1 / 63

Yvonne M. Clayborne

Red flags do not indicate guilt or innocence but merely provide possible warning ... Being able to recognize red flags is necessary not only for public accountants ...

Anjalena
Download Presentation

Yvonne M. Clayborne

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Audit Red Flags & Public-Sector Fraud Yvonne M. Clayborne, CPA Jeff Roth, CISA

  2. The Fraud Triangle • Inadequate or no: • Supervision & review • Segregation of duties • Management approval • System controls • Unrealistic deadlines • Unrealistic performance goals • Personal vices Pressure Opportunity a.k.a. Rationalization – reconciling behavior with commonly accepted notions of decency & trust. Integrity

  3. The Nature of the Industry… • Fraud can be explained by three factors: • A supply of motivated offenders • The availability of suitable targets • The absence of capable guardians or a control system to “mind the store” • The opportunity to commit & conceal fraud is the only element over which the local government has significant control. • What are some of the warning signs? • What can we do about it? Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York

  4. No free lunch... • Business fraud and abuse in the U.S. cost about $650 billion a year. • Government agencies lose an average of $45,000 per fraud scheme • Average organization loses 5% of revenue or $8 a day per employee • Street crime only costs the U.S. $4 billion annually.

  5. ACFE Report to the Nation on Occupational Fraud & Abuse Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse

  6. Famous last words: “It won’t happen here. We’re careful who we hire.” Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse

  7. Famous last words: “But he’s in charge. He had no motive.”

  8. Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse

  9. Famous last words: “NO WAY it was Mike. He’s over 60 now.” Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse

  10. Famous last words: “Sandra wouldn’t have done that. She’s a mom.” Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse

  11. Famous last words: “It would never happen in our department.”

  12. What’s the cost?… • Economic costs: • Tangible & measurable • Insurable in some cases • Provides basis for prosecution and/or litigation • Political costs: • Loss of integrity • Diminished public confidence • Can’t be measured, difficult to recover

  13. What are the Warning Signs? A red flag is a set of circumstances that are unusual in nature or vary from the normal activity. It is a signal that something is out of the ordinary and may need to be investigated further. Red flags do not indicate guilt or innocence but merely provide possible warning signs of fraud. Being able to recognize red flags is necessary not only for public accountants but also for anyone working in the public sector where the potential for fraud to occur exists. Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York

  14. Just keep in mind… Do not ignore a red flag – Studies of fraud cases consistently show that red flags were present, but were either not recognized or were recognized but not acted upon by anyone. Sometimes an error is just an error – Red flags should lead to some kind of appropriate action, i.e. an investigation by a measured & responsible person, but sometimes an error is just an error and no fraud exists Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York

  15. Employee Red Flags… Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York

  16. Management Red Flags… Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York

  17. Red flags in cash or accounts receivable… Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York

  18. Red flags in payroll… Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York

  19. Red flags in purchasing or inventory… Source: “Red Flags for Fraud” by Mark P. Pattison, Deputy Comptroller, State of New York

  20. Profile of a fraud perpetrator… • Male. • Intelligent and in management. • Married and under some type of significant stress. • Risk takers and not afraid to fail. • Rule breakers. • Long-time employees, hard working Source: “Fraud Perpetrator Profile: A Short Story” by Nick Brignola, CFE

  21. Profile of an organization at risk… • Less than 100 employees. • Management ignores irregularities. • High turnover with low morale. • Staff lacks training. * The education industry has experienced the lowest median losses. Source: “Fraud Perpetrator Profile: A Short Story” by Nick Brignola, CFE

  22. The Typical Environment in which Fraud Occurs • Trust is placed in employees • Employees have detailed knowledge of the accounting systems and their weaknesses • Management domination subverts normal internal controls • Management adds pressure to “make the numbers” • Expected moral behavior is not communicated to employees • Unduly liberal accounting practices

  23. The Typical Environment in which Fraud Occurs • Ineffective or nonexistent internal auditing staff. • Lack of effective internal controls. • Poor accounting records. • Related party transactions. • Incomplete and out of date procedural documentation. • Management sets a bad example.

  24. Government Agencies in the News • Construction Company Bills School $90,000 for Job it Did Not Get • Corruption in Paradise – This is Not Hawaii Five-O • Local Fraud: Timing is Everything • Former Commissioner Pleads Guilty to Stealing County Gasoline for Personal Use • Former Employee gets 10 years for Theft • Employee called Payroll Plan Foolproof • Missing Funds Could Top One Million • DA Asked to Find Out How $260,000 was lost at Tax Office • Sensitive Information Left in Recycle Bin • Councilman Embezzlement Case in Hands of FBI • 14 Indicted in Connection with Payroll Fraud • Ex-Illinois Gov. Ryan gets 6 1/2 years for graft

  25. Fighting fraud with words… “In the current era of “whistleblower” reform, fraud controls and hotlines have become a focus in the media and in the minds of citizens. Auditors in the public sector can enhance fraud detection through employee and vendor communications campaigns specifically designed with fraud prevention as the primary goal.” Source: “Fighting Fraud with Words: Whistleblower Communication” – March 2006, ALGA

  26. Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse

  27. Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse

  28. Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse

  29. Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse

  30. “Who knew who they were? There was no place for me to voice my concerns, either to the internal audit function or the audit committee. Remember, I was not in the accounting department. But even if I were, I think I would have known it would have been fruitless, because I would have had access to junior auditors who were simply not in the position to raise the flags that would have hurt their senior auditors and account executives.” • - Sherron Watkins • Enron Corporation

  31. Hotline help... “An engaging message needs to reach the right person at the right time in order to influence that person to take action.” • Fraud losses are reduced by 58% when an effective hotline is in place • 47% of hotline calls happen overnight or on weekends • Communications that publicize the existence of the hotline should used as an opportunity to promote ethical behavior as well • Components of communication strategy: • Message • Reach • Frequency Source: “Fighting Fraud with Words: Whistleblower Communication” – March 2006, ALGA

  32. Role of the Audit Committee… “A government audit committee should take an active role in the prevention deterrence, and detection of fraud and encourage the government organization to establish an effective ethics and compliance program. The audit committee should constantly challenge management and the auditors to ensure that the organization has appropriate anti-fraud programs and controls in place to identify potential fraud. Also, the committee should take an interest in ensuring that appropriate action is taken against known perpetrators of fraud.” Source: Fraud and the Responsibilities of the Government Audit Committee, AICPA, 2005

  33. We know it works… But what are we doing about it? Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud & Abuse

  34. Traditional Approach • Traditionally, fraud Investigations have been reactive in nature. • Identified from a variety of sources. • Conducted after significant losses have been incurred. • In response, today’s management is developing strategicapproaches to proactively identify material fraud within their organizations. • Forming tactical teams of forensic accountants and investigators. • Investing in resources to address fraud before it occurs.

  35. Caution • Government auditors are expected to have sufficient knowledge to identify the indicators of fraud but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

  36. Prevention First • Educate your employees • Implement strong controls • Explain consequences • Have a clearly written policy • Make the employees sign the policy • Let them know you’re monitoring – Speaking of monitoring…………

  37. Financial Processes’ Reliance on Information Technology • The majority of your organization’s financial data is in the hands of your IT department. • You are reliant on the confidentiality, integrity and availability of the enterprise’s infrastructure. • Is your IT department integrated into your anti-fraud internal control structure? • Let us look at how we can leverage internationally accepted framework of Control Objectives for Information related Technologies (CobiT) to integrate anti-fraud preventive and detective controls throughout the enterprise.

  38. CobiT Framework Let’s talk about fraud prevention

  39. CobIT - Delivery and Support Domain • DS-2 Manage Third Party Services • DS-3 Performance and Capacity • DS-5 Ensure System Security • DS-9 Manage the configuration of IT systems • DS-10 Manage Problems and Incidents • DS-11 Manage Data IT Assurance testing using the CobIT Confidentiality, Availability, and Integrity guidelines can assist in determining your organisation’s level of compliance (legal, civil, business).

  40. Cobit Security Baseline and Fraud The CobiT Security Baseline objectives are organized into 39 essential steps: • 1: Based on a business impact analysis (BIA) for critical business processes, identify data that must not be misused or lost, services that need to be available and transactions that must be trusted. The business must consider the security requirements for: • Who may access and modify data. • What data retention and backup are needed. • What availability is required. • What authorization and verification are needed for electronic transactions. • 2: Define specific responsibilities for the management of security and ensure that they are assigned, communicated and properly understood. Be aware of the dangers of delegating too many security roles and responsibilities to one person. Provide the resources required to exercise responsibilities effectively. • 3: Consistently communicate and regularly discuss the basic rules for implementing security requirements and responding to security incidents. Establish minimum dos and don’ts, and regularly remind people of security risks and their personal responsibilities. • 4: When hiring, verify with reference checks. • 5: Obtain the skills needed to support the enterprise security requirements through hiring or training. Verify annually whether skills are up-to-date.

  41. Cobit Security Baseline and Fraud • 6: Ensure that no key security task is critically dependent on a single resource. • 7: Identify what, if anything, needs to be done with respect to security obligations to comply with privacy, intellectual property rights and other legal, regulatory, contractual and insurance requirements. • 8: Discuss with key staff what can go wrong with IT security that could significantly impact the business objectives. Consider how best to secure services, data and transactions that are critical for the success of the business. • 9: Establish staff understanding of the need for responsiveness and consider cost-effective means to manage the identified security risks through security practices and insurance coverage. • 10: Consider how automated solutions may introduce security risks. Ensure that the solution is functional and that operational security requirements are specified and compatible with current systems. Obtain comfort regarding the trustworthiness of the solution through references, external advice, contractual arrangements, etc. • 11: Ensure that the technology infrastructure properly supports automated security practices. • 12: Consider what additional security requirements are needed to protect the technology infrastructure itself.

  42. Cobit Security Baseline and Fraud • 13: Identify and monitor sources for keeping up-to-date with security patches and implement those appropriate for the enterprise infrastructure. • 14: Ensure that staff knows how to implement security in day-to-day procedures. • 15: Test the system, or major changes, against functional and operational security requirements in a representative environment so the results are reliable. Consider testing how the security functions integrate with existing systems. • 16: Perform final security acceptance by evaluating all test results against business goals and security requirements involving key staff. • 17: Evaluate all changes, including patches, to establish the impact on the integrity, exposure or loss of sensitive data, availability of critical services and validity of important transactions. Based on this impact, perform adequate tests prior to making the change. • 18: Record and authorize all changes, including patches (possibly emergency changes after the fact). • 19: Ensure that management establishes security requirements and regularly reviews compliance of internal service-level agreements and contracts with third-party service providers.

  43. Cobit Security Baseline and Fraud • 20: Ensure that third parties provide an adequate contact with the authority to act on security requirements and concerns. • 21: Consider the dependence on third-party suppliers for security requirements, and mitigate continuity, confidentiality and intellectual property risk. • 22: Identify critical business functions and information, and those resources (e.g., applications, third-party services, supplies and data files) that are critical to support them. Provide for the availability of these resources in the event of a security incident to maintain continuous service. Ensure that significant incidents are identified and resolved in a timely manner. • 23: Establish basic principles for safeguarding and reconstructing IT services, including alternative processing procedures, how to obtain supplies and services in an emergency, how to return to normal processing after the security incident and how to communicate with customers and suppliers. • 24: Together with key employees, define what needs to be backed up and stored off-site to support recovery of the business, (e.g., critical data files, documentation and other IT resources, and secure it appropriately. At regular intervals, ensure that the backup resources are usable and complete.

  44. Cobit Security Baseline and Fraud • 25: Implement rules to control access to services based on the individual’s need to view, add, change or delete information and transactions. Especially, consider access rights of service providers, suppliers and customers. • 26: Ensure that responsibility is allocated to manage all user accounts and security tokens to control devices, tokens and media with financial value. Periodically review the actions and authority of those who manage user accounts. Ensure that these responsibilities are not assigned to the same person. • 27: Detect and log important security violations. Ensure that they are reported immediately and acted upon in a timely manner. • 28: To ensure that counterparties can be trusted and transactions are authentic when using electronic transaction systems, ensure that the security instructions are adequate and compliant with contractual obligations. • 29: Enforce the use of virus-protection software throughout the enterprise’s infrastructure and maintain up-to-date virus definitions. Use only legal software. • 30: Define policy for what information can come into and go out of the organization, and configure the network security systems (e.g., firewall), accordingly. Consider how to protect physically transportable storage devices. Monitor exceptions and follow up on significant incidents.

  45. Cobit Security Baseline and Fraud • 31: Ensure that there is a regularly updated and complete inventory of the IT hardware and software configuration. • 32: Regularly review whether all installed software is authorized and properly licensed. • 33: Subject data to a variety of controls to check integrity (accuracy, completeness and validity) during input, processing, storage and distribution. Control transactions to ensure that they cannot be repudiated. • 34: Distribute sensitive output only to authorized people. • 35: Define retention periods, archival requirements and storage terms for input and output documents, data and software. Ensure that they comply with user and legal requirements. While in storage, check continuing integrity and ensure that data cannot be retrieved. • 36: Physically secure the IT facilities and assets, especially those most at risk to a security threat, and if applicable, obtain expert advice.

  46. Cobit Security Baseline and Fraud • 37: Protect computer networking and storage equipment (particularly mobile equipment) from damage, theft, accidental loss and interception. • 38: Have key staff periodically: • Assess adequacy of security controls against defined requirements and vulnerabilities. • Reassess what security exceptions need to be monitored on an ongoing basis. • Evaluate how well the security mechanisms are operating. Check for weaknesses, such as intrusion detection, penetration and stress testing, and test contingency plans. • Ensure that exceptions are acted upon. • Monitor compliance to key controls. • 39: Obtain, where needed, competent external resources to review the information security control mechanisms. Assess compliance with laws, regulations and contractual obligations relative to information security. Leverage their knowledge and experience for internal use.

  47. Test Case 1- Vendor Master Table • Vendor master table integrity testing can include the following: • Detection of the following: • Duplicate vendors • Employee or related parties listed as vendors • Exception reporting for approved or convicted/debarred vendors per Section 287.133, Florida Statute

  48. Test Case 1a – Duplicate Vendor Numbers Easy identification of duplicate vendor numbers

  49. Test Case 1b – Duplicate Vendor Addresses Easy identification of duplicate vendor addresses

  50. Test Case 1c – Employee or related parties listed as vendors Easy identification and vendor addresses matching

More Related