A fraud examination

Internal Audit &
Corporate Forensic Services
Florida Government Finance Officers Association
2013 Annual Conference
Agenda
 Our View of Fraud Risk
 Irregularities & Defalcations
 Fraud Statistics
 Fraud in Most Organizations
 Frauds & Allegations in the News
 Key Principles to Manage Fraud
 Internal Reviews and Fraud Examinations
 Common Red Flags
 Red Flags and Red Herrings
 Fraud Theory
 The Good Person Test
 Our Approach to Fraud Investigations
 Why Assess Control Maturity?
 Data Analytics
 Business Cycle Fraud Areas
 Fraud Red Flags & Cases
 P2P Frauds & Controls
 Reporting Results
Our View of Fraud Risk
Fraud Occurs Primarily Because…
 Unseen fraud risk – blindsided
 Unmanaged fraud risk
 Anti-fraud controls being relied upon, failed
Note that fraud most often occurs without the aid of collusion and could
have been prevented by looking at a couple of key areas.
Irregularities & Defalcations
…are just fancy words for lying and stealing
 Every business faces operational risks, including the risk of loss due to
fraud.
 A typical organization loses 5% of its revenues to fraud each year¹.
 Applied to the 2011 Gross World Product, this figure translates to a potential
projected annual fraud loss of more than $3.5 trillion¹.
¹ According to the 2012 Report to the Nations published by the Association of Certified Fraud Examiners
(ACFE). See the ACFE's website for a copy at http://www.acfe.com/fraud-resources.aspx
Fraud Statistics
 Asset misappropriation comprises 87% of frauds reported, with a median loss
of $120,000.
 Corruption schemes have median losses of $250,000.
 Financial statement fraud schemes make up 8% with a median loss of $1
million.
Note that our experience is consistent with these statistics¹.
¹ According to the 2012 Report to the Nations published by the Association of Certified Fraud Examiners
(ACFE). See the ACFE's website for a copy at http://www.acfe.com/fraud-resources.aspx
Fraud in Most Organizations
The vast majority of fraud occurs along the procurement cycle:
 Asset misappropriation
 Inventory
 Fraudulent disbursements (there are a host of schemes)
 Corruption
 Conflicts of Interest (purchasing schemes)
 Bribery
 Illegal gratuities
 Economic extortion
 We focus much of our expertise on embezzlements. We leverage our
industry expertise, internal control specialists, technology, forensic
accountants and fraud examiners to bring value and insights to our clients.
Fraud & Allegations in the News
 Mint Hill, NC – The former Fire Chief of the Mint Hill Volunteer Fire
Department pleaded guilty to embezzling more than $225,000 from the
Town of Mint Hill and the Fire Department, according to the U.S. Attorney's
Office. The former Fire Chief carried out the embezzlement from May 2010
to April 2012, primarily by setting up a sham corporation.¹
 Durham, NC – Two former North Carolina Central University administrators
were indicted Wednesday on charges of embezzlement – a year after a
state audit (June 2011) found they allegedly used an unauthorized bank
account to divert more than $1 million from a state program.²
¹ wbtv.com 11/27/2012 - Former Mint Hill Fire Chief pleads guilty to embezzlement
² WRAL 8/6/2012 - Ex-NCCU administrators indicted on embezzlement charges
Fraud & Allegations in the News
 Kinston, NC – July 17, 2012, Stephen LaRoque, a sharp-tongued former
state lawmaker who often railed against wasteful government spending, had
little to say Monday as he sat in a defendant’s chair for his first court
appearance on charges of stealing federal funds.
 LaRoque, 48, of Kinston, was named in an eight-count federal indictment
last month, accused of money laundering and embezzling hundreds of
thousands of dollars from two economic development non-profits, the East
Carolina Development Company and Piedmont Development Company.¹
¹ NC Policy Watch 8/6/2012 - A more subdued LaRoque in court on embezzlement charges
Key Principles to Manage Fraud
 The 5 Key Principles to proactively Manage Risk¹:
1. Written policies
2. Fraud risk assessment
3. Prevention controls
4. Detection controls
5. A reporting process, and a coordinated approach to
investigation / corrective action
¹ Managing the Business Risk of Fraud: A Practical Guide. Joint study conducted by The Institute
of Internal Auditors, the American Institute of CPAs and the Association of Certified Fraud
Examiners. Published July 2008
Internal Reviews & Examinations
 An internal review is used to determine if sufficient predication exists to
commence a fraud examination.
 Predication is defined by the Association of Certified Fraud Examiners
as, “the totality of circumstances that would lead a reasonable,
professionally trained and prudent individual to believe a fraud has
occurred, is occurring and/or will occur.”
 A fraud examination is an extension of an internal review to prove or
disprove a suspected loss:
 Determine whether a loss due to fraud has occurred
 Determine the extent of loss (calculate estimated damages)
 Determine whether sufficient evidence exists to:
‒ Obtain a court order for further investigation, e.g., an off-site search warrant of
suspect’s property
‒ Obtain a court order to seize or freeze assets
‒ File criminal charges
‒ File civil charges
Common “Red Flags”
 Attempt to Limit Access to Records, Personnel or Facilities
 Missing Documents
 Dominating Management
 Ineffective Accounting Systems (Segregation of Duties) or Inadequate Monitoring
Activities
 Highly Complex Transactions Often Recorded Near Year-End
 History of Internal Control Issues Not Resolved Satisfactorily or Timely
 Poorly Communicated Code of Conduct or Lax Enforcement
 Aggressive Use of Accounting Principles
 Secretiveness by Employee(s)
 Appearance of Living “Beyond One’s Means”
 Failure to Take Vacation (or extended vacations without pay)
Red Flags and Red Herrings
 Conducting interviews and spotting deception
 The cast of characters - parsing out relevant facts from equivocations
(a/k/a “bunny trails”)
 The two types of deception
 Omission
 Falsification
 Understanding internal controls and the business cycle
 Key is defining the fraud(s) and related potential allegations
 Collecting facts (who, where, what, when and how)
 Often the hardest thing is to find the proverbial “smoking gun” or “dead
body”.
Fraud Theory
 Determine if “Fraud Triangle” factors are present
 Need (whether actual or perceived)
 Opportunity
 Rationalization
[Figure: “the Fraud Triangle” (Cressey). FRAUD arises from three factors: PERCEIVED NEED (pressure or lifestyle), PERCEIVED OPPORTUNITY (control weakness or temptation), and RATIONALIZATION (overcoming the conscience).]
Why Assess Control Maturity?
The Good Person
 Do you think most people would consider themselves to be a good person?
 Try conducting this scientific test (scientific means the test can be repeated) –
Ask a sample of people (10 – 1,000) that you come in contact with this one
“yes” or “no” question: “Would you consider yourself to be a good person?”
 How do you think most people will respond? Yes or No?
 Our hypothesis is that people who commit fraud must first rationalize it so that
they suppress the alarm of their conscience. “Con” – “Science” or “With” –
“Knowledge” of right and wrong. The conscience must be overcome in order to
maintain the self-image of being a good person.
 It is important to understand that every person’s behavior is logical to them.
Otherwise, it is hard, if not impossible, for an individual to justify their behavior.
The Approach to Fraud Investigation
 Working through an Attorney (work product doctrine)
 Initial interviews and setting expectations
 Determining the fraud area(s) and avoiding the wild goose chase
 Policy and statute review
 Working with/without law enforcement
 Digital forensics
 Assessing control maturity
 Data Analytics
 Fraud investigation (Fraud Red Flags)
 Forensic accounting and estimating losses
 Reporting results
 Pre and post litigation support
 Assessing control maturity
 Data Analytics
 Business Cycle Fraud Areas
 Fraud Red Flags – Cases
 Reporting
Data Analytics
 We use Computer Aided Auditing Techniques (CAATs) to run tests
for the most likely red flags and to narrow the focus when investigating
fraud and estimating losses.
 Revenue cycle (Financial Fraud)
 Procurement cycle (Corruption & Embezzlement)
• Vendor management
• Purchasing & Receiving
• Inventory consumption & reclamation
• Invoice processing
• Cash disbursements
 Inventory cycle (Shrinkage)
 Payroll cycle (Fraudulent disbursements)
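As an added illustration (not code from the presentation or the firm), the sketch below shows two procurement-cycle tests of the kind a CAATs run might include: vendors that share an address or bank account with an employee, and payments that repeat the same vendor, invoice number and amount. The presentation does not say which tests are run; the field names, matching rules and sample records are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data (assumption, not from the presentation).
EMPLOYEES = [
    {"id": "E01", "address": "12 Oak St., Apt 4", "bank": "111-222"},
    {"id": "E02", "address": "9 Elm Road", "bank": "333-444"},
]
VENDORS = [
    {"id": "V10", "address": "500 Industrial Pkwy", "bank": "900-100"},
    {"id": "V11", "address": "12 OAK ST APT 4", "bank": "900-200"},
    {"id": "V12", "address": "77 Harbor Blvd", "bank": "333-444"},
]
PAYMENTS = [
    {"vendor": "V10", "invoice": "INV-1001", "amount": 4250.00},
    {"vendor": "V10", "invoice": "inv 1001", "amount": 4250.00},
    {"vendor": "V10", "invoice": "INV-1002", "amount": 4250.00},
    {"vendor": "V11", "invoice": "0007", "amount": 9900.00},
]

def norm(text):
    """Uppercase and strip punctuation/spacing so trivial variations still match."""
    return re.sub(r"[^A-Z0-9]", "", text.upper())

def vendor_employee_matches(vendors, employees):
    """Flag vendors sharing a normalized address or bank account with an employee
    (a possible shell company or undisclosed conflict of interest)."""
    hits = []
    for v in vendors:
        for e in employees:
            shared = [f for f in ("address", "bank") if norm(v[f]) == norm(e[f])]
            if shared:
                hits.append((v["id"], e["id"], shared))
    return hits

def duplicate_payments(payments):
    """Group payments by vendor, normalized invoice number and amount;
    return the row indexes of every group with more than one payment."""
    groups = defaultdict(list)
    for i, p in enumerate(payments):
        key = (p["vendor"], norm(p["invoice"]).lstrip("0"), round(p["amount"], 2))
        groups[key].append(i)
    return [rows for rows in groups.values() if len(rows) > 1]

if __name__ == "__main__":
    print("Vendor/employee overlaps:", vendor_employee_matches(VENDORS, EMPLOYEES))
    print("Possible duplicate payments:", duplicate_payments(PAYMENTS))
```

A hit is a red flag that narrows where to look, not a finding; each match still needs supporting documents before it counts as evidence.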
Business Cycle Fraud Areas
 Procurement cycle (P2P)
 Inventory
 Payroll, compensation, and benefits
P2P Frauds
Corruption Activities
 Conflicts of interest
 Bribery
 Illegal gratuities
 Economic extortion
P2P Frauds
Fraudulent Disbursements
 Billing Schemes
• Shell companies
• Non-accomplice vendors
• Personal purchases
 Check Tampering
• Maker – forged or authorized
• Forged endorsement
• Altered payee or altered amount
P2P Frauds
Fraudulent Disbursements
 Expense Reimbursement Schemes
• Mischaracterized expenses
• Overstated expenses
• Fictitious expenses
• Multiple reimbursements
What is the cheapest and best control to reduce
exposure to the risks?
P2P Control Areas
 Procurement cycle (purchasing & vendor schemes)
• Vendor authorization & set up
• Vendor credentials
• Related parties and potential conflicts of interest
• Competitive bidding
• Vendor change management
• Vendor inactivity
• Vendor record maintenance (archives)
• Purchase commitments
• Gifts
• Reporting improper/suspicious activities
P2P SOD Controls
Best practice, per the ACFE, is to separate these duties:
 Purchasing Goods and Services
 Authorizing the purchase
 Receiving goods and services
 Making payments
What control area is missing from this
separation of duties (SOD)?
P2P – Inherent Business Risks
 Inherent Business Risks:
‒ Lost invoices
‒ Late vendor payments
‒ Missed vendor credits
‒ Duplicate invoice payments
‒ Missed early payment discounts
‒ Ineffective payment push-outs and pull-ins (cash mgmt)
‒ Over-controlled back-end authorization activities
‒ Higher employee turnover creates exposure to change
‒ High cost of training
‒ Non-scalable and unsustainable business processes
‒ Impacts manufacturing execution and service delivery risk
P2P - Opportunities
Significant value can be gained by maturing internal controls, which can
save mid-sized companies ($$$K - $M+) annually:
 Reduce AP headcount or create bandwidth for future growth
 Eliminate lost invoices
 Reduce risk of duplicate invoice payments
 Reduce invoice approval time (routing paper invoices)
 Reduce document retention costs
 Take advantage of early payment discounts
 Take advantage of electronic credit card payments
 Reduce cost of payment via electronic payments
 Reduce time for check voucher and payment authorizations
 Significantly reduce the risk of fraud
 Significant process efficiencies - save manager review time
and allow monitoring using simple, effective metrics
 Lowers manufacturing and service delivery execution risk
Measuring Success in Shared Services
 Establish key metrics
 Focus on vendor management & invoice matching (preventive)
 Effective outsourcing (invoice entry & payments)
 Create paperless shared service environment
 Vendor discounts & electronic payments
 Saves real $$$ and creates more bandwidth
Fraud Red Flags - Cases
Inventory (shrinkage)
 Controls over raw consumption
• Do cycle counts really work as an anti-fraud control?
• Material issues to production
 Controls over reclamation (waste streams)
• Data analytics and expected relationships
 Controls over finished goods
• Cycle counts again
• Accepted levels of shrinkage
Fraud Red Flags - Cases
Payroll, compensation, and benefits
 Controls over new hires and terminations
 Controls over salary and wages
 Controls over manual check processing & payouts
 Controls over stock based compensation
 Controls over childcare benefits
 Controls over medical benefits processing
Reporting Results
The 4 elements of effective fraud reporting:
 Brief clear statement of the issue(s)
 Relevant policies, rules, standards, laws and regs
 Analysis of evidence and impressions
 Conclusions, i.e., findings and recommendations
Our Services
 We focus on embezzlement in the form of asset misappropriations, financial
statement fraud schemes, and corruption activities.
 Our Firm provides the following services:
 Fraud examination services
 Computer examinations
 Data Analysis
 Forensic accounting and economic damage computation
 Pre and post litigation support
 Fraud risk assessment and advisory services
 Anti-fraud control design and implementation
 Targeted fraud awareness training
Note: For suspected international corruption type activities, we work with global business
partners with the regional expertise in foreign operations, law enforcement and legal
systems.
Scott McKay – Brief BIO
 Partner & Practice Leader – Risk Advisory Services, CPA, CFE, CIA, CCSA
 Director Corporate Audit and Corporate Controller – Cree, Inc. (NASDAQ “CREE”) $1.2B MNC in
Semiconductor Industry with operations in 18 countries. LED lighting technology leader.
 Audit and Risk Advisory Mgr.- McGladrey. Large public and private clients in manufacturing,
distribution, construction, gaming (Casinos), along with government and university experience.
 Fraud investigation experience: purchasing schemes, conflicts of interest, credit card fraud,
check tampering, embezzlements of inventory, financial fraud, ponzi and stock option schemes
 Select speaking engagements:
American Institute of Certified Public Accountants (AICPA)
*AICPA Internal Control Task Force member - 2012 COSO Internal Control External Financial Reporting Exposure Draft
*Member - AICPA Business and Industry - Risk Management and Internal Control Advisory Panel conference speaker
*AICPA National CFO Conference (2010 Los Angeles);
*AICPA Corporate Directors Conference (2010 New York)
*AICPA task force member - Good Practice Guidance for Evaluating and Improving Internal Control in Organization published by
International Federation of Accountants
*Institute of Internal Auditors (IIA) Raleigh Chapter
*Speaker continuing professional education classes on risk management for the local IIA Raleigh Chapter
North Carolina State University (NCSU)
*NCSU lecturer - Forensic Accounting, Internal Audit undergraduate classes
Information Systems Audit and Control Association (ISACA)
*Speaker for continuing professional education classes on risk management for the local Raleigh Chapter
QUESTIONS
Contact.
Scott McKay | Partner, Forensic and Advisory Services
smckay@cbh.com | 919.782.1040
Bruce Yasukochi | Senior Manager, Forensic and Advisory Services
byasukochi@cbh.com | 954.556.1720
Cherry Bekaert LLP
www.cbh.com