internal control and fraud 11-19-10

Internal Control and Fraud. Presented by Steve Hooper, CIA, CFE, CGAP, CCSA, Senior Internal Auditor, Clerk of the Circuit Court, Hillsborough County, Florida, and Ed Tobias, CISA, CIA, IT Audit Manager, Clerk of the Circuit Court, Hillsborough County, Florida. Florida Government Finance Officers Association, Tampa Bay Chapter, November 19, 2010.

Upload: ed-tobias

Post on 21-Jun-2015


DESCRIPTION

Presented to FGFOA by Steve Hooper and me. Discusses internal control and fraud detection/prevention.

TRANSCRIPT

Page 1: Internal Control And Fraud 11-19-10

Internal Control and Fraud

Presented by
Steve Hooper, CIA, CFE, CGAP, CCSA
Senior Internal Auditor
Clerk of the Circuit Court, Hillsborough County, Florida

Ed Tobias, CISA, CIA
IT Audit Manager
Clerk of the Circuit Court, Hillsborough County, Florida

FLORIDA GOVERNMENT FINANCE OFFICERS ASSOCIATION
Tampa Bay Chapter
November 19, 2010

Page 2

Internal Controls and Fraud

What is Fraud?

"… any illegal act characterized by deceit, concealment, or violation of trust. … Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage."

Source: International Professional Practices Framework (IPPF) Glossary

Page 3

How Does Fraud Occur?

• Poor internal controls
  – Lack of proper authorization
  – No separation of authorization, custody, and record keeping
  – No independent checks on performance
  – Lack of clear lines of authority
  – Inadequate documentation

• Management override of internal control

• Collusion between employees and 3rd parties

• Collusion between employees and management

• Poor, or non-existent, ethics policy

• Limited, unclear, or no policies and procedures to direct department/division processes

Page 4

IIA IPPF Standards

• "… evaluate the potential for the occurrence of fraud and how the organization manages fraud risk." (IPPF 2120.A2)

• "… consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives." (IPPF 2210.A2)

Page 5

IIA IPPF Standards

• "… have sufficient knowledge to evaluate the risk of fraud …" (IPPF 1210.A2)

• "… exercise due professional care by considering the … probability of … fraud …" (IPPF 1220.A1)

• "CAE must report periodically to senior management and the board … including fraud risks …" (IPPF 2060)

Page 6

Leading Fraud Management Practices

• Implement a well-publicized fraud management program

• Ensure effectiveness of established controls

• Ensure audit plans encompass IT audit activities
  – Fraud detection software
  – Data mining
  – Etc.

Page 7

Elements of a Fraud Risk Management Program

• Control environment and structure
• Fraud risk assessment
• Control activities
• Detection and monitoring
• Incident response and remediation

Page 8

Elements of a Fraud Risk Management Program

Control Environment & Structure

• High Integrity Culture
• Audit Committee Oversight
• Roles and Responsibility for Fraud Risk Management
• Information and Communication
• Codes of Ethics and Compliance
• Ethics Hotline/Whistleblower Program
• Hiring and Promotion Procedures
• Significant Third Party Relationships

Page 9

Elements of a Fraud Risk Management Program

Fraud Risk Assessment

• Risk Assessment Process
  – Management Participation
  – Likelihood and Significance
• Subsidiaries, Segments, Divisions, Regions, Units and Functions
• Areas of Vulnerability and Specific Presumed Fraud Risks (e.g., IT)

Control Activities

• Risk and Control Activities Linkage
• Controls Design and Operating Effectiveness

Page 10

Elements of a Fraud Risk Management Program

Detection and Monitoring

• Identifying Risk Factors
• Identifying Risk Indicators
• Contemporaneous Monitoring

Incident Response and Remediation

• Investigation
• Remediation

Page 11

Assessing the Adequacy of a Fraud Risk Management Program

For each element:
• Define what it is
• What is appropriate practice based on risk
• Assess whether the organization meets that practice

Methods of collecting information
• Targeted audit as groups of elements
• Detailed testing of isolated elements

Page 12

HOW TO IDENTIFY RISK

For each department/division's objective, ask:

• What could go wrong? How could we fail?
• What must go right to succeed?
• What decisions require the most judgment?
• What activities are most complex?
• What activities are regulated?
• On what do we spend the most money?
• How do you bill/collect related revenue?
• On what information do we most rely?
• What assets do we need to protect?
• How could someone or something disrupt our operations?

Page 13

Conditions that increase risk

• Lack of segregation of duties
• Too much trust
  – Approval of documents without review
  – Lack of verification of transactions after they have been entered in the system
  – Lack of reconciliations
• No follow up when things appear "questionable" or "not reasonable"
• Lack of control over cash/petty cash
• Lack of control over purchasing of materials/supplies
• Lack of knowledge of policies and procedures

Page 14

Activities for the Controlling Mind

Joe, the hard working staff assistant, is asked to process a requisition to purchase a new $5,000 camera to be used by a project manager who is working on a federal grant project.

Later, when Joe conducts the annual physical inventory for the department, as requested by the Accounting Department, he is not able to locate the camera in the department. Joe learns the project manager was given permission by the department manager to take the camera home so that he could take photos at his sister’s wedding (that was 2 months ago).

When Joe talks to the department director about it, he is told not to worry – since the camera wasn’t purchased with organizational funds (i.e., the grant paid for it), it would be okay to check it off on the inventory report even though it had been removed from the premises. PROBLEM………?

Page 15

Activities for the Controlling Mind

Jill, a senior staff assistant, is a department procurement card holder. Her department manager, Anna, travels extensively, so Jill occasionally uses a signature stamp to approve her procurement card statements. Jill went shopping for a new TV one weekend. While checking out, Jill mistakenly used her County's procurement card. On Monday she received an email from Accounting confirming the purchase; at that time she realized her mistake. Jill decided to wait until Anna returned from out of town to ask her advice. Jill was certain Anna would understand and help her straighten things out. The statement arrived a week later and Jill had Jack, the office assistant, approve the statement since Anna wasn't due back for another two weeks. Upon Anna's return, Jill had not saved enough money to repay the Organization for the TV. Since Anna had not seen the statement and it had already been processed by Accounting, Jill decided not to bring it up. She had been an exceptional employee for years and had seen many of her coworkers receive bonuses. She decided it was her turn. This would be her bonus. She had earned it!

Page 16

IT Fraud Risk Assessment Key Elements

• Types of fraud
• Inherent risk of fraud
• Existing controls
• Control gaps
• Likelihood
• Business impact

Page 17

IT Fraud Risks

•Access to systems or data for personal gain

•Changes to system programs or data for personal gain

•Fraudulent activity by an independent contractor or off-shore programmer

•Conflicts of interest with suppliers or third parties

•Copyright infringement

Page 18

Computer Crime Resource

Computer Crime and Intellectual Property Section
United States Department of Justice

SOURCE: WWW.USDOJ.GOV/CRIMINAL/CYBERCRIME/CC/HTML

Examples:

Page 19

Independent Contractor Fraud

SCENARIO

An IT consultant under contract illegally accesses the company's computer systems.

Source: U.S. Department of Justice, Computer Crime and Intellectual Property Section

FRAUD

After the company declined to offer an IT contractor permanent employment, he illegally accessed the company's computer systems and caused damage by impairing the integrity and availability of data. He was indicted on federal charges; the charge carries a maximum statutory penalty of 10 years in federal prison.

Page 20

Access to Systems or Data for Personal Gain

SCENARIO

A database analyst for a major check authorization and credit card processing company exceeds his authorized computer access.

Source: U.S. Department of Justice, Computer Crime and Intellectual Property Section

FRAUD

The employee used his computer access to unlawfully steal the consumer information of 8.4 million individuals. The information stolen included names and addresses, bank account information, and credit and debit card information. He sold the data to telemarketers over a five-year period. A U.S. District judge sentenced him to 57 months' imprisonment and $3.2 million in restitution for conspiracy and computer fraud.

Page 21

Access to Systems or Data for Personal Gain

Scenario

An employee in the Payroll department moved to a new position. Upon switching positions, the employee's access rights were left unchanged.

Source: 2008 Insider Threat Study, US Secret Service and CERT/SEI

Fraud

Using the retained privileged access rights, the employee provided an associate with confidential information for 1,500 of the firm's employees, including 401k account numbers, credit card account numbers, and Social Security numbers, which was then used to commit over 100 cases of identity theft. The insider's actions caused over $1 million in damage to the company and its employees.
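The control that would have caught the scenario above is a periodic user access review that compares every entitlement in the application against the HR system's view of the holder's current department and status, plus a segregation-of-duties check for the "no separation of authorization, custody, record keeping" condition on page 3. The Python below is an added example written for this page; it is not code from the presentation or from the Insider Threat Study. The HR records, entitlement names, role matrix and toxic pairs are all constructed for illustration.

```python
# Constructed HR feed: each person's *current* department and status. Not real data.
HR = {
    "jdoe":    {"dept": "Payroll",    "status": "active"},
    "asmith":  {"dept": "Finance",    "status": "active", "transferred_from": "Payroll"},
    "bformer": {"dept": "Payroll",    "status": "terminated"},
    "cbuyer":  {"dept": "Purchasing", "status": "active"},
}

# Constructed entitlement export from the application's security tables.
GRANTS = [
    ("jdoe", "PAYROLL_VIEW"), ("jdoe", "PAYROLL_EDIT"),
    ("asmith", "GL_POST"), ("asmith", "PAYROLL_VIEW"), ("asmith", "PAYROLL_EDIT"),  # kept after transfer
    ("bformer", "PAYROLL_VIEW"),                                                    # account never disabled
    ("cbuyer", "VENDOR_MAINTAIN"), ("cbuyer", "AP_PAY"),                            # each allowed, together toxic
]

# Assumed role matrix: entitlements each department legitimately needs.
ROLE_MATRIX = {
    "Payroll":    {"PAYROLL_VIEW", "PAYROLL_EDIT"},
    "Finance":    {"GL_POST", "GL_VIEW"},
    "Purchasing": {"VENDOR_MAINTAIN", "AP_PAY", "PO_APPROVE"},
}

# Assumed segregation-of-duties rules: pairs one person must never hold at once.
TOXIC_PAIRS = [
    frozenset({"VENDOR_MAINTAIN", "AP_PAY"}),   # create a vendor and pay it
    frozenset({"PAYROLL_EDIT", "AP_PAY"}),
]


def review_access(hr, grants, role_matrix):
    """Flag grants that do not fit the holder's current role.
    Returns sorted (user, entitlement, reason) tuples."""
    findings = []
    for user, ent in grants:
        rec = hr.get(user)
        if rec is None:
            findings.append((user, ent, "no_hr_record"))       # orphan account
        elif rec["status"] != "active":
            findings.append((user, ent, "not_active"))         # terminated but still provisioned
        elif ent not in role_matrix.get(rec["dept"], set()):
            old = rec.get("transferred_from")
            if old and ent in role_matrix.get(old, set()):
                findings.append((user, ent, f"retained_from_{old}"))  # the page-21 failure mode
            else:
                findings.append((user, ent, "not_in_role"))
    return sorted(findings)


def sod_conflicts(grants, toxic_pairs):
    """Flag users holding every entitlement of a toxic pair.
    Returns sorted (user, pair) tuples; a role may allow each half on its own."""
    held = {}
    for user, ent in grants:
        held.setdefault(user, set()).add(ent)
    return sorted((user, tuple(sorted(pair)))
                  for user, ents in held.items()
                  for pair in toxic_pairs if pair <= ents)


if __name__ == "__main__":
    for finding in review_access(HR, GRANTS, ROLE_MATRIX):
        print("access review:", finding)
    for conflict in sod_conflicts(GRANTS, TOXIC_PAIRS):
        print("SoD conflict:", conflict)
```

Run against these records it reports asmith's two retained Payroll entitlements, bformer's still-active grant, and cbuyer's vendor-maintain/pay combination. The two checks are deliberately separate: a role matrix says what a department may hold, and a transfer or termination feed is what drives revocation, while a toxic-pair list catches combinations that are individually legitimate.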

Page 22

Why Data Analysis?

• Examine 100% of transactions
• Compare data from different applications
• Perform tests to detect fraud & verify controls
• Automate tests in high-risk areas
• Maintain logs of analytics performed

Page 23

Fraud Self Audit Program Components

• Profile of potential fraud
• Test transactional data
• Automate tests for high risk areas
• Review results of testing
• Respond with recommendations

Page 24

Analytical Techniques

• Calculate statistical parameters
• Classify to find patterns
• Stratify to identify unusual values
• Digital analysis, to identify unlikely occurrences
• Joining or matching data between systems
• Duplicates testing
• Gaps testing to identify missing data
• Summing and totaling to check control totals that may be falsified
• Graphing to provide visual identification of anomalous transactions
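Three of the techniques listed above (digital analysis, gaps testing and stratification) can be shown on a small data set. The Python below is an added example, not part of the presentation. The amounts, the check-number sequence, the $5,000 approval threshold that the planted payments sit just under, and the 1.5x flagging ratio are all assumptions constructed for illustration; the only thing taken from outside the page is Benford's law itself, the expected leading-digit distribution that "digital analysis" tests against.

```python
import math
from collections import Counter


def first_digit(amount):
    """Leading non-zero digit of an amount, or None for zero."""
    digits = f"{abs(amount):.2f}".replace(".", "").lstrip("0")
    return int(digits[0]) if digits else None


# Benford's law: expected share of each leading digit in naturally occurring amounts.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def benford_test(amounts, ratio_threshold=1.5):
    """Digital analysis: compare observed first-digit shares with Benford's expectation.
    Returns (report, flagged): report[d] = (observed, expected, observed/expected),
    flagged = digits whose observed share is at least ratio_threshold times expected."""
    counts = Counter(d for d in map(first_digit, amounts) if d is not None)
    total = sum(counts.values())
    report = {}
    for d in range(1, 10):
        observed = counts[d] / total if total else 0.0
        report[d] = (observed, BENFORD[d], observed / BENFORD[d])
    flagged = [d for d, (_, _, ratio) in report.items() if ratio >= ratio_threshold]
    return report, flagged


def gaps_test(sequence_numbers):
    """Gaps testing: (first_missing, last_missing) ranges in a pre-numbered sequence
    such as check, receipt or PO numbers."""
    nums = sorted(set(sequence_numbers))
    return [(prev + 1, cur - 1) for prev, cur in zip(nums, nums[1:]) if cur - prev > 1]


def stratify(amounts, bands):
    """Stratification: count amounts falling into each [low, high) band."""
    counts = {band: 0 for band in bands}
    for a in amounts:
        for low, high in bands:
            if low <= a < high:
                counts[(low, high)] += 1
                break
    return counts


# Constructed sample data (not from the presentation). Geometric growth gives a
# Benford-like "natural" population; 40 payments just under an assumed $5,000
# approval threshold are planted on top of it.
NATURAL = [round(10 * 1.07 ** k, 2) for k in range(200)]
PLANTED = [round(4900 + 2.5 * i, 2) for i in range(40)]      # 4900.00 .. 4997.50
SAMPLE_AMOUNTS = NATURAL + PLANTED
SAMPLE_CHECK_NUMBERS = [1001, 1002, 1003, 1006, 1007, 1010]  # 1004-1005 and 1008-1009 never cleared
BANDS = [(0, 1000), (1000, 4000), (4000, 5000), (5000, 10000), (10000, 10**9)]

if __name__ == "__main__":
    report, flagged = benford_test(SAMPLE_AMOUNTS)
    for d in range(1, 10):
        obs, exp, ratio = report[d]
        print(f"digit {d}: observed {obs:.3f} expected {exp:.3f} ratio {ratio:.2f}")
    print("digits over threshold:", flagged)
    print("missing check numbers:", gaps_test(SAMPLE_CHECK_NUMBERS))
    print("amounts by band:", stratify(SAMPLE_AMOUNTS, BANDS))
```

On this data the leading digit 4 is over-represented, which is the typical signature of amounts split or rounded to stay under an approval limit; the stratification shows the same thing as a bulge in the 4,000 to 5,000 band, and the gap test lists the check numbers that were issued but never cleared. None of these results is proof of fraud; each is a pointer to the transactions worth pulling for review.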

Page 25

Application of Data Analytics in Fraud Detection

• Accounts Payable
• Accounts Receivable
• Cash Disbursements
• Conflict of Interest
• Credit Card Management
• Deposits
• General Ledger
• Kickbacks
• Insurance Claims
• Loans
• Materials Management
• Inventory Control
• Purchase Order Management
• Salaries and Payroll
• Claims
• Vendor Management

Page 26

Types of Fraud Tests - Examples

Type: Tests used

Fictitious vendors: Run checks to uncover post office boxes used as addresses and to find any matches between vendor and employee addresses and/or phone numbers.

Altered invoices: Check for invoice amounts not matching contracts or purchase order amounts.

Page 27

Types of Fraud Tests - Examples

Type: Tests used

Duplicate invoices: Review for duplicate invoice numbers, duplicate dates, and duplicate invoice amounts.

Duplicate payments: Search for identical invoice numbers and payment amounts.

Payroll fraud: Check whether a terminated employee is still on payroll by comparing the termination date with the period covered by the paycheck.
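The tests on pages 26 and 27 are joins and group-bys over the vendor, employee, purchase order, invoice, payment and payroll files, so the natural way to express them is as SQL. The Python below is an added example written for this page, not part of the presentation; it loads constructed sample records into an in-memory SQLite database and runs one query per test type. The table layouts, column names and every record are assumptions, with one anomaly of each kind planted so that each test returns exactly the row it should.

```python
import sqlite3

SCHEMA = """
CREATE TABLE vendors         (vendor_id TEXT, name TEXT, address TEXT, phone TEXT);
CREATE TABLE employees       (emp_id TEXT, name TEXT, address TEXT, phone TEXT, term_date TEXT);
CREATE TABLE purchase_orders (po_no TEXT, vendor_id TEXT, amount REAL);
CREATE TABLE invoices        (inv_no TEXT, vendor_id TEXT, po_no TEXT, inv_date TEXT, amount REAL);
CREATE TABLE payments        (pay_id TEXT, inv_no TEXT, vendor_id TEXT, amount REAL);
CREATE TABLE payroll         (emp_id TEXT, period_start TEXT, period_end TEXT, gross REAL);
"""

# Constructed sample records (not real county data); each anomaly is planted on purpose.
SAMPLE = {
    "vendors": [
        ("V100", "Bay Office Supply",   "410 Kennedy Blvd, Tampa FL", "813-555-0100"),
        ("V200", "QuickFix Consulting", "P.O. Box 8812, Tampa FL",    "813-555-0199"),  # PO box address
        ("V300", "Sunshine Cleaning",   "77 Palm Ave, Brandon FL",    "813-555-0142"),  # same as employee E2
    ],
    "employees": [
        ("E1", "Joe Staffer", "12 Oak St, Tampa FL",     "813-555-0111", None),
        ("E2", "Jill Senior", "77 Palm Ave, Brandon FL", "813-555-0142", None),
        ("E3", "Pat Former",  "9 Elm Ct, Lutz FL",       "813-555-0177", "2010-09-30"),  # terminated
    ],
    "purchase_orders": [("PO-1", "V100", 1200.00), ("PO-2", "V200", 4800.00), ("PO-3", "V300", 950.00)],
    "invoices": [
        ("INV-501", "V100", "PO-1", "2010-10-01", 1200.00),
        ("INV-502", "V200", "PO-2", "2010-10-03", 5300.00),  # billed above the PO amount
        ("INV-503", "V300", "PO-3", "2010-10-05", 950.00),
        ("INV-503", "V300", "PO-3", "2010-10-05", 950.00),   # same invoice entered twice
    ],
    "payments": [
        ("P1", "INV-501", "V100", 1200.00),
        ("P2", "INV-503", "V300", 950.00),
        ("P3", "INV-503", "V300", 950.00),                   # invoice paid twice
    ],
    "payroll": [
        ("E1", "2010-10-01", "2010-10-15", 1800.00),
        ("E3", "2010-10-01", "2010-10-15", 2100.00),         # pay period ends after termination
    ],
}

TESTS = {
    # Fictitious vendors: PO-box addresses, or an address/phone shared with an employee.
    "fictitious_vendors": """
        SELECT DISTINCT v.vendor_id, v.name,
               CASE WHEN UPPER(REPLACE(v.address, '.', '')) LIKE '%PO BOX%'
                    THEN 'po_box' ELSE 'matches_employee' END AS reason
        FROM vendors v
        LEFT JOIN employees e ON e.address = v.address OR e.phone = v.phone
        WHERE UPPER(REPLACE(v.address, '.', '')) LIKE '%PO BOX%' OR e.emp_id IS NOT NULL
        ORDER BY v.vendor_id""",
    # Altered invoices: invoice amount differs from the purchase order it cites.
    "altered_invoices": """
        SELECT i.inv_no, i.amount, p.amount AS po_amount
        FROM invoices i JOIN purchase_orders p ON p.po_no = i.po_no
        WHERE i.amount <> p.amount""",
    # Duplicate invoices: same vendor, invoice number, date and amount more than once.
    "duplicate_invoices": """
        SELECT vendor_id, inv_no, inv_date, amount, COUNT(*) AS n
        FROM invoices GROUP BY vendor_id, inv_no, inv_date, amount HAVING COUNT(*) > 1""",
    # Duplicate payments: identical invoice number and payment amount.
    "duplicate_payments": """
        SELECT inv_no, amount, COUNT(*) AS n
        FROM payments GROUP BY inv_no, amount HAVING COUNT(*) > 1""",
    # Payroll fraud: pay period ends after the employee's termination date.
    "terminated_on_payroll": """
        SELECT p.emp_id, e.term_date, p.period_end, p.gross
        FROM payroll p JOIN employees e ON e.emp_id = p.emp_id
        WHERE e.term_date IS NOT NULL AND p.period_end > e.term_date""",
}


def load_sample_data():
    """Build an in-memory database from the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return conn


def run_fraud_tests(conn=None):
    """Run every test; returns {test_name: [exception rows]}."""
    conn = conn or load_sample_data()
    return {name: conn.execute(sql).fetchall() for name, sql in TESTS.items()}


if __name__ == "__main__":
    for name, rows in run_fraud_tests().items():
        print(f"{name}: {len(rows)} exception(s)")
        for row in rows:
            print("   ", row)
```

Against a real vendor master the address match should be run on normalized addresses (case, punctuation, suite numbers stripped), and the PO-box pattern needs the local variants ("POB", "Post Office Box"); the exact-equality join here is the simplest form of the test, not the most sensitive. Each query is deliberately a full-population test rather than a sample, which is the point of the "Examine 100% of transactions" bullet on page 22.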

Page 28

Key Considerations

1. Build a profile of potential frauds to be tested

2. Analyze data for possible indicators of fraud

3. Automate the detection process through continuous auditing/monitoring of high-risk business functions to improve controls

4. Investigate and drill down into emerging patterns

5. Expand scope and repeat as necessary

Page 29

Benefits

• Close control loopholes before fraud escalates
• Quantifies the impact of fraud
• Cost-effective
• Acts as a deterrent
• Can be automated for continuous analysis
• Provides focus based on risk and probability of fraud
• Direct pointers to critical evidence
• Support for regulatory compliance
