Transcript 2. January 2013- Anti-Fraud and the IA Function

Anti-Fraud and the
Internal Audit Function
Proactive Measures for Finding
Fraud, Waste, and Abuse
Washington, D.C. IIA Chapter
January 16, 2013
Agenda
•
•
•
•
Introduction
Defining Fraud – ACFE Statistics
Auditor Responsibilities
Developing a Robust Anti-Fraud
Program
• Overview
• Discussion of Specific Elements
• Questions/Discussion
2
Paul J. Soos – CIA, CFE, CICA
•
•
•
•
•
•
•
•
Manager of Anti-Fraud & AP Recovery Services
BA (Accounting) Baldwin-Wallace College
Certified Internal Auditor
Certified Fraud Examiner
Certified Internal Controls Auditor
CPA Candidate
Past President of NE Ohio ACFE Chapter
Past Audit Director - The Scott Fetzer Company
3
About CBIZ, Inc.
CBIZ MHM offices
in major cities,
nationwide.
4
About CBIZ, Inc. (cont.)
• CBIZ is the 7th largest provider of professional
services in the U.S. and is NYSE listed
(CBZ)
• 4,500 people in 200 offices across the USA
• CBIZ provides consulting and advisory
services for HR, CFOs and CIOs
• Global coverage in 70 countries – Partners
with Kreston International
5
About CBIZ Risk & Advisory Services
• CBIZ Risk & Advisory Services (RAS) is the National Internal Audit and
Sarbanes-Oxley practice within CBIZ
• Internal Audit: Significant experienced practitioners with prior Fortune
1000 and Big 4 experience
• Sarbanes-Oxley: More than 900 CPAs, CIAs, CFEs, CISAs and technical
professionals
• Strong Anti-Fraud Practice – Prevention, Detection and Investigative
Services
• Significant depth in a wide variety of IT audit services including general
controls, application controls, security, and disaster recovery planning
• Local access: In major cities throughout the United States
• High percentage of Director and Manager time included in every
engagement
• Our practitioners have greater than 15 years of internal audit experience
• Independent: No attest work to cause independence conflicts
6
Anti-Fraud Services – Two Service Lines
•
•
•
•
Reactive Investigations
A problem is suspected
Quantification
Prove elements of offense
Recovery focused
– Insurance
– Restitution
– Civil remedies
• All-Size Companies
Fraud Prevention/Detection
• Fraud Risk Assessments
– Evaluating Controls
Through Eyes of a
Forensic Accountant
• Data Mining/Analysis
– Seek indicators of
fraudulent activity
– “Checkbook Analysis”
• All-Size Companies
7
Investigations – Anti-Fraud Consultants
Forensic/Investigative
Accountants
Financial
Statement
Auditors
Private
Investigators
8
Understanding Fraud
• ACFE Report to the Nation Statistics
• The Fraud Triangle
• Most Common Schemes
– In Total
– By Industry
– By Size of Company
• Likely Perpetrators
9
ACFE Report to the Nation (2012)
• Survey of CFE’s – 1,388 cases (01/10 – 12/11)
• Median loss - $140,000 – 20%+ over $1 million
• Median length of scheme – 18 months, which means
that it was not uncovered during a year-end audit
• Asset misappropriation – 87% of all cases with a
median loss of “only” $120K
• Financial Statement Fraud – only 8% of all cases, but
a median loss of over $1 million
• Corruption schemes fell in the middle, comprising just
under one-third of cases and causing a median loss
of $250,000.
10
ACFE Report to the Nation (2012)
• Survey participants estimated that the typical
organization loses 5% of its annual revenue to
fraud. Applied to the estimated 2011 Gross World
Product, this figure translates to a potential total
fraud loss of more than $3.5 trillion.
11
ACFE Report to the Nation (2012)
• Small organizations are disproportionately
victimized by occupational fraud, and suffer
the largest median losses. These
organizations are typically lacking in anti-fraud
controls compared to their larger counterparts,
which makes them particularly vulnerable.
12
ACFE Report to the Nation (2012)
• The industries most commonly
victimized in the study were:
– Banking/financial services
– Government and public administration
– Manufacturing sectors
13
ACFE Report to the Nation (2012)
• High-level perpetrators cause the greatest
damage to their organizations. Frauds
committed by owners/executives were more
than three times as costly as frauds
committed by managers, and more than nine
times as costly as employee frauds.
Executive-level frauds also took much longer
to detect.
14
ACFE Report to the Nation (2012)
• Almost 80% of the frauds in the study were
committed by individuals in one of six
departments:
•
•
•
•
•
•
Accounting
Operations
Sales
Executive/Upper Management
Customer Service
Purchasing
15
ACFE Report to the Nation (2012)
• 87% of fraudsters in the study had never been
previously charged or convicted for a fraudrelated offense and 84% had never been
punished or terminated by an employer for
fraud-related conduct. This finding is
consistent with prior studies.
16
ACFE Report to the Nation (2012)
• Fraud perpetrators often display warning
signs that they are engaging in illicit activity.
The most common behavioral red flags
displayed by the perpetrators in our study
were:
–
–
–
–
Living beyond their means (36% of cases)
Experiencing financial difficulties (27%)
Close relationships with vendors/customers (19%)
Excessive control issues (18%)
17
ACFE Report to the Nation (2012)
• 49% of victims have not recovered ANY of the
perpetrator’s takings. This finding is consistent with
prior studies, which show 40% - 50% of victim
organizations do not recover any of their fraud-related
losses.
• Anti-fraud controls appear to help reduce the cost and
duration of occupational fraud schemes. They looked
at the effect of 16 common controls on the median
loss and duration of the frauds. Victim organizations
that had these controls in place had significantly lower
losses and time-to-detection than organizations
without the controls.
18
What Can the Report Do For Us?
• Profile of common victims and perpetrators
• Identifies most common fraud schemes
• Quantifies rate of occurrence and relative
losses
• In short – know what to look for
• Evaluate your fraud risk and procedures
19
The Fraud Triangle – Donald Cressey
Incentive
Opportunity
Rationalization
20
Distribution of Losses
21
The Three Main Types of Fraud
 Asset Misappropriation – 86.7% - $120K
• Stealing stuff – $ (88%), Inventory, Other Assets
• Billing schemes, T&E, check tampering
 Corruption Schemes – 33.4% - $250K
• Conflicts of interest, bribery, improper gratuities
 Fraudulent Financial Statements – 7.6% - $1M
• Concealed liabilities, fictitious revenues,
improper valuation
22
Asset Misappropriation Sub-Categories
Schemes Involving Theft of Cash Receipts
CATEGORY
Skimming
14.6%
$58K
Cash Larceny
11.0%
$54K
DESCRIPTION
EXAMPLES
Any scheme in which cash is
stolen from an organization
before it is recorded on the
organization’s books and
records
Employee accepts payment
from a customer but does not
record sale, and instead
pockets the money
Any scheme in which cash is
stolen from an organization
after it has been recorded on
the organization’s books and
records
Employee steals cash and/or
checks from daily receipts
before they can be deposited
in the bank
23
Asset Misappropriation Sub-Categories
Schemes Involving Fraudulent Disbursements of Cash
CATEGORY
Billing
24.9%
$100K
T&E
Reimbursement
14.5%
$26K
DESCRIPTION
EXAMPLES
Any scheme in which a person
causes his employer to issue a
payment by submitting invoices
for fictitious goods or services,
inflated invoices, or invoices for
personal purchases
Employee creates a shell
company and bills employer for
services not actually rendered
Any scheme in which an
employee makes a claim for
reimbursement of fictitious or
inflated business expenses
Employee files fraudulent
expense report, claiming
personal travel, nonexistent
meals, etc.
Employee purchases personal
items and submits invoice to
employer for payment
24
Asset Misappropriation Sub-Categories
Schemes Involving Fraudulent Disbursements of Cash (cont.)
CATEGORY
Check
Tampering
11.9%
$143K
DESCRIPTION
EXAMPLES
Any scheme in which a person
steals his employer’s funds by
intercepting, forging, or altering
a check drawn on one of the
organization’s bank accounts
Employee steals blank
company checks, makes them
out to himself or an accomplice
Employee steals outgoing
check to a vendor, deposits it
into his own bank account
25
Asset Misappropriation Sub-Categories
Schemes Involving Fraudulent Disbursements of Cash (cont.)
CATEGORY
Payroll
9.3%
$48K
Cash Register
Disbursements
3.6%
$25K
DESCRIPTION
EXAMPLES
Any scheme in which an
employee causes his employer
to issue a payment by making
false claims for compensation
Employee claims overtime for
hours not worked
Any scheme in which an
employee makes false entries
on a cash register to conceal
the fraudulent removal of cash
Employee fraudulently voids a
sale on his cash register and
steals the cash
Employee adds ghost
employees to the payroll
26
Asset Misappropriation Sub-Categories
Other Asset Misappropriation Schemes
CATEGORY
DESCRIPTION
EXAMPLES
Cash on Hand
11.8%
$20K
Any scheme in which the
perpetrator misappropriates
cash kept on hand at the victim
organization’s premises
Employee steals cash from a
company vault
Non-Cash
17.2%
$58K
Any scheme in which an
employee steals or misuses
non-cash assets of the victim
organization
Employee steals inventory from
a warehouse or storeroom
Employee steals or misuses
confidential customer financial
information
27
Fraudulent Asset Misappropriation
Category
Cases
% of Cases
Median Loss
Skimming
203
14.6%
$58,000
Cash Larceny
152
11.0%
$54,000
Billing Schemes
346
24.9%
$100,000
T&E Reimbursements
201
14.5%
$26,000
Check Tampering
165
11.9%
$143,000
Payroll
129
9.3%
$48,000
Register Disbursements
50
3.6%
$25,000
Cash on Hand
164
11.8%
$20,000
Non-Cash
239
17.2%
$58,000
28
Frauds by Industry
Industry
Cases
Most
Common
Second Most
Common
Financial
Services
229
Corruption
Cash on Hand
Government
141
Corruption
Billing
Manufacturing
139
Corruption
Billing
Health Care
92
Billing
Corruption
Education
88
Billing
T&E
Retail
83
Non-Cash
Corruption
Insurance
78
Billing
Corruption
Professional
Services
55
Billing
Corruption
29
Victim Organizations of Fraud (Size)
30
Profile of Perpetrators
•
•
•
•
•
•
Position
Gender
Age
Tenure
Education Level
History
31
Position of Perpetrator
(% of Cases)
The Position of Perpetrators
Employee (41.6%)
Manager (37.5%)
Owner/Executive (17.6%)
$0
$60,000
$182,000
$573,000
$300,000
$600,000
Median Loss
$900,000
32
Gender
(% of Cases)
The Gender of Perpetrators
$232,000
Male (65.0%)
$100,000
Female (35.0%)
$0
$300,000
Median Loss
33
The Age of Perpetrators
34
The Age of Perpetrators
35
The Age of Perpetrators (2010 Survey)
$1,250,000
$974,000
Median Loss
$1,000,000
$750,000
$500,000
$428,000
$270,000 $265,000
$250,000
$15,000
$60,000
$321,000
$120,000 $127,000
$0
<26
26-30
31-35
36-40
41-45
46-50
51-55
56-60
>60
Age of Perpetrator
36
The Tenure of Perpetrators
37
The Education Level of Perpetrators
38
Perpetrator’s Criminal/Employment History
• Only 5.6% of the fraud perpetrators in the
study had been previously convicted of a
fraud-related offense, and another 5.9% were
charged but not convicted, which has been
virtually unchanged since 2008.
• 83.7% had never been punished or terminated
by a previous employer.
• These statistics suggest that criminal
background checks and employment checks
may have some effect in preventing fraud, but
the effect is probably limited.
39
Behavioral Red Flags of Perpetrators
40
How is Fraud Detected?
Percent Occurrence Quiz
Name potential methods of detection
41
How is Fraud Detected?
Percent Occurrence Quiz
1.
2.
3.
4.
5.
6.
7.
8.
Alphabetical Listing
Account Reconciliation
By Accident
Document Examination
External Audit
Internal Audit
Management Review
Notified by Police
Tip
42
How is Fraud Detected?
43
How is Fraud Detected?
44
How is Fraud Detected?
45
How is Fraud Detected?
46
How is Fraud Detected?
47
How is Fraud Detected?
48
How is Fraud Detected?
49
How is Fraud Detected?
50
Median Loss By Detection Method
51
Source of Tips?
Quiz
Name potential sources of tips
52
Source of Tips?
1.
2.
3.
4.
5.
6.
7.
Alphabetical Listing
Anonymous
Competitor
Customer
Employee
Other
Shareholder/Owner
Vendor
53
Source of Tips
54
Source of Tips
55
Source of Tips
56
Source of Tips
57
Source of Tips
58
Source of Tips
59
Source of Tips
60
Conclusions/Recommendations
•
•
•
•
•
•
Occupational fraud is a global problem.
Fraud reporting mechanisms, such as hotlines, are a
critical component of an effective fraud prevention and
detection system.
Organizations tend to over-rely on audits, especially
external audits.
Audits should not be relied upon exclusively for fraud
detection.
Employee education is the foundation of preventing
and detecting occupational fraud.
Most frauds are detected by tips.
61
Conclusions/Recommendations
•
•
•
•
•
Organizations that have anti-fraud training for employees
and managers experience lower fraud losses.
Surprise audits are an effective, yet underutilized, tool in
the fight against fraud.
While surprise audits can be useful in detecting fraud,
their most important benefit is in preventing fraud by
creating a perception of detection.
Small businesses are particularly vulnerable to fraud.
Managers and owners of small businesses should focus
their control investments on the most cost-effective
mechanisms, such as hotlines and setting an ethical
“tone from the top” for their employees.
62
Conclusions/Recommendations
•
•
•
•
Internal controls alone are insufficient to fully prevent
occupational fraud.
Fraudsters exhibit behavioral warning signs of their
misdeeds which will not be identified by traditional
controls.
Auditors and employees alike should be trained to
recognize the common behavioral signs that a fraud is
occurring and encouraged not to ignore them.
Given the high costs of occupational fraud, effective
fraud prevention measures are critical.
63
Internal Audit’s Role
•
•
•
•
•
What are our responsibilities?
What do others (management, the board,
stakeholders) think our responsibilities are?
How much time do we spend considering
fraud matters?
Do we incorporate fraud risks into our risk
assessment?
Do we use fraud specialists to
supplement/train our staff?
64
SAS 99 Considerations
•
Description and characteristics of fraud
This section describes fraud and its characteristics.
•
The importance of exercising professional skepticism
This section discusses the need for auditors to exercise
professional skepticism when considering the possibility that a
material misstatement due to fraud could be present.
•
Discussion among engagement personnel regarding
the risks of material misstatement due to fraud
This section requires, as part of planning the audit, that there be
a discussion among the audit team members to consider how
and where the entity's financial statements might be susceptible
to material misstatement due to fraud and to reinforce the
importance of adopting an appropriate mindset of professional
skepticism.
65
SAS 99 Considerations
•
Obtaining the information needed to identify risks of
material misstatement due to fraud
This section requires the auditor to gather information necessary
to identify risks of material misstatement due to fraud, by
•
•
•
•
•
Inquiring of management and others within the entity about the
risks of fraud.
Considering the results of the analytical procedures performed
in planning the audit.
Considering fraud risk factors.
Considering certain other information.
Identifying risks that may result in a material
misstatement due to fraud
This section requires the auditor to use the information gathered
to identify risks that may result in a material misstatement due to
fraud.
66
SAS 99 Considerations
•
Assessing the identified risks after taking into account
an evaluation of the entity's programs and controls
This section requires the auditor to evaluate the entity's
programs and controls that address the identified risks of
material misstatement due to fraud, and to assess the risks
taking into account this evaluation.
67
SAS 99 Considerations
•
Responding to the results of the assessment
This section emphasizes that the auditor's response to the
risks of material misstatement due to fraud involves the
application of professional skepticism when gathering and
evaluating audit evidence. The section requires the auditor to
respond to the results of the risk assessment in three ways:
1.
2.
A response that has an overall effect on how the audit is
conducted, that is, a response involving more general
considerations apart from the specific procedures otherwise
planned.
A response to identified risks that involves the nature, timing,
and extent of the auditing procedures to be performed.
68
SAS 99 Considerations
•
Responding to the results of the assessment
This section emphasizes that the auditor's response to the
risks of material misstatement due to fraud involves the
application of professional skepticism when gathering and
evaluating audit evidence. The section requires the auditor to
respond to the results of the risk assessment in three ways:
3.
A response involving the performance of certain procedures to
further address the risk of material misstatement due to fraud
involving management override of controls. The procedures
include:
•
•
•
Examining journal entries and other adjustments for evidence of
possible material misstatement due to fraud.
Reviewing accounting estimates for biases that could result in
material misstatement due to fraud.
Evaluating the business rationale for significant unusual
transactions.
69
SAS 99 Considerations
•
Evaluating audit evidence
This section requires the auditor to assess the risks of
material misstatement due to fraud throughout the audit and
to evaluate at the completion of the audit whether the
accumulated results of auditing procedures and other
observations affect the assessment. It also requires the
auditor to consider whether identified misstatements may be
indicative of fraud and, if so, directs the auditor to evaluate
their implications.
70
SAS 99 Considerations
•
Communicating about fraud to management, the audit
committee, and others
This section provides guidance regarding the auditor's
communications about fraud to management, the audit
committee, and others.
•
Documenting the auditor's consideration of fraud
This section describes related documentation requirements.
71
CFO Magazine
March 2011 Article – Where There’s Smoke, There’s Fraud
An Action Plan
•
•
•
•
•
•
•
Start at the top
Educate employees
Change the culture ASAP
Hold surprise audits
Check (and double-check) employee backgrounds
Prepare a data-breach response plan
Make sure the Board of Directors plays its role
72
Tone From the Top
Two prevailing attitudes regarding fraud:
• We would never hire someone like that
(head in the sand)
• We are willing to be proactive in making
sure that these situations do not occur
(professional skepticism)
73
Primary Internal Control Weakness
Observed by CFEs
74
Frequency of Anti-Fraud Controls
75
Dollar Impact of Anti-Fraud Controls
Control
%
Implemented
Control In
Place
Control Not
In Place
%
Reduction
Management Review
60.5%
$100,000
$185,000
45.9%
Employee Support Programs
57.5%
$100,000
$180,000
44.4%
Hotline
54.0%
$100,000
$180,000
44.4%
Manager/Executive Fraud Training
47.4%
$100,000
$158,000
36.7%
External Audit of ICOFR
67.5%
$120,000
$187,000
35.8%
Employee Fraud Training
46.8%
$100,000
$155,000
35.5%
Anti-Fraud Policy
46.6%
$100,000
$150,000
33.3%
Formal Fraud Risk Assessments
35.5%
$100,000
$150,000
33.3%
Internal Audit Department
68.4%
$120,000
$180,000
33.3%
KEY:
External Audit of F/S = Independent external audits of the organization’s financial statements
Internal Audit / FE Department = Internal audit department or fraud examination department
External Audit of ICOFR = Independent audits of the organization’s internal controls over financial reporting
Management Certification of F/S = Management certification of the organization’s financial statements
76
Duration Impact of Anti-Fraud Controls
Control
%
Implemented
Control In
Place
Control Not
In Place
%
Reduction
Job Rotation/Mandatory Vacation
16.7%
9 months
24 months
62.5%
Rewards for Whistleblowers
9.4%
9 months
22 months
59.1%
Surprise Audits
32.3%
10 months
24 months
58.3%
Code of Conduct
78.0%
14 months
30 months
50.0%
Anti-Fraud Policy
46.6%
12 months
24 months
50.0%
External Audit of ICOFR
67.5%
12 months
24 months
50.0%
Formal Fraud Risk Assessments
35.5%
12 months
24 months
50.0%
Employee Fraud Training
46.8%
12 months
24 months
50.0%
Manager/Executive Fraud Training
47.4%
12 months
24 months
50.0%
KEY:
External Audit of F/S = Independent external audits of the organization’s financial statements
Internal Audit / FE Department = Internal audit department or fraud examination department
External Audit of ICOFR = Independent audits of the organization’s internal controls over financial reporting
Management Certification of F/S = Management certification of the organization’s financial statements
77
Anti-Fraud Program Components
Often Managed by Internal Audit
– Should Incorporate Board of Directors and Senior Management Involvement –
Prevention



Organizational Ethics
Policy
Employee and Vendor
Validations
Transactional and/or
Process-Specific AntiFraud Controls
Detection



Reporting Mechanisms
(i.e. Hotlines)
Fraud Detection Analyses
Continuous Monitoring
Response


Process/protocols for:
 Internal
Investigations
 Disciplinary Actions
 Remediation to
Prevent Repeat
Occurrences
Adequate Insurance
– Continuous Evolution –
Program components should be periodically evaluated for effectiveness, efficiency, and to
ensure current organizational anti-fraud risks, or goals, are addressed.
78
Areas of Proactive Fraud Reviews
Accounts Payable/Human Resources Testing
 Vendor Master File (incomplete records, shared
addresses, TIN, phone)
 Invoice Testing (even dollar, sequential, numbering)
 Employee Testing (SSN, shared addresses, bank
accounts)
 Shell company (vendors and employees sharing info –
addresses, bank accounts)
79
Vendors/Employees Sharing Addresses
Vendor Nam e
Vendor Address 1
Em ployee
Nam e
Em ployee
Address 1
Em ployee
City
Invoice
Am ount
SOUTH EDUCATORS
709 MALL BLVD
X, Lynn
709 Mall Boulevard
Savannah
$ 1,917,034.00
GREEN VAUGHN LLC
709 MALL BOULEVARD X, Lynn
709 Mall Boulevard
Savannah
746,688.96
HOLIDAY INN NEWTON
399 GROVE STREET
399 Grove St.
New ton
305,620.00
THE INCENTIVE SHOP
706 DUNCAN AVENUE X, Phyllis
706 Duncan Ave.
Pittsburgh
190,838.00
ALBERT GREENSTONE
750 PARK AVENUE, NE X, Ophelia
750 Park Ave
Atlanta
52,174.23
R KEITH & LIZ SWICK
RT 1 BOX 775
X, Elizabeth Route 1 Box 775
Clarksburg
24,874.06
TESTA CONSULTING SERVICES INC
40 24TH STREET
X, Vincent
40 24th St
Pittsburgh
20,538.24
CULINARY THOUGHTS
2927 AVENUE D.
X, Michael
2927 Avenue D
Katy
12,272.30
DAY'S LAWN CARE, INC
2343 NOTTINGHAM NW X, Toni
2343 Nottingham NW Massillon
11,523.60
LOIS NENES
2927 AVENUE D
2927 Avenue D
11,000.00
X, Brian
X, Michael
Katy
80
Areas of Proactive Fraud Reviews
(continued)
Purchase/Procurement Card (P-Card)





Transactional/monthly/credit limit
Potential split transactions
Prohibited categories
High-risk merchants (PayPal)
Other policy violations
81
Areas of Proactive Fraud Reviews
(continued)
Travel & Entertainment (T&E)




Policy compliance (company card, agency, etc.)
Potential split transactions
Prohibited categories
High-risk merchants (airfare)
Wire Transfers and ACH Transactions
 Policy compliance/approvals
 Tie in to vendor testing
82
Conflict of Interest
83
Fraud Prevention Checklist
1.
Is ongoing anti-fraud training provided to all
employees of the organization?
Is an effective fraud reporting mechanism in place?
To increase employees’ perception of detection, are
the following proactive measures taken and
publicized to employees?
2.
3.
–
–
–
4.
Is fraudulent conduct proactively sought out?
Are surprise audits performed?
Is continuous auditing software utilized?
Is the management climate/tone at the top one of
honesty and integrity?
84
Fraud Prevention Checklist
5.
Are fraud risk assessments performed to proactively
indentify and mitigate the company’s vulnerabilities to
internal and external fraud?
Are strong anti-fraud controls in place and operating
effectively, including the following?
6.
•
•
•
•
•
Proper separation of duties
Use of authorizations
Physical safeguards
Job rotations
Mandatory vacations
85
Fraud Prevention Checklist
7.
Does the internal audit department, if one exists, have
adequate resources and authority to operate effectively
and without undue influence from senior management?
Does the hiring policy include the following (where
permitted by law)?
8.
•
•
•
•
•
•
Past employment verification
Criminal and civil background checks
Credit checks
Drug screening
Education verification
References check
86
Fraud Prevention Checklist
9.
Are employee support programs in place to assist
employees struggling with addictions,
mental/emotional health, family or financial problems?
10. Is an open-door policy in place that allows employees
to speak freely about pressures, providing
management the opportunity to alleviate such
pressures before they become acute?
11. Are anonymous surveys conducted to assess
employee morale?
87
Questions/Discussion
ACFE Report To The Nations
(includes Fraud Prevention Checklist)
www.acfe.com
Paul J. Soos - CFE, CIA, CICA
[email protected] 812.637.5737
88