Docstoc

Internal Controls - Myths About Fraud

Document Sample
Internal Controls - Myths About Fraud Powered By Docstoc
					       5 Myths About Fraud
        (Adapted from www.fraudauthor.wordpress.com Tracy Coenen)

1. Fraud will be detected by our auditors
2. Small frauds aren’t important enough to
   worry about
3. If we follow gov’t regulations, we will be
   protected against fraud
4. Most people are honest and won’t commit
   fraud
5. My school doesn’t have a fraud problem
                  Myth 1
• Why won’t auditors detect fraud?
  – Audits are not designed to detect fraud
  – Designed to provide “reasonable assurance”
    regarding the financial statements
  – Auditor “complacency”
  – Employee knowledge of audit procedures
                  Myth 2
• Why should we worry about small
  frauds?
  – Virtually every big fraud started out small
  – A zero tolerance policy is a necessary part of
    any good fraud prevention program
  – More cost effective to catch early
  – Also, easier to catch before the fraudster
    becomes really good at it
                  Myth 3
• Why aren’t government regs enough?
  – We still need good internal controls such as
    segregation of duties
  – We still need actively engaged managers
    and supervisors
  – Poor business practices such as over-
    delegation aren’t prohibited by government
    regs
                    Myth 4
• Most people are honest and won’t commit
  fraud.
  – While most people are inherently honest, this
    doesn’t substitute for good internal controls
  – Past behavior doesn’t necessarily predict future
    behavior
  – Cannot predict who will commit fraud
  – Outside pressures cause people to behave in ways
    they normally would not
                  Myth 5
• Does fraud happen at your school?
  – Yes…and the USOE actively assists in
    detection, investigation, and prevention
  – Management review of detail expense and
    revenues is the best control
  – What can we do to prevent and detect
    fraud? That’s the subject of the rest of this
    training….
                   “Fun” Facts
• According to the ACFE (2008 Report)
  – 46% of frauds are detected through tips
  – Lack of adequate internal controls is the biggest contributing
    factor
  – The average organization loses 7% of revenue to fraud and abuse
  – The average fraud loss is $175,000
  – The average fraud has gone on for 2 years before detection
  – 46% of frauds involved small businesses employing less than 100
    people*** (from an earlier report)
  – Only 7% of fraud perpetrators had prior convictions and only
    12% had previously been terminated for fraud
          Why Discuss Fraud?
Obvious Answer?
  Safeguard assets of your school, fiduciary
  responsibility over public and federal funds.

Not so Obvious Answer?
  Protect management, employees and families of
  employees.
    Legal Definition of Fraud
Fraud encompasses an array of irregularities and
  illegal acts characterized by intentional
  deception. The elements of fraud are:
• A representation about a material fact – which is
  false
• Made intentionally, knowingly, or recklessly –
  which is believed
• Acted upon by the victim
• To the victim’s damage
                      Types of Fraud
2008 Report to the Nation on Occupational Fraud and Abuse - Occupational Fraud
             Schemes in Government and Public Administration
Lack of adequate internal controls was
 most commonly cited as the factor
 that allowed fraud to occur.




   2008 Report to the Nation on Occupational
               Fraud and Abuse
Myth: Fraud is committed by
“bad” people
Most people who commit fraud against
their employers are not career
criminals. The vast majority are
trusted employees who have no
criminal history and who do not
consider themselves to be lawbreakers.
So the question is, what factors cause
these otherwise normal, law-abiding
persons, to commit fraud?
Source: AICPA, Antifraud and Corporate Responsibility Center, Understanding Why
Employees Commit Fraud
           The Fraud Triangle
                         Opportunity




    Pressure                                   Rationalization




Like a three legged stool, generally all
three parts of the triangle must be in place
for fraud to occur.
             Opportunity
Opportunity is generally provided through
 weaknesses in internal controls. Some
 examples include inadequate or no:
  – Supervision and review
  – Separation of duties
  – Management approval
        Pressure
Pressure can be imposed
  due to:
• Personal financial
  problems
• Personal vices such as
  gambling, drugs,
  extensive debt, etc.
• Unrealistic deadlines
  and performance goals
• Excessive workload
                       Rationalization
Rationalization occurs when the individual
  develops a justification for their fraudulent
  activities. The rationalization varies by
  case and individual. Some examples
  include:
    – “I really need this money and I’ll put it back
      when I get my paycheck”
    – “I’d rather have the company on my back
      than the IRS”
    – “I just can’t afford to lose everything – my
      home, car, everything”
    – The reporting requirements are too time
      consuming, this is close enough
    What are the red flags of fraud?
• Ineffective internal controls such as:
   – Not separating functional responsibilities of authorization,
     custodianship, and record keeping. No one should be responsible
     for all aspects of a function from the beginning to the end of the
     process.
   – Unrestricted access to assets or sensitive data
   – Not recording transactions resulting in lack of accountability
   – Not reconciling assets with the appropriate records
   – Unauthorized transactions
   – Unimplemented controls because of the lack of or unqualified
     personnel
• Inability of accounting system to provide income statement timely
• Accounting abnormalities
• Resistance of supervisors to change procedures
Findings consistent in districts & charters

 Bank Reconciliations –Timely bank reconciliations are a crucial
internal control and should be occurring monthly. All bank accounts
should be reconciled monthly. The bank balance should be reconciled to
the general ledger balance, and reconciling items should be corrected in
a timely manner. The completed bank reconciliation should be reviewed
and approved by someone aside from the preparer.

Segregation of Duties/internal controls – In many of the
smaller or mid-sized school districts/charters a small
number of employees running the office may make
segregation of duties impractical. However,
compensating controls such as reviews by a third
party or board member can be implemented to
improve internal controls.
Reimbursements – Reimbursements to district or office personnel should
always be approved by the immediate supervisor. These approvals could
also be done by a board member.

Inadequate Written Accounting Policies and Procedures Pertaining
to Expenditures – Where policies and procedures are only contained in
negotiated agreements or by school district/charter practice, a clear written
policy should be written and approved by the Board to justify either benefits
or payments made to employees or contractors. These policies should
comply with State purchasing procedures.

Adequate documentation for expenditures/certification of payroll
costs- All expenditures should be adequately supported by
documentation. This includes payroll costs. For
charges made to Federal grants expenditures and
documentation for said expenditures must comply
With OMB Circular A87. Payroll costs that are charged
 to state and federal sources must be certified.
          Segregation of duties
Segregation (or separation) of duties is a basic, key
  internal control and one of the most difficult to
  achieve. It is used to ensure that errors or
  irregularities are prevented or detected timely by
  employees in the normal course of business.

Segregation of duties provides two benefits:
   – a deliberate fraud is more difficult because it requires
     collusion of two or more persons, and
   – it is much more likely that innocent errors will be found. At
     the most basic level, it means that no single individual should
     have control over two or more phases of a transaction or
     operation.
    Segregation of Duties (cont’d)
• In an ideal world, no one employee would have more
  than two of the key duty types
• If duties can’t be properly segregated, then
  compensating or mitigating controls must be
  implemented
• Supervision and review are an important
  compensating control
• Proper segregation of duties is important at all times
  – consider this when assigning backup responsibility
  or coverage when someone is out of the office
              Categories of Duties
• Authorization - the process of reviewing and approving transactions
  or operations

• Custody - having access to or control over any physical asset such as
  cash, checks, equipment, supplies, or materials.

• Recordkeeping - the process of creating and maintaining records of
  revenues, expenditures, inventories, and personnel transactions.
  These may be manual records or records maintained in automated
  computer systems

• Reconciliation - verifying the processing or recording of
  transactions to ensure that all transactions are valid, properly
  authorized and properly recorded on a timely basis. This includes
  following up on any differences or discrepancies identified.
Internal Controls Don’t Always Work
• Control override. “I know that’s the policy, but
  we do it this way.” “Just get it done, I don’t
  care how.”
• Inherent limitations. People are people and
  mistakes happen. You can’t foresee or
  eliminate all risk.
• Collusion. Two or more employees work
  together to circumvent controls and commit
  fraud.
Bank                                General
                                    Ledger
                                     Cash,
                                     Revenues,
          2                 2        Accounts
                                     Receivables

                Deposit
              Preparation



      1           1             1
                                               1- How do you know all the $
 School         Front                          that comes into the school gets
                                Teachers
Lunch $         Office                         receipted?

                                               2- How do you know all the $
                                               prepared for deposit gets to
                                               the bank?
                       Deposit
                     Preparation



              1           1        1

      School             Front
     Lunch $             Office        Teachers


  1- How do you know all the $ that comes into the school gets receipted?

Controls:
• Reconciliation of $ presented for deposit to a record of what was entered into the
student system/receipted into General Ledger. MOST EFFECTIVE if this is
conducted by someone that doesn’t have access to cash

•Segregate duties if possible.

•Bank Reconciliation
•Budget reviews by program
      Bank                            General
                                      Ledger


               2                  2
                      Deposit
                    Preparation




2- How do you know all the $ prepared for deposit gets to the bank?

Controls:
•Reconciliation of boundary detail to validated deposit slip.
•Bank Reconciliation
•Budget Reviews

* These reviews can also detect errors, typos, and miscoding in a timely
manner
Bank                               General
                                   Ledger

                                      Cash, Expense,
            2                 2       Accounts
                                      Payable



                Accounting




        1                      1                 1- How do you know that an
                                                 expenditure is approved? Is it
                              Credit             allowable for funding source?
 -Check Requests
                               Card
      -P.O’s                                     2- How do you know that
-Employee reimb.             Purchases
                                                 invoices were altered after
                                                 approval? How do you know
                                                 that an extra check wasn’t
                                                 added?
              Accounting



        1                  1

 -Check Requests             Credit
      -P.O’s                  Card
-Employee reimb.            Purchases

1- How do you know that an expenditure is approved? Is it allowable for funding
source?

Controls:
•Approved invoice(s) with supporting documentation.

•Someone should compare shipping documents and invoice with approved P.O.

•Credit card Statement (entire) with receipts, and supervisor approval.
      Bank                            General
                                      Ledger

                                         Cash, Expense,
                2                2       Accounts
                                         Payable



                    Accounting




2- How do you know that invoices were altered after approval? How do you know
that an extra check wasn’t added?

Controls:
•Reconcile check runs to original documentation
•SEGREGATE DUTIES: Don’t allow the creator of checks to have access/mail them
after they are signed.
•Bank Reconciliations
•Budget reviews by program
Bank                            General
                                Ledger

                                       Cash, Expense,
           2                2          Accounts
                                       Payable


                  Payroll
               company/HR
                 SYSTEM

                                                  1- How do you know that
       1                    1                     hours/salary is
                                                  approved/reasonable? Is it
                                                  allowable for funding source?
Time Cards                  Salaries              2- How do you know that hours
                                                  were not added to inflate
                                                  paycheck? How do you know
                                                  there are no ghost employees?
                                                  How do you know there
                                                  weren’t any typos? Terminated
                                                  employees?
                      Payroll
                   company/HR
                     SYSTEM



             1                   1

    Time Cards
                                  Salaries




1- How do you know that hours/salary is approved/reasonable? Is it allowable for
funding source?


Controls:
•Time card is REVIEWED, recalculated, and signed by supervisor.
•Salaries/hourly rate is documented.
•Edit review of time entered into HR system.
      Bank                             General
                                       Ledger

                                           Cash, Expense,
                2                2         Accounts
                                           Payable


                       Payroll
                    company/HR
                      SYSTEM

2- How do you know that hours were not added to inflate paycheck? How do you
know there are no ghost employees? How do you know there weren’t any typos?
Terminated employees?

Controls:
•Final review of payroll before running checks/sending EFT information to bank.
•Bank reconciliations
•Budget reviews by program
    Bank               General
                       Ledger
                                      Electronic Items
                                      Journal Entries

                        2

       1
                                          1- How do you know that all
                                          electronic deposits/payments
                                          are authorized and get recorded
                                          timely and correctly?
 Electronic deposits        Journal
                            Entries       2- How do you know that
Electronic payments
                                          journal entries are authorized?
                                          How do you know they are
                                          coded correctly and it’s ok to
                                          make the changes?
                      Overall Controls

Bank Reconciliations
-Done monthly
-Ensure that general ledger balances agree to the ending bank balance
-Ensure that all electronic transactions are posted monthly

** If the person performing the bank reconciliation has access to cash, can access the
bank accounts, has the ability to create checks, or can make entries into the g/l then
they aren’t independent.

COMPENSATING Control: (could be the audit committee of the board, or a board
member)
-Someone independent review the bank reconciliation monthly.
-Someone independent review the original bank statement monthly.
              Overall Controls cont’d
Journal Entries
* If the person making the journal entries also has access to cash, can access the
bank accounts, has the ability to create checks, or can make entries into the g/l then
they aren’t independent.

COMPENSATING Control: (could be the audit committee of the board, or a board
member)
-Documentation be retained for all journal entries. Require an approval signature.
-Someone independent review a listing of the journal entries monthly.
-Someone independent review the original bank reconciliation monthly.

Budget Review by Program/Audit
Committee/Board
-A review of income and expenses should be available at all times.
-At least monthly program personnel or the Director should have an idea of what the
budget status is.
-Only program people will be able to detect if their revenues are low, or expenditures
are high.
Your Internal Control System
              • Identify risks in
                your environment
              • Identify control
                points
              • Analyze potential
                exposures
              • Design system to
                mitigate risk
                         Resources
  USOE Internal Audit                   Utah State Auditor’s Office

 Natalie Grange, CPA, CFE               Hotline: 801-538-1383

 Natalie.Grange@schools.utah.gov        www.sao.utah.gov/spHotline.html
      Hotline: 801-538-7813

www.schools.utah.gov/fraud/fraud.html
   Resources-ARRA Specific
           Office of the Inspector General

www.recovery.gov/Contact/ReportFraud/Pages/Report_Fr
 aud.aspx

Call the Recovery Board Fraud Hotline: 1-877-392-3375
  (1-877-FWA-DESK)