 |
| KAREN VELESQUEZ CONVICTED OF STEALING $35K FROM LUNCH PROGRAM FOR POOR STUDENTS UNDER THE WATCH OF INTERIM SUPERINTENDENT OF SCHOOLS JUDITH JOHNSON |
An employee that worked
for a company hired by the Mount Vernon City School District to administer the
lunch program and oversee the management of buildings and grounds has plead
guilty to stealing $35K from the lunch coffers of poor and underprivileged
students.
Karen Velasquez, an employee
of Aramark, manipulated a computer software program to make it seem that the
district was taking in less cash than it really was. Aramark has been under intense scrutiny in
recent week due to their negligent handling of the asbestos issue in Mount
Vernon schools. The school board last
week voted on a resolution to have the Federal Investigators come in and take a
look at 3rd party vendors and their associated contracts including
Aramark. School Board Trustee Elias
Gootzeit was the author of the resolution that calls for increased federal
scrutiny and an audit of school district finances, hiring practices, and
construction projects.
Many taxpayers question
the need for having a contract with Aramark, whose current contract is set to
expire this January. The last contract
between Aramark and the Mount Vernon City School District expired on June 30,
2013. School Board Vice President Len
Sarver, Assistant Superintendent of Business Timothy Costello, and
Superintendent of Schools Judith Johnson tried ramming an extension to
Aramark’s contract down Board Trustee’s throat, but that scheme was met with
fierce resistance. Why are Johnson and
Sarver so adamant about continuing to do business with Aramark when it was
proven that they provide less than inferior service to the Mount Vernon school district?
Aramark is also
responsible for managing the buildings and grounds for the Mount Vernon City
School District. Aramark has not been
staying on top of regular building maintenance and as such city school building
are in a deplorable condition.
The Mount Vernon City
School District pays $315K annually for two employees of Aramark to oversee the
buildings and grounds, however Aramark only has one employee working in the
district. What happened to the other
employee that was supposed to be working in Mount Vernon as per the
contract? Aramark should return taxpayer
funds if it does not intend to live up to its end of the deal. Mount Vernon can no longer allow Aramark to
bankrupt the school district. Mount
Vernon can no longer afford Aramark.
Supplies and tools are
regularly missing from city schools under the watch of Aramark, but Judith
Johnson, Timothy Costello, and Len Sarver don’t seem to mind. What are the real motives behind Johnson,
Costello, and Sarver wanting to extend the Aramark contract? Will they unjustly enrich themselves? What is
the connection between Len Sarver and Timothy Costello? Are they secret
business partners profiting at the expense of the poor and underprivileged
children in the community?
The Mount Vernon City School district is ripe for
fraud and abuse because of a lack of internal controls. This was made quite clear when an Aramark
employee was able to manipulate a computer program that allowed her to unjustly
enrich herself. How come Mount Vernon
school officials did not detect this fraud? When was the last fraud risk
assessment conducted by the Mount Vernon City School District?
All school district are subject to fraud risks and need
to
complete a fraud risk assessment for their
school district at least every few
years. Functions and services that need to be included in
the assessment are
Finance and Accounting,
Human Resources
Management (payroll), Purchasing and Contracting,
and Information Technology. As a part of the
assessment,
school district need to look at control environment
and information technology as both have a significant effect on fraud risk for most functions.
The control
environment includes management’s attitude as
to
the importance of the establishment
and maintenance of a strong internal control
system; having organizational units clearly
defined to perform the
necessary functions of
the school district; having qualified and properly trained
personnel; delegation of authority or limitation of
authority to provide assurances that responsibilities are effectively performed; having
policies and procedures including a code of ethical conduct available
to
employees; and requiring background checks on
personnel that have access to personal
information, positions of
accounting and financial
oversight, and positions
of
trust.
In addition, the school district has personal computers and many school districts have other
computer systems that are essential.
Some computer
systems
have controls
built in which are a benefit
to
internal controls, such as segregation of accounts payable input and approval duties. However, school district need to ensure that
their users have the
appropriate access and need to ensure that
there is no unauthorized
access.
FRAUD RISK ASSESSMENT
An effective fraud risk
management assessment should identify where fraud may occur and who the
perpetrators might be. Therefore, control activities should always consider both the fraud
scheme and the individuals within and outside the organization who could be the
perpetrators of each
scheme.
If the scheme is
collusive, 1preventive controls
should be augmented by detective controls, as collusion negates the control effectiveness of segregation of
duties.
Fraud, by definition, entails intentional misconduct, designed to evade detection. As such,
the fraud risk assessment should anticipate the behavior of
a potential fraud perpetrator. It is
important to design fraud
detection procedures
that a perpetrator may not expect, requires a
skeptical mindset and involves asking questions such as:
• How might a fraud perpetrator exploit weaknesses in the system of controls?
• How could a perpetrator override or circumvent controls?
• What could a perpetrator do to conceal the fraud?
With this in mind, a fraud risk assessment generally includes three key elements:
• Identify inherent fraud risk
Gather information to obtain the population of fraud risks that could apply to the organization. Included in this process is the explicit consideration of all types of fraud schemes and scenarios; incentives, pressures, and opportunities to commit fraud; and IT fraud risks specific to the organization.
Gather information to obtain the population of fraud risks that could apply to the organization. Included in this process is the explicit consideration of all types of fraud schemes and scenarios; incentives, pressures, and opportunities to commit fraud; and IT fraud risks specific to the organization.
• Assess likelihood and significance
of inherent fraud risk
Assess the relative likelihood and potential significance of identified fraud risks based on historical information, known fraud schemes, and interviews with staff, including business process owners.
Assess the relative likelihood and potential significance of identified fraud risks based on historical information, known fraud schemes, and interviews with staff, including business process owners.
• Respond to reasonably likely and significant inherent and residual
fraud risks
Decide what the response should be to address the identified risks and perform a cost-benefit analysis of fraud risks over which the organization wants to implement controls or specific fraud detection procedures.
Decide what the response should be to address the identified risks and perform a cost-benefit analysis of fraud risks over which the organization wants to implement controls or specific fraud detection procedures.
School district should apply a framework to document their fraud risk assessment. This example begins with a list of
identified fraud risks and schemes, which
are then assessed for relative likelihood and significance of
occurrence. Next, the risks and schemes are mapped to the people
and/or departments that may be impacted and to relevant controls, which are evaluated
for
design effectiveness and tested
to
validate operating effectiveness.
Lastly, residual risks are identified, and a fraud
risk response is
developed.
Risk Assessment Team
A good risk assessment requires input from various
sources. Ideally, management should identify a risk
assessment team, even
if the team would only be 2 individuals, to conduct the risk assessment.
Individuals from throughout the organization with different knowledge, skills,
and perspectives should be involved
in the risk assessment. Such members of the risk assessment teams should include personnel such as:
• Accounting/finance personnel, who are familiar with the financial reporting process and internal
controls.
• Nonfinancial business unit and operations personnel, to leverage their knowledge of day-to-day operations.
• Legal and compliance personnel .
• Internal audit personnel.
Management should participate in
the assessment, as they are ultimately accountable
for
the effectiveness of the
agency’s fraud risk management efforts.
Fraud Risk Identification
The risk assessment
team should go through a brainstorming activity to identify the agency’s
fraud risks. Brainstorming enables discussions of the incentives,
pressures, and opportunities to commit fraud; risks of management override of controls; and the
population of
fraud risks relevant to the school district. Other risks,
such as regulatory and legal misconduct risk, as well as the
impact of IT on fraud risks also should be considered in the fraud risk identification process.
The agency’s
fraud risk identification
information
should be shared with
the board or
audit committee, if
any, and
comments should be solicited. If no board or
audit committee, the information should be shared with senior management.
Incentives, Pressures, and Opportunities
Motives for committing fraud are numerous and diverse. The fraud risk identification process should include an
assessment of the incentives, pressures, and opportunities to commit
fraud.
Opportunities to commit fraud exist throughout organizations. These opportunities are greatest in areas with weak internal
controls and a lack
of segregation of duties. However, some frauds, especially those committed by management, may be difficult to detect because
management can often
override the controls. If possible, such
opportunities are why appropriate monitoring of senior management by a
strong board and audit
committee, supported by internal
auditing, is critical
to fraud risk management.
Risk of Management’s Override of Controls
As part of the risk identification process,
it is
important to consider the potential for management override of controls established to prevent or detect fraud. Personnel
within the school
district generally know the controls and standard operating procedures that are in place to prevent fraud.
It is reasonable to assume that individuals who
are intent on committing fraud will
use their knowledge of the agency’s controls to
do it in a manner that
will conceal their
actions. For example, a
manager who has the
authority to set up new vendors and approve
invoices may create and approve a fictitious vendor and then submit invoices
for payment.
Hence, it is also
important
to
keep the risk of management’s override of
controls in mind
when evaluating the effectiveness of controls; an
anti-fraud control is not effective if
it can be overridden easily.
Population of Fraud Risks
The fraud risk identification process requires an
understanding of
fraud risks and the subset of
risks specific to the school district. This involves understanding the agency’s business processes and
gathering information about potential fraud from internal sources by interviewing personnel
and brainstorming with them and performing analytical procedures.
There are three general categories of fraud risk: fraudulent statements, misappropriation of assets, and corruption. These categories should be used
as a starting point but a more detailed breakout can be
developed to produce a school
district-specific fraud risk assessment. For example, potential fraud risks to consider
in the three general categories
include:
a. Inappropriately reported revenues.
b. Inappropriately reported expenditures
c. Inappropriately reflected balance sheet amounts, including reserves.
d. Inappropriately improved and/or masked disclosures
e. Concealing misappropriation of assets.
f. Concealing unauthorized receipts
and expenditures.
2) Misappropriation of:
a. Assets by:
i) Employees. ii) Vendors.
iii) Former employees and others outside the organization.
3) Corruption including:
a. Bribery and
gratuities
b. Aiding
and abetting fraud by other parties (e.g., vendors).
c. Conflicts of
interest
d. Embezzlement
Fraudulent Financial Reporting
Each of the three
general categories includes at least one scheme of
how the fraud could occur.
For instance,
the improper recognition of expenditures can be achieved via numerous schemes,
including holding bills
to pay in the next billing
cycle and improper coding to appropriation lines. Any scheme that could be relevant to the
school district should be considered
in the assessment.
For example, starting with the expenditure recognition component of fraudulent financial reporting,
the assessment should
consider the following
questions:
• What are the agency’s appropriations
and appropriation lines?
• Does the school
district have several appropriation lines that could be used?
• Are there numerous transactions for a variety of expenses or is most expenses routine with little variety?
• Has the school district ever overspent
appropriations
in the past?
The types of fraudulent financial
reporting that would be most probable for
a school district would be to understate expenditures or miscode expenditures to avoid over spending of appropriations.
Conversely, some
school districts may overstate expenditures to use up appropriation authority.
Any
intentional misstatement of accounting information represents fraudulent financial reporting.
Another consideration involves fraud where the objective is not to improve the school district financial statements,
but
to cover up the misappropriation or misuse of
assets.
In this case, the fraud also includes fraudulent financial reporting.
Misappropriation of Assets
A school district’s assets can be misappropriated by employees,
customers, or vendors. The
school district should ensure that controls
are in place to protect such assets. Considerations to be made in the fraud risk assessment process include gaining an understanding of
what assets
are
subject to misappropriation, the locations
where the assets are maintained, and which personnel have control over or access to assets.
Common schemes include misappropriation by:
• Employees
- Creation of, and
payments to, fictitious vendors.
- Charging personal
expenses on procurement cards
- Payment of inflated or
fictitious invoices.
- Invoices for
goods not received or services not performed
- Theft of inventory
• Employees in collusion with vendors,
customers, or
third parties.
- Payment of inflated or
fictitious invoices.
- Invoices for
goods not received or services not performed.
• Vendors.
- Inflated or fictitious invoices.
- Short shipments
or
substitution of lower quality goods.
- Invoices for
goods not received or services not performed.
Protecting against these risks requires not only physical safeguarding controls, but also periodic detective
controls
such as physical counts of
inventory. Remember, a
smart perpetrator may be thinking about such
controls
and
design the fraud to circumvent or be concealed
from those controls. Those conducting the risk
assessment should keep this
in mind when deliberating misappropriation of asset schemes and their impact to the school
district.
Corruption
Corruption is operationally defined
as the misuse of entrusted power for private gain. There
are various types of
corruption,
and could include such things
as taking bribes to award contract, embezzlement, and aiding and
abetting vendors to commit fraud.
Organizations rely on IT to conduct business, communicate, and process financial information. A poorly designed or
inadequately
controlled IT
environment can expose an organization to fraud. Today’s
computer systems, linked by national and global networks, face an ongoing threat of cyber fraud and a variety of threats
that can result in significant financial
and information losses. IT is an important component of any risk assessment, especially when considering fraud risks. IT risks include threats to data
integrity,
threats from
hackers to system security, and theft of financial and sensitive information. Whether in the form of hacking, of data,
viruses, or unauthorized
access to data, IT fraud risks can affect everyone. In fact,
IT can be used by
people intent on
committing fraud in
any
of the three general
fraud risk areas.
Examples of those risks
by area
include:
Fraudulent financial reporting
• Unauthorized
access to accounting
applications — Personnel with inappropriate access to the general ledger, subsystems, or the financial reporting tool can post fraudulent entries.
• Override of system controls — General computer controls include restricted system access,
restricted application access, and program change controls. IT personnel may be able to access restricted data or adjust records fraudulently.
Misappropriation of assets
• Theft of assets — Individuals who have access to assets (e.g., cash, inventory, and fixed assets) and
to
the accounting systems that track and record activity related to those assets can use IT to conceal
their theft of assets. For example, an individual may establish a fictitious vendor in the vendor master file to facilitate the payment of false invoices, or someone may steal inventory and
record the assets
as
disposed of, thus removing the asset from the balance sheet.
Corruption
• Misuse of customer data —
Personnel within or outside the organization can obtain employee data and use such information to obtain credit or for other fraudulent purposes.
Keep in mind,
cyber fraudsters do not even have to leave their
homes to commit fraud,
as they can route
communications through local
phone companies, long-distance carriers, Internet service providers, and wireless and satellite
networks. What is important is that any information
— not just financial —
is at risk, and the stakes are very high and rising as technology continues to evolve.
To manage the ever-growing risks of
operating in the information age, an school
district should know its
vulnerabilities
and be able to mitigate risk in a cost-effective manner. Therefore, IT risk should be incorporated
into a school district’s overall fraud risk assessment.
Regulatory and legal
misconduct includes a wide range of risks,
such as conflicts of interest, contract
terms, and state
and federal regulations. Depending on the particular school district and the nature
of its business,
some or
all of these risks may be applicable
and should be considered in the risk assessment process.
Assessment of the Likelihood and Significance
Of Identified Inherent Fraud Risks
Assessing the likelihood and significance of each potential fraud risk is a subjective process. All
fraud risks are
not equally likely,
nor will all frauds
have a significant impact on every school district. Assessing the likelihood and significance of identified
inherent risks allows the school district to manage its fraud risks and apply preventive and detective procedures rationally. It is
important to first consider fraud risks on an inherent
basis, or without
consideration of known controls.
By
taking this approach, management will be better able to consider all relevant fraud risks and design controls to address the risks.
After mapping fraud risks to relevant controls, certain residual risks will remain, including the risk of management’s override of established controls. Management must evaluate the potential
significance of those residual
risks and decide on the nature
and extent of the fraud preventive and detective controls and procedures to address such risks.
Likelihood — Management’s assessment of
the likelihood of a fraud risk
occurring is informed by instances of that particular fraud occurring in the past at the school
district, the prevalence of the fraud risk in the agency’s
industry, and other factors, including the number of individual transactions, the
complexity of
the risk, and the number of
people involved in
reviewing or approving the process. School district can have as many categories of the likelihood of potential
frauds
occurring as deemed reasonable, but three categories are
generally adequate:
remote, reasonably possible,
and probable.
Significance
— Management’s assessment of the
significance of
a fraud risk
should include not only financial statement and monetary significance, but also significance to criminal, civil, and regulatory liability. School
district can also categorize the significance of potential frauds in as many buckets as
deemed
reasonable, but three categories are generally
adequate: immaterial, more than
significant and material.
People/department — As part
of
the risk assessment process,
the school district will have evaluated the incentives and
opportunities for individuals
and
departments and should use the
information gained
in that process to assess
which individuals or departments are most likely to have the opportunity to commit a fraudulent act, and,
if so, via what means. This information can be summarized into the fraud risk assessment
grid and can help
the school district design appropriate risk responses, if necessary.
Risk tolerance varies from school
district to school district. While
some school district want only to address fraud risks that could
have a material
financial impact, other school
district want to have a more robust fraud response program. Many school districts will state that there is a “zero tolerance” policy with
respect to fraud. However, there may be certain
fraud risks that and school district considers too expensive and time-consuming
to address via controls. Consequently,
the school district may decide not to put controls in place to address such risks. If a fraud is discovered, zero tolerance for
fraud will be applied.
An agency’s risk tolerance level provides management support on how to respond to fraud risk. Fraud risks can be addressed by accepting the risk
of a fraud based
on the perceived
level of likelihood and significance,
increasing the controls over the area to mitigate the risk, or designing internal audit procedures to address specific fraud risks. Management needs
to implement the right level of controls based
on
the risk tolerance it
has established for the school district. The key is to be selective and efficient. There are probably thousands of
potential controls that could be put in place. The goal is
a targeted and structured approach — not an
unstructured or haphazard approach — and efficient controls that deliver the most benefit for the cost of resources.
The overall objective is to have the benefit of
controls exceed their
cost.
In addressing fraud risks,
one should be careful to ensure that
anti-fraud controls are operating
effectively and
have been designed to include appropriate steps to deal
with
the relevant risks. Where an internal control
might be executed with
limited
skepticism (e.g.,
agreeing an expenditure to underlying support) an
anti-fraud control would include an evaluation of the underlying support for
consistency in application from prior periods
and
for potential inappropriate bias. Therefore, anti-fraud controls should be designed
appropriately and
executed by competent and objective individual.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.