Fraud Risk Assessment

Download the PDF (including Questionnaire) here.
Download just the Questionnaire PDF here.
Download the Preparation Checklist PDF here.

Background

The Office of the State Auditor (Office) regularly receives complaints of fraud or abuse by local government officials. The Office is also aware of internal investigations performed by local governments of their own officials and employees. Some of these situations receive significant media coverage, while others are resolved with less publicity. In either case, the level of concern by the public and local and state officials is significant. Many have asked the Office for more direction on how to prevent such occurrences in the future. The program outlined in this guide is designed to help measure and reduce the risk of undetected fraud, abuse, and noncompliance in local governments of all types and sizes. This assessment is a starting point; it is the hope of the Office that local governments will add to and adapt this form to improve how they manage their internal controls and the risk of fraud, waste, and abuse.

Internal Controls as a Discipline

Professional literature, as well as our own experience, indicates that the solution to the reduction of fraud risk lies in effective internal controls. Internal controls are the policies, practices, and processes that ensure the operations of an organization are performed effectively and efficiently. Internal controls are also intended to deter or prevent the misuse of public funds. Since internal controls require time and resources, entities should seek to reduce risk to an acceptable level, not eliminate risk altogether. In other words, a lock should never cost more than the item it is intended to protect.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a group of organizations dedicated to providing frameworks and guidance on risk management, internal control, and fraud deterrence. COSO publishes a document “Internal Control – Integrated Framework” (the COSO Framework). The COSO Framework is noted as the gold standard for designing and implementing an entity-wide internal control program for all organizations including governments. The Government Accountability Office (GAO) publishes its own guidance for proper internal controls in government entities known as the Green Book. The Green Book follows the COSO Framework, but adds some specific context that is unique to the government environment. We used both of these publications as resources for this project.

The COSO Framework includes five principles:

  • Tone at the Top
  • Risk Assessment
  • Control Activities
  • Communication
  • Monitoring

Incorporating these five principles into an organization is a recommended but complex endeavor. Most accountants and auditors have been trained on these principles, but full implementation requires additional training and a commitment throughout the organization to be effective. We recommend every organization with the resources use COSO, GAO, GFOA, or any other reputable source as an aid to implementing a comprehensive internal control program.

Due to the expense, most local governments in Utah lack the resources necessary to completely implement the COSO Framework. Our goal is to take the concepts of the COSO Framework and boil them down to specific measures that every local government can incorporate at minimal cost. If properly implemented, we believe these measures will reduce the risk of undetected fraud, abuse, and noncompliance. We have also developed a risk assessment model that provides a basic evaluation of an entity’s fraud risk, based upon required separation of duties and our recommended measures.

Recommended Measures

1. Separate Duties over Cash Accounts (Crucial)

Widely recognized as a crucial internal control, separation of duties includes separating the powers of the treasurer and clerk (the person who performs the accounting function, regardless of title), as required by state law. If the roles and responsibilities of treasurer and clerk are not 1) separate, 2) independent, and 3) monitored by the governing board, the risk of financial fraud and abuse increases.

In general, the treasurer is responsible for the collection and custody of funds, while the clerk validates payment requests, ensures compliance with policy and budgetary restrictions, prepares checks, and records all financial transactions. In situations where proper separation of duties is not maintained, mitigating controls must be implemented. Because of the extreme importance of this control, we have developed a separate questionnaire (see attached) to help determine if basic separation of duties or mitigating controls are in place.

2. Require a Commitment of Ethical Behavior

Purpose

A critical, fundamental, and far-reaching problem facing government today is the lack of public trust and confidence. Government officials are expected to perform their government duties without using their position for personal benefit. A written statement on ethical behavior will provide clarity and serve as a physical reminder of the aspirations of the organization.

Overview

Maintaining an ethical environment requires setting an example and communicating proper expectations at every level of the organization. Training and reinforcement of ethical standards must be continuous and applicable. Expectations must point to the highest standards and not excuse bad behavior by anyone for any reason.

Implementation

We recommend the entity set clear expectations and exercise consistent enforcement. We recommend instilling a culture rewarding high ethical standards, rather than rewarding cutting corners or engaging in questionable or self-serving behavior. We recommend that every entity have a written policy and strong practices that address a standard of ethical behavior, including prohibited activities, required disclosures, and clear directions on how and to whom disclosures should be submitted and reviewed. We also recommend that the entity require elected or appointed officials and employees to annually commit in writing to abide by the entity’s standards of ethical behavior. This practice will provide an opportunity to review the policy and identify any potential or actual conflicts of interest. Requiring periodic confirmation will deter individuals from acting unethically and identify issues before they become problematic.

3. Adopt and Put Into Practice Written Policies

Overview

The governing body should evaluate policies to make sure they establish proper oversight and direct the organization toward the desired outcomes. The following are key policies along with certain elements that we have identified that are either required by law or best practices to improve the internal control system. As a matter of practical implementation, template policies that contain these elements are available on the Office’s website at resources.auditor.utah.gov.

a. Conflict of Interest
  1. Specifies who is required to declare conflicts.
  2. States that if a new conflict arises during course of business it must be reported.
  3. Requires each public official/employee to complete a disclosure form on at least an annual basis.
  4. Identifies the individual/position responsible to gather disclosure forms.
  5. Disclosure forms provide the user a way to disclose conflicts or indicate that they have no conflicts.
  6. Disclosure forms must list the name and position of the public official/employee.
  7. Disclosure forms must list the name of the business entity and ownership interest or position for a business regulated by the entity for which there is a conflict.
  8. Disclosure forms must list the name of the business entity and ownership interest or position for businesses doing business with the entity.
  9. Disclosure forms must list any investments that may create a conflict with the entity.
  10. The disclosure shall be made in a sworn statement filed with the entity’s governing body.
b. Procurement

Seek the best value for the entity and promote a competitive purchasing process.

  1. Specifies a small item threshold allowing employee or department discretion.
  2. Specifies documentation required for each level of purchasing (e.g. small purchases, medium purchases and purchases requiring competitive bid).
  3. Specifies purchasing procedures (e.g. advertising methods and time frames, rejection of bids, appeals) for items requiring competitive bid.
  4. Lists exemptions and documentation needed for not following regular bidding requirements (e.g. sole source provider, emergency purchases etc.).
  5. Addresses improper or illegal conduct:
    1. Prohibits dividing a procurement to avoid following policy (Utah Code 63G-6a-2404.3)
    2. Prohibits kickbacks (Utah Code 63G-6a-2404)
    3. Requires disclosure of conflicts of interest (Utah Code 63G-6a-2406)
    4. Prohibits cost-plus-a-percentage-of-cost contracts (Utah Code 63G-6a-1205)
    5. Lists other specific activities that are not allowed (Utah Code 67-16 applies to the state and all political subdivisions)
  6. Designates a purchasing agent and specifies who may sign contracts, including the requirement that certain contracts go before the governing body.
  7. Has an ethics provision and/or references Utah Code 67-16.
  8. Documents consequences of violating the policy (e.g. formal reprimand, suspension, termination or criminal prosecution).
c. Ethical Behavior
  1. Prohibits participation in decisions or actions in which the employee or official has real or reasonably perceived conflict (see conflict of interest policy).
  2. Prohibits use of authority for personal gain or that of close friends, family, or business associates.
  3. Prohibits receiving gifts, loans or bribes.
  4. Requires confidentiality regarding any information not subject to GRAMA.
  5. Prohibits violation of nepotism laws (Utah Code 52-3).
  6. Prohibits misuse of public resources or property (Utah Code 76-8-4).
  7. References the Utah Public Officer and Employee Ethics Act (Utah Code 67-16).
  8. Establishes individual accountability, including consequences for noncompliance (e.g. suspension, termination).
d. Reporting Fraud and Abuse
  1. Requires the reporting of inappropriate actions or behavior.
  2. Provides reporting structure, including alternatives if the employee’s normal supervisor is involved.
  3. Provides guidance on the type of actions and behaviors which must be reported.
  4. Provides guidance on the information to be provided (e.g. names, dates, times, descriptions, effects) when reporting fraud or abuse.
  5. Provides whistleblower protection or refers to Utah Code 67-21-3.
  6. Provides for the evaluation, investigation and possible consequences of the alleged action or behavior.
  7. Provides for feedback to the employee reporting the action and the governing body.
e. Travel
  1. Establishes a process to authorize travel expenditures (i.e. preauthorization).
  2. Defines what constitutes allowable and unallowable travel and clearly establishes reasonable limits.
  3. Establishes a reporting structure with senior management reporting to the governing body.
  4. Establishes individual accountability, including consequences for noncompliance (e.g. suspension, termination, recovery of funds, inability to travel).
  5. Requires adequate record keeping (documentation of time, place, business purpose, and authorization).
  6. Communicates the public nature of purchase records.
  7. Ensures enough information is gathered and communicated to maintain accountability and measure performance.
  8. Has a provision to comply with external reporting requirements (e.g. IRS, Utah Public Finance Website reporting).
f. Credit/Purchasing Cards
  1. Credit/purchase card issuance should be approved by the governing body.
  2. Establishes procedures for independent review and reconciliation of each card.
  3. Establishes card holder accountability including consequences for noncompliance (e.g. suspension, termination, recovery of funds, or loss of card privileges).
  4. Establishes required practices to ensure the security of the card (e.g. signing, storing, and who can use the card).
  5. Establishes procedures for card use (e.g. documentation required, timelines, reconciliations, restrictions).
g. Personal Use of Entity Assets
  1. Establishes allowable uses, or disallows use, of entity assets and rates if applicable (e.g. making photocopies, use of heavy equipment).
  2. Establishes individual accountability, including consequences for noncompliance (e.g. suspension, termination, recovery of funds or loss of privileges).
h. IT & Computer Security
  1. Establishes allowable uses of information systems, computer equipment, and the internet.
  2. Discloses to the user that the entity has the right to monitor and limit the activities on entity IT systems.
  3. Establishes individual accountability, including consequences for noncompliance (e.g. suspension, termination, recovery of funds, or loss of privileges).
i. Cash Receipting and Deposit
  1. Establishes a timeline for entering receipts into the accounting system.
  2. Establishes a timeline for depositing funds in the bank that complies with the Utah Money Management Act (3 days).
  3. Establishes security measures for holding funds before deposit (e.g. safe, vault).
  4. Establishes a receipting process that gives the customer documentation of the transaction and also provides sufficient information to understand the purpose of the transaction for management review or audit.
  5. Establishes a procedure for entering credit card and ACH transactions into the accounting system.
  6. Establishes a separation of duties between the person receiving payments and the person making deposits (smaller entities may require dual sign-off on deposits).
  7. Establishes required documentation for voiding or altering a cash receipt, including review by someone who did not make the correction.
  8. Requires system-generated or sequentially-numbered receipts to allow for a review of completeness.
  9. Requires cash deposits and receipts to be reconciled and/or reviewed by someone not receiving cash.
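The receipting elements above describe a review an auditor or finance officer can actually run: sequential receipt numbers make completeness checkable, voids need an independent reviewer, receipts must tie to the bank deposit slip, deposits must fall within the three-day limit the page cites from the Utah Money Management Act, and the person receiving payments should not be the person depositing them. The following Python is an added example, not code from the Office of the State Auditor; the record layouts, the `deposit_id` link between receipts and deposit slips, and the sample log are constructed, and the three-day limit is treated here as calendar days.

```python
"""Added example: reconciliation checks over a constructed cash receipting log."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

DEPOSIT_DEADLINE_DAYS = 3  # limit cited on the page (Utah Money Management Act)


@dataclass(frozen=True)
class Receipt:
    number: int               # system-generated sequential receipt number
    received_on: date
    amount: Decimal
    received_by: str          # cashier who took the payment
    deposit_id: str           # constructed link to the deposit slip it went into
    voided: bool = False
    void_reviewed_by: str = ""  # must be someone other than the cashier


@dataclass(frozen=True)
class Deposit:
    deposit_id: str
    deposited_on: date
    amount: Decimal           # amount on the validated bank deposit slip
    deposited_by: str


def find_sequence_gaps(receipts):
    """Report every missing or duplicated receipt number (completeness review)."""
    numbers = sorted(r.number for r in receipts)
    if not numbers:
        return []
    findings, seen = [], set()
    for n in numbers:
        if n in seen:
            findings.append(f"duplicate receipt number {n}")
        seen.add(n)
    for n in sorted(set(range(numbers[0], numbers[-1] + 1)) - seen):
        findings.append(f"missing receipt number {n}")
    return findings


def check_void_review(receipts):
    """A void must be reviewed by someone other than the cashier who made it."""
    return [f"receipt {r.number} voided without independent review"
            for r in receipts
            if r.voided and (not r.void_reviewed_by or r.void_reviewed_by == r.received_by)]


def reconcile(receipts, deposits):
    """Tie receipts to deposit slips, check the deposit deadline, and check that
    the receiver and the depositor are different people."""
    findings = []
    by_deposit = defaultdict(list)
    for r in receipts:
        if not r.voided:
            by_deposit[r.deposit_id].append(r)
    slips = {d.deposit_id: d for d in deposits}
    for dep_id, group in by_deposit.items():
        dep = slips.get(dep_id)
        if dep is None:
            findings.append(f"receipts reference unknown deposit {dep_id}")
            continue
        total = sum((r.amount for r in group), Decimal("0"))
        if total != dep.amount:
            findings.append(f"deposit {dep_id}: receipts total {total} but slip shows {dep.amount}")
        lag = (dep.deposited_on - min(r.received_on for r in group)).days
        if lag > DEPOSIT_DEADLINE_DAYS:
            findings.append(f"deposit {dep_id}: held {lag} days (limit {DEPOSIT_DEADLINE_DAYS})")
        for r in group:
            if r.received_by == dep.deposited_by:
                findings.append(f"deposit {dep_id}: {dep.deposited_by} both received receipt {r.number} and made the deposit")
                break
    for d in deposits:
        if d.deposit_id not in by_deposit:
            findings.append(f"deposit {d.deposit_id} has no supporting receipts")
    return findings


def review(receipts, deposits):
    """Run all checks; an empty list means the log reconciled cleanly."""
    return find_sequence_gaps(receipts) + check_void_review(receipts) + reconcile(receipts, deposits)


# Constructed sample data: one week of receipts with one deliberate problem of each kind.
SAMPLE_RECEIPTS = [
    Receipt(1001, date(2024, 3, 4), Decimal("120.00"), "cashier_a", "D1"),
    Receipt(1002, date(2024, 3, 4), Decimal("45.50"), "cashier_a", "D1"),
    Receipt(1003, date(2024, 3, 5), Decimal("200.00"), "cashier_b", "D2"),
    # receipt 1004 was never entered: a sequence gap
    Receipt(1005, date(2024, 3, 5), Decimal("30.00"), "cashier_b", "D2", voided=True, void_reviewed_by="cashier_b"),
    Receipt(1006, date(2024, 3, 11), Decimal("75.00"), "cashier_a", "D3"),
]
SAMPLE_DEPOSITS = [
    Deposit("D1", date(2024, 3, 5), Decimal("165.50"), "treasurer"),
    Deposit("D2", date(2024, 3, 12), Decimal("210.00"), "treasurer"),  # late, and does not match receipts
    Deposit("D3", date(2024, 3, 12), Decimal("75.00"), "cashier_a"),   # receiver and depositor are the same person
]

if __name__ == "__main__":
    for finding in review(SAMPLE_RECEIPTS, SAMPLE_DEPOSITS):
        print(finding)
```

Run against the sample log, `review` returns five findings: the missing receipt 1004, the self-reviewed void on 1005, the 10.00 difference and seven-day delay on deposit D2, and the same person receiving and depositing on D3. Each finding maps to one of the policy elements above, which is the point of requiring sequential receipts and a reviewer who did not handle the cash.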

4. Hire and Train Qualified Staff

Purpose

In order to ensure the effective and efficient delivery of government services, each entity should identify the knowledge, skills, and abilities (KSA) needed by its management and employees. In technical areas, KSA often align with formal credentials, such as a degree or license. Accounting is an area where degrees and professional designations usually indicate a level of proficiency.

Overview

A licensed Certified Public Accountant (CPA) is the most common designation of a person who possesses the KSA needed to oversee the day-to-day financial operations of an entity. There are several other designations that may indicate similar KSA, such as Certified Government Financial Manager (CGFM), Certified Management Accountant (CMA), Certified Internal Auditor (CIA), Certified Fraud Examiner (CFE), Certified Government Auditing Professional (CGAP), and Certified Public Finance Officer (CPFO). At a minimum, we recommend that every entity have someone with a bachelor’s degree in accounting as part of its staff.

Implementation

While not every local government entity needs a full-time CPA, every entity should utilize a qualified accountant to ensure that its finances are protected and accurately reported. Most accounting firms and professional bookkeeping services provide a variety of services on an as-needed basis. We recommend every local government evaluate the level of KSA possessed by its accounting staff and consider contracting with an accounting professional. The accounting professional could perform some or all of the accounting and ensure that the entity has effectively implemented internal controls and meets reporting requirements. To aid local government entities in identifying and procuring the services of qualified accounting professionals, the Office maintains a qualified vendor list included on the Office’s website at resources.auditor.utah.gov. The firms on this list have met the requirements set forth by the Office to provide bookkeeping, compliance reporting, or financial statement preparation for local governments.

5. Provide Effective Training

Overview

Training is vital to any organization, especially governments, where services are essential to economic prosperity and basic human needs. Public officials and key employees need to possess at least a basic understanding of the legal requirements of their entity. We encourage entities to consider the KSA needed to support the services provided by their entity, then determine the appropriate level of training that is needed to maintain those KSA. The entity should provide resources to attend sufficient and appropriate training on an ongoing basis.

Implementation

The Office provides comprehensive but basic training on financial topics for local government board members and finance officers. However, this training serves only as an introduction for those who are new or previously untrained in local government financial matters. We recommend board members and finance officers identify and participate in organizations that provide more advanced training. These organizations may be specific to the government type (e.g. counties, charter schools), a specific type of operation (e.g. sewer, water), or a specific job within the organization (e.g. treasurer, finance officer).

At a minimum, board members should view our online basic but comprehensive training every four years (see training.auditor.utah.gov). Also, at least one member of the finance team, preferably the chief finance officer, should have 40 hours of financial training each year. Financial training includes: auditing, accounting, budgeting, reporting, internal controls, fraud prevention and detection, software, and any other topic that is related to the management of finances.

6. Implement a Hotline

Definition

A hotline is a means by which the public and employees can anonymously report concerns about improper behavior of an entity’s officers or employees or concerning practices of the entity.

Overview

Fraud losses are 50% smaller at organizations with hotlines than those without hotlines. According to the Association of Certified Fraud Examiners, 40% of reported instances of fraud are discovered through a tip. More than half of these tips were provided by an employee of the organization and 46% of fraud cases detected by tip were reported through a hotline.

Implementation

An effective hotline can be implemented at virtually no cost and can be as simple as providing an email address or phone number. Hotline submissions should be sent directly to a person who has the resources and objectivity to evaluate the concern and investigate if warranted. All complaints and the results of investigations should be presented to the audit committee of the entity in a timely fashion.

Hotlines should be promoted and easy to access (most entities put a link to their hotline on the main page of their website). Every entity should have a written policy that includes the following:

  1. Methods for receiving complaints (e.g. email, phone number).
  2. A provision for anonymous complaints.
  3. Sufficient direction to ensure complaints are given adequate treatment as follows:
    1. An initial screening of complaints performed by an office not involved in the complaint (if an independent internal audit function does not exist, this can be accomplished by having more than one office perform the screening, or by sending the complaint directly to the audit committee).
    2. Audit committee:
      1. Reviews available evidence.
      2. Determines if further investigation is merited. If so:
        1. Sets the scope of audit
        2. Sets a budget
        3. Sets a timeline
        4. Provides resources
    3. Audit results are reported to the audit committee.
    4. Audit committee approves findings and recommendations.
    5. Audit committee ensures that findings and recommendations are addressed by the appropriate officers or employees.
    6. Feedback provided to the complainant, if requested.

7. Implement an Internal Audit Function

Definition

An internal audit function is an organizational initiative to monitor and analyze the entity’s own operations in order to determine how well it conforms to a set of specific criteria, such as laws, policies, or best practices. Internal auditors are independent of the work they audit, but are very familiar with it so as to allow them to determine compliance with the requirements for that work.

Overview

An internal audit may focus on financial operations, systems, processes, or compliance. As part of the internal audit plan, auditors try to find discrepancies between operational design and operational reality. Internal audits also help uncover evidence of fraud, waste, or abuse. If internal auditors find discrepancies or inappropriate activities, they document and report them to entity leadership who can prioritize and direct corrective action.

The frequency of internal audits will depend on the department or process being examined. Some types of operations may require daily audits for quality control, others may require only an annual audit of records.

Internal audit plans act as a pre-emptive step in maintaining operational efficiency and financial reliability, as well as safeguarding assets.

Implementation

An internal audit function should be formalized by the adoption of an Internal Audit Charter which identifies who is responsible to oversee the internal audit function and who will perform the internal audits.

Those responsible for internal audits should adopt an audit plan which identifies what will be audited and when it will be audited. The audit plan should be reviewed regularly, usually once per year.

Adaptation for small entities

Only the largest of our local governments can justify a full-time internal auditor. Most local governments can execute an effective internal audit program by contracting with an audit professional to work a few days a year. To eliminate added costs entirely, some entities may coordinate with peer entities and utilize each other’s financial staff to act as internal auditors. Keep in mind, internal auditors need a solid understanding of audit principles and should use work programs that are designed to effectively identify violations of the laws or policies they are auditing.

8. Use an Audit Committee

Purpose

An audit committee assists the governing body in its financial oversight responsibilities.

Membership

We recommend that the members of the audit committee be a subset of the governing body. An audit committee should have a financial expert who is not a member of management. This can be achieved by having a governing body member who is a financial expert, or by acquiring the assistance of a volunteer or paid professional financial expert. Finance officers from other local governments should be considered when looking for a financial expert, as they are independent and have a working knowledge of government accounting issues.

Functions

An audit committee must ensure the following:

  1. Management develops and enforces systems that ensure the entity accomplishes its mission effectively and efficiently while complying with laws and regulations.
  2. The internal audit function objectively assesses the effectiveness of management’s internal control program.
  3. Financial statement audits are performed by a qualified, independent accounting firm and issues identified during those audits are reviewed and resolved as appropriate.
  4. Hotline complaints are investigated and findings are addressed by the governing body.

Risk Score

We have developed a five-level assessment score that is intended to communicate the entity’s risk of undetected fraud, abuse, or noncompliance. The levels are based upon points assigned to each of the recommended measures. Since some measures are more effective than others, the most effective measures are assigned the most points. As more measures are adopted the score improves. The higher the score, the lower the risk.

The scale and corresponding levels are as follows:

  • Very Low
  • Low
  • Moderate
  • High
  • Very High

See the Fraud Risk Assessment Questionnaire for specific points assigned to each measure and how point totals correspond to the risk scale.