Internal Control & Fraud Risks for Entities with Limited Segregation of

DutiesPresented by Ken Al-Imam, C.P.A.

MAYER HOFFMAN MCCANN P.C.

CONRAD GOVERNMENT SERVICES DIVISION(formerly Conrad and Associates, L.L.P.)

2301 Dupont Drive, Suite 200Irvine, California 92612(949) 474-2020 Ext. 273

kalimam@cbiz.com

2

Problem

Integrity is difficult to measure

3

Identifying Persons Capable of Fraud • We expect people to be like ourselves• Honest and responsible• Usually fraudsters are persons least expect• Great actors

4

Classic Fraudster

• Employed for many years• Loyal dependable employee• Never complains• Never asks for help• Works long hours (comes in early, stays late,

works weekends)• Never takes vacation

5

Fraud

• $600 billion per year• 6% of revenue lost to fraud• Average scheme lasts 18 months before

detected• Average loss is $127,500 per entity

6

The Perpetrators

• The higher the education, the higher the loss

• The higher the age, the higher the loss• 68% done by one perpetrator, 32%

involved collusion• 53.5% male, 46.5% female

7

Methods of Detection

• External Audit 10.9%• Internal Audit 23.8%• Internal Controls 18.4%• By Accident 21.3%• Tip 39.6%• Notified by Police 39.6%

8

Factors present in all Frauds

• Motive• Opportunity• Rationalization• Concealment

9

Ethics Policy

• Important • Tone from top• Emphasize policy and enforce violations

10

Cross-training/Mandatory Vacations• Important • Helpful when have turnover• Some frauds are difficult to conceal if

someone else is doing their job

11

Collusion

• Internal controls not designed to prevent• Has own built-in control• “No honor among thieves”• Segregation between departments

12

Segregation Between Departments

• Not a focal point of standards• Different persons in one department still

requires collusion for fraud to occur• Segregation between individuals is the

focus

13

Internal Control

• Focus of internal control is on internal fraud

• Difficult to control external fraud

14

Segregation of duties

• Goal is to make it difficult to both commit the fraud and to conceal the fraud

• Usually segregate access to assets from recordkeeping

15

Understanding Fraud Scenarios

• Best way to develop alternative controls is to understand in detail how a fraud scenario for that transaction cycle would take place.

• Smoke out alternative control opportunities

16

Use of auditor

• Consult with your auditors• Challenge your auditors with a detailed

discussion of the fraud scenario

17

Revenue Fraud

• Checks (not just cash) are subject to theft• Take money and destroy evidence of

transaction• Need system to ensure all money collected

ends up in bank account

18

Revenue Fraud

• Establish control as early as possible in process

• Document totality of receipts immediately upon receipt

• This creates controlled documentation that can be matched to bank deposit

19

Revenue Fraud

• Cash register is best control• Or uninterrupted sequence of receipt forms• Watch for receipt substitutes (license

certificates, permits, etc.) • List of checks received in the mail (and

what do with list)

20

Checks Received in Mail

• Controlled at opening• List or copy amounts received• Give copy to those maintaining records• Minimize number of persons handling

checks received prior to deposit

21

Revenue Controls

• Immediate restrictive endorsement • Timely deposits

22

Controls Over Person Preparing Bank Deposit• Often funds stolen at that point are not

detected • Support for bank deposit can be reviewed

by independent person• This can be done after the fact using the

deposit confirmation notice

23

Revenues—Alternative Controls

• Independent review of support for deposit• Can be done at the department level

24

Accounts Receivable

• Those posting payments to customer records should not have access to cash/checks

• Only give list or copies of checks • Or list created by mail opener agreed to deposit • Or independent agreement of system posting

report to funds deposited

25

Control Over Adjustments

• Persons posting adjustments should not be handling cash/checks

• Independent approval of adjustments• System produces report of adjustments

that are reviewed

26

Voided transactions

• Should be independently approved • Best for approval at time of void (in

presence of paying party)

27

Cash Disbursement Frauds

• Fictitious Vendor• Payment to “vendor” with same or similar

name as real vendor• Unauthorized disbursement• Unsupported disbursement

28

Alternative Controls

• Positive Pay • Vendor set up• More than one knowledgeable person

involved in every transaction (usually the knowledgeable approver will be in the same department as the initiator)

29

Duplicate Payment Schemes

• Multiple payments of invoices to legitimate vendors

30

Cash Disbursement Controls

• Canceling invoices (“entered”, etc.)• Cancellation of invoice (not just check

copy) • No payments from copies or statements• No return to initiator (or to person with

access to vendor master file)

31

Bank Reconciliation

• Such a key control that it should always be segregated from access to assets

32

Review of Bank Reconciliation

• Not as effective as separate preparation• Must be done in conjunction with

examination of original bank statement

33

Review of Unopened Bank Statement• Spot check debit memo charges• Out of sequence checks• Duplicate checks• Trace transfers to authorizing document

(with different initiator and approver)

34

Cancelled checks

• Obvious forgeries• Evidence of check alteration• Multiple endorsements

35

Review of Supporting Documentation• “Fraud can’t happen because approval is

required”• But review often done before checks are printed• This can’t detect unsupported checks created

after this review• Printed checks compared to support by someone

not involved in data entry to create check

36

Review of Supporting Documentation• Traditionally performed at time of check

signing • Some one other than accounts payable

personnel can do after checks are printed• Printed checks compared to support by

someone not involved in data entry to create check

37

Review of Supporting Documentation• Can be done on a spot check basis (with

check register to make sure received all checks)

• Checks should not be returned to persons that initiated them

38

Review of Supporting Documentation• Or A/P clerks switch (don’t match support

for those checks they created)• Or payroll clerk print, match, and mail

A/P checks and A/P clerk print and distribute payroll checks/check stubs

39

Procurement Fraud• Difficult to prevent and detect (collusion) • Bid rigging• Employee aids a vendor to obtain a kickback• Splitting purchases to avoid threshold for

competitive quotes• Drafting specs so that favored vendor is advantaged• Only receiving quote from favored vendor and

comparing to fictitious quotes

40

Procurement Fraud

• Providing advance notice to vendor and then issuing request for proposals with unrealistically short time frame

• Allowing favored vendor to propose late or with knowledge of other quotes

41

Procurement Controls

• Emphasize in ethics policy the unacceptability of these specific employee behaviors

• No purchase controlled by one person

42

Refund Schemes

• Controls are typically weaker than for standard vendor payments

43

Refund Schemes

• Cancellation of conference or travel• Cancellation of memberships or

subscriptions• Returns of goods purchased

44

Expense Reimbursement

• Focus should be on payments prior to event

• Reimbursed but then not go and get refund• Follow-up to received evidence trip

actually taken

45

Payroll Fraud

• Focus is on fictitious employees• Classic control is segregate:

– Access to payroll master file– Payroll processing

46

Payroll Fraud

• Often overlooked• Keeping an existing employee on the

system

47

Alternative Controls

• Review of payroll register• Review of direct deposit report from bank• Periodic spot-checking of a payroll

register by HR

48

Alternative controls• Comparing list of terminated employees to

payroll register• Department review of payroll register (labor

distribution run) for their department• Department monitoring of budget• Reviewing cancelled checks for multiple

endorsements

Questions or comments?

Thank you for your attention!