Useful Governmental Internal Controls that You Need Know

By Charles Hall | Fraud , Local Governments

Below I provide useful governmental internal controls that you need to know.

Why am I providing this list of useful controls? Most small governments struggle with establishing sound internal controls. So, the list provides a foundation for preventing theft in your government. While not a comprehensive list, I thought I would share it.

Many of the internal controls listed below are also pertinent to nonprofits and small businesses as well. You will find this same checklist in The Little Book of Local Government Fraud Prevention (available on Amazon) which provides many more fraud prevention ideas.

I am providing general fraud prevention controls and then transaction-level controls for:

• Cash receipts and billing
• Cash payments and purchasing
• Payroll

Useful Governmental Internal Controls

General Internal Controls

1. Have bank statements mailed directly to someone outside of accounting; recipient should peruse bank statement activity before providing it to accounting
2. Perform surprise audits (use outside CPA if possible)
3. Elected officials and management should review the monthly budget to actual reports (and other pertinent financial reports)
4. Map internal control processes by transaction cycle (preferably done by a seasoned CPA); once complete, provide the map to all employees involved in the cycle; when control weaknesses exist, institute additional controls (see 11. below)
5. Use a whistleblower program (preferably use an outside whistleblower company)
6. Reconcile bank statements monthly (have a second person review and initial the reconciliation)
7. Purchase fidelity bond coverage (based on risk exposure)
8. Periodically request from the government’s bank a list of all bank accounts in the name of the government or with the government’s federal tax I.D. number; compare the list to bank accounts set up in the general ledger
9. Secure computer access physically (e.g., locked doors) and electronically (e.g., passwords)
10. Do not allow the electronic transmission (e.g., email) of sensitive data (e.g., social security numbers) without the use of protected transmission technology (e.g. Sharefile); create policy and train staff
11. Where possible, segregate who (1) authorizes transactions, (2) records transactions, (3) reconciles records, and (4) has custody of assets; when segregation of duties is not possible, require documented second-person review and/or surprise audits

Transaction Level Controls

Cash Receipts and Billing Controls

1. Use a centralized receipting location (when possible)
2. Assign each cash drawer to a separate person; require daily reconciliation to receipts; require second person review
3. Deposit cash timely (preferably daily); require the composition of cash and checks to be listed on each deposit ticket (to help prevent check-for-cash substitution)
4. Immediately issue a receipt for each payment received; a duplicate of the receipt or electronic record of the receipt is to be retained by the government
5. A supervisor should review receipting-personnel adjustments made to accounts receivable
6. Do not allow the cashing of personal checks (e.g., from cash drawers)

Cash Payments and Purchasing Controls

1. Guard all check stock (as though it were cash)
2. Do not allow hand-drawn checks; only issue checks through the computerized system; if hand-drawn checks are issued, have a second person create and post the related journal entry
3. Do not allow the signing of blank checks
4. Limit check signing authorization to as few people as possible
5. Require two employees to effectuate each wire transfer
6. Persons who authorize wire transfers should not make related accounting entries
7. Require a documented bidding process for larger purchases (and sealed bids for significant purchases or contracts); specify procedures for evaluating and awarding contracts.
8. Limit the number of credit cards and the chargeable maximum amount on each card
9. Allow only one person to use an individual credit card; require receipts for all purchases
10. Require a street address and social security or tax I.D. numbers for each vendor added to accounts payable vendor list (P.O. box numbers without a street address should not be accepted)
11. Signed vendor checks should not be returned to those who authorized the payment; mail checks directly to vendors
12. Compare payroll addresses with vendor addresses for potential fictitious vendors (usually done with electronic audit tools such as IDEA or ACL)

Payroll Controls

1. Provide a departmental overtime budget/expense report to governing body or relevant committee
2. Use direct deposit for payroll checks
3. Payroll rates keyed into the payroll system must be supported by proper authorization in the employee personnel file
4. Immediately remove terminated employees from the payroll system
5. Use biometric time clocks to eliminate buddy-punching
6. Check for duplicate direct-deposit bank account numbers
7. A department head should provide written authorization for overtime prior to payment

Your Recommendations

What additional controls do you recommend? Share your thoughts below.

Splitting Payments to Circumvent Approval Requirements

By Charles Hall | Asset Misappropriation

Some fraudsters split payments to circumvent approval requirements. In this article, I show you how this type of theft works and what you can do to prevent it.

The Theft

The maintenance supervisor, Billy, wants to make a fraudulent payment to ABC Hardware for $9,900. (ABC Hardware is owned by his cousin.) So, Billy wants to avoid his company’s review process. He knows that all checks over $5,000 require the physical signature of the finance director. All checks below $5,000 are signed by the computer. What’s a boy to do? Well, Billy can split the transaction–two checks for $4,950 each. That will work.

Billy asks his cousin for two ABC Hardware invoices of $4,950 rather than the one for $9,900. Afterwards, Billy approves each invoice, and the payments are made.

Picture is courtesy of AdobeStock.com

So, Billy tries the scheme again, and it works. Then, he does so repeatedly. His cousin rewards him with free trips to South Dakota, his favorite hunting destination.

The Weakness

No one is querying the check register for payments just below the threshold. Also, bids were not obtained.

The Fix

Download the check register into Excel (or any database package). Then, sort the payments and look for repeated payments–just below the threshold of $5,000–to the same vendor.

Require bids for significant expenses, and retain the bids as support for the payments.

Difference in Bribes and Gratuities

Learning tip: The hunting trip is referred to as a gratuity rather than a bribe. Why? Bribes are inducement payments made before the purchase decision. Gratuities–free trips in this example–are given after the vendor payments. The purpose of the gratuity is to reward the complicit person (Billy). Then, in the future, Billy knows the drill and expects more of the same.

White-Collar Crime

Splitting payments is a form of white-collar crime. There are many ways that professionals steal. Click here for more fraud-related examples (some of which are hard to believe).

The Little Book of Local Government Fraud Prevention

By Charles Hall | Fraud , Local Governments

How to Capture and Communicate Internal Control Deficiencies

By Charles Hall | Auditing

Too many times auditors fail to capture control deficiencies in the audit process. So, today I’ll show you how to capture and communicate internal control deficiencies.

A Common End-of-Audit Problem

We’re concluding another audit, and it’s time to consider whether we will issue a letter communicating internal control deficiencies. A month ago we noticed some control issues in accounts payable, but presently we’re not clear about how to describe them. We hesitate to call the client to rehash the now-cold walkthrough. After all, the client thinks we’re done, and quite frankly, they are tired of seeing us. We know that boiler-plate language will not clearly communicate the weakness or how to fix it. Now we’re kicking ourselves for not taking more time to document the control deficiencies.

Here’s a post to help capture and document internal control issues as we audit.

How to Capture and Communicate Internal Control Deficiencies

Today, we’ll take a look at the following control weakness objectives:

1. How to communicate them
2. How to discover them
3. How to capture them

Picture is courtesy of AdobeStock.com

As we begin, let’s define three types of weaknesses:

• Material weaknesses – A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
• Significant deficiencies – A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
• Other deficiencies – For purposes of this blog post, we’ll define other deficiencies as those less than material weaknesses or significant deficiencies.

As we look at these definitions, we see that categorizing control weaknesses is subjective. Notice the following terms:

• Reasonable possibility
• Material misstatement
• Less severe
• Merits attention by those charged with governance

Categorizing a control weakness is not a science, but an art. With this thought in mind, let’s start our journey with how control weaknesses should be reported.

1. How to Communicate Control Weaknesses

Material weaknesses and significant deficiencies must be communicated in writing to management and those charged with governance. Other deficiencies can be given verbally to management, but you must document those discussions in your work papers.

2. How to Discover Control Weaknesses

Capture control weaknesses as you perform the audit. You might identify control weaknesses in the following audit stages:

1. Planning – Risk assessment and walkthroughs
2. Fieldwork – Transaction-level work
3. Conclusion – Wrapping up

A. Planning Stage

You will discover deficiencies as you perform walkthroughs which are carried out in the early stages of the engagement. Correctly performed walkthroughs allow you to see process shortcomings and where duties are overly concentrated (what auditors refer to as a lack of segregation of duties).

Segregation of Duties

Are accounting duties appropriately segregated with regard to:

• Custody of assets
• Reconciliations
• Authorization
• Bookkeeping

Notice the first letters of these words spell CRAB (I know it’s cheesy, but it helps me remember).

Auditors often make statements such as, “Segregation of duties is not possible due to the limited number of employees.”

I fear such statements are made only to protect the auditor (should fraud occur in the future). It is better that we be specific about the control weakness and what the potential impact might be. For example:

The accounts payable clerk can add new vendors to the vendor file. Since checks are signed electronically as they are printed, there is a possibility that fictitious vendors could be added and funds stolen. Such amounts could be material.

Such a statement tells the client what the problem is, where it is, and the potential damage. 

Fraud: A Cause of Misstatements

While I just described how a lack of segregation of duties can open the door to theft, the same idea applies to financial statement fraud (or cooking the books). When one person controls the reporting process, there is a higher risk of financial statement fraud. Appropriate segregation lessens the chance that someone will manipulate the numbers.

Within each transaction cycle, accounting duties need to be performed by different people. Doing so lessens the possibility of theft. If one person performs multiple duties, ask yourself, “Is there any way this person could steal funds?” If yes, then the client should add a control in the form of a second-person review.

If possible, the client should have a second person examine reports or other supporting documentation. How often should the review be performed? Daily, if possible. If not daily, as often as possible. Regardless, a company should not allow someone with the ability to steal to work alone without review. The fear of detection lessens fraud.

If a transaction cycle lacks segregation of duties, then consider the potential impact from the control weakness. Three possible impacts exist:

• Theft that is material (material weakness)
• Theft that is not material but which deserves the attention of management and the board anyway (significant deficiency)
• Theft of insignificant amounts (other deficiency)

My experience has been that if any potential theft area exists, the board wants to know about it. But this is a decision you will make as the auditor.

Errors: Another Cause of Misstatements

While auditors should consider control weaknesses that allow fraud, we should also consider whether errors can lead to potential misstatements. So, ask questions such as:

• Do the monthly financial statements ever contain errors?
• Are invoices mistakenly omitted from the payable system?
• Do employees forget to obtain purchase order numbers prior to buying goods?
• Are new employees ever unintentionally left off the payroll?
• Do bookkeepers fail to reconcile the bank statements on a timely basis? 

B. Fieldwork Stage

While it is more likely you will discover process control weaknesses in the planning stage of an audit, the results of control deficiencies sometimes surface during fieldwork. How? Audit journal entries. What are audit entries but corrections? And corrections imply a weakness in the accounting system.

When an auditor makes a material journal entry, it’s difficult to argue that a material weakness does not exist. We know the error is “reasonably possible” (it happened). We also know that prevention did not occur on a timely basis.

C. Conclusion Stage

When concluding the audit, review all of the audit entries to see if any are indicators of control weaknesses. Also, review your internal control deficiency work papers (more on this in a moment). If you have not already done so, discuss the noted control weaknesses with management. 

Your firm may desire to have a policy that only managers or partners make these communications. Why? Management can see the auditor’s comments as a criticism of their own work. After all, they designed the accounting system (or at least they oversee it). So, these discussions can be a little challenging.

Now let’s discuss how to capture control weaknesses.

3. How to Capture Control Weaknesses

So, how do you capture the control weakness?

First, and most importantly, document internal control deficiencies as you see them.

Why should you document control weaknesses when you initially see them?

1. You may not be on the engagement when it concludes (because you are working elsewhere) or
2. You may not remember the issue (weeks later).

Second, create a standard form (if you don’t already have one) to capture control weaknesses. 

Picture is courtesy of AdobeStock.com

Internal Control Capture Form

 What should be in the internal control form? At a minimum include the following:

1.  Check-mark boxes for:
   • Significant deficiency
   • Material weakness
   • Other control deficiency
   • Other issues (e.g., violations of laws or regulations) 
2. Whether the probability of occurrence is at least reasonably possible and whether the magnitude of the potential misstatement is material
   • If the probability of occurrence is at least reasonably possible and the magnitude of the potential misstatement is material, then the client has a material weakness
3. Description of the deficiency and the verbal or written communications to the client; also the client’s response
4. The cause of the condition
5. The potential effect of the condition
6. Recommendation to correct the issue
7. Person who identified the issue and the date when the issue was identified
8. Whether the issue is a repeat from the prior year
9. An area for the partner to sign off that he or she agrees with the description of the deficiency and the category assigned to it (e.g., material weakness)
10. Reference to related documentation in the audit file

Summary

The main points in capturing and communicating internal control deficiencies are:

1. Capture control weaknesses as soon as you see them
2. Develop a form to document the control weaknesses

How Do You Capture and Report Control Deficiencies?

Whew! We’ve covered a lot of ground today. How do you capture and report control deficiencies? I’m always looking for new ideas: Please share.

Understand and Communicate Material Weaknesses and Significant Deficiencies

By Charles Hall | Auditing

In today’s post, I tell you how to understand and communicate material weaknesses and significant deficiencies.

How do you categorize a control weakness? Is the weakness a material weakness, a significant deficiency or something less? This seems to be the most significant struggle in addressing internal control issues.

And if you’ve been in the business for any time at all, you know that management can take offense regarding control weakness communications. For instance, a CFO may believe that a material weakness reflects poorly upon him. After all, he controls the design of the accounting system. So, communicating control weaknesses can result in disagreements. Therefore, it’s even more important that these communications be correct.

Before telling you how to distinguish material weaknesses from significant deficiencies, let’s review control weakness definitions.

Definitions of Control Weaknesses

A deficiency in internal control is defined as follows: A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

Now let’s define (1) material weaknesses, (2) significant deficiencies, and (3) other deficiencies.

1. Material weakness. A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
2. Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
3. Other deficiencies. For the purposes of this blog post, an other deficiency is a control weakness that is less than a material weakness or a significant deficiency.

How to Categorize a Control Weaknesses

Now that we have defined material weaknesses and significant deficiencies, we can discuss how to distinguish between the two.

Material Weakness

First, ask these two questions:

1. Is there a reasonable possibility that a misstatement could occur?
2. Could the misstatement be material?

If your answer to both questions is yes, then the client has a material weakness. (By the way, if you propose a material audit adjustment, it’s difficult to argue that there is no material weakness. As you write your control letter, examine your proposed audit entries.)

Significant Deficiency

If your answer to either of the questions is no, then ask the following:

Is the weakness important enough to merit the attention of those charged with governance? In other words, are there board members who would see the weakness as important.

If the answer is yes, then it is a significant deficiency.

If no, then it is not a significant deficiency or a material weakness.

How to Communicate Material Weaknesses and Significant Deficiencies

The following deficiencies must be communicated in writing to management and to those charged with governance:

• Material weaknesses
• Significant deficiencies

The written communication (according to AU-C section 265) must include:

• the definition of the term material weakness and, when relevant, the definition of the term significant deficiency
• a description of the significant deficiencies and material weaknesses and an explanation of their potential effects
• sufficient information to enable those charged with governance and management to understand the context of the communication
• the fact that the audit included consideration of internal control over financial reporting in order to design audit procedures that are appropriate in the circumstances and that the audit was not for the purpose of expressing an opinion on the effectiveness of internal control
• the fact that the auditor is not expressing an opinion on the effectiveness of internal control
• that the auditor’s consideration of internal control was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies, and therefore, material weaknesses or significant deficiencies may exist that were not identified
• an appropriate alert, in accordance with section 905, Alert That Restricts the Use of the Auditor’s Written Communication

Next, I explain how to communicate other deficiencies (those that are less than a material weakness or a significant deficiency).

How to Communicate Other Deficiencies

Other deficiencies can be communicated in writing or orally and need only be communicated to management (and not to those charged with governance). The communication must be documented in the audit file. So if you communicate orally, then follow up with a memo to the file addressing who you spoke with, what you discussed, and the date of the discussion.

Stand-alone management letters are often used to communicate other deficiencies. Since there is no authoritative guidance for management letters, you may word them as you wish. Alternatively, you can, if you like, include other deficiencies in your written communication of significant deficiencies or material weaknesses.

A Key Word of Warning

Always provide a draft of any written communications to management before final issuance. It is much better to provide a draft and find out (before issuance) that it contains an error or a miscommunication. Then, corrections can be made.

Additional Information

Writing your internal control letter is a part of the wrap-up process for audits. Click here for additional information concerning wrapping up an audit.

Disbursement Fraud Audit Tests: Five Powerful But Simple Ideas

By Charles Hall | Auditing

You are leading the audit team discussion concerning disbursements, and a staff member asks, “Why don’t we ever perform fraud tests? It seems like we never introduce elements of unpredictability.”

You respond by saying, “Yes, I know the audit standards require unpredictable tests, but I’m not sure what else to do. Any fresh ideas?”

The staff member sheepishly responds, “I’m not sure.” 

You remember a blog post addressing how fraud can sting auditors, and you think, “What can we do?”

Picture from AdobeStock.com

Five Disbursement Fraud Tests

Here are five disbursement fraud tests that you can perform on most any audit.

1. Test for duplicate payments

Why test?

Theft may occur as the accounts payable clerk generates the same check twice, stealing and converting the second check to cash. The second check may be created in a separate check batch, a week or two later. This threat increases if (1) checks are signed electronically or (2) the check-signer commonly does not examine supporting documentation and the payee name.

How to test?

Obtain a download of the full check register in Excel. Sort by dollar amount and vendor name. Then investigate same-dollar payments with same-vendor names above a certain threshold (e.g., $25,000).

2. Review the accounts payable vendor file for similar names

Why test?

Fictitious vendor names may mimic real vendor names (e.g., ABC Company is the real vendor name while the fictitious name is ABC Co.). Additionally, the home address of the accounts payable clerk is assigned to the fake vendor (alternatively, P.O. boxes may be used).

The check-signer will not recognize the payee name as fictitious.

How to test?

Obtain a download of all vendor names in Excel. Sort by name and visually compare any vendors with similar names. Investigate any near-matches.

3. Check for fictitious vendors

Why test?

The accounts payable clerk may add a fictitious vendor (one in which no similar vendor name exists, as we saw in the preceding example).

The fictitious vendor address? You guessed it: the clerk’s home address (or P.O. Box).

Pay particular attention to new vendors that provide services (e.g., consulting) rather than physical products (e.g., inventory). Physical products leave audit trails; services, less so.

How to test?

Obtain a download in Excel of new vendors and their addresses for a period of time (e.g., month or quarter). Google the businesses to check for validity; if necessary, call the vendor. Or ask someone familiar with vendors to review the list (preferably someone without vendor set-up capabilities).

4. Compare vendor and payroll addresses

Why test?

Those with vendor-setup ability can create fictitious vendors associated with their own home address. If you compare all addresses in the vendor file with addresses in the payroll file, you may find a match. (Careful – sometimes the match is legitimate, such as travel checks being processed through accounts payable.) Investigate any suspicious matches.

How to test?

Obtain a download in Excel of (1) vendor names and addresses and (2) payroll names and addresses. Merge the two files; sort the addresses and visually inspect for matches.

5. Scan all checks for proper signatures and payees

Why test?

Fraudsters will forge signatures or complete checks with improper payees such as themselves.

How to test?

Pick a period of time (e.g., two months), obtain the related bank statements, and scan the checks for appropriate signatures and payees. Also, consider scanning endorsements (if available).

Your Ideas

Those are a few of my ideas. Please share yours.

My fraud book provides more insights into why fraud occurs, how to detect it, and–most importantly–how to prevent it. Check it out on Amazon by clicking here. The book focuses on local government fraud, but most of the information is equally applicable to small businesses.

Assessing Audit Control Risk at High (and Saving Time)

By Charles Hall | Auditing

At times, auditors errantly assess control risk at less than high. Why? Because the (lower) assessment is not supported by a test of controls.

So can you assess control risk at high without testing controls? Yes–and you may want to. Below you’ll see why.

We have been told that “you can’t default to maximum risk.” While we can’t default to maximum (the old pre-risk-assessment standards term), we can–and in many audits should–assess control risk at high (the present risk assessment term).

Picture is from AdobeStock.com

Assessing Control Risk at High

First, the auditor should determine the existence and location of risks–the purpose of risk assessment procedures. Once risk assessment procedures (walkthroughs, inquiries, analytics, etc.) are performed, we know more about what the risks are and where they are. Then—if controls are appropriately designed and working—we can assess control risk (CR) at whatever level we desire. If CR is assessed at below high, then controls must be tested to support the lower risk assessment.

The Efficiency Decision

At this point, our assessment of control risk becomes a question of efficiency. We can:

1. Assess control risk at high and not perform additional tests of controls, or
2. Assess control risk at low to moderate and test the operating effectiveness of controls

The salient question is, “Which option is most efficient?”

Risk Assessment Procedures

Risk assessment procedures, such as walkthroughs, generally are not sufficient to support a low to moderate control risk assessment. A walkthrough (often a test of one transaction) allows us to see if appropriate controls are in place. They don’t, however, tell us if the controls are consistently working.

Testing Controls

AU-C Section 330.08 states: The auditor should design and perform tests of controls to obtain sufficient appropriate audit evidence about the operating effectiveness of relevant controls if the auditor’s assessment of risks of material misstatement…includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining…substantive procedures).

A test of one transaction–often performed in walkthroughs–generally is not considered “sufficient appropriate audit evidence” to assess control risk at less than high.

Back to the Efficiency Issue

Now, let’s look at audit planning decisions.

To test and rely on controls, the auditor should examine more transactions. We might, for example, test forty disbursements for proper purchase orders. If the control is working, then we can assess control risk at low to moderate and decrease our substantive work. We could, for example, test fewer additions to plant, property and equipment.

If it takes longer to test controls (e.g., the forty purchase orders) than to perform substantive tests (e.g., vouching invoice support for additions to plant, property and equipment), then it makes more sense to assess control risk at high and perform substantive procedures. And we should do just that–if we desire to make a higher profit on the engagement (and I’m betting you do).

For example, if it takes six hours to test forty transactions for appropriate purchase orders, and it takes four hours to vouch all additions to plant, property, and equipment, then we should assess control risk at high and not perform the test of controls. We should perform the substantive procedure of vouching all significant additions to plant, property, and equipment.

Reducing Substantive Tests (Without Testing Controls)

Can we assess the risk of material misstatement (RMM) at low to moderate without testing controls?

Yes.

If the inherent risk (IR) is low to moderate, then our combined risk of material misstatement can easily be low to moderate. (Let me encourage you to assess risk at the assertion level and not at the transaction level, but I will save that topic for another post.)

For example, a low inherent risk and a high control risk can yield a low to moderate RMM. In an equation it looks like this:

 IR         CR         RMM            Audit Approach
Low X High = Moderate              Basic

This approach produces a moderate RMM without testing controls. A moderate RMM supports a basic approach, and a basic approach means we are performing fewer substantive tests (a high RMM means the auditor will perform more substantive tests).

In short, many times inherent risk is low to moderate. If you combine a low to moderate inherent risk with a high control risk, you can assess RMM at low to moderate. This low to moderate RMM comports with a basic audit approach. Continuing with our plant, property and equipment example from above, you can–with the low to moderate RMM–test fewer asset purchases. And no test of controls is necessary.

This approach–assessing control risk at high after performing risk assessment procedures–often creates greater audit efficiency and is compliant with audit standards. Alternatively, we should assess control risk below high and test controls if this approach takes less time.

Why Assessing Control Risk at High is (Often) More Efficient

Conclusion

I started this post by saying we sometimes errantly assess control risk. By this, I mean we sometimes assess control risk at low to moderate without a sufficient test of controls. If we assess control risk at less than high, then we must test controls.

What are your thoughts about assessing control risk?

How to Steal Money with Altered Check Payees

By Charles Hall | Asset Misappropriation

Some fraudsters steal money with altered check payees.

As a kid I once threw a match in a half-gallon of gasoline—just to see what would happen. I quickly found out. In a panic, I kicked the gas container—a plastic milk jug—several times, thinking this would somehow kill the fire. But just the opposite happened. And when my father found out, something else was on fire.

Some accounting weaknesses create unintended consequences. Show me an accounting clerk who (1) can sign checks (whether by hand, with a signature stamp, or with a computer-generated signature), (2) posts transactions to the accounting system, and (3) reconciles the bank account, and I will show you another combustible situation. Here’s how one city clerk created her own blaze.

Altered Check Example

Using the city’s signature stamp, the clerk signed handwritten checks made out to herself; however, when the payee name was entered into the general ledger (with a journal entry), another name was used—usually that of a legitimate vendor.

For example, Susie, the clerk, created manual checks made out to herself and signed them with the signature stamp. But the check payee was entered into the accounting system as Macon Hardware (for example). Also, she allocated the disbursements to accounts with sufficient remaining budgetary balances. The subterfuge worked as the expense accounts reflected appropriate vendor activity and expenses stayed within the budgetary appropriations. No red flags.

The accounting clerk, when confronted with evidence of her deception, responded, “I don’t know why I did it, I didn’t need the money.” We do a disservice to accounting employees when we make it so easy to steal. Given human nature, we should do what we can to limit the temptation.

How?

Controls to Lessen Check Fraud

First, if possible, segregate the disbursement duties so that only one person performs each of the following:

• Creating checks
• Signing checks
• Reconciling bank statements
• Entering checks into the general ledger

If you can’t segregate duties, have someone (the Mayor, a non-accounting employee, or an outside CPA) review cleared checks for appropriateness.

Secondly, have a second person approve all journal entries. False journal entries can used to hide theft. With sleight of hand, the city clerk made improper journal entries such as:

                                                Dr.                 Cr.

Supply Expense              $5,234

Cash                                                        $5,234

The check was made out to Susie, but the transaction was, in this example, coded as a supply expense paid to Macon Hardware. You can lessen the risk of fraud by preventing improper journal entries.

Thirdly, restrict access to check stock. It’s wise to keep blank check stock locked up until needed.

Finally, limit who can sign checks, and deep-six the signature stamp.

A Fraud Test for Auditors

Here’s a word to external auditors looking for a fraud test idea (or those just looking for check fraud): Consider testing a random sample of cleared checks by agreeing them to related invoices.

Work from the cleared check to the invoice. It is best for the auditor to pull the invoices from the invoice file; if you ask someone in accounting to pull the invoices, that person might create fictitious invoices to support your list (not hard to do these days). If the payee has been altered, you will, in many cases, not find a corresponding invoice. Pay particular attention to checks with company employees on the payee line.

Click here for more white-collar crime examples.

10 Powerful Steps to Reduce Theft

By Charles Hall | Fraud

Windows open. Curtains blowing. The sound of crickets and an occasional train in the distance. It was a simple childhood. It was my childhood. My mother parked her black Ford Falcon and left the keys in the ignition. The doors to our home were unlocked. We trusted our neighbors and they trusted us. And why would we not? We’d known each other forever.

But then one night at the dinner table, my father said, “someone stole Miss Gussie’s Chevy.” Unthinkable. Our innocence was broken, and soon my mother took precautionary measures. Each evening, after parking, she would place the car keys under the car seat. No need to take chances. We began to close the windows at night, but still the back door was left unlocked in case my father needed to go out for a smoke.

A couple of months later, I overheard my mother whispering to my grandmother that a man slithered into Miss Kidd’s house in the dead of night and had taken valuables. Miss Kidd lived diagonally from our home, just a stone’s throw away. To think that someone just walked–unannounced–into the octogenarian’s home. How could this be?

Fear was palpable. Our neighborhood’s character shifted. No longer would Mom leave the keys in the car. No longer would we leave the windows open. No more cricket sounds. And my father even locked the back door.

Safely we would sleep, not because there were no threats, but because of protection.Continue reading

The New COSO Framework

By Charles Hall | Accounting and Auditing , Fraud , Local Governments

Rita Crundwell, the former comptroller for Dixon, Illinois, stole over $53 million from a city of 16,000 people with an annual budget of $6 to $8 million. In the early 1990s, she opened a secret bank account in the name of the city and began transferring funds (disguised as payments to the Illinois DOT). The monies (in the secret account) were used by Rita to fund one of the nicest quarter horse ranches in the world.

The theft was simple. The damage was massive.

Picture courtesy of DollarPhoto.com

Losses from fraud and other risks can happen to any organization that lacks sufficient internal controls. Therefore, it’s imperative that your business, government, or nonprofit create a sound working internal control system.

Why COSO?

Prior to 1992 (the year COSO’s internal control framework came into existence), internal control guidance was sparse. Accountants knew that controls were needed, but many had no model to follow.

COSO to the Rescue

The Committee of Sponsoring Organizations (COSO), consisting of five organizations, such as the AICPA, came together to develop an internal control framework that accountants could use in any organization. Those standards have served well over the last twenty years, but with many changes in technology (e.g., cloud computing), the uptick in laws and regulations (e.g., Sarbanes Oxley), the increase in outsourcing (e.g., payroll), and the higher incidence of fraud, it became apparent that the framework needed amendments. So the COSO did just that, releasing the updated framework in May 2013; the effective date of the guidance is December 15, 2014.

The Hip Bone Connected to the Leg Bone

COSO added greater definition and guidance in regard to the five internal control components created back in 1992:

1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring

As the 1992 framework states, these five components should be holistically integrated to create a healthy and safe control environment for business, nonprofits, and other organizations.

And what does this integration look like?

Every entity needs ethical leadership (the control environment). Those leaders identify key risk areas, usually in terms of likelihood and dollar impact. Once the risk areas are known, controls are designed and implemented (control activities) to ensure the creation of financial information (information and communication). Lastly, the organization monitors the system to ensure that it all works as planned (monitoring).

Most auditors (and those who design internal controls) usually emphasize the control activities component. The reason? Audit opinions relate to financial statements and deficiencies in control activities often allow misstatements to occur. The result? The reporting of significant deficiencies and material weaknesses. As auditors issue control deficiency letters, they tend to focus on control activities, though those communications can and should address deficiencies in the other four internal control components.

What changed in the new COSO framework?

Key changes in the 2013 framework include:

• The addition of 17 principles (each related to one of the five control components listed above)
• The addition of points of focus (each applicable to one of the 17 principles)
• An increased focus on fraud
• An increased focus on governance
• An increased focus on information technology
• An increased focus on compliance with laws and regulations

Why should I care about these changes?

Think of the COSO framework as the fountainhead of all that is good in internal control land. And once COSO speaks, other important bodies (e.g., the AICPA Auditing Standards Board) listen and absorb what is published. Remember SAS 109, Understanding the Entity and Its Control Environment, issued in 2006? Guess where the five control components (control environment, risk assessment, control activities, information and communication, and monitoring) came from? Don’t be surprised if you see the 17 new COSO principles–and possibly the points of interest–embedded in future audit standards.

In any event, the new COSO guidance is a great place for any business or organization to develop a control system that identifies and mitigates risks.

Then disasters–like the one in Dixon, Illinois–can be avoided.

Deeper Dive

If you are interested in more information about the new COSO guidance, consider purchasing the book Executive’s Guide to COSO Internal Controls by Robert Moeller. Mr. Moeller provides a nice summary of the framework along with implementation steps.

You can buy the COSO Framework here.