Tag Archives for " Segregation of Duties "

Segregation of Duties
Sep 30

Segregation of Duties: How to Overcome

By Charles Hall | Auditing , Fraud

Segregation of duties is key to reducing fraud. But smaller entities may not be able to do so. Today, I tell you how overcome this problem, regardless of the entity’s size.

Segregation of duties

The Environment of Fraud

Darkness is the environment of wrongdoing.

Why?

No one sees us. Or so we think.

Fraud occurs in darkness.

In J.R.R. Tolkien’s Hobbit stories, Sméagol, a young man murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring transforms Sméagol into a hideous creature–Gollum.

And what does this teach us? That which is alluring in the beginning can be destructive in the end.

Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment where fraud happens.

What’s the solution? Transparency. It protects businesses, governments, and nonprofits.

But while we desire open and understandable processes, our businesses often have just a few employees that perform the accounting duties. And, many times, no one else understands how the system works.

It is desirable to divide accounting duties among various employees, so no one person controls the whole process. This division of responsibility creates transparency. How? By providing multiple eyes to see what’s going on.

But this segregation of duties is not always possible.

Lacking Segregation of Duties

Some people says here are three key duties that must always be separated under a good system of internal controls: (1) custody of assets, (2) record keeping or bookkeeping, and (3) authorization. I add a fourth: reconciliation. The normal recommendation for lack of segregation of duties is to separate these four accounting duties to different personnel. But many organizations are unable to do so, usually due to a limited number of employees.

Some small organizations believe they can’t overcome this problem. But is this true? I don’t think so.

YouTube player

Here’s two easy steps to create greater transparency and safety when the separation of accounting duties is not possible.

1. Bank Account Transparency

First, consider this simple control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.

Persons who might receive the bank statements first (before the bookkeeper) include the following:

  • A nonprofit board member
  • The mayor of a small city
  • The owner of a small business
  • The library director
  • A church leader

What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).

In many small entities, accounting processes are a mystery to board members or owners. Why? Only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.

Relying on a trusted bookkeeper is not a good thing. So how can you shine the light?

Allow a second person to see the bank statements.

Segregation of duties

Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.

Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person. And let the bookkeeper know.

Even the appearance of transparency creates (at least some) safety. Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of a review enhances safety. I am not recommending that the review not be performed. But if the bookkeeper even thinks someone is watching, fraud will lessen.

When you audit cash, see if these types of controls are in place.

Now, let’s look at the second step to overcome a lack of segregation of duties. Surprise audits.

2. Surprise Audits

Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs). They involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such a review can be contracted out to a CPA. Or they can be performed by someone in the company. For example, a board member.

Additionally, adopt a written policy stating that the surprise inspections will occur once or twice a year.

The policy could be as simple as:

Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.

Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be examined but distinct enough that a regular review occurs. 

Segregation of duties

Surprise Audit Ideas

Here are some surprise audit ideas:

  • Inspect all cleared checks that clear a particular month for appropriate payees and signatures and endorsements
  • Agree all receipts to the deposit slip for three different time periods
  • Review all journal entries made in a two week period and request an explanation for each
  • Inspect two bank reconciliations for appropriateness
  • Review one monthly budget to actual report (look for unusual variances)
  • Request a report of all new vendors added in the last six months and review for appropriateness

The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not get caught.

I will say it again. Having multiple people involved reduces the threat of fraud.

Segregation of Duties Summary

In summary, the beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement. Even so, they are powerful. So shine the light.

What other procedures do you recommend?

For more information about preventing fraud, check out my book: The Little Book of Local Government Fraud Prevention.

internal control weaknesses
Jul 25

Internal Control Weakness Reporting

By Charles Hall | Auditing

Auditors often fail to capture and communicate internal control weaknesses, even though such communications are required by the audit standards.

But making our clients aware of control weaknesses can help them. How? It allows them to improve their accounting system. The result: prevention of future fraud and errors.

In this article, I’ll show you how to capture and communicate internal control deficiencies. By doing so, you’ll add value to your audit services and you’ll help your client protect their business.

At the end of the post, you’ll also see a video that summarizes this information.

internal control weaknesses

A Common End-of-Audit Problem

You are concluding another audit, and it’s time to consider whether you will issue a letter communicating internal control deficiencies. A month ago you noticed some control issues in accounts payable, but presently you’re not sure how to describe them. You hesitate to call the client to rehash the now-cold walkthrough. After all, the client thinks you’re done. But you know that boiler-plate language will not clearly communicate the weakness or tell the client how to fix the problem. Now you’re kicking yourself for not taking more time to document the control weakness (back when you initially saw it).

Here’s a post to help you capture and document internal control issues as you audit.

Capture and Communicate Internal Control Deficiencies

Today, we’ll take a look at the following control weakness objectives:

  1. How to discover them
  2. How to capture them
  3. How to communicate them

As we begin, let’s define three types of weaknesses:

  • Material weaknesses – A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
  • Significant deficiencies – A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  • Other deficiencies – For purposes of this blog post, we’ll define other deficiencies as those less than material weaknesses or significant deficiencies.

As we look at these definitions, we see that categorizing control weaknesses is subjective. Notice the following terms:

  • Reasonable possibility
  • Material misstatement
  • Less severe
  • Merits attention by those charged with governance

Now let’s take a look at discovering, capturing, and communicating control weaknesses. 

Internal control

1. Discover Control Weaknesses

Capture control weaknesses as you perform the audit. You might identify control weaknesses in the following audit stages:

  1. Planning – Risk assessment and walkthroughs
  2. Fieldwork – Transaction-level work
  3. Conclusion – Wrapping up

A. Planning Stage

You will discover deficiencies as you perform walkthroughs which are carried out in the early stages of the engagement. Correctly performed walkthroughs allow you to see process shortcomings and where duties are overly concentrated (what auditors refer to as a lack of segregation of duties).

Segregation of Duties

Are accounting duties appropriately segregated with regard to:

  • Custody of assets
  • Reconciliations
  • Authorization
  • Bookkeeping

Notice the first letters of these words spell CRAB (I know it’s cheesy, but it helps me remember).

Auditors often make statements such as, “Segregation of duties is not possible due to the limited number of employees.”

I fear such statements are made only to protect the auditor (should fraud occur in the future). It is better that we be specific about the control weakness and what the potential impact might be. For example:

The accounts payable clerk can add new vendors to the vendor file. Since checks are signed electronically as they are printed, there is a possibility that fictitious vendors could be added and funds stolen. Such amounts could be material.

Such a statement tells the client what the problem is, where it is, and the potential damage. 

Fraud: A Cause of Misstatements

While I just described how a lack of segregation of duties can open the door to theft, the same idea applies to financial statement fraud (or cooking the books). When one person controls the reporting process, there is a higher risk of financial statement fraud. Appropriate segregation lessens the chance that someone will manipulate the numbers.

Within each transaction cycle, accounting duties need to be performed by different people. Doing so lessens the possibility of theft. If one person performs multiple duties, ask yourself, “Is there any way this person could steal funds?” If yes, then the client should add a control in the form of a second-person review.

If possible, the client should have a second person examine reports or other supporting documentation. How often should the review be performed? Daily, if possible. If not daily, as often as possible. Regardless, a company should not allow someone with the ability to steal to work alone without review. The fear of detection lessens fraud.

If a transaction cycle lacks segregation of duties, then consider the potential impact from the control weakness. Three possible impacts exist:

  • Theft that is material (material weakness)
  • Theft that is not material but which deserves the attention of management and the board anyway (significant deficiency)
  • Theft of insignificant amounts (other deficiency)

My experience has been that if any potential theft area exists, the board wants to know about it. But this is a decision you will make as the auditor.

Errors: Another Cause of Misstatements

While auditors should consider control weaknesses that allow fraud, we should also consider whether errors can lead to potential misstatements. So, ask questions such as:

  • Do the monthly financial statements ever contain errors?
  • Are invoices mistakenly omitted from the payable system?
  • Do employees forget to obtain purchase order numbers prior to buying goods?
  • Do bookkeepers fail to reconcile the bank statements on a timely basis? 

B. Fieldwork Stage

While it is more likely you will discover process control weaknesses in the planning stage of an audit, the results of control deficiencies sometimes surface during fieldwork. How? Audit journal entries. What are audit entries but corrections? And corrections imply a weakness in the accounting system.

When an auditor makes a material journal entry, it’s difficult to argue that a material weakness does not exist. We know the error is “reasonably possible” (it happened). We also know that prevention did not occur on a timely basis.

C. Conclusion Stage

When concluding the audit, review all of the audit entries to see if any are indicators of control weaknesses. Also, review your internal control deficiency work papers (more on this in a moment). If you have not already done so, discuss the noted control weaknesses with management. 

Your firm may desire to have a policy that only managers or partners make these communications. Why? Management can see the auditor’s comments as a criticism of their own work. After all, they designed the accounting system (or at least they oversee it). So, these discussions can be a little challenging.

Now let’s discuss how to capture control weaknesses.

Internal control

2. Capture Internal Control Weaknesses

So, how do you capture the control deficiencies?

First, and most importantly, document internal control deficiencies as you see them.

Why should you document control weaknesses when you initially see them?

  1. You may not be on the engagement when it concludes (because you are working elsewhere) or
  2. You may not remember the issue (weeks later).

Second, create a standard form (if you don’t already have one) to capture control weaknesses. 

Internal Control Capture Form

What should be in the internal control form? At a minimum include the following:

  1.  Check-mark boxes for:
    • Significant deficiency
    • Material weakness
    • Other control deficiency
    • Other issues (e.g., violations of laws or regulations) 
  2. Whether the probability of occurrence is at least reasonably possible and whether the magnitude of the potential misstatement is material
  3. Description of the deficiency and the verbal or written communications to the client; also the client’s response
  4. The cause of the condition
  5. The potential effect of the condition
  6. Recommendation to correct the issue
  7. Person identifying the issue and the date of discovery
  8. Whether the issue is a repeat from the prior year
  9. An area for the partner to sign off that he or she agrees with the description of the deficiency and the category assigned to it (e.g., material weakness)
  10. Reference to related documentation in the audit file

After capturing the weaknesses, it’s time to communicate them. 

3. Communicate Control Weaknesses

Material weaknesses and significant deficiencies must be communicated in writing to management and those charged with governance. Other deficiencies can be given verbally to management, but you must document those discussions in your work papers.

Provide a draft of any written communications to management before issuing your final letter. That way if something is incorrect (your client will let you know), you can make it right–before it’s too late. Additionally, discuss the control weakness with relevant personnel when you initially discover it. You don’t want to surprise the client with adverse communications in the written internal control letter. 

Internal Control Video Summary

Here’s a video that summarizes the information above.

YouTube player

Summary

The main points in capturing and communicating internal control deficiencies are:

  1. Capture control weaknesses as soon as you see them
  2. Develop a form to document the control weaknesses
  3. Communicate significant deficiencies and material weaknesses in writing

These communications can be somewhat challenging since you’re telling management they need to make improvements. So make sure all information is correct and let your senior personnel do the communicating.

How Do You Capture and Report Control Deficiencies?

Whew! We’ve covered a lot of ground today. How do you capture and report control deficiencies? I’m always looking for new ideas: Please share.

Stealing While Dying
Nov 17

Stealing While Dying: A Motive for Fraud

By Charles Hall | Asset Misappropriation

Some fraudsters steal while dying. What’s their motive? Possibly to avoid leaving their family with medical bills. Whatever the reason, it’s a strange thing. Today we visit a fraud that I encountered over twenty years ago.

Stealing While Dying

The Theft: Stealing While Dying

In one of the stranger frauds I’ve seen, the bookkeeper of a small health department, Susan, stole money. And she did so while she was dying. In the last months of her life, she fought a battle with cancer. In between the chemo treatments, she continued her work. I’m sure she believed she would survive. After all, she was only thirty-six. 

I had provided external audit services to this health department for years and knew Susan well. She sent me thank-you cards–yes, thank-you cards–for my audit work. She was polite and great at her job. If ever I thought there was someone who would not (and could not) steal, it was her.

But external circumstances can make the best of people do the unexpected. The medical treatments resulted in numerous medical bills, many of which she received while still working. She died just before my annual visit for the audit.

Knowing that Susan had passed away, I knew the audit would be challenging, especially since the health department board had not hired anyone to replace her.

Upon my arrival, I requested the bank statements, but the remaining employees could not locate them. I thought maybe she had taken the bank statements home and had not returned with them due to her illness, but that was not the case. After the employees searched for some time with no result, the health department requisitioned the bank statements and cleared checks from the bank.

In reviewing the cleared checks, I quickly noticed round-dollar checks written to Susan. The first one was for $7,000. My first thought was, “Not Susan, I’ve known her too long. No way. ” But then there was another and another…

The Weakness

The weakness was a lack of segregation of duties. Susan did the following:

  • Keyed payables into the general ledger
  • Created checks for signing
  • Had signature authority on the bank account
  • Reconciled the bank statements
  • Created the monthly financial statements

Are you noticing a recurring theme in the 30 Days of Fraud? Yes, a lack of segregation of duties. It’s fundamental. One person should not be allowed to do everything.

The Fix

Segregate the accounting duties. Most importantly, Susan should not have been on the bank’s signature card. Additionally, someone other than Susan should have been reconciling the bank statement and examining cleared checks. For small organizations, have the bank statements mailed to someone outside the accounting department (e.g., a board member). This outside person should open the statements and review the cleared checks—then the statements should be sent to accounting.

See my cornerstone fraud article: How to Prevent White-Collar Crime.

ghost employee fraud
Nov 05

Ghost Employee Fraud: Payroll Theft

By Charles Hall | Asset Misappropriation

In this article I explain ghost employee fraud and what you can do to prevent it.

The Theft: Ghost Employee Fraud

Last year I received a phone call. The payroll clerk of a local business had been monkeying around with the company’s direct deposits. As employees left the business, the payroll clerk left them in the system. Why? To steal those continuing payments. Auditors refer to this as ghost employee fraud–the employees are in the system, but they are not real.

Ghost employee fraud

The picture is courtesy of AdobeStock.com

Knowing no one was paying attention, the clerk changed the terminated employees’ direct deposit bank account numbers to her own. The result?She received multiple direct deposits each payroll. The clerk was able to steal over $800,000 before the theft was detected. 

Also, the payroll clerk had not filed tax returns, so the Internal Revenue Service rubbed salt into the wound by levying fines.

The Control Weakness

The owners trusted the payroll clerk too much and did not monitor her work. The clerk performed all payroll services with no supervision. While the owners were aware of the lack of segregation of duties, they took no steps to prevent the theft. (Even when a business doesn’t segregate its accounting duties, there are ways to lessen the threat of theft.)

Fixing the Control Weakness

Export all direct deposit bank account numbers along with employee names into an Excel spreadsheet and sort the bank account numbers. (The bank account numbers should be in one column and the employee name in a separate column.) Sort the bank account numbers, and the duplicate numbers will appear in adjacent rows. So once you sort the bank account numbers, see if there are any duplicates. If there are, see why.

Another fix is for the owners to review a list of all employees paid (just request a list of all employees paid for one or more payrolls). Since the owners normally know which employees have left, they will know if payroll payments are made beyond the departure dates.

Ghost employee fraud has been and continues to be a significant threat in most businesses. Make sure you consider this potential in your company. 

See my related post Auditing Payroll: The Why and How Guide.

>