
  1. An Organization-Wide Model of Fraud Protection
     By Gerard M. Zack, CPA, CFE, ACFE Fellow
     Partner – Wipfli, LLP
     Founder – Nonprofit Resource Center
     (301) 987-0287
  2. Fraud – 2002 ACFE Study
     - $600 Billion/Year
         - Up from $400 billion estimate in 1996
         - 13.4% of cases studied involved nonprofits
     - 6% of Annual Revenue Lost to Fraud
     - Average Fraud Scheme Lasts 18 Months Before Being Detected
     - Small Organizations Are Most Vulnerable
  3. Three Categories of Fraud
     - Fraud committed against an organization
         - Our focus today
     - Fraud committed by an organization
         - Financial reporting fraud
         - Fundraising fraud
         - Program fraud
     - Fraud committed through an organization
         - By employees against third parties
         - Credit card fraud or identity theft
  4. Fraud Committed Against Organizations
     - Asset Misappropriations
         - Theft or misuse of assets
         - 85% of fraud cases involve this
     - Corruption
         - Inappropriate use of one’s influence in a business transaction
         - Kickbacks and conflicts of interest
  5. Asset Misappropriations
     - Fraudulent Disbursements
         - Most common type of asset misappropriation
         - Disbursement schemes, billing schemes, payroll and expense reimbursement schemes, check tampering
     - Skimming
         - Stealing cash prior to it being recorded on the organization’s books
     - Cash Larceny
         - Stealing cash after it has been recorded
     - Theft of Noncash Assets (Inventory, etc.)
  6. Our Goals
     - Prevent as much fraud as possible
     - Utilize detective controls to catch what cannot be prevented
     - Insure against acts that are not prevented or detected
     - Accept a certain, minimal level of risk
     - Continually update our understanding of fraud risks and manage those risks
     - Utilize EVERYONE in an ongoing system of fraud deterrence
  7. Factors Present in All Frauds
     - Intent
     - Motive
         - External (substance abuse, peer pressure, health problems, etc.)
         - Internal (feeling unfairly treated, job pressures, etc.)
     - Opportunity
         - Real or perceived weaknesses in controls
     - Rationalization
         - Depersonalization, entitlement, etc.
     - Concealment
  8. Fraud Prevention & Detection
     - Financial Controls
         - Preventive controls
         - Detective controls
     - Non-Financial Systems
     - Management Oversight and Behavior
  9. For More on Fraud Protection, See:
     Fraud and Abuse in Nonprofit Organizations: A Guide to Prevention and Detection
     by Gerard M. Zack, CFE, CPA
     Published by John Wiley & Sons, Inc., June 2003
  10. I. Financial Controls Over Frauds Against Organizations
  11. Financial Controls
      - Two Categories
          - Preventive
          - Detective
      - Maintain in Written Form
      - Certain Elements Common to all Cycles
          - Segregation of duties
      - Other Elements Unique to Specific Cycles
          - Cash receipts
          - Cash disbursements
          - Payroll
  12. Segregation of Duties
      - Goal: Make it Impossible to Commit and Conceal a Fraud
      - Example: Separate Functions Involved in Handling Funds From Those Involved With Recording
  13. Examples of Revenue and Cash Receipts Frauds
      - Skimming – Most Common and Our Focus Today
      - Theft of Donated Assets
      - Write-offs of Receivables and Unauthorized Credits
      - Lapping Schemes
      - Unrecorded Sales
  14. Skimming
      - “Off-Book” Fraud - Stolen Prior to Entry on Books
          - Mail receipts
          - On-site receipts at events
          - Unrecorded sales (retail, warehouse, etc)
      - Checks are Just as Vulnerable as Cash
          - Establish phony account in name of organization
      - Contributions are Most Vulnerable
          - No exchange (outflow of resources)
      - Other Revenue Streams Also
          - Dues, off-site events, seminars, late fees
  15. Revenue & Cash Receipts Controls
      - Segregation of Duties (receipt of funds from recording, posting to A/R, etc.)
      - Dual Control
          - Also rotation of duties, mandatory vacations
      - Lockbox
      - Timely Reconciliations (A/R, etc.)
      - Reasonableness Testing of Income Accounts
      - Trend and Budget Variance Analysis
      - Ratio Analysis
  16. Additional Controls for Contributions
      - Dual Control or Lockbox
      - Use and Reconciliation of Business Reply Mail for Solicitations
      - Publication of Donor Names
      - Controls Over Acknowledgement Letters and/or Receipts (not very reliable as a control)
      - Periodic/Annual Donor Statements
      - Rotation of Duties and Analysis of Recorded Contributions
  17. Examples of Purchasing and Cash Disbursements Frauds
      - Billing Schemes (most common)
          - Internal
          - External
      - Check Tampering
      - Electronic Funds Transfers
      - Conflicts of Interest
      - Kickbacks
      - Fraudulent Bidding Processes
  18. Billing Schemes
      - Personal Purchases
      - Fictitious Vendor
      - Duplicate Payments
      - Refund Schemes
      - Financial Assistance Schemes
  19. Fictitious Vendor Schemes
      - Usually Service-Providers
      - May be Former Valid Vendors
      - Insertion of Fraudulent Invoice
      - Authorization:
          - Perp is authorized to approve
          - Perp relies on “rubber-stamp” approval
          - Perp creates phony supporting documentation
      - May or May Not Need to Intercept Payment
  20. Duplicate Payments
      - Submit Statement From Vendor, After Invoices Have Been Paid
      - Submit Copies of Invoices
      - Usually Need to Intercept Payment to Prevent Mailing to Valid Vendor
      - Conversion to Cash Via:
          - Establishment of account in vendor name
          - Sign payment over to another payee
  21. Refund Schemes
      - Common With Seminars, Conferences, etc. if not Properly Controlled
      - Refund Checks Generated in Connection With Registrants Who Have not Cancelled
      - Controls Over Refunds Often Much Weaker than Controls Over Other Cash Disbursements (Purchases)
  22. Check Tampering
      - Forgery of Signatures
          - Most common method
      - Altering Amounts or Payees
          - Check-washing, erasing, etc.
      - Duplicate Checks
          - Create phony checks
      - Need to Conceal Through Bank Reconciliation
  23. Conflicts of Interest
      - Insider has Undisclosed Interest (Direct or Indirect) in the Transaction
      - Often Involves Vendors or Subcontractors in Whom Board Members, Executives Have Interest
      - Can Also Involve Customers (i.e. authorizing below-market prices, discounts, etc.)
  24. Kickbacks
      - Payments From Vendors to Purchasing Agents
      - Associated With:
          - Bid-rigging
          - Inflated prices
          - Unnecessary purchases
          - Billing for goods not delivered
  25. Purchasing & Disbursements Controls
      - Segregation of Duties (esp. initial receipt of bank statement and checks from writing and recording)
      - Only Pay From Original Invoices (no copies or statements)
      - Mail all Vendor Payments – No Returning of Checks to Person who Requested
      - Matching with Supporting Documents
      - Analysis of Vendor Master File and Payment Histories
      - Use of “Positive Pay” System
  26. Bank Reconciliation
      - Review Statement for Duplicate Checks or Un-Numbered Checks
      - Investigate Gaps in Check Numbers
      - Review Statement for Other Debits
      - Examine Returned Checks
          - Signs of alteration or forged signatures
          - Review endorsements for consistency
      - Compare Payees With Check Register or Disbursements Journal
      - Verify Lists of Voided Checks
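
The Bank Reconciliation checks above can be run as a script over an exported check register and the cleared items. This is an added example, not part of the original presentation; the record layout, the finding names and the sample data are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample data, not from the presentation. Amounts are in cents.
# Check register: check number -> (payee, amount, status)
REGISTER = {
    1001: ("Acme Office Supply", 25000, "issued"),
    1002: ("City Utilities", 48010, "issued"),
    1003: ("Acme Office Supply", 7500, "void"),
    1004: ("Harbor Printing", 120000, "issued"),
    1006: ("Harbor Printing", 31000, "issued"),
}
# Cleared items as read from the statement and the returned checks:
# (check number or None, payee on the check, amount)
CLEARED = [
    (1001, "Acme Office Supply", 25000),
    (1002, "City Utilities", 48010),
    (1003, "J. Smith", 7500),
    (1004, "Harbor Printing", 120000),
    (1004, "Harbor Printing", 120000),
    (None, "Cash", 50000),
    (1006, "Harbor Print Co", 310000),
]


def reconcile(register, cleared):
    """Return a list of (finding, check_number, detail) tuples."""
    findings = []
    counts = Counter(num for num, _, _ in cleared if num is not None)
    reviewed = set()
    for num, payee, amount in cleared:
        if num is None:
            # Un-numbered check on the statement.
            findings.append(("unnumbered", None, f"{payee}: {amount / 100:.2f}"))
            continue
        if num in reviewed:
            continue  # later copies of a duplicate were reported on first sight
        reviewed.add(num)
        if counts[num] > 1:
            findings.append(("duplicate", num, f"cleared {counts[num]} times"))
        entry = register.get(num)
        if entry is None:
            findings.append(("not_in_register", num, payee))
            continue
        reg_payee, reg_amount, status = entry
        if status == "void":
            # A check on the voided list should never clear the bank.
            findings.append(("void_cleared", num, payee))
        if payee.strip().lower() != reg_payee.strip().lower():
            findings.append(("payee_mismatch", num, f"{reg_payee!r} -> {payee!r}"))
        if amount != reg_amount:
            findings.append(("amount_mismatch", num, f"{reg_amount} -> {amount}"))
    # Gaps in the register's own check number sequence.
    numbers = sorted(register)
    for low, high in zip(numbers, numbers[1:]):
        for missing in range(low + 1, high):
            findings.append(("gap", missing, "no register entry"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(REGISTER, CLEARED):
        print(finding)
```

Each finding is a lead for manual follow-up (pulling the returned check, examining the endorsement), not proof of tampering.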
  27. Other Detective Controls
      - Budget to Actual Expense Analysis
      - Trend Analysis
      - Ratio Analysis
          - Vertical analysis
          - Ratios involving non-financial factors
  28. Payroll Schemes
      - Ghost Employees
      - Over-stating Hours Worked
      - Over-stating Pay Rates
      - Expense Reporting Schemes
          - Duplicate or personal expenditures
          - Airfare schemes
  29. Ghost Employees
      - Insert New Employee on Payroll
          - Need access to payroll master files
      - Fail to Remove Valid Departing Employee from Payroll
          - Change address or direct deposit account information
  30. Over-Stating Hours Worked
      - No Need to Have Access to Payroll Master Files – Simply Falsify Time Record
      - May Rely on Rubber-Stamp Approval of Supervisor
      - May Involve Changes to Record After Supervisor Approval
  31. Over-Stating Pay Rates
      - Need Access to Payroll Master Files
      - May or May Not Involve Collusion
  32. Payroll Controls
      - Segregation of Duties
          - Especially H.R. duties (master file data) from Payroll Processing
      - Data Analysis
          - Cross-check addresses, direct deposit info., etc.
          - Look into employees with no deductions
          - Match checks/stubs with employees
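
The payroll data analysis listed above (cross-checking addresses and direct deposit accounts, looking for employees with no deductions, matching paid records to employees) can be sketched as follows. This is an added example, not part of the original presentation; the field names, flag names and sample records are assumptions constructed for illustration, and the H.R. roster is kept as a separate input to reflect the segregation of H.R. master data from payroll processing.

```python
import re
from collections import defaultdict

# Constructed payroll run, not real data. Deductions are in cents.
PAYROLL = [
    {"id": "E01", "address": "12 Oak St, Apt 4", "account": "A-4401", "deductions_cents": 41250},
    {"id": "E02", "address": "88 Pine Ave", "account": "A-7730", "deductions_cents": 38000},
    {"id": "E03", "address": "5 Elm Rd", "account": "A-2210", "deductions_cents": 29500},
    {"id": "E04", "address": "5 elm rd.", "account": "A-2210", "deductions_cents": 0},
    {"id": "E05", "address": "301 Lake Dr", "account": "A-9005", "deductions_cents": 35000},
]
# Active employees according to H.R., maintained independently of payroll.
HR_ROSTER = {"E01", "E02", "E03"}


def norm_address(addr):
    """Lowercase, drop punctuation and collapse whitespace before comparing."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())


def flag_payroll(payroll, hr_roster):
    """Return {employee_id: sorted list of flags} for records needing review."""
    flags = defaultdict(set)
    by_account = defaultdict(list)
    by_address = defaultdict(list)
    for rec in payroll:
        by_account[rec["account"]].append(rec["id"])
        by_address[norm_address(rec["address"])].append(rec["id"])
        if rec["deductions_cents"] == 0:
            flags[rec["id"]].add("no_deductions")
        if rec["id"] not in hr_roster:
            # Paid this period but unknown to H.R.: a new ghost record or a
            # departed employee who was never removed from payroll.
            flags[rec["id"]].add("not_in_hr_roster")
    for label, index in (("shared_account", by_account), ("shared_address", by_address)):
        for ids in index.values():
            if len(ids) > 1:
                for emp in ids:
                    flags[emp].add(label)
    return {emp: sorted(found) for emp, found in sorted(flags.items())}


if __name__ == "__main__":
    for emp, found in flag_payroll(PAYROLL, HR_ROSTER).items():
        print(emp, found)
```

Shared addresses and accounts also occur legitimately (spouses or housemates on the same payroll), so the flags rank records for review rather than decide them.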
  33. Expense Report Controls
      - Travel Authorizations in Anticipation of all Trips
      - Limit Travel Advances and Have Employee Authorize Deduction From Pay if not Accounted for
      - Timely Preparation and Submission of Expense Report
      - Appropriate Supporting Documentation
      - Establish and Monitor Travel Budgets
      - Per Diems or Specific Documentation Requirements
  34. Supporting Documentation
      - Itemized Hotel Bills for Lodging
          - Do not accept credit card receipts
      - Receipts for Meals, Entertainment
      - Boarding Passes and Receipts for Airfare
          - Proof that trip was taken – itineraries only show that a reservation was made
  35. Expense Report Review
      - Match Authorized Dates of Travel With Supporting Documentation
          - Watch for extra nights of lodging, etc.
      - Original Supporting Documentation
          - Vendor invoices (hotels, etc.), not just credit card receipts
      - Documentation of Business Purpose, etc. per IRS Requirements
      - Compare all Information on Receipts
          - Match airline ticket numbers
      - Cross-Check to Co-Workers’ Reports
  36. Internal Controls Were Responsible for the Initial Detection of Fraud in Only 15% of Cases Studied
      Source: 2002 ACFE Report to the Nation on Occupational Fraud and Abuse
  37. Initial Detection of Fraud
      - Tips From Employees (26%)
      - By Accident (19%)
      - Internal Audit (19%)
      - Internal Controls (15%)
      - External Audit (11%)
      - Tip From Customer (9%)
      - Tip From Vendor (5%)
  38. Patterson & Kim Study
      - Workers Spend an Average of 7 Hrs/wk Goofing Off
      - 1 in 6 Workers Drank or Used Drugs at Work
      - 50% Feel One Gets Ahead Based on Politics, not Hard Work
      - 25% Expect to Compromise their Beliefs to Get Ahead on the Job
      - Only 20% are “Very Satisfied” With Jobs
  39. What Does This Tell Us?
      - Internal Controls Generally Need to be Strengthened, AND
      - Systems Other Than Traditional Financial Controls Play Integral Roles in Fraud Prevention and Detection
  40. II. Non-Financial Systems
  41. Non-Financial Systems
      - Several Non-Financial Systems Play Roles in Controlling Fraud
      - Among the Most Important:
          - Information Technology Systems
          - Human Resources Systems (our focus today)
          - Physical Security
          - Communications Systems (our focus today)
          - Insurance Protection
  42. H.R. Systems (1)
      - Hiring Policies and Practices
          - Identity verification
          - Background checks
      - New Employee Orientation
          - Establish tone
      - Codes of Conduct
          - Ethical behavior, policy on suspected misbehavior, etc.
      - Performance Evaluation Systems
  43. H.R. Systems (2)
      - Grievance Policies
      - Compensation Adjustment Practices
          - Must be viewed as fair in all respects
      - Counseling of Troubled Employees
          - Alcoholism, drug abuse, etc.
      - Exit Interviews
          - Conduct by H.R. and/or Someone Other than Direct Supervisor
  44. Communications
      - Organization Chart
          - Clear understanding of lines of communication
      - Access to Audit Committee
          - Or equivalent board-level representatives
      - Hotlines
          - Anonymous reporting of suspected fraud and abuse by employees
      - External
          - Crisis management
  45. Hotlines
      - Allow for Anonymous Reporting of Suspected Wrongdoing
      - Utilize Third-Party Services (EthicsLine of the Association of CFE’s; Pinkerton Security; Other Services)
      - FraudNet, a Service of GAO to Report Wrongdoing Involving Federal Funds
          - [email_address]
          - (202) 512-3086
  46. Bonding Coverage
      - Perpetrator Must be an Employee of Insured (Check Policy for Whether Volunteers are Covered)
      - Many Policies Require That Loss be Reported to Law Enforcement
      - Dishonest Act Must Occur and be Discovered During Bond Period
      - Policy May or May Not Cover Fidelity Claims Expenses (Costs of Investigation)
  47. Bonding Coverage Denied If
      - Loss not Reported Timely
      - Reasonable Precautions not Taken
      - Misleading or Incomplete Information Provided in Application
      - Failure to Provide Updated Information About Risks/Operations
      - Failure to Follow Policies That Organization Claims are in Place
  48. III. Management Oversight
  49. Management Oversight
      - Day-to-Day Management Activities
      - Board of Directors
      - Financial Oversight
  50. Day-to-Day Management
      - Setting an Example – Follow all Policies
          - “Tone at the top”
          - Communicate seriousness of fraud control
      - All Supervisors and Managers Have Responsibilities
      - Enforcement of Policies
          - And reward ethical behavior
      - Responding to Fraud
      - Open-Door Policies
      - Corrective Actions
  51. Board of Directors
      - Oversight Responsibilities
      - Establishment of Committees
      - Audit Committee
          - External audit
          - Internal audit
          - Investigative
      - Managing Conflicts of Interest
      - Direct Responsibilities Associated with Upper-Level Fraud
  52. Audit Functions
      - External Audit
      - Internal Audit
      - Special Audits and Investigations
  53. External Audit
      - Limited to Items That are “Material” to the Financial Statements
          - Provides reasonable assurance that financial statements are free of material misstatement
      - New Audit Standard SAS No. 99 Clarifies and Attempts to Provide Guidance to Auditors, But Does Not Change the Ultimate Level of Assurance You Get From an Audit
  54. Internal Audit Function
      - Provides for More Detailed Analysis in Areas of Greatest Risk
      - Need or Degree of Use Varies Based on Complexity & Risks of Organization
      - Important Detective Control
      - Average Loss From Fraud:
          - With Internal Audit Function = $87,500
          - Without = $153,000
  55. Financial Oversight
      - Budgeting
          - Establishing budgets
          - Variance analysis
      - Financial Analysis
          - Analysis of financial statements
          - Trend analysis
          - Ratio analysis
          - Benchmarking
  56. Budgeting
      - Early and Timely Completion
      - Board Involvement
      - Zero-Based Budgeting
      - Format to Facilitate Analysis
      - Accountability
  57. Variance Analysis
      - Timely – Throughout the Year
      - Involve All Who Are Accountable
      - Substantiate Explanations
      - Require Plans for Corrective Action Involving Variances and Projected Variances
      - Consider When Establishing Next Year’s Budget
  58. Financial Analysis
      - 4-Step Process
          - Develop Expectation
          - Identify Fluctuations/Variances
          - Investigate Fluctuations
          - Evaluate Likelihood of Fraud
      - Identify Most Reliable Data on Which to Base Expectation
      - Benchmarking & Ratio Analysis
  59. Analytical Procedures
      - Reasonableness Testing
          - Particularly useful for income accounts
          - Calculate “expected” revenue using information gathered from independent sources
      - Ratio Analysis
          - Financial
          - Financial and non-financial data
          - Particularly useful for expense accounts and to detect theft of assets (inventory, etc.)