A recent article in The Wall Street Journal* on employee fraud caught my attention. The premise of the article is that more employee frauds are being committed in these difficult economic times. Some business owners assume their business decline is due to the economy rather than a back office fraud. Or, they may make the connection after cash is depleted and the business is failing. How sad is that given that fraud is preventable.
The terms fraud prevention or fraud risk management are to me synonymous with the term “Internal Accounting Controls”. I will frame this discussion using that terminology. My recollection of the definition of Internal Accounting Controls (going back to graduate school and the CPA exam) goes something like this:
Internal Accounting Controls are those processes that provide reasonable, but not absolute, assurance that the misuse or misappropriation of assets is prevented or detected in the normal course of an accounting period and that financial statements are prepared on a timely basis and present fairly the results of operations and financial position of the entity. Internal Accounting Controls are documented and all transactions are authorized and correct as to account, amount and timing.
Many business owners or senior mangers often place greater importance on trust than on implementing fundamental Internal Accounting Controls. I once conducted a fraud investigation for a major non-for-profit medical foundation. Our investigation found that a long-time, trusted and popular employee had defrauded the foundation out of a significant sum of money. He had been there 17 years, never took vacation, volunteered for special projects and everyone liked him and his lovely wife. In fact, that profile is often typical of someone who commits a fraud; a long-term employee who never takes vacations, volunteers for special projects and is well liked. Think about it. They have been around long enough to earn trust, figure out what management will and will not look at, never take vacations and volunteer for special projects to ensure no one pokes around in what they are doing.
One take away from that experience is that the foundation’s executive director had some level of responsibility for his employee’s demise. The director presented an attitude of disdain for back office minutia. He had placed employee trust ahead of fundamental Internal Accounting Controls thereby creating an opportunistic environment. At that instance in time, the employee had a family member with mounting medical expenses. When the opportunity presented itself, the employee stole. As the economy continues on its present course, seemingly trustworthy people with increasingly desperate financial difficulties will do the same thing too.
Here are our top-ten steps for improving Internal Accounting Controls. This is certainly not a complete list and, as you can imagine, it is hard to keep it to ten. Nevertheless, it is a good start for any business owner or senior managers of any company.
- Control Cash Coming In the Door. There are essentially two means for doing this. (1) Log all checks received at a company’s offices into a bound journal book before forwarding to Accounting. Compare that day’s journal entries to the day’s deposit slips brought back from the bank. The person who sorts and opens customer payment envelopes, outside of Accounting, maintains this log and keeps the daily deposit slips. Periodically, the business owner or a senior manager compares the journal to the deposit slips and to the deposits (debits) in the Cash Account in the General Ledger, investigating any differences. (2) Utilize the services of a bank lock box so that checks are automatically deposited. This is an especially good solution in small offices that do not have good segregation of duties. These two solutions will help control the cash inflow side of the equation.
- Control Cash Going Out the Door. An analysis of each population of Purchasing, Accounts Payable and Cash Disbursement transactions will reveal that 20 percent of those transactions will represent 80 percent of the dollars. So, enhance the controls over the 20 percent of the transactions that represent 80 percent of the dollars by ensuring that those transactions are fully reviewed and approved by the business owner or a senior manager. For guidance on implementing the 80/20 rule, please visit our Our Thought Leadership web site page and peruse the article entitled “Controlling the Cost of Management Controls”. This will help control the cash outflow side of the equation.
- Inspect Checks and Bank Statements. The business owner or a senior manager should be receiving all bank statement envelopes unopened each month. That person should review the statements for any unusual transactions and should inspect the front and back of each check returned by the bank for unusual payees or endorsements that don’t match the payee name.
- Control Master File Records. By “Master File Records” we mean the Vendor addressing particulars in the Accounts Payable system and Employee addressing and pay rate particulars in the Payroll system. Initially, the business owner or a senior manager should inspect all Vendor records to look for unusual or unknown vendors. Likewise, this should be done for the Employee Master File Records in the Payroll system, looking for unknown or terminated employees, matching addresses or unusual pay rates. Once that is done, access to modify those records should be restricted to ensure that phony vendors or employees are not introduced or that addresses, direct deposit information or pay rates are not changed without authorization. Then on a monthly basis, these Master File Records should be re-reviewed. All Vendor payment envelopes or 1099s returned undeliverable by the Post Office should be routed directly to the business owner or a senior manager for investigation. Likewise, returned envelopes for Payroll checks, direct deposit remittance advices or W-2s should receive similar scrutiny.
- Conduct Surprise Payroll Payouts. In addition to locking up the Payroll Master File (item 4 above) Business Owners or senior managers should periodically perform an Audit procedure known as a Surprise Payroll Payout. In this procedure, each employee must obtain their Payroll check or Payroll remittance advice (for direct deposit people) in person from someone outside the Payroll department and must verify who they are by showing an ID card. Any unclaimed checks or deposit slips are investigated as that could represent a fictitious employee.
- Review All Company Credit Card Statements. I was speaking to an early-stage client recently and learned that the CFO/Controller, whom I had only met on several occasions, had perpetrated a credit card fraud amounting to over $100,000. He looked like a trustworthy fellow. He had been charging personal items to the company credit card, having the items delivered to his home. A growing trend is to pay vendors via a company credit card. This is not a bad thing since it provides for Accounts Payable process efficiencies and member reward points or airline miles. However, all too often the company credit card statements go to someone in Accounting and receive no greater scrutiny than a clerk expediting payment to avoid an embarrassment at a restaurant. All credit card statements should be reviewed by the Business Owner or a senior manager before being forwarded to Accounting for payment.
- Segregate Key Duties. The essence of this is that you want to segregate duties between people who have access to assets from those who account for the assets. You would also want to segregate duties between people who authorize transactions from those who account for transactions. This is not an easy thing to accomplish in a small office environment, but it is not impossible. It takes some thought to figure it out and it all depends on the organization of each specific office environment.
- Take a Look In the General Ledger. I was once a turnaround CFO/Controller for significant region of a publicly-held company. I was brought in as a “clean up batter” after the company had discovered significant Accounting fraud. Early into this situation I was working late one night preparing the upcoming year’s budget. I had asked an accountant to budget the office telephone and electric expenses by inflating the past year’s expenses by the forecasted CPI for the upcoming year. She came back with a budgeted expense amount that was some $350,000 more than I had expected. I asked her why and she said it was “because of the credits.” At first I didn’t get it but then it came to me. In an effort to hide losses, the prior CFO/Controller had credited these utility expenses with offsetting debits going to obscure accrual accounts that we had not yet analyzed. The lesson is that if someone is hiding something, one of the fastest ways of finding it is to look through the General Ledger for unusual transactions. Not many Business Owners or senior managers will know how to do that. It is time to learn how!
- Tighten Up Budgets and Insist On Timely Variance Reporting. Even with the best Internal Accounting Controls, it is still possible for a fraud to occur. You try to minimize the opportunities through “preventive controls” but it is not possible to eliminate them all. Then you have to fall back on “detective controls”. One of the best detective controls is to establish tight budgets and insist on timely monthly financial reports; i.e., variance reports. Investigate any variances from the expected for indications of a possible fraud.
- Document Accounting Processes and Procedures. A fundamental attribute of any system of Internal Accounting Controls is written process documentation to ensure training and ongoing compliance. I cannot tell you how many issues of non-compliance go undisciplined because of the excuse that processes were not written, hence you cannot expect compliance. Furthermore, in today’s regulatory environment, auditors and regulators are more often insisting on reviewing written procedural documentation at the start of any audit. If that documentation does not exist, is inadequate or out of date that becomes a major finding. For guidance on process documentation, please visit our Our Thought Leadership web site page and peruse the article entitled “The Process of Process Documentation”.
© 2009. The Fast Track Group, LLC. All Rights Reserved.
last edited on February 25th, 2009 at 2:25 PM