Small Organizations Need Internal Controls, Part One

Sylvia enjoyed being in control. As administrator of a small city’s court, she completely controlled the cash receipting function. Her supervisors thought she was doing a fine job. But that was until they discovered that she had misappropriated accounts receivable funds from civil fines and penalties for more than 6 ½ years. She stole $285,100 from 254 collection agency check payments to the court and $5,127 from 49 manual cash receipt payments from citizens. She wrote off these cash receipt transactions by entering false information into the court’s accounting system. This small city hadn’t properly monitored Sylvia’s work to ensure that all accounts receivable revenue was properly accounted for and deposited in the bank.

WHAT ARE THE KEY INTERNAL CONTROL ISSUES? 

Managers often ask me to discuss some of the key internal controls issues associated with fraud in small organizations. I ask them this simple question: What is the major problem you see in this environment? Most answer that one person does everything! This key, trusted employee, who works alone, is often responsible for the entire receipting and disbursing functions including payroll. A one-person operation precludes any possibility of internal controls. Therefore, a manager must perform tests focused on the risk of fraud to determine if all the organization’s resources are in the accounting records, deposited in the bank, and then disbursed for authorized purposes.

Over the years, I’ve found that managers usually know about this problem and really want to ask, “What can I do about it?” And, that’s a different story altogether. Here’s what I tell them. The shareholders or owners of private businesses, and the citizens of any government entity, have two primary expectations of their representatives who manage the organization’s resources: (a) safeguard the money while it’s under their control (cash receipts) and (b) spend the money wisely and for authorized purposes (disbursements).

Segregating Duties 

While internal controls are important to achieve the organization’s primary mission and financial objectives, it’s just as important for managers to implement policies and procedures that are designed to protect its employees. They can do this by appropriately segregating the duties of trusted employees and then monitoring key employee tasks to ensure the organization’s expectations have been met.

Of course, the objective of duty segregation is to reduce the likelihood that one person is able to completely control a process or function from beginning to end, but that objective is simply impossible in small organizations. When internal controls are weak, employees are tempted and even put at risk in work environments when managers don’t properly monitor them to make sure they’re doing their jobs well. Managers will give employees tasks and expect them to do them, but then won’t subsequently review their work once they’ve completed the jobs. This blind trust is at the heart of many fraud cases. Employees will develop the mistaken impression that the leadership doesn’t really care about the organization’s finances. Therefore, it doesn’t take long for an employee to decide that the organization’s money is their money. Fraud happens just as quickly as that.

CASE NO. 1: COURT REVENUE SPEEDS AWAY 

Let’s continue with the court case we began earlier. During normal processing of the daily bank deposit, a part-time court clerk (we’ll call her Jill) noticed an irregular cash receipt transaction and reported it to the finance officer. Jill knew that $300 in 100-dollar bills had been collected the previous day from a citizen during this transaction, but these funds were now missing. If Jill had reported the irregularity to Sylvia, she probably would have reassigned Jill while she processed the bank deposit herself. After all, why bother to investigate your own irregular cash receipting activity?

The finance officer’s independent review of this transaction subsequently determined that funds had been misappropriated from the court. The external auditor, who expanded the investigation from manual cash receipting activity to accounts receivables, found that Sylvia had used non-cash credit transactions for adjudications and community service to write off the account balances due from citizens in the court’s accounts receivable system and had concealed the losses from the city. But the most damaging internal control weakness was that no one at the city had reviewed these court accounts receivable adjustments to determine if they had been authorized, approved, and properly supported. Sylvia plea bargained with the county prosecutor to pay the city $290,227 in losses plus audit costs, and she was sentenced to 57 months in the state penitentiary.

Monitoring Employee Tasks
Managers must “trust but verify” when one employee controls all or practically all of a function or activity; shareholders and owners or volunteer citizens must monitor the tasks of key employees to ensure they’re meeting the organization’s expectations and not misappropriating funds. Monitoring also helps to detect frauds in their infancy when losses are relatively small.

CASE NO. 2: PARKS AND REC DIRECTOR STEALS HOME AND OTHER THINGS 

“Jack,” the director of a small parks and recreation district misappropriated $2,538 in athletic tournament and league fees over a one-year period. Jack failed to record cash receipt transactions when team representatives made payments to him on the athletic fields. He deposited some revenue checks into his personal bank account and cashed others at local financial institutions. He also simply stole currency that team reps had paid him. One team rep complained to a district board member that his check had been deposited into Jack’s personal bank account and provided a copy of the redeemed check to the district. The external auditors used the check as probable cause and subpoenaed Jack’s personal bank account to confirm the allegation. They also found that he had misappropriated district revenue checks from other teams.

During an interview with the auditors, Jack admitted misappropriating revenue from his employer. He was struggling financially from a recent divorce and said he used the district’s money to pay personal bills. The auditors couldn’t account for an additional $8,442 in recorded district cash receipts. Poor internal controls prevented the district from fixing responsibility for these additional losses to any specific individual because too many people had access to the money when it was stored in an office safe. Jack plea bargained with the county prosecutor to pay the district $2,538 in proven losses plus stipulated audit costs, and he was sentenced to a nominal period of time in the county jail.

WHO WILL PERFORM THE MONITORING FUNCTION? 

This is the next most common question I’m asked. My response is that someone independent of the small organization must periodically monitor the work of the key, trusted employee. There are two major ways to deal with this situation.

Option No. 1 The governing body or oversight board of any organization, regardless of size, is ultimately responsible for monitoring the internal control structure and the activities of its key employees, so it must perform this function. The board must find ways to tell employees that internal controls are important and that many of them are designed to protect them from ever being accused unjustly of doing something they didn’t do. In fact, it’s something auditors must inquire about and look for to meet fraud auditing standards (currently Statement on Auditing Standard No. 99 in the United States).

But the board must also “walk the talk” and set an ethical “tone at the top” example. A board should never simply say that internal controls are important and then not implement the appropriate procedures to install them. Employees continually watch the actions of the board and managers and know exactly what they do and don’t do; if employees perceive that internal controls aren’t important to the leadership, they won’t think they’re important either. It’s that simple. The employees often will commit fraud at a later date when the conditions are right.

Option No. 2 If the board of a small organization doesn’t or can’t monitor employees, it should find an independent party to do this on its behalf. Many volunteer professionals – accountants, bookkeepers, school teachers, and others from all walks of life – would be glad to monitor employees. The board can find these volunteers by including notices with routine utility bills and placing advertisements in local newspapers. However, I’ve found there’s no substitute for direct personal contact when recruiting. Once individuals agree to volunteer, put them to work immediately.

WHAT SHOULD MONITOR VOLUNTEERS DO?  

This is the follow-up question I’m always asked about the monitoring function. Boards must give clear, specific directions to volunteers, but, more importantly, volunteers must know why they’re doing these independent tasks.

Volunteers must first review internal controls, but they must also test them to determine if actual employee practices agree with the organization’s policies and procedures. Volunteers must specifically know that the primary focus of their monitoring activities should be to determine if employees have misappropriated funds from the organization.

Because volunteers who haven’t retired might have a limited amount of time, they schedule their internal control reviews on days off or on weekends. In certain situations, the organization might even allow volunteers to review its records at home.

LESSONS LEARNED 

Let’s review some of the finer points of fraud in small organizations:

• To achieve the organization’s primary mission and financial objectives, managers must implement internal controls to protect its resources and implement policies and procedures designed to protect the organization’s employees from false accusations.
• The shareholders or owners of private businesses and the citizens of any government entity expect managers to safeguard the money while it’s under their control and to spend the money wisely and for authorized purposes.
• The organization must first appropriately segregate the duties of key employees and then monitor key employee tasks to ensure that expectations have been met.
• The governing body, an oversight board, or some individual who’s independent of the organization, must periodically monitor the work of key, trusted employees.
• To have an effective monitoring program, boards must give clear direction to volunteers by telling them exactly the tasks to be accomplished, and more importantly, why.

MONITORING DETAILS 

The next two columns discuss in detail what volunteers need to do to monitor the internal control structure in small organizations as well as why. We’ll do cash receipts first and then complete the series with disbursements. These columns will provide a checklist that fraud examiners can use to review the financial activity of any size organization. Stay tuned!

Regent Emeritus Joseph R. Dervaes, CFE, CIA, ACFE Fellow, is retired after more than 42 years of government service. He is the vice chair of the ACFE Foundation Board of Directors.  

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.