Angela Balent and C. Michelle Blackstock

Presented by
C. Michelle Blackstock, CPA/CITP
Partner, Grau & Associates
FRAUD
Webster’s definition is: “The intentional perversion of
truth in order to induce another to part with
something of value or to surrender a legal right.”
Audit Perspective of Fraud
 Intentional act that leads to the material misstatement
in the financial statements that are the subject of an
audit.
 Auditor is responsible for obtaining reasonable
assurance the financial statements, taken as a whole,
are free of material misstatements – either from fraud
or error.
Auditor Responsibilities
 The auditor is responsible for assessing the risks
(including fraud) that could result in the financial
statements being materially misstated and to respond
to those risks.
 Conduct fraud related inquiries of management and
others within the organization
Auditor Responsibilities
(Continued)
Auditors cannot detect all instances of fraud or
provide absolute assurance that the financial
statements are free of material misstatements caused
by fraud. This is mostly due to the fact that fraud can
involve collusion, false documents and
misrepresentations.
Two Fraud Types
 Misappropriation of assets
 Financial reporting
Misappropriation of Assets
Wikipedia definition is: “Intentional use of
property or funds of another person for one’s own
use or other unauthorized purpose.”
Types of Misappropriations
 Embezzlement
 Asset theft
 Register schemes – refunds
 Payroll and expense reimbursement
 Billing and vendor
Fraudulent Financial Reporting
Intentional misstatement or omissions in financial
reporting with the intent to deceive the user of the
financial statements.
The Fraud Triangle
Attitude/Rationalization
Pressure
Opportunity
Attitude/Rationalization
 Environment that includes a lack of importance
regarding controls that leads to the ability to accept
or rationalize the committing of fraud.
 Is there a whistleblower policy that allows for
employees to anonymously report abuse and fraud?
Incentive/Pressure
 Environment that gives management/employees
a reason to commit fraud.
 Are there rewards based on reaching financial
goals, is the municipality trying to maintain a
specific credit rating, is there pressure to expend
grant funds in order to keep the grant funding?
Opportunity
Do you give your employees the opportunity to
steal you blind? Let’s take a look at what forms
these opportunities might take.
 Custody of assets
 Authorization or approval of related transactions
 Recording or reporting of related transactions
Statistics
Association of Certified Fraud Examiners – 2010 Report
to the Nations on Occupational Fraud:
 5% of annual revenue lost to fraud which could be $2.9
trillion on a global basis
 Median loss is $160,000
 Small organizations are disproportionately victimized
due to lack of anti-fraud controls
Detection Top Five
Association of Certified Fraud Examiners – 2010 Report
to the Nations on Occupational Fraud:
 Tip from insider or outsider
 Management review
 Internal audit
 By accident
 Account reconciliation
Behavior Warning Signs
Association of Certified Fraud Examiners – 2010 Report
to the Nations on Occupational Fraud:
 Living beyond means
 Financial difficulties
 Control issues
 Unusually close relationship with vendors/customers
 Wheeler-dealer attitude
Prevention
 Understand fraud risks and make an honest
assessment for your industry and organization.
 Brainstorm on significant fraud risk areas and how
fraud can be perpetrated including segregation of
duties conflicts.
 Develop plan of controls on how to address each
risk.
 Monitor the controls to make sure that they are
working as intended and make necessary changes
on a continuing basis.
Segregation of Duties
Basic premise is that we do not give any one
employee or group of employees the ability to
perpetrate and conceal an error or fraud in the
normal course of performing their duties.
Cash Collections
Take the time to identify those areas within the
organization that deal specifically in handling cash
and consider the following:
1. How much of the total revenue does this area
generate?
2. How many people are involved?
Cash Collections
(Continued)
If this is a significant area with few employees, then
you need to consider, at a minimum, that the person
who collects and deposits the cash (including
opening mail) is a different person than the one who
records the cash. Oversight from a manager/board
or council/audit committee should include approval
of write-offs, review of the receivable aging and
adjustments, and follow-up on discrepancies.
Cash Collections
(Continued)
Consider who has direct access to cash, the controls
that are in place to minimize the ability of those
employees to steal/take the cash, continually
monitor this area and test that the controls in place
are working.
Segregation of Duties
 Process by which a charge is paid to a department
different from where the transaction occurs, or
through an automated process.
 The person who collects the cash should not deposit
the cash.
 Independent bank reconciliation.
 Person who directly handles cash collection should
not record the transactions or have cash
disbursement responsibilities.
Revenues
Take the time to identify those areas within the
organization that deal specifically in revenue
generation and consider the following:
1. Process for determining the fees and rates
charged – how can this be overridden and who
reviews for accuracy.
2. Process for setting up the customer and
refunds/credit memos.
3. Who fields customer complaints?
Segregation of Duties
 Council should approve/authorize rates, fees, fines
or assessments.
 Person who prepares the bills should not collect the
revenue or record the transactions.
 Person that records the transactions should not
approve or process write offs or adjustments,
maintain the customer list, field customer
complaints.
 Independent review of accounts receivable aging.
Expenditures
Take the time to identify those areas within the
organization that deal specifically in disbursements/
procurement/payroll and consider the following:
1. Process for procurement and approval, as well as
exceptions to those processes and who monitors it.
What ways can this be circumvented?
2. Employee expense reimbursement policies.
3. Process for setting up vendors and employees and
maintenance of these lists.
4. Who fields vendor/employee complaints about
payments and paychecks?
Expenditure – Red Flags
 Voided transactions/checks
 Check written to employees or cash
 Checks written to vendors with a P.O. box
 Checks written out of sequence
 Multiple entries on the same day to the same vendor
just under approval limits
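The red flags above are all mechanical tests on a check register, so they can be screened automatically before an auditor looks at individual items. The following is an added example, not code from the presentation: the check register, the employee roster and the 5,000 approval limit are constructed sample data, and the "just under the limit" band of 10% is an assumed threshold.

```python
"""Screen a check register for the expenditure red flags listed above.

Added example, not code from the original presentation. The check register,
the employee roster and the approval limit are constructed sample data; a real
review would load them from the disbursement system and payroll."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Check:
    number: int
    issued: date
    payee: str
    payee_address: str
    amount: float
    voided: bool = False


APPROVAL_LIMIT = 5000.00            # assumed policy: a second approval is required at or above this
EMPLOYEES = {"J. Smith", "R. Lee"}  # constructed payroll roster

# Constructed register containing one instance of each red flag: a voided check,
# checks to an employee and to cash, P.O. box vendors, a numbering gap, a check
# dated earlier than its predecessor, and two same-day checks just under the limit.
REGISTER = [
    Check(1001, date(2010, 3, 1), "Acme Supply", "12 Main St", 1200.00),
    Check(1002, date(2010, 3, 1), "J. Smith", "", 850.00),
    Check(1003, date(2010, 3, 2), "Office Depot", "P.O. Box 44", 300.00, voided=True),
    Check(1005, date(2010, 3, 3), "Cash", "", 400.00),
    Check(1006, date(2010, 3, 4), "Quick Parts LLC", "P.O. Box 9", 4950.00),
    Check(1007, date(2010, 3, 4), "Quick Parts LLC", "P.O. Box 9", 4975.00),
    Check(1008, date(2010, 3, 3), "Acme Supply", "12 Main St", 2000.00),
]


def is_po_box(address: str) -> bool:
    """True for 'P.O. Box', 'PO Box', 'Post Office Box' in any spacing/punctuation."""
    compact = address.lower().replace(".", "").replace(" ", "")
    return compact.startswith(("pobox", "postofficebox"))


def find_red_flags(register, employees=EMPLOYEES, limit=APPROVAL_LIMIT, near=0.10):
    """Return sorted (check_number, description) pairs for follow-up.

    `near` is the fraction below the approval limit treated as 'just under'."""
    flags = []
    by_number = sorted(register, key=lambda c: c.number)

    # Sequence checks: gaps in numbering and checks dated before their predecessor.
    for prev, cur in zip(by_number, by_number[1:]):
        if cur.number != prev.number + 1:
            flags.append((cur.number, f"numbering gap after check {prev.number}"))
        if cur.issued < prev.issued:
            flags.append((cur.number, f"dated before preceding check {prev.number}"))

    # Per-check flags: voids, payee is an employee or cash, vendor address is a P.O. box.
    for c in register:
        if c.voided:
            flags.append((c.number, "voided check"))
        if c.payee.strip().lower() == "cash" or c.payee in employees:
            flags.append((c.number, f"payee is cash or an employee ({c.payee})"))
        if is_po_box(c.payee_address):
            flags.append((c.number, f"vendor address is a P.O. box ({c.payee})"))

    # Split purchasing: several same-day checks to one vendor, each just under the limit.
    under_limit = defaultdict(list)
    for c in register:
        if not c.voided and limit * (1 - near) <= c.amount < limit:
            under_limit[(c.issued, c.payee)].append(c)
    for (day, payee), group in under_limit.items():
        if len(group) > 1:
            total = sum(c.amount for c in group)
            for c in group:
                flags.append((c.number,
                              f"{len(group)} checks to {payee} on {day} just under "
                              f"the approval limit (combined {total:.2f})"))
    return sorted(flags)


if __name__ == "__main__":
    for number, description in find_red_flags(REGISTER):
        print(number, description)
```

Every flag is a lead, not a finding: a voided check or a P.O. box vendor is often legitimate, which is why the output is a list for an independent reviewer rather than a verdict.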
Segregation of Duties
 Check signers should not prepare/cut the checks.
 Person who procured/approved the purchase should
not be the person that records the transaction and
cuts the check.
 Person that processes payroll or cuts the check
should not be able to set up a new employee or
vendor.
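The three segregation-of-duties slides (cash collections, revenues, expenditures) each name pairs of duties one person should not hold. Encoding those pairs as a conflict table lets a small government re-check its staffing every time duties are reassigned. This is an added example, not code from the presentation; the duty names and the staff assignments are constructed for illustration.

```python
"""Check duty assignments against the segregation-of-duties rules in the slides.

Added example, not code from the original presentation. The conflict table encodes
the incompatible duty pairs named in the Cash Collections, Revenues and Expenditures
segregation-of-duties slides; duty names and staff assignments are constructed."""
from itertools import combinations

# Each frozenset is a pair of duties one person should not hold at the same time.
CONFLICTS = {
    # cash collections
    frozenset({"collect_cash", "deposit_cash"}),
    frozenset({"collect_cash", "record_transactions"}),
    frozenset({"collect_cash", "disburse_cash"}),
    # revenues
    frozenset({"prepare_bills", "collect_cash"}),
    frozenset({"prepare_bills", "record_transactions"}),
    frozenset({"record_transactions", "approve_writeoffs"}),
    frozenset({"record_transactions", "maintain_customer_list"}),
    frozenset({"record_transactions", "field_customer_complaints"}),
    # expenditures
    frozenset({"sign_checks", "prepare_checks"}),
    frozenset({"approve_purchases", "record_transactions"}),
    frozenset({"approve_purchases", "prepare_checks"}),
    frozenset({"prepare_checks", "setup_vendors_employees"}),
    frozenset({"process_payroll", "setup_vendors_employees"}),
}

ALL_DUTIES = sorted(set().union(*CONFLICTS))

# Constructed staffing for a small finance office.
ASSIGNMENTS = {
    "clerk_a": {"collect_cash", "deposit_cash", "record_transactions"},
    "clerk_b": {"prepare_bills", "maintain_customer_list", "field_customer_complaints"},
    "treasurer": {"sign_checks", "prepare_checks", "setup_vendors_employees", "process_payroll"},
    "council": {"approve_purchases", "approve_writeoffs"},
}


def find_sod_conflicts(assignments):
    """Return sorted (person, duty_a, duty_b) triples where one person holds both
    duties of a conflicting pair."""
    found = []
    for person, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTS:
                found.append((person, a, b))
    return sorted(found)


def unassigned_duties(assignments):
    """Duties nobody holds: a sign that a control is missing, not that it is segregated."""
    held = set().union(*assignments.values())
    return [d for d in ALL_DUTIES if d not in held]


def people_with_full_cycle(assignments, cycle):
    """People who alone hold every duty in `cycle`, i.e. can both perpetrate and
    conceal within that cycle in the normal course of their work."""
    return sorted(p for p, duties in assignments.items() if set(cycle) <= duties)


if __name__ == "__main__":
    for person, a, b in find_sod_conflicts(ASSIGNMENTS):
        print(f"{person}: {a} conflicts with {b}")
    print("unassigned:", unassigned_duties(ASSIGNMENTS))
    print("whole disbursement cycle:",
          people_with_full_cycle(ASSIGNMENTS, ["prepare_checks", "sign_checks"]))
```

Where a conflict cannot be removed because there are too few staff, the compensating controls from the Small Government Issues slides (independent review of reports, surprise counts, rotation) are what the reviewer documents against that line of output.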
Small Government Issues
Not enough employees to properly segregate duties.
Consider the following:
1. Create an audit committee of qualified individuals
to perform regular ongoing oversight.
2. Utilize employees from other small governments or
departments to perform duties.
3. Utilize management/board members/council to
review monthly financial reports as oversight.
4. Hire outside accountant to perform some functions.
Small Government Issues
(Continued)
5. Establish a whistleblower policy that allows for
employees to anonymously report abuse and fraud.
6. Mandatory vacation
7. Rotation of responsibilities
8. Surprise cash counts/reconciliations
9. External audits
General IT Controls
 Control Environment
 Access Controls
 Change management
 Backup and recovery
 Service providers
IT and SOD - Software
 Is the software used to bill revenues, initiate
purchases and process payroll the same?
 If not, how does it integrate with the accounting
software and who reconciles the amounts?
 Who initiates upgrades to the software program, and
who decides whether or not they should be made?
IT and SOD - Access
 Who sets up and removes users from the server?
 Who has access to the software or modules?
 Are users required to have and use passwords to log
in, and are there mandatory password change policies
in place?
 Who has tested that access rights are working as
intended?
IT and SOD - Data
 Who has access to the data and is there a log that
has an “audit” trail?
 Does someone review user accounts to make sure
that employees that have left have been removed in a
timely fashion and denied remote access?
 Are exception reports reviewed by an independent
person and followed up on in a timely fashion?
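The IT and SOD questions on access and data (who is set up and removed, whether passwords are required and rotated, whether departed employees still have accounts or remote access) come together in a periodic user-access review. The following is an added example, not code from the presentation: the account export, the HR roster, the review date and the 90-day password-age policy are constructed assumptions.

```python
"""Periodic user-access review: reconcile application accounts against the HR roster
and the password policy, producing exceptions for an independent reviewer.

Added example, not code from the original presentation. The accounts, HR roster,
review date and 90-day password-age policy are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner: str                 # employee the account was set up for
    active: bool
    remote_access: bool
    password_required: bool
    last_password_change: Optional[date]


REVIEW_DATE = date(2010, 4, 1)
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed mandatory-change policy

# Constructed HR roster: employee -> termination date (None if still employed).
HR_ROSTER = {
    "J. Doe": None,
    "M. Kay": None,
    "R. Lee": date(2010, 2, 15),
    "T. Jones": date(2009, 12, 31),
}

# Constructed account export from the accounting system.
ACCOUNTS = [
    Account("jdoe", "J. Doe", True, True, True, REVIEW_DATE - timedelta(days=30)),
    Account("mkay", "M. Kay", True, False, True, REVIEW_DATE - timedelta(days=200)),
    Account("rlee", "R. Lee", True, True, True, REVIEW_DATE - timedelta(days=60)),
    Account("tjones", "T. Jones", False, False, True, REVIEW_DATE - timedelta(days=400)),
    Account("svc_billing", "Billing interface", True, False, False, None),
]


def review_accounts(accounts, roster, review_date=REVIEW_DATE, max_age=MAX_PASSWORD_AGE):
    """Return sorted (username, exception) pairs for the reviewer to follow up."""
    findings = []
    for acct in accounts:
        if acct.owner not in roster:
            findings.append((acct.username, "owner not on HR roster (orphan or shared account)"))
        else:
            terminated = roster[acct.owner]
            if terminated is not None and terminated <= review_date:
                if acct.active:
                    findings.append((acct.username, f"active after owner terminated {terminated}"))
                if acct.remote_access:
                    findings.append((acct.username, "remote access still enabled after termination"))
        if not acct.active:
            continue   # password checks only matter for accounts that can log in
        if not acct.password_required:
            findings.append((acct.username, "login without password"))
        elif acct.last_password_change is None:
            findings.append((acct.username, "password never changed"))
        elif review_date - acct.last_password_change > max_age:
            age = (review_date - acct.last_password_change).days
            findings.append((acct.username, f"password {age} days old, exceeds {max_age.days}-day policy"))
    return sorted(findings)


if __name__ == "__main__":
    for username, exception in review_accounts(ACCOUNTS, HR_ROSTER):
        print(username, exception)
```

The review is only a control if someone other than the administrator who sets up users runs it and signs off on the exception list; an account like the constructed "svc_billing" with no roster owner is exactly the kind of item that otherwise never gets asked about.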
Presented by
Angela D. Balent, CPA, Member
Internal Control Standards
 SAS 115, Communicating Internal Control Related
Matters Identified in an Audit
 SAS 109, Control Risk Assessment, Use of Service
Organizations and IT Controls
SAS 115
 Communicating matters related to an entity’s internal control over financial reporting
identified in an audit of the financial statements
 Applicable whenever an auditor expresses or disclaims an opinion on financial
statements
 Effective for audits of financial statements for periods ending on or after December
31, 2009
 Defines deficiency in internal control, significant deficiency and material weakness
 Provides guidance on evaluation of severity of deficiencies
 Requires the auditor to communicate in writing to management and those charged
with governance significant deficiencies and material weaknesses
 Generally controls that are relevant to an audit of the financial statements are those that
pertain to the entity’s objective of reliable financial reporting.
Deficiency in Internal Control
 Exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to
prevent, or detect and correct misstatements on a timely basis.
 Deficiency in design exists:
 A control necessary to meet the control objective is missing
 An existing control is not properly designed so that, even if the control
operates as designed, the control objective would not be met
 Deficiency in operation exists:
 A properly designed control does not operate as designed
 The person performing the control does not possess the necessary authority or
competence to perform the control effectively.
Examples of Deficiency in Design
 Inadequate design of controls over a significant account or process
 Inadequate documentation of the components of internal control
 Absent or inadequate segregation of duties within a significant account or
process
 Inadequate design of IT general and application controls that prevents the
information system from providing complete and accurate information
consistent with financial reporting objectives and current needs.
 Employees or management who lack qualifications and training to fulfill their
assigned functions.
Examples of Deficiency in Operation
 Failure in the operation of effectively designed controls over a significant
account or process: for example failure of a control such as dual authorization
for significant disbursements within the purchasing process.
 Failure to perform reconciliations of significant accounts. For example
accounts receivable subsidiary ledger is not reconciled to the general ledger
account in a timely or accurate manner.
 Undue bias or lack of objectivity by those responsible for accounting decisions.
For example consistent understatement of expenses or overstatement of
allowances at the direction of management.
SAS No. 115—Definitions
 Material Weakness—A deficiency, or combination of
deficiencies, in internal control, such that there is a reasonable
possibility that a material misstatement of the entity’s financial
statements will not be prevented or detected and corrected on a
timely basis. (Reasonably possible: chance of the future event or
events occurring is more than remote but less than likely.)
 Significant Deficiency—A deficiency, or combination of
deficiencies, in internal control that is less severe than a material
weakness, yet important enough to merit attention by those
charged with governance. (Previous: more than remote—
“Remote” the chance of future events is slight)
Evaluation of Control Deficiencies
 Is the identified deficiency a material weakness?
 At least a reasonable possibility that a misstatement of the
entity’s financial statements will not be prevented, or
detected and corrected on a timely basis, and such a
misstatement could be material.
 There are compensating controls that mitigate the severity of
the identified deficiency which have been tested and found to
be effective.
 Is the deficiency, which is less severe than a material weakness,
important enough to merit attention by those charged with
governance?
Factors that Affect the Magnitude of a Misstatement
 Financial statement amounts or total of transactions exposed to the deficiency
 Volume of activity (in the current period or expected future periods) in the
account or class of transactions exposed to the deficiency
 Risk factors - nature of account, susceptibility of asset or liability to loss or
fraud, complexity/subjectivity of account, possible future consequences.
 Multiple deficiencies that affect the same significant account or disclosure,
relevant assertion or component of internal control.
Indicators of Material Weaknesses
 Identification of fraud on the part of senior management
 Restatement of previously issued financial statements to reflect the
correction of a material misstatement due to error or fraud
 Identification by the auditor of a material misstatement of the financial
statements under audit in circumstances that indicate that the
misstatement would not have been detected by the entity’s internal
control
 Ineffective oversight of the entity’s financial reporting and internal
control by those charged with governance.
Communication—Form, Content and Timing
 Significant deficiencies and material weaknesses must be communicated in writing,
including those communicated in previous audits that have not yet been
remediated. You may refer to the previously issued written communication and the
date of that communication.
 The written communication is best made by the report release date but should be
made no later than 60 days following the release date.
 Early communication is permitted orally but must ultimately be included in the written
communication, even if such significant deficiencies or material weaknesses were
remediated during the audit.
 Conditions known to management, where management has accepted the risk because
of costs or other considerations, still must be communicated.
 Nothing precludes the auditor from communicating to management other matters
related to an entity’s internal control or recommendations for operational or
administrative efficiency. If these items are communicated orally, the auditor should
document the communication.
SAS 109
 SAS 109, Understanding the Entity and Its
Environment and Assessing the Risks of Material
Misstatement
 Guidance to auditors related to consideration of internal
control as part of the audit
 Guidance on how the entity’s use of information
technology (IT) affects the auditor’s consideration of
internal control in planning the audit
Extent of Auditor’s Understanding
 Must be sufficient to assess the risk of material misstatement of
the financial statements due to error or fraud and to design the
nature, timing and extent of further audit procedures.
 Develop a fairly thorough and robust knowledge of the
components of internal control as the auditor must document
the basis for their risk assessment.
 The auditor is not permitted simply to default to high control
risk. Further emphasized in AICPA Technical Practice Aid (TIS
8200.10)
TIS 8200.10 Defaulting to Maximum Control Risk
 Issued March 2008:
 Question posed: is defaulting to the maximum control risk still permitted
under AU section 314?
 Answer was No. Clarified that, as the auditor obtains that understanding, he or
she may identify material weaknesses in the design of controls and as a result
end up assessing control risk as maximum for some financial statement
accounts and relevant assertions.
 In addition, it also discusses that control risk might initially be assessed at less than
maximum, but after testing the operating effectiveness of controls and finding that
the controls were not effective, the auditor would then reassess control risk at maximum.
TIS Question 8200.07
 TIS Question 8200.07 Considering a Substantive Audit
Strategy is also referenced:
 After identifying and assessing the risk of material
misstatement at the assertion level, the auditor may
adopt a substantive audit strategy because the cost of
testing the operating effectiveness of controls might
exceed their benefits.
TIS 8200.11 Ineffective Controls
 Question: If based on the auditor’s knowledge of the
entity the auditor believes in advance of performing
risk assessment procedures that controls over financial
reporting are nonexistent or ineffective, could the
evaluation and documentation of such controls
(including the walk-through) be skipped?
 Answer: No for all the same reasons.
TIS 8200.15 Identifying Significant Deficiencies
 Question: If the auditor decides not to test controls, does this
mean there is a control deficiency that needs to be evaluated?
 Answer: No—it depends on the reasons the auditor does not test
the control. If the auditor decides not to test a control because it
is nonexistent or improperly designed then it would represent a
control deficiency that would need to be assessed. If the design
is appropriate but the auditor decides not to test it for another
reason (ex. control is redundant) then the auditor has not
identified a control deficiency.
Service Organizations
 When do you need a SAS 70 or additional audit evidence?
 AU Section 324 – Applicable to the audit of the financial statements of an
entity that obtains services from another organization that are part of its
information system.
 Examples:
 Bank Trust Departments that invest and service assets for employee benefit plans or
for others
 Third party billing and collection services (EMS)
 ASPs that provide packaged software applications and a technology environment that
enables customers to process financial and operational transactions
Service Organizations
 Does not apply:
 Situations in which the services provided are limited to
executing client organization transactions that are
specifically authorized by the client
 Processing checking account transactions by the bank
 Execution of securities by the broker.
Service Organizations
 Requirements
 Understand service organization controls
 Test the operating effectiveness of user controls if
relying on service organization controls
 Design and perform further audit procedures based
upon the evaluation of service organization controls
Why Should You Understand Controls?
 Identify types of potential misstatements
 Identify factors that affect the risks of material
misstatements
 Design tests of controls and substantive procedures
Three Questions
 What does the client do? (process)
 What can go wrong? (risks/objectives)
 What does the client do about it? (control)
Focus on What Really Matters!
 BIG risks—risks that could result in a material
misstatement
 BIG controls—controls that address the most risks
Components of internal control (figure): Control Environment, Risk Assessment,
Control Activities, Information and Communication, Monitoring
Top Down Approach
 A company may have hundreds of controls in place!
 Focus on controls related to financial reporting
 Identify the significant classes of transactions
 Identify the most important risks in each class of transactions
(what can go wrong)
 Identify the most effective controls related to those risks (key
controls)
Key Controls often Consist of…
 Activity-Level Controls (Financial Reporting System)
 Authorization
 Segregation of duties
 Safeguarding of assets
 Reconciliations
 Entity-Level Controls (Pervasive Effect on the Entity’s
System of Internal Controls)
 Management reviews
 IT security
Internal Controls Types
 Activity-Level Controls
 Control activities
 Information - process
 Entity-Level Controls
 Control environment
 Risk assessment
 Information and communication
 Monitoring
Walkthrough Inquiries
 Talk to the people who actually do the work
 Understand each individual’s understanding of:
 Required procedures
 Whether procedures are performed that way
 Ask about specific instances of non-compliance
Walkthrough Procedures
 Observe activities and operations
 Inspect documents
 Visit client premises and plant facilities
 Trace transactions through the system
Computer Errors
 “A computer lets you make more mistakes faster than
any invention in human history—with the possible
exceptions of handguns and tequila.”
--Mitch Ratcliffe
Components of a System
Application
Database
Operating System
Network
Simple IT Diagram (figure; components shown: Backup Server, Primary Server,
Purchases & Disbursement Subledger, General Ledger, AP Clerk, End User, Internet)
Understanding IT General Controls
 Computer operations
 Security
 Change management
Computer Operations
 Ensures that the IT system:
 Operates smoothly
 Has the necessary functionality
 Accurately transfers information between applications,
as necessary
 Is appropriately backed-up and protected
Security
 Protects data and hardware from unauthorized access.
Usually consists of the following types of controls:
 Physical security
 Logical security
 Access (e.g. passwords)
 Setup/maintenance of system user rights
 Job function
 Administrator
Change Management
 Ensures that changes to the IT system are authorized,
planned and implemented in line with management’s
intentions. Changes include:
 Upgrades
 Development of new systems
 Deployment of packaged systems
 Changes to the functionality of existing systems (e.g.
changes to report parameters)
Evaluating IT General Controls
 Consider complexity
 Determine scope of evaluation
 Evaluate design and verify implementation
IT General Controls vs. Application Controls
IT General Controls:
• Company-wide policies and procedures that ensure the proper function and
control of information technology
• Analogous to entity-level controls
IT Application Controls:
• Controls that prevent or detect misstatements in a particular process
• Classified as activity-level controls
IT Complexity
More Complex:
• More likely use of a specialist
• More potential risks of material misstatement introduced by the system
• More formal ITGCs
• Greater reliance on IT application controls
Less Complex:
• More likely use of audit staff
• Fewer risks of material misstatement introduced by the system
• Less formal ITGCs
• More reliance on manual controls around the IT system
Do I Need a Specialist?
 Customized system with in-house programmers
 New system or significant changes have occurred
 Multiple locations or multiple applications synching to G/L
 Significant e-commerce activities
 Significant audit evidence only in electronic form
Small Government Fraud
 Town Clerk-Treasurer, the organization’s most trusted employee who
had worked at the Town for 20 years, misappropriated funds through
unauthorized credit card use and fraudulent disbursements.
 $90,256 total loss averaged 3% of the Town’s $1 million annual
operating budget.
 Unauthorized use of town’s credit card purchases from a variety of
internet shopping sites and issued checks to herself using an electric
typewriter that can make corrections
 Employee duties within the town’s treasury department were
inadequately segregated. No one monitored her work to ensure all
financial transactions were authorized, properly supported and
accurately recorded in town’s accounting records.
Easy internal control practices
 Finance Commissioner or someone on Council should require monthly
bank statements to be delivered unopened directly to themselves or
some other independent party. The individual should review the
redeemed checks for unauthorized or unusual transactions.
 Governing bodies should receive disbursement reports listing all
transactions to ensure all disbursements are reviewed and approved
and there are no gaps in check numbers listed for transactions shown
on consecutive reports
 Check signers should never sign blank checks.
 Check signers should compare payee information for agreement on
supporting documents, the check register and redeemed checks.
Big Government Fraud
 GAO reports P-Card abuse in two San Diego Navy facilities. Navy
exercised little control over the $68 million in credit card purchases
made during 2000.
 Numerous questionable purchases, including expensive computer
monitors and Palm Pilots that could not be accounted for as well as gift
certificates to Nordstrom and Mary Kay cosmetics.
 36% of employees at one of the Navy units had military credit cards
and 16% had cards at the other unit investigated. No more than 4% of
the employees at 6 other large defense contractors in area were allowed
to have cards.
 GAO stated the more cardholders in an organization, the harder it is to
control the card system.
Internal controls for P-Cards
 Develop written policies and procedures for effective use of p-cards including
sample disciplinary actions the organization may take against employees, such as
termination for inappropriate use of cards or failure to follow the rules.
 Rules should require employees to obtain copies of receipts for purchases made, to
sign documents acknowledging they received the items and to submit all receipts to
their supervisors for review and approval.
 Supervisors should agree all purchase transactions with bank’s monthly p-card
reports before the organization pays the total amount due to the bank.
 Never pay from the bank’s monthly statement.
 Maintain a log of those prenumbered P-cards that have been issued to each
employee.
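The p-card controls above amount to a three-way reconciliation before the statement is paid: each bank transaction should match a supervisor-approved receipt, and each card on the bank report should be in the issuance log. The following is an added example, not code from the presentation: the bank report lines, receipt submissions and issuance log are constructed sample data, and the seven-day window between purchase and posting is an assumption.

```python
"""Reconcile the bank's monthly p-card report to supervisor-approved receipts and
the card issuance log before the statement is paid.

Added example, not code from the original presentation. The bank report lines,
receipt submissions and issuance log are constructed sample data; the posting
window and the cent tolerance are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class BankLine:
    card_id: str
    posted: date
    merchant: str
    amount: float


@dataclass(frozen=True)
class Receipt:
    card_id: str
    purchased: date
    merchant: str
    amount: float
    approved_by: Optional[str]   # supervisor who reviewed it, None if not yet approved


# Constructed issuance log: prenumbered card -> employee it was issued to.
ISSUED_CARDS = {"PC-001": "A. Adams", "PC-002": "B. Brown"}

# Constructed bank report and receipt submissions for one month.
BANK_REPORT = [
    BankLine("PC-001", date(2010, 5, 3), "Office Mart", 212.40),
    BankLine("PC-001", date(2010, 5, 10), "Cosmetics Co", 89.99),      # no receipt at all
    BankLine("PC-002", date(2010, 5, 12), "Hardware Depot", 640.00),   # receipt not approved
    BankLine("PC-002", date(2010, 5, 20), "Gift Cards Inc", 500.00),
    BankLine("PC-009", date(2010, 5, 22), "Electronics Hub", 1299.00), # card not in log
]

RECEIPTS = [
    Receipt("PC-001", date(2010, 5, 1), "Office Mart", 212.40, "Supervisor X"),
    Receipt("PC-002", date(2010, 5, 11), "Hardware Depot", 640.00, None),
    Receipt("PC-002", date(2010, 5, 19), "Gift Cards Inc", 500.00, "Supervisor Y"),
    Receipt("PC-002", date(2010, 5, 25), "Tool Shop", 75.00, "Supervisor Y"),   # not on bank report
]


def reconcile(bank_lines, receipts, issued_cards, max_days=7):
    """Match each bank line to one receipt on the same card and merchant for the same
    amount, purchased within max_days before posting. Returns (exceptions, approved_total)
    where approved_total is the amount supported by approved receipts."""
    unmatched = list(receipts)
    exceptions = []
    approved_total = 0.0
    for line in bank_lines:
        if line.card_id not in issued_cards:
            exceptions.append((line.card_id, line.merchant, "card not in issuance log"))
        match = None
        for r in unmatched:
            if (r.card_id == line.card_id and r.merchant == line.merchant
                    and abs(r.amount - line.amount) < 0.005
                    and 0 <= (line.posted - r.purchased).days <= max_days):
                match = r
                break
        if match is None:
            exceptions.append((line.card_id, line.merchant, "no receipt submitted"))
            continue
        unmatched.remove(match)   # a receipt supports at most one bank transaction
        if match.approved_by is None:
            exceptions.append((line.card_id, line.merchant, "receipt not approved by supervisor"))
        else:
            approved_total += line.amount
    for r in unmatched:
        exceptions.append((r.card_id, r.merchant, "receipt with no bank transaction"))
    return exceptions, round(approved_total, 2)


if __name__ == "__main__":
    exceptions, supported = reconcile(BANK_REPORT, RECEIPTS, ISSUED_CARDS)
    for card, merchant, reason in exceptions:
        print(card, merchant, reason)
    print(f"supported by approved receipts: {supported:.2f}")
```

The supported total is what the slides mean by agreeing transactions before the organization pays: anything in the exception list is held back for follow-up rather than paid from the bank's statement.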
UDBOFF Research
 Using the Deviant Behaviors of Others to Find Fraud.
 Primary drivers that motivate human beings to act the way they do:
money, sex and power.
 The strength and security of the mightiest castle is unfortunately
linked to the ability of the lowliest night watchman to stay awake. Said
another way - if employees (or Council) responsible for management
oversight aren’t doing their jobs, how does their inattentiveness affect
the entire organization?
Audit Committees
Weaknesses in internal controls have been the root cause of many
problems, including fraudulent activities, errors and noncompliance with
laws and regulations. Accordingly the adequacy of internal controls
should be the primary concern of the governing bodies and audit
committees. Understanding internal controls will help audit committees
understand the organization’s risk management and the processes used to
mitigate risks.
Why committees struggle:
 No clear definition of composition – GFOA and others differ on
opinions of who should be on committee.
 Ability to act independently or with authority.
 Responsibilities of committee are unclear or undefined.
 Difficult to find a financial expert.
 Are they valuable – YES.
Contact information:
mblackstock@graucpa.com
angela.balent@warrenaverett.com