250 likes | 426 Views
Not for Profit Committee of the Suffolk Chapter of the NYSSCPA. Presents “Fraud and Internal Control in the Not-for-Profit Environment” October 19, 2006. Joel Schleifer, CPA Managing Partner Perlman, Schleifer & Perrone Certified Public Accountants Commack, NY. Robert R. Craig, CPA
E N D
Not for Profit Committee of the Suffolk Chapter of the NYSSCPA Presents “Fraud and Internal Control in the Not-for-Profit Environment” October 19, 2006 Joel Schleifer, CPA Managing Partner Perlman, Schleifer & Perrone Certified Public Accountants Commack, NY Robert R. Craig, CPA Managing Partner Craig, Fitzsimmons & Michaels, LLP Certified Public Accountants Smithtown, NY
Overview • What is Fraud. • Types of Frauds. • Common Fraud Factors - The Fraud Triangle. • Recent Examples of Fraud in the Not-for-Profit Community • Why was SAS 99 issued? • Major Provisions of SAS 99. • The Auditors Responsibilities with Respect to Fraud. • New audit procedures required. • Inquiries of Management, Leadership and Others. • Best Practices - Antifraud Programs and Controls. • The New Risk SAS’s and their Relationship to SAS 99. • Resources. • Questions and Comments.
What is Fraud? Webster’s 7th Collegiate Dictionary defines as… “intentional perversion of truth in order to induce another to part with something of value or surrender a legal right – an act of deceiving or misrepresenting” Black’s Law Dictionary adds further detail… “As distinguished from negligence, it is always positive and intentional, it comprises all acts, omissions, and concealments involving a breach of a legal or equitable duty and resulting in damage to another..”
TYPES OF FRAUDS • Common frauds committed against Not-for-Profit Organizations: • Misappropriation of Assets: • Cash receipts / collections • Cash disbursements • Petty cash • Payroll fraud • Theft of noncash assets – computers, supplies, inventory
TYPES OF FRAUDS • Frauds committed against Not-for-Profit Organizations: • Employee corruption – travel expenses; theft of services • Frauds committed by external sources – kickbacks and over billing schemes • Cooking the Books / Financial Statement Shenanigans • Overstating or revenue recognition (exchanges vs. support – no variance power) • Deferring or restricting income • Deferring expenses • Unrecognized liabilities or improperly decreasing liabilities • Accelerating expenses or “double dipping” contracts
COMMON FRAUD FACTORSThe Fraud Triangle • There is an intent to commit the fraud • There is Incentive or Motive to commit the fraud (One point of the Triangle) • There is a Weakness in Controls or the Opportunity to commit the fraud (Another point of the Triangle) • There is a plan to conceal the fraud, at least for a little while – frauds do not have an exit strategy • There is a Rationalization to committing the fraud (The third point in the Triangle) • REMEMBER – it is the “trusted” employee that is in a position to commit a fraud – circumstances / people change – beware trust does not = control!
Recent Examples of Fraud in the Not-for-Profit Community • October 6, 2006 the NY Times reports “City Finds Widespread Fraud at Bronx Charity”the article sites: • Top Officials of The Gloria Wise Boys and Girls Club diverted hundreds of thousands of dollars for personal expenses. • Executives paid themselves bonuses and charged this off as support of youth programs. • There was an “absence of oversight” within the organization the Board was “oblivious” to the fraud and “unprepared to govern…it’s dominant Executive Director.” • Falsified reimbursements documents to the Office of Children and Family Services and HUD. • Professional Fund raiser received $46,000 in improper payments.
Recent Examples of Fraud in the Not-for-Profit Community • October 17, 2006 Newsday reports “Ex-water Official Arrested”: • Former Garden City Water & Fire Superintendent arrested for stealing more than $20,000 from District. • Hundreds of unauthorized purchases for personal items. • In 1996 the Superintendent purchased a $3,480 sign cutting machine for his private business as a sign maker. • During regular business hours the Superintendent and subordinates performed personal tasks using District owned vehicles and made them make signs for his business on the District premises utilizing work equipment and materials.
Recent Examples of Fraud in the Not-for-Profit Community • The list goes on and on including… • NY State Comptroller reports on LI School Districts • NY State Comptroller reports on Fire Districts • Diocese of Rockville Center (unauthorized salary increases for paid staff) • Diocese of Brooklyn (Bookkeeper embezzlement – over $300,000)
Why Was SAS 99 Issued? • Research indicated that fraud was a serious problem. (As we have seen Not-for-Profits are not insulated from these Frauds). • Recent audit failures and public expectations (the expectation gap) have placed greater importance on detecting fraud. • Perhaps a lack of trust; increased scrutiny of financial information because of highly publicized frauds. • Concern over audit quality. • SAS 99 represents the culmination of years of work to improve audit quality and reduce audit risk. Team of professionals; forensic accountants, prosecutors, auditors, regulators, financial experts worked on the project. The hope is that by implementing these procedures auditors will more likely detect material misstatements due to fraud.
Major Provisions of SAS 99 • Responsibilities for fraud unchanged. • Emphasis on professional skepticism – realize that people and circumstances change. • Focus on identifying and responding to fraud risks. • Additional procedures now required – brainstorming sessions – inquires of management, leadership, audit committee, we will cover these later…
Responsibilities with Respect to Fraud • SAS 99 does not change the auditor’s responsibility for fraud detection. -Auditors still have the responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement, whether caused by error of fraud (SAS 104 now defines reasonable assurance as a “high but not absolute level of assurance”). • SAS 99 does not change the Not-for-Profit’s responsibility with respect to fraud. -Management is responsible for designing and implementing policies, procedures and controls to prevent, deter, and detect material misstatements due to error or fraud.
New Required Procedures • Increased procedures in the in early stage of the audit to identify fraud risks, including: -Making inquiries of management and others regarding fraud. -Gathering additional information to identify fraud risks. -Consideration of analytical review procedures. • Brainstorming sessions designed to identify and respond to fraud risks during the audit. • Procedures to address management’s ability to override internal controls.
Required Inquiries of Management and Others • Management of the Not-for-Profit -President, CEO, COO -Chief Financial Officer -Controller • Audit committee or audit committee chair • Internal audit • Other company employees
Inquiries of Management • Required to ask about: • Whether they know of any fraud or have suspicions of fraud affecting the organization. • Whether they are aware of any allegations of fraud or suspected fraud affecting the organization. • Their understanding of the risks of fraud within the organization. • Inquire as to how leadership communicates to employees the importance of ethical behavior and appropriate business practices. • Inquire as to the programs and controls that have been implemented to address identified fraud risks or otherwise help prevent, deter, and detect fraud and how those programs and controls are monitored. • The susceptibility of operating units to fraud and how those locations are monitored. Whether management has or has been asked to report to the audit committee or governing body about how the company’s internal control serves to prevent, deter, and detect material misstatements due to fraud.
Inquiries of Audit Committee andInternal Auditors • Required to ask audit committee about: • Their views about the risks of fraud within the organization and whether they have knowledge of any actual or suspected fraud. • Their role in overseeing the company’s fraud risk assessment and monitoring process. • Required to ask internal auditors about: • Their views about the risks of fraud within the entity and whether they have knowledge of any actual or suspected fraud. • Whether they performed procedures during the year to identify or detect fraud. • Whether management has satisfactorily responded to any findings resulting from their internal audit procedures.
Inquiries of Others • The Independent Auditor must now inquire with others in the organization about the existence or suspicion of fraud. • This means we may determine that we need to talk to one or more employees: • With varying levels of authority in the company. • Outside the accounting department. • With lower level personnel. • With those that initiates, records, or processes complex or unusual transactions. • In areas we identify as being vulnerable to fraud.
New Management Representations • “We acknowledge our responsibility for the design and implementation of programs and controls to prevent and detect fraud.” • “We have no knowledge of fraud or suspected fraud affecting the company involving management, employees who have significant roles in internal control, or others where the fraud could have a material effect on the financial statements.” • “We have no knowledge of any allegations of fraud or suspected fraud affecting the company received in communications from employees, former employees, regulators, or others.”
Antifraud Programs and Controls • Antifraud programs and controls are policies and procedures put into place to help ensure that management directives are carried out. • Three fundamental activities: - Creating an ethical company culture. - Implementing antifraud processes and controls. - Developing an effective oversight process.
Creating an Ethical Company Culture • Setting the tone at the top – this will permeate throughout the organization. • Establishing a code of conduct. • Creating a positive workplace environment. • Hiring and promoting ethical employees. • Providing ethics training. • Establishing and Circulating a Fraud Policy - disciplining and prosecuting violators.
Implementing Antifraud Controls • Identify and assess fraud risks. • Implement controls to mitigate fraud risks. • There are two categories of financial internal controls: • Preventive controls • Detective controls • Financial internal controls should be reasonably and appropriately designed to deal with both internal and external fraud risks.
FINANCIAL INTERNAL CONTROLS • Preventive controls are designed to stop a fraud before it happens. Examples of preventive controls are: • Restricting access to assets • Restricting access to data • Requiring appropriate approvals of department heads before disbursements or financial statement adjustments are made
FINANCIAL INTERNAL CONTROLS • Detective controls are designed to catch frauds that have been executed. Examples of detective controls are: • Performing monthly bank / investment reconciliations • Analyzing budget variances • Requiring that all employees take vacations – rotating – cross training • Send monthly bank statement unopened to Executive Director or Treasurer • Send Payroll summaries unopened to the Executive Director or Treasurer
The New Risk SAS’s and their Relationship to SAS 99 • SAS 107 Audit Risk and Materiality in Conducting an Audit – where SAS 99 focuses on identifying and responding to fraud risks, SAS 107 focuses on responding to the overall risk of a material misstatement in the audit. • SAS 109 focuses on gaining an understanding of the client and its environment necessary for planning the audit – much like SAS 99, SAS 109 requires the audit team to have a discussion regarding the susceptibility of the clients financial statements to a material misstatement due to an error or fraud. • SAS 110 is an outgrowth of 109, but much like SAS 99 SAS 110 requires the auditor to use procedures to address the assessed risks identified and to evaluate the evidence obtained to ensure it is adequate and appropriate. • SAS 112 emphasizes that the objective of a financial statement audit is to form an opinion on the financial statements, not to perform procedures to identify deficiencies in internal control. However, if in the course of an audit the auditor becomes aware of control deficiencies in the design or operation of these deficiencies are required to be communicated in writing. Again we see a relationship between SAS 99 and 112 to strengthen the overall governance of the not-for-profit.
Resources • Sample policy statements and other valuable information can be found on: • www.irs.gov • www.oag.state.ny.us/charities/charities.html • www.osc.state.ny.us/ • www.nonprofitpanel.org/ • www.nonprofitrisk.org • www.boardsource.org • www.independentsector.org • www.aicpa.org • www.acfe.com THANK YOU FOR PARTICIPATING!