Taming the Elephant: Managing Fraud Prevention

1
Taming the Elephant Managing Fraud Prevention

• Scott C. Kelley, The University of Texas System
• Charles Chaffin, The University of Texas System

2
What is Fraud?

• Fraud is defined as intentional deception to
  secure unfair or unlawful gain.
• It can be perpetrated for the benefit of the
  organization.
• It can be perpetrated to the detriment of the
  organization.
• Perpetrators can come from outside as well as
  inside the organization.

3
Examples of Fraud

• Forgery or alteration of checks, time cards, or
  billings.
• Acceptance or solicitation of any gift, favor, or
  service as consideration for a decision, opinion,
  recommendation, vote, or other official action.
• Illegal destruction or disappearance of records,
  furniture, or equipment.
• Falsifying additions to payroll.
• Personal purchases on a procurement card.

4
Why does Fraud Happen?

• Employees may be tempted to act fraudulently
  because of a financial crisis, family problems,
  gambling/drinking/drugs, feeling unappreciated,
  or just living beyond their means.
• They may justify their actions by pointing out
  that their bosses or co-workers sometimes dont
  go by the rules in other situations.
• Pressure to hit financial targets with
  compensation tied to those targets.

5
How does Fraud Happen?

• Poor or weak internal control system (i.e.,
  duties not properly segregated, assets not
  properly safeguarded).
• Lack of monitoring of internal controls.
• Poor or inadequate training.
• High management turnover.
• Collusion among employees over whom little
  control is exercised.
• Transactions executed without proper
  authorization.

6
Warning Signs

• Departmental expenditures are not reconciled to
  account statements or un-reconciled items are not
  investigated.
• Checks or documents have even amounts.
• Reports or documents are missing.
• Documentation for payment is not an original.
• One employee does it all.
• An employee will not take a vacation.
• Frequent use of sole-source procurement contracts.

7
Warning Signs (continued)

• Lack of appropriate management supervision.
• Constant association with, and entertainment by,
  a member of a suppliers or vendors staff.
• High employee turnover.
• Low employee morale.
• Write-off of inventory with no attempt to
  determine its whereabouts.

8
Costs and Effects of Fraud

• A typical U.S. Organization loses 6 of its
  annual revenues to fraud or 4,500 per employee
  (per Associate of Certified Fraud Examiners).
• Applied to U.S. GDP for 2003 660B (ACFE).
• 15.8 of fraud cases studied involve government
  (ACFE).
• In Texas, estimated cost is over 8B.
• Post Enronthe Sarbanes-Oxley Act of 2002 (SOX)
• For companies subject to SOX, this means
  increased cost to comply with the law (primarily
  404) and required implementation of antifraud
  programs and controls.

9
Governors Executive Order RP 36

• Governor Rick Perry recognized the costs of fraud
  in Texas and in July 2004 directed all state
  agencies to
• Designate a contact person for its fraud
  prevention and elimination activities.
• Conduct a fraud risk assessment.
• Develop a fraud prevention program that includes
  best practices.
• Review existing rules, policies, and statutes to
  identify changes needed to better detect and
  fight fraud.
• Report efforts to the Governors Office by
  October 1, 2004.

10
UT Systems Response

• Chancellor designated the Executive Vice
  Chancellor for Business Affairs as the UT
  Systems contact person.
• Each president of the 15 institutions designated
  an institutional contact person.
• Each institution completed a fraud risk
  assessment which included best practices.
• All institutions reviewed existing rules,
  policies, regulations to determine whether any
  additional statutory assistance was needed.
• UT System submitted a combined report to the
  Office of the Governor on September 29, 2004.

11
What has happened since October 1, 2004

• Office of General Counsel has provided ethics and
  code of conduct training.
• Compliance office provided Fraud Training.
• Tests conducted after ethics and compliance
  training to help ensure employee understanding.
• Business Affairs provided Contract Administration
  Training and updated the standard Contract
  Processing Checklist.
• Internal Audit has conducted contract audits
  encompassing several departments.

12
Prior to Governors Executive Order RP 36

• Internal Control Initiatives of 1994 and 1996.
• Institutional Compliance (Federal Sentencing
  Guidelines) Initiative of 1998.
• Chancellors Accountability and Institutional
  Improvement Initiative 2002.
• Spirit of Sarbanes-Oxley Implementation in 2003.

13
Internal Control Initiatives of 1994 and 1996

• Internal control training provided for all
  departmental managers.
• Accountability emphasized through issuance of
  Management Responsibilities Handbook and
  training.
• Establishment of an Internal Audit Committee of
  executive management at each institution to
  oversee internal controls.

14
Institutional Compliance Initiative of 1998

• The Chairman of the UT System Board of Regents
  requested a compliance program and action plan to
  ensure UT System Compliance with applicable laws,
  regulations, policies, and procedures.
• UT System now has a nationally recognized
  Institutional Compliance Program which covers
  Medical Billing, Research, Environmental Health
  and Safety, Human Resources, and Endowment Risks.
• Each Institution has a Compliance Officer,
  Compliance Committee, Annual Risk Assessment,
  Monitoring Programs, and Hotlines.

15
Spirit of Sarbanes-Oxley Initiative 2003

• While SOX is not directly applicable to UT
  System, the Board of Regents, in November 2003,
  voluntary adopted the implementation of relevant
  parts of SOX (short of complete Section 404
  implementation) to demonstrate to UT Systems
  stakeholders - the Texas Legislature, the federal
  government, bond holders, citizens, and donors
  an increased level of accountability for actions
  and reliability of information.

16
Key Elements of Fraud Prevention Program

• Culture of Honesty and Ethics
• Anti-Fraud Processes and Controls
• Appropriate Oversight Process

17
Key ElementsCulture of Honesty and Ethics

• Board members and managers must behave ethically
  and openly communicate their expectations for
  ethical behavior to members of the agency.
• The basis of a strong antifraud program is a
  culture with a strong values system founded on
  integrity.
• Additionally, preventing major frauds requires
  creating a workplace environment that promotes
  ethical behavior, deters wrongdoing, and
  encourages employees to report any known or
  suspected wrongdoing.

18
Key ElementsCulture of Honesty and Ethics
(continued)

• Develop and clearly communicate a code of
  conduct.
• Ethics and the University of Texas System A
  Brief Practical Guide is available to all
  employees online.
• Regent policies provide guidance on ethical
  matters including gift guidelines, financial
  disclosure, and investment polices.
• Recent code of conduct and ethics training at
  System provided to employees, including a test to
  document understanding.
• Develop a Fraud Policy including a protocol for
  handling allegations of fraud.

19
Key ElementsCulture of Honesty and Ethics
(continued)

• Develop a confidential reporting mechanism and a
  whistle-blower policy
• Confidential compliance hotline available
  24/7/365.
• Outsource to enhance confidentiality and
  credibility.
• Certified fraud examiners claim that just having
  a hotline can reduce fraud by 50. (Perception of
  detection).
• Whistleblowers are protected by both statute and
  policy.
• Inform employees to whom they can report
  suspected fraud.

20
Key ElementsCulture of Honesty and Ethics
(continued)

• Develop a Code of Ethics
• Require honest and ethical conduct of all
  officers and employees who can execute contracts.
• Avoid conflicts of interest.
• UT System Board of Regents members must disclose
  all potential conflicts and abstain from voting
  on issues for which a conflict of interest
  exists.
• The University of Texas Investment Management
  Company Board of Directors and employees must
  complete multiple disclosure forms.

21
Key ElementsCulture of Honesty and Ethics
(continued)

• Develop a compliance program.
• Though not limited to fraud, it can help reduce
  the risk of fraud. Despite the recent Supreme
  Court Ruling regarding Federal Sentencing
  Guidelines, an effective program can limit your
  liability and reduce the risk of costs related to
  non-compliance with applicable laws and
  regulations.
• Compliance officers at each institution and a
  System-wide Compliance Committee.
• Conduct annual compliance risk assessments.

22
Key ElementsCulture of Honesty and Ethics
(continued)

• Create a Culture of Honesty and Ethics by
  providing continuous training to employees.
• Communicate your code of conduct at least
  bi-annually.
• Conduct ethics training and compliance training.
• Communicate employee responsibilities.
• Make hotline information readily available.

23
Key ElementsCulture of Honesty and Ethics
(continued)

• Create a Positive Workplace Environment
• Improves employee morale and loyalty. In a
  positive environment, an employee is more likely
  to think twice before committing fraud.
• Poor employee morale can affect an employees
  attitude about committing fraud.

24
Key ElementsCulture of Honesty and Ethics
(continued)

• Hire and Promote Appropriate Employees.
• Establish standards for hiring and promoting the
  most qualified individuals with emphasis on
  educational background, prior work experience,
  past accomplishments, and evidence of integrity
  and ethical behavior.
• Perform criminal background checks for those in a
  position of trust. Policy requires it for
  security sensitive positions.
• Perform annual evaluations of employees. In some
  cases, annual evaluations may not be enough.
• Provide applicable job training and educational
  opportunities.

25
Key ElementsCulture of Honesty and Ethics
(continued)

• Discipline
• Develop a process for responding to allegations
  or suspicions of fraud.

26
Key ElementsAnti-Fraud Processes and Controls

• Establish and monitor all aspects of fraud risk
  assessment and prevention activities.
• Conduct fraud risk assessments with assistance
  from Internal Audit.
• Determine vulnerabilities and exposures to
  material losses, keeping in mind the size and
  complexity of operations.

27
Key ElementsAnti-Fraud Processes and Controls
(continued)

• Internal Audit should perform a risk assessment
  as part of its annual audit plan.
• Institutions are implementing Enterprise Risk
  Management (ERM) assessments to develop a risk
  footprint of high-risk areas.
• ERM should consider fraud.
• Institutional risks identified should drive the
  annual audit plan.
• Internal Audit should be informed of all
  investigations and allegations of wrongdoing.

28
Key ElementsAnti-Fraud Processes and Controls
(continued)

• Mitigate fraud risks.
• Prioritize the different types of fraud risks and
  apply appropriate mitigation strategies.
• Determine appropriate mix of preventive and
  detective controls. With ERM, you can determine
  whether there are appropriate execution (level
  1), supervisory (level 2), and oversight (level
  3) controls.
• ACFE estimates that 80 of all fraud results from
  an absence of appropriate supervisory controls.

29
Key ElementsAnti-Fraud Processes and Controls
(continued)

• Mitigate fraud risks (continued)
• Review your contracting approval process.
• Review guidelines for consulting contracts.
• Review monitoring process. Assign responsible
  parties.
• Internal audit and external audit should consider
  fraud during engagements.
• Develop investment policies and procedures.

30
Key ElementsAnti-Fraud Processes and Controls
(continued)

• Implement and Monitor Appropriate Internal
  Controls.
• Appropriate Cash Controls.
• Segregation of duties.
• Reconciliations.
• Supervisory review (Date/Sign-Off Documented).
• Appropriate levels of expenditures approval
  authority.
• Change in Management Audits.
• Educate employees about internal controls.

31
Key ElementsAppropriate Oversight Process

• Establish an active Audit Committee of the Board
  of Directors.
• Audit Committees should meet quarterly.
• Significant Compliance and Audit Findings should
  be reported to the Audit Committee.
• Internal Audit Directors should report to the
  Chair of the Audit Committee.
• Provide Audit Committee training to inform them
  of their responsibilities.

32
Key ElementsAppropriate Oversight Process
(continued)

• Establish an active Audit Committee of the Board
  of Directors (continued)
• Review Audit Committee Charter to ensure that it
  empowers the committee to investigate any alleged
  or suspected wrongdoing brought to its attention
  and to retain legal, accounting, and other
  professional advisers to advise the committee and
  assist in its investigation.
• Report significant findings and conduct follow-up
  audits and report the results to the audit
  committee.
• Audit Committee should approve the internal audit
  plan.

33
Key ElementsAppropriate Oversight Process
(continued)

• Hold management accountable for establishing and
  maintaining an effective control system.
• Assign a member of senior management to have
  responsibility for managing all fraud risks
  within the entity and to explicitly communicate
  to divisions and units managers that they are
  responsible for managing fraud risks within their
  part of the agency.

34
Key ElementsAppropriate Oversight Process
(continued)

• Designate an Ethics Advisor.
• Involve Internal audit with implementation of new
  information technology systems.
• Document policies and procedures, including key
  controls.
• Set up appropriate delegated signature authority
  and approval limitations.
• Provide continuous training to employees of job
  duties.

35
Key ElementsAppropriate Oversight Process
(continued)

• Create additional oversight committees (other
  than Audit Committees).
• Institutional Compliance Committee approves
  compliance risk assessment and monitoring plans.

36
Cost of Control Versus Benefit

• It is difficult to compare the cost of attempting
  to prevent fraud versus the cost of actual fraud.
• Some frauds have a high negative impact because
  they are accompanied by negative publicity,
  resulting in a loss of reputation and
  credibility. Those costs can be longer-term and
  have a higher cost than the fraud itself.
• Know your risk tolerance.
• Consider the impact of not having a fraud program.

37
Consider Statistics Reported by ACFE

• The ACFE issued a comprehensive report in 2004
  titled Report to the Nation on Occupational Fraud
  and Abuse.
• The most cost-effective way to deal with fraud is
  to prevent it.
• Having a hotline with a confidential reporting
  mechanism reduces losses by 50.
• Hotlines are extremely important because most
  frauds are discovered through tips (60 of tips
  are from employees).
• Customers and vendors combined account for over
  30 of tips.

38
Consider Statistics Reported by ACFE (continued)

• Organizations with an internal audit department
  suffered significantly less loss from fraud than
  those without however, the AFCE reported that
  the effectiveness of external audits in reducing
  fraud losses was not observable in our study.
• Typically those that commit fraud are first time
  offenders (gt80).
• The median loss recovered is 20 of the original
  loss.
• 40 of victims recover nothing at all.

39
Consider Statistics Reported by ACFE (continued)

• Two-thirds of frauds are committed by one person,
  but when you add another person (collusion) the
  median loss of the fraud more than tripled for
  2004. For the 2002 report, it was seven times.
• If an employee was caught, 88 were fired. For
  the other 12, the employee disappeared. In very
  rare cases the employee remained.
• 69 of frauds are referred to law enforcement.
  Decision to refer is strongly influenced by the
  size of fraud.
• For cases where outcomes were identified, 73 of
  perpetrators pled guilty, 9 were convicted at
  trial, 16 declined to prosecute, and 2 were
  acquitted.

40
Consider Statistics Reported by ACFE (continued)

• The loss caused by fraud is directly related to
  the position of the perpetrator. The frequency of
  employee fraud is higher than for executive
  fraud, but executives have a bigger impact.

41
Summary

• Fraud is defined as intentional deception to
  secure unfair or unlawful gain.
• Fraud does occur and is costly.
• The most cost effective way to deal with fraud is
  to prevent it.
• The Board and Management are responsible for
  setting the tone of the organization and for
  establishing a fraud prevention program.
• Creating a culture of honesty and ethics is
  critical.

42
Summary (continued)

• Develop a strong ethics and fraud policy.
• Conduct a risk assessment to determine your risks
  and vulnerabilities.
• Involve internal audit in your risk assessment
  process.
• Ensure controls are in place to mitigate
  significant risks.
• Establish an Audit Committee with appropriate
  level of oversight.

43
Examples of Fraud

• Knowingly reporting or certifying fraudulent
  financial or operating information.
• Paying false invoices, either self-prepared or
  obtained through collusion with suppliers.
• Embezzlement, as typified by misappropriation of
  money or property, and falsification of financial
  records to cover up the act.
• Intentional failure to record or disclose
  significant information to improve the financial
  picture of the institution to outside parties.