Title: Audit Red Flags
Audit Red Flags: Public-Sector Fraud
- Yvonne M. Clayborne, CPA
- Jeff Roth, CISA
The Fraud Triangle
- Opportunity: inadequate or no supervision and review, segregation of duties, management approval, or system controls
- Pressure: unrealistic deadlines, unrealistic performance goals, personal vices
- Rationalization (a.k.a. integrity): reconciling behavior with commonly accepted notions of decency and trust
The Nature of the Industry
- Fraud can be explained by three factors:
- A supply of motivated offenders
- The availability of suitable targets
- The absence of capable guardians or a control system to mind the store
- The opportunity to commit and conceal fraud is the only element over which the local government has significant control.
- What are some of the warning signs?
- What can we do about it?
Source: Red Flags for Fraud by Mark P. Pattison, Deputy Comptroller, State of New York
No free lunch...
- Business fraud and abuse in the U.S. cost about $650 billion a year.
- Government agencies lose an average of $45,000 per fraud scheme.
- The average organization loses 5% of revenue, or $8 a day per employee.
- Street crime costs the U.S. only $4 billion annually.
ACFE Report to the Nation on Occupational Fraud and Abuse
Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud and Abuse
Famous last words
- "It won't happen here. We're careful who we hire."
- "But he's in charge. He had no motive."
- "NO WAY it was Mike. He's over 60 now."
- "Sandra wouldn't have done that. She's a mom."
- "It would never happen in our department."
What's the cost?
- Economic costs
- Tangible and measurable
- Insurable in some cases
- Provide a basis for prosecution and/or litigation
- Political costs
- Loss of integrity
- Diminished public confidence
- Can't be measured, difficult to recover
What are the Warning Signs?
- A red flag is a set of circumstances that are unusual in nature or vary from the normal activity. It is a signal that something is out of the ordinary and may need to be investigated further. Red flags do not indicate guilt or innocence but merely provide possible warning signs of fraud.
- Being able to recognize red flags is necessary not only for public accountants but also for anyone working in the public sector where the potential for fraud to occur exists.
Source: Red Flags for Fraud by Mark P. Pattison, Deputy Comptroller, State of New York
Just keep in mind
- Do not ignore a red flag: studies of fraud cases consistently show that red flags were present, but were either not recognized or were recognized but not acted upon by anyone.
- Sometimes an error is just an error: red flags should lead to some kind of appropriate action, i.e. an investigation by a measured, responsible person, but sometimes an error is just an error and no fraud exists.
Source: Red Flags for Fraud by Mark P. Pattison, Deputy Comptroller, State of New York
Employee Red Flags
Management Red Flags
Red flags in cash or accounts receivable
Red flags in payroll
Red flags in purchasing or inventory
Source: Red Flags for Fraud by Mark P. Pattison, Deputy Comptroller, State of New York
Profile of a fraud perpetrator
- Male.
- Intelligent and in management.
- Married and under some type of significant stress.
- Risk takers and not afraid to fail.
- Rule breakers.
- Long-time employees, hard working.
Source: Fraud Perpetrator Profile: A Short Story by Nick Brignola, CFE
Profile of an organization at risk
- Fewer than 100 employees.
- Management ignores irregularities.
- High turnover with low morale.
- Staff lacks training.
- The education industry has experienced the lowest median losses.
Source: Fraud Perpetrator Profile: A Short Story by Nick Brignola, CFE
The Typical Environment in which Fraud Occurs
- Trust is placed in employees
- Employees have detailed knowledge of the accounting systems and their weaknesses
- Management domination subverts normal internal controls
- Management adds pressure to make the numbers
- Expected moral behavior is not communicated to employees
- Unduly liberal accounting practices
- Ineffective or nonexistent internal auditing staff
- Lack of effective internal controls
- Poor accounting records
- Related party transactions
- Incomplete and out-of-date procedural documentation
- Management sets a bad example
Government Agencies in the News
- Construction Company Bills School $90,000 for Job it Did Not Get
- Corruption in Paradise: This is Not Hawaii Five-O
- Local Fraud: Timing is Everything
- Former Commissioner Pleads Guilty to Stealing County Gasoline for Personal Use
- Former Employee gets 10 years for Theft
- Employee called Payroll Plan "Foolproof"
- Missing Funds Could Top One Million
- DA Asked to Find Out How $260,000 was Lost at Tax Office
- Sensitive Information Left in Recycle Bin
- Councilman Embezzlement Case in Hands of FBI
- 14 Indicted in Connection with Payroll Fraud
- Ex-Illinois Gov. Ryan gets 6 1/2 years for graft
Fighting fraud with words
- In the current era of whistleblower reform, fraud controls and hotlines have become a focus in the media and in the minds of citizens. Auditors in the public sector can enhance fraud detection through employee and vendor communications campaigns specifically designed with fraud prevention as the primary goal.
Source: Fighting Fraud with Words: Whistleblower Communication, March 2006, ALGA
"Who knew who they were? There was no place for me to voice my concerns, either to the internal audit function or the audit committee. Remember, I was not in the accounting department. But even if I were, I think I would have known it would have been fruitless, because I would have had access to junior auditors who were simply not in the position to raise the flags that would have hurt their senior auditors and account executives."
- Sherron Watkins, Enron Corporation
An engaging message needs to reach the right person at the right time in order to influence that person to take action.
Hotline help...
- Fraud losses are reduced by 58% when an effective hotline is in place
- 47% of hotline calls happen overnight or on weekends
- Communications that publicize the existence of the hotline should be used as an opportunity to promote ethical behavior as well
- Components of a communication strategy:
- Message
- Reach
- Frequency
Source: Fighting Fraud with Words: Whistleblower Communication, March 2006, ALGA
Role of the Audit Committee
- A government audit committee should take an active role in the prevention, deterrence, and detection of fraud and encourage the government organization to establish an effective ethics and compliance program. The audit committee should constantly challenge management and the auditors to ensure that the organization has appropriate anti-fraud programs and controls in place to identify potential fraud. Also, the committee should take an interest in ensuring that appropriate action is taken against known perpetrators of fraud.
Source: Fraud and the Responsibilities of the Government Audit Committee, AICPA, 2005
We know it works. But what are we doing about it?
Source: Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud and Abuse
Traditional Approach
- Traditionally, fraud investigations have been reactive in nature:
- Identified from a variety of sources.
- Conducted after significant losses have been incurred.
- In response, today's management is developing strategic approaches to proactively identify material fraud within their organizations:
- Forming tactical teams of forensic accountants and investigators.
- Investing in resources to address fraud before it occurs.
Caution
- Government auditors are expected to have sufficient knowledge to identify the indicators of fraud, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
Prevention First
- Educate your employees
- Implement strong controls
- Explain consequences
- Have a clearly written policy
- Make the employees sign the policy
- Let them know you're monitoring
Speaking of monitoring...
Financial Processes: Reliance on Information Technology
- The majority of your organization's financial data is in the hands of your IT department.
- You are reliant on the confidentiality, integrity and availability of the enterprise's infrastructure.
- Is your IT department integrated into your anti-fraud internal control structure?
- Let us look at how we can leverage the internationally accepted Control Objectives for Information and related Technology (CobiT) framework to integrate anti-fraud preventive and detective controls throughout the enterprise.
CobiT Framework
Let's talk about fraud prevention
CobiT - Delivery and Support Domain
- DS-2 Manage Third-Party Services
- DS-3 Manage Performance and Capacity
- DS-5 Ensure Systems Security
- DS-9 Manage the Configuration of IT Systems
- DS-10 Manage Problems and Incidents
- DS-11 Manage Data
- IT assurance testing using the CobiT confidentiality, availability and integrity guidelines can assist in determining your organization's level of compliance (legal, civil, business).
CobiT Security Baseline and Fraud
- The CobiT Security Baseline objectives are organized into 39 essential steps:
- 1. Based on a business impact analysis (BIA) for critical business processes, identify data that must not be misused or lost, services that need to be available and transactions that must be trusted. The business must consider the security requirements for: who may access and modify data; what data retention and backup are needed; what availability is required; and what authorization and verification are needed for electronic transactions.
- 2. Define specific responsibilities for the management of security and ensure that they are assigned, communicated and properly understood. Be aware of the dangers of delegating too many security roles and responsibilities to one person. Provide the resources required to exercise responsibilities effectively.
- 3. Consistently communicate and regularly discuss the basic rules for implementing security requirements and responding to security incidents. Establish minimum dos and don'ts, and regularly remind people of security risks and their personal responsibilities.
- 4. When hiring, verify with reference checks.
- 5. Obtain the skills needed to support the enterprise security requirements through hiring or training. Verify annually whether skills are up to date.
CobiT Security Baseline and Fraud (continued)
- 6. Ensure that no key security task is critically dependent on a single resource.
- 7. Identify what, if anything, needs to be done with respect to security obligations to comply with privacy, intellectual property rights and other legal, regulatory, contractual and insurance requirements.
- 8. Discuss with key staff what can go wrong with IT security that could significantly impact the business objectives. Consider how best to secure services, data and transactions that are critical for the success of the business.
- 9. Establish staff understanding of the need for responsiveness and consider cost-effective means to manage the identified security risks through security practices and insurance coverage.
- 10. Consider how automated solutions may introduce security risks. Ensure that the solution is functional and that operational security requirements are specified and compatible with current systems. Obtain comfort regarding the trustworthiness of the solution through references, external advice, contractual arrangements, etc.
- 11. Ensure that the technology infrastructure properly supports automated security practices.
- 12. Consider what additional security requirements are needed to protect the technology infrastructure itself.
CobiT Security Baseline and Fraud (continued)
- 13. Identify and monitor sources for keeping up to date with security patches and implement those appropriate for the enterprise infrastructure.
- 14. Ensure that staff knows how to implement security in day-to-day procedures.
- 15. Test the system, or major changes, against functional and operational security requirements in a representative environment so the results are reliable. Consider testing how the security functions integrate with existing systems.
- 16. Perform final security acceptance by evaluating all test results against business goals and security requirements, involving key staff.
- 17. Evaluate all changes, including patches, to establish the impact on the integrity, exposure or loss of sensitive data, availability of critical services and validity of important transactions. Based on this impact, perform adequate tests prior to making the change.
- 18. Record and authorize all changes, including patches (possibly after the fact for emergency changes).
- 19. Ensure that management establishes security requirements and regularly reviews compliance of internal service-level agreements and contracts with third-party service providers.
CobiT Security Baseline and Fraud (continued)
- 20. Ensure that third parties provide an adequate contact with the authority to act on security requirements and concerns.
- 21. Consider the dependence on third-party suppliers for security requirements, and mitigate continuity, confidentiality and intellectual property risk.
- 22. Identify critical business functions and information, and those resources (e.g., applications, third-party services, supplies and data files) that are critical to support them. Provide for the availability of these resources in the event of a security incident to maintain continuous service. Ensure that significant incidents are identified and resolved in a timely manner.
- 23. Establish basic principles for safeguarding and reconstructing IT services, including alternative processing procedures, how to obtain supplies and services in an emergency, how to return to normal processing after the security incident and how to communicate with customers and suppliers.
- 24. Together with key employees, define what needs to be backed up and stored off-site to support recovery of the business (e.g., critical data files, documentation and other IT resources), and secure it appropriately. At regular intervals, ensure that the backup resources are usable and complete.
CobiT Security Baseline and Fraud (continued)
- 25. Implement rules to control access to services based on the individual's need to view, add, change or delete information and transactions. Especially consider access rights of service providers, suppliers and customers.
- 26. Ensure that responsibility is allocated to manage all user accounts and security tokens to control devices, tokens and media with financial value. Periodically review the actions and authority of those who manage user accounts. Ensure that these responsibilities are not assigned to the same person.
- 27. Detect and log important security violations. Ensure that they are reported immediately and acted upon in a timely manner.
- 28. To ensure that counterparties can be trusted and transactions are authentic when using electronic transaction systems, ensure that the security instructions are adequate and compliant with contractual obligations.
- 29. Enforce the use of virus-protection software throughout the enterprise's infrastructure and maintain up-to-date virus definitions. Use only legal software.
- 30. Define policy for what information can come into and go out of the organization, and configure the network security systems (e.g., firewall) accordingly. Consider how to protect physically transportable storage devices. Monitor exceptions and follow up on significant incidents.
CobiT Security Baseline and Fraud (continued)
- 31. Ensure that there is a regularly updated and complete inventory of the IT hardware and software configuration.
- 32. Regularly review whether all installed software is authorized and properly licensed.
- 33. Subject data to a variety of controls to check integrity (accuracy, completeness and validity) during input, processing, storage and distribution. Control transactions to ensure that they cannot be repudiated.
- 34. Distribute sensitive output only to authorized people.
- 35. Define retention periods, archival requirements and storage terms for input and output documents, data and software. Ensure that they comply with user and legal requirements. While in storage, check continuing integrity and ensure that data cannot be retrieved.
- 36. Physically secure the IT facilities and assets, especially those most at risk to a security threat, and if applicable, obtain expert advice.
CobiT Security Baseline and Fraud (continued)
- 37. Protect computer networking and storage equipment (particularly mobile equipment) from damage, theft, accidental loss and interception.
- 38. Have key staff periodically: assess the adequacy of security controls against defined requirements and vulnerabilities; reassess what security exceptions need to be monitored on an ongoing basis; evaluate how well the security mechanisms are operating, checking for weaknesses through intrusion detection, penetration and stress testing, and testing contingency plans; ensure that exceptions are acted upon; and monitor compliance with key controls.
- 39. Obtain, where needed, competent external resources to review the information security control mechanisms. Assess compliance with laws, regulations and contractual obligations relative to information security. Leverage their knowledge and experience for internal use.
Test Case 1: Vendor Master Table
- Vendor master table integrity testing can include detection of the following:
- Duplicate vendors
- Employee or related parties listed as vendors
- Exception reporting for approved or convicted/debarred vendors per Section 287.133, Florida Statutes
Test Case 1a: Duplicate Vendor Numbers
Easy identification of duplicate vendor numbers.
Test Case 1b: Duplicate Vendor Addresses
Easy identification of duplicate vendor addresses.
Test Case 1c: Employee or related parties listed as vendors
Easy identification by matching employee and vendor addresses.
Test Case 1c: Employee or related parties listed as vendors
Easy identification by matching employee SSN to vendor FEI number.
Test Case 1d: Employee or related parties listed as vendors
Easy identification by matching employee beneficiary and vendor phone numbers.
Test Case 1e: Using debarred vendors
Easy identification of debarred vendors with active status.
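The vendor master tests in cases 1a through 1e reduce to a handful of joins, which is why they run cheaply against a full extract. The Python below is an added example, not the presenters' ACL scripts: it loads constructed vendor, employee and debarred-vendor records into an in-memory SQLite database (every name, address, tax ID, phone number and the debarred list are invented for the illustration), normalizes the fields that vary in formatting, and runs the duplicate, employee-match and debarred-but-active queries. The abbreviation list and the choice of match keys are assumptions about how a real master file is formatted; the debarred list in practice comes from the state's published list, not a table you type in.

```python
"""Vendor master integrity tests (test cases 1a-1e) over constructed sample data."""
import re
import sqlite3

# Constructed sample data: every record below is invented for this example.
VENDORS = [  # (vendor_id, name, address, tax_id, phone, status)
    ("V001", "Acme Paving Inc",   "100 Main St, Melbourne, FL 32940",   "59-1234567",  "321-555-0101", "ACTIVE"),
    ("V002", "ACME PAVING, INC.", "100 MAIN STREET MELBOURNE FL 32940", "59-1234567",  "321-555-0101", "ACTIVE"),
    ("V003", "Sunshine Supply",   "22 Ocean Ave, Cocoa, FL 32922",      "59-7654321",  "321-555-0177", "ACTIVE"),
    ("V004", "J. Doe Consulting", "7 Palm Ct, Melbourne, FL 32940",     "123-45-6789", "321-555-0144", "ACTIVE"),
    ("V005", "Coastal Builders",  "9 Bay Rd, Titusville, FL 32780",     "59-1111111",  "321-555-0199", "ACTIVE"),
    ("V006", "Quick Print",       "5 Elm St, Melbourne, FL 32940",      "59-2222222",  "321-555-0155", "INACTIVE"),
]
EMPLOYEES = [  # (employee_id, name, ssn, home_address, phone)
    ("E100", "Jane Doe",  "123-45-6789", "7 Palm Court, Melbourne, FL 32940", "321-555-0144"),
    ("E101", "Bob Smith", "987-65-4321", "3 Pine St, Melbourne, FL 32940",    "321-555-0133"),
]
# Constructed stand-in for the convicted/debarred vendor list published by the state.
DEBARRED = [("Coastal Builders",), ("Quick Print",)]

# Assumed abbreviation pairs; extend for the conventions in your own master file.
ABBREVIATIONS = (("street", "st"), ("avenue", "ave"), ("court", "ct"), ("road", "rd"), ("incorporated", "inc"))


def normalize(text):
    """Lower-case, drop punctuation and collapse abbreviations so near-duplicates compare equal."""
    text = re.sub(r"[^a-z0-9 ]", " ", text.lower())
    for long_form, short_form in ABBREVIATIONS:
        text = re.sub(rf"\b{long_form}\b", short_form, text)
    return " ".join(text.split())


def digits(text):
    """Keep only digits so an SSN and an FEI field (or differently punctuated phones) compare equal."""
    return re.sub(r"\D", "", text)


def build_db():
    """Load the constructed tables into an in-memory SQLite database with the two helper functions."""
    db = sqlite3.connect(":memory:")
    db.create_function("norm", 1, normalize)
    db.create_function("digits", 1, digits)
    db.executescript("""
        CREATE TABLE vendor   (vendor_id TEXT PRIMARY KEY, name TEXT, address TEXT, tax_id TEXT, phone TEXT, status TEXT);
        CREATE TABLE employee (employee_id TEXT PRIMARY KEY, name TEXT, ssn TEXT, address TEXT, phone TEXT);
        CREATE TABLE debarred (name TEXT);
    """)
    db.executemany("INSERT INTO vendor VALUES (?,?,?,?,?,?)", VENDORS)
    db.executemany("INSERT INTO employee VALUES (?,?,?,?,?)", EMPLOYEES)
    db.executemany("INSERT INTO debarred VALUES (?)", DEBARRED)
    return db


def duplicate_vendors(db):
    """Tests 1a/1b: pairs of distinct vendor numbers that share a name, address or tax ID."""
    sql = """
        SELECT a.vendor_id, b.vendor_id,
               norm(a.name) = norm(b.name), norm(a.address) = norm(b.address), digits(a.tax_id) = digits(b.tax_id)
        FROM vendor a JOIN vendor b ON a.vendor_id < b.vendor_id
        WHERE norm(a.name) = norm(b.name) OR norm(a.address) = norm(b.address) OR digits(a.tax_id) = digits(b.tax_id)
    """
    hits = {}
    for a, b, same_name, same_addr, same_tax in db.execute(sql):
        hits[(a, b)] = [k for k, hit in (("name", same_name), ("address", same_addr), ("tax_id", same_tax)) if hit]
    return hits


def employee_vendors(db):
    """Tests 1c/1d: vendors whose FEI/SSN, address or phone matches an employee record."""
    sql = """
        SELECT v.vendor_id, e.employee_id,
               digits(v.tax_id) = digits(e.ssn), norm(v.address) = norm(e.address), digits(v.phone) = digits(e.phone)
        FROM vendor v, employee e
        WHERE digits(v.tax_id) = digits(e.ssn) OR norm(v.address) = norm(e.address) OR digits(v.phone) = digits(e.phone)
    """
    hits = {}
    for vid, eid, same_tax, same_addr, same_phone in db.execute(sql):
        hits[(vid, eid)] = [k for k, hit in (("tax_id", same_tax), ("address", same_addr), ("phone", same_phone)) if hit]
    return hits


def active_debarred(db):
    """Test 1e: vendors on the debarred list whose master record is still active."""
    sql = """
        SELECT v.vendor_id, v.name FROM vendor v JOIN debarred d ON norm(v.name) = norm(d.name)
        WHERE v.status = 'ACTIVE' ORDER BY v.vendor_id
    """
    return db.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("duplicate vendors:", duplicate_vendors(db))
    print("employee/vendor matches:", employee_vendors(db))
    print("active debarred vendors:", active_debarred(db))
```

Each function reports which keys matched, not just that a pair matched, because a vendor that shares only a phone number with an employee warrants a different follow-up than one that shares the employee's SSN as its FEI number. Run the same queries against the live extract with the real debarred list loaded into the `debarred` table.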
Test Case 2: Vendor Invoice and Payment
- Vendor invoice and payment integrity testing:
- Duplicate invoices
- Duplicate payments
- Non-standard payments
- No match to approved vendor values
- Exceed PO value
Test Case 2a: Duplicate Vendor Invoice
Easy identification of duplicate invoices with detailed drill-down.
Test Case 2b: Duplicate Vendor Payments
Test Case 2c: Payments Not Matched to the Vendor Table
In this case we can detect manual AP check print overrides and manipulation of PO tables to make payments to unapproved vendors.
Test Case 2d: Paid Invoice Exceeds PO Value
Provides identification of issues related to unauthorized payments in excess of PO values.
Test Case 3: Proper Approval of Purchase
- Most managers recognize that proper approval of purchase types and values is important; however, monitoring approvals can be time consuming and tedious at best.
- Obtain the flat file extract from TERMS and import it into ACL.
- Stratify purchases by dollar value, extract the purchases at the specified approval thresholds, and extract all those missing the required level of authorization (either by individual per department DOA trees or another authorization reference).
- We can now review the PO documentation to investigate why the proper level of approval was not received.
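Test cases 2 and 3 follow the same pattern as the vendor master tests: load the extract, then ask a few targeted questions of it. The Python below is an added example, not the presenters' ACL procedures; it stands in for the TERMS extract with constructed purchase-order, invoice, payment and approved-vendor records (all identifiers, amounts and dates are invented), and the delegation-of-authority thresholds are an assumed three-level table rather than any real department's DOA tree. It covers duplicate invoices and payments (2a/2b), payments to vendor numbers absent from the vendor table (2c), invoiced totals above the PO value (2d), and the stratify-then-extract approval test (3).

```python
"""Vendor invoice/payment and purchase-approval tests (test cases 2a-2d and 3) over constructed data."""
import sqlite3

# Constructed sample data: all identifiers, amounts and dates are invented for this example.
APPROVED_VENDORS = [("V001",), ("V003",)]  # vendor numbers present in the vendor master
PURCHASE_ORDERS = [  # (po_id, vendor_id, amount, approver_level)
    ("PO-1", "V001",  4800.00, 1),
    ("PO-2", "V003", 18000.00, 2),
    ("PO-3", "V001", 42000.00, 2),   # director-level amount signed off only at manager level
    ("PO-4", "V003",  9500.00, 3),
]
INVOICES = [  # (invoice_no, vendor_id, po_id, amount, invoice_date)
    ("INV-100", "V001", "PO-1",  4800.00, "2006-03-01"),
    ("INV-100", "V001", "PO-1",  4800.00, "2006-03-15"),  # same invoice number keyed twice
    ("INV-200", "V003", "PO-2", 19250.00, "2006-03-10"),  # more than PO-2 authorizes
    ("INV-300", "V001", "PO-3", 40000.00, "2006-03-20"),
    ("INV-400", "V003", "PO-4",  9500.00, "2006-03-22"),
]
PAYMENTS = [  # (check_no, vendor_id, invoice_no, amount, pay_date)
    ("CK-1", "V001", "INV-100",  4800.00, "2006-03-20"),
    ("CK-2", "V001", "INV-100",  4800.00, "2006-04-02"),  # the duplicate invoice was paid as well
    ("CK-3", "V003", "INV-200", 19250.00, "2006-03-25"),
    ("CK-4", "V999", "INV-999",  2300.00, "2006-03-28"),  # vendor number not in the master table
    ("CK-5", "V001", "INV-300", 40000.00, "2006-04-10"),
]
# Assumed delegation-of-authority (DOA) thresholds: (amount floor, approval level required), ascending.
DOA = [(0.0, 1), (5000.0, 2), (25000.0, 3)]


def required_level(amount):
    """Approval level the assumed DOA table requires for a purchase of this amount."""
    level = 1
    for floor, lvl in DOA:
        if amount >= floor:
            level = lvl
    return level


def build_db():
    """Load the constructed extract into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.create_function("required_level", 1, required_level)
    db.executescript("""
        CREATE TABLE vendor         (vendor_id TEXT PRIMARY KEY);
        CREATE TABLE purchase_order (po_id TEXT PRIMARY KEY, vendor_id TEXT, amount REAL, approver_level INTEGER);
        CREATE TABLE invoice        (invoice_no TEXT, vendor_id TEXT, po_id TEXT, amount REAL, invoice_date TEXT);
        CREATE TABLE payment        (check_no TEXT PRIMARY KEY, vendor_id TEXT, invoice_no TEXT, amount REAL, pay_date TEXT);
    """)
    db.executemany("INSERT INTO vendor VALUES (?)", APPROVED_VENDORS)
    db.executemany("INSERT INTO purchase_order VALUES (?,?,?,?)", PURCHASE_ORDERS)
    db.executemany("INSERT INTO invoice VALUES (?,?,?,?,?)", INVOICES)
    db.executemany("INSERT INTO payment VALUES (?,?,?,?,?)", PAYMENTS)
    return db


def find_duplicates(db, table, key_cols):
    """Tests 2a/2b: key combinations occurring more than once. table/key_cols are code constants, never user input."""
    cols = ", ".join(key_cols)
    return db.execute(f"SELECT {cols}, COUNT(*) FROM {table} GROUP BY {cols} HAVING COUNT(*) > 1").fetchall()


def unmatched_payments(db):
    """Test 2c: checks cut to a vendor number that does not exist in the vendor master."""
    return db.execute("""
        SELECT p.check_no, p.vendor_id FROM payment p
        LEFT JOIN vendor v ON v.vendor_id = p.vendor_id
        WHERE v.vendor_id IS NULL ORDER BY p.check_no
    """).fetchall()


def invoices_over_po(db):
    """Test 2d: POs whose invoiced total exceeds the PO value; cumulative, so split or duplicate invoices count."""
    return db.execute("""
        SELECT po.po_id, SUM(i.amount), po.amount FROM purchase_order po JOIN invoice i ON i.po_id = po.po_id
        GROUP BY po.po_id HAVING SUM(i.amount) > po.amount ORDER BY po.po_id
    """).fetchall()


def stratify(db):
    """Test 3, step 1: number of purchases falling in each DOA stratum."""
    return dict(db.execute("SELECT required_level(amount), COUNT(*) FROM purchase_order GROUP BY 1 ORDER BY 1"))


def under_approved(db):
    """Test 3, step 2: purchases approved below the level their amount requires."""
    return db.execute("""
        SELECT po_id, amount, approver_level, required_level(amount) FROM purchase_order
        WHERE approver_level < required_level(amount) ORDER BY po_id
    """).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("duplicate invoices:", find_duplicates(db, "invoice", ("vendor_id", "invoice_no")))
    print("duplicate payments:", find_duplicates(db, "payment", ("vendor_id", "invoice_no", "amount")))
    print("payments to unknown vendors:", unmatched_payments(db))
    print("invoiced above PO:", invoices_over_po(db))
    print("purchases per approval stratum:", stratify(db))
    print("under-approved purchases:", under_approved(db))
```

Two design points matter in practice. The PO-value test sums all invoices against the PO rather than comparing each invoice on its own, so a PO that is drained by a duplicated or split invoice is flagged even though no single invoice exceeds the PO. The duplicate test takes its key columns as a parameter so the same query serves invoices (vendor and invoice number) and payments (vendor, invoice number and amount); when a real extract is used, add a fuzzy variant keyed on vendor, amount and a date window to catch re-keyed invoices with altered numbers.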
Summary
- Fraud happens throughout our organizations regardless of industry, size and culture
- The greater the perpetrator's skill and education, the greater the losses
- Management must be proactively engaged in fraud preventive and detective controls
- Ethics programs are a key component of an effective internal control structure
- If the workforce and vendors know they are being monitored, the occurrence of fraud is generally lower
Questions? Comments?
Progress Through Sharing
- Yvonne M. Clayborne, CPA
- Director
- RSM McGladrey Inc.
- 7351 Office Park Place
- Melbourne, FL 32940
- Tel (321) 751-6200
- Fax (321) 751-1385
- E-mail yvonne.clayborne_at_rsmi.com
- Jeff Roth, CISA
- Director
- RSM McGladrey Inc.
- 7351 Office Park Place
- Melbourne, FL 32940
- Tel (321) 751-6200
- Fax (321) 751-1385
- E-mail jeff.roth_at_rsmi.com