Presented by C. Michelle Blackstock, CPA/CITP Partner, Grau & Associates


Fraud

Webster’s definition is: “The intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right.”

Audit Perspective of Fraud

An intentional act that leads to a material misstatement in the financial statements that are the subject of an audit.

The auditor is responsible for obtaining reasonable assurance that the financial statements, taken as a whole, are free of material misstatement, whether caused by fraud or by error.

Auditor Responsibilities

The auditor is responsible for assessing the risks (including fraud risks) that could result in the financial statements being materially misstated, and for responding to those risks.

Conduct fraud-related inquiries of management and of others within the organization.

Auditor Responsibilities (Continued)

Auditors cannot detect all instances of fraud or provide absolute assurance that the financial statements are free of material misstatements caused by fraud. This is mostly because fraud can involve collusion, false documents and misrepresentations, all of which are intended to conceal it.

Two Fraud Types

Misappropriation of assets

Fraudulent financial reporting

Misappropriation of Assets

Wikipedia definition is: “Intentional use of property or funds of another person for one’s own use or other unauthorized purpose.”

Types of Misappropriation

Embezzlement
Asset theft
Register schemes (refunds)
Payroll and expense reimbursement schemes
Billing and vendor schemes

Fraudulent Financial Reporting

Intentional misstatements or omissions in financial reporting, made with the intent to deceive the users of the financial statements.

The Fraud Triangle

Three conditions are generally present when fraud occurs: Incentive/Pressure, Opportunity, and Attitude/Rationalization.

Attitude/Rationalization

An environment in which controls are not treated as important, which lets an individual accept or rationalize committing fraud.

Is there a whistleblower policy that allows employees to anonymously report abuse and fraud?

Incentive/Pressure

An environment that gives management or employees a reason to commit fraud.

Are there rewards based on reaching financial goals? Is the municipality trying to maintain a specific credit rating? Is there pressure to expend grant funds in order to keep the grant funding?

Opportunity

Do you give your employees the opportunity to steal you blind? Let’s look at the forms these opportunities can take. Opportunity exists when one person controls more than one of the following for the same transactions:

Authorization or approval of related transactions

Recording or reporting of related transactions

Custody of assets

Statistics

Association of Certified Fraud Examiners, 2010 Report to the Nations on Occupational Fraud:

An estimated 5% of annual revenue is lost to fraud, which would be about $2.9 trillion on a global basis.

Median loss is $160,000.

Small organizations are disproportionately victimized because they lack anti-fraud controls.

Detection Top Five

Association of Certified Fraud Examiners, 2010 Report to the Nations on Occupational Fraud:

1. Tip from an insider or outsider
2. Management review
3. Internal audit
4. By accident
5. Account reconciliation

Behavior Warning Signs

Association of Certified Fraud Examiners, 2010 Report to the Nations on Occupational Fraud:

Living beyond means
Financial difficulties
Control issues
Unusually close relationship with vendors/customers
Wheeler-dealer attitude

Prevention

Understand fraud risks and make an honest assessment for your industry and organization.

Brainstorm on significant fraud risk areas and how fraud could be perpetrated, including segregation of duties conflicts.

Develop a plan of controls that addresses each risk.

Monitor the controls to make sure that they are working as intended and make necessary changes on a continuing basis.

Segregation of Duties

The basic premise is that no one employee or group of employees is given the ability both to perpetrate and to conceal an error or fraud in the normal course of performing their duties.

Cash Collections

Take the time to identify those areas within the organization that specifically handle cash and consider the following:

1. How much of the total revenue does this area generate?

2. How many people are involved?

If this is a significant area with few employees, then at a minimum the person who collects and deposits the cash (including opening the mail) must be a different person from the one who records it. Oversight by a manager, board, council or audit committee should include approval of write-offs, review of the receivable aging and adjustments, and follow-up on discrepancies.

Cash Collections (Continued)

Consider who has direct access to cash and the controls in place to limit those employees’ ability to steal or take it; continually monitor this area and test that the controls in place are working.

Cash Collections (Continued)

Segregation of Duties

Have charges paid to a department different from the one where the transaction originates, or through an automated process.

The person who collects the cash should not deposit the cash.

Independent bank reconciliation.

The person who directly handles cash collection should not record the transactions or have cash disbursement responsibilities.

Revenues

Take the time to identify those areas within the organization that deal specifically in revenue generation and consider the following:

1. The process for determining the fees and rates charged: how can it be overridden, and who reviews it for accuracy?

2. The process for setting up customers and for issuing refunds and credit memos.

3. Who fields customer complaints?

Segregation of Duties

The Council should approve/authorize rates, fees, fines or assessments.

The person who prepares the bills should not collect the revenue or record the transactions.

The person who records the transactions should not approve or process write-offs or adjustments, maintain the customer list, or field customer complaints.

Independent review of the accounts receivable aging.

Expenditures

Take the time to identify those areas within the organization that deal specifically in disbursements, procurement and payroll and consider the following:

1. The process for procurement and approval, the exceptions to those processes, and who monitors them. In what ways can the process be circumvented?

2. Employee expense reimbursement policies.

3. The process for setting up vendors and employees and for maintaining these lists.

4. Who fields vendor and employee complaints about payments and paychecks?

Expenditure Red Flags

Voided transactions/checks
Checks written to employees or to cash
Checks written to vendors with a P.O. box address
Checks written out of sequence
Multiple entries on the same day to the same vendor, each just under the approval limit
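As an added example (not part of the presentation), the Python script below runs the red flags on this slide over a check register. The register rows, the employee list and the $1,000 single-approver limit are constructed sample values; the sequence checks assume that checks are issued in numerical order by date, so a lower number after a higher one is out of sequence and a number that never appears is unaccounted-for check stock.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample check register (illustration only, not data from the presentation).
REGISTER = [
    {"check": 1001, "date": date(2010, 3, 1), "payee": "Acme Office Supply",
     "amount": 412.50, "address": "12 Main St, Anytown", "voided": False},
    {"check": 1002, "date": date(2010, 3, 1), "payee": "Cash",
     "amount": 300.00, "address": "", "voided": False},
    {"check": 1003, "date": date(2010, 3, 2), "payee": "Riverside Paving LLC",
     "amount": 990.00, "address": "P.O. Box 771, Anytown", "voided": False},
    {"check": 1004, "date": date(2010, 3, 2), "payee": "Riverside Paving LLC",
     "amount": 975.00, "address": "P.O. Box 771, Anytown", "voided": False},
    {"check": 1005, "date": date(2010, 3, 2), "payee": "Riverside Paving LLC",
     "amount": 980.00, "address": "P.O. Box 771, Anytown", "voided": False},
    {"check": 1006, "date": date(2010, 3, 3), "payee": "County Water Authority",
     "amount": 2150.00, "address": "1 Reservoir Rd, Anytown", "voided": True},
    {"check": 1009, "date": date(2010, 3, 3), "payee": "J. Doe",
     "amount": 640.00, "address": "", "voided": False},
    {"check": 1008, "date": date(2010, 3, 4), "payee": "Acme Office Supply",
     "amount": 88.20, "address": "12 Main St, Anytown", "voided": False},
]

# Constructed employee master; a payee on this list is a check written to an employee.
EMPLOYEES = {"J. Doe", "M. Roe"}

# Assumed policy value: one approver may authorize disbursements below this amount.
APPROVAL_LIMIT = 1000.00

PO_BOX = re.compile(r"\bP\.?\s?O\.?\s*BOX\b", re.IGNORECASE)


def find_red_flags(register, employees, approval_limit, near_limit_fraction=0.90):
    """Return sorted (check_number, reason) pairs for the slide's five red flags."""
    flags = []
    by_vendor_day = defaultdict(list)

    for row in register:
        if row["voided"]:
            flags.append((row["check"], "voided check"))
        if row["payee"].strip().lower() == "cash":
            flags.append((row["check"], "check written to cash"))
        if row["payee"] in employees:
            flags.append((row["check"], "check written to an employee"))
        if PO_BOX.search(row["address"]):
            flags.append((row["check"], "vendor address is a P.O. box"))
        by_vendor_day[(row["payee"], row["date"])].append(row)

    # Out of sequence: walking the register in date order (a stable sort keeps the
    # recorded order within a day), each check number should exceed every earlier one.
    highest = 0
    for row in sorted(register, key=lambda r: r["date"]):
        if row["check"] < highest:
            flags.append((row["check"], "check written out of sequence"))
        highest = max(highest, row["check"])

    # Gaps: numbers inside the used range that never appear are unaccounted-for stock.
    present = {r["check"] for r in register}
    for number in range(min(present), max(present) + 1):
        if number not in present:
            flags.append((number, "check number missing from sequence"))

    # Split purchases: several same-day checks to one vendor, each just under the
    # approval limit, whose total would have required a higher level of approval.
    for (payee, _day), rows in by_vendor_day.items():
        if len(rows) < 2:
            continue
        just_under = all(near_limit_fraction * approval_limit <= r["amount"] < approval_limit
                         for r in rows)
        if just_under and sum(r["amount"] for r in rows) > approval_limit:
            for r in rows:
                flags.append((r["check"], f"one of {len(rows)} same-day checks to "
                                          f"{payee} just under the approval limit"))
    return sorted(flags)


if __name__ == "__main__":
    for number, reason in find_red_flags(REGISTER, EMPLOYEES, APPROVAL_LIMIT):
        print(f"check {number}: {reason}")
```

On the constructed register the script flags check 1002 (cash), 1006 (voided), 1009 (employee), 1008 (out of sequence), 1007 (never recorded), and 1003 to 1005 both for the P.O. box address and as a split purchase totalling $2,945 against a $1,000 limit. The 90% "just under" threshold is a tuning choice; a fraudster who splits less carefully is caught instead by the plain same-day total.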

Segregation of Duties

Check signers should not prepare/cut the checks.

The person who procured or approved the purchase should not be the person who records the transaction and cuts the check.

The person who processes payroll or cuts the checks should not be able to set up a new employee or vendor.

Small Government Issues

Not enough employees to properly segregate duties. Consider the following:

1. Create an audit committee of qualified individuals to perform regular, ongoing oversight.
2. Utilize employees from other small governments or departments to perform duties.
3. Utilize management, board members or council to review monthly financial reports as oversight.
4. Hire an outside accountant to perform some functions.

Small Government Issues (Continued)

5. Establish a whistleblower policy that allows employees to anonymously report abuse and fraud.
6. Mandatory vacation
7. Rotation of responsibilities
8. Surprise cash counts and reconciliations
9. External audits

General IT Controls

Control environment
Access controls
Change management
Backup and recovery
Service providers

IT and SOD - Software

Is the same software used to bill revenues, initiate purchases and process payroll?

If not, how does each system integrate with the accounting software, and who reconciles the amounts between them?

Who initiates upgrades to the software, and who decides whether they should be made?

IT and SOD - Access

Who sets up and removes users on the server?

Who has access to the software or to its individual modules?

Are users required to have and use passwords to log in, and is there a mandatory password change policy in place?

Who has tested that access rights are working as intended?
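One way to answer the last question on this slide is to encode the segregation-of-duties rules from the cash collections, revenues and expenditures slides above as conflicting pairs of rights and check them against the rights each user actually holds in the accounting system. The script below is an added example, not from the presentation; the right names (collect_cash, prepare_checks, and so on) are assumed labels for application functions, and the roles and user assignments are constructed.

```python
# Pairs of rights that one person should not hold together, taken from the
# segregation-of-duties rules on the cash collections, revenues and expenditures
# slides of this presentation. The right names are assumed labels.
CONFLICTS = {
    frozenset({"collect_cash", "deposit_cash"}),
    frozenset({"collect_cash", "record_receipts"}),
    frozenset({"collect_cash", "disburse_cash"}),
    frozenset({"prepare_bills", "collect_cash"}),
    frozenset({"prepare_bills", "record_receipts"}),
    frozenset({"record_receipts", "approve_writeoffs"}),
    frozenset({"record_receipts", "maintain_customer_master"}),
    frozenset({"sign_checks", "prepare_checks"}),
    frozenset({"approve_purchase", "record_disbursements"}),
    frozenset({"approve_purchase", "prepare_checks"}),
    frozenset({"prepare_checks", "maintain_vendor_master"}),
    frozenset({"prepare_checks", "maintain_employee_master"}),
    frozenset({"process_payroll", "maintain_vendor_master"}),
    frozenset({"process_payroll", "maintain_employee_master"}),
}

# Constructed role definitions: role -> rights granted by that role.
ROLES = {
    "cashier": {"collect_cash", "deposit_cash"},
    "ar_clerk": {"record_receipts"},
    "billing": {"prepare_bills"},
    "ap_clerk": {"prepare_checks", "record_disbursements"},
    "purchasing": {"approve_purchase"},
    "payroll": {"process_payroll"},
    "hr": {"maintain_employee_master"},
    "finance_director": {"sign_checks", "approve_writeoffs"},
}

# Constructed user assignments: roles plus any rights granted directly, outside a role.
USERS = {
    "alice": {"roles": {"cashier"}, "direct": set()},
    "bob": {"roles": {"ap_clerk"}, "direct": {"maintain_vendor_master"}},
    "carol": {"roles": {"payroll", "hr"}, "direct": set()},
    "dave": {"roles": {"finance_director"}, "direct": set()},
    "erin": {"roles": {"ar_clerk", "billing", "cashier"}, "direct": set()},
}


def effective_rights(user, roles):
    """Union of the rights inherited through roles and any direct grants."""
    rights = set(user.get("direct", ()))
    for role in user["roles"]:
        rights |= roles[role]
    return rights


def sod_conflicts(users, roles, conflicts):
    """Map each user to the sorted conflicting right pairs that user holds."""
    report = {}
    for name, user in users.items():
        rights = effective_rights(user, roles)
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= rights)
        if hits:
            report[name] = hits
    return report


def role_conflicts(roles, conflicts):
    """Roles that conflict on their own: every holder inherits the conflict."""
    return {role: sorted(tuple(sorted(pair)) for pair in conflicts if pair <= rights)
            for role, rights in roles.items()
            if any(pair <= rights for pair in conflicts)}


if __name__ == "__main__":
    for name, pairs in sod_conflicts(USERS, ROLES, CONFLICTS).items():
        print(name, pairs)
    print("conflicting roles:", role_conflicts(ROLES, CONFLICTS))
```

Two points worth noting. Bob's conflict comes from a right granted directly rather than through a role, which is why the check works from effective rights, not role names. The cashier role conflicts by itself, which is the small-government situation described earlier on this page: when the role cannot be split, the finding should be paired with a documented compensating control (an independent bank reconciliation, surprise cash counts) rather than silently accepted.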

IT and SOD - Data

Who has access to the data, and is there a log that provides an audit trail?

Does someone review user accounts to make sure that employees who have left have been removed in a timely fashion and denied remote access?

Are exception reports reviewed by an independent person and followed up on in a timely fashion?
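Added example (not from the presentation): a user account review that reconciles an application's user export against the HR roster and reports the items this slide asks about: terminated employees whose accounts are still enabled or still allowed remote access, accounts used after the termination date, accounts with no matching employee, and dormant accounts. All of the data, the review date, the one-day removal deadline and the 90-day dormancy threshold are constructed assumptions.

```python
from datetime import date

AS_OF = date(2010, 6, 30)  # assumed review date

# Constructed HR roster: employee id -> (name, termination date, or None if still employed)
HR_ROSTER = {
    "E100": ("A. Smith", None),
    "E101": ("B. Jones", date(2010, 5, 14)),
    "E102": ("C. Lee", date(2010, 6, 28)),
    "E103": ("D. Kim", None),
}

# Constructed user export from the accounting application.
APP_USERS = [
    {"login": "asmith", "emp_id": "E100", "enabled": True, "remote": True,
     "last_login": date(2010, 6, 29)},
    {"login": "bjones", "emp_id": "E101", "enabled": True, "remote": True,
     "last_login": date(2010, 5, 20)},
    {"login": "clee", "emp_id": "E102", "enabled": True, "remote": False,
     "last_login": date(2010, 6, 27)},
    {"login": "dkim", "emp_id": "E103", "enabled": True, "remote": False,
     "last_login": date(2010, 2, 1)},
    {"login": "temp1", "emp_id": None, "enabled": True, "remote": True,
     "last_login": date(2010, 6, 20)},
    {"login": "oldclerk", "emp_id": "E101", "enabled": False, "remote": False,
     "last_login": date(2009, 12, 1)},
]


def review_accounts(app_users, hr_roster, as_of, removal_grace_days=1, dormant_days=90):
    """Return (login, finding) pairs for every enabled account that fails the review."""
    findings = []
    for user in app_users:
        if not user["enabled"]:
            continue  # already removed; nothing left to review
        employee = hr_roster.get(user["emp_id"])
        if employee is None:
            findings.append((user["login"],
                             "no matching employee record (orphan or shared account)"))
            continue
        name, terminated = employee
        if terminated is not None:
            overdue = (as_of - terminated).days - removal_grace_days
            if overdue > 0:
                findings.append((user["login"],
                                 f"{name} terminated {terminated}, account still enabled "
                                 f"{overdue} day(s) past the removal deadline"))
            if user["remote"]:
                findings.append((user["login"],
                                 "remote access still enabled for a terminated employee"))
            if user["last_login"] is not None and user["last_login"] > terminated:
                findings.append((user["login"],
                                 f"account used on {user['last_login']}, "
                                 f"after the termination date"))
            continue
        # Active employee: a long-unused account is an unneeded entry point.
        if user["last_login"] is None or (as_of - user["last_login"]).days > dormant_days:
            findings.append((user["login"], f"dormant: no login in more than {dormant_days} days"))
    return findings


if __name__ == "__main__":
    for login, finding in review_accounts(APP_USERS, HR_ROSTER, AS_OF):
        print(f"{login}: {finding}")
```

The "used after the termination date" finding is the one to escalate: an enabled account is a control deficiency, but a login six days after the employee left means the account was actually used, and the audit trail for that login should be pulled. The disabled `oldclerk` account is skipped on purpose; the review is of live access, not of history.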

Presented by Angela D. Balent, CPA, Member

Internal Control Standards

SAS 115, Communicating Internal Control Related Matters Identified in an Audit

SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement: control risk assessment, use of service organizations and IT controls

SAS 115

Communicating matters related to an entity’s internal control over financial reporting identified in an audit of the financial statements.

Applicable whenever an auditor expresses or disclaims an opinion on financial statements.

Effective for audits of financial statements for periods ending on or after December 15, 2009.

Defines deficiency in internal control, significant deficiency and material weakness.

Provides guidance on evaluating the severity of deficiencies.

Requires the auditor to communicate in writing to management and those charged with governance the significant deficiencies and material weaknesses identified.

Generally controls that are relevant to an audit of the financial statements are those that pertain to the entity’s objective of reliable financial reporting.

Deficiency in Internal Control

Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.

A deficiency in design exists when:
A control necessary to meet the control objective is missing
An existing control is not properly designed, so that even if the control operates as designed, the control objective would not be met

A deficiency in operation exists when:
A properly designed control does not operate as designed
The person performing the control does not possess the necessary authority or competence to perform the control effectively

Examples of Deficiency in Design

Inadequate design of controls over a significant account or process

Inadequate documentation of the components of internal control

Absent or inadequate segregation of duties within a significant account or process

Inadequate design of IT general and application controls, such that the information system cannot provide complete and accurate information consistent with financial reporting objectives and current needs

Employees or management who lack the qualifications and training to fulfill their assigned functions

Examples of Deficiency in Operation

Failure in the operation of effectively designed controls over a significant account or process: for example, failure of a control such as dual authorization for significant disbursements within the purchasing process.

Failure to perform reconciliations of significant accounts: for example, the accounts receivable subsidiary ledger is not reconciled to the general ledger account in a timely or accurate manner.

Undue bias or lack of objectivity by those responsible for accounting decisions: for example, consistent understatement of expenses or overstatement of allowances at the direction of management.

SAS No. 115 Definitions

Material Weakness: A deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. (Reasonably possible: the chance of the future event or events occurring is more than remote but less than likely.)

Significant Deficiency: A deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. (Under the previous definition the threshold was “more than remote”, where “remote” means the chance of the future event occurring is slight.)

Evaluation of Control Deficiencies

Is the identified deficiency a material weakness? It is if there is at least a reasonable possibility that a misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis, and such a misstatement could be material.

Are there compensating controls that mitigate the severity of the identified deficiency, and have they been tested and found to be effective?

If the deficiency is less severe than a material weakness, is it still important enough to merit attention by those charged with governance (a significant deficiency)?

Factors that Affect the Magnitude of a Misstatement

Financial statement amounts or total of transactions exposed to the deficiency

Volume of activity (in the current period or expected future periods) in the account or class of transactions exposed to the deficiency

Risk factors: nature of the account, susceptibility of the asset or liability to loss or fraud, complexity or subjectivity of the account, possible future consequences

Multiple deficiencies that affect the same significant account or disclosure, relevant assertion or component of internal control

Indicators of Material Weaknesses

Identification of fraud on the part of senior management

Restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud

Identification by the auditor of a material misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected by the entity’s internal control

Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance.

Communication: Form, Content and Timing

Significant deficiencies and material weaknesses must be communicated in writing, including those communicated in previous audits that have not yet been remediated. The auditor may refer to the previously issued written communication and the date of that communication.

The written communication is best made by the report release date but should be made no later than 60 days following the report release date.

Early communication is permitted orally, but the matters must ultimately be included in the written communication, even if the significant deficiencies or material weaknesses were remediated during the audit.

Conditions known to management, where management has accepted the risk because of costs or other considerations, still must be communicated.

Nothing precludes the auditor from communicating to management other matters related to the entity’s internal control, or recommendations for operational or administrative efficiency. If these items are communicated orally, the auditor should document the communication.

SAS 109

SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Guidance to auditors on the consideration of internal control as part of the audit

Guidance on how the entity’s use of information technology (IT) affects the auditor’s consideration of internal control in planning the audit

Extent of Auditor’s Understanding

Must be sufficient to assess the risk of material misstatement of the financial statements due to error or fraud, and to design the nature, timing and extent of further audit procedures.

Develop a fairly thorough and robust knowledge of the components of internal control, since the auditor must document the basis for the risk assessment.

The auditor is not permitted simply to default to maximum control risk. This is further emphasized in AICPA Technical Practice Aid TIS 8200.10.

TIS 8200.10, Defaulting to Maximum Control Risk (issued March 2008)

Question: Is defaulting to the maximum control risk still permitted under AU section 314?

Answer: No. The practice aid clarifies that, as the auditor obtains the required understanding, he or she may identify material weaknesses in the design of controls and, as a result, end up assessing control risk at the maximum for some financial statement accounts and relevant assertions.

It also discusses that control risk might initially be assessed at less than maximum, but if testing the operating effectiveness of controls shows that they are not effective, the auditor would then reassess control risk at the maximum.

TIS 8200.07, Considering a Substantive Audit Strategy

TIS 8200.07 is also referenced: after identifying and assessing the risk of material misstatement at the assertion level, the auditor may adopt a substantive audit strategy because the cost of testing the operating effectiveness of controls might exceed the benefits.

TIS 8200.11, Ineffective Controls

Question: If, based on the auditor’s knowledge of the entity, the auditor believes in advance of performing risk assessment procedures that controls over financial reporting are nonexistent or ineffective, can the evaluation and documentation of those controls (including the walk-through) be skipped?

Answer: No, for the same reasons: the auditor must still obtain and document the understanding of internal control on which the risk assessment is based.

TIS 8200.15, Identifying Significant Deficiencies

Question: If the auditor decides not to test controls, does this mean there is a control deficiency that needs to be evaluated?

Answer: No; it depends on the reason the auditor does not test the control. If the auditor decides not to test a control because it is nonexistent or improperly designed, then that represents a control deficiency that must be assessed. If the design is appropriate but the auditor decides not to test it for another reason (for example, the control is redundant), then the auditor has not identified a control deficiency.

Service Organizations

When do you need a SAS 70 report or additional audit evidence?

AU Section 324 applies to the audit of the financial statements of an entity that obtains services from another organization that are part of the entity’s information system.

Examples:
Bank trust departments that invest and service assets for employee benefit plans or for others
Third-party billing and collection services (for example, EMS billing)
Application service providers (ASPs) that provide packaged software applications and a technology environment that enables customers to process financial and operational transactions

Service Organizations

Does not apply to situations in which the services provided are limited to executing client transactions that are specifically authorized by the client, for example:
Processing of checking account transactions by the bank
Execution of securities transactions by a broker

Service Organizations

Requirements:
Understand the service organization’s controls
Test the operating effectiveness of user controls if relying on service organization controls
Design and perform further audit procedures based on the evaluation of service organization controls

Why Should You Understand Controls?

Identify types of potential misstatements
Identify factors that affect the risks of material misstatement
Design tests of controls and substantive procedures

Three Questions

What does the client do? (process)
What can go wrong? (risks/objectives)
What does the client do about it? (controls)

Focus on What Really Matters!

BIG risks: risks that could result in a material misstatement

BIG controls: controls that address the most risks

(Diagram: the five components of internal control) Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring

Top Down Approach

A company may have hundreds of controls in place!

Focus on controls related to financial reporting

Identify the significant classes of transactions

Identify the most important risks in each class of transactions (what can go wrong)

Identify the most effective controls related to those risks (key controls)

Key Controls Often Consist of...

Activity-Level Controls (Financial Reporting System):
Authorization
Segregation of duties
Safeguarding of assets
Reconciliations

Entity-Level Controls (Pervasive Effect on the Entity’s System of Internal Control):
Management reviews
IT security

Internal Control Types

Activity-Level Controls:
Control activities
Information (process)

Entity-Level Controls:
Control environment
Risk assessment
Information and communication
Monitoring

Walkthrough Inquiries

Talk to the people who actually do the work.

Understand the individual’s understanding of:
Required procedures
Whether procedures are performed that way

Ask about specific instances of non-compliance.

Walkthrough Procedures

Observe activities and operations
Inspect documents
Visit client premises and plant facilities
Trace transactions through the system

Computer Errors

“A computer lets you make more mistakes faster than any invention in human history—with the possible exceptions of handguns and tequila.”

--Mitch Ratcliffe

Components of a System

Application
Database
Operating System
Network

Simple IT Diagram

(Diagram: a primary server hosting the general ledger and the purchases and disbursements subledger, a backup server, an Internet connection, and an end user such as the AP clerk)

Understanding IT General Controls

Computer operations

Security

Change management

Computer Operations

Ensures that the IT system:
Operates smoothly
Has the necessary functionality
Accurately transfers information between applications, as necessary
Is appropriately backed up and protected

Security

Protects data and hardware from unauthorized access. Usually consists of the following types of controls:
Physical security
Logical security: access controls (e.g. passwords) and the setup and maintenance of system user rights, both for ordinary users by job function and for administrators

Change Management

Ensures that changes to the IT system are authorized, planned and implemented in line with management’s intentions. Changes include:
Upgrades
Development of new systems
Deployment of packaged systems
Changes to the functionality of existing systems (e.g. changes to report parameters)

Evaluating IT General Controls

Consider complexity

Determine scope of evaluation

Evaluate design and verify implementation

IT General Controls vs. Application Controls

IT General Controls:
Company-wide policies and procedures that ensure the proper function and control of information technology
Analogous to entity-level controls

IT Application Controls:
Controls that prevent or detect misstatements in a particular process
Classified as activity-level controls

IT Complexity

More complex:
More likely use of a specialist
More potential risks of material misstatement introduced by the system
More formal ITGCs
Greater reliance on IT application controls

Less complex:
More likely use of audit staff
Fewer risks of material misstatement introduced by the system
Less formal ITGCs
More reliance on manual controls around the IT system

Do I Need a Specialist?

Customized system with in-house programmers
New system or significant changes have occurred
Multiple locations or multiple applications synching to the G/L
Significant e-commerce activities
Significant audit evidence available only in electronic form

Small Government Fraud

The Town Clerk-Treasurer, the organization’s most trusted employee, who had worked for the Town for 20 years, misappropriated funds through unauthorized credit card use and fraudulent disbursements.

The $90,256 total loss averaged 3% of the Town’s $1 million annual operating budget.

She made unauthorized purchases with the town’s credit card from a variety of internet shopping sites and issued checks to herself using an electric typewriter capable of making corrections.

Duties within the town’s treasury department were inadequately segregated. No one monitored her work to ensure that all financial transactions were authorized, properly supported and accurately recorded in the town’s accounting records.

Easy internal control practices

The Finance Commissioner or someone on the Council should require that monthly bank statements be delivered unopened directly to them or to another independent party, who should review the redeemed checks for unauthorized or unusual transactions.

Governing bodies should receive disbursement reports listing all transactions, so that all disbursements are reviewed and approved and any gaps in the check numbers listed on consecutive reports are noticed.

Check signers should never sign blank checks.

Check signers should compare the payee information on the supporting documents, the check register and the redeemed checks for agreement.
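Added example (not from the presentation): the three-way comparison described above, between the check register, the supporting documents and the redeemed checks returned with the bank statement, written as a script. The check data is constructed; check 1102's cleared payee and check 1103's cleared amount are deliberately made to disagree, check 1104 has no invoice, and check 1105 cleared without ever being recorded, to show what each comparison catches.

```python
# Constructed data (illustration only): check number -> (payee, amount) as recorded.
REGISTER = {
    1101: ("Acme Office Supply", 412.50),
    1102: ("Riverside Paving LLC", 2500.00),
    1103: ("County Water Authority", 860.00),
    1104: ("Town Clerk Petty Cash", 150.00),
}

# Approved supporting documents filed with each check: check -> (payee, amount, approver).
SUPPORT = {
    1101: ("Acme Office Supply", 412.50, "finance director"),
    1102: ("Riverside Paving LLC", 2500.00, "finance director"),
    1103: ("County Water Authority", 860.00, "finance director"),
}

# Redeemed checks as they cleared, taken from the bank statement: check -> (payee, amount).
CLEARED = {
    1101: ("Acme Office Supply", 412.50),
    1102: ("R. Smith", 2500.00),                # payee altered after signing
    1103: ("County Water Authority", 680.00),   # amount differs from the register
    1104: ("Town Clerk Petty Cash", 150.00),
    1105: ("Cash", 400.00),                     # never recorded in the register
}


def three_way_match(register, support, cleared, tolerance=0.005):
    """Compare payee and amount across register, supporting documents and redeemed checks.

    Returns (check_number, finding) pairs; a check with no finding agreed on all three.
    """
    findings = []
    for number in sorted(set(register) | set(cleared)):
        reg = register.get(number)
        bank = cleared.get(number)
        doc = support.get(number)

        if reg is None:
            # The bank paid a check that was never recorded: a concealed disbursement.
            findings.append((number, f"cleared the bank (payee {bank[0]!r}, {bank[1]:.2f}) "
                                     f"but is not in the check register"))
            continue

        if doc is None:
            findings.append((number, "no approved supporting document on file"))
        else:
            if doc[0] != reg[0]:
                findings.append((number, f"payee on supporting document {doc[0]!r} "
                                         f"differs from register {reg[0]!r}"))
            if abs(doc[1] - reg[1]) > tolerance:
                findings.append((number, f"amount on supporting document {doc[1]:.2f} "
                                         f"differs from register {reg[1]:.2f}"))

        if bank is None:
            continue  # still outstanding; nothing to compare against yet
        if bank[0] != reg[0]:
            findings.append((number, f"payee on redeemed check {bank[0]!r} "
                                     f"differs from register {reg[0]!r}"))
        if abs(bank[1] - reg[1]) > tolerance:
            findings.append((number, f"amount on redeemed check {bank[1]:.2f} "
                                     f"differs from register {reg[1]:.2f}"))
    return findings


if __name__ == "__main__":
    for number, finding in three_way_match(REGISTER, SUPPORT, CLEARED):
        print(f"check {number}: {finding}")
```

The comparison against the redeemed check is the one the Town Clerk-Treasurer case above would have tripped: a check altered on a typewriter after signing still agrees with the register and the invoice, and only the image the bank returns shows the new payee. It depends on the statement reaching the reviewer unopened, which is why the first practice above matters.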

Big Government Fraud

GAO reported P-Card abuse at two San Diego Navy facilities. The Navy exercised little control over the $68 million in credit card purchases made during 2000.

Numerous questionable purchases, including expensive computer monitors and Palm Pilots that could not be accounted for, as well as gift certificates to Nordstrom and Mary Kay cosmetics.

36% of employees at one of the Navy units had military credit cards, and 16% had cards at the other unit investigated. No more than 4% of the employees at six other large defense contractors in the area were allowed to have cards.

GAO stated that the more cardholders an organization has, the harder it is to control the card system.

Internal controls for P-Cards

Develop written policies and procedures for effective use of p-cards, including sample disciplinary actions the organization may take against employees, such as termination for inappropriate use of cards or failure to follow the rules.

Rules should require employees to obtain copies of receipts for purchases made, to sign documents acknowledging that they received the items, and to submit all receipts to their supervisors for review and approval.

Supervisors should agree all purchase transactions to the bank’s monthly p-card reports before the organization pays the total amount due to the bank.

Never pay from the bank’s monthly statement alone.

Maintain a log of the prenumbered P-cards that have been issued to each employee.

UDBOFF Research: Using the Deviant Behaviors of Others to Find Fraud

The primary drivers that motivate human beings to act the way they do: money, sex and power.

The strength and security of the mightiest castle is unfortunately linked to the ability of the lowliest night watchman to stay awake. Said another way: if the employees (or Council) responsible for management oversight aren’t doing their jobs, how does their inattentiveness affect the entire organization?

Audit Committees

Weaknesses in internal controls have been the root cause of many problems, including fraudulent activities, errors and noncompliance with laws and regulations. Accordingly, the adequacy of internal controls should be a primary concern of governing bodies and audit committees. Understanding internal controls helps audit committees understand the organization’s risk management and the processes used to mitigate risks.

Why committees struggle:

No clear definition of composition; GFOA and others differ on who should be on the committee.
Ability to act independently or with authority.
Responsibilities of the committee are unclear or undefined.
Difficult to find a financial expert.

Are they valuable? YES.

Contact information:

mblackstock@graucpa.com

angela.balent@warrenaverett.com
