Employee Benefit Plan Audit Quality Center EBPAQC Live Forum Fraud Risks in Employee Benefit Plans February 17, 2010 1 CPE Credit For Participating • Must have registered for CPE credit prior to this live forum – CPE Credit Approval Form emailed to you • Listen for announcement of 4 CPE codes (7 digits: ALL_ _ _ _ ) and 4 polling questions during the live forum • Record CPE Codes on CPE Credit Approval Form (no need to record polling questions) • Return completed form (by fax or mail) to AICPA Service Center for record of attendance • Keep a copy of completed CPE Credit Approval Form for your records 2 Today’s Presenters and Objectives Marilee Lau, CPA Chair Executive Committee AICPA Employee Benefit Plan Audit Quality Center 3 Presenters Marilee Lau, Chair, EBPAQC Executive Committee Tim Desmond, O’Connor Davies Munns & Dobbins, LLP Ian Dingwall, Chief Accountant, DOL Employee Benefit Security Administration Jim Merklin, Partner, Bober Markey Fedorovich Debbie Smith, Partner, Grant Thornton LLP 4 Today’s Objectives • Understand increased fraud risks in the current EBP environment • Discuss EBP fraud risk factors • Conducting fraud brainstorming sessions and fraud interviews • Auditor’s response to fraud • DOL criminal enforcement activities • Actual EBP fraud cases- panel discussion • Q & A session 5 Fraud Risk Factors and Conditions Debbie Smith Partner Grant Thornton LLP 6 Increased Fraud Risks in the Current EBP Environment • Current economic conditions – Unexpected losses – Employee furloughs and layoffs (plan sponsors and administrators) – Financing and liquidity difficulties – Curtailed or suspended benefits • Opportunities and incentives to commit fraud 7 Types of Fraud • Types of fraud: – Fraudulent financial reporting – Misappropriation of assets Source: AICPA Fraud Risk Factors Specific to Employee Benefit Plans 8 EBP Fraud Conditions Three conditions generally present when fraud exists: 1. Incentive/pressure to perpetrate fraud 2. Opportunity to carry out the fraud 3. Attitude/rationalization to justify the fraudulent action Source: AICPA Fraud Risk Factors Specific to Employee Benefit Plans 9 Fraud Brainstorm Sessions and Interviewing Skills James E. Merklin, CPA, CFF, CFE Partner Bober Markey Fedorovich 10 Conducting Fraud Brainstorming Sessions • Discuss how and where the plan’s financial statements might be susceptible to material misstatement due to fraud – Who should participate? – When should the brainstorm be conducted? – Who to ask in “plan management”? 11 6 Brainstorming Do’s and Don'ts Don’t •Only have a mass brainstorming session •Conduct session without partner involvement •Get input from only the audit partner and manager •Come into the meeting without current year planning information •Let past experience with client sway you to overlooking risks Do •Conduct a session customized to each specific engagement •Use all audit team members and invite new ideas from all •Have examples of what could go wrong and discuss what we know or don’t know •As about the impact of current economy on this specific client •Be professionally skeptical 12 EBP Fraud Interviewing Skills 13 Basic Audit Procedure - Interviews • SAS 99 requires interviews be conducted – Make inquiries of management and others within the plan to obtain their views about the risks of fraud and how they are addressed • Interviews help in assessing risks of fraud, but can also serve as specific audit procedures to detect fraud if a risk is identified to the team • An interview of this nature should be conducted by an experienced auditor, not a newer staff accountant • If interviewing someone where you really suspect they might have done something, the interview should be conducted by someone experienced in fraud or forensic investigations or in confession-seeking interviews Source: AICPA Employee Benefit Audit Quality Center, http://ebpaqc.aicpa.org/ 14 EBP Fraud Interviewing Skills • • • • • • Preparing for the Interview Thinking on your feet Observing body language Setting the tone Interview flow Listening skills Source: Journal of Accountancy, November 2002 15 EBP Fraud Interviewing Skills • • • • • • Be honest and forthright Don’t rush the interview Double-check / Re-confirm Use of leading questions to get a confession What is a confession Written confessions v. Oral confessions Source: Journal of Accountancy, November 2002 16 EBP Fraud Interviewing Skills • Guess what? Criminals lie! • Watch out for false confessions – Confession where the statement of responsibility received is not correct – Try to obtain corroboration during the interview that is supportive – If part of a confession is later proven to be false, it can put at risk the entire confession. Use caution. 17 DOL Criminal Cases Ian Dingwall Chief Accountant Department of Labor Employee Benefits Security Administration 18 DOL Criminal Cases • DOL perspectives on EBP frauds • Prohibited transactions • “Knowing participants” in a fiduciary breach • Voluntary Fiduciary Corrections Program (VFCP) 19 DOL Criminal Cases • EBPAQC summary analysis of DOL EBSA criminal enforcement actions • Categorizes the cases into the following plan types. – Pension/401(k) Plans – Multi-employer Plans – Medical, Health and Death Benefit Plans – Other Helpful Tip!- Tool is useful in conducting SAS 99 fraud brainstorming sessions 20 DOL Criminal Cases- Pension/401(k) Plan Fraud • Theft and embezzlement of plan assets using wire transfers, forged checks and other means • Failure to deposit employee contributions into the plan • Funneling contributions into a secret account • Transfer of funds from the plan to an outside account in the plan's name • Unauthorized withdrawals • Unauthorized use of plan assets to invest in other business interests • Issuing fraudulent statements and dividend checks to clients 21 DOL Criminal Cases- Pension/401(k) Plan Fraud • (Continued) • Making materially false statements in the plan's annual report and fraudulent annual reports • Defrauding the company by issuing duplicate paychecks • Failure to pay pension benefits due to employees • Kickbacks • Failure to deposit checks to be rolled over from a predecessor's plan into a new plan • Defrauding a lending company • Fraudulently obtaining funds from outside sources 22 DOL Criminal Cases- Multiemployer Plans • • • • • • • • • • False claim for benefits Unauthorized application for benefits Check forgery Forged reimbursement claims Improper issuance of checks to plan administration employee Filing false financial reports Embezzling of remittance checks received from employers having collective bargaining agreements with the local union Kickbacks Bribery in exchange for permitting the contractors to avoid employing and paying union members Rehiring locked-out workers under false identities during a labor dispute 23 DOL Criminal CasesMedical, Health and Death Benefit Plans • • • • • • • Embezzling health care premiums from payroll withholdings Misappropriating client-provided funds from the company's claims account Failing to pay health claims Failing to forward insurance commissions due to the plan under an arrangement with an insurance company Falsely purporting to provide health care coverage by misrepresenting that its plans were insured by legitimate insurance providers Defrauding insurance companies by submitting fraudulent insurance claims and doctor's notes to insurance companies Defrauding individuals and insurance companies by offering illegitimate services 24 DOL Criminal CasesMedical, Health and Death Benefit Plans (Continued) • Paying claims to fictitious individuals for services that were never rendered • Obtaining discounted group insurance premium rates for a fictitious company • Engaging in fraudulent activity involve the sale of insurance policies • Fraudulently obtaining bank loans by submitting false statements • Unlawfully interfering with the exercise of rights of participants • Using incorrect social security numbers • Submitting fraudulent information for a loan application • Defrauding participants by misrepresenting insurance coverage 25 Auditor’s Response to Fraud Tim Desmond, Partner O’Connor Davies Munns & Dobbins 26 Auditor’s Response to Fraud • Auditor's response to the risks of material misstatement due to fraud involves the application of professional skepticism when gathering and evaluating audit evidence. – Two types auditors of EBPs should consider • Fraudulent financial reporting • Misappropriation of assets 27 Auditor’s Response to Fraud • SAS 99 requires the auditor to respond to the results of the fraud risk assessment in three ways: 1. Has an overall effect on how the audit is conducted-- a response involving more general considerations apart from the specific procedures otherwise planned. 2. Identify risks that involves the nature, timing, and extent of the auditing procedures to be performed. 3. Perform certain procedures to further address the risk of material misstatement due to fraud involving management override of controls. 28 Auditor’s Response to Fraud How the audit is conducted-- general considerations 1. Assignment of personnel and supervision. Knowledge, skill, and ability of personnel assigned significant engagement responsibilities should be commensurate with the auditor's assessment of the risks 2. Accounting principles - Consider management's selection and application of significant accounting principles, particularly those related to subjective measurements and complex transactions. 3. Predictability of auditing procedures - Incorporate an element of unpredictability – – – – Perform substantive tests of selected account balances and assertions not otherwise tested due to their materiality or risk, Adjust the timing of testing from that otherwise expected, Use differing sampling methods, and Perform procedures at different locations or at locations on an unannounced basis. 29 Auditor’s Response to Fraud • Identify risks that involves the nature, timing, and extent of the auditing procedures to be performed. • These procedures involve both substantive tests and tests of the operating effectiveness of the entity's programs and controls. Examples: • Interviewing personnel involved in activities in areas where a risk of material misstatement due to fraud has been identified to obtain their insights about the risk and how controls address the risk • Reviewing SAS 70 reports with plan management • Gain understanding of financial stability of plan sponsor • Testing related party transactions and expenses • Ascertain whether the plan administrator lacks understanding of major regulations that govern the plan 30 Auditor’s Response to Fraud • Perform certain procedures to further address the risk of material misstatement due to fraud involving management override of controls. – Examining journal entries and other adjustments for evidence of possible material misstatement due to fraud. – Reviewing accounting estimates for biases that could result in material misstatement due to fraud. – Evaluating the business rationale for significant unusual transactions. 31 Fraud Cases Panel discussion of actual EBP fraud cases 32 EBP Fraud Case #1 (Debbie) Fraud: Without the knowledge of the employer or plan administrator, a secretary who worked in Plan sponsor’s payroll department was able to convince the outside payroll service that she was allowed to suspend her 401(k) loan repayments. Fraud triangle conditions: • Incentives/pressures: Employee needs cash to pay bill collectors • Opportunities: Lack of appropriate system of authorization and approval of transactions • Attitudes/rationalization: The employee needs the cash and nobody else was being hurt Sample audit procedures that might detect fraud: • Compare loan balances to amortization schedules • Inquire as to why certain active participants have delinquent participant loans 33 EBP Fraud Case #2 (Jim) Fraud: 401(k) Plan Sponsor did not allocated plan expenses to all participants. Highly compensated participants were left off the allocation schedule on purpose. Fraud triangle conditions: • Incentives/pressures: Incentive to maximize personal account balance • Opportunities: Ability to exclude from allocation (since internally generated and not from a system subjected to a SAS 70 review), • Attitudes/rationalization: Would not be caught Sample audit procedures that might detect fraud: • Recognize the risk of fraud in the planning process (gaining an understanding of internal controls) and design steps to address the risk; • Reconcile base for allocation of expenses to payroll contribution records for consistency; • Test representative sample of participants (key and non-key) to validate fair allocation if expenses. 34 EBP Fraud Case #3 (Tim) Fraud: A pensioner’s benefit checks were fraudulently endorsed and cashed by a relative for several months after pensioner had died. Fraud triangle conditions: • Incentives/pressures: The relative was already being supported by pensioner • Opportunities: Relative had been endorsing checks while pensioner was alive and “assisting” with all financial affairs • Attitudes/rationalization: Needed to hold onto Grandma’s rent controlled apartment. Sample audit procedures that might detect fraud: • Reviewing endorsement against original employee records • Testing plans internal controls over distributions (death audits) 35 EBP Fraud Case #4 (Debbie) Fraud: Trustee of small plan created a fictitious employee in the census data and made employer contributions then took out loans against the balance. Fraud triangle conditions: • Incentives/pressures: Recent bonus was insufficient to cover personal cash flow needs • Opportunities: Complete lack of segregation of duties • Attitudes/rationalization: Didn’t feel he was treated fairly in incentive pay allocations, so this compensates for that Sample audit procedures that might detect fraud: • Test eligibility of new participants (birth date, date of hire and other demographic data that determine eligibility and vesting) • When designing audit approach, recognize that plan management is dominated by a single person without compensating controls 36 EBP Fraud Case #5 (Jim) Fraud: A DB plan TPA paid himself by setting fake “doing business as” (DBAs) and approving the invoices. The Plan sponsor was in bankruptcy. There was no sponsor oversight of expense payments from Plan assets. Fraud triangle conditions: • Incentives/pressures: His employer didn’t give him a raise this year • Opportunities: Lack of TPA segregation of duties. Knew no one was watching and he had approval authority without anyone else’s oversight. Presuming Plan sponsor personnel have better things to do than worry about the Plan. • Attitudes/rationalization: They’re going under, may as well get what he can while he can. Sample audit procedures that might detect fraud: • Analytical review of expenses paid compared to prior year, in total and by vendor • Inquiry of Plan sponsor about individual vendors paid by Plan and nature of costs • Review of SAS 70 should have identified a lack of segregation of duties 37 EBP Fraud Case #6 (Tim) Fraud: The plan was charged and paid for the FAS 87/132/158 calculations in addition to the FAS 35 calculations on several occasions for a number of different plans. Fraud triangle conditions: • Incentives/pressures: Plan sponsor was experiencing cash flow problems • Opportunities: HR Manager was able to convince TPA that it was OK • Attitudes/rationalization: Plan sponsor stated they were funding in the longterm anyway Sample audit procedures that might detect fraud: • Audit of expenses (even if immaterial) • Inquiry of key personnel regarding their knowledge of plan provisions and ERISA 38 EBP Fraud Case #7 (Debbie) Fraud: Plan administrator overrode the system to redirect all investment earnings for Company Fund X into their account balance. Fraud triangle conditions: • Incentives/pressures: Plan administrator is retiring next year and has sufficiently saved for retirement • Opportunities: No formal oversight committee • Attitudes/rationalization: Has worked for the Company for over 25 years yet just had his post retirement health benefits cut back Sample audit procedures that might detect fraud: • Compare ROR for plan management to those of other participants • Review participant listing for anomalies • Review the account activity for participants who have access to plan assets or assist in administering the plan 39 EBP Fraud Case #8 (Jim) Fraud: HR manager requested distributions for persons who left Company 2+ years ago. She had been successful 3 times for over $10,000. Discovered when bank refused to direct the deposit since deposit name differed from account holder’s name. Fraud triangle conditions: • Incentives/pressures: Her husband got laid off and money is really tight • Opportunities: Knew that Company and TPA had lost track of individuals and figured that they probably didn’t know they had balances due to them anyway. Knew it wasn’t material so the auditors wouldn’t see it. • Attitudes/rationalization: If she doesn’t take the money, someone else will Sample audit procedures that might detect fraud: • Direct confirmation directly with participants of sample of distributions paid • Compare signature on withdrawal request to employment application or W-4 form 40 EBP Fraud Case #9 (Tim) Fraud: A plan paid for recordkeeper services and the custodian also paid for the recordkeeper services as an indirect payment. No disclosure was made by the custodian who saw both payments being made. The trustees sued both the recordkeeper and the custodian. Fraud triangle conditions: • Incentives/pressures: Incentives for recordkeeper profits, pressure for custodian to blow whistle, ongoing business relationship • Opportunities: Plan sponsor relied on recordkeeper 100% • Attitudes/rationalization: Recordkeeper believed indirect payment would not come to light Sample audit procedures that might detect fraud: • Audit of recordkeeper fees and contracts between parties • Review of related party disclosure requirements 41 EBP Fraud Case #10 (Debbie) Fraud: Plan investments managed in house. Company controller is also plan administrator. Controller borrowed funds from the plan to cover cash flow needs of the Company. Fraud triangle conditions: • Incentives/pressures: Financial stability of plan sponsor is threatened by economic conditions • Opportunities: Lack of review of plan investment transactions (e.g., by the trustee, sponsor or the plan’s investment committee) • Attitudes/rationalization: If he doesn’t borrow from the plan, they can’t pay invenetory vendors who have them on credit hold Sample audit procedures that might detect fraud: • Analyze changes in investments and investment income during the period • Obtain evidence regarding the existence and ownership of investments and information about any liens, pledges, etc. • Test investment transactions 42 EBP Fraud Case #11 (Jim) Fraud: An HR employee, who also assisted with payroll, diverted both payroll taxes and plan contributions into his personal account for six months, then left the country. This employee also had responsibility for reconciling payroll bank accounts. Fraud triangle conditions: • Incentives/pressures: Find a way to pay for villa in the South of France • Opportunities: Lack of appropriate segregation of duties • Attitudes/rationalization: She was tired of working all the overtime that was required, felt the company had abused her long enough Sample audit procedures that might detect fraud: • Comparing amounts of withheld contributions to deposits to plan for a sample of periods throughout the year • Confirmations directly with sample of participant asking them about their contribution levels 43 EBP Fraud Case #12 (Tim) Fraud: A person was offered a job but never actually started the job. The plan sponsor entered the person as an employee into the HR system and enrolled the person in the plan and then started issuing paychecks with deductions for contributions to the plan. This went on for three years until the employee running the scam requested a distribution at which time the fraud was discovered. Fraud triangle conditions: • • • Incentives/pressures: Personal gain Opportunities: No segregation of duties at plan sponsor Attitudes/rationalization: Controlled whole process, would be able to cover her tracks Sample audit procedure(s) that might detect fraud: • • • New hire payroll test Coordination of EBP and regular plan sponsor audit (detail payroll test) Reporting to those in charge of governance, management letter, opportunities for strengthening internal control 44 EBP Fraud Case #13 (Jim) Fraud: Controller wrote bogus loan checks on behalf of employees, completed bogus promissory notes, and cashed checks personally. Controller handled all plan administration personally and didn’t report loans on participant statements. Fraud triangle conditions: • Incentives/pressures: Employer doesn’t provide good health insurance and his wife’s medical bills from her bout with cancer is overwhelming him • Opportunities: Complete lack of segregation of duties, with no oversight at all • Attitudes/rationalization: He deserves good health coverage Sample audit procedures that might detect fraud: • Confirm loan balances directly with participants • Validate signed loan documents and endorsed loan check back to other participant signatures in personnel file • In fraud inquiries, recognize pressure on controller and lack of controls 45 EBP Fraud Case #14 (Tim) Fraud: A company failed to remit all employee deferrals ($350,000) for a period of time. The company was having financial difficulties and ultimately went bankrupt. Fraud triangle conditions: • Incentives/pressures: Company was barely making payroll • Opportunities: Employees only received quarterly statements of their 401(k) • Attitudes/rationalization: The CEO believed it was better then firing employees Sample audit procedures that might detect fraud: • Contribution timeliness test • Audit of reconciliation of salary deferrals from payroll to trustee records 46 EBP Fraud Case #15 (Marilee) Example: Trustee of an ESOP plan who was also the major stockholder of the company was planning on retiring. He deliberately changed the appraisal firm that had valued the company stock to a relative and instructed them to use a different methodology in order to inflate the stock price so that he would receive a much higher distribution upon his retirement. Fraud Triangle Conditions: • • • Incentive: Maximize the value of his distribution upon retirement Opportunity: His authority was never questioned and weak internal controls. Attitude/rationalization: It was “his” company and the company owed him more for building the organization. Sample audit procedures that might detect: • • • Recognize the risk of fraud in the planning process (gaining an understanding of internal controls and overbearing management style) and design steps to address the risk; Verify the credentials of the appraisal firm including independence Determine the reason for the change in valuation methodologies and if they were appropriate 47 Question & Answer Session Submit questions to the EBPAQC mailbox at ebpaqc@aicpa.org 48 Wrap Up Thanks for joining us today for this live forum We welcome any additional feedback on today’s live forum. Send comments to the Center mailbox at ebpaqc@aicpa.org. Consider using the Center online forum to further discuss issues addressed on today’s call – http://ebpaqc.aicpa.org/Community/Member+Discussion+Forum.htm 49 Upcoming EBPAQC Live Forums • March 3 - Electronic Processing for 2009 Form 5500, 1:00 – 3:00 p.m. Eastern Time • March 23 - 11-K Audit, 1:00 – 3:00 p.m. Eastern Time • April 20 - ESOP Plans, 1:00 – 3:00 p.m. Eastern Time 50 AICPA EBP Conferences • AICPA National Conference on Employee Benefit Plans – May 11 - 13, 2010 at the Bellagio in Las Vegas, NV • AICPA EBP Accounting, Auditing and Regulatory Update Conference – December 13 – 14, 2010, Washington, DC 51 Evaluation We welcome your feedback on today’s call Please complete the online evaluation at http://www.zoomerang.com/Survey/?p=WEB22A5HQJ6T7G Thank you!!! 52 Employee Benefit Plan Audit Quality Center Thanks for Participating! 53