Yvonne M. Clayborne PowerPoint PPT Presentation


Audit Red Flags & Public-Sector Fraud

Yvonne M. Clayborne, CPA

Jeff Roth, CISA



The Fraud Triangle

  • Opportunity – inadequate or no:

    • Supervision & review

    • Segregation of duties

    • Management approval

    • System controls

  • Pressure:

    • Unrealistic deadlines

    • Unrealistic performance goals

    • Personal vices

  • Integrity (a.k.a. Rationalization) – reconciling behavior with commonly accepted notions of decency & trust.



The Nature of the Industry…

  • Fraud can be explained by three factors:

    • A supply of motivated offenders

    • The availability of suitable targets

    • The absence of capable guardians or a control system to “mind the store”

  • The opportunity to commit & conceal fraud is the only element over which the local government has significant control.

  • What are some of the warning signs?

  • What can we do about it?

Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York



No free lunch...

  • Business fraud and abuse in the U.S. cost about $650 billion a year.

    • Government agencies lose an average of $45,000 per fraud scheme

    • Average organization loses 5% of revenue or $8 a day per employee

  • Street crime only costs the U.S. $4 billion annually.



ACFE Report to the Nation on Occupational Fraud & Abuse

Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse



Famous last words:

“It won’t happen here. We’re careful who we hire.”

Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse



Famous last words:

“But he’s in charge. He had no motive.”



Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse



Famous last words:

“NO WAY it was Mike. He’s over 60 now.”

Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse



Famous last words:

“Sandra wouldn’t have done that. She’s a mom.”

Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse



Famous last words:

“It would never happen in our department.”



What’s the cost?…

  • Economic costs:

    • Tangible & measurable

    • Insurable in some cases

    • Provides basis for prosecution and/or litigation

  • Political costs:

    • Loss of integrity

    • Diminished public confidence

    • Can’t be measured, difficult to recover



What are the Warning Signs?

A red flag is a set of circumstances that are unusual in nature or vary from the normal activity. It is a signal that something is out of the ordinary and may need to be investigated further. Red flags do not indicate guilt or innocence but merely provide possible warning signs of fraud.

Being able to recognize red flags is necessary not only for public accountants but also for anyone working in the public sector where the potential for fraud to occur exists.

Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York



Just keep in mind…

Do not ignore a red flag – Studies of fraud cases consistently show that red flags were present, but were either not recognized, or were recognized but not acted upon by anyone.

Sometimes an error is just an error – Red flags should lead to some kind of appropriate action, i.e., an investigation by a measured & responsible person, but sometimes an error is just an error and no fraud exists.

Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York



Employee Red Flags…

Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York



Management Red Flags…

Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York



Red flags in cash or accounts receivable…

Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York



Red flags in payroll…

Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York



Red flags in purchasing or inventory…

Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York



Profile of a fraud perpetrator…

  • Male.

  • Intelligent and in management.

  • Married and under some type of significant stress.

  • Risk takers and not afraid to fail.

  • Rule breakers.

  • Long-time employees, hard working

Source: “Fraud Perpetrator Profile: A Short Story” by Nick Brignola, CFE



Profile of an organization at risk…

  • Less than 100 employees.

  • Management ignores irregularities.

  • High turnover with low morale.

  • Staff lacks training.

    * The education industry has experienced the lowest median losses.

Source: “Fraud Perpetrator Profile: A Short Story” by Nick Brignola, CFE



The Typical Environment in which Fraud Occurs

  • Trust is placed in employees

  • Employees have detailed knowledge of the accounting systems and their weaknesses

  • Management domination subverts normal internal controls

  • Management adds pressure to “make the numbers”

  • Expected moral behavior is not communicated to employees

  • Unduly liberal accounting practices



The Typical Environment in which Fraud Occurs

  • Ineffective or nonexistent internal auditing staff.

  • Lack of effective internal controls.

  • Poor accounting records.

  • Related party transactions.

  • Incomplete and out of date procedural documentation.

  • Management sets a bad example.



Government Agencies in the News

  • Construction Company Bills School $90,000 for Job it Did Not Get

  • Corruption in Paradise – This is Not Hawaii Five-O

  • Local Fraud: Timing is Everything

  • Former Commissioner Pleads Guilty to Stealing County Gasoline for Personal Use

  • Former Employee gets 10 years for Theft

  • Employee called Payroll Plan Foolproof

  • Missing Funds Could Top One Million

  • DA Asked to Find Out How $260,000 was lost at Tax Office

  • Sensitive Information Left in Recycle Bin

  • Councilman Embezzlement Case in Hands of FBI

  • 14 Indicted in Connection with Payroll Fraud

  • Ex-Illinois Gov. Ryan gets 6 1/2 years for graft



Fighting fraud with words…

“In the current era of “whistleblower” reform, fraud controls and hotlines have become a focus in the media and in the minds of citizens. Auditors in the public sector can enhance fraud detection through employee and vendor communications campaigns specifically designed with fraud prevention as the primary goal.”

Source: “Fighting Fraud with Words: Whistleblower Communication” – March 2006, ALGA


Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse



“Who knew who they were? There was no place for me to voice my concerns, either to the internal audit function or the audit committee. Remember, I was not in the accounting department. But even if I were, I think I would have known it would have been fruitless, because I would have had access to junior auditors who were simply not in the position to raise the flags that would have hurt their senior auditors and account executives.”

– Sherron Watkins, Enron Corporation



Hotline help...

“An engaging message needs to reach the right person at the right time in order to influence that person to take action.”

  • Fraud losses are reduced by 58% when an effective hotline is in place

  • 47% of hotline calls happen overnight or on weekends

  • Communications that publicize the existence of the hotline should be used as an opportunity to promote ethical behavior as well

  • Components of communication strategy:

    • Message

    • Reach

    • Frequency

Source: “Fighting Fraud with Words: Whistleblower Communication” – March 2006, ALGA



Role of the Audit Committee…

“A government audit committee should take an active role in the prevention, deterrence, and detection of fraud and encourage the government organization to establish an effective ethics and compliance program. The audit committee should constantly challenge management and the auditors to ensure that the organization has appropriate anti-fraud programs and controls in place to identify potential fraud. Also, the committee should take an interest in ensuring that appropriate action is taken against known perpetrators of fraud.”

Source: Fraud and the Responsibilities of the Government Audit Committee, AICPA, 2005



We know it works… But what are we doing about it?

Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse



Traditional Approach

  • Traditionally, fraud investigations have been reactive in nature.

    • Identified from a variety of sources.

    • Conducted after significant losses have been incurred.

  • In response, today’s management is developing strategic approaches to proactively identify material fraud within their organizations.

    • Forming tactical teams of forensic accountants and investigators.

    • Investing in resources to address fraud before it occurs.



Caution

  • Government auditors are expected to have sufficient knowledge to identify the indicators of fraud but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.



Prevention First

  • Educate your employees

  • Implement strong controls

  • Explain consequences

  • Have a clearly written policy

  • Make the employees sign the policy

  • Let them know you’re monitoring – Speaking of monitoring…



Financial Processes’ Reliance on Information Technology

  • The majority of your organization’s financial data is in the hands of your IT department.

  • You are reliant on the confidentiality, integrity and availability of the enterprise’s infrastructure.

  • Is your IT department integrated into your anti-fraud internal control structure?

  • Let us look at how we can leverage the internationally accepted Control Objectives for Information and related Technology (CobiT) framework to integrate anti-fraud preventive and detective controls throughout the enterprise.



CobiT Framework

Let’s talk about fraud prevention



CobIT - Delivery and Support Domain

  • DS-2 Manage Third Party Services

  • DS-3 Performance and Capacity

  • DS-5 Ensure System Security

  • DS-9 Manage the configuration of IT systems

  • DS-10 Manage Problems and Incidents

  • DS-11 Manage Data

IT assurance testing using the CobiT Confidentiality, Availability and Integrity guidelines can assist in determining your organization’s level of compliance (legal, civil, business).



Cobit Security Baseline and Fraud

The CobiT Security Baseline objectives are organized into 39 essential steps:

  • 1: Based on a business impact analysis (BIA) for critical business processes, identify data that must not be misused or lost, services that need to be available and transactions that must be trusted. The business must consider the security requirements for:

    • Who may access and modify data.

    • What data retention and backup are needed.

    • What availability is required.

    • What authorization and verification are needed for electronic transactions.

  • 2: Define specific responsibilities for the management of security and ensure that they are assigned, communicated and properly understood. Be aware of the dangers of delegating too many security roles and responsibilities to one person. Provide the resources required to exercise responsibilities effectively.

  • 3: Consistently communicate and regularly discuss the basic rules for implementing security requirements and responding to security incidents. Establish minimum dos and don’ts, and regularly remind people of security risks and their personal responsibilities.

  • 4: When hiring, verify with reference checks.

  • 5: Obtain the skills needed to support the enterprise security requirements through hiring or training. Verify annually whether skills are up-to-date.



Cobit Security Baseline and Fraud

  • 6: Ensure that no key security task is critically dependent on a single resource.

  • 7: Identify what, if anything, needs to be done with respect to security obligations to comply with privacy, intellectual property rights and other legal, regulatory, contractual and insurance requirements.

  • 8: Discuss with key staff what can go wrong with IT security that could significantly impact the business objectives. Consider how best to secure services, data and transactions that are critical for the success of the business.

  • 9: Establish staff understanding of the need for responsiveness and consider cost-effective means to manage the identified security risks through security practices and insurance coverage.

  • 10: Consider how automated solutions may introduce security risks. Ensure that the solution is functional and that operational security requirements are specified and compatible with current systems. Obtain comfort regarding the trustworthiness of the solution through references, external advice, contractual arrangements, etc.

  • 11: Ensure that the technology infrastructure properly supports automated security practices.

  • 12: Consider what additional security requirements are needed to protect the technology infrastructure itself.



Cobit Security Baseline and Fraud

  • 13: Identify and monitor sources for keeping up-to-date with security patches and implement those appropriate for the enterprise infrastructure.

  • 14: Ensure that staff knows how to implement security in day-to-day procedures.

  • 15: Test the system, or major changes, against functional and operational security requirements in a representative environment so the results are reliable. Consider testing how the security functions integrate with existing systems.

  • 16: Perform final security acceptance by evaluating all test results against business goals and security requirements involving key staff.

  • 17: Evaluate all changes, including patches, to establish the impact on the integrity, exposure or loss of sensitive data, availability of critical services and validity of important transactions. Based on this impact, perform adequate tests prior to making the change.

  • 18: Record and authorize all changes, including patches (possibly emergency changes after the fact).

  • 19: Ensure that management establishes security requirements and regularly reviews compliance of internal service-level agreements and contracts with third-party service providers.



Cobit Security Baseline and Fraud

  • 20: Ensure that third parties provide an adequate contact with the authority to act on security requirements and concerns.

  • 21: Consider the dependence on third-party suppliers for security requirements, and mitigate continuity, confidentiality and intellectual property risk.

  • 22: Identify critical business functions and information, and those resources (e.g., applications, third-party services, supplies and data files) that are critical to support them. Provide for the availability of these resources in the event of a security incident to maintain continuous service. Ensure that significant incidents are identified and resolved in a timely manner.

  • 23: Establish basic principles for safeguarding and reconstructing IT services, including alternative processing procedures, how to obtain supplies and services in an emergency, how to return to normal processing after the security incident and how to communicate with customers and suppliers.

  • 24: Together with key employees, define what needs to be backed up and stored off-site to support recovery of the business (e.g., critical data files, documentation and other IT resources), and secure it appropriately. At regular intervals, ensure that the backup resources are usable and complete.



Cobit Security Baseline and Fraud

  • 25: Implement rules to control access to services based on the individual’s need to view, add, change or delete information and transactions. Especially, consider access rights of service providers, suppliers and customers.

  • 26: Ensure that responsibility is allocated to manage all user accounts and security tokens to control devices, tokens and media with financial value. Periodically review the actions and authority of those who manage user accounts. Ensure that these responsibilities are not assigned to the same person.

  • 27: Detect and log important security violations. Ensure that they are reported immediately and acted upon in a timely manner.

  • 28: To ensure that counterparties can be trusted and transactions are authentic when using electronic transaction systems, ensure that the security instructions are adequate and compliant with contractual obligations.

  • 29: Enforce the use of virus-protection software throughout the enterprise’s infrastructure and maintain up-to-date virus definitions. Use only legal software.

  • 30: Define policy for what information can come into and go out of the organization, and configure the network security systems (e.g., firewall), accordingly. Consider how to protect physically transportable storage devices. Monitor exceptions and follow up on significant incidents.



Cobit Security Baseline and Fraud

  • 31: Ensure that there is a regularly updated and complete inventory of the IT hardware and software configuration.

  • 32: Regularly review whether all installed software is authorized and properly licensed.

  • 33: Subject data to a variety of controls to check integrity (accuracy, completeness and validity) during input, processing, storage and distribution. Control transactions to ensure that they cannot be repudiated.

  • 34: Distribute sensitive output only to authorized people.

  • 35: Define retention periods, archival requirements and storage terms for input and output documents, data and software. Ensure that they comply with user and legal requirements. While in storage, check continuing integrity and ensure that data cannot be retrieved.

  • 36: Physically secure the IT facilities and assets, especially those most at risk to a security threat, and if applicable, obtain expert advice.



Cobit Security Baseline and Fraud

  • 37: Protect computer networking and storage equipment (particularly mobile equipment) from damage, theft, accidental loss and interception.

  • 38: Have key staff periodically:

    • Assess adequacy of security controls against defined requirements and vulnerabilities.

    • Reassess what security exceptions need to be monitored on an ongoing basis.

    • Evaluate how well the security mechanisms are operating; check for weaknesses through intrusion detection, penetration and stress testing, and test contingency plans.

    • Ensure that exceptions are acted upon.

    • Monitor compliance to key controls.

  • 39: Obtain, where needed, competent external resources to review the information security control mechanisms. Assess compliance with laws, regulations and contractual obligations relative to information security. Leverage their knowledge and experience for internal use.



Test Case 1- Vendor Master Table

  • Vendor master table integrity testing can include the following:

    • Detection of the following:

      • Duplicate vendors

      • Employee or related parties listed as vendors

    • Exception reporting for approved or convicted/debarred vendors per Section 287.133, Florida Statute



Test Case 1a – Duplicate Vendor Numbers

Easy identification of duplicate vendor numbers



Test Case 1b – Duplicate Vendor Addresses

Easy identification of duplicate vendor addresses



Test Case 1c – Employee or related parties listed as vendors

Easy identification of employee and vendor address matching



Test Case 1c – Employee or related parties listed as vendors

Easy identification of vendor FEI number and employee SSN matching



Test Case 1d – Employee or related parties listed as vendors

Easy identification of employee beneficiary and vendor phone matching



Test Case 1e – Using debarred vendors

Easy identification of debarred vendors with active status
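As an added example (not code from the presentation or its authors), the vendor-master tests in Test Cases 1b through 1e run in Python over a constructed flat-file extract; the column names, the sample vendor and employee records and the address-normalization rules are assumptions.

```python
"""Vendor master integrity tests (Test Case 1) on a constructed flat-file extract.

Added example, not part of the original presentation. The vendor and employee
records below are constructed sample data; the column names are assumptions.
Every hit is a red flag to review, not a finding of fraud.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample extracts in the shape of a flat-file export.
VENDORS_CSV = """vendor_no,name,address,fein,phone,status,debarred
1001,Acme Supply,100 Main St,59-1234567,321-555-0100,active,N
1002,ACME SUPPLY INC.,100 MAIN STREET,59-1234567,(321) 555-0100,active,N
1003,Beach Consulting,42 Palm Ave,123-45-6789,321-555-0199,active,N
1004,Coastal Paving,9 Harbor Rd,65-7654321,321-555-0142,active,Y
1005,Delta Forms,7 Pine Ct,65-1111111,321-555-0177,inactive,Y
"""
EMPLOYEES_CSV = """emp_id,name,ssn,address,phone
E1,Jane Doe,123-45-6789,42 Palm Avenue,321-555-0188
E2,Sam Roe,987-65-4321,5 Oak Ln,321-555-0142
"""

ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "court": "ct", "lane": "ln"}

def norm_address(addr):
    """Lower-case, abbreviate street words and strip punctuation so that
    '100 MAIN STREET' and '100 Main St' compare equal."""
    words = re.sub(r"[^\w\s]", "", addr.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def digits(s):
    """Keep only digits so formatting differences in phone/ID numbers vanish."""
    return re.sub(r"\D", "", s)

def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def duplicate_groups(vendors, key_fn):
    """Group vendor numbers that share a normalised key (Test Case 1b)."""
    groups = defaultdict(list)
    for v in vendors:
        groups[key_fn(v)].append(v["vendor_no"])
    return {k: nos for k, nos in groups.items() if len(nos) > 1}

def employee_vendor_matches(vendors, employees):
    """Flag vendors whose address, FEIN-vs-SSN or phone matches an employee
    (Test Cases 1c/1d). Returns (vendor_no, emp_id, matched_field) tuples."""
    by_addr = {norm_address(e["address"]): e["emp_id"] for e in employees}
    by_ssn = {digits(e["ssn"]): e["emp_id"] for e in employees}
    by_phone = {digits(e["phone"]): e["emp_id"] for e in employees}
    hits = []
    for v in vendors:
        for field, index, key in (("address", by_addr, norm_address(v["address"])),
                                  ("fein_ssn", by_ssn, digits(v["fein"])),
                                  ("phone", by_phone, digits(v["phone"]))):
            if key in index:
                hits.append((v["vendor_no"], index[key], field))
    return hits

def active_debarred(vendors):
    """Debarred vendors that are still active in the master (Test Case 1e)."""
    return [v["vendor_no"] for v in vendors
            if v["debarred"] == "Y" and v["status"] == "active"]

def run_vendor_master_tests():
    vendors, employees = load(VENDORS_CSV), load(EMPLOYEES_CSV)
    return {
        "dup_address": duplicate_groups(vendors, lambda v: norm_address(v["address"])),
        "dup_fein": duplicate_groups(vendors, lambda v: digits(v["fein"])),
        "emp_vendor": employee_vendor_matches(vendors, employees),
        "active_debarred": active_debarred(vendors),
    }

if __name__ == "__main__":
    for test, result in run_vendor_master_tests().items():
        print(test, result)
```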



Test Case 2 - Vendor Invoice and Payment

  • Vendor invoice and payment integrity testing:

    • Duplicate invoices

    • Duplicate payments

    • Non-standard payments

      • No match to approved vendor values

      • Exceed PO value



Test Case 2a – Duplicate Vendor Invoice

Easy identification of duplicate invoices with detailed drill down



Test Case 2b – Duplicate Vendor Payments

Although the invoice may be different, we can identify duplicate payments with detailed drill down



Test Case 2c – Payments Not Matched to the Vendor Table

In this case we can detect manual AP check print overrides and manipulation of PO tables to make payments to unapproved vendors



Test Case 2d – Paid Invoice Exceeds PO Value

Provides identification of issues related to unauthorized payments in excess of PO values
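The four Test Case 2 checks, as an added Python example that is not part of the original presentation; the PO table, vendor-master keys, payment records and the 30-day duplicate-payment window are constructed assumptions.

```python
"""Vendor invoice and payment integrity tests (Test Case 2) on constructed data.

Added example, not part of the original presentation; column names and the
sample records are assumptions. Hits are leads for drill-down, not proof.
"""
import csv
import io
from collections import defaultdict
from datetime import date

APPROVED_VENDORS = {"1001", "1003", "1004"}   # constructed vendor master keys

PURCHASE_ORDERS = {"PO-77": 5000.00, "PO-78": 1200.00, "PO-79": 800.00}  # PO values

PAYMENTS_CSV = """check_no,vendor_no,invoice_no,po_no,amount,pay_date
C1,1001,INV-100,PO-77,2500.00,2024-03-01
C2,1001,INV-100,PO-77,2500.00,2024-03-15
C3,1003,INV-200,PO-78,1200.00,2024-03-03
C4,1003,INV-200A,PO-78,1200.00,2024-03-10
C5,9999,INV-300,PO-79,750.00,2024-03-04
C6,1004,INV-400,PO-79,950.00,2024-03-06
"""

def load_payments(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["amount"] = float(r["amount"])
        r["pay_date"] = date.fromisoformat(r["pay_date"])
    return rows

def duplicate_invoices(payments):
    """Test Case 2a: the same vendor + invoice number paid more than once."""
    seen = defaultdict(list)
    for p in payments:
        seen[(p["vendor_no"], p["invoice_no"])].append(p["check_no"])
    return {k: v for k, v in seen.items() if len(v) > 1}

def duplicate_payments(payments, window_days=30):
    """Test Case 2b: same vendor and amount paid within the window under
    different invoice numbers (the 'INV-200' / 'INV-200A' resubmission)."""
    hits = []
    for i, a in enumerate(payments):
        for b in payments[i + 1:]:
            if (a["vendor_no"] == b["vendor_no"] and a["amount"] == b["amount"]
                    and a["invoice_no"] != b["invoice_no"]
                    and abs((a["pay_date"] - b["pay_date"]).days) <= window_days):
                hits.append((a["check_no"], b["check_no"]))
    return hits

def unmatched_vendor_payments(payments, approved):
    """Test Case 2c: checks cut to a vendor number absent from the vendor master,
    the trace a manual check-print override or PO-table edit leaves behind."""
    return [p["check_no"] for p in payments if p["vendor_no"] not in approved]

def invoices_exceeding_po(payments, purchase_orders):
    """Test Case 2d: cumulative paid amount per PO that exceeds the PO value;
    returns the overpayment per PO."""
    paid = defaultdict(float)
    for p in payments:
        paid[p["po_no"]] += p["amount"]
    return {po: round(paid[po] - val, 2) for po, val in purchase_orders.items()
            if paid[po] > val}

def run_payment_tests():
    payments = load_payments(PAYMENTS_CSV)
    return {
        "dup_invoices": duplicate_invoices(payments),
        "dup_payments": duplicate_payments(payments),
        "unmatched_vendor": unmatched_vendor_payments(payments, APPROVED_VENDORS),
        "over_po": invoices_exceeding_po(payments, PURCHASE_ORDERS),
    }

if __name__ == "__main__":
    for test, result in run_payment_tests().items():
        print(test, result)
```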



Test Case 3 – Proper Approval of Purchase

  • Proper approval of purchase types and values is recognized by most managers as important; however, monitoring approvals can be time consuming and tedious at best.

    • Obtain the flat file extract from TERMS and import into ACL

    • Stratify purchases by dollar value and extract for purchases at the specified approval thresholds and extract all those missing the required level of authorization (either by individual per department DOA trees or other authorization reference)



Test Case 3 – Proper Approval of Purchase

We can now review the PO documentation to investigate why the proper level of approval was not received
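Test Case 3 stratification and approval-exception extraction, as an added Python example (not the presenters' ACL script); the thresholds, the per-department delegation-of-authority (DOA) table and the purchase records are constructed assumptions standing in for the TERMS extract.

```python
"""Test Case 3: stratify purchases by value and find those missing the required
approval level. Added example, not part of the original presentation; the
thresholds, the DOA table and the purchase records are constructed assumptions."""
import csv
import io
from collections import Counter

# Constructed approval thresholds: (upper bound inclusive, required approver level)
THRESHOLDS = [(1000.00, 1), (10000.00, 2), (50000.00, 3), (float("inf"), 4)]

# Constructed delegation-of-authority tree: approver -> (department, level)
DOA = {
    "supervisor_a": ("Public Works", 1),
    "manager_a": ("Public Works", 2),
    "director_a": ("Public Works", 3),
    "manager_b": ("Utilities", 2),
    "county_admin": ("*", 4),          # '*' = authority across all departments
}

# Constructed purchase extract; PO-6 has no approver recorded at all.
PURCHASES_CSV = """po_no,department,amount,approver
PO-1,Public Works,450.00,supervisor_a
PO-2,Public Works,4500.00,supervisor_a
PO-3,Public Works,25000.00,director_a
PO-4,Utilities,9800.00,manager_a
PO-5,Utilities,75000.00,county_admin
PO-6,Public Works,9999.99,
"""

def required_level(amount):
    """Stratum of the purchase: the first threshold band that contains it."""
    for upper, level in THRESHOLDS:
        if amount <= upper:
            return level
    raise ValueError("amount outside all strata")

def stratify(purchases):
    """Count purchases per required approval level (the stratification step)."""
    return Counter(required_level(p["amount"]) for p in purchases)

def approval_exceptions(purchases, doa):
    """Return (po_no, reason) for purchases whose approver is missing, is outside
    the department's DOA tree, or holds a lower level than the amount requires."""
    exceptions = []
    for p in purchases:
        need = required_level(p["amount"])
        approver = p["approver"]
        if not approver:
            exceptions.append((p["po_no"], "no approver recorded"))
            continue
        dept, level = doa.get(approver, (None, 0))
        if dept is None:
            exceptions.append((p["po_no"], "approver not in DOA tree"))
        elif dept not in ("*", p["department"]):
            exceptions.append((p["po_no"], "approver authorized for another department"))
        elif level < need:
            exceptions.append((p["po_no"], f"level {level} approved, level {need} required"))
    return exceptions

def load_purchases(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["amount"] = float(r["amount"])
    return rows

def run_approval_test():
    purchases = load_purchases(PURCHASES_CSV)
    return stratify(purchases), approval_exceptions(purchases, DOA)

if __name__ == "__main__":
    strata, exceptions = run_approval_test()
    print("purchases per required level:", dict(strata))
    for po, reason in exceptions:
        print(po, "->", reason)
```

The exception list is the set of PO files to pull for the documentation review described on the slide.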



Summary

  • Fraud happens throughout our organizations – regardless of industry, size and culture

  • The greater the skill and education, the greater the losses

  • Management must be proactively engaged in fraud preventive and detective controls

  • Ethics programs are a key component of effective internal controls

  • If the workforce and vendors know they are being monitored, the occurrence of fraud is generally lower



Questions? Comments?

Progress Through Sharing…



Jeff Roth, CISA

Director

RSM McGladrey Inc.

7351 Office Park Place

Melbourne, FL 32940

Tel: (321) 751-6200

Fax: (321) 751-1385


Yvonne M. Clayborne, CPA

Director

RSM McGladrey Inc.

7351 Office Park Place

Melbourne, FL 32940

Tel: (321) 751-6200

Fax: (321) 751-1385


