Massachusetts Municipal
Fraud Risk Assessment
CASH RECEIPTS / 6-2015

This questionnaire was developed to assist your municipality in identifying fraud risks within the cash receipts business cycle. This questionnaire is intended to cover many of the more significant areas of fraud risk that are inherent with the typical Massachusetts municipality’s cash receipts cycle. Each municipality is unique and therefore this questionnaire cannot be relied upon to address 100% of your municipality’s fraud risks within this business cycle. However, you can use the concepts contained within this questionnaire to expand its scope to specific fraud risk areas within your municipality.

Definitions of Fraud

Fraud is a broad legal concept and generally can be defined as any intentional act committed to secure an unlawful gain. Within municipalities, fraud is primarily seen in the areas of theft, misappropriation of assets, embezzlement and corruption.

Occupational fraud, often referred to as employee dishonesty, is the use of one’s employment to commit fraud for personal enrichment through the intentional misuse or abuse of his/her employer’s resources and assets.

Fraud Risk Assessment in an Internal Control System

Fraud risk assessment is a critical component in any internal control system. Internal controls consist of several interrelated components that, when operating effectively, provide the Town reasonable assurance that it not only meets its strategic and operational business objectives, but also its financial reporting and compliance objectives. This process is driven by the Town’s governing bodies and management and executed each day by departments like yours.

The most widely adopted internal control methodology used by organizations throughout the world is referred to as the COSO framework. The COSO framework was originally published in 1992 and, after several updates, was last updated in 2013. The COSO framework contains five key components or principles:

1)  Control environment;

2)  Risk assessment;

3)  Control activities;

4)  Information and communication;

5)  Monitoring activities.

Effective fraud risk assessment takes place at (i) the entity level, (ii) the process level and (iii) the account level.

Entity level fraud risks relate primarily to the fraud risks present within a municipality as a whole. In assessing entity level fraud risks, we generally look closely at the overall ethical tone of the municipality, or its control environment.

Account level and process level fraud risks are essentially one and the same for the purposes of this business cycle specific fraud risk assessment. These are fraud risks that are specific to the cash receipts business cycle.

I. Fraud Risk Assessment at the Entity Level

The Control Environment is best described as the organization’s culture and is often referred to as the “tone from the top.” Does your municipality promote ethical behavior? How are the values of the municipality’s governing board, manager or administrator and elected/appointed board perceived by its residents, taxpayers, vendors and employees? Oftentimes, these values are communicated through handbooks, trainings, the municipal website, and staff and department meetings. The most effective means of communicating these commitments is leading by example.

A series of questions will be posed below. Indicate your response with an “x” or a “✓” and, if yes, document the control in place in the space provided (examples have been provided for your reference). If you indicate no to any of the questions below, determine whether this is a significant gap that needs to be filled. If so, you have a deficiency that needs remediation.

Our Culture / Yes / No / Describe the Control(s) in Place
1. Does the Town’s governing body and its management demonstrate a commitment to integrity and ethical behavior by their day-to-day activities?
Examples of controls in place to support this may include:
-  Formal code of ethics policy posted on Town website
-  A fraud policy has been adopted and clearly defines fraudulent activities
-  Periodic ethics trainings conducted at all levels of town management
-  Bi-annual state mandated ethics training and testing is communicated to all employees and board/committee members; and the Town has mechanisms in place to monitor compliance and follow up
-  Conflicts of interest statements are required for all Selectmen and department heads
-  Employees are required to sign an acknowledgement that the Town’s code of ethics was provided to them and that they understand it
2. Does the Town have a mechanism for employees to anonymously raise concerns regarding ethics, fraud or questionable business activities?
Examples of controls in place to support this may include:
-  A fraud policy has been adopted and prohibits retaliation against whistle blowers
-  A confidential whistle blower hotline has been established
-  Signs are posted in all common employee areas like break rooms and cafeterias with the IG’s fraud hotline number
-  Employees should be educated as to the long-term benefits of exposing or identifying possible fraud vs. the short-term convenience of not communicating what they witnessed
3. Is there a protocol for handling confidential complaints?
Examples of controls in place to support this may include:
-  A fraud policy has been adopted and prohibits retaliation against whistle blowers and details to whom and how complaints are addressed and investigated
4. Have duties and responsibilities of each employee been clearly described to them?
Examples of controls in place to support this may include:
-  Job descriptions have been provided to each employee
-  Each employee receives an annual performance review, which is included as part of their personnel file
-  Departments periodically conduct departmental meetings to organize resources, communicate goals and provide instruction
5. When making new hires, does the Town perform sufficient background checks on the potential new hire’s technical knowledge and skills?
Examples of controls in place to support this may include:
-  Job descriptions are provided to each job candidate
-  Resumes and/or job applications are reviewed by all involved in hiring decisions
-  References are contacted and these discussions are documented
-  CORI checks are performed for required employees and considered for all employees
-  Credit checks are performed for all employees in financial or managerial positions that have direct access to budgets
-  An online service offering background checks is utilized to identify potential issues not disclosed by the candidate or references
6. When promoting from within, does the Town promote the most qualified and capable candidate?
Examples of controls in place to support this may include:
-  Job descriptions are provided to each job candidate
-  Past performance reviews are reviewed and updated prior to promotion
-  Candidates for promotion are interviewed in a similar fashion as external candidates
7. Does the Town adequately compensate employees in order to retain and attract qualified individuals?
Examples of controls in place to support this may include:
-  HR and department heads evaluate salary levels based on surrounding towns and other benchmarks
8. Does the Town have a process to identify incompetent or ineffective employees?
Examples of controls in place to support this may include:
-  Each employee receives an annual performance review, which is included as part of their personnel file
-  Underperforming employees are placed on notice and provided a plan for improvement
-  Educational or training programs are made available to increase an employee’s skill levels to a productive level
9. Are there consequences for employees who commit fraud and are those consequences fair and consistent?
Examples of controls in place to support this may include:
-  A fraud policy has been adopted that clearly details the ramifications and penalties to those caught defrauding the Town
-  Signs are posted in common areas requesting that employees confidentially report fraud and that the Town will prosecute to the fullest extent of the law
-  The Town promptly terminates employees caught stealing from the Town and when appropriate communicates the Town’s actions to employees through e-mail communications to deter future events
10. Do employees in key “trust areas” within the Town show “red flags” that may suggest a change in personal or financial situations?
Examples of controls in place to support this may include:
-  Recognition that age, experience, and seniority of personnel are not preventive controls of fraudulent activities
-  Management has been trained to recognize “red flags”
-  Management understands that such “red flags” demand their additional attention (talk with employee, quietly perform additional, periodic checks for errors or inconsistencies in work performed, etc.)
11. Is there an annual, thorough review for inefficient or deficient processes within the offices that could lead to fraud or errors in transactional processing?
Examples of controls in place to support this may include:
-  Recognition that age, experience, and seniority of personnel are not preventive controls of fraudulent activities
-  Employees are encouraged to provide suggestions or feedback as to how their work could be performed better
-  Management has annual meetings with software vendors to identify new or improved options in electronic processing software that are available to be implemented or could be requested for improvement
12. Does management contemplate the risks associated with electronic processing (including those through the Internet)?
Examples of controls in place to support this may include:
-  Employees are trained in how to identify or avoid electronic intrusions or “attacks” on their workstations or through external communications
-  Management has on staff or hires an information technology consultant to periodically evaluate system weaknesses

II. Fraud Risk Assessment at the Process Level – Cash Receipts

The municipality’s key objective is to provide municipal services to its residents today and in the future and safeguard its assets. To do so, the municipality’s operating plan calls for continued revenue growth and cost management. The municipality is subject to many risks in connection with this operating plan – some internal and some external. The process by which these risks are analyzed is referred to as Risk Assessment.

A series of control statements will be posed below. These control statements are specific to the business cycle identified above. Areas in which no control is in place may indicate that there is a gap in your internal controls that needs to be filled.

Common Fraud Risks With Billings (Tax & User Charges) / Control(s) in Place (Yes/No) / Are the Controls Communicated / Are the Controls Being Followed / Are the Controls Being Monitored / How Often Are Controls Being Monitored
13. Parcel and component(s) valuations or meter readings are reconciled to master listings to ensure completeness and accuracy.
Commitments are supported by master listings that can be matched by the total number of items or locations to determine if any are missing from the billing calculation. Utilizing consecutive generated billing numbers strengthens this process. Those departments with billings usually have sufficient personnel to perform independent checks and balances or involve multiple departments where one department may cross-check another department. Risk is that a taxpayer or customer may not be billed due to error or intentional manipulation of data.
If applicable, describe the control(s) in place.
14. Billing calculations (value/usage * rate) are mathematically verified for accuracy.
Electronic systems typically have reports or processes built in to assist with this evaluation. Otherwise, the system includes a process that selects a sample of bills and conducts manual recalculations verifying that billing amounts are as expected based on the data. Certain billings involve multiple authorizations or reports (Tax Recap, Commitment Reports, Billing Reports, Assessor Warrants, etc.) which can be used to reconcile amounts for consistency. Risk is that a taxpayer or customer may be incorrectly billed due to error or intentional manipulation of data.
If applicable, describe the control(s) in place.
15. Committed billings are compared to budget and prior periods at an appropriate level of detail for each billing cycle.
The budget is a key component of the internal control system. Timely and regular budget to actual reviews by the Assessor, Collector, Town Accountant and department heads can serve as a valuable tool in discovering receipts fraud or errors.
If applicable, describe the control(s) in place.
Common Fraud Risks With Department Receipts
16. Fees charged are reconciled to pre-numbered receipt logs and rates are agreed to authorizations to assure fees are proper and correct.
Most fees charged are either statutorily set by the Commonwealth or by an executive level vote (Board of Selectmen, City/Town Council); fees charged can be compared to those authorized and approved amounts. It is now common for departments to have electronic systems or cash registers that can monitor and calculate fees based on services or documents requested. Risk is that a customer may be incorrectly billed due to error or intentional manipulation of data.
If applicable, describe the control(s) in place.
17. Departments with fee based services or goods are provided with an adequate system to reconcile activity to original source documents.
A significant number of municipal fees involve the sale of goods or services that could be monitored through a consecutively generated pre-numbered receipt system.
Electronic systems, which are more frequently provided to departments, should be capable of generating permits, certificates, and receipts directly; this provides an electronic transaction database for subsequent review and reconciliation. Manual systems (handwritten or Excel) are highly susceptible to manipulation or error and should require significantly more internal review and checks. Risk is that a customer may pay the fee, but an inadequate or flawed system leaves the payment subject to misappropriation or error because no evidence of the transaction exists.
If applicable, describe the control(s) in place.
18. Fee based receipts are compared to budget and prior periods at an appropriate level of detail for each type of fee charged.
Budgets for fee-based transactions are only a limited component of the internal control system, as activity is subject to inconsistencies from estimated activity. Timely and regular budget to actual, or year to year revenue comparison reviews by department heads and the Town Accountant can serve as a valuable tool in discovering receipts fraud, since differences from expectations should be properly investigated and explained to differentiate those resulting from real customer activity versus those resulting from fraud or errors.