IRENE MAE C.

GUERRA
FINAL REQUIREMENT IN IT AUDIT
1. What factors contributed to this opportunity to commit fraud?
Every organization faces some risk of fraud from within. No matter how dedicated your
financial team is or how secure your processes are, you'll still be vulnerable to fraud, whether by
an employee or a third party. Unfortunately, Liberty Bell Hospital is a victim. An employee fraud
was discovered and under investigation by the internal audit manager, Mr. Alan Walters and the
security director, Mr. Theodore Block. But how does the fraud exist and why does the perpetrator
commit such criminal deception? Fraud is defined as an intentionally deceptive action designed to
provide the perpetrator with an unlawful gain or to deny a right to a victim. There are different
types of fraud and one of it is business fraud, which refers to the illegal or unethical and deceptive
actions committed either by a company or an individual acting in their capacity as an employee of
the company.
The perpetrator, Matt Harris committed fraud to Liberty Bell Hospital. At first, he was
hired as a temporary accounts payable clerk but was called by the Internal Audit Manager for
nepotism due to the fact that he was the son of Sharon Harris, senior A/P clerk and was decided
by the committee to have Matt be treated as any independent contractor and during September
2002, Matt was given the opportunity to apply for a full-time position without deleting his
information in the system as independent contractor. And that’s where the opportunity of fraud
arises.
There is this so-called fraud diamond theory proposed by David T. Wolfe and Dana R.
Hermanson. This composed of the four (4) elements of fraud to know the how’s and why’s it
occurs, 1st element is Opportunity, next is Pressure, third is rationalization and lastly, Capability.
Matt has all of these factors when he commits fraud. He had the opportunity because he
has the position in LBH, he can access to blank checks, forge the check payable to him as his name
was not deleted as independent contractor, he has all the access when his boss was on vacation, he
performs semi-weekly cash disbursement run, printing and mailing of the physical checks to LBH
vendors. He was also allowed to access the main safe where the pre-signed checks were stored.
Another opportunity is the weakness of internal controls by LBH example is that there is no
separation of duties, the head all endorses his role to Matt when he is away which allows him all
access, hiring Matt without due process like background check, etc., lack in management
oversight, knowing that Matt was already hired as a full time employee but didn’t delete his
information in the system, and poor documentation process in the sense that the authorization for
cash disbursement form lacks description on what is the purpose of the disbursement, certification
to justify the disbursement which will be approved by another person, budget certification as where
to get the funds for this disbursements and the lack of signatories, LBH has only one authorized
signatures, it should be signed by the head of the finance department, financial systems manager,
treasurer and the budget director.
 He has pressure in committing the fraudulent crime due to his health problem; a terminal
illness and he has no personal assets or health insurance which leads to his financial problem; a
credit card bill of $50,000 incurred by him to pay for his experimental drugs that may possibly
cure him.
Next is that the fraudulent act was rationalized by Matt. Rationalization exist when the
perpetrator explains or justifies why he committed the illegal act. Matt knows that he committed
the act but due to the situation he is facing he justifies the crime to himself in a way that it makes
it acceptable or justifiable why he committed it.
Lastly, Matt has the capability to commit such. He has the ability example is his knowledge
in the process and control in the accounts payable department; the issuance of check which do not
require a second signature if the check issued was for less than $15,000, he has the idea that his
name was not deleted in the system as one of the roosters in the independent contractor and he has
all the access. Greed, dishonesty, weak in character are some of the traits of Matt that caused him
to act fraudulently. The ability can be considered as opportunity factor while the traits is one of
the components of pressure.
2. What breakdowns in internal control could have been improved so that this fraud
could have been prevented?
Internal controls are designed to assist an organization protect itself and achieve its goals.
It helps to reduce risks and preserve assets by ensuring record accuracy, increasing operational
efficiency, and encouraging compliance with policies, rules, regulations, and laws. Management
is responsible for establishing internal controls. In order to maintain effective internal controls,
management should maintain adequate policies and procedures; communicate these policies and
procedures; and monitor compliance with policies and practices. In LBH’s case, the Chief
Financial Officer, Mr. James Smith even though he was aware of the policy he rejected the
warnings of Alan Waters, Manager of Internal Audit, and evaded the company's nepotism policy
which jeopardized the LBH’s control environment. Fraud may be avoided if they had followed the
rules.
Another is that, if only LBH follows its general administrative policy on nepotism
(favoritism in appointment of a job based on kinship) it could have prevented fraud to exist and
might lead to collusion from his mother who is also working within the same department. If LBH
followed the correct processes on hiring an employee from background check (as one of the
standard operating procedures for employees in sensitive positions), giving chance to other
candidates by letting the public know so they can also apply, or those which are already in LBH
for them to be promoted. If Matt is hired a necessary background check including his medical
records, credit history would have revealed his financial difficulties i.e., high credit card debts,
gaps in employment history.
Internal control regarding no separation of duties, the head all endorses his role to Matt
when he is away which allows him all access, placed him in a position to authorize payments to
himself, physically issue checks to the himself, and record the transactions, lack in management
oversight, Matt's vendor account should have been deactivated or erased from the financial
information system, making it impossible for him to enter this information and also he shouldn't
have had access to the pre-signed checks in the main safe.
Lastly, LBH should also maintain safeguarding its assets over access. Matt is a newly hired
employee and should not be allowed to have access and only those who are head should be allowed.
In other company’s only the treasury departments head are allowed to access the safe because they
are the one who issues and release the checks.
3. Other than Matt Harris, who bears some responsibility for this fraud?
Aside from Max who directly and personally accountable of committing fraud, Tracy
Downs is also at fault, she could help in preventing the fraud if only she followed the standard for
insisting a background check. Another person who is responsible is James Smith for ignoring the
nepotism issue the fraudulent act might not even existed.
4. Did the Alan Walters, Internal Audit Manager do the right thing?
Internal operating controls, processes, and practices are the responsibility of internal audit
managers. They may also suggest adjustments and improvements to existing policies and
controls to ensure that they are current, adequate, functioning, and used in compliance with
government and corporate standards. In LBH, Alan Walters, performed his tasks correctly.
5. Explain how general computer controls and application-level controls could have
helped prevent and detect this fraud?
The aim of general computer controls (GCC) audits is to see if computer controls properly
support information system confidentiality, integrity, and availability. It includes controls over the
information technology (IT) environment, computer operations, access to programs and data,
program development and program changes. While application-level controls is an information
security approach that involves using whitelisting and blacklisting strategies to prevent illegal
programs from running.
In LBH case, its planning and organization were the primary flaws that contributed the
most to the eventual scam. The issue isn't simply with the perpetrator's acts; it's with the planning
and organization processes that permitted existing controls to be ignored. Some preventive
procedures were in place, but managers dodged them. Segregation of duties is the critical process
domain in LBH. They should not allow only one person the financial process of issuing the check,
accessing the safe, and delivering such. The hiring of Matt and his job assignment procedures
resulted in a severe failure in segregation of duties.