1 / 119

Fraud - A Risk for Your Organization

Fraud - A Risk for Your Organization. Florida Court Clerks and Comptrollers Annual Conference June 12, 2013 Sam M. McCall, PhD, CPA, CGFM, CIA, CGAP, Chief Audit Officer Florida State University. Session Outline. Public Expectations for Public Officials Internal Control and Risk

audi
Download Presentation

Fraud - A Risk for Your Organization

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Fraud - A Risk for Your Organization Florida Court Clerks and Comptrollers Annual Conference June 12, 2013 Sam M. McCall, PhD, CPA, CGFM, CIA, CGAP, Chief Audit Officer Florida State University

  2. Session Outline • Public Expectations for Public Officials • Internal Control and Risk • The Elements of Internal Control • Weaknesses in Internal Control can Result in Fraud and Illegal Acts • Case Studies • Reviewing Internal Control and Identifying Fraud, Illegal Acts, and Abuse • Summary and Wrap Up

  3. Public Expectations for Public Officials • High ethical and moral behaviors • Public employees will conduct business within policy and procedures • Public resources will not be wasted, abused, lost or stolen • Yellow Book – management should conduct operations • Economically • Efficiently • Effectively • Ethically • Equitably

  4. Terms of Importance • Misfeasance • Malfeasance • Nonfeasance • Abuse • Fraud • Internal controls

  5. What Is Misfeasance? • A misdeed or trespass • The improper or wrongful performance of some act that a person may lawfully do

  6. What Is Malfeasance? • Ill conduct, evil doing • The commission of an act that is unlawful • Comprehensive term including any wrongful conduct that interferes with the performance of official duties • The doing of an act that a person should not do at all

  7. What is Nonfeasance? • Nonperformance of an act that a person is obligated or has a responsibility to perform • Not doing what you should do • Total neglect of duty

  8. What Is Abuse? • Improper or inappropriate program management • Misuse of authority or position • Everything that is contrary to good order • Can be intentional or unintentional • Does not have to violate a law, regulation, or contract provision

  9. What Is Fraud? • A false representation of a matter of fact • Concealing that which should be disclosed – deceiving to cause legal injury • Intentional perversion of the truth • To deceive another such that they rely on the false representation and surrender a valuable thing or a legal right

  10. Components of Internal Control • Control Environment • Risk Assessment • Control Activities • Information & Communication • Monitoring

  11. Who is Responsible for Internal Control? Management!! Not the Auditor!!

  12. Components of Internal Control – Control Environment • The building block for all other components: • Integrity & ethical values • Commitment to competence • Independent audit committee • Management philosophy & operating style • Organizational structure • Assignment of authority & responsibility • Human resource policy & practices

  13. Components of Internal Control – Risk Assessment • Segmenting department into organizational components • Analyze general control environment • Analyze inherent risk • Develop appropriate control activities

  14. Annual Audit Plan Risk Assessment Criteria • Program Fiscal Impact 20 • Strength of Management 20 • Sensitivity and Public Relations 15 • Risk of Loss, Noncompliance, Corruption or Fraud 10 • Complexity of Activity 20 • Risk to Public Welfare 15 100

  15. Risk • Risk are essentially the opposite of control objectives • If the objective is to safeguard assets, the risk is that assets will be lost or stolen. • Therefore, without knowing the risk, one cannot decide on the appropriate control activities • Conduct brainstorming sessions to identify risk and potential areas for fraud

  16. Risk – Questions to Consider • Chance of Occurrence - How likely is it to go wrong? (High, Medium, Low) • Impact of Occurrence - What will happen if it goes wrong (assets lost, clients not served, noncompliance with law, damage to the reputation of the government, etc.) (High, Medium, Low) • Assessment of Risk (High, Medium, Low)

  17. Components of Internal Control – Control Activities • Link to objectives • Accountability for resources • Direct activity management • Top level reviews • Segregation of duties • Physical controls • Execution & recording of transactions & events

  18. Components of Internal Control – Information and Communication • Information – Reports • Communication – Dissemination of Reports

  19. Components of Internal Control - Monitoring • Ongoing monitoring • Separate evaluations • Reporting deficiencies

  20. Internal control • The plan of organization and policies and procedures established by management to accomplish organization goals and objectives • No individual person should have access to assets and also maintain summary accounting records relating to those assets – no one should control all phases of a transaction • There should be periodic comparison of assets of record (recorded accountability) to physical existence • In instances where cost of control exceeds resources, there should be mitigating controls

  21. Who Commits Fraud? • Married • Between 18 and 36 • Has 2 children • Owns a home • Does not have a drug or alcohol problem • Does not recognize harm to victims • Bright • Strong sense of challenge and game playing • Versed in technology and skillful • Has a position of trust

  22. Reporting Fraud – Employees Do It Best Tip from employee Accidental discovery Internal Audit Internal controls External audit Tip from customer Anonymous tip Tip from Vendor Notification from law enforcement

  23. Who Has the Responsibility for Detecting/Reporting Fraud? • Management • Employees • External Auditors • Internal Auditors • Government Vendors • Public

  24. ManagementResponsibilities • Adopt and implement internal control policies • Establish a control environment • Assess and analyze risks • Establish control activities to address risks • Develop information and reporting systems • Monitoring activities • Understand and communicate your organizations ethics policies

  25. Management Responsibilities Relating to Audits • Help in the identification of areas susceptible to fraud and abuse • Address audit findings & recommendations and maintain a process to track their status • Follow sound procurement processes when contracting for audits or attestation engagements

  26. EmployeeResponsibilities • Be aware of where fraud can occur • Look for irregularities • Report suspicious activities (don’t assume others know) • Conduct work in an ethical manner and perform work in accordance with policies and procedures

  27. External Auditors - Responsibilities • Examine the government’s financial statements and express an overall opinion • Design the audit to detect fraud that is material to the financial statements • Conduct fraud brainstorming sessions and be alert to possible fraud as it relates to the financial statements • Review internal controls over financial reporting

  28. Government Internal AuditorResponsibilities • Review department, division, unit and/or program internal controls • Review transactions for possible waste, fraud and abuse • Design the audit such that fraud significant to the audit objectives will be detected • If abuse come to the auditors attention, follow up on that abuse to determine if its presence is significant to the audit objectives

  29. Vendors Responsibilities • Be aware of how and where fraud can occur in their operations • Look for irregularities • Report suspicious activities (don’t assume others know)

  30. Public Responsibilities • Report suspicious transactions or behaviors

  31. Approach to Detecting Fraud • Exercise professional judgment • Exercise professional skepticism • Balance between a questioning mind and doubting everyone • Critical assessment of evidence

  32. Management Red Flags • Reluctance to provide information when requested • High employee turnover in high risk areas • Lack of segregation of duties in a high risk area • Excessive number of checking accounts • Increase in purchase of inventory but no increase in productivity • Abnormal inventory shrinkage • Lack of physical security over assets • Payments to vendors not on approved vendor list

  33. Employee Red Flags • Employee lifestyle changes (expensive cars, jewelry, homes, etc.) • Behavior changes (drug, alcohol, gambling) • Reluctance to provide information when requested • Refusal to take vacation or sick leave • Excessive purchasing of supplies • Inappropriate overtime hours

  34. How to Improve Your Chance of Detecting Fraud? • Assume anyone can commit fraud • Good documentation does not mean something happened – only that someone said it happened • Pay attention to detail (numbers, dates, amounts, alterations, reasonableness, etc.) • Pay attention to hints or rumors of wrong doing • Look for patterns or unusual transactions

  35. Potential Red Flags • Erased or crossed out figures • Inconsistent inks and typefaces • Unusual dates, amounts, notes, phone numbers and calculations • Consecutively numbered invoices • Excessive voids or refunds • Invoices in large even sums • Multiple invoices to the same vendor just under $10,000

  36. Potential Red Flags(Continued) • Invoices printed on other than prepared forms • Vendor address change • Unusual number of payments to one payee • Inadequate description of item purchased • Delay in responding to request for documentation • Stale invoice dates

  37. Weaknesses in Internal Controls relating to: Control Environment Risk Assessment Control Activities Information and Communication Monitoring The Fraud Triangle Incentive (Pressure) Opportunity Rationalization What Conditions Make Fraud Easier

  38. Fraud Triangle Pressure such as a financial need, is the “motive” for committing the fraud. Pressure includes living beyond ones means or family and relationship situations. Rationalization The person committing the fraud frequently rationalizes the fraud. Rationalizations may include, “I’ll pay the money back”, “They will never miss the funds”, or, “I will just do this just one time” or “They don’t pay me enough.” Opportunity The person committing the fraud sees an internal control weakness and, believing no one will notice if funds are taken, begins the fraud with a small amount of money. If no one notices, the amount will usually grow larger. In any organization, the risk of fraud can be reduced. Internal control procedures can particularly diminish the “opportunity” point of the Fraud Triangle. * Of the above three, the one that management can control is “_________”

  39. Case Study OneAuditor General Report on Okaloosa County Board of County Commission Oversight of the Tourist Development Council and the Use of Tourist Development Taxes and Funds Received from British Petroleum Report No. 2013-085 January 2013

  40. Weaknesses in Internal Controls • Organizational Oversight • Fraud Controls and Control Risk Assessments • Procurement of Goods and Services • Travel • Special Events Grants and Sponsorships • Allowable Use of Restricted Resources • Motor Vehicles • Accounting Controls • Electronic Funds Transfers • Information Technology Controls • Public Records

  41. Background • In May 2012, the Auditor General received a request to conduct and audit of the Tourist Development Council and the Board of County Commissioners use of tourist development taxes and funds received from BP. • For the two year period 5-31-10 to 5-31-2012, revenues totaled $36.4 million.

  42. Organizational Oversight and Budget Monitoring • The BCC, TDC, and CCC did not exercise sufficient control over funds received and invoices processed did not demonstrate or document the public purpose served • Budgets were not adopted at the level of their restriction • Spreadsheets prepared were not used to reject invoices when sufficient funds were not available at the ordinance restricted level.

  43. Monitoring • The TDC acted in an action oriented manner rather than in an advisory role. As a result they authorized expenditures without BCC approval. • The TDC did not continuously review expenditures or regularly receive summary or detailed reports of expenditures. • Conflicts of interest were present as purchases were made with companies that had ties with BCC members, a TDC member, and a TDC subcommittee member. • Risk assessments were not performed by the BCC to identify the potential for fraud

  44. Support for Invoices • Purchases were made without obtaining written quotations • There was failure to document the selection process for two advertising and marketing firms • Contracts with marketing firms did not required them to competitively procure goods and services. • Contracted marketing firms were not required to submit invoices, including invoices from third parties in sufficient detail to allow for adequate preaudit to ensure goods were actually received and the correct amounts charged. The firms were paid $12.1 million without adequate review or oversight

  45. Support for Invoices • A payment for promotion and advertising services had been misappropriated for the purchase of a house by the TDC Executive director. • The county paid $747,000 from the BP grant on an advertising and marketing invoice as “Boast the Coast National Television Campaign and Promotion.” • After payment was made to the firm, the TDC Director instructed the firm to wire the monies to a designated bank account. The monies were then used to by the ED for the purchase of the house titled to a revocable trust for him and his wife.

  46. Example Purchases • $155,400 paid to vendors and invoices inadequately described the goods or services purchased • $48,000 described as “prize for 2010-2011 Internet/viral video contest.” Actually purchased a Porsche titled to the former TDC Executive Director • $47,000 described as “convention center marketing expenses” included $19,620 for a County Christmas Party, A TDC holiday party, and a harbor cruise for employees and $5000 donated to a charity. • $31,400 identified as “Harbor Walk/Destin Advertising” was actually for furniture for the TDC office including $6,250 in furniture located at the former TDC Executive Director’s home • Had the BCC or CCC required adequate documentation, the payments may have been denied.

  47. Competitive Procurement • The County purchased a yacht for $710,000 without evidence of formal bids. • Three vehicles were purchased for a total amount of $129,808 without evidence of written quotes • 508 beach towels purchased for $8,832 without written quotes • Over $12 million was expended through outside firms and those firms were not required to competitively procure goods and services or follow County purchasing policies and procedures. Results in limited assurance that costs were reasonable.

More Related