AGA Risk and Fraud Webinar
February 22, 2017

Let's Begin with the Basics

- 5% of revenues lost to fraud every year
- Median fraud duration from start to detection is 18 months
- Small organizations tend to suffer disproportionately large losses
- Small organizations' fraud risks differ from large organizations
- Nearly 80% of fraud was committed by people working in accounting, operations, sales, executive/senior managers, customer service and finance
- The higher the perpetrator's level of authority, the greater the fraud losses tend to be.
  - Fewer cases of fraud, but higher median fraud loss of $500,000
- Collusion among employees enables larger fraud losses because it enables the evasion of independent checks and balances and anti-fraud controls

Source: 2015 ACFE Report to the Nations on Occupational Fraud

Let's Begin with the Basics (Cont.)

Three Types of Fraud:

- Asset Misappropriation: Most common fraud, or about 85% of the time, and a median loss of $130,000
- Corruption Schemes: Occurred for about 37% of fraud cases and median loss of $200,000
- Financial Statements: Only 9% of cases reviewed, but resulted in the greatest median loss of $1,000,000

Source: 2015 ACFE Report to the Nations on Occupational Fraud

Let's Begin with the Basics (Cont.)

Three Types of Fraud Defined:

- Asset Misappropriation: Referred to as Insider Fraud. Entrusted people steal from within their organizations.
- Corruption Schemes: Kickbacks/Bribes/Skimming/Ponzi Schemes. Buyer overpays and a vendor pays part of excess to fraudster. E-commerce increases risk to this vulnerability.
- Financial Statements: Intentional misrepresentation of a financial statement. Think ENRON!

Source: 2015 ACFE Report to the Nations on Occupational Fraud

Let's Begin with the Basics (Cont.)

Organization, Culture, People

- Banking, Government, and manufacturing industries have the greatest number of fraud cases
- The presence of anti-fraud controls reduces fraud losses and fosters faster fraud detection
- Organizations with hotlines are far more likely to catch fraud by a tip, which is the most effective way to detect and deter fraud
- Social media, texting, email, all used as hotlines
- The vast majority of occupational fraudsters were first-time offenders; only 5% had been convicted of a fraud-related offense prior to committing crimes

Source: 2015 ACFE Report to the Nations on Occupational Fraud

Tone From the Top!

Ken Lay:
- "I take full responsibility for what happened at Enron. But saying that, I know in my mind I did nothing wrong."
- "I can't take responsibility for criminal conduct inside the company."
- "Any slots at the senior level including the CEO or other slots, will be filled internally."

Andy Fastow:
- "I knew it was wrong, but I didn't think it was illegal."

Bernie Madoff:
- "I was always able to rationalize [the fraud]."
- "I tried to give moneys back to my clients. They wouldn't take it back. Everyone said 'No, you can't do that. You can't send me my money back. I have been a friend of yours, or a client for years.'"

Bernie Ebbers:
- "I know what I don't know. I don't know technology, and I don't know finance and accounting."
- "No one will find me to have knowingly committed fraud."

[Chart: fraud detection methods. Categories: Tips/Hotlines, Management Reviews, Internal Audits, By Accident, Account Reconciliation, Document Examination, External Audits, Surveillance/Monitoring, Law Enforcement, IT Controls, Confessions, Other]

THE FRAUD TRIANGLE

RED FLAGS

[Figure: Culture, and Attitude Triangle]

COLLABORATION
A winning combination!

Investigators' Steps and Tools to Pursue Fraud

- DCAA SUSPECTED IRREGULARITY REFERRAL FORM: http://www.dcaa.mil/sap/0160_ap_consultant_services.pdf
- GAO Examples of Fraud Risk Indicators: http://gao.gov/products/gao-12-331g
- AICPA Fraud Risk Factors in Financial Statement Audits: http://www.aicpa.org/research/standards/auditattest/downloadabledocuments/au-c-00240.pdf

DECISION MADE TO REFER FRAUD:

- Apply Criminal, Civil, and Administrative Considerations
- Use of Grand Jury or IG Subpoena
- Pursue financial and inventory records
- Obtain testimony under oath

Fraud Prevention Controls

- Ethical Culture and Tone From the Top
- Code of Conduct
- Know Your Employees
- Mandatory Ethics Training
- Anti-Fraud policy
- Surprise Audits
- Job Rotation/Mandatory Vacation
- Employee Assistance Programs
- Hotlines
- Protection and Rewards for Whistleblowers
- Fraud Awareness Training
- Internal Audit Program
- Management Reviews of Internal Controls
- Independent Audit Committee

Types of Audits

The Risk and Fraud Criteria

OMB Circular A-123: Management's Responsibility for Internal Controls and Enterprise Risk Management

Auditors are responsible for:
- Keeping management informed about risks that it detects (including fraud risks) and,
- Providing such information to management to use in their identification and assessment of risks.

OMB A-123 Refers to GAO Green Book
- Green Book Identifies Risk Assessment as a key component of internal control

The Risk and Fraud Criteria

GAO Green Book: Standards for Internal Control in the Federal Government

- Risk Assessment is a key component of internal control
- Principle of Internal Control: Fraud risk Assessment used in the identification and assessment of risks.
- Management should consider the potential for fraud when identifying, analyzing, and responding to risks.

Managing Fraud Risk through Training:

"There is no substitute for knowledge." W. Edwards Deming

Effective internal controls require the right training, tools, structure, incentives, and responsibilities is operational success possible.

The Risk and Fraud Criteria

GAO Green Book (continued)

Five components of Internal Control:
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring

Risk Factors: (Nearly Identical to the Fraud Triangle)
- Incentive/pressure
- Opportunity
- Attitude/rationalization

COMBATTING FRAUD: ONE TEAM, ONE FIGHT

Auditors
- Guided by standards
- Test internal controls
- Conduct interviews
- Have access to records
- Report missing inventory
- Follow the money
- Recommend controls
- Report security weaknesses

Investigators
- Guided by the law
- Conduct interviews
- Test if laws were broken
- Can seize records
- Recover stolen inventory
- Capture the money
- Enforce the law
- Provide security

Case Study Number 1

- Trusted purchase card holder
- No independent oversight
- No separation of duties
- Performed her job well
- Trusted with a $100,000 limit
- Charged car repair unnoticed
- Started living large
- Purchased airline tickets
- Auditors perform surprise audit
- Find weak control environment/improper charges
- Examined airline ticket purchases
- Noted tickets for personal use
- Expanded audit to other purchases
  - Two SUVs
  - Vacations
  - Electronics
  - Motorcycle
  - Cosmetic surgery

CASE STUDY 1 (CONTINUED)

Findings sent to investigators
- Detailed improper purchases
- Potential theft of $200,000
- Identified items purchased
- Did not cooperate about location of missing items

Investigators accept findings
- Interview card holder
- Breaks down and confesses
- Agrees to return purchases
- Search warrant located missing items
- Confirmed fraud of $200,000

CASE STUDY 2

- Trusted employees
- Did not live large
- Access to military equipment
- No oversight
- "If it ain't broke, don't fix it"
- Delivery justifies the means
- High volume of transactions
- No separation of duties
- Easy access to Internet sales sites

Investigators receive tip
- Discover Internet sales scheme
- Confirm items stolen
- Locate fraudulent bank accounts
- Interviewed under oath
- Confession received
- Fraudster confessed there was collusion with others
- Requested audit to detail losses

Case Study 2 (Continued)

Fraud scheme sent to auditors
- Identified stolen items
- Identified suspects
- Confirmed collusion
- Requested assistance to determine:
  - How much was stolen?
  - Why was the theft unnoticed?

Fraudsters sent to prison
- Determined that $2.5 million was stolen
- Reconciled orders and shipments
- No separation of duties
- Records either missing or illegible
- No independent oversight
- Abused high priority designation
- Recommended control improvements
- Served as expert witness

Thank you for your participation!