Fraud — A Risk for Your Organization 1

Fraud - A Risk for Your Organization 1 FLORIDA COURT CLERKS AND COMPTROLLERS ANNUAL CONFERENCE JUNE 12, 2013 SAM M. MCCALL, PHD, CPA, CGFM, CIA, CGAP, CHIEF AUDIT OFFICER FLORIDA STATE UNIVERSITY

Session Outline 2 Public Expectations for Public Officials Internal Control and Risk The Elements of Internal Control Weaknesses in Internal Control can Result in Fraud and Illegal Acts Case Studies Reviewing Internal Control and Identifying Fraud, Illegal Acts, and Abuse Summary and Wrap Up

Public Expectations for Public Officials 3 High ethical and moral behaviors Public employees will conduct business within policy and procedures Public resources will not be wasted, abused, lost or stolen Yellow Book – management should conduct operations Economically Efficiently Effectively Ethically Equitably

Terms of Importance 4 Misfeasance Malfeasance Nonfeasance Abuse Fraud Internal controls

What Is Misfeasance? 5 A misdeed or trespass The improper or wrongful performance of some act that a person may lawfully do

What Is Malfeasance? 6 Ill conduct, evil doing The commission of an act that is unlawful Comprehensive term including any wrongful conduct that interferes with the performance of official duties The doing of an act that a person should not do at all

What is Nonfeasance? 7 Nonperformance of an act that a person is obligated or has a responsibility to perform Not doing what you should do Total neglect of duty

What Is Abuse? 8 Improper or inappropriate program management Misuse of authority or position Everything that is contrary to good order Can be intentional or unintentional Does not have to violate a law, regulation, or contract provision

What Is Fraud? 9 A false representation of a matter of fact Concealing that which should be disclosed – deceiving to cause legal injury Intentional perversion of the truth To deceive another such that they rely on the false representation and surrender a valuable thing or a legal right

Components of Internal Control 10 Control Environment Risk Assessment Control Activities Information & Communication Monitoring

11

12

Who is Responsible for Internal Control? 13 Management!! Not the Auditor!!

Components of Internal Control – Control Environment 14 The building block for all other components: Integrity & ethical values Commitment to competence Independent audit committee Management philosophy & operating style Organizational structure Assignment of authority & responsibility Human resource policy & practices

Components of Internal Control – Risk Assessment 15 Segmenting department into organizational components Analyze general control environment Analyze inherent risk Develop appropriate control activities

Annual Audit Plan Risk Assessment Criteria 16 Program Fiscal Impact Strength of Management Sensitivity and Public Relations 20 20 15 Risk of Loss, Noncompliance, Corruption or Fraud Complexity of Activity Risk to Public Welfare 10 20 15 100

Risk 17 Risk are essentially the opposite of control objectives If the objective is to safeguard assets, the risk is that assets will be lost or stolen. Therefore, without knowing the risk, one cannot decide on the appropriate control activities Conduct brainstorming sessions to identify risk and potential areas for fraud

Risk – Questions to Consider 18 Chance of Occurrence - How likely is it to go wrong? (High, Medium, Low) Impact of Occurrence - What will happen if it goes wrong (assets lost, clients not served, noncompliance with law, damage to the reputation of the government, etc. ) (High, Medium, Low) Assessment of Risk (High, Medium, Low)

Components of Internal Control – Control Activities 19 Link to objectives Accountability for resources Direct activity management Top level reviews Segregation of duties Physical controls Execution & recording of transactions & events

Components of Internal Control – Information and 20 Communication Information – Reports Communication – Dissemination of Reports

Components of Internal Control Monitoring 21 Ongoing monitoring Separate evaluations Reporting deficiencies

Internal control 22 The plan of organization and policies and procedures established by management to accomplish organization goals and objectives No individual person should have access to assets and also maintain summary accounting records relating to those assets – no one should control all phases of a transaction There should be periodic comparison of assets of record (recorded accountability) to physical existence In instances where cost of control exceeds resources, there should be mitigating controls

Who Commits Fraud? 23 Married Between 18 and 36 Has 2 children Owns a home Does not have a drug or alcohol problem Does not recognize harm to victims Bright Strong sense of challenge and game playing Versed in technology and skillful Has a position of trust

Reporting Fraud – Employees Do It Best 24 Tip from employee Accidental discovery Internal Audit Internal controls External audit Tip from customer Anonymous tip Tip from Vendor Notification from law enforcement

Who Has the Responsibility for Detecting/Reporting Fraud? 25 Management Employees External Auditors Internal Auditors Government Vendors Public

Management Responsibilities 26 Adopt and implement internal control policies Establish a control environment Assess and analyze risks Establish control activities to address risks Develop information and reporting systems Monitoring activities Understand communicate your organizations ethics policies

Management Responsibilities Relating to Audits 27 Help in the identification of areas susceptible to fraud and abuse Address audit findings & recommendations and maintain a process to track their status Follow sound procurement processes when contracting for audits or attestation engagements

Employee Responsibilities 28 Be aware of where fraud can occur Look for irregularities Report suspicious activities (don’t assume others know) Conduct work in an ethical manner and perform work in accordance with policies and procedures

External Auditors Responsibilities 29 Examine the government’s financial statements and express an overall opinion Design the audit to detect fraud that is material to the financial statements Conduct fraud brainstorming sessions and be alert to possible fraud as it relates to the financial statements Review internal controls over financial reporting

Government Internal Auditor Responsibilities 30 Review department, division, unit and/or program internal controls Review transactions for possible waste, fraud and abuse Design the audit such that fraud significant to the audit objectives will be detected If abuse come to the auditors attention, follow up on that abuse to determine if its presence is significant to the audit objectives

Vendors Responsibilities 31 Be aware of how and where fraud can occur in their operations Look for irregularities Report suspicious activities (don’t assume others know)

Public Responsibilities 32 Report suspicious transactions or behaviors

Approach to Detecting Fraud 33 Exercise professional judgment Exercise professional skepticism Balance between a questioning mind and doubting everyone Critical assessment of evidence

Management Red Flags 34 Reluctance to provide information when requested High employee turnover in high risk areas Lack of segregation of duties in a high risk area Excessive number of checking accounts Increase in purchase of inventory but no increase in productivity Abnormal inventory shrinkage Lack of physical security over assets Payments to vendors not on approved vendor list

Employee Red Flags 35 Employee lifestyle changes (expensive cars, jewelry, homes, etc. ) Behavior changes (drug, alcohol, gambling) Reluctance to provide information when requested Refusal to take vacation or sick leave Excessive purchasing of supplies Inappropriate overtime hours

How to Improve Your Chance of Detecting Fraud? 36 Assume anyone can commit fraud Good documentation does not mean something happened – only that someone said it happened Pay attention to detail (numbers, dates, amounts, alterations, reasonableness, etc. ) Pay attention to hints or rumors of wrong doing Look for patterns or unusual transactions

Potential Red Flags 37 Erased or crossed out figures Inconsistent inks and typefaces Unusual dates, amounts, notes, phone numbers and calculations Consecutively numbered invoices Excessive voids or refunds Invoices in large even sums Multiple invoices to the same vendor just under $10, 000

Potential Red Flags (Continued) 38 Invoices printed on other than prepared forms Vendor address change Unusual number of payments to one payee Inadequate description of item purchased Delay in responding to request for documentation Stale invoice dates

What Conditions Make Fraud Easier 39 Weaknesses in Internal Controls relating to: Control Environment Risk Assessment Control Activities Information and Communication Monitoring The Fraud Triangle Incentive (Pressure) Opportunity Rationalization

40

Fraud Triangle Pressure such as a financial need, is the “motive” for committing the fraud. Pressure includes living beyond ones means or family and relationship situations. Rationalization The person committing the fraud frequently rationalizes the fraud. Rationalizations may include, “I’ll pay the money back”, “They will never miss the funds”, or, “I will just do this just one time” or “They don’t pay me enough. ” Opportunity The person committing the fraud sees an internal control weakness and, believing no one will notice if funds are taken, begins the fraud with a small amount of money. If no one notices, the amount will usually grow larger. In any organization, the risk of fraud can be reduced. Internal control procedures can particularly diminish the “opportunity” point of the Fraud Triangle. * Of the above three, the one that management can control is “_____” 41

Case Study One Auditor General Report on 42 OKALOOSA COUNTY BOARD OF COUNTY COMMISSION OVERSIGHT OF THE TOURIST DEVELOPMENT COUNCIL AND THE USE OF TOURIST DEVELOPMENT TAXES AND FUNDS RECEIVED FROM BRITISH PETROLEUM REPORT NO. 2013 -085 JANUARY 2013

Weaknesses in Internal Controls 43 Organizational Oversight Fraud Controls and Control Risk Assessments Procurement of Goods and Services Travel Special Events Grants and Sponsorships Allowable Use of Restricted Resources Motor Vehicles Accounting Controls Electronic Funds Transfers Information Technology Controls Public Records

Background 44 In May 2012, the Auditor General received a request to conduct and audit of the Tourist Development Council and the Board of County Commissioners use of tourist development taxes and funds received from BP. For the two year period 5 -31 -10 to 5 -31 -2012, revenues totaled $36. 4 million.

Organizational Oversight and Budget Monitoring 45 The BCC, TDC, and CCC did not exercise sufficient control over funds received and invoices processed did not demonstrate or document the public purpose served Budgets were not adopted at the level of their restriction Spreadsheets prepared were not used to reject invoices when sufficient funds were not available at the ordinance restricted level.

Monitoring 46 The TDC acted in an action Conflicts of interest oriented manner rather than in an advisory role. As a result they authorized expenditures without BCC approval. The TDC did not continuously review expenditures or regularly receive summary or detailed reports of expenditures. were present as purchases were made with companies that had ties with BCC members, a TDC member, and a TDC subcommittee member. Risk assessments were not performed by the BCC to identify the potential for fraud

Support for Invoices 47 Purchases were made without obtaining written quotations There was failure to document the selection process for two advertising and marketing firms Contracts with marketing firms did not required them to competitively procure goods and services. Contracted marketing firms were not required to submit invoices, including invoices from third parties in sufficient detail to allow for adequate preaudit to ensure goods were actually received and the correct amounts charged. The firms were paid $12. 1 million without adequate review or oversight

Support for Invoices 48 A payment for promotion and advertising services had been misappropriated for the purchase of a house by the TDC Executive director. The county paid $747, 000 from the BP grant on an advertising and marketing invoice as “Boast the Coast National Television Campaign and Promotion. ” After payment was made to the firm, the TDC Director instructed the firm to wire the monies to a designated bank account. The monies were then used to by the ED for the purchase of the house titled to a revocable trust for him and his wife.

Example Purchases 49 $155, 400 paid to vendors and invoices inadequately described the goods or services purchased $48, 000 described as “prize for 2010 -2011 Internet/viral video contest. ” Actually purchased a Porsche titled to the former TDC Executive Director $47, 000 described as “convention center marketing expenses” included $19, 620 for a County Christmas Party, A TDC holiday party, and a harbor cruise for employees and $5000 donated to a charity. $31, 400 identified as “Harbor Walk/Destin Advertising” was actually for furniture for the TDC office including $6, 250 in furniture located at the former TDC Executive Director’s home Had the BCC or CCC required adequate documentation, the payments may have been denied.

Competitive Procurement 50 The County purchased a yacht for $710, 000 without evidence of formal bids. Three vehicles were purchased for a total amount of $129, 808 without evidence of written quotes 508 beach towels purchased for $8, 832 without written quotes Over $12 million was expended through outside firms and those firms were not required to competitively procure goods and services or follow County purchasing policies and procedures. Results in limited assurance that costs were reasonable.

Advance Payments 51 Payments were made in advance and there was evidence that in many instances services paid for were not received. 187 days of drivers services paid for and 43 days provided 32 day of spokesman services paid for and 23 days provided $25, 000 paid for a musical group and no concerts were performed Advance payments increase the risk that goods and services may not be provided

P-Card and Travel Expenditures 52 There was no evidence $41, 225 in travel-related that the former TDC Executive Director’s pcard expenditures were approved by another employee. $14, 680, 20 of 60 purchases tested, did not document the public purpose of expenditures made. expenditures were not supported by travel vouchers The TDC Director directed travel be paid for a candidate for a position and was denied. The TDC Director then had an advertising firm pay the travel and the cost was then billed back to the TDC

Special Events and Sponsorships 53 Special events and sponsorships totaled over $800, 000 Policies and procedures had not been developed for these type services Written agreements were not entered into to guide the terms and conditions and provision of services

Compliance 54 $1, 912, 095 in TD taxes were used to fund lifeguarding and beach patrol and were not allowable from this source $564, 000 in TD taxes were used to fund beach shuttle services and these expenditures are not expressly authorized from this source County records supporting funds paid to two advertising and marketing firms were inadequate and a portion resulted in questioned cost $207, 304 in debit card purchases and use were questioned

Accounting Controls and Minutes 55 Transactions were recorded to the wrong accounts $97, 766 in vehicles were recorded as contracted services – public relations rather than as capital outlay – machinery and equipment $81, 237 for a marquee was recorded as contracted services – advertising rather than as capital outlay – infrastructure $2, 208 for televisions were recorded as motor vehicles rather than as machinery and equipment. Inaccurate records can lead to incorrect management conclusions Minutes were not recorded for TDC and TDC Subcommittee meetings

Summary 56 In general, the BCC and CCC agreed with the findings and recommendations New policies were written and implemented There was significant “reputational risk” for this type operation and as a result of the above, there has been significant reputational damage. It is up to the governing body to address these issues in an accountable and transparent manner in order to restore the public trust.

Case Study One 57 Any weaknesses in: Control environment Control risk Control activities Information and communication Monitoring

Case Study Two City of Tallahassee Fleet Department 58 Parts supervisor could order, receive, and issue parts. Could also open closed work orders and adjust the inventory Suspicious transactions with three vendors identified Collusion with one vendor Losses totaled almost $3 million over five years. City employees and vendors prosecuted Theft was not material to each years internal service fund financial statements

See Page 2 for Invoices 59

Number of large dollar invoices all for the same amount 60

Notice instructions Valid Invoice 61

Notice instructions Improper 62

Same Amounts and Consecutive Invoice # 63

Same Amounts No Description Consecutive # 64

High Dollar Items 65

Invoice Altered with Whiteout 66

67

ZZ 4 / 350 Engine 355 horsepower out of a small block aluminum head engine! The evolution of the ZZ series, this engine powers thousands of street rods, drag racers, and show cars. With 405 ft/lbs of torque, the ZZ 4 is the best way to put a high performance small block engine under your hood! 68

69

70

71

72

73

74

75

76

77

Summary for Case Study Two 78 Any weaknesses in: Control environment Control Risk Control Activities Information and Communication Monitoring

Where do you Place Responsibility 79 With the City? With the vendors? With Both?

Case Study Three - Leon County Research and Development Authority 80 Organizational Background Board Composition – Nine Members Staff – An Executive Director and an Office Manager External Auditors – Same for several years Financial Statements – Clean opinions Monthly budget to actual statements - prepared by the office manager Treasurer reports – prepared by the office manager Audit Committee – well-intentioned but absent strong financial members

Discovery of a $650, 000 Fraud 81 A change in auditors in 2010 led to the discovery of a $650, 000 fraud that spanned 5 years The previous auditors focused on the revenue side of the audit believing the expenditure side was not a significant risk and therefore doing minimal testing of expenditures.

Fiscal Year Number of Total Fraudulent Amount of Checks Written 2005 2006 – 11 $41, 075 Total Operating Expenses – Salaries, Depreciation & Other $1, 014, 203 2006 2007 – 13 $80, 947 $1, 159, 355 2007 2008 – 30 $172, 948 $628, 398 27. 5% 2008 2009 – 39 $239, 684 $1, 387, 237 12. 47% (1) Note: Salaries and Depr. Were $758, 000 Approxim ately 25% $481, 410 49. 78% 2009 -2010 19 $112, 797 Total $647451 Audit year in progress 113 82 Percent Total ther O Fraud of Expenses Total Operating Expenses 4. 04% $402, 495 Percent of Fraud of Other Expenses (Not Including Salaries and Depreciation 10. 2% 6. 98% $468, 114 17. 3%

Internal Controls - The Office Manager 83 Received and opened the mail to include receiving tenant rental payments, vendor invoices for services provided, and monthly bank statements to include cancelled checks Had custody of check stock Had signature stamps Prepared invoices for payment to include preparing checks for dual signature by someone other than herself Maintained the accounting records and prepared and presented monthly financial and budget reports for Board meetings Reconciled the check book to the bank statement for review by the Executive Director. Cancelled checks were not provided to the Executive Director

What Was Not Known by the Previous Auditors or the Board 84 The Office Manager was fired by her former employer and found guilty of a felony for embezzlement of over $100, 000 During the time the Office Manager worked for the Board (during the day), she also performed community service at night at the County jail as part of her previous sentence No background check was performed by the Board upon employment of the Office Manager – the previous auditors were aware of no background check through inquiry, noted this in the working papers, but took no further action

The Office Manager 85 Drove an expensive vehicle Lived in an expensive home Was married with children and was a devoted parent Was well liked Was praised by the previous auditors in their audit report for being helpful to them

Discovery of the Fraud by the New Auditors 86 The Office Manager failed to timely respond to records request The new auditors observed the Manager’s lifestyle The auditors checked and verified through the county records a criminal history The auditors noticed a check that appeared unusual The auditors made a direct request to the bank for copies of cancelled checks The auditors notified the Audit Committee Chair of their concern as well as the Board Chair

The Office Manager Asked to Explain Herself at a Board Meeting 87 The Office Manager accused one of the Board Members admitted that she did not of sexual harassment tell the Board when she The Office Manager was hired that she was subsequently convicted and previously fired by her sentenced to prison former employer for embezzlement – she said To date the Board has she was not asked received little monies back from the former employee. The Office Manager It recovered $100, 000 from denied any wrongdoing its insurance company and while with the Board additional monies from the external auditors

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

The City Auditor was Appointed by the Mayor to Represent the City on the Board 103 Officially joined the Was elected to become Board October 1 The Board had a new Chairperson and several new Board members Named to the Audit Committee upon joining the Board Worked on and received Board approval of an Audit Committee Charter Treasurer in mid. November to replace the current Treasurer Asked the question - Is there any liability of the previous auditors for not detecting the fraud? Was requested to pursue the issue with the Board Attorney and to represent the Board

What Was the Board’s (and /or Audit Committee)Responsibility 104 To establish an adequate system of internal control The control environment Control risk Control activities Information and communication Monitoring Other specific responsibilities Have policies and procedures Meet with the auditors to discuss the planned audit, and any concerns about risk and the system of internal control To follow up on audit findings and recommendation and to take corrective actions

What was the Auditor’s Responsibility 105 To conduct the financial Specific GAGAS statement audit in accordance Follow up on previous with Generally Accepted significant findings Government Auditing Standards. Exercise professional skepticism To plan the audit to obtain Use professional judgment reasonable assurance Consider lower materiality levels To use professional judgment for government entities To consider fraud in a financial Report on significant statement audit and to provide deficiencies and material reasonable assurance on whether weaknesses in internal control the f/s are free of material over financial reporting misstatement, whether caused by error or fraud To brainstorm about fraud risk

Opportunities to Detect Fraud 106 Confirm vendor payments or year-end payables Obtain copies of cancelled checks directly from the bank or review checks on-line. Instead, cancelled checks on hand were traced to vendor invoices and accounting records Review the organization process for performing background checks Request were made to the accountant to review specific checks. Bank statements were not reviewed (when I reviewed bank statements, all fraudulent checks had been removed - the review took approximately one hour). The auditors stated in the W/P’s there was no need to review bank statements W/P’s indicate no conditions susceptible to fraud in amounts material to the financial statements Audit procedures did not vary from year to year This was not a complicated fraud

The Subsequent Auditors Report for 2009 (Two audits have subsequently been issued) 107 5 material weaknesses 6 significant deficiencies 4 additional weaknesses in internal control Weaknesses reported were not new

Reputational Risk 108 This fraud made the front page of the local paper on numerous occasions Previous Board members were embarrassed The name of the Board (Park) was linked to the fraud as opposed to its mission for many months Subsequent clean audits - for the last two years – have helped For the most recent audit, there were no material weaknesses, significant deficiencies, or management comments. This was also reported in the newspaper

Comment from Office Manager to previous auditor’s inquiry about any knowledge of 109 fraud: “I can honestly say that I know of none, nor do I know of any allegations of fraud. ”

Where Do you Place Responsibility? 110 With the Board? With the Auditors? With both?

Case Study Three 111 Was there a weakness in Control environment Control risk Control activities Information and communication Monitoring

What are Some Suggestions 112 Be aware that fraud and abuse can exist Exercise professional judgment and professional skepticism Ask about background checks Discuss risk and fraud with organizations management and determine whethere are mitigating controls Brainstorm with staff and supervisor on risk, controls, and testing to be done. Document discussions Look for persuasive factbased evidence Document adequacy of responses to questions

High Risk Areas Susceptible to Fraud 113 Travel reimbursements Time & attendance Overtime Cash collections Petty cash purchases Use of vehicles and equipment P-card transactions

What to Do When You Suspect or Discover Fraud? 114 Do not pursue so as not to interfere with potential future investigations or legal proceedings Secure documentation Notify your supervisor Notify upper management (department directors) if you do not feel that your concerns have been investigated satisfactorily, or Call the Auditor

Potential Red Flags 115 One person opening the mail that contains money Individuals collecting money in the field Using only certain vendors when quotes would be more logical Lack of dual check signatures over a certain amount The person having check stock and check writing authority also reconciling the bank statement Receipt of bank statements by the check writer

10 Tips on How to Deter Fraud in Your Organization 116 1. 2. 3. 4. 5. Integrity at the Top Positive Reputation New-hire Screening Process Ethics Programs Written Fraud Program with Expectation of Consequences

10 Tips on How to Deter Fraud in Your Organization 117 (Continued) Communicate Policies to Vendors 7. Proper Handling of Investigations 8. Independent Internal Audit Function 9. Effective Internal Controls and Auditing 10. Open Internal Reporting 6.

Questions? 118

Comments/Questions 119 Thank you!!! Sam Mc. Call 850 6440651 [email protected]. edu