No organization is safe from fraud. In a recent report released by the Association of Certified Fraud Examiners, the public sector industry ranks second in frequency of fraud with a median loss of $100,000. The most common fraud schemes deal with misappropriation, or theft, of assets. When it comes to the public sector, a variety of players are involved in the entity’s finances: the governing body, management, external auditors, and possibly internal auditors. So why does fraud continue to occur, and who is responsible for preventing and detecting fraud?
Back to basics
First, it’s important to remember the basics of fraud. Three factors are likely present for fraud to occur:
- Motive – someone has a reason to steal
- Rationalization – someone determines that it is okay to steal
- Opportunity – someone can steal, potentially without detection
Motive and rationalization are factors that are beyond the control of management. These factors are usually a result of outside influences, personal lives, and individual personalities. Opportunity is the one factor that management can control; therefore, focus needs to be on eliminating or reducing the opportunities to commit fraud.
Why are governments susceptible to fraud?
As noted earlier, the public sector ranks second in frequency of fraud when compared to other industries. Governments continuously face pressures to keep costs down. Consequently, this has the potential to reduce or eliminate the resources necessary to thoroughly assess the risks of fraud and implement internal controls designed to reduce the risks of fraud—internal controls such as segregation of duties.
Segregation of duties is key to protecting assets such as cash held in bank accounts. Adequate segregation of duties separates the authorization, processing, and custodial functions. With current staffing levels at many small- to medium-size governments, completely segregating these three functions can be very challenging, if not impossible. Budget constraints might get in the way of adding personnel. Time constraints might be a barrier to adding responsibilities to current personnel. Even in situations where assigned responsibilities are adequately segregated, there are often instances where staff is performing conflicting functions due to vacations, illness, and turnover.
A lack of segregation of duties requires the governing body to be more involved with a government’s day-to-day activities and provide more oversight to the finance and accounting functions. However, elected officials often have full-time jobs or other commitments that take time away from their board or council responsibilities. While elected officials bring a wide array of skills and knowledge to a board or council, extensive experience with finance and accounting that allows for effective oversight of financial management is not always present at every government. Boards and councils also turn over on a regular basis, which likely results in a learning curve for its newest members. As a result, governing bodies tend to be more trusting of management and employees out of necessity.
Some governments have decentralized operations where departments separate from the treasurer carry responsibility for the custody of assets. In many cases, the assets may be in the form of a small checking accounts, petty cash, trust accounts, etc. Generally, segregation of duties is less extensive in outlying departments, thereby exposing the government to certain risks within those departments that are not under the control of the treasury or accounting function where internal controls are present.
Who is responsible for preventing and detecting fraud?
According to the auditing standards, the primary responsibility for the prevention and detection of fraud rests with the governing body and management. Management’s responsibilities include creating an environment where fraud is not tolerated, identifying risks of fraud, and taking appropriate actions to ensure that controls are in place to prevent and detect fraud. The governing body is responsible for ensuring that management is carrying out the tasks assigned to them in relation to fraud risk and prevention, as well as understanding the environment to determine if management can override or influence the controls in place.
If a government is able to allocate resources to establish an internal audit function, some of management’s responsibilities for the prevention and detection of fraud can be delegated to internal audit. Internal auditors are generally well-versed in evaluating the potential and probability of fraud, errors, or noncompliance and can review internal controls for effectiveness. If internal audit is structured so that they report directly to the board or council, they are considered to be independent of those in management and are not influenced or threatened by management.
Many governing bodies for entities without an operating internal audit function rely on management as well as the external auditors for fraud prevention and detection. While external auditors are responsible for assessing fraud risk within an entity and performing procedures to address those risks, they are only responsible under the auditing standards for providing reasonable assurance that the financial statements are free from material misstatement, whether due to fraud or error. External auditors use a series of tests, sampling, and analytics to reach their conclusions; however, every transaction is not reviewed or audited. Due to the complexity of most fraud schemes, it is more difficult for external auditors to detect misstatements resulting from fraud than misstatements resulting from errors. In fact, the Association of Certified Fraud Examiners reports that less than ten percent of frauds are detected by the external auditors.
With these facts in mind, it is evident that management and the governing body retain the largest share of the responsibility for the prevention and detection of fraud. All parties should exercise skepticism and maintain a trust-but-verify attitude. Skepticism involves a questioning mind, a search for knowledge, and understanding or establishment of expectations. When expectations are not met, seeking a response that is understandable and logical is an important step in fraud prevention. Identification of fraud risks and designing procedures to mitigate those risks are critical to protecting both employees and financial assets of governmental entities.
Fraud prevention and detection necessitate an ever-changing, multi-faceted process; however, even small steps to improve controls can lead to positive results.