For full functionality of this site it is necessary to enable JavaScript. Here are the instructions how to enable JavaScript in your web browser.

CPE for Government Auditors

Little frauds are a big deal in government.

Please enjoy Chapter 1 of An Auditor’s Responsibilities for Fraud in the Government Environment, available at


  • Differentiate between auditing for fraud in the government environment and auditing for fraud in the commercial environment

Fraud – it’s a costly thing! Whether it is committed in the government environment or the commercial environment, those who practice it leave victims in their wake and rob taxpayers and businesses of their money.

You’ve heard the stories about the small town sheriff who used prisoners to landscape his backyard. Or the court clerk who takes bribes to dismiss traffic tickets. Or the school lunch lady who takes home a portion of the kids’ lunch money every day.  Cities are going bankrupt because their leaders rewarded themselves with huge salaries, perks, and pension benefits.  These stories of fraud crop up every day in the press and make us think badly of our government leaders.

But we also see similar stories in business.  Let’s not fool ourselves into believing that corporations are any better than the government at running things. I have had the privilege of working at a dozen or so Fortune 500 companies and they all have their quirks, and all have suffered from employee fraud.

Maybe it is just the people with whom I hang out, but most dinner conversations eventually include a few criticisms of our government.  And the tacit agreement among most of my friends and family is that corporations operate more effectively and efficiently than government.  But I think they are wrong.  I think both corporations and governments are flawed.  I have never encountered a perfect organization.  Have you?

My husband recently treated me to an Apple laptop – which I love by the way. And I was curious about how Apple had created such great products so I watched a MSNBC business documentary about Apple. It turns out that Apple folks argue, and fail, and torment each other while creating products.  Time is wasted, people get their feelings hurt, and the company loses massive amounts of money. But, they create a great product in the end, don’t they?

Governments, with all of their faults, create great products and services for us, too.  They pick up our trash, fix our roads, educate our children, and respond to emergencies.  Even the tiniest cities are responsible for a wide range of services, from police and fire protection to courts, water and sewer, garbage disposal, inter‑government relations, health programs, parks and recreation, bus systems, and airports. No wonder things get out of hand every so often.  The more stuff there is to manage, the more opportunities for fraud to be committed.

Fraud Defined

Unfortunately, leaders and managers of government programs and of businesses engage in bad behaviors such as fraud, illegal acts, violations of contracts, abuse, and unethical behavior. This text focuses on fraud that occurs in government: more specifically, what you should do when you detect fraud in government.

In this text, I hope to give you the ability to discern between fraud and other bad behaviors in government.  I also hope that you will be able to recognize fraud when you see it and know what your professional responsibilities are regarding fraud.

So, first you need to know what fraud is.

According to the dictionary[1], fraud is: “deceit, trickery; specifically: intentional perversion of truth in order to induce another to part with something of value from someone else or to surrender a legal right.

This is how the Government Accountability Office (GAO) defines fraud in the Yellow Book:

8.73     …Fraud involves obtaining something of value through willful misrepresentation. …

Basically, fraud is a willful act in order to gain something for personal use. In super simple terms, fraud is lying, cheating, and stealing. When it happens in business it is bad. When you have fraud in government it is often much, much worse.

Victims of Fraud in Government

When a bookkeeper steals money from a businessman, it is ugly and wrong.  But how much nastier is it when a bookkeeper takes monies destined to feed impoverished children? The elderly? War veterans?  Take your pick of disadvantaged or deserving groups, and the government probably helps them in some way.  When fraud occurs in the government, there are many helpless victims, and it is a crying shame.  It is one thing for business owners or corporations to lose their resources but another when fraud consumes the resources that are destined to become school lunches, infant formula, military armor, or low-income housing.

When I was in public accounting, auditing a car parts manufacturer in Eagle Pass, Texas, my ultimate customer was the owner of the business or the banker who used the audit report.  But when I audit a HUD project, a low-income apartment complex, whom is my ultimate customer?

Yes, HUD, the feds, the state, the city, the management of the housing project all are involved and concerned about the project.  But my ultimate customer is a 3 year-old toddler living in the complex with her single mother who works two jobs to keep the family together.

I have had the opportunity to work for a variety of governmental audit organizations including federal, state, and local government audit organizations. The stories I hear about and witness regarding governmental waste, fraud, and abuse are numerous and sad.

A Higher Purpose

When government works well, it is a wonderful thing.  And our job, as government auditors, is to make the government work better.

The 2018 version of the Yellow Book contains an introductory statement letter from Gene Dedaro, the Comptroller General of the GAO.  He said, in part:

Given the current challenges facing governments and their programs, the oversight provided by auditing is more critical than ever. Government auditing provides the objective analysis and information needed to make the decisions necessary to help create a better future.

The Yellow Book itself states:

1.07     Engagements performed in accordance with GAGAS provide information used for oversight, accountability, transparency, and improvements of government programs and operations.

One city auditor has a personal mission that transcends the day-to-day work of auditing.  He believes his ultimate goal is to make sure that the city’s resources are directed to those who don’t have a voice, to those who are disenfranchised and in need of help.  Bravo! I am glad to know he is on the job.

3.08     A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest. This responsibility is critical when auditing in the government environment. GAGAS embodies the concept of accountability for public resources, which is fundamental to serving the public interest.


Little Misbehaviors can be a Big Deal in Government

If you have not worked in government before, I need to warn you that little things can easily become a big deal.

One of my buddies got a job as a city manager of an east Texas town.  Early in his tenure, a scandal rocked his office.  His executive assistant used the city’s stamp machine to mail her Christmas cards.  The local press went wild over the whopping $60 in postage and painted his office as wasteful and out of control.  He had to let her go to save his job and the jobs of others in his department.

This boils down to for whom we work when we work for the government: the citizens.  Citizens own the government.  They work hard, pay their taxes, and choose lawmakers to create programs to do very specific things – such as build a library, feed low-income children, or clean up the beach.  It really upsets and angers them when their money is misspent or flat out stolen.

Materiality in Government

And that brings us to the topic of materiality.  Materiality is a term used in auditing to indicate the importance of a matter in relationship to other matters.  Risk-based auditing requires auditors to delineate between important or risky matters and insignificant matters. The auditor cannot and should not look under every rock for problems, examine every transaction, or consider every risk because they will never finish the audit project!

You may hear an auditor saying something like, “That is not material.”  And what he is really saying is, “I am not going to look at that because I don’t care as much about that as I do something else.”  For instance, an auditor may not examine a petty cash account of $200 but will examine equipment worth $70,000.

One wise auditor in a class I held in California pointed out that many of his corporate clients are high-flying, incredibly busy executives who could care less about a small fraud.  Small frauds could be managed by front line managers and do not warrant inclusion in the audit report.

In a corporation, access to the stamp machine, the copy machine, goodies, cake, and spa retreats are all perks of the job.  Remember when AIG spent $500K on a spa retreat for executives one week after the feds bailed them out?  The public was outraged, and AIG simply said, “Oh, we always do that. What’s the big deal?”

But in government, expectations for what is acceptable behavior are different. One federal inspector general for whom I work forbids his employees from holding birthday celebrations or eating in the office on government time. He does not want to be perceived as wasting taxpayer dollars.  When I work for a government, I have a hard time finding a cup of coffee, much less a pastry or a massage!

Once I attended the annual picnic at a state audit organization where they gave out awards for the most stupid finding of the year.  A guy named Jesse won the award for writing up a finding for a questioned cost of 52 cents.  Yep.  The federal grantor had told the state auditor they wanted to know about everything they had found. Jesse was just doing his job, literally!

While the AICPA (American Institute of Certified Public Accountants) standards are primarily written for audits of financial statements of commercial entities, the GAO (Government Accountability Office) standards are written for audits of governments.  The GAO counsels us – but doesn’t require us – to set a lower materiality level on government engagements than on engagements following AICPA standards. Here is their reasoning:

6.03     …Additional considerations may apply to GAGAS financial audits of government entities or entities that receive government awards. For example, in audits performed in accordance with GAGAS, auditors may find it appropriate to use lower materiality levels as compared with the materiality levels used in non-GAGAS audits because of the public accountability of government entities and entities receiving government funding, various legal and regulatory requirements, and the visibility and sensitivity of government programs.

Over and over, the GAO’s Government Auditing Standards distinguish between the purpose of their standards and the AICPA’s purpose for their standards.  And here the GAO says that government programs are more visible and sensitive.  In other words, little things matter in government! And what do we know about government? They care about it all!  Little, big, all of it!  So, a broader range of bad behaviors is reportable in this realm.

Do you think the federal grantor who doesn’t want employees eating cake on government time would care about the stamp machine incident?
Probably.   So while you might not report a small fraud for a business owner, you probably should in government.

The 2018 version of the Yellow Book identifies several methods by which you can report fraud depending on its significance or materiality.

If the fraud is material, then the auditor must write a finding and include it in the audit report. This language is excerpted from the financial audit standard, but the performance audit standards say something similar:

6.41 Auditors should include in their report on internal control or compliance the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect … 2 fraud that is material, either quantitatively or qualitatively, to the financial statements or other financial data significant to the audit objectives. 

And if the fraud is not material, but still warrants the attention of management, the auditor should communicate with management in writing:

6.44 Auditors should communicate in writing to audited entity officials when …b. the auditor has obtained evidence of identified or suspected instances of fraud that have an effect on the financial statements or other financial data significant to the audit objectives that are less than material but warrant the attention of those charged with governance. 

Accountability is an Ideal for Which We Strive

The GAO likes the concept of accountability so much that they changed their name from the General Accounting Office to the Government Accountability Office.  They even refer to auditors in their literature as “accountability professionals.”

Because we citizens are the owners of our government, we have a right to see where our money goes. Good governments seek transparency in their actions and their financial information. And if we know what the government does because they are transparent, we can hold those working for the government accountable for their actions.  That is the theory, anyway.

1.02 The concept of accountability for use of public resources and government authority is key to our nation’s governing processes.1.03 As reflected in applicable laws, regulations, agreements, and standards, management and officials of government programs are responsible for providing reliable, useful, and timely information for transparency and accountability of these programs and their operations.Legislators, oversight bodies, those charged with governance,and the public need to know whether (1) management and officials manage government resources and use their authority properly and in compliance with laws and regulations; (2) government programs are achieving their objectives and desired outcomes; and (3) government services are provided effectively, efficiently, economically, ethically, and equitably.

But accountability can be hard attribute to any one person in government.  Because of the complexity of government and the vast array of services the government offers to its citizens, losses due to fraud, waste, and abuse in government are often absorbed into the complex bureaucracy, and no one is held accountable.

When my children were small, we visited my aunt in Jefferson County, Alabama. My aunt lives  just outside of Birmingham, and she warned my children not to get in or touch the pretty lake on which she live because it was contaminated. In 1993, Jefferson County, Alabama was prosecuted for contaminating local creeks with raw sewage.

To fix the contamination problem, the county issued bonds to finance water treatment facilities.  The project has been plagued with corruption and the county commissioner was jailed in 2010 for accepting bribes.

And to add insult to injury, an unscrupulous Florida investment banker talked the county into defeasing the bonds using a complicated swap.  Then the county suffered from low tax collections in 2008, and had to lay off 1400 workers.  For a time, it appeared that the county would go bankrupt and default on the bonds.

No one, including the state of Alabama, wants the county to go bankrupt! Birmingham is the state’s most vibrant city. A failure there would make Alabama look less appealing to investors and industry. So the initial $3 billion dollars in bond debt was renegotiated and reduced to less than $1.4 billion.

Is anyone in government in jail for these poor decisions regarding the bonds? Did anyone responsible lose his or her jobs? And who ate the other $1.6 billion?  These mysteries may never be solved because so many were involved in the decisions.[2]But the citizens of Jefferson County deserve better.


Fraud occurs in both corporations and governments. Government auditors have a higher purpose, and that is to protect the recipients of government programs and citizens from fraud, waste, and abuse of their resources.

When auditing for fraud in the government, you need to be aware that:

  • Victims of fraud in government are ultimately the individuals that government intends to help.
  • You should reduce your materiality level when auditing governments.
  • Citizens want and deserve government leaders to be held accountable (and for every penny) for fraudulent activities.

[1]“Fraud.” Online Merriam-Webster Dictionary. April 10, 2012.
[2]Matthew Bigg. “Alabama’s Jefferson county sees hope for debt deal.” Reuters[London]. April 9, 2010.

163 Times!

The 2018 version of the Yellow Book mentions audit objectives 163 times in one chapter; Chapter 8 the Performance Audit Fieldwork chapter. That tells me that objectives run the show!

A few years ago, I created a white paper on objectives.  The concepts covered in the white paper are even more important today.  Please find a copy of it here.

And if you want to experience creating and refining objectives along with me, please join me in Austin on September 6 &7.

Audit on!


The 2018 Yellow Book is OUT!

The GAO issued the 2018 version of Generally Accepted Government Auditing Standards Tuesday.

Find the online version here:

Find an audio summary of the changes to the standards here:

I suggest you scan chapter 4 and specifically section 4.16 to make sure you are compliant with the CPE requirements.

Also notice that the GAO has defined the roles of a supervisor and a reviewer inside the quality control chapter in sections 5.36-5.40.

And that the Green Book (Standards for Internal Control in the Federal Government) are mentioned several times in the document: 4.23, 6.30, 7.32, 8.41 & 8.130.

I’ll get back to you soon with a more thorough analysis of the changes and what they mean for you.

Stay cool!

What is an auditor?

Please enjoy this first chapter of self-study book Essential Skills for Government Auditor  available on

So here you are, an auditor. No other job title is more likely to be a conversation stopper at a dinner party.  No one likes to be audited.

But auditors do have an important role to play because, unfortunately, government leaders can’t trust program managers when they say, “Everything here is fine.  Don’t worry about us!” Government leaders and citizens do worry and want assurance from someone they can trust that everything is going well.  The auditor is that professional whom the leaders and the citizens can trust.

One definition of auditor is:  An independent professional who evaluates a subject matter against agreed-upon criteria.

This definition has several important components: independence, subject matter, and criteria.  Let’s look at each of those components in turn.


Auditors must be independent of their clients and the subject matter they are auditing.  But who are these clients?

The Government Accountability Office (GAO), the federal audit organization that writes the governmental auditing standards (a.k.a. the Yellow Book) has a very broad definition of client.  The GAO says, “A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest.” And they define public interest as “the collective well-being of the community and entities the auditors serve.”  Did you know you had such a noble job?

CPAs are held to the same standard. They are certified “public” accountants after all. They have a primary responsibility to the public and a secondary responsibility to their audit client.

Clients in the government realm include management of the auditee, governing bodies, oversight bodies, special interest groups, other citizens, and the people who actually benefit from the government’s services.

If you think about it, auditors are often the only professionals involved in an organization or in a program who can comfortably speak the truth because they are, hopefully, shielded from backlash because they are independent.

GAGAS (Yellow Book) 20113.04     Auditors and audit organizations maintain independenceso that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by reasonable and informed third parties. Auditors should avoid situations that could lead reasonable and informed third parties to conclude that the auditors are not independent and thus are not capable of exercising objectiveand impartial judgment on all issues associated with conducting the audit and reporting on the work.

The recipients of governmental funds aren’t likely to uncover their own risks or highlight their own weaknesses because they could lose their funding. And the oversight bodies might be so far removed from the program that they don’t have a sense of what is really happening.

You can make quite a difference in an organization. The GAO’s Yellow Book says that you are “essential to the nation’s governing process!” Wow, that is quite a responsibility!

Consulting vs. Auditing

Some professionals who call themselves auditors are actually consultants. They help the client implement systems or spend months working to help the client with a technical issue. Consultants are allowed to get involved in the day-to-day operations of a department.

The Institute of Internal Auditors (one of the standard setting bodies that I will explain further in the next chapter) encourages consulting and has created consulting standards for their members.

The Government Accountability Office (GAO) calls consulting by another name, “non-audit services,” and puts up numerous barriers to prevent auditors from also serving as consultants. The GAO believes that you cannot both consult regarding an audit subject matter and later serve as objective, independent evaluator of the same subject matter.

In this text, our focus will be on auditing and auditing standards.

Subject matter and criteria

Auditors opine or conclude on whether a subject matter meets a certain criteria.

All auditors struggle to keep their audits limited in size and scope. It is extremely easy to create monstrous projects that are hard to reign in and report on.

In response to this struggle, most audit standards require that you develop a finite objective and scope for each engagement.   Imbedded in the audit objective are the audit subject and the criteria the auditor will use to evaluate the audit subject.

The GAO has this to say about the audit objective and scope in the Yellow Book:

GAGAS6.08The objectives are what the audit is intended to accomplish. They identify the audit subject matter and performance aspects to be included, and may also include the potential findings and reporting elements that the auditors expect to develop. Audit objectives can be thought of as questions about the program that the auditors seek to answer based on evidence obtained and assessed against criteria. The term “program” is used in GAGAS to include government entities, organizations, programs, activities, and functions.GAGAS 6.09

Scope is the boundary of the audit and is directly tied to the audit objectives. The scope defines the subject matter that the auditors will assess and report on, such as a particular program or aspect of a program, the necessary documents or records, the period of time reviewed, and the locations that will be included.

The objective and scope define what the project is, as well as what it is not. Objectives are assessed against agreed upon criteria, which are benchmarks established by law, governing organizations, or company policies and procedures. (For more on criteria, read Chapter 6.)

To satisfy the audit objective, you will gather and document audit evidence.  The techniques that you use to gather evidence are called audit methodologies.

6.10     The methodology describes the nature and extent of audit procedures for gathering and analyzing evidence to address the audit objectives. Audit procedures are the specific steps and tests auditors perform to address the audit objectives. Auditors should design the methodology to obtain reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions in relation to the audit objectives and to reduce audit risk to an acceptable level.

All three of these elements – the objective, scope, and methodology – are essential to describe what you seek to accomplish on the audit. (For more on methodology, see Chapter 15.)   The GAO requires that auditors both document these three defining elements in the working papers and disclose them in the audit report.

Audit deliverables

As Stephen Covey says, you should begin with the end in mind.  So before we dig in to the steps of conducting an audit, let’s look at what you will have when you are all done.  Auditors create three deliverables from an audit project:

  • The answer to the audit objective – called either an audit conclusion or an audit opinion
  • Findings – issues that the auditor would like to see addressed or corrected by the client
  • Working papers –documentation of the evidence the auditor gathered to support the conclusions and the findings.

If you are following GAO’s audit standards (The Yellow Book) for performance audits, you must put this promise – word for word – in your audit report:

7.30     We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

As you seek to satisfy your audit objectives, you will gather evidence using audit methodologies.  Some auditors call audit methodologies audit tests or audit program steps.  The results of applying these methodologies must be documented.

6.79     Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed, the audit evidence obtained and its source and the conclusions reached, including evidence that supports the auditors’ significant judgments and conclusions. An experienced auditor means an individual (whether internal or external to the audit organization) who possesses the competencies and skills that would have enabled him or her to conduct the performance audit. These competencies and skills include an understanding of (1) the performance audit processes, (2) GAGAS and applicable legal and regulatory requirements, (3) the subject matter associated with achieving the audit objectives, and (4) issues related to the audited entity’s environment.6.80     Auditors should prepare audit documentation that contains evidence that supports the findings, conclusions, and recommendations before they issue their report.

Questions auditors answer

In order to give the client assurance regarding an audit subject, you must answer questions that naturally arise as you seek the answer to your audit objective.

Notice that these questions assume that something is wrong.  Auditors tend to think that way!  Because of time constraints, auditors focus on risks, negative events, and the issues that need fixing instead of proving the good that occurs in an organization.  In that way, auditors are like journalists.

  1. What is the current state of affairs? (condition)
  2. What should be the current state of affairs? (criteria)
  3. What has caused the current state of affairs? (cause)
  4. Why is the current state of affairs undesirable? (effect)
  5. What should be done to correct the current state of affairs? (recommendation)

You will see these questions used in later chapters and referred to as the “elements of a finding.” Auditors following IIA & GAO standards use them to write audit findings when they find something that needs to be corrected, such as an internal control weakness, non-compliance, fraud, and/or abuse.

What I hope to do in this text is show you the steps auditors follow to create their three main deliverables (the conclusion/opinion, the findings, and the audit documentation) as well as give you the tools to answer these questions for your clients.

Let’s tweak that definition of an auditor

Now that we have discussed independence, audit subject matter, audit criteria, and audit deliverables, we should tweak our definition of an auditor. We began the chapter with this definition: An independent professional who evaluates a subject matter against agreed-upon criteria.

Please allow me to enhance it a bit based on what we just read: An auditor is an independent professional who concludes whether a subject matter meets an agreed upon criteria by gathering evidence through performing custom-designed audit methodologies.  Aren’t you glad I didn’t start with that?

Yellow Book Ethics

Enjoy this excerpt from the self-study text: The Yellow Book Interpreted which qualifies for 15 hours of CPE.


The GAO has a few things to say about a government auditor’s ethical responsibilities and, thus, added a large section on ethics to the 2007 revision of the Yellow Book.  The same ethical principles appear in the 2017 exposure draft.

Themes of GAGAS
GAGAS is a very high-minded document.  And, in order to understand the GAO’s perspective on ethics, we need to talk about three themes of the Yellow Book that kick off the first chapter of the standards.

These three themes — accountability, transparency, and service -­- put us in the right frame of mind when auditing in the government environment.

What is accountability? I had heard the term tossed around the government so frequently that I never even thought about its meaning.  Now I know that accountability does not mean that you got it right. It just means that you take ownership of it.

I met a cowboy auditor in West Texas who said, “You might be right or you might be wrong, but you’d better the hell document it.”  That sums up accountability quite nicely.  When things go bad, you are there to say, “Yes, that was me.  I’m sorry.”  When things go well, you can keep your job.

Recently on CNN, I saw a high school coach who was responsible for the death of one of his teenage football players.  And instead of being contrite, he said something like, “Everyone is forgetting that I suffered a loss, too, and that I will hold on to this for the rest of my life.”  That is not exactly what the parents of that boy wanted to hear. He deflected accountability and tried to engender empathy for himself.  I doubt that will serve him well in his community.

The GAO repeatedly reminds us that we are accountable to the taxpaying public for our actions and that we, as auditors, have a role in holding government leaders accountable.

1.01      The concept of accountability for use of public resources and government authority is key to our nation’s governing processes.

1.03     Government auditing is essential in providing accountability to legislators, oversight bodies, those charged with governance, and the public. Audits provide an independent, objective, nonpartisan assessment of the stewardship, performance, or cost of government policies, programs, or operations, depending upon the type and scope of the audit.

One of the tough things about the GAO standards is they are not written for government officials (although government officials are mentioned a few times); they are written as standards for auditors.  So, while we hold public officials and employees accountable for their actions, we are accountable for our actions, too.

Actions and information that is transparent is open for everyone’s inspection and review.

1.05     Audits performed in accordance with GAGAS provide information used for oversight, accountability, transparency, and improvements of government programs and operations. GAGAS contains requirements and guidance to assist auditors in objectively acquiring and evaluating sufficient, appropriate evidence and reporting the results. When auditors perform their work in this manner and comply with GAGAS in reporting the results, their work can lead to improved government management, better decision making and oversight, effective and efficient operations, and accountability and transparency for resources and results.

The state of Texas has put every single transaction online – LIVE— and rates the transparency of local government as well.  I can, with a few clicks of the mouse, see that the Texas Department of Transportation bought a van, how much the van was, who they bought it from, why they need it, and what color of funds (general revenue, special revenue, enterprise revenues) paid for it.

Why?  Because citizens own the government, and we have a right to know.  Google “windows on Texas state government” to start your own exploration.

If you audit Hurst Construction, your ultimate audience for the audit report is Mr. Hurst, his board of directors, and the bank.  But, if you audit a public housing project, your ultimate clients are not the managers of the project, the boards of directors, or the banks.  Your ultimate beneficiaries of the report are not even the grantors.  The ultimate beneficiaries of your work are the low-income children who live in the housing project.

We have to remember, as governmental auditors, that we are checking to see whether tax dollars are being used for their intended purpose and whether the public is being served by our auditee’s efforts.

1.16      A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest. This responsibility is critical when auditing in the government environment. GAGAS embodies the concept of accountability for public resources, which is fundamental to serving the public interest.

We hold our clients to a higher standard of behavior than we do in the commercial sector. While it was OK for AIG to go on a lavish $500,000 spa junket before the US taxpayers bailed them out, it certainly was not OK after the bailout.

Later, we will see that the GAO asks you to report even more bad behaviors than the AICPA does.  If Mr. Hurst wants to put his jet-setting, never-worked-a-day-in–their-life kids on the payroll, more power to him. Auditors in the commercial realm do not have a responsibility to say anything about that. But in the government realm, we call that abuse, and we do have a responsibility to report it.  We’ll discuss more about abuse later.

Five main sections of the ethics section
The ethics discussion is divided into five main principles:

a.   The public interest
b.   Integrity
c.   Objectivity
d.   Proper use of government information, resources, and position
e.    Professional behavior

Let’s discuss each one in turn.

The public interest 
A city auditor once told me that he sees a higher purpose in his work.  It is his job to make sure that the monies collected by the city are turned back to support those who need services and who may not have a voice in the government.  He works on the citizens’ behalf, and because of this higher purpose, he doesn’t care whether he makes his auditees upset with his reports.  Now that is integrity!

1.15      The public interest is defined as the collective well-being of the community of people and entities the auditors serve. Observing integrity, objectivity, and independence in discharging their professional responsibilities assists auditors in meeting the principle of serving the public interest and honoring the public trust. The principle of the public interest is fundamental to the responsibilities of auditors and critical in the government environment.

In my business I transfer in and out of two worlds – the government world and the commercial world – and indeed they are different.

An auditor from the GAO made the distinction between the two by saying that in the commercial world fortunes are made by doing what is not expressly prohibited; in the government world action won’t be taken unless it is expressly permitted.

Commercial entities do not seek transparency.  At the Apple corporate headquarters store, they sell a T-Shirt that says, “I visited the Apple Corporate Offices in Cupertino… and that is all I can say about it.”

But government auditors must shine light in dark places in order to serve their customer, the public.  And taxpayers get very, very upset if even a tiny bit of their hard-earned tax dollars are squandered.

Not long ago, I was helping a government employee retirement system develop a training event. Afterwards, to celebrate our success, we all went out to a first-rate steakhouse in Dallas – you know the type, where you pay $45 for an à la carte steak. We had wine and appetizers, and one guy ordered a $35 brandy. I was very uncomfortable. I thought that if any of their members walked in and recognized them as the folks in charge of their retirement funds, the retirement system would have a lot of explaining to do. The retirees don’t want their money squandered on high living for government employees!

If you work for a corporation, go ahead and enjoy the perks and the luxuries. But when you work for government, don’t be surprised if you can’t even get a cup of coffee!

Integrity & Objectivity
Many seasoned professionals have told me that they believe that auditor independence is an unattainable ideal; an external auditor’s independence is compromised when the auditee writes a check to pay the auditor’s fee and an internal auditor takes a salary from the entity they audit. They argue, that at best, an auditor can provide an objective viewpoint and maintain integrity by making sure that external pressures do not force them to cover up the truth.

Later in this text, when we examine the GAO’s guidance for independence, the concepts of integrity and objectivity introduced here in the ethics chapter are raised again.

Both the integrity and objectivity sections of the ethics chapter of the Yellow Book mention auditor independence and freedom from political or ideological bias.

1.17      Public confidence in government is maintained and strengthened by auditors performing their professional responsibilities with integrity. Integrity includes auditors conducting their work with an attitude that is objective, fact-based, nonpartisan, and nonideological with regard to audited entities and users of the auditors’ reports… 

1.18      … In discharging their professional responsibilities, auditors may encounter conflicting pressures from management of the audited entity, various levels of government, and other likely users. Auditors may also encounter pressures to inappropriately achieve personal or organizational gain. In resolving those conflicts and pressures, acting with integrity means that auditors place priority on their responsibilities to the public interest.

1.19      The credibility of auditing in the government sector is based on auditors’ objectivity in discharging their professional responsibilities. Objectivity includes independence of mind and appearance when providing audits, maintaining an attitude of impartiality, having intellectual honesty, and being free of conflicts of interest…The concepts of objectivity and independence are closely related…

Proper use of government information, resources, and position
A professor at UT Arlington teaches ethics and leadership to government leaders in Romania. He develops case studies for them to ponder each week.

One case study asked the students to discuss the ethical dilemma posed when a mayor used city employees to build a brick barbecue pit in his backyard – clearly an improper use of government resources. The professor didn’t hear back from his students in Romania for a month.

After several Skype conversations, the Romanians finally admitted that they just didn’t understand the ethical issue in the scenario. Using the labor of government employees for personal benefit is one of the perks of being a government leader in Romania! That professor has a lot of work to do!

1.20     Government information, resources, and positions are to be used for official purposes and not inappropriately for the auditor’s personal gain or in a manner contrary to law or detrimental to the legitimate interests of the audited entity or the audit organization. This concept includes the proper handling of sensitive or classified information or resources.

1.23     Misusing the position of an auditor for financial gain or other benefits violates an auditor’s fundamental responsibilities. An auditor’s credibility can be damaged by actions that could be perceived by an objective third party with knowledge of the relevant information as improperly benefiting an auditor’s personal financial interests or those of an immediate or close family member; a general partner; an organization for which the auditor serves as an officer, director, trustee, or employee; or an organization with which the auditor is negotiating concerning future employment.

Professional behavior
Any behavior that could cause someone to question your professionalism can detract from your credibility. And credibility helps sell audit recommendations.

1.24     High expectations for the auditing profession include compliance with all relevant legal, regulatory, and professional obligations and avoidance of any conduct that might bring discredit to auditors’ work, including actions that would cause an objective third party with knowledge of the relevant information to conclude that the auditors’ work was professionally deficient…

Consider the following true scenario (with a few small changes to protect identities): You are the internal audit director of a large city. You recently hired a new auditor fresh out of college and assigned him to conduct a performance audit of your city’s police department.

Everything has been going well until last week when you saw a photo of him in the local newspaper at the city’s Mardi Gras celebration. He was pictured near the top of a street light without his shirt wearing dozens of bead necklaces. The police stood below and appeared to be yelling at him to come down.

You show him the picture and he becomes immediately defensive and tells you that what he does on his own time is none of your business. He reasoned that he had some college buddies in town and it was natural for him to show them a good time.

This standard on professional behavior does not mention that it applies only to an auditor’s work life. But does this auditor’s behavior during his personal time compromise his credibility with the police force? Yes, indeed!  How is he going to face the officers during an exit conference?

To maintain your shop’s professional image, you will probably have to remove this young auditor from the engagement and replace him with another auditor from your shop.

Auditors are paid for our credible, objective, high integrity opinions and conclusions about an audit subject.  And this young man blew all that away with his antics.

Borrowing from the later discussion on independence in chapter 3:

3.04     Auditors and audit organizations maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by reasonable and informed third parties. Auditors should avoid situations that could lead reasonable and informed third parties to conclude that the auditors are not independent and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work.

In our next chapter, we will address the types of audits covered by Yellow Book standards.

Pulling It All Together

What’s the matter with the crowd I’m seeing?
“Don’t you know that they’re out of touch?”
Should I try to be a straight-A student?
“If you are then you think too much.
Don’t you know about the new fashion, honey?
All you need are looks and a whole lot of money?”
It’s the next phase, new wave, dance craze, anyways
It’s still rock and roll to me.
Everybody’s talkin’ ‘bout the new sound
Funny, but it’s still rock and roll to me.
It’s Still Rock and Roll to Me, Billy Joel


  • Sequence the steps of developing an internal control structure

Whew!  You made it. We are in the last chapter! Congrats, you have held on through a long case study and a complicated model.

In this final chapter, we are taking another look at the steps of creating a control structure from scratch which will also serve as a review of this text. I will quote various excerpts from the Green Book as I go.  Also, we will address what happens when auditors visit to evaluate your controls.

Steps of developing controls

As I see it, the steps of developing controls are as follows:

1.Choose a subject matter

Maybe you have been asked to develop controls for a whole organization or just a segment of an organization.  In either case, you will benefit from breaking your subject matter down into smaller more defined segments because it is easier to imagine controls for something specific than to imagine controls for something broad.

For instance, if I asked you to control the University of Michigan, you would probably walk out the door never to come back!  But if I asked you to control student financial aid at the University of Michigan, you would feel better.  If I asked you to set up controls to make sure that student financial aid at the University of Michigan is distributed on time, you’d feel super because that is very doable!

The side of the COSO cube prompts us to break the subject matter down into segments.  In the COSO and Green Book literature, the side of the cube is dubbed the ’levels of organizational structure.’  I think of it instead as ‘what’ you are planning to control.

2. Focus on what is risky

Now that you have broken the organization up into segments, you can hone in on the segments that are the most likely to cause trouble.

Risk assessment is the second control component on the face of COSO model, but it is, in practice, the first component you consider when establishing controls.

For each piece, you ask four questions:

  1. What could go wrong?
  2. So what?
  3. How big of a deal is the ‘so what?’
  4. How likely are things to go wrong?

Here are the terms the Green Book uses for all of these questions:

  1. What could go wrong? The Green Book calls the answer to this question ‘identified risks.’
  2. So what?  The Green Book calls this ‘significance.’
  3. How big a deal is the so what?  The Green Book calls this ‘magnitude.’
  4. How likely are things to go wrong?  The Green book calls this ‘likelihood.’

From the Green Book:

7.05 Management analyzes the identified risks to estimate their significance, which provides a basis for responding to the risks. Significance refers to the effect on achieving a defined objective. 

7.06 Management estimates the significance of the identified risks to assess their effect on achieving the defined objectives at both the entity and transaction levels. Management estimates the significance of a risk by considering the magnitude of impact, likelihood of occurrence, and nature of the risk. Magnitude of impact refers to the likely magnitude of deficiency that could result from the risk and is affected by factors such as the size, pace, and duration of the risk’s impact. Likelihood of occurrence refers to the level of possibility that a risk will occur. The nature of the risk involves factors such as the degree of subjectivity involved with the risk and whether the risk arises from fraud or from complex or unusual transactions. The oversight body may oversee management’s estimates of significance so that risk tolerances have been properly defined. 

3. Decide if you want to tolerate the risk

When you are confronted with a risk, you have four choices of how to handle it:  you can accept it and live with the possible consequences, you can avoid it by not doing the activity, you can mitigate it by layering on controls or you can ask someone else to take on responsibility for it.

If you choose to keep on doing or to tolerate the activity that causes the risk, but you’d rather not suffer from this choice, you will proceed through the rest of the steps laid out here to help you create the controls to mitigate the risk.  Mitigate is a fancy word for ‘reduce.’

From the Green Book:

7.08 Management designs responses to the analyzed risks so that risks are within the defined risk tolerance for the defined objective. Management designs overall risk responses for the analyzed risks based on the significance of the risk and defined risk tolerance. These risk responses may include the following: 

  • Acceptance - No action is taken to respond to the risk based on the insignificance of the risk. 
  • Avoidance - Action is taken to stop the operational process or the part of the operational process causing the risk. 
  • Reduction - Action is taken to reduce the likelihood or magnitude of the risk. 
  • Sharing - Action is taken to transfer or share risks across the entity or with external parties, such as insuring against losses. 
8.06 Management analyzes and responds to identified fraud risks so that they are effectively mitigated. Fraud risks are analyzed through the same risk analysis process performed for all identified risks…

4. Come up with a control objective

In order to focus your efforts and make sure that everyone is clear about what you are working toward, the Green Book recommends you come up with a clear control objective.

The Green Book talks about objectives in two layers.  In one layer, they ask you to consider ‘why’ you want to control something.   Is it because you are concerned about operations, compliance or reporting? The GAO calls these ‘categories of objectives’ and they are listed on the top of the cube.
Description: Macintosh HD:Users:Leita:Dropbox:+TOPICS:controls:coso model picture:Slide1.jpg

OV1.01 Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved (see fig. 2). These objectives and related risks can be broadly classified into one or more of the following three categories: 

  • Operations - Effectiveness and efficiency of operations 
  • Reporting - Reliability of reporting for internal and external use 
  • Compliance - Compliance with applicable laws and regulations 

OV1.02 These are distinct but overlapping categories. A particular objective can fall under more than one category, can address different needs, and may be the direct responsibility of different individuals. 
Operations Objectives 

OV2.19 Operations objectives relate to program operations that achieve an entity’s mission. An entity’s mission may be defined in a strategic plan. Such plans set the goals and objectives for an entity along with the effective and efficient operations necessary to fulfill those objectives. Effective operations produce the intended results from operational processes, while efficient operations do so in a manner that minimizes the waste of resources. 

OV2.20 Management can set, from the objectives, related subobjectives for units within the organizational structure. By linking objectives throughout the entity to the mission, management improves the effectiveness and efficiency of program operations in achieving the mission. 

Reporting Objectives 

OV2.21 Reporting objectives relate to the preparation of reports for use by the entity, its stakeholders, or other external parties. Reporting objectives may be grouped further into the following subcategories: 

  • External financial reporting objectives - Objectives related to the release of the entity’s financial performance in accordance with professional standards, applicable laws and regulations, as well as expectations of stakeholders. 
  • External nonfinancial reporting objectives - Objectives related to the release of nonfinancial information in accordance with appropriate standards, applicable laws and regulations, as well as expectations of stakeholders. 
  • Internal financial reporting objectives and nonfinancial reporting objectives - Objectives related to gathering and communicating information needed by management to support decision making and evaluation of the entity’s performance. 

Compliance Objectives

OV2.22 In the government sector, objectives related to compliance with applicable laws and regulations are very significant. Laws and regulations often prescribe a government entity’s objectives, structure, methods to achieve objectives, and reporting of performance relative to achieving objectives. Management considers objectives in the category of compliance comprehensively for the entity and determines what controls are necessary to design, implement, and operate for the entity to achieve these objectives effectively. 

OV2.23 Management conducts activities in accordance with applicable laws and regulations. As part of specifying compliance objectives, the entity determines which laws and regulations apply to the entity. Management is expected to set objectives that incorporate these requirements. Some entities may set objectives to a higher level of performance than established by laws and regulations. In setting those objectives, management is able to exercise discretion relative to the performance of the entity. 

But later in the book, the GAO drills down into the categories and describes the need for a specific, customized control objective.

6.02 Management defines objectives in specific and measurable terms to enable the design of internal control for related risks. Specific terms are fully and clearly set forth so they can be easily understood. Measurable terms allow for the assessment of performance toward achieving objectives. Objectives are initially set as part of the objective-setting process and then refined as they are incorporated into the internal control system when management uses them to establish the control environment. 

6.03 Management defines objectives in specific terms so they are understood at all levels of the entity. This involves clearly defining what is to be achieved, who is to achieve it, how it will be achieved, and the time frames for achievement. All objectives can be broadly classified into one or more of three categories: operations, reporting, or compliance. Reporting objectives are further categorized as being either internal or external and financial or nonfinancial. Management defines objectives in alignment with the organization’s mission, strategic plan, and performance goals. 

6.04 Management defines objectives in measurable terms so that performance toward achieving those objectives can be assessed. Measurable objectives are generally free of bias and do not require subjective judgments to dominate their measurement. Measurable objectives are also stated in a quantitative or qualitative form that permits reasonably consistent measurement. 

Our objective was, “Do controls deter the coach from using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?”

5. Compare the baseline to the ideal

Now it is time to talk to managers and find out if there are any existing controls in place.  This will be your baseline of controls.

16.02 Management establishes a baseline to monitor the internal control system. The baseline is the current state of the internal control system compared against management’s design of the internal control system. The baseline represents the difference between the criteria of the design of the internal control system and condition of the internal control system at a specific point in time. In other words, the baseline consists of issues and deficiencies identified in an entity’s internal control system. 

16.03 Once established, management can use the baseline as criteria in evaluating the internal control system and make changes to reduce the difference between the criteria and condition. Management reduces this difference in one of two ways. Management either changes the design of the internal control system to better address the objectives and risks of the entity or improves the operating effectiveness of the internal control system. As part of monitoring, management determines when to revise the baseline to reflect changes in the internal control system. 

Next, you will compare the baseline to the ideal:  the list of 17 principles.  When management has not already addressed a principle with a control or two, then you will need to design a control for that principle.  Remember, in order to judge a control system as effective, all five components and the underlying 17 principles should be in place!

OV3.03 To determine if an internal control system is effective, management assesses the design, implementation, and operating effectiveness of the five components and 17 principles. If a principle or component is not effective, or the components are not operating together in an integrated manner, then an internal control system cannot be effective. 

Appendix I: The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system. The 17 principle requirements of the Green Book are as follows: 

  1. The oversight body and management should demonstrate a commitment to integrity and ethical values. 
  2. The oversight body should oversee the entity’s internal control system. 
  3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives. 
  4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals. 
  5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities. 
  6. Management should define objectives clearly to enable the identification of risks and define risk tolerances. 
  7. Management should identify, analyze, and respond to risks related to achieving the defined objectives. 
  8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks. 
  9. Management should identify, analyze, and respond to significant changes that could impact the internal control system. 
  10. Management should design control activities to achieve objectives and respond to risks. 
  11. Management should design the entity’s information system and related control activities to achieve objectives and respond to risks. 
  12. Management should implement control activities through policies. 
  13. Management should use quality information to achieve the entity’s objectives. 
  14. Management should internally communicate the necessary quality information to achieve the entity’s objectives. 
  15. Management should externally communicate the necessary quality information to achieve the entity’s objectives. 
  16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. 
  17. Management should remediate identified internal control deficiencies on a timely basis. 

6. Consider cost 

Before you run out and implement all of the controls you designed in the last step, stop and think about how much each of the controls is going to cost you.  Do you need to invest in technology to make the control work?  Or do you need to beef up your staff?  Also, consider whether the new controls will slow down processes and frustrate employees, suppliers and customers.  Excessive controls are also known as ‘red tape’ and ‘burdensome bureaucracy!’

OV4.07 Management may decide how an entity evaluates the costs versus benefits of various approaches to implementing an effective internal control system. However, cost alone is not an acceptable reason to avoid implementing internal controls. Management is responsible for meeting internal control objectives. The costs versus benefits considerations support management’s ability to effectively design, implement, and operate an internal control system that balances the allocation of resources in relation to the areas of greatest risk, complexity, or other factors relevant to achieving the entity’s objectives. 

7. Does it prevent, detect or correct?

Again, before you proceed with the hard work of implementing the controls you designed, take some time to evaluate whether each control is preventative, corrective, or detective.  Detective controls are nice, but stopping the risk before it happens would be better than cleaning up the mess after it happens. This is especially true when it comes to unacceptable risks such as death and injury.  Make sure you have a good mix of all three types of controls with a preponderance of preventative controls.

8. Document

At this point, you are working with a large volume of information.  Just in case you get a little overwhelmed and forgetful, you’d better write down everything you have worked on so far.  The GAO is pretty firm about documentation:

OV4.08 Documentation is a necessary part of an effective internal control system. The level and nature of documentation vary based on the size of the entity and the complexity of the operational processes the entity performs. Management uses judgment in determining the extent of documentation that is needed. Documentation is required for the effective design, implementation, and operating effectiveness of an entity’s internal control system. The Green Book includes minimum documentation requirements as follows: 

  • If management determines that a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively. (paragraph OV2.06) 
  • Management develops and maintains documentation of its internal control system. (paragraph 3.09) 
  • Management documents in policies the internal control responsibilities of the organization. (paragraph 12.02) 
  • Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. (paragraph 16.09) 
  • Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. (paragraph 17.05) 
  • Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. (paragraph 17.06) 

OV4.09 These requirements represent the minimum level of documentation in an entity’s internal control system. Management exercises judgment in determining what additional documentation may be necessary for an effective internal control system. If management identifies deficiencies in achieving these documentation requirements, the effect of the identified deficiencies is considered as part of management’s summary determination as to whether the related principle is designed, implemented, and operating effectively. 

9. Evaluate the design vs. operation

Once you have organized your thoughts and chosen controls for all five components and the 17 principles, someone has to put them into action.  That could take a while.  As usual, it is best to be patient and thorough instead of agitated and spotty.  Ha.  Agitated and spotty is a great title for a teen romance novel!

The GAO takes pains to mention the difference between the design of a control and the implementation of a control in over a dozen places in the Green Book.  Here are a few quotes:

OV2.13 Internal control is a dynamic, iterative, and integrated process in which components impact the design, implementation, and operating effectiveness of each other. No two entities will have an identical internal control system because of differences in factors such as mission, regulatory environment, strategic plan, entity size, risk tolerance, and information technology, and the judgment needed in responding to these differing factors. 

OV3.05 When evaluating design of internal control, management determines if controls individually and in combination with other controls are capable of achieving an objective and addressing related risks. When evaluating implementation, management determines if the control exists and if the entity has placed the control into operation. A control cannot be effectively implemented if it was not effectively designed. A deficiency in design exists when (1) a control necessary to meet a control objective is missing or (2) an existing control is not properly designed so that even if the control operates as designed, the control objective would not be met. A deficiency in implementation exists when a properly designed control is not implemented correctly in the internal control system. 

10. Evaluate whether you can declare your controls effective!

Sorry to say that your work isn’t done when you finish designing, documenting and implementing controls.  True to the monitoring component of the COSO model, you can’t just set things up and forget them.  You need to come back and evaluate whether everything you have set up is working, correct any unintended consequences of your efforts, improve controls and start the cycle all over again.

OV3.03 To determine if an internal control system is effective, management assesses the design, implementation, and operating effectiveness of the five components and 17 principles. If a principle or component is not effective, or the components are not operating together in an integrated manner, then an internal control system cannot be effective. 

This is a great place to introduce auditors back into our conversation because they may be able to help you ensure that the controls you designed are functioning properly.  That is what we will do in our next newsletter.

Fraudulent Disbursements – Billing Schemes and Payroll Schemes

More in the series on getting to know the fraud tree better. To get a better sense of where we are on the fraud tree and which branch we are talking about in this newsletter, please see the entire fraud tree at

Learn to do good;
seek justice, correct oppression;
bring justice to the fatherless,
plead the widow’s cause.
Isaiah 1:17

Misappropriating cash through fraudulent disbursements is a sizable portion of the fraud tree because there is a lot of room for creativity.  See an illustration of the fraud tree here:   In this newsletter, we will cover billing schemes & payroll schemes.  In future newsletters we will cover expense reimbursement schemes, check tampering, and register disbursements.  Five creative categories under fraudulent disbursements in all!

With fraudulent disbursements, the fraudster causes an organization to disburse funds through some trick or device such as submitting false invoices or forging checks.  The disbursement is often disguised as a legitimate business activity so that it can slide through the accounting system undetected by controls.

And with these sorts of schemes, the fraudster is usually caught when they get too bold or too greedy.  If they would just keep it small, they could supplement their income for decades!

Billing Schemes

Here the fraudster creates a valid looking bill and causes the organization to issue payment for the fraudster’s personal benefit. The Association of Certified Fraud Examiners classifies billing schemes into three categories:

  1. Shell companies
  2. Non-accomplice vendors
  3. Personal purchases

Shell Companies 

In this creative scenario, the fraudster creates a fake company that has a valid sounding name and then sends checks from the victim company to their fake, or shell, company.

In my hometown, LouAnne Aponte stole over $800,000 from a large not-for-profit, Family Connections, for which she was the executive director. For six years she forged a well-known local CPA firm’s name on audit reports to avoid questioning by auditors and to satisfy federal grant requirements.

In March 1993, Aponte formed a business named Excite and Challenge, and then paid Excite and Challenge from Family Connections funds.  She used the money to pay her mortgage for a home in a tony Austin neighborhood and bought herself a convertible Mercedes.

For a decade LouAnne Aponte also volunteered as the treasurer for the Texas Association of Child Care Resources and Referral Agencies.  Aponte was accused of stealing over $100,000 from that organization.

Aponte had a history of theft dating back to the 1980s when she stole about $60,000 from two employers. In 1987, she served only four months of a four-year prison sentence for her crimes. Unaware of Aponte’s past, the nonprofit Austin Families hired Aponte in 1990 when she was still on parole.

Having served only two and a half years of her 25-year sentence for the crimes against Family Connections, Aponte was up for parole in May 2013.[1]

Straw students are like shell companies, aren’t they?

Creating fake students has always been a popular scam when it comes to milking money out of student financial aid programs.  When you actually see students in a classroom in college environments, it is hard to keep a scammer from succeeding – but how do you verify online students?

Between 2006 and 2009, Trenda Halton defrauded Rio Salada College in Arizona for over a half a million dollars.  Having discovered how to defraud the registration system of Rio Salado College, Halton worked with four accomplices to create 136 “straw” students.

In her scheme, she recruited “straw” students who prepared and filed bogus admissions applications, financial aid applications, and Pell Grant applications in the students’ names. The financial-aid recipients received aid money after Rio Salada deducted tuition.

Halton’s cover was blown when a Rio Salado employee noticed that the applications all had the same handwriting and the students were enrolled in the same classes. In 2009, Halton was indicted with 64 other defendants and charged with offenses such as conspiracy, mail fraud, financial aid fraud, and making false statements in connection with financial aid.

Rio Salada’s small distance learning college was a prime digital target for Halton. Other colleges that have been victimized by online financial-aid fraudsters include the University of Phoenix’s Axia College, Michigan’s Lansing Community College, and Texas’ Dallas County Community College.[2]

Non-Accomplice Vendors

My small business has several names, and I have been married 15 times.  OK, OK, I have wed only twice.  But I have three last names!  And the bank will take any check from me using any of my last names or business names.

A banker in one of my classes told me that the bank doesn’t check endorsements or names on the check if the amount is under $10,000.  The volume of checks is just too high for them to watch.  Banks also put on the back of your bank statement that you have 60 days from the date of the statement to resolve any discrepancy, otherwise the bank is not responsible.

So imagine taking a valid vendor name – say ABC Pest Control – that your organization would spend money on and changing the address on the payment to your own PO Box.  And if you have already succeeded depositing checks under ABC Enterprises, the bank will take it. You will enjoy the money, and your organization probably won’t know the difference.

Personal Purchases

Whether personal purchases are considered fraud by an organization depends on the type of organization.  In the corporate environment, use of the company credit card to buy golf equipment while entertaining clients could be perfectly valid.

2 shoesIn government, we never entertain!  OK, we seldom entertain, but governments would seldom find the purchase of golf equipment valid.  Remember our discussion about what fraud is, what abuse is, and whether something is worthy of the attention of those in charge of governance? That applies to personal purchases, big time.

But HP wasn’t as lenient with their money as some other corporations.  They ousted their CEO, Mark Hurd, in 2010 for expense report irregularities and for hiring a model/actress that he had a personal relationship with to represent HP at trade shows for $5000 to $10,000 a pop.[3]

Payroll Schemes

Another way employees can extract money from their employers using a false disbursement scheme is to make false claims for compensation.  The fraud tree is divided into four parts under payroll schemes:

  1. Ghost employees
  2. Commission schemes
  3. Workers compensation
  4. Falsified wages

Ghost Employees

In this scheme, the government is charged for employee wages for fake employees or, if you prefer, “phantom” employees.

3 ghostsDo you remember Paul Bremer? He was the administrator of the Coalition Provisional Authority (CPA), the transitional Iraqi government. In 2007, Bremer acknowledged to the House Committee on Oversight and Government Reform that during the 2003 to 2004 rebuilding of Iraq, for which he was responsible, America had paid nonexistent “ghost employees.”

Bremer suggested that the organization feared the consequences of stopping payments to determine who were truly employed. Those who were employed supplied the Iraqi ministries with security, and Bremer did not want to anger these 74,000 armed men.

The problem of the “ghost” employees was just one piece of the puzzle of the missing $8.8 billion that the CPA distributed to Iraqi ministries. Stuart Bowen, the Special Inspector General for Iraq Reconstruction stated that the problem was not a major reason that so much money was unaccounted for. He blamed the lack of transparency for the missing funds.[4]

Commission Schemes


The Pyramid

Although I can’t imagine this happening in government, or that a commission/pyramid would be relevant in government, you may have personally been the victim of a pyramid scheme in your past.  In a pyramid scheme, the fraudster promises consumers or investors large profits if they can recruit others to join the program.  Some schemes purport to sell a product, but the product is really just a cover for the pyramid.

Victims of a pyramid scheme are often asked to inventory load – or buy stock inventory of a product in order to sell.  In this way, the company does make profit, and the folks on the top of the pyramid profit, but the front-line salesmen are stuck with a bunch of inventory they can’t sell!

Also beware of claims that the product is selling like hotcakes!  Who is buying the hotcakes: actual customers or just players in the pyramid?[5]

A few cautions about marketing ‘spin’!

I remember my mother buying a horrible car – a Ford Taurus – in the 90s because the dealer told her it was the best selling car in America.  Yes, it was, but only because Ford made incredible deals to get the rental car industry to buy beaucoup of them. Consumers hated the car and for good reason.  Ah, marketing spin wins again!

A well known vitamin company in the US is advertising that they are the first vitamin company to get clearance from an organization they say is an independent evaluator of vitamin quality.  Only problem is that the vitamin company founded, funds, and shares staff with this independent evaluator.

And it isn’t just creative Americans: Customer complaints against four of the United Kingdom’s largest energy firms led to an investigation of nPower, Scottish Power, Scottish and Southern Energy, and EDF Energy by the energy regulator Ofgem.

Many of the complaints were against door-to-door salespeople and telemarketers who were persuading customers to switch suppliers. Customers were given misleading information and quotes, which resulted in the customers being in worse positions than before switching suppliers.

Confirming the customer complaints, Ofgem’s 2008 investigation showed that changing firms at the persuasion of pushy door salespeople left almost half of gas customers and electricity customers worse off.

As of September 2010, energy regulators were considering fining suppliers a portion of their annual revenue if customer complaints proved true.[6]

A bit about the the Ponzi

Although a Ponzi scheme is not specifically mentioned on the fraud tree, it is definitely worth talking about!  A Ponzi scheme is similar to a pyramid scheme, except there is no product to sell, and the schemer doesn’t pay a commission to salespeople to find new recruits. A Ponzi schemer uses the money from new recruits to pay existing members.

The most notorious Ponzi schemer of our day is Bernie Madoff who defrauded investors out of $60 billion.  Madoff paid investors significant returns using money he collected from new investors, which he never truly invested.

Enticing new investors by paying his investors more money allowed Madoff to keep the scheme rolling for about two, maybe three, decades. Madoff told investors that their investments were earning high returns and would give them large payouts to keep them onboard.

While he probably believed that his venture could last forever, it couldn’t withstand the decline of the stock market. In 2008, he could no longer keep up his lie. Investors weren’t paid on time because of his inability to yield sufficient cash out of his holdings.

On March 10, 2009, Bernie Madoff was charged with eleven felony charges including securities fraud, investment adviser fraud, mail fraud, wire fraud, three counts of money laundering, false statements, perjury, false filings with the United States Securities and Exchange Commission (“SEC”), and theft from an employee benefit plan.  On June 29, 2009, Madoff was sentenced to 150 years in prison.[7]

Workers Compensation

5 boxI like to work, don’t you?  I like to get something done and create new things.  But not everyone is motivated to create – some people think the world owes them a living, and false workers comp claims are an easy route to income without exertion.

It makes me very sad to see a video on 60 minutes of a guy moving a piano who has been claiming workers comp for three years.  Can you imagine being related to that guy? How could he, and you, stand it?

Here is an executive summary from a report by the GAO on fraudulent benefits:

Social Security Administration: Cases of Federal Employees and Transportation Drivers and Owners Who Fraudulently and/or Improperly Received SSA Benefits[8]


This testimony discusses the results of our investigation of the disability programs managed by the Social Security Administration (SSA). SSA administers two of the nation’s largest cash benefit programs for people with disabilities: the Disability Insurance (DI) program, which provides benefits to workers with disabilities and their family members, and the Supplemental Security Income (SSI) program, which provides income for aged, blind, or disabled people with limited income and resources.

In 2008, the DI program provided about $104 billion to some 9 million beneficiaries, and the SSI program provided about $38 billion in financial benefits to some 7.5 million recipients. Given the magnitude of these cash benefit payments, it is important for SSA to have effective fraud prevention controls in place to minimize fraudulent and improper payments.

This statement summarizes our most recent report, describing cases of federal workers, commercial drivers, and commercial vehicle company owners who fraudulently or improperly received disability benefits. The objectives of the investigation were to (1) determine whether federal employees and commercial vehicle drivers and company owners may be improperly receiving disability benefits and (2) develop case study examples of individuals who fraudulently and/or improperly received these benefits. In conducting this investigation, we compared DI and SSI benefit data to civilian payroll records of certain federal agencies and carrier/driver records from the Department of Transportation (DOT) and 12 selected states.

We found the following:

1) Thousands of federal employees, commercial drivers, and owners of commercial vehicle companies received Social Security disability benefits during fiscal year 2008, though we could not determine the extent to which beneficiaries improperly or fraudulently received payments. Because further investigation is required to determine whether these individuals are entitled to receive payments, our analysis provides only an indicator of potentially improper or fraudulent activity. Federal salary data from selected agencies for October 2006 through December 2008 show that about 1,500 federal employees may be improperly receiving payments. These employees were (1) DI beneficiaries who received federal salary above the earnings threshold for more than 12 months after the start date of their disabilities or (2) SSI recipients who received more than 2 months of federal salary above the maximum SSA earnings threshold for the SSI program after the start date of their disabilities. Based on their SSA benefit amounts, we estimate that these federal employees received about $1.7 million in benefits a month.

2) Based on our overall analysis above, we selected 20 nonrepresentative examples of federal employees, commercial drivers, and registrants of commercial vehicle companies who received disability payments fraudulently and/or improperly. The 20 cases were primarily selected based on our analysis of SSA electronic and paper files for the higher overpayment amounts, the types of employment, and the locations of employment, and thus they cannot be projected to other federal employees, commercial drivers, or commercial vehicle owners who received SSA disability payments. In each case, SSA’s internal controls did not prevent improper and fraudulent payments, and as a result, tens of thousands of dollars of overpayments were made to individuals for 18 of these 20 cases. For the 20 cases, our investigations found the following: (1) For five cases, we believe that there is sufficient evidence that the beneficiaries committed fraud to obtain or continue receiving Social Security disability payments by withholding employment information. (2) For 10 cases, SSA improperly increased the benefit amounts of the disability payments because the individuals had increases in the reported wages on which the disability benefit payments are based.

(3) Several individuals from our cases were placed in long-term, interest-free repayment plans for improperly accepting disability overpayments, even though SSA can charge interest. One individual’s $33,000 repayment plan was in $20 monthly installments–resulting in a repayment period of 130 years. For 10 cases, the individuals were continuing to receive disability benefits as of October 2009. For 18 of these 20 cases, the individuals also received $250 stimulus checks as part of the American Recovery and Reinvestment Act of 2009 (Recovery Act) while they were improperly receiving SSA disability payments. According to SSA officials, most of these individuals were entitled to and would have received the $250 stimulus checks even if SSA had properly suspended the disability payments to them. Specifically, SSA officials stated that beneficiaries covered under the DI program would have been covered under an extended period of eligibility (EPE), which is a 36-month period in which SSA does not pay any benefit amounts (i.e., payments are suspended) if the beneficiary has earnings above the substantial gainful activity (SGA) threshold. According to SSA officials, all working DI beneficiaries covered by an EPE received the $250 stimulus check.


Falsified Wages

Here is a report from the NY Attorney General regarding contractors who falsified employee wages:6 nurse

Three Contractors Arrested For Underpaying Employees And Falsifying Business Records In Connection With New York City Housing Authority Construction Projects[9]

State Attorney General Spitzer and New York City Department of Investigation Commissioner Rose Gill Hearn today announced that three construction contractors were arraigned on felony and misdemeanor charges arising out of their falsification of records that made it appear that $367,000 in legally required prevailing wages were paid to 19 workers on New York City Housing Authority projects, when, in fact, such wages were not paid.

Mohammed Abdur Rashid, and his company Columbus General Construction Inc., and Tarcisio Ferreira and Harrison Jarvis, whose construction companies are now defunct, were charged with failure to pay wages, falsification of business records, false filings and perjury in connection with Housing Authority contracts at the Edgemere and Arverne Houses (Ocean Bay) located in Far Rockaway.

The defendants entered “not guilty” pleas in Queens County Criminal Court, and were ordered to return to court on October 15, 2003.

“The message is clear: falsifying records and failing to pay the prevailing wages on a public work project are serious violations of the law. Contractors who engage in such tactics can expect criminal sanctions,” Spitzer said.

“These contractors unjustly chose to enrich themselves rather than pay employees their rightful wages. DOI will not tolerate this type of fraud or other acts of dishonesty and will investigate them with vigor. Upon recovering any improprieties, DOI will seek to prevent the company in question from obtaining future contracts with the City,” said Commissioner Gill Hearn.

The joint investigation by the Attorney General’s office and the Department of Investigation’s Office of the Inspector General for the Housing Authority revealed that between July 2, 2001 and December 31, 2002, Rashid, Ferreira, Jarvis, and their respective companies employed nineteen workers at the Edgemere and Arverne Houses. The work was subject to federal and state prevailing wage laws, which dictate the hourly rates that must be paid to employees working on public projects. In each case, the defendants are alleged to have failed to pay workers prevailing wages, and attempted to conceal their wrongdoing by filing false payroll showing that their employees were paid properly. The workers received between $70 to (sic) $110 per day instead of up to $48.53 per hour, which they were entitled to by law.

The Attorney General is also seeking restitution for the underpayment of wages to employees, which totals more than $367,000.

As a result of the continuing cooperation between the OAG and DOI, over one million dollars in wage restitution orders have already been obtained this year. 

Next time… more on fraudulent disbursement schemes including expense reimbursement schemes.

[1] Andrea Ball. “Woman who stole from nonprofit up for parole two years into 25-year sentence.” Austin American Statesman. May 14, 2013.

[2] Marc Parry. “Online Scheme Highlights Fears About Distance-Education Fraud.” The Chronicle of Higher Education. January 13, 2010.

[3] Ben Worthen and Joann S. Lublin. “Mark Hurd Neglected to Follow H-P Code.” Wall Street Journal. August 8, 2010.

[4] Melinda Henneberger. “Bremer paid ‘Ghost Employees’ to avoid ‘Real Trouble.’” Huffington Post. February 6, 2007.

[5] Debra A. Valentine.  Prepared statement. “What is a Pyramid Scheme and What is Legitimate Marketing?” International Monetary Fund’s Seminar On Current Legal Issues Affecting Central Banks. Washington, D.C. May 13, 1998.

[6] Tim Webb. “Ofgem investigates doorstep gas and electricity sales agents.” The Guardian [UK]. Web. September 2, 2010.

[7] New York State. Department of Justice. United States v. Bernard L. Madoff and Related Cases. FBI, August 5, 2009.

[8] United States. Govt. Accountability Office. Social Security Administration: Cases of Federal Employees and Transportation Drivers and Owners Who Fraudulently and/or Improperly Received SSA Benefits.  August 4, 2010.

[9] New York. Office of the Attorney General. Three Contractors Arrested For Underpaying Employees And Falsifying Business Records In Connection With New York City Housing Authority Construction Projects. Media Center. September 2003.

Stay Up-To-Date

Sign up here to have the lastest from delivered right to your inbox.

Just provide your name and email information below, and as an introductory “Thank You”, you’ll be able to view and download a free copy of our Audit Objectives whitepaper.

* indicates required

Stay Up-To-Date

Sign up here to have the latest from delivered right to your inbox.

Just provide your name and email information below, and as an introductory “Thank You”, you’ll be able to view and download a free copy of our Audit Objectives whitepaper.

[newsletters_subscribe list="20"]



Lost your password?