Many small governments suffer losses from theft since they lack a sufficient number of employees to segregate accounting duties. There are, however, steps you can take to protect your resources. In this post, I provide ideas for fraud prevention in small governments.
Most government officials don’t realize that external audits are not designed to detect immaterial fraud (immaterial can be tens of thousands of dollars – sometimes even more). Such officials incorrectly believe that a clean opinion means no fraud is occurring in their locale – this is a mistake. External financial statement opinion audits are not designed to look for fraud at immaterial levels. Even if your government has an external audit, consider implementing fraud prevention procedures.
In a typical small government accounting setting, the city of In Between (as in between two stop lights) (population 1,202) has a mayor and three council members. The city has one bookkeeper (we’ll call him Dale) who orders and receives all purchased items; he writes all checks, reconciles bank statements, and keys all transactions into the accounting system. Dale also receipts all collections and makes all deposits. Mayor Chester signs all checks (vendor and payroll). (In a long-standing tradition, the mayor also graces the city Christmas parade float as Santa Claus.) With so little segregation of duties, what can be done?
The smaller the government, the greater the need for fraud prevention – even if Santa Claus in involved. And yet, these are the governments that most often don’t have the resources–whether the money to pay for outside assistance or employees to segregate duties–to prevent fraud. Here are few ideas for even the smallest of governments.
Low-Cost Fraud Prevention
First, let’s look at low-cost fraud prevention options:
Have all bank statements mailed directly to Mayor Chester who will open and inspect the bank statement activity before providing the bank statements to Dale; alternatively, provide online access to Mayor Chester who reviews bank statement activity and signs a monthly memo documenting his review
Once or twice a year, have council members pick two months at random (e.g., May and September) and review key bank statement activity (e.g., the operating and payroll accounts)
Once or twice a year, have council members randomly select checks (e.g., ten vendor checks and ten payroll checks) and review supporting documentation (e.g., invoices and time sheets)
Once or twice a year, have the mayor and council review receipt collections and related documentation (e.g., for two days deposits); agree receipts to bank deposits and to the general ledger
Provide monthly budget to actual reports to mayor and council
Provide monthly overtime summaries to mayor and council
Do not allow Dale to sign checks
Require two signatures on checks above a certain level (e.g., $5,000); have two of the council members (in addition to the mayor) on the bank signature cards; supporting documentation (e.g., invoice) should be provided to check signers for review
Require Mayor Chester and Dale to authorize any wire transfers
Have Dale provide the mayor with monthly bank reconciliations; the mayor should document (e.g., initial the reconciliation) his review
Don’t provide Dale with a credit card
If Dale is provided a credit card, provide him with one card; use a low maximum credit limit (e.g., $1,000); Dale’s credit card statements should be provided to the mayor when he signs the related check for payment
Use a centralized receipting location (if possible); receipts should always be written upon collection of a payment
Higher Cost Fraud Fraud Prevention
Now let’s examine some higher cost options (that are probably more effective):
Have an outside CPA or CFE map your internal control system and make system-design recommendations
Have an outside CPA or CFE make surprise unannounced visits (e.g., two per year) to examine the receipting system, payroll, and the payment system; at the beginning of the year, tell Dale that the surprise visits will occur (details of what will be tested should not be communicated to Dale)
Install a security camera to record all of Dale’s collection and receipting activity
Purchase fidelity bond to cover elected officials and Dale
Keep in mind that you can limit the cost of the outside CPA. The contract might read Surprise audit of vendor payments with cost limited to $1,500. Try to contract with a CPA or CFE with governmental experience. The surprise audits and the fidelity bond recommendations are, in my opinion, the most critical steps.
Some states like New York audit local governments for fraud; consequently, if your local government is frequently audited by a state agency, there may be less of a need to hire an outside CPA or CFE to perform fraud prevention procedures.
Additional Fraud Prevention Resources
Click here for a list of local government controls to consider.
The purpose of the standard is to improve the consistency and quality of forensic services provided by CPAs.
It appears the AICPA is being responsive to a growing demand for forensic services. A report created by IBISWorld (a market research firm) showed that employment in forensic accounting grew at an annualized rate of 18% from 2012 to 2017.
Services Covered by SSFS 1
SSFS 1 covers the following types of forensic services (per paragraph .01 of the proposed standard):
A legal opinion can not be provided regarding the occurrence of fraud, and
Forensic services can't be provided on a contingent fee basis
Why can't a member provide a legal opinion regarding fraud? The final determination of whether fraud exists is determined by the "trier-of-fact," according to paragraph .08 of the standard.
The standard would apply to all AICPA members, AICPA members firms, and employees of AICPA member firms.
Paragraph .03 of the standard states "the key consideration of this Statement's applicability is the purpose (e.g., Litigation or Investigation) for which the member was engaged." The applicability is not based on a particular service provided such as data analysis. But if data analysis, for example, is performed in relation to litigation or investigative services, then the statement would apply.
Understanding with Client
The understanding with the client regarding the nature, scope, and limitations of the services can be written or oral.
Chances are, theft is occurring in your business as you read this–or at least within the last thirty days. Those you trust may be taking you for a ride. That’s usually how fraud occurs. Therefore, you need to know how to prevent white-collar crime. Below I provide you with plenty of free understandable resources to help you stop fraud. Take a look.
White Collar Crime Happens!
For most organizations, it’s not a matter of if fraud will occur, it’s a question of how much will be taken. The Association of Certified Fraud Examiners’ biennial survey shows that the average business loses 5% of its revenues to fraud. Imagine adding that amount to your bottom line, because when theft occurs, your net income is reduced by the amount taken.
Learn About Fraud Prevention
Subscribe to get our latest weekly newsletter by email.
Success! Now check your email to confirm your subscription.
No One Steals from My Business
Most business owners, board members, governments, and nonprofits think “fraud may happen in other organizations, but not in our place.Our people are honest.” Well, let me say I’ve seen plenty of “honest” people steal.
In almost every fraud I’ve seen, the business owners and fellow employees are greatly surprised by the theft–usually by a trusted employee.
And these trusted people steal because they can. You may be thinking, “What?” Let me repeat, the reason people steal is because they can. In fraud prevention parlance, we call it “opportunity.”
And, how do trusted employees steal? Here’s the typical cycle:
We hire a likable, trustworthy person
The employee serves the organization well
He moves to higher positions (where he has greater opportunity to steal)
No one monitors the employee because he is honest–or at least, he appears that way
The employee believes he can steal without detection
Small amounts of money are taken to test the water
Larger amounts are taken when he is sure no one is watching
So, the employee goes from trusted employee to fraudster. The transformation occurs gradually. Then when the discovery of fraud occurs, everyone is shocked.
Examples of People Who Steal
And what kinds of trusted people steal?
I have seen the following individuals take money:
Chief executive officer
A lady who was dying
Swim club volunteer
Seminary Foundation employee
I could go on, but you get my point. People who we think would never steal, do.
So, how can we prevent–or at least lessen–the threat of fraud? Transparency is a key.
Transparency Lessens Fraud
If transparency is important, why don’t businesses create it?
Small businesses often lack the ability to segregate accounting duties, and this lack of segregation creates opportunities for theft. Why? One employee controls several critical accounting processes, resulting in the ability to steal without detection.
To lessen the possibility of fraud, we must create transparency in accounting processes. Employees are less likely to steal when their actions are visible to others. That’s why segregation of duties is necessary–more eyes see the accounting activity, making it more difficult for theft to occur without detection. Even if an organization has few employees, it’s possible to create transparency and lessen the threat of theft.
How CPA Hall Talk Helps
CPA Hall Talk is designed to provide you with fraud prevention information.
While I can’t visit everyone that needs fraud prevention assistance, I can provide (free) information about how theft occurs and how you can lessen the threat of fraud.
Here are some of my fraud prevention posts (each with a clickable link):
What is an auditor’s responsibility for detecting fraud? Today, I’ll answer that question.
Let’s take a look at the following:
Auditor’s responsibility for detecting fraud
Turning a blind eye to fraud
Signs of auditor disregard for fraud
Incentives for fraud
Discovering fraud opportunities
Inquiries required by audit standards
The accounting story and big bad wolves
Documenting control weaknesses
Brainstorming and planning your response to fraud risk
Auditor’s Responsibility for Detecting Fraud – AU-C 240
I still hear auditors say, “We are not responsible for detecting fraud.” But are we not? The detection of material misstatements whether caused by error or fraud is the heart and soul of an audit. So writing off our responsibility for fraud is not an option. We must plan to look for material fraud.
Audits will not, however, detect every material misstatement—even if the audit is properly planned and conducted. Audits are designed to provide reasonable assurance, not perfect assurance. Some material frauds will not be detected. Why? First, an auditor’s time is limited. He can’t audit forever. Second, complex systems can make it extremely difficult to discover fraud. Third, the number of fraud schemes—there are thousands—makes it challenging to consider every single possibility. And, finally, some frauds are so well hidden that auditors won’t detect them.
Even so, auditors should not turn a blind eye to fraud.
Turning a Blind Eye to Fraud
Why do auditors not detect fraud?
We don’t look for fraud because we don’t understand it
We disregard the importance of walkthroughs
We believe that auditing the balance sheet is enough
Think of these reasons as an attitude—a poor one—regarding fraud. This disposition manifests itself in the audit file with signs of disregard for fraud.
Signs of Auditor Disregard for Fraud
A disregard for fraud appears in the following ways:
Asking just one or two questions about fraud
Limiting our inquiries to as few people as possible (maybe even just one)
Discounting the potential effects of fraud (after known theft occurs)
Not performing walkthroughs
We don’t conduct brainstorming sessions and window-dress related documentation
Our files reflect no responses to brainstorming and risk assessment procedures
Our files contain vague responses to the brainstorming and risk assessment (e.g., “no means for fraud to occur; see standard audit program” or “company employees are ethical; extended procedures are not needed”)
The audit program doesn’t change though control weaknesses are noted
In effect, auditors—at least some—dismiss the possibility of fraud, relying on a balance sheet approach.
So how can we understand fraud risks and respond to them? First, let’s look at fraud incentives.
Incentives for Fraud
The reasons for theft vary by each organization, depending on the dynamics of the business and people who work there. Fraudsters can enrich themselves indirectly (by cooking the books) or directly (by stealing).
Fraud comes in two flavors:
Cooking the books (intentionally altering numbers)
Cooking the Books
Start your fraud risk assessment process by asking, “Are there any incentives to manipulate the financial statement numbers.” For example, does the company provide bonuses or promote employees based on profit or other metrics? If yes, an employee can indirectly steal by playing with the numbers. Think about it. The chief financial officer can inflate profits with just one journal entry—not hard to do. While false financial statements is a threat, the more common fraud is theft.
If employees don’t receive compensation for reaching specific financial targets, they may enrich themselves directly through theft. But employees can only steal if the opportunity is present. And where does opportunity come from? Weak internal controls. So, it’s imperative that auditors understand the accounting system and—more importantly—related controls.
Discovering Fraud Opportunities
My go-to procedure in gaining an understanding of the accounting system and controls is walkthroughs. Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging. So, we may have to “roll up our sleeves,” and “get in the trenches”—but the level of the challenge depends on the complexity of the business.
For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle; start at the beginning and follow the transaction to the end. Ask questions and note who does what. Inspect the related documents. As you do, ask yourself two questions:
What can go wrong?
Will existing control weakness allow material misstatements?
In more complex companies, break the transaction cycle into pieces. You know the old question, “How do you eat an elephant?” And the answer, “One bite at a time.” So, the process for understanding a smaller company works for a larger one. You just have to break it down—and allow more time.
Discovering fraud opportunities requires the use of risk assessment procedures such as observations of controls, inspections of documents and inquiries. Of the three, the more commonly used is inquiries.
Inquiries Required by Audit Standards
Audit Standards (AU-C 240) state that we should inquire of management regarding:
Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they know of any actual, suspected, or alleged fraud affecting the entity
For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures
Notice that AU-C 240 requires the auditor to ask management about its procedures for identifying and responding to the risk of fraud. If management has no method of detecting fraud, might this be an indicator of a control weakness? Yes. What are the roles of management and auditors regarding fraud?
Management develops control systems to lessen the risk of fraud.
Auditors review the accounting system to see if fraud-prevention procedures are designed and operating appropriately.
So, the company creates the accounting system, and the auditor gains an understanding of the same. As auditors gain an understanding of the accounting system and controls, we are putting together the pieces of a story.
The Accounting Story and Big Bad Wolves
Think of the accounting system as a story. Our job is to understand the narrative of that story. As we (attempt to) describe the accounting system, we may find missing pieces. When we do, we’ll go back and ask more questions to make the story complete.
The purpose of writing the storyline is to identify any “big, bad wolves.”
The threats in our childhood stories were easy to recognize—the wolves were hard to miss. Not so in the walkthroughs. It is only in connecting the dots—the workflow and controls—that the wolves materialize. So, how long is the story? That depends on the size of the organization.
Scale your documentation. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more details. By focusing on control weaknesses that allow material misstatements, you’ll avoid unneeded—and distracting—details.
Documenting Control Weaknesses
I summarize the internal control strengths and weaknesses within the description of the system and controls and highlight the wording “Control weakness.” For example:
Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have a check sent to that provider without anyone else’s involvement.
Highlighting weaknesses makes them more prominent. Then I can use the identified fraud opportunities to brainstorm about how theft might occur and to develop my responses to the threats.
Brainstorming and Planning Your Responses
Now, you are ready to brainstorm about how fraud might occur and to plan your audit responses.
The risk assessment procedures—discussed above and in my prior post—provide the fodder for the brainstorming session.
Armed with knowledge about the company, the industry, fraud incentives, and the control weaknesses, we are ready to be creative.
In what way are we to be creative? We think like a thief. By thinking like a fraudster, we unearth ways that stealing might occur. And why? So we can audit those possibilities. And this is the reason for the fraud risk assessment procedures in the first place.
What we discover in the risk assessment stage informs the audit plan—in other words, it has bearing upon the audit programs.
The Auditor’s Responsibility for Detecting Fraud – AU-C 240
In conclusion, I started this post saying I’d answer the question, “What is an auditor’s responsibility for detecting fraud?”
Hopefully, you now have a better understanding of the fraud-related procedures we are to perform. But to understand the purpose of these procedures, look at the language in a standard audit opinion:
The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the consolidated financial statements, whether due to fraud or error. In making those risk assessments,the auditor considers internal control relevant to the entity’s preparation and fair presentation of the consolidated financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion.
The purpose of fraud risk assessmentsis not to opine on internal control systems or to discover every fraud. It is to assist the auditor in determining where material misstatements—due to fraud—might occur.
Additionally, even well-performed audits will not detect all material fraud. As we saw above, some frauds are extremely difficult to detect. Audits are designed to provide reasonable assurance, not perfect assurance. The standard audit opinion states:
Our responsibility is to express an opinion on these financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.
In summary, the auditor should conduct the audit in a manner to detect material fraud. But it is possible that some material frauds may not be discovered.
The Why and How of Auditing: A Blog Series About Basics
Have you been following my series of posts: The Why and How of Auditing? If not, you may want to review the prior posts:
Also, subscribe (below) to my blog to receive future installments in this series (we have several more coming). This series is a great way for seasoned auditors to refresh their overall audit knowledge and for new auditors to gain a better understanding of the audit process.
Can you steal like a boss? White collar crime takes special skills and thoughts. Do you have what it takes? Here’s my tongue-in-cheek look at how I would steal.
Six Steps to Steal Like a Boss
To steal, I need to:
Have a Cause
Calm My Conscience
Develop My Plan
Execute My Plan
If Caught, Settle Out of Court
1. Be Believable
Look trustworthy. The more age, experience, and education I have, the better. The longer I work for the organization, the more I am trusted.
And while I’m at it, I’ll do what I can to move to positions of higher authority which will provide me with greater opportunities. Being in authority enables me to steal like a boss.
If possible, I will gain the ability to authorize or initiate purchases. Kickbacks (paid to those who authorize payments) are difficult to detect, even by professional fraud examiners, and the dollars can be significant. Like taking candy from a baby.
But before I steal, I need motivation.
2. Have a Cause
Any financial pressure will do–a gambling or drug habit, an affair, medical bills, or maybe I just want to appear more successful than I am. If I don’t have a need, I will create one. I am my own cause.
My unshareable need (cause) must not be known by others lest they suspect my need for cash.
One problem I must take care of before I steal is my conscience.
3. Calm My Conscience
I hate when that little voice starts talking: “Charles, you can’t do this. You’ll embarrass your wife.” It takes skill and fortitude, but I must calm my conscience. All the more reason to have a cause (see point 2.). The nobler I can make my reasons, the better. Something like, “I’ve earned this. The company should realize my greatness and provide me with appropriate compensation. I have three kids in college, and they need my support. You know I want to be a good provider for my family.”
I may need to start stealing borrowing or compensating myself in small amounts and then build up. Such wise reasoning will make it easier to calm my conscience.
Thinking correctly is important. When that little voice speaks, I will rephrase the words. I know I can. After all, I’ve done so for years.
Now I need to develop a plan.
4. Develop My Plan
I will pay attention to control weaknesses.
Our auditors have told us for years that we lack appropriate segregation of duties in regard to purchasing. Opportunity awaits.
If I am going to steal be compensated appropriately, I need to make it worth my while. Be bold. Think big. I have noticed that one of our key vendors has been very kind to me, a free week-long trip to Vegas for the last three years.
A key contract renewal is coming up. The vendor should be more generous to me. Besides, last year the CFO received a nicer trip than I did (two weeks in Austria). And bribes gifts don’t hurt anyone; the vendor pays for them (though I have noticed the vendor’s pricing seems to be increasing…actually, exploding).
It’s game time. I need to “just do it.” But how?
5. Execute My Plan
Take I must compensate myself in a steady under-the-radar kind of way. Most folks get greedy. I must be diligent to work in a measured way, not taking receiving noticeable amounts. Greed is my enemy. Excess might land me on the front page of the paper.
Also, I think I can steal borrow money from the receipts cycle since I am in charge of daily deposits and all related accounting duties. This might cost me my vacation though. I need to be on the job to continue to hide perform my duties. But if the funds taken compensation is enough, it might be worth it.
But what if my actions become known to others?
6. If I Get Caught, Settle Out of Court
If I am discovered someone notices that I have borrowed funds, then I may have to beg for forgiveness and promise to pay it back. And, of course, I need to make sure the company understands my concern for its reputation. News like this does not support the company’s mission statement: Honesty and Compassion for Those We Serve.
I don’t need a criminal record, especially if I need to steal borrow funds from my next employer. It is comforting to know that in many cases companies don’t prosecute for fear of public embarrassment.