Troylynn Robichaux, CPA, CIA

Just as with any other policy and procedure that organizations embark on, determining the best means in protecting its data must also consider costs/benefit factors. Data classification provides a means for organizations of mitigating the risks associated with data exposure, while weighing the costs of protecting it.  Specifically, data is categorized into certain levels and security controls are implemented based on the specified level.

This article provides some guidance in performing data classification.  The first step is to evaluate the data’s value by determining whether it’s valuable indefinitely or just for the short-term.  For example, an organization’s sensitive personnel records would need protection in the short and long-term.  However, daily timesheet logs may only need to be maintained for one pay-period at a time. Therefore, determining whether data is indispensable or not and if so, whether in the short or long run is imperative in determining its value to the organization.

The second step is determining the level of security needed based on the value of the data.  Therefore, the costs/benefit in protecting the data must be factored in as well.  Specifically, classifying all data as “highly protected” would be very costly to the organization while hindering employee production.  Therefore, the organization should weigh the effort and resources needed to protect data based on how important it is and the amount of risk the organization is willing to take.

After the organization performs the two steps described above, a framework can then be designed as part of the risk assessment process in protecting data.  The article provides a very useful tool in classifying data and the related controls to put in place.  This provides a cost effective means in evaluating data protection.

Troylynn Robichaux, CPA, CIA

This article illustrates how performing due diligence during the procurement process, and effective monitoring of the process, can ensure responsible spending of resources.  The overspending on services such as what is described in the article could also have been prevented by comparing what similar services cost in nearby area organizations.  Simply doing a little leg-work and requiring supporting comparison data in monitoring procurement procedures could save a lot of heartache in the long-run.

Troylynn Robichaux, CPA, CIA

We often forget about the importance of protecting information and the equipment it supports until a disaster happens.  Snow storms in the Mid-West, hurricanes in the Gulf-Coast, floods in Australia… all of these events could have a devastating impact on an organization’s most valuable product, its information.  This article lists some very valuable tips including designating a disaster recovery coordinator, identification of critical assets, testing and training, and other very useful guidelines in implementing a disaster recovery plan.

Leslie Wilks, CPA, CFE

The Association of Certified Fraud Examiners recently published the 2010 Report to the Nations on Occupational Fraud and Abuse. The statistics provided in the report give us important information about fraud trends over time and allow us to become better educated on how to prevent, deter and detect fraud within various types of organizations and industries. One statistic that I found interesting in the report is that 85% of the frauds in the study were committed by individuals who had never been charged or convicted for a fraud-related offense.  What this tells us is that oftentimes a person does not set out to commit fraud. They see the opportunity and realize that the organization has either weak internal controls, or even worse, no internal controls, and they proceed to defraud the organization.  The study also reports that on average, fraudulent schemes occur for 18 months before being detected.  Individuals who commit fraud typically start out small; they get away with either a few extra charges on the company credit card, or $20 “borrowed” from a deposit here and $50 there, oftentimes with the intent to pay it back.  Over time, as nobody seems to notice, they will try to get away with more and the small amounts become larger and eventually turn into thousands, even millions of dollars before being detected.

Another statistic in the report, one that has remained consistent with prior studies, is that individuals committing fraud will display behavioral warning signs.  Two of the most common red flags are living beyond one’s means and exhibiting control issues.  When an employee is committing fraud, they will tend to find excuses not to let someone else perform their duties, or refuse to take time off for extended periods.  It is important to note that in the summary of findings in the report, the study showed that anti-fraud controls appear to help reduce the cost and duration of occupational fraud schemes.  The report states “victim organizations with anti-fraud controls in place had significantly lower losses and time-to-detection than organizations without the controls.”

The report offers a fraud prevention checklist for organizations, which can be a useful tool in helping to understand and develop anti-fraud controls.  A copy of this checklist and the 2010 Report to the Nations on Occupational Fraud and Abuse can be found by clicking here.

Amanda Eaves CPA

According to the Association of Certified Fraud Examiners 2010 Report to the Nations “Small organizations are disproportionately victimized by occupational fraud. These organizations are typically lacking in anti-fraud controls compared to their larger counterparts, which makes them particularly vulnerable to fraud.”  These small businesses typically do not have the staff size to allow for adequate segregation of duties and therefore should put in place other controls to prevent or detect fraud.  Prevention of fraud is much less costly than recovering your losses.

One underutilized control is the surprise audit.  A fraudster is less likely to commit fraud when they are fearful of being caught.  The surprise audits should be conducted regularly although not scheduled and the areas reviewed should be varied according to risk.  There should be no advance notice given which could allow for the fraudster to alter, destroy, or misplace records and other evidence.

Some typically higher risk areas to look at and procedures to include in a surprise audit are as follows:

Cash Accounts

1. Are all cash accounts currently reconciled?  An un-reconciled cash account is fraught with risk for fraud.

- If you have old outstanding items on your reconciliation, investigate each of them to determine if they truly are outstanding and why.

- If there are journal entries showing up in the reconciliation, investigate those as they can be a sign of fraud.

2. Review all wire activity for a valid business purpose.

Accounts Payable

Are your vendors real or fictitious?

- Have someone who is very knowledgeable about the Company’s vendors and is outside of those responsible for authorizing, writing, or recording checks, review an annual check register and investigate any unfamiliar or unusual payees.

- Investigate non-payroll payments made directly to individuals involved in the cash and accounts payable function.

Accounts Receivable

Are your receivables real or fictitious?

- Review an accounts receivable aging report for reasonableness and consider confirming large balances with customers.

Also review accounts receivable account activity for unusual activity such as:

- Voided and reissued invoices which conceal overdue invoices as current.

- Journal entries other than the standard billing and cash receipt entries.

Payroll

- Review annual W-2 reports for any unfamiliar names.  Keep ghosts off of the payroll.

- Review changes to payroll master file information for selected periods.

Inventory

- Conduct a surprise count.  Misappropriation of assets is often offset by inflating reported inventory balances.

- Review general ledger activity and investigate entries other than for the purchase and sale of inventory.

Troylynn Robichaux, CPA, CIA

The accounting industry has long been an advocate for whistleblowing policies. Procedures such as anonymous call centers are thought to be an effective means of detecting and preventing fraud.  In addition, recent governmental regulations instituted by the SEC, including the Subtitle B, under the Dodd-Frank Wall Street Reform and Consumer Protection Act give actual monetary incentives that result from SEC enforcement.  The program allows persons who provide information which leads to a successful SEC enforcement to receive 10% – 30% of the monetary sanctions over $1 million. One would assume that emphasizing, both in the private and governmental sectors, mechanisms to encourage reporting of potential fraud matters would result in more effective fraud findings.  However, there has been some recent evidence questioning whether such policies and procedures are deemed credible and effective by the very individuals that oversee them.

Studies including “The Effects of Reputation Threat and Whistleblowing Report Source on Chief Audit Executives’ Investigation Decisions” (Guthrie 2008) and “Effects of Anonymous Whistleblowing and Perceived Reputation Threats on Investigations of Whistleblowing Allegations by Audit Committee Members” (Hunton and Rose, 2010) summarize chief audit executives’ and audit committee members’ perceptions and responses to whistleblowing reports.  It was determined that audit executives and audit committee members consider anonymous whistleblowing reports to be less credible than non-anonymous reports. The audit executives responded, however, that they are not influenced by whether the report is anonymous or not when deciding to investigate the report. The audit executives use this approach, despite that it may not be very effective.  According to the Guthrie study, of the forty-two audit executives participating in the study, they indicated that 65.8 percent of all reports were anonymous. However, they found only 28.1 percent of these anonymous reports to be valid and believed that 34 percent were actually valid. In contrast, the report on audit committee members’ responses to whistleblowing allegations by Hunton and Rose found that audit committee members tend to focus more of their efforts on non-anonymous reports. This leads to the question: are anonymous whistleblowing reports taken seriously?

Another interesting aspect of whistleblowing procedures is that the callers sometimes do not have the purest of intentions.  Specifically, many audit executives found instances of calls referencing personnel-related issues and using the hotlines for personal gain. This likely further influences the approach to anonymous versus non-anonymous reports.

Some may believe that the audit executives may be more effective in following-up with allegations of fraud as they tend to follow-up on more reports than the audit committee members. I believe, however, that with limited resources, the approach of the audit executives surveyed makes more sense because the credibility of anonymous reports is often questionable. However, anonymous reports should not be ignored.  A balanced approach, considering the assessed risk of the area in question and other background information (such as grievances among employees), could help focus the efforts of those charged with whistleblowing follow-up.

Celina Miller, CPA

As business officials scramble to keep their organizations afloat during these tough economic times, it’s easy to put things like fraud risk assessment on the back burner.  Cost-saving measures are critical, but it is necessary for business officials to assess the risk of fraud that could compromise an entity’s viability. There is no scientific proof of a direct correlation between an economic recession and fraud. However, a study released by the Association of Certified Fraud Examiners (ACFE) indicated that more than 80 percent of the Certified Fraud Examiners surveyed believe there is more fraud during economic hardships.

Why does this occur? There are so many people dealing with financial woes such as less income per household as spouses lose their jobs and home values that fall short of mortgage balances– just to name a few. As these factors become a bleak reality in employees’ lives, they will make it a priority to survive—whatever the cost. When an employee is faced with pressure, opportunity and the ability to rationalize a certain action, an entity is more susceptible to fraud.

Although it is saddening to see what some individuals are experiencing, the ACFE study states that organizations should take seriously the threat posed by employees. In other words, even when budget cuts are necessary, organizations should not reduce spending on fraud-related internal controls. The study also indicates that if your organization is planning a reduction in force, internal controls should be strengthened. More specifically, the ACFE states “employees who remain after a round of layoffs often experience decreased morale, which – when combined with the added job responsibilities of former colleagues, few formal controls, and an increased pressure to perform—can lead to the perfect storm for fraud.”

As such, organizations should place much emphasis on their fraud risk assessment process and ensure that controls are strong enough to weather this financial storm.

Troylynn Robichaux, CPA, CIA

Many organizations that lack a sizable accounting department have been plagued with control findings reported by their auditors.  The risk assessment audit requirements, including the Risk Assessment Suite of Standards, SAS 104 through SAS 111, and reporting findings requirements pursuant to SAS 115, have brought a heightened awareness to this issue.  Although it is true that smaller organizations are particularly challenged with implementing effective control procedures simply as a result of a lack of staff, I believe that executing sound controls is doable no matter what size the organization is.

Here are a few pointers in doing so:

A sound control environment begins with the organization’s leadership. It is crucial for the leadership of any organization to promote a culture in which providing accurate financial information, preventing fraud, and demonstrating ethical behavior is of the utmost importance.

Some think that the “Tone at the Top” is just accounting industry jargon, but this concept is imperative in supporting a strong control environment. Many employees are only going to do that which is perceived to be important to management.  If employees observe or even sense that management is rewarding inappropriate behavior, employees will be more likely to commit fraud and take short-cuts in control procedures.

Management should identify the areas and activities that pose the most risk financially and operationally.  By doing so, management will know where to focus its efforts in implementing the most effective controls.

When determining financial risk, management should consider current and projected balances, and groups of transactions with a high volume of activity.  For operational risk, management should determine the events that can result in the greatest risk of loss: disasters, legal matters, fire, hurricane or flood (the latter being very probable in the Gulf Coast area). Events that could impact the organization’s image and goodwill should also be considered. Forethought regarding such events by management of smaller organizations is particularly important as their impact could be very detrimental and recovery very difficult.

Ask, “What can go wrong given the control environment and procedures that are currently in place?” Management should then adjust/develop procedures accordingly, using practical and economical procedures that address what can go wrong.  Remember, arbitrary procedures are not controls.  They are just tasks that may cost time and money, yet don’t address the real risk at hand.

For example, in general, it’s a good segregation of duty that someone other than the AP clerk performs the bank reconciliation for the AP bank account.  However, if the person performing the bank reconciliation is just making sure that numbers “match” instead of focusing on the purpose and reasonableness of the transactions, there is room for fraud. If the AP clerk not only processes the checks, but can also change vendor information, make general ledger adjustments, and sign the checks (or have access to the “signature stamp”), who’s to say that the AP clerk won’t cut a few checks for $5,000?  In this scenario a mitigating control could be that someone other than the AP clerk maintains a log of the checks processed and any “missing” checks are properly traced and accounted for.  The person performing the bank reconciliation could also use this check log.

Consider involving other departments/individuals to assist with the control process. Such individuals can bring a different perspective and often ask “common-sense” questions regarding the process or transactions in which they may be involved.

For example, a board member may be assigned the duty to sign checks and review related documents. He/she can often see the big-picture regarding transactions and may be more apt to carefully review supporting documents that he/she is charged to sign-off on. The receptionist and other administrative staff can also be involved in control procedures.  There have been reports of very significant fraud occurring in organizations in which the receptionist or other administrators were not allowed to open the mail.  Directing administrative staff to open mail encourages a “full-disclosure” environment in an organization, which may reduce the temptation to commit fraud.

Consider auditor recommendations or other expert opinions. Let’s face it, as business leaders, no one wants their work to be commented on or scrutinized.  However, sound control procedures are for the betterment of the organization and comments provided by others should not be taken as management failure. In fact, seeking the expertise and insight of other professionals demonstrates a strong control environment in which management seeks to continue to improve the organization’s operations.  Therefore, recommendations made by auditors, consultants, and others can provide an enlightening perspective to strengthen the control environment.

This is not a once-a-year project.  Management should consistently evaluate controls and risk, particularly when there’s a change in business processes, procedures, and work environment.

Troylynn Robichaux, CPA, CIA

Click here to read about a corrections lieutenant that has been indicted on charges of financial fraud.

There are a few lessons to be learned from this situation.

#1- You can’t fully depend on others outside the organization to be a part of the organization’s control environment. (e.g. do we really think all bank tellers verify proper signatures on checks?).

#2- Hindsight is 20-20. Implementing and executing relatively simple controls could have avoided this situation.  For example, having the Accounts Payable Personnel match the invoices, purchase orders (to which in this case they would have found that there were none), and delivery receipts (or other notification that the goods, in this case ammunition, were received by the organization) before paying the line-of-credit. Doing this could have prevented the level of fraud committed here.  This may have saved the town of Berkley, MA the loss of money that the alleged crook inflicted and the embarrassment of the entire situation.

#3- Listen to your gut. I find it hard to believe that the alleged crook did not show indications that he was living the “high-life” at the expense of the City.  Did anyone notice the new items he purchased with the credit cards?  Did he brag about the home projects he started with the goods purchased at Lowe’s and Staples?  Did anyone not find his constant contact with the vendors suspicious?  I’m not suggesting to start doing surveillance 24-7 just because he mentions installing a new island in his kitchen.  However, following up on some suspicions when there are clues that something just isn’t right, by reviewing documents, inquiring of individuals involved in the purchasing process, etc. would have given cause to start the 24-7 surveillance in this case.