Monday, March 03, 2008

Dissecting Fraud.

In a recent article about embezzlements, the author stated that “embezzlers are driven by insatiable greed.” Webster’s defines insatiable as “incapable of being satisfied; quenchless.” Perhaps there are some fraud perpetrators driven by such wild-eyed greed. Most fraud perpetrators, however, are motivated by other, less-crazed factors.

The Typical White-Collar Criminal
Studies have shown that fraud perpetrators come from all walks of life, have wide ranges of educational and socio-economic backgrounds and, on the surface, look like all of us. Most fraud perpetrators are simply ordinary people who (a) find themselves faced with unbearable financial pressure and (b) perceive the opportunity to relieve that pressure without getting caught. Professor Steve Albrecht of Brigham Young University theorizes that, because of the everyman nature of the typical fraud perpetrator, most frauds are characterized by a “fraud triangle.” The three legs of the fraud triangle are motive, opportunity (or perceived opportunity), and rationalization. This third leg is what allows ordinary people to justify what they are doing without having to admit their dishonesty to themselves. Frequently used rationalizations include “I’m only taking what they really owe me;” “Management is a bunch of creeps, so I’m just giving them what they deserve;” “Everyone does it;” and the old stand-by, “I’m not stealing, I’m borrowing the money, and I’ll pay it back.” (A 62-year-old bookkeeper was recently found to have embezzled more than $1.4 million dollars. Despite her $38,000 per year income, she steadfastly insisted that she always planned to pay the money back. Using her full salary, it would have taken her 37 years to pay back the stolen money—not counting any interest on that debt, of course.)

So, Why Aren’t More Frauds Prevented?
Every auditor knows that most frauds can be prevented. Using Dr. Albrecht’s fraud triangle, the solution is seemingly simple. The one leg of the triangle that organizations can exert almost complete control over is opportunity. Take away the perpetrator’s opportunity and no matter how great the financial pressure (or even the insatiable greed), and the fraud won’t happen in your organization. So, as Ross Perot would say, “It’s just that simple.”
The problem is that the only way to remove opportunity is by installing and enforcing a strong system of internal control. There are three barriers to getting many organizations—especially small organizations—to focus on and devote necessary resources to strong control systems.

“It can’t happen here.”
Good managers are usually optimists. They don’t dwell on what might go wrong. If they focus at all on the risk of fraud, they usually conclude that it happens elsewhere, to other people. Unfortunately, the strongest believers in sound systems of internal control (besides auditors, of course) are often managers who learned their lessons the hard way—by being victimized.

“We only hire people we can trust.”
Many managers believe that the best guarantee against fraud is to hire trustworthy people. Certainly, it is wise to hire people you think you can trust. (If you doubt that, just consider the alternative). The problem is that it is impossible to assess with even partial accuracy any individual’s innermost thoughts, ethics, personal values, motives, and pressures. Further, even the most trustworthy individual’s circumstances may change to the degree that financial pressures become unbearable. Few things are more tragic and organizationally demoralizing than the discovery that someone in whom everyone had placed their trust has violated that trust. Several years ago, Ellen Cook was found to have embezzled $1.2 million dollars from the Episcopal Church’s national office. That organization has still not fully recovered from the resulting upheavals, guilt, accusations, trauma, and recriminations caused by that betrayal of trust.

Internal Control is Boring
Let’s face it. We all know that a discussion about internal control is one of the least interesting things auditors do, and probably the most uninteresting thing managers ever hear. (Would you have read this article if its title had been “Dissecting Internal Control Breakdowns”?) Internal control weaknesses are so commonplace and predictable that auditors keep a supply of standard findings on their computers to insert effortlessly into their reports. Managers know that the exit conference is all but over as soon as the auditors mention internal control findings.

A Case Study that Explains the Most Important Reason for Strong Controls
Ask any auditor or manager why internal control is important. Most will tell you that internal control is needed in order to prevent errors, irregularities, and fraud. There is, however, a much more important reason. Consider the following case study.

Recently, an audit of a small not-for-profit organization revealed that the organization had disbursed more than $177,000 to a vendor for supplies and services not provided. An investigation was initiated. Long before the investigation was completed, the following occurred:

*The executive director (who had recommended using the vendor and who had approved all of the bogus payments) was asked to resign. She never held another position of trust in any organization.
*The chief financial officer (who had signed the vendor contract and who maintained total control over the accounting function) resigned before being asked to resign. Under a cloud of suspicion, he retired soon thereafter and never sought another position of responsibility.
*The board chairman and all of the directors were forced to resign by the organization’s largest donor for failing to carry out their fiduciary responsibilities properly. None of them was ever asked to serve on another board.
*The CPA firm that discovered the improper payments was sued by the not-for-profit. (Although the firm found the improper payments in its most recent audit, it had failed to find similar improper payments in prior years.) The firm’s reputation was damaged, its liability insurance premium was tripled, the partner-in-charge of the audit was asked to resign, and many of the firm’s employees sought employment elsewhere.
*The vendor lost its four largest customers and declared bankruptcy not long afterwards.

Following a lengthy (and expensive) investigation, it was discovered that the vendor had had significant turnover in its bookkeeping department. One of the bookkeepers had programmed the accounting software to replicate invoice information, automatically including the invoice amount. Subsequent bookkeepers didn’t understand that they only needed to change invoice amounts to generate new invoices; they entered completely new invoices each month, and the automatically replicated invoices also got printed and mailed. The not-for-profit had poor controls surrounding invoice approvals. The executive director approved the invoices assuming that the CFO had ascertained that they were proper. The overworked CFO never bothered to routinely assure that all of the invoices were for goods and services received. The board had infrequent meetings and only focused on program performance. The CPA firm viewed the audit engagement as low risk. (The firm steadfastly maintained that none of the improper payments were material under the audit approach they used.) The vendor’s owner focused all of his attention on customer service and ignored accounting details as long as cash flow was positive.

In retrospect, as far as anyone could ever determine, everyone involved was impeccably honest. Nevertheless, all involved were subjected to suspicions of dishonesty—and their reputations and careers were ruined—simply because the lack of controls placed them all in positions where they could have been involved with the improper payments. They had opportunity.

Lessons Learned
We will have greater success convincing managers that controls are important if we explain that the most important reason they should establish and enforce strong control systems is to protect honest employees from unwarranted suspicion of wrongdoing. Most competent managers sincerely care about their employees. If we can get them to see and understand this most important reason for strong controls, they may give controls the attention they deserve. Furthermore, if employees can be made to understand the risky positions they are in if their organizations do not protect them by having sound controls in place, they will insist that the organizations take corrective action.

Dave Cotton is managing partner of Cotton & Company LLP in Alexandria, Virginia, a member of the VSCPA Litigation Services Committee, and author of Fraud in Governmental and Not-for-Profit Audits—the Auditor’s Responsibilities Under SAS 82, an AICPA continuing professional education course.

6 comments:

Anonymous said...

Not boring at all. Thanks, Mark.

We all want supervisors who can take into account the effect of their actions or who will act when the problems of the workplace are pointed out to them.

We just want them to solve problems, not create more. If they can't do that, they "should go someplace else."

Anonymous said...

Marla and Nick,
So you can't find the paper work. I would think you two should start looking for it!
This hole thing looks like racketeering to me!

Anonymous said...

Marla claims that the auditors have the paperwork they have been looking for. Is that right missy? Then why won't the auditors leave you alone? Request #3? Stop lying. The warehouse should have the paperwork the auditors are looking for. Thats where all the stored records are,right? Unless they've been shredded. Evil B!+(h.

Anonymous said...

With regard to the piano "scam", the auditors were looking into it as part of the "citizens concerns" investigation over the last couple of weeks they were at the ESC. Their requests for original documents on this went unfulfilled due to these originals no longer existing in any of the last 4 years of files. The former administrative assistant to Ms Miller spent a good deal of her time prior to her surprising early retirement shredding reams of paperwork. Ms Miller insisted that she had made copies of everything relating to this piano purchase and had provided them in a packet for the auditors. This information was not included in the file the auditors were given however, no matter how much Ms Miller insists it was. I believe we are left to conclude that these original documents providing proof as to who authorized the double payment of pianos to the "tune" of thousands of dollars (there was even an attempt to pay for them a 3rd time that was successfully halted in defiance of the insistence by Manny Juzon that the purchase go through) have mysteriously disappeared, probably during the mass shredding of what can now only be referred to as evidence. Again, if you're not guilty of anything then important documents should not go "missing". If you are not guilty of anything why do you lie about providing information to auditors and why do you continue to act so nervously?

Anonymous said...

Shes gaining weight as we speak. Comfort food? She should invest in a Hostess Depot!

Anonymous said...

I wonder if some smart employee realized the scam and made copies just in case. Auditors should talk to all BS employee maybe the documents are filed under JUST IN CASE file!!! After all we need to cover our butts working for the district.