Fraud & Internal Controls

Transcription

1

2 Daniel Anderson, CPA Mauldin & Jenkins, LLC 100% governmental 10 years experience Presenter at FGFOA Chapter meetings, FICPA State and Local Government Conference and In-House training Member of the FICPA State and Local Government Committee Trey Scott, CPA Mauldin & Jenkins, LLC 100% governmental 10 years experience Presenter at FGFOA Chapter meetings, FICPA State and Local Government Conference and In-House training

3 WHO LOVES A GOOD HEADLINE? 3

4 Former School Superintendent Indicted on Fraud Charges for Allegedly Misappropriating School Funds for His Own Benefit Finance Director Sentenced for Embezzling $742,190 Woman Pleads Guilty To Theft Concerning Programs Receiving Federal Funds Former Budget Director Charged with Embezzlement and Fraud

5 Rita Crundwell City Comptroller and Treasurer 5

6 $53 MILLION LARGEST MUNICIPAL FRAUD IN U.S. HISTORY 6

7 How She Did it Rita opened an unauthorized RSDCA bank account in 1990 RSDCA account was not set up on the city s general ledger Rita wrote checks from a legitimate city bank account to Treasurer - these checks were deposited into the RSDCA bank account 7

8 Tax commissioner $800,000 Stolen

9 Receipts not reconciling to cash

10 Nonprofit Controller Daniel Wiant Stole $6.9 Million

11 Wire transfers for $6.9 Million

12 City Council Members $20,000 Bribes

13 Request bribe Contract up for renewal City council member asks waste water treatment vendor for $20,000 Vendor contacts FBI

14 Maintenance Director Allegedly Over $3 Million Stolen

15 Case overview May 2015, Leigh Patterson, the Rome Judicial Circuit District Attorney, filed a complaint in Floyd County Superior Court alleging that Floyd County school employees engaged in fraudulent practices Primary person named is the former maintenance director -- Derry Richardson At least a dozen other people have been named

16 Resignations Maintenance director Lead maintenance specialist Director of school improvement Operations coordinator Chief of operations

17 Internal Controls Overview Fraud Segregation of Duties Activity Level Control Cash Disbursements Accounting for Cash Disbursements Definition of Expenditures Incurring a Liability Common Deficiencies

18 Internal Control Process to provide reasonable assurance of Reliability Effectiveness/Efficiency Compliance

19 Control Environment Risk Assessment Control activities Information / Communication Monitoring

20

21 Resources: (1) COSO Website (2) United States Government Accountability Office (GAO) Green Book

22 Fraud Risk Factors

23 Misappropriation of Assets Material Misstatement of Financial Information Headlines

24 According to the ACFE s 2016 Global Fraud Study, the typical organization loses 5% of its annual revenue to fraud. Of the cases examined involving governments, those that occurred at the federal level reported the highest median loss ($194,000) compared to the state ($100,000) or local ($80,000) level.

25

26

27

28 Risk Factors Misappropriation of Assets Inappropriate transaction authorization and approval Poor physical safeguards Lack of timely and appropriate transaction documentation No mandatory vacation for control function employees

29 Transactions improperly recorded or not recorded completely / timely. Unsupported/unauthorized balances or transactions. Last-minute adjustments significantly affecting financial results. Significant unexplained reconciling items Missing documents Risk Factors Material Misstatements

30 New York Times (1/7/2014) During a major modernization project, consultants were accused of committing a $100 million fraud under a contract to modernize the City payroll system. The fraudulent scheme involved kickbacks and money laundering. The original budget for this project increased from $63 million to over $700 million, with many project delays. In early 2010, a City Controller audit the first one in 12 years identified numerous contracting irregularities. In late 2010, federal charges were filed against contractor and subcontractor personnel. Among the consequences, three consultants eventually pled guilty, each receiving 20-year prison terms. Risk Factors - Headlines! Washington Post (4/26/2017) An independent three-member PTA audit team, which reviewed financial activities from July 1 to March 31, provided police with further documentation last week, said Lynne Harris, who was elected president of the group Tuesday night. Harris said the audit team compared the treasurer s records with banking records, among other things. They were meticulous, she said. What they believe they discovered was unauthorized disbursements that began as early as last summer totaling approximately $39,000.

31 Which of the following detects the most frauds? External audit Internal audit Management review of controls IT controls Tip Accident Other controls Confession

32

33 Establish a strong internal control structure Formal policies: Fraud, waste and abuse Whistleblower Know key financial indicators and trends Watch for warning signs amongst the team: Financial difficulties Expensive habits Unwilling to delegate, take vacation, etc.

34 Segregation of Duties

35 Segregation of Duties No financial transaction is handled by one person from beginning to end! The more negotiable the asset, the greater the need for proper segregation of duties.

36 Which duties should be segregated? Authorization of transactions Custody of assets Recordkeeping Reconciliation

37 Authorization of Transactions The process of reviewing and approving transactions or operations Approving purchase requisitions or purchase orders; Approving timesheets, payroll certifications, leave requests and cumulative leave records; Approving change orders, computer system design or programming changes

38 Custody of Assets The process of having access to, or control over, any physical asset such as cash, checks, equipment, supplies, or materials Access to any funds through the collection of funds or processing of payments; Access to safes, lock boxes, file cabinets or other places where money, checks or other assets are stored; Custodian of a petty cash or change fund

39 Recordkeeping The process of creating and maintaining records of revenues, expenditures, inventories, and personnel transactions. These may be manual records or records maintained in automated computer systems Preparing purchase requisitions, payroll certifications and leave records Entering charges or posting payments to accounts receivable Maintaining inventory records

40 Reconciliation Verifying the processing or recording of transactions to ensure that all transactions are valid, properly authorized and properly recorded on a timely basis. This includes following up on any differences or discrepancies identified.

41 Cash Disbursements to Vendors

42 Cash Disbursements to Vendors Internal Controls Purchasing: Approved vendor list Periodic review of changes to the vendor list POs are reviewed to ensure the expenditure is within budget or other restrictions

43 Cash Disbursements to Vendors Internal Controls Purchasing documents (POs, receiving reports, etc.): Prenumbered Sequence is accounted for regularly Unissued forms are controlled Retain voided documents

44 Cash Disbursements to Vendors Internal Controls General Controls: Bank accounts are authorized by the governing board or appropriate level of management Individual(s) responsible for signing checks is/are authorized by the governing board or appropriate level of management Mechanical check signers and signature plates Dual signatures for checks over a certain amount Prohibit checks payable to cash Use of Positive Pay

45 Cash Disbursements to Vendors Internal Controls Check Processing: Prepared after proper matching to support documentation Support documentation is appropriately marked/canceled with the check number Signed by authorized signers Dual signatures obtained, if required Check for clerical accuracy, pricing, quantities received, brand name, etc. to the vendor invoice Check signer reviews all supporting documents Promptly recorded to the general ledger

46 Cash Disbursements to Vendors Internal Controls Accounts Payable: Reconcile monthly vendor statements Accounts payable subsidiary ledger is compared to open invoices Accounts payable subsidiary ledger is compared to open invoices Appropriate individual is reviewing reconciliations Receiving reports are provided to accounts payable personnel

47 Cash Disbursements to Vendors Internal Controls Segregation of Duties Individuals responsible for following should be separate: Initiator of purchases Approver of purchases Receiving goods/services Shipping Preparation of checks Cash receipts Accounts payable

48 Electronic Disbursements to Vendors Source: GFOA

49 Electronic Disbursements to Vendors Fedwire generally used for large dollar and / or time critical transactions ACH used for batch processing EBT electronic system utilizing point of sale terminal or ATM Purchase cards

50 Electronic Disbursements to Vendors Before utilizing electronic payments, establish policies and procedures that address: What online banking & EFT activities will be utilized? Who is authorized to initiate transactions? Who will approve electronic transactions? Who will record electronic transactions? Who will review and reconcile?

51 Electronic Disbursements Safeguards Strong internal & information technology controls Written agreements with banks & third parties Dual controls authorizing non-repetitive transactions Dual controls for establishment of repetitive transactions Establishment of dollar limits for authorized personnel Use of passwords / pin numbers / call-back verification

52 Electronic Disbursements Safeguards Overlapping of cybersecurity risks and the cash disbursement process: Vendor compromised Phishing sent to government Wire payment initiated to fraudulent account

53 Procurement Cards Internal Controls

54 What is a Procurement Card? - A special credit type card that works similarly to a personal credit card, except the accumulative charges for all cards are billed directly to the government and payment is initiated by an appropriate official of the government.

55 Benefits of Using a Procurement Card Simple and cost effective to use for both user and supplier; Reduction in invoices, ordering time and processing time; Creates a full and visible audit trail; No cost to user for standard product; Environmental savings through decreased consumption of paper; Free up staff time to concentrate on more productive issues (decreased paperwork processing).

56 Best Practice Controls Procurement Cards Establish criteria for eligibility Require cardholders to sign usage agreement Require cardholders to log a description of all items purchased Cardholder s name should be embossed on card Single / monthly transaction limit Purchase logs should be reviewed and approved by supervisors

57 Best Practice Controls Procurement Cards Cardholder not allowed to use P-Card to obtain cash advances or refunds Cardholder not allowed to purchase unauthorized items Cardholder not allowed to split purchase items to circumvent purchasing policy limits Maximum liability limit for charges on lost / stolen cards Deactivated timely

58 Documenting Use of Procurement Cards Documentation must support what was ordered, received and paid for: Date of purchase Vendor name Item and description Amount Shipping address Card user

59 Procurement Cards Disciplinary Action Improper or Unauthorized Use of P-Cards Any incident of improper or unauthorized use of the P-Card shall be immediately reported to Accounting / Finance Director or an appropriate official Accounting Director or an appropriate official may suspend or terminate cardholder privileges for improper or unauthorized use

60 Procurement Cards Disciplinary Action Improper / Unauthorized Use of P-Cards (cont d) Improper or unauthorized use of the P-Card will subject the employee to appropriate disciplinary action In addition to any administrative and disciplinary action taken, the employee may be required to reimburse the government for the total amount of the improper charges through payroll deduction or direct payment

61 Procurement Cards Disciplinary Action Failure to Submit Reports Related to Cardholder Activity within the Time Periods Specified in the Policies and Procedures Manual First Offense Suspension of privileges for a minimum of seven (7) days. Second Offense Suspension of privileges for a minimum of thirty (30) days. Third Offense Immediate termination of privileges and a written reprimand to be maintained in personnel file.

62 Procurement Cards Headline Risk A November 2014 report by the Office of the Inspector General for the EPA found abuse of the EPA s purchase cards and significant problems with the agency s system for ensuring that cards are not misused. In an 80-charge sample, the OIG found 75 of the purchases were prohibited, improper, or erroneous. The OIG report found that the EPA s oversight was not effective because of inattention by everyone involved and inadequate training. A recurring theme in the report is the claim by employees that they did not realize they were violating policy.

63 Segregation of Duties Exercise How can you segregate the following duties with: (1) A Finance Director and an accounting staff of 3 employees? (2) A Finance Director and an accounting staff of 2 employees?

64 Segregation of Duties Exercise Receive cash Prepare deposit slips Initiate bank transfers Authorize purchase orders and check requests Write checks Approve & process vendor invoices Mail checks Review bank reconciliations Disburse petty cash Reconcile bank and petty cash accounts Sign checks Record accts. recv. and gen. ledger journal entries

65 Segregation of Duties Exercise Solution Finance Director and 3 Accounting Staff: Finance Director Acct. Manager Acct. Staff I Acct. Staff II Sign checks Prepare deposit slips Receive cash Write checks Review bank reconciliations Approve/process vendor invoices and employee time cards Disburse petty cash Reconcile bank & petty cash accts Initiate bank transfers Authorize POs and check requests Record A/R and G/L journal entries Mail checks

66 Segregation of Duties Exercise Solution (Finance Director and 2 Accounting Staff: City Manager Acct. Manager Acct. Staff Sign checks Authorize POs Write checks Prepare deposit slips Review bank reconciliations Approve/process vendor invoices and employee time cards Disburse petty cash Reconcile bank & petty cash accts Record A/R and G/L journal entries Initiate bank transfers Receive cash Mail checks

67 Compensating Controls Management should play an active role in achieving compensating controls: Insist on timely reconciliation and review of bank accounts and reconciliation of subsidiary ledgers to general ledger. Periodically change the person who reconciles the bank accounts. Cross-train employees to reconcile the accounts of another individual. Require employees who are involved in accounting functions to take a vacation of at least one week in length.

68 Compensating Controls (continued) Require two (2) signatures on checks in excess of certain amounts. Consider outsourcing functions. Utilization of a lockbox service.

69 Importance of Internal Controls and Minimizing the Cost of Fraud Set the tone at the top Have a written code of ethics and other important policies Check employee references Examine the bank statements Establish a whistleblower hotline Create a positive work environment Perform an internal control review

70 Timing of Expenditures / Expenses Accrual Basis of Accounting: Revenues are recorded when earned and expenses are recorded when a liability is incurred, regardless of the timing of the related cash flows. Modified Accrual Basis of Accounting: Expenditures are generally recorded when a liability is incurred, as under accrual accounting. However, debt service expenditures and other items related to long-term liabilities are recorded only considered due and payable.

71 Timing of Expenditures / Expenses (1) Service period NOT invoice date

72 Timing of Expenditures / Expenses (3) Invoices that span multiple periods

73 Common Audit Deficiencies We ran checks on the last day of June so we don t have any A/P this year. Back dating of checks to accomplish the same impact as described in point #1 above. From an internal controls standpoint, what makes this item especially worrisome / concerning?

74 Common Audit Deficiencies (continued) This isn t an expenditure in the current period because we didn t budget for it until next year. Booking accounts payableand prepaiditems Departments holding invoices / not remitting to accounting in a timely manner.

75 Best Practices Train purchasing / accounts payable staff to identify the proper fiscal period from a review of the invoice. Empower them to ask questions! Perform a review of disbursements made after year-end and cross-reference those items to the A/P listing. Require all departments to remit invoices to A/P or accounting within a specified timeframe and send reminders as year-end approaches and shortly thereafter.

76 Best Practices (Continued) Review variance reports for the fiscal period to identify any unusual fluctuations (current period vs. prior period; current period vs. final budget). For significant construction in progress (CIP), review the last contractor invoice that was paid and ensure that the application for payment went up to and included year-end. Retainage?

77 Payroll Review of payroll system master file for changes. Segregations of duties: Preparation of checks Signing of checks Review and authorization of electronic payroll disbursements Resolution of employee payroll questions Edit payroll master file Analytical reviews of current and previous payrolls Payroll registers are reconciled to control totals and approved by mgmt.

78 Payroll (Continued) Access to data/transaction files is restricted Those that make salary determinations should not: Approve changes to salary/wage rates in the employee database master file Define the financial closing and reporting process related to payroll. Where might fraud manifest in the Payroll cycle?

79 Capital Assets Capital asset listings are reviewed by the appropriate level of management and are routed to department managers to ensure the asset physically exists. Physical inventory of capital assets (asset tags). Capital assets are located in a secure area where access is restricted. We monitor our construction projects Process for the approval of additions/disposals

80 Capital Assets (Continued) Capital asset related fraud: Misappropriation of assets Fictitious assets Misrepresentation of asset value

81 Information Technology (IT) Data back-up and recovery procedures are in place These items are scheduled Recovery procedures are tested (at least annually) to ensure they are functioning properly Environmental safeguards are in place (smoke detectors, temp controls, etc.) Physical Security and access to programs and data are appropriately controlled. Procedures exist (and are followed) related to establishing, issuing, suspending, modifiying and closing user accounts and access as needed. Access is terminated in a timely manner when an employee is terminated Password protection, changing passwords, password length and lockout procedures are appropriately followed. Avoiding possibility of ransomware attacks (seem to be very common)

82 Information Technology (IT) Program changes and systems acquisitions/development are managed/approved/reviewed Appropriate level of approval related to program/system changes Only authorized individuals can migrate application programs to production. Test plans are used for any major integration Segregation of duties between: Those who administer IT security Those who can make changes to programs/systems Those who can perform transaction and accounting duties

83 Closing Thoughts As financial leaders, you are responsible for fraud prevention in your organization. You can minimize the risk of loss by taking action sooner rather than later and develop a structured plan and sound internal controls for your organization. Make sure there is follow through on your plans. Proper internal controls often start with personnel handling the transactions having a solid understanding of what needs to be done training is key! Don t be a headline for the wrong reasons.

84