by: Scott Baranowski, CIA




Community Bank Auditors Group
A/P, Procurement and Credit Card Internal Controls
June 4, 2014
by: Scott Baranowski, CIA
MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS
2013 Wolf & Company, P.C.

Agenda
- Accounts Payable and Corresponding Internal Controls
- Procurement and Credit Cards and Corresponding Internal Controls
- Case Study

Fraud Detection
Key Findings and Highlights of the 2012 Report to the Nations include: CFE

Accounts Payable
1. Reconcile your accounts payable entries and your bank's related DDAs monthly.
2. Look for invoice oddities.
3. Check out check amounts.
4. Vet your vendors.
5. Smile and dial.
6. Trace transactions.
7. Be aware of the human factor.

Data Mining
Use accounting, database, and spreadsheet software to go through your accounts payable quickly and accurately, looking for signs of trouble.
Detection tip: Merge the files for your employees and your vendors to scan for matching addresses, phone numbers, bank account numbers, and other identifiers.

Accounts Payable Risks
Risk: Misdirected Payments
Payments are misdirected to someone posing as a legitimate vendor.
Red Flags:
- No proper documentation or approval of additions, changes, or deletions to vendor master file.
- Vendor addresses do not agree with vendor approval application.
Tools/Best Practices:
- Verify that all changes to vendor records (name, address change, bank account) are submitted by an authorized vendor signatory, and approved by an agency signatory. This is to prevent theft or misappropriation of funds.
- Segregate duties between processing of accounts payable invoices and updates to vendor master files.

Accounts Payable Risks
Risk: Duplicate Payments
Red Flags:
- A red flag for duplicate payments is spending in excess of budgeted or normal amounts. Interestingly, a vendor's failure to claim a discount due might also indicate that he has been paid twice and doesn't want to engender additional review of his account.
- Credit balances in the accounts payable subsidiary ledger might indicate a duplicate payment.
Tools/Best Practices:
- Convert payments to ACH or other electronic methods. ACH or electronic payment methods take more time to initially establish compared to simply printing a check to a vendor, and are thus less likely to include fraudulent transactions.

Accounts Payable Risks
Risk: Overpayment
Red Flags:
- Excessive purchases of unneeded items.
- Frequent shipments to P.O. boxes.
- Weekend or holiday delivery dates on invoices.
- Same person signs both the purchase order and the receipt.
Tools/Best Practices:
Data analytics for:
- Vendor Summary Totals Period Comparison
- Descriptive Statistics / Benford's Law Analysis
- Above Average Payments To A Vendor
- Duplicate Payment Testing
- Employee to Vendor Address Match
- Payments Made After Period End for Valid Liabilities at Period End
- Identify Exceeded Purchase Orders
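The employee/vendor file merge from the Data Mining detection tip and the "Duplicate Payment Testing" analytic listed above can be sketched as follows. This is an added example, not material from the presentation; the record layout, field names, normalization rules and all sample data are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the presentation).
EMPLOYEES = [
    {"id": "E1", "address": "12 Oak Street, Apt. 4", "phone": "(617) 555-0101", "bank": "0110-0001 778899"},
    {"id": "E2", "address": "9 Elm Road", "phone": "617-555-0177", "bank": "0110-0002 112233"},
]
VENDORS = [
    {"id": "V1", "address": "500 Industrial Ave", "phone": "617.555.0190", "bank": "0110-0009 445566"},
    {"id": "V2", "address": "12 OAK ST APT 4", "phone": "617 555 0123", "bank": "0110-0003 998877"},
    {"id": "V3", "address": "PO Box 88", "phone": "617 555 0177", "bank": "01100002112233"},
]
PAYMENTS = [  # (payment id, vendor id, invoice number, amount)
    ("P1", "V1", "INV-001047", 1250.00), ("P2", "V1", "inv 1047A", 1250.00),
    ("P3", "V1", "1048", 1250.00), ("P4", "V2", "77", 300.00),
    ("P5", "V2", "0077", 300.00), ("P6", "V2", "77", 310.00),
]
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste", "apartment": "apt"}

def norm_address(text):
    """Lower-case, drop punctuation, and abbreviate common street words."""
    words = re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def norm_digits(text):
    """Keep digits only so formatting differences do not hide a match."""
    return re.sub(r"\D", "", text)

NORMALIZERS = {"address": norm_address, "phone": norm_digits, "bank": norm_digits}

def employee_vendor_matches(employees, vendors):
    """Return sorted (employee id, vendor id, field) for each shared identifier."""
    hits = []
    for field, norm in NORMALIZERS.items():
        index = defaultdict(list)
        for emp in employees:
            key = norm(emp.get(field, ""))
            if key:  # never match on a blank field
                index[key].append(emp["id"])
        for ven in vendors:
            for emp_id in index.get(norm(ven.get(field, "")), []):
                hits.append((emp_id, ven["id"], field))
    return sorted(hits)

def duplicate_payments(payments):
    """Group payments sharing vendor, amount, and invoice digits (prefix, alpha
    suffix and leading zeros ignored); each group is a candidate for review."""
    groups = defaultdict(list)
    for pay_id, vendor, invoice, amount in payments:
        key = (vendor, norm_digits(invoice).lstrip("0"), round(amount * 100))
        groups[key].append(pay_id)
    return sorted(ids for ids in groups.values() if len(ids) > 1)

if __name__ == "__main__":
    print(employee_vendor_matches(EMPLOYEES, VENDORS))
    print(duplicate_payments(PAYMENTS))
```

The invoice key is deliberately loose, so every group it returns is a lead for a reviewer to confirm against the source documents rather than a finding.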

Benford's Law

A/P Overpayment Prevention Tools
- Reconcile checking accounts promptly.
- Keep blank check stock and signature stamps under lock and key.
- Centralize your check writing function to minimize the need for review.
- Immediately update related policies, procedures and controls when there is a change in approval authorizations.

Accounts Payable Risks
Risk: Kickback Scheme
Red Flags and Tools/Best Practices:
- Consistent preferential (early) payments to one vendor.
- Separate check writing and checking account reconciliation.
- Look for invoices that do not have the folds that come from having been mailed. No folds may point to potential fraud.
- Sequential invoice numbers from the same vendor or invoice numbers with an alpha suffix.
- Payments made based on copies of invoices, not originals.
- Vendor invoices are received by department other than accounts payable (purchasing).
- Never have the person who writes the checks also be the person who reconciles the checking account; this is asking for trouble.
- Tax ID numbers on the vendor invoice reinforce the invoice's legitimacy.
- Segregate duties between processing of accounts payable invoices and updates to vendor master files.

A/P Takeaways
Prevention is the best remedy:
- Monthly reconcile accounts payable and your DDA.
- Regularly review accounts payable for red flags.
- Rotate different employees through the job of paying bills with the help of required cross-training.
- Consider mandatory vacations for workers in that department.

Cards

Best Practices in Corporate Card Protection
Misuse of corporate payment cards by employees is not typically considered fraud by card issuers; therefore, the company is responsible for any loss. It is imperative, then, that organizations have prevention processes in place.

Fraudulent Payment Methods

Loss by Payment Method

Card Types
- Procurement/Purchasing
- T&E
- Ghost or Virtual
- One Card
- Fleet

Card Frauds by Type

P-Card Risk
Risk: P-Cards
Red Flags:
- Inappropriate segregation of duties.
- Purchase/payment limits higher than required.
- Refusal of cardholders to accept transfers or promotions.
- Increasing costs of supplies from year to year.
- Controls over vendor type non-existent.

Card Red Flags
Fraud investigations identified a series of red flags:
- Monthly reconciliations were always late or not performed. The person may be attempting to avoid any review of the purchases made.
- Certain receipts were not included in the monthly reconciliation.
- The individual had been placed on probation for performance issues. The person may believe he or she is about to be terminated and has nothing to lose by misusing the p-card.

Card Red Flags
- The employee presented several reconciliations at a time or stated that the reconciliations needed to be signed quickly due to a deadline. This technique reduces the amount of time for review, thus allowing unauthorized transactions to be hidden.
- The employee submitted receipts with a long list of purchase items. Personal items can be hidden within lengthy lists.
- Purchases were made after business hours from restaurants, gas stations or other merchants. The person can use the excuse that it was a mistake and used the wrong card.
- Supervisors were not taking the time to examine the monthly reconciliation. The supervisor trusts the person or has too many more-important tasks to perform.

Preventative Controls
The following preventive controls should be in place for any p-card program:
- Background checks: Giving an employee a p-card is tantamount to providing the cardholder access to one of the organization's most liquid assets: cash.
- Dollar limits: Tailoring the limits to each cardholder reduces the total dollars at risk.

Preventative Controls
- Merchant Classification Codes: MCC should be used to prohibit transactions at various establishments, such as cash advances, liquor stores, big box stores and movie theaters.
- Probation: Place the p-card on hold status until the person is off probation.
- Education: Educate all p-card holders, administrators and supervisors on their card-related roles and responsibilities on an annual basis. At the conclusion of the education, all p-card holders must sign an updated cardholder acceptance form that reiterates the appropriate uses of a p-card. See Exhibit A.

Detective Controls
- Reconciliation review: Perform reviews of transactions, explanations and receipts in a timely manner. The receipts should be reviewed with a specific focus on each receipt's date and time, items purchased and the reasonableness of the expenses.
- Placing p-card on hold status: Place the card on hold status (not allowed to make purchases) until the reconciliation has been completed, reviewed and approved by the appropriate supervisor. The approver should send an email requesting the card be reactivated only after all processes are completed. Track the number of times a person is late or has an incomplete reconciliation (missing receipts).

Detective Controls
- Three-strike rule: If a person repeatedly abuses the p-card (for example, routine tardiness in reconciliation or charging personal items), cancel the p-card and do not allow the person to get it reinstated.
- Monthly reports: The overall card administrator should generate a monthly report and forward it to the appropriate manager. The report should include spending trends, potential split transactions and dollars by merchant. This will provide additional oversight regarding appropriate use.
- Strong policy: The policy should state clearly what the card can and cannot be used to purchase. The policy also should identify the disciplinary action for accidental misuse versus intentional misuse.

Detective Controls
- Anonymous tip line: As outlined in the Association of Certified Fraud Examiners' (ACFE's) 2010 Report to the Nations, most frauds are discovered as the result of a tip. A tip line allows employees to report suspected p-card misuse.

No Control Framework Is

Purchasing Cards: Still a Prime Target
Among the many techniques used in perpetrating employee corporate card fraud are:
- Misuse: A true cardholder uses the card for purchases not authorized by the company.
- Embezzlement: A person within the company with authorized access to credit card information uses that information to defraud the company.
- False fraud: The true cardholder claims charges are invalid in order to get out of paying or to avoid reparations at work.

Fraud Attacks

Company Types

J.P. Morgan Survey
Identified key internal measures as most important in detecting and preventing corporate credit card fraud:
- Secure senior management to champion your card compliance program and work to foster full company buy-in.
- Create checks and balances via logical segregation of responsibilities (e.g., purchase request, authorization and execution).

J.P. Morgan Survey
- Support consistency across the organization.
- Mandate training for all card users and managers.
- Establish preventative controls upfront, such as transaction and monthly limits and the blocking of unauthorized vendors.
- Partner with an issuer that provides Web-based payment management tools, including enhanced reporting and real-time visibility into spending.

J.P. Morgan Survey
- Audit for red flags: spending limits, off-hour purchases or purchases of a personal nature.
- Foster cooperation that encourages cardholder feedback.
- Conduct peer reviews before official audits to mitigate improper card usage and help support Sarbanes-Oxley requirements.
- Network to learn valuable lessons from other program administrators.

J.P. Morgan Survey
One way that companies are reducing card fraud is through the use of Single-use Accounts. A Single-use Account is an electronic credit card-based payment solution that acts like a check. Combining these factors contributes to a much reduced level of fraud.

Case Study: Stealing Funds for a Nest Egg
An executive assistant uses a corporate credit card, gift checks, and an online payment account to embezzle US $1.5 million.
Paul C. Sutphen, CPA, CFE, Partner, RGL Forensic Accountants & Consultants
Exhibit B

Stealing Funds for a Nest Egg - Lessons Learned
1. Allowing employees to charge personal items on a company account is never a good idea.
2. A lower threshold likely would have required more frequent approvals by Collins' supervisor.
3. Accepting only the marketing expense form and payment coupon as support for the charges.
4. Poor control over access to the president's computer.
5. Having a supervisor inspect or have the opportunity to inspect billings, bank statements, and other relevant documentation before the responsible employee receives the information.

Stealing Funds for a Nest Egg - Lessons Learned
6. Couple e-mail authorization for expenditures with another form of control.
7. Had Collins' boss received a periodic report directly from accounts payable showing expenditure approvals, it may have deterred her from exceeding the approval threshold, possibly reducing the amount she stole.
8. Had the Audit Department maintained a stronger presence at the Build Right division, it would have established a perception of detection that may have deterred Collins from her fraudulent activities.

3 Essential Controls
1. A formal credit card policy.
2. Substantiation.
3. Regular statement reviews.

Final Thoughts
Additional controls to remember:
- Set monthly and overall credit limits for all employees who are issued credit cards.
- Perform initial and annual credit checks on all employees who are issued a credit card.
- Disallow cash advances.
- Set up monitoring rights with the credit card issuer to allow online review and notification of any unusual activity.
- Compare expense amounts to prior periods and to budgeted amounts.

Thank You
Scott Baranowski, CIA
Director, Internal Audit Services
617-428-5413
sbaranowski@wolfandco.com