Internal Controls: The Unique Challenges of Small Firms
Presented by Daniel J. Rozema, CPA
FM01
Friday, 9/20/2013 10:30 AM - 11:45 AM

Topics
• Common Internal Control Weaknesses
• Preventing Asset Misappropriation Through Internal Controls
• Considerations for all organizations regardless of size

Common Internal Control Weaknesses
• Lack of segregation of duties
• Lack of physical safeguards
• Lack of independent checks
• Lack of proper authorization on documents, and records
• Overriding existing controls
• An inadequate accounting system

Lack of Segregation of Duties
• Certain activities should not be performed by the same person or even by the same department.
• If different personnel are assigned the functions of cash receipts and accounts receivable, respectively, then the opportunity to commit accounts receivable fraud has been substantially reduced.
• Includes access to necessary accounting software modules.

Lack of Physical Safeguards
• Physical safeguards should be in place to protect the assets of an organization from theft or destruction.
• Cash and marketable securities should be secured in a locked vault.
• With access limited to approved personnel.

Lack of Independent Checks
• Independent checks serve as a deterrent because if people know that their work is being watched, then they won’t commit fraud.
• When this is not occurring or a review is conducted by a person who is not independent of the function, then the chances for fraud increase.

Lack of Proper Authorization on Documents, and Records
• Proper authorization and documentation is, and has always been a deterrent to fraud.
• Documents and authorization create an audit trail, and thus a deterrent.

Overriding Existing Controls
• When controls are overridden, especially when a pattern is found, a suspicion for fraud should exist.

An Inadequate Accounting System
• An effective accounting system will impede fraud because it provides an audit trail for discovery and makes it more difficult to hide.
• With a weak accounting system, identifying fraud or determining if there is fraud or errors becomes more difficult.

Documentation of Policies and Procedures

Minimum Suggested Documentation of Policies and Procedures
• Overview of procedure for each significant process (cash receipts and billing, cash disbursements, and payroll)
  – More detail the better
• Identify key controls in each process

Preventing Asset Misappropriation Through Internal Controls
Three major categories of employee fraud:
• Financial statement fraud,
• Asset misappropriations, and
• Corruption.

Asset Misappropriation Schemes
Can be broken down into two major categories:
• cash schemes (stealing money)
• non-cash schemes (theft or misuse of inventory and other physical assets)

Three Categories of Cash Frauds
• Skimming
• Fraudulent disbursements
• Cash larceny

Preventing Fraudulent Skimming and Disbursements
Four categories of skimming and fraudulent disbursements are:
• Billing schemes
• Check tampering
• Payroll schemes
• Expense reimbursement schemes

Billing Schemes
• Shell company schemes
• Not recording invoices sent to clients
• Fictitious services
• Overpriced services
• Personal items which the fraudster charges to the employer and bills client

What red flags are associated with billing schemes?
• No segregation of duties in the accounting, billing, and cash receipts function.
• Aged client accounts receivable.
• Duplicate payments to a vendor.
• Unexplained decrease in revenues.

How can billing schemes be prevented?
• Adequate segregation of duties in the billings, accounting, and cash receipt function.
• Periodically search for business licenses issued to entities with a similar name.
• Review appropriateness of any write-off of accounts receivable.
• Review aging of receivables.

Check Tampering Schemes
• Forged maker schemes
• Forged endorsement schemes
• Altered payee schemes
• Concealed check schemes
• Authorized maker schemes

What red flags are associated with check tampering?
• No segregation of duties in the check cutting function.
• Unusual or excessive number of journal entries to cash accounts.
• Excessive number of voided checks.
• Signatures on canceled checks that do not match the signature file.
• Cash account shortages.
• Any check payable to “cash” or non-payroll check payable to an employee.
• Cancelled checks that do not match postings in the disbursements journal.
• Out-of-sequence checks or duplicate check numbers on the bank statement.
• Payments to unknown vendors.
• Unexplained increases in expenses.
• Unexplained changes in vendor files such as temporarily changing the name or address.
• Cancelled checks that appear to have been printed on inferior stock.
• Cancelled checks with dual endorsements.
• Vendor complaints about non-payment.

Preventing check tampering
• Adequate segregation of duties in the disbursements function.
• Blank check stock should always be safeguarded and access restricted.
• Those who sign company checks should not have access to blank checks and should not post disbursements.
• Those who prepare checks for signature should not have access to checks after they have been signed.
• Maintain an approved vendor list.
• Checks should be mailed immediately after they are signed.
• The bank statement should be reconciled by someone who is independent.
• Access to vendor files should be restricted.
• Establish a threshold amount over which dual signatures are required on a check.
• Purchases should only be made with management approval.

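Several of the check tampering red flags and preventive controls above can be tested mechanically by whoever performs the independent bank reconciliation. The following is an added example, not part of the original presentation; the register layout, the vendor and employee names, and the 5,000 dual-signature threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample data; names, amounts and the threshold are illustrative.
APPROVED_VENDORS = {"Acme Office Supply", "Northern Courier", "City Utilities"}
EMPLOYEES = {"Pat Jones", "Lee Smith"}
DUAL_SIGNATURE_THRESHOLD = 5000.00

# Checks in the order they cleared on the bank statement.
REGISTER = [
    {"no": 1001, "payee": "Acme Office Supply", "amount": 412.10, "signers": 1, "payroll": False},
    {"no": 1002, "payee": "City Utilities", "amount": 893.55, "signers": 1, "payroll": False},
    {"no": 1003, "payee": "Cash", "amount": 300.00, "signers": 1, "payroll": False},
    {"no": 1004, "payee": "Pat Jones", "amount": 2100.00, "signers": 1, "payroll": True},
    {"no": 1005, "payee": "Lee Smith", "amount": 750.00, "signers": 1, "payroll": False},
    {"no": 1005, "payee": "Northern Courier", "amount": 75.00, "signers": 1, "payroll": False},
    {"no": 1042, "payee": "Apex Office Supply", "amount": 6200.00, "signers": 1, "payroll": False},
    {"no": 1006, "payee": "Northern Courier", "amount": 5400.00, "signers": 2, "payroll": False},
]

def red_flags(register, vendors, employees, threshold):
    """Return a sorted list of (check_no, flag) pairs for an independent reviewer."""
    flags = set()
    counts = Counter(c["no"] for c in register)
    prev = None
    for c in register:
        no, payee = c["no"], c["payee"]
        if counts[no] > 1:
            flags.add((no, "duplicate check number"))
        # A break in numbering is flagged both where it starts and where it ends.
        if prev is not None and no not in (prev, prev + 1):
            flags.add((no, "out of sequence"))
        prev = no
        if payee.strip().lower() == "cash":
            flags.add((no, "payable to cash"))
        elif payee in employees:
            if not c["payroll"]:
                flags.add((no, "non-payroll check to employee"))
        elif payee not in vendors:
            flags.add((no, "payee not on approved vendor list"))
        if c["amount"] > threshold and c["signers"] < 2:
            flags.add((no, "over threshold without dual signature"))
    return sorted(flags)

if __name__ == "__main__":
    for no, flag in red_flags(REGISTER, APPROVED_VENDORS, EMPLOYEES, DUAL_SIGNATURE_THRESHOLD):
        print(no, flag)
```

A flag is a prompt for review rather than proof of fraud: check 1042 is payable to a name that resembles an approved vendor but is not on the list, so the reviewer should examine it and its supporting documentation.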
Other schemes
• Payroll
  – Ghost employees
  – Falsified hours
• Expense reimbursement
  – Inflated or fictitious
  – Personal in nature
• Trust fund misappropriation
  – “Borrowing” money from trust fund
  – Taking money from trust before it is earned
  – Trust account theft
  – Failing to properly track client funds
    • Not putting client name on trust fund checks
    • Failing to maintain an individual ledger for each client
• Phishing
  – The act of attempting to acquire information such as usernames, passwords, bank or credit card account numbers, social security or other PII by masquerading as a trustworthy entity in an electronic communication.
  – Purporting to be IRS, banks, representatives of foreign governments.
  – Best method to combat: training to recognize phishing attempts.
  – Don’t assume spam software will prevent it.

Considerations for all Organizations Regardless of Size

Engaging the Partners
• In most small law firms, the dominance of the managing partner’s attitude and actions determines the effectiveness of control procedures and monitoring activities.

Engaging the Partners – Best Practices
• If successful in engaging, consider having the Partner perform the following:
  – Signing all checks with detail review of supporting documentation.
  – Determining or approving salaries and wages, reviewing payroll records periodically, and signing all paychecks.
  – Opening the mail.
  – Receiving bank statements directly and reviewing canceled checks and account activity.
  – Performing or monitoring credit and collection policies.
  – Handling inquiries from clients or vendors regarding their accounts.
  – Reviewing bank reconciliations
    • This should be performed timely and not saved for slow periods.

What to do When the Partners Will Not Engage

Make Use of All Firm Employees
• Use the receptionist to open the mail and log cash receipts.
• Use staff attorneys when appropriate.

Selecting the Right Employee
• Past Employment Verification
• Criminal Conviction Checks
• Drug Screening
• Reference Checks
• Education and Certification Verification
• Get the Consent of the Candidate

Safeguarding Networks and Accounting Systems
• Limit access to employees who need to work in system or module.
• Grant appropriate access rights.
  – Make use of read only rights when appropriate.
• Remote access should be controlled.
• Access should be revoked immediately for terminated employees.
• Utilize access and user logs when available.

Increasing the Perception of Detection
May well be the most effective fraud prevention method.
• Employee education
• Management oversight
• Dishonest acts will be punished
• Reporting activities
• Hotlines
• Rewards

Minimize Employee Pressures
• Open-door policies
• Employee support programs
• Management tone
• Ethics policy
• Pro-active audit policies
  – Increased use of analytical review
  – Fraud assessment questioning
  – Enforcement of mandatory vacations
  – Job rotation
  – Surprise audits

Ethics Program
• A written ethics policy is an excellent method by which management can objectively communicate its philosophy and develop a successful Ethics Program.
• The collection of a person’s beliefs and morals makes up a set of principles known as ethics.
• Ethics are the judgments about right and wrong or, more specifically, a person’s moral obligations to society that determine a person’s actions.

12 components are necessary to develop, implement, and manage a comprehensive ethics program:
1. Focus on ethical leadership
2. Vision statement
3. Values statement
4. Code of ethics
5. Designated ethics official
6. Ethics task force or committee
7. Ethics communication strategy
8. Ethics training
9. Ethics help and fraud report telephone line
10. Ethical behaviour rewards and sanctions
11. Comprehensive system to monitor and track ethics data
12. Periodic evaluation of ethics efforts and data

• Questions?

Thank you
Presented by: Daniel J. Rozema
KPMG LLP
907-265-1217
drozema@kpmg.com