Fraud Risk Questionnaire - CD - Roselli, Clark



Massachusetts Municipal Fraud Risk Assessment
CASH RECEIPTS
6-2015

This questionnaire was developed to assist your municipality in identifying fraud risks within the cash receipts business cycle. This questionnaire is intended to cover many of the more significant areas of fraud risk that are inherent with the typical Massachusetts municipality’s cash receipts cycle. Each municipality is unique and therefore this questionnaire cannot be relied upon to address 100% of your municipality’s fraud risks within this business cycle. However, you can use the concepts contained within this questionnaire to expand its scope to specific fraud risk areas within your municipality.

Definitions of Fraud

Fraud is a broad legal concept and generally can be defined as any intentional act committed to secure an unlawful gain. Within municipalities, fraud is primarily seen in the areas of theft, misappropriation of assets, embezzlement and corruption.

Occupational fraud, often referred to as employee dishonesty, is the use of one’s employment to commit fraud for personal enrichment through the intentional misuse or abuse of his/her employer’s resources and assets.

Fraud Risk Assessment in an Internal Control System

Fraud risk assessment is a critical component in any internal control system. Internal controls consist of several interrelated components that, when operating effectively, provide the Town reasonable assurance that it not only meets its strategic and operational business objectives, but also its financial reporting and compliance objectives. This process is driven by the Town’s governing bodies and management and executed each day by departments like yours.

The most widely adopted internal control methodology used by organizations throughout the world is referred to as the COSO framework. The COSO framework was originally published in 1992 and, after several updates, was last updated in 2013.
The COSO framework contains five key components or principles:
- Control environment;
- Risk assessment;
- Control activities;
- Information and communication;
- Monitoring activities.

Effective fraud risk assessment takes place at (i) the entity level, (ii) the process level and (iii) the account level. Entity level fraud risks relate primarily to the fraud risks present within a municipality as a whole. In assessing entity level fraud risks, we generally look closely at the overall ethical tone of the municipality, or its control environment.

Account level and process level fraud risks are essentially one and the same for the purposes of this business cycle specific fraud risk assessment. These are fraud risks that are specific to the cash receipts business cycle.

I. Fraud Risk Assessment at the Entity Level

The Control Environment is best described as the organization’s culture and is often referred to as the “tone from the top.” Does your municipality promote ethical behavior? How are the values of the municipality’s governing board, manager or administrator and elected/appointed board perceived by its residents, taxpayers, vendors and employees? Oftentimes, these values are communicated through handbooks, trainings, the municipal website, and staff and department meetings. The most effective means of communicating these commitments is leading by example.

A series of questions will be posed below. Indicate your response with an “x” or a “” and, if yes, document the control in place in the space provided (examples have been provided for your reference). If you indicate no to any of the questions below, determine whether this is a significant gap that needs to be filled. If so, you have a deficiency that needs remediation.

Our Culture | Yes | No | Describe the Control(s) in Place

1.
Do the Town’s governing body and its management demonstrate a commitment to integrity and ethical behavior by their day-to-day activities?
Examples of controls in place to support this may include:
- Formal code of ethics policy posted on Town website
- A fraud policy has been adopted and clearly defines fraudulent activities
- Periodic ethics trainings conducted at all levels of town management
- Bi-annual state mandated ethics training and testing is communicated to all employees and board/committee members; and the Town has mechanisms in place to monitor compliance and follow up
- Conflicts of interest statements are required for all Selectmen and department heads
- Employees are required to sign an acknowledgement that the Town’s code of ethics was provided to them and that they understand it

2. Does the Town have a mechanism for employees to anonymously raise concerns regarding ethics, fraud or questionable business activities?
Examples of controls in place to support this may include:
- A fraud policy has been adopted and prohibits retaliation against whistle blowers
- A confidential whistle blower hotline has been established
- Signs are posted in all common employee areas like break rooms and cafeterias with the IG’s fraud hotline number
- Employees should be educated as to the long-term benefits of exposing or identifying possible fraud vs. the short-term convenience of not communicating what they witnessed

3. Is there a protocol for handling confidential complaints?
Examples of controls in place to support this may include:
- A fraud policy has been adopted and prohibits retaliation against whistle blowers and details to whom and how complaints are addressed and investigated

4.
Have duties and responsibilities of each employee been clearly described to them?
Examples of controls in place to support this may include:
- Job descriptions have been provided to each employee
- Each employee receives an annual performance review, which is included as part of their personnel file
- Departments periodically conduct departmental meetings to organize resources, communicate goals and provide instruction

5. When making new hires, does the Town perform sufficient background checks on the potential new hire’s technical knowledge and skills?
Examples of controls in place to support this may include:
- Job descriptions are provided to each job candidate
- Resumes and/or job applications are reviewed by all involved in hiring decisions
- References are contacted and these discussions are documented
- CORI checks are performed for required employees and considered for all employees
- Credit checks are performed for all employees in financial or managerial positions that have direct access to budgets
- Online service offering background check is utilized to identify potential issues not disclosed by candidate or references

6. When promoting from within, does the Town promote the most qualified and capable candidate?
Examples of controls in place to support this may include:
- Job descriptions are provided to each job candidate
- Past performance reviews are reviewed and updated prior to promotion
- Candidates for promotion are interviewed in a similar fashion as external candidates

7. Does the Town adequately compensate employees in order to retain and attract qualified individuals?
Examples of controls in place to support this may include:
- HR and department heads evaluate salary levels based on surrounding towns and other benchmarks

8.
Does the Town have a process to identify incompetent or ineffective employees?
Examples of controls in place to support this may include:
- Each employee receives an annual performance review, which is included as part of their personnel file
- Underperforming employees are placed on notice and provided a plan for improvement
- Educational or training programs are made available to increase an employee’s skill levels to a productive level

9. Are there consequences for employees who commit fraud and are those consequences fair and consistent?
Examples of controls in place to support this may include:
- A fraud policy has been adopted that clearly details the ramifications and penalties to those caught defrauding the Town
- Signs are posted in common areas requesting that employees confidentially report fraud and that the Town will prosecute to the fullest extent of the law
- The Town promptly terminates employees caught stealing from the Town and when appropriate communicates the Town’s actions to employees through e-mail communications to deter future events

10. Do employees in key “trust areas” within the Town show “red flags” that may suggest a change in personal or financial situations?
Examples of controls in place to support this may include:
- Recognition that age, experience, and seniority of personnel are not preventive controls of fraudulent activities
- Management has been trained to recognize “red flags”
- Management understands that such “red flags” demand their additional attention (talk with employee, quietly perform additional, periodic checks for errors or inconsistencies in work performed, etc.)

11. Is there an annual, thorough review for inefficient or deficient processes within the offices that could lead to fraud or errors in transactional processing?
Examples of controls in place to support this may include:
- Recognition that age, experience, and seniority of personnel are not preventive controls of fraudulent activities
- Employees are encouraged to provide suggestions or feedback as to how their work could be performed better
- Management has annual meetings with software vendors to identify new or improved options in electronic processing software that are available to be implemented or could be requested for improvement

12. Does management contemplate the risks associated with electronic processing (including those through the Internet)?
Examples of controls in place to support this may include:
- Employees are trained in how to identify or avoid electronic intrusions or “attacks” on their workstations or through external communications
- Management has on staff or hires an information technology consultant to periodically evaluate system weaknesses

II. Fraud Risk Assessment at the Process Level – Cash Receipts

The municipality’s key objective is to provide municipal services to its residents today and in the future and safeguard its assets. To do so, the municipality’s operating plan calls for continued revenue growth and cost management. The municipality is subject to many risks in connection with this operating plan – some internal and some external. The process in which these risks are analyzed is referred to as Risk Assessment.

A series of control statements will be posed below. These control statements are specific to the business cycle identified above. Areas in which no control is in place may indicate that there is a gap in your internal controls that needs to be

Common Fraud Risks With Billings (Tax & User Charges)

Control(s) in Place (Yes/No) | Are the Controls Communicated | Are the Controls Being Followed | Are the Controls Being Monitored | How Often Are Controls Being Monitored

13. Parcel and component(s) valuations or meter readings are reconciled to master listings to ensure completeness and accuracy.
Commitments are supported by master listings that can be matched by the total number of items or locations to determine if any are missing from the billing calculation. Utilizing consecutive generated billing numbers strengthens this process. Those departments with billings usually have sufficient personnel to perform independent checks and balances or involve multiple departments where one department may cross-check another department. Risk is that a taxpayer or customer may not be billed due to error or intentional manipulation of data.
If applicable, describe the control(s) in place.

14. Billing calculations (value/usage * rate) are mathematically verified for accuracy.
Electronic systems typically have reports or processes built-in to assist with this evaluation. Otherwise, the system includes a process that selects a sample of bills and conducts manual recalculations verifying that billing amounts are as expected based on the data. Certain billings involve multiple authorizations or reports (Tax Recap, Commitment Reports, Billing Reports, Assessor Warrants, etc.) which can be used to reconcile amounts for consistency and reconciliation. Risk is that a taxpayer or customer may be incorrectly billed due to error or intentional manipulation of data.
If applicable, describe the control(s) in place.

15. Committed billings are compared to budget and prior periods at an appropriate level of detail for each billing cycle.
The budget is a key component of the internal control system. Timely and regular budget to actual reviews by the Assessor, Collector, Town Accountant and department heads can serve as a valuable tool in discovering receipts fraud or errors.
If applicable, describe the control(s) in place.

Common Fraud Risks With Department Receipts

16.
Fees charged are reconciled to pre-numbered receipt logs and rates are agreed to authorizations to assure fees are proper and correct.
Most fees charged are either statutorily set by the Commonwealth or by an executive level vote (Board of Selectmen, City/Town Council); fees charged can be compared to those authorized and approved amounts. It is now common for departments to have electronic systems or cash registers that can monitor and calculate fees based on services or documents requested. Risk is that a customer may be incorrectly billed due to error or intentional manipulation of data.
If applicable, describe the control(s) in place.

17. Departments with fee based services or goods are provided with an adequate system to reconcile activity to original source documents.
A significant number of municipal fees involve the sale of goods or services that could be monitored through a consecutively generated pre-numbered receipt system. Electronic systems more frequently provided to departments should be capable of generating permits, certificates, and receipts directly; this provides an electronic transaction database for subsequent review and reconciliation. Manual systems (handwritten or Excel) are highly susceptible to manipulation or error and should require significantly more internal review and checks. Risk is that a customer may pay the fee, but an inadequate or flawed system is subject to misappropriation or error since no evidence exists that the transaction occurred.
If applicable, describe the control(s) in place.

18.
Fee based receipts are compared to budget and prior periods at an appropriate level of detail for each type of fee charged.
Budgets for fee-based transactions are only a limited component of the internal control system, as activity is subject to inconsistencies from estimated activity. Timely and regular budget to actual, or year to year revenue comparison reviews by department heads and the Town Accountant can serve as a valuable tool in discovering receipts fraud, since differences from expectations should be properly investigated and explained to differentiate those resulting from real customer activity versus those resulting from fraud or errors.
If applicable, describe the control(s) in place.

19. The employee involved in calculating the user or service fee is not the same person collecting payment.
Most municipalities do not have adequate staffing numbers within departments for this level of duty segregation; therefore, other mitigating processes and systems should be considered to deter or identify fraud. Mitigating controls could include: 1) eliminate manual tracking or recording processes (handwritten and Excel schedules are easily subject to data adjustment and manipulation – replace with automated system with input and edit controls and report capabilities); 2) pre-numbered or auto-numbered records for all transactions; and 3) department heads take an active (not passive) role in reviewing employee
If applicable, describe the control(s) in place.

Common Fraud Risks With Cash Handling (Cont.)

Control(s) in Place (Yes/No) | Are the Controls Communicated | Are the Controls Being Followed | Are the Controls Being Monitored | How Often Are Controls Being Monitored

20. Employee who opens the mail is not responsible for processing the payment.
Given the nature of the mail system, whether or not a payment is actually delivered and received is always subject to denial. Less controlled opportunity exists to take the payment and not input receipt of payment, claiming it was not received.
Inherent control also exists from payers who submit payment which is not credited to their account and may also mail a letter disputing non-payment; opportunity exists for employee to also hide or destroy dispute correspondence.
If applicable, describe the control(s) in place.

21. Employees who regularly handle payments from taxpayers, users, and customers, or that process deposits, are adequately covered under the entity’s fidelity bond.
Many municipal entities have “blanket” or umbrella fidelity coverage to insure peripheral departments outside of the Treasurer or Collector Offices against fraud and theft. An annual review of which offices are collecting monies and a conscious effort to verify that ALL of those offices are adequately disclosed to the insurance provider as necessary should be performed by the Treasurer’s Office. Note: Fidelity bond policies have limited coverage clauses; therefore, events of significant theft may not be fully covered. Furthermore, significantly deficient internal controls or controls (documented or undocumented) which were ignored could cause the insurance provider to invalidate the policy and refuse payment.
If applicable, describe the control(s) in place.

22. Co-mingling of collections by multiple employees into a single “cash drawer” is prohibited.
In the event of fraud, determining the employee responsible can become difficult when collections are pooled by multiple employees prior to the daily reconciliation of payments against the transaction records for the day; therefore, segregating drawers is a process that should be practiced.
If applicable, describe the control(s) in place.

23.
An independent review and verification of daily collection batches or activity is conducted prior to deposit.
Requiring a separate individual who was not involved in the actual collection of funds to review and verify daily proofs and be the person who either prepares the turnover form to the Treasurer or arranges for deposit of those funds into the bank if their department is so authorized is a detective control against misappropriation of funds and detection of errors.
If applicable, describe the control(s) in place.

24. Cash drawers/boxes have limited access and are stored in a secure location.
Cash drawers/boxes should be maintained during the day in a location not accessible to the public. Ideally, cash drawers should be locked between transactions or access controlled via mechanical mechanisms such as a cash register. Policies should prohibit “making change” for employees, advances of monies to employees, and the cashing of checks for employees (payroll, personal, etc.) using cash drawer/box monies.
If applicable, describe the control(s) in place.

25. Segregation of monies by employees in irregular locations (i.e. desk drawer, purse, home, car etc.) is prohibited.
Employees should never be allowed to store or place monies in unapproved locations. Past fraud events have demonstrated that employees perpetrating fraud may try to manipulate the daily processing and reporting of cash activity in order to hide their theft. Claims of “falling behind on processing turnovers” or “investigating daily batch variances” over an extended period of time can indicate a kiting form of fraud is being committed.
When such circumstances are identified, the problem for which holding funds is being blamed should be immediately addressed and corrected – preferably by someone who was not involved in the initial collections, so as to prevent an employee from covering their fraud, if it has occurred.
If applicable, describe the control(s) in place.

26. Overnight storage of money not turned over to Treasurer shall be maintained in an approved and secure location.
Cash drawers/boxes should always be stored in a safe or other secure location overnight that has no access by the public and limited access by employees. Locked closets with poor locks and weak construction (wood) or desk drawers are NOT highly secure locations and should be avoided. Employees should never be allowed to take money home or store it in the
If applicable, describe the control(s) in place.

27. Office locations where monies are collected are secure from external risks such as robberies.
Evaluation of the physical layout and location by offices collecting monies should be made to ascertain if reasonably adequate measures have been taken to deter such theft from occurring. Areas of concern could include locations not visible from open areas/main walkways (being out of sight makes robbers more comfortable), locations with very limited staff (strength of numbers deters robbers), access to restricted locations (ability to get behind counters or reach a safe undeterred can empower a robber to attempt a theft).
If applicable, describe the control(s) in place.

28. Offices that collect significant cash should be secured with alarm systems, panic buttons or electronic monitoring (cameras) of office activities.
Significant cash collection offices such as the Treasurer/Collector Office should be considered for equipping with a silent alarm to the Police Department. Any department which stores monies or sensitive personal or town records should be considered for installation of alarm systems. More recently, electronic surveillance systems are being installed, and with costs of cameras and software having dropped significantly, it has become very cost effective for Towns to install. Not only does this deter outside theft from robbers, but it also provides for an inherent control that aids in deterring employees from theft because they know their actions are on camera and being recorded.
If applicable, describe the control(s) in place.

29. Cash turnover forms are properly completed and sufficient supporting documentation of the monies being turned over exists.
Many instances of fraud can be hidden or challenging to identify because the departmental turnover forms to the treasurer (Form 910) have little or no information detailing the source and the number of transactions comprising the turnover amount. Additionally, illegible writing can make identification and proof of fraud more difficult to determine. With more departments being provided electronic processing systems, and nearly all having access to software such as Excel, the requirement to submit detailed batch reports or printed schedules detailing the activity comprising the turnover amount should be considered for required submission to the Treasurer along with the Form 910.
Another significant control enhancement to the standard Form 910 is to require the submitting department to detail on the form how much of the turnover is comprised of checks, cash, and more frequently now credit/debit card payments; this deters the manipulation of the turnover monies by taking the cash and replacing it with a check (a core component of a kiting fraud). Any requirement to substantiate the turnover amount is effectively a control to deter or identify fraudulent actions.
If applicable, describe the control(s) in place.

30. Turnover forms are verified in-person and properly signed.
Treasurer’s Office employees should be required to count and verify that monies presented equal the amount on the turnover form while the department representative waits. The department representative should then be immediately given back their copy of the signed turnover acknowledging the money and turnover amount agreed or noting that there was a discrepancy. This should prevent and deter any “missing” money as a result of the hand-off between departments.
If applicable, describe the control(s) in place.

Common Fraud Risks With Cash Deposits

Control(s) in Place (Yes/No) | Are the Controls Communicated | Are the Controls Being Followed | Are the Controls Being Monitored | How Often Are Controls Being Monitored

31. Adequate supporting documents exist to reconcile combined turnover amounts to the deposit slip amount.
Generally, multiple turnover amounts are combined to arrive at a single deposit amount; adequate documentation should detail which specific turnover amounts are included in the deposit. To enhance controls, the process should require that a single turnover amount be deposited in whole to the same bank. Checks and cash should not be separately deposited if submitted to the Treasurer’s Office on the same turnover form. If cash and checks are to be separately deposited, they should be processed on separate batch reports and separate turnovers.
The splitting of batch and turnover amounts weakens the transaction trail and provides more opportunities for hiding fraudulent activities.
If applicable, describe the control(s) in place.

32. Prior to deposit, an employee (separate from the person compiling the deposit and completing the deposit slip) reviews and verifies that the deposit is mathematically accurate, deposit slip is properly completed, and matches supporting documents.
Every phase of the cash handling process, particularly when it relates to the combining of multiple turnovers, should be reviewed through a checks and balance process to provide an adequate level of segregation of duties. A copy of the deposit slip should be included with the deposit batch.
If applicable, describe the control(s) in place.

33. Making deposits is an assigned duty of a specific employee(s).
Deposits may be collected by a security service and transported to the bank; however, if not, the task of making deposits should be assigned to a specific employee and one other backup. Ideally, not the person who posts the deposit to the Cashbook.
If applicable, describe the control(s) in place.

34. Verification of deposit receipt is completed at the time of deposit.
The actual deposit receipt generated by the bank should be promptly filed with the deposit batch and the applicable supporting documentation. The amount should be verified as agreeing to the deposit slip amount.
If applicable, describe the control(s) in place.

35. All deposits are posted to the Treasurer’s Cashbook at the time of deposit.
Every deposit should be posted immediately to the Treasurer’s Cashbook when the deposit batch is proved and the deposit slip compiled. The Cashbook should be properly designed to track cash activities for each bank account, separately.
Ideally, this would be entered by the employee who is assigned the responsibility of completing the deposit slip and not the individual who makes the deposit.
If applicable, describe the control(s) in place.

36. All deposits are posted to the Accountant’s general ledger in a timely manner.
Whether deposits post automatically to the Accountant’s general ledger based on amounts entered in the Treasurer’s Office (centralized system), or if the Accountant’s Office has to manually enter journal entries based on paper turnover reports provided by the Treasurer’s Office (decentralized system), it remains the Accountant’s responsibility to ensure that the posting is properly and timely entered and posted.
If applicable, describe the control(s) in place.

Common Fraud Risks With Abatements and Refunds

Control(s) in Place (Yes/No) | Are the Controls Communicated | Are the Controls Being Followed | Are the Controls Being Monitored | How Often Are Controls Being Monitored

37. Abatements are valid and substantiated.
Any abatement process should require the individual or entity requesting an abatement to provide the necessary contact, financial, and documentation supporting the reason for their request that is required under the law and/or deemed necessary to assist those responsible for reviewing the request in making their decision.
If applicable, describe the control(s) in place.

38. Abatement authorizations are properly authorized and distributed.
Policies should exist that clearly delineate what boards, commissions, or department heads are authorized to issue abatements of amounts owed for taxes or services rendered. Once authorized, copies of such forms or memos should be distributed to both the Collector and Accounting Offices for them to individually record or verify that their systems properly reflect the abatements in the correct accounts.
If applicable, describe the control(s) in place.

39. Segregation of duties exists in the processing of refunds.
Because of the nature of refunds, it is very important that an adequate and effective level of segregation of duties exist. The person reviewing and approving the request should be separate from the person adjusting the customer’s account on the collection system. Additionally, the employees reviewing and adjusting the collection system should be separate from the employee tasked with distributing the check refunding the tax.
If applicable, describe the control(s) in place.

Common Fraud Risks With Financial Management

Control(s) in Place (Yes/No) | Are the Controls Communicated | Are the Controls Being Followed | Are the Controls Being Monitored | How Often Are Controls Being Monitored

40. Passwords to the accounting systems and bank accounts are required to be changed periodically.
Static passwords represent a risk to any internal control system; the periodic requirement to update passwords enhances the IT access controls and lessens the risk that an unauthorized party can initiate fraudulent transactions. Particularly within the Treasurer/Collector Offices, passwords (and even safe combinations and keys) should be immediately changed whenever an employee leaves.
If applicable, describe the control(s) in place.

41. Bank reconciliations are prepared and reviewed on a timely basis.
The reconciliation process is a key element in any internal control system, provided the reconciliations are performed timely. Ideally, the employee tasked with reconciling all of the cash accounts should be separate from the person compiling the receipts and entering the deposit amounts into the Cashbook. Generally, all bank accounts should be reconciled between the bank statements and Treasurer’s Cashbook within two to three weeks of each month end.
If applicable, describe the control(s) in place.

42. The Treasurer/Collector and Accountant regularly reconcile cash and receivable balances with each other.
The reconciliation process is a key element in any internal control system, provided the reconciliations are performed timely. Ideally, reconciliations between these offices should be performed monthly, but any adequate control system would suggest never less than quarterly.
If applicable, describe the control(s) in place.