FRAUD IN GOVERNMENT AN OPEN DISCUSSION Presented By William Blend, CPA, CFE
AGENDA: Fraud and Ethics Discussion; Fraud Triangle and Beyond; Data from 2016 ACFE Report to the Nations; Recent Fraud Investigations; Government Audit Expectation Gap; Red Flags; Internal Controls
FRAUD AND ETHICS DISCUSSION
How is Ethics Related to Fraud? Because ethics is a discipline dealing with what is good and bad and with moral duty and obligation.
What is Ethics? Ethics is: a set of moral principles or values; a theory or system of moral values; the principles of conduct governing an individual or a group; a guiding philosophy.
Ethical Conflicts: Personal Values vs. Social Values; Self Interests vs. Benefits to Others; Personal Values vs. Organizational Rules; Ethical Codes vs. Benefits to Others; Honesty vs. Benefits to Others; Personal Values vs. Social Norms
FRAUD DISCUSSION
Fraud Triangle: The capability to commit the fraud; Opportunity
The Fraud Environment. OPPORTUNITY: I'll take the cash from the deposit, write off the A/R as bad debt. I can work around the controls. INCENTIVE: How will I pay my bills? Kids need. I want. Casino night. Drugs. RATIONALIZATION: I deserve a raise... I work long hours... I should have been promoted... I'll pay it back.
Fraud Motivation (MICE): Money; Ideology; Coercion; Ego/Entitlement
The Fraud Diamond Considers Two Types of Fraudsters: The capability to commit the fraud
Fraudsters, More Details. Accidental Fraudster: Focus of Fraud Triangle; First-Time Offender; Well-Educated, Male, Middle Class, Good Person; Pressure Occurs; Rationalization. Predator Fraudster: Deliberate, Arrogant; Seeks Opportunities; No Pressure or Rationalization; May Begin as Accidental; Criminal Mindset.
Fraud, Waste and Abuse. Fraud as defined by Generally Accepted Government Auditing Standards: A type of illegal act involving the obtaining of something of value through willful misrepresentation. Whether an act is, in fact, fraud is a determination to be made through the judicial or other adjudicative system and is beyond the auditor's professional responsibility.
Fraud, Waste and Abuse (Cont.) Waste involves the taxpayers/public not receiving reasonable value for money in connection with any government-funded activities due to an inappropriate act or omission by individuals with control over or access to government resources (e.g., executive, judicial or legislative branch employees, grantees or other recipients). Waste goes beyond fraud and abuse and most waste does not involve a violation of law. Rather, waste relates primarily to mismanagement, inappropriate actions and inadequate oversight.
Fraud, Waste and Abuse (Cont.) Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate. Abuse does not necessarily involve fraud, violation of laws, regulations, or provisions of a contract or grant agreement.
DATA FROM 2016 ACFE REPORT TO THE NATIONS
Victim Organizations - Government
How Occupational Fraud is Committed: Duration of Fraud Based on Scheme Type
Detection of Fraud Schemes: Initial Detection of Occupational Frauds
Detection of Fraud Schemes (Cont.): Source of Tips
Perpetrators: Position of Perpetrator - Frequency and Median Loss
Perpetrators (Cont.): Gender of Perpetrator - Frequency
Perpetrators (Cont.): Age of Perpetrator - Frequency & Median Loss
Perpetrators (Cont.): Tenure of Perpetrator - Frequency and Median Loss
Perpetrators (Cont.): Behavioral Red Flags of Perpetrators
REAL LIFE CASES
Dixon Illinois Lessons Learned. Source: ACFE article "The horses take a nasty fall, Part 2 of 2". Crundwell, on a govt. salary of $80k per year, was living a lavish horse show lifestyle. If she was making that kind of money riding horses, why would she work for a government? We have all heard it before: segregation of duties and internal controls (often touted, seldom followed) are absolutely necessary.
Dixon Illinois Lessons Learned (Cont.): Crundwell was able to authorize and open accounts, make payments, write checks, do transfers, etc. Excuses that the State owed the City money should have been questioned and followed up on. As City Comptroller, she was responsible for picking up and distributing mail. Trust of this employee clouded the judgment of officials and led to a lack of controls and the important role of oversight.
Dixon Illinois Lessons Learned (Cont.): Segregate duties throughout the structure of Dixon. The City is reviewing possible actions. Examples of possible actions: A CFE should be added to the staff of the City. The external auditor should be a CPA who's also a CFE. The mayor and all council members should approve new bank accounts. Two responsible members of management (possibly the mayor and a council member) should review and approve all invoices. All payments exceeding a set amount based on operational budget should have two signatures for approval. The City council should review and approve all transfers of funds between accounts, including wire transfers.
Dixon Illinois Lessons Learned (Cont.): The mayor and/or council should provide initial anti-fraud orientations for new employees and mandatory, annual anti-fraud reorientations, which would include: The City's fraud prevention policies. A statement of zero tolerance of fraudulent activities. A discussion of red flags that employees have to report and how to report them. These three previous items have to be included in the annually updated employee handbook.
Dixon Illinois Lessons Learned (Cont.): The mayor and/or council should provide initial anti-fraud orientations for new employees and mandatory annual anti-fraud reorientations, which would include (Cont.): Establish an anonymous fraud hotline. Implement mandatory job rotation. Fully explain the vacation policy, which includes mandatory vacations. A designated official (mayor or council member) would initiate surprise audits by internal auditors or audit teams to review all or select transactions, accounts and financial statements.
Recent Fraud Investigations: The Parks and Recreation - $88K; The Landfill Employee; The Bookkeeper and the Corporate Credit Card - $20K; The Team CEO + CFO - $305k
Parks and Recreation: Customer receipts submitted with daily deposits did not match checks and/or money orders actually deposited. Customer receipts found which were never deposited. Cash receipts found which were never matched to corresponding deposits. Missing receipt numbers discovered indicating additional missing deposits. Ticket sales did not reconcile to deposits. Instructor receipts marked void but corresponding payroll paid to instructors.
Bookkeeper and Corp. Cr. Card: Unsupported credit card transactions. Checks written supported by invoice copies attached as support. Checks written supported by receipt cut off before tax amount. No supporting documentation of credit card transactions. Payments to family members.
The Team CEO + CFO: Falsified healthcare reimbursement plan payments. Personal transactions on corporate credit card. Auto lease.
ORGANIZATION'S ANTI-FRAUD SCORE? FOOD FOR THOUGHT
Organizational Fraud Checkup. Purpose: potential clients think about possible issues that could impact their organization. Consider offering this as a service to clients but remember, they should have legal representation involved.
Organizational Fraud Checkup (Cont.). Fraud risk oversight: to what extent has the organization established a process for oversight of fraud risk by its governance? Fraud risk ownership: how has the organization created ownership of fraud risk by identification of parties having responsibilities for fraud risk and communication to others in the organization of responsible parties? Fraud risk assessment: to what extent has the organization implemented an ongoing process to evaluate the risk of fraud in the organization?
Organizational Fraud Checkup (Cont.). Fraud risk tolerance and risk management policy: does the organization have an approved fraud risk tolerance and risk management policy which includes a fraud risk component? Process-level anti-fraud controls / re-engineering: how has the organization implemented measures to reduce each of the significant fraud risks identified through the fraud risk assessment?
Organizational Fraud Checkup (Cont.). Environment-level anti-fraud controls: to what extent has the organization implemented a process to promote ethical behavior, deter wrongdoing and promote two-way communication on difficult issues? Proactive fraud detection: to what extent has the organization established a process to detect, investigate and resolve potentially significant fraud?
GOVERNMENT AUDIT EXPECTATION GAP
Types of Audits. Financial statement audits: Focuses on looking for misstatements in the financial statements. OMB Circular A-133 Compliance Audits (or Single Audits): Focuses on compliance with federal programs requirements and internal control over federal expenditures. Forensic (Fraud) Audits: Focuses on identification of fraud. Usually, narrowly focuses on specific allegation or suspected fraudulent activity.
Role of Financial Statement Audit: Primarily for an opinion about the fair presentation of the financial statements. Provide only reasonable assurance that the financial statements are free from material misstatement, regardless of cause, but reasonable is defined as a high level of assurance. However, the role shouldn't be taken for granted, as many analytical relationships among the financial statements, when performed by the auditor, can expose the potential issue.
Financial Statement Audits: Only a small percentage of fraud detected by financial statement audit. Financial statement audits are not fraud or forensic audits. Objective is issuing an opinion of financial statements. The auditor's report only gives reasonable assurance that there are no material misstatements in the financial statements. Auditors are not required to detect fraud.
Financial Statement Audits (Cont.): Auditor's consideration of fraud risk is limited to material misstatements in the financial statements. Auditors obtain an understanding of internal control over financial reporting when planning the audit. A financial statement audit can provide valuable insight into adequacy of internal controls. Control weaknesses could be key indicator of a fraud opportunity. Auditors must exercise professional skepticism during the audit.
AU-C Section 240, Consideration of Fraud in a Financial Statement Audit: The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement, whether caused by error or fraud. Professional skepticism; Discussion among engagement personnel; Identify risks of material misstatement; Assess the risk; Respond to the results; Evaluate audit evidence; Communicate with management and those charged with governance; Document consideration of fraud.
Government Auditing Standards, Reporting Fraud in a Financial Statement Audit: In an audit performed in accordance with Government Auditing Standards the auditor has additional responsibilities related to reporting fraud above what is required in AU-C 240. If the auditor concludes that fraud has occurred or is likely to have occurred: Include in the report on internal control over financial reporting and on compliance and other matters. Information about fraud with material effect on the financial statements that warrant the attention of those charged with governance. Information that does not warrant the attention of those charged with governance, the auditor's determination of whether and how to communicate such instances to auditee officials is a matter of professional judgment.
OMB A-133, Single Audit, Assessing Risk of Material Noncompliance Due to Fraud: AU-C 240 also applies to a compliance audit. In a Circular A-133 audit, the assessment of fraud risk relates to fraudulent acts that may result in a material noncompliance with a major federal program's compliance requirements or the misappropriation of federal funds.
OMB A-133, Single Audit, Assessing Risk of Material Noncompliance Due to Fraud (Cont.): As part of the risk-assessment process in a Single Audit, the auditor should: Specifically assess the risk of material noncompliance with a major program's compliance requirements occurring due to fraud (fraud risk). Consider that assessment in designing the audit procedures to be performed. The assessment of fraud risk should be ongoing throughout the audit. Use professional judgment in adapting AU-C 240 to the objectives of a Single Audit.
OMB A-133, Single Audit, Assessing Risk of Material Noncompliance Due to Fraud (Cont.): Suggested Single Audit risk assessment fraud procedures: Conducting a meeting of audit team members to discuss the risks of material noncompliance due to fraud. Gathering information necessary to assess fraud risk factors for major programs. Documenting entity-wide programs and controls in place to prevent, detect, and deter fraud. Inquiring of management, those charged with governance, internal audit, and others about the risks of fraud related to major programs.
RED FLAGS
Behavioral Red Flags: Providing unreasonable responses to questions. Bragging about significant new purchases. Refusing promotions. Easily annoyed at inquiries. Refusing to take vacations.
Behavioral Red Flags (Cont.): Borrowing money from co-workers. Gambling, drug use. Excessive drinking. Creditors or collectors appearing at workplace. Change in normal behavior.
Procurement Fraud and Red Flags. Unjustified Sole Source: Unjustified sole source is defined as a fraudulent act involving procurement personnel who, in collusion with a supplier, improperly award a contract without competition or prior review.
Procurement Fraud and Red Flags (Cont.) Unjustified Sole Source red flags: Sole source award above or just below competitive bidding limit. Previously competitive procurements become noncompetitive. Vague justification or documentation requesting a non-competitive award. Split purchases to avoid competitive bidding limits.
Procurement Fraud and Red Flags (Cont.) Unjustified Sole Source red flags (Cont.): Contract requirements were not reviewed and validated by management. Contract requirements appear to be tailored to a specific contractor. Awards made below the competitive bid limits that are followed by change orders that exceed such limits.
Procurement Fraud and Red Flags (Cont.) Change Order Abuse: Contractor acting alone or in collusion with contract personnel, can submit unjustified or inflated change order requests to increase profits, or, as a result of corruption, use the change order process to extend a contract that should be re-bid.
Procurement Fraud and Red Flags (Cont.) Change Order Abuse red flags: Weak internal controls and procedures regarding review or need for change orders. Numerous, unusual or unexplained change orders for a specific contractor approved by the same employee. Pattern of low-bid award followed by change orders that increase the price or scope of the contract, or extend the contract period. Vague contract specifications followed by change orders.
Procurement Fraud and Red Flags (Cont.) Change Order Abuse red flags (Cont.): Poorly documented change orders, or change order requests in round number amounts, if that is unusual for the job. Pattern of change orders just below upper-level approval limit. High-level personnel involved in change order decisions, especially for specific contractors. Purchase orders of contracts extended by change order, rather than re-bidding of contract.
Procurement Fraud and Red Flags (Cont.) Split Purchases: A single procurement can be split into two or more purchase orders or contracts, each below upper-level review or competitive bidding thresholds, to avoid review or competitive selection. Repetition of this scheme, favoring the same parties, can be a strong indicator of corruption.
Procurement Fraud and Red Flags (Cont.) Split Purchase red flags: Two or more similar procurements from the same supplier in amounts just under competitive bidding or upper-level review limits. Unjustified separation of purchases, e.g., separate contracts for labor and materials, each of which is below competitive bidding limits, but when combined is over such limits. Sequential purchase orders or invoices under upper-level review or competitive bidding limits. Contracts under the competitive bid limit followed by change orders that increase amount of the contract.
Procurement Fraud and Red Flags (Cont.) Fictitious Vendor: An employee with procurement responsibilities, or in accounts payable, or an outsider, submits bills from a non-existent vendor. Normally, fictitious vendors claim to provide services or consumables, rather than goods or work that can be verified. Dishonest bidders also can submit bids from fictitious bidders as part of bid-rigging schemes.
Procurement Fraud and Red Flags (Cont.) Fictitious Vendor red flags: Paid vendors are not on the approved vendor list or listed in business or telephone directories. Invoiced goods or services cannot be located or verified. Inadequate vendor identification information. Incorrect or non-existent address or phone number. Vendor address or telephone number is the same as an employee's.
Procurement Fraud and Red Flags (Cont.) Fictitious Vendor red flags (Cont.): Small initial purchase from vendor, followed by much larger purchases. Payment provided without an invoice. Copied or unusual supporting documents, such as purchase order or receiving document submitted with invoice. Multiple companies that have the same address/telephone numbers.
Cash Collection Fraud and Red Flags. Cash Collection Environment Fraud: When employees manipulate cash register transactions or operations to steal cash, inventory items, or non-cash assets. In governments, this often happens at locations such as recreation departments, offsite inventory locations, special events, golf course pro-shop, etc.
Cash Collection Fraud and Red Flags (Cont.) Cash Collection Fraud red flags: Insufficient supervisory review of cashiers' daily activities. Cashiers working out of open cash drawers/boxes. Cashiers have access to register Read and Reset keys. Cashier can then clear registers, determine sales figures for the day, and accumulate/remove overages at the end of day. Cash register "Read Window" blocked from patron's view allowing cashier to not ring or under-ring sales.
Cash Collection Fraud and Red Flags (Cont.) Cash Collection Fraud red flags (Cont.): Advance approval for voided transactions, refunds, and over-rings are not required. Excessive use of the no sale key. Cash deposits not received by the bank. Excessive use of coupons and discounts. Weak cash handling procedures and cash accounting records. Significant inventory adjustments; generally write offs. Significant/unexpected changes in sales without reasonable explanation.
Credit Card Fraud and Red Flags. Credit Card Fraud: Employees use an organization's credit card to make unauthorized purchases. Credit cards are sometimes used to circumvent procurement policies.
Credit Card Fraud and Red Flags (Cont.) Credit Card Fraud red flags: Unreasonable or unexplained high volume of purchases from a particular vendor. Split purchases without purchase order to avoid upper-level review or to circumvent the purchasing policy. Receipts or invoices supporting purchases are missing or photocopied, which may indicate they were altered. Receipts or invoices are not sufficiently detailed to document actual purchases.
Credit Card Fraud and Red Flags (Cont.) Credit Card Fraud red flags (Cont.): Lack of proper approvals and/or separation of functions, such as requiring manager approval prior to purchase, cardholder makes the purchase, and an independent person receives the purchase. Vendor used excessively by only one cardholder. Purchases made during weekends or holidays which are outside of cardholder's or organization's work schedule period.
CONTROLS ARE THE KEY
Types of Controls: Preventive; Detective; Corrective; Manual and Automated
The COSO Framework, Relationship of Objectives and Components: Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives). COSO depicts the relationship in the form of a cube: The three objectives are represented by the columns. The five components are represented by the rows. The entity's organizational structure is represented by the third dimension. Source: COSO
Standards: COSO vs. Green Book
Component: COSO / Green Book
Control Environment: 5 Principles, 20 Points of Focus / 5 Principles, 13 Attributes
Risk Assessment: 4 Principles, 27 Points of Focus / 4 Principles, 10 Attributes
Control Activities: 3 Principles, 16 Points of Focus / 3 Principles, 11 Attributes
Information & Communication: 3 Principles, 14 Points of Focus / 3 Principles, 7 Attributes
Monitoring: 2 Principles, 10 Points of Focus / 2 Principles, 6 Attributes
Note: GAO combined COSO's points of focus into attributes
What Are the Five Standards for Internal Control? The five standards for internal control are: Control Environment; Risk Assessment; Control Activities; Information and Communications; Monitoring
Control Environment: Control Environment sets the tone of an organization, influencing staff awareness of good controls, procedures, accountability, and program management. It is the foundation for all other components of internal control, providing discipline and structure. Red Flags: The agency or program has recently undergone major change, e.g., new responsibilities, reorganization, cuts in funding, expansion of programs, changes in management. Employees are generally disgruntled. Top management is unaware of actions taken at the lower level of the organization. The organizational structure is inefficient or dysfunctional.
Risk Assessment: Risk Assessment is the identification and analysis of relevant risks associated with achieving program or agency objectives, such as those defined in strategic and annual performance plans, and forming a basis for determining how risks should be managed. Red Flags: The agency or program does not have well-defined objectives. (If the agency does not know what it is trying to accomplish, it will not be able to adequately assess risks). The agency or program does not have adequate performance measures. (If you don't know how to measure success or whether the program is successful, you will not be able to adequately assess risks). The agency or program does not have an adequate strategic plan.
Control Activities: Control Activities are the policies and procedures established to achieve the entity's objectives. They help ensure that management's directives are carried out in daily program operations. Red Flags: Agency or program is understaffed and/or workload has drastically increased, and staff are having difficulties handling operational workload. There have been previous issues with fraud, waste, or abuse. Employees are unaware of policies and procedures, but do things the way they have always been done. Key documentation is often lacking or does not exist.
Information and Communication: Information and Communication is needed by management and employees to monitor progress in meeting the organization's mission and objectives while maintaining proper accountability and internal control. Red Flags: When top management needs information, there is a mad scramble to assemble the information, or the process is handled through ad hoc mechanisms (e.g., the information was not readily available). Staff is frustrated by requests for information because it is time-consuming and difficult to provide the information. Management does not have reasonable assurance that the information it is using is accurate.
Monitoring: Monitoring is accomplished through routine, ongoing activities, separate evaluations, or both. Internal control systems should be monitored to assess their effectiveness and to modify procedures as appropriate based on results of the monitoring activities (feedback). Red Flags: Previous audit findings are not being resolved adequately or timely. Significant problems exist in controls and management was not aware of those problems until a big problem occurs, or until another outside party brings it to their attention (e.g., a recipient of funding, or an external audit).
Questions or Comments