Network Management Group, Inc. Randy Johnston, Exec VP With contributions from Robert H. Spencer, PhD, CCP, CSA 2011 Internal Controls for Business. How.

Network Management Group, Inc.Randy Johnston, Exec VPWith contributions from

Robert H. Spencer, PhD, CCP, CSA

2011 Internal Controls for Business.

How To Recognize and Mitigate Fraud and Loss

Copyright © 2011. Reproduction or reuse for purposes other than a K2 Enterprises’ training event is prohibited.

What about Randy?• Top rated speaker for over 25 years• 2004, 2005, 2006, 2007, 2008, 2009, 2010

Accounting Today 100 Most Influential in Accounting for seven years

• 30+ years of technology experience• Author of articles on Technology including a

monthly column in CPATechnology Advisor• Published author of five books• From Hutchinson, KS• [email protected] or [email protected] • 620-664-6000 x 112

mailto:[email protected]



What about NMGI?• CRN top 100 emerging

technology company nationally – MSPMentor top 100 company

• NetStore – Internet backup and off-site data storage

• NetRescue – Business continuity appliance for servers, desktops and virtual machines

• NetCare - Remote Managed services - (Maintenance, Remediation & Alerting)

• NetSecure – Firewall management and Content Filtering

• Technology and Business Continuity consulting– CPA Firm Technology Assessments– Paperless– Accounting Software Selection

• Cloud Services– Server and desktop hosting– Private label hosted Exchange and

SharePoint Services– Hosted VOIP phone installation

• Traditional and virtual server installation

• Microsoft Gold / Hewlett Packard Elite/ SonicWALL Gold (vendor certified)


What about NMGI?

• CRN top 100 technology company• MSPMentor top 100 company• Announced June 7, 2010 the general availability of

national CPA support services• NetCare and NetHosting – Managed and Cloud services• NetRescue and NetStore – Backup Appliances and

web-based backup• nPEN – Secure email, HR – Business and personal goal

achievement and management track training, BC/DR – Full documentation and backup services


Session Highlights

• Discuss why internal controls are necessary for business success and give examples of common controls.

• Understand how everyday fraud affects you and your business.

• Understand typical business control deficiencies and their impact

• Discuss how to– Design effective internal control systems– Implement and monitor internal control systems – the importance of owner/manager controls – Develop effective computer system controls


Supplemental Materials

• Fraud Schemes• Practical Approaches to Relevant Professional

and Statutory Requirements• Analytical Procedures as a Fraud Detection

and Loss Tool• Benford’s Law


HOW POOR INTERNAL CONTROLS IMPACT YOUR BUSINESS


The Ugly Truth

• Most Small (SMB) to Medium (SME) Businesses do not have written Internal Control Procedures and Policy Guidelines.

• Those that have written Policy and Procedures, don’t follow them.

• Those that have them – don’t periodically review the policy, or monitor its effectiveness.


What Are Internal Controls?

• Define the Objective• Create controls to help you reach your

objective.• Some objectives will require multiple controls.• Some controls will satisfy more than one

objective.• The Policy and Procedures MUST be in writing!


Copyright © 2011. Reproduction or reuse for purposes other than a K2 Enterprises’ training event is prohibited

If its not in writing it does not exist, if it has not been tested, it has no value!

A Simple Mantra


Ten Simple to Implement Controls1. Approve (sign where appropriate) all expenditures yourself. If your

travel schedule and work processes permit, this single step will saves you thousands. Don’t make excuses!

2. If you can't always personally approve expenditures, authorize ONE other person in addition to yourself. You can be the backup signer if he or she is unavailable. If someone else must have signature authority, make sure that person is someone different from the person who writes the checks and has access to the check stock. In this scenario, you should always have after-the-fact review and final sign-off.

3. Keep check stock under lock and key where applicable. Where electronic banking is done, protect passwords and account access to limit theft.


Ten Simple to Implement Controls4. Approve Invoices yourself. This is a quick and easy process. Again, if someone else

must approve invoices, make sure that person is different from the person writing or signing checks, and institute an after-the-fact review.

5. Have ALL financial statements (bank, credit card, broker statements, etc.) mailed to your home if possible, instead of the office. If you do not want mailed to your home – the policy should state they go to you unopened, and you open! This one is big. Open the envelope and review items, vendors and signatures. Initial next to the final total, indicating your review. Even if you only spend 10 seconds on this process you are sending a valuable message.

6. Where possible, divide up processes for handling receipts and payments. For example, different people should approve invoices, prepare checks, sign checks and reconcile the checking account. Likewise, different people should be handling incoming cash and checks, posting payments, making deposits and reconciling the checking account. We will discuss segregation of duties later in more detail.


Ten Simple to Implement Controls7. If you take credit cards, the easiest fraud opportunity is for a person with access to the

merchant account to give small credits to a card of their own or an accomplice's. Have your detailed merchant account statements reviewed by someone other than the person who enters the transactions, and watch for credits.

8. Do background checks on all new employees. People with credit problems will be a problem for you, as financial pressures drive desperate behavior. If they can't manage their own money, do you want them managing yours?

9. As a minimum review a few key reports at least monthly for irregularities;Credit Memo ReportNew Vendor and Customer ReportChange of Address ReportInventory On Hand, Back Order Report, Inventory Write OffAudit Trail Report

10. Create a Whistleblower Policy. Encourage employees to be more aware of illegal, or inappropriate actions. Help them to understand that the activities of other employees directly affects their compensation as well.


It Can’t Happen to Me!Common small business owner statement.

• “I only hire honest people.”• Half of all theft occurs inside your business!• Thousands of dollars are lost annually due to

simple negligence, poor employee training, lack of specific written guidelines.

• Fraud happens to the other guy.• What is Fraud in America like today?


Fraud In America Today

• KPMG International:…the prevalence of misconduct remains high, driven by pressures, inadequate resources and job uncertainty in a volatile economic climate. …roughly half of respondents report that what they are observing could cause “a significant loss of public trust if discovered.”

“2008-2009 Integrity Survey”, KPMG, http://us.kpmg.com/RutUS_prod/Documents/8/IntegritySuvey08_09.pdf

http://us.kpmg.com/RutUS_prod/Documents/8/IntegritySuvey08_09.pdf


Fraud Happens To Everyone!

• KPMG International:Organizations are reporting a rise in fraud, responding with expanded fraud measures both reactive and preemptive, and planning further actions for the future.



• Several studies over the years show that more than 50% of all fraud and theft occur inside your business by employees or those working beside you.



• Many are surprised to find out that most fraud is perpetrated by well-educated males in senior executive positions (61%), and is affected by conditions within the organization, beginning at the top, and filtering down.

Joel B. Charkatz, CPA, CVA, CFE

Employment and Labor Update


Fraud In America Today

• 2010 Report to the Nation, published by the Association of Certified Fraud Examiners. This Report is based on data compiled from a study of 1,843 cases of occupational fraud that occurred worldwide between January 2008 and December 2009.

• Available on-line, www.acfe.org

http://www.acfe.org/


Summary Findings of This Report

Survey participants estimated that the typical organization loses 5% of its annual revenue to fraud. Applied to the estimated 2009 Gross World Product, this figure translates to a potential total fraud loss of more than $2.9 trillion.



• The median loss caused by the occupational fraud cases was $160,000 for 2009.

• Nearly one-quarter of the frauds involved losses of at least $1 million.

• For 2009, there were more very large frauds, which may eschew the number slightly upward.



The frauds lasted a median of 18 months before being detected. This finding has remained unchanged for several years.

* Where there is collusion the fraud scheme does not last as long, but the losses are much higher.



• Asset misappropriation schemes were the most common form of fraud by a wide margin, representing 90% of cases.

• Asset misappropriation was also, according to the study, the least costly with a median loss of $135,000.



Financial Statement Fraud schemes were on the opposite end of the spectrum in both regards: • These cases made up less than 5% of the

frauds, but caused a median loss of more than $4 million — by far the most costly category.

• Corruption schemes fell in the middle, comprising just under one-third of cases and causing a median loss of $250,000.



• Occupational frauds are much more likely to be detected by tip than by any other means. This finding has been consistent since 2002.

• This may also be the reason that more fraud advisors recommend a whistleblower line or similar procedures to encourage employees to tip off others where they see fraud or theft occurring.



Small organizations fall victim to occupational fraud much more often. • These organizations are typically lacking in internal

controls compared to their larger counterparts, which makes them particularly vulnerable to fraud.

• Most small businesses lack even basic Internal Control procedures or the willingness to implement and enforce them.

• Naivety runs rampant in small business when it comes to the possibility of employees stealing from the business.



The industries most commonly victimized, according to the study, were:

– Banking/Financial services, – Manufacturing,– and Government/Public Administration sectors.

• Includes Not for Profit Groups.



• Anti-fraud controls appear to help reduce the cost and duration of occupational fraud schemes.

• One of the principal recommendations from this year’s report was the need to focus on specific Anti-fraud Controls within the overall Internal Controls process.


Who Is Committing Fraud?

Employee (39.7%)

Manager (37.1%)

Owner/Executive (23.3%)

$70,000

$150,000

$834,000

Position of PerpetratorPo

sition

of P

erpe

trat

or &

Fre

quen

cy o

f Inv

olve

men

t



<$50k

$50k to $100k

$100k to $150k

$150k to $200k

$200k to $500k

Over $500k

$75,000

$162,000

$375,000

$590,000

$1,000,000

$50,000,000

Median Loss By Perpetrators' Income

Perp

etra

tors

' Ann

ual I

ncom

e


Correlation between length of employment and amount of fraud loss

• Study shows that employees with longer tenure at an organization commit more expensive frauds than employees with shorter tenure.

• Cause attributed to higher degree of trust implicitly placed on employees with longer tenure by most organizations.

• Also, with longer tenure comes greater opportunity and a higher level of access.



<1 Year (7.4%)

1 to 5 Years (40.5%)

6 to 10 Years (24.6%)

>10 Years (27.5%)

$50,000

$142,000

$261,000

$250,000

Perpetrators' TenureMedian Loss and Frequency



63.9%

36.1%

Number of Perpetrators

One Perpetrator Two or More Perpetrators




Defining Occupational Fraud

• ACFE:The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.


Four Characteristics Of Occupational Fraud

1. The activities are clandestine. – When committing occupational fraud, the

perpetrators make attempts to conceal their actions. As examples, these attempts might involve the altering of or destroying documents, failing to record transactions, or deleting information from computer systems.



2. The activities violate the perpetrator’s fiduciary responsibilities and positions of trust within the employing organization. – All employees have been entrusted to some

degree with a level of fiduciary responsibility by their employers. When committing fraud against an employer, an employee breaches that trust. Employees in whom greater degrees of trust have been placed are in often in position to commit frauds of greater magnitudes.



3. Activities Are Committed For Personal Enrichment

– Frauds are not committed for sport; rather, there is some financial gain to be derived from the fraud.

– This gain can accrue directly to the perpetrator, or it can benefit a third party of the perpetrator’s choosing – for example, a family member.



4. The activities exact a cost on the employing organization.

– Because frauds enrich their perpetrators, there has to be an offsetting cost to the employing organization.

– This might result in the direct loss of assets, or it might result in less obvious losses such as the reputation of the entity being tarnished and loss of investor confidence.


Three Types of Occupational Fraud *

1. Misappropriation of assets2. Corruption3. Financial Statement Fraud

* These are what you want to develop good Internal Controlsto mitigate risk where possible.


Relative Frequency of Fraud and Associated Loss

Fraudulent Statements (10.3%)

Corruption (27.4%)

Asset Misappropriation (88.7%)

$2,000,000

$375,000

$150,000

Relative Frequency of Fraudand Associated Losses

(Percentages do not total to 100% because some instances of fraud involve more than one fraudulent activity.)


Types of Cash Fraud Schemes:

1. Those involving cash receipts (skimming and cash larceny),

2. Those involving cash disbursements (billing, check tampering, expense reimbursement, payroll, and register disbursements), and

3. Those involving cash on hand.


Breakdown of Cash Misappropriations

Skim

ming (16.8%)

Cash La

rceny (

10.3%)

Billing (

23.9%)

Check Ta

mpering (

14.7%)

Expense

Reimburse

ment (13.2%)

Payro

ll (9.3%)

Registe

r Disb

ursements

(2.8%)

Cash on Han

d (12.6%)

$-

$20,000

$40,000

$60,000

$80,000

$100,000

$120,000

$140,000

$160,000

$80,000 $75,000

$100,000

$138,000

$25,000

$49,000

$25,000 $35,000

Breakdown of Cash Misappropriations

Copyright © 2011. Reproduction or reuse for purposes other than a K2 Enterprises’ training event is prohibited.47

Types Of Fraud And Losses

Type of FraudPercentage of Asset

Misappropriation Cases Median Loss

Billing Schemes 28.30% $ 130,000

Expense Reimbursements 19.50% $ 25,000

Check Tampering 17.10% $ 120,000

Payroll 13.20% $ 50,000

Wire Transfers 6.50% $ 500,000

Register Disbursements 1.70% $ 26,000


Median Fraud Loss by Number of Employees

<100 (38.2%)

101 to 999 (20.0%)

1,000 to 9,999 (23.0%)

10,000+ (18.9%)

$200,000

$176,000

$116,000

$147,000

Median Loss

Num

ber o

f Em

ploy

ees a

nd P

erce

ntag

eof

Cas

es R

epor

ted


How Is Fraud Detected *

Notified by Police

External Audit

Internal Audit

Accident

Internal Controls

Tip

3.2%

9.1%

19.4%

20.0%

23.3%

46.2%

* My favorite, considering how we stress the importance of Internal Controls and Auditors! Why are these numbers the way they are today?


How Senior Manager Frauds Are Detected

Notified by Police

External Audit

Internal Controls

Internal Audit

Accident

Tip

3.4%

16.3%

15.2%

12.4%

17.4%

51.7%


So, What Should We Do?

• What should businesses do to mitigate risk and reduce fraud loss according to the ACFE 2010 study’s conclusions and recommendations?


Implement Hotlines to Report Possible Fraud, Theft, or Loss

• Fraud reporting mechanisms are a critical component of an effective fraud prevention and detection system.

• Organizations should implement hotlines to receive tips from both internal and external sources.

• Such reporting mechanisms should allow anonymity and confidentiality, and employees should be encouraged to report suspicious activity without fear of reprisal.


You Cannot Over-rely on Audits

• Organizations tend to over-rely on audits.• External audits were the control mechanism

most widely used by the victims in the survey, but they ranked poorly in both detecting fraud and limiting losses due to fraud.

• Audits are clearly important and can have a strong preventative effect on fraudulent behavior, but audits alone should not be relied upon exclusively for fraud detection.


Employee Education is the Foundation of Detecting and Preventing Fraud.

• Staff members are an organization’s top fraud detection method; employees must be trained in what constitutes fraud, how it hurts everyone in the company and how to report any questionable activity.

• Data shows not only that most frauds are detected by tips, but also that organizations that have anti-fraud training for employees and managers experience lower fraud losses.


An Audit Should be a Surprise!

• Surprise audits are an effective, yet underutilized, tool in the fight against fraud.

• Less than 30% of victim organizations conducted surprise audits; however, those organizations tended to have lower fraud losses and to detect frauds more quickly.

• While surprise audits can be useful in detecting fraud, their most important benefit is in preventing fraud by creating a perception of detection. Generally speaking, occupational fraud perpetrators only commit fraud if they believe they will not be caught!


Fraudsters exhibit behavioral warning signs of their misdeeds.

• These red flags — such as living beyond one’s means or exhibiting control issues — will most likely not be identified by traditional controls.

• Auditors and employees alike should be trained to recognize the common behavioral signs that a fraud is occurring and encouraged not to ignore such red flags, as they might be the key to detecting or deterring a fraud.


Small Businesses Are Particularly Vulnerable to Fraud.

• In general, these organizations have far fewer controls in place to protect their resources from fraud and abuse.

• Managers and owners of small businesses should focus their control investments on the most cost-effective mechanisms, such as hotlines and setting an ethical tone for their employees.

• These steps are shown to have the greatest results.



TOOLS FOR PREVENTING AND DETECTING FRAUD


Desktop Tools For Preventing And Detecting Fraud

• ODBC Queries• Excel As A Fraud Detection Tool• Access As An Audit Tool• ActiveData for Excel and Office


Open DataBase Connectivity

• Open DataBase Connectivity, a standard database access method developed by the SQL Access group in 1992.

• The goal of ODBC is to make it possible to access any data from any application, regardless of which database management system (DBMS) is handling the data.

• ODBC manages this by inserting a middle layer, called a database driver , between an application and the DBMS. The purpose of this layer is to translate the application's data queries into commands that the DBMS understands.

http://www.webopedia.com/term/o/standard.html

http://www.webopedia.com/term/o/database.html

http://www.webopedia.com/term/o/access.html

http://www.webopedia.com/term/o/data.html

http://www.webopedia.com/term/o/application.html

http://www.webopedia.com/term/o/database_management_system_DBMS.html

http://www.webopedia.com/term/o/driver.html

http://www.webopedia.com/term/o/query.html

http://www.webopedia.com/term/o/command.html



• ODBC Queries– Benefits

• Allows Window Applications To Access Multiple Data Sources Through A Single Method

• Overcomes The Problem Of Different Databases Having Different Means Of Providing Access To Information

• Simplifies Access Requirements So That Users No Longer Require Advanced Database Management Skills



• Auditors currently utilize Excel to assist with some or all of the following functions.– Amortization schedules– Trial balances– Journal entries– Financial statements– Supporting schedules– Working papers



• Virtually all of the current uses of Excel relate to documentation; rarely is Excel used as a tool for conducting audits or fraud examinations.

• Excel As A Fraud Detection Tool– Beyond Workpapers And Schedules– Use Excel For-

• Horizontal And Vertical Analysis• Trend Analysis• Statistical Measures And Summarizations• Stratifications• Regression Analysis

• Reporting tools like Biznet, http://www.biznetsoftware.com/



• Excel Add-Ins As Fraud Detection Tools– ActiveData - http://www.informationactive.com/ – @Risk - http://www.palisade.com/

http://www.informationactive.com/

http://www.informationactive.com/

http://www.palisade.com/

http://www.palisade.com/

http://informationactive.com/index.php?option=com_content&view=article&id=145&Itemid=490



• Access As An Audit Tool– Using Access To-

• Detect Duplicate Transactions/Entries• Store Data That Is Queried By Excel

– Save Queries For Future Use


COSO INTERNAL CONTROL PROCESS

Committee of Sponsoring Organizations of the Treadway Commission (1992)


Internal Control – AICPA 1995

• Internal control is a process. It is a means to an end, not an end in itself.

• People affect internal control. It is not merely policy manuals and forms; it is people at every level of an organization.

• Internal control provides only reasonable assurance, not absolute assurance, to an entity’s management and board.

• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.


SAS 78 Five Interrelated Components of Internal Control

• Control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

• Risk assessment is the entity’s identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how risks should be managed.

• Control activities are those policies and procedures that help ensure that management directives are carried out.

• Information and communication are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

• Monitoring is a process that assesses the quality of internal control performance over time.


Five Interrelated Components of Internal Control Framework


SAS 78 defines control activities as those policies and procedures that

help ensure that management directives are carried out

• Preventive controls,• Detective controls,• Deterrent controls, and• Compensating controls.


Four-step Process to Implement and Maintain Internal Controls


DEVELOPING WRITTEN INTERNAL CONTROL POLICIES


Why Small Business Don’t Have Written Controls

• “We know we need written documentation, but we just don’t have the time.”

• “We don’t know where to start.” Or,• “I am not a good writer!”

• There are a number of examples of good Internal Controls available via the Internet, your State Society, and the AICPA.


For The Best Controls

• First, follow the KISS method. Keep It Simple. • Second, never implement a control for the sake of

doing so! Make sure that the control is necessary and has value.

• Third, never ever implement an Internal Control that you do not follow and will not enforce. – Remember, the documentation is for your people, to guide

them, not for the court. – The court will judge you based on what you actually do (at

least what people testify that you do), not specifically what you have in writing.


How Many Controls Should You Have?

• Actual question at one of our seminars.– “I am a $150 million manufacturing company, how many

Internal Control Policies should I have?” • What do you think?• There is no specific number of controls, or a set of

specific controls you must have.• Remember that Internal Controls are created to help

you meet specific objectives of your company. A single objective may require one or more controls to achieve, and some controls may help satisfy one or more objectives.


What Does and Internal Control Look Like?

• Keep the actual format of an Internal Control policy as simple as possible.

• First, use the least amount of words to get the job done.

• If a control document is too verbose, people will not read it, much less follow it.

• Use bullet points or list items where appropriate to get the message across and keep the process simple.


A Simple Format

• Name of the Policy– Objective

• Define briefly the objective which the control will help meet.

• Define why the objective is important. Improve quality, improve production, limit risk, mitigate fraud, and so forth.

• If you have more than a few paragraphs, the control may be too complex. Consider breaking it down into multiple controls or rewording.


Following the Objective Statement

• ControlThe control is the procedures that are to be applied to meet the objective. Give a brief description of the control. This is the heart of the policy statement.

• Procedures Then itemize the procedures. Again, bullet or list format is perfect if you want the control procedure to be effective.


And Last But Not Least

• Monitoring This is the section this is most often missing, and where most Internal Control Policies fail. You cannot have a policy that is not monitored. It has no value. There has to be some reasonable procedure to ensure the control is being complied with and is effective in achieving the objective for which it was created.


Monitoring

• If the Control if valid, and is not being complied with, then there must be repercussions.

• That does not mean public beatings!• What is reasonable, first offense, second

offense, etc. You define the proper actions based on the liability and risk associated with the Control Objective.


Basic Internal Control

• So the three components are the – Objective Description,– The Control Statement– and the Monitoring Action.

• Will all your controls be this simple, perhaps not, but most can be, and with a little practice you may end up with simple Internal Control Procedures that help you meet your business objectives.


Unique Internal Controls

• There are a number of Internal Controls that businesses need today that we did not cover, but samples are available for you to download from our web site– Sample Password Policy– Sample Social Networking Policy– Sample Disaster Recovery Plan– Sample Records Retention Guideline


Request our Document on Internal Controls to use with Your Clients

• 26 pages• Written in straight-forward English• Hand me a business card

– OR• Send and email to

–[email protected]



The End

• Fraud Schemes• Practical Approaches to Relevant

Professional and Statutory Requirements• Analytical Procedures as a Fraud Detection

and Loss Tool• Benford’s Law

Supplemental Materials


COMMON FRAUD SCHEMES AND WARNING SIGNS


Common Fraud Schemes And Warning Signs

• Payments To Fictitious Vendors– Form Of Billing Scheme– Invoices Are Submitted From Fictitious Vendors– Payments Are Made And Perpetrator Intercepts

Payments



• Payments To Fictitious Vendors– Warning Signs-

• An Employee’s Home Address Matching A Vendor’s Address

• An Employee’s Initials Matching A Vendor’s Name• Checks Written To “Cash”• Using P O Boxes For Vendor Addresses• Vendor Data Is Missing• Vendor Data Is Improperly Formatted



• Payroll Schemes– False Payments For Payroll

• Ghost Employees• Falsified Hours Worked And Salary Rates• Commission Schemes



• Payroll Schemes– Early Warning Signs

• Multiple Changes To Default Employee Pay Rates,• Aging Of Accounts Receivable By Salesperson Indicates

Large Number Of Past-due Accounts For A Given Salesperson May Be Indicative Of False Sales Used To Generate Commission Payments




• Employees Records Indicate An Invalid Or Duplicate Social Security Number

• Payments To Employees After The Termination Date Of The Employee

• Adjustments Or Journal Entries To Individual Employee Earnings Records




• Unusually/Unexpectedly High Amounts Of Reported Overtime Hours

• Sales Posted To Dormant Customer Accounts May Indicate Commission Fraud

• Sales Which Place Customers Over Their Credit Limit Or Sales To Customers On Credit Hold May Be Indicative Of Commission Fraud



• Expense Reimbursement Schemes– Inappropriate Reimbursements For Submitted

Expenses• Mischaracterized Expenses – The Employee

Fraudulently Requests Reimbursement For Expenses That Are Not Considered To Be Business Expenses, But Rather Personal Expenses




Expenses• Overstated Expenses – The Employee Overstates The

Amount Of Otherwise Legitimate Business Expenses Requested For Reimbursement And Retains The Overage




Expenses• Fictitious Expenses – The Employee Submits For

Reimbursement Expenses That Were Never Actually Incurred. Oftentimes, The Amounts Of These Expenses Are Immediately Below Some Established Threshold For Requiring Receipts




Expenses• Multiple Reimbursements – The Employee Submits For

Reimbursement Expenses That Have Already Been Paid By The Employer



• Expense Reimbursement Schemes– Early Warning Signs-

• Employees Maintaining Lifestyles That Are Seemingly Beyond Their Means

• Employees Submitting For Reimbursement A Large Number Of Expenses Without Appropriate Or Required Receipts



• Expense Reimbursement Schemes– Early Warning Signs-

• Employees Submitting For Reimbursement A Large Number Of Expenses That Are In Round Dollars

• Employees Submitting For Reimbursement Expenses That Were Dated During Periods Of Vacations



• Check Tampering– Forged Maker

• The Perpetrator Forges the Signature of the Maker on the check.

– Intercepted Checks• Situations Where Checks are Intercepted in the Mail

and Negotiated by the Perpetrator.

– Forged Endorsements• Perpetrator Intercepts Checks and Forges the Payee’s

Endorsement.



• Check Tampering– Concealed Checks

• Frauds whereby the Perpetrator Deceives Someone into Unknowingly Preparing, Approving, or Signing a Check.

– Authorized Maker• Situations where the Perpetrator is Actually the Person

Designated by the Company to Prepare, Approve, and/or Sign Checks.



• Check Tampering– Early Warning Signs

• Vendor Statements Or Confirmations Not Agreeing With Amounts Due According To Company Records

• Abnormally Large Number Of Vendor Complaints On Timeliness Of Payments



• Check Tampering– Early Warning Signs

• Abnormally Large Number Of Checks Made Payable To “Cash”

• Abnormally Large Number Of Purchases Made Without A Purchase Order

• Sequence Gaps In Checks • Large Number of Journal Entries to the Checking

Account(s)• Significant Variations in Budgeted to Actual Results.



• Register Disbursements– In register disbursement frauds, the perpetrator takes

money from the company and conceals the theft through the entry of a false transaction such as a customer refund.

– Register disbursement frauds differ from skimming frauds in that in a register disbursement fraud, no sale actually occurs whereas in a skimming fraud, a sale does take place.

– Register Disbursements• Fictitious/Overstated Refunds• Credit Card Frauds• False Voids



• Register Disbursements– Early Warning Signs

• Significant Discrepancies In Inventory Actually On Hand And That Reported By The Accounting Application

• One Employee Having A Substantially Higher Percentage Of Voided Transactions Or Refund Transactions When Compared To Other Employees



• Register Disbursements– Early Warning Signs

• Refunds Issued To A Different Credit Card Than The One Used On The Original Sale Transaction

• An Abnormally Large Number Of Refunds Issued On The Same Day As The Sale Transaction



• Kiting– Disbursement Scheme To Profit From “Float”– Usually Involves Writing A “Bad” Check And

Covering It With A Deposit Of Another “Bad” Check

– 1988 NYC Scheme Involving Two People, 15,000 Checks, $2 Billion!



• Kiting– Early Warning Signs -

• Signature And Payee On Kited Checks Are Often The Same

• Area Abnormalities (Many Out-of-area Checks)• Frequent Deposits, Check Writing, And Balance

Inquiries




• Escalating Balances• Bank Abnormalities (Deposited Checks Are Usually

Drawn On The Same Banks)




• Average Length Of Time Money Remains In Account Is Short

• NSF (Frequent NSF Problems)



• Skimming, Unrecorded Sales– Selling Legitimate Products Or Services, But

Keeping The Money– Often Involves Cash Sales



• Skimming, Unrecorded Sales– Early Warning Signs

• Decline In Sales Recorded• Decline In Cash Collected• Decline In Gross Margin Percentages• Missing Or Voided Documents Such As Sales Orders

And Invoices



• Lapping– Moving Money From One Account To Cover A

Shortage In Another Account– Often Associated With Incoming Payments…



• Lapping– Money Is Taken From Customer A’s Account. – Perpetrator Subsequently Posts A Payment On

Customer B’s Account To Customer A’s Account– Perpetrator Subsequently Posts A Payment On

Customer C’s Account To Customer B’s Account– The Process Continues To Repeat Until The

Lapping Scheme Is Discovered



• Lapping– Early Warning Signs-

• Excessive Billing Errors• An Increase In The Accounts Receivable Collection

Period• Increasing Write-offs Of Bad Debts• Delays In Posting Customer Payments



• Lapping– Early Warning Signs-

• An Increase In Customer Complaints About The Status Of Their Accounts

• A Trend Of Decreasing Payments Received• Accounts Receivable Ledger Not In Agreement With

General Ledger



• Financial Statement Fraud– Overstating Assets– Fictitious Revenues– Understating Liabilities And Expenses



• Overstating Assets– Journal Entries Initiated Or Recorded By Members Of

Senior Management Team, Particularly At Year-end.– Large Number Of Journal Entries In Round Dollar

Amounts.– A Significant Amount Of Slow-moving Inventory

Items.– A Significant Percentage Of Accounts Receivable

Being Past Due, With Relatively Little Bad Debt Expense.



• Recording Fictitious Revenues– Relatively Large Amounts Of Customer Refunds Or

Adjustments Immediately After Year-end– New Customers Existing On The Customer Master

file With Missing Key Information– Average Sale Per Customer Increasing Significantly

In The Month/Quarter Which Includes Year-end



• Understating Liabilities & Expenses– Journal Entries Initiated Or Recorded By Members Of

Senior Management Team, Particularly At Year-end– Average Purchase Per Vendor Decreasing Significantly

In The Month/Quarter Which Includes Year-end– Relatively High Amount Of Expense Recorded In

Month After Year-end– Relatively Large Number Of Open Purchase Orders At

Year-end Where The “Required By” Date Has Been Exceeded


Confirmation Frauds

• One form of fraud that would result in overstated assets is that of confirmation fraud. When a confirmation fraud occurs, the person(s) committing the fraud deceptively causes overstated asset balances to be confirmed at their inflated balances…


Example of Confirmation Fraud

• Management could cause inflated bank account balances to be confirmed at an inflated amount, thereby leading an auditor to express an opinion on financial statements that are likely materially misleading.


Recording Fictitious Revenues

• Relatively large amounts of customer refunds or adjustments immediately after year-end

• New customers existing on the customer master file with missing information

• Average sales per customer increasing significantly in the month/quarter which includes year-end


Understating Liabilities and Expenses

• Journal entries initiated or recorded by members of senior management team, particularly at year-end

• Average purchase per vendor decreasing significantly in the month/quarter which includes year-end

• Relatively high amount of expense recorded in month after year-end

• Relatively large number of open purchase orders at year-end where the “required by” date has been exceeded


PRACTICAL APPROACHES TO RELEVANT PROFESSIONAL AND STATUTORY REQUIREMENTS


Practical Approaches To Professional Requirements

• SAS 99 Overview– Reinforces-

Auditors Have “A Responsibility To Plan And Perform The Audit To Obtain Reasonable Assurance About Whether The Financial Statements Are Free Of Material Misstatement, Whether Caused By Error Or Fraud.”



• SAS 99 Overview– Financial Statements Includes Five Assertions

• Existence• Completeness• Valuation• Rights And Obligations• Presentation And Disclosure



• SAS 99 Overview– Auditor Must Plan And Conduct Audit To Provide

Reasonable Assurance That Assertions Are Free Of Material Misstatement



• SAS 99 Overview– Description And Characteristics Of Fraud– Identifying Risks– Responding To Risks


SAS 99 Fraud Triangle

• Fraud Triangle


Fraud Triangle

• Incentive/Pressure For Financial Statement Fraud May Result From-– Financial Stability Or Profitability Is Threatened By

Economic, Industry, Or Entity Operating Conditions– Excessive Pressure Exists For Management To

Meet The Requirements Or Expectations Of Third Parties


Fraud Triangle

• Incentive/Pressure For Financial Statement Fraud May Result From-– Management Or The Board Of Directors’ Personal

Financial Situation Is Threatened By The Entity’s Financial Performance

– Excessive Pressure On Management Or Operating Personnel To Meet Financial Targets Set Up By The Board Of Directors Or Management


Fraud Triangle

• Incentive/Pressure For Asset Misappropriation May Result From-– Personal Financial Obligations May Create

Pressure On Management Or Employees With Access To Cash Or Other Assets Susceptible To Theft To Misappropriate Those Assets


Fraud Triangle

• Incentive/Pressure For Asset Misappropriation May Result From-– Adverse Relationships Between The Entity And

Employees With Access To Cash Or Other Assets Susceptible To Theft May Motivate Those Employees To Misappropriate Those Assets.


Fraud Triangle

• Opportunity For Fraud May Result From-– Poor Internal Controls– Management Override Of Internal Controls

Journal of Accountancy - Internal Control Guidance


Fraud Triangle

• Rationalization For Asset Misappropriation May Result From-– “It’s Not Stealing”– “Company Owes Me The Money”– “Everyone Else Got A Raise”


Fraud Triangle

• Rationalization For Financial Statement Fraud– There Is Still Personal Benefit Accruing To The

Perpetrator“After all, it’s just a journal entry; as long as the line of credit gets repaid, does anyone really get hurt?”


Responding To Risks

• Responses Will Vary Based On– Perceived Risk– Industry– Volume Of Business/Transactions


Responding To Risks

• Changing Overall Approach To Audit• Responding Directly To Identified Risks• Considering Impact Of Potential Management

Override Of Internal Controls


Discuss Risks From Fraud and Loss

– Cash– Accounts Receivable and Sales– Inventory– Accounts Payable and Purchases– Revenues and Expenses– Payroll


Discuss – Warning Signs

• Numerous adjustments• Key personnel going to work for vendors• Lack of segregation of duties• Failure to reconcile bank statements or a conflict of

duties on the part of performing reconciliations• Accounts receivable grows substantially faster than

sales• Growth in accounts payable substantially exceeds

revenue growth• Significantly outpace other companies in same industry



• Frequently change auditors, banks, and attorneys• Dramatic changes in key ratios or ratios too good• Excessive number of checking accounts• Increase in scrap materials and reorders for same

items• Inventory that is slow to turnover• Vendors that pick up payments • Consistent cash flow problems



• Delivery location not the office, plant or job site• Invoices with minimal information• Increase in purchasing inventory but no increase in sales• Lack of physical security over assets / inventory• Customer complaints• Vendor complaints• Can’t talk to people (protection)• Turning down promotions or transfers• Improperly trained employees


• Excessive or unjustified changes in accounting personnel

• Premature or excessive destruction of controlled documents

• Excessive cash transactions• High rate of employee turnover• Significant life-style changes• Refusal to take vacation



• Excessive movement of funds between accounts• Single vendor• Payments to a vendor post office box• No original source documents• Lack of competitive bidding• No exceptions or errors• Unexplained employee absences• Refusal to produce records, files or documents



• Excessive overtime• Missing documentation• Falsified documentation• Excessive involvement by management over routine tasks• Reconciliations are ‘plugged’ or require involvement by

management to reconcile• Lack of due diligence over significant transactions• Excessive changes of reporting structure or organizational

structure• Numerous changes to general ledger accounts or accounting

systems



ANALYTICAL PROCEDURES AS A FRAUD & LOSS DETECTION TOOL


Analytical Procedures As A Fraud Detection Tool

• Nature of Analytical Procedures (APs)• Requirements To Use APs• Useful Tools For Applying APs



• Nature of Analytical Procedures (AP)– SAS 56

“Analytical Procedures Involve Comparisons Of Recorded Amounts, Or Ratios Developed From Recorded Amounts, To Expectations Developed By The Auditor”

– APs Are Required By SAS 56 And By SSARS 10



• Examples Of APs– Account Balance Fluctuation Analysis (“Flux Test”)– Budgeted Versus Actual Account Balance

Comparisons– Ratio Analysis (Discussed In The Following Section)– Comparing Aging, Write-offs, And Collection Days

Trends



• Examples Of APs– Analyzing Sales Volume To Past Results, Industry

Norms, And Forecasted Results– Reviewing Sales Discounts And Returns And

Allowances Trends– Comparing Raw Materials, Work-in-process, And

Finished Goods Inventory Balances– Performing A Trend Analysis On Gross Profit And

Inventory Turnover



• When Planning, Consider– Nature Of The Assertion Being Tested– Plausibility And Predictability Of The Relationships

Of Data– Availability Of Reliable Data Used To Develop

Expectations– Precision Of The Expectation



• As Substantive Tests, Consider– Expectation And Factors Considered In Its

Development – Results Of The Comparison Of The Expectation To

The Recorded Amounts – Any Additional Auditing Procedures Performed In

Response To Unexpected Differences Between The Expected Results And Those Obtained By Applying The Analytical Procedures



• Ratio Analysis Is A Common Form Of AP• Spreadsheets (Excel) Used Extensively To

Perform Ratio Analysis• Useful Applications For Applying Analytical

Procedures– ProfitCents– Profit Driver


BENFORD’S LAWStatistical Detection of Fraud


Using Benford's Law for Data Analysis

• Benford’s Law In Detail-– Numbers Do Not Follow A “Random Walk” In

Nature.– Smaller Digits – “1” And “2” – Occur More

Frequently Than Larger Ones – “8” And “9”


Benford’s Law

• Benford’s Law In Detail-– Discovered In 1881 By Astronomer Simon

Newcomb– “Rediscovered” In 1938 By Scientist Frank Benford

Of GE Research Laboratories


Using Benford’s Law to Detect Fraud


Understanding And Implementing Benford’s Law

• Benford’s Law In Detail-– Powerful Fraud Detection Tool– Allows Tests Against Expected Norms– Facilitates Searches For Fraudulent Transactions

And Transactions Manipulated To Avoid Authorization And Approval



• Benford’s Law In Detail-– Based On Formula-

)10ln(

11ln

}{

d

dP



• Benford’s Law 1st Digit ProbabilitiesBenford's Law

First Digit Probabilties

0.00%

5.00%

10.00%

15.00%

20.00%

25.00%

30.00%

35.00%

Pe

rce

nt

Oc

cu

rre

nc

e

1st Digit 30.10% 17.61% 12.49% 9.69% 7.92% 6.69% 5.80% 5.12% 4.58%

1 2 3 4 5 6 7 8 9



• Benford’s Law 2nd Digit ProbabilitiesBenford's Law

Second Digit Probabilities

0.00%

2.00%

4.00%

6.00%

8.00%

10.00%

12.00%

14.00%

2nd Digit 11.97% 11.39% 10.88% 10.43% 10.03% 9.67% 9.34% 9.04% 8.76% 8.50%

0 1 2 3 4 5 6 7 8 9



• Benford’s Law 3rd Digit ProbabilitiesBenford's Law

Third Digit Probabilities

9.60%

9.70%

9.80%

9.90%

10.00%

10.10%

10.20%

10.30%

3rd Digit 10.18% 10.14% 10.10% 10.06% 10.02% 9.98% 9.94% 9.90% 9.86% 9.83%

0 1 2 3 4 5 6 7 8 9



• Benford’s Law 4th Digit ProbabilitiesBenford's Law

Fourth Digit Probabilities

9.96%

9.97%

9.98%

9.99%

10.00%

10.01%

10.02%

10.03%

4th Digit 10.02% 10.01% 10.01% 10.01% 10.00% 10.00% 9.99% 9.99% 9.99% 9.98%

0 1 2 3 4 5 6 7 8 9



• First Two Digit ProbabilitiesBenford's Law

First Two Digit Probabilities

0.0%0.5%1.0%1.5%2.0%2.5%3.0%3.5%4.0%4.5%

10

15

20

25

30

35

40

45

50

55

60

65

70

75

80

85

90

95



• Applying Benford’s Law– State Of Arizona vs. Wayne James Nelson

• Of Twenty-Three Checks, Only One Began With “1”; Expected Value Of Seven

• Of Twenty-Three Checks, Only One Began With “2”; Expected Value Of Four

• Twenty-One Of Twenty-Three Checks Began With “7”, “8”, Or “9”



• Applying Benford’s Law In Excel– Use Of Commands Such As LEFT( ), MID( ), And

COUNTIF( ) Facilitate Benford’s Law Tests In Excel



• Applying Benford’s Law Using ACL• To run a Benford’s Law test in the popular

audit package ACL, select Analyze from the menu.

• On the Main tab of this dialog box, indicate on which field the test should be performed, how many digits should be included, and what selection criteria should be utilized.


Using Benford’s Law with ACL

Benford's Law Graphical Output Generated by ACL



• Applying Benford’s Law Using Idea• To perform a first digit, first two digits, first

three digits, and second digit Benford’s Law test in IDEA, select Analysis from the menu and choose Benford’s Law.

• Output will be available in both text and graphic format.


Using Benford’s Law with Idea

Sample First Digit Benford's Law Test in IDEA



Sample Second Digit Benford's Law Test in IDEA



Sample First Two Digits Benford's Law Test in IDEA

Network Management Group, Inc. Randy Johnston, Exec VP With contributions from Robert H. Spencer, PhD, CCP, CSA 2011 Internal Controls for Business. How.

Documents

technology business

k2 enterprises training

backup services

hr business

business success

technology company mspmentor

internal controls

emerging technology