Fraud and internal controls, Part 3: Internal fraud schemes

Transcription

1 Fraud and internal controls, Part 3: Internal fraud schemes By EVERETT COLBY, CFE, FCGA This is the third and final article in a series by Mr. Colby on Fraud and internal controls to be carried on PD Net. Introduction Cash receipts fraud Theft of non-cash assets Payroll fraud Expense reimbursement fraud Conclusion In Part 1 of this three-part series of articles, the discussion focused on why an organization needs to design or enhance their internal controls to protect against business threats and risks, what some of the threats and risks are that organizations face, and why the need to protect data is so important. In Part 2, Mr. Colby discussed the risk assessment approach to designing internal controls. He also looked at internal controls in a computerized environment and what their objectives are. Finally, Part 3 looks at some of the more important elements that have to be present to have an effective control environment. Introduction If you were asked to design a set of internal controls for a business where one of the primary objectives was the prevention of internal fraud, would you be able to do it? If you have had some training in fraud methodology, perhaps you could. If you have not had such training, how would you be able to design a set of internal controls to prevent or detect internal frauds if you do not know what you are looking for or what activity or behavior the control is trying to minimize or prevent? In this article, we will look at some of the most common internal fraud schemes. The purpose is to give you a better understanding of how internal frauds work and what some of the red flags are to watch for. With this knowledge, you should have a better understanding of internal frauds and will be better able to help design controls to minimize or prevent the risk of internal fraud from occurring. Internal fraud schemes are a three-step process: committing the fraud, concealing the fraud, and converting non-cash items to cash. When internal fraud occurs, there are usually signs that it has been committed or concealed. These are known as red flags. Examples of red flags include missing assets, fraudulent documents, or forged checks. Knowing and searching for red flags are two of the best ways to detect fraud. It is also important for designing controls to prevent or minimize the risk of these frauds from occurring. Red flags do not always mean fraud actually exists or has occurred. They are indicators that there is a greater probability that the internal fraud might exist or could occur. If red flags become evident, you must investigate to know whether an internal fraud has actually occurred. Most people are unaware of red flags, do not recognize them, or are too busy to notice them. If a red flag is noticed, it is often not investigated. As a result, many frauds go undetected. This is one of the results of a poor control environment. As discussed in Part 2, to help increase the awareness of employees, you need to enforce an effective control environment. Investigating red flags can lead to early detection of fraud, which saves the company money, and future fraud may be deterred.

2 Investigating the suspected frauds is how you catch the fraudster. Designing policies to minimize or prevent the frauds from occurring is the control. It is possible to design and implement controls to prevent or minimize the risk of particular fraud schemes being committed. Controls can often be put in place to make it difficult to commit or conceal the fraud. It is also possible, to a lesser degree, to implement controls to make it difficult to convert non-cash assets. The steps in the internal fraud process and the activities of management to catch perpetrators and prevent the fraud from occurring again are commonly referred to as the 5 Cs committing, concealing, converting, catching, and control. A familiarity with the 5 Cs will make it easier for you to understand internal fraud and to be better able to design and implement controls to prevent or detect the frauds from occurring. Internal frauds can be classified by the way they are concealed. There are two concealment methods: on-book frauds and off-book frauds. Off-book frauds are generally larger in amounts than on-book frauds. On-book fraud concealment methods occur within the business. Illicit payments or activities are recorded and generally disguised. An audit trail normally exists however obscure which can aid in the detection of the fraud. On-book frauds are normally detected at the point of payment. Off-book fraud concealment methods occur outside the accounting mainstream. No audit trail is likely to exist which makes these types of internal frauds more difficult to detect. Examples include skimming, bribery, and kickbacks. These types of frauds are normally proved at the point-of-receipt. We will now look at the most common internal fraud schemes and depict each scheme using the 5 Cs approach. First, we will discuss how each scheme is committed; next, we will look at how each is typically concealed; then, we will look at how the items are converted, if at all. From there, we will discuss the common red flags for each type of scheme which can lead to investigating and catching the fraudster. And finally, we will look at some controls that can be put in place to help prevent or minimize the organization s risk from loss due to the particular scheme. Cash receipts fraud Unrecorded sales This type of fraud commonly referred to as skimming typically involves stealing cash before it is entered into the company s accounting system. It is a fairly common type of internal fraud. It is difficult to detect because it is off-book. There is normally no record of the sale, no entries in the accounting system, and no audit trail. The company is often unaware that stolen funds were received. The most common types are: stealing cash receipts at the point-of-sale and not recording sale (unrecorded sales) stealing cash receipts received in the mail understating sales and receivables This type of internal fraud is committed when an employee sells goods or services, keeps the money paid, and does not record the sale. This is most common in retail store environments where cash is typically used to pay for goods or services. This type of fraud does not often need to be concealed because it is an off-book fraud. Typically, there is no accounting record or audit trail left of the transaction since it is not Fraud and internal controls, Part 3: Internal fraud schemes 2

3 recorded. Despite the fact that the cash does not need to be concealed, the employee must often conceal the fact that the sale took place. This may be accomplished by: not ringing up the sale, ringing up the sale as a no-sale, not creating a receipt, or destroying the sales record or register tape. As opposed to stealing physical assets, when cash is stolen, there is typically no need to convert it since it is already cash. Red flags of unrecorded sales which can help catch the perpetrator include: inventory is lower than records indicate gaps in pre-numbered documents missing register tapes or other records differences between customer and company records lower than expected revenue when particular person is working lower than expected revenue by location poor record-keeping or collection procedures Some controls that a business can consider to help minimize the risk of cash receipts fraud include: Using cash registers with internal tapes that cannot be manipulated. Conducting surprise cash counts and comparing cash receipt tapes with actual cash in the drawer. Segregating the duties of cash receipts, cash counts, bank deposits, and cash disbursements. Putting cash registers close together to make them more visible. Skimming does not normally involve collusion with other employees so the fear of being seen can be a strong deterrent. Installing video cameras on cash registers. Performing frequent spot inventory counts. Promoting customers asking for their receipts by stating they are required for returns. Sequentially numbering all cash receipts and performing frequent reconciliations. Taking out bond insurance on all employees handling cash receipts Stealing mail receipts This type of internal fraud is committed by stealing mail receipts when they are received. Since very little cash is sent by mail, most thefts of mail receipts involve cheques. This makes this type of theft one of the most difficult for the employee to conceal. The company expects the account receivable and, when payment is not received, the company may send out a late notice (a type of control). More often than not, when the notice is sent out, the customer complains and shows his or her cancelled cheque. Converting cheques is also very difficult because they have to be cashed or deposited in a bank account. This leaves a trail to trace back to the perpetrator. The most common form of concealment for this type of fraud is lapping; person B s payment is used to pay person A s receivable (which was stolen). Person C s payment is then used to pay person B s receivable and so on. Other forms of concealment include false discounts or credit memos to write off the receivable, intercepting and altering notices sent to customers, and creating journal entries to actually write the amount off to bad debts. Red flags of mail receipt theft which can help catch the perpetrator include: Customer and company show different amounts owing/paid. Amounts in A/R journal, cash receipts journal, and deposit slip do not match. Unauthorized or unexplained discounts or write-offs of customer accounts. Illogical debits used to balance accounts receivable. Fraud and internal controls, Part 3: Internal fraud schemes 3

4 Some controls that a business can implement to help minimize the risk of the theft of mail receipts include: Sending out monthly statements and late notices and performing reconciliations of customer information with company information on a quicker basis. Segregating duties between the receipt of payments and recording of accounts receivable payments. Requiring supervisory approval for write-offs, discounts, and any adjustments to A/R ledger. Monitoring A/R for unusually high numbers of write-offs, debits, or overdue accounts. Using a third-party (bank) lockbox service for A/R receipts. Creating an exception report for any alterations to accounts receivable. Understating sales and receivables This type of internal fraud is simply a variation of cash theft skimming and theft of mail receipts. The difference is that, in the first two methods, all the money is taken. In this method, only a portion of the money is taken and the rest is recorded. For example, the cash register clerk makes a $100 sale. The clerk records a sale for $75 instead of $100 and pockets the extra $25. Understating sales and receivables can be concealed using false discounts. The clerk would give the customer a full receipt and then issue a phony discount voucher to the bookkeeper. As with the theft of mail receipts, other forms of concealment include credit memos to write off the receivable, intercepting and altering notices sent to customers, and creating journal entries to actually write the amount off to bad debts. Red flags of understated sales and receivables are the same as for the theft of mail receipts. The same controls that a business would use to minimize the risk of the theft of mail receipts can be used to minimize the risk of understated sales and receivables. Theft of non-cash assets This type of fraud is committed by stealing assets other than cash. There are two typical ways employees misappropriate non-cash assets: they steal the asset with no intention of returning it, or they borrow the asset to misuse it or use it for purposes other than what the asset was acquired for. Many employees start by borrowing the asset then move to stealing it once they see nobody noticed it was missing in the first place. Non-cash assets that are typically subject to theft/misuse include: inventory supplies tools and equipment raw materials computers and other office equipment telephones (personal long distance) company cars When this type of theft occurs it is typically, although not exclusively, committed by employees in the warehouse, inventory clerks, shipping clerks, delivery drivers, and others who have easy access to the assets. There are a number of different methods for concealing the theft of non-cash assets. Some of the more common methods include misstating inventory counts, preparing false journal entries to reduce the inventory or asset values in the books and records, and creating false documentation to make it appear that a sale has taken place. This method can be concealed further if the sale is recorded to a large account receivable that is about to be written off. Other methods include writing off the asset as obsolete or scrap or recording it as a defective item. Fraud and internal controls, Part 3: Internal fraud schemes 4

5 Payroll fraud This type of fraud is less convenient for the perpetrator because he or she will generally have to convert the asset to cash in order to benefit from it. The asset can be sold to a competitor or customer, used in a home-based business, returned for a refund, or perhaps even used as a gift to someone else. Red flags of non-cash asset theft which can help catch the perpetrator include: regular inventory shortages missing tools or other assets poor physical access or movement controls excessive number of short shipments or receipts scrap or obsolete amounts exceed what is expected vendor invoices do not match receiving reports missing documents such as no sales receipt or shipping documents altered documents such as packing slips, shipping documents, etc. unexplained journal entries to inventory or asset accounts Some controls that a business can implement to help minimize the risk of the theft of noncash assets include: Using physical access controls for all assets and inventory and restricting access to inventory. Monitoring employees who have access for unusual patterns of entry and departure. Using electronic surveillance equipment such as video cameras. Using sequentially pre-numbered documents for inventory control. Segregating duties such as requisition of inventory, purchase of inventory, receipt of inventory, custody of inventory, and physical counts of inventory. Performing periodic surprise inventory and asset counts and reconciling the counts to the amounts recorded in the books and records. Using analytical review to monitor for unusual trends such as persistent or rising inventory shortages. Periodically comparing customer and vendor addresses to those of employees to prevent employees from shipping goods to themselves. This type of internal fraud is basically the theft of cash using the company s own payroll system. It is typically committed by an employee creating false documents such as phony time cards. This causes the company to pay out more in salary, commissions, or benefits than it should. There are several typical types of payroll fraud including ghost employees, overstatement of hours, false commission schemes, and false Workers Compensation claims. Some of the most common methods for concealing this type of fraud include misrepresenting the time you begin or complete a work shift, falsifying the supervisor s signature on the time card or having the time card rubber stamped by a supervisor that does not pay particularly close attention to the details, and falsifying the time on the card after the supervisor has approved it. When time records are automated, a common method is to have another employee punch you in or out. To conceal false commission schemes, the employee can falsify the amount of sales he or she has made or alter the prices contained on sales documents. Red flags of payroll fraud which can help catch the perpetrator include: poor segregation of duties in the payroll area no time clocks or inadequate control and supervision of time clocks the number of employees paid is higher than the number working a terminated employee that is still on the records Fraud and internal controls, Part 3: Internal fraud schemes 5

6 no independent review of payroll records failure to authorize bonuses, overtime, and commissions in writing Some controls that a business can implement to help minimize the risk of payroll fraud include: Proper segregation of duties in the payroll area including entering time data, authorizing time cards, commissions or bonuses, distributing payroll, transferring funds to payroll accounts, and reconciling the payroll bank account. Supervisor should be present at the beginning and end of shifts when an automated timekeeping system is used. Comparing the number of paychecks with the number of authorized workers. Examining all time cards submitted for proper authorization. Analytical review comparing sales commissions to sales to see if the relationship is consistent with established commission policy. Expense reimbursement fraud This type of fraud is typically committed by an employee who generates false claims for expenses to be reimbursed. It is as common as payroll fraud schemes. The losses with this type of scheme are relatively low compared to payroll fraud schemes. The methods for concealing this type of fraud are varied. Some examples include claiming personal travel as a business trip or listing dinner with a friend as business development. Other methods include overstating the actual cost of business expenses, altering receipts to show a higher amount, or substituting receipts (for example, purchasing an expensive and an inexpensive airline ticket, submitting the receipt for the expensive ticket for reimbursement, then using the inexpensive ticket to travel and getting a refund from the airline for the expensive ticket). Creating false receipts is very easy with today s desktop publishing tools. You can also obtain blank receipts from legitimate sources and fill them out and submit them. This type of fraud is typically perpetrated by high-level employees, owners, and officers because they are normally the only employees authorized to be reimbursed for expenses. Conversion for this type of fraud is easy because a company check is issued to the employee for an allegedly valid claim and he or she simply cashes or deposits the check. Red flags of expense reimbursement fraud which can help catch the perpetrator include: detailed expense reports are not required or not filled out original documents supporting claim are not required or not submitted expenses exceed historical amounts or budgets many receipts from the same vendor submitted receipts are consecutively numbered travel is not supervised and travel expenses are not reviewed Some controls that a business can consider to help minimize the risk of expense reimbursement fraud include: Requiring detailed expense reports to be completed including the name of client, business purpose, dates, and locations. Requiring original documentation for all expenses submitted. Requiring that all expense reimbursement claims be reviewed and approved by a supervisor. Reviewing all details prior to issuing the reimbursement. Requiring boarding passes for all airline or rail travel. Fraud and internal controls, Part 3: Internal fraud schemes 6

7 Conclusion Comparing reimbursement amounts to those submitted by other employees on the same trip. Comparing expense amounts to prior periods, budgeted amounts, and historical amounts. In this article, we discussed some of the most common internal fraud schemes and what some of the red flags are that they might be occurring. This is not an exhaustive listing of all internal fraud schemes. We discussed using the 5 Cs approach committing, concealing, converting, catching, and controlling to understanding internal fraud. The purpose of Part 3 is to give you a better understanding of how internal frauds work. With this knowledge, you should be better able to help design controls to minimize or prevent the risk of internal fraud from occurring. Fraud is a risk that all businesses face. It does not matter whether the business is large or small, they both face significant risks of loss due to fraud. Fraud can occur internally, externally, or in combination. Many fraud experts believe the most important thing a business can do to try and minimize its risk of loss due to fraud is to design internal controls that make it difficult to commit or conceal fraud. This three-part series started by looking at why businesses need to implement strong internal control systems to help deter fraudulent activity. It went on to provide some guidance on how to design controls to help curb the threat using the risk assessment approach to control design. It also discussed the objectives of various internal controls and why it is so important to put in place an effective control environment. Finally, this article discussed some of the most common internal fraud schemes faced by business today and how to detect and deter these risks. These principles are important because, although top management is ultimately responsible for protecting the organization s assets and resources, they will often look to their internal and external accountants for assistance in this regard. Because CGAs are well trained in understanding internal controls, they are in an excellent position to assist top management in fulfilling this responsibility. Everett Colby, CFE, FCGA, is a public practitioner who owns one of the offices of Porter Hétu International consistently ranked by The Bottom Line as one of Canada s top 30 accounting firms. Everett also owns a forensic accounting firm, North American Forensic Accountants and Fraud Investigators Inc. He is a member of CGA Ontario s Board of Governors, chairs CGA Canada s Tax and Fiscal Policy committee, and is a life member of the International Association of Certified Fraud Examiners. Mr. Colby is a frequent seminar presenter, across Canada and internationally, on topics including fraud, money laundering, the civil penalties, and ethics in today s business environment. This is the third and final article in a three-part series by Mr. Colby on Fraud and internal controls to be carried on PD Net. Fraud and internal controls, Part 3: Internal fraud schemes 7