Last week, the Auditor General of Toronto issued a report estimating that in 2018 alone, the TTC lost $61 million due to fare evasion.
As both a frequent rider of the TTC and a forensic accountant specializing in fraud investigations, I found the report interesting (and disturbing) on both a personal and professional level, because many internal controls that I assumed were in place at the TTC to prevent fare evasion actually did not exist, while other controls that were in place were ineffective. The report highlighted the importance of investing in strong internal controls, and what can happen when that does not occur.
Here are some general tips for designing and implementing internal controls effectively.
1. Risk Assessment and Prioritization
The TTC has fare inspectors who verify that passengers riding subways and streetcars have paid their fares in full. The Auditor General found that fare inspectors do not check fares during peak rush hour, as TTC vehicles during these time periods are very congested. The report opined that fare evasion may be higher during rush hour as passengers would take advantage of the absence of inspectors. However, the TTC did not have any controls in place to address this issue.
Lesson: Before implementing internal controls, it is important to assess the risks in your organization. Where are you most likely to lose the most money? What areas of your business are most vulnerable to fraud? Once you identify the high-risk areas, appropriate internal controls can be put in place to specifically address and prioritize these risks.
2. Set Realistic Targets
The TTC calculates the fare evasion rate as the percentage of passengers inspected who are found to have not paid their fare or paid the incorrect fare. The Auditor General found that instead of recording the actual number of passengers inspected, fare inspectors were estimating the total number of total passengers that were on the TTC vehicle being inspected. This significantly understated the fare evasion rate.
When fare inspectors were asked why this was done, they stated they have an unwritten target of 500 inspections per 12 hour shift, which can be difficult to achieve. The inspectors felt that they may face discipline if they did not meet these targets.
The fare inspectors’ actions caused the TTC to underestimate the extent to which they were losing revenues due to fare evasion, preventing the organization from taking timely action to address the problem.
Lesson: Before designing implementing any controls, businesses should ensure that the information they will be collecting is timely and an accurate reflection of the nature and extent of the problem.
3. Use of Third Parties
Current TTC policy allows children age 12 and under to ride for free. Adult passengers often purchase and use child Presto cards to avoid paying full adult fares. Since adult and child Presto cards look the same, ticket collectors are unable to visually distinguish between the two cards, preventing them from detecting the misuse of the cards. The Auditor General noted that when the TTC asked Metrolinx to create a visual distinction between the two cards, Metrolinx declined to do so.
Lesson: Many organizations use third-party companies for services such as payroll processing, IT services, etc. Before entering into relationships with vendors, companies should:
- Understand the internal controls the vendors have in place that may impact the organization.
- Determine the willingness of the vendor to accommodate changes that may be required to improve internal controls on their end.
- Agree on who is responsible for covering any losses the business may incur as a result of any control weaknesses.
These issues should be negotiated prior to entering into any agreements.
In my journeys on the TTC, I have seen passengers jump gates and turnstiles, and wondered why fare collectors did not take any action to stop them. The Auditor General’s report explains that fare collectors are not allowed to leave their booths without permission, even if they witness fare evasion. On buses, if a passenger does not pay their fare, drivers are required to push a fare dispute key, and continue driving with the passenger on board. There are no immediate consequences for fare evasion, and this is likely well known, further contributing to the problem.
Lesson: Internal controls are only effective if people know that there are consequences for breaking the rules. Deterrence is an important part of any internal control system, as it discourages potential fraudsters, preventing losses from occurring.
The Auditor General’s report illustrates what can happen when organizations do not invest properly in fraud detection and prevention. Internal controls are the best defence that companies have to minimize losses caused by fraud, but they must be well designed and enforced. An ounce of prevention truly is worth a pound of cure.