Monthly Archives: November 2017

Material Weaknesses and Significant Deficiencies

By Charles Hall | Auditing

In today’s post, I tell you how to understand and communicate material weaknesses and significant deficiencies.

How do you categorize a control weakness? Is the weakness a material weakness, a significant deficiency or something less? This seems to be the most significant struggle in addressing internal control issues.

And if you’ve been in the business for any time at all, you know that management can take offense regarding control weakness communications. For instance, a CFO may believe that a material weakness reflects poorly upon him. After all, he controls the design of the accounting system. So, communicating control weaknesses can result in disagreements. Therefore, it’s even more important that these communications be correct.

Before telling you how to distinguish material weaknesses from significant deficiencies, let’s review control weakness definitions.

Definitions of Control Weaknesses

A deficiency in internal control is defined as follows: A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

Now let’s define (1) material weaknesses, (2) significant deficiencies, and (3) other deficiencies.

1. Material weakness. A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
2. Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
3. Other deficiencies. For the purposes of this blog post, an other deficiency is a control weakness that is less than a material weakness or a significant deficiency.

How to Categorize a Control Weaknesses

Now that we have defined material weaknesses and significant deficiencies, we can discuss how to distinguish between the two.

Material Weakness

First, ask these two questions:

1. Is there a reasonable possibility that a misstatement could occur?
2. Could the misstatement be material?

If your answer to both questions is yes, then the client has a material weakness. (By the way, if you propose a material audit adjustment, it’s difficult to argue that there is no material weakness. As you write your control letter, examine your proposed audit entries.)

Significant Deficiency

If your answer to either of the questions is no, then ask the following:

Is the weakness important enough to merit the attention of those charged with governance? In other words, are there board members who would see the weakness as important.

If the answer is yes, then it is a significant deficiency.

If no, then it is not a significant deficiency or a material weakness.

How to Communicate Material Weaknesses and Significant Deficiencies

The following deficiencies must be communicated in writing to management and to those charged with governance:

• Material weaknesses
• Significant deficiencies

The written communication (according to AU-C section 265) must include:

• the definition of the term material weakness and, when relevant, the definition of the term significant deficiency
• a description of the significant deficiencies and material weaknesses and an explanation of their potential effects
• sufficient information to enable those charged with governance and management to understand the context of the communication
• the fact that the audit included consideration of internal control over financial reporting in order to design audit procedures that are appropriate in the circumstances and that the audit was not for the purpose of expressing an opinion on the effectiveness of internal control
• the fact that the auditor is not expressing an opinion on the effectiveness of internal control
• that the auditor’s consideration of internal control was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies, and therefore, material weaknesses or significant deficiencies may exist that were not identified
• an appropriate alert, in accordance with section 905, Alert That Restricts the Use of the Auditor’s Written Communication

Next, I explain how to communicate other deficiencies (those that are less than a material weakness or a significant deficiency).

How to Communicate Other Deficiencies

Other deficiencies can be communicated in writing or orally and need only be communicated to management (and not to those charged with governance). The communication must be documented in the audit file. So if you communicate orally, then follow up with a memo to the file addressing who you spoke with, what you discussed, and the date of the discussion.

Stand-alone management letters are often used to communicate other deficiencies. Since there is no authoritative guidance for management letters, you may word them as you wish. Alternatively, you can, if you like, include other deficiencies in your written communication of significant deficiencies or material weaknesses.

A Key Word of Warning

Always provide a draft of any written communications to management before final issuance. It is much better to provide a draft and find out (before issuance) that it contains an error or a miscommunication. Then, corrections can be made.

Additional Information

Writing your internal control letter is a part of the wrap-up process for audits. Click here for additional information concerning wrapping up an audit.

Stealing While Dying: A Motive for Fraud

By Charles Hall | Asset Misappropriation

Some fraudsters steal while dying. What’s their motive? Possibly to avoid leaving their family with medical bills. Whatever the reason, it’s a strange thing. Today we visit a fraud that I encountered over twenty years ago.

The Theft: Stealing While Dying

In one of the stranger frauds I’ve seen, the bookkeeper of a small health department, Susan, stole money. And she did so while she was dying. In the last months of her life, she fought a battle with cancer. In between the chemo treatments, she continued her work. I’m sure she believed she would survive. After all, she was only thirty-six. 

I had provided external audit services to this health department for years and knew Susan well. She sent me thank-you cards–yes, thank-you cards–for my audit work. She was polite and great at her job. If ever I thought there was someone who would not (and could not) steal, it was her.

But external circumstances can make the best of people do the unexpected. The medical treatments resulted in numerous medical bills, many of which she received while still working. She died just before my annual visit for the audit.

Knowing that Susan had passed away, I knew the audit would be challenging, especially since the health department board had not hired anyone to replace her.

Upon my arrival, I requested the bank statements, but the remaining employees could not locate them. I thought maybe she had taken the bank statements home and had not returned with them due to her illness, but that was not the case. After the employees searched for some time with no result, the health department requisitioned the bank statements and cleared checks from the bank.

In reviewing the cleared checks, I quickly noticed round-dollar checks written to Susan. The first one was for $7,000. My first thought was, “Not Susan, I’ve known her too long. No way. ” But then there was another and another…

The Weakness

The weakness was a lack of segregation of duties. Susan did the following:

• Keyed payables into the general ledger
• Created checks for signing
• Had signature authority on the bank account
• Reconciled the bank statements
• Created the monthly financial statements

Are you noticing a recurring theme in the 30 Days of Fraud? Yes, a lack of segregation of duties. It’s fundamental. One person should not be allowed to do everything.

The Fix

Segregate the accounting duties. Most importantly, Susan should not have been on the bank’s signature card. Additionally, someone other than Susan should have been reconciling the bank statement and examining cleared checks. For small organizations, have the bank statements mailed to someone outside the accounting department (e.g., a board member). This outside person should open the statements and review the cleared checks—then the statements should be sent to accounting.

See my cornerstone fraud article: How to Prevent White-Collar Crime.

Bribery in Businesses: How to Lessen

By Charles Hall | Corruption

The World Bank estimates that over $1 trillion in bribes are offered each year. Bribery in business is costly. Today we look at how bribery works and how you can prevent it.

A Bribery Story

The FBI performed a sting operation involving two mid-Georgia city council members. The Bureau’s court complaint alleged that two city council members contacted a city vendor requesting a bribe. The vendor, according to the complaint, had previously provided services to the city. But when the contract came up for renewal, the city officials sought monetary encouragement (also known as cash) to continue the arrangement.

The vendor’s president, once aware of the proposed bribe, contacted the FBI, which in turn conducted the sting. On the arranged date, the company CFO delivered $20,000 in cash to the city council members. The conversation was recorded as the payment was made. The arrests followed soon thereafter.

The bribe was unsuccessful in this case, but, all too often, the bad guys receive the cash, and the organization suffers. How?

Vendors usually don’t absorb the cost of the bribe. They pass the expense along to the organization in the form of increased invoice billings, or the vendor will, in some cases, provide substandard products or services. Either way, the organization suffers, and the villain walks away with cash or a free vacation or a free car or…well, you get the picture.

Bribery Control Weaknesses

Bribery in business increases as dishonest people lead. Organizations should vet each key employee before hiring, making sure the person has historically acted in an upright manner. (In the case above, the citizens must vote for ethical leaders.)

The city had no fraud hotline. The Association of Certified Fraud Examiners biennial survey has repeatedly shown that corruption is often unearthed by tips–often through a fraud hotline. What is a fraud hotline? It is any means that an organization provides its employees to report a potential theft. (See below.) Bribery can occur even when organizations have the best of controls, but hotlines are a key defense.

Entity’s-level controls such as a code of ethics are just as important as activity-level controls.

Bribery in Business: How to Lessen

Organizations can increase communications about potential theft by:

• Providing a 24/7 phone number–it can be a 1-800 number (employees call and report any information anonymously)
• Provide employees with an email address where they can report suspected fraud
• Ask employees to report red flags (signs of fraud) to a designated person in your organization

To mitigate corruption, implement these controls (there are others, but these will help):

• Require sealed bids that are opened in the presence of multiple people (mainly for larger purchases)
• Implement a whistleblower program (include vendors)
• Require announced periodic vendor audits
• Implement a conflict of interest policy
• Implement a bribery prevention policy (include gifts)
• For significant construction contracts, monitor all phases of the project, including solicitation of bids, awarding of the bid, development of the contract, on-site construction, and related billing, and contract change orders (don’t trust the builder to do this for you).

Inflated Invoices: An Easy Way to Steal

By Charles Hall | Asset Misappropriation

Fraudsters can steal with inflated invoices. In the story below, you’ll see that a school maintenance director was able to take millions by doing so. Today, we look at how this scheme works and how you can prevent it.

Inflated Invoices

The school maintenance director, Derek Brown, purchases materials from two local hardware stores; also, the school contracts with a nearby electrical services company. Each of these businesses is owned by relatives of Derek. While the school board knows about the familial relationships, they are accustomed to the use of these vendors. After all, it’s been that way for years.

What the board doesn’t know is that Derek often receives inflated invoices from these related parties. For example, if the school orders $30,000 of supplies, it receives an invoice for $45,000. Derek approves the purchase orders, the physical receipt of the goods, and the payment of the invoice. (At times, one of Derek’s assistants counts the physical goods received, but he is party to the fraud as well.) It’s easy for Derek to approve the overstated bills. 

Additionally, some of Derek’s business friends (persons doing business with the school) send invoices to the school for services never provided. He approves these payments as well. 

About once a month, the related-party vendors pay Derek 50% of the excess billings.

The above fraud example is based (partially) on an ongoing case involving the Floyd County Schools where millions were stolen.

Internal Control Weakness

The weakness lies in the lack of segregation of duties. Derek approves:

• The purchase orders
• The physical counts of goods or services received
• The approval of the invoices

A contributing element is the school board going to sleep–these types of relationships should be vetted. If no other vendors are available–often the reason for using such local businesses–then additional scrutiny should be brought to bear upon the related payments.

Stopping Inflated Invoice Fraud

Segregate the duties, especially the purchase order approval. A conflict-of-interest policy should be adopted requiring all school officials and key administrative personnel to disclose questionable relationships. If key conflicts are not eliminated, the related activity should be subject to audit by an outside CPA or Certified Fraud Examiner.

Additional Fraud Prevention Assistance

If you work with local governments, you will find my fraud book useful in identifying and preventing fraud. See the book on Amazon by clicking the icon below.

 

How to Steal by Double Paying a Vendor

By Charles Hall | Asset Misappropriation

The Theft

Fraudsters can steal by double paying a vendor. In this article, I show you how duplicate payments sometimes end up in an employee’s pocket and how to prevent this fraud.

John, an accounts payable clerk, works for Zoom Inc. Last year, he accidentally sent two checks to the same company for the same invoice. To recover the second disbursement, John called the vendor, and they quickly returned the extra payment. While he was embarrassed about his mistake, he realized that had he not recovered the check, no one would have noticed.

Steal by Double Paying the Vendor

John has the itch to buy a new BMW. He saved some money, but he needs more–much more. Then he remembers the accidental double payment and has an epiphany. Yeah…that might work.

John intentionally pays the company’s vendor, River Merchants, twice for the same invoice of $47,540. The checks are signed electronically by computer, so no one is physically inspecting the checks or invoices. Liz, John’s coworker, mails all vendor payments. Consequently, he can’t steal the second check before mailing.

Liz mails the checks. The next day John calls River Merchants saying, “Sorry, but I just realized I sent two payments to you for the same invoice. Would you please return the second check? My address is…”

John receives the second check Monday morning. Now he converts the check to cash by opening a bank account in the name of River Merchants and depositing the check. John is the authorized check signer on the account, so he writes a check to himself. He’s soon cruising the boulevard in his new red Beemer.

The Weakness

No one is monitoring the accounts payable process. While the company did implement the policy of having a second person mail the checks, no one is reviewing check disbursements for double payments.

The Fix

Periodically download the check register to Excel; you only need the following columns:

1. Vendor name
2. Check number
3. Invoice number
4. Check amount (amount paid)

Sort the payments by vendor name; then scan the list for same amounts paid to the same vendor. If you see payments to the same vendor with the same invoice number and the same dollar amount, then dig deeper. (Accounts payable software should not allow the processing of two checks with the same invoice number–even so, some systems allow overrides; alternatively, the fraudster may bypass this restriction by altering the invoice number.) If it appears that a double payment has occurred, call the vendor to see if a refund has been issued.

Obviously, some payments to vendors should be for the same amount (such as rent)–these should be ignored for this test.

Sometimes, in performing this test, you will find double payments–made by mistake–that the vendor has not returned. The first time I did this test, I found such a payment for over $75,000.

More Fraud Prevention Tips

For more information about fraud prevention, check out my book on Amazon. Click the book icon below.