How to Lessen Segregation of Duties Problems in Two Easy Steps

Fraud prevention in two easy steps

Darkness is the environment of wrongdoing.

Why?

No one will see us–or so we think.

As you’ve seen many times, fraud occurs in darkness.

In J.R.R. Tolkien’s Hobbit stories, Sméagol, a young man, murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring and Sméagol’s hiding of self and his precious (the ring) transform him into a hideous creature–Gollum. I know of no better or more graphic portrayal of how that which is alluring in the beginning is destructive in the end.

Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment of theft. What’s the solution? Transparency. It protects businesses, governments, and nonprofits. And while we desire open and understandable processes, often businesses have just a few employees that operate the accounting system. And many times they alone understand how it works.

It is desirable to divide accounting duties among various employees, so no one person controls the entire process. This division of responsibility creates transparency since multiple eyes see the accounting processes–but this is not always possible.

Lacking Segregation of Duties

Many small organizations lack appropriate segregation of duties and believe that solutions do not exist or that fixing the problem is too costly. But is this true? Can we create greater transparency and safety with simple procedures and without significant cost?

Yes.

Below I propose two processes to reduce fraud:

  1. Bank account transparency and
  2. Surprise audits.

1. Bank Account Transparency

Here’s a simple and economical control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.

Persons who might receive the bank statements first (before the bookkeeper) include the following:

  • A nonprofit board member
  • The mayor of a small city
  • The owner of a small business
  • The library director
  • A church leader

What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).

In many small entities, accounting processes are a mystery to board members or owners since only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.

One set of eyes on an accounting process is not a good thing. So how can we shine the light?

Second Person Sees the Bank Statements

Allow a second person to see the bank statements.

Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.

Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person, and let the bookkeeper know that the other person will review bank activity.

Even the appearance of transparency creates (some) safety.

Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of reviews enhances safety. I am not recommending that you don’t perform the review, but if the bookkeeper even thinks someone is watching, fraud will lessen.

2. Surprise Audits

Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs) but involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such a review can be contracted out to a CPA or performed by someone other than the bookkeeper–such as a board member.

Adopt a written policy stating that the surprise inspections will occur once or twice a year.

The policy could be as simple as the following:

Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.

Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be inspected but distinct enough that an actual review occurs with regularity (thus the need to specify the minimum number of times the review will be performed).

Sample Inspection Ideas

Here are some sample inspection ideas:

  • Inspect all checks that cleared in a particular month for appropriate payees, signatures, and endorsements
  • Agree all receipts to the deposit slip for three different time periods
  • Review all journal entries made in a two week period and request an explanation for each
  • Review two bank reconciliations for appropriateness
  • Review one monthly budget to actual report (to see that the report was appropriately created)
  • Request a report of all new vendors added in the last six months and review for appropriateness

The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not be caught.

Again, multiple people seeing the accounting processes reduces the threat of fraud.

Shine the Light

The beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement but nevertheless powerful. So shine the light.

What other procedures do you recommend for small entities?

For more information about preventing fraud, check out my book: The Little Book of Local Government Fraud Prevention.

Disbursement Fraud Audit Tests: Five Powerful But Simple Ideas

Here are five fraud tests you can use on your audits

You are leading the audit team discussion concerning disbursements, and a staff member asks, “Why don’t we ever perform fraud tests? It seems like we never introduce elements of unpredictability.”

You respond by saying, “Yes, I know the audit standards require unpredictable tests, but I’m not sure what else to do. Any fresh ideas?”

The staff member sheepishly responds, “I’m not sure.” 

You remember a blog post addressing how fraud can sting auditors, and you think, “What can we do?”

Five Disbursement Fraud Tests

Here are five disbursement fraud tests that you can perform on most any audit.

1. Test for duplicate payments

Why test?

Theft may occur as the accounts payable clerk generates the same check twice, stealing and converting the second check to cash. The second check may be created in a separate check batch, a week or two later. This threat increases if (1) checks are signed electronically or (2) the check-signer commonly does not examine supporting documentation and the payee name.

How to test?

Obtain a download of the full check register in Excel. Sort by dollar amount and vendor name. Then investigate same-dollar payments with same-vendor names above a certain threshold (e.g., $25,000).
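The same test scripted rather than sorted by hand, as an added example that is not part of the original post. The column names and the sample register are constructed; the grouping ignores case and stray spaces in vendor names so a re-keyed payee still lands in the same group.

```python
import csv
import io
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample check register; the column names are assumptions about
# what an accounts payable export would contain.
SAMPLE_REGISTER = """check_no,check_date,vendor,amount
10231,2017-03-02,ABC Company,31250.00
10232,2017-03-02,Delta Paving LLC,48900.00
10240,2017-03-09,Smith Supply,1200.00
10266,2017-03-16,abc company ,31250.00
10271,2017-03-16,Smith Supply,1200.00
10290,2017-04-03,Delta Paving LLC,48900.50
"""


def load_register(text):
    """Parse the CSV export into typed rows (Decimal avoids float rounding)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "check_no": rec["check_no"].strip(),
            "check_date": date.fromisoformat(rec["check_date"].strip()),
            "vendor": rec["vendor"],
            "amount": Decimal(rec["amount"].strip()),
        })
    return rows


def vendor_key(name):
    """Case- and whitespace-insensitive key for grouping vendor names."""
    return " ".join(name.lower().split())


def find_duplicate_payments(rows, threshold=Decimal("25000")):
    """Group checks by (vendor, amount) at or above the threshold.

    Returns one finding per group holding two or more checks, largest
    amount first, with the check numbers and the days between the first
    and last check (a second check a week or two later is the pattern
    described above).
    """
    groups = defaultdict(list)
    for row in rows:
        if row["amount"] >= threshold:
            groups[(vendor_key(row["vendor"]), row["amount"])].append(row)

    findings = []
    for (vendor, amount), checks in groups.items():
        if len(checks) < 2:
            continue
        checks.sort(key=lambda c: c["check_date"])
        span = checks[-1]["check_date"] - checks[0]["check_date"]
        findings.append({
            "vendor": vendor,
            "amount": amount,
            "check_nos": [c["check_no"] for c in checks],
            "days_apart": span.days,
        })
    findings.sort(key=lambda f: f["amount"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_duplicate_payments(load_register(SAMPLE_REGISTER)):
        print(f["vendor"], f["amount"], f["check_nos"], f["days_apart"], "days apart")
```

A hit is only a lead: recurring payments such as rent legitimately repeat the same vendor and amount, so each group still needs the supporting documentation pulled.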

2. Review the accounts payable vendor file for similar names

Why test?

Fictitious vendor names may mimic real vendor names (e.g., ABC Company is the real vendor name while the fictitious name is ABC Co.). Additionally, the home address of the accounts payable clerk is assigned to the fake vendor (alternatively, P.O. boxes may be used).

The check-signer will not recognize the payee name as fictitious.

How to test?

Obtain a download of all vendor names in Excel. Sort by name and visually compare any vendors with similar names. Investigate any near-matches.

3. Check for fictitious vendors

Why test?

The accounts payable clerk may add a fictitious vendor (one for which no similar real vendor name exists, in contrast to the preceding example).

The fictitious vendor address? You guessed it: the clerk’s home address (or P.O. Box).

Pay particular attention to new vendors that provide services (e.g., consulting) rather than physical products (e.g., inventory). Physical products leave audit trails; services, less so.

How to test?

Obtain a download in Excel of new vendors and their addresses for a period of time (e.g., month or quarter). Google the businesses to check for validity; if necessary, call the vendor. Or ask someone familiar with vendors to review the list (preferably someone without vendor set-up capabilities).

4. Compare vendor and payroll addresses

Why test?

Those with vendor-setup ability can create fictitious vendors associated with their own home address. If you compare all addresses in the vendor file with addresses in the payroll file, you may find a match. (Careful – sometimes the match is legitimate, such as travel checks being processed through accounts payable.) Investigate any suspicious matches.

How to test?

Obtain a download in Excel of (1) vendor names and addresses and (2) payroll names and addresses. Merge the two files; sort the addresses and visually inspect for matches.
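Tests 2 and 4 both come down to normalizing text before comparing it, so here is one added example covering both (not part of the original post). The vendor and payroll records are constructed, and the suffix and abbreviation tables are assumptions you would extend for your own data.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample master files; every name and address is invented.
VENDORS = [
    {"name": "ABC Company", "address": "1200 Industrial Blvd, Suite 4"},
    {"name": "ABC Co.", "address": "P.O. Box 221"},
    {"name": "Delta Paving LLC", "address": "88 Quarry Road"},
    {"name": "Riverside Consulting", "address": "417 Oak St. Apt 2"},
]
EMPLOYEES = [
    {"name": "J. Doe", "address": "417 Oak Street, Apt. 2"},
    {"name": "R. Roe", "address": "15 Maple Avenue"},
]

# Assumed normalization tables: legal suffixes to ignore in names and
# street words to abbreviate in addresses.
LEGAL_SUFFIXES = {"co", "company", "corp", "corporation", "inc",
                  "incorporated", "llc", "ltd"}
STREET_WORDS = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
                "boulevard": "blvd", "apartment": "apt", "suite": "ste"}


def tokens(text):
    """Lowercase, drop periods (P.O. -> po), turn other punctuation into spaces."""
    return re.sub(r"[^a-z0-9 ]", " ", text.lower().replace(".", "")).split()


def name_key(name):
    """Vendor name without legal suffixes: 'ABC Co.' and 'ABC Company' -> 'abc'."""
    return " ".join(t for t in tokens(name) if t not in LEGAL_SUFFIXES)


def address_key(address):
    """Address with common street words abbreviated to one spelling."""
    return " ".join(STREET_WORDS.get(t, t) for t in tokens(address))


def similar_vendor_names(vendors, min_ratio=0.85):
    """Test 2: pairs of vendors whose normalized names nearly match."""
    hits = []
    for a, b in combinations(vendors, 2):
        key_a, key_b = name_key(a["name"]), name_key(b["name"])
        if not key_a or not key_b:      # name consisted only of suffixes
            continue
        ratio = SequenceMatcher(None, key_a, key_b).ratio()
        if ratio >= min_ratio:
            hits.append((a["name"], b["name"], round(ratio, 2)))
    return hits


def po_box_vendors(vendors):
    """Vendors whose only address is a P.O. box."""
    return [v["name"] for v in vendors if tokens(v["address"])[:2] == ["po", "box"]]


def vendor_payroll_address_matches(vendors, employees):
    """Test 4: vendors sharing a normalized address with an employee."""
    by_address = {}
    for emp in employees:
        by_address.setdefault(address_key(emp["address"]), []).append(emp["name"])
    return [(v["name"], emp_name)
            for v in vendors
            for emp_name in by_address.get(address_key(v["address"]), [])]


if __name__ == "__main__":
    print("Near-duplicate names:", similar_vendor_names(VENDORS))
    print("P.O. box vendors:", po_box_vendors(VENDORS))
    print("Vendor/payroll address matches:",
          vendor_payroll_address_matches(VENDORS, EMPLOYEES))
```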

5. Scan all checks for proper signatures and payees

Why test?

Fraudsters will forge signatures or complete checks with improper payees such as themselves.

How to test?

Pick a period of time (e.g., two months), obtain the related bank statements, and scan the checks for appropriate signatures and payees. Also, consider scanning endorsements (if available).

Your Ideas

Those are a few of my ideas. Please share yours.

My fraud book provides more insights into why fraud occurs, how to detect it, and–most importantly–how to prevent it. Check it out on Amazon by clicking here. The book focuses on local government fraud, but most of the information is equally applicable to small businesses.

Have you ever desired to become a fraud prevention champion? In this half-day course, we will peer into real-life governmental fraud cases and see how they occurred. You will leave the class with practical fraud prevention steps for any national, state or local government. The course location is the Capital Hilton Hotel in Washington DC.

Date: August 9, 2017
Time: 8:00-11:35 a.m.
Event: Charles Hall Speaking at AICPA Governmental Accounting and Auditing Update Conference
Topic: How to Become a Super Fraud-Prevention Champion
Sponsor: AICPA
Public: Public

Wire Transfer Theft: How to Prevent It

How to steal $6.9 million in less than an hour

In one of the easiest thefts I’ve read about, a nonprofit administrative officer wired $6.9 million from an Ohio bank account to another account in Austria. The wire transfer originated with the fax of a letter (which took less than an hour to create). Since the officer was authorized to make wire transfers, no one at the bank questioned the transaction–until it was too late. The fraudster landed in Austria, called his wife and said, “I’m not coming home.” Interestingly, the wife called the police and turned her husband in; he later came back to the states of his own volition (after his wife gave him an earful). He went to jail. I guess, after a few boat rides down the Danube, he missed his family.

Wire Transfer Theft is Easy

It’s easy for an accounting clerk (or other authorized company official) to wire funds and to cover their tracks with a journal entry – too easy in many cases. If a company accountant or official has the ability to (1) wire funds by himself and (2) make journal entries without a second-person review, then the organization has left the fraud door wide open. Such a situation is not uncommon in small businesses, nonprofits and governments.

As you think about wire transfers, consider that they can be originated with a fax, a phone call, a personal visit to the bank, or a computer. Determine how your bank handles wire transfers and craft your internal controls based on those dynamics.

Wire Transfer Internal Controls

Organizations should do the following to mitigate wire transfer fraud:

  1. Require the bank to limit daily wire transfer amounts (e.g., $25,000 per day for each employee)
  2. Require two persons to consummate all wire transfers to external parties (the most important control in my opinion)
  3. If the wire transfer request is by phone or by fax, require the bank to call your organization back before the wire transfer is consummated
  4. The bank should require the use of unique passwords to access wire-transfer software; consider using a bank that provides bank token keys (small hand-held devices that generate unique identification numbers; these numbers are keyed into the bank software as a part of the transfer request)
  5. Restrict the bank accounts from which a wire transfer can be made (the organization may want to limit external wire transfers to just one bank account)
  6. Restrict certain bank accounts so that wire transfers can only be made to other bank accounts of the organization (e.g., transfer from operating bank account to payroll bank account)
  7. Have someone peruse the daily bank account activity (using online access); at a minimum, reconcile bank statements in a timely fashion (large organizations should consider reconciling bank accounts more frequently than once a month; some reconcile daily)
  8. Require sufficient documentation for all wire transfer journal entries; require a second-person review of these journal entries
  9. Consider using a dedicated computer for all wire transfers; do not use this computer for any other purpose (malware is often picked up by computers as they visit Internet websites)
  10. Use all bank-provided wire transfer controls
  11. Any transactions over a certain high dollar amount (e.g., $50,000) must have the approval of the business owner/CEO
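Controls 1, 2, 3, 5, 6 and 11 are rules that can be checked before a wire is released. The sketch below is an added example, not part of the original post and not any bank's actual software: the class names, account labels and violation codes are hypothetical, the dollar thresholds are the examples from the list, and the first sample request is constructed to mirror the faxed $6.9 million transfer described earlier.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class WirePolicy:
    """Hypothetical policy object; defaults use the list's example figures."""
    daily_limit_per_employee: Decimal = Decimal("25000")            # control 1
    owner_approval_over: Decimal = Decimal("50000")                 # control 11
    owner: str = "owner_ceo"
    external_wire_accounts: frozenset = frozenset({"OPERATING"})    # control 5
    own_accounts: frozenset = frozenset({"OPERATING", "PAYROLL"})   # control 6


@dataclass
class WireRequest:
    initiator: str
    approvers: list
    from_account: str
    to_account: str
    amount: Decimal
    channel: str                      # "online", "phone", "fax" or "in_person"
    callback_confirmed: bool = False  # bank called the organization back


def check_wire(req, policy, sent_today=Decimal("0")):
    """Return the codes of every control the request would violate.

    sent_today is the total the initiator has already wired today.
    """
    violations = []
    external = req.to_account not in policy.own_accounts
    # An initiator approving their own wire does not count as a second person.
    independent = {a for a in req.approvers if a != req.initiator}

    if external and not independent:
        violations.append("TWO_PERSON")            # control 2
    if sent_today + req.amount > policy.daily_limit_per_employee:
        violations.append("DAILY_LIMIT")           # control 1
    if external and req.from_account not in policy.external_wire_accounts:
        violations.append("ACCOUNT_RESTRICTED")    # controls 5 and 6
    if req.channel in ("phone", "fax") and not req.callback_confirmed:
        violations.append("CALLBACK")              # control 3
    if req.amount > policy.owner_approval_over and policy.owner not in independent:
        violations.append("OWNER_APPROVAL")        # control 11
    return violations


# Constructed requests. The first mirrors the case above: one authorized
# officer, a faxed letter, no second person and no callback.
FAXED_WIRE = WireRequest("admin_officer", [], "OPERATING", "EXTERNAL-ACCOUNT",
                         Decimal("6900000"), "fax")
ROUTINE_WIRE = WireRequest("clerk", ["controller"], "OPERATING", "VENDOR-123",
                           Decimal("12000"), "online")
SELF_APPROVED = WireRequest("clerk", ["clerk"], "OPERATING", "VENDOR-123",
                            Decimal("12000"), "online")
FROM_PAYROLL = WireRequest("clerk", ["controller"], "PAYROLL", "VENDOR-123",
                           Decimal("5000"), "online")

if __name__ == "__main__":
    policy = WirePolicy()
    for label, req in [("faxed", FAXED_WIRE), ("routine", ROUTINE_WIRE),
                       ("self-approved", SELF_APPROVED), ("from payroll", FROM_PAYROLL)]:
        print(label, check_wire(req, policy) or "ok")
```

Any one of the four controls the faxed request trips would have stopped that transfer.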

Use Fraud Prevention Controls Offered by Banks

Not using controls offered by banks may make your organization liable should funds be stolen by hackers. One company sued its bank when hackers took $440,000 from its bank account with a wire transfer; the judge ruled against the company because it had opted out of control procedures offered by the bank. Also make sure your company uses appropriate firewall and antivirus protection.

Closing Words

If one person can make external wire transfers and journal entries to record those transactions, you have the makings of wire fraud–soon you may see that employee on Facebook, riding down the old Danube.

Video from Gary Zeune

You can see a news video about the nonprofit fraud mentioned above at Gary Zeune’s website: The Pros and The Cons. (If you have not heard Gary speak about fraud, you should do so. He does a great job.)

The AICPA Consulting Standards: Another Arrow in Your Quiver

Many CPAs don't know that these standards exist, but they can be quite helpful

I find that many CPAs aren’t aware of the AICPA Consulting Standards. So, here’s a post about them.

Are you ever asked to perform an atypical engagement (e.g., creating a schedule of water losses for a city)–and then you wonder “what professional standards should I follow?”

Audit standards? No, you’re not opining on anything.

Maybe the compilation and review standards? No, a schedule is not a financial statement.

How about agreed upon procedures? Well, no again–AUPs normally include tests and conclusions.

We need another arrow in our quiver!

Most CPAs are familiar with compilation and review standards (Statement on Standards for Accounting and Review Services – SSARS) and audit standards (Statement on Auditing Standards – SAS) and even attestation standards (Statement on Standards for Attestation Engagements – SSAEs – commonly used for agreed upon procedures), but many are not familiar with the consulting standards (Statement on Standards for Consulting Services – SSCS).

Why?

I’m not really sure. But I seldom see consulting standard CPE classes. Yet many services are subject to this guidance.

AICPA Consulting Standards Primer

You might call the AICPA Consulting Standards the CPA’s swiss army knife.

What services fall under the consulting standards?

The consulting standards specifically address six areas:

  1. Consultations – e.g., reviewing a business plan
  2. Advisory services – e.g., assistance with strategic planning
  3. Implementation services – e.g., assistance with a merger
  4. Transaction services – e.g., litigation services
  5. Staff and other support services – e.g., controllership services
  6. Product services – e.g., providing packaged training services

CPAs often provide consulting services such as the following:

  • Consultations with regard to complex transactions
  • Fraud investigation services
  • Internal control services
  • Bankruptcy services
  • Divorce settlement services
  • Controllership services
  • Business plan preparation
  • Cash management
  • Software selection
  • Business disposition planning

When can I use the consulting standards?

Usually when the information will not be provided to a third party.

When performing work under the consulting standards, you are not attesting (providing comfort) on the work performed. Usually, you need to follow the SASs, SSARS, or SSAEs if you are attesting (providing comfort to an outside party).

Characteristics of a Consulting Engagement

  • Generally nonrecurring
  • Requires a CPA with specialized knowledge and skills
  • More interaction with client
  • Generally performed for the client (usually, no third party sees the information)

Consulting Work Paper Requirements

Consulting work paper requirements are minimal. Nevertheless, documentation is always wise.

The understanding with the client can be oral or in writing (I recommend the latter).

The consulting standards do not require the CPA to prepare work papers, but you should do so anyway – the work papers are the link between your work and your report. Also the general standards of the profession, contained in the AICPA Code of Professional Conduct, apply to all services performed by members. The general standards state:

Sufficient Relevant Data. Obtain sufficient relevant data to afford a reasonable basis for conclusions or recommendations in relation to any professional services performed.

Consulting Reports

The report content and format are up to you and your client.

No Opinion or Accountant’s Report

For consulting engagements, the CPA does not issue an opinion or any other attestation report (e.g., accountant’s report on agreed-upon procedures).

Subject to Peer Review?

Are products created using the Consulting Standards subject to peer review? No.

Where Can I Find the AICPA Consulting Standards?

You can see the consulting standards here.

Omission of MD&A from Governmental Financial Statements

Governments can exclude the MD&A from their financial statements

According to AU-C 730, the auditor’s report on the financial statements should include an other-matter paragraph that refers to the required supplementary information (RSI). In governmental financial statements, the management, discussion, and analysis (MD&A) is considered RSI. Though the MD&A is “required” supplementary information, governments can–strangely enough–exclude it from the financial statements.

Omitting the MD&A – Effect on an Audit Opinion

If the required supplementary information is omitted, the auditor should include an other-matter paragraph in the opinion such as the following:

Management has omitted the management, discussion, and analysis that accounting principles generally accepted in the United States of America require to be presented to supplement the basic financial statements. Such missing information, although not a part of the basic financial statements, is required by the Governmental Accounting Standards Board, who considers it to be an essential part of financial reporting for placing the basic financial statements in an appropriate operational, economic, or historical context. Our opinion on the basic financial statements is not affected by this missing information.

Notice the omission of the MD&A does not affect the opinion rendered (in other words, it does not result in a modified report).

RSI Audit Standard

AU-C 730 is the audit standard for required supplementary information. Click here for an overview of the supplementary information audit standards. The former supplementary information standards were SASs 118, 119 and 120; those standards are now–under the Clarity Standards–AU-C sections 720, 725, and 730.

Omitting the MD&A – Effect on a Compilation Report

In compilation reports, the language is as follows:

Management has omitted the management, discussion and analysis that accounting principles generally accepted in the United States of America require to be presented to supplement the basic financial statements. Such missing information, although not a part of the basic financial statements, is required by the Governmental Accounting Standards Board which considers it to be an essential part of financial reporting and for placing the basic financial statements in an appropriate operational, economic, or historical context. 

The Little Book of Local Government Fraud Prevention

Whether your government is small or large, this book provides guidance in reducing theft

Do you desire to fight fraud in governments? Or maybe you are just curious about how fraudsters get away with their wily schemes. See my book The Little Book of Local Government Fraud Prevention. You can purchase it on Amazon as a paperback. Also, the ebook is available as a Kindle download.

Local Government Fraud Prevention

Fraud occurs in local governments in a multitude of ways, yet many cities, counties, school systems, authorities, and other public entities are ill-prepared to prevent or detect its occurrence. Why is this so? Some governments place too much reliance on annual audits as a cure-all, but clean audit opinions don’t mean that fraud is not occurring. And some governments fail to understand how vulnerable they are–until it’s too late.

Why is local government fraud so common? Many small governments don’t have a sufficient number of employees to segregate accounting duties. It is also these smaller governments that place too much trust in their accounting personnel. This combination of a lack of segregation of duties and too much trust in key employees often leads to significant losses from theft.

The Little Book of Local Government Fraud Prevention provides several real-life stories of fraud. The stories will inform you about how local government employees steal. Then I provide you with prevention techniques to assist you in mitigating fraud risks. In one story, for example, the book shows how a single municipal employee stole over $53 million, all from a city of just 16,000 citizens.

If you audit governments, you will find this book helpful in pinpointing common areas where governmental fraud occurs. The book also includes fraud audit checklists and fraud detection procedures. Whether you are an internal or external auditor, you will find fresh ideas for prevention and detection.

The Little Book of Local Government Fraud Prevention will assist you if you are a:

1. Local government accounting employee
2. Local government elected official
3. Local government auditor
4. Local government attorney
5. Certified Public Accountant
6. Certified Fraud Examiner

Even if you don’t work with governments, you’ll find this book useful. I provide fraud prevention steps for transaction cycles such as billing and collections, payables and expenses, payroll, and capital assets.

Together we can bring down the risk of fraud and corruption in our local governments. Come join the team. We’ll all be better for it.

If you don’t desire to spend money on the book, here’s a free list of controls.

How to Make Your Business More Profitable by Funding Depreciation

Money in the bank for capital purchases

From time to time, I have clients ask me “What is funding depreciation?” And more importantly, they ask, “How can this technique make my organization more profitable and less stressful?”

Here’s a simple explanation.

Funded depreciation is the setting aside of cash in amounts equal to an organization’s annual depreciation. The purpose: to fund future purchases of capital assets with cash.

Funding Depreciation

Suppose you buy a $10,000 whiz-bang gizmo – a piece of equipment – that you expect to use for ten years, and at the end of the ten years you expect it to have no value. Your annual depreciation is $1,000.

In this example, a $1,000 depreciation expense is recognized annually on your income statement (depreciation decreases net income) even though no cash outlay occurs. The balance sheet includes the cost of the whiz-bang gizmo, but at the end of ten years, the equipment has a $0 book value, being fully depreciated.

The smart manager will annually set aside $1,000 in a safe investment – such as a certificate of deposit or money market account – for the future replacement of the whiz-bang gizmo.

If the company does not annually invest the $1,000, it has a few options at the end of the ten-year period:

  • Borrow the full amount for the replacement cost
  • Seek outside funding (e.g., grants)
  • Use other funds from within the organization
  • Ask U2 to do a special benefits concert – just kidding

Obviously, if you borrow money to replace the equipment, you will have to pay interest – another cash outlay. Suppose the rate is 10%. Now the organization must pay out $1,100 each year. If the organization funds the depreciation (invests $1,000 annually), it earns interest. If the entity chooses not to fund depreciation, it will pay interest.

Businesses that fund depreciation are always making money from interest (granted not much these days) rather than paying for it.

Another advantage to funding depreciation: you know you will have the money to purchase the capital asset. You’re not concerned with whether a creditor will lend you the money for the acquisition. You’re financially stronger.

Why Doesn’t Every Entity Fund Depreciation?

So why doesn’t everyone fund depreciation?

  • Some don’t understand the concept
  • Some would rather spend the cash flows for the ten years (e.g., owners taking too much in distributions)
  • Some need the money just to run the organization
  • In governments, elected officials desire to keep tax rates low while they are in office
  • In growing businesses, the owners may need the money to fund the growth of the company
  • Most importantly, it may require two cash payments (more in a moment)

Concerning the last point, if the business had to borrow money to purchase the initial capital asset, then it must make the debt service payments (cash outlay 1). If the company also funds depreciation for that same asset (making investments equal to the annual depreciation), another cash flow occurs (cash outlay 2).

If the business can ever get into a position where it pays cash for new equipment, it will be better off. Then only one cash outlay (investment funding) occurs, and the company is making–not paying–interest.

What if the organization cannot–due to cash flow constraints–fund depreciation for all new equipment purchases? Consider doing so for just one or two pieces of equipment–over time, the entity may be able to move into a fully funded position.

Who Should Fund Depreciation?

So, who should fund depreciation?

Organizations with sufficient cash flow and discipline. It’s the smart thing to do.

Imagine a world with no debt, a world where you don’t have to wonder how you will pay for equipment. Dreaming? Maybe, but funded depreciation is worth your consideration.

Are You Looking for an Easy-to-Understand Fraud Prevention Book?

Do you lie awake at night wondering if theft is occurring in your organization?

Do you lie awake at night wondering if theft is occurring in your organization? Are you looking for an easy-to-understand guide to fraud prevention?

Find simple but insightful guidance in The Little Book of Local Government Fraud Prevention.

Written by a Certified Public Accountant and a Certified Fraud Examiner with over thirty years’ experience, the book offers you loads of great ideas to stop fraud dead in its tracks.

Fraud Prevention Book

How This Fraud Prevention Book Empowers You

While the book focuses on local government fraud, you’ll find fraud prevention techniques for nonprofits and small businesses as well.

The book enables you to:

  • Understand what fraud is (and what it is not)
  • Implement powerful fraud prevention techniques
  • Recognize the red flags of theft
  • Understand how frauds occur at the transaction level (e.g., accounts payable fraud)

You don’t have to be a CPA to understand this book–or to use the guidance. The book is useful to laypeople and fraud prevention experts alike.

You will also find transaction-level checklists for implementing internal controls (for example, questions prompting you to evaluate your payroll process).

Be empowered to guard your organization from fraud. See the book on Amazon by clicking here.

Praise for the Book

Here are a few comments from Amazon Reviews:

Bought it this morning and read it all in one sitting. It was clear, concise and kept my attention with practical examples. I often find that some of the books I read on fraud topics are abstract and confusing. This one was just the opposite. Thanks for authoring this book Charles.

Christopher Arsenault

Charles captures key controls required not only in government entities, but all entities and illustrates what can happen in absence of those controls. If you are an auditor, accountant, manager, or board member you will find this information useful.

Donald Vieira

The book highlights several real world case studies of fraud and abuse. This book describes various levels of controls, separation of duties and the value of a Certified Fraud Examiner. Great book!

Paul

I am looking forward to speaking to the Georgia Association of School Business Officials in Augusta, Georgia on November 8th. We’ll review a few school fraud cases and then look at how to prevent thefts in local school systems.

Date: November 8, 2016
Time: 9:00 a.m. - 4:00 p.m.
Event: Charles Hall providing fraud prevention class at the Georgia Association of School Business Officials Conference
Topic: Prevention of Fraud in Local Schools
Public: Private