Fraud: Who is responsible?

No organization is safe from fraud. In a recent report released by the Association of Certified
Fraud Examiners, the public sector industry ranks second in frequency of fraud with a median
loss of $100,000. The most common fraud schemes deal with misappropriation, or theft, of
assets. When it comes to the public sector, a variety of players are involved in the entitys
finances: the governing body, management, external auditors, and possibly internal auditors.
So why does fraud continue to occur, and who is responsible for preventing and detecting
fraud?
Back to basics
First, its important to remember the basics of fraud. Three factors are likely present for fraud
to occur:

Motive someone has a reason to steal

Rationalization someone determines that it is okay to steal

Opportunity someone can steal, potentially without detection

Motive and rationalization are factors that are beyond the control of management. These
factors are usually a result of outside influences, personal lives, and individual personalities.
Opportunity is the one factor that management can control; therefore, focus needs to be on
eliminating or reducing the opportunities to commit fraud.
Why are governments susceptible to fraud?
As noted earlier, the public sector ranks second in frequency of fraud when compared to other
industries. Governments continuously face pressures to keep costs down. Consequently, this
has the potential to reduce or eliminate the resources necessary to thoroughly assess the risks
of fraud and implement internal controls designed to reduce the risks of fraudinternal
controls such as segregation of duties.
Segregation of duties is key to protecting assets such as cash held in bank accounts. Adequate
segregation of duties separates the authorization, processing, and custodial functions. With
current staffing levels at many small- to medium-size governments, completely segregating
these three functions can be very challenging, if not impossible. Budget constraints might get
in the way of adding personnel. Time constraints might be a barrier to adding responsibilities
to current personnel. Even in situations where assigned responsibilities are adequately
segregated, there are often instances where staff is performing conflicting functions due to
vacations, illness, and turnover.
A lack of segregation of duties requires the governing body to be more involved with a
governments day-to-day activities and provide more oversight to the finance and accounting
functions. However, elected officials often have full-time jobs or other commitments that take
time away from their board or council responsibilities. While elected officials bring a wide
array of skills and knowledge to a board or council, extensive experience with finance and
accounting that allows for effective oversight of financial management is not always present
at every government. Boards and councils also turn over on a regular basis, which likely

results in a learning curve for its newest members. As a result, governing bodies tend to be
more trusting of management and employees out of necessity.
Some governments have decentralized operations where departments separate from the
treasurer carry responsibility for the custody of assets. In many cases, the assets may be in the
form of a small checking accounts, petty cash, trust accounts, etc. Generally, segregation of
duties is less extensive in outlying departments, thereby exposing the government to certain
risks within those departments that are not under the control of the treasury or accounting
function where internal controls are present.
Who is responsible for preventing and detecting fraud?
According to the auditing standards, the primary responsibility for the prevention and
detection of fraud rests with the governing body and management. Managements
responsibilities include creating an environment where fraud is not tolerated, identifying risks
of fraud, and taking appropriate actions to ensure that controls are in place to prevent and
detect fraud. The governing body is responsible for ensuring that management is carrying out
the tasks assigned to them in relation to fraud risk and prevention, as well as understanding
the environment to determine if management can override or influence the controls in place.
If a government is able to allocate resources to establish an internal audit function, some of
managements responsibilities for the prevention and detection of fraud can be delegated to
internal audit. Internal auditors are generally well-versed in evaluating the potential and
probability of fraud, errors, or noncompliance and can review internal controls for
effectiveness. If internal audit is structured so that they report directly to the board or council,
they are considered to be independent of those in management and are not influenced or
threatened by management.
Many governing bodies for entities without an operating internal audit function rely on
management as well as the external auditors for fraud prevention and detection. While
external auditors are responsible for assessing fraud risk within an entity and performing
procedures to address those risks, they are only responsible under the auditing standards for
providing reasonable assurance that the financial statements are free from material
misstatement, whether due to fraud or error. External auditors use a series of tests, sampling,
and analytics to reach their conclusions; however, every transaction is not reviewed or
audited. Due to the complexity of most fraud schemes, it is more difficult for external
auditors to detect misstatements resulting from fraud than misstatements resulting from
errors. In fact, the Association of Certified Fraud Examiners reports that less than ten percent
of frauds are detected by the external auditors.
With these facts in mind, it is evident that management and the governing body retain the
largest share of the responsibility for the prevention and detection of fraud. All parties should
exercise skepticism and maintain a trust-but-verify attitude. Skepticism involves a
questioning mind, a search for knowledge, and understanding or establishment of
expectations. When expectations are not met, seeking a response that is understandable and
logical is an important step in fraud prevention. Identification of fraud risks and designing
procedures to mitigate those risks are critical to protecting both employees and financial
assets of governmental entities.

Fraud prevention and detection necessitate an ever-changing, multi-faceted process; however,

even small steps to improve controls can lead to positive results.
(http://www.bakertilly.com/insights/fraud-who-is-responsible)

Here is the Five-Step Approach:

Know the Exposures

Know the Symptoms of Occurrence
Be Alert for Symptoms and Behavior Indicators
Build Audit Programs/Detective Processes To Look for Symptoms
Follow Through on All Symptoms Observed
In my previous articles of this series, I have discussed the importance of understanding fraud
exposures and symptoms of occurrence, not just for auditors, but also for finance and
accounting managers seeking to prevent unnecessary losses in their areas of operation. Once
you understand the risks, then it is time to look for those symptoms.

Most auditors do not include fraud detection steps in their audit programs, either because they
have been taught it is not the auditors job to find fraud, or because their programs are so
loaded with tests of controls that they feel it would be too time-consuming to add procedures
to look for double endorsements on the backs of checks, or use data mining to locate the one
bank account with 17 electronic paycheck transfers into it every 2 weeks.

For auditors to find fraud, it is essential to include symptom detection in their audit programs.
Symptoms are not control weaknesses: just because a check lacks a proper signature does not
mean the check is fraudulent. On the other hand, every fraudulent disbursement or expense
report I have seen in my career had an approval signature on it. So audit programs which ask
the auditor to seek approval signatures are woefully inadequate in their ability to direct an
auditor towards fraud.

If you manage an operational or finance/accounting unit, then you can structure an

environment hostile to fraud by designing processes to detect fraud symptoms. Managers
generally understand how to establish preventative controls: approval signatures for checks
over a certain amount, requiring original receipts on expense reports, three-way matching
approved purchase orders to invoices to packing slips. But managers often overlook
processes to detect frauds after the perpetrator has run the gauntlet of front-end controls. It is
like a rancher who builds a fence around his livestock but has no way to catch the thief who
has jumped the barrier.

For those auditors and managers who believe their budgets cannot handle extra detective
procedures, I would advise them to scan their normal procedures, determine which have
generally been ineffective, and replace those with more effective detection procedures.

Following are some audit tests/detective processes designed to catch the symptoms discussed
in the previous article.

Show up at odd hours to a department that is reporting high overtime or payroll expenses
coming in over budget; observe whether people are present performing work and compare
that to the hours they report.

Review time reports for trends of steady, upward increases in overtime, particularly where
there is no corresponding increase in output or sales.

On construction projects that contain a right to audit clause in the contract, visit the vendor
site and review documentation for all indirect expenses which exceed a reasonable percentage
of total billings.

Perform a bid analysis of recent vendor bid requests, listing out the date the bid was received,
goods/services descriptions, and price per unit. Group the vendors by bid request, and look
for patterns in the bidding which would indicate one vendor received information the others
did not.

Talk with bid losers and ask them if their contact at your company offered any unusual terms
for favored status.

In locations suffering odd unexplained or "miscellaneous" losses, perform an inventory count

of portable/high demand items and reconcile with system balances.

Secretly install cameras at locations in which your company is experiencing unexplained

inventory losses. Review for direct evidence of theft. At a minimum, ensure that every
shipment out over a period of time is supported by proper documentation and that upper
management is aware of the shipments.

Of course, the descriptions of some of these tests are too general to properly implement, but
they should provide you with an idea about how to construct detective audit tests or
procedures within your own environment.

(https://www.irmi.com/articles/expert-commentary/five-step-approach-to-fraud-detectionnumber-4-build-audit-programs-detective-processes-to-look-for-symptoms)

Fraud should be detected by personnel in the normal course of performing their duties, if
strong controls exist. Internal auditors should have sufficient knowledge of fraud to ensure
that they may identify indicators that fraud might have been committed. If significant control
weaknesses are detected, additional tests conducted by internal auditors should include tests
directed toward identification of other indicators of fraud. Internal auditors are not expected
to have knowledge equivalent to that of a person whose primary responsibility is to detect
and investigate fraud. Audit procedures alone, even when carried out with due professional
care, do not guarantee that fraud will be detected

Who is responsible for detecting fraud?

Fraud should be detected by personnel in the normal course of performing their duties, if
strong controls exist. Internal auditors should have sufficient knowledge of fraud to ensure
that they may identify indicators that fraud might have been committed. If significant control
weaknesses are detected, additional tests conducted by internal auditors should include tests
directed toward identification of other indicators of fraud. Internal auditors are not expected
to have knowledge equivalent to that of a person whose primary responsibility is to detect
and investigate fraud. Audit procedures alone, even when carried out with due professional
care, do not guarantee that fraud will be detected.

(http://www.marquette.edu/riskunit/internalaudit/fraud.shtml)