A Few Key Controls Could Save Your Company Millions

By Boyd E. Foster Jr., CFE, CPA
It was the largest private embezzlement in Massachusetts history. The crime lasted nearly six years and amounted to $7 million. Yet it took only one week for our team of law enforcement authorities, accountants, attorneys, the business owner, and his key employees to unravel the fraud scheme and discover that the loss would reach into millions of dollars. Our investigation revealed that it was the trusted bookkeeper who had stolen directly from the company's cash accounts and deposited the money to several of her and her husband's personal bank accounts. 

As this case began receiving publicity, one question was on everyone's mind. How could this happen? For external auditors and fraud examiners, the answer is the key to understanding how similar employee embezzlements can be prevented through management oversight and sound internal controls. 

In small businesses it's common for employees to have multiple responsibilities. It keeps overhead costs low and lets managers focus on operations and staying profitable. Employees say they enjoy their jobs because of the variety of functions they perform; owners like to think of it as "doing more with less." For auditors and fraud examiners it often indicates a lack of segregation of duties and raises concerns of internal control weaknesses. 

The victimized company in our fraud examination was no exception. As the owner of several construction companies, "John" had become successful because he was able to get the most out of his employees. This included one longtime employee, "Beatrice," who was responsible for keeping the books for all his companies. Beatrice was such a trusted employee that she had unsupervised access to the signature stamps with the CFO's name so she could prepare and distribute checks more efficiently. This freed John and his CFO to concentrate on operations. Unfortunately, this was one of several control weaknesses that created the opportunity for Beatrice to steal. 

Beatrice's theft began soon after she had started working for the company. The first check we identified was taken in June 2000. She drafted it for $2,694.83 payable to herself and forged the CFO's signature using the stamp. Her scheme was off and running. Nearly six years later in May 2006, she wrote herself the final check for $45,135.68, stamped the CFO's signature on it, and deposited it to her bank account. As we conducted our investigation, it was clear Beatrice quickly had spotted opportunities and took advantage of them. Beatrice modified her methods as accounting circumstances changed. 

The accounting records for most of John's companies were maintained on off-the-shelf accounting software. While these software packages provide a cost-effective way for small companies to record their transactions, they easily can be manipulated; in the hands of a mischievous employee, they can be downright dangerous. During our initial interview, Beatrice admitted she was able to print checks to herself and subsequently delete all record of the transactions. She did this by listing herself as a vendor, entering a fictitious payable amount, and printing the check. After each check printed, the accounting software asked if it had printed correctly. Beatrice answered that the check hadn't printed correctly, and thus she erased all record of the transaction. 

However, as any good bookkeeper knows, a cancelled check without a corresponding transaction in the books will raise red flags when the bank statement arrives. But this was no problem for Beatrice because she both received the bank statements in the mail and prepared the monthly reconciliations. Beatrice opened the bank statements and destroyed the original cancelled checks made payable to her. She even went one step further to cover her tracks. To make the books agree with the bank statement, Beatrice created fictitious payable transactions on the accounts of legitimate vendors in the amounts of the stolen checks and entered fake invoices for the same amounts under legitimate vendors. 

As the stolen amounts increased in size, she entered multiple invoices to avoid any suspicion about unusually large invoices from these vendors. Outwardly it appeared the cash had paid for actual goods. Beatrice was careful to use only vendors to whom the company made frequent payments. She also made sure the fake invoice numbers were consistent with the vendors' actual invoice numbers. 

As the embezzlement continued through the years, Beatrice expanded her theft to several of the companies. One company had more-sophisticated accounting software with controls that weren't as easily circumvented. Beatrice wasn't deterred. She explained to us how she simply took the company's blank check stock and printed checks to herself using a word processing program and her laser printer. Beatrice even practiced on a blank sheet of paper to be certain that the amounts lined up correctly on the check stock. She then created false transactions to legitimate vendors to reconcile the bank activity with the books. 

Eventually, the owner switched banks and the new bank provided photocopies of all cleared checks with the monthly statements instead of returning the originals. Beatrice knew it would be more difficult to continue her theft, so she found another way to steal from John. Because of her familiarity with all of the companies, Beatrice knew of a dormant bank account for a related company. There was no activity on the account, but it hadn't been closed. And best of all, the new bank didn't return cleared checks or photocopies with the bank statement. So Beatrice wrote checks from the operating companies that she made payable to the dormant company. 

She deposited the checks into the dormant account and wrote checks to herself from that bank account. Even if the operating companies' bank statements were reviewed, they'd only show payments to a related company. From that point forward, no checks with Beatrice's name would make their way back to the company. With a complex series of intercompany journal entries she masked the payments back and forth between companies. This was a lucrative practice for Beatrice that yielded her nearly $2.5 million over just the last 10 months of her embezzlement. The embezzlement went completely undetected until company personnel discovered several suspicious transactions. 

"Tom," general manager for one of John's operating companies, was skeptical of Beatrice's financial reports so he hired another experienced bookkeeper, "Sally," who quickly suspected someone was stealing from his company. 

Several weeks later, Sally identified several suspicious transactions. As usual, Beatrice entered all the questionable items as purchases from the company's actual vendors. Sally called the vendors and found that none of the invoice numbers were legitimate. She checked with the bank and discovered that the checks had been cashed but were payable to one of John's dormant companies. 

John sent his CFO to the bank to examine cleared checks from the dormant company. The CFE found a $44,000 check made payable to Beatrice. Within several days, Beatrice would admit that her thefts could be as high as $9 million. 

In hindsight, Beatrice's fraud seems simple and easily prevented. And the length of her scheme supports the premise that such frauds are easier to prevent than to detect. (2006 ACFE Report to the Nation on Occupational Fraud & Abuse). Beatrice had quickly identified several control weaknesses and repeatedly used them to her advantage. Fraud examiners and external auditors can do the same to a company's advantage. They must be able to identify these control weaknesses to protect their clients from major losses. With the American Institute of CPAs' risk assessment standards (SAS Nos. 103 - 111) now requiring external auditors to evaluate and test private companies' internal controls and SAS No. 112 requiring the auditors to communicate to management the deficiencies in those controls, it's more important than ever for professionals to evaluate when a company has good controls and when it creates opportunities for theft. Of particular importance are controls over cash accounts. The ACFE Report to the Nation showed that more than 90 percent of the cases reported were asset misappropriations and in 87.7 percent of those frauds, cash was the asset of choice. With a median loss of $150,000, cash misappropriations represent a significant loss to any organization. 

So what can companies do to limit their exposure to these thefts? 

Control authorization devices. First and foremost, companies that don't have adequate personnel to allow for proper segregation of duties should consider eliminating signature stamps for signing checks and automatic check-signing machines. If a company issues a large volume of checks making it prohibitively time-consuming to manually sign them all, then it should put in place procedures to control access to the signature stamp. Keep the stamp locked in the authorized signer's desk and make sure he or she is the only one with a key. 

If the signer is someone other than the owner, the owner should make it clear the stamp is to stay with the authorized signer at all times. If the company uses a check-signing machine, make sure it's in a secure location. Additionally, check-signing machines typically have an internal meter that records the number of processed checks. The owner should keep a log and frequently review it to ensure that extra checks aren't being issued. The company should also be sure that it updates the signature cards on file with its bank and that cards name only those individuals who are authorized check signers. 

Open the mail. The owner or designated general manager should receive the unopened bank statements and be the first person to review them. The bank could deliver them to the owner's home address to avoid interception at the office. The owner should scan cleared checks, whether photocopies or originals, to see if anything looks unusual. If the company is small and the bookkeeper who reconciles the bank statements also manages the accounts payable or accounts receivable, it's critical for the owner to do this review before the bookkeeper receives the statement. 

While this measure might not prevent an employee from forging a check, it will identify a theft in a timely manner. More importantly, it lets employees know you're keeping a close watch over the bank accounts. 

Our investigation showed that no one performed independent reviews of the bank statements. In a month when no legitimate checks exceeding $500 were drawn on a particular company bank account, three consecutive checks for just under $10,000 cleared the bank. All three of these checks were deposited to one of Beatrice's bank accounts. A quick review of the cleared checks listed on the bank statement would have raised concern and might have ended the embezzlement years earlier. 

See the documentation. Companies should issue checks only when purchase orders, invoices, and receiving documents support the payments. Before signing a check, the authorized signer should make sure documentation has proper approvals. Company policy should require designated employees to approve purchases and reject any payment that doesn't have an approved purchase order. As a back-up, the company could also request from its suppliers a list of all issued and paid invoices. If someone has entered fictitious invoices in the company's ledgers, a quick comparison to the vendor's invoices will reveal the phonies. 

Close dormant bank accounts. Owners should maintain an inventory of the company bank accounts and be sure that any dormant accounts are closed. Because such accounts tend to be overlooked, they become an invitation to a scheming employee. 

Oversee the vendor list. Only the owner or a designated manager should supervise creation of new vendors and review the list frequently. Also, the company should establish passwords and user access limits to protect the creation of vendors. Even the simplest off-the-shelf accounting software usually has functionality to limit tasks to certain individuals by password access. 

All these controls can easily be implemented and are critically important to deterring cash misappropriations. As our experience illustrates, failing to have key controls and management oversight of cash disbursements can be an expensive proposition for small businesses. With the growing emphasis on the identification and examination of private companies' internal controls, fraud examiners can be important advocates to their small-business clients. The fraud examiners' knowledge of the fraud risks and appropriate preventative and detective controls enables them to play a key role in ensuring that clients are protected against major losses. 

Boyd E. Foster Jr., CFE, CPA, is manager of Sullivan & Company CPAs LLP in Providence. R.I.   
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.fraud-magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com.