Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty-five years, he has primarily audited governments, nonprofits, and small businesses.
He is the author of The Little Book of Local Government Fraud Prevention, The Why and How of Auditing, Audit Risk Assessment Made Easy, and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events.
Charles consults with other CPA firms, assisting them with auditing and accounting issues.
Some fraudsters split payments to circumvent approval requirements. In this article, I show you how this type of theft works and what you can do to prevent it.
The Theft
The maintenance supervisor, Billy, wants to make a fraudulent payment to ABC Hardware for $9,900. (ABC Hardware is owned by his cousin.) So, Billy wants to avoid his company’s review process. He knows that all checks over $5,000 require the physical signature of the finance director. All checks below $5,000 are signed by the computer. What’s a boy to do? Well, Billy can split the transaction–two checks for $4,950 each. That will work.
Billy asks his cousin for two ABC Hardware invoices of $4,950 rather than the one for $9,900. Afterwards, Billy approves each invoice, and the payments are made.
Picture is courtesy of AdobeStock.com
So, Billy tries the scheme again, and it works. Then, he does so repeatedly. His cousin rewards him with free trips to South Dakota, his favorite hunting destination.
The Weakness
No one is querying the check register for payments just below the threshold. Also, bids were not obtained.
The Fix
Download the check register into Excel (or any database package). Then, sort the payments and look for repeated payments–just below the threshold of $5,000–to the same vendor.
Require bids for significant expenses, and retain the bids as support for the payments.
Difference in Bribes and Gratuities
Learning tip: The hunting trip is referred to as a gratuity rather than a bribe. Why? Bribes are inducement payments made before the purchase decision. Gratuities–free trips in this example–are given after the vendor payments. The purpose of the gratuity is to reward the complicit person (Billy). Then, in the future, Billy knows the drill and expects more of the same.
White-Collar Crime
Splitting payments is a form of white-collar crime. There are many ways that professionals steal. Click here for more fraud-related examples (some of which are hard to believe).
Some people wonder Is using a company credit card for personal use embezzlement? It can be. Employees sometimes steal with company credit cards. Today, we look at a case where one employee was able to steal over $300,000 by misusing college credit cards.
The Theft
Donna Gamble made fraudulent purchases of over $300,000 using Georgia Tech purchase cards (credit cards).
Gamble was employed by Georgia Tech in the Parker H. Petit Institute for Bioengineering and Bioscience. As part of her job, she had access to Georgia Tech credit cards.
Gamble used the purchase cards to buy over 3,800 personal items. How did she hide her theft? She submitted false receipts to her supervisor and made fraudulent accounting entries. The thefts–taken from grant money provided to Georgia Tech by the National Science Foundation–occurred from April 2002 through April 2007. So money designed to advance educational learning was spent on personal items such:
A popcorn machine
Football tickets
A wave runner
Video games
Ms. Gamble was sentenced to two years and eight months in federal prison.
The Weakness
The internal control weakness that led to the theft was a lack of appropriate monitoring.
Credit cards provide a simple means to bypass normal purchasing policies. Most purchasing policies require the issuance of a purchase order prior to the purchase. Such purchase orders are provided by a second person–someone other than the purchaser. So, the authorization to purchase is separate from the bookkeeping. In other words, at least two people are involved in the purchase transaction. Having multiple people involved in such transactions strengthens the controls. Why? A single person can’t make purchases alone. Consequently, theft–when such controls are in place–requires collusion. Now, it’s more difficult to steal.
Many organizations don’t require purchase orders for credit card purchases. Therefore, one person can purchase without a second person’s involvement. Even when a second person authorizes purchases, theft can occur if that person doesn’t pay sufficient attention to purchase requests (and the related documentation).
The Fix
What’s the fix? The monitoring of credit card use. Persons using company credit cards must know that someone else sees their purchases. For instance, internal auditors should routinely audit credit card activity. And the users should know that such audits occur.
Theft, like the one above, occurs when the fraudster knows no one is looking–they believe they can steal, and no one will notice.
Here are some ideas to lessen the possibility of credit card fraud:
Limit the number of cards issued
Assign each card to one person
Set low credit limits
Keep all cards in a secure location
Restrict card usage to particular vendors (which can be done with a purchase card)
Require the person to provide support for each purchase
If appropriate support is not provided, disallow the use of the card
Reconcile monthly credit card statements to supporting documentation
Audit personnel (internal or external) should review credit card activity
Provide a summary credit card activity report for each employee to the governing body or owners of the company
For more information about white-collar crime, click here.
Payroll fraud is quite common. Sometimes the theft occurs as a payroll department employee secretly inflates payments to family and friends.
Payroll Fraud
One Friday evening, Jimmy and Rachel are sitting on the back porch drinking a cool lemonade and chatting about how long it’s been since the business gave them a raise–three years and counting. And everyone knows the owners just bought a beautiful cabin in Aspen. The cost: $10 million. Meanwhile, Jimmy and Rachel (cousins) are wiling away their time discussing what they could do to make more money.
“Don’t you control what people make,” Jimmy starts. Rachel laughs and says, “I may be in payroll, but I can’t give anyone a raise.”
Jimmy pauses and says, “I didn’t ask if you give raises? I mean, can’t you change pay rates, like you could increase mine. You know, quietly.” He grunts, “After all, the owners sure don’t need the money.”
Rachel ponders the request and replies, “I think I could. No one ever reviews what I do. I doubt anyone would ever notice. Come to think of it, I could do the same for myself. With over 300 employees, no one would know. The supervisors never look at the computer payroll files, only the physical personnel files.“
The next day Rachel increases her pay rate and Jimmy’s by 10%, just to test the waters. If anyone notices, she’ll say it was a mistake. But no one does. And after six months, she moves the rates even higher–another 30%. Easy money. Even if she’s caught, white collar crime is often lightly punished.
Payroll Fraud Control Weakness
No one is comparing–on a test basis–the pay rates in the payroll master file to the approved rates in the personnel files.
Correcting Payroll Fraud Weaknesses
Have someone in internal audit or an external CPA or CFE randomly select employees, comparing the master pay rates for each person to the personnel files. Let the payroll and human resources employees know that this test will be performed once a year. The knowledge of the test will be a deterrent to fraudulent increases in the master pay rate file. In particular, pay rates for payroll personnel should be reviewed.
How to Audit Payroll
For a detailed article about how to audit payroll, check out my post here.
In today’s post, I tell you how to understand and communicate material weaknesses and significant deficiencies.
How do you categorize a control weakness? Is the weakness a material weakness, a significant deficiency or something less? This seems to be the most significant struggle in addressing internal control issues.
And if you’ve been in the business for any time at all, you know that management can take offense regarding control weakness communications. For instance, a CFO may believe that a material weakness reflects poorly upon him. After all, he controls the design of the accounting system. So, communicating control weaknesses can result in disagreements. Therefore, it’s even more important that these communications be correct.
Before telling you how to distinguish material weaknesses from significant deficiencies, let’s review control weakness definitions.
Definitions of Control Weaknesses
A deficiency in internal control is defined as follows: A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.
Now let’s define (1) material weaknesses, (2) significant deficiencies, and (3) other deficiencies.
Material weakness. A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
Other deficiencies. For the purposes of this blog post, an other deficiency is a control weakness that is less than a material weakness or a significant deficiency.
How to Categorize a Control Weaknesses
Now that we have defined material weaknesses and significant deficiencies, we can discuss how to distinguish between the two.
Material Weakness
First, ask these two questions:
Is there a reasonable possibility that a misstatement could occur?
Could the misstatement be material?
If your answer to both questions is yes, then the client has a material weakness. (By the way, if you propose a material audit adjustment, it’s difficult to argue that there is no material weakness. As you write your control letter, examine your proposed audit entries.)
Significant Deficiency
If your answer to either of the questions is no, then ask the following:
Is the weakness important enough to merit the attention of those charged with governance? In other words, are there board members who would see the weakness as important.
If the answer is yes, then it is a significant deficiency.
If no, then it is not a significant deficiency or a material weakness.
How to Communicate Material Weaknesses and Significant Deficiencies
The following deficiencies must be communicated in writing to management and to those charged with governance:
Material weaknesses
Significant deficiencies
The written communication (according to AU-C section 265) must include:
the definition of the term material weakness and, when relevant, the definition of the term significant deficiency
a description of the significant deficiencies and material weaknesses and an explanation of their potential effects
sufficient information to enable those charged with governance and management to understand the context of the communication
the fact that the audit included consideration of internal control over financial reporting in order to design audit procedures that are appropriate in the circumstances and that the audit was not for the purpose of expressing an opinion on the effectiveness of internal control
the fact that the auditor is not expressing an opinion on the effectiveness of internal control
that the auditor’s consideration of internal control was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies, and therefore, material weaknesses or significant deficiencies may exist that were not identified
an appropriate alert, in accordance with section 905, Alert That Restricts the Use of the Auditor’s Written Communication
Next, I explain how to communicate other deficiencies (those that are less than a material weakness or a significant deficiency).
How to Communicate Other Deficiencies
Other deficiencies can be communicated in writing or orally and need only be communicated to management (and not to those charged with governance). The communication must be documented in the audit file. So if you communicate orally, then follow up with a memo to the file addressing who you spoke with, what you discussed, and the date of the discussion.
Stand-alone management letters are often used to communicate other deficiencies. Since there is no authoritative guidance for management letters, you may word them as you wish. Alternatively, you can, if you like, include other deficiencies in your written communication of significant deficiencies or material weaknesses.
A Key Word of Warning
Always provide a draft of any written communications to management before final issuance. It is much better to provide a draft and find out (before issuance) that it contains an error or a miscommunication. Then, corrections can be made.
Additional Information
Writing your internal control letter is a part of the wrap-up process for audits. Click here for additional information concerning wrapping up an audit.
Some fraudsters steal while dying. What’s their motive? Possibly to avoid leaving their family with medical bills. Whatever the reason, it’s a strange thing. Today we visit a fraud that I encountered over twenty years ago.
The Theft: Stealing While Dying
In one of the stranger frauds I’ve seen, the bookkeeper of a small health department, Susan, stole money. And she did so while she was dying. In the last months of her life, she fought a battle with cancer. In between the chemo treatments, she continued her work. I’m sure she believed she would survive. After all, she was only thirty-six.
I had provided external audit services to this health department for years and knew Susan well. She sent me thank-you cards–yes, thank-you cards–for my audit work. She was polite and great at her job. If ever I thought there was someone who would not (and could not) steal, it was her.
But external circumstances can make the best of people do the unexpected. The medical treatments resulted in numerous medical bills, many of which she received while still working. She died just before my annual visit for the audit.
Knowing that Susan had passed away, I knew the audit would be challenging, especially since the health department board had not hired anyone to replace her.
Upon my arrival, I requested the bank statements, but the remaining employees could not locate them. I thought maybe she had taken the bank statements home and had not returned with them due to her illness, but that was not the case. After the employees searched for some time with no result, the health department requisitioned the bank statements and cleared checks from the bank.
In reviewing the cleared checks, I quickly noticed round-dollar checks written to Susan. The first one was for $7,000. My first thought was, “Not Susan, I’ve known her too long. No way. ” But then there was another and another…
Are you noticing a recurring theme in the 30 Days of Fraud? Yes, a lack of segregation of duties. It’s fundamental. One person should not be allowed to do everything.
The Fix
Segregate the accounting duties. Most importantly, Susan should not have been on the bank’s signature card. Additionally, someone other than Susan should have been reconciling the bank statement and examining cleared checks. For small organizations, have the bank statements mailed to someone outside the accounting department (e.g., a board member). This outside person should open the statements and review the cleared checks—then the statements should be sent to accounting.
