The most recent news headline from Dixon, Illinois, has pushed the issue of fraud in the public sector into the spotlight. To date, the prosecutors allege that the City comptroller stole more than $53 million since the 1990s from public funds through a secret bank account. While this story would seem like an isolated incident, the truth is, fraud is more widespread than you might think. According to a just-released report, “2012 Report to the Nations - Association of Certified Fraud Examiners, Inc.," the cost of fraud amounts to $3.5 trillion on a global scale. Their findings also bring to light that 20 percent of fraud cases are for an amount greater than $1.0 million. The data included in the 2012 report indicates that the most frequent type of fraud is asset misappropriation at approximately 86 percent, while corruption equates to around 33 percent, and financial statement fraud is approximately 8 percent. The public sector ranks second in frequency by industry with a median loss of $100,000, while banking holds the top spot with an average of $232,000 in losses. These findings show that no organization is safe from the harmful effects of fraud and stress the importance for organizations to create a fraud risk assessment plan and to ensure that proper internal controls are in place.
Fraud risk assessment
No matter how small the municipality, internal controls need to be in place! It is beneficial for the organization to implement internal control processes that will provide reasonable assurance regarding the achievement of objectives, effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
The first step for a governing body is to complete a fraud risk assessment of their organization. This risk assessment should include such things as:
- Identify where fraud could occur (e.g., decentralized departments).
- What could go wrong (financial risk, regulatory risk, compliance with laws and regulations)?
- What is the likelihood that something could go wrong?
- What is the potential magnitude (high, medium, low)?
- What internal controls already exist?
- Are the internal controls functioning?
- What new internal controls should be put in place (need to consider cost v. benefit)?
Our experience is that governments have not taken this very important first step.
A resource for you is the internal control framework that has been established by COSO (Committee of Sponsoring Organizations). This framework stresses the importance of board and council involvement. Management also plays a key role. The "tone" at the top is critical for implementation and ongoing assessment of any risk assessment program. These key players must be involved in ensuring that the organization’s policies, procedures, and mission are followed.
According to COSO, there are five elements of the COSO control framework:
- Control Environment - Foundation, discipline, and structure of internal control system
- Risk Assessment - Identification and analysis of risks by management
- Control Activities - Policies, procedures, and practices to carry out management objectives
- Information and Communication - Support all other control components by communicating control responsibilities to employees
- Monitoring - External oversight of internal controls by management and other parties outside the process
What have we seen?
We have seen the following instances of fraud through the lens of an auditor: employees writing checks to themselves, purchasing equipment for personal use, credit card abuse, wire abuse, missing cash, and fictitious vendors, to name a few. These all resulted from breakdowns in, or a lack of, segregation of duties.
On the employee level, distinguishable factors lead to fraud. The first one is pressure to commit fraud, possibly due to an economic factor (such as debt, gambling, substance abuse, etc.). The second criteria involves an opportunity where an individual has access to cash and the ability to conceal abuse of that access. The last factor is rationalization, e.g., the employee can justify their decision to commit fraud. For example, this can occur if the employee is unhappy and feels that the organization has committed an injustice to them by not properly compensating them for their work.
Top control opportunities your organization should be implementing
There are many internal control opportunities. The following is a partial list for your consideration:
- Multiple layers of approvals and signatures
- Require backup documentation
- Never pre-sign checks
- Segregation of duties (one individual should not be responsible for an entire financial transaction)
- Conduct background checks
- Fixed asset inventories
- Board/Council involvement/oversight
- Encourage whistleblowers
- Automated controls
- Educate employees using discussion of fraud risks and internal controls
While all of these items should be evaluated when implementing an effective internal control system, oftentimes budget constraints necessitate careful evaluation of the cost and benefit of each, then proceeding with what is realistic. The main objective should be to tailor your approach and reduce your risk to an acceptable level.
In addition, training on internal controls is important and should be rolled out to any employee who handles cash. Open communication between all levels is key. It is also important to document current policies and procedures to ensure consistency and provide a mechanism for monitoring. Documentation will provide the plan continuity for new personnel and guidance for current personnel. Remember, no plan is completely foolproof—nor will it completely eliminate your risk of fraud. However, taking a few steps can go a long way toward protecting your organization from fraud.