Fraud Risks Affecting Private Schools
Facts About Fraud
• Estimated that typical organization loses 5% of its annual revenue
• $7+ billion was the total loss caused by the cases in the study
• The median loss was $130,000
• 22% of these cases caused losses of at least $1 million
• 9% of these results were applicable to NPOs with a median loss of $75,000
• 16% of these results were applicable to government with a median loss of $118,000
Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse
Facts About Fraud
Asset misappropriation was most common (89% of cases), causing the smallest median loss of $114,000
Financial statement fraud was least common (10% of cases), causing the largest median loss of $800,000
Corruption was in the middle (38% of cases), causing a median loss of $250,000
Facts About Fraud
The longer a fraud lasted, the greater the financial damage it caused
While the median duration of the fraud was 16 months, the losses rose as the duration increased
At the extreme end, schemes that lasted more than five years were 20x more costly
ACFE’s 2018 Report on Occupational Fraud
Facts About Fraud
In 97% of cases, the perpetrator took steps to conceal the fraud
The most common concealment methods were creating & altering physical or electronic documents
Facts About Fraud
Most common detection method was tips (40% of cases); organizations that had reporting hotlines were much more likely to detect fraud through tips than organizations without hotlines (46% compared to 30%, respectively)
Facts About Fraud
In cases detected by tip at organizations with formal fraud reporting mechanisms, telephone hotlines were the most commonly used method (42%)
However, tips submitted via email (26%) & web-based or online forms (23%) combined to make reporting more common through the internet than by telephone
Who Reports Occupational Fraud
Organizations without hotlines were more than twice as likely to detect fraud by accident or by external audit
Internal Control Weaknesses that Contributed to Fraud 2018
Lack of internal controls (30%)
Lack of management review (18%)
Override of existing internal controls (19%)
Poor tone at the top (10%)
Lack of competent personnel in oversight roles (8%)
Lack of independent checks/audits (4%)
Lack of employee fraud education (2%)
Lack of clear lines of authority (2%)
Lack of reporting mechanism (<1%)
Other (6.0%)
Facts About Fraud
Fraud perpetrators ALMOST ALWAYS display warning signs they are engaging in illicit activity (85% of the cases reported had at least one of these red flags)
15% of occupational fraudsters had been charged or convicted of a fraud-related offense & 72% had been punished or terminated by an employer for fraud-related conduct
Employee education is the foundation of preventing & detecting occupational fraud. Staff members are an organization’s top fraud detection method; employees must be trained in what constitutes fraud, how it hurts everyone in the company & how to report any questionable activity
Behavioral Red Flags Displayed by Perpetrators (chart, % of cases)
Instability in life circumstances
Other
Excessive family/peer pressure for success
Complained about lack of authority
Past employment-related problems
Refusal to take vacations
Past legal problems
Social isolation
Excessive pressure from within organization
Complained about inadequate pay
Addiction problems
Irritability, suspiciousness or defensiveness
"Wheeler-dealer" attitude
Divorce/family problems
Control issues, unwillingness to share duties
No behavioral red flags
Unusually close association with vendor/customer
Financial difficulties
Living beyond means
Motives for NPO Fraud
Bonus, raise or promotion based on reported results
Positive performance evaluation
Retaining job based on reported results
Obtain a new grant/impress grantors/donors
Impress watchdog group
Obtain bank financing or meet bond/loan covenants
Meet grant requirements
Private inurement—related party—don’t have to pay taxes
Understanding Internal Controls
• Evaluate design of controls
• Verify implementation of controls
Process vs. Control
Process: Captures data, changes data & potentially introduces possible errors
Control: Does not change data; prevents or detects & corrects errors introduced through processes
Three-Step Process to Understand Controls
• What process is used to complete a transaction?
• What could go wrong?
• What controls are in place to prevent errors?
Example Analysis
Cash Receipts Process | What Could Go Wrong | Control
Set Up Contributor | Fictitious contributor | Review of new donors
Set Up Receivable Balance | Wrong amount, wrong aging, wrong restriction, wrong period | Supervisor review & approval
Acknowledgment Letter Sent | Sent to wrong contributor, wrong amount | Donor reports or questions any changes or mistakes
Revenue/Rec. JE Created | Input/processing error, data lost, access issues | Supervisor review & approval of entry
Cash Received | Cash stolen, record wrong amount | Reconciliation & review
Create Cash Receipts Listing | Cash stolen, record wrong amount | Reconciliation & review
Cash JE Created | Wrong account, period, amount | Review & approval
JE Posted to GL | Input error – account, period, amount | Review
Financial Statements Created | Wrong line item | Management review & budget comparison
Control Analysis
• What controls are in place?
• Are there any gaps that need to be addressed?
• Do the controls in place provide an effective & efficient organization/operation?
#1: The Control Environment
Tone at the top – YES, YOU MAKE THE BIGGEST DIFFERENCE TO PROTECTING YOUR ORGANIZATION
Typical management exceptions
COSO
o Integrity & ethical values
o Commitment to competence
o Board of directors & audit committee
o Management’s philosophy & operating style
o Organizational structure
o Assignment of authority & responsibility
o Human resource policies & procedures
Strong Control Environment
• Strong controls environment (manual & application controls)
• Management oversight & involvement throughout process
• Preventive controls
• Detective controls
#2: Segregation of Duties – Understanding
One-person accounting staff
o Bookkeeper
Two-person accounting staff
o Bookkeeper
o Controller
Three-person accounting staff
o Bookkeeper
o Accounting clerk
o Controller
#2: Segregation of Duties
No single individual is responsible for receiving, recording & depositing funds or writing & signing checks
No single individual is permitted to request, authorize, verify & record expenditures
Flowchart the process
Journal entries
#2: Segregation of Duties (Continued)
Receipts process
Payroll process
Bank reconciliation process
Disbursement process
Use executive director or other people to best segregate duties
Use of board members
Use of volunteers
Use of third-party vendors
#3: Controls over Payroll & Hiring Process
Time sheet approval
Encourage/require direct deposit for payroll
Separate bank account for payroll
Use third-party administrator/staffing services
Background & credit checks
Exit interviews
Reference checks—beware of internal referrals
Past work experience checks
#4: Controls over Disbursements/Contracts
Set up approved-vendor list
Invoice approval procedures – delegation of authority
Petty cash
Check processing & don’t forget wires
Limit employee advances & reimbursements
Periodic review by an objective person of the list of all vendors receiving fees/checks from the not-for-profit (because a common scheme involves creating a fictitious vendor)
Case Examples
A bookkeeper was sentenced to two years in prison in 2016 for stealing $800,000 from National Veterans Service Fund in Connecticut from 2009 to 2014, writing checks to herself & then altering the ledgers to make it appear the money went to veterans
A not-for-profit dedicated to helping the rural poor in Southeast Asia reported its then-president diverted $950,000 for his personal use in 2012, when the group was based in Boston. The charity said the executive promised to make full restitution as part of a settlement, but a former director said no one was ever prosecuted
Case Examples (Continued)
From a Washington Post article, a former employee of the Association of American Medical Colleges was able to create fake invoices in the names of legitimate groups that she then approved for payment. When the checks were ready, she had them returned to her, not sent to the vendors
Under that system, a spelling change of just four letters allegedly netted $3.7 million for her when she purportedly created nearly 200 false invoices in the name of the well-known Brookings Institution policy center, but deposited the checks into accounts she opened for her own “Brookings Institute”
#5: Controls over Bank Reconciliations
Bank reconciliation procedures
o Time frame to be completed
o System access
o Reconciliation to the general ledger
o Who does the reconciliation
o Approval procedures
o Bank statements
Wire transfer procedures
Mail handling; random checks
#6: Controls over Credit Card Purchases
Don’t have them (time requirement to keep up with credit cards can easily be a day’s worth of work)
Policies & procedures
Number of users
Limits
Authorization
Review
Preapproval
Corporate Credit Cards
Problems in Many Organizations Include
Wasteful & improper spending
Lack of documentation, e.g., receipts, invoices
No explanation of business purpose
Personal charges to be “reimbursed later”
Lack of adequate policies
Expectations not communicated to employees
Lack of second review of all charges
Lack of adequate review of charges by key employees (& any relatives who also are employees)
Expense Reimbursement/Credit Cards/P-Card Schemes
• Any scheme in which an employee makes a claim for reimbursement of fictitious or inflated business expenses
o Employee files fraudulent expense report, claiming personal travel, nonexistent meals, etc., as incurred business expenses
o Employee purchases personal items & requests reimbursement from the employer
Expense Reimbursement/Credit Card Fraud Schemes
| 2016 | 2014 | 2012 | 2010
Estimated median loss | $40,000 | $30,000 | $26,000 | $33,000
Median duration | 24 months | 24 months | 24 months | 24 months
< 100 employees | 16.7% | 13.1% | 13.7% | 14.2%
100+ employees | 13.9% | 16.5% | 17.3% | 16.8%
Red Flags for Expense Reimbursement/Credit Card Schemes
Purchases that do not appear to be business related
Missing original documents supporting expenses
Altered receipts
Many receipts from the same vendor
Submitted receipts are consecutively numbered
Expenses in round dollar amounts
Expenses just below receipt submission threshold
Segmenting expenses across periods to remain below receipt submission threshold
Cash payment for expenses typically paid with credit card
Ideas for Improving Processes
Create clear policies & procedures
o Update current policies as necessary
Employee signature to agree to comply with policies
Get supporting documentation for purchases
o Original receipts – not just credit card statement
o Documented business purpose
Second review of charges at all levels
o Be sure to address possible/known weaknesses in review process
. No review/weak review
. Wrong person doing the review
Periodic outside review of charges
Question any potentially inappropriate purchases
Ideas for Improving Expense Reimbursement Processes
Review & update reimbursement policies
Formalize expense reimbursement process
Review work/vacation schedules
Institute use of mileage tracking apps
Ideas for Improving Credit Card Process
Monitor credit card holders & implement two-step approval process
Limit use of personal credit cards
Do not allow personal purchases on corporate credit cards/P-cards as a standard practice
Set reasonable/lower credit limits
Merchant code blocking (P-cards)
Electronic analysis of charges
Using Electronic Data to Monitor Credit Cards
Data benefits
o High-quality data
o External data source
o Standard formats
o Industry standards (merchant category codes)
o Level III data
o Ability to quantify usage
. By vendor
. By card
. By department
Using Electronic Data to Monitor Credit Cards (Continued)
Ability to quickly/fully analyze
o Transactions in round amounts
o High-risk merchants
. Online merchants
. Foreign merchants
o Split transactions
o Transactions on leave days
. Weekend
. Holiday
. Vacation
o Outlier transactions
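The red flags listed under expense reimbursement schemes and the electronic card analyses listed above can be run as one screening pass over exported card data. The following is an added example, not code from the presentation or from BKD; the transactions, holiday calendar, merchant category codes and policy limits (receipt threshold, single-transaction limit) are constructed assumptions.

```python
"""Red-flag screening of corporate card / expense transactions.

Added example, not code from the presentation or from BKD. The transactions,
holidays, merchant category codes (MCCs) and policy limits are constructed
assumptions; the checks are the ones the slides list.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

RECEIPT_THRESHOLD = 75.00       # assumed policy: receipt required at or above this
BELOW_THRESHOLD_WINDOW = 5.00   # assumed: flag amounts within $5 under the threshold
SINGLE_TXN_LIMIT = 500.00       # assumed per-transaction card limit
HIGH_RISK_MCC = {"7995", "6051", "5967"}  # assumed: gambling, quasi-cash, direct marketing
HOLIDAYS = {date(2018, 12, 25)}           # constructed holiday calendar


@dataclass(frozen=True)
class Txn:
    id: str
    card: str
    vendor: str
    mcc: str
    amount: float
    when: date
    receipt_no: Optional[int]


# Constructed sample data: 6 Oct 2018 is a Saturday; 25 Dec 2018 is in HOLIDAYS.
SAMPLE = [
    Txn("T1", "A", "Office Depot", "5943", 48.12, date(2018, 10, 2), 1001),
    Txn("T2", "A", "Staples", "5943", 74.50, date(2018, 10, 3), 2201),
    Txn("T3", "A", "Staples", "5943", 72.00, date(2018, 10, 10), 2202),
    Txn("T4", "B", "Best Buy", "5732", 450.00, date(2018, 10, 6), 5001),
    Txn("T5", "B", "Best Buy", "5732", 300.00, date(2018, 10, 6), 5107),
    Txn("T6", "C", "Lucky Casino", "7995", 120.00, date(2018, 12, 25), 9),
    Txn("T7", "C", "Amazon", "5942", 23.99, date(2018, 10, 15), None),
]


def per_transaction_flags(t: Txn) -> set:
    """Checks that need only the one transaction."""
    flags = set()
    if t.amount > 0 and t.amount == int(t.amount) and int(t.amount) % 50 == 0:
        flags.add("round_amount")                 # whole multiples of $50
    if RECEIPT_THRESHOLD - BELOW_THRESHOLD_WINDOW <= t.amount < RECEIPT_THRESHOLD:
        flags.add("below_receipt_threshold")      # sized to dodge the receipt rule
    if t.mcc in HIGH_RISK_MCC:
        flags.add("high_risk_mcc")
    if t.when.weekday() >= 5 or t.when in HOLIDAYS:
        flags.add("leave_day")                    # weekend or holiday charge
    return flags


def screen(txns) -> dict:
    """Return {transaction id: sorted red flags}, including cross-transaction checks."""
    flags = {t.id: per_transaction_flags(t) for t in txns}

    # Split transactions: same card, vendor and day; each charge under the
    # single-transaction limit, but together at or over it.
    same_day = defaultdict(list)
    for t in txns:
        same_day[(t.card, t.vendor, t.when)].append(t)
    for group in same_day.values():
        total = sum(t.amount for t in group)
        if (len(group) >= 2 and total >= SINGLE_TXN_LIMIT
                and all(t.amount < SINGLE_TXN_LIMIT for t in group)):
            for t in group:
                flags[t.id].add("split_transaction")

    # Consecutively numbered receipts from one vendor on one card suggest the
    # employee, not the vendor, is producing the receipts.
    by_vendor = defaultdict(list)
    for t in txns:
        if t.receipt_no is not None:
            by_vendor[(t.card, t.vendor)].append(t)
    for group in by_vendor.values():
        group.sort(key=lambda t: t.receipt_no)
        for a, b in zip(group, group[1:]):
            if b.receipt_no - a.receipt_no == 1:
                flags[a.id].add("consecutive_receipts")
                flags[b.id].add("consecutive_receipts")

    return {k: sorted(v) for k, v in flags.items()}
```

Each flag is a lead for the second reviewer the slides call for, not a conclusion; the limits are the places to plug in the organization's actual policy values.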
Example
A former elementary school bookkeeper is accused of cashing $55,239 worth of checks from the PTA between 2011 & 2015
The bookkeeper was in charge of purchasing items for the PTA on a district-issued credit card; PTA would then cut checks to reimburse the school account
The bookkeeper would cash the checks personally & pocket the money
#7: Controls over Receipts
Use a lockbox
Involve a second person in cash receipts processing
Verify cash logs
Make bank deposits daily
Don’t forget volunteers (safety/security)
Receiving credit card donations/receipts (Paypal)
Physical movement of cash (wires)
#8: Controls over Physical Safeguards
Limiting access (locking cabinets, doors, etc.)
Don’t forget controls over collections & inventory
Fireproof safes
Reconcile physical inventory of furniture & equipment
Fundraising events
Physical inventory of gifts donated (silent auctions)
#9: Controls to Help Prevent & Detect Potential Financial Statement Fraud
Watchdog organizations – expense classification
Donor restrictions – help ensure a system to identify restrictions before they are recorded
Grant compliance
Budget to actual
Comparison to prior year
Does the board truly understand how to read the FS?
Distribute financial reports to staff
Flash reporting – financial & nonfinancial data—critical areas to review—dashboard sheet
#10: Electronic Controls
• Protecting confidential information of donors, clients etc. (this often is a legal requirement)
• Websites
• Cellphones/thumb drives
• Passwords
• Appropriate access for systems
• Encryption technology
• Anti-virus protection
• Back-up system
• Database management
• Cybersecurity
Cyberthreats
Average annualized cost of cybersecurity (USD): $11.7M
Percent increase in cost of cybersecurity in a year: 22.7%
Average number of security breaches each year (per company): 130
Percent increase in average annual number of security breaches: 27.4%
Cost of cybercrime damage by 2021: $6.0 Trillion
Source: Ponemon Institute LLC, “The Evolving Role of CISOs and their Importance to the Business”; Ponemon Institute LLC, “2017 Cost of Cyber Crime Study”
Cyberthreats
Chart: % increase from previous year for malware injections, web application vulnerabilities & mobile malware (values shown: 212%, 200%, 54%)
Source: Osterman Research, “Best Practices for Protecting Against Phishing, Ransomware and Email Fraud,” April 2018.
Cyberthreats
In February 2018, there was
o One phishing attempt in every 3,331 emails &
o One piece of malware for every 645 emails
o On average, for an organization of 500 email users who receive a median of 100 emails per day, the security infrastructure will receive 15 phishing attempts & 77 pieces of malware each day
There continue to be targeted ransomware campaigns focused on specific industries like health care & government, among others
Cyberthreats
Cybercriminal organizations are successful because
o They are generally well funded
o They have technical resources to create new & increasingly more capable attack methods
o They are highly collaborative in nature
Chart: Motivations Behind Attacks, 2016 vs. 2017 (cyber crime, cyber espionage, hacktivism, cyber warfare); cyber crime accounted for the large majority in both years (72.1% and 77.4%)
Source: Hackmageddon, http://www.hackmageddon.com/2018/01/17/2017-cyber-attacks-statistics/
Cyberthreats
According to IBM’s “Cyber Security Intelligence Index,” 95% of all security incidents prey on human weakness in order to lure insiders within organizations to unwittingly provide them with access to sensitive information
59% of respondents agree that most information technology security threats that directly result from insiders are the result of innocent mistakes rather than malicious abuse of privileges
Cyberthreats
INSIDER RISKS
Source: Bomgar Privileged Access Threat Report 2018
Cyberattacks to Watch Out For
1. Phishing
2. Pretexting
3. Baiting
4. Quid pro quo
5. Tailgating
6. Ransomware
Phishing
Phishing is crafting a message (typically an email) designed to influence the recipient to “take the bait” via a simple mouse click
Seeks to obtain personal information, such as names, addresses & Social Security numbers
That bait is most often a malicious attachment but also can be a link to a page that will request credentials or drop malware
Phishing
May use link shorteners or embed links that redirect users to suspicious websites in URLs that appear legitimate (Bitly, TinyURL, Ow.ly, etc.)
o From: https://securityintelligence.com/the-role-of-human-error-in-successful-security-attacks/
o To: https://ibm.co/1PO3b9x
Fake/disposable email address generators
o Yahoo Mail, Dispostable, Guerrilla Mail, GMX Mail, etc.
Messages tend to incorporate threats, fear & a sense of urgency in an attempt to manipulate the user into acting promptly
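Two of the tells above (links routed through shorteners, and link text that shows one address while the href points elsewhere, which is what hovering over a link reveals) can be checked mechanically in a mail filter. The following is an added example, not code from the presentation or from BKD; the shortener list, the placeholder short link and the sample email are constructed assumptions.

```python
"""Flag deceptive links in an HTML email body.

Added example, not from the presentation. It applies two phishing tells from
the slides: links routed through URL shorteners, and link text that shows one
address while the href points elsewhere. The shortener list and the sample
email are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com", "ow.ly"}  # assumed list


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Lowercased host of a URL or bare domain ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """True when the visible link text itself reads as a URL or domain."""
    return "://" in text or ("." in text and " " not in text and "@" not in text)


def flag_links(html: str) -> list:
    """Return [(href, reason)] for links matching a phishing tell."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if target in SHORTENERS:
            findings.append((href, "url_shortener"))
        # What the user sees vs. where the link actually goes
        if looks_like_url(text) and host_of(text) != target:
            findings.append((href, "display_text_mismatch"))
    return findings


# Constructed sample: the first link's visible text claims one site while the
# href goes through a shortener; the last link is honest and should not fire.
SAMPLE_EMAIL = """
<p>Fraud alert on your account. Review now:
<a href="https://tinyurl.com/placeholder">https://www.example-bank.test/verify</a></p>
<p>Or <a href="http://www.example-bank.test.evil.test/verify">click here</a>.</p>
<p>Our site: <a href="https://www.example-school.test/">www.example-school.test</a></p>
"""
```

A "click here" link with a misleading host (the second link) passes these two checks, so they complement rather than replace user training and URL reputation filtering.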
Phishing (Continued)
Some phishing emails are more poorly crafted than others to the extent that their messages often exhibit spelling & grammar errors
In a normal (median) organization, 78% of people don’t click a single phish all year. That’s pretty good news
On average, in any given phishing campaign, 4% of people will click it – The vampire only needs one person to let them in
Only 17% of phishing campaigns were reported. Additional training also should be bestowed on users who don’t report the phishing!
Phishing Examples
Annotated sample email (image): fake sender domain (hover mouse over), bad grammar &/or misspellings, suspicious content; hovering over the link reveals a suspicious URL
http://www.southmountainlaw.com/options/htaccesss.html
Pretexting
Pretexting is a more focused method compared to phishing
It involves the creation of a false narrative to obtain information or influence behavior
Could be a phone call, text message, email, etc., designed to steal victims’ personal information
Scammer pretends they need certain bits of information from their target in order to confirm their identity
Pretexting also may involve impersonating co-workers, police, bank, tax authorities, clergy, insurance investigators, auditors, etc.
Pretexting (Continued)
The pretexter must simply prepare answers to questions that might be asked by the victim
In some cases, all that is needed is a voice that sounds authoritative, an earnest tone & an ability to think on one’s feet to create a pretextual scenario
Unlike phishing emails, which use fear & urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim
The attacker may develop a relationship & even help the victim execute the exploit
Email-Based Pretexting Example
Warns of a “Fraud Alert” on your bank account
Link to official-looking site that asks for PII
Phone-Based Pretexting Examples
New credit card
Past-due bill/collection call
Delinquent taxes
Baiting
Baiting is the promise of an item or good that hackers use to entice victims to get login credentials to a certain site
Baiting attacks are not restricted to online schemes. Attackers can deliver malware via the use of physical media
Many people will pick up USBs & plug them into their computers without thinking
The USBs may automatically activate a keylogger that allows access to observe an employee’s online activity & login credentials or install malware
Quid Pro Quo
The quid pro quo usually assumes the form of a service
Attackers may impersonate IT service people & spam call as many direct numbers belonging to a company as they can find, or use a pop-up warning box
o These attackers offer IT assistance
o Eventually they will reach someone with a legitimate problem
o The user will be grateful & will eagerly follow their instructions
o The fraudsters will promise a quick fix in exchange for the employee disabling their anti-virus program, under the guise of software updates
o The attacker then gets the user to install malware on their computer
Tailgating
Another social engineering attack type is known as tailgating or “piggybacking”
These types of attacks involve someone who lacks the proper authentication following an employee into a restricted area
Ransomware
Attacks are inevitable
Around half of business victims pay the ransom
Most are able to retrieve data after payment
Many would pay again
Ransomware will continue to be one of the most prevalent attacks
Perpetrators are being greatly assisted by the emerging Ransomware as a Service (RaaS)
Source: Telstra Security Report 2018
Ransomware
City of Atlanta, Georgia (March 2018): Five of Atlanta’s 13 government offices were “hijacked.” What made Atlanta such an easy target—even for a relatively common form of ransomware—was its incredibly outdated use of technology; old computers running on nonsupported platforms. Cost to date $2.7 million
Colorado Department of Transportation (February–March 2018): SamSam ransomware morphed into something new & reinfected CDOT computers that had already been cleaned. In April, 80% of functionality had been restored at an estimated cost of up to $1.5 million after a computer virus forced the department's back-end operations offline
City of Leeds, Alabama (March 2018): Paid $12K in bitcoin to remove lock
Sidebar: According to the Telstra Security Report 2018, four out of five ransomware victims who paid a ransom to recover their files said they would pay the ransom again to recover data if no backup files are available
Recommendations – Basics
Educate
o Technology is no substitute for employee education
o Educate & re-educate the entire organization, not just IT
o Include the board, executives & vendors
o Knowledge is power
o Do not discourage false-positive reporting
o Document your security policies in a knowledge database so everyone understands exactly what is going on & why
o Develop & rehearse a robust incident response program
Recommendations – Basics (Continued)
Patch
o Applications
o Databases
o Operating systems – servers, workstations, etc.
o Anti-virus/anti-malware – engines & signatures
o Third-party applications
Recommendations – Basics (Continued)
Limit
o Control use of administrative privileges
o Limit access based on need-to-know (least privilege)
o Limit & control remote access
o Do not share credentials. Consider a password safe
o Consider multifactor authentication
o Limit the use of portable media
o Be situationally aware for potential physical security issues
o Make your trash unattractive to dumpster divers
o Consider disabling macros
Recommendations – Basics (Continued)
Check
Lock down everything that is not needed
Generate logs & review them. Don’t forget to document your review
Escalate potential security issues
Limit & monitor vendor access
Filter out suspicious emails addressed to employees
Implement a policy for dealing with suspected phishing & pretexting
Recommendations – Basics (Continued)
Prevent
o Lock your laptop whenever you are away from your workstation
o Do not give out personal or company confidential information on the phone, through the mail or over the internet unless you have initiated the contact or know whom you are dealing with
o Monitor inbound & outbound traffic for unusual patterns
o Encrypt data at rest & in motion. Don’t just protect the perimeter (firewall), also protect the data
o Segment critical data. Encrypt data within crown-jewel segments
Recommendations – Basics (Continued)
Backup
o Implement a regularly scheduled backup program that meets your business & records retention requirements
o Put some distance between your primary & secondary sites
o For critical applications, perform a full restoration or fail-over test at least annually
o Back up & restore not only data, but also the applications
o Understand the differences between cloud storage & cloud backup
Cyber Trends for 2018
Experian projects the top data breach trends of 2018 include the following
The United States may experience its first large-scale attack on critical infrastructure, causing chaos for governments, companies & private citizens
Failure to comply with new European Union regulations will result in large penalties for U.S. companies
Perpetrators of cyberattacks will continue to zero in on governments, which could lead to a shift in world power
Attackers will use artificial intelligence (AI) to render traditional multifactor authentication methods useless
Vulnerabilities in internet of things (IoT) devices will create mass confusion, leading to new security regulations
Example of Phishing
The American Museum of Natural History in New York City reported it lost $2.8 million in 2015 after an employee fell for an email scam & erroneously wired the money
The museum reported the incident to police, but the perpetrators have yet to be identified or return the money
Best Practices
Review & update policies & procedures annually
Perform walk-through of controls either annually or on a rotating basis to determine reliability
Annual review of user access rights
Questions?
Joseph Blatt, CPA, Partner
Joseph Blatt is a partner at BKD. He has been actively engaged in work with both health care and not-for-profit organizations for over 30 years. Mr. Blatt provides both audit and consulting services to a variety of organizations, including private schools and other educational institutions as well as health care facilities, housing, social services organizations, drug rehabilitation, museums and cultural arts centers, fundraising organizations, foundations, religious and other organizations.
Mr. Blatt has also provided audits in accordance with Government Auditing Standards. Mr. Blatt participates closely with his clients on an on-going basis, not only on accounting and auditing problems, but also in various managerial and consulting roles, including budgeting, cash flow forecasting, development of accounting controls, development of accounting policy and procedure manuals, management problem solving, and as a board advisor.
Joseph Blatt received his degree from Queens College with a B.A. degree in accounting. He is a member of both the American Institute of Certified Public Accountants (AICPA) and the New York State Society of Certified Public Accountants (NYSSCPA). Mr. Blatt is a member of the NYSSCPA Not for profit committee and NJAIS Not for Profit interest group.
Mr. Blatt frequently presents at training and educational seminars on auditing, accounting and reporting of not-for-profit and health care organizations.
[email protected] Telephone # 212-867-4000 x13112
Thank You! bkd.com/nonprofit | @BKDNFP