Segregation of duties is key to reducing fraud. But smaller entities may not be able to do so. Today, I tell you how to overcome this problem, regardless of the entity’s size.
Darkness is the environment of wrongdoing.
Why?
No one sees us. Or so we think.
Fraud occurs in darkness.
In J.R.R. Tolkien’s Hobbit stories, Sméagol, a young man, murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring transforms Sméagol into a hideous creature–Gollum.
And what does this teach us? That which is alluring in the beginning can be destructive in the end.
Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment where fraud happens.
What’s the solution? Transparency. It protects businesses, governments, and nonprofits.
But while we desire open and understandable processes, our businesses often have just a few employees that perform the accounting duties. And, many times, no one else understands how the system works.
It is desirable to divide accounting duties among various employees, so no one person controls the whole process. This division of responsibility creates transparency. How? By providing multiple eyes to see what’s going on.
But this segregation of duties is not always possible.
Some people say there are three key duties that must always be separated under a good system of internal controls: (1) custody of assets, (2) record keeping or bookkeeping, and (3) authorization. I add a fourth: reconciliation. The normal recommendation for lack of segregation of duties is to separate these four accounting duties to different personnel. But many organizations are unable to do so, usually due to a limited number of employees.
Some small organizations believe they can’t overcome this problem. But is this true? I don’t think so.
Here are two easy steps to create greater transparency and safety when the separation of accounting duties is not possible.
First, consider this simple control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.
Persons who might receive the bank statements first (before the bookkeeper) include the following:
What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).
In many small entities, accounting processes are a mystery to board members or owners. Why? Only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.
Relying on a trusted bookkeeper is not a good thing. So how can you shine the light?
Allow a second person to see the bank statements.
Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.
Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person. And let the bookkeeper know.
Even the appearance of transparency creates (at least some) safety. Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of a review enhances safety. I am not recommending that the review not be performed. But if the bookkeeper even thinks someone is watching, fraud will lessen.
When you audit cash, see if these types of controls are in place.
Now, let’s look at the second step to overcome a lack of segregation of duties. Surprise audits.
Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs). They involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such a review can be contracted out to a CPA. Or they can be performed by someone in the company. For example, a board member.
Additionally, adopt a written policy stating that the surprise inspections will occur once or twice a year.
The policy could be as simple as:
Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.
Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be examined but distinct enough that a regular review occurs.
Here are some surprise audit ideas:
The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not get caught.
I will say it again. Having multiple people involved reduces the threat of fraud.
In summary, the beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement. Even so, they are powerful. So shine the light.
What other procedures do you recommend?
For more information about preventing fraud, check out my book: The Little Book of Local Government Fraud Prevention.
Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.
[…] Segregation of duties, an activity-level control, may be lacking, especially in smaller organizations. A compensating control is the board or owner’s review of financial statements. Additionally, in entities with budgets, the board might receive budget-to-actual reports. Moreover, the board might review a list of disbursements. […]
[…] example, suppose your billing and collections walkthrough reveals appropriate segregation of duties. You see that authorized personnel issue receipts for each payment received. Additionally, you […]
[…] accounting duties appropriately segregated with regard […]
Yes, the person entering information and the person reconciling the information should be different (not the same person). When the bank statements are reconciled, that person should compare the cleared check’s payees with the information in the general ledger—they should be the same.
The bookkeeper shouldn’t be the person reconciling the account. Someone without access to change the account should perform this task and report any discrepancies immediately.
Walter, yes, it’s always good for the bookkeepers to know others are paying attention.
Decades ago, our firm added a step. In addition to sending the bank statements to a business owner’s home, the owner would bring the envelope to the office asking questions about one or two checks. The bookkeepers would often comment about the owner’s forgetfulness, not realizing it was an act so that the bookkeeper knew the owner was watching.
One of the greatest roadblocks to implementing this or any kind of new internal control is the wail that, “You don’t trust me/us!”
One method to deflect this is to play good cop bad cop. Have an outsider like the CPA firm or new board member insist on these new procedures and make sure the entire board agrees unanimously. You can simultaneously blame the outsider and explain that these new controls only protect the innocent employees from inappropriate suspicion if something goes south.
The above suggestions are excellent. Based on my many years of auditing experience, I like to add “quarterly audits.” Unfortunately, most management people would think this is a waste of money; however, it is far from true. I can relate to both worlds, NFP and FP. In the NFP world, many, many years ago a major USA city contracted with NFPs awarding federal, state and local grants. The NFP could select the audit firm but once selected, the NFP could not change auditor, only the City could do that, an assurance of auditors’ independence. Who benefits most from this policy? The NFPs. It resulted in NFPs having the best management I have ever seen, no headaches; the cost was insignificant.
In the FP world, I spent a significant amount of time performing audits in the garment industry. Those companies that adopted quarterly audits or reviews were highly profitable. Again, the cost of the audit or review was insignificant.
Highly recommendable. If the entity has merchandise, I would suggest to include periodic inventory physical count and reconcile it to the book inventory, as often as possible.
Yes, Armando. Those physical counts are crucial!
Without a doubt a second person should receive the bank statement every month. One problem with having it first go to someone else is that it can delay the bookkeeper from reconciling the account, and if the second person feels hurried, it’s less likely they will scrutinize the statement much if at all. I recommend the bank send a duplicate statement to the designated person directly. The problem with online access is that people are busy and will just get out of the habit of looking.
I don’t like the surprise audit idea because there is often not adequate training or experience available. I prefer a quarterly quick review of the items you list by the firm’s accountants or a professional bookkeeping firm. It doesn’t have to be very expensive. If not quarterly, then at least twice a year.
Benson, I agree with you about your online banking comment. The physical bank statements beg for attention. I also agree that an outside professional firm should perform the “surprise audit,” if possible. Thanks for your comments.
All of the above suggestions are good. The problems I have had with the smaller organization are that usually they do not have qualified board members, relying on the “good-dedicated” person handling the accounting books. We know that the internal control should start at the top; but what if the board members do not understand the need for the internal control.
Good point, Armando. If you don’t have reliable board members (or members who don’t understand their duties), you really can’t include them as a part of the controls. Competence and dependability are a must.
Yes, Simone. I see this often. Many times companies wait too long to expand staffing in an effort to keep expenses low; this sometimes leads to more costs than if they had timely filled the position.
Thanks for the reminder. To expand on your thought – a review of duties and assignments to see that the (usually lean) staff are not handling incompatible duties. Often this leads to discovery that more resources are needed (part time, intern, outsource) so that all the work gets done on a timely basis and then is more likely to be accurate. As companies grow they sometimes look at the staffing last, when errors, or worse, occur.