1. New York State Internal Control Association: Exploring the Interrelationship of Internal Controls and the Occurrence of Fraud
Stephen Hamilton
Inspector General
Office of the State Comptroller
Oct 27, 2011
2. Stealing
3. Misspending
4. Embezzling
5. Fraudulent claims and time sheets
6. Trading favors and gifts for awarding state business
7. How Does This Happen?
Those were just the result of a quick search of recent press releases, but sadly it is a sliver of what we all have seen in the press from local to state to national government. The private sector does not have a monopoly on corruption, fraud and abuse. While government fares better than most industries in the dollar amount of fraud, any type of fraud within government is taken seriously. The impact of fraud, waste and abuse of taxpayer dollars is devastating to the indispensable trust and respect that the public has for government leaders. To preserve the trust and respect that the public has for the governing process, government should take the necessary steps to minimize the risk of fraud, waste and abuse occurring.
8. What is Fraud?
“The use of one’s occupation for personal enrichment through deliberate misuse or misapplication of the employing organization’s resources or assets.”
Association of Certified Fraud Examiners
I guess first we need to understand what fraud is… An illegal act involving obtaining something of value through willful misrepresentation or deceit.
9. Abuse
Behavior that is excessive, deficient or improper when compared to what a prudent person would consider a reasonable and necessary business practice.
Misuse of authority to help others, extravagant purchases.
Abuse can become fraud with personal benefit and intent.
10. What Does Fraud Look Like?
Many common types we see every day:
Financial statement fraud
Check forgery
Credit card fraud
Identity theft
Medicaid and Medicare fraud
Financial statement fraud is more likely in private industry.
11. What Does Fraud Look
Falsifying time sheets & overtime records
Not removing people from payroll timely
Nepotism
Favoritism
Using government resources for personal, political or outside business purposes
Creating fictitious employees
For timesheets, I am not talking about the person that is late a few minutes or maybe takes a longer break. While these behaviors are unacceptable as a routine matter, they are a supervisory issue.
I am talking about people who disappear for long periods consistently or never show up at all, or people who consistently take advantage of specific excused time for something other than that purpose. It is nothing more than stealing the time that was dedicated to the service of the citizens of New York.
12. What Does Fraud Look Like in Government? Cont’d
Conducting personal business on government time
Diverting revenue coming in
Capturing payments going out
Paying personal expenses
Recording fictitious transactions
Forging business records
Cash, Lapping
Generating overpayments
Fake Bids & Approvals
Stealing anything of value
13. Who Commits Fraud or Abuse?
It could be just about anybody!
Most people are inherently honest.
A few will actively try to steal no matter what.
While there are profiles of people who steal and who abuse their authority, truth is it's very hard to predict who. How many times have you heard about a fraud and the people that worked with that individual say something like, “I had no idea. They were active in the community and so nice at work, always willing to lend a hand….”
But let's face it, with downsizing—layoffs and cutbacks, we are in a situation where there are greater opportunities for fraudsters to operate unnoticed. One round of layoffs in a critical area that diminishes controls and you have opened the door for fraud. Add to it that we are now in desperate times and unfortunately, people who are otherwise honest may suddenly feel a need to commit fraud.
14. The Fraud Triangle
Pressure
Opportunity
Rationalization
So I am sure that most of you are familiar with the fraud triangle. When all three of these conditions are present the risk of fraud being perpetrated can increase significantly.
15. Pressure
What motivates them to steal?
Living beyond means
Personal debts
Investment losses
Gambling or substance abuse
Extra-marital affairs
Family problems/illness
Social stature
As I said before, it is no secret that we live in desperate times, and this is the exact environment in which those who already have a propensity to steal will increase their efforts and, unfortunately, desperate times can lead even decent people to undertake illegal acts.
16. Rationalization
Temporary solution
It’s just a loan. I’ll pay it back as soon as this is over.
Entitlement
I work hard for little money. They owe me.
Greater good
I need this more than they do. Nobody will really miss it
This is for an important purpose (ends justify means)
Revenge
So, they think they can take advantage of me!
It is not cash so I am not really stealing and they are insured.
People have unlimited capacity to rationalize their actions. That is why core ethics and values are so important, and looking for the right ones during the hiring process is one step an organization can take. While I certainly advocate doing background checks, truth is that for 85 percent of frauds examined by the ACFE in its 2010 study, the fraudster had never been previously convicted or even charged with a fraud-related offense.
So organizations need to focus on what they can identify and control…
17. Opportunity
Access to cash or highly convertible assets
Ability to conceal the act
Inadequate Internal Controls
Little separation of duties
Lack of automatic controls
No management oversight
Lack of clear expectations or procedures
Weak or absent leadership
Opportunity is the leg of the triangle over which organizations have the most control. It is all about having appropriate controls in place to prevent or quickly detect fraudulent activity. Internal controls are the bedrock of a fraud prevention program.
18. Opportunity
Access to cash or highly convertible assets
Ability to conceal the act
Inadequate Internal Controls
Little Separation of Duties
Lack of Automatic Controls
No Management Oversight
Lack of Clear Expectations or Procedures
Weak or Absent Leadership
So what does opportunity look like?
19. Or to put it another way: How to encourage fraud…
Practice autocratic management
Manage by power with little trust in people
Manage by crisis
Centralize authority in top management
Measure performance on a short term basis
Give feedback that is always critical and negative
Create a highly hostile competitive work place
If you want a fraud, this is part of your recipe for success… and believe me, those who have a predisposition to fraud will seek you out.
20. This is from the Association of Certified Fraud Examiners 2010 study on fraud. According to the survey, the number one condition allowing for fraud was lack of controls, followed by overriding existing controls and management review. In total these account for 75% of the observed weaknesses in frauds investigated. Without a doubt, having a strong internal control system that is working as intended will reduce the likelihood of fraud.
While this breakdown of weaknesses only shows tone at the top as 8.4 percent, I would actually argue that this area could be the root cause of the other weaknesses. Failure of management to implement a sound system of internal control and/or to demonstrate commitment to it at all times is exactly the environment a fraudster wants to be in.
21. New York State Fair Case Study
Tell the story
What fraud occurred, who did it and how…
Peter Cappuccilli, Jr. was appointed Fair Director in 1995 by Governor George E. Pataki and served in that position, with an annual salary of approximately $125,000, until he resigned in November 2005. During his long tenure, Cappuccilli wielded near-total and unchecked control over Fair staff and operations. In abusing this authority and misappropriating state resources, Cappuccilli, who one high-ranking Agriculture and Markets official described as the “mayor of the fair,” repeatedly failed to distinguish between his public responsibilities and his personal interests. In total, Cappuccilli personally benefited by more than $78,500 through his misconduct and abuse of office.
22. State Fair Case Study Cont’d
What are the controls that weren’t there and those that were overridden?
Physical Access?
Oversight?
Separation of Duties?
Control Environment?
23. So What Can You Do?...
As Internal Control Officers and Internal Auditors, what can you do? What can you focus on?
I have a few suggestions.
24. What can you do?
Incorporate fraud risk in your annual risk assessment.
• How might a fraud perpetrator exploit weaknesses in the system of controls?
• How could a perpetrator override or circumvent controls?
• What could a perpetrator do to conceal the fraud?
Essentially the same as the risk assessments you do during your certification, but spend time with the business functions brainstorming out where there are fraud vulnerabilities, who could do it and how likely they are. Focus on your high opportunity areas:
Cash,
reimbursements,
recent staffing cutbacks,
limited spans of control and separation of duties.
A quick thought here. It is not just the activities that should be separated between people, but the functions—i.e., ordering, verification and payment of invoices should not all report to the same supervisor.
As part of the risk identification process, it is important to consider the potential for management override of controls established to prevent or detect fraud. Who has the power to make things happen? Personnel within the agency generally know the controls and standard operating procedures that are in place to prevent fraud. It is reasonable to assume that individuals who are intent on committing fraud will use their knowledge of the agency’s controls to do it in a manner that will conceal their actions. There is a purpose and time for management override. The real question is whether there is exception reporting and what happens to those reports.
25. Here is an example of a fraud risk assessment. As you can see, it identifies potential risks, likelihood and significance (impact) along with who, what controls and whether they work. It is very similar to what many of you already do and can easily be melded with your current reviews. While some of you may add fraud as a concern during the risk assessment process, I strongly encourage you to really tap into the various expertise and knowledge of the business units and ask them where something could go wrong. I know of units in our office that make a day of this and really it is quite fun for them—almost a Sherlock Holmes play. Once you identify what can go wrong, as with the rest of your risk assessment, you need to identify what controls are needed, if they are there and if they are working/followed.
Keep in mind you are not going to identify all fraud possibilities and you certainly can’t expect to set up a system to prevent every fraud potential—it is just too costly. If the situation warrants, you should set up detection controls, which are generally less costly than preventative controls.
You really need to know your tolerance level. An example of this is travel cards. It is true that there is an increased risk that someone can purchase things inappropriately, but NYS has determined that preventing by not issuing cards is actually more costly than utilizing detective controls on the back end, knowing that there is a risk of small loss. Of course, this is only as good as the implementation of those detective controls. Keep in mind it does not take long for people to realize they are not being watched.
26. Control Activities to focus on
Physical Access
Job Descriptions
Reconciliations and Analysis
Supervision
Physical Access - As a general rule, organizations should restrict physical access to those who require it to perform their job function. Many frauds require that the perpetrator come into physical contact with either the asset being misappropriated, or the related asset records, in order to conceal the fraud. Reducing physical access reduces opportunity. Physical access controls are often the most visible to potential perpetrators. Strong controls in this area send a powerful deterrent message vis-à-vis the other controls in the system. Conversely, loose physical controls invite challenge.
Job Descriptions - Formal, specific job descriptions are a very effective fraud prevention tool. These descriptions should spell out exactly what is expected of each employee. Generally, employees should not perform duties outside their job description. Those who do represent a significant red flag.
Employers often ignore or underestimate the need for formal job descriptions, writing them off as "more useless paper." At other times, employers create job descriptions but then ignore them. This attitude invites trouble.
Reconciliations and Analysis - After access controls and job descriptions, accounting reconciliations and analyses are the third most important group of basic controls. An essential ingredient of a successful fraud is successful concealment. Regular, appropriately performed accounting reconciliations and analyses often make such concealment difficult or impossible.
Supervision - Supervision represents the second level of internal control. From a fraud prevention perspective, strong supervision is vital. Specifically, supervisors must be alert to the possibility of fraud whenever an unusual or exceptional situation occurs, such as complaints from suppliers or customers, discrepancies that don't make sense, or accounting reconciliations that don't balance. If a manager's mind is closed to the possibility of fraud during an unusual or exceptional situation, the risk of the fraud continuing unabated greatly increases.
In addition to awareness, fraud prevention demands that supervisors actually supervise. This means going beyond the typical approval function, such as initialing invoices or performing other duties of supervisors and managers. A more thorough review, double-checking employees' work, and redoing some tasks, may be necessary and should be approached diligently.
27. Don’t Forget Reputation Regulatory and legal misconduct
Depending on the particular organization and the nature of its business, these risks may be applicable and should be considered in the risk assessment process.
Regulatory and legal misconduct includes a wide range of risks, such as conflicts of interest, insider trading, theft of competitor trade secrets, anti-competitive practices, environmental violations, and trade and customs regulations in areas of import/export. Depending on the particular organization and the nature of its business, some or all of these risks may be applicable and should be considered in the risk assessment process.
28. What can you do?
Track corrective action throughout the year?
Do not leave it to annual assessments—follow up. For example, I know Laurel does a formal semi-annual follow up on corrective actions identified during the certification process.
29. What can you do?
Assessing the Organization’s Fraud Prevention
Code of Ethics
Fraud and Ethics awareness training
Hotline - confidential and responsive
Is there a high-level senior manager designated as contact and responsible for follow-up of frauds?
This is part of your control environment—not only should you look if the organization has it, but are they truly committed and living it.
One added note, if you have a hotline—help promote it!!!—it is part of your internal controls. If you don’t—give them ours: 1-888-672-4555.
Did I mention that, far outstripping other methods, tips are the number one source for identifying fraud, at just over 40%? This is your best tool, so you need to make it available, known and most importantly trusted. Also look at whether employees, especially managers, are receiving fraud awareness training. This is the second greatest resource for identifying fraud, accounting for 24% of fraud cases identified (ACFE 2010 report).
30. What can you do?
Work with the other units with risk assessment and compliance duties
Many of you have Internal Control-Risk Management, Internal Audit, IG and perhaps even Ethics or Compliance functions. Leverage your knowledge, activities and resources. Share your findings and identified risks. In particular, track any improvements identified. It needs to be an enterprise approach, not just one more monitoring silo function.
There are many different names for this type of approach, but it is really about coming at it from an enterprise view and working as a team! While separate and distinct, each of these functions shares a part of ensuring and monitoring that an organization is doing the right thing in the right way to accomplish the goals of the organization. This can be a formal relationship or informal—just do it.
31. Control Environment Advisory Committee
At OSC, back in 2007, we created a more formal process clearly labeling the roles of each of the functions and identifying the overlap and areas where we can assist and leverage each other. We identify trends and pitfalls that affect the enterprise and may not be readily apparent from an individual silo approach.
This group meets roughly quarterly, but the door is always open for working with all the functions. This is constantly evolving, but I can tell you that it is a great place to talk through issues and have a clear understanding of what risks may face our agency. We also talk about some of the intangibles that we are hearing about or seeing—even rumors can spark something. You know the old adage, “where there’s smoke, there is fire” often holds true when it comes to fraud, but unless you are looking across the forest, you may not see that burning brush just around the bend.
32. Summary
A major reason why people commit fraud is because they are allowed to do so. There is a wide range of threats facing organizations. The threat of fraud can come from inside or outside the organization, but the likelihood that a fraud will be committed is greatly decreased if the potential fraudster believes that the rewards will be modest, that they will be detected or that the potential punishment will be unacceptably high. The main way of achieving this must be to establish a comprehensive system of control which aims to prevent fraud, and where fraud is not prevented, increases the likelihood of detection.
33. Thank You!!!
Stephen Hamilton
Inspector General
Office of the State Comptroller