Segregation of Duties
Nov 20

Segregation of Duties: How to Overcome

By Charles Hall | Auditing , Fraud

Segregation of duties is key to reducing fraud. But smaller entities may not be able to do so. Today, I tell you how overcome this problem, regardless of the entity’s size. 

The Environment of Fraud

Darkness is the environment of wrongdoing.

Why?

No one will see us. Or so we think.

Fraud occurs in darkness.

In J.R.R. Tolkien’s Hobbit stories, Sméagol, a young man murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring and Sméagol’s hiding of self and his precious (the ring) transforms him into a hideous creature–Gollum. I know of no better or graphic portrayal of how that which is alluring in the beginning, is destructive in the end.

Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment where fraud happens.

What’s the solution? Transparency. It protects businesses, governments, and nonprofits.

But while we desire open and understandable processes, our businesses often have just a few employees that perform the accounting duties. And, many times, no one else understands how the system works.

It is desirable to divide accounting duties among various employees, so no one person controls the whole process. This division of responsibility creates transparency. How? By providing multiple eyes to see what’s going on.

But this segregation of duties is not always possible.

Lacking Segregation of Duties

Many small organizations lack appropriate segregation of duties and believe that solutions do not exist or that they are too costly. But is this true? I don’t think so.

Here’s two easy steps to create greater transparency and safety.

1. Bank Account Transparency

First, consider this simple control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.

Persons who might receive the bank statements first (before the bookkeeper) include the following:

  • A nonprofit board member
  • The mayor of a small city
  • The owner of a small business
  • The library director
  • A church leader

What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).

In many small entities, accounting processes are a mystery to board members or owners. Why? Only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.

Relying on a trusted bookkeeper is not a good thing. So how can you shine the light?

Fraud Prevention

Picture courtesy of DollarPhoto.com

Allow a second person to see the bank statements.

Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.

Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person. And let the bookkeeper know.

Even the appearance of transparency creates (at least some) safety. Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of a review enhances safety. I am not recommending that the review not be performed. But if the bookkeeper even thinks someone is watching, fraud will lessen.

When you audit cash, see if these types of controls are in place.

Now, let’s look at the second step to overcome a lack of segregation of duties. Surprise audits.

2. Surprise Audits

Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs). They involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such a review can be contracted out to a CPA. Or they can be performed by someone in the company. For example, a board member.

Segregation of Duties

Picture courtesy of DollarPhoto.com

Additionally, adopt a written policy stating that the surprise inspections will occur once or twice a year.

The policy could be as simple as:

Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.

Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be examined but distinct enough that a regular review occurs. 

Surprise Audit Ideas

Here are some surprise audit ideas:

  • Inspect all cleared checks that clear a particular month for appropriate payees and signatures and endorsements
  • Agree all receipts to the deposit slip for three different time periods
  • Review all journal entries made in a two week period and request an explanation for each
  • Inspect two bank reconciliations for appropriateness
  • Review one monthly budget to actual report (look for unusual variances)
  • Request a report of all new vendors added in the last six months and review for appropriateness

The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not get caught.

I will say it again. Having multiple people involved reduces the threat of fraud.

Segregation of Duties Summary

In summary, the beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement. Even so, they are powerful. So shine the light.

What other procedures do you recommend?

For more information about preventing fraud, check out my book: The Little Book of Local Government Fraud Prevention.

management override of internal controls
Nov 11

Management Override of Internal Controls

By Charles Hall | Auditing , Fraud , Risk Assessment

Management can override internal controls, resulting in fraudulent financial reporting. Below I provide four ways that management can do so and how you can audit for these potential threats. 

Controls can be overridden, even when properly designed and operating. Accounting personnel usually comply with the wishes of management either out of loyalty or fear. So if a trusted C.E.O. asks the accounting staff to perform questionable actions, they will sometimes comply because they trust the leader. Alternatively, management can threaten accounting personnel with the loss of their jobs if they don’t comply. Either way, management gets what it wants by overriding internal controls. 

Management Override of Internal Controls

Here are a few ways that management can override controls:

  1. Booking journal entries to inflate profits or cover up theft
  2. Using significant transactions outside the normal course of business to dress up the financial statements
  3. Manipulating estimates 
  4. Transferring company cash to their personal accounts 

Auditors consider management override in all audits (or at least, they should). Why? Because it’s always possible. That's why audit standards require that we respond to the risk of management override in all audits. 

First, let’s consider how management overrides controls with journal entries.

1. Journal Entry Fraud

Think about the WorldCom fraud. Expenses were capitalized to inflate profits. Income statement amounts were moved to the balance sheet with questionable entries. Once the fraud was discovered, the internal auditors were told the billion-dollar entries were based on what management wanted. The entries were not in accordance with generally accepted accounting principles. And why was this done? To increase stock prices. Management owned shares of WorldCom, so they profited from the climbing stock values. The fraud led to prison sentences and the demise of the company, all because of management override. 

Journal entries are an easy way to override controls. Consider this scenario: Management meets at year-end, and they have not met their goals; so they manipulate earnings by recording nonexistent receivables and revenues, or they record revenues before they are earned. For example, management accrues $10 million in fake revenue, or they book January revenues in December. 

Journal Entry Testing

Auditors should test journal entries for potential fraud, but how? First, understand the normal process for making journal entries: who makes them, when are they made, and how. Also, inquire about journal entry controls and consider any fraud incentives, such as bonuses related to profits. Then think about where fraudulent entries might be made and test those areas. Fraudulent journal entries are often made at year-end, so make sure you test those. Here are some additional journal entry test ideas:

  • Examine entries made to seldom-used accounts
  • Review consolidating entries (also known as top-side entries)
  • Test entries made at unusual hours (e.g., during the night) 
  • Vet entries made by persons that don’t normally make journal entries
  • Look at suspense account entries
  • Review round-dollar entries (e.g., $100,000)
  • Test entries made to unusual accounts

You don’t need to perform all of the above tests, just the ones that are higher risk in light of journal entry controls and fraud incentives. Data mining software can be helpful in vetting journal entries. For example, you can search for journal entries made by unauthorized persons. Just extract all journal entries from the general ledger and group them by persons making the entries; thereafter, scan the list for unauthorized persons. 

Fraudulent journal entries are not the only way to override controls. The books can be cooked with related party transactions. 

2. Funny Business

Sometimes, as an auditor, you’ll see funny transactions. No, I don’t mean they are amusing. I mean they are unusual. Management can alter profits with transactions outside the normal course of business, and these are often related party transactions. 

For example, Burning Fire, an audit client, is owned by Don Jackson. Mr. Jackson also owns another business, Placid Lake. As you are auditing Burning Fire, you see it received a check for $10 million dollars from Placid Lake. So you ask for transaction support, but there is little. The CFO says the payment was made for “prior services rendered,” but it doesn’t ring true. This could be fraud and is an example of a transaction outside the normal course of business. Why would a company record such an entry? Possibly to bolster Burning Fire’s financial statements. When you see such a transaction, consider whether a fraud incentive is present. For example, do loan covenants require certain financial ratios and does this transaction bring them into compliance? 

Next, we look at how management can juice up profits by manipulating estimates. 

management override of internal controls

3. Manipulating Estimates

Auditing standards require a retrospective review of estimates as a risk assessment procedure. Why? Because management can manipulate estimates to inflate earnings and assets. Auditing standards call such tendencies bias, a sign that fraudulent financial reporting might exist. That’s why auditors review prior estimates and related results. 

For instance, suppose a company has a policy of reserving 90% of receivables that are ninety days or older. If at year-end the greater-than-ninety-days bucket contains $1,000,000, management can increase earnings $400,000 by lowering the reserve to 50%. What an easy way to increase net income! 

Retrospective Review of Estimates

So, how does an auditor perform a retrospective review of an allowance for uncollectible accounts? Compare the year-end reserve with that of the last two or three years. If the reserve decreases, ask why. There might be legitimate reasons for the decline. But if there is no reasonable basis for the smaller allowance, bias could be present. Note such changes in your risk assessment summary. For example, in the accounts receivable section, you might say: The allowance for uncollectible accounts appears to have decreased without a reasonable basis. Why? Because you’ve identified a fraud risk that deserves attention. 

Complex estimates are easier to manipulate without detection than simple ones. Why? Because intricate estimates are harder to understand, and complexity creates a smokescreen, making bias more difficult to spot. As an example, consider pension plan assumptions and estimates. Very complex. And changes in the assumptions can dramatically affect the balance sheet and net income. 

Now, let's look at how to document your retrospective review. 

Documenting Your Retrospective Review

Document your retrospective review. How? List the current and prior year estimates and explain the basis for each. Also, examine the results of the prior year estimates. For example, compare the current year bad debts with the prior year uncollectible allowance. Additionally, consider including incentives for manipulating profits such as bonuses. 

Label the workpaper Retrospective Review of Estimates to communicate its purpose. Also, consider adding purpose and conclusion statements such as:

  • Purpose of workpaper: To perform a retrospective review of estimates to see if bias is present.
  • Conclusion: While the allowance estimate is higher in the current year, the judgments and assumptions are the same. It does not appear that bias is present. All other prior year estimates appear reasonable. 

Other conclusion examples follow:

  • Conclusion: The rate of return used in computing the pension liability increased by 1%. The increase does not appear to be warranted given the mix of investments and past history. Bias appears to be present and is noted in the risk assessment summary form (in the payroll and benefits section).
  • Conclusion: Based on our review of the economic lives of assets in the prior year depreciation schedule, no bias is noted.
  • Conclusion: We reviewed bad debt write-offs in the current year and compared them to the uncollectible allowance in the prior year. No management bias is noted.

Is there another way that management might override controls? Yes, sometimes management requires accounting personnel to transfer company cash to personal bank accounts. 

4. Transferring Company Cash to Personal Accounts

Years ago I audited a hospital in Alabama. The C.E.O. would sometimes go to Panama City Beach, and while there, direct his accounting staff to wire funds to his personal account—and they did. Why? The threat of losing their jobs. Some management personnel, especially those with muscle, can intimidate the accounting employees into doing the unbelievable. I’ve seen this happen and once the C.E.O. is called out, he pretends to know nothing about the prior conversations with accounting.  

Management Override of Internal Controls

In your future audits, consider that management override of internal controls is always a possibility.

So don't allow yourself to believe that management is too honest to commit fraud. (A personal friend of mine just went to jail for stealing $3.5 million; he was part of the company's management team. I've known him for twenty years, so I was stunned to hear this.) Conduct your audits to detect material misstatements, including fraud--even if you've known the management team for many years. 

iPad Apps for CPAs
Nov 02

iPad Apps for CPAs: The Tried and True

By Charles Hall | Technology

Here is a list of iPad apps for CPAs. You’ll find each one helpful in your daily work.

iPad Apps for CPAs

Checkpoint – A library of accounting and auditing publications by Thomson Reuters. You must pay for the books, but Checkpoint provides powerful search capabilities.

Notability – The best app I’ve found for taking notes. You can also record audio as you take notes and then quickly return to a specific part of the conversation by touching a written word with your iPad Pencil. I use this almost daily.

OmniFocusA high-end to-do list. It provides contextual listings, including a hotlist (to help me remember the most important things). You can add, for instance, a to-do item for a particular client or a trip to the hardware store. This app takes some time to understand, but very powerful. Consider taking David Sparks online OmniFocus class. I find it useful.

Box – A secure file storage system in the cloud. Very powerful. I started using Box about six months ago. There’s a learning curve, but it’s worth it. It’s pricey. I use this storage system for business files.

Dropbox – Cheaper than Box. A cloud-based storage system in the cloud. Dropbox is easy to use. I tend to use Dropbox for personal data. Dropbox seems to integrate more easily with other apps than Box does. I store large video or audio files here (rather than Evernote). This app feels like a large electronic sandbox.

Evernote – Storage app. I create “notes” inside Evernote and store whatever I desire. Evernote is my electronic library. I have saved thousands of articles and research. Apply several tags to each note, so you can quickly find the information you need.

Keynote – A slide presentation app. I use Keynote more than Powerpoint. The Keynote background slides are the best. I find it easier to create slide decks with my iPad than with my desktop.

WeatherWeather app. I start my day by checking the weather, and, when I’m going out of town, I check my destination’s weather before I leave.

Outlook – Email app. I tried Gmail for a while but returned to Outlook. It’s just easier to use. And it integrates with Office 365.

Dictionary – App used to define words and look for synonyms. Since I am a writer, I use this often. 

Scanbot – I take pictures of multiple pages, and the scan automatically loads to a specified Box folder.

Holy Bible – You Version Bible app. I start each day with this app. You Version is free and provides several different translations.

Explain Everything – Want your clients to see what you are drawing while you are online with them? Pull up a PDF and write on it with your iPad Pencil. Instantly your client sees what you are doing. Record the presentation (including sound) and store it. Then share the conversation with anyone. Crazy. 

AudibleAudible book app. I listen to books while I’m on the road (or when I am exercising). 

iThoughts – Want to brainstorm visually? iThoughts is your app. Create color-coded maps of your ideas. 

Pocket – An easy-to-use use app to capture internet articles as you see them. Don’t have time to read an article? Save the piece with Pocket with one click. The app shares the captured articles across platforms.

Documents – Write on PDFs or annotate them in other ways (like adding a red box to highlight an area). I don’t take paper copies of agendas or additional information to meetings. They are all here in Documents. It’s a great file manager that connects to file storage systems such as Dropbox. Documents works with all types of files, including Excel, Adobe Acrobat, Word, video files, images. 

Apple Pencil – Consider using an Apple Pencil with your apps. Cost is $129. I use one daily to write on electronic documents. (If you’ve tried other styluses and they’ve not worked, try this one.)

Your Thoughts?

What apps do you like?

Accountant's iPad
Nov 02

Getting More Done with My Favorite Accountant’s Device

By Charles Hall | Technology

Accountants use all types of electronic devices and software: Caseware, Excel, scanners, Powerpoint, Adobe Acrobat, monitors, QuickBooks, iPhones—just to name a few. For me, the iPad tops them all.

Accountant's iPad

I purchased my first iPad about six years ago for about $500.  Then, four years ago, I bought a second one. A year ago I picked up my third. Now, having spent hundreds of hours on iPads, I am smitten. 

You may be thinking, “Charles, you’re a CPA. How do you and why do you spend that much time on an iPad? Don’t you primarily use a desktop computer?” Yes, my work computer is my primary tool. But in terms of enjoyment, the iPad wins hands down. 

Ways I Use My iPad

“How do you use it?” you say. Here are few ways:

Convenience and Portability

Mostly, I use my iPad at home, seated on my couch. The portability of the device is its primary benefit. It’s large enough to read from and work on—and small enough to take wherever I go.

Your Favorite Device

So what’s your favorite tool and how do you use it?

Here are my favorite iPad apps.

Fictitious Vendor Transfer
Oct 03

Fictitious Vendor Fraud: How It Occurs and How to Prevent It

By Charles Hall | Asset Misappropriation

Fictitious vendor fraud is one of the most dangerous ways employees steal. Today we look at how this theft works and how to prevent it. I’ll conclude with a video explanation of fictitious vendor fraud.

The Theft

Your accounts payable director (Susie Jones) sets up a fictitious vendor: ABC Project Management. Susie keys the new vendor into the payables system using her sister’s—Joan Albert—personal home address. (The payables director is the only person tasked with reviewing new vendors.) Susie also creates fictitious consulting invoices to support payments made to ABC Project Management.

Fictitious Vendor Transfer

The computer signs the checks. Therefore, no one reviews the invoice prior to physically signing a check. Joan receives the signed checks through the mail.

Joan opens a bank account in the name of ABC Project Management. She is the sole authorized signer. She deposits the ABC Project Management checks into the new bank account. Then, she writes checks—from the ABC Project Management bank account—to herself and Susie.

The Weakness

What’s the weakness? Susie is the only person reviewing new vendors for appropriateness. No one outside of the accounts payable department is performing periodic reviews of the vendor files.

The Fix

If possible, have the company’s computer system automatically email Susie and the controller (a person outside of the accounts payable department) each time a new vendor is added. The email should provide the name and address of each new vendor, and the name of the person that made the addition.

Require the accounts payable department to archive vendor verification documentation such as:

  • Google search for the business
  • Google search using the vendor address (Google often provides a picture of the location)
  • Phone call made by an accounts payable employee to the new vendor
  • Physical visit to the vendor’s business

Additionally, the company can also compare payroll addresses to vendor addresses using software packages such as IDEA or ACL. (Sometimes an employee will use their personal address in a vendor fraud such as the one above, rather than that of an accomplice such as a sister.)

Also, ask an outside CPA or Certified Fraud Examiner to sample and verify selected vendors. Accounts payable personnel are less likely to steal when you consistently perform such tests.

For more information, read my article about auditing accounts payable.

Explanation of Fictitious Vendor Fraud

1 2 3 40
>