

Page 1: Fraud Risk Questionnaire - CD - Roselli, Clark & …roselliclark.com/wp-content/uploads/2016/09/MMAAA-Fraud... · Web viewThis questionnaire was developed to assist your municipality

Massachusetts Municipal Fraud Risk Assessment

PAYROLL

6-2016

This questionnaire was developed to assist your municipality in identifying fraud risks within the payroll business cycle. This questionnaire is intended to cover many of the more significant areas of fraud risk that are inherent with the typical Massachusetts municipality’s payroll cycle. Each municipality is unique and therefore this questionnaire cannot be relied upon to address 100% of your municipality’s fraud risks within this business cycle. However, you can use the concepts contained within this questionnaire to expand its scope to specific fraud risk areas within your municipality.

Definitions of Fraud

Fraud is a broad legal concept and generally can be defined as any intentional act committed to secure an unlawful gain. Within municipalities, fraud is primarily seen in the areas of theft, misappropriation of assets, embezzlement and corruption.

Occupational fraud, often referred to as employee dishonesty, is the use of one’s employment to commit fraud for personal enrichment through the intentional misuse or abuse of his/her employer’s resources and assets.

Fraud Risk Assessment in an Internal Control System

Fraud risk assessment is a critical component in any internal control system. Internal controls consist of several interrelated components that, when operating effectively, provide the Town reasonable assurance that it not only meets its strategic and operational business objectives, but also its financial reporting and compliance objectives. This process is driven by the Town’s governing bodies and management and executed each day by departments like yours.

The most widely adopted internal control methodology used by organizations throughout the world is referred to as the COSO framework. The COSO framework was originally published in 1992 and, after several updates, was last updated in 2013. The COSO framework contains five key components or principles:

1) Control environment; 2) Risk assessment; 3) Control activities; 4) Information and communication; 5) Monitoring activities.

Effective fraud risk assessment takes place at (i) the entity level, (ii) the process level and (iii) the account level.

Entity level fraud risks relate primarily to the fraud risks present within a municipality as a whole. In assessing entity level fraud risks, we generally look closely at the overall ethical tone of the municipality, or its control environment.

Account level and process level fraud risks are essentially one and the same for the purposes of this business cycle specific fraud risk assessment. These are fraud risks that are specific to the payroll business cycle.

1


I. Fraud Risk Assessment at the Entity Level

The Control Environment is best described as the organization’s culture and is often referred to as the “tone from the top.” Does your municipality promote ethical behavior? How are the values of the municipality’s governing board, manager or administrator and elected/appointed board perceived by its residents, taxpayers, vendors and employees? Oftentimes, these values are communicated through handbooks, trainings, the municipal website, and staff and department meetings. The most effective means of communicating these commitments is leading by example.

A series of questions will be posed below. Indicate your response with an “x” or a check mark and, if yes, document the control in place in the space provided (examples have been provided for your reference). If you indicate no to any of the questions below, determine whether this is a significant gap that needs to be filled. If so, you have a deficiency that needs remediation.

Our Culture | Yes | No | Describe the Control(s) in Place

1. Do the Town’s governing body and its management demonstrate a commitment to integrity and ethical behavior by their day-to-day activities?

Examples of controls in place to support this may include:

- Formal code of ethics policy posted on Town website.

- A fraud policy has been adopted and clearly defines fraudulent activities.

- Periodic ethics trainings conducted at all levels of Town management.

- Bi-annual state mandated ethics training and testing is communicated to all employees and board/committee members; and the Town has mechanisms in place to monitor compliance and follow up.

- Conflicts of interest statements are required for all Selectmen and department heads.

- Employees are required to sign an acknowledgement that the Town’s code of ethics was provided to them and that they understand it.

- Town executive and operations management’s response to fraud when discovered sets the tone for zero tolerance of such behavior.

2. Does the Town have a mechanism for employees to anonymously raise concern regarding ethics, fraud or questionable business activities?

RCA2015-06-15


Examples of controls in place to support this may include:

- A fraud policy has been adopted and prohibits retaliation against whistleblowers.

- A confidential whistleblower hotline has been established.

- Signs are posted in all common employee areas like break rooms and cafeterias with the IG’s fraud hotline number.

- Employees should be educated as to the long-term benefits of exposing or identifying possible fraud vs. the short-term convenience of not communicating what they witnessed.

- Management demonstrates a willingness and openness to listen to employee concerns about potential fraudulent behavior.

3. Is there a protocol for handling confidential complaints?

Examples of controls in place to support this may include:

- A fraud policy has been adopted that prohibits retaliation against whistleblowers and details to whom and how complaints are addressed and investigated.

4. Have duties and responsibilities of each employee been clearly described to them?

Examples of controls in place to support this may include:

- Job descriptions have been provided to each employee.

- Each employee receives an annual performance review, which is included as part of their personnel file.

- Departments periodically conduct meetings to organize resources, communicate goals and provide instruction.

5. When making new hires, does the Town perform sufficient background checks on the potential new hire’s professional history, technical knowledge, and skills?

Examples of controls in place to support this may include:

- Job descriptions are provided to each job candidate.

- Resumes and/or job applications are reviewed by all involved in hiring decisions.

- References are contacted and discussions are documented.

- CORI checks are performed for required employees and considered for all employees.

- Credit checks are performed for all employees in financial or managerial positions that have direct access to budgets.

- An online background check service is utilized to identify potential issues not disclosed by the candidate or references.


6. When promoting from within, does the Town promote the most qualified and capable candidate?

Examples of controls in place to support this may include:

- Job descriptions are provided to each job candidate.

- Past performance reviews are reviewed and updated prior to promotion.

- Proper evaluation is made as to whether the municipality (not the employee) is best served by seniority based hiring versus merit based hiring.

- Candidates for promotion are interviewed in a similar fashion as external candidates.

7. Does the Town adequately compensate employees in order to retain and attract qualified individuals?

Examples of controls in place to support this may include:

- HR and department heads evaluate salary levels based on surrounding towns and other benchmarks.

- Executive management understands the functions, time commitments, and office challenges of management personnel so as to properly and fairly evaluate their value to the community as they perform their job functions.

- Avenues of training and goal attainment exist for employees to improve their skills and job commitment in the performance of their duties.

8. Does the Town have a process to identify incompetent or ineffective employees?

Examples of controls in place to support this may include:

- Each employee receives an annual performance review, which is included as part of their personnel file.

- Does the Town have a standard (but adaptable by department) performance checklist available to department heads and supervisors to assist in fairly evaluating an employee?

- Underperforming employees are placed on notice and provided a plan for improvement.

- Educational or training programs are made available to increase an employee’s skill levels to a productive level.

- Adequate policies and procedures exist to guide prompt and effective action when an employee is deemed unable to properly and knowledgably perform their assigned tasks.


9. Are there consequences for employees who commit fraud and are those consequences fair and consistent?

Examples of controls in place to support this may include:

- A fraud policy has been adopted that clearly details the ramifications and penalties to those caught defrauding the Town.

- Signs are posted in common areas requesting that employees confidentially report fraud and that the Town will prosecute to the fullest extent of the law.

- The Town sets a zero tolerance tone towards fraud; thereby, inherently deterring employees from considering or following through on fraud, as their risk of getting caught and penalized is believed to be too high if perpetrated.

- The Town promptly terminates employees caught stealing from the Town and when appropriate, communicates the Town’s actions to employees through formal communications to deter future events.

10. Do employees in key “trust areas” within the Town show “red flags” that may suggest a change in personal or financial situations?

Examples of controls in place to support this may include:

- Recognition that age, experience, and seniority of personnel are not preventive controls of fraudulent activities.

- Management has been trained to recognize “red flags”.

- Management understands that such “red flags” demand their additional attention (talk with employee; quietly perform additional, periodic checks for errors or inconsistencies in work performed, etc.).

- Employees are required to perform their functions only during normal office hours.

- Personnel involved in money handling procedures are required to take at least a week of vacation annually.

- All employees should be required to provide adequate cross-training of their duties to an assigned backup (a lack of willingness to show others how to perform their job tasks may be a “red flag” to cover improper activities).

- Unannounced monitoring by manager while financial procedures are performed (for all employees).

- Supervisor periodically evaluates an employee’s work and ascertains if they can re-create the work, and arrive at the same result without any unexplainable anomalies.


11. Is there an annual, thorough review for inefficient or deficient processes within the offices that could lead to fraud or errors in transactional processing?

Examples of controls in place to support this may include:

- Recognition that age, experience, and seniority of personnel are not preventive controls of fraudulent activities.

- Employees are encouraged to provide suggestions or feedback as to how their work could be performed better.

- Management has annual meetings with software vendors to identify new or improved options in electronic processing software that are available to be implemented or could be requested for improvement.

- Employees are adequately trained to understand why or for what purpose they are performing certain duties.

12. Does management contemplate the risks associated with electronic processing (including those through the Internet)?

Examples of controls in place to support this may include:

- Employees are trained in how to identify or avoid electronic intrusions or “attacks” on their workstations or through external communications (e-mail, phone, web browsing, etc.).

- Town has staff, or hires an information technology consultant, to periodically evaluate system weaknesses.

- Intrusion detection and prevention software is installed on workstations, and that software is updated regularly.

- Strong password formats are required and are periodically required to be changed.

- Employees understand the importance of not sharing passwords.

- System access restrictions are appropriate for the duties performed – no more, no less.

- Persons no longer employed immediately have their electronic systems access terminated across all electronic processing platforms.

- Adequate lines of communication exist for employees to address any access issues with IT personnel (prevents the need for the employee to find “other ways”).

- System reports include highly sensitive personal information data fields, but that information is partially hidden or blocked on printouts (e.g., social security number: xxx-xx-1234).


II. Fraud Risk Assessment at the Process Level – Payroll

The municipality’s key objective is to provide municipal services to its residents today and in the future and to safeguard its assets. To do so, the municipality’s operating plan calls for continued revenue growth and cost management. The municipality is subject to many risks in connection with this operating plan – some internal and some external. The process by which these risks are analyzed is referred to as Risk Assessment.

A series of control statements will be posed below. These control statements are specific to the business cycle identified above. Areas in which no control is in place may indicate that there is a gap in your internal controls that needs to be filled.

Common Fraud Risks With Payroll Database Management | Control(s) in Place (Yes/No) | Are the Controls Communicated | Are the Controls Being Followed | Are the Controls Being Monitored | How Often Are Controls Being Monitored

13. Inappropriate segregation between hiring managers and those in charge of inputting personnel data into payroll system.

Unauthorized additions to payroll (i.e., new hires); pay rates may be falsified in the payroll system; or payroll payments may be re-routed to incorrect bank account(s) or addresses.

In an optimal environment, HR specialist(s) update payroll master files for new hires, terminations, promotions, pay raises and contractual changes. In many municipalities, this is done by the payroll clerk. In that case, mitigating controls like the review of audit reports/change logs need to be employed.

If applicable, describe the control(s) in place.

14. Access to payroll database is uncontrolled.

Controlling access to the master payroll database prevents unauthorized parties from making fraudulent changes to the employee list or payroll data. Strong computer and application access controls are needed (e.g., strong passwords, digital certificates and other IT security controls).

If applicable, describe the control(s) in place.

15. Access within payroll system is uncontrolled.

User rights and permissions are properly established and set.

If applicable, describe the control(s) in place.


Common Fraud Risks With Payroll Database Management (Cont.) | Control(s) in Place (Yes/No) | Are the Controls Communicated | Are the Controls Being Followed | Are the Controls Being Monitored | How Often Are Controls Being Monitored

16. Multiple authorized employees have not been cross-trained on maintaining the payroll database.

Having a single authorized party responsible for maintaining the payroll database exposes the Town to risk. Cross-training is needed, and periodic transfer of duties in this area, particularly during a mandatory vacation period, lends itself to better internal control.

If applicable, describe the control(s) in place.

Common Fraud Risks With Payroll Processing | Control(s) in Place (Yes/No) | Are the Controls Communicated | Are the Controls Being Followed | Are the Controls Being Monitored | How Often Are Controls Being Monitored

17. Payroll data is inaccurately input into the payroll system.

Few municipalities have a truly integrated time reporting system. Most towns will have employees complete time sheets; department heads review and approve the time sheets; and an employee in treasury or accounting inputs the data into the payroll system. There is a risk that the payroll hours input into the payroll system are inaccurate, either due to human error or fraud. To prevent this, one or more of the following can be employed:

- Pre-filled payroll input sheets that have authorized employees for each department and their pay rates printed automatically out of the payroll system master database.

- Batch/hash total comparisons can be used.

- The final payroll register can be reviewed and reconciled to control totals by an appropriate level of management (i.e., Treasurer, Accountant, Finance Director ...).

- Current payroll amounts and number of payees should be compared to the previous payroll and differences documented and investigated.

- Budget to actual reviews are performed timely by department heads and senior Town management.

If applicable, describe the control(s) in place.


Common Fraud Risks With Payroll Processing (Cont.) | Control(s) in Place (Yes/No) | Are the Controls Communicated | Are the Controls Being Followed | Are the Controls Being Monitored | How Often Are Controls Being Monitored

18. Generation and tracking of hourly employees’ hours worked.

A variety of options exist for how municipal departments can track employee hours worked. Much of the time, there is no all-encompassing solution that would work efficiently and effectively for all departments. The key is to evaluate the system(s) in place within each department and ascertain if it is the best (and most cost beneficial) solution that can be utilized.

- Some small departments may work fine just maintaining a hand-written log on a calendar.

- Others may be able to utilize a generic electronic worksheet to track basic hours for each departmental employee.

- Finally, some departments have numerous hourly employees who may receive different types of compensation and need their hours segregated in more detail. Such departments should likely be utilizing a formal time tracking software-based system.

- If time clocks are used, what safeguards are in place to prevent falsifying of payroll hours (i.e., punching in/out at incorrect times or having another employee sign in or out for them)? Consider PIN codes or fingerprint scanners as security options for entering data into the time clock.

If applicable, describe the control(s) in place.

19. Overtime, holiday and other similar payroll items are improperly processed.

Analysis of payroll data versus union contracts/Massachusetts employment laws should be performed periodically. Processes should be in place for specific and notated authorization by department heads for overtime pay submitted. Follow up is made for overtime that is reported for a salaried employee or someone that doesn’t typically receive overtime.

If applicable, describe the control(s) in place.

20. Vacation, sick and other authorized, compensated absences are not processed.

Excluding vacation/sick hours from timesheets results in the accumulation of these compensated absences and unjust enrichment on the part of the employee. To prevent this, one or more of the following can be employed:

- Review of time sheet submissions by department heads to properly identify such errors, whether by fraud or oversight.

- Systems should be in place to accurately track the accumulation and use of vacation/sick hours. Data is important for persons exiting employment that qualify for payment of unused compensated absences and for reporting of liabilities on the annual audited financial statements.

- Those responsible for the tracking of this data should also be familiar with the various union contract parameters and Town policies that govern vesting time, carryover time limits, and pay rate limits.

- Understand the risks involved if a community provides a “bonus” for not taking sick days all year, and an employee requests reclassification of previously submitted sick days to be vacation days.

If applicable, describe the control(s) in place.

21. Payroll is paid to invalid employees.

Payroll may be processed to ghost employees. To prevent this, one or more of the following can be employed:

- Periodic review of payroll registers versus employee records should be performed in high risk departments that operate outside the town hall.

- Use of pre-filled system reports of employees within the payroll database for approval each pay period.

- Comparison may be made to health insurance records.

- Compare SSNs, addresses and bank routing numbers for duplicates.

- Regular budget to actual reviews should be performed by department heads and senior management.

- Require annual check/check stub pickup in person.

If applicable, describe the control(s) in place.
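As an added example, not part of the questionnaire or its authors' material, the following Python implements the register analytics named in items 17 and 21: batch/hash control totals, a comparison of the current payroll register to the previous period's, and duplicate checks on SSNs, addresses and bank routing/account numbers. The register rows, names and identifiers are constructed sample data; it is assumed that a real payroll export has first been mapped into the PayLine record.

```python
"""Payroll register analytics for the controls in items 17 and 21 (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PayLine:
    """One payroll register row; the fields are the ones item 21 says to compare."""
    emp_id: str
    name: str
    ssn: str        # constructed placeholder values, not real SSNs
    address: str
    routing: str    # bank routing number (constructed, not a real ABA number)
    account: str    # bank account number (constructed)
    dept: str
    gross: float


# Constructed sample registers for two consecutive pay periods: fictional people,
# made-up identifiers. CURRENT_REGISTER seeds three exceptions worth a follow-up.
PRIOR_REGISTER = [
    PayLine("1001", "A. Adams", "000-00-1001", "1 Main St", "000000001", "55501", "DPW", 1800.00),
    PayLine("1002", "B. Brown", "000-00-1002", "2 Elm St", "000000001", "55502", "DPW", 1750.00),
    PayLine("1003", "C. Clark", "000-00-1003", "3 Oak St", "000000002", "77703", "Police", 2400.00),
    PayLine("1004", "D. Diaz", "000-00-1004", "4 Pine St", "000000002", "77704", "Police", 2450.00),
]
CURRENT_REGISTER = [
    PayLine("1001", "A. Adams", "000-00-1001", "1 Main St", "000000001", "55501", "DPW", 1800.00),
    # gross pay up 50% with no new hire or promotion on record
    PayLine("1002", "B. Brown", "000-00-1002", "2 Elm St", "000000001", "55502", "DPW", 2625.00),
    PayLine("1003", "C. Clark", "000-00-1003", "3 Oak St", "000000002", "77703", "Police", 2400.00),
    # direct-deposit account changed between periods
    PayLine("1004", "D. Diaz", "000-00-1004", "4 Pine St", "000000002", "99904", "Police", 2450.00),
    # new payee whose address and bank account match an existing employee's
    PayLine("1009", "E. Evans", "000-00-1009", "2 Elm St", "000000001", "55502", "DPW", 1500.00),
]


def find_duplicates(register, *fields):
    """Group payees that share the same value(s) for the given field(s).

    Any group with more than one employee ID is a duplicate-SSN, shared-address or
    shared-bank-account candidate that a person should resolve against HR records.
    """
    groups = defaultdict(list)
    for line in register:
        groups[tuple(getattr(line, f) for f in fields)].append(line.emp_id)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def batch_totals(register):
    """Control totals for a payroll batch: record count, gross dollars, and a hash
    total (the sum of employee IDs, a meaningless figure that must simply match
    the same total computed from the approved input sheets)."""
    return {
        "count": len(register),
        "gross": round(sum(line.gross for line in register), 2),
        "hash_total": sum(int(line.emp_id) for line in register),
    }


def compare_periods(prior, current, gross_threshold=0.10):
    """Period-over-period exceptions: payees added or dropped, gross pay that moved
    by more than gross_threshold, and changed direct-deposit routing/account."""
    before = {line.emp_id: line for line in prior}
    after = {line.emp_id: line for line in current}
    exceptions = {
        "new_payees": sorted(set(after) - set(before)),
        "dropped_payees": sorted(set(before) - set(after)),
        "gross_changes": [],
        "bank_changes": [],
    }
    for emp_id in sorted(set(before) & set(after)):
        old, new = before[emp_id], after[emp_id]
        if old.gross and abs(new.gross - old.gross) / old.gross > gross_threshold:
            exceptions["gross_changes"].append((emp_id, old.gross, new.gross))
        if (old.routing, old.account) != (new.routing, new.account):
            exceptions["bank_changes"].append(emp_id)
    return exceptions


if __name__ == "__main__":
    print("batch totals:", batch_totals(CURRENT_REGISTER))
    print("period exceptions:", compare_periods(PRIOR_REGISTER, CURRENT_REGISTER))
    for fields in (("ssn",), ("address",), ("routing", "account")):
        print("duplicates by", "+".join(fields), ":", find_duplicates(CURRENT_REGISTER, *fields))
```

Each exception is a lead for the department head or Treasurer to clear against HR and bank-change authorizations, not a finding by itself.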


Common Fraud Risks With Payroll Processing (Cont.) | Control(s) in Place (Yes/No) | Are the Controls Communicated | Are the Controls Being Followed | Are the Controls Being Monitored | How Often Are Controls Being Monitored

22. Outsourced payroll processor is not accurate, reliable or competent.

Many municipalities (particularly smaller ones) often outsource payroll processing.

- Trade references should be sought for strengths and weaknesses prior to engaging such vendors, and then constant comparison with peer groups also being serviced should be made to identify or pre-empt risks.

- Monitor and inquire about the payroll processing vendor’s ability to adapt to emergency situations or to the unexpected loss of key person(s): how its system would be maintained and how the Town’s payroll would get processed.

- Payroll processing vendor should provide Service Organization Control (SOC) reports on the vendor’s internal controls relative to processing of Town payroll data.

If applicable, describe the control(s) in place.

23. Calculation of gross pay and withholdings is manual.

This risk likely affects only a small population of Massachusetts municipalities (if any). Standard algorithms within automated payroll systems (internal and outsourced) perform significant payroll calculations to mitigate the risk of error, whether due to human error or fraud.

If applicable, describe the control(s) in place.

24. Inappropriate segregation between those inputting and processing payroll data and those reconciling payroll in the accounting system.

The employee processing payroll should not be the same person reconciling payroll bank or general ledger accounts.

If applicable, describe the control(s) in place.


Common Fraud Risks With Payroll Disbursement | Control(s) in Place (Yes/No) | Are the Controls Communicated | Are the Controls Being Followed | Are the Controls Being Monitored | How Often Are Controls Being Monitored

25. Payroll checks are internally prepared and are endorsed with a signature chip/digital file that is embedded in printer.

Many payroll systems have the ability to print manual checks on a dedicated printer that has a signature card. As a result, any check printed is, for banking purposes, authorized. To prevent this, one or more of the following can be employed:

- A check log is maintained to account for the sequence of payroll checks issued.

- Blank payroll check stock is maintained securely in the Treasurer’s Office with access limited to those authorized.

- What segregations exist between those processing payroll versus those who print and distribute payroll checks?

- The printer with the signature chip/file is located in an office that provides for adequate segregation of duties and internal controls (in recent years convenience to employees has won over maintaining adequate internal controls).

- Payroll cash accounts are timely reconciled.

- Subscribe to the bank’s “positive pay” program.

- All manual payroll checks are hand signed.

- Mandate direct deposit as the only method of distributing payroll.

If applicable, describe the control(s) in place.

26. Reconciliation of various payroll processing reports to payroll warrant amounts and general ledger withholding accounts.

Because of the increasing difficulty in the processing of payroll as a result of various different withholding and deduction options, payroll disbursement methodologies, and differences in cash requirements as a result of the timing of payments to withholding based vendors, it has become a temptation to only review and verify portions of the various payroll processing reports and not validate and obtain an understanding of the whole amount of payroll transactions being processed:

- Payroll warrant totals should equal the gross payroll being posted to the various general ledger payroll expense accounts, plus the employer’s portion of Medicare and in some cases the Town’s portion of health and other insurance costs when using a Health Trust Fund for self-insured payroll. Avoid basing the payroll warrant on the amount of cash processed; instead base it on the actual expenses posted to the general ledger.

- Perform a monthly reconciliation of the various payroll withholding account balances on the general ledger to validate that the liability balances represent the accurate amount of withholdings and deductions awaiting payment to applicable vendors.

If applicable, describe the control(s) in place.
