Cash Larceny, Part One: No fixed responsibility losses

We've just completed a series of articles on skimming - an off-book theft of the organization's revenue. With this column, we begin a new series about cash larceny - on-book frauds in which employees steal the organization's revenue after accountability for the funds has been recorded in the accounting records. While employees involved in skimming are often difficult to detect, quite the opposite is true for employees who commit cash larceny schemes. The strange thing that I've found in my practice is that these employees often make little or no effort to conceal the irregularities that eventually lead to their demise. I like it when they do this because it makes my job a lot easier! 

No fixed responsibility
Before we delve into specific cash larceny schemes, I first want to discuss a related issue involving the manner in which funds are all too often mishandled within the organization. In a recent two-year period, approximately 36 percent of the number of cash receipting cases in my state (Washington) involved no fixed responsibility for the loss. That statistic is way too high. It demonstrates that many managers incorrectly deal with this risk within their organizations today. The good news is that the amount of losses from these cases was only about $83,000 about 2.5 percent of the total amount of losses reported in my state during this period.

Normal business and operating cash shortages by cashiers and the theft of funds during breaking and entering events by outsiders have been excluded from this presentation. Organizations should keep informal records of cashier losses and periodically review it for undesirable trends. Sometimes certain employees just aren't suited for the cashier role. Police reports should also be promptly filed with the appropriate law enforcement agency when break-ins occur.

Here's a summary of these losses: 

• About 67 percent of these cases occurred during cash handling processes involving cashiers and other employees turning in funds from decentralized locations to central treasury functions. This condition represented the highest frequency of losses with no fixed responsibility during this period. (We'll analyze a case study discussing this area in the next column on cash larceny schemes.)
• Another 21 percent of these cases occurred while funds were stored in safes and vaults or where employees failed to make bank deposits. This condition represented the highest amounts of losses with no fixed responsibility during this period.

Employees are often careless in how they treat money. Sometimes they leave funds unattended in the office for brief periods of time or store money in unlocked desk drawers and filing cabinets during the business day, overnight, and on weekends. Thefts of these funds by others - including employees, passers-by, and facility janitors or custodians - frequently occur when there are lapses in internal controls. We all know this condition will occasionally occur. When it does, managers need to take any personnel actions they deem appropriate for the individual involved, if any, and then get on with normal business as quickly as possible using revised procedures appropriate to the circumstances.

However, the underlying internal control issue in these cases is that there's no fixed responsibility, when, not if, losses of funds actually occur. In the above cases, investigations - both by internal employees and external police - were unable to isolate these losses to a specific employee because organizations didn't have appropriate internal controls in place or lacked adequate documentation of accountability for the funds involved. Under these circumstances, employee's careers are often at risk because they are the first ones who are unjustly accused of stealing the missing money.

Too many organizations operate under the concept that everything is just fine as long as losses haven't occurred in the past. But, when these losses do arrive on their door step, everything isn't fine, internal controls are immediately changed, and employees are all too often blamed for the loss. This condition is similar to locking the barn door after all the horses have escaped. Why wait for the inevitable? It's time to take some basic preventative measures to deter these losses from happening in the first place.

The organizational response
I firmly believe that organizations must do a better job of protecting their employees - their most valuable asset - to remedy this undesirable condition. The most obvious management response is to establish procedures designed to safeguard funds from loss at all times. But what should be done? The organization must be able to fix responsibility for money to a particular employee, at a particular point in time, all the time. It's one of the life rules of my practice. If your organization can't do this, cash handling procedures need to be changed immediately to ensure that you act appropriately to protect employees. The ultimate question is: Who's responsible for the money right now?

Safeguarding assets from loss while funds are under your control is one of the major responsibilities of any organization. The other major responsibility is to spend funds wisely and for authorized purposes. One thing I've found is that cash larceny frauds account for almost all of the fraud losses in my state. These losses are about evenly split between cash receipting and cash disbursing losses. The fraud perpetrators are also about evenly split between men and women.

The following discussion includes some specifics about how to fix responsibility for funds while they're under the organization's control.

(1) Each cashier should have their own change fund and password for computer cash register systems. Major problems in my case studies have included the following:

• Multiple cashiers using a cash or till drawer in which cash collections are commingled into one container.
• Poor cash transmittal systems from one level of the organization to another such as from decentralized facilities to the central treasury function. In these cases, employees and couriers don't sign for bank bags and money or don't use locked or tamper-proof bank bags when accountability for funds is transferred from one person to another or when funds are transmitted to a central treasury function for deposit.
• When funds are transferred from one location to another, the decentralized location doesn't always obtain a receipt from the central treasury function. In addition, the decentralized location doesn't always reconcile the amount of funds turned in with the amount of revenue recorded in the accounting system each month (for example, reconciling accounting records to daily activity reports and bank deposits for agreement).
• When funds are received at the central treasury function from decentralized locations, two people aren't always present when transmittals are opened and counted - similar to banks when opening the night depository box - to protect the central treasury function employee from the decentralized location employee in the event of a significant variance in the amount of funds reportedly included in the transmittal.
• Sharing computer cash register passwords among employees, thus eliminating the capability to identify each cashier with their transactions in the database.
• Situations in which one cashier signs-on using their computer cash register password, periodically leaves the area without signing-off - such as on breaks and at lunch - and a relief cashier uses the computer during these time periods, thus eliminating the capability to identity each cashier with their transactions in the database.

(2) Each employee who stores funds overnight should have a separate locking container within the safe or vault. If this isn't possible, the organization should provide these employees with alternative storage options. Many organizations believe that simply securing funds overnight is sufficient. But this commingling of funds also eliminates the ability to fix responsibility for funds when losses subsequently occur.

Major problems in my case studies have included the following:

• Access to funds stored in safes and vaults wasn't limited to the fewest practical number of employees, and too many employees had knowledge of the combinations.
• Cashiers or other employees didn't have a separate locking container for funds stored overnight or over the weekend in a safe or vault. In one case, funds were stored in a vault even though the lock was broken. No one was surprised when the change funds and bank deposits were mysteriously missing one day. They immediately fixed the lock. Why didn't they do this before the loss?
• Employees didn't change safe or vault combinations in the correct frequency such as immediately after receipt from the organization and then periodically thereafter, and when employees terminated employment. (These same basic internal control procedures also apply to computer passwords.)
• Employees recorded the safe combination somewhere in the office thus compromising it and granting access to other employees, passers-by, and facility janitors or custodians. In one instance, the combination was painted on the dial of the safe! I never ask employees if they record the safe combination somewhere in the office. Instead, I look them directly in the eye and ask them where they recorded the combination. Their body language points directly to the location where they've recorded it, even if they don't want to tell you this information.

Learning objectives 

• Every organization should act to protect its employees from false accusations when, not if, losses of funds occur. An ounce of prevention is worth more than a pound of cure.
• Organizations shouldn't allow multiple cashiers to operate from one cash or till drawer or commingle cash collections into one container.
• Every organization should be able to fix responsibility for money to a particular employee, at a particular point in time, all the time.
• Employees should sign some type of transmittal or turn-in document to ensure that accountability for funds is properly transferred between individuals.
• Don't separate duties as an internal control measure if you destroy fixed responsibility for funds in the process.
• Cashiers should have separate locking containers for funds stored overnight in any safe or vault.
• Safe and vault combinations and computer cash register passwords should be changed periodically and when employees terminate employment and never compromised by sharing them with others or recording them somewhere in the office.

Next issue: dissecting a case
This discussion about no fixed responsibility will be continued in the next column to illustrate some of these concepts as we dissect a fraud case involving the transmittal of funds from decentralized locations to a central treasury function in a rather large city in my state. It will provide a lot a food for thought when establishing internal controls to safeguard funds from loss in this operating environment.

Case study No. 1
County department of corrections
Funds were reported missing from a safe at the County jail. A drug task force placed $20,000 in currency in a safe pending a court order providing authorization to seize the money as evidence in a criminal case. When the money was counted one week later, $10,000 was missing. Too many people had access to the funds in the safe. As a result, a police investigation determined that there was no fixed responsibility for this loss of funds.

Case study No. 2
School district
Funds were reported missing from a vault at the high school over a weekend. While a camera was present in the vault's vicinity, nothing out of the ordinary was noted to help determine why this $10,000 mysterious disappearance loss occurred. Too many people had access to the funds in the vault. As a result, a police investigation determined that there was no fixed responsibility for this loss of funds.

Case study No. 3,
County transfer and recycle center
One cashier worked alone at the transfer and recycle center. This employee collected revenue from customers, recorded transactions on a computer cash register, prepared a daily activity report reconciling cash collections with recorded cash register accountability, and then placed the change fund and daily cash receipts in a safe for overnight storage. The following morning another employee opened the safe, verified the accuracy of the daily activity report, and made the bank deposit. One day, a $10,400 deposit from the prior business day was reported missing. While the county believed it had segregated duties by having two employees involved in cash collecting and bank depositing, a police investigation found that there was no fixed responsibility for any loss of funds under these circumstances. In addition, too many people had access to the safe, and the combination hadn't been changed when prior employees terminated employment at the facility. Internal control procedures were revised to allow the transfer and recycle center cashier to be solely responsible for all financial activity including making the daily bank deposit. Also, an independent party monitored the cashier's bank deposits to ensure that all funds collected were properly deposited in the bank.

Regent Emeritus Joseph R. Dervaes, CFE, CIA, ACFE Fellow, is audit manager for special investigations for the Washington State Auditor's Office.