
EXAMPLE Fraud Prevention Controls

This is an example protocol. Before using any part of this material, Practices should check the contents and adapt the text to suit their circumstances and style.

Key Fraud Prevention Controls

1. This document outlines a number of best practice controls which should be in place to combat the more common types of fraud perpetrated against public sector bodies. It is not an exhaustive list, but if all of these controls are in place and are being complied with, Practices can significantly reduce the risk of loss from fraud in these areas by either prevention or detection at an early stage. It is worth pointing out, however, that many controls will fail in the face of collusion.
2. It should be noted that these controls are only those specifically identified as fraud prevention controls and do not represent our idea of what should constitute the total control framework in these areas.
3. The controls are presented in a format that allows management to assess whether they comply with the control requirements by entering a comment in the right hand column.
4. Although none of the systems noted in the following section are specific to the practice, the application of the controls under payment of creditors and payroll and expenses will guard against fraud in relation to the main expenditure items in the budget.

RISK MANAGEMENT POLICY

The practice has responsibility for minimising the risk of incurring losses by theft or fraud. To do this it expects that the partners and all senior staff will:

1. Identify risk areas and assess the scale of risk for each.
2. Delegate responsibility for managing these areas of work to appropriate personnel, advising them of the potential risks involved.
3. Prepare written operating procedures for all risk areas incorporating, wherever possible, forms of internal control, and provide staff with formal training on these.
4. Carry out periodic reviews to ensure that the systems are being operated in the prescribed manner.
5. Promote general awareness amongst staff of the risks to the practice and develop an environment which promotes compliance with internal controls. It is essential that senior members of staff are seen to adhere to all control measures.
6. Familiarise themselves with common fraud techniques and be aware of signs which could indicate that fraud is taking place.

1. Recruitment

Example risks: Persons not suitably qualified for post are appointed. Good practice in recruitment procedures is not complied with.

Best Practice | Management Comment

o More than one person should be involved in the interview and selection process.
o Detailed application form, including statement from applicants in relation to past criminal record and medical condition.
o Confirmation of references and past employers in writing, backed up by phone discussions if there is any doubt about an applicant's background.
o Reliance should not be placed only on character references and at least one reference should be from a past, ideally the most recent or current, employer.
o Verification of educational and professional qualifications.
o Provider before appointment is made to ensure above checks have been undertaken.

2. Payroll and Expenses

Example risks: Existence of ghost employees. Employees are paid amounts to which they are not entitled.

Best Practice | Management Comment

o Periodic print out taken of all new data fields established and amendments to existing data and subject to review by partners.
o Managerial confirmation of all hours worked by employees.
o Documented support to all overtime and expense claims, including receipts where applicable.
o Each claim subject to authorisation by practice manager who is likely to have knowledge of the details of the claim.
o Exception reports on payroll data exceeding pre-set criteria taken and subject to management review.
o Pre-payment review and authorisation of payroll.

3. Cash and Banking

Example risks: Theft or loss of cash.

Best Practice | Management Comment

o List of signatories authorised to sign cheques.
o Example signatures issued to the bank.
o Delegation levels for signing cheques, with two signatures required over a certain threshold.
o Regular banking of cash and receipts at varied times.
o Immediate banking of significant sums received.
o Security over cash and controlled stationery.
o Periodic surprise checks of cash holdings.
o Two signatures needed for any electronic funds transfer.
o Monitoring of bank charges paid and interest received.
o Petty cash held securely and subject to independent cash counts.
o Petty cash floats kept to minimum value and frequency of replenishment monitored.
o Regular and independent bank reconciliations.

4. Payment of Creditors

Example risks: Payment made for goods and services not received. Payment to ghost suppliers.

Best Practice | Management Comment

o Matching of payments to invoice and/or documentary evidence of receipt of services/goods.
o Register of approved suppliers.
o Management authorisation of new suppliers added to finance system and exception report of all newly established creditors.
o Exception reports reviewed prior to payment run.
o Senior management authorisation of payment run.
o Random checks of authorisation of a sample of payments to back up documentation.
o Retention of all documentation.
o Regular and independent supplier statement reconciliations.
o Regular management accounts prepared and subject to management review.

5. Income Receipt

Example risks: Theft or loss of cash and cheque receipts.

Best Practice | Management Comment

o Register of income, subject to management checks.
o Issue of receipts.
o Segregation of duties between receipt of cash and banking.
o Two people to receive and open mail.
o Register of cheques and cash received through the mail.
o Exception reports on income received.
o All donations should be centrally recorded, receipted and funds promptly banked. Where provided for a specific purpose, monitoring of the use of funds should be performed.
o Regular and independent bank reconciliations.
o Regular management accounts prepared and subject to partners' review.

6. Safeguarding Assets

Example risks: Theft or loss of assets. Tampering with assets.

Best Practice | Management Comment

o Maintenance of asset register and a regular programme of physical inspections.
o Delegated responsibility for the safeguarding of assets by location/department.
o Health and safety checks on applicable equipment at the appropriate intervals.

7. Training

Example risks: Staff are not provided with training or instructions to perform tasks in accordance with HTBS policies and procedures. Frauds are undetected due to unawareness of responsibilities for prevention and detection.

Best Practice | Management Comment

o Formal induction training for each new member of staff.
o Review of training needs as part of annual staff appraisal system.
o Instruction and discussion of control and probity issues as part of staff induction.
o Formal staff training in relation to key/high risk tasks, backed up by adequate written guidance in the form of manuals and/or desk instructions.
o Issue of staff notice on fraud.
o Publication of practice policy on fraud.
o Regular notices introducing significant changes to financial procedures.

8. Procurement and Stock Control

Example risks: Theft of stock. Goods purchased for private not practice consumption.

Best Practice | Management Comment

o Centralised procurement function.
o Strict guidance on financial thresholds for obtaining quotes and authorising orders.
o Periodic management checking of compliance with above.
o Security of controlled stationery.
o Phone and fax orders only to be used in emergency and to be backed up by written documentation.
o Use of official stationery to order goods.
o Checking of goods received against delivery documentation.
o Segregation between functions of ordering, receipt, maintenance of stock records and authorisation to pay.
o Documented arrangements for silent hours/emergency access to stock.
o Periodic usage reviews to identify slow moving, obsolete stock.
o Regular, independent stock checks.

Top Ten Internal Controls to Prevent And Detect Fraud!


A recent KPMG Fraud Survey found that organizations are reporting more experiences of fraud than in prior years and that three out of four organizations have uncovered fraud. The NYS Office of Mental Health's Bureau of Audit has provided the following list of internal controls to assist you in preventing and detecting fraud at your agency.

1. Use a system of checks and balances to ensure no one person has control over all parts of a financial transaction.

o Require purchases, payroll, and disbursements to be authorized by a designated person.
o Separate handling (receipt and deposit) functions from record keeping functions (recording transactions and reconciling accounts).
o Separate purchasing functions from payables functions.
o Ensure that the same person isn't authorized to write and sign a check.
o When opening mail, endorse or stamp checks "For Deposit Only" and list checks on a log before turning them over to the person responsible for depositing receipts. Periodically reconcile the incoming check log against deposits.
o Require supervisors to approve employees' time sheets before payroll is prepared.
o Require paychecks to be distributed by a person other than the one authorizing or recording payroll transactions or preparing payroll checks.
o If the agency is so small that you can't separate duties, require an independent check of work being done, for example, by a board member.
o Require accounting department employees to take vacations.

2. Reconcile agency bank accounts every month.

o Require the reconciliation to be completed by an independent person who doesn't have bookkeeping responsibilities or check signing responsibilities or require supervisory review of the reconciliation.
o Examine canceled checks to make sure vendors are recognized, expenditures are related to agency business, signatures are by authorized signers, and endorsements are appropriate.
o Examine bank statements and canceled checks to make sure checks are not issued out of sequence.
o Initial and date the bank statements or reconciliation report to document that a review and reconciliation was performed and file the bank statements and reconciliations.

3. Restrict use of agency credit cards and verify all charges made to credit cards or accounts to ensure they were business-related.

o Limit the number of agency credit cards and users.
o Establish a policy that credit cards are for business use only; prohibit use of cards for personal purposes with subsequent reimbursement.
o Set account limits with credit card companies or vendors.
o Inform employees of appropriate use of the cards and purchases that are not allowed.
o Require employees to submit itemized, original receipts for all purchases.
o Examine credit card statements and corresponding receipts each month, independently, to determine whether charges are appropriate and related to agency business.

4. Provide Board of Directors oversight of agency operations and management.

o Monitor the agency's financial activity on a regular basis, comparing actual to budgeted revenues and expenses.
o Require an explanation of any significant variations from budgeted amounts.
o Periodically review the check register or general ledger to determine whether payroll taxes are paid promptly.
o Document approval of financial procedures and policies and major expenditures in the board meeting minutes.
o Require independent auditors to present and explain the annual financial statements to the Board of Directors and to provide management letters to the Board.
o Evaluate the Executive Director's performance annually against a written job description.
o Participate in the hiring/approval to hire consultants including the independent auditors.

5. Prepare all fiscal policies and procedures in writing and obtain Board of Directors approval. Include policies and/or procedures for the following:

o cash disbursements
o attendance and leave
o expense and travel reimbursements
o use of agency assets
o purchasing guidelines
o petty cash
o conflicts of interest

6. Ensure that agency assets such as vehicles, cell phones, equipment, and other agency resources are used only for official business.

o Examine expense reports, credit card charges, and telephone bills periodically to determine whether charges are appropriate and related to agency business.
o Maintain vehicle logs, listing the dates, times, mileage or odometer readings, purpose of the trip, and name of the employee using the vehicle. Periodically review the logs to determine whether usage is appropriate and related to agency business.
o Maintain an equipment list and periodically complete an equipment inventory.

7. Protect petty cash funds and other cash funds.

o Limit access to petty cash funds. Keep funds in a locked box or drawer and restrict the number of employees who have access to the key.
o Require receipts for all petty cash disbursements with the date, amount received, purpose or use for the funds, and name of the employee receiving the funds listed on the receipt.
o Reconcile the petty cash fund before replenishing it.
o Limit the petty cash replenishment amount to a total that will require replenishment at least monthly.
o Keep patient funds separate from petty cash funds.

8. Protect checks against fraudulent use.

o Prohibit writing checks payable to cash.
o Deface and retain voided checks.
o Store blank checks in a locked drawer or cabinet, and limit access to the checks.
o Require that checks are to be signed only when all required information is entered on them and the documents to support them (invoices, approval) are attached.
o Require two signatures on checks above a specified limit. Require board member signature for the second signature above a higher specified limit. (Ensure that blank checks are not pre-signed.)
o Mark invoices "Paid" with the check number when checks are issued.
o Enable hidden flags or audit trails on accounting software.

9. Protect cash and check collections.

o Ensure that all cash and checks received are promptly recorded and deposited in the form originally received.
o Issue receipts for cash, using a pre-numbered receipt book.
o Conduct unannounced cash counts.
o Reconcile cash receipts daily with appropriate documentation (cash reports, receipt books, mail tabulations, etc.).
o Centralize cash receipts whenever possible.

10. Avoid or discourage related party transactions.

o Require that a written conflict of interest and code of ethics policy is in place and that it is updated annually.
o Require that related party transactions be disclosed and be approved by the Board.
o Require competitive bidding for major purchases and contracts.
o Discourage the hiring of relatives and business transactions with Board members and employees.
