Fancy Rockbottom worked for Knottyville
Country Club (the Club), a member-owned, private country club, for twenty-two
years. Fancy worked as general manager for the last six years, from
2001 to 2006. During this period, she stole about $1.2 million from the Club
through asset misappropriation. After her fraud was discovered, she was sentenced to
fifteen years in prison.
Internal control weakness and weakness in the monitoring system
Because Fancy served in a variety of capacities at the Club, the Club had a
material weakness in its internal control and monitoring system.
1. The lack of segregation of duties is
apparent. Segregation of duties involves four responsibilities: authorization,
custody, record keeping and reconciliation. No one person should
hold two or more of these responsibilities at the same time. In this case, Fancy was
in charge of ordering supplies, signing checks, recording transactions and reviewing
the monthly reconciliation. This gave her an opportunity to take cash or transfer
bank funds for personal gain.
2. The requirement of two signatures on one
check was ineffective, as Sarah often signed blank checks at Fancy’s request. With
dual control defeated, Fancy was free to write checks. It can also be seen that
Sarah lacked training on segregation of duties, as she signed blank checks without
3. There was no oversight or review of the process
of bank reconciliation. Because Fancy was responsible for all of the related activities
without supervision, the potential for errors and irregularities increased.
as a bookkeeper was the only one who prepared financial statements for the company
and presented an annual budget to the approval board of the Club. She had too
much power in this process, as she could hide anything unusual if she wanted.
5. Fancy had authority to handle checks and
cash and to prepare billings, which gave her an opportunity to take cash and
stop subsequent billings or write off the account. She also had the ability to
charge extra dollars to clients’ bar bills. Clients’ bills should be based on
the expenses, so Fancy had no right to modify them.
6. Fancy’s lavish vacations and luxury
cars went unnoticed for several years.
7. Fancy took money out of employees’
paychecks to make up for the loss of the money that she embezzled.
8. Fancy was able to deposit money from
her personal account to take care of the balance in the club account.
9. Fancy had authority to select
suppliers, which gave her an opportunity to collude with suppliers.
of Internal Controls and Monitoring Systems.
Fancy exploited loopholes in the ledger
system, weak internal control, and lax oversight. Her fraud continued over six
years without being detected. It should have been prevented in advance. The Club
should enhance its internal control to reduce the opportunities for employees
1. The Club should segregate the duties of
bookkeeping, custody, and reconciliation. The same person should not be allowed
to hold two or more of these responsibilities. If an employee is in charge of
reconciliation, he or she cannot be in charge of deposits.
2. The Club should ensure that all checks
have two authorized signatures and, as a general rule, should not provide blank checks.
An individual who is responsible for paying the bills cannot have the
right to approve checks.
3. The Club should assign an employee other than
the individual who prepares the bank reconciliation to take responsibility for
custody of the bank reconciliation.
of suppliers should be approved by the Board of Directors.
5. The Club should strengthen the training
of employees to help them develop fraud awareness and understand
their job responsibilities. If an employee’s lifestyle is beyond his or her salary,
it should be treated as a red flag for fraud.
6. Enhance security controls by creating rules to protect employees’ payroll. Only
designated people should have access to employees’ payroll.
Risk factors for Asset Misappropriation
The fraud triangle, which consists of pressure,
opportunity and rationalization, describes types of red flags for fraud. Firstly, personal
vices such as Fancy’s addiction to gambling are a form of pressure. Additionally, Fancy
was living a life of luxury. She went on expensive vacations and bought costly cars.
To maintain her lifestyle, her salary could hardly cover her bills. Her significant
changes in lifestyle and personal debt problems are all red flags.
Secondly, weaknesses in the internal controls
and monitoring system of the Club gave Fancy the opportunity to steal money. These
were all red flags, but no one noticed. Fancy had access to blank checks and was in
charge of bookkeeping, reconciliation, ordering supplies and preparing
financial statements without supervision. The selection of suppliers was also determined
by her, which is a red flag for a manager.
Lastly, Fancy may have rationalized
that she stole money just to pay off her debts and that the members of the Club are
so rich that it is not a big problem to steal money from them.
of Audit Procedures
1. Hold a fraud brainstorming session at
the beginning of the audit. Set a tone of professional skepticism in the audit.
2. Make inquiries of management and other
employees. The responses might indicate an unusual change.
3. Consider the results of the
analytical procedures to identify the existence of unusual transactions or
events, and amounts, ratios, and trends that might indicate matters. Perform
year-to-year analytical reviews for every account.
4. Consider fraud risk factors.
5. Evaluate the quality and effectiveness
of internal controls.
the company’s journal entries for any signs of manipulation
7. Compare the bank reconciliation with the
accounts to see if there are any unusual transfers or outstanding checks over scope.
8. Check the list of suppliers and
contractors to verify that suppliers are approved by the board of directors. Recognize
that collusion may be likely.
9. Conduct an audit of the payroll account
to verify that the payroll payments are calculated correctly.
Medicare Southwest (MSW) was a small subsidiary
of Acme Corporation (Acme). It processes Medicare claims from providers and relies
heavily on Acme. After reviewing MSW and Acme’s claim processing procedures,
Bob and his staff, who are in charge of auditing MSW, find many areas of concern
in MSW and Acme.
Firstly, the paper claims are received and
sorted in the mailroom with all other mail for all subsidiaries, which means
there is no mail address specifically for claims. If something is urgent, there
is no guarantee of delivery. Secondly, because facilities and
staff members are allowed to be shared, there is no guarantee of data security. Data
breaches and improper use of data may be unavoidable. Furthermore, as no one
reviews the physical access lists for data entry
personnel, if a fraud occurs, it is hard to identify the subject of the
In order to
ensure that physical access and logical access are properly controlled, auditors
first need to check whether the system operates normally. Using a list of recently
terminated employees and a current list of employees with physical access to
the data entry and center facilities, auditors can test the access controls
over data. By comparing these two lists, auditors can find out whether someone
logged in to the system without permission or whether terminated employees can
still log in to the system. The test can help auditors assess the protection and
validity of the passwords. Good access
control should ensure that terminated employees’ credentials are removed.
current list of employees with logical access privileges to the claims
processing system can help auditors test whether the number of users and administrators
is limited. Additionally, the access granted to users and administrators should
be completely within their job descriptions.
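The list comparison described above can be done mechanically. The following is an added example, not part of the original case write-up: it cross-checks a terminated-employee list against physical and logical access lists, an access log, and per-role entitlements. All employee IDs, role names, privileges and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample data (assumptions, not taken from the case).
TERMINATED = {"e104": date(2024, 3, 1), "e117": date(2024, 4, 15)}  # id -> last day
PHYSICAL_ACCESS = {
    "e101": {"data_entry"},
    "e104": {"data_entry", "data_center"},
    "e130": {"data_center"},
}
LOGICAL_ACCESS = {
    "e101": {"role": "data_entry", "privs": {"enter_claim"}},
    "e117": {"role": "adjudicator", "privs": {"resubmit_claim"}},
    "e122": {"role": "data_entry", "privs": {"enter_claim", "approve_claim"}},
    "e130": {"role": "admin", "privs": {"manage_users"}},
}
# Privileges each job description allows (assumed for the example).
ROLE_ENTITLEMENTS = {
    "data_entry": {"enter_claim"},
    "adjudicator": {"adjudicate_claim", "resubmit_claim"},
    "admin": {"manage_users"},
}
ACCESS_LOG = [  # (employee id, date of badge swipe or logon)
    ("e104", date(2024, 3, 9)),
    ("e101", date(2024, 3, 9)),
    ("e117", date(2024, 4, 10)),
]

def review_access(terminated, physical, logical, entitlements, log):
    """Return sorted (finding, employee, detail) tuples for auditor follow-up."""
    findings = []
    for emp, left_on in terminated.items():
        if emp in physical:  # badge never revoked
            areas = ",".join(sorted(physical[emp]))
            findings.append(("TERMINATED_PHYSICAL", emp, areas))
        if emp in logical:  # account never disabled
            findings.append(("TERMINATED_LOGICAL", emp, logical[emp]["role"]))
        for who, when in log:  # credential actually used after departure
            if who == emp and when > left_on:
                findings.append(("USE_AFTER_TERMINATION", emp, when.isoformat()))
    for emp, acct in logical.items():  # access beyond the job description
        excess = acct["privs"] - entitlements.get(acct["role"], set())
        if excess:
            findings.append(("EXCESS_PRIVILEGE", emp, ",".join(sorted(excess))))
    return sorted(findings)

if __name__ == "__main__":
    for row in review_access(TERMINATED, PHYSICAL_ACCESS, LOGICAL_ACCESS,
                             ROLE_ENTITLEMENTS, ACCESS_LOG):
        print(*row)
```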
to test the security software parameters to see if these parameters are
properly configured. For example, the longer and more complex a password is,
the harder it is to guess or hack. The system should require
that a password have a certain minimum number of characters and a mix of uppercase
letters, numbers, lowercase letters and so on. The number of logon attempts
allowed is also an important parameter. If a person fails to log in three times,
the system should lock out the account to prevent unauthorized login.
In order to test
the security and effectiveness of the procedures for change control, auditors need
to determine whether all recent changes, the individuals who made these changes and
the individuals who authorized these changes are recorded.
Most of the
data entry personnel are temporary employees. The uncertainty around temporary
employees may increase the security risk, as they deal with confidential
information. Whether those temporary employees are qualified for this position is
unknown. It is also difficult to define clear responsibilities, as they all have
access to the data. Additionally, the manager is the only person who is in charge
of approving, deleting and reviewing the data entered into the system before
submission, which means the manager is free to modify data without supervision in
the process. Furthermore, because the adjudication staff can resubmit claims
without further review, there is no guarantee of the accuracy and integrity of
the data, which could lead to fraud.
The duties of writing,
testing and approving changes to the claims processing system software should
be separate. If a single system programmer has too much power over a system, he
or she may change the system at will, which would affect the effectiveness and
security of the software. The programmer may even use the software for personal gain, as
no one supervises the process.
Bob put 20 fictitious claims, together with real claims, into
the claims processing program as test data. This auditing technique is called an Integrated
Test Facility (ITF). The
purpose of the ITF is to verify the effectiveness of the program by comparing the
processing of the test data with expected results.
Bob found that audit modules had been embedded
into the claims processing program. These modules flag abnormal claims and
record them in a special audit log. This auditing technique is called System
Control Audit Review File (SCARF). The purpose of SCARF is to continuously
monitor transactions and collect data on transactions for subsequent review or
subsequent use in another test.
As the amounts
paid were consistently slightly lower than the amount submitted, these differences
are not the result of happenstance. They reveal problems in the claims
processing program. SCARF may be used to test program logic by checking whether
the program operates properly.
Computer Audit Software is widely used by auditors for fraud detection. The data filter is set
to choose only those transactions that match or meet a certain criterion. Because
claims for deceased individuals are invalid, the filter could choose those
individuals who are alive. Statistics can be used to detect fraud, as it is easy
to identify outliers if the same patient underwent medical procedures more than
once within a particular time period. For example, more than one organ transplant
procedure for a patient is an anomaly and an
outlier. Character classification is also a useful tool. For example, classify
gathers transactions by coma patients. When there are claims for physical
therapy for this group of coma patients, the claims should be invalid.
be used to determine if the five-cent discrepancy for every third claim was
fraudulent. Outliers that exceed the average and any transactions
with amounts above the 95% range are possible anomalies.
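The audit-software tests described above can be expressed as a short script. This is an added example, not part of the original write-up: it filters claims dated after the patient's death, flags physical therapy billed for coma patients, flags repeats of once-only procedures, and tests whether a fixed shortfall recurs at a fixed claim interval. The records, field layout and the ONCE_ONLY set are constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample data; field names and values are assumptions.
PATIENTS = {
    "p1": {"died": None, "coma": False},
    "p2": {"died": date(2023, 11, 2), "coma": False},
    "p3": {"died": None, "coma": True},
}
CLAIMS = [  # (claim no, patient, procedure, service date, submitted cents, paid cents)
    (1, "p1", "office_visit", date(2024, 1, 5), 12000, 12000),
    (2, "p1", "kidney_transplant", date(2024, 1, 9), 9000000, 9000000),
    (3, "p2", "office_visit", date(2024, 1, 12), 12000, 11995),
    (4, "p3", "physical_therapy", date(2024, 1, 15), 30000, 30000),
    (5, "p1", "kidney_transplant", date(2024, 2, 1), 9000000, 9000000),
    (6, "p1", "lab_panel", date(2024, 2, 3), 8000, 7995),
    (7, "p1", "office_visit", date(2024, 2, 9), 12000, 12000),
    (8, "p1", "lab_panel", date(2024, 2, 11), 8000, 8000),
    (9, "p1", "office_visit", date(2024, 2, 20), 12000, 11995),
]
ONCE_ONLY = {"kidney_transplant"}  # procedures expected at most once per patient

def flag_claims(claims, patients):
    """Map claim number -> list of reasons the claim looks invalid."""
    flags, seen = {}, Counter()
    for no, pat, proc, when, _submitted, _paid in claims:
        reasons = []
        died = patients[pat]["died"]
        if died and when > died:  # data filter: patient must be alive
            reasons.append("service after death")
        if patients[pat]["coma"] and proc == "physical_therapy":  # classification
            reasons.append("physical therapy for coma patient")
        seen[(pat, proc)] += 1
        if proc in ONCE_ONLY and seen[(pat, proc)] > 1:  # statistical repeat check
            reasons.append("repeat of once-only procedure")
        if reasons:
            flags[no] = reasons
    return flags

def shortfall_pattern(claims):
    """Return (shortfall in cents, claim interval) if underpayment is systematic."""
    short = [(i, c[4] - c[5]) for i, c in enumerate(claims, 1) if c[4] != c[5]]
    gaps = {b[0] - a[0] for a, b in zip(short, short[1:])}
    amounts = {diff for _, diff in short}
    if len(short) >= 3 and len(gaps) == 1 and len(amounts) == 1:
        return amounts.pop(), gaps.pop()
    return None  # differences look incidental, not patterned
```

On the constructed data, `shortfall_pattern` reports a 5-cent shortfall on every third claim, which points at program logic rather than chance.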