Wednesday, November 13, 2013



An employee who worked for a company hired by the Mount Vernon City School District to administer the lunch program and oversee the management of buildings and grounds has pleaded guilty to stealing $35K from the lunch coffers of poor and underprivileged students.

Karen Velasquez, an employee of Aramark, manipulated a computer software program to make it seem that the district was taking in less cash than it really was. Aramark has been under intense scrutiny in recent weeks due to its negligent handling of the asbestos issue in Mount Vernon schools. The school board last week voted on a resolution to have federal investigators come in and take a look at third-party vendors and their associated contracts, including Aramark. School Board Trustee Elias Gootzeit was the author of the resolution, which calls for increased federal scrutiny and an audit of school district finances, hiring practices, and construction projects.

Many taxpayers question the need for having a contract with Aramark, whose current contract is set to expire this January. The last contract between Aramark and the Mount Vernon City School District expired on June 30, 2013. School Board Vice President Len Sarver, Assistant Superintendent of Business Timothy Costello, and Superintendent of Schools Judith Johnson tried ramming an extension to Aramark’s contract down the Board Trustees’ throats, but that scheme was met with fierce resistance. Why are Johnson and Sarver so adamant about continuing to do business with Aramark when it was proven that they provide less than inferior service to the Mount Vernon school district?

Aramark is also responsible for managing the buildings and grounds for the Mount Vernon City School District. Aramark has not been staying on top of regular building maintenance, and as such city school buildings are in a deplorable condition.

The Mount Vernon City School District pays $315K annually for two employees of Aramark to oversee the buildings and grounds; however, Aramark only has one employee working in the district. What happened to the other employee that was supposed to be working in Mount Vernon as per the contract? Aramark should return taxpayer funds if it does not intend to live up to its end of the deal. Mount Vernon can no longer allow Aramark to bankrupt the school district. Mount Vernon can no longer afford Aramark.

Supplies and tools are regularly missing from city schools under the watch of Aramark, but Judith Johnson, Timothy Costello, and Len Sarver don’t seem to mind.  What are the real motives behind Johnson, Costello, and Sarver wanting to extend the Aramark contract?  Will they unjustly enrich themselves? What is the connection between Len Sarver and Timothy Costello? Are they secret business partners profiting at the expense of the poor and underprivileged children in the community? 

The Mount Vernon City School district is ripe for fraud and abuse because of a lack of internal controls.   This was made quite clear when an Aramark employee was able to manipulate a computer program that allowed her to unjustly enrich herself.  How come Mount Vernon school officials did not detect this fraud? When was the last fraud risk assessment conducted by the Mount Vernon City School District?

All school districts are subject to fraud risks and need to complete a fraud risk assessment for their school district at least every few years. Functions and services that need to be included in the assessment are Finance and Accounting, Human Resources Management (payroll), Purchasing and Contracting, and Information Technology. As a part of the assessment, school districts need to look at the control environment and information technology, as both have a significant effect on fraud risk for most functions.


The control environment includes management’s attitude as to the importance of the establishment and maintenance of a strong internal control system; having organizational units clearly defined to perform the necessary functions of the school district; having qualified and properly trained personnel; delegation of authority or limitation of authority to provide assurances that responsibilities are effectively performed; having policies and procedures including a code of ethical conduct available to employees; and requiring background checks on personnel that have access to personal information, positions of accounting and financial oversight, and positions of trust.

In addition, the school district has personal computers and many school districts have other computer systems that are essential. Some computer systems have controls built in which are a benefit to internal controls, such as segregation of accounts payable input and approval duties. However, school districts need to ensure that their users have the appropriate access and that there is no unauthorized access.

FRAUD RISK ASSESSMENT

A fraud risk assessment should be performed periodically to identify potential schemes and events that need to be mitigated. This document provides guidance for conducting a fraud risk assessment; however, school districts will need to make modifications to meet their individual needs and complexities.

An effective fraud risk management assessment should identify where fraud may occur and who the perpetrators might be. Therefore, control activities should always consider both the fraud scheme and the individuals within and outside the organization who could be the perpetrators of each scheme. If the scheme is collusive, preventive controls should be augmented by detective controls, as collusion negates the control effectiveness of segregation of duties.

Fraud, by definition, entails intentional misconduct, designed to evade detection. As such, the fraud risk assessment should anticipate the behavior of a potential fraud perpetrator. It is important to design fraud detection procedures that a perpetrator may not expect. Doing so requires a skeptical mindset and involves asking questions such as:

   How might a fraud perpetrator exploit weaknesses in the system of controls?
   How could a perpetrator override or circumvent controls?
   What could a perpetrator do to conceal the fraud?

With this in mind, a fraud risk assessment generally includes three key elements:

   Identify inherent fraud risk  
      Gather information to obtain the population of fraud risks that could apply to the organization. Included in this process is the explicit consideration of all types of fraud schemes and scenarios; incentives, pressures, and opportunities to commit fraud; and IT fraud risks specific to the organization.

   Assess likelihood and significance of inherent fraud risk   
      Assess the relative likelihood and potential significance of identified fraud risks based on historical information, known fraud schemes, and interviews with staff, including business process owners.

   Respond to reasonably likely and significant inherent and residual fraud risks   
      Decide what the response should be to address the identified risks and perform a cost-benefit analysis of fraud risks over which the organization wants to implement controls or specific fraud detection procedures.

School districts should apply a framework to document their fraud risk assessment. This example begins with a list of identified fraud risks and schemes, which are then assessed for relative likelihood and significance of occurrence. Next, the risks and schemes are mapped to the people and/or departments that may be impacted and to relevant controls, which are evaluated for design effectiveness and tested to validate operating effectiveness. Lastly, residual risks are identified, and a fraud risk response is developed.

Risk Assessment Team

A good risk assessment requires input from various sources. Ideally, management should identify a risk assessment team, even if the team would only be 2 individuals, to conduct the risk assessment. Individuals from throughout the organization with different knowledge, skills, and perspectives should be involved in the risk assessment. Such members of the risk assessment teams should include personnel such as:

   Accounting/finance personnel, who are familiar with the financial reporting process and internal controls.
   Nonfinancial business unit and operations personnel, to leverage their knowledge of day-to-day operations.
   Legal and compliance personnel.
   Internal audit personnel.

Management should participate in the assessment, as they are ultimately accountable for the effectiveness of the agency’s fraud risk management efforts.

Fraud Risk Identification

The risk assessment team should go through a brainstorming activity to identify the agency’s fraud risks. Brainstorming enables discussions of the incentives, pressures, and opportunities to commit fraud; risks of management override of controls; and the population of fraud risks relevant to the school district. Other risks, such as regulatory and legal misconduct risk, as well as the impact of IT on fraud risks also should be considered in the fraud risk identification process.

The agency’s fraud risk identification information should be shared with the board or audit committee, if any, and comments should be solicited. If there is no board or audit committee, the information should be shared with senior management.

Incentives, Pressures, and Opportunities

Motives for committing fraud are numerous and diverse. The fraud risk identification process should include an assessment of the incentives, pressures, and opportunities to commit fraud.

Opportunities to commit fraud exist throughout organizations. These opportunities are greatest in areas with weak internal controls and a lack of segregation of duties. However, some frauds, especially those committed by management, may be difficult to detect because management can often override the controls. Such opportunities are why appropriate monitoring of senior management by a strong board and audit committee, supported if possible by internal auditing, is critical to fraud risk management.

Risk of Management’s Override of Controls

As part of the risk identification process, it is important to consider the potential for management override of controls established to prevent or detect fraud. Personnel within the school district generally know the controls and standard operating procedures that are in place to prevent fraud. It is reasonable to assume that individuals who are intent on committing fraud will use their knowledge of the agency’s controls to do it in a manner that will conceal their actions. For example, a manager who has the authority to set up new vendors and approve invoices may create and approve a fictitious vendor and then submit invoices for payment. Hence, it is also important to keep the risk of management’s override of controls in mind when evaluating the effectiveness of controls; an anti-fraud control is not effective if it can be overridden easily.

Population of Fraud Risks

The fraud risk identification process requires an understanding of fraud risks and the subset of risks specific to the school district. This involves understanding the agency’s business processes and gathering information about potential fraud from internal sources by interviewing personnel and brainstorming with them and performing analytical procedures.

There are three general categories of fraud risk: fraudulent statements, misappropriation of assets, and corruption. These categories should be used as a starting point but a more detailed breakout can be developed to produce a school district-specific fraud risk assessment. For example, potential fraud risks to consider in the three general categories include:

1) Intentional manipulation of financial statements, which can lead to:
   a. Inappropriately reported revenues.
   b. Inappropriately reported expenditures.
   c. Inappropriately reflected balance sheet amounts, including reserves.
   d. Inappropriately improved and/or masked disclosures.
   e. Concealing misappropriation of assets.
   f. Concealing unauthorized receipts and expenditures.

2) Misappropriation of:
   a. Assets by:
      i) Employees.
      ii) Vendors.
      iii) Former employees and others outside the organization.

3) Corruption including:
   a. Bribery and gratuities.
   b. Aiding and abetting fraud by other parties (e.g., vendors).
   c. Conflicts of interest.
   d. Embezzlement.

Fraudulent Financial Reporting

Each of the three general categories includes at least one scheme of how the fraud could occur. For instance, the improper recognition of expenditures can be achieved via numerous schemes, including holding bills to pay in the next billing cycle and improper coding to appropriation lines. Any scheme that could be relevant to the school district should be considered in the assessment.

For example, starting with the expenditure recognition component of fraudulent financial reporting, the assessment should consider the following questions:

   What are the agency’s appropriations and appropriation lines?
   Does the school district have several appropriation lines that could be used?
   Are there numerous transactions for a variety of expenses, or are most expenses routine with little variety?
   Has the school district ever overspent appropriations in the past?

The types of fraudulent financial reporting that would be most probable for a school district would be to understate expenditures or miscode expenditures to avoid overspending of appropriations. Conversely, some school districts may overstate expenditures to use up appropriation authority. Any intentional misstatement of accounting information represents fraudulent financial reporting.

Another consideration involves fraud where the objective is not to improve the school district’s financial statements, but to cover up the misappropriation or misuse of assets. In this case, the fraud also includes fraudulent financial reporting.

Misappropriation of Assets

A school district’s assets can be misappropriated by employees, customers, or vendors. The school district should ensure that controls are in place to protect such assets. Considerations to be made in the fraud risk assessment process include gaining an understanding of what assets are subject to misappropriation, the locations where the assets are maintained, and which personnel have control over or access to assets. Common schemes include misappropriation by:

- Creation of, and payments to, fictitious vendors.
- Charging personal expenses on procurement cards.
- Payment of inflated or fictitious invoices.
- Invoices for goods not received or services not performed.
- Theft of inventory.

Employees in collusion with vendors, customers, or third parties:
- Payment of inflated or fictitious invoices.
- Invoices for goods not received or services not performed.
- Inflated or fictitious invoices.
- Short shipments or substitution of lower quality goods.
- Invoices for goods not received or services not performed.

Protecting against these risks requires not only physical safeguarding controls, but also periodic detective controls such as physical counts of inventory. Remember, a smart perpetrator may be thinking about such controls and design the fraud to circumvent or be concealed from those controls. Those conducting the risk assessment should keep this in mind when deliberating misappropriation of asset schemes and their impact to the school district.


Corruption is operationally defined as the misuse of entrusted power for private gain. There are various types of corruption, which could include such things as taking bribes to award contracts, embezzlement, and aiding and abetting vendors to commit fraud.

Information Technology and Fraud Risk

Organizations rely on IT to conduct business, communicate, and process financial information. A poorly designed or inadequately controlled IT environment can expose an organization to fraud. Today’s computer systems, linked by national and global networks, face an ongoing threat of cyber fraud and a variety of threats that can result in significant financial and information losses. IT is an important component of any risk assessment, especially when considering fraud risks. IT risks include threats to data integrity, threats from hackers to system security, and theft of financial and sensitive information. Whether in the form of hacking, of data, viruses, or unauthorized access to data, IT fraud risks can affect everyone. In fact, IT can be used by people intent on committing fraud in any of the three general fraud risk areas. Examples of those risks by area include:

Fraudulent financial reporting

   Unauthorized access to accounting applications: Personnel with inappropriate access to the general ledger, subsystems, or the financial reporting tool can post fraudulent entries.
   Override of system controls: General computer controls include restricted system access, restricted application access, and program change controls. IT personnel may be able to access restricted data or adjust records fraudulently.

Misappropriation of assets

   Theft of assets: Individuals who have access to assets (e.g., cash, inventory, and fixed assets) and to the accounting systems that track and record activity related to those assets can use IT to conceal their theft of assets. For example, an individual may establish a fictitious vendor in the vendor master file to facilitate the payment of false invoices, or someone may steal inventory and record the assets as disposed of, thus removing the asset from the balance sheet.

   Misuse of customer data: Personnel within or outside the organization can obtain employee data and use such information to obtain credit or for other fraudulent purposes.

Keep in mind, cyber fraudsters do not even have to leave their homes to commit fraud, as they can route communications through local phone companies, long-distance carriers, Internet service providers, and wireless and satellite networks. What is important is that any information — not just financial — is at risk, and the stakes are very high and rising as technology continues to evolve.

To manage the ever-growing risks of operating in the information age, a school district should know its vulnerabilities and be able to mitigate risk in a cost-effective manner. Therefore, IT risk should be incorporated into a school district’s overall fraud risk assessment.

Regulatory and legal misconduct includes a wide range of risks, such as conflicts of interest, contract terms, and state and federal regulations. Depending on the particular school district and the nature of its business, some or all of these risks may be applicable and should be considered in the risk assessment process.

Assessment of the Likelihood and Significance of Identified Inherent Fraud Risks

Assessing the likelihood and significance of each potential fraud risk is a subjective process. Not all fraud risks are equally likely, nor will all frauds have a significant impact on every school district. Assessing the likelihood and significance of identified inherent risks allows the school district to manage its fraud risks and apply preventive and detective procedures rationally. It is important to first consider fraud risks on an inherent basis, or without consideration of known controls. By taking this approach, management will be better able to consider all relevant fraud risks and design controls to address the risks. After mapping fraud risks to relevant controls, certain residual risks will remain, including the risk of management’s override of established controls. Management must evaluate the potential significance of those residual risks and decide on the nature and extent of the fraud preventive and detective controls and procedures to address such risks.

Likelihood: Management’s assessment of the likelihood of a fraud risk occurring is informed by instances of that particular fraud occurring in the past at the school district, the prevalence of the fraud risk in the agency’s industry, and other factors, including the number of individual transactions, the complexity of the risk, and the number of people involved in reviewing or approving the process. School districts can have as many categories of the likelihood of potential frauds occurring as deemed reasonable, but three categories are generally adequate: remote, reasonably possible, and probable.

Significance: Management’s assessment of the significance of a fraud risk should include not only financial statement and monetary significance, but also significance to criminal, civil, and regulatory liability. School districts can also categorize the significance of potential frauds in as many buckets as deemed reasonable, but three categories are generally adequate: immaterial, more than significant and material.

People/department: As part of the risk assessment process, the school district will have evaluated the incentives and opportunities for individuals and departments and should use the information gained in that process to assess which individuals or departments are most likely to have the opportunity to commit a fraudulent act, and, if so, via what means. This information can be summarized into the fraud risk assessment grid and can help the school district design appropriate risk responses, if necessary.

Response to Residual Fraud Risks

Risk tolerance varies from school district to school district. While some school districts want only to address fraud risks that could have a material financial impact, other school districts want to have a more robust fraud response program. Many school districts will state that there is a zero tolerance policy with respect to fraud. However, there may be certain fraud risks that a school district considers too expensive and time-consuming to address via controls. Consequently, the school district may decide not to put controls in place to address such risks. If a fraud is discovered, zero tolerance for fraud will be applied.

An agency’s risk tolerance level provides management support on how to respond to fraud risk. Fraud risks can be addressed by accepting the risk of a fraud based on the perceived level of likelihood and significance, increasing the controls over the area to mitigate the risk, or designing internal audit procedures to address specific fraud risks. Management needs to implement the right level of controls based on the risk tolerance it has established for the school district. The key is to be selective and efficient. There are probably thousands of potential controls that could be put in place. The goal is a targeted and structured approach, not an unstructured or haphazard approach, and efficient controls that deliver the most benefit for the cost of resources. The overall objective is to have the benefit of controls exceed their cost.

In addressing fraud risks, one should be careful to ensure that anti-fraud controls are operating effectively and have been designed to include appropriate steps to deal with the relevant risks. Where an internal control might be executed with limited skepticism (e.g., agreeing an expenditure to underlying support), an anti-fraud control would include an evaluation of the underlying support for consistency in application from prior periods and for potential inappropriate bias. Therefore, anti-fraud controls should be designed appropriately and executed by competent and objective individuals.
