Roving signature stamp

Pamela Johnson, a low-level accounts assistant, had a hidden gambling problem and the trust of the Tompkins Consolidated Area Transit. Here's how she exploited her employer's confidence and how the external auditors actually discovered the devastating three-year fraud.

The Tompkins Consolidated Area Transit (TCAT) controller sat at his desk looking at the document request for JTD Enterprises from an external independent auditor. "I didn't know we had a vendor named JTD Enterprises," he said to himself. This was the beginning of many difficult days when TCAT learned that nearly a quarter of a million dollars was missing from its coffers.

TCAT is a private, not-for-profit organization that provides public transportation for Ithaca and Tompkins County, New York. Three primary funders — the City of Ithaca, the County of Tompkins and Cornell University — support TCAT. Three representatives of each entity comprise the nine-member board of directors. The 2015 operating budget was approximately $13.5 million. TCAT has about 120 employees.

In March of 2014, that inquisitive external independent auditor discovered a TCAT accounts assistant, Pamela Johnson, a TCAT employee since 2009, had diverted nearly $250,000 in cash out of TCAT accounts from 2010 through 2013 via a fraudulent check scheme. Because of a lack of adequate safeguards in the internal control system, she was able to create a fictitious vendor — JTD Enterprises — within the accounts payable system without prior approval.

During the three-year period, she submitted approximately 65 fictitious invoices in the JTD name for payment. Management later determined that she used the TCAT general manager's signature stamp to sign all the checks. She deposited those checks to a bank account in her husband's business name, Johnson Tool Design, which she had access to and controlled.

Where were the auditors?

Thankfully, the independent auditing firm found this fraud during its routine annual audit of the 2013 financial statements (although the fraud was already three years old). However, often when an auditor doesn't discover a fraud, the members of the board of directors will commonly ask, "Where were the auditors?" This is because of the common misconception that an external auditor is responsible for preventing and detecting all fraudulent behavior. Let's look a bit deeper.

External auditors, when planning audits, are required to follow the AICPA's Auditing Standard AU Section 312, "Audit Risk and Materiality in Conducting an Audit," which encompasses the overarching consideration of materiality judgments and procedures for audit risks that auditors must complete. Auditors are supposed to use AU 312 to plan their audits so they can be reasonably sure that financial statements are free from material misstatements, regardless of whether these misstatements were caused by error or fraud. (The standard outlined in AU 316 — that auditors' use in conjunction with AU 312 — defines fraud as an intentional act resulting in a material misstatement in financial statements.)

According to AU 312.07, two types of misstatements resulting from fraud are relevant to the auditor's consideration in conducting a financial statement audit: those resulting from fraudulent financial reporting and from the misappropriation of assets, also known as theft. (In a broader definition of fraud, the ACFE's Fraud Tree provides three major classifications: corruption, asset misappropriation and fraudulent misstatements.)

AU 312.03 says that the concept of materiality "recognizes that some matters, either individually or in the aggregate, are important for fair presentation of financial statements in conformity with generally accepted accounting principles, while other matters are not important. In performing the audit, the auditor is concerned with matters that, either individually or in the aggregate, could be material to the financial statements."

The key concept that the standard notes is that an auditor is able to obtain "reasonable, but not absolute, assurance that material misstatements are detected" (AU 312.02). This implies that — based on the auditor's judgment of materiality — the auditor is only responsible for items or inconsistencies that are independently, or in their aggregate, larger than that materiality threshold.

Because of the importance of materiality in an audit, another statement, Financial Accounting Standards Board (FASB) Statement of Financial Accounting Concepts No. 2, Qualitative Characteristics of Accounting Information, further delves into this topic. No. 2 defines materiality as "the magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement" (page 6).

Hence, the calculation of materiality in planning the audit becomes a matter of the auditor's professional judgment, although the auditor can alter that judgment during the course of the audit when he or she discovers new or updated information. (Fraud examiners, as compared to auditors, search for evidence of fraud and not necessarily materiality after they determine predication. A fraud examination is a methodology of resolving signs or allegations of fraud from inception to disposition using the fraud theory approach. For more information see the 2015 Fraud Examiners Manual, "Fraud Examination Methodology," 3.104.)

We don't know TCAT's independent auditing firm's actual computation of materiality for 2013. However, we worked through Practitioner's Publisher's Company (PPC) form NPO-CX-2.1, "Financial Statement Materiality Worksheet for Planning Purposes," a popular audit planning tool that many firms use, to gain some insight as the scope of materiality an auditor might consider on a 2013 TCAT audit.

The form's instructions note "the purpose of the form is to determine and document the materiality amount that will be considered suitable for audit planning purposes." Figure 1 (below) summarizes two variations of the completed PPC form.

The numbers in Figure No. 1 demonstrate two different possible materiality thresholds, which are computed based on two different metrics. The first number, $140,000 (in the far-right column, under "Result"), is derived by using the total asset number from the 2013 balance sheet. However, using the total revenue line from 2013 income statement, the threshold is $116,000 (at the bottom of that column) thus further demonstrating the variability in possible materiality levels in the same organization.

Despite the differences, we can reasonably assume that materiality could range from $116,000 to $140,000 at the maximum based on the 2013 numbers, the PPC guidance and the auditor's judgment. It would be reasonable to assume the materiality for the prior years is comparable in magnitude. For the sake of being conservative, let's assume materiality is $116,000 — the low end of the range.

Based on court documents we obtained from the Tompkins County Courthouse, Figure 2 (below) summarizes the total annual amount of each year's fraudulent activity.

Based on the previously calculated materiality value using the PPC guidelines, it's possible that the fraud exceeded the materiality threshold in year 2013 when the independent auditors discovered the actual fraud. We can only speculate the cause-and-effect relationship of the amount exceeding materiality and the auditors' ultimate discovery of the fraud. However, it's comforting to see that following the mandated standards proved to be a success — at least in this particular case.

Responsibility of the board of directors and management

The board of directors of any entity plus management have total responsibility to design, implement and maintain a sound system of internal controls within a strong control environment. The Committee of Sponsored Organizations of the Treadway Commission (COSO) has laid out an integrated framework for organizations to follow to help create or maintain an effective internal control system and environment.

The five crucial parts of this framework include control environment, risk assessment, control activities, monitoring activities, and information and communication. The control environment is the tone of the organization, which management and the board primarily promulgate.

The control environment serves as a base for the rest of the internal control system because in order to implement and maintain a system there have to be strong and ethical leaders passing these values down the chain of command.

In a good risk-assessment process, management objectively analyzes its organization and identifies potential threats and risks to the system and plans to determine how to alleviate those risks.

Outside of the COSO framework, auditors are also required under Auditing Standard 12 to perform risk assessments in their planning of audits. An independent auditor begins by gathering information about a client's industry to assist in their judgments of later audit procedures. The auditor also should ask management about the firm's control environment, which includes its control activities plus accounting policies and procedures.

Then the auditor should test these internal-controls assertions if he or she plans to rely on the controls during the audit. These tests include sampling, analytical procedures and discussions with management and the engagement team. The auditor can revise his or her assessment once testing is complete.

The control activities component of the COSO framework includes proper segregation of duties with no overlap between authorization, recording and custody. COSO also stresses the importance of monitoring an established internal control system. This process considers the quality of the system over time by examining the daily management of employees and actual performance of duties.

The monitoring process also attempts to reduce the prevalence of internal control deficiencies and communicates those issues to the board when needed. Finally, the information and communication component of the COSO framework is persistent throughout the other four parts. An internal control system will only work when an organization captures and processes the correct information and then regularly communicates it to the proper parties. The key to the entire system's efficiency is ensuring accuracy and timeliness.

In addition to the COSO framework, Statement on Auditing Standard 99 dictates how an auditor should consider fraud in an audit of financial statements. Foremost, the standard requires that an engagement team consider potential areas that could be susceptible to fraud.

Also, the team should always proceed with professional skepticism and not stop gathering evidence unless the documentation persuades them otherwise. The team should gather this evidence via inquiry of management and employees throughout all levels of the organization. However, inquiry alone is insufficient; team members should follow up with proper documentation and testing.

After the team completes the control evaluation, the independent auditor should decide if the controls are strong enough to rely on, whether there should be more internal control testing or if they will take a purely substantive audit approach.

Two fatal flaws

In TCAT's case, two substantive flaws in the system of internal controls in the procurement process allowed for the implementation of Johnson's scheme. Johnson was able to create a fictitious vendor in the payable system. As an accounts payable assistant, she shouldn't have had the authority to create a new vendor without an approval from a manager at least one level higher in the organization.

At a minimum, TCAT's controller should have had to approve JTD Enterprises as a vendor. Of course, this basic lack of segregation of duties for the expenditure cycle allowed Johnson to perpetrate her fraud.

The second internal control blunder was that Johnson could access and use a signature stamp to sign checks made payable to JTD Enterprises. Clearly, any organization should secure its signature stamp under lock and key and make it available to a select few top managers. TCAT only intended for its general manager — whose signature was on this stamp, — to sign checks. He should have kept it under his control and documented in writing who should have access to it in his absence; Johnson certainly wouldn't have been on that list.

On April 3, 2014, the TCAT board of directors published this statement on the TCAT website and in Mass Transit Magazine: "The TCAT Board of Directors and the TCAT management team are taking their obligations very seriously in the wake of these grave allegations. … The TCAT board and management team are firmly committed to ensuring that such incidents do not occur in the future. We are reviewing all of our accounting processes and will implement all necessary changes."

Fraud Triangle analysis

At least two sides of the Fraud Triangle are evident in this case. Johnson's attorney, Frank Policelli, said publicly that she has a gambling addiction. Johnson would be at a casino "from a Friday to a Monday," said Policelli at a December 2014 court hearing before Tompkins County Judge John C. Rowley, according to an Ithaca Voice article. (See Records: Woman who stole $247K from TCAT was addicted to gambling, by Jeff Stein, Dec. 16, 2014.) "Policelli says that Johnson is essentially a good person who suffered from ‘compulsive … pathological' gambling problems," according to the Ithaca Voice article.

We believe that this gambling addiction probably created an unshareable pressure — a financial burden on Johnson — that led her to commit her fraudulent acts.

And she obviously had the opportunity because of the lack of internal controls in her TCAT responsibilities. The ability to create new vendors in accounts payable systems linked together with access to a signature stamp is a deadly combination for fraud.

We haven't heard yet about her rationalization behavior — whether she intends to repay the funds or if she felt she was underpaid or underappreciated.

One sharp prosecutor

On April 2, 2014, the Tompkins County District Attorney's office, spearheaded by Assistant District Attorney Dan Johnson (no relation to the fraudster) filed second-degree grand larceny charges against Johnson. She pleaded not guilty to the charges, and she was later set free on her own recognizance.

Following her not-guilty plea, the assistant district attorney determined that Johnson and her husband, Robert A. Johnson, held a variety of assets, including bank accounts, pension assets and real property in Cortland, New York. He petitioned Supreme Court Judge Robert C. Mulvey for an ex parte order of attachment against $247,785 of assets owned by the couple.

Court documents showed that on May 21, 2014, Mulvey granted, in part, the assistant district attorney's request for the ex parte order of attachment, which effectively froze sufficient assets to satisfy a future order of restitution in the criminal case.

Resolution and changes at TCAT

On June 24, 2015, Judge John Rowley sentenced Johnson (after she changed her plea to guilty to second-degree grand larceny) to serve 90 days in the Tompkins County jail, 90 days under house arrest and five years of probation. "I think it's lenient. I'm not even sure it is appropriate," Rowley said.

Full restitution of the $247,785 is assured because of the court's earlier ex parte order of attachment ruling. The county also has recovered the proceeds of recent real property sales by Johnson and her now ex-husband, held them in escrow and forwarded them to TCAT.

The court awarded the reimbursement of legal and audit costs incurred by TCAT — $7,200 and $29,898 — respectively, to TCAT. Per New York state law, this restitution can't come from the funds already held by the county from the ex parte order of attachment. Hence, TCAT has to collect this judgment.

TCAT engaged a Rochester, N.Y., forensic auditing team to evaluate the internal controls and systems in place at the organization. Here are some of the improved procedures that emerged from that process:

1. A purchase requisition is now required to generate a purchase order.
2. All purchase orders are now attached to the accounts payable invoices.
3. Management reviewed and modified employee access levels to the accounting system. 
4. TCAT removed inactive and obsolete vendors from the accounts payable system.
5. The front office staff now opens the daily mail, makes a list of any checks received and restrictively endorses all checks.
6. TCAT implemented password security procedures for the computer system.

Ironically, the external forensic auditing team didn't mention the wandering signature stamp in its recommendations.

Nobody can dispute that a low-level accounts assistant duped TCAT. But it can take certain comfort that its board of directors and management acted decisively after the external independent auditors discovered the fraud. They allowed the auditors to investigate to determine the full extent of the defalcation. They then brought in forensic experts to validate the auditor's findings and make recommendations. Management quickly implemented those controls. Throughout the process, the board and management were transparent, publicly admitted responsibility and promised immediate action. They collaborated with the county district attorney to prosecute the embezzlement and ultimately received restitution in full.

This incident was certainly a painful learning experience for the organization. As TCAT's assistant general manager said in an Ithaca Journal news article (see Former TCAT worker gets jail, by Kelsey O'Connor, June 25, 2015), "Johnson's theft was not a crime against an individual, but against a whole community."

Listen to the accompanying ACFE Fraud Talk podcast with John E. "Jack" Little, CFE, CPA, Accounts Payable Clerk Steals $250,000 from Local Transit Entity.

John E. "Jack" Little, CFE, CPA, is the senior lecturer of accounting at the Dyson School of Applied Economics and Management at Cornell University in Ithaca, New York, and a local practitioner. He's a former managing partner at the Ciaschi, Dietershagen, Little, Mickelson & Company CPA firm. No information in this article came from the auditing firm. All material came directly from TCAT, Tompkins County Court documents or from newspaper accounts. His email address is: jack.little@cornell.edu.

Jason H. Grossman recently graduated from the Dyson School of Applied Economics and Management at Cornell University with a Bachelor of Science in Accounting and Finance. He works in the New York City office of Ernst & Young and recently completed all four parts of the Uniform CPA Exam. His email address is: jhg275@cornell.edu.