Category Archives for "Fraud"

Jul 19

Rita Crundwell Story: Why Some Ranches Stink

By Charles Hall | Asset Misappropriation

Is it possible for one person to steal over $53 million from a city with an annual budget of less than $10 million? Yes. The Rita Crundwell story provides a cautionary tale for small businesses, governments, and nonprofits.

The Rita Crundwell Theft

Rita Crundwell, comptroller and treasurer of Dixon, Illinois, stole $53 million over a twenty-year period. The city of 16,000 residents held Crundwell in high esteem. One friend described her as “sweet as pie.” Another said: “You could not find a nicer person.”

So why did she steal? It appears Rita just enjoyed the good life. She used the money to fund one of the top quarter horse ranches in the country, and she did it with style: Some of the funds were used to purchase over $300,000 of jewelry and a $2.1 million motor coach vehicle.

Her annual salary? $80,000.

The city’s annual budget? $6 to $8 million.

Were yearly audits performed? Yes.

Were budgets approved? Yes.

But even with budgets and audits, the Dixon, Illinois scandal happened. 

Too Much Trust

So how did this happen? Rita Crundwell won the trust of those around her—especially that of the mayor and council. In April 2011, finance commissioner and veteran council member, Roy Bridgeman, praised Crundwell, calling her “a big asset to the city as she looks after every tax dollar as if it were her own.” Too much trust in a bookkeeper can lead to huge problems.

It was a disturbing moment when Dixon Mayor James Burke presented the FBI with evidence of Crundwell’s fraud. Burke later recalled his emotions and words: “I literally became sick to my stomach, and I told him that I hoped my suspicions were all wrong.” Such a response is understandable given that Crundwell had worked for the city for decades. She had fooled everyone.

Secret Bank Account

According to the mayor, the city’s annual audits raised no red flags, and the city’s primary bank never reported anything suspicious. So how did she steal the money? In 1990, Crundwell opened a secret bank account in the name of the city (titled the RSDCA account: the initials stood for reserve sewer development construction account). Crundwell was the only authorized check signer for the account, and the RSDCA bank account was never set up on the city’s general ledger. The City’s records reflected none of the RSDCA deposits or disbursements.

Crundwell would write and sign manual checks from a legitimate city capital project fund checking account, completing the check payee line with “Treasurer.” (Yes, Crundwell had the authority to issue checks with just her signature—even for legitimate city bank accounts.) She would then deposit the check into her secret account. From the bank’s perspective, a transfer had been made from one city bank account to another (from the capital projects fund to the reserve sewer development construction fund).

Accounting Cover-up

While the capital project fund disbursement was recorded on the city’s books, the RSDCA deposit was not. A capital project fund journal entry was made for each check debiting capital outlay expense and crediting cash. But no entry was made to the city’s records for the deposit to the RSDCA account. Once the money was in the RSDCA account, Crundwell wrote checks for personal expenses—and she did so for over twenty years.

To complete her deceit, Crundwell provided auditors with fictitious invoices from the Illinois Department of Transportation; these invoices included the following notation: Please make checks payable to Treasurer, State of Illinois. (So the canceled checks made out to Treasurer agreed with directions on the invoice, but the words “State of Illinois” were conveniently left off the check payee line.) Remember Crundwell was the treasurer of Dixon. 

Those invoices and the related checks were often for round dollar amounts (e.g., $250,000) and most were for more than $100,000. In one year alone, Crundwell embezzled over $5 million.

Vacation Leads to Arrest

So how was she caught? While Rita was on an extended vacation for horse shows, the city hired a replacement for her. For some reason, Crundwell’s substitute requested all bank account statements from the city’s bank. As the bank statements were reviewed, the secret bank account was discovered. And soon after that, the mayor contacted the FBI.

The Control Weakness

Why was Rita Crundwell able to steal $53 million? Wait for it. A lack of segregation of duties.

Rita could:

  • Write checks
  • Approve payments
  • Create and monitor the budget
  • Enter transactions into the accounting system
  • Reconcile the bank statements

The Accounting Fix

Multiple people should perform accounting duties, not just one.

Moreover, accounting employees should annually take a one-week vacation (or longer). And while they are gone, someone else should perform the absent person’s duties. The vacation itself is not the key to this control. The performance of the absent accountant’s duties is. Why? Doing so allows the replacement person to understand the work of the absent employee. But, more importantly, the substitute can note any unusual or fraudulent activity.

Here’s another action to take: Periodically contact your organization’s bank and ask for a list of all bank accounts. Then compare the list to the bank accounts in your general ledger. If a bank account is not on the general ledger, see why. And request a copy of the related signature card from the bank.
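The comparison described above can be scripted once the bank's list and the ledger's list are in hand. This is an added example, not part of the original article; the account numbers, titles, signer names and field names are constructed sample data.

```python
import re

def normalize(acct_no):
    """Reduce an account number to bare digits without leading zeros, so
    '0012-3456' on the bank's list matches '123456' in the ledger."""
    digits = re.sub(r"\D", "", acct_no)
    return digits.lstrip("0")

def reconcile_accounts(bank_accounts, gl_account_numbers):
    """Compare the bank-confirmed account list with the general ledger.

    bank_accounts: list of dicts with 'number', 'title' and 'signers'
                   (signers taken from the signature card).
    gl_account_numbers: bank account numbers recorded in the general ledger.
    """
    bank = {normalize(a["number"]): a for a in bank_accounts}
    ledger = {normalize(n) for n in gl_account_numbers}
    return {
        # Accounts held in the entity's name that the books know nothing about.
        "at_bank_not_on_ledger": sorted(set(bank) - ledger),
        # Ledger accounts the bank did not confirm (closed, mistyped, or elsewhere).
        "on_ledger_not_at_bank": sorted(ledger - set(bank)),
        # Accounts where one person alone can sign checks.
        "single_signer": sorted(
            n for n, a in bank.items() if len(set(a["signers"])) < 2
        ),
    }

# Constructed sample: list returned by the bank, with signature-card signers.
BANK_LIST = [
    {"number": "0012-3456", "title": "General Fund",
     "signers": ["Mayor", "Comptroller"]},
    {"number": "0012-9911", "title": "Capital Projects Fund",
     "signers": ["Mayor", "Comptroller"]},
    {"number": "0045 7788", "title": "Reserve Construction Account",
     "signers": ["Comptroller"]},
]

# Constructed sample: bank accounts set up on the general ledger.
GL_ACCOUNTS = ["123456", "129911", "00-5501"]

if __name__ == "__main__":
    for finding, accounts in reconcile_accounts(BANK_LIST, GL_ACCOUNTS).items():
        print(f"{finding}: {accounts}")
```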

What Happened to Rita Crundwell?

So, what happened to Rita? She was sentenced to 19.5 years in prison. Here are pictures from the Chicago Tribune that shed light on the fraud.

All the Queen’s Horses

Kelly Richmond Pope has masterfully captured the Rita Crundwell tale in the movie All the Queen’s Horses, available on Amazon. Think auditing is boring? Then watch the movie. It does a better job of explaining the psychological and financial damage of fraud than any textbook. 

May 30

Earnings Manipulation with Accounting Tricks

By Charles Hall | Financial Statement Fraud

Earnings manipulation is easy with the right–or should I say wrong–accounting tricks such as cookie jar reserves. In this article, we explore how businesses inflate profits and sometimes decrease the same, depending on what the company desires. Financial statement fraud is common, so let’s see how these schemes work. 

One Wall Street Journal article said a California company used “a dozen or more accounting tricks” including “one particularly bold one: booking bogus sales to fake companies for products that didn’t exist.” These machinations inflated earnings, making the company look more profitable than it really was. 

Today I show you how fraudsters use financial statement fraud to magically transform a company’s appearance. Then you will better know how to prevent these earnings manipulations.


What does it mean to inflate earnings? Inflating earnings means a company uses fraudulent schemes to make their earnings look better than they really are. 

Financial Statement Fraud

Companies can magically create earnings by:

  • Accruing fictitious income at year-end with journal entries
  • Recognizing sales for products that have not been shipped
  • Inflating sales to related parties
  • Recognizing revenue in the present year that occurs in the next year (leaving the books open too long)
  • Recognizing shipments to a re-seller that is not financially viable (knowing the products will be returned)
  • Accruing projected sales that have not occurred
  • Intentionally understating receivable allowances

Think about it: A company can significantly increase its net income with just one journal entry at the end of the year. How easy is that?

You may be thinking, “But no one has stolen anything.” Yes, true, but the purpose of manipulating earnings is to increase the company’s stock price. Once the price goes up, the company executives sell their stock and make their profits. Then the company can, in the subsequent period, reverse the prior period’s inflated entries.

Earnings Manipulation Control Weakness

Such chicanery usually flows from unethical owners, board members, or management. The “tone at the top” is not favorable. These types of accounting tricks usually don’t happen in a vacuum. Normally the top brass demands “higher profits,” often not dictating the particulars. (These demands are typically made in closed-door meetings with no recorders or written notes.) Then years later, once the fraud is detected, those same leaders will plead ignorance saying their lieutenants worked alone.

This is why the control environment, an entity-level control, is so important. Codes of conduct and conflict of interest statements do matter. Moreover, communicating appropriate ethical requirements is critical to an organization’s integrity.

Lower the Risk of Earnings Manipulation

The fix is transparency. This sounds simple, but transparency will usually remove the temptation to inflate earnings. If you work for a company (or a boss) that is determined to “win at any cost,” and repeatedly hides things (“don’t tell anyone about what we’re doing”), it is time to look for another job. When people hide what they are doing, they know it’s wrong–otherwise, why would they hide it?

A robust internal audit department can enhance transparency. The board should hire the internal auditors. Then these auditors should report directly to the board (not management). The company’s internal auditors should know that the board has their back. If not, then you’ll continue to have opaque reporting processes. Why? The internal auditors’ fear of reprisal from management (or the board itself).

And what if the leaders of an organization won’t allow transparency? If possible, remove them. Unethical leadership will destroy a business.

Deflating Earnings (Cookie Jar Reserves)

Though much less likely, some businesses intentionally decrease their earnings with fraudulent accounting. Why would they do so? Maybe the business has an exceptionally good year, and it would like to save some of those earnings for future periods. For instance, management bonuses might be tied to profit levels. If those thresholds have already been met, it’s possible that the company will defer some current year earnings in order to ensure bonuses in the following year.

Deferring earnings is often called a cookie jar reserve. For example, if a company’s allowance for uncollectible accounts is acceptable within a range (say 1% to 2% of receivables), it might use the higher percent in the current year. The higher reserve decreases current year earnings (the allowance is credited and bad debt expense is debited, increasing expenses and decreasing net income). Then in the following year, the company might use 1% to increase earnings (even though 1.75% might be more appropriate). This is called smoothing.

Honest companies record their numbers based on what is correct, not upon desired results. But not all companies are honest. 

See my full article regarding how to audit receivables and revenues.

Apr 17

Fake Bank Accounts and the Appalachian Trail

By Charles Hall | Asset Misappropriation

Some fraudsters funnel money into fake bank accounts. Today, I show you how one controller did so and walked away with millions—and then hid on the Appalachian Trail.


Fake Bank Account

In May 2015 James Hammes was arrested for the theft of $8.7 million from his former employer, G&P Pepsi-Cola Bottlers. After Mr. Hammes was confronted about the theft in February 2009, he left his home and hid on the Appalachian Trail, which runs from Georgia to Maine. Hammes assumed a hiking name of “Bismarck” and spent several years on the popular trail. Fellow hikers enjoyed Bismarck since he seemed to be one of them.

So how did he steal the money?

How the Funds Were Stolen

The FBI reported the following:

Court documents show that Hammes’ embezzlement began around 1998. As a controller, he was responsible for all financial accounting and internal controls for his division, including supervising accounts payable to several hundred outside vendors. He carried out the fraud by establishing a new bank account for an existing vendor at a different bank. He then deposited hefty payments to that vendor—often $100,000 at a time—in the phantom account that he alone controlled. He then could transfer money from the phantom account to his personal accounts.

“He knew how to cover his tracks by manipulating audits and ledger entries,” Jones said. “He got away with it for so long because he knew how to manipulate his subordinates and how not to raise accounting red flags.”

So, Hammes opened a fraudulent bank account at a bank that the vendor did not use and deposited vendor checks into that account. Then he transferred funds out of the fraudulent bank account to himself. Since he opened the account, he was the authorized check signer. Simple but effective.

You may be wondering how the theft could occur so long without detection.

Vendor Payment Controls Lacking

If extra payments were made to vendors (and it appears that occurred), then the company may not have been reviewing vendor payments. If appropriate controls are not in place, it’s easy for a fraudster to make fraudulent vendor payments without detection, especially if hundreds of monthly checks are processed.

Also, it appears the company may have lacked sufficient segregation of duties since Hammes was able to disburse extra vendor payments without detection.

Vendor Payment Controls

Periodically, review the total payments made to each vendor. For example, generate the total monthly payments made to XYZ Company. Then compare the monthly payments over a two to three year period. If payments increase greatly, then someone within the company may be making additional payments and stealing those checks. Or there may be a legitimate reason for the increase. Either way, it’s wise to review vendor payments for anomalies.

Another test you can perform is to look for multiple addresses for the same vendor. There may be legitimate reasons for more than one address, but you want to create a list of vendor addresses and verify that they are appropriate. The same is true for electronic vendor payments: see if there are multiple bank accounts you are wiring payments to. Then determine if these are appropriate. Additionally, obtain the physical address of each vendor and determine if the company is real. Do not accept P.O. Box addresses for verification purposes; again, you need to know if the company exists. (See my article Fictitious Vendor Fraud: Preventing It.)
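The vendor tests in the two paragraphs above can be run over a payment register export. This is an added example, not part of the original article; the payment records, field names, the vendor "Acme Paper" and the 1.5x growth threshold are assumptions, and yearly totals stand in for the monthly comparison to keep the sample small.

```python
import re
from collections import defaultdict
from datetime import date

# Matches "P.O. Box", "PO Box", "P O Box" and similar spellings.
PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*Box\b", re.IGNORECASE)

def yearly_totals(payments):
    """Total paid to each vendor in each calendar year."""
    totals = defaultdict(lambda: defaultdict(int))
    for p in payments:
        totals[p["vendor"]][p["date"].year] += p["amount"]
    return totals

def flag_growth(payments, factor=1.5):
    """Vendors whose total grew by `factor` or more over the prior year
    (the threshold is an assumption to tune per entity)."""
    flagged = []
    for vendor, by_year in sorted(yearly_totals(payments).items()):
        years = sorted(by_year)
        for prev, cur in zip(years, years[1:]):
            if by_year[prev] > 0 and by_year[cur] / by_year[prev] >= factor:
                flagged.append((vendor, cur, by_year[prev], by_year[cur]))
    return flagged

def multiple_destinations(payments):
    """Vendors paid at more than one bank account or more than one address."""
    accounts, addresses = defaultdict(set), defaultdict(set)
    for p in payments:
        accounts[p["vendor"]].add(p["remit_account"])
        addresses[p["vendor"]].add(p["address"])
    return {
        v: {"accounts": sorted(accounts[v]), "addresses": sorted(addresses[v])}
        for v in sorted(accounts)
        if len(accounts[v]) > 1 or len(addresses[v]) > 1
    }

def po_box_vendors(payments):
    """Vendors with a P.O. Box on file, which cannot verify that the company exists."""
    return sorted({p["vendor"] for p in payments if PO_BOX.search(p["address"])})

def _pay(vendor, d, amount, acct, addr):
    return {"vendor": vendor, "date": d, "amount": amount,
            "remit_account": acct, "address": addr}

# Constructed payment register (whole-dollar amounts).
PAYMENTS = [
    _pay("XYZ Company", date(2021, 3, 1), 20000, "BANK-A-1001", "100 Main St"),
    _pay("XYZ Company", date(2021, 9, 1), 20000, "BANK-A-1001", "100 Main St"),
    _pay("XYZ Company", date(2022, 3, 1), 20000, "BANK-A-1001", "100 Main St"),
    _pay("XYZ Company", date(2022, 9, 1), 22000, "BANK-A-1001", "100 Main St"),
    _pay("XYZ Company", date(2023, 3, 1), 20000, "BANK-A-1001", "100 Main St"),
    _pay("XYZ Company", date(2023, 6, 15), 100000, "BANK-B-7734", "P.O. Box 410"),
    _pay("XYZ Company", date(2023, 9, 1), 21000, "BANK-A-1001", "100 Main St"),
    _pay("Acme Paper", date(2022, 5, 1), 5000, "BANK-C-2200", "8 Mill Rd"),
    _pay("Acme Paper", date(2023, 5, 1), 5500, "BANK-C-2200", "8 Mill Rd"),
]

if __name__ == "__main__":
    print(flag_growth(PAYMENTS))
    print(multiple_destinations(PAYMENTS))
    print(po_box_vendors(PAYMENTS))
```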

If your company pays hundreds of vendors, you may want your internal audit (or external auditors) to periodically test vendor payments for appropriateness. Tell your payables personnel this will be done from time to time on a surprise basis. This will help keep them honest.

Maybe with these controls, you can prevent payments to fake bank accounts and keep your employees off the Appalachian Trail.

For more information about auditing payables, see my article Auditing Accounts Payable and Expenses: A Guide.

Nov 20

Segregation of Duties: How to Overcome

By Charles Hall | Auditing , Fraud

Segregation of duties is key to reducing fraud. But smaller entities may not be able to do so. Today, I tell you how to overcome this problem, regardless of the entity’s size.

 


The Environment of Fraud

Darkness is the environment of wrongdoing.

Why?

No one will see us. Or so we think.

Fraud occurs in darkness.

In J.R.R. Tolkien’s Hobbit stories, Sméagol, a young man, murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring and Sméagol’s hiding of self and his precious (the ring) transform him into a hideous creature–Gollum. I know of no better or more graphic portrayal of how that which is alluring in the beginning is destructive in the end.

Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment where fraud happens.

What’s the solution? Transparency. It protects businesses, governments, and nonprofits.

But while we desire open and understandable processes, our businesses often have just a few employees that perform the accounting duties. And, many times, no one else understands how the system works.

It is desirable to divide accounting duties among various employees, so no one person controls the whole process. This division of responsibility creates transparency. How? By providing multiple eyes to see what’s going on.

But this segregation of duties is not always possible.

Lacking Segregation of Duties

Some people say there are three key duties that must always be separated under a good system of internal controls: (1) custody of assets, (2) record keeping or bookkeeping, and (3) authorization. I add a fourth: reconciliation. The normal recommendation for lack of segregation of duties is to separate these four accounting duties to different personnel. But many organizations are unable to do so, usually due to a limited number of employees.

Some small organizations believe they can’t overcome this problem. But is this true? I don’t think so.

Here are two easy steps to create greater transparency and safety when the separation of accounting duties is not possible.

1. Bank Account Transparency

First, consider this simple control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.

Persons who might receive the bank statements first (before the bookkeeper) include the following:

  • A nonprofit board member
  • The mayor of a small city
  • The owner of a small business
  • The library director
  • A church leader

What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).

In many small entities, accounting processes are a mystery to board members or owners. Why? Only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.

Relying on a trusted bookkeeper is not a good thing. So how can you shine the light?

Allow a second person to see the bank statements.

Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.

Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person. And let the bookkeeper know.

Even the appearance of transparency creates (at least some) safety. Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of a review enhances safety. I am not recommending that the review not be performed. But if the bookkeeper even thinks someone is watching, fraud will lessen.

When you audit cash, see if these types of controls are in place.

Now, let’s look at the second step to overcome a lack of segregation of duties. Surprise audits.

2. Surprise Audits

Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs). They involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such a review can be contracted out to a CPA. Or they can be performed by someone in the company. For example, a board member.

Additionally, adopt a written policy stating that the surprise inspections will occur once or twice a year.

The policy could be as simple as:

Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.

Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be examined but distinct enough that a regular review occurs. 

Surprise Audit Ideas

Here are some surprise audit ideas:

  • Inspect all cleared checks that clear a particular month for appropriate payees and signatures and endorsements
  • Agree all receipts to the deposit slip for three different time periods
  • Review all journal entries made in a two week period and request an explanation for each
  • Inspect two bank reconciliations for appropriateness
  • Review one monthly budget to actual report (look for unusual variances)
  • Request a report of all new vendors added in the last six months and review for appropriateness

The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not get caught.

I will say it again. Having multiple people involved reduces the threat of fraud.

Segregation of Duties Summary

In summary, the beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement. Even so, they are powerful. So shine the light.

What other procedures do you recommend?

For more information about preventing fraud, check out my book: The Little Book of Local Government Fraud Prevention.

Nov 11

Management Override of Internal Controls

By Charles Hall | Auditing , Fraud , Risk Assessment

Management can override internal controls, resulting in fraudulent financial reporting. Below I provide examples of management override of internal controls and how you can audit for these potential threats. 

Controls can be overridden, even when properly designed and operating. Accounting personnel usually comply with the wishes of management either out of loyalty or fear. So if a trusted C.E.O. asks the accounting staff to perform questionable actions, they will sometimes comply because they trust the leader. Alternatively, management can threaten accounting personnel with the loss of their jobs if they don’t comply. Either way, management gets what it wants by overriding internal controls. 

Examples of Management Override of Internal Controls

Here are examples of management override of internal controls:

  1. Booking journal entries to inflate profits or cover up theft
  2. Using significant transactions outside the normal course of business to dress up the financial statements
  3. Manipulating estimates 
  4. Transferring company cash to their personal accounts 

Auditors consider management override in all audits (or at least, they should). Why? Because it’s always possible. That's why audit standards require that we respond to the risk of management override in all audits. 

First, let’s consider how management overrides controls with journal entries.

1. Journal Entry Fraud

Think about the WorldCom fraud. Expenses were capitalized to inflate profits. Income statement amounts were moved to the balance sheet with questionable entries. Once the fraud was discovered, the internal auditors were told the billion-dollar entries were based on what management wanted. The entries were not in accordance with generally accepted accounting principles. And why was this done? To increase stock prices. Management owned shares of WorldCom, so they profited from the climbing stock values. The fraud led to prison sentences and the demise of the company, all because of management override. 

Journal entries are an easy way to override controls. Consider this scenario: Management meets at year-end, and they have not met their goals; so they manipulate earnings by recording nonexistent receivables and revenues, or they record revenues before they are earned. For example, management accrues $10 million in fake revenue, or they book January revenues in December. 

Journal Entry Testing

Auditors should test journal entries for potential fraud, but how? First, understand the normal process for making journal entries: who makes them, when are they made, and how. Also, inquire about journal entry controls and consider any fraud incentives, such as bonuses related to profits. Then think about where fraudulent entries might be made and test those areas. Fraudulent journal entries are often made at year-end, so make sure you test those. Here are some additional journal entry test ideas:

  • Examine entries made to seldom-used accounts
  • Review consolidating entries (also known as top-side entries)
  • Test entries made at unusual hours (e.g., during the night) 
  • Vet entries made by persons that don’t normally make journal entries
  • Look at suspense account entries
  • Review round-dollar entries (e.g., $100,000)
  • Test entries made to unusual accounts

You don’t need to perform all of the above tests, just the ones that are higher risk in light of journal entry controls and fraud incentives. Data mining software can be helpful in vetting journal entries. For example, you can search for journal entries made by unauthorized persons. Just extract all journal entries from the general ledger and group them by persons making the entries; thereafter, scan the list for unauthorized persons. 
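Several of the journal entry tests listed above can be combined into one screening pass over a general ledger extract. This is an added example, not part of the original article; the entries, user names, account names, the off-hours window, the round-dollar unit and the calendar year-end are all assumptions.

```python
from collections import Counter
from datetime import datetime
from decimal import Decimal

def preparers(entries):
    """Group entries by the person who made them, for scanning the list of names."""
    return Counter(e["user"] for e in entries)

def screen_journal_entries(entries, authorized, round_unit=10_000,
                           rare_max=1, year_end_days=3):
    """Return (entry id, reasons) for every entry that trips at least one test,
    most-flagged first. Thresholds are assumptions to set per engagement."""
    account_use = Counter(e["account"] for e in entries)
    results = []
    for e in entries:
        reasons = []
        if e["user"] not in authorized:
            reasons.append("unauthorized preparer")
        if e["posted"].hour >= 22 or e["posted"].hour < 6:
            reasons.append("off-hours")
        if e["amount"] >= round_unit and e["amount"] % round_unit == 0:
            reasons.append("round-dollar")
        if account_use[e["account"]] <= rare_max:
            reasons.append("seldom-used account")
        # Assumes a December 31 fiscal year-end.
        if e["posted"].month == 12 and e["posted"].day > 31 - year_end_days:
            reasons.append("year-end")
        if reasons:
            results.append((e["id"], reasons))
    return sorted(results, key=lambda r: (-len(r[1]), r[0]))

def _je(je_id, posted, user, account, amount):
    return {"id": je_id, "posted": datetime.fromisoformat(posted),
            "user": user, "account": account, "amount": Decimal(amount)}

# Hypothetical list of staff who normally make journal entries.
AUTHORIZED = {"jsmith", "mlee"}

# Constructed general ledger extract.
ENTRIES = [
    _je("JE-101", "2023-03-14T10:05", "jsmith", "4000 Sales", "18250.37"),
    _je("JE-102", "2023-06-02T14:30", "mlee", "4000 Sales", "9410.00"),
    _je("JE-103", "2023-09-19T09:12", "jsmith", "6100 Rent", "4200.00"),
    _je("JE-104", "2023-10-19T09:40", "mlee", "6100 Rent", "4200.00"),
    _je("JE-105", "2023-12-30T23:47", "ceo", "1990 Suspense", "10000000.00"),
    _je("JE-106", "2023-12-29T11:00", "jsmith", "4000 Sales", "250000.00"),
    _je("JE-107", "2023-12-15T09:30", "mlee", "6100 Rent", "4200.00"),
]

if __name__ == "__main__":
    print(dict(preparers(ENTRIES)))
    for je_id, reasons in screen_journal_entries(ENTRIES, AUTHORIZED):
        print(je_id, reasons)
```

An entry that trips a test is a candidate for follow-up, not a finding; the auditor still asks for support and an explanation.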

Fraudulent journal entries are not the only way to override controls. The books can be cooked with related party transactions. 

2. Funny Business

Sometimes, as an auditor, you’ll see funny transactions. No, I don’t mean they are amusing. I mean they are unusual. Management can alter profits with transactions outside the normal course of business, and these are often related party transactions. 

For example, Burning Fire, an audit client, is owned by Don Jackson. Mr. Jackson also owns another business, Placid Lake. As you are auditing Burning Fire, you see it received a check for $10 million from Placid Lake. So you ask for transaction support, but there is little. The CFO says the payment was made for “prior services rendered,” but it doesn’t ring true. This could be fraud and is an example of a transaction outside the normal course of business. Why would a company record such an entry? Possibly to bolster Burning Fire’s financial statements. When you see such a transaction, consider whether a fraud incentive is present. For example, do loan covenants require certain financial ratios and does this transaction bring them into compliance?

Next, we look at how management can juice up profits by manipulating estimates. 


3. Manipulating Estimates

Auditing standards require a retrospective review of estimates as a risk assessment procedure. Why? Because management can manipulate estimates to inflate earnings and assets. Auditing standards call such tendencies bias, a sign that fraudulent financial reporting might exist. That’s why auditors review prior estimates and related results. 

For instance, suppose a company has a policy of reserving 90% of receivables that are ninety days or older. If at year-end the greater-than-ninety-days bucket contains $1,000,000, management can increase earnings $400,000 by lowering the reserve to 50%. What an easy way to increase net income! 

Retrospective Review of Estimates

So, how does an auditor perform a retrospective review of an allowance for uncollectible accounts? Compare the year-end reserve with that of the last two or three years. If the reserve decreases, ask why. There might be legitimate reasons for the decline. But if there is no reasonable basis for the smaller allowance, bias could be present. Note such changes in your risk assessment summary. For example, in the accounts receivable section, you might say: The allowance for uncollectible accounts appears to have decreased without a reasonable basis. Why? Because you’ve identified a fraud risk that deserves attention. 

Complex estimates are easier to manipulate without detection than simple ones. Why? Because intricate estimates are harder to understand, and complexity creates a smokescreen, making bias more difficult to spot. As an example, consider pension plan assumptions and estimates. Very complex. And changes in the assumptions can dramatically affect the balance sheet and net income. 

Now, let's look at how to document your retrospective review. 

Documenting Your Retrospective Review

Document your retrospective review. How? List the current and prior year estimates and explain the basis for each. Also, examine the results of the prior year estimates. For example, compare the current year bad debts with the prior year uncollectible allowance. Additionally, consider including incentives for manipulating profits such as bonuses. 

Label the workpaper Retrospective Review of Estimates to communicate its purpose. Also, consider adding purpose and conclusion statements such as:

  • Purpose of workpaper: To perform a retrospective review of estimates to see if bias is present.
  • Conclusion: While the allowance estimate is higher in the current year, the judgments and assumptions are the same. It does not appear that bias is present. All other prior year estimates appear reasonable. 

Other conclusion examples follow:

  • Conclusion: The rate of return used in computing the pension liability increased by 1%. The increase does not appear to be warranted given the mix of investments and past history. Bias appears to be present and is noted in the risk assessment summary form (in the payroll and benefits section).
  • Conclusion: Based on our review of the economic lives of assets in the prior year depreciation schedule, no bias is noted.
  • Conclusion: We reviewed bad debt write-offs in the current year and compared them to the uncollectible allowance in the prior year. No management bias is noted.

Is there another way that management might override controls? Yes, sometimes management requires accounting personnel to transfer company cash to personal bank accounts. 

4. Transferring Company Cash to Personal Accounts

Years ago I audited a hospital in Alabama. The C.E.O. would sometimes go to Panama City Beach, and while there, direct his accounting staff to wire funds to his personal account—and they did. Why? The threat of losing their jobs. Some management personnel, especially those with muscle, can intimidate the accounting employees into doing the unbelievable. I’ve seen this happen and once the C.E.O. is called out, he pretends to know nothing about the prior conversations with accounting.  

Management Override of Internal Controls

In your future audits, consider that management override of internal controls is always a possibility.

So don't allow yourself to believe that management is too honest to commit fraud. (A personal friend of mine just went to jail for stealing $3.5 million; he was part of the company's management team. I've known him for twenty years, so I was stunned to hear this.) Conduct your audits to detect material misstatements, including fraud--even if you've known the management team for many years. 
