Category Archives for "Fraud"

how to audit property
Mar 28

City Manager Pockets Cash from the Sale of Excess Property

By Charles Hall | Asset Misappropriation

The Theft

Is it possible to convert large pieces of excess property to cash–all without anyone knowing? Apparently yes.

Two men, Alfred Ketzler (the city manager) and Alfred Fabian, were found guilty of wire fraud and theft from the city of Tanana, Alaska.

Illegal sales of government property

Picture is courtesy of AdobeStock.com

Department of Justice Indictment Press Release

So what happened?

First, the Department of Justice stated “Ketzler would acquire surplus federal property that was stored at several different locations without notifying the mayor of Tanana or the city council for the city of Tanana of the federal excess and surplus property obtained on behalf of the city of Tanana.”

The Department of Justice went on to say “that Fabian, for his part, would transport federal excess and surplus property obtained on behalf of the city of Tanana to storage locations in and around Fairbanks, Alaska, including his own residence.”

Finally, the indictment stated that once the excess property was received, Ketzler would sell the equipment to individuals and businesses, telling them the property belonged to the City of Tanana. He asked that the checks be made out to him personally. The indictment continued by saying Ketzler would deposit the checks in his personal account and make payments to Fabian.

The indictment stated that the men received approximately $122,000 in illegal funds.

The property sold included:

  • Trucks
  • Fork Lifts
  • Bulldozers
  • Other industrial equipment

Department of Justice Sentencing Press Release

A June 2014 Department of Justice press release stated:

Anchorage, Alaska – U.S. Attorney Karen L. Loeffler announced today that two Fairbanks men were sentenced on Friday, June 6, 2014, in federal court in Fairbanks after being found guilty of wire fraud and theft from a local government receiving federal funds.

Alfred Richard Ketzler, Jr., also known as “Bear” Ketzler, 57, of Fairbanks, Alaska, was sentenced to 16 months in prison to be followed by two years of supervised release by Chief U.S. District Court Judge Ralph R. Beistline. Ketzler pled guilty in March 2014. Ketzler has already paid restitution to the City of Tanana in the amount of $116,500.

Alfred McQuestion Fabian, 62, of Fairbanks, Alaska, was sentenced to six months in prison to be followed by two years of supervised release by Chief U.S. District Court Judge Ralph R. Beistline. Fabian pled guilty in March 2014.

The Weakness

The city may have had appropriate inventory controls (the DOJ press releases did not say). Most noteworthy, this case appears to reflect a circumvention of controls. The city manager had the power and ability to consummate transactions that were (apparently) not recorded on the city’s records. The indictment states that Ketzler did not provide the city with appropriate notice of the receipt and sale of the excess property. Also the payments received were not recorded on the city’s books.

The Fix

Organizations should do all they can in the hiring process to bring people in that are honest. How? Background checks and the calling of references are critical.

It is imperative that all property be included in inventory—as soon as title transfers to the city. And, obviously, all payments should be made to the city (in this case) and not to individuals. A receipt should be issued to the payor that details the reason for the payment, the amount, and who made it.

Segregation of Duties
Mar 21

Segregation of Duties: How to Overcome

By Charles Hall | Auditing , Fraud

Segregation of duties is key to reducing fraud. But smaller entities may not be able to do so. Today, I tell you how overcome this problem, regardless of the entity’s size. 

Segregation of Duties

The Environment of Fraud

Darkness is the environment of wrongdoing.

Why?

No one will see us. Or so we think.

Fraud occurs in darkness.

In J.R.R. Tolkien’s Hobbit stories, Sméagol, a young man murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring and Sméagol’s hiding of self and his precious (the ring) transforms him into a hideous creature–Gollum. I know of no better or graphic portrayal of how that which is alluring in the beginning, is destructive in the end.

Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment where fraud happens.

What’s the solution? Transparency. It protects businesses, governments, and nonprofits.

But while we desire open and understandable processes, our businesses often have just a few employees that perform the accounting duties. And, many times, no one else understands how the system works.

It is desirable to divide accounting duties among various employees, so no one person controls the whole process. This division of responsibility creates transparency. How? By providing multiple eyes to see what’s going on.

But this segregation of duties is not always possible.

Lacking Segregation of Duties

Many small organizations lack appropriate segregation of duties and believe that solutions do not exist or that they are too costly. But is this true? I don’t think so.

Here’s two easy steps to create greater transparency and safety.

1. Bank Account Transparency

First, consider this simple control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.

Persons who might receive the bank statements first (before the bookkeeper) include the following:

  • A nonprofit board member
  • The mayor of a small city
  • The owner of a small business
  • The library director
  • A church leader

What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).

In many small entities, accounting processes are a mystery to board members or owners. Why? Only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.

Relying on a trusted bookkeeper is not a good thing. So how can you shine the light?

Fraud Prevention

Picture courtesy of DollarPhoto.com

Allow a second person to see the bank statements.

Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.

Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person. And let the bookkeeper know.

Even the appearance of transparency creates (at least some) safety. Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of a review enhances safety. I am not recommending that the review not be performed. But if the bookkeeper even thinks someone is watching, fraud will lessen.

When you audit cash, see if these types of controls are in place.

Now, let’s look at the second step to overcome a lack of segregation of duties. Surprise audits.

2. Surprise Audits

Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs). They involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such a review can be contracted out to a CPA. Or they can be performed by someone in the company. For example, a board member.

Segregation of Duties

Picture courtesy of DollarPhoto.com

Additionally, adopt a written policy stating that the surprise inspections will occur once or twice a year.

The policy could be as simple as:

Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.

Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be examined but distinct enough that a regular review occurs. 

Surprise Audit Ideas

Here are some surprise audit ideas:

  • Inspect all cleared checks that clear a particular month for appropriate payees and signatures and endorsements
  • Agree all receipts to the deposit slip for three different time periods
  • Review all journal entries made in a two week period and request an explanation for each
  • Inspect two bank reconciliations for appropriateness
  • Review one monthly budget to actual report (look for unusual variances)
  • Request a report of all new vendors added in the last six months and review for appropriateness

The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not get caught.

I will say it again. Having multiple people involved reduces the threat of fraud.

Segregation of Duties Summary

In summary, the beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement. Even so, they are powerful. So shine the light.

What other procedures do you recommend?

For more information about preventing fraud, check out my book: The Little Book of Local Government Fraud Prevention.

auditing for fraud
Feb 23

Auditing for Fraud: The Why and How

By Charles Hall | Auditing , Fraud

Auditing for fraud is important, but some auditors ignore this duty.

So what is an auditor’s responsibility for detecting fraud? Today, I answer that question in light of generally accepted auditing standards in the United States. We’ll look specifically at AU-C 240, Consideration of Fraud in a Financial Statement Audit.

Here’s an overview of this article:

  • Auditor’s responsibility for detecting fraud
  • Turning a blind eye to fraud
  • Signs of auditor disregard for fraud
  • Incentives for fraud
  • Discovering fraud opportunities
  • Inquiries required by audit standards
  • The accounting story and big bad wolves
  • Documenting control weaknesses
  • Brainstorming and planning your response to fraud risk 

Auditor’s Responsibility for Detecting Fraud – AU-C 240

I still hear auditors say, “We are not responsible for detecting fraud.” But are we not? The detection of material misstatements whether caused by error or fraud is the heart and soul of an audit. So writing off our responsibility for fraud is not an option. We must plan to look for material fraud.

Audits will not, however, detect every material misstatement—even if the audit is properly planned and conducted. Audits are designed to provide reasonable assurance, not perfect assurance. Some material frauds will not be detected. Why? First, an auditor’s time is limited. He can’t audit forever. Second, complex systems make it extremely difficult to discover fraud. Third, the number of potential fraud schemes (there are thousands) makes it challenging to consider all possibilities. And, finally, some frauds are so well hidden that auditors won’t detect them.

Even so, auditors should not turn a blind eye to fraud.

Turning a Blind Eye to Fraud

Why do auditors not detect fraud?

Think of these reasons as an attitude—a poor one—regarding fraud. This disposition manifests itself in the audit file with signs of disregard for fraud.

Signs of Auditor Disregard for Fraud

A disregard for fraud appears in the following ways:

  • Asking just one or two questions about fraud
  • Limiting our inquiries to as few people as possible (maybe even just one)
  • Discounting the potential effects of fraud (after known theft occurs)
  • Not performing walkthroughs
  • We don’t conduct brainstorming sessions and window-dress related documentation
  • Our files reflect no responses to brainstorming and risk assessment procedures
  • Our files contain vague responses to the brainstorming and risk assessment (e.g., “no means for fraud to occur; see standard audit program” or “company employees are ethical; extended procedures are not needed”)
  • The audit program doesn’t change though control weaknesses are noted

In effect, auditors—at least some—dismiss the possibility of fraud, relying on a balance sheet approach.

So how can we understand fraud risks and respond to them? First, let’s look at fraud incentives.

Incentives for Fraud

The reasons for theft vary by each organization, depending on the dynamics of the business and people who work there. Fraudsters can enrich themselves indirectly (by cooking the books) or directly (by stealing).

Fraud comes in two flavors:

  1. Cooking the books (intentionally altering numbers)
  2. Theft

Two forms of fraud: Auditor's Responsibility for Fraud

Cooking the Books

Start your fraud risk assessment process by asking, “Are there any incentives to manipulate the financial statement numbers.” For example, does the company provide bonuses or promote employees based on profit or other metrics? If yes, an employee can indirectly steal by playing with the numbers. Think about it. The chief financial officer can inflate profits with just one journal entry—not hard to do. While false financial statements is a threat, the more common fraud is theft.

Theft

If employees don’t receive compensation for reaching specific financial targets, they may enrich themselves directly through theft. But employees can only steal if the opportunity is present. And where does opportunity come from? Weak internal controls. So, it’s imperative that auditors understand the accounting system and—more importantly—related controls. 

Discovering Fraud Opportunities

My go-to procedure in gaining an understanding of the accounting system and controls is walkthroughs.  Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging. So, we may have to “roll up our sleeves,” and “get in the trenches.” 

For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle; start at the beginning and follow the transaction to the end. Ask questions and note who does what. Inspect the related documents. As you do, ask yourself two questions:

  1. What can go wrong?
  2. Will existing control weakness allow material misstatements?

In more complex companies, break the transaction cycle into pieces. You know the old question, “How do you eat an elephant?” And the answer, “One bite at a time.” So, the process for understanding a smaller company works for a larger one. You just break it down and allow more time.

Discovering fraud opportunities requires the use of risk assessment procedures such as observations of controls, inspections of documents and inquiries. Of the three, the more commonly used is inquiries.

Inquiries Required by Audit Standards

Audit Standards (AU-C 240) state that we should inquire of management regarding:

  • Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
  • Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
  • Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
  • Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
  • The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they know of any actual, suspected, or alleged fraud affecting the entity
  • For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures

Notice that AU-C 240 requires the auditor to ask management about its procedures for identifying and responding to the risk of fraud. If management has no method of detecting fraud, might this be an indicator of a control weakness? Yes. What are the roles of management and outside auditors regarding fraud?

  • Management develops control systems to lessen the risk of fraud. 
  • Auditors review the accounting system to see if fraud-prevention procedures are designed and operating appropriately.

So, the company creates the accounting system, and the auditor gains an understanding of the same. As auditors gain an understanding of the accounting system and controls, we put together the pieces of a story.

The Accounting Story and Big Bad Wolves

Think of the accounting system as a story. Our job is to understand the narrative of that story. As we describe the accounting system in our work papers, we may find missing pieces. Controls may be inadequate. When they are, we ask more questions to make the story complete.

The purpose of writing the storyline is to identify any “big, bad wolves.”

The Auditor's Responsibility for Fraud - The Big Bad Wolves

The threats in our childhood stories were easy to recognize. The wolves were hard to miss. Not so in walkthroughs. It is only in connecting the dots—the workflow and controls—that the wolves materialize.

So, how long should the story be? That depends on the size of the organization. Scale your documentation. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more details. By focusing on control weaknesses that allow material misstatements, you’ll avoid distracting details.

But what if control weaknesses are noted?

Documenting Control Weaknesses

I summarize the internal control strengths and weaknesses within the description of the system and controls and highlight the wording “Control weakness.” For example:

Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have a check sent to that provider without anyone else’s involvement.

Highlighting weaknesses makes them more prominent. Then I can use the identified fraud opportunities to brainstorm about how theft might occur and to develop my responses to the threats.

Brainstorming and Planning Your Responses 

Now, you are ready to brainstorm about how fraud might occur and to plan your audit responses.

The risk assessment procedures provide the fodder for the brainstorming session. 

Armed with knowledge about the company, the industry, fraud incentives, and the control weaknesses, we are ready to be creative. 

In what way are we to be creative? Think like a thief. By thinking like a fraudster, we unearth theft schemes. Why? So we can audit those possibilities. This is the reason for risk assessment procedures in the first place.

What we discover in risk assessment informs the audit plan. In other words, it has bearing on what we do in the days ahead, in the substantive procedures we perform.

The Auditor’s Responsibility for Detecting Fraud – AU-C 240

In conclusion, I started this post saying I’d answer the question, “What is an auditor’s responsibility for detecting fraud?”

Hopefully, you now better understand fraud procedures. But to understand the purpose of them, look at a standard audit opinion:

The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the consolidated financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the consolidated financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion.

The purpose of fraud risk assessments is not to opine on internal control systems or to discover every fraud. It is to assist the auditor in determining where material misstatements—due to fraud—might occur.

Additionally, even well-performed audits will not detect all material fraud. As we saw above, some frauds are extremely difficult to detect. Audits are designed to provide reasonable assurance, not perfect assurance. The standard audit opinion states:

Our responsibility is to express an opinion on these financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.

In summary, the auditor should conduct the audit in a manner to detect material fraud. But it is possible that some material frauds will be missed, even when we perform the audit correctly.

The Why and How of Auditing: A Blog Series About Basics

Have you been following my series of posts: The Why and How of Auditing? If not, you may want to review the prior posts:

Also, subscribe to my blog to receive future installments in this series (I have several more coming). This series is a great way for seasoned auditors to refresh their overall audit knowledge and for new auditors to gain a better understanding of the audit process. Join now.

See my book The Why and How of Auditing on Amazon.

Oct 05

A Fraudster’s Refuge: The Appalachian Trail

By Charles Hall | Asset Misappropriation

Some fraudsters funnel money into fraudulent bank accounts. Today, I show you how one controller did so and walked away with millions.

A Fraudster's Refuge: The Appalachian Trail

 

The Theft

In May 2015 James Hammes was arrested for the theft of $8.7 million from his former employer, G&P Pepsi-Cola Bottlers. After Mr. Hammes was confronted about the theft in February 2009, he left his home and hid on the Appalachian Trail, which runs from Georgia to Maine. Hammes assumed a hiking name of “Bismarck” and spent several years on the popular trail. Fellow hikers enjoyed Bismarck since he seemed to be one of them.

How the Funds Were Stolen

The FBI reported the following:

Court documents show that Hammes’ embezzlement began around 1998. As a controller, he was responsible for all financial accounting and internal controls for his division, including supervising accounts payable to several hundred outside vendors. He carried out the fraud by establishing a new bank account for an existing vendor at a different bank. He then deposited hefty payments to that vendor—often $100,000 at a time—in the phantom account that he alone controlled. He then could transfer money from the phantom account to his personal accounts.

“He knew how to cover his tracks by manipulating audits and ledger entries,” Jones said. “He got away with it for so long because he knew how to manipulate his subordinates and how not to raise accounting red flags.”

So, Hammes opened a fraudulent bank account at another bank (one the company did not use) and deposited vendor checks into that account. Then he transferred funds out of the fraudulent bank account to himself.  Since he opened the account, he was the authorized check signer. Simple but effective.

The Weakness

If extra payments were made to vendors (and it appears that occurred), then the company may not have been reviewing vendor payments. If appropriate controls are not in place, it’s easy for a fraudster to make fraudulent vendor payments without detection, especially if hundreds of monthly checks are processed.

Also, it appears the company may have lacked sufficient segregation of duties since Hammes was able to disburse extra vendor payments without detection.

The Fix

Periodically, review the total payments made to each vendor. For example, generate the total monthly payments made to XYZ Company. Then compare the monthly payments over a two to three year period. If payments dramatically increase, then someone within the company may be making additional payments and stealing those checks. Or there may a legitimate reason for the increase. Either way, it’s wise to review vendor payments for anomalies. 

You might also contact your company’s bank (and other local banks) and ask for a list of accounts in your company’s name. Then compare that list to your general ledger to see if the accounts match. If mismatches are present (there’s bank account listed but no corresponding account in the general ledger), follow up to see why.

Positive pay is another strong payables processing control.

steps to prevent fraud
Aug 12

10 Powerful Steps to Reduce Fraud

By Charles Hall | Fraud

As businesses grow, the risk of theft increases. In this post, I offer ten powerful steps to reduce fraud.

Windows open. Curtains blowing. The sound of crickets and an occasional train in the distance. It was a simple childhood. It was my childhood. My mother parked her black Ford Falcon and left the keys in the ignition. The doors to our home were unlocked. We trusted our neighbors and they trusted us. And why would we not? We’d known each other forever.

steps to prevent theft

 

But then one night at the dinner table, my father said, “someone stole Miss Gussie’s Chevy.” Unthinkable. Our innocence was broken, and soon my mother took precautionary measures. Each evening, after parking, she would place the car keys under the car seat. No need to take chances. We began to close the windows at night, but still, the back door was left unlocked in case my father needed to go out for a smoke.

A couple of months later, I overheard my mother whispering to my grandmother that a man slithered into Miss Kidd’s house in the dead of night and had taken valuables. Miss Kidd lived diagonally from our home, just a stone’s throw away. To think that someone just walked–unannouncedinto the octogenarian’s home. How could this be?

Fear was palpable. Our neighborhood’s character shifted. No longer would Mom leave the keys in the car. No longer would we leave the windows open. No more cricket sounds. And my father even locked the back door.

Safely we would sleep, not because there were no threats, but because of protection.Continue reading

1 2 3 10
>