We had another great webinar presented by Dave Hammarberg (Director of IT and Consulting Senior Manager) and Jim Shellenberger (Senior Manager) with McKonly & Asbury! Thank you to everyone that attended and received CPE credit.
We discussed what skimming is, walked through several examples, and covered how to detect skimming and prevent your organization from becoming a victim of it.
For more information on this topic or to submit a question for Dave or Jim, use our contact page at www.macpas.com/contact.
5. A BIT ABOUT US
Jim Shellenberger
Senior Manager
Audit
Dave Hammarberg
Director of IT/Sr. Mgr.
Accounting and Fraud Certification
6. ABOUT MCKONLY & ASBURY
• Audit, Tax, and Risk Management Firm.
• Regional presence in Pennsylvania.
• Clients ranging from large construction, manufacturing, and other industries.
• Special capabilities in the risk management area.
• Best Places to Work and Best Accounting Firm.
8. FINANCIAL STATEMENT AUDIT
• Performed in accordance with auditing standards
generally accepted in the United States of America
• Statement on Auditing Standards No. 99
Issued by AICPA in 2002
Effective for audits of financial statements for periods beginning
on or after December 15, 2002
9. AUDITOR’S RESPONSIBILITY
• Plan and perform the financial statement audit to obtain
reasonable assurance that the financial statements are
free of material misstatement caused by:
Errors (unintentional misstatements or omissions)
Fraud (intentional misstatements or omissions)
Noncompliance with laws and regulations
10. MANAGEMENT’S RESPONSIBILITY
From Independent Auditor’s Report:
Management is responsible for the preparation and fair
presentation of these financial statements in accordance with
accounting principles generally accepted in the United States of
America; this includes the design, implementation, and
maintenance of internal control relevant to the preparation and
fair presentation of financial statements that are free from material
misstatement, whether due to fraud or error.
11. FINANCIAL STATEMENT FRAUD DEFINED
• An intentional act by one or more individuals among management,
those charged with governance, employees, or third parties,
involving the use of deception that results in a misstatement in
financial statements that are the subject of an audit. (AU-C-240.11)
Although the auditor may suspect or identify the occurrence of fraud,
the auditor does not make a legal determination of whether fraud
has actually occurred.
12. TYPES OF FRAUD IN A FINANCIAL STATEMENT AUDIT
Fraudulent Financial Reporting
• Deceive financial statement users
• Manipulation of accounting records and supporting documents
• Misrepresentation or intentional omissions of events, transactions, or facts
• Management override of controls
Misappropriation of Assets
• Embezzling receipts
• Stealing physical assets or intellectual property
• Using company’s assets for personal use
• Usually accompanied by false or misleading records
13. AUDITOR’S “FRAUD” OBJECTIVES IN A FINANCIAL
STATEMENT AUDIT
• Identify and assess the risks of material misstatement of
the financial statements due to fraud
• Design and implement appropriate responses to the
assessed risks of material misstatement due to fraud and
obtain sufficient appropriate audit evidence
• Appropriately respond to identified or suspected fraud
14. FRAUD REQUIREMENTS DURING A FINANCIAL
STATEMENT AUDIT
• Maintain Professional Skepticism
• Engagement Team “Brainstorming” Discussion
• Inquiries of Management and Others
• Assess Fraud Risk
Preliminary analytical procedures, including procedures related to revenue
Other information obtained (not just inquiries and brainstorming)
Presumption that there is a risk of material misstatement due to fraud relating
to revenue recognition
15. FRAUD REQUIREMENTS DURING A FINANCIAL
STATEMENT AUDIT
• Respond to Fraud Risk
Incorporate element of unpredictability
Can include test of controls, or substantive procedures
• Management Override of Controls
Journal entry testing
• Evaluate Audit Evidence and Identified Misstatements for
Indication of Fraud
• Communicate
16. COMMON EXAMPLE
• Unauthorized Disbursements
• Common to many businesses, often due to a lack of
segregation of duties
• If there is risk of material misstatement, audit
response is required.
18. WHAT DOES A FRAUD ENGAGEMENT OR
INVESTIGATION COVER?
• No two fraud engagements are alike
• Usually a fraud engagement will focus around a specific
area of the organization where irregularities were
found.
• Usually evidence found in a fraud engagement will
guide the rest of the engagement.
• Misallocation or Reporting Fraud.
19. SKIMMING – AN AREA OF FRAUD THAT MAY NOT
BE UNCOVERED DURING A NORMAL AUDIT
Wikipedia definition
A form of white-collar crime, skimming is a slang term that refers to taking cash "off
the top" of the daily receipts of a business (or from any cash transaction involving a
third interested party) and officially reporting a lower total; the formal legal term is
defalcation
Skimming is the theft of money before it has been recorded in the books of a business
as being received. Skimming sales is the theft of money received from a sale of goods
or services before it has been recorded. The 'sales' part of the name is simply a
description of what money is targeted (sales) and the 'skimming' part is a description
of when the attack takes place (before recording). A different fraud - usually a billing
fraud - is necessary once the receipt has been recorded and banked.
20. SKIMMING FACTS
• Skimming frauds are never meant to be discovered or paid back.
• In some cases frauds do not need to be hidden, and this is one of
those cases. This will depend on the controls over inventory or
whether a good or service was sold.
• Gateway Fraud – this type of fraud often leads to larger more
extensive frauds.
21. SKIMMING FACTS (CONT.)
• Hard to detect – often times cash is taken prior to the
recording of the transaction.
• Most common fraud in a cash business
• If a business owner fails to "ring up" a transaction and
pockets the cash the crime becomes tax evasion.
22. SKIMMING FACTS (CONT.)
• Skimming may additionally be the direct theft of the cash.
• In addition to hiding it from tax authorities, the perpetrator
hides the taking from an employer, business partners, or
shareholders.
• Other related usages can include things such as corrupt
government officials in a poor country "skimming" cash
received as foreign aid.
24. HOW TO DETECT SKIMMING
• Company Hotline
• Surveillance
• Comparisons/Trending
25. HOW TO PREVENT SKIMMING
• Training
• Company Hotline
• Surveillance
• Job rotation
• Segregation of duties
26. OBSERVATIONS
• Money/cash is vulnerable to fraud whenever it is handled by employees.
• Attacks on receipts can occur at any point of the business cycle. The two major areas are:
• (a) where sales (cash or otherwise) are made; and
• (b) where debtor's receipts are collected.
• Businesses without proper controls and those that are too reliant upon (trusting) one or a
few employees handling money and recording transactions provide an opportunity for this
fraud.
• Thefts can be hidden by the lapping of a series of individual frauds, each covering the last.
Lapping is most easily uncovered by separating or rotating duties amongst employees, thus
taking away the opportunity of the fraudster to continue with the scheme.
27. ANOTHER TYPE OF SKIMMING: CREDIT CARD FRAUD
(OFTEN REPORTED BY THE MEDIA)
• Skimming has been described as one of the most
significant problems facing the credit card industry, as
it can happen anywhere a credit card is accepted.
• The best way for consumers to protect themselves
from skimming is by paying attention to the details of
credit card usage.
28. SKIMMING – CREDIT CARD FRAUD (CONT.)
• When a credit card is skimmed, data on the card, including the
account number, is electronically transmitted or stored.
• The credit card information can then be encoded onto a lost,
stolen, or counterfeit credit card and used anywhere in the
world.
29. CREDIT CARD FRAUD SKIMMING EXAMPLES
• A collusive store employee completes a valid sale, and then captures a
second (unauthorized) swipe covertly on a portable device before
returning the card to the cardholder.
• A skimming device is added to the front of an ATM or gas pump and
captures the credit card information as the consumer attempts to use
the machine.
• A skimming device is added inside an ATM or gas pump and captures
information during a valid transaction. In many cases a covert camera is
also set up to capture the card holder’s personal identification number
(PIN).
30. ATM 'SKIMMING' FRAUD SUSPECTED
IN LAKE FOREST
• Someone installed a hidden “skimming” device on a Lake Forest, IL ATM to steal
private information from bank customers, Lake Forest police announced
Thursday February 7, 2013.
• Police said the device likely was attached to an ATM in the lobby of Northern
Trust Bank, 265 E. Deerpath Rd. Police said it recorded customers’ account
numbers, PIN numbers or both during the last two to three months.
• That information was then used to make fraudulent withdrawals at numerous
ATMs in the Chicago area, police said in a release.
• Deputy Police Chief Karl Walldorf said the device was removed before bank
officials could recover it.
31. FOUR CHARGED IN MCDONALD'S CREDIT CARD
SKIMMING SCAM
Would you like some fraud with that?
• Four men have been charged with using a handheld skimming device to clone
nearly 300 cards from customers at a Tulsa, Okla., McDonald's. The alleged
crooks, the Associated Press reported, enlisted an unnamed employee at a South
Zurich Avenue outpost of the fast food chain to capture the customer's card
numbers for three weeks.
• Daniel Jefferson, 20, allegedly gave the McDonald's employee the skimming
device, and came to the employee's apartment after work each day to download
the skimmed credit card numbers — about 282 of them — onto a laptop. He
then cloned the cards and used the new fraudulent ones to buy iPads and
laptops.
32. WHAT DOES CREDIT CARD SKIMMING MEAN FOR YOUR
BUSINESS?
• Loss of business due to a bad reputation.
• Potential legal action by customers
33. HOW TO PREVENT CREDIT CARD FRAUD SKIMMING FOR
YOUR BUSINESS
• Surveillance cameras at each cash register.
• Dummy cameras at each cash register.
• Training for employees
• Fraud hotline
Note: This fraud is difficult to stop if employees are determined to
profit from the information they have access to (credit card
numbers).
34. HOW CAN YOU PREVENT OR DETECT CREDIT CARD FRAUD
SKIMMING FOR YOURSELF?
• Ensure your credit card is swiped only once at a register.
• Conceal your PIN as you enter it into an ATM or credit card reader.
• Subscribe to a service that checks your credit. (LifeLock)
• Review your credit card statements.
38. FRAUD ENGAGEMENT
FROM A TO Z
SAMUEL BOWERCRAFT, MSIS, CISA
&
DAVID HAMMARBERG,
CPA, CFE, CISSP, MCSE, WXYZ
Editor's notes
An audit involves performing procedures to obtain audit evidence about amounts and disclosures in the financial statements. The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the Partnership’s preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the Partnership’s internal control. Accordingly, we express no such opinion. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements.
Management of the entity and those charged with its governance have the primary responsibility for the prevention and detection of fraud.
Audit standards explicitly recognize that some misstatements might not be detected in a GAAS audit due to the inherent limitations of audits. The risk of not detecting a material misstatement resulting from fraud is higher than the risk of not detecting one from error due to attempts to conceal its detection. (AU-C 240.05-.06) Fraud may involve sophisticated and carefully organized ways to conceal it, deliberate failures to record transactions, or deliberate misrepresentations to the auditor.
Fraudulent Financial Reporting – Intentional misstatement, including omissions of amounts or disclosures, in the financial statements. “Cooking the books”
Misappropriation of Assets – involves the theft of a company’s assets resulting in materially misstated financial statements. (i.e. Stealing)
Skepticism - Maintaining professional skepticism includes considering that there is a possibility of material misstatement due to fraud, regardless of the auditor's past experience with the honesty and integrity of the management and those charged with governance.
• Required to investigate and disclose if something doesn’t feel right
• Investigate responses that are inconsistent, vague, implausible, or otherwise unsatisfactory
Engagement team brainstorming session - how and where the financial statements might be materially misstated due to fraud, how such a fraud might be perpetrated and concealed, and how assets could be misappropriated.
• Has to involve the partner
• Should ignore beliefs about the honesty and integrity of the client
• Ask a lot of “what if” questions
• Discuss known internal or external factors that might create an incentive, opportunity, or rationalization for committing fraud.
• Discuss management override of controls
Inquiries – Management, Internal Auditors (if any), Those Charged With Governance (different than management, i.e. Board, significant shareholders, general partner.)
• Actual, alleged, or suspected fraud
• Their views of where the financial statements could be materially misstated due to fraud
• How management and others identify, respond to, and monitor risks of fraud
• Financial statement auditors are directed to “step outside” just the accounting department
Assessing Fraud Risk – at the financial statement level, and at the assertion level for classes of transactions, account balances, and disclosures.
• Important: Not a conclusion about the level of fraud risk.
• Consider analytical procedures, including required
Revenue Recognition Risk - Examples of inappropriate revenue recognition are recording fictitious revenues, prematurely recording revenue, or improperly shifting it to a later period.
Audit procedures relevant to this risk include confirming certain contract terms with customers and observing shipments and performing appropriate sales cutoff procedures.
Respond to Fraud Risk
• Appropriately assign and supervise staff. Use of specialized staff with certain skills
• Evaluate client’s selection and use of accounting policies…especially those that involve complex transactions, measurements, estimates
• Unpredictability – testing different accounts, new locations, different sampling methods, etc.
• Obtaining more audit evidence from independent third parties
• Computer assisted audit techniques to gather more extensive evidence
• Inquiring of non financial personnel
• Testing transactions at or near the end of the reporting period
• Increasing sample sizes
• More detailed analytical procedures
A risk of management override of controls exists in all entities because management is in a unique position to manipulate accounting records and prepare fraudulent financial statements.
• Test journal entries
• Review accounting estimates for bias
• Evaluate business rationale for significant transactions
Journal Entry Testing
• Understanding of the entity’s process and controls for journal entries
• Inquire of individuals about inappropriate or unusual journal entry activity
• Select journal entries or adjustments made near the end of a reporting period
• Professional judgement is used to determine the nature, timing, and extent of journal entry testing. Many factors.
Communicate
• If the auditor has identified fraud or obtained information that fraud may exist, communicate it to an appropriate level of management as soon as practicable, even if the matter is inconsequential.
• Communication to those charged with governance (board) fraud matters
Example, bookkeepers writing checks to themselves
Substantive tests of the cash balance recorded in the financial statements may not be sufficient to respond to a material risk of fraudulent cash disbursements
Consider the client's controls over disbursements:
• Segregation of duties and effective management oversight (for example, the owner/manager receives the bank statement unopened).
• Authorization and approval of transactions (for example, in purchasing or payroll disbursements)
After considering controls, and in the auditor’s judgment, the risk that fraudulent disbursements could be material to the financial statements, an additional audit response is necessary. Auditors could perform all or some of the following procedures:
• Performing extended analytical procedures on expense accounts.
• Reviewing selected disbursements for unusual payees, signatures, or endorsements.
• Reviewing vendor lists for unusual patterns.
• Reviewing payroll registers for unusual items.
• Performing paymaster procedures (that is, distributing payroll checks or observing their distribution).
• Proof of cash.
Communication to those charged with governance regarding any significant deficiencies in internal control and if the results of the testing indicated that a fraud may have occurred.