Effective Internal Controls for Small Businesses


Publication Date: April 2017

Copyright © 2016 by

Mill Creek Publishing LLC

P.O. Box 11, Zionsville, IN 46077

Updated March, 2017

All rights reserved. No part of this course may be reproduced in any form or by any means, without

permission in writing from the publisher.

The author is not engaged by this text or any accompanying lecture or electronic media in the rendering

of legal, tax, accounting, or similar professional services. While the legal, tax, and accounting issues

discussed in this material have been reviewed with sources believed to be reliable, concepts discussed

can be affected by changes in the law or in the interpretation of such laws since this text was printed. For

that reason, the accuracy and completeness of this information and the author's opinions based thereon

cannot be guaranteed. In addition, state or local tax laws and procedural rules may have a material impact

on the general discussion. As a result, the strategies suggested may not be suitable for every individual.

Before taking any action, all references and citations should be checked and updated accordingly.

This publication is designed to provide accurate and authoritative information in regard to the subject

matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal,

accounting, or other professional service. If legal advice or other expert advice is required, the services of

a competent professional person should be sought.

--From a Declaration of Principles jointly adopted by a committee of the American Bar Association and a

Committee of Publishers and Associations.

Contents

Learning Objectives
Course Introduction
Fundamental Operational Controls
    Segregation of Duties
    Cash Disbursements
    Cash Receipts
    Accounts Receivable
    Accounts Payable
    Inventory
Fundamental Accounting Controls
Fundamental Internal Control Environment
Case Study – Koss Corporation
Other Factors to Consider
    Controls over Information Technology
    HR Procedures
    Risk Assessment
Review Questions
Glossary
Index
Exam Questions
Answers to Review Questions

Learning Objectives

Upon completion of this course, you should be able to:

• Identify and define appropriate internal controls for a small business entity

• Define ways to overcome lack of segregation of duties

• Associate certain internal controls with the prevention or detection of fraud

• Identify where multiple approval levels may be appropriate in the cash disbursement process

Course Introduction

Small business enterprises sometimes take the position that effective internal controls cannot be

achieved. There aren’t enough employees for adequate segregation of duties. Many, if not most, have

no internal audit function. However, even within the confines of these and other challenges, small

businesses can achieve an effective internal control structure.

To overcome an inability to segregate duties as well as other issues, small businesses must look for

mitigating controls. The most pervasive mitigating control is the direct oversight of management. This

oversight may take the form of financial statement review, approving disbursements, signing checks as

well as other review processes. While there are other considerations as to whether the oversight of

management may mitigate a lack of segregation of duties and other internal control challenges, if done

correctly, this is one of the best ways to overcome these inherent issues.

There are internal control fundamentals that are appropriate for small businesses. This course discusses

fundamental operational and accounting controls and also reviews the optimal company culture for an

effective internal control environment.

Fundamental Operational Controls

Segregation of Duties

Achieve the best segregation of duties possible

In a small business setting, there is a high likelihood of overlapping responsibilities. The accounts

payable position may also reconcile certain balance sheet accounts and prepare journal entries. A

person tasked with cash application of accounts receivable may function as the backup to the accounts

payable person. The accounting manager or controller may be involved in the entire process, from

beginning to end.

It is important to have the best segregation of duties that can possibly be achieved, given operational

constraints. Remember, internal controls are a company-wide effort and are not the sole responsibility

of accounting personnel. Senior management from another function may also be involved in the

internal control process as an informed reviewer. An informed reviewer must have an understanding of

the business process, but does not need to be an expert. Enough knowledge to ask meaningful

questions when something does not make sense is all that is required. Senior management in most

small businesses should be able to function as an informed reviewer in most areas.

The involvement of senior management in the internal controls process is essential when proper

segregation of duties cannot be otherwise achieved. Within the ranks of senior management, it is

important to also attempt to segregate duties as much as possible. If the company has a CFO, he or she

should not be the person ultimately responsible for reviewing everything. Review and authorization of

disbursements may be delegated to an operations executive or the President as these people should

have adequate knowledge to be an informed reviewer. Similarly, the review of accounts receivable

balances and aging may also fall to an operations executive or the President as, once again, each could

function as an informed reviewer.

Reviews of cash reconciliations and account reconciliations may need to fall to the CFO in this example

as he or she would be the most likely to understand the reconciliation process and challenge any

reconciling items. If the reconciling items are not subjected to informed scrutiny and review, the

reconciliation process is no longer a control.

This is the most important point of attempting to achieve segregation of duties in a small business.

Management review must be performed by management who are both able and willing to challenge

items that are unusual. Without any questions, any internal control achieved is rendered useless.

Within the context of the examples provided earlier, if the accounts payable person also has journal

entry responsibilities and balance sheet account reconciliation responsibilities, that person should not

be involved in any journal entries related to accounts payable nor should that person reconcile the

accounts payable or cash balance sheet account. That responsibility should fall upon the accounting

manager or controller or, if any of these positions are extensively involved in the process, a senior

manager who can act as an informed reviewer should be involved to achieve the control objective. The

cash application person who acts as the backup to accounts payable should also have no responsibility

for any journal entries or account reconciliation related to either accounts payable or accounts

receivable. Each person’s ability to adjust individual customer or vendor accounts should also be

limited.

In the case of an accounting manager or controller who does everything from beginning to end,

involvement of senior management is essential. The controller who is extensively involved in all

accounting activities should only be able to approve minor disbursements, with larger disbursement

approval delegated to key managers and senior executives in amounts appropriate for their

responsibilities. Material amounts should require dual approval. Check signing, approval of ACH

disbursements and wire transfers should also be separate from the accounting manager or controller’s

duties in this case. These duties should fall to other members of senior management with material

amounts requiring two levels of authorization. A banking partner will be able to assist in establishing

the approval authority hierarchy for your checking account.

Balance sheet account reconciliations should be reviewed by the CFO or another informed reviewer.

The reconciliation of the cash account should have particular scrutiny. All accounts reviewed should be

signed by the reviewer to evidence the procedure. The President or other member of senior

management should review agings of accounts receivable for reasonableness. Manual journal entries

should be reviewed by the CFO or other informed member of senior management and there should be a

detailed financial statement review by the CFO, if applicable, and President for both reasonableness and

comparison to a budget or plan. Any variances noted should be explained.

By involving more than just accounting personnel in the internal control process, it is possible to

mitigate problems with segregation of duties. It is important to select people who are both willing and

able to provide the mitigating controls. Willingness is evidenced by the actual performance of the

procedure. Ability generally means that the person has the knowledge and background to act as an

informed reviewer. As stated earlier, if the person reviewing the cash account reconciliation has no idea

whether a reconciling item is valid and only looks to see that the two amounts at the bottom are the

same, any potential control becomes ineffective.

In small businesses, the high risk areas are cash disbursements, cash receipts, accounts receivable,

accounts payable and inventory. Internal controls over these areas are discussed in detail in the

following sections.

Cash Disbursements

Have a written contract and disbursement approval policy and stick to it

A written contract and disbursement approval policy ensures that everyone understands who in the

organization is able to enter into contracts on behalf of the company and approve expenditures.

Regarding entering into contracts, this ability should be limited within the organization. A contract binds

the company. Accordingly, the ability to enter into contracts should be limited to senior management of

the organization. This will ensure that any contract aligns with organizational objectives and is

subjected to the appropriate review by company counsel to ensure that the terms are in the best

interest of the organization. You want to be very careful about whom you permit to sign contracts. If this

ability is not controlled, you could wind up with a binding legal agreement, not in your company’s best

interest, in which your organization is still legally obligated to pay the contract amount.

For the disbursement approval, it is important to align the approval process with the appropriate

responsibilities and organizational level. You don’t want the VP of Sales, who may have no idea what is

being spent on facilities repair and maintenance, to be the first approver of facilities related invoices.

Ideally, you want the person who manages the process or who is authorized to negotiate with the

vendor as the first approver.

The first approver will attest that the service contracted for is complete and satisfactory or the items

ordered have been delivered and are satisfactory. For material amounts, you’ll also want a second

approver.

What is a material amount? This varies by organization. It is the amount that the organization considers

to be important relative to its sales and profits as well as organizational culture. This amount is a

subjective determination. Some entities pick an amount such as $2,000 and anything above that

amount requires second approval. Others may select an amount that is higher or lower. It depends on

the risk tolerance of the organization.

The second approver should approve any invoice that is material as specified on the written

disbursement approval policy. This person should be in a senior management position and give the

invoice a “sanity test” to ensure that the disbursement makes sense. It should also be someone who

isn’t scared to ask questions.

Returning to the facilities example, if the maintenance manager just approved an invoice for $10,000 for

lawn mowing for one month on your 0.5 acre front yard, this may trigger some questions. Why is it so

high? Could there be a kickback arrangement between the facilities manager and the mowing service?

Is this in accordance with the original agreement? Was the original agreement entered into by an

authorized member of management?

Require two check signers for larger checks and restrict approval of wire transfers and ACHs

Even after all invoices have the required approvals, it is still a good idea to have controls over the actual

checks going out the door. It provides an extra layer of review. Check signers should be senior

members of management.

Larger checks, those that are material, should have two signatures. The material amount to be used is

subjective and should be dictated by the risk tolerance of the organization. Once again, this provides an

extra layer of review. The recommendation of using senior management results from the expectation

that senior management will not hesitate to ask questions regarding a check amount or payee that is

not understood or reasonable.

In addition to an extra layer of review over the disbursement process, this also ensures that controls

over disbursement authority are functioning as designed. Authorized check signers should also review

the associated invoices for proper approval when signing checks. While this places an additional burden

on an accounts payable employee to organize the invoices by check number, it is worth it for the extra

level of control provided.

Only certain senior managers should have the ability to approve wire transfers. Once wires have been

approved, the money is gone. Working with your depository bank, there should be adequate controls

over wire transfers that separate the ability to initiate a wire from the ability to approve a wire and

require more than one approver in the event of a material amount. The ability to approve a wire

transfer should be password controlled. Who may approve wires and in what amounts should be

outlined clearly on the disbursement approval policy.

If payments are made by ACH, there should be controls similar to wire approval over ACH batches. The

ability to initiate an ACH should be separate from the ability to approve an ACH batch. Only senior

management should have the ability to approve ACH batches and the approval should be outlined on

the disbursement approval policy.

Possible Banking Controls - The company’s bank may offer an ACH fraud control feature. If this is

available, it is very effective at preventing both internal and external ACH fraud. Generally, this feature

uses an approved ACH vendor list and a maximum approval amount. If the entity to whom the ACH

payment is being remitted is not on the list or the amount exceeds the maximum approved amount, the

ACH payment is placed in a hold status pending review. To be paid, a designated member of

management must release the ACH payment. This deters those external thieves who will try to debit an

account once the routing and account number is known to them.
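
The wire and ACH rules above (separate initiator and approver, two approvers for material amounts, a bank-side approved vendor list with a maximum amount) written as a release check. This is an added example, not part of the course material; the approver limits, vendor caps and names are constructed, and the $2,000 material amount is the illustrative figure mentioned earlier in the text.

```python
from dataclasses import dataclass, field

# Constructed policy values for illustration; a real policy sets its own.
APPROVAL_LIMITS = {"president": 250_000, "cfo": 100_000, "ops_vp": 25_000}
MATERIAL_AMOUNT = 2_000  # payments above this need two approvers
ACH_VENDOR_CAPS = {"Acme Supply": 15_000, "City Utilities": 3_000}


@dataclass
class Payment:
    kind: str        # "wire" or "ach"
    payee: str
    amount: int      # whole dollars
    initiator: str
    approvers: list = field(default_factory=list)


def release_decision(p):
    """Return (status, reasons); status is "release", "hold" or "reject"."""
    reasons = []
    approvers = set(p.approvers)

    # Initiating and approving must be done by different people.
    if p.initiator in approvers:
        reasons.append("initiator also approved")

    # Every approver must appear on the policy and be within their limit.
    for name in sorted(approvers):
        limit = APPROVAL_LIMITS.get(name)
        if limit is None:
            reasons.append(f"{name} is not an authorized approver")
        elif p.amount > limit:
            reasons.append(f"amount exceeds {name}'s limit")

    # Material amounts need two approvers, not counting the initiator.
    needed = 2 if p.amount > MATERIAL_AMOUNT else 1
    independent = approvers - {p.initiator}
    if len(independent) < needed:
        reasons.append(f"needs {needed} independent approver(s)")

    if reasons:
        return "reject", reasons

    # Bank-side ACH control: an unlisted payee or an amount over the cap
    # is held until a designated manager releases it.
    if p.kind == "ach":
        cap = ACH_VENDOR_CAPS.get(p.payee)
        if cap is None:
            return "hold", ["payee not on approved ACH vendor list"]
        if p.amount > cap:
            return "hold", ["amount exceeds approved ACH maximum"]

    return "release", []
```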

Control access to checks and account for the pre-numbered sequence of checks

By locking up checks and only permitting limited authorized members of senior management access, the

likelihood of a check being written without authorization is reduced. Checks should be kept in a locked

file cabinet, closet or any other location that can be secured. Anyone charged with creating checks

should not have access. Access should be limited to a few members of senior management who only

provide the number of checks requested for cash disbursements.

During the bank account reconciliation process, the pre-numbered sequence of checks should be

examined. If checks are maintained in the pre-numbered order, access is limited, and only those checks

necessary for disbursements are provided, then all checks cashed should be in a pre-numbered

sequence. Any out-of-sequence checks should be investigated.

This further highlights the importance of someone independent of the disbursement function

reconciling the cash account. Cash reconciliation controls are discussed later in the course.

Possible Banking Controls - Another useful feature offered by many banks is Positive Pay. This feature

permits you to upload check information into the systems of your company’s bank. When checks are

paid, the uploaded information is compared to the actual check being processed. Any mismatches are

not paid and are reported to the company. This stops check forgers, who may print a check using your

company’s banking information, as well as someone who may have stolen check stock.
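
The sequence check and the Positive Pay comparison described above, run together over a bank statement at reconciliation time (the bank's Positive Pay service makes the payee and amount comparison before paying). This is an added example, not part of the course material; the check numbers, payees, amounts and finding labels are constructed.

```python
# Constructed sample data. Amounts are in cents.
RELEASED = range(1001, 1007)   # check numbers handed out from locked stock
REGISTER = {                   # what the disbursement system recorded
    1001: ("Acme Supply", 125000),
    1002: ("VOID", 0),
    1003: ("City Utilities", 48210),
    1005: ("Lawn Pros", 30000),
}
CLEARED = [                    # items paid per the bank statement
    (1001, "Acme Supply", 125000),
    (1002, "Cash", 20000),
    (1003, "City Utilities", 98210),
    (1004, "J. Smith", 500000),
    (2200, "Acme Supply", 1000),
]


def reconcile_checks(released, register, cleared):
    """Return a sorted list of (check_number, finding) to investigate."""
    findings = []

    # Every check released from stock must be recorded as written or voided.
    for number in released:
        if number not in register:
            findings.append((number, "UNACCOUNTED"))

    paid = set()
    for number, payee, cents in cleared:
        if number in paid:
            findings.append((number, "DUPLICATE"))
            continue
        paid.add(number)

        # A paid number outside the released stock suggests forged or
        # stolen check stock.
        if number not in released:
            findings.append((number, "OUT_OF_SEQUENCE"))

        issued = register.get(number)
        if issued is None:
            findings.append((number, "NOT_ISSUED"))
        elif issued[0] == "VOID":
            findings.append((number, "VOID_PAID"))
        elif issued != (payee, cents):
            findings.append((number, "MISMATCH"))  # payee or amount altered
    return sorted(findings)
```

Check 1005 produces no finding: it was issued and is simply still outstanding.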

Payroll

In many businesses, the cost of labor is a significant cost. Payroll disbursements should be reviewed by

an independent member of management prior to payment. The review should include hours, rate and

any overtime, bonuses and incentives paid. The review should be for both overpayment and

underpayment. However, the focus should be on overpayment since employees tend to tell you very

soon if there has been an underpayment while overpayments are seldom reported. The member of

management performing this review should be an informed reviewer. The individual should have

adequate knowledge to review hours, rates, bonuses and incentives. He or she does not need to know

exactly how many hours each person worked, but should check for proper approval of hours and rate

and have just enough knowledge to challenge an entry that may not make sense.

The setup of new employees should be an independent function, if possible. If not possible, the payroll

reviewer should have a knowledge of employee names to ensure that there are no employees being

paid who are not working. This is a fraud scheme known as a “ghost employee” scheme which is

normally perpetrated by a person who can both establish new employees and also has access to payroll.

The ghost employee’s pay usually winds up with the fraudster.

Cash Receipts

If not a retail environment, log all incoming checks and reconcile the deposit to the log or use a

lockbox for receipts

If you have accounts receivable, how do you ensure that all incoming receipts are properly deposited

and applied to accounts receivable? If you have actual cash receipts, how do you ensure that all cash

makes it to the bank and is properly applied to any accounts receivable? The answer to this question is

to use a dedicated person, unrelated to the cash application process, to log cash and checks as they are

delivered. The daily log of cash and checks should be compared to the daily deposit to ensure that all

monies received made it to the bank.

If your company has a receptionist, this is a good person to use. This job is unrelated to reconciling cash

as well as accounts receivable. If you do not have a receptionist, a person whose job functions do not

entail reconciling cash or posting accounts receivable should work. This is an attempt to segregate this

duty from accounting personnel.

Having an independent person create a log of cash receipts provides a control that the amounts

received are actually deposited in the bank. A person who had access to accounts receivable records

could divert checks or take cash and then fabricate accounts receivable transactions to cover up the

missing funds. From a financial accounting standpoint, this is a good control to ensure that all cash

receipts are deposited and a proper accounting is performed. Comparison of the bank deposit to the

daily credit in accounts receivable will ensure that all amounts deposited have credited accounts

receivable. Periodic statements should be sent to customers to ensure that the correct amounts were

credited to customer accounts and any complaints regarding customer balances should be investigated

by management and resolved timely.

A bank lockbox also serves very well for this control. When using a bank lockbox, the payment is

remitted directly to the bank and independent bank personnel aggregate the payments, deposit them

and apply them to the customer account based on remittance forms that accompany the payment.

If a retail environment, have a process to ensure that all cash receipts get into the cash register and

reconcile cash register totals to the deposit

In a retail environment, the essential control is that all sales make it to a cash register. As long as this

happens, there is a good total against which daily receipts may be reconciled. Without a daily total of

receipts, there is no way to ensure that all goods that were purchased had accompanying payment.

Have you ever seen a note to customers at a retail cash register that said “If you are not provided a

receipt for this transaction, please contact John Doe at xxx-xxx-xxxx. You will be provided a coupon for a

free meal.” Why is this there? It is a control that uses the customer to help ensure that all receipts

make it into the cash register. A customer has the incentive of a free meal if he or she is not provided a

receipt. A receipt evidences that the transaction was entered into the cash register.

A cash transaction that doesn’t make it into the cash register is likely to wind up in the pocket of an

employee. This customer control is a good one for a retail environment. If you’re comfortable that

receipts are in the cash register, then the cash totals of that register, less any initial change put in at the

beginning of the day, should equal the day’s cash sales on the register totals. You may arrive at cash

sales by accumulating total sales, then deducting credit card sales and any checks that may be in the

register till. Employees should be held responsible for any cash over/under situations that are

encountered as part of this comparison.

Some concession stand operators have used cups and containers as a tool. As an example, if a

concession stand sells soft drinks and sells large drinks for $5 and small drinks for $3, you know that if

100 large cups and 200 small cups were used during the day, the total receipts should be $1,100 (100 x

$5 plus 200 x $3). Making the employees responsible for the cups used and comparing cups used to

cash register totals ensures that no product is given away to friends and also ensures that there is an

accounting for all sales.

For retail, there are other controls that may be utilized such as visual monitoring using cameras. These,

too, are effective. However, the simple control of providing an incentive to customers who are not

provided a receipt is both inexpensive and effective.

Accounts Receivable

Send periodic statements to customers

Customer statements are the best control over accounts receivable. Customers will complain if the

balance is misstated and these complaints should be directed to a member of senior management. A

review of account aging will also help in this regard. If an account receivable is past due when the

customer thinks it’s current or a member of senior management thinks that the account should be

current, you may have a lapping scheme going on.

In lapping, an employee may take a payment from customer A. To conceal the theft, the employee posts

a subsequent payment made by customer B to customer A’s account. Then, a payment made by

customer C will be posted to customer B’s account. It is a fraud that requires a lot of manual work on

the part of the employee. Most lapping schemes are detected when the employee orchestrating the

scheme leaves or goes on vacation. At any periodic statement or financial reporting cutoff, customers

who are not really past due will be reflected as past due.
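
How the independent receipt log from the Cash Receipts section exposes the lapping pattern just described, by comparing the log with bank deposits and with accounts receivable postings. This is an added example, not part of the course material; the data is constructed and it assumes each posting records the reference of the check it applies.

```python
from collections import defaultdict

# Constructed sample. Tuples are (day, party, check_ref, cents).
RECEIPT_LOG = [   # written by someone outside cash application
    ("04-03", "Customer A", "501", 100000),
    ("04-03", "Customer D", "777", 40000),
    ("04-05", "Customer B", "612", 100000),
    ("04-08", "Customer C", "903", 100000),
]
AR_POSTINGS = [   # credits entered by the cash application clerk
    ("04-03", "Customer D", "777", 40000),
    ("04-05", "Customer A", "612", 100000),
    ("04-08", "Customer B", "903", 100000),
]
DEPOSITS = {"04-03": 40000, "04-05": 100000, "04-08": 100000}


def deposit_shortfalls(receipt_log, deposits):
    """Days on which the logged receipts do not equal the bank deposit."""
    logged = defaultdict(int)
    for day, _payer, _ref, cents in receipt_log:
        logged[day] += cents
    return {day: total - deposits.get(day, 0)
            for day, total in sorted(logged.items())
            if total != deposits.get(day, 0)}


def misapplied_receipts(receipt_log, ar_postings):
    """Logged checks never posted, or credited to someone other than the payer."""
    credited_to = {ref: customer for _day, customer, ref, _cents in ar_postings}
    findings = []
    for _day, payer, ref, _cents in receipt_log:
        customer = credited_to.get(ref)
        if customer != payer:
            findings.append((ref, payer, customer))  # customer is None if unposted
    return findings


def understated_customers(receipt_log, ar_postings):
    """Customers credited with less than they paid: the ones who will
    show as past due on a statement although they are not."""
    paid, credited = defaultdict(int), defaultdict(int)
    for _day, payer, _ref, cents in receipt_log:
        paid[payer] += cents
    for _day, customer, _ref, cents in ar_postings:
        credited[customer] += cents
    return {c: paid[c] - credited[c] for c in sorted(paid) if credited[c] < paid[c]}
```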

Produce aging reports of accounts receivable with a management review

If controls are in place to assure that receipts are deposited and posted to accounts receivable, the

question becomes how to know if the detail balances in accounts receivable are properly stated. A

periodic review of customer aging by senior management should help to answer this question.

Questioning a past due balance by a member of senior management may result in contacting the

customer to verify the past due status. If the information does not corroborate a past due status or the

customer insists that the balance is really current, then more investigation is necessary. Improper

agings could be indicative of a fraud scheme or could also be indicative of sloppy posting procedures and

poor financial controls.

Review of the account agings by senior management who ask questions will help detect both

misstatement of customer balances and any defalcation schemes. The key in this instance is to ask the

appropriate questions. If, after review, it turns out that there really are old accounts receivable

balances, this will also point out the need for an accounting adjustment to properly reflect any risk of

customer nonpayment on the financial statements.

Control access to account credits and write-offs

In a payment diversion scheme, customer payments are diverted to an employee’s bank account and

then credited off the customer’s account. To make this scheme work, an employee must have access to

customer funds and also be able to generate customer account credits or write off customer balances.

From both a fraud prevention standpoint as well as a financial control standpoint, the ability to generate

account credits and write offs should be independent of the cash application process. A report of

credits and write-offs should also be produced that is reviewed by senior management.

Accounts Payable

Review and approve vendors

You only want to pay vendors that have been approved. With unapproved vendors, you run the risk of

shoddy products or service as well as less favorable pricing and terms. All vendors should be approved

by a member of senior management. The process of adding a vendor should be controlled by someone

separate from the day to day accounts payable operation or the approved vendor list should be

periodically reviewed by a knowledgeable member of senior management. A vendor approval process

with separate personnel setting up vendors or a periodic review of vendors is necessary to ensure that

all vendors provide the optimum service and price to the organization.

From a fraud prevention viewpoint, an unapproved vendor may be a means of employee theft. If the

person who cuts the checks is able to set up a vendor, that individual could easily set up a vendor

company that is controlled by him or her and issue payments. While this may be caught during the

invoice review or check signing process, it is a better preventative control to limit access to vendor

setup.

Review invoices for proper approval prior to payment

When signing checks, it is suggested that the authorized signers review the associated invoices for

proper approval. This ensures that all invoices being paid have been properly approved by an

authorized person. If this control is performed, the members of senior management who function as

check signers perform two controls in one process. There is a second review of disbursements for

reasonableness and there is an overall review that all disbursements are properly authorized.

Only pay from original invoices

If you have an accounts payable system that detects and highlights a duplicate invoice number, this

control may not be necessary. However, paying from only original invoices lessens the likelihood of

duplicate payment of the same invoice to the same vendor.

Inventory

Separate the issuance of purchase orders from receiving

When purchasing inventory, the authorization of the purchase in the form of a purchase order should be

separate from the receiving function, which attests that the purchased inventory was physically received.

This helps to ensure that inventory ordered is actually received. If this process was controlled by the

same person, inventory could be ordered and recorded as received, but not actually make it into the

warehouse due to theft.

Before paying for inventory, match to P.O., receiver and invoice

This matching of the purchase order, receiver and invoice assists in the prevention of fraud and is also a

financial accounting control. As long as the receiving function is separate from the purchasing function,

you have assurance that the purchase was authorized, was physically received by the company in the

correct items and quantity as authorized by the purchase order. If this information is then matched to

the invoice and the invoice prices also match the purchase order, it should be paid as the authorized

items and quantities have been delivered at the agreed upon prices.

While this serves as an effective control against fraud, there is also a financial accounting control. This

helps ensure that all purchases have been properly authorized and lessens the likelihood that

unauthorized shipments from vendors will be received and wind up as overstock, excess or obsolete

inventory.
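The matching step described above, combined with the duplicate invoice number check mentioned under "Only pay from original invoices", can be expressed as a pre-payment check. The following Python example is added here and is not part of the original course; the record layouts, field names, exception wording and sample documents are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    number: str
    vendor: str
    issued_by: str
    lines: dict          # item -> (quantity ordered, agreed unit price)


@dataclass(frozen=True)
class Receiver:
    po_number: str
    received_by: str
    quantities: dict     # item -> quantity physically counted in


@dataclass(frozen=True)
class Invoice:
    number: str
    vendor: str
    po_number: str
    lines: dict          # item -> (quantity billed, unit price billed)


def invoice_key(vendor, number):
    """Normalize so a re-keyed or faxed copy still collides with the original."""
    return (vendor.strip().lower(), number.strip().upper())


def match_for_payment(invoice, purchase_orders, receivers, paid_keys):
    """Return a list of exceptions; an empty list means the invoice may be paid."""
    exceptions = []
    if invoice_key(invoice.vendor, invoice.number) in paid_keys:
        exceptions.append("duplicate invoice")
    po = purchase_orders.get(invoice.po_number)
    if po is None or po.vendor != invoice.vendor:
        exceptions.append("no matching purchase order")
        return exceptions
    received = {}
    for r in receivers:
        if r.po_number != po.number:
            continue
        # Purchasing and receiving must be performed by different people.
        if r.received_by == po.issued_by:
            exceptions.append("receiver signed by PO issuer")
        for item, qty in r.quantities.items():
            received[item] = received.get(item, 0) + qty
    if not received:
        exceptions.append("no receiver on file")
    for item, (billed_qty, billed_price) in sorted(invoice.lines.items()):
        if item not in po.lines:
            exceptions.append(f"{item}: not on purchase order")
            continue
        ordered_qty, agreed_price = po.lines[item]
        if billed_price != agreed_price:
            exceptions.append(f"{item}: price differs from purchase order")
        if received.get(item, 0) > ordered_qty:
            exceptions.append(f"{item}: received more than ordered")
        if billed_qty > received.get(item, 0):
            exceptions.append(f"{item}: billed more than received")
    return exceptions


# Constructed sample documents (not real data).
PURCHASE_ORDERS = {
    "PO-1001": PurchaseOrder("PO-1001", "Acme Supply", "buyer_1",
                             {"widget": (100, Decimal("2.50")),
                              "bracket": (40, Decimal("1.10"))}),
    "PO-1002": PurchaseOrder("PO-1002", "Acme Supply", "buyer_1",
                             {"gasket": (10, Decimal("4.00"))}),
}
RECEIVERS = [
    Receiver("PO-1001", "dock_1", {"widget": 100, "bracket": 40}),
    Receiver("PO-1002", "buyer_1", {"gasket": 10}),   # same person as the buyer
]
PAID_KEYS = {invoice_key("Acme Supply", "INV-700")}

if __name__ == "__main__":
    sample = Invoice("INV-779", "Acme Supply", "PO-1001",
                     {"widget": (120, Decimal("2.75"))})
    for problem in match_for_payment(sample, PURCHASE_ORDERS, RECEIVERS, PAID_KEYS):
        print(problem)
```

An invoice that returns any exception is held for review rather than paid.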

Safeguard inventory from theft

Inventory should be kept in a locked storage facility as a safeguard against theft. Depending on the

value of the inventory, it may be prudent to have additional safeguards such as a fence surrounding the

facility, guards, security systems and video surveillance. You should be aware of not only external theft,

but the possibility of employee theft as well.

While no control absolutely safeguards against theft, you can make it as difficult as possible and the

controls listed above may also act as a deterrent to theft.

Fundamental Accounting Controls

Ensure that all balance sheet accounts, especially cash, are reconciled timely and reviewed by

independent management


This is a key control. All balance sheet accounts must be reconciled to the general ledger, especially

cash. If false or erroneous entries are made, this reconciliation process should catch the entry.

As an example, a significant maintenance cost may be charged to fixed assets. The process of

reconciling fixed assets to the general ledger by reviewing the detail of additions and deletions of fixed

assets should point out this error.

Another example that occurred at a small business related to a balance sheet account called “Accrued

Bonuses”. Since this account was reserved for executive bonuses, no member of the accounting staff

was supposed to reconcile it. It was considered too confidential. Knowing this, the controller of the

company used this account to write checks to himself. The theft was not discovered until after he left

the firm and someone else reconciled the account.

A review of balance sheet account reconciliations is important to ensure that people are not just “going

through the motions”. The review should be done by an informed reviewer and should be signed and

dated. An informed reviewer is necessary to ensure that a review is meaningful. Once again, the

informed reviewer does not have to be an expert. However, he or she should know enough to challenge

an item that doesn’t make sense. As an example, in the case of maintenance cost erroneously charged

to fixed assets, the reviewer should know the difference between a capital expenditure and

maintenance expense and be familiar with the recent work performed.

Cash reconciliations are generally the most important control. Most revenues and expenses of a

company ultimately flow through the cash account. Accordingly, this is a very important account to

control.

As part of the reconciliation process, the pre-numbered sequence of checks should be reviewed and any

out-of-sequence checks should be investigated. All journal entries to cash should be highlighted and

investigated. Any other item that looks out of place should also be highlighted and investigated. This

would include customers whose checks “bounced” to ensure that the amount was properly added back

to the customer receivable.

An informed reviewer is especially needed for this process. A bank reconciliation can get complicated.

While an expert is not required, someone with adequate knowledge to ask meaningful questions is

necessary. In this case, a member of senior management with an accounting background would be

optimal. If the reviewer merely looks to see that the book balance matches the bank balance with no

further investigation, this would not be much of a control.

All journal entries approved

Journal entries are fraught with the possibility of both error and fraud. Erroneous journal entries impact

the integrity of financial reporting. An approval process for those journal entries that are significant to

the financial statements of the business is important to lessen the likelihood of financial statement

misstatement.


Unfortunately, journal entries are also used to conceal fraudulent activities. Once again, a process to

ensure that all journal entries are approved will lessen the likelihood of fraud. If this approval process is

used in conjunction with the balance sheet account reconciliation process, the control is further

strengthened. As an example, if the independent preparer of the balance sheet account reconciliation

notices a journal entry to the account, part of the reconciliation process should be to ensure that the

journal entry was properly approved.

There is a way to cut off journal entries in the accounting system once the financial statements are

complete

As noted above, journal entries are subject to both error and fraud. Once an accounting period has

been closed, it is important that the particular accounting period may not be re-opened so that

unauthorized journal entries may be made. While good account reconciliation processes should catch a

post-closing journal entry, it is a good control to cut off journal entries once the applicable financial

statements have been reviewed and approved.

Monthly review of financial statements with explanations for material variances

The review of financial statements by informed reviewers should highlight material errors or fraud.

Most senior managers are aware of certain key data such as sales and margin rates. To help with the

review process, a comparison to prior month or the same period of the prior year should also be

performed to highlight major changes. Explanations of material variances should always be provided.

If there is a budgeting or forecasting process in the company, a comparison to budget or forecast should

also be performed. Once again, material variances should be explained.

Management’s review of financial information is a great control over financial reporting. This also helps

to make the financial statements a source of decision-useful information for key personnel.


Fundamental Internal Control Environment

What is the company culture?

The company culture can best be described as the tone at the top of the organization. Is there a tone

that conveys succeed at any cost or maybe one that conveys to employees that the end justifies the

means? These could indicate problems with the company culture.

Many small businesses are entrepreneurial. The founder may be driven to succeed. While this drive is

admirable, it must be tempered with messages of ethics, integrity and doing things the right way so that

the appropriate message is delivered. In an environment where the prevailing philosophy of senior

management is just get it done, some employees may feel empowered to take shortcuts or perform

inappropriate or unethical tasks to accomplish an objective.

In the accounting realm, this is especially important. There have been a number of businesses whose

results did not meet objectives where the controller or CFO has, in effect, manufactured earnings. The

example of Diamond Foods follows.

Diamond Foods started in 1912 as a walnut grower cooperative that bought walnuts from California

growers, processed them and sold the walnuts to retailers. It became a public company in 2005 and

expanded into the snack food business. By 2010, its product lines included potato chips, popcorn and

nuts. Diamond’s brands included Diamond of California, Pop Secret, Emerald and Kettle.

Michael Mendes was promoted to CEO and President in 1997 and he was made a member of the board

of directors in 2005. Prior to becoming CEO, he was VP of International Sales and Marketing.

As CEO, Mendes was a proponent of high growth. After Diamond acquired Pop Secret from General

Mills in 2008, he reportedly called employees together at the corporate offices and declared that “size

matters”. His ambitious growth philosophy was characterized in reports as “bigger is better”.

As reported results exceeded expectations, Diamond’s stock value also increased. This was an

important element in a planned acquisition of the Pringles potato chip brand from Procter & Gamble.

This acquisition would have made Diamond the second largest snack food distributor in the United

States. Only PepsiCo would be larger.

Diamond’s CFO, Steven Neil, took the position in 2008. Prior to this, Neil was a member of Diamond’s

board of directors and was also chairman of Diamond’s audit committee. While CFO, Neil stayed on as a

member of the board, but was no longer a member of the audit committee.

To continue the growth in reported earnings, Neil orchestrated the underreporting of walnut costs in

the years 2010 and 2011. In reported financial results, walnut growers were ostensibly paid an amount

for walnuts that was below the applicable market price. To keep the growers happy, another payment

was made for the difference between the market value of the walnuts and what had been reported.

However, this payment for the difference was accounted for as a future period cost rather than the


period to which the payment actually applied and was called a “continuity payment” in an attempt to

conceal that the payment was for walnut purchases in the current, rather than future periods. In effect,

a portion of walnut costs were being rolled into future periods in order to enhance current period

margin and net income.

The scheme unraveled when Wall Street analysts started to question Diamond’s accounting. Initially,

these questions were rebuffed by Diamond. However, upon further investigation and contacts with

growers, it became apparent that Diamond had understated its walnut costs.

This example demonstrates the extremes that even members of senior management will go to in an

environment of winning at all costs. Once again, it is important to temper business enthusiasm with a

tone that also conveys ethics, integrity and responsibility.

Procedure manuals

Procedure manuals may seem a bit mundane and unnecessary. However, they serve an important

internal control purpose. These manuals serve to reinforce proper procedures and also help train new

personnel when there is turnover.

In businesses, a process works because people follow the procedures. When procedures are not

followed, the process can break down. Procedure manuals ensure that the proper process is followed.

As an example, you have hired a new accounts payable clerk. The procedure is that an invoice is only

paid if (a) payment is made from the original invoice, (b) it is properly approved and (c) prior to payment, a member of

senior management reviews and approves the disbursement.

The controller becomes busy and simply instructs the new clerk to pay the bills. There are several faxed

invoices in the stack that are duplicates of invoices that have already been paid. Since the new accounts

payable clerk was unaware of the proper procedure, duplicate invoice payments were made. The added

controls of proper authorization and management review of the ultimate disbursement were also

ignored.

If a procedure manual had been in place, the new accounts payable clerk would have at least been

aware of the proper procedure, avoiding the duplicate payment.

Open door policy

Most employees want to do a good job. When they see something that, in their opinion, is not right,

they also want to inform management. An open door policy is a good employee motivator. It can also

be a good internal control.

Personnel performing the day-to-day tasks are in a better position than most members of management

to see process errors in addition to fraud. You want to encourage them to tell management when things

do not seem right. While this may result in some wasted time, it may also point out a major control

deficiency in the organization.


All complaints make it to senior management

If a vendor complains that it’s not being paid or a customer claims that payments are not being posted

in accounts receivable, these are all indicators of possible internal control issues. Senior management

members should be aware of all complaints so that they may be properly investigated. Some members

of senior management may not want to be bothered with vendor or customer complaints. However,

these complaints are many times the early alarm that there is an internal control breakdown.

Senior management must be aware of and investigate vendor and customer complaints regarding

account balances. While many may not be valid or are not indicative of an internal control issue, there

may be one that is the “tip of the iceberg” of a larger issue in your organization.

Mandatory vacations

Everyone deserves a vacation, right? Well, in terms of detecting fraud, a mandatory vacation is a good

method to use as long as you ensure that someone else performs that person’s duties while he or she is

away.

Most frauds require the time and effort of the fraudster. If they’re not there to put in the time and

effort, the fraud has a much greater chance of being uncovered. So, if an employee has stolen funds

and used a balance sheet account reconciled by him or her to conceal the theft, the employee

performing this person’s duties while he or she is on vacation may question and investigate the reconciling item and

uncover the fraud.

Budgets and forecasts

Budgets and forecasts are a good idea for the operation of the business. Did you know that they have an

internal control value as well? As noted earlier when discussing management review of financial

information, a comparison of financial statements to a budget or forecast may uncover an accounting

error or fraud. By focusing on financial statement elements that are materially different from budget or

forecast, proper questions are posed and investigations are performed to determine the cause of the

difference. By asking the questions and directing the investigations to be made, both financial

statement errors and fraud are more likely to be detected.


Case Study – Koss Corporation

Koss Corporation started as a television rental business in Milwaukee, Wisconsin. It was founded in

1953 by John Koss and named the J.C. Koss Hospital Television Rental Company. In 1958, John Koss and

a partner developed the stereophone. A stereophone was essentially a headphone used for listening to

stereo music. It was novel at the time since headphones were only used for communications, not music.

The stereophone was created as a gimmick to promote the stereo sound of a new portable phonograph.

In an unanticipated event, the stereophone, not the portable phonograph, became an instant hit with

consumers. This was the birth of the Koss Headphone.

Koss developed a national and international following for the stereo headphone. By the 1970’s Koss had

40% of the world stereo headphone market. By the 1980’s tough competition from Japan reduced Koss’

sales and market share. The newly introduced Sony Walkman and other Sony products were a major

component of this competitive pressure.

Competition as well as an ill-timed expansion into other consumer electronic products led to a

bankruptcy reorganization in the mid 1980’s. This led to the re-focus on mass market headphones. The

company emerged from bankruptcy in 1985.

In 1991, John Koss was replaced by his son, Michael Koss, as president and CEO. Under Michael,

revenues grew from about $25 million in the early 1990’s to approximately $40 million by 1997. Sales

stayed in the general $40 million range in the early 2000’s and peaked at $49 million in 2008.

Koss Corporation is a public company whose stock is traded on the NASDAQ exchange. It is classified as

a smaller reporting company as it has less than $75 million of public float. More than 70% of the

outstanding shares of the company are controlled, either directly or indirectly, by Michael Koss and his

family.

In 1989, a temporary employee named Sujata (Sue) Sachdeva was hired. Within six months, Sue was

promoted to Vice President of Finance. Michael Koss served as CFO and COO in addition to his duties as

CEO of the company.

Sachdeva started embezzling from Koss. No one except Sue Sachdeva knows exactly when it started,

only that it started small. During the years that were quantified, fiscal years ending June 30, 2005-2010,

the amounts embezzled by Sachdeva were reported to be:

• FY 2005 - $2.3 million

• FY 2006 - $2.4 million

• FY 2007 - $3.5 million

• FY 2008 - $5.1 million

• FY 2009 - $8.5 million

• FY 2010 - $10.3 million


For a company with revenues in the $40-$49 million range over these years, each year is significant. The cumulative amount for the 6-year period aggregates over $32 million and, according to SEC documents, the overall amount was estimated to be $34 million.

What motivated the embezzlement?

Sue Sachdeva, according to her defense in court, suffered from compulsive shopping disorder and was an alcoholic. She would spend extravagantly on clothing, jewelry, travel, shoes, furs, household items, art, charity and cars, among other things, and then panic when the bills for these items were sent to her office or she received calls from creditors for unpaid bills. As bills would become due or creditors’ calls were received, she would have what were described as panic attacks. In her panic and desperation to pay her shopping bills, she used Koss funds to pay for them as the bills became due.

During the investigation of the fraud, reports indicated that Sachdeva’s purchases became so voluminous that she sometimes would forget to have items picked up or would buy duplicate items at stores. When store personnel pointed out that she had already purchased a particular item, she reportedly became upset.

After Sachdeva’s arrest, it was reported that it took 30 FBI agents three days to pack 22,000 items into two long U-Haul trailers. There were 65 racks of clothing, designer handbags, 461 pairs of shoes, jewelry, statues, Waterford crystal, Louis Vuitton luggage, crystal vases, chandeliers, 30 sets of Neiman Marcus china, 34 full length fur coats, 32 short furs and 5 fur throws. She had purchased so many items that most of this was in rented storage space.

Mechanics of the fraud

The fraud started with the use of cashier’s checks. Either Sachdeva or a Senior Accountant, Julie Mulvaney, would call Koss’ bank, and request a cashier’s check made out to a particular retailer. To obscure the use of the funds, initials would be used on the cashier’s checks. As an example, Neiman Marcus would be NM or Saks Fifth Avenue would be SFA.

The use of cashier’s checks was considered to be preferable as these checks were returned directly to the bank rather than to the company. Only one signature was required on cashier’s checks and Sachdeva was an authorized signer. No other authorization was required other than a Koss internal control policy that said Michael Koss had to approve any invoices greater than $5,000. This control was plainly circumvented. Many cashier’s checks exceeded $5,000 and some exceeded $100,000. There were more than 500 cashier’s checks issued to cover Sachdeva’s purchases. The aggregate of these cashier’s checks was approximately $15 million.

Wire transfers replaced cashier’s checks as the embezzlement grew. The switch to wire transfer from cashier’s checks was apparently prompted by the realization that no one would need to go to the bank and pick up a check. The VP of Operations was supposed to review documentation for wire transfer payments to vendors. This control was also apparently ineffective.

Wire transfers were made directly from the Koss account, primarily to American Express, to pay Sachdeva’s bill. Fraudulent wire transfers amounted to approximately $16 million.

Smaller amounts of the fraud were also in petty cash and the use of traveler’s checks. Sachdeva and Mulvaney wrote numerous checks to petty cash. No outside approval was required as long as the check amount did not exceed $5,000. This amounted to an additional $390,000 of embezzled funds. Traveler’s checks were also written for a much smaller amount.

How were these significant embezzled amounts concealed?

To conceal the missing cash in the financial records, Mulvaney and Sachdeva would manipulate sales,

expenses, accrued liabilities and accounts receivable. Some journal entries were simple, such as

debiting sales and crediting cash, debiting expenses and crediting cash or debiting accrued liabilities and

crediting cash. Others were more complex, such as the complete reversal of an entire sales transaction.

Other manipulations occurred that increased cash balances. Sales at the company store were not

recorded so that the cash balance would increase by these amounts. Additionally, at year end, receipts

of accounts receivable would not be recorded, increasing the cash balances. It is important to note that

the reason the customers did not complain about the overstated receivable balance is that statements

were not sent to customers. No one ever investigated the significant reported increase in accounts

receivable at the end of the year versus the other months in the year.

It was reported that Mulvaney kept track of these adjustments in files that were color coded by year.

These became known as the “rainbow files”.

What internal controls were in place?

Lack of internal controls and lack of enforcement of existing internal controls seemed to be a primary

element in permitting this embezzlement to persist. There was little segregation of duties. It was a

small accounting department and Sachdeva had the authority to sign checks, approve wire transfers and

approve bank reconciliations and other general ledger account reconciliations. There was no review and

approval of this process outside of the accounting function. Any review that may have taken place was

performed by the same people who initiated or recorded the transaction (Sachdeva or Mulvaney).

While controls called for supporting documentation for all journal entries, there was no review of

journal entries outside of the accounting function, even post-closing entries. Given the abundance of

journal entries to conceal the embezzlement, and that most were in even numbers such as $20,000 or

$200,000, this is fairly evident.

Controls also called for all invoices greater than $5,000 to be approved by Michael Koss and the VP of

Operations to review documentation for wire transfers used for payments to vendors. As fraudulent

cashier’s checks amounted to about $15 million and fraudulent wire transfers amounted to about $16

million, it is also evident that these controls were ineffective.


Koss Corporation had a computerized accounting system, but it was over 30 years old. Month and year-

end figures could not be locked. This allowed Sachdeva and Mulvaney to bypass a stated internal

control requiring Michael Koss’ approval on any post-closing journal entries. There was also no audit

trail of journal entries available on the system.
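The journal entry patterns described in this case (entries in even amounts such as $20,000, post-closing entries made without approval, entries reviewed only by the people who prepared them) and the earlier advice to highlight all journal entries to cash can be screened for by an independent reviewer. The following Python example is added here and is not part of the original course or of any Koss system; the record fields, account names, the $1,000 rounding unit and the sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional

ROUND_UNIT = Decimal("1000")   # assumed threshold for an "even" amount
CASH = "cash"                  # assumed account name


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    posted_on: date            # date the entry was keyed into the system
    period_end: date           # accounting period the entry affects
    debit_account: str
    credit_account: str
    amount: Decimal
    prepared_by: str
    approved_by: Optional[str]


def review_entry(entry, closed_on):
    """Return the red flags for one entry.

    closed_on maps a period end date to the date that period's financial
    statements were reviewed and approved (the cutoff).
    """
    flags = []
    if entry.approved_by is None:
        flags.append("unapproved")
    elif entry.approved_by == entry.prepared_by:
        flags.append("self-approved")
    cutoff = closed_on.get(entry.period_end)
    if cutoff is not None and entry.posted_on > cutoff:
        flags.append("post-closing")
    if entry.amount > 0 and entry.amount % ROUND_UNIT == 0:
        flags.append("round-amount")
    if CASH in (entry.debit_account, entry.credit_account):
        flags.append("touches-cash")
    return flags


def review_queue(entries, closed_on, min_flags=2):
    """Entries with at least min_flags red flags, most flags first."""
    hits = []
    for entry in entries:
        flags = review_entry(entry, closed_on)
        if len(flags) >= min_flags:
            hits.append((entry.entry_id, flags))
    return sorted(hits, key=lambda hit: (-len(hit[1]), hit[0]))


# Constructed sample data (not taken from any real ledger).
CLOSED_ON = {date(2009, 6, 30): date(2009, 7, 15)}
SAMPLE_ENTRIES = [
    JournalEntry("JE-001", date(2009, 6, 10), date(2009, 6, 30),
                 "rent expense", "accounts payable", Decimal("4312.17"),
                 "clerk_a", "controller"),
    JournalEntry("JE-002", date(2009, 7, 20), date(2009, 6, 30),
                 "sales", "cash", Decimal("200000.00"),
                 "acct_1", None),
    JournalEntry("JE-003", date(2009, 6, 28), date(2009, 6, 30),
                 "accrued liabilities", "cash", Decimal("20000.00"),
                 "acct_1", "acct_1"),
    JournalEntry("JE-004", date(2009, 6, 15), date(2009, 6, 30),
                 "cash", "accounts receivable", Decimal("1875.40"),
                 "clerk_a", "controller"),
]

if __name__ == "__main__":
    for entry_id, flags in review_queue(SAMPLE_ENTRIES, CLOSED_ON):
        print(entry_id, ", ".join(flags))
```

A flag is a prompt for the informed reviewer to ask for support, not proof of fraud; a single flag such as an ordinary cash entry is common, which is why the queue ranks by the number of flags.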

Koss also had an audit committee. However, no member of the audit committee listed any direct

experience in accounting or auditing.

Did Koss Corporation have an annual audit?

As a public company, Koss Corporation was required to submit audited financial statements to the SEC.

Koss used Grant Thornton for its audits from the period of 2004-2009. For audits during this period,

Grant Thornton was paid approximately $700,000.

During testimony at trials after the fraud was uncovered, Sachdeva testified that all requested schedules

were provided to Grant Thornton and that the documentation provided to them contained journal

entries prepared to cover up the embezzlement. She also testified that Grant Thornton personnel never

questioned disbursements or wires, including those to American Express, never questioned internal

controls and never questioned journal entries even when a majority of the journal entries were in even

dollar amounts such as $20,000 or $200,000.

How was the fraud discovered?

The primary recipient of wire transfers, American Express, notified Michael Koss that Koss Corporation

funds were being used to pay Sachdeva’s personal American Express bill.

Who benefitted from the embezzlement?

It appears that only Sachdeva benefitted. While it appears that Mulvaney participated in the fraud, she

did not benefit from it. Sachdeva’s husband was not implicated in the crime and it appears that he had

no knowledge of it.

What happened after the fraud was uncovered?

After the fraud was uncovered by American Express, Sachdeva and Mulvaney were both fired. Another

accountant at Koss Corporation was also fired. Even though this person did not participate in the

scheme, she didn’t report it.

Grant Thornton was released and Baker Tilly Virchow Krause LLP was hired.

Sachdeva was tried and pled guilty to 6 counts of wire fraud. Federal prosecutors sought a sentence of

15-20 years. Her sentence was 132 months in prison (approximately 11 years) and restitution in the

amount of $34 million to Koss Corporation. Her restitution was ordered to be paid in the amount of

$500 per month. If she complies, it will take 68,000 months or about 5,667 years to pay this in full.


There was also a SEC complaint against Mulvaney for aiding and abetting a fraud. During the SEC

investigation, Mulvaney asserted that her journal entries were at the express direction of Sachdeva and

claimed that Sachdeva assured her that all entries were appropriate and legitimate. She also claimed

that she did not know that Sachdeva had engaged in a massive theft from the company.

Mulvaney was sentenced in November, 2012 in a settlement with prosecutors. She was ordered to pay

disgorgement of $22,600, prejudgment interest of $5,000 and a $40,000 civil penalty.

There was also a SEC complaint filed against Koss Corporation and Michael Koss. This complaint is titled

SEC v. Koss Corporation and Michael J. Koss. This complaint alleges:

• The yearly amounts stolen were significant relative to Koss’s sales and shareholders’ equity. For

example, during fiscal year 2009, Sachdeva stole approximately $8.5 million, while Koss

reported total sales of approximately $41.7 million and retained earnings of approximately

$17.1 million at year-end.

• Sachdeva and Mulvaney were able to hide the substantial embezzlements in Koss’s financial

records in part because Koss and Michael J. Koss did not adequately maintain internal controls

to reasonably assure the accuracy and reliability of financial reporting.

• While Koss’s internal controls policy required Michael J. Koss to approve invoices of $5,000 or

more for payment, its controls did not prevent Sachdeva and Mulvaney from processing large

wire transfers and cashier’s checks outside of the accounts payable system to pay for

Sachdeva’s personal purchases without seeking or obtaining Michael J. Koss’s approval.

• As a result, Sachdeva, with Mulvaney’s assistance, was able both to initiate and authorize wire

transfers of Koss’s funds to her personal creditors totaling approximately $16.3 million, and to

order cashier’s checks payable to credit card companies and her designated payees totaling

approximately $15.5 million.

• Koss’s computerized accounting systems were almost 30 years old and access to the accounting

systems could not be locked at the end of the month and there was no audit trail. Sachdeva and

Mulvaney were thus able to make undetected post-closing changes to the books and bypass an

internal control requiring Michael J. Koss to authorize those changes.

• Many account reconciliations were either not prepared or were not maintained as part of

Koss’s accounting records. To the extent that reconciliations were conducted, they were

improperly performed by the same persons who initiated or recorded the transactions (i.e.

Sachdeva or Mulvaney), enabling those persons to make modifications to the reconciliations to

cover up fraudulent entries.

• While Sachdeva provided Michael J. Koss with reporting certifications for his review, he did not

conduct an adequate review of Koss’s accounting in connection with these certifications.

• Based on the fraudulent accounting books and records prepared by Sachdeva and Mulvaney,

Koss prepared, and Michael J. Koss certified, materially inaccurate audited financial statements

and materially inaccurate current, quarterly and annual reports.1

1 SEC v. Koss Corporation and Michael J. Koss, Civil Case No. 2:11-cv-00991, USDC, E.D., Wisc.


In a settlement with the SEC over this case, Koss Corporation and Michael Koss agreed to put internal

controls in place to ensure accurate financial reporting and Michael Koss repaid bonuses of $450,000

and $160,000 of stock options to Koss Corporation.

Grant Thornton was sued twice. The first was a shareholder class action suit. The second was a suit

filed by Koss Corporation for negligence.

The shareholder class action against Grant Thornton was dismissed. The judge ruled that fraud and a

subsequent failure to detect the fraud did not imply willful, knowing or reckless behavior on the part of

Grant Thornton. The suit filed by Koss Corporation for negligence was settled for $8.5 million.

There was also a shareholder suit filed against Koss Corporation and Michael Koss. This was settled for

$1 million.

Koss Corporation sued American Express, alleging that American Express waited too long to report the

fraudulent wire transfers from Koss accounts. This suit was dismissed.

Lastly, the 22,000 items that the FBI recovered from Sachdeva were ordered to be sold to repay Koss

Corporation.

What internal controls would have prevented or detected the financial statement fraud or the

embezzlement?

Segregation of duties

In this case, all cash receipt, cash disbursement, accounts receivable, accounts payable, account

reconciliation responsibilities as well as the entire accounting and financial statement preparation

process were contained in a small accounting function. There was no segregation of duties nor was

there an attempt to achieve some segregation of duties through management oversight and

supervision. Senior management was not involved in any review and approval. As a result, Sachdeva,

with the help of the senior accountant Mulvaney, was able to embezzle millions and cover up the

embezzlement in the financial records.

Disbursement approval policy

There was a disbursement approval policy. It required that the president of the company, Michael Koss,

approve all invoices over $5,000. Additionally, the VP of Operations was supposed to approve all wire

transfers. While there was a policy, it was apparently ignored. Policies without follow-up are not an

effective control.

Require two signatures and restrict approval of wire transfers

If Koss had a policy of requiring two signatures on every material check, the embezzlement and

accompanying financial statement fraud would most likely have been avoided. Having another member

of senior management scrutinize the check disbursements to retailers such as Saks Fifth Avenue would


hopefully raise some questions. The embezzlement scheme relied on Sachdeva’s ability to solely sign or

initiate large disbursements.

Regarding wire transfers, it is very important to have a dual approval process over material wires. In the

Koss situation, Sachdeva was able to authorize and approve all wire transfers, resulting in approximately

$16 million of unauthorized wire transfers from Koss accounts. If Koss’ banking arrangements had

required dual approval, this embezzlement mechanism would have been thwarted.

While it would likely not have had any effect in this case due to the relationship of Sachdeva and

Mulvaney, it is also important to segregate the person who may initiate a wire transfer from the

person(s) who are able to approve a wire transfer.

Control access to checks

One area not controlled by Koss was the ability of Sachdeva and Mulvaney to obtain cashier’s checks. The

ability to generate this type of disbursement should be highly controlled and limited to a select few as

cashier’s checks can be used to circumvent other internal controls (authorization and approval of

invoices, check pre-numbering, etc.). This was evident in Sachdeva’s use of cashier’s checks to embezzle

approximately $15 million. Additionally, any cashier’s checks authorized should require two signatures.

Accounting for cash receipts

There did not seem to be any controls to ensure that cash receipts related to customer payments were

posted to accounts receivable. One method used by Sachdeva and Mulvaney to conceal the fraud was

to not record customer payments at year end so that cash balances could increase in a manner that

served to conceal the cash embezzlement. Controls over the posting of cash receipts to the proper

customer account were lacking.

Periodic statements sent to customers

Statements were not sent to customers. This is an easy financial and operational control. Since the

customers had no statements detailing their balance, cash receipts could go unposted to conceal

embezzled amounts and a customer would not notice the lack of credit to the account for a payment.

Accounts receivable aging reports reviewed by management

Since customer cash receipts generally went unposted during the final month of the fiscal year, accounts

receivable balances increased during that month. If aging reports had been reviewed by management,

this would have been apparent. However, there was no review of accounts receivable aging, so no one

ever noticed this disparity.

Review and approve vendors

There did not appear to be any formal vendor approval process. This, coupled with the lack of

independent review over the entire disbursement process, proved disastrous for Koss. Since there was

no vendor approval process (as well as no independent review of disbursements), vendors unrelated to

Koss such as Neiman Marcus and American Express were being paid millions from Koss accounts.

Review invoices for proper approval prior to payment

The stated control was that Michael Koss was to review all invoices greater than $5,000. Apparently,

this control was never performed. Had Mr. Koss even requested a listing of vendors who had been paid

more than $5,000 after the fact, he would have at least detected the fraud.

Only pay from original invoices

For the fraudulent disbursements, there was no original invoice to Koss. If there was a requirement that

a member of senior management review all invoices along with signing the checks, it would have been

evident that invoices did not exist for these material transactions.

All balance sheet accounts, especially cash, are reconciled and reviewed by independent management

Accounts manipulated to conceal the embezzlement included cash, accounts receivable, accrued

liabilities, sales and expenses. The SEC complaint noted that “many account reconciliations were either

not prepared or were not maintained as part of Koss’s accounting records. To the extent that

reconciliations were conducted, they were improperly performed by the same persons who initiated or

recorded the transactions (i.e. Sachdeva or Mulvaney), enabling those persons to make modifications to

the reconciliations to cover up fraudulent entries.” A senior management review of balance sheet

account reconciliations by an informed member of management should have caused an investigation

into the nature and amount of the needed reconciling items to conceal an embezzlement of this

magnitude.

All journal entries approved

It’s pretty clear that there was no approval process for journal entries outside of the accounting

function. Mulvaney and Sachdeva would manipulate sales, expenses, accrued liabilities and accounts

receivable. Some journal entries were simple, such as debiting sales and crediting cash, debiting

expenses and crediting cash or debiting accrued liabilities and crediting cash. Others were more

complex, such as the complete reversal of an entire sales transaction.

An approval process for journal entries along with management follow-up and account reconciliation

with senior management review and approval would have highlighted these fraudulent journal entries.

Cut off journal entries once financial statements are complete

Post-closing journal entries were made to conceal the embezzlement. If there were other internal

controls in place, such as account reconciliations, these post-closing entries would have made the fraud

more difficult to detect. Since the lack of controls was so prevalent, this control was not as important in

the case of Koss.

Review of financial statements with explanations for material variances

In theory, simply comparing the financial statements to the prior month or the same month of the prior

year should have shown significant disparities, given the level of manipulation in sales, expenses,

accounts receivable and accrued expenses. It does not appear that this simple comparison was

performed nor does it appear that there was any review of the financial statements on an interim basis.

Given the level of manipulation, there should have been some red flags in sales levels, margin rates and

in computed ratios such as days sales outstanding.

If a budget or forecast had been prepared, comparisons to the budgeted or forecasted amounts would

likely also have significant differences that required explanation. This simple step may have been

adequate to detect the existence of the embezzlement and accompanying financial statement fraud.

Mandatory vacations

While we don’t know if Sachdeva was required to take a vacation, it is likely that another person filling in

for her would have noticed the lack of internal controls, the lack of account reconciliations and

insufficiencies in the cash reconciliation process.

Budgets and forecasts

The preparation of budgets and/or forecasts provides management with performance expectations. It is

a good operational tool. It can also be a good internal control. When things don’t turn out in a way that

they are expected to turn out, inquiries should be made and explanations provided. In the case of Koss,

comparisons of manipulated financial results to a budget or forecast would likely have shown large

differences given that millions of dollars were being embezzled each year. The questions and related

explanations would have likely played a role in detecting the embezzlement and fraud much earlier.

Other Factors to Consider

Controls over Information Technology

Use test data that contains pre-determined results to ensure that the system functions as expected

Just because data comes from a computerized system doesn’t mean that the data is correct. There

have been many examples of unwarranted reliance on a computerized process that was providing

incorrect information. While it’s easy to blame the system, the end result is that the information is still

bad.

One easy way to test the system is to have your information technology resource establish a test

environment. The test environment is just a copy of the system being used by the company in a place

where the data being entered doesn’t impact the company’s actual data.

Assemble some test data that is simple and for which you already know results that should be presented

by your system. As an example, if the system processes sales orders and your test data is 5 orders at

$100 each, then the expected result is that the system will process and post $500 in sales. Use this test

data in the test environment and compare the actual results to the expected results.

If the actual results are as expected, then your computerized system is likely functioning as expected. If

there is a difference, that should be investigated.

Roll forward balances that result from a computerized system daily or monthly

A manual roll forward of key amounts will help isolate any system errors on an ongoing basis. Using

accounts receivable as an example, if your sales system indicates credit sales of $500 and there are

customer payments of $300 posted to the bank account, the accounts receivable balance should have

increased by $200, assuming no other additions or subtractions. You can roll forward the accounts

receivable balance by these amounts daily or monthly to provide further assurance that the particular

system is working as expected. Roll forwards should be performed daily or monthly depending on the

transaction volume of the particular system. Higher volume systems should be done daily.

This is only recommended for key systems. In many instances, the account reconciliation process may

be adequate to detect errors.

HR Procedures

Background checks for new employees

All new employees should have background checks which include criminal background and reference

checks. A criminal background check will tell you whether or not the candidate has been convicted of a

felony. This is important to know both from a workplace safety standpoint as well as a potential fraud

standpoint.

Reference checks are also important to ensure that the resume and application data provided is truthful.

In our litigious society, employment dates are sometimes all that is provided. However, it is important

to establish honesty with a potential employee. If they’re not honest on their application, you have a

higher likelihood of dishonesty elsewhere.

Risk Assessment

Credit policy

If the business sells on credit, is there a credit policy? This is important. Sales on credit are effectively

loans to another business. A credit policy establishes the level of risk that the business is willing to

accept.

The credit policy should be established by members of senior management and should include a policy

for establishing credit lines, evaluating credit risk and customer terms. While the policy may be flexible,

it should provide that exceptions are approved by specific members of senior management. That way, if

more risk is accepted for a particular customer, there is adequate consideration of the risk, reward

scenario.

This is a control in that without a policy, sales may be made to less than creditworthy customers which

may result in large, unanticipated bad debt expenses. Part of a good internal control environment is to

minimize unpleasant surprises like this.

Review insurance coverage

Insurance is there for unanticipated accidents and liabilities. It is important to have appropriate

insurance coverage so that an accident or catastrophic event does not cause the company financial

hardship. Like a credit policy, this also helps to minimize large, unexpected costs and a good internal

control environment should consider the potential financial impact of accidents and catastrophic events

and function to reasonably limit the business’s exposure to these events.

Review Questions

1. A small business has an accounting manager that handles all accounting and related functions

including cash receipts, cash disbursements and financial statement preparation. Is it possible

to have an effective internal control environment?

a. No. The inherent lack of segregation of duties makes any internal controls impossible

b. Yes. Achieving the best segregation of duties possible and involving appropriate senior

management in the process as informed reviewers can mitigate a lack of segregation of

duties

c. No. There is no such thing as a mitigating control. If there aren’t enough employees to

segregate the duties, then any internal control structure is a waste of time

d. No. The only way to have an effective internal control environment is to have a full-time

internal audit staff.

2. Which of the following is not an effective control over wire transfers?

a. Working with your banking partner to require password protection for the separate

initiation and approval of all wire transfers

b. Requiring all wire transfers of a material amount to have two approvals by senior

management

c. Separating the employees who are able to initiate a wire transfer from those who are

able to approve a wire transfer

d. Giving complete control over the initiation and approval of wire transfers of any amount

to the Controller

3. Which best describes the suggested process for signing checks?

a. Have two signatures on all checks

b. Have two signatures for all checks over a material amount

c. Have two signatures for all checks over a material amount and review invoices for

proper approval while signing checks

d. Use a signature stamp that is controlled by the person preparing the checks

4. Which of the following is an effective overall control?

a. The preparation of a forecast

b. The preparation of a budget

c. The preparation of financial statements

d. Financial statements with comparison to budgeted or forecasted amounts with an

accompanying explanation of variances

5. Which of the following will help detect internal control weaknesses in any function?

a. An open door policy of senior management that encourages employees to discuss issues

and concerns with senior managers

b. A requirement of two signatures on all checks

c. A requirement of two approvers on all wire transfers

d. A disbursement approval policy

6. ABC Corporation has one employee who posts customer cash receipts to the accounts

receivable system. Which control(s) would be most effective in ensuring that customer balances

are correctly stated and the likelihood of fraud is minimized?

a. The employee does not have access to account credits and write-offs or any account

credits and write-offs are properly reviewed and approved

b. There is an independent person who logs cash and checks received prior to being posted

to the accounts receivable system

c. Customer statements are sent out monthly

d. The employee does not have access to account credits and write-offs, there is an

independent person who logs cash and checks prior to posting and customer statements

are sent to customers monthly

Glossary

Approval policy – A set of internal rules that dictate who in the organization may sign contracts, approve

invoices and sign checks within a set dollar limit.

Dual signatures – An arrangement established with a banking institution that requires two signatures on

checks greater than a specified amount.

Informed reviewer – A person who has an understanding of the business process, but does not need to

be an expert. Enough knowledge to ask meaningful questions when something does not make sense is

all that is required. Senior management in most small businesses should be able to function as an

informed reviewer in most areas.

Material amount – It is the amount that the organization considers to be important relative to its sales

and profits as well as organizational culture. The amount is a subjective determination and depends on

the risk tolerance of the organization.

Segregation of duties – An internal control designed to prevent error or fraud that requires more than

one person’s involvement in a process or task.

Exam Questions

1. How can a small business mitigate a lack of segregation of duties?

a. This is impossible for a small business

b. If this cannot be achieved with existing personnel, the only way is to hire more people

c. Involve senior management in the control process and segregate their review and

control responsibilities as much as possible

d. Hire an internal audit staff

2. Which of the following is not a good control over check disbursements?

a. When signing the checks, review the invoices for proper authorization

b. Require two authorized signatures on checks that have been deemed a material amount

c. Check signers are not hesitant to question disbursements they don’t understand

d. The only required check signer is the Controller who also processes the invoices and

prepares the checks

3. A good internal contract and disbursement approval policy covers all topics listed below except:

a. Who prepares and reviews the bank reconciliation

b. Who has the authority to enter into contractual obligations

c. Who has the authority to approve invoices and in what maximum amounts

d. Who has the authority to sign checks and the amount for which checks require two

signers

4. An easy control over the proper posting of accounts receivable payments and credits is:

a. A daily detailed review of all accounts receivable postings

b. Sending monthly statements to customers with appropriate complaint follow-up

c. Calling each customer’s accounts payable representative to reconcile each customer’s

accounts receivable balance monthly

d. A daily management audit, tracing each customer payment to proper posting in the

correct customer account

5. Which of the following is a good internal control over bank reconciliations?

a. The bank reconciliation is prepared and reviewed by the Accounting Manager who also

performs accounts payable, disbursements and accounts receivable functions

b. The President reviews the bank reconciliation, but is confused by the reconciling items.

He simply looks at the bottom line to ensure that the book and bank balance match

c. The CFO reviews the bank reconciliation monthly and signs the reconciliation to

evidence her review. She questions any reconciling items that don’t make sense to her

d. The bank reconciliation process does not account for the pre-numbered sequence of

checks. Wire transfers and cashier’s checks that are not recorded are assumed to be

authorized and are posted based on the best guess of the person performing the

reconciliation

6. Which of the following is a good overall internal control?

a. A detailed budget process with several levels of approval with no comparison to

monthly financial results

b. Quarterly cash flow forecasts that are only provided to the banks to fulfill a loan

covenant

c. Keeping track of coffee cups in the break room to ensure that everyone is paying their

$.50 for a cup of coffee

d. A monthly review of financial statements by members of senior management where

current results are compared to budget, forecast or prior year results and explanations

for variances are provided

7. Which of the following is not true concerning journal entries?

a. Journal entries should be permitted after an accounting period is closed

b. There should be an approval process for all journal entries

c. Journal entries should be reviewed for proper approval as part of the balance sheet

account reconciliation process

d. Accounting software that provides an audit trail of journal entries is helpful in reviewing

journal entries for proper approval

8. Which of the following may help detect employee fraud?

a. The preparation of a forecast that is not compared to financial statements

b. Mandatory vacations for all employees with someone filling in for them while they’re

away

c. Approval of all journal entries

d. A contract and disbursement approval policy

9. Which of the following will NOT serve to actively prevent or detect employee fraud?

a. Two authorized signatures required on all checks

b. All invoices approved by an authorized member of management with secondary

approval required for material invoices

c. A statement regarding ethical compliance in the company’s mission statement

d. Authorized management approval of all journal entries

10. Your company does not require vendors to be approved prior to being entered into the accounts

payable system. Which of the following is NOT a risk of this practice?

a. Inferior goods or service from a vendor who was not properly vetted

b. Goods or services that are over-priced relative to the prevailing market

c. Employee theft through the use of a fake vendor

d. Duplicate payments to the unapproved vendor

Answers to Review Questions

1. A small business has an accounting manager that handles all accounting and related functions

including cash receipts, cash disbursements and financial statement preparation. Is it possible

to have an effective internal control environment?

a. Incorrect. No. The inherent lack of segregation of duties makes any internal controls

impossible. While an environment where segregation of duties is possible is the

optimum environment, it is possible to create mitigating controls that overcome the

lack of segregation of duties. These controls generally involve oversight by senior

managers in the organization.

b. Correct. Yes. Achieving the best segregation of duties possible and involving

appropriate senior management in the process as informed reviewers can mitigate a

lack of segregation of duties. The involvement of appropriate senior managers and

owners in the process as informed reviewers can mitigate the lack of segregation of

duties.

c. Incorrect. No. There is no such thing as a mitigating control. If there aren’t enough

employees to segregate the duties, then any internal control structure is a waste of time.

If this was a true statement, most small businesses could not achieve an effective

internal control environment unless the business hired well beyond its needs. Making

appropriate senior managers reviewers can overcome a lack of segregation of duties.

d. Incorrect. No. The only way to have an effective internal control environment is to have

a full-time internal audit staff. This is not correct and is impractical or impossible for

most small businesses. While an internal audit staff would be nice, it is not required to

have an effective internal control environment.

2. Which of the following is not an effective control over wire transfers?

a. Incorrect. Working with your banking partner to require password protection for the

separate initiation and approval of all wire transfers is an effective internal control. The

use of passwords helps to ensure that unauthorized personnel do not initiate or

approve wire transfers.

b. Incorrect. Requiring all wire transfers of a material amount to have two approvals by

senior management is an effective internal control. This ensures that material wire

transfers have the consent of two authorized members of senior management.

c. Incorrect. Separating the employees who are able to initiate a wire transfer from those

who are able to approve a wire transfer is an effective internal control. By separating

these two functions, it is less likely that an unauthorized wire transfer will be

undetected and more likely that an unauthorized wire transfer will be prevented.

d. Correct. Giving complete control over the initiation and approval of wire transfers of

any amount to the Controller is not an effective control. With this function in the hands

of one person, wire transfers may be performed without any checks. In this case, it is

highly likely that an unauthorized wire transfer would be made and be undetected.

3. Which best describes the suggested process for signing checks?

a. Incorrect. Having two signatures on all checks would not be practical and the suggested

process is that the check signer also reviews to ensure proper approval on all invoices

while signing checks.

b. Incorrect. Having two signatures for all checks over a material amount is one step in the

process. This would ensure that all material check amounts have a second review.

However, this ignores the suggested process that the check signer also reviews to

ensure proper approval on all invoices while signing checks.

c. Correct. Have two signatures for all checks over a material amount and review invoices

for proper approval while signing checks best describes the suggested process. This not

only helps to ensure that material check amounts have a second review but also helps

to ensure that invoices are properly approved.

d. Incorrect. Using a signature stamp that is controlled by the person preparing the

checks would not be a good process. If the person who prepared the checks could also

sign them, it is possible that there would be no review of the checks. It is also possible

that there would not be a secondary review of invoices for proper authorization and

approval prior to payment.

4. Which of the following is an effective overall control?

a. Incorrect. The preparation of a forecast alone is not an effective internal control.

However, the comparison of actual results to forecasted results with an explanation of

variances may be effective.

b. Incorrect. The preparation of a budget alone is not an effective internal control.

However, the comparison of actual results to budgeted results with an explanation of

variances may be effective.

c. Incorrect. The preparation of financial statements alone is not an effective internal

control. The review of financial statements by management, though, would be an

effective internal control.

d. Correct. Financial statements with comparison to budgeted or forecasted amounts with

an accompanying explanation of variances is an effective internal control. This

facilitates a management review of the financial statements and the comparison of

actual results to a budget or forecast with accompanying explanation assists

management in identifying any potential inaccuracy in the financial statements.

5. Which of the following will help detect internal control weaknesses in any function?

a. Correct. An open door policy of senior management that encourages employees to

discuss issues and concerns with senior managers is a good detective control. Your

employees are good indicators of when something is working and when it is not

working. Listening to them will help to identify weaknesses in the internal control

structure of any function in the company.

b. Incorrect. A requirement of two signatures on all checks may detect a weakness in the

disbursement process and is definitely a preventative control. However, this will not

detect internal control weaknesses in any function.

c. Incorrect. A requirement of two approvers on all wire transfers may detect a weakness

in the disbursement process. This is also a preventative control. While an effective

control over wire transfers, this will not help detect internal control weaknesses in any

function.

d. Incorrect. A disbursement approval policy is a good control over disbursements and

enforcement of the policy may detect weaknesses in the disbursement process.

However, this will not help detect internal control weaknesses in any function of the

company.

6. ABC Corporation has one employee who posts customer cash receipts to the accounts

receivable system. Which control(s) would be most effective in ensuring that customer balances

are correctly stated and the likelihood of fraud is minimized?

a. Incorrect. The employee does not have access to account credits and write-offs or any

account credits and write-offs are properly reviewed and approved is an important

control. This will reduce the likelihood of fraud and unauthorized account credits.

However, this control alone is not the most effective means to ensure that customer

balances are stated correctly and the likelihood of fraud is minimized.

b. Incorrect. There is an independent person who logs cash and checks received prior to

being posted to the accounts receivable system is also an important control. This helps

to ensure that all checks received are posted to accounts receivable and deposited.

However, this control alone is not the most effective means to ensure that customer

balances are stated correctly and the likelihood of fraud is minimized.

c. Incorrect. Customer statements are sent out monthly is an important control to ensure

that customer balances are properly stated. However, this control alone is not the most

effective means to ensure that customer balances are stated correctly and the

likelihood of fraud is minimized.

d. Correct. The employee does not have access to account credits and write-offs, there is

an independent person who logs cash and checks prior to posting and customer

statements are sent to customers monthly are the most effective controls to ensure that

customer balances are stated correctly and the likelihood of fraud is minimized. These

three controls working in tandem are more effective than any one individual control.