
CPE for Government Auditors

Another Layer to the Green Book

When I was younger, I was often unpleasantly surprised to find out that responsibilities have layers.  I thought I had gone through the final step… but no!  Instead I realized there was another step, another layer of complexity that needed to be embraced.  And then I found another layer and another layer.

I remember one moment of frustration regarding my ‘dream’ car vividly. When I was 16 I wanted a cool car so I could have more freedom, but first I had to pass the driving test.  Check.  Then I had to learn how to change a tire and add water and oil. Check.  Next, Dad withholds cool car and instead buys me a junky car because he imagined that I would bang up my first car (he was right). Check.

Dad decides I can handle a somewhat cooler car when I am 18.  Sweet!  Check.  Proceed to drive the somewhat cooler car slowly through a notorious speed trap in Houston only to get a ticket for having an expired inspection sticker.  What?  Wait.  What the heck is an inspection sticker? Nobody told me about annual inspections.  How much does that cost?

Well, I don’t want you finishing up this book about internal controls and then gasp, “Inspection stickers!  No one told me about inspection stickers!”  My dad’s response to my complaint was, “What did you think that big square thing with the date on it in the driver’s side window was?”  No good answer for that.

So I want to pause to cover another important layer of the COSO model that you may not have considered yet – although it sits right in the introduction of the Green Book – the requirement that the controls work together in an integrated manner.

Green Book: OV2.04 … The five components of internal control must be effectively designed, implemented, and operating, and operating together in an integrated manner, for an internal control system to be effective. 

Integrate the controls

What does ‘integrate’ mean?  Integrate means that various parts are linked together or coordinated.

Maybe an example will demonstrate what integrated controls look like.  Let’s say that your control objective is to prevent unallowable charges on credit cards issued to the buildings and maintenance folks.

The ideal controls sound like they both help satisfy the control objective AND belong together.  See if you can see how these controls fit together:

Control Environment:  Hire accountants skilled at performing reconciliations
Control Activity: Require buildings and maintenance employees to submit receipts and invoices to support credit card charges
Monitoring: Accountants match receipts to invoices each month and evaluate charges for allowability.
Information and communication: Accounting emails a report detailing unallowable charges and un-reconciled/undocumented charges to the executive team each month

Several people have been very proud to show me their tricked out, ‘dream’ Green Book spreadsheet. One of my favorites was a spreadsheet that listed the 17 principles along the left hand side as row titles.  And then the 12 compliance items for federal programs were listed along the top as column headers.  The controls in place were the contents of the cells.  But I had to inform the proud creator that simply listing a control in a cell wasn’t all that needed to be done, the controls also needed to be integrated.  They were not happy.  Layer, layer, layer.

Iterative

Just like learning how to take care of a car, the process of creating controls is long and full of little surprises.  Whenever I see the word iterative, I now know what they really mean is you are now embracing the ‘never ending quest for improvement’.  Iterative also means that it will never be perfect, which is hard for some folks to tolerate.  Anybody who has tried to design a control process, document a control process, and implement a control process can attest to it being imperfect and never, ever done.

And the Green Book goes on to say that simply copying other people’s control system probably isn’t going to work either.  Bummer.

Green Book: OV2.13 Internal control is a dynamic, iterative, and integrated process in which components impact the design, implementation, and operating effectiveness of each other. No two entities will have an identical internal control system because of differences in factors such as mission, regulatory environment, strategic plan, entity size, risk tolerance, and information technology, and the judgment needed in responding to these differing factors. 

Where we have been and where we are going

I hope you have been enjoying the book so far.  First we had to learn what the top, side, and front of the cube meant, from a very broad view.  Then we took a deep dive into risk assessment.  Next it is time to mitigate the risks we have identified.  We will endeavor to embrace our responsibilities and avoid unpleasant surprises by layering on controls for the remaining four components of the COSO model: control activities, information and communication, monitoring, and control environment.

If you would like to catch up on what I have written so far about the Green Book, please see these article/chapters.

Internal controls a la GAO’s Green Book

Chapter 2: Grounding the Green Book in Reality

Chapter 3: The Face of the Cube

Chapter 4: The remaining dimensions of the cube

Chapter 5: Ranking What You Care About: The Risk Assessment Component

Fraud Risk per the GAO’s Green Book

Fraud Risk Factors a.k.a. the Fraud Triangle

Completing the risk assessment

The next chapter should sound very familiar if you have ever worked on controls before.  We will use concepts like ‘segregation of duties’ and ‘authorization.’   We are far from done. Iterate, integrate, iterate, integrate….

Fraud Risk per the GAO’s Green Book

Just because you’re unaware of the risk, doesn’t mean it isn’t there

Just because you aren’t conscious of something dangerous, doesn’t mean it isn’t lurking.   One of the most important themes of the GAO’s Green Book (and the 2013 COSO model it is sourced from) is consciousness.  Instead of just playing along with the crowd without regard to the risk, the Green Book encourages you to become conscious of risk, imagine the worst, and then plan to prevent it.

Do you think that people in the 1940’s had a sneaking suspicion that smoking was unhealthy?  Or do you think their desire to be glamorous like all those smoldering (forgive the pun) Hollywood movie stars overrode their common sense?

And in the 70’s my mom and dad slathered themselves with olive oil and lay in the sun to get a reddish brown ‘tan’.  Coppertone products promised to magnify the power of the sun.  Now my dad gets skin cancer removed from his face, arms, and hands every six months or so.

Everybody went nuts buying non-stick cookware in the 80’s only to find out that the Teflon emits dangerous gasses into your food when heated.  In the 90’s we all started drinking bottled water with no concern for the environmental impact, and in the 2000’s we went ‘wireless’ and may be exposing our brains to harmful radio waves.  Lately, we all have to concede that if we transact with the world at all, our personal data is out there and available to criminals in Russia.

I am thinking of that classic parental line here, “If your crazy friend Carl jumped off a bridge, would you do it too?”  Going along with the crowd can be dangerous.

Sometimes you can pre-empt negative consequences

It is all very nice to look back in hindsight and realize that you shouldn’t have followed the crowd and jumped off that bridge.  But sometimes, you can work ahead of a problem to prevent bad results.

For instance, I opened a new business account at a bank recently.  And I know that it is dangerous to give my bank account number to folks who are making deposits into my account and/or who have the power to withdraw money from my account.  But I put the risk out of my mind because I didn’t think I could do anything about it.

Hand me the Coppertone, I’ll play along!  My thinking was, “That’s how business is done and I want to play.”

But my new bank has thought about this risk and offered me not one, but two checking accounts.  I can share one checking account number with vendors and customers who are coming in and out of my account and the other account – where the bulk of my money is – is accessible and known only to me and my bookkeeper.  Nice.

Fraud is real but it isn’t entirely unavoidable

The Certified Fraud Examiners estimate that 5% of an organization’s annual revenue is lost to fraud.   http://www.acfe.com/rttn2016/docs/Staggering-Cost-of-Fraud-infographic.pdf

And although the Certified Fraud Examiners don’t say it outright, they are implying that most organizations suffer fraud.   If an organization grows to over 100 employees, someone is probably doing something squirrely.

I spent a year writing a self-study book on Fraud for Government Auditors.  Unfortunately, I wrote it in 2008 as our economy was crashing.   As I wrote, I became hyper-aware of bad behavior and fraud everywhere I went.  It was exhausting and disheartening to see fraud every time I left the house or read the news, so 8 years later, I have turned the consciousness dial down quite a bit and become mostly numb to it once more. There is only so much moral outrage you can muster day after day after day.

The Green Book asks the leaders of the organization to think about fraud before it happens.  It is asking them, for at least a few days while they prepare a risk assessment, to muster some moral outrage before the organization actually suffers fraud so that they can plan around it, just like my new bank.

Fraud risk specifically

So in our last chapter, we discussed inherent risk in general and how the Green Book encourages us to think about the risk of death, injury, shame, loss of money or non-achievement of goals.

Now, we are going to focus on fraud risk specifically.  Fraud can cause injury, shame, loss of money, or non-achievement of goals.  But occupational fraud, the fraud discussed in the Green Book, is not likely to cause death.

The GAO dedicates a good portion of the chapter in the Green Book on risk assessment to assessing fraud risk.

Principle 8 states: 8.01: Management should consider the potential for fraud when identifying, analyzing, and responding to risks. 

Luckily, the GAO’s Green Book doesn’t stop there, but instead shares several models that will help us be more conscious of fraud as we are assessing fraud risk: the fraud tree and the fraud triangle. We are going to discuss each in turn.

Like a good spiritual guide, the fraud tree and fraud triangle enhance consciousness

Both the fraud tree and the fraud triangle have helped me see fraud where I didn’t see it before.  And once your consciousness has been raised, you see new things everywhere.

You may have experienced this with your car.  I am the happy owner of a plain white Lexus sedan.  Before I owned a Lexus, I was oblivious to how many were on the road. Now I see them everywhere.  You remember that weird movie called The Sixth Sense… where the lead declares “I see dead people!”?  I see Lexi.

A broad overview of the fraud tree

As a supplement to this article, I am also going to publish a series of chapters from my book on fraud so you can get to know the fraud tree in more detail.  Be looking for those over the next few weeks. But in this short article, we are just going to do a broad overview of the fraud tree.

So don’t read any of those newsletters or read the rest of this newsletter unless you want to see fraud everywhere.

THE FRAUD TREE

A fraud investigator once told me, fraud is lyin’, cheat’n, and steal’n.  But the Certified Fraud Examiners are more formal about classifying fraud and use much better grammar.  The Certified Fraud Examiners came up with a whole taxonomy of occupational fraud which they dubbed the ‘fraud tree.’  If you are having a hard time reading the graphic below, visit the Certified Fraud Examiners page at http://www.acfe.com/fraud-tree.aspx for a clearer graphic.

Fraud Tree

The fraud tree divides fraud into three categories:

Corruption

Misappropriation of assets

Fraudulent reporting

Corruption includes bribery and extortion – which are flip sides of the same coin.  When a person without power pays a person in power for a favor, it is a bribe. When a person in power demands payment from someone who needs a favor, it is extortion.

A contractor with a Texas county told me that he and all of the other contractors knew that in order to win contracts, they would have to give expensive gifts to the county purchaser. Whenever requests for proposals were discussed with contractors, the purchaser would mention things he needed for his house – like a new grill or a lawnmower.  The contractors knew that whoever was first to buy the grill or lawnmower would win the contract. Eventually, the purchaser’s requests became more extravagant and frequent. The contractors had to take turns bidding on contracts, so they could distribute the extra expense more evenly among them.

Corruption also includes illegal gratuities.  An illegal gratuity is when you reward or pay someone in advance in hope of future favor. This is the way the US Congress works. Corporations and lobbyists support campaigns and slather favors on Congressmen in hopes that the Congressman’s decisions on future legislation will be favorable to them.

The last category in corruption is conflict of interest.  This is a wide category of bad behaviors where favors are granted to friends and family.  My friend has recently been elected treasurer of her homeowner’s association.  She has already found out that the chairman of the board is awarding work to companies that his daughters own.  My friend suspects, but cannot prove yet, that the chairman owns the companies and that the daughters are owners on paper only.

The second branch of the tree is misappropriation of assets. Misappropriation of assets is when cash or other assets of the organization are stolen or misused.  Notice that the fraud tree has two main branches under misappropriation of assets – 1. cash and 2. inventory and other assets.


Cash can be stolen in three ways: cash can be taken after it has been captured in the accounting records (larceny), or before it hits the accounting records (skimming), or it can be disbursed in what looks like legitimate transactions for illegitimate purposes, like payments to fake (ghost) employees or fake (shell) companies.  As you can tell from the tree, cash misappropriation includes a wide variety of creative categories for fraudsters to choose from.

Other assets, like inventory and fixed assets can be stolen or misused.  The mail clerk in a state agency I worked for was using the state’s van on weekends to deliver pizzas!

And the last category is fraudulent statements.  We are all aware of the infamous financial statement fraud scandals at Enron and WorldCom that wreaked havoc on our national economy.  But we might not be as well acquainted with non-financial statement fraud.  A false claim or statement for personal gain falls into this category.  Fifty-eight percent of hiring managers said they’ve caught a lie on a resume per a Career Builder Survey concluded in 2014. http://www.careerbuilder.com/share/aboutus/pressreleasesdetail.aspx?sd=8%2F7%2F2014&id=pr837&ed=12%2F31%2F2014  And many governments use performance measures to convince grantors and the citizenry that they are doing a good job handling public resources. But as you can imagine, sometimes these performance measures are altered, manipulated, or even completely made up.

One of my favorite stories about fraudulent performance measures is about the Public Works Department in the City of San Diego. Their Public Works Department said they filled potholes within a week, when the truth is most potholes took months to repair.  When asked about the discrepancy, the Public Works Department said that their definition of repaired does not meet most people’s definition of repaired.  Tricky?  Yes.  Fraudulent?  I’d say so because the managers in the Public Works Department benefited from exaggerating the Department’s effectiveness.  See the amusing article about this fraud here: http://www.voiceofsandiego.org/topics/government/the-citys-false-pothole-pledge/

When I audited performance measures at a state department of criminal justice (the state prison system), I found that most measures were pulled directly out of the sky.  They were estimates that made the department look good, not measures of real results.

If you were reading closely, you might have noticed a small difference in wording

I don’t really know why the GAO and the COSO model chose to leave out non-financial statement fraud from their literature, but they did.  Here is the quote referring to the fraud tree in the Green Book:

Green Book 8.02 Management considers the types of fraud that can occur within the entity to provide a basis for identifying fraud risks.  Types of fraud are as follows:

  • Fraudulent financial reporting - Intentional misstatements or omissions of amounts or disclosures in financial statements to deceive financial statement users. This could include intentional alteration of accounting records, misrepresentation of transactions, or intentional misapplication of accounting principles.
  • Misappropriation of assets - Theft of an entity’s assets. This could include theft of property, embezzlement of receipts, or fraudulent payments.
  • Corruption - Bribery and other illegal acts.

See how the Green Book doesn’t talk about fraudulent statements in general but fraudulent financial statements only.

If you are an aficionado of SAS 99 (now AU 316), the AICPA’s guidance on an auditor’s responsibility for detecting fraud, you may recognize that the AICPA focuses their discussion of fraud on fraudulent financial statement reporting only.  This makes sense because the AICPA is clear about its audit objective – to opine on whether the financial statements are created in accordance with an accounting standard (usually GAAP).  But the Green Book, because it covers an entire organization, should include all components of the fraud tree.

If you know the reason for this, please share.  Otherwise, I am going to say it is a flaw of the Green Book until someone can convince me otherwise.

Next time, we will discuss the fraud triangle and do an example fraud risk assessment.
