Playing Monday Morning Quarterback and the Importance of Modernizing Internal Controls
By David Ross
Check tampering, theft of cash, inventory theft, expense reimbursement fraud, ransomware attacks, DDoS and TDoS attacks, vendor payment fraud, procurement fraud, account lapping, etc. These are just a handful of fraudulent schemes common to local government operations. There are dozens upon dozens of additional ones, and it seems like someone is always trying to steal from or otherwise cause harm to local government operations. Without updating and modernizing internal controls, employees in the organization might be able to commit occupational fraud, or they might unknowingly help facilitate an external fraud against the organization (phishing and spear phishing examples come to mind).
Assessing Fraud Risks
While you should always assess potential fraud risks during your planning phase for any engagement, it is equally important to consider an engagement that focuses solely on a comprehensive internal control and fraud risk assessment. Think about the last time you created an engagement plan to assess the organization’s fraud risks and internal controls from the perspective of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework. Technologies change, fraudsters adapt and become more sophisticated, and controls should be regularly updated. Ensuring your controls are modernized and your fraud risks assessed could keep the organization out of negative news headlines about a fraud event, or at least help reduce the severity of an incident that is already under way.
Your organization’s relationship with its internal control environment is just that—a relationship—and the effort you put into it could dictate the results you see. Sometimes these results are fine, but other times they are devastating. The negative ones might not reveal themselves for years because of the covert nature of fraud incidents. When they are revealed, they catch the organization’s senior officials off guard and often result in immediate changes to internal controls. Proactively addressing unknown weaknesses is an even better approach.
Finance and audit professionals understand the importance of internal controls. Most everyone likely thinks their controls are at least adequate, but unless you have recently assessed your entire control environment, you cannot have confidence in that belief. Unfortunately, the mindset of “everything must be okay since nothing has happened” has led to some devastating results for many local government organizations. Here are just three quotes taken from online articles showing interviews with government officials after the discovery of an embezzlement in their organizations:
Headline: Former Surprise employee stole $836,000
Quote: “It’s pretty embarrassing for the City to have that happen right under our noses” – City council member
Length of embezzlement: Approximately eight years
Source: AZcentral.com, April 27, 2016
Headline: Why was she hired? Was there oversight? Harrisburg officials tightening controls after $180k theft
Quote: “We were all shocked. Disbelief, disappointment. It was an overwhelming amount of emotion” – District spokesperson
Length of embezzlement: Approximately two years
Source: Pennlive.com, March 1, 2018
Headline: Columbia County Sheriff’s Office Employee Arrested after Embezzlement
Quote: “When Columbia County Commissioners realized that a long-term employee was embezzling funds, we were shocked. Our first thoughts were ‘how could this person, this trusted employee of 30 years, do this?’” – County Commissioner
Length of embezzlement: Approximately 16 years
Source: iape.org, May 3, 2018
No auditor, finance professional, local government manager, or elected official wants to be on the receiving end of any negative news headline, especially one so emotion-stirring as that of a local government fraud incident.
A Real Issue for Local Governments
According to the Association of Certified Fraud Examiners 2018 Report to the Nations, organizations that regularly assessed fraud risks and completed a formal fraud risk assessment saw a 50 percent reduction in the duration of a fraud event.¹ Organizations that did not regularly assess their risks and complete formal fraud risk assessments saw a 62 percent greater financial loss from fraud.
Why is a proactive approach to ensuring modern and comprehensive internal controls important if an annual auditor gives an unqualified opinion in the audit report and does not list any significant deficiencies or material weaknesses? The answer is simple. There have been hundreds of recent local government fraud cases, including ransomware attacks, vendor payment fraud schemes (fraudulent changes to a vendor payment account), and occupational fraud incidents in which government organizations lose millions—sometimes with a continuing fraud scheme occurring over the course of several years.
A data review from an internet search of known occupational fraud cases where government employees embezzled from their employer revealed that the employees who stole worked in a variety of classifications throughout the organization, that their ages generally were between 40 and 60, and that the dollar amounts embezzled were certainly enough to get the attention of the local citizenry (numerous cases over $100,000 and many in the millions of dollars). The most infamous known case is that of Rita Crundwell and the City of Dixon, Illinois, in which she embezzled $53.7 million over 20 years. These incidents occurred in local government organizations with professional finance staff and regular annual audits.
If you really want an eye-opener, consider typing into a search engine one of the following: city, county, or school district. Next to the term you just typed, add the word embezzlement, fraud, or scammed (e.g., “city scammed” or “county embezzlement”). Then click on the “news” link. You will be able to scroll through hundreds of known government incidents from recent years.
What Can You Do?
A comprehensive review of your organization’s fraud risks and internal control effectiveness should include analyses for over 200 areas across these main categories:
- Purchases, expenses, and vendor management
- Cash and cash handling
- Checks and check handling
- Financial controls
- Information technology
- Internal audit and analytics
- Human resources and payroll
It all comes down to protecting your organization’s finances, preserving public trust, and the importance of professionalism. Trusting employees is important; however, trust-but-verify is essential. According to a case study on the Dixon, Illinois embezzlement, the trust in the city’s embezzler was based on coworkers’ and others’ usual propensity to trust, which facilitated the opportunity to carry out such a crime over many years.²
Of the hundreds of preventive and detective internal controls that should be in place within a local government organization, here are some things that you should consider:
- Does your organization ensure all bank statements are reconciled within 30 days of receipt of the statement? Most do, but this is not only to help identify financial anomalies that need investigation, but also to use the Uniform Commercial Code to help protect your organization (U.C.C. Article 4 – Bank Deposits and Collections (2002) Part 4 Relationship Between Payor Bank and its Customer §4-406). Failure to discover and report unauthorized signatures or alterations to the bank within 30 days of receiving your bank statement could result in your organization’s inability to file a claim with its bank.
- Does your organization employ multifactor authentication for changes to established vendor payment accounts? Several local governments have recently been victimized by this fraud scheme. Requiring multifactor verification for any vendor payment change to an already established payment account is a way to reduce the risk that a fraudster will convince a local government employee to change a vendor’s bank account information, causing the local government to send an actual vendor’s payment to the fraudster. Multifactor authentication can occur in a variety of ways, and it requires the person requesting a change to existing bank account information to provide verification of who they purport to be. Examples of multifactor verification that can work in a local government setting include:
  - Using a third-party account verification service (to verify ownership of the newly changed account information).
  - Using a PIN, password, and/or security question that was established when the vendor initially sets up their information with the local government to verify identity.
  - Outgoing SMS messages or phone calls to a predetermined phone number, set up at the time the original account data was provided, for verification.
  - Using a branded form that they complete and return to you, having provided a secure password or details about prior payments received that only they should know.
  - Confirm data received on the branded ACH form by calling or emailing. Never hit “reply” to answer an email from a vendor wanting to modify their account information. Always type in the known vendor’s contact email address, and do not let it auto-populate in case a fraudster’s email is similar and is already in your system.
- Does your organization use Positive Pay or Payee Positive Pay? Most organizations use this technology, but if for some reason you are not familiar with it, check with your organization’s bank to see about how they can help protect your organization from check fraud.
- Have you considered the benefits of using Universal Payment Identification Codes (UPIC) to encrypt your organization’s bank account information and how the use of ACH blocks and filters can help reduce risk? The use of UPIC and ACH blocks and filters is an excellent way to help protect your organization’s finances from falling victim to payment fraud.
- Has your organization implemented any new technology recently? Implementation of new technology means a need to evaluate internal controls related to that technology. Failure to do so could leave your organization vulnerable to fraud.
Those are just five examples of areas of internal control risk. With hundreds of areas of preventive and detective controls to review, consider improving your relationship with your organization’s internal controls in these three ways:
- Follow the Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control Integrated Framework to assess your existing internal controls. This includes understanding each of the Framework’s five integrated components: control environment, risk assessment, control activities, information and communication, and monitoring activities. Weaknesses in any of these areas can create a situation in which you unintentionally facilitate someone’s ability to steal from your organization. Reducing the opportunity for someone to commit a fraud is one of the best actions you can take.
- Perform an annual fraud risk assessment for your entire organization, using the Framework to guide that assessment. Technologies change, fraud schemes become more elaborate, and your risk environment is fluid. An annual fraud risk assessment is not associated with any particular known fraudulent scheme but rather is a means for the government to assess its own risks, to discuss ways in which misconduct can occur, to determine the likelihood it will occur based on existing controls, to determine how significant it will be to the organization if something happens (in terms of both financial and reputational harm), and to identify areas in which additional controls might be appropriate (or conversely, existing controls are no longer necessary).
- Complete a comprehensive review of your internal controls, in all departments, at least every three years. Data show that those accused of government embezzlements work in a wide variety of departments in all types of job classifications. It is realistic to assume that employees in any job classification within your organization could steal from you. Asset misappropriation, fraud, embezzlement, time theft—none of it looks good to the public.
Internal controls are an ever-changing environment, and they deserve regular attention. It is OK to play Monday morning quarterback with how your organization protects itself from what seems like the countless different fraud risks that exist. While internal control and fraud risk assessments are time consuming and might not be viewed as “exciting,” you will be helping to protect your organization from those terrible news headlines that occur far too frequently.
About the Author
Dr. David M. Ross is a senior manager with the Matrix Consulting Group. He has investigated over 400 actual fraud cases, is a certified fraud examiner and a certified internal control auditor, and holds a COSO Certificate in Internal Controls. He completed Harvard University’s Senior Executives in State and Local Government program, and he has a Ph.D. in financial management with a dissertation in local government internal controls. He can be reached at 480-386-5344 or firstname.lastname@example.org.
1 Association of Certified Fraud Examiners (2018) Report to the Nations 2018 Global Study on Occupational Fraud and Abuse. Retrieved from: https://www.acfe.com/report-to-the-nations/2018/default.aspx.
2 Ross, D.M. (2016). A Case Study of Municipal Government Financial Management and Effective Internal Controls. Published in ProQuest #10092247.