Top 10 Fraud Warning Signs
MCTI Workshop
Stephanie O’Cain, CPA
Jackie F. Breland, CPA
September 9, 2010

Today’s Outline
Why fraud occurs, why you should care and 10 financial warning signs
Internal control discussion
Fraud case studies
Types of fraud and tools you can implement to protect your municipality

Key Message
Fraud can, and most likely will, happen to your municipality at some point.
Analyze your municipality for fraud potentials
Implement 3 prevention tools upon returning to your office

Why Does Fraud Occur?
Today’s employee environment:
– Rising interest rates
– Floating home mortgages
– Increasing gas prices
– Rising personal debt and less personal savings
– Cost of health care

Why Does Fraud Occur?
Today’s business environment:
– Organized and professional fraud rings are becoming more prevalent and more sophisticated
– Cyber-crime advances make it possible to compromise large quantities of data
– Desktop publishing makes counterfeiting checks relatively cheap and easy

Why Does Fraud Occur?
Incentive – what drives an employee to commit fraud
Opportunity – this is created from too much trust, poor internal controls, lack of supervision, and no financial audit by independent CPAs
Rationalization – perpetrators of fraud convince themselves that they are not stealing

Who Commits Fraud?
Who are the internal perpetrators? Why do they do it?
– Disgruntled employees
– Stressed-out employees
– Employees who live above their means
– Employees who never take a vacation
– Employees experiencing financial difficulties
– Employees with drug problems
– Employees with gambling problems

Who Commits Fraud?
Who are the external perpetrators?
– Vendors who intentionally double bill
– Vendors who intentionally over bill
– Fraud rings that target various businesses
– Fraud rings that target identity theft

Why Municipalities Should Care About Fraud
Potential impact from fraud:
– Financial loss
– Reputation
– Damaged relationships
– Loss of integrity with taxpayers
– Negative publicity
– Damaged employee morale

Why Municipalities Should Care About Fraud
Estimated annual cost of fraud in the U.S.
– $652 billion was estimated to be lost to fraud in 2006 by the Assoc. of Certified Fraud Examiners (for all organizations)
– Government sector cases were 10% of the total reported to ACFE
In the government sector, billing schemes and non-cash theft were the most commonly reported forms of fraud

Top 10 Financial Warning Signs of Fraud
1. Unexplained variances between budgeted and actual amounts
2. Large liabilities related to unexpected contracts
3. Significant internal control issues reported by external auditors
4. Appearance of personnel living beyond their means
5. Abnormal changes in account balances

Top 10 Financial Warning Signs of Fraud
6. Unusual write-offs or other “out of the ordinary” transactions
7. Shortages in cash, investments or other assets
8. Complaints from taxpayers
9. Infrequent or late financial reports
10. Accounting staff is behind 3-4 months on preparation of monthly bank reconciliations

Internal Controls – An In-Depth Discussion
Objectives of internal control
COSO framework and recent guidance
Fraud-specific internal controls
Roles and responsibilities in an internal control system
What internal controls can and cannot do

Objectives of Internal Control
Safeguarding of assets
Compliance with policies, procedures, laws and regulations
Accomplishment of organizational objectives
Reliability and integrity of information for financial reporting
Economical and efficient use of resources

COSO Framework
This is a continuous, integrated process.

COSO Key Concepts
Internal control is a process. It is a means to an end, not the end in itself.
Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.

Fraud-Specific Internal Controls
Two major types of internal controls = active and passive
Active controls = seek to prevent fraud from occurring
Passive controls = seek to deter fraud by significantly increasing the risk of discovery

Active Internal Controls
Think of active controls like a sturdy padlock on a gate
Examples:
– Segregation of duties
– Separation of functions
– Physical asset control
– Physical restraints (e.g., locked file cabinets)
– Document matching
– Signatures, PINs

Passive Internal Controls
Passive internal controls seek to stop fraud from occurring indirectly through deterrence measures
Can be economical and effective
They create sufficient risk and make the would-be perpetrator think “I don’t want to go there!”

Passive Internal Controls
Examples:
– Audit trails
– Review processes and procedures
– Focused audits / Surprise audits
– Surveillance of key activities
– Rotation of key personnel

Fraud-Specific Internal Controls
“Fraud-specific” internal control = system of special purpose processes and procedures designed for the primary purpose of preventing fraud
Each city is different, with different needs. A city’s internal control system must be custom designed to have the maximum effect upon fraud.

Roles and Responsibilities in an Internal Control System
Everyone in a local government has responsibility for internal control.
Management (Mayor / City Manager)
– Ownership of the system
– “Tone at the top”
City Council
– Governance, guidance and oversight
– Can identify problems and intervene if management overrides internal controls

Roles and Responsibilities in an Internal Control System
Other personnel / staff
– Internal control should be an explicit part of everyone’s job description
– All personnel should be responsible for communicating upward problems in operations, noncompliance with code of conduct, policy violations or illegal actions
– Do you have a whistleblower policy in place?

Internal Controls: What They Can Do For a Municipality
What internal control can do:
– Helps a municipality achieve its objectives and performance targets
– Prevents loss of resources
– Helps ensure reliable and accurate financial reporting
– Helps a municipality comply with laws and regulations

Internal Controls: What They Can’t Do For a Municipality
What internal control can’t do:
– Change an inherently poor manager into a good one
– Ensure success or survival, due to possible shifts in government policies or economic conditions
– Provide absolute assurance
– Prevent collusion between employees

Fraud Case Studies
Next, we will discuss specific fraud case studies.
In each case, we will discuss:
– What fraud-specific internal controls might have prevented the fraud from occurring?
– How could they have detected the fraud sooner?

Review -- Why Does Fraud Occur?
The risk of external fraud is increasing due to new technologies
– Fraud rings, cyber-crime, desktop publishing
The risk of internal fraud is increasing due to external pressures many employees are facing
– Rising interest rates, adjustable rate home mortgages, increasing gas prices, rising personal debt, cost of health care

Types of Fraud
Asset Misappropriations – Larceny, skimming, fraudulent disbursements, inventory, other assets
Corruption – Bid rigging, invoice kickbacks, conflict of interest
Fraudulent Statements – Asset or revenue overstatement, fictitious revenues, improper asset valuation

Cash Misappropriations
Fraudulent disbursements – Causes organization to disburse funds through some trick or device. This is the most common form of fraud
Larceny – Cash is stolen after it is recorded on the municipality’s books
Skimming – Cash is stolen before it is recorded on the municipality’s books

Fraudulent Disbursements (Payment Fraud)
Check tampering
Counterfeit checks
ACH schemes
Expense reimbursement schemes
Payroll schemes
Vendor billing schemes

AFP’s 2007 Payment Fraud Survey
Association of Financial Professionals (AFP) www.afponline.org
Purpose of the survey
– Review type and frequency of payment fraud in 2006
– Expose gaps in organizational defenses that could result in financial liability
– Determine whether new payment options are leading to new methods of fraud by criminals
– Promote awareness of protections organizations can take to guard against fraud

AFP’s 2007 Payment Fraud Survey
Payment fraud is on the rise
– 2004 55%
– 2005 68%
– 2006 72%
Checks were most often the vehicle for fraud – with ACH second
Check fraud is increasing in an environment of declining check volume
Banks bear the greatest financial burden for payment fraud losses

AFP’s 2007 Payment Fraud Survey
Check Fraud
Over 9 out of 10 organizations that experienced payment fraud experienced check fraud
Of the organizations that experienced check fraud
– 61% had altered payee names on checks issued
– 57% had counterfeit checks that had the organization’s MICR line, but used another name
– 41% had lost, stolen or counterfeit employee pay checks

AFP’s 2007 Payment Fraud Survey
ACH Fraud
– The second most common payment fraud
– 35% of the organizations surveyed reported ACH debit fraud
– 24% of the fraudulent checks returned by positive pay were then presented as ACH debits

AFP’s 2007 Payment Fraud Survey
Organization losses due to:
– Internal fraud (i.e., employees)
– Accounts NOT reconciled timely or fraudulent items not returned timely
– Positive pay NOT implemented (positive, reverse or payee)
– The largest percentage of reported fraud was carried out by third parties – not employees

AFP’s 2007 Payment Fraud Survey
Checks are now being imaged and the images are being exchanged and settled instead of the actual paper checks. Of those organizations that experienced check fraud, only 15% reported check image fraud.
On the other hand, although over 1/3 of respondents use remote deposit, there were no reported incidents of fraud associated with this service.

Positive Pay = Single Best Tool for Check Fraud Prevention
Positive Pay
– Traditional positive pay
– Reverse positive pay
– Teller positive pay
– Payee positive pay
Positive pay implementation – what’s involved?

ACH Transactions
Overall volume of ACH transactions is rising.
Businesses still rely heavily on paper checks.
Why use ACH instead of checks?
– Bank fees less expensive
– Less human time than printing, sorting, matching, mailing, etc.
– Supply cost less – check cost, MICR toner, envelopes, postage
– Decrease in fraud opportunities

ACH Transactions
Fraud Controls
– ACH blocks or filters on accounts
– Separate accounts for checks versus ACH transactions
– Separate accounts for ACH debits vs. ACH credits
– ACH pre-notes
– Due diligence when setting up the vendor on ACH

ACH Future
ACH volume predicted to increase
More fraud controls expected at the bank level (i.e. payee ACH positive pay)
Universal Payment Identification Code (UPIC)
– PayPal concept for business-to-business transactions
– Looks and acts like a bank account without providing sensitive banking information
– Can be printed on invoices and displayed on internet
STP 820 - Establishes standards for remittance information with payment enabling invoices to be reconciled without manual intervention

Uniform Commercial Code
UCC Regulations 3 & 4
– Ordinary Care
– Comparative Negligence
Ordinary care = adequate internal controls for disbursements process, check stock storage, check stock security, timely reporting and timely bank reconciliations
See list of check stock security features

Vendor Verification
Google for address, phone number and other verification
Use www.irs.gov e-services TIN lookup
Process should have the form being submitted by one person and verified by another.
Use www.411.com to make sure the address is not a residence
Have a “No TIN, No Payment” Policy

Vendor Verification
Minimize Vendor Record access to keep anyone from changing the address then changing it back.
Review all changes via report weekly or monthly
Review formally inactivated vendor files for no recent activity
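The weekly or monthly change review described above can be automated; the sketch below is an added example, not part of the workshop material. It flags a vendor field that is changed and then set back within a window, and lists payments issued in between. The record layout, names, and all sample rows are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample change log (assumed layout, not from the workshop):
# (change_date, vendor_id, field, old_value, new_value, changed_by)
CHANGES = [
    (date(2010, 3, 1), "V100", "address", "12 Main St", "PO Box 77", "clerk_a"),
    (date(2010, 3, 9), "V100", "address", "PO Box 77", "12 Main St", "clerk_a"),
    (date(2010, 4, 2), "V200", "address", "5 Oak Ave", "9 Elm Rd", "clerk_b"),
    (date(2010, 5, 1), "V300", "phone", "555-0100", "555-0199", "clerk_a"),
    (date(2010, 9, 1), "V300", "phone", "555-0199", "555-0100", "clerk_b"),
]
# Constructed payments: (pay_date, vendor_id, amount)
PAYMENTS = [
    (date(2010, 3, 5), "V100", 4800.00),
    (date(2010, 4, 20), "V200", 950.00),
]

def find_reverted_changes(changes, payments, window_days=30):
    """Return one finding per vendor field that was changed and then set
    back to an earlier value within window_days, with payments in between."""
    findings = []
    earlier = {}  # (vendor_id, field) -> [(change_date, value_before, user)]
    for when, vendor, field, old, new, user in sorted(changes, key=lambda c: c[0]):
        history = earlier.setdefault((vendor, field), [])
        for first_when, value_before, first_user in history:
            within = when - first_when <= timedelta(days=window_days)
            if new == value_before and within:
                findings.append({
                    "vendor": vendor,
                    "field": field,
                    "changed_on": first_when,
                    "reverted_on": when,
                    "same_user": first_user == user,
                    # Payments sent while the temporary value was in effect
                    "payments": [p for p in payments
                                 if p[1] == vendor and first_when <= p[0] <= when],
                })
        history.append((when, old, user))
    return findings

if __name__ == "__main__":
    for f in find_reverted_changes(CHANGES, PAYMENTS):
        print(f)
```

A finding with a non-empty `payments` list and `same_user` set is the one to pull supporting documents for first.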

Top 10 Payment Fraud Protections
1. Payee Positive Pay
2. ACH Protections
3. Payroll direct deposit and/or payroll card programs
4. Dual security administrators for electronic payments
5. Daily reconciliation of bank accounts (electronic and check)

Top 10 Payment Fraud Protections
6. Security features on checks
7. Vendor Verification
8. Segregation of disbursement and reconciliation duties
9. Controlled access to payments processing areas
10. Strict policy of employees NOT sharing passwords

Duplicate Payments
Duplicate Payment Errors and Fraud
Consider outsourcing the disbursement process
Consider cheap software for verifying against database
Eliminate rush checks
Use data analysis products

Travel & Entertainment
Usually one of the easiest places for an employee to commit fraud
Fraud sometimes starts with T&E then spreads to other areas
Have a written T&E policy
Verify Expenses – mathematically, against the policy, against original receipts and against other documentation

Travel & Entertainment
Consider performing an annual check by reviewing reports for an entire year for a few employees. Look for duplicates and patterns
Consider eliminating cash advances
Consider verifying mileage with MapQuest, etc.

Identity Theft
Protect or eliminate paper information
Shred everything
Keep files from the public and accessible only to employees on a need-to-know basis
Gramm-Leach-Bliley Act does not apply to non-financial institutions
– http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.shtm

Purchasing Cards
GFO recommends that municipalities explore the use of purchasing cards to improve the efficiency of their purchasing procedures.
P-cards, T&E cards, One Cards
Benefits to Vendor
– Expedited payments
– Reduced paperwork
– Lowered risk of nonpayment (or late payment)

Purchasing Cards
Benefits to municipality:
– Simplified purchasing process
– Lower transaction processing costs
– Ability to set and control dollar limits
– Earn cash rebates for municipality
– Import file into AP system with GL codes
– 1099 reporting assistance
– Earn float on funds for 30 days

Purchasing Cards
Other Benefits
– Some have employee fraud protection
– Municipality logo printed on card
– Identify vendors for you that accept card payment
– Department cards versus individual
– Built in approval hierarchy
– Ghost accounts

Purchasing Cards
3 Levels of Data
– Level 1 – basic level – same as personal cc
– Level 2 – includes sales tax
– Level 3 – includes line item detail – all information above plus product code, item description, item quantity, units and price
Not all vendors send level 2 and 3, but this can be negotiated with the vendors

15 Other Payment Fraud Protections
1. Financial institution should provide multi-factor identification when using on-line banking services
2. Leverage ACH and on-line banking security (approval process, etc.)
3. Use Purchasing cards
4. Document policies and procedures including flow charts
5. Use blank check stock

15 Other Payment Fraud Protections
6. Perform audits of payment process
7. When designing controls use the old auditor trick “where are the weaknesses?”
– If someone was to steal from you, how would they do it?
– Let them tell you the areas that need to be strengthened
8. Do not return check to the person who requested
9. Don’t automatically deposit every small dollar check that is received

15 Other Payment Fraud Protections
10. Separate accounts for checks and electronic payments
11. Further separate ACH debit and credits.
12. “Post No Checks” restrictions on electronic payment accounts
13. Do not give out bank account numbers without verifying that it is an active vendor and that it’s a legitimate call

15 Other Payment Fraud Protections
14. Create a master account listing of all
– Accounts
– Signers
– Account controls
– Review for updates
– Keep secure
15. Close any inactive accounts and shred remaining check stock

Resources
Association for Certified Fraud Examiners (ACFE) www.acfe.com
American Institute of Certified Public Accountants (AICPA) http://antifraud.aicpa.org
Association for Financial Professionals (AFP) www.afponline.org
Governmental Financial Officer Association (GFOA) www.gfoa.org
Fraud 101: Techniques and Strategies for Detection by Silverstone and Davia © 2005

Resources
Mary S. Schaeffer
– multiple books, articles, newsletters with practical suggestions
– Accounts Payable and Sarbanes-Oxley: Strengthening Your Internal Controls © 2006
– New Payment World: A Manager’s Guide to Creating an Efficient Payment Process © 2007
– www.ap-now.com

Key Messages
Fraud can, and most likely will, happen to your municipality at some point.
Analyze your municipality for fraud potentials
Implement 3 prevention tools upon returning to your office

Top 10 Fraud Warning Signs
Questions and Answers
– Can we address any questions for you today?
E-Mail contact information: