ARE FUNDS IN
JEOPARDY?
IDENTIFYING FRAUD, WASTE AND ABUSE
ALANNA GOODMAN, CFE
AUDIT SUPERVISOR, SPECIAL INVESTIGATIONS DIVISION
DAVID J. MORA, CFE
AUDIT SUPERVISOR, SPECIAL INVESTIGATIONS DIVISION
WHAT IS FRAUD?
• Fraud is defined as any intentional act or omission
designed to deceive others and resulting in the victim
suffering a loss and/or the perpetrator achieving a gain.
The Association of Certified Fraud Examiners
The American Institute of Certified Public
Accountants
The Institute of Internal Auditors
WHAT IS FRAUD?
• According to the State Audit Rule (Section 2.2.2.7 (F)(4) NMAC):
“Fraud” includes, but is not limited to, fraudulent financial reporting, misappropriation
of assets, corruption, and use of public funds for activities prohibited by the
constitution or laws of the state of New Mexico. Fraudulent financial reporting means
intentional misstatements or omissions of amounts or disclosures in the financial
statements to deceive financial statement users, which may include intentional
alteration of accounting records, misrepresentation of transactions, or intentional
misapplication of accounting principles. Misappropriation of assets means theft of an
agency’s assets, including theft of property, embezzlement of receipts, or fraudulent
payments. Corruption means bribery and other illegal acts.
FRAUD TRIANGLE
WHAT IS WASTE?
• “Waste” includes, but is not limited to, the act of using or
expending resources carelessly, extravagantly, or to no purpose.
Importantly, waste can include activities that do not include abuse.
Rather waste relates primarily to mismanagement, inappropriate
actions, and inadequate oversight. Waste does not necessarily
involve fraud or illegal acts. However, waste may be an indication
of potential fraud or illegal acts and may still impact the
achievement of defined objectives. (GAO-14-704G federal internal
control standards paragraph 8.03.)
WHAT IS ABUSE?
• “Abuse” includes, but is not limited to, behavior that is deficient or improper
when compared with behavior that a prudent person would consider
reasonable and necessary business practice given the facts and circumstances
but excludes fraud and noncompliance with provisions of laws, regulations,
contracts, and grant agreements. Abuse also includes misuse of authority or
position for personal interests or for the benefit of another or those of an
immediate or close family member or business associate. (GAGAS latest
revision.) Abuse does not necessarily involve fraud or illegal acts. However,
abuse may be an indication of potential fraud or illegal acts and may still impact
the achievement of defined objectives. (GAO-14-704G federal internal control
standards paragraph 8.03.)
OSA JEOPARDY
Fraud 101
OSA JEOPARDY
Categories: Fraud 101 | Types of Fraud | Fraud Red Flags | Preventative, Detective and Corrective
Point values in each category: 100, 200, 300, 400
FRAUD 101
100 points
Any intentional act or omission designed to deceive others and
results in the victim suffering a loss and/or the perpetrator
achieving a gain.
FRAUD 101
200 points
Part of the Fraud Triangle that relates to the financial or
emotional force pushing someone towards fraud.
FRAUD 101
300 points
The fraudulent failure to reveal information which someone
knows and is aware that in good faith he/she should
communicate to another.
FRAUD 101
400 points
A form of dishonesty or a criminal offense which is undertaken
by a person or an organization which is entrusted with a position
of authority, in order to acquire illicit benefits or abuse power for
one's personal gain.
GOVERNMENTAL FRAUD
• What are some of the factors that can lead to
Governmental fraud?
• Governments spend large amounts of taxpayer / grant funds.
• Government entities are a major employer within their local
areas.
• Governments may lack the resources to combat fraud.
• Inadequate data sharing.
GOVERNMENTAL FRAUD
* ACFE Occupational Fraud 2022: A Report to the
Nations
CORRUPTION
• Pressure: Possibly politically or family related
• A family member of the superintendent is an electrician who can do the work
needed on the new school construction.
• Opportunity: Lack of internal controls or override of internal controls.
• Importance of a Chief Procurement Officer position within an agency and
governance over approving contracts.
• Rationalization: Reasoning that the action is allowable.
• “The agency needs this work done and my brother owns a contracting business. It’s
not like the work is not getting done. We saved money elsewhere on the project. We
have to spend the money or we’ll lose it.”
BILLING FRAUD
• Pressure: Possibly financially related
• “I just need a little extra money this time of the month to pay my bills.”
• Opportunity: Lack of internal controls or override of internal controls.
• Importance of segregation of duties and purchasing pre-approvals.
• Rationalization: Reasoning that the action is allowable.
• “The agency received a large federal grant. No one will notice if I inflate the cost of
supplies billed under this grant or purchase extra supplies for myself personally.”
NONCASH & PAYROLL FRAUD
• Pressure: Possibly family related or financial pressures
• The need to pick up a child by a certain time or personal debts.
• Opportunity: Lack of internal controls or override of internal controls.
• Created when no one really reviews timesheets and they are simply approved.
• Rationalization: Reasoning that the action is allowable.
• “I’ll take a shorter lunch tomorrow” or “I’m always working extra, this just evens it all out.”
GOVERNMENTAL FRAUD
* ACFE Occupational Fraud 2022: A Report to the
Nations
OSA JEOPARDY
Types of Fraud
TYPES OF FRAUD
100 points
The offering, giving, receiving, or soliciting of anything of value
to influence an act or a decision.
TYPES OF FRAUD
200 points
The theft of an employer’s cash before it is recorded in the
victim’s accounting system
TYPES OF FRAUD
300 points
A person who is on someone’s payroll, but who does not actually
work for the company.
TYPES OF FRAUD
400 points
The fraudulent practice of sending text messages purporting to
be from reputable companies in order to induce individuals to
reveal personal information, such as passwords or credit card
numbers.
PREVENTING FRAUD, WASTE AND ABUSE
• What can Government entities do to prevent fraud?
• Implement effective Internal Policies.
• Maintain compliance with all applicable laws, regulations and
internal policies.
• Ensure independent internal audits or risk assessments are
conducted on a regular basis.
• Hire competent employees
• Fraud training for management and employees
• Implement employee/management Codes of Conduct
PREVENTING FRAUD, WASTE AND ABUSE
Lack of Internal Controls was the
primary weakness that contributed to
occupational fraud.
INTERNAL CONTROL: CONCEPTS
• Control Environment: (e.g. pervasive and provide the foundation for other internal
control components, standards, processes, structures.)
• Risk Assessment: (e.g. What could go wrong?)
INTERNAL CONTROL: CONCEPTS
• Control Activities: (e.g. mitigate the risks to entity objectives)
• Information and Communication: (e.g. information necessary to carry out
internal control responsibilities to achieve objectives)
• Monitoring Activities: (e.g. monitor internal controls by management, board
of directors)
OSA JEOPARDY
Fraud Red Flags
FRAUD RED FLAGS
100 points
Excessive amounts of these in the accounting software may be
used to cover money that was misappropriated.
FRAUD RED FLAGS
200 points
A policy of mandatory _______ for employees can be a way to
detect fraud when other employees are performing different job
duties.
FRAUD RED FLAGS
300 points
Business entities often used by fraudsters to hide illegal funds
and the identity of beneficial owners.
FRAUD RED FLAGS
400 points
A situation in which a person is in a position to derive personal
benefit from actions or decisions made in their official capacity.
INTERNAL CONTROL: TYPES
Internal controls are the policies and
procedures that an entity puts into place
in order to protect its assets, ensure its
accounting data is correct, maximize the
efficiency of its operation and promote an
atmosphere of compliance among its
employees.
INTERNAL CONTROL:
MANAGEMENT RESPONSIBILITY
Management is responsible for internal controls!
• Management of the Entity
• Which employees make up “management”
• Role and authority of each
• Small versus large entities
• Simple versus complex entities
• Tone at the top
INTERNAL CONTROL:
MANAGEMENT RESPONSIBILITY
What should Management do to fulfill this responsibility?
• Develop and maintain a system of internal control.
• Audit committee can provide a monitoring function.
• Internal audit can provide information regarding
internal control effectiveness.
• Compliance with entity policies and procedures.
OSA JEOPARDY
Preventative, Detective
and Corrective
PREVENTATIVE, DETECTIVE AND CORRECTIVE
100 points
Monthly bank statement reconciliation
PREVENTATIVE, DETECTIVE AND CORRECTIVE
200 points
Management and employee training
PREVENTATIVE, DETECTIVE AND CORRECTIVE
300 points
Fraud tip hotline
PREVENTATIVE, DETECTIVE AND CORRECTIVE
400 points
Tone at the top
PHISHING AND SPOOFING
• Spoofing is the technical measure of sending an email using a
fraudulent or mimicked email account.
• Phishing is the attempt to get the recipient to hand over sensitive
information. (see also Smishing and vishing)
• What are the differences?
• Phishing is a method of retrieval, while spoofing is a means of delivery.
PAYROLL/VENDOR PHISHING SCAMS
• The email phishing scheme spoofs the email account of
a known, often high-level manager or leader, and asks
users to change their direct deposit information for
payroll or their payment information.
• Warning signs include:
• Urgent language with a specific request, which places
pressure on the recipient to expedite the request.
• The request prompts the recipient to change bank account
information associated with direct deposit, fraudulently
redirecting the payroll into an unknown and unauthorized
bank/financial institution account.
PAYROLL/VENDOR PHISHING SCAMS
What can you do to protect yourself?
• Validate the domain of the sender as genuine. (@0sa.s1ate.nm.us)
• Do not share bank/financial institution account information via
email or make any changes to redirect funds without validating the
request.
• Validate any suspected phishing attempts and suspected
fraudulent requests through an alternate source.
PAYROLL/VENDOR PHISHING SCAMS
What can you do to protect yourself?
• Change passwords and never reveal your confidential information;
• Review internal controls and operational handbooks for how to
report phishing schemes and alert appropriate IT professionals;
• Conduct a special training and alert team members of phishing
and spoofing schemes.
RANSOMWARE DEFENSE
• Ransomware is a serious cybersecurity threat caused most
often by spam email, compromised websites, and other
malware.
• Warning signs include:
• Receiving emails with irrelevant headers and/or subject lines
or no subject at all;
• Being CC’d on an email from a sender or other receivers that
are unknown;
• Attachments that don’t make sense or are executable files;
or embedded hyperlinks that link to a different site.
RANSOMWARE DEFENSE
What can you do to protect yourself?
• Change passwords frequently and use different passwords for all
websites.
• Take proactive measures to ensure all software is up to date.
• Utilize pop-up blockers and close unwanted pop-ups by using keyboard
command strokes (Ctrl + X) instead of clicking on the dialog box.
• Ensure any antivirus program protects against spyware and that it is a
reliable program.
RANSOMWARE DEFENSE
What can you do to protect yourself?
• Safeguard important files by ensuring they are properly and frequently backed up.
• Exercise caution when clicking on links or downloading attachments and be cautious of
suspicious emails.
• Ensure controls are in place that prevent the launch of executable files from emails.
Executable files have the ability to run code when opened. Common executable files are:
.BAT, .EXE, .BIN, and even .COM
• If faced with ransomware, agencies should not send money; and they should immediately
report the incident to local law enforcement and inform the OSA.
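A sketch of the inbound side of the executable-attachment control described above, as an added example that is not part of the original deck. It screens a message's attachments against the extensions the slide lists; the function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named on the slide as common executable files.
BLOCKED_EXTENSIONS = {".bat", ".exe", ".bin", ".com"}


def is_blocked(filename: str) -> bool:
    """True if the final extension of the attachment name is on the block list."""
    # Windows ignores trailing dots and spaces, so "report.exe. " still runs as .exe.
    name = filename.strip().rstrip(". ").lower()
    if "." not in name:
        return False
    # Only the last extension decides how the file is opened ("invoice.pdf.exe").
    return "." + name.rsplit(".", 1)[1] in BLOCKED_EXTENSIONS


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return the names of attachments that should be quarantined."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_blocked(name):
            hits.append(name)
    return hits


def build_sample() -> bytes:
    """Constructed message with one harmless and two blocked attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "clerk@example.gov"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="budget.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"@echo off", maintype="application",
                       subtype="octet-stream", filename="Update.BAT")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in blocked_attachments(build_sample()):
        print("quarantine:", name)
```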
OSA DOUBLE JEOPARDY
Cyber Fraud Schemes
OSA DOUBLE JEOPARDY
Categories: Cyber Fraud Schemes | Fraud, Waste or Abuse
Point values in each category: 200, 400, 600, 800
CYBER FRAUD SCHEMES
200 points
Term that generally refers to unauthorized intrusion into a
computer or a network.
CYBER FRAUD SCHEMES
400 points
A type of malicious software designed to block access to a
computer system until a sum of money is paid.
CYBER FRAUD SCHEMES
600 points
The unauthorized use of a person’s or organization’s computing
resources to mine cryptocurrency.
CYBER FRAUD SCHEMES
800 points
This occurs when sensitive data (personal or financial
information) is leaked from a secure location. Afterwards, it can
be used in an untrusted environment at a corporate or personal
level.
• The Office of the State Auditor (OSA) regularly conducts special
audits and examinations through the OSA’s Special Investigations
Division.
• The Division, which consists of (currently) five auditors, handles
hundreds of cases each year related to allegations of governmental
fraud, waste and abuse.
• In Fiscal Year 2021, the OSA received almost 350 complaints.
SPECIAL AUDITS AND INVESTIGATIONS
• Conflicts of Interest / Favored Treatment
• Employee Fraud
• Time Theft
• Procurement / Contracting Improprieties
• Improper Loans to Executives or Governing Body members
• Excesses in Benefits, Travel and/or Meal Allowances
• Financial and Cost Reporting Irregularities
SPECIAL AUDITS AND INVESTIGATIONS
TYPES OF ISSUES HANDLED BY OSA
• Fraudulent Insurance and/or Licensing
• Policy Issues / Public Record Requests (IPRA)
• Procurement Process Questions or Challenges
• Product or Service Quality Concerns
• Misuse of Confidential or Proprietary Information
• Whistleblowers Protection Act
• Public Safety
• Security
SPECIAL AUDITS AND INVESTIGATIONS
TYPES OF ISSUES HANDLED BY OTHER AGENCIES
• Environmental Protection
• Wage and Hour Issues
• Unemployment Compensation
• Customer Relations
• Open Meetings Act Violations
• Discrimination and/or Sexual Harassment
• Employee Relations
• Workplace Violence
• Substance Abuse
SPECIAL AUDITS AND INVESTIGATIONS
TYPES OF ISSUES HANDLED BY OTHER AGENCIES
OSA DOUBLE JEOPARDY
Fraud, Waste and
Abuse
FRAUD, WASTE OR ABUSE
200 points
The excessive, improper, or contrary use of something.
FRAUD, WASTE OR ABUSE
400 points
This leads to unnecessary costs resulting from inefficient or
ineffective practices, systems, or controls.
FRAUD, WASTE OR ABUSE
600 points
Wrongful or criminal deception intended to result in financial or
personal gain.
FRAUD, WASTE OR ABUSE
800 points
The Special Investigations Division of the OSA handles hundreds
of cases each year related to allegations of ______ in NM
governmental agencies.
Reports may be made anonymously through the OSA Hotline by visiting
our website and submitting a complaint through our online portal or by
calling 1-866-OSA-FRAUD (1-866-672-3728).
You may also speak to an investigator by calling
505-476-3800
You may write to the office at:
New Mexico Office of the State Auditor
2540 Camino Edward Ortiz, Suite A
Santa Fe, NM 87505
www.osafraud.org
SUBMITTING A REPORT OR COMPLAINT
ALLEGATIONS OF GOVERNMENTAL FRAUD, WASTE, AND ABUSE
An agency or IPA reporting potential criminal violations involving
the financial affairs of an agency must file a 12-6-6 Notification
with our office.
The notification must be in writing.
• It can be emailed to our office at reports@osa.state.nm.us,
sent by mail or faxed.
*Please do not use the Fraud Hotline for filing a 12-6-6
Notification
SUBMITTING A REPORT OR COMPLAINT
WHAT INFORMATION SHOULD BE INCLUDED?
• The specific allegation (violation of law, rule or policy) and the governmental
entity involved.
• The parties involved and any witnesses.
• When the act(s) occurred.
• The amount of any financial loss.
• Whether the issue has been reported to any other oversight body or law
enforcement agency, and if so, which ones.
• Include a copy of any police report filed.
• Any supporting documentation that may be available.
OSA FINAL JEOPARDY
OSA FINAL JEOPARDY
This phrase means to spend or owe more money than one is
earning or is able to repay and is the top behavioral red flag for
fraud.
OSA BONUS JEOPARDY
The amount of “Days of Awesome” that
Brian Colón, Esq., CFE, has been
NM State Auditor.
QUESTIONS?
THANK YOU
Alanna Goodman, CFE
Audit Supervisor, Special Investigations Division
Email: Alanna.Goodman@osa.state.nm.us
Phone: (505) 476-3820
David J. Mora, CFE
Audit Supervisor, Special Investigations Division
Email: David.Mora@osa.state.nm.us
Phone: (505) 476-3851

Postal Ballots-For home voting step by step process 2024.pptxPostal Ballots-For home voting step by step process 2024.pptx
Postal Ballots-For home voting step by step process 2024.pptxSwastiRanjanNayak
 
Global debate on climate change and occupational safety and health.
Global debate on climate change and occupational safety and health.Global debate on climate change and occupational safety and health.
Global debate on climate change and occupational safety and health.Christina Parmionova
 
Night 7k to 12k Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...
Night 7k to 12k  Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...Night 7k to 12k  Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...
Night 7k to 12k Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...aartirawatdelhi
 
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxxIncident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxxPeter Miles
 
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
Just Call Vip call girls Wardha Escorts ☎️8617370543 Starting From 5K to 25K ...
Just Call Vip call girls Wardha Escorts ☎️8617370543 Starting From 5K to 25K ...Just Call Vip call girls Wardha Escorts ☎️8617370543 Starting From 5K to 25K ...
Just Call Vip call girls Wardha Escorts ☎️8617370543 Starting From 5K to 25K ...Dipal Arora
 
Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024ARCResearch
 
PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)ahcitycouncil
 

Recently uploaded (20)

Call Girls Nanded City Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Nanded City Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Nanded City Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Nanded City Call Me 7737669865 Budget Friendly No Advance Booking
 
Climate change and safety and health at work
Climate change and safety and health at workClimate change and safety and health at work
Climate change and safety and health at work
 
Junnar ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Junnar ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...Junnar ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...
Junnar ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
 
(TARA) Call Girls Chakan ( 7001035870 ) HI-Fi Pune Escorts Service
(TARA) Call Girls Chakan ( 7001035870 ) HI-Fi Pune Escorts Service(TARA) Call Girls Chakan ( 7001035870 ) HI-Fi Pune Escorts Service
(TARA) Call Girls Chakan ( 7001035870 ) HI-Fi Pune Escorts Service
 
Call On 6297143586 Viman Nagar Call Girls In All Pune 24/7 Provide Call With...
Call On 6297143586  Viman Nagar Call Girls In All Pune 24/7 Provide Call With...Call On 6297143586  Viman Nagar Call Girls In All Pune 24/7 Provide Call With...
Call On 6297143586 Viman Nagar Call Girls In All Pune 24/7 Provide Call With...
 
2024: The FAR, Federal Acquisition Regulations, Part 30
2024: The FAR, Federal Acquisition Regulations, Part 302024: The FAR, Federal Acquisition Regulations, Part 30
2024: The FAR, Federal Acquisition Regulations, Part 30
 
The Economic and Organised Crime Office (EOCO) has been advised by the Office...
The Economic and Organised Crime Office (EOCO) has been advised by the Office...The Economic and Organised Crime Office (EOCO) has been advised by the Office...
The Economic and Organised Crime Office (EOCO) has been advised by the Office...
 
The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...
The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...
The Most Attractive Pune Call Girls Handewadi Road 8250192130 Will You Miss T...
 
Delhi Russian Call Girls In Connaught Place ➡️9999965857 India's Finest Model...
Delhi Russian Call Girls In Connaught Place ➡️9999965857 India's Finest Model...Delhi Russian Call Girls In Connaught Place ➡️9999965857 India's Finest Model...
Delhi Russian Call Girls In Connaught Place ➡️9999965857 India's Finest Model...
 
Fair Trash Reduction - West Hartford, CT
Fair Trash Reduction - West Hartford, CTFair Trash Reduction - West Hartford, CT
Fair Trash Reduction - West Hartford, CT
 
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation -  Humble BeginningsZechariah Boodey Farmstead Collaborative presentation -  Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
 
Postal Ballots-For home voting step by step process 2024.pptx
Postal Ballots-For home voting step by step process 2024.pptxPostal Ballots-For home voting step by step process 2024.pptx
Postal Ballots-For home voting step by step process 2024.pptx
 
Global debate on climate change and occupational safety and health.
Global debate on climate change and occupational safety and health.Global debate on climate change and occupational safety and health.
Global debate on climate change and occupational safety and health.
 
Night 7k to 12k Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...
Night 7k to 12k  Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...Night 7k to 12k  Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...
Night 7k to 12k Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...
 
Call Girls In Rohini ꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
Call Girls In  Rohini ꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCeCall Girls In  Rohini ꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
Call Girls In Rohini ꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
 
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxxIncident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
 
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service
 
Just Call Vip call girls Wardha Escorts ☎️8617370543 Starting From 5K to 25K ...
Just Call Vip call girls Wardha Escorts ☎️8617370543 Starting From 5K to 25K ...Just Call Vip call girls Wardha Escorts ☎️8617370543 Starting From 5K to 25K ...
Just Call Vip call girls Wardha Escorts ☎️8617370543 Starting From 5K to 25K ...
 
Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024
 
PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)
 

AreFundsInJeopardy.pptx

  • 1. ARE FUNDS IN JEOPARDY? IDENTIFYING FRAUD, WASTE AND ABUSE ALANNA GOODMAN, CFE AUDIT SUPERVISOR, SPECIAL INVESTIGATIONS DIVISION DAVID J. MORA, CFE AUDIT SUPERVISOR, SPECIAL INVESTIGATIONS DIVISION
  • 2. WHAT IS FRAUD? • Fraud is defined as any intentional act or omission designed to deceive others and resulting in the victim suffering a loss and/or the perpetrator achieving a gain. The Association of Certified Fraud Examiners The American Institute of Certified Public Accountants The Institute of Internal Auditors
  • 3. WHAT IS FRAUD? • According to the State Audit Rule (Section 2.2.2.7 (F)(4) NMAC): “Fraud” includes, but is not limited to, fraudulent financial reporting, misappropriation of assets, corruption, and use of public funds for activities prohibited by the constitution or laws of the state of New Mexico. Fraudulent financial reporting means intentional misstatements or omissions of amounts or disclosures in the financial statements to deceive financial statement users, which may include intentional alteration of accounting records, misrepresentation of transactions, or intentional misapplication of accounting principles. Misappropriation of assets means theft of an agency’s assets, including theft of property, embezzlement of receipts, or fraudulent payments. Corruption means bribery and other illegal acts.
  • 5. WHAT IS WASTE? • “Waste” includes, but is not limited to, the act of using or expending resources carelessly, extravagantly, or to no purpose. Importantly, waste can include activities that do not include abuse. Rather waste relates primarily to mismanagement, inappropriate actions, and inadequate oversight. Waste does not necessarily involve fraud or illegal acts. However, waste may be an indication of potential fraud or illegal acts and may still impact the achievement of defined objectives. (GAO-14-704G federal internal control standards paragraph 8.03.)
  • 6. WHAT IS ABUSE? • “Abuse” includes, but is not limited to, behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances but excludes fraud and noncompliance with provisions of laws, regulations, contracts, and grant agreements. Abuse also includes misuse of authority or position for personal interests or for the benefit of another or those of an immediate or close family member or business associate. (GAGAS latest revision.) Abuse does not necessarily involve fraud or illegal acts. However, abuse may be an indication of potential fraud or illegal acts and may still impact the achievement of defined objectives. (GAO-14-704G federal internal control standards paragraph 8.03.)
  • 8. OSA JEOPARDY Fraud 101 Types of Fraud 100 200 300 400 100 200 300 400 100 200 300 400 Fraud Red Flags Preventative Detective Corrective 100 200 300 400
  • 9. FRAUD 101 100 points Any intentional act or omission designed to deceive others and results in the victim suffering a loss and/or the perpetrator achieving a gain.
  • 10. OSA JEOPARDY Fraud 101 Types of Fraud 100 200 300 400 100 200 300 400 100 200 300 400 Fraud Red Flags Preventative Detective Corrective 100 200 300 400
  • 11. FRAUD 101 200 points Part of the Fraud Triangle that relates to the financial or emotional force pushing someone towards fraud.
  • 12. OSA JEOPARDY Fraud 101 Types of Fraud 100 200 300 400 100 200 300 400 100 200 300 400 Fraud Red Flags Preventative Detective Corrective 100 200 300 400
  • 13. FRAUD 101 300 points The fraudulent failure to reveal information which someone knows and is aware that in good faith he/she should communicate to another.
  • 14. OSA JEOPARDY Fraud 101 Types of Fraud 100 200 300 400 100 200 300 400 100 200 300 400 Fraud Red Flags Preventative Detective Corrective 100 200 300 400
  • 15. FRAUD 101 400 points A form of dishonesty or a criminal offense which is undertaken by a person or an organization which is entrusted with a position of authority, in order to acquire illicit benefits or abuse power for one's personal gain.
  • 16. GOVERNMENTAL FRAUD • What are some of the factors that can lead to Governmental fraud? • Governments spend large amounts of taxpayer / grant funds. • Government entities are a major employer within their local areas. • Governments may lack the resources to combat fraud. • Inadequate data sharing.
  • 17. GOVERNMENTAL FRAUD * ACFE Occupational Fraud 2022: A Report to the Nations
  • 18. CORRUPTION • Pressure: Possibly politically or family related • A family member of the superintendent is an electrician who can do the work needed on the new school construction. • Opportunity: Lack of internal controls or override of internal controls. • Importance of a Chief Procurement Officer position within an agency and governance over approving contracts. • Rationalization: Reasoning that the action is allowable. • “The agency needs this work done and my brother owns a contracting business. It’s not like the work is not getting done. We saved money elsewhere on the project. We have to spend the money or we’ll lose it.”
  • 19. BILLING FRAUD • Pressure: Possibly financially related • “I just need a little extra money this time of the month to pay my bills.” • Opportunity: Lack of internal controls or override of internal controls. • Importance of segregation of duties and purchasing pre-approvals. • Rationalization: Reasoning that the action is allowable. • “The agency received a large federal grant. No one will notice if I inflate the cost of supplies billed under this grant or purchase extra supplies for myself personally.”
  • 20. NONCASH & PAYROLL FRAUD • Pressure: Possibly family related or financial pressures • The need to pick up a child by a certain time or personal debts. • Opportunity: Lack of internal controls or override of internal controls. • Created when no one really looks at time sheets and timesheets are just approved. • Rationalization: Reasoning that the action is allowable. • “I’ll take a shorter lunch tomorrow” or “I’m always working extra this just evens it all out.”
  • 21. GOVERNMENTAL FRAUD * ACFE Occupational Fraud 2022: A Report to the Nations
  • 23. OSA JEOPARDY Fraud 101 Types of Fraud 100 200 300 400 100 200 300 400 100 200 300 400 Fraud Red Flags Preventative Detective Corrective 100 200 300 400
  • 24. TYPES OF FRAUD 100 points The offering, giving, receiving, or soliciting of anything of value to influence an act or a decision.
  • 25. OSA JEOPARDY Fraud 101 Types of Fraud 100 200 300 400 100 200 300 400 100 200 300 400 Fraud Red Flags Preventative Detective Corrective 100 200 300 400 The offering, giving, receiving, or soliciting of anything of value to influence an act or a decision.
  • 26. TYPES OF FRAUD 200 points The theft of an employer’s cash before it is recorded in the victim’s accounting system
  • 27. OSA JEOPARDY Fraud 101 Types of Fraud 100 200 300 400 100 200 300 400 100 200 300 400 Fraud Red Flags Preventative Detective Corrective 100 200 300 400
  • 28. TYPES OF FRAUD 300 points A person who is on someone’s payroll, but who does not actually work for the company.
  • 29. OSA JEOPARDY Fraud 101 Types of Fraud 100 200 300 400 100 200 300 400 100 200 300 400 Fraud Red Flags Preventative Detective Corrective 100 200 300 400
  • 30. TYPES OF FRAUD 400 points The fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.
  • 31. PREVENTING FRAUD, WASTE AND ABUSE • What can Government entities do to prevent fraud? • Implement effective Internal Policies. • Maintain compliance with all applicable laws, regulations and internal policies. • Ensure independent internal audits or risk assessments are conducted on a regular basis. • Hire competent employees • Fraud training for management and employees • Implement employee/management Codes of Conduct
  • 32. PREVENTING FRAUD, WASTE AND ABUSE Lack of Internal Controls was the primary weakness that contributed to occupational fraud.
  • 33. INTERNAL CONTROL: CONCEPTS • Control Environment: (e.g. pervasive and provide the foundation for other internal control components, standards, processes, structures.) • Risk Assessment: (e.g. What could go wrong?)
  • 34. INTERNAL CONTROL: CONCEPTS • Control Activities: (e.g. mitigate the risks to entity objectives) • Information and Communication: (e.g. information necessary to carry out internal control responsibilities to achieve objectives) • Monitoring Activities: (e.g. monitor internal controls by management, board of directors)
  • 36. OSA JEOPARDY Fraud 101 Types of Fraud 100 200 300 400 100 200 300 400 100 200 300 400 Fraud Red Flags Preventative Detective Corrective 100 200 300 400
  • 37. FRAUD RED FLAGS 100 points Excessive amounts of these in the accounting software may be used to cover money that was misappropriated.
  • 38. OSA JEOPARDY Fraud 101 Types of Fraud 100 200 300 400 100 200 300 400 100 200 300 400 Fraud Red Flags Preventative Detective Corrective 100 200 300 400
  • 39. FRAUD RED FLAGS 200 points A policy of mandatory _______ for employees can be a way to detect fraud when other employees are performing different job duties.
  • 40. OSA JEOPARDY Fraud 101 Types of Fraud 100 200 300 400 100 200 300 400 100 200 300 400 Fraud Red Flags Preventative Detective Corrective 100 200 300 400
  • 41. FRAUD RED FLAGS 300 points Business entities often used by fraudsters to hide illegal funds and the identity of beneficial owners.
  • 42. OSA JEOPARDY Fraud 101 Types of Fraud 100 200 300 400 100 200 300 400 100 200 300 400 Fraud Red Flags Preventative Detective Corrective 100 200 300 400
  • 43. FRAUD RED FLAGS 400 points A situation in which a person is in a position to derive personal benefit from actions or decisions made in their official capacity.
  • 44. INTERNAL CONTROL: TYPES Internal controls are the policies and procedures that an entity puts into place in order to protect its assets, ensure its accounting data is correct, maximize the efficiency of its operation and promote an atmosphere of compliance among its employees.
  • 45. INTERNAL CONTROL: MANAGEMENT RESPONSIBILITY Management is responsible for internal controls! • Management of the Entity • Which employees make up “management” • Role and authority of each • Small versus large entities • Simple versus complex entities • Tone at the top
  • 46. INTERNAL CONTROL: MANAGEMENT RESPONSIBILITY What should Management do to fulfill this responsibility? • Develop and maintain a system of internal control. • Audit committee can provide a monitoring function. • Internal audit can provide information regarding internal control effectiveness. • Compliance with entity policies and procedures.
  • 48. OSA JEOPARDY Fraud 101 Types of Fraud 100 200 300 400 100 200 300 400 100 200 300 400 Fraud Red Flags Preventative Detective Corrective 100 200 300 400
  • 49. PREVENTATIVE, DETECTIVE AND CORRECTIVE 100 points Monthly bank statement reconciliation
  • 50. OSA JEOPARDY Fraud 101 Types of Fraud 100 200 300 400 100 200 300 400 100 200 300 400 Fraud Red Flags Preventative Detective Corrective 100 200 300 400
  • 51. PREVENTATIVE, DETECTIVE AND CORRECTIVE 200 points Management and employee training
  • 52. OSA JEOPARDY Fraud 101 Types of Fraud 100 200 300 400 100 200 300 400 100 200 300 400 Fraud Red Flags Preventative Detective Corrective 100 200 300 400
  • 53. PREVENTATIVE, DETECTIVE AND CORRECTIVE 300 points Fraud tip hotline
  • 54. OSA JEOPARDY Fraud 101 Types of Fraud 100 200 300 400 100 200 300 400 100 200 300 400 Fraud Red Flags Preventative Detective Corrective 100 200 300 400
  • 55. PREVENTATIVE, DETECTIVE AND CORRECTIVE 400 points Tone at the top
  • 56. PHISHING AND SPOOFING • Spoofing is the technical measure of sending an email using a fraudulent or mimicked email account. • Phishing is the attempt to get the recipient to hand over sensitive information. (see also Smishing and vishing) • What are the differences? • Phishing is a method of retrieval, while spoofing is a means of delivery.
  • 57. PAYROLL/VENDOR PHISHING SCAMS • The email phishing scheme spoofs the email account of a known, often high-level manager or leader, and seeks to have users change their direct deposit information for payroll or payment information utilizing spoofed email accounts. • Warning signs include: • Urgent language with a specific request, which places pressure on the recipient to expedite the request. • The request prompts the recipient to change bank account information associated with direct deposit to fraudulently redirect the payroll into an unknown and unauthorized bank/financial institution account.
  • 58. PAYROLL/VENDOR PHISHING SCAMS What can you do to protect yourself? • Validate the domain of the sender as genuine. ( @0sa.s1ate.nm.us) • Do not share bank/financial institution account information via email or make any changes to redirect funds without validating the request. • Validate any suspected phishing attempts and suspected fraudulent requests through an alternate source.
  • 59. PAYROLL/VENDOR PHISHING SCAMS What can you do to protect yourself? • Change passwords and never reveal your confidential information; • Review internal controls and operational handbooks for how to report phishing schemes and alert appropriate IT professionals; • Conduct a special training and alert team members of phishing and spoofing schemes.
  • 60. RANSOMWARE DEFENSE • Ransomware is a serious cybersecurity threat caused most often by spam email, compromised websites, and other malware. • Warning signs include: • Receiving emails with irrelevant headers and/or subject lines or no subject at all; • Being CC’d on an email from a sender or other receivers that are unknown; • Attachments that don’t make sense or are executable files; or embedded hyperlinks that link to a different site.
  • 61. RANSOMWARE DEFENSE What can you do to protect yourself? • Change passwords frequently and use different passwords for all websites. • Take proactive measures to ensure all software is up to date. • Utilize pop-up blockers and close unwanted pop-ups by using keyboard command strokes (Ctrl + X) instead of clicking on the dialog box. • Ensure any antivirus program protects against spyware and that it is a reliable program.
  • 62. RANSOMWARE DEFENSE What can you do to protect yourself? • Safeguard important files by ensuring they are properly and frequently backed up. • Exercise caution when clicking on links or downloading attachments and be cautious of suspicious emails. • Ensure controls are in place that prevent the launch of executable files from emails. Executable files have the ability to run code when opened. Common executable files are: .BAT, .EXE, .BIN, and even .COM • If faced with ransomware, agencies should not send money; and they should immediately report the incident to local law enforcement and inform the OSA.
  • 63. OSA DOUBLE JEOPARDY Cyber Fraud Schemes
  • 64. OSA DOUBLE JEOPARDY Cyber Fraud Schemes Fraud, Waste or Abuse 200 400 600 800 200 400 600 800
  • 65. CYBER FRAUD SCHEMES 200 points Term that generally refers to unauthorized intrusion into a computer or a network.
  • 66. OSA DOUBLE JEOPARDY Cyber Fraud Schemes Fraud, Waste or Abuse 200 400 600 800 200 400 600 800
  • 67. CYBER FRAUD SCHEMES 400 points A type of malicious software designed to block access to a computer system until a sum of money is paid.
  • 68. OSA DOUBLE JEOPARDY Cyber Fraud Schemes Fraud, Waste or Abuse 200 400 600 800 200 400 600 800
  • 69. CYBER FRAUD SCHEMES 600 points The unauthorized use of a person’s or organization’s computing resources to mine cryptocurrency.
  • 70. OSA DOUBLE JEOPARDY Cyber Fraud Schemes Fraud, Waste or Abuse 200 400 600 800 200 400 600 800
  • 71. CYBER FRAUD SCHEMES 800 points This occurs when sensitive data (personal or financial information) is leaked from a secure location. Afterwards, it can be used in an untrusted environment at a corporate or personal level.
  • 72. • The Office of the State Auditor (OSA) regularly conducts special audits and examinations through the OSA’s Special Investigations Division. • The Division, which consists of (currently) five auditors, handles hundreds of cases each year related to allegations of governmental fraud, waste and abuse. • In Fiscal Year 2021, the OSA received almost 350 complaints. SPECIAL AUDITS AND INVESTIGATIONS
  • 73. • Conflicts of Interest / Favored Treatment • Employee Fraud • Time Theft • Procurement / Contracting Improprieties • Improper Loans to Executives or Governing Body members • Excesses in Benefits, Travel and/or Meal Allowances • Financial and Cost Reporting Irregularities SPECIAL AUDITS AND INVESTIGATIONS TYPES OF ISSUES HANDLED BY OSA
  • 74. • Fraudulent Insurance and/or Licensing • Policy Issues / Public Record Requests (IPRA) • Procurement Process Questions or Challenges • Product or Service Quality Concerns • Misuse of Confidential or Proprietary Information • Whistleblowers Protection Act • Public Safety • Security SPECIAL AUDITS AND INVESTIGATIONS TYPES OF ISSUES HANDLED BY OTHER AGENCIES
  • 75. • Environmental Protection • Wage and Hour Issues Unemployment Compensation • Customer Relations Open Meetings Act Violations • Discrimination and/or Sexual Harassment • Employee Relations • Workplace Violence Substance Abuse SPECIAL AUDITS AND INVESTIGATIONS TYPES OF ISSUES HANDLED BY OTHER AGENCIES
  • 76. OSA DOUBLE JEOPARDY Fraud, Waste and Abuse
  • 77. OSA DOUBLE JEOPARDY Cyber Fraud Schemes Fraud, Waste or Abuse 200 400 600 800 200 400 600 800
  • 78. FRAUD, WASTE OR ABUSE 200 points The excessive, improper, or contrary use of something.
  • 79. OSA DOUBLE JEOPARDY Cyber Fraud Schemes Fraud, Waste or Abuse 200 400 600 800 200 400 600 800
  • 80. FRAUD, WASTE OR ABUSE 400 points This leads to unnecessary costs resulting from inefficient or ineffective practices, systems, or controls.
  • 81. OSA DOUBLE JEOPARDY Cyber Fraud Schemes Fraud, Waste or Abuse 200 400 600 800 200 400 600 800
  • 82. FRAUD, WASTE OR ABUSE 600 points Wrongful or criminal deception intended to result in financial or personal gain.
  • 83. OSA DOUBLE JEOPARDY Cyber Fraud Schemes Fraud, Waste or Abuse 200 400 600 800 200 400 600 800
  • 84. FRAUD, WASTE OR ABUSE 800 points The Special Investigations Division of the OSA handles hundreds of cases each year related to allegations of ______ in NM governmental agencies.
  • 85. Reports may be made anonymously through the OSA Hotline by visiting our website and submitting a complaint through our online portal or by calling 1-866-OSA-FRAUD (1-866-672-3728). You may also speak to an investigator by calling 505-476-3800. You may write to the office at: New Mexico Office of the State Auditor 2540 Camino Edward Ortiz, Suite A Santa Fe, NM 87505 www.osafraud.org SUBMITTING A REPORT OR COMPLAINT ALLEGATIONS OF GOVERNMENTAL FRAUD, WASTE, AND ABUSE
  • 86. SUBMITTING A REPORT OR COMPLAINT ALLEGATIONS OF GOVERNMENTAL FRAUD, WASTE, AND ABUSE
  • 87. SUBMITTING A REPORT OR COMPLAINT ALLEGATIONS OF GOVERNMENTAL FRAUD, WASTE, AND ABUSE An agency or IPA reporting potential criminal violations involving the financial affairs of an agency must file a 12-6-6 Notification with our office. The notification must be in writing. • It can be emailed to our office at reports@osa.state.nm.us, sent by mail or faxed. *Please do not use the Fraud Hotline for filing a 12-6-6 Notification
  • 88. SUBMITTING A REPORT OR COMPLAINT WHAT INFORMATION SHOULD BE INCLUDED? • The specific allegation (violation of law, rule or policy) and the governmental entity involved. • The parties involved and any witnesses. • When the act(s) occurred. • The amount of any financial loss. • Whether the issue has been reported to any other oversight body or law enforcement agency, and if so, which ones. • Include a copy of any police report filed. • Any supporting documentation that may be available.
  • 90. OSA FINAL JEOPARDY This phrase means to spend or owe more money than one is earning or is able to repay and is the top behavioral red flag for fraud.
  • 91. OSA BONUS JEOPARDY The amount of “Days of Awesome” that Brian Colón, Esq., CFE, has been NM State Auditor.
  • 93. THANK YOU Alanna Goodman, CFE Audit Supervisor, Special Investigations Division Email: Alanna.Goodman@osa.state.nm.us Phone: (505) 476-3820 David J. Mora, CFE Audit Supervisor, Special Investigations Division Email: David.Mora@osa.state.nm.us Phone: (505) 476-3851
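The sender-domain check from slide 58 and the executable-attachment control from slide 62, as an added Python example that is not part of the presentation. The trusted domain is taken from the contact addresses on the slides; the look-alike character table, the distance threshold, the function names and the sample message are assumptions constructed for illustration.

```python
# Added example (not from the presentation): triage one inbound message for
# a look-alike sender domain and for executable attachments.
import os
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the genuine domain, taken from the contact addresses on the
# slides (for example reports@osa.state.nm.us).
TRUSTED_DOMAINS = {"osa.state.nm.us"}

# Extensions slide 62 lists as common executable files.
EXECUTABLE_EXTENSIONS = {".bat", ".exe", ".bin", ".com"}

# Illustrative subset of digits that are swapped in for similar letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, max_distance=2):
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header value.

    'trusted' only means the domain text matches exactly. The From: header
    is chosen by the sender, so a request to redirect funds still needs the
    out-of-band validation the slides call for.
    """
    _, address = parseaddr(str(from_header))
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "unknown"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded = domain.translate(CONFUSABLES)
    for trusted in TRUSTED_DOMAINS:
        # Genuine name used as a prefix of a different domain.
        if domain.startswith(trusted + "."):
            return "lookalike"
        # Near miss, as typed or after folding look-alike characters.
        target = trusted.translate(CONFUSABLES)
        if min(edit_distance(domain, trusted),
               edit_distance(folded, target)) <= max_distance:
            return "lookalike"
    return "unknown"


def executable_attachments(message):
    """Names of attachments whose final extension is on the executable list."""
    flagged = []
    for part in message.iter_attachments():
        name = part.get_filename() or ""
        # splitext looks at the last extension, so "form.pdf.exe" is caught.
        if os.path.splitext(name.strip().lower())[1] in EXECUTABLE_EXTENSIONS:
            flagged.append(name)
    return flagged


def triage(message):
    """Combine both checks; 'hold' means do not act before validating."""
    sender = classify_sender(message.get("From", ""))
    executables = executable_attachments(message)
    return {"sender": sender,
            "executables": executables,
            "hold": sender == "lookalike" or bool(executables)}


def build_sample():
    """Constructed sample message using the fake domain shown on slide 58."""
    msg = EmailMessage()
    msg["From"] = '"State Auditor" <director@0sa.s1ate.nm.us>'
    msg["To"] = "payroll@agency.example"
    msg["Subject"] = "URGENT: update my direct deposit today"
    msg.set_content("Please change my direct deposit account before payroll runs.")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                       filename="new_bank_form.pdf.exe")
    return msg


if __name__ == "__main__":
    print(triage(build_sample()))
```
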

Editor's Notes

  1. Intros I know last year everyone was into the music jeopardy game so can anyone guess the song reference in the first slide? Greg Kihn Band “Jeopardy” 1983 “Weird Al” Yankovic “I Lost on Jeopardy” 1984
  2. So, what is Fraud? Well according to the Association of Certified Fraud Examiners, Fraud is any intentional act or omission designed to deceive others that results in a sustained loss for the victim and a gain for the perpetrator.
  3. The State Audit Rule also provides a definition for the term “Fraud”. It includes, but is not limited to, fraudulent financial reporting, the misappropriation of assets, corruption, and the use of public funds for any activity that is prohibited by the State Constitution or state law. The State Audit Rule also defines fraudulent financial reporting as intentional misstatements or omissions of amounts or disclosures within financial statements that deceive users of such statements. Examples of fraudulent financial reporting may include the alteration of accounting records, transaction misrepresentation, or the misapplication of accounting principles. Misappropriation of assets is defined as the theft of assets. This may include the theft of property, embezzlement of receipts, or fraudulent payments. The State Audit Rule further defines Corruption as bribery or other illegal acts.
  4. Random Poll: How many people here are Certified Fraud Examiners? This will probably look familiar to you. Donald Cressey’s Fraud Triangle Theory is essentially how auditors approach fraud. His theory has been around since the 1950s. Pressure: could be financial or emotional. Extra money may be needed to cover specific “life issues”. Some examples could be: • Family issues • Gambling, alcohol, or drug addictions • Overwhelming desire for financial gain • Pressure to meet professional goals • Dissatisfaction at work What can create opportunity? • Position or function within the organization • Personal traits and abilities • Confidence in one’s ability to commit undetected fraud • An ability to talk one’s way out of trouble • Dealing well with stressful situations may also create opportunity. Agencies can also create opportunity by giving too much trust or having a poor tone at the top. A lack of, or limited, internal controls can also create opportunity. Remember that even with established internal controls, opportunity could still exist if there is no monitoring or enforcement in place, or if the controls are ineffective. Rationalization: most often it involves some sort of disconnection from reality in some way or another. It’s the ability to persuade oneself into believing the act is perfectly okay. A way to justify in the person’s consciousness that the act of fraud is not so bad. The person believes that they are owed the stolen money. The perpetrator is just “borrowing” until they can pay it back. And lastly, the “Everyone else is doing it” justification. Another theory by Wolfe and Hermanson, the Fraud Diamond Theory, also adds Capability to Cressey’s theory. Which basically means that in addition to Pressure, Opportunity and Rationalization, the perpetrator would also need the skills and ability to commit fraud. Capability incorporates the person’s position/job function within the organization; their intelligence/creativity and ego; and their ability to coerce, deceive and control stress.
  5. This is the definition according to the State Audit Rule (Section 2.2.2.7 (W) NMAC) Examples include: • The extravagant, careless, or needless expenditure of government funds. • Programmatic or operational mismanagement. • Consumption of government property that results from deficient practices, systems, controls, or decisions. • Abuse of resources to the detriment (or potential detriment) of the government agency. • Incurring unnecessary costs resulting from inefficient or ineffective practices, systems, or controls.
  6. This is the definition according to the State Audit Rule (Section 2.2.2.7 (A)(3) NMAC). Examples include: • Creating unneeded overtime. • Requesting staff to perform personal errands or work tasks for a supervisor or manager. • Performing tasks related to a personal business during working hours and on government equipment. • Misusing the official's position for personal gain (including not only the official's personal interests but the interests of family members or others). • Making travel choices that are contrary to existing travel policies or are unnecessarily extravagant or expensive. • Making procurement or vendor selections that are contrary to existing policies or are unnecessarily extravagant or expensive.
  7. Ok, we are going to start with some Jeopardy questions. Our first category will be “Fraud 101”.
  8. Answer: What is Fraud?
  9. Answer: What is Pressure?
  10. Answer: What is concealment?
  11. Answer: What is corruption?
  12. Fraudulent activity can occur anytime within governmental entities. What are some of the factors that can lead to fraud within governmental entities? Large expenditures of monies from taxpayer and grant funds. Being a major employer within their local areas. Inadequate resources to combat fraud. Inadequate data sharing.
  13. So, what are the most common types of fraud within governmental entities? This chart was copied from the ACFE 2022 Report to the Nations. Corruption was the most common fraud scheme. So basically, fraud by a person of authority, misusing their position to gain a benefit. Second was billing. This could mean: fake invoices for goods or services that were completely made up, altered invoices, invoices for personal purchases. Or an employee creates a shell company and sends fake invoices to bill the agency. Tied for third were Noncash and payroll schemes. Noncash are schemes involving other assets of the agency, like stealing inventory or equipment. And payroll could involve
  14. Corruption was the most common fraud scheme. So basically, fraud by a person of authority, misusing their position to gain a benefit. There are many types of corrupt actions that can occur during a procurement process. Acceptance of Bribes, which are the giving or receiving of a “thing” of value to corruptly influence the actions of another person or organization. Bribes may take the form of: Kickback – a type of bribe paid by the contractor after they have received payment for the project. Corrupt Payment – any benefit given with the intent of influencing the recipient. Things of value can include: gifts (travel, entertainment, etc.), loans (to be repaid or not), cash, fees or commissions. Corrupt Influence – which can include: paying too much for or buying too many of an item; qualifying an untested/unqualified vendor; improper contract awards; knowingly accepting low-quality goods/services; exclusion of other, qualified bidders. The pressure to commit procurement fraud may be politically or family related. For example, a family member of a school superintendent is an electrician who can do the work needed on construction of a new school. The opportunity was created by a lack of internal controls or the override of internal controls. Having a Chief Procurement Officer within an agency, and governance over approving contracts, is critical to detecting any potential conflict such as the one in our example. The School District rationalized the action as allowable because the work has to get done and money was saved elsewhere on the project. This is the “The money has to be spent or we’ll lose it” justification.
  15. Billing Fraud. Some schemes include: Double Billing or Invoices - A contractor will submit multiple invoices for work/expenses that were only incurred once. An insider may aid in this process by associating the different invoices to different projects. Falsified Billing or Invoices - A contractor/supplier will submit an invoice that is either false or inflated. Another scenario is that a procurement officer can submit invoices from a fictitious vendor, likely paying themselves or a family member. Personal Purchases with Agency funds - When an employee submits an invoice for personal purchases to the company for payment, or when an employee uses a company credit card for personal purchases.
  16. Non-Cash Schemes involve noncash assets of the agency. Misuse or theft of inventory, or equipment and other property of the government agency. One of the most frequent complaints reported to our office is timesheet/payroll related fraud. The only aspect the agency can control here is opportunity. One of the most common schemes is the falsification of payroll or wages. For example, an employee may report X number of hours that they did not work over a 6-month time period, resulting in huge overpayments. What can cause this issue? Timesheet approver did not monitor the number of hours actually worked by the employee. In this example: the pressure may have been family related or exceeding financial pressures. The time was needed to pick up a child by a certain time or face additional costs for childcare. The opportunity was created by a lack of internal controls or the override of internal controls. No one was paying attention to the falsified timesheets, which were subsequently approved. The employee rationalized the action as allowable by taking a shorter lunch or working extra time to make up the difference. What are some of the Red Flags? • Blaming the system for pay errors • Overrides on the time clock • Unknown employee in pay records What to monitor: • Reconcile monthly account ledgers • Approval of timesheets
  17. It was noted in the Report that in the ACFE’s study, government and public administration was the industry with the second greatest number of cases of fraud. Additionally, the ACFE noted that federal government agencies had a higher median loss, but that over half of the reported government fraud cases were in state and local government agencies.
  18. And that leads us to our next Jeopardy category, “Types of Fraud”
  19. Answer: What is bribery?
  20. Answer: What is skimming?
  21. Answer: What is ghost employee?
  22. Answer: What is smishing?
  23. What can we do to prevent or at least minimize the risk of fraud? Well, we can implement effective internal policies, maintain compliance with applicable laws and regulations, and ensure that regular internal audits or risk assessments are conducted. Before I go to the next slide, does anyone know what the ACFE found as the top internal control weakness that contributed to occupational fraud?
  24. This one might be hard to read, but the top internal control weakness that contributed to occupational fraud was: Lack of Internal Controls – 29% Override of Existing Controls – 20% Lack of Management Review – 16% Poor tone at the top -
  25. Internal Controls are the key to any successful fraud detection program. Control Environment and five principles – INTEGRITY AND ETHICAL VALUES are the MOST important and must be present. The Control Environment concept is the technical competence and ethical commitment to combating fraud. (Everyone knows their job and is committed to doing what is right.) Getting buy-in from the top down is very important. INTEGRITY AND ETHICAL VALUES are the MOST important and MUST be present. Accountability is also essential when the values of the agency are not adhered to. If there is no accountability, then the control environment breaks down. Risk Assessment – can include Internal Audit, Office of Inspector General, and/or internal risk review process. Risk assessment is important to identify areas that may have weaknesses and where policies/procedures may need updating. Risk assessment is not a one-time activity. Agencies should regularly be assessing risk and whether or not policies in place address the issues. Seeking input from employees on how they can better do their job may equal more buy-in. Risk assessment asks “What could go wrong?”
  26. Control Activities are the detailed policies and procedures that mitigate the identified risks. Risk assessment asks “What could go wrong?” And the control activities are the ways to prevent what could go wrong, or at least lessen those instances. This is why you prep for emergencies. Examples: segregation of duties, levels of review (built into and required by accounting system as well as non-system levels of review). Example – budget process for request. Who has access to what? Information and Communication – what is the communicated tone? How are the internal controls communicated? Emails and meetings – a commitment to do what is right? Regular updates on policies or procedures. Does management welcome input from employees about changing procedures? Monitoring Activities – Internal Controls are not static. Regular review/evaluation of effectiveness and compliance. Quarterly financial review – process of comparing balances close to year end or before. During the pandemic, many people were working from home. Were there sufficient policies that considered the internal controls necessary to prevent fraud? For instance, having a paper form signed by a supervisor for pre-approval of leave or travel? Does your agency have policies and procedures that address internal controls while working from home? Have any new policies and procedures been addressed with staff through meetings or just an email? Are employees required to affirmatively state they have read any new policies? What did your agency do when employees began returning to the office? Did the prior policies get reinstated or did the interim policies become permanent?
  27. Answer: What are adjusting entries or write-offs?
  28. Answer: What are vacations/paid leave/annual leave or job/duty rotation?
  29. Answer: What are shell companies/corporations?
  30. Answer: What is a conflict of interest?
  31. There are three types of internal controls that work together to prevent fraud, waste, or abuse. Detective internal controls are designed to find errors after they have occurred. They serve as part of a checks-and-balances system and to determine how efficient policies are. Examples include surprise cash counts, taking inventory, review and approval of accounting work, internal audits, and enforcement of job descriptions and expectations. Detective internal controls also help protect assets. For instance, if a field office does not know when inventory will be counted, it may encourage honesty. Preventative Internal Controls: Preventative internal controls are put into place to keep errors and irregularities from happening. While detective controls usually occur irregularly, preventative controls usually occur on a regular basis. They range from locking the building before leaving to entering a password before completing a transaction. Other preventative controls include testing for clerical accuracy, backing up computer data, employee screening and training programs, segregation of duties, enforced vacations, obtaining approval before processing a transaction and having physical control over assets (locking money in a safe, for example). Corrective Internal Controls: As the name suggests, corrective internal controls are put into place to correct any errors that were found by the detective internal controls. When an error is made, employees should follow whatever procedures have been put into place to correct the error, such as reporting the problem to a supervisor. Training programs and progressive discipline for errors are other examples of corrective internal controls. Limitations: It is important to keep in mind that internal controls, while effective, are not a guarantee that an organization’s objectives will be met. In addition, internal controls assume employees are honest and that they would not bypass guidelines or alter data to benefit themselves.
  32. Well, technically EVERYONE is responsible; however, it starts at the top. If management does not have a commitment to ethics that is enforced from the top down, there will be a breakdown in internal controls, and the good ethical employees that you have will leave the entity if they do not have a feeling that management is fair and accountable. Employees that make up management vary by organization. Small versus large – a mid-level employee (business manager) may make up management whereas a CFO at a larger agency may be considered management. Organizations should self-assess who management is when it relates to internal controls and the proper internal control structure. Tone at the top should be a strong message of commitment to ethical behavior and integrity.
  33. Audit Committee and Internal Audit can provide – but not if the function isn’t what it was intended to be. Internal Audit should have the ability to report independently. Management/governance compliance with entity policies and procedures is one that comes up frequently. Do you work somewhere where you feel like the same rules don’t apply to management? This concept is key. In order for everyone to feel that management does take internal controls seriously, there needs to be a feeling of fairness. If employees need pre-approval from supervisors to travel to a conference, then this should apply to management/governance as well. And if policies and procedures are not followed, the CPO of the agency needs to be able to freely state to their superior any deficiencies they see in following procedure. “We need your travel form to include this information, and this is what we will reimburse for, and receipts are required.” It is a difficult situation if an employee feels intimidated to reimburse for an expenditure, if they do not have the control environment where feedback is encouraged.
  34. Answer: What is detective?
  35. Answer: What is preventative or corrective?
  36. Answer: What is preventative or detective?
  37. Answer: What is preventative?
  38. One of the most common cyber fraud schemes is Phishing and Spoofing. What are Phishing and Spoofing? Spoofing occurs when someone sends an email using a forged or mimicked email address. Typically, the sender’s name or email address and the body of the message may be changed to mimic a legitimate source such as a vendor, bank, newspaper, or other recognized entity. Spoofed emails often originate from what appears to be a known source that may include another government entity or government employee. Phishing, by contrast, is the attempt to get the recipient to hand over sensitive information. A hacker may target a victim through email, telephone or text, often posing as a legitimate business or known source to lure the victim into providing sensitive data such as banking information or passwords. The information provided can then be used to access bank accounts, resulting in financial loss. Phishing attempts have over time become more sophisticated. Malicious software can be installed on network computers through spoofed emails containing infected attachments or URLs. So, what are the differences between the two? Although both involve methods to trick the recipient into carrying out an action, phishing is a method of retrieval, while spoofing is a means of delivery.
  39. Email Phishing schemes often use spoofed or forged email accounts of a known, often high-level manager seeking to redirect that person’s direct deposit information for payroll to a fraudulent bank account. Some warning signs of a phishing scheme include: Urgent language with a specific request applying pressure on the recipient to expedite the request. The request prompts the recipient to change the existing bank account information to an unknown bank account. It’s important to note that once a transfer of direct deposit funds has been redirected to a fraudulent bank account, it can be difficult to recover the funds. A swift response to the fraudulent activity is the best option for recovering lost funds. The OSA has received notice of several instances of attempted Email Phishing Schemes that requested to redirect employee payroll deposits and also vendor payments. We know that several state agencies, school districts, higher education institutions, and county governments have all been targeted and we recommend you be on high alert. It’s important that your internal controls include independent verification of the employee payroll information/vendor payment information either by phone, video chat, or in person upon each request.
  40. So, what can you do to protect yourself or your agency? Validate the domain of the sender as genuine. It is not uncommon for spoofed emails to contain a misspelled word or name, or any other inconsistency within the email address. Do not share personal bank account information via email or make any changes to redirect employee payroll without validating the request. Validate the request with the employee through an alternative source.
  41. Other preventive measures you can take to protect yourself include: Regularly change passwords and never reveal your confidential information. Regularly review your agency’s internal controls and operational handbooks for instructions on reporting phishing schemes and alert appropriate IT professionals. Provide staff training to properly identify and report any phishing and spoofing schemes.
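The warning signs and controls in notes 39 to 41 can be turned into an automated triage step for payroll and vendor-payment mailboxes. The following Python sketch is an added example, not material from the OSA presentation; the domain `agency.example`, the staff name, the keyword lists, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: the agency's real mail domain and a staff directory.
TRUSTED_DOMAINS = {"agency.example"}
KNOWN_STAFF = {"pat rivera"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)
BANK_CHANGE = re.compile(
    r"\b(direct deposit|bank account|routing number|account number)\b", re.I)

# Constructed sample messages (not real mail).
SPOOFED = """\
From: Pat Rivera <pat.rivera@agancy.example>
Reply-To: pat.rivera.payroll@mailbox.example
To: payroll@agency.example
Subject: Urgent - direct deposit update

Please move my direct deposit to a new bank account. I need this done today.
"""
ROUTINE = """\
From: Pat Rivera <pat.rivera@agency.example>
To: payroll@agency.example
Subject: Direct deposit change

I have switched banks. Could you update my direct deposit when convenient?
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].lower().rpartition("@")[2]


def review_request(raw_email):
    """Flag the warning signs from the notes and decide whether to verify."""
    msg = message_from_string(raw_email)
    findings = []
    display_name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_dom = domain_of(msg.get("From"))
    if from_dom not in TRUSTED_DOMAINS:
        near = [d for d in TRUSTED_DOMAINS if edit_distance(from_dom, d) <= 2]
        findings.append("lookalike-domain" if near else "external-domain")
        if display_name in KNOWN_STAFF:  # staff name on a non-agency address
            findings.append("display-name-mismatch")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    body = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + (body if isinstance(body, str) else "")
    asks_bank_change = bool(BANK_CHANGE.search(text))
    if asks_bank_change and URGENCY.search(text):
        findings.append("urgent-bank-change")
    # A From header can be forged even when the domain looks right, so every
    # bank-detail change goes to phone, video, or in-person verification.
    return {"findings": findings, "verify_out_of_band": asks_bank_change}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("routine", ROUTINE)):
        print(label, review_request(raw))
```

The routine message raises no findings yet is still routed to out-of-band verification, which mirrors the control in note 39: verification happens on each request, not only on the ones that look suspicious.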
  42. Ransomware attacks are another common cyber fraud scheme. Ransomware is a type of malicious software or malware that prevents you from accessing your computer files, systems, or networks and demands a ransom payment in order to restore your access. It is a serious cybersecurity threat caused most often by spam email, compromised websites, and other malware. Some of the warning signs of a ransomware attack include: Receiving emails with irrelevant headers and/or subject lines or no subject at all. Being copied on emails from unknown senders or other receivers. Attachments that do not make sense or are executable files. Or embedded hyperlinks that link to a different site. The OSA receives numerous reports each year of potential criminal violations and suspected fraud associated with ransomware. Ransomware can be a costly risk. Not only can data be compromised but in the few instances that we know of we have seen losses totaling over $1 million for recovery and repairs. The OSA strongly advises the public, business owners, and agencies be aware of the potential risks associated with these cybersecurity threats.
  43. How do you protect yourself or your agency? Change passwords frequently and use different passwords for all websites. Take proactive measures to ensure all software is up to date. Utilize pop-up blockers and close unwanted pop-ups by using keyboard command strokes instead of clicking on the dialog box. Ensure your antivirus software is reliable and protects against spyware.
  44. Safeguard important files by ensuring they are properly and frequently backed up. Exercise caution when clicking on links or downloading attachments and be cautious of suspicious emails. Ensure controls are in place that prevent the launch of executable files from emails. Executable files have the ability to run code when opened. If faced with ransomware, agencies should not send money; and they should immediately report the incident to local law enforcement and inform the OSA.    The OSA further advises reviewing internal controls and developing procedures to aid in the prevention and detection of cybersecurity threats that may potentially lead to fraud, waste or abuse.
  45. Answer: What is hacking?
  46. Answer: What is ransomware?
  47. Answer: What is cryptojacking?
  48. Answer: What is a data breach?
  49. Audits do not often find fraud, waste and abuse within an entity. That is not the purpose of an audit. Auditors only test sample transactions and if something is immaterial or too small of an amount, it may not even be tested. This is why the OSA has a Special Investigations Division--to investigate reported instances of governmental fraud, waste and abuse and then refer those matters to our Independent Public Accountants or IPAs to perform further test work.
  50. The OSA’s Special Investigations Division reviews various types of issues that include conflicts of interest, employee fraud, procurement improprieties, improper loans to Executives of Governing Body members, excess of benefits, and financial and cost reporting irregularities.
  51. However, there are several types of issues that are not investigated by the OSA’s Special Investigations Division. These issues fall within the jurisdiction of other agencies. Some of those include fraudulent insurance or licensing, IPRA Requests, procurement process questions or challenges, product or service quality concerns, misuse of confidential or proprietary information, Whistleblowers Protection Act, public safety, and security.
  52. Occasionally we receive complaints against nonprofit organizations as well. And rest assured that even if it is a complaint that is out of OSA jurisdiction, we will refer the issue to the appropriate oversight agency or even law enforcement if we can’t handle the complaint. Additionally, we may investigate a complaint and find there are additional issues that another agency may handle, like the NM Ethics Commission or NM Attorney General for example, and we will refer the case to them as well.
  53. Answer: What is abuse?
  54. Answer: What is waste?
  55. Answer: What is fraud?
  56. Answer: What is fraud, waste or abuse?
  57. Whistleblower/member of public: You can submit a complaint by calling, writing, or visiting us online. The website to submit a complaint is www.osafraud.org. Agency or IPA reporting potential criminal violations involving financial affairs of the agency: 12-6-6 reporting requirements in writing – reports@osa.state.nm.us. You are our eyes and ears; we can’t know everything that may be occurring, but your complaints allow us to take a closer look at potential problem areas. If you see something, say something. That’s how we can work together for improved governance and, quite frankly, greater accountability.
  58. Why do we have our hotline? Because tips from employees are the top way fraud, waste and abuse are detected. We all know that external audits are not looking for fraud. And according to the ACFE, an external audit only detected fraud 4% of the time.
  59. Agency or IPA reporting potential criminal violations involving financial affairs of the agency: 12-6-6 reporting requirements in writing – reports@osa.state.nm.us. You are our eyes and ears; we can’t know everything that may be occurring, but your complaints allow us to take a closer look at potential problem areas. If you see something, say something. That’s how we can work together for improved governance and, quite frankly, greater accountability.
  60. If you do submit a complaint, there are a few things that are especially helpful in our reviews. Please be sure to include a detailed summary of the specific allegation, a list of the parties involved and any witnesses, when the act(s) occurred, the amount of financial loss (if any), whether the matter has been reported to another oversight body or law enforcement, and any support documentation. While it may be difficult to provide all of this, we certainly encourage you to provide as much as possible.
  61. What is living beyond one’s (your) means?
  62. What is 1,234 days?