Fraud and Segregation of Duties - PowerPoint PPT Presentation

Loading...

PPT – Fraud and Segregation of Duties PowerPoint presentation | free to download - id: 46eb52-MjdiN



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Fraud and Segregation of Duties

Description:

Presented by C. Michelle Blackstock, CPA/CITP Partner, Grau & Associates * * * * * * * * * * * * * * * * * * * * * * * Simple IT Diagram Backup Server General Ledger ... – PowerPoint PPT presentation

Number of Views:186
Avg rating:3.0/5.0
Slides: 84
Provided by: C435
Learn more at: http://www.fgfoa.org
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Fraud and Segregation of Duties


1
Fraud and Segregation of Duties
Presented by C. Michelle Blackstock,
CPA/CITP Partner, Grau Associates
2
What is the BIG deal?
3
FRAUD
  • Websters definition is The intentional
    perversion of truth in order to induce another to
    part with something of value or to surrender a
    legal right.

4
Audit Perspective of Fraud
  • Intentional act that leads to the material
    misstatement in the financial statements that are
    the subject of an audit.
  • Auditor is responsible for obtaining reasonable
    assurance the financial statements, taken as a
    whole, are free of material misstatements
    either from fraud or error.

5
Auditor Responsibilities
  • The auditor is responsible for assessing the
    risks (including fraud) that could result in the
    financial statements being materially misstated
    and to respond to those risks.
  • Conduct fraud related inquiries of management and
    others within the organization

6
Auditor Responsibilities (Continued)
  • Auditors cannot detect all instances of fraud
    or provide absolute assurance that the financial
    statements are free of material misstatements
    caused by fraud. This is mostly due to the fact
    that fraud can involve collusion, false documents
    and misrepresentations.

7
Two Fraud Types
  • Misappropriation of assets
  • Financial reporting

8
Misappropriation of Assets
  • Wikipedia definition is Intentional use
    of property or funds of another person for ones
    own use or other unauthorized purpose.

9
Types of Misappropriations
  • Embezzlement
  • Asset theft
  • Register schemes refunds
  • Payroll and expense reimbursement
  • Billing and vendor

10
Fraudulent Financial Reporting
  • Intentional misstatement or omissions in
    financial reporting with the intent to deceive
    the user of the financial statements.

11
The Fraud Triangle
  • Attitude/Rationalization
  • Pressure Opportunity

12
Attitude/Rationalization
  • Environment that includes a lack of importance
    regarding controls that leads to the ability to
    accept or rationalize the committing of fraud.
  • Is there a whistleblower policy that allows for
    employees to anonymously report abuse and fraud?

13
Incentive/Pressure
  • Environment that gives management/employees a
    reason to commit fraud.
  • Are there rewards based on reaching financial
    goals, is the municipality trying to maintain a
    specific credit rating, is there pressure to
    expend grant funds in order to keep the grant
    funding?

14
Opportunity
  • Do you give your employees the opportunity to
    steal you blind? Lets take a look at what forms
    these opportunities might take.
  • Custody of assets
  • Authorization or approval of related transactions
  • Recording or reporting of related transactions

15
Statistics
  • Association of Certified Fraud Examiners 2010
    Report to the Nations on Occupational Fraud
  • 5 of annual revenue lost to fraud which could be
    2.9 trillion on a global basis
  • Median loss is 160,000
  • Small organizations are disproportionately
    victimized due to lack of anti-fraud controls

16
Detection Top Five
  • Association of Certified Fraud Examiners 2010
    Report to the Nations on Occupational Fraud
  • Tip from insider or outsider
  • Management review
  • Internal audit
  • By accident
  • Account reconciliation

17
Behavior Warning Signs
  • Association of Certified Fraud Examiners 2010
    Report to the Nations on Occupational Fraud
  • Living beyond means
  • Financial difficulties
  • Control issues
  • Unusually close relationship with
    vendors/customers
  • Wheeler-dealer attitude

18
Prevention
  • Understand fraud risks and make an honest
    assessment for your industry and organization.
  • Brainstorm on significant fraud risk areas and
    how fraud can be perpetrated including
    segregation of duties conflicts.
  • Develop plan of controls on how to address each
    risk.
  • Monitor the controls to make sure that they are
    working as intended and make necessary changes on
    a continuing basis.

19
Segregation of Duties
  • Basic premise is that we do not give any one
    employee or group of employees the ability to
    perpetrate and conceal an error or fraud in the
    normal course of performing their duties.

20
Cash Collections
  • Take the time to identify those areas within
    the organization that deal specifically in
    handling cash and consider the following
  • How much of the total revenue does this area
    generate?
  • How many people are involved?

21
Cash Collections (Continued)
  • If this is a significant area with few
    employees, then need to consider, at a minimum,
    that the person who collects and deposits the
    cash (including opening mail) is a different
    person than the one who records the cash.
    Oversight from a manager/board or council/audit
    committee should include approval of write off,
    review of the receivable aging and adjustments,
    follow up on discrepancies.

22

Cash Collections (Continued)
  • Consider who has direct access to cash, the
    controls that are in place to minimize the
    ability of those employees to steal/take the
    cash, continually monitor this area and test that
    the controls in place are working.

23
Segregation of Duties
  • Process by which charge is paid to a department
    different from where the transaction occurs or
    through an automated process.
  • The person who collects the cash should not
    deposit the cash.
  • Independent bank reconciliation.
  • Person who directly handles cash collection
    should not record the transactions or have cash
    disbursement responsibilities.

24
Revenues
  • Take the time to identify those areas within
    the organization that deal specifically in
    revenue generation and consider the following
  • Process for determining the fees and rates
    charged how can this be overridden and who
    reviews for accuracy.
  • Process for setting up the customer and
    refunds/credit memos.
  • Who fields customer complaints?

25
Segregation of Duties
  • Council should approve/authorize rates, fees,
    fines or assessments.
  • Person who prepares the bills should not collect
    the revenue or record the transactions.
  • Person that records the transactions should not
    approve or process write offs or adjustments,
    maintain the customer list, field customer
    complaints.
  • Independent review of accounts receivable aging.

26
Expenditures
  • Take the time to identify those areas within
    the organization that deal specifically in
    disbursements/ procurement/payroll and consider
    the following
  • Process for procurement and approval as well
    exceptions to those processes and who monitors
    it. What ways can this be circumvented?
  • Employee expense reimbursement policies.
  • Process for setting up vendors and employees and
    maintenance of these lists.
  • Who fields vendor/employee complaints about
    payments and paychecks ?

27
Expenditure Red Flags
  • Voided transactions/checks
  • Check written to employees or cash
  • Checks written to vendors with a P.O. box
  • Checks written out of sequence
  • Multiple entries on the same day to the same
    vendor just under approval limits

28
Segregation of Duties
  • Check signers should not prepare/cut the checks.
  • Person who procured/approved the purchase should
    not be the person that records the transaction
    and cuts the check.
  • Person that processes payroll or cuts the check
    should not be able to set up a new employee or
    vendor.

29
Small Government Issues
  • Not enough employees to properly segregate
    duties.
  • Consider the following
  • Create an audit committee of qualified
    individuals to perform regular ongoing oversight.
  • Utilize employees from other small governments or
    departments to perform duties.
  • Utilize management/board members/council to
    review monthly financial reports as oversight.
  • Hire outside accountant to perform some
    functions.

30
Small Government Issues (Continued)
  1. Establish a whistleblower policy that allows for
    employees to anonymously report abuse and fraud.
  2. Mandatory vacation
  3. Rotation of responsibilities
  4. Surprise cash counts/reconciliations
  5. External audits

31
FUNCTION OF INFORMATION TECHNOLOGY IN SOD
32
General IT Controls
  • Control Environment
  • Access Controls
  • Change management
  • Backup and recovery
  • Service providers

33
IT and SOD - Software
  • Is the software used to bill revenues, initiate
    purchases and process payroll the same?
  • If not, how does it integrate with the accounting
    software and who reconciles the amounts?
  • Who initiates upgrades to the software program
    and whether or not they should be made?

34
IT and SOD - Access
  • Who sets up and removes users from the server?
  • Who has access to the software or modules?
  • Are users required to have and use passwords to
    log in and is there mandatory password change
    policies in place?
  • Who has tested that access rights are working as
    intended?

35
IT and SOD - Data
  • Who has access to the data and is there a log
    that has an audit trail?
  • Does someone review user accounts to make sure
    that employees that have left have been removed
    in a timely fashion and denied remote access?
  • Are exceptions reports reviewed by an independent
    person and followed up on in a timely fashion.

36
Internal Control Essentials
Presented by Angela D. Balent, CPA, Member
37
Internal Control Standards
  • SAS 115, Communicating Internal Control Related
    Matters Identified in an Audit
  • SAS 109, Control Risk Assessment, Use of Service
    Organizations and IT Controls

38
SAS 115
  • Communicating matters related to an entitys
    internal control over financial reporting
    identified in an audit of the financial
    statements
  • Applicable whenever an auditor expresses or
    disclaims an opinion on financial statements
  • Effective for audits of financial statements for
    periods ending on or after December 31, 2009
  • Defines deficiency in internal control,
    significant deficiency and material weakness
  • Provides guidance on evaluation of severity of
    deficiencies
  • Requires the auditor to communicate in writing to
    management and those charged with governance
    significant deficiencies and material weaknesses
  • Generally controls that are relevant to an audit
    of the financial statements are those that
    pertain to the entitys objective of reliable
    financial reporting.

39
Deficiency in Internal Control
  • Exists when the design or operation of a control
    does not allow management or employees, in the
    normal course of performing their assigned
    functions, to prevent, or detect and correct
    misstatements on a timely basis.
  • Deficiency in design exists
  • A control necessary to meet the control objective
    is missing
  • An existing control is not properly designed so
    that, even if the control operates as designed,
    the control objective would not be met
  • Deficiency in operation exists
  • A properly designed control does not operate as
    designed
  • The person performing the control does not
    possess the necessary authority or competence to
    perform the control effectively.

40
Examples of Deficiency in Design
  • Inadequate design of controls over a significant
    account or process
  • Inadequate documentation of the components of
    internal control
  • Absent or inadequate segregation of duties within
    a significant account or process
  • Inadequate design of IT general and application
    controls that prevent the information system from
    proving complete and accurate information
    consistent with financial reporting objectives
    and current needs.
  • Employees or management who lack qualifications
    and training to fulfill their assigned functions.

41
Examples of Deficiency in Operation
  • Failure in the operation of effectively designed
    controls over a significant account or process
    for example failure of a control such as dual
    authorization for significant disbursements
    within the purchasing process.
  • Failure to perform reconciliations of significant
    accounts. For example accounts receivable
    subsidiary ledger is not reconciled to the
    general ledger account in a timely or accurate
    manner.
  • Undue bias or lack of objectivity by those
    responsible for accounting decisions. For
    example consistent understatement of expenses or
    overstatement of allowances at the direction of
    management.

42
SAS No. 115Definitions
  • Material WeaknessA deficiency, or combination of
    deficiencies, in internal control, such that
    there is a reasonable possibility that a material
    misstatement of the entitys financial statements
    will not be prevented or detected and corrected
    on a timely basis. (Reasonably possible chance
    of the future event or events occurring is more
    than remote but less than likely.)
  • Significant DeficiencyA deficiency, or
    combination of deficiencies, in internal control
    that is less severe than a material weakness, yet
    important enough to merit attention by those
    charged with governance. (Previous more than
    remoteRemote the chance of future events is
    slight)

43
Evaluation of Control Deficiencies
  • Is the identified deficiency a material weakness?
  • At least a reasonable possibility that a
    misstatement of the entitys financial statements
    will not be prevented, or detected and corrected
    on a timely basis, and such a misstatement could
    be material.
  • There are compensating controls that mitigate the
    severity of the identified deficiency which have
    been tested and found to be effective.
  • Is the deficiency, which is less severe than a
    material weakness, important enough to merit
    attention by those charged with governance?

44
Factors that Affect the Magnitude of a
Misstatement
  • Financial statement amounts or total of
    transactions exposed to the deficiency
  • Volume of activity (in the current period or
    expected future periods) in the account or class
    of transactions exposed to the deficiency
  • Risk factors - nature of account, susceptibility
    of asset or liability to loss or fraud,
    complexity/subjectivity of account, possible
    future consequences.
  • Multiple deficiencies that affect the same
    significant account or disclosure, relevant
    assertion or component of internal control.

45
Indicators of Material Weaknesses
  • Identification of fraud on the part of senior
    management
  • Restatement of previously issued financial
    statements to reflect the correction of a
    material misstatement due to error or fraud
  • Identification by the auditor of a material
    misstatement of the financial statements under
    audit in circumstances that indicate that the
    misstatement would not have been detected by the
    entitys internal control
  • Ineffective oversight of the entitys financial
    reporting and internal control by those charged
    with governance.

46
CommunicationForm, Content and Timing
  • Significant deficiencies and material weaknesses
    must be communicated in writing including those
    communicated in previous audits that have not yet
    been remediated. You may refer to the previously
    issued written communication and the date of that
    communication
  • The written communication is best made by report
    release date bust should be made no later than 60
    days following release date.
  • Early communication is permitted orally but must
    ultimately be included in written communication
    even if such significant deficiencies or material
    weaknesses were remediated during the audit
  • Conditions know to management where management
    has accepted the risk because of costs or other
    considerations still must be communicated.
  • Nothing precludes the auditor from communicating
    to management other matters related to an
    entitys internal control or recommendations for
    operation or administrative efficiency. If these
    items are communicated orally he auditor should
    document the communication.

47
SAS 109
  • SAS 109, Understanding the Entity and Its
    Environment and Assessing the Risks of Material
    Misstatement
  • Guidance to auditors related to consideration of
    internal control as part of the audit
  • Guidance on how the entitys use of information
    technology (IT) affects auditors consideration of
    internal control in planning the audit

48
Extent of Auditors Understanding
  • Must be sufficient to assess the risk of material
    misstatement of the financial statements due to
    error or fraud and to design the nature, timing
    and extent of further audit procedures.
  • Develop a fairly thorough and robust knowledge of
    the components of internal control as the auditor
    must document the basis for their risk
    assessment.
  • The auditor is not permitted simply to default to
    high control risk. Further emphasized in AICPA
    Technical Practice Aid (TIS 8200.10)

49
TIS 8200.10 Defaulting to Maximum Control Risk
  • Issued March 2008
  • Question posed is defaulting to the maximum
    control risk still permitted under AU section 314
  • Answer was No. Clarified that as the auditor
    obtains that understanding he or she may identify
    material weaknesses in the design of controls and
    as a result end up at assessing control risk as
    maximum for some financial statement accounts and
    relevant assertions.
  • In addition also discuss that control risk might
    initially be assessed at less than maximum but
    after testing the operating effectiveness of
    controls, that controls were not effective and
    would then reassess control risk at maximum.

50
TIS Question 8200.07
  • TIS Question 8200.07 Considering a Substantive
    Audit Strategy is also referenced
  • After identifying and assessing the risk of
    material misstatement at the assertion level, the
    auditor may adopt a substantive audit strategy
    because the cost of testing the operating
    effectiveness of controls might exceed their
    benefits.

51
TIS 8200.11 Ineffective Controls
  • Question If based on the auditors knowledge of
    the entity the auditor believes in advance of
    performing risk assessment procedures that
    controls over financial reporting are nonexistent
    or ineffective, could the evaluation and
    documentation of such controls (including the
    walk-through) be skipped?
  • Answer No for all the same reasons.

52
TIS 8200.15 Identifying Significant Deficiencies
  • Question If the auditor decides not to test
    controls, does this mean there is a control
    deficiency that needs to be evaluated?
  • Answer Noit depends on the reasons the auditor
    does not test the control. If the auditor
    decides not to test a control because it is
    nonexistent or improperly designed then it would
    represent a control deficiency that would need to
    be assessed. If the design is appropriate but
    the auditor decides not to test it for another
    reason (ex. control is redundant) then the
    auditor has not identified a control deficiency.

53
Service Organizations
  • When do you need a SAS 70 or additional audit
    evidence?
  • AU Section 324 Applicable to the audit of the
    financial statements of an entity that obtains
    services from another organization that are part
    of its information system.
  • Examples
  • Bank Trust Departments that invest and service
    assets for employee benefit plans or for others
  • Third party billing and collection services (EMS)
  • ASP that provide packaged software applications
    and a technology environment that enables
    customers to process financial and operational
    transactions

54
Service Organizations
  • Does not apply
  • Situations in which the services provided are
    limited to executing client organization
    transactions that are specifically authorized by
    the client
  • Processing checking account transactions by the
    bank
  • Execution of securities by the broker.

55
Service Organizations
  • Requirements
  • Understand service organization controls
  • Test the operating effectiveness of user controls
    if relying on service organization controls
  • Design and perform further audit procedures based
    upon the evaluation of service organization
    controls

56
Why Should You Understand Controls?
  • Identify types of potential misstatements
  • Identify factors that affect the risks of
    material misstatements
  • Design test of controls and substantive
    procedures

57
Three Questions
  • What does the client do? (process)
  • What can go wrong? (risks/objectives)
  • What does the client do about it? (control)

58
Focus on What Really Matters!
  • BIG risksrisks that could result in a material
    misstatement
  • BIG controlscontrols that address the most risks

Control Activities
Control Environment
Monitoring
Information and Communication
Risk Assessment
59
Top Down Approach
  • A company may have hundreds of controls in place!
  • Focus on controls related to financial reporting
  • Identify the significant classes of transactions
  • Identify the most important risks in each class
    of transactions (what can go wrong)
  • Identify the most effective controls related to
    those risks (key controls)

60
Key Controls often Consist of
  • Activity-Level Controls (Financial Reporting
    System)
  • Authorization
  • Segregation of duties
  • Safeguarding of assets
  • Reconciliations
  • Entity-Level Controls (Pervasive Effect on the
    Entitys System of Internal Controls)
  • Management reviews
  • IT security

61
Internal Controls Types
  • Activity-Level Controls
  • Control activities
  • Information - process
  • Entity-Level Controls
  • Control environment
  • Risk assessment
  • Information and communication
  • Monitoring

62
Walkthrough Inquiries
  • Talk to the people who actually do the work
  • Understand individuals understanding of
  • Required procedures
  • Whether procedures are performed that way
  • Ask about specific instances of non-compliance

63
Walkthrough Procedures
  • Observe activities and operations
  • Inspect documents
  • Visit client premises and plant facilities
  • Trace transactions through the system

64
Computer Errors
  • A computer lets you make more mistakes faster
    than any invention in human historywith the
    possible exceptions of handguns and tequila.

    --Mitch Radcliffe

65
Components of a System
Application
Database
Operating System
Network
66
Simple IT Diagram
Backup Server
General Ledger
Purchases Disbursement Subledger
Primary Server
AP Clerk End User
Internet
67
Understanding IT General Controls
  • Computer operations
  • Security
  • Change management

Operations
Security
Change Management
68
Computer Operations
  • Ensures that the IT system
  • Operates smoothly
  • Has the necessary functionality
  • Accurately transfers information between
    applications, as necessary
  • Is appropriately backed-up and protected

69
Security
  • Protects data and hardware from unauthorized
    access. Usually consists of the following types
    of controls
  • Physical security
  • Logical security
  • Access (e.g. passwords)
  • Setup/maintenance of system user rights
  • Job function
  • Administrator

70
Change Management
  • Ensures that changes to the IT system are
    authorized, planned and implemented in line with
    managements intentions. Changes include
  • Upgrades
  • Development of new systems
  • Deployment of packaged systems
  • Changes to the functionality of existing systems
    (e.g. changes to report parameters)

71
Evaluating IT General Controls
  • Consider complexity
  • Determine scope of evaluation
  • Evaluate design and verify implementation

72
IT General Controls vs. Application Controls
IT General Controls IT Application Controls
Company-wide policies and procedures that ensure the proper function and control of information technology Analogous to entity-level controls Controls that prevent or detect misstatements in a particular process Classified as activity-level controls
73
IT Complexity
More Complex Less Complex
More likely use of a specialist More potential risks of material misstatement introduced by the system More formal ITGCs Greater reliance on IT application controls More likely use of audit staff Fewer risks of material misstatement introduced by the system Less formal ITGCs More reliance on manual controls around the IT system
74
Do I Need a Specialist?
  • Customized system with in-house programmers
  • New system or significant changes have occurred
  • Multiple locations or multiple applications
    synching to G/L
  • Significant e-commerce activities
  • Significant audit evidence only in electronic form

75
Real Life Case Studies
76
Small Government Fraud
  • Town Clerk-Treasurer, the organizations must
    trusted employee who had worked at the Town for
    20 years, misappropriated funds from unauthorized
    credit card use and fraudulent disbursements.
  • 90,256 total loss averaged 3 of the Towns 1
    million annual operating budget.
  • Unauthorized use of towns credit card purchases
    from a variety of internet shopping sites and
    issued checks to herself using an electric
    typewriter that can make corrections
  • Employee duties within the towns treasury
    department were inadequately segregated. No one
    monitored her work to ensure all financial
    transactions were authorized, properly supported
    and accurately recorded in towns accounting
    records.

77
Easy internal control practices
  • Finance Commissioner or someone on Council should
    require monthly bank statements to be delivered
    unopened directly to themselves or some other
    independent party. The individual should review
    the redeemed checks for unauthorized or unusual
    transactions.
  • Governing bodies should receive disbursement
    reports listing all transactions to ensure all
    disbursements are reviewed and approved and there
    are no gaps in check numbers listed for
    transactions shown on consecutive reports
  • Check signers should never sign blank checks.
  • Check signers should compare payee information
    for agreement on supporting documents, the check
    register and redeemed checks.

78
Big Government Fraud
  • GAO reports P-Card abuse in two San Diego Navy
    facilities. Navy exercised little control over
    the 68 million in credit card purchases made
    during 2000.
  • Numerous questionable purchases, including
    expensive computer monitors and Palm Pilots that
    could not be accounted for as well as gift
    certificates to Nordstrom and Mary Kay cosmetics.
  • 36 of employees at one of the Navy units had
    military credit cards and 16 had cards at the
    other unit investigated. No more than 4 of the
    employees at 6 other large defense contractors in
    area were allowed to have cards.
  • GAO stated the more cardholders in an
    organization, the harder it is to control the
    card system.

79
Internal controls for P-Cards
  • Develop written policies and procedures for
    effective use of p-cards including sample
    disciplinary actions the organization may take
    against employees, such as termination for
    inappropriate use of cards or failure to follow
    the rules.
  • Rules should require employees to obtain copies
    of receipts for purchases made, to sign documents
    acknowledging the received the items and to
    submit all receipts to their supervisors for
    review and approval.
  •  
  • Supervisors should agree all purchase
    transactions with banks monthly p-card reports
    before the organization pays the total amount due
    to the bank.
  •  
  • Never pay from the banks monthly statement.
  •  
  • Maintain a log of those prenumbered P-cards that
    have been issued to each employee.
  •  

80
UDBOFF Research
  • Using the Deviant Behaviors of Others to Find
    Fraud.
  • Primary drivers that motivate human beings to act
    the way they do money, sex and power.
  •  
  • The strength and security of the mightiest castle
    is unfortunately linked to the ability of the
    lowliest night watchman to stay awake. Said
    another way - if employees (or Council)
    responsible for management oversight arent doing
    their jobs, how does their inattentiveness affect
    the entire organization?
  •  

81
Audit Committees
  • Weaknesses in internal controls have been the
    root cause of many problems, including fraudulent
    activities, errors and noncompliance with laws
    and regulations. Accordingly the adequacy of
    internal controls should be the primary concern
    of the governing bodies and audit committees.
    Understanding internal controls will help audit
    committees understand the organizations risk
    management and the processes used to mitigate
    risks.

82
Why committees struggle
  • No clear definition of composition GFOA and
    others differ on opinions of who should be on
    committee.
  • Ability to act independently or with authority.
  •  
  • Responsibilities of committee are unclear or
    undefined.
  •  
  • Difficult to find a financial expert.
  • Are they valuable YES.

83
Questions?
  • Contact information
  • mblackstock_at_graucpa.com
  • angela.balent_at_warrenaverett.com
About PowerShow.com