen.



How can check tampering potentially be detected through data analysis?• Perhaps better identified through other ways.

- Bank reconciliations- Communication with vendors



Billing schemes occur when an employee submits a false invoice or alters an existing one, thus causing the company to willingly (but unknowingly) issue a check for false expenses.


Example – Billing Schemes

How can billing schemes be prevented?• Prior to authorizing payment, invoices should be checked for validity of

the vendor, validity of the goods or services invoiced, accuracy, and authenticity.

• Prior to processing payment, invoices should be checked for proper authorization, accuracy and authenticity. This will prevent overpayment, as well as payments being made to fictitious vendors.

• Strictly control access to vendor master data.



How can billing schemes be potentially be detected through data analysis?• Vendor-level expenditures analysis• Benford analysis• Duplicates analysis• Vendor master data analysis



Expense reimbursement schemes occur when an employee submits false expenses in the hope of being reimbursed by the company.


Example – Fraudulent Expense Reimbursements

How can fraudulent expense reimbursements be prevented?• Require original itemized receipts.• Receipts should be scrutinized to detect alterations or forgeries.• Other means of proving incurred expenses, such as airline itineraries,

credit card statements, etc. should not be accepted unless approved by a supervisor.

• All expense reimbursements should be reviewed and immediately processed upon approval.

• Use a specific credit card for all business expenses. Receive this information electronically from credit card company and require electronic filing of expense reports by employees. This will minimize the possibility of fraud, and if fraud is occurring, will provide an easier means to identify it.



How can fraudulent expense reimbursements potentially be detected through data analysis?

• Use a specific credit card for all business expenses. Receive this information electronically from credit card company and require electronic filing of expense reports by employees. Reconcile the two data sets.

• Duplicates analysis.

• Benford analysis.



Payroll fraud occurs when an employee submits false documentation (i.e. timecards) in an effort to inflate his/her wages/salary. Such documentation prompts the organization to unknowingly disburse funds to the perpetrator.

Possible ways in which Payroll Fraud can occur:

• Falsified hours and salary

• Ghost employees


Example - Payroll Fraud

How can payroll fraud be prevented? • All timecards should be reviewed for validity and accuracy.• Once submitted for approval, employees should never see their

timecard again. • Overtime hours must be authorized by a supervisor.• If employees use a time clock to “punch in” and “punch out”, they

must do so when they arrive for work, take breaks, go to lunch, leave for the day, etc.

• Monitor employees to assure one employee is not punching out for another.

• Strictly control access to payroll master data.



How can payroll fraud be detected through data analysis?

• Review personnel files for duplicate addresses, P.O. boxes, or social security numbers. Duplicate information may suggest “ghost” employees are on the payroll.

• Perform an employee-level hours analysis, comparing employees’ hours with peers in their departments.



Receipts interception occurs when an employee:

• Has access to customer payments

• Directs intercepted receipts to personal accounts

Receipts interception can be difficult to detect if the fraudster also has access to manipulate accounts receivable records or customer credit memos.


Example – Receipts Interception

How can receipts interception be prevented?

• Segregate cash receipts and accounting responsibility.

• Issue receipts.

• Track receipts in system and reconcile daily.

• Surprise cash counts.

• Cameras.



How can receipts interception be detected through data analysis?

• Identify gap or sequence errors in accounts receivable records.

• Perform a customer level analysis of credit memos.



FRAUD PREVENTION


• Create an anti-fraud environment

• Know your fraud risks

• Develop an oversight process


How to Prevent Fraud


Create an Anti-Fraud Environment

Set the Tone at the Top

• Hold elected officials and management responsible

• Lead by example

• Behave ethically

• Openly communicate expectations to employees

• Maintain a zero tolerance policy

• Treat all employees equally, regardless of position

• Enforce a code of conduct founded on integrity



Create a Positive Workplace Environment

• Poor employee morale can affect attitudes about committing fraud

• HR is instrumental in helping to build a positive work environment

• Employees should be empowered to help create a positive workplace



Hire and Promote Appropriate Employees

• Conduct background investigations; verifying education, employment history and references

• Give regular performance reviews

• Perform an objective compliance review of your code of conduct and ethic policies at consistent intervals Address violations immediately



Fraud Awareness / Training

• All new employees should be trained upon hiring on values and code of conduct

• Offer periodic refresher training for all employees



Confirmation

• Clearly articulate that all employees are held accountable to act within the code of conduct

• Have a written Code of Conduct statement

Discipline

• Actions should be taken in response to any alleged incident of fraud

• Expectations about the consequences of committing fraud must be clearly communicated throughout the entity


Know Your Fraud Risks

• Identify and measure fraud risks

• Mitigate fraud risks

• Implement and monitor appropriate internal controls

To effectively prevent or deter fraud, an entity should have an appropriate oversight function in place that includes the following:

• Audit committee

• Management

• Internal auditors

• Independent auditors

• Certified fraud examiners


Develop An Oversight Process

FRAUD PROTECTION TOOLS


• Should be based on the organization’s core values

• Established by executive management and a board with input from employees

• Written documentation consisting of: Clear guidance on what behaviors and actions are/are not permitted Detailed documentation of employee responsibilities in the prevention

and detection of fraud Procedures on how employees should seek additional advice when

faced with uncertain ethical decisions Process for communicating concerns about known or potential

wrongdoing

• All employees should be trained on the code of conduct when hired, and annual refresher training with affirmation should be provided


Code of Conduct (AKA – Antifraud Policy)

Communication system that enables employees, vendors, customers and others to communicate concerns about known or potential/suspected wrongdoing.

Telephone, email, web site

Anonymous

Adequately publicized


Anti – Fraud Hotline

• ACFE tool

• High level assessment of an organization’s fraud health

• Identifies major gaps in fraud prevention processes and fixes them before it is too late

• Focus of a Fraud Prevention Checkup is: Fraud risk oversight Fraud risk ownership Fraud risk assessment Fraud risk tolerance and risk management policy Anti-fraud controls Proactive fraud detection

• Should be completed by a Certified Fraud Examiner (CFE)


Fraud Prevention Checkup

• Assists management in systematically identifying where and how fraud may occur and who may be in a position to commit fraud

• Focuses on fraud schemes and scenarios to determine whether or not the current internal controls can be circumvented

• Five general steps: Identify relevant fraud risk factors Identify potential fraud schemes and prioritize based on risk Map existing controls to potential fraud schemes and

identify gaps Test operating effectiveness of fraud prevention and

detection controls Document and report the fraud risk assessment


Fraud Risk Assessment

Data Analysis is great for analyzing trends and identifying unusual items and changes to operations

• A systemic and efficient way of verifying 100% of transactions and reducing risks

• Highlights red flags and identifies errors, fraud, inefficient operations and audit targets

• Identifies control weaknesses/breakdowns before they cause too much damage


Data Analysis

• Results from a concern or suspicion of wrongdoing

• Consists of gathering sufficient information about specific details and performing procedures necessary to determine:

Whether fraud has occurred

The loss or exposure associated with the fraud

Who was involved, and how it happened


Fraud Review / Investigation

• Must prepare, document and preserve evidence sufficient for potential legal proceedings

• Must carefully manage in accordance with laws

• Include legal counsel

• Include internal audit

• Include expertise – Certified Fraud Examiner (CFE)


Fraud Review / Investigation

Have you identified your key processes and control?

Have you tested the key controls?

Have you identified your fraud risks?

What are your fraud risks?

How are you mitigating these risks?


Question/Discussion

Ron Steinkamp, CPA, CIA, CFE, CRMA

Principal, Risk Advisory Services

Brown Smith Wallace LLC

314.983.1238 (Direct)

[email protected]


Contact Information

government risk briefings internal controls & fraud prevention in local government november 16,...

Documents

categories of internal

components of internal

control environment

control activities

coso control categories

control consciousness

coso slide

internal sources