The document discusses the complexities of fraud management, highlighting the vulnerabilities in organizational controls and the significance of fraud risk assessment, prevention, and detection mechanisms. It emphasizes the importance of governance, internal controls, and employee awareness in mitigating fraud risks, while detailing common fraud scenarios and prevention strategies. Key areas include the role of management, employee attitudes, and the need for comprehensive fraud risk management programs to safeguard organizational resources.

1. Fraud and Internal Controls: Fraud Prevention, Detection and Incident Handling John J. Hall, CPA Hall Consulting, Inc. [email_address]

2. Are Business Entities Inherently Susceptible to Control Breakdowns? All controls break down over time Inadequate segregation Limited resources Thin control capability Skill levels may not match needs Service focus Politics and personalities High level override is fairly easy

3. Where Our Issues Overlap

4. Prevention/Deterrence Prompt Detection Effective Response FRAUD RISK MANAGEMENT

5. Risk When Managed Creates Value

6. Risk Management Improve performance by acknowledging and controlling risks Solutions to protect and conserve the organization’s resources

7. Example Risk Universe Financial Operations Strategic Knowledge

8. Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today’s Largest Organizations www.protiviti.com

9. Protiviti Preventing Fraud Report Organizations are at different maturity points in their capabilities to evaluate, mitigate and monitor fraud risk. Organizations are struggling to understand what Fraud Risk Management means in the context of their daily operations. Education and awareness are critical issues that need greater attention in order to successfully manage fraud risk.

10. Example Risk Universe Financial Operations Strategic Knowledge Fraud

11. Fraud Risk Management Improve performance by acknowledging and controlling fraud risks Solutions to protect and conserve the organization’s resources from fraud exposures

12. Fraud Risk Management Includes: Theft Diversion Misconduct Deception Wrongdoing Misappropriation Irregularities Criminal Acts Other Similar Actions Impact: Financial Loss Cost of Investigation Reputation Damaged Relationships Negative Publicity Loss of Employees Loss of Customers Litigation Damaged Employee Morale

13. What do we mean by Fraud ?

14. Fraud Defined Managing the Business Risk of Fraud: A Practical Guide Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.

15. Error versus Intent to Deceive

16. Key Elements Clandestine Violates the perpetrator’s fiduciary duties to the victim organization Committed for the purpose of direct or indirect financial benefit Costs the organization assets, revenue or reserves

17. Three Categories Misappropriation Manipulated Results Corruption

18. Corruption Using influence in a transaction to obtain unauthorized benefit contrary to the person’s duty to the employer Usually perpetrated by management, but often involves collusion among internal and external parties SHADOW DEALS

19. Corruption Examples Accepting or paying a bribe Engaging in a business transaction where there is an undisclosed conflict of interest Extortion

20. MACRO micro systemic How Big?

21. MACRO Fraud Risks Actions by leaders / abuse Miss-use of restricted funds Lies in financial or program results Form 990 and other tax information Actions that damage reputation

22. MICRO Fraud Risks Embezzlement Receipts diversion/lapping Information technology Misuse of data Equipment Vendor schemes

23. SYSTEMIC Fraud Risks Expense reimbursement Fund raising assets Gift cards and travelers checks Payroll and benefits P-cards and debit cards Shared credit cards

24. Is it Wrong to Commit Fraud? ATTITUDE

25. DISCUSSION What keeps honest people honest? Beliefs, perceptions, attitudes Culture Fear No need No opportunity Inadequate opportunity

26. Three Cases – Four Attitudes The activity was within reasonable ethical and legal limits – that is, not “really” illegal or immoral. The activity is within the individual’s or organization’s best interest – that the individual would be expected to undertake the activity.

27. Three Cases – Four Attitudes The activity is “safe” as it will never be found out or publicized – the classic crime and punishment issue of discovery. Because the activity helps the organization, the organization will condone it and even protect the person who engages in it.

28. Single Largest Deterrent Belief you will be caught… and punished

29. DISCUSSION Therefore, why do some steal? CHANGE IN: Beliefs, perceptions, attitudes Culture Fear No need No opportunity Inadequate opportunity

30. Let’s Agree Who commits fraud, and why? Situations Change / People Change

31. Let’s Agree Who commits fraud, and why? And for some, it’s just what they do! Don’t let them in If they are already in, find them ASAP and get them out

32. Completely Dishonest Completely Honest Pressure Attitude Opportunity Honesty Scale

33. The Fraud Triangle Opportunity Pressure Attitude

34. INCENTIVE OR PRESSURE : Inadequate compensation levels coupled with an attitude of indifference by management and/or members of governing bodies may create an incentive for employees to commit fraud ATTITUDE : When employees are continually over-worked or asked to work out of class without additional compensation they may rationalize fraudulent acts as compensation for these additional hours or efforts OPPORTUNITY : The lack of personnel or the lack of sufficiently qualified personnel is prevalent in administrative and/or accounting and finance functions in both government and not-for-profit organizations.

35. For Consideration “ Beating the System” Largest threat comes from inside “the system”

36. Management Override Inherent “ Macro” Risk ???

37. Pause and ask, “ What if they are trying to fool me…”

38. Cold Hard Facts Most fraud is done by those we trust Most will do it…under the right (or wrong) circumstances Limited resources available to manage risks effectively Knowledge level needed may not be available internally

39. 13 High Opportunity Areas Remote locations Overseas locations Areas not understood well by leaders Costs allocated to other cost centers New functions or systems New products or services Areas experiencing rapid growth New technology

40. 13 High Opportunity Areas Locations or functions about to be closed or sold Areas or locations with a history of problems or poor performance Joint ventures or other similar arrangements Records are kept by outsiders Areas that are politically protected

41. SAS 99: Consideration of Fraud in a Financial Statement Audit Auditor Responsibilities: “ The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by fraud or error (AU sec. 110.02)”

42. SAS 99: Consideration of Fraud in a Financial Statement Audit Auditor Responsibilities: “ This statement [SAS 99] established standards and provides guidance to auditors in fulfilling that responsibility, as it related to fraud, in an audit of financial statements conducted in accordance with generally accepted auditing standards (GAAS).”

43. SAS 99: Consideration of Fraud Required audit team brainstorming session

44. SAS 99: Consideration of Fraud Introduces “ Human Psychology” into the audit process

45. Professional Skepticism Attitude involving two aspects Questioning mind recognize possibility of fraud set aside past experience and beliefs despite beliefs re: integrity Critical assessment of evidence not satisfied with less than persuasive evidence

46. Lessons from Psychology We self-correct for information that does not fit our assumptions Sources of assumptions Past history Personal experience Training and culture Our perceptions about those we audit probably are incomplete “ Categories” allow us to quickly analyze data – sometimes incorrectly

47. SAS 99: Consideration of Fraud Commission Conversion Concealment

48. SAS 99: Consideration of Fraud Required Skills Communication Technology Forensic Accounting

49. Comprehensive Fraud Risk Management Program

50. Fraud Risk Management Program Prevention and Deterrence Early Detection Effective Handling ORGANIZATIONS MUST BE PREPARED AT ALL THREE LEVELS

51. Level 1: Deterrence and Prevention

52. 9 Suggestions Effective Governance and Oversight Strong Control Procedures and Behaviors Fraud Policy Require Reporting Fraud Skills Training Hotline in Place and Trusted Fraud Exposure Analysis Be Ready to Respond Culture of “Doubting”

53. Internal Controls Preventive Detective Controls may be: Effective internal control often includes a combination of preventive and detective controls to achieve a specific control objective

54. COSO Control Framework

55. BALANCE Two Factors

56. HI LOW HI HARD CONTROLS SOFT CONTROLS

57. Internal Controls HARD CONTROLS Policies Procedures Systems Soft Controls Simply: The competence, attention and integrity of the people

58. Internal Controls A process designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with laws and regulations

59. “ Business” Controls The processes designed to provide reasonable assurance regarding the achievement of business and operating objectives Effectiveness and efficiency of operations Measures HDWK

60. Managing the Business Risk of Fraud: A Practical Guide July 7, 2008

61. Key Points Suitable fraud risk management oversight and expectations exist (governance) – Principle 1 Fraud exposures are identified and evaluated (risk assessment) – Principle 2 Appropriate processes and procedures are in place to manage these exposures (prevention and detection) – Principles 3 & 4 Fraud allegations are addressed, and appropriate corrective action is taken in a timely manner (investigation and corrective action) – Principle 5

62. Fraud Risk Assessment: Key Elements How might a fraud perpetrator exploit weaknesses in the system of controls? How could a perpetrator override or circumvent controls? What could a perpetrator do to conceal the fraud?

63. Level 2: Early Detection

64. How Fraud is Detected Normal internal controls Managers and employees paying attention Internal auditors “ Whistle Blower” Change of management Anonymous tip-off External audit Other

65. Fraud Detection Steps Think like a thief Use discovery techniques aggressively Discovery testing Interviews Monitoring Determine the cause of all fraud indicators surfaced

66. PLAN with the PRESUMPTION That a Fraud Incident Has Occurred

67. Comprehensive Fraud Exposure Analysis By functional area By position By relationship End Result: Fraud Risk Inventory

68. Creation of a Fraud Risk Inventory What could go wrong? What has happened in the past? Can we prevent it? Can we catch it right away? Can we handle it?

69. FRAUD RISKS Cash Disbursements

70. FRAUD RISKS THINGS WE KNOW ABOUT Cash Disbursements - Fake Vendor Contractor Overcharges Inflate hours on time cards Travel expenses Others… THINGS WE DON’T KNOW ABOUT

71. FRAUD RISKS Cash Disbursements “ Fake Vendor Scheme”

72. Detection Prevention Indicator Fraud Risk Independent verification of all first time payments Periodic verification of “little known” suppliers Focus on service providers Verify receipt of goods or services prior to payment Use purchase orders Segregate duties Build in duplication Limit access Reconcile all bank accounts immediately upon receipt of the bank statement Examine all cancelled checks Periodically review all vendors and contractors for existence and legitimacy REVIEW ALL MONTH END TRANSACTION REPORTS 100% “ Positive Pay” Use Computer Data Mining Techniques to Surface Fraud Indicators Cash Disbursements – Fake Vendor: Fake documents are introduced into the payments system, The invoice is from a “consultant” for “services rendered” Approval signatures are forged Funds are disbursed by check, The check is deposited into the personal checking account of a volunteer The transaction is charged to Consulting Expenses in the accounting system Generic looking invoice Unknown vendor / contractor Address: Same as employee or volunteer PO Box Mailboxes, Etc. Prison… “ Hold check for pickup” No phone number on invoice Unknown charges on cost center reports Check: Clears too fast Funny endorsements Geography

73. Control to Detect Control To Prevent Indicator Fraud Risk Audit Program Steps Look for indicators Test prevention control Test detection control NATURE, TIMING and EXTENT of AUDIT PROCEDURES Cash Disbursements – Fake Vendor: Fake documents are introduced into the payments system, The invoice is from a “consultant” for “services rendered” Approval signatures are forged Generic looking invoice Unknown vendor / contractor Address: Same as employee or volunteer PO Box Mailboxes, Etc. Prison… “ Hold check for pickup” No phone number on invoice Independent verification of all first time payments Periodic verification of “little known” suppliers Focus on service providers Verify receipt of goods or services prior to payment Use purchase orders Segregate duties Build in duplication Limit access Reconcile all bank accounts immediately upon receipt of the bank statement Examine all cancelled checks Periodically review all vendors and contractors for existence and legitimacy REVIEW ALL MONTH END TRANSACTION REPORTS 100% “ Positive Pay”

74. Detection Indicator Fraud Risk: Cash Disbursements – Fake Vendor Scheme Reconcile all bank accounts immediately upon receipt of the bank statement Examine all cancelled checks Periodically review all vendors and contractors for existence and legitimacy REVIEW ALL MONTH END TRANSACTION REPORTS 100% “ Positive Pay” Use Computer Data Mining Techniques to Surface Fraud Indicators Generic looking invoice Unknown vendor / contractor Address: Same as employee or volunteer PO Box Mailboxes, Etc. Prison… “ Hold check for pickup” No phone number on invoice Unknown charges on cost center reports Check: Clears too fast Funny endorsements Geography

75. Detection Controls Prevention Controls Indicator Fraud Risk HARD CONTROLS Soft Controls

76. Fraud Controls HARD CONTROLS Soft Controls Simply: The competence, attention and integrity of the people Policies Procedures Systems

77. Monitoring

78. Level 3: Effective Handling

79. Effective Fraud Handling Response mechanism Investigation Loss recovery Control weaknesses External authorities Publicity Morale and HR concerns

80. Investigative Resources Experienced investigators Forensic accounting Computer forensics specialists Others

81. Override / Collusion Shadow Deals Time SPECIAL CHALLENGES

82. So, what should YOU do??? Acknowledge Expectations Examine Skills Identify Gaps Act to Fill the Gaps

83. … Last Thoughts Think like a thief Teach others what they need to know to be effective Look for fraud indicators. Design and perform discovery based steps When in doubt, doubt Follow up / formally refer all suspicions

84. BALANCE

85. John J. Hall, CPA PO Box 850 Vail, CO 81658 Cell: (312) 560-9931 www.hallconsulting.biz jhall @ hallconsulting.biz Further Questions or Comments??