INTERNAL CONTROLS AND FRAUD DETECTION
FROM A to Z and WHY to HOW
Paul M. Perry, FHFMA, CISM, CITP, CPA
Member and Practice Leader
Presenter – Paul Perry
Paul Perry has been with Warren Averett since 2004 and is a Member in the Firm’s Corporate Advisory Services Group – focusing on risk and control related projects, such as internal control and information technology related projects, including Service Organization Control (SOC) engagements.
Paul is also a member of the Firm’s Data Analysis Group, a team of individuals within the Firm who provide data analysis solutions to both internal and external clients. For more than 11 years, he has specialized in accounting advisory and audit and review assurance services.
Paul is also a published author, columnist and regular speaker on topics such as data analysis, internal controls and information technology for accountants and auditors.
OUTLINE
- INTERNAL CONTROL KEYWORDS
- COSO
- FRAUD DISCUSSION
- EFFECTIVE INTERNAL CONTROLS
- RISK ASSESSMENT / MANAGEMENT
- VENDOR RISK ASSESSMENTS
- SERVICE AND ORGANIZATION CONTROLS
- WHAT TO DO IF YOU SUSPECT FRAUD
Internal Controls – from A to Z
- A – Analytics
- B – Benford’s
- C – Communication
- D – Documentation
- E – Everyone/Everyday
- F – Fraud
- G – Governance
- H – pHysical safeguards
- I – Integrity
- J – Justification
- K – Key
- L – Limitations
- M – Monitoring
- N – Non-key
- O – Opportunity
- P – P-D-C
- Q – Quality Control
- R – Risk
- S – Segregation of duties
- T – Tone at the top
- U – Uncertainty
- V – Vulnerability
- W – Weight
- X – eXamination
- Y – Year-end Review
- Z – Zero tolerance
Internal Controls – WHY?
COSO – Committee of Sponsoring Organizations (COSO)
- 1985
- American Accounting Association (AAA), the American Institute of CPAs (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and The Institute of Internal Auditors (IIA)
Internal Controls
COSO Enterprise Risk Management – Aligning Risk with Strategy and Performance
- Replacing 2004 ERM – Integrated Framework
- Overall Goal: To continue to encourage a risk-conscious corporate culture and to help organizations improve the way they identify, evaluate, and manage risk and opportunity in achieving their strategy.
Internal Controls – Why?
COSO Three Lines of Defense
- Addresses how specific duties related to risk and control could be assigned and coordinated within an organization, regardless of its size or complexity.
- Directors and management should understand the critical differences in roles and responsibilities of these duties and how they should be properly assigned.
Internal Controls – Why?
COSO Three Lines of Defense
- Senior Management are Owners
- Lies with the business and process owners whose activities create and/or manage the risks.
- Taking the right risks.
- Owns the risk, and the design and execution of the organization’s controls to respond to those risks.
Internal Controls – Why?
COSO Three Lines of Defense
- Support management by providing expertise, process excellence, and management monitoring
- Ensure that risk and control are effectively managed.
- Separate but are still under the control and direction of senior management
- Management and/or oversight function that owns many aspects of the management of risk.
Internal Controls – Why?
COSO Three Lines of Defense
- Assurance to senior management and the board.
- Not permitted to perform management functions to protect its objectivity and organizational independence.
- Usually a primary reporting line to the board.
- Assurance not a management function, which separates it from the second line of defense.
Internal Controls – WHY?
FRAUD TRIANGLE
RATIONALIZATION (Justification)
FRAUD SCHEMES
1. Revenue & Cash Receipts Schemes
2. Purchasing & Disbursement Schemes
3. Payroll & Expense Reporting
Internal Controls – WHY?
Red Flags for Fraud
- An employee with disbursement processing responsibilities who refuses to take more than a couple days vacation at a time.
- Control Issues – An employee who is over-controlling or overprotective of responsibilities.
- Behavioral changes indicating possible drug, alcohol, gambling addiction.
- Employee lifestyle changes: financial or significant debt issues, divorce, expensive cars/homes, etc.
- High employee turnover, especially in areas vulnerable to fraud.
- Wheeler/Dealer Type Attitude.
- Suspicious or defensive behavior.
Behavioral Red Flags (bar chart, values as percentages)
- Living Beyond Means – 45.8%
- Financial Difficulties – 30.0%
- Unusually Close Association with Vendor/Customer – 20.1%
- Control Issues, Unwillingness to Share Duties – 15.3%
- "Wheeler-Dealer" Attitude – 15.3%
- Divorce/Family Problems – 13.4%
- Irritability, Suspiciousness or Defensiveness – 12.3%
- Addiction Problems – 10.0%
Source: Report to the Nations on Occupational Fraud and Abuse
Internal Controls – WHY?
Common Internal Control Limitations
- Human error
- Fatigue
- Distractions
- Misunderstandings
- Carelessness
- Collusion
- Too Much Change Occurring
- Judgment / Trust
1. Organizations lose 5% of revenues to fraud annually (U.S. = $6.3 billion)
2. Organizations with anti-fraud controls experienced frauds that were up to 50% less costly and detected up to 50% more quickly
3. Mostly first-time perpetrators, no criminal history
4. Perpetrators with higher levels of authority tend to cause much larger losses (Linear Relationship: Authority, Education, and Age to Loss)
Fraud Hurts Everyone…Even Perpetrators
Fraud Facts/Conclusions…
5. Red flags - living beyond means, financial difficulties, excessive control issues – identified in 79% of cases
6. Small businesses – disproportionately victimized by fraud and under-protected by anti-fraud controls
7. External audits should not be relied upon as the primary anti-fraud mechanism. Primary detection method in just 6% of cases
Fraud Facts/Conclusions…
Fraud Hurts Everyone…Even Perpetrators
Potential Payroll Schemes To Consider
1. Ghost Employees – someone paid who is not a real person, or hired
2. Duplicate/Overpayments – paying someone twice, a little extra, for hours not worked, for vacation not earned
3. Improper Commission – commission based on falsified sales records, or incorrect rates
PAYROLL RISK ASSESSMENT…
Preventive Controls to Consider
1. Maintain Proper Segregation of Functions:
   - Personnel Records Should Be Maintained Independently from Payroll and Timekeeping Functions
   - Payroll Bank Accounts Should Be Reconciled by a Person who is not involved in PR Check Preparation, Check Signing, Payroll Processing, or Distribution
2. New Hires should be set up in PR system by HR
3. Reference / Background Checks should be performed before Hire
4. WH forms and Copies of SS Cards Obtained Upon Hire. Verify
5. Approval of OT by Supervisors
6. Two Levels of approval should be required for ALL changes in PR
7. Commissions should be calculated by someone independent of sales
PAYROLL RISK ASSESSMENT…
Detection Controls to Consider
1. Review of PR records for duplicate or missing SSNs
2. Comparison of PR and HR for terminations
3. Review of PR cancelled checks for alterations
4. Perform distribution of payroll checks by someone outside of payroll
5. Comparison of payroll rates to pay amounts per paychecks
6. Comparison of commissions to sales
7. Review of direct deposit reports for duplicate entries
8. Employee list should be checked for duplicate or missing home addresses or telephone #s
9. Verification of forms in HR to WH deductions
10. Verification of timecards to hours
PAYROLL RISK ASSESSMENT…
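The detection controls listed above can be scripted against the payroll register and the HR master. The Python below is an added example, not the presenter's code or tooling; the record layout, field names and sample rows are constructed assumptions:

```python
# Added example (not from the presentation): payroll detection checks run over
# constructed HR and payroll records. Field names and the sample data are assumptions.
from collections import defaultdict

# Constructed HR master. status "A" = active, "T" = terminated; rate is the hourly pay rate.
HR = [
    {"emp_id": "E100", "ssn": "123-45-6789", "status": "A", "rate": 25.00},
    {"emp_id": "E101", "ssn": "987-65-4321", "status": "T", "rate": 30.00},
    {"emp_id": "E102", "ssn": "123-45-6789", "status": "A", "rate": 22.00},  # SSN duplicates E100
    {"emp_id": "E103", "ssn": "", "status": "A", "rate": 40.00},             # SSN missing
]

# Constructed payroll register for one pay period: hours, gross pay, direct deposit account, contact data.
PAYROLL = [
    {"emp_id": "E100", "hours": 80, "gross": 2000.00, "account": "ACC-1", "address": "1 Main St", "phone": "555-0100"},
    {"emp_id": "E101", "hours": 80, "gross": 2400.00, "account": "ACC-2", "address": "2 Oak Ave", "phone": "555-0101"},
    {"emp_id": "E102", "hours": 80, "gross": 1760.00, "account": "ACC-1", "address": "1 Main St", "phone": "555-0100"},
    {"emp_id": "E103", "hours": 80, "gross": 4000.00, "account": "ACC-3", "address": "3 Elm Rd", "phone": "555-0103"},
    {"emp_id": "E999", "hours": 80, "gross": 3000.00, "account": "ACC-4", "address": "4 Pine Ct", "phone": "555-0104"},
]


def _shared_values(records, field):
    """Map each value of `field` found on more than one record to the sorted emp_ids sharing it."""
    seen = defaultdict(list)
    for r in records:
        seen[r[field]].append(r["emp_id"])
    return {v: sorted(ids) for v, ids in seen.items() if len(ids) > 1}


def run_payroll_checks(hr, payroll, tolerance=0.01):
    """Return {check_name: findings} for the detection controls on the slide (item numbers in comments)."""
    findings = defaultdict(list)
    hr_by_id = {r["emp_id"]: r for r in hr}

    # 1. Duplicate or missing SSNs in the master file.
    findings["missing_ssn"] = [r["emp_id"] for r in hr if not r["ssn"]]
    findings["duplicate_ssn"] = list(_shared_values([r for r in hr if r["ssn"]], "ssn").values())

    # 2. Payroll vs HR: paid but unknown to HR (ghost employee indicator) or paid after termination.
    for p in payroll:
        h = hr_by_id.get(p["emp_id"])
        if h is None:
            findings["not_in_hr"].append(p["emp_id"])
        elif h["status"] == "T":
            findings["paid_after_termination"].append(p["emp_id"])

    # 7 and 8. Duplicate direct deposit accounts, home addresses and phone numbers on the register.
    for field in ("account", "address", "phone"):
        findings["duplicate_" + field] = list(_shared_values(payroll, field).values())

    # 5 and 10. Recompute gross pay from the HR rate and reported hours and compare to the amount paid.
    for p in payroll:
        h = hr_by_id.get(p["emp_id"])
        if h is not None and abs(h["rate"] * p["hours"] - p["gross"]) > tolerance:
            findings["pay_rate_mismatch"].append((p["emp_id"], p["gross"], h["rate"] * p["hours"]))

    return dict(findings)


if __name__ == "__main__":
    for name, hits in run_payroll_checks(HR, PAYROLL).items():
        print(f"{name}: {hits}")
```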
Internal Auditors can assist
1. Periodic Review of Payrolls for Abnormalities
2. Performance of Detection Controls Testing
3. Periodic Payroll Distribution Test
4. Evaluation of Segregation of Functions
PAYROLL RISK ASSESSMENT…
Potential Schemes To Consider
1. Shell Company schemes – a fictitious (shell) company is created for the sole purpose of committing fraud
2. Non-accomplice vendor schemes – perpetrators intentionally mishandle payments owed to legitimate vendors (double-payments, paying wrong vendor, overpaying)
3. Personal purchases schemes – perpetrators purchase personal items and submit invoice as if it was for the company (furniture, computers, equipment, material)
4. Credit card & purchasing card schemes – employees misuse company cards to purchase personal items, or allow unauthorized individuals to use the cards.
DISBURSEMENT RISK ASSESSMENT…
Potential Schemes To Consider (continued)
5. Check Tampering Schemes – employees steal their employer’s funds by intercepting, forging, or altering a check drawn on one of the organization’s bank accounts
   • Forged Makers
   • Forged Endorsements
   • Altered Payee
   • Concealed Checks
   • Authorized Makers
6. Expense Reimbursement Schemes – perpetrator makes false claim for reimbursement of personal expenses or of fictitious or inflated business expenses (mischaracterized, overstated, fictitious, and/or multiple reimbursements)
DISBURSEMENT RISK ASSESSMENT…
Preventive Controls to Consider
1. Maintain Proper Segregation of Functions: Separate the duties of AP processing, vendor master file maintenance, check stock custody, check preparation, check signing, check mailing and bank reconciliation. Separate requisition, purchasing & receiving functions
2. Restrict access to AP and Cash Disbursement systems – with physical and software controls (locked area, passwords)
3. Restrict access to vendor master file and flag any changes to file, periodically purge file for only active approved vendors
DISBURSEMENT RISK ASSESSMENT…
Preventive Controls to Consider
4. Maintain approved vendor list independently of the purchasing department
5. Use payable system to identify duplicate or multiple payments to vendor in same day.
6. Do not pay from statements, only from original invoices
7. Severely restrict the use of manual checks
8. Use positive pay systems
DISBURSEMENT RISK ASSESSMENT…
Preventive Controls to Consider
9. Require dual signature for payments over a certain dollar amount
10. Never sign blank checks
11. Restrict access to signed checks and ensure they are mailed as soon as possible after signing.
   • Checks should be distributed by someone independent of AP and cash disbursement function
DISBURSEMENT RISK ASSESSMENT…
Preventive Controls to Consider
12. Have clear policy on what constitutes a reimbursable expense
13. Establish policies and procedures regarding travel and entertainment, including limits
14. Require original receipts for expense reimbursements – no photocopies
15. Require supervisory approval of expense reports
16. And……more
DISBURSEMENT RISK ASSESSMENT…
Detection Controls to Consider
1. Review purchases by vendors for abnormalities
2. Compare employee and payroll files for “like” addresses, phone #’s
3. Perform post disbursement audits - internal audit and with vendors
4. Review bank statement enclosures for reasonableness, compliance with established guidelines, other potential irregularities
DISBURSEMENT RISK ASSESSMENT…
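Preventive control 5 (use the payable system to identify duplicate or multiple payments to a vendor in the same day) and detection control 1 (review purchases by vendor for abnormalities) can be run as a scripted test over the check register. The Python below is an added example, not the presenter's; the register layout, the invoice normalization rule and the rows are constructed assumptions, and it goes beyond the slide by also matching on normalized invoice numbers and on equal amounts a few days apart:

```python
# Added example (not from the presentation): duplicate payment checks over a constructed
# cash disbursement register. Field names, invoice normalization rule and data are assumptions.
import re
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed check register: one row per payment.
PAYMENTS = [
    {"check": "1001", "vendor": "V10", "date": "2024-03-04", "invoice": "INV-0042", "amount": 1250.00},
    {"check": "1002", "vendor": "V10", "date": "2024-03-04", "invoice": "inv42", "amount": 1250.00},
    {"check": "1003", "vendor": "V11", "date": "2024-03-04", "invoice": "A-77", "amount": 300.00},
    {"check": "1004", "vendor": "V11", "date": "2024-03-05", "invoice": "A-78", "amount": 300.00},
    {"check": "1005", "vendor": "V12", "date": "2024-03-06", "invoice": "9001", "amount": 5000.00},
    {"check": "1006", "vendor": "V12", "date": "2024-03-20", "invoice": "9001", "amount": 5000.00},
]


def normalize_invoice(ref):
    """Uppercase, drop punctuation and spaces, drop leading zeros of each digit run,
    so that "INV-0042" and "inv42" compare equal while "9001" stays distinct from "901"."""
    ref = re.sub(r"[^A-Z0-9]", "", ref.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", ref)


def find_duplicate_payments(payments, amount_window_days=7):
    """Three duplicate-payment tests: same vendor paid more than once on one day (control 5 on the
    slide), same vendor and same normalized invoice, and same vendor and amount within a few days."""
    findings = {"same_vendor_same_day": [], "same_invoice": [], "same_amount_close_dates": []}
    by_day, by_invoice = defaultdict(list), defaultdict(list)
    for p in payments:
        by_day[(p["vendor"], p["date"])].append(p["check"])
        by_invoice[(p["vendor"], normalize_invoice(p["invoice"]))].append(p["check"])
    for key, checks in by_day.items():
        if len(checks) > 1:
            findings["same_vendor_same_day"].append((key, sorted(checks)))
    for key, checks in by_invoice.items():
        if len(checks) > 1:
            findings["same_invoice"].append((key, sorted(checks)))
    for a, b in combinations(payments, 2):
        if a["vendor"] == b["vendor"] and a["amount"] == b["amount"]:
            gap = abs((date.fromisoformat(a["date"]) - date.fromisoformat(b["date"])).days)
            if gap <= amount_window_days:
                findings["same_amount_close_dates"].append(
                    (a["vendor"], a["amount"], sorted([a["check"], b["check"]])))
    return findings


if __name__ == "__main__":
    for test, hits in find_duplicate_payments(PAYMENTS).items():
        print(test, hits)
```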
Internal Controls
COSO Model for Internal Controls
- 17 Principles
- 5 Components
- Applied to:
  - Financial Controls
  - Operational Controls
  - Technology Controls
  - Cyber Risks
  - Compliance Controls
Internal Controls
Source: COSO
Illustrative Documents:
- Illustrative Tools for Assessing Effectiveness of a System of Internal Control
- Internal Control over External Financial Reporting: A Compendium of Approaches and Examples
Internal Controls: Preventive – Detective – Corrective
Preventive – prevent problems from occurring (Proactive)
• Policies
• Training / Awareness
• Fraud
• Hiring Practices (thorough background checks)
• Reasonable Performance Controls
• Mandatory Vacation / Job Rotation
• Solid IT Controls
• Ethics Policy
• Internal Audit
• Segregation of Duties
• Monitoring
• Adequate Documentation
• pHysical safeguards
Weakness in Preventive Controls Increases the Burden on Detection Controls
Internal Controls: Preventive – Detective – Corrective
Detective – identify problems after occurrence (Reactive)
• Data Analytics
• Data-mining
• Benford’s Law
• Physical Inspection
• Benchmarking
• Reviews
• Quality Controls
• Reconciliations
• Whistleblower Policy / Hotline
Communication that Company has a Detection Plan = Strong Deterrent to Fraud
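Benford’s Law, listed above among the data analytics controls, compares the leading-digit distribution of a population of amounts with the logarithmic distribution it predicts; a ledger padded with claims priced just under an approval limit shows up as an excess of one leading digit. The Python below is an added example, not part of the presentation; both ledgers are constructed, and the chi-square cutoff is an assumed 5% significance level:

```python
# Added example (not from the presentation): a Benford's Law first-digit test over
# constructed transaction amounts. The data and the 5% chi-square cutoff are assumptions.
import math
from collections import Counter

# Benford's expected share of each leading digit d: log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRITICAL_5PCT_8DF = 15.51  # chi-square critical value, 8 degrees of freedom, alpha = 0.05

GOLDEN = 0.6180339887
# Constructed "genuine" ledger: 500 amounts between $100 and $1,000 whose log10 mantissas are
# spread evenly (the multiplicative kind of data Benford's Law describes).
GENUINE = [round(10 ** (2 + (i * GOLDEN) % 1), 2) for i in range(1, 501)]
# Constructed manipulated ledger: the same amounts plus 300 claims kept just under a $50 approval limit.
MANIPULATED = GENUINE + [round(49 + (i * GOLDEN) % 1, 2) for i in range(1, 301)]


def first_digit(amount):
    """Leading non-zero digit of an amount, or None for zero."""
    digits = f"{abs(amount):.2f}".lstrip("0.")
    return int(digits[0]) if digits else None


def benford_test(amounts):
    """Compare observed first-digit counts with Benford's expectation using a chi-square statistic."""
    digits = [d for d in map(first_digit, amounts) if d]
    n = len(digits)
    if n == 0:
        return {"n": 0, "chi2": 0.0, "rows": [], "suspicious": False}
    counts = Counter(digits)
    chi2 = 0.0
    rows = []
    for d in range(1, 10):
        expected = BENFORD[d] * n
        observed = counts.get(d, 0)
        chi2 += (observed - expected) ** 2 / expected
        rows.append((d, observed, round(expected, 1)))
    return {"n": n, "chi2": round(chi2, 2), "rows": rows,
            "suspicious": chi2 > CHI2_CRITICAL_5PCT_8DF}


if __name__ == "__main__":
    for label, data in (("genuine", GENUINE), ("manipulated", MANIPULATED)):
        result = benford_test(data)
        print(label, "n =", result["n"], "chi2 =", result["chi2"], "suspicious =", result["suspicious"])
        for d, observed, expected in result["rows"]:
            print(f"  digit {d}: observed {observed:4d}  expected {expected:6.1f}")
```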
Internal Controls: Preventive – Detective – Corrective
Corrective – prevent recurrence of problems
• Revisit Risk assessment process
• Submit corrective journal entries after discovering an error.
• Review Policies and Procedures
• Changes to processes or personnel responsible
• Additional controls needed to prevent going forward
• Back-up Data so it can be restored in the event of a crash or improper transaction.
Remember – Risk Assessment is a Fluid Process. Not a “One and done and stick it in a drawer”
Internal Controls
- All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept…
- Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value…
- Aligning risk appetite and strategy – evaluating alternatives, setting objectives and managing risk
- Enhancing risk response decisions – risk avoidance, reduction, sharing, and acceptance.
- Reducing operational surprises and losses – identify potential events and establish responses.
- Identifying and managing multiple and cross-enterprise risks
- Seizing opportunities – identify and proactively realize opportunities.
- Improving deployment of capital – assess overall capital needs and enhance capital allocation.
Internal Controls
RISK MANAGEMENT IS A PROCESS!!
- A process, ongoing and flowing through an entity
- Affected by people at every level of an organization
- Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk
- Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
- Able to provide reasonable assurance to an entity’s management and board of directors
Internal Controls
A Company Can Not Outsource Responsibility!
Target Breach
HVAC and Refrigeration Company
Network Credentials Stolen
Why did HVAC Company have Network Credentials?
A: to remote in and update software, patches
Malware was downloaded to point of sale registers
Credit Card Data Stolen
A Vendor Risk Assessment should be performed annually and include the following:
A listing of all vendors used by the company, including a description of the services provided by the vendor, the contract period covered, who is assigned to manage accountability of the vendor relationship, and a determination whether each vendor is a critical vendor.
For critical vendors, need to evaluate the internal control structure and potential risks to the company. Most companies require their critical vendors to have an independent internal control report performed by an outside accountant or security specialist (such as a Service Organization Control report).
Each vendor should be assigned an overall risk rating. The risk rating will be based upon such items as the vendor internal control report findings, any issues experienced with the vendor, any reputational issues the vendor has had, as well as any items that could potentially impact the security, confidentiality, or availability of company data. The vendor risk rating should be evaluated annually by management.
A contingency plan should be in place for all critical vendors relative to the services provided by the vendor.
Internal Controls
1. Planning – Identify vendors providing critical activities and update vendor management policies and procedures.
2. Due Diligence & Third-party Selection – Perform due diligence procedures and a vendor risk assessment for potential critical vendors.
3. Contract Negotiation – Negotiate a contract that clearly specifies rights and responsibilities of each party and periodically review contracts for critical vendors.
4. Ongoing Monitoring – Perform annual due diligence procedures and update vendor risk assessment for current critical vendors.
5. Termination – Implement a written contingency plan for critical vendors.
Internal Controls
Critical Vendor decision tree (flowchart)
- Does the vendor host any systems for the company that store sensitive data?
- Does the vendor have access to the company's systems?
- Does the vendor provide any type of core services to the company?
- If the vendor’s services were suddenly no longer available, would it significantly impact the company?
YES to any of the above: Critical Vendor
If all of the above responses are no, probably not a critical vendor.
Internal Controls
Internal Controls – SOC
– Organizations are increasingly outsourcing systems, business processes, and data processing to service providers.
– Cybersecurity and Information Security are top concerns for Governance, Management and Consumers.
– Responsibility cannot be outsourced.
– Increase in client interest in SOC reports as a result of customer and external audit demands.
– The AICPA released a series of reporting options called Service Organization Control (SOC) Reports to replace the former SAS 70 report.
– SOC reports are designed to help service organizations build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant.
Internal Controls – SOC
– Statement on Standards for Attestation Engagements No. 18 (SSAE 18) replaced SSAE No. 16 and SAS No. 70 in April 2017.
– Vendor Management and Risk Assessment/Analysis Focus
– Retains the original purpose of SAS No. 70 / SSAE 16
– Change name of report from an ‘SSAE 16’ to ‘SOC 1’
– SAS 70 was not intended to give assurance over controls related to non-financial subject matter
Internal Controls – SOC
SOC 1® Examinations (SSAE 18) – SOC for Service Organizations: ICFR
SOC 2® Examinations – SOC for Service Organizations: Trust Service Criteria
SOC for Cybersecurity
SOC 3® Examinations – SOC for Service Organizations: Trust Service Criteria for General Use Report
Internal Controls – SOC
Reports – Type 1 and Type 2
– Both report on the fairness of the presentation of management’s description of the service organization’s system, and…
– Type 1 also reports on the suitability of the design of the controls to achieve the related control objectives included in the description. Controls as of a specified date. Engagement scope includes a walkthrough of the controls.
– Type 2 also reports on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description. Controls are in place for a period of time. Engagement scope includes testing operating effectiveness throughout the period.
Internal Controls – SOC
Overview of SOC 2® Reports
– Intended to meet the needs of a broad range of users that need to understand internal controls as they relate to the five trust service principles:
  – Security
  – Availability
  – Processing Integrity
  – Confidentiality
  – Privacy
– Use of this report is limited and intended for stakeholders such as management of user entities, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls.
Internal Controls – SOC
– SOC 2® was put in place to address demands in the marketplace for assurance over non-financial controls
– If your client is an outsource for customers, where they handle information in different ways:
  – Operate
  – Collect
  – Process
  – Transmit
  – Store
  – Organize
  – Maintain, or
  – Dispose
Overview of SOC 2® Reports
Internal Controls – SOC
Trust Service Principles (Criteria in 2018)
– Security – The system is protected against unauthorized access, use or modification
– Availability – The system is available for operation and use as committed or agreed.
– Processing Integrity – System processing is complete, valid, accurate, timely, and authorized.
– Confidentiality – Information designated as confidential is protected as committed or agreed.
– Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CPA Canada.
Internal Controls – SOC
What happens if I suspect fraud?
- Get the right experts involved (typically you would call your attorney and also need to include a forensic specialist).
- Limit who you involve and communicate with internally and externally.
- Do not send anything via e-mail, text, etc. regarding the suspected fraud or the employee.
- Perform an investigation and document the facts. Create a timeline of key facts and conversations.
- Have a second person involved (preferably the attorney or forensic specialist) when meeting with the suspected employee.
Suspect Fraud
Possible Avenues of Recovery
- Insurance
- Litigation Against Employee
- Litigation Against Others
- Restitution Through Criminal Procedures
Suspect Fraud
Possible Subjects for Internal Inspection
- Financial Statement Fraud
- Environmental Violations
- Tax Violations
- Foreign Corrupt Practices Act Violations
- Vendor Kickbacks
- False Claims Act Violations
- Medicare Fraud
Suspect Fraud
Some Issues in Internal Investigation
- Clear Line of Reporting Results
- Privilege Issues
- Possible Involvement of Highly-Placed Officers
- Questions of Self-Reporting of Violations
Suspect Fraud