Fraud Auditing, Detection, and Prevention Blog

Illustrating Fraud Action Statements Using the Payroll Function

Dec 16, 2022 7:39:28 AM / by Leonard W. Vona

 

In this blog, we're looking at how to write a fraud action statement using the payroll function as a way to understand the starting process for a fraud audit.

But first, here are the answers for the trivia from the last blog:

1. What was the biggest corporate lawsuit settlement? $206 billion, paid by the nation’s four largest tobacco companies.

 2. Excluding the tobacco lawsuit, what is the aggregate dollar value of the next 10 large corporate settlements? $88 billion.

 3. What is a stockholder derivative lawsuit? One brought by a shareholder or group of shareholders on behalf of the corporation against the corporation's directors, officers, or other third parties who breach their duties.

 4. Are banks being sued for how they administered the first-come first-serve provision of the PPP Loan program? Yes, customers of Bank of America, JP Morgan Chase, and Wells Fargo have sued the banks in federal court.

 5. What cost Walmart more money to settle the FCPA allegations - fines & penalties or forensic accounting and legal fees? The fines totaled $282 million whereas the professional fees totaled $870 million.

 6. Are lawsuits an indicator of weak internal controls? (This is an opinion question versus a fact statement). In my opinion, the answer is an unequivocal yes. My guess is that if you study large corporate lawsuits, you will find weaknesses in the governance aspect of COSO. My further guess is the tension between revenue generation and warranties for customers causes adverse tension. My last guess is that they all involve senior management, not necessarily all senior management, but one or more.

 Are you sure you are focusing on high-risk?

 

Fraud Action Statements in Payroll

 
In the last blog, we discussed the fraud action statement of the fraud risk statement. That is the “what” of the fraud scheme. As a follow-up, let’s look at how to create fraud risk statements using the payroll function.
 
As a reminder, the five elements of a fraud risk statement are
 
1. Person Committing
2. Entity
3. Fraud action statement
4. Purpose of the financial gain
5. Impact: Monetary or non-monetary. The monetary is typically the theft of funds or payment of a bribe, with the exception of the disguised compensation scheme
 
In this illustration, the primary is asset misappropriation, and the secondary is the theft of monetary funds.
 
  

Summary of Fraud Action Statement for the Payroll Function

 The following is a list of the top five fraud schemes involving payroll. The list does not include Human Resource schemes and the list could vary from small company to large company.
 
1. Ghost employee: Someone paid for services not performed.
 
  • Primary is the entity.
  • Secondary is the purpose of the financial gain. 

2. Overtime: paid for more hours than the employee works.
 
  • Primary is the person committing the scheme.
  • Secondary is the fraud action but focusing on the frequency or the amount of overtime.
 
3. False adjustment: unauthorized adjustment to gross payroll or net payroll.
 
  • Primary is the fraud action statement: gross pay, net pay, or withholdings.
  • Secondary is the fraud action but focusing on the frequency or amount of the false adjustment.
 
4. Disguised compensation: Occurs when a supervisor increases an employee’s net payroll without the employee directly participating in the scheme, but the employee receives the payroll payment. 
 
  • Primary is the fraud action statement.
  • Secondary is the purpose of the financial gain.
 
5. False payment: either an intentional duplicate payment, payment after termination or theft of a stale paper paycheck.
 
  • Primary is the fraud action statement.
  • Secondary is the financial gain as to paper check or electronic payment.
 
 

Creating the Ghost Employee Fraud Risk Statement

 Primary Element: Entity

 The entity segment is the primary element. So, our first step is to identify the entity permutations. In this step, I have identified the entity structure and provided a brief explanation of the entity structure.

 1. Fictitious employee occurs by creating an identity for a person that does not exist in real life. 

2. Assumed identity employee occurs by taking over the identity of a real person for either a temporary period or permanently. 

3. Assumed identity by reactivating a terminated employee for either a temporary or permanent period.

4. Assumed identity of a real person who is not complicit in the scheme and is added to your human resource database.

5. Real employee complicit in the fraud action. In payroll, complicity is defined as the real employee receiving the payroll payment.

6. Real employee not complicit in the fraud action. In payroll, non-complicity means the real employee does not receive the payroll payment.

 Secondary Element: Financial Gain

 The secondary element is financial gain. I believe there are two primary items: theft of monetary funds or paying a bribe to someone.

 Person Committing Element

 The first person is always the person with direct access, so the correct answer is the payroll function. The next answer is the person with indirect access, so the correct answer is the department manager or senior member of management. If we consider cybercrime, then we could state computer hacker.

 Fraud Action Statement Element

 The fraud action statement is the same for every ghost employee fraud risk statement: “Paid for services not performed”.

 Fraud Risk Statement

 Now that we have identified all of the parts, it is time to combine the elements into a fraud risk statement. We start with the primary element and then change the person committing or the financial gain. The following four examples illustrate the methodology.

  •  Payroll function causes a fictitious person to be added to the payroll system and compensated for services not performed resulting in the theft of monetary funds.
  •  Senior members of management cause a fictitious person to be added to the payroll system and compensated for services not performed for the purpose of paying bribes.
  •  Computer hackers cause a fictitious person to be added to the payroll system and compensated for services not performed resulting in the theft of monetary funds.
  •  The payroll function causes a terminated employee to be reactivated (temporary or permanent?) and compensated for services not performed resulting in the theft of monetary funds.

 Etc.

 As a reminder, 

  •   In real life, your next step is to identify or understand the fraud scenarios for each fraud risk statement.
  •   A fraud scenario will identify how the fraud risk statement could occur in your organization.
  •  Your goal in the scenario stage is to understand how and where your organization is vulnerable.

 

Now we can start creating the fraud audit program.

 Next month we will show you how to link the audit program to the fraud risk statement.

 Trivia for the Holidays

 I thought we needed a break from fraud trivia; I hope you enjoy it.

 1. Was Christmas ever illegal? True or False?

2. Is KFC one of the most popular Christmas meals in Japan? True or False?

3. What retail store created Rudolph the Red-Nosed Reindeer?

4. Which band had the most Christmas hits?

5. Which countries write the most letters to Santa Claus?

6. Which country has the cleverest postal code for Santa Claus?

7. Who wrote the most Christmas songs?

8. Which food group is named after Christmas?

 FYI, I was surprised at most of the answers.


Written by Leonard W. Vona

Leonard W. Vona has more than 40 years of diversified fraud auditing and forensic accounting experience. His firm, Fraud Auditing, Inc., advises clients in areas of fraud risk assessment, fraud data analytics, fraud auditing, fraud prevention and litigation support.