1. What a Steal: Putting internal controls in place to prevent fraud and
protect your organization
Bob McAdams, CPA
Eddie Guerra, CPA
BDO USA, LLP, a Delaware limited liability partnership, is the U.S.
member of BDO International Limited, a UK company limited by
guarantee, and forms part of the international BDO network of
independent member firms. BDO is the brand name for the BDO
network and for each of the BDO Member Firms.
2. An Introduction to Fraud
What is fraud?
An intentional act that results in material misstatement of the financial
statements.
Who commits fraud?
Usually older than other criminals.
Often married with stable family situations.
Above average education.
Typically, the person earns less than $50,000 a year and has worked for the
nonprofit for at least three years.
However, the most costly fraud is perpetrated by managers and executives
earning between $100,000 and $150,000 a year.
Perpetrators that have been with organizations more than 10 years generated
median losses of $230,000
– Information from the Association of Certified Fraud Examiners (ACFE)
Client name - Event - Presentation title
Page 2
3. Fraud is difficult to predict but…
Predictive characteristics include employees who carry high debt, live
beyond their means, refuse to take vacations, or work in organizations
that do not enforce clear lines of authority and have weak internal
controls
Fraud in nonprofits is committed most often by accounting staff, upper
management and sales personnel (skimming, billing schemes and cash larceny)
4. The Fraud Triangle
– Incentive
– Opportunity
– Rationalization
5. Excerpted from the BDO Ac’sense 2009 self-study course – Focus on Fraud:
Fraud and Misconduct in the Corporate World, accessible at
http://www.bdo.com/acsense/events/Focus-on-FraudSept09%20.aspx.
7. Types of Misstatements
Types of misstatements caused by fraud:
– Misstatements resulting from fraudulent financial
reporting.
– Misstatements resulting from misappropriation of assets.
8. Fraudulent Financial Reporting
Stages:
• Misstatement.
• Concealment.
Financial statements misstated as a result of:
• Misapplication of accounting principles involving
measurement and resulting in misstatement of
amounts.
• Omission or misrepresentation about transactions or
events.
• Recording fictitious transactions.
• Recording sham transactions.
9. Misappropriation of Assets
Stages:
• Misstatement.
• Concealment.
• Conversion.
Opportunity to commit and conceal exist only when:
• Assets are susceptible to misappropriation.
• There is a lack of antifraud programs and controls to prevent or detect
it.
10. Other Fraud Considerations
Off-the-books versus on-the-books fraud.
– Off-the-books schemes, such as kickbacks or skimming cash sales, do
not involve a documentary trail or manipulation of the company’s
books.
– On-the-books schemes may relate to either misappropriation of assets
or fraudulent financial reporting.
Information technology and fraud.
– Automated systems are used to generate false documents or
manipulate accounting records to affect or conceal the fraud.
11. Other Fraud Considerations (continued)
Fraud conditions:
– Incentives/pressures to commit fraud.
– Opportunities to commit fraud.
– Attitudes/rationalizations.
Other characteristics of fraud:
– Management override of controls.
– Concealment.
– Collusion.
– Falsifying documents or records.
12. Responsibility for Fraud Detection
Management’s responsibility for fraud detection.
– Management is responsible for designing and implementing agency
programs and controls to prevent, deter, and detect fraud.
Auditor’s responsibility for fraud detection.
– To obtain reasonable assurance that the financial statements are free
of material misstatement, whether caused by error or fraud.
Immaterial misstatements caused by fraud.
– The expectation gap.
Exercising professional skepticism.
13. Board and Management Responsibilities
Board and management should set the proper tone, create and maintain a
culture of honesty and high ethical standards and establish controls to prevent,
deter and detect fraud. When management and those responsible for oversight
of the financial reporting process fulfill those responsibilities, the
opportunities to commit fraud can be reduced significantly.
Financial questions you should ask
Systems that protect NPOs
• Internal controls
• Accounting policies and procedures
• Board committees
• External audits
Understand the financial statements
14. What Are Auditors Required to Do?
Assess Fraud Risk
The fraud risk assessment process
Hold a discussion among engagement team members to consider
the susceptibility of the client’s financial statements to material
misstatement due to fraud.
Obtain other information needed to identify risks of material
misstatement due to fraud.
Identify risks that may result in material misstatement of the
financial statements due to fraud.
Assess the identified risks after taking into account the company’s
antifraud programs and internal controls.
Respond to the results of the risk assessment.
Evaluate internal controls
Report material fraud and material and significant weaknesses in
internal control
15. Professional Skepticism
We tend to overemphasize information that supports our assumptions and
ignore what doesn’t.
We take shortcuts to knowledge based on categories of information
Healthy skepticism neither completely trusts nor completely distrusts – it
is NEUTRAL
16. Tone at the Top
Communicating a code of conduct
Adopt a code of conduct policy or an ethics policy
Give examples of ethical challenges
Management and Board live the code
Conflicts of interest
Whistleblower policy
Outside internal control review
The agency’s actual culture should support the code
17. Ten Key Financial Questions You Should Ask
1. Is our organization being run in a business-like fashion?
2. Are our key sources of income rising or falling?
3. Are our key expenses, especially salary and benefits, under
control?
4. Do we have sufficient reserves?
5. Is our board truly supportive of our fundraising needs?
6. Where are we compared with budget?
7. Is our financial plan consistent with our strategic plan?
8. Is our staff satisfied and productive?
9. Are we filing on a timely basis all the reporting documents we
are supposed to be filing?
10. Are we fulfilling our tax-exempt purpose as granted by the
IRS?
18. What are Internal Controls?
Systematic measures (such as reviews, checks and balances, methods and
procedures) instituted by an organization to:
Conduct its business in an orderly and efficient manner
Safeguard its assets and resources
Deter and detect errors, fraud and theft
Ensure accuracy and completeness of its accounting data
Produce reliable and timely financial and management information
Ensure adherence to its policies and plans
20. Some common internal control procedures
(see outline: http://www.bdo.com/acsense/events/Focus-onFraudSept09%20.aspx)
General & cash controls
Investments
Payroll
Allocating expenses
Stewardship & accountability
Budgeting & financial planning
Grant funding
Staff training
21. Types of Controls
― Activity Level Controls
― Entity Level Controls
22. Basic Internal Controls
Basic Internal Controls for the prevention of fraud can be grouped into 3
categories:
Physical Access
Job Description
Accounting Reconciliation and Analysis
23. Physical Access
The need to control access to your organization’s tangible and intangible assets.
Tangible assets – FF&E (furniture, fixtures and equipment), inventory, supplies
Intangible assets – donor records, financial records, bank records, credit
card information
Locks, supervision, employee IDs, computer passwords, access keys,
surveillance systems
Limit access by job function: grant only the access each role needs
24. Job Description
Detail an employee’s job responsibilities and expectations.
Generally, employees should not perform duties outside of their job
description without authorization.
Include division or segregation of duties.
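An added example, not code from the presentation, that turns the "limit access by job function" point on the previous slide and the segregation-of-duties point on this one into a check you can run: the granted duties are compared against a conflict matrix, and a payment-approval log is tested for self-approval and for approvals by people whose job does not include approving. The duty names, conflict pairs, user names and log rows are all constructed for illustration; a real conflict matrix comes from the job descriptions.

```python
"""Segregation-of-duties (SoD) checks over a constructed payment-approval log.

Added example for this page, not code from the presentation. The duty
names, the conflict matrix, the users and the log rows are all assumed
for illustration; a real conflict matrix comes from the job descriptions.
"""

# Pairs of duties one person should not hold at the same time (assumed).
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "reconcile_bank"}),
    frozenset({"receive_cash", "post_receipts"}),
}

# Constructed role assignments: user -> duties granted by job description.
ASSIGNMENTS = {
    "alice": {"create_vendor", "enter_invoice"},
    "bob":   {"approve_payment"},
    "carol": {"enter_invoice", "approve_payment"},  # can both enter and approve
    "dave":  {"reconcile_bank"},
}

# Constructed approval log: one row per payment.
PAYMENTS = [
    {"id": "P-1001", "vendor": "Acme Supplies", "amount": 1250.00,
     "entered_by": "alice", "approved_by": "bob"},
    {"id": "P-1002", "vendor": "Acme Supplies", "amount": 980.00,
     "entered_by": "carol", "approved_by": "carol"},   # self-approved
    {"id": "P-1003", "vendor": "City Utilities", "amount": 410.55,
     "entered_by": "alice", "approved_by": "carol"},
    {"id": "P-1004", "vendor": "Acme Supplies", "amount": 4999.00,
     "entered_by": "carol", "approved_by": "bob"},
    {"id": "P-1005", "vendor": "Acme Supplies", "amount": 2100.00,
     "entered_by": "dave", "approved_by": "alice"},    # alice holds no approval duty
]


def conflicting_assignments(assignments, conflicts=CONFLICTING_DUTIES):
    """Users whose granted duties contain a conflicting pair.

    Returns {user: [(duty_a, duty_b), ...]} with pairs sorted so the
    output is stable regardless of set iteration order.
    """
    findings = {}
    for user, duties in assignments.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= duties)
        if hits:
            findings[user] = hits
    return findings


def self_approved(payments):
    """Payment ids where the same person entered and approved the transaction."""
    return [p["id"] for p in payments if p["entered_by"] == p["approved_by"]]


def approvals_outside_role(payments, assignments):
    """Payment ids approved by someone whose job does not include approve_payment.

    This is the 'limit access by job function' check: the log is tested
    against the role table, not only against itself.
    """
    return [p["id"] for p in payments
            if "approve_payment" not in assignments.get(p["approved_by"], set())]


def sod_report(payments=PAYMENTS, assignments=ASSIGNMENTS):
    """Run all three checks and return the findings in one dict."""
    return {
        "conflicting_assignments": conflicting_assignments(assignments),
        "self_approved": self_approved(payments),
        "approvals_outside_role": approvals_outside_role(payments, assignments),
    }


if __name__ == "__main__":
    for check, hits in sod_report().items():
        print(f"{check}: {hits}")
```

On this data the report flags carol for holding both enter_invoice and approve_payment, P-1002 as self-approved, and P-1005 as approved by someone with no approval duty. The first finding is the one to act on first: a conflicting assignment is an opportunity that exists before any transaction is recorded, while the other two are detections after the fact.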
25. Account Reconciliation and Analysis
Regular, documented and reviewed reconciliations and analyses make
concealment difficult.
Should be prepared for:
― Bank Accounts
― Investment accounts
― Accounts Receivable
― Accounts Payable
― Significant other assets and liabilities
Variance Analysis
― Actual to budget
― Current year vs. prior year
― Vertical analysis of revenue and expenditures as a percentage of total
Strong Supervision
― Fraud awareness
― Approval, review, recalculation
26. Mitigating External Fraud
• Restricting administrative access to the organization’s network and systems to
designated IT personnel
• Implementing virus protection on the organization’s network
• Disallowing the downloading of programs from the internet
• Educating employees about malicious email scams
• Requiring employees to change passwords every 90 days (note: current NIST
guidance in SP 800-63B no longer recommends forced periodic changes; it favors
screening new passwords against known-compromised lists, a minimum length,
multi-factor authentication, and changing a password when there is evidence it
has been compromised)
• Setting policy that passwords are not shared
• Checking bank transactions on a daily basis to detect any outside
intervention
• Avoiding promotional scams: if something sounds too good to be true, it
probably isn’t true
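An added example, not code from the presentation, that serves both the Account Reconciliation and Analysis slide and the "checking bank transactions on a daily basis" point above: it reconciles a general-ledger cash account against a bank statement, classifies every reconciling item, proves the adjusted balances agree, and runs an actual-to-budget variance check. The ledger, bank statement and budget figures are constructed; the matching rule (compare by reference number, then by amount) and the 20% variance threshold are assumptions, not accounting standards.

```python
"""Bank reconciliation and budget variance analysis over constructed data.

Added example for this page, not code from the presentation. The ledger,
bank statement and budget figures are constructed; the matching rule and
the 20% threshold are assumptions. References are assumed unique on each
side; a real reconciliation must also handle duplicate or missing refs.
"""
from datetime import date

# Constructed general-ledger cash entries: (reference, date, amount).
# Deposits are positive, disbursements negative.
LEDGER = [
    ("DEP-201",  date(2024, 3, 1),  5000.00),
    ("CHK-1042", date(2024, 3, 3),  -1250.00),
    ("CHK-1043", date(2024, 3, 5),  -980.00),
    ("DEP-202",  date(2024, 3, 8),  2200.00),
    ("CHK-1044", date(2024, 3, 9),  -410.55),
    ("CHK-1045", date(2024, 3, 28), -300.00),   # written late, not yet cleared
]

# Constructed bank statement for the same month.
BANK = [
    ("DEP-201",  date(2024, 3, 1),  5000.00),
    ("CHK-1042", date(2024, 3, 4),  -1250.00),
    ("CHK-1043", date(2024, 3, 6),  -980.00),
    ("DEP-202",  date(2024, 3, 8),  1700.00),   # bank received less than the books say
    ("CHK-1044", date(2024, 3, 10), -410.55),
    ("ACH-7781", date(2024, 3, 15), -2100.00),  # at the bank, never recorded in the books
]

# Constructed budget vs. actual expense lines for the month.
BUDGET = {"Supplies": 1500.00, "Utilities": 450.00, "Consulting": 2000.00}
ACTUAL = {"Supplies": 2230.00, "Utilities": 410.55, "Consulting": 2100.00}


def reconcile(ledger, bank):
    """Compare ledger and bank lines by reference number.

    matched      - on both sides with the same amount
    amount_diffs - on both sides, different amounts (ref, book_amt, bank_amt)
    ledger_only  - in the books, not at the bank (timing, or a fictitious entry)
    bank_only    - at the bank, not in the books (unrecorded or unauthorized)
    Every item outside 'matched' needs a documented explanation from the reviewer.
    """
    lmap = {ref: amt for ref, _, amt in ledger}
    bmap = {ref: amt for ref, _, amt in bank}
    result = {"matched": [], "amount_diffs": [], "ledger_only": [], "bank_only": []}
    for ref, amt in lmap.items():
        if ref not in bmap:
            result["ledger_only"].append(ref)
        elif abs(bmap[ref] - amt) < 0.005:
            result["matched"].append(ref)
        else:
            result["amount_diffs"].append((ref, amt, bmap[ref]))
    result["bank_only"] = [ref for ref in bmap if ref not in lmap]
    return result


def adjusted_balances(ledger, bank, result):
    """Adjust both balances for the reconciling items; they must then agree.

    Ledger-only items (e.g. outstanding checks) will hit the bank later, so
    they are applied to the bank side. Bank-only items and amount differences
    are applied to the book side, treating the bank as the authoritative record.
    """
    book = sum(amt for _, _, amt in ledger)
    bank_bal = sum(amt for _, _, amt in bank)
    bank_adj = bank_bal + sum(amt for ref, _, amt in ledger if ref in result["ledger_only"])
    book_adj = book + sum(amt for ref, _, amt in bank if ref in result["bank_only"])
    book_adj += sum(bank_amt - book_amt for _, book_amt, bank_amt in result["amount_diffs"])
    return round(book_adj, 2), round(bank_adj, 2)


def variances(budget, actual, threshold_pct=20.0):
    """Flag lines whose actual deviates from budget by more than threshold_pct.

    Returns [(line, pct)] with pct rounded to one decimal; pct is None for
    spend against a zero budget, which is always worth a look.
    """
    flagged = []
    for line, planned in budget.items():
        spent = actual.get(line, 0.0)
        if planned == 0:
            if spent:
                flagged.append((line, None))
            continue
        pct = (spent - planned) / planned * 100
        if abs(pct) > threshold_pct:
            flagged.append((line, round(pct, 1)))
    return flagged


if __name__ == "__main__":
    rec = reconcile(LEDGER, BANK)
    for kind, items in rec.items():
        print(f"{kind}: {items}")
    print("adjusted (book, bank):", adjusted_balances(LEDGER, BANK, rec))
    print("variances over 20%:", variances(BUDGET, ACTUAL))
```

The point of the adjusted-balance step is that the reconciliation is not finished when the two numbers agree; it is finished when every item that made them agree has been explained. Here CHK-1045 is ordinary timing, but the $500 shortfall on DEP-202 looks like skimmed receipts and ACH-7781 is exactly the "outside intervention" a daily bank check is meant to catch. Running the same code against each day's bank activity, rather than once a month, shortens the window in which an unauthorized transfer can sit unnoticed.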
27. Fraud Risk Assessments
Process aimed at proactively identifying and addressing an organization’s
vulnerabilities to internal and external fraud
Ongoing, continuous process
Identifying and prioritizing fraud risks in an organization
28. COSO Internal Control Integrated Framework
See Executive Summary in outline
Components of Internal Control
Control environment
Risk assessment
Control activities
Information & communication
Monitoring activities