Audit Red Flags & Public-Sector Fraud

Yvonne M. Clayborne, CPA

Jeff Roth, CISA

The Fraud Triangle

Opportunity: inadequate or no
  • Supervision & review
  • Segregation of duties
  • Management approval
  • System controls

Pressure
  • Unrealistic deadlines
  • Unrealistic performance goals
  • Personal vices

Integrity (a.k.a. Rationalization): reconciling behavior with commonly accepted notions of decency & trust.

The Nature of the Industry…
  • Fraud can be explained by three factors:
    • A supply of motivated offenders
    • The availability of suitable targets
    • The absence of capable guardians or a control system to “mind the store”
  • The opportunity to commit & conceal fraud is the only element over which the local government has significant control.
  • What are some of the warning signs?
  • What can we do about it?

Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York

No free lunch...
  • Business fraud and abuse in the U.S. cost about $650 billion a year.
    • Government agencies lose an average of $45,000 per fraud scheme
    • Average organization loses 5% of revenue or $8 a day per employee
  • Street crime only costs the U.S. $4 billion annually.
ACFE Report to the Nation on Occupational Fraud & Abuse

Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse

Famous last words:

“It won’t happen here. We’re careful who we hire.”

Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse

Famous last words:

“But he’s in charge. He had no motive.”

[Chart omitted] Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse


Famous last words:

“NO WAY it was Mike. He’s over 60 now.”

Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse


Famous last words:

“Sandra wouldn’t have done that. She’s a mom.”

Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse


Famous last words:

“It would never happen in our department.”

What’s the cost?…
  • Economic costs:
    • Tangible & measurable
    • Insurable in some cases
    • Provides basis for prosecution and/or litigation
  • Political costs:
    • Loss of integrity
    • Diminished public confidence
    • Can’t be measured, difficult to recover
What are the Warning Signs?

A red flag is a set of circumstances that are unusual in nature or vary from the normal activity. It is a signal that something is out of the ordinary and may need to be investigated further. Red flags do not indicate guilt or innocence but merely provide possible warning signs of fraud.

Being able to recognize red flags is necessary not only for public accountants but also for anyone working in the public sector where the potential for fraud to occur exists.

Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York

Just keep in mind…

Do not ignore a red flag – Studies of fraud cases consistently show that red flags were present, but were either not recognized or were recognized but not acted upon by anyone.

Sometimes an error is just an error – Red flags should lead to some kind of appropriate action, i.e. an investigation by a measured & responsible person, but sometimes an error is just an error and no fraud exists.

Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York

Employee Red Flags…

Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York

Management Red Flags…

Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York

Red flags in cash or accounts receivable…

Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York

Red flags in payroll…

Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York

Red flags in purchasing or inventory…

Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York

Profile of a fraud perpetrator…
  • Male.
  • Intelligent and in management.
  • Married and under some type of significant stress.
  • Risk takers and not afraid to fail.
  • Rule breakers.
  • Long-time, hard-working employees.

Source: “Fraud Perpetrator Profile: A Short Story” by Nick Brignola, CFE

Profile of an organization at risk…
  • Less than 100 employees.
  • Management ignores irregularities.
  • High turnover with low morale.
  • Staff lacks training.

* The education industry has experienced the lowest median losses.

Source: “Fraud Perpetrator Profile: A Short Story” by Nick Brignola, CFE

The Typical Environment in which Fraud Occurs
  • Trust is placed in employees
  • Employees have detailed knowledge of the accounting systems and their weaknesses
  • Management domination subverts normal internal controls
  • Management adds pressure to “make the numbers”
  • Expected moral behavior is not communicated to employees
  • Unduly liberal accounting practices
The Typical Environment in which Fraud Occurs
  • Ineffective or nonexistent internal auditing staff.
  • Lack of effective internal controls.
  • Poor accounting records.
  • Related party transactions.
  • Incomplete and out of date procedural documentation.
  • Management sets a bad example.
Government Agencies in the News
  • Construction Company Bills School $90,000 for Job it Did Not Get
  • Corruption in Paradise – This is Not Hawaii Five-O
  • Local Fraud: Timing is Everything
  • Former Commissioner Pleads Guilty to Stealing County Gasoline for Personal Use
  • Former Employee gets 10 years for Theft
  • Employee called Payroll Plan Foolproof
  • Missing Funds Could Top One Million
  • DA Asked to Find Out How $260,000 was lost at Tax Office
  • Sensitive Information Left in Recycle Bin
  • Councilman Embezzlement Case in Hands of FBI
  • 14 Indicted in Connection with Payroll Fraud
  • Ex-Illinois Gov. Ryan gets 6 1/2 years for graft
Fighting fraud with words…

“In the current era of “whistleblower” reform, fraud controls and hotlines have become a focus in the media and in the minds of citizens. Auditors in the public sector can enhance fraud detection through employee and vendor communications campaigns specifically designed with fraud prevention as the primary goal.”

Source: “Fighting Fraud with Words: Whistleblower Communication” – March 2006, ALGA

[Charts omitted, four slides] Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse

slide30
“Who knew who they were? There was no place for me to voice my concerns, either to the internal audit function or the audit committee. Remember, I was not in the accounting department. But even if I were, I think I would have known it would have been fruitless, because I would have had access to junior auditors who were simply not in the position to raise the flags that would have hurt their senior auditors and account executives.”

Sherron Watkins, Enron Corporation
Hotline help...

“An engaging message needs to reach the right person at the right time in order to influence that person to take action.”
  • Fraud losses are reduced by 58% when an effective hotline is in place
  • 47% of hotline calls happen overnight or on weekends
  • Communications that publicize the existence of the hotline should be used as an opportunity to promote ethical behavior as well
  • Components of communication strategy:
    • Message
    • Reach
    • Frequency

Source: “Fighting Fraud with Words: Whistleblower Communication” – March 2006, ALGA

Role of the Audit Committee…

“A government audit committee should take an active role in the prevention, deterrence, and detection of fraud and encourage the government organization to establish an effective ethics and compliance program. The audit committee should constantly challenge management and the auditors to ensure that the organization has appropriate anti-fraud programs and controls in place to identify potential fraud. Also, the committee should take an interest in ensuring that appropriate action is taken against known perpetrators of fraud.”

Source: Fraud and the Responsibilities of the Government Audit Committee, AICPA, 2005

We know it works… But what are we doing about it?

Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse

Traditional Approach
  • Traditionally, fraud investigations have been reactive in nature.
    • Identified from a variety of sources.
    • Conducted after significant losses have been incurred.
  • In response, today’s management is developing strategic approaches to proactively identify material fraud within their organizations.
    • Forming tactical teams of forensic accountants and investigators.
    • Investing in resources to address fraud before it occurs.
Caution
  • Government auditors are expected to have sufficient knowledge to identify the indicators of fraud but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
Prevention First
  • Educate your employees
  • Implement strong controls
  • Explain consequences
  • Have a clearly written policy
  • Make the employees sign the policy
  • Let them know you’re monitoring – Speaking of monitoring…
Financial Processes’ Reliance on Information Technology
  • The majority of your organization’s financial data is in the hands of your IT department.
  • You are reliant on the confidentiality, integrity and availability of the enterprise’s infrastructure.
  • Is your IT department integrated into your anti-fraud internal control structure?
  • Let us look at how we can leverage the internationally accepted Control Objectives for Information and related Technology (CobiT) framework to integrate anti-fraud preventive and detective controls throughout the enterprise.
CobiT Framework

Let’s talk about fraud prevention

CobiT - Delivery and Support Domain
  • DS-2 Manage Third Party Services
  • DS-3 Performance and Capacity
  • DS-5 Ensure System Security
  • DS-9 Manage the Configuration of IT Systems
  • DS-10 Manage Problems and Incidents
  • DS-11 Manage Data

IT assurance testing against the CobiT confidentiality, integrity and availability guidelines can help determine your organization’s level of compliance (legal, civil, business).

Cobit Security Baseline and Fraud

The CobiT Security Baseline objectives are organized into 39 essential steps:

  • 1: Based on a business impact analysis (BIA) for critical business processes, identify data that must not be misused or lost, services that need to be available and transactions that must be trusted. The business must consider the security requirements for:
    • Who may access and modify data.
    • What data retention and backup are needed.
    • What availability is required.
    • What authorization and verification are needed for electronic transactions.
  • 2: Define specific responsibilities for the management of security and ensure that they are assigned, communicated and properly understood. Be aware of the dangers of delegating too many security roles and responsibilities to one person. Provide the resources required to exercise responsibilities effectively.
  • 3: Consistently communicate and regularly discuss the basic rules for implementing security requirements and responding to security incidents. Establish minimum dos and don’ts, and regularly remind people of security risks and their personal responsibilities.
  • 4: When hiring, verify with reference checks.
  • 5: Obtain the skills needed to support the enterprise security requirements through hiring or training. Verify annually whether skills are up-to-date.
Cobit Security Baseline and Fraud
  • 6: Ensure that no key security task is critically dependent on a single resource.
  • 7: Identify what, if anything, needs to be done with respect to security obligations to comply with privacy, intellectual property rights and other legal, regulatory, contractual and insurance requirements.
  • 8: Discuss with key staff what can go wrong with IT security that could significantly impact the business objectives. Consider how best to secure services, data and transactions that are critical for the success of the business.
  • 9: Establish staff understanding of the need for responsiveness and consider cost-effective means to manage the identified security risks through security practices and insurance coverage.
  • 10: Consider how automated solutions may introduce security risks. Ensure that the solution is functional and that operational security requirements are specified and compatible with current systems. Obtain comfort regarding the trustworthiness of the solution through references, external advice, contractual arrangements, etc.
  • 11: Ensure that the technology infrastructure properly supports automated security practices.
  • 12: Consider what additional security requirements are needed to protect the technology infrastructure itself.
Cobit Security Baseline and Fraud
  • 13: Identify and monitor sources for keeping up-to-date with security patches and implement those appropriate for the enterprise infrastructure.
  • 14: Ensure that staff knows how to implement security in day-to-day procedures.
  • 15: Test the system, or major changes, against functional and operational security requirements in a representative environment so the results are reliable. Consider testing how the security functions integrate with existing systems.
  • 16: Perform final security acceptance by evaluating all test results against business goals and security requirements involving key staff.
  • 17: Evaluate all changes, including patches, to establish the impact on the integrity, exposure or loss of sensitive data, availability of critical services and validity of important transactions. Based on this impact, perform adequate tests prior to making the change.
  • 18: Record and authorize all changes, including patches (possibly emergency changes after the fact).
  • 19: Ensure that management establishes security requirements and regularly reviews compliance of internal service-level agreements and contracts with third-party service providers.
Cobit Security Baseline and Fraud
  • 20: Ensure that third parties provide an adequate contact with the authority to act on security requirements and concerns.
  • 21: Consider the dependence on third-party suppliers for security requirements, and mitigate continuity, confidentiality and intellectual property risk.
  • 22: Identify critical business functions and information, and those resources (e.g., applications, third-party services, supplies and data files) that are critical to support them. Provide for the availability of these resources in the event of a security incident to maintain continuous service. Ensure that significant incidents are identified and resolved in a timely manner.
  • 23: Establish basic principles for safeguarding and reconstructing IT services, including alternative processing procedures, how to obtain supplies and services in an emergency, how to return to normal processing after the security incident and how to communicate with customers and suppliers.
  • 24: Together with key employees, define what needs to be backed up and stored off-site to support recovery of the business (e.g., critical data files, documentation and other IT resources), and secure it appropriately. At regular intervals, ensure that the backup resources are usable and complete.
Cobit Security Baseline and Fraud
  • 25: Implement rules to control access to services based on the individual’s need to view, add, change or delete information and transactions. Especially, consider access rights of service providers, suppliers and customers.
  • 26: Ensure that responsibility is allocated to manage all user accounts and security tokens to control devices, tokens and media with financial value. Periodically review the actions and authority of those who manage user accounts. Ensure that these responsibilities are not assigned to the same person.
  • 27: Detect and log important security violations. Ensure that they are reported immediately and acted upon in a timely manner.
  • 28: To ensure that counterparties can be trusted and transactions are authentic when using electronic transaction systems, ensure that the security instructions are adequate and compliant with contractual obligations.
  • 29: Enforce the use of virus-protection software throughout the enterprise’s infrastructure and maintain up-to-date virus definitions. Use only legal software.
  • 30: Define policy for what information can come into and go out of the organization, and configure the network security systems (e.g., firewall), accordingly. Consider how to protect physically transportable storage devices. Monitor exceptions and follow up on significant incidents.
Cobit Security Baseline and Fraud
  • 31: Ensure that there is a regularly updated and complete inventory of the IT hardware and software configuration.
  • 32: Regularly review whether all installed software is authorized and properly licensed.
  • 33: Subject data to a variety of controls to check integrity (accuracy, completeness and validity) during input, processing, storage and distribution. Control transactions to ensure that they cannot be repudiated.
  • 34: Distribute sensitive output only to authorized people.
  • 35: Define retention periods, archival requirements and storage terms for input and output documents, data and software. Ensure that they comply with user and legal requirements. While in storage, check continuing integrity and ensure that data cannot be retrieved.
  • 36: Physically secure the IT facilities and assets, especially those most at risk to a security threat, and if applicable, obtain expert advice.
Cobit Security Baseline and Fraud
  • 37: Protect computer networking and storage equipment (particularly mobile equipment) from damage, theft, accidental loss and interception.
  • 38: Have key staff periodically:
    • Assess adequacy of security controls against defined requirements and vulnerabilities.
    • Reassess what security exceptions need to be monitored on an ongoing basis.
    • Evaluate how well the security mechanisms are operating. Check for weaknesses, such as intrusion detection, penetration and stress testing, and test contingency plans.
    • Ensure that exceptions are acted upon.
    • Monitor compliance to key controls.
  • 39: Obtain, where needed, competent external resources to review the information security control mechanisms. Assess compliance with laws, regulations and contractual obligations relative to information security. Leverage their knowledge and experience for internal use.
Test Case 1- Vendor Master Table
  • Vendor master table integrity testing can include the following:
    • Detection of the following:
      • Duplicate vendors
      • Employee or related parties listed as vendors
    • Exception reporting of vendors that appear on the convicted/debarred vendor list (Section 287.133, Florida Statutes) but still carry approved status
Test Case 1a – Duplicate Vendor Numbers: easy identification of duplicate vendor numbers.

Test Case 1b – Duplicate Vendor Addresses: easy identification of duplicate vendor addresses.

Test Case 1c – Employee or related parties listed as vendors: easy identification by matching employee and vendor addresses.

Test Case 1c – Employee or related parties listed as vendors: easy identification by matching employee SSNs against vendor FEI numbers.

Test Case 1d – Employee or related parties listed as vendors: easy identification by matching employee beneficiary phone numbers against vendor phone numbers.

Test Case 1e – Using debarred vendors: easy identification of debarred vendors with active status.

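The vendor master tests 1a through 1e above reduce to a handful of queries over normalized keys. The following is an added example, not the presenters' ACL scripts: it loads a constructed vendor master and employee extract (every vendor number, name, TIN, address and phone number here is hypothetical) into an in-memory SQLite database, normalizes addresses and identifiers so that formatting differences cannot hide a match, and runs each test. The DEBARRED_TINS set stands in for the convicted/debarred vendor list the slides reference; in practice it would be loaded from that list.

```python
import re
import sqlite3

# Constructed sample extracts (hypothetical data; not from any real vendor master).
VENDORS = [
    # (vendor_no, name, address, tin, phone, status)
    ("V1001", "Acme Paving Inc", "100 Main St., Suite 4", "59-1234567", "(321) 555-0100", "ACTIVE"),
    ("V1001", "Acme Paving Inc", "100 MAIN STREET STE 4", "59-1234567", "321-555-0100", "ACTIVE"),  # 1a: same number twice
    ("V1002", "Bright Office Supply", "22 Oak Ave", "59-7654321", "(321) 555-0122", "ACTIVE"),
    ("V1003", "B.O.S. LLC", "22 OAK AVENUE", "59-8888888", "(321) 555-0133", "ACTIVE"),  # 1b: same address as V1002
    ("V1004", "J Smith Consulting", "7 Pine Ct", "123-45-6789", "(321) 555-0144", "ACTIVE"),  # 1c: employee address and SSN
    ("V1005", "Coastal Cleaning", "9 Bay Rd", "59-3333333", "(321) 555-0155", "ACTIVE"),  # 1d: employee beneficiary phone
    ("V1006", "Harbor Builders", "1 Harbor Way", "59-4444444", "(321) 555-0166", "ACTIVE"),  # 1e: debarred, still active
    ("V1007", "Old Supplier", "5 Elm St", "59-5555555", "(321) 555-0177", "INACTIVE"),  # debarred but inactive: no finding
]
EMPLOYEES = [
    # (emp_id, name, ssn, home_address, beneficiary_phone)
    ("E10", "Jane Smith", "123-45-6789", "7 Pine Court", "(321) 555-0155"),
    ("E11", "Bob Lee", "987-65-4321", "14 Cedar Ln", "(321) 555-0199"),
]
# Stand-in for the convicted/debarred vendor list (s. 287.133, F.S.), keyed by TIN.
DEBARRED_TINS = {"59-4444444", "59-5555555"}

ABBREV = {"STREET": "ST", "AVENUE": "AVE", "COURT": "CT", "ROAD": "RD",
          "LANE": "LN", "DRIVE": "DR", "SUITE": "STE"}


def address_key(addr: str) -> str:
    """Normalize an address so 'St.' / 'STREET' / 'Suite' variants collide on one key."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", addr.upper()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)


def digits(value: str) -> str:
    """Keep digits only, so TIN/SSN/phone punctuation differences cannot hide a match."""
    return re.sub(r"\D", "", value)


def load(conn: sqlite3.Connection) -> None:
    """Create the two tables and store both the raw values and their normalized keys."""
    conn.executescript("""
        CREATE TABLE vendors(vendor_no, name, address, addr_key, tin, tin_key,
                             phone, phone_key, status);
        CREATE TABLE employees(emp_id, name, ssn_key, addr_key, benef_phone_key);
    """)
    conn.executemany(
        "INSERT INTO vendors VALUES (?,?,?,?,?,?,?,?,?)",
        [(no, name, addr, address_key(addr), tin, digits(tin), phone, digits(phone), status)
         for no, name, addr, tin, phone, status in VENDORS])
    conn.executemany(
        "INSERT INTO employees VALUES (?,?,?,?,?)",
        [(eid, name, digits(ssn), address_key(addr), digits(bphone))
         for eid, name, ssn, addr, bphone in EMPLOYEES])


def run_vendor_master_tests() -> dict:
    """Run tests 1a-1e and return the exception rows for each."""
    conn = sqlite3.connect(":memory:")
    load(conn)

    def q(sql, params=()):
        return conn.execute(sql, params).fetchall()

    debarred_keys = sorted(digits(t) for t in DEBARRED_TINS)
    marks = ",".join("?" * len(debarred_keys))
    return {
        # 1a: the same vendor number appears on more than one master record
        "1a_duplicate_vendor_numbers": q(
            "SELECT vendor_no, COUNT(*) FROM vendors GROUP BY vendor_no HAVING COUNT(*) > 1"),
        # 1b: different vendor numbers share one normalized address
        "1b_duplicate_addresses": q(
            "SELECT addr_key, COUNT(DISTINCT vendor_no) FROM vendors "
            "GROUP BY addr_key HAVING COUNT(DISTINCT vendor_no) > 1"),
        # 1c: vendor address equals an employee's home address
        "1c_employee_address_matches": q(
            "SELECT v.vendor_no, e.emp_id FROM vendors v JOIN employees e ON e.addr_key = v.addr_key"),
        # 1c: vendor FEI/TIN equals an employee's SSN
        "1c_ssn_matches_fein": q(
            "SELECT v.vendor_no, e.emp_id FROM vendors v JOIN employees e ON e.ssn_key = v.tin_key"),
        # 1d: vendor phone equals an employee's beneficiary phone
        "1d_beneficiary_phone_matches": q(
            "SELECT v.vendor_no, e.emp_id FROM vendors v JOIN employees e ON e.benef_phone_key = v.phone_key"),
        # 1e: a debarred vendor still carries ACTIVE status
        "1e_active_debarred": q(
            f"SELECT vendor_no FROM vendors WHERE status = 'ACTIVE' AND tin_key IN ({marks})",
            debarred_keys),
    }


if __name__ == "__main__":
    for test, rows in run_vendor_master_tests().items():
        print(test, rows)
```

Normalizing before comparing is the part that matters: a related-party vendor rarely uses the employee's address or phone number character for character, so raw equality joins miss exactly the cases the test exists to find. Every hit is an exception to be investigated, not a finding of fraud.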
Test Case 2 - Vendor Invoice and Payment
  • Vendor invoice and payment integrity testing:
    • Duplicate invoices
    • Duplicate payments
    • Non-standard payments
      • No match to approved vendor values
      • Exceed PO value
Test Case 2a – Duplicate Vendor Invoice

Easy identification of duplicate invoices with detailed drill down

Test Case 2c –Payments Not Matched to the Vendor Table

In this case we can detect manual AP check-print overrides and manipulation of PO tables used to make payments to unapproved vendors.

Test Case 2d – Paid Invoice Exceeds PO Value

Provides identification of unauthorized payments in excess of PO values.

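The invoice and payment tests 2a, 2c and 2d above, as an added example that is not the presenters' ACL work: it loads constructed AP extracts (hypothetical vendors, purchase orders, invoices and checks) into an in-memory SQLite database and runs one query per test. Duplicate invoices are detected two ways, on a normalized invoice number (so INV-0042 and "inv 42" collide) and on the same vendor, date and amount under a different number; unmatched payments cover both a payee that is not on the vendor master and a check whose payee name differs from the master record (the check-print override case); the PO test sums paid invoices per PO and flags any total above the PO value. The payee-name field on the payment extract is an assumption.

```python
import re
import sqlite3

# Constructed AP extracts (hypothetical vendors, invoices, POs and checks).
VENDORS = [  # (vendor_no, name, status)
    ("V1001", "Acme Paving Inc", "ACTIVE"),
    ("V1002", "Bright Office Supply", "ACTIVE"),
]
PURCHASE_ORDERS = [  # (po_no, vendor_no, po_value)
    ("PO-500", "V1001", 10000.00),
    ("PO-501", "V1002", 2000.00),
]
INVOICES = [  # (vendor_no, invoice_no, inv_date, amount, po_no)
    ("V1001", "INV-0042", "2023-03-01", 4000.00, "PO-500"),
    ("V1001", "inv 42", "2023-03-01", 4000.00, "PO-500"),    # 2a: same invoice, re-keyed
    ("V1001", "INV-0043", "2023-03-15", 7000.00, "PO-500"),  # 2d: pushes PO-500 past its value
    ("V1002", "A-17", "2023-02-10", 800.00, "PO-501"),
    ("V1002", "A-18", "2023-02-10", 800.00, "PO-501"),       # 2a: same vendor/date/amount, new number
]
PAYMENTS = [  # (check_no, vendor_no, payee_name, invoice_no, amount)
    ("C1", "V1001", "Acme Paving Inc", "INV-0042", 4000.00),
    ("C2", "V1001", "Acme Paving Inc", "inv 42", 4000.00),
    ("C3", "V1001", "Acme Paving Inc", "INV-0043", 7000.00),
    ("C4", "V1002", "Bright Office Supply", "A-17", 800.00),
    ("C5", "V1002", "B. Lee", "A-18", 800.00),  # 2c: payee overridden at check print
    ("C6", "V9999", "Cash", "", 250.00),        # 2c: vendor number not on the master
]


def invoice_key(invoice_no: str) -> str:
    """Strip punctuation, case and leading zeros so 'INV-0042' and 'inv 42' collide."""
    s = re.sub(r"[^A-Z0-9]", "", invoice_no.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", s)  # drop leading zeros of each digit run


def name_key(name: str) -> str:
    """Case- and punctuation-insensitive payee name."""
    return re.sub(r"[^A-Z0-9]", "", name.upper())


def load(conn: sqlite3.Connection) -> None:
    conn.executescript("""
        CREATE TABLE vendors(vendor_no, name_key, status);
        CREATE TABLE purchase_orders(po_no, vendor_no, po_value);
        CREATE TABLE invoices(vendor_no, invoice_no, inv_key, inv_date, amount, po_no);
        CREATE TABLE payments(check_no, vendor_no, payee_key, inv_key, amount);
    """)
    conn.executemany("INSERT INTO vendors VALUES (?,?,?)",
                     [(no, name_key(n), st) for no, n, st in VENDORS])
    conn.executemany("INSERT INTO purchase_orders VALUES (?,?,?)", PURCHASE_ORDERS)
    conn.executemany("INSERT INTO invoices VALUES (?,?,?,?,?,?)",
                     [(v, i, invoice_key(i), d, a, p) for v, i, d, a, p in INVOICES])
    conn.executemany("INSERT INTO payments VALUES (?,?,?,?,?)",
                     [(c, v, name_key(n), invoice_key(i), a) for c, v, n, i, a in PAYMENTS])


def run_invoice_payment_tests() -> dict:
    """Run tests 2a, 2c and 2d and return the exception rows for each."""
    conn = sqlite3.connect(":memory:")
    load(conn)

    def q(sql):
        return conn.execute(sql).fetchall()

    return {
        # 2a: the same normalized invoice number billed more than once by one vendor
        "2a_same_invoice_number": q(
            "SELECT vendor_no, inv_key, COUNT(*) FROM invoices "
            "GROUP BY vendor_no, inv_key HAVING COUNT(*) > 1"),
        # 2a: same vendor, date and amount under different invoice numbers
        "2a_same_vendor_date_amount": q(
            "SELECT vendor_no, inv_date, amount, COUNT(DISTINCT inv_key) FROM invoices "
            "GROUP BY vendor_no, inv_date, amount HAVING COUNT(DISTINCT inv_key) > 1"),
        # 2c: payee not on the master, not active, or printed under a different name
        "2c_payment_not_matched_to_vendor": q(
            "SELECT p.check_no, p.vendor_no FROM payments p "
            "LEFT JOIN vendors v ON v.vendor_no = p.vendor_no "
            "WHERE v.vendor_no IS NULL OR v.status <> 'ACTIVE' OR v.name_key <> p.payee_key "
            "ORDER BY p.check_no"),
        # 2d: paid invoices on a PO add up to more than the PO value
        "2d_paid_exceeds_po_value": q(
            "SELECT po.po_no, po.po_value, SUM(i.amount) FROM purchase_orders po "
            "JOIN invoices i ON i.po_no = po.po_no "
            "WHERE EXISTS (SELECT 1 FROM payments p "
            "              WHERE p.vendor_no = i.vendor_no AND p.inv_key = i.inv_key) "
            "GROUP BY po.po_no, po.po_value HAVING SUM(i.amount) > po.po_value"),
    }


if __name__ == "__main__":
    for test, rows in run_invoice_payment_tests().items():
        print(test, rows)
```

The PO test deliberately sums invoice amounts under an EXISTS check rather than joining payments directly: a re-keyed duplicate invoice has two payment rows, and a plain join would count the same dollars more than once.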
Test Case 3 – Proper Approval of Purchase
  • Most managers recognize that proper approval of purchase types and values is important; however, monitoring approvals is time-consuming and tedious at best.
    • Obtain the flat-file extract from TERMS and import it into ACL.
    • Stratify purchases by dollar value, extract the purchases at each specified approval threshold, and then extract all those missing the required level of authorization (per the individual department DOA trees or another authorization reference).
Test Case 3 – Proper Approval of Purchase

We can now review the PO documentation to investigate why the proper level of approval was not received.

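The stratify-and-extract procedure for Test Case 3, as an added example written in plain Python rather than ACL and not part of the original presentation. It uses a constructed PO extract (hypothetical PO numbers, departments, vendors and amounts standing in for the TERMS flat file) and constructed per-department delegation-of-authority (DOA) trees; the assumption is that the extract records which approval roles signed each PO. It stratifies purchases into dollar bands, then extracts every PO whose highest recorded approval falls below the role its department's DOA tree requires. It goes one step beyond the slide with a split-purchase check: a run of same-vendor, same-department POs inside a short window whose combined value would have required a higher approval than any one of them received on its own.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Approval roles ranked low to high; a higher role satisfies any lower requirement.
RANK = {"SUPERVISOR": 1, "DEPT_DIRECTOR": 2, "CFO": 3, "BOARD": 4}

# Constructed DOA trees: (lower bound, upper bound, required role) per band.
# Departments without their own tree fall back to DEFAULT.
DOA = {
    "DEFAULT": [(0, 5_000, "SUPERVISOR"), (5_000, 25_000, "DEPT_DIRECTOR"),
                (25_000, 100_000, "CFO"), (100_000, float("inf"), "BOARD")],
    "PUBLIC_WORKS": [(0, 2_500, "SUPERVISOR"), (2_500, 25_000, "DEPT_DIRECTOR"),
                     (25_000, 100_000, "CFO"), (100_000, float("inf"), "BOARD")],
}


@dataclass
class PurchaseOrder:
    po_no: str
    dept: str
    vendor_no: str
    amount: float
    po_date: date
    approvals: list  # roles recorded as approving the PO (assumed to be on the extract)


# Constructed PO extract (hypothetical; stands in for the TERMS flat file).
PURCHASES = [
    PurchaseOrder("PO-1", "FINANCE", "V1002", 1_200.0, date(2023, 4, 3), ["SUPERVISOR"]),
    PurchaseOrder("PO-2", "FINANCE", "V1001", 18_000.0, date(2023, 4, 5), ["SUPERVISOR"]),
    PurchaseOrder("PO-3", "PUBLIC_WORKS", "V1001", 4_000.0, date(2023, 4, 6), ["SUPERVISOR"]),
    PurchaseOrder("PO-4", "FINANCE", "V1003", 60_000.0, date(2023, 4, 10), ["DEPT_DIRECTOR", "CFO"]),
    PurchaseOrder("PO-5", "FINANCE", "V1003", 150_000.0, date(2023, 4, 12), ["CFO"]),
    PurchaseOrder("PO-6", "PARKS", "V1005", 4_900.0, date(2023, 5, 1), ["SUPERVISOR"]),
    PurchaseOrder("PO-7", "PARKS", "V1005", 4_900.0, date(2023, 5, 4), ["SUPERVISOR"]),
    PurchaseOrder("PO-8", "PARKS", "V1005", 4_900.0, date(2023, 5, 9), ["SUPERVISOR"]),
]


def required_role(dept: str, amount: float) -> str:
    """Look up the approval role the DOA tree requires for this department and value."""
    for lower, upper, role in DOA.get(dept, DOA["DEFAULT"]):
        if lower <= amount < upper:
            return role
    raise ValueError(f"no DOA band covers {amount}")


def stratify(pos) -> dict:
    """Count and total POs per DEFAULT dollar band (the ACL 'stratify' step)."""
    bands = {role: [0, 0.0] for _, _, role in DOA["DEFAULT"]}
    for po in pos:
        band = required_role("DEFAULT", po.amount)
        bands[band][0] += 1
        bands[band][1] += po.amount
    return {role: tuple(v) for role, v in bands.items()}


def missing_authorization(pos) -> list:
    """POs whose highest recorded approval is below the role the DOA tree requires."""
    exceptions = []
    for po in pos:
        need = required_role(po.dept, po.amount)
        have = max((RANK[r] for r in po.approvals), default=0)  # no approvals at all -> 0
        if have < RANK[need]:
            exceptions.append((po.po_no, need, list(po.approvals)))
    return exceptions


def split_purchases(pos, window_days: int = 30) -> list:
    """Same dept/vendor POs inside a window whose combined value needs a higher
    approval than any one of them needed alone (the threshold-splitting pattern)."""
    groups = defaultdict(list)
    for po in pos:
        groups[(po.dept, po.vendor_no)].append(po)
    flagged = []
    for (dept, vendor), items in groups.items():
        items.sort(key=lambda p: p.po_date)
        for i, first in enumerate(items):
            run = [p for p in items[i:] if (p.po_date - first.po_date).days <= window_days]
            if len(run) < 2:
                continue
            total = sum(p.amount for p in run)
            highest_single = max(RANK[required_role(dept, p.amount)] for p in run)
            if RANK[required_role(dept, total)] > highest_single:
                flagged.append((dept, vendor, [p.po_no for p in run], total))
                break  # one finding per dept/vendor pair is enough to trigger review
    return flagged


if __name__ == "__main__":
    print(stratify(PURCHASES))
    print(missing_authorization(PURCHASES))
    print(split_purchases(PURCHASES))
```

Note that PO-3 passes the default tree but fails the Public Works tree: the per-department DOA lookup is what makes the extract correct, and applying a single organization-wide threshold would have missed it.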
Summary
  • Fraud happens throughout our organizations, regardless of industry, size and culture
  • The greater the perpetrator’s skill and education, the greater the losses
  • Management must be proactively engaged in fraud-preventive and fraud-detective controls
  • Ethics programs are a key component of an effective internal control system
  • When the workforce and vendors know they are being monitored, the occurrence of fraud is generally lower
Questions? Comments?

Progress Through Sharing…

Jeff Roth, CISA
Director, RSM McGladrey Inc.
7351 Office Park Place, Melbourne, FL 32940
Tel: (321) 751-6200
Fax: (321) 751-1385
E-mail: jeff.roth@rsmi.com

Yvonne M. Clayborne, CPA
Director, RSM McGladrey Inc.
7351 Office Park Place, Melbourne, FL 32940
Tel: (321) 751-6200
Fax: (321) 751-1385
E-mail: yvonne.clayborne@rsmi.com