Oct 05

A Fraudster’s Refuge: The Appalachian Trail

By Charles Hall | Asset Misappropriation

Some fraudsters funnel money into fraudulent bank accounts. Today, I show you how one controller did so and walked away with millions.

A Fraudster's Refuge: The Appalachian Trail


The Theft

In May 2015 James Hammes was arrested for the theft of $8.7 million from his former employer, G&P Pepsi-Cola Bottlers. After Mr. Hammes was confronted about the theft in February 2009, he left his home and hid on the Appalachian Trail, which runs from Georgia to Maine. Hammes assumed a hiking name of “Bismarck” and spent several years on the popular trail. Fellow hikers enjoyed Bismarck since he seemed to be one of them.

How the Funds Were Stolen

The FBI reported the following:

Court documents show that Hammes’ embezzlement began around 1998. As a controller, he was responsible for all financial accounting and internal controls for his division, including supervising accounts payable to several hundred outside vendors. He carried out the fraud by establishing a new bank account for an existing vendor at a different bank. He then deposited hefty payments to that vendor—often $100,000 at a time—in the phantom account that he alone controlled. He then could transfer money from the phantom account to his personal accounts.

“He knew how to cover his tracks by manipulating audits and ledger entries,” Jones said. “He got away with it for so long because he knew how to manipulate his subordinates and how not to raise accounting red flags.”

So, Hammes opened a fraudulent bank account at another bank (one the company did not use) and deposited vendor checks into that account. Then he transferred funds out of the fraudulent bank account to himself.  Since he opened the account, he was the authorized check signer. Simple but effective.

The Weakness

If extra payments were made to vendors (and it appears that occurred), then the company may not have been reviewing vendor payments. If appropriate controls are not in place, it’s easy for a fraudster to make fraudulent vendor payments without detection, especially if hundreds of monthly checks are processed.

Also, it appears the company may have lacked sufficient segregation of duties since Hammes was able to disburse extra vendor payments without detection.

The Fix

Periodically, review the total payments made to each vendor. For example, generate the total monthly payments made to XYZ Company. Then compare the monthly payments over a two to three year period. If payments dramatically increase, then someone within the company may be making additional payments and stealing those checks. Or there may a legitimate reason for the increase. Either way, it’s wise to review vendor payments for anomalies. 

You might also contact your company’s bank (and other local banks) and ask for a list of accounts in your company’s name. Then compare that list to your general ledger to see if the accounts match. If mismatches are present (there’s bank account listed but no corresponding account in the general ledger), follow up to see why.

Positive pay is another strong payables processing control.

correction of an error
Oct 04

Correction of an Error in Financial Statements

By Charles Hall | Accounting and Auditing

A correction of an error--also referred to as a prior period adjustment--is sometimes necessary. But when should such a correction be made? And are there situations where a prior period adjustment is improper? 

Below I explain what a correction of an error is, when it's appropriate, disclosure requirements, and implications for auditors.

correction of an error

Correction of an Error

In comparative statements (when two or more years are presented), the correction of a prior period error affects the prior period financial statements and opening balances in the current year. In single-year statements, the correction affects opening balances. Here's an example.

If Mountain Bikes, Inc. failed to accrue it's last two weeks’ payables in the prior year, a correction might be needed. Why do I say might? Well, if the amount is not material, then the correction of the error may not be required. If the amount is material, then a correction is necessary. 

Suppose you are auditing the financial statements of Mountain Bikes, Inc. for the year ended December 31, 2019, and you discover an error made in the December 31, 2018 financial statements. December 31, 2018 payables of $1 million were not accrued (and the amount is material). In this example, the invoices supporting the $1 million error existed and were on hand during last year’s audit, but, for whatever reason, the amount was not accrued. And the misstatement was not detected by the audit. Now, it's necessary to make a prior period adjustment.

If Mountain Bikes, Inc. provides comparative financial statements, the restated 2018 numbers must reflect the additional $1 million in payables and expenses. This adjustment will of course decrease net income for 2018 and retained earnings. So opening retained earnings (January 1, 2019) will decrease $1 million. The adjustment should not affect net income in 2019. 

Before suggesting any corrections, discuss them with your audit client.

Discuss the Error with Management

It’s time to discuss the error with management or the owners. Why? You want to make sure the error is real. If management disagrees, they will tell you, and they will provide an explanation. But if management agrees, it’s time to propose a prior period adjustment (technically referred to as a restatement in the FASB Codification).

Correction of Error Defined

FASB defines a correction of an error as follows:

An error in recognition, measurement, presentation, or disclosure in financial statements resulting from:

  • mathematical mistakes, 
  • mistakes in the application of generally accepted accounting principles (GAAP), or 
  • oversight or misuse of facts that existed at the time the financial statements were prepared. 

Correction of an Error Disclosures

If Mountain Bikes, Inc. presents single year financial statements, the prior period adjustment affects just the opening balance of retained earnings (January 1, 2019, in this example). The company should still provide a disclosure explaining the prior period adjustment.  

What should be in the note?

Provide a description of the nature of the error. For example, "The Company failed to record $1 million in payables as of December 31, 2018."

When comparative statements are provided, disclose the prior year numbers compared to the corrected numbers for each affected financial statement line items. (Consider displaying three columns: the uncorrected numbers as stated previously, the corrected numbers, and the difference.) FASB specifically requires disclosure of changes to retained earnings or other equity accounts for each prior period presented. 

If a single period financial statement is issued, disclose the effects of the restatement on beginning retained earnings and net income from the preceding period. 

Correction of Errors and Auditing

If you are the auditor, consider whether the error was intentional (fraudulent). What if, for example, the recording of the 2018 payables would have adversely affected the company's compliance with debt covenants? Then the understatement of payables may have been intentional.

Regardless, now that the misstatement is known, a prior period adjustment is necessary. Either management makes (accepts) the adjustment or you will need to qualify your opinion. Or, depending on the facts, withdrawal might be necessary. If the prior period adjustment is not made, you may need to contact your attorney and insurance company.

Additionally, if fraud is suspected in the prior period (2018, for example), it will have a bearing on the current year planning and risk assessment. You may be thinking, “But what if I discovered the error while performing the 2019 audit?” In other words, this potential fraud was not known during your 2019 audit planning. What then? Return to your audit plan and adjust accordingly. The audit plan is not static. It is living. The plan should reflect the facts, regardless of when they are discovered—in the early stage of the engagement or later.  

If you believe the prior year misstatement was intentional (fraudulent), then incorporate this element in your current year audit planning and responses.  

When a Prior Period Adjustment is not Merited 

Sometimes there is no error as defined above. If so, a prior period adjustment should not be made. For example, suppose the allowance for uncollectibles as of December 31, 2018 was adequate based on the facts that existed when the financial statements were created. However, in August 2019 (after the issuance of the 2018 statements) the company realizes it will not collect a material 2018 receivable, one that was previously believed to be collectible. Now what? Well, the allowance for uncollectibles should be adjusted in August 2019. A prior period adjustment should not be made. Changes in estimates are prospective. 

Sometimes a company might desire a prior period adjustment though one is not merited. Why? It’s a way to sweep problems under the rug. Consider the example in the prior paragraph. If the company incorrectly records the bad debt as a restatement of the January 1, 2019 retained earnings, the expense does not appear in the 2019 income statement. Now, if a single-year presentation is provided, the bad debt expense does not appear in the 2018 or 2019 income statements. (A correction of an error disclosure is required. But some companies don’t mind as long as net income isn't adversely affected.) 

Consider that bonuses may be based on net income. If so, this slight of hand could result in extra (fraudulent) compensation. A prior period adjustment might be desired for other reasons as well. Maybe the owners are sensitive to net income or management doesn’t want the embarrassment of declining net income. Whatever the reason, a correction of error should be made only when required by generally accepted accounting principles.

internal controls
Sep 26

Internal Controls: How to Understand and Develop

By Charles Hall | Accounting and Auditing , Risk Assessment

Many CPAs don't understand internal controls. Sure, we know that segregation of duties is a positive, but we are sometimes unaware of internal control weaknesses though they lie right before us. Why is this? Well, there are about a million ways that an accounting system can be designed, and no two businesses are the same. So seeing control weaknesses can be challenging. 

internal controls

If you work for a business, you need to understand controls so you can build a safer accounting system.

If you are an auditor, you need to understand controls so you can appropriately design your audit. 

Today, I show you how to design an accounting system with sound internal controls. And if you are an auditor, you'll better understand how to see control weaknesses. We'll start with the COSO framework and later we'll examine the importance of separation of duties.

The focus of this article is building an internal control structure that ensures financial statement accuracy and prevents fraud.

COSO Internal Control Framework

COSO provides a framework for developing internal controls. Think of this framework as your ecosystem to ensure a healthy internal control system. The five elements of the framework are:

  1. Control environment
  2. Risk assessment
  3. Control activities
  4. Monitoring 
  5. Communication and information

Though accountants and auditors tend to focus on the third element, control activities, all five are important in the development of a sound internal control system. 

1. Control Environment

Control environment is often referred to as tone at the top. It's the leadership part of the organization, and it's here that internal controls live or die. 

If you are a board member, demand internal control reports from management. Those reports should explain the organization's processes and controls as well as monitoring activities. In other words, management should demonstrate not only that controls exist, but that they are working.

My experience with boards is they often don't think about internal controls until it's too late. When fraud happens, then the board wants to know how it happened and why. Boards need to know what is happening and why, before theft occurs. Then they can devote enough resources---hire the right people with the right experience--to ensure system development and monitoring. 

Developing a strong internal control system is an ongoing process. Companies need to constantly evaluate their accounting system and its operation. How? First, by performing risk assessments. 

2. Risk Assessment

An organization should determine if its accounting system allows misstatements. How? By examining the various transaction cycles such as billing and receipting; payables and disbursements; and payroll. As you examine each transaction cycle, ask what can go wrong?  Then create controls to address accounting system weaknesses.

Are daily receipts being reconciled to the general ledger? If not, then develop a control requiring that this be done. Are new vendors vetted for appropriateness? If not, require procedures to ensure the propriety of new vendors. (My book, The Why and How of Auditing, provides lists of questions to ask by transaction cycle. You'll find it on Amazon.)

The risk assessment process naturally leads to the develop of appropriate controls. Once you know what can go wrong, you fix it by developing a control. This is the third element of COSO: control activities. 

3. Control Activities

Control activities is the core component of internal controls. This is where the action is, where you develop your controls. The other four components of COSO (control environment, risk assessment, monitoring, and communication) support this central core. Examples of control activities include:

  • Bank reconciliations
  • Purchase orders
  • Signatures on checks by authorized personnel
  • Review of cash receipting activity by the receipts supervisor (after cash drawers are balanced at the end of a shift)
  • Periodic physical inventories of plant, property, and equipment 
  • Reconciliation of debt in the general ledger to amortization schedules

In risk assessment, we determine what could go wrong? Now we create a control to lessen the risk that the event could occur. For instance, with regard to cash, we might think, "cash balances could be incorrectly stated." Therefore, we implement a control--bank reconciliations--to ensure correctness. 

Separation of accounting duties is important in regard to control development. We'll discuss that area in more detail below.

4. Monitoring

Once controls are in place, you want to monitor them to ensure their use. What good is a control if it is not performed? An example of monitoring is having a supervisor inspect bank reconciliations to ensure that they were created (and that they are correct). 

So, the idea here is you develop internal controls and then monitor them. Why? To ensure the control is in use and that it is performed correctly.

Next, document the accounting system and controls to make them understandable. 

5. Communication and Information

In the fifth COSO element, we are documenting the internal control system. You can document the controls in several different ways including:

  • Memos
  • Flowcharts
  • Formal manuals
  • In Excel workbooks
  • Mindmaps

Which is best? That depends on the complexity of your system. Small organizations can use simple memos. Large entities should create formal manuals. 

What is the goal? To make sure everyone understands how controls work and the reason for their existence.

In many organizations (especially smaller ones), controls are never written down. They are passed down. What do I mean? When a new accountant is hired, he or she is told what to do. Often there is no manual explaining procedures and controls. These oral instructions may not explain why internal controls are performed or how they interact with other parts of the accounting system. Consequently, new employees blindly follow oral instructions without understanding their importance. Worse yet, some don't perform the controls at all. 

An added benefit of documenting controls is it makes system weaknessses more transparent. For instance, if you are documenting your accounts payable system, you might realize that an inappropriate person can add vendors. Or you might see that the payables process lacks segregation of duties. 

Now let's take a look at a key feature of developing an internal control system: separation of accounting duties. 

Separation of Accounting Duties

In the third COSO element above (control activities), we mentioned separation of accounting duties (also known as segregation of duties). What is this? It's dividing accounting responsibilities among multiple people in order to enhance safety. More eyes equals greater safety. Why? Well, if a mistake or theft occurs, it is more likely to be seen. 

separation of accounting duties

There are four actions that are performed in most accounting transaction cycles. They are:

  1. Authorization
  2. Bookkeeping
  3. Custody
  4. Reconciliation

A potential fraud danger exists when one person performs two or more of the above. For example, if Mark enters payments in the accounting system (bookkeeping) and signs checks (authorization), there is a threat that Mark will write checks to myself--especially if he knows that no one compares cleared checks to the general ledger.

The determination of whether danger exists is dependent on the full picture. If Mark knows that Joan--the person reconciling the bank statement--compares cleared checks to the general ledger and that she reviews the payee's on each check, then the danger of theft goes down. If Joan just compares the amount on the bank statement to the general ledger (and does not review the payee on the cleared check), the danger increases.

If all four of the above actions are performed by one person, then a significant control weakness exists. Auditors call this a material weakness. In such situations, it's advisable to include additional personnel in the accounting system. Why? So duties can be separated among various people. 

Some companies are unable create separation of duties. Why? There may not be enough people to do so (it's hard to segregate duties with only one person in accounting) and it costs money to hire additional personnel. Without a sufficient number of people, it is difficult to design a safe environment. Even so, there are still ways to make your accounting system safer

Financial Statement Misstatements

There are two ways that financial statements can be misstated: one is by mistake, and the second is intentionally. The first is just part of being human, the second is fraud. We need a system that reduces both threats. 

Misstatements Due to Mistakes

We all make mistakes. Entries are coded to the wrong chart of accounts line. We forget to enter an invoice in payables. We fail to reconcile our bank accounts. We use inappropropriate revenue recognition methods. 

How do we become aware of our mistakes? By review. These reviews are performed by the person that does the initial accounting work and by others--a supervisor, for example. The supervisor's review is an internal control. 

Some accounting systems point out our errors in real time. For example, if I try to enter the same invoice twice, the system will tell me. The accounting system notice is an internal control. 

So, internal controls can involve both humans (the review) and computers (input notices). The purpose of each is to ensure the correction of errors. 

Misstatements that are Intentional

Sometimes companies intentionally misstate their numbers. Why? Usually to make themselves look better than they are. If profits are declining, the CEO or CFO might pressure the staff to create fictitious entries. Consider that an organization can make one journal entry on the last day of a year to inflate it's profits such as:

                                            Dr.                                  Cr.

Receivables                    10,000,000

Revenue                                                    10,000,000

This is an example of financial statement fraud. Know that there are hundreds of ways that financial statement fraud can occur. Also understand that when assets are stolen from a business, fraudsters often hide theft with false accounting entries. 

In developing internal controls, you want to create a system that prevents these types of intentional misstatements. Even when a good accounting system exists, management override is always a concern. Consider the WorldCom fraud. What is management override? It's when management forces staff members to ignore internal controls and perform inappropriate procedures. 

Closing Comments

Now you have a better understanding of internal controls.

If you work for a business, nonprofit, or government, make your system better by applying these ideas.

If you're auditor, use the above to assist you in your risk assessments and walkthroughs. (See my article about documenting your walkthroughs.)

accountant's scanning system
Aug 27

Accountant’s Scanning System: How to Build

By Charles Hall | Technology

Are you overwhelmed by stacks of paper? Do you find it difficult to locate the information you know you have? Today, I teach you how to build an accountant’s scanning system.

accountant's scanning system

Accountant’s Scanning System

I have the privilege of visiting other CPA firms, and our firm has about 120 people, so I have the opportunity to see plenty of offices. It is my observation that some CPAs are paperless, but many are not.

One problem with “paper everywhere” is we can’t find what we need. We have it (somewhere), but we can’t find it. Scanning is the easiest way to capture and organize the paper monster.

To create order, take three steps:

  1. Buy a scanner
  2. Build a scanning structure
  3. Build scanning habits

1. Buy a Scanner

My scanner is a Fujitsu iX500. (There is a newer model now, the iX1500.) It sits just to my right in my office (see picture below), so I don’t have to leave my desk to scan. Convenience is key to creating order. Otherwise, you will think I’ll scan that later, but it doesn’t happen. Then the paper litters your desk–and distracts you.

accountant's scanning system

Picture of my office

The iX1500 costs $420, so it’s not a huge cash outlay. The scanner’s footprint is small (the dimensions are 11.5 x 6 x 6.3 inches) and it weighs 7.5 pounds. Also, the scanner comes with  software (ScanSnap) that offers you destinations such as these:

accountant's scanning system

ScanSnap File Locations

I often scan to Evernote, my cloud-based library. (Amazon also offers Fujitsu ScanSnap iX1500 Document Scanner with Evernote Premium.) If I were buying my first scanner and didn’t have cloud-based storage, this would be my choice.

Another favorite destination: Caseware, our paperless engagement software. 

2. Build a Scanning Structure

So, of course, when you scan, you need final resting places for your documents.

My two primary file locations are:

  • Evernote for non-engagement documents
  • Caseware for engagement documents

Non-Engagement Documents

If you’ve followed my blog, you know I’m a raving Evernote lunatic. Why? 

  • Ease of use 
  • Notebooks (you use notebooks to organize your documents)
  • Tags (you can tag each note with multiple tags, making it easy to find the material)
  • Feed-ability (I can feed Evernote from my scanner, email, clip-apps, drag and drop, and many other ways)
  • Find-ability (Evernote even recognizes hand-written notes making it possible to search electronically and find keywords–even if written)
  • Accessibility (I can access Evernote from my iPhone, iPad, and desktop)
  • Cost (paid version starts at $7.99 per month; they do offer a free version but with limitations)
  • Allows storage of a variety of documents (including Excel, Word, PDF, Audible files)

There are other cloud-based storage systems such as OneNote and Dropbox. Pick one and learn it well.

Engagement Documents

If your audit and tax services are not already paperless, consider making the leap. We have used Caseware for years and, personally, I love it. We use this software for storage of the following engagement files:

  • Tax
  • Audit
  • Reviews
  • Compilations
  • AUPs

My firm has built templates for each of these services, so everyone in our firm knows where documents (including scans) belong.

To scan promptly, you need to build habits, so creating a repeatable, mental system is critical to the process.

3. Build Scanning Habits

Build your scanning habits. My system is as follows:

  • If it takes less than two minutes to scan, scan now
  • If it takes more than two minutes, I place the paper in a file tray where I will later batch process
  • Scan all paper by the end of the day
  • Don’t leave unscanned paper on my desk (it’s a distraction)
  • Keep a shred box just below my scanner (where I place sensitive paper documents)
  • For long documents (e.g., CPE workbook), ask an assistant to break down the paper copy, scan it, and email it to me (I don’t use my Fujitsu scanner for heavy-duty scanning. We have a copy machine that will convert large scans to PDF.)

Like any new habit, new scanning actions will–at first–feel awkward and inconvenient. But push through the pain and the actions will become routine. (Some of the above thoughts come from David Allen’s book: Getting Things Doneone of the best productivity books you’ll find.)

Act Now

You may feel like the above will take too much time to implement, especially if you have lots of paper. So how do you eat an elephant? One bite at a time.

Schedule your scanning plan. Pick two days a week and put one hour a day on your calendar. Then attack. Slay your paper monster. I dare you.

More Evernote Information

For more information about Evernote, check out these posts:

Evernote for CPAs

Seven Ways to Feed Evernote

Tips on Searching Your Evernote Account

steps to prevent fraud
Aug 12

10 Powerful Steps to Reduce Fraud

By Charles Hall | Fraud

As businesses grow, the risk of theft increases. In this post, I offer ten powerful steps to reduce fraud.

Windows open. Curtains blowing. The sound of crickets and an occasional train in the distance. It was a simple childhood. It was my childhood. My mother parked her black Ford Falcon and left the keys in the ignition. The doors to our home were unlocked. We trusted our neighbors and they trusted us. And why would we not? We’d known each other forever.

steps to prevent theft


But then one night at the dinner table, my father said, “someone stole Miss Gussie’s Chevy.” Unthinkable. Our innocence was broken, and soon my mother took precautionary measures. Each evening, after parking, she would place the car keys under the car seat. No need to take chances. We began to close the windows at night, but still, the back door was left unlocked in case my father needed to go out for a smoke.

A couple of months later, I overheard my mother whispering to my grandmother that a man slithered into Miss Kidd’s house in the dead of night and had taken valuables. Miss Kidd lived diagonally from our home, just a stone’s throw away. To think that someone just walked–unannouncedinto the octogenarian’s home. How could this be?

Fear was palpable. Our neighborhood’s character shifted. No longer would Mom leave the keys in the car. No longer would we leave the windows open. No more cricket sounds. And my father even locked the back door.

Safely we would sleep, not because there were no threats, but because of protection.Continue reading