IIA El Paso Chapter 100113 - Institute of Internal Auditors El... · –Medical problems ... • A red flag is a set of circumstances that is ... Professional Practice of Internal

10/01/2013

© 2013 McHard Accounting Consulting LLC 1

Beth A. Mohr, CFE, CAMS, PI, MPANM-PI #2503; AZ-PI #1639940

Janet M. McHard, CPA, CFE, MAFF, CFFMcHard Accounting Consulting LLC

IIA El Paso ChapterOctober 1, 2013

Fraud Seminar

© 2013 McHard Accounting Consulting LLC


Agenda

• Fraud Basics and Red Flags of Fraud for Internal Auditors

• Internal Investigators for Internal Auditors with Case Studies

Fraud Seminar:Fraud Basics and Red Flags


10/01/2013



Occupational Fraud

• The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets


Occupational Fraud• Has four common elements:

– Is clandestine– Violates the perpetrator’s fiduciary duties to

the victim organization– Is committed for the purpose of direct or

indirect financial benefit to the perpetrator– Costs the employing organization assets,

revenue or reserves


How much does fraud cost?

• The Association of Certified Fraud Examiners’ 2012 Report to the Nations on Occupational Fraud and Abuse estimates losses at 5% of annual revenues, that’s $3.5 trillion when applied to the World Gross Product.

10/01/2013



Who loses?• According to the 2012 Report:

– Private organizations represented 39.3% of the frauds reported with a median loss of $200,000.

– Public organizations represented 28.0% of the frauds reported with a median loss of $127,000.

– Nonprofit organizations represented 10.4% of the frauds reported with a median loss of $100,000.

– Government organizations represented 16.8% of the frauds reported with a median loss of $81,000.


Who loses?• According to the 2012 Report:

– Companies with less than 100 employees account for 31.8% of all occupational fraud and abuse with a median loss of $147,000.

– Companies with 100 to 999 employees account for 19.5% of all occupational fraud and abuse with a median loss of $150,000.

– Companies with 1000 to 9999 employees account for 21.8% of all occupational fraud and abuse with a median loss of $100,000.

– Companies with more than 10,000 employees account for 20.6% of all occupational fraud and abuse with a median loss of $140,000.


Portrait of a Thief

• Those who steal most often:– Employee/manager – 79.1%– Male –65.0%– Aged 36 to 45 – 37.6%– Tenure 1 to 5 years – 41.5%– Never charged or convicted – 87.3%– Never punished or terminated – 83.7%

10/01/2013



Portrait of a Thief

• Those who steal the most money:– Owner/executive - $573,000– Male - $200,000– Aged 51 - 55 - $600,000– Tenure 10+ years - $229,000

Cressey’s Hypothesis:The Fraud Triangle

Non-Sharable Financial Problem

Opportunity

Rationalization



Non-sharable Financial Problem• Examples:

– Alimony payments– Addictions– High personal debt– Extra-marital affairs– Medical problems– Living beyond one’s means

10/01/2013



Rationalization• Examples:

– Company overlooked me– I’m just borrowing the money– They owe it to me - I’m underpaid– Everyone else does it– They don’t even know who I am– Double the work with the same pay


Opportunity

– Temptation– Trust– Lack of Controls– Lack of Punishment


Red Flags of Fraud

• A red flag is a set of circumstances that is unusual in nature or varies from normal activity. It is a signal that something is out of the ordinary and probably should be investigated further.

• In short - something doesn’t smell right.

10/01/2013



Two Cautionary Notes

• Do not ignore a red flag.

• Sometimes an error is just an error.


Management Red Flags• Generally, management fraud is financial

statement fraud• Reluctance to provide information to

auditors• Excessive number or frequent changes in

bank accounts• Significant downsizing in healthy market• Complete computer system loss, even

back up


More Management Red Flags• Continuous rollover of loans

• Any transaction that doesn’t make common or business sense

• Great donation/grant figures but no cash

• Missing documents

• Inconsistent, vague or implausible responses

10/01/2013



Employee Red Flags

• Lifestyle changes

• Behavioral changes

• High turnover in areas more vulnerable to fraud

• Refusal to take leave


Cash/AR Red Flags

• Excessive voids/discounts/returns• Not reconciled in timely manner• Unauthorized or dormant bank accounts• Customer complaints (payments not

applied)• Large number of write-offs of accounts• Discrepancies between deposits and

postings


Payroll Red Flags

• Overtime inconsistent with cost center, business cycle or position

• Duplicate SSN, names or addresses

• Employees with no voluntary deductions

• Frequent manual checks

10/01/2013



Purchasing Red Flags

• Abnormal inventory shrinkage• Sales without shipping documents• Vendors without physical addresses• Vendor addresses that match

employee addresses• Excess and slow turnover inventory• Sequential invoice numbers


Sanctions Don’t Deter Fraud

Simply punishing perpetrators is not an effective way to deter fraud.– Fraudsters do not anticipate getting caught.– They do not see their actions as something

that should be sanctioned.– Sanctions are a secondary consideration to the

fraudster.


Increasing the Perception of Detection

Perception of detection may well be the most effective fraud prevention method.– Employee education

• Management oversight• Dishonest acts will be punished

– Reporting activities– Hotlines– Rewards

10/01/2013



Initial Detection• Tip – 43.3%• Management review – 14.6%• Internal audit – 14.4%• By accident – 7.0%• Account reconciliation – 4.8%• Document examination – 4.1%• External audit – 3.3%• Notified by police – 3.0%• Surveillance/monitoring – 1.9%• Confession – 1.5%• IT controls – 1.1%• Other – 1.1%


Sources for Tips• Tips from employees – 50.9%• Tip from customer – 22.1%• Anonymous tip – 12.4%• Tips from other sources – 11.6%• Tip from vendor – 12.1%• Tip from shareholder/owner – 2.3% • Tip from competitor – 1.5%


Effectiveness of Controls • Management review: with $100,000 median

loss, $185,000 without• Employee support programs: with $100,000

median loss, $180,000 without• Hotlines: with $100,000 median loss, $180,000

without• Fraud training for mgmt/execs: with $100,000

median loss, $158,000 without

10/01/2013



Impact on Duration• Management review: with 14 months

duration, 24 months without• Employee support programs: with 16 months

duration, 21 months without• Hotlines: with 12 months duration, 24 months

without• Fraud training for mgmt/execs: with 12

months duration, 24 months without


Tone at the Top• It is ESSENTIAL that upper management,

owners, and C-level executives visibly and actually support all fraud prevention controls and actions.

• Top officials should be present at the roll-out and should support, by example, the hotline and results from the hotline and other anti-fraud measures.


From PWC’s Study:

• “When management introduces anti-fraud values and an ethics code into its brand – and these are understood and supported by employees – their employees often become the best guardians of the company brand and its ethics.”– PriceWaterhouseCoopers 2005 survey

10/01/2013



What Kind of Controls?

• According to the PWC survey:– “Companies that classified their prevention attitude

as control-oriented rather than trust oriented reported a higher number of frauds.”

– “People who identify with their organization are less likely to damage it as the psychological barriers to this are higher.”

Fraud Seminar:Investigations for Internal Auditors with Interactive

Case Studies



Fraud Examination

• A methodology of resolving fraud allegations from inception to disposition

• Includes:– Obtaining evidence and taking statements

– Writing reports

– Testifying to findings

– Assisting in the detection and prevention of fraud

10/01/2013



Initiating the Investigation

• Sources (tip, audit finding, other)

• Determining predicate

• Evaluating tips– Revenge

– Genuine concern

– Money


Steps in a Fraud Examination

• Document Examination

• Neutral Third Party Witnesses

• Cooperative Witnesses

• Co-Conspirators

• Subject


Selecting the Investigation Team• Certified Fraud Examiners• Internal Auditors• Security• Human resources• Management representative• Outside consultant• Forensic accountants and investigators• Legal counsel

10/01/2013



Legal Definition of Fraud

• Material misrepresentation

• Intent

• Relied upon by the victim

• Damage/Loss


Proving Intent

• Required for all criminal fraud cases

• Two methods:– Direct admission

– Indirect/circumstantial evidence


Indirect/Circumstantial Proof of Intent• Suspect:

– Could not have had a legitimate motive for actions

– Altered documents, destroyed evidence, or attempted to obstruct the investigation

– Gave false, misleading statements concerning the matters under investigation

– Repeatedly engaged in activity of apparent wrongful nature

– Personally gained from the fraudulent act

10/01/2013



Definition of Evidence

• Anything perceivable by the five senses and any proof legally presented at a trial to prove a contention and induce a belief in the minds of a jury– Direct evidence

– Circumstantial evidence


Burden of Proof• Criminal cases

– Beyond a reasonable doubt– Juries must rule unanimously

• Civil cases– Standard of proof is much lower– May be decided on preponderance of the

evidence– Jury decision does not have to be

unanimous


Admissibility of Evidence

• In order to be admissible, evidence must be both relevant and material.– Relevance - Tends to make some fact in issue

more or less likely than it would be without the evidence

– Material - Is important in the decision-making process of the victim

10/01/2013



Legal Issues in Internal Investigations

• The right to investigate fraud is implicit in our business, accounting, and legal systems

• No special authority required

• Examiner must act on predication


Legal Issues in Internal Investigations

• A fraud examiner who acts irresponsibly can be liable for the following actions:– Defamation

– Invasion of privacy• Publicity of private facts

• Intrusion

– False imprisonment

– Wrongful discharge


Rights and Duties of Employees• Employees’ duty to cooperate• Employees’ contractual rights• Whistleblowers

– False Claims Act• Qui tam suits for fraud against the U.S.

government• Information must be original or not publicly

disclosed

– Dodd-Frank Act• Whistleblower incentives• Protection against retaliation

10/01/2013



Rights and Duties of Employees

• Employees’ constitutional rights

• Workplace searches– Reasonable expectation of privacy

– Exclusive control

– Reasonable grounds

– Company policy regarding searches


Internal Auditor Responsibilities

The Institute of Internal Auditors (IIA)

International Standards for the Professional Practice of Internal Auditing

Practice Guide: Internal Auditing and Fraud


1210 - ProficiencyInternal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. 1210.A2 - Must have sufficient knowledge to

evaluate the risk of fraud and the manner in which it is managed, but are NOT expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

10/01/2013



1220 - Due Professional Care

Apply the care and skill expected of a reasonably prudent and competent internal auditor.

Due professional care does not imply infallibility.


1220.A1Exercise due professional care by considering the: Extent of work needed Relative complexity, materiality, or significance

of matters Adequacy and effectiveness of governance, risk

management, and control processes Probability of significant errors, fraud, or

noncompliance Cost of assurance in relation to potential

benefits


1220.A3

Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources.

10/01/2013



2110 - GovernanceInternal audit must assess and make recommendations for improving the governance process in its accomplishment of:

• Promoting appropriate ethics and values

• Ensuring effective organizational performance

• Communicating risk and control information

• Coordinating the activities of and communicating information among the board, auditors, and management


2120 - Risk ManagementInternal audit must evaluate the effectiveness and contribute to the improvement of risk management processes.

2120.A1 - Must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:

• Reliability and integrity information

• Effectiveness and efficiency of operations

• Safeguarding of assets

• Compliance with laws, regulations, and contracts

2120.A2 - Must evaluate the potential for fraud and how the organization manages fraud risk.


2130 - ControlInternal audit must evaluate the effectiveness and efficiency of controls.

2130.A1 - Must evaluate the adequacy and effectiveness of controls, in responding to risks, regarding the: • Reliability and integrity of information• Effectiveness and efficiency of operations• Safeguarding of assets• Compliance with laws, regulations, and

contracts

10/01/2013



2210 - Engagement ObjectivesObjectives must be established for each engagement.

• 2210.A1 - Must conduct a preliminary assessment of risks. Objectives must reflect results of this assessment.

• 2210.A2 - Must consider the probability of significant errors, fraud, noncompliance, etc., when developing objectives.


IPPF - Practice Guide: Internal Auditing and Fraud

• Helps auditors comply with responsibilities pertaining to fraud

• Not mandatory, but strongly recommended

• Topics covered:

– Fraud awareness

– Potential fraud indicators

– Roles and responsibilities for fraud prevention and detection


IPPF - Practice Guide: Internal Auditing and Fraud

• Topics covered (continued):

– Internal auditor’s role during audit engagements

– Fraud risk assessment

– Fraud prevention and detection

– Fraud investigation

– Forming an opinion on internal controls related to fraud

10/01/2013



IPPF—Practice Guide: Internal Auditing and Fraud

Internal audit’s role in fighting fraud:

• Consider fraud risks in internal control design and audit steps

• Have sufficient knowledge of fraud to identify red flags

• Be alert to opportunities that could allow fraud

• Evaluate management’s performance with respect to fraud risk management

• Evaluate the indicators of fraud

• Recommend investigation when appropriate



Internal auditors must exercise professional skepticism in all audit work.

Professional skepticism: an attitude that includes a questioning mind and a critical assessment of audit evidence.



Other roles and responsibilities for fighting fraud:• Board of directors• Audit committee• Management• Legal Counsel• External auditors• Loss prevention manager• Fraud investigators• Other employees

10/01/2013



Case Studies


The Conflict of Interest


Facts

• Entity is a large rural school district.

• More than $400,000 spent to upgrade technology.

• Technology purchased from one specific vendor as “sole source.”

• PC-based system.

• The technology buyer had acknowledged working for the vendor during “off contract” times.

10/01/2013



Questions• Markers of fraud? • Predicate?• Additional information?• Possible scheme?• Investigation?• How perpetrated?• Collusion?• Controls to prevent?• Other policies or procedures to prevent?


The Absentee Owner


Facts• Suspects manage a large ranch and have

access to bank accounts and credit cards.

• Owner lives back east.

• Ranch is not profitable.

• Copies of cancelled checks “doctored” to show different payee.

• Suspects make large purchases without authorization.

10/01/2013





Expense Reports: A Way to Extra Compensation


Facts• Entity is a rural public university. • A professor was rumored to be padding

expense reports.• The professor had three grants to promote

college attendance among high school students.

• The grants provided for “prizes” to high school students who attend college study sessions.

10/01/2013





The Conflicted CPA


Facts• The CPA owns a portion of the client’s

business and has signatory authority over bank accounts.

• The CPA has signed for lines of credit without the client’s knowledge.

• He prepares taxes for all owners of the business as well as the business.

• He has paid himself over $800k in fees.

10/01/2013





The Credit Card Factory


Facts• After arrest, hundreds of credit cards with

different names are found in suspect’s car.

• Suspect is carrying multiple drivers’ licenses with multiple names.

• Boxes with credit cards are labeled “30 days”, “90 days” and “no good”.

• Suspect has several women’s purses stuffed full of jewelry.

10/01/2013





References• All stats are from the 2012 Report to the

Nation, Published by the Association of Certified Fraud Examiners – released July 2012– http://www.acfe.com/rttn.aspx

• Global Economic Crime Survey 2005, Published by PriceWaterhouseCoopers –released November 2005– http://www.pwc.com/gx/eng/cfr/gecs/PwC_2005

_global_crimesurvey.pdf

Beth A. Mohr, CFE, CAMS, PI, MPANM-PI #2503; AZ-PI #1639940

Janet M. McHard, CPA, CFE, MAFF, CFFMcHard Accounting Consulting LLC

Albuquerque, New Mexicowww.TheMcHardFirm.com

(505) 554-2968

Fraud Seminar


Documents

IIA El Paso Chapter 100113 - Institute of Internal Auditors El... · –Medical problems ... • A red flag is a set of circumstances that is ... Professional Practice of Internal