Chapter 2

Preventing Cash Losses from Embezzlement and Fraud

In This Chapter

Putting business controls in context

Checking out the internal control checklist

Realizing the limits of internal controls

When the infamous bank robber Willie Sutton was asked why he robbed banks, he's reputed to have said, “Because that's where the money is!” The cash flows of a business are a natural target for schemers who see an opportunity to siphon off some cash from these streams of money.

Making a profit is hard enough as it is. There's no excuse for letting some of your profit slip away because you didn't take appropriate precautions. This chapter discusses controls and preventive measures that a business should consider adopting in order to prevent and mitigate cash losses from dishonest schemes by employees, customers, and other parties it deals with.

This chapter is directed to business managers; it isn't a detailed reference for accountants. The chapter takes the broader management view, whereas accountants take a narrower view. Accountants focus on preventing errors that may creep into the accounting system of the business and quickly detecting errors if they get by the first line of controls. In addition to these internal accounting controls, the accounting department typically has responsibility for many of the other controls discussed in this chapter, as covered in the sections that deal with particular controls.

Setting the Stage for Protection

Most people are honest most of the time. You can argue that some people are entirely honest all the time, but realistically this assumption is too risky when running a business. In short, a business has to deal with the dishonesty of the few. A business can't afford to assume that all the people it deals with are trustworthy all the time. The risk of fraud in business is a fact of life. Fraud is defined as willful intent to deceive. One function of business managers is to prevent fraud against their business, and it should go without saying that managers shouldn't commit fraud on behalf of the business. (But some do, of course.)

A business is vulnerable to many kinds of fraud from many directions — customers who shoplift, employees who steal money and other assets from the business, vendors who overcharge, managers who accept kickbacks and bribes, and so on. The threat of fraud is ever present for all businesses, large and small. No one tells a business in advance that he or she intends to engage in fraud against the business, and compounding the problem is that many people who commit fraud are pretty good at concealing it.

So every business should institute and enforce internal controls that are effective in preventing fraud. Keep in mind the difference between controls designed primarily to stop fraud (such as employee theft) versus procedures designed to prevent errors from creeping into the accounting system. Both types of precautions are important. Even if it prevents theft, a business may lose money if it doesn't have accounting controls to ensure that its financial records are accurate, timely, and complete.

Preventing loss with internal controls

The procedures and processes that a business uses to prevent cash losses from embezzlement, fraud, and other kinds of dishonesty go under the general term internal controls. Internal means that the controls are instituted and implemented by the business. Many internal controls are directed toward the business's own employees to discourage them from taking advantage of their positions of trust and authority in the business to embezzle money or to help others cheat the business.

Many internal controls are directed toward the outside parties that the business deals with, including customers (some who may shoplift) and vendors (some who may double bill the business for one purchase). In short, the term internal controls includes the whole range of preventive tactics and procedures used by a business to protect its cash flows and other assets.

Weighting internal control costs and benefits

Some businesses put the risk of cash losses from fraud near the bottom of their risk ranking. They downgrade these potential cash seepages to a low priority. Accordingly, they're likely to think that internal controls consume too much time and money. Most businesses, however, take the middle road and assume that certain basic internal controls are necessary and cost effective — because without the controls, the business would suffer far greater losses than the cost of the internal controls.

Some companies boldly assume that the company's internal controls are 100 percent effective in preventing all embezzlement and fraud. A more realistic approach is to assume that some theft or fraud can slip by the first line of internal controls. Therefore, a business should install an additional layer of internal controls that come into play after transactions and activities have taken place. These after-the-fact internal controls serve as safety valves to catch a problem before it gets too far out of hand. The principle of having both kinds of controls is to deter and detect.

Understanding collusion

Collusion is broadly defined as two or more parties working together to commit fraud. Internal controls operate based on two assumptions:

• Employees are basically honest. If assets are lost or mishandled, the loss is likely due to an employee mistake, not fraud.
• Internal controls are designed to catch errors and fraud when one party is involved. If more than one employee is involved, most internal controls won't catch the error or fraud. If the transaction is discovered, it may be long after the fact.

The strongest fraud deterrent is the likelihood of being caught. Even so, desperate people still take their chances of being caught.

Recognizing the dual purpose of internal accounting controls

Many internal accounting controls consist of forms to submit and procedures to follow in authorizing and executing transactions and operations. A business's accounting department records the financial activities and transactions. So, naturally, the accounting department is put in charge of designing and enforcing many core internal controls.

Many accounting internal controls have a dual purpose:

• To detect and prevent both errors and fraud: For example, employees can be required to punch their timecards on a work clock as they start and end each day, or they can have their hours entered in a payroll log signed by their supervisor. This sort of internal control helps prevent employees from being paid for time they didn't work.
• To ensure that the amounts posted to the accounting records are reliable: The clock-in procedure also tells the accountant which expense account to charge for each employee's time worked and produces a record of the transaction that helps eliminate (or at least minimize) errors in processing the wage data needed for financial records. The accounting system of a business keeps track of the large amount of information needed in operating a business, and these internal controls are designed to ensure the accuracy, completeness, and timeliness of information held in the accounting system.

Internal accounting controls need to be kept up-to-date with changes in a business's accounting system and procedures. For example, an entirely new set of internal controls had to be developed and installed as businesses converted to computer-based accounting systems. The transition to computer and Internet-based accounting systems brought about a whole new set of internal accounting controls, to say nothing of all the other internal controls a business had to install to secure its databases and communications.

Struggling with fraud committed by the business

Fraud comes in two forms: fraud against a business and fraud by a business. The first type of fraud can be classified by who does it, and unfortunately, a business is vulnerable to all kinds of fraud attacks from virtually everyone it deals with — vendors, employees, customers, and even one or more of the business's own mid-level managers. The other side of the coin is the conscious behavior of the business itself that is sanctioned by top-level owner/managers.

Considering fraud committed by the business

The truth of the matter is that some companies carry on unethical practices as their normal course of business, including bribing government and regulatory officials, knowingly violating laws covering product and employee safety, failing to report information that's required to be disclosed, misleading employees regarding changes in their retirement plans, conspiring with competitors to fix prices and divide territories, advertising falsely, discriminating against employees, and so on.

Frauds perpetrated by businesses may very well be illegal under state and federal statutes and common law. Restitution for damages suffered from the fraud can be sought under the tort law system. In some cases, businesses deliberately and knowingly engage in fraudulent practices, and their managers don't take action to stop it. Basically, managers are complicit in the fraud if they see fraud going on in the business but look the other way. The managers may not like it and may not approve of it, but they often live with it due to unspoken pressure to follow the “three monkey” policy — see no evil, hear no evil, speak no evil.

Considering external auditors and detecting fraud

Independent CPA auditors (auditors from outside the company) test a company's internal accounting controls that are designed to prevent financial reporting fraud. However, audits aren't always effective. As you see in the “Understanding collusion” section earlier in this chapter, internal controls aren't designed to catch all fraudulent acts involving collusion. For more on financial reporting fraud, refer to John A. Tracy's How to Read a Financial Report (Wiley).

If you ask a CPA to audit your financial statements, the CPA may have to refuse you as a new client (or dump you if you're already a client) if your internal controls are inadequate. If your internal controls are too weak, the CPA auditor can't rely on your accounting records, from which your financial statements are prepared. And the CPA may have to withdraw from the engagement if the auditor discovers high-level management fraud. CPAs can't knowingly be associated with crooks and businesses that operate with seriously weak internal controls.

If you own or run a business, establish a no tolerance policy for fraud at all levels. Fraud begets fraud. If employees or people doing business with the company see fraudulent practices sanctioned by top-level managers, the natural inclination is to respond in kind, adopting an attitude of entitlement and committing some fraud of their own. And they may be very good at it.

Putting Internal Controls to Work

This section discusses important steps and guideposts that apply to virtually all businesses in establishing and managing internal controls. You find out both what kinds of tools are available to protect your business and what particulars you need to consider when choosing and using them.

Because this chapter is directed to business managers, not accountants, it doesn't delve into the details of internal accounting controls. If you or your accountant wants to find out more about internal controls, visit the websites of the Institute of Internal Auditors (www.theiia.org) and the American Institute of Certified Public Accountants (www.aicpa.org). Both of these professional associations publish an extensive number of books on internal controls.

This chapter uses the term fraud in its most comprehensive sense. It covers all types of cheating, stealing, and dishonest behavior by anyone inside the business and by anyone outside that the business deals with. Examples range from petty theft and pilferage to diverting millions of dollars into the pockets of high-level executives. Fraud includes shoplifting by customers, kickbacks from vendors to a company's purchasing managers, embezzlements by trusted employees, padded expense reports submitted by salespersons, deliberate overcharging of customers, and so on. A comprehensive list of business fraud examples would fill an encyclopedia.

The following discussion of internal controls assumes that the business is behaving ethically, that the people it conducts business with (employees, customers, and so on) are treated fairly, and that the managers haven't cooked the books. It assumes that the business isn't facing a generally hostile or “let's get even” attitude on the part of its employees, customers, vendors, and so on. In other words, the business faces the normal sort of risks of cash losses from fraud that every business encounters. Extraordinary safety measures that a business operating in a high-crime area may have to use, such as stationing armed guards at doors, is beyond the scope of this chapter.

Going down the internal controls checklist

Businesses have a large and diverse toolbox of internal controls to choose from. The following sections provide a checklist for managers in deciding on internal controls for their business.

Watching over high-risk areas

Strong and tight controls are needed in high-risk areas. Managers should identify which areas of the business are the most vulnerable to fraud. The most likely fraud points in a business usually include the following areas (some businesses have other high-risk areas, of course):

• Cash receipts and disbursements
• Payroll (including workers’ compensation insurance fraud)
• Customer credit and collections, and writing off bad debts
• Inventory purchasing and storage

Segregating duties

Where practicable, two or more independent employees should be involved in authorizing, documenting, executing, and recording transactions — especially in the high-risk areas. This arrangement is called segregation of duties — requiring two or more people to complete a task, so they'd have to collude in order to commit and conceal fraud. For instance, two or more signatures should be required on checks over a certain dollar amount. For another example, the employee preparing the receiving reports for goods and materials delivered to the company shouldn't have any authority for issuing a purchase order and shouldn't make the accounting entries for purchases. Concentration of duties in the hands of one person invites trouble. Duties should be divided among two or more employees, even if it causes some loss of efficiency.

Performing surprise audits

Making surprise counts, inspections, and reconciliations that employees can't anticipate or plan for is very effective. Of course, the person or group doing these surprise audits should be independent from the employees who have responsibility for complying with the internal controls. For instance, a surprise count and inspection of products held in inventory may reveal missing products, unrecorded breakage and damage, products stored in the wrong locations, mislabeled products, or other problems. Such problems tend to be overlooked by busy employees, but inventory errors can also be evidence of theft. Many of these errors should be recorded as inventory losses.

Encouraging whistle-blowing

Encourage employees to report suspicions of fraud by anyone in the business, and allow them to do so anonymously (in most situations). Admittedly, this policy is tricky. You're asking people to be whistle-blowers. Employees may not trust upper management; they may fear that they'll face retaliation for revealing fraud. Employees generally don't like to spy on one another, but on the other hand they want the business to take action against any employees who are committing fraud.

The business must adopt procedures to effectively safeguard anonymity for potential whistle-blowers. It also has to convince employees that they won't be ostracized if they report their suspicions.

Leaving audit trails

Insist that good audit trails be created for all transactions. The documentation and recording of transactions should leave a clear path that can be followed back in time when necessary. Supporting documents should be organized in good order and should be retained for a reasonable period of time. The Internal Revenue Service (www.irs.gov) publishes recommended guidelines for records retention, which are a good point of reference for a business.

Limiting access to accounting records and end-of-year entries

Access to all accounting records should be strictly limited to accounting personnel, and no one other than the accounting staff should be allowed to make entries or changes in the accounting records of the business. Of course, managers and other employees may ask questions of the accounting staff, and they may ask for special reports on occasion. The accounting department can provide photocopies or scanned images of documents (purchase orders, sales invoices, and so on) in response to questions, but the accounting department shouldn't let original source documents out of its possession.

Checking the background of new employees

Before any new employees are hired, management should have a thorough background check done on them, especially if they'll be handling money and working in the high-fraud-risk areas of the business. Letters of reference from previous employers may not be enough. Databases are available to check a person's credit history, driving record, criminal record, and workers’ compensation insurance claims, but private investigators may have to be used for a thorough background check.

A business should consider doing more extensive background and character checks when hiring mid- and high-level managers. Studies have found that many manager applicants falsify their résumés and list college degrees that they in fact haven't earned, and any dishonesty could very well be a bad omen about future conduct.

Periodically reviewing internal controls

Consider having an independent assessment done on your internal controls by a CPA or other professional specialist. This step may reveal that certain critical controls are missing or, conversely, that you're wasting money on controls that aren't effective. If your business has an annual financial statement audit, the CPA auditor is required to evaluate and test your business's internal controls. But you may need a more extensive and critical evaluation of your internal controls that looks beyond the internal accounting controls. See the earlier section “Struggling with fraud committed by the business” for more on the benefits and possible consequences of hiring an outside CPA.

Appraising key assets regularly

You should schedule regular “checkups” of your business's receivables, inventory, and fixed assets. Generally speaking, over time these assets develop problems that aren't dealt with in the daily hustle and bustle of business activity. Here are some examples:

• Receivables may include seriously past-due balances, but these customers’ credit may not have been suspended or terminated.
• Products in inventory may not have had a sale in months or years. This may indicate that the inventory is obsolete — not sellable. If that's the case, the obsolete inventory should be written off as an expense.
• Some fixed assets may have been abandoned or sold off for scrap value, but the assets haven't been properly removed from the books.

One principle of accounting is that losses from asset impairments (damage, aging, salability, abandonment, and so on) should be recorded as soon as the diminishment in value occurs. The affected assets should be written off or the recorded (book) value of the assets should be written down to recognize the loss of economic value to the business. The decrease in asset value is recorded as a loss, which reduces profit for the period, of course. Generally, fraud isn't lurking behind asset impairments — although it can be. In any case, high-level managers should approve and sign off on asset write-downs.

Implementing computer controls

Computer hardware and software controls are extremely important, but most managers don't have the time or expertise to get into this area of internal controls. Obviously, passwords, firewalls, anti-virus software, and other security tools should be used to protect the system and prevent unauthorized access to sensitive data. Every business should adopt strict internal controls over e-mail, downloading attachments, updating software, and so on.

If the business isn't large enough for its own IT (information technology) department, it has to bring in outside consultants. The business accounting and enterprise software packages available today generally have strong security features, but you can't be too careful. Extra precautions help deter fraud.

Curbing indifference to internal controls

Internal controls may look good on paper. However, the effectiveness of internal controls depends on how judiciously employees execute the controls day in and day out. Internal controls may be carried out in a slipshod and perfunctory manner. Managers often let it slide until something serious happens, but they should never tolerate a lackadaisical attitude regarding the performance of internal controls by employees.

Sometimes a manager may be tempted to intervene and override an internal control, not out of indifference but because bypassing the control will be more efficient or serve another purpose. This break in procedure, however well intentioned, sets an extremely bad example. And, in fact, in some cases it may be evidence of fraud by the manager.

Special rules for small businesses

The lament of many small business owners/managers is, “We're too small for internal controls.” But even a relatively small business can enforce certain internal controls that are very effective. Here are basic guidelines for small business owners/managers:

• Sign all checks: The owner/manager should sign all checks, including payroll checks. This precaution forces the owner/manager to keep a close watch on the expenditures of the business. Under no conditions should the accountant, bookkeeper, or controller (chief accountant) of the business be given check-signing authority. These people can easily conceal fraud if they have both check-writing authority and access to the accounting records.
• Mandate vacations: The owner/manager should require that employees working in the high-risk areas (generally cash receipts and disbursements, receivables, and inventory) take vacations of two weeks or more and, furthermore, make sure that another employee carries out their duties while they're on vacation. To conceal many types of fraud, the guilty employee needs to maintain sole control and access over the accounts and other paperwork used in carrying out the fraud. Another person who fills in for the employee on vacation may spot something suspicious.
• Get two sets of eyes on things: Although segregation of duties may not be practical, owners/managers should consider implementing job sharing in which two or more employees are regularly assigned to one area of the business on alternate weeks or some other schedule. With this arrangement, the employees may notice if the other is committing fraud.
• Watch out for questionable spending: Without violating their privacy, owners/managers should keep watch on the lifestyles of employees. If the bookkeeper buys a new Mercedes every year and frequently is off to Las Vegas, you may ask where the money is coming from. The owners/managers know the employees’ salaries, so they can make a judgment on what level of lifestyle the employee can afford.

Considering some important details of internal control

Even when you know what internal controls you want to use, you must take care to implement them in ways that are legal, practical for the company, and effective. And you also need to know what to do if the controls fail and you have a case of fraud on your hands. The following sections address these important details that you may overlook in your eagerness to implement controls and get back to business.

Considering legal implications

Pay careful attention to the legal aspects and enforcement of internal controls. For example, controls shouldn't violate the privacy rights of employees or customers, and a business should be very careful in making accusations against an employee suspected of fraud. At the other extreme, the absence of basic controls can possibly expose a manager to legal responsibility on grounds of reckless disregard for protecting the company's assets.

As an example, a business may not have instituted controls that limit access to its inventory warehouse to authorized personnel only, with the result that almost anyone can enter the building and steal products without notice. The manager could be accused of neglecting to enforce a fundamental internal control for inventory. You may need to get a legal opinion on your internal controls, just to be safe.

Evaluating cost effectiveness

One obvious disadvantage of internal controls is their costs — not just in money but also in the additional time required to perform certain tasks. Internal controls are an example of “managing the negative,” which means preventing bad things from happening as opposed to making good things happen. Rather than spending time on internal controls, employees could be making sales or doing productive activities. But putting it in a more palatable way, internal controls are needed to manage certain unavoidable risks of doing business.

The mantra you often hear is that internal controls should be cost effective, meaning that the collective benefits of a company's internal controls should be greater than the sum of their costs. But measuring the cost of a particular internal control or the total cost of all internal controls isn't practical, and the benefits of internal controls are difficult to estimate in any quantitative manner. In general, basic internal controls are absolutely necessary and worth the cost. In the last analysis, the manager has to make a judgment call on what level of internal controls to implement. The goal is to achieve a reasonable balance between the costs and the benefits.

Balancing internal controls and efficiency

Generally, internal controls should be as unobtrusive as possible to the outside parties the business deals with. Ideally, your customers and vendors shouldn't notice them. Your staff should be trained to implement internal controls without losing too much efficiency.

People are sensitive about accusations (real or imagined) that you think they may be crooks. Then again, people accept all kinds of internal controls, probably because they have become used to them. For example, bookstore customers hardly notice the small electronic chip placed in books, which is deactivated at the point of sale. On the other hand, bookstore customers probably would object to having to show a detailed receipt as they leave the store for all the books they have in their bag.

The exception to this rule is when a business wants to make an internal control obvious to help deter crime or to remind employees and customers that the business is watching them to help prevent fraud. For example, surveillance cameras may be positioned to make them clearly visible to customers at checkout counters. If you've been to Las Vegas, you probably noticed several internal controls in the casinos. But these controls are only the ones you can see. Casinos use many other internal controls they don't want you to see.

Following procedures when fraud is discovered

The main advice offered in the professional literature on fraud advises businesses to establish and vigilantly enforce preventive controls. The literature has considerably less advice to offer regarding what course of action managers should take when an instance of fraud is discovered, other than recommending that the manager plug the hole that allowed the fraud to happen. The range of options facing managers upon the discovery of fraud, assuming that the facts are indisputable, include

• Beginning an investigation, which may require legal advice regarding what you can and can't do
• Immediately dismissing employees who commit fraud or putting the person on paid leave until a final decision is made
• Starting legal action, at least the preliminary steps
• If applicable, notifying the relevant government regulatory agency or law enforcement

Recognizing Limitations of Internal Controls

A good deal of business is done on the basis of trust. Internal controls can be looked at as a contradiction to this principle. On the other hand, in a game of poker among friends, no one takes offense at the custom of cutting the deck before dealing the cards. Most people see the need for internal controls by a business, at least up to a point. The previous sections of this chapter discuss the need for and various aspects of internal controls. This section offers two final thoughts for managers: the need to maintain management control over internal controls and ways of finding fraud that's not detected by the internal controls of the business.

Keeping internal controls under control

Many businesses, especially smaller companies, adopt the policy that some amount of fraud has to be absorbed as a cost of doing business and that instituting and enforcing an elaborate set of internal controls isn't worth the time or money. This mindset reflects the fact that business by its very nature is a risky venture. Despite taking precautions, you can't protect against every risk a business faces. But on the other hand, a business invites trouble and becomes an attractive target if it doesn't have basic internal controls. Deciding how many different internal controls to put into effect is a tough call.

Internal controls aren't free. They take time and money to design, install, and use. Furthermore, some internal controls have serious side effects. Customers may resent certain internal controls, such as checking backpacks before entering a store, and take their business elsewhere. Employees may deeply resent entry and exit searches, which may contribute to low morale.

So even if your business can afford to implement every internal control you know of, remember that more isn't always better. Limiting the business to a select number of the most effective controls may provide a good balance of protection and customer and employee tolerance.

Finding fraud that slips through the net

Internal controls aren't 100 percent foolproof. A disturbing amount of fraud still slips through these preventive measures. In part, these breakdowns in internal controls are the outcome of taking a calculated risk. A business may decide that certain controls aren't worth the cost, which leaves the business vulnerable to certain types of fraud. Clever fraudsters can defeat even seemingly tight controls used by a business.

Internal controls should be designed to quickly detect a fraud if the first line of internal controls fails to prevent it. Of course, responding to this detection is like closing the barn door after the horse has escaped. Still, discovering what happened is critical in order to close the loophole.

In any case, how can you find out whether fraud is taking place? Well, the managers or owners of the business may not discover it. Fraud is discovered in many ways, including the following:

• Internal reports to managers my raise red flags; for example, an unusually high inventory shrinkage for the period that has no obvious cause.
• Performing account reconciliations on a regular basis — and investigating exceptions — often reveal signs of fraud.
• An internal audit may find evidence of fraud.
• Employees may blow the whistle to expose fraud.
• Customers may give anonymous tips pointing out something wrong.
• Customer complaints may lead to discovery of fraud.
• A vendor may notify someone that it has been asked for a kickback or some other under-the-table payment for selling to the business.

In financial statement audits, the CPA tests internal controls of the business. The auditor may find serious weaknesses in the internal controls system of the business or detect instances of material fraud. In this situation, the CPA auditor is duty bound to communicate the findings to the company's audit committee (or to management, in the absence of an audit committee).

Large businesses have one tool of internal control that's not practical for smaller businesses — internal auditing. Most large businesses, and for that matter most large nonprofit organizations and governmental units, have internal auditing departments with broad powers to investigate any of the organization's operations and activities and report their findings to the highest levels in the organization. Small businesses can't afford to hire a full-time internal auditor. On the other hand, even a relatively small business should consider hiring a CPA to do an assessment of its internal controls and make suggestions for improvement. In fact, hiring a CPA for this job may even be of more value than having an independent CPA audit the business's financial statements.