Loading in 2 Seconds...
Loading in 2 Seconds...
Government Risk Briefings Internal Controls & Fraud Prevention in Local Government November 16, 2012. Ron Steinkamp, CPA, CIA, CFE, CRMA 314.983.1238 | firstname.lastname@example.org. Agenda. INTERNAL CONTROL DEFINED. COSO .
Ron Steinkamp, CPA, CIA, CFE, CRMA314.983.1238 | email@example.com
1050 N. Lindbergh Blvd. │ St. Louis, Missouri 63132 │ 314.983.1200
1520 S. Fifth St., Suite 309 │ St. Charles, Missouri 63303 │ 636.255.3000
2220 S. State Route 157, Ste. 300 │ Glen Carbon, Illinois 62034 │ 618.654.3100
1.888.279.2792 │ www.bswllc.com
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) - Internal Control Integrated Framework
COSO defines internal control “as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Internal Controls can help…
COSO defines five categories of Internal Control:
Control Environment - Sets the tone of an organization and influences the control consciousness of its people.
Risk Assessment - Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level
Control Activities - Are the policies and procedures that help ensure management directives are carried out
Information and Communication – Pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components
Monitoring - Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time
Board of Directors
Authorization – Authorization controls require that a transaction be “authorized” or approved prior to executing the transaction.
Segregation of Duties – These controls split responsibilities for a process so that it requires more than one person to execute a transaction or complete a process.
Reconciliations – This involves comparing to items, from different sources, to determine if transactions were executed accurately and completely.
Management Review – This involves a review, by a manager/supervisor, of executed transactions/activities for appropriateness.
System Access – System Access controls prevent a person from executing a transaction because they cannot log on to the system or have not been granted the specific transaction authority.
Configuration/Account Mapping – This is a control that is performed by the system/application and prevents the execution of a transaction unless certain parameters are met.
Exception/Edit Reports –These controls alert you to changes/issues in the system via an online or paper report.
Key Performance Indicators – These are analytical indicators of performance metrics that help to identify incorrect transactions or breakdowns in the control system.
The use of one’s occupation for personal enrichment through the deliberate misuse or application of the employing organization’s resources or assets.
Three general categories:
Perpetrator steals or misuses an organizations resources.
Employee’s use of his/her influence in business transactions in a way that violates his/her duty to the employer for the purpose of obtaining benefit for him/herself or someone else.
Intentional misstatement or omission of material information in the organization’s financial reports.
2012 Report to the Nations on Occupational Fraud and Abuse
7. Government/public administration is one of the most victimized industries
8. Anti-fraud controls help reduce the cost and duration of occupational fraud
9. High-level perpetrators cause the greatest damage to their organizations
10. Nearly 50% of all victim organizations do not recover any losses
Implement hotlines to receive tips from internal/external sources
Organizations over-rely on audits
Most frauds are detected by tips
Anti-fraud training among employees and managers result in fewer fraud losses
Surprise audits are an effective fraud prevention tool
Using internal controls as your sole fraud prevention strategy is insufficient
Employees exhibit behavior warning signs
Employees should be trained to recognize common signs of fraud
Effective fraud prevention measures are critical
Pressure or Incentive (NEED)
High personal debts
Substance or gambling abuse
Resentment of superiors
Failure to establish:
Failure to oversee/supervise/review
Overworking/underpaying staff to make budget
Inappropriate use of cell phone, company credit cards, autos, and expense reports
Inadequate IT Access Controls
Not allowing Internal Audit to look at a department
Non-responsive to management inquiries
Three major reasons these events occur:
1. It pays to do it
2. It is easy to do
3. It is unlikely you will get caught
Indicators of possible management fraud
1. A week control environment
2. Management facing extreme competitive pressure
3. Management known or suspected of having questionable character
Check tampering occurs when an employee:
How can check tampering be prevented?
How can check tampering potentially be detected through data analysis?
Billing schemes occur when an employee submits a false invoice or alters an existing one, thus causing the company to willingly (but unknowingly) issue a check for false expenses.
How can billing schemes be prevented?
How can billing schemes be potentially be detected through data analysis?
Expense reimbursement schemes occur when an employee submits false expenses in the hope of being reimbursed by the company.
How can fraudulent expense reimbursements be prevented?
How can fraudulent expense reimbursements potentially be detected through data analysis?
Payroll fraud occurs when an employee submits false documentation (i.e. timecards) in an effort to inflate his/her wages/salary. Such documentation prompts the organization to unknowingly disburse funds to the perpetrator.
Possible ways in which Payroll Fraud can occur:
How can payroll fraud be prevented?
How can payroll fraud be detected through data analysis?
Receipts interception occurs when an employee:
Receipts interception can be difficult to detect if the fraudster also has access to manipulate accounts receivable records or customer credit memos.
How can receipts interception be prevented?
How can receipts interception be detected through data analysis?
Create an anti-fraud environment
Know your fraud risks
Develop an oversight process
Set the Tone at the Top
To effectively prevent or deter fraud, an entity should have an appropriate oversight function in place that includes the following:
Should be based on the organization’s core values
Established by executive management and a board with input from employees
Written documentation consisting of:
All employees should be trained on the code of conduct when hired, and annual refresher training with affirmation should be provided
Communication system that enables employees, vendors,
customers and others to communicate concerns about known
or potential/suspected wrongdoing.
Telephone, email, web site
High level assessment of an organization’s fraud health
Identifies major gaps in fraud prevention processes and fixes them before it is too late
Focus of a Fraud Prevention Checkup is:
Should be completed by a Certified Fraud Examiner (CFE)
Assists management in systematically identifying where and how fraud may occur and who may be in a position to commit fraud
Focuses on fraud schemes and scenarios to determine whether or not the current internal controls can be circumvented
Five general steps:
Data Analysis is great for analyzing trends and identifying unusual items and changes to operations
Results from a concern or suspicion of wrongdoing
Consists of gathering sufficient information about specific details and performing procedures necessary to determine:
Must prepare, document and preserve evidence sufficient for potential legal proceedings
Must carefully manage in accordance with laws
Include legal counsel
Include internal audit
Include expertise – Certified Fraud Examiner (CFE)
Have you identified your key processes and control?
Have you tested the key controls?
Have you identified your fraud risks?
What are your fraud risks?
How are you mitigating these risks?
Ron Steinkamp, CPA, CIA, CFE, CRMA
Principal, Risk Advisory Services
Brown Smith Wallace LLC