INTERNAL CONTROLS AND FRAUD DETECTION

FROM A to Z and WHY to HOW

Paul M. Perry, FHFMA, CISM, CITP, CPA
Member and Practice Leader


Presenter – Paul Perry

Paul Perry has been with Warren Averett since 2004 and is a Member in the Firm’s Corporate Advisory Services Group – focusing on risk and control related projects, such as internal control and information technology related projects, including Service Organization Control (SOC) engagements.

Paul is also a member of the Firm’s Data Analysis Group, a team of individuals within the Firm who provide data analysis solutions to both internal and external clients. For more than 11 years, he has specialized in accounting advisory and audit and review assurance services.

Paul is also a published author, columnist and regular speaker on topics such as data analysis, internal controls and information technology for accountants and auditors.

OUTLINE

- INTERNAL CONTROL KEYWORDS
- COSO
- FRAUD DISCUSSION
- EFFECTIVE INTERNAL CONTROLS
- RISK ASSESSMENT / MANAGEMENT
- VENDOR RISK ASSESSMENTS
- SERVICE AND ORGANIZATION CONTROLS
- WHAT TO DO IF YOU SUSPECT FRAUD

Internal Controls

- A – Analytics
- B – Benford’s
- C – Communication
- D – Documentation
- E – Everyone/Everyday
- F – FRAUD
- G – Governance
- H – pHysical safeguards
- I – Integrity
- J – Justification
- K – Key
- L – Limitations
- M – Monitoring
- N – Non-key
- O – Opportunity
- P – P-D-C
- Q – Quality Control
- R – RISK
- S – Segregation of duties
- T – Tone at the top
- U – Uncertainty
- V – Vulnerability
- W – Weight
- X – eXamination
- Y – Year-end Review
- Z – Zero tolerance

COSO – Committee of Sponsoring Organizations of the Treadway Commission

Internal Controls – WHY?

COSO – Committee of Sponsoring Organizations (COSO)

- 1985

- American Accounting Association (AAA), the American Institute of CPAs (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and The Institute of Internal Auditors (IIA)

Internal Controls

COSO Enterprise Risk Management – Aligning Risk with Strategy and Performance

- Replacing 2004 ERM – Integrated Framework

- Overall Goal: To continue to encourage a risk-conscious corporate culture and to help organizations improve the way they identify, evaluate, and manage risk and opportunity in achieving their strategy.

Internal Controls – Why?

COSO Three Lines of Defense

- Addresses how specific duties related to risk and control could be assigned and coordinated within an organization, regardless of its size or complexity.

- Directors and management should understand the critical differences in roles and responsibilities of these duties and how they should be properly assigned

Internal Controls – Why?

COSO Three Lines of Defense

- Senior Management are Owners

- Lies with the business and process owners whose activities create and/or manage the risks.

- Taking the right risks.

- Owns the risk, and the design and execution of the organization’s controls to respond to those risks.

Internal Controls – Why?

COSO Three Lines of Defense

- Support management by providing expertise, process excellence, and management monitoring

- Ensure that risk and control are effectively managed.

- Separate but are still under the control and direction of senior management

- Management and/or oversight function that owns many aspects of the management of risk.

Internal Controls – Why?

COSO Three Lines of Defense

- Assurance to senior management and the board.

- Not permitted to perform management functions to protect its objectivity and organizational independence.

- Usually a primary reporting line to the board.

- Assurance not a management function, which separates it from the second line of defense.

FRAUD DISCUSSION

Internal Controls – WHY?

FRAUD TRIANGLE

RATIONALIZATION (Justification)

FRAUD SCHEMES

1. Revenue & Cash Receipts Schemes

2. Purchasing & Disbursement Schemes

3. Payroll & Expense Reporting

Internal Controls – WHY?

An employee with disbursement processing responsibilities who refuses to take more than a couple days vacation at a time.

Control Issues – An employee who is over-controlling or overprotective of responsibilities.

Behavioral changes indicating possible drug, alcohol, gambling addiction.

Employee lifestyle changes: financial or significant debt issues, divorce, expensive cars/homes, etc.

High employee turnover, especially in areas vulnerable to fraud.

Wheeler/Dealer Type Attitude.

Suspicious or defensive behavior.

Red Flags for Fraud

Behavioral Red Flags (chart values)

- Living Beyond Means – 45.8%
- Financial Difficulties – 30.0%
- Unusually Close Association with Vendor/Customer – 20.1%
- Control Issues, Unwillingness to Share Duties – 15.3%
- "Wheeler-Dealer" Attitude – 15.3%
- Divorce/Family Problems – 13.4%
- Irritability, Suspiciousness or Defensiveness – 12.3%
- Addiction Problems – 10.0%

Source: Report to the Nations on Occupational Fraud and Abuse

Internal Controls – WHY?

Common Internal Control Limitations

- Human error
- Fatigue
- Distractions
- Misunderstandings
- Carelessness
- Collusion
- Too Much Change Occurring
- Judgment / Trust

Fraud Facts/Conclusions… Fraud Hurts Everyone…Even Perpetrators

1. Organizations lose 5% of revenues to fraud annually (U.S. = $6.3 billion dollars)

2. Organizations with anti-fraud controls experienced frauds that were up to 50% less costly and detected up to 50% more quickly

3. Mostly first-time perpetrators, no criminal history

4. Perpetrators with higher levels of authority tend to cause much larger losses (Linear Relationship: Authority, Education, and Age to Loss)

5. Red flags – living beyond means, financial difficulties, excessive control issues – identified in 79% of cases

6. Small businesses – disproportionately victimized by fraud and under-protected by anti-fraud controls

7. External audits should not be relied upon as the primary anti-fraud mechanism. Primary detection method in just 6% of cases

LOOKING CLOSER AT SCHEMES…

• PAYROLL

• DISBURSEMENT

Potential Payroll Schemes To Consider

1. Ghost Employees – someone paid who is not a real person, or hired

2. Duplicate/Overpayments – paying someone twice, a little extra, for hours not worked, for vacation not earned

3. Improper Commission – commission based on falsified sales records, or incorrect rates

PAYROLL RISK ASSESSMENT…

Preventive Controls to Consider

1. Maintain Proper Segregation of Functions:

   - Personnel Records Should Be Maintained Independently from Payroll and Timekeeping Functions

   - Payroll Bank Accounts Should Be Reconciled by a Person who is not involved in PR Check Preparation, Check Signing, Payroll Processing, or Distribution

2. New Hires should be set up in PR system by HR

3. Reference / Background Checks should be performed before Hire

4. WH forms and Copies of SS Cards Obtained Upon Hire. Verify

5. Approval of OT by Supervisors

6. Two Levels of approval should be required for ALL changes in PR

7. Commissions should be calculated by someone independent of sales

PAYROLL RISK ASSESSMENT…

Detection Controls to Consider

1. Review of PR records for duplicate or missing SSNs

2. Comparison of PR and HR for terminations

3. Review of PR cancelled checks for alterations

4. Perform distribution of payroll checks by someone outside of payroll

5. Comparison of payroll rates to pay amounts per paychecks

6. Comparison of commissions to sales

7. Review of direct deposit reports for duplicate entries

8. Employee list should be checked for duplicate or missing home addresses or telephone #s.

9. Verification of forms in HR to WH deductions

10. Verification of timecards to hours
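Several of the detection controls above (duplicate or missing SSNs, payroll versus HR terminations, rate times hours versus gross pay, duplicate direct deposit accounts, shared addresses and phone numbers) are data comparisons that can be scripted. The following is an added example over a constructed payroll register and HR master, not material from the presentation; the field names (ssn, hours, rate, gross, deposit_acct, address, phone, term_date) are assumptions about what a payroll/HR export would contain.

```python
"""Payroll detection controls as scripted checks over a constructed payroll
register and HR master (added example; not the presenter's material).
The field names (ssn, hours, rate, gross, deposit_acct, address, phone,
term_date) are assumptions about what a payroll/HR export would contain."""
from collections import defaultdict

# Constructed sample register for one pay period. Employees 1 and 2 share an
# SSN; employee 3 has no SSN and shares employee 1's deposit account, address
# and phone (a ghost-employee pattern); employee 4's gross does not match
# hours x rate.
PAYROLL = [
    {"id": 1, "name": "A. Smith", "ssn": "111-22-3333", "hours": 80, "rate": 20.0,
     "gross": 1600.0, "deposit_acct": "ACCT-001", "address": "1 Main St", "phone": "555-0100"},
    {"id": 2, "name": "B. Jones", "ssn": "111-22-3333", "hours": 80, "rate": 25.0,
     "gross": 2000.0, "deposit_acct": "ACCT-002", "address": "2 Oak Ave", "phone": "555-0101"},
    {"id": 3, "name": "C. Ghost", "ssn": "", "hours": 80, "rate": 30.0,
     "gross": 2400.0, "deposit_acct": "ACCT-001", "address": "1 Main St", "phone": "555-0100"},
    {"id": 4, "name": "D. Lee", "ssn": "444-55-6666", "hours": 40, "rate": 22.0,
     "gross": 1100.0, "deposit_acct": "ACCT-004", "address": "4 Elm Rd", "phone": "555-0104"},
]
# Constructed HR master keyed by employee id: employee 4 was terminated before
# this pay period and employee 3 does not exist in HR at all.
HR = {1: {"term_date": None}, 2: {"term_date": None}, 4: {"term_date": "2018-01-15"}}


def duplicate_or_missing_ssns(payroll):
    """Control 1: SSNs shared by more than one employee, and ids with no SSN."""
    by_ssn = defaultdict(list)
    for row in payroll:
        by_ssn[row["ssn"]].append(row["id"])
    missing = by_ssn.pop("", [])
    duplicates = {ssn: ids for ssn, ids in by_ssn.items() if len(ids) > 1}
    return duplicates, missing


def not_active_in_hr(payroll, hr):
    """Control 2: paid this period but absent from HR or terminated per HR."""
    return sorted(r["id"] for r in payroll
                  if r["id"] not in hr or hr[r["id"]]["term_date"])


def rate_mismatches(payroll, tolerance=0.01):
    """Control 5: gross pay that does not equal hours x rate."""
    return sorted(r["id"] for r in payroll
                  if abs(r["hours"] * r["rate"] - r["gross"]) > tolerance)


def shared_values(payroll, field):
    """Controls 7 and 8: a deposit account, address or phone used by more than
    one employee, mapped to the employee ids that share it."""
    groups = defaultdict(list)
    for row in payroll:
        groups[row[field]].append(row["id"])
    return {value: ids for value, ids in groups.items() if len(ids) > 1}


def run_payroll_checks(payroll=PAYROLL, hr=HR):
    """Run every check and return the findings keyed by control."""
    dup_ssn, missing_ssn = duplicate_or_missing_ssns(payroll)
    return {
        "duplicate_ssn": dup_ssn,
        "missing_ssn": missing_ssn,
        "not_active_in_hr": not_active_in_hr(payroll, hr),
        "rate_mismatch": rate_mismatches(payroll),
        "shared_deposit_acct": shared_values(payroll, "deposit_acct"),
        "shared_address": shared_values(payroll, "address"),
        "shared_phone": shared_values(payroll, "phone"),
    }


if __name__ == "__main__":
    for control, finding in run_payroll_checks().items():
        print(f"{control}: {finding}")
```

Every hit is a lead for the reviewer, not proof of fraud; a shared address is common for married co-workers, so the point of the script is to shrink the population someone has to look at by hand.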

PAYROLL RISK ASSESSMENT…

Internal Auditors can assist

1. Periodic Review of Payrolls for Abnormalities

2. Performance of Detection Controls Testing

3. Periodic Payroll Distribution Test

4. Evaluation of Segregation of Functions

PAYROLL RISK ASSESSMENT…

Potential Schemes To Consider

1. Shell Company schemes – a fictitious (shell) company is created for the sole purpose of committing fraud

2. Non-accomplice vendor schemes – perpetrators intentionally mishandle payments owed to legitimate vendors. (double-payments, paying wrong vendor, overpaying)

3. Personal purchases schemes – perpetrators purchase personal items and submit invoice as if it was for the company (furniture, computers, equipment, material)

4. Credit card & purchasing card schemes – employees misuse company cards to purchase personal items, or allow unauthorized individuals to use the cards.

DISBURSEMENT RISK ASSESSMENT…

Potential Schemes To Consider (continued)

5. Check Tampering Schemes – employees steal their employer’s funds by intercepting, forging, or altering a check drawn on one of the organization’s bank accounts

   • Forged Makers
   • Forged Endorsements
   • Altered Payee
   • Concealed Checks
   • Authorized Makers

6. Expense Reimbursement Schemes – perpetrator makes false claim for reimbursement of personal expenses or of fictitious or inflated business expenses (mischaracterized, overstated, fictitious, and/or multiple reimbursements)

DISBURSEMENT RISK ASSESSMENT…

Preventive Controls to Consider

1. Maintain Proper Segregation of Functions: Separate the duties of AP processing, vendor master file maintenance, check stock custody, check preparation, check signing, check mailing and bank reconciliation.

   Separate requisition, purchasing & receiving functions

2. Restrict access to AP and Cash Disbursement systems – with physical and software controls (locked area, passwords)

3. Restrict access to vendor master file and flag any changes to file, periodically purge file for only active approved vendors

DISBURSEMENT RISK ASSESSMENT…

Preventive Controls to Consider

4. Maintain approved vendor list independently of the purchasing department

5. Use payable system to identify duplicate or multiple payments to vendor in same day.

6. Do not pay from statements, only from original invoices

7. Severely restrict the use of manual checks

8. Use positive pay systems

DISBURSEMENT RISK ASSESSMENT…

Preventive Controls to Consider

9. Require dual signature for payments over a certain dollar amount

10. Never sign blank checks

11. Restrict access to signed checks and ensure they are mailed as soon as possible after signing.

   • Checks should be distributed by someone independent of AP and cash disbursement function

DISBURSEMENT RISK ASSESSMENT…

Preventive Controls to Consider

12. Have clear policy on what constitutes a reimbursable expense

13. Establish policies and procedures regarding travel and entertainment, including limits

14. Require original receipts for expense reimbursements – no photocopies

15. Require supervisory approval of expense reports

16. And… more

DISBURSEMENT RISK ASSESSMENT…

Detection Controls to Consider

1. Review purchases by vendors for abnormalities

2. Compare employee and payroll files for “like” addresses, phone #’s

3. Perform post disbursement audits - internal audit and with vendors

4. Review bank statement enclosures for reasonableness, compliance with established guidelines, other potential irregularities

DISBURSEMENT RISK ASSESSMENT…

HOW TO IMPLEMENT EFFECTIVE INTERNAL CONTROLS

Internal Controls

- 17 Principles

- 5 Components

- Applied to:
  - Financial Controls
  - Operational Controls
  - Technology Controls
  - Cyber Risks
  - Compliance Controls

COSO Model for Internal Controls

Internal Controls

Source: COSO


Illustrative Documents:

- Illustrative Tools for Assessing Effectiveness of a System of Internal Control

- Internal Control over External Financial Reporting: A Compendium of Approaches and Examples

Internal Controls – Preventive – Detective – Corrective

Preventive – prevent problems from occurring (Proactive)

• Policies
• Training / Awareness
• Fraud
• Hiring Practices (thorough background checks)
• Reasonable Performance Controls
• Mandatory Vacation / Job Rotation
• Solid IT Controls
• Ethics Policy
• Internal Audit
• Segregation of Duties
• Monitoring
• Adequate Documentation
• Physical safeguards

Weakness in Preventive Controls Increases the Burden on Detection Controls

Internal Controls – Preventive – Detective – Corrective

Detective – identify problems after occurrence (Reactive)

• Data Analytics
• Data-mining
• Benford’s Law
• Physical Inspection
• Benchmarking
• Reviews
• Quality Controls
• Reconciliations
• Whistleblower Policy / Hotline

Communication that Company has a Detection Plan = Strong Deterrent to Fraud
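Benford’s Law, listed above as a detective data-analytics control, says that in naturally occurring amounts the leading digit 1 appears about 30% of the time and 9 under 5%; a disbursement file that departs from that pattern is worth a closer look. The following is an added example, not the presenter’s material: the disbursement amounts are constructed, and the $5,000 dual-signature limit and the 5-percentage-point flag threshold are assumptions.

```python
"""Benford's Law first-digit test as a detective data-analytics control over
disbursement amounts (added example; not the presenter's material). The
amounts are constructed; the $5,000 limit and 5-point threshold are assumptions."""
import math
from collections import Counter

# Expected share of each leading digit d under Benford's Law: log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Constructed "clean" disbursement file: 300 amounts spread evenly on a log
# scale from $10 to just under $10,000, the shape Benford-conforming data has.
CLEAN = [round(10 ** (i / 100), 2) for i in range(100, 400)]

# Constructed suspicious file: the same 300 payments plus 120 invoices kept just
# under an assumed $5,000 dual-signature limit, which inflates leading digit 4.
SUSPICIOUS = CLEAN + [4800.00 + k for k in range(120)]


def first_digit(amount):
    """Leading non-zero digit of an amount, or None for a zero amount."""
    digits = f"{abs(amount):.2f}".lstrip("0.")
    return int(digits[0]) if digits else None


def first_digit_shares(amounts):
    """Observed share of each leading digit 1-9 (zero amounts are skipped)."""
    counts = Counter(d for d in map(first_digit, amounts) if d)
    total = sum(counts.values())
    return {d: counts[d] / total for d in range(1, 10)} if total else {}


def benford_deviations(amounts, threshold=0.05):
    """Digits whose observed share differs from Benford's expectation by more
    than `threshold`, mapped to the signed difference (observed - expected)."""
    shares = first_digit_shares(amounts)
    return {d: round(shares[d] - BENFORD[d], 3)
            for d in shares if abs(shares[d] - BENFORD[d]) > threshold}


if __name__ == "__main__":
    print("clean file deviations:", benford_deviations(CLEAN))
    print("suspicious file deviations:", benford_deviations(SUSPICIOUS))
```

A flagged digit points to a population to sample (here, every payment between $4,000 and $4,999), not to a specific fraudulent transaction; assigned invoice numbers or fixed-price contracts will also fail the test for innocent reasons.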

Internal Controls – Preventive – Detective – Corrective

Corrective – prevent recurrence of problems

• Revisit Risk assessment process
• Submit corrective journal entries after discovering an error.
• Review Policies and Procedures
• Changes to processes or personnel responsible
• Additional controls needed to prevent going forward
• Back-up Data so it can be restored in the event of a crash or improper transaction.

Remember – Risk Assessment is a Fluid Process. Not a “One and done and stick it in a drawer”

RISK ASSESSMENT & RISK MANAGEMENT

Internal Controls

Internal Controls

- All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept…

- Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value…

- Aligning risk appetite and strategy – evaluating alternatives, setting objectives and managing risk

- Enhancing risk response decisions – risk avoidance, reduction, sharing, and acceptance.

- Reducing operational surprises and losses – identify potential events and establish responses.

- Identifying and managing multiple and cross-enterprise risks

- Seizing opportunities – identify and proactively realize opportunities.

- Improving deployment of capital – assess overall capital needs and enhance capital allocation.

Internal Controls

RISK MANAGEMENT IS A PROCESS!!

- A process, ongoing and flowing through an entity

- Affected by people at every level of an organization

- Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk

- Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite

- Able to provide reasonable assurance to an entity’s management and board of directors

Internal Controls

VENDOR RISK ASSESSMENT CONTROL (External Influence)

Internal Controls

A Company Can Not Outsource Responsibility!

Target Breach

- HVAC and Refrigeration Company

- Network Credentials Stolen

- Why did HVAC Company have Network Credentials? A: to remote in and update software, patches

- Malware was downloaded to point of sale registers

- Credit Card Data Stolen

A Vendor Risk Assessment should be performed annually and include the following:

A listing of all vendors used by the company, including a description of the services provided by the vendor, the contract period covered, who is assigned to manage accountability of the vendor relationship, and a determination whether each vendor is a critical vendor.

For critical vendors, need to evaluate the internal control structure and potential risks to the company. Most companies require their critical vendors to have an independent internal control report performed by an outside accountant or security specialist (such as a Service Organization Control report).

Each vendor should be assigned an overall risk rating. The risk rating will be based upon such items as the vendor internal control report findings, any issues experienced with the vendor, any reputational issues the vendor has had, as well as any items that could potentially impact the security, confidentiality, or availability of company data. The vendor risk rating should be evaluated annually by management.

A contingency plan should be in place for all critical vendors relative to the services provided by the vendor.

Internal Controls

1. Planning – Identify vendors providing critical activities and update vendor management policies and procedures.

2. Due Diligence & Third-party Selection – Perform due diligence procedures and a vendor risk assessment for potential critical vendors.

3. Contract Negotiation – Negotiate a contract that clearly specifies rights and responsibilities of each party and periodically review contracts for critical vendors.

4. Ongoing Monitoring – Perform annual due diligence procedures and update vendor risk assessment for current critical vendors.

5. Termination – Implement a written contingency plan for critical vendors.

Internal Controls

Critical Vendor

- Does the vendor host any systems for the company that store sensitive data?

- If the vendor’s services were suddenly no longer available, would it significantly impact the company?

- Does the vendor provide any type of core services to the company?

- Does the vendor have access to the company's systems?

A YES to any of these questions leads to Critical Vendor. If all of the above responses are no, probably not a critical vendor.

Internal Controls

SYSTEM AND ORGANIZATION CONTROL (SOC) REPORTS

(Formerly Service Organization Control)

Internal Controls – SOC

– Organizations are increasingly outsourcing systems, business processes, and data processing to service providers.

– Cybersecurity and Information Security are top concerns for Governance, Management and Consumers.

– Responsibility cannot be outsourced.

– Increase in client interest in SOC reports as a result of customer and external audit demands.

– The AICPA released a series of reporting options called Service Organization Control (SOC) Reports to replace the former SAS 70 report.

– SOC reports are designed to help service organizations build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant.

Internal Controls – SOC

– Statement on Standards for Attestation Engagements No. 18 (SSAE 18) replaced SSAE No. 16 and SAS No. 70 in April 2017.

– Vendor Management and Risk Assessment/Analysis Focus

– Retains the original purpose of SAS No. 70 / SSAE 16

– Change name of report from an ‘SSAE 16’ to ‘SOC 1’

– SAS 70 was not intended to give assurance over controls related to non-financial subject matter

Internal Controls – SOC

SOC 1® Examinations (SSAE 18) – SOC for Service Organizations: ICFR

SOC 2® Examinations – SOC for Service Organizations: Trust Service Criteria

SOC for Cybersecurity

SOC 3® Examinations – SOC for Service Organizations: Trust Service Criteria for General Use Report

Internal Controls – SOC

Reports – Type 1 and Type 2

– Both report on the fairness of the presentation of management’s description of the service organization’s system, and…

– Type 1 also reports on the suitability of the design of the controls to achieve the related control objectives included in the description. Controls as of a specified date. Engagement scope includes a walkthrough of the controls.

– Type 2 also reports on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description. Controls are in place for a period of time. Engagement scope includes testing operating effectiveness throughout the period.

Internal Controls – SOC

Overview of SOC 2® Reports

– Intended to meet the needs of a broad range of users that need to understand internal controls as they relate to the five trust service principles.
  – Security
  – Availability
  – Processing Integrity
  – Confidentiality
  – Privacy

– Use of this report is limited and intended for stakeholders such as management of user entities, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls.

Internal Controls – SOC

Overview of SOC 2® Reports

– SOC 2® was put in place to address demands in the marketplace for assurance over non-financial controls

– If your client is an outsource for customers, where they handle information in different ways:
  – Operate
  – Collect
  – Process
  – Transmit
  – Store
  – Organize
  – Maintain, or
  – Dispose

Internal Controls – SOC

Trust Service Principles (Criteria in 2018)

– Security – The system is protected against unauthorized access, use or modification

– Availability – The system is available for operation and use as committed or agreed.

– Processing Integrity – System processing is complete, valid, accurate, timely, and authorized.

– Confidentiality – Information designated as confidential is protected as committed or agreed.

– Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CPA Canada.

Internal Controls – SOC

What do I do if I suspect Fraud?

- Get the right experts involved (typically you would call your attorney and also need to include a forensic specialist).

- Limit who you involve and communicate with internally and externally.

- Do not send anything via e-mail, text, etc. regarding the suspected fraud or the employee.

- Perform an investigation and document the facts. Create a timeline of key facts and conversations.

- Have a second person involved (preferably the attorney or forensic specialist) when meeting with the suspected employee.

Suspect Fraud

Possible Avenues of Recovery

- Insurance
- Litigation Against Employee
- Litigation Against Others
- Restitution Through Criminal Procedures

Possible Subjects for Internal Inspection

- Financial Statement Fraud
- Environmental Violations
- Tax Violations
- Foreign Corrupt Practices Act Violations
- Vendor Kickbacks
- False Claims Act Violations
- Medicare Fraud

Some Issues in Internal Investigation

- Clear Line of Reporting Results
- Privilege Issues
- Possible Involvement of Highly-Placed Officers
- Questions of Self-Reporting of Violations

QUESTIONS?

Paul M. Perry, FHFMA, CISM, CITP, [email protected]

205-769-3251