Audit Red Flags - PowerPoint PPT Presentation

Slides: 64
Provided by: rsmm9

Transcript and Presenter's Notes

1
Audit Red Flags: Public-Sector Fraud
  • Yvonne M. Clayborne, CPA
  • Jeff Roth, CISA

2
The Fraud Triangle
  • Opportunity: inadequate or no
      • Supervision and review
      • Segregation of duties
      • Management approval
      • System controls
  • Pressure
      • Unrealistic deadlines
      • Unrealistic performance goals
      • Personal vices
  • Integrity, a.k.a. Rationalization: reconciling behavior
    with commonly accepted notions of decency and trust.
3
The Nature of the Industry
  • Fraud can be explained by three factors
  • A supply of motivated offenders
  • The availability of suitable targets
  • The absence of capable guardians or a control
    system to mind the store
  • The opportunity to commit and conceal fraud is the
    only element over which the local government has
    significant control.
  • What are some of the warning signs?
  • What can we do about it?

Source: Red Flags for Fraud by Mark P.
Pattison, Deputy Comptroller, State of New York
4
No free lunch...
  • Business fraud and abuse in the U.S. cost about
    $650 billion a year.
  • Government agencies lose an average of $45,000
    per fraud scheme.
  • The average organization loses 5% of revenue, or $8 a
    day per employee.
  • Street crime only costs the U.S. $4 billion
    annually.

5
ACFE Report to the Nation on Occupational Fraud and
Abuse
Source: Association of Certified Fraud Examiners,
Report to the Nation on Occupational Fraud and Abuse
6
  • Famous last words
  • "It won't happen here. We're careful who we
    hire."

Source: Association of Certified Fraud Examiners,
Report to the Nation on Occupational Fraud and Abuse
7
Famous last words: "But he's in charge. He had
no motive."
8
Source: Association of Certified Fraud Examiners,
Report to the Nation on Occupational Fraud and Abuse
9
Famous last words: "NO WAY it was Mike. He's
over 60 now."
Source: Association of Certified Fraud Examiners,
Report to the Nation on Occupational Fraud and Abuse
10
Famous last words: "Sandra wouldn't have done
that. She's a mom."
Source: Association of Certified Fraud Examiners,
Report to the Nation on Occupational Fraud and Abuse
11
Famous last words: "It would never happen in our
department."
12
What's the cost?
  • Economic costs
      • Tangible, measurable
      • Insurable in some cases
      • Provides basis for prosecution and/or litigation
  • Political costs
      • Loss of integrity
      • Diminished public confidence
      • Can't be measured, difficult to recover

13
What are the Warning Signs?
  • A red flag is a set of circumstances that are
    unusual in nature or vary from the normal
    activity. It is a signal that something is out
    of the ordinary and may need to be investigated
    further. Red flags do not indicate guilt or
    innocence but merely provide possible warning
    signs of fraud.
  • Being able to recognize red flags is necessary
    not only for public accountants but also for
    anyone working in the public sector where the
    potential for fraud to occur exists.

Source: Red Flags for Fraud by Mark P.
Pattison, Deputy Comptroller, State of New York
14
Just keep in mind
  • Do not ignore a red flag: Studies of fraud cases
    consistently show that red flags were present,
    but were either not recognized or were recognized
    but not acted upon by anyone.
  • Sometimes an error is just an error: Red flags
    should lead to some kind of appropriate action,
    such as an investigation by a measured, responsible
    person, but sometimes an error is just an error
    and no fraud exists.

Source: Red Flags for Fraud by Mark P.
Pattison, Deputy Comptroller, State of New York
15
Employee Red Flags
Source: Red Flags for Fraud by Mark P.
Pattison, Deputy Comptroller, State of New York
16
Management Red Flags
Source: Red Flags for Fraud by Mark P.
Pattison, Deputy Comptroller, State of New York
17
Red flags in cash or accounts receivable
Source: Red Flags for Fraud by Mark P.
Pattison, Deputy Comptroller, State of New York
18
Red flags in payroll
Source: Red Flags for Fraud by Mark P.
Pattison, Deputy Comptroller, State of New York
19
Red flags in purchasing or inventory
Source: Red Flags for Fraud by Mark P.
Pattison, Deputy Comptroller, State of New York
20
Profile of a fraud perpetrator
  • Male.
  • Intelligent and in management.
  • Married and under some type of significant
    stress.
  • Risk takers and not afraid to fail.
  • Rule breakers.
  • Long-time employees, hard working

Source: Fraud Perpetrator Profile: A Short
Story by Nick Brignola, CFE
21
Profile of an organization at risk
  • Less than 100 employees.
  • Management ignores irregularities.
  • High turnover with low morale.
  • Staff lacks training.
  • The education industry has experienced the
    lowest median losses.

Source: Fraud Perpetrator Profile: A Short
Story by Nick Brignola, CFE
22
The Typical Environment in which Fraud Occurs
  • Trust is placed in employees
  • Employees have detailed knowledge of the
    accounting systems and their weaknesses
  • Management domination subverts normal internal
    controls
  • Management adds pressure to make the numbers
  • Expected moral behavior is not communicated to
    employees
  • Unduly liberal accounting practices

23
The Typical Environment in which Fraud Occurs
  • Ineffective or nonexistent internal auditing
    staff.
  • Lack of effective internal controls.
  • Poor accounting records.
  • Related party transactions.
  • Incomplete and out of date procedural
    documentation.
  • Management sets a bad example.

24
Government Agencies in the News
  • Construction Company Bills School $90,000 for Job
    it Did Not Get
  • Corruption in Paradise: This is Not Hawaii
    Five-O
  • Local Fraud: Timing is Everything
  • Former Commissioner Pleads Guilty to Stealing
    County Gasoline for Personal Use
  • Former Employee gets 10 years for Theft
  • Employee called Payroll Plan "Foolproof"
  • Missing Funds Could Top One Million
  • DA Asked to Find Out How $260,000 was lost at Tax
    Office
  • Sensitive Information Left in Recycle Bin
  • Councilman Embezzlement Case in Hands of FBI
  • 14 Indicted in Connection with Payroll Fraud
  • Ex-Illinois Gov. Ryan gets 6 1/2 years for graft

25
Fighting fraud with words
  • In the current era of whistleblower reform,
    fraud controls and hotlines have become a focus
    in the media and in the minds of citizens.
    Auditors in the public sector can enhance fraud
    detection through employee and vendor
    communications campaigns specifically designed
    with fraud prevention as the primary goal.

Source: Fighting Fraud with Words: Whistleblower
Communication, March 2006, ALGA
26
Source: Association of Certified Fraud Examiners,
Report to the Nation on Occupational Fraud and Abuse
27
Source: Association of Certified Fraud Examiners,
Report to the Nation on Occupational Fraud and Abuse
28
Source: Association of Certified Fraud Examiners,
Report to the Nation on Occupational Fraud and Abuse
29
Source: Association of Certified Fraud Examiners,
Report to the Nation on Occupational Fraud and Abuse
30
  • Who knew who they were? There was no place for
    me to voice my concerns, either to the internal
    audit function or the audit committee. Remember,
    I was not in the accounting department. But even
    if I were, I think I would have known it would
    have been fruitless, because I would have had
    access to junior auditors who were simply not in
    the position to raise the flags that would have
    hurt their senior auditors and account
    executives.

- Sherron Watkins, Enron Corporation
31
An engaging message needs to reach the right
person at the right time in order to influence
that person to take action.
Hotline help...
  • Fraud losses are reduced by 58% when an effective
    hotline is in place
  • 47% of hotline calls happen overnight or on
    weekends
  • Communications that publicize the existence of
    the hotline should be used as an opportunity to
    promote ethical behavior as well
  • Components of communication strategy
  • Message
  • Reach
  • Frequency

Source: Fighting Fraud with Words: Whistleblower
Communication, March 2006, ALGA
32
Role of the Audit Committee
  • A government audit committee should take an
    active role in the prevention, deterrence, and
    detection of fraud and encourage the government
    organization to establish an effective ethics and
    compliance program. The audit committee should
    constantly challenge management and the auditors
    to ensure that the organization has appropriate
    anti-fraud programs and controls in place to
    identify potential fraud. Also, the committee
    should take an interest in ensuring that
    appropriate action is taken against known
    perpetrators of fraud.

Source: Fraud and the Responsibilities of the
Government Audit Committee, AICPA, 2005
33
Source: Association of Certified Fraud Examiners,
Report to the Nation on Occupational Fraud and Abuse
34
Source: Association of Certified Fraud Examiners,
Report to the Nation on Occupational Fraud and Abuse
35
Source: Association of Certified Fraud Examiners,
Report to the Nation on Occupational Fraud and Abuse
36
We know it works. But what are we doing about it?
Source: Association of Certified Fraud Examiners,
Report to the Nation on Occupational Fraud and Abuse
37
Traditional Approach
  • Traditionally, fraud investigations have been
    reactive in nature.
  • Identified from a variety of sources.
  • Conducted after significant losses have been
    incurred.
  • In response, today's management is developing
    strategic approaches to proactively identify
    material fraud within their organizations.
  • Forming tactical teams of forensic accountants
    and investigators.
  • Investing in resources to address fraud before it
    occurs.

38
Caution
  • Government auditors are expected to have
    sufficient knowledge to identify the indicators
    of fraud but are not expected to have the
    expertise of a person whose primary
    responsibility is detecting and investigating
    fraud.

39
Prevention First
  • Educate your employees
  • Implement strong controls
  • Explain consequences
  • Have a clearly written policy
  • Make the employees sign the policy
  • Let them know you're monitoring. Speaking of
    monitoring...

40
Financial Processes' Reliance on Information
Technology
  • The majority of your organization's financial
    data is in the hands of your IT department.
  • You are reliant on the confidentiality, integrity
    and availability of the enterprise's
    infrastructure.
  • Is your IT department integrated into your
    anti-fraud internal control structure?
  • Let us look at how we can leverage the
    internationally accepted framework of Control
    Objectives for Information and related Technology
    (CobiT) to integrate anti-fraud preventive and
    detective controls throughout the enterprise.

41
CobiT Framework
Let's talk about fraud prevention
42
CobiT - Delivery and Support Domain
  • DS-2 Manage Third Party Services
  • DS-3 Performance and Capacity
  • DS-5 Ensure System Security
  • DS-9 Manage the configuration of IT systems
  • DS-10 Manage Problems and Incidents
  • DS-11 Manage Data
  • IT Assurance testing using the CobiT
    Confidentiality, Availability, and Integrity
    guidelines can assist in determining your
    organisation's level of compliance (legal, civil,
    business).

43
Cobit Security Baseline and Fraud
  • The CobiT Security Baseline objectives are
    organized into 39 essential steps
  • 1 Based on a business impact analysis (BIA) for
    critical business processes, identify data that
    must not be misused or lost, services that need
    to be available and transactions that must be
    trusted. The business must consider the security
    requirements for
  • Who may access and modify data.
  • What data retention and backup are needed.
  • What availability is required.
  • What authorization and verification are needed
    for electronic transactions.
  • 2 Define specific responsibilities for the
    management of security and ensure that they are
    assigned, communicated and properly understood.
    Be aware of the dangers of delegating too many
    security roles and responsibilities to one
    person. Provide the resources required to
    exercise responsibilities effectively.
  • 3 Consistently communicate and regularly discuss
    the basic rules for implementing security
    requirements and responding to security
    incidents. Establish minimum dos and don'ts, and
    regularly remind people of security risks and
    their personal responsibilities.
  • 4 When hiring, verify with reference checks.
  • 5 Obtain the skills needed to support the
    enterprise security requirements through hiring
    or training. Verify annually whether skills are
    up-to-date.

44
Cobit Security Baseline and Fraud
  • 6 Ensure that no key security task is critically
    dependent on a single resource.
  • 7 Identify what, if anything, needs to be done
    with respect to security obligations to comply
    with privacy, intellectual property rights and
    other legal, regulatory, contractual and
    insurance requirements.
  • 8 Discuss with key staff what can go wrong with
    IT security that could significantly impact the
    business objectives. Consider how best to secure
    services, data and transactions that are critical
    for the success of the business.
  • 9 Establish staff understanding of the need for
    responsiveness and consider cost-effective means
    to manage the identified security risks through
    security practices and insurance coverage.
  • 10 Consider how automated solutions may
    introduce security risks. Ensure that the
    solution is functional and that operational
    security requirements are specified and
    compatible with current systems. Obtain comfort
    regarding the trustworthiness of the solution
    through references, external advice, contractual
    arrangements, etc.
  • 11 Ensure that the technology infrastructure
    properly supports automated security practices.
  • 12 Consider what additional security
    requirements are needed to protect the technology
    infrastructure itself.

45
Cobit Security Baseline and Fraud
  • 13 Identify and monitor sources for keeping
    up-to-date with security patches and implement
    those appropriate for the enterprise
    infrastructure.
  • 14 Ensure that staff knows how to implement
    security in day-to-day procedures.
  • 15 Test the system, or major changes, against
    functional and operational security requirements
    in a representative environment so the results
    are reliable. Consider testing how the security
    functions integrate with existing systems.
  • 16 Perform final security acceptance by
    evaluating all test results against business
    goals and security requirements involving key
    staff.
  • 17 Evaluate all changes, including patches, to
    establish the impact on the integrity, exposure
    or loss of sensitive data, availability of
    critical services and validity of important
    transactions. Based on this impact, perform
    adequate tests prior to making the change.
  • 18 Record and authorize all changes, including
    patches (possibly emergency changes after the
    fact).
  • 19 Ensure that management establishes security
    requirements and regularly reviews compliance of
    internal service-level agreements and contracts
    with third-party service providers.

46
Cobit Security Baseline and Fraud
  • 20 Ensure that third parties provide an adequate
    contact with the authority to act on security
    requirements and concerns.
  • 21 Consider the dependence on third-party
    suppliers for security requirements, and mitigate
    continuity, confidentiality and intellectual
    property risk.
  • 22 Identify critical business functions and
    information, and those resources (e.g.,
    applications, third-party services, supplies and
    data files) that are critical to support them.
    Provide for the availability of these resources
    in the event of a security incident to maintain
    continuous service. Ensure that significant
    incidents are identified and resolved in a timely
    manner.
  • 23 Establish basic principles for safeguarding
    and reconstructing IT services, including
    alternative processing procedures, how to obtain
    supplies and services in an emergency, how to
    return to normal processing after the security
    incident and how to communicate with customers
    and suppliers.
  • 24 Together with key employees, define what
    needs to be backed up and stored off-site to
    support recovery of the business (e.g., critical
    data files, documentation and other IT resources),
    and secure it appropriately. At regular
    intervals, ensure that the backup resources are
    usable and complete.

47
Cobit Security Baseline and Fraud
  • 25 Implement rules to control access to services
    based on the individual's need to view, add,
    change or delete information and transactions.
    Especially, consider access rights of service
    providers, suppliers and customers.
  • 26 Ensure that responsibility is allocated to
    manage all user accounts and security tokens to
    control devices, tokens and media with financial
    value. Periodically review the actions and
    authority of those who manage user accounts.
    Ensure that these responsibilities are not
    assigned to the same person.
  • 27 Detect and log important security violations.
    Ensure that they are reported immediately and
    acted upon in a timely manner.
  • 28 To ensure that counterparties can be trusted
    and transactions are authentic when using
    electronic transaction systems, ensure that the
    security instructions are adequate and compliant
    with contractual obligations.
  • 29 Enforce the use of virus-protection software
    throughout the enterprise's infrastructure and
    maintain up-to-date virus definitions. Use only
    legal software.
  • 30 Define policy for what information can come
    into and go out of the organization, and
    configure the network security systems (e.g.,
    firewall), accordingly. Consider how to protect
    physically transportable storage devices. Monitor
    exceptions and follow up on significant
    incidents.

48
Cobit Security Baseline and Fraud
  • 31 Ensure that there is a regularly updated and
    complete inventory of the IT hardware and
    software configuration.
  • 32 Regularly review whether all installed
    software is authorized and properly licensed.
  • 33 Subject data to a variety of controls to
    check integrity (accuracy, completeness and
    validity) during input, processing, storage and
    distribution. Control transactions to ensure that
    they cannot be repudiated.
  • 34 Distribute sensitive output only to
    authorized people.
  • 35 Define retention periods, archival
    requirements and storage terms for input and
    output documents, data and software. Ensure that
    they comply with user and legal requirements.
    While in storage, check continuing integrity and
    ensure that data cannot be retrieved.
  • 36 Physically secure the IT facilities and
    assets, especially those most at risk to a
    security threat, and if applicable, obtain expert
    advice.

49
Cobit Security Baseline and Fraud
  • 37 Protect computer networking and storage
    equipment (particularly mobile equipment) from
    damage, theft, accidental loss and interception.
  • 38 Have key staff periodically
  • Assess adequacy of security controls against
    defined requirements and vulnerabilities.
  • Reassess what security exceptions need to be
    monitored on an ongoing basis.
  • Evaluate how well the security mechanisms are
    operating. Check for weaknesses, such as
    intrusion detection, penetration and stress
    testing, and test contingency plans.
  • Ensure that exceptions are acted upon.
  • Monitor compliance to key controls.
  • 39 Obtain, where needed, competent external
    resources to review the information security
    control mechanisms. Assess compliance with laws,
    regulations and contractual obligations relative
    to information security. Leverage their knowledge
    and experience for internal use.

50
Test Case 1- Vendor Master Table
  • Vendor master table integrity testing can include
    detection of the following:
  • Duplicate vendors
  • Employee or related parties listed as vendors
  • Exception reporting of active vendors against the
    convicted/debarred vendor list per Section 287.133,
    Florida Statutes

51
Test Case 1a Duplicate Vendor Numbers
Easy identification of duplicate vendor numbers
52
Test Case 1b Duplicate Vendor Addresses
Easy identification of duplicate vendor addresses
53
Test Case 1c Employee or related parties
listed as vendors
Easy identification by matching employee and vendor
addresses
54
Test Case 1c Employee or related parties
listed as vendors
Easy identification by matching employee SSN to
vendor FEI number
55
Test Case 1d Employee or related parties
listed as vendors
Easy identification by matching employee beneficiary
and vendor phone numbers
56
Test Case 1e Using debarred vendors
Easy identification of debarred vendors with
active status
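Test Cases 1a through 1e appear in the deck as screenshots of ACL output. The script below is an added example, not the presenters' code, that reproduces the same matching logic over constructed vendor-master and payroll records so the normalisation each test depends on is visible: vendor numbers, addresses, tax IDs and phone numbers are only comparable once case, punctuation and street abbreviations are stripped, which is exactly what an exact-match query misses. The field names (vendor_no, fein, ssn, beneficiary_phone, status) and the debarred list are assumptions about a generic extract, not the presenters' TERMS layout.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the presentation). Column names such as
# vendor_no, fein, ssn, status and beneficiary_phone are assumptions about a
# generic vendor master / payroll extract, not the presenters' TERMS layout.
VENDORS = [
    {"vendor_no": "V001", "name": "Acme Paving Inc", "address": "100 Main St., Suite 5",
     "zip": "32940", "phone": "(321) 555-0100", "fein": "59-1234567", "status": "A"},
    {"vendor_no": "V002", "name": "ACME PAVING, INC.", "address": "100 MAIN STREET STE 5",
     "zip": "32940-1234", "phone": "321.555.0100", "fein": "591234567", "status": "A"},
    {"vendor_no": "V003", "name": "J. Doe Consulting", "address": "42 Oak Ave",
     "zip": "32935", "phone": "321-555-0142", "fein": "123-45-6789", "status": "A"},
    {"vendor_no": "V004", "name": "Gulf Supply Co", "address": "9 Harbor Rd",
     "zip": "33602", "phone": "813-555-0199", "fein": "59-7654321", "status": "A"},
    {"vendor_no": "V005", "name": "Sunshine Office", "address": "77 Palm Blvd",
     "zip": "32801", "phone": "407-555-0177", "fein": "59-1111111", "status": "I"},
    {"vendor_no": "V004", "name": "Gulf Supply Company", "address": "9 Harbor Road",
     "zip": "33602", "phone": "813-555-0199", "fein": "59-7654321", "status": "A"},
]
EMPLOYEES = [
    {"emp_id": "E100", "name": "Jane Doe", "address": "42 Oak Avenue", "zip": "32935",
     "ssn": "123-45-6789", "phone": "321-555-0142", "beneficiary_phone": ""},
    {"emp_id": "E101", "name": "Mike Smith", "address": "5 Pine Ct", "zip": "32904",
     "ssn": "987-65-4321", "phone": "321-555-0155", "beneficiary_phone": "813-555-0199"},
]
# Stand-in for the convicted/debarred vendor list, keyed by tax ID (constructed).
DEBARRED_FEINS = {"59-7654321"}

_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "boulevard": "blvd",
           "suite": "ste", "court": "ct", "drive": "dr", "lane": "ln"}

def digits(s):
    """Keep only digits so '(321) 555-0100', '321.555.0100' and '3215550100' compare equal;
    the same treatment makes a hyphenated SSN comparable to an unhyphenated FEIN."""
    return re.sub(r"\D", "", s or "")

def norm_address(addr, zip_code):
    """Lower-case, strip punctuation, collapse common street abbreviations and append
    the 5-digit ZIP, so re-keyed variants of one address collide."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens) + "|" + digits(zip_code)[:5]

def duplicate_vendor_numbers(vendors):
    """Test 1a: one vendor number carrying more than one record."""
    names = defaultdict(list)
    for v in vendors:
        names[v["vendor_no"]].append(v["name"])
    return {k: n for k, n in names.items() if len(n) > 1}

def duplicate_addresses(vendors):
    """Test 1b: distinct vendor numbers sharing one normalised address."""
    ids = defaultdict(set)
    for v in vendors:
        ids[norm_address(v["address"], v["zip"])].add(v["vendor_no"])
    return [sorted(s) for s in ids.values() if len(s) > 1]

def employee_vendor_matches(vendors, employees):
    """Tests 1c-1d: vendors sharing an address, a tax ID (employee SSN vs vendor FEIN)
    or a phone number (employee's own or beneficiary's) with someone on payroll."""
    by_addr = {norm_address(e["address"], e["zip"]): e["emp_id"] for e in employees}
    by_tax = {digits(e["ssn"]): e["emp_id"] for e in employees}
    by_phone = {}
    for e in employees:
        for p in (e["phone"], e["beneficiary_phone"]):
            if digits(p):
                by_phone[digits(p)] = e["emp_id"]
    hits = []
    for v in vendors:
        addr, tax, phone = norm_address(v["address"], v["zip"]), digits(v["fein"]), digits(v["phone"])
        if addr in by_addr:
            hits.append((v["vendor_no"], by_addr[addr], "address"))
        if tax in by_tax:
            hits.append((v["vendor_no"], by_tax[tax], "ssn=fein"))
        if phone in by_phone:
            hits.append((v["vendor_no"], by_phone[phone], "phone"))
    return hits

def active_debarred(vendors, debarred_feins):
    """Test 1e: vendors on the debarred list that are still active in the master."""
    banned = {digits(f) for f in debarred_feins}
    return sorted({v["vendor_no"] for v in vendors
                   if v["status"] == "A" and digits(v["fein"]) in banned})

if __name__ == "__main__":
    print("1a duplicate vendor numbers:", duplicate_vendor_numbers(VENDORS))
    print("1b duplicate addresses:", duplicate_addresses(VENDORS))
    for hit in employee_vendor_matches(VENDORS, EMPLOYEES):
        print("1c/1d employee-vendor match:", hit)
    print("1e active debarred vendors:", active_debarred(VENDORS, DEBARRED_FEINS))
```

Every hit is a red flag to be investigated, not a finding: a vendor and an employee sharing a phone number can be a spouse's legitimate business, which is why each match carries the key it matched on (address, ssn=fein, phone) rather than a verdict.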
57
Test Case 2 - Vendor Invoice and Payment
  • Vendor invoice and payment integrity testing can include:
  • Duplicate invoices
  • Duplicate payments
  • Non-standard payments
  • No match to approved vendor values
  • Exceed PO value

58
Test Case 2a Duplicate Vendor Invoice
Easy identification of duplicate invoices with
detailed drill down
59
Test Case 2b Duplicate Vendor Payments
60
Test Case 2c Payments Not Matched to the Vendor
Table
In this case we can detect manual AP check print
overrides and manipulation of PO tables to make
payments to unapproved vendors
61
Test Case 2d Paid Invoice Exceeds PO Value
Provides identification of issues related to
unauthorized payments in excess of PO values
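Test Cases 2a through 2d, as an added example that is not part of the presentation: the same accounts-payable integrity tests run over a constructed invoice and payment extract. The field names, the `method` flag standing in for a manual check-print override, and the PO amounts are assumptions. What the deck's screenshots cannot show is why the duplicate test must normalise the invoice number and also look for same-vendor, same-date, same-amount pairs filed under different numbers.

```python
import re
from collections import defaultdict

# Constructed sample AP extract (not from the presentation). Field names, the
# "method" flag for manual check-print overrides and the PO structure are assumptions.
APPROVED_VENDORS = {"V001", "V003"}                       # active rows in the vendor master
PURCHASE_ORDERS = {"PO-100": {"vendor_no": "V001", "amount": 5000.00},
                   "PO-101": {"vendor_no": "V003", "amount": 1200.00}}
INVOICES = [
    {"inv_id": 1, "vendor_no": "V001", "inv_no": "INV-2041", "date": "2006-03-01", "amount": 2500.00, "po": "PO-100"},
    {"inv_id": 2, "vendor_no": "V001", "inv_no": "inv 2041", "date": "2006-03-15", "amount": 2500.00, "po": "PO-100"},  # re-keyed
    {"inv_id": 3, "vendor_no": "V001", "inv_no": "INV-2050", "date": "2006-03-20", "amount": 1800.00, "po": "PO-100"},
    {"inv_id": 4, "vendor_no": "V003", "inv_no": "7",        "date": "2006-03-02", "amount": 1200.00, "po": "PO-101"},
    {"inv_id": 5, "vendor_no": "V003", "inv_no": "8",        "date": "2006-03-02", "amount": 1200.00, "po": "PO-101"},  # same day/amount
    {"inv_id": 6, "vendor_no": "V999", "inv_no": "A1",       "date": "2006-03-05", "amount": 900.00,  "po": None},      # not in master
]
PAYMENTS = [
    {"chk_no": "50001", "vendor_no": "V001", "inv_id": 1, "amount": 2500.00, "method": "system"},
    {"chk_no": "50002", "vendor_no": "V001", "inv_id": 1, "amount": 2500.00, "method": "system"},  # invoice 1 paid twice
    {"chk_no": "50003", "vendor_no": "V001", "inv_id": 3, "amount": 1800.00, "method": "system"},
    {"chk_no": "50004", "vendor_no": "V003", "inv_id": 4, "amount": 1200.00, "method": "system"},
    {"chk_no": "50005", "vendor_no": "V999", "inv_id": 6, "amount": 900.00,  "method": "manual"},  # manual check print
]

def norm_inv_no(s):
    """Upper-case, drop punctuation/whitespace and leading zeros in the numeric part so
    'INV-2041', 'inv 2041' and 'INV02041' collide; exact-string matching misses all three."""
    s = re.sub(r"[^A-Z0-9]", "", s.upper())
    return re.sub(r"^([A-Z]*)0+(\d)", r"\1\2", s)

def duplicate_invoices(invoices):
    """Test 2a. Exact: same vendor and normalised invoice number.
    Probable: same vendor, date and amount under different numbers (review, not a verdict)."""
    exact, probable = defaultdict(list), defaultdict(list)
    for inv in invoices:
        exact[(inv["vendor_no"], norm_inv_no(inv["inv_no"]))].append(inv["inv_id"])
        probable[(inv["vendor_no"], inv["date"], round(inv["amount"], 2))].append(inv["inv_id"])
    exact_dups = [ids for ids in exact.values() if len(ids) > 1]
    probable_dups = [ids for ids in probable.values() if len(ids) > 1 and ids not in exact_dups]
    return exact_dups, probable_dups

def duplicate_payments(payments):
    """Test 2b: more than one check against the same vendor, invoice and amount."""
    checks = defaultdict(list)
    for p in payments:
        checks[(p["vendor_no"], p["inv_id"], round(p["amount"], 2))].append(p["chk_no"])
    return [c for c in checks.values() if len(c) > 1]

def unmatched_payments(payments, approved):
    """Test 2c: checks to a vendor number absent from the approved master, or cut through a
    manual print override that bypasses the system's vendor validation."""
    return [(p["chk_no"], "vendor not in master" if p["vendor_no"] not in approved else "manual override")
            for p in payments if p["vendor_no"] not in approved or p["method"] != "system"]

def invoices_exceeding_po(invoices, pos):
    """Test 2d: total invoiced per PO against the authorised PO value."""
    billed = defaultdict(float)
    for inv in invoices:
        if inv["po"]:
            billed[inv["po"]] += inv["amount"]
    return {po: (round(total, 2), pos[po]["amount"])
            for po, total in billed.items() if total > pos[po]["amount"]}

if __name__ == "__main__":
    exact, probable = duplicate_invoices(INVOICES)
    print("2a exact duplicate invoices:", exact, "probable:", probable)
    print("2b duplicate payments:", duplicate_payments(PAYMENTS))
    print("2c payments not matched to vendor table:", unmatched_payments(PAYMENTS, APPROVED_VENDORS))
    print("2d invoiced > PO value:", invoices_exceeding_po(INVOICES, PURCHASE_ORDERS))
```

Note how the tests compound: PO-101 shows as over its value only because of the probable duplicate pair, so the 2d exception list is a good place to drill down into 2a hits.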
62
Test Case 3 Proper Approval of Purchase
  • Proper approval of purchase types and values is
    recognized by most management as important;
    however, monitoring approvals can be time
    consuming and tedious at best.
  • Obtain the flat file extract from TERMS and
    import into ACL
  • Stratify purchases by dollar value, extract
    purchases at the specified approval thresholds,
    and extract all those missing the required level
    of authorization (either by individual per
    department DOA trees or other authorization
    reference)

63
Test Case 3 Proper Approval of Purchase
We can now review the PO documentation to
investigate why the proper level of approval was
not received
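Test Case 3 as an added example, not the presenters' ACL script: stratification of purchases by dollar value followed by a check of each recorded approver against a per-department delegation-of-authority (DOA) tree. The threshold schedule, the DOA table and the purchase records are constructed assumptions. The just-under-threshold check goes one step beyond the slide and flags purchases priced just below an approval boundary, a companion red flag for order splitting.

```python
from collections import defaultdict

# Constructed approval schedule (an assumption, not the presenters' TERMS configuration):
# (lower bound inclusive, upper bound exclusive, minimum DOA level required to approve).
THRESHOLDS = [(0, 1_000, 1), (1_000, 10_000, 2), (10_000, 50_000, 3), (50_000, float("inf"), 4)]

# Delegation-of-authority tree: approver user ID -> (department, authority level). Constructed.
DOA = {
    "asmith": ("Public Works", 1),
    "bjones": ("Public Works", 2),
    "cdavis": ("Public Works", 3),
    "dlee":   ("Finance", 3),
    "emoore": ("Finance", 4),
}

# Constructed purchase-order extract; comments give the condition each row exercises.
PURCHASES = [
    {"po": "PO-200", "dept": "Public Works", "amount": 850.00,     "approver": "asmith"},  # properly approved
    {"po": "PO-201", "dept": "Public Works", "amount": 9_999.99,   "approver": "asmith"},  # level 1 signing a level-2 amount
    {"po": "PO-202", "dept": "Public Works", "amount": 25_000.00,  "approver": "cdavis"},  # properly approved
    {"po": "PO-203", "dept": "Public Works", "amount": 25_000.00,  "approver": "dlee"},    # right level, wrong department
    {"po": "PO-204", "dept": "Finance",      "amount": 120_000.00, "approver": "dlee"},    # level 3 signing a level-4 amount
    {"po": "PO-205", "dept": "Finance",      "amount": 500.00,     "approver": ""},        # no approval recorded
    {"po": "PO-206", "dept": "Finance",      "amount": 60_000.00,  "approver": "zzz"},     # approver not in the DOA tree
]

def required_level(amount):
    """Map a purchase amount onto the DOA level the schedule requires."""
    for low, high, level in THRESHOLDS:
        if low <= amount < high:
            return level
    raise ValueError(f"amount {amount} outside approval schedule")

def stratify(purchases):
    """Group PO numbers by required approval level (the stratification step on the slide)."""
    strata = defaultdict(list)
    for p in purchases:
        strata[required_level(p["amount"])].append(p["po"])
    return dict(strata)

def missing_authorization(purchases, doa):
    """Return (po, reason) for every purchase whose recorded approver is absent, unknown,
    authorised for a different department, or below the level the amount requires."""
    exceptions = []
    for p in purchases:
        need = required_level(p["amount"])
        entry = doa.get(p["approver"])
        if not p["approver"]:
            exceptions.append((p["po"], "no approval recorded"))
        elif entry is None:
            exceptions.append((p["po"], f"approver {p['approver']!r} not in DOA tree"))
        elif entry[0] != p["dept"]:
            exceptions.append((p["po"], f"approver authorised for {entry[0]}, not {p['dept']}"))
        elif entry[1] < need:
            exceptions.append((p["po"], f"approver level {entry[1]} < required {need}"))
    return exceptions

def just_under_threshold(purchases, pct=0.02):
    """Purchases priced within pct below an approval boundary: a companion red flag for
    splitting or pricing to stay under a signer's limit. Not on the slide; added here."""
    return [p["po"] for p in purchases
            if any(low * (1 - pct) <= p["amount"] < low for low, _, _ in THRESHOLDS[1:])]

if __name__ == "__main__":
    print("strata by required level:", stratify(PURCHASES))
    for po, reason in missing_authorization(PURCHASES, DOA):
        print(f"{po}: {reason}")
    print("just under a threshold:", just_under_threshold(PURCHASES))
```

The exception list is the input to the PO documentation review described on the next slide; the reason string tells the reviewer which question to ask first (was approval simply not recorded, or did someone sign above their authority?).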
64
Summary
  • Fraud happens throughout our organizations
    regardless of industry, size and culture
  • The greater the perpetrator's skill and education,
    the greater the losses
  • Management must be proactively engaged in fraud
    preventive and detective controls
  • Ethics programs are a key component of effective
    internal controls
  • If the workforce and vendors know they are being
    monitored, the occurrence of fraud is generally
    lower

65
Questions? Comments?
Progress Through Sharing
66

  • Yvonne M. Clayborne, CPA
  • Director
  • RSM McGladrey Inc.
  • 7351 Office Park Place
  • Melbourne, FL 32940
  • Tel (321) 751-6200
  • Fax (321) 751-1385
  • E-mail yvonne.clayborne_at_rsmi.com
  • Jeff Roth, CISA
  • Director
  • RSM McGladrey Inc.
  • 7351 Office Park Place
  • Melbourne, FL 32940
  • Tel (321) 751-6200
  • Fax (321) 751-1385
  • E-mail jeff.roth_at_rsmi.com