
Government Risk Briefings
Internal Controls & Fraud Prevention in Local Government
November 16, 2012

Ron Steinkamp, CPA, CIA, CFE, CRMA
314.983.1238

1050 N. Lindbergh Blvd. │ St. Louis, Missouri 63132 │ 314.983.1200

1520 S. Fifth St., Suite 309 │ St. Charles, Missouri 63303 │ 636.255.3000

2220 S. State Route 157, Ste. 300 │ Glen Carbon, Illinois 62034 │ 618.654.3100

1.888.279.2792


The Committee of Sponsoring Organizations of the Treadway Commission (COSO) - Internal Control Integrated Framework

The Report:

  • Established a common definition of internal control
  • Provided a standard (criteria) to assess the effectiveness of internal controls
  • Became the standard for internal control recognized by the U.S. accounting profession


Definition of Internal Control

COSO defines internal control “as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations”

Internal Controls can help…

  • An organization ensure the quality of financial reporting
  • An organization achieve its performance and profitability targets and prevent a loss of resources
  • An organization comply with laws and regulations, avoiding damage to its reputation and other consequences
  • An organization prevent the theft or inappropriate use of assets


COSO Control Categories

COSO defines five categories of Internal Control:

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring


COSO Control Categories

Control Environment - Sets the tone of an organization and influences the control consciousness of its people.

  • Is the foundation for all other components of internal control, and
  • Provides discipline and structure
  • Factors include…
    • Integrity, ethical values and competence of the entity’s people
    • Management’s philosophy and operating style
    • The way management assigns authority and responsibility, and organizes and develops its people, and
    • The attention and direction provided by the board of directors


COSO Control Categories

Risk Assessment - Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level

  • The identification and analysis of relevant risks to the achievement of objectives
  • Forming a basis for determining how the risks should be managed


COSO Control Categories

Control Activities - Are the policies and procedures that help ensure management directives are carried out

  • Help ensure that necessary actions are taken to address risks to the achievement of the entity’s objectives
  • Occur throughout the organization, at all levels and in all functions
  • Include activities such as approvals, authorizations, verifications, reconciliations


COSO Control Categories

Information and Communication – Pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components

  • Produces reports containing operational, financial and compliance related information
  • Also deals with information concerning external events, activities and conditions necessary to enable informed business decision-making and external reporting


COSO Control Categories

Monitoring - Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time

  • Occurs in the course of operations
  • Includes reviews of operating performance, security of assets and segregation of duties
  • Internal control deficiencies should be reported upstream, with significant deficiencies and material weaknesses reported to top management, the audit committee, and the external auditor


Control Roles and Responsibilities


  • Board of Directors
  • Internal Audit
  • Other Personnel


Types of Controls
  • Preventative controls
  • Detective controls
  • Manual controls
  • Computer controls
  • Management controls


General Controls
  • Code of conduct
  • Policies and procedures manual
  • Segregation of duties
  • Records retention
  • Documentation of transactions
  • Budgetary
  • Fraud Policy and reporting
  • Access to systems


Cash Management Controls
  • Policies and procedures.
  • All bank accounts opened and maintained in the organization’s name with proper approval.
  • Segregate access to cash from accounting for cash.
  • Monthly reconciliation of recorded balances to bank account detail by employees not involved in cash activities.
  • Control credit cards and reconcile to receipts on a timely basis.


Revenue Cycle Common Controls
  • Policies and procedures.
  • All orders received are processed and recorded.
  • All orders processed are invoiced.
  • All invoices are posted to customer accounts.
  • Billings are accurate.


Procurement Cycle Common Controls
  • Policies and procedures.
  • All purchase orders are authorized.
  • All vendors are authorized.
  • Individuals have authorization limits.
  • Check stock is controlled.
  • EDI/ACH transactions require authorization.
  • Credit card purchases are controlled and statements are reconciled to detailed receipts.


Payroll Common Controls
  • Procedures for adding, changing, and removing employees and related pay and benefits.
  • Payroll personnel cannot add/change/delete employees and related pay and benefits.
  • All changes are authorized by management.
  • Payroll preparation segregated from payroll authorization, check signing and distribution.
  • Access to payroll is restricted.
  • Safeguard checks.
  • Reconciliations.


Fixed Assets Common Controls
  • Procedures for adding and removing fixed assets.
  • Detailed records of all fixed assets.
  • Tracking of fixed assets.
  • Inventory fixed assets and reconcile to records periodically.


Management Reporting Common Controls
  • Accurate, Timely, and Consistent Reporting.
  • Recorded balances should be periodically substantiated and evaluated.


Inventory Monitoring Common Controls
  • Exception reporting
  • Shipping/Receiving
  • Physical Inventory Monitoring
  • Perpetual Records
  • Controlling slow-moving and obsolete inventories
  • Scrap
  • Adjustments are controlled
  • Cycle counting
  • Disposal


IT Common Controls
  • Back-ups
  • Disaster Recovery
  • Security (Physical & logical)
  • Virus Protection
  • Administrative
    • Change control
    • Trouble reporting
    • Helpdesk
    • Systems Development Life Cycle


Authorization Controls

Authorization – Authorization controls require that a transaction be “authorized” or approved prior to executing the transaction.


  • Legal department approves a contract prior to execution.
  • Controller signs Accounts Payable checks greater than a set amount.
  • Accounting Supervisor approves journal entries prepared by the Clerk prior to entry into the system.


Segregation of Duties

Segregation of Duties – These controls split responsibilities for a process so that it requires more than one person to execute a transaction or complete a process.


  • Personnel accepting/processing cash receipts do not deposit, record or reconcile receipts.
  • Personnel that edit the vendor master files do not process invoices.
  • A person separate from the approval process sets up users on the system.
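One way to check a user access listing against segregation rules like the ones above, as an added example that is not part of the original presentation; the role names, duty names, conflicting pairs and the sample user listing are all constructed for illustration and would in practice come from the finance system's user/role export and the entity's own SoD matrix:

```python
"""Segregation-of-duties conflict check over a user access listing.

Added example, not from the original presentation. The duty names, the
role-to-duty mapping, the conflicting pairs and the user listing are all
constructed for illustration.
"""

# Constructed role definitions: what each system role actually lets a user do.
ROLE_DUTIES = {
    "ap_clerk": {"invoice_process"},
    "vendor_maintenance": {"vendor_master_edit"},
    "cashier": {"cash_receipts_accept"},
    "cash_accounting": {"cash_receipts_record", "bank_reconcile"},
    "security_admin": {"user_setup"},
    "approver": {"transaction_approve"},
    "payroll_user": {"payroll_system_login"},
}

# Duty pairs that should not sit with one person (constructed names for the
# duties described on the segregation-of-duties and system-access slides).
CONFLICTING_DUTIES = [
    frozenset({"cash_receipts_accept", "cash_receipts_record"}),
    frozenset({"cash_receipts_accept", "bank_reconcile"}),
    frozenset({"vendor_master_edit", "invoice_process"}),
    frozenset({"user_setup", "transaction_approve"}),
    frozenset({"invoice_process", "payroll_system_login"}),
]


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Flatten a user's roles into the set of duties those roles grant.
    Conflicts usually hide here: each role looks harmless on its own."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def find_sod_conflicts(user_roles, role_duties=ROLE_DUTIES, conflicts=CONFLICTING_DUTIES):
    """Return {user: [(duty_a, duty_b), ...]} for every user whose combined
    roles grant both halves of a conflicting duty pair."""
    findings = {}
    for user, roles in user_roles.items():
        held = effective_duties(roles, role_duties)
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= held)
        if hits:
            findings[user] = hits
    return findings


# Constructed access listing: two users whose role combinations conflict,
# two whose do not.
SAMPLE_USER_ROLES = {
    "jdoe": ["ap_clerk", "vendor_maintenance"],   # edits vendors AND pays invoices
    "asmith": ["cashier", "cash_accounting"],      # takes cash AND reconciles the bank
    "bwong": ["cash_accounting"],                  # accounting only
    "admin1": ["security_admin"],                  # sets up users, approves nothing
}

if __name__ == "__main__":
    for user, hits in find_sod_conflicts(SAMPLE_USER_ROLES).items():
        for duty_a, duty_b in hits:
            print(f"{user}: holds both '{duty_a}' and '{duty_b}'")
```

Running the same check after every access change, rather than once a year, is what turns the listing review on the Management Review slide into a detective control.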



Reconciliations

Reconciliations – This involves comparing two items, from different sources, to determine whether transactions were executed accurately and completely.


  • Reconciling the accounts receivable sub-ledger to the general ledger.
  • Reconciling the bank statements to the general ledger.
  • Reconciling credit card statements to the related detail.
  • Physically inventorying fixed assets and comparing them to the fixed asset system.


Management Review

Management Review – This involves a review, by a manager/supervisor, of executed transactions/activities for appropriateness.


  • The Finance Director reviews the bank and credit card reconciliations for reasonableness.
  • The Payroll Manager reviews a report of the payroll run to ensure that the total run is consistent with past periods.
  • The owner of a process reviews a listing of personnel that have access to the system that supports the process.


System Access Controls

System Access – System Access controls prevent a person from executing a transaction because they cannot log on to the system or have not been granted the specific transaction authority.


  • AP personnel are not given user accounts on the payroll system.
  • Only accounting personnel can post journal entries in the system.
  • Only the Finance Director and/or City Administrator can authorize payments out of the system.


Configuration/Account Mapping

Configuration/Account Mapping – This is a control that is performed by the system/application and prevents the execution of a transaction unless certain parameters are met.


  • The AP system automatically populates the payee field of a check from the vendor master file.
  • The Revenue system automatically calculates the invoice amount based on contract data and payroll data.
  • System functionality prevents the posting of journal entries to a prior period.


Exception/Edit Reports

Exception/Edit Reports – These controls alert you to changes/issues in the system via an online or paper report.


  • An edit report that lists all changes to the vendor master file.
  • An exception report that identifies all AP checks over a certain amount.
  • A report that identifies payroll exceptions/adjustments.


Key Performance Indicators

Key Performance Indicators – These are analytical indicators of performance metrics that help to identify incorrect transactions or breakdowns in the control system.


  • Variance Reports (Budget to Actual, Prior to Current Period, Etc.)
  • Production Reports (Rate per Hour, Utilization, Etc.)


What is Fraud?

The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.

Three general categories:

  • Asset misappropriation
  • Corruption
  • Financial statement fraud


Asset Misappropriation

Perpetrator steals or misuses an organization’s resources.

  • Examples:
    • Clerk stealing cash receipts.
    • Payroll Clerk creating a ghost employee.
    • Purchasing Clerk creating a fictitious vendor and false invoice.
    • Street Department personnel “borrowing” equipment.
    • City Manager purchasing personal items on the City credit card.



Corruption

Employee’s use of his/her influence in business transactions in a way that violates his/her duty to the employer for the purpose of obtaining benefit for him/herself or someone else.

  • Examples:
    • City Council member trading votes for personal favors.
    • Purchasing Department Manager awarding a City contract to a vendor for a kickback.
    • Human Resources Director hiring unqualified “friends” to fill positions.


Financial Statement Fraud

Intentional misstatement or omission of material information in the organization’s financial reports.

  • Examples:
    • Inflating City revenues on the Consolidated Annual Financial Report.
    • Forcing actual expenditures to match budget by moving expenses between accounts.
    • Improperly accounting for grant receipts and expenditures.


2012 ACFE Global Fraud Study

2012 Report to the Nations on Occupational Fraud and Abuse


Summary of Findings

1. Typical fraud losses equal 5% of revenue

2. Asset misappropriation - the most common

3. Financial statement fraud - the least common

4. Frauds are most likely to be detected by tips

5. Small organizations are disproportionately victimized by occupational fraud

6. Fraud perpetrators often display warning signs

7. Government/public administration is one of the most victimized industries

8. Anti-fraud controls help reduce the cost and duration of occupational fraud

9. High-level perpetrators cause the greatest damage to their organizations

10. Nearly 50% of all victim organizations do not recover any losses


Conclusions & Recommendations

Implement hotlines to receive tips from internal/external sources

Organizations over-rely on audits

Most frauds are detected by tips

Anti-fraud training among employees and managers results in fewer fraud losses

Surprise audits are an effective fraud prevention tool


Conclusions & Recommendations

Using internal controls as your sole fraud prevention strategy is insufficient

Employees exhibit behavior warning signs

Employees should be trained to recognize common signs of fraud

Effective fraud prevention measures are critical


Common Characteristics/Red Flags

Pressure or Incentive (NEED)

High personal debts

Substance or gambling abuse

Job frustration

Resentment of superiors


  • Unfairly compensated
  • Everyone else does it
  • Intention of repayment
  • Financial need
  • Opportunity
    • Inadequate internal controls
    • Weak management
    • Excessive turnover
    • Large amounts of cash on hand or processed


Internal Control Abuse by Management

Failure to establish:

  • Policies & procedures
  • Segregation of duties
  • Third-party oversight (boards)

Failure to oversee/supervise/review

Overworking/underpaying staff to make budget

Inappropriate use of cell phone, company credit cards, autos, and expense reports

Inadequate IT Access Controls

Not allowing Internal Audit to look at a department

Non-responsive to management inquiries


Why Management?

Three major reasons these events occur:

1. It pays to do it

2. It is easy to do

3. It is unlikely you will get caught

Indicators of possible management fraud

1. A weak control environment

2. Management facing extreme competitive pressure

3. Management known or suspected of having questionable character


Internal Control Abuses by Employees
  • Accounts payable fabrication
  • Accounts receivable manipulation
  • Bank fraud
  • Bid rigging
  • Check forgery and counterfeiting
  • Credit card fraud
  • Embezzlement
  • Expense account abuse
  • Fictitious vendors, customers, employees
  • Kickbacks
  • Material misstatement
  • Medical/insurance claims overstatement
  • Unnecessary purchases or purchases for own use


Example – Check Tampering

Check tampering occurs when an employee:

  • Prepares a fraudulent check for his/her own benefit
  • Intercepts a check intended for a third party and converts it for his/her own benefit.


Example – Check Tampering

How can check tampering be prevented?

  • Check stock should be locked in a secure location to ensure blank checks are not accessible to potential fraudsters.
  • Checks should be mailed immediately after signing to reduce the risk of legitimate checks being stolen.


Example – Check Tampering

How can check tampering potentially be detected through data analysis?

  • Perhaps better identified through other ways.
    • Bank reconciliations
    • Communication with vendors


Example – Billing Schemes

Billing schemes occur when an employee submits a false invoice or alters an existing one, thus causing the company to willingly (but unknowingly) issue a check for false expenses.


Example – Billing Schemes

How can billing schemes be prevented?

  • Prior to authorizing payment, invoices should be checked for validity of the vendor, validity of the goods or services invoiced, accuracy, and authenticity.
  • Prior to processing payment, invoices should be checked for proper authorization, accuracy and authenticity. This will prevent overpayment, as well as payments being made to fictitious vendors.
  • Strictly control access to vendor master data.


Example – Billing Schemes

How can billing schemes potentially be detected through data analysis?

  • Vendor-level expenditures analysis
  • Benford analysis
  • Duplicates analysis
  • Vendor master data analysis


Example – Fraudulent Expense Reimbursements

Expense reimbursement schemes occur when an employee submits false expenses in the hope of being reimbursed by the company.


Example – Fraudulent Expense Reimbursements

How can fraudulent expense reimbursements be prevented?

  • Require original itemized receipts.
  • Receipts should be scrutinized to detect alterations or forgeries.
  • Other means of proving incurred expenses, such as airline itineraries, credit card statements, etc. should not be accepted unless approved by a supervisor.
  • All expense reimbursements should be reviewed and immediately processed upon approval.
  • Use a specific credit card for all business expenses. Receive this information electronically from credit card company and require electronic filing of expense reports by employees. This will minimize the possibility of fraud, and if fraud is occurring, will provide an easier means to identify it.


Example – Fraudulent Expense Reimbursements

How can fraudulent expense reimbursements potentially be detected through data analysis?

  • Use a specific credit card for all business expenses. Receive this information electronically from credit card company and require electronic filing of expense reports by employees. Reconcile the two data sets.
  • Duplicates analysis.
  • Benford analysis.
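The Benford and duplicates analyses named on the billing-scheme and expense-reimbursement slides, worked through in code as an added example that is not part of the original presentation; the payment records are constructed, and the conformity bands in the comments are Nigrini's commonly cited first-digit MAD thresholds:

```python
"""Benford first-digit test and duplicate-payment analysis over a listing of
paid invoices or reimbursed expenses.

Added example, not from the original slides. The transaction records are
constructed; the conformity bands in the comments are Nigrini's commonly
cited first-digit MAD thresholds.
"""
import math
from collections import Counter, defaultdict

# Benford's law: P(first digit = d) = log10(1 + 1/d)
BENFORD_EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount):
    """Leading significant digit of a non-zero amount (0.45 -> 4, 1200 -> 1)."""
    return int(f"{abs(amount):e}"[0])


def benford_first_digit(amounts):
    """Return (observed proportions by digit, mean absolute deviation from Benford).

    Nigrini's first-digit MAD bands: < 0.006 close conformity, 0.006-0.012
    acceptable, 0.012-0.015 marginal, > 0.015 nonconformity. Assigned or
    capped values (check numbers, per-diem rates) should not be tested; the
    test suits naturally occurring amounts such as invoice totals.
    """
    digits = [first_digit(a) for a in amounts if a]
    n = len(digits)
    counts = Counter(digits)
    observed = {d: counts.get(d, 0) / n for d in range(1, 10)}
    mad = sum(abs(observed[d] - BENFORD_EXPECTED[d]) for d in range(1, 10)) / 9
    return observed, mad


def duplicate_payments(transactions):
    """Group payments by (vendor, amount). Same invoice number twice is a
    double payment; different invoice numbers for the same vendor and amount
    point to a re-submitted or altered invoice."""
    groups = defaultdict(list)
    for t in transactions:
        groups[(t["vendor"], round(t["amount"], 2))].append(t)
    findings = []
    for (vendor, amount), items in groups.items():
        if len(items) < 2:
            continue
        invoices = {t["invoice"] for t in items}
        kind = ("exact duplicate" if len(invoices) < len(items)
                else "same vendor/amount, different invoice numbers")
        findings.append({"vendor": vendor, "amount": amount, "count": len(items), "kind": kind})
    return sorted(findings, key=lambda f: (f["vendor"], f["amount"]))


# Constructed paid-invoice listing: one exact double payment and one pair of
# identical amounts under different invoice numbers.
SAMPLE_PAYMENTS = [
    {"vendor": "V100", "invoice": "A-1", "amount": 4250.00},
    {"vendor": "V100", "invoice": "A-1", "amount": 4250.00},
    {"vendor": "V205", "invoice": "9981", "amount": 1999.99},
    {"vendor": "V205", "invoice": "9981R", "amount": 1999.99},
    {"vendor": "V310", "invoice": "77", "amount": 312.40},
    {"vendor": "V310", "invoice": "78", "amount": 85.00},
]

if __name__ == "__main__":
    observed, mad = benford_first_digit([t["amount"] for t in SAMPLE_PAYMENTS])
    print(f"first-digit MAD = {mad:.3f} (tiny sample; Benford needs hundreds of records)")
    for finding in duplicate_payments(SAMPLE_PAYMENTS):
        print(finding)
```

Both tests are screens, not proof: a high MAD or a duplicate pair selects invoices for the vendor validity and authenticity checks described on the prevention slide.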


Example - Payroll Fraud

Payroll fraud occurs when an employee submits false documentation (e.g., timecards) in an effort to inflate his/her wages/salary. Such documentation prompts the organization to unknowingly disburse funds to the perpetrator.

Possible ways in which Payroll Fraud can occur:

  • Falsified hours and salary
  • Ghost employees


Example - Payroll Fraud

How can payroll fraud be prevented?

  • All timecards should be reviewed for validity and accuracy.
  • Once submitted for approval, employees should never see their timecard again.
  • Overtime hours must be authorized by a supervisor.
  • If employees use a time clock to “punch in” and “punch out”, they must do so when they arrive for work, take breaks, go to lunch, leave for the day, etc.
  • Monitor employees to assure one employee is not punching out for another.
  • Strictly control access to payroll master data.


Example - Payroll Fraud

How can payroll fraud be detected through data analysis?

  • Review personnel files for duplicate addresses, P.O. boxes, or social security numbers. Duplicate information may suggest “ghost” employees are on the payroll.
  • Perform an employee-level hours analysis, comparing employees’ hours with peers in their departments.
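The two payroll screens above (shared identifiers across personnel records, and hours compared with departmental peers) as an added example that is not part of the original presentation; the employee records, hours and the two-standard-deviation threshold are constructed, and the identifiers are obviously fake:

```python
"""Ghost-employee and hours-outlier screens over payroll master and
timekeeping data.

Added example, not from the original slides. The employee records, hours
and the z-score threshold are constructed; the identifiers are fake.
"""
from collections import defaultdict
from statistics import mean, pstdev


def normalize(value):
    """Collapse case, punctuation and spacing so '40 Oak Ave' and
    '40 OAK AVE.' compare equal."""
    return "".join(ch for ch in str(value).lower() if ch.isalnum())


def shared_identifiers(employees, fields=("ssn", "address", "bank_account")):
    """Return {field: {normalized_value: [employee ids]}} for any identifier
    value that appears on two or more records. A shared SSN, home address
    or direct-deposit account is the classic ghost-employee tell."""
    seen = {f: defaultdict(list) for f in fields}
    for emp in employees:
        for f in fields:
            if emp.get(f):
                seen[f][normalize(emp[f])].append(emp["id"])
    return {f: {v: ids for v, ids in by_value.items() if len(ids) > 1}
            for f, by_value in seen.items()
            if any(len(ids) > 1 for ids in by_value.values())}


def hours_outliers(hours_by_employee, department_of, threshold=2.0):
    """Compare each employee's hours with peers in the same department and
    return [(employee id, department, hours, z)] where |z| >= threshold.
    Departments with fewer than three staff or no spread are skipped."""
    by_dept = defaultdict(list)
    for emp, hours in hours_by_employee.items():
        by_dept[department_of[emp]].append((emp, hours))
    flagged = []
    for dept, rows in by_dept.items():
        if len(rows) < 3:
            continue
        values = [h for _, h in rows]
        mu, sigma = mean(values), pstdev(values)
        if sigma == 0:
            continue
        for emp, h in rows:
            z = (h - mu) / sigma
            if abs(z) >= threshold:
                flagged.append((emp, dept, h, round(z, 2)))
    return sorted(flagged)


# Constructed payroll master: E102 and E109 share an address and bank account.
SAMPLE_EMPLOYEES = [
    {"id": "E101", "ssn": "000-00-0001", "address": "12 Main St.", "bank_account": "11111"},
    {"id": "E102", "ssn": "000-00-0002", "address": "40 Oak Ave", "bank_account": "22222"},
    {"id": "E109", "ssn": "000-00-0009", "address": "40 OAK AVE", "bank_account": "22222"},
]

# Constructed pay-period hours for one department: E107 booked 80 hours.
SAMPLE_HOURS = {"E101": 40, "E102": 40, "E103": 41, "E104": 39, "E105": 40, "E106": 40, "E107": 80}
SAMPLE_DEPARTMENTS = {emp: "Streets" for emp in SAMPLE_HOURS}

if __name__ == "__main__":
    print(shared_identifiers(SAMPLE_EMPLOYEES))
    print(hours_outliers(SAMPLE_HOURS, SAMPLE_DEPARTMENTS))
```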


Example – Receipts Interception

Receipts interception occurs when an employee:

  • Has access to customer payments
  • Directs intercepted receipts to personal accounts

Receipts interception can be difficult to detect if the fraudster also has access to manipulate accounts receivable records or customer credit memos.


Example – Receipts Interception

How can receipts interception be prevented?

  • Segregate cash receipts and accounting responsibility.
  • Issue receipts.
  • Track receipts in system and reconcile daily.
  • Surprise cash counts.
  • Cameras.


Example – Receipts Interception

How can receipts interception be detected through data analysis?

  • Identify gap or sequence errors in accounts receivable records.
  • Perform a customer level analysis of credit memos.
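The two receipts-interception screens above (sequence gaps in pre-numbered receipts, and credit memos analysed per customer) as an added example that is not part of the original presentation; the receipt numbers, billings, memos, the 10% credit ratio threshold and the list of cash-handling users are all constructed:

```python
"""Receipt-sequence gap check and customer-level credit memo analysis over
accounts receivable data.

Added example, not from the original slides. The receipt numbers, billings,
credit memos, the 10% ratio threshold and the set of cash-handling users are
constructed; the latter would come from the access review.
"""
from collections import Counter, defaultdict


def sequence_check(receipt_numbers):
    """Return (gaps, duplicates) for a pre-numbered receipt series.
    gaps is a list of (first_missing, last_missing). A missing receipt may be a
    voided form, or a receipt issued for cash that never reached the bank."""
    nums = sorted(set(receipt_numbers))
    gaps = [(a + 1, b - 1) for a, b in zip(nums, nums[1:]) if b - a > 1]
    duplicates = sorted(n for n, c in Counter(receipt_numbers).items() if c > 1)
    return gaps, duplicates


def credit_memo_review(billings, credit_memos, cash_handlers, ratio_threshold=0.10):
    """Total credit memos per customer against that customer's billings.
    Return {customer: {...}} for customers whose credits exceed the threshold
    share of billings, or whose memos were prepared by someone who also
    handles cash (the combination the slide above warns about)."""
    per_customer = defaultdict(lambda: {"credits": 0.0, "memos": 0, "preparers": set()})
    for memo in credit_memos:
        row = per_customer[memo["customer"]]
        row["credits"] += memo["amount"]
        row["memos"] += 1
        row["preparers"].add(memo["prepared_by"])
    findings = {}
    for customer, row in per_customer.items():
        billed = billings.get(customer, 0.0)
        ratio = row["credits"] / billed if billed else float("inf")
        cash_prepared = row["preparers"] & set(cash_handlers)
        if ratio > ratio_threshold or cash_prepared:
            findings[customer] = {
                "credits": round(row["credits"], 2),
                "memos": row["memos"],
                "credit_ratio": round(ratio, 4),
                "prepared_by_cash_handler": sorted(cash_prepared),
            }
    return findings


# Constructed data: receipts 1003 and 1006-1007 missing, 1008 used twice.
SAMPLE_RECEIPTS = [1001, 1002, 1004, 1005, 1008, 1008, 1009]
SAMPLE_BILLINGS = {"C1": 10000.0, "C2": 5000.0, "C3": 8000.0}
SAMPLE_MEMOS = [
    {"customer": "C1", "amount": 200.0, "prepared_by": "ar_clerk"},
    {"customer": "C2", "amount": 1500.0, "prepared_by": "cashier2"},
    {"customer": "C2", "amount": 1200.0, "prepared_by": "cashier2"},
    {"customer": "C3", "amount": 100.0, "prepared_by": "ar_clerk"},
]
SAMPLE_CASH_HANDLERS = {"cashier1", "cashier2"}

if __name__ == "__main__":
    print(sequence_check(SAMPLE_RECEIPTS))
    print(credit_memo_review(SAMPLE_BILLINGS, SAMPLE_MEMOS, SAMPLE_CASH_HANDLERS))
```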


How to Prevent Fraud

Create an anti-fraud environment

Know your fraud risks

Develop an oversight process


Create an Anti-Fraud Environment

Set the Tone at the Top

  • Hold elected officials and management responsible
  • Lead by example
  • Behave ethically
  • Openly communicate expectations to employees
  • Maintain a zero tolerance policy
  • Treat all employees equally, regardless of position
  • Enforce a code of conduct founded on integrity


Create an Anti-Fraud Environment
  • Create a Positive Workplace Environment
    • Poor employee morale can affect attitudes about committing fraud
    • HR is instrumental in helping to build a positive work environment
    • Employees should be empowered to help create a positive workplace


Create an Anti-Fraud Environment
  • Hire and Promote Appropriate Employees
    • Conduct background investigations; verifying education, employment history and references
    • Give regular performance reviews
    • Perform an objective compliance review of your code of conduct and ethics policies at consistent intervals
    • Address violations immediately


Create an Anti-Fraud Environment
  • Fraud Awareness / Training
    • All new employees should be trained upon hiring on values and code of conduct
    • Offer periodic refresher training for all employees


Create an Anti-Fraud Environment
  • Confirmation
    • Clearly articulate that all employees are held accountable to act within the code of conduct
    • Have a written Code of Conduct statement


    • Actions should be taken in response to any alleged incident of fraud
    • Expectations about the consequences of committing fraud must be clearly communicated throughout the entity


Know Your Fraud Risks
  • Identify and measure fraud risks
  • Mitigate fraud risks
  • Implement and monitor appropriate internal controls


Develop An Oversight Process

To effectively prevent or deter fraud, an entity should have an appropriate oversight function in place that includes the following:

  • Audit committee
  • Management
  • Internal auditors
  • Independent auditors
  • Certified fraud examiners


Code of Conduct (AKA – Antifraud Policy)

Should be based on the organization’s core values

Established by executive management and a board with input from employees

Written documentation consisting of:

  • Clear guidance on what behaviors and actions are/are not permitted
  • Detailed documentation of employee responsibilities in the prevention and detection of fraud
  • Procedures on how employees should seek additional advice when faced with uncertain ethical decisions
  • Process for communicating concerns about known or potential wrongdoing

All employees should be trained on the code of conduct when hired, and annual refresher training with affirmation should be provided


Anti-Fraud Hotline

Communication system that enables employees, vendors, customers and others to communicate concerns about known or potential/suspected wrongdoing.

Telephone, email, web site


Adequately publicized


Fraud Prevention Checkup

ACFE tool

High level assessment of an organization’s fraud health

Identifies major gaps in fraud prevention processes so they can be fixed before it is too late

Focus of a Fraud Prevention Checkup is:

  • Fraud risk oversight
  • Fraud risk ownership
  • Fraud risk assessment
  • Fraud risk tolerance and risk management policy
  • Anti-fraud controls
  • Proactive fraud detection

Should be completed by a Certified Fraud Examiner (CFE)


Fraud Risk Assessment

Assists management in systematically identifying where and how fraud may occur and who may be in a position to commit fraud

Focuses on fraud schemes and scenarios to determine whether or not the current internal controls can be circumvented

Five general steps:

  • Identify relevant fraud risk factors
  • Identify potential fraud schemes and prioritize based on risk
  • Map existing controls to potential fraud schemes and identify gaps
  • Test operating effectiveness of fraud prevention and detection controls
  • Document and report the fraud risk assessment


Data Analysis

Data Analysis is great for analyzing trends and identifying unusual items and changes to operations

  • A systematic and efficient way of verifying 100% of transactions and reducing risks
  • Highlights red flags and identifies errors, fraud, inefficient operations and audit targets
  • Identifies control weaknesses/breakdowns before they cause too much damage


Fraud Review / Investigation

Results from a concern or suspicion of wrongdoing

Consists of gathering sufficient information about specific details and performing procedures necessary to determine:

  • Whether fraud has occurred
  • The loss or exposure associated with the fraud
  • Who was involved, and how it happened


Fraud Review / Investigation

Must prepare, document and preserve evidence sufficient for potential legal proceedings

Must carefully manage in accordance with laws

Include legal counsel

Include internal audit

Include expertise – Certified Fraud Examiner (CFE)



Have you identified your key processes and control?

Have you tested the key controls?

Have you identified your fraud risks?

What are your fraud risks?

How are you mitigating these risks?


Contact Information

Ron Steinkamp, CPA, CIA, CFE, CRMA

Principal, Risk Advisory Services

Brown Smith Wallace LLC

314.983.1238 (Direct)