Real-World Perspective: How to Be an Effective Gatekeeper

Lisa Duke, CFE, CPA, MAFF

© 2015 Association of Certified Fraud Examiners, Inc.


New York State Comptroller’s Office

Email: [email protected]

Objective

Overview of auditors’ failure to detect fraud

Examples of auditors' failure to detect fraud (case studies)

Consequences of auditors failing to detect fraud

Deploying an effective fraud-detection model

Forensically accepted best practices of effective gatekeepers

Fraud Headlines

Audit Failures

Definition of audit failure:

• A U.S. Government Accountability Office study defined the term “audit failure,” in part, as “audits for which audited financial statements filed with the SEC contained material misstatements whether due to errors or fraud.”

Audit Failures

Definition of audit failure:

• An audit failure is a situation in which an audit wrongly states that a company’s accounts are correct when they contain mistakes or false statements.

• When an audit of a company’s financial records does not find things it should, there could be fraud.

• Basically, it is when the auditor “missed the boat.”

Arthur Levitt Jr., chairman of the Securities and Exchange Commission under President Bill Clinton, said in a speech at New York University in 1998 that corporate managers, auditors, and analysts were taking part in a “game of nods and winks.”

In a recent article, the Public Company Accounting Oversight Board’s chief auditor is quoted by The Wall Street Journal as saying, “When we look at an audit, the rate of failure has been in a range of around 35 to 40%.”

February 27, 2014 | CFO.com


Expectation Gap

Public Perception

Accounting standards should prevent fraud from going undetected.

Public is surprised that presumably the auditors followed the standards and still missed the fraud.

Case Studies in Fraud

Company | Year | Events
Zzzz Best | 1986 | Barry Minkow ran a Ponzi scheme.
Phar-Mor | 1992 | Fictitious inventory on the books to cover operating losses. Mail fraud, wire fraud, bank fraud.
Sybase | 1997 | Inconsistencies in profit reporting from overseas division.
Cendant | 1998 | SEC charge: Company deliberately and fictitiously manufactured about $500 million in fake revenues over a three-year period.
Waste Management, Inc. | 1999 | Inflated earnings
MicroStrategy | 2000 | Earnings manipulation
Unify Corporation | 2000 | Overstated sales and revenue
Computer Associates | 2000 | Inflated sales

Case Studies in Fraud 2001‒2002

Xerox, K-Mart, Enron, Adelphia, Bristol-Myers Squibb, Mirant, AOL, CMS, Halliburton, Merrill Lynch, Dynegy, El Paso Corp., Freddie Mac, Nicor, Homestores.com, ImClone Systems

Case Studies in Fraud

Company | Year | Events
Peregrine Systems | 2002 | Overstated sales
Qwest Communications | 2002 | Inflated revenues
Reliant Energy | 2002 | Round-trip trades
Sunbeam | 2002 | Overstated sales and revenues
Symbol Technologies | 2002 | Overstated sales and revenue
Tyco International | 2002 | Improper accounting
WorldCom | 2002 | Overstated cash flows
Royal Ahold | 2003 | Inflating promotional allowances
Parmalat | 2003 | Falsified accounting documents
Chiquita Brands International | 2004 | Illegal payments
AIG | 2004 | Accounting of structured financial deals
Bernard L Madoff | 2008 | Massive Ponzi scheme
Lehman Brothers | 2010 | Failure to disclose Repo 105 transactions to investors

Roslyn School District—OSC

Over $11 M of district funds were used for personal expenses.

Top-level managers—district superintendent, assistant superintendent (Gluckin) and account clerk (Gluckin’s niece)—overrode the system and processed payments outside the normal flow of transactions.

“The external auditors, the CPA firm that audited the district once a year, had conflicts of interest and performed an audit that was so flawed and so far below professional standards that it failed to identify the millions that were apparently misappropriated.” NYS Comptroller, 2005

A Clean Bill of Health from Auditors

How did the auditors miss detecting the fraud?

Are the auditors at fault for missing these massive frauds?

Did they look, but not deeply enough?

Are auditors in on the fraud, either looking the other way or actively helping clients hide the deception?

Reasons Why Audits Fail

Reliance on control system when controls are weak

Improper planning, including not revising audit plan after the initial assessment of fraud

Inappropriate methodology for selecting sample size

Lack of training and appropriate supervision

Audit team lacking in skill

Reasons Why Audits Fail

Not designing test to look for the fraud

Audit team not gathering sufficient appropriate evidence to support the basis of their conclusion

Lack of effective quality assurance at the audit shop

Audit staff failure to exercise due professional care

Relying on management information and lack of professional skepticism

Auditee-Related Reasons

Misapplying accounting policies

Collusion involving high-level officials who circumvent controls

Scope limitations

Audit impairments

Management not cooperative with the audit

Occupational Frauds

Occupational frauds can be classified into three primary categories:

1. Asset misappropriations

2. Corruption

3. Financial statement fraud

How Frauds Are Caught


Consequences of Audit Failures

Negative impact on investors’ confidence

Impact on our financial structure

Impact on government programs and service delivery—OSC case study of MTA. Fraud comes in all sizes and shapes.

Reputational harm to the audit firm

Legal and regulatory consequences

Expense associated with attempted recovery of stolen assets

Expense associated with investigation

New York State Comptroller Audit Report

Report on Preschool Audits Finds Fraud and Inappropriate Billing of $20 Million in Questionable Costs in 2014

About 81,000 preschool students with disabilities receive Special Education Itinerant Teacher (SEIT) services in New York, at an annual cost of $1.4 billion.

Services in New York are predominantly provided by for-profit and not-for-profit private contractors.

New York State Comptroller Audit Report

Eleven new audits identified:

More than $6.7 million in public funds that special education providers misspent or misused

Including cases of possible fraud that have been referred to law enforcement

The auditor’s responsibility is to provide reasonable assurance.

This is accomplished by reducing audit risk to appropriate levels. The auditor needs to keep detection risk low so that he or she can provide reasonable assurance.

The auditor may fail to detect material misstatements caused by fraud, but that does not preclude auditors from detecting fraud.

Effective Auditing

SAS 99, as Amended—AU Section 316

• Requires brainstorming sessions to discuss how and where the entity’s financial statements might be susceptible to material misstatement due to fraud

• Have the discussions of fraud at every stage of the audit.

• During the brainstorming sessions, auditors must exercise professional skepticism.

SAS 99, as Amended—AU Section 316

The standards require the following:

Obtain information from management and others within the organization.

Analytic procedures

Consideration of fraud risk factors

Other sources

Other High-Risk Areas

Consider the human dimension to fraud.

Remain objective with long-time clients.

Follow up on the gray area between legitimacy and outright fraud.

“Ask the final question and turn over the last rock,” –Frank Patone, OSC

Audit Example #1—Special Education Associates

Special Education Associates (SEA) is a for-profit provider based in Brooklyn.

For FY 2007‒08 and FY 2008‒09, SEA received $12.5 million in state money.

What the Auditors Missed

• Executive director essentially created a $150k/year no-show job for his wife, the assistant executive director.

• The assistant executive director had a full-time job at City University of New York.

What the Auditors Missed

DeptID | Pay Period End | Name | ID | Earn Code | Descr | Hours | Earnings | Earns Begin | Earns End
70 | 1/2/2008 | Name | # | RGS | Regular Pay Salary Employee | 80 | 3671.98 | 12/20/2007 | 1/2/2008
70 | 1/16/2008 | Name | # | RGS | Regular Pay Salary Employee | 80 | 3671.98 | 1/3/2008 | 1/16/2008
70 | 1/30/2008 | Name | # | RGS | Regular Pay Salary Employee | 80 | 3671.98 | 1/17/2008 | 1/30/2008
70 | 2/13/2008 | Name | # | RGS | Regular Pay Salary Employee | 80 | 3671.98 | 1/31/2008 | 2/13/2008
70 | 2/27/2008 | Name | # | RGS | Regular Pay Salary Employee | 80 | 3671.98 | 2/14/2008 | 2/27/2008
70 | 3/12/2008 | Name | # | RGS | Regular Pay Salary Employee | 80 | 3671.98 | 2/28/2008 | 3/12/2008
70 | 3/26/2008 | Name | # | RGS | Regular Pay Salary Employee | 80 | 3671.98 | 3/13/2008 | 3/26/2008
70 | 4/9/2008 | Name | # | RGS | Regular Pay Salary Employee | 80 | 3682.06 | 3/27/2008 | 4/9/2008
70 | 4/23/2008 | Name | # | RGS | Regular Pay Salary Employee | 80 | 3682.06 | 4/10/2008 | 4/23/2008
70 | 5/7/2008 | Name | # | RGS | Regular Pay Salary Employee | 80 | 3786.73 | 4/24/2008 | 5/7/2008
70 | 5/7/2008 | Name | # | RRS | Retro Regular Pay Salaried | 0 | 856.55 | 12/20/2007 | 4/23/2008
70 | 5/21/2008 | Name | # | RGS | Regular Pay Salary Employee | 80 | 3786.73 | 5/8/2008 | 5/21/2008
70 | 6/4/2008 | Name | # | RGS | Regular Pay Salary Employee | 80 | 3786.73 | 5/22/2008 | 6/4/2008
70070 | 6/18/2008 | Name | # | RGS | Regular Pay Salary Employee | 80 | 3786.73 | 6/5/2008 | 6/18/2008

What the Auditors Missed

Other Findings:

• Food and holiday gifts claimed as office supplies and postage

• Leased car for the assistant executive director, who was working elsewhere

• Paid 12-year-old granddaughter for clerical work and claimed her as an independent contractor instead of an employee, and therefore didn’t pay employment taxes.

Results

OSC audit team disallowed $324,881 for the assistant executive director’s salary for the two years, which we reported was fraudulently claimed.

There was another $225K since this fraud started. Executive director paid restitution.

Executive Director

• Pled guilty to one count of defrauding the government (felony)

• Sentenced to probation

Assistant Executive Director

• Pled guilty to offering a false instrument (misdemeanor)

Both are also barred from ever participating in an SED-funded program … for life.

Incorporate Emerging Technology

• Consider the cost/benefit trade-off in investing in fraud detection technology.

• Data analysis identifying anomalies and patterns may point to areas that are high-risk and may require closer attention.

• Team should have data analytics and computer forensic skills.

Audit Example #2—Lawrence Bruckner and Other Brooklyn Dentists

Result of Data Analysis

Audit of dental services provided to Medicaid patients

Should be for essential services only

Billings for services provided at two locations by six dentists

Received $6.9 million from Medicaid between January 2007 and June 2011

Fraud Detection with Data Analysis

Billed for duplicate procedures by different dentists

For one patient, two dentists did the same work on different days.

For another, two dentists provided services on the same day.

Poor-quality work

Unreadable or incorrect x-rays

Filled cavities rather than pulling teeth
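
The duplicate-billing test described on this slide, as an added example that is not part of the original presentation or the auditors' own tooling: it groups claim rows by patient, procedure code and tooth, flags groups billed by more than one provider, and separates the same-day pattern from the different-days pattern. The field layout, procedure codes and sample rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample claims, not data from the audit. Assumed layout:
# (claim id, patient, provider, procedure code, tooth, date of service).
CLAIMS = [
    ("C1", "P100", "D1", "D2392", "14", date(2009, 3, 2)),
    ("C2", "P100", "D2", "D2392", "14", date(2009, 4, 15)),  # same work, other dentist, later
    ("C3", "P200", "D3", "D2140", "30", date(2010, 6, 1)),
    ("C4", "P200", "D4", "D2140", "30", date(2010, 6, 1)),   # same work, other dentist, same day
    ("C5", "P300", "D1", "D2392", "3", date(2008, 1, 10)),
    ("C6", "P300", "D1", "D2392", "3", date(2010, 9, 20)),   # same dentist: not this test
    ("C7", "P100", "D2", "D2392", "15", date(2009, 4, 15)),  # different tooth
]


def find_cross_provider_duplicates(claims):
    """Return one finding per patient/procedure/tooth billed by 2+ providers."""
    groups = defaultdict(list)
    for claim_id, patient, provider, code, tooth, dos in claims:
        groups[(patient, code, tooth)].append((claim_id, provider, dos))

    findings = []
    for (patient, code, tooth), rows in sorted(groups.items()):
        providers = sorted({provider for _, provider, _ in rows})
        if len(providers) < 2:
            continue  # a single provider repeating work needs a separate test
        providers_by_day = defaultdict(set)
        for _, provider, dos in rows:
            providers_by_day[dos].add(provider)
        same_day = any(len(p) > 1 for p in providers_by_day.values())
        findings.append({
            "patient": patient,
            "code": code,
            "tooth": tooth,
            "providers": providers,
            "pattern": "same_day" if same_day else "different_days",
            "claims": sorted(claim_id for claim_id, _, _ in rows),  # pull these charts
        })
    return findings


if __name__ == "__main__":
    for finding in find_cross_provider_duplicates(CLAIMS):
        print(finding)
```

Each finding is a lead for chart review, not proof of fraud; the claim IDs tell the audit team which patient records and x-rays to request.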

Fraud Detection with Data Analysis

Of the $6.9 million paid to the six dentists, $2.3 million was considered possibly fraudulent.

One dentist pleaded guilty to numerous felonies.

Required to pay restitution

Attorney General may also pursue jail time.

Second dentist agreed to a civil settlement.

Establish an Ethical Culture

Areas to review:

Does the organization have a formal ethics and values policy?

Does the organization have an ethics officer?

Are employees continuously trained on ethics policies?

Does the internal audit plan include a review of the organization’s culture and ethical risks?

Establish an Ethical Culture

• Internal audit should work with senior management to make ethical behavior and tone at the top a priority.

• Ensure that members are held to the highest ethical standard as required by their organization’s Code of Professional Conduct (Code).

• The public must be confident that the profession can regulate itself.

Establish an Ethical Culture

• Have clearly defined expectations.

• Internal audit should make recommendations on the development of the governance framework.

• Establish a whistleblower hotline and periodically assess it.

• Gather information from all levels of the organization.

• This includes the tone in the middle and the tone at the top.

Effective Gatekeeping

Understand the complex organizations being audited:

• Know your client and the environment your client works in.

• What is your audit universe?

• What data can you capture from your universe that can be used for your analysis?

Effective Gatekeeping

• Schemes based on department

Different kinds of fraud risks might exist within the various departments of an organization.

By analyzing the types of schemes that occur in various departments, management and the audit department can develop controls to specifically address the highest fraud risks in any given area.

Tap into your valuable tool: experience gained through working in different areas of the business (and regions around the globe).


Identify High-Risk Areas

• Perform an annual update of the high-risk areas and develop an audit plan.

• Look beyond control weakness.

• Don’t look for process; instead look for outcomes.

• Look for the red flags. This may require a little digging.

• Look at areas where there are yearly repeats of deficient internal control.

Develop Fraud-Detection Audit Steps

• Design an environment hostile to fraud by implementing fraud-detection processes.

• Deploy an element of surprise in your audit program:

– For payroll fraud—Conduct analysis of highest overtime employees.

– Conduct site visits/observations at locations where employees are reporting high overtime to determine whether they are performing work during the time they are paid.

– For inventory checks—Do not share with the auditee the location for the inventory check.

– Look for transactions that are on the organization’s bank statement but should not be on the statement.

• Look for supporting transactions that should be there but are not.

Effective Audit Supervision

Have a subject matter expert on the audit team.

Train new auditors to review last year’s work papers and direct them to perform additional audit steps on the next audit.

Continuously train employees on potential fraud risk factors.

Have adequate staffing mix.

Conduct talent development, recruitment, and succession planning.

Maintain strong external relationships with other audit shops/organizations.

Other Areas for Effective Oversight

• Increasing the sample size may assist in detecting the fraud.

• Consider the impact time constraints can have on audit failure.

• Design the audit program to cover the established objectives.

Other Areas for Effective Oversight

Be mindful of the following:

• Creative or aggressive accounting techniques

• Income and expenses are free from manipulations.

• Manipulation or mismanagement of an organization’s earnings

• Financial statements and records are free of misstatement or omission.

• Make inquiries of management and others within the organization.

“It is true that you may fool all the people some of the time; you can even fool some of the people all the time; but you can’t fool all of the people all the time.”

‒Abraham Lincoln
