Internal Control

1
Internal Control Fraud Risks for Entities with
Limited Segregation of Duties

• Presented by Ken Al-Imam, C.P.A.
• MAYER HOFFMAN MCCANN P.C.
• CONRAD GOVERNMENT SERVICES DIVISION
• (formerly Conrad and Associates, L.L.P.)
• 2301 Dupont Drive, Suite 200
• Irvine, California 92612
• (949) 474-2020 Ext. 273
• kalimam_at_cbiz.com

2
Problem

• Integrity is difficult to measure

3
Identifying Persons Capable of Fraud

• We expect people to be like ourselves
• Honest and responsible
• Usually fraudsters are persons least expect
• Great actors

4
Classic Fraudster

• Employed for many years
• Loyal dependable employee
• Never complains
• Never asks for help
• Works long hours (comes in early, stays late,
  works weekends)
• Never takes vacation

5
Fraud

• 600 billion per year
• 6 of revenue lost to fraud
• Average scheme lasts 18 months before detected
• Average loss is 127,500 per entity

6
The Perpetrators

• The higher the education, the higher the loss
• The higher the age, the higher the loss
• 68 done by one perpetrator, 32 involved
  collusion
• 53.5 male, 46.5 female

7
Methods of Detection

• External Audit 10.9
• Internal Audit 23.8
• Internal Controls 18.4
• By Accident 21.3
• Tip 39.6
• Notified by Police 39.6

8
Factors present in all Frauds

• Motive
• Opportunity
• Rationalization
• Concealment

9
Ethics Policy

• Important
• Tone from top
• Emphasize policy and enforce violations

10
Cross-training/Mandatory Vacations

• Important
• Helpful when have turnover
• Some frauds are difficult to conceal if someone
  else is doing their job

11
Collusion

• Internal controls not designed to prevent
• Has own built-in control
• No honor among thieves
• Segregation between departments

12
Segregation Between Departments

• Not a focal point of standards
• Different persons in one department still
  requires collusion for fraud to occur
• Segregation between individuals is the focus

13
Internal Control

• Focus of internal control is on internal fraud
• Difficult to control external fraud

14
Segregation of duties

• Goal is to make it difficult to both commit the
  fraud and to conceal the fraud
• Usually segregate access to assets from
  recordkeeping

15
Understanding Fraud Scenarios

• Best way to develop alternative controls is to
  understand in detail how a fraud scenario for
  that transaction cycle would take place.
• Smoke out alternative control opportunities

16
Use of auditor

• Consult with your auditors
• Challenge your auditors with a detailed
  discussion of the fraud scenario

17
Revenue Fraud

• Checks (not just cash) are subject to theft
• Take money and destroy evidence of transaction
• Need system to ensure all money collected ends up
  in bank account

18
Revenue Fraud

• Establish control as early as possible in process
• Document totality of receipts immediately upon
  receipt
• This creates controlled documentation that can be
  matched to bank deposit

19
Revenue Fraud

• Cash register is best control
• Or uninterrupted sequence of receipt forms
• Watch for receipt substitutes (license
  certificates, permits, etc.)
• List of checks received in the mail (and what do
  with list)

20
Checks Received in Mail

• Controlled at opening
• List or copy amounts received
• Give copy to those maintaining records
• Minimize number of persons handling checks
  received prior to deposit

21
Revenue Controls

• Immediate restrictive endorsement
• Timely deposits

22
Controls Over Person Preparing Bank Deposit

• Often funds stolen at that point are not detected
  
• Support for bank deposit can be reviewed by
  independent person
• This can be done after the fact using the deposit
  confirmation notice

23
RevenuesAlternative Controls

• Independent review of support for deposit
• Can be done at the department level

24
Accounts Receivable

• Those posting payments to customer records should
  not have access to cash/checks
• Only give list or copies of checks
• Or list created by mail opener agreed to deposit
• Or independent agreement of system posting report
  to funds deposited

25
Control Over Adjustments

• Persons posting adjustments should not be
  handling cash/checks
• Independent approval of adjustments
• System produces report of adjustments that are
  reviewed

26
Voided transactions

• Should be independently approved
• Best for approval at time of void (in presence of
  paying party)

27
Cash Disbursement Frauds

• Fictitious Vendor
• Payment to vendor with same or similar name as
  real vendor
• Unauthorized disbursement
• Unsupported disbursement

28
Alternative Controls

• Positive Pay
• Vendor set up
• More than one knowledgeable person involved in
  every transaction (usually the knowledgeable
  approver will be in the same department as the
  initiator)

29
Duplicate Payment Schemes

• Multiple payments of invoices to legitimate
  vendors

30
Cash Disbursement Controls

• Canceling invoices (entered, etc.)
• Cancellation of invoice (not just check copy)
• No payments from copies or statements
• No return to initiator (or to person with access
  to vendor master file)

31
Bank Reconciliation

• Such a key control that it should always be
  segregated from access to assets

32
Review of Bank Reconciliation

• Not as effective as separate preparation
• Must be done in conjunction with examination of
  original bank statement

33
Review of Unopened Bank Statement

• Spot check debit memo charges
• Out of sequence checks
• Duplicate checks
• Trace transfers to authorizing document (with
  different initiator and approver)

34
Cancelled checks

• Obvious forgeries
• Evidence of check alteration
• Multiple endorsements

35
Review of Supporting Documentation

• Fraud cant happen because approval is required
• But review often done before checks are printed
• This cant detect unsupported checks created
  after this review
• Printed checks compared to support by someone not
  involved in data entry to create check

36
Review of Supporting Documentation

• Traditionally performed at time of check signing
• Some one other than accounts payable personnel
  can do after checks are printed
• Printed checks compared to support by someone not
  involved in data entry to create check

37
Review of Supporting Documentation

• Can be done on a spot check basis (with check
  register to make sure received all checks)
• Checks should not be returned to persons that
  initiated them

38
Review of Supporting Documentation

• Or A/P clerks switch (dont match support for
  those checks they created)
• Or payroll clerk print, match, and mail A/P
  checks and A/P clerk print and distribute payroll
  checks/check stubs

39
Procurement Fraud

• Difficult to prevent and detect (collusion)
• Bid rigging
• Employee aids a vendor to obtain a kickback
• Splitting purchases to avoid threshold for
  competitive quotes
• Drafting specs so that favored vendor is
  advantaged
• Only receiving quote from favored vendor and
  comparing to fictitious quotes

40
Procurement Fraud

• Providing advance notice to vendor and then
  issuing request for proposals with
  unrealistically short time frame
• Allowing favored vendor to propose late or with
  knowledge of other quotes

41
Procurement Controls

• Emphasize in ethics policy the unacceptability of
  these specific employee behaviors
• No purchase controlled by one person

42
Refund Schemes

• Controls are typically weaker than for standard
  vendor payments

43
Refund Schemes

• Cancellation of conference or travel
• Cancellation of memberships or subscriptions
• Returns of goods purchased

44
Expense Reimbursement

• Focus should be on payments prior to event
• Reimbursed but then not go and get refund
• Follow-up to received evidence trip actually
  taken

45
Payroll Fraud

• Focus is on fictitious employees
• Classic control is segregate
• Access to payroll master file
• Payroll processing

46
Payroll Fraud

• Often overlooked
• Keeping an existing employee on the system

47
Alternative Controls

• Review of payroll register
• Review of direct deposit report from bank
• Periodic spot-checking of a payroll register by
  HR

48
Alternative controls

• Comparing list of terminated employees to payroll
  register
• Department review of payroll register (labor
  distribution run) for their department
• Department monitoring of budget
• Reviewing cancelled checks for multiple
  endorsements

49
Questions or comments?

• Thank you for your attention!