Tampa Bay Chapter of the American Society of Military Comptrollers Improving Internal Controls and Reducing the Risk of Fraud Sam M. McCall, PhD, CPA, CGMA, CGFM, CIA, CGAP, Chief Audit Officer, Florida State University April 4, 2014
Session Outline • Public Expectations for Public Officials/Employees • Internal Control and Risk • The Elements of Internal Control • Weaknesses in Internal Control that can Result in Fraud, Waste and Abuse • The Necessary Elements for every Purchase • Case Studies • Reviewing Internal Control and Identifying Fraud, Waste, and Abuse • Reporting Fraud • Summary and Questions
Public Expectations for Public Officials/Employees • High ethical and moral behaviors • Public employees will conduct business within policy and procedures • Public resources will not be wasted, lost, or stolen • Management should conduct operations • Economically – at the least cost • Efficiently - with the least use of effort or resources • Effectively – accomplishing desired program goals and objectives • Ethically – perform fairly, faithfully, and with due regard for all rights of program participants • Equitably – no partiality shown in the delivery of services
Terms of Importance • Misfeasance • Malfeasance • Nonfeasance • Abuse • Fraud • Internal controls
What Is Misfeasance? • A misdeed or trespass • The improper or wrongful performance of some act that a person may lawfully do
What Is Malfeasance? • Ill conduct, evil doing • The commission of an act that is unlawful • Comprehensive term including any wrongful conduct that interferes with the performance of official duties • The doing of an act that a person should not do at all
What is Nonfeasance? • Nonperformance of an act that a person is obligated or has a responsibility to perform • Not doing what you should do • Total neglect of duty
What Is Abuse? • Improper or inappropriate program management • Misuse of authority or position • Everything that is contrary to good order • Can be intentional or unintentional • Does not have to violate a law, regulation, or contract provision • Performing an act that falls short of societal expectations **What are some examples of “Abuse?”
What Is Fraud? • A false representation of a matter of fact • Concealing that which should be disclosed – deceiving to cause legal injury • Intentional perversion of the truth • To deceive another such that they rely on a false representation and surrender a valuable thing or a legal right
What is the Cost of Fraud? Direct Cost Associated with Fraud: • Loss of cash, supplies, or equipment • Fines and Penalties Indirect Costs Associated with Fraud: • Bad publicity • Loss of public trust • Injury to organization reputation • Increased legislation • Loss of future grants, gifts, and donations • Decreased enrollment and tuition revenue
Florida Law Public employees committing specified offenses or aiding another person in committing specified offenses shall forfeit benefits accrued in their retirement system. “Specified offense” means: (partial listing – please see the law) • Committing, aiding, or abetting of an embezzlement of public funds; • Committing, aiding, or abetting of any theft by a public officer or employee from his or her employer; • Committing of any felony by a public officer or employee who willfully and with intent defrauds the public or the public agency for which the public officer or employee acts or in which he or she is employed
Section 112.3173(3) Florida Statutes “FORFEITURE.—Any public officer or employee who is convicted of a specified offense committed prior to retirement, or whose office or employment is terminated by reason of his or her admitted commission, aid, or abetment of a specified offense, shall forfeit all rights and benefits under any public retirement system of which he or she is a member, except for the return of his or her accumulated contributions as of the date of termination.”
What is Internal Control? The policies and procedures and plan of organization established by management to promote the accomplishment of organization goals and objectives.
General Objectives of Internal Controls • Reliability of financial information • Compliance with laws and regulations • Efficiency and effectiveness of operations • Safeguarding of resources against loss due to waste, abuse, mismanagement, errors, and fraud
Components of Internal Control • Control Environment • Risk Assessment • Control Activities • Information & Communication • Monitoring
COSO Illustration of Internal Control (The Committee of Sponsoring Organizations)
Who is Responsible for Establishing the Internal Control System? Management!!
Who is Responsible for Monitoring the Internal Control System? Management!!
First Component of Internal Control – Control Environment • The building block for all other components: • Integrity & ethical values • Commitment to competence • Independent audit committee • Management philosophy & operating style • Organizational structure • Assignment of authority & responsibility • Human resource policy & practices • “The Tone at the Top”
Second Component of Internal Control – Risk Assessment • Risks are essentially the opposite of control objectives • If the objective is to safeguard assets, the risk is that assets will be lost or stolen • Therefore, without knowing the risk, one cannot decide on the appropriate control activities • As a manager you should continually assess operations to identify risk and potential areas for fraud and abuse
Risk – Questions to Consider • Chance of Occurrence - How likely is it to go wrong? (High, Medium, Low) • Impact of Occurrence - What will happen if it goes wrong (assets lost, students not served, noncompliance with law, damage to the reputation of the organization, etc.?) (High, Medium, Low) • Assessment of Risk (High, Medium, Low) – What is your “risk appetite?” How much risk are you willing to accept? * The cost of control should not outweigh the benefit to be received from the control
Risk Assessment • Segmenting departments into organizational components • Analyze general control environment • Analyze inherent risk • Develop appropriate control activities
Risk Assessment Criteria (weight) • Program Fiscal Impact – 20 • Strength of Management – 20 • Sensitivity and Public Relations – 15 • Risk of Loss, Noncompliance, Corruption, or Fraud – 10 • Complexity of Activity – 20 • Risk to Public Welfare – 15 • Total – 100
Types of Internal Controls to Reduce Risk • Preventive • Detective • Corrective
Examples of Preventive Controls • Segregation of duties • Proper authorization to prevent improper use of organizational resources • Standardized forms • Physical control over assets • Computer passwords • Locks / security cameras • Computerized techniques such as transaction limits • System edits
Examples of Detective Controls • Bank reconciliations by someone that does not maintain the checkbook • Physical counts of cash and comparison to recorded accountability • Physical counts of inventories/other physical assets and comparison with recorded accountability • Independent confirmation of amounts paid or owed to vendors (A/P) or amounts received or due from vendors (A/R)
Examples of Corrective Controls • Revise policies and procedures • Look for similar conditions elsewhere in the organization • Counsel or discipline the employee as appropriate • Provide training and education programs • More closely monitor the issue going forward • Make the organization aware of the issue and consequences
Third Component of Internal Control – Control Activities • Link to objectives • Accountability for resources • Direct activity management • Top level reviews • Segregation of duties • Physical controls • Execution & recording of transactions & events
Considerations for Segregation of Duties • No one person should control all phases of a transaction • No one person should have physical access to assets and also maintain summary accounting records relating to those assets • Where adequate controls are not possible due to staffing or resources, there should be compensating controls to mitigate risk. For example, the manager (director) should periodically review records
Fourth Component of Internal Control – Information and Communication • Information – What types of reports are prepared and how should they be used? • Communication – who receives the reports prepared and do they know how to use the reports?
Fifth Component of Internal Control - Monitoring • Ongoing monitoring • Separate evaluations • Reporting deficiencies * Monitoring is a management responsibility
Fraud Facts • Estimated $3.5 trillion annually in global losses due to fraud (5% of Gross World Product) • The median loss caused by occupational fraud was $140,000 • Frauds lasted a median of 18 months before being detected • Perpetrators with higher levels of authority tend to cause much larger losses • The longer a perpetrator has worked for an organization, the higher fraud losses tend to be • Most occupational fraudsters are first-time offenders with clean employment histories • The presence of anti-fraud controls is notably correlated with significant decreases in the cost and duration of occupational fraud schemes
Types of Fraud 3 Primary Fraud Categories: • Asset Misappropriation Schemes – an employee steals or misuses organization resources (e.g., theft of cash, false billing schemes or inflated expense reports) • Corruption Schemes – an employee misuses their influence in a business transaction in a way that violates their duty to the organization in order to gain a direct or indirect benefit (e.g., schemes involving bribery or conflicts of interest) • Financial Statement Schemes – an employee intentionally causes a misstatement or omission of material information in the financial reports (e.g., recording fictitious revenues, understating reported expenses or artificially inflating reported assets)
Types of Fraud Asset Misappropriations Schemes Involving Theft of Cash Receipts: • Skimming – Employee steals cash from the organization before it is recorded on the organization's books and records. • Employee accepts payment from a customer but does not record the receipt and instead pockets the money • Cash Larceny – Employee steals cash from the organization after it has been recorded on the organization’s books and records. • Employee steals cash and checks from daily receipts before they can be deposited in the bank
Types of Fraud Asset Misappropriations Schemes Involving Fraudulent Disbursement of Cash: • Billing – Employee causes the organization to issue a payment by submitting invoices for fictitious goods or services, inflated invoices, or invoices for personal purchases. • Employee creates a shell company and bills organization for services not actually rendered • Employee purchases personal items and submits an invoice for payment • Expense Reimbursements – Employee makes a claim for reimbursement of fictitious or inflated business expenses. • Employee files fraudulent expense report, claiming personal travel and nonexistent meals
Types of Fraud Asset Misappropriations Schemes Involving Fraudulent Disbursement of Cash: • Check Tampering – Employee steals organization funds by intercepting, forging or altering a check drawn on one of the organization’s bank accounts. • Employee steals organization check payable to a vendor and deposits it in their own bank account • Payroll – Employee causes the organization to issue a payment by making false claims for compensation. • Employee claims overtime for hours not worked • Employee adds ghost employees to the payroll
Types of Fraud Asset Misappropriations Schemes Involving Fraudulent Disbursement of Cash: • Cash Register Disbursements – Employee makes false entries on a cash register to conceal the fraudulent removal of cash. • Employee fraudulently voids a sale on their cash register and steals the cash
Types of Fraud Asset Misappropriations Other Asset Misappropriation Schemes: • Misappropriation of Cash on Hand – Employee misappropriates cash kept on hand at the department’s premises. • Employee steals cash from the department’s safe • Non-Cash Misappropriations – Employee steals or misuses non-cash assets of the organization. • Employee steals inventory from a storeroom • Employee steals or misuses confidential customer financial information • Employee takes home office equipment for personal use
Types of Fraud Corruption • Conflict of Interest – Employee with an undisclosed financial or personal interest in a transaction that adversely affects the organization • Principal Investigator subcontracts with a company that is 50% owned by her husband • Employee awards a scholarship to his or her nephew • Bribery – Someone offers, gives, receives, or solicits something of value to influence an official act or business decision. • Employee processes inflated invoices from a vendor and in return receives 10% of the invoice price as a kickback • Employee accepts payment from a vendor in return for providing confidential information about competitor’s bids on a project
Types of Fraud Corruption • Illegal Gratuities – Someone offers, gives, receives, or solicits something of value for performing an official act or making a business decision. • Employee negotiates a contract with a vendor, and the vendor gives the employee an expensive gift in appreciation. • Extortion – Coercion of someone else to enter into a transaction or deliver property based on the wrongful use of actual or threatened force, fear, or economic duress. • Employee refuses to purchase goods or services from a vendor unless the vendor hires one of the employee’s relatives
Types of Fraud Falsifying Financial Statements • Concealed Liabilities – Improperly recording liabilities and/or expenses. • Fictitious Revenues – Recording sales or services that never occurred or inflating actual sales. • Improper Asset Valuations – Intentionally misstating the value of assets. • Improper Disclosures – Not disclosing important information in financial statements in order to mislead others. • Timing Differences – Intentionally misstating financial statements by recording revenues in a different accounting period than the corresponding expenses.
Elements of Fraud Fraud Triangle: • Perceived Opportunity • Pressure/Incentive • Rationalization With increasing pressure and decreased internal controls, people will explore more opportunities to create fraud.
Fraud Triangle • Pressure such as a financial need is the “motive” for committing the fraud. Pressure includes living beyond one’s means or family and relationship situations. • Rationalization – The person committing the fraud frequently rationalizes the fraud. Rationalizations may include, “I’ll pay the money back”, “They will never miss the funds”, or, “I will just do this just one time” or “They don’t pay me enough.” • Opportunity – The person committing the fraud sees an internal control weakness and, believing no one will notice if funds are taken, begins the fraud with a small amount of money. If no one notices, the amount will usually grow larger. In any organization, the risk of fraud can be reduced. * Of the above three, the one that management can most control is “_________”
Elements of Fraud Pressure / Incentives: • Greed • Financial crisis • Gambling, alcohol, drugs • Living beyond means • Extramarital affair • Mid-life crisis • Family problems • Revenge • Envy
Elements of Fraud Rationalization: • It is so easy • They don’t pay me enough • My child is sick • My boss does not follow the rules, so why should I • I’ll pay it back later • It won’t be missed • I work extra hours each week that I do not get paid for
Elements of Fraud Opportunities: • Poor, weak or lack of internal controls • Lack of monitoring the controls • High management turnover
Who Commits Fraud? • Married • Between 18 and 36 • Has 2 children • Owns a home • Does not have a drug or alcohol problem • Does not recognize harm to victims • Bright • Strong sense of challenge and game playing • Versed in technology and skillful • Has a position of trust
Reporting Fraud – Employees Do It Best (Source: Journal of Accountancy) • Tip from employee • Accidental discovery • Internal Audit • Internal controls • External audit • Tip from customer • Anonymous tip • Tip from Vendor • Notification from law enforcement
Prevention and Detection Cash Larceny Scheme Red Flags: • Cash counts and register records do not reconcile • Personal Checks or IOU’s are in the cash register drawer • Refunds or voids without supporting documentation or authorization • Lack of separation of duties in the custody, authorization, and recording of cash