Presented by C. Michelle Blackstock, CPA/CITP Partner, Grau & Associates FRAUD Webster’s definition is: “The intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right.” Audit Perspective of Fraud Intentional act that leads to the material misstatement in the financial statements that are the subject of an audit. Auditor is responsible for obtaining reasonable assurance the financial statements, taken as a whole, are free of material misstatements – either from fraud or error. Auditor Responsibilities The auditor is responsible for assessing the risks (including fraud) that could result in the financial statements being materially misstated and to respond to those risks. Conduct fraud related inquiries of management and others within the organization Auditor Responsibilities (Continued) Auditors cannot detect all instances of fraud or provide absolute assurance that the financial statements are free of material misstatements caused by fraud. This is mostly due to the fact that fraud can involve collusion, false documents and misrepresentations. Two Fraud Types Misappropriation of assets Financial reporting Misappropriation of Assets Wikipedia definition is: “Intentional use of property or funds of another person for one’s own use or other unauthorized purpose.” Types of Misappropriations Embezzlement Asset theft Register schemes – refunds Payroll and expense reimbursement Billing and vendor Fraudulent Financial Reporting Intentional misstatement or omissions in financial reporting with the intent to deceive the user of the financial statements. The Fraud Triangle Attitude/Rationalization Pressure Opportunity Attitude/Rationalization Environment that includes a lack of importance regarding controls that leads to the ability to accept or rationalize the committing of fraud. Is there a whistleblower policy that allows for employees to anonymously report abuse and fraud? Incentive/Pressure Environment that gives management/employees a reason to commit fraud. Are there rewards based on reaching financial goals, is the municipality trying to maintain a specific credit rating, is there pressure to expend grant funds in order to keep the grant funding? Opportunity Do you give your employees the opportunity to steal you blind? Let’s take a look at what forms these opportunities might take. Custody of assets Authorization or approval of related transactions Recording or reporting of related transactions Statistics Association of Certified Fraud Examiners – 2010 Report to the Nations on Occupational Fraud: 5% of annual revenue lost to fraud which could be $2.9 trillion on a global basis Median loss is $160,000 Small organizations are disproportionately victimized due to lack of anti-fraud controls Detection Top Five Association of Certified Fraud Examiners – 2010 Report to the Nations on Occupational Fraud: Tip from insider or outsider Management review Internal audit By accident Account reconciliation Behavior Warning Signs Association of Certified Fraud Examiners – 2010 Report to the Nations on Occupational Fraud: Living beyond means Financial difficulties Control issues Unusually close relationship with vendors/customers Wheeler-dealer attitude Prevention Understand fraud risks and make an honest assessment for your industry and organization. Brainstorm on significant fraud risk areas and how fraud can be perpetrated including segregation of duties conflicts. Develop plan of controls on how to address each risk. Monitor the controls to make sure that they are working as intended and make necessary changes on a continuing basis. Segregation of Duties Basic premise is that we do not give any one employee or group of employees the ability to perpetrate and conceal an error or fraud in the normal course of performing their duties. Cash Collections Take the time to identify those areas within the organization that deal specifically in handling cash and consider the following: How much of the total revenue does this area generate? 2. How many people are involved? 1. Cash Collections (Continued) If this is a significant area with few employees, then need to consider, at a minimum, that the person who collects and deposits the cash (including opening mail) is a different person than the one who records the cash. Oversight from a manager/board or council/audit committee should include approval of write off, review of the receivable aging and adjustments, follow up on discrepancies. Cash Collections (Continued) Consider who has direct access to cash, the controls that are in place to minimize the ability of those employees to steal/take the cash, continually monitor this area and test that the controls in place are working. Segregation of Duties Process by which charge is paid to a department different from where the transaction occurs or through an automated process. The person who collects the cash should not deposit the cash. Independent bank reconciliation. Person who directly handles cash collection should not record the transactions or have cash disbursement responsibilities. Revenues Take the time to identify those areas within the organization that deal specifically in revenue generation and consider the following: Process for determining the fees and rates charged – how can this be overridden and who reviews for accuracy. 2. Process for setting up the customer and refunds/credit memos. 3. Who fields customer complaints? 1. Segregation of Duties Council should approve/authorize rates, fees, fines or assessments. Person who prepares the bills should not collect the revenue or record the transactions. Person that records the transactions should not approve or process write offs or adjustments, maintain the customer list, field customer complaints. Independent review of accounts receivable aging. Expenditures Take the time to identify those areas within the organization that deal specifically in disbursements/ procurement/payroll and consider the following: 1. Process for procurement and approval as well exceptions to those processes and who monitors it. What ways can this be circumvented? 2. Employee expense reimbursement policies. 3. Process for setting up vendors and employees and maintenance of these lists. 4. Who fields vendor/employee complaints about payments and paychecks ? Expenditure – Red Flags Voided transactions/checks Check written to employees or cash Checks written to vendors with a P.O. box Checks written out of sequence Multiple entries on the same day to the same vendor just under approval limits Segregation of Duties Check signers should not prepare/cut the checks. Person who procured/approved the purchase should not be the person that records the transaction and cuts the check. Person that processes payroll or cuts the check should not be able to set up a new employee or vendor. Small Government Issues Not enough employees to properly segregate duties. Consider the following: 1. Create an audit committee of qualified individuals to perform regular ongoing oversight. 2. Utilize employees from other small governments or departments to perform duties. 3. Utilize management/board members/council to review monthly financial reports as oversight. 4. Hire outside accountant to perform some functions. Small Government Issues (Continued) 5. Establish a whistleblower policy that allows for 6. 7. 8. 9. employees to anonymously report abuse and fraud. Mandatory vacation Rotation of responsibilities Surprise cash counts/reconciliations External audits General IT Controls Control Environment Access Controls Change management Backup and recovery Service providers IT and SOD - Software Is the software used to bill revenues, initiate purchases and process payroll the same? If not, how does it integrate with the accounting software and who reconciles the amounts? Who initiates upgrades to the software program and whether or not they should be made? IT and SOD - Access Who sets up and removes users from the server? Who has access to the software or modules? Are users required to have and use passwords to log in and is there mandatory password change policies in place? Who has tested that access rights are working as intended? IT and SOD - Data Who has access to the data and is there a log that has an “audit” trail? Does someone review user accounts to make sure that employees that have left have been removed in a timely fashion and denied remote access? Are exceptions reports reviewed by an independent person and followed up on in a timely fashion. Presented by Angela D. Balent, CPA, Member Internal Control Standards SAS 115, Communicating Internal Control Related Matters Identified in an Audit SAS 109, Control Risk Assessment, Use of Service Organizations and IT Controls SAS 115 Communicating matters related to an entity’s internal control over financial reporting identified in an audit of the financial statements Applicable whenever an auditor expresses or disclaims an opinion on financial statements Effective for audits of financial statements for periods ending on or after December 31, 2009 Defines deficiency in internal control, significant deficiency and material weakness Provides guidance on evaluation of severity of deficiencies Requires the auditor to communicate in writing to management and those charged with governance significant deficiencies and material weaknesses Generally controls that are relevant to an audit of the financial statements are those that pertain to the entity’s objective of reliable financial reporting. Deficiency in Internal Control Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. Deficiency in design exists: A control necessary to meet the control objective is missing An existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met Deficiency in operation exists: A properly designed control does not operate as designed The person performing the control does not possess the necessary authority or competence to perform the control effectively. Examples of Deficiency in Design Inadequate design of controls over a significant account or process Inadequate documentation of the components of internal control Absent or inadequate segregation of duties within a significant account or process Inadequate design of IT general and application controls that prevent the information system from proving complete and accurate information consistent with financial reporting objectives and current needs. Employees or management who lack qualifications and training to fulfill their assigned functions. Examples of Deficiency in Operation Failure in the operation of effectively designed controls over a significant account or process: for example failure of a control such as dual authorization for significant disbursements within the purchasing process. Failure to perform reconciliations of significant accounts. For example accounts receivable subsidiary ledger is not reconciled to the general ledger account in a timely or accurate manner. Undue bias or lack of objectivity by those responsible for accounting decisions. For example consistent understatement of expenses or overstatement of allowances at the direction of management. SAS No. 115—Definitions Material Weakness—A deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis. (Reasonably possible: chance of the future event or events occurring is more than remote but less than likely.) Significant Deficiency—A deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. (Previous: more than remote— “Remote” the chance of future events is slight) Evaluation of Control Deficiencies Is the identified deficiency a material weakness? At least a reasonable possibility that a misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis, and such a misstatement could be material. There are compensating controls that mitigate the severity of the identified deficiency which have been tested and found to be effective. Is the deficiency, which is less severe than a material weakness, important enough to merit attention by those charged with governance? Factors that Affect the Magnitude of a Misstatement Financial statement amounts or total of transactions exposed to the deficiency Volume of activity (in the current period or expected future periods) in the account or class of transactions exposed to the deficiency Risk factors - nature of account, susceptibility of asset or liability to loss or fraud, complexity/subjectivity of account, possible future consequences. Multiple deficiencies that affect the same significant account or disclosure, relevant assertion or component of internal control. Indicators of Material Weaknesses Identification of fraud on the part of senior management Restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud Identification by the auditor of a material misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected by the entity’s internal control Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance. Communication—Form, Content and Timing Significant deficiencies and material weaknesses must be communicated in writing including those communicated in previous audits that have not yet been remediated. You may refer to the previously issued written communication and the date of that communication The written communication is best made by report release date bust should be made no later than 60 days following release date. Early communication is permitted orally but must ultimately be included in written communication even if such significant deficiencies or material weaknesses were remediated during the audit Conditions know to management where management has accepted the risk because of costs or other considerations still must be communicated. Nothing precludes the auditor from communicating to management other matters related to an entity’s internal control or recommendations for operation or administrative efficiency. If these items are communicated orally he auditor should document the communication. SAS 109 SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement Guidance to auditors related to consideration of internal control as part of the audit Guidance on how the entity’s use of information technology (IT) affects auditors consideration of internal control in planning the audit Extent of Auditor’s Understanding Must be sufficient to assess the risk of material misstatement of the financial statements due to error or fraud and to design the nature, timing and extent of further audit procedures. Develop a fairly thorough and robust knowledge of the components of internal control as the auditor must document the basis for their risk assessment. The auditor is not permitted simply to default to high control risk. Further emphasized in AICPA Technical Practice Aid (TIS 8200.10) TIS 8200.10 Defaulting to Maximum Control Risk Issued March 2008: Question posed is defaulting to the maximum control risk still permitted under AU section 314 Answer was No. Clarified that as the auditor obtains that understanding he or she may identify material weaknesses in the design of controls and as a result end up at assessing control risk as maximum for some financial statement accounts and relevant assertions. In addition also discuss that control risk might initially be assessed at less than maximum but after testing the operating effectiveness of controls, that controls were not effective and would then reassess control risk at maximum. TIS Question 8200.07 TIS Question 8200.07 Considering a Substantive Audit Strategy is also referenced: After identifying and assessing the risk of material misstatement at the assertion level, the auditor may adopt a substantive audit strategy because the cost of testing the operating effectiveness of controls might exceed their benefits. TIS 8200.11 Ineffective Controls Question: If based on the auditor’s knowledge of the entity the auditor believes in advance of performing risk assessment procedures that controls over financial reporting are nonexistent or ineffective, could the evaluation and documentation of such controls (including the walk-through) be skipped? Answer: No for all the same reasons. TIS 8200.15 Identifying Significant Deficiencies Question: If the auditor decides not to test controls, does this mean there is a control deficiency that needs to be evaluated? Answer: No—it depends on the reasons the auditor does not test the control. If the auditor decides not to test a control because it is nonexistent or improperly designed then it would represent a control deficiency that would need to be assessed. If the design is appropriate but the auditor decides not to test it for another reason (ex. control is redundant) then the auditor has not identified a control deficiency. Service Organizations When do you need a SAS 70 or additional audit evidence? AU Section 324 – Applicable to the audit of the financial statements of an entity that obtains services from another organization that are part of its information system. Examples: Bank Trust Departments that invest and service assets for employee benefit plans or for others Third party billing and collection services (EMS) ASP that provide packaged software applications and a technology environment that enables customers to process financial and operational transactions Service Organizations Does not apply: Situations in which the services provided are limited to executing client organization transactions that are specifically authorized by the client Processing checking account transactions by the bank Execution of securities by the broker. Service Organizations Requirements Understand service organization controls Test the operating effectiveness of user controls if relying on service organization controls Design and perform further audit procedures based upon the evaluation of service organization controls Why Should You Understand Controls? Identify types of potential misstatements Identify factors that affect the risks of material misstatements Design test of controls and substantive procedures Three Questions What does the client do? (process) What can go wrong? (risks/objectives) What does the client do about it? (control) Focus on What Really Matters! BIG risks—risks that could result in a material misstatement BIG controls—controls that address the most risks Control Environment Risk Assessment Information and Communication Monitoring Control Activities Top Down Approach A company may have hundreds of controls in place! Focus on controls related to financial reporting Identify the significant classes of transactions Identify the most important risks in each class of transactions (what can go wrong) Identify the most effective controls related to those risks (key controls) Key Controls often Consist of… Activity-Level Controls (Financial Reporting System) Authorization Segregation of duties Safeguarding of assets Reconciliations Entity-Level Controls (Pervasive Effect on the Entity’s System of Internal Controls) Management reviews IT security Internal Controls Types Activity-Level Controls Control activities Information - process Entity-Level Controls Control environment Risk assessment Information and communication Monitoring Walkthrough Inquiries Talk to the people who actually do the work Understand individual’s understanding of: Required procedures Whether procedures are performed that way Ask about specific instances of non-compliance Walkthrough Procedures Observe activities and operations Inspect documents Visit client premises and plant facilities Trace transactions through the system Computer Errors “A computer lets you make more mistakes faster than any invention in human history—with the possible exceptions of handguns and tequila.” --Mitch Radcliffe Components of a System Application Database Operating System Network Simple IT Diagram Backup Server Purchases & Disbursement Subledger General Ledger Primary Server AP Clerk End User Internet Understanding IT General Controls Computer operations Security Change management Operations Security Change Management Computer Operations Ensures that the IT system: Operates smoothly Has the necessary functionality Accurately transfers information between applications, as necessary Is appropriately backed-up and protected Security Protects data and hardware from unauthorized access. Usually consists of the following types of controls: Physical security Logical security Access (e.g. passwords) Setup/maintenance of system user rights Job function Administrator Change Management Ensures that changes to the IT system are authorized, planned and implemented in line with management’s intentions. Changes include: Upgrades Development of new systems Deployment of packaged systems Changes to the functionality of existing systems (e.g. changes to report parameters) Evaluating IT General Controls Consider complexity Determine scope of evaluation Evaluate design and verify implementation IT General Controls vs. Application Controls IT General Controls • Company-wide policies and procedures that ensure the proper function and control of information technology • Analogous to entity-level controls IT Application Controls • Controls that prevent or detect misstatements in a particular process • Classified as activity-level controls IT Complexity More Complex Less Complex • More likely use of a specialist • More likely use of audit staff • More potential risks of material misstatement introduced by the system • Fewer risks of material misstatement introduced by the system • More formal ITGCs • Less formal ITGCs • Greater reliance on IT application controls • More reliance on manual controls around the IT system Do I Need a Specialist? Customized system with in-house programmers New system or significant changes have occurred Multiple locations or multiple applications synching to G/L Significant e-commerce activities Significant audit evidence only in electronic form Small Government Fraud Town Clerk-Treasurer, the organization’s must trusted employee who had worked at the Town for 20 years, misappropriated funds from unauthorized credit card use and fraudulent disbursements. $90,256 total loss averaged 3% of the Town’s $1 million annual operating budget. Unauthorized use of town’s credit card purchases from a variety of internet shopping sites and issued checks to herself using an electric typewriter that can make corrections Employee duties within the town’s treasury department were inadequately segregated. No one monitored her work to ensure all financial transactions were authorized, properly supported and accurately recorded in town’s accounting records. Easy internal control practices Finance Commissioner or someone on Council should require monthly bank statements to be delivered unopened directly to themselves or some other independent party. The individual should review the redeemed checks for unauthorized or unusual transactions. Governing bodies should receive disbursement reports listing all transactions to ensure all disbursements are reviewed and approved and there are no gaps in check numbers listed for transactions shown on consecutive reports Check signers should never sign blank checks. Check signers should compare payee information for agreement on supporting documents, the check register and redeemed checks. Big Government Fraud GAO reports P-Card abuse in two San Diego Navy facilities. Navy exercised little control over the $68 million in credit card purchases made during 2000. Numerous questionable purchases, including expensive computer monitors and Palm Pilots that could not be accounted for as well as gift certificates to Nordstrom and Mary Kay cosmetics. 36% of employees at one of the Navy units had military credit cards and 16% had cards at the other unit investigated. No more than 4% of the employees at 6 other large defense contractors in area were allowed to have cards. GAO stated the more cardholders in an organization, the harder it is to control the card system. Internal controls for P-Cards Develop written policies and procedures for effective use of p-cards including sample disciplinary actions the organization may take against employees, such as termination for inappropriate use of cards or failure to follow the rules. Rules should require employees to obtain copies of receipts for purchases made, to sign documents acknowledging the received the items and to submit all receipts to their supervisors for review and approval. Supervisors should agree all purchase transactions with bank’s monthly p-card reports before the organization pays the total amount due to the bank. Never pay from the bank’s monthly statement. Maintain a log of those prenumbered P-cards that have been issued to each employee. UDBOFF Research Using the Deviant Behaviors of Others to Find Fraud. Primary drivers that motivate human beings to act the way they do: money, sex and power. The strength and security of the mightiest castle is unfortunately linked to the ability of the lowliest night watchman to stay awake. Said another way - if employees (or Council) responsible for management oversight aren’t doing their jobs, how does their inattentiveness affect the entire organization? Audit Committees Weaknesses in internal controls have been the root cause of many problems, including fraudulent activities, errors and noncompliance with laws and regulations. Accordingly the adequacy of internal controls should be the primary concern of the governing bodies and audit committees. Understanding internal controls will help audit committees understand the organization’s risk management and the processes used to mitigate risks. Why committees struggle: No clear definition of composition – GFOA and others differ on opinions of who should be on committee. Ability to act independently or with authority. Responsibilities of committee are unclear or undefined. Difficult to find a financial expert. Are they valuable – YES. Contact information: mblackstock@graucpa.com angela.balent@warrenaverett.com