How to Lessen Segregation of Duties Problems in Two Easy Steps

Fraud prevention in two easy steps

Darkness is the environment of wrongdoing.

Why?

No one will see us–or so we think.

As you’ve seen many times, fraud occurs in darkness.

In J.R.R. Tolkien’s Hobbit stories, Sméagol, a young man murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring and Sméagol’s hiding of self and his precious (the ring) transforms him into a hideous creature–Gollum. I know of no better or graphic portrayal of how that which is alluring in the beginning, is destructive in the end.

Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment of theft. What’s the solution? Transparency. It protects businesses, governments, and nonprofits. And while we desire open and understandable processes, often businesses have just a few employees that operate the accounting system. And many times they alone understand how it works.

It is desirable to divide accounting duties among various employees, so no one person controls the entire process. This division of responsibility creates transparency since multiple eyes see the accounting processes–but this is not always possible.

Lacking Segregation of Duties

Many small organizations lack appropriate segregation of duties and believe that solutions do not exist or that fixing the problem is too costly. But is this true? Can we create greater transparency and safety with simple procedures and without significant cost?

Yes.

Below I propose two processes to reduce fraud:

  1. Bank account transparency and
  2. Surprise audits.

1. Bank Account Transparency

Here’s a simple and economical control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.

Persons who might receive the bank statements first (before the bookkeeper) include the following:

  • A nonprofit board member
  • The mayor of a small city
  • The owner of a small business
  • The library director
  • A church leader

What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).

In many small entities, accounting processes are a mystery to board members or owners since only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.

One set of eyes on an accounting process is not a good thing. So how can we shine the light?

Fraud Prevention

Picture courtesy of DollarPhoto.com

Second Person Sees the Bank Statements

Allow a second person to see the bank statements.

Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.

Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person, and let the bookkeeper know that the other person will review bank activity.

Even the appearance of transparency creates (some) safety.

Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of reviews enhances safety. I am not recommending that you don’t perform the review, but if the bookkeeper even thinks someone is watching, fraud will lessen.

2. Surprise Audits

Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs) but involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such a review can be contracted out to a CPA or performed by someone other than the bookkeeper–such as a board member.

Segregation of Duties

Picture courtesy of DollarPhoto.com

Adopt a written policy stating that the surprise inspections will occur once or twice a year.

The policy could be as simple as the following:

Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.

Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be inspected but distinct enough that an actual review occurs with regularity (thus the need to specify the minimum number of times the review will be performed).

Sample Inspection Ideas

Here are some sample inspection ideas:

  • Inspect all cleared checks that clear a particular month for appropriate payees and signatures and endorsements
  • Agree all receipts to the deposit slip for three different time periods
  • Review all journal entries made in a two week period and request an explanation for each
  • Review two bank reconciliations for appropriateness
  • Review one monthly budget to actual report (to see that the report was appropriately created)
  • Request a report of all new vendors added in the last six months and review for appropriateness

The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not be caught.

Again multiple people seeing the accounting processes reduces the threat of fraud.

Shine the Light

The beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement but nevertheless powerful. So shine the light.

What other procedures do you recommend for small entities?

For more information about preventing fraud, check out my book: The Little Book of Local Government Fraud Prevention.

How to Account for Cash Overdrafts

Alternative presentations for negative cash balances

How should you account for cash overdrafts (also called negative cash balances) on a balance sheet and in a cash flow statement?

It is year-end and your audit client has three bank accounts at the same bank. Two of the accounts have positive balances (the first with $50,000 and the second with $200,000). The third account has a negative cash balance of $400,000. Since a net overdraft of $150,000 exists, how should we present cash in the financial statements?

Cash overdrafts

Picture Courtesy of DollarPhoto.com

Balance Sheet

In the balance sheet, show the negative cash balance as Cash Overdraft in the current liabilities. Or you can also include the amount in accounts payable.

If you are netting the three bank accounts, consider using the Cash Overdraft option. If you bury the overdraft in accounts payable, the financial statement reader may think, “there is a mistake, where is cash?” Using Cash Overdraft communicates more clearly. (The right of offset must exist in order to net bank accounts. The right of offset commonly exists for multiple bank accounts with one bank.)

Some companies have multiple bank accounts with multiple banking institutions. In such cases, the net balance of one bank might be positive and the net balance of the second bank might be negative. Then the company would reflect the positive balance as cash and the negative cash balance (of the second bank) as an overdraft.  

Suppose a company has bank accounts with two different banks and the net balance of the first bank is $1,350,000 and the net balance of the second bank is an overdraft of $5,000. Then show cash as one amount on the balance sheet ($1,345,000). The $5,000 overdraft is not material.

Cash Flow Statement

Some companies do not include cash overdrafts in the definition of cash; instead, they include the overdraft in accounts payable. Consequently, the company treats the overdraft as an operating activity (change in accounts payable). So, the company includes the overdraft as a change in a liability in the operating section of the cash flow statement. (Some accountants treat overdrafts as a financing activity, but overdrafts clear quickly. Therefore, an operating activity classification is more appropriate.)

Alternatively, include the overdraft in the definition of cash (rather than in accounts payable). In doing so, you combine the cash overdraft with other cash (that with positive balances) in the cash flow statement. The beginning and ending cash–in the cash flow statement–should include cash overdrafts.

FASB ASC 230-10-45-4 requires that the total amounts of cash and cash equivalents in the cash flow statement agree with similarly titled line items or subtotals in the balance sheet. If a cash overdraft is included in the definition of cash, the cash captions in the statement of cash flows should be revised accordingly (e.g., Cash (Cash Overdraft) at end of year).

If the balance sheet contains a positive cash balance in assets and a cash overdraft in liabilities, provide a reconciliation at the bottom of the cash flow statement (or in a disclosure). In the reconciliation, show the composition of cash (cash overdraft)–one line titled Cash, one line titled Cash Overdraft, and a total line titled Total Cash (Cash Overdraft)

One Other Consideration

If checks are created but not released by year-end, reverse the payment. Merely printing checks does not relieve payables. Payables are relieved when payment is made (checks are printed and mailed, or electronic payments are processed).

Restricted Cash

FASB recently issued a new standard dealing with how restricted cash is to be reported in the cash flow statement. Click here for more information.

How to Steal Money with Altered Check Payees

This simple fraud occurs all too often

Some fraudsters steal money with altered checks.

As a kid I once threw a match in a half-gallon of gasoline – just to see what would happen. I found out. Quickly. In a panic, I kicked the gas container–a plastic milk jug–several times, thinking this would somehow put the fire out. But just the opposite occurred, and when my father found out? Something else was on fire.

Steal money with altered check payees

Some accounting weaknesses create unintended consequences. Show me an accounting clerk who (1) can sign checks (whether by hand, with a signature stamp, or with a computer-generated signature), (2) posts transactions to the accounting system, and (3) reconciles the bank statements, and I will show you another combustible situation. Here’s how one city clerk created her own blaze.

Altered Check Example

Using the city’s signature stamp, the clerk signed handwritten checks made out to herself; however, when the payee name was entered into the general ledger (with a journal entry), another name was used – usually that of a legitimate vendor.

For example, Susie, the clerk, created manual checks made out to herself and signed them with the signature stamp. But the check payee was entered into the accounting system as Macon Hardware (for example). Also, she allocated the disbursements to accounts with sufficient remaining budgetary balances. The subterfuge worked as the expense accounts reflected appropriate vendor activity and expenses stayed within the budgetary appropriations. No red flags.

Check

The accounting clerk, when confronted with evidence of her deception, responded, “I don’t know why I did it, I didn’t need the money.” We do a disservice to accounting employees when we make it so easy to steal. Given human nature, we should do what we can to limit the temptation.

How?

Controls to Lessen Check Fraud

First, if possible, segregate the disbursement duties so that only one person performs each of the following:

• Creating checks
• Signing checks
• Reconciling bank statements
• Entering checks into the general ledger

If you can’t segregate duties, have someone (the Mayor, a non-accounting employee, or an outside CPA) review cleared checks for appropriateness.

Secondly, have a second person approve all journal entries. False journal entries can used to hide theft. With sleight of hand, the city clerk made improper journal entries such as:

                                                Dr.                 Cr.

Supply Expense              $5,234

Cash                                                        $5,234

 

The check was made out to Susie, but the transaction was, in this example, coded as a supply expense paid to Macon Hardware. You can lessen the risk of fraud by preventing improper journal entries.

Thirdly, limit who has access to check stock. It’s usually wise to keep blank check stock locked up until needed.

Finally, limit who can sign checks, and deep-six the signature stamp.

A word to external auditors looking for a fraud test idea (or those just looking for check fraud): Consider testing a random sample of cleared checks by agreeing them to related invoices. Work from the cleared check to the invoice. It is best for the auditor to pull the invoices from the invoice file; if you ask someone in accounting to pull the invoices, that person might create fictitious invoices to support your list (not hard to do these days). If the payee has been altered, you will, in many cases, not find a corresponding invoice. Pay particular attention to checks with payees that are company employees.

Financial Reporting Framework for Small- to Medium-Sized Entities: Questions and Answers

This framework greatly simplifies financial statement reporting

CPAs have asked for relief from the burden of complying with GAAP for many years. So, a few years back the AICPA created the Financial Reporting Framework for Small- to Medium-Sized Entities (aka FRF for SME). The following is a Q&A that will assist you in understanding this reporting framework.

FRF for SME

What is FRF for SMEs?

It’s an other comprehensive basis of accounting (OCBOA) that can be used as an alternative to generally accepted accounting principles (GAAP) as issued by the Financial Accounting Standards Board.

Who created FRF for SME?

The AICPA.

What is the size of FRF for SME?

A little over 200 pages.

What is the size of GAAP?

Thousands of pages.

How often will FRF for SME change?

About once every three to four years. That’s one of the beauties of it: Stability.

Why was FRF for SME created?

GAAP had become too complex for small- to medium-sized private businesses, driving up the costs of creating GAAP-compliant financial statements. Existing OCBOA (e.g., modified-cash basis) lacked standardization.

Does FRF for SME define a small- to medium-sized entity? Is there a dollar threshold?

No. It’s subjective. There is no dollar threshold.

Is “FRF for SME” GAAP?

No. It’s not GAAP.

Can entities with debt covenants requiring GAAP use FRF for SMEs?

No. But they can see if the lender will amend the debt agreement to allow its use.

Can financial statements created using FRF for SME be audited, reviewed or compiled?

Yes (for all three).

What are some of the characteristics of companies that might use FRF for SME?

  • For-profit
  • Closely-held
  • Not a public company
  • No regulatory requirements for GAAP
  • Individuals with controlling ownership also manage the company

What entities should not use FRF for SME?

  • Nonprofits
  • Those with complex transactions
  • Governments

Is FRF for SME principles-based?

Yes. Use the flexibility and disclose the accounting policies used.

Do the FRF for SME financial statements look like GAAP statements?

Yes. This is a downside (at least to me). I do think a user might mistakenly believe the financial statements are GAAP. You will need to clearly disclose that FRF for SME was used. Also, your opinion or SSARS report will refer to FRF for SME (rather than GAAP).

What are some key points of FRF for SME?

  • No comprehensive income
  • Investments will be at historical cost (market value used when held-for-sale)
  • Derivatives (e.g., swaps) are not recognized on the balance sheet
  • There is no hedge accounting
  • Goodwill amortized over the same period as that used for tax purposes or 15 years
  • All intangibles are amortized over their economic life
  • Income taxes recognized using taxes payable method (what you owe at period-end) or the deferred income tax method (as GAAP requires)
  • No requirement to accrue uncertain tax positions (no FIN 46)
  • Leases are recognized as operating or capital leases 
  • Policy choice to consolidate subsidiaries or account for them using the equity method
  • Parent-only presentation is allowed (use equity method accounting for subsidiaries)
  • Variable interest entities are not consolidated
  • No assessment of long-lived assets for impairment
  • Going concern assessment required by management 
  • Revenue recognition is principles-based (disclose how you recognize revenue); percentage-of-completion can be used by contractors
  • Stock-based compensation not booked as a liability (disclosure only)
  • Defined benefit plan liabilities can be recognized using contribution payable method (record current pension plan payments not made; no projected benefit obligation required)
  • Disclosure requirements are greatly simplified

Can’t I just continue issuing tax-basis financial statements?

Yes. But tax-basis statements do not incorporate some of the more traditional accounting concepts of FRF for SME.

How will the use of FRF for SME change the peer review process?

No change; FRF for SME is just another OCBOA – like tax-basis or modified-cash basis.

Does the AICPA offer any implementation tools?

Yes. Click here for toolkits.

 

Consolidating Not-for-Profit Entities

The rules for consolidating nonprofit entities

How would you respond to the question, “how do I know when a not-for-profit entity should consolidate a related not-for-profit entity?”

Here’s a brief overview.

Key Consolidation Issue

The main key in determining whether a not-for-profit should consolidate another entity is control.

FASB defines control as the direct or indirect ability to determine the direction of management and policies through ownership, contract, or otherwise.

Consolidation Decision

The FASB Codification addresses not-for-profit (NFP) consolidations as follows:

  • Consolidation is required for 1. through 3. below.
  • Consolidation is permitted but not required for 4. below.
  • Consolidation is not permitted for 5. below.

Controlling Financial Interest

1. 958-810-25-2 – The reporting entity is the sole corporate member of the related NFP
2. 958-810-25-2 – The reporting entity has a controlling financial interest through direct or indirect ownership of a majority voting interest in the other NFP

Control Combined with an Economic Interest

3. 958-810-25-3 – The reporting entity controls another NFP through a majority voting interest in its board and has an economic interest in that other entity (e.g., reporting entity appoints 3 of the 5 voting members of the related NFP)
4. 958-810-25-4 – The reporting entity controls an NFP through a form other than majority ownership, sole corporate membership, or majority voting interest in the board of the other entity and has an economic interest in that other entity (control may be established by contract or an affiliation agreement)

Other

5. 958-810-25-5 – If the reporting entity does not have both control of and an economic interest in the related NFP, then consolidation is not permitted.

Note – There are additional rules for consolidating for-profit entities into NFP financial statements.

Providing Fraud Prevention Services to Compilation Clients

How many small businesses do you compile financial statements for? For most small- to medium-sized CPA firms, the answer is plenty. Now let me ask one more question (please).

What is the greater risk for such small businesses?

  • Financial statements are misstated or
  • The bookkeeper (or someone else) can steal substantial sums of money from the business
iStock_000025203171XSmall

Courtesy of iStockphoto.com

You say, “I’m not engaged to look for potential theft.” In most cases, you probably aren’t. But notice my question is about your client (and your potential opportunity to provide a valuable service).

I find that most compiled small business financial statements are basically correct – often because of the CPA’s involvement. The risk of material misstatement is driven down, and obviously, this is a good thing, but what about the potential for theft?

It seems to me that CPAs seldom talk with their clients about the potential for theft, even though we know, for instance, that the client’s accounting staff consists solely of one bookkeeper.

Theft may occur prior to the CPA’s compilation work, but when theft occurs, bookkeeping clients will sometimes say things like, “surely my CPA is in some way responsible” – even though compilations are not designed to prevent (or detect) fraud.

Defining Your Compilation Service

Let me ask two questions at this juncture:

  1. Do you get compilation engagement letters signed?
  2. Do you verbally explain the limits of your engagement (that you are not providing fraud prevention or detection services)?

These two actions will mitigate your risk when you only provide compilation services.

Providing Fraud Prevention Services

Now let’s consider another service that you can add: fraud prevention.

Do you ever suggest to your client that he or she have you (or someone else trained in fraud prevention) review the accounting system and make fraud prevention suggestions? Here is where, I believe you can add value in addition to the compilation service. I also believe it is largely an untapped source of revenue for small- to medium-sized CPA firms.

If you provide fraud prevention services, you need to create an engagement letter that addresses the boundaries of your work. It is wise to say what you are providing and, more importantly, what you are not providing.

I normally will state that I am providing the additional fraud prevention service to mitigate fraud risk and that the additional work will not provide absolute assurance that fraud will not occur. I go on to say that once the work is complete, “fraud may still occur.” (Check with your insurance carrier for appropriate language.)

In other words, your engagement is to mitigate fraud risk, not eliminate it – a reasonable proposition. (The risk of fraud can seldom, if ever, be fully eliminated.)

Additional Risks for the CPA

But doesn’t providing fraud prevention services create additional risks for the CPA?

Yes.

Providing any additional service creates additional risks for the CPA. So this is ultimately a business decision for you and your firm.

Independence

Will providing fraud prevention services impair your independence? Under existing AICPA independence standards, the answer is often “yes” (because you are assisting with the design of the internal control system). You can offer such a service to a compilation client, but you will need to state your lack of independence in the compilation report.

Agree or Disagree?

What do you think about offering fraud prevention services to compilation clients?