Presentation on theme: "Internal Audit Function Proactive Measures for Finding"— Presentation transcript:
1 Anti-Fraud and the Internal Audit Function
Proactive Measures for Finding Fraud, Waste, and Abuse
Washington, D.C. IIA Chapter
January 16, 2013
2 Agenda
• Introduction
• Defining Fraud – ACFE Statistics
• Auditor Responsibilities
• Developing a Robust Anti-Fraud Program
  • Overview
  • Discussion of Specific Elements
• Questions/Discussion
3 Paul J. Soos – CIA, CFE, CICA
Manager of Anti-Fraud & AP Recovery Services
• BA (Accounting) Baldwin-Wallace College
• Certified Internal Auditor
• Certified Fraud Examiner
• Certified Internal Controls Auditor
• CPA Candidate
• Past President of NE Ohio ACFE Chapter
• Past Audit Director - The Scott Fetzer Company
4 About CBIZ, Inc.
CBIZ MHM offices in major cities, nationwide.
5 About CBIZ, Inc. (cont.)
• CBIZ is the 7th largest provider of professional services in the U.S. and is NYSE listed (CBZ)
• 4,500 people in 200 offices across the USA
• CBIZ provides consulting and advisory services for HR, CFOs and CIOs
• Global coverage in 70 countries – Partners with Kreston International
6 About CBIZ Risk & Advisory Services
CBIZ Risk & Advisory Services (RAS) is the National Internal Audit and Sarbanes-Oxley practice within CBIZ
• Internal Audit: Significant experienced practitioners with prior Fortune and Big 4 experience
• Sarbanes-Oxley: More than 900 CPAs, CIAs, CFEs, CISAs and technical professionals
• Strong Anti-Fraud Practice – Prevention, Detection and Investigative Services
• Significant depth in a wide variety of IT audit services including general controls, application controls, security, and disaster recovery planning
• Local access: In major cities throughout the United States
• High percentage of Director and Manager time included in every engagement
• Our practitioners have greater than 15 years of internal audit experience
• Independent: No attest work to cause independence conflicts
7 Anti-Fraud Services – Two Service Lines
Reactive Investigations
• A problem is suspected
• Quantification
• Prove elements of offense
• Recovery focused
  • Insurance
  • Restitution
  • Civil remedies
• All-Size Companies
Fraud Prevention/Detection
• Fraud Risk Assessments
• Evaluating Controls Through Eyes of a Forensic Accountant
• Data Mining/Analysis
• Seek indicators of fraudulent activity
• “Checkbook Analysis”
• All-Size Companies
9 Understanding Fraud
• ACFE Report to the Nation Statistics
• The Fraud Triangle
• Most Common Schemes
  • In Total
  • By Industry
  • By Size of Company
• Likely Perpetrators
10 ACFE Report to the Nation (2012)
• Survey of CFEs – 1,388 cases (01/10 – 12/11)
• Median loss - $140,000 – 20%+ over $1 million
• Median length of scheme – 18 months, which means that it was not uncovered during a year-end audit
• Asset misappropriation – 87% of all cases with a median loss of “only” $120K
• Financial Statement Fraud – only 8% of all cases, but a median loss of over $1 million
• Corruption schemes fell in the middle, comprising just under one-third of cases and causing a median loss of $250,000.
11 ACFE Report to the Nation (2012)
Survey participants estimated that the typical organization loses 5% of its annual revenue to fraud. Applied to the estimated 2011 Gross World Product, this figure translates to a potential total fraud loss of more than $3.5 trillion.
12 ACFE Report to the Nation (2012)
Small organizations are disproportionately victimized by occupational fraud, and suffer the largest median losses. These organizations are typically lacking in anti-fraud controls compared to their larger counterparts, which makes them particularly vulnerable.
13 ACFE Report to the Nation (2012)
The industries most commonly victimized in the study were:
• Banking/financial services
• Government and public administration
• Manufacturing sectors
14 ACFE Report to the Nation (2012)
High-level perpetrators cause the greatest damage to their organizations. Frauds committed by owners/executives were more than three times as costly as frauds committed by managers, and more than nine times as costly as employee frauds. Executive-level frauds also took much longer to detect.
15 ACFE Report to the Nation (2012)
Almost 80% of the frauds in the study were committed by individuals in one of six departments:
• Accounting
• Operations
• Sales
• Executive/Upper Management
• Customer Service
• Purchasing
16 ACFE Report to the Nation (2012)
87% of fraudsters in the study had never been previously charged or convicted for a fraud-related offense and 84% had never been punished or terminated by an employer for fraud-related conduct. This finding is consistent with prior studies.
17 ACFE Report to the Nation (2012)
Fraud perpetrators often display warning signs that they are engaging in illicit activity. The most common behavioral red flags displayed by the perpetrators in our study were:
• Living beyond their means (36% of cases)
• Experiencing financial difficulties (27%)
• Close relationships with vendors/customers (19%)
• Excessive control issues (18%)
18 ACFE Report to the Nation (2012)
• 49% of victims have not recovered ANY of the perpetrator’s takings. This finding is consistent with prior studies, which show 40% - 50% of victim organizations do not recover any of their fraud-related losses.
• Anti-fraud controls appear to help reduce the cost and duration of occupational fraud schemes. They looked at the effect of 16 common controls on the median loss and duration of the frauds. Victim organizations that had these controls in place had significantly lower losses and time-to-detection than organizations without the controls.
19 What Can the Report Do For Us?
• Profile of common victims and perpetrators
• Identifies most common fraud schemes
• Quantifies rate of occurrence and relative losses
• In short – know what to look for
• Evaluate your fraud risk and procedures
20 The Fraud Triangle – Donald Cressey
• Incentive
• Opportunity
• Rationalization
22 The Three Main Types of Fraud
• Asset Misappropriation – 86.7% - $120K
  • Stealing stuff – $ (88%), Inventory, Other Assets
  • Billing schemes, T&E, check tampering
• Corruption Schemes – 33.4% - $250K
  • Conflicts of interest, bribery, improper gratuities
• Fraudulent Financial Statements – 7.6% - $1M
  • Concealed liabilities, fictitious revenues, improper valuation
23 Asset Misappropriation Sub-Categories
Schemes Involving Theft of Cash Receipts
• Skimming (14.6%, $58K)
  Description: Any scheme in which cash is stolen from an organization before it is recorded on the organization’s books and records
  Example: Employee accepts payment from a customer but does not record sale, and instead pockets the money
• Cash Larceny (11.0%, $54K)
  Description: Any scheme in which cash is stolen from an organization after it has been recorded on the organization’s books and records
  Example: Employee steals cash and/or checks from daily receipts before they can be deposited in the bank
24 Asset Misappropriation Sub-Categories
Schemes Involving Fraudulent Disbursements of Cash
• Billing (24.9%, $100K)
  Description: Any scheme in which a person causes his employer to issue a payment by submitting invoices for fictitious goods or services, inflated invoices, or invoices for personal purchases
  Examples: Employee creates a shell company and bills employer for services not actually rendered; employee purchases personal items and submits invoice to employer for payment
• T&E Reimbursement (14.5%, $26K)
  Description: Any scheme in which an employee makes a claim for reimbursement of fictitious or inflated business expenses
  Example: Employee files fraudulent expense report, claiming personal travel, nonexistent meals, etc.
25 Asset Misappropriation Sub-Categories
Schemes Involving Fraudulent Disbursements of Cash (cont.)
• Check Tampering (11.9%, $143K)
  Description: Any scheme in which a person steals his employer’s funds by intercepting, forging, or altering a check drawn on one of the organization’s bank accounts
  Examples: Employee steals blank company checks, makes them out to himself or an accomplice; employee steals outgoing check to a vendor, deposits it into his own bank account
26 Asset Misappropriation Sub-Categories
Schemes Involving Fraudulent Disbursements of Cash (cont.)
• Payroll (9.3%, $48K)
  Description: Any scheme in which an employee causes his employer to issue a payment by making false claims for compensation
  Examples: Employee claims overtime for hours not worked; employee adds ghost employees to the payroll
• Cash Register Disbursements (3.6%, $25K)
  Description: Any scheme in which an employee makes false entries on a cash register to conceal the fraudulent removal of cash
  Example: Employee fraudulently voids a sale on his cash register and steals the cash
27 Asset Misappropriation Sub-Categories
Other Asset Misappropriation Schemes
• Cash on Hand (11.8%, $20K)
  Description: Any scheme in which the perpetrator misappropriates cash kept on hand at the victim organization’s premises
  Example: Employee steals cash from a company vault
• Non-Cash (17.2%, $58K)
  Description: Any scheme in which an employee steals or misuses non-cash assets of the victim organization
  Examples: Employee steals inventory from a warehouse or storeroom; employee steals or misuses confidential customer financial information
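28 Fraudulent Asset Misappropriation

| Category | Cases | % of Cases | Median Loss |
|---|---|---|---|
| Skimming | 203 | 14.6% | $58,000 |
| Cash Larceny | 152 | 11.0% | $54,000 |
| Billing Schemes | 346 | 24.9% | $100,000 |
| T&E Reimbursements | 201 | 14.5% | $26,000 |
| Check Tampering | 165 | 11.9% | $143,000 |
| Payroll | 129 | 9.3% | $48,000 |
| Register Disbursements | 50 | 3.6% | $25,000 |
| Cash on Hand | 164 | 11.8% | $20,000 |
| Non-Cash | 239 | 17.2% | |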
29 Professional Services Frauds by Industry
Column headings: Industry, Cases, Most Common, Second Most Common
• Financial Services: 229, Corruption, Cash on Hand
• Government: 141, Billing
• Manufacturing: 139
• Health Care: 92
• Education: 88, T&E
• Retail: 83, Non-Cash
• Insurance: 78
• Professional Services: 55
39 Perpetrator’s Criminal/Employment History
• Only 5.6% of the fraud perpetrators in the study had been previously convicted of a fraud-related offense, and another 5.9% were charged but not convicted, which has been virtually unchanged since 2008.
• 83.7% had never been punished or terminated by a previous employer.
• These statistics suggest that criminal background checks and employment checks may have some effect in preventing fraud, but the effect is probably limited.
61 Conclusions/Recommendations
• Occupational fraud is a global problem.
• Fraud reporting mechanisms, such as hotlines, are a critical component of an effective fraud prevention and detection system.
• Organizations tend to over-rely on audits, especially external audits.
• Audits should not be relied upon exclusively for fraud detection.
• Employee education is the foundation of preventing and detecting occupational fraud.
• Most frauds are detected by tips.
62 Conclusions/Recommendations
• Organizations that have anti-fraud training for employees and managers experience lower fraud losses.
• Surprise audits are an effective, yet underutilized, tool in the fight against fraud.
• While surprise audits can be useful in detecting fraud, their most important benefit is in preventing fraud by creating a perception of detection.
• Small businesses are particularly vulnerable to fraud.
• Managers and owners of small businesses should focus their control investments on the most cost-effective mechanisms, such as hotlines and setting an ethical “tone from the top” for their employees.
63 Conclusions/Recommendations
• Internal controls alone are insufficient to fully prevent occupational fraud.
• Fraudsters exhibit behavioral warning signs of their misdeeds which will not be identified by traditional controls.
• Auditors and employees alike should be trained to recognize the common behavioral signs that a fraud is occurring and encouraged not to ignore them.
• Given the high costs of occupational fraud, effective fraud prevention measures are critical.
64 Internal Audit’s Role
• What are our responsibilities?
• What do others (management, the board, stakeholders) think our responsibilities are?
• How much time do we spend considering fraud matters?
• Do we incorporate fraud risks into our risk assessment?
• Do we use fraud specialists to supplement/train our staff?
65 SAS 99 Considerations
• Description and characteristics of fraud
  This section describes fraud and its characteristics.
• The importance of exercising professional skepticism
  This section discusses the need for auditors to exercise professional skepticism when considering the possibility that a material misstatement due to fraud could be present.
• Discussion among engagement personnel regarding the risks of material misstatement due to fraud
  This section requires, as part of planning the audit, that there be a discussion among the audit team members to consider how and where the entity's financial statements might be susceptible to material misstatement due to fraud and to reinforce the importance of adopting an appropriate mindset of professional skepticism.
66 SAS 99 Considerations
• Obtaining the information needed to identify risks of material misstatement due to fraud
  This section requires the auditor to gather information necessary to identify risks of material misstatement due to fraud, by
  • Inquiring of management and others within the entity about the risks of fraud.
  • Considering the results of the analytical procedures performed in planning the audit.
  • Considering fraud risk factors.
  • Considering certain other information.
• Identifying risks that may result in a material misstatement due to fraud
  This section requires the auditor to use the information gathered to identify risks that may result in a material misstatement due to fraud.
67 SAS 99 Considerations
• Assessing the identified risks after taking into account an evaluation of the entity's programs and controls
  This section requires the auditor to evaluate the entity's programs and controls that address the identified risks of material misstatement due to fraud, and to assess the risks taking into account this evaluation.
68 SAS 99 Considerations
• Responding to the results of the assessment
  This section emphasizes that the auditor's response to the risks of material misstatement due to fraud involves the application of professional skepticism when gathering and evaluating audit evidence. The section requires the auditor to respond to the results of the risk assessment in three ways:
  • A response that has an overall effect on how the audit is conducted, that is, a response involving more general considerations apart from the specific procedures otherwise planned.
  • A response to identified risks that involves the nature, timing, and extent of the auditing procedures to be performed.
69 SAS 99 Considerations
• Responding to the results of the assessment
  This section emphasizes that the auditor's response to the risks of material misstatement due to fraud involves the application of professional skepticism when gathering and evaluating audit evidence. The section requires the auditor to respond to the results of the risk assessment in three ways:
  • A response involving the performance of certain procedures to further address the risk of material misstatement due to fraud involving management override of controls. The procedures include:
    • Examining journal entries and other adjustments for evidence of possible material misstatement due to fraud.
    • Reviewing accounting estimates for biases that could result in material misstatement due to fraud.
    • Evaluating the business rationale for significant unusual transactions.
70 SAS 99 Considerations
• Evaluating audit evidence
  This section requires the auditor to assess the risks of material misstatement due to fraud throughout the audit and to evaluate at the completion of the audit whether the accumulated results of auditing procedures and other observations affect the assessment. It also requires the auditor to consider whether identified misstatements may be indicative of fraud and, if so, directs the auditor to evaluate their implications.
71 SAS 99 Considerations
• Communicating about fraud to management, the audit committee, and others
  This section provides guidance regarding the auditor's communications about fraud to management, the audit committee, and others.
• Documenting the auditor's consideration of fraud
  This section describes related documentation requirements.
72 March 2011 Article – Where There’s Smoke, There’s Fraud
CFO Magazine
An Action Plan
• Start at the top
• Educate employees
• Change the culture ASAP
• Hold surprise audits
• Check (and double-check) employee backgrounds
• Prepare a data-breach response plan
• Make sure the Board of Directors plays its role
73 Tone From the Top
Two prevailing attitudes regarding fraud:
• We would never hire someone like that (head in the sand)
• We are willing to be proactive in making sure that these situations do not occur (professional skepticism)
74 Primary Internal Control Weakness Observed by CFEs
76 Dollar Impact of Anti-Fraud Controls
Column headings: % Implemented, Control In Place, Control Not In Place, % Reduction
• Management Review: 60.5%, $100,000, $185,000, 45.9%
• Employee Support Programs: 57.5%, $180,000, 44.4%
• Hotline: 54.0%
• Manager/Executive Fraud Training: 47.4%, $158,000, 36.7%
• External Audit of ICOFR: 67.5%, $120,000, $187,000, 35.8%
• Employee Fraud Training: 46.8%, $155,000, 35.5%
• Anti-Fraud Policy: 46.6%, $150,000, 33.3%
• Formal Fraud Risk Assessments
• Internal Audit Department: 68.4%
KEY:
• External Audit of F/S = Independent external audits of the organization’s financial statements
• Internal Audit / FE Department = Internal audit department or fraud examination department
• External Audit of ICOFR = Independent audits of the organization’s internal controls over financial reporting
• Management Certification of F/S = Management certification of the organization’s financial statements
77 Duration Impact of Anti-Fraud Controls
Column headings: % Implemented, Control In Place, Control Not In Place, % Reduction
• Job Rotation/Mandatory Vacation: 16.7%, 9 months, 24 months, 62.5%
• Rewards for Whistleblowers: 9.4%, 22 months, 59.1%
• Surprise Audits: 32.3%, 10 months, 58.3%
• Code of Conduct: 78.0%, 14 months, 30 months, 50.0%
• Anti-Fraud Policy: 46.6%, 12 months
• External Audit of ICOFR: 67.5%
• Formal Fraud Risk Assessments: 35.5%
• Employee Fraud Training: 46.8%
• Manager/Executive Fraud Training: 47.4%
KEY:
• External Audit of F/S = Independent external audits of the organization’s financial statements
• Internal Audit / FE Department = Internal audit department or fraud examination department
• External Audit of ICOFR = Independent audits of the organization’s internal controls over financial reporting
• Management Certification of F/S = Management certification of the organization’s financial statements
78 Anti-Fraud Program Components
Often Managed by Internal Audit
– Should Incorporate Board of Directors and Senior Management Involvement –
Prevention
• Organizational Ethics Policy
• Employee and Vendor Validations
• Transactional and/or Process-Specific Anti-Fraud Controls
Detection
• Reporting Mechanisms (i.e. Hotlines)
• Fraud Detection Analyses
• Continuous Monitoring
Response
• Process/protocols for:
  • Internal Investigations
  • Disciplinary Actions
  • Remediation to Prevent Repeat Occurrences
• Adequate Insurance
– Continuous Evolution –
Program components should be periodically evaluated for effectiveness, efficiency, and to ensure current organizational anti-fraud risks, or goals, are addressed.
79 Areas of Proactive Fraud Reviews
Accounts Payable/Human Resources Testing
• Vendor Master File (incomplete records, shared addresses, TIN, phone)
• Invoice Testing (even dollar, sequential, numbering)
• Employee Testing (SSN, shared addresses, bank accounts)
• Shell company (vendors and employees sharing info – addresses, bank accounts)
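The vendor master file, invoice, and shell-company tests listed on this slide can be run as simple data-matching checks. The Python below is an added example, not part of the original presentation; the records, field names, the $100 "even dollar" multiple and the run length of 3 are assumptions made for illustration.

```python
import re
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (not from the presentation).
VENDORS = [
    {"id": "V100", "name": "Acme Supply", "address": "12 Main St., Suite 4",
     "tin": "34-5678901", "phone": "216-555-0101", "bank": "021000021:111222333"},
    {"id": "V200", "name": "JS Consulting", "address": "77 Elm Street",
     "tin": "", "phone": "216-555-0199", "bank": "044000037:987654321"},
]
EMPLOYEES = [
    {"id": "E7", "name": "J. Smith", "address": "77 ELM ST",
     "ssn": "900-00-0001", "phone": "216-555-0142", "bank": "044000037:987654321"},
]
INVOICES = [  # (vendor id, invoice number, amount)
    ("V100", "88231", "1482.17"), ("V100", "90417", "2300.00"),
    ("V200", "1001", "5000.00"), ("V200", "1002", "5000.00"), ("V200", "1003", "4500.00"),
]
ABBREV = {"street": "st", "avenue": "ave", "suite": "ste", "road": "rd"}

def norm_address(addr):
    """Lower-case, drop punctuation, collapse common suffixes so variants compare equal."""
    words = re.sub(r"[^a-z0-9 ]", "", addr.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def digits(value):
    return re.sub(r"\D", "", value)

def incomplete_vendors(vendors, required=("address", "tin", "phone")):
    """Vendor master file test: records missing a required field."""
    out = {}
    for v in vendors:
        missing = [f for f in required if not v[f].strip()]
        if missing:
            out[v["id"]] = missing
    return out

def vendor_employee_overlap(vendors, employees):
    """Shell-company indicator: vendor shares address, phone, bank or tax ID with an employee."""
    keys = [("address", "address", norm_address), ("phone", "phone", digits),
            ("bank", "bank", digits), ("tin", "ssn", digits)]
    hits = []
    for v in vendors:
        for e in employees:
            for vf, ef, norm in keys:
                a, b = norm(v[vf]), norm(e[ef])
                if a and a == b:  # never match on two blank fields
                    hits.append((v["id"], e["id"], vf))
    return hits

def even_dollar(invoices, multiple=Decimal("100")):
    """Invoice test: amounts that are an exact multiple of `multiple`."""
    return [(v, n) for v, n, amt in invoices if Decimal(amt) % multiple == 0]

def sequential_runs(invoices, min_run=3):
    """Invoice test: vendors whose invoice numbers to us run consecutively."""
    by_vendor = defaultdict(list)
    for v, n, _ in invoices:
        if n.isdigit():
            by_vendor[v].append(int(n))
    flagged = {}
    for v, nums in by_vendor.items():
        nums, run, best = sorted(set(nums)), 1, 1
        for a, b in zip(nums, nums[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[v] = best
    return flagged
```

Each function returns candidates for follow-up review, not findings; a match on a normalized address or bank account still needs to be confirmed against source documents.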
82 Areas of Proactive Fraud Reviews (continued)
Travel & Entertainment (T&E)
• Policy compliance (company card, agency, etc.)
• Potential split transactions
• Prohibited categories
• High-risk merchants (airfare)
Wire Transfers and ACH Transactions
• Policy compliance/approvals
• Tie in to vendor testing
84 Fraud Prevention Checklist
• Is ongoing anti-fraud training provided to all employees of the organization?
• Is an effective fraud reporting mechanism in place?
• To increase employees’ perception of detection, are the following proactive measures taken and publicized to employees?
  • Is fraudulent conduct proactively sought out?
  • Are surprise audits performed?
  • Is continuous auditing software utilized?
• Is the management climate/tone at the top one of honesty and integrity?
85 Fraud Prevention Checklist
• Are fraud risk assessments performed to proactively identify and mitigate the company’s vulnerabilities to internal and external fraud?
• Are strong anti-fraud controls in place and operating effectively, including the following?
  • Proper separation of duties
  • Use of authorizations
  • Physical safeguards
  • Job rotations
  • Mandatory vacations
86 Fraud Prevention Checklist
• Does the internal audit department, if one exists, have adequate resources and authority to operate effectively and without undue influence from senior management?
• Does the hiring policy include the following (where permitted by law)?
  • Past employment verification
  • Criminal and civil background checks
  • Credit checks
  • Drug screening
  • Education verification
  • References check
87 Fraud Prevention Checklist
• Are employee support programs in place to assist employees struggling with addictions, mental/emotional health, family or financial problems?
• Is an open-door policy in place that allows employees to speak freely about pressures, providing management the opportunity to alleviate such pressures before they become acute?
• Are anonymous surveys conducted to assess employee morale?
88 Questions/Discussion
ACFE Report To The Nations (includes Fraud Prevention Checklist)
Paul J. Soos - CFE, CIA, CICA