Fraud Occurs in Governments Too February 17, 2017

Let’s start our journey with the good news.

Type of Victim Organization – Frequency and Median Loss

Industry of Victim Organizations

Level of Government – Frequency and Median Loss

Learning Objectives Overview of the COSO framework and fraud triangle Review occupational fraud statistics Case studies – learn from what other have experienced How to design internal controls with fraud in mind

COSO Framework and Fraud Triangle

COSO Framework

Who is Responsible? Governance Basic part of oversight responsibility May delegate fraud management responsibilities to a committee of the board (Audit Committee) Management Key beneficiary of internal control No practical alternative Internal Auditors Critical element of framework Works with audit committee to design and test control objectives Carry out findings and recommendations External Auditors Not responsible for design or effectiveness Does not give an opinion on internal controls Reliance upon independent auditor would be evidence of a “control deficiency”

Fraud Triangle Organizational Pressure Financial Pressure Status Pressure Lack of internal controls Management override of controls “I deserve this” “They owe it to me” I just watched “Enron – The Smartest Guys in the Room” this week, and one of the key elements to the continued fraud was keeping up with the status pressure of those around them and outside the firm (investors|maintain celebrity status).

Fraud Statistics Obtained from the “Report to the Nations on Occupation Fraud and Abuse – 2016 Global Fraud Study” – Association of Certified Fraud Examiners (ACFE)

What is Occupational Fraud? Occupational fraud is the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets Corruption Asset Misappropriation Financial Statement Fraud

Frequency and Median Loss based on Duration of Fraud People just don’t commit fraud one time. If they start doing it, they don’t stop. When we talk about anti-fraud controls, I think we need to discuss the responsibility organizations have to their employees to help people get help. The largest key identifier for fraud is personal money problems. How much fraud could we prevent if we help people with their problems before they find the rationalization and opportunity to commit fraud?

Concealment Method by Fraud Type The Top five items have to deal with falsifying documents. Surprise audits looking for fraud related items outside of the regular internal controls will help catch these techniques. From an external audit perception, the industry is doing more to review journal entries. Obtaining the complete GL, reviewing for completeness and missing entries

Primary Internal Control Weaknesses Found

Anti-Fraud Controls Frequency of Anti-Fraud Controls – United States Change in Implementation Rates of Anti-Fraud Controls

Initial Detection of Occupational Frauds Only 3 times more likely to catch fraud from an external audit vs. waiting for someone to confess!

Impact of Hotlines

Behavioral Red Flags Displayed by Perpetrator

Recovery of Victim Organization’s Loss

Case Studies

Special Investigation 16-402 Embezzlement of $1,794,594 by unlawfully issuing and signing checks Falsified computer data to conceal embezzlement Falsified audit reports

Special Investigation 16-402 Cause No independent oversight of accounting personnel (no segregation of duties) Financial records not evaluated (reviewed) Accounting software inadequately managed (no user access restrictions) No assurance of financial audits performed (No review of audit reports) Overall – no segregation of duties

Special Investigation 16-402 Recommendations Those who have access to process checks, should not have rights to be the check signors and approvers User access restrictions should be established in the computerized system Governing board members should regularly review bank statements and check register reconciliations. Additionally, board members should consider receiving training to educate themselves about statutory requirements as well as financial policies and procedures

Special Investigation 16-403 Outcome Illicitly received $65,895 from two vendors after helping to award them contracts Misspent $2,299 using entity credit card Misspent $38,706 from entity checking account writing checks, withdrawing cash and through credit cards. One transaction for a leased vacation home in Mexico Cause Conflict of interest policy not enforced Not following procurement policies Improper use of credit cards Recommendations Maintain and ensure conflict of interest forms are complete and used during procurement process Monitor procurement policies to ensure they are being followed Bank statement and reconciliation review for unusual activity, especially around credit card transactions

Payroll Fraud Case Outcome Employee had personal financial issues that lead to the fraud being perpetrated. Embezzlement of $23,504 of public monies from falsified overtime pay. Cause No review of payroll before being processed to review overtime pay entered. Work hours were altered and overtime hours reported for time not worked. Recommendations Ensure independent review of payroll adjustments. Implement procedures for supervisors to review payroll vouchers, tying them out to supporting documents before being processed.

Special Investigation 16-405 245 checks and 12 p-card transactions issued to fictitious vendors for $354,902 Falsified invoices and fabricated purchasing card records were issued to conceal fraud scheme Monies were deposited into a joint account of perpetrator and used for personal use

Special Investigation 16-405 Cause Lack of receiving report verification. Credentials were used to falsify receipt Accounting software log-in credential improperly shared Invoice anomalies not investigated Purchasing card reports not reconciled to bank software

Special Investigation 16-405 Recommendations Periodic review of invoiced goods marked as received should be investigated to see if products were actually received, located and accounted for Provide periodic training to employees, letting them know of the importance of keeping their passwords and log-in secret Periodically review IT policies and ensure passwords are changed on a periodic basis Perform monitoring procedures (surprise audits) of p-card transactions

Other Case Studies Recommendation: Restrict access to those with bank privileges. Ensure multiple sign-offs are required to make bank transfers. Have someone outside of the reconciliation process review activity. Review credit card transactions and supporting receipts for anomalies and accuracy. Cause: Altering access to bank accounts and transferring monies to personnel accounts. Submitted falsified invoices for credit card charges. Outcome: Misappropriation of approximately $1.1 million in assets. Gambling Addition Cause: Monies transferred from City funding to undisclosed bank account in perpetrator’s name. No internal control structure established to review transfers in/out of real accounts and no segregation of duties or management level review. Perpetrator had control over writing checks, making deposits, balancing the checkbook, picking up mail, reconciling accounts and transferring monies between accounts. Outcome: Embezzlement of $54M over the course of two decades. Excessive Hobbies Recommendation: Similar to those of the case above, with ensuing stronger segregation of duties and access to transferring monies and establishing bank accounts. Additionally, analytics could have been performed and questions investigated to catch fraud sooner.

How to design internal controls with fraud in mind

Internal Controls & Fraud “A process used by management to help an entity achieve its objectives” How does internal control work: Run its operations efficiently and effectively Report reliable information about its operations Comply with applicable laws and regulations Source: Standards for internal Control in the Federal Government “Green Book”

Internal Controls & Fraud Internal controls are not inherently designed to detect fraud?! Organizations should formally document the techniques developed and implemented to prevent fraud Document processes used to monitor the performance of fraud preventative controls or indicate when ineffective

Establish Fraud Risk Policies Governance Create Ethical Environment Know responsibilities Delegate Responsibility (Audit Committee | Internal Audit Function) Set Policies Risk Assessment Identify Inherent Risk Assess likelihood and significance of inherent risk Respond to likely and significant inherent and residual fraud risks Accomplished through fraud risk teams (brainstorming techniques)

Establish Fraud Risk Policies (continued) Prevention Techniques Establish Anti-fraud training Authority Limitations (Use access rights, JE processing, adjustments, etc.) Detection Techniques Establish Anti-fraud controls that evaluate the underlying support for consistency in application Fraud Hotlines and whistleblower programs Monitoring techniques Reporting Conduct investigations Implement corrective actions

Assess your Organization Do we have anti-fraud controls built into our existing internal control structure? Does everyone know their role? When do we perform our risk assessment? Who is responsible? Are we at risk?

Internal Control and Fraud Risk Tools ACFE – Fraud Prevention Check-up GOA’s Standards for Internal Control in the Federal Government “Green Book” AICPA – Managing the Business Risk of Fraud: A practical guide (Fraud Prevention and Detection Scorecards) COSO Framework Other Organizations similar to yours

Dennis J Osuch, CPA Principal dennis. osuch@CLAConnect Dennis J Osuch, CPA Principal dennis.osuch@CLAConnect.com Dennis V Maschke, MBA, CPA Manager dennis.maschke@CLAConnect.com Thank you!