The most recent news headline from Dixon, Illinois, has pushed the issue of fraud in the public sector into the spotlight. To date, the prosecutors allege that the City comptroller stole more than $53 million since the 1990s from public funds through a secret bank account. While this story would seem like an isolated incident, the truth is, fraud is more widespread than you might think. According to a just-released report, “2012 Report to the Nations - Association of Certified Fraud Examiners, Inc.," the cost of fraud amounts to $3.5 trillion on a global scale. Their findings also bring to light that 20 percent of fraud cases are for an amount greater than $1.0 million. The data included in the 2012 report indicates that the most frequent type of fraud is asset misappropriation at approximately 86 percent, while corruption equates to around 33 percent, and financial statement fraud is approximately 8 percent. The public sector ranks second in frequency by industry with a median loss of $100,000, while banking holds the top spot with an average of $232,000 in losses. These findings show that no organization is safe from the harmful effects of fraud and stress the importance for organizations to create a fraud risk assessment plan and to ensure that proper internal controls are in place.
No matter how small the municipality, internal controls need to be in place! It is beneficial for the organization to implement internal control processes that will provide reasonable assurance regarding the achievement of objectives, effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
The first step for a governing body is to complete a fraud risk assessment of their organization. This risk assessment should include such things as:
Our experience is that governments have not taken this very important first step.
A resource for you is the internal control framework that has been established by COSO (Committee of Sponsoring Organizations). This framework stresses the importance of board and council involvement. Management also plays a key role. The "tone" at the top is critical for implementation and ongoing assessment of any risk assessment program. These key players must be involved in ensuring that the organization’s policies, procedures, and mission are followed.
According to COSO, there are five elements of the COSO control framework:
We have seen the following instances of fraud through the lens of an auditor: employees writing checks to themselves, purchasing equipment for personal use, credit card abuse, wire abuse, missing cash, and fictitious vendors, to name a few. These all resulted from breakdowns in, or a lack of, segregation of duties.
On the employee level, distinguishable factors lead to fraud. The first one is pressure to commit fraud, possibly due to an economic factor (such as debt, gambling, substance abuse, etc.). The second criteria involves an opportunity where an individual has access to cash and the ability to conceal abuse of that access. The last factor is rationalization, e.g., the employee can justify their decision to commit fraud. For example, this can occur if the employee is unhappy and feels that the organization has committed an injustice to them by not properly compensating them for their work.
There are many internal control opportunities. The following is a partial list for your consideration:
While all of these items should be evaluated when implementing an effective internal control system, oftentimes budget constraints necessitate careful evaluation of the cost and benefit of each, then proceeding with what is realistic. The main objective should be to tailor your approach and reduce your risk to an acceptable level.
In addition, training on internal controls is important and should be rolled out to any employee who handles cash. Open communication between all levels is key. It is also important to document current policies and procedures to ensure consistency and provide a mechanism for monitoring. Documentation will provide the plan continuity for new personnel and guidance for current personnel. Remember, no plan is completely foolproof—nor will it completely eliminate your risk of fraud. However, taking a few steps can go a long way toward protecting your organization from fraud.